Lines Matching +full:s +full:-
2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
51 static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s,
56 return sc->session->peer_rpk != NULL || sc->session->peer != NULL; in received_client_cert()
63 * The current state is in |s->statem.hand_state|.
68 static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt) in ossl_statem_server13_read_transition() argument
70 OSSL_STATEM *st = &s->statem; in ossl_statem_server13_read_transition()
77 switch (st->hand_state) { in ossl_statem_server13_read_transition()
82 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_server13_read_transition()
84 st->hand_state = TLS_ST_SR_CLNT_HELLO; in ossl_statem_server13_read_transition()
88 } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED in ossl_statem_server13_read_transition()
89 && !SSL_NO_EOED(s)) { in ossl_statem_server13_read_transition()
91 st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA; in ossl_statem_server13_read_transition()
100 if (s->s3.tmp.cert_request) { in ossl_statem_server13_read_transition()
102 st->hand_state = TLS_ST_SR_CERT; in ossl_statem_server13_read_transition()
107 && s->ext.compress_certificate_sent) { in ossl_statem_server13_read_transition()
108 st->hand_state = TLS_ST_SR_COMP_CERT; in ossl_statem_server13_read_transition()
114 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server13_read_transition()
122 if (!received_client_cert(s)) { in ossl_statem_server13_read_transition()
124 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server13_read_transition()
129 st->hand_state = TLS_ST_SR_CERT_VRFY; in ossl_statem_server13_read_transition()
137 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server13_read_transition()
147 if (s->early_data_state == SSL_EARLY_DATA_READING) in ossl_statem_server13_read_transition()
150 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_server13_read_transition()
152 st->hand_state = TLS_ST_SR_CERT; in ossl_statem_server13_read_transition()
157 && s->ext.compress_certificate_sent) { in ossl_statem_server13_read_transition()
158 st->hand_state = TLS_ST_SR_COMP_CERT; in ossl_statem_server13_read_transition()
164 if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) { in ossl_statem_server13_read_transition()
165 st->hand_state = TLS_ST_SR_KEY_UPDATE; in ossl_statem_server13_read_transition()
179 * current state is in |s->statem.hand_state|.
184 int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt) in ossl_statem_server_read_transition() argument
186 OSSL_STATEM *st = &s->statem; in ossl_statem_server_read_transition()
188 if (SSL_CONNECTION_IS_TLS13(s)) { in ossl_statem_server_read_transition()
189 if (!ossl_statem_server13_read_transition(s, mt)) in ossl_statem_server_read_transition()
194 switch (st->hand_state) { in ossl_statem_server_read_transition()
202 st->hand_state = TLS_ST_SR_CLNT_HELLO; in ossl_statem_server_read_transition()
219 if (s->s3.tmp.cert_request) { in ossl_statem_server_read_transition()
220 if (s->version == SSL3_VERSION) { in ossl_statem_server_read_transition()
221 if ((s->verify_mode & SSL_VERIFY_PEER) in ossl_statem_server_read_transition()
222 && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { in ossl_statem_server_read_transition()
224 * This isn't an unexpected message as such - we're just in ossl_statem_server_read_transition()
228 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in ossl_statem_server_read_transition()
232 st->hand_state = TLS_ST_SR_KEY_EXCH; in ossl_statem_server_read_transition()
236 st->hand_state = TLS_ST_SR_KEY_EXCH; in ossl_statem_server_read_transition()
239 } else if (s->s3.tmp.cert_request) { in ossl_statem_server_read_transition()
241 st->hand_state = TLS_ST_SR_CERT; in ossl_statem_server_read_transition()
249 st->hand_state = TLS_ST_SR_KEY_EXCH; in ossl_statem_server_read_transition()
257 * received a Certificate from the client. If so then |s->session->peer| in ossl_statem_server_read_transition()
260 * the case of static DH). In that case |st->no_cert_verify| should be in ossl_statem_server_read_transition()
263 if (!received_client_cert(s) || st->no_cert_verify) { in ossl_statem_server_read_transition()
271 st->hand_state = TLS_ST_SR_CHANGE; in ossl_statem_server_read_transition()
276 st->hand_state = TLS_ST_SR_CERT_VRFY; in ossl_statem_server_read_transition()
284 st->hand_state = TLS_ST_SR_CHANGE; in ossl_statem_server_read_transition()
291 if (s->s3.npn_seen) { in ossl_statem_server_read_transition()
293 st->hand_state = TLS_ST_SR_NEXT_PROTO; in ossl_statem_server_read_transition()
299 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server_read_transition()
310 st->hand_state = TLS_ST_SR_FINISHED; in ossl_statem_server_read_transition()
318 st->hand_state = TLS_ST_SR_CHANGE; in ossl_statem_server_read_transition()
326 if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { in ossl_statem_server_read_transition()
331 * because of an out-of-order CCS. We'll just drop it. in ossl_statem_server_read_transition()
333 s->init_num = 0; in ossl_statem_server_read_transition()
334 s->rwstate = SSL_READING; in ossl_statem_server_read_transition()
335 rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s)); in ossl_statem_server_read_transition()
340 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in ossl_statem_server_read_transition()
351 static int send_server_key_exchange(SSL_CONNECTION *s) in send_server_key_exchange() argument
353 unsigned long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in send_server_key_exchange()
359 * the cipher suite is either ECDH-anon or ECDHE. In other cases, in send_server_key_exchange()
360 * the server certificate contains the server's public key for in send_server_key_exchange()
371 && s->cert->psk_identity_hint) in send_server_key_exchange()
394 int *alg = sc->ext.compress_certificate_from_peer; in get_compressed_certificate_alg()
396 if (sc->s3.tmp.cert == NULL) in get_compressed_certificate_alg()
400 if (sc->s3.tmp.cert->comp_cert[*alg] != NULL) in get_compressed_certificate_alg()
414 int send_certificate_request(SSL_CONNECTION *s) in send_certificate_request() argument
418 s->verify_mode & SSL_VERIFY_PEER in send_certificate_request()
420 * don't request if post-handshake-only unless doing in send_certificate_request()
421 * post-handshake in TLSv1.3: in send_certificate_request()
423 && (!SSL_CONNECTION_IS_TLS13(s) in send_certificate_request()
424 || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) in send_certificate_request()
425 || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) in send_certificate_request()
430 && (s->certreqs_sent < 1 || in send_certificate_request()
431 !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) in send_certificate_request()
437 && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL) in send_certificate_request()
443 || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) in send_certificate_request()
445 && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP) in send_certificate_request()
450 && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) { in send_certificate_request()
460 return sc->ext.server_cert_type == TLSEXT_cert_type_x509 in do_compressed_cert()
469 static WRITE_TRAN ossl_statem_server13_write_transition(SSL_CONNECTION *s) in ossl_statem_server13_write_transition() argument
471 OSSL_STATEM *st = &s->statem; in ossl_statem_server13_write_transition()
478 switch (st->hand_state) { in ossl_statem_server13_write_transition()
481 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server13_write_transition()
485 if (s->key_update != SSL_KEY_UPDATE_NONE) { in ossl_statem_server13_write_transition()
486 st->hand_state = TLS_ST_SW_KEY_UPDATE; in ossl_statem_server13_write_transition()
489 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in ossl_statem_server13_write_transition()
490 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server13_write_transition()
493 if (s->ext.extra_tickets_expected > 0) { in ossl_statem_server13_write_transition()
494 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server13_write_transition()
501 st->hand_state = TLS_ST_SW_SRVR_HELLO; in ossl_statem_server13_write_transition()
505 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_server13_write_transition()
506 && s->hello_retry_request != SSL_HRR_COMPLETE) in ossl_statem_server13_write_transition()
507 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server13_write_transition()
508 else if (s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_server13_write_transition()
509 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_server13_write_transition()
511 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; in ossl_statem_server13_write_transition()
515 if (s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_server13_write_transition()
516 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_server13_write_transition()
518 st->hand_state = TLS_ST_SW_ENCRYPTED_EXTENSIONS; in ossl_statem_server13_write_transition()
522 if (s->hit) in ossl_statem_server13_write_transition()
523 st->hand_state = TLS_ST_SW_FINISHED; in ossl_statem_server13_write_transition()
524 else if (send_certificate_request(s)) in ossl_statem_server13_write_transition()
525 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server13_write_transition()
526 else if (do_compressed_cert(s)) in ossl_statem_server13_write_transition()
527 st->hand_state = TLS_ST_SW_COMP_CERT; in ossl_statem_server13_write_transition()
529 st->hand_state = TLS_ST_SW_CERT; in ossl_statem_server13_write_transition()
534 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in ossl_statem_server13_write_transition()
535 s->post_handshake_auth = SSL_PHA_REQUESTED; in ossl_statem_server13_write_transition()
536 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
537 } else if (do_compressed_cert(s)) { in ossl_statem_server13_write_transition()
538 st->hand_state = TLS_ST_SW_COMP_CERT; in ossl_statem_server13_write_transition()
540 st->hand_state = TLS_ST_SW_CERT; in ossl_statem_server13_write_transition()
546 st->hand_state = TLS_ST_SW_CERT_VRFY; in ossl_statem_server13_write_transition()
550 st->hand_state = TLS_ST_SW_FINISHED; in ossl_statem_server13_write_transition()
554 st->hand_state = TLS_ST_EARLY_DATA; in ossl_statem_server13_write_transition()
555 s->ts_msg_write = ossl_time_now(); in ossl_statem_server13_write_transition()
562 s->ts_msg_read = ossl_time_now(); in ossl_statem_server13_write_transition()
568 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_server13_write_transition()
569 s->post_handshake_auth = SSL_PHA_EXT_RECEIVED; in ossl_statem_server13_write_transition()
570 } else if (!s->ext.ticket_expected) { in ossl_statem_server13_write_transition()
575 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
578 if (s->num_tickets > s->sent_tickets) in ossl_statem_server13_write_transition()
579 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server13_write_transition()
581 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
586 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
594 if (!SSL_IS_FIRST_HANDSHAKE(s) && s->ext.extra_tickets_expected > 0) { in ossl_statem_server13_write_transition()
596 } else if (s->hit || s->num_tickets <= s->sent_tickets) { in ossl_statem_server13_write_transition()
598 st->hand_state = TLS_ST_OK; in ossl_statem_server13_write_transition()
608 WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s) in ossl_statem_server_write_transition() argument
610 OSSL_STATEM *st = &s->statem; in ossl_statem_server_write_transition()
617 if (SSL_CONNECTION_IS_TLS13(s)) in ossl_statem_server_write_transition()
618 return ossl_statem_server13_write_transition(s); in ossl_statem_server_write_transition()
620 switch (st->hand_state) { in ossl_statem_server_write_transition()
623 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_write_transition()
627 if (st->request_state == TLS_ST_SW_HELLO_REQ) { in ossl_statem_server_write_transition()
629 st->hand_state = TLS_ST_SW_HELLO_REQ; in ossl_statem_server_write_transition()
630 st->request_state = TLS_ST_BEFORE; in ossl_statem_server_write_transition()
634 if (!tls_setup_handshake(s)) { in ossl_statem_server_write_transition()
645 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
649 if (SSL_CONNECTION_IS_DTLS(s) && !s->d1->cookie_verified in ossl_statem_server_write_transition()
650 && (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE)) { in ossl_statem_server_write_transition()
651 st->hand_state = DTLS_ST_SW_HELLO_VERIFY_REQUEST; in ossl_statem_server_write_transition()
652 } else if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { in ossl_statem_server_write_transition()
654 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
657 st->hand_state = TLS_ST_SW_SRVR_HELLO; in ossl_statem_server_write_transition()
665 if (s->hit) { in ossl_statem_server_write_transition()
666 if (s->ext.ticket_expected) in ossl_statem_server_write_transition()
667 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server_write_transition()
669 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server_write_transition()
673 if (!(s->s3.tmp.new_cipher->algorithm_auth & in ossl_statem_server_write_transition()
675 st->hand_state = TLS_ST_SW_CERT; in ossl_statem_server_write_transition()
676 } else if (send_server_key_exchange(s)) { in ossl_statem_server_write_transition()
677 st->hand_state = TLS_ST_SW_KEY_EXCH; in ossl_statem_server_write_transition()
678 } else if (send_certificate_request(s)) { in ossl_statem_server_write_transition()
679 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server_write_transition()
681 st->hand_state = TLS_ST_SW_SRVR_DONE; in ossl_statem_server_write_transition()
687 if (s->ext.status_expected) { in ossl_statem_server_write_transition()
688 st->hand_state = TLS_ST_SW_CERT_STATUS; in ossl_statem_server_write_transition()
694 if (send_server_key_exchange(s)) { in ossl_statem_server_write_transition()
695 st->hand_state = TLS_ST_SW_KEY_EXCH; in ossl_statem_server_write_transition()
