-/* ssl/statem/statem_srvr.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
*
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
+
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
* OTHERWISE.
*/
-
#include <stdio.h>
#include "../ssl_locl.h"
#include "statem_locl.h"
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/x509.h>
-#ifndef OPENSSL_NO_DH
-# include <openssl/dh.h>
-#endif
+#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/md5.h>
static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
PACKET *cipher_suites,
- STACK_OF(SSL_CIPHER) **skp,
- int sslv2format, int *al);
+ STACK_OF(SSL_CIPHER)
+ **skp, int sslv2format,
+ int *al);
/*
* server_read_transition() encapsulates the logic for the allowed handshake
{
OSSL_STATEM *st = &s->statem;
- switch(st->hand_state) {
+ switch (st->hand_state) {
+ default:
+ break;
+
case TLS_ST_BEFORE:
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
if (mt == SSL3_MT_CLIENT_HELLO) {
* b) We are running SSL3 (in TLS1.0+ the client must return a 0
* list if we requested a certificate)
*/
- if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
- && (!s->s3->tmp.cert_request
- || (!((s->verify_mode & SSL_VERIFY_PEER) &&
- (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
- && (s->version == SSL3_VERSION)))) {
- st->hand_state = TLS_ST_SR_KEY_EXCH;
- return 1;
+ if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
+ if (s->s3->tmp.cert_request) {
+ if (s->version == SSL3_VERSION) {
+ if ((s->verify_mode & SSL_VERIFY_PEER)
+ && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
+ /*
+ * This isn't an unexpected message as such - we're just
+ * not going to accept it because we require a client
+ * cert.
+ */
+ ssl3_send_alert(s, SSL3_AL_FATAL,
+ SSL3_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION,
+ SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+ return 0;
+ }
+ st->hand_state = TLS_ST_SR_KEY_EXCH;
+ return 1;
+ }
+ } else {
+ st->hand_state = TLS_ST_SR_KEY_EXCH;
+ return 1;
+ }
} else if (s->s3->tmp.cert_request) {
if (mt == SSL3_MT_CERTIFICATE) {
st->hand_state = TLS_ST_SR_CERT;
return 1;
- }
+ }
}
break;
return 1;
}
break;
-
- default:
- break;
}
/* No valid transition found */
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
+ SSLerr(SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION, SSL_R_UNEXPECTED_MESSAGE);
return 0;
}
* the server certificate contains the server's public key for
* key exchange.
*/
- if (alg_k & (SSL_kDHE|SSL_kECDHE)
+ if (alg_k & (SSL_kDHE | SSL_kECDHE)
/*
* PSK: send ServerKeyExchange if PSK identity hint if
* provided
/* SRP: send ServerKeyExchange */
|| (alg_k & SSL_kSRP)
#endif
- ) {
+ ) {
return 1;
}
* RFC 2246):
*/
&& (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
- /*
- * ... except when the application insists on
- * verification (against the specs, but s3_clnt.c accepts
- * this for SSL 3)
- */
+ /*
+ * ... except when the application insists on
+ * verification (against the specs, but statem_clnt.c accepts
+ * this for SSL 3)
+ */
|| (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
/* don't request certificate for SRP auth */
&& !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP)
{
OSSL_STATEM *st = &s->statem;
- switch(st->hand_state) {
- case TLS_ST_BEFORE:
- /* Just go straight to trying to read from the client */;
- return WRITE_TRAN_FINISHED;
-
- case TLS_ST_OK:
- /* We must be trying to renegotiate */
- st->hand_state = TLS_ST_SW_HELLO_REQ;
- return WRITE_TRAN_CONTINUE;
+ switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return WRITE_TRAN_ERROR;
- case TLS_ST_SW_HELLO_REQ:
- st->hand_state = TLS_ST_OK;
- ossl_statem_set_in_init(s, 0);
- return WRITE_TRAN_CONTINUE;
+ case TLS_ST_BEFORE:
+ /* Just go straight to trying to read from the client */
+ return WRITE_TRAN_FINISHED;
- case TLS_ST_SR_CLNT_HELLO:
- if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
- && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
- st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
- else
- st->hand_state = TLS_ST_SW_SRVR_HELLO;
- return WRITE_TRAN_CONTINUE;
+ case TLS_ST_OK:
+ /* We must be trying to renegotiate */
+ st->hand_state = TLS_ST_SW_HELLO_REQ;
+ return WRITE_TRAN_CONTINUE;
- case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
- return WRITE_TRAN_FINISHED;
+ case TLS_ST_SW_HELLO_REQ:
+ st->hand_state = TLS_ST_OK;
+ ossl_statem_set_in_init(s, 0);
+ return WRITE_TRAN_CONTINUE;
- case TLS_ST_SW_SRVR_HELLO:
- if (s->hit) {
- if (s->tlsext_ticket_expected)
- st->hand_state = TLS_ST_SW_SESSION_TICKET;
- else
- st->hand_state = TLS_ST_SW_CHANGE;
- } else {
- /* Check if it is anon DH or anon ECDH, */
- /* normal PSK or SRP */
- if (!(s->s3->tmp.new_cipher->algorithm_auth &
- (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
- st->hand_state = TLS_ST_SW_CERT;
- } else if (send_server_key_exchange(s)) {
- st->hand_state = TLS_ST_SW_KEY_EXCH;
- } else if (send_certificate_request(s)) {
- st->hand_state = TLS_ST_SW_CERT_REQ;
- } else {
- st->hand_state = TLS_ST_SW_SRVR_DONE;
- }
- }
- return WRITE_TRAN_CONTINUE;
+ case TLS_ST_SR_CLNT_HELLO:
+ if (SSL_IS_DTLS(s) && !s->d1->cookie_verified
+ && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
+ st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST;
+ else
+ st->hand_state = TLS_ST_SW_SRVR_HELLO;
+ return WRITE_TRAN_CONTINUE;
- case TLS_ST_SW_CERT:
- if (s->tlsext_status_expected) {
- st->hand_state = TLS_ST_SW_CERT_STATUS;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
+ case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
+ return WRITE_TRAN_FINISHED;
- case TLS_ST_SW_CERT_STATUS:
- if (send_server_key_exchange(s)) {
+ case TLS_ST_SW_SRVR_HELLO:
+ if (s->hit) {
+ if (s->tlsext_ticket_expected)
+ st->hand_state = TLS_ST_SW_SESSION_TICKET;
+ else
+ st->hand_state = TLS_ST_SW_CHANGE;
+ } else {
+ /* Check if it is anon DH or anon ECDH, */
+ /* normal PSK or SRP */
+ if (!(s->s3->tmp.new_cipher->algorithm_auth &
+ (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
+ st->hand_state = TLS_ST_SW_CERT;
+ } else if (send_server_key_exchange(s)) {
st->hand_state = TLS_ST_SW_KEY_EXCH;
- return WRITE_TRAN_CONTINUE;
- }
- /* Fall through */
-
- case TLS_ST_SW_KEY_EXCH:
- if (send_certificate_request(s)) {
+ } else if (send_certificate_request(s)) {
st->hand_state = TLS_ST_SW_CERT_REQ;
- return WRITE_TRAN_CONTINUE;
+ } else {
+ st->hand_state = TLS_ST_SW_SRVR_DONE;
}
- /* Fall through */
+ }
+ return WRITE_TRAN_CONTINUE;
- case TLS_ST_SW_CERT_REQ:
- st->hand_state = TLS_ST_SW_SRVR_DONE;
+ case TLS_ST_SW_CERT:
+ if (s->tlsext_status_expected) {
+ st->hand_state = TLS_ST_SW_CERT_STATUS;
return WRITE_TRAN_CONTINUE;
+ }
+ /* Fall through */
- case TLS_ST_SW_SRVR_DONE:
- return WRITE_TRAN_FINISHED;
-
- case TLS_ST_SR_FINISHED:
- if (s->hit) {
- st->hand_state = TLS_ST_OK;
- ossl_statem_set_in_init(s, 0);
- return WRITE_TRAN_CONTINUE;
- } else if (s->tlsext_ticket_expected) {
- st->hand_state = TLS_ST_SW_SESSION_TICKET;
- } else {
- st->hand_state = TLS_ST_SW_CHANGE;
- }
+ case TLS_ST_SW_CERT_STATUS:
+ if (send_server_key_exchange(s)) {
+ st->hand_state = TLS_ST_SW_KEY_EXCH;
return WRITE_TRAN_CONTINUE;
+ }
+ /* Fall through */
- case TLS_ST_SW_SESSION_TICKET:
- st->hand_state = TLS_ST_SW_CHANGE;
+ case TLS_ST_SW_KEY_EXCH:
+ if (send_certificate_request(s)) {
+ st->hand_state = TLS_ST_SW_CERT_REQ;
return WRITE_TRAN_CONTINUE;
+ }
+ /* Fall through */
- case TLS_ST_SW_CHANGE:
- st->hand_state = TLS_ST_SW_FINISHED;
- return WRITE_TRAN_CONTINUE;
+ case TLS_ST_SW_CERT_REQ:
+ st->hand_state = TLS_ST_SW_SRVR_DONE;
+ return WRITE_TRAN_CONTINUE;
- case TLS_ST_SW_FINISHED:
- if (s->hit) {
- return WRITE_TRAN_FINISHED;
- }
+ case TLS_ST_SW_SRVR_DONE:
+ return WRITE_TRAN_FINISHED;
+
+ case TLS_ST_SR_FINISHED:
+ if (s->hit) {
st->hand_state = TLS_ST_OK;
ossl_statem_set_in_init(s, 0);
return WRITE_TRAN_CONTINUE;
+ } else if (s->tlsext_ticket_expected) {
+ st->hand_state = TLS_ST_SW_SESSION_TICKET;
+ } else {
+ st->hand_state = TLS_ST_SW_CHANGE;
+ }
+ return WRITE_TRAN_CONTINUE;
+
+ case TLS_ST_SW_SESSION_TICKET:
+ st->hand_state = TLS_ST_SW_CHANGE;
+ return WRITE_TRAN_CONTINUE;
+
+ case TLS_ST_SW_CHANGE:
+ st->hand_state = TLS_ST_SW_FINISHED;
+ return WRITE_TRAN_CONTINUE;
- default:
- /* Shouldn't happen */
- return WRITE_TRAN_ERROR;
+ case TLS_ST_SW_FINISHED:
+ if (s->hit) {
+ return WRITE_TRAN_FINISHED;
+ }
+ st->hand_state = TLS_ST_OK;
+ ossl_statem_set_in_init(s, 0);
+ return WRITE_TRAN_CONTINUE;
}
}
{
OSSL_STATEM *st = &s->statem;
- switch(st->hand_state) {
+ switch (st->hand_state) {
+ default:
+ /* No pre work to be done */
+ break;
+
case TLS_ST_SW_HELLO_REQ:
s->shutdown = 0;
if (SSL_IS_DTLS(s))
- dtls1_clear_record_buffer(s);
+ dtls1_clear_sent_buffer(s);
break;
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
s->shutdown = 0;
if (SSL_IS_DTLS(s)) {
- dtls1_clear_record_buffer(s);
+ dtls1_clear_sent_buffer(s);
/* We don't buffer this message so don't use the timer */
st->use_timer = 0;
}
case TLS_ST_OK:
return tls_finish_handshake(s, wst);
-
- default:
- /* No pre work to be done */
- break;
}
return WORK_FINISHED_CONTINUE;
s->init_num = 0;
- switch(st->hand_state) {
+ switch (st->hand_state) {
+ default:
+ /* No post work to be done */
+ break;
+
case TLS_ST_SW_HELLO_REQ:
if (statem_flush(s) != 1)
return WORK_MORE_A;
- ssl3_init_finished_mac(s);
+ if (!ssl3_init_finished_mac(s)) {
+ ossl_statem_set_error(s);
+ return WORK_ERROR;
+ }
break;
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
if (statem_flush(s) != 1)
return WORK_MORE_A;
/* HelloVerifyRequest resets Finished MAC */
- if (s->version != DTLS1_BAD_VER)
- ssl3_init_finished_mac(s);
+ if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) {
+ ossl_statem_set_error(s);
+ return WORK_ERROR;
+ }
/*
* The next message should be another ClientHello which we need to
* treat like it was the first packet
sizeof(DTLS1_SCTP_AUTH_LABEL));
if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ sizeof(sctpauthkey), labelbuffer,
+ sizeof(labelbuffer), NULL, 0,
+ 0) <= 0) {
ossl_statem_set_error(s);
return WORK_ERROR;
}
}
#endif
if (!s->method->ssl3_enc->change_cipher_state(s,
- SSL3_CHANGE_CIPHER_SERVER_WRITE)) {
+ SSL3_CHANGE_CIPHER_SERVER_WRITE))
+ {
ossl_statem_set_error(s);
return WORK_ERROR;
}
}
#endif
break;
-
- default:
- /* No post work to be done */
- break;
}
return WORK_FINISHED_CONTINUE;
}
/*
- * Construct a message to be sent from the server to the client.
