* OTHERWISE.
*/
-
#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
PACKET *cipher_suites,
- STACK_OF(SSL_CIPHER) **skp,
- int sslv2format, int *al);
+ STACK_OF(SSL_CIPHER)
+ **skp, int sslv2format,
+ int *al);
/*
* server_read_transition() encapsulates the logic for the allowed handshake
OSSL_STATEM *st = &s->statem;
switch (st->hand_state) {
+ default:
+ break;
+
case TLS_ST_BEFORE:
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
if (mt == SSL3_MT_CLIENT_HELLO) {
return 1;
}
break;
-
- default:
- break;
}
/* No valid transition found */
* the server certificate contains the server's public key for
* key exchange.
*/
- if (alg_k & (SSL_kDHE|SSL_kECDHE)
+ if (alg_k & (SSL_kDHE | SSL_kECDHE)
/*
* PSK: send ServerKeyExchange if PSK identity hint if
* provided
/* SRP: send ServerKeyExchange */
|| (alg_k & SSL_kSRP)
#endif
- ) {
+ ) {
return 1;
}
* RFC 2246):
*/
&& (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
- /*
- * ... except when the application insists on
- * verification (against the specs, but statem_clnt.c accepts
- * this for SSL 3)
- */
+ /*
+ * ... except when the application insists on
+ * verification (against the specs, but statem_clnt.c accepts
+ * this for SSL 3)
+ */
|| (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
/* don't request certificate for SRP auth */
&& !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
OSSL_STATEM *st = &s->statem;
switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return WRITE_TRAN_ERROR;
+
case TLS_ST_BEFORE:
- /* Just go straight to trying to read from the client */;
+ /* Just go straight to trying to read from the client */
return WRITE_TRAN_FINISHED;
case TLS_ST_OK:
case TLS_ST_SR_CLNT_HELLO:
if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
- && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
+ && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
else
st->hand_state = TLS_ST_SW_SRVR_HELLO;
/* Check if it is anon DH or anon ECDH, */
/* normal PSK or SRP */
if (!(s->s3->tmp.new_cipher->algorithm_auth &
- (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
+ (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
st->hand_state = TLS_ST_SW_CERT;
} else if (send_server_key_exchange(s)) {
st->hand_state = TLS_ST_SW_KEY_EXCH;
st->hand_state = TLS_ST_OK;
ossl_statem_set_in_init(s, 0);
return WRITE_TRAN_CONTINUE;
-
- default:
- /* Shouldn't happen */
- return WRITE_TRAN_ERROR;
}
}
OSSL_STATEM *st = &s->statem;
switch (st->hand_state) {
+ default:
+ /* No pre work to be done */
+ break;
+
case TLS_ST_SW_HELLO_REQ:
s->shutdown = 0;
if (SSL_IS_DTLS(s))
- dtls1_clear_record_buffer(s);
+ dtls1_clear_sent_buffer(s);
break;
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
s->shutdown = 0;
if (SSL_IS_DTLS(s)) {
- dtls1_clear_record_buffer(s);
+ dtls1_clear_sent_buffer(s);
/* We don't buffer this message so don't use the timer */
st->use_timer = 0;
}
case TLS_ST_OK:
return tls_finish_handshake(s, wst);
-
- default:
- /* No pre work to be done */
- break;
}
return WORK_FINISHED_CONTINUE;
s->init_num = 0;
switch (st->hand_state) {
+ default:
+ /* No post work to be done */
+ break;
+
case TLS_ST_SW_HELLO_REQ:
if (statem_flush(s) != 1)
return WORK_MORE_A;
sizeof(DTLS1_SCTP_AUTH_LABEL));
if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ sizeof(sctpauthkey), labelbuffer,
+ sizeof(labelbuffer), NULL, 0,
+ 0) <= 0) {
ossl_statem_set_error(s);
return WORK_ERROR;
}
}
#endif
if (!s->method->ssl3_enc->change_cipher_state(s,
- SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
+ SSL3_CHANGE_CIPHER_SERVER_WRITE))
+ {
ossl_statem_set_error(s);
return WORK_ERROR;
}
}
#endif
break;
-
- default:
- /* No post work to be done */
- break;
}
return WORK_FINISHED_CONTINUE;
* 1: Success
* 0: Error
*/
-int ossl_statem_server_construct_message(SSL *s)
+int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt)
{
OSSL_STATEM *st = &s->statem;
+ int (*confunc) (SSL *s, WPACKET *pkt) = NULL;
+ int ret = 1, mt;
- switch (st->hand_state) {
- case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
- return dtls_construct_hello_verify_request(s);
+ if (st->hand_state == TLS_ST_SW_CHANGE) {
+ /* Special case becase it is a different content type */
+ if (SSL_IS_DTLS(s))
+ return dtls_construct_change_cipher_spec(s, pkt);
- case TLS_ST_SW_HELLO_REQ:
- return tls_construct_hello_request(s);
+ return tls_construct_change_cipher_spec(s, pkt);
+ } else if (st->hand_state == DTLS_ST_SW_HELLO_VERIFY_REQUEST) {
