statem_srvr.c 120.0 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
R
Rich Salz 已提交
6 7 8 9
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
10
 */
R
Rich Salz 已提交
11

12
#include <stdio.h>
M
Matt Caswell 已提交
13
#include "../ssl_locl.h"
M
Matt Caswell 已提交
14
#include "statem_locl.h"
15
#include "internal/constant_time_locl.h"
16 17 18 19
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
20
#include <openssl/hmac.h>
21
#include <openssl/x509.h>
R
Rich Salz 已提交
22
#include <openssl/dh.h>
23
#include <openssl/bn.h>
24
#include <openssl/md5.h>
25

M
Matt Caswell 已提交
26
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
27
static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt);
M
Matt Caswell 已提交
28

M
Matt Caswell 已提交
29
/*
30 31 32 33 34
 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when a TLSv1.3 server is reading messages from
 * the client. The message type that the client has sent is provided in |mt|.
 * The current state is in |s->statem.hand_state|.
 *
35 36
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
37 38 39 40 41 42 43 44 45 46 47 48 49 50
 */
static int ossl_statem_server13_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * Note: There is no case for TLS_ST_BEFORE because at that stage we have
     * not negotiated TLSv1.3 yet, so that case is handled by
     * ossl_statem_server_read_transition()
     */
    switch (st->hand_state) {
    default:
        break;

51
    case TLS_ST_EARLY_DATA:
M
Matt Caswell 已提交
52 53 54 55 56 57 58
        if (s->hello_retry_request) {
            if (mt == SSL3_MT_CLIENT_HELLO) {
                st->hand_state = TLS_ST_SR_CLNT_HELLO;
                return 1;
            }
            break;
        } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
59 60 61 62 63 64 65 66 67
            if (mt == SSL3_MT_END_OF_EARLY_DATA) {
                st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
                return 1;
            }
            break;
        }
        /* Fall through */

    case TLS_ST_SR_END_OF_EARLY_DATA:
68
    case TLS_ST_SW_FINISHED:
69 70 71 72 73 74
        if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        } else {
75 76
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
77 78 79 80 81 82 83
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT:
        if (s->session->peer == NULL) {
84 85
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
102 103

    case TLS_ST_OK:
104 105 106 107 108 109
        /*
         * Its never ok to start processing handshake messages in the middle of
         * early data (i.e. before we've received the end of early data alert)
         */
        if (s->early_data_state == SSL_EARLY_DATA_READING)
            break;
110 111 112 113 114
        if (mt == SSL3_MT_KEY_UPDATE) {
            st->hand_state = TLS_ST_SR_KEY_UPDATE;
            return 1;
        }
        break;
115 116 117 118 119 120 121 122 123 124 125
    }

    /* No valid transition found */
    return 0;
}

/*
 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when the server is reading messages from the
 * client. The message type that the client has sent is provided in |mt|. The
 * current state is in |s->statem.hand_state|.
M
Matt Caswell 已提交
126
 *
127 128
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
M
Matt Caswell 已提交
129
 */
130
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
131
{
M
Matt Caswell 已提交
132
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
133

134
    if (SSL_IS_TLS13(s)) {
135 136 137 138
        if (!ossl_statem_server13_read_transition(s, mt))
            goto err;
        return 1;
    }
139

140
    switch (st->hand_state) {
R
Rich Salz 已提交
141 142 143
    default:
        break;

M
Matt Caswell 已提交
144
    case TLS_ST_BEFORE:
145
    case TLS_ST_OK:
M
Matt Caswell 已提交
146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
164 165 166
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            if (s->s3->tmp.cert_request) {
                if (s->version == SSL3_VERSION) {
167 168
                    if ((s->verify_mode & SSL_VERIFY_PEER)
                        && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
169 170
                        /*
                         * This isn't an unexpected message as such - we're just
171 172
                         * not going to accept it because we require a client
                         * cert.
173 174 175
                         */
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                                        SSL3_AD_HANDSHAKE_FAILURE);
176
                        SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
177 178 179 180 181 182 183 184 185 186
                               SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                        return 0;
                    }
                    st->hand_state = TLS_ST_SR_KEY_EXCH;
                    return 1;
                }
            } else {
                st->hand_state = TLS_ST_SR_KEY_EXCH;
                return 1;
            }
M
Matt Caswell 已提交
187 188 189 190
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
191
            }
M
Matt Caswell 已提交
192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
208
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
209 210
         * set.
         */
211
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
R
Rich Salz 已提交
239
        if (s->s3->npn_seen) {
M
Matt Caswell 已提交
240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;
    }

272
 err:
M
Matt Caswell 已提交
273
    /* No valid transition found */
274
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
275
    SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
M
Matt Caswell 已提交
276 277 278 279 280 281 282 283 284 285
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
286
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
287 288 289 290
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
291
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
292 293 294 295 296 297
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
E
Emilia Kasper 已提交
298
    if (alg_k & (SSL_kDHE | SSL_kECDHE)
M
Matt Caswell 已提交
299 300 301 302 303 304 305 306 307 308 309 310 311 312 313
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
E
Emilia Kasper 已提交
314
        ) {
M
Matt Caswell 已提交
315 316 317 318 319 320 321 322 323 324 325 326 327
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
328
static int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
329 330 331 332 333 334 335 336
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
            * during re-negotiation:
            */
M
Matt Caswell 已提交
337
           && (s->s3->tmp.finish_md_len == 0 ||
M
Matt Caswell 已提交
338 339 340 341 342 343 344
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
E
Emilia Kasper 已提交
345 346 347 348 349
               /*
                * ... except when the application insists on
                * verification (against the specs, but statem_clnt.c accepts
                * this for SSL 3)
                */
M
Matt Caswell 已提交
350 351 352 353 354 355 356
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
357
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
358 359 360 361 362 363 364
        return 1;
    }

    return 0;
}

/*
365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382
 * ossl_statem_server13_write_transition() works out what handshake state to
 * move to next when a TLSv1.3 server is writing messages to be sent to the
 * client.
 */
static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
     * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
     */

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

383 384 385 386 387
    case TLS_ST_OK:
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
388 389
        /* Try to read from the client instead */
        return WRITE_TRAN_FINISHED;
390

391
    case TLS_ST_SR_CLNT_HELLO:
392 393 394 395
        if (s->hello_retry_request)
            st->hand_state = TLS_ST_SW_HELLO_RETRY_REQUEST;
        else
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
396 397
        return WRITE_TRAN_CONTINUE;

398
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
M
Matt Caswell 已提交
399 400
        st->hand_state = TLS_ST_EARLY_DATA;
        return WRITE_TRAN_CONTINUE;
401

402
    case TLS_ST_SW_SRVR_HELLO:
M
Matt Caswell 已提交
403 404 405 406
        st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
407
        if (s->hit)
408 409 410
            st->hand_state = TLS_ST_SW_FINISHED;
        else if (send_certificate_request(s))
            st->hand_state = TLS_ST_SW_CERT_REQ;
411
        else
412
            st->hand_state = TLS_ST_SW_CERT;
413

414 415 416
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_REQ:
417
        st->hand_state = TLS_ST_SW_CERT;
418 419
        return WRITE_TRAN_CONTINUE;

420
    case TLS_ST_SW_CERT:
421 422 423 424
        st->hand_state = TLS_ST_SW_CERT_VRFY;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_VRFY:
425
        st->hand_state = TLS_ST_SW_FINISHED;
426 427 428
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
429 430
        st->hand_state = TLS_ST_EARLY_DATA;
        return WRITE_TRAN_CONTINUE;
431

432 433 434
    case TLS_ST_EARLY_DATA:
        return WRITE_TRAN_FINISHED;

435
    case TLS_ST_SR_FINISHED:
436 437 438 439 440 441 442 443 444 445 446
        /*
         * Technically we have finished the handshake at this point, but we're
         * going to remain "in_init" for now and write out the session ticket
         * immediately.
         * TODO(TLS1.3): Perhaps we need to be able to control this behaviour
         * and give the application the opportunity to delay sending the
         * session ticket?
         */
        st->hand_state = TLS_ST_SW_SESSION_TICKET;
        return WRITE_TRAN_CONTINUE;

447
    case TLS_ST_SR_KEY_UPDATE:
448 449 450 451 452 453
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
        /* Fall through */

454
    case TLS_ST_SW_KEY_UPDATE:
455
    case TLS_ST_SW_SESSION_TICKET:
456 457 458 459 460 461 462 463
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
    }
}

/*
 * ossl_statem_server_write_transition() works out what handshake state to move
 * to next when the server is writing messages to be sent to the client.
M
Matt Caswell 已提交
464
 */
465
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
466
{
M
Matt Caswell 已提交
467
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
468

469 470 471 472 473
    /*
     * Note that before the ClientHello we don't know what version we are going
     * to negotiate yet, so we don't take this branch until later
     */

474
    if (SSL_IS_TLS13(s))
475 476
        return ossl_statem_server13_write_transition(s);

477
    switch (st->hand_state) {
R
Rich Salz 已提交
478 479 480 481
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

482 483 484 485 486 487 488
    case TLS_ST_OK:
        if (st->request_state == TLS_ST_SW_HELLO_REQ) {
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            st->request_state = TLS_ST_BEFORE;
            return WRITE_TRAN_CONTINUE;
        }
489 490 491 492 493
        /* Must be an incoming ClientHello */
        if (!tls_setup_handshake(s)) {
            ossl_statem_set_error(s);
            return WRITE_TRAN_ERROR;
        }
494 495
        /* Fall through */

496
    case TLS_ST_BEFORE:
E
Emilia Kasper 已提交
497
        /* Just go straight to trying to read from the client */
498
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
499

500 501 502
    case TLS_ST_SW_HELLO_REQ:
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
503

504 505
    case TLS_ST_SR_CLNT_HELLO:
        if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
E
Emilia Kasper 已提交
506
            && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
507 508 509 510
            st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
        else
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
511

512 513
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
514

515 516
    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
R
Rich Salz 已提交
517
            if (s->ext.ticket_expected)
518 519 520 521 522 523 524
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            else
                st->hand_state = TLS_ST_SW_CHANGE;
        } else {
            /* Check if it is anon DH or anon ECDH, */
            /* normal PSK or SRP */
            if (!(s->s3->tmp.new_cipher->algorithm_auth &
E
Emilia Kasper 已提交
525
                  (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
526 527
                st->hand_state = TLS_ST_SW_CERT;
            } else if (send_server_key_exchange(s)) {
M
Matt Caswell 已提交
528
                st->hand_state = TLS_ST_SW_KEY_EXCH;
529
            } else if (send_certificate_request(s)) {
M
Matt Caswell 已提交
530
                st->hand_state = TLS_ST_SW_CERT_REQ;
531 532
            } else {
                st->hand_state = TLS_ST_SW_SRVR_DONE;
M
Matt Caswell 已提交
533
            }
534 535
        }
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
536

537
    case TLS_ST_SW_CERT:
R
Rich Salz 已提交
538
        if (s->ext.status_expected) {
539
            st->hand_state = TLS_ST_SW_CERT_STATUS;
M
Matt Caswell 已提交
540
            return WRITE_TRAN_CONTINUE;
541 542
        }
        /* Fall through */
M
Matt Caswell 已提交
543

544 545 546
    case TLS_ST_SW_CERT_STATUS:
        if (send_server_key_exchange(s)) {
            st->hand_state = TLS_ST_SW_KEY_EXCH;
M
Matt Caswell 已提交
547
            return WRITE_TRAN_CONTINUE;
548 549
        }
        /* Fall through */
M
Matt Caswell 已提交
550

551 552 553
    case TLS_ST_SW_KEY_EXCH:
        if (send_certificate_request(s)) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
M
Matt Caswell 已提交
554
            return WRITE_TRAN_CONTINUE;
555 556
        }
        /* Fall through */
M
Matt Caswell 已提交
557

558 559 560
    case TLS_ST_SW_CERT_REQ:
        st->hand_state = TLS_ST_SW_SRVR_DONE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
561

562 563 564 565 566
    case TLS_ST_SW_SRVR_DONE:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        if (s->hit) {
M
Matt Caswell 已提交
567 568
            st->hand_state = TLS_ST_OK;
            return WRITE_TRAN_CONTINUE;
R
Rich Salz 已提交
569
        } else if (s->ext.ticket_expected) {
570 571 572 573 574 575 576 577 578
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        } else {
            st->hand_state = TLS_ST_SW_CHANGE;
        }
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        st->hand_state = TLS_ST_SW_CHANGE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
579

