
2  * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
33 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
35 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s,
38 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s);
39 static int key_exchange_expected(SSL_CONNECTION *s);
40 static int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
45 return sc->session->peer_rpk != NULL || sc->session->peer != NULL; in received_server_cert()
55 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s) in cert_req_allowed() argument
57 /* TLS does not like anon-DH with client cert */ in cert_req_allowed()
58 if ((s->version > SSL3_VERSION in cert_req_allowed()
59 && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)) in cert_req_allowed()
60 || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) in cert_req_allowed()
73 static int key_exchange_expected(SSL_CONNECTION *s) in key_exchange_expected() argument
75 long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in key_exchange_expected()
93 * current state is in |s->statem.hand_state|.
98 static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt) in ossl_statem_client13_read_transition() argument
100 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_read_transition()
108 switch (st->hand_state) { in ossl_statem_client13_read_transition()
118 st->hand_state = TLS_ST_CR_SRVR_HELLO; in ossl_statem_client13_read_transition()
125 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS; in ossl_statem_client13_read_transition()
131 if (s->hit) { in ossl_statem_client13_read_transition()
133 st->hand_state = TLS_ST_CR_FINISHED; in ossl_statem_client13_read_transition()
138 st->hand_state = TLS_ST_CR_CERT_REQ; in ossl_statem_client13_read_transition()
142 st->hand_state = TLS_ST_CR_CERT; in ossl_statem_client13_read_transition()
147 && s->ext.compress_certificate_sent) { in ossl_statem_client13_read_transition()
148 st->hand_state = TLS_ST_CR_COMP_CERT; in ossl_statem_client13_read_transition()
157 st->hand_state = TLS_ST_CR_CERT; in ossl_statem_client13_read_transition()
162 && s->ext.compress_certificate_sent) { in ossl_statem_client13_read_transition()
163 st->hand_state = TLS_ST_CR_COMP_CERT; in ossl_statem_client13_read_transition()
172 st->hand_state = TLS_ST_CR_CERT_VRFY; in ossl_statem_client13_read_transition()
179 st->hand_state = TLS_ST_CR_FINISHED; in ossl_statem_client13_read_transition()
186 st->hand_state = TLS_ST_CR_SESSION_TICKET; in ossl_statem_client13_read_transition()
189 if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) { in ossl_statem_client13_read_transition()
190 st->hand_state = TLS_ST_CR_KEY_UPDATE; in ossl_statem_client13_read_transition()
198 if (!SSL_CONNECTION_IS_DTLS(s) in ossl_statem_client13_read_transition()
199 && s->post_handshake_auth == SSL_PHA_EXT_SENT) { in ossl_statem_client13_read_transition()
200 s->post_handshake_auth = SSL_PHA_REQUESTED; in ossl_statem_client13_read_transition()
207 if (!tls13_restore_handshake_digest_for_pha(s)) { in ossl_statem_client13_read_transition()
211 st->hand_state = TLS_ST_CR_CERT_REQ; in ossl_statem_client13_read_transition()
226 * current state is in |s->statem.hand_state|.
231 int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt) in ossl_statem_client_read_transition() argument
233 OSSL_STATEM *st = &s->statem; in ossl_statem_client_read_transition()
240 if (SSL_CONNECTION_IS_TLS13(s)) { in ossl_statem_client_read_transition()
241 if (!ossl_statem_client13_read_transition(s, mt)) in ossl_statem_client_read_transition()
246 switch (st->hand_state) { in ossl_statem_client_read_transition()
252 st->hand_state = TLS_ST_CR_SRVR_HELLO; in ossl_statem_client_read_transition()
256 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_read_transition()
258 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; in ossl_statem_client_read_transition()
271 st->hand_state = TLS_ST_CR_SRVR_HELLO; in ossl_statem_client_read_transition()
277 if (s->hit) { in ossl_statem_client_read_transition()
278 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
280 st->hand_state = TLS_ST_CR_SESSION_TICKET; in ossl_statem_client_read_transition()
284 st->hand_state = TLS_ST_CR_CHANGE; in ossl_statem_client_read_transition()
288 if (SSL_CONNECTION_IS_DTLS(s) in ossl_statem_client_read_transition()
290 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST; in ossl_statem_client_read_transition()
292 } else if (s->version >= TLS1_VERSION in ossl_statem_client_read_transition()
293 && s->ext.session_secret_cb != NULL in ossl_statem_client_read_transition()
294 && s->session->ext.tick != NULL in ossl_statem_client_read_transition()
298 * from the session ID. EAP-FAST (RFC 4851), however, relies on in ossl_statem_client_read_transition()
302 s->hit = 1; in ossl_statem_client_read_transition()
303 st->hand_state = TLS_ST_CR_CHANGE; in ossl_statem_client_read_transition()
305 } else if (!(s->s3.tmp.new_cipher->algorithm_auth in ossl_statem_client_read_transition()
308 st->hand_state = TLS_ST_CR_CERT; in ossl_statem_client_read_transition()
312 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
315 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
318 st->hand_state = TLS_ST_CR_KEY_EXCH; in ossl_statem_client_read_transition()
322 && cert_req_allowed(s)) { in ossl_statem_client_read_transition()
323 st->hand_state = TLS_ST_CR_CERT_REQ; in ossl_statem_client_read_transition()
326 st->hand_state = TLS_ST_CR_SRVR_DONE; in ossl_statem_client_read_transition()
339 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { in ossl_statem_client_read_transition()
340 st->hand_state = TLS_ST_CR_CERT_STATUS; in ossl_statem_client_read_transition()
346 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
348 if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
351 st->hand_state = TLS_ST_CR_KEY_EXCH; in ossl_statem_client_read_transition()
360 if (cert_req_allowed(s)) { in ossl_statem_client_read_transition()
361 st->hand_state = TLS_ST_CR_CERT_REQ; in ossl_statem_client_read_transition()
370 st->hand_state = TLS_ST_CR_SRVR_DONE; in ossl_statem_client_read_transition()
376 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
378 st->hand_state = TLS_ST_CR_SESSION_TICKET; in ossl_statem_client_read_transition()
382 st->hand_state = TLS_ST_CR_CHANGE; in ossl_statem_client_read_transition()
389 st->hand_state = TLS_ST_CR_CHANGE; in ossl_statem_client_read_transition()
396 st->hand_state = TLS_ST_CR_FINISHED; in ossl_statem_client_read_transition()
403 st->hand_state = TLS_ST_CR_HELLO_REQ; in ossl_statem_client_read_transition()
411 if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { in ossl_statem_client_read_transition()
416 * because of an out-of-order CCS. We'll just drop it. in ossl_statem_client_read_transition()
418 s->init_num = 0; in ossl_statem_client_read_transition()
419 s->rwstate = SSL_READING; in ossl_statem_client_read_transition()
420 rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s)); in ossl_statem_client_read_transition()
425 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in ossl_statem_client_read_transition()
432 return sc->ext.client_cert_type == TLSEXT_cert_type_x509 in do_compressed_cert()
433 && sc->ext.compress_certificate_from_peer[0] != TLSEXT_comp_cert_none; in do_compressed_cert()
441 static WRITE_TRAN ossl_statem_client13_write_transition(SSL_CONNECTION *s) in ossl_statem_client13_write_transition() argument
443 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_write_transition()
450 switch (st->hand_state) { in ossl_statem_client13_write_transition()
453 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
457 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_client13_write_transition()
458 if (do_compressed_cert(s)) in ossl_statem_client13_write_transition()
459 st->hand_state = TLS_ST_CW_COMP_CERT; in ossl_statem_client13_write_transition()
461 st->hand_state = TLS_ST_CW_CERT; in ossl_statem_client13_write_transition()
468 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { in ossl_statem_client13_write_transition()
469 /* Shouldn't happen - same as default case */ in ossl_statem_client13_write_transition()
470 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
473 st->hand_state = TLS_ST_OK; in ossl_statem_client13_write_transition()
477 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY in ossl_statem_client13_write_transition()
478 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client13_write_transition()
479 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END; in ossl_statem_client13_write_transition()
480 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client13_write_transition()
481 && s->hello_retry_request == SSL_HRR_NONE) in ossl_statem_client13_write_transition()
482 st->hand_state = TLS_ST_CW_CHANGE; in ossl_statem_client13_write_transition()
483 else if (s->s3.tmp.cert_req == 0) in ossl_statem_client13_write_transition()
484 st->hand_state = TLS_ST_CW_FINISHED; in ossl_statem_client13_write_transition()
485 else if (do_compressed_cert(s)) in ossl_statem_client13_write_transition()
486 st->hand_state = TLS_ST_CW_COMP_CERT; in ossl_statem_client13_write_transition()
488 st->hand_state = TLS_ST_CW_CERT; in ossl_statem_client13_write_transition()
490 s->ts_msg_read = ossl_time_now(); in ossl_statem_client13_write_transition()
494 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED && !SSL_NO_EOED(s)) { in ossl_statem_client13_write_transition()
495 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA; in ossl_statem_client13_write_transition()
502 if (s->s3.tmp.cert_req == 0) in ossl_statem_client13_write_transition()
503 st->hand_state = TLS_ST_CW_FINISHED; in ossl_statem_client13_write_transition()
504 else if (do_compressed_cert(s)) in ossl_statem_client13_write_transition()
505 st->hand_state = TLS_ST_CW_COMP_CERT; in ossl_statem_client13_write_transition()
507 st->hand_state = TLS_ST_CW_CERT; in ossl_statem_client13_write_transition()
512 /* If a non-empty Certificate we also send CertificateVerify */ in ossl_statem_client13_write_transition()
513 st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY in ossl_statem_client13_write_transition()
518 st->hand_state = TLS_ST_CW_FINISHED; in ossl_statem_client13_write_transition()
525 st->hand_state = TLS_ST_OK; in ossl_statem_client13_write_transition()