+ /* Special case because we don't call ssl_close_construct_packet() */
+ return dtls_construct_hello_verify_request(s, pkt);
+ } else {
+ switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return 0;
- case TLS_ST_SW_SRVR_HELLO:
- return tls_construct_server_hello(s);
+ case TLS_ST_SW_HELLO_REQ:
+ /* No construction function needed */
+ mt = SSL3_MT_HELLO_REQUEST;
+ break;
- case TLS_ST_SW_CERT:
- return tls_construct_server_certificate(s);
+ case TLS_ST_SW_SRVR_HELLO:
+ confunc = tls_construct_server_hello;
+ mt = SSL3_MT_SERVER_HELLO;
+ break;
- case TLS_ST_SW_KEY_EXCH:
- return tls_construct_server_key_exchange(s);
+ case TLS_ST_SW_CERT:
+ confunc = tls_construct_server_certificate;
+ mt = SSL3_MT_CERTIFICATE;
+ break;
- case TLS_ST_SW_CERT_REQ:
- return tls_construct_certificate_request(s);
+ case TLS_ST_SW_KEY_EXCH:
+ confunc = tls_construct_server_key_exchange;
+ mt = SSL3_MT_SERVER_KEY_EXCHANGE;
+ break;
- case TLS_ST_SW_SRVR_DONE:
- return tls_construct_server_done(s);
+ case TLS_ST_SW_CERT_REQ:
+ confunc = tls_construct_certificate_request;
+ mt = SSL3_MT_CERTIFICATE_REQUEST;
+ break;
- case TLS_ST_SW_SESSION_TICKET:
- return tls_construct_new_session_ticket(s);
+ case TLS_ST_SW_SRVR_DONE:
+ confunc = tls_construct_server_done;
+ mt = SSL3_MT_SERVER_DONE;
+ break;
- case TLS_ST_SW_CERT_STATUS:
- return tls_construct_cert_status(s);
+ case TLS_ST_SW_SESSION_TICKET:
+ confunc = tls_construct_new_session_ticket;
+ mt = SSL3_MT_NEWSESSION_TICKET;
+ break;
- case TLS_ST_SW_CHANGE:
- if (SSL_IS_DTLS(s))
- return dtls_construct_change_cipher_spec(s);
- else
- return tls_construct_change_cipher_spec(s);
+ case TLS_ST_SW_CERT_STATUS:
+ confunc = tls_construct_cert_status;
+ mt = SSL3_MT_CERTIFICATE_STATUS;
+ break;
- case TLS_ST_SW_FINISHED:
- return tls_construct_finished(s,
- s->method->
- ssl3_enc->server_finished_label,
- s->method->
- ssl3_enc->server_finished_label_len);
+ case TLS_ST_SW_FINISHED:
+ mt = SSL3_MT_FINISHED;
+ break;
+ }
- default:
- /* Shouldn't happen */
- break;
- }
+ if (!ssl_set_handshake_header(s, pkt, mt)) {
+ SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
- return 0;
+ if (st->hand_state == TLS_ST_SW_FINISHED)
+ ret = tls_construct_finished(s, pkt,
+ s->method->
+ ssl3_enc->server_finished_label,
+ s->method->
+ ssl3_enc->server_finished_label_len);
+ else if (confunc != NULL)
+ ret = confunc(s, pkt);
+
+ if (!ret || !ssl_close_construct_packet(s, pkt)) {
+ SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ return 1;
}
/*
OSSL_STATEM *st = &s->statem;
switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return 0;
+
case TLS_ST_SR_CLNT_HELLO:
return CLIENT_HELLO_MAX_LENGTH;
case TLS_ST_SR_FINISHED:
return FINISHED_MAX_LENGTH;
-
- default:
- /* Shouldn't happen */
- break;
}
-
- return 0;
}
/*
OSSL_STATEM *st = &s->statem;
switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return MSG_PROCESS_ERROR;
+
case TLS_ST_SR_CLNT_HELLO:
return tls_process_client_hello(s, pkt);
case TLS_ST_SR_FINISHED:
return tls_process_finished(s, pkt);
-
- default:
- /* Shouldn't happen */
- break;
}
-
- return MSG_PROCESS_ERROR;
}
/*
OSSL_STATEM *st = &s->statem;
switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return WORK_ERROR;
+
case TLS_ST_SR_CLNT_HELLO:
return tls_post_process_client_hello(s, wst);
case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
- if ( /* Is this SCTP? */
- BIO_dgram_is_sctp(SSL_get_wbio(s))
- /* Are we renegotiating? */
- && s->renegotiate
- && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
+ if ( /* Is this SCTP? */
+ BIO_dgram_is_sctp(SSL_get_wbio(s))
+ /* Are we renegotiating? */
+ && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->s3->in_read_app_data = 2;
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
}
#endif
return WORK_FINISHED_CONTINUE;
-
- default:
- break;
}
- /* Shouldn't happen */
- return WORK_ERROR;
}
#ifndef OPENSSL_NO_SRP
}
#endif
-int tls_construct_hello_request(SSL *s)
+int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
+ unsigned char cookie_len)
{
- if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
+ /* Always use DTLS 1.0 version: see RFC 6347 */
+ if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
+ || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
return 0;
- }
return 1;
}
-unsigned int dtls_raw_hello_verify_request(unsigned char *buf,
- unsigned char *cookie,
- unsigned char cookie_len)
+int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
{