+ * Get the message construction function and message type for sending from the
+ * server
*
* Valid return values are:
* 1: Success
* 0: Error
*/
-int ossl_statem_server_construct_message(SSL *s)
+int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt,
+ confunc_f *confunc, int *mt)
{
OSSL_STATEM *st = &s->statem;
- switch(st->hand_state) {
+ switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return 0;
+
+ case TLS_ST_SW_CHANGE:
+ if (SSL_IS_DTLS(s))
+ *confunc = dtls_construct_change_cipher_spec;
+ else
+ *confunc = tls_construct_change_cipher_spec;
+ *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
+ break;
+
case DTLS_ST_SW_HELLO_VERIFY_REQUEST:
- return dtls_construct_hello_verify_request(s);
+ *confunc = dtls_construct_hello_verify_request;
+ *mt = DTLS1_MT_HELLO_VERIFY_REQUEST;
+ break;
case TLS_ST_SW_HELLO_REQ:
- return tls_construct_hello_request(s);
+ /* No construction function needed */
+ *confunc = NULL;
+ *mt = SSL3_MT_HELLO_REQUEST;
+ break;
case TLS_ST_SW_SRVR_HELLO:
- return tls_construct_server_hello(s);
+ *confunc = tls_construct_server_hello;
+ *mt = SSL3_MT_SERVER_HELLO;
+ break;
case TLS_ST_SW_CERT:
- return tls_construct_server_certificate(s);
+ *confunc = tls_construct_server_certificate;
+ *mt = SSL3_MT_CERTIFICATE;
+ break;
case TLS_ST_SW_KEY_EXCH:
- return tls_construct_server_key_exchange(s);
+ *confunc = tls_construct_server_key_exchange;
+ *mt = SSL3_MT_SERVER_KEY_EXCHANGE;
+ break;
case TLS_ST_SW_CERT_REQ:
- return tls_construct_certificate_request(s);
+ *confunc = tls_construct_certificate_request;
+ *mt = SSL3_MT_CERTIFICATE_REQUEST;
+ break;
case TLS_ST_SW_SRVR_DONE:
- return tls_construct_server_done(s);
+ *confunc = tls_construct_server_done;
+ *mt = SSL3_MT_SERVER_DONE;
+ break;
case TLS_ST_SW_SESSION_TICKET:
- return tls_construct_new_session_ticket(s);
+ *confunc = tls_construct_new_session_ticket;
+ *mt = SSL3_MT_NEWSESSION_TICKET;
+ break;
case TLS_ST_SW_CERT_STATUS:
- return tls_construct_cert_status(s);
-
- case TLS_ST_SW_CHANGE:
- if (SSL_IS_DTLS(s))
- return dtls_construct_change_cipher_spec(s);
- else
- return tls_construct_change_cipher_spec(s);
+ *confunc = tls_construct_cert_status;
+ *mt = SSL3_MT_CERTIFICATE_STATUS;
+ break;
case TLS_ST_SW_FINISHED:
- return tls_construct_finished(s,
- s->method->
- ssl3_enc->server_finished_label,
- s->method->
- ssl3_enc->server_finished_label_len);
-
- default:
- /* Shouldn't happen */
+ *confunc = tls_construct_finished;
+ *mt = SSL3_MT_FINISHED;
break;
}
- return 0;
+ return 1;
}
+/*
+ * Maximum size (excluding the Handshake header) of a ClientHello message,
+ * calculated as follows:
+ *
+ * 2 + # client_version
+ * 32 + # only valid length for random
+ * 1 + # length of session_id
+ * 32 + # maximum size for session_id
+ * 2 + # length of cipher suites
+ * 2^16-2 + # maximum length of cipher suites array
+ * 1 + # length of compression_methods
+ * 2^8-1 + # maximum length of compression methods
+ * 2 + # length of extensions
+ * 2^16-1 # maximum length of extensions
+ */
+#define CLIENT_HELLO_MAX_LENGTH 131396
+
#define CLIENT_KEY_EXCH_MAX_LENGTH 2048
#define NEXT_PROTO_MAX_LENGTH 514
* Returns the maximum allowed length for the current message that we are
* reading. Excludes the message header.
