statem_srvr.c 108.6 KB
Newer Older
M
Matt Caswell 已提交
1
/* ssl/statem/statem_srvr.c -*- mode:C; c-file-style: "eay" -*- */
2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 4 5 6 7
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
8
 *
9 10 11 12 13 14
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15
 *
16 17 18 19 20 21
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
22
 *
23 24 25 26 27 28 29 30 31 32 33 34 35 36
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
37
 * 4. If you include any Windows specific code (or a derivative thereof) from
38 39
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40
 *
41 42 43 44 45 46 47 48 49 50 51
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
52
 *
53 54 55 56 57
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
58
/* ====================================================================
59
 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 61 62 63 64 65
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
66
 *    notice, this list of conditions and the following disclaimer.
67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
B
Bodo Möller 已提交
111 112 113
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
114
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
115 116 117 118 119 120 121 122 123
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
150

151

152
#include <stdio.h>
M
Matt Caswell 已提交
153
#include "../ssl_locl.h"
M
Matt Caswell 已提交
154
#include "statem_locl.h"
155
#include "internal/constant_time_locl.h"
156 157 158 159
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
160
#include <openssl/hmac.h>
161
#include <openssl/x509.h>
N
make  
Nils Larsch 已提交
162
#ifndef OPENSSL_NO_DH
163
# include <openssl/dh.h>
N
make  
Nils Larsch 已提交
164
#endif
165
#include <openssl/bn.h>
166
#include <openssl/md5.h>
167

168 169 170 171
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                      PACKET *cipher_suites,
                                                      STACK_OF(SSL_CIPHER) **skp,
                                                      int sslv2format, int *al);
M
Matt Caswell 已提交
172

M
Matt Caswell 已提交
173 174 175 176 177 178 179 180 181 182
/*
 * server_read_transition() encapsulates the logic for the allowed handshake
 * state transitions when the server is reading messages from the client. The
 * message type that the client has sent is provided in |mt|. The current state
 * is in |s->statem.hand_state|.
 *
 *  Valid return values are:
 *  1: Success (transition allowed)
 *  0: Error (transition not allowed)
 */
183
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
184
{
M
Matt Caswell 已提交
185
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234

    switch(st->hand_state) {
    case TLS_ST_BEFORE:
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
                && (!s->s3->tmp.cert_request
                    || (!((s->verify_mode & SSL_VERIFY_PEER) &&
                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
                        && (s->version == SSL3_VERSION)))) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            } 
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
235
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
236 237
         * set.
         */
238
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
        if (s->s3->next_proto_neg_seen) {
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    default:
        break;
    }

    /* No valid transition found */
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
313
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
314 315 316 317
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
318
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
    if (   (alg_k & SSL_kDHE)
        || (alg_k & SSL_kECDHE)
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
       ) {
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
356
static int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
            * during re-negotiation:
            */
           && ((s->session->peer == NULL) ||
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
           /*
            * ... except when the application insists on
            * verification (against the specs, but s3_clnt.c accepts
            * this for SSL 3)
            */
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
385
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
386 387 388 389 390 391 392 393 394 395
        return 1;
    }

    return 0;
}

/*
 * server_write_transition() works out what handshake state to move to next
 * when the server is writing messages to be sent to the client.
 */
396
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
397
{
M
Matt Caswell 已提交
398
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
399 400 401 402 403 404 405 406 407 408 409 410 411

    switch(st->hand_state) {
        case TLS_ST_BEFORE:
            /* Just go straight to trying to read from the client */;
            return WRITE_TRAN_FINISHED;

        case TLS_ST_OK:
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_HELLO_REQ:
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
412
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SR_CLNT_HELLO:
            if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
                    && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
                st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
            else
                st->hand_state = TLS_ST_SW_SRVR_HELLO;
            return WRITE_TRAN_CONTINUE;

        case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SW_SRVR_HELLO:
            if (s->hit) {
                if (s->tlsext_ticket_expected)
                    st->hand_state = TLS_ST_SW_SESSION_TICKET;
                else
                    st->hand_state = TLS_ST_SW_CHANGE;
            } else {
                /* Check if it is anon DH or anon ECDH, */
                /* normal PSK or SRP */
                if (!(s->s3->tmp.new_cipher->algorithm_auth &
                     (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                    st->hand_state = TLS_ST_SW_CERT;
                } else if (send_server_key_exchange(s)) {
                    st->hand_state = TLS_ST_SW_KEY_EXCH;
                } else if (send_certificate_request(s)) {
                    st->hand_state = TLS_ST_SW_CERT_REQ;
                } else {
                    st->hand_state = TLS_ST_SW_SRVR_DONE;
                }
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CERT:
            if (s->tlsext_status_expected) {
                st->hand_state = TLS_ST_SW_CERT_STATUS;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_STATUS:
            if (send_server_key_exchange(s)) {
                st->hand_state = TLS_ST_SW_KEY_EXCH;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_KEY_EXCH:
            if (send_certificate_request(s)) {
                st->hand_state = TLS_ST_SW_CERT_REQ;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_REQ:
            st->hand_state = TLS_ST_SW_SRVR_DONE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SRVR_DONE:
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SR_FINISHED:
            if (s->hit) {
                st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
479
                ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500
                return WRITE_TRAN_CONTINUE;
            } else if (s->tlsext_ticket_expected) {
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            } else {
                st->hand_state = TLS_ST_SW_CHANGE;
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SESSION_TICKET:
            st->hand_state = TLS_ST_SW_CHANGE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CHANGE:
            st->hand_state = TLS_ST_SW_FINISHED;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_FINISHED:
            if (s->hit) {
                return WRITE_TRAN_FINISHED;
            }
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
501
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
502 503 504 505 506 507 508 509 510 511 512 513
            return WRITE_TRAN_CONTINUE;

        default:
            /* Shouldn't happen */
            return WRITE_TRAN_ERROR;
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
514
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
515
{
M
Matt Caswell 已提交
516
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563

    switch(st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
            dtls1_clear_record_buffer(s);
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
            dtls1_clear_record_buffer(s);
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
             * Messages we write from now on should be bufferred and
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
M
Matt Caswell 已提交
564
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_OK:
        return tls_finish_handshake(s, wst);

    default:
        /* No pre work to be done */
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
593
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
594
{
M
Matt Caswell 已提交
595
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628

    s->init_num = 0;

    switch(st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        ssl3_init_finished_mac(s);
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
        if (s->version != DTLS1_BAD_VER)
            ssl3_init_finished_mac(s);
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
629 630
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
631 632 633 634

            if (SSL_export_keying_material(s, sctpauthkey,
                    sizeof(sctpauthkey), labelbuffer,
                    sizeof(labelbuffer), NULL, 0, 0) <= 0) {
M
Matt Caswell 已提交
635
                ossl_statem_set_error(s);
M
Matt Caswell 已提交
636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
M
Matt Caswell 已提交
658
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        break;

    default:
        /* No post work to be done */
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Construct a message to be sent from the server to the client.
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
701
int ossl_statem_server_construct_message(SSL *s)
M
Matt Caswell 已提交
702
{
M
Matt Caswell 已提交
703
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760

    switch(st->hand_state) {
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return dtls_construct_hello_verify_request(s);

    case TLS_ST_SW_HELLO_REQ:
        return tls_construct_hello_request(s);

    case TLS_ST_SW_SRVR_HELLO:
        return tls_construct_server_hello(s);

    case TLS_ST_SW_CERT:
        return tls_construct_server_certificate(s);

    case TLS_ST_SW_KEY_EXCH:
        return tls_construct_server_key_exchange(s);

    case TLS_ST_SW_CERT_REQ:
        return tls_construct_certificate_request(s);

    case TLS_ST_SW_SRVR_DONE:
        return tls_construct_server_done(s);

    case TLS_ST_SW_SESSION_TICKET:
        return tls_construct_new_session_ticket(s);

    case TLS_ST_SW_CERT_STATUS:
        return tls_construct_cert_status(s);

    case TLS_ST_SW_CHANGE:
        if (SSL_IS_DTLS(s))
            return dtls_construct_change_cipher_spec(s);
        else
            return tls_construct_change_cipher_spec(s);

    case TLS_ST_SW_FINISHED:
        return tls_construct_finished(s,
                                      s->method->
                                      ssl3_enc->server_finished_label,
                                      s->method->
                                      ssl3_enc->server_finished_label_len);

    default:
        /* Shouldn't happen */
        break;
    }

    return 0;
}

#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
761
unsigned long ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
762
{
M
Matt Caswell 已提交
763
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return SSL3_RT_MAX_PLAIN_LENGTH;

    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;

    default:
        /* Shouldn't happen */
        break;
    }

    return 0;
}

/*
 * Process a message that the server has received from the client.
 */
800
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
801
{
M
Matt Caswell 已提交
802
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);

    default:
        /* Shouldn't happen */
        break;
    }

    return MSG_PROCESS_ERROR;
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
840
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
841
{
M
Matt Caswell 已提交
842
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);

    case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
        if (    /* Is this SCTP? */
                BIO_dgram_is_sctp(SSL_get_wbio(s))
                /* Are we renegotiating? */
                && s->renegotiate
                && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
            s->s3->in_read_app_data = 2;
            s->rwstate = SSL_READING;
            BIO_clear_retry_flags(SSL_get_rbio(s));
            BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
862
            ossl_statem_set_sctp_read_sock(s, 1);
M
Matt Caswell 已提交
863 864
            return WORK_MORE_A;
        } else {
M
Matt Caswell 已提交
865
            ossl_statem_set_sctp_read_sock(s, 0);
M
Matt Caswell 已提交
866 867 868 869 870 871 872 873 874 875 876 877
        }
#endif
        return WORK_FINISHED_CONTINUE;

    default:
        break;
    }

    /* Shouldn't happen */
    return WORK_ERROR;
}

B
Ben Laurie 已提交
878
#ifndef OPENSSL_NO_SRP
879
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
900 901
#endif

