statem_srvr.c 105.5 KB
Newer Older
1
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 3 4 5 6
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
7
 *
8 9 10 11 12 13
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14
 *
15 16 17 18 19 20
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
21
 *
22 23 24 25 26 27 28 29 30 31 32 33 34 35
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
36
 * 4. If you include any Windows specific code (or a derivative thereof) from
37 38
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39
 *
40 41 42 43 44 45 46 47 48 49 50
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
51
 *
52 53 54 55 56
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
57
/* ====================================================================
58
 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
59 60 61 62 63 64
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
65
 *    notice, this list of conditions and the following disclaimer.
66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
B
Bodo Möller 已提交
110 111 112
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
113
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
114 115 116 117 118 119 120 121 122
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
149

150

151
#include <stdio.h>
M
Matt Caswell 已提交
152
#include "../ssl_locl.h"
M
Matt Caswell 已提交
153
#include "statem_locl.h"
154
#include "internal/constant_time_locl.h"
155 156 157 158
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
159
#include <openssl/hmac.h>
160
#include <openssl/x509.h>
N
make  
Nils Larsch 已提交
161
#ifndef OPENSSL_NO_DH
162
# include <openssl/dh.h>
N
make  
Nils Larsch 已提交
163
#endif
164
#include <openssl/bn.h>
165
#include <openssl/md5.h>
166

167 168 169 170
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                      PACKET *cipher_suites,
                                                      STACK_OF(SSL_CIPHER) **skp,
                                                      int sslv2format, int *al);
M
Matt Caswell 已提交
171

M
Matt Caswell 已提交
172 173 174 175 176 177 178 179 180 181
/*
 * server_read_transition() encapsulates the logic for the allowed handshake
 * state transitions when the server is reading messages from the client. The
 * message type that the client has sent is provided in |mt|. The current state
 * is in |s->statem.hand_state|.
 *
 *  Valid return values are:
 *  1: Success (transition allowed)
 *  0: Error (transition not allowed)
 */
182
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
183
{
M
Matt Caswell 已提交
184
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233

    switch(st->hand_state) {
    case TLS_ST_BEFORE:
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
                && (!s->s3->tmp.cert_request
                    || (!((s->verify_mode & SSL_VERIFY_PEER) &&
                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
                        && (s->version == SSL3_VERSION)))) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            } 
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
234
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
235 236
         * set.
         */
237
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
        if (s->s3->next_proto_neg_seen) {
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    default:
        break;
    }

    /* No valid transition found */
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
312
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
313 314 315 316
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
317
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
318 319 320 321 322 323
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
D
Dr. Stephen Henson 已提交
324
    if (alg_k & (SSL_kDHE|SSL_kECDHE)
M
Matt Caswell 已提交
325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
       ) {
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
354
static int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
            * during re-negotiation:
            */
           && ((s->session->peer == NULL) ||
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
           /*
            * ... except when the application insists on
            * verification (against the specs, but s3_clnt.c accepts
            * this for SSL 3)
            */
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
383
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
384 385 386 387 388 389 390 391 392 393
        return 1;
    }

    return 0;
}

/*
 * server_write_transition() works out what handshake state to move to next
 * when the server is writing messages to be sent to the client.
 */
394
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
395
{
M
Matt Caswell 已提交
396
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
397 398 399 400 401 402 403 404 405 406 407 408 409

    switch(st->hand_state) {
        case TLS_ST_BEFORE:
            /* Just go straight to trying to read from the client */;
            return WRITE_TRAN_FINISHED;

        case TLS_ST_OK:
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_HELLO_REQ:
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
410
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SR_CLNT_HELLO:
            if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
                    && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
                st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
            else
                st->hand_state = TLS_ST_SW_SRVR_HELLO;
            return WRITE_TRAN_CONTINUE;

        case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SW_SRVR_HELLO:
            if (s->hit) {
                if (s->tlsext_ticket_expected)
                    st->hand_state = TLS_ST_SW_SESSION_TICKET;
                else
                    st->hand_state = TLS_ST_SW_CHANGE;
            } else {
                /* Check if it is anon DH or anon ECDH, */
                /* normal PSK or SRP */
                if (!(s->s3->tmp.new_cipher->algorithm_auth &
                     (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
                    st->hand_state = TLS_ST_SW_CERT;
                } else if (send_server_key_exchange(s)) {
                    st->hand_state = TLS_ST_SW_KEY_EXCH;
                } else if (send_certificate_request(s)) {
                    st->hand_state = TLS_ST_SW_CERT_REQ;
                } else {
                    st->hand_state = TLS_ST_SW_SRVR_DONE;
                }
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CERT:
            if (s->tlsext_status_expected) {
                st->hand_state = TLS_ST_SW_CERT_STATUS;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_STATUS:
            if (send_server_key_exchange(s)) {
                st->hand_state = TLS_ST_SW_KEY_EXCH;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_KEY_EXCH:
            if (send_certificate_request(s)) {
                st->hand_state = TLS_ST_SW_CERT_REQ;
                return WRITE_TRAN_CONTINUE;
            }
            /* Fall through */

        case TLS_ST_SW_CERT_REQ:
            st->hand_state = TLS_ST_SW_SRVR_DONE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SRVR_DONE:
            return WRITE_TRAN_FINISHED;

        case TLS_ST_SR_FINISHED:
            if (s->hit) {
                st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
477
                ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498
                return WRITE_TRAN_CONTINUE;
            } else if (s->tlsext_ticket_expected) {
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            } else {
                st->hand_state = TLS_ST_SW_CHANGE;
            }
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_SESSION_TICKET:
            st->hand_state = TLS_ST_SW_CHANGE;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_CHANGE:
            st->hand_state = TLS_ST_SW_FINISHED;
            return WRITE_TRAN_CONTINUE;

        case TLS_ST_SW_FINISHED:
            if (s->hit) {
                return WRITE_TRAN_FINISHED;
            }
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
499
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
500 501 502 503 504 505 506 507 508 509 510 511
            return WRITE_TRAN_CONTINUE;

        default:
            /* Shouldn't happen */
            return WRITE_TRAN_ERROR;
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
512
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
513
{
M
Matt Caswell 已提交
514
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561

    switch(st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
            dtls1_clear_record_buffer(s);
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
            dtls1_clear_record_buffer(s);
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
             * Messages we write from now on should be bufferred and
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
M
Matt Caswell 已提交
562
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_OK:
        return tls_finish_handshake(s, wst);

    default:
        /* No pre work to be done */
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
591
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
592
{
M
Matt Caswell 已提交
593
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626

    s->init_num = 0;

    switch(st->hand_state) {
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        ssl3_init_finished_mac(s);
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
        if (s->version != DTLS1_BAD_VER)
            ssl3_init_finished_mac(s);
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
627 628
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
629 630 631 632

            if (SSL_export_keying_material(s, sctpauthkey,
                    sizeof(sctpauthkey), labelbuffer,
                    sizeof(labelbuffer), NULL, 0, 0) <= 0) {
M
Matt Caswell 已提交
633
                ossl_statem_set_error(s);
M
Matt Caswell 已提交
634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
M
Matt Caswell 已提交
656
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        break;

    default:
        /* No post work to be done */
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Construct a message to be sent from the server to the client.
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
699
int ossl_statem_server_construct_message(SSL *s)
M
Matt Caswell 已提交
700
{
M
Matt Caswell 已提交
701
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758

    switch(st->hand_state) {
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return dtls_construct_hello_verify_request(s);

    case TLS_ST_SW_HELLO_REQ:
        return tls_construct_hello_request(s);

    case TLS_ST_SW_SRVR_HELLO:
        return tls_construct_server_hello(s);

    case TLS_ST_SW_CERT:
        return tls_construct_server_certificate(s);

    case TLS_ST_SW_KEY_EXCH:
        return tls_construct_server_key_exchange(s);

    case TLS_ST_SW_CERT_REQ:
        return tls_construct_certificate_request(s);

    case TLS_ST_SW_SRVR_DONE:
        return tls_construct_server_done(s);

    case TLS_ST_SW_SESSION_TICKET:
        return tls_construct_new_session_ticket(s);

    case TLS_ST_SW_CERT_STATUS:
        return tls_construct_cert_status(s);

    case TLS_ST_SW_CHANGE:
        if (SSL_IS_DTLS(s))
            return dtls_construct_change_cipher_spec(s);
        else
            return tls_construct_change_cipher_spec(s);

    case TLS_ST_SW_FINISHED:
        return tls_construct_finished(s,
                                      s->method->
                                      ssl3_enc->server_finished_label,
                                      s->method->
                                      ssl3_enc->server_finished_label_len);

    default:
        /* Shouldn't happen */
        break;
    }

    return 0;
}

#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
759
unsigned long ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
760
{
M
Matt Caswell 已提交
761
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return SSL3_RT_MAX_PLAIN_LENGTH;