529 if (s->key_update != SSL_KEY_UPDATE_NONE) { in ossl_statem_client13_write_transition()
530 st->hand_state = TLS_ST_CW_KEY_UPDATE; in ossl_statem_client13_write_transition()
543 WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) in ossl_statem_client_write_transition() argument
545 OSSL_STATEM *st = &s->statem; in ossl_statem_client_write_transition()
552 if (SSL_CONNECTION_IS_TLS13(s)) in ossl_statem_client_write_transition()
553 return ossl_statem_client13_write_transition(s); in ossl_statem_client_write_transition()
555 switch (st->hand_state) { in ossl_statem_client_write_transition()
558 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_write_transition()
562 if (!s->renegotiate) { in ossl_statem_client_write_transition()
572 st->hand_state = TLS_ST_CW_CLNT_HELLO; in ossl_statem_client_write_transition()
576 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_write_transition()
577 && !SSL_IS_QUIC_HANDSHAKE(s)) { in ossl_statem_client_write_transition()
582 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) in ossl_statem_client_write_transition()
583 st->hand_state = TLS_ST_CW_CHANGE; in ossl_statem_client_write_transition()
585 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_client_write_transition()
592 s->ts_msg_write = ossl_time_now(); in ossl_statem_client_write_transition()
601 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client_write_transition()
602 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client_write_transition()
603 st->hand_state = TLS_ST_CW_CHANGE; in ossl_statem_client_write_transition()
605 st->hand_state = TLS_ST_CW_CLNT_HELLO; in ossl_statem_client_write_transition()
609 s->ts_msg_write = ossl_time_now(); in ossl_statem_client_write_transition()
613 st->hand_state = TLS_ST_CW_CLNT_HELLO; in ossl_statem_client_write_transition()
617 s->ts_msg_read = ossl_time_now(); in ossl_statem_client_write_transition()
618 if (s->s3.tmp.cert_req) in ossl_statem_client_write_transition()
619 st->hand_state = TLS_ST_CW_CERT; in ossl_statem_client_write_transition()
621 st->hand_state = TLS_ST_CW_KEY_EXCH; in ossl_statem_client_write_transition()
625 st->hand_state = TLS_ST_CW_KEY_EXCH; in ossl_statem_client_write_transition()
636 * need to skip the certificate verify message when client's in ossl_statem_client_write_transition()
639 if (s->s3.tmp.cert_req == 1) { in ossl_statem_client_write_transition()
640 st->hand_state = TLS_ST_CW_CERT_VRFY; in ossl_statem_client_write_transition()
642 st->hand_state = TLS_ST_CW_CHANGE; in ossl_statem_client_write_transition()
644 if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { in ossl_statem_client_write_transition()
645 st->hand_state = TLS_ST_CW_CHANGE; in ossl_statem_client_write_transition()
650 st->hand_state = TLS_ST_CW_CHANGE; in ossl_statem_client_write_transition()
654 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_client_write_transition()
655 st->hand_state = TLS_ST_CW_CLNT_HELLO; in ossl_statem_client_write_transition()
656 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { in ossl_statem_client_write_transition()
657 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_client_write_transition()
660 st->hand_state = TLS_ST_CW_FINISHED; in ossl_statem_client_write_transition()
662 if (!SSL_CONNECTION_IS_DTLS(s) && s->s3.npn_seen) in ossl_statem_client_write_transition()
663 st->hand_state = TLS_ST_CW_NEXT_PROTO; in ossl_statem_client_write_transition()
665 st->hand_state = TLS_ST_CW_FINISHED; in ossl_statem_client_write_transition()
672 st->hand_state = TLS_ST_CW_FINISHED; in ossl_statem_client_write_transition()
677 if (s->hit) { in ossl_statem_client_write_transition()
678 st->hand_state = TLS_ST_OK; in ossl_statem_client_write_transition()
685 if (s->hit) { in ossl_statem_client_write_transition()
686 st->hand_state = TLS_ST_CW_CHANGE; in ossl_statem_client_write_transition()
689 st->hand_state = TLS_ST_OK; in ossl_statem_client_write_transition()
698 if (ssl3_renegotiate_check(SSL_CONNECTION_GET_SSL(s), 1)) { in ossl_statem_client_write_transition()
699 if (!tls_setup_handshake(s)) { in ossl_statem_client_write_transition()
703 st->hand_state = TLS_ST_CW_CLNT_HELLO; in ossl_statem_client_write_transition()
706 st->hand_state = TLS_ST_OK; in ossl_statem_client_write_transition()
715 WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst) in ossl_statem_client_pre_work() argument
717 OSSL_STATEM *st = &s->statem; in ossl_statem_client_pre_work()
719 switch (st->hand_state) { in ossl_statem_client_pre_work()
725 s->shutdown = 0; in ossl_statem_client_pre_work()
726 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_pre_work()
728 if (!ssl3_init_finished_mac(s)) { in ossl_statem_client_pre_work()
732 } else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED) { in ossl_statem_client_pre_work()
739 if (!ssl_set_new_record_layer(s, in ossl_statem_client_pre_work()
753 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_pre_work()
754 if (s->hit) { in ossl_statem_client_pre_work()
759 st->use_timer = 0; in ossl_statem_client_pre_work()
762 if (BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))) { in ossl_statem_client_pre_work()
764 return dtls_wait_for_dry(s); in ossl_statem_client_pre_work()
776 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING in ossl_statem_client_pre_work()
777 || s->early_data_state == SSL_EARLY_DATA_NONE) in ossl_statem_client_pre_work()
782 return tls_finish_handshake(s, wst, 0, 1); in ossl_statem_client_pre_work()
786 return tls_finish_handshake(s, wst, 1, 1); in ossl_statem_client_pre_work()
796 WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) in ossl_statem_client_post_work() argument
798 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_work()
799 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in ossl_statem_client_post_work()
801 s->init_num = 0; in ossl_statem_client_post_work()
803 switch (st->hand_state) { in ossl_statem_client_post_work()
809 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
810 && s->max_early_data > 0) { in ossl_statem_client_post_work()
816 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { in ossl_statem_client_post_work()
817 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
824 } else if (!statem_flush(s)) { in ossl_statem_client_post_work()
828 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_post_work()
830 s->first_packet = 1; in ossl_statem_client_post_work()
835 if (tls_client_key_exchange_post_work(s) == 0) { in ossl_statem_client_post_work()
842 if (SSL_CONNECTION_IS_TLS13(s) in ossl_statem_client_post_work()
843 || s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_client_post_work()
845 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
846 && s->max_early_data > 0) { in ossl_statem_client_post_work()
852 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
857 s->session->cipher = s->s3.tmp.new_cipher; in ossl_statem_client_post_work()
859 s->session->compress_meth = 0; in ossl_statem_client_post_work()
861 if (s->s3.tmp.new_compression == NULL) in ossl_statem_client_post_work()
862 s->session->compress_meth = 0; in ossl_statem_client_post_work()
864 s->session->compress_meth = s->s3.tmp.new_compression->id; in ossl_statem_client_post_work()
866 if (!ssl->method->ssl3_enc->setup_key_block(s)) { in ossl_statem_client_post_work()
871 if (!ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
878 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { in ossl_statem_client_post_work()
880 * Change to new shared key of SCTP-Auth, will be ignored if in ossl_statem_client_post_work()
891 if (wst == WORK_MORE_A && SSL_CONNECTION_IS_DTLS(s) && s->hit == 0) { in ossl_statem_client_post_work()
893 * Change to new shared key of SCTP-Auth, will be ignored if in ossl_statem_client_post_work()
900 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
903 if (SSL_CONNECTION_IS_TLS13(s)) { in ossl_statem_client_post_work()
904 if (!tls13_save_handshake_digest_for_pha(s)) { in ossl_statem_client_post_work()
908 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { in ossl_statem_client_post_work()
909 if (!ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
919 if (SSL_IS_QUIC_HANDSHAKE(s) in ossl_statem_client_post_work()
920 && !ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
930 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
932 if (!tls13_update_key(s, 1)) { in ossl_statem_client_post_work()
950 int ossl_statem_client_construct_message(SSL_CONNECTION *s, in ossl_statem_client_construct_message() argument
953 OSSL_STATEM *st = &s->statem; in ossl_statem_client_construct_message()
955 switch (st->hand_state) { in ossl_statem_client_construct_message()
958 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in ossl_statem_client_construct_message()
962 if (SSL_CONNECTION_IS_DTLS(s)) in ossl_statem_client_construct_message()
1030 size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s) in ossl_statem_client_max_message_size() argument
1032 OSSL_STATEM *st = &s->statem; in ossl_statem_client_max_message_size()
1034 switch (st->hand_state) { in ossl_statem_client_max_message_size()
1047 return s->max_cert_list; in ossl_statem_client_max_message_size()
1060 * Set to s->max_cert_list for compatibility with previous releases. In in ossl_statem_client_max_message_size()
1064 return s->max_cert_list; in ossl_statem_client_max_message_size()
1070 if (s->version == DTLS1_BAD_VER) in ossl_statem_client_max_message_size()
1075 return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 in ossl_statem_client_max_message_size()
1092 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL_CONNECTION *s, in ossl_statem_client_process_message() argument
1095 OSSL_STATEM *st = &s->statem; in ossl_statem_client_process_message()
1097 switch (st->hand_state) { in ossl_statem_client_process_message()
1100 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_process_message()
1104 return tls_process_server_hello(s, pkt); in ossl_statem_client_process_message()
1107 return dtls_process_hello_verify(s, pkt); in ossl_statem_client_process_message()
1110 return tls_process_server_certificate(s, pkt); in ossl_statem_client_process_message()
1114 return tls_process_server_compressed_certificate(s, pkt); in ossl_statem_client_process_message()
1118 return tls_process_cert_verify(s, pkt); in ossl_statem_client_process_message()
