statem_srvr.c 132.9 KB
Newer Older
R
Rich Salz 已提交
1
/*
2
 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4
 * Copyright 2005 Nokia. All rights reserved.
5
 *
R
Rich Salz 已提交
6 7 8 9
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
10
 */
R
Rich Salz 已提交
11

12
#include <stdio.h>
M
Matt Caswell 已提交
13
#include "../ssl_locl.h"
M
Matt Caswell 已提交
14
#include "statem_locl.h"
15
#include "internal/constant_time_locl.h"
16
#include "internal/cryptlib.h"
17 18 19 20
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
21
#include <openssl/hmac.h>
22
#include <openssl/x509.h>
R
Rich Salz 已提交
23
#include <openssl/dh.h>
24
#include <openssl/bn.h>
25
#include <openssl/md5.h>
26

M
Matt Caswell 已提交
27
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
M
Matt Caswell 已提交
28

M
Matt Caswell 已提交
29
/*
30 31 32 33 34
 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when a TLSv1.3 server is reading messages from
 * the client. The message type that the client has sent is provided in |mt|.
 * The current state is in |s->statem.hand_state|.
 *
35 36
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
37 38 39 40 41 42 43 44 45 46 47 48 49 50
 */
static int ossl_statem_server13_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * Note: There is no case for TLS_ST_BEFORE because at that stage we have
     * not negotiated TLSv1.3 yet, so that case is handled by
     * ossl_statem_server_read_transition()
     */
    switch (st->hand_state) {
    default:
        break;

51
    case TLS_ST_EARLY_DATA:
52
        if (s->hello_retry_request == SSL_HRR_PENDING) {
M
Matt Caswell 已提交
53 54 55 56 57 58
            if (mt == SSL3_MT_CLIENT_HELLO) {
                st->hand_state = TLS_ST_SR_CLNT_HELLO;
                return 1;
            }
            break;
        } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
59 60 61 62 63 64 65 66 67
            if (mt == SSL3_MT_END_OF_EARLY_DATA) {
                st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA;
                return 1;
            }
            break;
        }
        /* Fall through */

    case TLS_ST_SR_END_OF_EARLY_DATA:
68
    case TLS_ST_SW_FINISHED:
69 70 71 72 73 74
        if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        } else {
75 76
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
77 78 79 80 81 82 83
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT:
        if (s->session->peer == NULL) {
84 85
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
102 103

    case TLS_ST_OK:
104 105 106 107 108 109
        /*
         * Its never ok to start processing handshake messages in the middle of
         * early data (i.e. before we've received the end of early data alert)
         */
        if (s->early_data_state == SSL_EARLY_DATA_READING)
            break;
110 111 112 113 114 115 116

        if (mt == SSL3_MT_CERTIFICATE
                && s->post_handshake_auth == SSL_PHA_REQUESTED) {
            st->hand_state = TLS_ST_SR_CERT;
            return 1;
        }

117 118 119 120 121
        if (mt == SSL3_MT_KEY_UPDATE) {
            st->hand_state = TLS_ST_SR_KEY_UPDATE;
            return 1;
        }
        break;
122 123 124 125 126 127 128 129 130 131 132
    }

    /* No valid transition found */
    return 0;
}

/*
 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when the server is reading messages from the
 * client. The message type that the client has sent is provided in |mt|. The
 * current state is in |s->statem.hand_state|.
M
Matt Caswell 已提交
133
 *
134 135
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
M
Matt Caswell 已提交
136
 */
137
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
138
{
M
Matt Caswell 已提交
139
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
140

141
    if (SSL_IS_TLS13(s)) {
142 143 144 145
        if (!ossl_statem_server13_read_transition(s, mt))
            goto err;
        return 1;
    }
146

147
    switch (st->hand_state) {
R
Rich Salz 已提交
148 149 150
    default:
        break;

M
Matt Caswell 已提交
151
    case TLS_ST_BEFORE:
152
    case TLS_ST_OK:
M
Matt Caswell 已提交
153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
171 172 173
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            if (s->s3->tmp.cert_request) {
                if (s->version == SSL3_VERSION) {
174 175
                    if ((s->verify_mode & SSL_VERIFY_PEER)
                        && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
176 177
                        /*
                         * This isn't an unexpected message as such - we're just
178 179
                         * not going to accept it because we require a client
                         * cert.
180
                         */
181 182 183
                        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                                 SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
                                 SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
184 185 186 187 188 189 190 191 192
                        return 0;
                    }
                    st->hand_state = TLS_ST_SR_KEY_EXCH;
                    return 1;
                }
            } else {
                st->hand_state = TLS_ST_SR_KEY_EXCH;
                return 1;
            }
M
Matt Caswell 已提交
193 194 195 196
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
197
            }
M
Matt Caswell 已提交
198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
214
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
215 216
         * set.
         */
217
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
R
Rich Salz 已提交
245
        if (s->s3->npn_seen) {
M
Matt Caswell 已提交
246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;
    }

278
 err:
M
Matt Caswell 已提交
279
    /* No valid transition found */
280 281 282
    SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
             SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
             SSL_R_UNEXPECTED_MESSAGE);
M
Matt Caswell 已提交
283 284 285 286 287 288 289 290 291 292
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
293
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
294 295 296 297
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
298
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
299 300 301 302 303 304
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
E
Emilia Kasper 已提交
305
    if (alg_k & (SSL_kDHE | SSL_kECDHE)
M
Matt Caswell 已提交
306 307 308 309 310 311 312 313 314 315 316 317 318 319 320
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
E
Emilia Kasper 已提交
321
        ) {
M
Matt Caswell 已提交
322 323 324 325 326 327 328 329 330 331 332 333 334
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
335
int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
336 337 338 339
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
340 341 342 343 344 345
           /*
            * don't request if post-handshake-only unless doing
            * post-handshake in TLSv1.3:
            */
           && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE)
               || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING)
M
Matt Caswell 已提交
346 347
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
348
            * a second time:
M
Matt Caswell 已提交
349
            */
350
           && (s->certreqs_sent < 1 ||
M
Matt Caswell 已提交
351 352 353 354 355 356 357
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
E
Emilia Kasper 已提交
358 359 360 361 362
               /*
                * ... except when the application insists on
                * verification (against the specs, but statem_clnt.c accepts
                * this for SSL 3)
                */
M
Matt Caswell 已提交
363 364 365 366 367 368 369
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
370
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
371 372 373 374 375 376 377
        return 1;
    }

    return 0;
}

/*
378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393
 * ossl_statem_server13_write_transition() works out what handshake state to
 * move to next when a TLSv1.3 server is writing messages to be sent to the
 * client.
 */
static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

    /*
     * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
     * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
     */

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
394 395 396
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER13_WRITE_TRANSITION,
                 ERR_R_INTERNAL_ERROR);
397 398
        return WRITE_TRAN_ERROR;

399 400 401 402 403
    case TLS_ST_OK:
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
404 405 406 407
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
            return WRITE_TRAN_CONTINUE;
        }
408 409
        /* Try to read from the client instead */
        return WRITE_TRAN_FINISHED;
410

411
    case TLS_ST_SR_CLNT_HELLO:
M
Matt Caswell 已提交
412
        st->hand_state = TLS_ST_SW_SRVR_HELLO;
M
Matt Caswell 已提交
413
        return WRITE_TRAN_CONTINUE;
414

415
    case TLS_ST_SW_SRVR_HELLO:
416 417
        if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
                && s->hello_retry_request != SSL_HRR_COMPLETE)
418
            st->hand_state = TLS_ST_SW_CHANGE;
419 420
        else if (s->hello_retry_request == SSL_HRR_PENDING)
            st->hand_state = TLS_ST_EARLY_DATA;
421 422 423 424 425
        else
            st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CHANGE:
426 427 428 429
        if (s->hello_retry_request == SSL_HRR_PENDING)
            st->hand_state = TLS_ST_EARLY_DATA;
        else
            st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
M
Matt Caswell 已提交
430 431 432
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
433
        if (s->hit)
434 435 436
            st->hand_state = TLS_ST_SW_FINISHED;
        else if (send_certificate_request(s))
            st->hand_state = TLS_ST_SW_CERT_REQ;
437
        else
438
            st->hand_state = TLS_ST_SW_CERT;
439

440 441 442
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_REQ:
443 444 445 446 447 448
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            s->post_handshake_auth = SSL_PHA_REQUESTED;
            st->hand_state = TLS_ST_OK;
        } else {
            st->hand_state = TLS_ST_SW_CERT;
        }
449 450
        return WRITE_TRAN_CONTINUE;

451
    case TLS_ST_SW_CERT:
452 453 454 455
        st->hand_state = TLS_ST_SW_CERT_VRFY;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_VRFY:
456
        st->hand_state = TLS_ST_SW_FINISHED;
457 458 459
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
460 461
        st->hand_state = TLS_ST_EARLY_DATA;
        return WRITE_TRAN_CONTINUE;
462

463 464 465
    case TLS_ST_EARLY_DATA:
        return WRITE_TRAN_FINISHED;

466
    case TLS_ST_SR_FINISHED:
467 468 469 470 471 472 473 474
        /*
         * Technically we have finished the handshake at this point, but we're
         * going to remain "in_init" for now and write out the session ticket
         * immediately.
         * TODO(TLS1.3): Perhaps we need to be able to control this behaviour
         * and give the application the opportunity to delay sending the
         * session ticket?
         */
475 476
        if (s->post_handshake_auth == SSL_PHA_REQUESTED)
            s->post_handshake_auth = SSL_PHA_EXT_RECEIVED;
477 478 479
        st->hand_state = TLS_ST_SW_SESSION_TICKET;
        return WRITE_TRAN_CONTINUE;

480
    case TLS_ST_SR_KEY_UPDATE:
481 482 483 484 485 486
        if (s->key_update != SSL_KEY_UPDATE_NONE) {
            st->hand_state = TLS_ST_SW_KEY_UPDATE;
            return WRITE_TRAN_CONTINUE;
        }
        /* Fall through */

487
    case TLS_ST_SW_KEY_UPDATE:
488
    case TLS_ST_SW_SESSION_TICKET:
489 490 491 492 493 494 495 496
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
    }
}

/*
 * ossl_statem_server_write_transition() works out what handshake state to move
 * to next when the server is writing messages to be sent to the client.
M
Matt Caswell 已提交
497
 */
498
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
499
{
M
Matt Caswell 已提交
500
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
501

502 503 504 505 506
    /*
     * Note that before the ClientHello we don't know what version we are going
     * to negotiate yet, so we don't take this branch until later
     */

507
    if (SSL_IS_TLS13(s))
508 509
        return ossl_statem_server13_write_transition(s);

510
    switch (st->hand_state) {
R
Rich Salz 已提交
511 512
    default:
        /* Shouldn't happen */
513 514 515
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_WRITE_TRANSITION,
                 ERR_R_INTERNAL_ERROR);
R
Rich Salz 已提交
516 517
        return WRITE_TRAN_ERROR;

518 519 520 521 522 523 524
    case TLS_ST_OK:
        if (st->request_state == TLS_ST_SW_HELLO_REQ) {
            /* We must be trying to renegotiate */
            st->hand_state = TLS_ST_SW_HELLO_REQ;
            st->request_state = TLS_ST_BEFORE;
            return WRITE_TRAN_CONTINUE;
        }
525 526
        /* Must be an incoming ClientHello */
        if (!tls_setup_handshake(s)) {
527
            /* SSLfatal() already called */
528 529
            return WRITE_TRAN_ERROR;
        }
530 531
        /* Fall through */

532
    case TLS_ST_BEFORE:
E
Emilia Kasper 已提交
533
        /* Just go straight to trying to read from the client */
534
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
535

536 537 538
    case TLS_ST_SW_HELLO_REQ:
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
539

540 541
    case TLS_ST_SR_CLNT_HELLO:
        if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
542
            && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) {
543
            st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
544 545 546 547 548
        } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
            /* We must have rejected the renegotiation */
            st->hand_state = TLS_ST_OK;
            return WRITE_TRAN_CONTINUE;
        } else {
549
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
550
        }
551
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
552

553 554
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
555

556 557
    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
R
Rich Salz 已提交
558
            if (s->ext.ticket_expected)
559 560 561 562 563 564 565
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            else
                st->hand_state = TLS_ST_SW_CHANGE;
        } else {
            /* Check if it is anon DH or anon ECDH, */
            /* normal PSK or SRP */
            if (!(s->s3->tmp.new_cipher->algorithm_auth &
E
Emilia Kasper 已提交
566
                  (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
567 568
                st->hand_state = TLS_ST_SW_CERT;
            } else if (send_server_key_exchange(s)) {
M
Matt Caswell 已提交
569
                st->hand_state = TLS_ST_SW_KEY_EXCH;
570
            } else if (send_certificate_request(s)) {
M
Matt Caswell 已提交
571
                st->hand_state = TLS_ST_SW_CERT_REQ;
572 573
            } else {
                st->hand_state = TLS_ST_SW_SRVR_DONE;
M
Matt Caswell 已提交
574
            }
575 576
        }
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
577

578
    case TLS_ST_SW_CERT:
R
Rich Salz 已提交
579
        if (s->ext.status_expected) {
580
            st->hand_state = TLS_ST_SW_CERT_STATUS;
M
Matt Caswell 已提交
581
            return WRITE_TRAN_CONTINUE;
582 583
        }
        /* Fall through */
M
Matt Caswell 已提交
584

585 586 587
    case TLS_ST_SW_CERT_STATUS:
        if (send_server_key_exchange(s)) {
            st->hand_state = TLS_ST_SW_KEY_EXCH;
M
Matt Caswell 已提交
588
            return WRITE_TRAN_CONTINUE;
589 590
        }
        /* Fall through */
M
Matt Caswell 已提交
591

592 593 594
    case TLS_ST_SW_KEY_EXCH:
        if (send_certificate_request(s)) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
M
Matt Caswell 已提交
595
            return WRITE_TRAN_CONTINUE;
596 597
        }
        /* Fall through */
M
Matt Caswell 已提交
598

599 600 601
    case TLS_ST_SW_CERT_REQ:
        st->hand_state = TLS_ST_SW_SRVR_DONE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
602

603 604 605 606 607
    case TLS_ST_SW_SRVR_DONE:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        if (s->hit) {
M
Matt Caswell 已提交
608 609
            st->hand_state = TLS_ST_OK;
            return WRITE_TRAN_CONTINUE;
R
Rich Salz 已提交
610
        } else if (s->ext.ticket_expected) {
611 612 613 614 615 616 617 618 619
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        } else {
            st->hand_state = TLS_ST_SW_CHANGE;
        }
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        st->hand_state = TLS_ST_SW_CHANGE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
620

