Don't set the handshake header in every message

author Matt Caswell <matt@openssl.org>

Thu, 29 Sep 2016 23:27:40 +0000 (00:27 +0100)

committer Matt Caswell <matt@openssl.org>

Mon, 3 Oct 2016 15:25:48 +0000 (16:25 +0100)
author Matt Caswell <matt@openssl.org>
Thu, 29 Sep 2016 23:27:40 +0000 (00:27 +0100)
committer Matt Caswell <matt@openssl.org>
Mon, 3 Oct 2016 15:25:48 +0000 (16:25 +0100)
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h

index 517716f345194a81ab8ff6c1c682ed28b4155194..e0d82f23bdaf318d5de3cf27d6062e4184730b84 100644 (file)
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2078,7 +2078,9 @@ int ERR_load_SSL_strings(void);
  # define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE               370
  # define SSL_F_DTLS_PROCESS_HELLO_VERIFY                  386
  # define SSL_F_OPENSSL_INIT_SSL                           342
  # define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE               370
  # define SSL_F_DTLS_PROCESS_HELLO_VERIFY                  386
  # define SSL_F_OPENSSL_INIT_SSL                           342
+# define SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE       430
  # define SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION         417
  # define SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION         417
+# define SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE       431
  # define SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION         418
  # define SSL_F_READ_STATE_MACHINE                         352
  # define SSL_F_SSL3_CHANGE_CIPHER_STATE                   129
  # define SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION         418
  # define SSL_F_READ_STATE_MACHINE                         352
  # define SSL_F_SSL3_CHANGE_CIPHER_STATE                   129
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c

index 9539e674e1c4d255cb402fc49dcadcb12da27779..c1a886ac4cae80ec9fa44c265344f8885d95da86 100644 (file)
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -49,8 +49,12 @@ static ERR_STRING_DATA SSL_str_functs[] = {
       "dtls_get_reassembled_message"},
      {ERR_FUNC(SSL_F_DTLS_PROCESS_HELLO_VERIFY), "dtls_process_hello_verify"},
      {ERR_FUNC(SSL_F_OPENSSL_INIT_SSL), "OPENSSL_init_ssl"},
       "dtls_get_reassembled_message"},
      {ERR_FUNC(SSL_F_DTLS_PROCESS_HELLO_VERIFY), "dtls_process_hello_verify"},
      {ERR_FUNC(SSL_F_OPENSSL_INIT_SSL), "OPENSSL_init_ssl"},
+    {ERR_FUNC(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE),
+     "ossl_statem_client_construct_message"},
      {ERR_FUNC(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION),
       "ossl_statem_client_read_transition"},
      {ERR_FUNC(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION),
       "ossl_statem_client_read_transition"},
+    {ERR_FUNC(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE),
+     "ossl_statem_server_construct_message"},
      {ERR_FUNC(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION),
       "ossl_statem_server_read_transition"},
      {ERR_FUNC(SSL_F_READ_STATE_MACHINE), "read_state_machine"},
      {ERR_FUNC(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION),
       "ossl_statem_server_read_transition"},
      {ERR_FUNC(SSL_F_READ_STATE_MACHINE), "read_state_machine"},
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c

index 5614d5afcb5d6755db7e34a21b7b29f394bce55e..18eaf3257fe228f9560a78a85c3e983159ec68e4 100644 (file)
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -513,41 +513,74 @@ WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
  int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt)
  {
      OSSL_STATEM *st = &s->statem;
  int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt)
  {
      OSSL_STATEM *st = &s->statem;
+    int (*confunc) (SSL *s, WPACKET *pkt) = NULL;
+    int ret = 1, mt;
  
  
-    switch (st->hand_state) {
-    default:
-        /* Shouldn't happen */
-        return 0;
+    if (st->hand_state == TLS_ST_CW_CHANGE) {
+        /* Special case becase it is a different content type */
+        if (SSL_IS_DTLS(s))
+            return dtls_construct_change_cipher_spec(s, pkt);
  
