Lines Matching +full:- +full:s
2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
46 static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt);
52 * The current state is in |s->statem.hand_state|.
57 static int ossl_statem_server13_read_transition(SSL *s, int mt) in ossl_statem_server13_read_transition() argument
59 OSSL_STATEM *st = &s->statem; in ossl_statem_server13_read_transition()
66 switch (st->hand_state) { in ossl_statem_server13_read_transition()
71 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_server13_read_transition()
73 st->hand_state = TLS_ST_SR_CLNT_HELLO; in ossl_statem_server13_read_transition()
77 } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { in ossl_statem_server13_read_transition()
79 st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA; in ossl_statem_server13_read_transition()
88 if (s->s3.tmp.cert_request) { in ossl_statem_server13_read_transition()
90 st->hand_state = TLS_ST_SR_CERT; in ossl_statem_server13_read_transition()
95 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server13_read_transition()
102 if (s->session->peer == NULL) { in ossl_statem_server13_read_transition()
104 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server13_read_transition()
109 st->hand_state = TLS_ST_SR_CERT_VRFY; in ossl_statem_server13_read_transition()
117 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server13_read_transition()
127 if (s->early_data_state == SSL_EARLY_DATA_READING) in ossl_statem_server13_read_transition()
131 && s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_server13_read_transition()
132 st->hand_state = TLS_ST_SR_CERT; in ossl_statem_server13_read_transition()
137 st->hand_state = TLS_ST_SR_KEY_UPDATE; in ossl_statem_server13_read_transition()
151 * current state is in |s->statem.hand_state|.
156 int ossl_statem_server_read_transition(SSL *s, int mt) in ossl_statem_server_read_transition() argument
158 OSSL_STATEM *st = &s->statem; in ossl_statem_server_read_transition()
160 if (SSL_IS_TLS13(s)) { in ossl_statem_server_read_transition()
161 if (!ossl_statem_server13_read_transition(s, mt)) in ossl_statem_server_read_transition()
166 switch (st->hand_state) { in ossl_statem_server_read_transition()
174 st->hand_state = TLS_ST_SR_CLNT_HELLO; in ossl_statem_server_read_transition()
191 if (s->s3.tmp.cert_request) { in ossl_statem_server_read_transition()
192 if (s->version == SSL3_VERSION) { in ossl_statem_server_read_transition()
193 if ((s->verify_mode & SSL_VERIFY_PEER) in ossl_statem_server_read_transition()
194 && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { in ossl_statem_server_read_transition()
196 * This isn't an unexpected message as such - we're just in ossl_statem_server_read_transition()
200 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in ossl_statem_server_read_transition()
204 st->hand_state = TLS_ST_SR_KEY_EXCH; in ossl_statem_server_read_transition()
208 st->hand_state = TLS_ST_SR_KEY_EXCH; in ossl_statem_server_read_transition()
211 } else if (s->s3.tmp.cert_request) { in ossl_statem_server_read_transition()
213 st->hand_state = TLS_ST_SR_CERT; in ossl_statem_server_read_transition()
221 st->hand_state = TLS_ST_SR_KEY_EXCH; in ossl_statem_server_read_transition()
229 * received a Certificate from the client. If so then |s->session->peer| in ossl_statem_server_read_transition()
232 * the case of static DH). In that case |st->no_cert_verify| should be in ossl_statem_server_read_transition()
235 if (s->session->peer == NULL || st->no_cert_verify) { in ossl_statem_server_read_transition()
243 st->hand_state = TLS_ST_SR_CHANGE; in ossl_statem_server_read_transition()
248 st->hand_state = TLS_ST_SR_CERT_VRFY; in ossl_statem_server_read_transition()
256 st->hand_state = TLS_ST_SR_CHANGE; in ossl_statem_server_read_transition()
263 if (s->s3.npn_seen) { in ossl_statem_server_read_transition()
265 st->hand_state = TLS_ST_SR_NEXT_PROTO; in ossl_statem_server_read_transition()
271 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server_read_transition()
282 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server_read_transition()
290 st->hand_state = TLS_ST_SR_CHANGE; in ossl_statem_server_read_transition()
298 if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { in ossl_statem_server_read_transition()
303 * because of an out-of-order CCS. We'll just drop it. in ossl_statem_server_read_transition()
305 s->init_num = 0; in ossl_statem_server_read_transition()
306 s->rwstate = SSL_READING; in ossl_statem_server_read_transition()
307 rbio = SSL_get_rbio(s); in ossl_statem_server_read_transition()
312 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in ossl_statem_server_read_transition()
323 static int send_server_key_exchange(SSL *s) in send_server_key_exchange() argument
325 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in send_server_key_exchange()
331 * the cipher suite is either ECDH-anon or ECDHE. In other cases, in send_server_key_exchange()
332 * the server certificate contains the server's public key for in send_server_key_exchange()
343 && s->cert->psk_identity_hint) in send_server_key_exchange()
365 int send_certificate_request(SSL *s) in send_certificate_request() argument
369 s->verify_mode & SSL_VERIFY_PEER in send_certificate_request()
371 * don't request if post-handshake-only unless doing in send_certificate_request()
372 * post-handshake in TLSv1.3: in send_certificate_request()
374 && (!SSL_IS_TLS13(s) || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) in send_certificate_request()
375 || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) in send_certificate_request()
380 && (s->certreqs_sent < 1 || in send_certificate_request()
381 !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) in send_certificate_request()
387 && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL) in send_certificate_request()
393 || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) in send_certificate_request()
395 && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP) in send_certificate_request()
400 && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) { in send_certificate_request()
412 static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s) in ossl_statem_server13_write_transition() argument
414 OSSL_STATEM *st = &s->statem; in ossl_statem_server13_write_transition()
421 switch (st->hand_state) { in ossl_statem_server13_write_transition()
424 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server13_write_transition()
428 if (s->key_update != SSL_KEY_UPDATE_NONE) { in ossl_statem_server13_write_transition()
429 st->hand_state = TLS_ST_SW_KEY_UPDATE; in ossl_statem_server13_write_transition()
432 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in ossl_statem_server13_write_transition()
433 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server13_write_transition()
436 if (s->ext.extra_tickets_expected > 0) { in ossl_statem_server13_write_transition()
437 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server13_write_transition()
444 st->hand_state = TLS_ST_SW_SRVR_HELLO; in ossl_statem_server13_write_transition()
448 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_server13_write_transition()
449 && s->hello_retry_request != SSL_HRR_COMPLETE) in ossl_statem_server13_write_transition()
450 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server13_write_transition()
451 else if (s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_server13_write_transition()
452 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_server13_write_transition()
454 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; in ossl_statem_server13_write_transition()
458 if (s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_server13_write_transition()
459 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_server13_write_transition()
461 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; in ossl_statem_server13_write_transition()
465 if (s->hit) in ossl_statem_server13_write_transition()
466 st->hand_state = TLS_ST_SW_FINISHED; in ossl_statem_server13_write_transition()
467 else if (send_certificate_request(s)) in ossl_statem_server13_write_transition()
468 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server13_write_transition()
470 st->hand_state = TLS_ST_SW_CERT; in ossl_statem_server13_write_transition()
475 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in ossl_statem_server13_write_transition()
476 s->post_handshake_auth = SSL_PHA_REQUESTED; in ossl_statem_server13_write_transition()
477 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
479 st->hand_state = TLS_ST_SW_CERT; in ossl_statem_server13_write_transition()
484 st->hand_state = TLS_ST_SW_CERT_VRFY; in ossl_statem_server13_write_transition()
488 st->hand_state = TLS_ST_SW_FINISHED; in ossl_statem_server13_write_transition()
492 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_server13_write_transition()
504 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_server13_write_transition()
505 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED; in ossl_statem_server13_write_transition()
506 } else if (!s->ext.ticket_expected) { in ossl_statem_server13_write_transition()
511 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
514 if (s->num_tickets > s->sent_tickets) in ossl_statem_server13_write_transition()
515 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server13_write_transition()
517 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
522 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
530 if (!SSL_IS_FIRST_HANDSHAKE(s) && s->ext.extra_tickets_expected > 0) { in ossl_statem_server13_write_transition()
532 } else if (s->hit || s->num_tickets <= s->sent_tickets) { in ossl_statem_server13_write_transition()
534 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
544 WRITE_TRAN ossl_statem_server_write_transition(SSL *s) in ossl_statem_server_write_transition() argument
546 OSSL_STATEM *st = &s->statem; in ossl_statem_server_write_transition()
553 if (SSL_IS_TLS13(s)) in ossl_statem_server_write_transition()
554 return ossl_statem_server13_write_transition(s); in ossl_statem_server_write_transition()
556 switch (st->hand_state) { in ossl_statem_server_write_transition()
559 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_write_transition()
563 if (st->request_state == TLS_ST_SW_HELLO_REQ) { in ossl_statem_server_write_transition()
565 st->hand_state = TLS_ST_SW_HELLO_REQ; in ossl_statem_server_write_transition()
566 st->request_state = TLS_ST_BEFORE; in ossl_statem_server_write_transition()
570 if (!tls_setup_handshake(s)) { in ossl_statem_server_write_transition()
581 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
585 if (SSL_IS_DTLS(s) && !s->d1->cookie_verified in ossl_statem_server_write_transition()
