statem_srvr.c 137.4 KB
Newer Older
R
Rich Salz 已提交
1
/*
2
 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
R
Rich Salz 已提交
6 7 8 9
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
10
 */
R
Rich Salz 已提交
11

12
#include <stdio.h>
M
Matt Caswell 已提交
13
#include "../ssl_locl.h"
M
Matt Caswell 已提交
14
#include "statem_locl.h"
15
#include "internal/constant_time_locl.h"
16
#include "internal/cryptlib.h"
17 18 19 20
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
21
#include <openssl/hmac.h>
22
#include <openssl/x509.h>
R
Rich Salz 已提交
23
#include <openssl/dh.h>
24
#include <openssl/bn.h>
25
#include <openssl/md5.h>
26

M
Matt Caswell 已提交
27 28
#define TICKET_NONCE_SIZE       8

M
Matt Caswell 已提交
29
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
M
Matt Caswell 已提交
30

M
Matt Caswell 已提交
31
/*
32 33 34 35 36
 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when a TLSv1.3 server is reading messages from
 * the client. The message type that the client has sent is provided in |mt|.
 * The current state is in |s->statem.hand_state|.
 *
37 38
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
39 40 41 42 43 44 45 46 47 48 49 50 51 52
 */
static int ossl_statem_server13_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * Note: There is no case for TLS_ST_BEFORE because at that stage we have
     * not negotiated TLSv1.3 yet, so that case is handled by
     * ossl_statem_server_read_transition()
     */
    switch (st->hand_state) {
    default:
        break;

53
    case TLS_ST_EARLY_DATA:
54
        if (s->hello_retry_request == SSL_HRR_PENDING) {
M
Matt Caswell 已提交
55 56 57 58 59 60
            if (mt == SSL3_MT_CLIENT_HELLO) {
                st->hand_state = TLS_ST_SR_CLNT_HELLO;
                return 1;
            }
            break;
        } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
61 62 63 64 65 66 67 68 69
            if (mt == SSL3_MT_END_OF_EARLY_DATA) {
                st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
                return 1;
            }
            break;
        }
        /* Fall through */

    case TLS_ST_SR_END_OF_EARLY_DATA:
70
    case TLS_ST_SW_FINISHED:
71 72 73 74 75 76
        if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        } else {
77 78
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
79 80 81 82 83 84 85
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT:
        if (s->session->peer == NULL) {
86 87
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
104 105

    case TLS_ST_OK:
106 107 108 109 110 111
        /*
         * Its never ok to start processing handshake messages in the middle of
         * early data (i.e. before we've received the end of early data alert)
         */
        if (s->early_data_state == SSL_EARLY_DATA_READING)
            break;
112 113 114 115 116 117 118

        if (mt == SSL3_MT_CERTIFICATE
                && s->post_handshake_auth == SSL_PHA_REQUESTED) {
            st->hand_state = TLS_ST_SR_CERT;
            return 1;
        }

119 120 121 122 123
        if (mt == SSL3_MT_KEY_UPDATE) {
            st->hand_state = TLS_ST_SR_KEY_UPDATE;
            return 1;
        }
        break;
124 125 126 127 128 129 130 131 132 133 134
    }

    /* No valid transition found */
    return 0;
}

/*
 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when the server is reading messages from the
 * client. The message type that the client has sent is provided in |mt|. The
 * current state is in |s->statem.hand_state|.
M
Matt Caswell 已提交
135
 *
136 137
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
M
Matt Caswell 已提交
138
 */
139
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
140
{
M
Matt Caswell 已提交
141
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
142

143
    if (SSL_IS_TLS13(s)) {
144 145 146 147
        if (!ossl_statem_server13_read_transition(s, mt))
            goto err;
        return 1;
    }
148

149
    switch (st->hand_state) {
R
Rich Salz 已提交
150 151 152
    default:
        break;

M
Matt Caswell 已提交
153
    case TLS_ST_BEFORE:
154
    case TLS_ST_OK:
M
Matt Caswell 已提交
155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
173 174 175
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            if (s->s3->tmp.cert_request) {
                if (s->version == SSL3_VERSION) {
176 177
                    if ((s->verify_mode & SSL_VERIFY_PEER)
                        && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
178 179
                        /*
                         * This isn't an unexpected message as such - we're just
180 181
                         * not going to accept it because we require a client
                         * cert.
182
                         */
183 184 185
                        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                                 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
                                 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
186 187 188 189 190 191 192 193 194
                        return 0;
                    }
                    st->hand_state = TLS_ST_SR_KEY_EXCH;
                    return 1;
                }
            } else {
                st->hand_state = TLS_ST_SR_KEY_EXCH;
                return 1;
            }
M
Matt Caswell 已提交
195 196 197 198
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
199
            }
M
Matt Caswell 已提交
200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
216
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
217 218
         * set.
         */
219
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
R
Rich Salz 已提交
247
        if (s->s3->npn_seen) {
M
Matt Caswell 已提交
248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;
    }

280
 err:
M
Matt Caswell 已提交
281
    /* No valid transition found */
282 283 284 285 286 287 288 289 290 291 292 293 294 295
    if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
        BIO *rbio;

        /*
         * CCS messages don't have a message sequence number so this is probably
         * because of an out-of-order CCS. We'll just drop it.
         */
        s->init_num = 0;
        s->rwstate = SSL_READING;
        rbio = SSL_get_rbio(s);
        BIO_clear_retry_flags(rbio);
        BIO_set_retry_read(rbio);
        return 0;
    }
296 297 298
    SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
             SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
             SSL_R_UNEXPECTED_MESSAGE);
M
Matt Caswell 已提交
299 300 301 302 303 304 305 306 307 308
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
309
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
310 311 312 313
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
314
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
315 316 317 318 319 320
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
E
Emilia Kasper 已提交
321
    if (alg_k & (SSL_kDHE | SSL_kECDHE)
M
Matt Caswell 已提交
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
E
Emilia Kasper 已提交
337
        ) {
M
Matt Caswell 已提交
338 339 340 341 342 343 344 345 346 347 348 349 350
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
351
int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
352 353 354 355
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
356 357 358 359 360 361
           /*
            * don't request if post-handshake-only unless doing
            * post-handshake in TLSv1.3:
            */
           && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
               || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
M
Matt Caswell 已提交
362 363
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
364
            * a second time:
M
Matt Caswell 已提交
365
            */
366
           && (s->certreqs_sent < 1 ||
M
Matt Caswell 已提交
367 368 369 370 371 372 373
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
E
Emilia Kasper 已提交
374 375 376 377 378
               /*
                * ... except when the application insists on
                * verification (against the specs, but statem_clnt.c accepts
                * this for SSL 3)
                */
M
Matt Caswell 已提交
379 380 381 382 383 384 385
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
386
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
387 388 389 390 391 392 393
        return 1;
    }

    return 0;
}

/*
394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409
 * ossl_statem_server13_write_transition() works out what handshake state to
 * move to next when a TLSv1.3 server is writing messages to be sent to the
 * client.
 */
static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
     * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
     */

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
410 411 412
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION,
                 ERR_R_INTERNAL_ERROR);
413 414
        return WRITE_TRAN_ERROR;

415 416 417 418 419
    case TLS_ST_OK:
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
420 421 422 423
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
            return WRITE_TRAN_CONTINUE;
        }
424 425
        /* Try to read from the client instead */
        return WRITE_TRAN_FINISHED;
426

427
    case TLS_ST_SR_CLNT_HELLO:
M
Matt Caswell 已提交
428
        st->hand_state = TLS_ST_SW_SRVR_HELLO;
M
Matt Caswell 已提交
429
        return WRITE_TRAN_CONTINUE;
430

431
    case TLS_ST_SW_SRVR_HELLO:
432 433
        if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
                && s->hello_retry_request != SSL_HRR_COMPLETE)
434
            st->hand_state = TLS_ST_SW_CHANGE;
435 436
        else if (s->hello_retry_request == SSL_HRR_PENDING)
            st->hand_state = TLS_ST_EARLY_DATA;
437 438 439 440 441
        else
            st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CHANGE:
442 443 444 445
        if (s->hello_retry_request == SSL_HRR_PENDING)
            st->hand_state = TLS_ST_EARLY_DATA;
        else
            st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
M
Matt Caswell 已提交
446 447 448
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
449
        if (s->hit)
450 451 452
            st->hand_state = TLS_ST_SW_FINISHED;
        else if (send_certificate_request(s))
            st->hand_state = TLS_ST_SW_CERT_REQ;
453
        else
454
            st->hand_state = TLS_ST_SW_CERT;
455

456 457 458
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_REQ:
459 460 461 462 463 464
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            s->post_handshake_auth = SSL_PHA_REQUESTED;
            st->hand_state = TLS_ST_OK;
        } else {
            st->hand_state = TLS_ST_SW_CERT;
        }
465 466
        return WRITE_TRAN_CONTINUE;

467
    case TLS_ST_SW_CERT:
468 469 470 471
        st->hand_state = TLS_ST_SW_CERT_VRFY;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_VRFY:
472
        st->hand_state = TLS_ST_SW_FINISHED;
473 474 475
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
476 477
        st->hand_state = TLS_ST_EARLY_DATA;
        return WRITE_TRAN_CONTINUE;
478

479 480 481
    case TLS_ST_EARLY_DATA:
        return WRITE_TRAN_FINISHED;

482
    case TLS_ST_SR_FINISHED:
483 484
        /*
         * Technically we have finished the handshake at this point, but we're
485
         * going to remain "in_init" for now and write out any session tickets
486 487
         * immediately.
         */
M
Matt Caswell 已提交
488 489
        if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
            s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
490
        } else if (!s->ext.ticket_expected) {
M
Matt Caswell 已提交
491
            /*
492 493
             * If we're not going to renew the ticket then we just finish the
             * handshake at this point.
M
Matt Caswell 已提交
494 495
             */
            st->hand_state = TLS_ST_OK;
496
            return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
497
        }
498 499 500 501
        if (s->num_tickets > s->sent_tickets)
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        else
            st->hand_state = TLS_ST_OK;
502 503
        return WRITE_TRAN_CONTINUE;

504
    case TLS_ST_SR_KEY_UPDATE:
505 506 507 508 509 510
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
        /* Fall through */

511
    case TLS_ST_SW_KEY_UPDATE:
512 513 514
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;

515
    case TLS_ST_SW_SESSION_TICKET:
516 517 518 519 520 521 522 523
        /* In a resumption we only ever send a maximum of one new ticket.
         * Following an initial handshake we send the number of tickets we have
         * been configured for.
         */
        if (s->hit || s->num_tickets <= s->sent_tickets) {
            /* We've written enough tickets out. */
            st->hand_state = TLS_ST_OK;
        }
524 525 526 527 528 529 530
        return WRITE_TRAN_CONTINUE;
    }
}

/*
 * ossl_statem_server_write_transition() works out what handshake state to move
 * to next when the server is writing messages to be sent to the client.
M
Matt Caswell 已提交
531
 */
532
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
533
{
M
Matt Caswell 已提交
534
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
535

536 537 538 539 540
    /*
     * Note that before the ClientHello we don't know what version we are going
     * to negotiate yet, so we don't take this branch until later
     */

541
    if (SSL_IS_TLS13(s))
542 543
        return ossl_statem_server13_write_transition(s);

544
    switch (st->hand_state) {
R
Rich Salz 已提交
545 546
    default:
        /* Shouldn't happen */
547 548 549
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION,
                 ERR_R_INTERNAL_ERROR);
R
Rich Salz 已提交
550 551
        return WRITE_TRAN_ERROR;

552 553 554 555 556 557 558
    case TLS_ST_OK:
        if (st->request_state == TLS_ST_SW_HELLO_REQ) {
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            st->request_state = TLS_ST_BEFORE;
            return WRITE_TRAN_CONTINUE;
        }
559 560
        /* Must be an incoming ClientHello */
        if (!tls_setup_handshake(s)) {
561
            /* SSLfatal() already called */
562 563
            return WRITE_TRAN_ERROR;
        }
564 565
        /* Fall through */

566
    case TLS_ST_BEFORE:
E
Emilia Kasper 已提交
567
        /* Just go straight to trying to read from the client */
568
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
569

570 571 572
    case TLS_ST_SW_HELLO_REQ:
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
573

574 575
    case TLS_ST_SR_CLNT_HELLO:
        if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
576
            && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
577
            st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
578 579 580 581 582
        } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
            /* We must have rejected the renegotiation */
            st->hand_state = TLS_ST_OK;
            return WRITE_TRAN_CONTINUE;
        } else {
583
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
584
        }
585
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
586

587 588
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
589

590 591
    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
R
Rich Salz 已提交
592
            if (s->ext.ticket_expected)
593 594 595 596 597 598 599
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            else
                st->hand_state = TLS_ST_SW_CHANGE;
        } else {
            /* Check if it is anon DH or anon ECDH, */
            /* normal PSK or SRP */
            if (!(s->s3->tmp.new_cipher->algorithm_auth &
E
Emilia Kasper 已提交
600
                  (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
601 602
                st->hand_state = TLS_ST_SW_CERT;
            } else if (send_server_key_exchange(s)) {
M
Matt Caswell 已提交
603
                st->hand_state = TLS_ST_SW_KEY_EXCH;
604
            } else if (send_certificate_request(s)) {
M
Matt Caswell 已提交
605
                st->hand_state = TLS_ST_SW_CERT_REQ;
606 607
            } else {
                st->hand_state = TLS_ST_SW_SRVR_DONE;
M
Matt Caswell 已提交
608
            }
609 610
        }
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
611

612
    case TLS_ST_SW_CERT:
R
Rich Salz 已提交
613
        if (s->ext.status_expected) {
614
            st->hand_state = TLS_ST_SW_CERT_STATUS;
M
Matt Caswell 已提交
615
            return WRITE_TRAN_CONTINUE;
616 617
        }
        /* Fall through */
M
Matt Caswell 已提交
618

619 620 621
    case TLS_ST_SW_CERT_STATUS:
        if (send_server_key_exchange(s)) {
            st->hand_state = TLS_ST_SW_KEY_EXCH;
M
Matt Caswell 已提交
622
            return WRITE_TRAN_CONTINUE;
623 624
        }
        /* Fall through */
M
Matt Caswell 已提交
625

626 627 628
    case TLS_ST_SW_KEY_EXCH:
        if (send_certificate_request(s)) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
M
Matt Caswell 已提交
629
            return WRITE_TRAN_CONTINUE;
630 631
        }
        /* Fall through */
M
Matt Caswell 已提交
632

633 634 635
    case TLS_ST_SW_CERT_REQ:
        st->hand_state = TLS_ST_SW_SRVR_DONE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
636