  
-    case TLS_ST_CW_CLNT_HELLO:
-        return tls_construct_client_hello(s, pkt);
+        return tls_construct_change_cipher_spec(s, pkt);
+    } else {
+        switch (st->hand_state) {
+        default:
+            /* Shouldn't happen */
+            return 0;
  
  
-    case TLS_ST_CW_CERT:
-        return tls_construct_client_certificate(s, pkt);
+        case TLS_ST_CW_CLNT_HELLO:
+            confunc = tls_construct_client_hello;
+            mt = SSL3_MT_CLIENT_HELLO;
+            break;
  
  
-    case TLS_ST_CW_KEY_EXCH:
-        return tls_construct_client_key_exchange(s, pkt);
+        case TLS_ST_CW_CERT:
+            confunc = tls_construct_client_certificate;
+            mt = SSL3_MT_CERTIFICATE;
+            break;
  
  
-    case TLS_ST_CW_CERT_VRFY:
-        return tls_construct_client_verify(s, pkt);
+        case TLS_ST_CW_KEY_EXCH:
+            confunc = tls_construct_client_key_exchange;
+            mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
+            break;
  
  
-    case TLS_ST_CW_CHANGE:
-        if (SSL_IS_DTLS(s))
-            return dtls_construct_change_cipher_spec(s, pkt);
-        else
-            return tls_construct_change_cipher_spec(s, pkt);
+        case TLS_ST_CW_CERT_VRFY:
+            confunc = tls_construct_client_verify;
+            mt = SSL3_MT_CERTIFICATE_VERIFY;
+            break;
  
  #if !defined(OPENSSL_NO_NEXTPROTONEG)
  
  #if !defined(OPENSSL_NO_NEXTPROTONEG)
-    case TLS_ST_CW_NEXT_PROTO:
-        return tls_construct_next_proto(s, pkt);
+        case TLS_ST_CW_NEXT_PROTO:
+            confunc = tls_construct_next_proto;
+            mt = SSL3_MT_NEXT_PROTO;
+            break;
  #endif
  #endif
-    case TLS_ST_CW_FINISHED:
-        return tls_construct_finished(s, pkt,
-                                      s->method->
-                                      ssl3_enc->client_finished_label,
-                                      s->method->
-                                      ssl3_enc->client_finished_label_len);
+        case TLS_ST_CW_FINISHED:
+            mt = SSL3_MT_FINISHED;
+            break;
+        }
+
+        if (!ssl_set_handshake_header(s, pkt, mt)) {
+            SSLerr(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE,
+                   ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+
+        if (st->hand_state == TLS_ST_CW_FINISHED)
+            ret = tls_construct_finished(s, pkt,
+                                         s->method->
+                                         ssl3_enc->client_finished_label,
+                                         s->method->
+                                         ssl3_enc->client_finished_label_len);
+        else
+            ret = confunc(s, pkt);
+
+        if (!ret || !ssl_close_construct_packet(s, pkt)) {
+            SSLerr(SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE,
+                   ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
      }
      }
+    return 1;
  }
  
  /*
  }
  
  /*
@@ -736,12 +769,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
      if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
          return 0;
  
      if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
          return 0;
  
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CLIENT_HELLO)) {
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-        return 0;
-    }
-
      /*-
       * version indicates the negotiated version: for example from
       * an SSLv2/v3 compatible client hello). The client_version
      /*-
       * version indicates the negotiated version: for example from
       * an SSLv2/v3 compatible client hello). The client_version
@@ -855,11 +882,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
          return 0;
      }
  
          return 0;
      }
  
-    if (!ssl_close_construct_packet(s, pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
-        return 0;
-    }
-
      return 1;
  }
  
      return 1;
  }
  
@@ -2455,12 +2477,6 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
      unsigned long alg_k;
      int al = -1;
  
      unsigned long alg_k;
      int al = -1;
  
