xref: /freebsd/crypto/openssl/ssl/statem/statem_clnt.c (revision 4c9a0adad18263ec8725d9bfc5f560c6ad1da8bd)
1 /*
2  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  * Copyright 2005 Nokia. All rights reserved.
5  *
6  * Licensed under the Apache License 2.0 (the "License").  You may not use
7  * this file except in compliance with the License.  You can obtain a copy
8  * in the file LICENSE in the source distribution or at
9  * https://www.openssl.org/source/license.html
10  */
11 
12 #include <stdio.h>
13 #include <time.h>
14 #include <assert.h>
15 #include "../ssl_local.h"
16 #include "statem_local.h"
17 #include <openssl/buffer.h>
18 #include <openssl/rand.h>
19 #include <openssl/objects.h>
20 #include <openssl/evp.h>
21 #include <openssl/md5.h>
22 #include <openssl/dh.h>
23 #include <openssl/rsa.h>
24 #include <openssl/bn.h>
25 #include <openssl/engine.h>
26 #include <openssl/trace.h>
27 #include <openssl/core_names.h>
28 #include <openssl/param_build.h>
29 #include "internal/cryptlib.h"
30 
31 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
32 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
33 
34 static ossl_inline int cert_req_allowed(SSL *s);
35 static int key_exchange_expected(SSL *s);
36 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
37                                     WPACKET *pkt);
38 
39 /*
40  * Is a CertificateRequest message allowed at the moment or not?
41  *
42  *  Return values are:
43  *  1: Yes
44  *  0: No
45  */
46 static ossl_inline int cert_req_allowed(SSL *s)
47 {
48     /* TLS does not like anon-DH with client cert */
49     if ((s->version > SSL3_VERSION
50          && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL))
51         || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
52         return 0;
53 
54     return 1;
55 }
56 
57 /*
58  * Should we expect the ServerKeyExchange message or not?
59  *
60  *  Return values are:
61  *  1: Yes
62  *  0: No
63  */
64 static int key_exchange_expected(SSL *s)
65 {
66     long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
67 
68     /*
69      * Can't skip server key exchange if this is an ephemeral
70      * ciphersuite or for SRP
71      */
72     if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
73                  | SSL_kSRP)) {
74         return 1;
75     }
76 
77     return 0;
78 }
79 
80 /*
81  * ossl_statem_client_read_transition() encapsulates the logic for the allowed
82  * handshake state transitions when a TLS1.3 client is reading messages from the
83  * server. The message type that the server has sent is provided in |mt|. The
84  * current state is in |s->statem.hand_state|.
85  *
86  * Return values are 1 for success (transition allowed) and  0 on error
87  * (transition not allowed)
88  */
89 static int ossl_statem_client13_read_transition(SSL *s, int mt)
90 {
91     OSSL_STATEM *st = &s->statem;
92 
93     /*
94      * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
95      * yet negotiated TLSv1.3 at that point so that is handled by
96      * ossl_statem_client_read_transition()
97      */
98 
99     switch (st->hand_state) {
100     default:
101         break;
102 
103     case TLS_ST_CW_CLNT_HELLO:
104         /*
105          * This must a ClientHello following a HelloRetryRequest, so the only
106          * thing we can get now is a ServerHello.
107          */
108         if (mt == SSL3_MT_SERVER_HELLO) {
109             st->hand_state = TLS_ST_CR_SRVR_HELLO;
110             return 1;
111         }
112         break;
113 
114     case TLS_ST_CR_SRVR_HELLO:
115         if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
116             st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
117             return 1;
118         }
119         break;
120 
121     case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
122         if (s->hit) {
123             if (mt == SSL3_MT_FINISHED) {
124                 st->hand_state = TLS_ST_CR_FINISHED;
125                 return 1;
126             }
127         } else {
128             if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
129                 st->hand_state = TLS_ST_CR_CERT_REQ;
130                 return 1;
131             }
132             if (mt == SSL3_MT_CERTIFICATE) {
133                 st->hand_state = TLS_ST_CR_CERT;
134                 return 1;
135             }
136         }
137         break;
138 
139     case TLS_ST_CR_CERT_REQ:
140         if (mt == SSL3_MT_CERTIFICATE) {
141             st->hand_state = TLS_ST_CR_CERT;
142             return 1;
143         }
144         break;
145 
146     case TLS_ST_CR_CERT:
147         if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
148             st->hand_state = TLS_ST_CR_CERT_VRFY;
149             return 1;
150         }
151         break;
152 
153     case TLS_ST_CR_CERT_VRFY:
154         if (mt == SSL3_MT_FINISHED) {
155             st->hand_state = TLS_ST_CR_FINISHED;
156             return 1;
157         }
158         break;
159 
160     case TLS_ST_OK:
161         if (mt == SSL3_MT_NEWSESSION_TICKET) {
162             st->hand_state = TLS_ST_CR_SESSION_TICKET;
163             return 1;
164         }
165         if (mt == SSL3_MT_KEY_UPDATE) {
166             st->hand_state = TLS_ST_CR_KEY_UPDATE;
167             return 1;
168         }
169         if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
170 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
171             /* Restore digest for PHA before adding message.*/
172 # error Internal DTLS version error
173 #endif
174             if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
175                 s->post_handshake_auth = SSL_PHA_REQUESTED;
176                 /*
177                  * In TLS, this is called before the message is added to the
178                  * digest. In DTLS, this is expected to be called after adding
179                  * to the digest. Either move the digest restore, or add the
180                  * message here after the swap, or do it after the clientFinished?
181                  */
182                 if (!tls13_restore_handshake_digest_for_pha(s)) {
183                     /* SSLfatal() already called */
184                     return 0;
185                 }
186                 st->hand_state = TLS_ST_CR_CERT_REQ;
187                 return 1;
188             }
189         }
190         break;
191     }
192 
193     /* No valid transition found */
194     return 0;
195 }
196 
197 /*
198  * ossl_statem_client_read_transition() encapsulates the logic for the allowed
199  * handshake state transitions when the client is reading messages from the
200  * server. The message type that the server has sent is provided in |mt|. The
201  * current state is in |s->statem.hand_state|.
202  *
203  * Return values are 1 for success (transition allowed) and  0 on error
204  * (transition not allowed)
205  */
206 int ossl_statem_client_read_transition(SSL *s, int mt)
207 {
208     OSSL_STATEM *st = &s->statem;
209     int ske_expected;
210 
211     /*
212      * Note that after writing the first ClientHello we don't know what version
213      * we are going to negotiate yet, so we don't take this branch until later.
214      */
215     if (SSL_IS_TLS13(s)) {
216         if (!ossl_statem_client13_read_transition(s, mt))
217             goto err;
218         return 1;
219     }
220 
221     switch (st->hand_state) {
222     default:
223         break;
224 
225     case TLS_ST_CW_CLNT_HELLO:
226         if (mt == SSL3_MT_SERVER_HELLO) {
227             st->hand_state = TLS_ST_CR_SRVR_HELLO;
228             return 1;
229         }
230 
231         if (SSL_IS_DTLS(s)) {
232             if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
233                 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
234                 return 1;
235             }
236         }
237         break;
238 
239     case TLS_ST_EARLY_DATA:
240         /*
241          * We've not actually selected TLSv1.3 yet, but we have sent early
242          * data. The only thing allowed now is a ServerHello or a
243          * HelloRetryRequest.
244          */
245         if (mt == SSL3_MT_SERVER_HELLO) {
246             st->hand_state = TLS_ST_CR_SRVR_HELLO;
247             return 1;
248         }
249         break;
250 
251     case TLS_ST_CR_SRVR_HELLO:
252         if (s->hit) {
253             if (s->ext.ticket_expected) {
254                 if (mt == SSL3_MT_NEWSESSION_TICKET) {
255                     st->hand_state = TLS_ST_CR_SESSION_TICKET;
256                     return 1;
257                 }
258             } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
259                 st->hand_state = TLS_ST_CR_CHANGE;
260                 return 1;
261             }
262         } else {
263             if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
264                 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
265                 return 1;
266             } else if (s->version >= TLS1_VERSION
267                        && s->ext.session_secret_cb != NULL
268                        && s->session->ext.tick != NULL
269                        && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
270                 /*
271                  * Normally, we can tell if the server is resuming the session
272                  * from the session ID. EAP-FAST (RFC 4851), however, relies on
273                  * the next server message after the ServerHello to determine if
274                  * the server is resuming.
275                  */
276                 s->hit = 1;
277                 st->hand_state = TLS_ST_CR_CHANGE;
278                 return 1;
279             } else if (!(s->s3.tmp.new_cipher->algorithm_auth
280                          & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
281                 if (mt == SSL3_MT_CERTIFICATE) {
282                     st->hand_state = TLS_ST_CR_CERT;
283                     return 1;
284                 }
285             } else {
286                 ske_expected = key_exchange_expected(s);
287                 /* SKE is optional for some PSK ciphersuites */
288                 if (ske_expected
289                     || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
290                         && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
291                     if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
292                         st->hand_state = TLS_ST_CR_KEY_EXCH;
293                         return 1;
294                     }
295                 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
296                            && cert_req_allowed(s)) {
297                     st->hand_state = TLS_ST_CR_CERT_REQ;
298                     return 1;
299                 } else if (mt == SSL3_MT_SERVER_DONE) {
300                     st->hand_state = TLS_ST_CR_SRVR_DONE;
301                     return 1;
302                 }
303             }
304         }
305         break;
306 
307     case TLS_ST_CR_CERT:
308         /*
309          * The CertificateStatus message is optional even if
310          * |ext.status_expected| is set
311          */
312         if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
313             st->hand_state = TLS_ST_CR_CERT_STATUS;
314             return 1;
315         }
316         /* Fall through */
317 
318     case TLS_ST_CR_CERT_STATUS:
319         ske_expected = key_exchange_expected(s);
320         /* SKE is optional for some PSK ciphersuites */
321         if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)
322                              && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
323             if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
324                 st->hand_state = TLS_ST_CR_KEY_EXCH;
325                 return 1;
326             }
327             goto err;
328         }
329         /* Fall through */
330 
331     case TLS_ST_CR_KEY_EXCH:
332         if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
333             if (cert_req_allowed(s)) {
334                 st->hand_state = TLS_ST_CR_CERT_REQ;
335                 return 1;
336             }
337             goto err;
338         }
339         /* Fall through */
340 
341     case TLS_ST_CR_CERT_REQ:
342         if (mt == SSL3_MT_SERVER_DONE) {
343             st->hand_state = TLS_ST_CR_SRVR_DONE;
344             return 1;
345         }
346         break;
347 
348     case TLS_ST_CW_FINISHED:
349         if (s->ext.ticket_expected) {
350             if (mt == SSL3_MT_NEWSESSION_TICKET) {
351                 st->hand_state = TLS_ST_CR_SESSION_TICKET;
352                 return 1;
353             }
354         } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
355             st->hand_state = TLS_ST_CR_CHANGE;
356             return 1;
357         }
358         break;
359 
360     case TLS_ST_CR_SESSION_TICKET:
361         if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
362             st->hand_state = TLS_ST_CR_CHANGE;
363             return 1;
364         }
365         break;
366 
367     case TLS_ST_CR_CHANGE:
368         if (mt == SSL3_MT_FINISHED) {
369             st->hand_state = TLS_ST_CR_FINISHED;
370             return 1;
371         }
372         break;
373 
374     case TLS_ST_OK:
375         if (mt == SSL3_MT_HELLO_REQUEST) {
376             st->hand_state = TLS_ST_CR_HELLO_REQ;
377             return 1;
378         }
379         break;
380     }
381 
382  err:
383     /* No valid transition found */
384     if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
385         BIO *rbio;
386 
387         /*
388          * CCS messages don't have a message sequence number so this is probably
389          * because of an out-of-order CCS. We'll just drop it.
390          */
391         s->init_num = 0;
392         s->rwstate = SSL_READING;
393         rbio = SSL_get_rbio(s);
394         BIO_clear_retry_flags(rbio);
395         BIO_set_retry_read(rbio);
396         return 0;
397     }
398     SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
399     return 0;
400 }
401 
402 /*
403  * ossl_statem_client13_write_transition() works out what handshake state to
404  * move to next when the TLSv1.3 client is writing messages to be sent to the
405  * server.
406  */
407 static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
408 {
409     OSSL_STATEM *st = &s->statem;
410 
411     /*
412      * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
413      * TLSv1.3 yet at that point. They are handled by
414      * ossl_statem_client_write_transition().
415      */
416     switch (st->hand_state) {
417     default:
418         /* Shouldn't happen */
419         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
420         return WRITE_TRAN_ERROR;
421 
422     case TLS_ST_CR_CERT_REQ:
423         if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
424             st->hand_state = TLS_ST_CW_CERT;
425             return WRITE_TRAN_CONTINUE;
426         }
427         /*
428          * We should only get here if we received a CertificateRequest after
429          * we already sent close_notify
430          */
431         if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) {
432             /* Shouldn't happen - same as default case */
433             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
434             return WRITE_TRAN_ERROR;
435         }
436         st->hand_state = TLS_ST_OK;
437         return WRITE_TRAN_CONTINUE;
438 
439     case TLS_ST_CR_FINISHED:
440         if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
441                 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
442             st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
443         else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
444                  && s->hello_retry_request == SSL_HRR_NONE)
445             st->hand_state = TLS_ST_CW_CHANGE;
446         else
447             st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
448                                                         : TLS_ST_CW_FINISHED;
449         return WRITE_TRAN_CONTINUE;
450 
451     case TLS_ST_PENDING_EARLY_DATA_END:
452         if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
453             st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
454             return WRITE_TRAN_CONTINUE;
455         }
456         /* Fall through */
457 
458     case TLS_ST_CW_END_OF_EARLY_DATA:
459     case TLS_ST_CW_CHANGE:
460         st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
461                                                     : TLS_ST_CW_FINISHED;
462         return WRITE_TRAN_CONTINUE;
463 
464     case TLS_ST_CW_CERT:
465         /* If a non-empty Certificate we also send CertificateVerify */
466         st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
467                                                     : TLS_ST_CW_FINISHED;
468         return WRITE_TRAN_CONTINUE;
469 
470     case TLS_ST_CW_CERT_VRFY:
471         st->hand_state = TLS_ST_CW_FINISHED;
472         return WRITE_TRAN_CONTINUE;
473 
474     case TLS_ST_CR_KEY_UPDATE:
475     case TLS_ST_CW_KEY_UPDATE:
476     case TLS_ST_CR_SESSION_TICKET:
477     case TLS_ST_CW_FINISHED:
478         st->hand_state = TLS_ST_OK;
479         return WRITE_TRAN_CONTINUE;
480 
481     case TLS_ST_OK:
482         if (s->key_update != SSL_KEY_UPDATE_NONE) {
483             st->hand_state = TLS_ST_CW_KEY_UPDATE;
484             return WRITE_TRAN_CONTINUE;
485         }
486 
487         /* Try to read from the server instead */
488         return WRITE_TRAN_FINISHED;
489     }
490 }
491 
492 /*
493  * ossl_statem_client_write_transition() works out what handshake state to
494  * move to next when the client is writing messages to be sent to the server.
