Lines Matching refs:s
43 int ssl3_do_write(SSL *s, int type) in ssl3_do_write() argument
48 ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], in ssl3_do_write()
49 s->init_num, &written); in ssl3_do_write()
58 if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET in ssl3_do_write()
59 && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE in ssl3_do_write()
60 && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE)) in ssl3_do_write()
61 if (!ssl3_finish_mac(s, in ssl3_do_write()
62 (unsigned char *)&s->init_buf->data[s->init_off], in ssl3_do_write()
65 if (written == s->init_num) { in ssl3_do_write()
66 if (s->msg_callback) in ssl3_do_write()
67 s->msg_callback(1, s->version, type, s->init_buf->data, in ssl3_do_write()
68 (size_t)(s->init_off + s->init_num), s, in ssl3_do_write()
69 s->msg_callback_arg); in ssl3_do_write()
72 s->init_off += written; in ssl3_do_write()
73 s->init_num -= written; in ssl3_do_write()
77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype) in tls_close_construct_packet() argument
85 s->init_num = (int)msglen; in tls_close_construct_packet()
86 s->init_off = 0; in tls_close_construct_packet()
91 int tls_setup_handshake(SSL *s) in tls_setup_handshake() argument
95 if (!ssl3_init_finished_mac(s)) { in tls_setup_handshake()
101 memset(s->ext.extflags, 0, sizeof(s->ext.extflags)); in tls_setup_handshake()
103 if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) { in tls_setup_handshake()
104 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE); in tls_setup_handshake()
109 if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) { in tls_setup_handshake()
113 if (SSL_IS_DTLS(s)) { in tls_setup_handshake()
121 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, in tls_setup_handshake()
132 if (SSL_IS_DTLS(s)) { in tls_setup_handshake()
134 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION); in tls_setup_handshake()
137 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION); in tls_setup_handshake()
141 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); in tls_setup_handshake()
147 if (s->server) { in tls_setup_handshake()
148 STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s); in tls_setup_handshake()
159 if (SSL_IS_DTLS(s)) { in tls_setup_handshake()
170 SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE, in tls_setup_handshake()
176 if (SSL_IS_FIRST_HANDSHAKE(s)) { in tls_setup_handshake()
178 tsan_counter(&s->session_ctx->stats.sess_accept); in tls_setup_handshake()
181 tsan_counter(&s->ctx->stats.sess_accept_renegotiate); in tls_setup_handshake()
183 s->s3.tmp.cert_request = 0; in tls_setup_handshake()
186 if (SSL_IS_FIRST_HANDSHAKE(s)) in tls_setup_handshake()
187 tsan_counter(&s->session_ctx->stats.sess_connect); in tls_setup_handshake()
189 tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate); in tls_setup_handshake()
192 memset(s->s3.client_random, 0, sizeof(s->s3.client_random)); in tls_setup_handshake()
193 s->hit = 0; in tls_setup_handshake()
195 s->s3.tmp.cert_req = 0; in tls_setup_handshake()
197 if (SSL_IS_DTLS(s)) in tls_setup_handshake()
198 s->statem.use_timer = 1; in tls_setup_handshake()
211 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, in get_cert_verify_tbs_data() argument
227 if (SSL_IS_TLS13(s)) { in get_cert_verify_tbs_data()
233 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY in get_cert_verify_tbs_data()
234 || s->statem.hand_state == TLS_ST_SW_CERT_VRFY) in get_cert_verify_tbs_data()
244 if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY in get_cert_verify_tbs_data()
245 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) { in get_cert_verify_tbs_data()
246 memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash, in get_cert_verify_tbs_data()
247 s->cert_verify_hash_len); in get_cert_verify_tbs_data()
248 hashlen = s->cert_verify_hash_len; in get_cert_verify_tbs_data()
249 } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE, in get_cert_verify_tbs_data()
261 retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata); in get_cert_verify_tbs_data()
263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in get_cert_verify_tbs_data()
272 int tls_construct_cert_verify(SSL *s, WPACKET *pkt) in tls_construct_cert_verify() argument
282 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; in tls_construct_cert_verify()
284 if (lu == NULL || s->s3.tmp.cert == NULL) { in tls_construct_cert_verify()
285 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cert_verify()
288 pkey = s->s3.tmp.cert->privatekey; in tls_construct_cert_verify()
290 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) { in tls_construct_cert_verify()
