Bug Summary

File:out/../deps/openssl/openssl/ssl/statem/statem_clnt.c
Warning:line 1362, column 39
Access to field 'algorithm2' results in a dereference of a null pointer (loaded from field 'cipher')

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name statem_clnt.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_NO_HW -D OPENSSL_API_COMPAT=0x10100001L -D STATIC_LEGACY -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D MODULESDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl/lib/openssl-modules" -D OPENSSLDIR="/home/maurizio/node-v18.6.0/out/Release/obj.target/deps/openssl" -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto -I ../deps/openssl/config/archs/linux-x86_64/asm/crypto/include/internal -I ../deps/openssl/config/archs/linux-x86_64/asm/providers/common/include -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/ssl/statem/statem_clnt.c
1/*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12#include <stdio.h>
13#include <time.h>
14#include <assert.h>
15#include "../ssl_local.h"
16#include "statem_local.h"
17#include <openssl/buffer.h>
18#include <openssl/rand.h>
19#include <openssl/objects.h>
20#include <openssl/evp.h>
21#include <openssl/md5.h>
22#include <openssl/dh.h>
23#include <openssl/rsa.h>
24#include <openssl/bn.h>
25#include <openssl/engine.h>
26#include <openssl/trace.h>
27#include <openssl/core_names.h>
28#include <openssl/param_build.h>
29#include "internal/cryptlib.h"
30
31static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s, PACKET *pkt);
32static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt);
33
34static ossl_inlineinline int cert_req_allowed(SSL *s);
35static int key_exchange_expected(SSL *s);
36static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk,
37 WPACKET *pkt);
38
39/*
40 * Is a CertificateRequest message allowed at the moment or not?
41 *
42 * Return values are:
43 * 1: Yes
44 * 0: No
45 */
46static ossl_inlineinline int cert_req_allowed(SSL *s)
47{
48 /* TLS does not like anon-DH with client cert */
49 if ((s->version > SSL3_VERSION0x0300
50 && (s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL0x00000004U))
51 || (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aSRP0x00000040U | SSL_aPSK0x00000010U)))
52 return 0;
53
54 return 1;
55}
56
57/*
58 * Should we expect the ServerKeyExchange message or not?
59 *
60 * Return values are:
61 * 1: Yes
62 * 0: No
63 */
64static int key_exchange_expected(SSL *s)
65{
66 long alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
67
68 /*
69 * Can't skip server key exchange if this is an ephemeral
70 * ciphersuite or for SRP
71 */
72 if (alg_k & (SSL_kDHE0x00000002U | SSL_kECDHE0x00000004U | SSL_kDHEPSK0x00000100U | SSL_kECDHEPSK0x00000080U
73 | SSL_kSRP0x00000020U)) {
74 return 1;
75 }
76
77 return 0;
78}
79
80/*
81 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
82 * handshake state transitions when a TLS1.3 client is reading messages from the
83 * server. The message type that the server has sent is provided in |mt|. The
84 * current state is in |s->statem.hand_state|.
85 *
86 * Return values are 1 for success (transition allowed) and 0 on error
87 * (transition not allowed)
88 */
89static int ossl_statem_client13_read_transition(SSL *s, int mt)
90{
91 OSSL_STATEM *st = &s->statem;
92
93 /*
94 * Note: There is no case for TLS_ST_CW_CLNT_HELLO, because we haven't
95 * yet negotiated TLSv1.3 at that point so that is handled by
96 * ossl_statem_client_read_transition()
97 */
98
99 switch (st->hand_state) {
100 default:
101 break;
102
103 case TLS_ST_CW_CLNT_HELLO:
104 /*
105 * This must a ClientHello following a HelloRetryRequest, so the only
106 * thing we can get now is a ServerHello.
107 */
108 if (mt == SSL3_MT_SERVER_HELLO2) {
109 st->hand_state = TLS_ST_CR_SRVR_HELLO;
110 return 1;
111 }
112 break;
113
114 case TLS_ST_CR_SRVR_HELLO:
115 if (mt == SSL3_MT_ENCRYPTED_EXTENSIONS8) {
116 st->hand_state = TLS_ST_CR_ENCRYPTED_EXTENSIONS;
117 return 1;
118 }
119 break;
120
121 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
122 if (s->hit) {
123 if (mt == SSL3_MT_FINISHED20) {
124 st->hand_state = TLS_ST_CR_FINISHED;
125 return 1;
126 }
127 } else {
128 if (mt == SSL3_MT_CERTIFICATE_REQUEST13) {
129 st->hand_state = TLS_ST_CR_CERT_REQ;
130 return 1;
131 }
132 if (mt == SSL3_MT_CERTIFICATE11) {
133 st->hand_state = TLS_ST_CR_CERT;
134 return 1;
135 }
136 }
137 break;
138
139 case TLS_ST_CR_CERT_REQ:
140 if (mt == SSL3_MT_CERTIFICATE11) {
141 st->hand_state = TLS_ST_CR_CERT;
142 return 1;
143 }
144 break;
145
146 case TLS_ST_CR_CERT:
147 if (mt == SSL3_MT_CERTIFICATE_VERIFY15) {
148 st->hand_state = TLS_ST_CR_CERT_VRFY;
149 return 1;
150 }
151 break;
152
153 case TLS_ST_CR_CERT_VRFY:
154 if (mt == SSL3_MT_FINISHED20) {
155 st->hand_state = TLS_ST_CR_FINISHED;
156 return 1;
157 }
158 break;
159
160 case TLS_ST_OK:
161 if (mt == SSL3_MT_NEWSESSION_TICKET4) {
162 st->hand_state = TLS_ST_CR_SESSION_TICKET;
163 return 1;
164 }
165 if (mt == SSL3_MT_KEY_UPDATE24) {
166 st->hand_state = TLS_ST_CR_KEY_UPDATE;
167 return 1;
168 }
169 if (mt == SSL3_MT_CERTIFICATE_REQUEST13) {
170#if DTLS_MAX_VERSION_INTERNAL0xFEFD != DTLS1_2_VERSION0xFEFD
171 /* Restore digest for PHA before adding message.*/
172# error Internal DTLS version error
173#endif
174 if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->post_handshake_auth == SSL_PHA_EXT_SENT) {
175 s->post_handshake_auth = SSL_PHA_REQUESTED;
176 /*
177 * In TLS, this is called before the message is added to the
178 * digest. In DTLS, this is expected to be called after adding
179 * to the digest. Either move the digest restore, or add the
180 * message here after the swap, or do it after the clientFinished?
181 */
182 if (!tls13_restore_handshake_digest_for_pha(s)) {
183 /* SSLfatal() already called */
184 return 0;
185 }
186 st->hand_state = TLS_ST_CR_CERT_REQ;
187 return 1;
188 }
189 }
190 break;
191 }
192
193 /* No valid transition found */
194 return 0;
195}
196
197/*
198 * ossl_statem_client_read_transition() encapsulates the logic for the allowed
199 * handshake state transitions when the client is reading messages from the
200 * server. The message type that the server has sent is provided in |mt|. The
201 * current state is in |s->statem.hand_state|.
202 *
203 * Return values are 1 for success (transition allowed) and 0 on error
204 * (transition not allowed)
205 */
206int ossl_statem_client_read_transition(SSL *s, int mt)
207{
208 OSSL_STATEM *st = &s->statem;
209 int ske_expected;
210
211 /*
212 * Note that after writing the first ClientHello we don't know what version
213 * we are going to negotiate yet, so we don't take this branch until later.
214 */
215 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
216 if (!ossl_statem_client13_read_transition(s, mt))
217 goto err;
218 return 1;
219 }
220
221 switch (st->hand_state) {
222 default:
223 break;
224
225 case TLS_ST_CW_CLNT_HELLO:
226 if (mt == SSL3_MT_SERVER_HELLO2) {
227 st->hand_state = TLS_ST_CR_SRVR_HELLO;
228 return 1;
229 }
230
231 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
232 if (mt == DTLS1_MT_HELLO_VERIFY_REQUEST3) {
233 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
234 return 1;
235 }
236 }
237 break;
238
239 case TLS_ST_EARLY_DATA:
240 /*
241 * We've not actually selected TLSv1.3 yet, but we have sent early
242 * data. The only thing allowed now is a ServerHello or a
243 * HelloRetryRequest.
244 */
245 if (mt == SSL3_MT_SERVER_HELLO2) {
246 st->hand_state = TLS_ST_CR_SRVR_HELLO;
247 return 1;
248 }
249 break;
250
251 case TLS_ST_CR_SRVR_HELLO:
252 if (s->hit) {
253 if (s->ext.ticket_expected) {
254 if (mt == SSL3_MT_NEWSESSION_TICKET4) {
255 st->hand_state = TLS_ST_CR_SESSION_TICKET;
256 return 1;
257 }
258 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
259 st->hand_state = TLS_ST_CR_CHANGE;
260 return 1;
261 }
262 } else {
263 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && mt == DTLS1_MT_HELLO_VERIFY_REQUEST3) {
264 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
265 return 1;
266 } else if (s->version >= TLS1_VERSION0x0301
267 && s->ext.session_secret_cb != NULL((void*)0)
268 && s->session->ext.tick != NULL((void*)0)
269 && mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
270 /*
271 * Normally, we can tell if the server is resuming the session
272 * from the session ID. EAP-FAST (RFC 4851), however, relies on
273 * the next server message after the ServerHello to determine if
274 * the server is resuming.
275 */
276 s->hit = 1;
277 st->hand_state = TLS_ST_CR_CHANGE;
278 return 1;
279 } else if (!(s->s3.tmp.new_cipher->algorithm_auth
280 & (SSL_aNULL0x00000004U | SSL_aSRP0x00000040U | SSL_aPSK0x00000010U))) {
281 if (mt == SSL3_MT_CERTIFICATE11) {
282 st->hand_state = TLS_ST_CR_CERT;
283 return 1;
284 }
285 } else {
286 ske_expected = key_exchange_expected(s);
287 /* SKE is optional for some PSK ciphersuites */
288 if (ske_expected
289 || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK(0x00000008U | 0x00000040U | 0x00000080U | 0x00000100U))
290 && mt == SSL3_MT_SERVER_KEY_EXCHANGE12)) {
291 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE12) {
292 st->hand_state = TLS_ST_CR_KEY_EXCH;
293 return 1;
294 }
295 } else if (mt == SSL3_MT_CERTIFICATE_REQUEST13
296 && cert_req_allowed(s)) {
297 st->hand_state = TLS_ST_CR_CERT_REQ;
298 return 1;
299 } else if (mt == SSL3_MT_SERVER_DONE14) {
300 st->hand_state = TLS_ST_CR_SRVR_DONE;
301 return 1;
302 }
303 }
304 }
305 break;
306
307 case TLS_ST_CR_CERT:
308 /*
309 * The CertificateStatus message is optional even if
310 * |ext.status_expected| is set
311 */
312 if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS22) {
313 st->hand_state = TLS_ST_CR_CERT_STATUS;
314 return 1;
315 }
316 /* Fall through */
317
318 case TLS_ST_CR_CERT_STATUS:
319 ske_expected = key_exchange_expected(s);
320 /* SKE is optional for some PSK ciphersuites */
321 if (ske_expected || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK(0x00000008U | 0x00000040U | 0x00000080U | 0x00000100U))
322 && mt == SSL3_MT_SERVER_KEY_EXCHANGE12)) {
323 if (mt == SSL3_MT_SERVER_KEY_EXCHANGE12) {
324 st->hand_state = TLS_ST_CR_KEY_EXCH;
325 return 1;
326 }
327 goto err;
328 }
329 /* Fall through */
330
331 case TLS_ST_CR_KEY_EXCH:
332 if (mt == SSL3_MT_CERTIFICATE_REQUEST13) {
333 if (cert_req_allowed(s)) {
334 st->hand_state = TLS_ST_CR_CERT_REQ;
335 return 1;
336 }
337 goto err;
338 }
339 /* Fall through */
340
341 case TLS_ST_CR_CERT_REQ:
342 if (mt == SSL3_MT_SERVER_DONE14) {
343 st->hand_state = TLS_ST_CR_SRVR_DONE;
344 return 1;
345 }
346 break;
347
348 case TLS_ST_CW_FINISHED:
349 if (s->ext.ticket_expected) {
350 if (mt == SSL3_MT_NEWSESSION_TICKET4) {
351 st->hand_state = TLS_ST_CR_SESSION_TICKET;
352 return 1;
353 }
354 } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
355 st->hand_state = TLS_ST_CR_CHANGE;
356 return 1;
357 }
358 break;
359
360 case TLS_ST_CR_SESSION_TICKET:
361 if (mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
362 st->hand_state = TLS_ST_CR_CHANGE;
363 return 1;
364 }
365 break;
366
367 case TLS_ST_CR_CHANGE:
368 if (mt == SSL3_MT_FINISHED20) {
369 st->hand_state = TLS_ST_CR_FINISHED;
370 return 1;
371 }
372 break;
373
374 case TLS_ST_OK:
375 if (mt == SSL3_MT_HELLO_REQUEST0) {
376 st->hand_state = TLS_ST_CR_HELLO_REQ;
377 return 1;
378 }
379 break;
380 }
381
382 err:
383 /* No valid transition found */
384 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && mt == SSL3_MT_CHANGE_CIPHER_SPEC0x0101) {
385 BIO *rbio;
386
387 /*
388 * CCS messages don't have a message sequence number so this is probably
389 * because of an out-of-order CCS. We'll just drop it.
