Don't set the handshake header in every message

[openssl.git] / ssl / statem / statem_clnt.c
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c

index ff42858ff3612a04cb59d1e19ad60c5b5f2fc035..18eaf3257fe228f9560a78a85c3e983159ec68e4 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -63,7 +63,7 @@ static ossl_inline int cert_req_allowed(SSL *s);
  static int key_exchange_expected(SSL *s);
  static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
  static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
-                                    unsigned char *p);
+                                    WPACKET *pkt);
  
  /*
   * Is a CertificateRequest message allowed at the moment or not?
@@ -122,6 +122,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
      int ske_expected;
  
      switch (st->hand_state) {
+    default:
+        break;
+
      case TLS_ST_CW_CLNT_HELLO:
          if (mt == SSL3_MT_SERVER_HELLO) {
              st->hand_state = TLS_ST_CR_SRVR_HELLO;
@@ -258,9 +261,6 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
              return 1;
          }
          break;
-
-    default:
-        break;
      }
  
   err:
@@ -279,6 +279,10 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
      OSSL_STATEM *st = &s->statem;
  
      switch (st->hand_state) {
+    default:
+        /* Shouldn't happen */
+        return WRITE_TRAN_ERROR;
+
      case TLS_ST_OK:
          /* Renegotiation - fall through */
      case TLS_ST_BEFORE:
@@ -367,10 +371,6 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
              ossl_statem_set_in_init(s, 0);
              return WRITE_TRAN_CONTINUE;
          }
-
-    default:
-        /* Shouldn't happen */
-        return WRITE_TRAN_ERROR;
      }
  }
  
@@ -383,6 +383,10 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
      OSSL_STATEM *st = &s->statem;
  
      switch (st->hand_state) {
+    default:
+        /* No pre work to be done */
+        break;
+
      case TLS_ST_CW_CLNT_HELLO:
          s->shutdown = 0;
          if (SSL_IS_DTLS(s)) {
@@ -408,14 +412,10 @@ WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
                  return dtls_wait_for_dry(s);
  #endif
          }
-        return WORK_FINISHED_CONTINUE;
+        break;
  
      case TLS_ST_OK:
          return tls_finish_handshake(s, wst);
-
-    default:
-        /* No pre work to be done */
-        break;
      }
  
      return WORK_FINISHED_CONTINUE;
@@ -432,6 +432,10 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
      s->init_num = 0;
  
      switch (st->hand_state) {
+    default:
+        /* No post work to be done */
+        break;
+
      case TLS_ST_CW_CLNT_HELLO:
          if (wst == WORK_MORE_A && statem_flush(s) != 1)
              return WORK_MORE_A;
@@ -494,10 +498,6 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
          if (statem_flush(s) != 1)
              return WORK_MORE_B;
          break;
-
-    default:
-        /* No post work to be done */
-        break;
      }
  
      return WORK_FINISHED_CONTINUE;
@@ -510,46 +510,77 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
   *   1: Success
   *   0: Error
   */
-int ossl_statem_client_construct_message(SSL *s)
+int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt)
  {
      OSSL_STATEM *st = &s->statem;
+    int (*confunc) (SSL *s, WPACKET *pkt) = NULL;
+    int ret = 1, mt;
  
-    switch (st->hand_state) {
-    case TLS_ST_CW_CLNT_HELLO:
-        return tls_construct_client_hello(s);
+    if (st->hand_state == TLS_ST_CW_CHANGE) {
+        /* Special case becase it is a different content type */
+        if (SSL_IS_DTLS(s))
+            return dtls_construct_change_cipher_spec(s, pkt);
  
-    case TLS_ST_CW_CERT:
-        return tls_construct_client_certificate(s);
+        return tls_construct_change_cipher_spec(s, pkt);
+    } else {
+        switch (st->hand_state) {
+        default:
+            /* Shouldn't happen */
+            return 0;
  
