statem_srvr.c 118.6 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
R
Rich Salz 已提交
9

B
Bodo Möller 已提交
10 11 12
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
13
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
14 15 16 17 18 19 20 21 22
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
49 50

#include <stdio.h>
M
Matt Caswell 已提交
51
#include "../ssl_locl.h"
M
Matt Caswell 已提交
52
#include "statem_locl.h"
53
#include "internal/constant_time_locl.h"
54 55 56 57
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
58
#include <openssl/hmac.h>
59
#include <openssl/x509.h>
R
Rich Salz 已提交
60
#include <openssl/dh.h>
61
#include <openssl/bn.h>
62
#include <openssl/md5.h>
63

M
Matt Caswell 已提交
64
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
65
static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt);
66 67
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                      PACKET *cipher_suites,
E
Emilia Kasper 已提交
68 69 70
                                                      STACK_OF(SSL_CIPHER)
                                                      **skp, int sslv2format,
                                                      int *al);
M
Matt Caswell 已提交
71

M
Matt Caswell 已提交
72
/*
73 74 75 76 77
 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when a TLSv1.3 server is reading messages from
 * the client. The message type that the client has sent is provided in |mt|.
 * The current state is in |s->statem.hand_state|.
 *
78 79
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
80 81 82 83 84 85 86 87 88 89 90 91 92 93
 */
static int ossl_statem_server13_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * Note: There is no case for TLS_ST_BEFORE because at that stage we have
     * not negotiated TLSv1.3 yet, so that case is handled by
     * ossl_statem_server_read_transition()
     */
    switch (st->hand_state) {
    default:
        break;

94 95 96 97 98 99 100
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

101
    case TLS_ST_SW_FINISHED:
102 103 104 105 106 107
        if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        } else {
108 109
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
110 111 112 113 114 115 116
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT:
        if (s->session->peer == NULL) {
117 118
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
    }

    /* No valid transition found */
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
    SSLerr(SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION,
           SSL_R_UNEXPECTED_MESSAGE);
    return 0;
}

/*
 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when the server is reading messages from the
 * client. The message type that the client has sent is provided in |mt|. The
 * current state is in |s->statem.hand_state|.
M
Matt Caswell 已提交
149
 *
150 151
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
M
Matt Caswell 已提交
152
 */
153
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
154
{
M
Matt Caswell 已提交
155
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
156

157
    if (SSL_IS_TLS13(s)) {
158 159 160 161
        if (!ossl_statem_server13_read_transition(s, mt))
            goto err;
        return 1;
    }
162

163
    switch (st->hand_state) {
R
Rich Salz 已提交
164 165 166
    default:
        break;

M
Matt Caswell 已提交
167
    case TLS_ST_BEFORE:
168
    case TLS_ST_OK:
M
Matt Caswell 已提交
169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
187 188 189
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            if (s->s3->tmp.cert_request) {
                if (s->version == SSL3_VERSION) {
190 191
                    if ((s->verify_mode & SSL_VERIFY_PEER)
                        && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
192 193
                        /*
                         * This isn't an unexpected message as such - we're just
194 195
                         * not going to accept it because we require a client
                         * cert.
196 197 198
                         */
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                                        SSL3_AD_HANDSHAKE_FAILURE);
199
                        SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
200 201 202 203 204 205 206 207 208 209
                               SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                        return 0;
                    }
                    st->hand_state = TLS_ST_SR_KEY_EXCH;
                    return 1;
                }
            } else {
                st->hand_state = TLS_ST_SR_KEY_EXCH;
                return 1;
            }
M
Matt Caswell 已提交
210 211 212 213
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
214
            }
M
Matt Caswell 已提交
215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
231
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
232 233
         * set.
         */
234
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
R
Rich Salz 已提交
262
        if (s->s3->npn_seen) {
M
Matt Caswell 已提交
263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;
    }

295
 err:
M
Matt Caswell 已提交
296
    /* No valid transition found */
297
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
298
    SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
M
Matt Caswell 已提交
299 300 301 302 303 304 305 306 307 308
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
309
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
310 311 312 313
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
314
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
315 316 317 318 319 320
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
E
Emilia Kasper 已提交
321
    if (alg_k & (SSL_kDHE | SSL_kECDHE)
M
Matt Caswell 已提交
322 323 324 325 326 327 328 329 330 331 332 333 334 335 336
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
E
Emilia Kasper 已提交
337
        ) {
M
Matt Caswell 已提交
338 339 340 341 342 343 344 345 346 347 348 349 350
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
351
static int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
352 353 354 355 356 357 358 359
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
            * during re-negotiation:
            */
M
Matt Caswell 已提交
360
           && (s->s3->tmp.finish_md_len == 0 ||
M
Matt Caswell 已提交
361 362 363 364 365 366 367
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
E
Emilia Kasper 已提交
368 369 370 371 372
               /*
                * ... except when the application insists on
                * verification (against the specs, but statem_clnt.c accepts
                * this for SSL 3)
                */
M
Matt Caswell 已提交
373 374 375 376 377 378 379
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
380
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
381 382 383 384 385 386 387
        return 1;
    }

    return 0;
}

/*
388 389 390 391 392 393 394 395
 * ossl_statem_server13_write_transition() works out what handshake state to
 * move to next when a TLSv1.3 server is writing messages to be sent to the
 * client.
 */
static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

396 397 398 399 400
    /*
     * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
     * we will update this to look more like real TLSv1.3
     */

401 402 403 404 405 406 407 408 409 410 411
    /*
     * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
     * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
     */

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

    case TLS_ST_SR_CLNT_HELLO:
412 413 414 415
        if (s->hello_retry_request)
            st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST;
        else
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
416 417
        return WRITE_TRAN_CONTINUE;

418 419 420
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        return WRITE_TRAN_FINISHED;

421
    case TLS_ST_SW_SRVR_HELLO:
M
Matt Caswell 已提交
422 423 424 425
        st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
426
        if (s->hit)
427 428 429
            st->hand_state = TLS_ST_SW_FINISHED;
        else if (send_certificate_request(s))
            st->hand_state = TLS_ST_SW_CERT_REQ;
430
        else
431
            st->hand_state = TLS_ST_SW_CERT;
432

433 434 435
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_REQ:
436
        st->hand_state = TLS_ST_SW_CERT;
437 438
        return WRITE_TRAN_CONTINUE;

439
    case TLS_ST_SW_CERT:
440 441 442 443
        st->hand_state = TLS_ST_SW_CERT_VRFY;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_VRFY:
444
        st->hand_state = TLS_ST_SW_FINISHED;
445 446 447
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
448
        return WRITE_TRAN_FINISHED;
449

450
    case TLS_ST_SR_FINISHED:
451 452 453 454 455 456 457 458 459 460 461 462
        /*
         * Technically we have finished the handshake at this point, but we're
         * going to remain "in_init" for now and write out the session ticket
         * immediately.
         * TODO(TLS1.3): Perhaps we need to be able to control this behaviour
         * and give the application the opportunity to delay sending the
         * session ticket?
         */
        st->hand_state = TLS_ST_SW_SESSION_TICKET;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
463 464 465 466 467 468 469 470 471
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
    }
}

/*
 * ossl_statem_server_write_transition() works out what handshake state to move
 * to next when the server is writing messages to be sent to the client.
M
Matt Caswell 已提交
472
 */
473
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
474
{
M
Matt Caswell 已提交
475
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
476

477 478 479 480 481
    /*
     * Note that before the ClientHello we don't know what version we are going
     * to negotiate yet, so we don't take this branch until later
     */

482
    if (SSL_IS_TLS13(s))
483 484
        return ossl_statem_server13_write_transition(s);

485
    switch (st->hand_state) {
R
Rich Salz 已提交
486 487 488 489
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

490 491 492 493 494 495 496
    case TLS_ST_OK:
        if (st->request_state == TLS_ST_SW_HELLO_REQ) {
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            st->request_state = TLS_ST_BEFORE;
            return WRITE_TRAN_CONTINUE;
        }
497 498 499 500 501
        /* Must be an incoming ClientHello */
        if (!tls_setup_handshake(s)) {
            ossl_statem_set_error(s);
            return WRITE_TRAN_ERROR;
        }
502 503
        /* Fall through */

504
    case TLS_ST_BEFORE:
E
Emilia Kasper 已提交
505
        /* Just go straight to trying to read from the client */
506
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
507

508 509 510 511
    case TLS_ST_SW_HELLO_REQ:
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
512

513 514
    case TLS_ST_SR_CLNT_HELLO:
        if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
E
Emilia Kasper 已提交
515
            && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
516 517 518 519
            st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
        else
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
520

521 522
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
523

524 525
    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
R
Rich Salz 已提交
526
            if (s->ext.ticket_expected)
527 528 529 530 531 532 533
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            else
                st->hand_state = TLS_ST_SW_CHANGE;
        } else {
            /* Check if it is anon DH or anon ECDH, */
            /* normal PSK or SRP */
            if (!(s->s3->tmp.new_cipher->algorithm_auth &
E
Emilia Kasper 已提交
534
                  (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
535 536
                st->hand_state = TLS_ST_SW_CERT;
            } else if (send_server_key_exchange(s)) {
M
Matt Caswell 已提交
537
                st->hand_state = TLS_ST_SW_KEY_EXCH;
538
            } else if (send_certificate_request(s)) {
M
Matt Caswell 已提交
539
                st->hand_state = TLS_ST_SW_CERT_REQ;
540 541
            } else {
                st->hand_state = TLS_ST_SW_SRVR_DONE;
M
Matt Caswell 已提交
542
            }
543 544
        }
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
545

546
    case TLS_ST_SW_CERT:
R
Rich Salz 已提交
547
        if (s->ext.status_expected) {
548
            st->hand_state = TLS_ST_SW_CERT_STATUS;
M
Matt Caswell 已提交
549
            return WRITE_TRAN_CONTINUE;
550 551
        }
        /* Fall through */
M
Matt Caswell 已提交
552

553 554 555
    case TLS_ST_SW_CERT_STATUS:
        if (send_server_key_exchange(s)) {
            st->hand_state = TLS_ST_SW_KEY_EXCH;
M
Matt Caswell 已提交
556
            return WRITE_TRAN_CONTINUE;
557 558
        }
        /* Fall through */
M
Matt Caswell 已提交
559

560 561 562
    case TLS_ST_SW_KEY_EXCH:
        if (send_certificate_request(s)) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
M
Matt Caswell 已提交
563
            return WRITE_TRAN_CONTINUE;
564 565
        }
        /* Fall through */
M
Matt Caswell 已提交
566

567 568 569
    case TLS_ST_SW_CERT_REQ:
        st->hand_state = TLS_ST_SW_SRVR_DONE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
570

571 572 573 574 575
    case TLS_ST_SW_SRVR_DONE:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        if (s->hit) {
M
Matt Caswell 已提交
576
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
577
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
578
            return WRITE_TRAN_CONTINUE;
R
Rich Salz 已提交
579
        } else if (s->ext.ticket_expected) {
580 581 582 583 584 585 586 587 588
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        } else {
            st->hand_state = TLS_ST_SW_CHANGE;
        }
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        st->hand_state = TLS_ST_SW_CHANGE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
589