390 */
391 s->init_num = 0;
392 s->rwstate = SSL_READING3;
393 rbio = SSL_get_rbio(s);
394 BIO_clear_retry_flags(rbio)BIO_clear_flags(rbio, ((0x01|0x02|0x04)|0x08));
395 BIO_set_retry_read(rbio)BIO_set_flags(rbio, (0x01|0x08));
396 return 0;
397 }
398 SSLfatal(s, SSL3_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 398, __func__), ossl_statem_fatal)((s), (10), (244), ((void
*)0));
399 return 0;
400}
401
402/*
403 * ossl_statem_client13_write_transition() works out what handshake state to
404 * move to next when the TLSv1.3 client is writing messages to be sent to the
405 * server.
406 */
407static WRITE_TRAN ossl_statem_client13_write_transition(SSL *s)
408{
409 OSSL_STATEM *st = &s->statem;
410
411 /*
412 * Note: There are no cases for TLS_ST_BEFORE because we haven't negotiated
413 * TLSv1.3 yet at that point. They are handled by
414 * ossl_statem_client_write_transition().
415 */
416 switch (st->hand_state) {
417 default:
418 /* Shouldn't happen */
419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 419, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
420 return WRITE_TRAN_ERROR;
421
422 case TLS_ST_CR_CERT_REQ:
423 if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
424 st->hand_state = TLS_ST_CW_CERT;
425 return WRITE_TRAN_CONTINUE;
426 }
427 /*
428 * We should only get here if we received a CertificateRequest after
429 * we already sent close_notify
430 */
431 if (!ossl_assert((s->shutdown & SSL_SENT_SHUTDOWN) != 0)(((s->shutdown & 1) != 0) != 0)) {
432 /* Shouldn't happen - same as default case */
433 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 433, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
434 return WRITE_TRAN_ERROR;
435 }
436 st->hand_state = TLS_ST_OK;
437 return WRITE_TRAN_CONTINUE;
438
439 case TLS_ST_CR_FINISHED:
440 if (s->early_data_state == SSL_EARLY_DATA_WRITE_RETRY
441 || s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING)
442 st->hand_state = TLS_ST_PENDING_EARLY_DATA_END;
443 else if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0
444 && s->hello_retry_request == SSL_HRR_NONE)
445 st->hand_state = TLS_ST_CW_CHANGE;
446 else
447 st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
448 : TLS_ST_CW_FINISHED;
449 return WRITE_TRAN_CONTINUE;
450
451 case TLS_ST_PENDING_EARLY_DATA_END:
452 if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED2) {
453 st->hand_state = TLS_ST_CW_END_OF_EARLY_DATA;
454 return WRITE_TRAN_CONTINUE;
455 }
456 /* Fall through */
457
458 case TLS_ST_CW_END_OF_EARLY_DATA:
459 case TLS_ST_CW_CHANGE:
460 st->hand_state = (s->s3.tmp.cert_req != 0) ? TLS_ST_CW_CERT
461 : TLS_ST_CW_FINISHED;
462 return WRITE_TRAN_CONTINUE;
463
464 case TLS_ST_CW_CERT:
465 /* If a non-empty Certificate we also send CertificateVerify */
466 st->hand_state = (s->s3.tmp.cert_req == 1) ? TLS_ST_CW_CERT_VRFY
467 : TLS_ST_CW_FINISHED;
468 return WRITE_TRAN_CONTINUE;
469
470 case TLS_ST_CW_CERT_VRFY:
471 st->hand_state = TLS_ST_CW_FINISHED;
472 return WRITE_TRAN_CONTINUE;
473
474 case TLS_ST_CR_KEY_UPDATE:
475 case TLS_ST_CW_KEY_UPDATE:
476 case TLS_ST_CR_SESSION_TICKET:
477 case TLS_ST_CW_FINISHED:
478 st->hand_state = TLS_ST_OK;
479 return WRITE_TRAN_CONTINUE;
480
481 case TLS_ST_OK:
482 if (s->key_update != SSL_KEY_UPDATE_NONE-1) {
483 st->hand_state = TLS_ST_CW_KEY_UPDATE;
484 return WRITE_TRAN_CONTINUE;
485 }
486
487 /* Try to read from the server instead */
488 return WRITE_TRAN_FINISHED;
489 }
490}
491
492/*
493 * ossl_statem_client_write_transition() works out what handshake state to
494 * move to next when the client is writing messages to be sent to the server.
495 */
496WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
497{
498 OSSL_STATEM *st = &s->statem;
499
500 /*
501 * Note that immediately before/after a ClientHello we don't know what
502 * version we are going to negotiate yet, so we don't take this branch until
503 * later
504 */
505 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000))
506 return ossl_statem_client13_write_transition(s);
507
508 switch (st->hand_state) {
509 default:
510 /* Shouldn't happen */
511 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 511, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
512 return WRITE_TRAN_ERROR;
513
514 case TLS_ST_OK:
515 if (!s->renegotiate) {
516 /*
517 * We haven't requested a renegotiation ourselves so we must have
518 * received a message from the server. Better read it.
519 */
520 return WRITE_TRAN_FINISHED;
521 }
522 /* Renegotiation */
523 /* fall thru */
524 case TLS_ST_BEFORE:
525 st->hand_state = TLS_ST_CW_CLNT_HELLO;
526 return WRITE_TRAN_CONTINUE;
527
528 case TLS_ST_CW_CLNT_HELLO:
529 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
530 /*
531 * We are assuming this is a TLSv1.3 connection, although we haven't
532 * actually selected a version yet.
533 */
534 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0)
535 st->hand_state = TLS_ST_CW_CHANGE;
536 else
537 st->hand_state = TLS_ST_EARLY_DATA;
538 return WRITE_TRAN_CONTINUE;
539 }
540 /*
541 * No transition at the end of writing because we don't know what
542 * we will be sent
543 */
544 return WRITE_TRAN_FINISHED;
545
546 case TLS_ST_CR_SRVR_HELLO:
547 /*
548 * We only get here in TLSv1.3. We just received an HRR, so issue a
549 * CCS unless middlebox compat mode is off, or we already issued one
550 * because we did early data.
551 */
552 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0
553 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING)
554 st->hand_state = TLS_ST_CW_CHANGE;
555 else
556 st->hand_state = TLS_ST_CW_CLNT_HELLO;
557 return WRITE_TRAN_CONTINUE;
558
559 case TLS_ST_EARLY_DATA:
560 return WRITE_TRAN_FINISHED;
561
562 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
563 st->hand_state = TLS_ST_CW_CLNT_HELLO;
564 return WRITE_TRAN_CONTINUE;
565
566 case TLS_ST_CR_SRVR_DONE:
567 if (s->s3.tmp.cert_req)
568 st->hand_state = TLS_ST_CW_CERT;
569 else
570 st->hand_state = TLS_ST_CW_KEY_EXCH;
571 return WRITE_TRAN_CONTINUE;
572
573 case TLS_ST_CW_CERT:
574 st->hand_state = TLS_ST_CW_KEY_EXCH;
575 return WRITE_TRAN_CONTINUE;
576
577 case TLS_ST_CW_KEY_EXCH:
578 /*
579 * For TLS, cert_req is set to 2, so a cert chain of nothing is
580 * sent, but no verify packet is sent
581 */
582 /*
583 * XXX: For now, we do not support client authentication in ECDH
584 * cipher suites with ECDH (rather than ECDSA) certificates. We
585 * need to skip the certificate verify message when client's
586 * ECDH public key is sent inside the client certificate.
587 */
588 if (s->s3.tmp.cert_req == 1) {
589 st->hand_state = TLS_ST_CW_CERT_VRFY;
590 } else {
591 st->hand_state = TLS_ST_CW_CHANGE;
592 }
593 if (s->s3.flags & TLS1_FLAGS_SKIP_CERT_VERIFY0x0010) {
594 st->hand_state = TLS_ST_CW_CHANGE;
595 }
596 return WRITE_TRAN_CONTINUE;
597
598 case TLS_ST_CW_CERT_VRFY:
599 st->hand_state = TLS_ST_CW_CHANGE;
600 return WRITE_TRAN_CONTINUE;
601
602 case TLS_ST_CW_CHANGE:
603 if (s->hello_retry_request == SSL_HRR_PENDING) {
604 st->hand_state = TLS_ST_CW_CLNT_HELLO;
605 } else if (s->early_data_state == SSL_EARLY_DATA_CONNECTING) {
606 st->hand_state = TLS_ST_EARLY_DATA;
607 } else {
608#if defined(OPENSSL_NO_NEXTPROTONEG)
609 st->hand_state = TLS_ST_CW_FINISHED;
610#else
611 if (!SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->s3.npn_seen)
612 st->hand_state = TLS_ST_CW_NEXT_PROTO;
613 else
614 st->hand_state = TLS_ST_CW_FINISHED;
615#endif
616 }
617 return WRITE_TRAN_CONTINUE;
618
619#if !defined(OPENSSL_NO_NEXTPROTONEG)
620 case TLS_ST_CW_NEXT_PROTO:
621 st->hand_state = TLS_ST_CW_FINISHED;
622 return WRITE_TRAN_CONTINUE;
623#endif
624
625 case TLS_ST_CW_FINISHED:
626 if (s->hit) {
627 st->hand_state = TLS_ST_OK;
628 return WRITE_TRAN_CONTINUE;
629 } else {
630 return WRITE_TRAN_FINISHED;
631 }
632
633 case TLS_ST_CR_FINISHED:
634 if (s->hit) {
635 st->hand_state = TLS_ST_CW_CHANGE;
636 return WRITE_TRAN_CONTINUE;
637 } else {
638 st->hand_state = TLS_ST_OK;
639 return WRITE_TRAN_CONTINUE;
640 }
641
642 case TLS_ST_CR_HELLO_REQ:
643 /*
644 * If we can renegotiate now then do so, otherwise wait for a more
645 * convenient time.
646 */
647 if (ssl3_renegotiate_check(s, 1)) {
648 if (!tls_setup_handshake(s)) {
649 /* SSLfatal() already called */
650 return WRITE_TRAN_ERROR;
651 }
652 st->hand_state = TLS_ST_CW_CLNT_HELLO;
653 return WRITE_TRAN_CONTINUE;
654 }
655 st->hand_state = TLS_ST_OK;
656 return WRITE_TRAN_CONTINUE;
657 }
658}
659
660/*
661 * Perform any pre work that needs to be done prior to sending a message from
662 * the client to the server.
663 */
664WORK_STATE ossl_statem_client_pre_work(SSL *s, WORK_STATE wst)
665{
666 OSSL_STATEM *st = &s->statem;
667
668 switch (st->hand_state) {
669 default:
670 /* No pre work to be done */
671 break;
672
673 case TLS_ST_CW_CLNT_HELLO:
674 s->shutdown = 0;
675 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
676 /* every DTLS ClientHello resets Finished MAC */
677 if (!ssl3_init_finished_mac(s)) {
678 /* SSLfatal() already called */
679 return WORK_ERROR;
680 }
681 }
682 break;
683
684 case TLS_ST_CW_CHANGE:
685 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
686 if (s->hit) {
687 /*
688 * We're into the last flight so we don't retransmit these
689 * messages unless we need to.
690 */
691 st->use_timer = 0;
692 }
693#ifndef OPENSSL_NO_SCTP
694 if (BIO_dgram_is_sctp(SSL_get_wbio(s))) {
695 /* Calls SSLfatal() as required */
696 return dtls_wait_for_dry(s);
697 }
698#endif
699 }
700 break;
701
702 case TLS_ST_PENDING_EARLY_DATA_END:
703 /*
704 * If we've been called by SSL_do_handshake()/SSL_write(), or we did not
705 * attempt to write early data before calling SSL_read() then we press
706 * on with the handshake. Otherwise we pause here.
707 */
708 if (s->early_data_state == SSL_EARLY_DATA_FINISHED_WRITING
709 || s->early_data_state == SSL_EARLY_DATA_NONE)
710 return WORK_FINISHED_CONTINUE;
711 /* Fall through */
712
713 case TLS_ST_EARLY_DATA:
714 return tls_finish_handshake(s, wst, 0, 1);
715
716 case TLS_ST_OK:
717 /* Calls SSLfatal() as required */
718 return tls_finish_handshake(s, wst, 1, 1);
719 }
720
721 return WORK_FINISHED_CONTINUE;
722}
723
724/*
725 * Perform any work that needs to be done after sending a message from the
726 * client to the server.
727 */
728WORK_STATE ossl_statem_client_post_work(SSL *s, WORK_STATE wst)
729{
730 OSSL_STATEM *st = &s->statem;
731
732 s->init_num = 0;
733
734 switch (st->hand_state) {
735 default:
736 /* No post work to be done */
737 break;
738
739 case TLS_ST_CW_CLNT_HELLO:
740 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
741 && s->max_early_data > 0) {
742 /*
743 * We haven't selected TLSv1.3 yet so we don't call the change
744 * cipher state function associated with the SSL_METHOD. Instead
745 * we call tls13_change_cipher_state() directly.
746 */
747 if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) == 0) {
748 if (!tls13_change_cipher_state(s,
749 SSL3_CC_EARLY0x040 | SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010|0x002))) {
750 /* SSLfatal() already called */
751 return WORK_ERROR;
752 }
753 }
754 /* else we're in compat mode so we delay flushing until after CCS */
755 } else if (!statem_flush(s)) {
756 return WORK_MORE_A;
757 }
758
759 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
760 /* Treat the next message as the first packet */
761 s->first_packet = 1;
762 }
763 break;
764
765 case TLS_ST_CW_END_OF_EARLY_DATA:
766 /*
767 * We set the enc_write_ctx back to NULL because we may end up writing
768 * in cleartext again if we get a HelloRetryRequest from the server.