291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cert_verify()
297 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cert_verify()
302 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { in tls_construct_cert_verify()
307 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { in tls_construct_cert_verify()
308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cert_verify()
314 s->ctx->libctx, s->ctx->propq, pkey, in tls_construct_cert_verify()
316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cert_verify()
324 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cert_verify()
328 if (s->version == SSL3_VERSION) { in tls_construct_cert_verify()
335 (int)s->session->master_key_length, in tls_construct_cert_verify()
336 s->session->master_key) <= 0 in tls_construct_cert_verify()
339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cert_verify()
345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cert_verify()
354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cert_verify()
360 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cert_verify()
377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cert_verify()
382 if (!ssl3_digest_cached_records(s, 0)) { in tls_construct_cert_verify()
396 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) in tls_process_cert_verify() argument
415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cert_verify()
419 peer = s->session->peer; in tls_process_cert_verify()
422 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cert_verify()
427 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_cert_verify()
432 if (SSL_USE_SIGALGS(s)) { in tls_process_cert_verify()
436 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET); in tls_process_cert_verify()
439 if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) { in tls_process_cert_verify()
443 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { in tls_process_cert_verify()
444 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cert_verify()
448 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) { in tls_process_cert_verify()
449 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cert_verify()
453 if (SSL_USE_SIGALGS(s)) in tls_process_cert_verify()
463 if (!SSL_USE_SIGALGS(s) in tls_process_cert_verify()
473 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_verify()
478 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_verify()
482 if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) { in tls_process_cert_verify()
492 s->ctx->libctx, s->ctx->propq, pkey, in tls_process_cert_verify()
494 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_cert_verify()
504 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cert_verify()
513 if (SSL_USE_PSS(s)) { in tls_process_cert_verify()
517 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_cert_verify()
521 if (s->version == SSL3_VERSION) { in tls_process_cert_verify()
524 (int)s->session->master_key_length, in tls_process_cert_verify()
525 s->session->master_key) <= 0) { in tls_process_cert_verify()
526 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_cert_verify()
530 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); in tls_process_cert_verify()
536 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); in tls_process_cert_verify()
549 if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1) in tls_process_cert_verify()
554 BIO_free(s->s3.handshake_buffer); in tls_process_cert_verify()
555 s->s3.handshake_buffer = NULL; in tls_process_cert_verify()
563 int tls_construct_finished(SSL *s, WPACKET *pkt) in tls_construct_finished() argument
570 if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED) in tls_construct_finished()
571 s->statem.cleanuphand = 1; in tls_construct_finished()
577 if (SSL_IS_TLS13(s) in tls_construct_finished()
578 && !s->server in tls_construct_finished()
579 && s->s3.tmp.cert_req == 0 in tls_construct_finished()
580 && (!s->method->ssl3_enc->change_cipher_state(s, in tls_construct_finished()
586 if (s->server) { in tls_construct_finished()
587 sender = s->method->ssl3_enc->server_finished_label; in tls_construct_finished()
588 slen = s->method->ssl3_enc->server_finished_label_len; in tls_construct_finished()
590 sender = s->method->ssl3_enc->client_finished_label; in tls_construct_finished()
591 slen = s->method->ssl3_enc->client_finished_label_len; in tls_construct_finished()
594 finish_md_len = s->method->ssl3_enc->final_finish_mac(s, in tls_construct_finished()
596 s->s3.tmp.finish_md); in tls_construct_finished()
602 s->s3.tmp.finish_md_len = finish_md_len; in tls_construct_finished()