701 if (send_certificate_request(s)) { in ossl_statem_server_write_transition()
702 st->hand_state = TLS_ST_SW_CERT_REQ; in ossl_statem_server_write_transition()
708 st->hand_state = TLS_ST_SW_SRVR_DONE; in ossl_statem_server_write_transition()
712 s->ts_msg_write = ossl_time_now(); in ossl_statem_server_write_transition()
716 s->ts_msg_read = ossl_time_now(); in ossl_statem_server_write_transition()
717 if (s->hit) { in ossl_statem_server_write_transition()
718 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
720 } else if (s->ext.ticket_expected) { in ossl_statem_server_write_transition()
721 st->hand_state = TLS_ST_SW_SESSION_TICKET; in ossl_statem_server_write_transition()
723 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server_write_transition()
728 st->hand_state = TLS_ST_SW_CHANGE; in ossl_statem_server_write_transition()
732 st->hand_state = TLS_ST_SW_FINISHED; in ossl_statem_server_write_transition()
736 if (s->hit) { in ossl_statem_server_write_transition()
739 st->hand_state = TLS_ST_OK; in ossl_statem_server_write_transition()
748 WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) in ossl_statem_server_pre_work() argument
750 OSSL_STATEM *st = &s->statem; in ossl_statem_server_pre_work()
751 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in ossl_statem_server_pre_work()
753 switch (st->hand_state) { in ossl_statem_server_pre_work()
759 s->shutdown = 0; in ossl_statem_server_pre_work()
760 if (SSL_CONNECTION_IS_DTLS(s)) in ossl_statem_server_pre_work()
761 dtls1_clear_sent_buffer(s); in ossl_statem_server_pre_work()
765 s->shutdown = 0; in ossl_statem_server_pre_work()
766 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_server_pre_work()
767 dtls1_clear_sent_buffer(s); in ossl_statem_server_pre_work()
769 st->use_timer = 0; in ossl_statem_server_pre_work()
774 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_server_pre_work()
779 st->use_timer = 1; in ossl_statem_server_pre_work()
785 if (SSL_CONNECTION_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(ssl))) { in ossl_statem_server_pre_work()
787 return dtls_wait_for_dry(s); in ossl_statem_server_pre_work()
793 if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0 in ossl_statem_server_pre_work()
794 && s->ext.extra_tickets_expected == 0) { in ossl_statem_server_pre_work()
802 return tls_finish_handshake(s, wst, 0, 0); in ossl_statem_server_pre_work()
804 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_server_pre_work()
809 st->use_timer = 0; in ossl_statem_server_pre_work()
814 if (SSL_CONNECTION_IS_TLS13(s)) in ossl_statem_server_pre_work()
816 /* Writes to s->session are only safe for initial handshakes */ in ossl_statem_server_pre_work()
817 if (s->session->cipher == NULL) { in ossl_statem_server_pre_work()
818 s->session->cipher = s->s3.tmp.new_cipher; in ossl_statem_server_pre_work()
819 } else if (s->session->cipher != s->s3.tmp.new_cipher) { in ossl_statem_server_pre_work()
820 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_pre_work()
823 if (!ssl->method->ssl3_enc->setup_key_block(s)) { in ossl_statem_server_pre_work()
827 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_server_pre_work()
834 st->use_timer = 0; in ossl_statem_server_pre_work()
839 if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING in ossl_statem_server_pre_work()
840 && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0) in ossl_statem_server_pre_work()
844 * In QUIC with 0-RTT we just carry on when otherwise we would stop in ossl_statem_server_pre_work()
847 if (SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED in ossl_statem_server_pre_work()
848 && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING) { in ossl_statem_server_pre_work()
849 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; in ossl_statem_server_pre_work()
850 if (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE in ossl_statem_server_pre_work()
852 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_pre_work()
861 return tls_finish_handshake(s, wst, 1, 1); in ossl_statem_server_pre_work()
891 WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) in ossl_statem_server_post_work() argument
893 OSSL_STATEM *st = &s->statem; in ossl_statem_server_post_work()
894 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in ossl_statem_server_post_work()
896 s->init_num = 0; in ossl_statem_server_post_work()
898 switch (st->hand_state) { in ossl_statem_server_post_work()
904 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
906 if (!ssl3_init_finished_mac(s)) { in ossl_statem_server_post_work()
913 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
916 if (s->version != DTLS1_BAD_VER && !ssl3_init_finished_mac(s)) { in ossl_statem_server_post_work()
924 s->first_packet = 1; in ossl_statem_server_post_work()
928 if (SSL_CONNECTION_IS_TLS13(s) in ossl_statem_server_post_work()
929 && s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_server_post_work()
930 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 in ossl_statem_server_post_work()
931 && statem_flush(s) != 1) in ossl_statem_server_post_work()
936 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { in ossl_statem_server_post_work()
942 * Add new shared key for SCTP-Auth, will be ignored if no in ossl_statem_server_post_work()
949 labellen = sizeof(labelbuffer) - 1; in ossl_statem_server_post_work()
950 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in ossl_statem_server_post_work()
957 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_post_work()
965 if (!SSL_CONNECTION_IS_TLS13(s) in ossl_statem_server_post_work()
966 || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_server_post_work()
967 && s->hello_retry_request != SSL_HRR_COMPLETE)) in ossl_statem_server_post_work()
972 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_server_post_work()
973 if (!statem_flush(s)) in ossl_statem_server_post_work()
978 if (SSL_CONNECTION_IS_TLS13(s)) { in ossl_statem_server_post_work()
979 if (!ssl->method->ssl3_enc->setup_key_block(s) in ossl_statem_server_post_work()
980 || !tls13_store_handshake_traffic_hash(s) in ossl_statem_server_post_work()
981 || !ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
987 if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED in ossl_statem_server_post_work()
988 && !ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
998 if (s->rlayer.rrlmethod->set_plain_alerts != NULL) in ossl_statem_server_post_work()
999 s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 1); in ossl_statem_server_post_work()
1004 if (SSL_CONNECTION_IS_DTLS(s) && !s->hit) { in ossl_statem_server_post_work()
1006 * Change to new shared key of SCTP-Auth, will be ignored if in ossl_statem_server_post_work()
1013 if (!ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
1021 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
1026 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
1029 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { in ossl_statem_server_post_work()
1031 * Change to new shared key of SCTP-Auth, will be ignored if in ossl_statem_server_post_work()
1038 if (SSL_CONNECTION_IS_TLS13(s)) { in ossl_statem_server_post_work()
1041 if (!ssl->method->ssl3_enc->generate_master_secret(s, in ossl_statem_server_post_work()
1042 s->master_secret, s->handshake_secret, 0, in ossl_statem_server_post_work()
1044 || !tls13_store_server_finished_hash(s) in ossl_statem_server_post_work()
1045 || !ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_server_post_work()
1053 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in ossl_statem_server_post_work()
1054 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
1057 if (!SSL_CONNECTION_IS_TLS13(s) in ossl_statem_server_post_work()
1058 || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) in ossl_statem_server_post_work()
1059 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; in ossl_statem_server_post_work()
1064 if (!s->hit && !send_certificate_request(s)) { in ossl_statem_server_post_work()
1065 if (!SSL_CONNECTION_IS_TLS13(s) in ossl_statem_server_post_work()
1066 || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) in ossl_statem_server_post_work()
1067 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; in ossl_statem_server_post_work()
1072 if (statem_flush(s) != 1) in ossl_statem_server_post_work()
1074 if (!tls13_update_key(s, 1)) { in ossl_statem_server_post_work()
1082 if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) { in ossl_statem_server_post_work()
1090 * waiting to read our post-handshake NewSessionTickets. in ossl_statem_server_post_work()
1092 s->rwstate = SSL_NOTHING; in ossl_statem_server_post_work()
1112 int ossl_statem_server_construct_message(SSL_CONNECTION *s, in ossl_statem_server_construct_message() argument
1115 OSSL_STATEM *st = &s->statem; in ossl_statem_server_construct_message()
1117 switch (st->hand_state) { in ossl_statem_server_construct_message()
1120 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in ossl_statem_server_construct_message()
1124 if (SSL_CONNECTION_IS_DTLS(s)) in ossl_statem_server_construct_message()
1223 * 2^16-2 + # maximum length of cipher suites array
1225 * 2^8-1 + # maximum length of compression methods
1227 * 2^16-1 # maximum length of extensions
1238 size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s) in ossl_statem_server_max_message_size() argument
1240 OSSL_STATEM *st = &s->statem; in ossl_statem_server_max_message_size()
1242 switch (st->hand_state) { in ossl_statem_server_max_message_size()
1255 return s->max_cert_list; in ossl_statem_server_max_message_size()
1282 MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s, in ossl_statem_server_process_message() argument
1285 OSSL_STATEM *st = &s->statem; in ossl_statem_server_process_message()
1287 switch (st->hand_state) { in ossl_statem_server_process_message()
1290 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_process_message()
1294 return tls_process_client_hello(s, pkt); in ossl_statem_server_process_message()
1297 return tls_process_end_of_early_data(s, pkt); in ossl_statem_server_process_message()
1300 return tls_process_client_certificate(s, pkt); in ossl_statem_server_process_message()
1304 return tls_process_client_compressed_certificate(s, pkt); in ossl_statem_server_process_message()
1308 return tls_process_client_key_exchange(s, pkt); in ossl_statem_server_process_message()
1311 return tls_process_cert_verify(s, pkt); in ossl_statem_server_process_message()
1315 return tls_process_next_proto(s, pkt); in ossl_statem_server_process_message()
1319 return tls_process_change_cipher_spec(s, pkt); in ossl_statem_server_process_message()
1322 return tls_process_finished(s, pkt); in ossl_statem_server_process_message()
1325 return tls_process_key_update(s, pkt); in ossl_statem_server_process_message()
1334 WORK_STATE ossl_statem_server_post_process_message(SSL_CONNECTION *s, in ossl_statem_server_post_process_message() argument
1337 OSSL_STATEM *st = &s->statem; in ossl_statem_server_post_process_message()
1339 switch (st->hand_state) { in ossl_statem_server_post_process_message()
1342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_server_post_process_message()
1346 return tls_post_process_client_hello(s, wst); in ossl_statem_server_post_process_message()
1349 return tls_post_process_client_key_exchange(s, wst); in ossl_statem_server_post_process_message()
1354 /* Returns 1 on success, 0 for retryable error, -1 for fatal error */
1355 static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s) in ssl_check_srp_ext_ClientHello() argument
1360 if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) && in ssl_check_srp_ext_ClientHello()
1361 (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { in ssl_check_srp_ext_ClientHello()
1362 if (s->srp_ctx.login == NULL) { in ssl_check_srp_ext_ClientHello()
1367 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, in ssl_check_srp_ext_ClientHello()
1369 return -1; in ssl_check_srp_ext_ClientHello()
1371 ret = ssl_srp_server_param_with_username_intern(s, &al); in ssl_check_srp_ext_ClientHello()
1375 SSLfatal(s, al, in ssl_check_srp_ext_ClientHello()
1379 return -1; in ssl_check_srp_ext_ClientHello()
1398 CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, in dtls_construct_hello_verify_request() argument
1402 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in dtls_construct_hello_verify_request()
1404 if (sctx->app_gen_cookie_cb == NULL in dtls_construct_hello_verify_request()
1405 || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s), s->d1->cookie, in dtls_construct_hello_verify_request()
1408 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); in dtls_construct_hello_verify_request()
1411 s->d1->cookie_len = cookie_leni; in dtls_construct_hello_verify_request()
1413 if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, in dtls_construct_hello_verify_request()
1414 s->d1->cookie_len)) { in dtls_construct_hello_verify_request()
1415 SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); in dtls_construct_hello_verify_request()
1422 /*-
1431 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
1432 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
1436 static void ssl_check_for_safari(SSL_CONNECTION *s, in ssl_check_for_safari() argument
1443 0x00, 0x17, /* P-256 */ in ssl_check_for_safari()
1444 0x00, 0x18, /* P-384 */ in ssl_check_for_safari()
1445 0x00, 0x19, /* P-521 */ in ssl_check_for_safari()
1455 0x05, 0x01, /* SHA-384/RSA */ in ssl_check_for_safari()
1456 0x04, 0x01, /* SHA-256/RSA */ in ssl_check_for_safari()
1457 0x02, 0x01, /* SHA-1/RSA */ in ssl_check_for_safari()
1458 0x04, 0x03, /* SHA-256/ECDSA */ in ssl_check_for_safari()
1459 0x02, 0x03, /* SHA-1/ECDSA */ in ssl_check_for_safari()
1467 tmppkt = hello->extensions; in ssl_check_for_safari()
1479 SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION ? in ssl_check_for_safari()
1482 s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, in ssl_check_for_safari()
1490 MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) in tls_process_client_hello() argument
