statem_srvr.c 114.8 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
R
Rich Salz 已提交
9

B
Bodo Möller 已提交
10 11 12
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
13
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
14 15 16 17 18 19 20 21 22
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
49 50

#include <stdio.h>
M
Matt Caswell 已提交
51
#include "../ssl_locl.h"
M
Matt Caswell 已提交
52
#include "statem_locl.h"
53
#include "internal/constant_time_locl.h"
54 55 56 57
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
58
#include <openssl/hmac.h>
59
#include <openssl/x509.h>
R
Rich Salz 已提交
60
#include <openssl/dh.h>
61
#include <openssl/bn.h>
62
#include <openssl/md5.h>
63

M
Matt Caswell 已提交
64
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
65
static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt);
M
Matt Caswell 已提交
66

M
Matt Caswell 已提交
67
/*
68 69 70 71 72
 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when a TLSv1.3 server is reading messages from
 * the client. The message type that the client has sent is provided in |mt|.
 * The current state is in |s->statem.hand_state|.
 *
73 74
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
75 76 77 78 79 80 81 82 83 84 85 86 87 88
 */
static int ossl_statem_server13_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * Note: There is no case for TLS_ST_BEFORE because at that stage we have
     * not negotiated TLSv1.3 yet, so that case is handled by
     * ossl_statem_server_read_transition()
     */
    switch (st->hand_state) {
    default:
        break;

89 90 91 92 93 94 95
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

96
    case TLS_ST_SW_FINISHED:
97 98 99 100 101 102
        if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        } else {
103 104
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
105 106 107 108 109 110 111
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT:
        if (s->session->peer == NULL) {
112 113
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
130 131 132 133 134 135 136

    case TLS_ST_OK:
        if (mt == SSL3_MT_KEY_UPDATE) {
            st->hand_state = TLS_ST_SR_KEY_UPDATE;
            return 1;
        }
        break;
137 138 139 140 141 142 143 144 145 146 147 148 149 150
    }

    /* No valid transition found */
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
    SSLerr(SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION,
           SSL_R_UNEXPECTED_MESSAGE);
    return 0;
}

/*
 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when the server is reading messages from the
 * client. The message type that the client has sent is provided in |mt|. The
 * current state is in |s->statem.hand_state|.
M
Matt Caswell 已提交
151
 *
152 153
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
M
Matt Caswell 已提交
154
 */
155
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
156
{
M
Matt Caswell 已提交
157
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
158

159
    if (SSL_IS_TLS13(s)) {
160 161 162 163
        if (!ossl_statem_server13_read_transition(s, mt))
            goto err;
        return 1;
    }
164

165
    switch (st->hand_state) {
R
Rich Salz 已提交
166 167 168
    default:
        break;

M
Matt Caswell 已提交
169
    case TLS_ST_BEFORE:
170
    case TLS_ST_OK:
M
Matt Caswell 已提交
171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
189 190 191
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            if (s->s3->tmp.cert_request) {
                if (s->version == SSL3_VERSION) {
192 193
                    if ((s->verify_mode & SSL_VERIFY_PEER)
                        && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
194 195
                        /*
                         * This isn't an unexpected message as such - we're just
196 197
                         * not going to accept it because we require a client
                         * cert.
198 199 200
                         */
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                                        SSL3_AD_HANDSHAKE_FAILURE);
201
                        SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
202 203 204 205 206 207 208 209 210 211
                               SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                        return 0;
                    }
                    st->hand_state = TLS_ST_SR_KEY_EXCH;
                    return 1;
                }
            } else {
                st->hand_state = TLS_ST_SR_KEY_EXCH;
                return 1;
            }
M
Matt Caswell 已提交
212 213 214 215
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
216
            }
M
Matt Caswell 已提交
217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
233
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
234 235
         * set.
         */
236
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
R
Rich Salz 已提交
264
        if (s->s3->npn_seen) {
M
Matt Caswell 已提交
265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;
    }

297
 err:
M
Matt Caswell 已提交
298
    /* No valid transition found */
299
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
300
    SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
M
Matt Caswell 已提交
301 302 303 304 305 306 307 308 309 310
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
311
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
312 313 314 315
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
316
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
317 318 319 320 321 322
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
E
Emilia Kasper 已提交
323
    if (alg_k & (SSL_kDHE | SSL_kECDHE)
M
Matt Caswell 已提交
324 325 326 327 328 329 330 331 332 333 334 335 336 337 338
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
E
Emilia Kasper 已提交
339
        ) {
M
Matt Caswell 已提交
340 341 342 343 344 345 346 347 348 349 350 351 352
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
353
static int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
354 355 356 357 358 359 360 361
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
            * during re-negotiation:
            */
M
Matt Caswell 已提交
362
           && (s->s3->tmp.finish_md_len == 0 ||
M
Matt Caswell 已提交
363 364 365 366 367 368 369
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
E
Emilia Kasper 已提交
370 371 372 373 374
               /*
                * ... except when the application insists on
                * verification (against the specs, but statem_clnt.c accepts
                * this for SSL 3)
                */
M
Matt Caswell 已提交
375 376 377 378 379 380 381
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
382
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
383 384 385 386 387 388 389
        return 1;
    }

    return 0;
}

/*
390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407
 * ossl_statem_server13_write_transition() works out what handshake state to
 * move to next when a TLSv1.3 server is writing messages to be sent to the
 * client.
 */
static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
     * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
     */

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

408 409 410 411 412
    case TLS_ST_OK:
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
413 414
        /* Try to read from the client instead */
        return WRITE_TRAN_FINISHED;
415

416
    case TLS_ST_SR_CLNT_HELLO:
417 418 419 420
        if (s->hello_retry_request)
            st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST;
        else
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
421 422
        return WRITE_TRAN_CONTINUE;

423 424 425
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        return WRITE_TRAN_FINISHED;

426
    case TLS_ST_SW_SRVR_HELLO:
M
Matt Caswell 已提交
427 428 429 430
        st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
431
        if (s->hit)
432 433 434
            st->hand_state = TLS_ST_SW_FINISHED;
        else if (send_certificate_request(s))
            st->hand_state = TLS_ST_SW_CERT_REQ;
435
        else
436
            st->hand_state = TLS_ST_SW_CERT;
437

438 439 440
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_REQ:
441
        st->hand_state = TLS_ST_SW_CERT;
442 443
        return WRITE_TRAN_CONTINUE;

444
    case TLS_ST_SW_CERT:
445 446 447 448
        st->hand_state = TLS_ST_SW_CERT_VRFY;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_VRFY:
449
        st->hand_state = TLS_ST_SW_FINISHED;
450 451 452
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
453
        return WRITE_TRAN_FINISHED;
454

455
    case TLS_ST_SR_FINISHED:
456 457 458 459 460 461 462 463 464 465 466
        /*
         * Technically we have finished the handshake at this point, but we're
         * going to remain "in_init" for now and write out the session ticket
         * immediately.
         * TODO(TLS1.3): Perhaps we need to be able to control this behaviour
         * and give the application the opportunity to delay sending the
         * session ticket?
         */
        st->hand_state = TLS_ST_SW_SESSION_TICKET;
        return WRITE_TRAN_CONTINUE;

467
    case TLS_ST_SR_KEY_UPDATE:
468 469 470 471 472 473
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
        /* Fall through */

474
    case TLS_ST_SW_KEY_UPDATE:
475
    case TLS_ST_SW_SESSION_TICKET:
476 477 478 479 480 481 482 483 484
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
    }
}

/*
 * ossl_statem_server_write_transition() works out what handshake state to move
 * to next when the server is writing messages to be sent to the client.
M
Matt Caswell 已提交
485
 */
486
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
487
{
M
Matt Caswell 已提交
488
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
489

490 491 492 493 494
    /*
     * Note that before the ClientHello we don't know what version we are going
     * to negotiate yet, so we don't take this branch until later
     */

495
    if (SSL_IS_TLS13(s))
496 497
        return ossl_statem_server13_write_transition(s);

498
    switch (st->hand_state) {
R
Rich Salz 已提交
499 500 501 502
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

503 504 505 506 507 508 509
    case TLS_ST_OK:
        if (st->request_state == TLS_ST_SW_HELLO_REQ) {
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            st->request_state = TLS_ST_BEFORE;
            return WRITE_TRAN_CONTINUE;
        }
510 511 512 513 514
        /* Must be an incoming ClientHello */
        if (!tls_setup_handshake(s)) {
            ossl_statem_set_error(s);
            return WRITE_TRAN_ERROR;
        }
515 516
        /* Fall through */

517
    case TLS_ST_BEFORE:
E
Emilia Kasper 已提交
518
        /* Just go straight to trying to read from the client */
519
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
520

521 522 523 524
    case TLS_ST_SW_HELLO_REQ:
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
525

526 527
    case TLS_ST_SR_CLNT_HELLO:
        if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
E
Emilia Kasper 已提交
528
            && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
529 530 531 532
            st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
        else
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
533

534 535
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
536

537 538
    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
R
Rich Salz 已提交
539
            if (s->ext.ticket_expected)
540 541 542 543 544 545 546
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            else
                st->hand_state = TLS_ST_SW_CHANGE;
        } else {
            /* Check if it is anon DH or anon ECDH, */
            /* normal PSK or SRP */
            if (!(s->s3->tmp.new_cipher->algorithm_auth &
E
Emilia Kasper 已提交
547
                  (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
548 549
                st->hand_state = TLS_ST_SW_CERT;
            } else if (send_server_key_exchange(s)) {
M
Matt Caswell 已提交
550
                st->hand_state = TLS_ST_SW_KEY_EXCH;
551
            } else if (send_certificate_request(s)) {
M
Matt Caswell 已提交
552
                st->hand_state = TLS_ST_SW_CERT_REQ;
553 554
            } else {
                st->hand_state = TLS_ST_SW_SRVR_DONE;
M
Matt Caswell 已提交
555
            }
556 557
        }
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
558

559
    case TLS_ST_SW_CERT:
R
Rich Salz 已提交
560
        if (s->ext.status_expected) {
561
            st->hand_state = TLS_ST_SW_CERT_STATUS;
M
Matt Caswell 已提交
562
            return WRITE_TRAN_CONTINUE;
563 564
        }
        /* Fall through */
M
Matt Caswell 已提交
565

566 567 568
    case TLS_ST_SW_CERT_STATUS:
        if (send_server_key_exchange(s)) {
            st->hand_state = TLS_ST_SW_KEY_EXCH;
M
Matt Caswell 已提交
569
            return WRITE_TRAN_CONTINUE;
570 571
        }
        /* Fall through */
M
Matt Caswell 已提交
572

573 574 575
    case TLS_ST_SW_KEY_EXCH:
        if (send_certificate_request(s)) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
M
Matt Caswell 已提交
576
            return WRITE_TRAN_CONTINUE;
577 578
        }
        /* Fall through */
M
Matt Caswell 已提交
579

