statem_srvr.c 111.7 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
R
Rich Salz 已提交
9

B
Bodo Möller 已提交
10 11 12
/* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
13
 * Portions of the attached software ("Contribution") are developed by
B
Bodo Möller 已提交
14 15 16 17 18 19 20 21 22
 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
 *
 * The Contribution is licensed pursuant to the OpenSSL open source
 * license provided above.
 *
 * ECC cipher suite support in OpenSSL originally written by
 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
 *
 */
23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
49 50

#include <stdio.h>
M
Matt Caswell 已提交
51
#include "../ssl_locl.h"
M
Matt Caswell 已提交
52
#include "statem_locl.h"
53
#include "internal/constant_time_locl.h"
54 55 56 57
#include <openssl/buffer.h>
#include <openssl/rand.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
58
#include <openssl/hmac.h>
59
#include <openssl/x509.h>
R
Rich Salz 已提交
60
#include <openssl/dh.h>
61
#include <openssl/bn.h>
62
#include <openssl/md5.h>
63

M
Matt Caswell 已提交
64
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
65 66
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                      PACKET *cipher_suites,
E
Emilia Kasper 已提交
67 68 69
                                                      STACK_OF(SSL_CIPHER)
                                                      **skp, int sslv2format,
                                                      int *al);
M
Matt Caswell 已提交
70

M
Matt Caswell 已提交
71
/*
72 73 74 75 76
 * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when a TLSv1.3 server is reading messages from
 * the client. The message type that the client has sent is provided in |mt|.
 * The current state is in |s->statem.hand_state|.
 *
77 78
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
79 80 81 82 83
 */
static int ossl_statem_server13_read_transition(SSL *s, int mt)
{
    OSSL_STATEM *st = &s->statem;

84 85 86 87 88
    /*
     * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
     * we will update this to look more like real TLSv1.3
     */

89 90 91 92 93 94 95 96 97
    /*
     * Note: There is no case for TLS_ST_BEFORE because at that stage we have
     * not negotiated TLSv1.3 yet, so that case is handled by
     * ossl_statem_server_read_transition()
     */
    switch (st->hand_state) {
    default:
        break;

98
    case TLS_ST_SW_FINISHED:
99 100 101 102 103 104
        if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        } else {
105 106
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
107 108 109 110 111 112 113
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT:
        if (s->session->peer == NULL) {
114 115
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
    }

    /* No valid transition found */
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
    SSLerr(SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION,
           SSL_R_UNEXPECTED_MESSAGE);
    return 0;
}

/*
 * ossl_statem_server_read_transition() encapsulates the logic for the allowed
 * handshake state transitions when the server is reading messages from the
 * client. The message type that the client has sent is provided in |mt|. The
 * current state is in |s->statem.hand_state|.
M
Matt Caswell 已提交
146
 *
147 148
 * Return values are 1 for success (transition allowed) and  0 on error
 * (transition not allowed)
M
Matt Caswell 已提交
149
 */
150
int ossl_statem_server_read_transition(SSL *s, int mt)
M
Matt Caswell 已提交
151
{
M
Matt Caswell 已提交
152
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
153

154
    if (SSL_IS_TLS13(s)) {
155 156 157 158
        if (!ossl_statem_server13_read_transition(s, mt))
            goto err;
        return 1;
    }
159

160
    switch (st->hand_state) {
R
Rich Salz 已提交
161 162 163
    default:
        break;

M
Matt Caswell 已提交
164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182
    case TLS_ST_BEFORE:
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (mt == SSL3_MT_CLIENT_HELLO) {
            st->hand_state = TLS_ST_SR_CLNT_HELLO;
            return 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
        /*
         * If we get a CKE message after a ServerDone then either
         * 1) We didn't request a Certificate
         * OR
         * 2) If we did request one then
         *      a) We allow no Certificate to be returned
         *      AND
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
183 184 185
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            if (s->s3->tmp.cert_request) {
                if (s->version == SSL3_VERSION) {
186 187
                    if ((s->verify_mode & SSL_VERIFY_PEER)
                        && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
188 189
                        /*
                         * This isn't an unexpected message as such - we're just
190 191
                         * not going to accept it because we require a client
                         * cert.
192 193 194
                         */
                        ssl3_send_alert(s, SSL3_AL_FATAL,
                                        SSL3_AD_HANDSHAKE_FAILURE);
195
                        SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
196 197 198 199 200 201 202 203 204 205
                               SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
                        return 0;
                    }
                    st->hand_state = TLS_ST_SR_KEY_EXCH;
                    return 1;
                }
            } else {
                st->hand_state = TLS_ST_SR_KEY_EXCH;
                return 1;
            }
M
Matt Caswell 已提交
206 207 208 209
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
210
            }
M
Matt Caswell 已提交
211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226
        }
        break;

    case TLS_ST_SR_CERT:
        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
            st->hand_state = TLS_ST_SR_KEY_EXCH;
            return 1;
        }
        break;

    case TLS_ST_SR_KEY_EXCH:
        /*
         * We should only process a CertificateVerify message if we have
         * received a Certificate from the client. If so then |s->session->peer|
         * will be non NULL. In some instances a CertificateVerify message is
         * not required even if the peer has sent a Certificate (e.g. such as in
227
         * the case of static DH). In that case |st->no_cert_verify| should be
M
Matt Caswell 已提交
228 229
         * set.
         */
230
        if (s->session->peer == NULL || st->no_cert_verify) {
M
Matt Caswell 已提交
231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290
            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * For the ECDH ciphersuites when the client sends its ECDH
                 * pub key in a certificate, the CertificateVerify message is
                 * not sent. Also for GOST ciphersuites when the client uses
                 * its key from the certificate for key exchange.
                 */
                st->hand_state = TLS_ST_SR_CHANGE;
                return 1;
            }
        } else {
            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
                st->hand_state = TLS_ST_SR_CERT_VRFY;
                return 1;
            }
        }
        break;

    case TLS_ST_SR_CERT_VRFY:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;

    case TLS_ST_SR_CHANGE:
#ifndef OPENSSL_NO_NEXTPROTONEG
        if (s->s3->next_proto_neg_seen) {
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
            }
        } else {
#endif
            if (mt == SSL3_MT_FINISHED) {
                st->hand_state = TLS_ST_SR_FINISHED;
                return 1;
            }
#ifndef OPENSSL_NO_NEXTPROTONEG
        }
#endif
        break;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        if (mt == SSL3_MT_FINISHED) {
            st->hand_state = TLS_ST_SR_FINISHED;
            return 1;
        }
        break;
#endif

    case TLS_ST_SW_FINISHED:
        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
            st->hand_state = TLS_ST_SR_CHANGE;
            return 1;
        }
        break;
    }

291
 err:
M
Matt Caswell 已提交
292
    /* No valid transition found */
293
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
294
    SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
M
Matt Caswell 已提交
295 296 297 298 299 300 301 302 303 304
    return 0;
}

/*
 * Should we send a ServerKeyExchange message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
305
static int send_server_key_exchange(SSL *s)
M
Matt Caswell 已提交
306 307 308 309
{
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /*
310
     * only send a ServerKeyExchange if DH or fortezza but we have a
M
Matt Caswell 已提交
311 312 313 314 315 316
     * sign only certificate PSK: may send PSK identity hints For
     * ECC ciphersuites, we send a serverKeyExchange message only if
     * the cipher suite is either ECDH-anon or ECDHE. In other cases,
     * the server certificate contains the server's public key for
     * key exchange.
     */
E
Emilia Kasper 已提交
317
    if (alg_k & (SSL_kDHE | SSL_kECDHE)
M
Matt Caswell 已提交
318 319 320 321 322 323 324 325 326 327 328 329 330 331 332
        /*
         * PSK: send ServerKeyExchange if PSK identity hint if
         * provided
         */
#ifndef OPENSSL_NO_PSK
        /* Only send SKE if we have identity hint for plain PSK */
        || ((alg_k & (SSL_kPSK | SSL_kRSAPSK))
            && s->cert->psk_identity_hint)
        /* For other PSK always send SKE */
        || (alg_k & (SSL_PSK & (SSL_kDHEPSK | SSL_kECDHEPSK)))
#endif
#ifndef OPENSSL_NO_SRP
        /* SRP: send ServerKeyExchange */
        || (alg_k & SSL_kSRP)
#endif
E
Emilia Kasper 已提交
333
        ) {
M
Matt Caswell 已提交
334 335 336 337 338 339 340 341 342 343 344 345 346
        return 1;
    }

    return 0;
}

/*
 * Should we send a CertificateRequest message?
 *
 * Valid return values are:
 *   1: Yes
 *   0: No
 */
M
Matt Caswell 已提交
347
static int send_certificate_request(SSL *s)
M
Matt Caswell 已提交
348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363
{
    if (
           /* don't request cert unless asked for it: */
           s->verify_mode & SSL_VERIFY_PEER
           /*
            * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert
            * during re-negotiation:
            */
           && ((s->session->peer == NULL) ||
               !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE))
           /*
            * never request cert in anonymous ciphersuites (see
            * section "Certificate request" in SSL 3 drafts and in
            * RFC 2246):
            */
           && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
E
Emilia Kasper 已提交
364 365 366 367 368
               /*
                * ... except when the application insists on
                * verification (against the specs, but statem_clnt.c accepts
                * this for SSL 3)
                */
M
Matt Caswell 已提交
369 370 371 372 373 374 375
               || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
           /* don't request certificate for SRP auth */
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
           /*
            * With normal PSK Certificates and Certificate Requests
            * are omitted
            */
376
           && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) {
M
Matt Caswell 已提交
377 378 379 380 381 382 383
        return 1;
    }

    return 0;
}

/*
384 385 386 387 388 389 390 391
 * ossl_statem_server13_write_transition() works out what handshake state to
 * move to next when a TLSv1.3 server is writing messages to be sent to the
 * client.
 */
static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
{
    OSSL_STATEM *st = &s->statem;

392 393 394 395 396
    /*
     * TODO(TLS1.3): This is still based on the TLSv1.2 state machine. Over time
     * we will update this to look more like real TLSv1.3
     */

397 398 399 400 401 402 403 404 405 406 407 408 409 410 411
    /*
     * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
     * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
     */

    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

    case TLS_ST_SR_CLNT_HELLO:
        st->hand_state = TLS_ST_SW_SRVR_HELLO;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SRVR_HELLO:
M
Matt Caswell 已提交
412 413 414 415
        st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
416
        if (s->hit)
417 418 419
            st->hand_state = TLS_ST_SW_FINISHED;
        else if (send_certificate_request(s))
            st->hand_state = TLS_ST_SW_CERT_REQ;
420
        else
421
            st->hand_state = TLS_ST_SW_CERT;
422

423 424 425
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT_REQ:
426
        st->hand_state = TLS_ST_SW_CERT;
427 428
        return WRITE_TRAN_CONTINUE;

429
    case TLS_ST_SW_CERT:
430 431
            st->hand_state = s->tlsext_status_expected ? TLS_ST_SW_CERT_STATUS
                                                       : TLS_ST_SW_FINISHED;
432 433
        return WRITE_TRAN_CONTINUE;

434
    case TLS_ST_SW_CERT_STATUS:
435 436 437 438
        st->hand_state = TLS_ST_SW_FINISHED;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
439
        return WRITE_TRAN_FINISHED;
440

441
    case TLS_ST_SR_FINISHED:
442 443 444 445 446 447 448 449 450
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
    }
}

/*
 * ossl_statem_server_write_transition() works out what handshake state to move
 * to next when the server is writing messages to be sent to the client.
M
Matt Caswell 已提交
451
 */
452
WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
M
Matt Caswell 已提交
453
{
M
Matt Caswell 已提交
454
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
455

456 457 458 459 460
    /*
     * Note that before the ClientHello we don't know what version we are going
     * to negotiate yet, so we don't take this branch until later
     */

461
    if (SSL_IS_TLS13(s))
462 463
        return ossl_statem_server13_write_transition(s);

464
    switch (st->hand_state) {
R
Rich Salz 已提交
465 466 467 468
    default:
        /* Shouldn't happen */
        return WRITE_TRAN_ERROR;

469
    case TLS_ST_BEFORE:
E
Emilia Kasper 已提交
470
        /* Just go straight to trying to read from the client */
471
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
472

473 474 475 476
    case TLS_ST_OK:
        /* We must be trying to renegotiate */
        st->hand_state = TLS_ST_SW_HELLO_REQ;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
477

478 479 480 481
    case TLS_ST_SW_HELLO_REQ:
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
482

483 484
    case TLS_ST_SR_CLNT_HELLO:
        if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
E
Emilia Kasper 已提交
485
            && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
486 487 488 489
            st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
        else
            st->hand_state = TLS_ST_SW_SRVR_HELLO;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
490

491 492
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        return WRITE_TRAN_FINISHED;
M
Matt Caswell 已提交
493

494 495 496 497 498 499 500 501 502 503
    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
            if (s->tlsext_ticket_expected)
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            else
                st->hand_state = TLS_ST_SW_CHANGE;
        } else {
            /* Check if it is anon DH or anon ECDH, */
            /* normal PSK or SRP */
            if (!(s->s3->tmp.new_cipher->algorithm_auth &
E
Emilia Kasper 已提交
504
                  (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
505 506
                st->hand_state = TLS_ST_SW_CERT;
            } else if (send_server_key_exchange(s)) {
M
Matt Caswell 已提交
507
                st->hand_state = TLS_ST_SW_KEY_EXCH;
508
            } else if (send_certificate_request(s)) {
M
Matt Caswell 已提交
509
                st->hand_state = TLS_ST_SW_CERT_REQ;
510 511
            } else {
                st->hand_state = TLS_ST_SW_SRVR_DONE;
M
Matt Caswell 已提交
512
            }
513 514
        }
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
515

516 517 518
    case TLS_ST_SW_CERT:
        if (s->tlsext_status_expected) {
            st->hand_state = TLS_ST_SW_CERT_STATUS;
M
Matt Caswell 已提交
519
            return WRITE_TRAN_CONTINUE;
520 521
        }
        /* Fall through */
M
Matt Caswell 已提交
522

523 524 525
    case TLS_ST_SW_CERT_STATUS:
        if (send_server_key_exchange(s)) {
            st->hand_state = TLS_ST_SW_KEY_EXCH;
M
Matt Caswell 已提交
526
            return WRITE_TRAN_CONTINUE;
527 528
        }
        /* Fall through */
M
Matt Caswell 已提交
529