1498 if (s->renegotiate == 0 && !SSL_IS_FIRST_HANDSHAKE(s)) { in tls_process_client_hello()
1499 if (!ossl_assert(!SSL_CONNECTION_IS_TLS13(s))) { in tls_process_client_hello()
1500 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1503 if (!RENEG_OPTIONS_OK(s->options) in tls_process_client_hello()
1504 || (!s->s3.send_connection_binding in tls_process_client_hello()
1505 && (s->options in tls_process_client_hello()
1507 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); in tls_process_client_hello()
1510 s->renegotiate = 1; in tls_process_client_hello()
1511 s->new_session = 1; in tls_process_client_hello()
1516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1523 clienthello->isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer); in tls_process_client_hello()
1526 if (clienthello->isv2) { in tls_process_client_hello()
1529 if (!SSL_IS_FIRST_HANDSHAKE(s) in tls_process_client_hello()
1530 || s->hello_retry_request != SSL_HRR_NONE) { in tls_process_client_hello()
1531 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_client_hello()
1535 /*- in tls_process_client_hello()
1536 * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 in tls_process_client_hello()
1541 * 0-1 msg_length - decoded by the record layer in tls_process_client_hello()
1542 * 2 msg_type - s->init_msg points here in tls_process_client_hello()
1543 * 3-4 version in tls_process_client_hello()
1544 * 5-6 cipher_spec_length in tls_process_client_hello()
1545 * 7-8 session_id_length in tls_process_client_hello()
1546 * 9-10 challenge_length in tls_process_client_hello()
1557 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1562 if (!PACKET_get_net_2(pkt, &clienthello->legacy_version)) { in tls_process_client_hello()
1563 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_client_hello()
1568 if (clienthello->isv2) { in tls_process_client_hello()
1580 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH); in tls_process_client_hello()
1585 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1589 if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, in tls_process_client_hello()
1591 || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len) in tls_process_client_hello()
1595 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_RECORD_LENGTH_MISMATCH); in tls_process_client_hello()
1598 clienthello->session_id_len = session_id_len; in tls_process_client_hello()
1601 * here rather than sizeof(clienthello->random) because that is the limit in tls_process_client_hello()
1603 * sizeof(clienthello->random) does. in tls_process_client_hello()
1607 memset(clienthello->random, 0, SSL3_RANDOM_SIZE); in tls_process_client_hello()
1609 clienthello->random + SSL3_RANDOM_SIZE - in tls_process_client_hello()
1613 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1617 PACKET_null_init(&clienthello->extensions); in tls_process_client_hello()
1620 if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE) in tls_process_client_hello()
1622 || !PACKET_copy_all(&session_id, clienthello->session_id, in tls_process_client_hello()
1624 &clienthello->session_id_len)) { in tls_process_client_hello()
1625 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1629 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_process_client_hello()
1631 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1634 if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, in tls_process_client_hello()
1636 &clienthello->dtls_cookie_len)) { in tls_process_client_hello()
1637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1645 if (SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_COOKIE_EXCHANGE) { in tls_process_client_hello()
1646 if (clienthello->dtls_cookie_len == 0) { in tls_process_client_hello()
1653 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->ciphersuites)) { in tls_process_client_hello()
1654 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1659 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1665 PACKET_null_init(&clienthello->extensions); in tls_process_client_hello()
1667 if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions) in tls_process_client_hello()
1669 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_hello()
1675 if (!PACKET_copy_all(&compression, clienthello->compressions, in tls_process_client_hello()
1677 &clienthello->compressions_len)) { in tls_process_client_hello()
1678 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_client_hello()
1683 extensions = clienthello->extensions; in tls_process_client_hello()
1684 if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO, in tls_process_client_hello()
1685 &clienthello->pre_proc_exts, in tls_process_client_hello()
1686 &clienthello->pre_proc_exts_len, 1)) { in tls_process_client_hello()
1690 s->clienthello = clienthello; in tls_process_client_hello()
1696 OPENSSL_free(clienthello->pre_proc_exts); in tls_process_client_hello()
1702 static int tls_early_post_process_client_hello(SSL_CONNECTION *s) in tls_early_post_process_client_hello() argument
1714 CLIENTHELLO_MSG *clienthello = s->clienthello; in tls_early_post_process_client_hello()
1716 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_early_post_process_client_hello()
1717 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_early_post_process_client_hello()
1718 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); in tls_early_post_process_client_hello()
1722 if (sctx->client_hello_cb != NULL) { in tls_early_post_process_client_hello()
1724 switch (sctx->client_hello_cb(ussl, &al, sctx->client_hello_cb_arg)) { in tls_early_post_process_client_hello()
1728 s->rwstate = SSL_CLIENT_HELLO_CB; in tls_early_post_process_client_hello()
1729 return -1; in tls_early_post_process_client_hello()
1732 SSLfatal(s, al, SSL_R_CALLBACK_FAILED); in tls_early_post_process_client_hello()
1738 memcpy(s->s3.client_random, clienthello->random, SSL3_RANDOM_SIZE); in tls_early_post_process_client_hello()
1742 if (clienthello->isv2) { in tls_early_post_process_client_hello()
1743 if (clienthello->legacy_version == SSL2_VERSION in tls_early_post_process_client_hello()
1744 || (clienthello->legacy_version & 0xff00) in tls_early_post_process_client_hello()
1750 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNKNOWN_PROTOCOL); in tls_early_post_process_client_hello()
1754 s->client_version = clienthello->legacy_version; in tls_early_post_process_client_hello()
1758 protverr = ssl_choose_server_version(s, clienthello, &dgrd); in tls_early_post_process_client_hello()
1761 if (SSL_IS_FIRST_HANDSHAKE(s)) { in tls_early_post_process_client_hello()
1763 s->version = s->client_version = clienthello->legacy_version; in tls_early_post_process_client_hello()
1765 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, protverr); in tls_early_post_process_client_hello()
1770 if (SSL_CONNECTION_IS_TLS13(s) in tls_early_post_process_client_hello()
1771 && RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_early_post_process_client_hello()
1772 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); in tls_early_post_process_client_hello()
1776 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_early_post_process_client_hello()
1779 if (sctx->app_verify_cookie_cb != NULL) { in tls_early_post_process_client_hello()
1780 if (sctx->app_verify_cookie_cb(ussl, clienthello->dtls_cookie, in tls_early_post_process_client_hello()
1781 clienthello->dtls_cookie_len) == 0) { in tls_early_post_process_client_hello()
1782 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
1788 } else if (s->d1->cookie_len != clienthello->dtls_cookie_len in tls_early_post_process_client_hello()
1789 || memcmp(clienthello->dtls_cookie, s->d1->cookie, in tls_early_post_process_client_hello()
1790 s->d1->cookie_len) != 0) { in tls_early_post_process_client_hello()
1791 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH); in tls_early_post_process_client_hello()
1794 s->d1->cookie_verified = 1; in tls_early_post_process_client_hello()
1798 s->hit = 0; in tls_early_post_process_client_hello()
1800 if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, in tls_early_post_process_client_hello()
1801 clienthello->isv2) || in tls_early_post_process_client_hello()
1802 !ossl_bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, in tls_early_post_process_client_hello()
1803 &scsvs, clienthello->isv2, 1)) { in tls_early_post_process_client_hello()
1808 s->s3.send_connection_binding = 0; in tls_early_post_process_client_hello()
1809 /* Check what signalling cipher-suite values were received. */ in tls_early_post_process_client_hello()
1814 if (s->renegotiate) { in tls_early_post_process_client_hello()
1816 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
1820 s->s3.send_connection_binding = 1; in tls_early_post_process_client_hello()
1822 !ssl_check_version_downgrade(s)) { in tls_early_post_process_client_hello()
1830 SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK, in tls_early_post_process_client_hello()
1838 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_early_post_process_client_hello()
1840 ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl)); in tls_early_post_process_client_hello()
1843 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); in tls_early_post_process_client_hello()
1846 if (s->hello_retry_request == SSL_HRR_PENDING in tls_early_post_process_client_hello()
1847 && (s->s3.tmp.new_cipher == NULL in tls_early_post_process_client_hello()
1848 || s->s3.tmp.new_cipher->id != cipher->id)) { in tls_early_post_process_client_hello()
1853 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_CIPHER); in tls_early_post_process_client_hello()
1856 s->s3.tmp.new_cipher = cipher; in tls_early_post_process_client_hello()
1860 if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, in tls_early_post_process_client_hello()
1862 clienthello->pre_proc_exts, NULL, 0)) { in tls_early_post_process_client_hello()
1874 * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION (it's a new flag rather in tls_early_post_process_client_hello()
1878 * request renegotiation but not a new session (s->new_session remains in tls_early_post_process_client_hello()
1883 if (clienthello->isv2 || in tls_early_post_process_client_hello()
1884 (s->new_session && in tls_early_post_process_client_hello()
1885 (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { in tls_early_post_process_client_hello()
1886 if (!ssl_get_new_session(s, 1)) { in tls_early_post_process_client_hello()
1891 i = ssl_get_prev_session(s, clienthello); in tls_early_post_process_client_hello()
1894 s->hit = 1; in tls_early_post_process_client_hello()
1895 } else if (i == -1) { in tls_early_post_process_client_hello()
1900 if (!ssl_get_new_session(s, 1)) { in tls_early_post_process_client_hello()
1907 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_early_post_process_client_hello()
1908 memcpy(s->tmp_session_id, s->clienthello->session_id, in tls_early_post_process_client_hello()
1909 s->clienthello->session_id_len); in tls_early_post_process_client_hello()
1910 s->tmp_session_id_len = s->clienthello->session_id_len; in tls_early_post_process_client_hello()
1917 if (!SSL_CONNECTION_IS_TLS13(s) && s->hit) { in tls_early_post_process_client_hello()
1919 id = s->session->cipher->id; in tls_early_post_process_client_hello()
1928 BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i, in tls_early_post_process_client_hello()
1930 if (c->id == id) { in tls_early_post_process_client_hello()
1940 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_early_post_process_client_hello()
1949 if (clienthello->compressions_len == 0) { in tls_early_post_process_client_hello()
1950 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_NO_COMPRESSION_SPECIFIED); in tls_early_post_process_client_hello()
1954 if (memchr(clienthello->compressions, 0, in tls_early_post_process_client_hello()
1955 clienthello->compressions_len) == NULL) { in tls_early_post_process_client_hello()
1956 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_early_post_process_client_hello()
1961 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG) in tls_early_post_process_client_hello()
1962 ssl_check_for_safari(s, clienthello); in tls_early_post_process_client_hello()
1965 if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, in tls_early_post_process_client_hello()
1966 clienthello->pre_proc_exts, NULL, 0, 1)) { in tls_early_post_process_client_hello()
1972 * Check if we want to use external pre-shared secret for this handshake in tls_early_post_process_client_hello()
1979 pos = s->s3.server_random; in tls_early_post_process_client_hello()
1980 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE, dgrd) <= 0) { in tls_early_post_process_client_hello()
1981 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_early_post_process_client_hello()
1986 if (!s->hit && !tls1_set_server_sigalgs(s)) { in tls_early_post_process_client_hello()
1991 if (!s->hit in tls_early_post_process_client_hello()
1992 && s->version >= TLS1_VERSION in tls_early_post_process_client_hello()
1993 && !SSL_CONNECTION_IS_TLS13(s) in tls_early_post_process_client_hello()
1994 && !SSL_CONNECTION_IS_DTLS(s) in tls_early_post_process_client_hello()
1995 && s->ext.session_secret_cb != NULL) { in tls_early_post_process_client_hello()
1998 * s->session->master_key_length is a size_t, but this is an int for in tls_early_post_process_client_hello()
2003 master_key_length = sizeof(s->session->master_key); in tls_early_post_process_client_hello()
2004 if (s->ext.session_secret_cb(ussl, s->session->master_key, in tls_early_post_process_client_hello()
2007 s->ext.session_secret_cb_arg) in tls_early_post_process_client_hello()
2009 s->session->master_key_length = master_key_length; in tls_early_post_process_client_hello()
2010 s->hit = 1; in tls_early_post_process_client_hello()
2011 s->peer_ciphers = ciphers; in tls_early_post_process_client_hello()
2012 s->session->verify_result = X509_V_OK; in tls_early_post_process_client_hello()
2018 pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers, in tls_early_post_process_client_hello()