580 581 582
    case TLS_ST_SW_CERT_REQ:
        st->hand_state = TLS_ST_SW_SRVR_DONE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
583

584 585 586 587 588
    case TLS_ST_SW_SRVR_DONE:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        if (s->hit) {
M
Matt Caswell 已提交
589
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
590
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
591
            return WRITE_TRAN_CONTINUE;
R
Rich Salz 已提交
592
        } else if (s->ext.ticket_expected) {
593 594 595 596 597 598 599 600 601
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        } else {
            st->hand_state = TLS_ST_SW_CHANGE;
        }
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        st->hand_state = TLS_ST_SW_CHANGE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
602

603 604 605 606 607 608 609 610 611 612 613
    case TLS_ST_SW_CHANGE:
        st->hand_state = TLS_ST_SW_FINISHED;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
        if (s->hit) {
            return WRITE_TRAN_FINISHED;
        }
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
614 615 616 617 618 619 620
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
621
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
622
{
M
Matt Caswell 已提交
623
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
624

625
    switch (st->hand_state) {
R
Rich Salz 已提交
626 627 628 629
    default:
        /* No pre work to be done */
        break;

M
Matt Caswell 已提交
630 631 632
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
633
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
634 635 636 637 638
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
639
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
             * Messages we write from now on should be bufferred and
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
663 664 665 666 667 668 669 670
        if (SSL_IS_TLS13(s)) {
            /*
             * Actually this is the end of the handshake, but we're going
             * straight into writing the session ticket out. So we finish off
             * the handshake, but keep the various buffers active.
             */
            return tls_finish_handshake(s, wst, 0);
        } if (SSL_IS_DTLS(s)) {
M
Matt Caswell 已提交
671 672 673 674 675 676 677 678 679 680 681
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
M
Matt Caswell 已提交
682
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
683 684 685 686 687 688 689 690 691 692 693 694 695 696
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_OK:
697
        return tls_finish_handshake(s, wst, 1);
M
Matt Caswell 已提交
698 699 700 701 702 703 704 705 706
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
707
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
708
{
M
Matt Caswell 已提交
709
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
710 711 712

    s->init_num = 0;

713
    switch (st->hand_state) {
R
Rich Salz 已提交
714 715 716 717
    default:
        /* No post work to be done */
        break;

718 719 720 721 722
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

M
Matt Caswell 已提交
723 724 725
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
726 727 728 729
        if (!ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
730 731 732 733 734 735
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
736 737 738 739
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
757 758
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
759 760

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
761 762 763
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
764
                ossl_statem_set_error(s);
M
Matt Caswell 已提交
765 766 767 768 769 770 771
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
772 773 774 775 776 777 778 779 780 781 782 783 784 785
        /*
         * TODO(TLS1.3): This actually causes a problem. We don't yet know
         * whether the next record we are going to receive is an unencrypted
         * alert, or an encrypted handshake message. We're going to need
         * something clever in the record layer for this.
         */
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->setup_key_block(s)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ))
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
786 787 788 789 790 791 792 793 794 795 796 797 798 799
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
E
Emilia Kasper 已提交
800 801
                                                      SSL3_CHANGE_CIPHER_SERVER_WRITE))
        {
M
Matt Caswell 已提交
802
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
828 829
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->generate_master_secret(s,
830
                        s->master_secret, s->handshake_secret, 0,
831 832 833 834 835
                        &s->session->master_key_length)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
836
        break;
837

838
    case TLS_ST_SW_KEY_UPDATE:
839 840 841 842 843 844
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        if (!tls13_update_key(s, 1))
            return WORK_ERROR;
        break;

845 846 847 848
    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
            return WORK_MORE_A;
        break;
M
Matt Caswell 已提交
849 850 851 852 853 854
    }

    return WORK_FINISHED_CONTINUE;
}

/*
855 856
 * Get the message construction function and message type for sending from the
 * server
M
Matt Caswell 已提交
857 858 859 860 861
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
862
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
863
                                         confunc_f *confunc, int *mt)
M
Matt Caswell 已提交
864
{
M
Matt Caswell 已提交
865
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
866

867 868 869 870 871 872
    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return 0;

    case TLS_ST_SW_CHANGE:
873
        if (SSL_IS_DTLS(s))
874
            *confunc = dtls_construct_change_cipher_spec;
875
        else
876 877
            *confunc = tls_construct_change_cipher_spec;
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
878
        break;
R
Rich Salz 已提交
879

880
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
881 882
        *confunc = dtls_construct_hello_verify_request;
        *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
883
        break;
M
Matt Caswell 已提交
884

885 886
    case TLS_ST_SW_HELLO_REQ:
        /* No construction function needed */
887 888
        *confunc = NULL;
        *mt = SSL3_MT_HELLO_REQUEST;
889
        break;
M
Matt Caswell 已提交
890

891
    case TLS_ST_SW_SRVR_HELLO:
892 893
        *confunc = tls_construct_server_hello;
        *mt = SSL3_MT_SERVER_HELLO;
894
        break;
M
Matt Caswell 已提交
895

896
    case TLS_ST_SW_CERT:
897 898
        *confunc = tls_construct_server_certificate;
        *mt = SSL3_MT_CERTIFICATE;
899
        break;
M
Matt Caswell 已提交
900

901 902 903 904 905 906
    case TLS_ST_SW_CERT_VRFY:
        *confunc = tls_construct_cert_verify;
        *mt = SSL3_MT_CERTIFICATE_VERIFY;
        break;


907
    case TLS_ST_SW_KEY_EXCH:
908 909
        *confunc = tls_construct_server_key_exchange;
        *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
910
        break;
M
Matt Caswell 已提交
911

912
    case TLS_ST_SW_CERT_REQ:
913 914
        *confunc = tls_construct_certificate_request;
        *mt = SSL3_MT_CERTIFICATE_REQUEST;
915
        break;
M
Matt Caswell 已提交
916

917
    case TLS_ST_SW_SRVR_DONE:
918 919
        *confunc = tls_construct_server_done;
        *mt = SSL3_MT_SERVER_DONE;
920
        break;
M
Matt Caswell 已提交
921

922
    case TLS_ST_SW_SESSION_TICKET:
923 924
        *confunc = tls_construct_new_session_ticket;
        *mt = SSL3_MT_NEWSESSION_TICKET;
925
        break;
M
Matt Caswell 已提交
926

927
    case TLS_ST_SW_CERT_STATUS:
928 929
        *confunc = tls_construct_cert_status;
        *mt = SSL3_MT_CERTIFICATE_STATUS;
930
        break;
M
Matt Caswell 已提交
931

932
    case TLS_ST_SW_FINISHED:
933 934
        *confunc = tls_construct_finished;
        *mt = SSL3_MT_FINISHED;
935
        break;
M
Matt Caswell 已提交
936 937 938 939 940

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        *confunc = tls_construct_encrypted_extensions;
        *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
        break;
941 942 943 944 945

    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        *confunc = tls_construct_hello_retry_request;
        *mt = SSL3_MT_HELLO_RETRY_REQUEST;
        break;
946 947 948 949 950

    case TLS_ST_SW_KEY_UPDATE:
        *confunc = tls_construct_key_update;
        *mt = SSL3_MT_KEY_UPDATE;
        break;
951
    }
M
Matt Caswell 已提交
952

953
    return 1;
M
Matt Caswell 已提交
954 955
}

956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972
/*
 * Maximum size (excluding the Handshake header) of a ClientHello message,
 * calculated as follows:
 *
 *  2 + # client_version
 *  32 + # only valid length for random
 *  1 + # length of session_id
 *  32 + # maximum size for session_id
 *  2 + # length of cipher suites
 *  2^16-2 + # maximum length of cipher suites array
 *  1 + # length of compression_methods
 *  2^8-1 + # maximum length of compression methods
 *  2 + # length of extensions
 *  2^16-1 # maximum length of extensions
 */
#define CLIENT_HELLO_MAX_LENGTH         131396

M
Matt Caswell 已提交
973 974 975 976 977 978 979
#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
980
size_t ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
981
{
M
Matt Caswell 已提交
982
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
983

984
    switch (st->hand_state) {
R
Rich Salz 已提交
985 986 987 988
    default:
        /* Shouldn't happen */
        return 0;

M
Matt Caswell 已提交
989
    case TLS_ST_SR_CLNT_HELLO:
990
        return CLIENT_HELLO_MAX_LENGTH;
M
Matt Caswell 已提交
991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010

    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;
1011 1012 1013

    case TLS_ST_SR_KEY_UPDATE:
        return KEY_UPDATE_MAX_LENGTH;
M
Matt Caswell 已提交
1014 1015 1016 1017 1018 1019
    }
}

/*
 * Process a message that the server has received from the client.
 */
1020
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1021
{
M
Matt Caswell 已提交
1022
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1023

1024
    switch (st->hand_state) {
R
Rich Salz 已提交
1025 1026 1027 1028
    default:
        /* Shouldn't happen */
        return MSG_PROCESS_ERROR;

M
Matt Caswell 已提交
1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);
1051 1052 1053 1054

    case TLS_ST_SR_KEY_UPDATE:
        return tls_process_key_update(s, pkt);

M
Matt Caswell 已提交
1055 1056 1057 1058 1059 1060 1061
    }
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
1062
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1063
{
M
Matt Caswell 已提交
1064
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1065

1066
    switch (st->hand_state) {
R
Rich Salz 已提交
1067 1068 1069 1070
    default:
        /* Shouldn't happen */
        return WORK_ERROR;

M
Matt Caswell 已提交
1071 1072 1073 1074 1075 1076 1077 1078
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);

    case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
E
Emilia Kasper 已提交
1079 1080 1081 1082
        if (                    /* Is this SCTP? */
               BIO_dgram_is_sctp(SSL_get_wbio(s))
               /* Are we renegotiating? */
               && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
M
Matt Caswell 已提交
1083 1084 1085 1086
            s->s3->in_read_app_data = 2;
            s->rwstate = SSL_READING;
            BIO_clear_retry_flags(SSL_get_rbio(s));
            BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
1087
            ossl_statem_set_sctp_read_sock(s, 1);
M
Matt Caswell 已提交
1088 1089
            return WORK_MORE_A;
        } else {
M
Matt Caswell 已提交
1090
            ossl_statem_set_sctp_read_sock(s, 0);
M
Matt Caswell 已提交
1091 1092 1093 1094
        }
#endif
        return WORK_FINISHED_CONTINUE;
    }
1095
    return WORK_FINISHED_CONTINUE;
M
Matt Caswell 已提交
1096 1097
}

B
Ben Laurie 已提交
1098
#ifndef OPENSSL_NO_SRP
1099
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
1120 1121
#endif