495  */
496 WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
497 {
498     OSSL_STATEM *st = &s->statem;
499 
500     /*
501      * Note that immediately before/after a ClientHello we don't know what
502      * version we are going to negotiate yet, so we don't take this branch until
503      * later
504      */
505     if (SSL_IS_TLS13(s))
506         return ossl_statem_client13_write_transition(s);
507 
508     switch (st->hand_state) {
509     default:
510         /* Shouldn't happen */
511         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
512         return WRITE_TRAN_ERROR;
513 
514     case TLS_ST_OK:
515         if (!s->renegotiate) {
516             /*
517              * We haven't requested a renegotiation ourselves so we must have
518              * received a message from the server. Better read it.
519              */
520             return WRITE_TRAN_FINISHED;
521         }
522         /* Renegotiation */
523         /* fall thru */
524     case TLS_ST_BEFORE:
525         st->hand_state = TLS_ST_CW_CLNT_HELLO;
526         return WRITE_TRAN_CONTINUE;
527 
528     case TLS_ST_CW_CLNT_HELLO:
529         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
530             /*
531              * We are assuming this is a TLSv1.3 connection, although we haven't
532              * actually selected a version yet.
533              */
534             if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
535                 st->hand_state = TLS_ST_CW_CHANGE;
536             else
537                 st->hand_state = TLS_ST_EARLY_DATA;
538             return WRITE_TRAN_CONTINUE;
539         }
540         /*
541          * No transition at the end of writing because we don't know what
542          * we will be sent
543          */
544         return WRITE_TRAN_FINISHED;
545 
546     case TLS_ST_CR_SRVR_HELLO:
547         /*
548          * We only get here in TLSv1.3. We just received an HRR, so issue a
549          * CCS unless middlebox compat mode is off, or we already issued one
550          * because we did early data.
551          */
552         if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
553                 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
554             st->hand_state = TLS_ST_CW_CHANGE;
555         else
556             st->hand_state = TLS_ST_CW_CLNT_HELLO;
557         return WRITE_TRAN_CONTINUE;
558 
559     case TLS_ST_EARLY_DATA:
560         return WRITE_TRAN_FINISHED;
561 
562     case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
563         st->hand_state = TLS_ST_CW_CLNT_HELLO;
564         return WRITE_TRAN_CONTINUE;
565 
566     case TLS_ST_CR_SRVR_DONE:
567         if (s->s3.tmp.cert_req)
568             st->hand_state = TLS_ST_CW_CERT;
569         else
570             st->hand_state = TLS_ST_CW_KEY_EXCH;
571         return WRITE_TRAN_CONTINUE;
572 
573     case TLS_ST_CW_CERT:
574         st->hand_state = TLS_ST_CW_KEY_EXCH;
575         return WRITE_TRAN_CONTINUE;
576 
577     case TLS_ST_CW_KEY_EXCH:
578         /*
579          * For TLS, cert_req is set to 2, so a cert chain of nothing is
580          * sent, but no verify packet is sent
581          */
582         /*
583          * XXX: For now, we do not support client authentication in ECDH
584          * cipher suites with ECDH (rather than ECDSA) certificates. We
585          * need to skip the certificate verify message when client's
586          * ECDH public key is sent inside the client certificate.
587          */
588         if (s->s3.tmp.cert_req == 1) {
589             st->hand_state = TLS_ST_CW_CERT_VRFY;
590         } else {
591             st->hand_state = TLS_ST_CW_CHANGE;
592         }
593         if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
594             st->hand_state = TLS_ST_CW_CHANGE;
595         }
596         return WRITE_TRAN_CONTINUE;
597 
598     case TLS_ST_CW_CERT_VRFY:
599         st->hand_state = TLS_ST_CW_CHANGE;
600         return WRITE_TRAN_CONTINUE;
601 
602     case TLS_ST_CW_CHANGE:
603         if (s->hello_retry_request == SSL_HRR_PENDING) {
604             st->hand_state = TLS_ST_CW_CLNT_HELLO;
605         } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
606             st->hand_state = TLS_ST_EARLY_DATA;
607         } else {
608 #if defined(OPENSSL_NO_NEXTPROTONEG)
609             st->hand_state = TLS_ST_CW_FINISHED;
610 #else
611             if (!SSL_IS_DTLS(s) && s->s3.npn_seen)
612                 st->hand_state = TLS_ST_CW_NEXT_PROTO;
613             else
614                 st->hand_state = TLS_ST_CW_FINISHED;
615 #endif
616         }
617         return WRITE_TRAN_CONTINUE;
618 
619 #if !defined(OPENSSL_NO_NEXTPROTONEG)
620     case TLS_ST_CW_NEXT_PROTO:
621         st->hand_state = TLS_ST_CW_FINISHED;
622         return WRITE_TRAN_CONTINUE;
623 #endif
624 
625     case TLS_ST_CW_FINISHED:
626         if (s->hit) {
627             st->hand_state = TLS_ST_OK;
628             return WRITE_TRAN_CONTINUE;
629         } else {
630             return WRITE_TRAN_FINISHED;
631         }
632 
633     case TLS_ST_CR_FINISHED:
634         if (s->hit) {
635             st->hand_state = TLS_ST_CW_CHANGE;
636             return WRITE_TRAN_CONTINUE;
637         } else {
638             st->hand_state = TLS_ST_OK;
639             return WRITE_TRAN_CONTINUE;
640         }
641 
642     case TLS_ST_CR_HELLO_REQ:
643         /*
644          * If we can renegotiate now then do so, otherwise wait for a more
645          * convenient time.
646          */
647         if (ssl3_renegotiate_check(s, 1)) {
648             if (!tls_setup_handshake(s)) {
649                 /* SSLfatal() already called */
650                 return WRITE_TRAN_ERROR;
651             }
652             st->hand_state = TLS_ST_CW_CLNT_HELLO;
653             return WRITE_TRAN_CONTINUE;
654         }
655         st->hand_state = TLS_ST_OK;
656         return WRITE_TRAN_CONTINUE;
657     }
658 }
659 
660 /*
661  * Perform any pre work that needs to be done prior to sending a message from
662  * the client to the server.
663  */
664 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
665 {
666     OSSL_STATEM *st = &s->statem;
667 
668     switch (st->hand_state) {
669     default:
670         /* No pre work to be done */
671         break;
672 
673     case TLS_ST_CW_CLNT_HELLO:
674         s->shutdown = 0;
675         if (SSL_IS_DTLS(s)) {
676             /* every DTLS ClientHello resets Finished MAC */
677             if (!ssl3_init_finished_mac(s)) {
678                 /* SSLfatal() already called */
679                 return WORK_ERROR;
680             }
681         }
682         break;
683 
684     case TLS_ST_CW_CHANGE:
685         if (SSL_IS_DTLS(s)) {
686             if (s->hit) {
687                 /*
688                  * We're into the last flight so we don't retransmit these
689                  * messages unless we need to.
690                  */
691                 st->use_timer = 0;
692             }
693 #ifndef OPENSSL_NO_SCTP
694             if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
695                 /* Calls SSLfatal() as required */
696                 return dtls_wait_for_dry(s);
697             }
698 #endif
699         }
700         break;
701 
702     case TLS_ST_PENDING_EARLY_DATA_END:
703         /*
704          * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
705          * attempt to write early data before calling SSL_read() then we press
706          * on with the handshake. Otherwise we pause here.
707          */
708         if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
709                 || s->early_data_state == SSL_EARLY_DATA_NONE)
710             return WORK_FINISHED_CONTINUE;
711         /* Fall through */
712 
713     case TLS_ST_EARLY_DATA:
714         return tls_finish_handshake(s, wst, 0, 1);
715 
716     case TLS_ST_OK:
717         /* Calls SSLfatal() as required */
718         return tls_finish_handshake(s, wst, 1, 1);
719     }
720 
721     return WORK_FINISHED_CONTINUE;
722 }
723 
724 /*
725  * Perform any work that needs to be done after sending a message from the
726  * client to the server.
727  */
728 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
729 {
730     OSSL_STATEM *st = &s->statem;
731 
732     s->init_num = 0;
733 
734     switch (st->hand_state) {
735     default:
736         /* No post work to be done */
737         break;
738 
739     case TLS_ST_CW_CLNT_HELLO:
740         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
741                 && s->max_early_data > 0) {
742             /*
743              * We haven't selected TLSv1.3 yet so we don't call the change
744              * cipher state function associated with the SSL_METHOD. Instead
745              * we call tls13_change_cipher_state() directly.
746              */
747             if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
748                 if (!tls13_change_cipher_state(s,
749                             SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
750                     /* SSLfatal() already called */
751                     return WORK_ERROR;
752                 }
753             }
754             /* else we're in compat mode so we delay flushing until after CCS */
755         } else if (!statem_flush(s)) {
756             return WORK_MORE_A;
757         }
758 
759         if (SSL_IS_DTLS(s)) {
760             /* Treat the next message as the first packet */
761             s->first_packet = 1;
762         }
763         break;
764 
765     case TLS_ST_CW_END_OF_EARLY_DATA:
766         /*
767          * We set the enc_write_ctx back to NULL because we may end up writing
768          * in cleartext again if we get a HelloRetryRequest from the server.
769          */
770         EVP_CIPHER_CTX_free(s->enc_write_ctx);
771         s->enc_write_ctx = NULL;
772         break;
773 
774     case TLS_ST_CW_KEY_EXCH:
775         if (tls_client_key_exchange_post_work(s) == 0) {
776             /* SSLfatal() already called */
777             return WORK_ERROR;
778         }
779         break;
780 
781     case TLS_ST_CW_CHANGE:
782         if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING)
783             break;
784         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
785                     && s->max_early_data > 0) {
786             /*
787              * We haven't selected TLSv1.3 yet so we don't call the change
788              * cipher state function associated with the SSL_METHOD. Instead
789              * we call tls13_change_cipher_state() directly.
790              */
791             if (!tls13_change_cipher_state(s,
792                         SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
793                 return WORK_ERROR;
794             break;
795         }
796         s->session->cipher = s->s3.tmp.new_cipher;
797 #ifdef OPENSSL_NO_COMP
798         s->session->compress_meth = 0;
799 #else
800         if (s->s3.tmp.new_compression == NULL)
801             s->session->compress_meth = 0;
802         else
803             s->session->compress_meth = s->s3.tmp.new_compression->id;
804 #endif
805         if (!s->method->ssl3_enc->setup_key_block(s)) {
806             /* SSLfatal() already called */
807             return WORK_ERROR;
808         }
809 
810         if (!s->method->ssl3_enc->change_cipher_state(s,
811                                           SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
812             /* SSLfatal() already called */
813             return WORK_ERROR;
814         }
815 
816         if (SSL_IS_DTLS(s)) {
817 #ifndef OPENSSL_NO_SCTP
818             if (s->hit) {
819                 /*
820                  * Change to new shared key of SCTP-Auth, will be ignored if
821                  * no SCTP used.
822                  */
823                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
824                          0, NULL);
825             }
826 #endif
827 
828             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
829         }
830         break;
831 
832     case TLS_ST_CW_FINISHED:
833 #ifndef OPENSSL_NO_SCTP
834         if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
835             /*
836              * Change to new shared key of SCTP-Auth, will be ignored if
837              * no SCTP used.
838              */
839             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
840                      0, NULL);
841         }
842 #endif
843         if (statem_flush(s) != 1)
844             return WORK_MORE_B;
845 
846         if (SSL_IS_TLS13(s)) {
847             if (!tls13_save_handshake_digest_for_pha(s)) {
848                 /* SSLfatal() already called */
849                 return WORK_ERROR;
850             }
851             if (s->post_handshake_auth != SSL_PHA_REQUESTED) {
852                 if (!s->method->ssl3_enc->change_cipher_state(s,
853                         SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
854                     /* SSLfatal() already called */
855                     return WORK_ERROR;
856                 }
857             }
858         }
859         break;
860 
861     case TLS_ST_CW_KEY_UPDATE:
862         if (statem_flush(s) != 1)
863             return WORK_MORE_A;
864         if (!tls13_update_key(s, 1)) {
865             /* SSLfatal() already called */
866             return WORK_ERROR;
867         }
868         break;
869     }
870 
871     return WORK_FINISHED_CONTINUE;
872 }
873 
874 /*
875  * Get the message construction function and message type for sending from the
876  * client
877  *
878  * Valid return values are:
879  *   1: Success
880  *   0: Error
881  */
882 int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
883                                          confunc_f *confunc, int *mt)
884 {
885     OSSL_STATEM *st = &s->statem;
886 
887     switch (st->hand_state) {
888     default:
889         /* Shouldn't happen */
890         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE);
891         return 0;
892 
893     case TLS_ST_CW_CHANGE:
894         if (SSL_IS_DTLS(s))
895             *confunc = dtls_construct_change_cipher_spec;
896         else
897             *confunc = tls_construct_change_cipher_spec;
898         *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
899         break;
900 
901     case TLS_ST_CW_CLNT_HELLO:
902         *confunc = tls_construct_client_hello;
903         *mt = SSL3_MT_CLIENT_HELLO;
904         break;
905 
906     case TLS_ST_CW_END_OF_EARLY_DATA:
907         *confunc = tls_construct_end_of_early_data;
908         *mt = SSL3_MT_END_OF_EARLY_DATA;
909         break;
910 
911     case TLS_ST_PENDING_EARLY_DATA_END:
912         *confunc = NULL;
913         *mt = SSL3_MT_DUMMY;
914         break;
915 
916     case TLS_ST_CW_CERT:
917         *confunc = tls_construct_client_certificate;
918         *mt = SSL3_MT_CERTIFICATE;
919         break;
920 
921     case TLS_ST_CW_KEY_EXCH:
922         *confunc = tls_construct_client_key_exchange;
923         *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
924         break;
925 
926     case TLS_ST_CW_CERT_VRFY:
927         *confunc = tls_construct_cert_verify;
928         *mt = SSL3_MT_CERTIFICATE_VERIFY;
929         break;
930 
931 #if !defined(OPENSSL_NO_NEXTPROTONEG)
932     case TLS_ST_CW_NEXT_PROTO:
933         *confunc = tls_construct_next_proto;
934         *mt = SSL3_MT_NEXT_PROTO;
935         break;
936 #endif
937     case TLS_ST_CW_FINISHED:
938         *confunc = tls_construct_finished;
939         *mt = SSL3_MT_FINISHED;
940         break;
941 
942     case TLS_ST_CW_KEY_UPDATE:
943         *confunc = tls_construct_key_update;
944         *mt = SSL3_MT_KEY_UPDATE;
945         break;
946     }
947 
948     return 1;
949 }
950 
951 /*
952  * Returns the maximum allowed length for the current message that we are
953  * reading. Excludes the message header.