637 638 639 640 641
    case TLS_ST_SW_SRVR_DONE:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        if (s->hit) {
M
Matt Caswell 已提交
642 643
            st->hand_state = TLS_ST_OK;
            return WRITE_TRAN_CONTINUE;
R
Rich Salz 已提交
644
        } else if (s->ext.ticket_expected) {
645 646 647 648 649 650 651 652 653
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        } else {
            st->hand_state = TLS_ST_SW_CHANGE;
        }
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        st->hand_state = TLS_ST_SW_CHANGE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
654

655 656 657 658 659 660 661 662 663 664
    case TLS_ST_SW_CHANGE:
        st->hand_state = TLS_ST_SW_FINISHED;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
        if (s->hit) {
            return WRITE_TRAN_FINISHED;
        }
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
665 666 667 668 669 670 671
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
672
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
673
{
M
Matt Caswell 已提交
674
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
675

676
    switch (st->hand_state) {
R
Rich Salz 已提交
677 678 679 680
    default:
        /* No pre work to be done */
        break;

M
Matt Caswell 已提交
681 682 683
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
684
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
685 686 687 688 689
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
690
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
691 692 693 694 695 696 697 698
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
F
FdaSilvaYY 已提交
699
             * Messages we write from now on should be buffered and
M
Matt Caswell 已提交
700 701 702 703 704 705 706 707
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
708 709
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
            /* Calls SSLfatal() as required */
M
Matt Caswell 已提交
710
            return dtls_wait_for_dry(s);
711
        }
M
Matt Caswell 已提交
712 713 714 715
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
716
        if (SSL_IS_TLS13(s) && s->sent_tickets == 0) {
717 718 719 720
            /*
             * Actually this is the end of the handshake, but we're going
             * straight into writing the session ticket out. So we finish off
             * the handshake, but keep the various buffers active.
721
             *
722
             * Calls SSLfatal as required.
723
             */
724
            return tls_finish_handshake(s, wst, 0, 0);
725
        } if (SSL_IS_DTLS(s)) {
M
Matt Caswell 已提交
726 727 728 729 730 731 732 733 734
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
735 736
        if (SSL_IS_TLS13(s))
            break;
M
Matt Caswell 已提交
737 738
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
739
            /* SSLfatal() already called */
M
Matt Caswell 已提交
740 741 742 743 744 745 746 747 748 749 750 751 752
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

753
    case TLS_ST_EARLY_DATA:
754 755
        if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
                && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
756 757 758
            return WORK_FINISHED_CONTINUE;
        /* Fall through */

M
Matt Caswell 已提交
759
    case TLS_ST_OK:
760
        /* Calls SSLfatal() as required */
761
        return tls_finish_handshake(s, wst, 1, 1);
M
Matt Caswell 已提交
762 763 764 765 766 767 768 769 770
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
771
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
772
{
M
Matt Caswell 已提交
773
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
774 775 776

    s->init_num = 0;

777
    switch (st->hand_state) {
R
Rich Salz 已提交
778 779 780 781
    default:
        /* No post work to be done */
        break;

M
Matt Caswell 已提交
782 783 784
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
785
        if (!ssl3_init_finished_mac(s)) {
786
            /* SSLfatal() already called */
787 788
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
789 790 791 792 793 794
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
795
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
796
            /* SSLfatal() already called */
797 798
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
799 800 801 802 803 804 805 806
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
807
        if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
M
Matt Caswell 已提交
808 809
            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
                    && statem_flush(s) != 1)
M
Matt Caswell 已提交
810 811 812
                return WORK_MORE_A;
            break;
        }
M
Matt Caswell 已提交
813 814 815 816 817 818 819 820 821
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
822 823
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
824 825

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
826 827 828
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
829 830 831
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_OSSL_STATEM_SERVER_POST_WORK,
                         ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
832 833 834 835 836 837 838
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
839
        if (!SSL_IS_TLS13(s)
840 841
                || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
                    && s->hello_retry_request != SSL_HRR_COMPLETE))
842 843 844 845
            break;
        /* Fall through */

    case TLS_ST_SW_CHANGE:
M
Matt Caswell 已提交
846 847 848
        if (s->hello_retry_request == SSL_HRR_PENDING) {
            if (!statem_flush(s))
                return WORK_MORE_A;
849
            break;
M
Matt Caswell 已提交
850
        }
851 852 853 854 855 856 857 858 859
        /*
         * TODO(TLS1.3): This actually causes a problem. We don't yet know
         * whether the next record we are going to receive is an unencrypted
         * alert, or an encrypted handshake message. We're going to need
         * something clever in the record layer for this.
         */
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->setup_key_block(s)
                || !s->method->ssl3_enc->change_cipher_state(s,
860 861
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                /* SSLfatal() already called */
862
                return WORK_ERROR;
863
            }
864 865 866

            if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
                && !s->method->ssl3_enc->change_cipher_state(s,
867 868
                        SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
                /* SSLfatal() already called */
869
                return WORK_ERROR;
870
            }
871
            break;
872
        }
M
Matt Caswell 已提交
873 874 875 876 877 878 879 880 881 882 883 884

#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
E
Emilia Kasper 已提交
885 886
                                                      SSL3_CHANGE_CIPHER_SERVER_WRITE))
        {
887
            /* SSLfatal() already called */
M
Matt Caswell 已提交
888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
913 914
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->generate_master_secret(s,
915
                        s->master_secret, s->handshake_secret, 0,
916 917 918
                        &s->session->master_key_length)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
919
            /* SSLfatal() already called */
920 921
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
922
        break;
923

924 925 926 927 928 929 930
    case TLS_ST_SW_CERT_REQ:
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            if (statem_flush(s) != 1)
                return WORK_MORE_A;
        }
        break;

931
    case TLS_ST_SW_KEY_UPDATE:
932 933
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
934 935
        if (!tls13_update_key(s, 1)) {
            /* SSLfatal() already called */
936
            return WORK_ERROR;
937
        }
938 939
        break;

940 941 942 943
    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
            return WORK_MORE_A;
        break;
M
Matt Caswell 已提交
944 945 946 947 948 949
    }

    return WORK_FINISHED_CONTINUE;
}

/*
950 951
 * Get the message construction function and message type for sending from the
 * server
M
Matt Caswell 已提交
952 953 954 955 956
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
957
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
958
                                         confunc_f *confunc, int *mt)
M
Matt Caswell 已提交
959
{
M
Matt Caswell 已提交
960
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
961

962 963 964
    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
965 966 967
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
                 SSL_R_BAD_HANDSHAKE_STATE);
968 969 970
        return 0;

    case TLS_ST_SW_CHANGE:
971
        if (SSL_IS_DTLS(s))
972
            *confunc = dtls_construct_change_cipher_spec;
973
        else
974 975
            *confunc = tls_construct_change_cipher_spec;
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
976
        break;
R
Rich Salz 已提交
977

978
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
979 980
        *confunc = dtls_construct_hello_verify_request;
        *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
981
        break;
M
Matt Caswell 已提交
982

983 984
    case TLS_ST_SW_HELLO_REQ:
        /* No construction function needed */
985 986
        *confunc = NULL;
        *mt = SSL3_MT_HELLO_REQUEST;
987
        break;
M
Matt Caswell 已提交
988

989
    case TLS_ST_SW_SRVR_HELLO:
990 991
        *confunc = tls_construct_server_hello;
        *mt = SSL3_MT_SERVER_HELLO;
992
        break;
M
Matt Caswell 已提交
993

994
    case TLS_ST_SW_CERT:
995 996
        *confunc = tls_construct_server_certificate;
        *mt = SSL3_MT_CERTIFICATE;
997
        break;
M
Matt Caswell 已提交
998

999 1000 1001 1002 1003 1004
    case TLS_ST_SW_CERT_VRFY:
        *confunc = tls_construct_cert_verify;
        *mt = SSL3_MT_CERTIFICATE_VERIFY;
        break;


1005
    case TLS_ST_SW_KEY_EXCH:
1006 1007
        *confunc = tls_construct_server_key_exchange;
        *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
1008
        break;
M
Matt Caswell 已提交
1009

1010
    case TLS_ST_SW_CERT_REQ:
1011 1012
        *confunc = tls_construct_certificate_request;
        *mt = SSL3_MT_CERTIFICATE_REQUEST;
1013
        break;
M
Matt Caswell 已提交
1014

1015
    case TLS_ST_SW_SRVR_DONE:
1016 1017
        *confunc = tls_construct_server_done;
        *mt = SSL3_MT_SERVER_DONE;
1018
        break;
M
Matt Caswell 已提交
1019

1020
    case TLS_ST_SW_SESSION_TICKET:
1021 1022
        *confunc = tls_construct_new_session_ticket;
        *mt = SSL3_MT_NEWSESSION_TICKET;
1023
        break;
M
Matt Caswell 已提交
1024

1025
    case TLS_ST_SW_CERT_STATUS:
1026 1027
        *confunc = tls_construct_cert_status;
        *mt = SSL3_MT_CERTIFICATE_STATUS;
1028
        break;
M
Matt Caswell 已提交
1029

1030
    case TLS_ST_SW_FINISHED:
1031 1032
        *confunc = tls_construct_finished;
        *mt = SSL3_MT_FINISHED;
1033
        break;
M
Matt Caswell 已提交
1034

1035 1036 1037 1038 1039
    case TLS_ST_EARLY_DATA:
        *confunc = NULL;
        *mt = SSL3_MT_DUMMY;
        break;

M
Matt Caswell 已提交
1040 1041 1042 1043
    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        *confunc = tls_construct_encrypted_extensions;
        *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
        break;
1044

1045 1046 1047 1048
    case TLS_ST_SW_KEY_UPDATE:
        *confunc = tls_construct_key_update;
        *mt = SSL3_MT_KEY_UPDATE;
        break;
1049
    }
M
Matt Caswell 已提交
1050

1051
    return 1;
M
Matt Caswell 已提交
1052 1053
}

1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070
/*
 * Maximum size (excluding the Handshake header) of a ClientHello message,
 * calculated as follows:
 *
 *  2 + # client_version
 *  32 + # only valid length for random
 *  1 + # length of session_id
 *  32 + # maximum size for session_id
 *  2 + # length of cipher suites
 *  2^16-2 + # maximum length of cipher suites array
 *  1 + # length of compression_methods
 *  2^8-1 + # maximum length of compression methods
 *  2 + # length of extensions
 *  2^16-1 # maximum length of extensions
 */
#define CLIENT_HELLO_MAX_LENGTH         131396

M
Matt Caswell 已提交
1071 1072 1073 1074 1075 1076 1077
#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
1078
size_t ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
1079
{
M
Matt Caswell 已提交
1080
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1081

1082
    switch (st->hand_state) {
R
Rich Salz 已提交
1083 1084 1085 1086
    default:
        /* Shouldn't happen */
        return 0;

M
Matt Caswell 已提交
1087
    case TLS_ST_SR_CLNT_HELLO:
1088
        return CLIENT_HELLO_MAX_LENGTH;
M
Matt Caswell 已提交
1089

1090 1091 1092
    case TLS_ST_SR_END_OF_EARLY_DATA:
        return END_OF_EARLY_DATA_MAX_LENGTH;

M
Matt Caswell 已提交
1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111
    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;
1112 1113 1114

    case TLS_ST_SR_KEY_UPDATE:
        return KEY_UPDATE_MAX_LENGTH;
M
Matt Caswell 已提交
1115 1116 1117 1118 1119 1120
    }
}

/*
 * Process a message that the server has received from the client.
 */
1121
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1122
{
M
Matt Caswell 已提交
1123
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1124

1125
    switch (st->hand_state) {
R
Rich Salz 已提交
1126 1127
    default:
        /* Shouldn't happen */
1128 1129 1130
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE,
                 ERR_R_INTERNAL_ERROR);
R
Rich Salz 已提交
1131 1132
        return MSG_PROCESS_ERROR;

M
Matt Caswell 已提交
1133 1134 1135
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

1136 1137 1138
    case TLS_ST_SR_END_OF_EARLY_DATA:
        return tls_process_end_of_early_data(s, pkt);

M
Matt Caswell 已提交
1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157
    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);
1158 1159 1160 1161

    case TLS_ST_SR_KEY_UPDATE:
        return tls_process_key_update(s, pkt);

M
Matt Caswell 已提交
1162 1163 1164 1165 1166 1167 1168
    }
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
1169
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1170
{
M
Matt Caswell 已提交
1171
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1172

1173
    switch (st->hand_state) {
R
Rich Salz 已提交
1174 1175
    default:
        /* Shouldn't happen */
1176 1177 1178
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE,
                 ERR_R_INTERNAL_ERROR);
R
Rich Salz 已提交
1179 1180
        return WORK_ERROR;

M
Matt Caswell 已提交
1181 1182 1183 1184 1185 1186 1187 1188
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);
    }
}

B
Ben Laurie 已提交
1189
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1190 1191
/* Returns 1 on success, 0 for retryable error, -1 for fatal error */
static int ssl_check_srp_ext_ClientHello(SSL *s)
1192
{
M
Matt Caswell 已提交
1193 1194
    int ret;
    int al = SSL_AD_UNRECOGNIZED_NAME;
1195 1196 1197 1198 1199 1200 1201 1202

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
M
Matt Caswell 已提交
1203 1204 1205 1206
            SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
                     SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
                     SSL_R_PSK_IDENTITY_NOT_FOUND);
            return -1;
1207
        } else {
M
Matt Caswell 已提交
1208 1209 1210 1211 1212 1213 1214 1215 1216 1217
            ret = SSL_srp_server_param_with_username(s, &al);
            if (ret < 0)
                return 0;
            if (ret == SSL3_AL_FATAL) {
                SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
                         al == SSL_AD_UNKNOWN_PSK_IDENTITY
                         ? SSL_R_PSK_IDENTITY_NOT_FOUND
                         : SSL_R_CLIENTHELLO_TLSEXT);
                return -1;
            }
1218 1219
        }
    }
M
Matt Caswell 已提交
1220
    return 1;
1221
}
B
Ben Laurie 已提交
1222 1223
#endif

1224
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
M
Matt Caswell 已提交
1225
                                  size_t cookie_len)
M
Matt Caswell 已提交
1226 1227
{
    /* Always use DTLS 1.0 version: see RFC 6347 */
1228 1229 1230
    if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
            || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
        return 0;
M
Matt Caswell 已提交
1231