- unsigned int msg_len;
- unsigned char *p;
-
- p = buf;
- /* Always use DTLS 1.0 version: see RFC 6347 */
- *(p++) = DTLS1_VERSION >> 8;
- *(p++) = DTLS1_VERSION & 0xFF;
-
- *(p++) = (unsigned char)cookie_len;
- memcpy(p, cookie, cookie_len);
- p += cookie_len;
- msg_len = p - buf;
-
- return msg_len;
-}
-
-int dtls_construct_hello_verify_request(SSL *s)
-{
- unsigned int len;
- unsigned char *buf;
-
- buf = (unsigned char *)s->init_buf->data;
+ size_t msglen;
if (s->ctx->app_gen_cookie_cb == NULL ||
s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
s->d1->cookie_len > 255) {
SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
- ossl_statem_set_error(s);
return 0;
}
- len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
- s->d1->cookie, s->d1->cookie_len);
-
- dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
- len);
- len += DTLS1_HM_HEADER_LENGTH;
+ if (!ssl_set_handshake_header(s, pkt,
+ DTLS1_MT_HELLO_VERIFY_REQUEST)
+ || !dtls_raw_hello_verify_request(pkt, s->d1->cookie,
+ s->d1->cookie_len)
+ /*
+ * We don't call close_construct_packet() because we don't want
+ * to buffer this message
+ */
+ || !WPACKET_close(pkt)
+ || !WPACKET_get_length(pkt, &msglen)
+ || !WPACKET_finish(pkt)) {
+ SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
/* number of bytes to write */
- s->init_num = len;
+ s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH;
+ s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH;
+ s->init_num = (int)msglen;
s->init_off = 0;
return 1;
*/
if (!PACKET_get_1(pkt, &mt)
- || mt != SSL2_MT_CLIENT_HELLO) {
+ || mt != SSL2_MT_CLIENT_HELLO) {
/*
* Should never happen. We should have tested this in the record
* layer in order to have determined that this is a SSLv2 record
PACKET challenge;
if (!PACKET_get_net_2(pkt, &cipher_len)
- || !PACKET_get_net_2(pkt, &session_id_len)
- || !PACKET_get_net_2(pkt, &challenge_len)) {
+ || !PACKET_get_net_2(pkt, &session_id_len)
+ || !PACKET_get_net_2(pkt, &challenge_len)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_RECORD_LENGTH_MISMATCH);
al = SSL_AD_DECODE_ERROR;
*/
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
if (PACKET_remaining(&cookie) == 0)
- return 1;
+ return 1;
}
}
if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
|| !PACKET_get_length_prefixed_1(pkt, &compression)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
- goto f_err;
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
}
/* Could be empty. */
extensions = *pkt;
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
if (s->ctx->app_verify_cookie_cb != NULL) {
if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
- PACKET_remaining(&cookie)) == 0) {
+ PACKET_remaining(&cookie)) ==
+ 0) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_COOKIE_MISMATCH);
goto f_err;
/* else cookie verification succeeded */
}
- /* default verification */
- } else if (!PACKET_equal(&cookie, s->d1->cookie,
- s->d1->cookie_len)) {
+ /* default verification */
+ } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
goto f_err;
id = s->session->cipher->id;
#ifdef CIPHER_DEBUG
- fprintf(stderr, "client sent %d ciphers\n",
- sk_SSL_CIPHER_num(ciphers));
+ fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
#endif
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
c = sk_SSL_CIPHER_value(ciphers, i);
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
if (rv == 0) {
al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
+ SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_CERT_CB_ERROR);
goto f_err;
}
if (rv < 0) {
}
s->rwstate = SSL_NOTHING;
}
- cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ cipher =
+ ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
if (cipher == NULL) {
- SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
+ SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_NO_SHARED_CIPHER);
goto f_err;
}
s->s3->tmp.new_cipher = cipher;
/* check whether we should disable session resumption */
if (s->not_resumable_session_cb != NULL)
s->session->not_resumable = s->not_resumable_session_cb(s,
- ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
+ ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
if (s->session->not_resumable)
/* do not send a session ticket */
s->tlsext_ticket_expected = 0;
*/
if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
- SSL_R_CLIENTHELLO_TLSEXT);
+ SSL_R_CLIENTHELLO_TLSEXT);
goto f_err;
}
}
return WORK_ERROR;
}
-int tls_construct_server_hello(SSL *s)
