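Lines matching references to `s` (each entry gives the source line number, the matching line, and then the enclosing function; lines between matches are not shown)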

32 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s,
34 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s,
37 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s);
38 static int key_exchange_expected(SSL_CONNECTION *s);
39 static int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk,
54 static ossl_inline int cert_req_allowed(SSL_CONNECTION *s) in cert_req_allowed() argument
57 if ((s->version > SSL3_VERSION in cert_req_allowed()
58 && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL)) in cert_req_allowed()
59 || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP | SSL_aPSK))) in cert_req_allowed()
72 static int key_exchange_expected(SSL_CONNECTION *s) in key_exchange_expected() argument
74 long alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in key_exchange_expected()
97 static int ossl_statem_client13_read_transition(SSL_CONNECTION *s, int mt) in ossl_statem_client13_read_transition() argument
99 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_read_transition()
130 if (s->hit) { in ossl_statem_client13_read_transition()
146 && s->ext.compress_certificate_sent) { in ossl_statem_client13_read_transition()
161 && s->ext.compress_certificate_sent) { in ossl_statem_client13_read_transition()
188 if (mt == SSL3_MT_KEY_UPDATE && !SSL_IS_QUIC_HANDSHAKE(s)) { in ossl_statem_client13_read_transition()
197 if (!SSL_CONNECTION_IS_DTLS(s) in ossl_statem_client13_read_transition()
198 && s->post_handshake_auth == SSL_PHA_EXT_SENT) { in ossl_statem_client13_read_transition()
199 s->post_handshake_auth = SSL_PHA_REQUESTED; in ossl_statem_client13_read_transition()
206 if (!tls13_restore_handshake_digest_for_pha(s)) { in ossl_statem_client13_read_transition()
230 int ossl_statem_client_read_transition(SSL_CONNECTION *s, int mt) in ossl_statem_client_read_transition() argument
232 OSSL_STATEM *st = &s->statem; in ossl_statem_client_read_transition()
239 if (SSL_CONNECTION_IS_TLS13(s)) { in ossl_statem_client_read_transition()
240 if (!ossl_statem_client13_read_transition(s, mt)) in ossl_statem_client_read_transition()
255 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_read_transition()
276 if (s->hit) { in ossl_statem_client_read_transition()
277 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
287 if (SSL_CONNECTION_IS_DTLS(s) in ossl_statem_client_read_transition()
291 } else if (s->version >= TLS1_VERSION in ossl_statem_client_read_transition()
292 && s->ext.session_secret_cb != NULL in ossl_statem_client_read_transition()
293 && s->session->ext.tick != NULL in ossl_statem_client_read_transition()
301 s->hit = 1; in ossl_statem_client_read_transition()
304 } else if (!(s->s3.tmp.new_cipher->algorithm_auth in ossl_statem_client_read_transition()
311 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
314 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
321 && cert_req_allowed(s)) { in ossl_statem_client_read_transition()
338 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) { in ossl_statem_client_read_transition()
345 ske_expected = key_exchange_expected(s); in ossl_statem_client_read_transition()
347 if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK) in ossl_statem_client_read_transition()
359 if (cert_req_allowed(s)) { in ossl_statem_client_read_transition()
375 if (s->ext.ticket_expected) { in ossl_statem_client_read_transition()
410 if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { in ossl_statem_client_read_transition()
417 s->init_num = 0; in ossl_statem_client_read_transition()
418 s->rwstate = SSL_READING; in ossl_statem_client_read_transition()
419 rbio = SSL_get_rbio(SSL_CONNECTION_GET_SSL(s)); in ossl_statem_client_read_transition()
424 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in ossl_statem_client_read_transition()
440 static WRITE_TRAN ossl_statem_client13_write_transition(SSL_CONNECTION *s) in ossl_statem_client13_write_transition() argument
442 OSSL_STATEM *st = &s->statem; in ossl_statem_client13_write_transition()
452 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
456 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in ossl_statem_client13_write_transition()
457 if (do_compressed_cert(s)) in ossl_statem_client13_write_transition()
467 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)) { in ossl_statem_client13_write_transition()
469 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client13_write_transition()
476 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY in ossl_statem_client13_write_transition()
477 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client13_write_transition()
479 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client13_write_transition()
480 && s->hello_retry_request == SSL_HRR_NONE) in ossl_statem_client13_write_transition()
482 else if (s->s3.tmp.cert_req == 0) in ossl_statem_client13_write_transition()
484 else if (do_compressed_cert(s)) in ossl_statem_client13_write_transition()
489 s->ts_msg_read = ossl_time_now(); in ossl_statem_client13_write_transition()
493 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED) { in ossl_statem_client13_write_transition()
501 if (s->s3.tmp.cert_req == 0) in ossl_statem_client13_write_transition()
503 else if (do_compressed_cert(s)) in ossl_statem_client13_write_transition()
512 st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY in ossl_statem_client13_write_transition()
528 if (s->key_update != SSL_KEY_UPDATE_NONE) { in ossl_statem_client13_write_transition()
542 WRITE_TRAN ossl_statem_client_write_transition(SSL_CONNECTION *s) in ossl_statem_client_write_transition() argument
544 OSSL_STATEM *st = &s->statem; in ossl_statem_client_write_transition()
551 if (SSL_CONNECTION_IS_TLS13(s)) in ossl_statem_client_write_transition()
552 return ossl_statem_client13_write_transition(s); in ossl_statem_client_write_transition()
557 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_write_transition()
561 if (!s->renegotiate) { in ossl_statem_client_write_transition()
575 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { in ossl_statem_client_write_transition()
580 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) in ossl_statem_client_write_transition()
590 s->ts_msg_write = ossl_time_now(); in ossl_statem_client_write_transition()
599 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 in ossl_statem_client_write_transition()
600 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) in ossl_statem_client_write_transition()
607 s->ts_msg_write = ossl_time_now(); in ossl_statem_client_write_transition()
615 s->ts_msg_read = ossl_time_now(); in ossl_statem_client_write_transition()
616 if (s->s3.tmp.cert_req) in ossl_statem_client_write_transition()
637 if (s->s3.tmp.cert_req == 1) { in ossl_statem_client_write_transition()
642 if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { in ossl_statem_client_write_transition()
652 if (s->hello_retry_request == SSL_HRR_PENDING) { in ossl_statem_client_write_transition()
654 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) { in ossl_statem_client_write_transition()
660 if (!SSL_CONNECTION_IS_DTLS(s) && s->s3.npn_seen) in ossl_statem_client_write_transition()
675 if (s->hit) { in ossl_statem_client_write_transition()
683 if (s->hit) { in ossl_statem_client_write_transition()
696 if (ssl3_renegotiate_check(SSL_CONNECTION_GET_SSL(s), 1)) { in ossl_statem_client_write_transition()
697 if (!tls_setup_handshake(s)) { in ossl_statem_client_write_transition()
713 WORK_STATE ossl_statem_client_pre_work(SSL_CONNECTION *s, WORK_STATE wst) in ossl_statem_client_pre_work() argument
715 OSSL_STATEM *st = &s->statem; in ossl_statem_client_pre_work()
723 s->shutdown = 0; in ossl_statem_client_pre_work()
724 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_pre_work()
726 if (!ssl3_init_finished_mac(s)) { in ossl_statem_client_pre_work()
730 } else if (s->ext.early_data == SSL_EARLY_DATA_REJECTED) { in ossl_statem_client_pre_work()
737 if (!ssl_set_new_record_layer(s, in ossl_statem_client_pre_work()
751 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_pre_work()
752 if (s->hit) { in ossl_statem_client_pre_work()
760 if (BIO_dgram_is_sctp(SSL_get_wbio(SSL_CONNECTION_GET_SSL(s)))) { in ossl_statem_client_pre_work()
762 return dtls_wait_for_dry(s); in ossl_statem_client_pre_work()
774 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING in ossl_statem_client_pre_work()
775 || s->early_data_state == SSL_EARLY_DATA_NONE) in ossl_statem_client_pre_work()
780 return tls_finish_handshake(s, wst, 0, 1); in ossl_statem_client_pre_work()
784 return tls_finish_handshake(s, wst, 1, 1); in ossl_statem_client_pre_work()
794 WORK_STATE ossl_statem_client_post_work(SSL_CONNECTION *s, WORK_STATE wst) in ossl_statem_client_post_work() argument
796 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_work()
797 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in ossl_statem_client_post_work()
799 s->init_num = 0; in ossl_statem_client_post_work()
807 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
808 && s->max_early_data > 0) { in ossl_statem_client_post_work()
814 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0) { in ossl_statem_client_post_work()
815 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
822 } else if (!statem_flush(s)) { in ossl_statem_client_post_work()
826 if (SSL_CONNECTION_IS_DTLS(s)) { in ossl_statem_client_post_work()
828 s->first_packet = 1; in ossl_statem_client_post_work()
833 if (tls_client_key_exchange_post_work(s) == 0) { in ossl_statem_client_post_work()
840 if (SSL_CONNECTION_IS_TLS13(s) in ossl_statem_client_post_work()
841 || s->hello_retry_request == SSL_HRR_PENDING) in ossl_statem_client_post_work()
843 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in ossl_statem_client_post_work()
844 && s->max_early_data > 0) { in ossl_statem_client_post_work()
850 if (!tls13_change_cipher_state(s, in ossl_statem_client_post_work()
855 s->session->cipher = s->s3.tmp.new_cipher; in ossl_statem_client_post_work()
857 s->session->compress_meth = 0; in ossl_statem_client_post_work()
859 if (s->s3.tmp.new_compression == NULL) in ossl_statem_client_post_work()
860 s->session->compress_meth = 0; in ossl_statem_client_post_work()
862 s->session->compress_meth = s->s3.tmp.new_compression->id; in ossl_statem_client_post_work()
864 if (!ssl->method->ssl3_enc->setup_key_block(s)) { in ossl_statem_client_post_work()
869 if (!ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
876 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { in ossl_statem_client_post_work()
889 if (wst == WORK_MORE_A && SSL_CONNECTION_IS_DTLS(s) && s->hit == 0) { in ossl_statem_client_post_work()
898 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
901 if (SSL_CONNECTION_IS_TLS13(s)) { in ossl_statem_client_post_work()
902 if (!tls13_save_handshake_digest_for_pha(s)) { in ossl_statem_client_post_work()
906 if (s->post_handshake_auth != SSL_PHA_REQUESTED) { in ossl_statem_client_post_work()
907 if (!ssl->method->ssl3_enc->change_cipher_state(s, in ossl_statem_client_post_work()
917 if (statem_flush(s) != 1) in ossl_statem_client_post_work()
919 if (!tls13_update_key(s, 1)) { in ossl_statem_client_post_work()
937 int ossl_statem_client_construct_message(SSL_CONNECTION *s, in ossl_statem_client_construct_message() argument
940 OSSL_STATEM *st = &s->statem; in ossl_statem_client_construct_message()
945 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); in ossl_statem_client_construct_message()
949 if (SSL_CONNECTION_IS_DTLS(s)) in ossl_statem_client_construct_message()
1017 size_t ossl_statem_client_max_message_size(SSL_CONNECTION *s) in ossl_statem_client_max_message_size() argument
1019 OSSL_STATEM *st = &s->statem; in ossl_statem_client_max_message_size()
1034 return s->max_cert_list; in ossl_statem_client_max_message_size()
1051 return s->max_cert_list; in ossl_statem_client_max_message_size()
1057 if (s->version == DTLS1_BAD_VER) in ossl_statem_client_max_message_size()
1062 return (SSL_CONNECTION_IS_TLS13(s)) ? SESSION_TICKET_MAX_LENGTH_TLS13 in ossl_statem_client_max_message_size()
1079 MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL_CONNECTION *s, in ossl_statem_client_process_message() argument
1082 OSSL_STATEM *st = &s->statem; in ossl_statem_client_process_message()
1087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_process_message()
1091 return tls_process_server_hello(s, pkt); in ossl_statem_client_process_message()
1094 return dtls_process_hello_verify(s, pkt); in ossl_statem_client_process_message()
1097 return tls_process_server_certificate(s, pkt); in ossl_statem_client_process_message()
1101 return tls_process_server_compressed_certificate(s, pkt); in ossl_statem_client_process_message()
1105 return tls_process_cert_verify(s, pkt); in ossl_statem_client_process_message()
1108 return tls_process_cert_status(s, pkt); in ossl_statem_client_process_message()
1111 return tls_process_key_exchange(s, pkt); in ossl_statem_client_process_message()
1114 return tls_process_certificate_request(s, pkt); in ossl_statem_client_process_message()
1117 return tls_process_server_done(s, pkt); in ossl_statem_client_process_message()
1120 return tls_process_change_cipher_spec(s, pkt); in ossl_statem_client_process_message()
1123 return tls_process_new_session_ticket(s, pkt); in ossl_statem_client_process_message()
1126 return tls_process_finished(s, pkt); in ossl_statem_client_process_message()
1129 return tls_process_hello_req(s, pkt); in ossl_statem_client_process_message()
1132 return tls_process_encrypted_extensions(s, pkt); in ossl_statem_client_process_message()
1135 return tls_process_key_update(s, pkt); in ossl_statem_client_process_message()
1143 WORK_STATE ossl_statem_client_post_process_message(SSL_CONNECTION *s, in ossl_statem_client_post_process_message() argument
1146 OSSL_STATEM *st = &s->statem; in ossl_statem_client_post_process_message()
1151 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ossl_statem_client_post_process_message()
1156 return tls_post_process_server_certificate(s, wst); in ossl_statem_client_post_process_message()
1160 return tls_prepare_client_certificate(s, wst); in ossl_statem_client_post_process_message()
1164 CON_FUNC_RETURN tls_construct_client_hello(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_client_hello() argument
1172 SSL_SESSION *sess = s->session; in tls_construct_client_hello()
1174 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_client_hello()
1177 protverr = ssl_set_client_hello_version(s); in tls_construct_client_hello()
1179 SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr); in tls_construct_client_hello()
1184 || !ssl_version_supported(s, sess->ssl_version, NULL) in tls_construct_client_hello()
1186 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1187 && !ssl_get_new_session(s, 0)) { in tls_construct_client_hello()
1194 p = s->s3.client_random; in tls_construct_client_hello()
1200 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_construct_client_hello()
1203 for (idx = 0; idx < sizeof(s->s3.client_random); idx++) { in tls_construct_client_hello()
1210 i = (s->hello_retry_request == SSL_HRR_NONE); in tls_construct_client_hello()
1213 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random), in tls_construct_client_hello()
1215 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1252 if (!WPACKET_put_bytes_u16(pkt, s->client_version) in tls_construct_client_hello()
1253 || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE)) { in tls_construct_client_hello()
1254 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1259 session_id = s->session->session_id; in tls_construct_client_hello()
1260 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION) { in tls_construct_client_hello()
1261 if (s->version == TLS1_3_VERSION in tls_construct_client_hello()
1262 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) { in tls_construct_client_hello()
1263 sess_id_len = sizeof(s->tmp_session_id); in tls_construct_client_hello()
1264 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1265 session_id = s->tmp_session_id; in tls_construct_client_hello()
1266 if (s->hello_retry_request == SSL_HRR_NONE in tls_construct_client_hello()
1267 && RAND_bytes_ex(sctx->libctx, s->tmp_session_id, in tls_construct_client_hello()
1269 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1276 assert(s->session->session_id_length <= sizeof(s->session->session_id)); in tls_construct_client_hello()
1277 sess_id_len = s->session->session_id_length; in tls_construct_client_hello()
1278 if (s->version == TLS1_3_VERSION) { in tls_construct_client_hello()
1279 s->tmp_session_id_len = sess_id_len; in tls_construct_client_hello()
1280 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len); in tls_construct_client_hello()
1287 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1292 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_construct_client_hello()
1293 if (s->d1->cookie_len > sizeof(s->d1->cookie) in tls_construct_client_hello()
1294 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie, in tls_construct_client_hello()
1295 s->d1->cookie_len)) { in tls_construct_client_hello()
1296 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1303 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1307 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(SSL_CONNECTION_GET_SSL(s)), in tls_construct_client_hello()
1313 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1319 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1323 if (ssl_allow_compression(s) in tls_construct_client_hello()
1325 && (SSL_CONNECTION_IS_DTLS(s) in tls_construct_client_hello()
1326 || s->s3.tmp.max_ver < TLS1_3_VERSION)) { in tls_construct_client_hello()
1331 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1339 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_hello()
1344 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO, NULL, 0)) { in tls_construct_client_hello()
1352 MSG_PROCESS_RETURN dtls_process_hello_verify(SSL_CONNECTION *s, PACKET *pkt) in dtls_process_hello_verify() argument
1359 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1364 if (cookie_len > sizeof(s->d1->cookie)) { in dtls_process_hello_verify()
1365 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG); in dtls_process_hello_verify()
1369 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) { in dtls_process_hello_verify()
1370 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in dtls_process_hello_verify()
1373 s->d1->cookie_len = cookie_len; in dtls_process_hello_verify()
1378 static int set_client_ciphersuite(SSL_CONNECTION *s, in set_client_ciphersuite() argument
1384 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in set_client_ciphersuite()
1386 c = ssl_get_cipher_by_char(s, cipherchars, 0); in set_client_ciphersuite()
1389 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED); in set_client_ciphersuite()
1396 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK, 1)) { in set_client_ciphersuite()
1397 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1401 sk = ssl_get_ciphers_by_id(s); in set_client_ciphersuite()
1405 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1409 if (SSL_CONNECTION_IS_TLS13(s) && s->s3.tmp.new_cipher != NULL in set_client_ciphersuite()
1410 && s->s3.tmp.new_cipher->id != c->id) { in set_client_ciphersuite()
1412 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED); in set_client_ciphersuite()
1421 if (s->session->cipher != NULL) in set_client_ciphersuite()
1422 s->session->cipher_id = s->session->cipher->id; in set_client_ciphersuite()
1423 if (s->hit && (s->session->cipher_id != c->id)) { in set_client_ciphersuite()
1424 if (SSL_CONNECTION_IS_TLS13(s)) { in set_client_ciphersuite()
1427 if (!ossl_assert(s->session->cipher != NULL)) { in set_client_ciphersuite()
1428 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in set_client_ciphersuite()
1436 || md != ssl_md(sctx, s->session->cipher->algorithm2)) { in set_client_ciphersuite()
1437 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1446 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in set_client_ciphersuite()
1451 s->s3.tmp.new_cipher = c; in set_client_ciphersuite()
1456 MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt) in tls_process_server_hello() argument
1466 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_process_server_hello()
1467 SSL *ussl = SSL_CONNECTION_GET_USER_SSL(s); in tls_process_server_hello()
1473 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1478 if (s->version == TLS1_3_VERSION in tls_process_server_hello()
1482 if (s->hello_retry_request != SSL_HRR_NONE) { in tls_process_server_hello()
1483 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_server_hello()
1486 s->hello_retry_request = SSL_HRR_PENDING; in tls_process_server_hello()
1488 if (!ssl_set_record_protocol_version(s, s->version)) { in tls_process_server_hello()
1489 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1494 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1498 if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE)) { in tls_process_server_hello()
1499 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1506 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1510 if (session_id_len > sizeof(s->session->session_id) in tls_process_server_hello()
1512 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG); in tls_process_server_hello()
1517 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1522 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_hello()
1531 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_hello()
1536 if (!tls_collect_extensions(s, &extpkt, in tls_process_server_hello()
1544 if (!ssl_choose_client_version(s, sversion, extensions)) { in tls_process_server_hello()
1550 if (SSL_CONNECTION_IS_TLS13(s) || hrr) { in tls_process_server_hello()
1552 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1557 if (session_id_len != s->tmp_session_id_len in tls_process_server_hello()
1558 || memcmp(PACKET_data(&session_id), s->tmp_session_id, in tls_process_server_hello()
1560 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID); in tls_process_server_hello()
1566 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1571 return tls_process_as_hello_retry_request(s, &extpkt); in tls_process_server_hello()
1578 context = SSL_CONNECTION_IS_TLS13(s) ? SSL_EXT_TLS1_3_SERVER_HELLO in tls_process_server_hello()
1580 if (!tls_validate_all_contexts(s, context, extensions)) { in tls_process_server_hello()
1581 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION); in tls_process_server_hello()
1585 s->hit = 0; in tls_process_server_hello()
1587 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_hello()
1592 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) { in tls_process_server_hello()
1593 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, in tls_process_server_hello()
1599 if (!tls_parse_extension(s, TLSEXT_IDX_psk, in tls_process_server_hello()
1618 if (s->version >= TLS1_VERSION in tls_process_server_hello()
1619 && s->ext.session_secret_cb != NULL && s->session->ext.tick) { in tls_process_server_hello()
1627 master_key_length = sizeof(s->session->master_key); in tls_process_server_hello()
1628 if (s->ext.session_secret_cb(ussl, s->session->master_key, in tls_process_server_hello()
1631 s->ext.session_secret_cb_arg) in tls_process_server_hello()
1633 s->session->master_key_length = master_key_length; in tls_process_server_hello()
1634 s->session->cipher = pref_cipher ? in tls_process_server_hello()
1635 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0); in tls_process_server_hello()
1637 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1643 && session_id_len == s->session->session_id_length in tls_process_server_hello()
1644 && memcmp(PACKET_data(&session_id), s->session->session_id, in tls_process_server_hello()
1646 s->hit = 1; in tls_process_server_hello()
1649 if (s->hit) { in tls_process_server_hello()
1650 if (s->sid_ctx_length != s->session->sid_ctx_length in tls_process_server_hello()
1651 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { in tls_process_server_hello()
1653 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1665 if (s->session->session_id_length > 0) { in tls_process_server_hello()
1666 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss); in tls_process_server_hello()
1667 if (!ssl_get_new_session(s, 0)) { in tls_process_server_hello()
1673 s->session->ssl_version = s->version; in tls_process_server_hello()
1680 if (!SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_hello()
1681 s->session->session_id_length = session_id_len; in tls_process_server_hello()
1684 memcpy(s->session->session_id, PACKET_data(&session_id), in tls_process_server_hello()
1690 if (s->version != s->session->ssl_version) { in tls_process_server_hello()
1691 SSLfatal(s, SSL_AD_PROTOCOL_VERSION, in tls_process_server_hello()
1699 s->s3.tmp.min_ver = s->version; in tls_process_server_hello()
1700 s->s3.tmp.max_ver = s->version; in tls_process_server_hello()
1702 if (!set_client_ciphersuite(s, cipherchars)) { in tls_process_server_hello()
1709 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1717 if (s->session->compress_meth != 0) { in tls_process_server_hello()
1718 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION); in tls_process_server_hello()
1722 if (s->hit && compression != s->session->compress_meth) { in tls_process_server_hello()
1723 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1729 else if (!ssl_allow_compression(s)) { in tls_process_server_hello()
1730 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED); in tls_process_server_hello()
1733 comp = ssl3_comp_find(SSL_CONNECTION_GET_CTX(s)->comp_methods, in tls_process_server_hello()
1738 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, in tls_process_server_hello()
1742 s->s3.tmp.new_compression = comp; in tls_process_server_hello()
1746 if (!tls_parse_all_extensions(s, context, extensions, NULL, 0, 1)) { in tls_process_server_hello()
1752 if (SSL_CONNECTION_IS_DTLS(s) && s->hit) { in tls_process_server_hello()
1766 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_process_server_hello()
1773 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_server_hello()
1787 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_hello()
1788 if (!ssl->method->ssl3_enc->setup_key_block(s) in tls_process_server_hello()
1789 || !ssl->method->ssl3_enc->change_cipher_state(s, in tls_process_server_hello()
1803 if (s->early_data_state == SSL_EARLY_DATA_NONE in tls_process_server_hello()
1804 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 in tls_process_server_hello()
1805 && !ssl->method->ssl3_enc->change_cipher_state(s, in tls_process_server_hello()
1819 static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL_CONNECTION *s, in tls_process_as_hello_retry_request() argument
1828 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING in tls_process_as_hello_retry_request()
1829 && !ssl_set_new_record_layer(s, in tls_process_as_hello_retry_request()
1839 s->rlayer.wrlmethod->set_protocol_version(s->rlayer.wrl, TLS1_3_VERSION); in tls_process_as_hello_retry_request()
1841 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1843 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST, in tls_process_as_hello_retry_request()
1852 if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL) { in tls_process_as_hello_retry_request()
1857 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR); in tls_process_as_hello_retry_request()
1865 if (!create_synthetic_message_hash(s, NULL, 0, NULL, 0)) { in tls_process_as_hello_retry_request()
1876 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, in tls_process_as_hello_retry_request()
1877 s->init_num + SSL3_HM_HEADER_LENGTH)) { in tls_process_as_hello_retry_request()
1964 MSG_PROCESS_RETURN tls_process_server_certificate(SSL_CONNECTION *s, in tls_process_server_certificate() argument
1972 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_server_certificate()
1974 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) in tls_process_server_certificate()
1975 return tls_process_server_rpk(s, pkt); in tls_process_server_certificate()
1976 if (s->ext.server_cert_type != TLSEXT_cert_type_x509) { in tls_process_server_certificate()
1977 SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE, in tls_process_server_certificate()
1982 if ((s->session->peer_chain = sk_X509_new_null()) == NULL) { in tls_process_server_certificate()
1983 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_server_certificate()
1987 if ((SSL_CONNECTION_IS_TLS13(s) && !PACKET_get_1(pkt, &context)) in tls_process_server_certificate()
1992 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_certificate()
1998 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
2005 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB); in tls_process_server_certificate()
2010 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB); in tls_process_server_certificate()
2015 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH); in tls_process_server_certificate()
2019 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_server_certificate()
2024 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_server_certificate()
2027 if (!tls_collect_extensions(s, &extensions, in tls_process_server_certificate()
2030 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, in tls_process_server_certificate()
2040 if (!sk_X509_push(s->session->peer_chain, x)) { in tls_process_server_certificate()
2041 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_server_certificate()
2050 OSSL_STACK_OF_X509_free(s->session->peer_chain); in tls_process_server_certificate()
2051 s->session->peer_chain = NULL; in tls_process_server_certificate()
2060 WORK_STATE tls_post_process_server_certificate(SSL_CONNECTION *s, in tls_post_process_server_certificate() argument
2069 if (s->ext.server_cert_type == TLSEXT_cert_type_rpk) in tls_post_process_server_certificate()
2070 return tls_post_process_server_rpk(s, wst); in tls_post_process_server_certificate()
2072 if (s->rwstate == SSL_RETRY_VERIFY) in tls_post_process_server_certificate()
2073 s->rwstate = SSL_NOTHING; in tls_post_process_server_certificate()
2074 i = ssl_verify_cert_chain(s, s->session->peer_chain); in tls_post_process_server_certificate()
2075 if (i > 0 && s->rwstate == SSL_RETRY_VERIFY) { in tls_post_process_server_certificate()
2092 if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) { in tls_post_process_server_certificate()
2093 SSLfatal(s, ssl_x509err2alert(s->verify_result), in tls_post_process_server_certificate()
2103 x = sk_X509_value(s->session->peer_chain, 0); in tls_post_process_server_certificate()
2108 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_post_process_server_certificate()
2114 SSL_CONNECTION_GET_CTX(s))) == NULL) { in tls_post_process_server_certificate()
2115 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
2123 if (!SSL_CONNECTION_IS_TLS13(s)) { in tls_post_process_server_certificate()
2124 if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) { in tls_post_process_server_certificate()
2125 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE); in tls_post_process_server_certificate()
2130 X509_free(s->session->peer); in tls_post_process_server_certificate()
2132 s->session->peer = x; in tls_post_process_server_certificate()
2133 s->session->verify_result = s->verify_result; in tls_post_process_server_certificate()
2135 EVP_PKEY_free(s->session->peer_rpk); in tls_post_process_server_certificate()
2136 s->session->peer_rpk = NULL; in tls_post_process_server_certificate()
2139 if (SSL_CONNECTION_IS_TLS13(s) in tls_post_process_server_certificate()
2140 && !ssl_handshake_hash(s, s->cert_verify_hash, in tls_post_process_server_certificate()
2141 sizeof(s->cert_verify_hash), in tls_post_process_server_certificate()
2142 &s->cert_verify_hash_len)) { in tls_post_process_server_certificate()
2164 static int tls_process_ske_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) in tls_process_ske_psk_preamble() argument
2172 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_psk_preamble()
2183 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG); in tls_process_ske_psk_preamble()
2188 OPENSSL_free(s->session->psk_identity_hint); in tls_process_ske_psk_preamble()
2189 s->session->psk_identity_hint = NULL; in tls_process_ske_psk_preamble()
2191 &s->session->psk_identity_hint)) { in tls_process_ske_psk_preamble()
2192 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
2198 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_psk_preamble()
2203 static int tls_process_ske_srp(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_srp() argument
2212 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_srp()
2216 if ((s->srp_ctx.N = in tls_process_ske_srp()
2219 || (s->srp_ctx.g = in tls_process_ske_srp()
2222 || (s->srp_ctx.s = in tls_process_ske_srp()
2225 || (s->srp_ctx.B = in tls_process_ske_srp()
2228 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_srp()
2232 if (!srp_verify_server_param(s)) { in tls_process_ske_srp()
2238 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_srp()
2239 *pkey = tls_get_peer_pkey(s); in tls_process_ske_srp()
2243 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_srp()
2248 static int tls_process_ske_dhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_dhe() argument
2256 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_ske_dhe()
2262 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_dhe()
2272 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB); in tls_process_ske_dhe()
2283 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
2289 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_ske_dhe()
2294 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
2309 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE); in tls_process_ske_dhe()
2313 if (!ssl_security(s, SSL_SECOP_TMP_DH, in tls_process_ske_dhe()
2316 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); in tls_process_ske_dhe()
2320 s->s3.peer_tmp = peer_tmp; in tls_process_ske_dhe()
2327 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA | SSL_aDSS)) in tls_process_ske_dhe()
2328 *pkey = tls_get_peer_pkey(s); in tls_process_ske_dhe()
2345 static int tls_process_ske_ecdhe(SSL_CONNECTION *s, PACKET *pkt, EVP_PKEY **pkey) in tls_process_ske_ecdhe() argument
2356 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_ske_ecdhe()
2364 || !tls1_check_group_id(s, curve_id, 1)) { in tls_process_ske_ecdhe()
2365 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE); in tls_process_ske_ecdhe()
2369 if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL) { in tls_process_ske_ecdhe()
2370 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_ske_ecdhe()
2376 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_ske_ecdhe()
2380 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp, in tls_process_ske_ecdhe()
2383 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT); in tls_process_ske_ecdhe()
2392 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA) in tls_process_ske_ecdhe()
2393 *pkey = tls_get_peer_pkey(s); in tls_process_ske_ecdhe()
2394 else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA) in tls_process_ske_ecdhe()
2395 *pkey = tls_get_peer_pkey(s); in tls_process_ske_ecdhe()
2399 s->session->kex_group = curve_id; in tls_process_ske_ecdhe()
2403 MSG_PROCESS_RETURN tls_process_key_exchange(SSL_CONNECTION *s, PACKET *pkt) in tls_process_key_exchange() argument
2410 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_key_exchange()
2412 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_process_key_exchange()
2416 EVP_PKEY_free(s->s3.peer_tmp); in tls_process_key_exchange()
2417 s->s3.peer_tmp = NULL; in tls_process_key_exchange()
2420 if (!tls_process_ske_psk_preamble(s, pkt)) { in tls_process_key_exchange()
2429 if (!tls_process_ske_srp(s, pkt, &pkey)) { in tls_process_key_exchange()
2434 if (!tls_process_ske_dhe(s, pkt, &pkey)) { in tls_process_key_exchange()
2439 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) { in tls_process_key_exchange()
2444 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); in tls_process_key_exchange()
2463 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_key_exchange()
2467 if (SSL_USE_SIGALGS(s)) { in tls_process_key_exchange()
2471 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT); in tls_process_key_exchange()
2474 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) { in tls_process_key_exchange()
2478 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) { in tls_process_key_exchange()
2479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_key_exchange()
2484 if (!tls1_lookup_md(sctx, s->s3.tmp.peer_sigalg, &md)) { in tls_process_key_exchange()
2485 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_key_exchange()
2489 if (SSL_USE_SIGALGS(s)) in tls_process_key_exchange()
2495 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_key_exchange()
2501 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2509 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2512 if (SSL_USE_PSS(s)) { in tls_process_key_exchange()
2516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_key_exchange()
2520 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params), in tls_process_key_exchange()
2531 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE); in tls_process_key_exchange()
2538 if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) in tls_process_key_exchange()
2541 if (ssl3_check_cert_and_algorithm(s)) { in tls_process_key_exchange()
2542 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA); in tls_process_key_exchange()
2549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE); in tls_process_key_exchange()
2560 MSG_PROCESS_RETURN tls_process_certificate_request(SSL_CONNECTION *s, in tls_process_certificate_request() argument
2564 if (s->s3.tmp.valid_flags != NULL) in tls_process_certificate_request()
2565 memset(s->s3.tmp.valid_flags, 0, s->ssl_pkey_num * sizeof(uint32_t)); in tls_process_certificate_request()
2567 s->s3.tmp.valid_flags = OPENSSL_zalloc(s->ssl_pkey_num * sizeof(uint32_t)); in tls_process_certificate_request()
2570 if (s->s3.tmp.valid_flags == NULL) in tls_process_certificate_request()
2573 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_certificate_request()
2577 if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) { in tls_process_certificate_request()
2587 OPENSSL_free(s->s3.tmp.ctype); in tls_process_certificate_request()
2588 s->s3.tmp.ctype = NULL; in tls_process_certificate_request()
2589 s->s3.tmp.ctype_len = 0; in tls_process_certificate_request()
2590 OPENSSL_free(s->pha_context); in tls_process_certificate_request()
2591 s->pha_context = NULL; in tls_process_certificate_request()
2592 s->pha_context_len = 0; in tls_process_certificate_request()
2595 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) { in tls_process_certificate_request()
2596 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2601 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
2604 if (!tls_collect_extensions(s, &extensions, in tls_process_certificate_request()
2607 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, in tls_process_certificate_request()
2614 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2615 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH); in tls_process_certificate_request()
2623 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2627 if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) { in tls_process_certificate_request()
2628 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_certificate_request()
2632 if (SSL_USE_SIGALGS(s)) { in tls_process_certificate_request()
2636 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2644 if (!tls1_save_sigalgs(s, &sigalgs, 0)) { in tls_process_certificate_request()
2645 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_certificate_request()
2649 if (!tls1_process_sigalgs(s)) { in tls_process_certificate_request()
2650 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_process_certificate_request()
2656 if (!parse_ca_names(s, pkt)) { in tls_process_certificate_request()
2663 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_certificate_request()
2668 s->s3.tmp.cert_req = 1; in tls_process_certificate_request()
2678 if (SSL_CONNECTION_IS_TLS13(s) in tls_process_certificate_request()
2679 && s->post_handshake_auth != SSL_PHA_REQUESTED) in tls_process_certificate_request()
2685 MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, in tls_process_new_session_ticket() argument
2694 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_new_session_ticket()
2699 || (SSL_CONNECTION_IS_TLS13(s) in tls_process_new_session_ticket()
2703 || (SSL_CONNECTION_IS_TLS13(s) ? (ticklen == 0 in tls_process_new_session_ticket()
2706 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2726 if (SSL_CONNECTION_IS_TLS13(s) || s->session->session_id_length > 0) { in tls_process_new_session_ticket()
2733 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { in tls_process_new_session_ticket()
2734 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_process_new_session_ticket()
2738 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) != 0 in tls_process_new_session_ticket()
2739 && !SSL_CONNECTION_IS_TLS13(s)) { in tls_process_new_session_ticket()
2745 SSL_CTX_remove_session(s->session_ctx, s->session); in tls_process_new_session_ticket()
2748 SSL_SESSION_free(s->session); in tls_process_new_session_ticket()
2749 s->session = new_sess; in tls_process_new_session_ticket()
2752 s->session->time = ossl_time_now(); in tls_process_new_session_ticket()
2753 ssl_session_calculate_timeout(s->session); in tls_process_new_session_ticket()
2755 OPENSSL_free(s->session->ext.tick); in tls_process_new_session_ticket()
2756 s->session->ext.tick = NULL; in tls_process_new_session_ticket()
2757 s->session->ext.ticklen = 0; in tls_process_new_session_ticket()
2759 s->session->ext.tick = OPENSSL_malloc(ticklen); in tls_process_new_session_ticket()
2760 if (s->session->ext.tick == NULL) { in tls_process_new_session_ticket()
2761 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_new_session_ticket()
2764 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) { in tls_process_new_session_ticket()
2765 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2769 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint; in tls_process_new_session_ticket()
2770 s->session->ext.tick_age_add = age_add; in tls_process_new_session_ticket()
2771 s->session->ext.ticklen = ticklen; in tls_process_new_session_ticket()
2773 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_new_session_ticket()
2778 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_new_session_ticket()
2782 if (!tls_collect_extensions(s, &extpkt, in tls_process_new_session_ticket()
2785 || !tls_parse_all_extensions(s, in tls_process_new_session_ticket()
2807 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls_process_new_session_ticket()
2814 if (!EVP_Digest(s->session->ext.tick, ticklen, in tls_process_new_session_ticket()
2815 s->session->session_id, &sess_len, in tls_process_new_session_ticket()
2817 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_process_new_session_ticket()
2822 s->session->session_id_length = sess_len; in tls_process_new_session_ticket()
2823 s->session->not_resumable = 0; in tls_process_new_session_ticket()
2826 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_process_new_session_ticket()
2827 const EVP_MD *md = ssl_handshake_md(s); in tls_process_new_session_ticket()
2834 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_process_new_session_ticket()
2839 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, in tls_process_new_session_ticket()
2844 s->session->master_key, in tls_process_new_session_ticket()
2849 s->session->master_key_length = hashlen; in tls_process_new_session_ticket()
2852 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); in tls_process_new_session_ticket()
2867 int tls_process_cert_status_body(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cert_status_body() argument
2874 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE); in tls_process_cert_status_body()
2879 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
2882 s->ext.ocsp.resp = OPENSSL_malloc(resplen); in tls_process_cert_status_body()
2883 if (s->ext.ocsp.resp == NULL) { in tls_process_cert_status_body()
2884 s->ext.ocsp.resp_len = 0; in tls_process_cert_status_body()
2885 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_process_cert_status_body()
2888 s->ext.ocsp.resp_len = resplen; in tls_process_cert_status_body()
2889 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) { in tls_process_cert_status_body()
2890 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_cert_status_body()
2898 MSG_PROCESS_RETURN tls_process_cert_status(SSL_CONNECTION *s, PACKET *pkt) in tls_process_cert_status() argument
2900 if (!tls_process_cert_status_body(s, pkt)) { in tls_process_cert_status()
2914 int tls_process_initial_server_flight(SSL_CONNECTION *s) in tls_process_initial_server_flight() argument
2916 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_process_initial_server_flight()
2922 if (!ssl3_check_cert_and_algorithm(s)) { in tls_process_initial_server_flight()
2932 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing in tls_process_initial_server_flight()
2934 int ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s), in tls_process_initial_server_flight()
2938 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE, in tls_process_initial_server_flight()
2943 SSLfatal(s, SSL_AD_INTERNAL_ERROR, in tls_process_initial_server_flight()
2949 if (s->ct_validation_callback != NULL) { in tls_process_initial_server_flight()
2951 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER)) { in tls_process_initial_server_flight()
2961 MSG_PROCESS_RETURN tls_process_server_done(SSL_CONNECTION *s, PACKET *pkt) in tls_process_server_done() argument
2965 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_server_done()
2969 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_process_server_done()
2970 if (ssl_srp_calc_a_param_intern(s) <= 0) { in tls_process_server_done()
2971 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC); in tls_process_server_done()
2977 if (!tls_process_initial_server_flight(s)) { in tls_process_server_done()
2985 static int tls_construct_cke_psk_preamble(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_psk_preamble() argument
3001 if (s->psk_client_callback == NULL) { in tls_construct_cke_psk_preamble()
3002 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB); in tls_construct_cke_psk_preamble()
3008 psklen = s->psk_client_callback(SSL_CONNECTION_GET_USER_SSL(s), in tls_construct_cke_psk_preamble()
3009 s->session->psk_identity_hint, in tls_construct_cke_psk_preamble()
3014 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3018 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND); in tls_construct_cke_psk_preamble()
3024 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3031 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_psk_preamble()
3035 OPENSSL_free(s->s3.tmp.psk); in tls_construct_cke_psk_preamble()
3036 s->s3.tmp.psk = tmppsk; in tls_construct_cke_psk_preamble()
3037 s->s3.tmp.psklen = psklen; in tls_construct_cke_psk_preamble()
3039 OPENSSL_free(s->session->psk_identity); in tls_construct_cke_psk_preamble()
3040 s->session->psk_identity = tmpidentity; in tls_construct_cke_psk_preamble()
3044 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3058 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_psk_preamble()
3063 static int tls_construct_cke_rsa(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_rsa() argument
3071 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_cke_rsa()
3073 if (!received_server_cert(s)) { in tls_construct_cke_rsa()
3077 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3081 if ((pkey = tls_get_peer_pkey(s)) == NULL) { in tls_construct_cke_rsa()
3082 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3087 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3094 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_rsa()
3098 pms[0] = s->client_version >> 8; in tls_construct_cke_rsa()
3099 pms[1] = s->client_version & 0xff; in tls_construct_cke_rsa()
3101 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_RAND_LIB); in tls_construct_cke_rsa()
3106 if (s->version > SSL3_VERSION && !WPACKET_start_sub_packet_u16(pkt)) { in tls_construct_cke_rsa()
3107 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3114 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_rsa()
3119 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT); in tls_construct_cke_rsa()
3126 if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) { in tls_construct_cke_rsa()
3127 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_rsa()
3132 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) { in tls_construct_cke_rsa()
3137 s->s3.tmp.pms = pms; in tls_construct_cke_rsa()
3138 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_rsa()
3148 static int tls_construct_cke_dhe(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_dhe() argument
3157 skey = s->s3.peer_tmp; in tls_construct_cke_dhe()
3159 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3163 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_dhe()
3165 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3169 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_dhe()
3179 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3193 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3200 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_dhe()
3211 static int tls_construct_cke_ecdhe(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_ecdhe() argument
3218 skey = s->s3.peer_tmp; in tls_construct_cke_ecdhe()
3220 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
3224 ckey = ssl_generate_pkey(s, skey); in tls_construct_cke_ecdhe()
3226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SSL_LIB); in tls_construct_cke_ecdhe()
3230 if (ssl_derive(s, ckey, skey, 0) == 0) { in tls_construct_cke_ecdhe()
3239 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); in tls_construct_cke_ecdhe()
3244 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_ecdhe()
3255 static int tls_construct_cke_gost(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_gost() argument
3268 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_cke_gost()
3270 if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST12) != 0) in tls_construct_cke_gost()
3276 if ((pkey = tls_get_peer_pkey(s)) == NULL) { in tls_construct_cke_gost()
3277 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost()
3286 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost()
3299 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_gost()
3307 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3317 || EVP_DigestUpdate(ukm_hash, s->s3.client_random, in tls_construct_cke_gost()
3319 || EVP_DigestUpdate(ukm_hash, s->s3.server_random, in tls_construct_cke_gost()
3322 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3329 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3338 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost()
3345 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3350 s->s3.tmp.pms = pms; in tls_construct_cke_gost()
3351 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost()
3360 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost()
3366 int ossl_gost18_cke_cipher_nid(const SSL_CONNECTION *s) in ossl_gost18_cke_cipher_nid() argument
3368 if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA) != 0) in ossl_gost18_cke_cipher_nid()
3370 else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK) != 0) in ossl_gost18_cke_cipher_nid()
3376 int ossl_gost_ukm(const SSL_CONNECTION *s, unsigned char *dgst_buf) in ossl_gost_ukm() argument
3380 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in ossl_gost_ukm()
3389 || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3390 || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE) <= 0 in ossl_gost_ukm()
3403 static int tls_construct_cke_gost18(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_gost18() argument
3414 int cipher_nid = ossl_gost18_cke_cipher_nid(s); in tls_construct_cke_gost18()
3415 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in tls_construct_cke_gost18()
3418 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3422 if (ossl_gost_ukm(s, rnd_dgst) <= 0) { in tls_construct_cke_gost18()
3423 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3431 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_gost18()
3436 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3441 if ((pkey = tls_get_peer_pkey(s)) == NULL) { in tls_construct_cke_gost18()
3442 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in tls_construct_cke_gost18()
3451 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3456 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3463 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3469 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); in tls_construct_cke_gost18()
3474 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3480 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in tls_construct_cke_gost18()
3486 s->s3.tmp.pms = pms; in tls_construct_cke_gost18()
3487 s->s3.tmp.pmslen = pmslen; in tls_construct_cke_gost18()
3495 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_gost18()
3500 static int tls_construct_cke_srp(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_cke_srp() argument
3505 if (s->srp_ctx.A == NULL in tls_construct_cke_srp()
3506 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A), in tls_construct_cke_srp()
3508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
3511 BN_bn2bin(s->srp_ctx.A, abytes); in tls_construct_cke_srp()
3513 OPENSSL_free(s->session->srp_username); in tls_construct_cke_srp()
3514 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login); in tls_construct_cke_srp()
3515 if (s->session->srp_username == NULL) { in tls_construct_cke_srp()
3516 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); in tls_construct_cke_srp()
3522 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_cke_srp()
3527 CON_FUNC_RETURN tls_construct_client_key_exchange(SSL_CONNECTION *s, in tls_construct_client_key_exchange() argument
3532 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in tls_construct_client_key_exchange()
3539 && !tls_construct_cke_psk_preamble(s, pkt)) in tls_construct_client_key_exchange()
3543 if (!tls_construct_cke_rsa(s, pkt)) in tls_construct_client_key_exchange()
3546 if (!tls_construct_cke_dhe(s, pkt)) in tls_construct_client_key_exchange()
3549 if (!tls_construct_cke_ecdhe(s, pkt)) in tls_construct_client_key_exchange()
3552 if (!tls_construct_cke_gost(s, pkt)) in tls_construct_client_key_exchange()
3555 if (!tls_construct_cke_gost18(s, pkt)) in tls_construct_client_key_exchange()
3558 if (!tls_construct_cke_srp(s, pkt)) in tls_construct_client_key_exchange()
3561 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_key_exchange()
3567 OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen); in tls_construct_client_key_exchange()
3568 s->s3.tmp.pms = NULL; in tls_construct_client_key_exchange()
3569 s->s3.tmp.pmslen = 0; in tls_construct_client_key_exchange()
3571 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); in tls_construct_client_key_exchange()
3572 s->s3.tmp.psk = NULL; in tls_construct_client_key_exchange()
3573 s->s3.tmp.psklen = 0; in tls_construct_client_key_exchange()
3578 int tls_client_key_exchange_post_work(SSL_CONNECTION *s) in tls_client_key_exchange_post_work() argument
3583 pms = s->s3.tmp.pms; in tls_client_key_exchange_post_work()
3584 pmslen = s->s3.tmp.pmslen; in tls_client_key_exchange_post_work()
3588 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) { in tls_client_key_exchange_post_work()
3589 if (!srp_generate_client_master_secret(s)) { in tls_client_key_exchange_post_work()
3597 if (pms == NULL && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { in tls_client_key_exchange_post_work()
3598 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_PASSED_INVALID_ARGUMENT); in tls_client_key_exchange_post_work()
3601 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) { in tls_client_key_exchange_post_work()
3612 if (SSL_CONNECTION_IS_DTLS(s)) { in tls_client_key_exchange_post_work()
3616 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_client_key_exchange_post_work()
3627 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG) in tls_client_key_exchange_post_work()
3633 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_client_key_exchange_post_work()
3645 s->s3.tmp.pms = NULL; in tls_client_key_exchange_post_work()
3646 s->s3.tmp.pmslen = 0; in tls_client_key_exchange_post_work()
3655 static int ssl3_check_client_certificate(SSL_CONNECTION *s) in ssl3_check_client_certificate() argument
3658 if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL) in ssl3_check_client_certificate()
3664 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT && in ssl3_check_client_certificate()
3665 !tls1_check_chain(s, NULL, NULL, NULL, -2)) in ssl3_check_client_certificate()
3670 WORK_STATE tls_prepare_client_certificate(SSL_CONNECTION *s, WORK_STATE wst) in tls_prepare_client_certificate() argument
3675 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_prepare_client_certificate()
3679 if (s->cert->cert_cb) { in tls_prepare_client_certificate()
3680 i = s->cert->cert_cb(ssl, s->cert->cert_cb_arg); in tls_prepare_client_certificate()
3682 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED); in tls_prepare_client_certificate()
3689 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3691 if (ssl3_check_client_certificate(s)) { in tls_prepare_client_certificate()
3692 if (s->post_handshake_auth == SSL_PHA_REQUESTED) { in tls_prepare_client_certificate()
3708 i = ssl_do_client_cert_cb(s, &x509, &pkey); in tls_prepare_client_certificate()
3710 s->rwstate = SSL_X509_LOOKUP; in tls_prepare_client_certificate()
3713 s->rwstate = SSL_NOTHING; in tls_prepare_client_certificate()
3725 if (i && !ssl3_check_client_certificate(s)) in tls_prepare_client_certificate()
3728 if (s->version == SSL3_VERSION) { in tls_prepare_client_certificate()
3729 s->s3.tmp.cert_req = 0; in tls_prepare_client_certificate()
3730 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_CERTIFICATE); in tls_prepare_client_certificate()
3733 s->s3.tmp.cert_req = 2; in tls_prepare_client_certificate()
3734 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; in tls_prepare_client_certificate()
3735 if (!ssl3_digest_cached_records(s, 0)) { in tls_prepare_client_certificate()
3742 if (!SSL_CONNECTION_IS_TLS13(s) in tls_prepare_client_certificate()
3743 || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) in tls_prepare_client_certificate()
3744 s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; in tls_prepare_client_certificate()
3746 if (s->post_handshake_auth == SSL_PHA_REQUESTED) in tls_prepare_client_certificate()
3752 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_prepare_client_certificate()
/*
 * tls_construct_client_certificate(): builds the client's Certificate
 * message in pkt. This listing shows only the lines that reference `s`,
 * so branch bodies, return statements and some conditions are missing.
 *
 * What the listed lines show:
 *  - TLS 1.3 only: the context bytes come from s->pha_context. The NULL
 *    case has its own branch with an internal-error fatal; otherwise the
 *    context is written with WPACKET_sub_memcpy_u8() using
 *    s->pha_context_len, and a failed write is also an internal-error fatal.
 *  - cpk is set to s->cert->key unless s->s3.tmp.cert_req == 2.
 *    NOTE(review): 2 looks like the "no certificate to send" marker set by
 *    tls_prepare_client_certificate() -- confirm.
 *  - s->ext.client_cert_type selects between tls_output_rpk() and
 *    ssl3_output_cert_chain(); an internal-error fatal follows the two
 *    calls (presumably the default case -- confirm).
 *  - On the first TLS 1.3 handshake, when s->early_data_state is not
 *    SSL_EARLY_DATA_NONE or SSL_OP_ENABLE_MIDDLEBOX_COMPAT is set,
 *    change_cipher_state() is called here; failure is reported with
 *    SSL_AD_NO_ALERT and SSL_R_CANNOT_CHANGE_CIPHER.
 */
3756 CON_FUNC_RETURN tls_construct_client_certificate(SSL_CONNECTION *s, in tls_construct_client_certificate() argument
3760 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_construct_client_certificate()
3762 if (SSL_CONNECTION_IS_TLS13(s)) { in tls_construct_client_certificate()
3763 if (s->pha_context == NULL) { in tls_construct_client_certificate()
3766 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3769 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)) { in tls_construct_client_certificate()
3770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3774 if (s->s3.tmp.cert_req != 2) in tls_construct_client_certificate()
3775 cpk = s->cert->key; in tls_construct_client_certificate()
3776 switch (s->ext.client_cert_type) { in tls_construct_client_certificate()
3778 if (!tls_output_rpk(s, pkt, cpk)) { in tls_construct_client_certificate()
3784 if (!ssl3_output_cert_chain(s, pkt, cpk, 0)) { in tls_construct_client_certificate()
3790 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_client_certificate()
3799 if (SSL_CONNECTION_IS_TLS13(s) in tls_construct_client_certificate()
3800 && SSL_IS_FIRST_HANDSHAKE(s) in tls_construct_client_certificate()
3801 && (s->early_data_state != SSL_EARLY_DATA_NONE in tls_construct_client_certificate()
3802 || (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0) in tls_construct_client_certificate()
3803 && (!ssl->method->ssl3_enc->change_cipher_state(s, in tls_construct_client_certificate()
3809 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER); in tls_construct_client_certificate()
/*
 * ssl3_check_cert_and_algorithm(): checks the peer's credentials against
 * the negotiated cipher (s->s3.tmp.new_cipher). Only lines that reference
 * `s` are listed; the conditions guarding most of the SSLfatal() calls and
 * all return statements are not visible.
 *
 * What the listed lines show:
 *  - alg_k / alg_a are the cipher's key-exchange and authentication masks.
 *  - The peer key from tls_get_peer_pkey() is looked up with
 *    ssl_cert_lookup_by_pkey(); two handshake_failure fatals follow, the
 *    first with SSL_R_MISSING_SIGNING_CERT (the second reason is cut off).
 *  - A DHE key exchange with no s->s3.peer_tmp is an internal-error fatal.
 *  - s->session->peer_rpk != NULL is tested before the ECC check.
 *    NOTE(review): this looks like a shortcut for raw public keys, which
 *    carry no X.509 fields to check -- confirm what the branch returns.
 *  - ssl_check_srvr_ecc_cert_and_alg() is run on s->session->peer, with a
 *    handshake_failure / SSL_R_BAD_ECC_CERT fatal after it.
 */
3917 int ssl3_check_cert_and_algorithm(SSL_CONNECTION *s) in ssl3_check_cert_and_algorithm() argument
3924 alg_k = s->s3.tmp.new_cipher->algorithm_mkey; in ssl3_check_cert_and_algorithm()
3925 alg_a = s->s3.tmp.new_cipher->algorithm_auth; in ssl3_check_cert_and_algorithm()
3932 pkey = tls_get_peer_pkey(s); in ssl3_check_cert_and_algorithm()
3933 clu = ssl_cert_lookup_by_pkey(pkey, &idx, SSL_CONNECTION_GET_CTX(s)); in ssl3_check_cert_and_algorithm()
3937 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT); in ssl3_check_cert_and_algorithm()
3942 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, in ssl3_check_cert_and_algorithm()
3947 if ((alg_k & SSL_kDHE) && (s->s3.peer_tmp == NULL)) { in ssl3_check_cert_and_algorithm()
3948 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl3_check_cert_and_algorithm()
3953 if (s->session->peer_rpk != NULL) in ssl3_check_cert_and_algorithm()
3957 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s)) in ssl3_check_cert_and_algorithm()
3959 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT); in ssl3_check_cert_and_algorithm()
/*
 * tls_construct_next_proto(): writes the NPN protocol name held in
 * s->ext.npn (length s->ext.npn_len) into pkt. Only lines that reference
 * `s` are listed; the rest of the write condition and the return
 * statements are not visible.
 *
 * The name is written with WPACKET_sub_memcpy_u8(), i.e. behind a one-byte
 * length prefix, so a write that does not fit fails and is reported as an
 * internal-error fatal, not as a truncated message.
 */
3967 CON_FUNC_RETURN tls_construct_next_proto(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_next_proto() argument
3972 len = s->ext.npn_len; in tls_construct_next_proto()
3975 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len) in tls_construct_next_proto()
3977 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls_construct_next_proto()
/*
 * tls_process_hello_req(): client-side handling of a received HelloRequest
 * in pkt. Only lines that reference `s` are listed; the length test, the
 * renegotiation call itself and the return statements are not visible.
 *
 * What the listed lines show:
 *  - A length problem is a decode_error fatal (SSL_R_LENGTH_MISMATCH).
 *    NOTE(review): presumably raised when the message body is not empty --
 *    confirm against the missing condition.
 *  - With SSL_OP_NO_RENEGOTIATION set, a warning-level no_renegotiation
 *    alert is sent; it is a warning, not a fatal alert.
 *  - DTLS takes a separate branch from TLS after that check.
 */
3987 MSG_PROCESS_RETURN tls_process_hello_req(SSL_CONNECTION *s, PACKET *pkt) in tls_process_hello_req() argument
3989 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in tls_process_hello_req()
3993 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_hello_req()
3997 if ((s->options & SSL_OP_NO_RENEGOTIATION)) { in tls_process_hello_req()
3998 ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); in tls_process_hello_req()
4009 if (SSL_CONNECTION_IS_DTLS(s)) in tls_process_hello_req()
/*
 * tls_process_encrypted_extensions(): file-local handler for the TLS 1.3
 * EncryptedExtensions message. Only lines that reference `s` are listed;
 * the packet-length test, the remaining call arguments and the return
 * statements are not visible.
 *
 * What the listed lines show:
 *  - A length problem is a decode_error fatal (SSL_R_LENGTH_MISMATCH).
 *  - Extensions are first gathered with tls_collect_extensions() and then
 *    handed to tls_parse_all_extensions() under the
 *    SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS context; the two calls are joined
 *    with ||, so a failure of either one takes the same error path.
 */
4017 static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL_CONNECTION *s, in tls_process_encrypted_extensions() argument
4025 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); in tls_process_encrypted_extensions()
4029 if (!tls_collect_extensions(s, &extensions, in tls_process_encrypted_extensions()
4032 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, in tls_process_encrypted_extensions()
/*
 * ssl_do_client_cert_cb(): obtains a client certificate and private key
 * through the out-parameters px509 and ppkey. Only lines that reference
 * `s` are listed; the conditions that choose between the two sources and
 * the return statements are not visible.
 *
 * What the listed lines show:
 *  - One source is tls_engine_load_ssl_client_cert().
 *  - The other is the application's sctx->client_cert_cb, which is handed
 *    SSL_CONNECTION_GET_USER_SSL(s), not the internal connection object.
 *  - Both results land in `i`. The certificate and key therefore come from
 *    code outside this function; NOTE(review): no check that the two match
 *    is visible here -- confirm that the caller performs it.
 */
4046 int ssl_do_client_cert_cb(SSL_CONNECTION *s, X509 **px509, EVP_PKEY **ppkey) in ssl_do_client_cert_cb() argument
4049 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); in ssl_do_client_cert_cb()
4053 i = tls_engine_load_ssl_client_cert(s, px509, ppkey); in ssl_do_client_cert_cb()
4059 i = sctx->client_cert_cb(SSL_CONNECTION_GET_USER_SSL(s), px509, ppkey); in ssl_do_client_cert_cb()
/*
 * ssl_cipher_list_to_bytes(): serialises the cipher stack sk for the
 * ClientHello. Only lines that reference `s` are listed; the loop header,
 * the packet writes and the return statements are not visible.
 *
 * What the listed lines show:
 *  - empty_reneg_info_scsv is true only when this is not a renegotiation,
 *    the connection is not DTLS, the security callback permits
 *    TLS1_VERSION, and s->min_proto_version <= TLS1_VERSION.
 *  - ssl_set_client_disabled() failure is fatal with
 *    SSL_R_NO_PROTOCOLS_AVAILABLE.
 *  - Ciphers rejected by ssl_cipher_disabled(..., SSL_SECOP_CIPHER_SUPPORTED)
 *    are filtered out.
 *  - For each remaining cipher, the DTLS or TLS min/max protocol bounds are
 *    compared with s->s3.tmp.max_ver. NOTE(review): this appears to track
 *    whether any cipher is usable at the maximum version -- confirm what is
 *    recorded on a match.
 *  - Ending up with nothing to send is fatal with
 *    SSL_R_NO_CIPHERS_AVAILABLE.
 *  - SSL_MODE_SEND_FALLBACK_SCSV is consulted twice, once before the loop
 *    lines and once after them (presumably space reservation, then the
 *    write -- confirm).
 */
4063 int ssl_cipher_list_to_bytes(SSL_CONNECTION *s, STACK_OF(SSL_CIPHER) *sk, in ssl_cipher_list_to_bytes() argument
4068 int empty_reneg_info_scsv = !s->renegotiate in ssl_cipher_list_to_bytes()
4069 && !SSL_CONNECTION_IS_DTLS(s) in ssl_cipher_list_to_bytes()
4070 && ssl_security(s, SSL_SECOP_VERSION, 0, TLS1_VERSION, NULL) in ssl_cipher_list_to_bytes()
4071 && s->min_proto_version <= TLS1_VERSION; in ssl_cipher_list_to_bytes()
4072 SSL *ssl = SSL_CONNECTION_GET_SSL(s); in ssl_cipher_list_to_bytes()
4075 if (!ssl_set_client_disabled(s)) { in ssl_cipher_list_to_bytes()
4076 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE); in ssl_cipher_list_to_bytes()
4081 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4103 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) in ssl_cipher_list_to_bytes()
4111 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED, 0)) in ssl_cipher_list_to_bytes()
4115 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4121 int minproto = SSL_CONNECTION_IS_DTLS(s) ? c->min_dtls : c->min_tls; in ssl_cipher_list_to_bytes()
4122 int maxproto = SSL_CONNECTION_IS_DTLS(s) ? c->max_dtls : c->max_tls; in ssl_cipher_list_to_bytes()
4124 if (ssl_version_cmp(s, maxproto, s->s3.tmp.max_ver) >= 0 in ssl_cipher_list_to_bytes()
4125 && ssl_version_cmp(s, minproto, s->s3.tmp.max_ver) <= 0) in ssl_cipher_list_to_bytes()
4138 SSLfatal_data(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_CIPHERS_AVAILABLE, in ssl_cipher_list_to_bytes()
4149 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4153 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { in ssl_cipher_list_to_bytes()
4158 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in ssl_cipher_list_to_bytes()
4167 CON_FUNC_RETURN tls_construct_end_of_early_data(SSL_CONNECTION *s, WPACKET *pkt) in tls_construct_end_of_early_data() argument
4169 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY in tls_construct_end_of_early_data()
4170 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) { in tls_construct_end_of_early_data()
4171 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); in tls_construct_end_of_early_data()
4175 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING; in tls_construct_end_of_early_data()