}
/*
- * Construct a message to be sent from the server to the client.
+ * Get the message construction function and message type for sending from the
+ * server
*
* Valid return values are:
* 1: Success
* 0: Error
*/
-int ossl_statem_server_construct_message(SSL *s)
+int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
+ confunc_f *confunc, int *mt)
{
OSSL_STATEM *st = &s->statem;
/* Shouldn't happen */
return 0;
+ case TLS_ST_SW_CHANGE:
+ if (SSL_IS_DTLS(s))
+ *confunc = dtls_construct_change_cipher_spec;
+ else
+ *confunc = tls_construct_change_cipher_spec;
+ *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
+ break;
+
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
- return dtls_construct_hello_verify_request(s);
+ *confunc = dtls_construct_hello_verify_request;
+ *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
+ break;
case TLS_ST_SW_HELLO_REQ:
- return tls_construct_hello_request(s);
+ /* No construction function needed */
+ *confunc = NULL;
+ *mt = SSL3_MT_HELLO_REQUEST;
+ break;
case TLS_ST_SW_SRVR_HELLO:
- return tls_construct_server_hello(s);
+ *confunc = tls_construct_server_hello;
+ *mt = SSL3_MT_SERVER_HELLO;
+ break;
case TLS_ST_SW_CERT:
- return tls_construct_server_certificate(s);
+ *confunc = tls_construct_server_certificate;
+ *mt = SSL3_MT_CERTIFICATE;
+ break;
case TLS_ST_SW_KEY_EXCH:
- return tls_construct_server_key_exchange(s);
+ *confunc = tls_construct_server_key_exchange;
+ *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
+ break;
case TLS_ST_SW_CERT_REQ:
- return tls_construct_certificate_request(s);
+ *confunc = tls_construct_certificate_request;
+ *mt = SSL3_MT_CERTIFICATE_REQUEST;
+ break;
case TLS_ST_SW_SRVR_DONE:
- return tls_construct_server_done(s);
+ *confunc = tls_construct_server_done;
+ *mt = SSL3_MT_SERVER_DONE;
+ break;
case TLS_ST_SW_SESSION_TICKET:
- return tls_construct_new_session_ticket(s);
+ *confunc = tls_construct_new_session_ticket;
+ *mt = SSL3_MT_NEWSESSION_TICKET;
+ break;
case TLS_ST_SW_CERT_STATUS:
- return tls_construct_cert_status(s);
-
- case TLS_ST_SW_CHANGE:
- if (SSL_IS_DTLS(s))
- return dtls_construct_change_cipher_spec(s);
- else
- return tls_construct_change_cipher_spec(s);
+ *confunc = tls_construct_cert_status;
+ *mt = SSL3_MT_CERTIFICATE_STATUS;
+ break;
case TLS_ST_SW_FINISHED:
- return tls_construct_finished(s,
- s->method->
- ssl3_enc->server_finished_label,
- s->method->
- ssl3_enc->server_finished_label_len);
+ *confunc = tls_construct_finished;
+ *mt = SSL3_MT_FINISHED;
+ break;
}
+
+ return 1;
}
/*
* Returns the maximum allowed length for the current message that we are
* reading. Excludes the message header.