590 591 592 593 594 595 596 597 598 599 600
    case TLS_ST_SW_CHANGE:
        st->hand_state = TLS_ST_SW_FINISHED;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
        if (s->hit) {
            return WRITE_TRAN_FINISHED;
        }
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
601 602 603 604 605 606 607
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
608
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
609
{
M
Matt Caswell 已提交
610
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
611

612
    switch (st->hand_state) {
R
Rich Salz 已提交
613 614 615 616
    default:
        /* No pre work to be done */
        break;

M
Matt Caswell 已提交
617 618 619
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
620
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
621 622 623 624 625
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
626
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
             * Messages we write from now on should be bufferred and
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
650 651 652 653 654 655 656 657
        if (SSL_IS_TLS13(s)) {
            /*
             * Actually this is the end of the handshake, but we're going
             * straight into writing the session ticket out. So we finish off
             * the handshake, but keep the various buffers active.
             */
            return tls_finish_handshake(s, wst, 0);
        } if (SSL_IS_DTLS(s)) {
M
Matt Caswell 已提交
658 659 660 661 662 663 664 665 666 667 668
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
M
Matt Caswell 已提交
669
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
670 671 672 673 674 675 676 677 678 679 680 681 682 683
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_OK:
684
        return tls_finish_handshake(s, wst, 1);
M
Matt Caswell 已提交
685 686 687 688 689 690 691 692 693
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
694
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
695
{
M
Matt Caswell 已提交
696
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
697 698 699

    s->init_num = 0;

700
    switch (st->hand_state) {
R
Rich Salz 已提交
701 702 703 704
    default:
        /* No post work to be done */
        break;

705 706 707 708 709
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

M
Matt Caswell 已提交
710 711 712
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
713 714 715 716
        if (!ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
717 718 719 720 721 722
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
723 724 725 726
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
744 745
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
746 747

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
748 749 750
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
751
                ossl_statem_set_error(s);
M
Matt Caswell 已提交
752 753 754 755 756 757 758
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
759 760 761 762 763 764 765 766 767 768 769 770 771 772
        /*
         * TODO(TLS1.3): This actually causes a problem. We don't yet know
         * whether the next record we are going to receive is an unencrypted
         * alert, or an encrypted handshake message. We're going to need
         * something clever in the record layer for this.
         */
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->setup_key_block(s)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ))
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
773 774 775 776 777 778 779 780 781 782 783 784 785 786
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
E
Emilia Kasper 已提交
787 788
                                                      SSL3_CHANGE_CIPHER_SERVER_WRITE))
        {
M
Matt Caswell 已提交
789
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
815 816
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->generate_master_secret(s,
817
                        s->master_secret, s->handshake_secret, 0,
818 819 820 821 822
                        &s->session->master_key_length)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
823
        break;
824 825 826 827 828

    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
            return WORK_MORE_A;
        break;
M
Matt Caswell 已提交
829 830 831 832 833 834
    }

    return WORK_FINISHED_CONTINUE;
}

/*
835 836
 * Get the message construction function and message type for sending from the
 * server
M
Matt Caswell 已提交
837 838 839 840 841
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
842
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
843
                                         confunc_f *confunc, int *mt)
M
Matt Caswell 已提交
844
{
M
Matt Caswell 已提交
845
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
846

847 848 849 850 851 852
    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return 0;

    case TLS_ST_SW_CHANGE:
853
        if (SSL_IS_DTLS(s))
854
            *confunc = dtls_construct_change_cipher_spec;
855
        else
856 857
            *confunc = tls_construct_change_cipher_spec;
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
858
        break;
R
Rich Salz 已提交
859

860
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
861 862
        *confunc = dtls_construct_hello_verify_request;
        *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
863
        break;
M
Matt Caswell 已提交
864

865 866
    case TLS_ST_SW_HELLO_REQ:
        /* No construction function needed */
867 868
        *confunc = NULL;
        *mt = SSL3_MT_HELLO_REQUEST;
869
        break;
M
Matt Caswell 已提交
870

871
    case TLS_ST_SW_SRVR_HELLO:
872 873
        *confunc = tls_construct_server_hello;
        *mt = SSL3_MT_SERVER_HELLO;
874
        break;
M
Matt Caswell 已提交
875

876
    case TLS_ST_SW_CERT:
877 878
        *confunc = tls_construct_server_certificate;
        *mt = SSL3_MT_CERTIFICATE;
879
        break;
M
Matt Caswell 已提交
880

881 882 883 884 885 886
    case TLS_ST_SW_CERT_VRFY:
        *confunc = tls_construct_cert_verify;
        *mt = SSL3_MT_CERTIFICATE_VERIFY;
        break;


887
    case TLS_ST_SW_KEY_EXCH:
888 889
        *confunc = tls_construct_server_key_exchange;
        *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
890
        break;
M
Matt Caswell 已提交
891

892
    case TLS_ST_SW_CERT_REQ:
893 894
        *confunc = tls_construct_certificate_request;
        *mt = SSL3_MT_CERTIFICATE_REQUEST;
895
        break;
M
Matt Caswell 已提交
896

897
    case TLS_ST_SW_SRVR_DONE:
898 899
        *confunc = tls_construct_server_done;
        *mt = SSL3_MT_SERVER_DONE;
900
        break;
M
Matt Caswell 已提交
901

902
    case TLS_ST_SW_SESSION_TICKET:
903 904
        *confunc = tls_construct_new_session_ticket;
        *mt = SSL3_MT_NEWSESSION_TICKET;
905
        break;
M
Matt Caswell 已提交
906

907
    case TLS_ST_SW_CERT_STATUS:
908 909
        *confunc = tls_construct_cert_status;
        *mt = SSL3_MT_CERTIFICATE_STATUS;
910
        break;
M
Matt Caswell 已提交
911

912
    case TLS_ST_SW_FINISHED:
913 914
        *confunc = tls_construct_finished;
        *mt = SSL3_MT_FINISHED;
915
        break;
M
Matt Caswell 已提交
916 917 918 919 920

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        *confunc = tls_construct_encrypted_extensions;
        *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
        break;
921 922 923 924 925

    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        *confunc = tls_construct_hello_retry_request;
        *mt = SSL3_MT_HELLO_RETRY_REQUEST;
        break;
926
    }
M
Matt Caswell 已提交
927

928
    return 1;
M
Matt Caswell 已提交
929 930
}

931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947
/*
 * Maximum size (excluding the Handshake header) of a ClientHello message,
 * calculated as follows:
 *
 *  2 + # client_version
 *  32 + # only valid length for random
 *  1 + # length of session_id
 *  32 + # maximum size for session_id
 *  2 + # length of cipher suites
 *  2^16-2 + # maximum length of cipher suites array
 *  1 + # length of compression_methods
 *  2^8-1 + # maximum length of compression methods
 *  2 + # length of extensions
 *  2^16-1 # maximum length of extensions
 */
#define CLIENT_HELLO_MAX_LENGTH         131396

M
Matt Caswell 已提交
948 949 950 951 952 953 954
#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
955
size_t ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
956
{
M
Matt Caswell 已提交
957
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
958

959
    switch (st->hand_state) {
R
Rich Salz 已提交
960 961 962 963
    default:
        /* Shouldn't happen */
        return 0;

M
Matt Caswell 已提交
964
    case TLS_ST_SR_CLNT_HELLO:
965
        return CLIENT_HELLO_MAX_LENGTH;
M
Matt Caswell 已提交
966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991

    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;
    }
}

/*
 * Process a message that the server has received from the client.
 */
992
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
993
{
M
Matt Caswell 已提交
994
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
995

996
    switch (st->hand_state) {
R
Rich Salz 已提交
997 998 999 1000
    default:
        /* Shouldn't happen */
        return MSG_PROCESS_ERROR;

M
Matt Caswell 已提交
1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);
    }
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
1030
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1031
{
M
Matt Caswell 已提交
1032
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1033

1034
    switch (st->hand_state) {
R
Rich Salz 已提交
1035 1036 1037 1038
    default:
        /* Shouldn't happen */
        return WORK_ERROR;

M
Matt Caswell 已提交
1039 1040 1041 1042 1043 1044 1045 1046
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);

    case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
E
Emilia Kasper 已提交
1047 1048 1049 1050
        if (                    /* Is this SCTP? */
               BIO_dgram_is_sctp(SSL_get_wbio(s))
               /* Are we renegotiating? */
               && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
M
Matt Caswell 已提交
1051 1052 1053 1054
            s->s3->in_read_app_data = 2;
            s->rwstate = SSL_READING;
            BIO_clear_retry_flags(SSL_get_rbio(s));
            BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
1055
            ossl_statem_set_sctp_read_sock(s, 1);
M
Matt Caswell 已提交
1056 1057
            return WORK_MORE_A;
        } else {
M
Matt Caswell 已提交
1058
            ossl_statem_set_sctp_read_sock(s, 0);
M
Matt Caswell 已提交
1059 1060 1061 1062
        }
#endif
        return WORK_FINISHED_CONTINUE;
    }
1063
    return WORK_FINISHED_CONTINUE;
M
Matt Caswell 已提交
1064 1065
}

B
Ben Laurie 已提交
1066
#ifndef OPENSSL_NO_SRP
1067
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
1088 1089
#endif

1090
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
M
Matt Caswell 已提交
1091
                                  size_t cookie_len)
M
Matt Caswell 已提交
1092 1093
{
    /* Always use DTLS 1.0 version: see RFC 6347 */
1094 1095 1096
    if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
            || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
        return 0;
M
Matt Caswell 已提交
1097

1098
    return 1;
M
Matt Caswell 已提交
1099 1100
}

1101
int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1102
{
M
Matt Caswell 已提交
1103
    unsigned int cookie_leni;
M
Matt Caswell 已提交
1104 1105
    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
M
Matt Caswell 已提交
1106 1107
                                  &cookie_leni) == 0 ||
        cookie_leni > 255) {
M
Matt Caswell 已提交
1108
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
M
Matt Caswell 已提交
1109 1110 1111
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
        return 0;
    }
M
Matt Caswell 已提交
1112
    s->d1->cookie_len = cookie_leni;
M
Matt Caswell 已提交
1113

1114 1115
    if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
                                              s->d1->cookie_len)) {
1116 1117 1118
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
1119 1120 1121 1122

    return 1;
}

1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162
#ifndef OPENSSL_NO_EC
/*-
 * ssl_check_for_safari attempts to fingerprint Safari using OS X
 * SecureTransport using the TLS extension block in |hello|.
 * Safari, since 10.6, sends exactly these extensions, in this order:
 *   SNI,
 *   elliptic_curves
 *   ec_point_formats
 *
 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 * 10.8..10.8.3 (which don't work).
 */
static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
{
    static const unsigned char kSafariExtensionsBlock[] = {
        0x00, 0x0a,             /* elliptic_curves extension */
        0x00, 0x08,             /* 8 bytes */
        0x00, 0x06,             /* 6 bytes of curve ids */
        0x00, 0x17,             /* P-256 */
        0x00, 0x18,             /* P-384 */
        0x00, 0x19,             /* P-521 */