1122
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
M
Matt Caswell 已提交
1123
                                  size_t cookie_len)
M
Matt Caswell 已提交
1124 1125
{
    /* Always use DTLS 1.0 version: see RFC 6347 */
1126 1127 1128
    if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
            || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
        return 0;
M
Matt Caswell 已提交
1129

1130
    return 1;
M
Matt Caswell 已提交
1131 1132
}

1133
int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1134
{
M
Matt Caswell 已提交
1135
    unsigned int cookie_leni;
M
Matt Caswell 已提交
1136 1137
    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
M
Matt Caswell 已提交
1138 1139
                                  &cookie_leni) == 0 ||
        cookie_leni > 255) {
M
Matt Caswell 已提交
1140
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
M
Matt Caswell 已提交
1141 1142 1143
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
        return 0;
    }
M
Matt Caswell 已提交
1144
    s->d1->cookie_len = cookie_leni;
M
Matt Caswell 已提交
1145

1146 1147
    if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
                                              s->d1->cookie_len)) {
1148 1149 1150
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
1151 1152 1153 1154

    return 1;
}

1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 1188 1189 1190 1191 1192 1193 1194
#ifndef OPENSSL_NO_EC
/*-
 * ssl_check_for_safari attempts to fingerprint Safari using OS X
 * SecureTransport using the TLS extension block in |hello|.
 * Safari, since 10.6, sends exactly these extensions, in this order:
 *   SNI,
 *   elliptic_curves
 *   ec_point_formats
 *
 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 * 10.8..10.8.3 (which don't work).
 */
static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
{
    static const unsigned char kSafariExtensionsBlock[] = {
        0x00, 0x0a,             /* elliptic_curves extension */
        0x00, 0x08,             /* 8 bytes */
        0x00, 0x06,             /* 6 bytes of curve ids */
        0x00, 0x17,             /* P-256 */
        0x00, 0x18,             /* P-384 */
        0x00, 0x19,             /* P-521 */

        0x00, 0x0b,             /* ec_point_formats */
        0x00, 0x02,             /* 2 bytes */
        0x01,                   /* 1 point format */
        0x00,                   /* uncompressed */
        /* The following is only present in TLS 1.2 */
        0x00, 0x0d,             /* signature_algorithms */
        0x00, 0x0c,             /* 12 bytes */
        0x00, 0x0a,             /* 10 bytes */
        0x05, 0x01,             /* SHA-384/RSA */
        0x04, 0x01,             /* SHA-256/RSA */
        0x02, 0x01,             /* SHA-1/RSA */
        0x04, 0x03,             /* SHA-256/ECDSA */
        0x02, 0x03,             /* SHA-1/ECDSA */
    };
    /* Length of the common prefix (first two extensions). */
    static const size_t kSafariCommonExtensionsLength = 18;
1195 1196 1197
    unsigned int type;
    PACKET sni, tmppkt;
    size_t ext_len;
1198 1199 1200 1201 1202 1203 1204

    tmppkt = hello->extensions;

    if (!PACKET_forward(&tmppkt, 2)
        || !PACKET_get_net_2(&tmppkt, &type)
        || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
        return;
1205 1206
    }

1207 1208 1209 1210 1211 1212 1213 1214
    if (type != TLSEXT_TYPE_server_name)
        return;

    ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
        sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;

    s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
                                             ext_len);
1215
}
1216
#endif                          /* !OPENSSL_NO_EC */
1217

M
Matt Caswell 已提交
1218
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1219 1220
{
    int i, al = SSL_AD_INTERNAL_ERROR;
1221
    unsigned int j;
1222
    size_t loop;
M
Matt Caswell 已提交
1223
    unsigned long id;
1224
    const SSL_CIPHER *c;
M
Matt Caswell 已提交
1225 1226 1227 1228
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
1229
    STACK_OF(SSL_CIPHER) *scsvs = NULL;
1230
    int protverr;
M
Matt Caswell 已提交
1231
    /* |cookie| will only be initialized for DTLS. */
1232
    PACKET session_id, compression, extensions, cookie;
M
Matt Caswell 已提交
1233
    static const unsigned char null_compression = 0;
1234
    CLIENTHELLO_MSG clienthello;
M
Matt Caswell 已提交
1235

1236 1237 1238 1239 1240 1241 1242 1243 1244
    /* Check if this is actually an unexpected renegotiation ClientHello */
    if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
        s->renegotiate = 1;
        s->new_session = 1;
    }

    /* This is a real handshake so make sure we clean it up at the end */
    s->statem.cleanuphand = 1;

1245
    /*
1246
     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1247
     */
1248
    memset(&clienthello, 0, sizeof(clienthello));
1249
    clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
E
Emilia Kasper 已提交
1250
    PACKET_null_init(&cookie);
1251 1252

    if (clienthello.isv2) {
M
Matt Caswell 已提交
1253
        unsigned int mt;
1254

1255 1256 1257 1258 1259 1260
        if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) {
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
            goto f_err;
        }

1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 1274 1275
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

1276
        if (!PACKET_get_1(pkt, &mt)
E
Emilia Kasper 已提交
1277
            || mt != SSL2_MT_CLIENT_HELLO) {
1278 1279 1280 1281 1282
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
1283
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1284
            goto err;
1285 1286 1287
        }
    }

1288
    if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) {
1289 1290 1291
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
        goto err;
1292 1293
    }

1294
    /* Parse the message and load client random. */
1295
    if (clienthello.isv2) {
1296 1297 1298
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
1299
         * Real SSLv2 is not supported, and is rejected below.
1300
         */
1301
        unsigned int ciphersuite_len, session_id_len, challenge_len;
1302
        PACKET challenge;
1303

1304
        if (!PACKET_get_net_2(pkt, &ciphersuite_len)
E
Emilia Kasper 已提交
1305 1306
            || !PACKET_get_net_2(pkt, &session_id_len)
            || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
1307 1308
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1309 1310
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1311
        }
1312

1313 1314 1315 1316 1317 1318
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1319 1320
        if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
                                   ciphersuite_len)
1321
            || !PACKET_copy_bytes(pkt, clienthello.session_id, session_id_len)
1322
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1323
            /* No extensions. */
1324
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1325 1326
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1327 1328 1329
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
1330
        clienthello.session_id_len = session_id_len;
M
Matt Caswell 已提交
1331

1332 1333 1334 1335 1336 1337 1338 1339
        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
         * here rather than sizeof(clienthello.random) because that is the limit
         * for SSLv3 and it is fixed. It won't change even if
         * sizeof(clienthello.random) does.
         */
        challenge_len = challenge_len > SSL3_RANDOM_SIZE
                        ? SSL3_RANDOM_SIZE : challenge_len;
        memset(clienthello.random, 0, SSL3_RANDOM_SIZE);
1340
        if (!PACKET_copy_bytes(&challenge,
1341
                               clienthello.random + SSL3_RANDOM_SIZE -
D
David Benjamin 已提交
1342 1343 1344
                               challenge_len, challenge_len)
            /* Advertise only null compression. */
            || !PACKET_buf_init(&compression, &null_compression, 1)) {
M
Matt Caswell 已提交
1345
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1346
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1347 1348
            goto f_err;
        }
1349

1350
        PACKET_null_init(&clienthello.extensions);
1351
    } else {
1352
        /* Regular ClientHello. */
1353
        if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
1354 1355 1356 1357
            || !PACKET_get_length_prefixed_1(pkt, &session_id)
            || !PACKET_copy_all(&session_id, clienthello.session_id,
                    SSL_MAX_SSL_SESSION_ID_LENGTH,
                    &clienthello.session_id_len)) {
M
Matt Caswell 已提交
1358
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1359
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1360 1361
            goto f_err;
        }
1362

1363
        if (SSL_IS_DTLS(s)) {
1364
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1365
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1366
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1367 1368
                goto f_err;
            }
1369 1370 1371 1372 1373 1374 1375
            if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie,
                                 DTLS1_COOKIE_LENGTH,
                                 &clienthello.dtls_cookie_len)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
1376 1377 1378 1379 1380 1381
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1382
                if (clienthello.dtls_cookie_len == 0)
E
Emilia Kasper 已提交
1383
                    return 1;
1384
            }
1385
        }
1386

1387 1388 1389 1390 1391 1392
        if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1393
        if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
E
Emilia Kasper 已提交
1394 1395 1396
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
1397
        }
1398

1399
        /* Could be empty. */
1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410
        if (PACKET_remaining(pkt) == 0) {
            PACKET_null_init(&clienthello.extensions);
        } else {
            if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
        }
    }

1411
    if (!PACKET_copy_all(&compression, clienthello.compressions,
1412 1413
                         MAX_COMPRESSIONS_SIZE,
                         &clienthello.compressions_len)) {
1414 1415 1416 1417 1418
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }

1419
    /* Preserve the raw extensions PACKET for later use */
1420
    extensions = clienthello.extensions;
1421
    if (!tls_collect_extensions(s, &extensions, EXT_CLIENT_HELLO,
1422 1423
                                &clienthello.pre_proc_exts, &al,
                                &clienthello.pre_proc_exts_len)) {
1424 1425 1426 1427 1428 1429 1430 1431 1432 1433 1434 1435
        /* SSLerr already been called */
        goto f_err;
    }

    /* Finished parsing the ClientHello, now we can start processing it */

    /* Set up the client_random */
    memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE);

    /* Choose the version */

    if (clienthello.isv2) {
1436 1437
        if (clienthello.legacy_version == SSL2_VERSION
                || (clienthello.legacy_version & 0xff00)
1438 1439 1440 1441 1442
                   != (SSL3_VERSION_MAJOR << 8)) {
            /*
             * This is real SSLv2 or something complete unknown. We don't
             * support it.
             */
1443 1444 1445
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
            goto err;
        }
1446
        /* SSLv3/TLS */
1447
        s->client_version = clienthello.legacy_version;
1448 1449 1450 1451 1452 1453 1454 1455
    }
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
    if (!SSL_IS_DTLS(s)) {
        protverr = ssl_choose_server_version(s, &clienthello);
    } else if (s->method->version != DTLS_ANY_VERSION &&
1456
               DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) {
1457 1458 1459 1460 1461 1462 1463
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
        protverr = 0;
    }

    if (protverr) {
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
1464
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
1465
            /* like ssl3_get_record, send alert using remote version number */
1466
            s->version = s->client_version = clienthello.legacy_version;
1467 1468 1469
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
1470 1471
    }

1472 1473 1474 1475
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
1476 1477
                if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie,
                        clienthello.dtls_cookie_len) == 0) {
1478 1479 1480 1481 1482 1483
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                           SSL_R_COOKIE_MISMATCH);
                    goto f_err;
                    /* else cookie verification succeeded */
                }
E
Emilia Kasper 已提交
1484
                /* default verification */
1485 1486 1487
            } else if (s->d1->cookie_len != clienthello.dtls_cookie_len
                    || memcmp(clienthello.dtls_cookie, s->d1->cookie,
                              s->d1->cookie_len) != 0) {
1488 1489 1490 1491 1492 1493 1494
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                goto f_err;
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
1495
            protverr = ssl_choose_server_version(s, &clienthello);
1496 1497 1498 1499 1500 1501 1502 1503 1504
            if (protverr != 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
        }
    }