+int tls_construct_server_hello(SSL *s, WPACKET *pkt)
{
- unsigned char *buf;
- unsigned char *p, *d;
- int i, sl;
- int al = 0;
- unsigned long l;
-
- buf = (unsigned char *)s->init_buf->data;
-
- /* Do the message type and length last */
- d = p = ssl_handshake_start(s);
-
- *(p++) = s->version >> 8;
- *(p++) = s->version & 0xff;
-
- /*
- * Random stuff. Filling of the server_random takes place in
- * tls_process_client_hello()
- */
- memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
- p += SSL3_RANDOM_SIZE;
+ int sl, compm, al = SSL_AD_INTERNAL_ERROR;
+ size_t len;
+
+ if (!WPACKET_put_bytes_u16(pkt, s->version)
+ /*
+ * Random stuff. Filling of the server_random takes place in
+ * tls_process_client_hello()
+ */
+ || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
/*-
* There are several cases for the session ID to send
sl = s->session->session_id_length;
if (sl > (int)sizeof(s->session->session_id)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
+ goto err;
}
- *(p++) = sl;
- memcpy(p, s->session->session_id, sl);
- p += sl;
- /* put the cipher */
- i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
- p += i;
-
- /* put the compression method */
+ /* set up the compression method */
#ifdef OPENSSL_NO_COMP
- *(p++) = 0;
+ compm = 0;
#else
if (s->s3->tmp.new_compression == NULL)
- *(p++) = 0;
+ compm = 0;
else
- *(p++) = s->s3->tmp.new_compression->id;
+ compm = s->s3->tmp.new_compression->id;
#endif
- if (ssl_prepare_serverhello_tlsext(s) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
- ossl_statem_set_error(s);
- return 0;
- }
- if ((p =
- ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
- &al)) == NULL) {
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
+ if (!WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl)
+ || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
+ || !WPACKET_put_bytes_u8(pkt, compm)
+ || !ssl_prepare_serverhello_tlsext(s)
+ || !ssl_add_serverhello_tlsext(s, pkt, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
- }
-
- /* do the header */
- l = (p - d);
- if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
+ goto err;
}
return 1;
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
}
-int tls_construct_server_done(SSL *s)
+int tls_construct_server_done(SSL *s, WPACKET *pkt)
{
- if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
- }
-
if (!s->s3->tmp.cert_request) {
if (!ssl3_digest_cached_records(s, 0)) {
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
}
}
-
return 1;
}
-int tls_construct_server_key_exchange(SSL *s)
+int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
{
#ifndef OPENSSL_NO_DH
EVP_PKEY *pkdh = NULL;
- int j;
#endif
#ifndef OPENSSL_NO_EC
unsigned char *encodedPoint = NULL;
#endif
EVP_PKEY *pkey;
const EVP_MD *md = NULL;
- unsigned char *p, *d;
- int al, i;
+ int al = SSL_AD_INTERNAL_ERROR, i;
unsigned long type;
- int n;
const BIGNUM *r[4];
- int nr[4], kn;
- BUF_MEM *buf;
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
+ size_t paramlen, paramoffset;
+
+ if (!WPACKET_get_total_written(pkt, ¶moffset)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
if (md_ctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
type = s->s3->tmp.new_cipher->algorithm_mkey;
- buf = s->init_buf;
-
r[0] = r[1] = r[2] = r[3] = NULL;
- n = 0;
#ifndef OPENSSL_NO_PSK
- if (type & SSL_PSK) {
- /*
- * reserve size for record length and PSK identity hint
- */
- n += 2;
- if (s->cert->psk_identity_hint)
- n += strlen(s->cert->psk_identity_hint);
- }
/* Plain PSK or RSAPSK nothing to do */
if (type & (SSL_kPSK | SSL_kRSAPSK)) {
} else
pkdh = EVP_PKEY_new();
if (pkdh == NULL || dhp == NULL) {
DH_free(dhp);
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
pkdh = ssl_dh_to_pkey(dhp);
if (pkdh == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
goto err;
}
- s->s3->tmp.pkey = ssl_generate_pkey(pkdhp, NID_undef);
+ s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
if (s->s3->tmp.pkey == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
goto err;
}
- s->s3->tmp.pkey = ssl_generate_pkey(NULL, curve_id);
+ s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id);
/* Generate a new key for this curve */
if (s->s3->tmp.pkey == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
goto f_err;
}
goto err;
}
- /*
- * We only support named (not generic) curves in ECDH ephemeral key
- * exchanges. In this situation, we need four additional bytes to
- * encode the entire ServerECDHParams structure.