769 */
770 EVP_CIPHER_CTX_free(s->enc_write_ctx);
771 s->enc_write_ctx = NULL((void*)0);
772 break;
773
774 case TLS_ST_CW_KEY_EXCH:
775 if (tls_client_key_exchange_post_work(s) == 0) {
776 /* SSLfatal() already called */
777 return WORK_ERROR;
778 }
779 break;
780
781 case TLS_ST_CW_CHANGE:
782 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) || s->hello_retry_request == SSL_HRR_PENDING)
783 break;
784 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
785 && s->max_early_data > 0) {
786 /*
787 * We haven't selected TLSv1.3 yet so we don't call the change
788 * cipher state function associated with the SSL_METHOD. Instead
789 * we call tls13_change_cipher_state() directly.
790 */
791 if (!tls13_change_cipher_state(s,
792 SSL3_CC_EARLY0x040 | SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010|0x002)))
793 return WORK_ERROR;
794 break;
795 }
796 s->session->cipher = s->s3.tmp.new_cipher;
797#ifdef OPENSSL_NO_COMP
798 s->session->compress_meth = 0;
799#else
800 if (s->s3.tmp.new_compression == NULL((void*)0))
801 s->session->compress_meth = 0;
802 else
803 s->session->compress_meth = s->s3.tmp.new_compression->id;
804#endif
805 if (!s->method->ssl3_enc->setup_key_block(s)) {
806 /* SSLfatal() already called */
807 return WORK_ERROR;
808 }
809
810 if (!s->method->ssl3_enc->change_cipher_state(s,
811 SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010|0x002))) {
812 /* SSLfatal() already called */
813 return WORK_ERROR;
814 }
815
816 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
817#ifndef OPENSSL_NO_SCTP
818 if (s->hit) {
819 /*
820 * Change to new shared key of SCTP-Auth, will be ignored if
821 * no SCTP used.
822 */
823 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
824 0, NULL((void*)0));
825 }
826#endif
827
828 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE0x002);
829 }
830 break;
831
832 case TLS_ST_CW_FINISHED:
833#ifndef OPENSSL_NO_SCTP
834 if (wst == WORK_MORE_A && SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->hit == 0) {
835 /*
836 * Change to new shared key of SCTP-Auth, will be ignored if
837 * no SCTP used.
838 */
839 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY,
840 0, NULL((void*)0));
841 }
842#endif
843 if (statem_flush(s) != 1)
844 return WORK_MORE_B;
845
846 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
847 if (!tls13_save_handshake_digest_for_pha(s)) {
848 /* SSLfatal() already called */
849 return WORK_ERROR;
850 }
851 if (s->post_handshake_auth != SSL_PHA_REQUESTED) {
852 if (!s->method->ssl3_enc->change_cipher_state(s,
853 SSL3_CC_APPLICATION0x100 | SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010|0x002))) {
854 /* SSLfatal() already called */
855 return WORK_ERROR;
856 }
857 }
858 }
859 break;
860
861 case TLS_ST_CW_KEY_UPDATE:
862 if (statem_flush(s) != 1)
863 return WORK_MORE_A;
864 if (!tls13_update_key(s, 1)) {
865 /* SSLfatal() already called */
866 return WORK_ERROR;
867 }
868 break;
869 }
870
871 return WORK_FINISHED_CONTINUE;
872}
873
874/*
875 * Get the message construction function and message type for sending from the
876 * client
877 *
878 * Valid return values are:
879 * 1: Success
880 * 0: Error
881 */
882int ossl_statem_client_construct_message(SSL *s, WPACKET *pkt,
883 confunc_f *confunc, int *mt)
884{
885 OSSL_STATEM *st = &s->statem;
886
887 switch (st->hand_state) {
888 default:
889 /* Shouldn't happen */
890 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 890, __func__), ossl_statem_fatal)((s), (80), (236), ((void
*)0));
891 return 0;
892
893 case TLS_ST_CW_CHANGE:
894 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8))
895 *confunc = dtls_construct_change_cipher_spec;
896 else
897 *confunc = tls_construct_change_cipher_spec;
898 *mt = SSL3_MT_CHANGE_CIPHER_SPEC0x0101;
899 break;
900
901 case TLS_ST_CW_CLNT_HELLO:
902 *confunc = tls_construct_client_hello;
903 *mt = SSL3_MT_CLIENT_HELLO1;
904 break;
905
906 case TLS_ST_CW_END_OF_EARLY_DATA:
907#ifndef OPENSSL_NO_QUIC
908 /* QUIC does not send EndOfEarlyData, RFC9001 S8.3 */
909 if (SSL_IS_QUIC(s)(s->quic_method != ((void*)0))) {
910 *confunc = NULL((void*)0);
911 *mt = SSL3_MT_DUMMY-1;
912 break;
913 }
914#endif
915 *confunc = tls_construct_end_of_early_data;
916 *mt = SSL3_MT_END_OF_EARLY_DATA5;
917 break;
918
919 case TLS_ST_PENDING_EARLY_DATA_END:
920 *confunc = NULL((void*)0);
921 *mt = SSL3_MT_DUMMY-1;
922 break;
923
924 case TLS_ST_CW_CERT:
925 *confunc = tls_construct_client_certificate;
926 *mt = SSL3_MT_CERTIFICATE11;
927 break;
928
929 case TLS_ST_CW_KEY_EXCH:
930 *confunc = tls_construct_client_key_exchange;
931 *mt = SSL3_MT_CLIENT_KEY_EXCHANGE16;
932 break;
933
934 case TLS_ST_CW_CERT_VRFY:
935 *confunc = tls_construct_cert_verify;
936 *mt = SSL3_MT_CERTIFICATE_VERIFY15;
937 break;
938
939#if !defined(OPENSSL_NO_NEXTPROTONEG)
940 case TLS_ST_CW_NEXT_PROTO:
941 *confunc = tls_construct_next_proto;
942 *mt = SSL3_MT_NEXT_PROTO67;
943 break;
944#endif
945 case TLS_ST_CW_FINISHED:
946 *confunc = tls_construct_finished;
947 *mt = SSL3_MT_FINISHED20;
948 break;
949
950 case TLS_ST_CW_KEY_UPDATE:
951 *confunc = tls_construct_key_update;
952 *mt = SSL3_MT_KEY_UPDATE24;
953 break;
954 }
955
956 return 1;
957}
958
959/*
960 * Returns the maximum allowed length for the current message that we are
961 * reading. Excludes the message header.
962 */
963size_t ossl_statem_client_max_message_size(SSL *s)
964{
965 OSSL_STATEM *st = &s->statem;
966
967 switch (st->hand_state) {
968 default:
969 /* Shouldn't happen */
970 return 0;
971
972 case TLS_ST_CR_SRVR_HELLO:
973 return SERVER_HELLO_MAX_LENGTH65607;
974
975 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
976 return HELLO_VERIFY_REQUEST_MAX_LENGTH258;
977
978 case TLS_ST_CR_CERT:
979 return s->max_cert_list;
980
981 case TLS_ST_CR_CERT_VRFY:
982 return SSL3_RT_MAX_PLAIN_LENGTH16384;
983
984 case TLS_ST_CR_CERT_STATUS:
985 return SSL3_RT_MAX_PLAIN_LENGTH16384;
986
987 case TLS_ST_CR_KEY_EXCH:
988 return SERVER_KEY_EXCH_MAX_LENGTH102400;
989
990 case TLS_ST_CR_CERT_REQ:
991 /*
992 * Set to s->max_cert_list for compatibility with previous releases. In
993 * practice these messages can get quite long if servers are configured
994 * to provide a long list of acceptable CAs
995 */
996 return s->max_cert_list;
997
998 case TLS_ST_CR_SRVR_DONE:
999 return SERVER_HELLO_DONE_MAX_LENGTH0;
1000
1001 case TLS_ST_CR_CHANGE:
1002 if (s->version == DTLS1_BAD_VER0x0100)
1003 return 3;
1004 return CCS_MAX_LENGTH1;
1005
1006 case TLS_ST_CR_SESSION_TICKET:
1007 return (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) ? SESSION_TICKET_MAX_LENGTH_TLS13131338
1008 : SESSION_TICKET_MAX_LENGTH_TLS1265541;
1009
1010 case TLS_ST_CR_FINISHED:
1011 return FINISHED_MAX_LENGTH64;
1012
1013 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1014 return ENCRYPTED_EXTENSIONS_MAX_LENGTH20000;
1015
1016 case TLS_ST_CR_KEY_UPDATE:
1017 return KEY_UPDATE_MAX_LENGTH1;
1018 }
1019}
1020
1021/*
1022 * Process a message that the client has received from the server.
1023 */
1024MSG_PROCESS_RETURN ossl_statem_client_process_message(SSL *s, PACKET *pkt)
1025{
1026 OSSL_STATEM *st = &s->statem;
1027
1028 switch (st->hand_state) {
1029 default:
1030 /* Shouldn't happen */
1031 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1031, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1032 return MSG_PROCESS_ERROR;
1033
1034 case TLS_ST_CR_SRVR_HELLO:
1035 return tls_process_server_hello(s, pkt);
1036
1037 case DTLS_ST_CR_HELLO_VERIFY_REQUEST:
1038 return dtls_process_hello_verify(s, pkt);
1039
1040 case TLS_ST_CR_CERT:
1041 return tls_process_server_certificate(s, pkt);
1042
1043 case TLS_ST_CR_CERT_VRFY:
1044 return tls_process_cert_verify(s, pkt);
1045
1046 case TLS_ST_CR_CERT_STATUS:
1047 return tls_process_cert_status(s, pkt);
1048
1049 case TLS_ST_CR_KEY_EXCH:
1050 return tls_process_key_exchange(s, pkt);
1051
1052 case TLS_ST_CR_CERT_REQ:
1053 return tls_process_certificate_request(s, pkt);
1054
1055 case TLS_ST_CR_SRVR_DONE:
1056 return tls_process_server_done(s, pkt);
1057
1058 case TLS_ST_CR_CHANGE:
1059 return tls_process_change_cipher_spec(s, pkt);
1060
1061 case TLS_ST_CR_SESSION_TICKET:
1062 return tls_process_new_session_ticket(s, pkt);
1063
1064 case TLS_ST_CR_FINISHED:
1065 return tls_process_finished(s, pkt);
1066
1067 case TLS_ST_CR_HELLO_REQ:
1068 return tls_process_hello_req(s, pkt);
1069
1070 case TLS_ST_CR_ENCRYPTED_EXTENSIONS:
1071 return tls_process_encrypted_extensions(s, pkt);
1072
1073 case TLS_ST_CR_KEY_UPDATE:
1074 return tls_process_key_update(s, pkt);
1075 }
1076}
1077
1078/*
1079 * Perform any further processing required following the receipt of a message
1080 * from the server
1081 */
1082WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
1083{
1084 OSSL_STATEM *st = &s->statem;
1085
1086 switch (st->hand_state) {
1087 default:
1088 /* Shouldn't happen */
1089 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1089, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1090 return WORK_ERROR;
1091
1092 case TLS_ST_CR_CERT:
1093 return tls_post_process_server_certificate(s, wst);
1094
1095 case TLS_ST_CR_CERT_VRFY:
1096 case TLS_ST_CR_CERT_REQ:
1097 return tls_prepare_client_certificate(s, wst);
1098 }
1099}
1100
1101int tls_construct_client_hello(SSL *s, WPACKET *pkt)
1102{
1103 unsigned char *p;
1104 size_t sess_id_len;
1105 int i, protverr;
1106#ifndef OPENSSL_NO_COMP
1107 SSL_COMP *comp;
1108#endif
1109 SSL_SESSION *sess = s->session;
1110 unsigned char *session_id;
1111
1112 /* Work out what SSL/TLS/DTLS version to use */
1113 protverr = ssl_set_client_hello_version(s);
1114 if (protverr != 0) {
1115 SSLfatal(s, SSL_AD_INTERNAL_ERROR, protverr)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1115, __func__), ossl_statem_fatal)((s), (80), (protverr), (
(void*)0));
1116 return 0;
1117 }
1118
1119 if (sess == NULL((void*)0)
1120 || !ssl_version_supported(s, sess->ssl_version, NULL((void*)0))
1121 || !SSL_SESSION_is_resumable(sess)) {
1122 if (s->hello_retry_request == SSL_HRR_NONE
1123 && !ssl_get_new_session(s, 0)) {
1124 /* SSLfatal() already called */
1125 return 0;
1126 }
1127 }
1128 /* else use the pre-loaded session */
1129
1130 p = s->s3.client_random;
1131
1132 /*
1133 * for DTLS if client_random is initialized, reuse it, we are
1134 * required to use same upon reply to HelloVerify
1135 */
1136 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
1137 size_t idx;
1138 i = 1;
1139 for (idx = 0; idx < sizeof(s->s3.client_random); idx++) {
1140 if (p[idx]) {
1141 i = 0;
1142 break;
1143 }
1144 }
1145 } else {
1146 i = (s->hello_retry_request == SSL_HRR_NONE);
1147 }
1148
1149 if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3.client_random),
1150 DOWNGRADE_NONE) <= 0) {
1151 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1151, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1152 return 0;
1153 }
1154
1155 /*-
1156 * version indicates the negotiated version: for example from
1157 * an SSLv2/v3 compatible client hello). The client_version
1158 * field is the maximum version we permit and it is also
1159 * used in RSA encrypted premaster secrets. Some servers can
1160 * choke if we initially report a higher version then
1161 * renegotiate to a lower one in the premaster secret. This
1162 * didn't happen with TLS 1.0 as most servers supported it
1163 * but it can with TLS 1.1 or later if the server only supports
1164 * 1.0.
1165 *
1166 * Possible scenario with previous logic:
1167 * 1. Client hello indicates TLS 1.2
1168 * 2. Server hello says TLS 1.0
1169 * 3. RSA encrypted premaster secret uses 1.2.