*/
-unsigned long ossl_statem_server_max_message_size(SSL *s)
+size_t ossl_statem_server_max_message_size(SSL *s)
{
OSSL_STATEM *st = &s->statem;
- switch(st->hand_state) {
+ switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return 0;
+
case TLS_ST_SR_CLNT_HELLO:
- return SSL3_RT_MAX_PLAIN_LENGTH;
+ return CLIENT_HELLO_MAX_LENGTH;
case TLS_ST_SR_CERT:
return s->max_cert_list;
case TLS_ST_SR_FINISHED:
return FINISHED_MAX_LENGTH;
-
- default:
- /* Shouldn't happen */
- break;
}
-
- return 0;
}
/*
{
OSSL_STATEM *st = &s->statem;
- switch(st->hand_state) {
+ switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return MSG_PROCESS_ERROR;
+
case TLS_ST_SR_CLNT_HELLO:
return tls_process_client_hello(s, pkt);
case TLS_ST_SR_FINISHED:
return tls_process_finished(s, pkt);
-
- default:
- /* Shouldn't happen */
- break;
}
-
- return MSG_PROCESS_ERROR;
}
/*
{
OSSL_STATEM *st = &s->statem;
- switch(st->hand_state) {
+ switch (st->hand_state) {
+ default:
+ /* Shouldn't happen */
+ return WORK_ERROR;
+
case TLS_ST_SR_CLNT_HELLO:
return tls_post_process_client_hello(s, wst);
case TLS_ST_SR_CERT_VRFY:
#ifndef OPENSSL_NO_SCTP
- if ( /* Is this SCTP? */
- BIO_dgram_is_sctp(SSL_get_wbio(s))
- /* Are we renegotiating? */
- && s->renegotiate
- && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
+ if ( /* Is this SCTP? */
+ BIO_dgram_is_sctp(SSL_get_wbio(s))
+ /* Are we renegotiating? */
+ && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->s3->in_read_app_data = 2;
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
}
#endif
return WORK_FINISHED_CONTINUE;
-
- default:
- break;
}
- /* Shouldn't happen */
- return WORK_ERROR;
}
#ifndef OPENSSL_NO_SRP
}
#endif
-int tls_construct_hello_request(SSL *s)
+int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie,
+ unsigned char cookie_len)
{
- if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
+ /* Always use DTLS 1.0 version: see RFC 6347 */
+ if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION)
+ || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len))
return 0;
- }
return 1;
}
-unsigned int dtls_raw_hello_verify_request(unsigned char *buf,
- unsigned char *cookie,
- unsigned char cookie_len)
-{
- unsigned int msg_len;
- unsigned char *p;
-
- p = buf;
- /* Always use DTLS 1.0 version: see RFC 6347 */
- *(p++) = DTLS1_VERSION >> 8;
- *(p++) = DTLS1_VERSION & 0xFF;
-
- *(p++) = (unsigned char)cookie_len;
- memcpy(p, cookie, cookie_len);
- p += cookie_len;
- msg_len = p - buf;
-
- return msg_len;
-}
-
-int dtls_construct_hello_verify_request(SSL *s)
+int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt)
{
- unsigned int len;
- unsigned char *buf;
-
- buf = (unsigned char *)s->init_buf->data;
-
if (s->ctx->app_gen_cookie_cb == NULL ||
s->ctx->app_gen_cookie_cb(s, s->d1->cookie,
&(s->d1->cookie_len)) == 0 ||
s->d1->cookie_len > 255) {
SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST,
SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
- ossl_statem_set_error(s);
return 0;
}
- len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH],
- s->d1->cookie, s->d1->cookie_len);
-
- dtls1_set_message_header(s, buf, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0,
- len);
- len += DTLS1_HM_HEADER_LENGTH;
-
- /* number of bytes to write */
- s->init_num = len;
- s->init_off = 0;
+ if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie,
+ s->d1->cookie_len)) {
+ SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
return 1;
}
int i, al = SSL_AD_INTERNAL_ERROR;
unsigned int j, complen = 0;
unsigned long id;
- SSL_CIPHER *c;
+ const SSL_CIPHER *c;
#ifndef OPENSSL_NO_COMP
SSL_COMP *comp = NULL;
#endif
/* |cookie| will only be initialized for DTLS. */
PACKET session_id, cipher_suites, compression, extensions, cookie;
int is_v2_record;
+ static const unsigned char null_compression = 0;
is_v2_record = RECORD_LAYER_is_sslv2_record(&s->rlayer);
*/
if (!PACKET_get_1(pkt, &mt)
- || mt != SSL2_MT_CLIENT_HELLO) {
+ || mt != SSL2_MT_CLIENT_HELLO) {
/*
* Should never happen. We should have tested this in the record
* layer in order to have determined that this is a SSLv2 record
* use version from inside client hello, not from record header (may
* differ: see RFC 2246, Appendix E, second paragraph)
*/
- if(!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
+ if (!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
goto f_err;
PACKET challenge;
if (!PACKET_get_net_2(pkt, &cipher_len)
- || !PACKET_get_net_2(pkt, &session_id_len)
- || !PACKET_get_net_2(pkt, &challenge_len)) {
+ || !PACKET_get_net_2(pkt, &session_id_len)
+ || !PACKET_get_net_2(pkt, &challenge_len)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
SSL_R_RECORD_LENGTH_MISMATCH);
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
+ if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
if (!PACKET_get_sub_packet(pkt, &cipher_suites, cipher_len)
|| !PACKET_get_sub_packet(pkt, &session_id, session_id_len)
|| !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
goto f_err;
}
- /* Load the client random */
+ /* Load the client random and compression list. */
challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
challenge_len;
memset(s->s3->client_random, 0, SSL3_RANDOM_SIZE);
if (!PACKET_copy_bytes(&challenge,
s->s3->client_random + SSL3_RANDOM_SIZE -
- challenge_len, challenge_len)) {
+ challenge_len, challenge_len)
+ /* Advertise only null compression. */
+ || !PACKET_buf_init(&compression, &null_compression, 1)) {
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
- PACKET_null_init(&compression);
PACKET_null_init(&extensions);
} else {
/* Regular ClientHello. */
goto f_err;
}
+ if (PACKET_remaining(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
if (SSL_IS_DTLS(s)) {
if (!PACKET_get_length_prefixed_1(pkt, &cookie)) {
al = SSL_AD_DECODE_ERROR;
*/
if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
if (PACKET_remaining(&cookie) == 0)
- return 1;
+ return 1;
}
}
if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites)
|| !PACKET_get_length_prefixed_1(pkt, &compression)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
- goto f_err;
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
}
/* Could be empty. */
extensions = *pkt;
}
+ if (SSL_IS_DTLS(s)) {
+ /* Empty cookie was already handled above by returning early. */
+ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
+ if (s->ctx->app_verify_cookie_cb != NULL) {
+ if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
+ PACKET_remaining(&cookie)) ==
+ 0) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
+ SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ /* else cookie verification succeeded */
+ }
+ /* default verification */
+ } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
+ goto f_err;
+ }
+ s->d1->cookie_verified = 1;
+ }
+ if (s->method->version == DTLS_ANY_VERSION) {
+ protverr = ssl_choose_server_version(s);
+ if (protverr != 0) {
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
+ s->version = s->client_version;
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
+ }
+ }
+ }
+
s->hit = 0;
/*
}
}
- if (SSL_IS_DTLS(s)) {
- /* Empty cookie was already handled above by returning early. */
- if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) {
- if (s->ctx->app_verify_cookie_cb != NULL) {
- if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie),
- PACKET_remaining(&cookie)) == 0) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
- SSL_R_COOKIE_MISMATCH);
- goto f_err;
- /* else cookie verification succeeded */
- }
- /* default verification */
- } else if (!PACKET_equal(&cookie, s->d1->cookie,
- s->d1->cookie_len)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
- goto f_err;
- }
- s->d1->cookie_verified = 1;
- }
- if (s->method->version == DTLS_ANY_VERSION) {
- protverr = ssl_choose_server_version(s);
- if (protverr != 0) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
- s->version = s->client_version;
- al = SSL_AD_PROTOCOL_VERSION;
- goto f_err;
- }
- s->session->ssl_version = s->version;
- }
- }
-
if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
is_v2_record, &al) == NULL) {
goto f_err;
id = s->session->cipher->id;
#ifdef CIPHER_DEBUG
- fprintf(stderr, "client sent %d ciphers\n",
- sk_SSL_CIPHER_num(ciphers));
+ fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers));
#endif
for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
c = sk_SSL_CIPHER_value(ciphers, i);
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED);
goto f_err;
}
-
+
/* TLS extensions */
if (s->version >= SSL3_VERSION) {
if (!ssl_parse_clienthello_tlsext(s, &extensions)) {
}
if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
- SSL_CIPHER *pref_cipher = NULL;
+ const SSL_CIPHER *pref_cipher = NULL;
s->session->master_key_length = sizeof(s->session->master_key);
if (s->tls_session_secret_cb(s, s->session->master_key,
if (k >= complen) {
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO,
- SSL_R_REQUIRED_COMPRESSSION_ALGORITHM_MISSING);
+ SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING);
goto f_err;
}
} else if (s->hit)
WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
{
int al = SSL_AD_HANDSHAKE_FAILURE;
- SSL_CIPHER *cipher;
+ const SSL_CIPHER *cipher;
if (wst == WORK_MORE_A) {
if (!s->hit) {
int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg);
if (rv == 0) {
al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR);
+ SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_CERT_CB_ERROR);
goto f_err;
}
if (rv < 0) {
}
s->rwstate = SSL_NOTHING;
}
- cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
+ cipher =
+ ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s));
if (cipher == NULL) {
- SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER);
+ SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+ SSL_R_NO_SHARED_CIPHER);
goto f_err;
}
s->s3->tmp.new_cipher = cipher;
/* check whether we should disable session resumption */
if (s->not_resumable_session_cb != NULL)
s->session->not_resumable = s->not_resumable_session_cb(s,
- ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
+ ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0));
if (s->session->not_resumable)
/* do not send a session ticket */
s->tlsext_ticket_expected = 0;
/*-
* we now have the following setup.
* client_random
- * cipher_list - our prefered list of ciphers
- * ciphers - the clients prefered list of ciphers
+ * cipher_list - our preferred list of ciphers
+ * ciphers - the clients preferred list of ciphers
* compression - basically ignored right now
* ssl version is set - sslv3
* s->session - The ssl session has been setup.