1505 1506
    s->hit = 0;

1507
    /* We need to do this before getting the session */
1508
    if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
M
Matt Caswell 已提交
1509
                             EXT_CLIENT_HELLO,
1510
                             clienthello.pre_proc_exts, NULL, 0, &al)) {
1511 1512 1513 1514
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
        goto f_err;
    }

1515 1516 1517 1518 1519 1520 1521 1522 1523 1524 1525 1526 1527 1528 1529 1530
    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
1531
    if (clienthello.isv2 ||
1532 1533 1534 1535 1536
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
1537
        i = ssl_get_prev_session(s, &clienthello, &al);
1538
        if (i == 1) {
1539 1540 1541
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
1542
            goto f_err;
1543
        } else {
1544 1545
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1546
                goto err;
1547
        }
1548
    }
1549

1550 1551 1552 1553
    if (!ssl_cache_cipherlist(s, &clienthello.ciphersuites,
                              clienthello.isv2, &al) ||
        !bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers, &scsvs,
                             clienthello.isv2, &al)) {
1554 1555
        goto f_err;
    }
1556

1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579 1580 1581 1582 1583 1584 1585 1586 1587
    s->s3->send_connection_binding = 0;
    /* Check what signalling cipher-suite values were received. */
    if (scsvs != NULL) {
        for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
            c = sk_SSL_CIPHER_value(scsvs, i);
            if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
                if (s->renegotiate) {
                    /* SCSV is fatal if renegotiating */
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                           SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    goto f_err;
                }
                s->s3->send_connection_binding = 1;
            } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
                       !ssl_check_version_downgrade(s)) {
                /*
                 * This SCSV indicates that the client previously tried
                 * a higher version.  We should fail if the current version
                 * is an unexpected downgrade, as that indicates that the first
                 * connection may have been tampered with in order to trigger
                 * an insecure downgrade.
                 */
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                       SSL_R_INAPPROPRIATE_FALLBACK);
                al = SSL_AD_INAPPROPRIATE_FALLBACK;
                goto f_err;
            }
        }
    }

1588 1589 1590 1591
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1592

1593
#ifdef CIPHER_DEBUG
E
Emilia Kasper 已提交
1594
        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
1595
#endif
1596 1597
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1598
#ifdef CIPHER_DEBUG
1599 1600
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1601
#endif
1602 1603 1604
            if (c->id == id) {
                j = 1;
                break;
1605
            }
1606
        }
1607
        if (j == 0) {
1608
            /*
1609 1610
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1611
             */
1612
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1613
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1614
                   SSL_R_REQUIRED_CIPHER_MISSING);
1615 1616
            goto f_err;
        }
1617
    }
M
Matt Caswell 已提交
1618

1619 1620
    for (loop = 0; loop < clienthello.compressions_len; loop++) {
        if (clienthello.compressions[loop] == 0)
1621
            break;
1622
    }
1623

1624
    if (loop >= clienthello.compressions_len) {
1625 1626
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1627
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1628 1629
        goto f_err;
    }
1630

1631 1632 1633 1634 1635
#ifndef OPENSSL_NO_EC
    if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
        ssl_check_for_safari(s, &clienthello);
#endif                          /* !OPENSSL_NO_EC */

1636
    /* TLS extensions */
1637
    if (!tls_parse_all_extensions(s, EXT_CLIENT_HELLO,
1638
                                  clienthello.pre_proc_exts, NULL, 0, &al)) {
1639
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1640
        goto f_err;
1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

R
Rich Salz 已提交
1657
    if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) {
1658
        const SSL_CIPHER *pref_cipher = NULL;
1659 1660 1661 1662 1663
        /*
         * s->session->master_key_length is a size_t, but this is an int for
         * backwards compat reasons
         */
        int master_key_length;
1664

1665
        master_key_length = sizeof(s->session->master_key);
R
Rich Salz 已提交
1666
        if (s->ext.session_secret_cb(s, s->session->master_key,
1667
                                     &master_key_length, ciphers,
1668
                                     &pref_cipher,
R
Rich Salz 已提交
1669
                                     s->ext.session_secret_cb_arg)
1670 1671
                && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
1672 1673 1674 1675 1676 1677 1678
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
D
Dr. Stephen Henson 已提交
1679 1680 1681
            if (pref_cipher == NULL)
                pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
                                                 SSL_get_ciphers(s));
1682 1683
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1684
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1685 1686 1687 1688
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1689
            sk_SSL_CIPHER_free(s->cipher_list);
1690
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1691
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1692 1693 1694
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1695

1696 1697
    /*
     * Worst case, we will use the NULL compression, but if we have other
1698
     * options, we will now look for them.  We have complen-1 compression
1699 1700 1701
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1702
#ifndef OPENSSL_NO_COMP
1703 1704 1705
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1706
        unsigned int k;
1707 1708 1709
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
M
Matt Caswell 已提交
1710
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
M
Matt Caswell 已提交
1723
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1724 1725 1726 1727
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
1728 1729
        for (k = 0; k < clienthello.compressions_len; k++) {
            if (clienthello.compressions[k] == comp_id)
1730 1731
                break;
        }
1732
        if (k >= clienthello.compressions_len) {
1733
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1734
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
F
FdaSilvaYY 已提交
1735
                   SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
1736 1737 1738 1739 1740
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1741
        /* See if we have a match */
M
Matt Caswell 已提交
1742 1743
        int m, nn, v, done = 0;
        unsigned int o;
1744 1745 1746 1747 1748

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1749 1750
            for (o = 0; o < clienthello.compressions_len; o++) {
                if (v == clienthello.compressions[o]) {
1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1763
#else
1764 1765 1766 1767 1768
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
M
Matt Caswell 已提交
1769
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1770 1771
        goto f_err;
    }
1772
#endif
1773

1774 1775 1776
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1777

1778
    if (!s->hit) {
1779
#ifdef OPENSSL_NO_COMP
1780
        s->session->compress_meth = 0;
1781
#else
1782
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1783
#endif
R
Rich Salz 已提交
1784
        sk_SSL_CIPHER_free(s->session->ciphers);
1785 1786
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1787
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1788
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1789 1790 1791 1792
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
M
Matt Caswell 已提交
1793
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1794 1795
            goto err;
        }
M
Matt Caswell 已提交
1796 1797 1798
    }

    sk_SSL_CIPHER_free(ciphers);
1799
    OPENSSL_free(clienthello.pre_proc_exts);
M
Matt Caswell 已提交
1800 1801 1802 1803
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1804
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1805 1806

    sk_SSL_CIPHER_free(ciphers);
1807
    OPENSSL_free(clienthello.pre_proc_exts);
M
Matt Caswell 已提交
1808

M
Matt Caswell 已提交
1809
    return MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
1810 1811
}

1812 1813
/*
 * Call the status request callback if needed. Upon success, returns 1.
1814
 * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert.
1815 1816 1817
 */
static int tls_handle_status_request(SSL *s, int *al)
{
R
Rich Salz 已提交
1818
    s->ext.status_expected = 0;
1819 1820 1821 1822 1823 1824 1825

    /*
     * If status request then ask callback what to do. Note: this must be
     * called after servername callbacks in case the certificate has changed,
     * and must be called after the cipher has been chosen because this may
     * influence which certificate is sent
     */
R
Rich Salz 已提交
1826 1827
    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
            && s->ctx->ext.status_cb != NULL) {
1828
        int ret;
1829

1830
        /* If no certificate can't return certificate status */
1831
        if (s->s3->tmp.cert != NULL) {
1832 1833 1834 1835
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
1836
            s->cert->key = s->s3->tmp.cert;
R
Rich Salz 已提交
1837
            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
1838 1839 1840
            switch (ret) {
                /* We don't want to send a status request response */
            case SSL_TLSEXT_ERR_NOACK:
R
Rich Salz 已提交
1841
                s->ext.status_expected = 0;
1842 1843 1844
                break;
                /* status request response should be sent */
            case SSL_TLSEXT_ERR_OK:
R
Rich Salz 已提交
1845 1846
                if (s->ext.ocsp.resp)
                    s->ext.status_expected = 1;
1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859
                break;
                /* something bad happened */
            case SSL_TLSEXT_ERR_ALERT_FATAL:
            default:
                *al = SSL_AD_INTERNAL_ERROR;
                return 0;
            }
        }
    }

    return 1;
}

M
Matt Caswell 已提交
1860
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1861
{
M
Matt Caswell 已提交
1862
    int al = SSL_AD_HANDSHAKE_FAILURE;
1863
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
1864 1865 1866 1867 1868 1869 1870 1871

    if (wst == WORK_MORE_A) {
        if (!s->hit) {
            /* Let cert callback update server certificates if required */
            if (s->cert->cert_cb) {
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
1872 1873
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CERT_CB_ERROR);
M
Matt Caswell 已提交
1874 1875 1876 1877 1878 1879 1880
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_A;
                }
                s->rwstate = SSL_NOTHING;
1881
            }
E
Emilia Kasper 已提交
1882 1883
            cipher =
                ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
M
Matt Caswell 已提交
1884 1885

            if (cipher == NULL) {
E
Emilia Kasper 已提交
1886 1887
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_NO_SHARED_CIPHER);
M
Matt Caswell 已提交
1888
                goto f_err;
1889
            }
M
Matt Caswell 已提交
1890
            s->s3->tmp.new_cipher = cipher;
1891
            if (!tls_choose_sigalg(s, &al))
1892
                goto f_err;
M
Matt Caswell 已提交
1893 1894
            /* check whether we should disable session resumption */
            if (s->not_resumable_session_cb != NULL)
1895 1896 1897 1898
                s->session->not_resumable =
                    s->not_resumable_session_cb(s, ((cipher->algorithm_mkey
                                                    & (SSL_kDHE | SSL_kECDHE))
                                                   != 0));
M
Matt Caswell 已提交
1899 1900
            if (s->session->not_resumable)
                /* do not send a session ticket */
R
Rich Salz 已提交
1901
                s->ext.ticket_expected = 0;
M
Matt Caswell 已提交
1902 1903 1904
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
1905 1906
        }

M
Matt Caswell 已提交
1907 1908 1909
        /*-
         * we now have the following setup.
         * client_random
1910 1911
         * cipher_list          - our preferred list of ciphers
         * ciphers              - the clients preferred list of ciphers
M
Matt Caswell 已提交
1912 1913 1914 1915 1916 1917
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
1918