530 531 532
    case TLS_ST_SW_KEY_EXCH:
        if (send_certificate_request(s)) {
            st->hand_state = TLS_ST_SW_CERT_REQ;
M
Matt Caswell 已提交
533
            return WRITE_TRAN_CONTINUE;
534 535
        }
        /* Fall through */
M
Matt Caswell 已提交
536

537 538 539
    case TLS_ST_SW_CERT_REQ:
        st->hand_state = TLS_ST_SW_SRVR_DONE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
540

541 542 543 544 545
    case TLS_ST_SW_SRVR_DONE:
        return WRITE_TRAN_FINISHED;

    case TLS_ST_SR_FINISHED:
        if (s->hit) {
M
Matt Caswell 已提交
546
            st->hand_state = TLS_ST_OK;
M
Matt Caswell 已提交
547
            ossl_statem_set_in_init(s, 0);
M
Matt Caswell 已提交
548
            return WRITE_TRAN_CONTINUE;
549 550 551 552 553 554 555 556 557 558
        } else if (s->tlsext_ticket_expected) {
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        } else {
            st->hand_state = TLS_ST_SW_CHANGE;
        }
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        st->hand_state = TLS_ST_SW_CHANGE;
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
559

560 561 562 563 564 565 566 567 568 569 570
    case TLS_ST_SW_CHANGE:
        st->hand_state = TLS_ST_SW_FINISHED;
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_FINISHED:
        if (s->hit) {
            return WRITE_TRAN_FINISHED;
        }
        st->hand_state = TLS_ST_OK;
        ossl_statem_set_in_init(s, 0);
        return WRITE_TRAN_CONTINUE;
M
Matt Caswell 已提交
571 572 573 574 575 576 577
    }
}

/*
 * Perform any pre work that needs to be done prior to sending a message from
 * the server to the client.
 */
578
WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
579
{
M
Matt Caswell 已提交
580
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
581

582
    switch (st->hand_state) {
R
Rich Salz 已提交
583 584 585 586
    default:
        /* No pre work to be done */
        break;

M
Matt Caswell 已提交
587 588 589
    case TLS_ST_SW_HELLO_REQ:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s))
590
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
591 592 593 594 595
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        s->shutdown = 0;
        if (SSL_IS_DTLS(s)) {
596
            dtls1_clear_sent_buffer(s);
M
Matt Caswell 已提交
597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631
            /* We don't buffer this message so don't use the timer */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_SRVR_HELLO:
        if (SSL_IS_DTLS(s)) {
            /*
             * Messages we write from now on should be bufferred and
             * retransmitted if necessary, so we need to use the timer now
             */
            st->use_timer = 1;
        }
        break;

    case TLS_ST_SW_SRVR_DONE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s)))
            return dtls_wait_for_dry(s);
#endif
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_SW_SESSION_TICKET:
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer
             */
            st->use_timer = 0;
        }
        break;

    case TLS_ST_SW_CHANGE:
        s->session->cipher = s->s3->tmp.new_cipher;
        if (!s->method->ssl3_enc->setup_key_block(s)) {
M
Matt Caswell 已提交
632
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656
            return WORK_ERROR;
        }
        if (SSL_IS_DTLS(s)) {
            /*
             * We're into the last flight. We don't retransmit the last flight
             * unless we need to, so we don't use the timer. This might have
             * already been set to 0 if we sent a NewSessionTicket message,
             * but we'll set it again here in case we didn't.
             */
            st->use_timer = 0;
        }
        return WORK_FINISHED_CONTINUE;

    case TLS_ST_OK:
        return tls_finish_handshake(s, wst);
    }

    return WORK_FINISHED_CONTINUE;
}

/*
 * Perform any work that needs to be done after sending a message from the
 * server to the client.
 */
657
WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
658
{
M
Matt Caswell 已提交
659
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
660 661 662

    s->init_num = 0;

663
    switch (st->hand_state) {
R
Rich Salz 已提交
664 665 666 667
    default:
        /* No post work to be done */
        break;

M
Matt Caswell 已提交
668 669 670
    case TLS_ST_SW_HELLO_REQ:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
671 672 673 674
        if (!ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
675 676 677 678 679 680
        break;

    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        /* HelloVerifyRequest resets Finished MAC */
681 682 683 684
        if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701
        /*
         * The next message should be another ClientHello which we need to
         * treat like it was the first packet
         */
        s->first_packet = 1;
        break;

    case TLS_ST_SW_SRVR_HELLO:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];

            /*
             * Add new shared key for SCTP-Auth, will be ignored if no
             * SCTP used.
             */
M
Matt Caswell 已提交
702 703
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
M
Matt Caswell 已提交
704 705

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
706 707 708
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
709
                ossl_statem_set_error(s);
M
Matt Caswell 已提交
710 711 712 713 714 715 716
                return WORK_ERROR;
            }

            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
        }
#endif
717 718 719 720 721 722 723 724 725 726 727 728 729 730
        /*
         * TODO(TLS1.3): This actually causes a problem. We don't yet know
         * whether the next record we are going to receive is an unencrypted
         * alert, or an encrypted handshake message. We're going to need
         * something clever in the record layer for this.
         */
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->setup_key_block(s)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ))
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
731 732 733 734 735 736 737 738 739 740 741 742 743 744
        break;

    case TLS_ST_SW_CHANGE:
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && !s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
        if (!s->method->ssl3_enc->change_cipher_state(s,
E
Emilia Kasper 已提交
745 746
                                                      SSL3_CHANGE_CIPHER_SERVER_WRITE))
        {
M
Matt Caswell 已提交
747
            ossl_statem_set_error(s);
M
Matt Caswell 已提交
748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772
            return WORK_ERROR;
        }

        if (SSL_IS_DTLS(s))
            dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
        break;

    case TLS_ST_SW_SRVR_DONE:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
        break;

    case TLS_ST_SW_FINISHED:
        if (statem_flush(s) != 1)
            return WORK_MORE_A;
#ifndef OPENSSL_NO_SCTP
        if (SSL_IS_DTLS(s) && s->hit) {
            /*
             * Change to new shared key of SCTP-Auth, will be ignored if
             * no SCTP used.
             */
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
                     0, NULL);
        }
#endif
773 774 775 776 777 778 779 780
        if (SSL_IS_TLS13(s)) {
            if (!s->method->ssl3_enc->generate_master_secret(s,
                        s->session->master_key, s->handshake_secret, 0,
                        &s->session->master_key_length)
                || !s->method->ssl3_enc->change_cipher_state(s,
                        SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE))
            return WORK_ERROR;
        }
M
Matt Caswell 已提交
781 782 783 784 785 786 787
        break;
    }

    return WORK_FINISHED_CONTINUE;
}

/*
788 789
 * Get the message construction function and message type for sending from the
 * server
M
Matt Caswell 已提交
790 791 792 793 794
 *
 * Valid return values are:
 *   1: Success
 *   0: Error
 */
795
int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
796
                                         confunc_f *confunc, int *mt)
M
Matt Caswell 已提交
797
{
M
Matt Caswell 已提交
798
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
799

800 801 802 803 804 805
    switch (st->hand_state) {
    default:
        /* Shouldn't happen */
        return 0;

    case TLS_ST_SW_CHANGE:
806
        if (SSL_IS_DTLS(s))
807
            *confunc = dtls_construct_change_cipher_spec;
808
        else
809 810
            *confunc = tls_construct_change_cipher_spec;
        *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
811
        break;
R
Rich Salz 已提交
812

813
    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
814 815
        *confunc = dtls_construct_hello_verify_request;
        *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
816
        break;
M
Matt Caswell 已提交
817

818 819
    case TLS_ST_SW_HELLO_REQ:
        /* No construction function needed */
820 821
        *confunc = NULL;
        *mt = SSL3_MT_HELLO_REQUEST;
822
        break;
M
Matt Caswell 已提交
823

824
    case TLS_ST_SW_SRVR_HELLO:
825 826
        *confunc = tls_construct_server_hello;
        *mt = SSL3_MT_SERVER_HELLO;
827
        break;
M
Matt Caswell 已提交
828

829
    case TLS_ST_SW_CERT:
830 831
        *confunc = tls_construct_server_certificate;
        *mt = SSL3_MT_CERTIFICATE;
832
        break;
M
Matt Caswell 已提交
833

834
    case TLS_ST_SW_KEY_EXCH:
835 836
        *confunc = tls_construct_server_key_exchange;
        *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
837
        break;
M
Matt Caswell 已提交
838

839
    case TLS_ST_SW_CERT_REQ:
840 841
        *confunc = tls_construct_certificate_request;
        *mt = SSL3_MT_CERTIFICATE_REQUEST;
842
        break;
M
Matt Caswell 已提交
843

844
    case TLS_ST_SW_SRVR_DONE:
845 846
        *confunc = tls_construct_server_done;
        *mt = SSL3_MT_SERVER_DONE;
847
        break;
M
Matt Caswell 已提交
848

849
    case TLS_ST_SW_SESSION_TICKET:
850 851
        *confunc = tls_construct_new_session_ticket;
        *mt = SSL3_MT_NEWSESSION_TICKET;
852
        break;
M
Matt Caswell 已提交
853

854
    case TLS_ST_SW_CERT_STATUS:
855 856
        *confunc = tls_construct_cert_status;
        *mt = SSL3_MT_CERTIFICATE_STATUS;
857
        break;
M
Matt Caswell 已提交
858

859
    case TLS_ST_SW_FINISHED:
860 861
        *confunc = tls_construct_finished;
        *mt = SSL3_MT_FINISHED;
862
        break;
M
Matt Caswell 已提交
863 864 865 866 867

    case TLS_ST_SW_ENCRYPTED_EXTENSIONS:
        *confunc = tls_construct_encrypted_extensions;
        *mt = SSL3_MT_ENCRYPTED_EXTENSIONS;
        break;
868
    }
M
Matt Caswell 已提交
869

870
    return 1;
M
Matt Caswell 已提交
871 872
}

873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889
/*
 * Maximum size (excluding the Handshake header) of a ClientHello message,
 * calculated as follows:
 *
 *  2 + # client_version
 *  32 + # only valid length for random
 *  1 + # length of session_id
 *  32 + # maximum size for session_id
 *  2 + # length of cipher suites
 *  2^16-2 + # maximum length of cipher suites array
 *  1 + # length of compression_methods
 *  2^8-1 + # maximum length of compression methods
 *  2 + # length of extensions
 *  2^16-1 # maximum length of extensions
 */
#define CLIENT_HELLO_MAX_LENGTH         131396

M
Matt Caswell 已提交
890 891 892 893 894 895 896
#define CLIENT_KEY_EXCH_MAX_LENGTH      2048
#define NEXT_PROTO_MAX_LENGTH           514

/*
 * Returns the maximum allowed length for the current message that we are
 * reading. Excludes the message header.
 */
897
size_t ossl_statem_server_max_message_size(SSL *s)
M
Matt Caswell 已提交
898
{
M
Matt Caswell 已提交
899
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
900

901
    switch (st->hand_state) {
R
Rich Salz 已提交
902 903 904 905
    default:
        /* Shouldn't happen */
        return 0;

M
Matt Caswell 已提交
906
    case TLS_ST_SR_CLNT_HELLO:
907
        return CLIENT_HELLO_MAX_LENGTH;
M
Matt Caswell 已提交
908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933

    case TLS_ST_SR_CERT:
        return s->max_cert_list;

    case TLS_ST_SR_KEY_EXCH:
        return CLIENT_KEY_EXCH_MAX_LENGTH;

    case TLS_ST_SR_CERT_VRFY:
        return SSL3_RT_MAX_PLAIN_LENGTH;

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return NEXT_PROTO_MAX_LENGTH;
#endif

    case TLS_ST_SR_CHANGE:
        return CCS_MAX_LENGTH;

    case TLS_ST_SR_FINISHED:
        return FINISHED_MAX_LENGTH;
    }
}

/*
 * Process a message that the server has received from the client.
 */
934
MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
935
{
M
Matt Caswell 已提交
936
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
937

938
    switch (st->hand_state) {
R
Rich Salz 已提交
939 940 941 942
    default:
        /* Shouldn't happen */
        return MSG_PROCESS_ERROR;

M
Matt Caswell 已提交
943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971
    case TLS_ST_SR_CLNT_HELLO:
        return tls_process_client_hello(s, pkt);

    case TLS_ST_SR_CERT:
        return tls_process_client_certificate(s, pkt);

    case TLS_ST_SR_KEY_EXCH:
        return tls_process_client_key_exchange(s, pkt);

    case TLS_ST_SR_CERT_VRFY:
        return tls_process_cert_verify(s, pkt);

#ifndef OPENSSL_NO_NEXTPROTONEG
    case TLS_ST_SR_NEXT_PROTO:
        return tls_process_next_proto(s, pkt);
#endif

    case TLS_ST_SR_CHANGE:
        return tls_process_change_cipher_spec(s, pkt);

    case TLS_ST_SR_FINISHED:
        return tls_process_finished(s, pkt);
    }
}

/*
 * Perform any further processing required following the receipt of a message
 * from the client
 */
972
WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
973
{
M
Matt Caswell 已提交
974
    OSSL_STATEM *st = &s->statem;
M
Matt Caswell 已提交
975

976
    switch (st->hand_state) {
R
Rich Salz 已提交
977 978 979 980
    default:
        /* Shouldn't happen */
        return WORK_ERROR;

M
Matt Caswell 已提交
981 982 983 984 985 986 987 988
    case TLS_ST_SR_CLNT_HELLO:
        return tls_post_process_client_hello(s, wst);

    case TLS_ST_SR_KEY_EXCH:
        return tls_post_process_client_key_exchange(s, wst);

    case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
E
Emilia Kasper 已提交
989 990 991 992
        if (                    /* Is this SCTP? */
               BIO_dgram_is_sctp(SSL_get_wbio(s))
               /* Are we renegotiating? */
               && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
M
Matt Caswell 已提交
993 994 995 996
            s->s3->in_read_app_data = 2;
            s->rwstate = SSL_READING;
            BIO_clear_retry_flags(SSL_get_rbio(s));
            BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
997
            ossl_statem_set_sctp_read_sock(s, 1);
M
Matt Caswell 已提交
998 999
            return WORK_MORE_A;
        } else {
M
Matt Caswell 已提交
1000
            ossl_statem_set_sctp_read_sock(s, 0);
M
Matt Caswell 已提交
1001 1002 1003 1004
        }
#endif
        return WORK_FINISHED_CONTINUE;
    }
1005
    return WORK_FINISHED_CONTINUE;
M
Matt Caswell 已提交
1006 1007
}

B
Ben Laurie 已提交
1008
#ifndef OPENSSL_NO_SRP
1009
static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029
{
    int ret = SSL_ERROR_NONE;