*/
-unsigned long ossl_statem_server_max_message_size(SSL *s)
+size_t ossl_statem_server_max_message_size(SSL *s)
{
OSSL_STATEM *st = &s->statem;
}
#endif
-int tls_construct_hello_request(SSL *s)
-{
- WPACKET pkt;
-
- if (!WPACKET_init(&pkt, s->init_buf)
- || !ssl_set_handshake_header2(s, &pkt, SSL3_MT_HELLO_REQUEST)
- || !ssl_close_construct_packet(s, &pkt)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- WPACKET_cleanup(&pkt);
- return 0;
- }
-
- return 1;
-}
-
int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
- unsigned char cookie_len)
+ size_t cookie_len)
{
/* Always use DTLS 1.0 version: see RFC 6347 */
if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
return 1;
}
-int dtls_construct_hello_verify_request(SSL *s)
+int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
{
- size_t msglen;
- WPACKET pkt;
-
+ unsigned int cookie_leni;
if (s->ctx->app_gen_cookie_cb == NULL ||
s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
- &(s->d1->cookie_len)) == 0 ||
- s->d1->cookie_len > 255) {
+ &cookie_leni) == 0 ||
+ cookie_leni > 255) {
SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
- ossl_statem_set_error(s);
return 0;
}
+ s->d1->cookie_len = cookie_leni;
- if (!WPACKET_init(&pkt, s->init_buf)
- || !ssl_set_handshake_header2(s, &pkt,
- DTLS1_MT_HELLO_VERIFY_REQUEST)
- || !dtls_raw_hello_verify_request(&pkt, s->d1->cookie,
- s->d1->cookie_len)
- /*
- * We don't call close_construct_packet() because we don't want
- * to buffer this message
- */
- || !WPACKET_close(&pkt)
- || !WPACKET_get_length(&pkt, &msglen)
- || !WPACKET_finish(&pkt)) {
+ if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
+ s->d1->cookie_len)) {
SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
- WPACKET_cleanup(&pkt);
- ossl_statem_set_error(s);
return 0;
}
- /* number of bytes to write */
- s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH;
- s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH;
- s->init_num = (int)msglen;
- s->init_off = 0;
-
return 1;
}
MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
{
int i, al = SSL_AD_INTERNAL_ERROR;
- unsigned int j, complen = 0;
+ unsigned int j;
+ size_t loop;
unsigned long id;
const SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
STACK_OF(SSL_CIPHER) *ciphers = NULL;
int protverr;
/* |cookie| will only be initialized for DTLS. */
- PACKET session_id, cipher_suites, compression, extensions, cookie;
- int is_v2_record;
+ PACKET session_id, compression, extensions, cookie;
static const unsigned char null_compression = 0;
+ CLIENTHELLO_MSG clienthello;
- is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer);
-
+ /*
+ * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
+ */
+ memset(&clienthello, 0, sizeof(clienthello));
+ clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
PACKET_null_init(&cookie);
- /* First lets get s->client_version set correctly */
- if (is_v2_record) {
- unsigned int version;
+
+ if (clienthello.isv2) {
unsigned int mt;
+
/*-
* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
* header is sent directly on the wire, not wrapped as a TLS
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
-
- if (!PACKET_get_net_2(pkt, &version)) {
- /* No protocol version supplied! */
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
- goto err;
- }
- if (version == 0x0002) {
- /* This is real SSLv2. We don't support it. */
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
- goto err;
- } else if ((version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
- /* SSLv3/TLS */
- s->client_version = version;
- } else {
- /* No idea what protocol this is */
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
- goto err;
- }
- } else {
- /*
- * use version from inside client hello, not from record header (may
- * differ: see RFC 2246, Appendix E, second paragraph)
- */
- if (!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
- }
}
- /*
- * Do SSL/TLS version negotiation if applicable. For DTLS we just check
- * versions are potentially compatible. Version negotiation comes later.
- */
- if (!SSL_IS_DTLS(s)) {
- protverr = ssl_choose_server_version(s);
- } else if (s->method->version != DTLS_ANY_VERSION &&
- DTLS_VERSION_LT(s->client_version, s->version)) {
- protverr = SSL_R_VERSION_TOO_LOW;
- } else {
- protverr = 0;
- }
-
- if (protverr) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
- if ((!s->enc_write_ctx && !s->write_hash)) {
- /*
- * similar to ssl3_get_record, send alert using remote version
- * number
- */
- s->version = s->client_version;
- }
- al = SSL_AD_PROTOCOL_VERSION;
- goto f_err;
+ if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto err;
}
/* Parse the message and load client random. */
- if (is_v2_record) {
+ if (clienthello.isv2) {
/*
* Handle an SSLv2 backwards compatible ClientHello
* Note, this is only for SSLv3+ using the backward compatible format.