2021 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); in tls_early_post_process_client_hello()
2025 s->session->cipher = pref_cipher; in tls_early_post_process_client_hello()
2026 sk_SSL_CIPHER_free(s->cipher_list); in tls_early_post_process_client_hello()
2027 s->cipher_list = sk_SSL_CIPHER_dup(s->peer_ciphers); in tls_early_post_process_client_hello()
2028 sk_SSL_CIPHER_free(s->cipher_list_by_id); in tls_early_post_process_client_hello()
2029 s->cipher_list_by_id = sk_SSL_CIPHER_dup(s->peer_ciphers); in tls_early_post_process_client_hello()
2035 * options, we will now look for them. We have complen-1 compression in tls_early_post_process_client_hello()
2038 s->s3.tmp.new_compression = NULL; in tls_early_post_process_client_hello()
2039 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_early_post_process_client_hello()
2045 if (clienthello->compressions_len != 1) { in tls_early_post_process_client_hello()
2046 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_early_post_process_client_hello()
2053 else if (s->session->compress_meth != 0) { in tls_early_post_process_client_hello()
2054 int m, comp_id = s->session->compress_meth; in tls_early_post_process_client_hello()
2058 if (!ssl_allow_compression(s)) { in tls_early_post_process_client_hello()
2059 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
2064 for (m = 0; m < sk_SSL_COMP_num(sctx->comp_methods); m++) { in tls_early_post_process_client_hello()
2065 comp = sk_SSL_COMP_value(sctx->comp_methods, m); in tls_early_post_process_client_hello()
2066 if (comp_id == comp->id) { in tls_early_post_process_client_hello()
2067 s->s3.tmp.new_compression = comp; in tls_early_post_process_client_hello()
2071 if (s->s3.tmp.new_compression == NULL) { in tls_early_post_process_client_hello()
2072 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_early_post_process_client_hello()
2077 for (k = 0; k < clienthello->compressions_len; k++) { in tls_early_post_process_client_hello()
2078 if (clienthello->compressions[k] == comp_id) in tls_early_post_process_client_hello()
2081 if (k >= clienthello->compressions_len) { in tls_early_post_process_client_hello()
2082 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_early_post_process_client_hello()
2086 } else if (s->hit) { in tls_early_post_process_client_hello()
2088 } else if (ssl_allow_compression(s) && sctx->comp_methods) { in tls_early_post_process_client_hello()
2093 nn = sk_SSL_COMP_num(sctx->comp_methods); in tls_early_post_process_client_hello()
2095 comp = sk_SSL_COMP_value(sctx->comp_methods, m); in tls_early_post_process_client_hello()
2096 v = comp->id; in tls_early_post_process_client_hello()
2097 for (o = 0; o < clienthello->compressions_len; o++) { in tls_early_post_process_client_hello()
2098 if (v == clienthello->compressions[o]) { in tls_early_post_process_client_hello()
2107 s->s3.tmp.new_compression = comp; in tls_early_post_process_client_hello()
2116 if (s->session->compress_meth != 0) { in tls_early_post_process_client_hello()
2117 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); in tls_early_post_process_client_hello()
2123 * Given s->peer_ciphers and SSL_get_ciphers, we must pick a cipher in tls_early_post_process_client_hello()
2126 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { in tls_early_post_process_client_hello()
2127 sk_SSL_CIPHER_free(s->peer_ciphers); in tls_early_post_process_client_hello()
2128 s->peer_ciphers = ciphers; in tls_early_post_process_client_hello()
2130 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_early_post_process_client_hello()
2136 if (!s->hit) { in tls_early_post_process_client_hello()
2138 s->session->compress_meth = 0; in tls_early_post_process_client_hello()
2140 s->session->compress_meth = (comp == NULL) ? 0 : comp->id; in tls_early_post_process_client_hello()
2146 OPENSSL_free(clienthello->pre_proc_exts); in tls_early_post_process_client_hello()
2147 OPENSSL_free(s->clienthello); in tls_early_post_process_client_hello()
2148 s->clienthello = NULL; in tls_early_post_process_client_hello()
2153 OPENSSL_free(clienthello->pre_proc_exts); in tls_early_post_process_client_hello()
2154 OPENSSL_free(s->clienthello); in tls_early_post_process_client_hello()
2155 s->clienthello = NULL; in tls_early_post_process_client_hello()
2164 static int tls_handle_status_request(SSL_CONNECTION *s) in tls_handle_status_request() argument
2166 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_handle_status_request()
2168 s->ext.status_expected = 0; in tls_handle_status_request()
2176 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && sctx != NULL in tls_handle_status_request()
2177 && sctx->ext.status_cb != NULL) { in tls_handle_status_request()
2181 if (s->s3.tmp.cert != NULL) { in tls_handle_status_request()
2186 s->cert->key = s->s3.tmp.cert; in tls_handle_status_request()
2187 ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s), in tls_handle_status_request()
2188 sctx->ext.status_arg); in tls_handle_status_request()
2192 s->ext.status_expected = 0; in tls_handle_status_request()
2196 if (s->ext.ocsp.resp) in tls_handle_status_request()
2197 s->ext.status_expected = 1; in tls_handle_status_request()
2202 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CLIENTHELLO_TLSEXT); in tls_handle_status_request()
2215 int tls_handle_alpn(SSL_CONNECTION *s) in tls_handle_alpn() argument
2219 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_handle_alpn()
2221 if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) { in tls_handle_alpn()
2222 int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_USER_SSL(s), in tls_handle_alpn()
2224 s->s3.alpn_proposed, in tls_handle_alpn()
2225 (unsigned int)s->s3.alpn_proposed_len, in tls_handle_alpn()
2226 sctx->ext.alpn_select_cb_arg); in tls_handle_alpn()
2229 OPENSSL_free(s->s3.alpn_selected); in tls_handle_alpn()
2230 s->s3.alpn_selected = OPENSSL_memdup(selected, selected_len); in tls_handle_alpn()
2231 if (s->s3.alpn_selected == NULL) { in tls_handle_alpn()
2232 s->s3.alpn_selected_len = 0; in tls_handle_alpn()
2233 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_handle_alpn()
2236 s->s3.alpn_selected_len = selected_len; in tls_handle_alpn()
2239 s->s3.npn_seen = 0; in tls_handle_alpn()
2243 if (s->session->ext.alpn_selected == NULL in tls_handle_alpn()
2244 || selected_len != s->session->ext.alpn_selected_len in tls_handle_alpn()
2245 || memcmp(selected, s->session->ext.alpn_selected, in tls_handle_alpn()
2248 s->ext.early_data_ok = 0; in tls_handle_alpn()
2250 if (!s->hit) { in tls_handle_alpn()
2256 if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { in tls_handle_alpn()
2257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_handle_alpn()
2261 s->session->ext.alpn_selected = OPENSSL_memdup(selected, in tls_handle_alpn()
2263 if (s->session->ext.alpn_selected == NULL) { in tls_handle_alpn()
2264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_handle_alpn()
2268 s->session->ext.alpn_selected_len = selected_len; in tls_handle_alpn()
2274 SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, in tls_handle_alpn()
2285 if (s->session->ext.alpn_selected != NULL) { in tls_handle_alpn()
2287 s->ext.early_data_ok = 0; in tls_handle_alpn()
2293 WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) in tls_post_process_client_hello() argument
2296 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_post_process_client_hello()
2297 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); in tls_post_process_client_hello()
2300 int rv = tls_early_post_process_client_hello(s); in tls_post_process_client_hello()
2310 if (!s->hit || SSL_CONNECTION_IS_TLS13(s)) { in tls_post_process_client_hello()
2312 if (!s->hit && s->cert->cert_cb != NULL) { in tls_post_process_client_hello()
2313 int rv = s->cert->cert_cb(ussl, s->cert->cert_cb_arg); in tls_post_process_client_hello()
2316 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CERT_CB_ERROR); in tls_post_process_client_hello()
2320 s->rwstate = SSL_X509_LOOKUP; in tls_post_process_client_hello()
2323 s->rwstate = SSL_NOTHING; in tls_post_process_client_hello()
2327 if (!SSL_CONNECTION_IS_TLS13(s)) { in tls_post_process_client_hello()
2329 ssl3_choose_cipher(s, s->peer_ciphers, in tls_post_process_client_hello()
2333 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_post_process_client_hello()
2337 s->s3.tmp.new_cipher = cipher; in tls_post_process_client_hello()
2339 if (!s->hit) { in tls_post_process_client_hello()
2340 if (!tls_choose_sigalg(s, 1)) { in tls_post_process_client_hello()
2345 if (s->not_resumable_session_cb != NULL) in tls_post_process_client_hello()
2346 s->session->not_resumable = in tls_post_process_client_hello()
2347 s->not_resumable_session_cb(ussl, in tls_post_process_client_hello()
2348 ((s->s3.tmp.new_cipher->algorithm_mkey in tls_post_process_client_hello()
2350 if (s->session->not_resumable) in tls_post_process_client_hello()
2352 s->ext.ticket_expected = 0; in tls_post_process_client_hello()
2355 /* Session-id reuse */ in tls_post_process_client_hello()
2356 s->s3.tmp.new_cipher = s->session->cipher; in tls_post_process_client_hello()
2359 /*- in tls_post_process_client_hello()
2362 * cipher_list - our preferred list of ciphers in tls_post_process_client_hello()
2363 * ciphers - the client's preferred list of ciphers in tls_post_process_client_hello()
2364 * compression - basically ignored right now in tls_post_process_client_hello()
2365 * ssl version is set - sslv3 in tls_post_process_client_hello()
2366 * s->session - The ssl session has been setup. in tls_post_process_client_hello()
2367 * s->hit - session reuse flag in tls_post_process_client_hello()
2368 * s->s3.tmp.new_cipher - the new cipher to use. in tls_post_process_client_hello()
2375 if (!tls_handle_status_request(s)) { in tls_post_process_client_hello()
2385 if (!SSL_CONNECTION_IS_TLS13(s) && !tls_handle_alpn(s)) { in tls_post_process_client_hello()
2395 if ((ret = ssl_check_srp_ext_ClientHello(s)) == 0) { in tls_post_process_client_hello()
2399 s->rwstate = SSL_X509_LOOKUP; in tls_post_process_client_hello()
2414 CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_server_hello() argument
2420 int usetls13 = SSL_CONNECTION_IS_TLS13(s) in tls_construct_server_hello()
2421 || s->hello_retry_request == SSL_HRR_PENDING; in tls_construct_server_hello()
2423 version = usetls13 ? TLS1_2_VERSION : s->version; in tls_construct_server_hello()
2430 s->hello_retry_request == SSL_HRR_PENDING in tls_construct_server_hello()
2431 ? hrrrandom : s->s3.server_random, in tls_construct_server_hello()
2433 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_hello()
2437 /*- in tls_construct_server_hello()
2440 * - For session reuse from the session cache, in tls_construct_server_hello()
2442 * - If stateless session reuse (using a session ticket) in tls_construct_server_hello()
2443 * is successful, we send back the client's "session ID" in tls_construct_server_hello()
2445 * - If it is a new session, we send back the new in tls_construct_server_hello()
2447 * - However, if we want the new session to be single-use, in tls_construct_server_hello()
2448 * we send back a 0-length session ID. in tls_construct_server_hello()
2449 * - In TLSv1.3 we echo back the session id sent to us by the client in tls_construct_server_hello()
2451 * s->hit is non-zero in either case of session reuse, in tls_construct_server_hello()
2455 if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER) in tls_construct_server_hello()
2456 && !s->hit) in tls_construct_server_hello()
2457 s->session->session_id_length = 0; in tls_construct_server_hello()
2460 sl = s->tmp_session_id_len; in tls_construct_server_hello()
2461 session_id = s->tmp_session_id; in tls_construct_server_hello()
2463 sl = s->session->session_id_length; in tls_construct_server_hello()
2464 session_id = s->session->session_id; in tls_construct_server_hello()
2467 if (sl > sizeof(s->session->session_id)) { in tls_construct_server_hello()
2468 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_hello()
2476 if (usetls13 || s->s3.tmp.new_compression == NULL) in tls_construct_server_hello()
2479 compm = s->s3.tmp.new_compression->id; in tls_construct_server_hello()
2483 || !SSL_CONNECTION_GET_SSL(s)->method->put_cipher_by_char(s->s3.tmp.new_cipher, in tls_construct_server_hello()
2486 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_hello()
2490 if (!tls_construct_extensions(s, pkt, in tls_construct_server_hello()
2491 s->hello_retry_request == SSL_HRR_PENDING in tls_construct_server_hello()
2493 : (SSL_CONNECTION_IS_TLS13(s) in tls_construct_server_hello()
2501 if (s->hello_retry_request == SSL_HRR_PENDING) { in tls_construct_server_hello()
2503 SSL_SESSION_free(s->session); in tls_construct_server_hello()
2504 s->session = NULL; in tls_construct_server_hello()
2505 s->hit = 0; in tls_construct_server_hello()
2508 * Re-initialise the Transcript Hash. We're going to prepopulate it with in tls_construct_server_hello()
2511 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { in tls_construct_server_hello()
2515 } else if (!(s->verify_mode & SSL_VERIFY_PEER) in tls_construct_server_hello()
2516 && !ssl3_digest_cached_records(s, 0)) { in tls_construct_server_hello()
2524 CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_server_done() argument
2526 if (!s->s3.tmp.cert_request) { in tls_construct_server_done()
2527 if (!ssl3_digest_cached_records(s, 0)) { in tls_construct_server_done()
2535 CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, in tls_construct_server_key_exchange() argument
2542 const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; in tls_construct_server_key_exchange()
2551 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_server_key_exchange()
2554 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2559 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_server_key_exchange()
2563 type = s->s3.tmp.new_cipher->algorithm_mkey; in tls_construct_server_key_exchange()
2572 CERT *cert = s->cert; in tls_construct_server_key_exchange()
2575 if (s->cert->dh_tmp_auto) { in tls_construct_server_key_exchange()