1121 return tls_process_cert_status(s, pkt); in ossl_statem_client_process_message()
1124 return tls_process_key_exchange(s, pkt); in ossl_statem_client_process_message()
1127 return tls_process_certificate_request(s, pkt); in ossl_statem_client_process_message()
1130 return tls_process_server_done(s, pkt); in ossl_statem_client_process_message()
1133 return tls_process_change_cipher_spec(s, pkt); in ossl_statem_client_process_message()
1136 return tls_process_new_session_ticket(s, pkt); in ossl_statem_client_process_message()
1139 return tls_process_finished(s, pkt); in ossl_statem_client_process_message()
1142 return tls_process_hello_req(s, pkt); in ossl_statem_client_process_message()
1145 return tls_process_encrypted_extensions(s, pkt); in ossl_statem_client_process_message()
1148 return tls_process_key_update(s, pkt); in ossl_statem_client_process_message()
1156 WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s, in ossl_statem_client_post_process_message() argument
1159 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_process_message()
1161 switch (st->hand_state) { in ossl_statem_client_post_process_message()
1164 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_post_process_message()
1169 return tls_post_process_server_certificate(s, wst); in ossl_statem_client_post_process_message()
1173 return tls_prepare_client_certificate(s, wst); in ossl_statem_client_post_process_message()
1177 CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_client_hello() argument
1185 SSL_SESSION *sess = s->session; in tls_construct_client_hello()
1187 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_client_hello()
1190 protverr = ssl_set_client_hello_version(s); in tls_construct_client_hello()
1192 SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); in tls_construct_client_hello()
1197 || !ssl_version_supported(s, sess->ssl_version, NULL) in tls_construct_client_hello()
1199 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1200 && !ssl_get_new_session(s, 0)) { in tls_construct_client_hello()
1205 /* else use the pre-loaded session */ in tls_construct_client_hello()
1207 p = s->s3.client_random; in tls_construct_client_hello()
1213 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_construct_client_hello()
1216 for (idx = 0; idx < sizeof(s->s3.client_random); idx++) { in tls_construct_client_hello()
1223 i = (s->hello_retry_request == SSL_HRR_NONE); in tls_construct_client_hello()
1226 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), in tls_construct_client_hello()
1228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1232 /*- in tls_construct_client_hello()
1265 if (!WPACKET_put_bytes_u16(pkt, s->client_version) in tls_construct_client_hello()
1266 || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { in tls_construct_client_hello()
1267 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1272 session_id = s->session->session_id; in tls_construct_client_hello()
1273 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { in tls_construct_client_hello()
1274 if (s->version == TLS1_3_VERSION in tls_construct_client_hello()
1275 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { in tls_construct_client_hello()
1276 sess_id_len = sizeof(s->tmp_session_id); in tls_construct_client_hello()
1277 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1278 session_id = s->tmp_session_id; in tls_construct_client_hello()
1279 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1280 && RAND_bytes_ex(sctx->libctx, s->tmp_session_id, in tls_construct_client_hello()
1282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1289 assert(s->session->session_id_length <= sizeof(s->session->session_id)); in tls_construct_client_hello()
1290 sess_id_len = s->session->session_id_length; in tls_construct_client_hello()
1291 if (s->version == TLS1_3_VERSION) { in tls_construct_client_hello()
1292 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1293 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); in tls_construct_client_hello()
1300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1305 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_construct_client_hello()
1306 if (s->d1->cookie_len > sizeof(s->d1->cookie) in tls_construct_client_hello()
1307 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, in tls_construct_client_hello()
1308 s->d1->cookie_len)) { in tls_construct_client_hello()
1309 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1320 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)), in tls_construct_client_hello()
1326 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1336 if (ssl_allow_compression(s) in tls_construct_client_hello()
1337 && sctx->comp_methods in tls_construct_client_hello()
1338 && (SSL_CONNECTION_IS_DTLS(s) in tls_construct_client_hello()
1339 || s->s3.tmp.max_ver < TLS1_3_VERSION)) { in tls_construct_client_hello()
1340 int compnum = sk_SSL_COMP_num(sctx->comp_methods); in tls_construct_client_hello()
1342 comp = sk_SSL_COMP_value(sctx->comp_methods, i); in tls_construct_client_hello()
1343 if (!WPACKET_put_bytes_u8(pkt, comp->id)) { in tls_construct_client_hello()
1344 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1357 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { in tls_construct_client_hello()
1365 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt) in dtls_process_hello_verify() argument
1372 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1377 if (cookie_len > sizeof(s->d1->cookie)) { in dtls_process_hello_verify()
1378 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG); in dtls_process_hello_verify()
1382 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { in dtls_process_hello_verify()
1383 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1386 s->d1->cookie_len = cookie_len; in dtls_process_hello_verify()
1391 static int set_client_ciphersuite(SSL_CONNECTION *s, in set_client_ciphersuite() argument
1397 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in set_client_ciphersuite()
1399 c = ssl_get_cipher_by_char(s, cipherchars, 0); in set_client_ciphersuite()
1402 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED); in set_client_ciphersuite()
1407 * or it's not allowed for the selected protocol. So we return an error. in set_client_ciphersuite()
1409 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { in set_client_ciphersuite()
1410 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1414 sk = ssl_get_ciphers_by_id(s); in set_client_ciphersuite()
1418 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1422 if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL in set_client_ciphersuite()
1423 && s->s3.tmp.new_cipher->id != c->id) { in set_client_ciphersuite()
1425 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1434 if (s->session->cipher != NULL) in set_client_ciphersuite()
1435 s->session->cipher_id = s->session->cipher->id; in set_client_ciphersuite()
1436 if (s->hit && (s->session->cipher_id != c->id)) { in set_client_ciphersuite()
1437 if (SSL_CONNECTION_IS_TLS13(s)) { in set_client_ciphersuite()
1438 const EVP_MD *md = ssl_md(sctx, c->algorithm2); in set_client_ciphersuite()
1440 if (!ossl_assert(s->session->cipher != NULL)) { in set_client_ciphersuite()
1441 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in set_client_ciphersuite()
1449 || md != ssl_md(sctx, s->session->cipher->algorithm2)) { in set_client_ciphersuite()
1450 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1459 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1464 s->s3.tmp.new_cipher = c; in set_client_ciphersuite()
1469 MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) in tls_process_server_hello() argument
1479 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_process_server_hello()
1480 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); in tls_process_server_hello()
1486 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1491 if (s->version == TLS1_3_VERSION in tls_process_server_hello()
1495 if (s->hello_retry_request != SSL_HRR_NONE) { in tls_process_server_hello()
1496 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_server_hello()
1499 s->hello_retry_request = SSL_HRR_PENDING; in tls_process_server_hello()
1501 if (!ssl_set_record_protocol_version(s, s->version)) { in tls_process_server_hello()
1502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1507 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1511 if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) { in tls_process_server_hello()
1512 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1517 /* Get the session-id. */ in tls_process_server_hello()
1519 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1523 if (session_id_len > sizeof(s->session->session_id) in tls_process_server_hello()
1525 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG); in tls_process_server_hello()
1530 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1535 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1544 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_hello()
1549 if (!tls_collect_extensions(s, &extpkt, in tls_process_server_hello()
1557 if (!ssl_choose_client_version(s, sversion, extensions)) { in tls_process_server_hello()
1563 if (SSL_CONNECTION_IS_TLS13(s) || hrr) { in tls_process_server_hello()
1565 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1570 if (session_id_len != s->tmp_session_id_len in tls_process_server_hello()
1571 || memcmp(PACKET_data(&session_id), s->tmp_session_id, in tls_process_server_hello()
1573 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID); in tls_process_server_hello()
1579 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1584 return tls_process_as_hello_retry_request(s, &extpkt); in tls_process_server_hello()
1591 context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO in tls_process_server_hello()
1593 if (!tls_validate_all_contexts(s, context, extensions)) { in tls_process_server_hello()
1594 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); in tls_process_server_hello()
1598 s->hit = 0; in tls_process_server_hello()
1600 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_hello()
1605 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_server_hello()
1606 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, in tls_process_server_hello()