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CLIENT_KEY_EXCHANGE)) {
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  
      if ((alg_k & SSL_PSK)
      alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
  
      if ((alg_k & SSL_PSK)
@@ -2488,12 +2504,6 @@ int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
          goto err;
      }
  
          goto err;
      }
  
-    if (!ssl_close_construct_packet(s, pkt)) {
-        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      return 1;
   err:
      if (al != -1)
      return 1;
   err:
      if (al != -1)
@@ -2582,11 +2592,6 @@ int tls_construct_client_verify(SSL *s, WPACKET *pkt)
      void *hdata;
      unsigned char *sig = NULL;
  
      void *hdata;
      unsigned char *sig = NULL;
  
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CERTIFICATE_VERIFY)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      mctx = EVP_MD_CTX_new();
      if (mctx == NULL) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
      mctx = EVP_MD_CTX_new();
      if (mctx == NULL) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_MALLOC_FAILURE);
@@ -2640,11 +2645,6 @@ int tls_construct_client_verify(SSL *s, WPACKET *pkt)
      if (!ssl3_digest_cached_records(s, 0))
          goto err;
  
      if (!ssl3_digest_cached_records(s, 0))
          goto err;
  
-    if (!ssl_close_construct_packet(s, pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      OPENSSL_free(sig);
      EVP_MD_CTX_free(mctx);
      return 1;
      OPENSSL_free(sig);
      EVP_MD_CTX_free(mctx);
      return 1;
@@ -2846,11 +2846,6 @@ int tls_construct_next_proto(SSL *s, WPACKET *pkt)
      size_t len, padding_len;
      unsigned char *padding = NULL;
  
      size_t len, padding_len;
      unsigned char *padding = NULL;
  
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_NEXT_PROTO)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      len = s->next_proto_negotiated_len;
      padding_len = 32 - ((len + 2) % 32);
  
      len = s->next_proto_negotiated_len;
      padding_len = 32 - ((len + 2) % 32);
  
@@ -2862,11 +2857,6 @@ int tls_construct_next_proto(SSL *s, WPACKET *pkt)
  
      memset(padding, 0, padding_len);
  
  
      memset(padding, 0, padding_len);
  
-    if (!ssl_close_construct_packet(s, pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      return 1;
   err:
      ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
      return 1;
   err:
      ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c

index a6b1f6beb9bbb22442a2fbf8ecbc113df4fd27c3..cac18cc550b47056b25581d532cad55ae7c36d26 100644 (file)
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -75,11 +75,6 @@ int tls_construct_finished(SSL *s, WPACKET *pkt, const char *sender, int slen)
  {
      int i;
  
  {
      int i;
  
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_FINISHED)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      i = s->method->ssl3_enc->final_finish_mac(s,
                                                sender, slen,
                                                s->s3->tmp.finish_md);
      i = s->method->ssl3_enc->final_finish_mac(s,
                                                sender, slen,
                                                s->s3->tmp.finish_md);
@@ -108,11 +103,6 @@ int tls_construct_finished(SSL *s, WPACKET *pkt, const char *sender, int slen)
          s->s3->previous_server_finished_len = i;
      }
  
          s->s3->previous_server_finished_len = i;
      }
  
-    if (!ssl_close_construct_packet(s, pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      return 1;
   err:
      ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
      return 1;
   err:
      ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
@@ -278,11 +268,9 @@ int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
  
  unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
  {
  
  unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
  {
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CERTIFICATE)
-            || !WPACKET_start_sub_packet_u24(pkt)
+    if (!WPACKET_start_sub_packet_u24(pkt)
              || !ssl_add_cert_chain(s, pkt, cpk)
              || !ssl_add_cert_chain(s, pkt, cpk)
-            || !WPACKET_close(pkt)
-            || !ssl_close_construct_packet(s, pkt)) {
+            || !WPACKET_close(pkt)) {
          SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR);
          return 0;
      }
          SSLerr(SSL_F_SSL3_OUTPUT_CERT_CHAIN, ERR_R_INTERNAL_ERROR);
          return 0;
      }
diff --git a/ssl/statem/statem_locl.h b/ssl/statem/statem_locl.h