        0x00, 0x0b,             /* ec_point_formats */
        0x00, 0x02,             /* 2 bytes */
        0x01,                   /* 1 point format */
        0x00,                   /* uncompressed */
        /* The following is only present in TLS 1.2 */
        0x00, 0x0d,             /* signature_algorithms */
        0x00, 0x0c,             /* 12 bytes */
        0x00, 0x0a,             /* 10 bytes */
        0x05, 0x01,             /* SHA-384/RSA */
        0x04, 0x01,             /* SHA-256/RSA */
        0x02, 0x01,             /* SHA-1/RSA */
        0x04, 0x03,             /* SHA-256/ECDSA */
        0x02, 0x03,             /* SHA-1/ECDSA */
    };
    /* Length of the common prefix (first two extensions). */
    static const size_t kSafariCommonExtensionsLength = 18;
1163 1164 1165
    unsigned int type;
    PACKET sni, tmppkt;
    size_t ext_len;
1166 1167 1168 1169 1170 1171 1172

    tmppkt = hello->extensions;

    if (!PACKET_forward(&tmppkt, 2)
        || !PACKET_get_net_2(&tmppkt, &type)
        || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
        return;
1173 1174
    }

1175 1176 1177 1178 1179 1180 1181 1182
    if (type != TLSEXT_TYPE_server_name)
        return;

    ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
        sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;

    s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
                                             ext_len);
1183
}
1184
#endif                          /* !OPENSSL_NO_EC */
1185

M
Matt Caswell 已提交
1186
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1187 1188
{
    int i, al = SSL_AD_INTERNAL_ERROR;
1189
    unsigned int j;
1190
    size_t loop;
M
Matt Caswell 已提交
1191
    unsigned long id;
1192
    const SSL_CIPHER *c;
M
Matt Caswell 已提交
1193 1194 1195 1196
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
1197
    int protverr;
M
Matt Caswell 已提交
1198
    /* |cookie| will only be initialized for DTLS. */
1199
    PACKET session_id, compression, extensions, cookie;
M
Matt Caswell 已提交
1200
    static const unsigned char null_compression = 0;
1201
    CLIENTHELLO_MSG clienthello;
M
Matt Caswell 已提交
1202

1203 1204 1205 1206 1207 1208 1209 1210 1211
    /* Check if this is actually an unexpected renegotiation ClientHello */
    if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
        s->renegotiate = 1;
        s->new_session = 1;
    }

    /* This is a real handshake so make sure we clean it up at the end */
    s->statem.cleanuphand = 1;

1212
    /*
1213
     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1214
     */
1215
    memset(&clienthello, 0, sizeof(clienthello));
1216
    clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
E
Emilia Kasper 已提交
1217
    PACKET_null_init(&cookie);
1218 1219

    if (clienthello.isv2) {
M
Matt Caswell 已提交
1220
        unsigned int mt;
1221

1222 1223 1224 1225 1226 1227
        if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
            goto f_err;
        }

1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

1243
        if (!PACKET_get_1(pkt, &mt)
E
Emilia Kasper 已提交
1244
            || mt != SSL2_MT_CLIENT_HELLO) {
1245 1246 1247 1248 1249
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
1250
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1251
            goto err;
1252 1253 1254
        }
    }

1255
    if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) {
1256 1257 1258
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
        goto err;
1259 1260
    }

1261
    /* Parse the message and load client random. */
1262
    if (clienthello.isv2) {
1263 1264 1265
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
1266
         * Real SSLv2 is not supported, and is rejected below.
1267
         */
1268
        unsigned int ciphersuite_len, session_id_len, challenge_len;
1269
        PACKET challenge;
1270

1271
        if (!PACKET_get_net_2(pkt, &ciphersuite_len)
E
Emilia Kasper 已提交
1272 1273
            || !PACKET_get_net_2(pkt, &session_id_len)
            || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
1274 1275
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1276 1277
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1278
        }
1279

1280 1281 1282 1283 1284 1285
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1286 1287
        if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
                                   ciphersuite_len)
1288
            || !PACKET_copy_bytes(pkt, clienthello.session_id, session_id_len)
1289
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1290
            /* No extensions. */
1291
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1292 1293
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1294 1295 1296
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
1297
        clienthello.session_id_len = session_id_len;
M
Matt Caswell 已提交
1298

1299 1300 1301 1302 1303 1304 1305 1306
        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
         * here rather than sizeof(clienthello.random) because that is the limit
         * for SSLv3 and it is fixed. It won't change even if
         * sizeof(clienthello.random) does.
         */
        challenge_len = challenge_len > SSL3_RANDOM_SIZE
                        ? SSL3_RANDOM_SIZE : challenge_len;
        memset(clienthello.random, 0, SSL3_RANDOM_SIZE);
1307
        if (!PACKET_copy_bytes(&challenge,
1308
                               clienthello.random + SSL3_RANDOM_SIZE -
D
David Benjamin 已提交
1309 1310 1311
                               challenge_len, challenge_len)
            /* Advertise only null compression. */
            || !PACKET_buf_init(&compression, &null_compression, 1)) {
M
Matt Caswell 已提交
1312
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1313
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1314 1315
            goto f_err;
        }
1316

1317
        PACKET_null_init(&clienthello.extensions);
1318
    } else {
1319
        /* Regular ClientHello. */
1320
        if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
1321 1322 1323 1324
            || !PACKET_get_length_prefixed_1(pkt, &session_id)
            || !PACKET_copy_all(&session_id, clienthello.session_id,
                    SSL_MAX_SSL_SESSION_ID_LENGTH,
                    &clienthello.session_id_len)) {
M
Matt Caswell 已提交
1325
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1326
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1327 1328
            goto f_err;
        }
1329

1330
        if (SSL_IS_DTLS(s)) {
1331
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1332
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1333
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1334 1335
                goto f_err;
            }
1336 1337 1338 1339 1340 1341 1342
            if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie,
                                 DTLS1_COOKIE_LENGTH,
                                 &clienthello.dtls_cookie_len)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
1343 1344 1345 1346 1347 1348
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1349
                if (clienthello.dtls_cookie_len == 0)
E
Emilia Kasper 已提交
1350
                    return 1;
1351
            }
1352
        }
1353

1354 1355 1356 1357 1358 1359
        if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1360
        if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
E
Emilia Kasper 已提交
1361 1362 1363
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
1364
        }
1365

1366
        /* Could be empty. */
1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377
        if (PACKET_remaining(pkt) == 0) {
            PACKET_null_init(&clienthello.extensions);
        } else {
            if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
        }
    }

1378
    if (!PACKET_copy_all(&compression, clienthello.compressions,
1379 1380
                         MAX_COMPRESSIONS_SIZE,
                         &clienthello.compressions_len)) {
1381 1382 1383 1384 1385
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }

1386
    /* Preserve the raw extensions PACKET for later use */
1387
    extensions = clienthello.extensions;
1388
    if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO,
1389
                                &clienthello.pre_proc_exts, &al)) {
1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401
        /* SSLerr already been called */
        goto f_err;
    }

    /* Finished parsing the ClientHello, now we can start processing it */

    /* Set up the client_random */
    memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE);

    /* Choose the version */

    if (clienthello.isv2) {
1402 1403
        if (clienthello.legacy_version == SSL2_VERSION
                || (clienthello.legacy_version & 0xff00)
1404 1405 1406 1407 1408
                   != (SSL3_VERSION_MAJOR << 8)) {
            /*
             * This is real SSLv2 or something complete unknown. We don't
             * support it.
             */
1409 1410 1411
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
            goto err;
        }
1412
        /* SSLv3/TLS */
1413
        s->client_version = clienthello.legacy_version;
1414 1415 1416 1417 1418 1419 1420 1421
    }
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
    if (!SSL_IS_DTLS(s)) {
        protverr = ssl_choose_server_version(s, &clienthello);
    } else if (s->method->version != DTLS_ANY_VERSION &&
1422
               DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) {
1423 1424 1425 1426 1427 1428 1429
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
        protverr = 0;
    }

    if (protverr) {
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
1430
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
1431
            /* like ssl3_get_record, send alert using remote version number */
1432
            s->version = s->client_version = clienthello.legacy_version;
1433 1434 1435
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
1436 1437
    }

1438 1439 1440 1441
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
1442 1443
                if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie,
                        clienthello.dtls_cookie_len) == 0) {
1444 1445 1446 1447 1448 1449
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                           SSL_R_COOKIE_MISMATCH);
                    goto f_err;
                    /* else cookie verification succeeded */
                }
E
Emilia Kasper 已提交
1450
                /* default verification */
1451 1452 1453
            } else if (s->d1->cookie_len != clienthello.dtls_cookie_len
                    || memcmp(clienthello.dtls_cookie, s->d1->cookie,
                              s->d1->cookie_len) != 0) {
1454 1455 1456 1457 1458 1459 1460
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                goto f_err;
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
1461
            protverr = ssl_choose_server_version(s, &clienthello);
1462 1463 1464 1465 1466 1467 1468 1469 1470
            if (protverr != 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
        }
    }

1471 1472
    s->hit = 0;

1473
    /* We need to do this before getting the session */
1474
    if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
M
Matt Caswell 已提交
1475
                             EXT_CLIENT_HELLO,
1476
                             clienthello.pre_proc_exts, NULL, 0, &al)) {
1477 1478 1479 1480
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
        goto f_err;
    }

1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495 1496
    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
1497
    if (clienthello.isv2 ||
1498 1499 1500 1501 1502
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
1503
        i = ssl_get_prev_session(s, &clienthello, &al);
1504
        if (i == 1) {
1505 1506 1507
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
1508
            goto f_err;
1509
        } else {
1510 1511
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1512
                goto err;
1513
        }
1514
    }
1515

1516
    if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers,
1517
                                 clienthello.isv2, &al) == NULL) {
1518 1519
        goto f_err;
    }
1520

1521 1522 1523 1524
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1525

1526
#ifdef CIPHER_DEBUG
E
Emilia Kasper 已提交
1527
        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
1528
#endif
1529 1530
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1531
#ifdef CIPHER_DEBUG
1532 1533
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1534
#endif
1535 1536 1537
            if (c->id == id) {
                j = 1;
                break;
1538
            }
1539
        }
1540
        if (j == 0) {
1541
            /*
1542 1543
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1544
             */
1545
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1546
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1547
                   SSL_R_REQUIRED_CIPHER_MISSING);
1548 1549
            goto f_err;
        }
1550
    }
M
Matt Caswell 已提交
1551

1552 1553
    for (loop = 0; loop < clienthello.compressions_len; loop++) {
        if (clienthello.compressions[loop] == 0)
1554
            break;
1555
    }
1556

1557
    if (loop >= clienthello.compressions_len) {
1558 1559
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1560
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1561 1562
        goto f_err;
    }
1563

1564 1565 1566 1567 1568
#ifndef OPENSSL_NO_EC
    if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
        ssl_check_for_safari(s, &clienthello);
#endif                          /* !OPENSSL_NO_EC */

1569
    /* TLS extensions */
1570
    if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO,
1571
                                  clienthello.pre_proc_exts, NULL, 0, &al)) {
1572
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1573
        goto f_err;
1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587 1588 1589
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