1611 /* This will set s->hit if we are resuming */ in tls_process_server_hello()
1612 if (!tls_parse_extension(s, TLSEXT_IDX_psk, in tls_process_server_hello()
1620 * Check if we can resume the session based on external pre-shared in tls_process_server_hello()
1621 * secret. EAP-FAST (RFC 4851) supports two types of session resumption. in tls_process_server_hello()
1622 * Resumption based on server-side state works with session IDs. in tls_process_server_hello()
1623 * Resumption based on pre-shared Protected Access Credentials (PACs) in tls_process_server_hello()
1626 * EAP-FAST servers would honour the session ID.) Therefore, the session in tls_process_server_hello()
1631 if (s->version >= TLS1_VERSION in tls_process_server_hello()
1632 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { in tls_process_server_hello()
1635 * s->session->master_key_length is a size_t, but this is an int for in tls_process_server_hello()
1640 master_key_length = sizeof(s->session->master_key); in tls_process_server_hello()
1641 if (s->ext.session_secret_cb(ussl, s->session->master_key, in tls_process_server_hello()
1644 s->ext.session_secret_cb_arg) in tls_process_server_hello()
1646 s->session->master_key_length = master_key_length; in tls_process_server_hello()
1647 s->session->cipher = pref_cipher ? in tls_process_server_hello()
1648 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); in tls_process_server_hello()
1650 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1656 && session_id_len == s->session->session_id_length in tls_process_server_hello()
1657 && memcmp(PACKET_data(&session_id), s->session->session_id, in tls_process_server_hello()
1659 s->hit = 1; in tls_process_server_hello()
1662 if (s->hit) { in tls_process_server_hello()
1663 if (s->sid_ctx_length != s->session->sid_ctx_length in tls_process_server_hello()
1664 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { in tls_process_server_hello()
1666 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1672 * If we were trying for session-id reuse but the server in tls_process_server_hello()
1674 * In the case of EAP-FAST and PAC, we do not send a session ID, in tls_process_server_hello()
1675 * so the PAC-based session secret is always preserved. It'll be in tls_process_server_hello()
1678 if (s->session->session_id_length > 0) { in tls_process_server_hello()
1679 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); in tls_process_server_hello()
1680 if (!ssl_get_new_session(s, 0)) { in tls_process_server_hello()
1686 s->session->ssl_version = s->version; in tls_process_server_hello()
1693 if (!SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_hello()
1694 s->session->session_id_length = session_id_len; in tls_process_server_hello()
1697 memcpy(s->session->session_id, PACKET_data(&session_id), in tls_process_server_hello()
1703 if (s->version != s->session->ssl_version) { in tls_process_server_hello()
1704 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, in tls_process_server_hello()
1709 * Now that we know the version, update the check to see if it's an allowed in tls_process_server_hello()
1712 s->s3.tmp.min_ver = s->version; in tls_process_server_hello()
1713 s->s3.tmp.max_ver = s->version; in tls_process_server_hello()
1715 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1722 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1730 if (s->session->compress_meth != 0) { in tls_process_server_hello()
1731 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); in tls_process_server_hello()
1735 if (s->hit && compression != s->session->compress_meth) { in tls_process_server_hello()
1736 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1742 else if (!ssl_allow_compression(s)) { in tls_process_server_hello()
1743 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED); in tls_process_server_hello()
1746 comp = ssl3_comp_find(SSL_CONNECTION_GET_CTX(s)->comp_methods, in tls_process_server_hello()
1751 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1755 s->s3.tmp.new_compression = comp; in tls_process_server_hello()
1759 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { in tls_process_server_hello()
1765 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { in tls_process_server_hello()
1771 * Add new shared key for SCTP-Auth, will be ignored if in tls_process_server_hello()
1778 labellen = sizeof(labelbuffer) - 1; in tls_process_server_hello()
1779 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_process_server_hello()
1786 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1797 * In TLSv1.3 we have some post-processing to change cipher state, otherwise in tls_process_server_hello()
1800 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_hello()
1801 if (!ssl->method->ssl3_enc->setup_key_block(s) in tls_process_server_hello()
1802 || !tls13_store_handshake_traffic_hash(s)) { in tls_process_server_hello()
1807 * If we're not doing early-data and we're not going to send a dummy CCS in tls_process_server_hello()
1815 if (SSL_IS_QUIC_HANDSHAKE(s) in tls_process_server_hello()
1816 || (s->early_data_state == SSL_EARLY_DATA_NONE in tls_process_server_hello()
1817 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0)) { in tls_process_server_hello()
1818 if (!ssl->method->ssl3_enc->change_cipher_state(s, in tls_process_server_hello()
1824 if (!ssl->method->ssl3_enc->change_cipher_state(s, in tls_process_server_hello()
1838 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, in tls_process_as_hello_retry_request() argument
1847 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING in tls_process_as_hello_retry_request()
1848 && !ssl_set_new_record_layer(s, in tls_process_as_hello_retry_request()
1858 s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION); in tls_process_as_hello_retry_request()
1860 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1862 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1871 if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { in tls_process_as_hello_retry_request()
1876 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR); in tls_process_as_hello_retry_request()
1881 * Re-initialise the Transcript Hash. We're going to prepopulate it with in tls_process_as_hello_retry_request()
1884 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { in tls_process_as_hello_retry_request()
1895 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, in tls_process_as_hello_retry_request()
1896 s->init_num + SSL3_HM_HEADER_LENGTH)) { in tls_process_as_hello_retry_request()
1921 EVP_PKEY_free(sc->session->peer_rpk); in tls_process_server_rpk()
1922 sc->session->peer_rpk = peer_rpk; in tls_process_server_rpk()
1934 if (sc->session->peer_rpk == NULL) { in tls_post_process_server_rpk()
1940 if (sc->rwstate == SSL_RETRY_VERIFY) in tls_post_process_server_rpk()
1941 sc->rwstate = SSL_NOTHING; in tls_post_process_server_rpk()
1944 v_ok = ssl_verify_rpk(sc, sc->session->peer_rpk); in tls_post_process_server_rpk()
1945 if (v_ok <= 0 && sc->verify_mode != SSL_VERIFY_NONE) { in tls_post_process_server_rpk()
1947 SSLfatal(sc, ssl_x509err2alert(sc->verify_result), in tls_post_process_server_rpk()
1951 ERR_pop_to_mark(); /* but we keep s->verify_result */ in tls_post_process_server_rpk()
1952 if (v_ok > 0 && sc->rwstate == SSL_RETRY_VERIFY) { in tls_post_process_server_rpk()
1956 if ((clu = ssl_cert_lookup_by_pkey(sc->session->peer_rpk, &certidx, in tls_post_process_server_rpk()
1968 if ((clu->amask & sc->s3.tmp.new_cipher->algorithm_auth) == 0) { in tls_post_process_server_rpk()
1975 X509_free(sc->session->peer); in tls_post_process_server_rpk()
1976 sc->session->peer = NULL; in tls_post_process_server_rpk()
1977 sk_X509_pop_free(sc->session->peer_chain, X509_free); in tls_post_process_server_rpk()
1978 sc->session->peer_chain = NULL; in tls_post_process_server_rpk()
1979 sc->session->verify_result = sc->verify_result; in tls_post_process_server_rpk()
1983 && !ssl_handshake_hash(sc, sc->cert_verify_hash, in tls_post_process_server_rpk()
1984 sizeof(sc->cert_verify_hash), in tls_post_process_server_rpk()
1985 &sc->cert_verify_hash_len)) { in tls_post_process_server_rpk()
1993 /* prepare server cert verification by setting s->session->peer_chain from pkt */
1994 MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, in tls_process_server_certificate() argument
2002 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_server_certificate()
2004 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) in tls_process_server_certificate()
2005 return tls_process_server_rpk(s, pkt); in tls_process_server_certificate()
2006 if (s->ext.server_cert_type != TLSEXT_cert_type_x509) { in tls_process_server_certificate()
2007 SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE, in tls_process_server_certificate()
2012 if ((s->session->peer_chain = sk_X509_new_null()) == NULL) { in tls_process_server_certificate()
2013 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_server_certificate()
2017 if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) in tls_process_server_certificate()
2022 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_certificate()
2028 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
2033 x = X509_new_ex(sctx->libctx, sctx->propq); in tls_process_server_certificate()
2035 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); in tls_process_server_certificate()
2040 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB); in tls_process_server_certificate()
2045 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
2049 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_certificate()
2054 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_certificate()
2057 if (!tls_collect_extensions(s, &extensions, in tls_process_server_certificate()
2060 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, in tls_process_server_certificate()
2070 if (!sk_X509_push(s->session->peer_chain, x)) { in tls_process_server_certificate()
2071 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_server_certificate()
2080 OSSL_STACK_OF_X509_free(s->session->peer_chain); in tls_process_server_certificate()
2081 s->session->peer_chain = NULL; in tls_process_server_certificate()
2086 * Verify the s->session->peer_chain and check server cert type.