1232
    return 1;
M
Matt Caswell 已提交
1233 1234
}

1235
int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1236
{
M
Matt Caswell 已提交
1237
    unsigned int cookie_leni;
M
Matt Caswell 已提交
1238 1239
    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
M
Matt Caswell 已提交
1240 1241
                                  &cookie_leni) == 0 ||
        cookie_leni > 255) {
1242 1243
        SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
                 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
M
Matt Caswell 已提交
1244 1245
        return 0;
    }
M
Matt Caswell 已提交
1246
    s->d1->cookie_len = cookie_leni;
M
Matt Caswell 已提交
1247

1248 1249
    if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
                                              s->d1->cookie_len)) {
1250 1251
        SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
                 ERR_R_INTERNAL_ERROR);
1252 1253
        return 0;
    }
M
Matt Caswell 已提交
1254 1255 1256 1257

    return 1;
}

1258 1259 1260 1261 1262 1263 1264 1265
#ifndef OPENSSL_NO_EC
/*-
 * ssl_check_for_safari attempts to fingerprint Safari using OS X
 * SecureTransport using the TLS extension block in |hello|.
 * Safari, since 10.6, sends exactly these extensions, in this order:
 *   SNI,
 *   elliptic_curves
 *   ec_point_formats
1266
 *   signature_algorithms (for TLSv1.2 only)
1267 1268 1269 1270 1271 1272 1273 1274 1275 1276 1277 1278 1279 1280 1281 1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293 1294 1295 1296 1297 1298
 *
 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 * 10.8..10.8.3 (which don't work).
 */
static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
{
    static const unsigned char kSafariExtensionsBlock[] = {
        0x00, 0x0a,             /* elliptic_curves extension */
        0x00, 0x08,             /* 8 bytes */
        0x00, 0x06,             /* 6 bytes of curve ids */
        0x00, 0x17,             /* P-256 */
        0x00, 0x18,             /* P-384 */
        0x00, 0x19,             /* P-521 */

        0x00, 0x0b,             /* ec_point_formats */
        0x00, 0x02,             /* 2 bytes */
        0x01,                   /* 1 point format */
        0x00,                   /* uncompressed */
        /* The following is only present in TLS 1.2 */
        0x00, 0x0d,             /* signature_algorithms */
        0x00, 0x0c,             /* 12 bytes */
        0x00, 0x0a,             /* 10 bytes */
        0x05, 0x01,             /* SHA-384/RSA */
        0x04, 0x01,             /* SHA-256/RSA */
        0x02, 0x01,             /* SHA-1/RSA */
        0x04, 0x03,             /* SHA-256/ECDSA */
        0x02, 0x03,             /* SHA-1/ECDSA */
    };
    /* Length of the common prefix (first two extensions). */
    static const size_t kSafariCommonExtensionsLength = 18;
1299 1300 1301
    unsigned int type;
    PACKET sni, tmppkt;
    size_t ext_len;
1302 1303 1304 1305 1306 1307 1308

    tmppkt = hello->extensions;

    if (!PACKET_forward(&tmppkt, 2)
        || !PACKET_get_net_2(&tmppkt, &type)
        || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
        return;
1309 1310
    }

1311 1312 1313 1314 1315 1316 1317 1318
    if (type != TLSEXT_TYPE_server_name)
        return;

    ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
        sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;

    s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
                                             ext_len);
1319
}
1320
#endif                          /* !OPENSSL_NO_EC */
1321

M
Matt Caswell 已提交
1322
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1323 1324
{
    /* |cookie| will only be initialized for DTLS. */
1325
    PACKET session_id, compression, extensions, cookie;
M
Matt Caswell 已提交
1326
    static const unsigned char null_compression = 0;
1327
    CLIENTHELLO_MSG *clienthello = NULL;
M
Matt Caswell 已提交
1328

1329 1330
    /* Check if this is actually an unexpected renegotiation ClientHello */
    if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
1331 1332 1333
        if (!ossl_assert(!SSL_IS_TLS13(s))) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
1334 1335
            goto err;
        }
1336 1337 1338 1339 1340 1341 1342
        if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
                || (!s->s3->send_connection_binding
                    && (s->options
                        & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
            ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
            return MSG_PROCESS_FINISHED_READING;
        }
1343 1344 1345 1346
        s->renegotiate = 1;
        s->new_session = 1;
    }

1347 1348 1349 1350 1351 1352 1353
    clienthello = OPENSSL_zalloc(sizeof(*clienthello));
    if (clienthello == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

1354
    /*
1355
     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1356
     */
B
Benjamin Kaduk 已提交
1357
    clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
E
Emilia Kasper 已提交
1358
    PACKET_null_init(&cookie);
1359

B
Benjamin Kaduk 已提交
1360
    if (clienthello->isv2) {
M
Matt Caswell 已提交
1361
        unsigned int mt;
1362

1363 1364
        if (!SSL_IS_FIRST_HANDSHAKE(s)
                || s->hello_retry_request != SSL_HRR_NONE) {
1365 1366 1367
            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                     SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
            goto err;
1368 1369
        }

1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

1385
        if (!PACKET_get_1(pkt, &mt)
E
Emilia Kasper 已提交
1386
            || mt != SSL2_MT_CLIENT_HELLO) {
1387 1388 1389 1390 1391
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
1392 1393
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1394
            goto err;
1395 1396 1397
        }
    }

B
Benjamin Kaduk 已提交
1398
    if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
1399 1400
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                 SSL_R_LENGTH_TOO_SHORT);
1401
        goto err;
1402 1403
    }

1404
    /* Parse the message and load client random. */
B
Benjamin Kaduk 已提交
1405
    if (clienthello->isv2) {
1406 1407 1408
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
1409
         * Real SSLv2 is not supported, and is rejected below.
1410
         */
1411
        unsigned int ciphersuite_len, session_id_len, challenge_len;
1412
        PACKET challenge;
1413

1414
        if (!PACKET_get_net_2(pkt, &ciphersuite_len)
E
Emilia Kasper 已提交
1415 1416
            || !PACKET_get_net_2(pkt, &session_id_len)
            || !PACKET_get_net_2(pkt, &challenge_len)) {
1417 1418 1419
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_RECORD_LENGTH_MISMATCH);
            goto err;
1420
        }
1421

1422
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
1423 1424 1425
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto err;
1426 1427
        }

B
Benjamin Kaduk 已提交
1428
        if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
1429
                                   ciphersuite_len)
B
Benjamin Kaduk 已提交
1430
            || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
1431
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1432
            /* No extensions. */
1433
            || PACKET_remaining(pkt) != 0) {
1434 1435 1436
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_RECORD_LENGTH_MISMATCH);
            goto err;
M
Matt Caswell 已提交
1437
        }
B
Benjamin Kaduk 已提交
1438
        clienthello->session_id_len = session_id_len;
M
Matt Caswell 已提交
1439

1440
        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
B
Benjamin Kaduk 已提交
1441
         * here rather than sizeof(clienthello->random) because that is the limit
1442
         * for SSLv3 and it is fixed. It won't change even if
B
Benjamin Kaduk 已提交
1443
         * sizeof(clienthello->random) does.
1444 1445 1446
         */
        challenge_len = challenge_len > SSL3_RANDOM_SIZE
                        ? SSL3_RANDOM_SIZE : challenge_len;
B
Benjamin Kaduk 已提交
1447
        memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
1448
        if (!PACKET_copy_bytes(&challenge,
B
Benjamin Kaduk 已提交
1449
                               clienthello->random + SSL3_RANDOM_SIZE -
D
David Benjamin 已提交
1450 1451 1452
                               challenge_len, challenge_len)
            /* Advertise only null compression. */
            || !PACKET_buf_init(&compression, &null_compression, 1)) {
1453 1454 1455
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
            goto err;
M
Matt Caswell 已提交
1456
        }
1457

B
Benjamin Kaduk 已提交
1458
        PACKET_null_init(&clienthello->extensions);
1459
    } else {
1460
        /* Regular ClientHello. */
B
Benjamin Kaduk 已提交
1461
        if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
1462
            || !PACKET_get_length_prefixed_1(pkt, &session_id)
B
Benjamin Kaduk 已提交
1463
            || !PACKET_copy_all(&session_id, clienthello->session_id,
1464
                    SSL_MAX_SSL_SESSION_ID_LENGTH,
B
Benjamin Kaduk 已提交
1465
                    &clienthello->session_id_len)) {
1466 1467 1468
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_LENGTH_MISMATCH);
            goto err;
M
Matt Caswell 已提交
1469
        }
1470

1471
        if (SSL_IS_DTLS(s)) {
1472
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1473 1474 1475
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                         SSL_R_LENGTH_MISMATCH);
                goto err;
1476
            }
B
Benjamin Kaduk 已提交
1477
            if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
1478
                                 DTLS1_COOKIE_LENGTH,
B
Benjamin Kaduk 已提交
1479
                                 &clienthello->dtls_cookie_len)) {
1480 1481 1482
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
                goto err;
1483
            }
1484 1485 1486 1487 1488 1489
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
B
Benjamin Kaduk 已提交
1490
                if (clienthello->dtls_cookie_len == 0)
1491
                    return MSG_PROCESS_FINISHED_READING;
1492
            }
1493
        }
1494

B
Benjamin Kaduk 已提交
1495
        if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
1496 1497 1498
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_LENGTH_MISMATCH);
            goto err;
1499 1500
        }

1501
        if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
1502 1503 1504
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_LENGTH_MISMATCH);
            goto err;
1505
        }
1506

1507
        /* Could be empty. */
1508
        if (PACKET_remaining(pkt) == 0) {
B
Benjamin Kaduk 已提交
1509
            PACKET_null_init(&clienthello->extensions);
1510
        } else {
1511 1512
            if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
                    || PACKET_remaining(pkt) != 0) {
1513 1514 1515
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                         SSL_R_LENGTH_MISMATCH);
                goto err;
1516 1517 1518 1519
            }
        }
    }

B
Benjamin Kaduk 已提交
1520
    if (!PACKET_copy_all(&compression, clienthello->compressions,
1521
                         MAX_COMPRESSIONS_SIZE,
B
Benjamin Kaduk 已提交
1522
                         &clienthello->compressions_len)) {
1523 1524 1525
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                 ERR_R_INTERNAL_ERROR);
        goto err;
1526 1527
    }

1528
    /* Preserve the raw extensions PACKET for later use */
B
Benjamin Kaduk 已提交
1529
    extensions = clienthello->extensions;
1530
    if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
1531
                                &clienthello->pre_proc_exts,
1532
                                &clienthello->pre_proc_exts_len, 1)) {
1533 1534
        /* SSLfatal already been called */
        goto err;
1535
    }
B
Benjamin Kaduk 已提交
1536
    s->clienthello = clienthello;
1537

B
Benjamin Kaduk 已提交
1538 1539
    return MSG_PROCESS_CONTINUE_PROCESSING;

1540
 err:
1541 1542
    if (clienthello != NULL)
        OPENSSL_free(clienthello->pre_proc_exts);
B
Benjamin Kaduk 已提交
1543 1544 1545 1546 1547
    OPENSSL_free(clienthello);

    return MSG_PROCESS_ERROR;
}

1548
static int tls_early_post_process_client_hello(SSL *s)
B
Benjamin Kaduk 已提交
1549 1550
{
    unsigned int j;
1551
    int i, al = SSL_AD_INTERNAL_ERROR;
B
Benjamin Kaduk 已提交
1552 1553 1554 1555 1556 1557 1558 1559 1560 1561
    int protverr;
    size_t loop;
    unsigned long id;
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
    STACK_OF(SSL_CIPHER) *scsvs = NULL;
    CLIENTHELLO_MSG *clienthello = s->clienthello;
1562
    DOWNGRADE dgrd = DOWNGRADE_NONE;
B
Benjamin Kaduk 已提交
1563

1564
    /* Finished parsing the ClientHello, now we can start processing it */
1565 1566 1567
    /* Give the ClientHello callback a crack at things */
    if (s->ctx->client_hello_cb != NULL) {
        /* A failure in the ClientHello callback terminates the connection. */
1568 1569 1570 1571
        switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
        case SSL_CLIENT_HELLO_SUCCESS:
            break;
        case SSL_CLIENT_HELLO_RETRY:
1572
            s->rwstate = SSL_CLIENT_HELLO_CB;
1573 1574 1575
            return -1;
        case SSL_CLIENT_HELLO_ERROR:
        default:
1576 1577 1578
            SSLfatal(s, al,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_CALLBACK_FAILED);
1579
            goto err;
B
Benjamin Kaduk 已提交
1580 1581
        }
    }
1582 1583

    /* Set up the client_random */
B
Benjamin Kaduk 已提交
1584
    memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
1585 1586 1587

    /* Choose the version */

B
Benjamin Kaduk 已提交
1588 1589 1590
    if (clienthello->isv2) {
        if (clienthello->legacy_version == SSL2_VERSION
                || (clienthello->legacy_version & 0xff00)
1591 1592
                   != (SSL3_VERSION_MAJOR << 8)) {
            /*
1593
             * This is real SSLv2 or something completely unknown. We don't
1594 1595
             * support it.
             */
1596 1597 1598
            SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_UNKNOWN_PROTOCOL);
1599 1600
            goto err;
        }
1601
        /* SSLv3/TLS */
B
Benjamin Kaduk 已提交
1602
        s->client_version = clienthello->legacy_version;
1603 1604 1605 1606 1607 1608
    }
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
    if (!SSL_IS_DTLS(s)) {
1609
        protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1610
    } else if (s->method->version != DTLS_ANY_VERSION &&
B
Benjamin Kaduk 已提交
1611
               DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
1612 1613 1614 1615 1616 1617
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
        protverr = 0;
    }

    if (protverr) {
1618
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
1619
            /* like ssl3_get_record, send alert using remote version number */
B
Benjamin Kaduk 已提交
1620
            s->version = s->client_version = clienthello->legacy_version;
1621
        }
1622 1623
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
B
Benjamin Kaduk 已提交
1624
        goto err;
1625 1626
    }

M
Matt Caswell 已提交
1627
    /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
1628
    if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1629 1630 1631
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
1632 1633 1634
        goto err;
    }

1635 1636 1637 1638
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
B
Benjamin Kaduk 已提交
1639 1640
                if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
                        clienthello->dtls_cookie_len) == 0) {
1641 1642 1643
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_COOKIE_MISMATCH);
B
Benjamin Kaduk 已提交
1644
                    goto err;
1645 1646
                    /* else cookie verification succeeded */
                }
E
Emilia Kasper 已提交
1647
                /* default verification */
B
Benjamin Kaduk 已提交
1648 1649
            } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
                    || memcmp(clienthello->dtls_cookie, s->d1->cookie,
1650
                              s->d1->cookie_len) != 0) {
1651 1652 1653
                SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_COOKIE_MISMATCH);
B
Benjamin Kaduk 已提交
1654
                goto err;
1655 1656 1657 1658
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
1659
            protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1660 1661
            if (protverr != 0) {
                s->version = s->client_version;
1662 1663
                SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
B
Benjamin Kaduk 已提交
1664
                goto err;
1665 1666 1667 1668
            }
        }
    }