    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;

    default:
        /* Shouldn't happen */
        break;
    }

    return 0;
}

/*
 * Process a message that the server has received from the client.
 */
798
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
799
{
M
Matt Caswell 已提交
800
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);

    default:
        /* Shouldn't happen */
        break;
    }

    return MSG_PROCESS_ERROR;
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
838
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
839
{
M
Matt Caswell 已提交
840
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859

    switch(st->hand_state) {
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);

    case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
        if (    /* Is this SCTP? */
                BIO_dgram_is_sctp(SSL_get_wbio(s))
                /* Are we renegotiating? */
                && s->renegotiate
                && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
            s->s3->in_read_app_data = 2;
            s->rwstate = SSL_READING;
            BIO_clear_retry_flags(SSL_get_rbio(s));
            BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
860
            ossl_statem_set_sctp_read_sock(s, 1);
M
Matt Caswell 已提交
861 862
            return WORK_MORE_A;
        } else {
M
Matt Caswell 已提交
863
            ossl_statem_set_sctp_read_sock(s, 0);
M
Matt Caswell 已提交
864 865 866 867 868 869 870 871 872 873 874 875
        }
#endif
        return WORK_FINISHED_CONTINUE;

    default:
        break;
    }

    /* Shouldn't happen */
    return WORK_ERROR;
}

B
Ben Laurie 已提交
876
#ifndef OPENSSL_NO_SRP
877
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
898 899
#endif

M
Matt Caswell 已提交
900 901 902 903
int tls_construct_hello_request(SSL *s)
{
    if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
904
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
905 906 907 908 909 910
        return 0;
    }

    return 1;
}

M
Matt Caswell 已提交
911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941
unsigned int dtls_raw_hello_verify_request(unsigned char *buf,
                                            unsigned char *cookie,
                                            unsigned char cookie_len)
{
    unsigned int msg_len;
    unsigned char *p;

    p = buf;
    /* Always use DTLS 1.0 version: see RFC 6347 */
    *(p++) = DTLS1_VERSION >> 8;
    *(p++) = DTLS1_VERSION & 0xFF;

    *(p++) = (unsigned char)cookie_len;
    memcpy(p, cookie, cookie_len);
    p += cookie_len;
    msg_len = p - buf;

    return msg_len;
}

int dtls_construct_hello_verify_request(SSL *s)
{
    unsigned int len;
    unsigned char *buf;

    buf = (unsigned char *)s->init_buf->data;

    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
                                  &(s->d1->cookie_len)) == 0 ||
        s->d1->cookie_len > 255) {
M
Matt Caswell 已提交
942
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
M
Matt Caswell 已提交
943
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
M
Matt Caswell 已提交
944
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961
        return 0;
    }

    len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
                                         s->d1->cookie, s->d1->cookie_len);

    dtls1_set_message_header(s, buf, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
                             len);
    len += DTLS1_HM_HEADER_LENGTH;

    /* number of bytes to write */
    s->init_num = len;
    s->init_off = 0;

    return 1;
}

M
Matt Caswell 已提交
962
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
963 964 965 966
{
    int i, al = SSL_AD_INTERNAL_ERROR;
    unsigned int j, complen = 0;
    unsigned long id;
967
    const SSL_CIPHER *c;
M
Matt Caswell 已提交
968 969 970 971
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
972
    int protverr;
M
Matt Caswell 已提交
973
    /* |cookie| will only be initialized for DTLS. */
974
    PACKET session_id, cipher_suites, compression, extensions, cookie;
M
Matt Caswell 已提交
975 976
    int is_v2_record;

977 978
    is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer);

E
Emilia Kasper 已提交
979
    PACKET_null_init(&cookie);
980
    /* First lets get s->client_version set correctly */
981
    if (is_v2_record) {
M
Matt Caswell 已提交
982 983
        unsigned int version;
        unsigned int mt;
984 985 986 987 988 989 990 991 992 993 994 995 996 997 998
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

999
        if (!PACKET_get_1(pkt, &mt)
M
Matt Caswell 已提交
1000
                || mt != SSL2_MT_CLIENT_HELLO) {
1001 1002 1003 1004 1005
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
1006
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1007
            goto err;
1008 1009
        }

1010
        if (!PACKET_get_net_2(pkt, &version)) {
M
Matt Caswell 已提交
1011
            /* No protocol version supplied! */
M
Matt Caswell 已提交
1012
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
M
Matt Caswell 已提交
1013 1014 1015
            goto err;
        }
        if (version == 0x0002) {
1016
            /* This is real SSLv2. We don't support it. */
M
Matt Caswell 已提交
1017
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1018
            goto err;
M
Matt Caswell 已提交
1019
        } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
1020
            /* SSLv3/TLS */
M
Matt Caswell 已提交
1021
            s->client_version = version;
1022 1023
        } else {
            /* No idea what protocol this is */
M
Matt Caswell 已提交
1024
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1025 1026 1027 1028
            goto err;
        }
    } else {
        /*
M
Matt Caswell 已提交
1029 1030
         * use version from inside client hello, not from record header (may
         * differ: see RFC 2246, Appendix E, second paragraph)
1031
         */
1032
        if(!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
1033
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1034
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
1035 1036
            goto f_err;
        }
1037 1038
    }

1039 1040 1041 1042
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
1043
    if (!SSL_IS_DTLS(s)) {
1044 1045 1046 1047 1048
        protverr = ssl_choose_server_version(s);
    } else if (s->method->version != DTLS_ANY_VERSION &&
               DTLS_VERSION_LT(s->client_version, s->version)) {
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
1049 1050 1051 1052
        protverr = 0;
    }

    if (protverr) {
1053
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
1054
        if ((!s->enc_write_ctx && !s->write_hash)) {
1055 1056 1057 1058 1059 1060 1061 1062 1063 1064
            /*
             * similar to ssl3_get_record, send alert using remote version
             * number
             */
            s->version = s->client_version;
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
    }

1065 1066
    /* Parse the message and load client random. */
    if (is_v2_record) {
1067 1068 1069 1070 1071
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
         * Real SSLv2 is not supported, and is rejected above.
         */
1072
        unsigned int cipher_len, session_id_len, challenge_len;
1073
        PACKET challenge;
1074

1075 1076 1077
        if (!PACKET_get_net_2(pkt, &cipher_len)
                || !PACKET_get_net_2(pkt, &session_id_len)
                || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
1078 1079
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1080 1081
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1082
        }
1083

1084 1085 1086 1087 1088 1089
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1090 1091 1092
        if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
            || !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1093
            /* No extensions. */
1094
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1095 1096
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1097 1098 1099 1100
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }

1101
        /* Load the client random */
1102 1103
        challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
            challenge_len;
1104
        memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
1105 1106 1107
        if (!PACKET_copy_bytes(&challenge,
                               s->s3->client_random + SSL3_RANDOM_SIZE -
                               challenge_len, challenge_len)) {
M
Matt Caswell 已提交
1108
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1109
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1110 1111
            goto f_err;
        }
1112 1113 1114

        PACKET_null_init(&compression);
        PACKET_null_init(&extensions);
1115
    } else {
1116
        /* Regular ClientHello. */
1117 1118
        if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
            || !PACKET_get_length_prefixed_1(pkt, &session_id)) {
M
Matt Caswell 已提交
1119
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1120
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1121 1122
            goto f_err;
        }
1123

1124 1125 1126 1127 1128 1129
        if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1130
        if (SSL_IS_DTLS(s)) {
1131
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1132
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1133
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1134 1135
                goto f_err;
            }
1136 1137 1138 1139 1140 1141 1142
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
                if (PACKET_remaining(&cookie) == 0)
1143
                return 1;
1144
            }
1145
        }
1146

1147 1148
        if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
            || !PACKET_get_length_prefixed_1(pkt, &compression)) {
1149
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1150
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1151 1152 1153
                goto f_err;
        }
        /* Could be empty. */
1154
        extensions = *pkt;
1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181
    }

    s->hit = 0;

    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
    if (is_v2_record ||
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
        i = ssl_get_prev_session(s, &extensions, &session_id);
1182
        /*
1183 1184 1185 1186 1187 1188 1189
         * Only resume if the session's version matches the negotiated
         * version.
         * RFC 5246 does not provide much useful advice on resumption
         * with a different protocol version. It doesn't forbid it but
         * the sanity of such behaviour would be questionable.
         * In practice, clients do not accept a version mismatch and
         * will abort the handshake with an error.
1190
         */
1191 1192 1193 1194 1195
        if (i == 1 && s->version == s->session->ssl_version) {
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
            goto err;
1196
        } else {
1197 1198
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1199
                goto err;
1200
        }
1201
    }
1202

1203
    if (SSL_IS_DTLS(s)) {
M
Matt Caswell 已提交
1204
        /* Empty cookie was already handled above by returning early. */
E
Emilia Kasper 已提交
1205
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1206
            if (s->ctx->app_verify_cookie_cb != NULL) {
E
Emilia Kasper 已提交
1207 1208
                if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
                                                 PACKET_remaining(&cookie)) == 0) {
1209
                    al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1210
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1211
                           SSL_R_COOKIE_MISMATCH);
1212
                    goto f_err;
E
Emilia Kasper 已提交
1213
                    /* else cookie verification succeeded */
1214
                }
1215
            /* default verification */
E
Emilia Kasper 已提交
1216 1217
            } else if (!PACKET_equal(&cookie, s->d1->cookie,
                                     s->d1->cookie_len)) {
1218
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1219
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
1220
                goto f_err;
1221
            }
M
Matt Caswell 已提交
1222
            s->d1->cookie_verified = 1;
1223
        }
1224
        if (s->method->version == DTLS_ANY_VERSION) {
1225 1226 1227
            protverr = ssl_choose_server_version(s);
            if (protverr != 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
1228 1229 1230 1231 1232
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
            s->session->ssl_version = s->version;
1233
        }
1234
    }
1235