2576 pkdh = ssl_get_auto_dh(s); in tls_construct_server_key_exchange()
2578 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2583 pkdhp = cert->dh_tmp; in tls_construct_server_key_exchange()
2586 if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { in tls_construct_server_key_exchange()
2587 pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_USER_SSL(s), in tls_construct_server_key_exchange()
2590 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2597 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); in tls_construct_server_key_exchange()
2600 if (!ssl_security(s, SSL_SECOP_TMP_DH, in tls_construct_server_key_exchange()
2602 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); in tls_construct_server_key_exchange()
2605 if (s->s3.tmp.pkey != NULL) { in tls_construct_server_key_exchange()
2606 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2610 s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp); in tls_construct_server_key_exchange()
2611 if (s->s3.tmp.pkey == NULL) { in tls_construct_server_key_exchange()
2612 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2621 if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P, in tls_construct_server_key_exchange()
2623 || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_G, in tls_construct_server_key_exchange()
2625 || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, in tls_construct_server_key_exchange()
2627 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2632 if (s->s3.tmp.pkey != NULL) { in tls_construct_server_key_exchange()
2633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2638 curve_id = tls1_shared_group(s, -2); in tls_construct_server_key_exchange()
2640 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_server_key_exchange()
2645 s->session->kex_group = curve_id; in tls_construct_server_key_exchange()
2647 s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id); in tls_construct_server_key_exchange()
2648 if (s->s3.tmp.pkey == NULL) { in tls_construct_server_key_exchange()
2654 encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey, in tls_construct_server_key_exchange()
2657 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); in tls_construct_server_key_exchange()
2672 if ((s->srp_ctx.N == NULL) || in tls_construct_server_key_exchange()
2673 (s->srp_ctx.g == NULL) || in tls_construct_server_key_exchange()
2674 (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { in tls_construct_server_key_exchange()
2675 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM); in tls_construct_server_key_exchange()
2678 r[0] = s->srp_ctx.N; in tls_construct_server_key_exchange()
2679 r[1] = s->srp_ctx.g; in tls_construct_server_key_exchange()
2680 r[2] = s->srp_ctx.s; in tls_construct_server_key_exchange()
2681 r[3] = s->srp_ctx.B; in tls_construct_server_key_exchange()
2685 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); in tls_construct_server_key_exchange()
2689 if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) in tls_construct_server_key_exchange()
2690 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { in tls_construct_server_key_exchange()
2693 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2699 size_t len = (s->cert->psk_identity_hint == NULL) in tls_construct_server_key_exchange()
2700 ? 0 : strlen(s->cert->psk_identity_hint); in tls_construct_server_key_exchange()
2703 * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already in tls_construct_server_key_exchange()
2704 * checked this when we set the identity hint - but just in case in tls_construct_server_key_exchange()
2707 || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, in tls_construct_server_key_exchange()
2709 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2727 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2731 /*- in tls_construct_server_key_exchange()
2737 size_t len = BN_num_bytes(r[0]) - BN_num_bytes(r[2]); in tls_construct_server_key_exchange()
2741 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2750 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2768 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2777 EVP_PKEY *pkey = s->s3.tmp.cert->privatekey; in tls_construct_server_key_exchange()
2784 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2789 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2793 if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) { in tls_construct_server_key_exchange()
2794 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2800 sctx->libctx, sctx->propq, pkey, in tls_construct_server_key_exchange()
2802 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
2805 if (lu->sig == EVP_PKEY_RSA_PSS) { in tls_construct_server_key_exchange()
2808 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_server_key_exchange()
2812 tbslen = construct_key_exchange_tbs(s, &tbs, in tls_construct_server_key_exchange()
2813 s->init_buf->data + paramoffset, in tls_construct_server_key_exchange()
2826 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_key_exchange()
/*
 * tls_construct_certificate_request(): builds the CertificateRequest message.
 * This is a cross-reference excerpt: only the matched lines are listed, so the
 * gaps between the numbered lines are code that is not shown here.
 *
 * Visible behaviour:
 *  - TLS 1.3 with s->post_handshake_auth == SSL_PHA_REQUEST_PENDING: the old
 *    s->pha_context is freed and replaced by a fresh 32-byte value filled by
 *    RAND_bytes_ex(), which is also written to the packet with a one-byte
 *    length prefix. Allocation failure resets pha_context_len to 0; allocation,
 *    RNG and packet-write failures all raise a fatal internal_error alert.
 *  - The line-2889 condition (apparently the non-TLS 1.3 path; the enclosing
 *    branch is not shown) writes the certificate types, and the signature
 *    algorithms are added when SSL_USE_SIGALGS(s) is true.
 *  - Finally s->certreqs_sent is incremented and s->s3.tmp.cert_request is
 *    set to 1.
 */
2846 CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, in tls_construct_certificate_request() argument
2849 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_construct_certificate_request()
2850 /* Send random context when doing post-handshake auth */ in tls_construct_certificate_request()
2851 if (s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) { in tls_construct_certificate_request()
2852 OPENSSL_free(s->pha_context); in tls_construct_certificate_request()
/*
 * The stored context and its length are what tls_process_client_certificate()
 * compares the peer-supplied context against (PACKET_equal on
 * s->pha_context / s->pha_context_len), binding the reply to this request.
 */
2853 s->pha_context_len = 32; in tls_construct_certificate_request()
2854 if ((s->pha_context = OPENSSL_malloc(s->pha_context_len)) == NULL) { in tls_construct_certificate_request()
2855 s->pha_context_len = 0; in tls_construct_certificate_request()
2856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2859 if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, in tls_construct_certificate_request()
2860 s->pha_context, s->pha_context_len, 0) <= 0 in tls_construct_certificate_request()
2861 || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, in tls_construct_certificate_request()
2862 s->pha_context_len)) { in tls_construct_certificate_request()
2863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2867 if (!tls13_restore_handshake_digest_for_pha(s)) { in tls_construct_certificate_request()
2873 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2878 if (!tls_construct_extensions(s, pkt, in tls_construct_certificate_request()
2889 || !ssl3_get_req_cert_type(s, pkt) || !WPACKET_close(pkt)) { in tls_construct_certificate_request()
2890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2894 if (SSL_USE_SIGALGS(s)) { in tls_construct_certificate_request()
2896 size_t nl = tls12_get_psigalgs(s, 1, &psigs); in tls_construct_certificate_request()
2900 || !tls12_copy_sigalgs(s, pkt, psigs, nl) in tls_construct_certificate_request()
2902 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_certificate_request()
2907 if (!construct_ca_names(s, get_ca_names(s), pkt)) { in tls_construct_certificate_request()
2913 s->certreqs_sent++; in tls_construct_certificate_request()
2914 s->s3.tmp.cert_request = 1; in tls_construct_certificate_request()
/*
 * tls_process_cke_psk_preamble(): handles the PSK identity at the start of a
 * ClientKeyExchange. Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - Length problems in the identity are decode_error (LENGTH_MISMATCH,
 *    DATA_LENGTH_TOO_LONG); a missing s->psk_server_callback is internal_error.
 *  - The identity is copied into s->session->psk_identity with
 *    PACKET_strndup() and handed to the application callback, whose return
 *    value is the PSK length.
 *  - Line 2954 raises unknown_psk_identity (SSL_R_PSK_IDENTITY_NOT_FOUND); the
 *    condition is not shown. RFC 4279 also permits answering with
 *    decrypt_error when the server prefers not to reveal that an identity is
 *    unknown, so this distinct alert is an information disclosure trade-off.
 *  - The PSK is duplicated into s->s3.tmp.psk / psklen for later use.
 *
 * NOTE(review): the previous s->s3.tmp.psk is released with OPENSSL_free()
 * here, while tls_process_client_key_exchange() wipes it with
 * OPENSSL_clear_free(). Whether a non-NULL old value can reach this point,
 * and whether the local psk buffer is cleansed after the copy, cannot be
 * told from the lines listed - confirm against the full source.
 */
2918 static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cke_psk_preamble() argument
2926 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cke_psk_preamble()
2930 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DATA_LENGTH_TOO_LONG); in tls_process_cke_psk_preamble()
2933 if (s->psk_server_callback == NULL) { in tls_process_cke_psk_preamble()
2934 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_SERVER_CB); in tls_process_cke_psk_preamble()
2938 if (!PACKET_strndup(&psk_identity, &s->session->psk_identity)) { in tls_process_cke_psk_preamble()
2939 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_psk_preamble()
2943 psklen = s->psk_server_callback(SSL_CONNECTION_GET_USER_SSL(s), in tls_process_cke_psk_preamble()
2944 s->session->psk_identity, in tls_process_cke_psk_preamble()
2948 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_psk_preamble()
2954 SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, SSL_R_PSK_IDENTITY_NOT_FOUND); in tls_process_cke_psk_preamble()
2958 OPENSSL_free(s->s3.tmp.psk); in tls_process_cke_psk_preamble()
2959 s->s3.tmp.psk = OPENSSL_memdup(psk, psklen); in tls_process_cke_psk_preamble()
2962 if (s->s3.tmp.psk == NULL) { in tls_process_cke_psk_preamble()
2963 s->s3.tmp.psklen = 0; in tls_process_cke_psk_preamble()
2964 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_cke_psk_preamble()
2968 s->s3.tmp.psklen = psklen; in tls_process_cke_psk_preamble()
2973 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_psk_preamble()
/*
 * tls_process_cke_rsa(): processes an RSA key-transport ClientKeyExchange.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The server RSA private key comes from s->cert->pkeys[SSL_PKEY_RSA]; the
 *    line-2991 error is SSL_R_MISSING_RSA_CERTIFICATE.
 *  - SSLv3 and DTLS1_BAD_VER are special-cased because they omit the length
 *    bytes in front of the encrypted premaster secret.
 *  - The in-source comment refers to the Bleichenbacher attack on PKCS #1 v1.5
 *    padding and to RFC 5246 section 7.4.7.1, which is the countermeasure
 *    text: the server must not let the peer distinguish a padding failure
 *    from a wrong premaster secret.
 *  - s->client_version is passed on by address; with SSL_OP_TLS_ROLLBACK_BUG
 *    set, s->version is passed as well (lines 3037-3041).
 *  - The decrypted buffer (rsa_decrypt, outlen) feeds
 *    ssl_generate_master_secret().
 *
 * NOTE(review): the decryption call itself, and how the version values are
 * consumed, are not among the listed lines. Presumably the version check is
 * folded into the decrypt step so that it adds no separately observable
 * failure - confirm against the full source before relying on this.
 */
2978 static int tls_process_cke_rsa(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cke_rsa() argument
2987 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_cke_rsa()
2989 rsa = s->cert->pkeys[SSL_PKEY_RSA].privatekey; in tls_process_cke_rsa()
2991 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_RSA_CERTIFICATE); in tls_process_cke_rsa()
2995 /* SSLv3 and pre-standard DTLS omit the length bytes. */ in tls_process_cke_rsa()
2996 if (s->version == SSL3_VERSION || s->version == DTLS1_BAD_VER) { in tls_process_cke_rsa()
3001 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cke_rsa()
3009 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_cke_rsa()
3013 ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, rsa, sctx->propq); in tls_process_cke_rsa()
3015 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_cke_rsa()
3021 * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, in tls_process_cke_rsa()
3028 * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 in tls_process_cke_rsa()
3032 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_rsa()
3037 (unsigned int *)&s->client_version); in tls_process_cke_rsa()
3038 if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0) in tls_process_cke_rsa()
3041 (unsigned int *)&s->version); in tls_process_cke_rsa()
3048 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_rsa()
3058 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_rsa()
3063 if (!ssl_generate_master_secret(s, rsa_decrypt, outlen, 0)) { in tls_process_cke_rsa()
/*
 * tls_process_cke_dhe(): processes a finite-field DHE ClientKeyExchange.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - A wrong-length public value is decode_error; a missing server ephemeral
 *    key (s->s3.tmp.pkey) is reported as SSL_R_MISSING_TMP_DH_KEY.