1170 * 4. Handshake proceeds using TLS 1.0.
1171 * 5. Server sends hello request to renegotiate.
1172 * 6. Client hello indicates TLS v1.0 as we now
1173 * know that is maximum server supports.
1174 * 7. Server chokes on RSA encrypted premaster secret
1175 * containing version 1.0.
1176 *
1177 * For interoperability it should be OK to always use the
1178 * maximum version we support in client hello and then rely
1179 * on the checking of version to ensure the servers isn't
1180 * being inconsistent: for example initially negotiating with
1181 * TLS 1.0 and renegotiating with TLS 1.2. We do this by using
1182 * client_version in client hello and not resetting it to
1183 * the negotiated version.
1184 *
1185 * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
1186 * supported_versions extension for the real supported versions.
1187 */
1188 if (!WPACKET_put_bytes_u16(pkt, s->client_version)WPACKET_put_bytes__((pkt), (s->client_version), 2)
1189 || !WPACKET_memcpy(pkt, s->s3.client_random, SSL3_RANDOM_SIZE32)) {
1190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1190, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1191 return 0;
1192 }
1193
1194 /* Session ID */
1195 session_id = s->session->session_id;
1196 if (s->new_session || s->session->ssl_version == TLS1_3_VERSION0x0304) {
1197 if (s->version == TLS1_3_VERSION0x0304
1198 && (s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT((uint64_t)1 << (uint64_t)20)) != 0) {
1199 sess_id_len = sizeof(s->tmp_session_id);
1200 s->tmp_session_id_len = sess_id_len;
1201 session_id = s->tmp_session_id;
1202 if (s->hello_retry_request == SSL_HRR_NONE
1203 && RAND_bytes_ex(s->ctx->libctx, s->tmp_session_id,
1204 sess_id_len, 0) <= 0) {
1205 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1205, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1206 return 0;
1207 }
1208 } else {
1209 sess_id_len = 0;
1210 }
1211 } else {
1212 assert(s->session->session_id_length <= sizeof(s->session->session_id))((void) (0));
1213 sess_id_len = s->session->session_id_length;
1214 if (s->version == TLS1_3_VERSION0x0304) {
1215 s->tmp_session_id_len = sess_id_len;
1216 memcpy(s->tmp_session_id, s->session->session_id, sess_id_len);
1217 }
1218 }
1219 if (!WPACKET_start_sub_packet_u8(pkt)WPACKET_start_sub_packet_len__((pkt), 1)
1220 || (sess_id_len != 0 && !WPACKET_memcpy(pkt, session_id,
1221 sess_id_len))
1222 || !WPACKET_close(pkt)) {
1223 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1223, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1224 return 0;
1225 }
1226
1227 /* cookie stuff for DTLS */
1228 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
1229 if (s->d1->cookie_len > sizeof(s->d1->cookie)
1230 || !WPACKET_sub_memcpy_u8(pkt, s->d1->cookie,WPACKET_sub_memcpy__((pkt), (s->d1->cookie), (s->d1->
cookie_len), 1)
1231 s->d1->cookie_len)WPACKET_sub_memcpy__((pkt), (s->d1->cookie), (s->d1->
cookie_len), 1)) {
1232 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1232, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1233 return 0;
1234 }
1235 }
1236
1237 /* Ciphers supported */
1238 if (!WPACKET_start_sub_packet_u16(pkt)WPACKET_start_sub_packet_len__((pkt), 2)) {
1239 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1239, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1240 return 0;
1241 }
1242
1243 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), pkt)) {
1244 /* SSLfatal() already called */
1245 return 0;
1246 }
1247 if (!WPACKET_close(pkt)) {
1248 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1248, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1249 return 0;
1250 }
1251
1252 /* COMPRESSION */
1253 if (!WPACKET_start_sub_packet_u8(pkt)WPACKET_start_sub_packet_len__((pkt), 1)) {
1254 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1254, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1255 return 0;
1256 }
1257#ifndef OPENSSL_NO_COMP
1258 if (ssl_allow_compression(s)
1259 && s->ctx->comp_methods
1260 && (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) || s->s3.tmp.max_ver < TLS1_3_VERSION0x0304)) {
1261 int compnum = sk_SSL_COMP_num(s->ctx->comp_methods)OPENSSL_sk_num(ossl_check_const_SSL_COMP_sk_type(s->ctx->
comp_methods));
1262 for (i = 0; i < compnum; i++) {
1263 comp = sk_SSL_COMP_value(s->ctx->comp_methods, i)((SSL_COMP *)OPENSSL_sk_value(ossl_check_const_SSL_COMP_sk_type
(s->ctx->comp_methods), (i)));
1264 if (!WPACKET_put_bytes_u8(pkt, comp->id)WPACKET_put_bytes__((pkt), (comp->id), 1)) {
1265 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1265, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1266 return 0;
1267 }
1268 }
1269 }
1270#endif
1271 /* Add the NULL method */
1272 if (!WPACKET_put_bytes_u8(pkt, 0)WPACKET_put_bytes__((pkt), (0), 1) || !WPACKET_close(pkt)) {
1273 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1273, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1274 return 0;
1275 }
1276
1277 /* TLS extensions */
1278 if (!tls_construct_extensions(s, pkt, SSL_EXT_CLIENT_HELLO0x0080, NULL((void*)0), 0)) {
1279 /* SSLfatal() already called */
1280 return 0;
1281 }
1282
1283 return 1;
1284}
1285
1286MSG_PROCESS_RETURN dtls_process_hello_verify(SSL *s, PACKET *pkt)
1287{
1288 size_t cookie_len;
1289 PACKET cookiepkt;
1290
1291 if (!PACKET_forward(pkt, 2)
1292 || !PACKET_get_length_prefixed_1(pkt, &cookiepkt)) {
1293 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1293, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1294 return MSG_PROCESS_ERROR;
1295 }
1296
1297 cookie_len = PACKET_remaining(&cookiepkt);
1298 if (cookie_len > sizeof(s->d1->cookie)) {
1299 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_LENGTH_TOO_LONG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1299, __func__), ossl_statem_fatal)((s), (47), (404), ((void
*)0));
1300 return MSG_PROCESS_ERROR;
1301 }
1302
1303 if (!PACKET_copy_bytes(&cookiepkt, s->d1->cookie, cookie_len)) {
1304 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1304, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1305 return MSG_PROCESS_ERROR;
1306 }
1307 s->d1->cookie_len = cookie_len;
1308
1309 return MSG_PROCESS_FINISHED_READING;
1310}
1311
1312static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
1313{
1314 STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk;
1315 const SSL_CIPHER *c;
1316 int i;
1317
1318 c = ssl_get_cipher_by_char(s, cipherchars, 0);
1319 if (c == NULL((void*)0)) {
1
Assuming 'c' is not equal to NULL
2
Taking false branch
1320 /* unknown cipher */
1321 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1321, __func__), ossl_statem_fatal)((s), (47), (248), ((void
*)0));
1322 return 0;
1323 }
1324 /*
1325 * If it is a disabled cipher we either didn't send it in client hello,
1326 * or it's not allowed for the selected protocol. So we return an error.
1327 */
1328 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_CHECK(3 | (1 << 16)), 1)) {
3
Assuming the condition is false
4
Taking false branch
1329 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1329, __func__), ossl_statem_fatal)((s), (47), (261), ((void
*)0));
1330 return 0;
1331 }
1332
1333 sk = ssl_get_ciphers_by_id(s);
1334 i = sk_SSL_CIPHER_find(sk, c)OPENSSL_sk_find(ossl_check_SSL_CIPHER_sk_type(sk), ossl_check_SSL_CIPHER_type
(c));
1335 if (i < 0) {
5
Assuming 'i' is >= 0
1336 /* we did not say we would use this cipher */
1337 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1337, __func__), ossl_statem_fatal)((s), (47), (261), ((void
*)0));
1338 return 0;
1339 }
1340
1341 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) && s->s3.tmp.new_cipher != NULL((void*)0)
6
Taking false branch
7
Assuming the condition is true
8
Assuming field 'version' is >= 772
9
Assuming field 'version' is not equal to 65536
10
Assuming field 'new_cipher' is equal to NULL
1342 && s->s3.tmp.new_cipher->id != c->id) {
1343 /* ServerHello selected a different ciphersuite to that in the HRR */
1344 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CIPHER_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1344, __func__), ossl_statem_fatal)((s), (47), (261), ((void
*)0));
1345 return 0;
1346 }
1347
1348 /*
1349 * Depending on the session caching (internal/external), the cipher
1350 * and/or cipher_id values may not be set. Make sure that cipher_id is
1351 * set and use it for comparison.
1352 */
1353 if (s->session->cipher != NULL((void*)0))
11
Assuming field 'cipher' is equal to NULL
1354 s->session->cipher_id = s->session->cipher->id;
1355 if (s->hit && (s->session->cipher_id != c->id)) {
12
Assuming field 'hit' is not equal to 0
13
Assuming field 'cipher_id' is not equal to field 'id'
1356 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
14
Taking true branch
15
Taking true branch
1357 /*
1358 * In TLSv1.3 it is valid for the server to select a different
1359 * ciphersuite as long as the hash is the same.
1360 */
1361 if (ssl_md(s->ctx, c->algorithm2)
1362 != ssl_md(s->ctx, s->session->cipher->algorithm2)) {
16
Access to field 'algorithm2' results in a dereference of a null pointer (loaded from field 'cipher')
1363 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1364, __func__), ossl_statem_fatal)((s), (47), (218), ((void
*)0))
1364 SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1364, __func__), ossl_statem_fatal)((s), (47), (218), ((void
*)0));
1365 return 0;
1366 }
1367 } else {
1368 /*
1369 * Prior to TLSv1.3 resuming a session always meant using the same
1370 * ciphersuite.
1371 */
1372 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1373, __func__), ossl_statem_fatal)((s), (47), (197), ((void
*)0))
1373 SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1373, __func__), ossl_statem_fatal)((s), (47), (197), ((void
*)0));
1374 return 0;
1375 }
1376 }
1377 s->s3.tmp.new_cipher = c;
1378
1379 return 1;
1380}
1381
1382MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
1383{
1384 PACKET session_id, extpkt;
1385 size_t session_id_len;
1386 const unsigned char *cipherchars;
1387 int hrr = 0;
1388 unsigned int compression;
1389 unsigned int sversion;
1390 unsigned int context;
1391 RAW_EXTENSION *extensions = NULL((void*)0);
1392#ifndef OPENSSL_NO_COMP
1393 SSL_COMP *comp;
1394#endif
1395
1396 if (!PACKET_get_net_2(pkt, &sversion)) {
1397 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1397, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1398 goto err;
1399 }
1400
1401 /* load the server random */
1402 if (s->version == TLS1_3_VERSION0x0304
1403 && sversion == TLS1_2_VERSION0x0303
1404 && PACKET_remaining(pkt) >= SSL3_RANDOM_SIZE32
1405 && memcmp(hrrrandom, PACKET_data(pkt), SSL3_RANDOM_SIZE32) == 0) {
1406 if (s->hello_retry_request != SSL_HRR_NONE) {
1407 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1407, __func__), ossl_statem_fatal)((s), (10), (244), ((void
*)0));
1408 goto err;
1409 }
1410 s->hello_retry_request = SSL_HRR_PENDING;
1411 hrr = 1;
1412 if (!PACKET_forward(pkt, SSL3_RANDOM_SIZE32)) {
1413 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1413, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1414 goto err;
1415 }
1416 } else {
1417 if (!PACKET_copy_bytes(pkt, s->s3.server_random, SSL3_RANDOM_SIZE32)) {
1418 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1418, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1419 goto err;
1420 }
1421 }
1422
1423 /* Get the session-id. */
1424 if (!PACKET_get_length_prefixed_1(pkt, &session_id)) {
1425 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1425, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1426 goto err;
1427 }
1428 session_id_len = PACKET_remaining(&session_id);
1429 if (session_id_len > sizeof(s->session->session_id)
1430 || session_id_len > SSL3_SESSION_ID_SIZE32) {
1431 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_SSL3_SESSION_ID_TOO_LONG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1431, __func__), ossl_statem_fatal)((s), (47), (300), ((void
*)0));
1432 goto err;
1433 }
1434
1435 if (!PACKET_get_bytes(pkt, &cipherchars, TLS_CIPHER_LEN2)) {
1436 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1436, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1437 goto err;
1438 }
1439
1440 if (!PACKET_get_1(pkt, &compression)) {
1441 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1441, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1442 goto err;
1443 }
1444
1445 /* TLS extensions */
1446 if (PACKET_remaining(pkt) == 0 && !hrr) {
1447 PACKET_null_init(&extpkt);
1448 } else if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
1449 || PACKET_remaining(pkt) != 0) {
1450 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1450, __func__), ossl_statem_fatal)((s), (50), (271), ((void
*)0));
1451 goto err;
1452 }
1453
1454 if (!hrr) {
1455 if (!tls_collect_extensions(s, &extpkt,
1456 SSL_EXT_TLS1_2_SERVER_HELLO0x0100
1457 | SSL_EXT_TLS1_3_SERVER_HELLO0x0200,
1458 &extensions, NULL((void*)0), 1)) {
1459 /* SSLfatal() already called */
1460 goto err;
1461 }
1462
1463 if (!ssl_choose_client_version(s, sversion, extensions)) {
1464 /* SSLfatal() already called */
1465 goto err;
1466 }
1467 }
1468
1469 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) || hrr) {
1470 if (compression != 0) {
1471 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1472, __func__), ossl_statem_fatal)((s), (47), (341), ((void
*)0))
1472 SSL_R_INVALID_COMPRESSION_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1472, __func__), ossl_statem_fatal)((s), (47), (341), ((void
*)0));
1473 goto err;
1474 }
1475
1476 if (session_id_len != s->tmp_session_id_len
1477 || memcmp(PACKET_data(&session_id), s->tmp_session_id,
1478 session_id_len) != 0) {
1479 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_INVALID_SESSION_ID)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1479, __func__), ossl_statem_fatal)((s), (47), (999), ((void
*)0));
1480 goto err;
1481 }
1482 }
1483
1484 if (hrr) {
1485 if (!set_client_ciphersuite(s, cipherchars)) {
1486 /* SSLfatal() already called */
1487 goto err;
1488 }
1489
1490 return tls_process_as_hello_retry_request(s, &extpkt);
1491 }
1492
1493 /*
1494 * Now we have chosen the version we need to check again that the extensions
1495 * are appropriate for this version.