604 if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) { in tls_construct_finished()
605 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_finished()
613 if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL, in tls_construct_finished()
614 s->session->master_key, in tls_construct_finished()
615 s->session->master_key_length)) { in tls_construct_finished()
624 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_finished()
627 if (!s->server) { in tls_construct_finished()
628 memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md, in tls_construct_finished()
630 s->s3.previous_client_finished_len = finish_md_len; in tls_construct_finished()
632 memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md, in tls_construct_finished()
634 s->s3.previous_server_finished_len = finish_md_len; in tls_construct_finished()
640 int tls_construct_key_update(SSL *s, WPACKET *pkt) in tls_construct_key_update() argument
642 if (!WPACKET_put_bytes_u8(pkt, s->key_update)) { in tls_construct_key_update()
643 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_key_update()
647 s->key_update = SSL_KEY_UPDATE_NONE; in tls_construct_key_update()
651 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) in tls_process_key_update() argument
659 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_key_update()
660 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); in tls_process_key_update()
666 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE); in tls_process_key_update()
676 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE); in tls_process_key_update()
686 s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; in tls_process_key_update()
688 if (!tls13_update_key(s, 0)) { in tls_process_key_update()
700 int ssl3_take_mac(SSL *s) in ssl3_take_mac() argument
705 if (!s->server) { in ssl3_take_mac()
706 sender = s->method->ssl3_enc->server_finished_label; in ssl3_take_mac()
707 slen = s->method->ssl3_enc->server_finished_label_len; in ssl3_take_mac()
709 sender = s->method->ssl3_enc->client_finished_label; in ssl3_take_mac()
710 slen = s->method->ssl3_enc->client_finished_label_len; in ssl3_take_mac()
713 s->s3.tmp.peer_finish_md_len = in ssl3_take_mac()
714 s->method->ssl3_enc->final_finish_mac(s, sender, slen, in ssl3_take_mac()
715 s->s3.tmp.peer_finish_md); in ssl3_take_mac()
717 if (s->s3.tmp.peer_finish_md_len == 0) { in ssl3_take_mac()
725 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) in tls_process_change_cipher_spec() argument
735 if (SSL_IS_DTLS(s)) { in tls_process_change_cipher_spec()
736 if ((s->version == DTLS1_BAD_VER in tls_process_change_cipher_spec()
738 || (s->version != DTLS1_BAD_VER in tls_process_change_cipher_spec()
740 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); in tls_process_change_cipher_spec()
745 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC); in tls_process_change_cipher_spec()
751 if (s->s3.tmp.new_cipher == NULL) { in tls_process_change_cipher_spec()
752 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY); in tls_process_change_cipher_spec()
756 s->s3.change_cipher_spec = 1; in tls_process_change_cipher_spec()
757 if (!ssl3_do_change_cipher_spec(s)) { in tls_process_change_cipher_spec()
758 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_change_cipher_spec()
762 if (SSL_IS_DTLS(s)) { in tls_process_change_cipher_spec()
763 dtls1_reset_seq_numbers(s, SSL3_CC_READ); in tls_process_change_cipher_spec()
765 if (s->version == DTLS1_BAD_VER) in tls_process_change_cipher_spec()
766 s->d1->handshake_read_seq++; in tls_process_change_cipher_spec()
774 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL); in tls_process_change_cipher_spec()
781 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) in tls_process_finished() argument
787 if (s->server) { in tls_process_finished()
793 s->statem.enc_read_state = ENC_READ_STATE_VALID; in tls_process_finished()
794 if (s->post_handshake_auth != SSL_PHA_REQUESTED) in tls_process_finished()
795 s->statem.cleanuphand = 1; in tls_process_finished()
796 if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) { in tls_process_finished()
806 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_finished()
807 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); in tls_process_finished()
812 if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) { in tls_process_finished()
813 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS); in tls_process_finished()
816 s->s3.change_cipher_spec = 0; in tls_process_finished()
818 md_len = s->s3.tmp.peer_finish_md_len; in tls_process_finished()
821 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH); in tls_process_finished()