* Real SSLv2 is not supported, and is rejected above.
*/
- unsigned int cipher_len, session_id_len, challenge_len;
+ unsigned int ciphersuite_len, session_id_len, challenge_len;
PACKET challenge;
- if (!PACKET_get_net_2(pkt, &cipher_len)
+ if (!PACKET_get_net_2(pkt, &ciphersuite_len)
|| !PACKET_get_net_2(pkt, &session_id_len)
|| !PACKET_get_net_2(pkt, &challenge_len)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
+ clienthello.session_id_len = session_id_len;
if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
- || !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
+ if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
+ ciphersuite_len)
+ || !PACKET_get_sub_packet(pkt, &session_id,
+ clienthello.session_id_len)
|| !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
/* No extensions. */
|| PACKET_remaining(pkt) != 0) {
}
/* Load the client random and compression list. */
- challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
- challenge_len;
- memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
+ challenge_len = challenge_len > sizeof(clienthello.random)
+ ? sizeof(clienthello.random) : challenge_len;
+ memset(clienthello.random, 0, sizeof(clienthello.random));
if (!PACKET_copy_bytes(&challenge,
- s->s3->client_random + SSL3_RANDOM_SIZE -
+ clienthello.random + sizeof(clienthello.random) -
challenge_len, challenge_len)
/* Advertise only null compression. */
|| !PACKET_buf_init(&compression, &null_compression, 1)) {
goto f_err;
}
- PACKET_null_init(&extensions);
+ PACKET_null_init(&clienthello.extensions);
} else {
/* Regular ClientHello. */
- if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)
+ if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
|| !PACKET_get_length_prefixed_1(pkt, &session_id)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
- if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
-
if (SSL_IS_DTLS(s)) {
if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
+ if (!PACKET_copy_all(&cookie, clienthello.dtls_cookie,
+ DTLS1_COOKIE_LENGTH,
+ &clienthello.dtls_cookie_len)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
/*
* If we require cookies and this ClientHello doesn't contain one,
* just return since we do not want to allocate any memory yet.
* So check cookie length...
*/
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
- if (PACKET_remaining(&cookie) == 0)
+ if (clienthello.dtls_cookie_len == 0)
return 1;
}
}
- if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
- || !PACKET_get_length_prefixed_1(pkt, &compression)) {
+ if (!PACKET_get_length_prefixed_2(pkt, &clienthello.ciphersuites)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
+ if (!PACKET_get_length_prefixed_1(pkt, &compression)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
goto f_err;
}
+
/* Could be empty. */
- extensions = *pkt;
+ if (PACKET_remaining(pkt) == 0) {
+ PACKET_null_init(&clienthello.extensions);
+ } else {
+ if (!PACKET_get_length_prefixed_2(pkt, &clienthello.extensions)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+ }
+ }
+
+ if (!PACKET_copy_all(&compression, clienthello.compressions,
+ MAX_COMPRESSIONS_SIZE, &clienthello.compressions_len)
+ || !PACKET_copy_all(&session_id, clienthello.session_id,
+ SSL_MAX_SSL_SESSION_ID_LENGTH,
+ &clienthello.session_id_len)) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
+ /* Preserve the raw extensions PACKET for later use */
+ extensions = clienthello.extensions;
+ if (!tls_collect_extensions(&extensions, &clienthello.pre_proc_exts,
+ &clienthello.num_extensions, &al)) {
+ /* SSLerr already been called */
+ goto f_err;
+ }
+
+ /* Finished parsing the ClientHello, now we can start processing it */
+
+ /* Set up the client_random */
+ memcpy(s->s3->client_random, clienthello.random, SSL3_RANDOM_SIZE);
+
+ /* Choose the version */
+
+ if (clienthello.isv2) {
+ if (clienthello.legacy_version == SSL2_VERSION
+ || (clienthello.legacy_version & 0xff00)
+ != (SSL3_VERSION_MAJOR << 8)) {
+ /*
+ * This is real SSLv2 or something complete unknown. We don't
+ * support it.