-    case TLS_ST_CW_KEY_EXCH:
-        return tls_construct_client_key_exchange(s);
+        case TLS_ST_CW_CLNT_HELLO:
+            confunc = tls_construct_client_hello;
+            mt = SSL3_MT_CLIENT_HELLO;
+            break;
  
-    case TLS_ST_CW_CERT_VRFY:
-        return tls_construct_client_verify(s);
+        case TLS_ST_CW_CERT:
+            confunc = tls_construct_client_certificate;
+            mt = SSL3_MT_CERTIFICATE;
+            break;
  
-    case TLS_ST_CW_CHANGE:
-        if (SSL_IS_DTLS(s))
-            return dtls_construct_change_cipher_spec(s);
-        else
-            return tls_construct_change_cipher_spec(s);
+        case TLS_ST_CW_KEY_EXCH:
+            confunc = tls_construct_client_key_exchange;
+            mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
+            break;
+
+        case TLS_ST_CW_CERT_VRFY:
+            confunc = tls_construct_client_verify;
+            mt = SSL3_MT_CERTIFICATE_VERIFY;
+            break;
  
  #if !defined(OPENSSL_NO_NEXTPROTONEG)
-    case TLS_ST_CW_NEXT_PROTO:
-        return tls_construct_next_proto(s);
+        case TLS_ST_CW_NEXT_PROTO:
+            confunc = tls_construct_next_proto;
+            mt = SSL3_MT_NEXT_PROTO;
+            break;
  #endif
-    case TLS_ST_CW_FINISHED:
-        return tls_construct_finished(s,
-                                      s->method->
-                                      ssl3_enc->client_finished_label,
-                                      s->method->
-                                      ssl3_enc->client_finished_label_len);
+        case TLS_ST_CW_FINISHED:
+            mt = SSL3_MT_FINISHED;
+            break;
+        }
  
-    default:
-        /* Shouldn't happen */
-        break;
-    }
+        if (!ssl_set_handshake_header(s, pkt, mt)) {
+            SSLerr(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE,
+                   ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
  
-    return 0;
+        if (st->hand_state == TLS_ST_CW_FINISHED)
+            ret = tls_construct_finished(s, pkt,
+                                         s->method->
+                                         ssl3_enc->client_finished_label,
+                                         s->method->
+                                         ssl3_enc->client_finished_label_len);
+        else
+            ret = confunc(s, pkt);
+
+        if (!ret || !ssl_close_construct_packet(s, pkt)) {
+            SSLerr(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE,
+                   ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+    }
+    return 1;
  }
  
  /*
@@ -561,6 +592,10 @@ unsigned long ossl_statem_client_max_message_size(SSL *s)
      OSSL_STATEM *st = &s->statem;
  
      switch (st->hand_state) {
+    default:
+        /* Shouldn't happen */
+        return 0;
+
      case TLS_ST_CR_SRVR_HELLO:
          return SERVER_HELLO_MAX_LENGTH;
  
@@ -597,13 +632,7 @@ unsigned long ossl_statem_client_max_message_size(SSL *s)
  
      case TLS_ST_CR_FINISHED:
          return FINISHED_MAX_LENGTH;
-
-    default:
-        /* Shouldn't happen */
-        break;
      }
-
-    return 0;
  }
  
  /*
@@ -614,6 +643,10 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
      OSSL_STATEM *st = &s->statem;
  
      switch (st->hand_state) {
+    default:
+        /* Shouldn't happen */
+        return MSG_PROCESS_ERROR;
+
      case TLS_ST_CR_SRVR_HELLO:
          return tls_process_server_hello(s, pkt);
  
@@ -643,13 +676,7 @@ MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
  
      case TLS_ST_CR_FINISHED:
          return tls_process_finished(s, pkt);
-
-    default:
-        /* Shouldn't happen */
-        break;
      }
-
-    return MSG_PROCESS_ERROR;
  }
  