825 if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md, in tls_process_finished()
827 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED); in tls_process_finished()
835 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_finished()
838 if (s->server) { in tls_process_finished()
839 memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md, in tls_process_finished()
841 s->s3.previous_client_finished_len = md_len; in tls_process_finished()
843 memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md, in tls_process_finished()
845 s->s3.previous_server_finished_len = md_len; in tls_process_finished()
852 if (SSL_IS_TLS13(s)) { in tls_process_finished()
853 if (s->server) { in tls_process_finished()
854 if (s->post_handshake_auth != SSL_PHA_REQUESTED && in tls_process_finished()
855 !s->method->ssl3_enc->change_cipher_state(s, in tls_process_finished()
863 if (!s->method->ssl3_enc->generate_master_secret(s, in tls_process_finished()
864 s->master_secret, s->handshake_secret, 0, in tls_process_finished()
869 if (!s->method->ssl3_enc->change_cipher_state(s, in tls_process_finished()
874 if (!tls_process_initial_server_flight(s)) { in tls_process_finished()
884 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt) in tls_construct_change_cipher_spec() argument
887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_change_cipher_spec()
895 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain) in ssl_add_cert_to_wpacket() argument
902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB); in ssl_add_cert_to_wpacket()
907 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_add_cert_to_wpacket()
911 if (SSL_IS_TLS13(s) in ssl_add_cert_to_wpacket()
912 && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x, in ssl_add_cert_to_wpacket()
922 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) in ssl_add_cert_chain() argument
941 extra_certs = s->ctx->extra_certs; in ssl_add_cert_chain()
943 if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs) in ssl_add_cert_chain()
945 else if (s->cert->chain_store) in ssl_add_cert_chain()
946 chain_store = s->cert->chain_store; in ssl_add_cert_chain()
948 chain_store = s->ctx->cert_store; in ssl_add_cert_chain()
951 X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx, in ssl_add_cert_chain()
952 s->ctx->propq); in ssl_add_cert_chain()
955 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in ssl_add_cert_chain()
960 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB); in ssl_add_cert_chain()
973 i = ssl_security_cert_chain(s, chain, NULL, 0); in ssl_add_cert_chain()
982 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); in ssl_add_cert_chain()
989 if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) { in ssl_add_cert_chain()
997 i = ssl_security_cert_chain(s, extra_certs, x, 0); in ssl_add_cert_chain()
999 SSLfatal(s, SSL_AD_INTERNAL_ERROR, i); in ssl_add_cert_chain()
1002 if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) { in ssl_add_cert_chain()
1008 if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) { in ssl_add_cert_chain()
1017 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk) in ssl3_output_cert_chain() argument
1020 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl3_output_cert_chain()
1024 if (!ssl_add_cert_chain(s, pkt, cpk)) in ssl3_output_cert_chain()
1028 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl3_output_cert_chain()
1040 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst, in tls_finish_handshake() argument
1044 int cleanuphand = s->statem.cleanuphand; in tls_finish_handshake()
1047 if (!SSL_IS_DTLS(s) in tls_finish_handshake()
1055 || BIO_dgram_is_sctp(SSL_get_wbio(s)) in tls_finish_handshake()
1062 BUF_MEM_free(s->init_buf); in tls_finish_handshake()
1063 s->init_buf = NULL; in tls_finish_handshake()
1066 if (!ssl_free_wbio_buffer(s)) { in tls_finish_handshake()
1067 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_finish_handshake()
1070 s->init_num = 0; in tls_finish_handshake()
1073 if (SSL_IS_TLS13(s) && !s->server in tls_finish_handshake()
1074 && s->post_handshake_auth == SSL_PHA_REQUESTED) in tls_finish_handshake()
1075 s->post_handshake_auth = SSL_PHA_EXT_SENT; in tls_finish_handshake()
1083 s->renegotiate = 0; in tls_finish_handshake()
1084 s->new_session = 0; in tls_finish_handshake()
1085 s->statem.cleanuphand = 0; in tls_finish_handshake()
1086 s->ext.ticket_expected = 0; in tls_finish_handshake()
1088 ssl3_cleanup_key_block(s); in tls_finish_handshake()
1090 if (s->server) { in tls_finish_handshake()
1095 if (!SSL_IS_TLS13(s)) in tls_finish_handshake()