1236 1237
    if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
                                 is_v2_record, &al) == NULL) {
1238 1239
        goto f_err;
    }
1240

1241 1242 1243 1244
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1245

1246
#ifdef CIPHER_DEBUG
1247 1248
        fprintf(stderr, "client sent %d ciphers\n",
                sk_SSL_CIPHER_num(ciphers));
1249
#endif
1250 1251
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1252
#ifdef CIPHER_DEBUG
1253 1254
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1255
#endif
1256 1257 1258
            if (c->id == id) {
                j = 1;
                break;
1259
            }
1260
        }
1261
        if (j == 0) {
1262
            /*
1263 1264
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1265
             */
1266
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1267
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1268
                   SSL_R_REQUIRED_CIPHER_MISSING);
1269 1270
            goto f_err;
        }
1271
    }
M
Matt Caswell 已提交
1272

1273 1274 1275 1276
    complen = PACKET_remaining(&compression);
    for (j = 0; j < complen; j++) {
        if (PACKET_data(&compression)[j] == 0)
            break;
1277
    }
1278

1279 1280 1281
    if (j >= complen) {
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1282
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1283 1284 1285
        goto f_err;
    }
    
1286 1287
    /* TLS extensions */
    if (s->version >= SSL3_VERSION) {
1288
        if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
M
Matt Caswell 已提交
1289
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
1290 1291 1292 1293 1294 1295 1296 1297 1298 1299 1300 1301 1302 1303 1304 1305 1306 1307 1308
            goto err;
        }
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1309
        const SSL_CIPHER *pref_cipher = NULL;
1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330

        s->session->master_key_length = sizeof(s->session->master_key);
        if (s->tls_session_secret_cb(s, s->session->master_key,
                                     &s->session->master_key_length, ciphers,
                                     &pref_cipher,
                                     s->tls_session_secret_cb_arg)) {
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
            pref_cipher =
                pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
                                                               s->
                                                               session->ciphers,
                                                               SSL_get_ciphers
                                                               (s));
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1331
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1332 1333 1334 1335
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1336
            sk_SSL_CIPHER_free(s->cipher_list);
1337
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1338
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1339 1340 1341
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1342

1343 1344
    /*
     * Worst case, we will use the NULL compression, but if we have other
1345
     * options, we will now look for them.  We have complen-1 compression
1346 1347 1348
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1349
#ifndef OPENSSL_NO_COMP
1350 1351 1352
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1353
        unsigned int k;
1354 1355 1356
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
M
Matt Caswell 已提交
1357
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
M
Matt Caswell 已提交
1370
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1371 1372 1373 1374
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
M
Matt Caswell 已提交
1375
        for (k = 0; k < complen; k++) {
1376
            if (PACKET_data(&compression)[k] == comp_id)
1377 1378
                break;
        }
M
Matt Caswell 已提交
1379
        if (k >= complen) {
1380
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1381
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1382 1383 1384 1385 1386 1387
                   SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1388
        /* See if we have a match */
M
Matt Caswell 已提交
1389 1390
        int m, nn, v, done = 0;
        unsigned int o;
1391 1392 1393 1394 1395

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1396
            for (o = 0; o < complen; o++) {
1397
                if (v == PACKET_data(&compression)[o]) {
1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1410
#else
1411 1412 1413 1414 1415
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
M
Matt Caswell 已提交
1416
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1417 1418
        goto f_err;
    }
1419
#endif
1420

1421 1422 1423
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1424

1425
    if (!s->hit) {
1426
#ifdef OPENSSL_NO_COMP
1427
        s->session->compress_meth = 0;
1428
#else
1429
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1430
#endif
R
Rich Salz 已提交
1431
        sk_SSL_CIPHER_free(s->session->ciphers);
1432 1433
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1434
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1435
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1436 1437 1438 1439
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
M
Matt Caswell 已提交
1440
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1441 1442
            goto err;
        }
M
Matt Caswell 已提交
1443 1444 1445 1446 1447 1448 1449
    }

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1450
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1451 1452 1453 1454 1455 1456

    sk_SSL_CIPHER_free(ciphers);
    return MSG_PROCESS_ERROR;

}

M
Matt Caswell 已提交
1457
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1458
{
M
Matt Caswell 已提交
1459
    int al = SSL_AD_HANDSHAKE_FAILURE;
1460
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476

    if (wst == WORK_MORE_A) {
        if (!s->hit) {
            /* Let cert callback update server certificates if required */
            if (s->cert->cert_cb) {
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_A;
                }
                s->rwstate = SSL_NOTHING;
1477
            }
M
Matt Caswell 已提交
1478 1479 1480 1481 1482
            cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

            if (cipher == NULL) {
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
                goto f_err;
1483
            }
M
Matt Caswell 已提交
1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494
            s->s3->tmp.new_cipher = cipher;
            /* check whether we should disable session resumption */
            if (s->not_resumable_session_cb != NULL)
                s->session->not_resumable = s->not_resumable_session_cb(s,
                    ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
            if (s->session->not_resumable)
                /* do not send a session ticket */
                s->tlsext_ticket_expected = 0;
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
1495 1496
        }

1497
        if (!(s->verify_mode & SSL_VERIFY_PEER)) {
M
Matt Caswell 已提交
1498 1499
            if (!ssl3_digest_cached_records(s, 0)) {
                al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1500
                goto f_err;
M
Matt Caswell 已提交
1501
            }
1502 1503
        }

M
Matt Caswell 已提交
1504 1505 1506 1507 1508 1509 1510 1511 1512 1513 1514
        /*-
         * we now have the following setup.
         * client_random
         * cipher_list          - our prefered list of ciphers
         * ciphers              - the clients prefered list of ciphers
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
1515

M
Matt Caswell 已提交
1516 1517 1518
        /* Handles TLS extensions that we couldn't check earlier */
        if (s->version >= SSL3_VERSION) {
            if (ssl_check_clienthello_tlsext_late(s) <= 0) {
M
Matt Caswell 已提交
1519 1520
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_CLIENTHELLO_TLSEXT);
M
Matt Caswell 已提交
1521 1522 1523
                goto f_err;
            }
        }
1524

M
Matt Caswell 已提交
1525 1526 1527 1528 1529 1530 1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545
        wst = WORK_MORE_B;
    }
#ifndef OPENSSL_NO_SRP
    if (wst == WORK_MORE_B) {
        int ret;
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_B;
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CLIENTHELLO_TLSEXT);
            goto f_err;
1546 1547
        }
    }
M
Matt Caswell 已提交
1548 1549
#endif
    s->renegotiate = 2;
1550

M
Matt Caswell 已提交
1551
    return WORK_FINISHED_STOP;
1552
 f_err:
M
Matt Caswell 已提交
1553
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1554
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1555 1556 1557 1558
    return WORK_ERROR;
}

int tls_construct_server_hello(SSL *s)
1559 1560 1561 1562 1563 1564 1565
{
    unsigned char *buf;
    unsigned char *p, *d;
    int i, sl;
    int al = 0;
    unsigned long l;

M
Matt Caswell 已提交
1566
    buf = (unsigned char *)s->init_buf->data;
1567

M
Matt Caswell 已提交
1568 1569
    /* Do the message type and length last */
    d = p = ssl_handshake_start(s);
1570

M
Matt Caswell 已提交
1571 1572
    *(p++) = s->version >> 8;
    *(p++) = s->version & 0xff;
1573

M
Matt Caswell 已提交
1574 1575 1576 1577 1578 1579
    /*
     * Random stuff. Filling of the server_random takes place in
     * tls_process_client_hello()
     */
    memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
    p += SSL3_RANDOM_SIZE;
1580

M
Matt Caswell 已提交
1581 1582 1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593 1594 1595 1596 1597 1598 1599 1600 1601 1602 1603 1604
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

    sl = s->session->session_id_length;
    if (sl > (int)sizeof(s->session->session_id)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1605
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1606 1607 1608 1609 1610
        return 0;
    }
    *(p++) = sl;
    memcpy(p, s->session->session_id, sl);
    p += sl;
1611

M
Matt Caswell 已提交
1612 1613 1614
    /* put the cipher */
    i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
    p += i;
1615

M
Matt Caswell 已提交
1616
    /* put the compression method */
1617
#ifdef OPENSSL_NO_COMP
M
Matt Caswell 已提交
1618
    *(p++) = 0;
1619
#else
M
Matt Caswell 已提交
1620 1621 1622 1623
    if (s->s3->tmp.new_compression == NULL)
        *(p++) = 0;
    else
        *(p++) = s->s3->tmp.new_compression->id;
1624
#endif
1625

M
Matt Caswell 已提交
1626 1627
    if (ssl_prepare_serverhello_tlsext(s) <= 0) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
M
Matt Caswell 已提交
1628
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1629 1630 1631 1632 1633 1634 1635
        return 0;
    }
    if ((p =
         ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
                                    &al)) == NULL) {
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1636
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1637 1638
        return 0;
    }
1639

M
Matt Caswell 已提交
1640 1641 1642 1643
    /* do the header */
    l = (p - d);
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1644
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1645
        return 0;
1646
    }
1647