  /*
@@ -661,6 +688,10 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
      OSSL_STATEM *st = &s->statem;
  
      switch (st->hand_state) {
+    default:
+        /* Shouldn't happen */
+        return WORK_ERROR;
+
      case TLS_ST_CR_CERT_REQ:
          return tls_prepare_client_certificate(s, wst);
  
@@ -678,36 +709,31 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
          ossl_statem_set_sctp_read_sock(s, 0);
          return WORK_FINISHED_STOP;
  #endif
-
-    default:
-        break;
      }
-
-    /* Shouldn't happen */
-    return WORK_ERROR;
  }
  
-int tls_construct_client_hello(SSL *s)
+int tls_construct_client_hello(SSL *s, WPACKET *pkt)
  {
-    unsigned char *buf;
-    unsigned char *p, *d;
+    unsigned char *p;
      int i;
      int protverr;
-    unsigned long l;
-    int al = 0;
+    int al = SSL_AD_HANDSHAKE_FAILURE;
  #ifndef OPENSSL_NO_COMP
-    int j;
      SSL_COMP *comp;
  #endif
      SSL_SESSION *sess = s->session;
  
-    buf = (unsigned char *)s->init_buf->data;
+    if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
+        /* Should not happen */
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
  
      /* Work out what SSL/TLS/DTLS version to use */
      protverr = ssl_set_client_hello_version(s);
      if (protverr != 0) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, protverr);
-        goto err;
+        return 0;
      }
  
      if ((sess == NULL) || !ssl_version_supported(s, sess->ssl_version) ||
@@ -718,7 +744,7 @@ int tls_construct_client_hello(SSL *s)
          (!sess->session_id_length && !sess->tlsext_tick) ||
          (sess->not_resumable)) {
          if (!ssl_get_new_session(s, 0))
-            goto err;
+            return 0;
      }
      /* else use the pre-loaded session */
  
@@ -741,10 +767,7 @@ int tls_construct_client_hello(SSL *s)
          i = 1;
  
      if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
-        goto err;
-
-    /* Do the message type and length last */
-    d = p = ssl_handshake_start(s);
+        return 0;
  
      /*-
       * version indicates the negotiated version: for example from
@@ -776,99 +799,90 @@ int tls_construct_client_hello(SSL *s)
       * client_version in client hello and not resetting it to
       * the negotiated version.
       */
-    *(p++) = s->client_version >> 8;
-    *(p++) = s->client_version & 0xff;
-
-    /* Random stuff */
-    memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
-    p += SSL3_RANDOM_SIZE;
+    if (!WPACKET_put_bytes_u16(pkt, s->client_version)
+            || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
  
      /* Session ID */
      if (s->new_session)
          i = 0;
      else
          i = s->session->session_id_length;
-    *(p++) = i;
-    if (i != 0) {
-        if (i > (int)sizeof(s->session->session_id)) {
-            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-            goto err;
-        }
-        memcpy(p, s->session->session_id, i);
-        p += i;
+    if (i > (int)sizeof(s->session->session_id)
+            || !WPACKET_start_sub_packet_u8(pkt)
+            || (i != 0 && !WPACKET_memcpy(pkt, s->session->session_id, i))
+            || !WPACKET_close(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        return 0;
      }
  
      /* cookie stuff for DTLS */
      if (SSL_IS_DTLS(s)) {
-        if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
+        if (s->d1->cookie_len > sizeof(s->d1->cookie)
+                || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
+                                          s->d1->cookie_len)) {
              SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-            goto err;
+            return 0;
          }
-        *(p++) = s->d1->cookie_len;
-        memcpy(p, s->d1->cookie, s->d1->cookie_len);
-        p += s->d1->cookie_len;
      }
  