586 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) { in ossl_statem_server_write_transition()
587 st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; in ossl_statem_server_write_transition()
588 } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { in ossl_statem_server_write_transition()
590 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
593 st->hand_state = TLS_ST_SW_SRVR_HELLO; in ossl_statem_server_write_transition()
601 if (s->hit) { in ossl_statem_server_write_transition()
602 if (s->ext.ticket_expected) in ossl_statem_server_write_transition()
603 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server_write_transition()
605 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server_write_transition()
609 if (!(s->s3.tmp.new_cipher->algorithm_auth & in ossl_statem_server_write_transition()
611 st->hand_state = TLS_ST_SW_CERT; in ossl_statem_server_write_transition()
612 } else if (send_server_key_exchange(s)) { in ossl_statem_server_write_transition()
613 st->hand_state = TLS_ST_SW_KEY_EXCH; in ossl_statem_server_write_transition()
614 } else if (send_certificate_request(s)) { in ossl_statem_server_write_transition()
615 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server_write_transition()
617 st->hand_state = TLS_ST_SW_SRVR_DONE; in ossl_statem_server_write_transition()
623 if (s->ext.status_expected) { in ossl_statem_server_write_transition()
624 st->hand_state = TLS_ST_SW_CERT_STATUS; in ossl_statem_server_write_transition()
630 if (send_server_key_exchange(s)) { in ossl_statem_server_write_transition()
631 st->hand_state = TLS_ST_SW_KEY_EXCH; in ossl_statem_server_write_transition()
637 if (send_certificate_request(s)) { in ossl_statem_server_write_transition()
638 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server_write_transition()
644 st->hand_state = TLS_ST_SW_SRVR_DONE; in ossl_statem_server_write_transition()
651 if (s->hit) { in ossl_statem_server_write_transition()
652 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
654 } else if (s->ext.ticket_expected) { in ossl_statem_server_write_transition()
655 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server_write_transition()
657 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server_write_transition()
662 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server_write_transition()
666 st->hand_state = TLS_ST_SW_FINISHED; in ossl_statem_server_write_transition()
670 if (s->hit) { in ossl_statem_server_write_transition()
673 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
682 WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst) in ossl_statem_server_pre_work() argument
684 OSSL_STATEM *st = &s->statem; in ossl_statem_server_pre_work()
686 switch (st->hand_state) { in ossl_statem_server_pre_work()
692 s->shutdown = 0; in ossl_statem_server_pre_work()
693 if (SSL_IS_DTLS(s)) in ossl_statem_server_pre_work()
694 dtls1_clear_sent_buffer(s); in ossl_statem_server_pre_work()
698 s->shutdown = 0; in ossl_statem_server_pre_work()
699 if (SSL_IS_DTLS(s)) { in ossl_statem_server_pre_work()
700 dtls1_clear_sent_buffer(s); in ossl_statem_server_pre_work()
702 st->use_timer = 0; in ossl_statem_server_pre_work()
707 if (SSL_IS_DTLS(s)) { in ossl_statem_server_pre_work()
712 st->use_timer = 1; in ossl_statem_server_pre_work()
718 if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) { in ossl_statem_server_pre_work()
720 return dtls_wait_for_dry(s); in ossl_statem_server_pre_work()
726 if (SSL_IS_TLS13(s) && s->sent_tickets == 0 in ossl_statem_server_pre_work()
727 && s->ext.extra_tickets_expected == 0) { in ossl_statem_server_pre_work()
735 return tls_finish_handshake(s, wst, 0, 0); in ossl_statem_server_pre_work()
737 if (SSL_IS_DTLS(s)) { in ossl_statem_server_pre_work()
742 st->use_timer = 0; in ossl_statem_server_pre_work()
747 if (SSL_IS_TLS13(s)) in ossl_statem_server_pre_work()
749 /* Writes to s->session are only safe for initial handshakes */ in ossl_statem_server_pre_work()
750 if (s->session->cipher == NULL) { in ossl_statem_server_pre_work()
751 s->session->cipher = s->s3.tmp.new_cipher; in ossl_statem_server_pre_work()
752 } else if (s->session->cipher != s->s3.tmp.new_cipher) { in ossl_statem_server_pre_work()
753 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_pre_work()
756 if (!s->method->ssl3_enc->setup_key_block(s)) { in ossl_statem_server_pre_work()
760 if (SSL_IS_DTLS(s)) { in ossl_statem_server_pre_work()
767 st->use_timer = 0; in ossl_statem_server_pre_work()
772 if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING in ossl_statem_server_pre_work()
773 && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0) in ossl_statem_server_pre_work()
779 return tls_finish_handshake(s, wst, 1, 1); in ossl_statem_server_pre_work()
809 WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst) in ossl_statem_server_post_work() argument
811 OSSL_STATEM *st = &s->statem; in ossl_statem_server_post_work()
813 s->init_num = 0; in ossl_statem_server_post_work()
815 switch (st->hand_state) { in ossl_statem_server_post_work()
821 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
823 if (!ssl3_init_finished_mac(s)) { in ossl_statem_server_post_work()
830 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
833 if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) { in ossl_statem_server_post_work()
841 s->first_packet = 1; in ossl_statem_server_post_work()
845 if (SSL_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_server_post_work()
846 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 in ossl_statem_server_post_work()
847 && statem_flush(s) != 1) in ossl_statem_server_post_work()
852 if (SSL_IS_DTLS(s) && s->hit) { in ossl_statem_server_post_work()
858 * Add new shared key for SCTP-Auth, will be ignored if no in ossl_statem_server_post_work()
865 labellen = sizeof(labelbuffer) - 1; in ossl_statem_server_post_work()
866 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in ossl_statem_server_post_work()
869 if (SSL_export_keying_material(s, sctpauthkey, in ossl_statem_server_post_work()
873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_post_work()
877 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, in ossl_statem_server_post_work()
881 if (!SSL_IS_TLS13(s) in ossl_statem_server_post_work()
882 || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_server_post_work()
883 && s->hello_retry_request != SSL_HRR_COMPLETE)) in ossl_statem_server_post_work()
888 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_server_post_work()
889 if (!statem_flush(s)) in ossl_statem_server_post_work()
894 if (SSL_IS_TLS13(s)) { in ossl_statem_server_post_work()
895 if (!s->method->ssl3_enc->setup_key_block(s) in ossl_statem_server_post_work()
896 || !s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
902 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED in ossl_statem_server_post_work()
903 && !s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
913 s->statem.enc_read_state = ENC_READ_STATE_ALLOW_PLAIN_ALERTS; in ossl_statem_server_post_work()
918 if (SSL_IS_DTLS(s) && !s->hit) { in ossl_statem_server_post_work()
920 * Change to new shared key of SCTP-Auth, will be ignored if in ossl_statem_server_post_work()
923 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, in ossl_statem_server_post_work()
927 if (!s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
934 if (SSL_IS_DTLS(s)) in ossl_statem_server_post_work()
935 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); in ossl_statem_server_post_work()
939 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
944 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
947 if (SSL_IS_DTLS(s) && s->hit) { in ossl_statem_server_post_work()
949 * Change to new shared key of SCTP-Auth, will be ignored if in ossl_statem_server_post_work()
952 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, in ossl_statem_server_post_work()
956 if (SSL_IS_TLS13(s)) { in ossl_statem_server_post_work()
959 if (!s->method->ssl3_enc->generate_master_secret(s, in ossl_statem_server_post_work()
960 s->master_secret, s->handshake_secret, 0, in ossl_statem_server_post_work()
962 || !s->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
970 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in ossl_statem_server_post_work()
971 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
977 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
979 if (!tls13_update_key(s, 1)) { in ossl_statem_server_post_work()
987 if (SSL_IS_TLS13(s) && statem_flush(s) != 1) { in ossl_statem_server_post_work()
988 if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL in ossl_statem_server_post_work()
995 * waiting to read our post-handshake NewSessionTickets. in ossl_statem_server_post_work()
997 s->rwstate = SSL_NOTHING; in ossl_statem_server_post_work()
1017 int ossl_statem_server_construct_message(SSL *s, WPACKET *pkt, in ossl_statem_server_construct_message() argument
1020 OSSL_STATEM *st = &s->statem; in ossl_statem_server_construct_message()
1022 switch (st->hand_state) { in ossl_statem_server_construct_message()
1025 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in ossl_statem_server_construct_message()
1029 if (SSL_IS_DTLS(s)) in ossl_statem_server_construct_message()
1121 * 2^16-2 + # maximum length of cipher suites array
1123 * 2^8-1 + # maximum length of compression methods
1125 * 2^16-1 # maximum length of extensions
1136 size_t ossl_statem_server_max_message_size(SSL *s) in ossl_statem_server_max_message_size() argument
1138 OSSL_STATEM *st = &s->statem; in ossl_statem_server_max_message_size()
1140 switch (st->hand_state) { in ossl_statem_server_max_message_size()
1152 return s->max_cert_list; in ossl_statem_server_max_message_size()
1179 MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL *s, PACKET *pkt) in ossl_statem_server_process_message() argument
1181 OSSL_STATEM *st = &s->statem; in ossl_statem_server_process_message()
1183 switch (st->hand_state) { in ossl_statem_server_process_message()
1186 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_process_message()
1190 return tls_process_client_hello(s, pkt); in ossl_statem_server_process_message()
1193 return tls_process_end_of_early_data(s, pkt); in ossl_statem_server_process_message()
1196 return tls_process_client_certificate(s, pkt); in ossl_statem_server_process_message()
1199 return tls_process_client_key_exchange(s, pkt); in ossl_statem_server_process_message()
1202 return tls_process_cert_verify(s, pkt); in ossl_statem_server_process_message()
1206 return tls_process_next_proto(s, pkt); in ossl_statem_server_process_message()
1210 return tls_process_change_cipher_spec(s, pkt); in ossl_statem_server_process_message()
1213 return tls_process_finished(s, pkt); in ossl_statem_server_process_message()
1216 return tls_process_key_update(s, pkt); in ossl_statem_server_process_message()