M
Matt Caswell 已提交
1648
    return 1;
1649
}
1650

M
Matt Caswell 已提交
1651 1652 1653 1654
int tls_construct_server_done(SSL *s)
{
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1655
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
1656 1657 1658 1659 1660
        return 0;
    }

    if (!s->s3->tmp.cert_request) {
        if (!ssl3_digest_cached_records(s, 0)) {
M
Matt Caswell 已提交
1661
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
1662 1663 1664 1665 1666 1667 1668
        }
    }

    return 1;
}

int tls_construct_server_key_exchange(SSL *s)
1669
{
1670
#ifndef OPENSSL_NO_DH
1671
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
1672
#endif
1673
#ifndef OPENSSL_NO_EC
1674 1675 1676
    unsigned char *encodedPoint = NULL;
    int encodedlen = 0;
    int curve_id = 0;
1677
#endif
1678 1679 1680 1681 1682 1683 1684 1685 1686
    EVP_PKEY *pkey;
    const EVP_MD *md = NULL;
    unsigned char *p, *d;
    int al, i;
    unsigned long type;
    int n;
    BIGNUM *r[4];
    int nr[4], kn;
    BUF_MEM *buf;
1687
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
1688

1689 1690 1691 1692 1693
    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
1694

M
Matt Caswell 已提交
1695 1696 1697
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    buf = s->init_buf;
1698

M
Matt Caswell 已提交
1699 1700
    r[0] = r[1] = r[2] = r[3] = NULL;
    n = 0;
1701
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712
    if (type & SSL_PSK) {
        /*
         * reserve size for record length and PSK identity hint
         */
        n += 2;
        if (s->cert->psk_identity_hint)
            n += strlen(s->cert->psk_identity_hint);
    }
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
1713
#endif                          /* !OPENSSL_NO_PSK */
1714
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
1715
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
1716 1717
        CERT *cert = s->cert;

1718 1719 1720
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
1721
        if (s->cert->dh_tmp_auto) {
1722 1723 1724 1725
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
M
Matt Caswell 已提交
1726 1727
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
1728
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1729
                goto f_err;
1730
            }
1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
M
Matt Caswell 已提交
1748 1749 1750 1751 1752 1753
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
1754
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
M
Matt Caswell 已提交
1755 1756 1757 1758 1759
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
1760
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1761 1762 1763 1764
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
1765

1766
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp, NID_undef);
M
Matt Caswell 已提交
1767

1768 1769
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1770
            goto err;
M
Matt Caswell 已提交
1771
        }
1772 1773 1774 1775 1776 1777

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
1778 1779 1780 1781
        r[0] = dh->p;
        r[1] = dh->g;
        r[2] = dh->pub_key;
    } else
1782
#endif
1783
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1784
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1785
        int nid;
M
Matt Caswell 已提交
1786

D
Dr. Stephen Henson 已提交
1787
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1788 1789 1790 1791 1792
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

1793 1794 1795 1796
        /* Get NID of appropriate shared curve */
        nid = tls1_shared_curve(s, -2);
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
1797 1798 1799 1800
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
1801 1802 1803
        s->s3->tmp.pkey = ssl_generate_pkey(NULL, nid);
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
1804
            al = SSL_AD_INTERNAL_ERROR;
D
Dr. Stephen Henson 已提交
1805
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1806 1807 1808
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
1809 1810 1811
        /* Encode the public key. */
        encodedlen = EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(s->s3->tmp.pkey),
                                    POINT_CONVERSION_UNCOMPRESSED,
1812
                                    &encodedPoint, NULL);
1813

M
Matt Caswell 已提交
1814
        if (encodedlen == 0) {
1815
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
1816 1817
            goto err;
        }
1818

M
Matt Caswell 已提交
1819
        /*
1820 1821 1822
         * We only support named (not generic) curves in ECDH ephemeral key
         * exchanges. In this situation, we need four additional bytes to
         * encode the entire ServerECDHParams structure.
M
Matt Caswell 已提交
1823 1824
         */
        n += 4 + encodedlen;
1825

M
Matt Caswell 已提交
1826 1827 1828 1829 1830 1831 1832 1833 1834
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
1835
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
1836
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1837 1838 1839 1840 1841 1842 1843
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
1844
        }
M
Matt Caswell 已提交
1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
    for (i = 0; i < 4 && r[i] != NULL; i++) {
        nr[i] = BN_num_bytes(r[i]);
B
Ben Laurie 已提交
1859
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1860 1861 1862
        if ((i == 2) && (type & SSL_kSRP))
            n += 1 + nr[i];
        else
B
Ben Laurie 已提交
1863
#endif
M
Matt Caswell 已提交
1864 1865
            n += 2 + nr[i];
    }
1866

M
Matt Caswell 已提交
1867 1868 1869 1870 1871 1872
    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
        && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
        if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
            == NULL) {
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1873
        }
M
Matt Caswell 已提交
1874 1875 1876 1877 1878
        kn = EVP_PKEY_size(pkey);
    } else {
        pkey = NULL;
        kn = 0;
    }
1879

M
Matt Caswell 已提交
1880 1881 1882 1883 1884
    if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
        goto err;
    }
    d = p = ssl_handshake_start(s);
1885

1886
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1887 1888 1889 1890 1891 1892 1893 1894 1895
    if (type & SSL_PSK) {
        /* copy PSK identity hint */
        if (s->cert->psk_identity_hint) {
            s2n(strlen(s->cert->psk_identity_hint), p);
            strncpy((char *)p, s->cert->psk_identity_hint,
                    strlen(s->cert->psk_identity_hint));
            p += strlen(s->cert->psk_identity_hint);
        } else {
            s2n(0, p);
1896
        }
M
Matt Caswell 已提交
1897
    }
1898 1899
#endif

M
Matt Caswell 已提交
1900
    for (i = 0; i < 4 && r[i] != NULL; i++) {
B
Ben Laurie 已提交
1901
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1902 1903 1904 1905
        if ((i == 2) && (type & SSL_kSRP)) {
            *p = nr[i];
            p++;
        } else
B
Ben Laurie 已提交
1906
#endif
M
Matt Caswell 已提交
1907 1908 1909 1910
            s2n(nr[i], p);
        BN_bn2bin(r[i], p);
        p += nr[i];
    }
1911

1912
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
         * XXX: For now, we only support named (not generic) curves. In
         * this situation, the serverKeyExchange message has: [1 byte
         * CurveType], [2 byte CurveName] [1 byte length of encoded
         * point], followed by the actual encoded point itself
         */
        *p = NAMED_CURVE_TYPE;
        p += 1;
        *p = 0;
        p += 1;
        *p = curve_id;
        p += 1;
        *p = encodedlen;
        p += 1;
        memcpy(p, encodedPoint, encodedlen);
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
        p += encodedlen;
    }
B
Bodo Möller 已提交
1933 1934
#endif

M
Matt Caswell 已提交
1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949
    /* not anonymous */
    if (pkey != NULL) {
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
        if (md) {
            /* send signature algorithm */
            if (SSL_USE_SIGALGS(s)) {
                if (!tls12_get_sigandhash(p, pkey, md)) {
                    /* Should never happen */
                    al = SSL_AD_INTERNAL_ERROR;
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
1950
                }
M
Matt Caswell 已提交
1951 1952
                p += 2;
            }
1953
#ifdef SSL_DEBUG
M
Matt Caswell 已提交
1954
            fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
1955
#endif
1956 1957
            if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0
                    || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
1958
                                      SSL3_RANDOM_SIZE) <= 0
1959
                    || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
1960
                                      SSL3_RANDOM_SIZE) <= 0
1961 1962
                    || EVP_SignUpdate(md_ctx, d, n) <= 0
                    || EVP_SignFinal(md_ctx, &(p[2]),
1963
                               (unsigned int *)&i, pkey) <= 0) {
M
Matt Caswell 已提交
1964
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
1965 1966
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
1967
            }
M
Matt Caswell 已提交
1968 1969 1970 1971 1972 1973
            s2n(i, p);
            n += i + 2;
            if (SSL_USE_SIGALGS(s))
                n += 2;
        } else {
            /* Is this error check actually needed? */
M
Matt Caswell 已提交
1974
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1975 1976
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNKNOWN_PKEY_TYPE);
M
Matt Caswell 已提交
1977 1978
            goto f_err;
        }
1979 1980
    }

M
Matt Caswell 已提交
1981 1982 1983 1984 1985 1986
    if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

1987
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
1988
    return 1;
1989 1990 1991
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
1992 1993 1994
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
1995
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
1996
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
1997
#endif
1998
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
1999
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2000
    return 0;
2001
}
2002

M
Matt Caswell 已提交
2003
int tls_construct_certificate_request(SSL *s)
2004 2005 2006 2007 2008 2009 2010
{
    unsigned char *p, *d;
    int i, j, nl, off, n;
    STACK_OF(X509_NAME) *sk = NULL;
    X509_NAME *name;
    BUF_MEM *buf;

M
Matt Caswell 已提交
2011
    buf = s->init_buf;
2012

M
Matt Caswell 已提交
2013
    d = p = ssl_handshake_start(s);
2014

M
Matt Caswell 已提交
2015 2016 2017 2018 2019 2020
    /* get the list of acceptable cert types */
    p++;
    n = ssl3_get_req_cert_type(s, p);
    d[0] = n;
    p += n;
    n++;
2021

