X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_srvr.c;h=cc737ba846a1214d1282014431e849c451690d0d;hp=a45acbd30ca909c5abf4f08490dc2b750b6e5961;hb=a29fa98cebdb2904dcf844d1aea7d1be3b6b913a;hpb=340a282853abbc9a95bfe63f58e6451a271df5a6 diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index a45acbd30c..cc737ba846 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -47,7 +47,6 @@ * OTHERWISE. */ - #include #include "../ssl_locl.h" #include "statem_locl.h" @@ -64,8 +63,9 @@ static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, - STACK_OF(SSL_CIPHER) **skp, - int sslv2format, int *al); + STACK_OF(SSL_CIPHER) + **skp, int sslv2format, + int *al); /* * server_read_transition() encapsulates the logic for the allowed handshake @@ -81,7 +81,10 @@ int ossl_statem_server_read_transition(SSL *s, int mt) { OSSL_STATEM *st = &s->statem; - switch(st->hand_state) { + switch (st->hand_state) { + default: + break; + case TLS_ST_BEFORE: case DTLS_ST_SW_HELLO_VERIFY_REQUEST: if (mt == SSL3_MT_CLIENT_HELLO) { @@ -207,9 +210,6 @@ int ossl_statem_server_read_transition(SSL *s, int mt) return 1; } break; - - default: - break; } /* No valid transition found */ @@ -237,7 +237,7 @@ static int send_server_key_exchange(SSL *s) * the server certificate contains the server's public key for * key exchange. */ - if (alg_k & (SSL_kDHE|SSL_kECDHE) + if (alg_k & (SSL_kDHE | SSL_kECDHE) /* * PSK: send ServerKeyExchange if PSK identity hint if * provided @@ -253,7 +253,7 @@ static int send_server_key_exchange(SSL *s) /* SRP: send ServerKeyExchange */ || (alg_k & SSL_kSRP) #endif - ) { + ) { return 1; } @@ -284,11 +284,11 @@ static int send_certificate_request(SSL *s) * RFC 2246): */ && (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) - /* - * ... except when the application insists on - * verification (against the specs, but statem_clnt.c accepts - * this for SSL 3) - */ + /* + * ... except when the application insists on + * verification (against the specs, but statem_clnt.c accepts + * this for SSL 3) + */ || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) /* don't request certificate for SRP auth */ && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aSRP) @@ -311,113 +311,113 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s) { OSSL_STATEM *st = &s->statem; - switch(st->hand_state) { - case TLS_ST_BEFORE: - /* Just go straight to trying to read from the client */; - return WRITE_TRAN_FINISHED; - - case TLS_ST_OK: - /* We must be trying to renegotiate */ - st->hand_state = TLS_ST_SW_HELLO_REQ; - return WRITE_TRAN_CONTINUE; + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return WRITE_TRAN_ERROR; - case TLS_ST_SW_HELLO_REQ: - st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); - return WRITE_TRAN_CONTINUE; + case TLS_ST_BEFORE: + /* Just go straight to trying to read from the client */ + return WRITE_TRAN_FINISHED; - case TLS_ST_SR_CLNT_HELLO: - if (SSL_IS_DTLS(s) && !s->d1->cookie_verified - && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) - st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; - else - st->hand_state = TLS_ST_SW_SRVR_HELLO; - return WRITE_TRAN_CONTINUE; + case TLS_ST_OK: + /* We must be trying to renegotiate */ + st->hand_state = TLS_ST_SW_HELLO_REQ; + return WRITE_TRAN_CONTINUE; - case DTLS_ST_SW_HELLO_VERIFY_REQUEST: - return WRITE_TRAN_FINISHED; + case TLS_ST_SW_HELLO_REQ: + st->hand_state = TLS_ST_OK; + ossl_statem_set_in_init(s, 0); + return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_SRVR_HELLO: - if (s->hit) { - if (s->tlsext_ticket_expected) - st->hand_state = TLS_ST_SW_SESSION_TICKET; - else - st->hand_state = TLS_ST_SW_CHANGE; - } else { - /* Check if it is anon DH or anon ECDH, */ - /* normal PSK or SRP */ - if (!(s->s3->tmp.new_cipher->algorithm_auth & - (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { - st->hand_state = TLS_ST_SW_CERT; - } else if (send_server_key_exchange(s)) { - st->hand_state = TLS_ST_SW_KEY_EXCH; - } else if (send_certificate_request(s)) { - st->hand_state = TLS_ST_SW_CERT_REQ; - } else { - st->hand_state = TLS_ST_SW_SRVR_DONE; - } - } - return WRITE_TRAN_CONTINUE; + case TLS_ST_SR_CLNT_HELLO: + if (SSL_IS_DTLS(s) && !s->d1->cookie_verified + && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) + st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; + else + st->hand_state = TLS_ST_SW_SRVR_HELLO; + return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_CERT: - if (s->tlsext_status_expected) { - st->hand_state = TLS_ST_SW_CERT_STATUS; - return WRITE_TRAN_CONTINUE; - } - /* Fall through */ + case DTLS_ST_SW_HELLO_VERIFY_REQUEST: + return WRITE_TRAN_FINISHED; - case TLS_ST_SW_CERT_STATUS: - if (send_server_key_exchange(s)) { + case TLS_ST_SW_SRVR_HELLO: + if (s->hit) { + if (s->tlsext_ticket_expected) + st->hand_state = TLS_ST_SW_SESSION_TICKET; + else + st->hand_state = TLS_ST_SW_CHANGE; + } else { + /* Check if it is anon DH or anon ECDH, */ + /* normal PSK or SRP */ + if (!(s->s3->tmp.new_cipher->algorithm_auth & + (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { + st->hand_state = TLS_ST_SW_CERT; + } else if (send_server_key_exchange(s)) { st->hand_state = TLS_ST_SW_KEY_EXCH; - return WRITE_TRAN_CONTINUE; - } - /* Fall through */ - - case TLS_ST_SW_KEY_EXCH: - if (send_certificate_request(s)) { + } else if (send_certificate_request(s)) { st->hand_state = TLS_ST_SW_CERT_REQ; - return WRITE_TRAN_CONTINUE; + } else { + st->hand_state = TLS_ST_SW_SRVR_DONE; } - /* Fall through */ + } + return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_CERT_REQ: - st->hand_state = TLS_ST_SW_SRVR_DONE; + case TLS_ST_SW_CERT: + if (s->tlsext_status_expected) { + st->hand_state = TLS_ST_SW_CERT_STATUS; return WRITE_TRAN_CONTINUE; + } + /* Fall through */ - case TLS_ST_SW_SRVR_DONE: - return WRITE_TRAN_FINISHED; - - case TLS_ST_SR_FINISHED: - if (s->hit) { - st->hand_state = TLS_ST_OK; - ossl_statem_set_in_init(s, 0); - return WRITE_TRAN_CONTINUE; - } else if (s->tlsext_ticket_expected) { - st->hand_state = TLS_ST_SW_SESSION_TICKET; - } else { - st->hand_state = TLS_ST_SW_CHANGE; - } + case TLS_ST_SW_CERT_STATUS: + if (send_server_key_exchange(s)) { + st->hand_state = TLS_ST_SW_KEY_EXCH; return WRITE_TRAN_CONTINUE; + } + /* Fall through */ - case TLS_ST_SW_SESSION_TICKET: - st->hand_state = TLS_ST_SW_CHANGE; + case TLS_ST_SW_KEY_EXCH: + if (send_certificate_request(s)) { + st->hand_state = TLS_ST_SW_CERT_REQ; return WRITE_TRAN_CONTINUE; + } + /* Fall through */ - case TLS_ST_SW_CHANGE: - st->hand_state = TLS_ST_SW_FINISHED; - return WRITE_TRAN_CONTINUE; + case TLS_ST_SW_CERT_REQ: + st->hand_state = TLS_ST_SW_SRVR_DONE; + return WRITE_TRAN_CONTINUE; - case TLS_ST_SW_FINISHED: - if (s->hit) { - return WRITE_TRAN_FINISHED; - } + case TLS_ST_SW_SRVR_DONE: + return WRITE_TRAN_FINISHED; + + case TLS_ST_SR_FINISHED: + if (s->hit) { st->hand_state = TLS_ST_OK; ossl_statem_set_in_init(s, 0); return WRITE_TRAN_CONTINUE; + } else if (s->tlsext_ticket_expected) { + st->hand_state = TLS_ST_SW_SESSION_TICKET; + } else { + st->hand_state = TLS_ST_SW_CHANGE; + } + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_SESSION_TICKET: + st->hand_state = TLS_ST_SW_CHANGE; + return WRITE_TRAN_CONTINUE; + + case TLS_ST_SW_CHANGE: + st->hand_state = TLS_ST_SW_FINISHED; + return WRITE_TRAN_CONTINUE; - default: - /* Shouldn't happen */ - return WRITE_TRAN_ERROR; + case TLS_ST_SW_FINISHED: + if (s->hit) { + return WRITE_TRAN_FINISHED; + } + st->hand_state = TLS_ST_OK; + ossl_statem_set_in_init(s, 0); + return WRITE_TRAN_CONTINUE; } } @@ -429,17 +429,21 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) { OSSL_STATEM *st = &s->statem; - switch(st->hand_state) { + switch (st->hand_state) { + default: + /* No pre work to be done */ + break; + case TLS_ST_SW_HELLO_REQ: s->shutdown = 0; if (SSL_IS_DTLS(s)) - dtls1_clear_record_buffer(s); + dtls1_clear_sent_buffer(s); break; case DTLS_ST_SW_HELLO_VERIFY_REQUEST: s->shutdown = 0; if (SSL_IS_DTLS(s)) { - dtls1_clear_record_buffer(s); + dtls1_clear_sent_buffer(s); /* We don't buffer this message so don't use the timer */ st->use_timer = 0; } @@ -491,10 +495,6 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) case TLS_ST_OK: return tls_finish_handshake(s, wst); - - default: - /* No pre work to be done */ - break; } return WORK_FINISHED_CONTINUE; @@ -510,7 +510,11 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) s->init_num = 0; - switch(st->hand_state) { + switch (st->hand_state) { + default: + /* No post work to be done */ + break; + case TLS_ST_SW_HELLO_REQ: if (statem_flush(s) != 1) return WORK_MORE_A; @@ -549,8 +553,9 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) sizeof(DTLS1_SCTP_AUTH_LABEL)); if (SSL_export_keying_material(s, sctpauthkey, - sizeof(sctpauthkey), labelbuffer, - sizeof(labelbuffer), NULL, 0, 0) <= 0) { + sizeof(sctpauthkey), labelbuffer, + sizeof(labelbuffer), NULL, 0, + 0) <= 0) { ossl_statem_set_error(s); return WORK_ERROR; } @@ -573,7 +578,8 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) } #endif if (!s->method->ssl3_enc->change_cipher_state(s, - SSL3_CHANGE_CIPHER_SERVER_WRITE)) { + SSL3_CHANGE_CIPHER_SERVER_WRITE)) + { ossl_statem_set_error(s); return WORK_ERROR; } @@ -601,10 +607,6 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) } #endif break; - - default: - /* No post work to be done */ - break; } return WORK_FINISHED_CONTINUE; @@ -621,7 +623,11 @@ int ossl_statem_server_construct_message(SSL *s) { OSSL_STATEM *st = &s->statem; - switch(st->hand_state) { + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return 0; + case DTLS_ST_SW_HELLO_VERIFY_REQUEST: return dtls_construct_hello_verify_request(s); @@ -661,13 +667,7 @@ int ossl_statem_server_construct_message(SSL *s) ssl3_enc->server_finished_label, s->method-> ssl3_enc->server_finished_label_len); - - default: - /* Shouldn't happen */ - break; } - - return 0; } /* @@ -698,7 +698,11 @@ unsigned long ossl_statem_server_max_message_size(SSL *s) { OSSL_STATEM *st = &s->statem; - switch(st->hand_state) { + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return 0; + case TLS_ST_SR_CLNT_HELLO: return CLIENT_HELLO_MAX_LENGTH; @@ -721,13 +725,7 @@ unsigned long ossl_statem_server_max_message_size(SSL *s) case TLS_ST_SR_FINISHED: return FINISHED_MAX_LENGTH; - - default: - /* Shouldn't happen */ - break; } - - return 0; } /* @@ -737,7 +735,11 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) { OSSL_STATEM *st = &s->statem; - switch(st->hand_state) { + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return MSG_PROCESS_ERROR; + case TLS_ST_SR_CLNT_HELLO: return tls_process_client_hello(s, pkt); @@ -760,13 +762,7 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) case TLS_ST_SR_FINISHED: return tls_process_finished(s, pkt); - - default: - /* Shouldn't happen */ - break; } - - return MSG_PROCESS_ERROR; } /* @@ -777,7 +773,11 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) { OSSL_STATEM *st = &s->statem; - switch(st->hand_state) { + switch (st->hand_state) { + default: + /* Shouldn't happen */ + return WORK_ERROR; + case TLS_ST_SR_CLNT_HELLO: return tls_post_process_client_hello(s, wst); @@ -786,11 +786,10 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) case TLS_ST_SR_CERT_VRFY: #ifndef OPENSSL_NO_SCTP - if ( /* Is this SCTP? */ - BIO_dgram_is_sctp(SSL_get_wbio(s)) - /* Are we renegotiating? */ - && s->renegotiate - && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { + if ( /* Is this SCTP? */ + BIO_dgram_is_sctp(SSL_get_wbio(s)) + /* Are we renegotiating? */ + && s->renegotiate && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { s->s3->in_read_app_data = 2; s->rwstate = SSL_READING; BIO_clear_retry_flags(SSL_get_rbio(s)); @@ -802,13 +801,8 @@ WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) } #endif return WORK_FINISHED_CONTINUE; - - default: - break; } - /* Shouldn't happen */ - return WORK_ERROR; } #ifndef OPENSSL_NO_SRP @@ -837,41 +831,35 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) int tls_construct_hello_request(SSL *s) { - if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) { + WPACKET pkt; + + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, SSL3_MT_HELLO_REQUEST) + || !ssl_close_construct_packet(s, &pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR); ossl_statem_set_error(s); + WPACKET_cleanup(&pkt); return 