xref: /freebsd/crypto/openssl/ssl/statem/statem_clnt.c (revision e6bfd18d21b225af6a0ed67ceeaf1293b7b9eba5)
1 /*
2  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  * Copyright 2005 Nokia. All rights reserved.
5  *
6  * Licensed under the OpenSSL license (the "License").  You may not use
7  * this file except in compliance with the License.  You can obtain a copy
8  * in the file LICENSE in the source distribution or at
9  * https://www.openssl.org/source/license.html
10  */
11 
12 #include <stdio.h>
13 #include <time.h>
14 #include <assert.h>
15 #include "../ssl_local.h"
16 #include "statem_local.h"
17 #include <openssl/buffer.h>
18 #include <openssl/rand.h>
19 #include <openssl/objects.h>
20 #include <openssl/evp.h>
21 #include <openssl/md5.h>
22 #include <openssl/dh.h>
23 #include <openssl/bn.h>
24 #include <openssl/engine.h>
25 #include <internal/cryptlib.h>
26 
27 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
28 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
29 
30 static ossl_inline int cert_req_allowed(SSL *s);
31 static int key_exchange_expected(SSL *s);
32 static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
33                                     WPACKET *pkt);
34 
35 /*
36  * Is a CertificateRequest message allowed at the moment or not?
37  *
38  *  Return values are:
39  *  1: Yes
40  *  0: No
41  */
42 static ossl_inline int cert_req_allowed(SSL *s)
43 {
44     /* TLS does not like anon-DH with client cert */
45     if ((s->version > SSL3_VERSION
46          && (s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL))
47         || (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK)))
48         return 0;
49 
50     return 1;
51 }
52 
53 /*
54  * Should we expect the ServerKeyExchange message or not?
55  *
56  *  Return values are:
57  *  1: Yes
58  *  0: No
59  */
60 static int key_exchange_expected(SSL *s)
61 {
62     long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
63 
64     /*
65      * Can't skip server key exchange if this is an ephemeral
66      * ciphersuite or for SRP
67      */
68     if (alg_k & (SSL_kDHE | SSL_kECDHE | SSL_kDHEPSK | SSL_kECDHEPSK
69                  | SSL_kSRP)) {
70         return 1;
71     }
72 
73     return 0;
74 }
75 
76 /*
77  * ossl_statem_client_read_transition() encapsulates the logic for the allowed
78  * handshake state transitions when a TLS1.3 client is reading messages from the
79  * server. The message type that the server has sent is provided in |mt|. The
80  * current state is in |s->statem.hand_state|.
81  *
82  * Return values are 1 for success (transition allowed) and  0 on error
83  * (transition not allowed)
84  */
85 static int ossl_statem_client13_read_transition(SSL *s, int mt)
86 {
87     OSSL_STATEM *st = &s->statem;
88 
89     /*
90      * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
91      * yet negotiated TLSv1.3 at that point so that is handled by
92      * ossl_statem_client_read_transition()
93      */
94 
95     switch (st->hand_state) {
96     default:
97         break;
98 
99     case TLS_ST_CW_CLNT_HELLO:
100         /*
101          * This must a ClientHello following a HelloRetryRequest, so the only
102          * thing we can get now is a ServerHello.
103          */
104         if (mt == SSL3_MT_SERVER_HELLO) {
105             st->hand_state = TLS_ST_CR_SRVR_HELLO;
106             return 1;
107         }
108         break;
109 
110     case TLS_ST_CR_SRVR_HELLO:
111         if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS) {
112             st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
113             return 1;
114         }
115         break;
116 
117     case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
118         if (s->hit) {
119             if (mt == SSL3_MT_FINISHED) {
120                 st->hand_state = TLS_ST_CR_FINISHED;
121                 return 1;
122             }
123         } else {
124             if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
125                 st->hand_state = TLS_ST_CR_CERT_REQ;
126                 return 1;
127             }
128             if (mt == SSL3_MT_CERTIFICATE) {
129                 st->hand_state = TLS_ST_CR_CERT;
130                 return 1;
131             }
132         }
133         break;
134 
135     case TLS_ST_CR_CERT_REQ:
136         if (mt == SSL3_MT_CERTIFICATE) {
137             st->hand_state = TLS_ST_CR_CERT;
138             return 1;
139         }
140         break;
141 
142     case TLS_ST_CR_CERT:
143         if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
144             st->hand_state = TLS_ST_CR_CERT_VRFY;
145             return 1;
146         }
147         break;
148 
149     case TLS_ST_CR_CERT_VRFY:
150         if (mt == SSL3_MT_FINISHED) {
151             st->hand_state = TLS_ST_CR_FINISHED;
152             return 1;
153         }
154         break;
155 
156     case TLS_ST_OK:
157         if (mt == SSL3_MT_NEWSESSION_TICKET) {
158             st->hand_state = TLS_ST_CR_SESSION_TICKET;
159             return 1;
160         }
161         if (mt == SSL3_MT_KEY_UPDATE) {
162             st->hand_state = TLS_ST_CR_KEY_UPDATE;
163             return 1;
164         }
165         if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
166 #if DTLS_MAX_VERSION != DTLS1_2_VERSION
167 # error TODO(DTLS1.3): Restore digest for PHA before adding message.
168 #endif
169             if (!SSL_IS_DTLS(s) && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
170                 s->post_handshake_auth = SSL_PHA_REQUESTED;
171                 /*
172                  * In TLS, this is called before the message is added to the
173                  * digest. In DTLS, this is expected to be called after adding
174                  * to the digest. Either move the digest restore, or add the
175                  * message here after the swap, or do it after the clientFinished?
176                  */
177                 if (!tls13_restore_handshake_digest_for_pha(s)) {
178                     /* SSLfatal() already called */
179                     return 0;
180                 }
181                 st->hand_state = TLS_ST_CR_CERT_REQ;
182                 return 1;
183             }
184         }
185         break;
186     }
187 
188     /* No valid transition found */
189     return 0;
190 }
191 
192 /*
193  * ossl_statem_client_read_transition() encapsulates the logic for the allowed
194  * handshake state transitions when the client is reading messages from the
195  * server. The message type that the server has sent is provided in |mt|. The
196  * current state is in |s->statem.hand_state|.
197  *
198  * Return values are 1 for success (transition allowed) and  0 on error
199  * (transition not allowed)
200  */
201 int ossl_statem_client_read_transition(SSL *s, int mt)
202 {
203     OSSL_STATEM *st = &s->statem;
204     int ske_expected;
205 
206     /*
207      * Note that after writing the first ClientHello we don't know what version
208      * we are going to negotiate yet, so we don't take this branch until later.
209      */
210     if (SSL_IS_TLS13(s)) {
211         if (!ossl_statem_client13_read_transition(s, mt))
212             goto err;
213         return 1;
214     }
215 
216     switch (st->hand_state) {
217     default:
218         break;
219 
220     case TLS_ST_CW_CLNT_HELLO:
221         if (mt == SSL3_MT_SERVER_HELLO) {
222             st->hand_state = TLS_ST_CR_SRVR_HELLO;
223             return 1;
224         }
225 
226         if (SSL_IS_DTLS(s)) {
227             if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
228                 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
229                 return 1;
230             }
231         }
232         break;
233 
234     case TLS_ST_EARLY_DATA:
235         /*
236          * We've not actually selected TLSv1.3 yet, but we have sent early
237          * data. The only thing allowed now is a ServerHello or a
238          * HelloRetryRequest.
239          */
240         if (mt == SSL3_MT_SERVER_HELLO) {
241             st->hand_state = TLS_ST_CR_SRVR_HELLO;
242             return 1;
243         }
244         break;
245 
246     case TLS_ST_CR_SRVR_HELLO:
247         if (s->hit) {
248             if (s->ext.ticket_expected) {
249                 if (mt == SSL3_MT_NEWSESSION_TICKET) {
250                     st->hand_state = TLS_ST_CR_SESSION_TICKET;
251                     return 1;
252                 }
253             } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
254                 st->hand_state = TLS_ST_CR_CHANGE;
255                 return 1;
256             }
257         } else {
258             if (SSL_IS_DTLS(s) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST) {
259                 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
260                 return 1;
261             } else if (s->version >= TLS1_VERSION
262                        && s->ext.session_secret_cb != NULL
263                        && s->session->ext.tick != NULL
264                        && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
265                 /*
266                  * Normally, we can tell if the server is resuming the session
267                  * from the session ID. EAP-FAST (RFC 4851), however, relies on
268                  * the next server message after the ServerHello to determine if
269                  * the server is resuming.
270                  */
271                 s->hit = 1;
272                 st->hand_state = TLS_ST_CR_CHANGE;
273                 return 1;
274             } else if (!(s->s3->tmp.new_cipher->algorithm_auth
275                          & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) {
276                 if (mt == SSL3_MT_CERTIFICATE) {
277                     st->hand_state = TLS_ST_CR_CERT;
278                     return 1;
279                 }
280             } else {
281                 ske_expected = key_exchange_expected(s);
282                 /* SKE is optional for some PSK ciphersuites */
283                 if (ske_expected
284                     || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
285                         && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
286                     if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
287                         st->hand_state = TLS_ST_CR_KEY_EXCH;
288                         return 1;
289                     }
290                 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST
291                            && cert_req_allowed(s)) {
292                     st->hand_state = TLS_ST_CR_CERT_REQ;
293                     return 1;
294                 } else if (mt == SSL3_MT_SERVER_DONE) {
295                     st->hand_state = TLS_ST_CR_SRVR_DONE;
296                     return 1;
297                 }
298             }
299         }
300         break;
301 
302     case TLS_ST_CR_CERT:
303         /*
304          * The CertificateStatus message is optional even if
305          * |ext.status_expected| is set
306          */
307         if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
308             st->hand_state = TLS_ST_CR_CERT_STATUS;
309             return 1;
310         }
311         /* Fall through */
312 
313     case TLS_ST_CR_CERT_STATUS:
314         ske_expected = key_exchange_expected(s);
315         /* SKE is optional for some PSK ciphersuites */
316         if (ske_expected || ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_PSK)
317                              && mt == SSL3_MT_SERVER_KEY_EXCHANGE)) {
318             if (mt == SSL3_MT_SERVER_KEY_EXCHANGE) {
319                 st->hand_state = TLS_ST_CR_KEY_EXCH;
320                 return 1;
321             }
322             goto err;
323         }
324         /* Fall through */
325 
326     case TLS_ST_CR_KEY_EXCH:
327         if (mt == SSL3_MT_CERTIFICATE_REQUEST) {
328             if (cert_req_allowed(s)) {
329                 st->hand_state = TLS_ST_CR_CERT_REQ;
330                 return 1;
331             }
332             goto err;
333         }
334         /* Fall through */
335 
336     case TLS_ST_CR_CERT_REQ:
337         if (mt == SSL3_MT_SERVER_DONE) {
338             st->hand_state = TLS_ST_CR_SRVR_DONE;
339             return 1;
340         }
341         break;
342 
343     case TLS_ST_CW_FINISHED:
344         if (s->ext.ticket_expected) {
345             if (mt == SSL3_MT_NEWSESSION_TICKET) {
346                 st->hand_state = TLS_ST_CR_SESSION_TICKET;
347                 return 1;
348             }
349         } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
350             st->hand_state = TLS_ST_CR_CHANGE;
351             return 1;
352         }
353         break;
354 
355     case TLS_ST_CR_SESSION_TICKET:
356         if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
357             st->hand_state = TLS_ST_CR_CHANGE;
358             return 1;
359         }
360         break;
361 
362     case TLS_ST_CR_CHANGE:
363         if (mt == SSL3_MT_FINISHED) {
364             st->hand_state = TLS_ST_CR_FINISHED;
365             return 1;
366         }
367         break;
368 
369     case TLS_ST_OK:
370         if (mt == SSL3_MT_HELLO_REQUEST) {
371             st->hand_state = TLS_ST_CR_HELLO_REQ;
372             return 1;
373         }
374         break;
375     }
376 
377  err:
378     /* No valid transition found */
379     if (SSL_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
380         BIO *rbio;
381 
382         /*
383          * CCS messages don't have a message sequence number so this is probably
384          * because of an out-of-order CCS. We'll just drop it.
385          */
386         s->init_num = 0;
387         s->rwstate = SSL_READING;
388         rbio = SSL_get_rbio(s);
389         BIO_clear_retry_flags(rbio);
390         BIO_set_retry_read(rbio);
391         return 0;
392     }
393     SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE,
394              SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION,
395              SSL_R_UNEXPECTED_MESSAGE);
396     return 0;
397 }
398 
399 /*
400  * ossl_statem_client13_write_transition() works out what handshake state to
401  * move to next when the TLSv1.3 client is writing messages to be sent to the
402  * server.
403  */
404 static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
405 {
406     OSSL_STATEM *st = &s->statem;
407 
408     /*
409      * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
410      * TLSv1.3 yet at that point. They are handled by
411      * ossl_statem_client_write_transition().
412      */
413     switch (st->hand_state) {
414     default:
415         /* Shouldn't happen */
416         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
417                  SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION,
418                  ERR_R_INTERNAL_ERROR);
419         return WRITE_TRAN_ERROR;
420 
421     case TLS_ST_CR_CERT_REQ:
422         if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
423             st->hand_state = TLS_ST_CW_CERT;
424             return WRITE_TRAN_CONTINUE;
425         }
426         /*
427          * We should only get here if we received a CertificateRequest after
428          * we already sent close_notify
429          */
430         if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) {
431             /* Shouldn't happen - same as default case */
432             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
433                      SSL_F_OSSL_STATEM_CLIENT13_WRITE_TRANSITION,
434                      ERR_R_INTERNAL_ERROR);
435             return WRITE_TRAN_ERROR;
436         }
437         st->hand_state = TLS_ST_OK;
438         return WRITE_TRAN_CONTINUE;
439 
440     case TLS_ST_CR_FINISHED:
441         if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
442                 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
443             st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
444         else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
445                  && s->hello_retry_request == SSL_HRR_NONE)
446             st->hand_state = TLS_ST_CW_CHANGE;
447         else
448             st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
449                                                         : TLS_ST_CW_FINISHED;
450         return WRITE_TRAN_CONTINUE;
451 
452     case TLS_ST_PENDING_EARLY_DATA_END:
453         if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) {
454             st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
455             return WRITE_TRAN_CONTINUE;
456         }
457         /* Fall through */
458 
459     case TLS_ST_CW_END_OF_EARLY_DATA:
460     case TLS_ST_CW_CHANGE:
461         st->hand_state = (s->s3->tmp.cert_req != 0) ? TLS_ST_CW_CERT
462                                                     : TLS_ST_CW_FINISHED;
463         return WRITE_TRAN_CONTINUE;
464 
465     case TLS_ST_CW_CERT:
466         /* If a non-empty Certificate we also send CertificateVerify */
467         st->hand_state = (s->s3->tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
468                                                     : TLS_ST_CW_FINISHED;
469         return WRITE_TRAN_CONTINUE;
470 
471     case TLS_ST_CW_CERT_VRFY:
472         st->hand_state = TLS_ST_CW_FINISHED;
473         return WRITE_TRAN_CONTINUE;
474 
475     case TLS_ST_CR_KEY_UPDATE:
476     case TLS_ST_CW_KEY_UPDATE:
477     case TLS_ST_CR_SESSION_TICKET:
478     case TLS_ST_CW_FINISHED:
479         st->hand_state = TLS_ST_OK;
480         return WRITE_TRAN_CONTINUE;
481 
482     case TLS_ST_OK:
483         if (s->key_update != SSL_KEY_UPDATE_NONE) {
484             st->hand_state = TLS_ST_CW_KEY_UPDATE;
485             return WRITE_TRAN_CONTINUE;
486         }
487 
488         /* Try to read from the server instead */
489         return WRITE_TRAN_FINISHED;
490     }
491 }
492 
493 /*
494  * ossl_statem_client_write_transition() works out what handshake state to
495  * move to next when the client is writing messages to be sent to the server.