580 581 582 583 584 585 586 587 588 589
    case TLS_ST_SW_CHANGE:
        st->hand_state = TLS_ST_SW_FINISHED;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
        if (s->hit) {
            return WRITE_TRAN_FINISHED;
        }
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
590 591 592 593 594 595 596
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
597
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
598
{
M
Matt Caswell 已提交
599
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
600

601
    switch (st->hand_state) {
R
Rich Salz 已提交
602 603 604 605
    default:
        /* No pre work to be done */
        break;

M
Matt Caswell 已提交
606 607 608
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
609
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
610 611 612 613 614
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
615
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
616 617 618 619 620 621 622 623
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
F
FdaSilvaYY 已提交
624
             * Messages we write from now on should be buffered and
M
Matt Caswell 已提交
625 626 627 628 629 630 631 632 633 634 635 636 637 638
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
639 640 641 642 643 644 645 646
        if (SSL_IS_TLS13(s)) {
            /*
             * Actually this is the end of the handshake, but we're going
             * straight into writing the session ticket out. So we finish off
             * the handshake, but keep the various buffers active.
             */
            return tls_finish_handshake(s, wst, 0);
        } if (SSL_IS_DTLS(s)) {
M
Matt Caswell 已提交
647 648 649 650 651 652 653 654 655 656 657
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
M
Matt Caswell 已提交
658
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
659 660 661 662 663 664 665 666 667 668 669 670 671
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

672
    case TLS_ST_EARLY_DATA:
673 674 675 676
        if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING)
            return WORK_FINISHED_CONTINUE;
        /* Fall through */

M
Matt Caswell 已提交
677
    case TLS_ST_OK:
678
        return tls_finish_handshake(s, wst, 1);
M
Matt Caswell 已提交
679 680 681 682 683 684 685 686 687
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
688
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
689
{
M
Matt Caswell 已提交
690
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
691 692 693

    s->init_num = 0;

694
    switch (st->hand_state) {
R
Rich Salz 已提交
695 696 697 698
    default:
        /* No post work to be done */
        break;

699 700 701 702 703
    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

M
Matt Caswell 已提交
704 705 706
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
707 708 709 710
        if (!ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
711 712 713 714 715 716
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
717 718 719 720
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
738 739
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
740 741

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
742 743 744
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
745
                ossl_statem_set_error(s);
M
Matt Caswell 已提交
746 747 748 749 750 751 752
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
753 754 755 756 757 758 759 760 761
        /*
         * TODO(TLS1.3): This actually causes a problem. We don't yet know
         * whether the next record we are going to receive is an unencrypted
         * alert, or an encrypted handshake message. We're going to need
         * something clever in the record layer for this.
         */
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->setup_key_block(s)
                || !s->method->ssl3_enc->change_cipher_state(s,
762 763 764 765 766
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE))
                return WORK_ERROR;

            if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
                && !s->method->ssl3_enc->change_cipher_state(s,
767
                        SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ))
768
                return WORK_ERROR;
769
        }
M
Matt Caswell 已提交
770 771 772 773 774 775 776 777 778 779 780 781 782 783
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
E
Emilia Kasper 已提交
784 785
                                                      SSL3_CHANGE_CIPHER_SERVER_WRITE))
        {
M
Matt Caswell 已提交
786
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
812 813
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->generate_master_secret(s,
814
                        s->master_secret, s->handshake_secret, 0,
815 816 817 818 819
                        &s->session->master_key_length)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
820
        break;
821

822
    case TLS_ST_SW_KEY_UPDATE:
823 824 825 826 827 828
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        if (!tls13_update_key(s, 1))
            return WORK_ERROR;
        break;

829 830 831 832
    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
            return WORK_MORE_A;
        break;
M
Matt Caswell 已提交
833 834 835 836 837 838
    }

    return WORK_FINISHED_CONTINUE;
}

/*
839 840
 * Get the message construction function and message type for sending from the
 * server
M
Matt Caswell 已提交
841 842 843 844 845
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
846
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
847
                                         confunc_f *confunc, int *mt)
M
Matt Caswell 已提交
848
{
M
Matt Caswell 已提交
849
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
850

851 852 853 854 855 856
    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return 0;

    case TLS_ST_SW_CHANGE:
857
        if (SSL_IS_DTLS(s))
858
            *confunc = dtls_construct_change_cipher_spec;
859
        else
860 861
            *confunc = tls_construct_change_cipher_spec;
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
862
        break;
R
Rich Salz 已提交
863

864
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
865 866
        *confunc = dtls_construct_hello_verify_request;
        *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
867
        break;
M
Matt Caswell 已提交
868

869 870
    case TLS_ST_SW_HELLO_REQ:
        /* No construction function needed */
871 872
        *confunc = NULL;
        *mt = SSL3_MT_HELLO_REQUEST;
873
        break;
M
Matt Caswell 已提交
874

875
    case TLS_ST_SW_SRVR_HELLO:
876 877
        *confunc = tls_construct_server_hello;
        *mt = SSL3_MT_SERVER_HELLO;
878
        break;
M
Matt Caswell 已提交
879

880
    case TLS_ST_SW_CERT:
881 882
        *confunc = tls_construct_server_certificate;
        *mt = SSL3_MT_CERTIFICATE;
883
        break;
M
Matt Caswell 已提交
884

885 886 887 888 889 890
    case TLS_ST_SW_CERT_VRFY:
        *confunc = tls_construct_cert_verify;
        *mt = SSL3_MT_CERTIFICATE_VERIFY;
        break;


891
    case TLS_ST_SW_KEY_EXCH:
892 893
        *confunc = tls_construct_server_key_exchange;
        *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
894
        break;
M
Matt Caswell 已提交
895

896
    case TLS_ST_SW_CERT_REQ:
897 898
        *confunc = tls_construct_certificate_request;
        *mt = SSL3_MT_CERTIFICATE_REQUEST;
899
        break;
M
Matt Caswell 已提交
900

901
    case TLS_ST_SW_SRVR_DONE:
902 903
        *confunc = tls_construct_server_done;
        *mt = SSL3_MT_SERVER_DONE;
904
        break;
M
Matt Caswell 已提交
905

906
    case TLS_ST_SW_SESSION_TICKET:
907 908
        *confunc = tls_construct_new_session_ticket;
        *mt = SSL3_MT_NEWSESSION_TICKET;
909
        break;
M
Matt Caswell 已提交
910

911
    case TLS_ST_SW_CERT_STATUS:
912 913
        *confunc = tls_construct_cert_status;
        *mt = SSL3_MT_CERTIFICATE_STATUS;
914
        break;
M
Matt Caswell 已提交
915

916
    case TLS_ST_SW_FINISHED:
917 918
        *confunc = tls_construct_finished;
        *mt = SSL3_MT_FINISHED;
919
        break;
M
Matt Caswell 已提交
920

921 922 923 924 925
    case TLS_ST_EARLY_DATA:
        *confunc = NULL;
        *mt = SSL3_MT_DUMMY;
        break;

M
Matt Caswell 已提交
926 927 928 929
    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        *confunc = tls_construct_encrypted_extensions;
        *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
        break;
930 931 932 933 934

    case TLS_ST_SW_HELLO_RETRY_REQUEST:
        *confunc = tls_construct_hello_retry_request;
        *mt = SSL3_MT_HELLO_RETRY_REQUEST;
        break;
935 936 937 938 939

    case TLS_ST_SW_KEY_UPDATE:
        *confunc = tls_construct_key_update;
        *mt = SSL3_MT_KEY_UPDATE;
        break;
940
    }
M
Matt Caswell 已提交
941

942
    return 1;
M
Matt Caswell 已提交
943 944
}

945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961
/*
 * Maximum size (excluding the Handshake header) of a ClientHello message,
 * calculated as follows:
 *
 *  2 + # client_version
 *  32 + # only valid length for random
 *  1 + # length of session_id
 *  32 + # maximum size for session_id
 *  2 + # length of cipher suites
 *  2^16-2 + # maximum length of cipher suites array
 *  1 + # length of compression_methods
 *  2^8-1 + # maximum length of compression methods
 *  2 + # length of extensions
 *  2^16-1 # maximum length of extensions
 */
#define CLIENT_HELLO_MAX_LENGTH         131396

M
Matt Caswell 已提交
962 963 964 965 966 967 968
#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
969
size_t ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
970
{
M
Matt Caswell 已提交
971
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
972

973
    switch (st->hand_state) {
R
Rich Salz 已提交
974 975 976 977
    default:
        /* Shouldn't happen */
        return 0;

M
Matt Caswell 已提交
978
    case TLS_ST_SR_CLNT_HELLO:
979
        return CLIENT_HELLO_MAX_LENGTH;
M
Matt Caswell 已提交
980

981 982 983
    case TLS_ST_SR_END_OF_EARLY_DATA:
        return END_OF_EARLY_DATA_MAX_LENGTH;

M
Matt Caswell 已提交
984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002
    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;
1003 1004 1005

    case TLS_ST_SR_KEY_UPDATE:
        return KEY_UPDATE_MAX_LENGTH;
M
Matt Caswell 已提交
1006 1007 1008 1009 1010 1011
    }
}

/*
 * Process a message that the server has received from the client.
 */
1012
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1013
{
M
Matt Caswell 已提交
1014
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1015

1016
    switch (st->hand_state) {
R
Rich Salz 已提交
1017 1018 1019 1020
    default:
        /* Shouldn't happen */
        return MSG_PROCESS_ERROR;

M
Matt Caswell 已提交
1021 1022 1023
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

1024 1025 1026
    case TLS_ST_SR_END_OF_EARLY_DATA:
        return tls_process_end_of_early_data(s, pkt);

M
Matt Caswell 已提交
1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045
    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);
1046 1047 1048 1049

    case TLS_ST_SR_KEY_UPDATE:
        return tls_process_key_update(s, pkt);

M
Matt Caswell 已提交
1050 1051 1052 1053 1054 1055 1056
    }
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
1057
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1058
{
M
Matt Caswell 已提交
1059
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1060

1061
    switch (st->hand_state) {
R
Rich Salz 已提交
1062 1063 1064 1065
    default:
        /* Shouldn't happen */
        return WORK_ERROR;

M
Matt Caswell 已提交
1066 1067 1068 1069 1070 1071
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);
    }
1072
    return WORK_FINISHED_CONTINUE;
M
Matt Caswell 已提交
1073 1074
}

B
Ben Laurie 已提交
1075
#ifndef OPENSSL_NO_SRP
1076
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
1097 1098
#endif

1099
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
M
Matt Caswell 已提交
1100
                                  size_t cookie_len)
M
Matt Caswell 已提交
1101 1102
{
    /* Always use DTLS 1.0 version: see RFC 6347 */
1103 1104 1105
    if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
            || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
        return 0;
M
Matt Caswell 已提交
1106

1107
    return 1;
M
Matt Caswell 已提交
1108 1109
}

1110
int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1111
{
M
Matt Caswell 已提交
1112
    unsigned int cookie_leni;
M
Matt Caswell 已提交
1113 1114
    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
M
Matt Caswell 已提交
1115 1116
                                  &cookie_leni) == 0 ||
        cookie_leni > 255) {
M
Matt Caswell 已提交
1117
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
M
Matt Caswell 已提交
1118 1119 1120
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
        return 0;
    }
M
Matt Caswell 已提交
1121
    s->d1->cookie_len = cookie_leni;
M
Matt Caswell 已提交
1122

1123 1124
    if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
                                              s->d1->cookie_len)) {
1125 1126 1127
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
1128 1129 1130 1131

    return 1;
}

1132 1133 1134 1135 1136 1137 1138 1139
#ifndef OPENSSL_NO_EC
/*-
 * ssl_check_for_safari attempts to fingerprint Safari using OS X
 * SecureTransport using the TLS extension block in |hello|.
 * Safari, since 10.6, sends exactly these extensions, in this order:
 *   SNI,
 *   elliptic_curves
 *   ec_point_formats
1140
 *   signature_algorithms (for TLSv1.2 only)
1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172
 *
 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 * 10.8..10.8.3 (which don't work).
 */
static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
{
    static const unsigned char kSafariExtensionsBlock[] = {
        0x00, 0x0a,             /* elliptic_curves extension */
        0x00, 0x08,             /* 8 bytes */
        0x00, 0x06,             /* 6 bytes of curve ids */
        0x00, 0x17,             /* P-256 */
        0x00, 0x18,             /* P-384 */
        0x00, 0x19,             /* P-521 */