1669 1670
    s->hit = 0;

1671
    if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
1672
                              clienthello->isv2) ||
1673
        !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
M
Matt Caswell 已提交
1674
                              clienthello->isv2, 1)) {
1675
        /* SSLfatal() already called */
1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686
        goto err;
    }

    s->s3->send_connection_binding = 0;
    /* Check what signalling cipher-suite values were received. */
    if (scsvs != NULL) {
        for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
            c = sk_SSL_CIPHER_value(scsvs, i);
            if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
                if (s->renegotiate) {
                    /* SCSV is fatal if renegotiating */
1687 1688 1689
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701
                    goto err;
                }
                s->s3->send_connection_binding = 1;
            } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
                       !ssl_check_version_downgrade(s)) {
                /*
                 * This SCSV indicates that the client previously tried
                 * a higher version.  We should fail if the current version
                 * is an unexpected downgrade, as that indicates that the first
                 * connection may have been tampered with in order to trigger
                 * an insecure downgrade.
                 */
1702 1703 1704
                SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_INAPPROPRIATE_FALLBACK);
1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715
                goto err;
            }
        }
    }

    /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
    if (SSL_IS_TLS13(s)) {
        const SSL_CIPHER *cipher =
            ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));

        if (cipher == NULL) {
1716 1717 1718
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_NO_SHARED_CIPHER);
1719 1720
            goto err;
        }
1721
        if (s->hello_retry_request == SSL_HRR_PENDING
1722 1723
                && (s->s3->tmp.new_cipher == NULL
                    || s->s3->tmp.new_cipher->id != cipher->id)) {
1724 1725 1726 1727
            /*
             * A previous HRR picked a different ciphersuite to the one we
             * just selected. Something must have changed.
             */
1728 1729 1730
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_BAD_CIPHER);
1731 1732 1733 1734 1735
            goto err;
        }
        s->s3->tmp.new_cipher = cipher;
    }

1736
    /* We need to do this before getting the session */
1737
    if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
1738
                             SSL_EXT_CLIENT_HELLO,
1739 1740
                             clienthello->pre_proc_exts, NULL, 0)) {
        /* SSLfatal() already called */
B
Benjamin Kaduk 已提交
1741
        goto err;
1742 1743
    }

1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759
    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
B
Benjamin Kaduk 已提交
1760
    if (clienthello->isv2 ||
1761 1762
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1763 1764
        if (!ssl_get_new_session(s, 1)) {
            /* SSLfatal() already called */
1765
            goto err;
1766
        }
1767
    } else {
1768
        i = ssl_get_prev_session(s, clienthello);
1769
        if (i == 1) {
1770 1771 1772
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
1773
            /* SSLfatal() already called */
B
Benjamin Kaduk 已提交
1774
            goto err;
1775
        } else {
1776
            /* i == 0 */
1777 1778
            if (!ssl_get_new_session(s, 1)) {
                /* SSLfatal() already called */
1779
                goto err;
1780
            }
1781
        }
1782
    }
1783

1784 1785 1786 1787 1788 1789
    if (SSL_IS_TLS13(s)) {
        memcpy(s->tmp_session_id, s->clienthello->session_id,
               s->clienthello->session_id_len);
        s->tmp_session_id_len = s->clienthello->session_id_len;
    }

1790
    /*
1791 1792
     * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
     * ciphersuite compatibility with the session as part of resumption.
1793 1794
     */
    if (!SSL_IS_TLS13(s) && s->hit) {
1795 1796
        j = 0;
        id = s->session->cipher->id;
1797

1798
#ifdef CIPHER_DEBUG
E
Emilia Kasper 已提交
1799
        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
1800
#endif
1801 1802
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1803
#ifdef CIPHER_DEBUG
1804 1805
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1806
#endif
1807 1808 1809
            if (c->id == id) {
                j = 1;
                break;
1810
            }
1811
        }
1812
        if (j == 0) {
1813
            /*
1814 1815
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1816
             */
1817 1818 1819
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_REQUIRED_CIPHER_MISSING);
B
Benjamin Kaduk 已提交
1820
            goto err;
1821
        }
1822
    }
M
Matt Caswell 已提交
1823

B
Benjamin Kaduk 已提交
1824 1825
    for (loop = 0; loop < clienthello->compressions_len; loop++) {
        if (clienthello->compressions[loop] == 0)
1826
            break;
1827
    }
1828

B
Benjamin Kaduk 已提交
1829
    if (loop >= clienthello->compressions_len) {
1830
        /* no compress */
1831 1832 1833
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                 SSL_R_NO_COMPRESSION_SPECIFIED);
B
Benjamin Kaduk 已提交
1834
        goto err;
1835
    }
1836

1837 1838
#ifndef OPENSSL_NO_EC
    if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
B
Benjamin Kaduk 已提交
1839
        ssl_check_for_safari(s, clienthello);
1840 1841
#endif                          /* !OPENSSL_NO_EC */

1842
    /* TLS extensions */
1843
    if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
1844 1845
                                  clienthello->pre_proc_exts, NULL, 0, 1)) {
        /* SSLfatal() already called */
B
Benjamin Kaduk 已提交
1846
        goto err;
1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
1858
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
1859 1860 1861
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
B
Benjamin Kaduk 已提交
1862
            goto err;
1863 1864 1865
        }
    }

1866 1867 1868 1869 1870
    if (!s->hit
            && s->version >= TLS1_VERSION
            && !SSL_IS_TLS13(s)
            && !SSL_IS_DTLS(s)
            && s->ext.session_secret_cb) {
1871
        const SSL_CIPHER *pref_cipher = NULL;
1872 1873 1874 1875 1876
        /*
         * s->session->master_key_length is a size_t, but this is an int for
         * backwards compat reasons
         */
        int master_key_length;
1877

1878
        master_key_length = sizeof(s->session->master_key);
R
Rich Salz 已提交
1879
        if (s->ext.session_secret_cb(s, s->session->master_key,
1880
                                     &master_key_length, ciphers,
1881
                                     &pref_cipher,
R
Rich Salz 已提交
1882
                                     s->ext.session_secret_cb_arg)
1883 1884
                && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
1885 1886 1887 1888 1889 1890 1891
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
D
Dr. Stephen Henson 已提交
1892 1893 1894
            if (pref_cipher == NULL)
                pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
                                                 SSL_get_ciphers(s));
1895
            if (pref_cipher == NULL) {
1896 1897 1898
                SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_NO_SHARED_CIPHER);
B
Benjamin Kaduk 已提交
1899
                goto err;
1900 1901 1902
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1903
            sk_SSL_CIPHER_free(s->cipher_list);
1904
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1905
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1906 1907 1908
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1909

1910 1911
    /*
     * Worst case, we will use the NULL compression, but if we have other
1912
     * options, we will now look for them.  We have complen-1 compression
1913 1914 1915
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1916 1917 1918 1919 1920 1921 1922
    if (SSL_IS_TLS13(s)) {
        /*
         * We already checked above that the NULL compression method appears in
         * the list. Now we check there aren't any others (which is illegal in
         * a TLSv1.3 ClientHello.
         */
        if (clienthello->compressions_len != 1) {
1923 1924 1925
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_INVALID_COMPRESSION_ALGORITHM);
1926 1927 1928
            goto err;
        }
    }
1929
#ifndef OPENSSL_NO_COMP
1930
    /* This only happens if we have a cache hit */
1931
    else if (s->session->compress_meth != 0) {
1932
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1933
        unsigned int k;
1934 1935 1936
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
1937 1938 1939
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_INCONSISTENT_COMPRESSION);
B
Benjamin Kaduk 已提交
1940
            goto err;
1941 1942 1943 1944 1945 1946 1947 1948 1949 1950
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
1951 1952 1953
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_INVALID_COMPRESSION_ALGORITHM);
B
Benjamin Kaduk 已提交
1954
            goto err;
1955 1956
        }
        /* Look for resumed method in compression list */
B
Benjamin Kaduk 已提交
1957 1958
        for (k = 0; k < clienthello->compressions_len; k++) {
            if (clienthello->compressions[k] == comp_id)
1959 1960
                break;
        }
B
Benjamin Kaduk 已提交
1961
        if (k >= clienthello->compressions_len) {
1962 1963 1964
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
B
Benjamin Kaduk 已提交
1965
            goto err;
1966
        }
1967
    } else if (s->hit) {
1968
        comp = NULL;
1969
    } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1970
        /* See if we have a match */
M
Matt Caswell 已提交
1971 1972
        int m, nn, v, done = 0;
        unsigned int o;
1973 1974 1975 1976 1977

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
B
Benjamin Kaduk 已提交
1978 1979
            for (o = 0; o < clienthello->compressions_len; o++) {
                if (v == clienthello->compressions[o]) {
1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1992
#else
1993 1994 1995 1996 1997
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
1998 1999 2000
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                 SSL_R_INCONSISTENT_COMPRESSION);
B
Benjamin Kaduk 已提交
2001
        goto err;
2002
    }
2003
#endif
2004

2005 2006 2007
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
2008

2009
    if (!s->hit || SSL_IS_TLS13(s)) {
R
Rich Salz 已提交
2010
        sk_SSL_CIPHER_free(s->session->ciphers);
2011 2012
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
2013 2014 2015
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
B
Benjamin Kaduk 已提交
2016
            goto err;
2017 2018
        }
        ciphers = NULL;
2019 2020 2021 2022 2023 2024 2025 2026
    }

    if (!s->hit) {
#ifdef OPENSSL_NO_COMP
        s->session->compress_meth = 0;
#else
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
#endif
2027
        if (!tls1_set_server_sigalgs(s)) {
2028
            /* SSLfatal() already called */
2029 2030
            goto err;
        }
M
Matt Caswell 已提交
2031 2032 2033
    }

    sk_SSL_CIPHER_free(ciphers);
B
Benjamin Kaduk 已提交
2034 2035 2036 2037 2038
    sk_SSL_CIPHER_free(scsvs);
    OPENSSL_free(clienthello->pre_proc_exts);
    OPENSSL_free(s->clienthello);
    s->clienthello = NULL;
    return 1;
M
Matt Caswell 已提交
2039 2040
 err:
    sk_SSL_CIPHER_free(ciphers);
B
Benjamin Kaduk 已提交
2041 2042 2043 2044
    sk_SSL_CIPHER_free(scsvs);
    OPENSSL_free(clienthello->pre_proc_exts);
    OPENSSL_free(s->clienthello);
    s->clienthello = NULL;
M
Matt Caswell 已提交
2045

B
Benjamin Kaduk 已提交
2046
    return 0;
M
Matt Caswell 已提交
2047 2048
}

2049 2050
/*
 * Call the status request callback if needed. Upon success, returns 1.
2051
 * Upon failure, returns 0.
2052
 */
2053
static int tls_handle_status_request(SSL *s)
2054
{
R
Rich Salz 已提交
2055
    s->ext.status_expected = 0;
2056 2057 2058 2059 2060 2061 2062

    /*
     * If status request then ask callback what to do. Note: this must be
     * called after servername callbacks in case the certificate has changed,
     * and must be called after the cipher has been chosen because this may
     * influence which certificate is sent
     */
R
Rich Salz 已提交
2063 2064
    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
            && s->ctx->ext.status_cb != NULL) {
2065
        int ret;
2066

2067
        /* If no certificate can't return certificate status */
2068
        if (s->s3->tmp.cert != NULL) {
2069 2070 2071 2072
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
2073
            s->cert->key = s->s3->tmp.cert;
R
Rich Salz 已提交
2074
            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2075 2076 2077
            switch (ret) {
                /* We don't want to send a status request response */
            case SSL_TLSEXT_ERR_NOACK:
R
Rich Salz 已提交
2078
                s->ext.status_expected = 0;
2079 2080 2081
                break;
                /* status request response should be sent */
            case SSL_TLSEXT_ERR_OK:
R
Rich Salz 已提交
2082 2083
                if (s->ext.ocsp.resp)
                    s->ext.status_expected = 1;
2084 2085 2086 2087
                break;
                /* something bad happened */
            case SSL_TLSEXT_ERR_ALERT_FATAL:
            default:
2088 2089 2090
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_HANDLE_STATUS_REQUEST,
                         SSL_R_CLIENTHELLO_TLSEXT);
2091 2092 2093 2094 2095 2096 2097 2098
                return 0;
            }
        }
    }

    return 1;
}

2099 2100
/*
 * Call the alpn_select callback if needed. Upon success, returns 1.
M
Matt Caswell 已提交
2101
 * Upon failure, returns 0.
2102
 */
2103
int tls_handle_alpn(SSL *s)
2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117
{
    const unsigned char *selected = NULL;
    unsigned char selected_len = 0;

    if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
        int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
                                           s->s3->alpn_proposed,
                                           (unsigned int)s->s3->alpn_proposed_len,
                                           s->ctx->ext.alpn_select_cb_arg);

        if (r == SSL_TLSEXT_ERR_OK) {
            OPENSSL_free(s->s3->alpn_selected);
            s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
            if (s->s3->alpn_selected == NULL) {
2118 2119
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
                         ERR_R_INTERNAL_ERROR);
2120 2121 2122 2123 2124 2125 2126
                return 0;
            }
            s->s3->alpn_selected_len = selected_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
            /* ALPN takes precedence over NPN. */
            s->s3->npn_seen = 0;
#endif
2127

2128 2129
            /* Check ALPN is consistent with session */
            if (s->session->ext.alpn_selected == NULL
2130 2131
                        || selected_len != s->session->ext.alpn_selected_len
                        || memcmp(selected, s->session->ext.alpn_selected,
2132 2133
                                  selected_len) != 0) {
                /* Not consistent so can't be used for early_data */
2134 2135
                s->ext.early_data_ok = 0;

2136
                if (!s->hit) {
2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147
                    /*
                     * This is a new session and so alpn_selected should have
                     * been initialised to NULL. We should update it with the
                     * selected ALPN.
                     */
                    if (!ossl_assert(s->session->ext.alpn_selected == NULL)) {
                        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                                 SSL_F_TLS_HANDLE_ALPN,
                                 ERR_R_INTERNAL_ERROR);
                        return 0;
                    }
2148 2149 2150
                    s->session->ext.alpn_selected = OPENSSL_memdup(selected,
                                                                   selected_len);
                    if (s->session->ext.alpn_selected == NULL) {
2151 2152 2153
                        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                                 SSL_F_TLS_HANDLE_ALPN,
                                 ERR_R_INTERNAL_ERROR);
2154 2155 2156 2157 2158 2159
                        return 0;
                    }
                    s->session->ext.alpn_selected_len = selected_len;
                }
            }