1096 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); in tls_finish_handshake()
1099 tsan_counter(&s->ctx->stats.sess_accept_good); in tls_finish_handshake()
1100 s->handshake_func = ossl_statem_accept; in tls_finish_handshake()
1102 if (SSL_IS_TLS13(s)) { in tls_finish_handshake()
1107 if ((s->session_ctx->session_cache_mode in tls_finish_handshake()
1109 SSL_CTX_remove_session(s->session_ctx, s->session); in tls_finish_handshake()
1115 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); in tls_finish_handshake()
1117 if (s->hit) in tls_finish_handshake()
1118 tsan_counter(&s->session_ctx->stats.sess_hit); in tls_finish_handshake()
1120 s->handshake_func = ossl_statem_connect; in tls_finish_handshake()
1121 tsan_counter(&s->session_ctx->stats.sess_connect_good); in tls_finish_handshake()
1124 if (SSL_IS_DTLS(s)) { in tls_finish_handshake()
1126 s->d1->handshake_read_seq = 0; in tls_finish_handshake()
1127 s->d1->handshake_write_seq = 0; in tls_finish_handshake()
1128 s->d1->next_handshake_write_seq = 0; in tls_finish_handshake()
1129 dtls1_clear_received_buffer(s); in tls_finish_handshake()
1133 if (s->info_callback != NULL) in tls_finish_handshake()
1134 cb = s->info_callback; in tls_finish_handshake()
1135 else if (s->ctx->info_callback != NULL) in tls_finish_handshake()
1136 cb = s->ctx->info_callback; in tls_finish_handshake()
1139 ossl_statem_set_in_init(s, 0); in tls_finish_handshake()
1143 || !SSL_IS_TLS13(s) in tls_finish_handshake()
1144 || SSL_IS_FIRST_HANDSHAKE(s)) in tls_finish_handshake()
1145 cb(s, SSL_CB_HANDSHAKE_DONE, 1); in tls_finish_handshake()
1150 ossl_statem_set_in_init(s, 1); in tls_finish_handshake()
1157 int tls_get_message_header(SSL *s, int *mt) in tls_get_message_header() argument
1164 p = (unsigned char *)s->init_buf->data; in tls_get_message_header()
1167 while (s->init_num < SSL3_HM_HEADER_LENGTH) { in tls_get_message_header()
1168 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type, in tls_get_message_header()
1169 &p[s->init_num], in tls_get_message_header()
1170 SSL3_HM_HEADER_LENGTH - s->init_num, in tls_get_message_header()
1173 s->rwstate = SSL_READING; in tls_get_message_header()
1181 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) { in tls_get_message_header()
1182 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, in tls_get_message_header()
1186 if (s->statem.hand_state == TLS_ST_BEFORE in tls_get_message_header()
1187 && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) { in tls_get_message_header()
1197 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; in tls_get_message_header()
1198 s->init_num = readbytes - 1; in tls_get_message_header()
1199 s->init_msg = s->init_buf->data; in tls_get_message_header()
1200 s->s3.tmp.message_size = readbytes; in tls_get_message_header()
1203 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, in tls_get_message_header()
1207 s->init_num += readbytes; in tls_get_message_header()
1211 if (!s->server) in tls_get_message_header()
1212 if (s->statem.hand_state != TLS_ST_OK in tls_get_message_header()
1221 s->init_num = 0; in tls_get_message_header()
1224 if (s->msg_callback) in tls_get_message_header()
1225 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, in tls_get_message_header()
1226 p, SSL3_HM_HEADER_LENGTH, s, in tls_get_message_header()
1227 s->msg_callback_arg); in tls_get_message_header()
1233 s->s3.tmp.message_type = *(p++); in tls_get_message_header()
1235 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { in tls_get_message_header()
1243 l = RECORD_LAYER_get_rrec_length(&s->rlayer) in tls_get_message_header()
1245 s->s3.tmp.message_size = l; in tls_get_message_header()
1247 s->init_msg = s->init_buf->data; in tls_get_message_header()
1248 s->init_num = SSL3_HM_HEADER_LENGTH; in tls_get_message_header()
1253 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_get_message_header()
1257 s->s3.tmp.message_size = l; in tls_get_message_header()
1259 s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; in tls_get_message_header()
1260 s->init_num = 0; in tls_get_message_header()
1266 int tls_get_message_body(SSL *s, size_t *len) in tls_get_message_body() argument
1272 if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { in tls_get_message_body()
1274 *len = (unsigned long)s->init_num; in tls_get_message_body()
1278 p = s->init_msg; in tls_get_message_body()
1279 n = s->s3.tmp.message_size - s->init_num; in tls_get_message_body()
1281 i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, in tls_get_message_body()
1282 &p[s->init_num], n, 0, &readbytes); in tls_get_message_body()
1284 s->rwstate = SSL_READING; in tls_get_message_body()