1225 WORK_STATE ossl_statem_server_post_process_message(SSL *s, WORK_STATE wst) in ossl_statem_server_post_process_message() argument
1227 OSSL_STATEM *st = &s->statem; in ossl_statem_server_post_process_message()
1229 switch (st->hand_state) { in ossl_statem_server_post_process_message()
1232 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_post_process_message()
1236 return tls_post_process_client_hello(s, wst); in ossl_statem_server_post_process_message()
1239 return tls_post_process_client_key_exchange(s, wst); in ossl_statem_server_post_process_message()
1244 /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
1245 static int ssl_check_srp_ext_ClientHello(SSL *s) in ssl_check_srp_ext_ClientHello() argument
1250 if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) && in ssl_check_srp_ext_ClientHello()
1251 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { in ssl_check_srp_ext_ClientHello()
1252 if (s->srp_ctx.login == NULL) { in ssl_check_srp_ext_ClientHello()
1257 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, in ssl_check_srp_ext_ClientHello()
1259 return -1; in ssl_check_srp_ext_ClientHello()
1261 ret = ssl_srp_server_param_with_username_intern(s, &al); in ssl_check_srp_ext_ClientHello()
1265 SSLfatal(s, al, in ssl_check_srp_ext_ClientHello()
1269 return -1; in ssl_check_srp_ext_ClientHello()
1288 int dtls_construct_hello_verify_request(SSL *s, WPACKET *pkt) in dtls_construct_hello_verify_request() argument
1291 if (s->ctx->app_gen_cookie_cb == NULL || in dtls_construct_hello_verify_request()
1292 s->ctx->app_gen_cookie_cb(s, s->d1->cookie, in dtls_construct_hello_verify_request()
1295 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); in dtls_construct_hello_verify_request()
1298 s->d1->cookie_len = cookie_leni; in dtls_construct_hello_verify_request()
1300 if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, in dtls_construct_hello_verify_request()
1301 s->d1->cookie_len)) { in dtls_construct_hello_verify_request()
1302 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); in dtls_construct_hello_verify_request()
1309 /*-
1318 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1319 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1323 static void ssl_check_for_safari(SSL *s, const CLIENTHELLO_MSG *hello) in ssl_check_for_safari() argument
1329 0x00, 0x17, /* P-256 */ in ssl_check_for_safari()
1330 0x00, 0x18, /* P-384 */ in ssl_check_for_safari()
1331 0x00, 0x19, /* P-521 */ in ssl_check_for_safari()
1341 0x05, 0x01, /* SHA-384/RSA */ in ssl_check_for_safari()
1342 0x04, 0x01, /* SHA-256/RSA */ in ssl_check_for_safari()
1343 0x02, 0x01, /* SHA-1/RSA */ in ssl_check_for_safari()
1344 0x04, 0x03, /* SHA-256/ECDSA */ in ssl_check_for_safari()
1345 0x02, 0x03, /* SHA-1/ECDSA */ in ssl_check_for_safari()
1353 tmppkt = hello->extensions; in ssl_check_for_safari()
1364 ext_len = TLS1_get_client_version(s) >= TLS1_2_VERSION ? in ssl_check_for_safari()
1367 s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, in ssl_check_for_safari()
1375 MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt) in tls_process_client_hello() argument
1383 if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { in tls_process_client_hello()
1384 if (!ossl_assert(!SSL_IS_TLS13(s))) { in tls_process_client_hello()
1385 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1388 if (!RENEG_OPTIONS_OK(s->options) in tls_process_client_hello()
1389 || (!s->s3.send_connection_binding in tls_process_client_hello()
1390 && (s->options in tls_process_client_hello()
1392 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); in tls_process_client_hello()
1395 s->renegotiate = 1; in tls_process_client_hello()
1396 s->new_session = 1; in tls_process_client_hello()
1401 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1408 clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); in tls_process_client_hello()
1411 if (clienthello->isv2) { in tls_process_client_hello()
1414 if (!SSL_IS_FIRST_HANDSHAKE(s) in tls_process_client_hello()
1415 || s->hello_retry_request != SSL_HRR_NONE) { in tls_process_client_hello()
1416 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_client_hello()
1420 /*- in tls_process_client_hello()
1421 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 in tls_process_client_hello()
1426 * 0-1 msg_length - decoded by the record layer in tls_process_client_hello()
1427 * 2 msg_type - s->init_msg points here in tls_process_client_hello()
1428 * 3-4 version in tls_process_client_hello()
1429 * 5-6 cipher_spec_length in tls_process_client_hello()
1430 * 7-8 session_id_length in tls_process_client_hello()
1431 * 9-10 challenge_length in tls_process_client_hello()
1442 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1447 if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { in tls_process_client_hello()
1448 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_client_hello()
1453 if (clienthello->isv2) { in tls_process_client_hello()
1465 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH); in tls_process_client_hello()
1470 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1474 if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, in tls_process_client_hello()
1476 || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len) in tls_process_client_hello()
1480 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH); in tls_process_client_hello()
1483 clienthello->session_id_len = session_id_len; in tls_process_client_hello()
1486 * here rather than sizeof(clienthello->random) because that is the limit in tls_process_client_hello()
1488 * sizeof(clienthello->random) does. in tls_process_client_hello()
1492 memset(clienthello->random, 0, SSL3_RANDOM_SIZE); in tls_process_client_hello()
1494 clienthello->random + SSL3_RANDOM_SIZE - in tls_process_client_hello()
1498 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1502 PACKET_null_init(&clienthello->extensions); in tls_process_client_hello()
1505 if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE) in tls_process_client_hello()
1507 || !PACKET_copy_all(&session_id, clienthello->session_id, in tls_process_client_hello()
1509 &clienthello->session_id_len)) { in tls_process_client_hello()
1510 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1514 if (SSL_IS_DTLS(s)) { in tls_process_client_hello()
1516 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1519 if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, in tls_process_client_hello()
1521 &clienthello->dtls_cookie_len)) { in tls_process_client_hello()
1522 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1530 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { in tls_process_client_hello()
1531 if (clienthello->dtls_cookie_len == 0) { in tls_process_client_hello()
1538 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { in tls_process_client_hello()
1539 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1544 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1550 PACKET_null_init(&clienthello->extensions); in tls_process_client_hello()
1552 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions) in tls_process_client_hello()
1554 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1560 if (!PACKET_copy_all(&compression, clienthello->compressions, in tls_process_client_hello()
1562 &clienthello->compressions_len)) { in tls_process_client_hello()
1563 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1568 extensions = clienthello->extensions; in tls_process_client_hello()
1569 if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO, in tls_process_client_hello()
1570 &clienthello->pre_proc_exts, in tls_process_client_hello()
1571 &clienthello->pre_proc_exts_len, 1)) { in tls_process_client_hello()
1575 s->clienthello = clienthello; in tls_process_client_hello()
1581 OPENSSL_free(clienthello->pre_proc_exts); in tls_process_client_hello()
1587 static int tls_early_post_process_client_hello(SSL *s) in tls_early_post_process_client_hello() argument
1600 CLIENTHELLO_MSG *clienthello = s->clienthello; in tls_early_post_process_client_hello()
1605 if (s->ctx->client_hello_cb != NULL) { in tls_early_post_process_client_hello()
1607 switch (s->ctx->client_hello_cb(s, &al, s->ctx->client_hello_cb_arg)) { in tls_early_post_process_client_hello()
1611 s->rwstate = SSL_CLIENT_HELLO_CB; in tls_early_post_process_client_hello()
1612 return -1; in tls_early_post_process_client_hello()
1615 SSLfatal(s, al, SSL_R_CALLBACK_FAILED); in tls_early_post_process_client_hello()
1621 memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE); in tls_early_post_process_client_hello()
1625 if (clienthello->isv2) { in tls_early_post_process_client_hello()
1626 if (clienthello->legacy_version == SSL2_VERSION in tls_early_post_process_client_hello()
1627 || (clienthello->legacy_version & 0xff00) in tls_early_post_process_client_hello()
1633 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNKNOWN_PROTOCOL); in tls_early_post_process_client_hello()
1637 s->client_version = clienthello->legacy_version; in tls_early_post_process_client_hello()
1643 if (!SSL_IS_DTLS(s)) { in tls_early_post_process_client_hello()
1644 protverr = ssl_choose_server_version(s, clienthello, &dgrd); in tls_early_post_process_client_hello()
1645 } else if (s->method->version != DTLS_ANY_VERSION && in tls_early_post_process_client_hello()
1646 DTLS_VERSION_LT((int)clienthello->legacy_version, s->version)) { in tls_early_post_process_client_hello()
1653 if (SSL_IS_FIRST_HANDSHAKE(s)) { in tls_early_post_process_client_hello()
1655 s->version = s->client_version = clienthello->legacy_version; in tls_early_post_process_client_hello()
1657 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr); in tls_early_post_process_client_hello()
1662 if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_early_post_process_client_hello()
1663 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); in tls_early_post_process_client_hello()
1667 if (SSL_IS_DTLS(s)) { in tls_early_post_process_client_hello()
1669 if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { in tls_early_post_process_client_hello()
1670 if (s->ctx->app_verify_cookie_cb != NULL) { in tls_early_post_process_client_hello()
1671 if (s->ctx->app_verify_cookie_cb(s, clienthello->dtls_cookie, in tls_early_post_process_client_hello()
1672 clienthello->dtls_cookie_len) == 0) { in tls_early_post_process_client_hello()
1673 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
1679 } else if (s->d1->cookie_len != clienthello->dtls_cookie_len in tls_early_post_process_client_hello()
1680 || memcmp(clienthello->dtls_cookie, s->d1->cookie, in tls_early_post_process_client_hello()
1681 s->d1->cookie_len) != 0) { in tls_early_post_process_client_hello()
1682 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH); in tls_early_post_process_client_hello()