- */
- n += 4 + encodedlen;
-
/*
* We'll generate the serverKeyExchange message explicitly so we
* can set these to NULLs
SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
goto f_err;
}
- for (i = 0; i < 4 && r[i] != NULL; i++) {
- nr[i] = BN_num_bytes(r[i]);
-#ifndef OPENSSL_NO_SRP
- if ((i == 2) && (type & SSL_kSRP))
- n += 1 + nr[i];
- else
-#endif
-#ifndef OPENSSL_NO_DH
- /*
- * for interoperability with some versions of the Microsoft TLS
- * stack, we need to zero pad the DHE pub key to the same length
- * as the prime, so use the length of the prime here
- */
- if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK)))
- n += 2 + nr[0];
- else
-#endif
- n += 2 + nr[i];
- }
- if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
+ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
== NULL) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- kn = EVP_PKEY_size(pkey);
- /* Allow space for signature algorithm */
- if (SSL_USE_SIGALGS(s))
- kn += 2;
- /* Allow space for signature length */
- kn += 2;
} else {
pkey = NULL;
- kn = 0;
}
- if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
- goto err;
- }
- d = p = ssl_handshake_start(s);
-
#ifndef OPENSSL_NO_PSK
if (type & SSL_PSK) {
- /* copy PSK identity hint */
- if (s->cert->psk_identity_hint) {
- size_t len = strlen(s->cert->psk_identity_hint);
- if (len > PSK_MAX_IDENTITY_LEN) {
- /*
- * Should not happen - we already checked this when we set
- * the identity hint
- */
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- goto err;
- }
- s2n(len, p);
- memcpy(p, s->cert->psk_identity_hint, len);
- p += len;
- } else {
- s2n(0, p);
+ size_t len = (s->cert->psk_identity_hint == NULL)
+ ? 0 : strlen(s->cert->psk_identity_hint);
+
+ /*
+ * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
+ * checked this when we set the identity hint - but just in case
+ */
+ if (len > PSK_MAX_IDENTITY_LEN
+ || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
+ len)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
}
}
#endif
for (i = 0; i < 4 && r[i] != NULL; i++) {
+ unsigned char *binval;
+ int res;
+
#ifndef OPENSSL_NO_SRP
if ((i == 2) && (type & SSL_kSRP)) {
- *p = nr[i];
- p++;
+ res = WPACKET_start_sub_packet_u8(pkt);
} else
#endif
+ res = WPACKET_start_sub_packet_u16(pkt);
+
+ if (!res) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+
#ifndef OPENSSL_NO_DH
- /*
+ /*-
* for interoperability with some versions of the Microsoft TLS
* stack, we need to zero pad the DHE pub key to the same length
* as the prime
*/
if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
- s2n(nr[0], p);
- for (j = 0; j < (nr[0] - nr[2]); ++j) {
- *p = 0;
- ++p;
+ size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
+
+ if (len > 0) {
+ if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+ memset(binval, 0, len);
}
- } else
+ }
#endif
- s2n(nr[i], p);
- BN_bn2bin(r[i], p);
- p += nr[i];
+ if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+
+ BN_bn2bin(r[i], binval);
}
#ifndef OPENSSL_NO_EC
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
/*
- * XXX: For now, we only support named (not generic) curves. In
- * this situation, the serverKeyExchange message has: [1 byte
- * CurveType], [2 byte CurveName] [1 byte length of encoded
- * point], followed by the actual encoded point itself
+ * We only support named (not generic) curves. In this situation, the
+ * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
+ * [1 byte length of encoded point], followed by the actual encoded
+ * point itself
*/
- *p = NAMED_CURVE_TYPE;
- p += 1;
- *p = 0;
- p += 1;
- *p = curve_id;
- p += 1;
- *p = encodedlen;
- p += 1;
- memcpy(p, encodedPoint, encodedlen);
+ if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
+ || !WPACKET_put_bytes_u8(pkt, 0)
+ || !WPACKET_put_bytes_u8(pkt, curve_id)
+ || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
OPENSSL_free(encodedPoint);
encodedPoint = NULL;
- p += encodedlen;
}
#endif
* points to the space at the end.