R
Rich Salz 已提交
1590
    if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) {
1591
        const SSL_CIPHER *pref_cipher = NULL;
1592 1593 1594 1595 1596
        /*
         * s->session->master_key_length is a size_t, but this is an int for
         * backwards compat reasons
         */
        int master_key_length;
1597

1598
        master_key_length = sizeof(s->session->master_key);
R
Rich Salz 已提交
1599
        if (s->ext.session_secret_cb(s, s->session->master_key,
1600
                                     &master_key_length, ciphers,
1601
                                     &pref_cipher,
R
Rich Salz 已提交
1602
                                     s->ext.session_secret_cb_arg)
1603 1604
                && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
1605 1606 1607 1608 1609 1610 1611
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
D
Dr. Stephen Henson 已提交
1612 1613 1614
            if (pref_cipher == NULL)
                pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
                                                 SSL_get_ciphers(s));
1615 1616
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1617
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1618 1619 1620 1621
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1622
            sk_SSL_CIPHER_free(s->cipher_list);
1623
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1624
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1625 1626 1627
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1628

1629 1630
    /*
     * Worst case, we will use the NULL compression, but if we have other
1631
     * options, we will now look for them.  We have complen-1 compression
1632 1633 1634
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1635
#ifndef OPENSSL_NO_COMP
1636 1637 1638
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1639
        unsigned int k;
1640 1641 1642
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
M
Matt Caswell 已提交
1643
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
M
Matt Caswell 已提交
1656
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1657 1658 1659 1660
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
1661 1662
        for (k = 0; k < clienthello.compressions_len; k++) {
            if (clienthello.compressions[k] == comp_id)
1663 1664
                break;
        }
1665
        if (k >= clienthello.compressions_len) {
1666
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1667
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
F
FdaSilvaYY 已提交
1668
                   SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
1669 1670 1671 1672 1673
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1674
        /* See if we have a match */
M
Matt Caswell 已提交
1675 1676
        int m, nn, v, done = 0;
        unsigned int o;
1677 1678 1679 1680 1681

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1682 1683
            for (o = 0; o < clienthello.compressions_len; o++) {
                if (v == clienthello.compressions[o]) {
1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1696
#else
1697 1698 1699 1700 1701
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
M
Matt Caswell 已提交
1702
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1703 1704
        goto f_err;
    }
1705
#endif
1706

1707 1708 1709
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1710

1711
    if (!s->hit) {
1712
#ifdef OPENSSL_NO_COMP
1713
        s->session->compress_meth = 0;
1714
#else
1715
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1716
#endif
R
Rich Salz 已提交
1717
        sk_SSL_CIPHER_free(s->session->ciphers);
1718 1719
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1720
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1721
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1722 1723 1724 1725
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
M
Matt Caswell 已提交
1726
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1727 1728
            goto err;
        }
M
Matt Caswell 已提交
1729 1730 1731
    }

    sk_SSL_CIPHER_free(ciphers);
1732
    OPENSSL_free(clienthello.pre_proc_exts);
M
Matt Caswell 已提交
1733 1734 1735 1736
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1737
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1738 1739

    sk_SSL_CIPHER_free(ciphers);
1740
    OPENSSL_free(clienthello.pre_proc_exts);
M
Matt Caswell 已提交
1741

M
Matt Caswell 已提交
1742
    return MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
1743 1744
}

1745 1746
/*
 * Call the status request callback if needed. Upon success, returns 1.
1747
 * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert.
1748 1749 1750
 */
static int tls_handle_status_request(SSL *s, int *al)
{
R
Rich Salz 已提交
1751
    s->ext.status_expected = 0;
1752 1753 1754 1755 1756 1757 1758

    /*
     * If status request then ask callback what to do. Note: this must be
     * called after servername callbacks in case the certificate has changed,
     * and must be called after the cipher has been chosen because this may
     * influence which certificate is sent
     */
R
Rich Salz 已提交
1759 1760
    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
            && s->ctx->ext.status_cb != NULL) {
1761
        int ret;
1762 1763
        CERT_PKEY *certpkey = ssl_get_server_send_pkey(s);

1764 1765 1766 1767 1768 1769 1770
        /* If no certificate can't return certificate status */
        if (certpkey != NULL) {
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
            s->cert->key = certpkey;
R
Rich Salz 已提交
1771
            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
1772 1773 1774
            switch (ret) {
                /* We don't want to send a status request response */
            case SSL_TLSEXT_ERR_NOACK:
R
Rich Salz 已提交
1775
                s->ext.status_expected = 0;
1776 1777 1778
                break;
                /* status request response should be sent */
            case SSL_TLSEXT_ERR_OK:
R
Rich Salz 已提交
1779 1780
                if (s->ext.ocsp.resp)
                    s->ext.status_expected = 1;
1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793
                break;
                /* something bad happened */
            case SSL_TLSEXT_ERR_ALERT_FATAL:
            default:
                *al = SSL_AD_INTERNAL_ERROR;
                return 0;
            }
        }
    }

    return 1;
}

M
Matt Caswell 已提交
1794
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1795
{
M
Matt Caswell 已提交
1796
    int al = SSL_AD_HANDSHAKE_FAILURE;
1797
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
1798 1799 1800 1801 1802 1803 1804 1805

    if (wst == WORK_MORE_A) {
        if (!s->hit) {
            /* Let cert callback update server certificates if required */
            if (s->cert->cert_cb) {
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
1806 1807
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CERT_CB_ERROR);
M
Matt Caswell 已提交
1808 1809 1810 1811 1812 1813 1814
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_A;
                }
                s->rwstate = SSL_NOTHING;
1815
            }
E
Emilia Kasper 已提交
1816 1817
            cipher =
                ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
M
Matt Caswell 已提交
1818 1819

            if (cipher == NULL) {
E
Emilia Kasper 已提交
1820 1821
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_NO_SHARED_CIPHER);
M
Matt Caswell 已提交
1822
                goto f_err;
1823
            }
M
Matt Caswell 已提交
1824
            s->s3->tmp.new_cipher = cipher;
1825 1826 1827 1828 1829 1830
            if (!tls_choose_sigalg(s)) {
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM);
                goto f_err;
            }
M
Matt Caswell 已提交
1831 1832
            /* check whether we should disable session resumption */
            if (s->not_resumable_session_cb != NULL)
1833 1834 1835 1836
                s->session->not_resumable =
                    s->not_resumable_session_cb(s, ((cipher->algorithm_mkey
                                                    & (SSL_kDHE | SSL_kECDHE))
                                                   != 0));
M
Matt Caswell 已提交
1837 1838
            if (s->session->not_resumable)
                /* do not send a session ticket */
R
Rich Salz 已提交
1839
                s->ext.ticket_expected = 0;
M
Matt Caswell 已提交
1840 1841 1842
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
1843 1844
        }

1845
        if (!(s->verify_mode & SSL_VERIFY_PEER)) {
M
Matt Caswell 已提交
1846 1847
            if (!ssl3_digest_cached_records(s, 0)) {
                al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1848
                goto f_err;
M
Matt Caswell 已提交
1849
            }
1850 1851
        }

M
Matt Caswell 已提交
1852 1853 1854
        /*-
         * we now have the following setup.
         * client_random
1855 1856
         * cipher_list          - our preferred list of ciphers
         * ciphers              - the clients preferred list of ciphers
M
Matt Caswell 已提交
1857 1858 1859 1860 1861 1862
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
1863

1864 1865 1866 1867 1868 1869 1870 1871
        /*
         * Call status_request callback if needed. Has to be done after the
         * certificate callbacks etc above.
         */
        if (!tls_handle_status_request(s, &al)) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                   SSL_R_CLIENTHELLO_TLSEXT);
            goto f_err;
M
Matt Caswell 已提交
1872
        }
1873

M
Matt Caswell 已提交
1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892
        wst = WORK_MORE_B;
    }
#ifndef OPENSSL_NO_SRP
    if (wst == WORK_MORE_B) {
        int ret;
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_B;
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
E
Emilia Kasper 已提交
1893
                       SSL_R_CLIENTHELLO_TLSEXT);
1894 1895 1896
            else
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_PSK_IDENTITY_NOT_FOUND);
M
Matt Caswell 已提交
1897
            goto f_err;
1898 1899
        }
    }
M
Matt Caswell 已提交
1900
#endif
1901

M
Matt Caswell 已提交
1902
    return WORK_FINISHED_STOP;
1903
 f_err:
M
Matt Caswell 已提交
1904
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1905
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1906 1907 1908
    return WORK_ERROR;
}

1909
int tls_construct_server_hello(SSL *s, WPACKET *pkt)
1910
{
1911 1912
    int compm, al = SSL_AD_INTERNAL_ERROR;
    size_t sl, len;
1913
    int version;
1914

1915
    /* TODO(TLS1.3): Remove the DRAFT conditional before release */
1916 1917
    version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version;
    if (!WPACKET_put_bytes_u16(pkt, version)
1918 1919 1920 1921
               /*
                * Random stuff. Filling of the server_random takes place in
                * tls_process_client_hello()
                */
1922
            || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
1923 1924 1925
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
        goto err;
    }
1926

M
Matt Caswell 已提交
1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

    sl = s->session->session_id_length;
1949
    if (sl > sizeof(s->session->session_id)) {
M
Matt Caswell 已提交
1950
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1951
        goto err;
M
Matt Caswell 已提交
1952
    }
1953

1954
    /* set up the compression method */
1955
#ifdef OPENSSL_NO_COMP
1956
    compm = 0;
1957
#else
M
Matt Caswell 已提交
1958
    if (s->s3->tmp.new_compression == NULL)
1959
        compm = 0;
M
Matt Caswell 已提交
1960
    else
1961
        compm = s->s3->tmp.new_compression->id;
1962
#endif
1963

1964 1965
    if ((!SSL_IS_TLS13(s)
                && !WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl))
1966
            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
1967 1968
            || (!SSL_IS_TLS13(s)
                && !WPACKET_put_bytes_u8(pkt, compm))
1969
            || !tls_construct_extensions(s, pkt,
M
Matt Caswell 已提交
1970
                                         SSL_IS_TLS13(s)
1971
                                            ? EXT_TLS1_3_SERVER_HELLO
1972 1973
                                            : EXT_TLS1_2_SERVER_HELLO,
                                         NULL, 0, &al)) {
M
Matt Caswell 已提交
1974
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1975
        goto err;
1976
    }
1977

M
Matt Caswell 已提交
1978
    return 1;
1979
 err:
1980
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
1981
    return 0;
1982
}
1983

1984
int tls_construct_server_done(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1985 1986
{
    if (!s->s3->tmp.cert_request) {
1987 1988 1989 1990
        if (!ssl3_digest_cached_records(s, 0)) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
            return 0;
        }
M
Matt Caswell 已提交
1991 1992 1993 1994
    }
    return 1;
}

1995
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
1996
{
1997
#ifndef OPENSSL_NO_DH
1998
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
1999
#endif
2000
#ifndef OPENSSL_NO_EC
2001
    unsigned char *encodedPoint = NULL;
2002
    size_t encodedlen = 0;
2003
    int curve_id = 0;
2004
#endif
2005 2006
    EVP_PKEY *pkey;
    const EVP_MD *md = NULL;
2007
    int al = SSL_AD_INTERNAL_ERROR, i;
2008
    unsigned long type;
2009
    const BIGNUM *r[4];
2010
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
2011
    EVP_PKEY_CTX *pctx = NULL;
2012 2013
    size_t paramlen, paramoffset;

