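Lines matching full:s (a search-result listing, not a complete source file: only the lines that mention `s` are shown, each prefixed with its line number in the source file and, where the tool reports one, followed by the enclosing function)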

31 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
32 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
34 static ossl_inline int cert_req_allowed(SSL *s);
35 static int key_exchange_expected(SSL *s);
36 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
46 static ossl_inline int cert_req_allowed(SSL *s) in cert_req_allowed() argument
49 if ((s->version > SSL3_VERSION in cert_req_allowed()
50 && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)) in cert_req_allowed()
51 || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) in cert_req_allowed()
64 static int key_exchange_expected(SSL *s) in key_exchange_expected() argument
66 long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in key_exchange_expected()
84 * current state is in |s->statem.hand_state|.
89 static int ossl_statem_client13_read_transition(SSL *s, int mt) in ossl_statem_client13_read_transition() argument
91 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_read_transition()
122 if (s->hit) { in ossl_statem_client13_read_transition()
174 if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) { in ossl_statem_client13_read_transition()
175 s->post_handshake_auth = SSL_PHA_REQUESTED; in ossl_statem_client13_read_transition()
182 if (!tls13_restore_handshake_digest_for_pha(s)) { in ossl_statem_client13_read_transition()
201 * current state is in |s->statem.hand_state|.
206 int ossl_statem_client_read_transition(SSL *s, int mt) in ossl_statem_client_read_transition() argument
208 OSSL_STATEM *st = &s->statem; in ossl_statem_client_read_transition()
215 if (SSL_IS_TLS13(s)) { in ossl_statem_client_read_transition()
216 if (!ossl_statem_client13_read_transition(s, mt)) in ossl_statem_client_read_transition()
231 if (SSL_IS_DTLS(s)) { in ossl_statem_client_read_transition()
252 if (s->hit) { in ossl_statem_client_read_transition()
253 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
263 if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) { in ossl_statem_client_read_transition()
266 } else if (s->version >= TLS1_VERSION in ossl_statem_client_read_transition()
267 && s->ext.session_secret_cb != NULL in ossl_statem_client_read_transition()
268 && s->session->ext.tick != NULL in ossl_statem_client_read_transition()
276 s->hit = 1; in ossl_statem_client_read_transition()
279 } else if (!(s->s3.tmp.new_cipher->algorithm_auth in ossl_statem_client_read_transition()
286 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
289 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
296 && cert_req_allowed(s)) { in ossl_statem_client_read_transition()
312 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { in ossl_statem_client_read_transition()
319 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
321 if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
333 if (cert_req_allowed(s)) { in ossl_statem_client_read_transition()
349 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
384 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { in ossl_statem_client_read_transition()
391 s->init_num = 0; in ossl_statem_client_read_transition()
392 s->rwstate = SSL_READING; in ossl_statem_client_read_transition()
393 rbio = SSL_get_rbio(s); in ossl_statem_client_read_transition()
398 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in ossl_statem_client_read_transition()
407 static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s) in ossl_statem_client13_write_transition() argument
409 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_write_transition()
419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
423 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_client13_write_transition()
431 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { in ossl_statem_client13_write_transition()
433 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
440 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY in ossl_statem_client13_write_transition()
441 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client13_write_transition()
443 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client13_write_transition()
444 && s->hello_retry_request == SSL_HRR_NONE) in ossl_statem_client13_write_transition()
447 st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT in ossl_statem_client13_write_transition()
452 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { in ossl_statem_client13_write_transition()
460 st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT in ossl_statem_client13_write_transition()
466 st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY in ossl_statem_client13_write_transition()
482 if (s->key_update != SSL_KEY_UPDATE_NONE) { in ossl_statem_client13_write_transition()
496 WRITE_TRAN ossl_statem_client_write_transition(SSL *s) in ossl_statem_client_write_transition() argument
498 OSSL_STATEM *st = &s->statem; in ossl_statem_client_write_transition()
505 if (SSL_IS_TLS13(s)) in ossl_statem_client_write_transition()
506 return ossl_statem_client13_write_transition(s); in ossl_statem_client_write_transition()
511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_write_transition()
515 if (!s->renegotiate) { in ossl_statem_client_write_transition()
529 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { in ossl_statem_client_write_transition()
534 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) in ossl_statem_client_write_transition()
552 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client_write_transition()
553 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client_write_transition()
567 if (s->s3.tmp.cert_req) in ossl_statem_client_write_transition()
585 * need to skip the certificate verify message when client's in ossl_statem_client_write_transition()
588 if (s->s3.tmp.cert_req == 1) { in ossl_statem_client_write_transition()
593 if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { in ossl_statem_client_write_transition()
603 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_client_write_transition()
605 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { in ossl_statem_client_write_transition()
611 if (!SSL_IS_DTLS(s) && s->s3.npn_seen) in ossl_statem_client_write_transition()
626 if (s->hit) { in ossl_statem_client_write_transition()
634 if (s->hit) { in ossl_statem_client_write_transition()
647 if (ssl3_renegotiate_check(s, 1)) { in ossl_statem_client_write_transition()
648 if (!tls_setup_handshake(s)) { in ossl_statem_client_write_transition()
664 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst) in ossl_statem_client_pre_work() argument
666 OSSL_STATEM *st = &s->statem; in ossl_statem_client_pre_work()
674 s->shutdown = 0; in ossl_statem_client_pre_work()
675 if (SSL_IS_DTLS(s)) { in ossl_statem_client_pre_work()
677 if (!ssl3_init_finished_mac(s)) { in ossl_statem_client_pre_work()
685 if (SSL_IS_DTLS(s)) { in ossl_statem_client_pre_work()
686 if (s->hit) { in ossl_statem_client_pre_work()
694 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) { in ossl_statem_client_pre_work()
696 return dtls_wait_for_dry(s); in ossl_statem_client_pre_work()
708 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING in ossl_statem_client_pre_work()
709 || s->early_data_state == SSL_EARLY_DATA_NONE) in ossl_statem_client_pre_work()
714 return tls_finish_handshake(s, wst, 0, 1); in ossl_statem_client_pre_work()
718 return tls_finish_handshake(s, wst, 1, 1); in ossl_statem_client_pre_work()
728 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst) in ossl_statem_client_post_work() argument
730 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_work()
732 s->init_num = 0; in ossl_statem_client_post_work()
740 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
741 && s->max_early_data > 0) { in ossl_statem_client_post_work()
747 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { in ossl_statem_client_post_work()
748 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
755 } else if (!statem_flush(s)) { in ossl_statem_client_post_work()
759 if (SSL_IS_DTLS(s)) { in ossl_statem_client_post_work()
761 s->first_packet = 1; in ossl_statem_client_post_work()
770 EVP_CIPHER_CTX_free(s->enc_write_ctx); in ossl_statem_client_post_work()
771 s->enc_write_ctx = NULL; in ossl_statem_client_post_work()
775 if (tls_client_key_exchange_post_work(s) == 0) { in ossl_statem_client_post_work()
782 if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_client_post_work()
784 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
785 && s->max_early_data > 0) { in ossl_statem_client_post_work()
791 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
796 s->session->cipher = s->s3.tmp.new_cipher; in ossl_statem_client_post_work()
798 s->session->compress_meth = 0; in ossl_statem_client_post_work()
800 if (s->s3.tmp.new_compression == NULL) in ossl_statem_client_post_work()
801 s->session->compress_meth = 0; in ossl_statem_client_post_work()
803 s->session->compress_meth = s->s3.tmp.new_compression->id; in ossl_statem_client_post_work()
805 if (!s->method->ssl3_enc->setup_key_block(s)) { in ossl_statem_client_post_work()
810 if (!s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
816 if (SSL_IS_DTLS(s)) { in ossl_statem_client_post_work()
818 if (s->hit) { in ossl_statem_client_post_work()
823 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, in ossl_statem_client_post_work()
828 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); in ossl_statem_client_post_work()
834 if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) { in ossl_statem_client_post_work()
839 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, in ossl_statem_client_post_work()
843 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
846 if (SSL_IS_TLS13(s)) { in ossl_statem_client_post_work()
847 if (!tls13_save_handshake_digest_for_pha(s)) { in ossl_statem_client_post_work()
851 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { in ossl_statem_client_post_work()
852 if (!s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
862 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
864 if (!tls13_update_key(s, 1)) { in ossl_statem_client_post_work()
882 int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt, in ossl_statem_client_construct_message() argument
885 OSSL_STATEM *st = &s->statem; in ossl_statem_client_construct_message()
890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in ossl_statem_client_construct_message()
894 if (SSL_IS_DTLS(s)) in ossl_statem_client_construct_message()
955 size_t ossl_statem_client_max_message_size(SSL *s) in ossl_statem_client_max_message_size() argument
957 OSSL_STATEM *st = &s->statem; in ossl_statem_client_max_message_size()
971 return s->max_cert_list; in ossl_statem_client_max_message_size()
984 * Set to s->max_cert_list for compatibility with previous releases. In in ossl_statem_client_max_message_size()
988 return s->max_cert_list; in ossl_statem_client_max_message_size()
994 if (s->version == DTLS1_BAD_VER) in ossl_statem_client_max_message_size()
999 return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 in ossl_statem_client_max_message_size()
1016 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt) in ossl_statem_client_process_message() argument
1018 OSSL_STATEM *st = &s->statem; in ossl_statem_client_process_message()
1023 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_process_message()
1027 return tls_process_server_hello(s, pkt); in ossl_statem_client_process_message()
1030 return dtls_process_hello_verify(s, pkt); in ossl_statem_client_process_message()
1033 return tls_process_server_certificate(s, pkt); in ossl_statem_client_process_message()
1036 return tls_process_cert_verify(s, pkt); in ossl_statem_client_process_message()
1039 return tls_process_cert_status(s, pkt); in ossl_statem_client_process_message()
1042 return tls_process_key_exchange(s, pkt); in ossl_statem_client_process_message()
1045 return tls_process_certificate_request(s, pkt); in ossl_statem_client_process_message()
1048 return tls_process_server_done(s, pkt); in ossl_statem_client_process_message()
1051 return tls_process_change_cipher_spec(s, pkt); in ossl_statem_client_process_message()
1054 return tls_process_new_session_ticket(s, pkt); in ossl_statem_client_process_message()
1057 return tls_process_finished(s, pkt); in ossl_statem_client_process_message()
1060 return tls_process_hello_req(s, pkt); in ossl_statem_client_process_message()
1063 return tls_process_encrypted_extensions(s, pkt); in ossl_statem_client_process_message()
1066 return tls_process_key_update(s, pkt); in ossl_statem_client_process_message()
1074 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst) in ossl_statem_client_post_process_message() argument
1076 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_process_message()
1081 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_post_process_message()
1085 return tls_post_process_server_certificate(s, wst); in ossl_statem_client_post_process_message()
1089 return tls_prepare_client_certificate(s, wst); in ossl_statem_client_post_process_message()
1093 int tls_construct_client_hello(SSL *s, WPACKET *pkt) in tls_construct_client_hello() argument
1101 SSL_SESSION *sess = s->session; in tls_construct_client_hello()
1105 protverr = ssl_set_client_hello_version(s); in tls_construct_client_hello()
1107 SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); in tls_construct_client_hello()
1112 || !ssl_version_supported(s, sess->ssl_version, NULL) in tls_construct_client_hello()
1114 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1115 && !ssl_get_new_session(s, 0)) { in tls_construct_client_hello()
1122 p = s->s3.client_random; in tls_construct_client_hello()
1128 if (SSL_IS_DTLS(s)) { in tls_construct_client_hello()
1131 for (idx = 0; idx < sizeof(s->s3.client_random); idx++) { in tls_construct_client_hello()
1138 i = (s->hello_retry_request == SSL_HRR_NONE); in tls_construct_client_hello()
1141 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), in tls_construct_client_hello()
1143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1180 if (!WPACKET_put_bytes_u16(pkt, s->client_version) in tls_construct_client_hello()
1181 || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { in tls_construct_client_hello()
1182 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1187 session_id = s->session->session_id; in tls_construct_client_hello()
1188 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { in tls_construct_client_hello()
1189 if (s->version == TLS1_3_VERSION in tls_construct_client_hello()
1190 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { in tls_construct_client_hello()
1191 sess_id_len = sizeof(s->tmp_session_id); in tls_construct_client_hello()
1192 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1193 session_id = s->tmp_session_id; in tls_construct_client_hello()
1194 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1195 && RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id, in tls_construct_client_hello()
1197 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1204 assert(s->session->session_id_length <= sizeof(s->session->session_id)); in tls_construct_client_hello()
1205 sess_id_len = s->session->session_id_length; in tls_construct_client_hello()
1206 if (s->version == TLS1_3_VERSION) { in tls_construct_client_hello()
1207 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1208 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); in tls_construct_client_hello()
1215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1220 if (SSL_IS_DTLS(s)) { in tls_construct_client_hello()
1221 if (s->d1->cookie_len > sizeof(s->d1->cookie) in tls_construct_client_hello()
1222 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, in tls_construct_client_hello()
1223 s->d1->cookie_len)) { in tls_construct_client_hello()
1224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1231 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1235 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) { in tls_construct_client_hello()
1240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1246 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1250 if (ssl_allow_compression(s) in tls_construct_client_hello()
1251 && s->ctx->comp_methods in tls_construct_client_hello()
1252 && (SSL_IS_DTLS(s) || s->s3.tmp.max_ver < TLS1_3_VERSION)) { in tls_construct_client_hello()
1253 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods); in tls_construct_client_hello()
1255 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i); in tls_construct_client_hello()
1257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1270 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { in tls_construct_client_hello()
1278 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt) in dtls_process_hello_verify() argument
1285 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1290 if (cookie_len > sizeof(s->d1->cookie)) { in dtls_process_hello_verify()
1291 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG); in dtls_process_hello_verify()
1295 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { in dtls_process_hello_verify()
1296 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1299 s->d1->cookie_len = cookie_len; in dtls_process_hello_verify()
1304 static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars) in set_client_ciphersuite() argument
1310 c = ssl_get_cipher_by_char(s, cipherchars, 0); in set_client_ciphersuite()
1313 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED); in set_client_ciphersuite()
1318 * or it's not allowed for the selected protocol. So we return an error. in set_client_ciphersuite()
1320 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { in set_client_ciphersuite()
1321 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1325 sk = ssl_get_ciphers_by_id(s); in set_client_ciphersuite()
1329 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1333 if (SSL_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL in set_client_ciphersuite()
1334 && s->s3.tmp.new_cipher->id != c->id) { in set_client_ciphersuite()
1336 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1345 if (s->session->cipher != NULL) in set_client_ciphersuite()
1346 s->session->cipher_id = s->session->cipher->id; in set_client_ciphersuite()
1347 if (s->hit && (s->session->cipher_id != c->id)) { in set_client_ciphersuite()
1348 if (SSL_IS_TLS13(s)) { in set_client_ciphersuite()
1349 const EVP_MD *md = ssl_md(s->ctx, c->algorithm2); in set_client_ciphersuite()
1356 || md != ssl_md(s->ctx, s->session->cipher->algorithm2)) { in set_client_ciphersuite()
1357 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1366 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1371 s->s3.tmp.new_cipher = c; in set_client_ciphersuite()
1376 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt) in tls_process_server_hello() argument
1391 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1396 if (s->version == TLS1_3_VERSION in tls_process_server_hello()
1400 if (s->hello_retry_request != SSL_HRR_NONE) { in tls_process_server_hello()
1401 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_server_hello()
1404 s->hello_retry_request = SSL_HRR_PENDING; in tls_process_server_hello()
1407 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1411 if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) { in tls_process_server_hello()
1412 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1419 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1423 if (session_id_len > sizeof(s->session->session_id) in tls_process_server_hello()
1425 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG); in tls_process_server_hello()
1430 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1435 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1444 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_hello()
1449 if (!tls_collect_extensions(s, &extpkt, in tls_process_server_hello()
1457 if (!ssl_choose_client_version(s, sversion, extensions)) { in tls_process_server_hello()
1463 if (SSL_IS_TLS13(s) || hrr) { in tls_process_server_hello()
1465 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1470 if (session_id_len != s->tmp_session_id_len in tls_process_server_hello()
1471 || memcmp(PACKET_data(&session_id), s->tmp_session_id, in tls_process_server_hello()
1473 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID); in tls_process_server_hello()
1479 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1484 return tls_process_as_hello_retry_request(s, &extpkt); in tls_process_server_hello()
1491 context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO in tls_process_server_hello()
1493 if (!tls_validate_all_contexts(s, context, extensions)) { in tls_process_server_hello()
1494 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); in tls_process_server_hello()
1498 s->hit = 0; in tls_process_server_hello()
1500 if (SSL_IS_TLS13(s)) { in tls_process_server_hello()
1505 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_server_hello()
1506 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, in tls_process_server_hello()
1511 /* This will set s->hit if we are resuming */ in tls_process_server_hello()
1512 if (!tls_parse_extension(s, TLSEXT_IDX_psk, in tls_process_server_hello()
1531 if (s->version >= TLS1_VERSION in tls_process_server_hello()
1532 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { in tls_process_server_hello()
1535 * s->session->master_key_length is a size_t, but this is an int for in tls_process_server_hello()
1539 master_key_length = sizeof(s->session->master_key); in tls_process_server_hello()
1540 if (s->ext.session_secret_cb(s, s->session->master_key, in tls_process_server_hello()
1543 s->ext.session_secret_cb_arg) in tls_process_server_hello()
1545 s->session->master_key_length = master_key_length; in tls_process_server_hello()
1546 s->session->cipher = pref_cipher ? in tls_process_server_hello()
1547 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); in tls_process_server_hello()
1549 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1555 && session_id_len == s->session->session_id_length in tls_process_server_hello()
1556 && memcmp(PACKET_data(&session_id), s->session->session_id, in tls_process_server_hello()
1558 s->hit = 1; in tls_process_server_hello()
1561 if (s->hit) { in tls_process_server_hello()
1562 if (s->sid_ctx_length != s->session->sid_ctx_length in tls_process_server_hello()
1563 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { in tls_process_server_hello()
1565 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1577 if (s->session->session_id_length > 0) { in tls_process_server_hello()
1578 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); in tls_process_server_hello()
1579 if (!ssl_get_new_session(s, 0)) { in tls_process_server_hello()
1585 s->session->ssl_version = s->version; in tls_process_server_hello()
1592 if (!SSL_IS_TLS13(s)) { in tls_process_server_hello()
1593 s->session->session_id_length = session_id_len; in tls_process_server_hello()
1596 memcpy(s->session->session_id, PACKET_data(&session_id), in tls_process_server_hello()
1602 if (s->version != s->session->ssl_version) { in tls_process_server_hello()
1603 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, in tls_process_server_hello()
1608 * Now that we know the version, update the check to see if it's an allowed in tls_process_server_hello()
1611 s->s3.tmp.min_ver = s->version; in tls_process_server_hello()
1612 s->s3.tmp.max_ver = s->version; in tls_process_server_hello()
1614 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1621 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1629 if (s->session->compress_meth != 0) { in tls_process_server_hello()
1630 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); in tls_process_server_hello()
1634 if (s->hit && compression != s->session->compress_meth) { in tls_process_server_hello()
1635 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1641 else if (!ssl_allow_compression(s)) { in tls_process_server_hello()
1642 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED); in tls_process_server_hello()
1645 comp = ssl3_comp_find(s->ctx->comp_methods, compression); in tls_process_server_hello()
1649 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1653 s->s3.tmp.new_compression = comp; in tls_process_server_hello()
1657 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { in tls_process_server_hello()
1663 if (SSL_IS_DTLS(s) && s->hit) { in tls_process_server_hello()
1677 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_process_server_hello()
1680 if (SSL_export_keying_material(s, sctpauthkey, in tls_process_server_hello()
1684 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1688 BIO_ctrl(SSL_get_wbio(s), in tls_process_server_hello()
1698 if (SSL_IS_TLS13(s) in tls_process_server_hello()
1699 && (!s->method->ssl3_enc->setup_key_block(s) in tls_process_server_hello()
1700 || !s->method->ssl3_enc->change_cipher_state(s, in tls_process_server_hello()
1713 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, in tls_process_as_hello_retry_request() argument
1722 EVP_CIPHER_CTX_free(s->enc_write_ctx); in tls_process_as_hello_retry_request()
1723 s->enc_write_ctx = NULL; in tls_process_as_hello_retry_request()
1725 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1727 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1736 if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { in tls_process_as_hello_retry_request()
1741 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR); in tls_process_as_hello_retry_request()
1749 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { in tls_process_as_hello_retry_request()
1760 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, in tls_process_as_hello_retry_request()
1761 s->init_num + SSL3_HM_HEADER_LENGTH)) { in tls_process_as_hello_retry_request()
1772 /* prepare server cert verification by setting s->session->peer_chain from pkt */
1773 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) in tls_process_server_certificate() argument
1781 if ((s->session->peer_chain = sk_X509_new_null()) == NULL) { in tls_process_server_certificate()
1782 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_server_certificate()
1786 if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) in tls_process_server_certificate()
1791 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_certificate()
1797 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
1802 x = X509_new_ex(s->ctx->libctx, s->ctx->propq); in tls_process_server_certificate()
1804 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_server_certificate()
1810 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB); in tls_process_server_certificate()
1815 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
1819 if (SSL_IS_TLS13(s)) { in tls_process_server_certificate()
1824 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_certificate()
1827 if (!tls_collect_extensions(s, &extensions, in tls_process_server_certificate()
1830 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, in tls_process_server_certificate()
1840 if (!sk_X509_push(s->session->peer_chain, x)) { in tls_process_server_certificate()
1841 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_server_certificate()
1850 sk_X509_pop_free(s->session->peer_chain, X509_free); in tls_process_server_certificate()
1851 s->session->peer_chain = NULL; in tls_process_server_certificate()
1856 * Verify the s->session->peer_chain and check server cert type.
1857 * On success set s->session->peer and s->session->verify_result.
/*
 * Cross-reference listing: only the lines that mention |s| are shown, so the
 * statements between the numbered lines are not visible here.
 */
1860 WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst) in tls_post_process_server_certificate() argument
/* A pending SSL_RETRY_VERIFY state is reset before the chain is verified. */
1868 if (s->rwstate == SSL_RETRY_VERIFY) in tls_post_process_server_certificate()
1869 s->rwstate = SSL_NOTHING; in tls_post_process_server_certificate()
1870 i = ssl_verify_cert_chain(s, s->session->peer_chain); in tls_post_process_server_certificate()
1871 if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) { in tls_post_process_server_certificate()
/*
 * A failed chain check (i <= 0) is fatal only when verify_mode is not
 * SSL_VERIFY_NONE; the alert is derived from s->verify_result.
 */
1888 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { in tls_post_process_server_certificate()
1889 SSLfatal(s, ssl_x509err2alert(s->verify_result), in tls_post_process_server_certificate()
/*
 * The error queue is cleared but s->verify_result survives and is copied to
 * the session at line 1928. NOTE(review): with SSL_VERIFY_NONE a failed
 * check is therefore only observable through that stored result - confirm
 * against the omitted lines.
 */
1893 ERR_clear_error(); /* but we keep s->verify_result */ in tls_post_process_server_certificate()
1896 * Inconsistency alert: cert_chain does include the peer's certificate, in tls_post_process_server_certificate()
/* The leaf certificate is entry 0 of the received chain. */
1899 x = sk_X509_value(s->session->peer_chain, 0); in tls_post_process_server_certificate()
1904 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_post_process_server_certificate()
1910 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
/*
 * Before TLS 1.3 the certificate's algorithm mask must overlap the
 * negotiated cipher's algorithm_auth, otherwise the handshake fails with
 * illegal_parameter.
 */
1918 if (!SSL_IS_TLS13(s)) { in tls_post_process_server_certificate()
1919 if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { in tls_post_process_server_certificate()
1920 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
/*
 * The previously stored peer certificate is released and replaced by x, and
 * the verification result is recorded on the session.
 */
1925 X509_free(s->session->peer); in tls_post_process_server_certificate()
1927 s->session->peer = x; in tls_post_process_server_certificate()
1928 s->session->verify_result = s->verify_result; in tls_post_process_server_certificate()
/*
 * TLS 1.3: the handshake hash is written to s->cert_verify_hash, bounded by
 * the size of that buffer; the failure branch is on omitted lines.
 */
1931 if (SSL_IS_TLS13(s) in tls_post_process_server_certificate()
1932 && !ssl_handshake_hash(s, s->cert_verify_hash, in tls_post_process_server_certificate()
1933 sizeof(s->cert_verify_hash), in tls_post_process_server_certificate()
1934 &s->cert_verify_hash_len)) { in tls_post_process_server_certificate()
/*
 * Handles the PSK identity hint; called from tls_process_key_exchange().
 * Only the lines that mention |s| are listed.
 */
1941 static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt) in tls_process_ske_psk_preamble() argument
/* A length that does not match the packet is rejected with decode_error. */
1949 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_psk_preamble()
/* An over-long value is rejected; the limit itself is on an omitted line. */
1960 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG); in tls_process_ske_psk_preamble()
/*
 * The previous hint is freed and the pointer cleared before a new value is
 * stored, so a failure in between does not leave a dangling pointer.
 */
1965 OPENSSL_free(s->session->psk_identity_hint); in tls_process_ske_psk_preamble()
1966 s->session->psk_identity_hint = NULL; in tls_process_ske_psk_preamble()
/* Tail of a call (first line not shown) that fills in the new hint. */
1968 &s->session->psk_identity_hint)) { in tls_process_ske_psk_preamble()
1969 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
1975 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
/*
 * Handles the SRP parameters of a server key exchange; called from
 * tls_process_key_exchange(). Only the lines that mention |s| are listed.
 */
1980 static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_srp() argument
1989 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_srp()
/*
 * N, g, s and B are stored in s->srp_ctx; the right-hand sides of the
 * assignments are on omitted lines. Any failure is reported as ERR_R_BN_LIB.
 */
1993 if ((s->srp_ctx.N = in tls_process_ske_srp()
1996 || (s->srp_ctx.g = in tls_process_ske_srp()
1999 || (s->srp_ctx.s = in tls_process_ske_srp()
2002 || (s->srp_ctx.B = in tls_process_ske_srp()
2005 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_srp()
/* The stored parameters are then validated by srp_verify_server_param(). */
2009 if (!srp_verify_server_param(s)) { in tls_process_ske_srp()
/*
 * For RSA or DSS authenticated ciphers *pkey is set to the peer
 * certificate's public key; X509_get0_pubkey() returns a borrowed pointer,
 * so the caller must not free it.
 */
2015 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_srp()
2016 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_srp()
2020 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_srp()
/*
 * Handles the ephemeral DH parameters of a server key exchange; called from
 * tls_process_key_exchange(). Only the lines that mention |s| are listed.
 */
2025 static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_dhe() argument
2038 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_dhe()
2048 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_dhe()
2059 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
/* Key construction uses the SSL_CTX's library context and property query. */
2063 pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq); in tls_process_ske_dhe()
2065 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
2070 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
/*
 * A second context is created from the assembled key; the check that leads
 * to the illegal_parameter alert below is on omitted lines.
 */
2075 pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq); in tls_process_ske_dhe()
2085 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
/*
 * Security-policy check for the temporary DH key (SSL_SECOP_TMP_DH); a
 * rejection is reported as SSL_R_DH_KEY_TOO_SMALL.
 */
2089 if (!ssl_security(s, SSL_SECOP_TMP_DH, in tls_process_ske_dhe()
2092 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); in tls_process_ske_dhe()
/* The key is stored on the connection after the checks listed above. */
2096 s->s3.peer_tmp = peer_tmp; in tls_process_ske_dhe()
/* As in the SRP case, *pkey is a borrowed pointer into the peer certificate. */
2103 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_dhe()
2104 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_dhe()
/*
 * Handles the ephemeral ECDH parameters of a server key exchange; called
 * from tls_process_key_exchange(). Only the lines that mention |s| are listed.
 */
2121 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_ecdhe() argument
2127 * Extract elliptic curve parameters and the server's ephemeral ECDH in tls_process_ske_ecdhe()
2132 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_ske_ecdhe()
/*
 * The curve id sent by the server has to pass tls1_check_group_id();
 * otherwise the handshake fails with SSL_R_WRONG_CURVE. The first half of
 * this condition is on an omitted line.
 */
2140 || !tls1_check_group_id(s, curve_id, 1)) { in tls_process_ske_ecdhe()
2141 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); in tls_process_ske_ecdhe()
/* A parameter-only key for the accepted group becomes s->s3.peer_tmp. */
2145 if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { in tls_process_ske_ecdhe()
2146 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_ske_ecdhe()
2152 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_ecdhe()
/*
 * The server's encoded public key is loaded into that key; a value the
 * provider rejects ends the handshake with SSL_R_BAD_ECPOINT.
 */
2156 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, in tls_process_ske_ecdhe()
2159 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); in tls_process_ske_ecdhe()
/* Both the ECDSA and the RSA branch assign the same borrowed pointer. */
2168 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) in tls_process_ske_ecdhe()
2169 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_ecdhe()
2170 else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA) in tls_process_ske_ecdhe()
2171 *pkey = X509_get0_pubkey(s->session->peer); in tls_process_ske_ecdhe()
/* The group that was used is recorded on the session. */
2175 s->session->kex_group = curve_id; in tls_process_ske_ecdhe()
/*
 * Processes the server's key exchange message: parses the key exchange
 * parameters through one of the tls_process_ske_*() helpers and then checks
 * the server's signature over them. Only the lines that mention |s| are
 * listed, so the conditions selecting each branch are not visible.
 */
2179 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt) in tls_process_key_exchange() argument
2187 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_process_key_exchange()
/* Any ephemeral peer key left from an earlier exchange is dropped first. */
2191 EVP_PKEY_free(s->s3.peer_tmp); in tls_process_key_exchange()
2192 s->s3.peer_tmp = NULL; in tls_process_key_exchange()
2195 if (!tls_process_ske_psk_preamble(s, pkt)) { in tls_process_key_exchange()
2204 if (!tls_process_ske_srp(s, pkt, &pkey)) { in tls_process_key_exchange()
2209 if (!tls_process_ske_dhe(s, pkt, &pkey)) { in tls_process_key_exchange()
2214 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { in tls_process_key_exchange()
/* A key exchange type with no handler is rejected as an unexpected message. */
2219 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_key_exchange()
2238 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_key_exchange()
/*
 * When signature algorithms are negotiated, the algorithm named by the
 * server is checked against the key with tls12_check_peer_sigalg(); this
 * appears before the verification call in line order. Otherwise the legacy
 * algorithm for the key type is selected.
 */
2242 if (SSL_USE_SIGALGS(s)) { in tls_process_key_exchange()
2246 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_key_exchange()
2249 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { in tls_process_key_exchange()
2253 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { in tls_process_key_exchange()
2254 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_key_exchange()
/* The digest is looked up from the signature algorithm accepted above. */
2259 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) { in tls_process_key_exchange()
2260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_key_exchange()
2264 if (SSL_USE_SIGALGS(s)) in tls_process_key_exchange()
2265 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", in tls_process_key_exchange()
2270 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_key_exchange()
2276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_key_exchange()
/* Tail of the verify-init call: it is bound to pkey and the CTX's libctx. */
2282 s->ctx->libctx, s->ctx->propq, pkey, in tls_process_key_exchange()
2284 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
/* PSS algorithms need extra context setup (on omitted lines). */
2287 if (SSL_USE_PSS(s)) { in tls_process_key_exchange()
2291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
/*
 * The data to be verified is built by construct_key_exchange_tbs() from the
 * received params; the remaining arguments are not shown.
 */
2295 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params), in tls_process_key_exchange()
/* A signature that does not verify ends the handshake with decrypt_error. */
2306 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); in tls_process_key_exchange()
/*
 * Branch for ciphers whose auth is neither aNULL nor aSRP (the rest of the
 * condition is on an omitted line): BAD_DATA is raised when
 * ssl3_check_cert_and_algorithm() returns nonzero.
 */
2313 if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) in tls_process_key_exchange()
2316 if (ssl3_check_cert_and_algorithm(s)) { in tls_process_key_exchange()
2317 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA); in tls_process_key_exchange()
/* Bytes left over after parsing are treated as an error, not ignored. */
2324 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE); in tls_process_key_exchange()
/*
 * Processes a CertificateRequest from the server, with separate TLS 1.3 and
 * pre-TLS 1.3 parsing. Only the lines that mention |s| are listed.
 */
2335 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt) in tls_process_certificate_request() argument
/* Per-certificate validity flags from an earlier request are cleared. */
2341 s->s3.tmp.valid_flags[i] = 0; in tls_process_certificate_request()
2343 if (SSL_IS_TLS13(s)) { in tls_process_certificate_request()
/*
 * A request that arrives after this side has sent its shutdown alert is
 * special-cased; the handling itself is on omitted lines.
 */
2347 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { in tls_process_certificate_request()
/*
 * State kept from a previous request (certificate types and the
 * post-handshake-auth context) is freed and reset before parsing.
 */
2357 OPENSSL_free(s->s3.tmp.ctype); in tls_process_certificate_request()
2358 s->s3.tmp.ctype = NULL; in tls_process_certificate_request()
2359 s->s3.tmp.ctype_len = 0; in tls_process_certificate_request()
2360 OPENSSL_free(s->pha_context); in tls_process_certificate_request()
2361 s->pha_context = NULL; in tls_process_certificate_request()
2362 s->pha_context_len = 0; in tls_process_certificate_request()
/* The request context is copied out of the packet into s->pha_context. */
2365 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { in tls_process_certificate_request()
2366 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2371 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
/* Extensions are parsed in the TLS 1.3 CertificateRequest context. */
2374 if (!tls_collect_extensions(s, &extensions, in tls_process_certificate_request()
2377 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, in tls_process_certificate_request()
/*
 * NOTE(review): a tls1_process_sigalgs() failure is reported with
 * SSL_R_BAD_LENGTH here but with ERR_R_MALLOC_FAILURE at line 2420.
 */
2384 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
2393 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
/* Certificate types are copied out of the packet. */
2397 if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) { in tls_process_certificate_request()
2398 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_certificate_request()
2402 if (SSL_USE_SIGALGS(s)) { in tls_process_certificate_request()
2406 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2414 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { in tls_process_certificate_request()
2415 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_certificate_request()
2419 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2420 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_certificate_request()
2426 if (!parse_ca_names(s, pkt)) { in tls_process_certificate_request()
2433 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
/* Marks that the server asked for a client certificate. */
2438 s->s3.tmp.cert_req = 1; in tls_process_certificate_request()
/* TLS 1.3 request that is not post-handshake authentication. */
2448 if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED) in tls_process_certificate_request()
/*
 * Processes a NewSessionTicket message and stores the ticket on the
 * session. Only the lines that mention |s| are listed.
 */
2454 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt) in tls_process_new_session_ticket() argument
/*
 * Length validation: in TLS 1.3 an empty ticket, or one longer than the
 * bytes left in the packet, is a decode_error. The pre-TLS 1.3 arm of the
 * conditional is on an omitted line.
 */
2466 || (SSL_IS_TLS13(s) in tls_process_new_session_ticket()
2470 || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen) in tls_process_new_session_ticket()
2472 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
/*
 * In TLS 1.3, or when the current session already has an id, the ticket is
 * attached to a duplicate of the session instead of the existing object.
 */
2492 if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) { in tls_process_new_session_ticket()
2499 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { in tls_process_new_session_ticket()
2500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_new_session_ticket()
/*
 * With client-side caching before TLS 1.3, the old session is removed from
 * the cache before being replaced.
 */
2504 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 in tls_process_new_session_ticket()
2505 && !SSL_IS_TLS13(s)) { in tls_process_new_session_ticket()
2511 SSL_CTX_remove_session(s->session_ctx, s->session); in tls_process_new_session_ticket()
2514 SSL_SESSION_free(s->session); in tls_process_new_session_ticket()
2515 s->session = new_sess; in tls_process_new_session_ticket()
/* The session's creation time is the arrival time of the ticket. */
2518 s->session->time = time(NULL); in tls_process_new_session_ticket()
2519 ssl_session_calculate_timeout(s->session); in tls_process_new_session_ticket()
/*
 * Any earlier ticket is freed and its length zeroed; the new buffer is
 * allocated with exactly ticklen bytes and filled by a bounds-checked copy.
 * ext.ticklen is set at line 2537, after the copy call in line order.
 */
2521 OPENSSL_free(s->session->ext.tick); in tls_process_new_session_ticket()
2522 s->session->ext.tick = NULL; in tls_process_new_session_ticket()
2523 s->session->ext.ticklen = 0; in tls_process_new_session_ticket()
2525 s->session->ext.tick = OPENSSL_malloc(ticklen); in tls_process_new_session_ticket()
2526 if (s->session->ext.tick == NULL) { in tls_process_new_session_ticket()
2527 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_new_session_ticket()
2530 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { in tls_process_new_session_ticket()
2531 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2535 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; in tls_process_new_session_ticket()
2536 s->session->ext.tick_age_add = age_add; in tls_process_new_session_ticket()
2537 s->session->ext.ticklen = ticklen; in tls_process_new_session_ticket()
/* TLS 1.3 tickets carry extensions, which are collected and parsed here. */
2539 if (SSL_IS_TLS13(s)) { in tls_process_new_session_ticket()
2544 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2548 if (!tls_collect_extensions(s, &extpkt, in tls_process_new_session_ticket()
2551 || !tls_parse_all_extensions(s, in tls_process_new_session_ticket()
/*
 * The session id is replaced by a digest of the ticket bytes, written into
 * s->session->session_id - presumably with the SHA2-256 implementation
 * fetched here; the digest argument is on an omitted line.
 */
2570 sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq); in tls_process_new_session_ticket()
2573 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls_process_new_session_ticket()
2578 * but s->session->session_id_length is a size_t in tls_process_new_session_ticket()
2580 if (!EVP_Digest(s->session->ext.tick, ticklen, in tls_process_new_session_ticket()
2581 s->session->session_id, &sess_len, in tls_process_new_session_ticket()
2583 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_new_session_ticket()
2588 s->session->session_id_length = sess_len; in tls_process_new_session_ticket()
2589 s->session->not_resumable = 0; in tls_process_new_session_ticket()
/*
 * TLS 1.3: the session's master_key is derived from
 * s->resumption_master_secret with tls13_hkdf_expand(), using the handshake
 * digest; its length is the digest length.
 */
2592 if (SSL_IS_TLS13(s)) { in tls_process_new_session_ticket()
2593 const EVP_MD *md = ssl_handshake_md(s); in tls_process_new_session_ticket()
2600 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_new_session_ticket()
2605 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, in tls_process_new_session_ticket()
2610 s->session->master_key, in tls_process_new_session_ticket()
2615 s->session->master_key_length = hashlen; in tls_process_new_session_ticket()
/* The updated session is offered to the client-side cache. */
2618 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); in tls_process_new_session_ticket()
/*
 * Copies the certificate status (OCSP) response from the packet into
 * s->ext.ocsp.resp. Only the lines that mention |s| are listed.
 */
2633 int tls_process_cert_status_body(SSL *s, PACKET *pkt) in tls_process_cert_status_body() argument
/* Unsupported status types and inconsistent lengths are decode errors. */
2640 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE); in tls_process_cert_status_body()
2645 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
/*
 * NOTE(review): the listing shows every line that mentions |s|, and no
 * OPENSSL_free(s->ext.ocsp.resp) precedes this assignment. If this function
 * can run more than once on a connection, the earlier buffer would leak -
 * confirm against the callers.
 */
2648 s->ext.ocsp.resp = OPENSSL_malloc(resplen); in tls_process_cert_status_body()
2649 if (s->ext.ocsp.resp == NULL) { in tls_process_cert_status_body()
2650 s->ext.ocsp.resp_len = 0; in tls_process_cert_status_body()
2651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cert_status_body()
/* The buffer is exactly resplen bytes and is filled by a bounded copy. */
2654 s->ext.ocsp.resp_len = resplen; in tls_process_cert_status_body()
2655 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { in tls_process_cert_status_body()
2656 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
2664 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt) in tls_process_cert_status() argument
2666 if (!tls_process_cert_status_body(s, pkt)) { in tls_process_cert_status()
2676 * server's initial flight. In TLS1.3 this is after the Server Finished message.
/*
 * Checks run once the server's initial flight has been received: certificate
 * against cipher, the OCSP status callback, and Certificate Transparency.
 * Only the lines that mention |s| are listed.
 */
2680 int tls_process_initial_server_flight(SSL *s) in tls_process_initial_server_flight() argument
2686 if (!ssl3_check_cert_and_algorithm(s)) { in tls_process_initial_server_flight()
/*
 * The application's status callback is consulted only when a status type
 * was requested and a callback is installed; without a callback the stored
 * response is not examined in the lines shown here.
 */
2696 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing in tls_process_initial_server_flight()
2697 && s->ctx->ext.status_cb != NULL) { in tls_process_initial_server_flight()
2698 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); in tls_process_initial_server_flight()
/*
 * Two failure outcomes of the callback: one maps to
 * bad_certificate_status_response, the other to internal_error. The values
 * of ret that select them are on omitted lines.
 */
2701 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, in tls_process_initial_server_flight()
2706 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_initial_server_flight()
/*
 * CT validation runs when a validation callback is set; a failure takes
 * this branch only if SSL_VERIFY_PEER is part of verify_mode.
 */
2712 if (s->ct_validation_callback != NULL) { in tls_process_initial_server_flight()
2714 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { in tls_process_initial_server_flight()
2724 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt) in tls_process_server_done() argument
2728 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_done()
2732 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_process_server_done()
2733 if (ssl_srp_calc_a_param_intern(s) <= 0) { in tls_process_server_done()
2734 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); in tls_process_server_done()
2740 if (!tls_process_initial_server_flight(s)) { in tls_process_server_done()
/*
 * Obtains the pre-shared key and identity from the application's PSK client
 * callback and stores them for the key exchange. Only the lines that mention
 * |s| are listed.
 */
2748 static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt) in tls_construct_cke_psk_preamble() argument
/* PSK cannot proceed without an application callback. */
2764 if (s->psk_client_callback == NULL) { in tls_construct_cke_psk_preamble()
2765 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB); in tls_construct_cke_psk_preamble()
/*
 * The server-supplied identity hint is passed to the callback; the output
 * buffers and their sizes are on omitted lines.
 */
2771 psklen = s->psk_client_callback(s, s->session->psk_identity_hint, in tls_construct_cke_psk_preamble()
/* Callback results that are rejected; the exact tests are not shown. */
2776 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
2780 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND); in tls_construct_cke_psk_preamble()
2786 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
2793 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_psk_preamble()
/*
 * NOTE(review): a previous s->s3.tmp.psk is released with OPENSSL_free(),
 * while tls_construct_client_key_exchange() uses OPENSSL_clear_free() for
 * the same field. If a non-NULL key can be present here it is freed without
 * being zeroised - confirm.
 */
2797 OPENSSL_free(s->s3.tmp.psk); in tls_construct_cke_psk_preamble()
2798 s->s3.tmp.psk = tmppsk; in tls_construct_cke_psk_preamble()
2799 s->s3.tmp.psklen = psklen; in tls_construct_cke_psk_preamble()
/* The identity is kept on the session, replacing any earlier value. */
2801 OPENSSL_free(s->session->psk_identity); in tls_construct_cke_psk_preamble()
2802 s->session->psk_identity = tmpidentity; in tls_construct_cke_psk_preamble()
2806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
2820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
/*
 * Builds the RSA ClientKeyExchange: generates the premaster secret and
 * encrypts it to the server certificate's public key. Only the lines that
 * mention |s| are listed.
 */
2825 static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt) in tls_construct_cke_rsa() argument
/* The server certificate must already be known. */
2834 if (s->session->peer == NULL) { in tls_construct_cke_rsa()
2838 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
2842 pkey = X509_get0_pubkey(s->session->peer); in tls_construct_cke_rsa()
2844 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
2851 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_rsa()
/*
 * Premaster layout: two bytes of the client's offered version followed by
 * random bytes from the library context's RNG.
 */
2855 pms[0] = s->client_version >> 8; in tls_construct_cke_rsa()
2856 pms[1] = s->client_version & 0xff; in tls_construct_cke_rsa()
/*
 * NOTE(review): an RNG failure is reported with ERR_R_MALLOC_FAILURE, which
 * does not describe what went wrong.
 */
2857 if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) { in tls_construct_cke_rsa()
2858 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_rsa()
/* Versions above SSLv3 wrap the ciphertext in a 16-bit length prefix. */
2863 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { in tls_construct_cke_rsa()
2864 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
2868 pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pkey, s->ctx->propq); in tls_construct_cke_rsa()
2871 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_rsa()
2876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT); in tls_construct_cke_rsa()
2883 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { in tls_construct_cke_rsa()
2884 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
/*
 * Both the ciphertext and the plaintext premaster secret are handed to
 * ssl_log_rsa_client_key_exchange() - presumably the key-log hook; its
 * behaviour is defined elsewhere.
 */
2889 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { in tls_construct_cke_rsa()
/*
 * The premaster secret is parked on the connection; it is cleared there by
 * tls_construct_client_key_exchange() on error, or consumed by
 * tls_client_key_exchange_post_work().
 */
2894 s->s3.tmp.pms = pms; in tls_construct_cke_rsa()
2895 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_rsa()
2905 static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt) in tls_construct_cke_dhe() argument
2914 skey = s->s3.peer_tmp; in tls_construct_cke_dhe()
2916 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2920 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_dhe()
2922 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2926 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_dhe()
2936 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2950 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2957 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
2968 static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt) in tls_construct_cke_ecdhe() argument
2975 skey = s->s3.peer_tmp; in tls_construct_cke_ecdhe()
2977 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
2981 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_ecdhe()
2983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_ecdhe()
2987 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_ecdhe()
2996 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); in tls_construct_cke_ecdhe()
3001 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
3012 static int tls_construct_cke_gost(SSL *s, WPACKET *pkt) in tls_construct_cke_gost() argument
3026 if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) in tls_construct_cke_gost()
3032 peer_cert = s->session->peer; in tls_construct_cke_gost()
3034 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost()
3039 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, in tls_construct_cke_gost()
3041 s->ctx->propq); in tls_construct_cke_gost()
3043 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost()
3056 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost()
3063 || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) { in tls_construct_cke_gost()
3064 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3074 || EVP_DigestUpdate(ukm_hash, s->s3.client_random, in tls_construct_cke_gost()
3076 || EVP_DigestUpdate(ukm_hash, s->s3.server_random, in tls_construct_cke_gost()
3079 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3086 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3095 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3102 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3107 s->s3.tmp.pms = pms; in tls_construct_cke_gost()
3108 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost()
3117 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3123 int ossl_gost18_cke_cipher_nid(const SSL *s) in ossl_gost18_cke_cipher_nid() argument
3125 if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0) in ossl_gost18_cke_cipher_nid()
3127 else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0) in ossl_gost18_cke_cipher_nid()
3133 int ossl_gost_ukm(const SSL *s, unsigned char *dgst_buf) in ossl_gost_ukm() argument
3137 const EVP_MD *md = ssl_evp_md_fetch(s->ctx->libctx, NID_id_GostR3411_2012_256, s->ctx->propq); in ossl_gost_ukm()
3144 || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3145 || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3158 static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt) in tls_construct_cke_gost18() argument
3169 int cipher_nid = ossl_gost18_cke_cipher_nid(s); in tls_construct_cke_gost18()
3172 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3176 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { in tls_construct_cke_gost18()
3177 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3185 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost18()
3189 if (RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) { in tls_construct_cke_gost18()
3190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3195 peer_cert = s->session->peer; in tls_construct_cke_gost18()
3197 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost18()
3202 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, in tls_construct_cke_gost18()
3204 s->ctx->propq); in tls_construct_cke_gost18()
3206 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_gost18()
3211 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3218 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3224 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3229 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3235 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3241 s->s3.tmp.pms = pms; in tls_construct_cke_gost18()
3242 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost18()
3250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3255 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt) in tls_construct_cke_srp() argument
3260 if (s->srp_ctx.A == NULL in tls_construct_cke_srp()
3261 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), in tls_construct_cke_srp()
3263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
3266 BN_bn2bin(s->srp_ctx.A, abytes); in tls_construct_cke_srp()
3268 OPENSSL_free(s->session->srp_username); in tls_construct_cke_srp()
3269 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); in tls_construct_cke_srp()
3270 if (s->session->srp_username == NULL) { in tls_construct_cke_srp()
3271 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_cke_srp()
3277 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
/*
 * Builds the ClientKeyExchange by dispatching on the negotiated key exchange
 * to one of the tls_construct_cke_*() helpers. Only the lines that mention
 * |s| are listed, so the conditions selecting each helper are not visible.
 */
3282 int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt) in tls_construct_client_key_exchange() argument
3286 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_construct_client_key_exchange()
/* The PSK preamble is combined with the key exchange that follows. */
3293 && !tls_construct_cke_psk_preamble(s, pkt)) in tls_construct_client_key_exchange()
3297 if (!tls_construct_cke_rsa(s, pkt)) in tls_construct_client_key_exchange()
3300 if (!tls_construct_cke_dhe(s, pkt)) in tls_construct_client_key_exchange()
3303 if (!tls_construct_cke_ecdhe(s, pkt)) in tls_construct_client_key_exchange()
3306 if (!tls_construct_cke_gost(s, pkt)) in tls_construct_client_key_exchange()
3309 if (!tls_construct_cke_gost18(s, pkt)) in tls_construct_client_key_exchange()
3312 if (!tls_construct_cke_srp(s, pkt)) in tls_construct_client_key_exchange()
/* A key exchange with no helper is an internal error. */
3315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_key_exchange()
/*
 * Secret material is wiped as well as freed: OPENSSL_clear_free() zeroises
 * the premaster secret and the PSK before releasing them, and the pointers
 * and lengths are reset so no stale reference remains. Presumably this is
 * the error path; the label is on an omitted line.
 */
3321 OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); in tls_construct_client_key_exchange()
3322 s->s3.tmp.pms = NULL; in tls_construct_client_key_exchange()
3323 s->s3.tmp.pmslen = 0; in tls_construct_client_key_exchange()
3325 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); in tls_construct_client_key_exchange()
3326 s->s3.tmp.psk = NULL; in tls_construct_client_key_exchange()
3327 s->s3.tmp.psklen = 0; in tls_construct_client_key_exchange()
/*
 * Turns the parked premaster secret into the master secret after the
 * ClientKeyExchange has been built. Only the lines that mention |s| are
 * listed.
 */
3332 int tls_client_key_exchange_post_work(SSL *s) in tls_client_key_exchange_post_work() argument
/* Local copies of the premaster secret left by the cke helpers. */
3337 pms = s->s3.tmp.pms; in tls_client_key_exchange_post_work()
3338 pmslen = s->s3.tmp.pmslen; in tls_client_key_exchange_post_work()
/* SRP derives its master secret through its own routine. */
3342 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_client_key_exchange_post_work()
3343 if (!srp_generate_client_master_secret(s)) { in tls_client_key_exchange_post_work()
/*
 * A missing premaster secret is tolerated only for PSK key exchanges.
 * NOTE(review): the reason code is ERR_R_MALLOC_FAILURE although no
 * allocation is attempted on the lines shown.
 */
3351 if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { in tls_client_key_exchange_post_work()
3352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_client_key_exchange_post_work()
/*
 * The meaning of the last argument (1) is defined by
 * ssl_generate_master_secret() - presumably it hands ownership of pms to the
 * callee; confirm there.
 */
3355 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { in tls_client_key_exchange_post_work()
/*
 * DTLS only: keying material is exported and passed to the write BIO as an
 * SCTP auth key. SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG adjusts how the export
 * is made; the details are on omitted lines.
 */
3366 if (SSL_IS_DTLS(s)) { in tls_client_key_exchange_post_work()
3380 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_client_key_exchange_post_work()
3383 if (SSL_export_keying_material(s, sctpauthkey, in tls_client_key_exchange_post_work()
3386 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_client_key_exchange_post_work()
3390 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, in tls_client_key_exchange_post_work()
/* The connection no longer refers to the premaster secret. */
3398 s->s3.tmp.pms = NULL; in tls_client_key_exchange_post_work()
3399 s->s3.tmp.pmslen = 0; in tls_client_key_exchange_post_work()
3408 static int ssl3_check_client_certificate(SSL *s) in ssl3_check_client_certificate() argument
3411 if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL) in ssl3_check_client_certificate()
3417 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && in ssl3_check_client_certificate()
3418 !tls1_check_chain(s, NULL, NULL, NULL, -2)) in ssl3_check_client_certificate()
3423 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst) in tls_prepare_client_certificate() argument
3431 if (s->cert->cert_cb) { in tls_prepare_client_certificate()
3432 i = s->cert->cert_cb(s, s->cert->cert_cb_arg); in tls_prepare_client_certificate()
3434 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3438 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); in tls_prepare_client_certificate()
3441 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3443 if (ssl3_check_client_certificate(s)) { in tls_prepare_client_certificate()
3444 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in tls_prepare_client_certificate()
3460 i = ssl_do_client_cert_cb(s, &x509, &pkey); in tls_prepare_client_certificate()
3462 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3465 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3467 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey)) in tls_prepare_client_certificate()
3476 if (i && !ssl3_check_client_certificate(s)) in tls_prepare_client_certificate()
3479 if (s->version == SSL3_VERSION) { in tls_prepare_client_certificate()
3480 s->s3.tmp.cert_req = 0; in tls_prepare_client_certificate()
3481 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); in tls_prepare_client_certificate()
3484 s->s3.tmp.cert_req = 2; in tls_prepare_client_certificate()
3485 if (!ssl3_digest_cached_records(s, 0)) { in tls_prepare_client_certificate()
3492 if (s->post_handshake_auth == SSL_PHA_REQUESTED) in tls_prepare_client_certificate()
3498 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_prepare_client_certificate()
3502 int tls_construct_client_certificate(SSL *s, WPACKET *pkt) in tls_construct_client_certificate() argument
3504 if (SSL_IS_TLS13(s)) { in tls_construct_client_certificate()
3505 if (s->pha_context == NULL) { in tls_construct_client_certificate()
3508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3511 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { in tls_construct_client_certificate()
3512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3516 if (!ssl3_output_cert_chain(s, pkt, in tls_construct_client_certificate()
3517 (s->s3.tmp.cert_req == 2) ? NULL in tls_construct_client_certificate()
3518 : s->cert->key)) { in tls_construct_client_certificate()
3523 if (SSL_IS_TLS13(s) in tls_construct_client_certificate()
3524 && SSL_IS_FIRST_HANDSHAKE(s) in tls_construct_client_certificate()
3525 && (!s->method->ssl3_enc->change_cipher_state(s, in tls_construct_client_certificate()
3531 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); in tls_construct_client_certificate()
/*
 * Checks that the server certificate and the received key exchange data fit
 * the negotiated cipher. Only the lines that mention |s| are listed.
 * NOTE(review): callers in this file test the result both ways - line 2316
 * acts on a nonzero result, line 2686 on zero - so the return convention
 * should be confirmed from the full source.
 */
3538 int ssl3_check_cert_and_algorithm(SSL *s) in ssl3_check_cert_and_algorithm() argument
3544 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in ssl3_check_cert_and_algorithm()
3545 alg_a = s->s3.tmp.new_cipher->algorithm_auth; in ssl3_check_cert_and_algorithm()
/* The certificate type is identified from the peer's public key. */
3552 clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx); in ssl3_check_cert_and_algorithm()
3556 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT); in ssl3_check_cert_and_algorithm()
/* ECC certificates get an additional suitability check. */
3561 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) in ssl3_check_cert_and_algorithm()
3563 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); in ssl3_check_cert_and_algorithm()
3568 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in ssl3_check_cert_and_algorithm()
/*
 * A DHE cipher with no stored ephemeral peer key means the server key
 * exchange was never processed; this is treated as an internal error.
 */
3573 if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { in ssl3_check_cert_and_algorithm()
3574 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl3_check_cert_and_algorithm()
3582 int tls_construct_next_proto(SSL *s, WPACKET *pkt) in tls_construct_next_proto() argument
3587 len = s->ext.npn_len; in tls_construct_next_proto()
3590 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) in tls_construct_next_proto()
3592 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_next_proto()
/*
 * Processes a HelloRequest from the server. Only the lines that mention |s|
 * are listed.
 */
3602 MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt) in tls_process_hello_req() argument
/* A malformed message body is rejected with a decode_error alert. */
3606 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_hello_req()
/*
 * With SSL_OP_NO_RENEGOTIATION set the request is answered with a
 * no_renegotiation warning alert instead of starting a new handshake.
 */
3610 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { in tls_process_hello_req()
3611 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); in tls_process_hello_req()
/*
 * Otherwise renegotiation is started: a full one for DTLS, an abbreviated
 * one in the other branch (the else line itself is not shown).
 */
3622 if (SSL_IS_DTLS(s)) in tls_process_hello_req()
3623 SSL_renegotiate(s); in tls_process_hello_req()
3625 SSL_renegotiate_abbreviated(s); in tls_process_hello_req()
/*
 * tls_process_encrypted_extensions(): parses the extensions carried in the
 * EncryptedExtensions message |pkt|.
 * NOTE(review): only the lines that mention |s| are listed; the length test
 * and the remaining arguments of both calls are on lines not shown.
 */
3630 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt) in tls_process_encrypted_extensions() argument
/* Decode error for a malformed length; the check that triggers it is not listed. */
3637 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_encrypted_extensions()
/*
 * Two-step handling: collect the raw extensions into |extensions|, then parse
 * them in the SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS context. The context value
 * tells the parser which message the extensions arrived in.
 */
3641 if (!tls_collect_extensions(s, &extensions, in tls_process_encrypted_extensions()
3644 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, in tls_process_encrypted_extensions()
/*
 * ssl_do_client_cert_cb(): obtains a client certificate and private key
 * through |px509| and |ppkey|, from either an engine or the application
 * callback registered on the SSL_CTX.
 * NOTE(review): only the lines that mention |s| are listed; how the engine
 * result in |i| affects whether the callback still runs is on lines not shown.
 */
3658 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) in ssl_do_client_cert_cb() argument
/* Engine path: taken when the context has a client-certificate engine configured. */
3662 if (s->ctx->client_cert_engine) { in ssl_do_client_cert_cb()
3663 i = tls_engine_load_ssl_client_cert(s, px509, ppkey); in ssl_do_client_cert_cb()
/* Application path: the callback fills in *px509 and *ppkey; its return value lands in |i|. */
3668 if (s->ctx->client_cert_cb) in ssl_do_client_cert_cb()
3669 i = s->ctx->client_cert_cb(s, px509, ppkey); in ssl_do_client_cert_cb()
/*
 * ssl_cipher_list_to_bytes(): serialises the cipher stack |sk| into |pkt|,
 * skipping disabled ciphers and appending signalling cipher-suite values
 * (SCSVs) where applicable.
 * NOTE(review): only the lines that mention |s| are listed; the loop header,
 * the bodies of several ifs and all return statements are not shown.
 */
3673 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt) in ssl_cipher_list_to_bytes() argument
/* The renegotiation-info SCSV flag is set only when this is not a renegotiation. */
3677 int empty_reneg_info_scsv = !s->renegotiate; in ssl_cipher_list_to_bytes()
/* Work out which ciphers are disabled for this client; failure means no usable protocol. */
3680 if (!ssl_set_client_disabled(s)) { in ssl_cipher_list_to_bytes()
3681 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE); in ssl_cipher_list_to_bytes()
3686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
/* Version- and mode-dependent adjustments; the statements they guard are not listed. */
3699 if (TLS1_get_version(s) >= TLS1_2_VERSION) in ssl_cipher_list_to_bytes()
3708 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) in ssl_cipher_list_to_bytes()
/* Ciphers rejected by the SSL_SECOP_CIPHER_SUPPORTED check are not offered. */
3716 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) in ssl_cipher_list_to_bytes()
/* Encode cipher |c| into the packet using the method's wire format. */
3719 if (!s->method->put_cipher_by_char(c, pkt, &len)) { in ssl_cipher_list_to_bytes()
3720 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
/*
 * Tests whether the cipher's supported version range covers the maximum
 * version in s->s3.tmp.max_ver, with separate comparisons for DTLS and TLS;
 * what is done with the result is on lines not listed.
 */
3726 if (SSL_IS_DTLS(s)) { in ssl_cipher_list_to_bytes()
3727 if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver) in ssl_cipher_list_to_bytes()
3728 && DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver)) in ssl_cipher_list_to_bytes()
3731 if (c->max_tls >= s->s3.tmp.max_ver in ssl_cipher_list_to_bytes()
3732 && c->min_tls <= s->s3.tmp.max_ver) in ssl_cipher_list_to_bytes()
/* Reported when no cipher could be written; the guarding condition is not listed. */
3746 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE, in ssl_cipher_list_to_bytes()
/* First SCSV entry; presumably guarded by empty_reneg_info_scsv on a line not listed. */
3756 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { in ssl_cipher_list_to_bytes()
3757 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
/*
 * Second SCSV entry, written only when the application set
 * SSL_MODE_SEND_FALLBACK_SCSV, i.e. when it is retrying with a lower
 * protocol version and wants the server to detect an unwanted downgrade.
 */
3761 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { in ssl_cipher_list_to_bytes()
3765 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) { in ssl_cipher_list_to_bytes()
3766 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
3775 int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt) in tls_construct_end_of_early_data() argument
3777 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY in tls_construct_end_of_early_data()
3778 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { in tls_construct_end_of_early_data()
3779 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); in tls_construct_end_of_early_data()
3783 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; in tls_construct_end_of_early_data()