621 622 623 624 625 626 627 628 629 630
    case TLS_ST_SW_CHANGE:
        st->hand_state = TLS_ST_SW_FINISHED;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
        if (s->hit) {
            return WRITE_TRAN_FINISHED;
        }
        st->hand_state = TLS_ST_OK;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
631 632 633 634 635 636 637
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
638
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
639
{
M
Matt Caswell 已提交
640
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
641

642
    switch (st->hand_state) {
R
Rich Salz 已提交
643 644 645 646
    default:
        /* No pre work to be done */
        break;

M
Matt Caswell 已提交
647 648 649
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
650
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
651 652 653 654 655
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
656
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
657 658 659 660 661 662 663 664
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
F
FdaSilvaYY 已提交
665
             * Messages we write from now on should be buffered and
M
Matt Caswell 已提交
666 667 668 669 670 671 672 673
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
674 675
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
            /* Calls SSLfatal() as required */
M
Matt Caswell 已提交
676
            return dtls_wait_for_dry(s);
677
        }
M
Matt Caswell 已提交
678 679 680 681
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
682 683 684 685 686
        if (SSL_IS_TLS13(s)) {
            /*
             * Actually this is the end of the handshake, but we're going
             * straight into writing the session ticket out. So we finish off
             * the handshake, but keep the various buffers active.
687
             *
688
             * Calls SSLfatal as required.
689
             */
690
            return tls_finish_handshake(s, wst, 0, 0);
691
        } if (SSL_IS_DTLS(s)) {
M
Matt Caswell 已提交
692 693 694 695 696 697 698 699 700
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
701 702
        if (SSL_IS_TLS13(s))
            break;
M
Matt Caswell 已提交
703 704
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
705
            /* SSLfatal() already called */
M
Matt Caswell 已提交
706 707 708 709 710 711 712 713 714 715 716 717 718
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

719
    case TLS_ST_EARLY_DATA:
720 721
        if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING
                && (s->s3->flags & TLS1_FLAGS_STATELESS) == 0)
722 723 724
            return WORK_FINISHED_CONTINUE;
        /* Fall through */

M
Matt Caswell 已提交
725
    case TLS_ST_OK:
726
        /* Calls SSLfatal() as required */
727
        return tls_finish_handshake(s, wst, 1, 1);
M
Matt Caswell 已提交
728 729 730 731 732 733 734 735 736
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
737
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
738
{
M
Matt Caswell 已提交
739
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
740 741 742

    s->init_num = 0;

743
    switch (st->hand_state) {
R
Rich Salz 已提交
744 745 746 747
    default:
        /* No post work to be done */
        break;

M
Matt Caswell 已提交
748 749 750
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
751
        if (!ssl3_init_finished_mac(s)) {
752
            /* SSLfatal() already called */
753 754
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
755 756 757 758 759 760
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
761
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
762
            /* SSLfatal() already called */
763 764
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
765 766 767 768 769 770 771 772
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
773
        if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) {
M
Matt Caswell 已提交
774 775
            if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0
                    && statem_flush(s) != 1)
M
Matt Caswell 已提交
776 777 778
                return WORK_MORE_A;
            break;
        }
M
Matt Caswell 已提交
779 780 781 782 783 784 785 786 787
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
788 789
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
790 791

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
792 793 794
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
795 796 797
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_OSSL_STATEM_SERVER_POST_WORK,
                         ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
798 799 800 801 802 803 804
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
805
        if (!SSL_IS_TLS13(s)
806 807
                || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
                    && s->hello_retry_request != SSL_HRR_COMPLETE))
808 809 810 811
            break;
        /* Fall through */

    case TLS_ST_SW_CHANGE:
M
Matt Caswell 已提交
812 813 814
        if (s->hello_retry_request == SSL_HRR_PENDING) {
            if (!statem_flush(s))
                return WORK_MORE_A;
815
            break;
M
Matt Caswell 已提交
816
        }
817 818 819 820 821 822 823 824 825
        /*
         * TODO(TLS1.3): This actually causes a problem. We don't yet know
         * whether the next record we are going to receive is an unencrypted
         * alert, or an encrypted handshake message. We're going to need
         * something clever in the record layer for this.
         */
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->setup_key_block(s)
                || !s->method->ssl3_enc->change_cipher_state(s,
826 827
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
                /* SSLfatal() already called */
828
                return WORK_ERROR;
829
            }
830 831 832

            if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED
                && !s->method->ssl3_enc->change_cipher_state(s,
833 834
                        SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) {
                /* SSLfatal() already called */
835
                return WORK_ERROR;
836
            }
837
            break;
838
        }
M
Matt Caswell 已提交
839 840 841 842 843 844 845 846 847 848 849 850

#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
E
Emilia Kasper 已提交
851 852
                                                      SSL3_CHANGE_CIPHER_SERVER_WRITE))
        {
853
            /* SSLfatal() already called */
M
Matt Caswell 已提交
854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
879 880
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->generate_master_secret(s,
881
                        s->master_secret, s->handshake_secret, 0,
882 883 884
                        &s->session->master_key_length)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
885
            /* SSLfatal() already called */
886 887
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
888
        break;
889

890 891 892 893 894 895 896
    case TLS_ST_SW_CERT_REQ:
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            if (statem_flush(s) != 1)
                return WORK_MORE_A;
        }
        break;

897
    case TLS_ST_SW_KEY_UPDATE:
898 899
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
900 901
        if (!tls13_update_key(s, 1)) {
            /* SSLfatal() already called */
902
            return WORK_ERROR;
903
        }
904 905
        break;

906 907 908 909
    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
            return WORK_MORE_A;
        break;
M
Matt Caswell 已提交
910 911 912 913 914 915
    }

    return WORK_FINISHED_CONTINUE;
}

/*
916 917
 * Get the message construction function and message type for sending from the
 * server
M
Matt Caswell 已提交
918 919 920 921 922
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
923
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
924
                                         confunc_f *confunc, int *mt)
M
Matt Caswell 已提交
925
{
M
Matt Caswell 已提交
926
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
927

928 929 930
    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
931 932 933
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
                 SSL_R_BAD_HANDSHAKE_STATE);
934 935 936
        return 0;

    case TLS_ST_SW_CHANGE:
937
        if (SSL_IS_DTLS(s))
938
            *confunc = dtls_construct_change_cipher_spec;
939
        else
940 941
            *confunc = tls_construct_change_cipher_spec;
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
942
        break;
R
Rich Salz 已提交
943

944
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
945 946
        *confunc = dtls_construct_hello_verify_request;
        *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
947
        break;
M
Matt Caswell 已提交
948

949 950
    case TLS_ST_SW_HELLO_REQ:
        /* No construction function needed */
951 952
        *confunc = NULL;
        *mt = SSL3_MT_HELLO_REQUEST;
953
        break;
M
Matt Caswell 已提交
954

955
    case TLS_ST_SW_SRVR_HELLO:
956 957
        *confunc = tls_construct_server_hello;
        *mt = SSL3_MT_SERVER_HELLO;
958
        break;
M
Matt Caswell 已提交
959

960
    case TLS_ST_SW_CERT:
961 962
        *confunc = tls_construct_server_certificate;
        *mt = SSL3_MT_CERTIFICATE;
963
        break;
M
Matt Caswell 已提交
964

965 966 967 968 969 970
    case TLS_ST_SW_CERT_VRFY:
        *confunc = tls_construct_cert_verify;
        *mt = SSL3_MT_CERTIFICATE_VERIFY;
        break;


971
    case TLS_ST_SW_KEY_EXCH:
972 973
        *confunc = tls_construct_server_key_exchange;
        *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
974
        break;
M
Matt Caswell 已提交
975

976
    case TLS_ST_SW_CERT_REQ:
977 978
        *confunc = tls_construct_certificate_request;
        *mt = SSL3_MT_CERTIFICATE_REQUEST;
979
        break;
M
Matt Caswell 已提交
980

981
    case TLS_ST_SW_SRVR_DONE:
982 983
        *confunc = tls_construct_server_done;
        *mt = SSL3_MT_SERVER_DONE;
984
        break;
M
Matt Caswell 已提交
985

986
    case TLS_ST_SW_SESSION_TICKET:
987 988
        *confunc = tls_construct_new_session_ticket;
        *mt = SSL3_MT_NEWSESSION_TICKET;
989
        break;
M
Matt Caswell 已提交
990

991
    case TLS_ST_SW_CERT_STATUS:
992 993
        *confunc = tls_construct_cert_status;
        *mt = SSL3_MT_CERTIFICATE_STATUS;
994
        break;
M
Matt Caswell 已提交
995

996
    case TLS_ST_SW_FINISHED:
997 998
        *confunc = tls_construct_finished;
        *mt = SSL3_MT_FINISHED;
999
        break;
M
Matt Caswell 已提交
1000

1001 1002 1003 1004 1005
    case TLS_ST_EARLY_DATA:
        *confunc = NULL;
        *mt = SSL3_MT_DUMMY;
        break;

M
Matt Caswell 已提交
1006 1007 1008 1009
    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        *confunc = tls_construct_encrypted_extensions;
        *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
        break;
1010

1011 1012 1013 1014
    case TLS_ST_SW_KEY_UPDATE:
        *confunc = tls_construct_key_update;
        *mt = SSL3_MT_KEY_UPDATE;
        break;
1015
    }
M
Matt Caswell 已提交
1016

1017
    return 1;
M
Matt Caswell 已提交
1018 1019
}

1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036
/*
 * Maximum size (excluding the Handshake header) of a ClientHello message,
 * calculated as follows:
 *
 *  2 + # client_version
 *  32 + # only valid length for random
 *  1 + # length of session_id
 *  32 + # maximum size for session_id
 *  2 + # length of cipher suites
 *  2^16-2 + # maximum length of cipher suites array
 *  1 + # length of compression_methods
 *  2^8-1 + # maximum length of compression methods
 *  2 + # length of extensions
 *  2^16-1 # maximum length of extensions
 */
#define CLIENT_HELLO_MAX_LENGTH         131396

M
Matt Caswell 已提交
1037 1038 1039 1040 1041 1042 1043
#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
1044
size_t ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
1045
{
M
Matt Caswell 已提交
1046
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1047

1048
    switch (st->hand_state) {
R
Rich Salz 已提交
1049 1050 1051 1052
    default:
        /* Shouldn't happen */
        return 0;

M
Matt Caswell 已提交
1053
    case TLS_ST_SR_CLNT_HELLO:
1054
        return CLIENT_HELLO_MAX_LENGTH;
M
Matt Caswell 已提交
1055

1056 1057 1058
    case TLS_ST_SR_END_OF_EARLY_DATA:
        return END_OF_EARLY_DATA_MAX_LENGTH;

M
Matt Caswell 已提交
1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077
    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;
1078 1079 1080

    case TLS_ST_SR_KEY_UPDATE:
        return KEY_UPDATE_MAX_LENGTH;
M
Matt Caswell 已提交
1081 1082 1083 1084 1085 1086
    }
}

/*
 * Process a message that the server has received from the client.
 */
1087
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1088
{
M
Matt Caswell 已提交
1089
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1090

1091
    switch (st->hand_state) {
R
Rich Salz 已提交
1092 1093
    default:
        /* Shouldn't happen */
1094 1095 1096
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_PROCESS_MESSAGE,
                 ERR_R_INTERNAL_ERROR);
R
Rich Salz 已提交
1097 1098
        return MSG_PROCESS_ERROR;

M
Matt Caswell 已提交
1099 1100 1101
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

1102 1103 1104
    case TLS_ST_SR_END_OF_EARLY_DATA:
        return tls_process_end_of_early_data(s, pkt);

M
Matt Caswell 已提交
1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123
    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);
1124 1125 1126 1127

    case TLS_ST_SR_KEY_UPDATE:
        return tls_process_key_update(s, pkt);

M
Matt Caswell 已提交
1128 1129 1130 1131 1132 1133 1134
    }
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
1135
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1136
{
M
Matt Caswell 已提交
1137
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
1138

1139
    switch (st->hand_state) {
R
Rich Salz 已提交
1140 1141
    default:
        /* Shouldn't happen */
1142 1143 1144
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_OSSL_STATEM_SERVER_POST_PROCESS_MESSAGE,
                 ERR_R_INTERNAL_ERROR);
R
Rich Salz 已提交
1145 1146
        return WORK_ERROR;

M
Matt Caswell 已提交
1147 1148 1149 1150 1151 1152 1153 1154
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);
    }
}

B
Ben Laurie 已提交
1155
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1156 1157
/* Returns 1 on success, 0 for retryable error, -1 for fatal error */
static int ssl_check_srp_ext_ClientHello(SSL *s)
1158
{
M
Matt Caswell 已提交
1159 1160
    int ret;
    int al = SSL_AD_UNRECOGNIZED_NAME;
1161 1162 1163 1164 1165 1166 1167 1168

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
M
Matt Caswell 已提交
1169 1170 1171 1172
            SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
                     SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
                     SSL_R_PSK_IDENTITY_NOT_FOUND);
            return -1;
1173
        } else {
M
Matt Caswell 已提交
1174 1175 1176 1177 1178 1179 1180 1181 1182 1183
            ret = SSL_srp_server_param_with_username(s, &al);
            if (ret < 0)
                return 0;
            if (ret == SSL3_AL_FATAL) {
                SSLfatal(s, al, SSL_F_SSL_CHECK_SRP_EXT_CLIENTHELLO,
                         al == SSL_AD_UNKNOWN_PSK_IDENTITY
                         ? SSL_R_PSK_IDENTITY_NOT_FOUND
                         : SSL_R_CLIENTHELLO_TLSEXT);
                return -1;
            }
1184 1185
        }
    }
M
Matt Caswell 已提交
1186
    return 1;
1187
}
B
Ben Laurie 已提交
1188 1189
#endif

1190
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
M
Matt Caswell 已提交
1191
                                  size_t cookie_len)
M
Matt Caswell 已提交
1192 1193
{
    /* Always use DTLS 1.0 version: see RFC 6347 */
1194 1195 1196
    if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
            || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
        return 0;
M
Matt Caswell 已提交
1197