        0x00, 0x0b,             /* ec_point_formats */
        0x00, 0x02,             /* 2 bytes */
        0x01,                   /* 1 point format */
        0x00,                   /* uncompressed */
        /* The following is only present in TLS 1.2 */
        0x00, 0x0d,             /* signature_algorithms */
        0x00, 0x0c,             /* 12 bytes */
        0x00, 0x0a,             /* 10 bytes */
        0x05, 0x01,             /* SHA-384/RSA */
        0x04, 0x01,             /* SHA-256/RSA */
        0x02, 0x01,             /* SHA-1/RSA */
        0x04, 0x03,             /* SHA-256/ECDSA */
        0x02, 0x03,             /* SHA-1/ECDSA */
    };
    /* Length of the common prefix (first two extensions). */
    static const size_t kSafariCommonExtensionsLength = 18;
1173 1174 1175
    unsigned int type;
    PACKET sni, tmppkt;
    size_t ext_len;
1176 1177 1178 1179 1180 1181 1182

    tmppkt = hello->extensions;

    if (!PACKET_forward(&tmppkt, 2)
        || !PACKET_get_net_2(&tmppkt, &type)
        || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
        return;
1183 1184
    }

1185 1186 1187 1188 1189 1190 1191 1192
    if (type != TLSEXT_TYPE_server_name)
        return;

    ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
        sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;

    s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
                                             ext_len);
1193
}
1194
#endif                          /* !OPENSSL_NO_EC */
1195

M
Matt Caswell 已提交
1196
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1197
{
B
Benjamin Kaduk 已提交
1198
    int al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1199
    /* |cookie| will only be initialized for DTLS. */
1200
    PACKET session_id, compression, extensions, cookie;
M
Matt Caswell 已提交
1201
    static const unsigned char null_compression = 0;
B
Benjamin Kaduk 已提交
1202
    CLIENTHELLO_MSG *clienthello;
M
Matt Caswell 已提交
1203

B
Benjamin Kaduk 已提交
1204 1205 1206 1207 1208
    clienthello = OPENSSL_zalloc(sizeof(*clienthello));
    if (clienthello == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
        goto err;
    }
1209 1210
    /* Check if this is actually an unexpected renegotiation ClientHello */
    if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
T
Todd Short 已提交
1211 1212 1213 1214
        if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
            ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
            goto err;
        }
1215 1216 1217 1218
        s->renegotiate = 1;
        s->new_session = 1;
    }

1219
    /*
1220
     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1221
     */
B
Benjamin Kaduk 已提交
1222
    clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
E
Emilia Kasper 已提交
1223
    PACKET_null_init(&cookie);
1224

B
Benjamin Kaduk 已提交
1225
    if (clienthello->isv2) {
M
Matt Caswell 已提交
1226
        unsigned int mt;
1227

1228
        if (!SSL_IS_FIRST_HANDSHAKE(s) || s->hello_retry_request) {
1229
            al = SSL_AD_UNEXPECTED_MESSAGE;
1230 1231 1232 1233
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
            goto f_err;
        }

1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

1249
        if (!PACKET_get_1(pkt, &mt)
E
Emilia Kasper 已提交
1250
            || mt != SSL2_MT_CLIENT_HELLO) {
1251 1252 1253 1254 1255
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
1256
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1257
            goto err;
1258 1259 1260
        }
    }

B
Benjamin Kaduk 已提交
1261
    if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
1262 1263 1264
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
        goto err;
1265 1266
    }

1267
    /* Parse the message and load client random. */
B
Benjamin Kaduk 已提交
1268
    if (clienthello->isv2) {
1269 1270 1271
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
1272
         * Real SSLv2 is not supported, and is rejected below.
1273
         */
1274
        unsigned int ciphersuite_len, session_id_len, challenge_len;
1275
        PACKET challenge;
1276

1277
        if (!PACKET_get_net_2(pkt, &ciphersuite_len)
E
Emilia Kasper 已提交
1278 1279
            || !PACKET_get_net_2(pkt, &session_id_len)
            || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
1280 1281
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1282 1283
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1284
        }
1285

1286
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
1287
            al = SSL_AD_ILLEGAL_PARAMETER;
1288 1289 1290 1291
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

B
Benjamin Kaduk 已提交
1292
        if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
1293
                                   ciphersuite_len)
B
Benjamin Kaduk 已提交
1294
            || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
1295
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1296
            /* No extensions. */
1297
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1298 1299
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1300 1301 1302
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
B
Benjamin Kaduk 已提交
1303
        clienthello->session_id_len = session_id_len;
M
Matt Caswell 已提交
1304

1305
        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
B
Benjamin Kaduk 已提交
1306
         * here rather than sizeof(clienthello->random) because that is the limit
1307
         * for SSLv3 and it is fixed. It won't change even if
B
Benjamin Kaduk 已提交
1308
         * sizeof(clienthello->random) does.
1309 1310 1311
         */
        challenge_len = challenge_len > SSL3_RANDOM_SIZE
                        ? SSL3_RANDOM_SIZE : challenge_len;
B
Benjamin Kaduk 已提交
1312
        memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
1313
        if (!PACKET_copy_bytes(&challenge,
B
Benjamin Kaduk 已提交
1314
                               clienthello->random + SSL3_RANDOM_SIZE -
D
David Benjamin 已提交
1315 1316 1317
                               challenge_len, challenge_len)
            /* Advertise only null compression. */
            || !PACKET_buf_init(&compression, &null_compression, 1)) {
M
Matt Caswell 已提交
1318
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1319
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1320 1321
            goto f_err;
        }
1322

B
Benjamin Kaduk 已提交
1323
        PACKET_null_init(&clienthello->extensions);
1324
    } else {
1325
        /* Regular ClientHello. */
B
Benjamin Kaduk 已提交
1326
        if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
1327
            || !PACKET_get_length_prefixed_1(pkt, &session_id)
B
Benjamin Kaduk 已提交
1328
            || !PACKET_copy_all(&session_id, clienthello->session_id,
1329
                    SSL_MAX_SSL_SESSION_ID_LENGTH,
B
Benjamin Kaduk 已提交
1330
                    &clienthello->session_id_len)) {
M
Matt Caswell 已提交
1331
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1332
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1333 1334
            goto f_err;
        }
1335

1336
        if (SSL_IS_DTLS(s)) {
1337
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1338
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1339
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1340 1341
                goto f_err;
            }
B
Benjamin Kaduk 已提交
1342
            if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
1343
                                 DTLS1_COOKIE_LENGTH,
B
Benjamin Kaduk 已提交
1344
                                 &clienthello->dtls_cookie_len)) {
1345 1346
                al = SSL_AD_INTERNAL_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1347 1348
                goto f_err;
            }
1349 1350 1351 1352 1353 1354
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
B
Benjamin Kaduk 已提交
1355
                if (clienthello->dtls_cookie_len == 0)
E
Emilia Kasper 已提交
1356
                    return 1;
1357
            }
1358
        }
1359

B
Benjamin Kaduk 已提交
1360
        if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
1361 1362 1363 1364 1365
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1366
        if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
E
Emilia Kasper 已提交
1367 1368 1369
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
1370
        }
1371

1372
        /* Could be empty. */
1373
        if (PACKET_remaining(pkt) == 0) {
B
Benjamin Kaduk 已提交
1374
            PACKET_null_init(&clienthello->extensions);
1375
        } else {
1376 1377
            if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
                    || PACKET_remaining(pkt) != 0) {
1378 1379 1380 1381 1382 1383 1384
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
        }
    }

B
Benjamin Kaduk 已提交
1385
    if (!PACKET_copy_all(&compression, clienthello->compressions,
1386
                         MAX_COMPRESSIONS_SIZE,
B
Benjamin Kaduk 已提交
1387
                         &clienthello->compressions_len)) {
1388 1389
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1390 1391 1392
        goto f_err;
    }

1393
    /* Preserve the raw extensions PACKET for later use */
B
Benjamin Kaduk 已提交
1394
    extensions = clienthello->extensions;
1395
    if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
B
Benjamin Kaduk 已提交
1396
                                &clienthello->pre_proc_exts, &al,
1397
                                &clienthello->pre_proc_exts_len, 1)) {
1398 1399 1400
        /* SSLerr already been called */
        goto f_err;
    }
B
Benjamin Kaduk 已提交
1401
    s->clienthello = clienthello;
1402

B
Benjamin Kaduk 已提交
1403 1404 1405 1406 1407 1408
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
    ossl_statem_set_error(s);

1409 1410
    if (clienthello != NULL)
        OPENSSL_free(clienthello->pre_proc_exts);
B
Benjamin Kaduk 已提交
1411 1412 1413 1414 1415
    OPENSSL_free(clienthello);

    return MSG_PROCESS_ERROR;
}

1416
static int tls_early_post_process_client_hello(SSL *s, int *pal)
B
Benjamin Kaduk 已提交
1417 1418
{
    unsigned int j;
1419
    int i, al = SSL_AD_INTERNAL_ERROR;
B
Benjamin Kaduk 已提交
1420 1421 1422 1423 1424 1425 1426 1427 1428 1429
    int protverr;
    size_t loop;
    unsigned long id;
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
    STACK_OF(SSL_CIPHER) *scsvs = NULL;
    CLIENTHELLO_MSG *clienthello = s->clienthello;
1430
    DOWNGRADE dgrd = DOWNGRADE_NONE;
B
Benjamin Kaduk 已提交
1431

1432
    /* Finished parsing the ClientHello, now we can start processing it */
B
Benjamin Kaduk 已提交
1433 1434 1435 1436
    /* Give the early callback a crack at things */
    if (s->ctx->early_cb != NULL) {
        int code;
        /* A failure in the early callback terminates the connection. */
1437
        code = s->ctx->early_cb(s, &al, s->ctx->early_cb_arg);
B
Benjamin Kaduk 已提交
1438 1439 1440 1441 1442 1443 1444
        if (code == 0)
            goto err;
        if (code < 0) {
            s->rwstate = SSL_EARLY_WORK;
            return code;
        }
    }
1445 1446

    /* Set up the client_random */
B
Benjamin Kaduk 已提交
1447
    memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
1448 1449 1450

    /* Choose the version */

B
Benjamin Kaduk 已提交
1451 1452 1453
    if (clienthello->isv2) {
        if (clienthello->legacy_version == SSL2_VERSION
                || (clienthello->legacy_version & 0xff00)
1454 1455 1456 1457 1458
                   != (SSL3_VERSION_MAJOR << 8)) {
            /*
             * This is real SSLv2 or something complete unknown. We don't
             * support it.
             */
B
Benjamin Kaduk 已提交
1459
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
1460 1461
            goto err;
        }
1462
        /* SSLv3/TLS */
B
Benjamin Kaduk 已提交
1463
        s->client_version = clienthello->legacy_version;
1464 1465 1466 1467 1468 1469
    }
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
    if (!SSL_IS_DTLS(s)) {
1470
        protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1471
    } else if (s->method->version != DTLS_ANY_VERSION &&
B
Benjamin Kaduk 已提交
1472
               DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
1473 1474 1475 1476 1477 1478
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
        protverr = 0;
    }

    if (protverr) {
B
Benjamin Kaduk 已提交
1479
        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
1480
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
1481
            /* like ssl3_get_record, send alert using remote version number */
B
Benjamin Kaduk 已提交
1482
            s->version = s->client_version = clienthello->legacy_version;
1483
        }
1484
        al = SSL_AD_PROTOCOL_VERSION;
B
Benjamin Kaduk 已提交
1485
        goto err;
1486 1487
    }

M
Matt Caswell 已提交
1488
    /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
1489
    if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1490
        al = SSL_AD_UNEXPECTED_MESSAGE;
1491 1492 1493 1494 1495
        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
               SSL_R_NOT_ON_RECORD_BOUNDARY);
        goto err;
    }