1685 s->d1->cookie_verified = 1; in tls_early_post_process_client_hello()
1687 if (s->method->version == DTLS_ANY_VERSION) { in tls_early_post_process_client_hello()
1688 protverr = ssl_choose_server_version(s, clienthello, &dgrd); in tls_early_post_process_client_hello()
1690 s->version = s->client_version; in tls_early_post_process_client_hello()
1691 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr); in tls_early_post_process_client_hello()
1697 s->hit = 0; in tls_early_post_process_client_hello()
1699 if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, in tls_early_post_process_client_hello()
1700 clienthello->isv2) || in tls_early_post_process_client_hello()
1701 !bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, &scsvs, in tls_early_post_process_client_hello()
1702 clienthello->isv2, 1)) { in tls_early_post_process_client_hello()
1707 s->s3.send_connection_binding = 0; in tls_early_post_process_client_hello()
1708 /* Check what signalling cipher-suite values were received. */ in tls_early_post_process_client_hello()
1713 if (s->renegotiate) { in tls_early_post_process_client_hello()
1715 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
1719 s->s3.send_connection_binding = 1; in tls_early_post_process_client_hello()
1721 !ssl_check_version_downgrade(s)) { in tls_early_post_process_client_hello()
1729 SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK, in tls_early_post_process_client_hello()
1737 if (SSL_IS_TLS13(s)) { in tls_early_post_process_client_hello()
1739 ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); in tls_early_post_process_client_hello()
1742 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); in tls_early_post_process_client_hello()
1745 if (s->hello_retry_request == SSL_HRR_PENDING in tls_early_post_process_client_hello()
1746 && (s->s3.tmp.new_cipher == NULL in tls_early_post_process_client_hello()
1747 || s->s3.tmp.new_cipher->id != cipher->id)) { in tls_early_post_process_client_hello()
1752 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER); in tls_early_post_process_client_hello()
1755 s->s3.tmp.new_cipher = cipher; in tls_early_post_process_client_hello()
1759 if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, in tls_early_post_process_client_hello()
1761 clienthello->pre_proc_exts, NULL, 0)) { in tls_early_post_process_client_hello()
1773 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather in tls_early_post_process_client_hello()
1777 * request renegotiation but not a new session (s->new_session remains in tls_early_post_process_client_hello()
1782 if (clienthello->isv2 || in tls_early_post_process_client_hello()
1783 (s->new_session && in tls_early_post_process_client_hello()
1784 (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { in tls_early_post_process_client_hello()
1785 if (!ssl_get_new_session(s, 1)) { in tls_early_post_process_client_hello()
1790 i = ssl_get_prev_session(s, clienthello); in tls_early_post_process_client_hello()
1793 s->hit = 1; in tls_early_post_process_client_hello()
1794 } else if (i == -1) { in tls_early_post_process_client_hello()
1799 if (!ssl_get_new_session(s, 1)) { in tls_early_post_process_client_hello()
1806 if (SSL_IS_TLS13(s)) { in tls_early_post_process_client_hello()
1807 memcpy(s->tmp_session_id, s->clienthello->session_id, in tls_early_post_process_client_hello()
1808 s->clienthello->session_id_len); in tls_early_post_process_client_hello()
1809 s->tmp_session_id_len = s->clienthello->session_id_len; in tls_early_post_process_client_hello()
1816 if (!SSL_IS_TLS13(s) && s->hit) { in tls_early_post_process_client_hello()
1818 id = s->session->cipher->id; in tls_early_post_process_client_hello()
1827 BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i, in tls_early_post_process_client_hello()
1829 if (c->id == id) { in tls_early_post_process_client_hello()
1839 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_early_post_process_client_hello()
1847 for (loop = 0; loop < clienthello->compressions_len; loop++) { in tls_early_post_process_client_hello()
1848 if (clienthello->compressions[loop] == 0) in tls_early_post_process_client_hello()
1852 if (loop >= clienthello->compressions_len) { in tls_early_post_process_client_hello()
1854 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_COMPRESSION_SPECIFIED); in tls_early_post_process_client_hello()
1858 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) in tls_early_post_process_client_hello()
1859 ssl_check_for_safari(s, clienthello); in tls_early_post_process_client_hello()
1862 if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, in tls_early_post_process_client_hello()
1863 clienthello->pre_proc_exts, NULL, 0, 1)) { in tls_early_post_process_client_hello()
1869 * Check if we want to use external pre-shared secret for this handshake in tls_early_post_process_client_hello()
1876 pos = s->s3.server_random; in tls_early_post_process_client_hello()
1877 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) { in tls_early_post_process_client_hello()
1878 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_early_post_process_client_hello()
1883 if (!s->hit in tls_early_post_process_client_hello()
1884 && s->version >= TLS1_VERSION in tls_early_post_process_client_hello()
1885 && !SSL_IS_TLS13(s) in tls_early_post_process_client_hello()
1886 && !SSL_IS_DTLS(s) in tls_early_post_process_client_hello()
1887 && s->ext.session_secret_cb) { in tls_early_post_process_client_hello()
1890 * s->session->master_key_length is a size_t, but this is an int for in tls_early_post_process_client_hello()
1895 master_key_length = sizeof(s->session->master_key); in tls_early_post_process_client_hello()
1896 if (s->ext.session_secret_cb(s, s->session->master_key, in tls_early_post_process_client_hello()
1899 s->ext.session_secret_cb_arg) in tls_early_post_process_client_hello()
1901 s->session->master_key_length = master_key_length; in tls_early_post_process_client_hello()
1902 s->hit = 1; in tls_early_post_process_client_hello()
1903 s->peer_ciphers = ciphers; in tls_early_post_process_client_hello()
1904 s->session->verify_result = X509_V_OK; in tls_early_post_process_client_hello()
1910 pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers, in tls_early_post_process_client_hello()
1911 SSL_get_ciphers(s)); in tls_early_post_process_client_hello()
1913 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); in tls_early_post_process_client_hello()
1917 s->session->cipher = pref_cipher; in tls_early_post_process_client_hello()
1918 sk_SSL_CIPHER_free(s->cipher_list); in tls_early_post_process_client_hello()
1919 s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers); in tls_early_post_process_client_hello()
1920 sk_SSL_CIPHER_free(s->cipher_list_by_id); in tls_early_post_process_client_hello()
1921 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers); in tls_early_post_process_client_hello()
1927 * options, we will now look for them. We have complen-1 compression in tls_early_post_process_client_hello()
1930 s->s3.tmp.new_compression = NULL; in tls_early_post_process_client_hello()
1931 if (SSL_IS_TLS13(s)) { in tls_early_post_process_client_hello()
1937 if (clienthello->compressions_len != 1) { in tls_early_post_process_client_hello()
1938 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_early_post_process_client_hello()
1945 else if (s->session->compress_meth != 0) { in tls_early_post_process_client_hello()
1946 int m, comp_id = s->session->compress_meth; in tls_early_post_process_client_hello()
1950 if (!ssl_allow_compression(s)) { in tls_early_post_process_client_hello()
1951 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
1956 for (m = 0; m < sk_SSL_COMP_num(s->ctx->comp_methods); m++) { in tls_early_post_process_client_hello()
1957 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); in tls_early_post_process_client_hello()
1958 if (comp_id == comp->id) { in tls_early_post_process_client_hello()
1959 s->s3.tmp.new_compression = comp; in tls_early_post_process_client_hello()
1963 if (s->s3.tmp.new_compression == NULL) { in tls_early_post_process_client_hello()
1964 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
1969 for (k = 0; k < clienthello->compressions_len; k++) { in tls_early_post_process_client_hello()
1970 if (clienthello->compressions[k] == comp_id) in tls_early_post_process_client_hello()
1973 if (k >= clienthello->compressions_len) { in tls_early_post_process_client_hello()
1974 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_early_post_process_client_hello()
1978 } else if (s->hit) { in tls_early_post_process_client_hello()
1980 } else if (ssl_allow_compression(s) && s->ctx->comp_methods) { in tls_early_post_process_client_hello()
1985 nn = sk_SSL_COMP_num(s->ctx->comp_methods); in tls_early_post_process_client_hello()
1987 comp = sk_SSL_COMP_value(s->ctx->comp_methods, m); in tls_early_post_process_client_hello()
1988 v = comp->id; in tls_early_post_process_client_hello()
1989 for (o = 0; o < clienthello->compressions_len; o++) { in tls_early_post_process_client_hello()
1990 if (v == clienthello->compressions[o]) { in tls_early_post_process_client_hello()
1999 s->s3.tmp.new_compression = comp; in tls_early_post_process_client_hello()
2008 if (s->session->compress_meth != 0) { in tls_early_post_process_client_hello()
2009 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); in tls_early_post_process_client_hello()
2015 * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher in tls_early_post_process_client_hello()
2018 if (!s->hit || SSL_IS_TLS13(s)) { in tls_early_post_process_client_hello()
2019 sk_SSL_CIPHER_free(s->peer_ciphers); in tls_early_post_process_client_hello()
2020 s->peer_ciphers = ciphers; in tls_early_post_process_client_hello()
2022 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_early_post_process_client_hello()
2028 if (!s->hit) { in tls_early_post_process_client_hello()
2030 s->session->compress_meth = 0; in tls_early_post_process_client_hello()
2032 s->session->compress_meth = (comp == NULL) ? 0 : comp->id; in tls_early_post_process_client_hello()
2034 if (!tls1_set_server_sigalgs(s)) { in tls_early_post_process_client_hello()
2042 OPENSSL_free(clienthello->pre_proc_exts); in tls_early_post_process_client_hello()
2043 OPENSSL_free(s->clienthello); in tls_early_post_process_client_hello()
2044 s->clienthello = NULL; in tls_early_post_process_client_hello()
2049 OPENSSL_free(clienthello->pre_proc_exts); in tls_early_post_process_client_hello()
2050 OPENSSL_free(s->clienthello); in tls_early_post_process_client_hello()
2051 s->clienthello = NULL; in tls_early_post_process_client_hello()
2060 static int tls_handle_status_request(SSL *s) in tls_handle_status_request() argument
2062 s->ext.status_expected = 0; in tls_handle_status_request()