1288 s->init_num += readbytes; in tls_get_message_body()
1296 if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) { in tls_get_message_body()
1303 if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { in tls_get_message_body()
1304 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, in tls_get_message_body()
1305 s->init_num)) { in tls_get_message_body()
1310 if (s->msg_callback) in tls_get_message_body()
1311 s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data, in tls_get_message_body()
1312 (size_t)s->init_num, s, s->msg_callback_arg); in tls_get_message_body()
1322 if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET in tls_get_message_body()
1323 && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { in tls_get_message_body()
1324 if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO in tls_get_message_body()
1325 || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE in tls_get_message_body()
1327 s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, in tls_get_message_body()
1329 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, in tls_get_message_body()
1330 s->init_num + SSL3_HM_HEADER_LENGTH)) { in tls_get_message_body()
1337 if (s->msg_callback) in tls_get_message_body()
1338 s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data, in tls_get_message_body()
1339 (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s, in tls_get_message_body()
1340 s->msg_callback_arg); in tls_get_message_body()
1343 *len = s->init_num; in tls_get_message_body()
1403 int ssl_allow_compression(SSL *s) in ssl_allow_compression() argument
1405 if (s->options & SSL_OP_NO_COMPRESSION) in ssl_allow_compression()
1407 return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL); in ssl_allow_compression()
1410 static int version_cmp(const SSL *s, int a, int b) in version_cmp() argument
1412 int dtls = SSL_IS_DTLS(s); in version_cmp()
1490 static int ssl_method_error(const SSL *s, const SSL_METHOD *method) in ssl_method_error() argument
1494 if ((s->min_proto_version != 0 && in ssl_method_error()
1495 version_cmp(s, version, s->min_proto_version) < 0) || in ssl_method_error()
1496 ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0) in ssl_method_error()
1499 if (s->max_proto_version != 0 && in ssl_method_error()
1500 version_cmp(s, version, s->max_proto_version) > 0) in ssl_method_error()
1503 if ((s->options & method->mask) != 0) in ssl_method_error()
1505 if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s)) in ssl_method_error()
1516 static int is_tls13_capable(const SSL *s) in is_tls13_capable() argument
1521 if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL)) in is_tls13_capable()
1528 if (s->ctx->ext.servername_cb != NULL in is_tls13_capable()
1529 || s->session_ctx->ext.servername_cb != NULL) in is_tls13_capable()
1533 if (s->psk_server_callback != NULL) in is_tls13_capable()
1537 if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL) in is_tls13_capable()
1551 if (!ssl_has_cert(s, i)) in is_tls13_capable()
1560 curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey); in is_tls13_capable()
1561 if (tls_check_sigalg_curve(s, curve)) in is_tls13_capable()
1577 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth) in ssl_version_supported() argument
1582 switch (s->method->version) { in ssl_version_supported()
1585 return version_cmp(s, version, s->version) == 0; in ssl_version_supported()
1595 vent->version != 0 && version_cmp(s, version, vent->version) <= 0; in ssl_version_supported()
1598 && version_cmp(s, version, vent->version) == 0 in ssl_version_supported()
1599 && ssl_method_error(s, vent->cmeth()) == 0 in ssl_version_supported()
1600 && (!s->server in ssl_version_supported()
1602 || is_tls13_capable(s))) { in ssl_version_supported()
1620 int ssl_check_version_downgrade(SSL *s) in ssl_check_version_downgrade() argument
1630 if (s->version == s->ctx->method->version) in ssl_check_version_downgrade()
1637 if (s->ctx->method->version == TLS_method()->version) in ssl_check_version_downgrade()
1639 else if (s->ctx->method->version == DTLS_method()->version) in ssl_check_version_downgrade()
1647 if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0) in ssl_check_version_downgrade()
1648 return s->version == vent->version; in ssl_check_version_downgrade()
1714 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd) in check_for_downgrade() argument
1717 && ssl_version_supported(s, TLS1_3_VERSION, NULL)) { in check_for_downgrade()
1719 } else if (!SSL_IS_DTLS(s) in check_for_downgrade()
1728 && ssl_version_supported(s, TLS1_2_VERSION, NULL)) { in check_for_downgrade()