      /* Ciphers supported */
-    i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]));
-    if (i == 0) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
-        goto err;
+    if (!WPACKET_start_sub_packet_u16(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+    /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
+    if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt))
+        return 0;
+    if (!WPACKET_close(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        return 0;
      }
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
-    /*
-     * Some servers hang if client hello > 256 bytes as hack workaround
-     * chop number of supported ciphers to keep it well below this if we
-     * use TLS v1.2
-     */
-    if (TLS1_get_version(s) >= TLS1_2_VERSION
-        && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
-        i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
-    s2n(i, p);
-    p += i;
  
      /* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
-    *(p++) = 1;
-#else
-
-    if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
-        j = 0;
-    else
-        j = sk_SSL_COMP_num(s->ctx->comp_methods);
-    *(p++) = 1 + j;
-    for (i = 0; i < j; i++) {
-        comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
-        *(p++) = comp->id;
+    if (!WPACKET_start_sub_packet_u8(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
+#ifndef OPENSSL_NO_COMP
+    if (ssl_allow_compression(s) && s->ctx->comp_methods) {
+        int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
+        for (i = 0; i < compnum; i++) {
+            comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
+            if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
+                SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
+        }
      }
  #endif
-    *(p++) = 0;                 /* Add the NULL method */
+    /* Add the NULL method */
+    if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+        return 0;
+    }
  
      /* TLS extensions */
      if (ssl_prepare_clienthello_tlsext(s) <= 0) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
-        goto err;
+        return 0;
      }
-    if ((p =
-         ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
-                                    &al)) == NULL) {
+    if (!WPACKET_start_sub_packet_u16(pkt)
+               /*
+                * If extensions are of zero length then we don't even add the
+                * extensions length bytes
+                */
+            || !WPACKET_set_flags(pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)
+            || !ssl_add_clienthello_tlsext(s, pkt, &al)
+            || !WPACKET_close(pkt)) {
          ssl3_send_alert(s, SSL3_AL_FATAL, al);
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
-    l = p - d;
-    if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-        goto err;
+        return 0;
      }
  
      return 1;
- err:
-    ossl_statem_set_error(s);
-    return 0;
  }
  
  MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
@@ -2064,8 +2078,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
          return MSG_PROCESS_FINISHED_READING;
  }
  
-static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p,
-                                          size_t *pskhdrlen, int *al)
+static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt, int *al)
  {
  #ifndef OPENSSL_NO_PSK
      int ret = 0;
@@ -2126,10 +2139,12 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p,
      OPENSSL_free(s->session->psk_identity);
      s->session->psk_identity = tmpidentity;
      tmpidentity = NULL;
-    s2n(identitylen, *p);
-    memcpy(*p, identity, identitylen);
-    *pskhdrlen = 2 + identitylen;
-    *p += identitylen;
+
+    if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen))  {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
+        *al = SSL_AD_INTERNAL_ERROR;
+        goto err;
+    }
  
      ret = 1;
  
@@ -2147,10 +2162,10 @@ static int tls_construct_cke_psk_preamble(SSL *s, unsigned char **p,
  #endif
  }
  
-static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al)
+static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al)
  {
  #ifndef OPENSSL_NO_RSA
-    unsigned char *q;
+    unsigned char *encdata = NULL;
      EVP_PKEY *pkey = NULL;
      EVP_PKEY_CTX *pctx = NULL;
      size_t enclen;
@@ -2185,21 +2200,22 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al)
          goto err;
      }
  
-    q = *p;
      /* Fix buf for TLS and beyond */
-    if (s->version > SSL3_VERSION)
-        *p += 2;
+    if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
      pctx = EVP_PKEY_CTX_new(pkey, NULL);
      if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
          || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_EVP_LIB);
          goto err;
      }
-    if (EVP_PKEY_encrypt(pctx, *p, &enclen, pms, pmslen) <= 0) {
+    if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
+            || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, SSL_R_BAD_RSA_ENCRYPT);
          goto err;
      }
-    *len = enclen;
      EVP_PKEY_CTX_free(pctx);
      pctx = NULL;
  # ifdef PKCS1_CHECK
@@ -2210,9 +2226,9 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al)
  # endif
  