M
Matt Caswell 已提交
2022 2023 2024 2025 2026
    if (SSL_USE_SIGALGS(s)) {
        const unsigned char *psigs;
        unsigned char *etmp = p;
        nl = tls12_get_psigalgs(s, &psigs);
        /* Skip over length for now */
2027
        p += 2;
M
Matt Caswell 已提交
2028 2029 2030 2031 2032 2033
        nl = tls12_copy_sigalgs(s, p, psigs, nl);
        /* Now fill in length */
        s2n(nl, etmp);
        p += nl;
        n += nl + 2;
    }
2034

M
Matt Caswell 已提交
2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049
    off = n;
    p += 2;
    n += 2;

    sk = SSL_get_client_CA_list(s);
    nl = 0;
    if (sk != NULL) {
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
            name = sk_X509_NAME_value(sk, i);
            j = i2d_X509_NAME(name, NULL);
            if (!BUF_MEM_grow_clean
                (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_BUF_LIB);
                goto err;
2050
            }
M
Matt Caswell 已提交
2051 2052 2053 2054 2055
            p = ssl_handshake_start(s) + n;
            s2n(j, p);
            i2d_X509_NAME(name, &p);
            n += 2 + j;
            nl += 2 + j;
2056
        }
M
Matt Caswell 已提交
2057 2058 2059 2060
    }
    /* else no CA names */
    p = ssl_handshake_start(s) + off;
    s2n(nl, p);
2061

M
Matt Caswell 已提交
2062 2063 2064
    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
2065
    }
2066

M
Matt Caswell 已提交
2067 2068 2069
    s->s3->tmp.cert_request = 1;

    return 1;
2070
 err:
M
Matt Caswell 已提交
2071
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2072
    return 0;
2073
}
2074

M
Matt Caswell 已提交
2075
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2076 2077 2078
{
    int al;
    unsigned int i;
2079
    unsigned long alg_k;
2080
#ifndef OPENSSL_NO_RSA
2081
    RSA *rsa = NULL;
2082
#endif
D
Dr. Stephen Henson 已提交
2083
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
D
Dr. Stephen Henson 已提交
2084
    EVP_PKEY *ckey = NULL;
B
Bodo Möller 已提交
2085
#endif
2086
    PACKET enc_premaster;
E
Emilia Kasper 已提交
2087 2088
    const unsigned char *data;
    unsigned char *rsa_decrypt = NULL;
B
Bodo Möller 已提交
2089

2090
    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2091

2092 2093 2094 2095 2096
#ifndef OPENSSL_NO_PSK
    /* For PSK parse and retrieve identity, obtain PSK key */
    if (alg_k & SSL_PSK) {
        unsigned char psk[PSK_MAX_PSK_LEN];
        size_t psklen;
2097
        PACKET psk_identity;
2098

2099
        if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
2100
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2101
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2102 2103
            goto f_err;
        }
2104
        if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2105
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2106
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2107 2108 2109 2110 2111
                   SSL_R_DATA_LENGTH_TOO_LONG);
            goto f_err;
        }
        if (s->psk_server_callback == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2112
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2113 2114 2115 2116
                   SSL_R_PSK_NO_SERVER_CB);
            goto f_err;
        }

2117
        if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
M
Matt Caswell 已提交
2118
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2119
            al = SSL_AD_INTERNAL_ERROR;
2120 2121
            goto f_err;
        }
2122 2123 2124 2125 2126 2127

        psklen = s->psk_server_callback(s, s->session->psk_identity,
                                         psk, sizeof(psk));

        if (psklen > PSK_MAX_PSK_LEN) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2128
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2129 2130 2131 2132 2133
            goto f_err;
        } else if (psklen == 0) {
            /*
             * PSK related to the given identity not found
             */
M
Matt Caswell 已提交
2134
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2135 2136 2137 2138 2139 2140
                   SSL_R_PSK_IDENTITY_NOT_FOUND);
            al = SSL_AD_UNKNOWN_PSK_IDENTITY;
            goto f_err;
        }

        OPENSSL_free(s->s3->tmp.psk);
R
Rich Salz 已提交
2141
        s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
2142 2143 2144 2145
        OPENSSL_cleanse(psk, psklen);

        if (s->s3->tmp.psk == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2146
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2147 2148 2149 2150 2151 2152 2153
            goto f_err;
        }

        s->s3->tmp.psklen = psklen;
    }
    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
2154
        if (PACKET_remaining(pkt) != 0) {
2155
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2156
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
2157 2158 2159 2160 2161
            goto f_err;
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2162
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2163 2164 2165 2166
            goto f_err;
        }
    } else
#endif
2167
#ifndef OPENSSL_NO_RSA
2168
    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
2169 2170 2171 2172 2173 2174
        unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
        int decrypt_len;
        unsigned char decrypt_good, version_good;
        size_t j;

        /* FIX THIS UP EAY EAY EAY EAY */
D
Dr. Stephen Henson 已提交
2175 2176
        rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
        if (rsa == NULL) {
2177 2178 2179 2180
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_RSA_CERTIFICATE);
            goto f_err;
2181 2182
        }

2183 2184
        /* SSLv3 and pre-standard DTLS omit the length bytes. */
        if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
2185
            enc_premaster = *pkt;
2186
        } else {
2187 2188
            if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
                || PACKET_remaining(pkt) != 0) {
2189 2190 2191 2192
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
2193
            }
2194 2195 2196
        }

        /*
2197 2198 2199 2200
         * We want to be sure that the plaintext buffer size makes it safe to
         * iterate over the entire size of a premaster secret
         * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
         * their ciphertext cannot accommodate a premaster secret anyway.
2201
         */
2202 2203
        if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2204
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2205
                   RSA_R_KEY_SIZE_TOO_SMALL);
2206 2207 2208
            goto f_err;
        }

2209 2210
        rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
        if (rsa_decrypt == NULL) {
2211
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2212
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2213 2214
            goto f_err;
        }
2215

2216 2217 2218 2219 2220 2221 2222 2223
        /*
         * We must not leak whether a decryption failure occurs because of
         * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
         * section 7.4.7.1). The code follows that advice of the TLS RFC and
         * generates a random premaster secret for the case that the decrypt
         * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
         */

M
Matt Caswell 已提交
2224
        if (RAND_bytes(rand_premaster_secret,
2225
                       sizeof(rand_premaster_secret)) <= 0) {
2226
            goto err;
2227 2228 2229 2230 2231
        }

        decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
                                          PACKET_data(&enc_premaster),
                                          rsa_decrypt, rsa, RSA_PKCS1_PADDING);
2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249
        ERR_clear_error();

        /*
         * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
         * be 0xff if so and zero otherwise.
         */
        decrypt_good =
            constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);

        /*
         * If the version in the decrypted pre-master secret is correct then
         * version_good will be 0xff, otherwise it'll be zero. The
         * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
         * (http://eprint.iacr.org/2003/052/) exploits the version number
         * check as a "bad version oracle". Thus version checks are done in
         * constant time and are treated like any other decryption error.
         */
        version_good =
2250 2251
            constant_time_eq_8(rsa_decrypt[0],
                               (unsigned)(s->client_version >> 8));
2252
        version_good &=
2253 2254
            constant_time_eq_8(rsa_decrypt[1],
                               (unsigned)(s->client_version & 0xff));
2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267

        /*
         * The premaster secret must contain the same version number as the
         * ClientHello to detect version rollback attacks (strangely, the
         * protocol does not offer such protection for DH ciphersuites).
         * However, buggy clients exist that send the negotiated protocol
         * version instead if the server does not support the requested
         * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
         * clients.
         */
        if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
            unsigned char workaround_good;
            workaround_good =
2268
                constant_time_eq_8(rsa_decrypt[0], (unsigned)(s->version >> 8));
2269
            workaround_good &=
2270 2271
                constant_time_eq_8(rsa_decrypt[1],
                                   (unsigned)(s->version & 0xff));
2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287
            version_good |= workaround_good;
        }

        /*
         * Both decryption and version must be good for decrypt_good to
         * remain non-zero (0xff).
         */
        decrypt_good &= version_good;

        /*
         * Now copy rand_premaster_secret over from p using
         * decrypt_good_mask. If decryption failed, then p does not
         * contain valid plaintext, however, a check above guarantees
         * it is still sufficiently large to read from.
         */
        for (j = 0; j < sizeof(rand_premaster_secret); j++) {
2288 2289 2290
            rsa_decrypt[j] =
                constant_time_select_8(decrypt_good, rsa_decrypt[j],
                                       rand_premaster_secret[j]);
2291 2292
        }

2293 2294
        if (!ssl_generate_master_secret(s, rsa_decrypt,
                                        sizeof(rand_premaster_secret), 0)) {
M
Matt Caswell 已提交
2295
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2296
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2297 2298
            goto f_err;
        }
2299 2300
        OPENSSL_free(rsa_decrypt);
        rsa_decrypt = NULL;
2301
    } else
U
Ulf Möller 已提交
2302
#endif
2303
#ifndef OPENSSL_NO_DH
D
Dr. Stephen Henson 已提交
2304
    if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2305 2306
        EVP_PKEY *skey = NULL;
        DH *cdh;
2307