1496 1497 1498 1499
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
B
Benjamin Kaduk 已提交
1500 1501
                if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
                        clienthello->dtls_cookie_len) == 0) {
1502
                    al = SSL_AD_HANDSHAKE_FAILURE;
B
Benjamin Kaduk 已提交
1503
                    SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1504
                           SSL_R_COOKIE_MISMATCH);
B
Benjamin Kaduk 已提交
1505
                    goto err;
1506 1507
                    /* else cookie verification succeeded */
                }
E
Emilia Kasper 已提交
1508
                /* default verification */
B
Benjamin Kaduk 已提交
1509 1510
            } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
                    || memcmp(clienthello->dtls_cookie, s->d1->cookie,
1511
                              s->d1->cookie_len) != 0) {
1512
                al = SSL_AD_HANDSHAKE_FAILURE;
B
Benjamin Kaduk 已提交
1513 1514
                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                goto err;
1515 1516 1517 1518
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
1519
            protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1520
            if (protverr != 0) {
B
Benjamin Kaduk 已提交
1521
                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
1522
                s->version = s->client_version;
1523
                al = SSL_AD_PROTOCOL_VERSION;
B
Benjamin Kaduk 已提交
1524
                goto err;
1525 1526 1527 1528
            }
        }
    }

1529 1530
    s->hit = 0;

1531 1532 1533 1534 1535 1536 1537 1538 1539 1540 1541 1542 1543 1544 1545 1546 1547 1548 1549 1550 1551 1552 1553 1554 1555 1556 1557 1558 1559 1560 1561 1562 1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574 1575 1576 1577 1578 1579
    if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
                              clienthello->isv2, &al) ||
        !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
                             clienthello->isv2, &al)) {
        goto err;
    }

    s->s3->send_connection_binding = 0;
    /* Check what signalling cipher-suite values were received. */
    if (scsvs != NULL) {
        for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
            c = sk_SSL_CIPHER_value(scsvs, i);
            if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
                if (s->renegotiate) {
                    /* SCSV is fatal if renegotiating */
                    SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    goto err;
                }
                s->s3->send_connection_binding = 1;
            } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
                       !ssl_check_version_downgrade(s)) {
                /*
                 * This SCSV indicates that the client previously tried
                 * a higher version.  We should fail if the current version
                 * is an unexpected downgrade, as that indicates that the first
                 * connection may have been tampered with in order to trigger
                 * an insecure downgrade.
                 */
                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_INAPPROPRIATE_FALLBACK);
                al = SSL_AD_INAPPROPRIATE_FALLBACK;
                goto err;
            }
        }
    }

    /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
    if (SSL_IS_TLS13(s)) {
        const SSL_CIPHER *cipher =
            ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));

        if (cipher == NULL) {
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                   SSL_R_NO_SHARED_CIPHER);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto err;
        }
1580 1581 1582
        if (s->hello_retry_request
                && (s->s3->tmp.new_cipher == NULL
                    || s->s3->tmp.new_cipher->id != cipher->id)) {
1583 1584 1585 1586 1587 1588 1589 1590 1591 1592 1593
            /*
             * A previous HRR picked a different ciphersuite to the one we
             * just selected. Something must have changed.
             */
            al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_BAD_CIPHER);
            goto err;
        }
        s->s3->tmp.new_cipher = cipher;
    }

1594
    /* We need to do this before getting the session */
1595
    if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
1596
                             SSL_EXT_CLIENT_HELLO,
1597
                             clienthello->pre_proc_exts, NULL, 0, &al)) {
B
Benjamin Kaduk 已提交
1598 1599
        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
        goto err;
1600 1601
    }

1602 1603 1604 1605 1606 1607 1608 1609 1610 1611 1612 1613 1614 1615 1616 1617
    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
B
Benjamin Kaduk 已提交
1618
    if (clienthello->isv2 ||
1619 1620 1621 1622 1623
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
1624
        i = ssl_get_prev_session(s, clienthello, &al);
1625
        if (i == 1) {
1626 1627 1628
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
B
Benjamin Kaduk 已提交
1629
            goto err;
1630
        } else {
1631 1632
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1633
                goto err;
1634
        }
1635
    }
1636

1637
    /*
1638 1639
     * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
     * ciphersuite compatibility with the session as part of resumption.
1640 1641
     */
    if (!SSL_IS_TLS13(s) && s->hit) {
1642 1643
        j = 0;
        id = s->session->cipher->id;
1644

1645
#ifdef CIPHER_DEBUG
E
Emilia Kasper 已提交
1646
        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
1647
#endif
1648 1649
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1650
#ifdef CIPHER_DEBUG
1651 1652
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1653
#endif
1654 1655 1656
            if (c->id == id) {
                j = 1;
                break;
1657
            }
1658
        }
1659
        if (j == 0) {
1660
            /*
1661 1662
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1663
             */
1664
            al = SSL_AD_ILLEGAL_PARAMETER;
B
Benjamin Kaduk 已提交
1665
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1666
                   SSL_R_REQUIRED_CIPHER_MISSING);
B
Benjamin Kaduk 已提交
1667
            goto err;
1668
        }
1669
    }
M
Matt Caswell 已提交
1670

B
Benjamin Kaduk 已提交
1671 1672
    for (loop = 0; loop < clienthello->compressions_len; loop++) {
        if (clienthello->compressions[loop] == 0)
1673
            break;
1674
    }
1675

B
Benjamin Kaduk 已提交
1676
    if (loop >= clienthello->compressions_len) {
1677
        /* no compress */
1678
        al = SSL_AD_DECODE_ERROR;
B
Benjamin Kaduk 已提交
1679 1680
        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
        goto err;
1681
    }
1682

1683 1684
#ifndef OPENSSL_NO_EC
    if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
B
Benjamin Kaduk 已提交
1685
        ssl_check_for_safari(s, clienthello);
1686 1687
#endif                          /* !OPENSSL_NO_EC */

1688
    /* TLS extensions */
1689
    if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
1690
                                  clienthello->pre_proc_exts, NULL, 0, &al, 1)) {
B
Benjamin Kaduk 已提交
1691 1692
        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
        goto err;
1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
1704
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
B
Benjamin Kaduk 已提交
1705
            goto err;
1706 1707 1708
        }
    }

1709 1710 1711 1712 1713
    if (!s->hit
            && s->version >= TLS1_VERSION
            && !SSL_IS_TLS13(s)
            && !SSL_IS_DTLS(s)
            && s->ext.session_secret_cb) {
1714
        const SSL_CIPHER *pref_cipher = NULL;
1715 1716 1717 1718 1719
        /*
         * s->session->master_key_length is a size_t, but this is an int for
         * backwards compat reasons
         */
        int master_key_length;
1720

1721
        master_key_length = sizeof(s->session->master_key);
R
Rich Salz 已提交
1722
        if (s->ext.session_secret_cb(s, s->session->master_key,
1723
                                     &master_key_length, ciphers,
1724
                                     &pref_cipher,
R
Rich Salz 已提交
1725
                                     s->ext.session_secret_cb_arg)
1726 1727
                && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
1728 1729 1730 1731 1732 1733 1734
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
D
Dr. Stephen Henson 已提交
1735 1736 1737
            if (pref_cipher == NULL)
                pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
                                                 SSL_get_ciphers(s));
1738
            if (pref_cipher == NULL) {
1739
                al = SSL_AD_HANDSHAKE_FAILURE;
B
Benjamin Kaduk 已提交
1740 1741
                SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
                goto err;
1742 1743 1744
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1745
            sk_SSL_CIPHER_free(s->cipher_list);
1746
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1747
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1748 1749 1750
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1751

1752 1753
    /*
     * Worst case, we will use the NULL compression, but if we have other
1754
     * options, we will now look for them.  We have complen-1 compression
1755 1756 1757
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770
    if (SSL_IS_TLS13(s)) {
        /*
         * We already checked above that the NULL compression method appears in
         * the list. Now we check there aren't any others (which is illegal in
         * a TLSv1.3 ClientHello.
         */
        if (clienthello->compressions_len != 1) {
            al = SSL_AD_ILLEGAL_PARAMETER;
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto err;
        }
    }
1771
#ifndef OPENSSL_NO_COMP
1772
    /* This only happens if we have a cache hit */
1773
    else if (s->session->compress_meth != 0) {
1774
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1775
        unsigned int k;
1776 1777 1778
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
B
Benjamin Kaduk 已提交
1779
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1780
                   SSL_R_INCONSISTENT_COMPRESSION);
B
Benjamin Kaduk 已提交
1781
            goto err;
1782 1783 1784 1785 1786 1787 1788 1789 1790 1791
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
B
Benjamin Kaduk 已提交
1792
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
1793
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
B
Benjamin Kaduk 已提交
1794
            goto err;
1795 1796
        }
        /* Look for resumed method in compression list */
B
Benjamin Kaduk 已提交
1797 1798
        for (k = 0; k < clienthello->compressions_len; k++) {
            if (clienthello->compressions[k] == comp_id)
1799 1800
                break;
        }
B
Benjamin Kaduk 已提交
1801
        if (k >= clienthello->compressions_len) {
1802
            al = SSL_AD_ILLEGAL_PARAMETER;
B
Benjamin Kaduk 已提交
1803
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
F
FdaSilvaYY 已提交
1804
                   SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
B
Benjamin Kaduk 已提交
1805
            goto err;
1806
        }
1807
    } else if (s->hit) {
1808
        comp = NULL;
1809
    } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1810
        /* See if we have a match */
M
Matt Caswell 已提交
1811 1812
        int m, nn, v, done = 0;
        unsigned int o;
1813 1814 1815 1816 1817

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
B
Benjamin Kaduk 已提交
1818 1819
            for (o = 0; o < clienthello->compressions_len; o++) {
                if (v == clienthello->compressions[o]) {
1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1832
#else
1833 1834 1835 1836 1837
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
B
Benjamin Kaduk 已提交
1838 1839
        SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
        goto err;
1840
    }
1841
#endif
1842

1843 1844 1845
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1846

1847
    if (!s->hit || SSL_IS_TLS13(s)) {
R
Rich Salz 已提交
1848
        sk_SSL_CIPHER_free(s->session->ciphers);
1849 1850
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1851
            al = SSL_AD_INTERNAL_ERROR;
B
Benjamin Kaduk 已提交
1852 1853
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
            goto err;
1854 1855
        }
        ciphers = NULL;
1856 1857 1858 1859 1860 1861 1862 1863
    }

    if (!s->hit) {
#ifdef OPENSSL_NO_COMP
        s->session->compress_meth = 0;
#else
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
#endif
1864
        if (!tls1_set_server_sigalgs(s)) {
B
Benjamin Kaduk 已提交
1865
            SSLerr(SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1866 1867
            goto err;
        }
M
Matt Caswell 已提交
1868 1869 1870
    }

    sk_SSL_CIPHER_free(ciphers);
B
Benjamin Kaduk 已提交
1871 1872 1873 1874 1875
    sk_SSL_CIPHER_free(scsvs);
    OPENSSL_free(clienthello->pre_proc_exts);
    OPENSSL_free(s->clienthello);
    s->clienthello = NULL;
    return 1;
M
Matt Caswell 已提交
1876
 err:
M
Matt Caswell 已提交
1877
    ossl_statem_set_error(s);
1878
    *pal = al;
M
Matt Caswell 已提交
1879 1880

    sk_SSL_CIPHER_free(ciphers);
B
Benjamin Kaduk 已提交
1881 1882 1883 1884
    sk_SSL_CIPHER_free(scsvs);
    OPENSSL_free(clienthello->pre_proc_exts);
    OPENSSL_free(s->clienthello);
    s->clienthello = NULL;
M
Matt Caswell 已提交
1885

B
Benjamin Kaduk 已提交
1886
    return 0;
M
Matt Caswell 已提交
1887 1888
}

1889 1890
/*
 * Call the status request callback if needed. Upon success, returns 1.
1891
 * Upon failure, returns 0 and sets |*al| to the appropriate fatal alert.
1892 1893 1894
 */
static int tls_handle_status_request(SSL *s, int *al)
{
R
Rich Salz 已提交
1895
    s->ext.status_expected = 0;
1896 1897 1898 1899 1900 1901 1902

    /*
     * If status request then ask callback what to do. Note: this must be
     * called after servername callbacks in case the certificate has changed,
     * and must be called after the cipher has been chosen because this may
     * influence which certificate is sent
     */
R
Rich Salz 已提交
1903 1904
    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
            && s->ctx->ext.status_cb != NULL) {
1905
        int ret;
1906