1198
    return 1;
M
Matt Caswell 已提交
1199 1200
}

1201
int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1202
{
M
Matt Caswell 已提交
1203
    unsigned int cookie_leni;
M
Matt Caswell 已提交
1204 1205
    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
M
Matt Caswell 已提交
1206 1207
                                  &cookie_leni) == 0 ||
        cookie_leni > 255) {
1208 1209
        SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
                 SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
M
Matt Caswell 已提交
1210 1211
        return 0;
    }
M
Matt Caswell 已提交
1212
    s->d1->cookie_len = cookie_leni;
M
Matt Caswell 已提交
1213

1214 1215
    if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
                                              s->d1->cookie_len)) {
1216 1217
        SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
                 ERR_R_INTERNAL_ERROR);
1218 1219
        return 0;
    }
M
Matt Caswell 已提交
1220 1221 1222 1223

    return 1;
}

1224 1225 1226 1227 1228 1229 1230 1231
#ifndef OPENSSL_NO_EC
/*-
 * ssl_check_for_safari attempts to fingerprint Safari using OS X
 * SecureTransport using the TLS extension block in |hello|.
 * Safari, since 10.6, sends exactly these extensions, in this order:
 *   SNI,
 *   elliptic_curves
 *   ec_point_formats
1232
 *   signature_algorithms (for TLSv1.2 only)
1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 1248 1249 1250 1251 1252 1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264
 *
 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
 * 10.8..10.8.3 (which don't work).
 */
static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello)
{
    static const unsigned char kSafariExtensionsBlock[] = {
        0x00, 0x0a,             /* elliptic_curves extension */
        0x00, 0x08,             /* 8 bytes */
        0x00, 0x06,             /* 6 bytes of curve ids */
        0x00, 0x17,             /* P-256 */
        0x00, 0x18,             /* P-384 */
        0x00, 0x19,             /* P-521 */

        0x00, 0x0b,             /* ec_point_formats */
        0x00, 0x02,             /* 2 bytes */
        0x01,                   /* 1 point format */
        0x00,                   /* uncompressed */
        /* The following is only present in TLS 1.2 */
        0x00, 0x0d,             /* signature_algorithms */
        0x00, 0x0c,             /* 12 bytes */
        0x00, 0x0a,             /* 10 bytes */
        0x05, 0x01,             /* SHA-384/RSA */
        0x04, 0x01,             /* SHA-256/RSA */
        0x02, 0x01,             /* SHA-1/RSA */
        0x04, 0x03,             /* SHA-256/ECDSA */
        0x02, 0x03,             /* SHA-1/ECDSA */
    };
    /* Length of the common prefix (first two extensions). */
    static const size_t kSafariCommonExtensionsLength = 18;
1265 1266 1267
    unsigned int type;
    PACKET sni, tmppkt;
    size_t ext_len;
1268 1269 1270 1271 1272 1273 1274

    tmppkt = hello->extensions;

    if (!PACKET_forward(&tmppkt, 2)
        || !PACKET_get_net_2(&tmppkt, &type)
        || !PACKET_get_length_prefixed_2(&tmppkt, &sni)) {
        return;
1275 1276
    }

1277 1278 1279 1280 1281 1282 1283 1284
    if (type != TLSEXT_TYPE_server_name)
        return;

    ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ?
        sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength;

    s->s3->is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock,
                                             ext_len);
1285
}
1286
#endif                          /* !OPENSSL_NO_EC */
1287

M
Matt Caswell 已提交
1288
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1289 1290
{
    /* |cookie| will only be initialized for DTLS. */
1291
    PACKET session_id, compression, extensions, cookie;
M
Matt Caswell 已提交
1292
    static const unsigned char null_compression = 0;
1293
    CLIENTHELLO_MSG *clienthello = NULL;
M
Matt Caswell 已提交
1294

1295 1296
    /* Check if this is actually an unexpected renegotiation ClientHello */
    if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) {
1297 1298 1299
        if (!ossl_assert(!SSL_IS_TLS13(s))) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
1300 1301
            goto err;
        }
1302 1303 1304 1305 1306 1307 1308
        if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0
                || (!s->s3->send_connection_binding
                    && (s->options
                        & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) {
            ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
            return MSG_PROCESS_FINISHED_READING;
        }
1309 1310 1311 1312
        s->renegotiate = 1;
        s->new_session = 1;
    }

1313 1314 1315 1316 1317 1318 1319
    clienthello = OPENSSL_zalloc(sizeof(*clienthello));
    if (clienthello == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

1320
    /*
1321
     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1322
     */
B
Benjamin Kaduk 已提交
1323
    clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
E
Emilia Kasper 已提交
1324
    PACKET_null_init(&cookie);
1325

B
Benjamin Kaduk 已提交
1326
    if (clienthello->isv2) {
M
Matt Caswell 已提交
1327
        unsigned int mt;
1328

1329 1330
        if (!SSL_IS_FIRST_HANDSHAKE(s)
                || s->hello_retry_request != SSL_HRR_NONE) {
1331 1332 1333
            SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                     SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNEXPECTED_MESSAGE);
            goto err;
1334 1335
        }

1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

1351
        if (!PACKET_get_1(pkt, &mt)
E
Emilia Kasper 已提交
1352
            || mt != SSL2_MT_CLIENT_HELLO) {
1353 1354 1355 1356 1357
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
1358 1359
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1360
            goto err;
1361 1362 1363
        }
    }

B
Benjamin Kaduk 已提交
1364
    if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) {
1365 1366
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                 SSL_R_LENGTH_TOO_SHORT);
1367
        goto err;
1368 1369
    }

1370
    /* Parse the message and load client random. */
B
Benjamin Kaduk 已提交
1371
    if (clienthello->isv2) {
1372 1373 1374
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
1375
         * Real SSLv2 is not supported, and is rejected below.
1376
         */
1377
        unsigned int ciphersuite_len, session_id_len, challenge_len;
1378
        PACKET challenge;
1379

1380
        if (!PACKET_get_net_2(pkt, &ciphersuite_len)
E
Emilia Kasper 已提交
1381 1382
            || !PACKET_get_net_2(pkt, &session_id_len)
            || !PACKET_get_net_2(pkt, &challenge_len)) {
1383 1384 1385
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_RECORD_LENGTH_MISMATCH);
            goto err;
1386
        }
1387

1388
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
1389 1390 1391
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto err;
1392 1393
        }

B
Benjamin Kaduk 已提交
1394
        if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites,
1395
                                   ciphersuite_len)
B
Benjamin Kaduk 已提交
1396
            || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len)
1397
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1398
            /* No extensions. */
1399
            || PACKET_remaining(pkt) != 0) {
1400 1401 1402
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_RECORD_LENGTH_MISMATCH);
            goto err;
M
Matt Caswell 已提交
1403
        }
B
Benjamin Kaduk 已提交
1404
        clienthello->session_id_len = session_id_len;
M
Matt Caswell 已提交
1405

1406
        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
B
Benjamin Kaduk 已提交
1407
         * here rather than sizeof(clienthello->random) because that is the limit
1408
         * for SSLv3 and it is fixed. It won't change even if
B
Benjamin Kaduk 已提交
1409
         * sizeof(clienthello->random) does.
1410 1411 1412
         */
        challenge_len = challenge_len > SSL3_RANDOM_SIZE
                        ? SSL3_RANDOM_SIZE : challenge_len;
B
Benjamin Kaduk 已提交
1413
        memset(clienthello->random, 0, SSL3_RANDOM_SIZE);
1414
        if (!PACKET_copy_bytes(&challenge,
B
Benjamin Kaduk 已提交
1415
                               clienthello->random + SSL3_RANDOM_SIZE -
D
David Benjamin 已提交
1416 1417 1418
                               challenge_len, challenge_len)
            /* Advertise only null compression. */
            || !PACKET_buf_init(&compression, &null_compression, 1)) {
1419 1420 1421
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
            goto err;
M
Matt Caswell 已提交
1422
        }
1423

B
Benjamin Kaduk 已提交
1424
        PACKET_null_init(&clienthello->extensions);
1425
    } else {
1426
        /* Regular ClientHello. */
B
Benjamin Kaduk 已提交
1427
        if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE)
1428
            || !PACKET_get_length_prefixed_1(pkt, &session_id)
B
Benjamin Kaduk 已提交
1429
            || !PACKET_copy_all(&session_id, clienthello->session_id,
1430
                    SSL_MAX_SSL_SESSION_ID_LENGTH,
B
Benjamin Kaduk 已提交
1431
                    &clienthello->session_id_len)) {
1432 1433 1434
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_LENGTH_MISMATCH);
            goto err;
M
Matt Caswell 已提交
1435
        }
1436

1437
        if (SSL_IS_DTLS(s)) {
1438
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1439 1440 1441
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                         SSL_R_LENGTH_MISMATCH);
                goto err;
1442
            }
B
Benjamin Kaduk 已提交
1443
            if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
1444
                                 DTLS1_COOKIE_LENGTH,
B
Benjamin Kaduk 已提交
1445
                                 &clienthello->dtls_cookie_len)) {
1446 1447 1448
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
                goto err;
1449
            }
1450 1451 1452 1453 1454 1455
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
B
Benjamin Kaduk 已提交
1456
                if (clienthello->dtls_cookie_len == 0)
1457
                    return MSG_PROCESS_FINISHED_READING;
1458
            }
1459
        }
1460

B
Benjamin Kaduk 已提交
1461
        if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) {
1462 1463 1464
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_LENGTH_MISMATCH);
            goto err;
1465 1466
        }

1467
        if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
1468 1469 1470
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                     SSL_R_LENGTH_MISMATCH);
            goto err;
1471
        }
1472

1473
        /* Could be empty. */
1474
        if (PACKET_remaining(pkt) == 0) {
B
Benjamin Kaduk 已提交
1475
            PACKET_null_init(&clienthello->extensions);
1476
        } else {
1477 1478
            if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions)
                    || PACKET_remaining(pkt) != 0) {
1479 1480 1481
                SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                         SSL_R_LENGTH_MISMATCH);
                goto err;
1482 1483 1484 1485
            }
        }
    }

B
Benjamin Kaduk 已提交
1486
    if (!PACKET_copy_all(&compression, clienthello->compressions,
1487
                         MAX_COMPRESSIONS_SIZE,
B
Benjamin Kaduk 已提交
1488
                         &clienthello->compressions_len)) {
1489 1490 1491
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_HELLO,
                 ERR_R_INTERNAL_ERROR);
        goto err;
1492 1493
    }

1494
    /* Preserve the raw extensions PACKET for later use */
B
Benjamin Kaduk 已提交
1495
    extensions = clienthello->extensions;
1496
    if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO,
1497
                                &clienthello->pre_proc_exts,
1498
                                &clienthello->pre_proc_exts_len, 1)) {
1499 1500
        /* SSLfatal already been called */
        goto err;
1501
    }
B
Benjamin Kaduk 已提交
1502
    s->clienthello = clienthello;
1503

B
Benjamin Kaduk 已提交
1504 1505
    return MSG_PROCESS_CONTINUE_PROCESSING;

1506
 err:
1507 1508
    if (clienthello != NULL)
        OPENSSL_free(clienthello->pre_proc_exts);
B
Benjamin Kaduk 已提交
1509 1510 1511 1512 1513
    OPENSSL_free(clienthello);

    return MSG_PROCESS_ERROR;
}

1514
static int tls_early_post_process_client_hello(SSL *s)
B
Benjamin Kaduk 已提交
1515 1516
{
    unsigned int j;
1517
    int i, al = SSL_AD_INTERNAL_ERROR;
B
Benjamin Kaduk 已提交
1518 1519 1520 1521 1522 1523 1524 1525 1526 1527
    int protverr;
    size_t loop;
    unsigned long id;
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
    STACK_OF(SSL_CIPHER) *scsvs = NULL;
    CLIENTHELLO_MSG *clienthello = s->clienthello;
1528
    DOWNGRADE dgrd = DOWNGRADE_NONE;
B
Benjamin Kaduk 已提交
1529

1530
    /* Finished parsing the ClientHello, now we can start processing it */
1531 1532 1533
    /* Give the ClientHello callback a crack at things */
    if (s->ctx->client_hello_cb != NULL) {
        /* A failure in the ClientHello callback terminates the connection. */
1534 1535 1536 1537
        switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) {
        case SSL_CLIENT_HELLO_SUCCESS:
            break;
        case SSL_CLIENT_HELLO_RETRY:
1538
            s->rwstate = SSL_CLIENT_HELLO_CB;
1539 1540 1541
            return -1;
        case SSL_CLIENT_HELLO_ERROR:
        default:
1542 1543 1544
            SSLfatal(s, al,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_CALLBACK_FAILED);
1545
            goto err;
B
Benjamin Kaduk 已提交
1546 1547
        }
    }
1548 1549

    /* Set up the client_random */
B
Benjamin Kaduk 已提交
1550
    memcpy(s->s3->client_random, clienthello->random, SSL3_RANDOM_SIZE);
1551 1552 1553

    /* Choose the version */

B
Benjamin Kaduk 已提交
1554 1555 1556
    if (clienthello->isv2) {
        if (clienthello->legacy_version == SSL2_VERSION
                || (clienthello->legacy_version & 0xff00)
1557 1558
                   != (SSL3_VERSION_MAJOR << 8)) {
            /*
1559
             * This is real SSLv2 or something completely unknown. We don't
1560 1561
             * support it.
             */
1562 1563 1564
            SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_UNKNOWN_PROTOCOL);
1565 1566
            goto err;
        }
1567
        /* SSLv3/TLS */
B
Benjamin Kaduk 已提交
1568
        s->client_version = clienthello->legacy_version;
1569 1570 1571 1572 1573 1574
    }
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
    if (!SSL_IS_DTLS(s)) {
1575
        protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1576
    } else if (s->method->version != DTLS_ANY_VERSION &&
B
Benjamin Kaduk 已提交
1577
               DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) {
1578 1579 1580 1581 1582 1583
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
        protverr = 0;
    }

    if (protverr) {
1584
        if (SSL_IS_FIRST_HANDSHAKE(s)) {
1585
            /* like ssl3_get_record, send alert using remote version number */
B
Benjamin Kaduk 已提交
1586
            s->version = s->client_version = clienthello->legacy_version;
1587
        }
1588 1589
        SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
B
Benjamin Kaduk 已提交
1590
        goto err;
1591 1592
    }

M
Matt Caswell 已提交
1593
    /* TLSv1.3 specifies that a ClientHello must end on a record boundary */
1594
    if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1595 1596 1597
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
1598 1599 1600
        goto err;
    }