*/
if (md) {
+ unsigned char *sigbytes1, *sigbytes2;
+ unsigned int siglen;
+
+ /* Get length of the parameters we have written above */
+ if (!WPACKET_get_length(pkt, ¶mlen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
/* send signature algorithm */
if (SSL_USE_SIGALGS(s)) {
- if (!tls12_get_sigandhash(p, pkey, md)) {
+ if (!tls12_get_sigandhash(pkt, pkey, md)) {
/* Should never happen */
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
}
- p += 2;
}
#ifdef SSL_DEBUG
fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
#endif
- if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0
+ /*
+ * Create the signature. We don't know the actual length of the sig
+ * until after we've created it, so we reserve enough bytes for it
+ * up front, and then properly allocate them in the WPACKET
+ * afterwards.
+ */
+ if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey),
+ &sigbytes1)
+ || EVP_SignInit_ex(md_ctx, md, NULL) <= 0
|| EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
SSL3_RANDOM_SIZE) <= 0
|| EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
SSL3_RANDOM_SIZE) <= 0
- || EVP_SignUpdate(md_ctx, d, n) <= 0
- || EVP_SignFinal(md_ctx, &(p[2]),
- (unsigned int *)&i, pkey) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
- al = SSL_AD_INTERNAL_ERROR;
+ || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset,
+ paramlen) <= 0
+ || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0
+ || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
+ || sigbytes1 != sigbytes2) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
goto f_err;
}
- s2n(i, p);
- n += i + 2;
- if (SSL_USE_SIGALGS(s))
- n += 2;
} else {
/* Is this error check actually needed? */
al = SSL_AD_HANDSHAKE_FAILURE;
}
}
- if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
-
EVP_MD_CTX_free(md_ctx);
return 1;
f_err:
OPENSSL_free(encodedPoint);
#endif
EVP_MD_CTX_free(md_ctx);
- ossl_statem_set_error(s);
return 0;
}
-int tls_construct_certificate_request(SSL *s)
+int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
{
- unsigned char *p, *d;
- int i, j, nl, off, n;
+ int i, nl;
STACK_OF(X509_NAME) *sk = NULL;
- X509_NAME *name;
- BUF_MEM *buf;
-
- buf = s->init_buf;
-
- d = p = ssl_handshake_start(s);
/* get the list of acceptable cert types */
- p++;
- n = ssl3_get_req_cert_type(s, p);
- d[0] = n;
- p += n;
- n++;
+ if (!WPACKET_start_sub_packet_u8(pkt)
+ || !ssl3_get_req_cert_type(s, pkt)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
- unsigned char *etmp = p;
nl = tls12_get_psigalgs(s, &psigs);
- /* Skip over length for now */
- p += 2;
- nl = tls12_copy_sigalgs(s, p, psigs, nl);
- /* Now fill in length */
- s2n(nl, etmp);
- p += nl;
- n += nl + 2;
+ if (!WPACKET_start_sub_packet_u16(pkt)
+ || !tls12_copy_sigalgs(s, pkt, psigs, nl)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
}
- off = n;
- p += 2;
- n += 2;
+ /* Start sub-packet for client CA list */
+ if (!WPACKET_start_sub_packet_u16(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
sk = SSL_get_client_CA_list(s);
- nl = 0;
if (sk != NULL) {
for (i = 0; i < sk_X509_NAME_num(sk); i++) {
- name = sk_X509_NAME_value(sk, i);
- j = i2d_X509_NAME(name, NULL);
- if (!BUF_MEM_grow_clean
- (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
+ unsigned char *namebytes;
+ X509_NAME *name = sk_X509_NAME_value(sk, i);
+ int namelen;
+
+ if (name == NULL
+ || (namelen = i2d_X509_NAME(name, NULL)) < 0
+ || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
+ &namebytes)
+ || i2d_X509_NAME(name, &namebytes) != namelen) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
- ERR_R_BUF_LIB);
+ ERR_R_INTERNAL_ERROR);
goto err;
}
- p = ssl_handshake_start(s) + n;
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
}
}
/* else no CA names */
- p = ssl_handshake_start(s) + off;
- s2n(nl, p);
- if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
+ if (!WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
goto err;
}
return 1;
err:
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
}
if (s->psk_server_callback == NULL) {
*al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
- SSL_R_PSK_NO_SERVER_CB);
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
return 0;
}
}
psklen = s->psk_server_callback(s, s->session->psk_identity,
- psk, sizeof(psk));
+ psk, sizeof(psk));
if (psklen > PSK_MAX_PSK_LEN) {
*al = SSL_AD_INTERNAL_ERROR;
#endif
}
-
static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
{
#ifndef OPENSSL_NO_RSA
* fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
*/
- if (RAND_bytes(rand_premaster_secret,
- sizeof(rand_premaster_secret)) <= 0)
+ if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
goto err;
/*
padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
- constant_time_eq_int_8(rsa_decrypt[1], 2);
+ constant_time_eq_int_8(rsa_decrypt[1], 2);
for (j = 2; j < padding_len - 1; j++) {
decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