 *  - Line 3109 rejects the peer value with illegal_parameter and
 *    SSL_R_BAD_KEY_SHARE; the check that triggers it is not shown.
 *  - The shared secret comes from ssl_derive(s, skey, ckey, 1).
 *  - Lines 3119-3120 free the server ephemeral key and set the pointer to
 *    NULL, so the key is not left reachable through s->s3.tmp.pkey.
 */
3075 static int tls_process_cke_dhe(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cke_dhe() argument
3084 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG); in tls_process_cke_dhe()
3087 skey = s->s3.tmp.pkey; in tls_process_cke_dhe()
3089 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); in tls_process_cke_dhe()
3094 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_MISSING_TMP_DH_KEY); in tls_process_cke_dhe()
3099 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_dhe()
3104 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); in tls_process_cke_dhe()
3109 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_process_cke_dhe()
3113 if (ssl_derive(s, skey, ckey, 1) == 0) { in tls_process_cke_dhe()
3119 EVP_PKEY_free(s->s3.tmp.pkey); in tls_process_cke_dhe()
3120 s->s3.tmp.pkey = NULL; in tls_process_cke_dhe()
/*
 * tls_process_cke_ecdhe(): processes an ECDHE ClientKeyExchange.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The server ephemeral key is s->s3.tmp.pkey; line 3134 raises
 *    handshake_failure with SSL_R_MISSING_TMP_ECDH_KEY.
 *  - The client public key is taken from the encoded point in the message;
 *    a length mismatch is decode_error and line 3163 rejects the point with
 *    illegal_parameter / SSL_R_BAD_KEY_SHARE (the check itself is not shown).
 *  - The shared secret comes from ssl_derive(s, skey, ckey, 1).
 *  - Lines 3174-3175 free the server ephemeral key and NULL the pointer.
 */
3126 static int tls_process_cke_ecdhe(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cke_ecdhe() argument
3128 EVP_PKEY *skey = s->s3.tmp.pkey; in tls_process_cke_ecdhe()
3134 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_TMP_ECDH_KEY); in tls_process_cke_ecdhe()
3141 * Get client's public key from encoded point in the in tls_process_cke_ecdhe()
3148 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cke_ecdhe()
3152 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_ECDH_KEY); in tls_process_cke_ecdhe()
3158 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_COPY_PARAMETERS_FAILED); in tls_process_cke_ecdhe()
3163 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_SHARE); in tls_process_cke_ecdhe()
3168 if (ssl_derive(s, skey, ckey, 1) == 0) { in tls_process_cke_ecdhe()
3174 EVP_PKEY_free(s->s3.tmp.pkey); in tls_process_cke_ecdhe()
3175 s->s3.tmp.pkey = NULL; in tls_process_cke_ecdhe()
/*
 * tls_process_cke_srp(): processes an SRP ClientKeyExchange.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The client value A is parsed with BN_bin2bn() into s->srp_ctx.A; a bad
 *    length is decode_error (SSL_R_BAD_SRP_A_LENGTH).
 *  - A is rejected with illegal_parameter when it is zero or not smaller than
 *    the modulus N. This is the mandatory SRP sanity check (RFC 5054 requires
 *    aborting when A % N is 0); without it the shared secret would not depend
 *    on the password verifier.
 *  - s->session->srp_username is replaced by a copy of s->srp_ctx.login.
 *  - The master secret comes from srp_generate_server_master_secret().
 */
3182 static int tls_process_cke_srp(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cke_srp() argument
3190 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_SRP_A_LENGTH); in tls_process_cke_srp()
3193 if ((s->srp_ctx.A = BN_bin2bn(data, i, NULL)) == NULL) { in tls_process_cke_srp()
3194 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_cke_srp()
3197 if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0 || BN_is_zero(s->srp_ctx.A)) { in tls_process_cke_srp()
3198 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_SRP_PARAMETERS); in tls_process_cke_srp()
3201 OPENSSL_free(s->session->srp_username); in tls_process_cke_srp()
3202 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); in tls_process_cke_srp()
3203 if (s->session->srp_username == NULL) { in tls_process_cke_srp()
3204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_cke_srp()
3208 if (!srp_generate_server_master_secret(s)) { in tls_process_cke_srp()
3216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_srp()
/*
 * tls_process_cke_gost(): processes a GOST ClientKeyExchange.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The private key is chosen from the GOST12_512, GOST12_256 or GOST01 slot
 *    of s->cert->pkeys, based on new_cipher->algorithm_auth (the selecting
 *    conditions are not shown).
 *  - The key-exchange blob must be present and be an ASN.1 SEQUENCE, else
 *    decode_error; the packet is then advanced by the number of bytes the
 *    ASN.1 parser consumed (ptr - PACKET_data(pkt)).
 *  - The decrypted premaster secret feeds ssl_generate_master_secret().
 *  - After the EVP_PKEY_CTRL_PEER_KEY control at line 3308,
 *    s->statem.no_cert_verify is set to 1. That flag is read again in
 *    tls_post_process_client_key_exchange(), so it affects how client
 *    authentication continues.
 *
 * NOTE(review): what the line-3308 control checks before no_cert_verify is
 * set is not visible here; treat the exact condition as unconfirmed.
 */
3221 static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cke_gost() argument
3233 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_cke_gost()
3236 alg_a = s->s3.tmp.new_cipher->algorithm_auth; in tls_process_cke_gost()
3241 pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey; in tls_process_cke_gost()
3243 pk = s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey; in tls_process_cke_gost()
3246 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; in tls_process_cke_gost()
3249 pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; in tls_process_cke_gost()
3252 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq); in tls_process_cke_gost()
3254 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_cke_gost()
3258 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost()
3267 client_pub_pkey = tls_get_peer_pkey(s); in tls_process_cke_gost()
3278 || pKX->kxBlob == NULL in tls_process_cke_gost()
3279 || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) { in tls_process_cke_gost()
3280 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3284 if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) { in tls_process_cke_gost()
3285 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3290 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3294 inlen = pKX->kxBlob->value.sequence->length; in tls_process_cke_gost()
3295 start = pKX->kxBlob->value.sequence->data; in tls_process_cke_gost()
3299 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost()
3303 if (!ssl_generate_master_secret(s, premaster_secret, outlen, 0)) { in tls_process_cke_gost()
3308 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, in tls_process_cke_gost()
3310 s->statem.no_cert_verify = 1; in tls_process_cke_gost()
3319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost()
/*
 * tls_process_cke_gost18(): processes a GOST 2018 ClientKeyExchange.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The cipher NID comes from ossl_gost18_cke_cipher_nid(s) and the UKM
 *    digest from ossl_gost_ukm(s, rnd_dgst); failure of the latter is
 *    internal_error.
 *  - The private key is the GOST12_512 slot when it is populated, otherwise
 *    the GOST12_256 slot; line 3352 reports SSL_R_BAD_HANDSHAKE_STATE.
 *  - Two EVP_PKEY_CTX_ctrl() calls configure the decrypt operation; their
 *    failures are reported as SSL_R_LIBRARY_BUG.
 *  - A decryption failure is decode_error / SSL_R_DECRYPTION_FAILED and the
 *    premaster secret feeds ssl_generate_master_secret().
 */
3324 static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cke_gost18() argument
3334 int cipher_nid = ossl_gost18_cke_cipher_nid(s); in tls_process_cke_gost18()
3335 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_cke_gost18()
3338 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
3342 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { in tls_process_cke_gost18()
3343 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
3348 pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey != NULL ? in tls_process_cke_gost18()
3349 s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : in tls_process_cke_gost18()
3350 s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey; in tls_process_cke_gost18()
3352 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in tls_process_cke_gost18()
3356 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(sctx->libctx, pk, sctx->propq); in tls_process_cke_gost18()
3358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_cke_gost18()
3362 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
3367 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, in tls_process_cke_gost18()
3369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_process_cke_gost18()
3373 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, in tls_process_cke_gost18()
3375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_process_cke_gost18()
3382 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); in tls_process_cke_gost18()
3386 if (!ssl_generate_master_secret(s, premaster_secret, outlen, 0)) { in tls_process_cke_gost18()
3397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_cke_gost18()
/*
 * tls_process_client_key_exchange(): dispatcher for the ClientKeyExchange
 * message. Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The key-exchange type is s->s3.tmp.new_cipher->algorithm_mkey.
 *  - When SSL_PSK is set the PSK preamble is processed first; line 3422
 *    derives the master secret with no premaster input (NULL, 0), apparently
 *    the plain-PSK case.
 *  - Otherwise one of the RSA, DHE, ECDHE, SRP, GOST or GOST18 handlers is
 *    called; an unrecognised type is internal_error with
 *    SSL_R_UNKNOWN_CIPHER_TYPE.
 *  - Lines 3464-3466 wipe and free the temporary PSK with
 *    OPENSSL_clear_free() and reset the pointer and length, so the key does
 *    not linger in freed heap memory.
 *
 * NOTE(review): whether the PSK wipe runs on both the success and the error
 * path cannot be seen from the listed lines - confirm against the full source.
 */
3402 MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s, in tls_process_client_key_exchange() argument
3407 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_process_client_key_exchange()
3410 if ((alg_k & SSL_PSK) && !tls_process_cke_psk_preamble(s, pkt)) { in tls_process_client_key_exchange()
3418 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_key_exchange()
3422 if (!ssl_generate_master_secret(s, NULL, 0, 0)) { in tls_process_client_key_exchange()
3427 if (!tls_process_cke_rsa(s, pkt)) { in tls_process_client_key_exchange()
3432 if (!tls_process_cke_dhe(s, pkt)) { in tls_process_client_key_exchange()
3437 if (!tls_process_cke_ecdhe(s, pkt)) { in tls_process_client_key_exchange()
3442 if (!tls_process_cke_srp(s, pkt)) { in tls_process_client_key_exchange()
3447 if (!tls_process_cke_gost(s, pkt)) { in tls_process_client_key_exchange()
3452 if (!tls_process_cke_gost18(s, pkt)) { in tls_process_client_key_exchange()
3457 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_CIPHER_TYPE); in tls_process_client_key_exchange()
3464 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); in tls_process_client_key_exchange()
3465 s->s3.tmp.psk = NULL; in tls_process_client_key_exchange()
3466 s->s3.tmp.psklen = 0; in tls_process_client_key_exchange()
/*
 * tls_post_process_client_key_exchange(): work done after the
 * ClientKeyExchange has been processed. Cross-reference excerpt: only
 * matched lines are shown.
 *
 * Visible behaviour:
 *  - For DTLS, keying material is exported and installed on the write BIO as
 *    a new SCTP-Auth shared key. SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG alters
 *    the label length used for the export (the adjustment is not shown).
 *  - When s->statem.no_cert_verify is set, or no client certificate or raw
 *    public key was received, ssl3_digest_cached_records(s, 0) is called.
 *  - Otherwise a missing s->s3.handshake_buffer is internal_error, and
 *    ssl3_digest_cached_records(s, 1) is called; the surrounding comment says
 *    this is a no-op when extended master secret already did it.
 */
3471 WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s, in tls_post_process_client_key_exchange() argument
3476 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_post_process_client_key_exchange()
3481 * Add new shared key for SCTP-Auth, will be ignored if no SCTP in tls_post_process_client_key_exchange()
3488 labellen = sizeof(labelbuffer) - 1; in tls_post_process_client_key_exchange()
3489 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_post_process_client_key_exchange()
3492 if (SSL_export_keying_material(SSL_CONNECTION_GET_SSL(s), in tls_post_process_client_key_exchange()
3497 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_post_process_client_key_exchange()
3501 BIO_ctrl(s->wbio, BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, in tls_post_process_client_key_exchange()
3507 if (s->statem.no_cert_verify || !received_client_cert(s)) { in tls_post_process_client_key_exchange()
3512 if (!ssl3_digest_cached_records(s, 0)) { in tls_post_process_client_key_exchange()
3518 if (!s->s3.handshake_buffer) { in tls_post_process_client_key_exchange()
3519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_post_process_client_key_exchange()
3524 * extms we've done this already so this is a no-op in tls_post_process_client_key_exchange()
3526 if (!ssl3_digest_cached_records(s, 1)) { in tls_post_process_client_key_exchange()
/*
 * tls_process_client_rpk(): processes a client raw public key (RPK) in place
 * of an X.509 certificate. Cross-reference excerpt: only matched lines are
 * shown, and the signature line is not among them.