1601 1602 1603 1604
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
B
Benjamin Kaduk 已提交
1605 1606
                if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie,
                        clienthello->dtls_cookie_len) == 0) {
1607 1608 1609
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_COOKIE_MISMATCH);
B
Benjamin Kaduk 已提交
1610
                    goto err;
1611 1612
                    /* else cookie verification succeeded */
                }
E
Emilia Kasper 已提交
1613
                /* default verification */
B
Benjamin Kaduk 已提交
1614 1615
            } else if (s->d1->cookie_len != clienthello->dtls_cookie_len
                    || memcmp(clienthello->dtls_cookie, s->d1->cookie,
1616
                              s->d1->cookie_len) != 0) {
1617 1618 1619
                SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_COOKIE_MISMATCH);
B
Benjamin Kaduk 已提交
1620
                goto err;
1621 1622 1623 1624
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
1625
            protverr = ssl_choose_server_version(s, clienthello, &dgrd);
1626 1627
            if (protverr != 0) {
                s->version = s->client_version;
1628 1629
                SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, protverr);
B
Benjamin Kaduk 已提交
1630
                goto err;
1631 1632 1633 1634
            }
        }
    }

1635 1636
    s->hit = 0;

1637
    if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites,
1638
                              clienthello->isv2) ||
1639
        !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs,
M
Matt Caswell 已提交
1640
                              clienthello->isv2, 1)) {
1641
        /* SSLfatal() already called */
1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652
        goto err;
    }

    s->s3->send_connection_binding = 0;
    /* Check what signalling cipher-suite values were received. */
    if (scsvs != NULL) {
        for(i = 0; i < sk_SSL_CIPHER_num(scsvs); i++) {
            c = sk_SSL_CIPHER_value(scsvs, i);
            if (SSL_CIPHER_get_id(c) == SSL3_CK_SCSV) {
                if (s->renegotiate) {
                    /* SCSV is fatal if renegotiating */
1653 1654 1655
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667
                    goto err;
                }
                s->s3->send_connection_binding = 1;
            } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV &&
                       !ssl_check_version_downgrade(s)) {
                /*
                 * This SCSV indicates that the client previously tried
                 * a higher version.  We should fail if the current version
                 * is an unexpected downgrade, as that indicates that the first
                 * connection may have been tampered with in order to trigger
                 * an insecure downgrade.
                 */
1668 1669 1670
                SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_INAPPROPRIATE_FALLBACK);
1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681
                goto err;
            }
        }
    }

    /* For TLSv1.3 we must select the ciphersuite *before* session resumption */
    if (SSL_IS_TLS13(s)) {
        const SSL_CIPHER *cipher =
            ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));

        if (cipher == NULL) {
1682 1683 1684
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_NO_SHARED_CIPHER);
1685 1686
            goto err;
        }
1687
        if (s->hello_retry_request == SSL_HRR_PENDING
1688 1689
                && (s->s3->tmp.new_cipher == NULL
                    || s->s3->tmp.new_cipher->id != cipher->id)) {
1690 1691 1692 1693
            /*
             * A previous HRR picked a different ciphersuite to the one we
             * just selected. Something must have changed.
             */
1694 1695 1696
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_BAD_CIPHER);
1697 1698 1699 1700 1701
            goto err;
        }
        s->s3->tmp.new_cipher = cipher;
    }

1702
    /* We need to do this before getting the session */
1703
    if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret,
1704
                             SSL_EXT_CLIENT_HELLO,
1705 1706
                             clienthello->pre_proc_exts, NULL, 0)) {
        /* SSLfatal() already called */
B
Benjamin Kaduk 已提交
1707
        goto err;
1708 1709
    }

1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725
    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
B
Benjamin Kaduk 已提交
1726
    if (clienthello->isv2 ||
1727 1728
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
1729 1730
        if (!ssl_get_new_session(s, 1)) {
            /* SSLfatal() already called */
1731
            goto err;
1732
        }
1733
    } else {
1734
        i = ssl_get_prev_session(s, clienthello);
1735
        if (i == 1) {
1736 1737 1738
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
1739
            /* SSLfatal() already called */
B
Benjamin Kaduk 已提交
1740
            goto err;
1741
        } else {
1742
            /* i == 0 */
1743 1744
            if (!ssl_get_new_session(s, 1)) {
                /* SSLfatal() already called */
1745
                goto err;
1746
            }
1747
        }
1748
    }
1749

1750 1751 1752 1753 1754 1755
    if (SSL_IS_TLS13(s)) {
        memcpy(s->tmp_session_id, s->clienthello->session_id,
               s->clienthello->session_id_len);
        s->tmp_session_id_len = s->clienthello->session_id_len;
    }

1756
    /*
1757 1758
     * If it is a hit, check that the cipher is in the list. In TLSv1.3 we check
     * ciphersuite compatibility with the session as part of resumption.
1759 1760
     */
    if (!SSL_IS_TLS13(s) && s->hit) {
1761 1762
        j = 0;
        id = s->session->cipher->id;
1763

1764
#ifdef CIPHER_DEBUG
E
Emilia Kasper 已提交
1765
        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
1766
#endif
1767 1768
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1769
#ifdef CIPHER_DEBUG
1770 1771
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1772
#endif
1773 1774 1775
            if (c->id == id) {
                j = 1;
                break;
1776
            }
1777
        }
1778
        if (j == 0) {
1779
            /*
1780 1781
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1782
             */
1783 1784 1785
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_REQUIRED_CIPHER_MISSING);
B
Benjamin Kaduk 已提交
1786
            goto err;
1787
        }
1788
    }
M
Matt Caswell 已提交
1789

B
Benjamin Kaduk 已提交
1790 1791
    for (loop = 0; loop < clienthello->compressions_len; loop++) {
        if (clienthello->compressions[loop] == 0)
1792
            break;
1793
    }
1794

B
Benjamin Kaduk 已提交
1795
    if (loop >= clienthello->compressions_len) {
1796
        /* no compress */
1797 1798 1799
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                 SSL_R_NO_COMPRESSION_SPECIFIED);
B
Benjamin Kaduk 已提交
1800
        goto err;
1801
    }
1802

1803 1804
#ifndef OPENSSL_NO_EC
    if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
B
Benjamin Kaduk 已提交
1805
        ssl_check_for_safari(s, clienthello);
1806 1807
#endif                          /* !OPENSSL_NO_EC */

1808
    /* TLS extensions */
1809
    if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO,
1810 1811
                                  clienthello->pre_proc_exts, NULL, 0, 1)) {
        /* SSLfatal() already called */
B
Benjamin Kaduk 已提交
1812
        goto err;
1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823
    }

    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
1824
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) {
1825 1826 1827
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
B
Benjamin Kaduk 已提交
1828
            goto err;
1829 1830 1831
        }
    }

1832 1833 1834 1835 1836
    if (!s->hit
            && s->version >= TLS1_VERSION
            && !SSL_IS_TLS13(s)
            && !SSL_IS_DTLS(s)
            && s->ext.session_secret_cb) {
1837
        const SSL_CIPHER *pref_cipher = NULL;
1838 1839 1840 1841 1842
        /*
         * s->session->master_key_length is a size_t, but this is an int for
         * backwards compat reasons
         */
        int master_key_length;
1843

1844
        master_key_length = sizeof(s->session->master_key);
R
Rich Salz 已提交
1845
        if (s->ext.session_secret_cb(s, s->session->master_key,
1846
                                     &master_key_length, ciphers,
1847
                                     &pref_cipher,
R
Rich Salz 已提交
1848
                                     s->ext.session_secret_cb_arg)
1849 1850
                && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
1851 1852 1853 1854 1855 1856 1857
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
D
Dr. Stephen Henson 已提交
1858 1859 1860
            if (pref_cipher == NULL)
                pref_cipher = ssl3_choose_cipher(s, s->session->ciphers,
                                                 SSL_get_ciphers(s));
1861
            if (pref_cipher == NULL) {
1862 1863 1864
                SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                         SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_NO_SHARED_CIPHER);
B
Benjamin Kaduk 已提交
1865
                goto err;
1866 1867 1868
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1869
            sk_SSL_CIPHER_free(s->cipher_list);
1870
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1871
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1872 1873 1874
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1875

1876 1877
    /*
     * Worst case, we will use the NULL compression, but if we have other
1878
     * options, we will now look for them.  We have complen-1 compression
1879 1880 1881
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1882 1883 1884 1885 1886 1887 1888
    if (SSL_IS_TLS13(s)) {
        /*
         * We already checked above that the NULL compression method appears in
         * the list. Now we check there aren't any others (which is illegal in
         * a TLSv1.3 ClientHello.
         */
        if (clienthello->compressions_len != 1) {
1889 1890 1891
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_INVALID_COMPRESSION_ALGORITHM);
1892 1893 1894
            goto err;
        }
    }
1895
#ifndef OPENSSL_NO_COMP
1896
    /* This only happens if we have a cache hit */
1897
    else if (s->session->compress_meth != 0) {
1898
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1899
        unsigned int k;
1900 1901 1902
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
1903 1904 1905
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_INCONSISTENT_COMPRESSION);
B
Benjamin Kaduk 已提交
1906
            goto err;
1907 1908 1909 1910 1911 1912 1913 1914 1915 1916
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
1917 1918 1919
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_INVALID_COMPRESSION_ALGORITHM);
B
Benjamin Kaduk 已提交
1920
            goto err;
1921 1922
        }
        /* Look for resumed method in compression list */
B
Benjamin Kaduk 已提交
1923 1924
        for (k = 0; k < clienthello->compressions_len; k++) {
            if (clienthello->compressions[k] == comp_id)
1925 1926
                break;
        }
B
Benjamin Kaduk 已提交
1927
        if (k >= clienthello->compressions_len) {
1928 1929 1930
            SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
B
Benjamin Kaduk 已提交
1931
            goto err;
1932
        }
1933
    } else if (s->hit) {
1934
        comp = NULL;
1935
    } else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1936
        /* See if we have a match */
M
Matt Caswell 已提交
1937 1938
        int m, nn, v, done = 0;
        unsigned int o;
1939 1940 1941 1942 1943

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
B
Benjamin Kaduk 已提交
1944 1945
            for (o = 0; o < clienthello->compressions_len; o++) {
                if (v == clienthello->compressions[o]) {
1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1958
#else
1959 1960 1961 1962 1963
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
1964 1965 1966
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                 SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                 SSL_R_INCONSISTENT_COMPRESSION);
B
Benjamin Kaduk 已提交
1967
        goto err;
1968
    }
1969
#endif
1970

1971 1972 1973
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1974

1975
    if (!s->hit || SSL_IS_TLS13(s)) {
R
Rich Salz 已提交
1976
        sk_SSL_CIPHER_free(s->session->ciphers);
1977 1978
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1979 1980 1981
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO,
                     ERR_R_INTERNAL_ERROR);
B
Benjamin Kaduk 已提交
1982
            goto err;
1983 1984
        }
        ciphers = NULL;
1985 1986 1987 1988 1989 1990 1991 1992
    }

    if (!s->hit) {
#ifdef OPENSSL_NO_COMP
        s->session->compress_meth = 0;
#else
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
#endif
1993
        if (!tls1_set_server_sigalgs(s)) {
1994
            /* SSLfatal() already called */
1995 1996
            goto err;
        }
M
Matt Caswell 已提交
1997 1998 1999
    }

    sk_SSL_CIPHER_free(ciphers);
B
Benjamin Kaduk 已提交
2000 2001 2002 2003 2004
    sk_SSL_CIPHER_free(scsvs);
    OPENSSL_free(clienthello->pre_proc_exts);
    OPENSSL_free(s->clienthello);
    s->clienthello = NULL;
    return 1;
M
Matt Caswell 已提交
2005 2006
 err:
    sk_SSL_CIPHER_free(ciphers);
B
Benjamin Kaduk 已提交
2007 2008 2009 2010
    sk_SSL_CIPHER_free(scsvs);
    OPENSSL_free(clienthello->pre_proc_exts);
    OPENSSL_free(s->clienthello);
    s->clienthello = NULL;
M
Matt Caswell 已提交
2011

B
Benjamin Kaduk 已提交
2012
    return 0;
M
Matt Caswell 已提交
2013 2014
}

2015 2016
/*
 * Call the status request callback if needed. Upon success, returns 1.
2017
 * Upon failure, returns 0.
2018
 */
2019
static int tls_handle_status_request(SSL *s)
2020
{
R
Rich Salz 已提交
2021
    s->ext.status_expected = 0;
2022 2023 2024 2025 2026 2027 2028

    /*
     * If status request then ask callback what to do. Note: this must be
     * called after servername callbacks in case the certificate has changed,
     * and must be called after the cipher has been chosen because this may
     * influence which certificate is sent
     */
R
Rich Salz 已提交
2029 2030
    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
            && s->ctx->ext.status_cb != NULL) {
2031
        int ret;
2032

2033
        /* If no certificate can't return certificate status */
2034
        if (s->s3->tmp.cert != NULL) {
2035 2036 2037 2038
            /*
             * Set current certificate to one we will use so SSL_get_certificate
             * et al can pick it up.
             */
2039
            s->cert->key = s->s3->tmp.cert;
R
Rich Salz 已提交
2040
            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2041 2042 2043
            switch (ret) {
                /* We don't want to send a status request response */
            case SSL_TLSEXT_ERR_NOACK:
R
Rich Salz 已提交
2044
                s->ext.status_expected = 0;
2045 2046 2047
                break;
                /* status request response should be sent */
            case SSL_TLSEXT_ERR_OK:
R
Rich Salz 已提交
2048 2049
                if (s->ext.ocsp.resp)
                    s->ext.status_expected = 1;
2050 2051 2052 2053
                break;
                /* something bad happened */
            case SSL_TLSEXT_ERR_ALERT_FATAL:
            default:
2054 2055 2056
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_HANDLE_STATUS_REQUEST,
                         SSL_R_CLIENTHELLO_TLSEXT);
2057 2058 2059 2060 2061 2062 2063 2064
                return 0;
            }
        }
    }

    return 1;
}

2065 2066
/*
 * Call the alpn_select callback if needed. Upon success, returns 1.
M
Matt Caswell 已提交
2067
 * Upon failure, returns 0.
2068
 */
2069
int tls_handle_alpn(SSL *s)
2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083
{
    const unsigned char *selected = NULL;
    unsigned char selected_len = 0;

    if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
        int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
                                           s->s3->alpn_proposed,
                                           (unsigned int)s->s3->alpn_proposed_len,
                                           s->ctx->ext.alpn_select_cb_arg);

        if (r == SSL_TLSEXT_ERR_OK) {
            OPENSSL_free(s->s3->alpn_selected);
            s->s3->alpn_selected = OPENSSL_memdup(selected, selected_len);
            if (s->s3->alpn_selected == NULL) {
2084 2085
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_HANDLE_ALPN,
                         ERR_R_INTERNAL_ERROR);
2086 2087 2088 2089 2090 2091 2092
                return 0;
            }
            s->s3->alpn_selected_len = selected_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
            /* ALPN takes precedence over NPN. */
            s->s3->npn_seen = 0;
#endif
2093