1744 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd) in ssl_choose_server_version() argument
1755 int server_version = s->method->version; in ssl_choose_server_version()
1762 s->client_version = client_version; in ssl_choose_server_version()
1766 if (!SSL_IS_TLS13(s)) { in ssl_choose_server_version()
1767 if (version_cmp(s, client_version, s->version) < 0) in ssl_choose_server_version()
1795 if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE) in ssl_choose_server_version()
1798 if (suppversions->present && !SSL_IS_DTLS(s)) { in ssl_choose_server_version()
1824 if (version_cmp(s, candidate_vers, best_vers) <= 0) in ssl_choose_server_version()
1826 if (ssl_version_supported(s, candidate_vers, &best_method)) in ssl_choose_server_version()
1835 if (s->hello_retry_request != SSL_HRR_NONE) { in ssl_choose_server_version()
1844 check_for_downgrade(s, best_vers, dgrd); in ssl_choose_server_version()
1845 s->version = best_vers; in ssl_choose_server_version()
1846 s->method = best_method; in ssl_choose_server_version()
1856 if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0) in ssl_choose_server_version()
1867 version_cmp(s, client_version, vent->version) < 0) in ssl_choose_server_version()
1870 if (ssl_method_error(s, method) == 0) { in ssl_choose_server_version()
1871 check_for_downgrade(s, vent->version, dgrd); in ssl_choose_server_version()
1872 s->version = vent->version; in ssl_choose_server_version()
1873 s->method = method; in ssl_choose_server_version()
1892 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) in ssl_choose_client_version() argument
1898 origv = s->version; in ssl_choose_client_version()
1899 s->version = version; in ssl_choose_client_version()
1902 if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions, in ssl_choose_client_version()
1906 s->version = origv; in ssl_choose_client_version()
1910 if (s->hello_retry_request != SSL_HRR_NONE in ssl_choose_client_version()
1911 && s->version != TLS1_3_VERSION) { in ssl_choose_client_version()
1912 s->version = origv; in ssl_choose_client_version()
1913 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); in ssl_choose_client_version()
1917 switch (s->method->version) { in ssl_choose_client_version()
1919 if (s->version != s->method->version) { in ssl_choose_client_version()
1920 s->version = origv; in ssl_choose_client_version()
1921 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION); in ssl_choose_client_version()
1940 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max); in ssl_choose_client_version()
1942 s->version = origv; in ssl_choose_client_version()
1943 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret); in ssl_choose_client_version()
1946 if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min) in ssl_choose_client_version()
1947 : s->version < ver_min) { in ssl_choose_client_version()
1948 s->version = origv; in ssl_choose_client_version()
1949 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); in ssl_choose_client_version()
1951 } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max) in ssl_choose_client_version()
1952 : s->version > ver_max) { in ssl_choose_client_version()
1953 s->version = origv; in ssl_choose_client_version()
1954 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); in ssl_choose_client_version()
1958 if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0) in ssl_choose_client_version()
1962 if (s->version == TLS1_2_VERSION && real_max > s->version) { in ssl_choose_client_version()
1964 s->s3.server_random + SSL3_RANDOM_SIZE in ssl_choose_client_version()
1967 s->version = origv; in ssl_choose_client_version()
1968 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in ssl_choose_client_version()
1972 } else if (!SSL_IS_DTLS(s) in ssl_choose_client_version()
1973 && s->version < TLS1_2_VERSION in ssl_choose_client_version()
1974 && real_max > s->version) { in ssl_choose_client_version()
1976 s->s3.server_random + SSL3_RANDOM_SIZE in ssl_choose_client_version()
1979 s->version = origv; in ssl_choose_client_version()
1980 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in ssl_choose_client_version()
1987 if (vent->cmeth == NULL || s->version != vent->version) in ssl_choose_client_version()
1990 s->method = vent->cmeth(); in ssl_choose_client_version()
1994 s->version = origv; in ssl_choose_client_version()
1995 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL); in ssl_choose_client_version()
2021 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version, in ssl_get_min_max_version() argument
2031 switch (s->method->version) { in ssl_get_min_max_version()
2040 *min_version = *max_version = s->version; in ssl_get_min_max_version()