2160
            return 1;
2161
        } else if (r != SSL_TLSEXT_ERR_NOACK) {
2162 2163
            SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
                     SSL_R_NO_APPLICATION_PROTOCOL);
2164 2165
            return 0;
        }
2166 2167 2168 2169
        /*
         * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
         * present.
         */
2170 2171
    }

2172 2173 2174
    /* Check ALPN is consistent with session */
    if (s->session->ext.alpn_selected != NULL) {
        /* Not consistent so can't be used for early_data */
2175
        s->ext.early_data_ok = 0;
2176
    }
2177

2178 2179 2180
    return 1;
}

M
Matt Caswell 已提交
2181
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
2182
{
2183
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
2184 2185

    if (wst == WORK_MORE_A) {
2186
        int rv = tls_early_post_process_client_hello(s);
B
Benjamin Kaduk 已提交
2187
        if (rv == 0) {
2188 2189
            /* SSLfatal() was already called */
            goto err;
B
Benjamin Kaduk 已提交
2190 2191 2192 2193 2194 2195
        }
        if (rv < 0)
            return WORK_MORE_A;
        wst = WORK_MORE_B;
    }
    if (wst == WORK_MORE_B) {
2196
        if (!s->hit || SSL_IS_TLS13(s)) {
M
Matt Caswell 已提交
2197
            /* Let cert callback update server certificates if required */
2198
            if (!s->hit && s->cert->cert_cb != NULL) {
M
Matt Caswell 已提交
2199 2200
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
2201 2202 2203 2204
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_CERT_CB_ERROR);
                    goto err;
M
Matt Caswell 已提交
2205 2206 2207
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
B
Benjamin Kaduk 已提交
2208
                    return WORK_MORE_B;
M
Matt Caswell 已提交
2209 2210
                }
                s->rwstate = SSL_NOTHING;
2211
            }
M
Matt Caswell 已提交
2212

2213 2214 2215 2216 2217 2218
            /* In TLSv1.3 we selected the ciphersuite before resumption */
            if (!SSL_IS_TLS13(s)) {
                cipher =
                    ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

                if (cipher == NULL) {
2219 2220 2221 2222
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_NO_SHARED_CIPHER);
                    goto err;
2223 2224
                }
                s->s3->tmp.new_cipher = cipher;
2225
            }
2226
            if (!s->hit) {
2227 2228 2229 2230
                if (!tls_choose_sigalg(s, 1)) {
                    /* SSLfatal already called */
                    goto err;
                }
2231 2232 2233
                /* check whether we should disable session resumption */
                if (s->not_resumable_session_cb != NULL)
                    s->session->not_resumable =
2234 2235 2236
                        s->not_resumable_session_cb(s,
                            ((s->s3->tmp.new_cipher->algorithm_mkey
                              & (SSL_kDHE | SSL_kECDHE)) != 0));
2237 2238 2239 2240
                if (s->session->not_resumable)
                    /* do not send a session ticket */
                    s->ext.ticket_expected = 0;
            }
M
Matt Caswell 已提交
2241 2242 2243
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
2244 2245
        }

M
Matt Caswell 已提交
2246 2247 2248
        /*-
         * we now have the following setup.
         * client_random
2249 2250
         * cipher_list          - our preferred list of ciphers
         * ciphers              - the clients preferred list of ciphers
M
Matt Caswell 已提交
2251 2252 2253 2254 2255 2256
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
2257

2258 2259 2260 2261
        /*
         * Call status_request callback if needed. Has to be done after the
         * certificate callbacks etc above.
         */
2262 2263 2264
        if (!tls_handle_status_request(s)) {
            /* SSLfatal() already called */
            goto err;
M
Matt Caswell 已提交
2265
        }
2266 2267
        /*
         * Call alpn_select callback if needed.  Has to be done after SNI and
2268 2269 2270
         * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
         * we already did this because cipher negotiation happens earlier, and
         * we must handle ALPN before we decide whether to accept early_data.
2271
         */
2272 2273 2274
        if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
            /* SSLfatal() already called */
            goto err;
2275
        }
2276

B
Benjamin Kaduk 已提交
2277
        wst = WORK_MORE_C;
M
Matt Caswell 已提交
2278 2279
    }
#ifndef OPENSSL_NO_SRP
B
Benjamin Kaduk 已提交
2280
    if (wst == WORK_MORE_C) {
M
Matt Caswell 已提交
2281
        int ret;
M
Matt Caswell 已提交
2282
        if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
M
Matt Caswell 已提交
2283 2284 2285 2286
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
B
Benjamin Kaduk 已提交
2287
            return WORK_MORE_C;
M
Matt Caswell 已提交
2288
        }
M
Matt Caswell 已提交
2289 2290
        if (ret < 0) {
            /* SSLfatal() already called */
2291
            goto err;
2292 2293
        }
    }
M
Matt Caswell 已提交
2294
#endif
2295

M
Matt Caswell 已提交
2296
    return WORK_FINISHED_STOP;
2297
 err:
M
Matt Caswell 已提交
2298 2299 2300
    return WORK_ERROR;
}

2301
int tls_construct_server_hello(SSL *s, WPACKET *pkt)
2302
{
2303
    int compm;
2304
    size_t sl, len;
2305
    int version;
2306
    unsigned char *session_id;
2307
    int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING;
2308

M
Matt Caswell 已提交
2309
    version = usetls13 ? TLS1_2_VERSION : s->version;
2310
    if (!WPACKET_put_bytes_u16(pkt, version)
2311 2312 2313 2314
               /*
                * Random stuff. Filling of the server_random takes place in
                * tls_process_client_hello()
                */
M
Matt Caswell 已提交
2315
            || !WPACKET_memcpy(pkt,
2316
                               s->hello_retry_request == SSL_HRR_PENDING
M
Matt Caswell 已提交
2317 2318
                                   ? hrrrandom : s->s3->server_random,
                               SSL3_RANDOM_SIZE)) {
2319 2320 2321
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
                 ERR_R_INTERNAL_ERROR);
        return 0;
2322
    }
2323

M
Matt Caswell 已提交
2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
2336 2337
     * - In TLSv1.3 we echo back the session id sent to us by the client
     *   regardless
M
Matt Caswell 已提交
2338 2339 2340 2341 2342 2343 2344 2345 2346
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

M
Matt Caswell 已提交
2347
    if (usetls13) {
2348 2349 2350 2351 2352 2353 2354
        sl = s->tmp_session_id_len;
        session_id = s->tmp_session_id;
    } else {
        sl = s->session->session_id_length;
        session_id = s->session->session_id;
    }

2355
    if (sl > sizeof(s->session->session_id)) {
2356 2357 2358
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
                 ERR_R_INTERNAL_ERROR);
        return 0;
M
Matt Caswell 已提交
2359
    }
2360

2361
    /* set up the compression method */
2362
#ifdef OPENSSL_NO_COMP
2363
    compm = 0;
2364
#else
M
Matt Caswell 已提交
2365
    if (usetls13 || s->s3->tmp.new_compression == NULL)
2366
        compm = 0;
M
Matt Caswell 已提交
2367
    else
2368
        compm = s->s3->tmp.new_compression->id;
2369
#endif
2370

M
Matt Caswell 已提交
2371
    if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
2372
            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
2373
            || !WPACKET_put_bytes_u8(pkt, compm)
2374
            || !tls_construct_extensions(s, pkt,
M
Matt Caswell 已提交
2375
                                         s->hello_retry_request
2376
                                            == SSL_HRR_PENDING
M
Matt Caswell 已提交
2377 2378 2379 2380
                                            ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
                                            : (SSL_IS_TLS13(s)
                                                ? SSL_EXT_TLS1_3_SERVER_HELLO
                                                : SSL_EXT_TLS1_2_SERVER_HELLO),
2381 2382 2383
                                         NULL, 0)) {
        /* SSLfatal() already called */
        return 0;
2384
    }
2385

2386
    if (s->hello_retry_request == SSL_HRR_PENDING) {
M
Matt Caswell 已提交
2387 2388 2389 2390 2391 2392 2393 2394 2395
        /* Ditch the session. We'll create a new one next time around */
        SSL_SESSION_free(s->session);
        s->session = NULL;
        s->hit = 0;

        /*
         * Re-initialise the Transcript Hash. We're going to prepopulate it with
         * a synthetic message_hash in place of ClientHello1.
         */
2396
        if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
M
Matt Caswell 已提交
2397 2398 2399 2400 2401
            /* SSLfatal() already called */
            return 0;
        }
    } else if (!(s->verify_mode & SSL_VERIFY_PEER)
                && !ssl3_digest_cached_records(s, 0)) {
2402 2403
        /* SSLfatal() already called */;
        return 0;
2404 2405
    }

M
Matt Caswell 已提交
2406
    return 1;
2407
}
2408

2409
int tls_construct_server_done(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
2410 2411
{
    if (!s->s3->tmp.cert_request) {
2412
        if (!ssl3_digest_cached_records(s, 0)) {
2413
            /* SSLfatal() already called */
2414 2415
            return 0;
        }
M
Matt Caswell 已提交
2416 2417 2418 2419
    }
    return 1;
}

2420
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
2421
{
2422
#ifndef OPENSSL_NO_DH
2423
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
2424
#endif
2425
#ifndef OPENSSL_NO_EC
2426
    unsigned char *encodedPoint = NULL;
2427
    size_t encodedlen = 0;
2428
    int curve_id = 0;
2429
#endif
2430
    const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
2431
    int i;
2432
    unsigned long type;
2433
    const BIGNUM *r[4];
2434
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
2435
    EVP_PKEY_CTX *pctx = NULL;
2436 2437
    size_t paramlen, paramoffset;

2438
    if (!WPACKET_get_total_written(pkt, &paramoffset)) {
2439 2440 2441
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto err;
2442
    }
2443

2444
    if (md_ctx == NULL) {
2445 2446 2447
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        goto err;
2448
    }
2449

M
Matt Caswell 已提交
2450 2451 2452
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    r[0] = r[1] = r[2] = r[3] = NULL;
2453
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2454 2455 2456
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
2457
#endif                          /* !OPENSSL_NO_PSK */
2458
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
2459
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
2460 2461
        CERT *cert = s->cert;

2462 2463 2464
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
2465
        if (s->cert->dh_tmp_auto) {
2466 2467 2468 2469
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
2470 2471 2472 2473
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
                goto err;
2474
            }
2475 2476 2477 2478 2479 2480 2481 2482 2483
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
2484 2485 2486 2487
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
                goto err;
2488 2489 2490 2491
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
2492 2493 2494 2495
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_MISSING_TMP_DH_KEY);
            goto err;
M
Matt Caswell 已提交
2496 2497
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
2498
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
2499 2500 2501 2502
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_DH_KEY_TOO_SMALL);
            goto err;
M
Matt Caswell 已提交
2503
        }
2504
        if (s->s3->tmp.pkey != NULL) {
2505 2506 2507
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2508 2509
            goto err;
        }
2510

D
Dr. Stephen Henson 已提交
2511
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
2512
        if (s->s3->tmp.pkey == NULL) {
2513
            /* SSLfatal() already called */
2514
            goto err;
M
Matt Caswell 已提交
2515
        }
2516 2517

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);
2518 2519 2520 2521 2522 2523
        if (dh == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
        }
2524 2525 2526 2527

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
2528 2529
        DH_get0_pqg(dh, &r[0], NULL, &r[1]);
        DH_get0_key(dh, &r[2], NULL);
M
Matt Caswell 已提交
2530
    } else
2531
#endif
2532
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2533 2534
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {

D
Dr. Stephen Henson 已提交
2535
        if (s->s3->tmp.pkey != NULL) {
2536 2537 2538
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2539 2540 2541
            goto err;
        }

2542
        /* Get NID of appropriate shared curve */
2543
        curve_id = tls1_shared_group(s, -2);
2544
        if (curve_id == 0) {
2545 2546 2547
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
M
Matt Caswell 已提交
2548 2549
            goto err;
        }
2550
        s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id);
D
Dr. Stephen Henson 已提交
2551 2552
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
2553 2554
            /* SSLfatal() already called */
            goto err;
2555 2556
        }

D
Dr. Stephen Henson 已提交
2557
        /* Encode the public key. */
2558 2559
        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
                                                    &encodedPoint);
M
Matt Caswell 已提交
2560
        if (encodedlen == 0) {
2561 2562
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
2563 2564
            goto err;
        }
2565

M
Matt Caswell 已提交
2566 2567 2568 2569 2570 2571 2572 2573 2574
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
2575
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
2576
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2577 2578 2579 2580
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
2581 2582 2583
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_MISSING_SRP_PARAM);
M
Matt Caswell 已提交
2584
            goto err;
2585
        }
M
Matt Caswell 已提交
2586 2587 2588 2589 2590 2591 2592
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
2593 2594 2595 2596
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto err;
M
Matt Caswell 已提交
2597
    }
2598

2599 2600 2601 2602
    if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
        || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
        lu = NULL;
    } else if (lu == NULL) {
2603 2604 2605
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto err;
M
Matt Caswell 已提交
2606
    }
2607

2608
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2609
    if (type & SSL_PSK) {
2610 2611 2612 2613 2614 2615 2616 2617
        size_t len = (s->cert->psk_identity_hint == NULL)
                        ? 0 : strlen(s->cert->psk_identity_hint);

        /*
         * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
         * checked this when we set the identity hint - but just in case
         */
        if (len > PSK_MAX_IDENTITY_LEN
2618
                || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2619
                                           len)) {
2620 2621 2622 2623
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2624
        }
M
Matt Caswell 已提交
2625
    }
2626 2627
#endif

M
Matt Caswell 已提交
2628
    for (i = 0; i < 4 && r[i] != NULL; i++) {
2629 2630 2631
        unsigned char *binval;
        int res;

B
Ben Laurie 已提交
2632
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2633
        if ((i == 2) && (type & SSL_kSRP)) {
2634
            res = WPACKET_start_sub_packet_u8(pkt);
M
Matt Caswell 已提交
2635
        } else
2636
#endif
2637
            res = WPACKET_start_sub_packet_u16(pkt);
2638 2639

        if (!res) {
2640 2641 2642 2643
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2644 2645
        }