2087 * On success set s->session->peer and s->session->verify_result.
2090 WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, in tls_post_process_server_certificate() argument
2099 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) in tls_post_process_server_certificate()
2100 return tls_post_process_server_rpk(s, wst); in tls_post_process_server_certificate()
2102 if (s->rwstate == SSL_RETRY_VERIFY) in tls_post_process_server_certificate()
2103 s->rwstate = SSL_NOTHING; in tls_post_process_server_certificate()
2120 i = ssl_verify_cert_chain(s, s->session->peer_chain); in tls_post_process_server_certificate()
2121 if (i <= 0 && s->verify_mode != SSL_VERIFY_NONE) { in tls_post_process_server_certificate()
2123 SSLfatal(s, ssl_x509err2alert(s->verify_result), in tls_post_process_server_certificate()
2127 ERR_pop_to_mark(); /* but we keep s->verify_result */ in tls_post_process_server_certificate()
2128 if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) in tls_post_process_server_certificate()
2132 * Inconsistency alert: cert_chain does include the peer's certificate, in tls_post_process_server_certificate()
2135 x = sk_X509_value(s->session->peer_chain, 0); in tls_post_process_server_certificate()
2140 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_post_process_server_certificate()
2146 SSL_CONNECTION_GET_CTX(s))) == NULL) { in tls_post_process_server_certificate()
2147 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
2155 if (!SSL_CONNECTION_IS_TLS13(s)) { in tls_post_process_server_certificate()
2156 if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { in tls_post_process_server_certificate()
2157 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
2163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_post_process_server_certificate()
2167 X509_free(s->session->peer); in tls_post_process_server_certificate()
2168 s->session->peer = x; in tls_post_process_server_certificate()
2169 s->session->verify_result = s->verify_result; in tls_post_process_server_certificate()
2171 EVP_PKEY_free(s->session->peer_rpk); in tls_post_process_server_certificate()
2172 s->session->peer_rpk = NULL; in tls_post_process_server_certificate()
2175 if (SSL_CONNECTION_IS_TLS13(s) in tls_post_process_server_certificate()
2176 && !ssl_handshake_hash(s, s->cert_verify_hash, in tls_post_process_server_certificate()
2177 sizeof(s->cert_verify_hash), in tls_post_process_server_certificate()
2178 &s->cert_verify_hash_len)) { in tls_post_process_server_certificate()
2200 static int tls_process_ske_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) in tls_process_ske_psk_preamble() argument
2208 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_psk_preamble()
2219 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG); in tls_process_ske_psk_preamble()
2224 OPENSSL_free(s->session->psk_identity_hint); in tls_process_ske_psk_preamble()
2225 s->session->psk_identity_hint = NULL; in tls_process_ske_psk_preamble()
2227 &s->session->psk_identity_hint)) { in tls_process_ske_psk_preamble()
2228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
2234 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
2239 static int tls_process_ske_srp(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_srp() argument
2248 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_srp()
2252 if ((s->srp_ctx.N = in tls_process_ske_srp()
2255 || (s->srp_ctx.g = in tls_process_ske_srp()
2258 || (s->srp_ctx.s = in tls_process_ske_srp()
2261 || (s->srp_ctx.B = in tls_process_ske_srp()
2264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_srp()
2268 if (!srp_verify_server_param(s)) { in tls_process_ske_srp()
2274 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_srp()
2275 *pkey = tls_get_peer_pkey(s); in tls_process_ske_srp()
2279 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_srp()
2284 static int tls_process_ske_dhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_dhe() argument
2292 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_ske_dhe()
2298 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_dhe()
2308 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_dhe()
2319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
2323 pctx = EVP_PKEY_CTX_new_from_name(sctx->libctx, "DH", sctx->propq); in tls_process_ske_dhe()
2325 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
2330 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
2335 pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, peer_tmp, sctx->propq); in tls_process_ske_dhe()
2345 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
2349 if (!ssl_security(s, SSL_SECOP_TMP_DH, in tls_process_ske_dhe()
2352 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); in tls_process_ske_dhe()
2356 s->s3.peer_tmp = peer_tmp; in tls_process_ske_dhe()
2361 * public keys. We should have a less ad-hoc way of doing this in tls_process_ske_dhe()
2363 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_dhe()
2364 *pkey = tls_get_peer_pkey(s); in tls_process_ske_dhe()
2381 static int tls_process_ske_ecdhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_ecdhe() argument
2387 * Extract elliptic curve parameters and the server's ephemeral ECDH in tls_process_ske_ecdhe()
2392 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_ske_ecdhe()
2400 || !tls1_check_group_id(s, curve_id, 1)) { in tls_process_ske_ecdhe()
2401 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); in tls_process_ske_ecdhe()
2405 if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { in tls_process_ske_ecdhe()
2406 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_ske_ecdhe()
2412 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_ecdhe()
2416 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, in tls_process_ske_ecdhe()
2419 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); in tls_process_ske_ecdhe()
2428 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) in tls_process_ske_ecdhe()
2429 *pkey = tls_get_peer_pkey(s); in tls_process_ske_ecdhe()
2430 else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA) in tls_process_ske_ecdhe()
2431 *pkey = tls_get_peer_pkey(s); in tls_process_ske_ecdhe()
2435 s->session->kex_group = curve_id; in tls_process_ske_ecdhe()
2439 MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt) in tls_process_key_exchange() argument
2446 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_key_exchange()
2448 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_process_key_exchange()
2452 EVP_PKEY_free(s->s3.peer_tmp); in tls_process_key_exchange()
2453 s->s3.peer_tmp = NULL; in tls_process_key_exchange()
2456 if (!tls_process_ske_psk_preamble(s, pkt)) { in tls_process_key_exchange()
2465 if (!tls_process_ske_srp(s, pkt, &pkey)) { in tls_process_key_exchange()
2470 if (!tls_process_ske_dhe(s, pkt, &pkey)) { in tls_process_key_exchange()
2475 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { in tls_process_key_exchange()
2480 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_key_exchange()
2497 PACKET_remaining(&save_param_start) - in tls_process_key_exchange()
2499 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_key_exchange()
2503 if (SSL_USE_SIGALGS(s)) { in tls_process_key_exchange()
2507 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_key_exchange()
2510 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { in tls_process_key_exchange()
2514 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { in tls_process_key_exchange()
2515 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_key_exchange()
2520 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) { in tls_process_key_exchange()
2521 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_key_exchange()
2525 if (SSL_USE_SIGALGS(s)) in tls_process_key_exchange()
2526 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", in tls_process_key_exchange()
2531 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_key_exchange()
2537 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2543 sctx->libctx, sctx->propq, pkey, in tls_process_key_exchange()
2545 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2548 if (SSL_USE_PSS(s)) { in tls_process_key_exchange()