+ */
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
+ goto err;
+ }
+ /* SSLv3/TLS */
+ s->client_version = clienthello.legacy_version;
+ }
+ /*
+ * Do SSL/TLS version negotiation if applicable. For DTLS we just check
+ * versions are potentially compatible. Version negotiation comes later.
+ */
+ if (!SSL_IS_DTLS(s)) {
+ protverr = ssl_choose_server_version(s, &clienthello);
+ } else if (s->method->version != DTLS_ANY_VERSION &&
+ DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) {
+ protverr = SSL_R_VERSION_TOO_LOW;
+ } else {
+ protverr = 0;
+ }
+
+ if (protverr) {
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
+ if ((!s->enc_write_ctx && !s->write_hash)) {
+ /* like ssl3_get_record, send alert using remote version number */
+ s->version = s->client_version = clienthello.legacy_version;
+ }
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
}
if (SSL_IS_DTLS(s)) {
/* Empty cookie was already handled above by returning early. */
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
if (s->ctx->app_verify_cookie_cb != NULL) {
- if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
- PACKET_remaining(&cookie)) ==
- 0) {
+ if (s->ctx->app_verify_cookie_cb(s, clienthello.dtls_cookie,
+ clienthello.dtls_cookie_len) == 0) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_COOKIE_MISMATCH);
/* else cookie verification succeeded */
}
/* default verification */
- } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) {
+ } else if (s->d1->cookie_len != clienthello.dtls_cookie_len
+ || memcmp(clienthello.dtls_cookie, s->d1->cookie,
+ s->d1->cookie_len) != 0) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
goto f_err;
s->d1->cookie_verified = 1;
}
if (s->method->version == DTLS_ANY_VERSION) {
- protverr = ssl_choose_server_version(s);
+ protverr = ssl_choose_server_version(s, &clienthello);
if (protverr != 0) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
s->version = s->client_version;
s->hit = 0;
+ /* We need to do this before getting the session */
+ if (!tls_check_client_ems_support(s, &clienthello)) {
+ /* Only fails if the extension is malformed */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+ goto f_err;
+ }
+
/*
* We don't allow resumption in a backwards compatible ClientHello.
* TODO(openssl-team): in TLS1.1+, session_id MUST be empty.
* SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be
* ignored.
*/
- if (is_v2_record ||
+ if (clienthello.isv2 ||
(s->new_session &&
(s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) {
if (!ssl_get_new_session(s, 1))
goto err;
} else {
- i = ssl_get_prev_session(s, &extensions, &session_id);
+ i = ssl_get_prev_session(s, &clienthello);
/*
* Only resume if the session's version matches the negotiated
* version.