2094 2095
            /* Check ALPN is consistent with session */
            if (s->session->ext.alpn_selected == NULL
2096 2097
                        || selected_len != s->session->ext.alpn_selected_len
                        || memcmp(selected, s->session->ext.alpn_selected,
2098 2099
                                  selected_len) != 0) {
                /* Not consistent so can't be used for early_data */
2100 2101
                s->ext.early_data_ok = 0;

2102 2103 2104 2105 2106
                if (!s->hit) {
                    /* If a new session update it with the new ALPN value */
                    s->session->ext.alpn_selected = OPENSSL_memdup(selected,
                                                                   selected_len);
                    if (s->session->ext.alpn_selected == NULL) {
2107 2108 2109
                        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                                 SSL_F_TLS_HANDLE_ALPN,
                                 ERR_R_INTERNAL_ERROR);
2110 2111 2112 2113 2114 2115
                        return 0;
                    }
                    s->session->ext.alpn_selected_len = selected_len;
                }
            }

2116
            return 1;
2117
        } else if (r != SSL_TLSEXT_ERR_NOACK) {
2118 2119
            SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, SSL_F_TLS_HANDLE_ALPN,
                     SSL_R_NO_APPLICATION_PROTOCOL);
2120 2121
            return 0;
        }
2122 2123 2124 2125
        /*
         * If r == SSL_TLSEXT_ERR_NOACK then behave as if no callback was
         * present.
         */
2126 2127
    }

2128 2129 2130
    /* Check ALPN is consistent with session */
    if (s->session->ext.alpn_selected != NULL) {
        /* Not consistent so can't be used for early_data */
2131
        s->ext.early_data_ok = 0;
2132
    }
2133

2134 2135 2136
    return 1;
}

M
Matt Caswell 已提交
2137
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
2138
{
2139
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
2140 2141

    if (wst == WORK_MORE_A) {
2142
        int rv = tls_early_post_process_client_hello(s);
B
Benjamin Kaduk 已提交
2143
        if (rv == 0) {
2144 2145
            /* SSLfatal() was already called */
            goto err;
B
Benjamin Kaduk 已提交
2146 2147 2148 2149 2150 2151
        }
        if (rv < 0)
            return WORK_MORE_A;
        wst = WORK_MORE_B;
    }
    if (wst == WORK_MORE_B) {
2152
        if (!s->hit || SSL_IS_TLS13(s)) {
M
Matt Caswell 已提交
2153
            /* Let cert callback update server certificates if required */
2154
            if (!s->hit && s->cert->cert_cb != NULL) {
M
Matt Caswell 已提交
2155 2156
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
2157 2158 2159 2160
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_CERT_CB_ERROR);
                    goto err;
M
Matt Caswell 已提交
2161 2162 2163
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
B
Benjamin Kaduk 已提交
2164
                    return WORK_MORE_B;
M
Matt Caswell 已提交
2165 2166
                }
                s->rwstate = SSL_NOTHING;
2167
            }
M
Matt Caswell 已提交
2168

2169 2170 2171 2172 2173 2174
            /* In TLSv1.3 we selected the ciphersuite before resumption */
            if (!SSL_IS_TLS13(s)) {
                cipher =
                    ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));

                if (cipher == NULL) {
2175 2176 2177 2178
                    SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                             SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                             SSL_R_NO_SHARED_CIPHER);
                    goto err;
2179 2180
                }
                s->s3->tmp.new_cipher = cipher;
2181
            }
2182
            if (!s->hit) {
2183 2184 2185 2186
                if (!tls_choose_sigalg(s, 1)) {
                    /* SSLfatal already called */
                    goto err;
                }
2187 2188 2189
                /* check whether we should disable session resumption */
                if (s->not_resumable_session_cb != NULL)
                    s->session->not_resumable =
2190 2191 2192
                        s->not_resumable_session_cb(s,
                            ((s->s3->tmp.new_cipher->algorithm_mkey
                              & (SSL_kDHE | SSL_kECDHE)) != 0));
2193 2194 2195 2196
                if (s->session->not_resumable)
                    /* do not send a session ticket */
                    s->ext.ticket_expected = 0;
            }
M
Matt Caswell 已提交
2197 2198 2199
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
2200 2201
        }

M
Matt Caswell 已提交
2202 2203 2204
        /*-
         * we now have the following setup.
         * client_random
2205 2206
         * cipher_list          - our preferred list of ciphers
         * ciphers              - the clients preferred list of ciphers
M
Matt Caswell 已提交
2207 2208 2209 2210 2211 2212
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
2213

2214 2215 2216 2217
        /*
         * Call status_request callback if needed. Has to be done after the
         * certificate callbacks etc above.
         */
2218 2219 2220
        if (!tls_handle_status_request(s)) {
            /* SSLfatal() already called */
            goto err;
M
Matt Caswell 已提交
2221
        }
2222 2223
        /*
         * Call alpn_select callback if needed.  Has to be done after SNI and
2224 2225 2226
         * cipher negotiation (HTTP/2 restricts permitted ciphers). In TLSv1.3
         * we already did this because cipher negotiation happens earlier, and
         * we must handle ALPN before we decide whether to accept early_data.
2227
         */
2228 2229 2230
        if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) {
            /* SSLfatal() already called */
            goto err;
2231
        }
2232

B
Benjamin Kaduk 已提交
2233
        wst = WORK_MORE_C;
M
Matt Caswell 已提交
2234 2235
    }
#ifndef OPENSSL_NO_SRP
B
Benjamin Kaduk 已提交
2236
    if (wst == WORK_MORE_C) {
M
Matt Caswell 已提交
2237
        int ret;
M
Matt Caswell 已提交
2238
        if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) {
M
Matt Caswell 已提交
2239 2240 2241 2242
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
B
Benjamin Kaduk 已提交
2243
            return WORK_MORE_C;
M
Matt Caswell 已提交
2244
        }
M
Matt Caswell 已提交
2245 2246
        if (ret < 0) {
            /* SSLfatal() already called */
2247
            goto err;
2248 2249
        }
    }
M
Matt Caswell 已提交
2250
#endif
2251

M
Matt Caswell 已提交
2252
    return WORK_FINISHED_STOP;
2253
 err:
M
Matt Caswell 已提交
2254 2255 2256
    return WORK_ERROR;
}

2257
int tls_construct_server_hello(SSL *s, WPACKET *pkt)
2258
{
2259
    int compm;
2260
    size_t sl, len;
2261
    int version;
2262
    unsigned char *session_id;
2263
    int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING;
2264

M
Matt Caswell 已提交
2265
    version = usetls13 ? TLS1_2_VERSION : s->version;
2266
    if (!WPACKET_put_bytes_u16(pkt, version)
2267 2268 2269 2270
               /*
                * Random stuff. Filling of the server_random takes place in
                * tls_process_client_hello()
                */
M
Matt Caswell 已提交
2271
            || !WPACKET_memcpy(pkt,
2272
                               s->hello_retry_request == SSL_HRR_PENDING
M
Matt Caswell 已提交
2273 2274
                                   ? hrrrandom : s->s3->server_random,
                               SSL3_RANDOM_SIZE)) {
2275 2276 2277
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
                 ERR_R_INTERNAL_ERROR);
        return 0;
2278
    }
2279

M
Matt Caswell 已提交
2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
2292 2293
     * - In TLSv1.3 we echo back the session id sent to us by the client
     *   regardless
M
Matt Caswell 已提交
2294 2295 2296 2297 2298 2299 2300 2301 2302
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

M
Matt Caswell 已提交
2303
    if (usetls13) {
2304 2305 2306 2307 2308 2309 2310
        sl = s->tmp_session_id_len;
        session_id = s->tmp_session_id;
    } else {
        sl = s->session->session_id_length;
        session_id = s->session->session_id;
    }

2311
    if (sl > sizeof(s->session->session_id)) {
2312 2313 2314
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_SERVER_HELLO,
                 ERR_R_INTERNAL_ERROR);
        return 0;
M
Matt Caswell 已提交
2315
    }
2316

2317
    /* set up the compression method */
2318
#ifdef OPENSSL_NO_COMP
2319
    compm = 0;
2320
#else
M
Matt Caswell 已提交
2321
    if (usetls13 || s->s3->tmp.new_compression == NULL)
2322
        compm = 0;
M
Matt Caswell 已提交
2323
    else
2324
        compm = s->s3->tmp.new_compression->id;
2325
#endif
2326

M
Matt Caswell 已提交
2327
    if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl)
2328
            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
2329
            || !WPACKET_put_bytes_u8(pkt, compm)
2330
            || !tls_construct_extensions(s, pkt,
M
Matt Caswell 已提交
2331
                                         s->hello_retry_request
2332
                                            == SSL_HRR_PENDING
M
Matt Caswell 已提交
2333 2334 2335 2336
                                            ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST
                                            : (SSL_IS_TLS13(s)
                                                ? SSL_EXT_TLS1_3_SERVER_HELLO
                                                : SSL_EXT_TLS1_2_SERVER_HELLO),
2337 2338 2339
                                         NULL, 0)) {
        /* SSLfatal() already called */
        return 0;
2340
    }
2341

2342
    if (s->hello_retry_request == SSL_HRR_PENDING) {
M
Matt Caswell 已提交
2343 2344 2345 2346 2347 2348 2349 2350 2351
        /* Ditch the session. We'll create a new one next time around */
        SSL_SESSION_free(s->session);
        s->session = NULL;
        s->hit = 0;

        /*
         * Re-initialise the Transcript Hash. We're going to prepopulate it with
         * a synthetic message_hash in place of ClientHello1.
         */
2352
        if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
M
Matt Caswell 已提交
2353 2354 2355 2356 2357
            /* SSLfatal() already called */
            return 0;
        }
    } else if (!(s->verify_mode & SSL_VERIFY_PEER)
                && !ssl3_digest_cached_records(s, 0)) {
2358 2359
        /* SSLfatal() already called */;
        return 0;
2360 2361
    }

M
Matt Caswell 已提交
2362
    return 1;
2363
}
2364

2365
int tls_construct_server_done(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
2366 2367
{
    if (!s->s3->tmp.cert_request) {
2368
        if (!ssl3_digest_cached_records(s, 0)) {
2369
            /* SSLfatal() already called */
2370 2371
            return 0;
        }
M
Matt Caswell 已提交
2372 2373 2374 2375
    }
    return 1;
}

2376
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
2377
{
2378
#ifndef OPENSSL_NO_DH
2379
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
2380
#endif
2381
#ifndef OPENSSL_NO_EC
2382
    unsigned char *encodedPoint = NULL;
2383
    size_t encodedlen = 0;
2384
    int curve_id = 0;
2385
#endif
2386
    const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
2387
    int i;
2388
    unsigned long type;
2389
    const BIGNUM *r[4];
2390
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
2391
    EVP_PKEY_CTX *pctx = NULL;
2392 2393
    size_t paramlen, paramoffset;

2394
    if (!WPACKET_get_total_written(pkt, &paramoffset)) {
2395 2396 2397
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto err;
2398
    }
2399

2400
    if (md_ctx == NULL) {
2401 2402 2403
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        goto err;
2404
    }
2405

M
Matt Caswell 已提交
2406 2407 2408
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    r[0] = r[1] = r[2] = r[3] = NULL;
2409
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2410 2411 2412
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
2413
#endif                          /* !OPENSSL_NO_PSK */
2414
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
2415
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
2416 2417
        CERT *cert = s->cert;

2418 2419 2420
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
2421
        if (s->cert->dh_tmp_auto) {
2422 2423 2424 2425
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
2426 2427 2428 2429
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
                goto err;
2430
            }
2431 2432 2433 2434 2435 2436 2437 2438 2439
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
2440 2441 2442 2443
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
                goto err;
2444 2445 2446 2447
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
2448 2449 2450 2451
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_MISSING_TMP_DH_KEY);
            goto err;
M
Matt Caswell 已提交
2452 2453
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
2454
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
2455 2456 2457 2458
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_DH_KEY_TOO_SMALL);
            goto err;
M
Matt Caswell 已提交
2459
        }
2460
        if (s->s3->tmp.pkey != NULL) {
2461 2462 2463
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2464 2465
            goto err;
        }
2466

D
Dr. Stephen Henson 已提交
2467
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
2468
        if (s->s3->tmp.pkey == NULL) {
2469
            /* SSLfatal() already called */
2470
            goto err;
M
Matt Caswell 已提交
2471
        }
2472 2473 2474 2475 2476 2477

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
2478 2479
        DH_get0_pqg(dh, &r[0], NULL, &r[1]);
        DH_get0_key(dh, &r[2], NULL);
M
Matt Caswell 已提交
2480
    } else
2481
#endif
2482
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2483 2484
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {

D
Dr. Stephen Henson 已提交
2485
        if (s->s3->tmp.pkey != NULL) {
2486 2487 2488
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2489 2490 2491
            goto err;
        }

2492
        /* Get NID of appropriate shared curve */
2493
        curve_id = tls1_shared_group(s, -2);
2494
        if (curve_id == 0) {
2495 2496 2497
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
M
Matt Caswell 已提交
2498 2499
            goto err;
        }
2500
        s->s3->tmp.pkey = ssl_generate_pkey_group(s, curve_id);
D
Dr. Stephen Henson 已提交
2501 2502
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
2503 2504
            /* SSLfatal() already called */
            goto err;
2505 2506
        }

D
Dr. Stephen Henson 已提交
2507
        /* Encode the public key. */
2508 2509
        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
                                                    &encodedPoint);
M
Matt Caswell 已提交
2510
        if (encodedlen == 0) {
2511 2512
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
2513 2514
            goto err;
        }
2515

M
Matt Caswell 已提交
2516 2517 2518 2519 2520 2521 2522 2523 2524
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
2525
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
2526
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2527 2528 2529 2530
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
2531 2532 2533
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     SSL_R_MISSING_SRP_PARAM);
M
Matt Caswell 已提交
2534
            goto err;
2535
        }
M
Matt Caswell 已提交
2536 2537 2538 2539 2540 2541 2542
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
2543 2544 2545 2546
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                 SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto err;
M
Matt Caswell 已提交
2547
    }
2548