2308
        if (!PACKET_get_net_2(pkt, &i)) {
2309
            if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
M
Matt Caswell 已提交
2310
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2311
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
M
Matt Caswell 已提交
2312 2313 2314
                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
                goto f_err;
            }
2315
            i = 0;
M
Matt Caswell 已提交
2316
        }
2317
        if (PACKET_remaining(pkt) != i) {
2318 2319 2320
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
            goto err;
2321
        }
2322 2323
        skey = s->s3->tmp.pkey;
        if (skey == NULL) {
2324
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2325
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2326 2327
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
2328
        }
2329

2330
        if (PACKET_remaining(pkt) == 0L) {
D
Dr. Stephen Henson 已提交
2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!PACKET_get_bytes(pkt, &data, i)) {
            /* We already checked we have enough data */
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
2342
        }
2343 2344
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
M
Matt Caswell 已提交
2345
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2346 2347
            goto err;
        }
2348 2349 2350 2351
        cdh = EVP_PKEY_get0_DH(ckey);
        cdh->pub_key = BN_bin2bn(data, i, NULL);
        if (cdh->pub_key == NULL) {
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
2352 2353 2354
            goto err;
        }

2355
        if (ssl_derive(s, skey, ckey) == 0) {
M
Matt Caswell 已提交
2356
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2357
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2358 2359
            goto f_err;
        }
2360 2361 2362 2363

        EVP_PKEY_free(ckey);
        ckey = NULL;

2364
    } else
2365
#endif
B
Bodo Möller 已提交
2366

2367
#ifndef OPENSSL_NO_EC
2368
    if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) {
D
Dr. Stephen Henson 已提交
2369
        EVP_PKEY *skey = NULL;
2370 2371 2372 2373

        /* Let's get server private key and group information */
        if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
            /* use the certificate */
D
Dr. Stephen Henson 已提交
2374
            skey = s->cert->pkeys[SSL_PKEY_ECC].privatekey;
2375 2376 2377 2378 2379
        } else {
            /*
             * use the ephermeral values we saved when generating the
             * ServerKeyExchange msg.
             */
D
Dr. Stephen Henson 已提交
2380
            skey = s->s3->tmp.pkey;
2381 2382
        }

2383
        if (PACKET_remaining(pkt) == 0L) {
D
Dr. Stephen Henson 已提交
2384 2385 2386 2387 2388
            /* We don't support ECDH client auth */
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_ECDH_KEY);
            goto f_err;
2389 2390 2391 2392 2393 2394 2395
        } else {
            /*
             * Get client's public key from encoded point in the
             * ClientKeyExchange message.
             */

            /* Get encoded point length */
2396
            if (!PACKET_get_1(pkt, &i)) {
2397
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2398
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2399 2400 2401
                       SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
2402 2403
            if (!PACKET_get_bytes(pkt, &data, i)
                    || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
2404
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2405 2406
                goto err;
            }
D
Dr. Stephen Henson 已提交
2407 2408 2409 2410 2411 2412 2413
            ckey = EVP_PKEY_new();
            if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EVP_LIB);
                goto err;
            }
            if (EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(ckey), data, i,
                               NULL) == 0) {
M
Matt Caswell 已提交
2414
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
2415 2416 2417 2418
                goto err;
            }
        }

D
Dr. Stephen Henson 已提交
2419
        if (ssl_derive(s, skey, ckey) == 0) {
M
Matt Caswell 已提交
2420
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2421
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2422 2423
            goto f_err;
        }
D
Dr. Stephen Henson 已提交
2424 2425 2426 2427

        EVP_PKEY_free(ckey);
        ckey = NULL;

M
Matt Caswell 已提交
2428
        return MSG_PROCESS_CONTINUE_PROCESSING;
2429
    } else
2430
#endif
B
Ben Laurie 已提交
2431
#ifndef OPENSSL_NO_SRP
2432
    if (alg_k & SSL_kSRP) {
2433 2434
        if (!PACKET_get_net_2(pkt, &i)
                || !PACKET_get_bytes(pkt, &data, i)) {
2435
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2436
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
2437 2438
            goto f_err;
        }
2439
        if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
M
Matt Caswell 已提交
2440
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
2441 2442 2443 2444 2445
            goto err;
        }
        if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
            || BN_is_zero(s->srp_ctx.A)) {
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
2446
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2447 2448 2449
                   SSL_R_BAD_SRP_PARAMETERS);
            goto f_err;
        }
R
Rich Salz 已提交
2450
        OPENSSL_free(s->session->srp_username);
R
Rich Salz 已提交
2451
        s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
2452
        if (s->session->srp_username == NULL) {
M
Matt Caswell 已提交
2453
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
2454 2455 2456
            goto err;
        }

2457
        if (!srp_generate_server_master_secret(s)) {
M
Matt Caswell 已提交
2458
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2459 2460 2461 2462
            goto err;
        }
    } else
#endif                          /* OPENSSL_NO_SRP */
M
Matt Caswell 已提交
2463
#ifndef OPENSSL_NO_GOST
2464 2465 2466
    if (alg_k & SSL_kGOST) {
        EVP_PKEY_CTX *pkey_ctx;
        EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
E
Emilia Kasper 已提交
2467 2468
        unsigned char premaster_secret[32];
        const unsigned char *start;
2469 2470 2471 2472
        size_t outlen = 32, inlen;
        unsigned long alg_a;
        int Ttag, Tclass;
        long Tlen;
2473
        long sess_key_len;
2474 2475 2476

        /* Get our certificate private key */
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
2477 2478 2479 2480 2481 2482 2483 2484 2485 2486 2487 2488
        if (alg_a & SSL_aGOST12) {
            /*
             * New GOST ciphersuites have SSL_aGOST01 bit too
             */
            pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
            }
            if (pk == NULL) {
                pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
            }
        } else if (alg_a & SSL_aGOST01) {
2489
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
2490
        }
2491 2492

        pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
2493 2494 2495 2496 2497
        if (pkey_ctx == NULL) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
            goto f_err;
        }
2498 2499 2500 2501 2502
        if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
2503 2504 2505 2506 2507 2508
        /*
         * If client certificate is present and is of the same type, maybe
         * use it for key exchange.  Don't mind errors from
         * EVP_PKEY_derive_set_peer, because it is completely valid to use a
         * client certificate for authorization only.
         */
2509
        client_pub_pkey = X509_get0_pubkey(s->session->peer);
2510 2511 2512 2513 2514
        if (client_pub_pkey) {
            if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
                ERR_clear_error();
        }
        /* Decrypt session key */
2515 2516
        sess_key_len = PACKET_remaining(pkt);
        if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
2517
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2518
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2519
            goto gerr;
2520
        }
2521 2522 2523
        if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag,
                             &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
            || Ttag != V_ASN1_SEQUENCE
2524
            || Tclass != V_ASN1_UNIVERSAL) {
2525
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2526
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2527 2528 2529
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
2530
        start = data;
2531 2532 2533
        inlen = Tlen;
        if (EVP_PKEY_decrypt
            (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
M
Matt Caswell 已提交
2534
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2535
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
2536 2537 2538 2539
                   SSL_R_DECRYPTION_FAILED);
            goto gerr;
        }
        /* Generate master secret */
2540 2541
        if (!ssl_generate_master_secret(s, premaster_secret,
                                        sizeof(premaster_secret), 0)) {
M
Matt Caswell 已提交
2542
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2543
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2544
            goto gerr;
M
Matt Caswell 已提交
2545
        }
2546 2547 2548
        /* Check if pubkey from client certificate was used */
        if (EVP_PKEY_CTX_ctrl
            (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
2549
            s->statem.no_cert_verify = 1;
M
Matt Caswell 已提交
2550 2551 2552

        EVP_PKEY_CTX_free(pkey_ctx);
        return MSG_PROCESS_CONTINUE_PROCESSING;
2553 2554
 gerr:
        EVP_PKEY_CTX_free(pkey_ctx);
2555
        goto f_err;
M
Matt Caswell 已提交
2556 2557 2558
    } else
#endif
    {
2559
        al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2560
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
2561 2562 2563
        goto f_err;
    }

M
Matt Caswell 已提交
2564
    return MSG_PROCESS_CONTINUE_PROCESSING;
2565 2566
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
2567
#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
2568
 err:
B
Bodo Möller 已提交
2569
#endif
D
Dr. Stephen Henson 已提交
2570
#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
D
Dr. Stephen Henson 已提交
2571
    EVP_PKEY_free(ckey);
2572
#endif
2573
    OPENSSL_free(rsa_decrypt);
2574 2575 2576
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
2577
#endif
M
Matt Caswell 已提交
2578
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2579
    return MSG_PROCESS_ERROR;
2580
}
2581

M
Matt Caswell 已提交
2582
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
2583 2584
{
#ifndef OPENSSL_NO_SCTP
2585 2586 2587 2588 2589 2590 2591 2592
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
2593 2594
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
2595 2596 2597 2598

            if (SSL_export_keying_material(s, sctpauthkey,
                                       sizeof(sctpauthkey), labelbuffer,
                                       sizeof(labelbuffer), NULL, 0, 0) <= 0) {
M
Matt Caswell 已提交
2599
                ossl_statem_set_error(s);
2600 2601
                return WORK_ERROR;;
            }
2602

2603 2604
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
2605
        }
2606 2607
        wst = WORK_MORE_B;
    }
2608