M
Matt Caswell 已提交
902 903 904 905
int tls_construct_hello_request(SSL *s)
{
    if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
906
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
907 908 909 910 911 912
        return 0;
    }

    return 1;
}

M
Matt Caswell 已提交
913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943
unsigned int dtls_raw_hello_verify_request(unsigned char *buf,
                                            unsigned char *cookie,
                                            unsigned char cookie_len)
{
    unsigned int msg_len;
    unsigned char *p;

    p = buf;
    /* Always use DTLS 1.0 version: see RFC 6347 */
    *(p++) = DTLS1_VERSION >> 8;
    *(p++) = DTLS1_VERSION & 0xFF;

    *(p++) = (unsigned char)cookie_len;
    memcpy(p, cookie, cookie_len);
    p += cookie_len;
    msg_len = p - buf;

    return msg_len;
}

int dtls_construct_hello_verify_request(SSL *s)
{
    unsigned int len;
    unsigned char *buf;

    buf = (unsigned char *)s->init_buf->data;

    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
                                  &(s->d1->cookie_len)) == 0 ||
        s->d1->cookie_len > 255) {
M
Matt Caswell 已提交
944
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
M
Matt Caswell 已提交
945
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
M
Matt Caswell 已提交
946
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963
        return 0;
    }

    len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
                                         s->d1->cookie, s->d1->cookie_len);

    dtls1_set_message_header(s, buf, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
                             len);
    len += DTLS1_HM_HEADER_LENGTH;

    /* number of bytes to write */
    s->init_num = len;
    s->init_off = 0;

    return 1;
}

M
Matt Caswell 已提交
964
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
965 966 967 968 969 970 971 972 973 974 975
{
    int i, al = SSL_AD_INTERNAL_ERROR;
    unsigned int j, complen = 0;
    unsigned long id;
    SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
    int protverr = 1;
    /* |cookie| will only be initialized for DTLS. */
976
    PACKET session_id, cipher_suites, compression, extensions, cookie;
M
Matt Caswell 已提交
977 978
    int is_v2_record;

979 980
    is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer);

E
Emilia Kasper 已提交
981
    PACKET_null_init(&cookie);
982
    /* First lets get s->client_version set correctly */
983
    if (is_v2_record) {
M
Matt Caswell 已提交
984 985
        unsigned int version;
        unsigned int mt;
986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

1001
        if (!PACKET_get_1(pkt, &mt)
M
Matt Caswell 已提交
1002
                || mt != SSL2_MT_CLIENT_HELLO) {
1003 1004 1005 1006 1007
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
1008
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1009
            goto err;
1010 1011
        }

1012
        if (!PACKET_get_net_2(pkt, &version)) {
M
Matt Caswell 已提交
1013
            /* No protocol version supplied! */
M
Matt Caswell 已提交
1014
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
M
Matt Caswell 已提交
1015 1016 1017
            goto err;
        }
        if (version == 0x0002) {
1018
            /* This is real SSLv2. We don't support it. */
M
Matt Caswell 已提交
1019
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1020
            goto err;
M
Matt Caswell 已提交
1021
        } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
1022
            /* SSLv3/TLS */
M
Matt Caswell 已提交
1023
            s->client_version = version;
1024 1025
        } else {
            /* No idea what protocol this is */
M
Matt Caswell 已提交
1026
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1027 1028 1029 1030
            goto err;
        }
    } else {
        /*
M
Matt Caswell 已提交
1031 1032
         * use version from inside client hello, not from record header (may
         * differ: see RFC 2246, Appendix E, second paragraph)
1033
         */
1034
        if(!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
1035
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1036
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
1037 1038
            goto f_err;
        }
1039 1040
    }

1041 1042 1043
    /* Do SSL/TLS version negotiation if applicable */
    if (!SSL_IS_DTLS(s)) {
        if (s->version != TLS_ANY_VERSION) {
1044
            if (s->client_version >= s->version) {
1045 1046
                protverr = 0;
            }
1047
        } else if (s->client_version >= SSL3_VERSION) {
1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074
            switch(s->client_version) {
            default:
            case TLS1_2_VERSION:
                if(!(s->options & SSL_OP_NO_TLSv1_2)) {
                    s->version = TLS1_2_VERSION;
                    s->method = TLSv1_2_server_method();
                    protverr = 0;
                    break;
                }
                /* Deliberately fall through */
            case TLS1_1_VERSION:
                if(!(s->options & SSL_OP_NO_TLSv1_1)) {
                    s->version = TLS1_1_VERSION;
                    s->method = TLSv1_1_server_method();
                    protverr = 0;
                    break;
                }
                /* Deliberately fall through */
            case TLS1_VERSION:
                if(!(s->options & SSL_OP_NO_TLSv1)) {
                    s->version = TLS1_VERSION;
                    s->method = TLSv1_server_method();
                    protverr = 0;
                    break;
                }
                /* Deliberately fall through */
            case SSL3_VERSION:
1075
#ifndef OPENSSL_NO_SSL3
1076 1077 1078 1079 1080 1081
                if(!(s->options & SSL_OP_NO_SSLv3)) {
                    s->version = SSL3_VERSION;
                    s->method = SSLv3_server_method();
                    protverr = 0;
                    break;
                }
1082 1083 1084
#else
                break;
#endif
1085 1086
            }
        }
1087 1088
    } else if (s->client_version <= s->version
                || s->method->version == DTLS_ANY_VERSION) {
1089 1090 1091 1092 1093 1094 1095 1096
        /*
         * For DTLS we just check versions are potentially compatible. Version
         * negotiation comes later.
         */
        protverr = 0;
    }

    if (protverr) {
M
Matt Caswell 已提交
1097
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1098
        if ((!s->enc_write_ctx && !s->write_hash)) {
1099 1100 1101 1102 1103 1104 1105 1106 1107 1108
            /*
             * similar to ssl3_get_record, send alert using remote version
             * number
             */
            s->version = s->client_version;
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
    }

1109 1110
    /* Parse the message and load client random. */
    if (is_v2_record) {
1111 1112 1113 1114 1115
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
         * Real SSLv2 is not supported, and is rejected above.
         */
1116
        unsigned int cipher_len, session_id_len, challenge_len;
1117
        PACKET challenge;
1118

1119 1120 1121
        if (!PACKET_get_net_2(pkt, &cipher_len)
                || !PACKET_get_net_2(pkt, &session_id_len)
                || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
1122 1123
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1124 1125
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1126
        }
1127

1128 1129 1130
        if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
            || !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1131
            /* No extensions. */
1132
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1133 1134
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1135 1136 1137 1138
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }

1139
        /* Load the client random */
1140 1141
        challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
            challenge_len;
1142
        memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
1143 1144 1145
        if (!PACKET_copy_bytes(&challenge,
                               s->s3->client_random + SSL3_RANDOM_SIZE -
                               challenge_len, challenge_len)) {
M
Matt Caswell 已提交
1146
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1147
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1148 1149
            goto f_err;
        }
1150 1151 1152

        PACKET_null_init(&compression);
        PACKET_null_init(&extensions);
1153
    } else {
1154
        /* Regular ClientHello. */
1155 1156
        if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
            || !PACKET_get_length_prefixed_1(pkt, &session_id)) {
M
Matt Caswell 已提交
1157
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1158
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1159 1160
            goto f_err;
        }
1161

1162
        if (SSL_IS_DTLS(s)) {
1163
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1164
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1165
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1166 1167
                goto f_err;
            }
1168 1169 1170 1171 1172 1173 1174
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
                if (PACKET_remaining(&cookie) == 0)
1175
                return 1;
1176
            }
1177
        }
1178

1179 1180
        if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
            || !PACKET_get_length_prefixed_1(pkt, &compression)) {
1181
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1182
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1183 1184 1185
                goto f_err;
        }
        /* Could be empty. */
1186
        extensions = *pkt;
1187 1188 1189 1190 1191 1192 1193 1194 1195 1196 1197 1198 1199 1200 1201 1202 1203 1204 1205 1206 1207 1208 1209 1210 1211 1212 1213
    }

    s->hit = 0;

    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
    if (is_v2_record ||
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
        i = ssl_get_prev_session(s, &extensions, &session_id);
1214
        /*
1215 1216 1217 1218 1219 1220 1221
         * Only resume if the session's version matches the negotiated
         * version.
         * RFC 5246 does not provide much useful advice on resumption
         * with a different protocol version. It doesn't forbid it but
         * the sanity of such behaviour would be questionable.
         * In practice, clients do not accept a version mismatch and
         * will abort the handshake with an error.
1222
         */
1223 1224 1225 1226 1227
        if (i == 1 && s->version == s->session->ssl_version) {
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
            goto err;
1228
        } else {
1229 1230
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1231
                goto err;
1232
        }
1233
    }
1234