0; } return 1; } -unsigned int dtls_raw_hello_verify_request(unsigned char *buf, - unsigned char *cookie, - unsigned char cookie_len) +int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, + unsigned char cookie_len) { - unsigned int msg_len; - unsigned char *p; - - p = buf; /* Always use DTLS 1.0 version: see RFC 6347 */ - *(p++) = DTLS1_VERSION >> 8; - *(p++) = DTLS1_VERSION & 0xFF; - - *(p++) = (unsigned char)cookie_len; - memcpy(p, cookie, cookie_len); - p += cookie_len; - msg_len = p - buf; + if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION) + || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len)) + return 0; - return msg_len; + return 1; } int dtls_construct_hello_verify_request(SSL *s) { - unsigned int len; - unsigned char *buf; - - buf = (unsigned char *)s->init_buf->data; + size_t msglen; + WPACKET pkt; if (s->ctx->app_gen_cookie_cb == NULL || s->ctx->app_gen_cookie_cb(s, s->d1->cookie, @@ -883,15 +871,28 @@ int dtls_construct_hello_verify_request(SSL *s) return 0; } - len = dtls_raw_hello_verify_request(&buf[DTLS1_HM_HEADER_LENGTH], - s->d1->cookie, s->d1->cookie_len); - - dtls1_set_message_header(s, DTLS1_MT_HELLO_VERIFY_REQUEST, len, 0, - len); - len += DTLS1_HM_HEADER_LENGTH; + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, + DTLS1_MT_HELLO_VERIFY_REQUEST) + || !dtls_raw_hello_verify_request(&pkt, s->d1->cookie, + s->d1->cookie_len) + /* + * We don't call close_construct_packet() because we don't want + * to buffer this message + */ + || !WPACKET_close(&pkt) + || !WPACKET_get_length(&pkt, &msglen) + || !WPACKET_finish(&pkt)) { + SSLerr(SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); + WPACKET_cleanup(&pkt); + ossl_statem_set_error(s); + return 0; + } /* number of bytes to write */ - s->init_num = len; + s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH; + s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH; + s->init_num = (int)msglen; s->init_off = 0; return 1; @@ -936,7 +937,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) */ if (!PACKET_get_1(pkt, &mt) - || mt != SSL2_MT_CLIENT_HELLO) { + || mt != SSL2_MT_CLIENT_HELLO) { /* * Should never happen. We should have tested this in the record * layer in order to have determined that this is a SSLv2 record @@ -968,7 +969,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) * use version from inside client hello, not from record header (may * differ: see RFC 2246, Appendix E, second paragraph) */ - if(!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) { + if (!PACKET_get_net_2(pkt, (unsigned int *)&s->client_version)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); goto f_err; @@ -1012,8 +1013,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) PACKET challenge; if (!PACKET_get_net_2(pkt, &cipher_len) - || !PACKET_get_net_2(pkt, &session_id_len) - || !PACKET_get_net_2(pkt, &challenge_len)) { + || !PACKET_get_net_2(pkt, &session_id_len) + || !PACKET_get_net_2(pkt, &challenge_len)) { SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_RECORD_LENGTH_MISMATCH); al = SSL_AD_DECODE_ERROR; @@ -1080,15 +1081,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) */ if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (PACKET_remaining(&cookie) == 0) - return 1; + return 1; } } if (!PACKET_get_length_prefixed_2(pkt, &cipher_suites) || !PACKET_get_length_prefixed_1(pkt, &compression)) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); - goto f_err; + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; } /* Could be empty. */ extensions = *pkt; @@ -1099,16 +1100,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (s->ctx->app_verify_cookie_cb != NULL) { if (s->ctx->app_verify_cookie_cb(s, PACKET_data(&cookie), - PACKET_remaining(&cookie)) == 0) { + PACKET_remaining(&cookie)) == + 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); goto f_err; /* else cookie verification succeeded */ } - /* default verification */ - } else if (!PACKET_equal(&cookie, s->d1->cookie, - s->d1->cookie_len)) { + /* default verification */ + } else if (!PACKET_equal(&cookie, s->d1->cookie, s->d1->cookie_len)) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH); goto f_err; @@ -1183,8 +1184,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) id = s->session->cipher->id; #ifdef CIPHER_DEBUG - fprintf(stderr, "client sent %d ciphers\n", - sk_SSL_CIPHER_num(ciphers)); + fprintf(stderr, "client sent %d ciphers\n", sk_SSL_CIPHER_num(ciphers)); #endif for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { c = sk_SSL_CIPHER_value(ciphers, i); @@ -1405,7 +1405,8 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); if (rv == 0) { al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CERT_CB_ERROR); + SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_CERT_CB_ERROR); goto f_err; } if (rv < 0) { @@ -1414,17 +1415,19 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) } s->rwstate = SSL_NOTHING; } - cipher = ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); + cipher = + ssl3_choose_cipher(s, s->session->ciphers, SSL_get_ciphers(s)); if (cipher == NULL) { - SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER); + SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER); goto f_err; } s->s3->tmp.new_cipher = cipher; /* check whether we should disable session resumption */ if (s->not_resumable_session_cb != NULL) s->session->not_resumable = s->not_resumable_session_cb(s, - ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)); + ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) != 0)); if (s->session->not_resumable) /* do not send a session ticket */ s->tlsext_ticket_expected = 0; @@ -1443,8 +1446,8 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) /*- * we now have the following setup. * client_random - * cipher_list - our prefered list of ciphers - * ciphers - the clients prefered list of ciphers + * cipher_list - our preferred list of ciphers + * ciphers - the clients preferred list of ciphers * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. @@ -1454,7 +1457,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) /* Handles TLS extensions that we couldn't check earlier */ if (s->version >= SSL3_VERSION) { - if (ssl_check_clienthello_tlsext_late(s) <= 0) { + if (!ssl_check_clienthello_tlsext_late(s, &al)) { SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); goto f_err; @@ -1480,7 +1483,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) */ if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY) SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, - SSL_R_CLIENTHELLO_TLSEXT); + SSL_R_CLIENTHELLO_TLSEXT); goto f_err; } } @@ -1496,26 +1499,21 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) int tls_construct_server_hello(SSL *s) { - unsigned char *buf; - unsigned char *p, *d; - int i, sl; - int al = 0; - unsigned long l; - - buf = (unsigned char *)s->init_buf->data; - - /* Do the message type and length last */ - d = p = ssl_handshake_start(s); - - *(p++) = s->version >> 8; - *(p++) = s->version & 0xff; - - /* - * Random stuff. Filling of the server_random takes place in - * tls_process_client_hello() - */ - memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); - p += SSL3_RANDOM_SIZE; + int sl, compm, al = SSL_AD_INTERNAL_ERROR; + size_t len; + WPACKET pkt; + + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, SSL3_MT_SERVER_HELLO) + || !WPACKET_put_bytes_u16(&pkt, s->version) + /* + * Random stuff. Filling of the server_random takes place in + * tls_process_client_hello() + */ + || !WPACKET_memcpy(&pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + goto err; + } /*- * There are several cases for the session ID to send @@ -1541,67 +1539,59 @@ int tls_construct_server_hello(SSL *s) sl = s->session->session_id_length; if (sl > (int)sizeof(s->session->session_id)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; + goto err; } - *(p++) = sl; - memcpy(p, s->session->session_id, sl); - p += sl; - - /* put the cipher */ - i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p); - p += i; - /* put the compression method */ + /* set up the compression method */ #ifdef OPENSSL_NO_COMP - *(p++) = 0; + compm = 0; #else if (s->s3->tmp.new_compression == NULL) - *(p++) = 0; + compm = 0; else - *(p++) = s->s3->tmp.new_compression->id; + compm = s->s3->tmp.new_compression->id; #endif - if (ssl_prepare_serverhello_tlsext(s) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); - ossl_statem_set_error(s); - return 0; - } - if ((p = - ssl_add_serverhello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH, - &al)) == NULL) { - ssl3_send_alert(s, SSL3_AL_FATAL, al); - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; - } - - /* do the header */ - l = (p - d); - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_HELLO, l)) { + if (!WPACKET_sub_memcpy_u8(&pkt, s->session->session_id, sl) + || !s->method->put_cipher_by_char(s->s3->tmp.new_cipher, &pkt, &len) + || !WPACKET_put_bytes_u8(&pkt, compm) + || !ssl_prepare_serverhello_tlsext(s) + || !ssl_add_serverhello_tlsext(s, &pkt, &al) + || !ssl_close_construct_packet(s, &pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; + goto err; } return 1; + err: + WPACKET_cleanup(&pkt); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + ossl_statem_set_error(s); + return 0; } int tls_construct_server_done(SSL *s) { - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) { + WPACKET pkt; + + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, SSL3_MT_SERVER_DONE) + || !ssl_close_construct_packet(s, &pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR); - ossl_statem_set_error(s); - return 0; + goto err; } if (!s->s3->tmp.cert_request) { - if (!ssl3_digest_cached_records(s, 0)) { - ossl_statem_set_error(s); - } + if (!ssl3_digest_cached_records(s, 0)) + goto err; } - return 1; + + err: + WPACKET_cleanup(&pkt); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + ossl_statem_set_error(s); + return 0; } int tls_construct_server_key_exchange(SSL *s) @@ -1616,36 +1606,30 @@ int tls_construct_server_key_exchange(SSL *s) #endif EVP_PKEY *pkey; const EVP_MD *md = NULL; - unsigned char *p, *d; - int al, i; + int al = SSL_AD_INTERNAL_ERROR, i; unsigned long type; - int n; const BIGNUM *r[4]; - int nr[4], kn; - BUF_MEM *buf; EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); + WPACKET pkt; + size_t paramlen, paramoffset; + + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, + SSL3_MT_SERVER_KEY_EXCHANGE) + || !WPACKET_get_total_written(&pkt, ¶moffset)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); + goto f_err; + } if (md_ctx == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); - al = SSL_AD_INTERNAL_ERROR; goto f_err; } type = s->s3->tmp.new_cipher->algorithm_mkey; - buf = s->init_buf; - r[0] = r[1] = r[2] = r[3] = NULL; - n = 0; #ifndef OPENSSL_NO_PSK - if (type & SSL_PSK) { - /* - * reserve size for record length and PSK identity hint - */ - n += 2; - if (s->cert->psk_identity_hint) - n += strlen(s->cert->psk_identity_hint); - } /* Plain PSK or RSAPSK nothing to do */ if (type & (SSL_kPSK | SSL_kRSAPSK)) { } else @@ -1662,7 +1646,6 @@ int tls_construct_server_key_exchange(SSL *s) pkdh = EVP_PKEY_new(); if (pkdh == NULL || dhp == NULL) { DH_free(dhp); - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; @@ -1676,7 +1659,6 @@ int tls_construct_server_key_exchange(SSL *s) DH *dhp = s->cert->dh_tmp_cb(s, 0, 1024); pkdh = ssl_dh_to_pkey(dhp); if (pkdh == NULL) { - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; @@ -1702,7 +1684,7 @@ int tls_construct_server_key_exchange(SSL *s) goto err; } - s->s3->tmp.pkey = ssl_generate_pkey(pkdhp, NID_undef); + s->s3->tmp.pkey = ssl_generate_pkey(pkdhp); if (s->s3->tmp.pkey == NULL) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); @@ -1736,31 +1718,21 @@ int tls_construct_server_key_exchange(SSL *s) SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); goto err; } - s->s3->tmp.pkey = ssl_generate_pkey(NULL, nid); + s->s3->tmp.pkey = ssl_generate_pkey_curve(curve_id); /* Generate a new key for this curve */ if (s->s3->tmp.pkey == NULL) { - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EVP_LIB); goto f_err; } /* Encode the public