954  */
955 size_t ossl_statem_client_max_message_size(SSL *s)
956 {
957     OSSL_STATEM *st = &s->statem;
958 
959     switch (st->hand_state) {
960     default:
961         /* Shouldn't happen */
962         return 0;
963 
964     case TLS_ST_CR_SRVR_HELLO:
965         return SERVER_HELLO_MAX_LENGTH;
966 
967     case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
968         return HELLO_VERIFY_REQUEST_MAX_LENGTH;
969 
970     case TLS_ST_CR_CERT:
971         return s->max_cert_list;
972 
973     case TLS_ST_CR_CERT_VRFY:
974         return SSL3_RT_MAX_PLAIN_LENGTH;
975 
976     case TLS_ST_CR_CERT_STATUS:
977         return SSL3_RT_MAX_PLAIN_LENGTH;
978 
979     case TLS_ST_CR_KEY_EXCH:
980         return SERVER_KEY_EXCH_MAX_LENGTH;
981 
982     case TLS_ST_CR_CERT_REQ:
983         /*
984          * Set to s->max_cert_list for compatibility with previous releases. In
985          * practice these messages can get quite long if servers are configured
986          * to provide a long list of acceptable CAs
987          */
988         return s->max_cert_list;
989 
990     case TLS_ST_CR_SRVR_DONE:
991         return SERVER_HELLO_DONE_MAX_LENGTH;
992 
993     case TLS_ST_CR_CHANGE:
994         if (s->version == DTLS1_BAD_VER)
995             return 3;
996         return CCS_MAX_LENGTH;
997 
998     case TLS_ST_CR_SESSION_TICKET:
999         return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
1000                                  : SESSION_TICKET_MAX_LENGTH_TLS12;
1001 
1002     case TLS_ST_CR_FINISHED:
1003         return FINISHED_MAX_LENGTH;
1004 
1005     case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1006         return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
1007 
1008     case TLS_ST_CR_KEY_UPDATE:
1009         return KEY_UPDATE_MAX_LENGTH;
1010     }
1011 }
1012 
1013 /*
1014  * Process a message that the client has received from the server.
1015  */
1016 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
1017 {
1018     OSSL_STATEM *st = &s->statem;
1019 
1020     switch (st->hand_state) {
1021     default:
1022         /* Shouldn't happen */
1023         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1024         return MSG_PROCESS_ERROR;
1025 
1026     case TLS_ST_CR_SRVR_HELLO:
1027         return tls_process_server_hello(s, pkt);
1028 
1029     case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1030         return dtls_process_hello_verify(s, pkt);
1031 
1032     case TLS_ST_CR_CERT:
1033         return tls_process_server_certificate(s, pkt);
1034 
1035     case TLS_ST_CR_CERT_VRFY:
1036         return tls_process_cert_verify(s, pkt);
1037 
1038     case TLS_ST_CR_CERT_STATUS:
1039         return tls_process_cert_status(s, pkt);
1040 
1041     case TLS_ST_CR_KEY_EXCH:
1042         return tls_process_key_exchange(s, pkt);
1043 
1044     case TLS_ST_CR_CERT_REQ:
1045         return tls_process_certificate_request(s, pkt);
1046 
1047     case TLS_ST_CR_SRVR_DONE:
1048         return tls_process_server_done(s, pkt);
1049 
1050     case TLS_ST_CR_CHANGE:
1051         return tls_process_change_cipher_spec(s, pkt);
1052 
1053     case TLS_ST_CR_SESSION_TICKET:
1054         return tls_process_new_session_ticket(s, pkt);
1055 
1056     case TLS_ST_CR_FINISHED:
1057         return tls_process_finished(s, pkt);
1058 
1059     case TLS_ST_CR_HELLO_REQ:
1060         return tls_process_hello_req(s, pkt);
1061 
1062     case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1063         return tls_process_encrypted_extensions(s, pkt);
1064 
1065     case TLS_ST_CR_KEY_UPDATE:
1066         return tls_process_key_update(s, pkt);
1067     }
1068 }
1069 
1070 /*
1071  * Perform any further processing required following the receipt of a message
1072  * from the server
1073  */
1074 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
1075 {
1076     OSSL_STATEM *st = &s->statem;
1077 
1078     switch (st->hand_state) {
1079     default:
1080         /* Shouldn't happen */
1081         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1082         return WORK_ERROR;
1083 
1084     case TLS_ST_CR_CERT:
1085         return tls_post_process_server_certificate(s, wst);
1086 
1087     case TLS_ST_CR_CERT_VRFY:
1088     case TLS_ST_CR_CERT_REQ:
1089         return tls_prepare_client_certificate(s, wst);
1090     }
1091 }
1092 
1093 int tls_construct_client_hello(SSL *s, WPACKET *pkt)
1094 {
1095     unsigned char *p;
1096     size_t sess_id_len;
1097     int i, protverr;
1098 #ifndef OPENSSL_NO_COMP
1099     SSL_COMP *comp;
1100 #endif
1101     SSL_SESSION *sess = s->session;
1102     unsigned char *session_id;
1103 
1104     /* Work out what SSL/TLS/DTLS version to use */
1105     protverr = ssl_set_client_hello_version(s);
1106     if (protverr != 0) {
1107         SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr);
1108         return 0;
1109     }
1110 
1111     if (sess == NULL
1112             || !ssl_version_supported(s, sess->ssl_version, NULL)
1113             || !SSL_SESSION_is_resumable(sess)) {
1114         if (s->hello_retry_request == SSL_HRR_NONE
1115                 && !ssl_get_new_session(s, 0)) {
1116             /* SSLfatal() already called */
1117             return 0;
1118         }
1119     }
1120     /* else use the pre-loaded session */
1121 
1122     p = s->s3.client_random;
1123 
1124     /*
1125      * for DTLS if client_random is initialized, reuse it, we are
1126      * required to use same upon reply to HelloVerify
1127      */
1128     if (SSL_IS_DTLS(s)) {
1129         size_t idx;
1130         i = 1;
1131         for (idx = 0; idx < sizeof(s->s3.client_random); idx++) {
1132             if (p[idx]) {
1133                 i = 0;
1134                 break;
1135             }
1136         }
1137     } else {
1138         i = (s->hello_retry_request == SSL_HRR_NONE);
1139     }
1140 
1141     if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
1142                                    DOWNGRADE_NONE) <= 0) {
1143         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1144         return 0;
1145     }
1146 
1147     /*-
1148      * version indicates the negotiated version: for example from
1149      * an SSLv2/v3 compatible client hello). The client_version
1150      * field is the maximum version we permit and it is also
1151      * used in RSA encrypted premaster secrets. Some servers can
1152      * choke if we initially report a higher version then
1153      * renegotiate to a lower one in the premaster secret. This
1154      * didn't happen with TLS 1.0 as most servers supported it
1155      * but it can with TLS 1.1 or later if the server only supports
1156      * 1.0.
1157      *
1158      * Possible scenario with previous logic:
1159      *      1. Client hello indicates TLS 1.2
1160      *      2. Server hello says TLS 1.0
1161      *      3. RSA encrypted premaster secret uses 1.2.
1162      *      4. Handshake proceeds using TLS 1.0.
1163      *      5. Server sends hello request to renegotiate.
1164      *      6. Client hello indicates TLS v1.0 as we now
1165      *         know that is maximum server supports.
1166      *      7. Server chokes on RSA encrypted premaster secret
1167      *         containing version 1.0.
1168      *
1169      * For interoperability it should be OK to always use the
1170      * maximum version we support in client hello and then rely
1171      * on the checking of version to ensure the servers isn't
1172      * being inconsistent: for example initially negotiating with
1173      * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1174      * client_version in client hello and not resetting it to
1175      * the negotiated version.
1176      *
1177      * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
1178      * supported_versions extension for the real supported versions.
1179      */
1180     if (!WPACKET_put_bytes_u16(pkt, s->client_version)
1181             || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) {
1182         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1183         return 0;
1184     }
1185 
1186     /* Session ID */
1187     session_id = s->session->session_id;
1188     if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) {
1189         if (s->version == TLS1_3_VERSION
1190                 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
1191             sess_id_len = sizeof(s->tmp_session_id);
1192             s->tmp_session_id_len = sess_id_len;
1193             session_id = s->tmp_session_id;
1194             if (s->hello_retry_request == SSL_HRR_NONE
1195                     && RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id,
1196                                      sess_id_len, 0) <= 0) {
1197                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1198                 return 0;
1199             }
1200         } else {
1201             sess_id_len = 0;
1202         }
1203     } else {
1204         assert(s->session->session_id_length <= sizeof(s->session->session_id));
1205         sess_id_len = s->session->session_id_length;
1206         if (s->version == TLS1_3_VERSION) {
1207             s->tmp_session_id_len = sess_id_len;
1208             memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
1209         }
1210     }
1211     if (!WPACKET_start_sub_packet_u8(pkt)
1212             || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
1213                                                     sess_id_len))
1214             || !WPACKET_close(pkt)) {
1215         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1216         return 0;
1217     }
1218 
1219     /* cookie stuff for DTLS */
1220     if (SSL_IS_DTLS(s)) {
1221         if (s->d1->cookie_len > sizeof(s->d1->cookie)
1222                 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
1223                                           s->d1->cookie_len)) {
1224             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1225             return 0;
1226         }
1227     }
1228 
1229     /* Ciphers supported */
1230     if (!WPACKET_start_sub_packet_u16(pkt)) {
1231         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1232         return 0;
1233     }
1234 
1235     if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) {
1236         /* SSLfatal() already called */
1237         return 0;
1238     }
1239     if (!WPACKET_close(pkt)) {
1240         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1241         return 0;
1242     }
1243 
1244     /* COMPRESSION */
1245     if (!WPACKET_start_sub_packet_u8(pkt)) {
1246         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1247         return 0;
1248     }
1249 #ifndef OPENSSL_NO_COMP
1250     if (ssl_allow_compression(s)
1251             && s->ctx->comp_methods
1252             && (SSL_IS_DTLS(s) || s->s3.tmp.max_ver < TLS1_3_VERSION)) {
1253         int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
1254         for (i = 0; i < compnum; i++) {
1255             comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
1256             if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
1257                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1258                 return 0;
1259             }
1260         }
1261     }
1262 #endif
1263     /* Add the NULL method */
1264     if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
1265         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1266         return 0;
1267     }
1268 
1269     /* TLS extensions */
1270     if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
1271         /* SSLfatal() already called */
1272         return 0;
1273     }
1274 
1275     return 1;
1276 }
1277 
1278 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
1279 {
1280     size_t cookie_len;
1281     PACKET cookiepkt;
1282 
1283     if (!PACKET_forward(pkt, 2)
1284         || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
1285         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1286         return MSG_PROCESS_ERROR;
1287     }
1288 
1289     cookie_len = PACKET_remaining(&cookiepkt);
1290     if (cookie_len > sizeof(s->d1->cookie)) {
1291         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG);
1292         return MSG_PROCESS_ERROR;
1293     }
1294 
1295     if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
1296         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1297         return MSG_PROCESS_ERROR;
1298     }
1299     s->d1->cookie_len = cookie_len;
1300 
1301     return MSG_PROCESS_FINISHED_READING;
1302 }
1303 
1304 static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
1305 {
1306     STACK_OF(SSL_CIPHER) *sk;
1307     const SSL_CIPHER *c;
1308     int i;
1309 
1310     c = ssl_get_cipher_by_char(s, cipherchars, 0);
1311     if (c == NULL) {
1312         /* unknown cipher */
1313         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED);
1314         return 0;
1315     }
1316     /*
1317      * If it is a disabled cipher we either didn't send it in client hello,
1318      * or it's not allowed for the selected protocol. So we return an error.
1319      */
1320     if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
1321         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
1322         return 0;
1323     }
1324 
1325     sk = ssl_get_ciphers_by_id(s);
1326     i = sk_SSL_CIPHER_find(sk, c);
1327     if (i < 0) {
1328         /* we did not say we would use this cipher */
1329         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
1330         return 0;
1331     }
1332 
1333     if (SSL_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL
1334             && s->s3.tmp.new_cipher->id != c->id) {
1335         /* ServerHello selected a different ciphersuite to that in the HRR */
1336         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED);
1337         return 0;
1338     }
1339 
1340     /*
1341      * Depending on the session caching (internal/external), the cipher
1342      * and/or cipher_id values may not be set. Make sure that cipher_id is
1343      * set and use it for comparison.
1344      */
1345     if (s->session->cipher != NULL)
1346         s->session->cipher_id = s->session->cipher->id;
1347     if (s->hit && (s->session->cipher_id != c->id)) {
1348         if (SSL_IS_TLS13(s)) {
1349             const EVP_MD *md = ssl_md(s->ctx, c->algorithm2);
1350 
1351             /*
1352              * In TLSv1.3 it is valid for the server to select a different
1353              * ciphersuite as long as the hash is the same.
1354              */
1355             if (md == NULL
1356                     || md != ssl_md(s->ctx, s->session->cipher->algorithm2)) {
1357                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1358                          SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
1359                 return 0;
1360             }
1361         } else {
1362             /*
1363              * Prior to TLSv1.3 resuming a session always meant using the same
1364              * ciphersuite.