1919 1920 1921 1922 1923 1924 1925 1926
        /*
         * Call status_request callback if needed. Has to be done after the
         * certificate callbacks etc above.
         */
        if (!tls_handle_status_request(s, &al)) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                   SSL_R_CLIENTHELLO_TLSEXT);
            goto f_err;
M
Matt Caswell 已提交
1927
        }
1928

M
Matt Caswell 已提交
1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947
        wst = WORK_MORE_B;
    }
#ifndef OPENSSL_NO_SRP
    if (wst == WORK_MORE_B) {
        int ret;
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_B;
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
E
Emilia Kasper 已提交
1948
                       SSL_R_CLIENTHELLO_TLSEXT);
1949 1950 1951
            else
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_PSK_IDENTITY_NOT_FOUND);
M
Matt Caswell 已提交
1952
            goto f_err;
1953 1954
        }
    }
M
Matt Caswell 已提交
1955
#endif
1956

M
Matt Caswell 已提交
1957
    return WORK_FINISHED_STOP;
1958
 f_err:
M
Matt Caswell 已提交
1959
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1960
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1961 1962 1963
    return WORK_ERROR;
}

1964
int tls_construct_server_hello(SSL *s, WPACKET *pkt)
1965
{
1966 1967
    int compm, al = SSL_AD_INTERNAL_ERROR;
    size_t sl, len;
1968
    int version;
1969

1970
    /* TODO(TLS1.3): Remove the DRAFT conditional before release */
1971 1972
    version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version;
    if (!WPACKET_put_bytes_u16(pkt, version)
1973 1974 1975 1976
               /*
                * Random stuff. Filling of the server_random takes place in
                * tls_process_client_hello()
                */
1977
            || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
1978 1979 1980
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
        goto err;
    }
1981

M
Matt Caswell 已提交
1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

    sl = s->session->session_id_length;
2004
    if (sl > sizeof(s->session->session_id)) {
M
Matt Caswell 已提交
2005
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
2006
        goto err;
M
Matt Caswell 已提交
2007
    }
2008

2009
    /* set up the compression method */
2010
#ifdef OPENSSL_NO_COMP
2011
    compm = 0;
2012
#else
M
Matt Caswell 已提交
2013
    if (s->s3->tmp.new_compression == NULL)
2014
        compm = 0;
M
Matt Caswell 已提交
2015
    else
2016
        compm = s->s3->tmp.new_compression->id;
2017
#endif
2018

2019 2020
    if ((!SSL_IS_TLS13(s)
                && !WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl))
2021
            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
2022 2023
            || (!SSL_IS_TLS13(s)
                && !WPACKET_put_bytes_u8(pkt, compm))
2024
            || !tls_construct_extensions(s, pkt,
M
Matt Caswell 已提交
2025
                                         SSL_IS_TLS13(s)
2026
                                            ? EXT_TLS1_3_SERVER_HELLO
2027 2028
                                            : EXT_TLS1_2_SERVER_HELLO,
                                         NULL, 0, &al)) {
M
Matt Caswell 已提交
2029
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
2030
        goto err;
2031
    }
2032

2033 2034 2035 2036 2037 2038
    if (!(s->verify_mode & SSL_VERIFY_PEER)
            && !ssl3_digest_cached_records(s, 0)) {
        al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }

M
Matt Caswell 已提交
2039
    return 1;
2040
 err:
2041
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
2042
    return 0;
2043
}
2044

2045
int tls_construct_server_done(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
2046 2047
{
    if (!s->s3->tmp.cert_request) {
2048 2049 2050 2051
        if (!ssl3_digest_cached_records(s, 0)) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
            return 0;
        }
M
Matt Caswell 已提交
2052 2053 2054 2055
    }
    return 1;
}

2056
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
2057
{
2058
#ifndef OPENSSL_NO_DH
2059
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
2060
#endif
2061
#ifndef OPENSSL_NO_EC
2062
    unsigned char *encodedPoint = NULL;
2063
    size_t encodedlen = 0;
2064
    int curve_id = 0;
2065
#endif
2066
    const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
2067
    int al = SSL_AD_INTERNAL_ERROR, i;
2068
    unsigned long type;
2069
    const BIGNUM *r[4];
2070
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
2071
    EVP_PKEY_CTX *pctx = NULL;
2072 2073
    size_t paramlen, paramoffset;

2074
    if (!WPACKET_get_total_written(pkt, &paramoffset)) {
2075
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2076 2077
        goto f_err;
    }
2078

2079 2080 2081 2082
    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        goto f_err;
    }
2083

M
Matt Caswell 已提交
2084 2085 2086
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    r[0] = r[1] = r[2] = r[3] = NULL;
2087
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2088 2089 2090
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
2091
#endif                          /* !OPENSSL_NO_PSK */
2092
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
2093
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
2094 2095
        CERT *cert = s->cert;

2096 2097 2098
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
2099
        if (s->cert->dh_tmp_auto) {
2100 2101 2102 2103
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
M
Matt Caswell 已提交
2104
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2105
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2106
                goto f_err;
2107
            }
2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
M
Matt Caswell 已提交
2124 2125 2126 2127 2128 2129
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
2130
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
M
Matt Caswell 已提交
2131 2132 2133 2134 2135
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
2136
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
2137 2138 2139 2140
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
2141

D
Dr. Stephen Henson 已提交
2142
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
M
Matt Caswell 已提交
2143

2144 2145
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
2146
            goto err;
M
Matt Caswell 已提交
2147
        }
2148 2149 2150 2151 2152 2153

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
2154 2155
        DH_get0_pqg(dh, &r[0], NULL, &r[1]);
        DH_get0_key(dh, &r[2], NULL);
M
Matt Caswell 已提交
2156
    } else
2157
#endif
2158
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2159
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2160
        int nid;
M
Matt Caswell 已提交
2161

D
Dr. Stephen Henson 已提交
2162
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
2163 2164 2165 2166 2167
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

2168
        /* Get NID of appropriate shared curve */
2169
        nid = tls1_shared_group(s, -2);
2170 2171
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
2172 2173 2174 2175
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
2176
        s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id);
D
Dr. Stephen Henson 已提交
2177 2178 2179
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
2180 2181 2182
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
2183
        /* Encode the public key. */
2184 2185
        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
                                                    &encodedPoint);
M
Matt Caswell 已提交
2186
        if (encodedlen == 0) {
2187
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
2188 2189
            goto err;
        }
2190

M
Matt Caswell 已提交
2191 2192 2193 2194 2195 2196 2197 2198 2199
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
2200
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
2201
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2202 2203 2204 2205 2206 2207 2208
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
2209
        }
M
Matt Caswell 已提交
2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
2222

2223 2224 2225 2226 2227 2228
    if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
        || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
        lu = NULL;
    } else if (lu == NULL) {
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
M
Matt Caswell 已提交
2229
    }
2230

2231
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2232
    if (type & SSL_PSK) {
2233 2234 2235 2236 2237 2238 2239 2240
        size_t len = (s->cert->psk_identity_hint == NULL)
                        ? 0 : strlen(s->cert->psk_identity_hint);

        /*
         * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
         * checked this when we set the identity hint - but just in case
         */
        if (len > PSK_MAX_IDENTITY_LEN
2241
                || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2242 2243 2244 2245
                                           len)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
2246
        }
M
Matt Caswell 已提交
2247
    }
2248 2249
#endif

M
Matt Caswell 已提交
2250
    for (i = 0; i < 4 && r[i] != NULL; i++) {
2251 2252 2253
        unsigned char *binval;
        int res;

B
Ben Laurie 已提交
2254
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2255
        if ((i == 2) && (type & SSL_kSRP)) {
2256
            res = WPACKET_start_sub_packet_u8(pkt);
M
Matt Caswell 已提交
2257
        } else
2258
#endif
2259
            res = WPACKET_start_sub_packet_u16(pkt);
2260 2261 2262 2263 2264 2265 2266

        if (!res) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

2267
#ifndef OPENSSL_NO_DH
E
Emilia Kasper 已提交
2268
        /*-
2269 2270 2271 2272 2273
         * for interoperability with some versions of the Microsoft TLS
         * stack, we need to zero pad the DHE pub key to the same length
         * as the prime
         */
        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2274
            size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
M
Matt Caswell 已提交
2275

2276
            if (len > 0) {
2277
                if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2278 2279 2280 2281 2282
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
                }
                memset(binval, 0, len);
2283
            }
2284
        }
B
Ben Laurie 已提交
2285
#endif
2286 2287
        if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
                || !WPACKET_close(pkt)) {
2288 2289 2290 2291 2292 2293
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

        BN_bn2bin(r[i], binval);
M
Matt Caswell 已提交
2294
    }
2295

2296
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2297 2298
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
2299 2300 2301 2302
         * We only support named (not generic) curves. In this situation, the
         * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
         * [1 byte length of encoded point], followed by the actual encoded
         * point itself
M
Matt Caswell 已提交
2303
         */
2304 2305 2306 2307
        if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
                || !WPACKET_put_bytes_u8(pkt, 0)
                || !WPACKET_put_bytes_u8(pkt, curve_id)
                || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2308 2309 2310 2311
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
M
Matt Caswell 已提交
2312 2313 2314
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
    }
B
Bodo Möller 已提交
2315 2316
#endif

M
Matt Caswell 已提交
2317
    /* not anonymous */
2318
    if (lu != NULL) {
2319
        EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330
        const EVP_MD *md = ssl_md(lu->hash_idx);
        unsigned char *sigbytes1, *sigbytes2;
        size_t siglen;

        if (pkey == NULL || md == NULL) {
            /* Should never happen */
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
M
Matt Caswell 已提交
2331 2332 2333 2334
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
2335

2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360
        /* Get length of the parameters we have written above */
        if (!WPACKET_get_length(pkt, &paramlen)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        /* send signature algorithm */
        if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg))
                return 0;
        /*
         * Create the signature. We don't know the actual length of the sig
         * until after we've created it, so we reserve enough bytes for it
         * up front, and then properly allocate them in the WPACKET
         * afterwards.
         */
        siglen = EVP_PKEY_size(pkey);
        if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
            || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        if (lu->sig == EVP_PKEY_RSA_PSS) {
            if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
                || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
2361
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2362
                       ERR_R_EVP_LIB);
2363
                goto f_err;
2364
            }
2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375
        }
        if (EVP_DigestSignUpdate(md_ctx, &(s->s3->client_random[0]),
                                 SSL3_RANDOM_SIZE) <= 0
            || EVP_DigestSignUpdate(md_ctx, &(s->s3->server_random[0]),
                                        SSL3_RANDOM_SIZE) <= 0
            || EVP_DigestSignUpdate(md_ctx,
                                        s->init_buf->data + paramoffset,
                                        paramlen) <= 0
            || EVP_DigestSignFinal(md_ctx, sigbytes1, &siglen) <= 0
            || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
            || sigbytes1 != sigbytes2) {
M
Matt Caswell 已提交
2376
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2377
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2378 2379
            goto f_err;
        }
2380 2381
    }