    *al = SSL_AD_UNRECOGNIZED_NAME;

    if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
        (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
        if (s->srp_ctx.login == NULL) {
            /*
             * RFC 5054 says SHOULD reject, we do so if There is no srp
             * login name
             */
            ret = SSL3_AL_FATAL;
            *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
        } else {
            ret = SSL_srp_server_param_with_username(s, al);
        }
    }
    return ret;
}
B
Ben Laurie 已提交
1030 1031
#endif

1032
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
M
Matt Caswell 已提交
1033
                                  size_t cookie_len)
M
Matt Caswell 已提交
1034 1035
{
    /* Always use DTLS 1.0 version: see RFC 6347 */
1036 1037 1038
    if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
            || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
        return 0;
M
Matt Caswell 已提交
1039

1040
    return 1;
M
Matt Caswell 已提交
1041 1042
}

1043
int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1044
{
M
Matt Caswell 已提交
1045
    unsigned int cookie_leni;
M
Matt Caswell 已提交
1046 1047
    if (s->ctx->app_gen_cookie_cb == NULL ||
        s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
M
Matt Caswell 已提交
1048 1049
                                  &cookie_leni) == 0 ||
        cookie_leni > 255) {
M
Matt Caswell 已提交
1050
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
M
Matt Caswell 已提交
1051 1052 1053
               SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
        return 0;
    }
M
Matt Caswell 已提交
1054
    s->d1->cookie_len = cookie_leni;
M
Matt Caswell 已提交
1055

1056 1057
    if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
                                              s->d1->cookie_len)) {
1058 1059 1060
        SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
1061 1062 1063 1064

    return 1;
}

M
Matt Caswell 已提交
1065
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
1066 1067
{
    int i, al = SSL_AD_INTERNAL_ERROR;
1068
    unsigned int j;
1069
    size_t loop;
M
Matt Caswell 已提交
1070
    unsigned long id;
1071
    const SSL_CIPHER *c;
M
Matt Caswell 已提交
1072 1073 1074 1075
#ifndef OPENSSL_NO_COMP
    SSL_COMP *comp = NULL;
#endif
    STACK_OF(SSL_CIPHER) *ciphers = NULL;
1076
    int protverr;
M
Matt Caswell 已提交
1077
    /* |cookie| will only be initialized for DTLS. */
1078
    PACKET session_id, compression, extensions, cookie;
M
Matt Caswell 已提交
1079
    static const unsigned char null_compression = 0;
1080
    CLIENTHELLO_MSG clienthello;
M
Matt Caswell 已提交
1081

1082
    /*
1083
     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
1084
     */
1085
    memset(&clienthello, 0, sizeof(clienthello));
1086
    clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
E
Emilia Kasper 已提交
1087
    PACKET_null_init(&cookie);
1088 1089

    if (clienthello.isv2) {
M
Matt Caswell 已提交
1090
        unsigned int mt;
1091

1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106
        /*-
         * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
         * header is sent directly on the wire, not wrapped as a TLS
         * record. Our record layer just processes the message length and passes
         * the rest right through. Its format is:
         * Byte  Content
         * 0-1   msg_length - decoded by the record layer
         * 2     msg_type - s->init_msg points here
         * 3-4   version
         * 5-6   cipher_spec_length
         * 7-8   session_id_length
         * 9-10  challenge_length
         * ...   ...
         */

1107
        if (!PACKET_get_1(pkt, &mt)
E
Emilia Kasper 已提交
1108
            || mt != SSL2_MT_CLIENT_HELLO) {
1109 1110 1111 1112 1113
            /*
             * Should never happen. We should have tested this in the record
             * layer in order to have determined that this is a SSLv2 record
             * in the first place
             */
M
Matt Caswell 已提交
1114
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1115
            goto err;
1116 1117 1118
        }
    }

1119
    if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) {
1120 1121 1122
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
        goto err;
1123 1124
    }

1125
    /* Parse the message and load client random. */
1126
    if (clienthello.isv2) {
1127 1128 1129
        /*
         * Handle an SSLv2 backwards compatible ClientHello
         * Note, this is only for SSLv3+ using the backward compatible format.
1130
         * Real SSLv2 is not supported, and is rejected below.
1131
         */
1132
        unsigned int ciphersuite_len, session_id_len, challenge_len;
1133
        PACKET challenge;
1134

1135
        if (!PACKET_get_net_2(pkt, &ciphersuite_len)
E
Emilia Kasper 已提交
1136 1137
            || !PACKET_get_net_2(pkt, &session_id_len)
            || !PACKET_get_net_2(pkt, &challenge_len)) {
M
Matt Caswell 已提交
1138 1139
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
1140 1141
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1142
        }
1143

1144 1145 1146 1147 1148 1149
        if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1150 1151
        if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
                                   ciphersuite_len)
1152
            || !PACKET_copy_bytes(pkt, clienthello.session_id, session_id_len)
1153
            || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
1154
            /* No extensions. */
1155
            || PACKET_remaining(pkt) != 0) {
M
Matt Caswell 已提交
1156 1157
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                   SSL_R_RECORD_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1158 1159 1160
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
1161
        clienthello.session_id_len = session_id_len;
M
Matt Caswell 已提交
1162

1163 1164 1165 1166 1167 1168 1169 1170
        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
         * here rather than sizeof(clienthello.random) because that is the limit
         * for SSLv3 and it is fixed. It won't change even if
         * sizeof(clienthello.random) does.
         */
        challenge_len = challenge_len > SSL3_RANDOM_SIZE
                        ? SSL3_RANDOM_SIZE : challenge_len;
        memset(clienthello.random, 0, SSL3_RANDOM_SIZE);
1171
        if (!PACKET_copy_bytes(&challenge,
1172
                               clienthello.random + SSL3_RANDOM_SIZE -
D
David Benjamin 已提交
1173 1174 1175
                               challenge_len, challenge_len)
            /* Advertise only null compression. */
            || !PACKET_buf_init(&compression, &null_compression, 1)) {
M
Matt Caswell 已提交
1176
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1177
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1178 1179
            goto f_err;
        }
1180

1181
        PACKET_null_init(&clienthello.extensions);
1182
    } else {
1183
        /* Regular ClientHello. */
1184
        if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
1185 1186 1187 1188
            || !PACKET_get_length_prefixed_1(pkt, &session_id)
            || !PACKET_copy_all(&session_id, clienthello.session_id,
                    SSL_MAX_SSL_SESSION_ID_LENGTH,
                    &clienthello.session_id_len)) {
M
Matt Caswell 已提交
1189
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1190
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
1191 1192
            goto f_err;
        }
1193

1194
        if (SSL_IS_DTLS(s)) {
1195
            if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
1196
                al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1197
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
1198 1199
                goto f_err;
            }
1200 1201 1202 1203 1204 1205 1206
            if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie,
                                 DTLS1_COOKIE_LENGTH,
                                 &clienthello.dtls_cookie_len)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
1207 1208 1209 1210 1211 1212
            /*
             * If we require cookies and this ClientHello doesn't contain one,
             * just return since we do not want to allocate any memory yet.
             * So check cookie length...
             */
            if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
1213
                if (clienthello.dtls_cookie_len == 0)
E
Emilia Kasper 已提交
1214
                    return 1;
1215
            }
1216
        }
1217

1218 1219 1220 1221 1222 1223
        if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) {
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
        }

1224
        if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
E
Emilia Kasper 已提交
1225 1226 1227
            al = SSL_AD_DECODE_ERROR;
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
            goto f_err;
1228
        }
1229

1230
        /* Could be empty. */
1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241
        if (PACKET_remaining(pkt) == 0) {
            PACKET_null_init(&clienthello.extensions);
        } else {
            if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) {
                al = SSL_AD_DECODE_ERROR;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
                goto f_err;
            }
        }
    }

1242
    if (!PACKET_copy_all(&compression, clienthello.compressions,
1243 1244
                         MAX_COMPRESSIONS_SIZE,
                         &clienthello.compressions_len)) {
1245 1246 1247 1248 1249
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }

1250
    /* Preserve the raw extensions PACKET for later use */
1251
    extensions = clienthello.extensions;
1252
    if (!tls_collect_extensions(&extensions, &clienthello.pre_proc_exts,
1253 1254 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265
                                  &clienthello.num_extensions, &al)) {
        /* SSLerr already been called */
        goto f_err;
    }

    /* Finished parsing the ClientHello, now we can start processing it */

    /* Set up the client_random */
    memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE);

    /* Choose the version */

    if (clienthello.isv2) {
1266 1267
        if (clienthello.legacy_version == SSL2_VERSION
                || (clienthello.legacy_version & 0xff00)
1268 1269 1270 1271 1272
                   != (SSL3_VERSION_MAJOR << 8)) {
            /*
             * This is real SSLv2 or something complete unknown. We don't
             * support it.
             */
1273 1274 1275
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
            goto err;
        }
1276
        /* SSLv3/TLS */
1277
        s->client_version = clienthello.legacy_version;
1278 1279 1280 1281 1282 1283 1284 1285
    }
    /*
     * Do SSL/TLS version negotiation if applicable. For DTLS we just check
     * versions are potentially compatible. Version negotiation comes later.
     */
    if (!SSL_IS_DTLS(s)) {
        protverr = ssl_choose_server_version(s, &clienthello);
    } else if (s->method->version != DTLS_ANY_VERSION &&
1286
               DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) {
1287 1288 1289 1290 1291 1292 1293 1294
        protverr = SSL_R_VERSION_TOO_LOW;
    } else {
        protverr = 0;
    }

    if (protverr) {
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
        if ((!s->enc_write_ctx && !s->write_hash)) {
1295
            /* like ssl3_get_record, send alert using remote version number */
1296
            s->version = s->client_version = clienthello.legacy_version;
1297 1298 1299
        }
        al = SSL_AD_PROTOCOL_VERSION;
        goto f_err;
1300 1301
    }

1302 1303 1304 1305
    if (SSL_IS_DTLS(s)) {
        /* Empty cookie was already handled above by returning early. */
        if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
            if (s->ctx->app_verify_cookie_cb != NULL) {
1306 1307
                if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie,
                        clienthello.dtls_cookie_len) == 0) {
1308 1309 1310 1311 1312 1313
                    al = SSL_AD_HANDSHAKE_FAILURE;
                    SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
                           SSL_R_COOKIE_MISMATCH);
                    goto f_err;
                    /* else cookie verification succeeded */
                }
E
Emilia Kasper 已提交
1314
                /* default verification */
1315 1316 1317
            } else if (s->d1->cookie_len != clienthello.dtls_cookie_len
                    || memcmp(clienthello.dtls_cookie, s->d1->cookie,
                              s->d1->cookie_len) != 0) {
1318 1319 1320 1321 1322 1323 1324
                al = SSL_AD_HANDSHAKE_FAILURE;
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
                goto f_err;
            }
            s->d1->cookie_verified = 1;
        }
        if (s->method->version == DTLS_ANY_VERSION) {
1325
            protverr = ssl_choose_server_version(s, &clienthello);
1326 1327 1328 1329 1330 1331 1332 1333 1334
            if (protverr != 0) {
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
                s->version = s->client_version;
                al = SSL_AD_PROTOCOL_VERSION;
                goto f_err;
            }
        }
    }

1335 1336
    s->hit = 0;

1337
    /* We need to do this before getting the session */
1338
    if (!tls_check_client_ems_support(s, &clienthello)) {
1339 1340 1341 1342 1343 1344
        /* Only fails if the extension is malformed */
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
        goto f_err;
    }

1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360
    /*
     * We don't allow resumption in a backwards compatible ClientHello.
     * TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
     *
     * Versions before 0.9.7 always allow clients to resume sessions in
     * renegotiation. 0.9.7 and later allow this by default, but optionally
     * ignore resumption requests with flag
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather
     * than a change to default behavior so that applications relying on
     * this for security won't even compile against older library versions).
     * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() to
     * request renegotiation but not a new session (s->new_session remains
     * unset): for servers, this essentially just means that the
     * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
     * ignored.
     */
1361
    if (clienthello.isv2 ||
1362 1363 1364 1365 1366
        (s->new_session &&
         (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
        if (!ssl_get_new_session(s, 1))
            goto err;
    } else {
1367
        i = ssl_get_prev_session(s, &clienthello);
1368
        /*
1369 1370 1371 1372 1373 1374 1375
         * Only resume if the session's version matches the negotiated
         * version.
         * RFC 5246 does not provide much useful advice on resumption
         * with a different protocol version. It doesn't forbid it but
         * the sanity of such behaviour would be questionable.
         * In practice, clients do not accept a version mismatch and
         * will abort the handshake with an error.
1376
         */
1377 1378 1379 1380 1381
        if (i == 1 && s->version == s->session->ssl_version) {
            /* previous session */
            s->hit = 1;
        } else if (i == -1) {
            goto err;
1382
        } else {
1383 1384
            /* i == 0 */
            if (!ssl_get_new_session(s, 1))
1385
                goto err;
1386
        }
1387
    }
1388

1389
    if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers,
1390
                                 clienthello.isv2, &al) == NULL) {
1391 1392
        goto f_err;
    }
1393

1394 1395 1396 1397
    /* If it is a hit, check that the cipher is in the list */
    if (s->hit) {
        j = 0;
        id = s->session->cipher->id;
1398

1399
#ifdef CIPHER_DEBUG
E
Emilia Kasper 已提交
1400
        fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
1401
#endif
1402 1403
        for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
            c = sk_SSL_CIPHER_value(ciphers, i);
1404
#ifdef CIPHER_DEBUG
1405 1406
            fprintf(stderr, "client [%2d of %2d]:%s\n",
                    i, sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c));
1407
#endif
1408 1409 1410
            if (c->id == id) {
                j = 1;
                break;
1411
            }
1412
        }
1413
        if (j == 0) {
1414
            /*
1415 1416
             * we need to have the cipher in the cipher list if we are asked
             * to reuse it
1417
             */
1418
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1419
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1420
                   SSL_R_REQUIRED_CIPHER_MISSING);
1421 1422
            goto f_err;
        }
1423
    }
M
Matt Caswell 已提交
1424

1425 1426
    for (loop = 0; loop < clienthello.compressions_len; loop++) {
        if (clienthello.compressions[loop] == 0)
1427
            break;
1428
    }
1429

1430
    if (loop >= clienthello.compressions_len) {
1431 1432
        /* no compress */
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
1433
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
1434 1435
        goto f_err;
    }
1436

