X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=46bd5c7be02fd78766b6de151c3fea856b193660;hp=bf50e79e83a85493bb4fe6d55d51773f4be72ff8;hb=5923ad4bbe5d13c2fcc11f7849594db838ea57bd;hpb=25849a8f8bb64956f35a8a2a160ae0de1d2990c6 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index bf50e79e83..46bd5c7be0 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -619,55 +619,94 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) * 1: Success * 0: Error */ -int ossl_statem_server_construct_message(SSL *s) +int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt) { OSSL_STATEM *st = &s->statem; + int (*confunc) (SSL *s, WPACKET *pkt) = NULL; + int ret = 1, mt; - switch (st->hand_state) { - default: - /* Shouldn't happen */ - return 0; + if (st->hand_state == TLS_ST_SW_CHANGE) { + /* Special case becase it is a different content type */ + if (SSL_IS_DTLS(s)) + return dtls_construct_change_cipher_spec(s, pkt); - case DTLS_ST_SW_HELLO_VERIFY_REQUEST: - return dtls_construct_hello_verify_request(s); + return tls_construct_change_cipher_spec(s, pkt); + } else if (st->hand_state == DTLS_ST_SW_HELLO_VERIFY_REQUEST) { + /* Special case because we don't call ssl_close_construct_packet() */ + return dtls_construct_hello_verify_request(s, pkt); + } else { + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return 0; - case TLS_ST_SW_HELLO_REQ: - return tls_construct_hello_request(s); + case TLS_ST_SW_HELLO_REQ: + /* No construction function needed */ + mt = SSL3_MT_HELLO_REQUEST; + break; - case TLS_ST_SW_SRVR_HELLO: - return tls_construct_server_hello(s); + case TLS_ST_SW_SRVR_HELLO: + confunc = tls_construct_server_hello; + mt = SSL3_MT_SERVER_HELLO; + break; - case TLS_ST_SW_CERT: - return tls_construct_server_certificate(s); + case TLS_ST_SW_CERT: + confunc = tls_construct_server_certificate; + mt = SSL3_MT_CERTIFICATE; + break; - case TLS_ST_SW_KEY_EXCH: - return tls_construct_server_key_exchange(s); + case TLS_ST_SW_KEY_EXCH: + confunc = tls_construct_server_key_exchange; + mt = SSL3_MT_SERVER_KEY_EXCHANGE; + break; - case TLS_ST_SW_CERT_REQ: - return tls_construct_certificate_request(s); + case TLS_ST_SW_CERT_REQ: + confunc = tls_construct_certificate_request; + mt = SSL3_MT_CERTIFICATE_REQUEST; + break; - case TLS_ST_SW_SRVR_DONE: - return tls_construct_server_done(s); + case TLS_ST_SW_SRVR_DONE: + confunc = tls_construct_server_done; + mt = SSL3_MT_SERVER_DONE; + break; - case TLS_ST_SW_SESSION_TICKET: - return tls_construct_new_session_ticket(s); + case TLS_ST_SW_SESSION_TICKET: + confunc = tls_construct_new_session_ticket; + mt = SSL3_MT_NEWSESSION_TICKET; + break; - case TLS_ST_SW_CERT_STATUS: - return tls_construct_cert_status(s); + case TLS_ST_SW_CERT_STATUS: + confunc = tls_construct_cert_status; + mt = SSL3_MT_CERTIFICATE_STATUS; + break; - case TLS_ST_SW_CHANGE: - if (SSL_IS_DTLS(s)) - return dtls_construct_change_cipher_spec(s); - else - return tls_construct_change_cipher_spec(s); + case TLS_ST_SW_FINISHED: + mt = SSL3_MT_FINISHED; + break; + } - case TLS_ST_SW_FINISHED: - return tls_construct_finished(s, - s->method-> - ssl3_enc->server_finished_label, - s->method-> - ssl3_enc->server_finished_label_len); + if (!ssl_set_handshake_header(s, pkt, mt)) { + SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, + ERR_R_INTERNAL_ERROR); + return 0; + } + + if (st->hand_state == TLS_ST_SW_FINISHED) + ret = tls_construct_finished(s, pkt, + s->method-> + ssl3_enc->server_finished_label, + s->method-> + ssl3_enc->server_finished_label_len); + else if (confunc != NULL) + ret = confunc(s, pkt); + + if (!ret || !ssl_close_construct_packet(s, pkt)) { + SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE, + ERR_R_INTERNAL_ERROR); + return 0; + } } + return 1; } /* @@ -829,22 +868,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) } #endif -int tls_construct_hello_request(SSL *s) -{ - WPACKET pkt; - - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, SSL3_MT_HELLO_REQUEST) - || !ssl_close_construct_packet(s, &pkt)) { - SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - WPACKET_cleanup(&pkt); - return 