/* Handles TLS extensions that we couldn't check earlier */
if (s->version >= SSL3_VERSION) {
- if (ssl_check_clienthello_tlsext_late(s) <= 0) {
+ if (!ssl_check_clienthello_tlsext_late(s, &al)) {
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
SSL_R_CLIENTHELLO_TLSEXT);
goto f_err;
*/
if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
- SSL_R_CLIENTHELLO_TLSEXT);
+ SSL_R_CLIENTHELLO_TLSEXT);
goto f_err;
}
}
return WORK_ERROR;
}
-int tls_construct_server_hello(SSL *s)
+int tls_construct_server_hello(SSL *s, WPACKET *pkt)
{
- unsigned char *buf;
- unsigned char *p, *d;
- int i, sl;
- int al = 0;
- unsigned long l;
-
- buf = (unsigned char *)s->init_buf->data;
-
- /* Do the message type and length last */
- d = p = ssl_handshake_start(s);
-
- *(p++) = s->version >> 8;
- *(p++) = s->version & 0xff;
-
- /*
- * Random stuff. Filling of the server_random takes place in
- * tls_process_client_hello()
- */
- memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
- p += SSL3_RANDOM_SIZE;
+ int sl, compm, al = SSL_AD_INTERNAL_ERROR;
+ size_t len;
+
+ if (!WPACKET_put_bytes_u16(pkt, s->version)
+ /*
+ * Random stuff. Filling of the server_random takes place in
+ * tls_process_client_hello()
+ */
+ || !WPACKET_memcpy(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
/*-
* There are several cases for the session ID to send
sl = s->session->session_id_length;
if (sl > (int)sizeof(s->session->session_id)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
+ goto err;
}
- *(p++) = sl;
- memcpy(p, s->session->session_id, sl);
- p += sl;
-
- /* put the cipher */
- i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
- p += i;
- /* put the compression method */
+ /* set up the compression method */
#ifdef OPENSSL_NO_COMP
- *(p++) = 0;
+ compm = 0;
#else
if (s->s3->tmp.new_compression == NULL)
- *(p++) = 0;
+ compm = 0;
else
- *(p++) = s->s3->tmp.new_compression->id;
+ compm = s->s3->tmp.new_compression->id;
#endif
- if (ssl_prepare_serverhello_tlsext(s) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT);
- ossl_statem_set_error(s);
- return 0;
- }
- if ((p =
- ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
- &al)) == NULL) {
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
- }
-
- /* do the header */
- l = (p - d);
- if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) {
+ if (!WPACKET_sub_memcpy_u8(pkt, s->session->session_id, sl)
+ || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, pkt, &len)
+ || !WPACKET_put_bytes_u8(pkt, compm)
+ || !ssl_prepare_serverhello_tlsext(s)
+ || !ssl_add_serverhello_tlsext(s, pkt, &al)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
+ goto err;
}
return 1;
+ err:
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
}
-int tls_construct_server_done(SSL *s)
+int tls_construct_server_done(SSL *s, WPACKET *pkt)
{
- if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
- return 0;
- }
-
if (!s->s3->tmp.cert_request) {
if (!ssl3_digest_cached_records(s, 0)) {
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return 0;
}
}
-
return 1;
}
-int tls_construct_server_key_exchange(SSL *s)
+int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
{
#ifndef OPENSSL_NO_DH
EVP_PKEY *pkdh = NULL;
#endif
EVP_PKEY *pkey;
const EVP_MD *md = NULL;
- unsigned char *p, *d;
- int al, i;
+ int al = SSL_AD_INTERNAL_ERROR, i;
unsigned long type;
- int n;
- BIGNUM *r[4];
- int nr[4], kn;
- BUF_MEM *buf;
+ const BIGNUM *r[4];
EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
+ size_t paramlen, paramoffset;
+
+ if (!WPACKET_get_total_written(pkt, ¶moffset)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
if (md_ctx == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
type = s->s3->tmp.new_cipher->algorithm_mkey;
- buf = s->init_buf;
-
r[0] = r[1] = r[2] = r[3] = NULL;
- n = 0;
#ifndef OPENSSL_NO_PSK
- if (type & SSL_PSK) {
- /*
- * reserve size for record length and PSK identity hint
- */
- n += 2;
- if (s->cert->psk_identity_hint)
- n += strlen(s->cert->psk_identity_hint);
- }
/* Plain PSK or RSAPSK nothing to do */
if (type & (SSL_kPSK | SSL_kRSAPSK)) {
} else
pkdh = EVP_PKEY_new();
if (pkdh == NULL || dhp == NULL) {
DH_free(dhp);
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024);
pkdh = ssl_dh_to_pkey(dhp);
if (pkdh == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
goto err;
}
- s->s3->tmp.pkey = ssl_generate_pkey(pkdhp, NID_undef);
+ s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
if (s->s3->tmp.pkey == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
EVP_PKEY_free(pkdh);
pkdh = NULL;
- r[0] = dh->p;
- r[1] = dh->g;
- r[2] = dh->pub_key;
+ DH_get0_pqg(dh, &r[0], NULL, &r[1]);
+ DH_get0_key(dh, &r[2], NULL);
} else
#endif
#ifndef OPENSSL_NO_EC
SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
goto err;
}
- s->s3->tmp.pkey = ssl_generate_pkey(NULL, nid);
+ s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id);
/* Generate a new key for this curve */
if (s->s3->tmp.pkey == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB);
goto f_err;
}
/* Encode the public key. */
- encodedlen = EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(s->s3->tmp.pkey),
- POINT_CONVERSION_UNCOMPRESSED,
- &encodedPoint, NULL);
-
+ encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey,
+ &encodedPoint);
if (encodedlen == 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB);
goto err;
}
- /*
- * We only support named (not generic) curves in ECDH ephemeral key
- * exchanges. In this situation, we need four additional bytes to
- * encode the entire ServerECDHParams structure.
- */
- n += 4 + encodedlen;
-
/*
* We'll generate the serverKeyExchange message explicitly so we
* can set these to NULLs
SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
goto f_err;
}
- for (i = 0; i < 4 && r[i] != NULL; i++) {
- nr[i] = BN_num_bytes(r[i]);
-#ifndef OPENSSL_NO_SRP
- if ((i == 2) && (type & SSL_kSRP))
- n += 1 + nr[i];
- else
-#endif
- n += 2 + nr[i];
- }
- if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP))
+ if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) {
if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md))
== NULL) {
al = SSL_AD_DECODE_ERROR;
goto f_err;
}
- kn = EVP_PKEY_size(pkey);
} else {
pkey = NULL;
- kn = 0;
- }
-
- if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF);
- goto err;
}
- d = p = ssl_handshake_start(s);
#ifndef OPENSSL_NO_PSK
if (type & SSL_PSK) {
- /* copy PSK identity hint */
- if (s->cert->psk_identity_hint) {
- s2n(strlen(s->cert->psk_identity_hint), p);
- strncpy((char *)p, s->cert->psk_identity_hint,
- strlen(s->cert->psk_identity_hint));
- p += strlen(s->cert->psk_identity_hint);
- } else {
- s2n(0, p);
+ size_t len = (s->cert->psk_identity_hint == NULL)
+ ? 0 : strlen(s->cert->psk_identity_hint);
+
+ /*
+ * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already
+ * checked this when we set the identity hint - but just in case
+ */
+ if (len > PSK_MAX_IDENTITY_LEN
+ || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint,
+ len)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
}
}
#endif
for (i = 0; i < 4 && r[i] != NULL; i++) {
+ unsigned char *binval;
+ int res;
+
#ifndef OPENSSL_NO_SRP
if ((i == 2) && (type & SSL_kSRP)) {
- *p = nr[i];
- p++;
+ res = WPACKET_start_sub_packet_u8(pkt);
} else
#endif
- s2n(nr[i], p);
- BN_bn2bin(r[i], p);
- p += nr[i];
+ res = WPACKET_start_sub_packet_u16(pkt);
+
+ if (!res) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+
+#ifndef OPENSSL_NO_DH
+ /*-
+ * for interoperability with some versions of the Microsoft TLS
+ * stack, we need to zero pad the DHE pub key to the same length
+ * as the prime
+ */
+ if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) {
+ size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]);
+
+ if (len > 0) {
+ if (!WPACKET_allocate_bytes(pkt, len, &binval)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+ memset(binval, 0, len);
+ }
+ }
+#endif
+ if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
+
+ BN_bn2bin(r[i], binval);
}
#ifndef OPENSSL_NO_EC
if (type & (SSL_kECDHE | SSL_kECDHEPSK)) {
/*
- * XXX: For now, we only support named (not generic) curves. In
- * this situation, the serverKeyExchange message has: [1 byte
- * CurveType], [2 byte CurveName] [1 byte length of encoded
- * point], followed by the actual encoded point itself
+ * We only support named (not generic) curves. In this situation, the
+ * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName]
+ * [1 byte length of encoded point], followed by the actual encoded
+ * point itself
*/
- *p = NAMED_CURVE_TYPE;
- p += 1;
- *p = 0;
- p += 1;
- *p = curve_id;
- p += 1;
- *p = encodedlen;
- p += 1;
- memcpy(p, encodedPoint, encodedlen);
+ if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE)
+ || !WPACKET_put_bytes_u8(pkt, 0)
+ || !WPACKET_put_bytes_u8(pkt, curve_id)
+ || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
OPENSSL_free(encodedPoint);
encodedPoint = NULL;
- p += encodedlen;
}
#endif
* points to the space at the end.
*/
if (md) {
+ unsigned char *sigbytes1, *sigbytes2;
+ unsigned int siglen;
+
+ /* Get length of the parameters we have written above */
+ if (!WPACKET_get_length(pkt, ¶mlen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
/* send signature algorithm */
if (SSL_USE_SIGALGS(s)) {
- if (!tls12_get_sigandhash(p, pkey, md)) {
+ if (!tls12_get_sigandhash(pkt, pkey, md)) {
/* Should never happen */
- al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
goto f_err;
}
- p += 2;
}
#ifdef SSL_DEBUG
fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
#endif
- if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0
+ /*
+ * Create the signature. We don't know the actual length of the sig
+ * until after we've created it, so we reserve enough bytes for it
+ * up front, and then properly allocate them in the WPACKET
+ * afterwards.
