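Lines Matching refs:s (cross-reference listing: each entry gives the source line number, the matching line, and the enclosing function; entries ending in "argument" are where `s` is declared as a function parameter)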
31 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
32 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
34 static ossl_inline int cert_req_allowed(SSL *s);
35 static int key_exchange_expected(SSL *s);
36 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
46 static ossl_inline int cert_req_allowed(SSL *s) in cert_req_allowed() argument
49 if ((s->version > SSL3_VERSION in cert_req_allowed()
50 && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)) in cert_req_allowed()
51 || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) in cert_req_allowed()
64 static int key_exchange_expected(SSL *s) in key_exchange_expected() argument
66 long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in key_exchange_expected()
89 static int ossl_statem_client13_read_transition(SSL *s, int mt) in ossl_statem_client13_read_transition() argument
91 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_read_transition()
122 if (s->hit) { in ossl_statem_client13_read_transition()
174 if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { in ossl_statem_client13_read_transition()
175 s->post_handshake_auth = SSL_PHA_REQUESTED; in ossl_statem_client13_read_transition()
182 if (!tls13_restore_handshake_digest_for_pha(s)) { in ossl_statem_client13_read_transition()
206 int ossl_statem_client_read_transition(SSL *s, int mt) in ossl_statem_client_read_transition() argument
208 OSSL_STATEM *st = &s->statem; in ossl_statem_client_read_transition()
215 if (SSL_IS_TLS13(s)) { in ossl_statem_client_read_transition()
216 if (!ossl_statem_client13_read_transition(s, mt)) in ossl_statem_client_read_transition()
231 if (SSL_IS_DTLS(s)) { in ossl_statem_client_read_transition()
252 if (s->hit) { in ossl_statem_client_read_transition()
253 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
263 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { in ossl_statem_client_read_transition()
266 } else if (s->version >= TLS1_VERSION in ossl_statem_client_read_transition()
267 && s->ext.session_secret_cb != NULL in ossl_statem_client_read_transition()
268 && s->session->ext.tick != NULL in ossl_statem_client_read_transition()
276 s->hit = 1; in ossl_statem_client_read_transition()
279 } else if (!(s->s3.tmp.new_cipher->algorithm_auth in ossl_statem_client_read_transition()
286 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
289 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
296 && cert_req_allowed(s)) { in ossl_statem_client_read_transition()
312 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { in ossl_statem_client_read_transition()
319 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
321 if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
333 if (cert_req_allowed(s)) { in ossl_statem_client_read_transition()
349 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
384 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { in ossl_statem_client_read_transition()
391 s->init_num = 0; in ossl_statem_client_read_transition()
392 s->rwstate = SSL_READING; in ossl_statem_client_read_transition()
393 rbio = SSL_get_rbio(s); in ossl_statem_client_read_transition()
398 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in ossl_statem_client_read_transition()
407 static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) in ossl_statem_client13_write_transition() argument
409 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_write_transition()
419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
423 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_client13_write_transition()
431 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { in ossl_statem_client13_write_transition()
433 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
440 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY in ossl_statem_client13_write_transition()
441 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client13_write_transition()
443 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client13_write_transition()
444 && s->hello_retry_request == SSL_HRR_NONE) in ossl_statem_client13_write_transition()
447 st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT in ossl_statem_client13_write_transition()
452 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { in ossl_statem_client13_write_transition()
460 st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT in ossl_statem_client13_write_transition()
466 st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY in ossl_statem_client13_write_transition()
482 if (s->key_update != SSL_KEY_UPDATE_NONE) { in ossl_statem_client13_write_transition()
496 WRITE_TRAN ossl_statem_client_write_transition(SSL *s) in ossl_statem_client_write_transition() argument
498 OSSL_STATEM *st = &s->statem; in ossl_statem_client_write_transition()
505 if (SSL_IS_TLS13(s)) in ossl_statem_client_write_transition()
506 return ossl_statem_client13_write_transition(s); in ossl_statem_client_write_transition()
511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_write_transition()
515 if (!s->renegotiate) { in ossl_statem_client_write_transition()
529 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { in ossl_statem_client_write_transition()
534 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) in ossl_statem_client_write_transition()
552 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client_write_transition()
553 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client_write_transition()
567 if (s->s3.tmp.cert_req) in ossl_statem_client_write_transition()
588 if (s->s3.tmp.cert_req == 1) { in ossl_statem_client_write_transition()
593 if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { in ossl_statem_client_write_transition()
603 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_client_write_transition()
605 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { in ossl_statem_client_write_transition()
611 if (!SSL_IS_DTLS(s) && s->s3.npn_seen) in ossl_statem_client_write_transition()
626 if (s->hit) { in ossl_statem_client_write_transition()
634 if (s->hit) { in ossl_statem_client_write_transition()
647 if (ssl3_renegotiate_check(s, 1)) { in ossl_statem_client_write_transition()
648 if (!tls_setup_handshake(s)) { in ossl_statem_client_write_transition()
664 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) in ossl_statem_client_pre_work() argument
666 OSSL_STATEM *st = &s->statem; in ossl_statem_client_pre_work()
674 s->shutdown = 0; in ossl_statem_client_pre_work()
675 if (SSL_IS_DTLS(s)) { in ossl_statem_client_pre_work()
677 if (!ssl3_init_finished_mac(s)) { in ossl_statem_client_pre_work()
685 if (SSL_IS_DTLS(s)) { in ossl_statem_client_pre_work()
686 if (s->hit) { in ossl_statem_client_pre_work()
694 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { in ossl_statem_client_pre_work()
696 return dtls_wait_for_dry(s); in ossl_statem_client_pre_work()
708 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING in ossl_statem_client_pre_work()
709 || s->early_data_state == SSL_EARLY_DATA_NONE) in ossl_statem_client_pre_work()
714 return tls_finish_handshake(s, wst, 0, 1); in ossl_statem_client_pre_work()
718 return tls_finish_handshake(s, wst, 1, 1); in ossl_statem_client_pre_work()
728 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) in ossl_statem_client_post_work() argument
730 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_work()
732 s->init_num = 0; in ossl_statem_client_post_work()
740 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
741 && s->max_early_data > 0) { in ossl_statem_client_post_work()
747 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { in ossl_statem_client_post_work()
748 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
755 } else if (!statem_flush(s)) { in ossl_statem_client_post_work()
759 if (SSL_IS_DTLS(s)) { in ossl_statem_client_post_work()
761 s->first_packet = 1; in ossl_statem_client_post_work()
770 EVP_CIPHER_CTX_free(s->enc_write_ctx); in ossl_statem_client_post_work()
771 s->enc_write_ctx = NULL; in ossl_statem_client_post_work()
775 if (tls_client_key_exchange_post_work(s) == 0) { in ossl_statem_client_post_work()
782 if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_client_post_work()
784 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
785 && s->max_early_data > 0) { in ossl_statem_client_post_work()
791 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
796 s->session->cipher = s->s3.tmp.new_cipher; in ossl_statem_client_post_work()
798 s->session->compress_meth = 0; in ossl_statem_client_post_work()
800 if (s->s3.tmp.new_compression == NULL) in ossl_statem_client_post_work()
801 s->session->compress_meth = 0; in ossl_statem_client_post_work()
803 s->session->compress_meth = s->s3.tmp.new_compression->id; in ossl_statem_client_post_work()
805 if (!s->method->ssl3_enc->setup_key_block(s)) { in ossl_statem_client_post_work()
810 if (!s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
816 if (SSL_IS_DTLS(s)) { in ossl_statem_client_post_work()
818 if (s->hit) { in ossl_statem_client_post_work()
823 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, in ossl_statem_client_post_work()
828 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); in ossl_statem_client_post_work()
834 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) { in ossl_statem_client_post_work()
839 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, in ossl_statem_client_post_work()
843 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
846 if (SSL_IS_TLS13(s)) { in ossl_statem_client_post_work()
847 if (!tls13_save_handshake_digest_for_pha(s)) { in ossl_statem_client_post_work()
851 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { in ossl_statem_client_post_work()
852 if (!s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
862 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
864 if (!tls13_update_key(s, 1)) { in ossl_statem_client_post_work()
882 int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, in ossl_statem_client_construct_message() argument
885 OSSL_STATEM *st = &s->statem; in ossl_statem_client_construct_message()
890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in ossl_statem_client_construct_message()
894 if (SSL_IS_DTLS(s)) in ossl_statem_client_construct_message()
955 size_t ossl_statem_client_max_message_size(SSL *s) in ossl_statem_client_max_message_size() argument
957 OSSL_STATEM *st = &s->statem; in ossl_statem_client_max_message_size()
971 return s->max_cert_list; in ossl_statem_client_max_message_size()
988 return s->max_cert_list; in ossl_statem_client_max_message_size()
994 if (s->version == DTLS1_BAD_VER) in ossl_statem_client_max_message_size()
999 return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 in ossl_statem_client_max_message_size()
1016 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) in ossl_statem_client_process_message() argument
1018 OSSL_STATEM *st = &s->statem; in ossl_statem_client_process_message()
1023 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_process_message()
1027 return tls_process_server_hello(s, pkt); in ossl_statem_client_process_message()
1030 return dtls_process_hello_verify(s, pkt); in ossl_statem_client_process_message()
1033 return tls_process_server_certificate(s, pkt); in ossl_statem_client_process_message()
1036 return tls_process_cert_verify(s, pkt); in ossl_statem_client_process_message()
1039 return tls_process_cert_status(s, pkt); in ossl_statem_client_process_message()
1042 return tls_process_key_exchange(s, pkt); in ossl_statem_client_process_message()
1045 return tls_process_certificate_request(s, pkt); in ossl_statem_client_process_message()
1048 return tls_process_server_done(s, pkt); in ossl_statem_client_process_message()
1051 return tls_process_change_cipher_spec(s, pkt); in ossl_statem_client_process_message()
1054 return tls_process_new_session_ticket(s, pkt); in ossl_statem_client_process_message()
1057 return tls_process_finished(s, pkt); in ossl_statem_client_process_message()
1060 return tls_process_hello_req(s, pkt); in ossl_statem_client_process_message()
1063 return tls_process_encrypted_extensions(s, pkt); in ossl_statem_client_process_message()
1066 return tls_process_key_update(s, pkt); in ossl_statem_client_process_message()
1074 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst) in ossl_statem_client_post_process_message() argument
1076 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_process_message()
1081 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_post_process_message()
1085 return tls_post_process_server_certificate(s, wst); in ossl_statem_client_post_process_message()
1089 return tls_prepare_client_certificate(s, wst); in ossl_statem_client_post_process_message()
1093 int tls_construct_client_hello(SSL *s, WPACKET *pkt) in tls_construct_client_hello() argument
1101 SSL_SESSION *sess = s->session; in tls_construct_client_hello()
1105 protverr = ssl_set_client_hello_version(s); in tls_construct_client_hello()
1107 SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); in tls_construct_client_hello()
1112 || !ssl_version_supported(s, sess->ssl_version, NULL) in tls_construct_client_hello()
1114 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1115 && !ssl_get_new_session(s, 0)) { in tls_construct_client_hello()
1122 p = s->s3.client_random; in tls_construct_client_hello()
1128 if (SSL_IS_DTLS(s)) { in tls_construct_client_hello()
1131 for (idx = 0; idx < sizeof(s->s3.client_random); idx++) { in tls_construct_client_hello()
1138 i = (s->hello_retry_request == SSL_HRR_NONE); in tls_construct_client_hello()
1141 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), in tls_construct_client_hello()
1143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1180 if (!WPACKET_put_bytes_u16(pkt, s->client_version) in tls_construct_client_hello()
1181 || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { in tls_construct_client_hello()
1182 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1187 session_id = s->session->session_id; in tls_construct_client_hello()
1188 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { in tls_construct_client_hello()
1189 if (s->version == TLS1_3_VERSION in tls_construct_client_hello()
1190 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { in tls_construct_client_hello()
1191 sess_id_len = sizeof(s->tmp_session_id); in tls_construct_client_hello()
1192 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1193 session_id = s->tmp_session_id; in tls_construct_client_hello()
1194 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1195 && RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id, in tls_construct_client_hello()
1197 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1204 assert(s->session->session_id_length <= sizeof(s->session->session_id)); in tls_construct_client_hello()
1205 sess_id_len = s->session->session_id_length; in tls_construct_client_hello()
1206 if (s->version == TLS1_3_VERSION) { in tls_construct_client_hello()
1207 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1208 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); in tls_construct_client_hello()
1215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1220 if (SSL_IS_DTLS(s)) { in tls_construct_client_hello()
1221 if (s->d1->cookie_len > sizeof(s->d1->cookie) in tls_construct_client_hello()
1222 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, in tls_construct_client_hello()
1223 s->d1->cookie_len)) { in tls_construct_client_hello()
1224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1231 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1235 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { in tls_construct_client_hello()
1240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1250 if (ssl_allow_compression(s) in tls_construct_client_hello()
1251 && s->ctx->comp_methods in tls_construct_client_hello()
1252 && (SSL_IS_DTLS(s) || s->s3.tmp.max_ver < TLS1_3_VERSION)) { in tls_construct_client_hello()
1253 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); in tls_construct_client_hello()
1255 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); in tls_construct_client_hello()
1257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1270 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { in tls_construct_client_hello()
1278 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) in dtls_process_hello_verify() argument
1285 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1290 if (cookie_len > sizeof(s->d1->cookie)) { in dtls_process_hello_verify()
1291 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG); in dtls_process_hello_verify()
1295 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { in dtls_process_hello_verify()
1296 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1299 s->d1->cookie_len = cookie_len; in dtls_process_hello_verify()
1304 static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) in set_client_ciphersuite() argument
1310 c = ssl_get_cipher_by_char(s, cipherchars, 0); in set_client_ciphersuite()
1313 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED); in set_client_ciphersuite()
1320 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { in set_client_ciphersuite()
1321 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1325 sk = ssl_get_ciphers_by_id(s); in set_client_ciphersuite()
1329 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1333 if (SSL_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL in set_client_ciphersuite()
1334 && s->s3.tmp.new_cipher->id != c->id) { in set_client_ciphersuite()
1336 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1345 if (s->session->cipher != NULL) in set_client_ciphersuite()
1346 s->session->cipher_id = s->session->cipher->id; in set_client_ciphersuite()
1347 if (s->hit && (s->session->cipher_id != c->id)) { in set_client_ciphersuite()
1348 if (SSL_IS_TLS13(s)) { in set_client_ciphersuite()
1353 if (ssl_md(s->ctx, c->algorithm2) in set_client_ciphersuite()
1354 != ssl_md(s->ctx, s->session->cipher->algorithm2)) { in set_client_ciphersuite()
1355 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1364 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1369 s->s3.tmp.new_cipher = c; in set_client_ciphersuite()
1374 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) in tls_process_server_hello() argument
1389 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1394 if (s->version == TLS1_3_VERSION in tls_process_server_hello()
1398 s->hello_retry_request = SSL_HRR_PENDING; in tls_process_server_hello()
1401 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1405 if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) { in tls_process_server_hello()
1406 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1413 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1417 if (session_id_len > sizeof(s->session->session_id) in tls_process_server_hello()
1419 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG); in tls_process_server_hello()
1424 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1429 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_hello()
1443 if (!tls_collect_extensions(s, &extpkt, in tls_process_server_hello()
1451 if (!ssl_choose_client_version(s, sversion, extensions)) { in tls_process_server_hello()
1457 if (SSL_IS_TLS13(s) || hrr) { in tls_process_server_hello()
1459 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1464 if (session_id_len != s->tmp_session_id_len in tls_process_server_hello()
1465 || memcmp(PACKET_data(&session_id), s->tmp_session_id, in tls_process_server_hello()
1467 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID); in tls_process_server_hello()
1473 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1478 return tls_process_as_hello_retry_request(s, &extpkt); in tls_process_server_hello()
1485 context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO in tls_process_server_hello()
1487 if (!tls_validate_all_contexts(s, context, extensions)) { in tls_process_server_hello()
1488 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); in tls_process_server_hello()
1492 s->hit = 0; in tls_process_server_hello()
1494 if (SSL_IS_TLS13(s)) { in tls_process_server_hello()
1499 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_server_hello()
1500 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, in tls_process_server_hello()
1506 if (!tls_parse_extension(s, TLSEXT_IDX_psk, in tls_process_server_hello()
1525 if (s->version >= TLS1_VERSION in tls_process_server_hello()
1526 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { in tls_process_server_hello()
1533 master_key_length = sizeof(s->session->master_key); in tls_process_server_hello()
1534 if (s->ext.session_secret_cb(s, s->session->master_key, in tls_process_server_hello()
1537 s->ext.session_secret_cb_arg) in tls_process_server_hello()
1539 s->session->master_key_length = master_key_length; in tls_process_server_hello()
1540 s->session->cipher = pref_cipher ? in tls_process_server_hello()
1541 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); in tls_process_server_hello()
1543 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1549 && session_id_len == s->session->session_id_length in tls_process_server_hello()
1550 && memcmp(PACKET_data(&session_id), s->session->session_id, in tls_process_server_hello()
1552 s->hit = 1; in tls_process_server_hello()
1555 if (s->hit) { in tls_process_server_hello()
1556 if (s->sid_ctx_length != s->session->sid_ctx_length in tls_process_server_hello()
1557 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { in tls_process_server_hello()
1559 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1571 if (s->session->session_id_length > 0) { in tls_process_server_hello()
1572 tsan_counter(&s->session_ctx->stats.sess_miss); in tls_process_server_hello()
1573 if (!ssl_get_new_session(s, 0)) { in tls_process_server_hello()
1579 s->session->ssl_version = s->version; in tls_process_server_hello()
1586 if (!SSL_IS_TLS13(s)) { in tls_process_server_hello()
1587 s->session->session_id_length = session_id_len; in tls_process_server_hello()
1590 memcpy(s->session->session_id, PACKET_data(&session_id), in tls_process_server_hello()
1596 if (s->version != s->session->ssl_version) { in tls_process_server_hello()
1597 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, in tls_process_server_hello()
1605 s->s3.tmp.min_ver = s->version; in tls_process_server_hello()
1606 s->s3.tmp.max_ver = s->version; in tls_process_server_hello()
1608 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1615 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1623 if (s->session->compress_meth != 0) { in tls_process_server_hello()
1624 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); in tls_process_server_hello()
1628 if (s->hit && compression != s->session->compress_meth) { in tls_process_server_hello()
1629 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1635 else if (!ssl_allow_compression(s)) { in tls_process_server_hello()
1636 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED); in tls_process_server_hello()
1639 comp = ssl3_comp_find(s->ctx->comp_methods, compression); in tls_process_server_hello()
1643 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1647 s->s3.tmp.new_compression = comp; in tls_process_server_hello()
1651 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { in tls_process_server_hello()
1657 if (SSL_IS_DTLS(s) && s->hit) { in tls_process_server_hello()
1671 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_process_server_hello()
1674 if (SSL_export_keying_material(s, sctpauthkey, in tls_process_server_hello()
1678 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1682 BIO_ctrl(SSL_get_wbio(s), in tls_process_server_hello()
1692 if (SSL_IS_TLS13(s) in tls_process_server_hello()
1693 && (!s->method->ssl3_enc->setup_key_block(s) in tls_process_server_hello()
1694 || !s->method->ssl3_enc->change_cipher_state(s, in tls_process_server_hello()
1707 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, in tls_process_as_hello_retry_request() argument
1716 EVP_CIPHER_CTX_free(s->enc_write_ctx); in tls_process_as_hello_retry_request()
1717 s->enc_write_ctx = NULL; in tls_process_as_hello_retry_request()
1719 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1721 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1730 if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { in tls_process_as_hello_retry_request()
1735 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR); in tls_process_as_hello_retry_request()
1743 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { in tls_process_as_hello_retry_request()
1754 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, in tls_process_as_hello_retry_request()
1755 s->init_num + SSL3_HM_HEADER_LENGTH)) { in tls_process_as_hello_retry_request()
1767 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) in tls_process_server_certificate() argument
1775 if ((s->session->peer_chain = sk_X509_new_null()) == NULL) { in tls_process_server_certificate()
1776 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_server_certificate()
1780 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) in tls_process_server_certificate()
1785 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_certificate()
1791 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
1796 x = X509_new_ex(s->ctx->libctx, s->ctx->propq); in tls_process_server_certificate()
1798 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_server_certificate()
1804 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB); in tls_process_server_certificate()
1809 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
1813 if (SSL_IS_TLS13(s)) { in tls_process_server_certificate()
1818 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_certificate()
1821 if (!tls_collect_extensions(s, &extensions, in tls_process_server_certificate()
1824 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, in tls_process_server_certificate()
1834 if (!sk_X509_push(s->session->peer_chain, x)) { in tls_process_server_certificate()
1835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_server_certificate()
1844 sk_X509_pop_free(s->session->peer_chain, X509_free); in tls_process_server_certificate()
1845 s->session->peer_chain = NULL; in tls_process_server_certificate()
1854 WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) in tls_post_process_server_certificate() argument
1862 i = ssl_verify_cert_chain(s, s->session->peer_chain); in tls_post_process_server_certificate()
1864 s->rwstate = SSL_RETRY_VERIFY; in tls_post_process_server_certificate()
1881 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { in tls_post_process_server_certificate()
1882 SSLfatal(s, ssl_x509err2alert(s->verify_result), in tls_post_process_server_certificate()
1892 x = sk_X509_value(s->session->peer_chain, 0); in tls_post_process_server_certificate()
1897 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_post_process_server_certificate()
1903 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
1911 if (!SSL_IS_TLS13(s)) { in tls_post_process_server_certificate()
1912 if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { in tls_post_process_server_certificate()
1913 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
1918 X509_free(s->session->peer); in tls_post_process_server_certificate()
1920 s->session->peer = x; in tls_post_process_server_certificate()
1921 s->session->verify_result = s->verify_result; in tls_post_process_server_certificate()
1924 if (SSL_IS_TLS13(s) in tls_post_process_server_certificate()
1925 && !ssl_handshake_hash(s, s->cert_verify_hash, in tls_post_process_server_certificate()
1926 sizeof(s->cert_verify_hash), in tls_post_process_server_certificate()
1927 &s->cert_verify_hash_len)) { in tls_post_process_server_certificate()
1934 static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt) in tls_process_ske_psk_preamble() argument
1942 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_psk_preamble()
1953 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG); in tls_process_ske_psk_preamble()
1958 OPENSSL_free(s->session->psk_identity_hint); in tls_process_ske_psk_preamble()
1959 s->session->psk_identity_hint = NULL; in tls_process_ske_psk_preamble()
1961 &s->session->psk_identity_hint)) { in tls_process_ske_psk_preamble()
1962 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
1968 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
1973 static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_srp() argument
1982 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_srp()
1986 if ((s->srp_ctx.N = in tls_process_ske_srp()
1989 || (s->srp_ctx.g = in tls_process_ske_srp()
1992 || (s->srp_ctx.s = in tls_process_ske_srp()
1995 || (s->srp_ctx.B = in tls_process_ske_srp()
1998 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_srp()
2002 if (!srp_verify_server_param(s)) { in tls_process_ske_srp()
2008 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_srp()
2009 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_srp()
2013 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_srp()
2018 static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_dhe() argument
2031 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_dhe()
2041 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_dhe()
2052 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
2056 pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); in tls_process_ske_dhe()
2058 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
2063 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
2068 pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq); in tls_process_ske_dhe()
2078 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
2082 if (!ssl_security(s, SSL_SECOP_TMP_DH, in tls_process_ske_dhe()
2085 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); in tls_process_ske_dhe()
2089 s->s3.peer_tmp = peer_tmp; in tls_process_ske_dhe()
2096 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_dhe()
2097 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_dhe()
2114 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_ecdhe() argument
2125 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_ske_ecdhe()
2133 || !tls1_check_group_id(s, curve_id, 1)) { in tls_process_ske_ecdhe()
2134 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); in tls_process_ske_ecdhe()
2138 if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { in tls_process_ske_ecdhe()
2139 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_ske_ecdhe()
2145 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_ecdhe()
2149 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, in tls_process_ske_ecdhe()
2152 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); in tls_process_ske_ecdhe()
2161 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) in tls_process_ske_ecdhe()
2162 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_ecdhe()
2163 else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA) in tls_process_ske_ecdhe()
2164 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_ecdhe()
2168 s->session->kex_group = curve_id; in tls_process_ske_ecdhe()
2172 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) in tls_process_key_exchange() argument
2180 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_process_key_exchange()
2184 EVP_PKEY_free(s->s3.peer_tmp); in tls_process_key_exchange()
2185 s->s3.peer_tmp = NULL; in tls_process_key_exchange()
2188 if (!tls_process_ske_psk_preamble(s, pkt)) { in tls_process_key_exchange()
2197 if (!tls_process_ske_srp(s, pkt, &pkey)) { in tls_process_key_exchange()
2202 if (!tls_process_ske_dhe(s, pkt, &pkey)) { in tls_process_key_exchange()
2207 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { in tls_process_key_exchange()
2212 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_key_exchange()
2231 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_key_exchange()
2235 if (SSL_USE_SIGALGS(s)) { in tls_process_key_exchange()
2239 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_key_exchange()
2242 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { in tls_process_key_exchange()
2246 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { in tls_process_key_exchange()
2247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_key_exchange()
2251 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) { in tls_process_key_exchange()
2252 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_key_exchange()
2256 if (SSL_USE_SIGALGS(s)) in tls_process_key_exchange()
2262 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_key_exchange()
2268 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_key_exchange()
2274 s->ctx->libctx, s->ctx->propq, pkey, in tls_process_key_exchange()
2276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2279 if (SSL_USE_PSS(s)) { in tls_process_key_exchange()
2283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2287 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params), in tls_process_key_exchange()
2298 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); in tls_process_key_exchange()
2305 if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) in tls_process_key_exchange()
2308 if (ssl3_check_cert_and_algorithm(s)) { in tls_process_key_exchange()
2309 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA); in tls_process_key_exchange()
2316 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE); in tls_process_key_exchange()
2327 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) in tls_process_certificate_request() argument
2333 s->s3.tmp.valid_flags[i] = 0; in tls_process_certificate_request()
2335 if (SSL_IS_TLS13(s)) { in tls_process_certificate_request()
2339 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { in tls_process_certificate_request()
2349 OPENSSL_free(s->s3.tmp.ctype); in tls_process_certificate_request()
2350 s->s3.tmp.ctype = NULL; in tls_process_certificate_request()
2351 s->s3.tmp.ctype_len = 0; in tls_process_certificate_request()
2352 OPENSSL_free(s->pha_context); in tls_process_certificate_request()
2353 s->pha_context = NULL; in tls_process_certificate_request()
2354 s->pha_context_len = 0; in tls_process_certificate_request()
2357 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { in tls_process_certificate_request()
2358 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2363 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
2366 if (!tls_collect_extensions(s, &extensions, in tls_process_certificate_request()
2369 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, in tls_process_certificate_request()
2376 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
2385 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2389 if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) { in tls_process_certificate_request()
2390 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_certificate_request()
2394 if (SSL_USE_SIGALGS(s)) { in tls_process_certificate_request()
2398 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2406 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { in tls_process_certificate_request()
2407 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_certificate_request()
2411 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2412 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_certificate_request()
2418 if (!parse_ca_names(s, pkt)) { in tls_process_certificate_request()
2425 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2430 s->s3.tmp.cert_req = 1; in tls_process_certificate_request()
2440 if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) in tls_process_certificate_request()
2446 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) in tls_process_new_session_ticket() argument
2458 || (SSL_IS_TLS13(s) in tls_process_new_session_ticket()
2462 || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) in tls_process_new_session_ticket()
2464 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2484 if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) { in tls_process_new_session_ticket()
2491 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { in tls_process_new_session_ticket()
2492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_new_session_ticket()
2496 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 in tls_process_new_session_ticket()
2497 && !SSL_IS_TLS13(s)) { in tls_process_new_session_ticket()
2503 SSL_CTX_remove_session(s->session_ctx, s->session); in tls_process_new_session_ticket()
2506 SSL_SESSION_free(s->session); in tls_process_new_session_ticket()
2507 s->session = new_sess; in tls_process_new_session_ticket()
2510 s->session->time = time(NULL); in tls_process_new_session_ticket()
2511 ssl_session_calculate_timeout(s->session); in tls_process_new_session_ticket()
2513 OPENSSL_free(s->session->ext.tick); in tls_process_new_session_ticket()
2514 s->session->ext.tick = NULL; in tls_process_new_session_ticket()
2515 s->session->ext.ticklen = 0; in tls_process_new_session_ticket()
2517 s->session->ext.tick = OPENSSL_malloc(ticklen); in tls_process_new_session_ticket()
2518 if (s->session->ext.tick == NULL) { in tls_process_new_session_ticket()
2519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_new_session_ticket()
2522 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { in tls_process_new_session_ticket()
2523 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2527 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; in tls_process_new_session_ticket()
2528 s->session->ext.tick_age_add = age_add; in tls_process_new_session_ticket()
2529 s->session->ext.ticklen = ticklen; in tls_process_new_session_ticket()
2531 if (SSL_IS_TLS13(s)) { in tls_process_new_session_ticket()
2536 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2540 if (!tls_collect_extensions(s, &extpkt, in tls_process_new_session_ticket()
2543 || !tls_parse_all_extensions(s, in tls_process_new_session_ticket()
2562 sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq); in tls_process_new_session_ticket()
2565 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls_process_new_session_ticket()
2572 if (!EVP_Digest(s->session->ext.tick, ticklen, in tls_process_new_session_ticket()
2573 s->session->session_id, &sess_len, in tls_process_new_session_ticket()
2575 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_new_session_ticket()
2580 s->session->session_id_length = sess_len; in tls_process_new_session_ticket()
2581 s->session->not_resumable = 0; in tls_process_new_session_ticket()
2584 if (SSL_IS_TLS13(s)) { in tls_process_new_session_ticket()
2585 const EVP_MD *md = ssl_handshake_md(s); in tls_process_new_session_ticket()
2592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_new_session_ticket()
2597 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, in tls_process_new_session_ticket()
2602 s->session->master_key, in tls_process_new_session_ticket()
2607 s->session->master_key_length = hashlen; in tls_process_new_session_ticket()
2610 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); in tls_process_new_session_ticket()
2625 int tls_process_cert_status_body(SSL *s, PACKET *pkt) in tls_process_cert_status_body() argument
2632 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE); in tls_process_cert_status_body()
2637 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
2640 s->ext.ocsp.resp = OPENSSL_malloc(resplen); in tls_process_cert_status_body()
2641 if (s->ext.ocsp.resp == NULL) { in tls_process_cert_status_body()
2642 s->ext.ocsp.resp_len = 0; in tls_process_cert_status_body()
2643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cert_status_body()
2646 s->ext.ocsp.resp_len = resplen; in tls_process_cert_status_body()
2647 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { in tls_process_cert_status_body()
2648 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
2656 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) in tls_process_cert_status() argument
2658 if (!tls_process_cert_status_body(s, pkt)) { in tls_process_cert_status()
2672 int tls_process_initial_server_flight(SSL *s) in tls_process_initial_server_flight() argument
2678 if (!ssl3_check_cert_and_algorithm(s)) { in tls_process_initial_server_flight()
2688 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing in tls_process_initial_server_flight()
2689 && s->ctx->ext.status_cb != NULL) { in tls_process_initial_server_flight()
2690 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); in tls_process_initial_server_flight()
2693 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, in tls_process_initial_server_flight()
2698 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_initial_server_flight()
2704 if (s->ct_validation_callback != NULL) { in tls_process_initial_server_flight()
2706 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { in tls_process_initial_server_flight()
2716 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) in tls_process_server_done() argument
2720 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_done()
2724 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_process_server_done()
2725 if (ssl_srp_calc_a_param_intern(s) <= 0) { in tls_process_server_done()
2726 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); in tls_process_server_done()
2732 if (!tls_process_initial_server_flight(s)) { in tls_process_server_done()
2740 static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) in tls_construct_cke_psk_preamble() argument
2756 if (s->psk_client_callback == NULL) { in tls_construct_cke_psk_preamble()
2757 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB); in tls_construct_cke_psk_preamble()
2763 psklen = s->psk_client_callback(s, s->session->psk_identity_hint, in tls_construct_cke_psk_preamble()
2768 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
2772 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND); in tls_construct_cke_psk_preamble()
2778 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
2785 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_psk_preamble()
2789 OPENSSL_free(s->s3.tmp.psk); in tls_construct_cke_psk_preamble()
2790 s->s3.tmp.psk = tmppsk; in tls_construct_cke_psk_preamble()
2791 s->s3.tmp.psklen = psklen; in tls_construct_cke_psk_preamble()
2793 OPENSSL_free(s->session->psk_identity); in tls_construct_cke_psk_preamble()
2794 s->session->psk_identity = tmpidentity; in tls_construct_cke_psk_preamble()
2798 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
2812 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
2817 static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) in tls_construct_cke_rsa() argument
2826 if (s->session->peer == NULL) { in tls_construct_cke_rsa()
2830 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
2834 pkey = X509_get0_pubkey(s->session->peer); in tls_construct_cke_rsa()
2836 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
2843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_rsa()
2847 pms[0] = s->client_version >> 8; in tls_construct_cke_rsa()
2848 pms[1] = s->client_version & 0xff; in tls_construct_cke_rsa()
2849 if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) { in tls_construct_cke_rsa()
2850 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_rsa()
2855 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { in tls_construct_cke_rsa()
2856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
2860 pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pkey, s->ctx->propq); in tls_construct_cke_rsa()
2863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_rsa()
2868 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT); in tls_construct_cke_rsa()
2875 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { in tls_construct_cke_rsa()
2876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
2881 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { in tls_construct_cke_rsa()
2886 s->s3.tmp.pms = pms; in tls_construct_cke_rsa()
2887 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_rsa()
2897 static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) in tls_construct_cke_dhe() argument
2906 skey = s->s3.peer_tmp; in tls_construct_cke_dhe()
2908 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2912 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_dhe()
2914 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2918 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_dhe()
2928 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2942 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2949 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2960 static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) in tls_construct_cke_ecdhe() argument
2967 skey = s->s3.peer_tmp; in tls_construct_cke_ecdhe()
2969 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
2973 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_ecdhe()
2975 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_ecdhe()
2979 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_ecdhe()
2988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); in tls_construct_cke_ecdhe()
2993 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
3004 static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) in tls_construct_cke_gost() argument
3018 if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) in tls_construct_cke_gost()
3024 peer_cert = s->session->peer; in tls_construct_cke_gost()
3026 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost()
3031 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, in tls_construct_cke_gost()
3033 s->ctx->propq); in tls_construct_cke_gost()
3035 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost()
3048 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost()
3055 || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) { in tls_construct_cke_gost()
3056 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3066 || EVP_DigestUpdate(ukm_hash, s->s3.client_random, in tls_construct_cke_gost()
3068 || EVP_DigestUpdate(ukm_hash, s->s3.server_random, in tls_construct_cke_gost()
3071 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3078 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3094 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3099 s->s3.tmp.pms = pms; in tls_construct_cke_gost()
3100 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost()
3109 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3115 int ossl_gost18_cke_cipher_nid(const SSL *s) in ossl_gost18_cke_cipher_nid() argument
3117 if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0) in ossl_gost18_cke_cipher_nid()
3119 else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0) in ossl_gost18_cke_cipher_nid()
3125 int ossl_gost_ukm(const SSL *s, unsigned char *dgst_buf) in ossl_gost_ukm() argument
3129 const EVP_MD *md = ssl_evp_md_fetch(s->ctx->libctx, NID_id_GostR3411_2012_256, s->ctx->propq); in ossl_gost_ukm()
3136 || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3137 || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3150 static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt) in tls_construct_cke_gost18() argument
3160 int cipher_nid = ossl_gost18_cke_cipher_nid(s); in tls_construct_cke_gost18()
3163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3167 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { in tls_construct_cke_gost18()
3168 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3176 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost18()
3180 if (RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) { in tls_construct_cke_gost18()
3181 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3186 peer_cert = s->session->peer; in tls_construct_cke_gost18()
3188 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost18()
3193 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, in tls_construct_cke_gost18()
3195 s->ctx->propq); in tls_construct_cke_gost18()
3197 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost18()
3202 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3209 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3221 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3231 s->s3.tmp.pms = pms; in tls_construct_cke_gost18()
3232 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost18()
3240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3245 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt) in tls_construct_cke_srp() argument
3250 if (s->srp_ctx.A == NULL in tls_construct_cke_srp()
3251 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), in tls_construct_cke_srp()
3253 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
3256 BN_bn2bin(s->srp_ctx.A, abytes); in tls_construct_cke_srp()
3258 OPENSSL_free(s->session->srp_username); in tls_construct_cke_srp()
3259 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); in tls_construct_cke_srp()
3260 if (s->session->srp_username == NULL) { in tls_construct_cke_srp()
3261 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_srp()
3267 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
3272 int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) in tls_construct_client_key_exchange() argument
3276 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_construct_client_key_exchange()
3283 && !tls_construct_cke_psk_preamble(s, pkt)) in tls_construct_client_key_exchange()
3287 if (!tls_construct_cke_rsa(s, pkt)) in tls_construct_client_key_exchange()
3290 if (!tls_construct_cke_dhe(s, pkt)) in tls_construct_client_key_exchange()
3293 if (!tls_construct_cke_ecdhe(s, pkt)) in tls_construct_client_key_exchange()
3296 if (!tls_construct_cke_gost(s, pkt)) in tls_construct_client_key_exchange()
3299 if (!tls_construct_cke_gost18(s, pkt)) in tls_construct_client_key_exchange()
3302 if (!tls_construct_cke_srp(s, pkt)) in tls_construct_client_key_exchange()
3305 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_key_exchange()
3311 OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); in tls_construct_client_key_exchange()
3312 s->s3.tmp.pms = NULL; in tls_construct_client_key_exchange()
3313 s->s3.tmp.pmslen = 0; in tls_construct_client_key_exchange()
3315 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); in tls_construct_client_key_exchange()
3316 s->s3.tmp.psk = NULL; in tls_construct_client_key_exchange()
3317 s->s3.tmp.psklen = 0; in tls_construct_client_key_exchange()
3322 int tls_client_key_exchange_post_work(SSL *s) in tls_client_key_exchange_post_work() argument
3327 pms = s->s3.tmp.pms; in tls_client_key_exchange_post_work()
3328 pmslen = s->s3.tmp.pmslen; in tls_client_key_exchange_post_work()
3332 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_client_key_exchange_post_work()
3333 if (!srp_generate_client_master_secret(s)) { in tls_client_key_exchange_post_work()
3341 if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { in tls_client_key_exchange_post_work()
3342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_client_key_exchange_post_work()
3345 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { in tls_client_key_exchange_post_work()
3356 if (SSL_IS_DTLS(s)) { in tls_client_key_exchange_post_work()
3370 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_client_key_exchange_post_work()
3373 if (SSL_export_keying_material(s, sctpauthkey, in tls_client_key_exchange_post_work()
3376 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_client_key_exchange_post_work()
3380 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, in tls_client_key_exchange_post_work()
3388 s->s3.tmp.pms = NULL; in tls_client_key_exchange_post_work()
3389 s->s3.tmp.pmslen = 0; in tls_client_key_exchange_post_work()
3398 static int ssl3_check_client_certificate(SSL *s) in ssl3_check_client_certificate() argument
3401 if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL) in ssl3_check_client_certificate()
3407 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && in ssl3_check_client_certificate()
3408 !tls1_check_chain(s, NULL, NULL, NULL, -2)) in ssl3_check_client_certificate()
3413 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) in tls_prepare_client_certificate() argument
3421 if (s->cert->cert_cb) { in tls_prepare_client_certificate()
3422 i = s->cert->cert_cb(s, s->cert->cert_cb_arg); in tls_prepare_client_certificate()
3424 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3428 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); in tls_prepare_client_certificate()
3431 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3433 if (ssl3_check_client_certificate(s)) { in tls_prepare_client_certificate()
3434 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in tls_prepare_client_certificate()
3450 i = ssl_do_client_cert_cb(s, &x509, &pkey); in tls_prepare_client_certificate()
3452 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3455 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3457 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) in tls_prepare_client_certificate()
3466 if (i && !ssl3_check_client_certificate(s)) in tls_prepare_client_certificate()
3469 if (s->version == SSL3_VERSION) { in tls_prepare_client_certificate()
3470 s->s3.tmp.cert_req = 0; in tls_prepare_client_certificate()
3471 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); in tls_prepare_client_certificate()
3474 s->s3.tmp.cert_req = 2; in tls_prepare_client_certificate()
3475 if (!ssl3_digest_cached_records(s, 0)) { in tls_prepare_client_certificate()
3482 if (s->post_handshake_auth == SSL_PHA_REQUESTED) in tls_prepare_client_certificate()
3488 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_prepare_client_certificate()
3492 int tls_construct_client_certificate(SSL *s, WPACKET *pkt) in tls_construct_client_certificate() argument
3494 if (SSL_IS_TLS13(s)) { in tls_construct_client_certificate()
3495 if (s->pha_context == NULL) { in tls_construct_client_certificate()
3498 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3501 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { in tls_construct_client_certificate()
3502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3506 if (!ssl3_output_cert_chain(s, pkt, in tls_construct_client_certificate()
3507 (s->s3.tmp.cert_req == 2) ? NULL in tls_construct_client_certificate()
3508 : s->cert->key)) { in tls_construct_client_certificate()
3513 if (SSL_IS_TLS13(s) in tls_construct_client_certificate()
3514 && SSL_IS_FIRST_HANDSHAKE(s) in tls_construct_client_certificate()
3515 && (!s->method->ssl3_enc->change_cipher_state(s, in tls_construct_client_certificate()
3521 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); in tls_construct_client_certificate()
3528 int ssl3_check_cert_and_algorithm(SSL *s) in ssl3_check_cert_and_algorithm() argument
3534 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in ssl3_check_cert_and_algorithm()
3535 alg_a = s->s3.tmp.new_cipher->algorithm_auth; in ssl3_check_cert_and_algorithm()
3542 clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); in ssl3_check_cert_and_algorithm()
3546 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT); in ssl3_check_cert_and_algorithm()
3551 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) in ssl3_check_cert_and_algorithm()
3553 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); in ssl3_check_cert_and_algorithm()
3558 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in ssl3_check_cert_and_algorithm()
3563 if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { in ssl3_check_cert_and_algorithm()
3564 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl3_check_cert_and_algorithm()
3572 int tls_construct_next_proto(SSL *s, WPACKET *pkt) in tls_construct_next_proto() argument
3577 len = s->ext.npn_len; in tls_construct_next_proto()
3580 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) in tls_construct_next_proto()
3582 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_next_proto()
3592 MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) in tls_process_hello_req() argument
3596 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_hello_req()
3600 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { in tls_process_hello_req()
3601 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); in tls_process_hello_req()
3612 if (SSL_IS_DTLS(s)) in tls_process_hello_req()
3613 SSL_renegotiate(s); in tls_process_hello_req()
3615 SSL_renegotiate_abbreviated(s); in tls_process_hello_req()
3620 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) in tls_process_encrypted_extensions() argument
3627 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_encrypted_extensions()
3631 if (!tls_collect_extensions(s, &extensions, in tls_process_encrypted_extensions()
3634 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, in tls_process_encrypted_extensions()
3648 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) in ssl_do_client_cert_cb() argument
3652 if (s->ctx->client_cert_engine) { in ssl_do_client_cert_cb()
3653 i = tls_engine_load_ssl_client_cert(s, px509, ppkey); in ssl_do_client_cert_cb()
3658 if (s->ctx->client_cert_cb) in ssl_do_client_cert_cb()
3659 i = s->ctx->client_cert_cb(s, px509, ppkey); in ssl_do_client_cert_cb()
3663 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) in ssl_cipher_list_to_bytes() argument
3667 int empty_reneg_info_scsv = !s->renegotiate; in ssl_cipher_list_to_bytes()
3670 if (!ssl_set_client_disabled(s)) { in ssl_cipher_list_to_bytes()
3671 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE); in ssl_cipher_list_to_bytes()
3676 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
3689 if (TLS1_get_version(s) >= TLS1_2_VERSION) in ssl_cipher_list_to_bytes()
3698 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) in ssl_cipher_list_to_bytes()
3706 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) in ssl_cipher_list_to_bytes()
3709 if (!s->method->put_cipher_by_char(c, pkt, &len)) { in ssl_cipher_list_to_bytes()
3710 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
3716 if (SSL_IS_DTLS(s)) { in ssl_cipher_list_to_bytes()
3717 if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver) in ssl_cipher_list_to_bytes()
3718 && DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver)) in ssl_cipher_list_to_bytes()
3721 if (c->max_tls >= s->s3.tmp.max_ver in ssl_cipher_list_to_bytes()
3722 && c->min_tls <= s->s3.tmp.max_ver) in ssl_cipher_list_to_bytes()
3736 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE, in ssl_cipher_list_to_bytes()
3746 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { in ssl_cipher_list_to_bytes()
3747 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
3751 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { in ssl_cipher_list_to_bytes()
3755 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { in ssl_cipher_list_to_bytes()
3756 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
3765 int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) in tls_construct_end_of_early_data() argument
3767 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY in tls_construct_end_of_early_data()
3768 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { in tls_construct_end_of_early_data()
3769 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); in tls_construct_end_of_early_data()
3773 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; in tls_construct_end_of_early_data()