2014
    if (!WPACKET_get_total_written(pkt, &paramoffset)) {
2015
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2016 2017
        goto f_err;
    }
2018

2019 2020 2021 2022
    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        goto f_err;
    }
2023

M
Matt Caswell 已提交
2024 2025 2026
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    r[0] = r[1] = r[2] = r[3] = NULL;
2027
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2028 2029 2030
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
2031
#endif                          /* !OPENSSL_NO_PSK */
2032
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
2033
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
2034 2035
        CERT *cert = s->cert;

2036 2037 2038
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
2039
        if (s->cert->dh_tmp_auto) {
2040 2041 2042 2043
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
M
Matt Caswell 已提交
2044
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2045
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2046
                goto f_err;
2047
            }
2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
M
Matt Caswell 已提交
2064 2065 2066 2067 2068 2069
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
2070
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
M
Matt Caswell 已提交
2071 2072 2073 2074 2075
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
2076
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
2077 2078 2079 2080
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
2081

D
Dr. Stephen Henson 已提交
2082
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
M
Matt Caswell 已提交
2083

2084 2085
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
2086
            goto err;
M
Matt Caswell 已提交
2087
        }
2088 2089 2090 2091 2092 2093

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
2094 2095
        DH_get0_pqg(dh, &r[0], NULL, &r[1]);
        DH_get0_key(dh, &r[2], NULL);
M
Matt Caswell 已提交
2096
    } else
2097
#endif
2098
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2099
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2100
        int nid;
M
Matt Caswell 已提交
2101

D
Dr. Stephen Henson 已提交
2102
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
2103 2104 2105 2106 2107
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

2108
        /* Get NID of appropriate shared curve */
2109
        nid = tls1_shared_group(s, -2);
2110 2111
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
2112 2113 2114 2115
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
2116
        s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id);
D
Dr. Stephen Henson 已提交
2117 2118 2119
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
2120 2121 2122
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
2123
        /* Encode the public key. */
2124 2125
        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
                                                    &encodedPoint);
M
Matt Caswell 已提交
2126
        if (encodedlen == 0) {
2127
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
2128 2129
            goto err;
        }
2130

M
Matt Caswell 已提交
2131 2132 2133 2134 2135 2136 2137 2138 2139
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
2140
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
2141
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2142 2143 2144 2145 2146 2147 2148
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
2149
        }
M
Matt Caswell 已提交
2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
2162

E
Emilia Kasper 已提交
2163
    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
M
Matt Caswell 已提交
2164 2165 2166 2167 2168
        && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
        if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
            == NULL) {
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
2169
        }
M
Matt Caswell 已提交
2170 2171 2172
    } else {
        pkey = NULL;
    }
2173

2174
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2175
    if (type & SSL_PSK) {
2176 2177 2178 2179 2180 2181 2182 2183
        size_t len = (s->cert->psk_identity_hint == NULL)
                        ? 0 : strlen(s->cert->psk_identity_hint);

        /*
         * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
         * checked this when we set the identity hint - but just in case
         */
        if (len > PSK_MAX_IDENTITY_LEN
2184
                || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2185 2186 2187 2188
                                           len)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
2189
        }
M
Matt Caswell 已提交
2190
    }
2191 2192
#endif

M
Matt Caswell 已提交
2193
    for (i = 0; i < 4 && r[i] != NULL; i++) {
2194 2195 2196
        unsigned char *binval;
        int res;

B
Ben Laurie 已提交
2197
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2198
        if ((i == 2) && (type & SSL_kSRP)) {
2199
            res = WPACKET_start_sub_packet_u8(pkt);
M
Matt Caswell 已提交
2200
        } else
2201
#endif
2202
            res = WPACKET_start_sub_packet_u16(pkt);
2203 2204 2205 2206 2207 2208 2209

        if (!res) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

2210
#ifndef OPENSSL_NO_DH
E
Emilia Kasper 已提交
2211
        /*-
2212 2213 2214 2215 2216
         * for interoperability with some versions of the Microsoft TLS
         * stack, we need to zero pad the DHE pub key to the same length
         * as the prime
         */
        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2217
            size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
M
Matt Caswell 已提交
2218

2219
            if (len > 0) {
2220
                if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2221 2222 2223 2224 2225
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
                }
                memset(binval, 0, len);
2226
            }
2227
        }
B
Ben Laurie 已提交
2228
#endif
2229 2230
        if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
                || !WPACKET_close(pkt)) {
2231 2232 2233 2234 2235 2236
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

        BN_bn2bin(r[i], binval);
M
Matt Caswell 已提交
2237
    }
2238

2239
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2240 2241
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
2242 2243 2244 2245
         * We only support named (not generic) curves. In this situation, the
         * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
         * [1 byte length of encoded point], followed by the actual encoded
         * point itself
M
Matt Caswell 已提交
2246
         */
2247 2248 2249 2250
        if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
                || !WPACKET_put_bytes_u8(pkt, 0)
                || !WPACKET_put_bytes_u8(pkt, curve_id)
                || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2251 2252 2253 2254
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
M
Matt Caswell 已提交
2255 2256 2257
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
    }
B
Bodo Möller 已提交
2258 2259
#endif

M
Matt Caswell 已提交
2260 2261 2262 2263 2264 2265 2266
    /* not anonymous */
    if (pkey != NULL) {
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
        if (md) {
2267
            unsigned char *sigbytes1, *sigbytes2;
2268 2269
            size_t siglen;
            int ispss = 0;
2270 2271

            /* Get length of the parameters we have written above */
2272
            if (!WPACKET_get_length(pkt, &paramlen)) {
2273 2274 2275 2276
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
M
Matt Caswell 已提交
2277 2278
            /* send signature algorithm */
            if (SSL_USE_SIGALGS(s)) {
2279
                if (!tls12_get_sigandhash(s, pkt, pkey, md, &ispss)) {
M
Matt Caswell 已提交
2280 2281 2282 2283
                    /* Should never happen */
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
2284
                }
M
Matt Caswell 已提交
2285
            }
2286
#ifdef SSL_DEBUG
M
Matt Caswell 已提交
2287
            fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
2288
#endif
2289 2290 2291 2292 2293 2294
            /*
             * Create the signature. We don't know the actual length of the sig
             * until after we've created it, so we reserve enough bytes for it
             * up front, and then properly allocate them in the WPACKET
             * afterwards.
             */
2295 2296
            siglen = EVP_PKEY_size(pkey);
            if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
2297 2298 2299 2300 2301 2302 2303 2304
                    || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            if (ispss) {
                if (EVP_PKEY_CTX_set_rsa_padding(pctx,
                                                 RSA_PKCS1_PSS_PADDING) <= 0
2305
                    || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_EVP_LIB);
                    goto f_err;
                }
            }
            if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]),
                                     SSL3_RANDOM_SIZE) <= 0
                    || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]),
                                            SSL3_RANDOM_SIZE) <= 0
                    || EVP_DigestSignUpdate(md_ctx,
                                            s->init_buf->data + paramoffset,
                                            paramlen) <= 0
                    || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0
2319
                    || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2320 2321 2322
                    || sigbytes1 != sigbytes2) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
2323
                goto f_err;
2324
            }
M
Matt Caswell 已提交
2325 2326
        } else {
            /* Is this error check actually needed? */
M
Matt Caswell 已提交
2327
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2328 2329
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNKNOWN_PKEY_TYPE);
M
Matt Caswell 已提交
2330 2331
            goto f_err;
        }
2332 2333
    }

2334
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2335
    return 1;
2336 2337 2338
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
2339 2340 2341
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
2342
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2343
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
2344
#endif
2345
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2346
    return 0;
2347
}
2348

2349
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
2350
{
2351
    int i;
2352 2353
    STACK_OF(X509_NAME) *sk = NULL;

M
Matt Caswell 已提交
2354
    /* get the list of acceptable cert types */
2355 2356 2357
    if (!WPACKET_start_sub_packet_u8(pkt)
            || !ssl3_get_req_cert_type(s, pkt)
            || !WPACKET_close(pkt)) {
2358 2359 2360
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
2361

M
Matt Caswell 已提交
2362
    if (SSL_USE_SIGALGS(s)) {
2363
        const uint16_t *psigs;
2364
        size_t nl = tls12_get_psigalgs(s, 1, &psigs);
2365

2366 2367 2368
        if (!WPACKET_start_sub_packet_u16(pkt)
                || !tls12_copy_sigalgs(s, pkt, psigs, nl)
                || !WPACKET_close(pkt)) {
2369 2370 2371 2372
            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
M
Matt Caswell 已提交
2373
    }
2374

2375
    /* Start sub-packet for client CA list */
2376
    if (!WPACKET_start_sub_packet_u16(pkt)) {
2377 2378 2379
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
2380 2381 2382 2383

    sk = SSL_get_client_CA_list(s);
    if (sk != NULL) {
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2384 2385 2386 2387 2388 2389
            unsigned char *namebytes;
            X509_NAME *name = sk_X509_NAME_value(sk, i);
            int namelen;

            if (name == NULL
                    || (namelen = i2d_X509_NAME(name, NULL)) < 0
2390
                    || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2391 2392 2393 2394
                                                       &namebytes)
                    || i2d_X509_NAME(name, &namebytes) != namelen) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2395
                goto err;
2396 2397
            }
        }
M
Matt Caswell 已提交
2398 2399
    }
    /* else no CA names */
2400

2401
    if (!WPACKET_close(pkt)) {
M
Matt Caswell 已提交
2402 2403
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
2404
    }
2405

M
Matt Caswell 已提交
2406 2407 2408
    s->s3->tmp.cert_request = 1;

    return 1;
2409
 err:
2410
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
2411
    return 0;
2412
}
2413

2414
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
M
Matt Caswell 已提交
2415
{
2416
#ifndef OPENSSL_NO_PSK
2417 2418 2419
    unsigned char psk[PSK_MAX_PSK_LEN];
    size_t psklen;
    PACKET psk_identity;
2420

2421 2422
    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
        *al = SSL_AD_DECODE_ERROR;
2423
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
2424 2425 2426 2427
        return 0;
    }
    if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
        *al = SSL_AD_DECODE_ERROR;
2428
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
2429 2430 2431 2432
        return 0;
    }
    if (s->psk_server_callback == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
2433
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
2434 2435
        return 0;
    }
2436

2437 2438
    if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
        *al = SSL_AD_INTERNAL_ERROR;
2439
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2440 2441
        return 0;
    }
2442

2443
    psklen = s->psk_server_callback(s, s->session->psk_identity,
E
Emilia Kasper 已提交
2444
                                    psk, sizeof(psk));
2445

2446 2447
    if (psklen > PSK_MAX_PSK_LEN) {
        *al = SSL_AD_INTERNAL_ERROR;
2448
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2449 2450 2451 2452 2453 2454
        return 0;
    } else if (psklen == 0) {
        /*
         * PSK related to the given identity not found
         */
        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2455
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2456 2457 2458
               SSL_R_PSK_IDENTITY_NOT_FOUND);
        return 0;
    }
2459