2549 2550 2551 2552
    if (((s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0)
        || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) {
        lu = NULL;
    } else if (lu == NULL) {
2553 2554 2555
        SSLfatal(s, SSL_AD_DECODE_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
        goto err;
M
Matt Caswell 已提交
2556
    }
2557

2558
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
2559
    if (type & SSL_PSK) {
2560 2561 2562 2563 2564 2565 2566 2567
        size_t len = (s->cert->psk_identity_hint == NULL)
                        ? 0 : strlen(s->cert->psk_identity_hint);

        /*
         * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
         * checked this when we set the identity hint - but just in case
         */
        if (len > PSK_MAX_IDENTITY_LEN
2568
                || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2569
                                           len)) {
2570 2571 2572 2573
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2574
        }
M
Matt Caswell 已提交
2575
    }
2576 2577
#endif

M
Matt Caswell 已提交
2578
    for (i = 0; i < 4 && r[i] != NULL; i++) {
2579 2580 2581
        unsigned char *binval;
        int res;

B
Ben Laurie 已提交
2582
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2583
        if ((i == 2) && (type & SSL_kSRP)) {
2584
            res = WPACKET_start_sub_packet_u8(pkt);
M
Matt Caswell 已提交
2585
        } else
2586
#endif
2587
            res = WPACKET_start_sub_packet_u16(pkt);
2588 2589

        if (!res) {
2590 2591 2592 2593
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2594 2595
        }

2596
#ifndef OPENSSL_NO_DH
E
Emilia Kasper 已提交
2597
        /*-
2598 2599 2600 2601 2602
         * for interoperability with some versions of the Microsoft TLS
         * stack, we need to zero pad the DHE pub key to the same length
         * as the prime
         */
        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2603
            size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
M
Matt Caswell 已提交
2604

2605
            if (len > 0) {
2606
                if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2607 2608 2609 2610
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                             ERR_R_INTERNAL_ERROR);
                    goto err;
2611 2612
                }
                memset(binval, 0, len);
2613
            }
2614
        }
B
Ben Laurie 已提交
2615
#endif
2616 2617
        if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
                || !WPACKET_close(pkt)) {
2618 2619 2620 2621
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2622 2623 2624
        }

        BN_bn2bin(r[i], binval);
M
Matt Caswell 已提交
2625
    }
2626

2627
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2628 2629
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
2630 2631 2632 2633
         * We only support named (not generic) curves. In this situation, the
         * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
         * [1 byte length of encoded point], followed by the actual encoded
         * point itself
M
Matt Caswell 已提交
2634
         */
2635 2636 2637 2638
        if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
                || !WPACKET_put_bytes_u8(pkt, 0)
                || !WPACKET_put_bytes_u8(pkt, curve_id)
                || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2639 2640 2641 2642
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2643
        }
M
Matt Caswell 已提交
2644 2645 2646
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
    }
B
Bodo Möller 已提交
2647 2648
#endif

M
Matt Caswell 已提交
2649
    /* not anonymous */
2650
    if (lu != NULL) {
2651
        EVP_PKEY *pkey = s->s3->tmp.cert->privatekey;
2652 2653 2654 2655
        const EVP_MD *md;
        unsigned char *sigbytes1, *sigbytes2, *tbs;
        size_t siglen, tbslen;
        int rv;
2656

D
Dr. Stephen Henson 已提交
2657
        if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
2658
            /* Should never happen */
2659 2660 2661 2662
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2663 2664 2665
        }
        /* Get length of the parameters we have written above */
        if (!WPACKET_get_length(pkt, &paramlen)) {
2666 2667 2668 2669
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2670 2671
        }
        /* send signature algorithm */
2672 2673 2674 2675 2676 2677
        if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
        }
2678 2679 2680 2681 2682 2683 2684 2685 2686
        /*
         * Create the signature. We don't know the actual length of the sig
         * until after we've created it, so we reserve enough bytes for it
         * up front, and then properly allocate them in the WPACKET
         * afterwards.
         */
        siglen = EVP_PKEY_size(pkey);
        if (!WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1)
            || EVP_DigestSignInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
2687 2688 2689 2690
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
2691 2692 2693 2694
        }
        if (lu->sig == EVP_PKEY_RSA_PSS) {
            if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
                || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, RSA_PSS_SALTLEN_DIGEST) <= 0) {
2695 2696 2697 2698
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                        ERR_R_EVP_LIB);
                goto err;
2699
            }
2700
        }
2701 2702 2703 2704
        tbslen = construct_key_exchange_tbs(s, &tbs,
                                            s->init_buf->data + paramoffset,
                                            paramlen);
        if (tbslen == 0) {
2705 2706
            /* SSLfatal() already called */
            goto err;
2707 2708 2709 2710
        }
        rv = EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen);
        OPENSSL_free(tbs);
        if (rv <= 0 || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2711
            || sigbytes1 != sigbytes2) {
2712 2713 2714 2715
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
M
Matt Caswell 已提交
2716
        }
2717 2718
    }

2719
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2720
    return 1;
2721
 err:
2722 2723 2724
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
2725
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2726
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
2727
#endif
2728
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2729
    return 0;
2730
}
2731

2732
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
2733
{
2734
    if (SSL_IS_TLS13(s)) {
2735 2736 2737 2738 2739 2740 2741 2742 2743 2744 2745 2746 2747 2748 2749 2750 2751 2752 2753 2754 2755 2756 2757 2758
        /* Send random context when doing post-handshake auth */
        if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) {
            OPENSSL_free(s->pha_context);
            s->pha_context_len = 32;
            if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL
                    || ssl_randbytes(s, s->pha_context, s->pha_context_len) <= 0
                    || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
            /* reset the handshake hash back to just after the ClientFinished */
            if (!tls13_restore_handshake_digest_for_pha(s)) {
                /* SSLfatal() already called */
                return 0;
            }
        } else {
            if (!WPACKET_put_bytes_u8(pkt, 0)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                         ERR_R_INTERNAL_ERROR);
                return 0;
            }
2759
        }
2760

2761 2762
        if (!tls_construct_extensions(s, pkt,
                                      SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL,
2763 2764 2765
                                      0)) {
            /* SSLfatal() already called */
            return 0;
2766
        }
2767 2768 2769 2770 2771 2772
        goto done;
    }

    /* get the list of acceptable cert types */
    if (!WPACKET_start_sub_packet_u8(pkt)
        || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) {
2773 2774 2775
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
2776
    }
2777

M
Matt Caswell 已提交
2778
    if (SSL_USE_SIGALGS(s)) {
2779
        const uint16_t *psigs;
2780
        size_t nl = tls12_get_psigalgs(s, 1, &psigs);
2781

2782
        if (!WPACKET_start_sub_packet_u16(pkt)
2783
                || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
2784 2785
                || !tls12_copy_sigalgs(s, pkt, psigs, nl)
                || !WPACKET_close(pkt)) {
2786 2787 2788 2789
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                     ERR_R_INTERNAL_ERROR);
            return 0;
2790
        }
M
Matt Caswell 已提交
2791
    }
2792

2793
    if (!construct_ca_names(s, pkt)) {
2794 2795
        /* SSLfatal() already called */
        return 0;
2796
    }
M
Matt Caswell 已提交
2797

2798
 done:
2799
    s->certreqs_sent++;
M
Matt Caswell 已提交
2800 2801
    s->s3->tmp.cert_request = 1;
    return 1;
2802
}
2803

2804
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2805
{
2806
#ifndef OPENSSL_NO_PSK
2807 2808 2809
    unsigned char psk[PSK_MAX_PSK_LEN];
    size_t psklen;
    PACKET psk_identity;
2810

2811
    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
2812 2813
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_LENGTH_MISMATCH);
2814 2815 2816
        return 0;
    }
    if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
2817 2818
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_DATA_LENGTH_TOO_LONG);
2819 2820 2821
        return 0;
    }
    if (s->psk_server_callback == NULL) {
2822 2823
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_PSK_NO_SERVER_CB);
2824 2825
        return 0;
    }
2826

2827
    if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
2828 2829
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 ERR_R_INTERNAL_ERROR);
2830 2831
        return 0;
    }
2832

2833
    psklen = s->psk_server_callback(s, s->session->psk_identity,
E
Emilia Kasper 已提交
2834
                                    psk, sizeof(psk));
2835

2836
    if (psklen > PSK_MAX_PSK_LEN) {
2837 2838
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 ERR_R_INTERNAL_ERROR);
2839 2840 2841 2842 2843
        return 0;
    } else if (psklen == 0) {
        /*
         * PSK related to the given identity not found
         */
2844 2845 2846
        SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY,
                 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
                 SSL_R_PSK_IDENTITY_NOT_FOUND);
2847 2848
        return 0;
    }
2849

2850 2851 2852
    OPENSSL_free(s->s3->tmp.psk);
    s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
    OPENSSL_cleanse(psk, psklen);
2853

2854
    if (s->s3->tmp.psk == NULL) {
2855 2856
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2857
        return 0;
2858
    }
2859 2860 2861 2862 2863 2864

    s->s3->tmp.psklen = psklen;

    return 1;
#else
    /* Should never happen */
2865 2866
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
             ERR_R_INTERNAL_ERROR);
2867
    return 0;
2868
#endif
2869 2870
}

2871
static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
2872
{
2873
#ifndef OPENSSL_NO_RSA
2874 2875 2876 2877 2878 2879 2880 2881 2882
    unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
    int decrypt_len;
    unsigned char decrypt_good, version_good;
    size_t j, padding_len;
    PACKET enc_premaster;
    RSA *rsa = NULL;
    unsigned char *rsa_decrypt = NULL;
    int ret = 0;

2883
    rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA].privatekey);
2884
    if (rsa == NULL) {
2885 2886
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 SSL_R_MISSING_RSA_CERTIFICATE);
2887 2888 2889 2890 2891 2892 2893 2894 2895
        return 0;
    }

    /* SSLv3 and pre-standard DTLS omit the length bytes. */
    if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
        enc_premaster = *pkt;
    } else {
        if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
            || PACKET_remaining(pkt) != 0) {
2896 2897
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                     SSL_R_LENGTH_MISMATCH);
2898
            return 0;
2899
        }
2900
    }
2901

2902 2903 2904 2905 2906 2907 2908
    /*
     * We want to be sure that the plaintext buffer size makes it safe to
     * iterate over the entire size of a premaster secret
     * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
     * their ciphertext cannot accommodate a premaster secret anyway.
     */
    if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
2909 2910
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 RSA_R_KEY_SIZE_TOO_SMALL);
2911 2912
        return 0;
    }
2913

2914 2915
    rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
    if (rsa_decrypt == NULL) {
2916 2917
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 ERR_R_MALLOC_FAILURE);
2918 2919
        return 0;
    }
2920

2921 2922 2923 2924 2925 2926 2927
    /*
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). The code follows that advice of the TLS RFC and
     * generates a random premaster secret for the case that the decrypt
     * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
     */
2928

2929 2930 2931 2932
    if (ssl_randbytes(s, rand_premaster_secret,
                      sizeof(rand_premaster_secret)) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 ERR_R_INTERNAL_ERROR);
2933
        goto err;
2934
    }
2935

2936 2937 2938 2939
    /*
     * Decrypt with no padding. PKCS#1 padding will be removed as part of
     * the timing-sensitive code below.
     */
2940 2941 2942 2943
     /* TODO(size_t): Convert this function */
    decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
                                           PACKET_data(&enc_premaster),
                                           rsa_decrypt, rsa, RSA_NO_PADDING);
2944 2945 2946
    if (decrypt_len < 0) {
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 ERR_R_INTERNAL_ERROR);
2947
        goto err;
2948
    }
2949

2950
    /* Check the padding. See RFC 3447, section 7.2.2. */
2951

2952 2953 2954 2955 2956 2957
    /*
     * The smallest padded premaster is 11 bytes of overhead. Small keys
     * are publicly invalid, so this may return immediately. This ensures
     * PS is at least 8 bytes.
     */
    if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
2958 2959
        SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
                 SSL_R_DECRYPTION_FAILED);
2960 2961
        goto err;
    }
2962

2963 2964
    padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
    decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
E
Emilia Kasper 已提交
2965
        constant_time_eq_int_8(rsa_decrypt[1], 2);
2966 2967 2968 2969
    for (j = 2; j < padding_len - 1; j++) {
        decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
    }
    decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
2970

2971 2972 2973 2974 2975 2976 2977 2978 2979 2980 2981 2982 2983 2984
    /*
     * If the version in the decrypted pre-master secret is correct then
     * version_good will be 0xff, otherwise it'll be zero. The
     * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
     * (http://eprint.iacr.org/2003/052/) exploits the version number
     * check as a "bad version oracle". Thus version checks are done in
     * constant time and are treated like any other decryption error.
     */
    version_good =
        constant_time_eq_8(rsa_decrypt[padding_len],
                           (unsigned)(s->client_version >> 8));
    version_good &=
        constant_time_eq_8(rsa_decrypt[padding_len + 1],
                           (unsigned)(s->client_version & 0xff));
2985

2986 2987 2988 2989 2990 2991 2992 2993 2994 2995 2996 2997 2998 2999
    /*
     * The premaster secret must contain the same version number as the
     * ClientHello to detect version rollback attacks (strangely, the
     * protocol does not offer such protection for DH ciphersuites).
     * However, buggy clients exist that send the negotiated protocol
     * version instead if the server does not support the requested
     * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
     * clients.
     */
    if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
        unsigned char workaround_good;
        workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
                                             (unsigned)(s->version >> 8));
        workaround_good &=
3000
            constant_time_eq_8(rsa_decrypt[padding_len + 1],
3001 3002 3003
                               (unsigned)(s->version & 0xff));
        version_good |= workaround_good;
    }
3004

3005 3006 3007 3008 3009
    /*
     * Both decryption and version must be good for decrypt_good to
     * remain non-zero (0xff).
     */
    decrypt_good &= version_good;
3010

3011 3012 3013 3014 3015 3016 3017 3018 3019 3020 3021 3022
    /*
     * Now copy rand_premaster_secret over from p using
     * decrypt_good_mask. If decryption failed, then p does not
     * contain valid plaintext, however, a check above guarantees
     * it is still sufficiently large to read from.
     */
    for (j = 0; j < sizeof(rand_premaster_secret); j++) {
        rsa_decrypt[padding_len + j] =
            constant_time_select_8(decrypt_good,
                                   rsa_decrypt[padding_len + j],
                                   rand_premaster_secret[j]);
    }
3023