+ */
+ if (!WPACKET_sub_reserve_bytes_u16(pkt, EVP_PKEY_size(pkey),
+ &sigbytes1)
+ || EVP_SignInit_ex(md_ctx, md, NULL) <= 0
|| EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]),
SSL3_RANDOM_SIZE) <= 0
|| EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]),
SSL3_RANDOM_SIZE) <= 0
- || EVP_SignUpdate(md_ctx, d, n) <= 0
- || EVP_SignFinal(md_ctx, &(p[2]),
- (unsigned int *)&i, pkey) <= 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
- al = SSL_AD_INTERNAL_ERROR;
+ || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset,
+ paramlen) <= 0
+ || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0
+ || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2)
+ || sigbytes1 != sigbytes2) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
goto f_err;
}
- s2n(i, p);
- n += i + 2;
- if (SSL_USE_SIGALGS(s))
- n += 2;
} else {
/* Is this error check actually needed? */
al = SSL_AD_HANDSHAKE_FAILURE;
}
}
- if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
-
EVP_MD_CTX_free(md_ctx);
return 1;
f_err:
OPENSSL_free(encodedPoint);
#endif
EVP_MD_CTX_free(md_ctx);
- ossl_statem_set_error(s);
return 0;
}
-int tls_construct_certificate_request(SSL *s)
+int tls_construct_certificate_request(SSL *s, WPACKET *pkt)
{
- unsigned char *p, *d;
- int i, j, nl, off, n;
+ int i, nl;
STACK_OF(X509_NAME) *sk = NULL;
- X509_NAME *name;
- BUF_MEM *buf;
-
- buf = s->init_buf;
-
- d = p = ssl_handshake_start(s);
/* get the list of acceptable cert types */
- p++;
- n = ssl3_get_req_cert_type(s, p);
- d[0] = n;
- p += n;
- n++;
+ if (!WPACKET_start_sub_packet_u8(pkt)
+ || !ssl3_get_req_cert_type(s, pkt)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
if (SSL_USE_SIGALGS(s)) {
const unsigned char *psigs;
- unsigned char *etmp = p;
nl = tls12_get_psigalgs(s, &psigs);
- /* Skip over length for now */
- p += 2;
- nl = tls12_copy_sigalgs(s, p, psigs, nl);
- /* Now fill in length */
- s2n(nl, etmp);
- p += nl;
- n += nl + 2;
+ if (!WPACKET_start_sub_packet_u16(pkt)
+ || !tls12_copy_sigalgs(s, pkt, psigs, nl)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
}
- off = n;
- p += 2;
- n += 2;
+ /* Start sub-packet for client CA list */
+ if (!WPACKET_start_sub_packet_u16(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
sk = SSL_get_client_CA_list(s);
- nl = 0;
if (sk != NULL) {
for (i = 0; i < sk_X509_NAME_num(sk); i++) {
- name = sk_X509_NAME_value(sk, i);
- j = i2d_X509_NAME(name, NULL);
- if (!BUF_MEM_grow_clean
- (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) {
+ unsigned char *namebytes;
+ X509_NAME *name = sk_X509_NAME_value(sk, i);
+ int namelen;
+
+ if (name == NULL
+ || (namelen = i2d_X509_NAME(name, NULL)) < 0
+ || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
+ &namebytes)
+ || i2d_X509_NAME(name, &namebytes) != namelen) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST,
- ERR_R_BUF_LIB);
+ ERR_R_INTERNAL_ERROR);
goto err;
}
- p = ssl_handshake_start(s) + n;
- s2n(j, p);
- i2d_X509_NAME(name, &p);
- n += 2 + j;
- nl += 2 + j;
}
}
/* else no CA names */
- p = ssl_handshake_start(s) + off;
- s2n(nl, p);
- if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) {
+ if (!WPACKET_close(pkt)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR);
goto err;
}
return 1;
err:
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
-MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
+static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al)
{
- int al;
- unsigned int i;
- unsigned long alg_k;
-#ifndef OPENSSL_NO_RSA
- RSA *rsa = NULL;
- EVP_PKEY *pkey = NULL;
-#endif
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
- EVP_PKEY *ckey = NULL;
-#endif
- PACKET enc_premaster;
- unsigned char *data, *rsa_decrypt = NULL;
-
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-
#ifndef OPENSSL_NO_PSK
- /* For PSK parse and retrieve identity, obtain PSK key */
- if (alg_k & SSL_PSK) {
- unsigned char psk[PSK_MAX_PSK_LEN];
- size_t psklen;
- PACKET psk_identity;
-
- if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
- if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_DATA_LENGTH_TOO_LONG);
- goto f_err;
- }
- if (s->psk_server_callback == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_PSK_NO_SERVER_CB);
- goto f_err;
- }
+ unsigned char psk[PSK_MAX_PSK_LEN];
+ size_t psklen;
+ PACKET psk_identity;
- if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- al = SSL_AD_INTERNAL_ERROR;
- goto f_err;
- }
+ if (!PACKET_get_length_prefixed_2(pkt, &psk_identity)) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_LENGTH_MISMATCH);
+ return 0;
+ }
+ if (PACKET_remaining(&psk_identity) > PSK_MAX_IDENTITY_LEN) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_DATA_LENGTH_TOO_LONG);
+ return 0;
+ }
+ if (s->psk_server_callback == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB);
+ return 0;
+ }
- psklen = s->psk_server_callback(s, s->session->psk_identity,
- psk, sizeof(psk));
+ if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
- if (psklen > PSK_MAX_PSK_LEN) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- } else if (psklen == 0) {
- /*
- * PSK related to the given identity not found
- */
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_PSK_IDENTITY_NOT_FOUND);
- al = SSL_AD_UNKNOWN_PSK_IDENTITY;
- goto f_err;
- }
+ psklen = s->psk_server_callback(s, s->session->psk_identity,
+ psk, sizeof(psk));
- OPENSSL_free(s->s3->tmp.psk);
- s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
- OPENSSL_cleanse(psk, psklen);
+ if (psklen > PSK_MAX_PSK_LEN) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
+ return 0;
+ } else if (psklen == 0) {
+ /*
+ * PSK related to the given identity not found
+ */
+ *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE,
+ SSL_R_PSK_IDENTITY_NOT_FOUND);
+ return 0;
+ }
- if (s->s3->tmp.psk == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto f_err;
- }
+ OPENSSL_free(s->s3->tmp.psk);
+ s->s3->tmp.psk = OPENSSL_memdup(psk, psklen);
+ OPENSSL_cleanse(psk, psklen);
- s->s3->tmp.psklen = psklen;
+ if (s->s3->tmp.psk == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_MALLOC_FAILURE);
+ return 0;
}
- if (alg_k & SSL_kPSK) {
- /* Identity extracted earlier: should be nothing left */
- if (PACKET_remaining(pkt) != 0) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
- /* PSK handled by ssl_generate_master_secret */
- if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- } else
-#endif
-#ifndef OPENSSL_NO_RSA
- if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
- unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
- int decrypt_len;
- unsigned char decrypt_good, version_good;
- size_t j;
-
- /* FIX THIS UP EAY EAY EAY EAY */
- pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
- if ((pkey == NULL) ||
- (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_RSA_CERTIFICATE);
- goto f_err;
- }
- rsa = pkey->pkey.rsa;
- /* SSLv3 and pre-standard DTLS omit the length bytes. */
- if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
- enc_premaster = *pkt;
- } else {
- if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
- || PACKET_remaining(pkt) != 0) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
- }
+ s->s3->tmp.psklen = psklen;
- /*
- * We want to be sure that the plaintext buffer size makes it safe to
- * iterate over the entire size of a premaster secret
- * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
- * their ciphertext cannot accommodate a premaster secret anyway.
- */
- if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- RSA_R_KEY_SIZE_TOO_SMALL);
- goto f_err;
- }
+ return 1;
+#else
+ /* Should never happen */
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
+ return 0;
+#endif
+}
- rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
- if (rsa_decrypt == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto f_err;
- }
+static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al)
+{
+#ifndef OPENSSL_NO_RSA
+ unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH];
+ int decrypt_len;
+ unsigned char decrypt_good, version_good;
+ size_t j, padding_len;
+ PACKET enc_premaster;
+ RSA *rsa = NULL;
+ unsigned char *rsa_decrypt = NULL;
+ int ret = 0;
- /*
- * We must not leak whether a decryption failure occurs because of
- * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
- * section 7.4.7.1). The code follows that advice of the TLS RFC and
- * generates a random premaster secret for the case that the decrypt
- * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
- */
+ rsa = EVP_PKEY_get0_RSA(s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey);
+ if (rsa == NULL) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_MISSING_RSA_CERTIFICATE);
+ return 0;
+ }
- if (RAND_bytes(rand_premaster_secret,
- sizeof(rand_premaster_secret)) <= 0) {
- goto err;
+ /* SSLv3 and pre-standard DTLS omit the length bytes. */
+ if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) {
+ enc_premaster = *pkt;
+ } else {
+ if (!PACKET_get_length_prefixed_2(pkt, &enc_premaster)
+ || PACKET_remaining(pkt) != 0) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_LENGTH_MISMATCH);
+ return 0;
}
+ }
- decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
- PACKET_data(&enc_premaster),
- rsa_decrypt, rsa, RSA_PKCS1_PADDING);
- ERR_clear_error();
+ /*
+ * We want to be sure that the plaintext buffer size makes it safe to
+ * iterate over the entire size of a premaster secret
+ * (SSL_MAX_MASTER_KEY_LENGTH). Reject overly short RSA keys because
+ * their ciphertext cannot accommodate a premaster secret anyway.
+ */
+ if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, RSA_R_KEY_SIZE_TOO_SMALL);
+ return 0;
+ }
- /*
- * decrypt_len should be SSL_MAX_MASTER_KEY_LENGTH. decrypt_good will
- * be 0xff if so and zero otherwise.
- */
- decrypt_good =
- constant_time_eq_int_8(decrypt_len, SSL_MAX_MASTER_KEY_LENGTH);
+ rsa_decrypt = OPENSSL_malloc(RSA_size(rsa));
+ if (rsa_decrypt == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
- /*
- * If the version in the decrypted pre-master secret is correct then
- * version_good will be 0xff, otherwise it'll be zero. The
- * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
- * (http://eprint.iacr.org/2003/052/) exploits the version number
- * check as a "bad version oracle". Thus version checks are done in
- * constant time and are treated like any other decryption error.
- */
- version_good =
- constant_time_eq_8(rsa_decrypt[0],
- (unsigned)(s->client_version >> 8));
- version_good &=
- constant_time_eq_8(rsa_decrypt[1],
- (unsigned)(s->client_version & 0xff));
+ /*
+ * We must not leak whether a decryption failure occurs because of
+ * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
+ * section 7.4.7.1). The code follows that advice of the TLS RFC and
+ * generates a random premaster secret for the case that the decrypt
+ * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1
+ */
- /*
- * The premaster secret must contain the same version number as the
- * ClientHello to detect version rollback attacks (strangely, the
- * protocol does not offer such protection for DH ciphersuites).
- * However, buggy clients exist that send the negotiated protocol
- * version instead if the server does not support the requested
- * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
- * clients.
- */
- if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
- unsigned char workaround_good;
- workaround_good =
- constant_time_eq_8(rsa_decrypt[0], (unsigned)(s->version >> 8));
- workaround_good &=
- constant_time_eq_8(rsa_decrypt[1],
- (unsigned)(s->version & 0xff));
- version_good |= workaround_good;
- }
+ if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0)
+ goto err;
- /*
- * Both decryption and version must be good for decrypt_good to
- * remain non-zero (0xff).
- */
- decrypt_good &= version_good;
+ /*
+ * Decrypt with no padding. PKCS#1 padding will be removed as part of
+ * the timing-sensitive code below.
+ */
+ decrypt_len = RSA_private_decrypt(PACKET_remaining(&enc_premaster),
+ PACKET_data(&enc_premaster),
+ rsa_decrypt, rsa, RSA_NO_PADDING);
+ if (decrypt_len < 0)
+ goto err;
- /*
- * Now copy rand_premaster_secret over from p using
- * decrypt_good_mask. If decryption failed, then p does not
- * contain valid plaintext, however, a check above guarantees
- * it is still sufficiently large to read from.