1235
    if (SSL_IS_DTLS(s)) {
M
Matt Caswell 已提交
1236
        /* Empty cookie was already handled above by returning early. */
E
Emilia Kasper 已提交
1237
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1238
            if (s->ctx->app_verify_cookie_cb != NULL) {
E
Emilia Kasper 已提交
1239 1240
                if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
                                                 PACKET_remaining(&cookie)) == 0) {
1241
                    al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1242
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1243
                           SSL_R_COOKIE_MISMATCH);
1244
                    goto f_err;
E
Emilia Kasper 已提交
1245
                    /* else cookie verification succeeded */
1246
                }
1247
            /* default verification */
E
Emilia Kasper 已提交
1248 1249
            } else if (!PACKET_equal(&cookie, s->d1->cookie,
                                     s->d1->cookie_len)) {
1250
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1251
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1252
                goto f_err;
1253
            }
M
Matt Caswell 已提交
1254
            s->d1->cookie_verified = 1;
1255
        }
1256 1257 1258 1259 1260 1261 1262
        if (s->method->version == DTLS_ANY_VERSION) {
            /* Select version to use */
            if (s->client_version <= DTLS1_2_VERSION &&
                !(s->options & SSL_OP_NO_DTLSv1_2)) {
                s->version = DTLS1_2_VERSION;
                s->method = DTLSv1_2_server_method();
            } else if (tls1_suiteb(s)) {
M
Matt Caswell 已提交
1263
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1264 1265 1266 1267 1268 1269 1270 1271 1272
                       SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            } else if (s->client_version <= DTLS1_VERSION &&
                       !(s->options & SSL_OP_NO_DTLSv1)) {
                s->version = DTLS1_VERSION;
                s->method = DTLSv1_server_method();
            } else {
M
Matt Caswell 已提交
1273
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1274 1275 1276 1277 1278 1279
                       SSL_R_WRONG_VERSION_NUMBER);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
            s->session->ssl_version = s->version;
1280
        }
1281
    }
1282

1283 1284
    if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
                                 is_v2_record, &al) == NULL) {
1285 1286
        goto f_err;
    }
1287

1288 1289 1290 1291
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1292

1293
#ifdef CIPHER_DEBUG
1294 1295
        fprintf(stderr, "client sent %d ciphers\n",
                sk_SSL_CIPHER_num(ciphers));
1296
#endif
1297 1298
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1299
#ifdef CIPHER_DEBUG
1300 1301
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1302
#endif
1303 1304 1305
            if (c->id == id) {
                j = 1;
                break;
1306
            }
1307
        }
1308
        if (j == 0) {
1309
            /*
1310 1311
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1312
             */
1313
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1314
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1315
                   SSL_R_REQUIRED_CIPHER_MISSING);
1316 1317
            goto f_err;
        }
1318
    }
M
Matt Caswell 已提交
1319

1320 1321 1322 1323
    complen = PACKET_remaining(&compression);
    for (j = 0; j < complen; j++) {
        if (PACKET_data(&compression)[j] == 0)
            break;
1324
    }
1325

1326 1327 1328
    if (j >= complen) {
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1329
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1330 1331 1332
        goto f_err;
    }
    
1333 1334
    /* TLS extensions */
    if (s->version >= SSL3_VERSION) {
1335
        if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
M
Matt Caswell 已提交
1336
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377
            goto err;
        }
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
        SSL_CIPHER *pref_cipher = NULL;

        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length, ciphers,
                                     &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
            pref_cipher =
                pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
                                                               s->
                                                               session->ciphers,
                                                               SSL_get_ciphers
                                                               (s));
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1378
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1379 1380 1381 1382
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1383
            sk_SSL_CIPHER_free(s->cipher_list);
1384
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1385
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1386 1387 1388
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1389

1390 1391
    /*
     * Worst case, we will use the NULL compression, but if we have other
1392
     * options, we will now look for them.  We have complen-1 compression
1393 1394 1395
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1396
#ifndef OPENSSL_NO_COMP
1397 1398 1399
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1400
        unsigned int k;
1401 1402 1403
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
M
Matt Caswell 已提交
1404
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1405 1406 1407 1408 1409 1410 1411 1412 1413 1414 1415 1416
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
M
Matt Caswell 已提交
1417
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1418 1419 1420 1421
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
M
Matt Caswell 已提交
1422
        for (k = 0; k < complen; k++) {
1423
            if (PACKET_data(&compression)[k] == comp_id)
1424 1425
                break;
        }
M
Matt Caswell 已提交
1426
        if (k >= complen) {
1427
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1428
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1429 1430 1431 1432 1433 1434
                   SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1435
        /* See if we have a match */
M
Matt Caswell 已提交
1436 1437
        int m, nn, v, done = 0;
        unsigned int o;
1438 1439 1440 1441 1442

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1443
            for (o = 0; o < complen; o++) {
1444
                if (v == PACKET_data(&compression)[o]) {
1445 1446 1447 1448 1449 1450 1451 1452 1453 1454 1455 1456
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1457
#else
1458 1459 1460 1461 1462
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
M
Matt Caswell 已提交
1463
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1464 1465
        goto f_err;
    }
1466
#endif
1467

1468 1469 1470
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1471

1472
    if (!s->hit) {
1473
#ifdef OPENSSL_NO_COMP
1474
        s->session->compress_meth = 0;
1475
#else
1476
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1477
#endif
R
Rich Salz 已提交
1478
        sk_SSL_CIPHER_free(s->session->ciphers);
1479 1480
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1481
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1482
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1483 1484 1485 1486
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
M
Matt Caswell 已提交
1487
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1488 1489
            goto err;
        }
M
Matt Caswell 已提交
1490 1491 1492 1493 1494 1495 1496
    }

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1497
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1498 1499 1500 1501 1502 1503

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_ERROR;

}

M
Matt Caswell 已提交
1504
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1505
{
M
Matt Caswell 已提交
1506
    int al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1507 1508 1509 1510 1511 1512 1513 1514 1515 1516 1517 1518 1519 1520 1521 1522 1523
    SSL_CIPHER *cipher;

    if (wst == WORK_MORE_A) {
        if (!s->hit) {
            /* Let cert callback update server certificates if required */
            if (s->cert->cert_cb) {
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_A;
                }
                s->rwstate = SSL_NOTHING;
1524
            }
M
Matt Caswell 已提交
1525 1526 1527 1528 1529
            cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

            if (cipher == NULL) {
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
                goto f_err;
1530
            }
M
Matt Caswell 已提交
1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541
            s->s3->tmp.new_cipher = cipher;
            /* check whether we should disable session resumption */
            if (s->not_resumable_session_cb != NULL)
                s->session->not_resumable = s->not_resumable_session_cb(s,
                    ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
            if (s->session->not_resumable)
                /* do not send a session ticket */
                s->tlsext_ticket_expected = 0;
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
1542 1543
        }

1544
        if (!(s->verify_mode & SSL_VERIFY_PEER)) {
M
Matt Caswell 已提交
1545 1546
            if (!ssl3_digest_cached_records(s, 0)) {
                al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1547
                goto f_err;
M
Matt Caswell 已提交
1548
            }
1549 1550
        }

M
Matt Caswell 已提交
1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561
        /*-
         * we now have the following setup.
         * client_random
         * cipher_list          - our prefered list of ciphers
         * ciphers              - the clients prefered list of ciphers
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
1562

M
Matt Caswell 已提交
1563 1564 1565
        /* Handles TLS extensions that we couldn't check earlier */
        if (s->version >= SSL3_VERSION) {
            if (ssl_check_clienthello_tlsext_late(s) <= 0) {
M
Matt Caswell 已提交
1566 1567
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_CLIENTHELLO_TLSEXT);
M
Matt Caswell 已提交
1568 1569 1570
                goto f_err;
            }
        }
1571

M
Matt Caswell 已提交
1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592
        wst = WORK_MORE_B;
    }
#ifndef OPENSSL_NO_SRP
    if (wst == WORK_MORE_B) {
        int ret;
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_B;
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CLIENTHELLO_TLSEXT);
            goto f_err;
1593 1594
        }
    }
M
Matt Caswell 已提交
1595 1596
#endif
    s->renegotiate = 2;
1597

M
Matt Caswell 已提交
1598
    return WORK_FINISHED_STOP;
1599
 f_err:
M
Matt Caswell 已提交
1600
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1601
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1602 1603 1604 1605
    return WORK_ERROR;
}

int tls_construct_server_hello(SSL *s)
1606 1607 1608 1609 1610 1611 1612
{
    unsigned char *buf;
    unsigned char *p, *d;
    int i, sl;
    int al = 0;
    unsigned long l;

M
Matt Caswell 已提交
1613
    buf = (unsigned char *)s->init_buf->data;
1614

M
Matt Caswell 已提交
1615 1616
    /* Do the message type and length last */
    d = p = ssl_handshake_start(s);
1617

M
Matt Caswell 已提交
1618 1619
    *(p++) = s->version >> 8;
    *(p++) = s->version & 0xff;
1620

M
Matt Caswell 已提交
1621 1622 1623 1624 1625 1626
    /*
     * Random stuff. Filling of the server_random takes place in
     * tls_process_client_hello()
     */
    memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
    p += SSL3_RANDOM_SIZE;
1627

M
Matt Caswell 已提交
1628 1629 1630 1631 1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

    sl = s->session->session_id_length;
    if (sl > (int)sizeof(s->session->session_id)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1652
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1653 1654 1655 1656 1657
        return 0;
    }
    *(p++) = sl;
    memcpy(p, s->session->session_id, sl);
    p += sl;
1658

M
Matt Caswell 已提交
1659 1660 1661
    /* put the cipher */
    i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
    p += i;
1662

M
Matt Caswell 已提交
1663
    /* put the compression method */
1664
#ifdef OPENSSL_NO_COMP
M
Matt Caswell 已提交
1665
    *(p++) = 0;
1666
#else
M
Matt Caswell 已提交
1667 1668 1669 1670
    if (s->s3->tmp.new_compression == NULL)
        *(p++) = 0;
    else
        *(p++) = s->s3->tmp.new_compression->id;
1671
#endif
1672

M
Matt Caswell 已提交
1673 1674
    if (ssl_prepare_serverhello_tlsext(s) <= 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
M
Matt Caswell 已提交
1675
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1676 1677 1678 1679 1680 1681 1682
        return 0;
    }
    if ((p =
         ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
                                    &al)) == NULL) {
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1683
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1684 1685
        return 0;
    }
1686

M
Matt Caswell 已提交
1687 1688 1689 1690
    /* do the header */
    l = (p - d);
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1691
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1692
        return 0;
1693
    }
1694