2609 2610 2611 2612 2613 2614
    if ((wst == WORK_MORE_B)
            /* Is this SCTP? */
            && BIO_dgram_is_sctp(SSL_get_wbio(s))
            /* Are we renegotiating? */
            && s->renegotiate
            /* Are we going to skip the CertificateVerify? */
2615
            && (s->session->peer == NULL || s->statem.no_cert_verify)
2616 2617 2618 2619 2620
            && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
2621
        ossl_statem_set_sctp_read_sock(s, 1);
2622 2623
        return WORK_MORE_B;
    } else {
M
Matt Caswell 已提交
2624
        ossl_statem_set_sctp_read_sock(s, 0);
2625 2626 2627
    }
#endif

2628
    if (s->statem.no_cert_verify) {
2629 2630
        /* No certificate verify so we no longer need the handshake_buffer */
        BIO_free(s->s3->handshake_buffer);
2631
        s->s3->handshake_buffer = NULL;
2632
        return WORK_FINISHED_CONTINUE;
2633
    } else {
2634 2635 2636 2637 2638 2639 2640 2641
        if (!s->session->peer) {
            /* No peer certificate so we no longer need the handshake_buffer */
            BIO_free(s->s3->handshake_buffer);
            return WORK_FINISHED_CONTINUE;
        }
        if (!s->s3->handshake_buffer) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2642
            ossl_statem_set_error(s);
2643 2644 2645 2646 2647 2648 2649
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
M
Matt Caswell 已提交
2650
            ossl_statem_set_error(s);
2651 2652 2653 2654 2655 2656 2657
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
2658
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2659 2660
{
    EVP_PKEY *pkey = NULL;
E
Emilia Kasper 已提交
2661 2662
    const unsigned char *sig, *data;
    unsigned char *gost_data = NULL;
M
Matt Caswell 已提交
2663
    int al, ret = MSG_PROCESS_ERROR;
2664
    int type = 0, j;
M
Matt Caswell 已提交
2665 2666 2667
    unsigned int len;
    X509 *peer;
    const EVP_MD *md = NULL;
2668 2669 2670
    long hdatalen = 0;
    void *hdata;

2671
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
2672 2673 2674 2675 2676 2677

    if (mctx == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
M
Matt Caswell 已提交
2678

2679
    peer = s->session->peer;
2680
    pkey = X509_get0_pubkey(peer);
2681
    type = X509_certificate_type(peer, pkey);
2682 2683

    if (!(type & EVP_PKT_SIGN)) {
M
Matt Caswell 已提交
2684
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY,
2685 2686 2687 2688 2689 2690 2691 2692
               SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }

    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and n is exactly 64, it is bare signature without
2693
     * length field (CryptoPro implementations at least till CSP 4.0)
2694
     */
M
Matt Caswell 已提交
2695
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
2696 2697
    if (PACKET_remaining(pkt) == 64
        && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2698
        len = 64;
M
Matt Caswell 已提交
2699 2700 2701
    } else
#endif
    {
2702
        if (SSL_USE_SIGALGS(s)) {
2703 2704
            int rv;

2705
            if (!PACKET_get_bytes(pkt, &sig, 2)) {
2706 2707 2708 2709
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
2710 2711 2712 2713 2714 2715 2716
            if (rv == -1) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            } else if (rv == 0) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
D
Dr. Stephen Henson 已提交
2717
#ifdef SSL_DEBUG
2718
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2719
#endif
2720
        } else {
2721 2722 2723 2724 2725 2726 2727 2728
            /* Use default digest for this key type */
            int idx = ssl_cert_type(NULL, pkey);
            if (idx >= 0)
                md = s->s3->tmp.md[idx];
            if (md == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
2729
        }
2730

2731
        if (!PACKET_get_net_2(pkt, &len)) {
M
Matt Caswell 已提交
2732
            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2733 2734 2735 2736 2737
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
    }
    j = EVP_PKEY_size(pkey);
2738 2739
    if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
            || (PACKET_remaining(pkt) == 0)) {
M
Matt Caswell 已提交
2740
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2741 2742 2743
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2744
    if (!PACKET_get_bytes(pkt, &data, len)) {
M
Matt Caswell 已提交
2745
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2746 2747 2748
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2749

2750 2751 2752 2753 2754 2755
    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
    if (hdatalen <= 0) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
D
Dr. Stephen Henson 已提交
2756
#ifdef SSL_DEBUG
2757
    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2758
#endif
2759 2760
    if (!EVP_VerifyInit_ex(mctx, md, NULL)
        || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) {
2761 2762 2763 2764
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
2765

M
Matt Caswell 已提交
2766
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
2767 2768 2769 2770
    {
        int pktype = EVP_PKEY_id(pkey);
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
E
Emilia Kasper 已提交
2771 2772 2773 2774 2775 2776 2777 2778 2779
            || pktype == NID_id_GostR3410_2012_512) {
            if ((gost_data = OPENSSL_malloc(len)) == NULL) {
                SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
            BUF_reverse(gost_data, data, len);
            data = gost_data;
        }
2780
    }
M
Matt Caswell 已提交
2781
#endif
2782

2783
    if (s->version == SSL3_VERSION
2784
        && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
2785 2786 2787 2788 2789 2790 2791
                            s->session->master_key_length,
                            s->session->master_key)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

2792
    if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) {
2793 2794
        al = SSL_AD_DECRYPT_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
2795 2796 2797
        goto f_err;
    }

2798
    ret = MSG_PROCESS_CONTINUE_PROCESSING;
2799 2800 2801
    if (0) {
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2802
        ossl_statem_set_error(s);
2803
    }
R
Rich Salz 已提交
2804 2805
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
2806
    EVP_MD_CTX_free(mctx);
E
Emilia Kasper 已提交
2807
    OPENSSL_free(gost_data);
M
Matt Caswell 已提交
2808
    return ret;
2809
}
2810

M
Matt Caswell 已提交
2811
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2812
{
M
Matt Caswell 已提交
2813
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
2814 2815
    X509 *x = NULL;
    unsigned long l, llen;
E
Emilia Kasper 已提交
2816
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
2817
    STACK_OF(X509) *sk = NULL;
2818
    PACKET spkt;
2819 2820

    if ((sk = sk_X509_new_null()) == NULL) {
M
Matt Caswell 已提交
2821 2822
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
2823 2824
    }

2825 2826 2827
    if (!PACKET_get_net_3(pkt, &llen)
            || !PACKET_get_sub_packet(pkt, &spkt, llen)
            || PACKET_remaining(pkt) != 0) {
2828
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2829
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
2830 2831
        goto f_err;
    }
2832 2833 2834 2835

    while (PACKET_remaining(&spkt) > 0) {
        if (!PACKET_get_net_3(&spkt, &l)
                || !PACKET_get_bytes(&spkt, &certbytes, l)) {
2836
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2837
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2838 2839 2840 2841
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

2842 2843
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
2844
        if (x == NULL) {
M
Matt Caswell 已提交
2845 2846
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
2847
        }
2848
        if (certbytes != (certstart + l)) {
2849
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
2850
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2851 2852 2853 2854
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) {
M
Matt Caswell 已提交
2855 2856
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
2857 2858 2859 2860 2861 2862 2863 2864
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2865
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2866 2867 2868 2869 2870 2871
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
M
Matt Caswell 已提交
2872
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2873 2874 2875 2876 2877
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
2878
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
2879 2880 2881 2882 2883 2884 2885
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
M
Matt Caswell 已提交
2886
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2887 2888 2889 2890
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
M
Matt Caswell 已提交
2891
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
2892 2893 2894
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
2895
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
2896 2897
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2898
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
2899 2900 2901 2902 2903
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
    }

R
Rich Salz 已提交
2904
    X509_free(s->session->peer);
2905 2906 2907
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

2908 2909
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
2910 2911 2912 2913 2914
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
     * certificate, while we do include it in s3_clnt.c
     */
    sk = NULL;
M
Matt Caswell 已提交
2915
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
2916 2917
    goto done;

2918
 f_err:
R
Rich Salz 已提交
2919
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2920
    ossl_statem_set_error(s);
R
Rich Salz 已提交
2921
 done:
R
Rich Salz 已提交
2922 2923
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
2924
    return ret;
2925
}
2926

M
Matt Caswell 已提交
2927 2928 2929 2930 2931 2932 2933
int tls_construct_server_certificate(SSL *s)
{
    CERT_PKEY *cpk;

    cpk = ssl_get_server_send_pkey(s);
    if (cpk == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2934
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2935 2936 2937 2938 2939
        return 0;
    }

    if (!ssl3_output_cert_chain(s, cpk)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2940
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2941 2942 2943 2944 2945 2946 2947 2948 2949
        return 0;
    }

    return 1;
}

int tls_construct_new_session_ticket(SSL *s)
{
    unsigned char *senc = NULL;
2950
    EVP_CIPHER_CTX *ctx;
2951
    HMAC_CTX *hctx = NULL;
M
Matt Caswell 已提交
2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965 2966 2967
    unsigned char *p, *macstart;
    const unsigned char *const_p;
    int len, slen_full, slen;
    SSL_SESSION *sess;
    unsigned int hlen;
    SSL_CTX *tctx = s->initial_ctx;
    unsigned char iv[EVP_MAX_IV_LENGTH];
    unsigned char key_name[16];