1496 */
1497 context = SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) ? SSL_EXT_TLS1_3_SERVER_HELLO0x0200
1498 : SSL_EXT_TLS1_2_SERVER_HELLO0x0100;
1499 if (!tls_validate_all_contexts(s, context, extensions)) {
1500 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1500, __func__), ossl_statem_fatal)((s), (47), (110), ((void
*)0));
1501 goto err;
1502 }
1503
1504 s->hit = 0;
1505
1506 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
1507 /*
1508 * In TLSv1.3 a ServerHello message signals a key change so the end of
1509 * the message must be on a record boundary.
1510 */
1511 if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
1512 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1513, __func__), ossl_statem_fatal)((s), (10), (182), ((void
*)0))
1513 SSL_R_NOT_ON_RECORD_BOUNDARY)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1513, __func__), ossl_statem_fatal)((s), (10), (182), ((void
*)0));
1514 goto err;
1515 }
1516
1517 /* This will set s->hit if we are resuming */
1518 if (!tls_parse_extension(s, TLSEXT_IDX_psk,
1519 SSL_EXT_TLS1_3_SERVER_HELLO0x0200,
1520 extensions, NULL((void*)0), 0)) {
1521 /* SSLfatal() already called */
1522 goto err;
1523 }
1524 } else {
1525 /*
1526 * Check if we can resume the session based on external pre-shared
1527 * secret. EAP-FAST (RFC 4851) supports two types of session resumption.
1528 * Resumption based on server-side state works with session IDs.
1529 * Resumption based on pre-shared Protected Access Credentials (PACs)
1530 * works by overriding the SessionTicket extension at the application
1531 * layer, and does not send a session ID. (We do not know whether
1532 * EAP-FAST servers would honour the session ID.) Therefore, the session
1533 * ID alone is not a reliable indicator of session resumption, so we
1534 * first check if we can resume, and later peek at the next handshake
1535 * message to see if the server wants to resume.
1536 */
1537 if (s->version >= TLS1_VERSION0x0301
1538 && s->ext.session_secret_cb != NULL((void*)0) && s->session->ext.tick) {
1539 const SSL_CIPHER *pref_cipher = NULL((void*)0);
1540 /*
1541 * s->session->master_key_length is a size_t, but this is an int for
1542 * backwards compat reasons
1543 */
1544 int master_key_length;
1545 master_key_length = sizeof(s->session->master_key);
1546 if (s->ext.session_secret_cb(s, s->session->master_key,
1547 &master_key_length,
1548 NULL((void*)0), &pref_cipher,
1549 s->ext.session_secret_cb_arg)
1550 && master_key_length > 0) {
1551 s->session->master_key_length = master_key_length;
1552 s->session->cipher = pref_cipher ?
1553 pref_cipher : ssl_get_cipher_by_char(s, cipherchars, 0);
1554 } else {
1555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1555, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1556 goto err;
1557 }
1558 }
1559
1560 if (session_id_len != 0
1561 && session_id_len == s->session->session_id_length
1562 && memcmp(PACKET_data(&session_id), s->session->session_id,
1563 session_id_len) == 0)
1564 s->hit = 1;
1565 }
1566
1567 if (s->hit) {
1568 if (s->sid_ctx_length != s->session->sid_ctx_length
1569 || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) {
1570 /* actually a client application bug */
1571 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1572, __func__), ossl_statem_fatal)((s), (47), (272), ((void
*)0))
1572 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1572, __func__), ossl_statem_fatal)((s), (47), (272), ((void
*)0));
1573 goto err;
1574 }
1575 } else {
1576 /*
1577 * If we were trying for session-id reuse but the server
1578 * didn't resume, make a new SSL_SESSION.
1579 * In the case of EAP-FAST and PAC, we do not send a session ID,
1580 * so the PAC-based session secret is always preserved. It'll be
1581 * overwritten if the server refuses resumption.
1582 */
1583 if (s->session->session_id_length > 0) {
1584 ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_miss);
1585 if (!ssl_get_new_session(s, 0)) {
1586 /* SSLfatal() already called */
1587 goto err;
1588 }
1589 }
1590
1591 s->session->ssl_version = s->version;
1592 /*
1593 * In TLSv1.2 and below we save the session id we were sent so we can
1594 * resume it later. In TLSv1.3 the session id we were sent is just an
1595 * echo of what we originally sent in the ClientHello and should not be
1596 * used for resumption.
1597 */
1598 if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
1599 s->session->session_id_length = session_id_len;
1600 /* session_id_len could be 0 */
1601 if (session_id_len > 0)
1602 memcpy(s->session->session_id, PACKET_data(&session_id),
1603 session_id_len);
1604 }
1605 }
1606
1607 /* Session version and negotiated protocol version should match */
1608 if (s->version != s->session->ssl_version) {
1609 SSLfatal(s, SSL_AD_PROTOCOL_VERSION,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1610, __func__), ossl_statem_fatal)((s), (70), (210), ((void
*)0))
1610 SSL_R_SSL_SESSION_VERSION_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1610, __func__), ossl_statem_fatal)((s), (70), (210), ((void
*)0));
1611 goto err;
1612 }
1613 /*
1614 * Now that we know the version, update the check to see if it's an allowed
1615 * version.
1616 */
1617 s->s3.tmp.min_ver = s->version;
1618 s->s3.tmp.max_ver = s->version;
1619
1620 if (!set_client_ciphersuite(s, cipherchars)) {
1621 /* SSLfatal() already called */
1622 goto err;
1623 }
1624
1625#ifdef OPENSSL_NO_COMP
1626 if (compression != 0) {
1627 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1628, __func__), ossl_statem_fatal)((s), (47), (257), ((void
*)0))
1628 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1628, __func__), ossl_statem_fatal)((s), (47), (257), ((void
*)0));
1629 goto err;
1630 }
1631 /*
1632 * If compression is disabled we'd better not try to resume a session
1633 * using compression.
1634 */
1635 if (s->session->compress_meth != 0) {
1636 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_INCONSISTENT_COMPRESSION)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1636, __func__), ossl_statem_fatal)((s), (40), (340), ((void
*)0));
1637 goto err;
1638 }
1639#else
1640 if (s->hit && compression != s->session->compress_meth) {
1641 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1642, __func__), ossl_statem_fatal)((s), (47), (344), ((void
*)0))
1642 SSL_R_OLD_SESSION_COMPRESSION_ALGORITHM_NOT_RETURNED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1642, __func__), ossl_statem_fatal)((s), (47), (344), ((void
*)0));
1643 goto err;
1644 }
1645 if (compression == 0)
1646 comp = NULL((void*)0);
1647 else if (!ssl_allow_compression(s)) {
1648 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_COMPRESSION_DISABLED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1648, __func__), ossl_statem_fatal)((s), (47), (343), ((void
*)0));
1649 goto err;
1650 } else {
1651 comp = ssl3_comp_find(s->ctx->comp_methods, compression);
1652 }
1653
1654 if (compression != 0 && comp == NULL((void*)0)) {
1655 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1656, __func__), ossl_statem_fatal)((s), (47), (257), ((void
*)0))
1656 SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1656, __func__), ossl_statem_fatal)((s), (47), (257), ((void
*)0));
1657 goto err;
1658 } else {
1659 s->s3.tmp.new_compression = comp;
1660 }
1661#endif
1662
1663 if (!tls_parse_all_extensions(s, context, extensions, NULL((void*)0), 0, 1)) {
1664 /* SSLfatal() already called */
1665 goto err;
1666 }
1667
1668#ifndef OPENSSL_NO_SCTP
1669 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8) && s->hit) {
1670 unsigned char sctpauthkey[64];
1671 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
1672 size_t labellen;
1673
1674 /*
1675 * Add new shared key for SCTP-Auth, will be ignored if
1676 * no SCTP used.
1677 */
1678 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
1679 sizeof(DTLS1_SCTP_AUTH_LABEL));
1680
1681 /* Don't include the terminating zero. */
1682 labellen = sizeof(labelbuffer) - 1;
1683 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG0x00000400U)
1684 labellen += 1;
1685
1686 if (SSL_export_keying_material(s, sctpauthkey,
1687 sizeof(sctpauthkey),
1688 labelbuffer,
1689 labellen, NULL((void*)0), 0, 0) <= 0) {
1690 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1690, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1691 goto err;
1692 }
1693
1694 BIO_ctrl(SSL_get_wbio(s),
1695 BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
1696 sizeof(sctpauthkey), sctpauthkey);
1697 }
1698#endif
1699
1700 /*
1701 * In TLSv1.3 we have some post-processing to change cipher state, otherwise
1702 * we're done with this message
1703 */
1704 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)
1705 && (!s->method->ssl3_enc->setup_key_block(s)
1706 || !s->method->ssl3_enc->change_cipher_state(s,
1707 SSL3_CC_HANDSHAKE0x080 | SSL3_CHANGE_CIPHER_CLIENT_READ(0x010|0x001)))) {
1708 /* SSLfatal() already called */
1709 goto err;
1710 }
1711
1712 OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1712);
1713 return MSG_PROCESS_CONTINUE_READING;
1714 err:
1715 OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1715);
1716 return MSG_PROCESS_ERROR;
1717}
1718
1719static MSG_PROCESS_RETURN tls_process_as_hello_retry_request(SSL *s,
1720 PACKET *extpkt)
1721{
1722 RAW_EXTENSION *extensions = NULL((void*)0);
1723
1724 /*
1725 * If we were sending early_data then the enc_write_ctx is now invalid and
1726 * should not be used.
1727 */
1728 EVP_CIPHER_CTX_free(s->enc_write_ctx);
1729 s->enc_write_ctx = NULL((void*)0);
1730
1731 if (!tls_collect_extensions(s, extpkt, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST0x0800,
1732 &extensions, NULL((void*)0), 1)
1733 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST0x0800,
1734 extensions, NULL((void*)0), 0, 1)) {
1735 /* SSLfatal() already called */
1736 goto err;
1737 }
1738
1739 OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1739);
1740 extensions = NULL((void*)0);
1741
1742 if (s->ext.tls13_cookie_len == 0 && s->s3.tmp.pkey != NULL((void*)0)) {
1743 /*
1744 * We didn't receive a cookie or a new key_share so the next
1745 * ClientHello will not change
1746 */
1747 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_NO_CHANGE_FOLLOWING_HRR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1747, __func__), ossl_statem_fatal)((s), (47), (214), ((void
*)0));
1748 goto err;
1749 }
1750
1751 /*
1752 * Re-initialise the Transcript Hash. We're going to prepopulate it with
1753 * a synthetic message_hash in place of ClientHello1.
1754 */
1755 if (!create_synthetic_message_hash(s, NULL((void*)0), 0, NULL((void*)0), 0)) {
1756 /* SSLfatal() already called */
1757 goto err;
1758 }
1759
1760 /*
1761 * Add this message to the Transcript Hash. Normally this is done
1762 * automatically prior to the message processing stage. However due to the
1763 * need to create the synthetic message hash, we defer that step until now
1764 * for HRR messages.