2097 if (ssl_method_error(s, method) != 0) { in ssl_get_min_max_version()
2128 int ssl_set_client_hello_version(SSL *s) in ssl_set_client_hello_version() argument
2136 if (!SSL_IS_FIRST_HANDSHAKE(s)) in ssl_set_client_hello_version()
2139 ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL); in ssl_set_client_hello_version()
2144 s->version = ver_max; in ssl_set_client_hello_version()
2147 if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION) in ssl_set_client_hello_version()
2150 s->client_version = ver_max; in ssl_set_client_hello_version()
2160 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, in check_in_list() argument
2173 || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { in check_in_list()
2182 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, in create_synthetic_message_hash() argument
2195 if (!ssl3_digest_cached_records(s, 0) in create_synthetic_message_hash()
2196 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp), in create_synthetic_message_hash()
2204 if (!ssl3_init_finished_mac(s)) { in create_synthetic_message_hash()
2212 if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH) in create_synthetic_message_hash()
2213 || !ssl3_finish_mac(s, hashval, hashlen)) { in create_synthetic_message_hash()
2224 && (!ssl3_finish_mac(s, hrr, hrrlen) in create_synthetic_message_hash()
2225 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, in create_synthetic_message_hash()
2226 s->s3.tmp.message_size in create_synthetic_message_hash()
2240 int parse_ca_names(SSL *s, PACKET *pkt) in parse_ca_names() argument
2247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in parse_ca_names()
2252 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in parse_ca_names()
2262 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in parse_ca_names()
2268 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); in parse_ca_names()
2272 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH); in parse_ca_names()
2277 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in parse_ca_names()
2283 sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); in parse_ca_names()
2284 s->s3.tmp.peer_ca_names = ca_sk; in parse_ca_names()
2294 const STACK_OF(X509_NAME) *get_ca_names(SSL *s) in STACK_OF()
2298 if (s->server) { in STACK_OF()
2299 ca_sk = SSL_get_client_CA_list(s); in STACK_OF()
2305 ca_sk = SSL_get0_CA_list(s); in STACK_OF()
2310 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt) in construct_ca_names() argument
2314 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_ca_names()
2318 if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) { in construct_ca_names()
2331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_ca_names()
2338 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_ca_names()
2346 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, in construct_key_exchange_tbs() argument
2353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in construct_key_exchange_tbs()
2356 memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE); in construct_key_exchange_tbs()
2357 memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE); in construct_key_exchange_tbs()
2369 int tls13_save_handshake_digest_for_pha(SSL *s) in tls13_save_handshake_digest_for_pha() argument
2371 if (s->pha_dgst == NULL) { in tls13_save_handshake_digest_for_pha()
2372 if (!ssl3_digest_cached_records(s, 1)) in tls13_save_handshake_digest_for_pha()
2376 s->pha_dgst = EVP_MD_CTX_new(); in tls13_save_handshake_digest_for_pha()
2377 if (s->pha_dgst == NULL) { in tls13_save_handshake_digest_for_pha()
2378 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_save_handshake_digest_for_pha()
2381 if (!EVP_MD_CTX_copy_ex(s->pha_dgst, in tls13_save_handshake_digest_for_pha()
2382 s->s3.handshake_dgst)) { in tls13_save_handshake_digest_for_pha()
2383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_save_handshake_digest_for_pha()
2384 EVP_MD_CTX_free(s->pha_dgst); in tls13_save_handshake_digest_for_pha()
2385 s->pha_dgst = NULL; in tls13_save_handshake_digest_for_pha()
2396 int tls13_restore_handshake_digest_for_pha(SSL *s) in tls13_restore_handshake_digest_for_pha() argument
2398 if (s->pha_dgst == NULL) { in tls13_restore_handshake_digest_for_pha()
2399 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_restore_handshake_digest_for_pha()
2402 if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst, in tls13_restore_handshake_digest_for_pha()
2403 s->pha_dgst)) { in tls13_restore_handshake_digest_for_pha()
2404 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_restore_handshake_digest_for_pha()