2646
#ifndef OPENSSL_NO_DH
E
Emilia Kasper 已提交
2647
        /*-
2648 2649 2650 2651 2652
         * for interoperability with some versions of the Microsoft TLS
         * stack, we need to zero pad the DHE pub key to the same length
         * as the prime
         */
        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2653
            size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
M
Matt Caswell 已提交
2654

2655
            if (len > 0) {
2656
                if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2657 2658 2659 2660
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                             ERR_R_INTERNAL_ERROR);
                    goto err;
2661 2662
                }
                memset(binval, 0, len);
2663
            }
2664
        }
B
Ben Laurie 已提交
2665
#endif
2666 2667
        if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
                || !WPACKET_close(pkt)) {
2668 2669 2670 2671
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2672 2673 2674
        }

        BN_bn2bin(r[i], binval);
M
Matt Caswell 已提交
2675
    }
2676

2677
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2678 2679
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
2680 2681 2682 2683
         * We only support named (not generic) curves. In this situation, the
         * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
         * [1 byte length of encoded point], followed by the actual encoded
         * point itself
M
Matt Caswell 已提交
2684
         */
2685 2686 2687 2688
        if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
                || !WPACKET_put_bytes_u8(pkt, 0)
                || !WPACKET_put_bytes_u8(pkt, curve_id)
                || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2689 2690 2691 2692
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2693
        }
M
Matt Caswell 已提交
2694 2695 2696
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
    }
B
Bodo Möller 已提交
2697 2698
#endif

M
Matt Caswell 已提交
2699
    /* not anonymous */
2700
    if (lu != NULL) {
2701
        EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
2702 2703 2704 2705
        const EVP_MD *md;
        unsigned char *sigbytes1, *sigbytes2, *tbs;
        size_t siglen, tbslen;
        int rv;
2706

D
Dr. Stephen Henson 已提交
2707
        if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
2708
            /* Should never happen */
2709 2710 2711 2712
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2713 2714 2715
        }
        /* Get length of the parameters we have written above */
        if (!WPACKET_get_length(pkt, &paramlen)) {
2716 2717 2718 2719
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2720 2721
        }
        /* send signature algorithm */
2722 2723 2724 2725 2726 2727
        if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
        }
2728 2729 2730 2731 2732 2733 2734 2735 2736
        /*
         * Create the signature. We don't know the actual length of the sig
         * until after we've created it, so we reserve enough bytes for it
         * up front, and then properly allocate them in the WPACKET
         * afterwards.
         */
        siglen = EVP_PKEY_size(pkey);
        if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
            || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
2737 2738 2739 2740
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2741 2742 2743 2744
        }
        if (lu->sig == EVP_PKEY_RSA_PSS) {
            if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
                || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
2745 2746 2747 2748
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                        ERR_R_EVP_LIB);
                goto err;
2749
            }
2750
        }
2751 2752 2753 2754
        tbslen = construct_key_exchange_tbs(s, &tbs,
                                            s->init_buf->data + paramoffset,
                                            paramlen);
        if (tbslen == 0) {
2755 2756
            /* SSLfatal() already called */
            goto err;
2757 2758 2759 2760
        }
        rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
        OPENSSL_free(tbs);
        if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2761
            || sigbytes1 != sigbytes2) {
2762 2763 2764 2765
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
M
Matt Caswell 已提交
2766
        }
2767 2768
    }

2769
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2770
    return 1;
2771
 err:
2772 2773 2774
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
2775
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2776
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
2777
#endif
2778
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2779
    return 0;
2780
}
2781

2782
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
2783
{
2784
    if (SSL_IS_TLS13(s)) {
2785 2786 2787 2788 2789
        /* Send random context when doing post-handshake auth */
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            OPENSSL_free(s->pha_context);
            s->pha_context_len = 32;
            if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
2790
                    || RAND_bytes(s->pha_context, s->pha_context_len) <= 0
2791 2792 2793 2794 2795 2796 2797 2798 2799 2800 2801 2802 2803 2804 2805 2806 2807 2808
                    || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
            /* reset the handshake hash back to just after the ClientFinished */
            if (!tls13_restore_handshake_digest_for_pha(s)) {
                /* SSLfatal() already called */
                return 0;
            }
        } else {
            if (!WPACKET_put_bytes_u8(pkt, 0)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
2809
        }
2810

2811 2812
        if (!tls_construct_extensions(s, pkt,
                                      SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
2813 2814 2815
                                      0)) {
            /* SSLfatal() already called */
            return 0;
2816
        }
2817 2818 2819 2820 2821 2822
        goto done;
    }

    /* get the list of acceptable cert types */
    if (!WPACKET_start_sub_packet_u8(pkt)
        || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
2823 2824 2825
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
2826
    }
2827

M
Matt Caswell 已提交
2828
    if (SSL_USE_SIGALGS(s)) {
2829
        const uint16_t *psigs;
2830
        size_t nl = tls12_get_psigalgs(s, 1, &psigs);
2831

2832
        if (!WPACKET_start_sub_packet_u16(pkt)
2833
                || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
2834 2835
                || !tls12_copy_sigalgs(s, pkt, psigs, nl)
                || !WPACKET_close(pkt)) {
2836 2837 2838 2839
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                     ERR_R_INTERNAL_ERROR);
            return 0;
2840
        }
M
Matt Caswell 已提交
2841
    }
2842

2843
    if (!construct_ca_names(s, pkt)) {
2844 2845
        /* SSLfatal() already called */
        return 0;
2846
    }
M
Matt Caswell 已提交
2847

2848
 done:
2849
    s->certreqs_sent++;
M
Matt Caswell 已提交
2850 2851
    s->s3->tmp.cert_request = 1;
    return 1;
2852
}
2853

2854
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2855
{
2856
#ifndef OPENSSL_NO_PSK
2857 2858 2859
    unsigned char psk[PSK_MAX_PSK_LEN];
    size_t psklen;
    PACKET psk_identity;
2860

2861
    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
2862 2863
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_LENGTH_MISMATCH);
2864 2865 2866
        return 0;
    }
    if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2867 2868
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_DATA_LENGTH_TOO_LONG);
2869 2870 2871
        return 0;
    }
    if (s->psk_server_callback == NULL) {
2872 2873
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_PSK_NO_SERVER_CB);
2874 2875
        return 0;
    }
2876

2877
    if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
2878 2879
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 ERR_R_INTERNAL_ERROR);
2880 2881
        return 0;
    }
2882

2883
    psklen = s->psk_server_callback(s, s->session->psk_identity,
E
Emilia Kasper 已提交
2884
                                    psk, sizeof(psk));
2885

2886
    if (psklen > PSK_MAX_PSK_LEN) {
2887 2888
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 ERR_R_INTERNAL_ERROR);
2889 2890 2891 2892 2893
        return 0;
    } else if (psklen == 0) {
        /*
         * PSK related to the given identity not found
         */
2894 2895 2896
        SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
                 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_PSK_IDENTITY_NOT_FOUND);
2897 2898
        return 0;
    }
2899

2900 2901 2902
    OPENSSL_free(s->s3->tmp.psk);
    s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
    OPENSSL_cleanse(psk, psklen);
2903

2904
    if (s->s3->tmp.psk == NULL) {
2905 2906
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2907
        return 0;
2908
    }
2909 2910 2911 2912 2913 2914

    s->s3->tmp.psklen = psklen;

    return 1;
#else
    /* Should never happen */
2915 2916
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
             ERR_R_INTERNAL_ERROR);
2917
    return 0;
2918
#endif
2919 2920
}

2921
static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
2922
{
2923
#ifndef OPENSSL_NO_RSA
2924 2925 2926 2927 2928 2929 2930 2931 2932
    unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
    int decrypt_len;
    unsigned char decrypt_good, version_good;
    size_t j, padding_len;
    PACKET enc_premaster;
    RSA *rsa = NULL;
    unsigned char *rsa_decrypt = NULL;
    int ret = 0;

2933
    rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
2934
    if (rsa == NULL) {
2935 2936
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 SSL_R_MISSING_RSA_CERTIFICATE);
2937 2938 2939 2940 2941 2942 2943 2944 2945
        return 0;
    }

    /* SSLv3 and pre-standard DTLS omit the length bytes. */
    if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
        enc_premaster = *pkt;
    } else {
        if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
            || PACKET_remaining(pkt) != 0) {
2946 2947
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                     SSL_R_LENGTH_MISMATCH);
2948
            return 0;
2949
        }
2950
    }
2951

2952 2953 2954 2955 2956 2957 2958
    /*
     * We want to be sure that the plaintext buffer size makes it safe to
     * iterate over the entire size of a premaster secret
     * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
     * their ciphertext cannot accommodate a premaster secret anyway.
     */
    if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
2959 2960
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 RSA_R_KEY_SIZE_TOO_SMALL);
2961 2962
        return 0;
    }
2963

2964 2965
    rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
    if (rsa_decrypt == NULL) {
2966 2967
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 ERR_R_MALLOC_FAILURE);
2968 2969
        return 0;
    }
2970

2971 2972 2973 2974 2975 2976 2977
    /*
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). The code follows that advice of the TLS RFC and
     * generates a random premaster secret for the case that the decrypt
     * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
     */
2978

2979
    if (RAND_priv_bytes(rand_premaster_secret,
2980 2981 2982
                      sizeof(rand_premaster_secret)) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 ERR_R_INTERNAL_ERROR);
2983
        goto err;
2984
    }
2985

2986 2987 2988 2989
    /*
     * Decrypt with no padding. PKCS#1 padding will be removed as part of
     * the timing-sensitive code below.
     */
2990 2991 2992 2993
     /* TODO(size_t): Convert this function */
    decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
                                           PACKET_data(&enc_premaster),
                                           rsa_decrypt, rsa, RSA_NO_PADDING);
2994 2995 2996
    if (decrypt_len < 0) {
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 ERR_R_INTERNAL_ERROR);
2997
        goto err;
2998
    }
2999

3000
    /* Check the padding. See RFC 3447, section 7.2.2. */
3001

3002 3003 3004 3005 3006 3007
    /*
     * The smallest padded premaster is 11 bytes of overhead. Small keys
     * are publicly invalid, so this may return immediately. This ensures
     * PS is at least 8 bytes.
     */
    if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
3008 3009
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 SSL_R_DECRYPTION_FAILED);
3010 3011
        goto err;
    }
3012

3013 3014
    padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
    decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
E
Emilia Kasper 已提交
3015
        constant_time_eq_int_8(rsa_decrypt[1], 2);
3016 3017 3018 3019
    for (j = 2; j < padding_len - 1; j++) {
        decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
    }
    decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
3020

3021 3022 3023 3024 3025 3026 3027 3028 3029 3030 3031 3032 3033 3034
    /*
     * If the version in the decrypted pre-master secret is correct then
     * version_good will be 0xff, otherwise it'll be zero. The
     * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
     * (http://eprint.iacr.org/2003/052/) exploits the version number
     * check as a "bad version oracle". Thus version checks are done in
     * constant time and are treated like any other decryption error.
     */
    version_good =
        constant_time_eq_8(rsa_decrypt[padding_len],
                           (unsigned)(s->client_version >> 8));
    version_good &=
        constant_time_eq_8(rsa_decrypt[padding_len + 1],
                           (unsigned)(s->client_version & 0xff));
3035

3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049
    /*
     * The premaster secret must contain the same version number as the
     * ClientHello to detect version rollback attacks (strangely, the
     * protocol does not offer such protection for DH ciphersuites).
     * However, buggy clients exist that send the negotiated protocol
     * version instead if the server does not support the requested
     * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
     * clients.
     */
    if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
        unsigned char workaround_good;
        workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
                                             (unsigned)(s->version >> 8));
        workaround_good &=
3050
            constant_time_eq_8(rsa_decrypt[padding_len + 1],
3051 3052 3053
                               (unsigned)(s->version & 0xff));
        version_good |= workaround_good;
    }
3054

3055 3056 3057 3058 3059
    /*
     * Both decryption and version must be good for decrypt_good to
     * remain non-zero (0xff).
     */
    decrypt_good &= version_good;
3060

3061 3062 3063 3064 3065 3066 3067 3068 3069 3070 3071 3072
    /*
     * Now copy rand_premaster_secret over from p using
     * decrypt_good_mask. If decryption failed, then p does not
     * contain valid plaintext, however, a check above guarantees
     * it is still sufficiently large to read from.
     */
    for (j = 0; j < sizeof(rand_premaster_secret); j++) {
        rsa_decrypt[padding_len + j] =
            constant_time_select_8(decrypt_good,
                                   rsa_decrypt[padding_len + j],
                                   rand_premaster_secret[j]);
    }
3073

3074 3075
    if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
                                    sizeof(rand_premaster_secret), 0)) {
3076
        /* SSLfatal() already called */
3077 3078
        goto err;
    }
3079

3080 3081 3082 3083 3084 3085
    ret = 1;
 err:
    OPENSSL_free(rsa_decrypt);
    return ret;
#else
    /* Should never happen */
3086 3087
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
             ERR_R_INTERNAL_ERROR);
3088 3089 3090 3091
    return 0;
#endif
}

3092
static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
3093 3094 3095 3096 3097 3098 3099 3100 3101 3102
{
#ifndef OPENSSL_NO_DH
    EVP_PKEY *skey = NULL;
    DH *cdh;
    unsigned int i;
    BIGNUM *pub_key;
    const unsigned char *data;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

D
Dr. Stephen Henson 已提交
3103
    if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
3104
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3105 3106 3107 3108 3109
               SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
        goto err;
    }
    skey = s->s3->tmp.pkey;
    if (skey == NULL) {
3110 3111
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 SSL_R_MISSING_TMP_DH_KEY);
3112 3113 3114 3115
        goto err;
    }

    if (PACKET_remaining(pkt) == 0L) {
3116 3117
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 SSL_R_MISSING_TMP_DH_KEY);
3118 3119 3120 3121
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, i)) {
        /* We already checked we have enough data */
3122 3123
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 ERR_R_INTERNAL_ERROR);
3124 3125 3126 3127
        goto err;
    }
    ckey = EVP_PKEY_new();
    if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
3128 3129
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 SSL_R_BN_LIB);
3130 3131 3132 3133 3134 3135
        goto err;
    }
    cdh = EVP_PKEY_get0_DH(ckey);
    pub_key = BN_bin2bn(data, i, NULL);

    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
3136 3137
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 ERR_R_INTERNAL_ERROR);
3138 3139 3140 3141 3142
        if (pub_key != NULL)
            BN_free(pub_key);
        goto err;
    }