496  */
497 WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
498 {
499     OSSL_STATEM *st = &s->statem;
500 
501     /*
502      * Note that immediately before/after a ClientHello we don't know what
503      * version we are going to negotiate yet, so we don't take this branch until
504      * later
505      */
506     if (SSL_IS_TLS13(s))
507         return ossl_statem_client13_write_transition(s);
508 
509     switch (st->hand_state) {
510     default:
511         /* Shouldn't happen */
512         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
513                  SSL_F_OSSL_STATEM_CLIENT_WRITE_TRANSITION,
514                  ERR_R_INTERNAL_ERROR);
515         return WRITE_TRAN_ERROR;
516 
517     case TLS_ST_OK:
518         if (!s->renegotiate) {
519             /*
520              * We haven't requested a renegotiation ourselves so we must have
521              * received a message from the server. Better read it.
522              */
523             return WRITE_TRAN_FINISHED;
524         }
525         /* Renegotiation */
526         /* fall thru */
527     case TLS_ST_BEFORE:
528         st->hand_state = TLS_ST_CW_CLNT_HELLO;
529         return WRITE_TRAN_CONTINUE;
530 
531     case TLS_ST_CW_CLNT_HELLO:
532         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
533             /*
534              * We are assuming this is a TLSv1.3 connection, although we haven't
535              * actually selected a version yet.
536              */
537             if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0)
538                 st->hand_state = TLS_ST_CW_CHANGE;
539             else
540                 st->hand_state = TLS_ST_EARLY_DATA;
541             return WRITE_TRAN_CONTINUE;
542         }
543         /*
544          * No transition at the end of writing because we don't know what
545          * we will be sent
546          */
547         return WRITE_TRAN_FINISHED;
548 
549     case TLS_ST_CR_SRVR_HELLO:
550         /*
551          * We only get here in TLSv1.3. We just received an HRR, so issue a
552          * CCS unless middlebox compat mode is off, or we already issued one
553          * because we did early data.
554          */
555         if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0
556                 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
557             st->hand_state = TLS_ST_CW_CHANGE;
558         else
559             st->hand_state = TLS_ST_CW_CLNT_HELLO;
560         return WRITE_TRAN_CONTINUE;
561 
562     case TLS_ST_EARLY_DATA:
563         return WRITE_TRAN_FINISHED;
564 
565     case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
566         st->hand_state = TLS_ST_CW_CLNT_HELLO;
567         return WRITE_TRAN_CONTINUE;
568 
569     case TLS_ST_CR_SRVR_DONE:
570         if (s->s3->tmp.cert_req)
571             st->hand_state = TLS_ST_CW_CERT;
572         else
573             st->hand_state = TLS_ST_CW_KEY_EXCH;
574         return WRITE_TRAN_CONTINUE;
575 
576     case TLS_ST_CW_CERT:
577         st->hand_state = TLS_ST_CW_KEY_EXCH;
578         return WRITE_TRAN_CONTINUE;
579 
580     case TLS_ST_CW_KEY_EXCH:
581         /*
582          * For TLS, cert_req is set to 2, so a cert chain of nothing is
583          * sent, but no verify packet is sent
584          */
585         /*
586          * XXX: For now, we do not support client authentication in ECDH
587          * cipher suites with ECDH (rather than ECDSA) certificates. We
588          * need to skip the certificate verify message when client's
589          * ECDH public key is sent inside the client certificate.
590          */
591         if (s->s3->tmp.cert_req == 1) {
592             st->hand_state = TLS_ST_CW_CERT_VRFY;
593         } else {
594             st->hand_state = TLS_ST_CW_CHANGE;
595         }
596         if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
597             st->hand_state = TLS_ST_CW_CHANGE;
598         }
599         return WRITE_TRAN_CONTINUE;
600 
601     case TLS_ST_CW_CERT_VRFY:
602         st->hand_state = TLS_ST_CW_CHANGE;
603         return WRITE_TRAN_CONTINUE;
604 
605     case TLS_ST_CW_CHANGE:
606         if (s->hello_retry_request == SSL_HRR_PENDING) {
607             st->hand_state = TLS_ST_CW_CLNT_HELLO;
608         } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
609             st->hand_state = TLS_ST_EARLY_DATA;
610         } else {
611 #if defined(OPENSSL_NO_NEXTPROTONEG)
612             st->hand_state = TLS_ST_CW_FINISHED;
613 #else
614             if (!SSL_IS_DTLS(s) && s->s3->npn_seen)
615                 st->hand_state = TLS_ST_CW_NEXT_PROTO;
616             else
617                 st->hand_state = TLS_ST_CW_FINISHED;
618 #endif
619         }
620         return WRITE_TRAN_CONTINUE;
621 
622 #if !defined(OPENSSL_NO_NEXTPROTONEG)
623     case TLS_ST_CW_NEXT_PROTO:
624         st->hand_state = TLS_ST_CW_FINISHED;
625         return WRITE_TRAN_CONTINUE;
626 #endif
627 
628     case TLS_ST_CW_FINISHED:
629         if (s->hit) {
630             st->hand_state = TLS_ST_OK;
631             return WRITE_TRAN_CONTINUE;
632         } else {
633             return WRITE_TRAN_FINISHED;
634         }
635 
636     case TLS_ST_CR_FINISHED:
637         if (s->hit) {
638             st->hand_state = TLS_ST_CW_CHANGE;
639             return WRITE_TRAN_CONTINUE;
640         } else {
641             st->hand_state = TLS_ST_OK;
642             return WRITE_TRAN_CONTINUE;
643         }
644 
645     case TLS_ST_CR_HELLO_REQ:
646         /*
647          * If we can renegotiate now then do so, otherwise wait for a more
648          * convenient time.
649          */
650         if (ssl3_renegotiate_check(s, 1)) {
651             if (!tls_setup_handshake(s)) {
652                 /* SSLfatal() already called */
653                 return WRITE_TRAN_ERROR;
654             }
655             st->hand_state = TLS_ST_CW_CLNT_HELLO;
656             return WRITE_TRAN_CONTINUE;
657         }
658         st->hand_state = TLS_ST_OK;
659         return WRITE_TRAN_CONTINUE;
660     }
661 }
662 
663 /*
664  * Perform any pre work that needs to be done prior to sending a message from
665  * the client to the server.
666  */
667 WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
668 {
669     OSSL_STATEM *st = &s->statem;
670 
671     switch (st->hand_state) {
672     default:
673         /* No pre work to be done */
674         break;
675 
676     case TLS_ST_CW_CLNT_HELLO:
677         s->shutdown = 0;
678         if (SSL_IS_DTLS(s)) {
679             /* every DTLS ClientHello resets Finished MAC */
680             if (!ssl3_init_finished_mac(s)) {
681                 /* SSLfatal() already called */
682                 return WORK_ERROR;
683             }
684         }
685         break;
686 
687     case TLS_ST_CW_CHANGE:
688         if (SSL_IS_DTLS(s)) {
689             if (s->hit) {
690                 /*
691                  * We're into the last flight so we don't retransmit these
692                  * messages unless we need to.
693                  */
694                 st->use_timer = 0;
695             }
696 #ifndef OPENSSL_NO_SCTP
697             if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
698                 /* Calls SSLfatal() as required */
699                 return dtls_wait_for_dry(s);
700             }
701 #endif
702         }
703         break;
704 
705     case TLS_ST_PENDING_EARLY_DATA_END:
706         /*
707          * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
708          * attempt to write early data before calling SSL_read() then we press
709          * on with the handshake. Otherwise we pause here.
710          */
711         if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
712                 || s->early_data_state == SSL_EARLY_DATA_NONE)
713             return WORK_FINISHED_CONTINUE;
714         /* Fall through */
715 
716     case TLS_ST_EARLY_DATA:
717         return tls_finish_handshake(s, wst, 0, 1);
718 
719     case TLS_ST_OK:
720         /* Calls SSLfatal() as required */
721         return tls_finish_handshake(s, wst, 1, 1);
722     }
723 
724     return WORK_FINISHED_CONTINUE;
725 }
726 
727 /*
728  * Perform any work that needs to be done after sending a message from the
729  * client to the server.
730  */
731 WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
732 {
733     OSSL_STATEM *st = &s->statem;
734 
735     s->init_num = 0;
736 
737     switch (st->hand_state) {
738     default:
739         /* No post work to be done */
740         break;
741 
742     case TLS_ST_CW_CLNT_HELLO:
743         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
744                 && s->max_early_data > 0) {
745             /*
746              * We haven't selected TLSv1.3 yet so we don't call the change
747              * cipher state function associated with the SSL_METHOD. Instead
748              * we call tls13_change_cipher_state() directly.
749              */
750             if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) {
751                 if (!tls13_change_cipher_state(s,
752                             SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
753                     /* SSLfatal() already called */
754                     return WORK_ERROR;
755                 }
756             }
757             /* else we're in compat mode so we delay flushing until after CCS */
758         } else if (!statem_flush(s)) {
759             return WORK_MORE_A;
760         }
761 
762         if (SSL_IS_DTLS(s)) {
763             /* Treat the next message as the first packet */
764             s->first_packet = 1;
765         }
766         break;
767 
768     case TLS_ST_CW_END_OF_EARLY_DATA:
769         /*
770          * We set the enc_write_ctx back to NULL because we may end up writing
771          * in cleartext again if we get a HelloRetryRequest from the server.
772          */
773         EVP_CIPHER_CTX_free(s->enc_write_ctx);
774         s->enc_write_ctx = NULL;
775         break;
776 
777     case TLS_ST_CW_KEY_EXCH:
778         if (tls_client_key_exchange_post_work(s) == 0) {
779             /* SSLfatal() already called */
780             return WORK_ERROR;
781         }
782         break;
783 
784     case TLS_ST_CW_CHANGE:
785         if (SSL_IS_TLS13(s) || s->hello_retry_request == SSL_HRR_PENDING)
786             break;
787         if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
788                     && s->max_early_data > 0) {
789             /*
790              * We haven't selected TLSv1.3 yet so we don't call the change
791              * cipher state function associated with the SSL_METHOD. Instead
792              * we call tls13_change_cipher_state() directly.
793              */
794             if (!tls13_change_cipher_state(s,
795                         SSL3_CC_EARLY | SSL3_CHANGE_CIPHER_CLIENT_WRITE))
796                 return WORK_ERROR;
797             break;
798         }
799         s->session->cipher = s->s3->tmp.new_cipher;
800 #ifdef OPENSSL_NO_COMP
801         s->session->compress_meth = 0;
802 #else
803         if (s->s3->tmp.new_compression == NULL)
804             s->session->compress_meth = 0;
805         else
806             s->session->compress_meth = s->s3->tmp.new_compression->id;
807 #endif
808         if (!s->method->ssl3_enc->setup_key_block(s)) {
809             /* SSLfatal() already called */
810             return WORK_ERROR;
811         }
812 
813         if (!s->method->ssl3_enc->change_cipher_state(s,
814                                           SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
815             /* SSLfatal() already called */
816             return WORK_ERROR;
817         }
818 
819         if (SSL_IS_DTLS(s)) {
820 #ifndef OPENSSL_NO_SCTP
821             if (s->hit) {
822                 /*
823                  * Change to new shared key of SCTP-Auth, will be ignored if
824                  * no SCTP used.
825                  */
826                 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
827                          0, NULL);
828             }
829 #endif
830 
831             dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
832         }
833         break;
834 
835     case TLS_ST_CW_FINISHED:
836 #ifndef OPENSSL_NO_SCTP
837         if (wst == WORK_MORE_A && SSL_IS_DTLS(s) && s->hit == 0) {
838             /*
839              * Change to new shared key of SCTP-Auth, will be ignored if
840              * no SCTP used.
841              */
842             BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
843                      0, NULL);
844         }
845 #endif
846         if (statem_flush(s) != 1)
847             return WORK_MORE_B;
848 
849         if (SSL_IS_TLS13(s)) {
850             if (!tls13_save_handshake_digest_for_pha(s)) {
851                 /* SSLfatal() already called */
852                 return WORK_ERROR;
853             }
854             if (s->post_handshake_auth != SSL_PHA_REQUESTED) {
855                 if (!s->method->ssl3_enc->change_cipher_state(s,
856                         SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
857                     /* SSLfatal() already called */
858                     return WORK_ERROR;
859                 }
860             }
861         }
862         break;
863 
864     case TLS_ST_CW_KEY_UPDATE:
865         if (statem_flush(s) != 1)
866             return WORK_MORE_A;
867         if (!tls13_update_key(s, 1)) {
868             /* SSLfatal() already called */
869             return WORK_ERROR;
870         }
871         break;
872     }
873 
874     return WORK_FINISHED_CONTINUE;
875 }
876 
877 /*
878  * Get the message construction function and message type for sending from the
879  * client
880  *
881  * Valid return values are:
882  *   1: Success
883  *   0: Error
884  */
885 int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
886                                          confunc_f *confunc, int *mt)
887 {
888     OSSL_STATEM *st = &s->statem;
889 
890     switch (st->hand_state) {
891     default:
892         /* Shouldn't happen */
893         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
894                  SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE,
895                  SSL_R_BAD_HANDSHAKE_STATE);
896         return 0;
897 
898     case TLS_ST_CW_CHANGE:
899         if (SSL_IS_DTLS(s))
900             *confunc = dtls_construct_change_cipher_spec;
901         else
902             *confunc = tls_construct_change_cipher_spec;
903         *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
904         break;
905 
906     case TLS_ST_CW_CLNT_HELLO:
907         *confunc = tls_construct_client_hello;
908         *mt = SSL3_MT_CLIENT_HELLO;
909         break;
910 
911     case TLS_ST_CW_END_OF_EARLY_DATA:
912         *confunc = tls_construct_end_of_early_data;
913         *mt = SSL3_MT_END_OF_EARLY_DATA;
914         break;
915 
916     case TLS_ST_PENDING_EARLY_DATA_END:
917         *confunc = NULL;
918         *mt = SSL3_MT_DUMMY;
919         break;
920 
921     case TLS_ST_CW_CERT:
922         *confunc = tls_construct_client_certificate;
923         *mt = SSL3_MT_CERTIFICATE;
924         break;
925 
926     case TLS_ST_CW_KEY_EXCH:
927         *confunc = tls_construct_client_key_exchange;
928         *mt = SSL3_MT_CLIENT_KEY_EXCHANGE;
929         break;
930 
931     case TLS_ST_CW_CERT_VRFY:
932         *confunc = tls_construct_cert_verify;
933         *mt = SSL3_MT_CERTIFICATE_VERIFY;
934         break;
935 
936 #if !defined(OPENSSL_NO_NEXTPROTONEG)
937     case TLS_ST_CW_NEXT_PROTO:
938         *confunc = tls_construct_next_proto;
939         *mt = SSL3_MT_NEXT_PROTO;
940         break;
941 #endif
942     case TLS_ST_CW_FINISHED:
943         *confunc = tls_construct_finished;
944         *mt = SSL3_MT_FINISHED;
945         break;
946 
947     case TLS_ST_CW_KEY_UPDATE:
948         *confunc = tls_construct_key_update;
949         *mt = SSL3_MT_KEY_UPDATE;
950         break;
951     }
952 
953     return 1;
954 }
955 
956 /*
957  * Returns the maximum allowed length for the current message that we are
958  * reading. Excludes the message header.