1437
    /* TLS extensions */
1438 1439 1440
    if (!ssl_parse_clienthello_tlsext(s, &clienthello)) {
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
        goto err;
1441 1442
    }

1443
    /* Check we've got a key_share for TLSv1.3 */
M
Matt Caswell 已提交
1444
    if (SSL_IS_TLS13(s) && s->s3->peer_tmp == NULL && !s->hit) {
1445
        /* No suitable share */
1446
        /* TODO(TLS1.3): Send a HelloRetryRequest */
1447 1448 1449 1450 1451
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SUITABLE_KEY_SHARE);
        goto f_err;
    }

1452 1453 1454 1455 1456 1457 1458 1459 1460 1461 1462 1463 1464 1465 1466
    /*
     * Check if we want to use external pre-shared secret for this handshake
     * for not reused session only. We need to generate server_random before
     * calling tls_session_secret_cb in order to allow SessionTicket
     * processing to use it in key derivation.
     */
    {
        unsigned char *pos;
        pos = s->s3->server_random;
        if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0) {
            goto f_err;
        }
    }

    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
1467
        const SSL_CIPHER *pref_cipher = NULL;
1468 1469 1470 1471 1472
        /*
         * s->session->master_key_length is a size_t, but this is an int for
         * backwards compat reasons
         */
        int master_key_length;
1473

1474
        master_key_length = sizeof(s->session->master_key);
1475
        if (s->tls_session_secret_cb(s, s->session->master_key,
1476
                                     &master_key_length, ciphers,
1477
                                     &pref_cipher,
1478 1479 1480
                                     s->tls_session_secret_cb_arg)
                && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
1481 1482 1483 1484 1485 1486 1487 1488 1489 1490 1491 1492 1493 1494 1495
            s->hit = 1;
            s->session->ciphers = ciphers;
            s->session->verify_result = X509_V_OK;

            ciphers = NULL;

            /* check if some cipher was preferred by call back */
            pref_cipher =
                pref_cipher ? pref_cipher : ssl3_choose_cipher(s,
                                                               s->
                                                               session->ciphers,
                                                               SSL_get_ciphers
                                                               (s));
            if (pref_cipher == NULL) {
                al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
1496
                SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
1497 1498 1499 1500
                goto f_err;
            }

            s->session->cipher = pref_cipher;
R
Rich Salz 已提交
1501
            sk_SSL_CIPHER_free(s->cipher_list);
1502
            s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers);
R
Rich Salz 已提交
1503
            sk_SSL_CIPHER_free(s->cipher_list_by_id);
1504 1505 1506
            s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->session->ciphers);
        }
    }
1507

1508 1509
    /*
     * Worst case, we will use the NULL compression, but if we have other
1510
     * options, we will now look for them.  We have complen-1 compression
1511 1512 1513
     * algorithms from the client, starting at q.
     */
    s->s3->tmp.new_compression = NULL;
1514
#ifndef OPENSSL_NO_COMP
1515 1516 1517
    /* This only happens if we have a cache hit */
    if (s->session->compress_meth != 0) {
        int m, comp_id = s->session->compress_meth;
M
Matt Caswell 已提交
1518
        unsigned int k;
1519 1520 1521
        /* Perform sanity checks on resumed compression algorithm */
        /* Can't disable compression */
        if (!ssl_allow_compression(s)) {
M
Matt Caswell 已提交
1522
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1523 1524 1525 1526 1527 1528 1529 1530 1531 1532 1533 1534
                   SSL_R_INCONSISTENT_COMPRESSION);
            goto f_err;
        }
        /* Look for resumed compression method */
        for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            if (comp_id == comp->id) {
                s->s3->tmp.new_compression = comp;
                break;
            }
        }
        if (s->s3->tmp.new_compression == NULL) {
M
Matt Caswell 已提交
1535
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
1536 1537 1538 1539
                   SSL_R_INVALID_COMPRESSION_ALGORITHM);
            goto f_err;
        }
        /* Look for resumed method in compression list */
1540 1541
        for (k = 0; k < clienthello.compressions_len; k++) {
            if (clienthello.compressions[k] == comp_id)
1542 1543
                break;
        }
1544
        if (k >= clienthello.compressions_len) {
1545
            al = SSL_AD_ILLEGAL_PARAMETER;
M
Matt Caswell 已提交
1546
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
F
FdaSilvaYY 已提交
1547
                   SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
1548 1549 1550 1551 1552
            goto f_err;
        }
    } else if (s->hit)
        comp = NULL;
    else if (ssl_allow_compression(s) && s->ctx->comp_methods) {
1553
        /* See if we have a match */
M
Matt Caswell 已提交
1554 1555
        int m, nn, v, done = 0;
        unsigned int o;
1556 1557 1558 1559 1560

        nn = sk_SSL_COMP_num(s->ctx->comp_methods);
        for (m = 0; m < nn; m++) {
            comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
            v = comp->id;
1561 1562
            for (o = 0; o < clienthello.compressions_len; o++) {
                if (v == clienthello.compressions[o]) {
1563 1564 1565 1566 1567 1568 1569 1570 1571 1572 1573 1574
                    done = 1;
                    break;
                }
            }
            if (done)
                break;
        }
        if (done)
            s->s3->tmp.new_compression = comp;
        else
            comp = NULL;
    }
1575
#else
1576 1577 1578 1579 1580
    /*
     * If compression is disabled we'd better not try to resume a session
     * using compression.
     */
    if (s->session->compress_meth != 0) {
M
Matt Caswell 已提交
1581
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_INCONSISTENT_COMPRESSION);
1582 1583
        goto f_err;
    }
1584
#endif
1585

1586 1587 1588
    /*
     * Given s->session->ciphers and SSL_get_ciphers, we must pick a cipher
     */
1589

1590
    if (!s->hit) {
1591
#ifdef OPENSSL_NO_COMP
1592
        s->session->compress_meth = 0;
1593
#else
1594
        s->session->compress_meth = (comp == NULL) ? 0 : comp->id;
1595
#endif
R
Rich Salz 已提交
1596
        sk_SSL_CIPHER_free(s->session->ciphers);
1597 1598
        s->session->ciphers = ciphers;
        if (ciphers == NULL) {
1599
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1600
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
1601 1602 1603 1604
            goto f_err;
        }
        ciphers = NULL;
        if (!tls1_set_server_sigalgs(s)) {
M
Matt Caswell 已提交
1605
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1606 1607
            goto err;
        }
M
Matt Caswell 已提交
1608 1609 1610
    }

    sk_SSL_CIPHER_free(ciphers);
1611
    OPENSSL_free(clienthello.pre_proc_exts);
M
Matt Caswell 已提交
1612 1613 1614 1615
    return MSG_PROCESS_CONTINUE_PROCESSING;
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
M
Matt Caswell 已提交
1616
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1617 1618

    sk_SSL_CIPHER_free(ciphers);
1619
    OPENSSL_free(clienthello.pre_proc_exts);
M
Matt Caswell 已提交
1620

M
Matt Caswell 已提交
1621
    return MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
1622 1623
}

M
Matt Caswell 已提交
1624
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
M
Matt Caswell 已提交
1625
{
M
Matt Caswell 已提交
1626
    int al = SSL_AD_HANDSHAKE_FAILURE;
1627
    const SSL_CIPHER *cipher;
M
Matt Caswell 已提交
1628 1629 1630 1631 1632 1633 1634 1635

    if (wst == WORK_MORE_A) {
        if (!s->hit) {
            /* Let cert callback update server certificates if required */
            if (s->cert->cert_cb) {
                int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
                if (rv == 0) {
                    al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
1636 1637
                    SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                           SSL_R_CERT_CB_ERROR);
M
Matt Caswell 已提交
1638 1639 1640 1641 1642 1643 1644
                    goto f_err;
                }
                if (rv < 0) {
                    s->rwstate = SSL_X509_LOOKUP;
                    return WORK_MORE_A;
                }
                s->rwstate = SSL_NOTHING;
1645
            }
E
Emilia Kasper 已提交
1646 1647
            cipher =
                ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
M
Matt Caswell 已提交
1648 1649

            if (cipher == NULL) {
E
Emilia Kasper 已提交
1650 1651
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_NO_SHARED_CIPHER);
M
Matt Caswell 已提交
1652
                goto f_err;
1653
            }
M
Matt Caswell 已提交
1654 1655 1656 1657
            s->s3->tmp.new_cipher = cipher;
            /* check whether we should disable session resumption */
            if (s->not_resumable_session_cb != NULL)
                s->session->not_resumable = s->not_resumable_session_cb(s,
E
Emilia Kasper 已提交
1658
                                                                        ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
M
Matt Caswell 已提交
1659 1660 1661 1662 1663 1664
            if (s->session->not_resumable)
                /* do not send a session ticket */
                s->tlsext_ticket_expected = 0;
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
1665 1666
        }

1667
        if (!(s->verify_mode & SSL_VERIFY_PEER)) {
M
Matt Caswell 已提交
1668 1669
            if (!ssl3_digest_cached_records(s, 0)) {
                al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
1670
                goto f_err;
M
Matt Caswell 已提交
1671
            }
1672 1673
        }

M
Matt Caswell 已提交
1674 1675 1676
        /*-
         * we now have the following setup.
         * client_random
1677 1678
         * cipher_list          - our preferred list of ciphers
         * ciphers              - the clients preferred list of ciphers
M
Matt Caswell 已提交
1679 1680 1681 1682 1683 1684
         * compression          - basically ignored right now
         * ssl version is set   - sslv3
         * s->session           - The ssl session has been setup.
         * s->hit               - session reuse flag
         * s->s3->tmp.new_cipher- the new cipher to use.
         */
1685

M
Matt Caswell 已提交
1686 1687
        /* Handles TLS extensions that we couldn't check earlier */
        if (s->version >= SSL3_VERSION) {
1688
            if (!ssl_check_clienthello_tlsext_late(s, &al)) {
M
Matt Caswell 已提交
1689 1690
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_CLIENTHELLO_TLSEXT);
M
Matt Caswell 已提交
1691 1692 1693
                goto f_err;
            }
        }
1694

M
Matt Caswell 已提交
1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713
        wst = WORK_MORE_B;
    }
#ifndef OPENSSL_NO_SRP
    if (wst == WORK_MORE_B) {
        int ret;
        if ((ret = ssl_check_srp_ext_ClientHello(s, &al)) < 0) {
            /*
             * callback indicates further work to be done
             */
            s->rwstate = SSL_X509_LOOKUP;
            return WORK_MORE_B;
        }
        if (ret != SSL_ERROR_NONE) {
            /*
             * This is not really an error but the only means to for
             * a client to detect whether srp is supported.
             */
            if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
E
Emilia Kasper 已提交
1714
                       SSL_R_CLIENTHELLO_TLSEXT);
1715 1716 1717
            else
                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                       SSL_R_PSK_IDENTITY_NOT_FOUND);
M
Matt Caswell 已提交
1718
            goto f_err;
1719 1720
        }
    }
M
Matt Caswell 已提交
1721 1722
#endif
    s->renegotiate = 2;
1723

M
Matt Caswell 已提交
1724
    return WORK_FINISHED_STOP;
1725
 f_err:
M
Matt Caswell 已提交
1726
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
1727
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
1728 1729 1730
    return WORK_ERROR;
}

1731
int tls_construct_server_hello(SSL *s, WPACKET *pkt)
1732
{
1733 1734
    int compm, al = SSL_AD_INTERNAL_ERROR;
    size_t sl, len;
1735
    int version;
1736

1737
    /* TODO(TLS1.3): Remove the DRAFT conditional before release */
1738 1739
    version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version;
    if (!WPACKET_put_bytes_u16(pkt, version)
1740 1741 1742 1743
               /*
                * Random stuff. Filling of the server_random takes place in
                * tls_process_client_hello()
                */
1744
            || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
1745 1746 1747
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
        goto err;
    }
1748

M
Matt Caswell 已提交
1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770
    /*-
     * There are several cases for the session ID to send
     * back in the server hello:
     * - For session reuse from the session cache,
     *   we send back the old session ID.
     * - If stateless session reuse (using a session ticket)
     *   is successful, we send back the client's "session ID"
     *   (which doesn't actually identify the session).
     * - If it is a new session, we send back the new
     *   session ID.
     * - However, if we want the new session to be single-use,
     *   we send back a 0-length session ID.
     * s->hit is non-zero in either case of session reuse,
     * so the following won't overwrite an ID that we're supposed
     * to send back.
     */
    if (s->session->not_resumable ||
        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
         && !s->hit))
        s->session->session_id_length = 0;

    sl = s->session->session_id_length;
1771
    if (sl > sizeof(s->session->session_id)) {
M
Matt Caswell 已提交
1772
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1773
        goto err;
M
Matt Caswell 已提交
1774
    }
1775

1776
    /* set up the compression method */
1777
#ifdef OPENSSL_NO_COMP
1778
    compm = 0;
1779
#else
M
Matt Caswell 已提交
1780
    if (s->s3->tmp.new_compression == NULL)
1781
        compm = 0;
M
Matt Caswell 已提交
1782
    else
1783
        compm = s->s3->tmp.new_compression->id;
1784
#endif
1785

1786 1787
    if ((!SSL_IS_TLS13(s)
                && !WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl))
1788
            || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
1789 1790
            || (!SSL_IS_TLS13(s)
                && !WPACKET_put_bytes_u8(pkt, compm))
1791
            || !ssl_prepare_serverhello_tlsext(s)
1792
            || !ssl_add_serverhello_tlsext(s, pkt, &al)) {
M
Matt Caswell 已提交
1793
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1794
        goto err;
1795
    }
1796

M
Matt Caswell 已提交
1797
    return 1;
1798 1799 1800
 err:
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
    return 0;
1801
}
1802

1803
int tls_construct_server_done(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
1804 1805
{
    if (!s->s3->tmp.cert_request) {
1806 1807 1808 1809
        if (!ssl3_digest_cached_records(s, 0)) {
            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
            return 0;
        }
M
Matt Caswell 已提交
1810 1811 1812 1813
    }
    return 1;
}

1814
int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
1815
{
1816
#ifndef OPENSSL_NO_DH
1817
    EVP_PKEY *pkdh = NULL;
B
Bodo Möller 已提交
1818
#endif
1819
#ifndef OPENSSL_NO_EC
1820
    unsigned char *encodedPoint = NULL;
1821
    size_t encodedlen = 0;
1822
    int curve_id = 0;
1823
#endif
1824 1825
    EVP_PKEY *pkey;
    const EVP_MD *md = NULL;
1826
    int al = SSL_AD_INTERNAL_ERROR, i;
1827
    unsigned long type;
1828
    const BIGNUM *r[4];
1829
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
1830 1831
    size_t paramlen, paramoffset;