      /* Fix buf for TLS and beyond */
-    if (s->version > SSL3_VERSION) {
-        s2n(*len, q);
-        *len += 2;
+    if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_RSA, ERR_R_INTERNAL_ERROR);
+        goto err;
      }
  
      s->s3->tmp.pms = pms;
@@ -2231,49 +2247,48 @@ static int tls_construct_cke_rsa(SSL *s, unsigned char **p, int *len, int *al)
  #endif
  }
  
-static int tls_construct_cke_dhe(SSL *s, unsigned char **p, int *len, int *al)
+static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt, int *al)
  {
  #ifndef OPENSSL_NO_DH
      DH *dh_clnt = NULL;
      const BIGNUM *pub_key;
      EVP_PKEY *ckey = NULL, *skey = NULL;
+    unsigned char *keybytes = NULL;
  
      skey = s->s3->peer_tmp;
-    if (skey == NULL) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
-        return 0;
-    }
+    if (skey == NULL)
+        goto err;
+
      ckey = ssl_generate_pkey(skey);
      dh_clnt = EVP_PKEY_get0_DH(ckey);
  
-    if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
-        EVP_PKEY_free(ckey);
-        return 0;
-    }
+    if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0)
+        goto err;
  
      /* send off the data */
      DH_get0_key(dh_clnt, &pub_key, NULL);
-    *len = BN_num_bytes(pub_key);
-    s2n(*len, *p);
-    BN_bn2bin(pub_key, *p);
-    *len += 2;
+    if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key), &keybytes))
+        goto err;
+
+    BN_bn2bin(pub_key, keybytes);
      EVP_PKEY_free(ckey);
  
      return 1;
-#else
+ err:
+    EVP_PKEY_free(ckey);
+#endif
      SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
      *al = SSL_AD_INTERNAL_ERROR;
      return 0;
-#endif
  }
  
-static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al)
+static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, int *al)
  {
  #ifndef OPENSSL_NO_EC
      unsigned char *encodedPoint = NULL;
      int encoded_pt_len = 0;
      EVP_PKEY *ckey = NULL, *skey = NULL;
+    int ret = 0;
  
      skey = s->s3->peer_tmp;
      if (skey == NULL) {
@@ -2296,25 +2311,16 @@ static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al)
          goto err;
      }
  
-    EVP_PKEY_free(ckey);
-    ckey = NULL;
-
-    *len = encoded_pt_len;
-
-    /* length of encoded point */
-    **p = *len;
-    *p += 1;
-    /* copy the point */
-    memcpy(*p, encodedPoint, *len);
-    /* increment len to account for length field */
-    *len += 1;
-
-    OPENSSL_free(encodedPoint);
+    if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
  
-    return 1;
+    ret = 1;
   err:
+    OPENSSL_free(encodedPoint);
      EVP_PKEY_free(ckey);
-    return 0;
+    return ret;
  #else
      SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
      *al = SSL_AD_INTERNAL_ERROR;
@@ -2322,7 +2328,7 @@ static int tls_construct_cke_ecdhe(SSL *s, unsigned char **p, int *len, int *al)
  #endif
  }
  