959  */
960 size_t ossl_statem_client_max_message_size(SSL *s)
961 {
962     OSSL_STATEM *st = &s->statem;
963 
964     switch (st->hand_state) {
965     default:
966         /* Shouldn't happen */
967         return 0;
968 
969     case TLS_ST_CR_SRVR_HELLO:
970         return SERVER_HELLO_MAX_LENGTH;
971 
972     case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
973         return HELLO_VERIFY_REQUEST_MAX_LENGTH;
974 
975     case TLS_ST_CR_CERT:
976         return s->max_cert_list;
977 
978     case TLS_ST_CR_CERT_VRFY:
979         return SSL3_RT_MAX_PLAIN_LENGTH;
980 
981     case TLS_ST_CR_CERT_STATUS:
982         return SSL3_RT_MAX_PLAIN_LENGTH;
983 
984     case TLS_ST_CR_KEY_EXCH:
985         return SERVER_KEY_EXCH_MAX_LENGTH;
986 
987     case TLS_ST_CR_CERT_REQ:
988         /*
989          * Set to s->max_cert_list for compatibility with previous releases. In
990          * practice these messages can get quite long if servers are configured
991          * to provide a long list of acceptable CAs
992          */
993         return s->max_cert_list;
994 
995     case TLS_ST_CR_SRVR_DONE:
996         return SERVER_HELLO_DONE_MAX_LENGTH;
997 
998     case TLS_ST_CR_CHANGE:
999         if (s->version == DTLS1_BAD_VER)
1000             return 3;
1001         return CCS_MAX_LENGTH;
1002 
1003     case TLS_ST_CR_SESSION_TICKET:
1004         return (SSL_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13
1005                                  : SESSION_TICKET_MAX_LENGTH_TLS12;
1006 
1007     case TLS_ST_CR_FINISHED:
1008         return FINISHED_MAX_LENGTH;
1009 
1010     case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1011         return ENCRYPTED_EXTENSIONS_MAX_LENGTH;
1012 
1013     case TLS_ST_CR_KEY_UPDATE:
1014         return KEY_UPDATE_MAX_LENGTH;
1015     }
1016 }
1017 
1018 /*
1019  * Process a message that the client has been received from the server.
1020  */
1021 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
1022 {
1023     OSSL_STATEM *st = &s->statem;
1024 
1025     switch (st->hand_state) {
1026     default:
1027         /* Shouldn't happen */
1028         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1029                  SSL_F_OSSL_STATEM_CLIENT_PROCESS_MESSAGE,
1030                  ERR_R_INTERNAL_ERROR);
1031         return MSG_PROCESS_ERROR;
1032 
1033     case TLS_ST_CR_SRVR_HELLO:
1034         return tls_process_server_hello(s, pkt);
1035 
1036     case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1037         return dtls_process_hello_verify(s, pkt);
1038 
1039     case TLS_ST_CR_CERT:
1040         return tls_process_server_certificate(s, pkt);
1041 
1042     case TLS_ST_CR_CERT_VRFY:
1043         return tls_process_cert_verify(s, pkt);
1044 
1045     case TLS_ST_CR_CERT_STATUS:
1046         return tls_process_cert_status(s, pkt);
1047 
1048     case TLS_ST_CR_KEY_EXCH:
1049         return tls_process_key_exchange(s, pkt);
1050 
1051     case TLS_ST_CR_CERT_REQ:
1052         return tls_process_certificate_request(s, pkt);
1053 
1054     case TLS_ST_CR_SRVR_DONE:
1055         return tls_process_server_done(s, pkt);
1056 
1057     case TLS_ST_CR_CHANGE:
1058         return tls_process_change_cipher_spec(s, pkt);
1059 
1060     case TLS_ST_CR_SESSION_TICKET:
1061         return tls_process_new_session_ticket(s, pkt);
1062 
1063     case TLS_ST_CR_FINISHED:
1064         return tls_process_finished(s, pkt);
1065 
1066     case TLS_ST_CR_HELLO_REQ:
1067         return tls_process_hello_req(s, pkt);
1068 
1069     case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1070         return tls_process_encrypted_extensions(s, pkt);
1071 
1072     case TLS_ST_CR_KEY_UPDATE:
1073         return tls_process_key_update(s, pkt);
1074     }
1075 }
1076 
1077 /*
1078  * Perform any further processing required following the receipt of a message
1079  * from the server
1080  */
1081 WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
1082 {
1083     OSSL_STATEM *st = &s->statem;
1084 
1085     switch (st->hand_state) {
1086     default:
1087         /* Shouldn't happen */
1088         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1089                  SSL_F_OSSL_STATEM_CLIENT_POST_PROCESS_MESSAGE,
1090                  ERR_R_INTERNAL_ERROR);
1091         return WORK_ERROR;
1092 
1093     case TLS_ST_CR_CERT_VRFY:
1094     case TLS_ST_CR_CERT_REQ:
1095         return tls_prepare_client_certificate(s, wst);
1096     }
1097 }
1098 
1099 int tls_construct_client_hello(SSL *s, WPACKET *pkt)
1100 {
1101     unsigned char *p;
1102     size_t sess_id_len;
1103     int i, protverr;
1104 #ifndef OPENSSL_NO_COMP
1105     SSL_COMP *comp;
1106 #endif
1107     SSL_SESSION *sess = s->session;
1108     unsigned char *session_id;
1109 
1110     /* Work out what SSL/TLS/DTLS version to use */
1111     protverr = ssl_set_client_hello_version(s);
1112     if (protverr != 0) {
1113         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1114                  protverr);
1115         return 0;
1116     }
1117 
1118     if (sess == NULL
1119             || !ssl_version_supported(s, sess->ssl_version, NULL)
1120             || !SSL_SESSION_is_resumable(sess)) {
1121         if (s->hello_retry_request == SSL_HRR_NONE
1122                 && !ssl_get_new_session(s, 0)) {
1123             /* SSLfatal() already called */
1124             return 0;
1125         }
1126     }
1127     /* else use the pre-loaded session */
1128 
1129     p = s->s3->client_random;
1130 
1131     /*
1132      * for DTLS if client_random is initialized, reuse it, we are
1133      * required to use same upon reply to HelloVerify
1134      */
1135     if (SSL_IS_DTLS(s)) {
1136         size_t idx;
1137         i = 1;
1138         for (idx = 0; idx < sizeof(s->s3->client_random); idx++) {
1139             if (p[idx]) {
1140                 i = 0;
1141                 break;
1142             }
1143         }
1144     } else {
1145         i = (s->hello_retry_request == SSL_HRR_NONE);
1146     }
1147 
1148     if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random),
1149                                    DOWNGRADE_NONE) <= 0) {
1150         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1151                  ERR_R_INTERNAL_ERROR);
1152         return 0;
1153     }
1154 
1155     /*-
1156      * version indicates the negotiated version: for example from
1157      * an SSLv2/v3 compatible client hello). The client_version
1158      * field is the maximum version we permit and it is also
1159      * used in RSA encrypted premaster secrets. Some servers can
1160      * choke if we initially report a higher version then
1161      * renegotiate to a lower one in the premaster secret. This
1162      * didn't happen with TLS 1.0 as most servers supported it
1163      * but it can with TLS 1.1 or later if the server only supports
1164      * 1.0.
1165      *
1166      * Possible scenario with previous logic:
1167      *      1. Client hello indicates TLS 1.2
1168      *      2. Server hello says TLS 1.0
1169      *      3. RSA encrypted premaster secret uses 1.2.
1170      *      4. Handshake proceeds using TLS 1.0.
1171      *      5. Server sends hello request to renegotiate.
1172      *      6. Client hello indicates TLS v1.0 as we now
1173      *         know that is maximum server supports.
1174      *      7. Server chokes on RSA encrypted premaster secret
1175      *         containing version 1.0.
1176      *
1177      * For interoperability it should be OK to always use the
1178      * maximum version we support in client hello and then rely
1179      * on the checking of version to ensure the servers isn't
1180      * being inconsistent: for example initially negotiating with
1181      * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1182      * client_version in client hello and not resetting it to
1183      * the negotiated version.
1184      *
1185      * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
1186      * supported_versions extension for the real supported versions.
1187      */
1188     if (!WPACKET_put_bytes_u16(pkt, s->client_version)
1189             || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
1190         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1191                  ERR_R_INTERNAL_ERROR);
1192         return 0;
1193     }
1194 
1195     /* Session ID */
1196     session_id = s->session->session_id;
1197     if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) {
1198         if (s->version == TLS1_3_VERSION
1199                 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) {
1200             sess_id_len = sizeof(s->tmp_session_id);
1201             s->tmp_session_id_len = sess_id_len;
1202             session_id = s->tmp_session_id;
1203             if (s->hello_retry_request == SSL_HRR_NONE
1204                     && RAND_bytes(s->tmp_session_id, sess_id_len) <= 0) {
1205                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1206                          SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1207                          ERR_R_INTERNAL_ERROR);
1208                 return 0;
1209             }
1210         } else {
1211             sess_id_len = 0;
1212         }
1213     } else {
1214         assert(s->session->session_id_length <= sizeof(s->session->session_id));
1215         sess_id_len = s->session->session_id_length;
1216         if (s->version == TLS1_3_VERSION) {
1217             s->tmp_session_id_len = sess_id_len;
1218             memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
1219         }
1220     }
1221     if (!WPACKET_start_sub_packet_u8(pkt)
1222             || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
1223                                                     sess_id_len))
1224             || !WPACKET_close(pkt)) {
1225         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1226                  ERR_R_INTERNAL_ERROR);
1227         return 0;
1228     }
1229 
1230     /* cookie stuff for DTLS */
1231     if (SSL_IS_DTLS(s)) {
1232         if (s->d1->cookie_len > sizeof(s->d1->cookie)
1233                 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,
1234                                           s->d1->cookie_len)) {
1235             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1236                      ERR_R_INTERNAL_ERROR);
1237             return 0;
1238         }
1239     }
1240 
1241     /* Ciphers supported */
1242     if (!WPACKET_start_sub_packet_u16(pkt)) {
1243         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1244                  ERR_R_INTERNAL_ERROR);
1245         return 0;
1246     }
1247 
1248     if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) {
1249         /* SSLfatal() already called */
1250         return 0;
1251     }
1252     if (!WPACKET_close(pkt)) {
1253         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1254                  ERR_R_INTERNAL_ERROR);
1255         return 0;
1256     }
1257 
1258     /* COMPRESSION */
1259     if (!WPACKET_start_sub_packet_u8(pkt)) {
1260         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1261                  ERR_R_INTERNAL_ERROR);
1262         return 0;
1263     }
1264 #ifndef OPENSSL_NO_COMP
1265     if (ssl_allow_compression(s)
1266             && s->ctx->comp_methods
1267             && (SSL_IS_DTLS(s) || s->s3->tmp.max_ver < TLS1_3_VERSION)) {
1268         int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
1269         for (i = 0; i < compnum; i++) {
1270             comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
1271             if (!WPACKET_put_bytes_u8(pkt, comp->id)) {
1272                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1273                          SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1274                          ERR_R_INTERNAL_ERROR);
1275                 return 0;
1276             }
1277         }
1278     }
1279 #endif
1280     /* Add the NULL method */
1281     if (!WPACKET_put_bytes_u8(pkt, 0) || !WPACKET_close(pkt)) {
1282         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CLIENT_HELLO,
1283                  ERR_R_INTERNAL_ERROR);
1284         return 0;
1285     }
1286 
1287     /* TLS extensions */
1288     if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) {
1289         /* SSLfatal() already called */
1290         return 0;
1291     }
1292 
1293     return 1;
1294 }
1295 
1296 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
1297 {
1298     size_t cookie_len;
1299     PACKET cookiepkt;
1300 
1301     if (!PACKET_forward(pkt, 2)
1302         || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
1303         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
1304                  SSL_R_LENGTH_MISMATCH);
1305         return MSG_PROCESS_ERROR;
1306     }
1307 
1308     cookie_len = PACKET_remaining(&cookiepkt);
1309     if (cookie_len > sizeof(s->d1->cookie)) {
1310         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
1311                  SSL_R_LENGTH_TOO_LONG);
1312         return MSG_PROCESS_ERROR;
1313     }
1314 
1315     if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
1316         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_DTLS_PROCESS_HELLO_VERIFY,
1317                  SSL_R_LENGTH_MISMATCH);
1318         return MSG_PROCESS_ERROR;
1319     }
1320     s->d1->cookie_len = cookie_len;
1321 
1322     return MSG_PROCESS_FINISHED_READING;
1323 }
1324 
1325 static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
1326 {
1327     STACK_OF(SSL_CIPHER) *sk;
1328     const SSL_CIPHER *c;
1329     int i;
1330 
1331     c = ssl_get_cipher_by_char(s, cipherchars, 0);
1332     if (c == NULL) {
1333         /* unknown cipher */
1334         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1335                  SSL_R_UNKNOWN_CIPHER_RETURNED);
1336         return 0;
1337     }
1338     /*
1339      * If it is a disabled cipher we either didn't send it in client hello,
1340      * or it's not allowed for the selected protocol. So we return an error.
1341      */
1342     if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) {
1343         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1344                  SSL_R_WRONG_CIPHER_RETURNED);
1345         return 0;
1346     }
1347 
1348     sk = ssl_get_ciphers_by_id(s);
1349     i = sk_SSL_CIPHER_find(sk, c);
1350     if (i < 0) {
1351         /* we did not say we would use this cipher */
1352         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1353                  SSL_R_WRONG_CIPHER_RETURNED);
1354         return 0;
1355     }
1356 
1357     if (SSL_IS_TLS13(s) && s->s3->tmp.new_cipher != NULL
1358             && s->s3->tmp.new_cipher->id != c->id) {
1359         /* ServerHello selected a different ciphersuite to that in the HRR */
1360         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1361                  SSL_R_WRONG_CIPHER_RETURNED);
1362         return 0;
1363     }
1364 
1365     /*
1366      * Depending on the session caching (internal/external), the cipher
1367      * and/or cipher_id values may not be set. Make sure that cipher_id is
1368      * set and use it for comparison.
1369      */
1370     if (s->session->cipher != NULL)
1371         s->session->cipher_id = s->session->cipher->id;
1372     if (s->hit && (s->session->cipher_id != c->id)) {
1373         if (SSL_IS_TLS13(s)) {
1374             /*
1375              * In TLSv1.3 it is valid for the server to select a different
1376              * ciphersuite as long as the hash is the same.
1377              */
1378             if (ssl_md(c->algorithm2)
1379                     != ssl_md(s->session->cipher->algorithm2)) {
1380                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1381                          SSL_F_SET_CLIENT_CIPHERSUITE,
1382                          SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
1383                 return 0;
1384             }
1385         } else {
1386             /*
1387              * Prior to TLSv1.3 resuming a session always meant using the same
1388              * ciphersuite.