1365              */
1366             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1367                      SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1368             return 0;
1369         }
1370     }
1371     s->s3.tmp.new_cipher = c;
1372 
1373     return 1;
1374 }
1375 
1376 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
1377 {
1378     PACKET session_id, extpkt;
1379     size_t session_id_len;
1380     const unsigned char *cipherchars;
1381     int hrr = 0;
1382     unsigned int compression;
1383     unsigned int sversion;
1384     unsigned int context;
1385     RAW_EXTENSION *extensions = NULL;
1386 #ifndef OPENSSL_NO_COMP
1387     SSL_COMP *comp;
1388 #endif
1389 
1390     if (!PACKET_get_net_2(pkt, &sversion)) {
1391         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1392         goto err;
1393     }
1394 
1395     /* load the server random */
1396     if (s->version == TLS1_3_VERSION
1397             && sversion == TLS1_2_VERSION
1398             && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
1399             && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
1400         if (s->hello_retry_request != SSL_HRR_NONE) {
1401             SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
1402             goto err;
1403         }
1404         s->hello_retry_request = SSL_HRR_PENDING;
1405         hrr = 1;
1406         if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
1407             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1408             goto err;
1409         }
1410     } else {
1411         if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) {
1412             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1413             goto err;
1414         }
1415     }
1416 
1417     /* Get the session-id. */
1418     if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1419         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1420         goto err;
1421     }
1422     session_id_len = PACKET_remaining(&session_id);
1423     if (session_id_len > sizeof(s->session->session_id)
1424         || session_id_len > SSL3_SESSION_ID_SIZE) {
1425         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG);
1426         goto err;
1427     }
1428 
1429     if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
1430         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1431         goto err;
1432     }
1433 
1434     if (!PACKET_get_1(pkt, &compression)) {
1435         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1436         goto err;
1437     }
1438 
1439     /* TLS extensions */
1440     if (PACKET_remaining(pkt) == 0 && !hrr) {
1441         PACKET_null_init(&extpkt);
1442     } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
1443                || PACKET_remaining(pkt) != 0) {
1444         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1445         goto err;
1446     }
1447 
1448     if (!hrr) {
1449         if (!tls_collect_extensions(s, &extpkt,
1450                                     SSL_EXT_TLS1_2_SERVER_HELLO
1451                                     | SSL_EXT_TLS1_3_SERVER_HELLO,
1452                                     &extensions, NULL, 1)) {
1453             /* SSLfatal() already called */
1454             goto err;
1455         }
1456 
1457         if (!ssl_choose_client_version(s, sversion, extensions)) {
1458             /* SSLfatal() already called */
1459             goto err;
1460         }
1461     }
1462 
1463     if (SSL_IS_TLS13(s) || hrr) {
1464         if (compression != 0) {
1465             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1466                      SSL_R_INVALID_COMPRESSION_ALGORITHM);
1467             goto err;
1468         }
1469 
1470         if (session_id_len != s->tmp_session_id_len
1471                 || memcmp(PACKET_data(&session_id), s->tmp_session_id,
1472                           session_id_len) != 0) {
1473             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID);
1474             goto err;
1475         }
1476     }
1477 
1478     if (hrr) {
1479         if (!set_client_ciphersuite(s, cipherchars)) {
1480             /* SSLfatal() already called */
1481             goto err;
1482         }
1483 
1484         return tls_process_as_hello_retry_request(s, &extpkt);
1485     }
1486 
1487     /*
1488      * Now we have chosen the version we need to check again that the extensions
1489      * are appropriate for this version.
1490      */
1491     context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
1492                               : SSL_EXT_TLS1_2_SERVER_HELLO;
1493     if (!tls_validate_all_contexts(s, context, extensions)) {
1494         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);
1495         goto err;
1496     }
1497 
1498     s->hit = 0;
1499 
1500     if (SSL_IS_TLS13(s)) {
1501         /*
1502          * In TLSv1.3 a ServerHello message signals a key change so the end of
1503          * the message must be on a record boundary.
1504          */
1505         if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1506             SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1507                      SSL_R_NOT_ON_RECORD_BOUNDARY);
1508             goto err;
1509         }
1510 
1511         /* This will set s->hit if we are resuming */
1512         if (!tls_parse_extension(s, TLSEXT_IDX_psk,
1513                                  SSL_EXT_TLS1_3_SERVER_HELLO,
1514                                  extensions, NULL, 0)) {
1515             /* SSLfatal() already called */
1516             goto err;
1517         }
1518     } else {
1519         /*
1520          * Check if we can resume the session based on external pre-shared
1521          * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1522          * Resumption based on server-side state works with session IDs.
1523          * Resumption based on pre-shared Protected Access Credentials (PACs)
1524          * works by overriding the SessionTicket extension at the application
1525          * layer, and does not send a session ID. (We do not know whether
1526          * EAP-FAST servers would honour the session ID.) Therefore, the session
1527          * ID alone is not a reliable indicator of session resumption, so we
1528          * first check if we can resume, and later peek at the next handshake
1529          * message to see if the server wants to resume.
1530          */
1531         if (s->version >= TLS1_VERSION
1532                 && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
1533             const SSL_CIPHER *pref_cipher = NULL;
1534             /*
1535              * s->session->master_key_length is a size_t, but this is an int for
1536              * backwards compat reasons
1537              */
1538             int master_key_length;
1539             master_key_length = sizeof(s->session->master_key);
1540             if (s->ext.session_secret_cb(s, s->session->master_key,
1541                                          &master_key_length,
1542                                          NULL, &pref_cipher,
1543                                          s->ext.session_secret_cb_arg)
1544                      && master_key_length > 0) {
1545                 s->session->master_key_length = master_key_length;
1546                 s->session->cipher = pref_cipher ?
1547                     pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
1548             } else {
1549                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1550                 goto err;
1551             }
1552         }
1553 
1554         if (session_id_len != 0
1555                 && session_id_len == s->session->session_id_length
1556                 && memcmp(PACKET_data(&session_id), s->session->session_id,
1557                           session_id_len) == 0)
1558             s->hit = 1;
1559     }
1560 
1561     if (s->hit) {
1562         if (s->sid_ctx_length != s->session->sid_ctx_length
1563                 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1564             /* actually a client application bug */
1565             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1566                      SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1567             goto err;
1568         }
1569     } else {
1570         /*
1571          * If we were trying for session-id reuse but the server
1572          * didn't resume, make a new SSL_SESSION.
1573          * In the case of EAP-FAST and PAC, we do not send a session ID,
1574          * so the PAC-based session secret is always preserved. It'll be
1575          * overwritten if the server refuses resumption.
1576          */
1577         if (s->session->session_id_length > 0) {
1578             ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss);
1579             if (!ssl_get_new_session(s, 0)) {
1580                 /* SSLfatal() already called */
1581                 goto err;
1582             }
1583         }
1584 
1585         s->session->ssl_version = s->version;
1586         /*
1587          * In TLSv1.2 and below we save the session id we were sent so we can
1588          * resume it later. In TLSv1.3 the session id we were sent is just an
1589          * echo of what we originally sent in the ClientHello and should not be
1590          * used for resumption.
1591          */
1592         if (!SSL_IS_TLS13(s)) {
1593             s->session->session_id_length = session_id_len;
1594             /* session_id_len could be 0 */
1595             if (session_id_len > 0)
1596                 memcpy(s->session->session_id, PACKET_data(&session_id),
1597                        session_id_len);
1598         }
1599     }
1600 
1601     /* Session version and negotiated protocol version should match */
1602     if (s->version != s->session->ssl_version) {
1603         SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1604                  SSL_R_SSL_SESSION_VERSION_MISMATCH);
1605         goto err;
1606     }
1607     /*
1608      * Now that we know the version, update the check to see if it's an allowed
1609      * version.
1610      */
1611     s->s3.tmp.min_ver = s->version;
1612     s->s3.tmp.max_ver = s->version;
1613 
1614     if (!set_client_ciphersuite(s, cipherchars)) {
1615         /* SSLfatal() already called */
1616         goto err;
1617     }
1618 
1619 #ifdef OPENSSL_NO_COMP
1620     if (compression != 0) {
1621         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1622                  SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1623         goto err;
1624     }
1625     /*
1626      * If compression is disabled we'd better not try to resume a session
1627      * using compression.
1628      */
1629     if (s->session->compress_meth != 0) {
1630         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION);
1631         goto err;
1632     }
1633 #else
1634     if (s->hit && compression != s->session->compress_meth) {
1635         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1636                  SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1637         goto err;
1638     }
1639     if (compression == 0)
1640         comp = NULL;
1641     else if (!ssl_allow_compression(s)) {
1642         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED);
1643         goto err;
1644     } else {
1645         comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1646     }
1647 
1648     if (compression != 0 && comp == NULL) {
1649         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1650                  SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1651         goto err;
1652     } else {
1653         s->s3.tmp.new_compression = comp;
1654     }
1655 #endif
1656 
1657     if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) {
1658         /* SSLfatal() already called */
1659         goto err;
1660     }
1661 
1662 #ifndef OPENSSL_NO_SCTP
1663     if (SSL_IS_DTLS(s) && s->hit) {
1664         unsigned char sctpauthkey[64];
1665         char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1666         size_t labellen;
1667 
1668         /*
1669          * Add new shared key for SCTP-Auth, will be ignored if
1670          * no SCTP used.
1671          */
1672         memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1673                sizeof(DTLS1_SCTP_AUTH_LABEL));
1674 
1675         /* Don't include the terminating zero. */
1676         labellen = sizeof(labelbuffer) - 1;
1677         if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
1678             labellen += 1;
1679 
1680         if (SSL_export_keying_material(s, sctpauthkey,
1681                                        sizeof(sctpauthkey),
1682                                        labelbuffer,
1683                                        labellen, NULL, 0, 0) <= 0) {
1684             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1685             goto err;
1686         }
1687 
1688         BIO_ctrl(SSL_get_wbio(s),
1689                  BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1690                  sizeof(sctpauthkey), sctpauthkey);
1691     }
1692 #endif
1693 
1694     /*
1695      * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1696      * we're done with this message
1697      */
1698     if (SSL_IS_TLS13(s)
1699             && (!s->method->ssl3_enc->setup_key_block(s)
1700                 || !s->method->ssl3_enc->change_cipher_state(s,
1701                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
1702         /* SSLfatal() already called */
1703         goto err;
1704     }
1705 
1706     OPENSSL_free(extensions);
1707     return MSG_PROCESS_CONTINUE_READING;
1708  err:
1709     OPENSSL_free(extensions);
1710     return MSG_PROCESS_ERROR;
1711 }
1712 
1713 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s,
1714                                                              PACKET *extpkt)
1715 {
1716     RAW_EXTENSION *extensions = NULL;
1717 
1718     /*
1719      * If we were sending early_data then the enc_write_ctx is now invalid and
1720      * should not be used.
1721      */
1722     EVP_CIPHER_CTX_free(s->enc_write_ctx);
1723     s->enc_write_ctx = NULL;
1724 
1725     if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
1726                                 &extensions, NULL, 1)
1727             || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
1728                                          extensions, NULL, 0, 1)) {
1729         /* SSLfatal() already called */
1730         goto err;
1731     }
1732 
1733     OPENSSL_free(extensions);
1734     extensions = NULL;
1735 
1736     if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) {
1737         /*
1738          * We didn't receive a cookie or a new key_share so the next
1739          * ClientHello will not change
1740          */
1741         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR);
1742         goto err;
1743     }
1744 
1745     /*
1746      * Re-initialise the Transcript Hash. We're going to prepopulate it with
1747      * a synthetic message_hash in place of ClientHello1.
1748      */
1749     if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
1750         /* SSLfatal() already called */
1751         goto err;
1752     }
1753 
1754     /*
1755      * Add this message to the Transcript Hash. Normally this is done
1756      * automatically prior to the message processing stage. However due to the
1757      * need to create the synthetic message hash, we defer that step until now
1758      * for HRR messages.
1759      */
1760     if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1761                                 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1762         /* SSLfatal() already called */
1763         goto err;
1764     }
1765 
1766     return MSG_PROCESS_FINISHED_READING;
1767  err:
1768     OPENSSL_free(extensions);
1769     return MSG_PROCESS_ERROR;
1770 }
1771 
1772 /* prepare server cert verification by setting s->session->peer_chain from pkt */
1773 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
1774 {
1775     unsigned long cert_list_len, cert_len;
1776     X509 *x = NULL;
1777     const unsigned char *certstart, *certbytes;
1778     size_t chainidx;
1779     unsigned int context = 0;
1780 
1781     if ((s->session->peer_chain = sk_X509_new_null()) == NULL) {
1782         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1783         goto err;
1784     }
1785 
1786     if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
1787             || context != 0
1788             || !PACKET_get_net_3(pkt, &cert_list_len)
1789             || PACKET_remaining(pkt) != cert_list_len
1790             || PACKET_remaining(pkt) == 0) {
1791         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1792         goto err;
1793     }
1794     for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
1795         if (!PACKET_get_net_3(pkt, &cert_len)
1796             || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
1797             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
1798             goto err;
1799         }
1800 
1801         certstart = certbytes;
1802         x = X509_new_ex(s->ctx->libctx, s->ctx->propq);
1803         if (x == NULL) {
1804             SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE);
1805             ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
1806             goto err;
1807         }
1808         if (d2i_X509(&x, (const unsigned char **)&certbytes,
1809                      cert_len) == NULL) {
1810             SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB);
1811             goto err;
1812         }
1813 
1814         if (certbytes != (certstart + cert_len)) {
1815             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH);
1816             goto err;
1817         }
1818 
1819         if (SSL_IS_TLS13(s)) {
1820             RAW_EXTENSION *rawexts = NULL;
1821             PACKET extensions;
1822 
1823             if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
1824                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
1825                 goto err;
1826             }
1827             if (!tls_collect_extensions(s, &extensions,
1828                                         SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
1829                                         NULL, chainidx == 0)
1830                 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
1831                                              rawexts, x, chainidx,
1832                                              PACKET_remaining(pkt) == 0)) {
1833                 OPENSSL_free(rawexts);
1834                 /* SSLfatal already called */
1835                 goto err;
1836             }
1837             OPENSSL_free(rawexts);
1838         }
1839 
1840         if (!sk_X509_push(s->session->peer_chain, x)) {
1841             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
1842             goto err;
1843         }
1844         x = NULL;
1845     }
1846     return MSG_PROCESS_CONTINUE_PROCESSING;
1847 
1848  err:
1849     X509_free(x);
1850     sk_X509_pop_free(s->session->peer_chain, X509_free);
1851     s->session->peer_chain = NULL;
1852     return MSG_PROCESS_ERROR;
1853 }
1854 
1855 /*
1856  * Verify the s->session->peer_chain and check server cert type.