2552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2556 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params), in tls_process_key_exchange()
2567 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); in tls_process_key_exchange()
2574 if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) in tls_process_key_exchange()
2577 if (ssl3_check_cert_and_algorithm(s)) { in tls_process_key_exchange()
2578 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA); in tls_process_key_exchange()
2585 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE); in tls_process_key_exchange()
2596 MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, in tls_process_certificate_request() argument
2600 if (s->s3.tmp.valid_flags != NULL) in tls_process_certificate_request()
2601 memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); in tls_process_certificate_request()
2603 s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); in tls_process_certificate_request()
2606 if (s->s3.tmp.valid_flags == NULL) in tls_process_certificate_request()
2609 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_certificate_request()
2613 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { in tls_process_certificate_request()
2616 * post-handshake messages. We can't reasonably respond to this, so in tls_process_certificate_request()
2623 OPENSSL_free(s->s3.tmp.ctype); in tls_process_certificate_request()
2624 s->s3.tmp.ctype = NULL; in tls_process_certificate_request()
2625 s->s3.tmp.ctype_len = 0; in tls_process_certificate_request()
2626 OPENSSL_free(s->pha_context); in tls_process_certificate_request()
2627 s->pha_context = NULL; in tls_process_certificate_request()
2628 s->pha_context_len = 0; in tls_process_certificate_request()
2631 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { in tls_process_certificate_request()
2632 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2637 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
2640 if (!tls_collect_extensions(s, &extensions, in tls_process_certificate_request()
2643 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, in tls_process_certificate_request()
2650 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
2659 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2663 if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) { in tls_process_certificate_request()
2664 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_certificate_request()
2668 if (SSL_USE_SIGALGS(s)) { in tls_process_certificate_request()
2672 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2678 * with pre-TLS 1.3 and use the regular sigalgs field. in tls_process_certificate_request()
2680 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { in tls_process_certificate_request()
2681 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_certificate_request()
2685 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_process_certificate_request()
2692 if (!parse_ca_names(s, pkt)) { in tls_process_certificate_request()
2699 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2704 s->s3.tmp.cert_req = 1; in tls_process_certificate_request()
2714 if (SSL_CONNECTION_IS_TLS13(s) in tls_process_certificate_request()
2715 && s->post_handshake_auth != SSL_PHA_REQUESTED) in tls_process_certificate_request()
2721 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, in tls_process_new_session_ticket() argument
2730 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_new_session_ticket()
2735 || (SSL_CONNECTION_IS_TLS13(s) in tls_process_new_session_ticket()
2739 || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0 in tls_process_new_session_ticket()
2742 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2756 * we can get multi-thread problems. Therefore we don't "update" sessions, in tls_process_new_session_ticket()
2759 * post-handshake and the session may have already gone into the session in tls_process_new_session_ticket()
2762 if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) { in tls_process_new_session_ticket()
2769 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { in tls_process_new_session_ticket()
2770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_process_new_session_ticket()
2774 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 in tls_process_new_session_ticket()
2775 && !SSL_CONNECTION_IS_TLS13(s)) { in tls_process_new_session_ticket()
2781 SSL_CTX_remove_session(s->session_ctx, s->session); in tls_process_new_session_ticket()
2784 SSL_SESSION_free(s->session); in tls_process_new_session_ticket()
2785 s->session = new_sess; in tls_process_new_session_ticket()
2788 s->session->time = ossl_time_now(); in tls_process_new_session_ticket()
2789 ssl_session_calculate_timeout(s->session); in tls_process_new_session_ticket()
2791 OPENSSL_free(s->session->ext.tick); in tls_process_new_session_ticket()
2792 s->session->ext.tick = NULL; in tls_process_new_session_ticket()
2793 s->session->ext.ticklen = 0; in tls_process_new_session_ticket()
2795 s->session->ext.tick = OPENSSL_malloc(ticklen); in tls_process_new_session_ticket()
2796 if (s->session->ext.tick == NULL) { in tls_process_new_session_ticket()
2797 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_new_session_ticket()
2800 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { in tls_process_new_session_ticket()
2801 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2805 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; in tls_process_new_session_ticket()
2806 s->session->ext.tick_age_add = age_add; in tls_process_new_session_ticket()
2807 s->session->ext.ticklen = ticklen; in tls_process_new_session_ticket()
2809 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_new_session_ticket()
2814 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2818 if (!tls_collect_extensions(s, &extpkt, in tls_process_new_session_ticket()
2821 || !tls_parse_all_extensions(s, in tls_process_new_session_ticket()
2840 sha256 = EVP_MD_fetch(sctx->libctx, "SHA2-256", sctx->propq); in tls_process_new_session_ticket()
2843 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls_process_new_session_ticket()
2848 * but s->session->session_id_length is a size_t in tls_process_new_session_ticket()
2850 if (!EVP_Digest(s->session->ext.tick, ticklen, in tls_process_new_session_ticket()
2851 s->session->session_id, &sess_len, in tls_process_new_session_ticket()
2853 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_new_session_ticket()
2858 s->session->session_id_length = sess_len; in tls_process_new_session_ticket()
2859 s->session->not_resumable = 0; in tls_process_new_session_ticket()
2862 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_new_session_ticket()
2863 const EVP_MD *md = ssl_handshake_md(s); in tls_process_new_session_ticket()
2870 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_new_session_ticket()
2875 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, in tls_process_new_session_ticket()
2877 sizeof(nonce_label) - 1, in tls_process_new_session_ticket()
2880 s->session->master_key, in tls_process_new_session_ticket()
2885 s->session->master_key_length = hashlen; in tls_process_new_session_ticket()
2888 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); in tls_process_new_session_ticket()
2903 int tls_process_cert_status_body(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cert_status_body() argument
2910 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE); in tls_process_cert_status_body()
2915 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
2918 s->ext.ocsp.resp = OPENSSL_malloc(resplen); in tls_process_cert_status_body()
2919 if (s->ext.ocsp.resp == NULL) { in tls_process_cert_status_body()
2920 s->ext.ocsp.resp_len = 0; in tls_process_cert_status_body()
2921 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_cert_status_body()
2924 s->ext.ocsp.resp_len = resplen; in tls_process_cert_status_body()
2925 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { in tls_process_cert_status_body()
2926 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
2934 MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cert_status() argument
2936 if (!tls_process_cert_status_body(s, pkt)) { in tls_process_cert_status()
2946 * server's initial flight. In TLS1.3 this is after the Server Finished message.