M
Matt Caswell 已提交
1695
    return 1;
1696
}
1697

M
Matt Caswell 已提交
1698 1699 1700 1701
int tls_construct_server_done(SSL *s)
{
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1702
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1703 1704 1705 1706 1707
        return 0;
    }

    if (!s->s3->tmp.cert_request) {
        if (!ssl3_digest_cached_records(s, 0)) {
M
Matt Caswell 已提交
1708
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
1709 1710 1711 1712 1713 1714 1715
        }
    }

    return 1;
}

int tls_construct_server_key_exchange(SSL *s)
1716
{
1717
#ifndef OPENSSL_NO_DH
1718
    DH *dh = NULL, *dhp;
B
Bodo Möller 已提交
1719
#endif
1720
#ifndef OPENSSL_NO_EC
1721 1722 1723
    unsigned char *encodedPoint = NULL;
    int encodedlen = 0;
    int curve_id = 0;
1724
#endif
1725 1726 1727 1728 1729 1730 1731 1732 1733
    EVP_PKEY *pkey;
    const EVP_MD *md = NULL;
    unsigned char *p, *d;
    int al, i;
    unsigned long type;
    int n;
    BIGNUM *r[4];
    int nr[4], kn;
    BUF_MEM *buf;
1734
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
1735

1736 1737 1738 1739 1740
    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
1741

M
Matt Caswell 已提交
1742 1743 1744
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    buf = s->init_buf;
1745

M
Matt Caswell 已提交
1746 1747
    r[0] = r[1] = r[2] = r[3] = NULL;
    n = 0;
1748
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759
    if (type & SSL_PSK) {
        /*
         * reserve size for record length and PSK identity hint
         */
        n += 2;
        if (s->cert->psk_identity_hint)
            n += strlen(s->cert->psk_identity_hint);
    }
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
1760
#endif                          /* !OPENSSL_NO_PSK */
1761
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
1762
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
1763 1764
        CERT *cert = s->cert;

M
Matt Caswell 已提交
1765 1766
        if (s->cert->dh_tmp_auto) {
            dhp = ssl_get_auto_dh(s);
1767
            if (dhp == NULL) {
M
Matt Caswell 已提交
1768 1769
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
1770
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1771
                goto f_err;
1772
            }
M
Matt Caswell 已提交
1773 1774 1775
        } else
            dhp = cert->dh_tmp;
        if ((dhp == NULL) && (s->cert->dh_tmp_cb != NULL))
1776
            dhp = s->cert->dh_tmp_cb(s, 0, 1024);
M
Matt Caswell 已提交
1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794
        if (dhp == NULL) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
                          DH_security_bits(dhp), 0, dhp)) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
        if (s->s3->tmp.dh != NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
1795

M
Matt Caswell 已提交
1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808
        if (s->cert->dh_tmp_auto)
            dh = dhp;
        else if ((dh = DHparams_dup(dhp)) == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
            goto err;
        }

        s->s3->tmp.dh = dh;
        if ((dhp->pub_key == NULL ||
             dhp->priv_key == NULL ||
             (s->options & SSL_OP_SINGLE_DH_USE))) {
            if (!DH_generate_key(dh)) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
1809 1810
                goto err;
            }
M
Matt Caswell 已提交
1811 1812 1813 1814 1815 1816
        } else {
            dh->pub_key = BN_dup(dhp->pub_key);
            dh->priv_key = BN_dup(dhp->priv_key);
            if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB);
                goto err;
1817
            }
M
Matt Caswell 已提交
1818 1819 1820 1821 1822
        }
        r[0] = dh->p;
        r[1] = dh->g;
        r[2] = dh->pub_key;
    } else
1823
#endif
1824
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1825
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1826
        int nid;
M
Matt Caswell 已提交
1827

D
Dr. Stephen Henson 已提交
1828
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1829 1830 1831 1832 1833
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

1834 1835 1836 1837
        /* Get NID of appropriate shared curve */
        nid = tls1_shared_curve(s, -2);
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
1838 1839 1840 1841
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
1842 1843 1844
        s->s3->tmp.pkey = ssl_generate_pkey(NULL, nid);
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
1845
            al = SSL_AD_INTERNAL_ERROR;
D
Dr. Stephen Henson 已提交
1846
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1847 1848 1849
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
1850 1851 1852
        /* Encode the public key. */
        encodedlen = EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(s->s3->tmp.pkey),
                                    POINT_CONVERSION_UNCOMPRESSED,
1853
                                    &encodedPoint, NULL);
1854

M
Matt Caswell 已提交
1855
        if (encodedlen == 0) {
1856
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
1857 1858
            goto err;
        }
1859

M
Matt Caswell 已提交
1860
        /*
1861 1862 1863
         * We only support named (not generic) curves in ECDH ephemeral key
         * exchanges. In this situation, we need four additional bytes to
         * encode the entire ServerECDHParams structure.
M
Matt Caswell 已提交
1864 1865
         */
        n += 4 + encodedlen;
1866

M
Matt Caswell 已提交
1867 1868 1869 1870 1871 1872 1873 1874 1875
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
1876
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
1877
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1878 1879 1880 1881 1882 1883 1884
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
1885
        }
M
Matt Caswell 已提交
1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
    for (i = 0; i < 4 && r[i] != NULL; i++) {
        nr[i] = BN_num_bytes(r[i]);
B
Ben Laurie 已提交
1900
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1901 1902 1903
        if ((i == 2) && (type & SSL_kSRP))
            n += 1 + nr[i];
        else
B
Ben Laurie 已提交
1904
#endif
M
Matt Caswell 已提交
1905 1906
            n += 2 + nr[i];
    }
1907

M
Matt Caswell 已提交
1908 1909 1910 1911 1912 1913
    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
        && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
        if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
            == NULL) {
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1914
        }
M
Matt Caswell 已提交
1915 1916 1917 1918 1919
        kn = EVP_PKEY_size(pkey);
    } else {
        pkey = NULL;
        kn = 0;
    }
1920

M
Matt Caswell 已提交
1921 1922 1923 1924 1925
    if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
        goto err;
    }
    d = p = ssl_handshake_start(s);
1926

1927
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1928 1929 1930 1931 1932 1933 1934 1935 1936
    if (type & SSL_PSK) {
        /* copy PSK identity hint */
        if (s->cert->psk_identity_hint) {
            s2n(strlen(s->cert->psk_identity_hint), p);
            strncpy((char *)p, s->cert->psk_identity_hint,
                    strlen(s->cert->psk_identity_hint));
            p += strlen(s->cert->psk_identity_hint);
        } else {
            s2n(0, p);
1937
        }
M
Matt Caswell 已提交
1938
    }
1939 1940
#endif

M
Matt Caswell 已提交
1941
    for (i = 0; i < 4 && r[i] != NULL; i++) {
B
Ben Laurie 已提交
1942
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1943 1944 1945 1946
        if ((i == 2) && (type & SSL_kSRP)) {
            *p = nr[i];
            p++;
        } else
B
Ben Laurie 已提交
1947
#endif
M
Matt Caswell 已提交
1948 1949 1950 1951
            s2n(nr[i], p);
        BN_bn2bin(r[i], p);
        p += nr[i];
    }
1952

1953
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
         * XXX: For now, we only support named (not generic) curves. In
         * this situation, the serverKeyExchange message has: [1 byte
         * CurveType], [2 byte CurveName] [1 byte length of encoded
         * point], followed by the actual encoded point itself
         */
        *p = NAMED_CURVE_TYPE;
        p += 1;
        *p = 0;
        p += 1;
        *p = curve_id;
        p += 1;
        *p = encodedlen;
        p += 1;
        memcpy(p, encodedPoint, encodedlen);
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
        p += encodedlen;
    }
B
Bodo Möller 已提交
1974 1975
#endif

M
Matt Caswell 已提交
1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990
    /* not anonymous */
    if (pkey != NULL) {
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
        if (md) {
            /* send signature algorithm */
            if (SSL_USE_SIGALGS(s)) {
                if (!tls12_get_sigandhash(p, pkey, md)) {
                    /* Should never happen */
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
1991
                }
M
Matt Caswell 已提交
1992 1993
                p += 2;
            }
1994
#ifdef SSL_DEBUG
M
Matt Caswell 已提交
1995
            fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
1996
#endif
1997 1998
            if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0
                    || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
1999
                                      SSL3_RANDOM_SIZE) <= 0
2000
                    || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
2001
                                      SSL3_RANDOM_SIZE) <= 0
2002 2003
                    || EVP_SignUpdate(md_ctx, d, n) <= 0
                    || EVP_SignFinal(md_ctx, &(p[2]),
2004
                               (unsigned int *)&i, pkey) <= 0) {
M
Matt Caswell 已提交
2005
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
2006 2007
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
2008
            }
M
Matt Caswell 已提交
2009 2010 2011 2012 2013 2014
            s2n(i, p);
            n += i + 2;
            if (SSL_USE_SIGALGS(s))
                n += 2;
        } else {
            /* Is this error check actually needed? */
M
Matt Caswell 已提交
2015
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2016 2017
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNKNOWN_PKEY_TYPE);
M
Matt Caswell 已提交
2018 2019
            goto f_err;
        }
2020 2021
    }

M
Matt Caswell 已提交
2022 2023 2024 2025 2026 2027
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

2028
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2029
    return 1;
2030 2031 2032
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
2033
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2034
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
2035
#endif
2036
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2037
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2038
    return 0;
2039
}
2040

M
Matt Caswell 已提交
2041
int tls_construct_certificate_request(SSL *s)
2042 2043 2044 2045 2046 2047 2048
{
    unsigned char *p, *d;
    int i, j, nl, off, n;
    STACK_OF(X509_NAME) *sk = NULL;
    X509_NAME *name;
    BUF_MEM *buf;