}
}
- if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
- is_v2_record, &al) == NULL) {
+ if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers,
+ clienthello.isv2, &al) == NULL) {
goto f_err;
}
}
}
- complen = PACKET_remaining(&compression);
- for (j = 0; j < complen; j++) {
- if (PACKET_data(&compression)[j] == 0)
+ for (loop = 0; loop < clienthello.compressions_len; loop++) {
+ if (clienthello.compressions[loop] == 0)
break;
}
- if (j >= complen) {
+ if (loop >= clienthello.compressions_len) {
/* no compress */
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
}
/* TLS extensions */
- if (s->version >= SSL3_VERSION) {
- if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
- goto err;
- }
+ if (!ssl_parse_clienthello_tlsext(s, &clienthello)) {
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
+ goto err;
}
/*
if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
const SSL_CIPHER *pref_cipher = NULL;
+ /*
+ * s->session->master_key_length is a size_t, but this is an int for
+ * backwards compat reasons
+ */
+ int master_key_length;
- s->session->master_key_length = sizeof(s->session->master_key);
+ master_key_length = sizeof(s->session->master_key);
if (s->tls_session_secret_cb(s, s->session->master_key,
- &s->session->master_key_length, ciphers,
+ &master_key_length, ciphers,
&pref_cipher,
- s->tls_session_secret_cb_arg)) {
+ s->tls_session_secret_cb_arg)
+ && master_key_length > 0) {
+ s->session->master_key_length = master_key_length;
s->hit = 1;
s->session->ciphers = ciphers;
s->session->verify_result = X509_V_OK;
goto f_err;
}
/* Look for resumed method in compression list */
- for (k = 0; k < complen; k++) {
- if (PACKET_data(&compression)[k] == comp_id)
+ for (k = 0; k < clienthello.compressions_len; k++) {
+ if (clienthello.compressions[k] == comp_id)
break;
}
- if (k >= complen) {
+ if (k >= clienthello.compressions_len) {
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
for (m = 0; m < nn; m++) {
comp = sk_SSL_COMP_value(s->ctx->comp_methods, m);
v = comp->id;
- for (o = 0; o < complen; o++) {
- if (v == PACKET_data(&compression)[o]) {
+ for (o = 0; o < clienthello.compressions_len; o++) {
+ if (v == clienthello.compressions[o]) {
done = 1;
break;
}
}
sk_SSL_CIPHER_free(ciphers);
+ OPENSSL_free(clienthello.pre_proc_exts);
return MSG_PROCESS_CONTINUE_PROCESSING;
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
ossl_statem_set_error(s);
sk_SSL_CIPHER_free(ciphers);
- return MSG_PROCESS_ERROR;
+ OPENSSL_free(clienthello.pre_proc_exts);
+ return MSG_PROCESS_ERROR;
}
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
return WORK_ERROR;
}
-int tls_construct_server_hello(SSL *s)
+int tls_construct_server_hello(SSL *s, WPACKET *pkt)
{
- int sl, compm, al = SSL_AD_INTERNAL_ERROR;
- size_t len;
- WPACKET pkt;
+ int compm, al = SSL_AD_INTERNAL_ERROR;
+ size_t sl, len;
- if (!WPACKET_init(&pkt, s->init_buf)
- || !ssl_set_handshake_header2(s, &pkt, SSL3_MT_SERVER_HELLO)
- || !WPACKET_put_bytes_u16(&pkt, s->version)
+ if (!WPACKET_put_bytes_u16(pkt, s->version)
/*
* Random stuff. Filling of the server_random takes place in
* tls_process_client_hello()
*/
- || !WPACKET_memcpy(&pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
+ || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
s->session->session_id_length = 0;
sl = s->session->session_id_length;
- if (sl > (int)sizeof(s->session->session_id)) {
+ if (sl > sizeof(s->session->session_id)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
compm = s->s3->tmp.new_compression->id;
#endif
- if (!WPACKET_sub_memcpy_u8(&pkt, s->session->session_id, sl)
- || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &pkt, &len)
- || !WPACKET_put_bytes_u8(&pkt, compm)
+ if (!WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl)
+ || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
+ || !WPACKET_put_bytes_u8(pkt, compm)
|| !ssl_prepare_serverhello_tlsext(s)
- || !ssl_add_serverhello_tlsext(s, &pkt, &al)
- || !ssl_close_construct_packet(s, &pkt)) {
+ || !ssl_add_serverhello_tlsext(s, pkt, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