0; - } - - return 1; -} - int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, unsigned char cookie_len) { @@ -856,10 +879,9 @@ int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, return 1; } -int dtls_construct_hello_verify_request(SSL *s) +int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) { size_t msglen; - WPACKET pkt; if (s->ctx->app_gen_cookie_cb == NULL || s->ctx->app_gen_cookie_cb(s, s->d1->cookie, @@ -867,25 +889,21 @@ int dtls_construct_hello_verify_request(SSL *s) s->d1->cookie_len > 255) { SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); - ossl_statem_set_error(s); return 0; } - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, - DTLS1_MT_HELLO_VERIFY_REQUEST) - || !dtls_raw_hello_verify_request(&pkt, s->d1->cookie, + if (!ssl_set_handshake_header(s, pkt, + DTLS1_MT_HELLO_VERIFY_REQUEST) + || !dtls_raw_hello_verify_request(pkt, s->d1->cookie, s->d1->cookie_len) /* * We don't call close_construct_packet() because we don't want * to buffer this message */ - || !WPACKET_close(&pkt) - || !WPACKET_get_length(&pkt, &msglen) - || !WPACKET_finish(&pkt)) { + || !WPACKET_close(pkt) + || !WPACKET_get_length(pkt, &msglen) + || !WPACKET_finish(pkt)) { SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); - WPACKET_cleanup(&pkt); - ossl_statem_set_error(s); return 0; } @@ -1497,20 +1515,17 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) return WORK_ERROR; } -int tls_construct_server_hello(SSL *s) +int tls_construct_server_hello(SSL *s, WPACKET *pkt) { int sl, compm, al = SSL_AD_INTERNAL_ERROR; size_t len; - WPACKET pkt; - if (!WPACKET_init(&pkt, s->init_buf) - || !ssl_set_handshake_header2(s, &pkt, SSL3_MT_SERVER_HELLO) - || !WPACKET_put_bytes_u16(&pkt, s->version) + if (!WPACKET_put_bytes_u16(pkt, s->version) /* * Random stuff. Filling of the server_random takes place in * tls_process_client_hello() */ - || !WPACKET_memcpy(&pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } @@ -1552,46 +1567,36 @@ int tls_construct_server_hello(SSL *s) compm = s->s3->tmp.new_compression->id; #endif - if (!WPACKET_sub_memcpy_u8(&pkt, s->session->session_id, sl) - || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &pkt, &len) - || !WPACKET_put_bytes_u8(&pkt, compm) + if (!WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl) + || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len) + || !WPACKET_put_bytes_u8(pkt, compm) || !ssl_prepare_serverhello_tlsext(s) - || !ssl_add_serverhello_tlsext(s, &pkt, &al) - || !ssl_close_construct_packet(s, &pkt)) { + || !ssl_add_serverhello_tlsext(s, pkt, &al)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); goto err; } return 1; err: - WPACKET_cleanup(&pkt); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); - ossl_statem_set_error(s); return 0; } -int tls_construct_server_done(SSL *s) +int tls_construct_server_done(SSL *s, WPACKET *pkt) { - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; - } - if (!s->s3->tmp.cert_request) { if (!ssl3_digest_cached_records(s, 0)) { - ossl_statem_set_error(s); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; } } - return 1; } -int tls_construct_server_key_exchange(SSL *s) +int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) { #ifndef OPENSSL_NO_DH EVP_PKEY *pkdh = NULL; - int j; #endif #ifndef OPENSSL_NO_EC unsigned char *encodedPoint = NULL; @@ -1600,36 +1605,26 @@ int tls_construct_server_key_exchange(SSL *s) #endif EVP_PKEY *pkey; const EVP_MD *md = NULL; - unsigned char *p, *d; - int al, i; + int al = SSL_AD_INTERNAL_ERROR, i; unsigned long type; - int n; const BIGNUM *r[4]; - int nr[4], kn; - BUF_MEM *buf; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); + size_t paramlen, paramoffset; + + if (!WPACKET_get_total_written(pkt, ¶moffset)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } if (md_ctx == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; goto f_err; } type = s->s3->tmp.new_cipher->algorithm_mkey; - buf = s->init_buf; - r[0] = r[1] = r[2] = r[3] = NULL; - n = 0; #ifndef OPENSSL_NO_PSK - if (type & SSL_PSK) { - /* - * reserve size for record length and PSK identity hint - */ - n += 2; - if (s->cert->psk_identity_hint) - n += strlen(s->cert->psk_identity_hint); - } /* Plain PSK or RSAPSK nothing to do */ if (type & (SSL_kPSK | SSL_kRSAPSK)) { } else @@ -1646,7 +1641,6 @@ int tls_construct_server_key_exchange(SSL *s) pkdh = EVP_PKEY_new(); if (pkdh == NULL || dhp == NULL) { DH_free(dhp); - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; @@ -1660,7 +1654,6 @@ int tls_construct_server_key_exchange(SSL *s) DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); pkdh = ssl_dh_to_pkey(dhp); if (pkdh == NULL) { - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; @@ -1723,7 +1716,6 @@ int tls_construct_server_key_exchange(SSL *s) s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id); /* Generate a new key for this curve */ if (s->s3->tmp.pkey == NULL) { - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); goto f_err; } @@ -1736,13 +1728,6 @@ int tls_construct_server_key_exchange(SSL *s) goto err; } - /* - * We only support named (not generic) curves in ECDH ephemeral key - * exchanges. In this situation, we need four additional bytes to - * encode the entire ServerECDHParams structure. - */ - n += 4 + encodedlen; - /* * We'll generate the serverKeyExchange message explicitly so we * can set these to NULLs @@ -1774,25 +1759,6 @@ int tls_construct_server_key_exchange(SSL *s) SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); goto f_err; } - for (i = 0; i < 4 && r[i] != NULL; i++) { - nr[i] = BN_num_bytes(r[i]); -#ifndef OPENSSL_NO_SRP - if ((i == 2) && (type & SSL_kSRP)) - n += 1 + nr[i]; - else -#endif -#ifndef OPENSSL_NO_DH - /*- - * for interoperability with some versions of the Microsoft TLS - * stack, we need to zero pad the DHE pub key to the same length - * as the prime, so use the length of the prime here - */ - if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) - n += 2 + nr[0]; - else -#endif - n += 2 + nr[i]; - } if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) { @@ -1801,53 +1767,46 @@ int tls_construct_server_key_exchange(SSL *s) al = SSL_AD_DECODE_ERROR; goto f_err; } - kn = EVP_PKEY_size(pkey); - /* Allow space for signature algorithm */ - if (SSL_USE_SIGALGS(s)) - kn += 2; - /* Allow space for signature length */ - kn += 2; } else { pkey = NULL; - kn = 0; - } - - if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF); - goto err; } - d = p = ssl_handshake_start(s); #ifndef OPENSSL_NO_PSK if (type & SSL_PSK) { - /* copy PSK identity hint */ - if (s->cert->psk_identity_hint) { - size_t len = strlen(s->cert->psk_identity_hint); - if (len > PSK_MAX_IDENTITY_LEN) { - /* - * Should not happen - we already checked this when we set - * the identity hint - */ - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - s2n(len, p); - memcpy(p, s->cert->psk_identity_hint, len); - p += len; - } else { - s2n(0, p); + size_t len = (s->cert->psk_identity_hint == NULL) + ? 0 : strlen(s->cert->psk_identity_hint); + + /* + * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already + * checked this when we set the identity hint - but just in case + */ + if (len > PSK_MAX_IDENTITY_LEN + || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, + len)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; } } #endif for (i = 0; i < 4 && r[i] != NULL; i++) { + unsigned char *binval; + int res; + #ifndef OPENSSL_NO_SRP if ((i == 2) && (type & SSL_kSRP)) { - *p = nr[i]; - p++; + res = WPACKET_start_sub_packet_u8(pkt); } else #endif + res = WPACKET_start_sub_packet_u16(pkt); + + if (!res) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + #ifndef OPENSSL_NO_DH /*- * for interoperability with some versions of the Microsoft TLS @@ -1855,38 +1814,46 @@ int tls_construct_server_key_exchange(SSL *s) * as the prime */ if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) { - s2n(nr[0], p); - for (j = 0; j < (nr[0] - nr[2]); ++j) { - *p = 