3024 3025
    if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
                                    sizeof(rand_premaster_secret), 0)) {
3026
        /* SSLfatal() already called */
3027 3028
        goto err;
    }
3029

3030 3031 3032 3033 3034 3035
    ret = 1;
 err:
    OPENSSL_free(rsa_decrypt);
    return ret;
#else
    /* Should never happen */
3036 3037
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_RSA,
             ERR_R_INTERNAL_ERROR);
3038 3039 3040 3041
    return 0;
#endif
}

3042
static int tls_process_cke_dhe(SSL *s, PACKET *pkt)
3043 3044 3045 3046 3047 3048 3049 3050 3051 3052
{
#ifndef OPENSSL_NO_DH
    EVP_PKEY *skey = NULL;
    DH *cdh;
    unsigned int i;
    BIGNUM *pub_key;
    const unsigned char *data;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

D
Dr. Stephen Henson 已提交
3053
    if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
3054
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
3055 3056 3057 3058 3059
               SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
        goto err;
    }
    skey = s->s3->tmp.pkey;
    if (skey == NULL) {
3060 3061
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 SSL_R_MISSING_TMP_DH_KEY);
3062 3063 3064 3065
        goto err;
    }

    if (PACKET_remaining(pkt) == 0L) {
3066 3067
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 SSL_R_MISSING_TMP_DH_KEY);
3068 3069 3070 3071
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, i)) {
        /* We already checked we have enough data */
3072 3073
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 ERR_R_INTERNAL_ERROR);
3074 3075 3076 3077
        goto err;
    }
    ckey = EVP_PKEY_new();
    if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
3078 3079
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 SSL_R_BN_LIB);
3080 3081 3082 3083 3084 3085
        goto err;
    }
    cdh = EVP_PKEY_get0_DH(ckey);
    pub_key = BN_bin2bn(data, i, NULL);

    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
3086 3087
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
                 ERR_R_INTERNAL_ERROR);
3088 3089 3090 3091 3092
        if (pub_key != NULL)
            BN_free(pub_key);
        goto err;
    }

3093
    if (ssl_derive(s, skey, ckey, 1) == 0) {
3094
        /* SSLfatal() already called */
3095 3096 3097 3098 3099 3100 3101 3102 3103 3104 3105
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);
    return ret;
#else
    /* Should never happen */
3106 3107
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_DHE,
             ERR_R_INTERNAL_ERROR);
3108 3109 3110 3111
    return 0;
#endif
}

3112
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt)
3113 3114 3115 3116 3117 3118 3119 3120
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *skey = s->s3->tmp.pkey;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

    if (PACKET_remaining(pkt) == 0L) {
        /* We don't support ECDH client auth */
3121 3122
        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_CKE_ECDHE,
                 SSL_R_MISSING_TMP_ECDH_KEY);
3123 3124 3125 3126 3127 3128 3129 3130 3131 3132 3133
        goto err;
    } else {
        unsigned int i;
        const unsigned char *data;

        /*
         * Get client's public key from encoded point in the
         * ClientKeyExchange message.
         */

        /* Get encoded point length */
D
Dr. Stephen Henson 已提交
3134 3135
        if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
            || PACKET_remaining(pkt) != 0) {
3136 3137
            SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
                     SSL_R_LENGTH_MISMATCH);
3138 3139 3140 3141
            goto err;
        }
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
3142 3143
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
                     ERR_R_EVP_LIB);
3144 3145
            goto err;
        }
3146
        if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
3147 3148
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
                     ERR_R_EC_LIB);
3149 3150 3151 3152
            goto err;
        }
    }

3153
    if (ssl_derive(s, skey, ckey, 1) == 0) {
3154
        /* SSLfatal() already called */
3155 3156 3157 3158 3159 3160 3161 3162 3163 3164 3165 3166
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);

    return ret;
#else
    /* Should never happen */
3167 3168
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_ECDHE,
             ERR_R_INTERNAL_ERROR);
3169 3170 3171 3172
    return 0;
#endif
}

3173
static int tls_process_cke_srp(SSL *s, PACKET *pkt)
3174 3175 3176 3177 3178 3179
{
#ifndef OPENSSL_NO_SRP
    unsigned int i;
    const unsigned char *data;

    if (!PACKET_get_net_2(pkt, &i)
E
Emilia Kasper 已提交
3180
        || !PACKET_get_bytes(pkt, &data, i)) {
3181 3182
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
                 SSL_R_BAD_SRP_A_LENGTH);
3183 3184 3185
        return 0;
    }
    if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
3186 3187
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
                 ERR_R_BN_LIB);
3188 3189
        return 0;
    }
E
Emilia Kasper 已提交
3190
    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
3191 3192
        SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CKE_SRP,
                 SSL_R_BAD_SRP_PARAMETERS);
3193 3194 3195 3196 3197
        return 0;
    }
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
3198 3199
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
                 ERR_R_MALLOC_FAILURE);
3200 3201 3202 3203
        return 0;
    }

    if (!srp_generate_server_master_secret(s)) {
3204
        /* SSLfatal() already called */
3205 3206 3207 3208 3209 3210
        return 0;
    }

    return 1;
#else
    /* Should never happen */
3211 3212
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_SRP,
             ERR_R_INTERNAL_ERROR);
3213 3214 3215 3216
    return 0;
#endif
}

3217
static int tls_process_cke_gost(SSL *s, PACKET *pkt)
3218 3219 3220 3221 3222 3223 3224 3225 3226 3227
{
#ifndef OPENSSL_NO_GOST
    EVP_PKEY_CTX *pkey_ctx;
    EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
    unsigned char premaster_secret[32];
    const unsigned char *start;
    size_t outlen = 32, inlen;
    unsigned long alg_a;
    int Ttag, Tclass;
    long Tlen;
3228
    size_t sess_key_len;
3229 3230 3231 3232 3233 3234 3235 3236 3237 3238 3239 3240 3241 3242 3243 3244 3245 3246 3247 3248 3249 3250
    const unsigned char *data;
    int ret = 0;

    /* Get our certificate private key */
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
    if (alg_a & SSL_aGOST12) {
        /*
         * New GOST ciphersuites have SSL_aGOST01 bit too
         */
        pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
        }
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
        }
    } else if (alg_a & SSL_aGOST01) {
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

    pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
    if (pkey_ctx == NULL) {
3251 3252
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 ERR_R_MALLOC_FAILURE);
3253 3254 3255
        return 0;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
3256 3257
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 ERR_R_INTERNAL_ERROR);
3258 3259 3260 3261 3262 3263 3264 3265 3266 3267 3268 3269 3270 3271 3272 3273
        return 0;
    }
    /*
     * If client certificate is present and is of the same type, maybe
     * use it for key exchange.  Don't mind errors from
     * EVP_PKEY_derive_set_peer, because it is completely valid to use a
     * client certificate for authorization only.
     */
    client_pub_pkey = X509_get0_pubkey(s->session->peer);
    if (client_pub_pkey) {
        if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
            ERR_clear_error();
    }
    /* Decrypt session key */
    sess_key_len = PACKET_remaining(pkt);
    if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
3274 3275
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 ERR_R_INTERNAL_ERROR);
3276 3277
        goto err;
    }
3278
    /* TODO(size_t): Convert this function */
E
Emilia Kasper 已提交
3279
    if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
3280
                        &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
E
Emilia Kasper 已提交
3281
        || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
3282 3283
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 SSL_R_DECRYPTION_FAILED);
3284 3285 3286 3287
        goto err;
    }
    start = data;
    inlen = Tlen;
3288 3289 3290 3291
    if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start,
                         inlen) <= 0) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
                 SSL_R_DECRYPTION_FAILED);
3292 3293 3294 3295 3296
        goto err;
    }
    /* Generate master secret */
    if (!ssl_generate_master_secret(s, premaster_secret,
                                    sizeof(premaster_secret), 0)) {
3297
        /* SSLfatal() already called */
3298 3299 3300
        goto err;
    }
    /* Check if pubkey from client certificate was used */
3301 3302
    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
                          NULL) > 0)
3303 3304 3305 3306 3307 3308 3309 3310
        s->statem.no_cert_verify = 1;

    ret = 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    return ret;
#else
    /* Should never happen */
3311 3312
    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CKE_GOST,
             ERR_R_INTERNAL_ERROR);
3313 3314 3315 3316
    return 0;
#endif
}

3317 3318 3319 3320 3321 3322 3323
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    unsigned long alg_k;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* For PSK parse and retrieve identity, obtain PSK key */
3324 3325
    if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) {
        /* SSLfatal() already called */
3326
        goto err;
3327
    }
3328 3329 3330 3331

    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
3332 3333 3334
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                     SSL_R_LENGTH_MISMATCH);
3335
            goto err;
3336 3337 3338
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
3339
            /* SSLfatal() already called */
3340
            goto err;
M
Matt Caswell 已提交
3341
        }
3342
    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
3343 3344
        if (!tls_process_cke_rsa(s, pkt)) {
            /* SSLfatal() already called */
3345
            goto err;
3346
        }
3347
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
3348 3349
        if (!tls_process_cke_dhe(s, pkt)) {
            /* SSLfatal() already called */
3350
            goto err;
3351
        }
3352
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
3353 3354
        if (!tls_process_cke_ecdhe(s, pkt)) {
            /* SSLfatal() already called */
3355
            goto err;
3356
        }
3357
    } else if (alg_k & SSL_kSRP) {
3358 3359
        if (!tls_process_cke_srp(s, pkt)) {
            /* SSLfatal() already called */
3360
            goto err;
3361
        }
3362
    } else if (alg_k & SSL_kGOST) {
3363 3364
        if (!tls_process_cke_gost(s, pkt)) {
            /* SSLfatal() already called */
3365
            goto err;
3366
        }
3367
    } else {
3368 3369 3370
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                 SSL_R_UNKNOWN_CIPHER_TYPE);
3371
        goto err;
3372 3373
    }

M
Matt Caswell 已提交
3374
    return MSG_PROCESS_CONTINUE_PROCESSING;
3375
 err:
3376 3377 3378
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
3379
#endif
M
Matt Caswell 已提交
3380
    return MSG_PROCESS_ERROR;
3381
}
3382

M
Matt Caswell 已提交
3383
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
3384 3385
{
#ifndef OPENSSL_NO_SCTP
3386 3387 3388 3389 3390 3391 3392 3393
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
3394 3395
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
3396 3397

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
3398 3399 3400
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
3401 3402 3403
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                         ERR_R_INTERNAL_ERROR);
F
FdaSilvaYY 已提交
3404
                return WORK_ERROR;
3405
            }
3406

3407 3408
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
3409 3410 3411 3412
        }
    }
#endif

3413
    if (s->statem.no_cert_verify || !s->session->peer) {
E
Emilia Kasper 已提交
3414 3415 3416
        /*
         * No certificate verify or no peer certificate so we no longer need
         * the handshake_buffer
3417 3418
         */
        if (!ssl3_digest_cached_records(s, 0)) {
3419
            /* SSLfatal() already called */
3420 3421
            return WORK_ERROR;
        }
3422
        return WORK_FINISHED_CONTINUE;
3423
    } else {
3424
        if (!s->s3->handshake_buffer) {
3425 3426 3427
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                     ERR_R_INTERNAL_ERROR);
3428 3429 3430 3431 3432 3433 3434
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
3435
            /* SSLfatal() already called */
3436 3437 3438 3439 3440 3441 3442
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
3443
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3444
{
3445
    int i;
3446
    MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3447
    X509 *x = NULL;
3448
    unsigned long l;
E
Emilia Kasper 已提交
3449
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
3450
    STACK_OF(X509) *sk = NULL;
3451
    PACKET spkt, context;
3452
    size_t chainidx;
3453
    SSL_SESSION *new_sess = NULL;
3454 3455

    if ((sk = sk_X509_new_null()) == NULL) {
3456 3457 3458
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                 ERR_R_MALLOC_FAILURE);
        goto err;
3459 3460
    }

3461 3462 3463 3464 3465 3466 3467 3468 3469 3470
    if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context)
                            || (s->pha_context == NULL && PACKET_remaining(&context) != 0)
                            || (s->pha_context != NULL &&
                                !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) {
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                 SSL_R_INVALID_CONTEXT);
        goto err;
    }

    if (!PACKET_get_length_prefixed_3(pkt, &spkt)
3471
            || PACKET_remaining(pkt) != 0) {
3472 3473 3474
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                 SSL_R_LENGTH_MISMATCH);
        goto err;
3475
    }
3476

3477
    for (chainidx = 0; PACKET_remaining(&spkt) > 0; chainidx++) {
3478
        if (!PACKET_get_net_3(&spkt, &l)
E
Emilia Kasper 已提交
3479
            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3480 3481 3482 3483
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_CERT_LENGTH_MISMATCH);
            goto err;
3484 3485
        }

3486 3487
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3488
        if (x == NULL) {
3489 3490 3491
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto err;
3492
        }
3493
        if (certbytes != (certstart + l)) {
3494 3495 3496 3497
            SSLfatal(s, SSL_AD_DECODE_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_CERT_LENGTH_MISMATCH);
            goto err;
3498
        }
3499 3500 3501 3502 3503 3504

        if (SSL_IS_TLS13(s)) {
            RAW_EXTENSION *rawexts = NULL;
            PACKET extensions;

            if (!PACKET_get_length_prefixed_2(&spkt, &extensions)) {
3505 3506 3507 3508
                SSLfatal(s, SSL_AD_DECODE_ERROR,
                         SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                         SSL_R_BAD_LENGTH);
                goto err;
3509
            }
3510 3511
            if (!tls_collect_extensions(s, &extensions,
                                        SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
3512
                                        NULL, chainidx == 0)
3513
                || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
3514
                                             rawexts, x, chainidx,
3515
                                             PACKET_remaining(&spkt) == 0)) {
3516
                OPENSSL_free(rawexts);
3517
                goto err;
3518 3519
            }
            OPENSSL_free(rawexts);
3520 3521
        }

3522
        if (!sk_X509_push(sk, x)) {
3523 3524 3525 3526
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     ERR_R_MALLOC_FAILURE);
            goto err;
3527 3528 3529 3530 3531 3532 3533
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
3534 3535 3536 3537
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_NO_CERTIFICATES_RETURNED);
            goto err;
3538 3539 3540 3541
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
3542 3543 3544 3545
            SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            goto err;
3546 3547
        }
        /* No client certificate so digest cached records */
3548
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3549 3550
            /* SSLfatal() already called */
            goto err;
3551 3552 3553 3554 3555
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
3556 3557 3558 3559
            SSLfatal(s, ssl_verify_alarm_type(s->verify_result),
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto err;
3560 3561
        }
        if (i > 1) {
3562 3563 3564
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
            goto err;
3565
        }
3566
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
3567
        if (pkey == NULL) {
3568 3569 3570 3571
            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto err;
3572 3573 3574
        }
    }