 *
 * Visible behaviour:
 *  - Line 3547 tests for SSL_VERIFY_PEER together with
 *    SSL_VERIFY_FAIL_IF_NO_PEER_CERT (apparently the no-key-supplied case);
 *    a verification failure is mapped to an alert with ssl_x509err2alert().
 *  - For post-handshake authentication the session is duplicated with
 *    ssl_session_dup() and the copy replaces sc->session, because a session
 *    that may sit in a shared cache must not be modified in place.
 *  - Any previous X.509 peer certificate and chain are freed and set to NULL
 *    before the new peer_rpk is stored, so the session never describes both
 *    an old certificate and a new raw key. verify_result is copied as well.
 *  - The handshake hash is saved in sc->cert_verify_hash and
 *    sc->sent_tickets is reset to 0.
 */
3547 if ((sc->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) in tls_process_client_rpk()
3548 && (sc->verify_mode & SSL_VERIFY_PEER)) { in tls_process_client_rpk()
3555 SSLfatal(sc, ssl_x509err2alert(sc->verify_result), in tls_process_client_rpk()
3563 * we can get multi-thread problems. Therefore we don't "update" sessions, in tls_process_client_rpk()
3565 * a new RPK (or certificate) is received via post-handshake authentication, in tls_process_client_rpk()
3569 if (sc->post_handshake_auth == SSL_PHA_REQUESTED) { in tls_process_client_rpk()
3570 if ((new_sess = ssl_session_dup(sc->session, 0)) == NULL) { in tls_process_client_rpk()
3575 SSL_SESSION_free(sc->session); in tls_process_client_rpk()
3576 sc->session = new_sess; in tls_process_client_rpk()
3580 X509_free(sc->session->peer); in tls_process_client_rpk()
3581 sc->session->peer = NULL; in tls_process_client_rpk()
3582 sk_X509_pop_free(sc->session->peer_chain, X509_free); in tls_process_client_rpk()
3583 sc->session->peer_chain = NULL; in tls_process_client_rpk()
3585 EVP_PKEY_free(sc->session->peer_rpk); in tls_process_client_rpk()
3586 sc->session->peer_rpk = peer_rpk; in tls_process_client_rpk()
3589 sc->session->verify_result = sc->verify_result; in tls_process_client_rpk()
3602 if (!ssl_handshake_hash(sc, sc->cert_verify_hash, in tls_process_client_rpk()
3603 sizeof(sc->cert_verify_hash), in tls_process_client_rpk()
3604 &sc->cert_verify_hash_len)) { in tls_process_client_rpk()
3610 sc->sent_tickets = 0; in tls_process_client_rpk()
/*
 * tls_process_client_certificate(): processes the client Certificate message.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The record layer set_plain_alerts hook, when present, is called with 0.
 *  - A negotiated RPK client certificate type is delegated to
 *    tls_process_client_rpk(); any type other than X.509 is rejected with
 *    unsupported_certificate.
 *  - Each certificate entry is length-checked (CERT_LENGTH_MISMATCH) and, in
 *    TLS 1.3, its per-certificate extensions are collected and parsed.
 *  - Lines 3723-3731: SSLv3 fails with handshake_failure, and otherwise
 *    certificate_required is raised only when SSL_VERIFY_PEER and
 *    SSL_VERIFY_FAIL_IF_NO_PEER_CERT are both set. The enclosing condition is
 *    not shown; presumably this is the empty-certificate-list case. A server
 *    that needs mandatory client authentication therefore has to set both
 *    flags.
 *  - The chain is verified with ssl_verify_cert_chain() and a failure is
 *    mapped to an alert with ssl_x509err2alert().
 *  - For post-handshake authentication the session is duplicated rather than
 *    modified, because it may already be shared through a cache.
 *  - The leaf is shifted off the stack into session->peer, the remainder
 *    becomes session->peer_chain, and any stored peer_rpk is freed and set to
 *    NULL. In TLS 1.3 the handshake hash is saved in s->cert_verify_hash and
 *    s->sent_tickets is reset to 0.
 *
 * NOTE(review): line 3765 compares the ssl_session_dup() result with 0 while
 * the equivalent line in tls_process_client_rpk() uses NULL; same meaning,
 * inconsistent style.
 */
3620 MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, in tls_process_client_certificate() argument
3632 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_client_certificate()
3638 if (s->rlayer.rrlmethod->set_plain_alerts != NULL) in tls_process_client_certificate()
3639 s->rlayer.rrlmethod->set_plain_alerts(s->rlayer.rrl, 0); in tls_process_client_certificate()
3641 if (s->ext.client_cert_type == TLSEXT_cert_type_rpk) in tls_process_client_certificate()
3642 return tls_process_client_rpk(s, pkt); in tls_process_client_certificate()
3644 if (s->ext.client_cert_type != TLSEXT_cert_type_x509) { in tls_process_client_certificate()
3645 SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE, in tls_process_client_certificate()
3651 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_client_certificate()
/*
 * TLS 1.3 request-context check: with no stored pha_context the peer context
 * must be empty; with a stored one it must match byte for byte
 * (PACKET_equal). A mismatch is decode_error / SSL_R_INVALID_CONTEXT, so a
 * Certificate message cannot be accepted against a request it does not
 * belong to.
 */
3655 if (SSL_CONNECTION_IS_TLS13(s) in tls_process_client_certificate()
3657 || (s->pha_context == NULL && PACKET_remaining(&context) != 0) in tls_process_client_certificate()
3658 || (s->pha_context != NULL in tls_process_client_certificate()
3659 && !PACKET_equal(&context, s->pha_context, in tls_process_client_certificate()
3660 s->pha_context_len)))) { in tls_process_client_certificate()
3661 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); in tls_process_client_certificate()
3667 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_client_certificate()
3674 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_client_certificate()
3679 x = X509_new_ex(sctx->libctx, sctx->propq); in tls_process_client_certificate()
3681 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_X509_LIB); in tls_process_client_certificate()
3685 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); in tls_process_client_certificate()
3690 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_client_certificate()
3694 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_client_certificate()
3699 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_client_certificate()
3702 if (!tls_collect_extensions(s, &extensions, in tls_process_client_certificate()
3705 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, in tls_process_client_certificate()
3715 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_client_certificate()
3723 if (s->version == SSL3_VERSION) { in tls_process_client_certificate()
3724 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_process_client_certificate()
3729 else if ((s->verify_mode & SSL_VERIFY_PEER) && in tls_process_client_certificate()
3730 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { in tls_process_client_certificate()
3731 SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED, in tls_process_client_certificate()
3736 if (s->s3.handshake_buffer && !ssl3_digest_cached_records(s, 0)) { in tls_process_client_certificate()
3742 i = ssl_verify_cert_chain(s, sk); in tls_process_client_certificate()
3744 SSLfatal(s, ssl_x509err2alert(s->verify_result), in tls_process_client_certificate()
3750 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_process_client_certificate()
3758 * we can get multi-thread problems. Therefore we don't "update" sessions, in tls_process_client_certificate()
3760 * a new certificate is received via post-handshake authentication, as the in tls_process_client_certificate()
3764 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in tls_process_client_certificate()
3765 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { in tls_process_client_certificate()
3766 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_process_client_certificate()
3770 SSL_SESSION_free(s->session); in tls_process_client_certificate()
3771 s->session = new_sess; in tls_process_client_certificate()
3774 X509_free(s->session->peer); in tls_process_client_certificate()
3775 s->session->peer = sk_X509_shift(sk); in tls_process_client_certificate()
3776 s->session->verify_result = s->verify_result; in tls_process_client_certificate()
3778 OSSL_STACK_OF_X509_free(s->session->peer_chain); in tls_process_client_certificate()
3779 s->session->peer_chain = sk; in tls_process_client_certificate()
3782 EVP_PKEY_free(s->session->peer_rpk); in tls_process_client_certificate()
3783 s->session->peer_rpk = NULL; in tls_process_client_certificate()
3789 if (SSL_CONNECTION_IS_TLS13(s) && !ssl3_digest_cached_records(s, 1)) { in tls_process_client_certificate()
3795 * Inconsistency alert: cert_chain does *not* include the peer's own in tls_process_client_certificate()
3800 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_client_certificate()
3801 if (!ssl_handshake_hash(s, s->cert_verify_hash, in tls_process_client_certificate()
3802 sizeof(s->cert_verify_hash), in tls_process_client_certificate()
3803 &s->cert_verify_hash_len)) { in tls_process_client_certificate()
3809 s->sent_tickets = 0; in tls_process_client_certificate()
/*
 * tls_construct_server_certificate(): builds the server Certificate message
 * from s->s3.tmp.cert. Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - In TLS 1.3 a single zero byte is written first (presumably the empty
 *    certificate_request_context - confirm against the full source).
 *  - s->ext.server_cert_type selects between tls_output_rpk() and
 *    ssl3_output_cert_chain(); line 3866 raises internal_error, apparently for
 *    any other type.
 */
3835 CON_FUNC_RETURN tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_server_certificate() argument
3837 CERT_PKEY *cpk = s->s3.tmp.cert; in tls_construct_server_certificate()
3840 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_certificate()
3848 if (SSL_CONNECTION_IS_TLS13(s) && !WPACKET_put_bytes_u8(pkt, 0)) { in tls_construct_server_certificate()
3849 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_certificate()
3852 switch (s->ext.server_cert_type) { in tls_construct_server_certificate()
3854 if (!tls_output_rpk(s, pkt, cpk)) { in tls_construct_server_certificate()
3860 if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) { in tls_construct_server_certificate()
3866 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_server_certificate()
/*
 * tls_construct_server_compressed_certificate(): emits a compressed
 * Certificate message. Cross-reference excerpt: only matched lines are shown,
 * and the signature line is not among them.
 *
 * Visible behaviour: the server does not compress during the handshake; it
 * sends the pre-compressed blob stored in sc->s3.tmp.cert->comp_cert[alg],
 * writing the original (uncompressed) length as a 24-bit value followed by
 * cc->len bytes of cc->data, and then increments cert_comp_used.
 */
3877 OSSL_COMP_CERT *cc = sc->s3.tmp.cert->comp_cert[alg]; in tls_construct_server_compressed_certificate()
3884 * Server can't compress on-demand in tls_construct_server_compressed_certificate()
3885 * Use pre-compressed certificate in tls_construct_server_compressed_certificate()
3888 || !WPACKET_put_bytes_u24(pkt, cc->orig_len) in tls_construct_server_compressed_certificate()
3890 || !WPACKET_memcpy(pkt, cc->data, cc->len) in tls_construct_server_compressed_certificate()
3894 sc->s3.tmp.cert->cert_comp_used++; in tls_construct_server_compressed_certificate()
/*
 * create_ticket_prequel(): writes the fields that precede the ticket data in
 * a NewSessionTicket and opens the sub-packet for the ticket itself.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The advertised lifetime starts as the session timeout in seconds,
 *    narrowed to uint32_t.
 *  - In TLS 1.3 the timeout is compared against a bound that is not shown
 *    (presumably to cap the lifetime; RFC 8446 limits ticket_lifetime to
 *    seven days - confirm). Outside TLS 1.3, s->hit changes the value; the
 *    assignment is not shown.
 *  - The sub-packet opened at the end is closed by the caller
 *    (construct_stateless_ticket() says so in its own comment).
 */
3899 static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, in create_ticket_prequel() argument
3902 uint32_t timeout = (uint32_t)ossl_time2seconds(s->session->timeout); in create_ticket_prequel()
3913 if (SSL_CONNECTION_IS_TLS13(s)) { in create_ticket_prequel()
3914 if (ossl_time_compare(s->session->timeout, in create_ticket_prequel()
3917 } else if (s->hit) in create_ticket_prequel()
3921 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in create_ticket_prequel()
3925 if (SSL_CONNECTION_IS_TLS13(s)) { in create_ticket_prequel()
3928 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in create_ticket_prequel()
3933 /* Start the sub-packet for the actual ticket data */ in create_ticket_prequel()
3935 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in create_ticket_prequel()
/*
 * construct_stateless_ticket(): builds a self-contained session ticket, i.e.
 * the serialised session encrypted and authenticated by the server.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour:
 *  - The session is sized and serialised with i2d_SSL_SESSION(), then parsed
 *    back with d2i_SSL_SESSION_ex() into a working copy (sess).
 *  - When the application installed ticket_key_evp_cb or ticket_key_cb, that
 *    callback supplies the key name, IV and cipher/MAC contexts; line 4068
 *    reports SSL_R_CALLBACK_FAILED.