2382
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2383
    return 1;
2384 2385 2386
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
2387 2388 2389
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
2390
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2391
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
2392
#endif
2393
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2394
    return 0;
2395
}
2396

2397
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
2398
{
2399
    int i;
2400 2401
    STACK_OF(X509_NAME) *sk = NULL;

M
Matt Caswell 已提交
2402
    /* get the list of acceptable cert types */
2403 2404 2405
    if (!WPACKET_start_sub_packet_u8(pkt)
            || !ssl3_get_req_cert_type(s, pkt)
            || !WPACKET_close(pkt)) {
2406 2407 2408
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
2409

M
Matt Caswell 已提交
2410
    if (SSL_USE_SIGALGS(s)) {
2411
        const uint16_t *psigs;
2412
        size_t nl = tls12_get_psigalgs(s, 1, &psigs);
2413

2414 2415 2416
        if (!WPACKET_start_sub_packet_u16(pkt)
                || !tls12_copy_sigalgs(s, pkt, psigs, nl)
                || !WPACKET_close(pkt)) {
2417 2418 2419 2420
            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
M
Matt Caswell 已提交
2421
    }
2422

2423
    /* Start sub-packet for client CA list */
2424
    if (!WPACKET_start_sub_packet_u16(pkt)) {
2425 2426 2427
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
2428 2429 2430 2431

    sk = SSL_get_client_CA_list(s);
    if (sk != NULL) {
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2432 2433 2434 2435 2436 2437
            unsigned char *namebytes;
            X509_NAME *name = sk_X509_NAME_value(sk, i);
            int namelen;

            if (name == NULL
                    || (namelen = i2d_X509_NAME(name, NULL)) < 0
2438
                    || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2439 2440 2441 2442
                                                       &namebytes)
                    || i2d_X509_NAME(name, &namebytes) != namelen) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2443
                goto err;
2444 2445
            }
        }
M
Matt Caswell 已提交
2446 2447
    }
    /* else no CA names */
2448

2449
    if (!WPACKET_close(pkt)) {
M
Matt Caswell 已提交
2450 2451
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
2452
    }
2453

M
Matt Caswell 已提交
2454 2455 2456
    s->s3->tmp.cert_request = 1;

    return 1;
2457
 err:
2458
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
2459
    return 0;
2460
}
2461

2462
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
M
Matt Caswell 已提交
2463
{
2464
#ifndef OPENSSL_NO_PSK
2465 2466 2467
    unsigned char psk[PSK_MAX_PSK_LEN];
    size_t psklen;
    PACKET psk_identity;
2468

2469 2470
    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
        *al = SSL_AD_DECODE_ERROR;
2471
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
2472 2473 2474 2475
        return 0;
    }
    if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
        *al = SSL_AD_DECODE_ERROR;
2476
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
2477 2478 2479 2480
        return 0;
    }
    if (s->psk_server_callback == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
2481
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
2482 2483
        return 0;
    }
2484

2485 2486
    if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
        *al = SSL_AD_INTERNAL_ERROR;
2487
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2488 2489
        return 0;
    }
2490

2491
    psklen = s->psk_server_callback(s, s->session->psk_identity,
E
Emilia Kasper 已提交
2492
                                    psk, sizeof(psk));
2493

2494 2495
    if (psklen > PSK_MAX_PSK_LEN) {
        *al = SSL_AD_INTERNAL_ERROR;
2496
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2497 2498 2499 2500 2501 2502
        return 0;
    } else if (psklen == 0) {
        /*
         * PSK related to the given identity not found
         */
        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2503
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2504 2505 2506
               SSL_R_PSK_IDENTITY_NOT_FOUND);
        return 0;
    }
2507

2508 2509 2510
    OPENSSL_free(s->s3->tmp.psk);
    s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
    OPENSSL_cleanse(psk, psklen);
2511

2512 2513
    if (s->s3->tmp.psk == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2514
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2515
        return 0;
2516
    }
2517 2518 2519 2520 2521 2522 2523

    s->s3->tmp.psklen = psklen;

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2524
    SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2525
    return 0;
2526
#endif
2527 2528 2529 2530
}

static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
{
2531
#ifndef OPENSSL_NO_RSA
2532 2533 2534 2535 2536 2537 2538 2539 2540
    unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
    int decrypt_len;
    unsigned char decrypt_good, version_good;
    size_t j, padding_len;
    PACKET enc_premaster;
    RSA *rsa = NULL;
    unsigned char *rsa_decrypt = NULL;
    int ret = 0;

2541
    rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
2542 2543
    if (rsa == NULL) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2544
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE);
2545 2546 2547 2548 2549 2550 2551 2552 2553 2554
        return 0;
    }

    /* SSLv3 and pre-standard DTLS omit the length bytes. */
    if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
        enc_premaster = *pkt;
    } else {
        if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
            || PACKET_remaining(pkt) != 0) {
            *al = SSL_AD_DECODE_ERROR;
2555
            SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH);
2556
            return 0;
2557
        }
2558
    }
2559

2560 2561 2562 2563 2564 2565 2566 2567
    /*
     * We want to be sure that the plaintext buffer size makes it safe to
     * iterate over the entire size of a premaster secret
     * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
     * their ciphertext cannot accommodate a premaster secret anyway.
     */
    if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_INTERNAL_ERROR;
2568
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
2569 2570
        return 0;
    }
2571

2572 2573 2574
    rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
    if (rsa_decrypt == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2575
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE);
2576 2577
        return 0;
    }
2578

2579 2580 2581 2582 2583 2584 2585
    /*
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). The code follows that advice of the TLS RFC and
     * generates a random premaster secret for the case that the decrypt
     * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
     */
2586

E
Emilia Kasper 已提交
2587
    if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
2588
        goto err;
2589

2590 2591 2592 2593
    /*
     * Decrypt with no padding. PKCS#1 padding will be removed as part of
     * the timing-sensitive code below.
     */
2594 2595 2596 2597
     /* TODO(size_t): Convert this function */
    decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
                                           PACKET_data(&enc_premaster),
                                           rsa_decrypt, rsa, RSA_NO_PADDING);
2598 2599
    if (decrypt_len < 0)
        goto err;
2600

2601
    /* Check the padding. See RFC 3447, section 7.2.2. */
2602

2603 2604 2605 2606 2607 2608 2609
    /*
     * The smallest padded premaster is 11 bytes of overhead. Small keys
     * are publicly invalid, so this may return immediately. This ensures
     * PS is at least 8 bytes.
     */
    if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_DECRYPT_ERROR;
2610
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED);
2611 2612
        goto err;
    }
2613

2614 2615
    padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
    decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
E
Emilia Kasper 已提交
2616
        constant_time_eq_int_8(rsa_decrypt[1], 2);
2617 2618 2619 2620
    for (j = 2; j < padding_len - 1; j++) {
        decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
    }
    decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
2621

2622 2623 2624 2625 2626 2627 2628 2629 2630 2631 2632 2633 2634 2635
    /*
     * If the version in the decrypted pre-master secret is correct then
     * version_good will be 0xff, otherwise it'll be zero. The
     * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
     * (http://eprint.iacr.org/2003/052/) exploits the version number
     * check as a "bad version oracle". Thus version checks are done in
     * constant time and are treated like any other decryption error.
     */
    version_good =
        constant_time_eq_8(rsa_decrypt[padding_len],
                           (unsigned)(s->client_version >> 8));
    version_good &=
        constant_time_eq_8(rsa_decrypt[padding_len + 1],
                           (unsigned)(s->client_version & 0xff));
2636

2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650
    /*
     * The premaster secret must contain the same version number as the
     * ClientHello to detect version rollback attacks (strangely, the
     * protocol does not offer such protection for DH ciphersuites).
     * However, buggy clients exist that send the negotiated protocol
     * version instead if the server does not support the requested
     * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
     * clients.
     */
    if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
        unsigned char workaround_good;
        workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
                                             (unsigned)(s->version >> 8));
        workaround_good &=
2651
            constant_time_eq_8(rsa_decrypt[padding_len + 1],
2652 2653 2654
                               (unsigned)(s->version & 0xff));
        version_good |= workaround_good;
    }
2655

2656 2657 2658 2659 2660
    /*
     * Both decryption and version must be good for decrypt_good to
     * remain non-zero (0xff).
     */
    decrypt_good &= version_good;
2661

2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673
    /*
     * Now copy rand_premaster_secret over from p using
     * decrypt_good_mask. If decryption failed, then p does not
     * contain valid plaintext, however, a check above guarantees
     * it is still sufficiently large to read from.
     */
    for (j = 0; j < sizeof(rand_premaster_secret); j++) {
        rsa_decrypt[padding_len + j] =
            constant_time_select_8(decrypt_good,
                                   rsa_decrypt[padding_len + j],
                                   rand_premaster_secret[j]);
    }
2674

2675 2676 2677
    if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
                                    sizeof(rand_premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
2678
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2679 2680
        goto err;
    }
2681

2682 2683 2684 2685 2686 2687 2688
    ret = 1;
 err:
    OPENSSL_free(rsa_decrypt);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2689
    SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2690 2691 2692 2693
    return 0;
#endif
}

2694 2695 2696 2697 2698 2699 2700 2701 2702 2703 2704
static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_DH
    EVP_PKEY *skey = NULL;
    DH *cdh;
    unsigned int i;
    BIGNUM *pub_key;
    const unsigned char *data;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

D
Dr. Stephen Henson 已提交
2705
    if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
2706
        *al = SSL_AD_HANDSHAKE_FAILURE;
2707
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE,
2708 2709 2710 2711 2712 2713
               SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
        goto err;
    }
    skey = s->s3->tmp.pkey;
    if (skey == NULL) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2714
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2715 2716 2717 2718 2719
        goto err;
    }

    if (PACKET_remaining(pkt) == 0L) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2720
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2721 2722 2723 2724 2725
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, i)) {
        /* We already checked we have enough data */
        *al = SSL_AD_INTERNAL_ERROR;
2726
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2727 2728 2729 2730
        goto err;
    }
    ckey = EVP_PKEY_new();
    if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
2731
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
2732 2733 2734 2735 2736 2737
        goto err;
    }
    cdh = EVP_PKEY_get0_DH(ckey);
    pub_key = BN_bin2bn(data, i, NULL);

    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
2738
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2739 2740 2741 2742 2743
        if (pub_key != NULL)
            BN_free(pub_key);
        goto err;
    }

2744
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2745
        *al = SSL_AD_INTERNAL_ERROR;
2746
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2759
    SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2760 2761 2762 2763
    return 0;
#endif
}