return 1;
err:
- WPACKET_cleanup(&pkt);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
-int tls_construct_server_done(SSL *s)
+int tls_construct_server_done(SSL *s, WPACKET *pkt)
{
- if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
- }
-
if (!s->s3->tmp.cert_request) {
if (!ssl3_digest_cached_records(s, 0)) {
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
}
}
-
return 1;
}
-int tls_construct_server_key_exchange(SSL *s)
+int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
{
#ifndef OPENSSL_NO_DH
EVP_PKEY *pkdh = NULL;
#endif
#ifndef OPENSSL_NO_EC
unsigned char *encodedPoint = NULL;
- int encodedlen = 0;
+ size_t encodedlen = 0;
int curve_id = 0;
#endif
EVP_PKEY *pkey;
unsigned long type;
const BIGNUM *r[4];
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
- WPACKET pkt;
size_t paramlen, paramoffset;
- if (!WPACKET_init(&pkt, s->init_buf)
- || !ssl_set_handshake_header2(s, &pkt,
- SSL3_MT_SERVER_KEY_EXCHANGE)
- || !WPACKET_get_total_written(&pkt, ¶moffset)) {
+ if (!WPACKET_get_total_written(pkt, ¶moffset)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err;
}
* checked this when we set the identity hint - but just in case
*/
if (len > PSK_MAX_IDENTITY_LEN
- || !WPACKET_sub_memcpy_u16(&pkt, s->cert->psk_identity_hint,
+ || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
len)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
#ifndef OPENSSL_NO_SRP
if ((i == 2) && (type & SSL_kSRP)) {
- res = WPACKET_start_sub_packet_u8(&pkt);
+ res = WPACKET_start_sub_packet_u8(pkt);
} else
#endif
- res = WPACKET_start_sub_packet_u16(&pkt);
+ res = WPACKET_start_sub_packet_u16(pkt);
if (!res) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
if (len > 0) {
- if (!WPACKET_allocate_bytes(&pkt, len, &binval)) {
+ if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
}
}
#endif
- if (!WPACKET_allocate_bytes(&pkt, BN_num_bytes(r[i]), &binval)
- || !WPACKET_close(&pkt)) {
+ if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
+ || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
* [1 byte length of encoded point], followed by the actual encoded
* point itself
*/
- if (!WPACKET_put_bytes_u8(&pkt, NAMED_CURVE_TYPE)
- || !WPACKET_put_bytes_u8(&pkt, 0)
- || !WPACKET_put_bytes_u8(&pkt, curve_id)
- || !WPACKET_sub_memcpy_u8(&pkt, encodedPoint, encodedlen)) {
+ if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
+ || !WPACKET_put_bytes_u8(pkt, 0)
+ || !WPACKET_put_bytes_u8(pkt, curve_id)
+ || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
unsigned int siglen;
/* Get length of the parameters we have written above */
- if (!WPACKET_get_length(&pkt, ¶mlen)) {
+ if (!WPACKET_get_length(pkt, ¶mlen)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
}
/* send signature algorithm */
if (SSL_USE_SIGALGS(s)) {
- if (!tls12_get_sigandhash(&pkt, pkey, md)) {
+ if (!tls12_get_sigandhash(pkt, pkey, md)) {
/* Should never happen */
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
* up front, and then properly allocate them in the WPACKET
* afterwards.
*/
- if (!WPACKET_sub_reserve_bytes_u16(&pkt, EVP_PKEY_size(pkey),
+ if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey),
&sigbytes1)
|| EVP_SignInit_ex(md_ctx, md, NULL) <= 0
|| EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
|| EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset,
paramlen) <= 0
|| EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0
- || !WPACKET_sub_allocate_bytes_u16(&pkt, siglen, &sigbytes2)
+ || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
|| sigbytes1 != sigbytes2) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
}
}
- if (!ssl_close_construct_packet(s, &pkt)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
-
EVP_MD_CTX_free(md_ctx);
return 1;
f_err:
OPENSSL_free(encodedPoint);
#endif
EVP_MD_CTX_free(md_ctx);
- ossl_statem_set_error(s);
- WPACKET_cleanup(&pkt);
return 0;
}
-int tls_construct_certificate_request(SSL *s)
+int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
{
- int i, nl;
+ int i;
STACK_OF(X509_NAME) *sk = NULL;
- WPACKET pkt;
-
- if (!WPACKET_init(&pkt, s->init_buf)