index 8d6dd2a0428bdf3596ba18c87024c018e9b13476..f67361c06fdc17a4b2a009a949520b954c80ed36 100644 (file)
--- a/ssl/statem/statem_locl.h
+++ b/ssl/statem/statem_locl.h
@@ -109,7 +109,6 @@ __owur MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt);
  __owur MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt);
  __owur WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst);
  __owur int tls_construct_server_hello(SSL *s, WPACKET *pkt);
  __owur MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt);
  __owur WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst);
  __owur int tls_construct_server_hello(SSL *s, WPACKET *pkt);
-__owur int tls_construct_hello_request(SSL *s, WPACKET *pkt);
  __owur int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt);
  __owur int tls_construct_server_certificate(SSL *s, WPACKET *pkt);
  __owur int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt);
  __owur int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt);
  __owur int tls_construct_server_certificate(SSL *s, WPACKET *pkt);
  __owur int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt);
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index 17dc9cbf5d279c6ec6e84ce1533cbbf20b1151c9..46bd5c7be02fd78766b6de151c3fea856b193660 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -622,52 +622,91 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
  int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt)
  {
      OSSL_STATEM *st = &s->statem;
  int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt)
  {
      OSSL_STATEM *st = &s->statem;
+    int (*confunc) (SSL *s, WPACKET *pkt) = NULL;
+    int ret = 1, mt;
  
  
-    switch (st->hand_state) {
-    default:
-        /* Shouldn't happen */
-        return 0;
+    if (st->hand_state == TLS_ST_SW_CHANGE) {
+        /* Special case becase it is a different content type */
+        if (SSL_IS_DTLS(s))
+            return dtls_construct_change_cipher_spec(s, pkt);
  
  
-    case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
+        return tls_construct_change_cipher_spec(s, pkt);
+    } else if (st->hand_state == DTLS_ST_SW_HELLO_VERIFY_REQUEST) {
+        /* Special case because we don't call ssl_close_construct_packet() */
          return dtls_construct_hello_verify_request(s, pkt);
          return dtls_construct_hello_verify_request(s, pkt);
+    } else {
+        switch (st->hand_state) {
+        default:
+            /* Shouldn't happen */
+            return 0;
  
  
-    case TLS_ST_SW_HELLO_REQ:
-        return tls_construct_hello_request(s, pkt);
+        case TLS_ST_SW_HELLO_REQ:
+            /* No construction function needed */
+            mt = SSL3_MT_HELLO_REQUEST;
+            break;
  
  
-    case TLS_ST_SW_SRVR_HELLO:
-        return tls_construct_server_hello(s, pkt);
+        case TLS_ST_SW_SRVR_HELLO:
+            confunc = tls_construct_server_hello;
+            mt = SSL3_MT_SERVER_HELLO;
+            break;
  
  
-    case TLS_ST_SW_CERT:
-        return tls_construct_server_certificate(s, pkt);
+        case TLS_ST_SW_CERT:
+            confunc = tls_construct_server_certificate;
+            mt = SSL3_MT_CERTIFICATE;
+            break;
  
  
-    case TLS_ST_SW_KEY_EXCH:
-        return tls_construct_server_key_exchange(s, pkt);
+        case TLS_ST_SW_KEY_EXCH:
+            confunc = tls_construct_server_key_exchange;
+            mt = SSL3_MT_SERVER_KEY_EXCHANGE;
+            break;
  
  
-    case TLS_ST_SW_CERT_REQ:
-        return tls_construct_certificate_request(s, pkt);
+        case TLS_ST_SW_CERT_REQ:
+            confunc = tls_construct_certificate_request;
+            mt = SSL3_MT_CERTIFICATE_REQUEST;
+            break;
  
  
-    case TLS_ST_SW_SRVR_DONE:
-        return tls_construct_server_done(s, pkt);
+        case TLS_ST_SW_SRVR_DONE:
+            confunc = tls_construct_server_done;
+            mt = SSL3_MT_SERVER_DONE;
+            break;
  
  
-    case TLS_ST_SW_SESSION_TICKET:
-        return tls_construct_new_session_ticket(s, pkt);
+        case TLS_ST_SW_SESSION_TICKET:
+            confunc = tls_construct_new_session_ticket;
+            mt = SSL3_MT_NEWSESSION_TICKET;
+            break;
  