    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
M
Matt Caswell 已提交
2968
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2969 2970 2971
        return 0;
    }
    senc = OPENSSL_malloc(slen_full);
2972
    if (senc == NULL) {
M
Matt Caswell 已提交
2973
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
2974 2975
        return 0;
    }
2976

2977
    ctx = EVP_CIPHER_CTX_new();
2978
    hctx = HMAC_CTX_new();
2979

M
Matt Caswell 已提交
2980 2981 2982
    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;
M
Matt Caswell 已提交
2983

M
Matt Caswell 已提交
2984 2985 2986 2987 2988 2989 2990 2991
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
2992

M
Matt Caswell 已提交
2993 2994 2995 2996 2997 2998 2999 3000 3001 3002 3003
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3004

M
Matt Caswell 已提交
3005 3006 3007 3008 3009 3010 3011 3012 3013 3014 3015 3016
    /*-
     * Grow buffer if need be: the length calculation is as
     * follows handshake_header_length +
     * 4 (ticket lifetime hint) + 2 (ticket length) +
     * 16 (key name) + max_iv_len (iv length) +
     * session_length + max_enc_block_size (max encrypted session
     * length) + max_md_size (HMAC).
     */
    if (!BUF_MEM_grow(s->init_buf,
                      SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
                      EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
        goto err;
3017

M
Matt Caswell 已提交
3018 3019 3020 3021 3022 3023
    p = ssl_handshake_start(s);
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
    if (tctx->tlsext_ticket_key_cb) {
3024
        if (tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, hctx, 1) < 0)
M
Matt Caswell 已提交
3025 3026 3027
            goto err;
    } else {
        if (RAND_bytes(iv, 16) <= 0)
M
Matt Caswell 已提交
3028
            goto err;
3029
        if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL,
M
Matt Caswell 已提交
3030
                                tctx->tlsext_tick_aes_key, iv))
M
Matt Caswell 已提交
3031
            goto err;
3032
        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
M
Matt Caswell 已提交
3033
                          EVP_sha256(), NULL))
3034
            goto err;
M
Matt Caswell 已提交
3035
        memcpy(key_name, tctx->tlsext_tick_key_name, 16);
3036 3037
    }

M
Matt Caswell 已提交
3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050 3051
    /*
     * Ticket lifetime hint (advisory only): We leave this unspecified
     * for resumed session (for simplicity), and guess that tickets for
     * new sessions will live as long as their sessions.
     */
    l2n(s->hit ? 0 : s->session->timeout, p);

    /* Skip ticket length for now */
    p += 2;
    /* Output key name */
    macstart = p;
    memcpy(p, key_name, 16);
    p += 16;
    /* output IV */
3052 3053
    memcpy(p, iv, EVP_CIPHER_CTX_iv_length(ctx));
    p += EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3054
    /* Encrypt session data */
3055
    if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen))
M
Matt Caswell 已提交
3056 3057
        goto err;
    p += len;
3058
    if (!EVP_EncryptFinal(ctx, p, &len))
M
Matt Caswell 已提交
3059 3060 3061
        goto err;
    p += len;

3062
    if (!HMAC_Update(hctx, macstart, p - macstart))
M
Matt Caswell 已提交
3063
        goto err;
3064
    if (!HMAC_Final(hctx, p, &hlen))
M
Matt Caswell 已提交
3065 3066
        goto err;

3067
    EVP_CIPHER_CTX_free(ctx);
3068
    HMAC_CTX_free(hctx);
3069 3070
    ctx = NULL;
    hctx = NULL;
M
Matt Caswell 已提交
3071 3072 3073 3074 3075 3076 3077 3078 3079 3080 3081 3082 3083

    p += hlen;
    /* Now write out lengths: p points to end of data written */
    /* Total length */
    len = p - ssl_handshake_start(s);
    /* Skip ticket lifetime hint */
    p = ssl_handshake_start(s) + 4;
    s2n(len - 6, p);
    if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
        goto err;
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3084
 err:
R
Rich Salz 已提交
3085
    OPENSSL_free(senc);
3086
    EVP_CIPHER_CTX_free(ctx);
3087
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3088
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3089
    return 0;
3090
}
3091

M
Matt Caswell 已提交
3092 3093 3094 3095 3096 3097 3098 3099 3100 3101
int tls_construct_cert_status(SSL *s)
{
    unsigned char *p;
    /*-
     * Grow buffer if need be: the length calculation is as
     * follows 1 (message type) + 3 (message length) +
     * 1 (ocsp response type) + 3 (ocsp response length)
     * + (ocsp response)
     */
    if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
M
Matt Caswell 已提交
3102
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3103 3104 3105 3106 3107 3108 3109 3110 3111 3112 3113 3114 3115 3116 3117 3118 3119 3120 3121 3122 3123 3124
        return 0;
    }

    p = (unsigned char *)s->init_buf->data;

    /* do the header */
    *(p++) = SSL3_MT_CERTIFICATE_STATUS;
    /* message length */
    l2n3(s->tlsext_ocsp_resplen + 4, p);
    /* status type */
    *(p++) = s->tlsext_status_type;
    /* length of OCSP response */
    l2n3(s->tlsext_ocsp_resplen, p);
    /* actual response */
    memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
    /* number of bytes to write */
    s->init_num = 8 + s->tlsext_ocsp_resplen;
    s->init_off = 0;

    return 1;
}

3125
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3126 3127 3128 3129
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3130
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3131
{
3132
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3133 3134
    size_t next_proto_len;

3135 3136 3137 3138 3139 3140 3141
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3142 3143 3144
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
M
Matt Caswell 已提交
3145
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
3146
        goto err;
M
Matt Caswell 已提交
3147
    }
3148

3149 3150 3151
    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
                       &next_proto_len)) {
        s->next_proto_negotiated_len = 0;
M
Matt Caswell 已提交
3152 3153 3154
        goto err;
    }

3155
    s->next_proto_negotiated_len = (unsigned char)next_proto_len;
3156

M
Matt Caswell 已提交
3157
    return MSG_PROCESS_CONTINUE_READING;
M
Matt Caswell 已提交
3158
err:
M
Matt Caswell 已提交
3159
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3160
    return MSG_PROCESS_ERROR;
3161
}
3162
#endif
M
Matt Caswell 已提交
3163 3164 3165

#define SSLV2_CIPHER_LEN    3

3166 3167
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                               PACKET *cipher_suites,
M
Matt Caswell 已提交
3168
                                               STACK_OF(SSL_CIPHER) **skp,
3169 3170
                                               int sslv2format, int *al
                                               )
M
Matt Caswell 已提交
3171 3172 3173
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk;
3174 3175 3176
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];
M
Matt Caswell 已提交
3177

3178 3179 3180 3181 3182 3183 3184 3185
    s->s3->send_connection_binding = 0;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return NULL;
M
Matt Caswell 已提交
3186
    }
3187 3188

    if (PACKET_remaining(cipher_suites) % n != 0) {
M
Matt Caswell 已提交
3189 3190
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
3191 3192
        *al = SSL_AD_DECODE_ERROR;
        return NULL;
M
Matt Caswell 已提交
3193
    }
3194

M
Matt Caswell 已提交
3195 3196 3197 3198
    if ((skp == NULL) || (*skp == NULL)) {
        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
        if(sk == NULL) {
            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3199
            *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3200 3201 3202 3203 3204 3205 3206
            return NULL;
        }
    } else {
        sk = *skp;
        sk_SSL_CIPHER_zero(sk);
    }

3207 3208 3209
    if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                       &s->s3->tmp.ciphers_rawlen)) {
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3210 3211 3212
        goto err;
    }

3213 3214
    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
3215 3216 3217
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
3218 3219 3220 3221
         */
        if (sslv2format && cipher[0] != '\0')
                continue;

M
Matt Caswell 已提交
3222
        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
3223 3224
        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3225 3226 3227 3228
            /* SCSV fatal if renegotiating */
            if (s->renegotiate) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
3229
                *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3230 3231 3232 3233 3234 3235 3236 3237 3238 3239
                goto err;
            }
            s->s3->send_connection_binding = 1;
#ifdef OPENSSL_RI_DEBUG
            fprintf(stderr, "SCSV received by server\n");
#endif
            continue;
        }

        /* Check for TLS_FALLBACK_SCSV */
3240 3241
        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3242 3243 3244 3245 3246
            /*
             * The SCSV indicates that the client previously tried a higher
             * version. Fail if the current version is an unexpected
             * downgrade.
             */
3247
            if (!ssl_check_version_downgrade(s)) {
M
Matt Caswell 已提交
3248 3249
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_INAPPROPRIATE_FALLBACK);
3250
                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
M
Matt Caswell 已提交
3251 3252 3253 3254 3255
                goto err;
            }
            continue;
        }

3256 3257
        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
M
Matt Caswell 已提交
3258 3259 3260
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3261
                *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3262 3263 3264 3265
                goto err;
            }
        }
    }
3266 3267 3268 3269 3270
    if (PACKET_remaining(cipher_suites) > 0) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
3271 3272 3273 3274 3275 3276 3277

    if (skp != NULL)
        *skp = sk;
    return (sk);
 err:
    if ((skp == NULL) || (*skp == NULL))
        sk_SSL_CIPHER_free(sk);
3278
    return NULL;
M
Matt Caswell 已提交
3279
}