2764 2765 2766 2767 2768 2769 2770 2771 2772 2773
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *skey = s->s3->tmp.pkey;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

    if (PACKET_remaining(pkt) == 0L) {
        /* We don't support ECDH client auth */
        *al = SSL_AD_HANDSHAKE_FAILURE;
2774
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY);
2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785
        goto err;
    } else {
        unsigned int i;
        const unsigned char *data;

        /*
         * Get client's public key from encoded point in the
         * ClientKeyExchange message.
         */

        /* Get encoded point length */
D
Dr. Stephen Henson 已提交
2786 2787
        if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
            || PACKET_remaining(pkt) != 0) {
2788
            *al = SSL_AD_DECODE_ERROR;
2789
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH);
2790 2791 2792 2793
            goto err;
        }
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
2794
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB);
2795 2796
            goto err;
        }
2797
        if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
D
Dr. Stephen Henson 已提交
2798
            *al = SSL_AD_HANDSHAKE_FAILURE;
2799
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB);
2800 2801 2802 2803
            goto err;
        }
    }

2804
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2805
        *al = SSL_AD_INTERNAL_ERROR;
2806
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2807 2808 2809 2810 2811 2812 2813 2814 2815 2816 2817 2818 2819
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);

    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2820
    SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2821 2822 2823 2824
    return 0;
#endif
}

2825 2826 2827 2828 2829 2830 2831
static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_SRP
    unsigned int i;
    const unsigned char *data;

    if (!PACKET_get_net_2(pkt, &i)
E
Emilia Kasper 已提交
2832
        || !PACKET_get_bytes(pkt, &data, i)) {
2833
        *al = SSL_AD_DECODE_ERROR;
2834
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
2835 2836 2837
        return 0;
    }
    if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
2838
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
2839 2840
        return 0;
    }
E
Emilia Kasper 已提交
2841
    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
2842
        *al = SSL_AD_ILLEGAL_PARAMETER;
2843
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
2844 2845 2846 2847 2848
        return 0;
    }
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
2849
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE);
2850 2851 2852 2853
        return 0;
    }

    if (!srp_generate_server_master_secret(s)) {
2854
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2855 2856 2857 2858 2859 2860 2861
        return 0;
    }

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2862
    SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2863 2864 2865 2866 2867 2868 2869 2870 2871 2872 2873 2874 2875 2876 2877
    return 0;
#endif
}

static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_GOST
    EVP_PKEY_CTX *pkey_ctx;
    EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
    unsigned char premaster_secret[32];
    const unsigned char *start;
    size_t outlen = 32, inlen;
    unsigned long alg_a;
    int Ttag, Tclass;
    long Tlen;
2878
    size_t sess_key_len;
2879 2880 2881 2882 2883 2884 2885 2886 2887 2888 2889 2890 2891 2892 2893 2894 2895 2896 2897 2898 2899 2900 2901
    const unsigned char *data;
    int ret = 0;

    /* Get our certificate private key */
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
    if (alg_a & SSL_aGOST12) {
        /*
         * New GOST ciphersuites have SSL_aGOST01 bit too
         */
        pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
        }
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
        }
    } else if (alg_a & SSL_aGOST01) {
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

    pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
    if (pkey_ctx == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2902
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE);
2903 2904 2905 2906
        return 0;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
        *al = SSL_AD_INTERNAL_ERROR;
2907
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2908 2909 2910 2911 2912 2913 2914 2915 2916 2917 2918 2919 2920 2921 2922 2923 2924
        return 0;
    }
    /*
     * If client certificate is present and is of the same type, maybe
     * use it for key exchange.  Don't mind errors from
     * EVP_PKEY_derive_set_peer, because it is completely valid to use a
     * client certificate for authorization only.
     */
    client_pub_pkey = X509_get0_pubkey(s->session->peer);
    if (client_pub_pkey) {
        if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
            ERR_clear_error();
    }
    /* Decrypt session key */
    sess_key_len = PACKET_remaining(pkt);
    if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
        *al = SSL_AD_INTERNAL_ERROR;
2925
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2926 2927
        goto err;
    }
2928
    /* TODO(size_t): Convert this function */
E
Emilia Kasper 已提交
2929
    if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
2930
                        &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
E
Emilia Kasper 已提交
2931
        || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
2932
        *al = SSL_AD_DECODE_ERROR;
2933
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
2934 2935 2936 2937 2938 2939 2940
        goto err;
    }
    start = data;
    inlen = Tlen;
    if (EVP_PKEY_decrypt
        (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
        *al = SSL_AD_DECODE_ERROR;
2941
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
2942 2943 2944 2945 2946 2947
        goto err;
    }
    /* Generate master secret */
    if (!ssl_generate_master_secret(s, premaster_secret,
                                    sizeof(premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
2948
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2949 2950 2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962
        goto err;
    }
    /* Check if pubkey from client certificate was used */
    if (EVP_PKEY_CTX_ctrl
        (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
        s->statem.no_cert_verify = 1;

    ret = 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2963
    SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2964 2965 2966 2967
    return 0;
#endif
}

2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    int al = -1;
    unsigned long alg_k;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* For PSK parse and retrieve identity, obtain PSK key */
    if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al))
        goto err;

    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
            al = SSL_AD_HANDSHAKE_FAILURE;
E
Emilia Kasper 已提交
2983 2984
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_LENGTH_MISMATCH);
2985
            goto err;
2986 2987 2988
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
M
Matt Caswell 已提交
2989
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2990
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2991
            goto err;
M
Matt Caswell 已提交
2992
        }
2993 2994 2995
    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
        if (!tls_process_cke_rsa(s, pkt, &al))
            goto err;
2996 2997
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
        if (!tls_process_cke_dhe(s, pkt, &al))
2998
            goto err;
2999 3000 3001
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        if (!tls_process_cke_ecdhe(s, pkt, &al))
            goto err;
3002 3003
    } else if (alg_k & SSL_kSRP) {
        if (!tls_process_cke_srp(s, pkt, &al))
3004
            goto err;
3005 3006
    } else if (alg_k & SSL_kGOST) {
        if (!tls_process_cke_gost(s, pkt, &al))
3007
            goto err;
3008
    } else {
3009
        al = SSL_AD_HANDSHAKE_FAILURE;
E
Emilia Kasper 已提交
3010 3011
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
               SSL_R_UNKNOWN_CIPHER_TYPE);
3012
        goto err;
3013 3014
    }

M
Matt Caswell 已提交
3015
    return MSG_PROCESS_CONTINUE_PROCESSING;
3016
 err:
3017 3018
    if (al != -1)
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
3019 3020 3021
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
3022
#endif
M
Matt Caswell 已提交
3023
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3024
    return MSG_PROCESS_ERROR;
3025
}
3026

M
Matt Caswell 已提交
3027
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
3028 3029
{
#ifndef OPENSSL_NO_SCTP
3030 3031 3032 3033 3034 3035 3036 3037
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
3038 3039
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
3040 3041

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
3042 3043 3044
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
3045
                ossl_statem_set_error(s);
F
FdaSilvaYY 已提交
3046
                return WORK_ERROR;
3047
            }
3048

3049 3050
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
3051
        }
3052 3053
        wst = WORK_MORE_B;
    }
3054

3055
    if ((wst == WORK_MORE_B)
E
Emilia Kasper 已提交
3056 3057 3058 3059 3060 3061 3062
        /* Is this SCTP? */
        && BIO_dgram_is_sctp(SSL_get_wbio(s))
        /* Are we renegotiating? */
        && s->renegotiate
        /* Are we going to skip the CertificateVerify? */
        && (s->session->peer == NULL || s->statem.no_cert_verify)
        && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
3063 3064 3065 3066
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
3067
        ossl_statem_set_sctp_read_sock(s, 1);
3068 3069
        return WORK_MORE_B;
    } else {
M
Matt Caswell 已提交
3070
        ossl_statem_set_sctp_read_sock(s, 0);
3071 3072 3073
    }
#endif

3074
    if (s->statem.no_cert_verify || !s->session->peer) {
E
Emilia Kasper 已提交
3075 3076 3077
        /*
         * No certificate verify or no peer certificate so we no longer need
         * the handshake_buffer
3078 3079 3080 3081 3082
         */
        if (!ssl3_digest_cached_records(s, 0)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
3083
        return WORK_FINISHED_CONTINUE;
3084
    } else {
3085 3086 3087
        if (!s->s3->handshake_buffer) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3088
            ossl_statem_set_error(s);
3089 3090 3091 3092 3093 3094 3095
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
M
Matt Caswell 已提交
3096
            ossl_statem_set_error(s);
3097 3098 3099 3100 3101 3102 3103
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
3104
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3105
{
M
Matt Caswell 已提交
3106
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3107 3108
    X509 *x = NULL;
    unsigned long l, llen;
E
Emilia Kasper 已提交
3109
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
3110
    STACK_OF(X509) *sk = NULL;
3111
    PACKET spkt, context;
3112
    size_t chainidx;
3113 3114

    if ((sk = sk_X509_new_null()) == NULL) {
M
Matt Caswell 已提交
3115 3116
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
3117 3118
    }

3119 3120 3121 3122 3123
    /* TODO(TLS1.3): For now we ignore the context. We need to verify this */
    if ((SSL_IS_TLS13(s) && !PACKET_get_length_prefixed_1(pkt, &context))
            || !PACKET_get_net_3(pkt, &llen)
            || !PACKET_get_sub_packet(pkt, &spkt, llen)
            || PACKET_remaining(pkt) != 0) {
3124
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3125
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3126 3127
        goto f_err;
    }
3128

3129
    for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
3130
        if (!PACKET_get_net_3(&spkt, &l)
E
Emilia Kasper 已提交
3131
            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3132
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3133
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3134 3135 3136 3137
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

3138 3139
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3140
        if (x == NULL) {
M
Matt Caswell 已提交
3141 3142
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
3143
        }
3144
        if (certbytes != (certstart + l)) {
3145
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3146
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3147 3148 3149
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
3150 3151 3152 3153 3154 3155 3156 3157 3158 3159 3160

        if (SSL_IS_TLS13(s)) {
            RAW_EXTENSION *rawexts = NULL;
            PACKET extensions;

            if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH);
                goto f_err;
            }
            if (!tls_collect_extensions(s, &extensions, EXT_TLS1_3_CERTIFICATE,
3161
                                        &rawexts, &al, NULL)
3162
                    || !tls_parse_all_extensions(s, EXT_TLS1_3_CERTIFICATE,
3163 3164
                                                 rawexts, x, chainidx, &al)) {
                OPENSSL_free(rawexts);
3165
                goto f_err;
3166 3167
            }
            OPENSSL_free(rawexts);
3168 3169
        }