M
Matt Caswell 已提交
2049
    buf = s->init_buf;
2050

M
Matt Caswell 已提交
2051
    d = p = ssl_handshake_start(s);
2052

M
Matt Caswell 已提交
2053 2054 2055 2056 2057 2058
    /* get the list of acceptable cert types */
    p++;
    n = ssl3_get_req_cert_type(s, p);
    d[0] = n;
    p += n;
    n++;
2059

M
Matt Caswell 已提交
2060 2061 2062 2063 2064
    if (SSL_USE_SIGALGS(s)) {
        const unsigned char *psigs;
        unsigned char *etmp = p;
        nl = tls12_get_psigalgs(s, &psigs);
        /* Skip over length for now */
2065
        p += 2;
M
Matt Caswell 已提交
2066 2067 2068 2069 2070 2071
        nl = tls12_copy_sigalgs(s, p, psigs, nl);
        /* Now fill in length */
        s2n(nl, etmp);
        p += nl;
        n += nl + 2;
    }
2072

M
Matt Caswell 已提交
2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087
    off = n;
    p += 2;
    n += 2;

    sk = SSL_get_client_CA_list(s);
    nl = 0;
    if (sk != NULL) {
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
            name = sk_X509_NAME_value(sk, i);
            j = i2d_X509_NAME(name, NULL);
            if (!BUF_MEM_grow_clean
                (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_BUF_LIB);
                goto err;
2088
            }
M
Matt Caswell 已提交
2089 2090 2091 2092 2093
            p = ssl_handshake_start(s) + n;
            s2n(j, p);
            i2d_X509_NAME(name, &p);
            n += 2 + j;
            nl += 2 + j;
2094
        }
M
Matt Caswell 已提交
2095 2096 2097 2098
    }
    /* else no CA names */
    p = ssl_handshake_start(s) + off;
    s2n(nl, p);
2099

M
Matt Caswell 已提交
2100 2101 2102
    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
2103
    }
2104

M
Matt Caswell 已提交
2105 2106 2107
    s->s3->tmp.cert_request = 1;

    return 1;
2108
 err:
M
Matt Caswell 已提交
2109
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2110
    return 0;
2111
}
2112

M
Matt Caswell 已提交
2113
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2114 2115 2116
{
    int al;
    unsigned int i;
2117
    unsigned long alg_k;
2118
#ifndef OPENSSL_NO_RSA
2119 2120
    RSA *rsa = NULL;
    EVP_PKEY *pkey = NULL;
2121
#endif
2122
#ifndef OPENSSL_NO_DH
2123 2124
    BIGNUM *pub = NULL;
    DH *dh_srvr, *dh_clnt = NULL;
2125
#endif
2126
#ifndef OPENSSL_NO_EC
D
Dr. Stephen Henson 已提交
2127 2128
    EVP_PKEY *ckey = NULL;
    EVP_PKEY_CTX *pctx = NULL;
B
Bodo Möller 已提交
2129
#endif
2130
    PACKET enc_premaster;
2131
    unsigned char *data, *rsa_decrypt = NULL;
B
Bodo Möller 已提交
2132

2133
    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2134

2135 2136 2137 2138 2139
#ifndef OPENSSL_NO_PSK
    /* For PSK parse and retrieve identity, obtain PSK key */
    if (alg_k & SSL_PSK) {
        unsigned char psk[PSK_MAX_PSK_LEN];
        size_t psklen;
2140
        PACKET psk_identity;
2141

2142
        if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
2143
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2144
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2145 2146
            goto f_err;
        }
2147
        if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2148
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2149
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2150 2151 2152 2153 2154
                   SSL_R_DATA_LENGTH_TOO_LONG);
            goto f_err;
        }
        if (s->psk_server_callback == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2155
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2156 2157 2158 2159
                   SSL_R_PSK_NO_SERVER_CB);
            goto f_err;
        }

2160
        if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
M
Matt Caswell 已提交
2161
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2162
            al = SSL_AD_INTERNAL_ERROR;
2163 2164
            goto f_err;
        }
2165 2166 2167 2168 2169 2170

        psklen = s->psk_server_callback(s, s->session->psk_identity,
                                         psk, sizeof(psk));

        if (psklen > PSK_MAX_PSK_LEN) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2171
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2172 2173 2174 2175 2176
            goto f_err;
        } else if (psklen == 0) {
            /*
             * PSK related to the given identity not found
             */
M
Matt Caswell 已提交
2177
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2178 2179 2180 2181 2182 2183
                   SSL_R_PSK_IDENTITY_NOT_FOUND);
            al = SSL_AD_UNKNOWN_PSK_IDENTITY;
            goto f_err;
        }

        OPENSSL_free(s->s3->tmp.psk);
R
Rich Salz 已提交
2184
        s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
2185 2186 2187 2188
        OPENSSL_cleanse(psk, psklen);

        if (s->s3->tmp.psk == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2189
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2190 2191 2192 2193 2194 2195 2196
            goto f_err;
        }

        s->s3->tmp.psklen = psklen;
    }
    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
2197
        if (PACKET_remaining(pkt) != 0) {
2198
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2199
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2200 2201 2202 2203 2204
            goto f_err;
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2205
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2206 2207 2208 2209
            goto f_err;
        }
    } else
#endif
2210
#ifndef OPENSSL_NO_RSA
2211
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
2212 2213 2214 2215 2216 2217
        unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
        int decrypt_len;
        unsigned char decrypt_good, version_good;
        size_t j;

        /* FIX THIS UP EAY EAY EAY EAY */
2218 2219 2220 2221 2222 2223 2224
        pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
        if ((pkey == NULL) ||
            (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_RSA_CERTIFICATE);
            goto f_err;
2225
        }
2226
        rsa = pkey->pkey.rsa;
2227

2228 2229
        /* SSLv3 and pre-standard DTLS omit the length bytes. */
        if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
2230
            enc_premaster = *pkt;
2231
        } else {
2232 2233 2234
            PACKET orig = *pkt;
            if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
                || PACKET_remaining(pkt) != 0) {
2235 2236 2237 2238
                /* Try SSLv3 behaviour for TLS. */
                if (s->options & SSL_OP_TLS_D5_BUG) {
                    enc_premaster = orig;
                } else {
2239
                    al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2240 2241
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                           SSL_R_LENGTH_MISMATCH);
2242
                    goto f_err;
2243 2244
                }
            }
2245 2246 2247
        }

        /*
2248 2249 2250 2251
         * We want to be sure that the plaintext buffer size makes it safe to
         * iterate over the entire size of a premaster secret
         * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
         * their ciphertext cannot accommodate a premaster secret anyway.
2252
         */
2253 2254
        if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2255
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2256
                   RSA_R_KEY_SIZE_TOO_SMALL);
2257 2258 2259
            goto f_err;
        }

2260 2261
        rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
        if (rsa_decrypt == NULL) {
2262
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2263
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2264 2265
            goto f_err;
        }
2266

2267 2268 2269 2270 2271 2272 2273 2274
        /*
         * We must not leak whether a decryption failure occurs because of
         * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
         * section 7.4.7.1). The code follows that advice of the TLS RFC and
         * generates a random premaster secret for the case that the decrypt
         * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
         */

M
Matt Caswell 已提交
2275
        if (RAND_bytes(rand_premaster_secret,
2276
                       sizeof(rand_premaster_secret)) <= 0) {
2277
            goto err;
2278 2279 2280 2281 2282
        }

        decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
                                          PACKET_data(&enc_premaster),
                                          rsa_decrypt, rsa, RSA_PKCS1_PADDING);
2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300
        ERR_clear_error();

        /*
         * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
         * be 0xff if so and zero otherwise.
         */
        decrypt_good =
            constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);

        /*
         * If the version in the decrypted pre-master secret is correct then
         * version_good will be 0xff, otherwise it'll be zero. The
         * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
         * (http://eprint.iacr.org/2003/052/) exploits the version number
         * check as a "bad version oracle". Thus version checks are done in
         * constant time and are treated like any other decryption error.
         */
        version_good =
2301 2302
            constant_time_eq_8(rsa_decrypt[0],
                               (unsigned)(s->client_version >> 8));
2303
        version_good &=
2304 2305
            constant_time_eq_8(rsa_decrypt[1],
                               (unsigned)(s->client_version & 0xff));
2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318

        /*
         * The premaster secret must contain the same version number as the
         * ClientHello to detect version rollback attacks (strangely, the
         * protocol does not offer such protection for DH ciphersuites).
         * However, buggy clients exist that send the negotiated protocol
         * version instead if the server does not support the requested
         * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
         * clients.
         */
        if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
            unsigned char workaround_good;
            workaround_good =
2319
                constant_time_eq_8(rsa_decrypt[0], (unsigned)(s->version >> 8));
2320
            workaround_good &=
2321 2322
                constant_time_eq_8(rsa_decrypt[1],
                                   (unsigned)(s->version & 0xff));
2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338
            version_good |= workaround_good;
        }

        /*
         * Both decryption and version must be good for decrypt_good to
         * remain non-zero (0xff).
         */
        decrypt_good &= version_good;

        /*
         * Now copy rand_premaster_secret over from p using
         * decrypt_good_mask. If decryption failed, then p does not
         * contain valid plaintext, however, a check above guarantees
         * it is still sufficiently large to read from.
         */
        for (j = 0; j < sizeof(rand_premaster_secret); j++) {
2339 2340 2341
            rsa_decrypt[j] =
                constant_time_select_8(decrypt_good, rsa_decrypt[j],
                                       rand_premaster_secret[j]);
2342 2343
        }

2344 2345
        if (!ssl_generate_master_secret(s, rsa_decrypt,
                                        sizeof(rand_premaster_secret), 0)) {
M
Matt Caswell 已提交
2346
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2347
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2348 2349
            goto f_err;
        }
2350 2351
        OPENSSL_free(rsa_decrypt);
        rsa_decrypt = NULL;
2352
    } else
U
Ulf Möller 已提交
2353
#endif
2354
#ifndef OPENSSL_NO_DH
2355
    if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd | SSL_kDHEPSK)) {
2356 2357
        int idx = -1;
        EVP_PKEY *skey = NULL;
2358 2359
        unsigned char shared[(OPENSSL_DH_MAX_MODULUS_BITS + 7) / 8];