1857  * On success set s->session->peer and s->session->verify_result.
1858  * Else the peer certificate verification callback may request retry.
1859  */
1860 WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst)
1861 {
1862     X509 *x;
1863     EVP_PKEY *pkey = NULL;
1864     const SSL_CERT_LOOKUP *clu;
1865     size_t certidx;
1866     int i;
1867 
1868     if (s->rwstate == SSL_RETRY_VERIFY)
1869         s->rwstate = SSL_NOTHING;
1870     i = ssl_verify_cert_chain(s, s->session->peer_chain);
1871     if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) {
1872         return WORK_MORE_A;
1873     }
1874     /*
1875      * The documented interface is that SSL_VERIFY_PEER should be set in order
1876      * for client side verification of the server certificate to take place.
1877      * However, historically the code has only checked that *any* flag is set
1878      * to cause server verification to take place. Use of the other flags makes
1879      * no sense in client mode. An attempt to clean up the semantics was
1880      * reverted because at least one application *only* set
1881      * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
1882      * server verification to take place, after the clean up it silently did
1883      * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
1884      * sent to them because they are void functions. Therefore, we now use the
1885      * (less clean) historic behaviour of performing validation if any flag is
1886      * set. The *documented* interface remains the same.
1887      */
1888     if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
1889         SSLfatal(s, ssl_x509err2alert(s->verify_result),
1890                  SSL_R_CERTIFICATE_VERIFY_FAILED);
1891         return WORK_ERROR;
1892     }
1893     ERR_clear_error();          /* but we keep s->verify_result */
1894 
1895     /*
1896      * Inconsistency alert: cert_chain does include the peer's certificate,
1897      * which we don't include in statem_srvr.c
1898      */
1899     x = sk_X509_value(s->session->peer_chain, 0);
1900 
1901     pkey = X509_get0_pubkey(x);
1902 
1903     if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
1904         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1905                  SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1906         return WORK_ERROR;
1907     }
1908 
1909     if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) {
1910         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1911         return WORK_ERROR;
1912     }
1913     /*
1914      * Check certificate type is consistent with ciphersuite. For TLS 1.3
1915      * skip check since TLS 1.3 ciphersuites can be used with any certificate
1916      * type.
1917      */
1918     if (!SSL_IS_TLS13(s)) {
1919         if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) {
1920             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE);
1921             return WORK_ERROR;
1922         }
1923     }
1924 
1925     X509_free(s->session->peer);
1926     X509_up_ref(x);
1927     s->session->peer = x;
1928     s->session->verify_result = s->verify_result;
1929 
1930     /* Save the current hash state for when we receive the CertificateVerify */
1931     if (SSL_IS_TLS13(s)
1932             && !ssl_handshake_hash(s, s->cert_verify_hash,
1933                                    sizeof(s->cert_verify_hash),
1934                                    &s->cert_verify_hash_len)) {
1935         /* SSLfatal() already called */;
1936         return WORK_ERROR;
1937     }
1938     return WORK_FINISHED_CONTINUE;
1939 }
1940 
1941 static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt)
1942 {
1943 #ifndef OPENSSL_NO_PSK
1944     PACKET psk_identity_hint;
1945 
1946     /* PSK ciphersuites are preceded by an identity hint */
1947 
1948     if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
1949         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1950         return 0;
1951     }
1952 
1953     /*
1954      * Store PSK identity hint for later use, hint is used in
1955      * tls_construct_client_key_exchange.  Assume that the maximum length of
1956      * a PSK identity hint can be as long as the maximum length of a PSK
1957      * identity.
1958      */
1959     if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
1960         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG);
1961         return 0;
1962     }
1963 
1964     if (PACKET_remaining(&psk_identity_hint) == 0) {
1965         OPENSSL_free(s->session->psk_identity_hint);
1966         s->session->psk_identity_hint = NULL;
1967     } else if (!PACKET_strndup(&psk_identity_hint,
1968                                &s->session->psk_identity_hint)) {
1969         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1970         return 0;
1971     }
1972 
1973     return 1;
1974 #else
1975     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1976     return 0;
1977 #endif
1978 }
1979 
1980 static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
1981 {
1982 #ifndef OPENSSL_NO_SRP
1983     PACKET prime, generator, salt, server_pub;
1984 
1985     if (!PACKET_get_length_prefixed_2(pkt, &prime)
1986         || !PACKET_get_length_prefixed_2(pkt, &generator)
1987         || !PACKET_get_length_prefixed_1(pkt, &salt)
1988         || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
1989         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
1990         return 0;
1991     }
1992 
1993     if ((s->srp_ctx.N =
1994          BN_bin2bn(PACKET_data(&prime),
1995                    (int)PACKET_remaining(&prime), NULL)) == NULL
1996         || (s->srp_ctx.g =
1997             BN_bin2bn(PACKET_data(&generator),
1998                       (int)PACKET_remaining(&generator), NULL)) == NULL
1999         || (s->srp_ctx.s =
2000             BN_bin2bn(PACKET_data(&salt),
2001                       (int)PACKET_remaining(&salt), NULL)) == NULL
2002         || (s->srp_ctx.B =
2003             BN_bin2bn(PACKET_data(&server_pub),
2004                       (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
2005         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
2006         return 0;
2007     }
2008 
2009     if (!srp_verify_server_param(s)) {
2010         /* SSLfatal() already called */
2011         return 0;
2012     }
2013 
2014     /* We must check if there is a certificate */
2015     if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
2016         *pkey = X509_get0_pubkey(s->session->peer);
2017 
2018     return 1;
2019 #else
2020     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2021     return 0;
2022 #endif
2023 }
2024 
2025 static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
2026 {
2027     PACKET prime, generator, pub_key;
2028     EVP_PKEY *peer_tmp = NULL;
2029     BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
2030     EVP_PKEY_CTX *pctx = NULL;
2031     OSSL_PARAM *params = NULL;
2032     OSSL_PARAM_BLD *tmpl = NULL;
2033     int ret = 0;
2034 
2035     if (!PACKET_get_length_prefixed_2(pkt, &prime)
2036         || !PACKET_get_length_prefixed_2(pkt, &generator)
2037         || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
2038         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2039         return 0;
2040     }
2041 
2042     p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
2043     g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
2044                   NULL);
2045     bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
2046                           (int)PACKET_remaining(&pub_key), NULL);
2047     if (p == NULL || g == NULL || bnpub_key == NULL) {
2048         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB);
2049         goto err;
2050     }
2051 
2052     tmpl = OSSL_PARAM_BLD_new();
2053     if (tmpl == NULL
2054             || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
2055             || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g)
2056             || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY,
2057                                        bnpub_key)
2058             || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
2059         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2060         goto err;
2061     }
2062 
2063     pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
2064     if (pctx == NULL) {
2065         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2066         goto err;
2067     }
2068     if (EVP_PKEY_fromdata_init(pctx) <= 0
2069             || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR, params) <= 0) {
2070         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE);
2071         goto err;
2072     }
2073 
2074     EVP_PKEY_CTX_free(pctx);
2075     pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq);
2076     if (pctx == NULL
2077             /*
2078              * EVP_PKEY_param_check() will verify that the DH params are using
2079              * a safe prime. In this context, because we're using ephemeral DH,
2080              * we're ok with it not being a safe prime.
2081              * EVP_PKEY_param_check_quick() skips the safe prime check.
2082              */
2083             || EVP_PKEY_param_check_quick(pctx) != 1
2084             || EVP_PKEY_public_check(pctx) != 1) {
2085         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE);
2086         goto err;
2087     }
2088 
2089     if (!ssl_security(s, SSL_SECOP_TMP_DH,
2090                       EVP_PKEY_get_security_bits(peer_tmp),
2091                       0, peer_tmp)) {
2092         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL);
2093         goto err;
2094     }
2095 
2096     s->s3.peer_tmp = peer_tmp;
2097     peer_tmp = NULL;
2098 
2099     /*
2100      * FIXME: This makes assumptions about which ciphersuites come with
2101      * public keys. We should have a less ad-hoc way of doing this
2102      */
2103     if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
2104         *pkey = X509_get0_pubkey(s->session->peer);
2105     /* else anonymous DH, so no certificate or pkey. */
2106 
2107     ret = 1;
2108 
2109  err:
2110     OSSL_PARAM_BLD_free(tmpl);
2111     OSSL_PARAM_free(params);
2112     EVP_PKEY_free(peer_tmp);
2113     EVP_PKEY_CTX_free(pctx);
2114     BN_free(p);
2115     BN_free(g);
2116     BN_free(bnpub_key);
2117 
2118     return ret;
2119 }
2120 
2121 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
2122 {
2123     PACKET encoded_pt;
2124     unsigned int curve_type, curve_id;
2125 
2126     /*
2127      * Extract elliptic curve parameters and the server's ephemeral ECDH
2128      * public key. We only support named (not generic) curves and
2129      * ECParameters in this case is just three bytes.
2130      */
2131     if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) {
2132         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
2133         return 0;
2134     }
2135     /*
2136      * Check curve is named curve type and one of our preferences, if not
2137      * server has sent an invalid curve.
2138      */
2139     if (curve_type != NAMED_CURVE_TYPE
2140             || !tls1_check_group_id(s, curve_id, 1)) {
2141         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE);
2142         return 0;
2143     }
2144 
2145     if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) {
2146         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2147                  SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
2148         return 0;
2149     }
2150 
2151     if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
2152         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2153         return 0;
2154     }
2155 
2156     if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
2157                                          PACKET_data(&encoded_pt),
2158                                          PACKET_remaining(&encoded_pt)) <= 0) {
2159         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT);
2160         return 0;
2161     }
2162 
2163     /*
2164      * The ECC/TLS specification does not mention the use of DSA to sign
2165      * ECParameters in the server key exchange message. We do support RSA
2166      * and ECDSA.
2167      */
2168     if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA)
2169         *pkey = X509_get0_pubkey(s->session->peer);
2170     else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA)
2171         *pkey = X509_get0_pubkey(s->session->peer);
2172     /* else anonymous ECDH, so no certificate or pkey. */
2173 
2174     /* Cache the agreed upon group in the SSL_SESSION */
2175     s->session->kex_group = curve_id;
2176     return 1;
2177 }
2178 
2179 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
2180 {
2181     long alg_k;
2182     EVP_PKEY *pkey = NULL;
2183     EVP_MD_CTX *md_ctx = NULL;
2184     EVP_PKEY_CTX *pctx = NULL;
2185     PACKET save_param_start, signature;
2186 
2187     alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
2188 
2189     save_param_start = *pkt;
2190 
2191     EVP_PKEY_free(s->s3.peer_tmp);
2192     s->s3.peer_tmp = NULL;
2193 
2194     if (alg_k & SSL_PSK) {
2195         if (!tls_process_ske_psk_preamble(s, pkt)) {
2196             /* SSLfatal() already called */
2197             goto err;
2198         }
2199     }
2200 
2201     /* Nothing else to do for plain PSK or RSAPSK */
2202     if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
2203     } else if (alg_k & SSL_kSRP) {
2204         if (!tls_process_ske_srp(s, pkt, &pkey)) {
2205             /* SSLfatal() already called */
2206             goto err;
2207         }
2208     } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2209         if (!tls_process_ske_dhe(s, pkt, &pkey)) {
2210             /* SSLfatal() already called */
2211             goto err;
2212         }
2213     } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
2214         if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
2215             /* SSLfatal() already called */
2216             goto err;
2217         }
2218     } else if (alg_k) {
2219         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE);
2220         goto err;
2221     }
2222 
2223     /* if it was signed, check the signature */
2224     if (pkey != NULL) {
2225         PACKET params;
2226         const EVP_MD *md = NULL;
2227         unsigned char *tbs;
2228         size_t tbslen;
2229         int rv;
2230 
2231         /*
2232          * |pkt| now points to the beginning of the signature, so the difference
2233          * equals the length of the parameters.