  
-    case TLS_ST_SW_CERT_STATUS:
-        return tls_construct_cert_status(s, pkt);
+        case TLS_ST_SW_CERT_STATUS:
+            confunc = tls_construct_cert_status;
+            mt = SSL3_MT_CERTIFICATE_STATUS;
+            break;
  
  
-    case TLS_ST_SW_CHANGE:
-        if (SSL_IS_DTLS(s))
-            return dtls_construct_change_cipher_spec(s, pkt);
-        else
-            return tls_construct_change_cipher_spec(s, pkt);
+        case TLS_ST_SW_FINISHED:
+            mt = SSL3_MT_FINISHED;
+            break;
+        }
  
  
-    case TLS_ST_SW_FINISHED:
-        return tls_construct_finished(s, pkt,
-                                      s->method->
-                                      ssl3_enc->server_finished_label,
-                                      s->method->
-                                      ssl3_enc->server_finished_label_len);
+        if (!ssl_set_handshake_header(s, pkt, mt)) {
+            SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
+                   ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
+
+        if (st->hand_state == TLS_ST_SW_FINISHED)
+            ret = tls_construct_finished(s, pkt,
+                                         s->method->
+                                         ssl3_enc->server_finished_label,
+                                         s->method->
+                                         ssl3_enc->server_finished_label_len);
+        else if (confunc != NULL)
+            ret = confunc(s, pkt);
+
+        if (!ret || !ssl_close_construct_packet(s, pkt)) {
+            SSLerr(SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE,
+                   ERR_R_INTERNAL_ERROR);
+            return 0;
+        }
      }
      }
+    return 1;
  }
  
  /*
  }
  
  /*
@@ -829,17 +868,6 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
  }
  #endif
  
  }
  #endif
  
-int tls_construct_hello_request(SSL *s, WPACKET *pkt)
-{
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_HELLO_REQUEST)
-            || !ssl_close_construct_packet(s, pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
-        return 0;
-    }
-
-    return 1;
-}
-
  int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
                                    unsigned char cookie_len)
  {
  int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
                                    unsigned char cookie_len)
  {
@@ -1492,8 +1520,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
      int sl, compm, al = SSL_AD_INTERNAL_ERROR;
      size_t len;
  
      int sl, compm, al = SSL_AD_INTERNAL_ERROR;
      size_t len;
  
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_SERVER_HELLO)
-            || !WPACKET_put_bytes_u16(pkt, s->version)
+    if (!WPACKET_put_bytes_u16(pkt, s->version)
                 /*
                  * Random stuff. Filling of the server_random takes place in
                  * tls_process_client_hello()
                 /*
                  * Random stuff. Filling of the server_random takes place in
                  * tls_process_client_hello()
@@ -1544,8 +1571,7 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
              || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
              || !WPACKET_put_bytes_u8(pkt, compm)
              || !ssl_prepare_serverhello_tlsext(s)
              || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
              || !WPACKET_put_bytes_u8(pkt, compm)
              || !ssl_prepare_serverhello_tlsext(s)
-            || !ssl_add_serverhello_tlsext(s, pkt, &al)
-            || !ssl_close_construct_packet(s, pkt)) {
+            || !ssl_add_serverhello_tlsext(s, pkt, &al)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
          goto err;
      }
          SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
          goto err;
      }
@@ -1558,21 +1584,13 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
  
  int tls_construct_server_done(SSL *s, WPACKET *pkt)
  {
  
  int tls_construct_server_done(SSL *s, WPACKET *pkt)
  {
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_SERVER_DONE)
-            || !ssl_close_construct_packet(s, pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      if (!s->s3->tmp.cert_request) {
      if (!s->s3->tmp.cert_request) {
-        if (!ssl3_digest_cached_records(s, 0))
-            goto err;
+        if (!ssl3_digest_cached_records(s, 0)) {
+            ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+            return 0;
+        }
      }
      return 1;
      }
      return 1;
-
- err:
-    ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
-    return 0;
  }
  
  int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
  }
  
  int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
@@ -1593,9 +1611,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
      EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
      size_t paramlen, paramoffset;
  
      EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
      size_t paramlen, paramoffset;
  
-    if (!ssl_set_handshake_header(s, pkt,
-                                         SSL3_MT_SERVER_KEY_EXCHANGE)
-            || !WPACKET_get_total_written(pkt, &paramoffset)) {
+    if (!WPACKET_get_total_written(pkt, &paramoffset)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
          goto f_err;
      }
          SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
          goto f_err;
      }
@@ -1900,11 +1916,6 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
          }
      }
  
          }
      }
  
-    if (!ssl_close_construct_packet(s, pkt)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-        goto f_err;
-    }
-
      EVP_MD_CTX_free(md_ctx);
      return 1;
   f_err:
      EVP_MD_CTX_free(md_ctx);
      return 1;
   f_err:
@@ -1925,13 +1936,6 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
      int i, nl;
      STACK_OF(X509_NAME) *sk = NULL;
  
      int i, nl;
      STACK_OF(X509_NAME) *sk = NULL;
  
-    if (!ssl_set_handshake_header(s, pkt,
-                                         SSL3_MT_CERTIFICATE_REQUEST)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
-
      /* get the list of acceptable cert types */
      if (!WPACKET_start_sub_packet_u8(pkt)
              || !ssl3_get_req_cert_type(s, pkt)
      /* get the list of acceptable cert types */
      if (!WPACKET_start_sub_packet_u8(pkt)
              || !ssl3_get_req_cert_type(s, pkt)
@@ -1978,8 +1982,7 @@ int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
      }
      /* else no CA names */
  
      }
      /* else no CA names */
  
-    if (!WPACKET_close(pkt)
-            || !ssl_close_construct_packet(s, pkt)) {
+    if (!WPACKET_close(pkt)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
          goto err;
      }
          SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
          goto err;
      }
@@ -2954,11 +2957,6 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
          return 0;
      }
  
          return 0;
      }
  
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_NEWSESSION_TICKET)) {
-        SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
      ctx = EVP_CIPHER_CTX_new();
      hctx = HMAC_CTX_new();
      if (ctx == NULL || hctx == NULL) {
      ctx = EVP_CIPHER_CTX_new();
      hctx = HMAC_CTX_new();
      if (ctx == NULL || hctx == NULL) {
@@ -3067,8 +3065,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
              || hlen > EVP_MAX_MD_SIZE
              || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
              || macdata1 != macdata2
              || hlen > EVP_MAX_MD_SIZE
              || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
              || macdata1 != macdata2
-            || !WPACKET_close(pkt)
-            || !ssl_close_construct_packet(s, pkt)) {
+            || !WPACKET_close(pkt)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
          goto err;
      }
          SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
          goto err;
      }
@@ -3087,11 +3084,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
  
  int tls_construct_cert_status(SSL *s, WPACKET *pkt)
  {
  
  int tls_construct_cert_status(SSL *s, WPACKET *pkt)
  {
-    if (!ssl_set_handshake_header(s, pkt, SSL3_MT_CERTIFICATE_STATUS)
-            || !WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
+    if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
              || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
              || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
-                                       s->tlsext_ocsp_resplen)
-            || !ssl_close_construct_packet(s, pkt)) {
+                                       s->tlsext_ocsp_resplen)) {
          SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
          ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
          return 0;
          SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
          ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
          return 0;
author	Matt Caswell <matt@openssl.org>
	Thu, 29 Sep 2016 23:27:40 +0000 (00:27 +0100)
committer	Matt Caswell <matt@openssl.org>
	Mon, 3 Oct 2016 15:25:48 +0000 (16:25 +0100)
include/openssl/ssl.h		patch \| blob \| history
ssl/ssl_err.c		patch \| blob \| history
ssl/statem/statem_clnt.c		patch \| blob \| history
ssl/statem/statem_lib.c		patch \| blob \| history
ssl/statem/statem_locl.h		patch \| blob \| history
ssl/statem/statem_srvr.c		patch \| blob \| history