- || !ssl_set_handshake_header2(s, &pkt,
- SSL3_MT_CERTIFICATE_REQUEST)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
- goto err;
- }
-
/* get the list of acceptable cert types */
- if (!WPACKET_start_sub_packet_u8(&pkt)
- || !ssl3_get_req_cert_type(s, &pkt)
- || !WPACKET_close(&pkt)) {
+ if (!WPACKET_start_sub_packet_u8(pkt)
+ || !ssl3_get_req_cert_type(s, pkt)
+ || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
goto err;
}
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
- nl = tls12_get_psigalgs(s, &psigs);
- if (!WPACKET_start_sub_packet_u16(&pkt)
- || !tls12_copy_sigalgs(s, &pkt, psigs, nl)
- || !WPACKET_close(&pkt)) {
+ size_t nl = tls12_get_psigalgs(s, &psigs);
+ if (!WPACKET_start_sub_packet_u16(pkt)
+ || !tls12_copy_sigalgs(s, pkt, psigs, nl)
+ || !WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
ERR_R_INTERNAL_ERROR);
goto err;
}
/* Start sub-packet for client CA list */
- if (!WPACKET_start_sub_packet_u16(&pkt)) {
+ if (!WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
goto err;
}
if (name == NULL
|| (namelen = i2d_X509_NAME(name, NULL)) < 0
- || !WPACKET_sub_allocate_bytes_u16(&pkt, namelen,
+ || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
&namebytes)
|| i2d_X509_NAME(name, &namebytes) != namelen) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
}
/* else no CA names */
- if (!WPACKET_close(&pkt)
- || !ssl_close_construct_packet(s, &pkt)) {
+ if (!WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
goto err;
}
return 1;
err:
- WPACKET_cleanup(&pkt);
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
* Decrypt with no padding. PKCS#1 padding will be removed as part of
* the timing-sensitive code below.
*/
- decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
- PACKET_data(&enc_premaster),
- rsa_decrypt, rsa, RSA_NO_PADDING);
+ /* TODO(size_t): Convert this function */
+ decrypt_len = (int)RSA_private_decrypt((int)PACKET_remaining(&enc_premaster),
+ PACKET_data(&enc_premaster),
+ rsa_decrypt, rsa, RSA_NO_PADDING);
if (decrypt_len < 0)
goto err;
unsigned long alg_a;
int Ttag, Tclass;
long Tlen;
- long sess_key_len;
+ size_t sess_key_len;
const unsigned char *data;
int ret = 0;
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
goto err;
}
+ /* TODO(size_t): Convert this function */
if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
- &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
+ &Tclass, (long)sess_key_len) != V_ASN1_CONSTRUCTED
|| Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
if (s->version == SSL3_VERSION
&& !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
- s->session->master_key_length,
+ (int)s->session->master_key_length,
s->session->master_key)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB);
al = SSL_AD_INTERNAL_ERROR;
return ret;
}
-int tls_construct_server_certificate(SSL *s)
+int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
{
CERT_PKEY *cpk;
cpk = ssl_get_server_send_pkey(s);
if (cpk == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
- if (!ssl3_output_cert_chain(s, cpk)) {
+ if (!ssl3_output_cert_chain(s, pkt, cpk)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
return 1;
}
-int tls_construct_new_session_ticket(SSL *s)
+int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
{
unsigned char *senc = NULL;
EVP_CIPHER_CTX *ctx = NULL;
HMAC_CTX *hctx = NULL;
- unsigned char *p, *macstart;
+ unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
const unsigned char *const_p;
- int len, slen_full, slen;
+ int len, slen_full, slen, lenfinal;
SSL_SESSION *sess;
unsigned int hlen;
SSL_CTX *tctx = s->initial_ctx;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
int iv_len;
+ size_t macoffset, macendoffset;
/* get session encoding length */
slen_full = i2d_SSL_SESSION(s->session, NULL);
}
SSL_SESSION_free(sess);
- /*-
- * Grow buffer if need be: the length calculation is as
- * follows handshake_header_length +
- * 4 (ticket lifetime hint) + 2 (ticket length) +
- * sizeof(keyname) + max_iv_len (iv length) +
- * max_enc_block_size (max encrypted session * length) +
- * max_md_size (HMAC) + session_length.