-static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
+static int tls_construct_cke_gost(SSL *s, WPACKET *pkt, int *al)
  {
  #ifndef OPENSSL_NO_GOST
      /* GOST key exchange message creation */
@@ -2378,18 +2384,6 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
          SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
          goto err;
      };
-    /*
-     * If we have client certificate, use its secret as peer key
-     */
-    if (s->s3->tmp.cert_req && s->cert->key->privatekey) {
-        if (EVP_PKEY_derive_set_peer(pkey_ctx, s->cert->key->privatekey) <= 0) {
-            /*
-             * If there was an error - just ignore it. Ephemeral key
-             * * would be used
-             */
-            ERR_clear_error();
-        }
-    }
      /*
       * Compute shared IV and store it in algorithm-specific context
       * data
@@ -2418,28 +2412,21 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
      /*
       * Encapsulate it into sequence
       */
-    *((*p)++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
      msglen = 255;
      if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
          *al = SSL_AD_INTERNAL_ERROR;
          SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, SSL_R_LIBRARY_BUG);
          goto err;
      }
-    if (msglen >= 0x80) {
-        *((*p)++) = 0x81;
-        *((*p)++) = msglen & 0xff;
-        *len = msglen + 3;
-    } else {
-        *((*p)++) = msglen & 0xff;
-        *len = msglen + 2;
-    }
-    memcpy(*p, tmp, msglen);
-    /* Check if pubkey from client certificate was used */
-    if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2,
-                          NULL) > 0) {
-        /* Set flag "skip certificate verify" */
-        s->s3->flags |= TLS1_FLAGS_SKIP_CERT_VERIFY;
+
+    if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
+            || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
+            || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
+        *al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_TLS_CONSTRUCT_CKE_GOST, ERR_R_INTERNAL_ERROR);
+        goto err;
      }
+
      EVP_PKEY_CTX_free(pkey_ctx);
      s->s3->tmp.pms = pms;
      s->s3->tmp.pmslen = pmslen;
@@ -2457,19 +2444,19 @@ static int tls_construct_cke_gost(SSL *s, unsigned char **p, int *len, int *al)
  #endif
  }
  
-static int tls_construct_cke_srp(SSL *s, unsigned char **p, int *len, int *al)
+static int tls_construct_cke_srp(SSL *s, WPACKET *pkt, int *al)
  {
  #ifndef OPENSSL_NO_SRP
-    if (s->srp_ctx.A != NULL) {
-        /* send off the data */
-        *len = BN_num_bytes(s->srp_ctx.A);
-        s2n(*len, *p);
-        BN_bn2bin(s->srp_ctx.A, *p);
-        *len += 2;
-    } else {
+    unsigned char *abytes = NULL;
+
+    if (s->srp_ctx.A == NULL
+            || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
+                                               &abytes)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CKE_SRP, ERR_R_INTERNAL_ERROR);
          return 0;
      }
+    BN_bn2bin(s->srp_ctx.A, abytes);
+
      OPENSSL_free(s->session->srp_username);
      s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
      if (s->session->srp_username == NULL) {
@@ -2485,48 +2472,33 @@ static int tls_construct_cke_srp(SSL *s, unsigned char **p, int *len, int *al)
  #endif
  }
  
-int tls_construct_client_key_exchange(SSL *s)
+int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
  {
-    unsigned char *p;
-    int len;
-    size_t pskhdrlen = 0;
      unsigned long alg_k;
      int al = -1;
  
      alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  
-    p = ssl_handshake_start(s);
-
      if ((alg_k & SSL_PSK)
-        && !tls_construct_cke_psk_preamble(s, &p, &pskhdrlen, &al))
+        && !tls_construct_cke_psk_preamble(s, pkt, &al))
          goto err;
  
-    if (alg_k & SSL_kPSK) {
-        len = 0;
-    } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
-        if (!tls_construct_cke_rsa(s, &p, &len, &al))
+    if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
+        if (!tls_construct_cke_rsa(s, pkt, &al))
              goto err;
      } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
-        if (!tls_construct_cke_dhe(s, &p, &len, &al))
+        if (!tls_construct_cke_dhe(s, pkt, &al))
              goto err;
      } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
-        if (!tls_construct_cke_ecdhe(s, &p, &len, &al))
+        if (!tls_construct_cke_ecdhe(s, pkt, &al))
              goto err;
      } else if (alg_k & SSL_kGOST) {
-        if (!tls_construct_cke_gost(s, &p, &len, &al))
+        if (!tls_construct_cke_gost(s, pkt, &al))
              goto err;
      } else if (alg_k & SSL_kSRP) {
-        if (!tls_construct_cke_srp(s, &p, &len, &al))
+        if (!tls_construct_cke_srp(s, pkt, &al))
              goto err;
-    } else {
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
-    len += pskhdrlen;
-
-    if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_KEY_EXCHANGE, len)) {
+    } else if (!(alg_k & SSL_kPSK)) {
          ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
          goto err;
@@ -2542,7 +2514,6 @@ int tls_construct_client_key_exchange(SSL *s)
      OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
      s->s3->tmp.psk = NULL;
  #endif
-    ossl_statem_set_error(s);
      return 0;
  }
  