2234          */
2235         if (!PACKET_get_sub_packet(&save_param_start, &params,
2236                                    PACKET_remaining(&save_param_start) -
2237                                    PACKET_remaining(pkt))) {
2238             SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR);
2239             goto err;
2240         }
2241 
2242         if (SSL_USE_SIGALGS(s)) {
2243             unsigned int sigalg;
2244 
2245             if (!PACKET_get_net_2(pkt, &sigalg)) {
2246                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT);
2247                 goto err;
2248             }
2249             if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
2250                 /* SSLfatal() already called */
2251                 goto err;
2252             }
2253         } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
2254             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2255                      SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
2256             goto err;
2257         }
2258 
2259         if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
2260             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2261                      SSL_R_NO_SUITABLE_DIGEST_ALGORITHM);
2262             goto err;
2263         }
2264         if (SSL_USE_SIGALGS(s))
2265             OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
2266                         md == NULL ? "n/a" : EVP_MD_get0_name(md));
2267 
2268         if (!PACKET_get_length_prefixed_2(pkt, &signature)
2269             || PACKET_remaining(pkt) != 0) {
2270             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2271             goto err;
2272         }
2273 
2274         md_ctx = EVP_MD_CTX_new();
2275         if (md_ctx == NULL) {
2276             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2277             goto err;
2278         }
2279 
2280         if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
2281                                     md == NULL ? NULL : EVP_MD_get0_name(md),
2282                                     s->ctx->libctx, s->ctx->propq, pkey,
2283                                     NULL) <= 0) {
2284             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2285             goto err;
2286         }
2287         if (SSL_USE_PSS(s)) {
2288             if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
2289                 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
2290                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
2291                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2292                 goto err;
2293             }
2294         }
2295         tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
2296                                             PACKET_remaining(&params));
2297         if (tbslen == 0) {
2298             /* SSLfatal() already called */
2299             goto err;
2300         }
2301 
2302         rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
2303                               PACKET_remaining(&signature), tbs, tbslen);
2304         OPENSSL_free(tbs);
2305         if (rv <= 0) {
2306             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
2307             goto err;
2308         }
2309         EVP_MD_CTX_free(md_ctx);
2310         md_ctx = NULL;
2311     } else {
2312         /* aNULL, aSRP or PSK do not need public keys */
2313         if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
2314             && !(alg_k & SSL_PSK)) {
2315             /* Might be wrong key type, check it */
2316             if (ssl3_check_cert_and_algorithm(s)) {
2317                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA);
2318             }
2319             /* else this shouldn't happen, SSLfatal() already called */
2320             goto err;
2321         }
2322         /* still data left over */
2323         if (PACKET_remaining(pkt) != 0) {
2324             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE);
2325             goto err;
2326         }
2327     }
2328 
2329     return MSG_PROCESS_CONTINUE_READING;
2330  err:
2331     EVP_MD_CTX_free(md_ctx);
2332     return MSG_PROCESS_ERROR;
2333 }
2334 
2335 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
2336 {
2337     size_t i;
2338 
2339     /* Clear certificate validity flags */
2340     for (i = 0; i < SSL_PKEY_NUM; i++)
2341         s->s3.tmp.valid_flags[i] = 0;
2342 
2343     if (SSL_IS_TLS13(s)) {
2344         PACKET reqctx, extensions;
2345         RAW_EXTENSION *rawexts = NULL;
2346 
2347         if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
2348             /*
2349              * We already sent close_notify. This can only happen in TLSv1.3
2350              * post-handshake messages. We can't reasonably respond to this, so
2351              * we just ignore it
2352              */
2353             return MSG_PROCESS_FINISHED_READING;
2354         }
2355 
2356         /* Free and zero certificate types: it is not present in TLS 1.3 */
2357         OPENSSL_free(s->s3.tmp.ctype);
2358         s->s3.tmp.ctype = NULL;
2359         s->s3.tmp.ctype_len = 0;
2360         OPENSSL_free(s->pha_context);
2361         s->pha_context = NULL;
2362         s->pha_context_len = 0;
2363 
2364         if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
2365             !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
2366             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2367             return MSG_PROCESS_ERROR;
2368         }
2369 
2370         if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
2371             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH);
2372             return MSG_PROCESS_ERROR;
2373         }
2374         if (!tls_collect_extensions(s, &extensions,
2375                                     SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
2376                                     &rawexts, NULL, 1)
2377             || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
2378                                          rawexts, NULL, 0, 1)) {
2379             /* SSLfatal() already called */
2380             OPENSSL_free(rawexts);
2381             return MSG_PROCESS_ERROR;
2382         }
2383         OPENSSL_free(rawexts);
2384         if (!tls1_process_sigalgs(s)) {
2385             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH);
2386             return MSG_PROCESS_ERROR;
2387         }
2388     } else {
2389         PACKET ctypes;
2390 
2391         /* get the certificate types */
2392         if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
2393             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2394             return MSG_PROCESS_ERROR;
2395         }
2396 
2397         if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) {
2398             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2399             return MSG_PROCESS_ERROR;
2400         }
2401 
2402         if (SSL_USE_SIGALGS(s)) {
2403             PACKET sigalgs;
2404 
2405             if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
2406                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2407                 return MSG_PROCESS_ERROR;
2408             }
2409 
2410             /*
2411              * Despite this being for certificates, preserve compatibility
2412              * with pre-TLS 1.3 and use the regular sigalgs field.
2413              */
2414             if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
2415                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2416                          SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2417                 return MSG_PROCESS_ERROR;
2418             }
2419             if (!tls1_process_sigalgs(s)) {
2420                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2421                 return MSG_PROCESS_ERROR;
2422             }
2423         }
2424 
2425         /* get the CA RDNs */
2426         if (!parse_ca_names(s, pkt)) {
2427             /* SSLfatal() already called */
2428             return MSG_PROCESS_ERROR;
2429         }
2430     }
2431 
2432     if (PACKET_remaining(pkt) != 0) {
2433         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2434         return MSG_PROCESS_ERROR;
2435     }
2436 
2437     /* we should setup a certificate to return.... */
2438     s->s3.tmp.cert_req = 1;
2439 
2440     /*
2441      * In TLSv1.3 we don't prepare the client certificate yet. We wait until
2442      * after the CertificateVerify message has been received. This is because
2443      * in TLSv1.3 the CertificateRequest arrives before the Certificate message
2444      * but in TLSv1.2 it is the other way around. We want to make sure that
2445      * SSL_get1_peer_certificate() returns something sensible in
2446      * client_cert_cb.
2447      */
2448     if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED)
2449         return MSG_PROCESS_CONTINUE_READING;
2450 
2451     return MSG_PROCESS_CONTINUE_PROCESSING;
2452 }
2453 
2454 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
2455 {
2456     unsigned int ticklen;
2457     unsigned long ticket_lifetime_hint, age_add = 0;
2458     unsigned int sess_len;
2459     RAW_EXTENSION *exts = NULL;
2460     PACKET nonce;
2461     EVP_MD *sha256 = NULL;
2462 
2463     PACKET_null_init(&nonce);
2464 
2465     if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
2466         || (SSL_IS_TLS13(s)
2467             && (!PACKET_get_net_4(pkt, &age_add)
2468                 || !PACKET_get_length_prefixed_1(pkt, &nonce)))
2469         || !PACKET_get_net_2(pkt, &ticklen)
2470         || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen)
2471                             : PACKET_remaining(pkt) != ticklen)) {
2472         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2473         goto err;
2474     }
2475 
2476     /*
2477      * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2478      * ticket. We already checked this TLSv1.3 case above, so it should never
2479      * be 0 here in that instance
2480      */
2481     if (ticklen == 0)
2482         return MSG_PROCESS_CONTINUE_READING;
2483 
2484     /*
2485      * Sessions must be immutable once they go into the session cache. Otherwise
2486      * we can get multi-thread problems. Therefore we don't "update" sessions,
2487      * we replace them with a duplicate. In TLSv1.3 we need to do this every
2488      * time a NewSessionTicket arrives because those messages arrive
2489      * post-handshake and the session may have already gone into the session
2490      * cache.
2491      */
2492     if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {
2493         SSL_SESSION *new_sess;
2494 
2495         /*
2496          * We reused an existing session, so we need to replace it with a new
2497          * one
2498          */
2499         if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2500             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2501             goto err;
2502         }
2503 
2504         if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
2505                 && !SSL_IS_TLS13(s)) {
2506             /*
2507              * In TLSv1.2 and below the arrival of a new tickets signals that
2508              * any old ticket we were using is now out of date, so we remove the
2509              * old session from the cache. We carry on if this fails
2510              */
2511             SSL_CTX_remove_session(s->session_ctx, s->session);
2512         }
2513 
2514         SSL_SESSION_free(s->session);
2515         s->session = new_sess;
2516     }
2517 
2518     s->session->time = time(NULL);
2519     ssl_session_calculate_timeout(s->session);
2520 
2521     OPENSSL_free(s->session->ext.tick);
2522     s->session->ext.tick = NULL;
2523     s->session->ext.ticklen = 0;
2524 
2525     s->session->ext.tick = OPENSSL_malloc(ticklen);
2526     if (s->session->ext.tick == NULL) {
2527         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2528         goto err;
2529     }
2530     if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
2531         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2532         goto err;
2533     }
2534 
2535     s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
2536     s->session->ext.tick_age_add = age_add;
2537     s->session->ext.ticklen = ticklen;
2538 
2539     if (SSL_IS_TLS13(s)) {
2540         PACKET extpkt;
2541 
2542         if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
2543                 || PACKET_remaining(pkt) != 0) {
2544             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2545             goto err;
2546         }
2547 
2548         if (!tls_collect_extensions(s, &extpkt,
2549                                     SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts,
2550                                     NULL, 1)
2551                 || !tls_parse_all_extensions(s,
2552                                              SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
2553                                              exts, NULL, 0, 1)) {
2554             /* SSLfatal() already called */
2555             goto err;
2556         }
2557     }
2558 
2559     /*
2560      * There are two ways to detect a resumed ticket session. One is to set
2561      * an appropriate session ID and then the server must return a match in
2562      * ServerHello. This allows the normal client session ID matching to work
2563      * and we know much earlier that the ticket has been accepted. The
2564      * other way is to set zero length session ID when the ticket is
2565      * presented and rely on the handshake to determine session resumption.
2566      * We choose the former approach because this fits in with assumptions
2567      * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
2568      * ticket.
2569      */
2570     sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq);
2571     if (sha256 == NULL) {
2572         /* Error is already recorded */
2573         SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
2574         goto err;
2575     }
2576     /*
2577      * We use sess_len here because EVP_Digest expects an int
2578      * but s->session->session_id_length is a size_t
2579      */
2580     if (!EVP_Digest(s->session->ext.tick, ticklen,
2581                     s->session->session_id, &sess_len,
2582                     sha256, NULL)) {
2583         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2584         goto err;
2585     }
2586     EVP_MD_free(sha256);
2587     sha256 = NULL;
2588     s->session->session_id_length = sess_len;
2589     s->session->not_resumable = 0;
2590 
2591     /* This is a standalone message in TLSv1.3, so there is no more to read */
2592     if (SSL_IS_TLS13(s)) {
2593         const EVP_MD *md = ssl_handshake_md(s);
2594         int hashleni = EVP_MD_get_size(md);
2595         size_t hashlen;
2596         static const unsigned char nonce_label[] = "resumption";
2597 
2598         /* Ensure cast to size_t is safe */
2599         if (!ossl_assert(hashleni >= 0)) {
2600             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2601             goto err;
2602         }
2603         hashlen = (size_t)hashleni;
2604 
2605         if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
2606                                nonce_label,
2607                                sizeof(nonce_label) - 1,
2608                                PACKET_data(&nonce),
2609                                PACKET_remaining(&nonce),
2610                                s->session->master_key,
2611                                hashlen, 1)) {
2612             /* SSLfatal() already called */
2613             goto err;
2614         }
2615         s->session->master_key_length = hashlen;
2616 
2617         OPENSSL_free(exts);
2618         ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
2619         return MSG_PROCESS_FINISHED_READING;
2620     }
2621 
2622     return MSG_PROCESS_CONTINUE_READING;
2623  err:
2624     EVP_MD_free(sha256);
2625     OPENSSL_free(exts);
2626     return MSG_PROCESS_ERROR;
2627 }
2628 
2629 /*
2630  * In TLSv1.3 this is called from the extensions code, otherwise it is used to
2631  * parse a separate message. Returns 1 on success or 0 on failure
2632  */
2633 int tls_process_cert_status_body(SSL *s, PACKET *pkt)
2634 {
2635     size_t resplen;
2636     unsigned int type;
2637 
2638     if (!PACKET_get_1(pkt, &type)
2639         || type != TLSEXT_STATUSTYPE_ocsp) {
2640         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE);
2641         return 0;
2642     }
2643     if (!PACKET_get_net_3_len(pkt, &resplen)
2644         || PACKET_remaining(pkt) != resplen) {
2645         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2646         return 0;
2647     }
2648     s->ext.ocsp.resp = OPENSSL_malloc(resplen);
2649     if (s->ext.ocsp.resp == NULL) {
2650         s->ext.ocsp.resp_len = 0;
2651         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2652         return 0;
2653     }
2654     s->ext.ocsp.resp_len = resplen;
2655     if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
2656         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2657         return 0;
2658     }
2659 
2660     return 1;
2661 }
2662 
2663 
2664 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
2665 {
2666     if (!tls_process_cert_status_body(s, pkt)) {
2667         /* SSLfatal() already called */
2668         return MSG_PROCESS_ERROR;
2669     }
2670 
2671     return MSG_PROCESS_CONTINUE_READING;
2672 }
2673 
2674 /*
2675  * Perform miscellaneous checks and processing after we have received the
2676  * server's initial flight. In TLS1.3 this is after the Server Finished message.
2677  * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2678  * on failure.
2679  */
2680 int tls_process_initial_server_flight(SSL *s)
2681 {
2682     /*
2683      * at this point we check that we have the required stuff from
2684      * the server
2685      */
2686     if (!ssl3_check_cert_and_algorithm(s)) {
2687         /* SSLfatal() already called */
2688         return 0;
2689     }
2690 
2691     /*
2692      * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2693      * |ext.ocsp.resp_len| values will be set if we actually received a status
2694      * message, or NULL and -1 otherwise
2695      */
2696     if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
2697             && s->ctx->ext.status_cb != NULL) {
2698         int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2699 
2700         if (ret == 0) {
2701             SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
2702                      SSL_R_INVALID_STATUS_RESPONSE);
2703             return 0;
2704         }
2705         if (ret < 0) {
2706             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2707                      SSL_R_OCSP_CALLBACK_FAILURE);
2708             return 0;
2709         }
2710     }
2711 #ifndef OPENSSL_NO_CT
2712     if (s->ct_validation_callback != NULL) {
2713         /* Note we validate the SCTs whether or not we abort on error */
2714         if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
2715             /* SSLfatal() already called */
2716             return 0;
2717         }
2718     }
2719 #endif
2720 
2721     return 1;
2722 }
2723 
2724 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
2725 {
2726     if (PACKET_remaining(pkt) > 0) {
2727         /* should contain no data */
2728         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2729         return MSG_PROCESS_ERROR;
2730     }
2731 #ifndef OPENSSL_NO_SRP
2732     if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2733         if (ssl_srp_calc_a_param_intern(s) <= 0) {
2734             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC);
2735             return MSG_PROCESS_ERROR;
2736         }
2737     }
2738 #endif
2739 
2740     if (!tls_process_initial_server_flight(s)) {
2741         /* SSLfatal() already called */
2742         return MSG_PROCESS_ERROR;
2743     }
2744 
2745     return MSG_PROCESS_FINISHED_READING;
2746 }
2747 
2748 static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)
2749 {
2750 #ifndef OPENSSL_NO_PSK
2751     int ret = 0;
2752     /*
2753      * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2754      * \0-terminated identity. The last byte is for us for simulating
2755      * strnlen.
