X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=0689da0d3e94848e3ea3f10235acc8e8c8514d43;hp=103f3cc3a6b8073b73bc983198db0cd8a6b55aed;hb=e6575156204dfd50a63f6afbe98f6714d0799764;hpb=a71a4966a31b31df72db42c130544462fd6ad624 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 103f3cc3a6..0689da0d3e 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -180,9 +180,9 @@ static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, * 1: Success (transition allowed) * 0: Error (transition not allowed) */ -int server_read_transition(SSL *s, int mt) +int ossl_statem_server_read_transition(SSL *s, int mt) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; switch(st->hand_state) { case TLS_ST_BEFORE: @@ -310,7 +310,7 @@ int server_read_transition(SSL *s, int mt) * 1: Yes * 0: No */ -static inline int send_server_key_exchange(SSL *s) +static int send_server_key_exchange(SSL *s) { unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey; @@ -362,7 +362,7 @@ static inline int send_server_key_exchange(SSL *s) * 1: Yes * 0: No */ -static inline int send_certificate_request(SSL *s) +static int send_certificate_request(SSL *s) { if ( /* don't request cert unless asked for it: */ @@ -391,7 +391,7 @@ static inline int send_certificate_request(SSL *s) * With normal PSK Certificates and Certificate Requests * are omitted */ - && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) { + && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK)) { return 1; } @@ -402,9 +402,9 @@ static inline int send_certificate_request(SSL *s) * server_write_transition() works out what handshake state to move to next * when the server is writing messages to be sent to the client. */ -enum WRITE_TRAN server_write_transition(SSL *s) +WRITE_TRAN ossl_statem_server_write_transition(SSL *s) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; switch(st->hand_state) { case TLS_ST_BEFORE: @@ -520,9 +520,9 @@ enum WRITE_TRAN server_write_transition(SSL *s) * Perform any pre work that needs to be done prior to sending a message from * the server to the client. */ -enum WORK_STATE server_pre_work(SSL *s, enum WORK_STATE wst) +WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; switch(st->hand_state) { case TLS_ST_SW_HELLO_REQ: @@ -599,9 +599,9 @@ enum WORK_STATE server_pre_work(SSL *s, enum WORK_STATE wst) * Perform any work that needs to be done after sending a message from the * server to the client. */ -enum WORK_STATE server_post_work(SSL *s, enum WORK_STATE wst) +WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; s->init_num = 0; @@ -635,8 +635,8 @@ enum WORK_STATE server_post_work(SSL *s, enum WORK_STATE wst) * Add new shared key for SCTP-Auth, will be ignored if no * SCTP used. */ - snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), - DTLS1_SCTP_AUTH_LABEL); + memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, + sizeof(DTLS1_SCTP_AUTH_LABEL)); if (SSL_export_keying_material(s, sctpauthkey, sizeof(sctpauthkey), labelbuffer, @@ -707,9 +707,9 @@ enum WORK_STATE server_post_work(SSL *s, enum WORK_STATE wst) * 1: Success * 0: Error */ -int server_construct_message(SSL *s) +int ossl_statem_server_construct_message(SSL *s) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; switch(st->hand_state) { case DTLS_ST_SW_HELLO_VERIFY_REQUEST: @@ -767,9 +767,9 @@ int server_construct_message(SSL *s) * Returns the maximum allowed length for the current message that we are * reading. Excludes the message header. */ -unsigned long server_max_message_size(SSL *s) +unsigned long ossl_statem_server_max_message_size(SSL *s) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; switch(st->hand_state) { case TLS_ST_SR_CLNT_HELLO: @@ -806,9 +806,9 @@ unsigned long server_max_message_size(SSL *s) /* * Process a message that the server has received from the client. */ -enum MSG_PROCESS_RETURN server_process_message(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; switch(st->hand_state) { case TLS_ST_SR_CLNT_HELLO: @@ -846,9 +846,9 @@ enum MSG_PROCESS_RETURN server_process_message(SSL *s, PACKET *pkt) * Perform any further processing required following the receipt of a message * from the client */ -enum WORK_STATE server_post_process_message(SSL *s, enum WORK_STATE wst) +WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) { - STATEM *st = &s->statem; + OSSL_STATEM *st = &s->statem; switch(st->hand_state) { case TLS_ST_SR_CLNT_HELLO: @@ -876,12 +876,6 @@ enum WORK_STATE server_post_process_message(SSL *s, enum WORK_STATE wst) #endif return WORK_FINISHED_CONTINUE; - - case TLS_ST_SR_FINISHED: - if (s->hit) - return tls_finish_handshake(s, wst); - else - return WORK_FINISHED_STOP; default: break; } @@ -956,7 +950,7 @@ int dtls_construct_hello_verify_request(SSL *s) s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &(s->d1->cookie_len)) == 0 || s->d1->cookie_len > 255) { - SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, + SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); ossl_statem_set_error(s); return 0; @@ -976,7 +970,7 @@ int dtls_construct_hello_verify_request(SSL *s) return 1; } -enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) { int i, al = SSL_AD_INTERNAL_ERROR; unsigned int j, complen = 0; @@ -1145,7 +1139,8 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) /* No extensions. */ || PACKET_remaining(pkt) != 0) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, + SSL_R_RECORD_LENGTH_MISMATCH); al = SSL_AD_DECODE_ERROR; goto f_err; } @@ -1157,7 +1152,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (!PACKET_copy_bytes(&challenge, s->s3->client_random + SSL3_RANDOM_SIZE - challenge_len, challenge_len)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } @@ -1169,14 +1164,14 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (!PACKET_copy_bytes(pkt, s->s3->client_random, SSL3_RANDOM_SIZE) || !PACKET_get_length_prefixed_1(pkt, &session_id)) { al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } if (SSL_IS_DTLS(s)) { if (!PACKET_get_length_prefixed_1(pkt, &cookie)) { al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } /* @@ -1193,7 +1188,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites) || !PACKET_get_length_prefixed_1(pkt, &compression)) { al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } /* Could be empty. */ @@ -1253,7 +1248,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie), PACKET_remaining(&cookie)) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); goto f_err; /* else cookie verification succeeded */ @@ -1262,7 +1257,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); goto f_err; } s->d1->cookie_verified = 1; @@ -1274,7 +1269,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) s->version = DTLS1_2_VERSION; s->method = DTLSv1_2_server_method(); } else if (tls1_suiteb(s)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_ONLY_DTLS_1_2_ALLOWED_IN_SUITEB_MODE); s->version = s->client_version; al = SSL_AD_PROTOCOL_VERSION; @@ -1284,7 +1279,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) s->version = DTLS1_VERSION; s->method = DTLSv1_server_method(); } else { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); s->version = s->client_version; al = SSL_AD_PROTOCOL_VERSION; @@ -1325,7 +1320,7 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * to reuse it */ al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_REQUIRED_CIPHER_MISSING); goto f_err; } @@ -1340,14 +1335,14 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (j >= complen) { /* no compress */ al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_COMPRESSION_SPECIFIED); goto f_err; } /* TLS extensions */ if (s->version >= SSL3_VERSION) { if (!ssl_parse_clienthello_tlsext(s, &extensions)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_PARSE_TLSEXT); goto err; } } @@ -1515,9 +1510,9 @@ enum MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) } -enum WORK_STATE tls_post_process_client_hello(SSL *s, enum WORK_STATE wst) +WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) { - int al; + int al = SSL_AD_HANDSHAKE_FAILURE; SSL_CIPHER *cipher; if (wst == WORK_MORE_A) { @@ -1539,7 +1534,6 @@ enum WORK_STATE tls_post_process_client_hello(SSL *s, enum WORK_STATE wst) cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); if (cipher == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); goto f_err; } @@ -1557,8 +1551,10 @@ enum WORK_STATE tls_post_process_client_hello(SSL *s, enum WORK_STATE wst) } if (!SSL_USE_SIGALGS(s) || !(s->verify_mode & SSL_VERIFY_PEER)) { - if (!ssl3_digest_cached_records(s, 0)) + if (!ssl3_digest_cached_records(s, 0)) { + al = SSL_AD_INTERNAL_ERROR; goto f_err; + } } /*- @@ -1576,7 +1572,8 @@ enum WORK_STATE tls_post_process_client_hello(SSL *s, enum WORK_STATE wst) /* Handles TLS extensions that we couldn't check earlier */ if (s->version >= SSL3_VERSION) { if (ssl_check_clienthello_tlsext_late(s) <= 0) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_CLIENTHELLO_TLSEXT); goto f_err; } } @@ -2263,7 +2260,7 @@ int tls_construct_certificate_request(SSL *s) return 0; } -enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) { int al; unsigned int i; @@ -2313,7 +2310,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) } if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } @@ -2407,7 +2404,8 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) enc_premaster = orig; } else { al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, + SSL_R_LENGTH_MISMATCH); goto f_err; } } @@ -2421,7 +2419,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) */ if (RSA_size(rsa) < SSL_MAX_MASTER_KEY_LENGTH) { al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, RSA_R_KEY_SIZE_TOO_SMALL); goto f_err; } @@ -2429,7 +2427,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) rsa_decrypt = OPENSSL_malloc(RSA_size(rsa)); if (rsa_decrypt == NULL) { al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); goto f_err; } @@ -2890,8 +2888,7 @@ enum MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } -enum WORK_STATE tls_post_process_client_key_exchange(SSL *s, - enum WORK_STATE wst) +WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) { #ifndef OPENSSL_NO_SCTP if (wst == WORK_MORE_A) { @@ -2902,8 +2899,8 @@ enum WORK_STATE tls_post_process_client_key_exchange(SSL *s, * Add new shared key for SCTP-Auth, will be ignored if no SCTP * used. */ - snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL), - DTLS1_SCTP_AUTH_LABEL); + memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, + sizeof(DTLS1_SCTP_AUTH_LABEL)); if (SSL_export_keying_material(s, sctpauthkey, sizeof(sctpauthkey), labelbuffer, @@ -3001,7 +2998,7 @@ enum WORK_STATE tls_post_process_client_key_exchange(SSL *s, return WORK_FINISHED_CONTINUE; } -enum MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) { EVP_PKEY *pkey = NULL; unsigned char *sig, *data; @@ -3177,9 +3174,9 @@ enum MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) return ret; } -enum MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) { - int i, al, ret = MSG_PROCESS_ERROR; + int i, al = SSL_AD_INTERNAL_ERROR, ret = MSG_PROCESS_ERROR; X509 *x = NULL; unsigned long l, llen; const unsigned char *certstart; @@ -3246,7 +3243,6 @@ enum MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) } /* No client certificate so digest cached records */ if (s->s3->handshake_buffer && !ssl3_digest_cached_records(s, 0)) { - al = SSL_AD_INTERNAL_ERROR; goto f_err; } } else { @@ -3498,7 +3494,7 @@ int tls_construct_cert_status(SSL *s) * tls_process_next_proto reads a Next Protocol Negotiation handshake message. * It sets the next_proto member in s if found */ -enum MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) +MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) { PACKET next_proto, padding; size_t next_proto_len;