2950 int tls_process_initial_server_flight(SSL_CONNECTION *s) in tls_process_initial_server_flight() argument
2952 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_initial_server_flight()
2958 if (!ssl3_check_cert_and_algorithm(s)) { in tls_process_initial_server_flight()
2966 * message, or NULL and -1 otherwise in tls_process_initial_server_flight()
2968 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing in tls_process_initial_server_flight()
2969 && sctx->ext.status_cb != NULL) { in tls_process_initial_server_flight()
2970 int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s), in tls_process_initial_server_flight()
2971 sctx->ext.status_arg); in tls_process_initial_server_flight()
2974 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, in tls_process_initial_server_flight()
2979 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_initial_server_flight()
2985 if (s->ct_validation_callback != NULL) { in tls_process_initial_server_flight()
2987 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { in tls_process_initial_server_flight()
2997 MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s, PACKET *pkt) in tls_process_server_done() argument
3001 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_done()
3005 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_process_server_done()
3006 if (ssl_srp_calc_a_param_intern(s) <= 0) { in tls_process_server_done()
3007 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); in tls_process_server_done()
3013 if (!tls_process_initial_server_flight(s)) { in tls_process_server_done()
3021 static int tls_construct_cke_psk_preamble(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_psk_preamble() argument
3027 * \0-terminated identity. The last byte is for us for simulating in tls_construct_cke_psk_preamble()
3037 if (s->psk_client_callback == NULL) { in tls_construct_cke_psk_preamble()
3038 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB); in tls_construct_cke_psk_preamble()
3044 psklen = s->psk_client_callback(SSL_CONNECTION_GET_USER_SSL(s), in tls_construct_cke_psk_preamble()
3045 s->session->psk_identity_hint, in tls_construct_cke_psk_preamble()
3046 identity, sizeof(identity) - 1, in tls_construct_cke_psk_preamble()
3050 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3054 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND); in tls_construct_cke_psk_preamble()
3060 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3067 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_psk_preamble()
3071 OPENSSL_free(s->s3.tmp.psk); in tls_construct_cke_psk_preamble()
3072 s->s3.tmp.psk = tmppsk; in tls_construct_cke_psk_preamble()
3073 s->s3.tmp.psklen = psklen; in tls_construct_cke_psk_preamble()
3075 OPENSSL_free(s->session->psk_identity); in tls_construct_cke_psk_preamble()
3076 s->session->psk_identity = tmpidentity; in tls_construct_cke_psk_preamble()
3080 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3094 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3099 static int tls_construct_cke_rsa(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_rsa() argument
3107 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_cke_rsa()
3109 if (!received_server_cert(s)) { in tls_construct_cke_rsa()
3113 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3117 if ((pkey = tls_get_peer_pkey(s)) == NULL) { in tls_construct_cke_rsa()
3118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3123 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3130 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_rsa()
3134 pms[0] = s->client_version >> 8; in tls_construct_cke_rsa()
3135 pms[1] = s->client_version & 0xff; in tls_construct_cke_rsa()
3136 if (RAND_bytes_ex(sctx->libctx, pms + 2, pmslen - 2, 0) <= 0) { in tls_construct_cke_rsa()
3137 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_RAND_LIB); in tls_construct_cke_rsa()
3142 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { in tls_construct_cke_rsa()
3143 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3147 pctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pkey, sctx->propq); in tls_construct_cke_rsa()
3150 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_rsa()
3155 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT); in tls_construct_cke_rsa()
3162 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { in tls_construct_cke_rsa()
3163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3168 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { in tls_construct_cke_rsa()
3173 s->s3.tmp.pms = pms; in tls_construct_cke_rsa()
3174 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_rsa()
3184 static int tls_construct_cke_dhe(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_dhe() argument
3193 skey = s->s3.peer_tmp; in tls_construct_cke_dhe()
3195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3199 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_dhe()
3201 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3205 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_dhe()
3215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3226 pad_len = prime_len - encoded_pub_len; in tls_construct_cke_dhe()
3229 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3236 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3247 static int tls_construct_cke_ecdhe(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_ecdhe() argument
3254 skey = s->s3.peer_tmp; in tls_construct_cke_ecdhe()
3256 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
3260 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_ecdhe()
3262 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_construct_cke_ecdhe()
3266 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_ecdhe()
3275 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); in tls_construct_cke_ecdhe()
3280 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
3291 static int tls_construct_cke_gost(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_gost() argument
3304 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_cke_gost()
3306 if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) in tls_construct_cke_gost()
3312 if ((pkey = tls_get_peer_pkey(s)) == NULL) { in tls_construct_cke_gost()
3313 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost()
3318 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, in tls_construct_cke_gost()
3320 sctx->propq); in tls_construct_cke_gost()
3322 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost()
3335 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_gost()
3342 || RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) { in tls_construct_cke_gost()
3343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3347 * Compute shared IV and store it in algorithm-specific context in tls_construct_cke_gost()
3353 || EVP_DigestUpdate(ukm_hash, s->s3.client_random, in tls_construct_cke_gost()
3355 || EVP_DigestUpdate(ukm_hash, s->s3.server_random, in tls_construct_cke_gost()
3358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3363 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, in tls_construct_cke_gost()
3365 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3374 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3381 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3386 s->s3.tmp.pms = pms; in tls_construct_cke_gost()
3387 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost()
3396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3402 int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION *s) in ossl_gost18_cke_cipher_nid() argument
3404 if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0) in ossl_gost18_cke_cipher_nid()
3406 else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0) in ossl_gost18_cke_cipher_nid()
3412 int ossl_gost_ukm(const SSL_CONNECTION *s, unsigned char *dgst_buf) in ossl_gost_ukm() argument
3416 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in ossl_gost_ukm()
3417 const EVP_MD *md = ssl_evp_md_fetch(sctx->libctx, NID_id_GostR3411_2012_256, in ossl_gost_ukm()
3418 sctx->propq); in ossl_gost_ukm()
3425 || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3426 || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3439 static int tls_construct_cke_gost18(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_gost18() argument
3450 int cipher_nid = ossl_gost18_cke_cipher_nid(s); in tls_construct_cke_gost18()
3451 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_cke_gost18()
3454 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3458 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { in tls_construct_cke_gost18()
3459 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3463 /* Pre-master secret - random bytes */ in tls_construct_cke_gost18()
3467 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_gost18()
3471 if (RAND_bytes_ex(sctx->libctx, pms, pmslen, 0) <= 0) { in tls_construct_cke_gost18()
3472 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3477 if ((pkey = tls_get_peer_pkey(s)) == NULL) { in tls_construct_cke_gost18()
3478 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost18()
3483 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, in tls_construct_cke_gost18()
3485 sctx->propq); in tls_construct_cke_gost18()
3487 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3497 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, in tls_construct_cke_gost18()
3499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3503 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, in tls_construct_cke_gost18()
3505 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3510 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3522 s->s3.tmp.pms = pms; in tls_construct_cke_gost18()
3523 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost18()
3531 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3536 static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_srp() argument
3541 if (s->srp_ctx.A == NULL in tls_construct_cke_srp()
3542 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), in tls_construct_cke_srp()
3544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
3547 BN_bn2bin(s->srp_ctx.A, abytes); in tls_construct_cke_srp()
3549 OPENSSL_free(s->session->srp_username); in tls_construct_cke_srp()
3550 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); in tls_construct_cke_srp()
3551 if (s->session->srp_username == NULL) { in tls_construct_cke_srp()
3552 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_srp()
3558 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
3563 CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s, in tls_construct_client_key_exchange() argument
3568 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_construct_client_key_exchange()
3575 && !tls_construct_cke_psk_preamble(s, pkt)) in tls_construct_client_key_exchange()
3579 if (!tls_construct_cke_rsa(s, pkt)) in tls_construct_client_key_exchange()
3582 if (!tls_construct_cke_dhe(s, pkt)) in tls_construct_client_key_exchange()
3585 if (!tls_construct_cke_ecdhe(s, pkt)) in tls_construct_client_key_exchange()
3588 if (!tls_construct_cke_gost(s, pkt)) in tls_construct_client_key_exchange()
3591 if (!tls_construct_cke_gost18(s, pkt)) in tls_construct_client_key_exchange()
3594 if (!tls_construct_cke_srp(s, pkt)) in tls_construct_client_key_exchange()
3597 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_key_exchange()
3603 OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); in tls_construct_client_key_exchange()
3604 s->s3.tmp.pms = NULL; in tls_construct_client_key_exchange()
3605 s->s3.tmp.pmslen = 0; in tls_construct_client_key_exchange()
3607 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); in tls_construct_client_key_exchange()
3608 s->s3.tmp.psk = NULL; in tls_construct_client_key_exchange()
3609 s->s3.tmp.psklen = 0; in tls_construct_client_key_exchange()
3614 int tls_client_key_exchange_post_work(SSL_CONNECTION *s) in tls_client_key_exchange_post_work() argument
3619 pms = s->s3.tmp.pms; in tls_client_key_exchange_post_work()
3620 pmslen = s->s3.tmp.pmslen; in tls_client_key_exchange_post_work()