1389              */
1390             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_SET_CLIENT_CIPHERSUITE,
1391                      SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1392             return 0;
1393         }
1394     }
1395     s->s3->tmp.new_cipher = c;
1396 
1397     return 1;
1398 }
1399 
1400 MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
1401 {
1402     PACKET session_id, extpkt;
1403     size_t session_id_len;
1404     const unsigned char *cipherchars;
1405     int hrr = 0;
1406     unsigned int compression;
1407     unsigned int sversion;
1408     unsigned int context;
1409     RAW_EXTENSION *extensions = NULL;
1410 #ifndef OPENSSL_NO_COMP
1411     SSL_COMP *comp;
1412 #endif
1413 
1414     if (!PACKET_get_net_2(pkt, &sversion)) {
1415         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1416                  SSL_R_LENGTH_MISMATCH);
1417         goto err;
1418     }
1419 
1420     /* load the server random */
1421     if (s->version == TLS1_3_VERSION
1422             && sversion == TLS1_2_VERSION
1423             && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE
1424             && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE) == 0) {
1425         if (s->hello_retry_request != SSL_HRR_NONE) {
1426             SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1427                      SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_UNEXPECTED_MESSAGE);
1428             goto err;
1429         }
1430         s->hello_retry_request = SSL_HRR_PENDING;
1431         hrr = 1;
1432         if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE)) {
1433             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1434                      SSL_R_LENGTH_MISMATCH);
1435             goto err;
1436         }
1437     } else {
1438         if (!PACKET_copy_bytes(pkt, s->s3->server_random, SSL3_RANDOM_SIZE)) {
1439             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1440                      SSL_R_LENGTH_MISMATCH);
1441             goto err;
1442         }
1443     }
1444 
1445     /* Get the session-id. */
1446     if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1447         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1448                  SSL_R_LENGTH_MISMATCH);
1449         goto err;
1450     }
1451     session_id_len = PACKET_remaining(&session_id);
1452     if (session_id_len > sizeof(s->session->session_id)
1453         || session_id_len > SSL3_SESSION_ID_SIZE) {
1454         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1455                  SSL_R_SSL3_SESSION_ID_TOO_LONG);
1456         goto err;
1457     }
1458 
1459     if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN)) {
1460         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1461                  SSL_R_LENGTH_MISMATCH);
1462         goto err;
1463     }
1464 
1465     if (!PACKET_get_1(pkt, &compression)) {
1466         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1467                  SSL_R_LENGTH_MISMATCH);
1468         goto err;
1469     }
1470 
1471     /* TLS extensions */
1472     if (PACKET_remaining(pkt) == 0 && !hrr) {
1473         PACKET_null_init(&extpkt);
1474     } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
1475                || PACKET_remaining(pkt) != 0) {
1476         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1477                  SSL_R_BAD_LENGTH);
1478         goto err;
1479     }
1480 
1481     if (!hrr) {
1482         if (!tls_collect_extensions(s, &extpkt,
1483                                     SSL_EXT_TLS1_2_SERVER_HELLO
1484                                     | SSL_EXT_TLS1_3_SERVER_HELLO,
1485                                     &extensions, NULL, 1)) {
1486             /* SSLfatal() already called */
1487             goto err;
1488         }
1489 
1490         if (!ssl_choose_client_version(s, sversion, extensions)) {
1491             /* SSLfatal() already called */
1492             goto err;
1493         }
1494     }
1495 
1496     if (SSL_IS_TLS13(s) || hrr) {
1497         if (compression != 0) {
1498             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1499                      SSL_F_TLS_PROCESS_SERVER_HELLO,
1500                      SSL_R_INVALID_COMPRESSION_ALGORITHM);
1501             goto err;
1502         }
1503 
1504         if (session_id_len != s->tmp_session_id_len
1505                 || memcmp(PACKET_data(&session_id), s->tmp_session_id,
1506                           session_id_len) != 0) {
1507             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1508                      SSL_F_TLS_PROCESS_SERVER_HELLO, SSL_R_INVALID_SESSION_ID);
1509             goto err;
1510         }
1511     }
1512 
1513     if (hrr) {
1514         if (!set_client_ciphersuite(s, cipherchars)) {
1515             /* SSLfatal() already called */
1516             goto err;
1517         }
1518 
1519         return tls_process_as_hello_retry_request(s, &extpkt);
1520     }
1521 
1522     /*
1523      * Now we have chosen the version we need to check again that the extensions
1524      * are appropriate for this version.
1525      */
1526     context = SSL_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO
1527                               : SSL_EXT_TLS1_2_SERVER_HELLO;
1528     if (!tls_validate_all_contexts(s, context, extensions)) {
1529         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1530                  SSL_R_BAD_EXTENSION);
1531         goto err;
1532     }
1533 
1534     s->hit = 0;
1535 
1536     if (SSL_IS_TLS13(s)) {
1537         /*
1538          * In TLSv1.3 a ServerHello message signals a key change so the end of
1539          * the message must be on a record boundary.
1540          */
1541         if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1542             SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1543                      SSL_F_TLS_PROCESS_SERVER_HELLO,
1544                      SSL_R_NOT_ON_RECORD_BOUNDARY);
1545             goto err;
1546         }
1547 
1548         /* This will set s->hit if we are resuming */
1549         if (!tls_parse_extension(s, TLSEXT_IDX_psk,
1550                                  SSL_EXT_TLS1_3_SERVER_HELLO,
1551                                  extensions, NULL, 0)) {
1552             /* SSLfatal() already called */
1553             goto err;
1554         }
1555     } else {
1556         /*
1557          * Check if we can resume the session based on external pre-shared
1558          * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1559          * Resumption based on server-side state works with session IDs.
1560          * Resumption based on pre-shared Protected Access Credentials (PACs)
1561          * works by overriding the SessionTicket extension at the application
1562          * layer, and does not send a session ID. (We do not know whether
1563          * EAP-FAST servers would honour the session ID.) Therefore, the session
1564          * ID alone is not a reliable indicator of session resumption, so we
1565          * first check if we can resume, and later peek at the next handshake
1566          * message to see if the server wants to resume.
1567          */
1568         if (s->version >= TLS1_VERSION
1569                 && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
1570             const SSL_CIPHER *pref_cipher = NULL;
1571             /*
1572              * s->session->master_key_length is a size_t, but this is an int for
1573              * backwards compat reasons
1574              */
1575             int master_key_length;
1576             master_key_length = sizeof(s->session->master_key);
1577             if (s->ext.session_secret_cb(s, s->session->master_key,
1578                                          &master_key_length,
1579                                          NULL, &pref_cipher,
1580                                          s->ext.session_secret_cb_arg)
1581                      && master_key_length > 0) {
1582                 s->session->master_key_length = master_key_length;
1583                 s->session->cipher = pref_cipher ?
1584                     pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
1585             } else {
1586                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1587                          SSL_F_TLS_PROCESS_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
1588                 goto err;
1589             }
1590         }
1591 
1592         if (session_id_len != 0
1593                 && session_id_len == s->session->session_id_length
1594                 && memcmp(PACKET_data(&session_id), s->session->session_id,
1595                           session_id_len) == 0)
1596             s->hit = 1;
1597     }
1598 
1599     if (s->hit) {
1600         if (s->sid_ctx_length != s->session->sid_ctx_length
1601                 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1602             /* actually a client application bug */
1603             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1604                      SSL_F_TLS_PROCESS_SERVER_HELLO,
1605                      SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
1606             goto err;
1607         }
1608     } else {
1609         /*
1610          * If we were trying for session-id reuse but the server
1611          * didn't resume, make a new SSL_SESSION.
1612          * In the case of EAP-FAST and PAC, we do not send a session ID,
1613          * so the PAC-based session secret is always preserved. It'll be
1614          * overwritten if the server refuses resumption.
1615          */
1616         if (s->session->session_id_length > 0) {
1617             tsan_counter(&s->session_ctx->stats.sess_miss);
1618             if (!ssl_get_new_session(s, 0)) {
1619                 /* SSLfatal() already called */
1620                 goto err;
1621             }
1622         }
1623 
1624         s->session->ssl_version = s->version;
1625         /*
1626          * In TLSv1.2 and below we save the session id we were sent so we can
1627          * resume it later. In TLSv1.3 the session id we were sent is just an
1628          * echo of what we originally sent in the ClientHello and should not be
1629          * used for resumption.
1630          */
1631         if (!SSL_IS_TLS13(s)) {
1632             s->session->session_id_length = session_id_len;
1633             /* session_id_len could be 0 */
1634             if (session_id_len > 0)
1635                 memcpy(s->session->session_id, PACKET_data(&session_id),
1636                        session_id_len);
1637         }
1638     }
1639 
1640     /* Session version and negotiated protocol version should match */
1641     if (s->version != s->session->ssl_version) {
1642         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_TLS_PROCESS_SERVER_HELLO,
1643                  SSL_R_SSL_SESSION_VERSION_MISMATCH);
1644         goto err;
1645     }
1646     /*
1647      * Now that we know the version, update the check to see if it's an allowed
1648      * version.
1649      */
1650     s->s3->tmp.min_ver = s->version;
1651     s->s3->tmp.max_ver = s->version;
1652 
1653     if (!set_client_ciphersuite(s, cipherchars)) {
1654         /* SSLfatal() already called */
1655         goto err;
1656     }
1657 
1658 #ifdef OPENSSL_NO_COMP
1659     if (compression != 0) {
1660         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1661                  SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1662         goto err;
1663     }
1664     /*
1665      * If compression is disabled we'd better not try to resume a session
1666      * using compression.
1667      */
1668     if (s->session->compress_meth != 0) {
1669         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SERVER_HELLO,
1670                  SSL_R_INCONSISTENT_COMPRESSION);
1671         goto err;
1672     }
1673 #else
1674     if (s->hit && compression != s->session->compress_meth) {
1675         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1676                  SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED);
1677         goto err;
1678     }
1679     if (compression == 0)
1680         comp = NULL;
1681     else if (!ssl_allow_compression(s)) {
1682         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1683                  SSL_R_COMPRESSION_DISABLED);
1684         goto err;
1685     } else {
1686         comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1687     }
1688 
1689     if (compression != 0 && comp == NULL) {
1690         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SERVER_HELLO,
1691                  SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1692         goto err;
1693     } else {
1694         s->s3->tmp.new_compression = comp;
1695     }
1696 #endif
1697 
1698     if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) {
1699         /* SSLfatal() already called */
1700         goto err;
1701     }
1702 
1703 #ifndef OPENSSL_NO_SCTP
1704     if (SSL_IS_DTLS(s) && s->hit) {
1705         unsigned char sctpauthkey[64];
1706         char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1707         size_t labellen;
1708 
1709         /*
1710          * Add new shared key for SCTP-Auth, will be ignored if
1711          * no SCTP used.
1712          */
1713         memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1714                sizeof(DTLS1_SCTP_AUTH_LABEL));
1715 
1716         /* Don't include the terminating zero. */
1717         labellen = sizeof(labelbuffer) - 1;
1718         if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
1719             labellen += 1;
1720 
1721         if (SSL_export_keying_material(s, sctpauthkey,
1722                                        sizeof(sctpauthkey),
1723                                        labelbuffer,
1724                                        labellen, NULL, 0, 0) <= 0) {
1725             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_HELLO,
1726                      ERR_R_INTERNAL_ERROR);
1727             goto err;
1728         }
1729 
1730         BIO_ctrl(SSL_get_wbio(s),
1731                  BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1732                  sizeof(sctpauthkey), sctpauthkey);
1733     }
1734 #endif
1735 
1736     /*
1737      * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1738      * we're done with this message
1739      */
1740     if (SSL_IS_TLS13(s)
1741             && (!s->method->ssl3_enc->setup_key_block(s)
1742                 || !s->method->ssl3_enc->change_cipher_state(s,
1743                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_READ))) {
1744         /* SSLfatal() already called */
1745         goto err;
1746     }
1747 
1748     OPENSSL_free(extensions);
1749     return MSG_PROCESS_CONTINUE_READING;
1750  err:
1751     OPENSSL_free(extensions);
1752     return MSG_PROCESS_ERROR;
1753 }
1754 
1755 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s,
1756                                                              PACKET *extpkt)
1757 {
1758     RAW_EXTENSION *extensions = NULL;
1759 
1760     /*
1761      * If we were sending early_data then the enc_write_ctx is now invalid and
1762      * should not be used.
1763      */
1764     EVP_CIPHER_CTX_free(s->enc_write_ctx);
1765     s->enc_write_ctx = NULL;
1766 
1767     if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
1768                                 &extensions, NULL, 1)
1769             || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST,
1770                                          extensions, NULL, 0, 1)) {
1771         /* SSLfatal() already called */
1772         goto err;
1773     }
1774 
1775     OPENSSL_free(extensions);
1776     extensions = NULL;
1777 
1778     if (s->ext.tls13_cookie_len == 0
1779 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
1780         && s->s3->tmp.pkey != NULL
1781 #endif
1782         ) {
1783         /*
1784          * We didn't receive a cookie or a new key_share so the next
1785          * ClientHello will not change
1786          */
1787         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1788                  SSL_F_TLS_PROCESS_AS_HELLO_RETRY_REQUEST,
1789                  SSL_R_NO_CHANGE_FOLLOWING_HRR);
1790         goto err;
1791     }
1792 
1793     /*
1794      * Re-initialise the Transcript Hash. We're going to prepopulate it with
1795      * a synthetic message_hash in place of ClientHello1.
1796      */
1797     if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) {
1798         /* SSLfatal() already called */
1799         goto err;
1800     }
1801 
1802     /*
1803      * Add this message to the Transcript Hash. Normally this is done
1804      * automatically prior to the message processing stage. However due to the
1805      * need to create the synthetic message hash, we defer that step until now
1806      * for HRR messages.
1807      */
1808     if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1809                                 s->init_num + SSL3_HM_HEADER_LENGTH)) {
1810         /* SSLfatal() already called */
1811         goto err;
1812     }
1813 
1814     return MSG_PROCESS_FINISHED_READING;
1815  err:
1816     OPENSSL_free(extensions);
1817     return MSG_PROCESS_ERROR;
1818 }
1819 
1820 MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
1821 {
1822     int i;
1823     MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
1824     unsigned long cert_list_len, cert_len;
1825     X509 *x = NULL;
1826     const unsigned char *certstart, *certbytes;
1827     STACK_OF(X509) *sk = NULL;
1828     EVP_PKEY *pkey = NULL;
1829     size_t chainidx, certidx;
1830     unsigned int context = 0;
1831     const SSL_CERT_LOOKUP *clu;
1832 
1833     if ((sk = sk_X509_new_null()) == NULL) {
1834         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1835                  ERR_R_MALLOC_FAILURE);
1836         goto err;
1837     }
1838 
1839     if ((SSL_IS_TLS13(s) && !PACKET_get_1(pkt, &context))
1840             || context != 0
1841             || !PACKET_get_net_3(pkt, &cert_list_len)
1842             || PACKET_remaining(pkt) != cert_list_len
1843             || PACKET_remaining(pkt) == 0) {
1844         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1845                  SSL_R_LENGTH_MISMATCH);
1846         goto err;
1847     }
1848     for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
1849         if (!PACKET_get_net_3(pkt, &cert_len)
1850             || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
1851             SSLfatal(s, SSL_AD_DECODE_ERROR,
1852                      SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1853                      SSL_R_CERT_LENGTH_MISMATCH);
1854             goto err;
1855         }
1856 
1857         certstart = certbytes;
1858         x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len);
1859         if (x == NULL) {
1860             SSLfatal(s, SSL_AD_BAD_CERTIFICATE,
1861                      SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB);
1862             goto err;
1863         }
1864         if (certbytes != (certstart + cert_len)) {
1865             SSLfatal(s, SSL_AD_DECODE_ERROR,
1866                      SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1867                      SSL_R_CERT_LENGTH_MISMATCH);
1868             goto err;
1869         }
1870 
1871         if (SSL_IS_TLS13(s)) {
1872             RAW_EXTENSION *rawexts = NULL;
1873             PACKET extensions;
1874 
1875             if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
1876                 SSLfatal(s, SSL_AD_DECODE_ERROR,
1877                          SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1878                          SSL_R_BAD_LENGTH);
1879                 goto err;
1880             }
1881             if (!tls_collect_extensions(s, &extensions,
1882                                         SSL_EXT_TLS1_3_CERTIFICATE, &rawexts,
1883                                         NULL, chainidx == 0)
1884                 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE,
1885                                              rawexts, x, chainidx,
1886                                              PACKET_remaining(pkt) == 0)) {
1887                 OPENSSL_free(rawexts);
1888                 /* SSLfatal already called */
1889                 goto err;
1890             }
1891             OPENSSL_free(rawexts);
1892         }
1893 
1894         if (!sk_X509_push(sk, x)) {
1895             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
1896                      SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1897                      ERR_R_MALLOC_FAILURE);
1898             goto err;
1899         }
1900         x = NULL;
1901     }
1902 
1903     i = ssl_verify_cert_chain(s, sk);
1904     /*
1905      * The documented interface is that SSL_VERIFY_PEER should be set in order
1906      * for client side verification of the server certificate to take place.