2460 2461 2462
    OPENSSL_free(s->s3->tmp.psk);
    s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
    OPENSSL_cleanse(psk, psklen);
2463

2464 2465
    if (s->s3->tmp.psk == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2466
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2467
        return 0;
2468
    }
2469 2470 2471 2472 2473 2474 2475

    s->s3->tmp.psklen = psklen;

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2476
    SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2477
    return 0;
2478
#endif
2479 2480 2481 2482
}

static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
{
2483
#ifndef OPENSSL_NO_RSA
2484 2485 2486 2487 2488 2489 2490 2491 2492
    unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
    int decrypt_len;
    unsigned char decrypt_good, version_good;
    size_t j, padding_len;
    PACKET enc_premaster;
    RSA *rsa = NULL;
    unsigned char *rsa_decrypt = NULL;
    int ret = 0;

2493
    rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
2494 2495
    if (rsa == NULL) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2496
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE);
2497 2498 2499 2500 2501 2502 2503 2504 2505 2506
        return 0;
    }

    /* SSLv3 and pre-standard DTLS omit the length bytes. */
    if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
        enc_premaster = *pkt;
    } else {
        if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
            || PACKET_remaining(pkt) != 0) {
            *al = SSL_AD_DECODE_ERROR;
2507
            SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH);
2508
            return 0;
2509
        }
2510
    }
2511

2512 2513 2514 2515 2516 2517 2518 2519
    /*
     * We want to be sure that the plaintext buffer size makes it safe to
     * iterate over the entire size of a premaster secret
     * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
     * their ciphertext cannot accommodate a premaster secret anyway.
     */
    if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_INTERNAL_ERROR;
2520
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
2521 2522
        return 0;
    }
2523

2524 2525 2526
    rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
    if (rsa_decrypt == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2527
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE);
2528 2529
        return 0;
    }
2530

2531 2532 2533 2534 2535 2536 2537
    /*
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). The code follows that advice of the TLS RFC and
     * generates a random premaster secret for the case that the decrypt
     * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
     */
2538

E
Emilia Kasper 已提交
2539
    if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
2540
        goto err;
2541

2542 2543 2544 2545
    /*
     * Decrypt with no padding. PKCS#1 padding will be removed as part of
     * the timing-sensitive code below.
     */
2546 2547 2548 2549
     /* TODO(size_t): Convert this function */
    decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
                                           PACKET_data(&enc_premaster),
                                           rsa_decrypt, rsa, RSA_NO_PADDING);
2550 2551
    if (decrypt_len < 0)
        goto err;
2552

2553
    /* Check the padding. See RFC 3447, section 7.2.2. */
2554

2555 2556 2557 2558 2559 2560 2561
    /*
     * The smallest padded premaster is 11 bytes of overhead. Small keys
     * are publicly invalid, so this may return immediately. This ensures
     * PS is at least 8 bytes.
     */
    if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_DECRYPT_ERROR;
2562
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED);
2563 2564
        goto err;
    }
2565

2566 2567
    padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
    decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
E
Emilia Kasper 已提交
2568
        constant_time_eq_int_8(rsa_decrypt[1], 2);
2569 2570 2571 2572
    for (j = 2; j < padding_len - 1; j++) {
        decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
    }
    decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
2573

2574 2575 2576 2577 2578 2579 2580 2581 2582 2583 2584 2585 2586 2587
    /*
     * If the version in the decrypted pre-master secret is correct then
     * version_good will be 0xff, otherwise it'll be zero. The
     * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
     * (http://eprint.iacr.org/2003/052/) exploits the version number
     * check as a "bad version oracle". Thus version checks are done in
     * constant time and are treated like any other decryption error.
     */
    version_good =
        constant_time_eq_8(rsa_decrypt[padding_len],
                           (unsigned)(s->client_version >> 8));
    version_good &=
        constant_time_eq_8(rsa_decrypt[padding_len + 1],
                           (unsigned)(s->client_version & 0xff));
2588

2589 2590 2591 2592 2593 2594 2595 2596 2597 2598 2599 2600 2601 2602
    /*
     * The premaster secret must contain the same version number as the
     * ClientHello to detect version rollback attacks (strangely, the
     * protocol does not offer such protection for DH ciphersuites).
     * However, buggy clients exist that send the negotiated protocol
     * version instead if the server does not support the requested
     * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
     * clients.
     */
    if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
        unsigned char workaround_good;
        workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
                                             (unsigned)(s->version >> 8));
        workaround_good &=
2603
            constant_time_eq_8(rsa_decrypt[padding_len + 1],
2604 2605 2606
                               (unsigned)(s->version & 0xff));
        version_good |= workaround_good;
    }
2607

2608 2609 2610 2611 2612
    /*
     * Both decryption and version must be good for decrypt_good to
     * remain non-zero (0xff).
     */
    decrypt_good &= version_good;
2613

2614 2615 2616 2617 2618 2619 2620 2621 2622 2623 2624 2625
    /*
     * Now copy rand_premaster_secret over from p using
     * decrypt_good_mask. If decryption failed, then p does not
     * contain valid plaintext, however, a check above guarantees
     * it is still sufficiently large to read from.
     */
    for (j = 0; j < sizeof(rand_premaster_secret); j++) {
        rsa_decrypt[padding_len + j] =
            constant_time_select_8(decrypt_good,
                                   rsa_decrypt[padding_len + j],
                                   rand_premaster_secret[j]);
    }
2626

2627 2628 2629
    if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
                                    sizeof(rand_premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
2630
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2631 2632
        goto err;
    }
2633

2634 2635 2636 2637 2638 2639 2640
    ret = 1;
 err:
    OPENSSL_free(rsa_decrypt);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2641
    SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2642 2643 2644 2645
    return 0;
#endif
}

2646 2647 2648 2649 2650 2651 2652 2653 2654 2655 2656
static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_DH
    EVP_PKEY *skey = NULL;
    DH *cdh;
    unsigned int i;
    BIGNUM *pub_key;
    const unsigned char *data;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

D
Dr. Stephen Henson 已提交
2657
    if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
2658
        *al = SSL_AD_HANDSHAKE_FAILURE;
2659
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE,
2660 2661 2662 2663 2664 2665
               SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
        goto err;
    }
    skey = s->s3->tmp.pkey;
    if (skey == NULL) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2666
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2667 2668 2669 2670 2671
        goto err;
    }

    if (PACKET_remaining(pkt) == 0L) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2672
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2673 2674 2675 2676 2677
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, i)) {
        /* We already checked we have enough data */
        *al = SSL_AD_INTERNAL_ERROR;
2678
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2679 2680 2681 2682
        goto err;
    }
    ckey = EVP_PKEY_new();
    if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
2683
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
2684 2685 2686 2687 2688 2689
        goto err;
    }
    cdh = EVP_PKEY_get0_DH(ckey);
    pub_key = BN_bin2bn(data, i, NULL);

    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
2690
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2691 2692 2693 2694 2695
        if (pub_key != NULL)
            BN_free(pub_key);
        goto err;
    }

2696
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2697
        *al = SSL_AD_INTERNAL_ERROR;
2698
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2699 2700 2701 2702 2703 2704 2705 2706 2707 2708 2709 2710
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2711
    SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2712 2713 2714 2715
    return 0;
#endif
}

2716 2717 2718 2719 2720 2721 2722 2723 2724 2725
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *skey = s->s3->tmp.pkey;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

    if (PACKET_remaining(pkt) == 0L) {
        /* We don't support ECDH client auth */
        *al = SSL_AD_HANDSHAKE_FAILURE;
2726
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY);
2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737
        goto err;
    } else {
        unsigned int i;
        const unsigned char *data;

        /*
         * Get client's public key from encoded point in the
         * ClientKeyExchange message.
         */

        /* Get encoded point length */
D
Dr. Stephen Henson 已提交
2738 2739
        if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
            || PACKET_remaining(pkt) != 0) {
2740
            *al = SSL_AD_DECODE_ERROR;
2741
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH);
2742 2743 2744 2745
            goto err;
        }
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
2746
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB);
2747 2748
            goto err;
        }
2749
        if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
D
Dr. Stephen Henson 已提交
2750
            *al = SSL_AD_HANDSHAKE_FAILURE;
2751
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB);
2752 2753 2754 2755
            goto err;
        }
    }

2756
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2757
        *al = SSL_AD_INTERNAL_ERROR;
2758
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2759 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);

    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2772
    SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2773 2774 2775 2776
    return 0;
#endif
}

2777 2778 2779 2780 2781 2782 2783
static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_SRP
    unsigned int i;
    const unsigned char *data;

    if (!PACKET_get_net_2(pkt, &i)
E
Emilia Kasper 已提交
2784
        || !PACKET_get_bytes(pkt, &data, i)) {
2785
        *al = SSL_AD_DECODE_ERROR;
2786
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
2787 2788 2789
        return 0;
    }
    if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
2790
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
2791 2792
        return 0;
    }
E
Emilia Kasper 已提交
2793
    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
2794
        *al = SSL_AD_ILLEGAL_PARAMETER;
2795
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
2796 2797 2798 2799 2800
        return 0;
    }
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
2801
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE);
2802 2803 2804 2805
        return 0;
    }

    if (!srp_generate_server_master_secret(s)) {
2806
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2807 2808 2809 2810 2811 2812 2813
        return 0;
    }

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2814
    SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2815 2816 2817 2818 2819 2820 2821 2822 2823 2824 2825 2826 2827 2828 2829
    return 0;
#endif
}

static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_GOST
    EVP_PKEY_CTX *pkey_ctx;
    EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
    unsigned char premaster_secret[32];
    const unsigned char *start;
    size_t outlen = 32, inlen;
    unsigned long alg_a;
    int Ttag, Tclass;
    long Tlen;
2830
    size_t sess_key_len;
2831 2832 2833 2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845 2846 2847 2848 2849 2850 2851 2852 2853
    const unsigned char *data;
    int ret = 0;

    /* Get our certificate private key */
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
    if (alg_a & SSL_aGOST12) {
        /*
         * New GOST ciphersuites have SSL_aGOST01 bit too
         */
        pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
        }
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
        }
    } else if (alg_a & SSL_aGOST01) {
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

    pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
    if (pkey_ctx == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2854
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE);
2855 2856 2857 2858
        return 0;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
        *al = SSL_AD_INTERNAL_ERROR;
2859
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2860 2861 2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876
        return 0;
    }
    /*
     * If client certificate is present and is of the same type, maybe
     * use it for key exchange.  Don't mind errors from
     * EVP_PKEY_derive_set_peer, because it is completely valid to use a
     * client certificate for authorization only.
     */
    client_pub_pkey = X509_get0_pubkey(s->session->peer);
    if (client_pub_pkey) {
        if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
            ERR_clear_error();
    }
    /* Decrypt session key */
    sess_key_len = PACKET_remaining(pkt);
    if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
        *al = SSL_AD_INTERNAL_ERROR;
2877
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2878 2879
        goto err;
    }
2880
    /* TODO(size_t): Convert this function */
E
Emilia Kasper 已提交
2881
    if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
2882
                        &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
E
Emilia Kasper 已提交
2883
        || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
2884
        *al = SSL_AD_DECODE_ERROR;
2885
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
2886 2887 2888 2889 2890 2891 2892
        goto err;
    }
    start = data;
    inlen = Tlen;
    if (EVP_PKEY_decrypt
        (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
        *al = SSL_AD_DECODE_ERROR;
2893
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
2894 2895 2896 2897 2898 2899
        goto err;
    }
    /* Generate master secret */
    if (!ssl_generate_master_secret(s, premaster_secret,
                                    sizeof(premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
2900
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2901 2902 2903 2904 2905 2906 2907 2908 2909 2910 2911 2912 2913 2914
        goto err;
    }
    /* Check if pubkey from client certificate was used */
    if (EVP_PKEY_CTX_ctrl
        (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
        s->statem.no_cert_verify = 1;

    ret = 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2915
    SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2916 2917 2918 2919
    return 0;
#endif
}