}
const unsigned char *data;
if (!PACKET_get_net_2(pkt, &i)
- || !PACKET_get_bytes(pkt, &data, i)) {
+ || !PACKET_get_bytes(pkt, &data, i)) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
return 0;
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
return 0;
}
- if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
- || BN_is_zero(s->srp_ctx.A)) {
+ if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
*al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
return 0;
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
goto err;
}
- if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag,
- &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
- || Ttag != V_ASN1_SEQUENCE
- || Tclass != V_ASN1_UNIVERSAL) {
+ if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
+ &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
+ || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
goto err;
/* Identity extracted earlier: should be nothing left */
if (PACKET_remaining(pkt) != 0) {
al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+ SSL_R_LENGTH_MISMATCH);
goto err;
}
/* PSK handled by ssl_generate_master_secret */
goto err;
} else {
al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+ SSL_R_UNKNOWN_CIPHER_TYPE);
goto err;
}
sizeof(DTLS1_SCTP_AUTH_LABEL));
if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ sizeof(sctpauthkey), labelbuffer,
+ sizeof(labelbuffer), NULL, 0,
+ 0) <= 0) {
ossl_statem_set_error(s);
return WORK_ERROR;;
}
}
if ((wst == WORK_MORE_B)
- /* Is this SCTP? */
- && BIO_dgram_is_sctp(SSL_get_wbio(s))
- /* Are we renegotiating? */
- && s->renegotiate
- /* Are we going to skip the CertificateVerify? */
- && (s->session->peer == NULL || s->statem.no_cert_verify)
- && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
+ /* Is this SCTP? */
+ && BIO_dgram_is_sctp(SSL_get_wbio(s))
+ /* Are we renegotiating? */
+ && s->renegotiate
+ /* Are we going to skip the CertificateVerify? */
+ && (s->session->peer == NULL || s->statem.no_cert_verify)
+ && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->s3->in_read_app_data = 2;
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
#endif
if (s->statem.no_cert_verify || !s->session->peer) {
- /* No certificate verify or no peer certificate so we no longer need the
- * handshake_buffer
+ /*
+ * No certificate verify or no peer certificate so we no longer need
+ * the handshake_buffer
*/
if (!ssl3_digest_cached_records(s, 0)) {
ossl_statem_set_error(s);
}
j = EVP_PKEY_size(pkey);
if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
- || (PACKET_remaining(pkt) == 0)) {
+ || (PACKET_remaining(pkt) == 0)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
al = SSL_AD_DECODE_ERROR;
goto f_err;
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
-
#ifndef OPENSSL_NO_GOST
{
int pktype = EVP_PKEY_id(pkey);
}
if (!PACKET_get_net_3(pkt, &llen)
- || !PACKET_get_sub_packet(pkt, &spkt, llen)
- || PACKET_remaining(pkt) != 0) {
+ || !PACKET_get_sub_packet(pkt, &spkt, llen)
+ || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
goto f_err;
while (PACKET_remaining(&spkt) > 0) {
if (!PACKET_get_net_3(&spkt, &l)
- || !PACKET_get_bytes(&spkt, &certbytes, l)) {
+ || !PACKET_get_bytes(&spkt, &certbytes, l)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH);
return ret;
}
-int tls_construct_server_certificate(SSL *s)
+int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
{
CERT_PKEY *cpk;
cpk = ssl_get_server_send_pkey(s);
if (cpk == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
- if (!ssl3_output_cert_chain(s, cpk)) {
+ if (!ssl3_output_cert_chain(s, pkt, cpk)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
return 1;
}
-int tls_construct_new_session_ticket(SSL *s)
+int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
{
unsigned char *senc = NULL;
- EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER_CTX *ctx = NULL;
HMAC_CTX *hctx = NULL;
- unsigned char *p, *macstart;
+ unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
const unsigned char *const_p;
- int len, slen_full, slen;
+ int len, slen_full, slen, lenfinal;
SSL_SESSION *sess;
unsigned int hlen;
SSL_CTX *tctx = s->initial_ctx;
unsigned char iv[EVP_MAX_IV_LENGTH];
unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
int iv_len;
+ size_t macoffset, macendoffset;
/* get session encoding length */
slen_full = i2d_SSL_SESSION(s->session, NULL);
ctx = EVP_CIPHER_CTX_new();
hctx = HMAC_CTX_new();
+ if (ctx == NULL || hctx == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
p = senc;
if (!i2d_SSL_SESSION(s->session, &p))
}
SSL_SESSION_free(sess);
- /*-
- * Grow buffer if need be: the length calculation is as
- * follows handshake_header_length +
- * 4 (ticket lifetime hint) + 2 (ticket length) +
- * sizeof(keyname) + max_iv_len (iv length) +
- * max_enc_block_size (max encrypted session * length) +
- * max_md_size (HMAC) + session_length.