3143
    if (ssl_derive(s, skey, ckey, 1) == 0) {
3144
        /* SSLfatal() already called */
3145 3146 3147 3148 3149 3150 3151 3152 3153 3154 3155
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);
    return ret;
#else
    /* Should never happen */
3156 3157
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
             ERR_R_INTERNAL_ERROR);
3158 3159 3160 3161
    return 0;
#endif
}

3162
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
3163 3164 3165 3166 3167 3168 3169 3170
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *skey = s->s3->tmp.pkey;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

    if (PACKET_remaining(pkt) == 0L) {
        /* We don't support ECDH client auth */
3171 3172
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
                 SSL_R_MISSING_TMP_ECDH_KEY);
3173 3174 3175 3176 3177 3178 3179 3180 3181 3182 3183
        goto err;
    } else {
        unsigned int i;
        const unsigned char *data;

        /*
         * Get client's public key from encoded point in the
         * ClientKeyExchange message.
         */

        /* Get encoded point length */
D
Dr. Stephen Henson 已提交
3184 3185
        if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
            || PACKET_remaining(pkt) != 0) {
3186 3187
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
                     SSL_R_LENGTH_MISMATCH);
3188 3189 3190 3191
            goto err;
        }
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
3192 3193
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
                     ERR_R_EVP_LIB);
3194 3195
            goto err;
        }
3196
        if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
3197 3198
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
                     ERR_R_EC_LIB);
3199 3200 3201 3202
            goto err;
        }
    }

3203
    if (ssl_derive(s, skey, ckey, 1) == 0) {
3204
        /* SSLfatal() already called */
3205 3206 3207 3208 3209 3210 3211 3212 3213 3214 3215 3216
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);

    return ret;
#else
    /* Should never happen */
3217 3218
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
             ERR_R_INTERNAL_ERROR);
3219 3220 3221 3222
    return 0;
#endif
}

3223
static int tls_process_cke_srp(SSL *s, PACKET *pkt)
3224 3225 3226 3227 3228 3229
{
#ifndef OPENSSL_NO_SRP
    unsigned int i;
    const unsigned char *data;

    if (!PACKET_get_net_2(pkt, &i)
E
Emilia Kasper 已提交
3230
        || !PACKET_get_bytes(pkt, &data, i)) {
3231 3232
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
                 SSL_R_BAD_SRP_A_LENGTH);
3233 3234 3235
        return 0;
    }
    if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
3236 3237
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
                 ERR_R_BN_LIB);
3238 3239
        return 0;
    }
E
Emilia Kasper 已提交
3240
    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
3241 3242
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
                 SSL_R_BAD_SRP_PARAMETERS);
3243 3244 3245 3246 3247
        return 0;
    }
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
3248 3249
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
                 ERR_R_MALLOC_FAILURE);
3250 3251 3252 3253
        return 0;
    }

    if (!srp_generate_server_master_secret(s)) {
3254
        /* SSLfatal() already called */
3255 3256 3257 3258 3259 3260
        return 0;
    }

    return 1;
#else
    /* Should never happen */
3261 3262
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
             ERR_R_INTERNAL_ERROR);
3263 3264 3265 3266
    return 0;
#endif
}

3267
static int tls_process_cke_gost(SSL *s, PACKET *pkt)
3268 3269 3270 3271 3272 3273 3274 3275
{
#ifndef OPENSSL_NO_GOST
    EVP_PKEY_CTX *pkey_ctx;
    EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
    unsigned char premaster_secret[32];
    const unsigned char *start;
    size_t outlen = 32, inlen;
    unsigned long alg_a;
M
Matt Caswell 已提交
3276
    unsigned int asn1id, asn1len;
3277
    int ret = 0;
M
Matt Caswell 已提交
3278
    PACKET encdata;
3279 3280 3281 3282 3283 3284 3285 3286 3287 3288 3289 3290 3291 3292 3293 3294 3295 3296 3297 3298

    /* Get our certificate private key */
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
    if (alg_a & SSL_aGOST12) {
        /*
         * New GOST ciphersuites have SSL_aGOST01 bit too
         */
        pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
        }
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
        }
    } else if (alg_a & SSL_aGOST01) {
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

    pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
    if (pkey_ctx == NULL) {
3299 3300
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 ERR_R_MALLOC_FAILURE);
3301 3302 3303
        return 0;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
3304 3305
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 ERR_R_INTERNAL_ERROR);
3306 3307 3308 3309 3310 3311 3312 3313 3314 3315 3316 3317 3318 3319
        return 0;
    }
    /*
     * If client certificate is present and is of the same type, maybe
     * use it for key exchange.  Don't mind errors from
     * EVP_PKEY_derive_set_peer, because it is completely valid to use a
     * client certificate for authorization only.
     */
    client_pub_pkey = X509_get0_pubkey(s->session->peer);
    if (client_pub_pkey) {
        if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
            ERR_clear_error();
    }
    /* Decrypt session key */
M
Matt Caswell 已提交
3320 3321 3322 3323 3324
    if (!PACKET_get_1(pkt, &asn1id)
            || asn1id != (V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
            || !PACKET_peek_1(pkt, &asn1len)) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 SSL_R_DECRYPTION_FAILED);
3325 3326
        goto err;
    }
M
Matt Caswell 已提交
3327 3328 3329 3330 3331 3332 3333 3334 3335 3336 3337 3338 3339 3340 3341 3342 3343 3344 3345 3346 3347 3348
    if (asn1len == 0x81) {
        /*
         * Long form length. Should only be one byte of length. Anything else
         * isn't supported.
         * We did a successful peek before so this shouldn't fail
         */
        if (!PACKET_forward(pkt, 1)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                     SSL_R_DECRYPTION_FAILED);
            goto err;
        }
    } else  if (asn1len >= 0x80) {
        /*
         * Indefinite length, or more than one long form length bytes. We don't
         * support it
         */
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 SSL_R_DECRYPTION_FAILED);
        goto err;
    } /* else short form length */

    if (!PACKET_as_length_prefixed_1(pkt, &encdata)) {
3349 3350
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 SSL_R_DECRYPTION_FAILED);
3351 3352
        goto err;
    }
M
Matt Caswell 已提交
3353 3354 3355
    inlen = PACKET_remaining(&encdata);
    start = PACKET_data(&encdata);

3356 3357 3358 3359
    if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
                         inlen) <= 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 SSL_R_DECRYPTION_FAILED);
3360 3361 3362 3363 3364
        goto err;
    }
    /* Generate master secret */
    if (!ssl_generate_master_secret(s, premaster_secret,
                                    sizeof(premaster_secret), 0)) {
3365
        /* SSLfatal() already called */
3366 3367 3368
        goto err;
    }
    /* Check if pubkey from client certificate was used */
3369 3370
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
                          NULL) > 0)
3371 3372 3373 3374 3375 3376 3377 3378
        s->statem.no_cert_verify = 1;

    ret = 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    return ret;
#else
    /* Should never happen */
3379 3380
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
             ERR_R_INTERNAL_ERROR);
3381 3382 3383 3384
    return 0;
#endif
}

3385 3386 3387 3388 3389 3390 3391
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    unsigned long alg_k;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* For PSK parse and retrieve identity, obtain PSK key */
3392 3393
    if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
        /* SSLfatal() already called */
3394
        goto err;
3395
    }
3396 3397 3398 3399

    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
3400 3401 3402
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                     SSL_R_LENGTH_MISMATCH);
3403
            goto err;
3404 3405 3406
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
3407
            /* SSLfatal() already called */
3408
            goto err;
M
Matt Caswell 已提交
3409
        }
3410
    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
3411 3412
        if (!tls_process_cke_rsa(s, pkt)) {
            /* SSLfatal() already called */
3413
            goto err;
3414
        }
3415
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
3416 3417
        if (!tls_process_cke_dhe(s, pkt)) {
            /* SSLfatal() already called */
3418
            goto err;
3419
        }
3420
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
3421 3422
        if (!tls_process_cke_ecdhe(s, pkt)) {
            /* SSLfatal() already called */
3423
            goto err;
3424
        }
3425
    } else if (alg_k & SSL_kSRP) {
3426 3427
        if (!tls_process_cke_srp(s, pkt)) {
            /* SSLfatal() already called */
3428
            goto err;
3429
        }
3430
    } else if (alg_k & SSL_kGOST) {
3431 3432
        if (!tls_process_cke_gost(s, pkt)) {
            /* SSLfatal() already called */
3433
            goto err;
3434
        }
3435
    } else {
3436 3437 3438
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                 SSL_R_UNKNOWN_CIPHER_TYPE);
3439
        goto err;
3440 3441
    }

M
Matt Caswell 已提交
3442
    return MSG_PROCESS_CONTINUE_PROCESSING;
3443
 err:
3444 3445 3446
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
3447
#endif
M
Matt Caswell 已提交
3448
    return MSG_PROCESS_ERROR;
3449
}
3450

M
Matt Caswell 已提交
3451
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
3452 3453
{
#ifndef OPENSSL_NO_SCTP
3454 3455 3456 3457 3458 3459 3460 3461
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
3462 3463
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
3464 3465

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
3466 3467 3468
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
3469 3470 3471
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
F
FdaSilvaYY 已提交
3472
                return WORK_ERROR;
3473
            }
3474

3475 3476
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
3477 3478 3479 3480
        }
    }
#endif

3481
    if (s->statem.no_cert_verify || !s->session->peer) {
E
Emilia Kasper 已提交
3482 3483 3484
        /*
         * No certificate verify or no peer certificate so we no longer need
         * the handshake_buffer
3485 3486
         */
        if (!ssl3_digest_cached_records(s, 0)) {
3487
            /* SSLfatal() already called */
3488 3489
            return WORK_ERROR;
        }
3490
        return WORK_FINISHED_CONTINUE;
3491
    } else {
3492
        if (!s->s3->handshake_buffer) {
3493 3494 3495
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
3496 3497 3498 3499 3500 3501 3502
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
3503
            /* SSLfatal() already called */
3504 3505 3506 3507 3508 3509 3510
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
3511
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3512
{
3513
    int i;
3514
    MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3515
    X509 *x = NULL;
3516
    unsigned long l;
E
Emilia Kasper 已提交
3517
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
3518
    STACK_OF(X509) *sk = NULL;
3519
    PACKET spkt, context;
3520
    size_t chainidx;
3521
    SSL_SESSION *new_sess = NULL;
3522 3523

    if ((sk = sk_X509_new_null()) == NULL) {
3524 3525 3526
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                 ERR_R_MALLOC_FAILURE);
        goto err;
3527 3528
    }

3529 3530 3531 3532 3533 3534 3535 3536 3537 3538
    if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
                            || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
                            || (s->pha_context != NULL &&
                                !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                 SSL_R_INVALID_CONTEXT);
        goto err;
    }

    if (!PACKET_get_length_prefixed_3(pkt, &spkt)
3539
            || PACKET_remaining(pkt) != 0) {
3540 3541 3542
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                 SSL_R_LENGTH_MISMATCH);
        goto err;
3543
    }
3544

3545
    for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
3546
        if (!PACKET_get_net_3(&spkt, &l)
E
Emilia Kasper 已提交
3547
            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3548 3549 3550 3551
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_CERT_LENGTH_MISMATCH);
            goto err;
3552 3553
        }

3554 3555
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3556
        if (x == NULL) {
3557 3558 3559
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto err;
3560
        }
3561
        if (certbytes != (certstart + l)) {
3562 3563 3564 3565
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_CERT_LENGTH_MISMATCH);
            goto err;
3566
        }
3567 3568 3569 3570 3571 3572

        if (SSL_IS_TLS13(s)) {
            RAW_EXTENSION *rawexts = NULL;
            PACKET extensions;

            if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
3573 3574 3575 3576
                SSLfatal(s, SSL_AD_DECODE_ERROR,
                         SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                         SSL_R_BAD_LENGTH);
                goto err;
3577
            }
3578 3579
            if (!tls_collect_extensions(s, &extensions,
                                        SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
3580
                                        NULL, chainidx == 0)
3581
                || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
3582
                                             rawexts, x, chainidx,
3583
                                             PACKET_remaining(&spkt) == 0)) {
3584
                OPENSSL_free(rawexts);
3585
                goto err;
3586 3587
            }
            OPENSSL_free(rawexts);
3588 3589
        }

3590
        if (!sk_X509_push(sk, x)) {
3591 3592 3593 3594
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     ERR_R_MALLOC_FAILURE);
            goto err;
3595 3596 3597 3598 3599 3600 3601
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
3602 3603 3604 3605
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_NO_CERTIFICATES_RETURNED);
            goto err;
3606 3607 3608 3609
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3610 3611 3612 3613
            SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            goto err;
3614 3615
        }
        /* No client certificate so digest cached records */
3616
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3617 3618
            /* SSLfatal() already called */
            goto err;
3619 3620 3621 3622 3623
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
R
Rich Salz 已提交
3624
            SSLfatal(s, ssl_x509err2alert(s->verify_result),
3625 3626 3627
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto err;
3628 3629
        }
        if (i > 1) {
3630 3631 3632
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
            goto err;
3633
        }
3634
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
3635
        if (pkey == NULL) {
3636 3637 3638 3639
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto err;
3640 3641 3642
        }
    }

3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 3662 3663 3664 3665 3666 3667 3668 3669 3670 3671
    /*
     * Sessions must be immutable once they go into the session cache. Otherwise
     * we can get multi-thread problems. Therefore we don't "update" sessions,
     * we replace them with a duplicate. Here, we need to do this every time
     * a new certificate is received via post-handshake authentication, as the
     * session may have already gone into the session cache.
     */

    if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
        int m = s->session_ctx->session_cache_mode;

        if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     ERR_R_MALLOC_FAILURE);
            goto err;
        }

        if (m & SSL_SESS_CACHE_SERVER) {
            /*
             * Remove the old session from the cache. We carry on if this fails
             */
            SSL_CTX_remove_session(s->session_ctx, s->session);
        }

        SSL_SESSION_free(s->session);
        s->session = new_sess;
    }

R
Rich Salz 已提交
3672
    X509_free(s->session->peer);
3673 3674 3675
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

3676 3677
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
3678 3679 3680 3681 3682

    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
     * message
     */
3683
    if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
3684 3685
        /* SSLfatal() already called */
        goto err;
3686 3687
    }

3688 3689
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
M
Matt Caswell 已提交
3690
     * certificate, while we do include it in statem_clnt.c
3691 3692
     */
    sk = NULL;
3693 3694

    /* Save the current hash state for when we receive the CertificateVerify */
3695 3696 3697 3698 3699 3700 3701 3702 3703 3704
    if (SSL_IS_TLS13(s)) {
        if (!ssl_handshake_hash(s, s->cert_verify_hash,
                                sizeof(s->cert_verify_hash),
                                &s->cert_verify_hash_len)) {
            /* SSLfatal() already called */
            goto err;
        }