1765 */
1766 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1767 s->init_num + SSL3_HM_HEADER_LENGTH4)) {
1768 /* SSLfatal() already called */
1769 goto err;
1770 }
1771
1772 return MSG_PROCESS_FINISHED_READING;
1773 err:
1774 OPENSSL_free(extensions)CRYPTO_free(extensions, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1774);
1775 return MSG_PROCESS_ERROR;
1776}
1777
1778/* prepare server cert verification by setting s->session->peer_chain from pkt */
1779MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt)
1780{
1781 unsigned long cert_list_len, cert_len;
1782 X509 *x = NULL((void*)0);
1783 const unsigned char *certstart, *certbytes;
1784 size_t chainidx;
1785 unsigned int context = 0;
1786
1787 if ((s->session->peer_chain = sk_X509_new_null()((struct stack_st_X509 *)OPENSSL_sk_new_null())) == NULL((void*)0)) {
1788 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1788, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1789 goto err;
1790 }
1791
1792 if ((SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) && !PACKET_get_1(pkt, &context))
1793 || context != 0
1794 || !PACKET_get_net_3(pkt, &cert_list_len)
1795 || PACKET_remaining(pkt) != cert_list_len
1796 || PACKET_remaining(pkt) == 0) {
1797 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1797, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1798 goto err;
1799 }
1800 for (chainidx = 0; PACKET_remaining(pkt); chainidx++) {
1801 if (!PACKET_get_net_3(pkt, &cert_len)
1802 || !PACKET_get_bytes(pkt, &certbytes, cert_len)) {
1803 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1803, __func__), ossl_statem_fatal)((s), (50), (135), ((void
*)0));
1804 goto err;
1805 }
1806
1807 certstart = certbytes;
1808 x = X509_new_ex(s->ctx->libctx, s->ctx->propq);
1809 if (x == NULL((void*)0)) {
1810 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1810, __func__), ossl_statem_fatal)((s), (50), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1811 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
,1811,__func__), ERR_set_error)((20),((256|((0x1 << 18L
)|(0x2 << 18L)))),((void*)0));
1812 goto err;
1813 }
1814 if (d2i_X509(&x, (const unsigned char **)&certbytes,
1815 cert_len) == NULL((void*)0)) {
1816 SSLfatal(s, SSL_AD_BAD_CERTIFICATE, ERR_R_ASN1_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1816, __func__), ossl_statem_fatal)((s), (42), ((13 | (0x2 <<
18L))), ((void*)0));
1817 goto err;
1818 }
1819
1820 if (certbytes != (certstart + cert_len)) {
1821 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CERT_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1821, __func__), ossl_statem_fatal)((s), (50), (135), ((void
*)0));
1822 goto err;
1823 }
1824
1825 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
1826 RAW_EXTENSION *rawexts = NULL((void*)0);
1827 PACKET extensions;
1828
1829 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
1830 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1830, __func__), ossl_statem_fatal)((s), (50), (271), ((void
*)0));
1831 goto err;
1832 }
1833 if (!tls_collect_extensions(s, &extensions,
1834 SSL_EXT_TLS1_3_CERTIFICATE0x1000, &rawexts,
1835 NULL((void*)0), chainidx == 0)
1836 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE0x1000,
1837 rawexts, x, chainidx,
1838 PACKET_remaining(pkt) == 0)) {
1839 OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1839);
1840 /* SSLfatal already called */
1841 goto err;
1842 }
1843 OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1843);
1844 }
1845
1846 if (!sk_X509_push(s->session->peer_chain, x)OPENSSL_sk_push(ossl_check_X509_sk_type(s->session->peer_chain
), ossl_check_X509_type(x))) {
1847 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1847, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1848 goto err;
1849 }
1850 x = NULL((void*)0);
1851 }
1852 return MSG_PROCESS_CONTINUE_PROCESSING;
1853
1854 err:
1855 X509_free(x);
1856 sk_X509_pop_free(s->session->peer_chain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s->session->
peer_chain),ossl_check_X509_freefunc_type(X509_free));
1857 s->session->peer_chain = NULL((void*)0);
1858 return MSG_PROCESS_ERROR;
1859}
1860
1861/*
1862 * Verify the s->session->peer_chain and check server cert type.
1863 * On success set s->session->peer and s->session->verify_result.
1864 * Else the peer certificate verification callback may request retry.
1865 */
1866WORK_STATE tls_post_process_server_certificate(SSL *s, WORK_STATE wst)
1867{
1868 X509 *x;
1869 EVP_PKEY *pkey = NULL((void*)0);
1870 const SSL_CERT_LOOKUP *clu;
1871 size_t certidx;
1872 int i;
1873
1874 if (s->rwstate == SSL_RETRY_VERIFY8)
1875 s->rwstate = SSL_NOTHING1;
1876 i = ssl_verify_cert_chain(s, s->session->peer_chain);
1877 if (i > 0 && s->rwstate == SSL_RETRY_VERIFY8) {
1878 return WORK_MORE_A;
1879 }
1880 /*
1881 * The documented interface is that SSL_VERIFY_PEER should be set in order
1882 * for client side verification of the server certificate to take place.
1883 * However, historically the code has only checked that *any* flag is set
1884 * to cause server verification to take place. Use of the other flags makes
1885 * no sense in client mode. An attempt to clean up the semantics was
1886 * reverted because at least one application *only* set
1887 * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
1888 * server verification to take place, after the clean up it silently did
1889 * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
1890 * sent to them because they are void functions. Therefore, we now use the
1891 * (less clean) historic behaviour of performing validation if any flag is
1892 * set. The *documented* interface remains the same.
1893 */
1894 if (s->verify_mode != SSL_VERIFY_NONE0x00 && i <= 0) {
1895 SSLfatal(s, ssl_x509err2alert(s->verify_result),(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1896, __func__), ossl_statem_fatal)((s), (ssl_x509err2alert
(s->verify_result)), (134), ((void*)0))
1896 SSL_R_CERTIFICATE_VERIFY_FAILED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1896, __func__), ossl_statem_fatal)((s), (ssl_x509err2alert
(s->verify_result)), (134), ((void*)0));
1897 return WORK_ERROR;
1898 }
1899 ERR_clear_error(); /* but we keep s->verify_result */
1900
1901 /*
1902 * Inconsistency alert: cert_chain does include the peer's certificate,
1903 * which we don't include in statem_srvr.c
1904 */
1905 x = sk_X509_value(s->session->peer_chain, 0)((X509 *)OPENSSL_sk_value(ossl_check_const_X509_sk_type(s->
session->peer_chain), (0)));
1906
1907 pkey = X509_get0_pubkey(x);
1908
1909 if (pkey == NULL((void*)0) || EVP_PKEY_missing_parameters(pkey)) {
1910 SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1911, __func__), ossl_statem_fatal)((s), (80), (239), ((void
*)0))
1911 SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1911, __func__), ossl_statem_fatal)((s), (80), (239), ((void
*)0));
1912 return WORK_ERROR;
1913 }
1914
1915 if ((clu = ssl_cert_lookup_by_pkey(pkey, &certidx)) == NULL((void*)0)) {
1916 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_UNKNOWN_CERTIFICATE_TYPE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1916, __func__), ossl_statem_fatal)((s), (47), (247), ((void
*)0));
1917 return WORK_ERROR;
1918 }
1919 /*
1920 * Check certificate type is consistent with ciphersuite. For TLS 1.3
1921 * skip check since TLS 1.3 ciphersuites can be used with any certificate
1922 * type.
1923 */
1924 if (!SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
1925 if ((clu->amask & s->s3.tmp.new_cipher->algorithm_auth) == 0) {
1926 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CERTIFICATE_TYPE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1926, __func__), ossl_statem_fatal)((s), (47), (383), ((void
*)0));
1927 return WORK_ERROR;
1928 }
1929 }
1930
1931 X509_free(s->session->peer);
1932 X509_up_ref(x);
1933 s->session->peer = x;
1934 s->session->verify_result = s->verify_result;
1935
1936 /* Save the current hash state for when we receive the CertificateVerify */
1937 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)
1938 && !ssl_handshake_hash(s, s->cert_verify_hash,
1939 sizeof(s->cert_verify_hash),
1940 &s->cert_verify_hash_len)) {
1941 /* SSLfatal() already called */;
1942 return WORK_ERROR;
1943 }
1944 return WORK_FINISHED_CONTINUE;
1945}
1946
1947static int tls_process_ske_psk_preamble(SSL *s, PACKET *pkt)
1948{
1949#ifndef OPENSSL_NO_PSK
1950 PACKET psk_identity_hint;
1951
1952 /* PSK ciphersuites are preceded by an identity hint */
1953
1954 if (!PACKET_get_length_prefixed_2(pkt, &psk_identity_hint)) {
1955 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1955, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1956 return 0;
1957 }
1958
1959 /*
1960 * Store PSK identity hint for later use, hint is used in
1961 * tls_construct_client_key_exchange. Assume that the maximum length of
1962 * a PSK identity hint can be as long as the maximum length of a PSK
1963 * identity.
1964 */
1965 if (PACKET_remaining(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN256) {
1966 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DATA_LENGTH_TOO_LONG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1966, __func__), ossl_statem_fatal)((s), (40), (146), ((void
*)0));
1967 return 0;
1968 }
1969
1970 if (PACKET_remaining(&psk_identity_hint) == 0) {
1971 OPENSSL_free(s->session->psk_identity_hint)CRYPTO_free(s->session->psk_identity_hint, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1971);
1972 s->session->psk_identity_hint = NULL((void*)0);
1973 } else if (!PACKET_strndup(&psk_identity_hint,
1974 &s->session->psk_identity_hint)) {
1975 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1975, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1976 return 0;
1977 }
1978
1979 return 1;
1980#else
1981 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1981, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
1982 return 0;
1983#endif
1984}
1985
1986static int tls_process_ske_srp(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
1987{
1988#ifndef OPENSSL_NO_SRP
1989 PACKET prime, generator, salt, server_pub;
1990
1991 if (!PACKET_get_length_prefixed_2(pkt, &prime)
1992 || !PACKET_get_length_prefixed_2(pkt, &generator)
1993 || !PACKET_get_length_prefixed_1(pkt, &salt)
1994 || !PACKET_get_length_prefixed_2(pkt, &server_pub)) {
1995 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 1995, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
1996 return 0;
1997 }
1998
1999 if ((s->srp_ctx.N =
2000 BN_bin2bn(PACKET_data(&prime),
2001 (int)PACKET_remaining(&prime), NULL((void*)0))) == NULL((void*)0)
2002 || (s->srp_ctx.g =
2003 BN_bin2bn(PACKET_data(&generator),
2004 (int)PACKET_remaining(&generator), NULL((void*)0))) == NULL((void*)0)
2005 || (s->srp_ctx.s =
2006 BN_bin2bn(PACKET_data(&salt),
2007 (int)PACKET_remaining(&salt), NULL((void*)0))) == NULL((void*)0)
2008 || (s->srp_ctx.B =
2009 BN_bin2bn(PACKET_data(&server_pub),
2010 (int)PACKET_remaining(&server_pub), NULL((void*)0))) == NULL((void*)0)) {
2011 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2011, __func__), ossl_statem_fatal)((s), (80), ((3 | (0x2 <<
18L))), ((void*)0));
2012 return 0;
2013 }
2014
2015 if (!srp_verify_server_param(s)) {
2016 /* SSLfatal() already called */
2017 return 0;
2018 }
2019
2020 /* We must check if there is a certificate */
2021 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA0x00000001U | SSL_aDSS0x00000002U))
2022 *pkey = X509_get0_pubkey(s->session->peer);
2023
2024 return 1;
2025#else
2026 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2026, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2027 return 0;
2028#endif
2029}
2030
2031static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
2032{
2033 PACKET prime, generator, pub_key;
2034 EVP_PKEY *peer_tmp = NULL((void*)0);
2035 BIGNUM *p = NULL((void*)0), *g = NULL((void*)0), *bnpub_key = NULL((void*)0);
2036 EVP_PKEY_CTX *pctx = NULL((void*)0);
2037 OSSL_PARAM *params = NULL((void*)0);
2038 OSSL_PARAM_BLD *tmpl = NULL((void*)0);
2039 int ret = 0;
2040
2041 if (!PACKET_get_length_prefixed_2(pkt, &prime)
2042 || !PACKET_get_length_prefixed_2(pkt, &generator)
2043 || !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
2044 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2044, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2045 return 0;
2046 }
2047
2048 p = BN_bin2bn(PACKET_data(&prime), (int)PACKET_remaining(&prime), NULL((void*)0));
2049 g = BN_bin2bn(PACKET_data(&generator), (int)PACKET_remaining(&generator),
2050 NULL((void*)0));
2051 bnpub_key = BN_bin2bn(PACKET_data(&pub_key),
2052 (int)PACKET_remaining(&pub_key), NULL((void*)0));
2053 if (p == NULL((void*)0) || g == NULL((void*)0) || bnpub_key == NULL((void*)0)) {
2054 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BN_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2054, __func__), ossl_statem_fatal)((s), (80), ((3 | (0x2 <<
18L))), ((void*)0));
2055 goto err;
2056 }
2057
2058 tmpl = OSSL_PARAM_BLD_new();
2059 if (tmpl == NULL((void*)0)
2060 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P"p", p)
2061 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G"g", g)
2062 || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_PUB_KEY"pub",
2063 bnpub_key)
2064 || (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL((void*)0)) {
2065 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2065, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2066 goto err;
2067 }
2068
2069 pctx = EVP_PKEY_CTX_new_from_name(s->ctx->libctx, "DH", s->ctx->propq);
2070 if (pctx == NULL((void*)0)) {
2071 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2071, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2072 goto err;
2073 }
2074 if (EVP_PKEY_fromdata_init(pctx) <= 0
2075 || EVP_PKEY_fromdata(pctx, &peer_tmp, EVP_PKEY_KEYPAIR( ( ( ( 0x04 | 0x80) ) | 0x02 ) | 0x01 ), params) <= 0) {
2076 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_DH_VALUE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2076, __func__), ossl_statem_fatal)((s), (80), (102), ((void
*)0));
2077 goto err;
2078 }
2079
2080 EVP_PKEY_CTX_free(pctx);
2081 pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, peer_tmp, s->ctx->propq);
2082 if (pctx == NULL((void*)0)
2083 /*
2084 * EVP_PKEY_param_check() will verify that the DH params are using
2085 * a safe prime. In this context, because we're using ephemeral DH,
2086 * we're ok with it not being a safe prime.
2087 * EVP_PKEY_param_check_quick() skips the safe prime check.
2088 */
2089 || EVP_PKEY_param_check_quick(pctx) != 1
2090 || EVP_PKEY_public_check(pctx) != 1) {
2091 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_DH_VALUE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2091, __func__), ossl_statem_fatal)((s), (47), (102), ((void
*)0));
2092 goto err;
2093 }
2094
2095 if (!ssl_security(s, SSL_SECOP_TMP_DH(7 | (4 << 16)),
2096 EVP_PKEY_get_security_bits(peer_tmp),
2097 0, peer_tmp)) {
2098 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2098, __func__), ossl_statem_fatal)((s), (40), (394), ((void
*)0));
2099 goto err;
2100 }
2101
2102 s->s3.peer_tmp = peer_tmp;
2103 peer_tmp = NULL((void*)0);
2104
2105 /*
2106 * FIXME: This makes assumptions about which ciphersuites come with
2107 * public keys. We should have a less ad-hoc way of doing this
2108 */
2109 if (s->s3.tmp.new_cipher->algorithm_auth & (SSL_aRSA0x00000001U | SSL_aDSS0x00000002U))
2110 *pkey = X509_get0_pubkey(s->session->peer);
2111 /* else anonymous DH, so no certificate or pkey. */
2112
2113 ret = 1;
2114
2115 err:
2116 OSSL_PARAM_BLD_free(tmpl);
2117 OSSL_PARAM_free(params);
2118 EVP_PKEY_free(peer_tmp);
2119 EVP_PKEY_CTX_free(pctx);
2120 BN_free(p);
2121 BN_free(g);
2122 BN_free(bnpub_key);
2123
2124 return ret;
2125}
2126
2127static int tls_process_ske_ecdhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey)
2128{
2129 PACKET encoded_pt;
2130 unsigned int curve_type, curve_id;
2131
2132 /*
2133 * Extract elliptic curve parameters and the server's ephemeral ECDH
2134 * public key. We only support named (not generic) curves and
2135 * ECParameters in this case is just three bytes.