1907      * However, historically the code has only checked that *any* flag is set
1908      * to cause server verification to take place. Use of the other flags makes
1909      * no sense in client mode. An attempt to clean up the semantics was
1910      * reverted because at least one application *only* set
1911      * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
1912      * server verification to take place, after the clean up it silently did
1913      * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
1914      * sent to them because they are void functions. Therefore, we now use the
1915      * (less clean) historic behaviour of performing validation if any flag is
1916      * set. The *documented* interface remains the same.
1917      */
1918     if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
1919         SSLfatal(s, ssl_x509err2alert(s->verify_result),
1920                  SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1921                  SSL_R_CERTIFICATE_VERIFY_FAILED);
1922         goto err;
1923     }
1924     ERR_clear_error();          /* but we keep s->verify_result */
1925     if (i > 1) {
1926         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
1927                  SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, i);
1928         goto err;
1929     }
1930 
1931     s->session->peer_chain = sk;
1932     /*
1933      * Inconsistency alert: cert_chain does include the peer's certificate,
1934      * which we don't include in statem_srvr.c
1935      */
1936     x = sk_X509_value(sk, 0);
1937     sk = NULL;
1938 
1939     pkey = X509_get0_pubkey(x);
1940 
1941     if (pkey == NULL || EVP_PKEY_missing_parameters(pkey)) {
1942         x = NULL;
1943         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1944                  SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS);
1945         goto err;
1946     }
1947 
1948     if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL) {
1949         x = NULL;
1950         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1951                  SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1952                  SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1953         goto err;
1954     }
1955     /*
1956      * Check certificate type is consistent with ciphersuite. For TLS 1.3
1957      * skip check since TLS 1.3 ciphersuites can be used with any certificate
1958      * type.
1959      */
1960     if (!SSL_IS_TLS13(s)) {
1961         if ((clu->amask & s->s3->tmp.new_cipher->algorithm_auth) == 0) {
1962             x = NULL;
1963             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1964                      SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
1965                      SSL_R_WRONG_CERTIFICATE_TYPE);
1966             goto err;
1967         }
1968     }
1969 
1970     X509_free(s->session->peer);
1971     X509_up_ref(x);
1972     s->session->peer = x;
1973     s->session->verify_result = s->verify_result;
1974     x = NULL;
1975 
1976     /* Save the current hash state for when we receive the CertificateVerify */
1977     if (SSL_IS_TLS13(s)
1978             && !ssl_handshake_hash(s, s->cert_verify_hash,
1979                                    sizeof(s->cert_verify_hash),
1980                                    &s->cert_verify_hash_len)) {
1981         /* SSLfatal() already called */;
1982         goto err;
1983     }
1984 
1985     ret = MSG_PROCESS_CONTINUE_READING;
1986 
1987  err:
1988     X509_free(x);
1989     sk_X509_pop_free(sk, X509_free);
1990     return ret;
1991 }
1992 
1993 static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt)
1994 {
1995 #ifndef OPENSSL_NO_PSK
1996     PACKET psk_identity_hint;
1997 
1998     /* PSK ciphersuites are preceded by an identity hint */
1999 
2000     if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
2001         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
2002                  SSL_R_LENGTH_MISMATCH);
2003         return 0;
2004     }
2005 
2006     /*
2007      * Store PSK identity hint for later use, hint is used in
2008      * tls_construct_client_key_exchange.  Assume that the maximum length of
2009      * a PSK identity hint can be as long as the maximum length of a PSK
2010      * identity.
2011      */
2012     if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN) {
2013         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2014                  SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
2015                  SSL_R_DATA_LENGTH_TOO_LONG);
2016         return 0;
2017     }
2018 
2019     if (PACKET_remaining(&psk_identity_hint) == 0) {
2020         OPENSSL_free(s->session->psk_identity_hint);
2021         s->session->psk_identity_hint = NULL;
2022     } else if (!PACKET_strndup(&psk_identity_hint,
2023                                &s->session->psk_identity_hint)) {
2024         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
2025                  ERR_R_INTERNAL_ERROR);
2026         return 0;
2027     }
2028 
2029     return 1;
2030 #else
2031     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_PSK_PREAMBLE,
2032              ERR_R_INTERNAL_ERROR);
2033     return 0;
2034 #endif
2035 }
2036 
2037 static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
2038 {
2039 #ifndef OPENSSL_NO_SRP
2040     PACKET prime, generator, salt, server_pub;
2041 
2042     if (!PACKET_get_length_prefixed_2(pkt, &prime)
2043         || !PACKET_get_length_prefixed_2(pkt, &generator)
2044         || !PACKET_get_length_prefixed_1(pkt, &salt)
2045         || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
2046         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_SRP,
2047                  SSL_R_LENGTH_MISMATCH);
2048         return 0;
2049     }
2050 
2051     /* TODO(size_t): Convert BN_bin2bn() calls */
2052     if ((s->srp_ctx.N =
2053          BN_bin2bn(PACKET_data(&prime),
2054                    (int)PACKET_remaining(&prime), NULL)) == NULL
2055         || (s->srp_ctx.g =
2056             BN_bin2bn(PACKET_data(&generator),
2057                       (int)PACKET_remaining(&generator), NULL)) == NULL
2058         || (s->srp_ctx.s =
2059             BN_bin2bn(PACKET_data(&salt),
2060                       (int)PACKET_remaining(&salt), NULL)) == NULL
2061         || (s->srp_ctx.B =
2062             BN_bin2bn(PACKET_data(&server_pub),
2063                       (int)PACKET_remaining(&server_pub), NULL)) == NULL) {
2064         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP,
2065                  ERR_R_BN_LIB);
2066         return 0;
2067     }
2068 
2069     if (!srp_verify_server_param(s)) {
2070         /* SSLfatal() already called */
2071         return 0;
2072     }
2073 
2074     /* We must check if there is a certificate */
2075     if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
2076         *pkey = X509_get0_pubkey(s->session->peer);
2077 
2078     return 1;
2079 #else
2080     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_SRP,
2081              ERR_R_INTERNAL_ERROR);
2082     return 0;
2083 #endif
2084 }
2085 
2086 static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
2087 {
2088 #ifndef OPENSSL_NO_DH
2089     PACKET prime, generator, pub_key;
2090     EVP_PKEY *peer_tmp = NULL;
2091 
2092     DH *dh = NULL;
2093     BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
2094 
2095     int check_bits = 0;
2096 
2097     if (!PACKET_get_length_prefixed_2(pkt, &prime)
2098         || !PACKET_get_length_prefixed_2(pkt, &generator)
2099         || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
2100         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2101                  SSL_R_LENGTH_MISMATCH);
2102         return 0;
2103     }
2104 
2105     peer_tmp = EVP_PKEY_new();
2106     dh = DH_new();
2107 
2108     if (peer_tmp == NULL || dh == NULL) {
2109         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2110                  ERR_R_MALLOC_FAILURE);
2111         goto err;
2112     }
2113 
2114     /* TODO(size_t): Convert these calls */
2115     p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL);
2116     g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
2117                   NULL);
2118     bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
2119                           (int)PACKET_remaining(&pub_key), NULL);
2120     if (p == NULL || g == NULL || bnpub_key == NULL) {
2121         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2122                  ERR_R_BN_LIB);
2123         goto err;
2124     }
2125 
2126     /* test non-zero pubkey */
2127     if (BN_is_zero(bnpub_key)) {
2128         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE,
2129                  SSL_R_BAD_DH_VALUE);
2130         goto err;
2131     }
2132 
2133     if (!DH_set0_pqg(dh, p, NULL, g)) {
2134         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2135                  ERR_R_BN_LIB);
2136         goto err;
2137     }
2138     p = g = NULL;
2139 
2140     if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) {
2141         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_DHE,
2142                  SSL_R_BAD_DH_VALUE);
2143         goto err;
2144     }
2145 
2146     if (!DH_set0_key(dh, bnpub_key, NULL)) {
2147         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2148                  ERR_R_BN_LIB);
2149         goto err;
2150     }
2151     bnpub_key = NULL;
2152 
2153     if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
2154         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2155                  ERR_R_EVP_LIB);
2156         goto err;
2157     }
2158     dh = NULL;
2159 
2160     if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
2161                       0, peer_tmp)) {
2162         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
2163                  SSL_R_DH_KEY_TOO_SMALL);
2164         goto err;
2165     }
2166 
2167     s->s3->peer_tmp = peer_tmp;
2168 
2169     /*
2170      * FIXME: This makes assumptions about which ciphersuites come with
2171      * public keys. We should have a less ad-hoc way of doing this
2172      */
2173     if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS))
2174         *pkey = X509_get0_pubkey(s->session->peer);
2175     /* else anonymous DH, so no certificate or pkey. */
2176 
2177     return 1;
2178 
2179  err:
2180     BN_free(p);
2181     BN_free(g);
2182     BN_free(bnpub_key);
2183     DH_free(dh);
2184     EVP_PKEY_free(peer_tmp);
2185 
2186     return 0;
2187 #else
2188     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
2189              ERR_R_INTERNAL_ERROR);
2190     return 0;
2191 #endif
2192 }
2193 
2194 static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
2195 {
2196 #ifndef OPENSSL_NO_EC
2197     PACKET encoded_pt;
2198     unsigned int curve_type, curve_id;
2199 
2200     /*
2201      * Extract elliptic curve parameters and the server's ephemeral ECDH
2202      * public key. We only support named (not generic) curves and
2203      * ECParameters in this case is just three bytes.
2204      */
2205     if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) {
2206         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2207                  SSL_R_LENGTH_TOO_SHORT);
2208         return 0;
2209     }
2210     /*
2211      * Check curve is named curve type and one of our preferences, if not
2212      * server has sent an invalid curve.
2213      */
2214     if (curve_type != NAMED_CURVE_TYPE
2215             || !tls1_check_group_id(s, curve_id, 1)) {
2216         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE,
2217                  SSL_R_WRONG_CURVE);
2218         return 0;
2219     }
2220 
2221     if ((s->s3->peer_tmp = ssl_generate_param_group(curve_id)) == NULL) {
2222         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2223                  SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS);
2224         return 0;
2225     }
2226 
2227     if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
2228         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2229                  SSL_R_LENGTH_MISMATCH);
2230         return 0;
2231     }
2232 
2233     if (!EVP_PKEY_set1_tls_encodedpoint(s->s3->peer_tmp,
2234                                         PACKET_data(&encoded_pt),
2235                                         PACKET_remaining(&encoded_pt))) {
2236         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_SKE_ECDHE,
2237                  SSL_R_BAD_ECPOINT);
2238         return 0;
2239     }
2240 
2241     /*
2242      * The ECC/TLS specification does not mention the use of DSA to sign
2243      * ECParameters in the server key exchange message. We do support RSA
2244      * and ECDSA.
2245      */
2246     if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aECDSA)
2247         *pkey = X509_get0_pubkey(s->session->peer);
2248     else if (s->s3->tmp.new_cipher->algorithm_auth & SSL_aRSA)
2249         *pkey = X509_get0_pubkey(s->session->peer);
2250     /* else anonymous ECDH, so no certificate or pkey. */
2251 
2252     return 1;
2253 #else
2254     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_ECDHE,
2255              ERR_R_INTERNAL_ERROR);
2256     return 0;
2257 #endif
2258 }
2259 
2260 MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
2261 {
2262     long alg_k;
2263     EVP_PKEY *pkey = NULL;
2264     EVP_MD_CTX *md_ctx = NULL;
2265     EVP_PKEY_CTX *pctx = NULL;
2266     PACKET save_param_start, signature;
2267 
2268     alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
2269 
2270     save_param_start = *pkt;
2271 
2272 #if !defined(OPENSSL_NO_EC) || !defined(OPENSSL_NO_DH)
2273     EVP_PKEY_free(s->s3->peer_tmp);
2274     s->s3->peer_tmp = NULL;
2275 #endif
2276 
2277     if (alg_k & SSL_PSK) {
2278         if (!tls_process_ske_psk_preamble(s, pkt)) {
2279             /* SSLfatal() already called */
2280             goto err;
2281         }
2282     }
2283 
2284     /* Nothing else to do for plain PSK or RSAPSK */
2285     if (alg_k & (SSL_kPSK | SSL_kRSAPSK)) {
2286     } else if (alg_k & SSL_kSRP) {
2287         if (!tls_process_ske_srp(s, pkt, &pkey)) {
2288             /* SSLfatal() already called */
2289             goto err;
2290         }
2291     } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
2292         if (!tls_process_ske_dhe(s, pkt, &pkey)) {
2293             /* SSLfatal() already called */
2294             goto err;
2295         }
2296     } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
2297         if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
2298             /* SSLfatal() already called */
2299             goto err;
2300         }
2301     } else if (alg_k) {
2302         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2303                  SSL_R_UNEXPECTED_MESSAGE);
2304         goto err;
2305     }
2306 
2307     /* if it was signed, check the signature */
2308     if (pkey != NULL) {
2309         PACKET params;
2310         int maxsig;
2311         const EVP_MD *md = NULL;
2312         unsigned char *tbs;
2313         size_t tbslen;
2314         int rv;
2315 
2316         /*
2317          * |pkt| now points to the beginning of the signature, so the difference
2318          * equals the length of the parameters.