key. */ - encodedlen = EC_KEY_key2buf(EVP_PKEY_get0_EC_KEY(s->s3->tmp.pkey), - POINT_CONVERSION_UNCOMPRESSED, - &encodedPoint, NULL); - + encodedlen = EVP_PKEY_get1_tls_encodedpoint(s->s3->tmp.pkey, + &encodedPoint); if (encodedlen == 0) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_EC_LIB); goto err; } - /* - * We only support named (not generic) curves in ECDH ephemeral key - * exchanges. In this situation, we need four additional bytes to - * encode the entire ServerECDHParams structure. - */ - n += 4 + encodedlen; - /* * We'll generate the serverKeyExchange message explicitly so we * can set these to NULLs @@ -1792,95 +1764,101 @@ int tls_construct_server_key_exchange(SSL *s) SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); goto f_err; } - for (i = 0; i < 4 && r[i] != NULL; i++) { - nr[i] = BN_num_bytes(r[i]); -#ifndef OPENSSL_NO_SRP - if ((i == 2) && (type & SSL_kSRP)) - n += 1 + nr[i]; - else -#endif - n += 2 + nr[i]; - } - if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL|SSL_aSRP)) + if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)) { if ((pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md)) == NULL) { al = SSL_AD_DECODE_ERROR; goto f_err; } - kn = EVP_PKEY_size(pkey); - /* Allow space for signature algorithm */ - if (SSL_USE_SIGALGS(s)) - kn += 2; - /* Allow space for signature length */ - kn += 2; } else { pkey = NULL; - kn = 0; - } - - if (!BUF_MEM_grow_clean(buf, n + SSL_HM_HEADER_LENGTH(s) + kn)) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_BUF); - goto err; } - d = p = ssl_handshake_start(s); #ifndef OPENSSL_NO_PSK if (type & SSL_PSK) { - /* copy PSK identity hint */ - if (s->cert->psk_identity_hint) { - size_t len = strlen(s->cert->psk_identity_hint); - if (len > PSK_MAX_IDENTITY_LEN) { - /* - * Should not happen - we already checked this when we set - * the identity hint - */ - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, - ERR_R_INTERNAL_ERROR); - goto err; - } - s2n(len, p); - memcpy(p, s->cert->psk_identity_hint, len); - p += len; - } else { - s2n(0, p); + size_t len = (s->cert->psk_identity_hint == NULL) + ? 0 : strlen(s->cert->psk_identity_hint); + + /* + * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already + * checked this when we set the identity hint - but just in case + */ + if (len > PSK_MAX_IDENTITY_LEN + || !WPACKET_sub_memcpy_u16(&pkt, s->cert->psk_identity_hint, + len)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; } } #endif for (i = 0; i < 4 && r[i] != NULL; i++) { + unsigned char *binval; + int res; + #ifndef OPENSSL_NO_SRP if ((i == 2) && (type & SSL_kSRP)) { - *p = nr[i]; - p++; + res = WPACKET_start_sub_packet_u8(&pkt); } else #endif - s2n(nr[i], p); - BN_bn2bin(r[i], p); - p += nr[i]; + res = WPACKET_start_sub_packet_u16(&pkt); + + if (!res) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + +#ifndef OPENSSL_NO_DH + /*- + * for interoperability with some versions of the Microsoft TLS + * stack, we need to zero pad the DHE pub key to the same length + * as the prime + */ + if ((i == 2) && (type & (SSL_kDHE | SSL_kDHEPSK))) { + size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]); + + if (len > 0) { + if (!WPACKET_allocate_bytes(&pkt, len, &binval)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + memset(binval, 0, len); + } + } +#endif + if (!WPACKET_allocate_bytes(&pkt, BN_num_bytes(r[i]), &binval) + || !WPACKET_close(&pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } + + BN_bn2bin(r[i], binval); } #ifndef OPENSSL_NO_EC if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { /* - * XXX: For now, we only support named (not generic) curves. In - * this situation, the serverKeyExchange message has: [1 byte - * CurveType], [2 byte CurveName] [1 byte length of encoded - * point], followed by the actual encoded point itself + * We only support named (not generic) curves. In this situation, the + * ServerKeyExchange message has: [1 byte CurveType], [2 byte CurveName] + * [1 byte length of encoded point], followed by the actual encoded + * point itself */ - *p = NAMED_CURVE_TYPE; - p += 1; - *p = 0; - p += 1; - *p = curve_id; - p += 1; - *p = encodedlen; - p += 1; - memcpy(p, encodedPoint, encodedlen); + if (!WPACKET_put_bytes_u8(&pkt, NAMED_CURVE_TYPE) + || !WPACKET_put_bytes_u8(&pkt, 0) + || !WPACKET_put_bytes_u8(&pkt, curve_id) + || !WPACKET_sub_memcpy_u8(&pkt, encodedPoint, encodedlen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } OPENSSL_free(encodedPoint); encodedPoint = NULL; - p += encodedlen; } #endif @@ -1891,36 +1869,49 @@ int tls_construct_server_key_exchange(SSL *s) * points to the space at the end. */ if (md) { + unsigned char *sigbytes1, *sigbytes2; + unsigned int siglen; + + /* Get length of the parameters we have written above */ + if (!WPACKET_get_length(&pkt, ¶mlen)) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); + goto f_err; + } /* send signature algorithm */ if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(p, pkey, md)) { + if (!tls12_get_sigandhash(&pkt, pkey, md)) { /* Should never happen */ - al = SSL_AD_INTERNAL_ERROR; SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; } - p += 2; } #ifdef SSL_DEBUG fprintf(stderr, "Using hash %s\n", EVP_MD_name(md)); #endif - if (EVP_SignInit_ex(md_ctx, md, NULL) <= 0 + /* + * Create the signature. We don't know the actual length of the sig + * until after we've created it, so we reserve enough bytes for it + * up front, and then properly allocate them in the WPACKET + * afterwards. + */ + if (!WPACKET_sub_reserve_bytes_u16(&pkt, EVP_PKEY_size(pkey), + &sigbytes1) + || EVP_SignInit_ex(md_ctx, md, NULL) <= 0 || EVP_SignUpdate(md_ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE) <= 0 || EVP_SignUpdate(md_ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE) <= 0 - || EVP_SignUpdate(md_ctx, d, n) <= 0 - || EVP_SignFinal(md_ctx, &(p[2]), - (unsigned int *)&i, pkey) <= 0) { - SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_LIB_EVP); - al = SSL_AD_INTERNAL_ERROR; + || EVP_SignUpdate(md_ctx, s->init_buf->data + paramoffset, + paramlen) <= 0 + || EVP_SignFinal(md_ctx, sigbytes1, &siglen, pkey) <= 