@@ -2611,24 +2582,21 @@ int tls_client_key_exchange_post_work(SSL *s)
      return 0;
  }
  
-int tls_construct_client_verify(SSL *s)
+int tls_construct_client_verify(SSL *s, WPACKET *pkt)
  {
-    unsigned char *p;
      EVP_PKEY *pkey;
      const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
-    EVP_MD_CTX *mctx;
+    EVP_MD_CTX *mctx = NULL;
      unsigned u = 0;
-    unsigned long n = 0;
      long hdatalen = 0;
      void *hdata;
+    unsigned char *sig = NULL;
  
      mctx = EVP_MD_CTX_new();
      if (mctx == NULL) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
          goto err;
      }
-
-    p = ssl_handshake_start(s);
      pkey = s->cert->key->privatekey;
  
      hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
@@ -2636,24 +2604,25 @@ int tls_construct_client_verify(SSL *s)
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
          goto err;
      }
-    if (SSL_USE_SIGALGS(s)) {
-        if (!tls12_get_sigandhash(p, pkey, md)) {
-            SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
-            goto err;
-        }
-        p += 2;
-        n = 2;
+    if (SSL_USE_SIGALGS(s)&& !tls12_get_sigandhash(pkt, pkey, md)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
+        goto err;
      }
  #ifdef SSL_DEBUG
      fprintf(stderr, "Using client alg %s\n", EVP_MD_name(md));
  #endif
+    sig = OPENSSL_malloc(EVP_PKEY_size(pkey));
+    if (sig == NULL) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
      if (!EVP_SignInit_ex(mctx, md, NULL)
          || !EVP_SignUpdate(mctx, hdata, hdatalen)
          || (s->version == SSL3_VERSION
              && !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
                                  s->session->master_key_length,
                                  s->session->master_key))
-        || !EVP_SignFinal(mctx, p + 2, &u, pkey)) {
+        || !EVP_SignFinal(mctx, sig, &u, pkey)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_EVP_LIB);
          goto err;
      }
@@ -2663,24 +2632,26 @@ int tls_construct_client_verify(SSL *s)
          if (pktype == NID_id_GostR3410_2001
              || pktype == NID_id_GostR3410_2012_256
              || pktype == NID_id_GostR3410_2012_512)
-            BUF_reverse(p + 2, NULL, u);
+            BUF_reverse(sig, NULL, u);
      }
  #endif
  
-    s2n(u, p);
-    n += u + 2;
-    /* Digest cached records and discard handshake buffer */
-    if (!ssl3_digest_cached_records(s, 0))
-        goto err;
-    if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_VERIFY, n)) {
+    if (!WPACKET_sub_memcpy_u16(pkt, sig, u)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
          goto err;
      }
  
+    /* Digest cached records and discard handshake buffer */
+    if (!ssl3_digest_cached_records(s, 0))
+        goto err;
+
+    OPENSSL_free(sig);
      EVP_MD_CTX_free(mctx);
      return 1;
   err:
+    OPENSSL_free(sig);
      EVP_MD_CTX_free(mctx);
+    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
      return 0;
  }
  
@@ -2781,14 +2752,13 @@ WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
      return WORK_ERROR;
  }
  