1832
    if (!WPACKET_get_total_written(pkt, &paramoffset)) {
1833
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1834 1835
        goto f_err;
    }
1836

1837 1838 1839 1840
    if (md_ctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
        goto f_err;
    }
1841

M
Matt Caswell 已提交
1842 1843 1844
    type = s->s3->tmp.new_cipher->algorithm_mkey;

    r[0] = r[1] = r[2] = r[3] = NULL;
1845
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1846 1847 1848
    /* Plain PSK or RSAPSK nothing to do */
    if (type & (SSL_kPSK | SSL_kRSAPSK)) {
    } else
1849
#endif                          /* !OPENSSL_NO_PSK */
1850
#ifndef OPENSSL_NO_DH
M
Matt Caswell 已提交
1851
    if (type & (SSL_kDHE | SSL_kDHEPSK)) {
1852 1853
        CERT *cert = s->cert;

1854 1855 1856
        EVP_PKEY *pkdhp = NULL;
        DH *dh;

M
Matt Caswell 已提交
1857
        if (s->cert->dh_tmp_auto) {
1858 1859 1860 1861
            DH *dhp = ssl_get_auto_dh(s);
            pkdh = EVP_PKEY_new();
            if (pkdh == NULL || dhp == NULL) {
                DH_free(dhp);
M
Matt Caswell 已提交
1862
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
1863
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
1864
                goto f_err;
1865
            }
1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881
            EVP_PKEY_assign_DH(pkdh, dhp);
            pkdhp = pkdh;
        } else {
            pkdhp = cert->dh_tmp;
        }
        if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) {
            DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
            pkdh = ssl_dh_to_pkey(dhp);
            if (pkdh == NULL) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
            pkdhp = pkdh;
        }
        if (pkdhp == NULL) {
M
Matt Caswell 已提交
1882 1883 1884 1885 1886 1887
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_TMP_DH_KEY);
            goto f_err;
        }
        if (!ssl_security(s, SSL_SECOP_TMP_DH,
1888
                          EVP_PKEY_security_bits(pkdhp), 0, pkdhp)) {
M
Matt Caswell 已提交
1889 1890 1891 1892 1893
            al = SSL_AD_HANDSHAKE_FAILURE;
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_DH_KEY_TOO_SMALL);
            goto f_err;
        }
1894
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1895 1896 1897 1898
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
1899

D
Dr. Stephen Henson 已提交
1900
        s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
M
Matt Caswell 已提交
1901

1902 1903
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1904
            goto err;
M
Matt Caswell 已提交
1905
        }
1906 1907 1908 1909 1910 1911

        dh = EVP_PKEY_get0_DH(s->s3->tmp.pkey);

        EVP_PKEY_free(pkdh);
        pkdh = NULL;

M
Matt Caswell 已提交
1912 1913
        DH_get0_pqg(dh, &r[0], NULL, &r[1]);
        DH_get0_key(dh, &r[2], NULL);
M
Matt Caswell 已提交
1914
    } else
1915
#endif
1916
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
1917
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
1918
        int nid;
M
Matt Caswell 已提交
1919

D
Dr. Stephen Henson 已提交
1920
        if (s->s3->tmp.pkey != NULL) {
M
Matt Caswell 已提交
1921 1922 1923 1924 1925
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }

1926
        /* Get NID of appropriate shared curve */
1927
        nid = tls1_shared_group(s, -2);
1928 1929
        curve_id = tls1_ec_nid2curve_id(nid);
        if (curve_id == 0) {
M
Matt Caswell 已提交
1930 1931 1932 1933
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
            goto err;
        }
D
Dr. Stephen Henson 已提交
1934
        s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id);
D
Dr. Stephen Henson 已提交
1935 1936 1937
        /* Generate a new key for this curve */
        if (s->s3->tmp.pkey == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
1938 1939 1940
            goto f_err;
        }

D
Dr. Stephen Henson 已提交
1941
        /* Encode the public key. */
1942 1943
        encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
                                                    &encodedPoint);
M
Matt Caswell 已提交
1944
        if (encodedlen == 0) {
1945
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
M
Matt Caswell 已提交
1946 1947
            goto err;
        }
1948

M
Matt Caswell 已提交
1949 1950 1951 1952 1953 1954 1955 1956 1957
        /*
         * We'll generate the serverKeyExchange message explicitly so we
         * can set these to NULLs
         */
        r[0] = NULL;
        r[1] = NULL;
        r[2] = NULL;
        r[3] = NULL;
    } else
1958
#endif                          /* !OPENSSL_NO_EC */
B
Ben Laurie 已提交
1959
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
1960 1961 1962 1963 1964 1965 1966
    if (type & SSL_kSRP) {
        if ((s->srp_ctx.N == NULL) ||
            (s->srp_ctx.g == NULL) ||
            (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_MISSING_SRP_PARAM);
            goto err;
1967
        }
M
Matt Caswell 已提交
1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979
        r[0] = s->srp_ctx.N;
        r[1] = s->srp_ctx.g;
        r[2] = s->srp_ctx.s;
        r[3] = s->srp_ctx.B;
    } else
#endif
    {
        al = SSL_AD_HANDSHAKE_FAILURE;
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
               SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
        goto f_err;
    }
1980

E
Emilia Kasper 已提交
1981
    if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
M
Matt Caswell 已提交
1982 1983 1984 1985 1986
        && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
        if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
            == NULL) {
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
1987
        }
M
Matt Caswell 已提交
1988 1989 1990
    } else {
        pkey = NULL;
    }
1991

1992
#ifndef OPENSSL_NO_PSK
M
Matt Caswell 已提交
1993
    if (type & SSL_PSK) {
1994 1995 1996 1997 1998 1999 2000 2001
        size_t len = (s->cert->psk_identity_hint == NULL)
                        ? 0 : strlen(s->cert->psk_identity_hint);

        /*
         * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
         * checked this when we set the identity hint - but just in case
         */
        if (len > PSK_MAX_IDENTITY_LEN
2002
                || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
2003 2004 2005 2006
                                           len)) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
2007
        }
M
Matt Caswell 已提交
2008
    }
2009 2010
#endif

M
Matt Caswell 已提交
2011
    for (i = 0; i < 4 && r[i] != NULL; i++) {
2012 2013 2014
        unsigned char *binval;
        int res;

B
Ben Laurie 已提交
2015
#ifndef OPENSSL_NO_SRP
M
Matt Caswell 已提交
2016
        if ((i == 2) && (type & SSL_kSRP)) {
2017
            res = WPACKET_start_sub_packet_u8(pkt);
M
Matt Caswell 已提交
2018
        } else
2019
#endif
2020
            res = WPACKET_start_sub_packet_u16(pkt);
2021 2022 2023 2024 2025 2026 2027

        if (!res) {
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

2028
#ifndef OPENSSL_NO_DH
E
Emilia Kasper 已提交
2029
        /*-
2030 2031 2032 2033 2034
         * for interoperability with some versions of the Microsoft TLS
         * stack, we need to zero pad the DHE pub key to the same length
         * as the prime
         */
        if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
2035
            size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
M
Matt Caswell 已提交
2036

2037
            if (len > 0) {
2038
                if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
2039 2040 2041 2042 2043
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
                }
                memset(binval, 0, len);
2044
            }
2045
        }
B
Ben Laurie 已提交
2046
#endif
2047 2048
        if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
                || !WPACKET_close(pkt)) {
2049 2050 2051 2052 2053 2054
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }

        BN_bn2bin(r[i], binval);
M
Matt Caswell 已提交
2055
    }
2056

2057
#ifndef OPENSSL_NO_EC
M
Matt Caswell 已提交
2058 2059
    if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
        /*
2060 2061 2062 2063
         * We only support named (not generic) curves. In this situation, the
         * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
         * [1 byte length of encoded point], followed by the actual encoded
         * point itself
M
Matt Caswell 已提交
2064
         */
2065 2066 2067 2068
        if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
                || !WPACKET_put_bytes_u8(pkt, 0)
                || !WPACKET_put_bytes_u8(pkt, curve_id)
                || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
2069 2070 2071 2072
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
            goto f_err;
        }
M
Matt Caswell 已提交
2073 2074 2075
        OPENSSL_free(encodedPoint);
        encodedPoint = NULL;
    }
B
Bodo Möller 已提交
2076 2077
#endif

M
Matt Caswell 已提交
2078 2079 2080 2081 2082 2083 2084
    /* not anonymous */
    if (pkey != NULL) {
        /*
         * n is the length of the params, they start at &(d[4]) and p
         * points to the space at the end.
         */
        if (md) {
2085 2086 2087 2088
            unsigned char *sigbytes1, *sigbytes2;
            unsigned int siglen;

            /* Get length of the parameters we have written above */
2089
            if (!WPACKET_get_length(pkt, &paramlen)) {
2090 2091 2092 2093
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
                goto f_err;
            }
M
Matt Caswell 已提交
2094 2095
            /* send signature algorithm */
            if (SSL_USE_SIGALGS(s)) {
2096
                if (!tls12_get_sigandhash(pkt, pkey, md)) {
M
Matt Caswell 已提交
2097 2098 2099 2100
                    /* Should never happen */
                    SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                           ERR_R_INTERNAL_ERROR);
                    goto f_err;
2101
                }
M
Matt Caswell 已提交
2102
            }
2103
#ifdef SSL_DEBUG
M
Matt Caswell 已提交
2104
            fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
2105
#endif
2106 2107 2108 2109 2110 2111
            /*
             * Create the signature. We don't know the actual length of the sig
             * until after we've created it, so we reserve enough bytes for it
             * up front, and then properly allocate them in the WPACKET
             * afterwards.
             */
2112
            if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey),
2113 2114 2115 2116 2117 2118 2119 2120 2121
                                               &sigbytes1)
                    || EVP_SignInit_ex(md_ctx, md, NULL) <= 0
                    || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
                                      SSL3_RANDOM_SIZE) <= 0
                    || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
                                      SSL3_RANDOM_SIZE) <= 0
                    || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset,
                                      paramlen) <= 0
                    || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0
2122
                    || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
2123 2124 2125
                    || sigbytes1 != sigbytes2) {
                SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                       ERR_R_INTERNAL_ERROR);
2126
                goto f_err;
2127
            }
M
Matt Caswell 已提交
2128 2129
        } else {
            /* Is this error check actually needed? */
M
Matt Caswell 已提交
2130
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
2131 2132
            SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
                   SSL_R_UNKNOWN_PKEY_TYPE);
M
Matt Caswell 已提交
2133 2134
            goto f_err;
        }
2135 2136
    }

2137
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2138
    return 1;
2139 2140 2141
 f_err:
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
 err:
2142 2143 2144
#ifndef OPENSSL_NO_DH
    EVP_PKEY_free(pkdh);
#endif
2145
#ifndef OPENSSL_NO_EC
R
Rich Salz 已提交
2146
    OPENSSL_free(encodedPoint);
B
Bodo Möller 已提交
2147
#endif
2148
    EVP_MD_CTX_free(md_ctx);
M
Matt Caswell 已提交
2149
    return 0;
2150
}
2151

2152
int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
2153
{
2154
    int i;
2155 2156
    STACK_OF(X509_NAME) *sk = NULL;

M
Matt Caswell 已提交
2157
    /* get the list of acceptable cert types */
2158 2159 2160
    if (!WPACKET_start_sub_packet_u8(pkt)
            || !ssl3_get_req_cert_type(s, pkt)
            || !WPACKET_close(pkt)) {
2161 2162 2163
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
2164

M
Matt Caswell 已提交
2165 2166
    if (SSL_USE_SIGALGS(s)) {
        const unsigned char *psigs;
2167
        size_t nl = tls12_get_psigalgs(s, &psigs);
2168 2169 2170
        if (!WPACKET_start_sub_packet_u16(pkt)
                || !tls12_copy_sigalgs(s, pkt, psigs, nl)
                || !WPACKET_close(pkt)) {
2171 2172 2173 2174
            SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                   ERR_R_INTERNAL_ERROR);
            goto err;
        }
M
Matt Caswell 已提交
2175
    }
2176

2177
    /* Start sub-packet for client CA list */
2178
    if (!WPACKET_start_sub_packet_u16(pkt)) {
2179 2180 2181
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
2182 2183 2184 2185

    sk = SSL_get_client_CA_list(s);
    if (sk != NULL) {
        for (i = 0; i < sk_X509_NAME_num(sk); i++) {
2186 2187 2188 2189 2190 2191
            unsigned char *namebytes;
            X509_NAME *name = sk_X509_NAME_value(sk, i);
            int namelen;

            if (name == NULL
                    || (namelen = i2d_X509_NAME(name, NULL)) < 0
2192
                    || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2193 2194 2195 2196
                                                       &namebytes)
                    || i2d_X509_NAME(name, &namebytes) != namelen) {
                SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
                       ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2197
                goto err;
2198 2199
            }
        }
M
Matt Caswell 已提交
2200 2201
    }
    /* else no CA names */
2202

2203
    if (!WPACKET_close(pkt)) {
M
Matt Caswell 已提交
2204 2205
        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
        goto err;
2206
    }
2207

M
Matt Caswell 已提交
2208 2209 2210
    s->s3->tmp.cert_request = 1;

    return 1;
2211
 err:
2212
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
2213
    return 0;
2214
}
2215

2216
static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
M
Matt Caswell 已提交
2217
{
2218
#ifndef OPENSSL_NO_PSK
2219 2220 2221
    unsigned char psk[PSK_MAX_PSK_LEN];
    size_t psklen;
    PACKET psk_identity;
2222

2223 2224
    if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
        *al = SSL_AD_DECODE_ERROR;
2225
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
2226 2227 2228 2229
        return 0;
    }
    if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
        *al = SSL_AD_DECODE_ERROR;
2230
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
2231 2232 2233 2234
        return 0;
    }
    if (s->psk_server_callback == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
E
Emilia Kasper 已提交
2235
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
2236 2237
        return 0;
    }
2238

2239 2240
    if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
        *al = SSL_AD_INTERNAL_ERROR;
2241
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2242 2243
        return 0;
    }
2244

2245
    psklen = s->psk_server_callback(s, s->session->psk_identity,
E
Emilia Kasper 已提交
2246
                                    psk, sizeof(psk));
2247

2248 2249
    if (psklen > PSK_MAX_PSK_LEN) {
        *al = SSL_AD_INTERNAL_ERROR;
2250
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2251 2252 2253 2254 2255 2256
        return 0;
    } else if (psklen == 0) {
        /*
         * PSK related to the given identity not found
         */
        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
2257
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
2258 2259 2260
               SSL_R_PSK_IDENTITY_NOT_FOUND);
        return 0;
    }
2261