1907
        /* If no certificate can't return certificate status */
1908
        if (s->s3->tmp.cert != NULL) {
1909 1910 1911 1912
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
1913
            s->cert->key = s->s3->tmp.cert;
R
Rich Salz 已提交
1914
            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
1915 1916 1917
            switch (ret) {
                /* We don't want to send a status request response */
            case SSL_TLSEXT_ERR_NOACK:
R
Rich Salz 已提交
1918
                s->ext.status_expected = 0;
1919 1920 1921
                break;
                /* status request response should be sent */
            case SSL_TLSEXT_ERR_OK:
R
Rich Salz 已提交
1922 1923
                if (s->ext.ocsp.resp)
                    s->ext.status_expected = 1;
1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936
                break;
                /* something bad happened */
            case SSL_TLSEXT_ERR_ALERT_FATAL:
            default:
                *al = SSL_AD_INTERNAL_ERROR;
                return 0;
            }
        }
    }

    return 1;
}

M
Matt Caswell 已提交
1937
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1938
{
M
Matt Caswell 已提交
1939
    int al = SSL_AD_HANDSHAKE_FAILURE;
1940
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
1941 1942

    if (wst == WORK_MORE_A) {
B
Benjamin Kaduk 已提交
1943 1944 1945 1946 1947 1948 1949 1950 1951 1952
        int rv = tls_early_post_process_client_hello(s, &al);
        if (rv == 0) {
            /* SSLErr() was already called */
            goto f_err;
        }
        if (rv < 0)
            return WORK_MORE_A;
        wst = WORK_MORE_B;
    }
    if (wst == WORK_MORE_B) {
1953
        if (!s->hit || SSL_IS_TLS13(s)) {
M
Matt Caswell 已提交
1954
            /* Let cert callback update server certificates if required */
1955
            if (!s->hit && s->cert->cert_cb != NULL) {
M
Matt Caswell 已提交
1956 1957 1958
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
1959 1960
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CERT_CB_ERROR);
M
Matt Caswell 已提交
1961 1962 1963 1964
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
B
Benjamin Kaduk 已提交
1965
                    return WORK_MORE_B;
M
Matt Caswell 已提交
1966 1967
                }
                s->rwstate = SSL_NOTHING;
1968
            }
M
Matt Caswell 已提交
1969

1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980
            /* In TLSv1.3 we selected the ciphersuite before resumption */
            if (!SSL_IS_TLS13(s)) {
                cipher =
                    ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

                if (cipher == NULL) {
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_NO_SHARED_CIPHER);
                    goto f_err;
                }
                s->s3->tmp.new_cipher = cipher;
1981
            }
1982 1983 1984 1985 1986 1987
            if (!s->hit) {
                if (!tls_choose_sigalg(s, &al))
                    goto f_err;
                /* check whether we should disable session resumption */
                if (s->not_resumable_session_cb != NULL)
                    s->session->not_resumable =
1988 1989 1990
                        s->not_resumable_session_cb(s,
                            ((s->s3->tmp.new_cipher->algorithm_mkey
                              & (SSL_kDHE | SSL_kECDHE)) != 0));
1991 1992 1993 1994
                if (s->session->not_resumable)
                    /* do not send a session ticket */
                    s->ext.ticket_expected = 0;
            }
M
Matt Caswell 已提交
1995 1996 1997
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
1998 1999
        }

M
Matt Caswell 已提交
2000 2001 2002
        /*-
         * we now have the following setup.
         * client_random
2003 2004
         * cipher_list          - our preferred list of ciphers
         * ciphers              - the clients preferred list of ciphers
M
Matt Caswell 已提交
2005 2006 2007 2008 2009 2010
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
2011

2012 2013 2014 2015 2016 2017 2018 2019
        /*
         * Call status_request callback if needed. Has to be done after the
         * certificate callbacks etc above.
         */
        if (!tls_handle_status_request(s, &al)) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                   SSL_R_CLIENTHELLO_TLSEXT);
            goto f_err;
M
Matt Caswell 已提交
2020
        }
2021

B
Benjamin Kaduk 已提交
2022
        wst = WORK_MORE_C;
M
Matt Caswell 已提交
2023 2024
    }
#ifndef OPENSSL_NO_SRP
B
Benjamin Kaduk 已提交
2025
    if (wst == WORK_MORE_C) {
M
Matt Caswell 已提交
2026 2027 2028 2029 2030 2031
        int ret;
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
B
Benjamin Kaduk 已提交
2032
            return WORK_MORE_C;
M
Matt Caswell 已提交
2033 2034 2035 2036 2037 2038 2039 2040
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
E
Emilia Kasper 已提交
2041
                       SSL_R_CLIENTHELLO_TLSEXT);
2042 2043 2044
            else
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_PSK_IDENTITY_NOT_FOUND);
M
Matt Caswell 已提交
2045
            goto f_err;
2046 2047
        }
    }
M
Matt Caswell 已提交
2048
#endif
2049

M
Matt Caswell 已提交
2050
    return WORK_FINISHED_STOP;
2051
 f_err:
M
Matt Caswell 已提交
2052
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2053
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2054 2055 2056
    return WORK_ERROR;
}

2057
int tls_construct_server_hello(SSL *s, WPACKET *pkt)
2058
{
2059 2060
    int compm, al = SSL_AD_INTERNAL_ERROR;
    size_t sl, len;
2061
    int version;
2062

2063
    /* TODO(TLS1.3): Remove the DRAFT conditional before release */
2064 2065
    version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version;
    if (!WPACKET_put_bytes_u16(pkt, version)
2066 2067 2068 2069
               /*
                * Random stuff. Filling of the server_random takes place in
                * tls_process_client_hello()
                */
2070
            || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
2071 2072 2073
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
        goto err;
    }
2074

M
Matt Caswell 已提交
2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

    sl = s->session->session_id_length;
2097
    if (sl > sizeof(s->session->session_id)) {
M
Matt Caswell 已提交
2098
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
2099
        goto err;
M
Matt Caswell 已提交
2100
    }
2101

2102
    /* set up the compression method */
2103
#ifdef OPENSSL_NO_COMP
2104
    compm = 0;
2105
#else
M
Matt Caswell 已提交
2106
    if (s->s3->tmp.new_compression == NULL)
2107
        compm = 0;
M
Matt Caswell 已提交
2108
    else
2109
        compm = s->s3->tmp.new_compression->id;
2110
#endif
2111

2112 2113
    if ((!SSL_IS_TLS13(s)
                && !WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl))
2114
            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
2115 2116
            || (!SSL_IS_TLS13(s)
                && !WPACKET_put_bytes_u8(pkt, compm))
2117
            || !tls_construct_extensions(s, pkt,
M
Matt Caswell 已提交
2118
                                         SSL_IS_TLS13(s)
2119 2120
                                            ? SSL_EXT_TLS1_3_SERVER_HELLO
                                            : SSL_EXT_TLS1_2_SERVER_HELLO,
2121
                                         NULL, 0, &al)) {
M
Matt Caswell 已提交
2122
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
2123
        goto err;
2124
    }
2125

2126 2127 2128 2129 2130 2131
    if (!(s->verify_mode & SSL_VERIFY_PEER)
            && !ssl3_digest_cached_records(s, 0)) {
        al = SSL_AD_INTERNAL_ERROR;
        goto err;
    }

M
Matt Caswell 已提交
2132
    return 1;
2133
 err:
2134
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
2135
    return 0;
2136
}
2137

2138
int tls_construct_server_done(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
2139 2140
{
    if (!s->s3->tmp.cert_request) {
2141 2142 2143 2144
        if (!ssl3_digest_cached_records(s, 0)) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
            return 0;
        }
M
Matt Caswell 已提交
2145 2146 2147 2148
    }
    return 1;
}

2149
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
2150
{
2151
#ifndef OPENSSL_NO_DH
2152
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
2153
#endif
2154
#ifndef OPENSSL_NO_EC
2155
    unsigned char *encodedPoint = NULL;
2156
    size_t encodedlen = 0;
2157
    int curve_id = 0;
2158
#endif
2159
    const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
2160
    int al = SSL_AD_INTERNAL_ERROR, i;
2161
    unsigned long type;
2162
    const BIGNUM *r[4];
2163
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
2164
    EVP_PKEY_CTX *pctx = NULL;
2165 2166
    size_t paramlen, paramoffset;

2167
    if (!WPACKET_get_total_written(pkt, &paramoffset)) {
2168
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2169 2170
        goto f_err;
    }
2171

2172 2173 2174 2175
    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        goto f_err;
    }
2176

M
Matt Caswell 已提交
2177 2178 2179
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    r[0] = r[1] = r[2] = r[3] = NULL;
2180
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2181 2182 2183
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
2184
#endif                          /* !OPENSSL_NO_PSK */
2185
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
2186
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
2187 2188
        CERT *cert = s->cert;

2189 2190 2191
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
2192
        if (s->cert->dh_tmp_auto) {
2193 2194 2195 2196
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
M
Matt Caswell 已提交
2197
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2198
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2199
                goto f_err;
2200
            }
2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
2217
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2218 2219 2220 2221 2222
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
2223
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
M
Matt Caswell 已提交
2224 2225 2226 2227 2228
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
2229
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
2230 2231 2232 2233
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
2234

D
Dr. Stephen Henson 已提交
2235
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
M
Matt Caswell 已提交
2236

2237 2238
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
2239
            goto err;
M
Matt Caswell 已提交
2240
        }
2241 2242 2243 2244 2245 2246

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
2247 2248
        DH_get0_pqg(dh, &r[0], NULL, &r[1]);
        DH_get0_key(dh, &r[2], NULL);
M
Matt Caswell 已提交
2249
    } else
2250
#endif
2251
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2252
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
2253
        int nid;
M
Matt Caswell 已提交
2254

D
Dr. Stephen Henson 已提交
2255
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
2256 2257 2258 2259 2260
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

2261
        /* Get NID of appropriate shared curve */
2262
        nid = tls1_shared_group(s, -2);
2263 2264
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
2265 2266 2267 2268
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
2269
        s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id);
D
Dr. Stephen Henson 已提交
2270 2271 2272
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
2273 2274 2275
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
2276
        /* Encode the public key. */
2277 2278
        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
                                                    &encodedPoint);
M
Matt Caswell 已提交
2279
        if (encodedlen == 0) {
2280
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
2281 2282
            goto err;
        }
2283

M
Matt Caswell 已提交
2284 2285 2286 2287 2288 2289 2290 2291 2292
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
2293
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
2294
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2295 2296 2297 2298 2299 2300 2301
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
2302
        }
M
Matt Caswell 已提交
2303 2304 2305 2306 2307 2308 2309
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
2310
        al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2311 2312 2313 2314
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
2315

2316 2317 2318 2319 2320 2321
    if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
        || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
        lu = NULL;
    } else if (lu == NULL) {
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
M
Matt Caswell 已提交
2322
    }
2323

2324
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2325
    if (type & SSL_PSK) {
2326 2327 2328 2329 2330 2331 2332 2333
        size_t len = (s->cert->psk_identity_hint == NULL)
                        ? 0 : strlen(s->cert->psk_identity_hint);

        /*
         * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
         * checked this when we set the identity hint - but just in case
         */
        if (len > PSK_MAX_IDENTITY_LEN
2334
                || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2335 2336 2337 2338
                                           len)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
2339
        }
M
Matt Caswell 已提交
2340
    }
2341 2342
#endif

M
Matt Caswell 已提交
2343
    for (i = 0; i < 4 && r[i] != NULL; i++) {
2344 2345 2346
        unsigned char *binval;
        int res;

B
Ben Laurie 已提交
2347
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2348
        if ((i == 2) && (type & SSL_kSRP)) {
2349
            res = WPACKET_start_sub_packet_u8(pkt);
M
Matt Caswell 已提交
2350
        } else
2351
#endif
2352
            res = WPACKET_start_sub_packet_u16(pkt);
2353 2354 2355 2356 2357 2358 2359

        if (!res) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

2360
#ifndef OPENSSL_NO_DH
E
Emilia Kasper 已提交
2361
        /*-
2362 2363 2364 2365 2366
         * for interoperability with some versions of the Microsoft TLS
         * stack, we need to zero pad the DHE pub key to the same length
         * as the prime
         */
        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2367
            size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
M
Matt Caswell 已提交
2368

2369
            if (len > 0) {
2370
                if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2371 2372 2373 2374 2375
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
                }
                memset(binval, 0, len);
2376
            }
2377
        }
B
Ben Laurie 已提交
2378
#endif
2379 2380
        if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
                || !WPACKET_close(pkt)) {
2381 2382 2383 2384 2385 2386
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