2360
        if (!PACKET_get_net_2(pkt, &i)) {
2361
            if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
M
Matt Caswell 已提交
2362
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2363
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
M
Matt Caswell 已提交
2364 2365 2366
                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
                goto f_err;
            }
2367
            i = 0;
M
Matt Caswell 已提交
2368
        }
2369
        if (PACKET_remaining(pkt) != i) {
2370 2371 2372
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
            goto err;
2373 2374 2375 2376 2377 2378 2379 2380 2381 2382
        }
        if (alg_k & SSL_kDHr)
            idx = SSL_PKEY_DH_RSA;
        else if (alg_k & SSL_kDHd)
            idx = SSL_PKEY_DH_DSA;
        if (idx >= 0) {
            skey = s->cert->pkeys[idx].privatekey;
            if ((skey == NULL) ||
                (skey->type != EVP_PKEY_DH) || (skey->pkey.dh == NULL)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2383
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2384 2385 2386 2387 2388 2389
                       SSL_R_MISSING_RSA_CERTIFICATE);
                goto f_err;
            }
            dh_srvr = skey->pkey.dh;
        } else if (s->s3->tmp.dh == NULL) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2390
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2391 2392 2393 2394 2395
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        } else
            dh_srvr = s->s3->tmp.dh;

2396
        if (PACKET_remaining(pkt) == 0L) {
2397 2398 2399 2400 2401 2402 2403 2404
            /* Get pubkey from cert */
            EVP_PKEY *clkey = X509_get_pubkey(s->session->peer);
            if (clkey) {
                if (EVP_PKEY_cmp_parameters(clkey, skey) == 1)
                    dh_clnt = EVP_PKEY_get1_DH(clkey);
            }
            if (dh_clnt == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2405
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2406 2407 2408 2409 2410
                       SSL_R_MISSING_TMP_DH_KEY);
                goto f_err;
            }
            EVP_PKEY_free(clkey);
            pub = dh_clnt->pub_key;
2411
        } else {
2412
            if (!PACKET_get_bytes(pkt, &data, i)) {
2413 2414
                /* We already checked we have enough data */
                al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2415
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2416 2417 2418 2419 2420
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pub = BN_bin2bn(data, i, NULL);
        }
2421
        if (pub == NULL) {
M
Matt Caswell 已提交
2422
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2423 2424 2425
            goto err;
        }

2426
        i = DH_compute_key(shared, pub, dh_srvr);
2427 2428

        if (i <= 0) {
M
Matt Caswell 已提交
2429
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_DH_LIB);
2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440
            BN_clear_free(pub);
            goto err;
        }

        DH_free(s->s3->tmp.dh);
        s->s3->tmp.dh = NULL;
        if (dh_clnt)
            DH_free(dh_clnt);
        else
            BN_clear_free(pub);
        pub = NULL;
2441
        if (!ssl_generate_master_secret(s, shared, i, 0)) {
M
Matt Caswell 已提交
2442
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2443
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2444 2445
            goto f_err;
        }
M
Matt Caswell 已提交
2446
        if (dh_clnt) {
2447
            s->statem.no_cert_verify = 1;
M
Matt Caswell 已提交
2448 2449
            return MSG_PROCESS_CONTINUE_PROCESSING;
        }
2450
    } else
2451
#endif
B
Bodo Möller 已提交
2452

2453
#ifndef OPENSSL_NO_EC
2454
    if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) {
D
Dr. Stephen Henson 已提交
2455
        EVP_PKEY *skey = NULL;
2456 2457 2458 2459

        /* Let's get server private key and group information */
        if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
            /* use the certificate */
D
Dr. Stephen Henson 已提交
2460
            skey = s->cert->pkeys[SSL_PKEY_ECC].privatekey;
2461 2462 2463 2464 2465
        } else {
            /*
             * use the ephermeral values we saved when generating the
             * ServerKeyExchange msg.
             */
D
Dr. Stephen Henson 已提交
2466
            skey = s->s3->tmp.pkey;
2467 2468
        }

2469
        if (PACKET_remaining(pkt) == 0L) {
D
Dr. Stephen Henson 已提交
2470 2471 2472 2473 2474
            /* We don't support ECDH client auth */
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_ECDH_KEY);
            goto f_err;
2475 2476 2477 2478 2479 2480 2481
        } else {
            /*
             * Get client's public key from encoded point in the
             * ClientKeyExchange message.
             */

            /* Get encoded point length */
2482
            if (!PACKET_get_1(pkt, &i)) {
2483
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2484
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2485 2486 2487
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
2488 2489
            if (!PACKET_get_bytes(pkt, &data, i)
                    || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
2490
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2491 2492
                goto err;
            }
D
Dr. Stephen Henson 已提交
2493 2494 2495 2496 2497 2498 2499
            ckey = EVP_PKEY_new();
            if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EVP_LIB);
                goto err;
            }
            if (EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(ckey), data, i,
                               NULL) == 0) {
M
Matt Caswell 已提交
2500
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2501 2502 2503 2504
                goto err;
            }
        }

D
Dr. Stephen Henson 已提交
2505
        if (ssl_derive(s, skey, ckey) == 0) {
M
Matt Caswell 已提交
2506
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2507
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2508 2509
            goto f_err;
        }
D
Dr. Stephen Henson 已提交
2510 2511 2512 2513

        EVP_PKEY_free(ckey);
        ckey = NULL;

M
Matt Caswell 已提交
2514
        return MSG_PROCESS_CONTINUE_PROCESSING;
2515
    } else
2516
#endif
B
Ben Laurie 已提交
2517
#ifndef OPENSSL_NO_SRP
2518
    if (alg_k & SSL_kSRP) {
2519 2520
        if (!PACKET_get_net_2(pkt, &i)
                || !PACKET_get_bytes(pkt, &data, i)) {
2521
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2522
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2523 2524
            goto f_err;
        }
2525
        if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
M
Matt Caswell 已提交
2526
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2527 2528 2529 2530 2531
            goto err;
        }
        if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
            || BN_is_zero(s->srp_ctx.A)) {
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
2532
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2533 2534 2535
                   SSL_R_BAD_SRP_PARAMETERS);
            goto f_err;
        }
R
Rich Salz 已提交
2536
        OPENSSL_free(s->session->srp_username);
R
Rich Salz 已提交
2537
        s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
2538
        if (s->session->srp_username == NULL) {
M
Matt Caswell 已提交
2539
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2540 2541 2542
            goto err;
        }

2543
        if (!srp_generate_server_master_secret(s)) {
M
Matt Caswell 已提交
2544
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2545 2546 2547 2548
            goto err;
        }
    } else
#endif                          /* OPENSSL_NO_SRP */
M
Matt Caswell 已提交
2549
#ifndef OPENSSL_NO_GOST
2550 2551 2552 2553 2554 2555 2556 2557
    if (alg_k & SSL_kGOST) {
        EVP_PKEY_CTX *pkey_ctx;
        EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
        unsigned char premaster_secret[32], *start;
        size_t outlen = 32, inlen;
        unsigned long alg_a;
        int Ttag, Tclass;
        long Tlen;
2558
        long sess_key_len;
2559 2560 2561

        /* Get our certificate private key */
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573
        if (alg_a & SSL_aGOST12) {
            /*
             * New GOST ciphersuites have SSL_aGOST01 bit too
             */
            pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
            }
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
            }
        } else if (alg_a & SSL_aGOST01) {
2574
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2575
        }
2576 2577

        pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2578 2579 2580 2581 2582
        if (pkey_ctx == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }
2583 2584 2585 2586 2587
        if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2588 2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599
        /*
         * If client certificate is present and is of the same type, maybe
         * use it for key exchange.  Don't mind errors from
         * EVP_PKEY_derive_set_peer, because it is completely valid to use a
         * client certificate for authorization only.
         */
        client_pub_pkey = X509_get_pubkey(s->session->peer);
        if (client_pub_pkey) {
            if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
                ERR_clear_error();
        }
        /* Decrypt session key */
2600 2601
        sess_key_len = PACKET_remaining(pkt);
        if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
2602
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2603
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2604
            goto gerr;
2605
        }
2606 2607 2608
        if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag,
                             &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
            || Ttag != V_ASN1_SEQUENCE
2609
            || Tclass != V_ASN1_UNIVERSAL) {
2610
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2611
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2612 2613 2614
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
2615
        start = data;
2616 2617 2618
        inlen = Tlen;
        if (EVP_PKEY_decrypt
            (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
M
Matt Caswell 已提交
2619
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2620
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2621 2622 2623 2624
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
        /* Generate master secret */
2625 2626
        if (!ssl_generate_master_secret(s, premaster_secret,
                                        sizeof(premaster_secret), 0)) {
M
Matt Caswell 已提交
2627
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2628
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2629
            goto gerr;
M
Matt Caswell 已提交
2630
        }
2631 2632 2633
        /* Check if pubkey from client certificate was used */
        if (EVP_PKEY_CTX_ctrl
            (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2634
            s->statem.no_cert_verify = 1;
M
Matt Caswell 已提交
2635 2636 2637 2638

        EVP_PKEY_free(client_pub_pkey);
        EVP_PKEY_CTX_free(pkey_ctx);
        return MSG_PROCESS_CONTINUE_PROCESSING;
2639 2640 2641
 gerr:
        EVP_PKEY_free(client_pub_pkey);
        EVP_PKEY_CTX_free(pkey_ctx);
2642
        goto f_err;
M
Matt Caswell 已提交
2643 2644 2645
    } else
#endif
    {
2646
        al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2647
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
2648 2649 2650
        goto f_err;
    }