        /* Resend session tickets */
        s->sent_tickets = 0;
3705 3706
    }

M
Matt Caswell 已提交
3707
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
3708

3709
 err:
R
Rich Salz 已提交
3710 3711
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
3712
    return ret;
3713
}
3714

3715
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3716
{
3717
    CERT_PKEY *cpk = s->s3->tmp.cert;
M
Matt Caswell 已提交
3718

3719
    if (cpk == NULL) {
3720 3721
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3722 3723 3724
        return 0;
    }

3725 3726 3727 3728
    /*
     * In TLSv1.3 the certificate chain is always preceded by a 0 length context
     * for the server Certificate message
     */
3729 3730 3731 3732 3733 3734 3735
    if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (!ssl3_output_cert_chain(s, pkt, cpk)) {
        /* SSLfatal() already called */
M
Matt Caswell 已提交
3736 3737 3738 3739 3740 3741
        return 0;
    }

    return 1;
}

3742
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3743 3744
{
    unsigned char *senc = NULL;
3745
    EVP_CIPHER_CTX *ctx = NULL;
3746
    HMAC_CTX *hctx = NULL;
3747
    unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
M
Matt Caswell 已提交
3748
    const unsigned char *const_p;
3749
    int len, slen_full, slen, lenfinal;
M
Matt Caswell 已提交
3750 3751
    SSL_SESSION *sess;
    unsigned int hlen;
3752
    SSL_CTX *tctx = s->session_ctx;
M
Matt Caswell 已提交
3753
    unsigned char iv[EVP_MAX_IV_LENGTH];
K
Kurt Roeckx 已提交
3754
    unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
3755
    int iv_len;
3756
    unsigned char tick_nonce[TICKET_NONCE_SIZE];
3757
    size_t macoffset, macendoffset;
3758 3759 3760 3761
    union {
        unsigned char age_add_c[sizeof(uint32_t)];
        uint32_t age_add;
    } age_add_u;
M
Matt Caswell 已提交
3762

M
Matt Caswell 已提交
3763
    if (SSL_IS_TLS13(s)) {
M
Matt Caswell 已提交
3764 3765
        size_t i, hashlen;
        uint64_t nonce;
3766
        static const unsigned char nonce_label[] = "resumption";
M
Matt Caswell 已提交
3767
        const EVP_MD *md = ssl_handshake_md(s);
3768
        void (*cb) (const SSL *ssl, int type, int val) = NULL;
M
Matt Caswell 已提交
3769 3770 3771 3772 3773 3774 3775 3776 3777 3778
        int hashleni = EVP_MD_size(md);

        /* Ensure cast to size_t is safe */
        if (!ossl_assert(hashleni >= 0)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     ERR_R_INTERNAL_ERROR);
            goto err;
        }
        hashlen = (size_t)hashleni;
3779 3780 3781 3782 3783

        if (s->info_callback != NULL)
            cb = s->info_callback;
        else if (s->ctx->info_callback != NULL)
            cb = s->ctx->info_callback;
3784

3785
        if (cb != NULL) {
3786
            /*
3787 3788 3789
             * We don't start and stop the handshake in between each ticket when
             * sending more than one - but it should appear that way to the info
             * callback.
3790
             */
3791 3792 3793 3794 3795 3796 3797 3798 3799 3800 3801 3802 3803 3804 3805 3806 3807 3808 3809 3810 3811
            if (s->sent_tickets != 0) {
                ossl_statem_set_in_init(s, 0);
                cb(s, SSL_CB_HANDSHAKE_DONE, 1);
                ossl_statem_set_in_init(s, 1);
            }
            cb(s, SSL_CB_HANDSHAKE_START, 1);
        }
        /*
         * If we already sent one NewSessionTicket then we need to take a copy
         * of it and create a new session from it.
         */
        if (s->sent_tickets != 0) {
            SSL_SESSION *new_sess = ssl_session_dup(s->session, 0);

            if (new_sess == NULL) {
                /* SSLfatal already called */
                goto err;
            }

            SSL_SESSION_free(s->session);
            s->session = new_sess;
3812 3813
        }

3814 3815 3816 3817
        if (!ssl_generate_session_id(s, s->session)) {
            /* SSLfatal() already called */
            goto err;
        }
3818
        if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
3819 3820 3821
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3822
            goto err;
3823
        }
M
Matt Caswell 已提交
3824
        s->session->ext.tick_age_add = age_add_u.age_add;
M
Matt Caswell 已提交
3825 3826

        nonce = s->next_ticket_nonce;
3827 3828
        for (i = TICKET_NONCE_SIZE; i > 0; i--) {
            tick_nonce[i - 1] = (unsigned char)(nonce & 0xff);
M
Matt Caswell 已提交
3829 3830 3831 3832
            nonce >>= 8;
        }

        if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
3833
                               nonce_label,
M
Matt Caswell 已提交
3834
                               sizeof(nonce_label) - 1,
3835 3836
                               tick_nonce,
                               TICKET_NONCE_SIZE,
M
Matt Caswell 已提交
3837 3838 3839 3840 3841 3842 3843
                               s->session->master_key,
                               hashlen)) {
            /* SSLfatal() already called */
            goto err;
        }
        s->session->master_key_length = hashlen;

3844
        s->session->time = (long)time(NULL);
3845 3846 3847 3848 3849
        if (s->s3->alpn_selected != NULL) {
            OPENSSL_free(s->session->ext.alpn_selected);
            s->session->ext.alpn_selected =
                OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
            if (s->session->ext.alpn_selected == NULL) {
3850 3851 3852
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                         ERR_R_MALLOC_FAILURE);
3853 3854 3855 3856 3857
                goto err;
            }
            s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
        }
        s->session->ext.max_early_data = s->max_early_data;
M
Matt Caswell 已提交
3858 3859
    }

T
Todd Short 已提交
3860 3861 3862 3863
    if (tctx->generate_ticket_cb != NULL &&
        tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0)
        goto err;

M
Matt Caswell 已提交
3864 3865 3866 3867 3868 3869 3870
    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
3871 3872
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
3873
        goto err;
M
Matt Caswell 已提交
3874 3875
    }
    senc = OPENSSL_malloc(slen_full);
3876
    if (senc == NULL) {
3877 3878
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
3879
        goto err;
M
Matt Caswell 已提交
3880
    }
3881

3882
    ctx = EVP_CIPHER_CTX_new();
3883
    hctx = HMAC_CTX_new();
3884
    if (ctx == NULL || hctx == NULL) {
3885 3886
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
3887 3888
        goto err;
    }
3889

M
Matt Caswell 已提交
3890
    p = senc;
3891 3892 3893
    if (!i2d_SSL_SESSION(s->session, &p)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3894
        goto err;
3895
    }
M
Matt Caswell 已提交
3896

M
Matt Caswell 已提交
3897 3898 3899 3900 3901
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3902 3903 3904
    if (sess == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3905
        goto err;
3906
    }
3907

M
Matt Caswell 已提交
3908
    slen = i2d_SSL_SESSION(sess, NULL);
3909 3910 3911 3912
    if (slen == 0 || slen > slen_full) {
        /* shouldn't ever happen */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3913 3914 3915 3916 3917
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
3918 3919
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3920 3921 3922 3923
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3924

M
Matt Caswell 已提交
3925 3926 3927 3928
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
R
Rich Salz 已提交
3929
    if (tctx->ext.ticket_key_cb) {
T
Todd Short 已提交
3930
        /* if 0 is returned, write an empty ticket */
R
Rich Salz 已提交
3931
        int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
T
Todd Short 已提交
3932 3933 3934
                                             hctx, 1);

        if (ret == 0) {
3935 3936

            /* Put timeout and length */
3937
            if (!WPACKET_put_bytes_u32(pkt, 0)
3938
                    || !WPACKET_put_bytes_u16(pkt, 0)) {
3939 3940 3941
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                         ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
3942
                goto err;
3943
            }
T
Todd Short 已提交
3944 3945 3946 3947 3948
            OPENSSL_free(senc);
            EVP_CIPHER_CTX_free(ctx);
            HMAC_CTX_free(hctx);
            return 1;
        }
3949 3950 3951 3952
        if (ret < 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     SSL_R_CALLBACK_FAILED);
M
Matt Caswell 已提交
3953
            goto err;
3954
        }
K
Kurt Roeckx 已提交
3955
        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3956
    } else {
K
Kurt Roeckx 已提交
3957 3958 3959
        const EVP_CIPHER *cipher = EVP_aes_256_cbc();

        iv_len = EVP_CIPHER_iv_length(cipher);
3960
        if (RAND_bytes(iv, iv_len) <= 0
3961
                || !EVP_EncryptInit_ex(ctx, cipher, NULL,
3962 3963 3964
                                       tctx->ext.secure->tick_aes_key, iv)
                || !HMAC_Init_ex(hctx, tctx->ext.secure->tick_hmac_key,
                                 sizeof(tctx->ext.secure->tick_hmac_key),
3965 3966 3967 3968
                                 EVP_sha256(), NULL)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     ERR_R_INTERNAL_ERROR);
3969
            goto err;
3970
        }
R
Rich Salz 已提交
3971 3972
        memcpy(key_name, tctx->ext.tick_key_name,
               sizeof(tctx->ext.tick_key_name));
3973 3974
    }

M
Matt Caswell 已提交
3975
    /*
3976 3977 3978 3979
     * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
     * unspecified for resumed session (for simplicity).
     * In TLSv1.3 we reset the "time" field above, and always specify the
     * timeout.
M
Matt Caswell 已提交
3980
     */
3981 3982 3983
    if (!WPACKET_put_bytes_u32(pkt,
                               (s->hit && !SSL_IS_TLS13(s))
                               ? 0 : s->session->timeout)
3984
            || (SSL_IS_TLS13(s)
3985
                && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
3986 3987
                    || !WPACKET_sub_memcpy_u8(pkt, tick_nonce,
                                              TICKET_NONCE_SIZE)))
3988
               /* Now the actual ticket data */
3989 3990
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_get_total_written(pkt, &macoffset)
3991
               /* Output key name */
3992
            || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3993
               /* output IV */
3994 3995
            || !WPACKET_memcpy(pkt, iv, iv_len)
            || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3996 3997 3998
                                      &encdata1)
               /* Encrypt session data */
            || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3999
            || !WPACKET_allocate_bytes(pkt, len, &encdata2)
4000 4001
            || encdata1 != encdata2
            || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
4002
            || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
4003 4004
            || encdata1 + len != encdata2
            || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
4005
            || !WPACKET_get_total_written(pkt, &macendoffset)
4006 4007 4008
            || !HMAC_Update(hctx,
                            (unsigned char *)s->init_buf->data + macoffset,
                            macendoffset - macoffset)
4009
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
4010 4011
            || !HMAC_Final(hctx, macdata1, &hlen)
            || hlen > EVP_MAX_MD_SIZE
4012
            || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
4013
            || macdata1 != macdata2
4014
            || !WPACKET_close(pkt)) {
4015 4016
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
4017
        goto err;
4018
    }
4019 4020 4021 4022 4023 4024 4025
    if (SSL_IS_TLS13(s)) {
        if (!tls_construct_extensions(s, pkt,
                                      SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
                                      NULL, 0)) {
            /* SSLfatal() already called */
            goto err;
        }
M
Matt Caswell 已提交
4026 4027 4028 4029 4030
        /*
         * Increment both |sent_tickets| and |next_ticket_nonce|. |sent_tickets|
         * gets reset to 0 if we send more tickets following a post-handshake
         * auth, but |next_ticket_nonce| does not.
         */
4031
        s->sent_tickets++;
M
Matt Caswell 已提交
4032
        s->next_ticket_nonce++;
4033
        ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
4034
    }
D
Dr. Stephen Henson 已提交
4035 4036
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
4037 4038 4039
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
4040
 err:
R
Rich Salz 已提交
4041
    OPENSSL_free(senc);
4042
    EVP_CIPHER_CTX_free(ctx);
4043
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
4044
    return 0;
4045
}
4046

4047 4048 4049 4050 4051
/*
 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
 * create a separate message. Returns 1 on success or 0 on failure.
 */
int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
4052
{
4053 4054 4055
    if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
            || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
                                       s->ext.ocsp.resp_len)) {
4056 4057
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY,
                 ERR_R_INTERNAL_ERROR);
4058 4059 4060 4061 4062 4063 4064 4065 4066
        return 0;
    }

    return 1;
}

int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
    if (!tls_construct_cert_status_body(s, pkt)) {
4067
        /* SSLfatal() already called */
4068 4069
        return 0;
    }
M
Matt Caswell 已提交
4070 4071 4072 4073

    return 1;
}

4074
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
4075 4076 4077 4078
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
4079
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
4080
{
4081
    PACKET next_proto, padding;
M
Matt Caswell 已提交
4082 4083
    size_t next_proto_len;

4084 4085 4086 4087 4088 4089 4090
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
4091 4092 4093
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
4094 4095 4096
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
                 SSL_R_LENGTH_MISMATCH);
        return MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
4097
    }
4098

R
Rich Salz 已提交
4099 4100
    if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
        s->ext.npn_len = 0;
4101 4102 4103
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
4104 4105
    }

R
Rich Salz 已提交
4106
    s->ext.npn_len = (unsigned char)next_proto_len;
4107

M
Matt Caswell 已提交
4108
    return MSG_PROCESS_CONTINUE_READING;
4109
}
4110
#endif
M
Matt Caswell 已提交
4111

M
Matt Caswell 已提交
4112 4113
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
4114
    if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
4115 4116
                                  NULL, 0)) {
        /* SSLfatal() already called */
M
Matt Caswell 已提交
4117 4118 4119 4120 4121 4122
        return 0;
    }

    return 1;
}

4123 4124 4125
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
{
    if (PACKET_remaining(pkt) != 0) {
4126 4127
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
                 SSL_R_LENGTH_MISMATCH);
4128 4129 4130 4131 4132
        return MSG_PROCESS_ERROR;
    }

    if (s->early_data_state != SSL_EARLY_DATA_READING
            && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
4133 4134 4135
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
4136 4137 4138 4139 4140 4141 4142
    }

    /*
     * EndOfEarlyData signals a key change so the end of the message must be on
     * a record boundary.
     */
    if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
4143 4144 4145 4146
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                 SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
4147 4148 4149 4150 4151
    }

    s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
    if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
4152 4153
        /* SSLfatal() already called */
        return MSG_PROCESS_ERROR;
4154 4155 4156 4157
    }

    return MSG_PROCESS_CONTINUE_READING;
}