        BN_bn2bin(r[i], binval);
M
Matt Caswell 已提交
2387
    }
2388

2389
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2390 2391
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
2392 2393 2394 2395
         * We only support named (not generic) curves. In this situation, the
         * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
         * [1 byte length of encoded point], followed by the actual encoded
         * point itself
M
Matt Caswell 已提交
2396
         */
2397 2398 2399 2400
        if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
                || !WPACKET_put_bytes_u8(pkt, 0)
                || !WPACKET_put_bytes_u8(pkt, curve_id)
                || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2401 2402 2403 2404
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
M
Matt Caswell 已提交
2405 2406 2407
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
    }
B
Bodo Möller 已提交
2408 2409
#endif

M
Matt Caswell 已提交
2410
    /* not anonymous */
2411
    if (lu != NULL) {
2412
        EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
2413 2414 2415 2416
        const EVP_MD *md;
        unsigned char *sigbytes1, *sigbytes2, *tbs;
        size_t siglen, tbslen;
        int rv;
2417

D
Dr. Stephen Henson 已提交
2418
        if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
2419 2420 2421 2422 2423 2424
            /* Should never happen */
            al = SSL_AD_INTERNAL_ERROR;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
M
Matt Caswell 已提交
2425 2426 2427 2428
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
2429

2430 2431 2432 2433 2434 2435 2436 2437 2438 2439 2440 2441 2442 2443 2444 2445 2446 2447 2448 2449 2450 2451 2452 2453 2454
        /* Get length of the parameters we have written above */
        if (!WPACKET_get_length(pkt, &paramlen)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        /* send signature algorithm */
        if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg))
                return 0;
        /*
         * Create the signature. We don't know the actual length of the sig
         * until after we've created it, so we reserve enough bytes for it
         * up front, and then properly allocate them in the WPACKET
         * afterwards.
         */
        siglen = EVP_PKEY_size(pkey);
        if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
            || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
        if (lu->sig == EVP_PKEY_RSA_PSS) {
            if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
                || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
2455
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2456
                       ERR_R_EVP_LIB);
2457
                goto f_err;
2458
            }
2459
        }
2460 2461 2462 2463 2464 2465 2466 2467 2468 2469 2470
        tbslen = construct_key_exchange_tbs(s, &tbs,
                                            s->init_buf->data + paramoffset,
                                            paramlen);
        if (tbslen == 0) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_MALLOC_FAILURE);
            goto f_err;
        }
        rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
        OPENSSL_free(tbs);
        if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2471
            || sigbytes1 != sigbytes2) {
M
Matt Caswell 已提交
2472
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
2473
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2474 2475
            goto f_err;
        }
2476 2477
    }

2478
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2479
    return 1;
2480 2481 2482
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
2483 2484 2485
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
2486
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2487
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
2488
#endif
2489
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2490
    return 0;
2491
}
2492

2493
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
2494
{
2495 2496
    int al = SSL_AD_INTERNAL_ERROR;

2497 2498 2499 2500 2501 2502 2503
    if (SSL_IS_TLS13(s)) {
        /* TODO(TLS1.3) for now send empty request context */
        if (!WPACKET_put_bytes_u8(pkt, 0)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
2504

2505 2506 2507
        if (!tls_construct_extensions(s, pkt,
                                      SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
                                      0, &al)) {
2508 2509 2510 2511
            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
2512 2513 2514 2515 2516 2517 2518 2519
        goto done;
    }

    /* get the list of acceptable cert types */
    if (!WPACKET_start_sub_packet_u8(pkt)
        || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
2520
    }
2521

M
Matt Caswell 已提交
2522
    if (SSL_USE_SIGALGS(s)) {
2523
        const uint16_t *psigs;
2524
        size_t nl = tls12_get_psigalgs(s, 1, &psigs);
2525

2526
        if (!WPACKET_start_sub_packet_u16(pkt)
2527
                || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
2528 2529
                || !tls12_copy_sigalgs(s, pkt, psigs, nl)
                || !WPACKET_close(pkt)) {
2530 2531 2532 2533
            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
M
Matt Caswell 已提交
2534
    }
2535

2536
    if (!construct_ca_names(s, pkt)) {
2537 2538 2539
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
2540

2541
 done:
M
Matt Caswell 已提交
2542 2543
    s->s3->tmp.cert_request = 1;
    return 1;
2544
 err:
2545
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
2546
    return 0;
2547
}
2548

2549
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
M
Matt Caswell 已提交
2550
{
2551
#ifndef OPENSSL_NO_PSK
2552 2553 2554
    unsigned char psk[PSK_MAX_PSK_LEN];
    size_t psklen;
    PACKET psk_identity;
2555

2556 2557
    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
        *al = SSL_AD_DECODE_ERROR;
2558
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
2559 2560 2561 2562
        return 0;
    }
    if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
        *al = SSL_AD_DECODE_ERROR;
2563
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
2564 2565 2566 2567
        return 0;
    }
    if (s->psk_server_callback == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
2568
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
2569 2570
        return 0;
    }
2571

2572 2573
    if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
        *al = SSL_AD_INTERNAL_ERROR;
2574
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2575 2576
        return 0;
    }
2577

2578
    psklen = s->psk_server_callback(s, s->session->psk_identity,
E
Emilia Kasper 已提交
2579
                                    psk, sizeof(psk));
2580

2581 2582
    if (psklen > PSK_MAX_PSK_LEN) {
        *al = SSL_AD_INTERNAL_ERROR;
2583
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2584 2585 2586 2587 2588 2589
        return 0;
    } else if (psklen == 0) {
        /*
         * PSK related to the given identity not found
         */
        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2590
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2591 2592 2593
               SSL_R_PSK_IDENTITY_NOT_FOUND);
        return 0;
    }
2594

2595 2596 2597
    OPENSSL_free(s->s3->tmp.psk);
    s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
    OPENSSL_cleanse(psk, psklen);
2598

2599 2600
    if (s->s3->tmp.psk == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2601
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2602
        return 0;
2603
    }
2604 2605 2606 2607 2608 2609 2610

    s->s3->tmp.psklen = psklen;

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2611
    SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2612
    return 0;
2613
#endif
2614 2615 2616 2617
}

static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
{
2618
#ifndef OPENSSL_NO_RSA
2619 2620 2621 2622 2623 2624 2625 2626 2627
    unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
    int decrypt_len;
    unsigned char decrypt_good, version_good;
    size_t j, padding_len;
    PACKET enc_premaster;
    RSA *rsa = NULL;
    unsigned char *rsa_decrypt = NULL;
    int ret = 0;

2628
    rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
2629
    if (rsa == NULL) {
2630
        *al = SSL_AD_INTERNAL_ERROR;
2631
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE);
2632 2633 2634 2635 2636 2637 2638 2639 2640 2641
        return 0;
    }

    /* SSLv3 and pre-standard DTLS omit the length bytes. */
    if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
        enc_premaster = *pkt;
    } else {
        if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
            || PACKET_remaining(pkt) != 0) {
            *al = SSL_AD_DECODE_ERROR;
2642
            SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH);
2643
            return 0;
2644
        }
2645
    }
2646

2647 2648 2649 2650 2651 2652 2653 2654
    /*
     * We want to be sure that the plaintext buffer size makes it safe to
     * iterate over the entire size of a premaster secret
     * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
     * their ciphertext cannot accommodate a premaster secret anyway.
     */
    if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_INTERNAL_ERROR;
2655
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
2656 2657
        return 0;
    }
2658

2659 2660 2661
    rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
    if (rsa_decrypt == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2662
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE);
2663 2664
        return 0;
    }
2665

2666 2667 2668 2669 2670 2671 2672
    /*
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). The code follows that advice of the TLS RFC and
     * generates a random premaster secret for the case that the decrypt
     * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
     */
2673

E
Emilia Kasper 已提交
2674
    if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
2675
        goto err;
2676

2677 2678 2679 2680
    /*
     * Decrypt with no padding. PKCS#1 padding will be removed as part of
     * the timing-sensitive code below.
     */
2681 2682 2683 2684
     /* TODO(size_t): Convert this function */
    decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
                                           PACKET_data(&enc_premaster),
                                           rsa_decrypt, rsa, RSA_NO_PADDING);
2685 2686
    if (decrypt_len < 0)
        goto err;
2687

2688
    /* Check the padding. See RFC 3447, section 7.2.2. */
2689

2690 2691 2692 2693 2694 2695 2696
    /*
     * The smallest padded premaster is 11 bytes of overhead. Small keys
     * are publicly invalid, so this may return immediately. This ensures
     * PS is at least 8 bytes.
     */
    if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_DECRYPT_ERROR;
2697
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED);
2698 2699
        goto err;
    }
2700

2701 2702
    padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
    decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
E
Emilia Kasper 已提交
2703
        constant_time_eq_int_8(rsa_decrypt[1], 2);
2704 2705 2706 2707
    for (j = 2; j < padding_len - 1; j++) {
        decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
    }
    decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
2708

2709 2710 2711 2712 2713 2714 2715 2716 2717 2718 2719 2720 2721 2722
    /*
     * If the version in the decrypted pre-master secret is correct then
     * version_good will be 0xff, otherwise it'll be zero. The
     * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
     * (http://eprint.iacr.org/2003/052/) exploits the version number
     * check as a "bad version oracle". Thus version checks are done in
     * constant time and are treated like any other decryption error.
     */
    version_good =
        constant_time_eq_8(rsa_decrypt[padding_len],
                           (unsigned)(s->client_version >> 8));
    version_good &=
        constant_time_eq_8(rsa_decrypt[padding_len + 1],
                           (unsigned)(s->client_version & 0xff));
2723

2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736 2737
    /*
     * The premaster secret must contain the same version number as the
     * ClientHello to detect version rollback attacks (strangely, the
     * protocol does not offer such protection for DH ciphersuites).
     * However, buggy clients exist that send the negotiated protocol
     * version instead if the server does not support the requested
     * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
     * clients.
     */
    if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
        unsigned char workaround_good;
        workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
                                             (unsigned)(s->version >> 8));
        workaround_good &=
2738
            constant_time_eq_8(rsa_decrypt[padding_len + 1],
2739 2740 2741
                               (unsigned)(s->version & 0xff));
        version_good |= workaround_good;
    }
2742

2743 2744 2745 2746 2747
    /*
     * Both decryption and version must be good for decrypt_good to
     * remain non-zero (0xff).
     */
    decrypt_good &= version_good;
2748

2749 2750 2751 2752 2753 2754 2755 2756 2757 2758 2759 2760
    /*
     * Now copy rand_premaster_secret over from p using
     * decrypt_good_mask. If decryption failed, then p does not
     * contain valid plaintext, however, a check above guarantees
     * it is still sufficiently large to read from.
     */
    for (j = 0; j < sizeof(rand_premaster_secret); j++) {
        rsa_decrypt[padding_len + j] =
            constant_time_select_8(decrypt_good,
                                   rsa_decrypt[padding_len + j],
                                   rand_premaster_secret[j]);
    }
2761

2762 2763 2764
    if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
                                    sizeof(rand_premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
2765
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2766 2767
        goto err;
    }
2768

2769 2770 2771 2772 2773 2774 2775
    ret = 1;
 err:
    OPENSSL_free(rsa_decrypt);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2776
    SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2777 2778 2779 2780
    return 0;
#endif
}

2781 2782 2783 2784 2785 2786 2787 2788 2789 2790 2791
static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_DH
    EVP_PKEY *skey = NULL;
    DH *cdh;
    unsigned int i;
    BIGNUM *pub_key;
    const unsigned char *data;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

D
Dr. Stephen Henson 已提交
2792
    if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
2793
        *al = SSL_AD_DECODE_ERROR;
2794
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE,
2795 2796 2797 2798 2799
               SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
        goto err;
    }
    skey = s->s3->tmp.pkey;
    if (skey == NULL) {
2800
        *al = SSL_AD_INTERNAL_ERROR;
2801
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2802 2803 2804 2805
        goto err;
    }

    if (PACKET_remaining(pkt) == 0L) {
2806
        *al = SSL_AD_DECODE_ERROR;
2807
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2808 2809 2810 2811 2812
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, i)) {
        /* We already checked we have enough data */
        *al = SSL_AD_INTERNAL_ERROR;
2813
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2814 2815 2816 2817
        goto err;
    }
    ckey = EVP_PKEY_new();
    if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
2818
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
2819 2820 2821 2822 2823 2824
        goto err;
    }
    cdh = EVP_PKEY_get0_DH(ckey);
    pub_key = BN_bin2bn(data, i, NULL);