0; - ++p; + size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]); + + if (len > 0) { + if (!WPACKET_allocate_bytes(pkt, len, &binval)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + memset(binval, 0, len); } - } else + } #endif - s2n(nr[i], p); - BN_bn2bin(r[i], p); - p += nr[i]; + if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval) + || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + + BN_bn2bin(r[i], binval); } #ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { /* - * XXX: For now, we only support named (not generic) curves. In - * this situation, the serverKeyExchange message has: [1 byte - * CurveType], [2 byte CurveName] [1 byte length of encoded - * point], followed by the actual encoded point itself + * We only support named (not generic) curves. In this situation, the + * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName] + * [1 byte length of encoded point], followed by the actual encoded + * point itself */ - *p = NAMED_CURVE_TYPE; - p += 1; - *p = 0; - p += 1; - *p = curve_id; - p += 1; - *p = encodedlen; - p += 1; - memcpy(p, encodedPoint, encodedlen); + if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE) + || !WPACKET_put_bytes_u8(pkt, 0) + || !WPACKET_put_bytes_u8(pkt, curve_id) + || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } OPENSSL_free(encodedPoint); encodedPoint = NULL; - p += encodedlen; } #endif @@ -1897,36 +1864,49 @@ int tls_construct_server_key_exchange(SSL *s) * points to the space at the end. */ if (md) { + unsigned char *sigbytes1, *sigbytes2; + unsigned int siglen; + + /* Get length of the parameters we have written above */ + if (!WPACKET_get_length(pkt, ¶mlen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } /* send signature algorithm */ if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash_old(p, pkey, md)) { + if (!tls12_get_sigandhash(pkt, pkey, md)) { /* Should never happen */ - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; } - p += 2; } #ifdef SSL_DEBUG fprintf(stderr, "Using hash %s\n", EVP_MD_name(md)); #endif - if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), - SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, d, n) <= 0 - || EVP_SignFinal(md_ctx, &(p[2]), - (unsigned int *)&i, pkey) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP); - al = SSL_AD_INTERNAL_ERROR; + /* + * Create the signature. We don't know the actual length of the sig + * until after we've created it, so we reserve enough bytes for it + * up front, and then properly allocate them in the WPACKET + * afterwards. + */ + if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey), + &sigbytes1) + || EVP_SignInit_ex(md_ctx, md, NULL) <= 0 + || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]), + SSL3_RANDOM_SIZE) <= 0 + || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), + SSL3_RANDOM_SIZE) <= 0 + || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset, + paramlen) <= 0 + || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0 + || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) + || sigbytes1 != sigbytes2) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto f_err; } - s2n(i, p); - n += i + 2; - if (SSL_USE_SIGALGS(s)) - n += 2; } else { /* Is this error check actually needed? */ al = SSL_AD_HANDSHAKE_FAILURE; @@ -1936,12 +1916,6 @@ int tls_construct_server_key_exchange(SSL *s) } } - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); - goto f_err; - } - EVP_MD_CTX_free(md_ctx); return 1; f_err: @@ -1954,68 +1928,61 @@ int tls_construct_server_key_exchange(SSL *s) OPENSSL_free(encodedPoint); #endif EVP_MD_CTX_free(md_ctx); - ossl_statem_set_error(s); return 0; } -int tls_construct_certificate_request(SSL *s) +int tls_construct_certificate_request(SSL *s, WPACKET *pkt) { - unsigned char *p, *d; - int i, j, nl, off, n; + int i, nl; STACK_OF(X509_NAME) *sk = NULL; - X509_NAME *name; - BUF_MEM *buf; - - buf = s->init_buf; - - d = p = ssl_handshake_start(s); /* get the list of acceptable cert types */ - p++; - n = ssl3_get_req_cert_type(s, p); - d[0] = n; - p += n; - n++; + if (!WPACKET_start_sub_packet_u8(pkt) + || !ssl3_get_req_cert_type(s, pkt) + || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } if (SSL_USE_SIGALGS(s)) { const unsigned char *psigs; - unsigned char *etmp = p; nl = tls12_get_psigalgs(s, &psigs); - /* Skip over length for now */ - p += 2; - nl = tls12_copy_sigalgs_old(s, p, psigs, nl); - /* Now fill in length */ - s2n(nl, etmp); - p += nl; - n += nl + 2; + if (!WPACKET_start_sub_packet_u16(pkt) + || !tls12_copy_sigalgs(s, pkt, psigs, nl) + || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + goto err; + } } - off = n; - p += 2; - n += 2; + /* Start sub-packet for client CA list */ + if (!WPACKET_start_sub_packet_u16(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } sk = SSL_get_client_CA_list(s); - nl = 0; if (sk != NULL) { for (i = 0; i < sk_X509_NAME_num(sk); i++) { - name = sk_X509_NAME_value(sk, i); - j = i2d_X509_NAME(name, NULL); - if (!BUF_MEM_grow_clean(buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) { - SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_BUF_LIB); + unsigned char *namebytes; + X509_NAME *name = sk_X509_NAME_value(sk, i); + int namelen; + + if (name == NULL + || (namelen = i2d_X509_NAME(name, NULL)) < 0 + || !WPACKET_sub_allocate_bytes_u16(pkt, namelen, + &namebytes) + || i2d_X509_NAME(name, &namebytes) != namelen) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); goto err; } - p = ssl_handshake_start(s) + n; - s2n(j, p); - i2d_X509_NAME(name, &p); - n += 2 + j; - nl += 2 + j; } } /* else no CA names */ - p = ssl_handshake_start(s) + off; - s2n(nl, p); - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) { + if (!WPACKET_close(pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } @@ -2024,7 +1991,7 @@ int tls_construct_certificate_request(SSL *s) return 1; err: - ossl_statem_set_error(s); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return 0; } @@ -2940,40 +2907,39 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) return ret; } -int tls_construct_server_certificate(SSL *s) +int tls_construct_server_certificate(SSL *s, WPACKET *pkt) { CERT_PKEY *cpk; cpk = ssl_get_server_send_pkey(s); if (cpk == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); return 0; } - if (!ssl3_output_cert_chain(s, cpk)) { + if (!ssl3_output_cert_chain(s, pkt, cpk)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); return 0; } return 1; } -int tls_construct_new_session_ticket(SSL *s) +int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) { unsigned char *senc = NULL; - EVP_CIPHER_CTX *ctx; + EVP_CIPHER_CTX *ctx = NULL; HMAC_CTX *hctx = NULL; - unsigned char *p, *macstart; + unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2; const unsigned char *const_p; - int len, slen_full, slen; + int len, slen_full, slen, lenfinal; SSL_SESSION *sess; unsigned int hlen; SSL_CTX *tctx = s->initial_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; int iv_len; + size_t macoffset, macendoffset; /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -2993,6 +2959,10 @@ int tls_construct_new_session_ticket(SSL *s) ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); + if (ctx == NULL || hctx == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + goto err; + } p = senc; if (!i2d_SSL_SESSION(s->session, &p)) @@ -3019,21 +2989,6 @@ int tls_construct_new_session_ticket(SSL *s) } SSL_SESSION_free(sess); - /*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 4 (ticket lifetime hint) + 2 (ticket length) + - * sizeof(keyname) + max_iv_len (iv length) + - * max_enc_block_size (max encrypted session * length) + - * max_md_size (HMAC) + session_length. - */ - if (!BUF_MEM_grow(s->init_buf, - SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) + - EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + - EVP_MAX_MD_SIZE + slen)) - goto err; - - p = ssl_handshake_start(s); /* * Initialize HMAC and cipher contexts. If callback present it does * all the work otherwise use generated values from parent ctx. @@ -3044,11 +2999,15 @@ int tls_construct_new_session_ticket(SSL *s) hctx, 1); if (ret == 0) { - l2n(0, p); /* timeout */ - s2n(0, p); /* length */ - if (!ssl_set_handshake_header - (s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s))) + + /* Put timeout and length */ + if (!WPACKET_put_bytes_u32(pkt, 0) + || !WPACKET_put_bytes_u16(pkt, 0) + || !ssl_close_construct_packet(s, pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; + } OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); @@ -3079,44 +3038,39 @@ int tls_construct_new_session_ticket(SSL *s) * for resumed session (for simplicity), and guess that tickets for * new sessions will live as long as their sessions. */ - l2n(s->hit ? 0 : s->session->timeout, p); - - /* Skip ticket length for now */ - p += 2; - /* Output key name */ - macstart = p; - memcpy(p, key_name, sizeof(key_name)); - p += sizeof(key_name); - /* output IV */ - memcpy(p, iv, iv_len); - p += iv_len; - /* Encrypt session data */ - if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen)) + if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout) + /* Now the actual ticket data */ + || !WPACKET_start_sub_packet_u16(pkt) + || !WPACKET_get_total_written(pkt, &macoffset) + /* Output key name */ + || !WPACKET_memcpy(pkt, key_name, sizeof(key_name)) + /* output IV */ + || !WPACKET_memcpy(pkt, iv, iv_len) + || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH, + &encdata1) + /* Encrypt session data */ + || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen) + || !WPACKET_allocate_bytes(pkt, len, &encdata2) + || encdata1 != encdata2 + || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal) + || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2) + || encdata1 + len != encdata2 + || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH + || !WPACKET_get_total_written(pkt, &macendoffset) + || !HMAC_Update(hctx, + (unsigned char *)s->init_buf->data + macoffset, + macendoffset - macoffset) + || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1) + || !HMAC_Final(hctx, macdata1, &hlen) + || hlen > EVP_MAX_MD_SIZE + || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) + || macdata1 != macdata2 + || !WPACKET_close(pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; - p += len; - if (!EVP_EncryptFinal(ctx, p, &len)) - goto err; - p += len; - - if (!HMAC_Update(hctx, macstart, p - macstart)) - goto err; - if (!HMAC_Final(hctx, p, &hlen)) - goto err; - + } EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - ctx = NULL; - hctx = NULL; - - p += hlen; - /* Now write out lengths: p points to end of data written */ - /* Total length */ - len = p - ssl_handshake_start(s); - /* Skip ticket lifetime hint */ - p = ssl_handshake_start(s) + 4; - s2n(len - 6, p); - if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) - goto err; OPENSSL_free(senc); return 1; @@ -3124,42 +3078,21 @@ int tls_construct_new_session_ticket(SSL *s) OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - ossl_statem_set_error(s); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); return 0; } -int tls_construct_cert_status(SSL *s) +int tls_construct_cert_status(SSL *s, WPACKET *pkt) { - unsigned char *p; - size_t msglen; - - /*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 1 (ocsp response type) + 3 (ocsp response length) - * + (ocsp response) - */ - msglen = 4 + s->tlsext_ocsp_resplen; - if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen)) - goto err; - - p = ssl_handshake_start(s); - - /* status type */ - *(p++) = s->tlsext_status_type; - /* length of OCSP response */ - l2n3(s->tlsext_ocsp_resplen, p); - /* actual response */ - memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); - - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_STATUS, msglen)) - goto err; + if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type) + || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp, + s->tlsext_ocsp_resplen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return 0; + } return 1; - - err: - ossl_statem_set_error(s); - return 0; } #ifndef OPENSSL_NO_NEXTPROTONEG