2262 2263 2264
    OPENSSL_free(s->s3->tmp.psk);
    s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
    OPENSSL_cleanse(psk, psklen);
2265

2266 2267
    if (s->s3->tmp.psk == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2268
        SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
2269
        return 0;
2270
    }
2271 2272 2273 2274 2275 2276 2277

    s->s3->tmp.psklen = psklen;

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2278
    SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2279
    return 0;
2280
#endif
2281 2282 2283 2284
}

static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
{
2285
#ifndef OPENSSL_NO_RSA
2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297
    unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
    int decrypt_len;
    unsigned char decrypt_good, version_good;
    size_t j, padding_len;
    PACKET enc_premaster;
    RSA *rsa = NULL;
    unsigned char *rsa_decrypt = NULL;
    int ret = 0;

    rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
    if (rsa == NULL) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2298
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE);
2299 2300 2301 2302 2303 2304 2305 2306 2307 2308
        return 0;
    }

    /* SSLv3 and pre-standard DTLS omit the length bytes. */
    if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
        enc_premaster = *pkt;
    } else {
        if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
            || PACKET_remaining(pkt) != 0) {
            *al = SSL_AD_DECODE_ERROR;
2309
            SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH);
2310
            return 0;
2311
        }
2312
    }
2313

2314 2315 2316 2317 2318 2319 2320 2321
    /*
     * We want to be sure that the plaintext buffer size makes it safe to
     * iterate over the entire size of a premaster secret
     * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
     * their ciphertext cannot accommodate a premaster secret anyway.
     */
    if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_INTERNAL_ERROR;
2322
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
2323 2324
        return 0;
    }
2325

2326 2327 2328
    rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
    if (rsa_decrypt == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2329
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE);
2330 2331
        return 0;
    }
2332

2333 2334 2335 2336 2337 2338 2339
    /*
     * We must not leak whether a decryption failure occurs because of
     * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
     * section 7.4.7.1). The code follows that advice of the TLS RFC and
     * generates a random premaster secret for the case that the decrypt
     * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
     */
2340

E
Emilia Kasper 已提交
2341
    if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
2342
        goto err;
2343

2344 2345 2346 2347
    /*
     * Decrypt with no padding. PKCS#1 padding will be removed as part of
     * the timing-sensitive code below.
     */
2348 2349 2350 2351
     /* TODO(size_t): Convert this function */
    decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
                                           PACKET_data(&enc_premaster),
                                           rsa_decrypt, rsa, RSA_NO_PADDING);
2352 2353
    if (decrypt_len < 0)
        goto err;
2354

2355
    /* Check the padding. See RFC 3447, section 7.2.2. */
2356

2357 2358 2359 2360 2361 2362 2363
    /*
     * The smallest padded premaster is 11 bytes of overhead. Small keys
     * are publicly invalid, so this may return immediately. This ensures
     * PS is at least 8 bytes.
     */
    if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
        *al = SSL_AD_DECRYPT_ERROR;
2364
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED);
2365 2366
        goto err;
    }
2367

2368 2369
    padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
    decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
E
Emilia Kasper 已提交
2370
        constant_time_eq_int_8(rsa_decrypt[1], 2);
2371 2372 2373 2374
    for (j = 2; j < padding_len - 1; j++) {
        decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
    }
    decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
2375

2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389
    /*
     * If the version in the decrypted pre-master secret is correct then
     * version_good will be 0xff, otherwise it'll be zero. The
     * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
     * (http://eprint.iacr.org/2003/052/) exploits the version number
     * check as a "bad version oracle". Thus version checks are done in
     * constant time and are treated like any other decryption error.
     */
    version_good =
        constant_time_eq_8(rsa_decrypt[padding_len],
                           (unsigned)(s->client_version >> 8));
    version_good &=
        constant_time_eq_8(rsa_decrypt[padding_len + 1],
                           (unsigned)(s->client_version & 0xff));
2390

2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404
    /*
     * The premaster secret must contain the same version number as the
     * ClientHello to detect version rollback attacks (strangely, the
     * protocol does not offer such protection for DH ciphersuites).
     * However, buggy clients exist that send the negotiated protocol
     * version instead if the server does not support the requested
     * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
     * clients.
     */
    if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
        unsigned char workaround_good;
        workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
                                             (unsigned)(s->version >> 8));
        workaround_good &=
2405
            constant_time_eq_8(rsa_decrypt[padding_len + 1],
2406 2407 2408
                               (unsigned)(s->version & 0xff));
        version_good |= workaround_good;
    }
2409

2410 2411 2412 2413 2414
    /*
     * Both decryption and version must be good for decrypt_good to
     * remain non-zero (0xff).
     */
    decrypt_good &= version_good;
2415

2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427
    /*
     * Now copy rand_premaster_secret over from p using
     * decrypt_good_mask. If decryption failed, then p does not
     * contain valid plaintext, however, a check above guarantees
     * it is still sufficiently large to read from.
     */
    for (j = 0; j < sizeof(rand_premaster_secret); j++) {
        rsa_decrypt[padding_len + j] =
            constant_time_select_8(decrypt_good,
                                   rsa_decrypt[padding_len + j],
                                   rand_premaster_secret[j]);
    }
2428

2429 2430 2431
    if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
                                    sizeof(rand_premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
2432
        SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2433 2434
        goto err;
    }
2435

2436 2437 2438 2439 2440 2441 2442
    ret = 1;
 err:
    OPENSSL_free(rsa_decrypt);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2443
    SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
2444 2445 2446 2447
    return 0;
#endif
}

2448 2449 2450 2451 2452 2453 2454 2455 2456 2457 2458
static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_DH
    EVP_PKEY *skey = NULL;
    DH *cdh;
    unsigned int i;
    BIGNUM *pub_key;
    const unsigned char *data;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

D
Dr. Stephen Henson 已提交
2459
    if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
2460
        *al = SSL_AD_HANDSHAKE_FAILURE;
2461
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE,
2462 2463 2464 2465 2466 2467
               SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
        goto err;
    }
    skey = s->s3->tmp.pkey;
    if (skey == NULL) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2468
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2469 2470 2471 2472 2473
        goto err;
    }

    if (PACKET_remaining(pkt) == 0L) {
        *al = SSL_AD_HANDSHAKE_FAILURE;
2474
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
2475 2476 2477 2478 2479
        goto err;
    }
    if (!PACKET_get_bytes(pkt, &data, i)) {
        /* We already checked we have enough data */
        *al = SSL_AD_INTERNAL_ERROR;
2480
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2481 2482 2483 2484
        goto err;
    }
    ckey = EVP_PKEY_new();
    if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
2485
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
2486 2487 2488 2489 2490 2491
        goto err;
    }
    cdh = EVP_PKEY_get0_DH(ckey);
    pub_key = BN_bin2bn(data, i, NULL);

    if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
2492
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2493 2494 2495 2496 2497
        if (pub_key != NULL)
            BN_free(pub_key);
        goto err;
    }

2498
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2499
        *al = SSL_AD_INTERNAL_ERROR;
2500
        SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2501 2502 2503 2504 2505 2506 2507 2508 2509 2510 2511 2512
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2513
    SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
2514 2515 2516 2517
    return 0;
#endif
}

2518 2519 2520 2521 2522 2523 2524 2525 2526 2527
static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_EC
    EVP_PKEY *skey = s->s3->tmp.pkey;
    EVP_PKEY *ckey = NULL;
    int ret = 0;

    if (PACKET_remaining(pkt) == 0L) {
        /* We don't support ECDH client auth */
        *al = SSL_AD_HANDSHAKE_FAILURE;
2528
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY);
2529 2530 2531 2532 2533 2534 2535 2536 2537 2538 2539
        goto err;
    } else {
        unsigned int i;
        const unsigned char *data;

        /*
         * Get client's public key from encoded point in the
         * ClientKeyExchange message.
         */

        /* Get encoded point length */
D
Dr. Stephen Henson 已提交
2540 2541
        if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
            || PACKET_remaining(pkt) != 0) {
2542
            *al = SSL_AD_DECODE_ERROR;
2543
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH);
2544 2545 2546 2547
            goto err;
        }
        ckey = EVP_PKEY_new();
        if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
2548
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB);
2549 2550
            goto err;
        }
2551
        if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
D
Dr. Stephen Henson 已提交
2552
            *al = SSL_AD_HANDSHAKE_FAILURE;
2553
            SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB);
2554 2555 2556 2557
            goto err;
        }
    }

2558
    if (ssl_derive(s, skey, ckey, 1) == 0) {
2559
        *al = SSL_AD_INTERNAL_ERROR;
2560
        SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2561 2562 2563 2564 2565 2566 2567 2568 2569 2570 2571 2572 2573
        goto err;
    }

    ret = 1;
    EVP_PKEY_free(s->s3->tmp.pkey);
    s->s3->tmp.pkey = NULL;
 err:
    EVP_PKEY_free(ckey);

    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2574
    SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
2575 2576 2577 2578
    return 0;
#endif
}

2579 2580 2581 2582 2583 2584 2585
static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_SRP
    unsigned int i;
    const unsigned char *data;

    if (!PACKET_get_net_2(pkt, &i)
E
Emilia Kasper 已提交
2586
        || !PACKET_get_bytes(pkt, &data, i)) {
2587
        *al = SSL_AD_DECODE_ERROR;
2588
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
2589 2590 2591
        return 0;
    }
    if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
2592
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
2593 2594
        return 0;
    }
E
Emilia Kasper 已提交
2595
    if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
2596
        *al = SSL_AD_ILLEGAL_PARAMETER;
2597
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
2598 2599 2600 2601 2602
        return 0;
    }
    OPENSSL_free(s->session->srp_username);
    s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
    if (s->session->srp_username == NULL) {
2603
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE);
2604 2605 2606 2607
        return 0;
    }

    if (!srp_generate_server_master_secret(s)) {
2608
        SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2609 2610 2611 2612 2613 2614 2615
        return 0;
    }

    return 1;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2616
    SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
2617 2618 2619 2620 2621 2622 2623 2624 2625 2626 2627 2628 2629 2630 2631
    return 0;
#endif
}

static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_GOST
    EVP_PKEY_CTX *pkey_ctx;
    EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
    unsigned char premaster_secret[32];
    const unsigned char *start;
    size_t outlen = 32, inlen;
    unsigned long alg_a;
    int Ttag, Tclass;
    long Tlen;
2632
    size_t sess_key_len;
2633 2634 2635 2636 2637 2638 2639 2640 2641 2642 2643 2644 2645 2646 2647 2648 2649 2650 2651 2652 2653 2654 2655
    const unsigned char *data;
    int ret = 0;

    /* Get our certificate private key */
    alg_a = s->s3->tmp.new_cipher->algorithm_auth;
    if (alg_a & SSL_aGOST12) {
        /*
         * New GOST ciphersuites have SSL_aGOST01 bit too
         */
        pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
        }
        if (pk == NULL) {
            pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
        }
    } else if (alg_a & SSL_aGOST01) {
        pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
    }

    pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
    if (pkey_ctx == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
2656
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE);
2657 2658 2659 2660
        return 0;
    }
    if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
        *al = SSL_AD_INTERNAL_ERROR;
2661
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2662 2663 2664 2665 2666 2667 2668 2669 2670 2671 2672 2673 2674 2675 2676 2677 2678
        return 0;
    }
    /*
     * If client certificate is present and is of the same type, maybe
     * use it for key exchange.  Don't mind errors from
     * EVP_PKEY_derive_set_peer, because it is completely valid to use a
     * client certificate for authorization only.
     */
    client_pub_pkey = X509_get0_pubkey(s->session->peer);
    if (client_pub_pkey) {
        if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
            ERR_clear_error();
    }
    /* Decrypt session key */
    sess_key_len = PACKET_remaining(pkt);
    if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
        *al = SSL_AD_INTERNAL_ERROR;
2679
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2680 2681
        goto err;
    }
2682
    /* TODO(size_t): Convert this function */
E
Emilia Kasper 已提交
2683
    if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
2684
                        &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
E
Emilia Kasper 已提交
2685
        || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
2686
        *al = SSL_AD_DECODE_ERROR;
2687
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
2688 2689 2690 2691 2692 2693 2694
        goto err;
    }
    start = data;
    inlen = Tlen;
    if (EVP_PKEY_decrypt
        (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
        *al = SSL_AD_DECODE_ERROR;
2695
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
2696 2697 2698 2699 2700 2701
        goto err;
    }
    /* Generate master secret */
    if (!ssl_generate_master_secret(s, premaster_secret,
                                    sizeof(premaster_secret), 0)) {
        *al = SSL_AD_INTERNAL_ERROR;
2702
        SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2703 2704 2705 2706 2707 2708 2709 2710 2711 2712 2713 2714 2715 2716
        goto err;
    }
    /* Check if pubkey from client certificate was used */
    if (EVP_PKEY_CTX_ctrl
        (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
        s->statem.no_cert_verify = 1;

    ret = 1;
 err:
    EVP_PKEY_CTX_free(pkey_ctx);
    return ret;
#else
    /* Should never happen */
    *al = SSL_AD_INTERNAL_ERROR;
2717
    SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
2718 2719 2720 2721
    return 0;
#endif
}

2722 2723 2724 2725 2726 2727 2728 2729 2730 2731 2732 2733 2734 2735 2736
MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
{
    int al = -1;
    unsigned long alg_k;

    alg_k = s->s3->tmp.new_cipher->algorithm_mkey;

    /* For PSK parse and retrieve identity, obtain PSK key */
    if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al))
        goto err;

    if (alg_k & SSL_kPSK) {
        /* Identity extracted earlier: should be nothing left */
        if (PACKET_remaining(pkt) != 0) {
            al = SSL_AD_HANDSHAKE_FAILURE;
E
Emilia Kasper 已提交
2737 2738
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
                   SSL_R_LENGTH_MISMATCH);
2739
            goto err;
2740 2741 2742
        }
        /* PSK handled by ssl_generate_master_secret */
        if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
M
Matt Caswell 已提交
2743
            al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
2744
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
2745
            goto err;
M
Matt Caswell 已提交
2746
        }
2747 2748 2749
    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
        if (!tls_process_cke_rsa(s, pkt, &al))
            goto err;
2750 2751
    } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
        if (!tls_process_cke_dhe(s, pkt, &al))
2752
            goto err;
2753 2754 2755
    } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
        if (!tls_process_cke_ecdhe(s, pkt, &al))
            goto err;
2756 2757
    } else if (alg_k & SSL_kSRP) {
        if (!tls_process_cke_srp(s, pkt, &al))
2758
            goto err;
2759 2760
    } else if (alg_k & SSL_kGOST) {
        if (!tls_process_cke_gost(s, pkt, &al))
2761
            goto err;
2762
    } else {
2763
        al = SSL_AD_HANDSHAKE_FAILURE;
E
Emilia Kasper 已提交
2764 2765
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
               SSL_R_UNKNOWN_CIPHER_TYPE);
2766
        goto err;
2767 2768
    }