- */
- if (!BUF_MEM_grow(s->init_buf,
- SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) +
- EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
- EVP_MAX_MD_SIZE + slen))
- goto err;
-
- p = ssl_handshake_start(s);
/*
* Initialize HMAC and cipher contexts. If callback present it does
* all the work otherwise use generated values from parent ctx.
hctx, 1);
if (ret == 0) {
- l2n(0, p); /* timeout */
- s2n(0, p); /* length */
- if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s)))
+
+ /* Put timeout and length */
+ if (!WPACKET_put_bytes_u32(pkt, 0)
+ || !WPACKET_put_bytes_u16(pkt, 0)
+ || !ssl_close_construct_packet(s, pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+ ERR_R_INTERNAL_ERROR);
goto err;
+ }
OPENSSL_free(senc);
EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
* for resumed session (for simplicity), and guess that tickets for
* new sessions will live as long as their sessions.
*/
- l2n(s->hit ? 0 : s->session->timeout, p);
-
- /* Skip ticket length for now */
- p += 2;
- /* Output key name */
- macstart = p;
- memcpy(p, key_name, sizeof(key_name));
- p += sizeof(key_name);
- /* output IV */
- memcpy(p, iv, iv_len);
- p += iv_len;
- /* Encrypt session data */
- if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen))
- goto err;
- p += len;
- if (!EVP_EncryptFinal(ctx, p, &len))
- goto err;
- p += len;
-
- if (!HMAC_Update(hctx, macstart, p - macstart))
- goto err;
- if (!HMAC_Final(hctx, p, &hlen))
+ if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout)
+ /* Now the actual ticket data */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_get_total_written(pkt, &macoffset)
+ /* Output key name */
+ || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
+ /* output IV */
+ || !WPACKET_memcpy(pkt, iv, iv_len)
+ || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
+ &encdata1)
+ /* Encrypt session data */
+ || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
+ || !WPACKET_allocate_bytes(pkt, len, &encdata2)
+ || encdata1 != encdata2
+ || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
+ || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
+ || encdata1 + len != encdata2
+ || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
+ || !WPACKET_get_total_written(pkt, &macendoffset)
+ || !HMAC_Update(hctx,
+ (unsigned char *)s->init_buf->data + macoffset,
+ macendoffset - macoffset)
+ || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
+ || !HMAC_Final(hctx, macdata1, &hlen)
+ || hlen > EVP_MAX_MD_SIZE
+ || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
+ || macdata1 != macdata2
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
-
+ }
EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
- ctx = NULL;
- hctx = NULL;
-
- p += hlen;
- /* Now write out lengths: p points to end of data written */
- /* Total length */
- len = p - ssl_handshake_start(s);
- /* Skip ticket lifetime hint */
- p = ssl_handshake_start(s) + 4;
- s2n(len - 6, p);
- if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
- goto err;
OPENSSL_free(senc);
return 1;
OPENSSL_free(senc);
EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
-int tls_construct_cert_status(SSL *s)
+int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
- unsigned char *p;
- /*-
- * Grow buffer if need be: the length calculation is as
- * follows 1 (message type) + 3 (message length) +
- * 1 (ocsp response type) + 3 (ocsp response length)
- * + (ocsp response)
- */
- if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
- ossl_statem_set_error(s);
+ if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
+ || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
+ s->tlsext_ocsp_resplen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
- p = (unsigned char *)s->init_buf->data;
-
- /* do the header */
- *(p++) = SSL3_MT_CERTIFICATE_STATUS;
- /* message length */
- l2n3(s->tlsext_ocsp_resplen + 4, p);
- /* status type */
- *(p++) = s->tlsext_status_type;
- /* length of OCSP response */
- l2n3(s->tlsext_ocsp_resplen, p);
- /* actual response */
- memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
- /* number of bytes to write */
- s->init_num = 8 + s->tlsext_ocsp_resplen;
- s->init_off = 0;
-
return 1;
}
goto err;
}
- if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
- &next_proto_len)) {
+ if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) {
s->next_proto_negotiated_len = 0;
goto err;
}
s->next_proto_negotiated_len = (unsigned char)next_proto_len;
return MSG_PROCESS_CONTINUE_READING;
-err:
+ err:
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
}
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **skp,
- int sslv2format, int *al
- )
+ int sslv2format, int *al)
{
const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
* first byte. We don't support any true SSLv2 ciphers, so skip them.
*/
if (sslv2format && cipher[0] != '\0')
- continue;
+ continue;
/* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&