3624 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_client_key_exchange_post_work()
3625 if (!srp_generate_client_master_secret(s)) { in tls_client_key_exchange_post_work()
3633 if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { in tls_client_key_exchange_post_work()
3634 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_PASSED_INVALID_ARGUMENT); in tls_client_key_exchange_post_work()
3637 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { in tls_client_key_exchange_post_work()
3648 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_client_key_exchange_post_work()
3652 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_client_key_exchange_post_work()
3655 * Add new shared key for SCTP-Auth, will be ignored if no SCTP in tls_client_key_exchange_post_work()
3662 labellen = sizeof(labelbuffer) - 1; in tls_client_key_exchange_post_work()
3663 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_client_key_exchange_post_work()
3669 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_client_key_exchange_post_work()
3681 s->s3.tmp.pms = NULL; in tls_client_key_exchange_post_work()
3682 s->s3.tmp.pmslen = 0; in tls_client_key_exchange_post_work()
3691 static int ssl3_check_client_certificate(SSL_CONNECTION *s) in ssl3_check_client_certificate() argument
3694 if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL) in ssl3_check_client_certificate()
3700 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && in ssl3_check_client_certificate()
3701 !tls1_check_chain(s, NULL, NULL, NULL, -2)) in ssl3_check_client_certificate()
3706 WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) in tls_prepare_client_certificate() argument
3711 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_prepare_client_certificate()
3715 if (s->cert->cert_cb) { in tls_prepare_client_certificate()
3716 i = s->cert->cert_cb(ssl, s->cert->cert_cb_arg); in tls_prepare_client_certificate()
3718 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3722 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); in tls_prepare_client_certificate()
3725 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3727 if (ssl3_check_client_certificate(s)) { in tls_prepare_client_certificate()
3728 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in tls_prepare_client_certificate()
3741 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3742 * return(-1); We then get retied later in tls_prepare_client_certificate()
3744 i = ssl_do_client_cert_cb(s, &x509, &pkey); in tls_prepare_client_certificate()
3746 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3749 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3761 if (i && !ssl3_check_client_certificate(s)) in tls_prepare_client_certificate()
3764 if (s->version == SSL3_VERSION) { in tls_prepare_client_certificate()
3765 s->s3.tmp.cert_req = 0; in tls_prepare_client_certificate()
3766 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); in tls_prepare_client_certificate()
3769 s->s3.tmp.cert_req = 2; in tls_prepare_client_certificate()
3770 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; in tls_prepare_client_certificate()
3771 if (!ssl3_digest_cached_records(s, 0)) { in tls_prepare_client_certificate()
3778 if (!SSL_CONNECTION_IS_TLS13(s) in tls_prepare_client_certificate()
3779 || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) in tls_prepare_client_certificate()
3780 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; in tls_prepare_client_certificate()
3782 if (s->post_handshake_auth == SSL_PHA_REQUESTED) in tls_prepare_client_certificate()
3788 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_prepare_client_certificate()
3792 CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, in tls_construct_client_certificate() argument
3796 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_construct_client_certificate()
3798 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_construct_client_certificate()
3799 if (s->pha_context == NULL) { in tls_construct_client_certificate()
3800 /* no context available, add 0-length context */ in tls_construct_client_certificate()
3802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3805 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { in tls_construct_client_certificate()
3806 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3810 if (s->s3.tmp.cert_req != 2) in tls_construct_client_certificate()
3811 cpk = s->cert->key; in tls_construct_client_certificate()
3812 switch (s->ext.client_cert_type) { in tls_construct_client_certificate()
3814 if (!tls_output_rpk(s, pkt, cpk)) { in tls_construct_client_certificate()
3820 if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) { in tls_construct_client_certificate()
3826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3835 if (SSL_CONNECTION_IS_TLS13(s) in tls_construct_client_certificate()
3836 && !SSL_IS_QUIC_HANDSHAKE(s) in tls_construct_client_certificate()
3837 && SSL_IS_FIRST_HANDSHAKE(s) in tls_construct_client_certificate()
3838 && (s->early_data_state != SSL_EARLY_DATA_NONE in tls_construct_client_certificate()
3839 || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) in tls_construct_client_certificate()
3840 && (!ssl->method->ssl3_enc->change_cipher_state(s, in tls_construct_client_certificate()
3846 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); in tls_construct_client_certificate()
3866 int alg = sc->ext.compress_certificate_from_peer[0]; in tls_construct_client_compressed_certificate()
3868 /* Note that sc->s3.tmp.cert_req == 2 is checked in write transition */ in tls_construct_client_compressed_certificate()
3873 /* Use the |tmppkt| for the to-be-compressed data */ in tls_construct_client_compressed_certificate()
3874 if (sc->pha_context == NULL) { in tls_construct_client_compressed_certificate()
3875 /* no context available, add 0-length context */ in tls_construct_client_compressed_certificate()
3878 } else if (!WPACKET_sub_memcpy_u8(&tmppkt, sc->pha_context, sc->pha_context_len)) in tls_construct_client_compressed_certificate()
3881 if (!ssl3_output_cert_chain(sc, &tmppkt, sc->cert->key, 0)) { in tls_construct_client_compressed_certificate()
3913 (unsigned char *)buf->data, length); in tls_construct_client_compressed_certificate()
3928 && (sc->early_data_state != SSL_EARLY_DATA_NONE in tls_construct_client_compressed_certificate()
3929 || (sc->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) in tls_construct_client_compressed_certificate()
3930 && (!ssl->method->ssl3_enc->change_cipher_state(sc, in tls_construct_client_compressed_certificate()
3933 * This is a fatal error, which leaves sc->enc_write_ctx in an in tls_construct_client_compressed_certificate()
3955 int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s) in ssl3_check_cert_and_algorithm() argument
3962 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in ssl3_check_cert_and_algorithm()
3963 alg_a = s->s3.tmp.new_cipher->algorithm_auth; in ssl3_check_cert_and_algorithm()
3970 pkey = tls_get_peer_pkey(s); in ssl3_check_cert_and_algorithm()
3971 clu = ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)); in ssl3_check_cert_and_algorithm()
3974 if (clu == NULL || (alg_a & clu->amask) == 0) { in ssl3_check_cert_and_algorithm()
3975 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT); in ssl3_check_cert_and_algorithm()
3980 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in ssl3_check_cert_and_algorithm()
3985 if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { in ssl3_check_cert_and_algorithm()
3986 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl3_check_cert_and_algorithm()
3991 if (s->session->peer_rpk != NULL) in ssl3_check_cert_and_algorithm()
3994 if (clu->amask & SSL_aECDSA) { in ssl3_check_cert_and_algorithm()
3995 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) in ssl3_check_cert_and_algorithm()
3997 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); in ssl3_check_cert_and_algorithm()
4005 CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_next_proto() argument
4010 len = s->ext.npn_len; in tls_construct_next_proto()
4011 padding_len = 32 - ((len + 2) % 32); in tls_construct_next_proto()
4013 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) in tls_construct_next_proto()
4015 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_next_proto()
4025 MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt) in tls_process_hello_req() argument
4027 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_process_hello_req()
4031 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_hello_req()
4035 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { in tls_process_hello_req()
4036 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); in tls_process_hello_req()
4047 if (SSL_CONNECTION_IS_DTLS(s)) in tls_process_hello_req()
4055 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s, in tls_process_encrypted_extensions() argument
4063 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_encrypted_extensions()
4067 if (!tls_collect_extensions(s, &extensions, in tls_process_encrypted_extensions()
4070 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, in tls_process_encrypted_extensions()
4084 int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey) in ssl_do_client_cert_cb() argument
4087 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in ssl_do_client_cert_cb()
4090 if (sctx->client_cert_engine) { in ssl_do_client_cert_cb()
4091 i = tls_engine_load_ssl_client_cert(s, px509, ppkey); in ssl_do_client_cert_cb()
4096 if (sctx->client_cert_cb) in ssl_do_client_cert_cb()
4097 i = sctx->client_cert_cb(SSL_CONNECTION_GET_USER_SSL(s), px509, ppkey); in ssl_do_client_cert_cb()
4101 int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, in ssl_cipher_list_to_bytes() argument
4106 int empty_reneg_info_scsv = !s->renegotiate in ssl_cipher_list_to_bytes()
4107 && !SSL_CONNECTION_IS_DTLS(s) in ssl_cipher_list_to_bytes()
4108 && ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) in ssl_cipher_list_to_bytes()
4109 && s->min_proto_version <= TLS1_VERSION; in ssl_cipher_list_to_bytes()
4110 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in ssl_cipher_list_to_bytes()
4113 if (!ssl_set_client_disabled(s)) { in ssl_cipher_list_to_bytes()
4114 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE); in ssl_cipher_list_to_bytes()
4119 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4140 maxlen -= 2; in ssl_cipher_list_to_bytes()
4141 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) in ssl_cipher_list_to_bytes()
4142 maxlen -= 2; in ssl_cipher_list_to_bytes()
4149 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) in ssl_cipher_list_to_bytes()
4152 if (!ssl->method->put_cipher_by_char(c, pkt, &len)) { in ssl_cipher_list_to_bytes()
4153 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4159 int minproto = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls; in ssl_cipher_list_to_bytes()
4160 int maxproto = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; in ssl_cipher_list_to_bytes()
4162 if (ssl_version_cmp(s, maxproto, s->s3.tmp.max_ver) >= 0 in ssl_cipher_list_to_bytes()
4163 && ssl_version_cmp(s, minproto, s->s3.tmp.max_ver) <= 0) in ssl_cipher_list_to_bytes()
4176 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE, in ssl_cipher_list_to_bytes()
4186 if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) { in ssl_cipher_list_to_bytes()
4187 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4191 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { in ssl_cipher_list_to_bytes()
4195 if (!ssl->method->put_cipher_by_char(&scsv, pkt, &len)) { in ssl_cipher_list_to_bytes()
4196 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4205 CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_end_of_early_data() argument
4207 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY in tls_construct_end_of_early_data()
4208 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { in tls_construct_end_of_early_data()
4209 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); in tls_construct_end_of_early_data()
4213 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; in tls_construct_end_of_early_data()