M
Matt Caswell 已提交
2769
    return MSG_PROCESS_CONTINUE_PROCESSING;
2770
 err:
2771 2772
    if (al != -1)
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
2773 2774 2775
#ifndef OPENSSL_NO_PSK
    OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
    s->s3->tmp.psk = NULL;
2776
#endif
M
Matt Caswell 已提交
2777
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
2778
    return MSG_PROCESS_ERROR;
2779
}
2780

M
Matt Caswell 已提交
2781
WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst)
2782 2783
{
#ifndef OPENSSL_NO_SCTP
2784 2785 2786 2787 2788 2789 2790 2791
    if (wst == WORK_MORE_A) {
        if (SSL_IS_DTLS(s)) {
            unsigned char sctpauthkey[64];
            char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
            /*
             * Add new shared key for SCTP-Auth, will be ignored if no SCTP
             * used.
             */
M
Matt Caswell 已提交
2792 2793
            memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
                   sizeof(DTLS1_SCTP_AUTH_LABEL));
2794 2795

            if (SSL_export_keying_material(s, sctpauthkey,
E
Emilia Kasper 已提交
2796 2797 2798
                                           sizeof(sctpauthkey), labelbuffer,
                                           sizeof(labelbuffer), NULL, 0,
                                           0) <= 0) {
M
Matt Caswell 已提交
2799
                ossl_statem_set_error(s);
2800 2801
                return WORK_ERROR;;
            }
2802

2803 2804
            BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                     sizeof(sctpauthkey), sctpauthkey);
2805
        }
2806 2807
        wst = WORK_MORE_B;
    }
2808

2809
    if ((wst == WORK_MORE_B)
E
Emilia Kasper 已提交
2810 2811 2812 2813 2814 2815 2816
        /* Is this SCTP? */
        && BIO_dgram_is_sctp(SSL_get_wbio(s))
        /* Are we renegotiating? */
        && s->renegotiate
        /* Are we going to skip the CertificateVerify? */
        && (s->session->peer == NULL || s->statem.no_cert_verify)
        && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
2817 2818 2819 2820
        s->s3->in_read_app_data = 2;
        s->rwstate = SSL_READING;
        BIO_clear_retry_flags(SSL_get_rbio(s));
        BIO_set_retry_read(SSL_get_rbio(s));
M
Matt Caswell 已提交
2821
        ossl_statem_set_sctp_read_sock(s, 1);
2822 2823
        return WORK_MORE_B;
    } else {
M
Matt Caswell 已提交
2824
        ossl_statem_set_sctp_read_sock(s, 0);
2825 2826 2827
    }
#endif

2828
    if (s->statem.no_cert_verify || !s->session->peer) {
E
Emilia Kasper 已提交
2829 2830 2831
        /*
         * No certificate verify or no peer certificate so we no longer need
         * the handshake_buffer
2832 2833 2834 2835 2836
         */
        if (!ssl3_digest_cached_records(s, 0)) {
            ossl_statem_set_error(s);
            return WORK_ERROR;
        }
2837
        return WORK_FINISHED_CONTINUE;
2838
    } else {
2839 2840 2841
        if (!s->s3->handshake_buffer) {
            SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
                   ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
2842
            ossl_statem_set_error(s);
2843 2844 2845 2846 2847 2848 2849
            return WORK_ERROR;
        }
        /*
         * For sigalgs freeze the handshake buffer. If we support
         * extms we've done this already so this is a no-op
         */
        if (!ssl3_digest_cached_records(s, 1)) {
M
Matt Caswell 已提交
2850
            ossl_statem_set_error(s);
2851 2852 2853 2854 2855 2856 2857
            return WORK_ERROR;
        }
    }

    return WORK_FINISHED_CONTINUE;
}

M
Matt Caswell 已提交
2858
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
2859 2860
{
    EVP_PKEY *pkey = NULL;
E
Emilia Kasper 已提交
2861
    const unsigned char *sig, *data;
2862
#ifndef OPENSSL_NO_GOST
E
Emilia Kasper 已提交
2863
    unsigned char *gost_data = NULL;
2864
#endif
M
Matt Caswell 已提交
2865
    int al, ret = MSG_PROCESS_ERROR;
2866
    int type = 0, j;
M
Matt Caswell 已提交
2867 2868 2869
    unsigned int len;
    X509 *peer;
    const EVP_MD *md = NULL;
2870 2871 2872
    long hdatalen = 0;
    void *hdata;

2873
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
2874 2875 2876 2877 2878 2879

    if (mctx == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
M
Matt Caswell 已提交
2880

2881
    peer = s->session->peer;
2882
    pkey = X509_get0_pubkey(peer);
2883
    type = X509_certificate_type(peer, pkey);
2884 2885

    if (!(type & EVP_PKT_SIGN)) {
M
Matt Caswell 已提交
2886
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY,
2887 2888 2889 2890 2891 2892 2893 2894
               SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
        al = SSL_AD_ILLEGAL_PARAMETER;
        goto f_err;
    }

    /* Check for broken implementations of GOST ciphersuites */
    /*
     * If key is GOST and n is exactly 64, it is bare signature without
2895
     * length field (CryptoPro implementations at least till CSP 4.0)
2896
     */
M
Matt Caswell 已提交
2897
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
2898 2899
    if (PACKET_remaining(pkt) == 64
        && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
2900
        len = 64;
M
Matt Caswell 已提交
2901 2902 2903
    } else
#endif
    {
2904
        if (SSL_USE_SIGALGS(s)) {
2905 2906
            int rv;

2907
            if (!PACKET_get_bytes(pkt, &sig, 2)) {
2908 2909 2910 2911
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
            rv = tls12_check_peer_sigalg(&md, s, sig, pkey);
2912 2913 2914 2915 2916 2917 2918
            if (rv == -1) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            } else if (rv == 0) {
                al = SSL_AD_DECODE_ERROR;
                goto f_err;
            }
D
Dr. Stephen Henson 已提交
2919
#ifdef SSL_DEBUG
2920
            fprintf(stderr, "USING TLSv1.2 HASH %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2921
#endif
2922
        } else {
2923 2924 2925 2926 2927 2928 2929 2930
            /* Use default digest for this key type */
            int idx = ssl_cert_type(NULL, pkey);
            if (idx >= 0)
                md = s->s3->tmp.md[idx];
            if (md == NULL) {
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
2931
        }
2932

2933
        if (!PACKET_get_net_2(pkt, &len)) {
M
Matt Caswell 已提交
2934
            SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2935 2936 2937 2938 2939
            al = SSL_AD_DECODE_ERROR;
            goto f_err;
        }
    }
    j = EVP_PKEY_size(pkey);
2940
    if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
E
Emilia Kasper 已提交
2941
        || (PACKET_remaining(pkt) == 0)) {
M
Matt Caswell 已提交
2942
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
2943 2944 2945
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2946
    if (!PACKET_get_bytes(pkt, &data, len)) {
M
Matt Caswell 已提交
2947
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH);
2948 2949 2950
        al = SSL_AD_DECODE_ERROR;
        goto f_err;
    }
2951

2952 2953 2954 2955 2956 2957
    hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
    if (hdatalen <= 0) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
2958

D
Dr. Stephen Henson 已提交
2959
#ifdef SSL_DEBUG
2960
    fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
D
Dr. Stephen Henson 已提交
2961
#endif
2962 2963
    if (!EVP_VerifyInit_ex(mctx, md, NULL)
        || !EVP_VerifyUpdate(mctx, hdata, hdatalen)) {
2964 2965 2966 2967
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }
M
Matt Caswell 已提交
2968
#ifndef OPENSSL_NO_GOST
D
Dr. Stephen Henson 已提交
2969 2970 2971 2972
    {
        int pktype = EVP_PKEY_id(pkey);
        if (pktype == NID_id_GostR3410_2001
            || pktype == NID_id_GostR3410_2012_256
E
Emilia Kasper 已提交
2973 2974 2975 2976 2977 2978 2979 2980 2981
            || pktype == NID_id_GostR3410_2012_512) {
            if ((gost_data = OPENSSL_malloc(len)) == NULL) {
                SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
                al = SSL_AD_INTERNAL_ERROR;
                goto f_err;
            }
            BUF_reverse(gost_data, data, len);
            data = gost_data;
        }
2982
    }
M
Matt Caswell 已提交
2983
#endif
2984

2985
    if (s->version == SSL3_VERSION
2986
        && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
2987
                            (int)s->session->master_key_length,
2988 2989 2990 2991 2992 2993
                            s->session->master_key)) {
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
        al = SSL_AD_INTERNAL_ERROR;
        goto f_err;
    }

2994
    if (EVP_VerifyFinal(mctx, data, len, pkey) <= 0) {
2995 2996
        al = SSL_AD_DECRYPT_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_BAD_SIGNATURE);
2997 2998 2999
        goto f_err;
    }

3000
    ret = MSG_PROCESS_CONTINUE_PROCESSING;
3001 3002 3003
    if (0) {
 f_err:
        ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3004
        ossl_statem_set_error(s);
3005
    }
R
Rich Salz 已提交
3006 3007
    BIO_free(s->s3->handshake_buffer);
    s->s3->handshake_buffer = NULL;
3008
    EVP_MD_CTX_free(mctx);
3009
#ifndef OPENSSL_NO_GOST
E
Emilia Kasper 已提交
3010
    OPENSSL_free(gost_data);
3011
#endif
M
Matt Caswell 已提交
3012
    return ret;
3013
}
3014

M
Matt Caswell 已提交
3015
MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3016
{
M
Matt Caswell 已提交
3017
    int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
M
Matt Caswell 已提交
3018 3019
    X509 *x = NULL;
    unsigned long l, llen;
E
Emilia Kasper 已提交
3020
    const unsigned char *certstart, *certbytes;
M
Matt Caswell 已提交
3021
    STACK_OF(X509) *sk = NULL;
3022
    PACKET spkt;
3023 3024

    if ((sk = sk_X509_new_null()) == NULL) {
M
Matt Caswell 已提交
3025 3026
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
        goto f_err;
3027 3028
    }

3029
    if (!PACKET_get_net_3(pkt, &llen)
E
Emilia Kasper 已提交
3030 3031
        || !PACKET_get_sub_packet(pkt, &spkt, llen)
        || PACKET_remaining(pkt) != 0) {
3032
        al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3033
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
3034 3035
        goto f_err;
    }
3036 3037 3038

    while (PACKET_remaining(&spkt) > 0) {
        if (!PACKET_get_net_3(&spkt, &l)
E
Emilia Kasper 已提交
3039
            || !PACKET_get_bytes(&spkt, &certbytes, l)) {
3040
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3041
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3042 3043 3044 3045
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }

3046 3047
        certstart = certbytes;
        x = d2i_X509(NULL, (const unsigned char **)&certbytes, l);
3048
        if (x == NULL) {
M
Matt Caswell 已提交
3049 3050
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB);
            goto f_err;
3051
        }
3052
        if (certbytes != (certstart + l)) {
3053
            al = SSL_AD_DECODE_ERROR;
M
Matt Caswell 已提交
3054
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3055 3056 3057 3058
                   SSL_R_CERT_LENGTH_MISMATCH);
            goto f_err;
        }
        if (!sk_X509_push(sk, x)) {
M
Matt Caswell 已提交
3059 3060
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE);
            goto f_err;
3061 3062 3063 3064 3065 3066 3067 3068
        }
        x = NULL;
    }

    if (sk_X509_num(sk) <= 0) {
        /* TLS does not mind 0 certs returned */
        if (s->version == SSL3_VERSION) {
            al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3069
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3070 3071 3072 3073 3074 3075
                   SSL_R_NO_CERTIFICATES_RETURNED);
            goto f_err;
        }
        /* Fail for TLS only if we required a certificate */
        else if ((s->verify_mode & SSL_VERIFY_PEER) &&
                 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
M
Matt Caswell 已提交
3076
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3077 3078 3079 3080 3081
                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
        /* No client certificate so digest cached records */
3082
        if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) {
3083 3084 3085 3086 3087 3088 3089
            goto f_err;
        }
    } else {
        EVP_PKEY *pkey;
        i = ssl_verify_cert_chain(s, sk);
        if (i <= 0) {
            al = ssl_verify_alarm_type(s->verify_result);
M
Matt Caswell 已提交
3090
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3091 3092 3093 3094
                   SSL_R_CERTIFICATE_VERIFY_FAILED);
            goto f_err;
        }
        if (i > 1) {
M
Matt Caswell 已提交
3095
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, i);
3096 3097 3098
            al = SSL_AD_HANDSHAKE_FAILURE;
            goto f_err;
        }
3099
        pkey = X509_get0_pubkey(sk_X509_value(sk, 0));
3100 3101
        if (pkey == NULL) {
            al = SSL3_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3102
            SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
3103 3104 3105 3106 3107
                   SSL_R_UNKNOWN_CERTIFICATE_TYPE);
            goto f_err;
        }
    }

R
Rich Salz 已提交
3108
    X509_free(s->session->peer);
3109 3110 3111
    s->session->peer = sk_X509_shift(sk);
    s->session->verify_result = s->verify_result;

3112 3113
    sk_X509_pop_free(s->session->peer_chain, X509_free);
    s->session->peer_chain = sk;
3114 3115 3116 3117 3118

    /*
     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
     * message
     */
3119
    if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) {
3120 3121 3122 3123 3124
        al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        goto f_err;
    }

3125 3126
    /*
     * Inconsistency alert: cert_chain does *not* include the peer's own
M
Matt Caswell 已提交
3127
     * certificate, while we do include it in statem_clnt.c
3128 3129
     */
    sk = NULL;
M
Matt Caswell 已提交
3130
    ret = MSG_PROCESS_CONTINUE_READING;
R
Rich Salz 已提交
3131 3132
    goto done;