2920 2921 2922 2923 2924 2925 2926 2927 2928 2929 2930 2931 2932 2933 2934
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    int al = -1;
    unsigned long alg_k;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* For PSK parse and retrieve identity, obtain PSK key */
    if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al))
        goto err;

    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
            al = SSL_AD_HANDSHAKE_FAILURE;
E
Emilia Kasper 已提交
2935 2936
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_LENGTH_MISMATCH);
2937
            goto err;
2938 2939 2940
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
M
Matt Caswell 已提交
2941
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2942
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2943
            goto err;
M
Matt Caswell 已提交
2944
        }
2945 2946 2947
    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
        if (!tls_process_cke_rsa(s, pkt, &al))
            goto err;
2948 2949
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
        if (!tls_process_cke_dhe(s, pkt, &al))
2950
            goto err;
2951 2952 2953
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        if (!tls_process_cke_ecdhe(s, pkt, &al))
            goto err;
2954 2955
    } else if (alg_k & SSL_kSRP) {
        if (!tls_process_cke_srp(s, pkt, &al))
2956
            goto err;
2957 2958
    } else if (alg_k & SSL_kGOST) {
        if (!tls_process_cke_gost(s, pkt, &al))
2959
            goto err;
2960
    } else {
2961
        al = SSL_AD_HANDSHAKE_FAILURE;
E
Emilia Kasper 已提交
2962 2963
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
               SSL_R_UNKNOWN_CIPHER_TYPE);
2964
        goto err;
2965 2966
    }

M
Matt Caswell 已提交
2967
    return MSG_PROCESS_CONTINUE_PROCESSING;
2968
 err:
2969 2970
    if (al != -1)
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
2971 2972 2973
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
2974
#endif
M
Matt Caswell 已提交
2975
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2976
    return MSG_PROCESS_ERROR;
2977
}
2978

M
Matt Caswell 已提交
2979
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
2980 2981
{
#ifndef OPENSSL_NO_SCTP
2982 2983 2984 2985 2986 2987 2988 2989
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
2990 2991
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
2992 2993

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
2994 2995 2996
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
2997
                ossl_statem_set_error(s);
F
FdaSilvaYY 已提交
2998
                return WORK_ERROR;
2999
            }
3000

3001 3002
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
3003
        }
3004 3005
        wst = WORK_MORE_B;
    }
3006

3007
    if ((wst == WORK_MORE_B)
E
Emilia Kasper 已提交
3008 3009 3010 3011 3012 3013 3014
        /* Is this SCTP? */
        && BIO_dgram_is_sctp(SSL_get_wbio(s))
        /* Are we renegotiating? */
        && s->renegotiate
        /* Are we going to skip the CertificateVerify? */
        && (s->session->peer == NULL || s->statem.no_cert_verify)
        && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
3015 3016 3017 3018
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
3019
        ossl_statem_set_sctp_read_sock(s, 1);
3020 3021
        return WORK_MORE_B;
    } else {
M
Matt Caswell 已提交
3022
        ossl_statem_set_sctp_read_sock(s, 0);
3023 3024 3025
    }
#endif

3026
    if (s->statem.no_cert_verify || !s->session->peer) {
E
Emilia Kasper 已提交
3027 3028 3029
        /*
         * No certificate verify or no peer certificate so we no longer need
         * the handshake_buffer
3030 3031 3032 3033 3034
         */
        if (!ssl3_digest_cached_records(s, 0)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
3035
        return WORK_FINISHED_CONTINUE;
3036
    } else {
3037 3038 3039
        if (!s->s3->handshake_buffer) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3040
            ossl_statem_set_error(s);
3041 3042 3043 3044 3045 3046 3047
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
M
Matt Caswell 已提交
3048
            ossl_statem_set_error(s);
3049 3050 3051 3052 3053 3054 3055
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
3056
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3057
{
M
Matt Caswell 已提交
3058
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3059 3060
    X509 *x = NULL;
    unsigned long l, llen;
E
Emilia Kasper 已提交
3061
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
3062
    STACK_OF(X509) *sk = NULL;
3063
    PACKET spkt, context;
3064
    size_t chainidx;
3065 3066

    if ((sk = sk_X509_new_null()) == NULL) {
M
Matt Caswell 已提交
3067 3068
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
3069 3070
    }

3071 3072 3073 3074 3075
    /* TODO(TLS1.3): For now we ignore the context. We need to verify this */
    if ((SSL_IS_TLS13(s) && !PACKET_get_length_prefixed_1(pkt, &context))
            || !PACKET_get_net_3(pkt, &llen)
            || !PACKET_get_sub_packet(pkt, &spkt, llen)
            || PACKET_remaining(pkt) != 0) {
3076
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3077
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3078 3079
        goto f_err;
    }
3080

3081
    for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
3082
        if (!PACKET_get_net_3(&spkt, &l)
E
Emilia Kasper 已提交
3083
            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3084
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3085
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3086 3087 3088 3089
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

3090 3091
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3092
        if (x == NULL) {
M
Matt Caswell 已提交
3093 3094
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
3095
        }
3096
        if (certbytes != (certstart + l)) {
3097
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3098
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3099 3100 3101
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
3102 3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114

        if (SSL_IS_TLS13(s)) {
            RAW_EXTENSION *rawexts = NULL;
            PACKET extensions;

            if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH);
                goto f_err;
            }
            if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
                                        &rawexts, &al)
                    || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
3115 3116
                                                 rawexts, x, chainidx, &al)) {
                OPENSSL_free(rawexts);
3117
                goto f_err;
3118 3119
            }
            OPENSSL_free(rawexts);
3120 3121
        }

3122
        if (!sk_X509_push(sk, x)) {
M
Matt Caswell 已提交
3123 3124
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
3125 3126 3127 3128 3129 3130 3131 3132
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3133
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3134 3135 3136 3137 3138 3139
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
M
Matt Caswell 已提交
3140
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3141 3142 3143 3144 3145
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
3146
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3147 3148 3149 3150 3151 3152 3153
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
M
Matt Caswell 已提交
3154
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3155 3156 3157 3158
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
M
Matt Caswell 已提交
3159
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
3160 3161 3162
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
3163
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
3164 3165
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3166
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3167 3168 3169 3170 3171
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
    }

R
Rich Salz 已提交
3172
    X509_free(s->session->peer);
3173 3174 3175
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

3176 3177
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
3178 3179 3180 3181 3182

    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
     * message
     */
3183
    if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
3184 3185 3186 3187 3188
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

3189 3190
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
M
Matt Caswell 已提交
3191
     * certificate, while we do include it in statem_clnt.c
3192 3193
     */
    sk = NULL;
3194 3195 3196 3197 3198 3199 3200 3201 3202 3203 3204

    /* Save the current hash state for when we receive the CertificateVerify */
    if (SSL_IS_TLS13(s)
            && !ssl_handshake_hash(s, s->cert_verify_hash,
                                   sizeof(s->cert_verify_hash),
                                   &s->cert_verify_hash_len)) {
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

M
Matt Caswell 已提交
3205
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
3206 3207
    goto done;

3208
 f_err:
R
Rich Salz 已提交
3209
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3210
    ossl_statem_set_error(s);
R
Rich Salz 已提交
3211
 done:
R
Rich Salz 已提交
3212 3213
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
3214
    return ret;
3215
}
3216

3217
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3218 3219
{
    CERT_PKEY *cpk;
3220
    int al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3221 3222 3223 3224 3225 3226 3227

    cpk = ssl_get_server_send_pkey(s);
    if (cpk == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }

3228 3229 3230 3231 3232 3233
    /*
     * In TLSv1.3 the certificate chain is always preceded by a 0 length context
     * for the server Certificate message
     */
    if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))
            || !ssl3_output_cert_chain(s, pkt, cpk, &al)) {
M
Matt Caswell 已提交
3234
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3235
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3236 3237 3238 3239 3240 3241
        return 0;
    }

    return 1;
}

3242
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3243 3244
{
    unsigned char *senc = NULL;
3245
    EVP_CIPHER_CTX *ctx = NULL;
3246
    HMAC_CTX *hctx = NULL;
3247
    unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
M
Matt Caswell 已提交
3248
    const unsigned char *const_p;
3249
    int len, slen_full, slen, lenfinal;
M
Matt Caswell 已提交
3250 3251
    SSL_SESSION *sess;
    unsigned int hlen;
3252
    SSL_CTX *tctx = s->session_ctx;
M
Matt Caswell 已提交
3253
    unsigned char iv[EVP_MAX_IV_LENGTH];
K
Kurt Roeckx 已提交
3254
    unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
3255
    int iv_len, al = SSL_AD_INTERNAL_ERROR;
3256
    size_t macoffset, macendoffset;
3257 3258 3259 3260
    union {
        unsigned char age_add_c[sizeof(uint32_t)];
        uint32_t age_add;
    } age_add_u;
M
Matt Caswell 已提交
3261

M
Matt Caswell 已提交
3262 3263 3264 3265 3266 3267
    if (SSL_IS_TLS13(s)) {
        if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
            goto err;
        s->session->ext.tick_age_add = age_add_u.age_add;
    }

M
Matt Caswell 已提交
3268 3269 3270 3271 3272 3273 3274
    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
M
Matt Caswell 已提交
3275
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3276 3277 3278
        return 0;
    }
    senc = OPENSSL_malloc(slen_full);
3279
    if (senc == NULL) {
M
Matt Caswell 已提交
3280
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3281 3282
        return 0;
    }
3283

3284
    ctx = EVP_CIPHER_CTX_new();
3285
    hctx = HMAC_CTX_new();
3286 3287 3288 3289
    if (ctx == NULL || hctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
        goto err;
    }
3290

M
Matt Caswell 已提交
3291 3292 3293
    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;
M
Matt Caswell 已提交
3294

M
Matt Caswell 已提交
3295 3296 3297 3298 3299 3300 3301 3302
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3303

M
Matt Caswell 已提交
3304 3305 3306 3307 3308 3309 3310 3311 3312 3313 3314
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3315