3575 3576 3577 3578 3579 3580 3581 3582 3583 3584 3585 3586 3587 3588 3589 3590 3591 3592 3593 3594 3595 3596 3597 3598 3599 3600 3601 3602 3603
    /*
     * Sessions must be immutable once they go into the session cache. Otherwise
     * we can get multi-thread problems. Therefore we don't "update" sessions,
     * we replace them with a duplicate. Here, we need to do this every time
     * a new certificate is received via post-handshake authentication, as the
     * session may have already gone into the session cache.
     */

    if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
        int m = s->session_ctx->session_cache_mode;

        if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
                     ERR_R_MALLOC_FAILURE);
            goto err;
        }

        if (m & SSL_SESS_CACHE_SERVER) {
            /*
             * Remove the old session from the cache. We carry on if this fails
             */
            SSL_CTX_remove_session(s->session_ctx, s->session);
        }

        SSL_SESSION_free(s->session);
        s->session = new_sess;
    }

R
Rich Salz 已提交
3604
    X509_free(s->session->peer);
3605 3606 3607
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

3608 3609
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
3610

3611 3612 3613
    if (new_sess != NULL)
        ssl_update_cache(s, SSL_SESS_CACHE_SERVER);

3614 3615 3616 3617
    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
     * message
     */
3618
    if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
3619 3620
        /* SSLfatal() already called */
        goto err;
3621 3622
    }

3623 3624
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
M
Matt Caswell 已提交
3625
     * certificate, while we do include it in statem_clnt.c
3626 3627
     */
    sk = NULL;
3628 3629 3630 3631 3632 3633

    /* Save the current hash state for when we receive the CertificateVerify */
    if (SSL_IS_TLS13(s)
            && !ssl_handshake_hash(s, s->cert_verify_hash,
                                   sizeof(s->cert_verify_hash),
                                   &s->cert_verify_hash_len)) {
3634 3635
        /* SSLfatal() already called */
        goto err;
3636 3637
    }

M
Matt Caswell 已提交
3638
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
3639

3640
 err:
R
Rich Salz 已提交
3641 3642
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
3643
    return ret;
3644
}
3645

3646
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3647
{
3648
    CERT_PKEY *cpk = s->s3->tmp.cert;
M
Matt Caswell 已提交
3649

3650
    if (cpk == NULL) {
3651 3652
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3653 3654 3655
        return 0;
    }

3656 3657 3658 3659
    /*
     * In TLSv1.3 the certificate chain is always preceded by a 0 length context
     * for the server Certificate message
     */
3660 3661 3662 3663 3664 3665 3666
    if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }
    if (!ssl3_output_cert_chain(s, pkt, cpk)) {
        /* SSLfatal() already called */
M
Matt Caswell 已提交
3667 3668 3669 3670 3671 3672
        return 0;
    }

    return 1;
}

3673
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3674 3675
{
    unsigned char *senc = NULL;
3676
    EVP_CIPHER_CTX *ctx = NULL;
3677
    HMAC_CTX *hctx = NULL;
3678
    unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
M
Matt Caswell 已提交
3679
    const unsigned char *const_p;
3680
    int len, slen_full, slen, lenfinal;
M
Matt Caswell 已提交
3681 3682
    SSL_SESSION *sess;
    unsigned int hlen;
3683
    SSL_CTX *tctx = s->session_ctx;
M
Matt Caswell 已提交
3684
    unsigned char iv[EVP_MAX_IV_LENGTH];
K
Kurt Roeckx 已提交
3685
    unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
3686
    int iv_len;
3687
    size_t macoffset, macendoffset;
3688 3689 3690 3691
    union {
        unsigned char age_add_c[sizeof(uint32_t)];
        uint32_t age_add;
    } age_add_u;
M
Matt Caswell 已提交
3692

M
Matt Caswell 已提交
3693
    if (SSL_IS_TLS13(s)) {
3694 3695 3696 3697
        if (ssl_randbytes(s, age_add_u.age_add_c, sizeof(age_add_u)) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3698
            goto err;
3699
        }
M
Matt Caswell 已提交
3700
        s->session->ext.tick_age_add = age_add_u.age_add;
3701 3702 3703 3704 3705 3706 3707 3708
       /*
        * ticket_nonce is set to a single 0 byte because we only ever send a
        * single ticket per connection. IMPORTANT: If we ever support multiple
        * tickets per connection then this will need to be changed.
        */
        OPENSSL_free(s->session->ext.tick_nonce);
        s->session->ext.tick_nonce = OPENSSL_zalloc(sizeof(char));
        if (s->session->ext.tick_nonce == NULL) {
3709 3710 3711
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     ERR_R_MALLOC_FAILURE);
3712 3713 3714
            goto err;
        }
        s->session->ext.tick_nonce_len = 1;
3715
        s->session->time = (long)time(NULL);
3716 3717 3718 3719 3720
        if (s->s3->alpn_selected != NULL) {
            OPENSSL_free(s->session->ext.alpn_selected);
            s->session->ext.alpn_selected =
                OPENSSL_memdup(s->s3->alpn_selected, s->s3->alpn_selected_len);
            if (s->session->ext.alpn_selected == NULL) {
3721 3722 3723
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                         ERR_R_MALLOC_FAILURE);
3724 3725 3726 3727 3728
                goto err;
            }
            s->session->ext.alpn_selected_len = s->s3->alpn_selected_len;
        }
        s->session->ext.max_early_data = s->max_early_data;
M
Matt Caswell 已提交
3729 3730
    }

M
Matt Caswell 已提交
3731 3732 3733 3734 3735 3736 3737
    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
3738 3739
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
3740
        goto err;
M
Matt Caswell 已提交
3741 3742
    }
    senc = OPENSSL_malloc(slen_full);
3743
    if (senc == NULL) {
3744 3745
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
3746
        goto err;
M
Matt Caswell 已提交
3747
    }
3748

3749
    ctx = EVP_CIPHER_CTX_new();
3750
    hctx = HMAC_CTX_new();
3751
    if (ctx == NULL || hctx == NULL) {
3752 3753
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
3754 3755
        goto err;
    }
3756
    EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
3757

M
Matt Caswell 已提交
3758
    p = senc;
3759 3760 3761
    if (!i2d_SSL_SESSION(s->session, &p)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3762
        goto err;
3763
    }
M
Matt Caswell 已提交
3764

M
Matt Caswell 已提交
3765 3766 3767 3768 3769
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
3770 3771 3772
    if (sess == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3773
        goto err;
3774
    }
M
Matt Caswell 已提交
3775
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3776

M
Matt Caswell 已提交
3777
    slen = i2d_SSL_SESSION(sess, NULL);
3778 3779 3780 3781
    if (slen == 0 || slen > slen_full) {
        /* shouldn't ever happen */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3782 3783 3784 3785 3786
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
3787 3788
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3789 3790 3791 3792
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3793

M
Matt Caswell 已提交
3794 3795 3796 3797
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
R
Rich Salz 已提交
3798
    if (tctx->ext.ticket_key_cb) {
T
Todd Short 已提交
3799
        /* if 0 is returned, write an empty ticket */
R
Rich Salz 已提交
3800
        int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
T
Todd Short 已提交
3801 3802 3803
                                             hctx, 1);

        if (ret == 0) {
3804 3805

            /* Put timeout and length */
3806
            if (!WPACKET_put_bytes_u32(pkt, 0)
3807
                    || !WPACKET_put_bytes_u16(pkt, 0)) {
3808 3809 3810
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                         ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
3811
                goto err;
3812
            }
T
Todd Short 已提交
3813 3814 3815 3816 3817
            OPENSSL_free(senc);
            EVP_CIPHER_CTX_free(ctx);
            HMAC_CTX_free(hctx);
            return 1;
        }
3818 3819 3820 3821
        if (ret < 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     SSL_R_CALLBACK_FAILED);
M
Matt Caswell 已提交
3822
            goto err;
3823
        }
K
Kurt Roeckx 已提交
3824
        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3825
    } else {
K
Kurt Roeckx 已提交
3826 3827 3828
        const EVP_CIPHER *cipher = EVP_aes_256_cbc();

        iv_len = EVP_CIPHER_iv_length(cipher);
3829 3830 3831 3832 3833 3834 3835 3836 3837
        if (ssl_randbytes(s, iv, iv_len) <= 0
                || !EVP_EncryptInit_ex(ctx, cipher, NULL,
                                       tctx->ext.tick_aes_key, iv)
                || !HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
                                 sizeof(tctx->ext.tick_hmac_key),
                                 EVP_sha256(), NULL)) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                     SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                     ERR_R_INTERNAL_ERROR);
3838
            goto err;
3839
        }
R
Rich Salz 已提交
3840 3841
        memcpy(key_name, tctx->ext.tick_key_name,
               sizeof(tctx->ext.tick_key_name));
3842 3843
    }

M
Matt Caswell 已提交
3844
    /*
3845 3846 3847 3848
     * Ticket lifetime hint: For TLSv1.2 this is advisory only and we leave this
     * unspecified for resumed session (for simplicity).
     * In TLSv1.3 we reset the "time" field above, and always specify the
     * timeout.
M
Matt Caswell 已提交
3849
     */
3850 3851 3852
    if (!WPACKET_put_bytes_u32(pkt,
                               (s->hit && !SSL_IS_TLS13(s))
                               ? 0 : s->session->timeout)
3853
            || (SSL_IS_TLS13(s)
3854
                && (!WPACKET_put_bytes_u32(pkt, age_add_u.age_add)
3855 3856
                    || !WPACKET_sub_memcpy_u8(pkt, s->session->ext.tick_nonce,
                                              s->session->ext.tick_nonce_len)))
3857
               /* Now the actual ticket data */
3858 3859
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_get_total_written(pkt, &macoffset)
3860
               /* Output key name */
3861
            || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3862
               /* output IV */
3863 3864
            || !WPACKET_memcpy(pkt, iv, iv_len)
            || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3865 3866 3867
                                      &encdata1)
               /* Encrypt session data */
            || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3868
            || !WPACKET_allocate_bytes(pkt, len, &encdata2)
3869 3870
            || encdata1 != encdata2
            || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
3871
            || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
3872 3873
            || encdata1 + len != encdata2
            || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
3874
            || !WPACKET_get_total_written(pkt, &macendoffset)
3875 3876 3877
            || !HMAC_Update(hctx,
                            (unsigned char *)s->init_buf->data + macoffset,
                            macendoffset - macoffset)
3878
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
3879 3880
            || !HMAC_Final(hctx, macdata1, &hlen)
            || hlen > EVP_MAX_MD_SIZE
3881
            || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
3882
            || macdata1 != macdata2
3883
            || !WPACKET_close(pkt)) {
3884 3885
        SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                 SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3886
        goto err;
3887
    }
3888 3889 3890 3891 3892 3893 3894
    if (SSL_IS_TLS13(s)
            && !tls_construct_extensions(s, pkt,
                                         SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
                                         NULL, 0)) {
        /* SSLfatal() already called */
        goto err;
    }
D
Dr. Stephen Henson 已提交
3895 3896
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3897 3898 3899
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3900
 err:
R
Rich Salz 已提交
3901
    OPENSSL_free(senc);
3902
    EVP_CIPHER_CTX_free(ctx);
3903
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3904
    return 0;
3905
}
3906

3907 3908 3909 3910 3911
/*
 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
 * create a separate message. Returns 1 on success or 0 on failure.
 */
int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3912
{
3913 3914 3915
    if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
            || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
                                       s->ext.ocsp.resp_len)) {
3916 3917
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_STATUS_BODY,
                 ERR_R_INTERNAL_ERROR);
3918 3919 3920 3921 3922 3923 3924 3925 3926
        return 0;
    }

    return 1;
}

int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
    if (!tls_construct_cert_status_body(s, pkt)) {
3927
        /* SSLfatal() already called */
3928 3929
        return 0;
    }
M
Matt Caswell 已提交
3930 3931 3932 3933

    return 1;
}

3934
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3935 3936 3937 3938
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3939
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3940
{
3941
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3942 3943
    size_t next_proto_len;

3944 3945 3946 3947 3948 3949 3950
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3951 3952 3953
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
3954 3955 3956
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
                 SSL_R_LENGTH_MISMATCH);
        return MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3957
    }
3958

R
Rich Salz 已提交
3959 3960
    if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
        s->ext.npn_len = 0;
3961 3962 3963
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEXT_PROTO,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3964 3965
    }

R
Rich Salz 已提交
3966
    s->ext.npn_len = (unsigned char)next_proto_len;
3967

M
Matt Caswell 已提交
3968
    return MSG_PROCESS_CONTINUE_READING;
3969
}
3970
#endif
M
Matt Caswell 已提交
3971

M
Matt Caswell 已提交
3972 3973
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
3974
    if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
3975 3976
                                  NULL, 0)) {
        /* SSLfatal() already called */
M
Matt Caswell 已提交
3977 3978 3979 3980 3981 3982
        return 0;
    }

    return 1;
}

3983 3984 3985
MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt)
{
    if (PACKET_remaining(pkt) != 0) {
3986 3987
        SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
                 SSL_R_LENGTH_MISMATCH);
3988 3989 3990 3991 3992
        return MSG_PROCESS_ERROR;
    }

    if (s->early_data_state != SSL_EARLY_DATA_READING
            && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) {
3993 3994 3995
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
                 ERR_R_INTERNAL_ERROR);
        return MSG_PROCESS_ERROR;
3996 3997 3998 3999 4000 4001 4002
    }

    /*
     * EndOfEarlyData signals a key change so the end of the message must be on
     * a record boundary.
     */
    if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
4003 4004 4005 4006
        SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
                 SSL_F_TLS_PROCESS_END_OF_EARLY_DATA,
                 SSL_R_NOT_ON_RECORD_BOUNDARY);
        return MSG_PROCESS_ERROR;
4007 4008 4009 4010 4011
    }

    s->early_data_state = SSL_EARLY_DATA_FINISHED_READING;
    if (!s->method->ssl3_enc->change_cipher_state(s,
                SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) {
4012 4013
        /* SSLfatal() already called */
        return MSG_PROCESS_ERROR;
4014 4015 4016 4017
    }

    return MSG_PROCESS_CONTINUE_READING;
}