M
Matt Caswell 已提交
2651
    return MSG_PROCESS_CONTINUE_PROCESSING;
2652 2653
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
2654
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
2655
 err:
B
Bodo Möller 已提交
2656
#endif
2657
#ifndef OPENSSL_NO_EC
D
Dr. Stephen Henson 已提交
2658 2659
    EVP_PKEY_free(ckey);
    EVP_PKEY_CTX_free(pctx);
2660
    OPENSSL_free(rsa_decrypt);
2661 2662 2663 2664
#endif
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
2665
#endif
M
Matt Caswell 已提交
2666
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2667
    return MSG_PROCESS_ERROR;
2668
}
2669

M
Matt Caswell 已提交
2670
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
2671 2672
{
#ifndef OPENSSL_NO_SCTP
2673 2674 2675 2676 2677 2678 2679 2680
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
2681 2682
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
2683 2684 2685 2686

            if (SSL_export_keying_material(s, sctpauthkey,
                                       sizeof(sctpauthkey), labelbuffer,
                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
M
Matt Caswell 已提交
2687
                ossl_statem_set_error(s);
2688 2689
                return WORK_ERROR;;
            }
2690

2691 2692
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
2693
        }
2694 2695
        wst = WORK_MORE_B;
    }
2696

2697 2698 2699 2700 2701 2702
    if ((wst == WORK_MORE_B)
            /* Is this SCTP? */
            && BIO_dgram_is_sctp(SSL_get_wbio(s))
            /* Are we renegotiating? */
            && s->renegotiate
            /* Are we going to skip the CertificateVerify? */
2703
            && (s->session->peer == NULL || s->statem.no_cert_verify)
2704 2705 2706 2707 2708
            && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
2709
        ossl_statem_set_sctp_read_sock(s, 1);
2710 2711
        return WORK_MORE_B;
    } else {
M
Matt Caswell 已提交
2712
        ossl_statem_set_sctp_read_sock(s, 0);
2713 2714 2715
    }
#endif

2716
    if (s->statem.no_cert_verify) {
2717 2718
        /* No certificate verify so we no longer need the handshake_buffer */
        BIO_free(s->s3->handshake_buffer);
2719
        s->s3->handshake_buffer = NULL;
2720
        return WORK_FINISHED_CONTINUE;
2721
    } else {
2722 2723 2724 2725 2726 2727 2728 2729
        if (!s->session->peer) {
            /* No peer certificate so we no longer need the handshake_buffer */
            BIO_free(s->s3->handshake_buffer);
            return WORK_FINISHED_CONTINUE;
        }
        if (!s->s3->handshake_buffer) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2730
            ossl_statem_set_error(s);
2731 2732 2733 2734 2735 2736 2737
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
M
Matt Caswell 已提交
2738
            ossl_statem_set_error(s);
2739 2740 2741 2742 2743 2744 2745
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
2746
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2747 2748 2749 2750
{
    EVP_PKEY *pkey = NULL;
    unsigned char *sig, *data;
    int al, ret = MSG_PROCESS_ERROR;
2751
    int type = 0, j;
M
Matt Caswell 已提交
2752 2753 2754
    unsigned int len;
    X509 *peer;
    const EVP_MD *md = NULL;
2755 2756 2757
    long hdatalen = 0;
    void *hdata;

2758
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
2759 2760 2761 2762 2763 2764

    if (mctx == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
M
Matt Caswell 已提交
2765

2766 2767 2768
    peer = s->session->peer;
    pkey = X509_get_pubkey(peer);
    type = X509_certificate_type(peer, pkey);
2769 2770

    if (!(type & EVP_PKT_SIGN)) {
M
Matt Caswell 已提交
2771
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY,
2772 2773 2774 2775 2776 2777 2778 2779
               SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }

    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and n is exactly 64, it is bare signature without
2780
     * length field (CryptoPro implementations at least till CSP 4.0)
2781
     */
M
Matt Caswell 已提交
2782
#ifndef OPENSSL_NO_GOST
2783
    if (PACKET_remaining(pkt) == 64 && pkey->type == NID_id_GostR3410_2001) {
2784
        len = 64;
M
Matt Caswell 已提交
2785 2786 2787
    } else
#endif
    {
2788
        if (SSL_USE_SIGALGS(s)) {
2789 2790
            int rv;

2791
            if (!PACKET_get_bytes(pkt, &sig, 2)) {
2792 2793 2794 2795
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
2796 2797 2798 2799 2800 2801 2802
            if (rv == -1) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            } else if (rv == 0) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
D
Dr. Stephen Henson 已提交
2803
#ifdef SSL_DEBUG
2804
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2805
#endif
2806
        } else {
2807 2808 2809 2810 2811 2812 2813 2814
            /* Use default digest for this key type */
            int idx = ssl_cert_type(NULL, pkey);
            if (idx >= 0)
                md = s->s3->tmp.md[idx];
            if (md == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
2815
        }
2816

2817
        if (!PACKET_get_net_2(pkt, &len)) {
M
Matt Caswell 已提交
2818
            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2819 2820 2821 2822 2823
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
    }
    j = EVP_PKEY_size(pkey);
2824 2825
    if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
            || (PACKET_remaining(pkt) == 0)) {
M
Matt Caswell 已提交
2826
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2827 2828 2829
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2830
    if (!PACKET_get_bytes(pkt, &data, len)) {
M
Matt Caswell 已提交
2831
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2832 2833 2834
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2835

2836 2837 2838 2839 2840 2841
    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
    if (hdatalen <= 0) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
D
Dr. Stephen Henson 已提交
2842
#ifdef SSL_DEBUG
2843
    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2844
#endif
2845 2846
    if (!EVP_VerifyInit_ex(mctx, md, NULL)
        || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) {
2847 2848 2849 2850
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
2851

M
Matt Caswell 已提交
2852
#ifndef OPENSSL_NO_GOST
2853 2854 2855
    if (pkey->type == NID_id_GostR3410_2001
            || pkey->type == NID_id_GostR3410_2012_256
            || pkey->type == NID_id_GostR3410_2012_512) {
M
Matt Caswell 已提交
2856
        BUF_reverse(data, NULL, len);
2857
    }
M
Matt Caswell 已提交
2858
#endif
2859

2860
    if (s->version == SSL3_VERSION
2861
        && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
2862 2863 2864 2865 2866 2867 2868
                            s->session->master_key_length,
                            s->session->master_key)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

2869
    if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) {
2870 2871
        al = SSL_AD_DECRYPT_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
2872 2873 2874
        goto f_err;
    }

2875
    ret = MSG_PROCESS_CONTINUE_PROCESSING;
2876 2877 2878
    if (0) {
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2879
        ossl_statem_set_error(s);
2880
    }
R
Rich Salz 已提交
2881 2882
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
2883
    EVP_MD_CTX_free(mctx);
2884
    EVP_PKEY_free(pkey);
M
Matt Caswell 已提交
2885
    return ret;
2886
}
2887

M
Matt Caswell 已提交
2888
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2889
{
M
Matt Caswell 已提交
2890
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
2891 2892 2893 2894 2895
    X509 *x = NULL;
    unsigned long l, llen;
    const unsigned char *certstart;
    unsigned char *certbytes;
    STACK_OF(X509) *sk = NULL;
2896
    PACKET spkt;
2897 2898

    if ((sk = sk_X509_new_null()) == NULL) {
M
Matt Caswell 已提交
2899 2900
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
2901 2902
    }

2903 2904 2905
    if (!PACKET_get_net_3(pkt, &llen)
            || !PACKET_get_sub_packet(pkt, &spkt, llen)
            || PACKET_remaining(pkt) != 0) {
2906
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2907
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
2908 2909
        goto f_err;
    }
2910 2911 2912 2913

    while (PACKET_remaining(&spkt) > 0) {
        if (!PACKET_get_net_3(&spkt, &l)
                || !PACKET_get_bytes(&spkt, &certbytes, l)) {
2914
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2915
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2916 2917 2918 2919
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

2920 2921
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
2922
        if (x == NULL) {
M
Matt Caswell 已提交
2923 2924
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
2925
        }
2926
        if (certbytes != (certstart + l)) {
2927
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2928
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2929 2930 2931 2932
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) {
M
Matt Caswell 已提交
2933 2934
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
2935 2936 2937 2938 2939 2940 2941 2942
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2943
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2944 2945 2946 2947 2948 2949
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
M
Matt Caswell 已提交
2950
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2951 2952 2953 2954 2955
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
2956
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
2957 2958 2959 2960 2961 2962 2963
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
M
Matt Caswell 已提交
2964
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2965 2966 2967 2968
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
M
Matt Caswell 已提交
2969
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
2970 2971 2972 2973 2974 2975
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        pkey = X509_get_pubkey(sk_X509_value(sk, 0));
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2976
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2977 2978 2979 2980 2981 2982
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
        EVP_PKEY_free(pkey);
    }

R
Rich Salz 已提交
2983
    X509_free(s->session->peer);
2984 2985 2986
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

2987 2988
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
2989 2990 2991 2992 2993
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
     * certificate, while we do include it in s3_clnt.c
     */
    sk = NULL;
M
Matt Caswell 已提交
2994
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
2995 2996
    goto done;

2997
 f_err:
R
Rich Salz 已提交
2998
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2999
    ossl_statem_set_error(s);
R
Rich Salz 已提交
3000
 done:
R
Rich Salz 已提交
3001 3002
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
3003
    return ret;
3004
}
3005