0 + || !WPACKET_sub_allocate_bytes_u16(&pkt, siglen, &sigbytes2) + || sigbytes1 != sigbytes2) { + SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, + ERR_R_INTERNAL_ERROR); goto f_err; } - s2n(i, p); - n += i + 2; - if (SSL_USE_SIGALGS(s)) - n += 2; } else { /* Is this error check actually needed? */ al = SSL_AD_HANDSHAKE_FAILURE; @@ -1930,8 +1921,7 @@ int tls_construct_server_key_exchange(SSL *s) } } - if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_KEY_EXCHANGE, n)) { - al = SSL_AD_HANDSHAKE_FAILURE; + if (!ssl_close_construct_packet(s, &pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; } @@ -1949,69 +1939,72 @@ int tls_construct_server_key_exchange(SSL *s) #endif EVP_MD_CTX_free(md_ctx); ossl_statem_set_error(s); + WPACKET_cleanup(&pkt); return 0; } int tls_construct_certificate_request(SSL *s) { - unsigned char *p, *d; - int i, j, nl, off, n; + int i, nl; STACK_OF(X509_NAME) *sk = NULL; - X509_NAME *name; - BUF_MEM *buf; + WPACKET pkt; - buf = s->init_buf; + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, + SSL3_MT_CERTIFICATE_REQUEST)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } - d = p = ssl_handshake_start(s); /* get the list of acceptable cert types */ - p++; - n = ssl3_get_req_cert_type(s, p); - d[0] = n; - p += n; - n++; + if (!WPACKET_start_sub_packet_u8(&pkt) + || !ssl3_get_req_cert_type(s, &pkt) + || !WPACKET_close(&pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } if (SSL_USE_SIGALGS(s)) { const unsigned char *psigs; - unsigned char *etmp = p; nl = tls12_get_psigalgs(s, &psigs); - /* Skip over length for now */ - p += 2; - nl = tls12_copy_sigalgs(s, p, psigs, nl); - /* Now fill in length */ - s2n(nl, etmp); - p += nl; - n += nl + 2; + if (!WPACKET_start_sub_packet_u16(&pkt) + || !tls12_copy_sigalgs(s, &pkt, psigs, nl) + || !WPACKET_close(&pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, + ERR_R_INTERNAL_ERROR); + goto err; + } } - off = n; - p += 2; - n += 2; + /* Start sub-packet for client CA list */ + if (!WPACKET_start_sub_packet_u16(&pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); + goto err; + } sk = SSL_get_client_CA_list(s); - nl = 0; if (sk != NULL) { for (i = 0; i < sk_X509_NAME_num(sk); i++) { - name = sk_X509_NAME_value(sk, i); - j = i2d_X509_NAME(name, NULL); - if (!BUF_MEM_grow_clean - (buf, SSL_HM_HEADER_LENGTH(s) + n + j + 2)) { + unsigned char *namebytes; + X509_NAME *name = sk_X509_NAME_value(sk, i); + int namelen; + + if (name == NULL + || (namelen = i2d_X509_NAME(name, NULL)) < 0 + || !WPACKET_sub_allocate_bytes_u16(&pkt, namelen, + &namebytes) + || i2d_X509_NAME(name, &namebytes) != namelen) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, - ERR_R_BUF_LIB); + ERR_R_INTERNAL_ERROR); goto err; } - p = ssl_handshake_start(s) + n; - s2n(j, p); - i2d_X509_NAME(name, &p); - n += 2 + j; - nl += 2 + j; } } /* else no CA names */ - p = ssl_handshake_start(s) + off; - s2n(nl, p); - if (!ssl_set_handshake_header(s, SSL3_MT_CERTIFICATE_REQUEST, n)) { + if (!WPACKET_close(&pkt) + || !ssl_close_construct_packet(s, &pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST, ERR_R_INTERNAL_ERROR); goto err; } @@ -2020,6 +2013,8 @@ int tls_construct_certificate_request(SSL *s) return 1; err: + WPACKET_cleanup(&pkt); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); ossl_statem_set_error(s); return 0; } @@ -2043,8 +2038,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) } if (s->psk_server_callback == NULL) { *al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, - SSL_R_PSK_NO_SERVER_CB); + SSLerr(SSL_F_TLS_PROCESS_CKE_PSK_PREAMBLE, SSL_R_PSK_NO_SERVER_CB); return 0; } @@ -2055,7 +2049,7 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) } psklen = s->psk_server_callback(s, s->session->psk_identity, - psk, sizeof(psk)); + psk, sizeof(psk)); if (psklen > PSK_MAX_PSK_LEN) { *al = SSL_AD_INTERNAL_ERROR; @@ -2092,7 +2086,6 @@ static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt, int *al) #endif } - static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) { #ifndef OPENSSL_NO_RSA @@ -2151,8 +2144,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ - if (RAND_bytes(rand_premaster_secret, - sizeof(rand_premaster_secret)) <= 0) + if (RAND_bytes(rand_premaster_secret, sizeof(rand_premaster_secret)) <= 0) goto err; /* @@ -2180,7 +2172,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt, int *al) padding_len = decrypt_len - SSL_MAX_MASTER_KEY_LENGTH; decrypt_good = constant_time_eq_int_8(rsa_decrypt[0], 0) & - constant_time_eq_int_8(rsa_decrypt[1], 2); + constant_time_eq_int_8(rsa_decrypt[1], 2); for (j = 2; j < padding_len - 1; j++) { decrypt_good &= ~constant_time_is_zero_8(rsa_decrypt[j]); } @@ -2269,17 +2261,12 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al) EVP_PKEY *ckey = NULL; int ret = 0; - if (!PACKET_get_net_2(pkt, &i)) { + if (!PACKET_get_net_2(pkt, &i) || PACKET_remaining(pkt) != i) { *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); goto err; } - if (PACKET_remaining(pkt) != i) { - SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, - SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); - goto err; - } skey = s->s3->tmp.pkey; if (skey == NULL) { *al = SSL_AD_HANDSHAKE_FAILURE; @@ -2355,23 +2342,19 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al) */ /* Get encoded point length */ - if (!PACKET_get_1(pkt, &i)) { + if (!PACKET_get_1(pkt, &i) || !PACKET_get_bytes(pkt, &data, i) + || PACKET_remaining(pkt) != 0) { *al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, SSL_R_LENGTH_MISMATCH); goto err; } - if (!PACKET_get_bytes(pkt, &data, i) - || PACKET_remaining(pkt) != 0) { - SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB); - goto err; - } ckey = EVP_PKEY_new(); if (ckey == NULL || EVP_PKEY_copy_parameters(ckey, skey) <= 0) { SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EVP_LIB); goto err; } - if (EC_KEY_oct2key(EVP_PKEY_get0_EC_KEY(ckey), data, i, - NULL) == 0) { + if (EVP_PKEY_set1_tls_encodedpoint(ckey, data, i) == 0) { + *al = SSL_AD_HANDSHAKE_FAILURE; SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_EC_LIB); goto err; } @@ -2405,7 +2388,7 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) const unsigned char *data; if (!PACKET_get_net_2(pkt, &i) - || !PACKET_get_bytes(pkt, &data, i)) { + || !PACKET_get_bytes(pkt, &data, i)) { *al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_A_LENGTH); return 0; @@ -2414,8 +2397,7 @@ static int tls_process_cke_srp(SSL *s, PACKET *pkt, int *al) SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, ERR_R_BN_LIB); return 0; } - if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 - || BN_is_zero(s->srp_ctx.A)) { + if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) { *al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_TLS_PROCESS_CKE_SRP, SSL_R_BAD_SRP_PARAMETERS); return 0; @@ -2502,10 +2484,9 @@ static int tls_process_cke_gost(SSL *s, PACKET *pkt, int *al) SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, ERR_R_INTERNAL_ERROR); goto err; } - if (ASN1_get_object ((const unsigned char **)&data, &Tlen, &Ttag, - &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED - || Ttag != V_ASN1_SEQUENCE - || Tclass != V_ASN1_UNIVERSAL) { + if (ASN1_get_object((const unsigned char **)&data, &Tlen, &Ttag, + &Tclass, sess_key_len) != V_ASN1_CONSTRUCTED + || Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { *al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CKE_GOST, SSL_R_DECRYPTION_FAILED); goto err; @@ -2557,7 +2538,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) /* Identity extracted earlier: should be nothing left */ if (PACKET_remaining(pkt) != 0) { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_LENGTH_MISMATCH); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, + SSL_R_LENGTH_MISMATCH); goto err; } /* PSK handled by ssl_generate_master_secret */ @@ -2583,7 +2565,8 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) goto err; } else { al = SSL_AD_HANDSHAKE_FAILURE; - SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, SSL_R_UNKNOWN_CIPHER_TYPE); + SSLerr(SSL_F_TLS_PROCESS_CLIENT_KEY_EXCHANGE, + SSL_R_UNKNOWN_CIPHER_TYPE); goto err; } @@ -2614,8 +2597,9 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) sizeof(DTLS1_SCTP_AUTH_LABEL)); if (SSL_export_keying_material(s, sctpauthkey, - sizeof(sctpauthkey), labelbuffer, - sizeof(labelbuffer), NULL, 0, 0) <= 0) { + sizeof(sctpauthkey), labelbuffer, + sizeof(labelbuffer), NULL, 0, + 0) <= 0) { ossl_statem_set_error(s); return WORK_ERROR;; } @@ -2627,13 +2611,13 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) } if ((wst == WORK_MORE_B) - /* Is this SCTP? */ - && BIO_dgram_is_sctp(SSL_get_wbio(s)) - /* Are we renegotiating? */ - && s->renegotiate - /* Are we going to skip the CertificateVerify? */ - && (s->session->peer == NULL || s->statem.no_cert_verify) - && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { + /* Is this SCTP? */ + && BIO_dgram_is_sctp(SSL_get_wbio(s)) + /* Are we renegotiating? */ + && s->renegotiate + /* Are we going to skip the CertificateVerify? */ + && (s->session->peer == NULL || s->statem.no_cert_verify) + && BIO_dgram_sctp_msg_waiting(SSL_get_rbio(s))) { s->s3->in_read_app_data = 2; s->rwstate = SSL_READING; BIO_clear_retry_flags(SSL_get_rbio(s)); @@ -2646,8 +2630,9 @@ WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) #endif if (s->statem.no_cert_verify || !s->session->peer) { - /* No certificate verify or no peer certificate so we no longer need the - * handshake_buffer + /* + * No certificate verify or no peer certificate so we no longer need + * the handshake_buffer */ if (!ssl3_digest_cached_records(s, 0)) { ossl_statem_set_error(s); @@ -2757,7 +2742,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } j = EVP_PKEY_size(pkey); if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) - || (PACKET_remaining(pkt) == 0)) { + || (PACKET_remaining(pkt) == 0)) { SSLerr(SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_WRONG_SIGNATURE_SIZE); al = SSL_AD_DECODE_ERROR; goto f_err; @@ -2783,7 +2768,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) al = SSL_AD_INTERNAL_ERROR; goto f_err; } - #ifndef OPENSSL_NO_GOST { int pktype = EVP_PKEY_id(pkey); @@ -2846,8 +2830,8 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) } if (!PACKET_get_net_3(pkt, &llen) - || !PACKET_get_sub_packet(pkt, &spkt, llen) - || PACKET_remaining(pkt) != 0) { + || !PACKET_get_sub_packet(pkt, &spkt, llen) + || PACKET_remaining(pkt) != 0) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_LENGTH_MISMATCH); goto f_err; @@ -2855,7 +2839,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) while (PACKET_remaining(&spkt) > 0) { if (!PACKET_get_net_3(&spkt, &l) - || !PACKET_get_bytes(&spkt, &certbytes, l)) { + || !PACKET_get_bytes(&spkt, &certbytes, l)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, SSL_R_CERT_LENGTH_MISMATCH); @@ -2970,17 +2954,19 @@ int tls_construct_server_certificate(SSL *s) int tls_construct_new_session_ticket(SSL *s) { unsigned char *senc = NULL; - EVP_CIPHER_CTX *ctx; + EVP_CIPHER_CTX *ctx = NULL; HMAC_CTX *hctx = NULL; - unsigned char *p, *macstart; + unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2; const unsigned char *const_p; - int len, slen_full, slen; + int len, slen_full, slen, lenfinal; SSL_SESSION *sess; unsigned int hlen; SSL_CTX *tctx = s->initial_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; int iv_len; + size_t macoffset, macendoffset; + WPACKET pkt; /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -2998,8 +2984,18 @@ int tls_construct_new_session_ticket(SSL *s) return 0; } + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, SSL3_MT_NEWSESSION_TICKET)) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); + goto err; + } + ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); + if (ctx == NULL || hctx == NULL) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + goto err; + } p = senc; if (!i2d_SSL_SESSION(s->session, &p)) @@ -3026,21 +3022,6 @@ int tls_construct_new_session_ticket(SSL *s) } SSL_SESSION_free(sess); - /*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 4 (ticket lifetime hint) + 2 (ticket length) + - * sizeof(keyname) + max_iv_len (iv length) + - * max_enc_block_size (max encrypted session * length) + - * max_md_size (HMAC) + session_length. - */ - if (!BUF_MEM_grow(s->init_buf, - SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) + - EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + - EVP_MAX_MD_SIZE + slen)) - goto err; - - p = ssl_handshake_start(s); /* * Initialize HMAC and cipher contexts. If callback present it does * all the work otherwise use generated values from parent ctx. @@ -3051,10 +3032,15 @@ int tls_construct_new_session_ticket(SSL *s) hctx, 1); if (ret == 0) { - l2n(0, p); /* timeout */ - s2n(0, p); /* length */ - if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s))) + + /* Put timeout and length */ + if (!WPACKET_put_bytes_u32(&pkt, 0) + || !WPACKET_put_bytes_u16(&pkt, 0) + || !ssl_close_construct_packet(s, &pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; + } OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); @@ -3085,44 +3071,40 @@ int tls_construct_new_session_ticket(SSL *s) * for resumed session (for simplicity), and guess that tickets for * new sessions will live as long as their sessions. */ - l2n(s->hit ? 0 : s->session->timeout, p); - - /* Skip ticket length for now */ - p += 2; - /* Output key name */ - macstart = p; - memcpy(p, key_name, sizeof(key_name)); - p += sizeof(key_name); - /* output IV */ - memcpy(p, iv, iv_len); - p += iv_len; - /* Encrypt session data */ - if (!EVP_EncryptUpdate(ctx, p, &len, senc, slen)) - goto err; - p += len; - if (!EVP_EncryptFinal(ctx, p, &len)) + if (!WPACKET_put_bytes_u32(&pkt, s->hit ? 0 : s->session->timeout) + /* Now the actual ticket data */ + || !WPACKET_start_sub_packet_u16(&pkt) + || !WPACKET_get_total_written(&pkt, &macoffset) + /* Output key name */ + || !WPACKET_memcpy(&pkt, key_name, sizeof(key_name)) + /* output IV */ + || !WPACKET_memcpy(&pkt, iv, iv_len) + || !WPACKET_reserve_bytes(&pkt, slen + EVP_MAX_BLOCK_LENGTH, + &encdata1) + /* Encrypt session data */ + || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen) + || !WPACKET_allocate_bytes(&pkt, len, &encdata2) + || encdata1 != encdata2 + || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal) + || !WPACKET_allocate_bytes(&pkt, lenfinal, &encdata2) + || encdata1 + len != encdata2 + || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH + || !WPACKET_get_total_written(&pkt, &macendoffset) + || !HMAC_Update(hctx, + (unsigned char *)s->init_buf->data + macoffset, + macendoffset - macoffset) + || !WPACKET_reserve_bytes(&pkt, EVP_MAX_MD_SIZE, &macdata1) + || !HMAC_Final(hctx, macdata1, &hlen) + || hlen > EVP_MAX_MD_SIZE + || !WPACKET_allocate_bytes(&pkt, hlen, &macdata2) + || macdata1 != macdata2 + || !WPACKET_close(&pkt) + || !ssl_close_construct_packet(s, &pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); goto err; - p += len; - - if (!HMAC_Update(hctx, macstart, p - macstart)) - goto err; - if (!HMAC_Final(hctx, p, &hlen)) - goto err; - + } EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); - ctx = NULL; - hctx = NULL; - - p += hlen; - /* Now write out lengths: p points to end of data written */ - /* Total length */ - len = p - ssl_handshake_start(s); - /* Skip ticket lifetime hint */ - p = ssl_handshake_start(s) + 4; - s2n(len - 6, p); - if (!ssl_set_handshake_header(s, SSL3_MT_NEWSESSION_TICKET, len)) - goto err; OPENSSL_free(senc); return 1; @@ -3130,40 +3112,29 @@ int tls_construct_new_session_ticket(SSL *s) OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); ossl_statem_set_error(s); + WPACKET_cleanup(&pkt); return 0; } int tls_construct_cert_status(SSL *s) { - unsigned char *p; - /*- - * Grow buffer if need be: the length calculation is as - * follows 1 (message type) + 3 (message length) + - * 1 (ocsp response type) + 3 (ocsp response length) - * + (ocsp response) - */ - if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) { + WPACKET pkt; + + if (!WPACKET_init(&pkt, s->init_buf) + || !ssl_set_handshake_header(s, &pkt, SSL3_MT_CERTIFICATE_STATUS) + || !WPACKET_put_bytes_u8(&pkt, s->tlsext_status_type) + || !WPACKET_sub_memcpy_u24(&pkt, s->tlsext_ocsp_resp, + s->tlsext_ocsp_resplen) + || !ssl_close_construct_packet(s, &pkt)) { + SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); ossl_statem_set_error(s); + WPACKET_cleanup(&pkt); return 0; } - p = (unsigned char *)s->init_buf->data; - - /* do the header */ - *(p++) = SSL3_MT_CERTIFICATE_STATUS; - /* message length */ - l2n3(s->tlsext_ocsp_resplen + 4, p); - /* status type */ - *(p++) = s->tlsext_status_type; - /* length of OCSP response */ - l2n3(s->tlsext_ocsp_resplen, p); - /* actual response */ - memcpy(p, s->tlsext_ocsp_resp, s->tlsext_ocsp_resplen); - /* number of bytes to write */ - s->init_num = 8 + s->tlsext_ocsp_resplen; - s->init_off = 0; - return 1; } @@ -3191,8 +3162,7 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) goto err; } - if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, - &next_proto_len)) { + if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) { s->next_proto_negotiated_len = 0; goto err; } @@ -3200,7 +3170,7 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) s->next_proto_negotiated_len = (unsigned char)next_proto_len; return MSG_PROCESS_CONTINUE_READING; -err: + err: ossl_statem_set_error(s); return MSG_PROCESS_ERROR; } @@ -3211,8 +3181,7 @@ err: STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, PACKET *cipher_suites, STACK_OF(SSL_CIPHER) **skp, - int sslv2format, int *al - ) + int sslv2format, int *al) { const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; @@ -3239,7 +3208,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, if ((skp == NULL) || (*skp == NULL)) { sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */ - if(sk == NULL) { + if (sk == NULL) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); *al = SSL_AD_INTERNAL_ERROR; return NULL; @@ -3262,7 +3231,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, * first byte. We don't support any true SSLv2 ciphers, so skip them. */ if (sslv2format && cipher[0] != '\0') - continue; + continue; /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */ if ((cipher[n - 2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&