3133
 f_err:
R
Rich Salz 已提交
3134
    ssl3_send_alert(s, SSL3_AL_FATAL, al);
M
Matt Caswell 已提交
3135
    ossl_statem_set_error(s);
R
Rich Salz 已提交
3136
 done:
R
Rich Salz 已提交
3137 3138
    X509_free(x);
    sk_X509_pop_free(sk, X509_free);
M
Matt Caswell 已提交
3139
    return ret;
3140
}
3141

3142
int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3143 3144 3145 3146 3147 3148 3149 3150 3151
{
    CERT_PKEY *cpk;

    cpk = ssl_get_server_send_pkey(s);
    if (cpk == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }

3152
    if (!ssl3_output_cert_chain(s, pkt, cpk)) {
M
Matt Caswell 已提交
3153 3154 3155 3156 3157 3158 3159
        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

3160
int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3161 3162
{
    unsigned char *senc = NULL;
3163
    EVP_CIPHER_CTX *ctx = NULL;
3164
    HMAC_CTX *hctx = NULL;
3165
    unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
M
Matt Caswell 已提交
3166
    const unsigned char *const_p;
3167
    int len, slen_full, slen, lenfinal;
M
Matt Caswell 已提交
3168 3169 3170 3171
    SSL_SESSION *sess;
    unsigned int hlen;
    SSL_CTX *tctx = s->initial_ctx;
    unsigned char iv[EVP_MAX_IV_LENGTH];
K
Kurt Roeckx 已提交
3172 3173
    unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
    int iv_len;
3174
    size_t macoffset, macendoffset;
M
Matt Caswell 已提交
3175 3176 3177 3178 3179 3180 3181 3182

    /* get session encoding length */
    slen_full = i2d_SSL_SESSION(s->session, NULL);
    /*
     * Some length values are 16 bits, so forget it if session is too
     * long
     */
    if (slen_full == 0 || slen_full > 0xFF00) {
M
Matt Caswell 已提交
3183
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3184 3185 3186
        return 0;
    }
    senc = OPENSSL_malloc(slen_full);
3187
    if (senc == NULL) {
M
Matt Caswell 已提交
3188
        ossl_statem_set_error(s);
M
Matt Caswell 已提交
3189 3190
        return 0;
    }
3191

3192
    ctx = EVP_CIPHER_CTX_new();
3193
    hctx = HMAC_CTX_new();
3194 3195 3196 3197
    if (ctx == NULL || hctx == NULL) {
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
        goto err;
    }
3198

M
Matt Caswell 已提交
3199 3200 3201
    p = senc;
    if (!i2d_SSL_SESSION(s->session, &p))
        goto err;
M
Matt Caswell 已提交
3202

M
Matt Caswell 已提交
3203 3204 3205 3206 3207 3208 3209 3210
    /*
     * create a fresh copy (not shared with other threads) to clean up
     */
    const_p = senc;
    sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
    if (sess == NULL)
        goto err;
    sess->session_id_length = 0; /* ID is irrelevant for the ticket */
3211

M
Matt Caswell 已提交
3212 3213 3214 3215 3216 3217 3218 3219 3220 3221 3222
    slen = i2d_SSL_SESSION(sess, NULL);
    if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
        SSL_SESSION_free(sess);
        goto err;
    }
    p = senc;
    if (!i2d_SSL_SESSION(sess, &p)) {
        SSL_SESSION_free(sess);
        goto err;
    }
    SSL_SESSION_free(sess);
3223

M
Matt Caswell 已提交
3224 3225 3226 3227 3228
    /*
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
    if (tctx->tlsext_ticket_key_cb) {
T
Todd Short 已提交
3229 3230 3231 3232 3233
        /* if 0 is returned, write an empty ticket */
        int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx,
                                             hctx, 1);

        if (ret == 0) {
3234 3235

            /* Put timeout and length */
3236
            if (!WPACKET_put_bytes_u32(pkt, 0)
3237
                    || !WPACKET_put_bytes_u16(pkt, 0)) {
3238 3239
                SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
                       ERR_R_INTERNAL_ERROR);
T
Todd Short 已提交
3240
                goto err;
3241
            }
T
Todd Short 已提交
3242 3243 3244 3245 3246 3247
            OPENSSL_free(senc);
            EVP_CIPHER_CTX_free(ctx);
            HMAC_CTX_free(hctx);
            return 1;
        }
        if (ret < 0)
M
Matt Caswell 已提交
3248
            goto err;
K
Kurt Roeckx 已提交
3249
        iv_len = EVP_CIPHER_CTX_iv_length(ctx);
M
Matt Caswell 已提交
3250
    } else {
K
Kurt Roeckx 已提交
3251 3252 3253 3254
        const EVP_CIPHER *cipher = EVP_aes_256_cbc();

        iv_len = EVP_CIPHER_iv_length(cipher);
        if (RAND_bytes(iv, iv_len) <= 0)
M
Matt Caswell 已提交
3255
            goto err;
K
Kurt Roeckx 已提交
3256
        if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
M
Matt Caswell 已提交
3257
                                tctx->tlsext_tick_aes_key, iv))
M
Matt Caswell 已提交
3258
            goto err;
3259 3260
        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
                          sizeof(tctx->tlsext_tick_hmac_key),
M
Matt Caswell 已提交
3261
                          EVP_sha256(), NULL))
3262
            goto err;
3263 3264
        memcpy(key_name, tctx->tlsext_tick_key_name,
               sizeof(tctx->tlsext_tick_key_name));
3265 3266
    }

M
Matt Caswell 已提交
3267 3268 3269 3270 3271
    /*
     * Ticket lifetime hint (advisory only): We leave this unspecified
     * for resumed session (for simplicity), and guess that tickets for
     * new sessions will live as long as their sessions.
     */
3272
    if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout)
3273
               /* Now the actual ticket data */
3274 3275
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_get_total_written(pkt, &macoffset)
3276
               /* Output key name */
3277
            || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
3278
               /* output IV */
3279 3280
            || !WPACKET_memcpy(pkt, iv, iv_len)
            || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
3281 3282 3283
                                      &encdata1)
               /* Encrypt session data */
            || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
3284
            || !WPACKET_allocate_bytes(pkt, len, &encdata2)
3285 3286
            || encdata1 != encdata2
            || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
3287
            || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
3288 3289
            || encdata1 + len != encdata2
            || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
3290
            || !WPACKET_get_total_written(pkt, &macendoffset)
3291 3292 3293
            || !HMAC_Update(hctx,
                            (unsigned char *)s->init_buf->data + macoffset,
                            macendoffset - macoffset)
3294
            || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
3295 3296
            || !HMAC_Final(hctx, macdata1, &hlen)
            || hlen > EVP_MAX_MD_SIZE
3297
            || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
3298
            || macdata1 != macdata2
3299
            || !WPACKET_close(pkt)) {
3300
        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
M
Matt Caswell 已提交
3301
        goto err;
3302
    }
D
Dr. Stephen Henson 已提交
3303 3304
    EVP_CIPHER_CTX_free(ctx);
    HMAC_CTX_free(hctx);
M
Matt Caswell 已提交
3305 3306 3307
    OPENSSL_free(senc);

    return 1;
M
Matt Caswell 已提交
3308
 err:
R
Rich Salz 已提交
3309
    OPENSSL_free(senc);
3310
    EVP_CIPHER_CTX_free(ctx);
3311
    HMAC_CTX_free(hctx);
3312
    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
M
Matt Caswell 已提交
3313
    return 0;
3314
}
3315

3316
int tls_construct_cert_status(SSL *s, WPACKET *pkt)
M
Matt Caswell 已提交
3317
{
3318
    if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
3319
            || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
3320
                                       s->tlsext_ocsp_resplen)) {
3321 3322 3323 3324
        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        return 0;
    }
M
Matt Caswell 已提交
3325 3326 3327 3328

    return 1;
}

3329
#ifndef OPENSSL_NO_NEXTPROTONEG
M
Matt Caswell 已提交
3330 3331 3332 3333
/*
 * tls_process_next_proto reads a Next Protocol Negotiation handshake message.
 * It sets the next_proto member in s if found
 */
M
Matt Caswell 已提交
3334
MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
M
Matt Caswell 已提交
3335
{
3336
    PACKET next_proto, padding;
M
Matt Caswell 已提交
3337 3338
    size_t next_proto_len;

3339 3340 3341 3342 3343 3344 3345
    /*-
     * The payload looks like:
     *   uint8 proto_len;
     *   uint8 proto[proto_len];
     *   uint8 padding_len;
     *   uint8 padding[padding_len];
     */
3346 3347 3348
    if (!PACKET_get_length_prefixed_1(pkt, &next_proto)
        || !PACKET_get_length_prefixed_1(pkt, &padding)
        || PACKET_remaining(pkt) > 0) {
M
Matt Caswell 已提交
3349
        SSLerr(SSL_F_TLS_PROCESS_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);
M
Matt Caswell 已提交
3350
        goto err;
M
Matt Caswell 已提交
3351
    }
3352

E
Emilia Kasper 已提交
3353
    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) {
3354
        s->next_proto_negotiated_len = 0;
M
Matt Caswell 已提交
3355 3356 3357
        goto err;
    }

3358
    s->next_proto_negotiated_len = (unsigned char)next_proto_len;
3359

M
Matt Caswell 已提交
3360
    return MSG_PROCESS_CONTINUE_READING;
E
Emilia Kasper 已提交
3361
 err:
M
Matt Caswell 已提交
3362
    ossl_statem_set_error(s);
M
Matt Caswell 已提交
3363
    return MSG_PROCESS_ERROR;
3364
}
3365
#endif
M
Matt Caswell 已提交
3366

M
Matt Caswell 已提交
3367 3368 3369 3370 3371 3372 3373 3374 3375 3376 3377 3378
static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt)
{
    /* TODO(TLS1.3): Zero length encrypted extensions message for now */
    if (!WPACKET_put_bytes_u16(pkt, 0)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_ENCRYPTED_EXTENSIONS, ERR_R_INTERNAL_ERROR);
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        return 0;
    }

    return 1;
}

M
Matt Caswell 已提交
3379 3380
#define SSLV2_CIPHER_LEN    3

3381 3382
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                               PACKET *cipher_suites,
M
Matt Caswell 已提交
3383
                                               STACK_OF(SSL_CIPHER) **skp,
E
Emilia Kasper 已提交
3384
                                               int sslv2format, int *al)
M
Matt Caswell 已提交
3385 3386 3387
{
    const SSL_CIPHER *c;
    STACK_OF(SSL_CIPHER) *sk;
3388 3389 3390
    int n;
    /* 3 = SSLV2_CIPHER_LEN > TLS_CIPHER_LEN = 2. */
    unsigned char cipher[SSLV2_CIPHER_LEN];
M
Matt Caswell 已提交
3391

3392 3393 3394 3395 3396 3397 3398 3399
    s->s3->send_connection_binding = 0;

    n = sslv2format ? SSLV2_CIPHER_LEN : TLS_CIPHER_LEN;

    if (PACKET_remaining(cipher_suites) == 0) {
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, SSL_R_NO_CIPHERS_SPECIFIED);
        *al = SSL_AD_ILLEGAL_PARAMETER;
        return NULL;
M
Matt Caswell 已提交
3400
    }
3401 3402

    if (PACKET_remaining(cipher_suites) % n != 0) {
M
Matt Caswell 已提交
3403 3404
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
               SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
3405 3406
        *al = SSL_AD_DECODE_ERROR;
        return NULL;
M
Matt Caswell 已提交
3407
    }
3408

M
Matt Caswell 已提交
3409 3410
    if ((skp == NULL) || (*skp == NULL)) {
        sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
3411
        if (sk == NULL) {
M
Matt Caswell 已提交
3412
            SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3413
            *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3414 3415 3416 3417 3418 3419 3420
            return NULL;
        }
    } else {
        sk = *skp;
        sk_SSL_CIPHER_zero(sk);
    }

3421 3422 3423
    if (!PACKET_memdup(cipher_suites, &s->s3->tmp.ciphers_raw,
                       &s->s3->tmp.ciphers_rawlen)) {
        *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3424 3425 3426
        goto err;
    }

3427 3428
    while (PACKET_copy_bytes(cipher_suites, cipher, n)) {
        /*
3429 3430 3431
         * SSLv3 ciphers wrapped in an SSLv2-compatible ClientHello have the
         * first byte set to zero, while true SSLv2 ciphers have a non-zero
         * first byte. We don't support any true SSLv2 ciphers, so skip them.
3432 3433
         */
        if (sslv2format && cipher[0] != '\0')
E
Emilia Kasper 已提交
3434
            continue;
3435

M
Matt Caswell 已提交
3436
        /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
3437 3438
        if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3439 3440 3441 3442
            /* SCSV fatal if renegotiating */
            if (s->renegotiate) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
3443
                *al = SSL_AD_HANDSHAKE_FAILURE;
M
Matt Caswell 已提交
3444 3445 3446 3447 3448 3449 3450
                goto err;
            }
            s->s3->send_connection_binding = 1;
            continue;
        }

        /* Check for TLS_FALLBACK_SCSV */
3451 3452
        if ((cipher[n - 2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
            (cipher[n - 1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) {
M
Matt Caswell 已提交
3453 3454 3455 3456 3457
            /*
             * The SCSV indicates that the client previously tried a higher
             * version. Fail if the current version is an unexpected
             * downgrade.
             */
3458
            if (!ssl_check_version_downgrade(s)) {
M
Matt Caswell 已提交
3459 3460
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                       SSL_R_INAPPROPRIATE_FALLBACK);
3461
                *al = SSL_AD_INAPPROPRIATE_FALLBACK;
M
Matt Caswell 已提交
3462 3463 3464 3465 3466
                goto err;
            }
            continue;
        }

3467 3468
        /* For SSLv2-compat, ignore leading 0-byte. */
        c = ssl_get_cipher_by_char(s, sslv2format ? &cipher[1] : cipher);
M
Matt Caswell 已提交
3469 3470 3471
        if (c != NULL) {
            if (!sk_SSL_CIPHER_push(sk, c)) {
                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
3472
                *al = SSL_AD_INTERNAL_ERROR;
M
Matt Caswell 已提交
3473 3474 3475 3476
                goto err;
            }
        }
    }
3477 3478 3479 3480 3481
    if (PACKET_remaining(cipher_suites) > 0) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_INTERNAL_ERROR);
        goto err;
    }
M
Matt Caswell 已提交
3482 3483 3484 3485 3486 3487 3488

    if (skp != NULL)
        *skp = sk;
    return (sk);
 err:
    if ((skp == NULL) || (*skp == NULL))
        sk_SSL_CIPHER_free(sk);
3489
    return NULL;
M
Matt Caswell 已提交
3490
}