2319          */
2320         if (!PACKET_get_sub_packet(&save_param_start, &params,
2321                                    PACKET_remaining(&save_param_start) -
2322                                    PACKET_remaining(pkt))) {
2323             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2324                      ERR_R_INTERNAL_ERROR);
2325             goto err;
2326         }
2327 
2328         if (SSL_USE_SIGALGS(s)) {
2329             unsigned int sigalg;
2330 
2331             if (!PACKET_get_net_2(pkt, &sigalg)) {
2332                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2333                          SSL_R_LENGTH_TOO_SHORT);
2334                 goto err;
2335             }
2336             if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
2337                 /* SSLfatal() already called */
2338                 goto err;
2339             }
2340         } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
2341             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2342                      ERR_R_INTERNAL_ERROR);
2343             goto err;
2344         }
2345 
2346         if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
2347             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2348                      ERR_R_INTERNAL_ERROR);
2349             goto err;
2350         }
2351 #ifdef SSL_DEBUG
2352         if (SSL_USE_SIGALGS(s))
2353             fprintf(stderr, "USING TLSv1.2 HASH %s\n",
2354                     md == NULL ? "n/a" : EVP_MD_name(md));
2355 #endif
2356 
2357         if (!PACKET_get_length_prefixed_2(pkt, &signature)
2358             || PACKET_remaining(pkt) != 0) {
2359             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2360                      SSL_R_LENGTH_MISMATCH);
2361             goto err;
2362         }
2363         maxsig = EVP_PKEY_size(pkey);
2364         if (maxsig < 0) {
2365             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2366                      ERR_R_INTERNAL_ERROR);
2367             goto err;
2368         }
2369 
2370         /*
2371          * Check signature length
2372          */
2373         if (PACKET_remaining(&signature) > (size_t)maxsig) {
2374             /* wrong packet length */
2375             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2376                    SSL_R_WRONG_SIGNATURE_LENGTH);
2377             goto err;
2378         }
2379 
2380         md_ctx = EVP_MD_CTX_new();
2381         if (md_ctx == NULL) {
2382             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2383                      ERR_R_MALLOC_FAILURE);
2384             goto err;
2385         }
2386 
2387         if (EVP_DigestVerifyInit(md_ctx, &pctx, md, NULL, pkey) <= 0) {
2388             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2389                      ERR_R_EVP_LIB);
2390             goto err;
2391         }
2392         if (SSL_USE_PSS(s)) {
2393             if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
2394                 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
2395                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
2396                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2397                          SSL_F_TLS_PROCESS_KEY_EXCHANGE, ERR_R_EVP_LIB);
2398                 goto err;
2399             }
2400         }
2401         tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
2402                                             PACKET_remaining(&params));
2403         if (tbslen == 0) {
2404             /* SSLfatal() already called */
2405             goto err;
2406         }
2407 
2408         rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
2409                               PACKET_remaining(&signature), tbs, tbslen);
2410         OPENSSL_free(tbs);
2411         if (rv <= 0) {
2412             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2413                      SSL_R_BAD_SIGNATURE);
2414             goto err;
2415         }
2416         EVP_MD_CTX_free(md_ctx);
2417         md_ctx = NULL;
2418     } else {
2419         /* aNULL, aSRP or PSK do not need public keys */
2420         if (!(s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP))
2421             && !(alg_k & SSL_PSK)) {
2422             /* Might be wrong key type, check it */
2423             if (ssl3_check_cert_and_algorithm(s)) {
2424                 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2425                          SSL_R_BAD_DATA);
2426             }
2427             /* else this shouldn't happen, SSLfatal() already called */
2428             goto err;
2429         }
2430         /* still data left over */
2431         if (PACKET_remaining(pkt) != 0) {
2432             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
2433                      SSL_R_EXTRA_DATA_IN_MESSAGE);
2434             goto err;
2435         }
2436     }
2437 
2438     return MSG_PROCESS_CONTINUE_READING;
2439  err:
2440     EVP_MD_CTX_free(md_ctx);
2441     return MSG_PROCESS_ERROR;
2442 }
2443 
2444 MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
2445 {
2446     size_t i;
2447 
2448     /* Clear certificate validity flags */
2449     for (i = 0; i < SSL_PKEY_NUM; i++)
2450         s->s3->tmp.valid_flags[i] = 0;
2451 
2452     if (SSL_IS_TLS13(s)) {
2453         PACKET reqctx, extensions;
2454         RAW_EXTENSION *rawexts = NULL;
2455 
2456         if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
2457             /*
2458              * We already sent close_notify. This can only happen in TLSv1.3
2459              * post-handshake messages. We can't reasonably respond to this, so
2460              * we just ignore it
2461              */
2462             return MSG_PROCESS_FINISHED_READING;
2463         }
2464 
2465         /* Free and zero certificate types: it is not present in TLS 1.3 */
2466         OPENSSL_free(s->s3->tmp.ctype);
2467         s->s3->tmp.ctype = NULL;
2468         s->s3->tmp.ctype_len = 0;
2469         OPENSSL_free(s->pha_context);
2470         s->pha_context = NULL;
2471         s->pha_context_len = 0;
2472 
2473         if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
2474             !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
2475             SSLfatal(s, SSL_AD_DECODE_ERROR,
2476                      SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2477                      SSL_R_LENGTH_MISMATCH);
2478             return MSG_PROCESS_ERROR;
2479         }
2480 
2481         if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
2482             SSLfatal(s, SSL_AD_DECODE_ERROR,
2483                      SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2484                      SSL_R_BAD_LENGTH);
2485             return MSG_PROCESS_ERROR;
2486         }
2487         if (!tls_collect_extensions(s, &extensions,
2488                                     SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
2489                                     &rawexts, NULL, 1)
2490             || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST,
2491                                          rawexts, NULL, 0, 1)) {
2492             /* SSLfatal() already called */
2493             OPENSSL_free(rawexts);
2494             return MSG_PROCESS_ERROR;
2495         }
2496         OPENSSL_free(rawexts);
2497         if (!tls1_process_sigalgs(s)) {
2498             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2499                      SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2500                      SSL_R_BAD_LENGTH);
2501             return MSG_PROCESS_ERROR;
2502         }
2503     } else {
2504         PACKET ctypes;
2505 
2506         /* get the certificate types */
2507         if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
2508             SSLfatal(s, SSL_AD_DECODE_ERROR,
2509                      SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2510                      SSL_R_LENGTH_MISMATCH);
2511             return MSG_PROCESS_ERROR;
2512         }
2513 
2514         if (!PACKET_memdup(&ctypes, &s->s3->tmp.ctype, &s->s3->tmp.ctype_len)) {
2515             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2516                      SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2517                      ERR_R_INTERNAL_ERROR);
2518             return MSG_PROCESS_ERROR;
2519         }
2520 
2521         if (SSL_USE_SIGALGS(s)) {
2522             PACKET sigalgs;
2523 
2524             if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
2525                 SSLfatal(s, SSL_AD_DECODE_ERROR,
2526                          SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2527                          SSL_R_LENGTH_MISMATCH);
2528                 return MSG_PROCESS_ERROR;
2529             }
2530 
2531             /*
2532              * Despite this being for certificates, preserve compatibility
2533              * with pre-TLS 1.3 and use the regular sigalgs field.
2534              */
2535             if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
2536                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2537                          SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2538                          SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2539                 return MSG_PROCESS_ERROR;
2540             }
2541             if (!tls1_process_sigalgs(s)) {
2542                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2543                          SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2544                          ERR_R_MALLOC_FAILURE);
2545                 return MSG_PROCESS_ERROR;
2546             }
2547         }
2548 
2549         /* get the CA RDNs */
2550         if (!parse_ca_names(s, pkt)) {
2551             /* SSLfatal() already called */
2552             return MSG_PROCESS_ERROR;
2553         }
2554     }
2555 
2556     if (PACKET_remaining(pkt) != 0) {
2557         SSLfatal(s, SSL_AD_DECODE_ERROR,
2558                  SSL_F_TLS_PROCESS_CERTIFICATE_REQUEST,
2559                  SSL_R_LENGTH_MISMATCH);
2560         return MSG_PROCESS_ERROR;
2561     }
2562 
2563     /* we should setup a certificate to return.... */
2564     s->s3->tmp.cert_req = 1;
2565 
2566     /*
2567      * In TLSv1.3 we don't prepare the client certificate yet. We wait until
2568      * after the CertificateVerify message has been received. This is because
2569      * in TLSv1.3 the CertificateRequest arrives before the Certificate message
2570      * but in TLSv1.2 it is the other way around. We want to make sure that
2571      * SSL_get_peer_certificate() returns something sensible in
2572      * client_cert_cb.
2573      */
2574     if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED)
2575         return MSG_PROCESS_CONTINUE_READING;
2576 
2577     return MSG_PROCESS_CONTINUE_PROCESSING;
2578 }
2579 
2580 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
2581 {
2582     unsigned int ticklen;
2583     unsigned long ticket_lifetime_hint, age_add = 0;
2584     unsigned int sess_len;
2585     RAW_EXTENSION *exts = NULL;
2586     PACKET nonce;
2587 
2588     PACKET_null_init(&nonce);
2589 
2590     if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
2591         || (SSL_IS_TLS13(s)
2592             && (!PACKET_get_net_4(pkt, &age_add)
2593                 || !PACKET_get_length_prefixed_1(pkt, &nonce)))
2594         || !PACKET_get_net_2(pkt, &ticklen)
2595         || (SSL_IS_TLS13(s) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen)
2596                             : PACKET_remaining(pkt) != ticklen)) {
2597         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2598                  SSL_R_LENGTH_MISMATCH);
2599         goto err;
2600     }
2601 
2602     /*
2603      * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2604      * ticket. We already checked this TLSv1.3 case above, so it should never
2605      * be 0 here in that instance
2606      */
2607     if (ticklen == 0)
2608         return MSG_PROCESS_CONTINUE_READING;
2609 
2610     /*
2611      * Sessions must be immutable once they go into the session cache. Otherwise
2612      * we can get multi-thread problems. Therefore we don't "update" sessions,
2613      * we replace them with a duplicate. In TLSv1.3 we need to do this every
2614      * time a NewSessionTicket arrives because those messages arrive
2615      * post-handshake and the session may have already gone into the session
2616      * cache.
2617      */
2618     if (SSL_IS_TLS13(s) || s->session->session_id_length > 0) {
2619         SSL_SESSION *new_sess;
2620 
2621         /*
2622          * We reused an existing session, so we need to replace it with a new
2623          * one
2624          */
2625         if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2626             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2627                      SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2628                      ERR_R_MALLOC_FAILURE);
2629             goto err;
2630         }
2631 
2632         if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0
2633                 && !SSL_IS_TLS13(s)) {
2634             /*
2635              * In TLSv1.2 and below the arrival of a new tickets signals that
2636              * any old ticket we were using is now out of date, so we remove the
2637              * old session from the cache. We carry on if this fails
2638              */
2639             SSL_CTX_remove_session(s->session_ctx, s->session);
2640         }
2641 
2642         SSL_SESSION_free(s->session);
2643         s->session = new_sess;
2644     }
2645 
2646     /*
2647      * Technically the cast to long here is not guaranteed by the C standard -
2648      * but we use it elsewhere, so this should be ok.
2649      */
2650     s->session->time = (long)time(NULL);
2651 
2652     OPENSSL_free(s->session->ext.tick);
2653     s->session->ext.tick = NULL;
2654     s->session->ext.ticklen = 0;
2655 
2656     s->session->ext.tick = OPENSSL_malloc(ticklen);
2657     if (s->session->ext.tick == NULL) {
2658         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2659                  ERR_R_MALLOC_FAILURE);
2660         goto err;
2661     }
2662     if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
2663         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2664                  SSL_R_LENGTH_MISMATCH);
2665         goto err;
2666     }
2667 
2668     s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
2669     s->session->ext.tick_age_add = age_add;
2670     s->session->ext.ticklen = ticklen;
2671 
2672     if (SSL_IS_TLS13(s)) {
2673         PACKET extpkt;
2674 
2675         if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
2676                 || PACKET_remaining(pkt) != 0) {
2677             SSLfatal(s, SSL_AD_DECODE_ERROR,
2678                      SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2679                      SSL_R_LENGTH_MISMATCH);
2680             goto err;
2681         }
2682 
2683         if (!tls_collect_extensions(s, &extpkt,
2684                                     SSL_EXT_TLS1_3_NEW_SESSION_TICKET, &exts,
2685                                     NULL, 1)
2686                 || !tls_parse_all_extensions(s,
2687                                              SSL_EXT_TLS1_3_NEW_SESSION_TICKET,
2688                                              exts, NULL, 0, 1)) {
2689             /* SSLfatal() already called */
2690             goto err;
2691         }
2692     }
2693 
2694     /*
2695      * There are two ways to detect a resumed ticket session. One is to set
2696      * an appropriate session ID and then the server must return a match in
2697      * ServerHello. This allows the normal client session ID matching to work
2698      * and we know much earlier that the ticket has been accepted. The
2699      * other way is to set zero length session ID when the ticket is
2700      * presented and rely on the handshake to determine session resumption.
2701      * We choose the former approach because this fits in with assumptions
2702      * elsewhere in OpenSSL. The session ID is set to the SHA256 (or SHA1 is
2703      * SHA256 is disabled) hash of the ticket.
2704      */
2705     /*
2706      * TODO(size_t): we use sess_len here because EVP_Digest expects an int
2707      * but s->session->session_id_length is a size_t
2708      */
2709     if (!EVP_Digest(s->session->ext.tick, ticklen,
2710                     s->session->session_id, &sess_len,
2711                     EVP_sha256(), NULL)) {
2712         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2713                  ERR_R_EVP_LIB);
2714         goto err;
2715     }
2716     s->session->session_id_length = sess_len;
2717     s->session->not_resumable = 0;
2718 
2719     /* This is a standalone message in TLSv1.3, so there is no more to read */
2720     if (SSL_IS_TLS13(s)) {
2721         const EVP_MD *md = ssl_handshake_md(s);
2722         int hashleni = EVP_MD_size(md);
2723         size_t hashlen;
2724         static const unsigned char nonce_label[] = "resumption";
2725 
2726         /* Ensure cast to size_t is safe */
2727         if (!ossl_assert(hashleni >= 0)) {
2728             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2729                      SSL_F_TLS_PROCESS_NEW_SESSION_TICKET,
2730                      ERR_R_INTERNAL_ERROR);
2731             goto err;
2732         }
2733         hashlen = (size_t)hashleni;
2734 
2735         if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
2736                                nonce_label,
2737                                sizeof(nonce_label) - 1,
2738                                PACKET_data(&nonce),
2739                                PACKET_remaining(&nonce),
2740                                s->session->master_key,
2741                                hashlen, 1)) {
2742             /* SSLfatal() already called */
2743             goto err;
2744         }
2745         s->session->master_key_length = hashlen;
2746 
2747         OPENSSL_free(exts);
2748         ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
2749         return MSG_PROCESS_FINISHED_READING;
2750     }
2751 
2752     return MSG_PROCESS_CONTINUE_READING;
2753  err:
2754     OPENSSL_free(exts);
2755     return MSG_PROCESS_ERROR;
2756 }
2757 
2758 /*
2759  * In TLSv1.3 this is called from the extensions code, otherwise it is used to
2760  * parse a separate message. Returns 1 on success or 0 on failure
2761  */
2762 int tls_process_cert_status_body(SSL *s, PACKET *pkt)
2763 {
2764     size_t resplen;
2765     unsigned int type;
2766 
2767     if (!PACKET_get_1(pkt, &type)
2768         || type != TLSEXT_STATUSTYPE_ocsp) {
2769         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2770                  SSL_R_UNSUPPORTED_STATUS_TYPE);
2771         return 0;
2772     }
2773     if (!PACKET_get_net_3_len(pkt, &resplen)
2774         || PACKET_remaining(pkt) != resplen) {
2775         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2776                  SSL_R_LENGTH_MISMATCH);
2777         return 0;
2778     }
2779     s->ext.ocsp.resp = OPENSSL_malloc(resplen);
2780     if (s->ext.ocsp.resp == NULL) {
2781         s->ext.ocsp.resp_len = 0;
2782         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2783                  ERR_R_MALLOC_FAILURE);
2784         return 0;
2785     }
2786     s->ext.ocsp.resp_len = resplen;
2787     if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
2788         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_STATUS_BODY,
2789                  SSL_R_LENGTH_MISMATCH);
2790         return 0;
2791     }
2792 
2793     return 1;
2794 }
2795 
2796 
2797 MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
2798 {
2799     if (!tls_process_cert_status_body(s, pkt)) {
2800         /* SSLfatal() already called */
2801         return MSG_PROCESS_ERROR;
2802     }
2803 
2804     return MSG_PROCESS_CONTINUE_READING;
2805 }
2806 
2807 /*
2808  * Perform miscellaneous checks and processing after we have received the
2809  * server's initial flight. In TLS1.3 this is after the Server Finished message.
2810  * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2811  * on failure.