-int tls_construct_client_certificate(SSL *s)
+int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
  {
-    if (!ssl3_output_cert_chain(s,
+    if (!ssl3_output_cert_chain(s, pkt,
                                  (s->s3->tmp.cert_req ==
                                   2) ? NULL : s->cert->key)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
          ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-        ossl_statem_set_error(s);
          return 0;
      }
  
@@ -2871,24 +2841,26 @@ int ssl3_check_cert_and_algorithm(SSL *s)
  }
  
  #ifndef OPENSSL_NO_NEXTPROTONEG
-int tls_construct_next_proto(SSL *s)
+int tls_construct_next_proto(SSL *s, WPACKET *pkt)
  {
-    unsigned int len, padding_len;
-    unsigned char *d;
+    size_t len, padding_len;
+    unsigned char *padding = NULL;
  
      len = s->next_proto_negotiated_len;
      padding_len = 32 - ((len + 2) % 32);
-    d = (unsigned char *)s->init_buf->data;
-    d[4] = len;
-    memcpy(d + 5, s->next_proto_negotiated, len);
-    d[5 + len] = padding_len;
-    memset(d + 6 + len, 0, padding_len);
-    *(d++) = SSL3_MT_NEXT_PROTO;
-    l2n3(2 + len + padding_len, d);
-    s->init_num = 4 + 2 + len + padding_len;
-    s->init_off = 0;
+
+    if (!WPACKET_sub_memcpy_u8(pkt, s->next_proto_negotiated, len)
+            || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
+
+    memset(padding, 0, padding_len);
  
      return 1;
+ err:
+    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+    return 0;
  }
  #endif
  
@@ -2909,47 +2881,79 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
      return i;
  }
  
-int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p)
+int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
  {
-    int i, j = 0;
-    const SSL_CIPHER *c;
-    unsigned char *q;
+    int i;
+    size_t totlen = 0, len, maxlen;
      int empty_reneg_info_scsv = !s->renegotiate;
      /* Set disabled masks for this session */
      ssl_set_client_disabled(s);
  
      if (sk == NULL)
          return (0);
-    q = p;
  
-    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
+#  error Max cipher length too short
+# endif
+    /*
+     * Some servers hang if client hello > 256 bytes as hack workaround
+     * chop number of supported ciphers to keep it well below this if we
+     * use TLS v1.2
+     */
+    if (TLS1_get_version(s) >= TLS1_2_VERSION)
+        maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+    else
+#endif
+        /* Maximum length that can be stored in 2 bytes. Length must be even */
+        maxlen = 0xfffe;
+
+    if (empty_reneg_info_scsv)
+        maxlen -= 2;
+    if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
+        maxlen -= 2;
+
+    for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
+        const SSL_CIPHER *c;
+
          c = sk_SSL_CIPHER_value(sk, i);
          /* Skip disabled ciphers */
          if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
              continue;
-        j = s->method->put_cipher_by_char(c, p);
-        p += j;
+
+        if (!s->method->put_cipher_by_char(c, pkt, &len)) {
+            SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+
+        totlen += len;
      }
-    /*
-     * If p == q, no ciphers; caller indicates an error. Otherwise, add
-     * applicable SCSVs.
-     */
-    if (p != q) {
+
+    if (totlen == 0) {
+        SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
+        return 0;
+    }
+
+    if (totlen != 0) {
          if (empty_reneg_info_scsv) {
              static SSL_CIPHER scsv = {
                  0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
              };
-            j = s->method->put_cipher_by_char(&scsv, p);
-            p += j;
+            if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
+                SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
          }
          if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
              static SSL_CIPHER scsv = {
                  0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
              };
-            j = s->method->put_cipher_by_char(&scsv, p);
-            p += j;
+            if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
+                SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
+                return 0;
+            }
          }
      }
  
-    return (p - q);
+    return 1;
  }