2136 */
2137 if (!PACKET_get_1(pkt, &curve_type) || !PACKET_get_net_2(pkt, &curve_id)) {
2138 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2138, __func__), ossl_statem_fatal)((s), (50), (160), ((void
*)0));
2139 return 0;
2140 }
2141 /*
2142 * Check curve is named curve type and one of our preferences, if not
2143 * server has sent an invalid curve.
2144 */
2145 if (curve_type != NAMED_CURVE_TYPE3
2146 || !tls1_check_group_id(s, curve_id, 1)) {
2147 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_WRONG_CURVE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2147, __func__), ossl_statem_fatal)((s), (47), (378), ((void
*)0));
2148 return 0;
2149 }
2150
2151 if ((s->s3.peer_tmp = ssl_generate_param_group(s, curve_id)) == NULL((void*)0)) {
2152 SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2153, __func__), ossl_statem_fatal)((s), (80), (314), ((void
*)0))
2153 SSL_R_UNABLE_TO_FIND_ECDH_PARAMETERS)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2153, __func__), ossl_statem_fatal)((s), (80), (314), ((void
*)0));
2154 return 0;
2155 }
2156
2157 if (!PACKET_get_length_prefixed_1(pkt, &encoded_pt)) {
2158 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2158, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2159 return 0;
2160 }
2161
2162 if (EVP_PKEY_set1_encoded_public_key(s->s3.peer_tmp,
2163 PACKET_data(&encoded_pt),
2164 PACKET_remaining(&encoded_pt)) <= 0) {
2165 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_ECPOINT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2165, __func__), ossl_statem_fatal)((s), (47), (306), ((void
*)0));
2166 return 0;
2167 }
2168
2169 /*
2170 * The ECC/TLS specification does not mention the use of DSA to sign
2171 * ECParameters in the server key exchange message. We do support RSA
2172 * and ECDSA.
2173 */
2174 if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aECDSA0x00000008U)
2175 *pkey = X509_get0_pubkey(s->session->peer);
2176 else if (s->s3.tmp.new_cipher->algorithm_auth & SSL_aRSA0x00000001U)
2177 *pkey = X509_get0_pubkey(s->session->peer);
2178 /* else anonymous ECDH, so no certificate or pkey. */
2179
2180 /* Cache the agreed upon group in the SSL_SESSION */
2181 s->session->kex_group = curve_id;
2182 return 1;
2183}
2184
2185MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
2186{
2187 long alg_k;
2188 EVP_PKEY *pkey = NULL((void*)0);
2189 EVP_MD_CTX *md_ctx = NULL((void*)0);
2190 EVP_PKEY_CTX *pctx = NULL((void*)0);
2191 PACKET save_param_start, signature;
2192
2193 alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
2194
2195 save_param_start = *pkt;
2196
2197 EVP_PKEY_free(s->s3.peer_tmp);
2198 s->s3.peer_tmp = NULL((void*)0);
2199
2200 if (alg_k & SSL_PSK(0x00000008U | 0x00000040U | 0x00000080U | 0x00000100U)) {
2201 if (!tls_process_ske_psk_preamble(s, pkt)) {
2202 /* SSLfatal() already called */
2203 goto err;
2204 }
2205 }
2206
2207 /* Nothing else to do for plain PSK or RSAPSK */
2208 if (alg_k & (SSL_kPSK0x00000008U | SSL_kRSAPSK0x00000040U)) {
2209 } else if (alg_k & SSL_kSRP0x00000020U) {
2210 if (!tls_process_ske_srp(s, pkt, &pkey)) {
2211 /* SSLfatal() already called */
2212 goto err;
2213 }
2214 } else if (alg_k & (SSL_kDHE0x00000002U | SSL_kDHEPSK0x00000100U)) {
2215 if (!tls_process_ske_dhe(s, pkt, &pkey)) {
2216 /* SSLfatal() already called */
2217 goto err;
2218 }
2219 } else if (alg_k & (SSL_kECDHE0x00000004U | SSL_kECDHEPSK0x00000080U)) {
2220 if (!tls_process_ske_ecdhe(s, pkt, &pkey)) {
2221 /* SSLfatal() already called */
2222 goto err;
2223 }
2224 } else if (alg_k) {
2225 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2225, __func__), ossl_statem_fatal)((s), (10), (244), ((void
*)0));
2226 goto err;
2227 }
2228
2229 /* if it was signed, check the signature */
2230 if (pkey != NULL((void*)0)) {
2231 PACKET params;
2232 const EVP_MD *md = NULL((void*)0);
2233 unsigned char *tbs;
2234 size_t tbslen;
2235 int rv;
2236
2237 /*
2238 * |pkt| now points to the beginning of the signature, so the difference
2239 * equals the length of the parameters.
2240 */
2241 if (!PACKET_get_sub_packet(&save_param_start, &params,
2242 PACKET_remaining(&save_param_start) -
2243 PACKET_remaining(pkt))) {
2244 SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2244, __func__), ossl_statem_fatal)((s), (50), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2245 goto err;
2246 }
2247
2248 if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2)) {
2249 unsigned int sigalg;
2250
2251 if (!PACKET_get_net_2(pkt, &sigalg)) {
2252 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_TOO_SHORT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2252, __func__), ossl_statem_fatal)((s), (50), (160), ((void
*)0));
2253 goto err;
2254 }
2255 if (tls12_check_peer_sigalg(s, sigalg, pkey) <=0) {
2256 /* SSLfatal() already called */
2257 goto err;
2258 }
2259 } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
2260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2260, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2261 goto err;
2262 }
2263
2264 if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
2265 SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2266, __func__), ossl_statem_fatal)((s), (80), (297), ((void
*)0))
2266 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2266, __func__), ossl_statem_fatal)((s), (80), (297), ((void
*)0));
2267 goto err;
2268 }
2269 if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2))
2270 OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",((void)0)
2271 md == NULL ? "n/a" : EVP_MD_get0_name(md))((void)0);
2272
2273 if (!PACKET_get_length_prefixed_2(pkt, &signature)
2274 || PACKET_remaining(pkt) != 0) {
2275 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2275, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2276 goto err;
2277 }
2278
2279 md_ctx = EVP_MD_CTX_new();
2280 if (md_ctx == NULL((void*)0)) {
2281 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2281, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2282 goto err;
2283 }
2284
2285 if (EVP_DigestVerifyInit_ex(md_ctx, &pctx,
2286 md == NULL((void*)0) ? NULL((void*)0) : EVP_MD_get0_name(md),
2287 s->ctx->libctx, s->ctx->propq, pkey,
2288 NULL((void*)0)) <= 0) {
2289 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2289, __func__), ossl_statem_fatal)((s), (80), ((6 | (0x2 <<
18L))), ((void*)0));
2290 goto err;
2291 }
2292 if (SSL_USE_PSS(s)(s->s3.tmp.peer_sigalg != ((void*)0) && s->s3.tmp
.peer_sigalg->sig == 912)) {
2293 if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING6) <= 0
2294 || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
2295 RSA_PSS_SALTLEN_DIGEST-1) <= 0) {
2296 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2296, __func__), ossl_statem_fatal)((s), (80), ((6 | (0x2 <<
18L))), ((void*)0));
2297 goto err;
2298 }
2299 }
2300 tbslen = construct_key_exchange_tbs(s, &tbs, PACKET_data(&params),
2301 PACKET_remaining(&params));
2302 if (tbslen == 0) {
2303 /* SSLfatal() already called */
2304 goto err;
2305 }
2306
2307 rv = EVP_DigestVerify(md_ctx, PACKET_data(&signature),
2308 PACKET_remaining(&signature), tbs, tbslen);
2309 OPENSSL_free(tbs)CRYPTO_free(tbs, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2309);
2310 if (rv <= 0) {
2311 SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2311, __func__), ossl_statem_fatal)((s), (51), (123), ((void
*)0));
2312 goto err;
2313 }
2314 EVP_MD_CTX_free(md_ctx);
2315 md_ctx = NULL((void*)0);
2316 } else {
2317 /* aNULL, aSRP or PSK do not need public keys */
2318 if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL0x00000004U | SSL_aSRP0x00000040U))
2319 && !(alg_k & SSL_PSK(0x00000008U | 0x00000040U | 0x00000080U | 0x00000100U))) {
2320 /* Might be wrong key type, check it */
2321 if (ssl3_check_cert_and_algorithm(s)) {
2322 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DATA)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2322, __func__), ossl_statem_fatal)((s), (50), (390), ((void
*)0));
2323 }
2324 /* else this shouldn't happen, SSLfatal() already called */
2325 goto err;
2326 }
2327 /* still data left over */
2328 if (PACKET_remaining(pkt) != 0) {
2329 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_EXTRA_DATA_IN_MESSAGE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2329, __func__), ossl_statem_fatal)((s), (50), (153), ((void
*)0));
2330 goto err;
2331 }
2332 }
2333
2334 return MSG_PROCESS_CONTINUE_READING;
2335 err:
2336 EVP_MD_CTX_free(md_ctx);
2337 return MSG_PROCESS_ERROR;
2338}
2339
2340MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
2341{
2342 size_t i;
2343
2344 /* Clear certificate validity flags */
2345 for (i = 0; i < SSL_PKEY_NUM9; i++)
2346 s->s3.tmp.valid_flags[i] = 0;
2347
2348 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
2349 PACKET reqctx, extensions;
2350 RAW_EXTENSION *rawexts = NULL((void*)0);
2351
2352 if ((s->shutdown & SSL_SENT_SHUTDOWN1) != 0) {
2353 /*
2354 * We already sent close_notify. This can only happen in TLSv1.3
2355 * post-handshake messages. We can't reasonably respond to this, so
2356 * we just ignore it
2357 */
2358 return MSG_PROCESS_FINISHED_READING;
2359 }
2360
2361 /* Free and zero certificate types: it is not present in TLS 1.3 */
2362 OPENSSL_free(s->s3.tmp.ctype)CRYPTO_free(s->s3.tmp.ctype, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2362);
2363 s->s3.tmp.ctype = NULL((void*)0);
2364 s->s3.tmp.ctype_len = 0;
2365 OPENSSL_free(s->pha_context)CRYPTO_free(s->pha_context, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2365);
2366 s->pha_context = NULL((void*)0);
2367 s->pha_context_len = 0;
2368
2369 if (!PACKET_get_length_prefixed_1(pkt, &reqctx) ||
2370 !PACKET_memdup(&reqctx, &s->pha_context, &s->pha_context_len)) {
2371 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2371, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2372 return MSG_PROCESS_ERROR;
2373 }
2374
2375 if (!PACKET_get_length_prefixed_2(pkt, &extensions)) {
2376 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2376, __func__), ossl_statem_fatal)((s), (50), (271), ((void
*)0));
2377 return MSG_PROCESS_ERROR;
2378 }
2379 if (!tls_collect_extensions(s, &extensions,
2380 SSL_EXT_TLS1_3_CERTIFICATE_REQUEST0x4000,
2381 &rawexts, NULL((void*)0), 1)
2382 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE_REQUEST0x4000,
2383 rawexts, NULL((void*)0), 0, 1)) {
2384 /* SSLfatal() already called */
2385 OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2385);
2386 return MSG_PROCESS_ERROR;
2387 }
2388 OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2388);
2389 if (!tls1_process_sigalgs(s)) {
2390 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_LENGTH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2390, __func__), ossl_statem_fatal)((s), (80), (271), ((void
*)0));
2391 return MSG_PROCESS_ERROR;
2392 }
2393 } else {
2394 PACKET ctypes;
2395
2396 /* get the certificate types */
2397 if (!PACKET_get_length_prefixed_1(pkt, &ctypes)) {
2398 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2398, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2399 return MSG_PROCESS_ERROR;
2400 }
2401
2402 if (!PACKET_memdup(&ctypes, &s->s3.tmp.ctype, &s->s3.tmp.ctype_len)) {
2403 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2403, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2404 return MSG_PROCESS_ERROR;
2405 }
2406
2407 if (SSL_USE_SIGALGS(s)(s->method->ssl3_enc->enc_flags & 0x2)) {
2408 PACKET sigalgs;
2409
2410 if (!PACKET_get_length_prefixed_2(pkt, &sigalgs)) {
2411 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2411, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2412 return MSG_PROCESS_ERROR;
2413 }
2414
2415 /*
2416 * Despite this being for certificates, preserve compatibility
2417 * with pre-TLS 1.3 and use the regular sigalgs field.