- */
- for (j = 0; j < sizeof(rand_premaster_secret); j++) {
- rsa_decrypt[j] =
- constant_time_select_8(decrypt_good, rsa_decrypt[j],
- rand_premaster_secret[j]);
- }
+ /* Check the padding. See RFC 3447, section 7.2.2. */
- if (!ssl_generate_master_secret(s, rsa_decrypt,
- sizeof(rand_premaster_secret), 0)) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- OPENSSL_free(rsa_decrypt);
- rsa_decrypt = NULL;
- } else
+ /*
+ * The smallest padded premaster is 11 bytes of overhead. Small keys
+ * are publicly invalid, so this may return immediately. This ensures
+ * PS is at least 8 bytes.
+ */
+ if (decrypt_len < 11 + SSL_MAX_MASTER_KEY_LENGTH) {
+ *al = SSL_AD_DECRYPT_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, SSL_R_DECRYPTION_FAILED);
+ goto err;
+ }
+
+ padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH;
+ decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) &
+ constant_time_eq_int_8(rsa_decrypt[1], 2);
+ for (j = 2; j < padding_len - 1; j++) {
+ decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]);
+ }
+ decrypt_good &= constant_time_is_zero_8(rsa_decrypt[padding_len - 1]);
+
+ /*
+ * If the version in the decrypted pre-master secret is correct then
+ * version_good will be 0xff, otherwise it'll be zero. The
+ * Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+ * (http://eprint.iacr.org/2003/052/) exploits the version number
+ * check as a "bad version oracle". Thus version checks are done in
+ * constant time and are treated like any other decryption error.
+ */
+ version_good =
+ constant_time_eq_8(rsa_decrypt[padding_len],
+ (unsigned)(s->client_version >> 8));
+ version_good &=
+ constant_time_eq_8(rsa_decrypt[padding_len + 1],
+ (unsigned)(s->client_version & 0xff));
+
+ /*
+ * The premaster secret must contain the same version number as the
+ * ClientHello to detect version rollback attacks (strangely, the
+ * protocol does not offer such protection for DH ciphersuites).
+ * However, buggy clients exist that send the negotiated protocol
+ * version instead if the server does not support the requested
+ * protocol version. If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
+ * clients.
+ */
+ if (s->options & SSL_OP_TLS_ROLLBACK_BUG) {
+ unsigned char workaround_good;
+ workaround_good = constant_time_eq_8(rsa_decrypt[padding_len],
+ (unsigned)(s->version >> 8));
+ workaround_good &=
+ constant_time_eq_8(rsa_decrypt[padding_len + 1],
+ (unsigned)(s->version & 0xff));
+ version_good |= workaround_good;
+ }
+
+ /*
+ * Both decryption and version must be good for decrypt_good to
+ * remain non-zero (0xff).
+ */
+ decrypt_good &= version_good;
+
+ /*
+ * Now copy rand_premaster_secret over from p using
+ * decrypt_good_mask. If decryption failed, then p does not
+ * contain valid plaintext, however, a check above guarantees
+ * it is still sufficiently large to read from.
+ */
+ for (j = 0; j < sizeof(rand_premaster_secret); j++) {
+ rsa_decrypt[padding_len + j] =
+ constant_time_select_8(decrypt_good,
+ rsa_decrypt[padding_len + j],
+ rand_premaster_secret[j]);
+ }
+
+ if (!ssl_generate_master_secret(s, rsa_decrypt + padding_len,
+ sizeof(rand_premaster_secret), 0)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+
+ ret = 1;
+ err:
+ OPENSSL_free(rsa_decrypt);
+ return ret;
+#else
+ /* Should never happen */
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_RSA, ERR_R_INTERNAL_ERROR);
+ return 0;
#endif
+}
+
+static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
+{
#ifndef OPENSSL_NO_DH
- if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
- EVP_PKEY *skey = NULL;
- DH *cdh;
+ EVP_PKEY *skey = NULL;
+ DH *cdh;
+ unsigned int i;
+ BIGNUM *pub_key;
+ const unsigned char *data;
+ EVP_PKEY *ckey = NULL;
+ int ret = 0;
- if (!PACKET_get_net_2(pkt, &i)) {
- if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
- goto f_err;
- }
- i = 0;
- }
- if (PACKET_remaining(pkt) != i) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
- goto err;
- }
- skey = s->s3->tmp.pkey;
- if (skey == NULL) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_TMP_DH_KEY);
- goto f_err;
- }
+ if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE,
+ SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
+ goto err;
+ }
+ skey = s->s3->tmp.pkey;
+ if (skey == NULL) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
+ goto err;
+ }
- if (PACKET_remaining(pkt) == 0L) {
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_TMP_DH_KEY);
- goto f_err;
- }
- if (!PACKET_get_bytes(pkt, &data, i)) {
- /* We already checked we have enough data */
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
- ckey = EVP_PKEY_new();
- if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
- goto err;
- }
- cdh = EVP_PKEY_get0_DH(ckey);
- cdh->pub_key = BN_bin2bn(data, i, NULL);
- if (cdh->pub_key == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BN_LIB);
- goto err;
- }
+ if (PACKET_remaining(pkt) == 0L) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_MISSING_TMP_DH_KEY);
+ goto err;
+ }
+ if (!PACKET_get_bytes(pkt, &data, i)) {
+ /* We already checked we have enough data */
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ ckey = EVP_PKEY_new();
+ if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) == 0) {
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_BN_LIB);
+ goto err;
+ }
+ cdh = EVP_PKEY_get0_DH(ckey);
+ pub_key = BN_bin2bn(data, i, NULL);
- if (ssl_derive(s, skey, ckey) == 0) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
+ if (pub_key == NULL || !DH_set0_key(cdh, pub_key, NULL)) {
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
+ if (pub_key != NULL)
+ BN_free(pub_key);
+ goto err;
+ }
- EVP_PKEY_free(ckey);
- ckey = NULL;
+ if (ssl_derive(s, skey, ckey) == 0) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
- } else
+ ret = 1;
+ EVP_PKEY_free(s->s3->tmp.pkey);
+ s->s3->tmp.pkey = NULL;
+ err:
+ EVP_PKEY_free(ckey);
+ return ret;
+#else
+ /* Should never happen */
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
+ return 0;
#endif
+}
+static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
+{
#ifndef OPENSSL_NO_EC
- if (alg_k & (SSL_kECDHE | SSL_kECDHr | SSL_kECDHe | SSL_kECDHEPSK)) {
- EVP_PKEY *skey = NULL;
+ EVP_PKEY *skey = s->s3->tmp.pkey;
+ EVP_PKEY *ckey = NULL;
+ int ret = 0;
- /* Let's get server private key and group information */
- if (alg_k & (SSL_kECDHr | SSL_kECDHe)) {
- /* use the certificate */
- skey = s->cert->pkeys[SSL_PKEY_ECC].privatekey;
- } else {
- /*
- * use the ephermeral values we saved when generating the
- * ServerKeyExchange msg.
- */
- skey = s->s3->tmp.pkey;
- }
+ if (PACKET_remaining(pkt) == 0L) {
+ /* We don't support ECDH client auth */
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_MISSING_TMP_ECDH_KEY);
+ goto err;
+ } else {
+ unsigned int i;
+ const unsigned char *data;
- if (PACKET_remaining(pkt) == 0L) {
- /* We don't support ECDH client auth */
- al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_MISSING_TMP_ECDH_KEY);
- goto f_err;
- } else {
- /*
- * Get client's public key from encoded point in the
- * ClientKeyExchange message.
- */
+ /*
+ * Get client's public key from encoded point in the
+ * ClientKeyExchange message.
+ */
- /* Get encoded point length */
- if (!PACKET_get_1(pkt, &i)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
- if (!PACKET_get_bytes(pkt, &data, i)
- || PACKET_remaining(pkt) != 0) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
- goto err;
- }
- ckey = EVP_PKEY_new();
- if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EVP_LIB);
- goto err;
- }
- if (EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(ckey), data, i,
- NULL) == 0) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_EC_LIB);
- goto err;
- }
+ /* Get encoded point length */
+ if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i)
+ || PACKET_remaining(pkt) != 0) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH);
+ goto err;
}
-
- if (ssl_derive(s, skey, ckey) == 0) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
+ ckey = EVP_PKEY_new();
+ if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) {
+ SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB);
+ goto err;
+ }
+ if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) {
+ *al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB);
+ goto err;
}
+ }
- EVP_PKEY_free(ckey);
- ckey = NULL;
+ if (ssl_derive(s, skey, ckey) == 0) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
- return MSG_PROCESS_CONTINUE_PROCESSING;
- } else
+ ret = 1;
+ EVP_PKEY_free(s->s3->tmp.pkey);
+ s->s3->tmp.pkey = NULL;
+ err:
+ EVP_PKEY_free(ckey);
+
+ return ret;
+#else
+ /* Should never happen */
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
+ return 0;
#endif
+}
+
+static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al)
+{
#ifndef OPENSSL_NO_SRP
- if (alg_k & SSL_kSRP) {
- if (!PACKET_get_net_2(pkt, &i)
- || !PACKET_get_bytes(pkt, &data, i)) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_BAD_SRP_A_LENGTH);
- goto f_err;
- }
- if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_BN_LIB);
- goto err;
- }
- if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
- || BN_is_zero(s->srp_ctx.A)) {
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_BAD_SRP_PARAMETERS);
- goto f_err;
- }
- OPENSSL_free(s->session->srp_username);
- s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
- if (s->session->srp_username == NULL) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto err;
- }
+ unsigned int i;
+ const unsigned char *data;
- if (!srp_generate_server_master_secret(s)) {
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- } else
-#endif /* OPENSSL_NO_SRP */
-#ifndef OPENSSL_NO_GOST
- if (alg_k & SSL_kGOST) {
- EVP_PKEY_CTX *pkey_ctx;
- EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
- unsigned char premaster_secret[32], *start;
- size_t outlen = 32, inlen;
- unsigned long alg_a;
- int Ttag, Tclass;
- long Tlen;
- long sess_key_len;
-
- /* Get our certificate private key */
- alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if (alg_a & SSL_aGOST12) {
- /*
- * New GOST ciphersuites have SSL_aGOST01 bit too
- */
- pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
- if (pk == NULL) {
- pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
- }
- if (pk == NULL) {
- pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
- }
- } else if (alg_a & SSL_aGOST01) {
- pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
- }
+ if (!PACKET_get_net_2(pkt, &i)
+ || !PACKET_get_bytes(pkt, &data, i)) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH);
+ return 0;
+ }
+ if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) {
+ SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB);
+ return 0;
+ }
+ if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) {
+ *al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS);
+ return 0;
+ }
+ OPENSSL_free(s->session->srp_username);
+ s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
+ if (s->session->srp_username == NULL) {
+ SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
- pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
- if (pkey_ctx == NULL) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto f_err;
- }
- if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto f_err;
- }
+ if (!srp_generate_server_master_secret(s)) {
+ SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ return 1;
+#else
+ /* Should never happen */
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_INTERNAL_ERROR);
+ return 0;
+#endif
+}
+
+static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al)
+{
+#ifndef OPENSSL_NO_GOST
+ EVP_PKEY_CTX *pkey_ctx;
+ EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
+ unsigned char premaster_secret[32];
+ const unsigned char *start;
+ size_t outlen = 32, inlen;
+ unsigned long alg_a;
+ int Ttag, Tclass;
+ long Tlen;
+ long sess_key_len;
+ const unsigned char *data;
+ int ret = 0;
+
+ /* Get our certificate private key */
+ alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+ if (alg_a & SSL_aGOST12) {
/*
- * If client certificate is present and is of the same type, maybe
- * use it for key exchange. Don't mind errors from
- * EVP_PKEY_derive_set_peer, because it is completely valid to use a
- * client certificate for authorization only.