3170
        if (!sk_X509_push(sk, x)) {
M
Matt Caswell 已提交
3171 3172
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
3173 3174 3175 3176 3177 3178 3179 3180
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3181
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3182 3183 3184 3185 3186 3187
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
M
Matt Caswell 已提交
3188
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3189 3190 3191 3192 3193
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
3194
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3195 3196 3197 3198 3199 3200 3201
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
M
Matt Caswell 已提交
3202
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3203 3204 3205 3206
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
M
Matt Caswell 已提交
3207
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
3208 3209 3210
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
3211
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
3212 3213
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3214
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3215 3216 3217 3218 3219
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
    }

R
Rich Salz 已提交
3220
    X509_free(s->session->peer);
3221 3222 3223
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

3224 3225
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
3226 3227 3228 3229 3230

    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
     * message
     */
3231
    if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
3232 3233 3234 3235 3236
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

3237 3238
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
M
Matt Caswell 已提交
3239
     * certificate, while we do include it in statem_clnt.c
3240 3241
     */
    sk = NULL;
3242 3243 3244 3245 3246 3247 3248 3249 3250 3251 3252

    /* Save the current hash state for when we receive the CertificateVerify */
    if (SSL_IS_TLS13(s)
            && !ssl_handshake_hash(s, s->cert_verify_hash,
                                   sizeof(s->cert_verify_hash),
                                   &s->cert_verify_hash_len)) {
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

M
Matt Caswell 已提交
3253
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
3254 3255
    goto done;

3256
 f_err:
R
Rich Salz 已提交
3257
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3258
    ossl_statem_set_error(s);
R
Rich Salz 已提交
3259
 done:
R
Rich Salz 已提交
3260 3261
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
3262
    return ret;
3263
}
3264

3265
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3266
{
3267
    CERT_PKEY *cpk = s->s3->tmp.cert;
3268
    int al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3269

3270
    if (cpk == NULL) {
M
Matt Caswell 已提交
3271 3272 3273 3274
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }

3275 3276 3277 3278 3279 3280
    /*
     * In TLSv1.3 the certificate chain is always preceded by a 0 length context
     * for the server Certificate message
     */
    if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))
            || !ssl3_output_cert_chain(s, pkt, cpk, &al)) {
M
Matt Caswell 已提交
3281
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3282
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3283 3284 3285 3286 3287 3288
        return 0;
    }

    return 1;
}

3289
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3290 3291
{
    unsigned char *senc = NULL;
3292
    EVP_CIPHER_CTX *ctx = NULL;
3293
    HMAC_CTX *hctx = NULL;
3294
    unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
M
Matt Caswell 已提交
3295
    const unsigned char *const_p;
3296
    int len, slen_full, slen, lenfinal;
M
Matt Caswell 已提交
3297 3298
    SSL_SESSION *sess;
    unsigned int hlen;
3299
    SSL_CTX *tctx = s->session_ctx;
M
Matt Caswell 已提交
3300
    unsigned char iv[EVP_MAX_IV_LENGTH];
K
Kurt Roeckx 已提交
3301
    unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
3302
    int iv_len, al = SSL_AD_INTERNAL_ERROR;
3303
    size_t macoffset, macendoffset;
3304 3305 3306 3307
    union {
        unsigned char age_add_c[sizeof(uint32_t)];
        uint32_t age_add;
    } age_add_u;
M
Matt Caswell 已提交
3308

M
Matt Caswell 已提交
3309 3310 3311 3312 3313 3314
    if (SSL_IS_TLS13(s)) {
        if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
            goto err;
        s->session->ext.tick_age_add = age_add_u.age_add;
    }

M
Matt Caswell 已提交
3315 3316 3317 3318 3319 3320 3321
    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
M
Matt Caswell 已提交
3322
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3323 3324 3325
        return 0;
    }
    senc = OPENSSL_malloc(slen_full);
3326
    if (senc == NULL) {
M
Matt Caswell 已提交
3327
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3328 3329
        return 0;
    }
3330

3331
    ctx = EVP_CIPHER_CTX_new();
3332
    hctx = HMAC_CTX_new();
3333 3334 3335 3336
    if (ctx == NULL || hctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
        goto err;
    }
3337

M
Matt Caswell 已提交
3338 3339 3340
    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;
M
Matt Caswell 已提交
3341

M
Matt Caswell 已提交
3342 3343 3344 3345 3346 3347 3348 3349
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3350

M
Matt Caswell 已提交
3351 3352 3353 3354 3355 3356 3357 3358 3359 3360 3361
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3362

M
Matt Caswell 已提交
3363 3364 3365 3366
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
R
Rich Salz 已提交
3367
    if (tctx->ext.ticket_key_cb) {
T
Todd Short 已提交
3368
        /* if 0 is returned, write an empty ticket */
R
Rich Salz 已提交
3369
        int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
T
Todd Short 已提交
3370 3371 3372
                                             hctx, 1);

        if (ret == 0) {
3373 3374

            /* Put timeout and length */
3375
            if (!WPACKET_put_bytes_u32(pkt, 0)
3376
                    || !WPACKET_put_bytes_u16(pkt, 0)) {
3377 3378
                SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                       ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
3379
                goto err;
3380
            }
T
Todd Short 已提交
3381 3382 3383 3384 3385 3386
            OPENSSL_free(senc);
            EVP_CIPHER_CTX_free(ctx);
            HMAC_CTX_free(hctx);
            return 1;
        }
        if (ret < 0)
M
Matt Caswell 已提交
3387
            goto err;
K
Kurt Roeckx 已提交
3388
        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3389
    } else {
K
Kurt Roeckx 已提交
3390 3391 3392 3393
        const EVP_CIPHER *cipher = EVP_aes_256_cbc();

        iv_len = EVP_CIPHER_iv_length(cipher);
        if (RAND_bytes(iv, iv_len) <= 0)
M
Matt Caswell 已提交
3394
            goto err;
K
Kurt Roeckx 已提交
3395
        if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
R
Rich Salz 已提交
3396
                                tctx->ext.tick_aes_key, iv))
M
Matt Caswell 已提交
3397
            goto err;
R
Rich Salz 已提交
3398 3399
        if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
                          sizeof(tctx->ext.tick_hmac_key),
M
Matt Caswell 已提交
3400
                          EVP_sha256(), NULL))
3401
            goto err;
R
Rich Salz 已提交
3402 3403
        memcpy(key_name, tctx->ext.tick_key_name,
               sizeof(tctx->ext.tick_key_name));
3404 3405
    }

M
Matt Caswell 已提交
3406 3407 3408 3409 3410
    /*
     * Ticket lifetime hint (advisory only): We leave this unspecified
     * for resumed session (for simplicity), and guess that tickets for
     * new sessions will live as long as their sessions.
     */
3411
    if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout)
3412 3413
            || (SSL_IS_TLS13(s)
                && !WPACKET_put_bytes_u32(pkt, age_add_u.age_add))
3414
               /* Now the actual ticket data */
3415 3416
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_get_total_written(pkt, &macoffset)
3417
               /* Output key name */
3418
            || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3419
               /* output IV */
3420 3421
            || !WPACKET_memcpy(pkt, iv, iv_len)
            || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3422 3423 3424
                                      &encdata1)
               /* Encrypt session data */
            || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3425
            || !WPACKET_allocate_bytes(pkt, len, &encdata2)
3426 3427
            || encdata1 != encdata2
            || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
3428
            || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
3429 3430
            || encdata1 + len != encdata2
            || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
3431
            || !WPACKET_get_total_written(pkt, &macendoffset)
3432 3433 3434
            || !HMAC_Update(hctx,
                            (unsigned char *)s->init_buf->data + macoffset,
                            macendoffset - macoffset)
3435
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
3436 3437
            || !HMAC_Final(hctx, macdata1, &hlen)
            || hlen > EVP_MAX_MD_SIZE
3438
            || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
3439
            || macdata1 != macdata2
3440 3441 3442 3443 3444
            || !WPACKET_close(pkt)
            || (SSL_IS_TLS13(s)
                && !tls_construct_extensions(s, pkt,
                                             EXT_TLS1_3_NEW_SESSION_TICKET,
                                             NULL, 0, &al))) {
3445
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3446
        goto err;
3447
    }
D
Dr. Stephen Henson 已提交
3448 3449
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3450 3451 3452
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3453
 err:
R
Rich Salz 已提交
3454
    OPENSSL_free(senc);
3455
    EVP_CIPHER_CTX_free(ctx);
3456
    HMAC_CTX_free(hctx);
3457
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
3458
    return 0;
3459
}
3460

3461 3462 3463 3464 3465
/*
 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
 * create a separate message. Returns 1 on success or 0 on failure.
 */
int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3466
{
3467 3468 3469
    if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
            || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
                                       s->ext.ocsp.resp_len)) {
3470 3471 3472 3473 3474 3475 3476 3477 3478 3479
        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
    if (!tls_construct_cert_status_body(s, pkt)) {
3480 3481 3482
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
3483 3484 3485 3486

    return 1;
}

3487
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3488 3489 3490 3491
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3492
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3493
{
3494
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3495 3496
    size_t next_proto_len;

3497 3498 3499 3500 3501 3502 3503
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3504 3505 3506
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
M
Matt Caswell 已提交
3507
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
3508
        goto err;
M
Matt Caswell 已提交
3509
    }
3510

R
Rich Salz 已提交
3511 3512
    if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
        s->ext.npn_len = 0;
M
Matt Caswell 已提交
3513 3514 3515
        goto err;
    }

R
Rich Salz 已提交
3516
    s->ext.npn_len = (unsigned char)next_proto_len;
3517

M
Matt Caswell 已提交
3518
    return MSG_PROCESS_CONTINUE_READING;
E
Emilia Kasper 已提交
3519
 err:
M
Matt Caswell 已提交
3520
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3521
    return MSG_PROCESS_ERROR;
3522
}
3523
#endif
M
Matt Caswell 已提交
3524

M
Matt Caswell 已提交
3525 3526
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
M
Matt Caswell 已提交
3527 3528
    int al;

3529
    if (!tls_construct_extensions(s, pkt, EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
3530
                                  NULL, 0, &al)) {
M
Matt Caswell 已提交
3531
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3532
        SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3533
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3534 3535 3536 3537 3538 3539
        return 0;
    }

    return 1;
}

3540 3541
static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
{
3542
    int al = SSL_AD_INTERNAL_ERROR;
3543 3544 3545 3546 3547 3548 3549 3550 3551 3552 3553 3554 3555 3556 3557 3558 3559 3560 3561 3562

    /*
     * TODO(TLS1.3): Remove the DRAFT version before release
     * (should be s->version)
     */
    if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
            || !tls_construct_extensions(s, pkt, EXT_TLS1_3_HELLO_RETRY_REQUEST,
                                         NULL, 0, &al)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        return 0;
    }

    /* Ditch the session. We'll create a new one next time around */
    SSL_SESSION_free(s->session);
    s->session = NULL;
    s->hit = 0;

    return 1;
}