M
Matt Caswell 已提交
3006 3007 3008 3009 3010 3011 3012
int tls_construct_server_certificate(SSL *s)
{
    CERT_PKEY *cpk;

    cpk = ssl_get_server_send_pkey(s);
    if (cpk == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3013
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3014 3015 3016 3017 3018
        return 0;
    }

    if (!ssl3_output_cert_chain(s, cpk)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3019
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3020 3021 3022 3023 3024 3025 3026 3027 3028 3029
        return 0;
    }

    return 1;
}

int tls_construct_new_session_ticket(SSL *s)
{
    unsigned char *senc = NULL;
    EVP_CIPHER_CTX ctx;
3030
    HMAC_CTX *hctx = NULL;
M
Matt Caswell 已提交
3031 3032 3033 3034 3035 3036 3037 3038 3039 3040 3041 3042 3043 3044 3045 3046
    unsigned char *p, *macstart;
    const unsigned char *const_p;
    int len, slen_full, slen;
    SSL_SESSION *sess;
    unsigned int hlen;
    SSL_CTX *tctx = s->initial_ctx;
    unsigned char iv[EVP_MAX_IV_LENGTH];
    unsigned char key_name[16];

    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
M
Matt Caswell 已提交
3047
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3048 3049 3050
        return 0;
    }
    senc = OPENSSL_malloc(slen_full);
3051
    if (senc == NULL) {
M
Matt Caswell 已提交
3052
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3053 3054
        return 0;
    }
3055

M
Matt Caswell 已提交
3056
    EVP_CIPHER_CTX_init(&ctx);
3057
    hctx = HMAC_CTX_new();
3058

M
Matt Caswell 已提交
3059 3060 3061
    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;
M
Matt Caswell 已提交
3062

M
Matt Caswell 已提交
3063 3064 3065 3066 3067 3068 3069 3070
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3071

M
Matt Caswell 已提交
3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3083

M
Matt Caswell 已提交
3084 3085 3086 3087 3088 3089 3090 3091 3092 3093 3094 3095
    /*-
     * Grow buffer if need be: the length calculation is as
     * follows handshake_header_length +
     * 4 (ticket lifetime hint) + 2 (ticket length) +
     * 16 (key name) + max_iv_len (iv length) +
     * session_length + max_enc_block_size (max encrypted session
     * length) + max_md_size (HMAC).
     */
    if (!BUF_MEM_grow(s->init_buf,
                      SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
                      EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
        goto err;
3096

M
Matt Caswell 已提交
3097 3098 3099 3100 3101 3102
    p = ssl_handshake_start(s);
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
    if (tctx->tlsext_ticket_key_cb) {
3103
        if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, hctx, 1) < 0)
M
Matt Caswell 已提交
3104 3105 3106
            goto err;
    } else {
        if (RAND_bytes(iv, 16) <= 0)
M
Matt Caswell 已提交
3107
            goto err;
M
Matt Caswell 已提交
3108 3109
        if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
                                tctx->tlsext_tick_aes_key, iv))
M
Matt Caswell 已提交
3110
            goto err;
3111
        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
M
Matt Caswell 已提交
3112
                          EVP_sha256(), NULL))
3113
            goto err;
M
Matt Caswell 已提交
3114
        memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3115 3116
    }

M
Matt Caswell 已提交
3117 3118 3119 3120 3121 3122 3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133 3134 3135 3136 3137 3138 3139 3140
    /*
     * Ticket lifetime hint (advisory only): We leave this unspecified
     * for resumed session (for simplicity), and guess that tickets for
     * new sessions will live as long as their sessions.
     */
    l2n(s->hit ? 0 : s->session->timeout, p);

    /* Skip ticket length for now */
    p += 2;
    /* Output key name */
    macstart = p;
    memcpy(p, key_name, 16);
    p += 16;
    /* output IV */
    memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
    p += EVP_CIPHER_CTX_iv_length(&ctx);
    /* Encrypt session data */
    if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen))
        goto err;
    p += len;
    if (!EVP_EncryptFinal(&ctx, p, &len))
        goto err;
    p += len;

3141
    if (!HMAC_Update(hctx, macstart, p - macstart))
M
Matt Caswell 已提交
3142
        goto err;
3143
    if (!HMAC_Final(hctx, p, &hlen))
M
Matt Caswell 已提交
3144 3145 3146
        goto err;

    EVP_CIPHER_CTX_cleanup(&ctx);
3147
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3148 3149 3150 3151 3152 3153 3154 3155 3156 3157 3158 3159 3160

    p += hlen;
    /* Now write out lengths: p points to end of data written */
    /* Total length */
    len = p - ssl_handshake_start(s);
    /* Skip ticket lifetime hint */
    p = ssl_handshake_start(s) + 4;
    s2n(len - 6, p);
    if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
        goto err;
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3161
 err:
R
Rich Salz 已提交
3162
    OPENSSL_free(senc);
M
Matt Caswell 已提交
3163
    EVP_CIPHER_CTX_cleanup(&ctx);
3164
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3165
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3166
    return 0;
3167
}
3168

M
Matt Caswell 已提交
3169 3170 3171 3172 3173 3174 3175 3176 3177 3178
int tls_construct_cert_status(SSL *s)
{
    unsigned char *p;
    /*-
     * Grow buffer if need be: the length calculation is as
     * follows 1 (message type) + 3 (message length) +
     * 1 (ocsp response type) + 3 (ocsp response length)
     * + (ocsp response)
     */
    if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
M
Matt Caswell 已提交
3179
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3180 3181 3182 3183 3184 3185 3186 3187 3188 3189 3190 3191 3192 3193 3194 3195 3196 3197 3198 3199 3200 3201
        return 0;
    }

    p = (unsigned char *)s->init_buf->data;

    /* do the header */
    *(p++) = SSL3_MT_CERTIFICATE_STATUS;
    /* message length */
    l2n3(s->tlsext_ocsp_resplen + 4, p);
    /* status type */
    *(p++) = s->tlsext_status_type;
    /* length of OCSP response */
    l2n3(s->tlsext_ocsp_resplen, p);
    /* actual response */
    memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
    /* number of bytes to write */
    s->init_num = 8 + s->tlsext_ocsp_resplen;
    s->init_off = 0;

    return 1;
}

3202
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3203 3204 3205 3206
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3207
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3208
{
3209
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3210 3211
    size_t next_proto_len;

3212 3213 3214 3215 3216 3217 3218
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3219 3220 3221
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
M
Matt Caswell 已提交
3222
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
3223
        goto err;
M
Matt Caswell 已提交
3224
    }
3225

3226 3227 3228
    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
                       &next_proto_len)) {
        s->next_proto_negotiated_len = 0;
M
Matt Caswell 已提交
3229 3230 3231
        goto err;
    }

3232
    s->next_proto_negotiated_len = (unsigned char)next_proto_len;
3233

M
Matt Caswell 已提交
3234
    return MSG_PROCESS_CONTINUE_READING;
M
Matt Caswell 已提交
3235
err:
M
Matt Caswell 已提交
3236
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3237
    return MSG_PROCESS_ERROR;
3238
}
3239
#endif
M
Matt Caswell 已提交
3240 3241 3242

#define SSLV2_CIPHER_LEN    3

3243 3244
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                               PACKET *cipher_suites,
M
Matt Caswell 已提交
3245
                                               STACK_OF(SSL_CIPHER) **skp,
3246 3247
                                               int sslv2format, int *al
                                               )
M
Matt Caswell 已提交
3248 3249 3250
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk;
3251 3252 3253
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];
M
Matt Caswell 已提交
3254

3255 3256 3257 3258 3259 3260 3261 3262
    s->s3->send_connection_binding = 0;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return NULL;
M
Matt Caswell 已提交
3263
    }
3264 3265

    if (PACKET_remaining(cipher_suites) % n != 0) {
M
Matt Caswell 已提交
3266 3267
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
3268 3269
        *al = SSL_AD_DECODE_ERROR;
        return NULL;
M
Matt Caswell 已提交
3270
    }
3271

M
Matt Caswell 已提交
3272 3273 3274 3275
    if ((skp == NULL) || (*skp == NULL)) {
        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
        if(sk == NULL) {
            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3276
            *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3277 3278 3279 3280 3281 3282 3283
            return NULL;
        }
    } else {
        sk = *skp;
        sk_SSL_CIPHER_zero(sk);
    }

3284 3285 3286
    if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                       &s->s3->tmp.ciphers_rawlen)) {
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3287 3288 3289
        goto err;
    }

3290 3291
    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
3292 3293 3294
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
3295 3296 3297 3298
         */
        if (sslv2format && cipher[0] != '\0')
                continue;

M
Matt Caswell 已提交
3299
        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
3300 3301
        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3302 3303 3304 3305
            /* SCSV fatal if renegotiating */
            if (s->renegotiate) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
3306
                *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3307 3308 3309 3310 3311 3312 3313 3314 3315 3316
                goto err;
            }
            s->s3->send_connection_binding = 1;
#ifdef OPENSSL_RI_DEBUG
            fprintf(stderr, "SCSV received by server\n");
#endif
            continue;
        }

        /* Check for TLS_FALLBACK_SCSV */
3317 3318
        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3319 3320 3321 3322 3323 3324 3325 3326
            /*
             * The SCSV indicates that the client previously tried a higher
             * version. Fail if the current version is an unexpected
             * downgrade.
             */
            if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_INAPPROPRIATE_FALLBACK);
3327
                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
M
Matt Caswell 已提交
3328 3329 3330 3331 3332
                goto err;
            }
            continue;
        }

3333 3334
        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
M
Matt Caswell 已提交
3335 3336 3337
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3338
                *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3339 3340 3341 3342
                goto err;
            }
        }
    }
3343 3344 3345 3346 3347
    if (PACKET_remaining(cipher_suites) > 0) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
3348 3349 3350 3351 3352 3353 3354

    if (skp != NULL)
        *skp = sk;
    return (sk);
 err:
    if ((skp == NULL) || (*skp == NULL))
        sk_SSL_CIPHER_free(sk);
3355
    return NULL;
M
Matt Caswell 已提交
3356
}