2812  */
2813 int tls_process_initial_server_flight(SSL *s)
2814 {
2815     /*
2816      * at this point we check that we have the required stuff from
2817      * the server
2818      */
2819     if (!ssl3_check_cert_and_algorithm(s)) {
2820         /* SSLfatal() already called */
2821         return 0;
2822     }
2823 
2824     /*
2825      * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2826      * |ext.ocsp.resp_len| values will be set if we actually received a status
2827      * message, or NULL and -1 otherwise
2828      */
2829     if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
2830             && s->ctx->ext.status_cb != NULL) {
2831         int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2832 
2833         if (ret == 0) {
2834             SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,
2835                      SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
2836                      SSL_R_INVALID_STATUS_RESPONSE);
2837             return 0;
2838         }
2839         if (ret < 0) {
2840             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2841                      SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
2842                      SSL_R_OCSP_CALLBACK_FAILURE);
2843             return 0;
2844         }
2845     }
2846 #ifndef OPENSSL_NO_CT
2847     if (s->ct_validation_callback != NULL) {
2848         /* Note we validate the SCTs whether or not we abort on error */
2849         if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) {
2850             /* SSLfatal() already called */
2851             return 0;
2852         }
2853     }
2854 #endif
2855 
2856     return 1;
2857 }
2858 
2859 MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
2860 {
2861     if (PACKET_remaining(pkt) > 0) {
2862         /* should contain no data */
2863         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE,
2864                  SSL_R_LENGTH_MISMATCH);
2865         return MSG_PROCESS_ERROR;
2866     }
2867 #ifndef OPENSSL_NO_SRP
2868     if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
2869         if (SRP_Calc_A_param(s) <= 0) {
2870             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SERVER_DONE,
2871                      SSL_R_SRP_A_CALC);
2872             return MSG_PROCESS_ERROR;
2873         }
2874     }
2875 #endif
2876 
2877     if (!tls_process_initial_server_flight(s)) {
2878         /* SSLfatal() already called */
2879         return MSG_PROCESS_ERROR;
2880     }
2881 
2882     return MSG_PROCESS_FINISHED_READING;
2883 }
2884 
2885 static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)
2886 {
2887 #ifndef OPENSSL_NO_PSK
2888     int ret = 0;
2889     /*
2890      * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2891      * \0-terminated identity. The last byte is for us for simulating
2892      * strnlen.
2893      */
2894     char identity[PSK_MAX_IDENTITY_LEN + 1];
2895     size_t identitylen = 0;
2896     unsigned char psk[PSK_MAX_PSK_LEN];
2897     unsigned char *tmppsk = NULL;
2898     char *tmpidentity = NULL;
2899     size_t psklen = 0;
2900 
2901     if (s->psk_client_callback == NULL) {
2902         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2903                  SSL_R_PSK_NO_CLIENT_CB);
2904         goto err;
2905     }
2906 
2907     memset(identity, 0, sizeof(identity));
2908 
2909     psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2910                                     identity, sizeof(identity) - 1,
2911                                     psk, sizeof(psk));
2912 
2913     if (psklen > PSK_MAX_PSK_LEN) {
2914         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2915                  SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE, ERR_R_INTERNAL_ERROR);
2916         psklen = PSK_MAX_PSK_LEN;   /* Avoid overrunning the array on cleanse */
2917         goto err;
2918     } else if (psklen == 0) {
2919         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
2920                  SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2921                  SSL_R_PSK_IDENTITY_NOT_FOUND);
2922         goto err;
2923     }
2924 
2925     identitylen = strlen(identity);
2926     if (identitylen > PSK_MAX_IDENTITY_LEN) {
2927         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2928                  ERR_R_INTERNAL_ERROR);
2929         goto err;
2930     }
2931 
2932     tmppsk = OPENSSL_memdup(psk, psklen);
2933     tmpidentity = OPENSSL_strdup(identity);
2934     if (tmppsk == NULL || tmpidentity == NULL) {
2935         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2936                  ERR_R_MALLOC_FAILURE);
2937         goto err;
2938     }
2939 
2940     OPENSSL_free(s->s3->tmp.psk);
2941     s->s3->tmp.psk = tmppsk;
2942     s->s3->tmp.psklen = psklen;
2943     tmppsk = NULL;
2944     OPENSSL_free(s->session->psk_identity);
2945     s->session->psk_identity = tmpidentity;
2946     tmpidentity = NULL;
2947 
2948     if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen))  {
2949         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2950                  ERR_R_INTERNAL_ERROR);
2951         goto err;
2952     }
2953 
2954     ret = 1;
2955 
2956  err:
2957     OPENSSL_cleanse(psk, psklen);
2958     OPENSSL_cleanse(identity, sizeof(identity));
2959     OPENSSL_clear_free(tmppsk, psklen);
2960     OPENSSL_clear_free(tmpidentity, identitylen);
2961 
2962     return ret;
2963 #else
2964     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_PSK_PREAMBLE,
2965              ERR_R_INTERNAL_ERROR);
2966     return 0;
2967 #endif
2968 }
2969 
2970 static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
2971 {
2972 #ifndef OPENSSL_NO_RSA
2973     unsigned char *encdata = NULL;
2974     EVP_PKEY *pkey = NULL;
2975     EVP_PKEY_CTX *pctx = NULL;
2976     size_t enclen;
2977     unsigned char *pms = NULL;
2978     size_t pmslen = 0;
2979 
2980     if (s->session->peer == NULL) {
2981         /*
2982          * We should always have a server certificate with SSL_kRSA.
2983          */
2984         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2985                  ERR_R_INTERNAL_ERROR);
2986         return 0;
2987     }
2988 
2989     pkey = X509_get0_pubkey(s->session->peer);
2990     if (EVP_PKEY_get0_RSA(pkey) == NULL) {
2991         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
2992                  ERR_R_INTERNAL_ERROR);
2993         return 0;
2994     }
2995 
2996     pmslen = SSL_MAX_MASTER_KEY_LENGTH;
2997     pms = OPENSSL_malloc(pmslen);
2998     if (pms == NULL) {
2999         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
3000                  ERR_R_MALLOC_FAILURE);
3001         return 0;
3002     }
3003 
3004     pms[0] = s->client_version >> 8;
3005     pms[1] = s->client_version & 0xff;
3006     /* TODO(size_t): Convert this function */
3007     if (RAND_bytes(pms + 2, (int)(pmslen - 2)) <= 0) {
3008         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
3009                  ERR_R_MALLOC_FAILURE);
3010         goto err;
3011     }
3012 
3013     /* Fix buf for TLS and beyond */
3014     if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) {
3015         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
3016                  ERR_R_INTERNAL_ERROR);
3017         goto err;
3018     }
3019     pctx = EVP_PKEY_CTX_new(pkey, NULL);
3020     if (pctx == NULL || EVP_PKEY_encrypt_init(pctx) <= 0
3021         || EVP_PKEY_encrypt(pctx, NULL, &enclen, pms, pmslen) <= 0) {
3022         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
3023                  ERR_R_EVP_LIB);
3024         goto err;
3025     }
3026     if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
3027             || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
3028         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
3029                  SSL_R_BAD_RSA_ENCRYPT);
3030         goto err;
3031     }
3032     EVP_PKEY_CTX_free(pctx);
3033     pctx = NULL;
3034 
3035     /* Fix buf for TLS and beyond */
3036     if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {
3037         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
3038                  ERR_R_INTERNAL_ERROR);
3039         goto err;
3040     }
3041 
3042     /* Log the premaster secret, if logging is enabled. */
3043     if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
3044         /* SSLfatal() already called */
3045         goto err;
3046     }
3047 
3048     s->s3->tmp.pms = pms;
3049     s->s3->tmp.pmslen = pmslen;
3050 
3051     return 1;
3052  err:
3053     OPENSSL_clear_free(pms, pmslen);
3054     EVP_PKEY_CTX_free(pctx);
3055 
3056     return 0;
3057 #else
3058     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_RSA,
3059              ERR_R_INTERNAL_ERROR);
3060     return 0;
3061 #endif
3062 }
3063 
3064 static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
3065 {
3066 #ifndef OPENSSL_NO_DH
3067     DH *dh_clnt = NULL;
3068     const BIGNUM *pub_key;
3069     EVP_PKEY *ckey = NULL, *skey = NULL;
3070     unsigned char *keybytes = NULL;
3071 
3072     skey = s->s3->peer_tmp;
3073     if (skey == NULL) {
3074         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
3075                  ERR_R_INTERNAL_ERROR);
3076         goto err;
3077     }
3078 
3079     ckey = ssl_generate_pkey(skey);
3080     if (ckey == NULL) {
3081         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
3082                  ERR_R_INTERNAL_ERROR);
3083         goto err;
3084     }
3085 
3086     dh_clnt = EVP_PKEY_get0_DH(ckey);
3087 
3088     if (dh_clnt == NULL) {
3089         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
3090                  ERR_R_INTERNAL_ERROR);
3091         goto err;
3092     }
3093 
3094     if (ssl_derive(s, ckey, skey, 0) == 0) {
3095         /* SSLfatal() already called */
3096         goto err;
3097     }
3098 
3099     /* send off the data */
3100     DH_get0_key(dh_clnt, &pub_key, NULL);
3101     if (!WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(pub_key),
3102                                         &keybytes)) {
3103         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
3104                  ERR_R_INTERNAL_ERROR);
3105         goto err;
3106     }
3107 
3108     BN_bn2bin(pub_key, keybytes);
3109     EVP_PKEY_free(ckey);
3110 
3111     return 1;
3112  err:
3113     EVP_PKEY_free(ckey);
3114     return 0;
3115 #else
3116     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_DHE,
3117              ERR_R_INTERNAL_ERROR);
3118     return 0;
3119 #endif
3120 }
3121 
3122 static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt)
3123 {
3124 #ifndef OPENSSL_NO_EC
3125     unsigned char *encodedPoint = NULL;
3126     size_t encoded_pt_len = 0;
3127     EVP_PKEY *ckey = NULL, *skey = NULL;
3128     int ret = 0;
3129 
3130     skey = s->s3->peer_tmp;
3131     if (skey == NULL) {
3132         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3133                  ERR_R_INTERNAL_ERROR);
3134         return 0;
3135     }
3136 
3137     ckey = ssl_generate_pkey(skey);
3138     if (ckey == NULL) {
3139         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3140                  ERR_R_MALLOC_FAILURE);
3141         goto err;
3142     }
3143 
3144     if (ssl_derive(s, ckey, skey, 0) == 0) {
3145         /* SSLfatal() already called */
3146         goto err;
3147     }
3148 
3149     /* Generate encoding of client key */
3150     encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(ckey, &encodedPoint);
3151 
3152     if (encoded_pt_len == 0) {
3153         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3154                  ERR_R_EC_LIB);
3155         goto err;
3156     }
3157 
3158     if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)) {
3159         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3160                  ERR_R_INTERNAL_ERROR);
3161         goto err;
3162     }
3163 
3164     ret = 1;
3165  err:
3166     OPENSSL_free(encodedPoint);
3167     EVP_PKEY_free(ckey);
3168     return ret;
3169 #else
3170     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_ECDHE,
3171              ERR_R_INTERNAL_ERROR);
3172     return 0;
3173 #endif
3174 }
3175 
3176 static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
3177 {
3178 #ifndef OPENSSL_NO_GOST
3179     /* GOST key exchange message creation */
3180     EVP_PKEY_CTX *pkey_ctx = NULL;
3181     X509 *peer_cert;
3182     size_t msglen;
3183     unsigned int md_len;
3184     unsigned char shared_ukm[32], tmp[256];
3185     EVP_MD_CTX *ukm_hash = NULL;
3186     int dgst_nid = NID_id_GostR3411_94;
3187     unsigned char *pms = NULL;
3188     size_t pmslen = 0;
3189 
3190     if ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0)
3191         dgst_nid = NID_id_GostR3411_2012_256;
3192 
3193     /*
3194      * Get server certificate PKEY and create ctx from it
3195      */
3196     peer_cert = s->session->peer;
3197     if (!peer_cert) {
3198         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3199                SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER);
3200         return 0;
3201     }
3202 
3203     pkey_ctx = EVP_PKEY_CTX_new(X509_get0_pubkey(peer_cert), NULL);
3204     if (pkey_ctx == NULL) {
3205         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3206                  ERR_R_MALLOC_FAILURE);
3207         return 0;
3208     }
3209     /*
3210      * If we have send a certificate, and certificate key
3211      * parameters match those of server certificate, use
3212      * certificate key for key exchange
3213      */
3214 
3215     /* Otherwise, generate ephemeral key pair */
3216     pmslen = 32;
3217     pms = OPENSSL_malloc(pmslen);
3218     if (pms == NULL) {
3219         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3220                  ERR_R_MALLOC_FAILURE);
3221         goto err;
3222     }
3223 
3224     if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
3225         /* Generate session key
3226          * TODO(size_t): Convert this function
3227          */
3228         || RAND_bytes(pms, (int)pmslen) <= 0) {
3229         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3230                  ERR_R_INTERNAL_ERROR);
3231         goto err;
3232     };
3233     /*
3234      * Compute shared IV and store it in algorithm-specific context
3235      * data
3236      */
3237     ukm_hash = EVP_MD_CTX_new();
3238     if (ukm_hash == NULL
3239         || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)) <= 0
3240         || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
3241                             SSL3_RANDOM_SIZE) <= 0
3242         || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
3243                             SSL3_RANDOM_SIZE) <= 0
3244         || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
3245         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3246                  ERR_R_INTERNAL_ERROR);
3247         goto err;
3248     }
3249     EVP_MD_CTX_free(ukm_hash);
3250     ukm_hash = NULL;
3251     if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT,
3252                           EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) {
3253         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3254                  SSL_R_LIBRARY_BUG);
3255         goto err;
3256     }
3257     /* Make GOST keytransport blob message */
3258     /*
3259      * Encapsulate it into sequence
3260      */
3261     msglen = 255;
3262     if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
3263         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3264                  SSL_R_LIBRARY_BUG);
3265         goto err;
3266     }
3267 
3268     if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)
3269             || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81))
3270             || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)) {
3271         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3272                  ERR_R_INTERNAL_ERROR);
3273         goto err;
3274     }
3275 
3276     EVP_PKEY_CTX_free(pkey_ctx);
3277     s->s3->tmp.pms = pms;
3278     s->s3->tmp.pmslen = pmslen;
3279 
3280     return 1;
3281  err:
3282     EVP_PKEY_CTX_free(pkey_ctx);
3283     OPENSSL_clear_free(pms, pmslen);
3284     EVP_MD_CTX_free(ukm_hash);
3285     return 0;
3286 #else
3287     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_GOST,
3288              ERR_R_INTERNAL_ERROR);
3289     return 0;
3290 #endif
3291 }
3292 
3293 static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
3294 {
3295 #ifndef OPENSSL_NO_SRP
3296     unsigned char *abytes = NULL;
3297 
3298     if (s->srp_ctx.A == NULL
3299             || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),
3300                                                &abytes)) {
3301         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP,
3302                  ERR_R_INTERNAL_ERROR);
3303         return 0;
3304     }
3305     BN_bn2bin(s->srp_ctx.A, abytes);
3306 
3307     OPENSSL_free(s->session->srp_username);
3308     s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login);
3309     if (s->session->srp_username == NULL) {
3310         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP,
3311                  ERR_R_MALLOC_FAILURE);
3312         return 0;
3313     }
3314 
3315     return 1;
3316 #else
3317     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CKE_SRP,
3318              ERR_R_INTERNAL_ERROR);
3319     return 0;
3320 #endif
3321 }
3322 
3323 int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
3324 {
3325     unsigned long alg_k;
3326 
3327     alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3328 
3329     /*
3330      * All of the construct functions below call SSLfatal() if necessary so
3331      * no need to do so here.