2756      */
2757     char identity[PSK_MAX_IDENTITY_LEN + 1];
2758     size_t identitylen = 0;
2759     unsigned char psk[PSK_MAX_PSK_LEN];
2760     unsigned char *tmppsk = NULL;
2761     char *tmpidentity = NULL;
2762     size_t psklen = 0;
2763 
2764     if (s->psk_client_callback == NULL) {
2765         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB);
2766         goto err;
2767     }
2768 
2769     memset(identity, 0, sizeof(identity));
2770 
2771     psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2772                                     identity, sizeof(identity) - 1,
2773                                     psk, sizeof(psk));
2774 
2775     if (psklen > PSK_MAX_PSK_LEN) {
2776         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
2777         psklen = PSK_MAX_PSK_LEN;   /* Avoid overrunning the array on cleanse */
2778         goto err;
2779     } else if (psklen == 0) {
2780         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND);
2781         goto err;
2782     }
2783 
2784     identitylen = strlen(identity);
2785     if (identitylen > PSK_MAX_IDENTITY_LEN) {
2786         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2787         goto err;
2788     }
2789 
2790     tmppsk = OPENSSL_memdup(psk, psklen);
2791     tmpidentity = OPENSSL_strdup(identity);
2792     if (tmppsk == NULL || tmpidentity == NULL) {
2793         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2794         goto err;
2795     }
2796 
2797     OPENSSL_free(s->s3.tmp.psk);
2798     s->s3.tmp.psk = tmppsk;
2799     s->s3.tmp.psklen = psklen;
2800     tmppsk = NULL;
2801     OPENSSL_free(s->session->psk_identity);
2802     s->session->psk_identity = tmpidentity;
2803     tmpidentity = NULL;
2804 
2805     if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen))  {
2806         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2807         goto err;
2808     }
2809 
2810     ret = 1;
2811 
2812  err:
2813     OPENSSL_cleanse(psk, psklen);
2814     OPENSSL_cleanse(identity, sizeof(identity));
2815     OPENSSL_clear_free(tmppsk, psklen);
2816     OPENSSL_clear_free(tmpidentity, identitylen);
2817 
2818     return ret;
2819 #else
2820     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2821     return 0;
2822 #endif
2823 }
2824 
2825 static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
2826 {
2827     unsigned char *encdata = NULL;
2828     EVP_PKEY *pkey = NULL;
2829     EVP_PKEY_CTX *pctx = NULL;
2830     size_t enclen;
2831     unsigned char *pms = NULL;
2832     size_t pmslen = 0;
2833 
2834     if (s->session->peer == NULL) {
2835         /*
2836          * We should always have a server certificate with SSL_kRSA.
2837          */
2838         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2839         return 0;
2840     }
2841 
2842     pkey = X509_get0_pubkey(s->session->peer);
2843     if (!EVP_PKEY_is_a(pkey, "RSA")) {
2844         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2845         return 0;
2846     }
2847 
2848     pmslen = SSL_MAX_MASTER_KEY_LENGTH;
2849     pms = OPENSSL_malloc(pmslen);
2850     if (pms == NULL) {
2851         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2852         return 0;
2853     }
2854 
2855     pms[0] = s->client_version >> 8;
2856     pms[1] = s->client_version & 0xff;
2857     if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) {
2858         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2859         goto err;
2860     }
2861 
2862     /* Fix buf for TLS and beyond */
2863     if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
2864         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2865         goto err;
2866     }
2867 
2868     pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pkey, s->ctx->propq);
2869     if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
2870         || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
2871         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
2872         goto err;
2873     }
2874     if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
2875             || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
2876         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT);
2877         goto err;
2878     }
2879     EVP_PKEY_CTX_free(pctx);
2880     pctx = NULL;
2881 
2882     /* Fix buf for TLS and beyond */
2883     if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
2884         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2885         goto err;
2886     }
2887 
2888     /* Log the premaster secret, if logging is enabled. */
2889     if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
2890         /* SSLfatal() already called */
2891         goto err;
2892     }
2893 
2894     s->s3.tmp.pms = pms;
2895     s->s3.tmp.pmslen = pmslen;
2896 
2897     return 1;
2898  err:
2899     OPENSSL_clear_free(pms, pmslen);
2900     EVP_PKEY_CTX_free(pctx);
2901 
2902     return 0;
2903 }
2904 
2905 static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
2906 {
2907     EVP_PKEY *ckey = NULL, *skey = NULL;
2908     unsigned char *keybytes = NULL;
2909     int prime_len;
2910     unsigned char *encoded_pub = NULL;
2911     size_t encoded_pub_len, pad_len;
2912     int ret = 0;
2913 
2914     skey = s->s3.peer_tmp;
2915     if (skey == NULL) {
2916         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2917         goto err;
2918     }
2919 
2920     ckey = ssl_generate_pkey(s, skey);
2921     if (ckey == NULL) {
2922         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2923         goto err;
2924     }
2925 
2926     if (ssl_derive(s, ckey, skey, 0) == 0) {
2927         /* SSLfatal() already called */
2928         goto err;
2929     }
2930 
2931     /* send off the data */
2932 
2933     /* Generate encoding of server key */
2934     encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub);
2935     if (encoded_pub_len == 0) {
2936         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2937         EVP_PKEY_free(ckey);
2938         return EXT_RETURN_FAIL;
2939     }
2940 
2941     /*
2942      * For interoperability with some versions of the Microsoft TLS
2943      * stack, we need to zero pad the DHE pub key to the same length
2944      * as the prime.
2945      */
2946     prime_len = EVP_PKEY_get_size(ckey);
2947     pad_len = prime_len - encoded_pub_len;
2948     if (pad_len > 0) {
2949         if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)) {
2950             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2951             goto err;
2952         }
2953         memset(keybytes, 0, pad_len);
2954     }
2955 
2956     if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)) {
2957         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2958         goto err;
2959     }
2960 
2961     ret = 1;
2962  err:
2963     OPENSSL_free(encoded_pub);
2964     EVP_PKEY_free(ckey);
2965     return ret;
2966 }
2967 
2968 static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt)
2969 {
2970     unsigned char *encodedPoint = NULL;
2971     size_t encoded_pt_len = 0;
2972     EVP_PKEY *ckey = NULL, *skey = NULL;
2973     int ret = 0;
2974 
2975     skey = s->s3.peer_tmp;
2976     if (skey == NULL) {
2977         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2978         return 0;
2979     }
2980 
2981     ckey = ssl_generate_pkey(s, skey);
2982     if (ckey == NULL) {
2983         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2984         goto err;
2985     }
2986 
2987     if (ssl_derive(s, ckey, skey, 0) == 0) {
2988         /* SSLfatal() already called */
2989         goto err;
2990     }
2991 
2992     /* Generate encoding of client key */
2993     encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint);
2994 
2995     if (encoded_pt_len == 0) {
2996         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB);
2997         goto err;
2998     }
2999 
3000     if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
3001         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3002         goto err;
3003     }
3004 
3005     ret = 1;
3006  err:
3007     OPENSSL_free(encodedPoint);
3008     EVP_PKEY_free(ckey);
3009     return ret;
3010 }
3011 
3012 static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
3013 {
3014 #ifndef OPENSSL_NO_GOST
3015     /* GOST key exchange message creation */
3016     EVP_PKEY_CTX *pkey_ctx = NULL;
3017     X509 *peer_cert;
3018     size_t msglen;
3019     unsigned int md_len;
3020     unsigned char shared_ukm[32], tmp[256];
3021     EVP_MD_CTX *ukm_hash = NULL;
3022     int dgst_nid = NID_id_GostR3411_94;
3023     unsigned char *pms = NULL;
3024     size_t pmslen = 0;
3025 
3026     if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
3027         dgst_nid = NID_id_GostR3411_2012_256;
3028 
3029     /*
3030      * Get server certificate PKEY and create ctx from it
3031      */
3032     peer_cert = s->session->peer;
3033     if (peer_cert == NULL) {
3034         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3035                  SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3036         return 0;
3037     }
3038 
3039     pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
3040                                           X509_get0_pubkey(peer_cert),
3041                                           s->ctx->propq);
3042     if (pkey_ctx == NULL) {
3043         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3044         return 0;
3045     }
3046     /*
3047      * If we have send a certificate, and certificate key
3048      * parameters match those of server certificate, use
3049      * certificate key for key exchange
3050      */
3051 
3052     /* Otherwise, generate ephemeral key pair */
3053     pmslen = 32;
3054     pms = OPENSSL_malloc(pmslen);
3055     if (pms == NULL) {
3056         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3057         goto err;
3058     }
3059 
3060     if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
3061         /* Generate session key
3062          */
3063         || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
3064         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3065         goto err;
3066     };
3067     /*
3068      * Compute shared IV and store it in algorithm-specific context
3069      * data
3070      */
3071     ukm_hash = EVP_MD_CTX_new();
3072     if (ukm_hash == NULL
3073         || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
3074         || EVP_DigestUpdate(ukm_hash, s->s3.client_random,
3075                             SSL3_RANDOM_SIZE) <= 0
3076         || EVP_DigestUpdate(ukm_hash, s->s3.server_random,
3077                             SSL3_RANDOM_SIZE) <= 0
3078         || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
3079         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3080         goto err;
3081     }
3082     EVP_MD_CTX_free(ukm_hash);
3083     ukm_hash = NULL;
3084     if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3085                           EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) <= 0) {
3086         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3087         goto err;
3088     }
3089     /* Make GOST keytransport blob message */
3090     /*
3091      * Encapsulate it into sequence
3092      */
3093     msglen = 255;
3094     if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
3095         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3096         goto err;
3097     }
3098 
3099     if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
3100             || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
3101             || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
3102         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3103         goto err;
3104     }
3105 
3106     EVP_PKEY_CTX_free(pkey_ctx);
3107     s->s3.tmp.pms = pms;
3108     s->s3.tmp.pmslen = pmslen;
3109 
3110     return 1;
3111  err:
3112     EVP_PKEY_CTX_free(pkey_ctx);
3113     OPENSSL_clear_free(pms, pmslen);
3114     EVP_MD_CTX_free(ukm_hash);
3115     return 0;
3116 #else
3117     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3118     return 0;
3119 #endif
3120 }
3121 
3122 #ifndef OPENSSL_NO_GOST
3123 int ossl_gost18_cke_cipher_nid(const SSL *s)
3124 {
3125     if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0)
3126         return NID_magma_ctr;
3127     else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0)
3128         return NID_kuznyechik_ctr;
3129 
3130     return NID_undef;
3131 }
3132 
3133 int ossl_gost_ukm(const SSL *s, unsigned char *dgst_buf)
3134 {
3135     EVP_MD_CTX * hash = NULL;
3136     unsigned int md_len;
3137     const EVP_MD *md = ssl_evp_md_fetch(s->ctx->libctx, NID_id_GostR3411_2012_256, s->ctx->propq);
3138 
3139     if (md == NULL)
3140         return 0;
3141 
3142     if ((hash = EVP_MD_CTX_new()) == NULL
3143         || EVP_DigestInit(hash, md) <= 0
3144         || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0
3145         || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0
3146         || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
3147         EVP_MD_CTX_free(hash);
3148         ssl_evp_md_free(md);
3149         return 0;
3150     }
3151 
3152     EVP_MD_CTX_free(hash);
3153     ssl_evp_md_free(md);
3154     return 1;
3155 }
3156 #endif
3157 
3158 static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
3159 {
3160 #ifndef OPENSSL_NO_GOST
3161     /* GOST 2018 key exchange message creation */
3162     unsigned char rnd_dgst[32];
3163     unsigned char *encdata = NULL;
3164     EVP_PKEY_CTX *pkey_ctx = NULL;
3165     X509 *peer_cert;
3166     unsigned char *pms = NULL;
3167     size_t pmslen = 0;
3168     size_t msglen;
3169     int cipher_nid = ossl_gost18_cke_cipher_nid(s);
3170 
3171     if (cipher_nid == NID_undef) {
3172         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3173         return 0;
3174     }
3175 
3176     if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
3177         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3178         goto err;
3179     }
3180 
3181     /* Pre-master secret - random bytes */
3182     pmslen = 32;
3183     pms = OPENSSL_malloc(pmslen);
3184     if (pms == NULL) {
3185         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3186         goto err;
3187     }
3188 
3189     if (RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
3190         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3191         goto err;
3192     }
3193 
3194      /* Get server certificate PKEY and create ctx from it */
3195     peer_cert = s->session->peer;
3196     if (peer_cert == NULL) {
3197         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3198                  SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3199         goto err;
3200     }
3201 
3202     pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
3203                                           X509_get0_pubkey(peer_cert),
3204                                           s->ctx->propq);
3205     if (pkey_ctx == NULL) {
3206         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3207         goto err;
3208     }
3209 
3210     if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) {
3211         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3212         goto err;
3213     };
3214 
3215     /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
3216     if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3217                           EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) {
3218         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3219         goto err;
3220     }
3221 
3222     if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3223                           EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) {
3224         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG);
3225         goto err;
3226     }
3227 
3228     if (EVP_PKEY_encrypt(pkey_ctx, NULL, &msglen, pms, pmslen) <= 0) {
3229         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
3230         goto err;
3231     }
3232 
3233     if (!WPACKET_allocate_bytes(pkt, msglen, &encdata)
3234             || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) {
3235         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
3236         goto err;
3237     }
3238 
3239     EVP_PKEY_CTX_free(pkey_ctx);
3240     pkey_ctx = NULL;
3241     s->s3.tmp.pms = pms;
3242     s->s3.tmp.pmslen = pmslen;
3243 
3244     return 1;
3245  err:
3246     EVP_PKEY_CTX_free(pkey_ctx);
3247     OPENSSL_clear_free(pms, pmslen);
3248     return 0;
3249 #else
3250     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3251     return 0;
3252 #endif
3253 }
3254 
3255 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
3256 {
3257 #ifndef OPENSSL_NO_SRP
3258     unsigned char *abytes = NULL;
3259 
3260     if (s->srp_ctx.A == NULL
3261             || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
3262                                                &abytes)) {
3263         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3264         return 0;
3265     }
3266     BN_bn2bin(s->srp_ctx.A, abytes);
3267 
3268     OPENSSL_free(s->session->srp_username);
3269     s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
3270     if (s->session->srp_username == NULL) {
3271         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3272         return 0;
3273     }
3274 
3275     return 1;
3276 #else
3277     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3278     return 0;
3279 #endif
3280 }
3281 
3282 int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
3283 {
3284     unsigned long alg_k;
3285 
3286     alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3287 
3288     /*
3289      * All of the construct functions below call SSLfatal() if necessary so
3290      * no need to do so here.