+ * New GOST ciphersuites have SSL_aGOST01 bit too
*/
- client_pub_pkey = X509_get0_pubkey(s->session->peer);
- if (client_pub_pkey) {
- if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
- ERR_clear_error();
- }
- /* Decrypt session key */
- sess_key_len = PACKET_remaining(pkt);
- if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
- al = SSL_AD_INTERNAL_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto gerr;
+ pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey;
+ if (pk == NULL) {
+ pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey;
}
- if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag,
- &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
- || Ttag != V_ASN1_SEQUENCE
- || Tclass != V_ASN1_UNIVERSAL) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_DECRYPTION_FAILED);
- goto gerr;
+ if (pk == NULL) {
+ pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
}
- start = data;
- inlen = Tlen;
- if (EVP_PKEY_decrypt
- (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
- al = SSL_AD_DECODE_ERROR;
+ } else if (alg_a & SSL_aGOST01) {
+ pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+ }
+
+ pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
+ if (pkey_ctx == NULL) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /*
+ * If client certificate is present and is of the same type, maybe
+ * use it for key exchange. Don't mind errors from
+ * EVP_PKEY_derive_set_peer, because it is completely valid to use a
+ * client certificate for authorization only.
+ */
+ client_pub_pkey = X509_get0_pubkey(s->session->peer);
+ if (client_pub_pkey) {
+ if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0)
+ ERR_clear_error();
+ }
+ /* Decrypt session key */
+ sess_key_len = PACKET_remaining(pkt);
+ if (!PACKET_get_bytes(pkt, &data, sess_key_len)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag,
+ &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED
+ || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
+ goto err;
+ }
+ start = data;
+ inlen = Tlen;
+ if (EVP_PKEY_decrypt
+ (pkey_ctx, premaster_secret, &outlen, start, inlen) <= 0) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED);
+ goto err;
+ }
+ /* Generate master secret */
+ if (!ssl_generate_master_secret(s, premaster_secret,
+ sizeof(premaster_secret), 0)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ /* Check if pubkey from client certificate was used */
+ if (EVP_PKEY_CTX_ctrl
+ (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
+ s->statem.no_cert_verify = 1;
+
+ ret = 1;
+ err:
+ EVP_PKEY_CTX_free(pkey_ctx);
+ return ret;
+#else
+ /* Should never happen */
+ *al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR);
+ return 0;
+#endif
+}
+
+MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt)
+{
+ int al = -1;
+ unsigned long alg_k;
+
+ alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
+
+ /* For PSK parse and retrieve identity, obtain PSK key */
+ if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt, &al))
+ goto err;
+
+ if (alg_k & SSL_kPSK) {
+ /* Identity extracted earlier: should be nothing left */
+ if (PACKET_remaining(pkt) != 0) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
- SSL_R_DECRYPTION_FAILED);
- goto gerr;
+ SSL_R_LENGTH_MISMATCH);
+ goto err;
}
- /* Generate master secret */
- if (!ssl_generate_master_secret(s, premaster_secret,
- sizeof(premaster_secret), 0)) {
+ /* PSK handled by ssl_generate_master_secret */
+ if (!ssl_generate_master_secret(s, NULL, 0, 0)) {
al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
- goto gerr;
+ goto err;
}
- /* Check if pubkey from client certificate was used */
- if (EVP_PKEY_CTX_ctrl
- (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0)
- s->statem.no_cert_verify = 1;
-
- EVP_PKEY_CTX_free(pkey_ctx);
- return MSG_PROCESS_CONTINUE_PROCESSING;
- gerr:
- EVP_PKEY_CTX_free(pkey_ctx);
- goto f_err;
- } else
-#endif
- {
+ } else if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
+ if (!tls_process_cke_rsa(s, pkt, &al))
+ goto err;
+ } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
+ if (!tls_process_cke_dhe(s, pkt, &al))
+ goto err;
+ } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
+ if (!tls_process_cke_ecdhe(s, pkt, &al))
+ goto err;
+ } else if (alg_k & SSL_kSRP) {
+ if (!tls_process_cke_srp(s, pkt, &al))
+ goto err;
+ } else if (alg_k & SSL_kGOST) {
+ if (!tls_process_cke_gost(s, pkt, &al))
+ goto err;
+ } else {
al = SSL_AD_HANDSHAKE_FAILURE;
- SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE);
- goto f_err;
+ SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE,
+ SSL_R_UNKNOWN_CIPHER_TYPE);
+ goto err;
}
return MSG_PROCESS_CONTINUE_PROCESSING;
- f_err:
- ssl3_send_alert(s, SSL3_AL_FATAL, al);
-#if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_SRP)
err:
-#endif
-#if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
- EVP_PKEY_free(ckey);
-#endif
- OPENSSL_free(rsa_decrypt);
+ if (al != -1)
+ ssl3_send_alert(s, SSL3_AL_FATAL, al);
#ifndef OPENSSL_NO_PSK
OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
s->s3->tmp.psk = NULL;
sizeof(DTLS1_SCTP_AUTH_LABEL));
if (SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ sizeof(sctpauthkey), labelbuffer,
+ sizeof(labelbuffer), NULL, 0,
+ 0) <= 0) {
ossl_statem_set_error(s);
return WORK_ERROR;;
}
}
if ((wst == WORK_MORE_B)
- /* Is this SCTP? */
- && BIO_dgram_is_sctp(SSL_get_wbio(s))
- /* Are we renegotiating? */
- && s->renegotiate
- /* Are we going to skip the CertificateVerify? */
- && (s->session->peer == NULL || s->statem.no_cert_verify)
- && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
+ /* Is this SCTP? */
+ && BIO_dgram_is_sctp(SSL_get_wbio(s))
+ /* Are we renegotiating? */
+ && s->renegotiate
+ /* Are we going to skip the CertificateVerify? */
+ && (s->session->peer == NULL || s->statem.no_cert_verify)
+ && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) {
s->s3->in_read_app_data = 2;
s->rwstate = SSL_READING;
BIO_clear_retry_flags(SSL_get_rbio(s));
}
#endif
- if (s->statem.no_cert_verify) {
- /* No certificate verify so we no longer need the handshake_buffer */
- BIO_free(s->s3->handshake_buffer);
- s->s3->handshake_buffer = NULL;
+ if (s->statem.no_cert_verify || !s->session->peer) {
+ /*
+ * No certificate verify or no peer certificate so we no longer need
+ * the handshake_buffer
+ */
+ if (!ssl3_digest_cached_records(s, 0)) {
+ ossl_statem_set_error(s);
+ return WORK_ERROR;
+ }
return WORK_FINISHED_CONTINUE;
} else {
- if (!s->session->peer) {
- /* No peer certificate so we no longer need the handshake_buffer */
- BIO_free(s->s3->handshake_buffer);
- return WORK_FINISHED_CONTINUE;
- }
if (!s->s3->handshake_buffer) {
SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
{
EVP_PKEY *pkey = NULL;
- unsigned char *sig, *data;
+ const unsigned char *sig, *data;
+#ifndef OPENSSL_NO_GOST
+ unsigned char *gost_data = NULL;
+#endif
int al, ret = MSG_PROCESS_ERROR;
int type = 0, j;
unsigned int len;
* length field (CryptoPro implementations at least till CSP 4.0)
*/
#ifndef OPENSSL_NO_GOST
- if (PACKET_remaining(pkt) == 64 && pkey->type == NID_id_GostR3410_2001) {
+ if (PACKET_remaining(pkt) == 64
+ && EVP_PKEY_id(pkey) == NID_id_GostR3410_2001) {
len = 64;
} else
#endif
}
j = EVP_PKEY_size(pkey);
if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
- || (PACKET_remaining(pkt) == 0)) {
+ || (PACKET_remaining(pkt) == 0)) {
SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE);
al = SSL_AD_DECODE_ERROR;
goto f_err;
al = SSL_AD_INTERNAL_ERROR;
goto f_err;
}
-
#ifndef OPENSSL_NO_GOST
- if (pkey->type == NID_id_GostR3410_2001
- || pkey->type == NID_id_GostR3410_2012_256
- || pkey->type == NID_id_GostR3410_2012_512) {
- BUF_reverse(data, NULL, len);
+ {
+ int pktype = EVP_PKEY_id(pkey);
+ if (pktype == NID_id_GostR3410_2001
+ || pktype == NID_id_GostR3410_2012_256
+ || pktype == NID_id_GostR3410_2012_512) {
+ if ((gost_data = OPENSSL_malloc(len)) == NULL) {
+ SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+ BUF_reverse(gost_data, data, len);
+ data = gost_data;
+ }
}
#endif
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
EVP_MD_CTX_free(mctx);
+#ifndef OPENSSL_NO_GOST
+ OPENSSL_free(gost_data);
+#endif
return ret;
}
int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR;
X509 *x = NULL;
unsigned long l, llen;
- const unsigned char *certstart;
- unsigned char *certbytes;
+ const unsigned char *certstart, *certbytes;
STACK_OF(X509) *sk = NULL;
PACKET spkt;
}
if (!PACKET_get_net_3(pkt, &llen)
- || !PACKET_get_sub_packet(pkt, &spkt, llen)
- || PACKET_remaining(pkt) != 0) {
+ || !PACKET_get_sub_packet(pkt, &spkt, llen)