    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
2825
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2826 2827 2828 2829 2830
        if (pub_key != NULL)
            BN_free(pub_key);
        goto err;
    }

2831
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2832
        *al = SSL_AD_INTERNAL_ERROR;
2833
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2834 2835 2836 2837 2838 2839 2840 2841 2842 2843 2844 2845
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2846
    SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2847 2848 2849 2850
    return 0;
#endif
}

2851 2852 2853 2854 2855 2856 2857 2858 2859 2860
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *skey = s->s3->tmp.pkey;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

    if (PACKET_remaining(pkt) == 0L) {
        /* We don't support ECDH client auth */
        *al = SSL_AD_HANDSHAKE_FAILURE;
2861
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY);
2862 2863 2864 2865 2866 2867 2868 2869 2870 2871 2872
        goto err;
    } else {
        unsigned int i;
        const unsigned char *data;

        /*
         * Get client's public key from encoded point in the
         * ClientKeyExchange message.
         */

        /* Get encoded point length */
D
Dr. Stephen Henson 已提交
2873 2874
        if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
            || PACKET_remaining(pkt) != 0) {
2875
            *al = SSL_AD_DECODE_ERROR;
2876
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH);
2877 2878 2879 2880
            goto err;
        }
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
2881
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB);
2882 2883
            goto err;
        }
2884
        if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
2885
            *al = SSL_AD_ILLEGAL_PARAMETER;
2886
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB);
2887 2888 2889 2890
            goto err;
        }
    }

2891
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2892
        *al = SSL_AD_INTERNAL_ERROR;
2893
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2894 2895 2896 2897 2898 2899 2900 2901 2902 2903 2904 2905 2906
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);

    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2907
    SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2908 2909 2910 2911
    return 0;
#endif
}

2912 2913 2914 2915 2916 2917 2918
static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_SRP
    unsigned int i;
    const unsigned char *data;

    if (!PACKET_get_net_2(pkt, &i)
E
Emilia Kasper 已提交
2919
        || !PACKET_get_bytes(pkt, &data, i)) {
2920
        *al = SSL_AD_DECODE_ERROR;
2921
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
2922 2923 2924
        return 0;
    }
    if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
2925
        *al = SSL_AD_INTERNAL_ERROR;
2926
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
2927 2928
        return 0;
    }
E
Emilia Kasper 已提交
2929
    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
2930
        *al = SSL_AD_ILLEGAL_PARAMETER;
2931
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
2932 2933 2934 2935 2936
        return 0;
    }
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
2937
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE);
2938 2939 2940 2941
        return 0;
    }

    if (!srp_generate_server_master_secret(s)) {
2942
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2943 2944 2945 2946 2947 2948 2949
        return 0;
    }

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2950
    SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2951 2952 2953 2954 2955 2956 2957 2958 2959 2960 2961 2962 2963 2964 2965
    return 0;
#endif
}

static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_GOST
    EVP_PKEY_CTX *pkey_ctx;
    EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
    unsigned char premaster_secret[32];
    const unsigned char *start;
    size_t outlen = 32, inlen;
    unsigned long alg_a;
    int Ttag, Tclass;
    long Tlen;
2966
    size_t sess_key_len;
2967 2968 2969 2970 2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983 2984 2985 2986 2987 2988 2989
    const unsigned char *data;
    int ret = 0;

    /* Get our certificate private key */
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
    if (alg_a & SSL_aGOST12) {
        /*
         * New GOST ciphersuites have SSL_aGOST01 bit too
         */
        pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
        }
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
        }
    } else if (alg_a & SSL_aGOST01) {
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

    pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
    if (pkey_ctx == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2990
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE);
2991 2992 2993 2994
        return 0;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
        *al = SSL_AD_INTERNAL_ERROR;
2995
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2996 2997 2998 2999 3000 3001 3002 3003 3004 3005 3006 3007 3008 3009 3010 3011 3012
        return 0;
    }
    /*
     * If client certificate is present and is of the same type, maybe
     * use it for key exchange.  Don't mind errors from
     * EVP_PKEY_derive_set_peer, because it is completely valid to use a
     * client certificate for authorization only.
     */
    client_pub_pkey = X509_get0_pubkey(s->session->peer);
    if (client_pub_pkey) {
        if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
            ERR_clear_error();
    }
    /* Decrypt session key */
    sess_key_len = PACKET_remaining(pkt);
    if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
        *al = SSL_AD_INTERNAL_ERROR;
3013
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
3014 3015
        goto err;
    }
3016
    /* TODO(size_t): Convert this function */
E
Emilia Kasper 已提交
3017
    if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
3018
                        &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
E
Emilia Kasper 已提交
3019
        || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
3020
        *al = SSL_AD_DECODE_ERROR;
3021
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
3022 3023 3024 3025 3026 3027 3028
        goto err;
    }
    start = data;
    inlen = Tlen;
    if (EVP_PKEY_decrypt
        (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
        *al = SSL_AD_DECODE_ERROR;
3029
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
3030 3031 3032 3033 3034 3035
        goto err;
    }
    /* Generate master secret */
    if (!ssl_generate_master_secret(s, premaster_secret,
                                    sizeof(premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
3036
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
3037 3038 3039 3040 3041 3042 3043 3044 3045 3046 3047 3048 3049 3050
        goto err;
    }
    /* Check if pubkey from client certificate was used */
    if (EVP_PKEY_CTX_ctrl
        (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
        s->statem.no_cert_verify = 1;

    ret = 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
3051
    SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
3052 3053 3054 3055
    return 0;
#endif
}

3056 3057 3058 3059 3060 3061 3062 3063 3064 3065 3066 3067 3068 3069
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    int al = -1;
    unsigned long alg_k;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* For PSK parse and retrieve identity, obtain PSK key */
    if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al))
        goto err;

    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
3070
            al = SSL_AD_DECODE_ERROR;
E
Emilia Kasper 已提交
3071 3072
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_LENGTH_MISMATCH);
3073
            goto err;
3074 3075 3076
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
M
Matt Caswell 已提交
3077
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3078
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
3079
            goto err;
M
Matt Caswell 已提交
3080
        }
3081 3082 3083
    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
        if (!tls_process_cke_rsa(s, pkt, &al))
            goto err;
3084 3085
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
        if (!tls_process_cke_dhe(s, pkt, &al))
3086
            goto err;
3087 3088 3089
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        if (!tls_process_cke_ecdhe(s, pkt, &al))
            goto err;
3090 3091
    } else if (alg_k & SSL_kSRP) {
        if (!tls_process_cke_srp(s, pkt, &al))
3092
            goto err;
3093 3094
    } else if (alg_k & SSL_kGOST) {
        if (!tls_process_cke_gost(s, pkt, &al))
3095
            goto err;
3096
    } else {
3097
        al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
3098 3099
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
               SSL_R_UNKNOWN_CIPHER_TYPE);
3100
        goto err;
3101 3102
    }

M
Matt Caswell 已提交
3103
    return MSG_PROCESS_CONTINUE_PROCESSING;
3104
 err:
3105 3106
    if (al != -1)
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
3107 3108 3109
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
3110
#endif
M
Matt Caswell 已提交
3111
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3112
    return MSG_PROCESS_ERROR;
3113
}
3114

M
Matt Caswell 已提交
3115
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
3116 3117
{
#ifndef OPENSSL_NO_SCTP
3118 3119 3120 3121 3122 3123 3124 3125
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
3126 3127
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
3128 3129

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
3130 3131 3132
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
3133
                ossl_statem_set_error(s);
F
FdaSilvaYY 已提交
3134
                return WORK_ERROR;
3135
            }
3136

3137 3138
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
3139 3140 3141 3142
        }
    }
#endif

3143
    if (s->statem.no_cert_verify || !s->session->peer) {
E
Emilia Kasper 已提交
3144 3145 3146
        /*
         * No certificate verify or no peer certificate so we no longer need
         * the handshake_buffer
3147 3148 3149 3150 3151
         */
        if (!ssl3_digest_cached_records(s, 0)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
3152
        return WORK_FINISHED_CONTINUE;
3153
    } else {
3154 3155 3156
        if (!s->s3->handshake_buffer) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3157
            ossl_statem_set_error(s);
3158 3159 3160 3161 3162 3163 3164
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
M
Matt Caswell 已提交
3165
            ossl_statem_set_error(s);
3166 3167 3168 3169 3170 3171 3172
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
3173
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3174
{
M
Matt Caswell 已提交
3175
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3176 3177
    X509 *x = NULL;
    unsigned long l, llen;
E
Emilia Kasper 已提交
3178
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
3179
    STACK_OF(X509) *sk = NULL;
3180
    PACKET spkt, context;
3181
    size_t chainidx;
3182 3183

    if ((sk = sk_X509_new_null()) == NULL) {
M
Matt Caswell 已提交
3184 3185
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
3186 3187
    }

3188 3189 3190 3191 3192
    /* TODO(TLS1.3): For now we ignore the context. We need to verify this */
    if ((SSL_IS_TLS13(s) && !PACKET_get_length_prefixed_1(pkt, &context))
            || !PACKET_get_net_3(pkt, &llen)
            || !PACKET_get_sub_packet(pkt, &spkt, llen)
            || PACKET_remaining(pkt) != 0) {
3193
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3194
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3195 3196
        goto f_err;
    }
3197

3198
    for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
3199
        if (!PACKET_get_net_3(&spkt, &l)
E
Emilia Kasper 已提交
3200
            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3201
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3202
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3203 3204 3205 3206
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

3207 3208
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3209
        if (x == NULL) {
M
Matt Caswell 已提交
3210 3211
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
3212
        }
3213
        if (certbytes != (certstart + l)) {
3214
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3215
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3216 3217 3218
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
3219 3220 3221 3222 3223 3224 3225 3226 3227 3228

        if (SSL_IS_TLS13(s)) {
            RAW_EXTENSION *rawexts = NULL;
            PACKET extensions;

            if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_BAD_LENGTH);
                goto f_err;
            }
3229 3230
            if (!tls_collect_extensions(s, &extensions,
                                        SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
3231
                                        &al, NULL, chainidx == 0)
3232 3233 3234
                || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
                                             rawexts, x, chainidx, &al,
                                             PACKET_remaining(&spkt) == 0)) {
3235
                OPENSSL_free(rawexts);
3236
                goto f_err;
3237 3238
            }
            OPENSSL_free(rawexts);
3239 3240
        }

3241
        if (!sk_X509_push(sk, x)) {
M
Matt Caswell 已提交
3242 3243
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
3244 3245 3246 3247 3248 3249 3250 3251
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3252
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3253 3254 3255 3256 3257 3258
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
M
Matt Caswell 已提交
3259
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3260
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
3261
            al = SSL_AD_CERTIFICATE_REQUIRED;
3262 3263 3264
            goto f_err;
        }
        /* No client certificate so digest cached records */
3265
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3266 3267 3268 3269 3270 3271 3272
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
M
Matt Caswell 已提交
3273
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3274 3275 3276 3277
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
M
Matt Caswell 已提交
3278
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
3279 3280 3281
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
3282
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
3283 3284
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3285
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3286 3287 3288 3289 3290
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
    }

R
Rich Salz 已提交
3291
    X509_free(s->session->peer);
3292 3293 3294
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

3295 3296
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
3297 3298 3299 3300 3301

    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
     * message
     */
3302
    if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
3303 3304 3305 3306 3307
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

3308 3309
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
M
Matt Caswell 已提交
3310
     * certificate, while we do include it in statem_clnt.c
3311 3312
     */
    sk = NULL;
3313 3314 3315 3316 3317 3318 3319 3320 3321 3322 3323

    /* Save the current hash state for when we receive the CertificateVerify */
    if (SSL_IS_TLS13(s)
            && !ssl_handshake_hash(s, s->cert_verify_hash,
                                   sizeof(s->cert_verify_hash),
                                   &s->cert_verify_hash_len)) {
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

M
Matt Caswell 已提交
3324
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
3325 3326
    goto done;