3291      */
3292     if ((alg_k & SSL_PSK)
3293         && !tls_construct_cke_psk_preamble(s, pkt))
3294         goto err;
3295 
3296     if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
3297         if (!tls_construct_cke_rsa(s, pkt))
3298             goto err;
3299     } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
3300         if (!tls_construct_cke_dhe(s, pkt))
3301             goto err;
3302     } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
3303         if (!tls_construct_cke_ecdhe(s, pkt))
3304             goto err;
3305     } else if (alg_k & SSL_kGOST) {
3306         if (!tls_construct_cke_gost(s, pkt))
3307             goto err;
3308     } else if (alg_k & SSL_kGOST18) {
3309         if (!tls_construct_cke_gost18(s, pkt))
3310             goto err;
3311     } else if (alg_k & SSL_kSRP) {
3312         if (!tls_construct_cke_srp(s, pkt))
3313             goto err;
3314     } else if (!(alg_k & SSL_kPSK)) {
3315         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3316         goto err;
3317     }
3318 
3319     return 1;
3320  err:
3321     OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen);
3322     s->s3.tmp.pms = NULL;
3323     s->s3.tmp.pmslen = 0;
3324 #ifndef OPENSSL_NO_PSK
3325     OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen);
3326     s->s3.tmp.psk = NULL;
3327     s->s3.tmp.psklen = 0;
3328 #endif
3329     return 0;
3330 }
3331 
3332 int tls_client_key_exchange_post_work(SSL *s)
3333 {
3334     unsigned char *pms = NULL;
3335     size_t pmslen = 0;
3336 
3337     pms = s->s3.tmp.pms;
3338     pmslen = s->s3.tmp.pmslen;
3339 
3340 #ifndef OPENSSL_NO_SRP
3341     /* Check for SRP */
3342     if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
3343         if (!srp_generate_client_master_secret(s)) {
3344             /* SSLfatal() already called */
3345             goto err;
3346         }
3347         return 1;
3348     }
3349 #endif
3350 
3351     if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
3352         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
3353         goto err;
3354     }
3355     if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
3356         /* SSLfatal() already called */
3357         /* ssl_generate_master_secret frees the pms even on error */
3358         pms = NULL;
3359         pmslen = 0;
3360         goto err;
3361     }
3362     pms = NULL;
3363     pmslen = 0;
3364 
3365 #ifndef OPENSSL_NO_SCTP
3366     if (SSL_IS_DTLS(s)) {
3367         unsigned char sctpauthkey[64];
3368         char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3369         size_t labellen;
3370 
3371         /*
3372          * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3373          * used.
3374          */
3375         memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3376                sizeof(DTLS1_SCTP_AUTH_LABEL));
3377 
3378         /* Don't include the terminating zero. */
3379         labellen = sizeof(labelbuffer) - 1;
3380         if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
3381             labellen += 1;
3382 
3383         if (SSL_export_keying_material(s, sctpauthkey,
3384                                        sizeof(sctpauthkey), labelbuffer,
3385                                        labellen, NULL, 0, 0) <= 0) {
3386             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3387             goto err;
3388         }
3389 
3390         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3391                  sizeof(sctpauthkey), sctpauthkey);
3392     }
3393 #endif
3394 
3395     return 1;
3396  err:
3397     OPENSSL_clear_free(pms, pmslen);
3398     s->s3.tmp.pms = NULL;
3399     s->s3.tmp.pmslen = 0;
3400     return 0;
3401 }
3402 
3403 /*
3404  * Check a certificate can be used for client authentication. Currently check
3405  * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3406  * certificates can be used and optionally checks suitability for Suite B.
3407  */
3408 static int ssl3_check_client_certificate(SSL *s)
3409 {
3410     /* If no suitable signature algorithm can't use certificate */
3411     if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL)
3412         return 0;
3413     /*
3414      * If strict mode check suitability of chain before using it. This also
3415      * adjusts suite B digest if necessary.
3416      */
3417     if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
3418         !tls1_check_chain(s, NULL, NULL, NULL, -2))
3419         return 0;
3420     return 1;
3421 }
3422 
3423 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
3424 {
3425     X509 *x509 = NULL;
3426     EVP_PKEY *pkey = NULL;
3427     int i;
3428 
3429     if (wst == WORK_MORE_A) {
3430         /* Let cert callback update client certificates if required */
3431         if (s->cert->cert_cb) {
3432             i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
3433             if (i < 0) {
3434                 s->rwstate = SSL_X509_LOOKUP;
3435                 return WORK_MORE_A;
3436             }
3437             if (i == 0) {
3438                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED);
3439                 return WORK_ERROR;
3440             }
3441             s->rwstate = SSL_NOTHING;
3442         }
3443         if (ssl3_check_client_certificate(s)) {
3444             if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
3445                 return WORK_FINISHED_STOP;
3446             }
3447             return WORK_FINISHED_CONTINUE;
3448         }
3449 
3450         /* Fall through to WORK_MORE_B */
3451         wst = WORK_MORE_B;
3452     }
3453 
3454     /* We need to get a client cert */
3455     if (wst == WORK_MORE_B) {
3456         /*
3457          * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3458          * return(-1); We then get retied later
3459          */
3460         i = ssl_do_client_cert_cb(s, &x509, &pkey);
3461         if (i < 0) {
3462             s->rwstate = SSL_X509_LOOKUP;
3463             return WORK_MORE_B;
3464         }
3465         s->rwstate = SSL_NOTHING;
3466         if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3467             if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
3468                 i = 0;
3469         } else if (i == 1) {
3470             i = 0;
3471             ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3472         }
3473 
3474         X509_free(x509);
3475         EVP_PKEY_free(pkey);
3476         if (i && !ssl3_check_client_certificate(s))
3477             i = 0;
3478         if (i == 0) {
3479             if (s->version == SSL3_VERSION) {
3480                 s->s3.tmp.cert_req = 0;
3481                 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3482                 return WORK_FINISHED_CONTINUE;
3483             } else {
3484                 s->s3.tmp.cert_req = 2;
3485                 if (!ssl3_digest_cached_records(s, 0)) {
3486                     /* SSLfatal() already called */
3487                     return WORK_ERROR;
3488                 }
3489             }
3490         }
3491 
3492         if (s->post_handshake_auth == SSL_PHA_REQUESTED)
3493             return WORK_FINISHED_STOP;
3494         return WORK_FINISHED_CONTINUE;
3495     }
3496 
3497     /* Shouldn't ever get here */
3498     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3499     return WORK_ERROR;
3500 }
3501 
3502 int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
3503 {
3504     if (SSL_IS_TLS13(s)) {
3505         if (s->pha_context == NULL) {
3506             /* no context available, add 0-length context */
3507             if (!WPACKET_put_bytes_u8(pkt, 0)) {
3508                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3509                 return 0;
3510             }
3511         } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
3512             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3513             return 0;
3514         }
3515     }
3516     if (!ssl3_output_cert_chain(s, pkt,
3517                                 (s->s3.tmp.cert_req == 2) ? NULL
3518                                                            : s->cert->key)) {
3519         /* SSLfatal() already called */
3520         return 0;
3521     }
3522 
3523     if (SSL_IS_TLS13(s)
3524             && SSL_IS_FIRST_HANDSHAKE(s)
3525             && (!s->method->ssl3_enc->change_cipher_state(s,
3526                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
3527         /*
3528          * This is a fatal error, which leaves enc_write_ctx in an inconsistent
3529          * state and thus ssl3_send_alert may crash.
3530          */
3531         SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER);
3532         return 0;
3533     }
3534 
3535     return 1;
3536 }
3537 
3538 int ssl3_check_cert_and_algorithm(SSL *s)
3539 {
3540     const SSL_CERT_LOOKUP *clu;
3541     size_t idx;
3542     long alg_k, alg_a;
3543 
3544     alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3545     alg_a = s->s3.tmp.new_cipher->algorithm_auth;
3546 
3547     /* we don't have a certificate */
3548     if (!(alg_a & SSL_aCERT))
3549         return 1;
3550 
3551     /* This is the passed certificate */
3552     clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
3553 
3554     /* Check certificate is recognised and suitable for cipher */
3555     if (clu == NULL || (alg_a & clu->amask) == 0) {
3556         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT);
3557         return 0;
3558     }
3559 
3560     if (clu->amask & SSL_aECDSA) {
3561         if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
3562             return 1;
3563         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT);
3564         return 0;
3565     }
3566 
3567     if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) {
3568         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3569                  SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3570         return 0;
3571     }
3572 
3573     if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) {
3574         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3575         return 0;
3576     }
3577 
3578     return 1;
3579 }
3580 
3581 #ifndef OPENSSL_NO_NEXTPROTONEG
3582 int tls_construct_next_proto(SSL *s, WPACKET *pkt)
3583 {
3584     size_t len, padding_len;
3585     unsigned char *padding = NULL;
3586 
3587     len = s->ext.npn_len;
3588     padding_len = 32 - ((len + 2) % 32);
3589 
3590     if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
3591             || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
3592         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3593         return 0;
3594     }
3595 
3596     memset(padding, 0, padding_len);
3597 
3598     return 1;
3599 }
3600 #endif
3601 
3602 MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
3603 {
3604     if (PACKET_remaining(pkt) > 0) {
3605         /* should contain no data */
3606         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
3607         return MSG_PROCESS_ERROR;
3608     }
3609 
3610     if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
3611         ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
3612         return MSG_PROCESS_FINISHED_READING;
3613     }
3614 
3615     /*
3616      * This is a historical discrepancy (not in the RFC) maintained for
3617      * compatibility reasons. If a TLS client receives a HelloRequest it will
3618      * attempt an abbreviated handshake. However if a DTLS client receives a
3619      * HelloRequest it will do a full handshake. Either behaviour is reasonable
3620      * but doing one for TLS and another for DTLS is odd.
3621      */
3622     if (SSL_IS_DTLS(s))
3623         SSL_renegotiate(s);
3624     else
3625         SSL_renegotiate_abbreviated(s);
3626 
3627     return MSG_PROCESS_FINISHED_READING;
3628 }
3629 
3630 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
3631 {
3632     PACKET extensions;
3633     RAW_EXTENSION *rawexts = NULL;
3634 
3635     if (!PACKET_as_length_prefixed_2(pkt, &extensions)
3636             || PACKET_remaining(pkt) != 0) {
3637         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
3638         goto err;
3639     }
3640 
3641     if (!tls_collect_extensions(s, &extensions,
3642                                 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
3643                                 NULL, 1)
3644             || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
3645                                          rawexts, NULL, 0, 1)) {
3646         /* SSLfatal() already called */
3647         goto err;
3648     }
3649 
3650     OPENSSL_free(rawexts);
3651     return MSG_PROCESS_CONTINUE_READING;
3652 
3653  err:
3654     OPENSSL_free(rawexts);
3655     return MSG_PROCESS_ERROR;
3656 }
3657 
3658 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3659 {
3660     int i = 0;
3661 #ifndef OPENSSL_NO_ENGINE
3662     if (s->ctx->client_cert_engine) {
3663         i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
3664         if (i != 0)
3665             return i;
3666     }
3667 #endif
3668     if (s->ctx->client_cert_cb)
3669         i = s->ctx->client_cert_cb(s, px509, ppkey);
3670     return i;
3671 }
3672 
3673 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
3674 {
3675     int i;
3676     size_t totlen = 0, len, maxlen, maxverok = 0;
3677     int empty_reneg_info_scsv = !s->renegotiate;
3678 
3679     /* Set disabled masks for this session */
3680     if (!ssl_set_client_disabled(s)) {
3681         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE);
3682         return 0;
3683     }
3684 
3685     if (sk == NULL) {
3686         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3687         return 0;
3688     }
3689 
3690 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
3691 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
3692 #  error Max cipher length too short
3693 # endif
3694     /*
3695      * Some servers hang if client hello > 256 bytes as hack workaround
3696      * chop number of supported ciphers to keep it well below this if we
3697      * use TLS v1.2
3698      */
3699     if (TLS1_get_version(s) >= TLS1_2_VERSION)
3700         maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
3701     else
3702 #endif
3703         /* Maximum length that can be stored in 2 bytes. Length must be even */
3704         maxlen = 0xfffe;
3705 
3706     if (empty_reneg_info_scsv)
3707         maxlen -= 2;
3708     if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
3709         maxlen -= 2;
3710 
3711     for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
3712         const SSL_CIPHER *c;
3713 
3714         c = sk_SSL_CIPHER_value(sk, i);
3715         /* Skip disabled ciphers */
3716         if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
3717             continue;
3718 
3719         if (!s->method->put_cipher_by_char(c, pkt, &len)) {
3720             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3721             return 0;
3722         }
3723 
3724         /* Sanity check that the maximum version we offer has ciphers enabled */
3725         if (!maxverok) {
3726             if (SSL_IS_DTLS(s)) {
3727                 if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver)
3728                         && DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver))
3729                     maxverok = 1;
3730             } else {
3731                 if (c->max_tls >= s->s3.tmp.max_ver
3732                         && c->min_tls <= s->s3.tmp.max_ver)
3733                     maxverok = 1;
3734             }
3735         }
3736 
3737         totlen += len;
3738     }
3739 
3740     if (totlen == 0 || !maxverok) {
3741         const char *maxvertext =
3742             !maxverok
3743             ? "No ciphers enabled for max supported SSL/TLS version"
3744             : NULL;
3745 
3746         SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE,
3747                       maxvertext);
3748         return 0;
3749     }
3750 
3751     if (totlen != 0) {
3752         if (empty_reneg_info_scsv) {
3753             static SSL_CIPHER scsv = {
3754                 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3755             };
3756             if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3757                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3758                 return 0;
3759             }
3760         }
3761         if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
3762             static SSL_CIPHER scsv = {
3763                 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3764             };
3765             if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3766                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
3767                 return 0;
3768             }
3769         }
3770     }
3771 
3772     return 1;
3773 }
3774 
3775 int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt)
3776 {
3777     if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
3778             && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
3779         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
3780         return 0;
3781     }
3782 
3783     s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
3784     return 1;
3785 }
3786