M
Matt Caswell 已提交
3316 3317 3318 3319
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
R
Rich Salz 已提交
3320
    if (tctx->ext.ticket_key_cb) {
T
Todd Short 已提交
3321
        /* if 0 is returned, write an empty ticket */
R
Rich Salz 已提交
3322
        int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
T
Todd Short 已提交
3323 3324 3325
                                             hctx, 1);

        if (ret == 0) {
3326 3327

            /* Put timeout and length */
3328
            if (!WPACKET_put_bytes_u32(pkt, 0)
3329
                    || !WPACKET_put_bytes_u16(pkt, 0)) {
3330 3331
                SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                       ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
3332
                goto err;
3333
            }
T
Todd Short 已提交
3334 3335 3336 3337 3338 3339
            OPENSSL_free(senc);
            EVP_CIPHER_CTX_free(ctx);
            HMAC_CTX_free(hctx);
            return 1;
        }
        if (ret < 0)
M
Matt Caswell 已提交
3340
            goto err;
K
Kurt Roeckx 已提交
3341
        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3342
    } else {
K
Kurt Roeckx 已提交
3343 3344 3345 3346
        const EVP_CIPHER *cipher = EVP_aes_256_cbc();

        iv_len = EVP_CIPHER_iv_length(cipher);
        if (RAND_bytes(iv, iv_len) <= 0)
M
Matt Caswell 已提交
3347
            goto err;
K
Kurt Roeckx 已提交
3348
        if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
R
Rich Salz 已提交
3349
                                tctx->ext.tick_aes_key, iv))
M
Matt Caswell 已提交
3350
            goto err;
R
Rich Salz 已提交
3351 3352
        if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
                          sizeof(tctx->ext.tick_hmac_key),
M
Matt Caswell 已提交
3353
                          EVP_sha256(), NULL))
3354
            goto err;
R
Rich Salz 已提交
3355 3356
        memcpy(key_name, tctx->ext.tick_key_name,
               sizeof(tctx->ext.tick_key_name));
3357 3358
    }

M
Matt Caswell 已提交
3359 3360 3361 3362 3363
    /*
     * Ticket lifetime hint (advisory only): We leave this unspecified
     * for resumed session (for simplicity), and guess that tickets for
     * new sessions will live as long as their sessions.
     */
3364
    if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout)
3365 3366
            || (SSL_IS_TLS13(s)
                && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add))
3367
               /* Now the actual ticket data */
3368 3369
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_get_total_written(pkt, &macoffset)
3370
               /* Output key name */
3371
            || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3372
               /* output IV */
3373 3374
            || !WPACKET_memcpy(pkt, iv, iv_len)
            || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3375 3376 3377
                                      &encdata1)
               /* Encrypt session data */
            || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3378
            || !WPACKET_allocate_bytes(pkt, len, &encdata2)
3379 3380
            || encdata1 != encdata2
            || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
3381
            || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
3382 3383
            || encdata1 + len != encdata2
            || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
3384
            || !WPACKET_get_total_written(pkt, &macendoffset)
3385 3386 3387
            || !HMAC_Update(hctx,
                            (unsigned char *)s->init_buf->data + macoffset,
                            macendoffset - macoffset)
3388
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
3389 3390
            || !HMAC_Final(hctx, macdata1, &hlen)
            || hlen > EVP_MAX_MD_SIZE
3391
            || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
3392
            || macdata1 != macdata2
3393 3394 3395 3396 3397
            || !WPACKET_close(pkt)
            || (SSL_IS_TLS13(s)
                && !tls_construct_extensions(s, pkt,
                                             EXT_TLS1_3_NEW_SESSION_TICKET,
                                             NULL, 0, &al))) {
3398
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3399
        goto err;
3400
    }
D
Dr. Stephen Henson 已提交
3401 3402
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3403 3404 3405
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3406
 err:
R
Rich Salz 已提交
3407
    OPENSSL_free(senc);
3408
    EVP_CIPHER_CTX_free(ctx);
3409
    HMAC_CTX_free(hctx);
3410
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
3411
    return 0;
3412
}
3413

3414 3415 3416 3417 3418
/*
 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
 * create a separate message. Returns 1 on success or 0 on failure.
 */
int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3419
{
3420 3421 3422
    if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
            || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
                                       s->ext.ocsp.resp_len)) {
3423 3424 3425 3426 3427 3428 3429 3430 3431 3432
        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
    if (!tls_construct_cert_status_body(s, pkt)) {
3433 3434 3435
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
3436 3437 3438 3439

    return 1;
}

3440
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3441 3442 3443 3444
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3445
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3446
{
3447
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3448 3449
    size_t next_proto_len;

3450 3451 3452 3453 3454 3455 3456
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3457 3458 3459
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
M
Matt Caswell 已提交
3460
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
3461
        goto err;
M
Matt Caswell 已提交
3462
    }
3463

R
Rich Salz 已提交
3464 3465
    if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
        s->ext.npn_len = 0;
M
Matt Caswell 已提交
3466 3467 3468
        goto err;
    }

R
Rich Salz 已提交
3469
    s->ext.npn_len = (unsigned char)next_proto_len;
3470

M
Matt Caswell 已提交
3471
    return MSG_PROCESS_CONTINUE_READING;
E
Emilia Kasper 已提交
3472
 err:
M
Matt Caswell 已提交
3473
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3474
    return MSG_PROCESS_ERROR;
3475
}
3476
#endif
M
Matt Caswell 已提交
3477

M
Matt Caswell 已提交
3478 3479
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
M
Matt Caswell 已提交
3480 3481
    int al;

3482
    if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
3483
                                  NULL, 0, &al)) {
M
Matt Caswell 已提交
3484
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3485
        SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3486
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3487 3488 3489 3490 3491 3492
        return 0;
    }

    return 1;
}

M
Matt Caswell 已提交
3493 3494
#define SSLV2_CIPHER_LEN    3

3495 3496
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                               PACKET *cipher_suites,
M
Matt Caswell 已提交
3497
                                               STACK_OF(SSL_CIPHER) **skp,
E
Emilia Kasper 已提交
3498
                                               int sslv2format, int *al)
M
Matt Caswell 已提交
3499 3500 3501
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk;
3502 3503 3504
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];
M
Matt Caswell 已提交
3505

3506 3507 3508 3509 3510 3511 3512 3513
    s->s3->send_connection_binding = 0;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return NULL;
M
Matt Caswell 已提交
3514
    }
3515 3516

    if (PACKET_remaining(cipher_suites) % n != 0) {
M
Matt Caswell 已提交
3517 3518
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
3519 3520
        *al = SSL_AD_DECODE_ERROR;
        return NULL;
M
Matt Caswell 已提交
3521
    }
3522

M
Matt Caswell 已提交
3523 3524 3525 3526 3527
    sk = sk_SSL_CIPHER_new_null();
    if (sk == NULL) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
        *al = SSL_AD_INTERNAL_ERROR;
        return NULL;
M
Matt Caswell 已提交
3528 3529
    }

3530 3531 3532 3533
    OPENSSL_free(s->s3->tmp.ciphers_raw);
    s->s3->tmp.ciphers_raw = NULL;
    s->s3->tmp.ciphers_rawlen = 0;

M
Matt Caswell 已提交
3534 3535 3536 3537 3538 3539 3540 3541 3542 3543 3544 3545 3546
    if (sslv2format) {
        size_t numciphers = PACKET_remaining(cipher_suites) / n;
        PACKET sslv2ciphers = *cipher_suites;
        unsigned int leadbyte;
        unsigned char *raw;

        /*
         * We store the raw ciphers list in SSLv3+ format so we need to do some
         * preprocessing to convert the list first. If there are any SSLv2 only
         * ciphersuites with a non-zero leading byte then we are going to
         * slightly over allocate because we won't store those. But that isn't a
         * problem.
         */
3547 3548
        raw = OPENSSL_malloc(numciphers * TLS_CIPHER_LEN);
        s->s3->tmp.ciphers_raw = raw;
M
Matt Caswell 已提交
3549 3550 3551 3552 3553 3554 3555 3556 3557 3558 3559 3560 3561 3562
        if (raw == NULL) {
            *al = SSL_AD_INTERNAL_ERROR;
            goto err;
        }
        for (s->s3->tmp.ciphers_rawlen = 0;
             PACKET_remaining(&sslv2ciphers) > 0;
             raw += TLS_CIPHER_LEN) {
            if (!PACKET_get_1(&sslv2ciphers, &leadbyte)
                    || (leadbyte == 0
                        && !PACKET_copy_bytes(&sslv2ciphers, raw,
                                              TLS_CIPHER_LEN))
                    || (leadbyte != 0
                        && !PACKET_forward(&sslv2ciphers, TLS_CIPHER_LEN))) {
                *al = SSL_AD_INTERNAL_ERROR;
R
Richard Levitte 已提交
3563
                OPENSSL_free(s->s3->tmp.ciphers_raw);
M
Matt Caswell 已提交
3564 3565 3566 3567 3568 3569 3570 3571 3572
                s->s3->tmp.ciphers_raw = NULL;
                s->s3->tmp.ciphers_rawlen = 0;
                goto err;
            }
            if (leadbyte == 0)
                s->s3->tmp.ciphers_rawlen += TLS_CIPHER_LEN;
        }
    } else if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                           &s->s3->tmp.ciphers_rawlen)) {
3573
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3574 3575 3576
        goto err;
    }

3577 3578
    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
3579 3580 3581
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
3582 3583
         */
        if (sslv2format && cipher[0] != '\0')
E
Emilia Kasper 已提交
3584
            continue;
3585

M
Matt Caswell 已提交
3586
        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
3587 3588
        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3589 3590 3591 3592
            /* SCSV fatal if renegotiating */
            if (s->renegotiate) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
3593
                *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3594 3595 3596 3597 3598 3599 3600
                goto err;
            }
            s->s3->send_connection_binding = 1;
            continue;
        }

        /* Check for TLS_FALLBACK_SCSV */
3601 3602
        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3603 3604 3605 3606 3607
            /*
             * The SCSV indicates that the client previously tried a higher
             * version. Fail if the current version is an unexpected
             * downgrade.
             */
3608
            if (!ssl_check_version_downgrade(s)) {
M
Matt Caswell 已提交
3609 3610
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_INAPPROPRIATE_FALLBACK);
3611
                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
M
Matt Caswell 已提交
3612 3613 3614 3615 3616
                goto err;
            }
            continue;
        }

3617 3618
        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
M
Matt Caswell 已提交
3619 3620 3621
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3622
                *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3623 3624 3625 3626
                goto err;
            }
        }
    }
3627 3628 3629 3630 3631
    if (PACKET_remaining(cipher_suites) > 0) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
3632

M
Matt Caswell 已提交
3633 3634
    *skp = sk;
    return sk;
M
Matt Caswell 已提交
3635
 err:
M
Matt Caswell 已提交
3636
    sk_SSL_CIPHER_free(sk);
3637
    return NULL;
M
Matt Caswell 已提交
3638
}
3639 3640 3641 3642 3643 3644 3645 3646 3647 3648 3649 3650 3651 3652 3653 3654 3655 3656 3657 3658 3659 3660 3661 3662 3663

static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
{
    int al;

    /*
     * TODO(TLS1.3): Remove the DRAFT version before release
     * (should be s->version)
     */
    if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
            || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
                                         NULL, 0, &al)) {
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        return 0;
    }

    /* Ditch the session. We'll create a new one next time around */
    SSL_SESSION_free(s->session);
    s->session = NULL;
    s->hit = 0;

    return 1;
}