2070 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL in tls_handle_status_request()
2071 && s->ctx->ext.status_cb != NULL) { in tls_handle_status_request()
2075 if (s->s3.tmp.cert != NULL) { in tls_handle_status_request()
2080 s->cert->key = s->s3.tmp.cert; in tls_handle_status_request()
2081 ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg); in tls_handle_status_request()
2085 s->ext.status_expected = 0; in tls_handle_status_request()
2089 if (s->ext.ocsp.resp) in tls_handle_status_request()
2090 s->ext.status_expected = 1; in tls_handle_status_request()
2095 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CLIENTHELLO_TLSEXT); in tls_handle_status_request()
2108 int tls_handle_alpn(SSL *s) in tls_handle_alpn() argument
2113 if (s->ctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) { in tls_handle_alpn()
2114 int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len, in tls_handle_alpn()
2115 s->s3.alpn_proposed, in tls_handle_alpn()
2116 (unsigned int)s->s3.alpn_proposed_len, in tls_handle_alpn()
2117 s->ctx->ext.alpn_select_cb_arg); in tls_handle_alpn()
2120 OPENSSL_free(s->s3.alpn_selected); in tls_handle_alpn()
2121 s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len); in tls_handle_alpn()
2122 if (s->s3.alpn_selected == NULL) { in tls_handle_alpn()
2123 s->s3.alpn_selected_len = 0; in tls_handle_alpn()
2124 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_handle_alpn()
2127 s->s3.alpn_selected_len = selected_len; in tls_handle_alpn()
2130 s->s3.npn_seen = 0; in tls_handle_alpn()
2134 if (s->session->ext.alpn_selected == NULL in tls_handle_alpn()
2135 || selected_len != s->session->ext.alpn_selected_len in tls_handle_alpn()
2136 || memcmp(selected, s->session->ext.alpn_selected, in tls_handle_alpn()
2139 s->ext.early_data_ok = 0; in tls_handle_alpn()
2141 if (!s->hit) { in tls_handle_alpn()
2147 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { in tls_handle_alpn()
2148 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_handle_alpn()
2152 s->session->ext.alpn_selected = OPENSSL_memdup(selected, in tls_handle_alpn()
2154 if (s->session->ext.alpn_selected == NULL) { in tls_handle_alpn()
2155 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_handle_alpn()
2159 s->session->ext.alpn_selected_len = selected_len; in tls_handle_alpn()
2165 SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, in tls_handle_alpn()
2176 if (s->session->ext.alpn_selected != NULL) { in tls_handle_alpn()
2178 s->ext.early_data_ok = 0; in tls_handle_alpn()
2184 WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst) in tls_post_process_client_hello() argument
2189 int rv = tls_early_post_process_client_hello(s); in tls_post_process_client_hello()
2199 if (!s->hit || SSL_IS_TLS13(s)) { in tls_post_process_client_hello()
2201 if (!s->hit && s->cert->cert_cb != NULL) { in tls_post_process_client_hello()
2202 int rv = s->cert->cert_cb(s, s->cert->cert_cb_arg); in tls_post_process_client_hello()
2204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR); in tls_post_process_client_hello()
2208 s->rwstate = SSL_X509_LOOKUP; in tls_post_process_client_hello()
2211 s->rwstate = SSL_NOTHING; in tls_post_process_client_hello()
2215 if (!SSL_IS_TLS13(s)) { in tls_post_process_client_hello()
2217 ssl3_choose_cipher(s, s->peer_ciphers, SSL_get_ciphers(s)); in tls_post_process_client_hello()
2220 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_post_process_client_hello()
2224 s->s3.tmp.new_cipher = cipher; in tls_post_process_client_hello()
2226 if (!s->hit) { in tls_post_process_client_hello()
2227 if (!tls_choose_sigalg(s, 1)) { in tls_post_process_client_hello()
2232 if (s->not_resumable_session_cb != NULL) in tls_post_process_client_hello()
2233 s->session->not_resumable = in tls_post_process_client_hello()
2234 s->not_resumable_session_cb(s, in tls_post_process_client_hello()
2235 ((s->s3.tmp.new_cipher->algorithm_mkey in tls_post_process_client_hello()
2237 if (s->session->not_resumable) in tls_post_process_client_hello()
2239 s->ext.ticket_expected = 0; in tls_post_process_client_hello()
2242 /* Session-id reuse */ in tls_post_process_client_hello()
2243 s->s3.tmp.new_cipher = s->session->cipher; in tls_post_process_client_hello()
2246 /*- in tls_post_process_client_hello()
2249 * cipher_list - our preferred list of ciphers in tls_post_process_client_hello()
2250 * ciphers - the clients preferred list of ciphers in tls_post_process_client_hello()
2251 * compression - basically ignored right now in tls_post_process_client_hello()
2252 * ssl version is set - sslv3 in tls_post_process_client_hello()
2253 * s->session - The ssl session has been setup. in tls_post_process_client_hello()
2254 * s->hit - session reuse flag in tls_post_process_client_hello()
2255 * s->s3.tmp.new_cipher - the new cipher to use. in tls_post_process_client_hello()
2262 if (!tls_handle_status_request(s)) { in tls_post_process_client_hello()
2272 if (!SSL_IS_TLS13(s) && !tls_handle_alpn(s)) { in tls_post_process_client_hello()
2282 if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) { in tls_post_process_client_hello()
2286 s->rwstate = SSL_X509_LOOKUP; in tls_post_process_client_hello()
2301 int tls_construct_server_hello(SSL *s, WPACKET *pkt) in tls_construct_server_hello() argument
2307 int usetls13 = SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING; in tls_construct_server_hello()
2309 version = usetls13 ? TLS1_2_VERSION : s->version; in tls_construct_server_hello()
2316 s->hello_retry_request == SSL_HRR_PENDING in tls_construct_server_hello()
2317 ? hrrrandom : s->s3.server_random, in tls_construct_server_hello()
2319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_hello()
2323 /*- in tls_construct_server_hello()
2326 * - For session reuse from the session cache, in tls_construct_server_hello()
2328 * - If stateless session reuse (using a session ticket) in tls_construct_server_hello()
2329 * is successful, we send back the client's "session ID" in tls_construct_server_hello()
2331 * - If it is a new session, we send back the new in tls_construct_server_hello()
2333 * - However, if we want the new session to be single-use, in tls_construct_server_hello()
2334 * we send back a 0-length session ID. in tls_construct_server_hello()
2335 * - In TLSv1.3 we echo back the session id sent to us by the client in tls_construct_server_hello()
2337 * s->hit is non-zero in either case of session reuse, in tls_construct_server_hello()
2341 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) in tls_construct_server_hello()
2342 && !s->hit) in tls_construct_server_hello()
2343 s->session->session_id_length = 0; in tls_construct_server_hello()
2346 sl = s->tmp_session_id_len; in tls_construct_server_hello()
2347 session_id = s->tmp_session_id; in tls_construct_server_hello()
2349 sl = s->session->session_id_length; in tls_construct_server_hello()
2350 session_id = s->session->session_id; in tls_construct_server_hello()
2353 if (sl > sizeof(s->session->session_id)) { in tls_construct_server_hello()
2354 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_hello()
2362 if (usetls13 || s->s3.tmp.new_compression == NULL) in tls_construct_server_hello()
2365 compm = s->s3.tmp.new_compression->id; in tls_construct_server_hello()
2369 || !s->method->put_cipher_by_char(s->s3.tmp.new_cipher, pkt, &len) in tls_construct_server_hello()
2371 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_hello()
2375 if (!tls_construct_extensions(s, pkt, in tls_construct_server_hello()
2376 s->hello_retry_request == SSL_HRR_PENDING in tls_construct_server_hello()
2378 : (SSL_IS_TLS13(s) in tls_construct_server_hello()
2386 if (s->hello_retry_request == SSL_HRR_PENDING) { in tls_construct_server_hello()
2388 SSL_SESSION_free(s->session); in tls_construct_server_hello()
2389 s->session = NULL; in tls_construct_server_hello()
2390 s->hit = 0; in tls_construct_server_hello()
2393 * Re-initialise the Transcript Hash. We're going to prepopulate it with in tls_construct_server_hello()
2396 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { in tls_construct_server_hello()
2400 } else if (!(s->verify_mode & SSL_VERIFY_PEER) in tls_construct_server_hello()
2401 && !ssl3_digest_cached_records(s, 0)) { in tls_construct_server_hello()
2409 int tls_construct_server_done(SSL *s, WPACKET *pkt) in tls_construct_server_done() argument
2411 if (!s->s3.tmp.cert_request) { in tls_construct_server_done()
2412 if (!ssl3_digest_cached_records(s, 0)) { in tls_construct_server_done()
2420 int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt) in tls_construct_server_key_exchange() argument
2426 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; in tls_construct_server_key_exchange()
2436 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2441 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_server_key_exchange()
2445 type = s->s3.tmp.new_cipher->algorithm_mkey; in tls_construct_server_key_exchange()
2454 CERT *cert = s->cert; in tls_construct_server_key_exchange()
2457 if (s->cert->dh_tmp_auto) { in tls_construct_server_key_exchange()
2458 pkdh = ssl_get_auto_dh(s); in tls_construct_server_key_exchange()
2460 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2465 pkdhp = cert->dh_tmp; in tls_construct_server_key_exchange()
2468 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { in tls_construct_server_key_exchange()
2469 pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(s, 0, 1024)); in tls_construct_server_key_exchange()
2471 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2478 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); in tls_construct_server_key_exchange()
2481 if (!ssl_security(s, SSL_SECOP_TMP_DH, in tls_construct_server_key_exchange()
2483 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); in tls_construct_server_key_exchange()
2486 if (s->s3.tmp.pkey != NULL) { in tls_construct_server_key_exchange()
2487 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2491 s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp); in tls_construct_server_key_exchange()
2492 if (s->s3.tmp.pkey == NULL) { in tls_construct_server_key_exchange()
2493 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2502 if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P, in tls_construct_server_key_exchange()
2504 || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_G, in tls_construct_server_key_exchange()
2506 || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, in tls_construct_server_key_exchange()
2508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2513 if (s->s3.tmp.pkey != NULL) { in tls_construct_server_key_exchange()
2514 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2519 curve_id = tls1_shared_group(s, -2); in tls_construct_server_key_exchange()
2521 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_server_key_exchange()