 *  - Otherwise the built-in scheme is used (see the comment further down).
 *  - The MAC is computed over the region of s->init_buf between macoffset and
 *    macendoffset (presumably key name, IV and ciphertext - the offsets are
 *    set on lines that are not shown).
 *  - The sub-packet opened by create_ticket_prequel() is closed at the end.
 *
 * Confidentiality and integrity of every ticket issued this way rest on the
 * ticket keys, or on whatever the application callback installs; anyone
 * holding those keys can read or forge the protected session state, so key
 * storage and rotation are the deployment concern here.
 */
3942 static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, in construct_stateless_ticket() argument
3955 SSL_CTX *tctx = s->session_ctx; in construct_stateless_ticket()
3961 SSL *ssl = SSL_CONNECTION_GET_USER_SSL(s); in construct_stateless_ticket()
3962 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in construct_stateless_ticket()
3965 slen_full = i2d_SSL_SESSION(s->session, NULL); in construct_stateless_ticket()
3971 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
3976 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in construct_stateless_ticket()
3982 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in construct_stateless_ticket()
3987 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in construct_stateless_ticket()
3992 if (!i2d_SSL_SESSION(s->session, &p)) { in construct_stateless_ticket()
3993 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
4001 sess = d2i_SSL_SESSION_ex(NULL, &const_p, slen_full, sctx->libctx, in construct_stateless_ticket()
4002 sctx->propq); in construct_stateless_ticket()
4004 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
4011 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
4017 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
4028 if (tctx->ext.ticket_key_evp_cb != NULL || tctx->ext.ticket_key_cb != NULL) in construct_stateless_ticket()
4030 if (tctx->ext.ticket_key_evp_cb != NULL) in construct_stateless_ticket()
4035 if (tctx->ext.ticket_key_evp_cb != NULL) in construct_stateless_ticket()
4036 ret = tctx->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx, in construct_stateless_ticket()
4040 else if (tctx->ext.ticket_key_cb != NULL) in construct_stateless_ticket()
4042 ret = tctx->ext.ticket_key_cb(ssl, key_name, iv, ctx, in construct_stateless_ticket()
4052 if (SSL_CONNECTION_IS_TLS13(s)) { in construct_stateless_ticket()
4059 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
4068 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); in construct_stateless_ticket()
4073 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
/*
 * Built-in ticket protection: AES-256-CBC with a fresh IV from
 * RAND_bytes_ex() under tctx->ext.secure->tick_aes_key, plus an HMAC keyed
 * with tctx->ext.secure->tick_hmac_key. The key name copied from
 * tctx->ext.tick_key_name identifies which key set protected the ticket.
 */
4077 EVP_CIPHER *cipher = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC", in construct_stateless_ticket()
4078 sctx->propq); in construct_stateless_ticket()
4082 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in construct_stateless_ticket()
4088 || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0 in construct_stateless_ticket()
4090 tctx->ext.secure->tick_aes_key, iv) in construct_stateless_ticket()
4091 || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, in construct_stateless_ticket()
4092 sizeof(tctx->ext.secure->tick_hmac_key), in construct_stateless_ticket()
4095 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
4099 memcpy(key_name, tctx->ext.tick_key_name, in construct_stateless_ticket()
4100 sizeof(tctx->ext.tick_key_name)); in construct_stateless_ticket()
4103 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { in construct_stateless_ticket()
4125 (unsigned char *)s->init_buf->data + macoffset, in construct_stateless_ticket()
4126 macendoffset - macoffset) in construct_stateless_ticket()
4132 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
4136 /* Close the sub-packet created by create_ticket_prequel() */ in construct_stateless_ticket()
4138 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateless_ticket()
/*
 * construct_stateful_ticket(): builds a ticket whose body is just the session
 * ID (s->session->session_id, session_id_length bytes) written after the
 * common prequel. No session state travels to the client; the ID only
 * refers to state kept on the server side. Cross-reference excerpt: only
 * matched lines are shown.
 */
4150 static int construct_stateful_ticket(SSL_CONNECTION *s, WPACKET *pkt, in construct_stateful_ticket() argument
4154 if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { in construct_stateful_ticket()
4159 if (!WPACKET_memcpy(pkt, s->session->session_id, in construct_stateful_ticket()
4160 s->session->session_id_length) in construct_stateful_ticket()
4162 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in construct_stateful_ticket()
/*
 * tls_update_ticket_counts(): bookkeeping after a ticket has been sent.
 * Increments s->sent_tickets and s->next_ticket_nonce, and decrements
 * s->ext.extra_tickets_expected when it is above zero. The in-source comment
 * notes that a counter is reset to 0 when more tickets follow a
 * post-handshake event (only part of that comment is listed here).
 */
4169 static void tls_update_ticket_counts(SSL_CONNECTION *s) in tls_update_ticket_counts() argument
4173 * gets reset to 0 if we send more tickets following a post-handshake in tls_update_ticket_counts()
4177 s->sent_tickets++; in tls_update_ticket_counts()
4178 s->next_ticket_nonce++; in tls_update_ticket_counts()
4179 if (s->ext.extra_tickets_expected > 0) in tls_update_ticket_counts()
4180 s->ext.extra_tickets_expected--; in tls_update_ticket_counts()
/*
 * tls_construct_new_session_ticket(): builds a NewSessionTicket message.
 * Cross-reference excerpt: only matched lines are shown.
 *
 * Visible behaviour in the TLS 1.3 branch:
 *  - When a ticket was already sent or the session was resumed, the session
 *    is duplicated first, because s->session may already be in a cache and
 *    must not be modified there.
 *  - A new session ID is generated and tick_age_add is drawn from
 *    RAND_bytes_ex().
 *  - The ticket nonce is the counter s->next_ticket_nonce written with its
 *    low byte at the highest index (big-endian, assuming the value is shifted
 *    between iterations on a line that is not shown).
 *  - The per-ticket resumption secret is derived with tls13_hkdf_expand()
 *    from s->resumption_master_secret and the nonce, and stored in
 *    s->session->master_key, so each ticket carries a distinct key.
 *  - Session time and timeout are refreshed, and the selected ALPN protocol
 *    and max_early_data are copied into the session.
 *
 * Then, for all versions: generate_ticket_cb may veto (return 0 is
 * internal_error), a stateful or stateless ticket is built, the counters are
 * updated, TLS 1.3 extensions are added, and the server session cache is
 * updated with ssl_update_cache().
 */
4183 CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_new_session_ticket() argument
4185 SSL_CTX *tctx = s->session_ctx; in tls_construct_new_session_ticket()
4195 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_construct_new_session_ticket()
4199 const EVP_MD *md = ssl_handshake_md(s); in tls_construct_new_session_ticket()
4204 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_new_session_ticket()
4211 * s->session may already be in a cache and so we must not modify it. in tls_construct_new_session_ticket()
4214 if (s->sent_tickets != 0 || s->hit) { in tls_construct_new_session_ticket()
4215 SSL_SESSION *new_sess = ssl_session_dup(s->session, 0); in tls_construct_new_session_ticket()
4222 SSL_SESSION_free(s->session); in tls_construct_new_session_ticket()
4223 s->session = new_sess; in tls_construct_new_session_ticket()
4226 if (!ssl_generate_session_id(s, s->session)) { in tls_construct_new_session_ticket()
4230 if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, in tls_construct_new_session_ticket()
4232 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_new_session_ticket()
4235 s->session->ext.tick_age_add = age_add_u.age_add; in tls_construct_new_session_ticket()
4237 nonce = s->next_ticket_nonce; in tls_construct_new_session_ticket()
4238 for (i = TICKET_NONCE_SIZE; i > 0; i--) { in tls_construct_new_session_ticket()
4239 tick_nonce[i - 1] = (unsigned char)(nonce & 0xff); in tls_construct_new_session_ticket()
4243 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, in tls_construct_new_session_ticket()
4245 sizeof(nonce_label) - 1, in tls_construct_new_session_ticket()
4248 s->session->master_key, in tls_construct_new_session_ticket()
4253 s->session->master_key_length = hashlen; in tls_construct_new_session_ticket()
4255 s->session->time = ossl_time_now(); in tls_construct_new_session_ticket()
4256 ssl_session_calculate_timeout(s->session); in tls_construct_new_session_ticket()
4257 if (s->s3.alpn_selected != NULL) { in tls_construct_new_session_ticket()
4258 OPENSSL_free(s->session->ext.alpn_selected); in tls_construct_new_session_ticket()
4259 s->session->ext.alpn_selected = in tls_construct_new_session_ticket()
4260 OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); in tls_construct_new_session_ticket()
4261 if (s->session->ext.alpn_selected == NULL) { in tls_construct_new_session_ticket()
4262 s->session->ext.alpn_selected_len = 0; in tls_construct_new_session_ticket()
4263 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_new_session_ticket()
4266 s->session->ext.alpn_selected_len = s->s3.alpn_selected_len; in tls_construct_new_session_ticket()
4268 s->session->ext.max_early_data = s->max_early_data; in tls_construct_new_session_ticket()
4271 if (tctx->generate_ticket_cb != NULL && in tls_construct_new_session_ticket()
4272 tctx->generate_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s), in tls_construct_new_session_ticket()
4273 tctx->ticket_cb_data) == 0) { in tls_construct_new_session_ticket()
4274 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_new_session_ticket()
/*
 * Ticket type selection. In TLS 1.3 a stateful ticket (session ID only) is
 * used when SSL_OP_NO_TICKET is set, and also whenever early data is enabled
 * (max_early_data > 0) unless SSL_OP_NO_ANTI_REPLAY is set, because the
 * built-in 0-RTT anti-replay relies on server-side session state. Setting
 * SSL_OP_NO_ANTI_REPLAY removes that reason to go stateful, so an
 * application doing so needs its own replay defence for early data.
 */
4278 * If we are using anti-replay protection then we behave as if in tls_construct_new_session_ticket()
4279 * SSL_OP_NO_TICKET is set - we are caching tickets anyway so there in tls_construct_new_session_ticket()
4282 if (SSL_CONNECTION_IS_TLS13(s) in tls_construct_new_session_ticket()
4283 && ((s->options & SSL_OP_NO_TICKET) != 0 in tls_construct_new_session_ticket()
4284 || (s->max_early_data > 0 in tls_construct_new_session_ticket()
4285 && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { in tls_construct_new_session_ticket()
4286 if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) { in tls_construct_new_session_ticket()
4293 tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add, in tls_construct_new_session_ticket()
4297 /* Non-fatal. Abort construction but continue */ in tls_construct_new_session_ticket()
4300 tls_update_ticket_counts(s); in tls_construct_new_session_ticket()
4307 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_construct_new_session_ticket()
4308 if (!tls_construct_extensions(s, pkt, in tls_construct_new_session_ticket()
4314 tls_update_ticket_counts(s); in tls_construct_new_session_ticket()
4315 ssl_update_cache(s, SSL_SESS_CACHE_SERVER); in tls_construct_new_session_ticket()
/*
 * tls_construct_cert_status_body(): writes the CertificateStatus body, i.e.
 * the one-byte status type followed by the stored OCSP response
 * (s->ext.ocsp.resp, resp_len bytes) with a 24-bit length prefix. A write
 * failure is internal_error. The response bytes are sent as stored; nothing
 * in the listed lines inspects them.
 */
4327 int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cert_status_body() argument
4329 if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) in tls_construct_cert_status_body()
4330 || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, in tls_construct_cert_status_body()
4331 s->ext.ocsp.resp_len)) { in tls_construct_cert_status_body()
4332 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cert_status_body()
4339 CON_FUNC_RETURN tls_construct_cert_status(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cert_status() argument
4341 if (!tls_construct_cert_status_body(s, pkt)) { in tls_construct_cert_status()
4352 * It sets the next_proto member in s if found
4354 MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt) in tls_process_next_proto() argument
4359 /*- in tls_process_next_proto()
4369 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_next_proto()
4373 if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) { in tls_process_next_proto()
4374 s->ext.npn_len = 0; in tls_process_next_proto()
4375 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_next_proto()
4379 s->ext.npn_len = (unsigned char)next_proto_len; in tls_process_next_proto()
4385 static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s, in tls_construct_encrypted_extensions() argument
4388 if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, in tls_construct_encrypted_extensions()
4397 MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt) in tls_process_end_of_early_data() argument
4400 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_end_of_early_data()
4404 if (s->early_data_state != SSL_EARLY_DATA_READING in tls_process_end_of_early_data()
4405 && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { in tls_process_end_of_early_data()
4406 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_end_of_early_data()
4414 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_end_of_early_data()
4415 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY); in tls_process_end_of_early_data()
4419 s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; in tls_process_end_of_early_data()
4420 if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s, in tls_process_end_of_early_data()