+ || PACKET_remaining(pkt) != 0) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH);
goto f_err;
while (PACKET_remaining(&spkt) > 0) {
if (!PACKET_get_net_3(&spkt, &l)
- || !PACKET_get_bytes(&spkt, &certbytes, l)) {
+ || !PACKET_get_bytes(&spkt, &certbytes, l)) {
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE,
SSL_R_CERT_LENGTH_MISMATCH);
s->session->peer_chain = sk;
/*
* Inconsistency alert: cert_chain does *not* include the peer's own
- * certificate, while we do include it in s3_clnt.c
+ * certificate, while we do include it in statem_clnt.c
*/
sk = NULL;
ret = MSG_PROCESS_CONTINUE_READING;
return ret;
}
-int tls_construct_server_certificate(SSL *s)
+int tls_construct_server_certificate(SSL *s, WPACKET *pkt)
{
CERT_PKEY *cpk;
cpk = ssl_get_server_send_pkey(s);
if (cpk == NULL) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
- if (!ssl3_output_cert_chain(s, cpk)) {
+ if (!ssl3_output_cert_chain(s, pkt, cpk)) {
SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR);
- ossl_statem_set_error(s);
return 0;
}
return 1;
}
-int tls_construct_new_session_ticket(SSL *s)
+int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
{
unsigned char *senc = NULL;
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx = NULL;
HMAC_CTX *hctx = NULL;
- unsigned char *p, *macstart;
+ unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
const unsigned char *const_p;
- int len, slen_full, slen;
+ int len, slen_full, slen, lenfinal;
SSL_SESSION *sess;
unsigned int hlen;
SSL_CTX *tctx = s->initial_ctx;
unsigned char iv[EVP_MAX_IV_LENGTH];
- unsigned char key_name[16];
+ unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
+ int iv_len;
+ size_t macoffset, macendoffset;
/* get session encoding length */
slen_full = i2d_SSL_SESSION(s->session, NULL);
return 0;
}
- EVP_CIPHER_CTX_init(&ctx);
+ ctx = EVP_CIPHER_CTX_new();
hctx = HMAC_CTX_new();
+ if (ctx == NULL || hctx == NULL) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
p = senc;
if (!i2d_SSL_SESSION(s->session, &p))
}
SSL_SESSION_free(sess);
- /*-
- * Grow buffer if need be: the length calculation is as
- * follows handshake_header_length +
- * 4 (ticket lifetime hint) + 2 (ticket length) +
- * 16 (key name) + max_iv_len (iv length) +
- * session_length + max_enc_block_size (max encrypted session
- * length) + max_md_size (HMAC).
- */
- if (!BUF_MEM_grow(s->init_buf,
- SSL_HM_HEADER_LENGTH(s) + 22 + EVP_MAX_IV_LENGTH +
- EVP_MAX_BLOCK_LENGTH + EVP_MAX_MD_SIZE + slen))
- goto err;
-
- p = ssl_handshake_start(s);
/*
* Initialize HMAC and cipher contexts. If callback present it does
* all the work otherwise use generated values from parent ctx.
*/
if (tctx->tlsext_ticket_key_cb) {
- if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx, hctx, 1) < 0)
+ /* if 0 is returned, write an empty ticket */
+ int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx,
+ hctx, 1);
+
+ if (ret == 0) {
+
+ /* Put timeout and length */
+ if (!WPACKET_put_bytes_u32(pkt, 0)
+ || !WPACKET_put_bytes_u16(pkt, 0)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ OPENSSL_free(senc);
+ EVP_CIPHER_CTX_free(ctx);
+ HMAC_CTX_free(hctx);
+ return 1;
+ }
+ if (ret < 0)
goto err;
+ iv_len = EVP_CIPHER_CTX_iv_length(ctx);
} else {
- if (RAND_bytes(iv, 16) <= 0)
+ const EVP_CIPHER *cipher = EVP_aes_256_cbc();
+
+ iv_len = EVP_CIPHER_iv_length(cipher);
+ if (RAND_bytes(iv, iv_len) <= 0)
goto err;
- if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
+ if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
tctx->tlsext_tick_aes_key, iv))
goto err;
- if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16,
+ if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
+ sizeof(tctx->tlsext_tick_hmac_key),
EVP_sha256(), NULL))
goto err;
- memcpy(key_name, tctx->tlsext_tick_key_name, 16);
+ memcpy(key_name, tctx->tlsext_tick_key_name,
+ sizeof(tctx->tlsext_tick_key_name));
}
/*
* for resumed session (for simplicity), and guess that tickets for
* new sessions will live as long as their sessions.
*/
- l2n(s->hit ? 0 : s->session->timeout, p);
-
- /* Skip ticket length for now */
- p += 2;
- /* Output key name */
- macstart = p;
- memcpy(p, key_name, 16);
- p += 16;
- /* output IV */
- memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
- p += EVP_CIPHER_CTX_iv_length(&ctx);
- /* Encrypt session data */
- if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen))
- goto err;
- p += len;
- if (!EVP_EncryptFinal(&ctx, p, &len))
+ if (!WPACKET_put_bytes_u32(pkt, s->hit ? 0 : s->session->timeout)
+ /* Now the actual ticket data */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_get_total_written(pkt, &macoffset)
+ /* Output key name */
+ || !WPACKET_memcpy(pkt, key_name, sizeof(key_name))
+ /* output IV */
+ || !WPACKET_memcpy(pkt, iv, iv_len)
+ || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH,
+ &encdata1)
+ /* Encrypt session data */
+ || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen)
+ || !WPACKET_allocate_bytes(pkt, len, &encdata2)
+ || encdata1 != encdata2
+ || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal)
+ || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2)
+ || encdata1 + len != encdata2
+ || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH
+ || !WPACKET_get_total_written(pkt, &macendoffset)
+ || !HMAC_Update(hctx,
+ (unsigned char *)s->init_buf->data + macoffset,
+ macendoffset - macoffset)
+ || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1)
+ || !HMAC_Final(hctx, macdata1, &hlen)
+ || hlen > EVP_MAX_MD_SIZE
+ || !WPACKET_allocate_bytes(pkt, hlen, &macdata2)
+ || macdata1 != macdata2
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
goto err;
- p += len;
-
- if (!HMAC_Update(hctx, macstart, p - macstart))
- goto err;
- if (!HMAC_Final(hctx, p, &hlen))
- goto err;
-
- EVP_CIPHER_CTX_cleanup(&ctx);
+ }
+ EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
-
- p += hlen;
- /* Now write out lengths: p points to end of data written */
- /* Total length */
- len = p - ssl_handshake_start(s);
- /* Skip ticket lifetime hint */
- p = ssl_handshake_start(s) + 4;
- s2n(len - 6, p);
- if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len))
- goto err;
OPENSSL_free(senc);
return 1;
err:
OPENSSL_free(senc);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
HMAC_CTX_free(hctx);
- ossl_statem_set_error(s);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
-int tls_construct_cert_status(SSL *s)
+int tls_construct_cert_status(SSL *s, WPACKET *pkt)
{
- unsigned char *p;
- /*-
- * Grow buffer if need be: the length calculation is as
- * follows 1 (message type) + 3 (message length) +
- * 1 (ocsp response type) + 3 (ocsp response length)
- * + (ocsp response)
- */
- if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
- ossl_statem_set_error(s);
+ if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
+ || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
+ s->tlsext_ocsp_resplen)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
return 0;
}
- p = (unsigned char *)s->init_buf->data;
-
- /* do the header */
- *(p++) = SSL3_MT_CERTIFICATE_STATUS;
- /* message length */
- l2n3(s->tlsext_ocsp_resplen + 4, p);
- /* status type */
- *(p++) = s->tlsext_status_type;
- /* length of OCSP response */
- l2n3(s->tlsext_ocsp_resplen, p);
- /* actual response */
- memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen);
- /* number of bytes to write */
- s->init_num = 8 + s->tlsext_ocsp_resplen;
- s->init_off = 0;
-
return 1;
}
goto err;
}
- if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated,
- &next_proto_len)) {
+ if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) {
s->next_proto_negotiated_len = 0;
goto err;
}
s->next_proto_negotiated_len = (unsigned char)next_proto_len;
return MSG_PROCESS_CONTINUE_READING;
-err:
+ err:
ossl_statem_set_error(s);
return MSG_PROCESS_ERROR;
}
STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
PACKET *cipher_suites,
STACK_OF(SSL_CIPHER) **skp,
- int sslv2format, int *al
- )
+ int sslv2format, int *al)
{
const SSL_CIPHER *c;
STACK_OF(SSL_CIPHER) *sk;
if ((skp == NULL) || (*skp == NULL)) {
sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */
- if(sk == NULL) {
+ if (sk == NULL) {
SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
*al = SSL_AD_INTERNAL_ERROR;
return NULL;
* first byte. We don't support any true SSLv2 ciphers, so skip them.
*/
if (sslv2format && cipher[0] != '\0')
- continue;
+ continue;
/* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
goto err;
}
s->s3->send_connection_binding = 1;
-#ifdef OPENSSL_RI_DEBUG
- fprintf(stderr, "SCSV received by server\n");
-#endif
continue;
}