2526 s->session->kex_group = curve_id; in tls_construct_server_key_exchange()
2528 s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id); in tls_construct_server_key_exchange()
2529 if (s->s3.tmp.pkey == NULL) { in tls_construct_server_key_exchange()
2535 encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey, in tls_construct_server_key_exchange()
2538 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); in tls_construct_server_key_exchange()
2553 if ((s->srp_ctx.N == NULL) || in tls_construct_server_key_exchange()
2554 (s->srp_ctx.g == NULL) || in tls_construct_server_key_exchange()
2555 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { in tls_construct_server_key_exchange()
2556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM); in tls_construct_server_key_exchange()
2559 r[0] = s->srp_ctx.N; in tls_construct_server_key_exchange()
2560 r[1] = s->srp_ctx.g; in tls_construct_server_key_exchange()
2561 r[2] = s->srp_ctx.s; in tls_construct_server_key_exchange()
2562 r[3] = s->srp_ctx.B; in tls_construct_server_key_exchange()
2566 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); in tls_construct_server_key_exchange()
2570 if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) in tls_construct_server_key_exchange()
2571 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { in tls_construct_server_key_exchange()
2574 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2580 size_t len = (s->cert->psk_identity_hint == NULL) in tls_construct_server_key_exchange()
2581 ? 0 : strlen(s->cert->psk_identity_hint); in tls_construct_server_key_exchange()
2584 * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already in tls_construct_server_key_exchange()
2585 * checked this when we set the identity hint - but just in case in tls_construct_server_key_exchange()
2588 || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, in tls_construct_server_key_exchange()
2590 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2608 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2612 /*- in tls_construct_server_key_exchange()
2618 size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]); in tls_construct_server_key_exchange()
2622 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2631 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2649 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2658 EVP_PKEY *pkey = s->s3.tmp.cert->privatekey; in tls_construct_server_key_exchange()
2663 if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) { in tls_construct_server_key_exchange()
2665 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2670 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2674 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { in tls_construct_server_key_exchange()
2675 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2681 s->ctx->libctx, s->ctx->propq, pkey, in tls_construct_server_key_exchange()
2683 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2686 if (lu->sig == EVP_PKEY_RSA_PSS) { in tls_construct_server_key_exchange()
2689 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_server_key_exchange()
2693 tbslen = construct_key_exchange_tbs(s, &tbs, in tls_construct_server_key_exchange()
2694 s->init_buf->data + paramoffset, in tls_construct_server_key_exchange()
2707 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2727 int tls_construct_certificate_request(SSL *s, WPACKET *pkt) in tls_construct_certificate_request() argument
2729 if (SSL_IS_TLS13(s)) { in tls_construct_certificate_request()
2730 /* Send random context when doing post-handshake auth */ in tls_construct_certificate_request()
2731 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in tls_construct_certificate_request()
2732 OPENSSL_free(s->pha_context); in tls_construct_certificate_request()
2733 s->pha_context_len = 32; in tls_construct_certificate_request()
2734 if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) { in tls_construct_certificate_request()
2735 s->pha_context_len = 0; in tls_construct_certificate_request()
2736 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2739 if (RAND_bytes_ex(s->ctx->libctx, s->pha_context, in tls_construct_certificate_request()
2740 s->pha_context_len, 0) <= 0 in tls_construct_certificate_request()
2741 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, in tls_construct_certificate_request()
2742 s->pha_context_len)) { in tls_construct_certificate_request()
2743 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2747 if (!tls13_restore_handshake_digest_for_pha(s)) { in tls_construct_certificate_request()
2753 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2758 if (!tls_construct_extensions(s, pkt, in tls_construct_certificate_request()
2769 || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { in tls_construct_certificate_request()
2770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2774 if (SSL_USE_SIGALGS(s)) { in tls_construct_certificate_request()
2776 size_t nl = tls12_get_psigalgs(s, 1, &psigs); in tls_construct_certificate_request()
2780 || !tls12_copy_sigalgs(s, pkt, psigs, nl) in tls_construct_certificate_request()
2782 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2787 if (!construct_ca_names(s, get_ca_names(s), pkt)) { in tls_construct_certificate_request()
2793 s->certreqs_sent++; in tls_construct_certificate_request()
2794 s->s3.tmp.cert_request = 1; in tls_construct_certificate_request()
2798 static int tls_process_cke_psk_preamble(SSL *s, PACKET *pkt) in tls_process_cke_psk_preamble() argument
2806 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cke_psk_preamble()
2810 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DATA_LENGTH_TOO_LONG); in tls_process_cke_psk_preamble()
2813 if (s->psk_server_callback == NULL) { in tls_process_cke_psk_preamble()
2814 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_SERVER_CB); in tls_process_cke_psk_preamble()
2818 if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { in tls_process_cke_psk_preamble()
2819 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_psk_preamble()
2823 psklen = s->psk_server_callback(s, s->session->psk_identity, in tls_process_cke_psk_preamble()
2827 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_psk_preamble()
2833 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, SSL_R_PSK_IDENTITY_NOT_FOUND); in tls_process_cke_psk_preamble()
2837 OPENSSL_free(s->s3.tmp.psk); in tls_process_cke_psk_preamble()
2838 s->s3.tmp.psk = OPENSSL_memdup(psk, psklen); in tls_process_cke_psk_preamble()
2841 if (s->s3.tmp.psk == NULL) { in tls_process_cke_psk_preamble()
2842 s->s3.tmp.psklen = 0; in tls_process_cke_psk_preamble()
2843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cke_psk_preamble()
2847 s->s3.tmp.psklen = psklen; in tls_process_cke_psk_preamble()
2852 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_psk_preamble()
2857 static int tls_process_cke_rsa(SSL *s, PACKET *pkt) in tls_process_cke_rsa() argument
2867 rsa = s->cert->pkeys[SSL_PKEY_RSA].privatekey; in tls_process_cke_rsa()
2869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_RSA_CERTIFICATE); in tls_process_cke_rsa()
2873 /* SSLv3 and pre-standard DTLS omit the length bytes. */ in tls_process_cke_rsa()
2874 if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) { in tls_process_cke_rsa()
2879 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cke_rsa()
2887 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cke_rsa()
2891 ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, rsa, s->ctx->propq); in tls_process_cke_rsa()
2893 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cke_rsa()
2899 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, in tls_process_cke_rsa()
2906 * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 in tls_process_cke_rsa()
2910 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_rsa()
2915 (unsigned int *)&s->client_version); in tls_process_cke_rsa()
2916 if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0) in tls_process_cke_rsa()
2919 (unsigned int *)&s->version); in tls_process_cke_rsa()
2926 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_rsa()
2936 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_rsa()
2941 if (!ssl_generate_master_secret(s, rsa_decrypt, in tls_process_cke_rsa()
2954 static int tls_process_cke_dhe(SSL *s, PACKET *pkt) in tls_process_cke_dhe() argument
2963 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); in tls_process_cke_dhe()
2966 skey = s->s3.tmp.pkey; in tls_process_cke_dhe()
2968 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); in tls_process_cke_dhe()
2973 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_MISSING_TMP_DH_KEY); in tls_process_cke_dhe()
2978 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_dhe()
2983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); in tls_process_cke_dhe()
2988 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_process_cke_dhe()
2992 if (ssl_derive(s, skey, ckey, 1) == 0) { in tls_process_cke_dhe()
2998 EVP_PKEY_free(s->s3.tmp.pkey); in tls_process_cke_dhe()
2999 s->s3.tmp.pkey = NULL; in tls_process_cke_dhe()
3005 static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt) in tls_process_cke_ecdhe() argument
3007 EVP_PKEY *skey = s->s3.tmp.pkey; in tls_process_cke_ecdhe()
3013 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_TMP_ECDH_KEY); in tls_process_cke_ecdhe()
3020 * Get client's public key from encoded point in the in tls_process_cke_ecdhe()
3027 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cke_ecdhe()
3031 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_ECDH_KEY); in tls_process_cke_ecdhe()
3037 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); in tls_process_cke_ecdhe()
3042 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_process_cke_ecdhe()
3047 if (ssl_derive(s, skey, ckey, 1) == 0) { in tls_process_cke_ecdhe()
3053 EVP_PKEY_free(s->s3.tmp.pkey); in tls_process_cke_ecdhe()
3054 s->s3.tmp.pkey = NULL; in tls_process_cke_ecdhe()
3061 static int tls_process_cke_srp(SSL *s, PACKET *pkt) in tls_process_cke_srp() argument
3069 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRP_A_LENGTH); in tls_process_cke_srp()
3072 if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) { in tls_process_cke_srp()
3073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_cke_srp()
3076 if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) { in tls_process_cke_srp()
3077 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRP_PARAMETERS); in tls_process_cke_srp()
3080 OPENSSL_free(s->session->srp_username); in tls_process_cke_srp()
3081 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); in tls_process_cke_srp()
3082 if (s->session->srp_username == NULL) { in tls_process_cke_srp()
3083 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cke_srp()
3087 if (!srp_generate_server_master_secret(s)) { in tls_process_cke_srp()