3327
 f_err:
R
Rich Salz 已提交
3328
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3329
    ossl_statem_set_error(s);
R
Rich Salz 已提交
3330
 done:
R
Rich Salz 已提交
3331 3332
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
3333
    return ret;
3334
}
3335

3336
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3337
{
3338
    CERT_PKEY *cpk = s->s3->tmp.cert;
3339
    int al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3340

3341
    if (cpk == NULL) {
M
Matt Caswell 已提交
3342 3343 3344 3345
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }

3346 3347 3348 3349 3350 3351
    /*
     * In TLSv1.3 the certificate chain is always preceded by a 0 length context
     * for the server Certificate message
     */
    if ((SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0))
            || !ssl3_output_cert_chain(s, pkt, cpk, &al)) {
M
Matt Caswell 已提交
3352
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3353
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3354 3355 3356 3357 3358 3359
        return 0;
    }

    return 1;
}

3360
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3361 3362
{
    unsigned char *senc = NULL;
3363
    EVP_CIPHER_CTX *ctx = NULL;
3364
    HMAC_CTX *hctx = NULL;
3365
    unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
M
Matt Caswell 已提交
3366
    const unsigned char *const_p;
3367
    int len, slen_full, slen, lenfinal;
M
Matt Caswell 已提交
3368 3369
    SSL_SESSION *sess;
    unsigned int hlen;
3370
    SSL_CTX *tctx = s->session_ctx;
M
Matt Caswell 已提交
3371
    unsigned char iv[EVP_MAX_IV_LENGTH];
K
Kurt Roeckx 已提交
3372
    unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
3373
    int iv_len, al = SSL_AD_INTERNAL_ERROR;
3374
    size_t macoffset, macendoffset;
3375 3376 3377 3378
    union {
        unsigned char age_add_c[sizeof(uint32_t)];
        uint32_t age_add;
    } age_add_u;
M
Matt Caswell 已提交
3379

M
Matt Caswell 已提交
3380 3381 3382 3383
    if (SSL_IS_TLS13(s)) {
        if (RAND_bytes(age_add_u.age_add_c, sizeof(age_add_u)) <= 0)
            goto err;
        s->session->ext.tick_age_add = age_add_u.age_add;
3384 3385 3386 3387 3388 3389 3390 3391 3392 3393 3394 3395 3396
       /*
        * ticket_nonce is set to a single 0 byte because we only ever send a
        * single ticket per connection. IMPORTANT: If we ever support multiple
        * tickets per connection then this will need to be changed.
        */
        OPENSSL_free(s->session->ext.tick_nonce);
        s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char));
        if (s->session->ext.tick_nonce == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                   ERR_R_MALLOC_FAILURE);
            goto err;
        }
        s->session->ext.tick_nonce_len = 1;
3397
        s->session->time = (long)time(NULL);
3398 3399 3400 3401 3402 3403 3404 3405 3406 3407 3408 3409
        if (s->s3->alpn_selected != NULL) {
            OPENSSL_free(s->session->ext.alpn_selected);
            s->session->ext.alpn_selected =
                OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
            if (s->session->ext.alpn_selected == NULL) {
                SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                       ERR_R_MALLOC_FAILURE);
                goto err;
            }
            s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
        }
        s->session->ext.max_early_data = s->max_early_data;
M
Matt Caswell 已提交
3410 3411
    }

M
Matt Caswell 已提交
3412 3413 3414 3415 3416 3417 3418
    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
3419 3420
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
        goto err;
M
Matt Caswell 已提交
3421 3422
    }
    senc = OPENSSL_malloc(slen_full);
3423
    if (senc == NULL) {
3424 3425
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
        goto err;
M
Matt Caswell 已提交
3426
    }
3427

3428
    ctx = EVP_CIPHER_CTX_new();
3429
    hctx = HMAC_CTX_new();
3430 3431 3432 3433
    if (ctx == NULL || hctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
        goto err;
    }
3434

M
Matt Caswell 已提交
3435 3436 3437
    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;
M
Matt Caswell 已提交
3438

M
Matt Caswell 已提交
3439 3440 3441 3442 3443 3444 3445 3446
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3447

M
Matt Caswell 已提交
3448 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3459

M
Matt Caswell 已提交
3460 3461 3462 3463
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
R
Rich Salz 已提交
3464
    if (tctx->ext.ticket_key_cb) {
T
Todd Short 已提交
3465
        /* if 0 is returned, write an empty ticket */
R
Rich Salz 已提交
3466
        int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
T
Todd Short 已提交
3467 3468 3469
                                             hctx, 1);

        if (ret == 0) {
3470 3471

            /* Put timeout and length */
3472
            if (!WPACKET_put_bytes_u32(pkt, 0)
3473
                    || !WPACKET_put_bytes_u16(pkt, 0)) {
3474 3475
                SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                       ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
3476
                goto err;
3477
            }
T
Todd Short 已提交
3478 3479 3480 3481 3482 3483
            OPENSSL_free(senc);
            EVP_CIPHER_CTX_free(ctx);
            HMAC_CTX_free(hctx);
            return 1;
        }
        if (ret < 0)
M
Matt Caswell 已提交
3484
            goto err;
K
Kurt Roeckx 已提交
3485
        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3486
    } else {
K
Kurt Roeckx 已提交
3487 3488 3489 3490
        const EVP_CIPHER *cipher = EVP_aes_256_cbc();

        iv_len = EVP_CIPHER_iv_length(cipher);
        if (RAND_bytes(iv, iv_len) <= 0)
M
Matt Caswell 已提交
3491
            goto err;
K
Kurt Roeckx 已提交
3492
        if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
R
Rich Salz 已提交
3493
                                tctx->ext.tick_aes_key, iv))
M
Matt Caswell 已提交
3494
            goto err;
R
Rich Salz 已提交
3495 3496
        if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
                          sizeof(tctx->ext.tick_hmac_key),
M
Matt Caswell 已提交
3497
                          EVP_sha256(), NULL))
3498
            goto err;
R
Rich Salz 已提交
3499 3500
        memcpy(key_name, tctx->ext.tick_key_name,
               sizeof(tctx->ext.tick_key_name));
3501 3502
    }

M
Matt Caswell 已提交
3503
    /*
3504 3505 3506 3507
     * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
     * unspecified for resumed session (for simplicity).
     * In TLSv1.3 we reset the "time" field above, and always specify the
     * timeout.
M
Matt Caswell 已提交
3508
     */
3509 3510 3511
    if (!WPACKET_put_bytes_u32(pkt,
                               (s->hit && !SSL_IS_TLS13(s))
                               ? 0 : s->session->timeout)
3512
            || (SSL_IS_TLS13(s)
3513
                && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
3514 3515
                    || !WPACKET_sub_memcpy_u8(pkt, s->session->ext.tick_nonce,
                                              s->session->ext.tick_nonce_len)))
3516
               /* Now the actual ticket data */
3517 3518
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_get_total_written(pkt, &macoffset)
3519
               /* Output key name */
3520
            || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3521
               /* output IV */
3522 3523
            || !WPACKET_memcpy(pkt, iv, iv_len)
            || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3524 3525 3526
                                      &encdata1)
               /* Encrypt session data */
            || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3527
            || !WPACKET_allocate_bytes(pkt, len, &encdata2)
3528 3529
            || encdata1 != encdata2
            || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
3530
            || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
3531 3532
            || encdata1 + len != encdata2
            || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
3533
            || !WPACKET_get_total_written(pkt, &macendoffset)
3534 3535 3536
            || !HMAC_Update(hctx,
                            (unsigned char *)s->init_buf->data + macoffset,
                            macendoffset - macoffset)
3537
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
3538 3539
            || !HMAC_Final(hctx, macdata1, &hlen)
            || hlen > EVP_MAX_MD_SIZE
3540
            || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
3541
            || macdata1 != macdata2
3542 3543 3544
            || !WPACKET_close(pkt)
            || (SSL_IS_TLS13(s)
                && !tls_construct_extensions(s, pkt,
3545
                                             SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
3546
                                             NULL, 0, &al))) {
3547
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3548
        goto err;
3549
    }
D
Dr. Stephen Henson 已提交
3550 3551
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3552 3553 3554
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3555
 err:
3556
    ossl_statem_set_error(s);
R
Rich Salz 已提交
3557
    OPENSSL_free(senc);
3558
    EVP_CIPHER_CTX_free(ctx);
3559
    HMAC_CTX_free(hctx);
3560
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
3561
    return 0;
3562
}
3563

3564 3565 3566 3567 3568
/*
 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
 * create a separate message. Returns 1 on success or 0 on failure.
 */
int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3569
{
3570 3571 3572
    if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
            || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
                                       s->ext.ocsp.resp_len)) {
3573 3574 3575 3576 3577 3578 3579 3580 3581 3582
        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
    if (!tls_construct_cert_status_body(s, pkt)) {
3583 3584 3585
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
3586 3587 3588 3589

    return 1;
}

3590
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3591 3592 3593 3594
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3595
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3596
{
3597
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3598
    size_t next_proto_len;
3599
    int al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3600

3601 3602 3603 3604 3605 3606 3607
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3608 3609 3610
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
3611
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3612
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
3613
        goto err;
M
Matt Caswell 已提交
3614
    }
3615

R
Rich Salz 已提交
3616 3617
    if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
        s->ext.npn_len = 0;
M
Matt Caswell 已提交
3618 3619 3620
        goto err;
    }

R
Rich Salz 已提交
3621
    s->ext.npn_len = (unsigned char)next_proto_len;
3622

M
Matt Caswell 已提交
3623
    return MSG_PROCESS_CONTINUE_READING;
E
Emilia Kasper 已提交
3624
 err:
3625
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3626
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3627
    return MSG_PROCESS_ERROR;
3628
}
3629
#endif
M
Matt Caswell 已提交
3630

M
Matt Caswell 已提交
3631 3632
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
M
Matt Caswell 已提交
3633 3634
    int al;

3635
    if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
3636
                                  NULL, 0, &al)) {
M
Matt Caswell 已提交
3637
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3638 3639 3640 3641 3642 3643 3644
        SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

3645 3646
static int tls_construct_hello_retry_request(SSL *s, WPACKET *pkt)
{
3647
    int al = SSL_AD_INTERNAL_ERROR;
3648
    size_t len = 0;
3649 3650 3651 3652 3653 3654

    /*
     * TODO(TLS1.3): Remove the DRAFT version before release
     * (should be s->version)
     */
    if (!WPACKET_put_bytes_u16(pkt, TLS1_3_VERSION_DRAFT)
3655
            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
3656 3657
            || !tls_construct_extensions(s, pkt,
                                         SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
3658 3659
                                         NULL, 0, &al)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_RETRY_REQUEST, ERR_R_INTERNAL_ERROR);
3660
        goto err;
3661 3662 3663 3664 3665 3666 3667
    }

    /* Ditch the session. We'll create a new one next time around */
    SSL_SESSION_free(s->session);
    s->session = NULL;
    s->hit = 0;

3668 3669 3670 3671 3672 3673 3674
    /*
     * Re-initialise the Transcript Hash. We're going to prepopulate it with
     * a synthetic message_hash in place of ClientHello1.
     */
    if (!create_synthetic_message_hash(s))
        goto err;

3675
    return 1;
3676 3677 3678
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    return 0;
3679
}
3680 3681 3682 3683 3684 3685 3686 3687 3688 3689 3690 3691 3692 3693 3694 3695 3696 3697 3698 3699 3700 3701 3702 3703 3704 3705 3706 3707 3708 3709 3710 3711 3712 3713 3714 3715 3716 3717 3718 3719 3720 3721

MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
{
    int al = SSL_AD_INTERNAL_ERROR;

    if (PACKET_remaining(pkt) != 0) {
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, SSL_R_LENGTH_MISMATCH);
        ossl_statem_set_error(s);
        return MSG_PROCESS_ERROR;
    }

    if (s->early_data_state != SSL_EARLY_DATA_READING
            && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
        SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * EndOfEarlyData signals a key change so the end of the message must be on
     * a record boundary.
     */
    if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
        al = SSL_AD_UNEXPECTED_MESSAGE;
        SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
               SSL_R_NOT_ON_RECORD_BOUNDARY);
        goto err;
    }

    s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
    if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
        SSLerr(SSL_F_TLS_PROCESS_END_OF_EARLY_DATA, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    return MSG_PROCESS_CONTINUE_READING;
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
    ossl_statem_set_error(s);
    return MSG_PROCESS_ERROR;
}