3332      */
3333     if ((alg_k & SSL_PSK)
3334         && !tls_construct_cke_psk_preamble(s, pkt))
3335         goto err;
3336 
3337     if (alg_k & (SSL_kRSA | SSL_kRSAPSK)) {
3338         if (!tls_construct_cke_rsa(s, pkt))
3339             goto err;
3340     } else if (alg_k & (SSL_kDHE | SSL_kDHEPSK)) {
3341         if (!tls_construct_cke_dhe(s, pkt))
3342             goto err;
3343     } else if (alg_k & (SSL_kECDHE | SSL_kECDHEPSK)) {
3344         if (!tls_construct_cke_ecdhe(s, pkt))
3345             goto err;
3346     } else if (alg_k & SSL_kGOST) {
3347         if (!tls_construct_cke_gost(s, pkt))
3348             goto err;
3349     } else if (alg_k & SSL_kSRP) {
3350         if (!tls_construct_cke_srp(s, pkt))
3351             goto err;
3352     } else if (!(alg_k & SSL_kPSK)) {
3353         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3354                  SSL_F_TLS_CONSTRUCT_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
3355         goto err;
3356     }
3357 
3358     return 1;
3359  err:
3360     OPENSSL_clear_free(s->s3->tmp.pms, s->s3->tmp.pmslen);
3361     s->s3->tmp.pms = NULL;
3362     s->s3->tmp.pmslen = 0;
3363 #ifndef OPENSSL_NO_PSK
3364     OPENSSL_clear_free(s->s3->tmp.psk, s->s3->tmp.psklen);
3365     s->s3->tmp.psk = NULL;
3366     s->s3->tmp.psklen = 0;
3367 #endif
3368     return 0;
3369 }
3370 
3371 int tls_client_key_exchange_post_work(SSL *s)
3372 {
3373     unsigned char *pms = NULL;
3374     size_t pmslen = 0;
3375 
3376     pms = s->s3->tmp.pms;
3377     pmslen = s->s3->tmp.pmslen;
3378 
3379 #ifndef OPENSSL_NO_SRP
3380     /* Check for SRP */
3381     if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
3382         if (!srp_generate_client_master_secret(s)) {
3383             /* SSLfatal() already called */
3384             goto err;
3385         }
3386         return 1;
3387     }
3388 #endif
3389 
3390     if (pms == NULL && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) {
3391         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3392                  SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK, ERR_R_MALLOC_FAILURE);
3393         goto err;
3394     }
3395     if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
3396         /* SSLfatal() already called */
3397         /* ssl_generate_master_secret frees the pms even on error */
3398         pms = NULL;
3399         pmslen = 0;
3400         goto err;
3401     }
3402     pms = NULL;
3403     pmslen = 0;
3404 
3405 #ifndef OPENSSL_NO_SCTP
3406     if (SSL_IS_DTLS(s)) {
3407         unsigned char sctpauthkey[64];
3408         char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3409         size_t labellen;
3410 
3411         /*
3412          * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3413          * used.
3414          */
3415         memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3416                sizeof(DTLS1_SCTP_AUTH_LABEL));
3417 
3418         /* Don't include the terminating zero. */
3419         labellen = sizeof(labelbuffer) - 1;
3420         if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)
3421             labellen += 1;
3422 
3423         if (SSL_export_keying_material(s, sctpauthkey,
3424                                        sizeof(sctpauthkey), labelbuffer,
3425                                        labellen, NULL, 0, 0) <= 0) {
3426             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3427                      SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK,
3428                      ERR_R_INTERNAL_ERROR);
3429             goto err;
3430         }
3431 
3432         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3433                  sizeof(sctpauthkey), sctpauthkey);
3434     }
3435 #endif
3436 
3437     return 1;
3438  err:
3439     OPENSSL_clear_free(pms, pmslen);
3440     s->s3->tmp.pms = NULL;
3441     s->s3->tmp.pmslen = 0;
3442     return 0;
3443 }
3444 
3445 /*
3446  * Check a certificate can be used for client authentication. Currently check
3447  * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3448  * certificates can be used and optionally checks suitability for Suite B.
3449  */
3450 static int ssl3_check_client_certificate(SSL *s)
3451 {
3452     /* If no suitable signature algorithm can't use certificate */
3453     if (!tls_choose_sigalg(s, 0) || s->s3->tmp.sigalg == NULL)
3454         return 0;
3455     /*
3456      * If strict mode check suitability of chain before using it. This also
3457      * adjusts suite B digest if necessary.
3458      */
3459     if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT &&
3460         !tls1_check_chain(s, NULL, NULL, NULL, -2))
3461         return 0;
3462     return 1;
3463 }
3464 
3465 WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
3466 {
3467     X509 *x509 = NULL;
3468     EVP_PKEY *pkey = NULL;
3469     int i;
3470 
3471     if (wst == WORK_MORE_A) {
3472         /* Let cert callback update client certificates if required */
3473         if (s->cert->cert_cb) {
3474             i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
3475             if (i < 0) {
3476                 s->rwstate = SSL_X509_LOOKUP;
3477                 return WORK_MORE_A;
3478             }
3479             if (i == 0) {
3480                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3481                          SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
3482                          SSL_R_CALLBACK_FAILED);
3483                 return WORK_ERROR;
3484             }
3485             s->rwstate = SSL_NOTHING;
3486         }
3487         if (ssl3_check_client_certificate(s)) {
3488             if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
3489                 return WORK_FINISHED_STOP;
3490             }
3491             return WORK_FINISHED_CONTINUE;
3492         }
3493 
3494         /* Fall through to WORK_MORE_B */
3495         wst = WORK_MORE_B;
3496     }
3497 
3498     /* We need to get a client cert */
3499     if (wst == WORK_MORE_B) {
3500         /*
3501          * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3502          * return(-1); We then get retied later
3503          */
3504         i = ssl_do_client_cert_cb(s, &x509, &pkey);
3505         if (i < 0) {
3506             s->rwstate = SSL_X509_LOOKUP;
3507             return WORK_MORE_B;
3508         }
3509         s->rwstate = SSL_NOTHING;
3510         if ((i == 1) && (pkey != NULL) && (x509 != NULL)) {
3511             if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
3512                 i = 0;
3513         } else if (i == 1) {
3514             i = 0;
3515             SSLerr(SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
3516                    SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
3517         }
3518 
3519         X509_free(x509);
3520         EVP_PKEY_free(pkey);
3521         if (i && !ssl3_check_client_certificate(s))
3522             i = 0;
3523         if (i == 0) {
3524             if (s->version == SSL3_VERSION) {
3525                 s->s3->tmp.cert_req = 0;
3526                 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE);
3527                 return WORK_FINISHED_CONTINUE;
3528             } else {
3529                 s->s3->tmp.cert_req = 2;
3530                 if (!ssl3_digest_cached_records(s, 0)) {
3531                     /* SSLfatal() already called */
3532                     return WORK_ERROR;
3533                 }
3534             }
3535         }
3536 
3537         if (s->post_handshake_auth == SSL_PHA_REQUESTED)
3538             return WORK_FINISHED_STOP;
3539         return WORK_FINISHED_CONTINUE;
3540     }
3541 
3542     /* Shouldn't ever get here */
3543     SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PREPARE_CLIENT_CERTIFICATE,
3544              ERR_R_INTERNAL_ERROR);
3545     return WORK_ERROR;
3546 }
3547 
3548 int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
3549 {
3550     if (SSL_IS_TLS13(s)) {
3551         if (s->pha_context == NULL) {
3552             /* no context available, add 0-length context */
3553             if (!WPACKET_put_bytes_u8(pkt, 0)) {
3554                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3555                          SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3556                 return 0;
3557             }
3558         } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) {
3559             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3560                      SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
3561             return 0;
3562         }
3563     }
3564     if (!ssl3_output_cert_chain(s, pkt,
3565                                 (s->s3->tmp.cert_req == 2) ? NULL
3566                                                            : s->cert->key)) {
3567         /* SSLfatal() already called */
3568         return 0;
3569     }
3570 
3571     if (SSL_IS_TLS13(s)
3572             && SSL_IS_FIRST_HANDSHAKE(s)
3573             && (!s->method->ssl3_enc->change_cipher_state(s,
3574                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {
3575         /*
3576          * This is a fatal error, which leaves enc_write_ctx in an inconsistent
3577          * state and thus ssl3_send_alert may crash.
3578          */
3579         SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_TLS_CONSTRUCT_CLIENT_CERTIFICATE,
3580                  SSL_R_CANNOT_CHANGE_CIPHER);
3581         return 0;
3582     }
3583 
3584     return 1;
3585 }
3586 
3587 int ssl3_check_cert_and_algorithm(SSL *s)
3588 {
3589     const SSL_CERT_LOOKUP *clu;
3590     size_t idx;
3591     long alg_k, alg_a;
3592 
3593     alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
3594     alg_a = s->s3->tmp.new_cipher->algorithm_auth;
3595 
3596     /* we don't have a certificate */
3597     if (!(alg_a & SSL_aCERT))
3598         return 1;
3599 
3600     /* This is the passed certificate */
3601     clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
3602 
3603     /* Check certificate is recognised and suitable for cipher */
3604     if (clu == NULL || (alg_a & clu->amask) == 0) {
3605         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3606                  SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3607                  SSL_R_MISSING_SIGNING_CERT);
3608         return 0;
3609     }
3610 
3611 #ifndef OPENSSL_NO_EC
3612     if (clu->amask & SSL_aECDSA) {
3613         if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
3614             return 1;
3615         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3616                  SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_BAD_ECC_CERT);
3617         return 0;
3618     }
3619 #endif
3620 #ifndef OPENSSL_NO_RSA
3621     if (alg_k & (SSL_kRSA | SSL_kRSAPSK) && idx != SSL_PKEY_RSA) {
3622         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,
3623                  SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3624                  SSL_R_MISSING_RSA_ENCRYPTING_CERT);
3625         return 0;
3626     }
3627 #endif
3628 #ifndef OPENSSL_NO_DH
3629     if ((alg_k & SSL_kDHE) && (s->s3->peer_tmp == NULL)) {
3630         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
3631                  ERR_R_INTERNAL_ERROR);
3632         return 0;
3633     }
3634 #endif
3635 
3636     return 1;
3637 }
3638 
3639 #ifndef OPENSSL_NO_NEXTPROTONEG
3640 int tls_construct_next_proto(SSL *s, WPACKET *pkt)
3641 {
3642     size_t len, padding_len;
3643     unsigned char *padding = NULL;
3644 
3645     len = s->ext.npn_len;
3646     padding_len = 32 - ((len + 2) % 32);
3647 
3648     if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
3649             || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
3650         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_NEXT_PROTO,
3651                  ERR_R_INTERNAL_ERROR);
3652         return 0;
3653     }
3654 
3655     memset(padding, 0, padding_len);
3656 
3657     return 1;
3658 }
3659 #endif
3660 
3661 MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
3662 {
3663     if (PACKET_remaining(pkt) > 0) {
3664         /* should contain no data */
3665         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_HELLO_REQ,
3666                  SSL_R_LENGTH_MISMATCH);
3667         return MSG_PROCESS_ERROR;
3668     }
3669 
3670     if ((s->options & SSL_OP_NO_RENEGOTIATION)) {
3671         ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION);
3672         return MSG_PROCESS_FINISHED_READING;
3673     }
3674 
3675     /*
3676      * This is a historical discrepancy (not in the RFC) maintained for
3677      * compatibility reasons. If a TLS client receives a HelloRequest it will
3678      * attempt an abbreviated handshake. However if a DTLS client receives a
3679      * HelloRequest it will do a full handshake. Either behaviour is reasonable
3680      * but doing one for TLS and another for DTLS is odd.
3681      */
3682     if (SSL_IS_DTLS(s))
3683         SSL_renegotiate(s);
3684     else
3685         SSL_renegotiate_abbreviated(s);
3686 
3687     return MSG_PROCESS_FINISHED_READING;
3688 }
3689 
3690 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
3691 {
3692     PACKET extensions;
3693     RAW_EXTENSION *rawexts = NULL;
3694 
3695     if (!PACKET_as_length_prefixed_2(pkt, &extensions)
3696             || PACKET_remaining(pkt) != 0) {
3697         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_ENCRYPTED_EXTENSIONS,
3698                  SSL_R_LENGTH_MISMATCH);
3699         goto err;
3700     }
3701 
3702     if (!tls_collect_extensions(s, &extensions,
3703                                 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, &rawexts,
3704                                 NULL, 1)
3705             || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS,
3706                                          rawexts, NULL, 0, 1)) {
3707         /* SSLfatal() already called */
3708         goto err;
3709     }
3710 
3711     OPENSSL_free(rawexts);
3712     return MSG_PROCESS_CONTINUE_READING;
3713 
3714  err:
3715     OPENSSL_free(rawexts);
3716     return MSG_PROCESS_ERROR;
3717 }
3718 
3719 int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3720 {
3721     int i = 0;
3722 #ifndef OPENSSL_NO_ENGINE
3723     if (s->ctx->client_cert_engine) {
3724         i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
3725                                         SSL_get_client_CA_list(s),
3726                                         px509, ppkey, NULL, NULL, NULL);
3727         if (i != 0)
3728             return i;
3729     }
3730 #endif
3731     if (s->ctx->client_cert_cb)
3732         i = s->ctx->client_cert_cb(s, px509, ppkey);
3733     return i;
3734 }
3735 
3736 int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
3737 {
3738     int i;
3739     size_t totlen = 0, len, maxlen, maxverok = 0;
3740     int empty_reneg_info_scsv = !s->renegotiate;
3741 
3742     /* Set disabled masks for this session */
3743     if (!ssl_set_client_disabled(s)) {
3744         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
3745                  SSL_R_NO_PROTOCOLS_AVAILABLE);
3746         return 0;
3747     }
3748 
3749     if (sk == NULL) {
3750         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
3751                  ERR_R_INTERNAL_ERROR);
3752         return 0;
3753     }
3754 
3755 #ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
3756 # if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
3757 #  error Max cipher length too short
3758 # endif
3759     /*
3760      * Some servers hang if client hello > 256 bytes as hack workaround
3761      * chop number of supported ciphers to keep it well below this if we
3762      * use TLS v1.2
3763      */
3764     if (TLS1_get_version(s) >= TLS1_2_VERSION)
3765         maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
3766     else
3767 #endif
3768         /* Maximum length that can be stored in 2 bytes. Length must be even */
3769         maxlen = 0xfffe;
3770 
3771     if (empty_reneg_info_scsv)
3772         maxlen -= 2;
3773     if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
3774         maxlen -= 2;
3775 
3776     for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
3777         const SSL_CIPHER *c;
3778 
3779         c = sk_SSL_CIPHER_value(sk, i);
3780         /* Skip disabled ciphers */
3781         if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0))
3782             continue;
3783 
3784         if (!s->method->put_cipher_by_char(c, pkt, &len)) {
3785             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
3786                      ERR_R_INTERNAL_ERROR);
3787             return 0;
3788         }
3789 
3790         /* Sanity check that the maximum version we offer has ciphers enabled */
3791         if (!maxverok) {
3792             if (SSL_IS_DTLS(s)) {
3793                 if (DTLS_VERSION_GE(c->max_dtls, s->s3->tmp.max_ver)
3794                         && DTLS_VERSION_LE(c->min_dtls, s->s3->tmp.max_ver))
3795                     maxverok = 1;
3796             } else {
3797                 if (c->max_tls >= s->s3->tmp.max_ver
3798                         && c->min_tls <= s->s3->tmp.max_ver)
3799                     maxverok = 1;
3800             }
3801         }
3802 
3803         totlen += len;
3804     }
3805 
3806     if (totlen == 0 || !maxverok) {
3807         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_CIPHER_LIST_TO_BYTES,
3808                  SSL_R_NO_CIPHERS_AVAILABLE);
3809 
3810         if (!maxverok)
3811             ERR_add_error_data(1, "No ciphers enabled for max supported "
3812                                   "SSL/TLS version");
3813 
3814         return 0;
3815     }
3816 
3817     if (totlen != 0) {
3818         if (empty_reneg_info_scsv) {
3819             static SSL_CIPHER scsv = {
3820                 0, NULL, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3821             };
3822             if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3823                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3824                          SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3825                 return 0;
3826             }
3827         }
3828         if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
3829             static SSL_CIPHER scsv = {
3830                 0, NULL, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
3831             };
3832             if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3833                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3834                          SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
3835                 return 0;
3836             }
3837         }
3838     }
3839 
3840     return 1;
3841 }
3842 
3843 int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt)
3844 {
3845     if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
3846             && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
3847         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
3848                  SSL_F_TLS_CONSTRUCT_END_OF_EARLY_DATA,
3849                  ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
3850         return 0;
3851     }
3852 
3853     s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
3854     return 1;
3855 }
3856