3095 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_srp()
3100 static int tls_process_cke_gost(SSL *s, PACKET *pkt) in tls_process_cke_gost() argument
3114 alg_a = s->s3.tmp.new_cipher->algorithm_auth; in tls_process_cke_gost()
3119 pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey; in tls_process_cke_gost()
3121 pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey; in tls_process_cke_gost()
3124 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; in tls_process_cke_gost()
3127 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; in tls_process_cke_gost()
3130 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq); in tls_process_cke_gost()
3132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cke_gost()
3136 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost()
3145 client_pub_pkey = X509_get0_pubkey(s->session->peer); in tls_process_cke_gost()
3156 || pKX->kxBlob == NULL in tls_process_cke_gost()
3157 || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) { in tls_process_cke_gost()
3158 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3162 if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) { in tls_process_cke_gost()
3163 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3168 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3172 inlen = pKX->kxBlob->value.sequence->length; in tls_process_cke_gost()
3173 start = pKX->kxBlob->value.sequence->data; in tls_process_cke_gost()
3177 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3181 if (!ssl_generate_master_secret(s, premaster_secret, in tls_process_cke_gost()
3187 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, in tls_process_cke_gost()
3189 s->statem.no_cert_verify = 1; in tls_process_cke_gost()
3198 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost()
3203 static int tls_process_cke_gost18(SSL *s, PACKET *pkt) in tls_process_cke_gost18() argument
3213 int cipher_nid = ossl_gost18_cke_cipher_nid(s); in tls_process_cke_gost18()
3216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
3220 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { in tls_process_cke_gost18()
3221 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
3226 pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey != NULL ? in tls_process_cke_gost18()
3227 s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : in tls_process_cke_gost18()
3228 s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey; in tls_process_cke_gost18()
3230 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in tls_process_cke_gost18()
3234 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pk, s->ctx->propq); in tls_process_cke_gost18()
3236 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_cke_gost18()
3240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
3245 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, in tls_process_cke_gost18()
3247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_process_cke_gost18()
3251 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, in tls_process_cke_gost18()
3253 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_process_cke_gost18()
3260 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost18()
3264 if (!ssl_generate_master_secret(s, premaster_secret, in tls_process_cke_gost18()
3276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
3281 MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL *s, PACKET *pkt) in tls_process_client_key_exchange() argument
3285 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_process_client_key_exchange()
3288 if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) { in tls_process_client_key_exchange()
3296 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_key_exchange()
3300 if (!ssl_generate_master_secret(s, NULL, 0, 0)) { in tls_process_client_key_exchange()
3305 if (!tls_process_cke_rsa(s, pkt)) { in tls_process_client_key_exchange()
3310 if (!tls_process_cke_dhe(s, pkt)) { in tls_process_client_key_exchange()
3315 if (!tls_process_cke_ecdhe(s, pkt)) { in tls_process_client_key_exchange()
3320 if (!tls_process_cke_srp(s, pkt)) { in tls_process_client_key_exchange()
3325 if (!tls_process_cke_gost(s, pkt)) { in tls_process_client_key_exchange()
3330 if (!tls_process_cke_gost18(s, pkt)) { in tls_process_client_key_exchange()
3335 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE); in tls_process_client_key_exchange()
3342 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); in tls_process_client_key_exchange()
3343 s->s3.tmp.psk = NULL; in tls_process_client_key_exchange()
3344 s->s3.tmp.psklen = 0; in tls_process_client_key_exchange()
3349 WORK_STATE tls_post_process_client_key_exchange(SSL *s, WORK_STATE wst) in tls_post_process_client_key_exchange() argument
3353 if (SSL_IS_DTLS(s)) { in tls_post_process_client_key_exchange()
3358 * Add new shared key for SCTP-Auth, will be ignored if no SCTP in tls_post_process_client_key_exchange()
3365 labellen = sizeof(labelbuffer) - 1; in tls_post_process_client_key_exchange()
3366 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_post_process_client_key_exchange()
3369 if (SSL_export_keying_material(s, sctpauthkey, in tls_post_process_client_key_exchange()
3373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_post_process_client_key_exchange()
3377 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, in tls_post_process_client_key_exchange()
3383 if (s->statem.no_cert_verify || !s->session->peer) { in tls_post_process_client_key_exchange()
3388 if (!ssl3_digest_cached_records(s, 0)) { in tls_post_process_client_key_exchange()
3394 if (!s->s3.handshake_buffer) { in tls_post_process_client_key_exchange()
3395 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_post_process_client_key_exchange()
3400 * extms we've done this already so this is a no-op in tls_post_process_client_key_exchange()
3402 if (!ssl3_digest_cached_records(s, 1)) { in tls_post_process_client_key_exchange()
3411 MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) in tls_process_client_certificate() argument
3428 s->statem.enc_read_state = ENC_READ_STATE_VALID; in tls_process_client_certificate()
3431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_client_certificate()
3435 if (SSL_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context) in tls_process_client_certificate()
3436 || (s->pha_context == NULL && PACKET_remaining(&context) != 0) in tls_process_client_certificate()
3437 || (s->pha_context != NULL && in tls_process_client_certificate()
3438 !PACKET_equal(&context, s->pha_context, s->pha_context_len)))) { in tls_process_client_certificate()
3439 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); in tls_process_client_certificate()
3445 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_certificate()
3452 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_client_certificate()
3457 x = X509_new_ex(s->ctx->libctx, s->ctx->propq); in tls_process_client_certificate()
3459 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_client_certificate()
3463 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); in tls_process_client_certificate()
3468 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_client_certificate()
3472 if (SSL_IS_TLS13(s)) { in tls_process_client_certificate()
3477 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_client_certificate()
3480 if (!tls_collect_extensions(s, &extensions, in tls_process_client_certificate()
3483 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, in tls_process_client_certificate()
3493 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_client_certificate()
3501 if (s->version == SSL3_VERSION) { in tls_process_client_certificate()
3502 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_process_client_certificate()
3507 else if ((s->verify_mode & SSL_VERIFY_PEER) && in tls_process_client_certificate()
3508 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { in tls_process_client_certificate()
3509 SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED, in tls_process_client_certificate()
3514 if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) { in tls_process_client_certificate()
3520 i = ssl_verify_cert_chain(s, sk); in tls_process_client_certificate()
3522 SSLfatal(s, ssl_x509err2alert(s->verify_result), in tls_process_client_certificate()
3528 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_process_client_certificate()
3536 * we can get multi-thread problems. Therefore we don't "update" sessions, in tls_process_client_certificate()
3538 * a new certificate is received via post-handshake authentication, as the in tls_process_client_certificate()
3542 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in tls_process_client_certificate()
3543 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { in tls_process_client_certificate()
3544 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_process_client_certificate()
3548 SSL_SESSION_free(s->session); in tls_process_client_certificate()
3549 s->session = new_sess; in tls_process_client_certificate()
3552 X509_free(s->session->peer); in tls_process_client_certificate()
3553 s->session->peer = sk_X509_shift(sk); in tls_process_client_certificate()
3554 s->session->verify_result = s->verify_result; in tls_process_client_certificate()
3556 sk_X509_pop_free(s->session->peer_chain, X509_free); in tls_process_client_certificate()
3557 s->session->peer_chain = sk; in tls_process_client_certificate()
3564 if (SSL_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) { in tls_process_client_certificate()
3570 * Inconsistency alert: cert_chain does *not* include the peer's own in tls_process_client_certificate()
3575 if (SSL_IS_TLS13(s)) { in tls_process_client_certificate()
3576 if (!ssl_handshake_hash(s, s->cert_verify_hash, in tls_process_client_certificate()
3577 sizeof(s->cert_verify_hash), in tls_process_client_certificate()
3578 &s->cert_verify_hash_len)) { in tls_process_client_certificate()
3584 s->sent_tickets = 0; in tls_process_client_certificate()
3595 int tls_construct_server_certificate(SSL *s, WPACKET *pkt) in tls_construct_server_certificate() argument
3597 CERT_PKEY *cpk = s->s3.tmp.cert; in tls_construct_server_certificate()
3600 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_certificate()
3608 if (SSL_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { in tls_construct_server_certificate()
3609 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_certificate()
3612 if (!ssl3_output_cert_chain(s, pkt, cpk)) { in tls_construct_server_certificate()
3620 static int create_ticket_prequel(SSL *s, WPACKET *pkt, uint32_t age_add, in create_ticket_prequel() argument
3623 uint32_t timeout = (uint32_t)s->session->timeout; in create_ticket_prequel()
3634 if (SSL_IS_TLS13(s)) { in create_ticket_prequel()