- */
- if (!BUF_MEM_grow(s->init_buf,
- SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) +
- EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
- EVP_MAX_MD_SIZE + slen))
- goto err;
-
- p = ssl_handshake_start(s);
/*
* Initialize HMAC and cipher contexts. If callback present it does
* all the work otherwise use generated values from parent ctx.
hctx, 1);
if (ret == 0) {
- l2n(0, p); /* timeout */
- s2n(0, p); /* length */
- if (!ssl_set_handshake_header
- (s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s)))
+
+ /* Put timeout and length */
+ if (!WPACKET_put_bytes_u32(pkt, 0)
+ || !WPACKET_put_bytes_u16(pkt, 0)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+ ERR_R_INTERNAL_ERROR);
goto err;
+ }
OPENSSL_free(senc);
EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
* for resumed session (for simplicity), and guess that tickets for
* new sessions will live as long as their sessions.
*/
- l2n(s->hit ? 0 : s->session->timeout, p);
-
- /* Skip ticket length for now */
- p += 2;
- /* Output key name */
- macstart = p;
- memcpy(p, key_name, sizeof(key_name));
- p += sizeof(key_name);
- /* output IV */
- memcpy(p, iv, iv_len);
- p += iv_len;
- /* Encrypt session data */
- if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen))
- goto err;
- p += len;
- if (!EVP_EncryptFinal(ctx, p, &len))
- goto err;
- p += len;
-
- if (!HMAC_Update(hctx, macstart, p - macstart))
- goto err;
- if (!HMAC_Final(hctx, p, &hlen))
+ if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout)
+ /* Now the actual ticket data */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_get_total_written(pkt, &macoffset)
+ /* Output key name */
+ || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
+ /* output IV */
+ || !WPACKET_memcpy(pkt, iv, iv_len)
+ || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
+ &encdata1)
+ /* Encrypt session data */
+ || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
+ || !WPACKET_allocate_bytes(pkt, len, &encdata2)
+ || encdata1 != encdata2
+ || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
+ || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
+ || encdata1 + len != encdata2
+ || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
+ || !WPACKET_get_total_written(pkt, &macendoffset)
+ || !HMAC_Update(hctx,
+ (unsigned char *)s->init_buf->data + macoffset,
+ macendoffset - macoffset)
+ || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
+ || !HMAC_Final(hctx, macdata1, &hlen)
+ || hlen > EVP_MAX_MD_SIZE
+ || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
+ || macdata1 != macdata2
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
-
+ }
EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
- ctx = NULL;
- hctx = NULL;
-
- p += hlen;
- /* Now write out lengths: p points to end of data written */
- /* Total length */
- len = p - ssl_handshake_start(s);
- /* Skip ticket lifetime hint */
- p = ssl_handshake_start(s) + 4;
- s2n(len - 6, p);
- if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
- goto err;
OPENSSL_free(senc);
return 1;
OPENSSL_free(senc);
EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
-int tls_construct_cert_status(SSL *s)
+int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
- unsigned char *p;
- size_t msglen;
-
- /*-
- * Grow buffer if need be: the length calculation is as
- * follows handshake_header_length +
- * 1 (ocsp response type) + 3 (ocsp response length)
- * + (ocsp response)
- */
- msglen = 4 + s->tlsext_ocsp_resplen;
- if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen))
- goto err;
-
- p = ssl_handshake_start(s);
-
- /* status type */
- *(p++) = s->tlsext_status_type;
- /* length of OCSP response */
- l2n3(s->tlsext_ocsp_resplen, p);
- /* actual response */
- memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
-
- if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_STATUS, msglen))
- goto err;
+ if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
+ || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
+ s->tlsext_ocsp_resplen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
+ }
return 1;
-
- err:
- ossl_statem_set_error(s);
- return 0;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
projects / openssl.git / blobdiff