3635 if (s->session->timeout > ONE_WEEK_SEC) in create_ticket_prequel()
3637 } else if (s->hit) in create_ticket_prequel()
3641 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in create_ticket_prequel()
3645 if (SSL_IS_TLS13(s)) { in create_ticket_prequel()
3648 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in create_ticket_prequel()
3653 /* Start the sub-packet for the actual ticket data */ in create_ticket_prequel()
3655 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in create_ticket_prequel()
3663 * Returns 1 on success, 0 to abort construction of the ticket (non-fatal), or
3664 * -1 on fatal error
3666 static int construct_stateless_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, in construct_stateless_ticket() argument
3677 SSL_CTX *tctx = s->session_ctx; in construct_stateless_ticket()
3680 int iv_len, ok = -1; in construct_stateless_ticket()
3684 slen_full = i2d_SSL_SESSION(s->session, NULL); in construct_stateless_ticket()
3690 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3695 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in construct_stateless_ticket()
3702 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in construct_stateless_ticket()
3707 if (!i2d_SSL_SESSION(s->session, &p)) { in construct_stateless_ticket()
3708 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3718 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3725 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3731 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3742 if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) in construct_stateless_ticket()
3744 if (tctx->ext.ticket_key_evp_cb != NULL) in construct_stateless_ticket()
3749 if (tctx->ext.ticket_key_evp_cb != NULL) in construct_stateless_ticket()
3750 ret = tctx->ext.ticket_key_evp_cb(s, key_name, iv, ctx, in construct_stateless_ticket()
3754 else if (tctx->ext.ticket_key_cb != NULL) in construct_stateless_ticket()
3756 ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx, in construct_stateless_ticket()
3766 if (SSL_IS_TLS13(s)) { in construct_stateless_ticket()
3773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3782 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); in construct_stateless_ticket()
3787 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3791 EVP_CIPHER *cipher = EVP_CIPHER_fetch(s->ctx->libctx, "AES-256-CBC", in construct_stateless_ticket()
3792 s->ctx->propq); in construct_stateless_ticket()
3796 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in construct_stateless_ticket()
3802 || RAND_bytes_ex(s->ctx->libctx, iv, iv_len, 0) <= 0 in construct_stateless_ticket()
3804 tctx->ext.secure->tick_aes_key, iv) in construct_stateless_ticket()
3805 || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, in construct_stateless_ticket()
3806 sizeof(tctx->ext.secure->tick_hmac_key), in construct_stateless_ticket()
3809 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3813 memcpy(key_name, tctx->ext.tick_key_name, in construct_stateless_ticket()
3814 sizeof(tctx->ext.tick_key_name)); in construct_stateless_ticket()
3817 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { in construct_stateless_ticket()
3839 (unsigned char *)s->init_buf->data + macoffset, in construct_stateless_ticket()
3840 macendoffset - macoffset) in construct_stateless_ticket()
3846 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3850 /* Close the sub-packet created by create_ticket_prequel() */ in construct_stateless_ticket()
3852 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3864 static int construct_stateful_ticket(SSL *s, WPACKET *pkt, uint32_t age_add, in construct_stateful_ticket() argument
3867 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { in construct_stateful_ticket()
3872 if (!WPACKET_memcpy(pkt, s->session->session_id, in construct_stateful_ticket()
3873 s->session->session_id_length) in construct_stateful_ticket()
3875 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateful_ticket()
3882 static void tls_update_ticket_counts(SSL *s) in tls_update_ticket_counts() argument
3886 * gets reset to 0 if we send more tickets following a post-handshake in tls_update_ticket_counts()
3890 s->sent_tickets++; in tls_update_ticket_counts()
3891 s->next_ticket_nonce++; in tls_update_ticket_counts()
3892 if (s->ext.extra_tickets_expected > 0) in tls_update_ticket_counts()
3893 s->ext.extra_tickets_expected--; in tls_update_ticket_counts()
3896 int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt) in tls_construct_new_session_ticket() argument
3898 SSL_CTX *tctx = s->session_ctx; in tls_construct_new_session_ticket()
3908 if (SSL_IS_TLS13(s)) { in tls_construct_new_session_ticket()
3912 const EVP_MD *md = ssl_handshake_md(s); in tls_construct_new_session_ticket()
3917 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_new_session_ticket()
3924 * s->session may already be in a cache and so we must not modify it. in tls_construct_new_session_ticket()
3927 if (s->sent_tickets != 0 || s->hit) { in tls_construct_new_session_ticket()
3928 SSL_SESSION *new_sess = ssl_session_dup(s->session, 0); in tls_construct_new_session_ticket()
3935 SSL_SESSION_free(s->session); in tls_construct_new_session_ticket()
3936 s->session = new_sess; in tls_construct_new_session_ticket()
3939 if (!ssl_generate_session_id(s, s->session)) { in tls_construct_new_session_ticket()
3943 if (RAND_bytes_ex(s->ctx->libctx, age_add_u.age_add_c, in tls_construct_new_session_ticket()
3945 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_new_session_ticket()
3948 s->session->ext.tick_age_add = age_add_u.age_add; in tls_construct_new_session_ticket()
3950 nonce = s->next_ticket_nonce; in tls_construct_new_session_ticket()
3951 for (i = TICKET_NONCE_SIZE; i > 0; i--) { in tls_construct_new_session_ticket()
3952 tick_nonce[i - 1] = (unsigned char)(nonce & 0xff); in tls_construct_new_session_ticket()
3956 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, in tls_construct_new_session_ticket()
3958 sizeof(nonce_label) - 1, in tls_construct_new_session_ticket()
3961 s->session->master_key, in tls_construct_new_session_ticket()
3966 s->session->master_key_length = hashlen; in tls_construct_new_session_ticket()
3968 s->session->time = time(NULL); in tls_construct_new_session_ticket()
3969 ssl_session_calculate_timeout(s->session); in tls_construct_new_session_ticket()
3970 if (s->s3.alpn_selected != NULL) { in tls_construct_new_session_ticket()
3971 OPENSSL_free(s->session->ext.alpn_selected); in tls_construct_new_session_ticket()
3972 s->session->ext.alpn_selected = in tls_construct_new_session_ticket()
3973 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); in tls_construct_new_session_ticket()
3974 if (s->session->ext.alpn_selected == NULL) { in tls_construct_new_session_ticket()
3975 s->session->ext.alpn_selected_len = 0; in tls_construct_new_session_ticket()
3976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls_construct_new_session_ticket()
3979 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; in tls_construct_new_session_ticket()
3981 s->session->ext.max_early_data = s->max_early_data; in tls_construct_new_session_ticket()
3984 if (tctx->generate_ticket_cb != NULL && in tls_construct_new_session_ticket()
3985 tctx->generate_ticket_cb(s, tctx->ticket_cb_data) == 0) { in tls_construct_new_session_ticket()
3986 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_new_session_ticket()
3990 * If we are using anti-replay protection then we behave as if in tls_construct_new_session_ticket()
3991 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there in tls_construct_new_session_ticket()
3994 if (SSL_IS_TLS13(s) in tls_construct_new_session_ticket()
3995 && ((s->options & SSL_OP_NO_TICKET) != 0 in tls_construct_new_session_ticket()
3996 || (s->max_early_data > 0 in tls_construct_new_session_ticket()
3997 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { in tls_construct_new_session_ticket()
3998 if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) { in tls_construct_new_session_ticket()
4005 tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add, in tls_construct_new_session_ticket()
4009 ret = 2; /* Non-fatal. Abort construction but continue */ in tls_construct_new_session_ticket()
4011 tls_update_ticket_counts(s); in tls_construct_new_session_ticket()
4018 if (SSL_IS_TLS13(s)) { in tls_construct_new_session_ticket()
4019 if (!tls_construct_extensions(s, pkt, in tls_construct_new_session_ticket()
4025 tls_update_ticket_counts(s); in tls_construct_new_session_ticket()
4026 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); in tls_construct_new_session_ticket()
4038 int tls_construct_cert_status_body(SSL *s, WPACKET *pkt) in tls_construct_cert_status_body() argument
4040 if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) in tls_construct_cert_status_body()
4041 || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, in tls_construct_cert_status_body()
4042 s->ext.ocsp.resp_len)) { in tls_construct_cert_status_body()
4043 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cert_status_body()
4050 int tls_construct_cert_status(SSL *s, WPACKET *pkt) in tls_construct_cert_status() argument
4052 if (!tls_construct_cert_status_body(s, pkt)) { in tls_construct_cert_status()
4063 * It sets the next_proto member in s if found
4065 MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt) in tls_process_next_proto() argument
4070 /*- in tls_process_next_proto()
4080 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_next_proto()
4084 if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { in tls_process_next_proto()
4085 s->ext.npn_len = 0; in tls_process_next_proto()
4086 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_next_proto()
4090 s->ext.npn_len = (unsigned char)next_proto_len; in tls_process_next_proto()
4096 static int tls_construct_encrypted_extensions(SSL *s, WPACKET *pkt) in tls_construct_encrypted_extensions() argument
4098 if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, in tls_construct_encrypted_extensions()
4107 MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL *s, PACKET *pkt) in tls_process_end_of_early_data() argument
4110 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_end_of_early_data()
4114 if (s->early_data_state != SSL_EARLY_DATA_READING in tls_process_end_of_early_data()
4115 && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { in tls_process_end_of_early_data()
4116 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_end_of_early_data()
4124 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_end_of_early_data()
4125 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); in tls_process_end_of_early_data()
4129 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; in tls_process_end_of_early_data()
4130 if (!s->method->ssl3_enc->change_cipher_state(s, in tls_process_end_of_early_data()