2418 */
2419 if (!tls1_save_sigalgs(s, &sigalgs, 0)) {
2420 SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2421, __func__), ossl_statem_fatal)((s), (80), (360), ((void
*)0))
2421 SSL_R_SIGNATURE_ALGORITHMS_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2421, __func__), ossl_statem_fatal)((s), (80), (360), ((void
*)0));
2422 return MSG_PROCESS_ERROR;
2423 }
2424 if (!tls1_process_sigalgs(s)) {
2425 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2425, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2426 return MSG_PROCESS_ERROR;
2427 }
2428 }
2429
2430 /* get the CA RDNs */
2431 if (!parse_ca_names(s, pkt)) {
2432 /* SSLfatal() already called */
2433 return MSG_PROCESS_ERROR;
2434 }
2435 }
2436
2437 if (PACKET_remaining(pkt) != 0) {
2438 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2438, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2439 return MSG_PROCESS_ERROR;
2440 }
2441
2442 /* we should setup a certificate to return.... */
2443 s->s3.tmp.cert_req = 1;
2444
2445 /*
2446 * In TLSv1.3 we don't prepare the client certificate yet. We wait until
2447 * after the CertificateVerify message has been received. This is because
2448 * in TLSv1.3 the CertificateRequest arrives before the Certificate message
2449 * but in TLSv1.2 it is the other way around. We want to make sure that
2450 * SSL_get1_peer_certificate() returns something sensible in
2451 * client_cert_cb.
2452 */
2453 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) && s->post_handshake_auth != SSL_PHA_REQUESTED)
2454 return MSG_PROCESS_CONTINUE_READING;
2455
2456 return MSG_PROCESS_CONTINUE_PROCESSING;
2457}
2458
2459MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
2460{
2461 unsigned int ticklen;
2462 unsigned long ticket_lifetime_hint, age_add = 0;
2463 unsigned int sess_len;
2464 RAW_EXTENSION *exts = NULL((void*)0);
2465 PACKET nonce;
2466 EVP_MD *sha256 = NULL((void*)0);
2467
2468 PACKET_null_init(&nonce);
2469
2470 if (!PACKET_get_net_4(pkt, &ticket_lifetime_hint)
2471 || (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)
2472 && (!PACKET_get_net_4(pkt, &age_add)
2473 || !PACKET_get_length_prefixed_1(pkt, &nonce)))
2474 || !PACKET_get_net_2(pkt, &ticklen)
2475 || (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) ? (ticklen == 0 || PACKET_remaining(pkt) < ticklen)
2476 : PACKET_remaining(pkt) != ticklen)) {
2477 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2477, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2478 goto err;
2479 }
2480
2481 /*
2482 * Server is allowed to change its mind (in <=TLSv1.2) and send an empty
2483 * ticket. We already checked this TLSv1.3 case above, so it should never
2484 * be 0 here in that instance
2485 */
2486 if (ticklen == 0)
2487 return MSG_PROCESS_CONTINUE_READING;
2488
2489 /*
2490 * Sessions must be immutable once they go into the session cache. Otherwise
2491 * we can get multi-thread problems. Therefore we don't "update" sessions,
2492 * we replace them with a duplicate. In TLSv1.3 we need to do this every
2493 * time a NewSessionTicket arrives because those messages arrive
2494 * post-handshake and the session may have already gone into the session
2495 * cache.
2496 */
2497 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000) || s->session->session_id_length > 0) {
2498 SSL_SESSION *new_sess;
2499
2500 /*
2501 * We reused an existing session, so we need to replace it with a new
2502 * one
2503 */
2504 if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
2505 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2505, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2506 goto err;
2507 }
2508
2509 if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT0x0001) != 0
2510 && !SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
2511 /*
2512 * In TLSv1.2 and below the arrival of a new tickets signals that
2513 * any old ticket we were using is now out of date, so we remove the
2514 * old session from the cache. We carry on if this fails
2515 */
2516 SSL_CTX_remove_session(s->session_ctx, s->session);
2517 }
2518
2519 SSL_SESSION_free(s->session);
2520 s->session = new_sess;
2521 }
2522
2523 s->session->time = time(NULL((void*)0));
2524 ssl_session_calculate_timeout(s->session);
2525
2526 OPENSSL_free(s->session->ext.tick)CRYPTO_free(s->session->ext.tick, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2526);
2527 s->session->ext.tick = NULL((void*)0);
2528 s->session->ext.ticklen = 0;
2529
2530 s->session->ext.tick = OPENSSL_malloc(ticklen)CRYPTO_malloc(ticklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2530);
2531 if (s->session->ext.tick == NULL((void*)0)) {
2532 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2532, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2533 goto err;
2534 }
2535 if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
2536 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2536, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2537 goto err;
2538 }
2539
2540 s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
2541 s->session->ext.tick_age_add = age_add;
2542 s->session->ext.ticklen = ticklen;
2543
2544 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
2545 PACKET extpkt;
2546
2547 if (!PACKET_as_length_prefixed_2(pkt, &extpkt)
2548 || PACKET_remaining(pkt) != 0) {
2549 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2549, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2550 goto err;
2551 }
2552
2553 if (!tls_collect_extensions(s, &extpkt,
2554 SSL_EXT_TLS1_3_NEW_SESSION_TICKET0x2000, &exts,
2555 NULL((void*)0), 1)
2556 || !tls_parse_all_extensions(s,
2557 SSL_EXT_TLS1_3_NEW_SESSION_TICKET0x2000,
2558 exts, NULL((void*)0), 0, 1)) {
2559 /* SSLfatal() already called */
2560 goto err;
2561 }
2562 }
2563
2564 /*
2565 * There are two ways to detect a resumed ticket session. One is to set
2566 * an appropriate session ID and then the server must return a match in
2567 * ServerHello. This allows the normal client session ID matching to work
2568 * and we know much earlier that the ticket has been accepted. The
2569 * other way is to set zero length session ID when the ticket is
2570 * presented and rely on the handshake to determine session resumption.
2571 * We choose the former approach because this fits in with assumptions
2572 * elsewhere in OpenSSL. The session ID is set to the SHA256 hash of the
2573 * ticket.
2574 */
2575 sha256 = EVP_MD_fetch(s->ctx->libctx, "SHA2-256", s->ctx->propq);
2576 if (sha256 == NULL((void*)0)) {
2577 /* Error is already recorded */
2578 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR)ossl_statem_send_fatal((s), (80));
2579 goto err;
2580 }
2581 /*
2582 * We use sess_len here because EVP_Digest expects an int
2583 * but s->session->session_id_length is a size_t
2584 */
2585 if (!EVP_Digest(s->session->ext.tick, ticklen,
2586 s->session->session_id, &sess_len,
2587 sha256, NULL((void*)0))) {
2588 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2588, __func__), ossl_statem_fatal)((s), (80), ((6 | (0x2 <<
18L))), ((void*)0));
2589 goto err;
2590 }
2591 EVP_MD_free(sha256);
2592 sha256 = NULL((void*)0);
2593 s->session->session_id_length = sess_len;
2594 s->session->not_resumable = 0;
2595
2596 /* This is a standalone message in TLSv1.3, so there is no more to read */
2597 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
2598 const EVP_MD *md = ssl_handshake_md(s);
2599 int hashleni = EVP_MD_get_size(md);
2600 size_t hashlen;
2601 static const unsigned char nonce_label[] = "resumption";
2602
2603 /* Ensure cast to size_t is safe */
2604 if (!ossl_assert(hashleni >= 0)((hashleni >= 0) != 0)) {
2605 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2605, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2606 goto err;
2607 }
2608 hashlen = (size_t)hashleni;
2609
2610 if (!tls13_hkdf_expand(s, md, s->resumption_master_secret,
2611 nonce_label,
2612 sizeof(nonce_label) - 1,
2613 PACKET_data(&nonce),
2614 PACKET_remaining(&nonce),
2615 s->session->master_key,
2616 hashlen, 1)) {
2617 /* SSLfatal() already called */
2618 goto err;
2619 }
2620 s->session->master_key_length = hashlen;
2621
2622 OPENSSL_free(exts)CRYPTO_free(exts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2622);
2623 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT0x0001);
2624 return MSG_PROCESS_FINISHED_READING;
2625 }
2626
2627 return MSG_PROCESS_CONTINUE_READING;
2628 err:
2629 EVP_MD_free(sha256);
2630 OPENSSL_free(exts)CRYPTO_free(exts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2630);
2631 return MSG_PROCESS_ERROR;
2632}
2633
2634/*
2635 * In TLSv1.3 this is called from the extensions code, otherwise it is used to
2636 * parse a separate message. Returns 1 on success or 0 on failure
2637 */
2638int tls_process_cert_status_body(SSL *s, PACKET *pkt)
2639{
2640 size_t resplen;
2641 unsigned int type;
2642
2643 if (!PACKET_get_1(pkt, &type)
2644 || type != TLSEXT_STATUSTYPE_ocsp1) {
2645 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_UNSUPPORTED_STATUS_TYPE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2645, __func__), ossl_statem_fatal)((s), (50), (329), ((void
*)0));
2646 return 0;
2647 }
2648 if (!PACKET_get_net_3_len(pkt, &resplen)
2649 || PACKET_remaining(pkt) != resplen) {
2650 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2650, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2651 return 0;
2652 }
2653 s->ext.ocsp.resp = OPENSSL_malloc(resplen)CRYPTO_malloc(resplen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2653);
2654 if (s->ext.ocsp.resp == NULL((void*)0)) {
2655 s->ext.ocsp.resp_len = 0;
2656 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2656, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2657 return 0;
2658 }
2659 s->ext.ocsp.resp_len = resplen;
2660 if (!PACKET_copy_bytes(pkt, s->ext.ocsp.resp, resplen)) {
2661 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2661, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2662 return 0;
2663 }
2664
2665 return 1;
2666}
2667
2668
2669MSG_PROCESS_RETURN tls_process_cert_status(SSL *s, PACKET *pkt)
2670{
2671 if (!tls_process_cert_status_body(s, pkt)) {
2672 /* SSLfatal() already called */
2673 return MSG_PROCESS_ERROR;
2674 }
2675
2676 return MSG_PROCESS_CONTINUE_READING;
2677}
2678
2679/*
2680 * Perform miscellaneous checks and processing after we have received the
2681 * server's initial flight. In TLS1.3 this is after the Server Finished message.
2682 * In <=TLS1.2 this is after the ServerDone message. Returns 1 on success or 0
2683 * on failure.
2684 */
2685int tls_process_initial_server_flight(SSL *s)
2686{
2687 /*
2688 * at this point we check that we have the required stuff from
2689 * the server
2690 */
2691 if (!ssl3_check_cert_and_algorithm(s)) {
2692 /* SSLfatal() already called */
2693 return 0;
2694 }
2695
2696 /*
2697 * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
2698 * |ext.ocsp.resp_len| values will be set if we actually received a status
2699 * message, or NULL and -1 otherwise
2700 */
2701 if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing-1
2702 && s->ctx->ext.status_cb != NULL((void*)0)) {
2703 int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
2704
2705 if (ret == 0) {
2706 SSLfatal(s, SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2707, __func__), ossl_statem_fatal)((s), (113), (328), ((void
*)0))
2707 SSL_R_INVALID_STATUS_RESPONSE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2707, __func__), ossl_statem_fatal)((s), (113), (328), ((void
*)0));
2708 return 0;
2709 }
2710 if (ret < 0) {
2711 SSLfatal(s, SSL_AD_INTERNAL_ERROR,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2712, __func__), ossl_statem_fatal)((s), (80), (305), ((void
*)0))
2712 SSL_R_OCSP_CALLBACK_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2712, __func__), ossl_statem_fatal)((s), (80), (305), ((void
*)0));
2713 return 0;
2714 }
2715 }
2716#ifndef OPENSSL_NO_CT
2717 if (s->ct_validation_callback != NULL((void*)0)) {
2718 /* Note we validate the SCTs whether or not we abort on error */
2719 if (!ssl_validate_ct(s) && (s->verify_mode & SSL_VERIFY_PEER0x01)) {
2720 /* SSLfatal() already called */
2721 return 0;
2722 }
2723 }
2724#endif
2725
2726 return 1;
2727}
2728
2729MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
2730{
2731 if (PACKET_remaining(pkt) > 0) {
2732 /* should contain no data */
2733 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2733, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
2734 return MSG_PROCESS_ERROR;
2735 }
2736#ifndef OPENSSL_NO_SRP
2737 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP0x00000020U) {
2738 if (ssl_srp_calc_a_param_intern(s) <= 0) {
2739 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_SRP_A_CALC)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2739, __func__), ossl_statem_fatal)((s), (80), (361), ((void
*)0));
2740 return MSG_PROCESS_ERROR;
2741 }
2742 }
2743#endif
2744
2745 if (!tls_process_initial_server_flight(s)) {
2746 /* SSLfatal() already called */
2747 return MSG_PROCESS_ERROR;
2748 }
2749
2750 return MSG_PROCESS_FINISHED_READING;
2751}
2752
2753static int tls_construct_cke_psk_preamble(SSL *s, WPACKET *pkt)
2754{
2755#ifndef OPENSSL_NO_PSK
2756 int ret = 0;
2757 /*
2758 * The callback needs PSK_MAX_IDENTITY_LEN + 1 bytes to return a
2759 * \0-terminated identity. The last byte is for us for simulating
2760 * strnlen.
2761 */
2762 char identity[PSK_MAX_IDENTITY_LEN256 + 1];
2763 size_t identitylen = 0;
2764 unsigned char psk[PSK_MAX_PSK_LEN512];
2765 unsigned char *tmppsk = NULL((void*)0);
2766 char *tmpidentity = NULL((void*)0);
2767 size_t psklen = 0;
2768
2769 if (s->psk_client_callback == NULL((void*)0)) {
2770 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_PSK_NO_CLIENT_CB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2770, __func__), ossl_statem_fatal)((s), (80), (224), ((void
*)0));
2771 goto err;
2772 }
2773
2774 memset(identity, 0, sizeof(identity));
2775
2776 psklen = s->psk_client_callback(s, s->session->psk_identity_hint,
2777 identity, sizeof(identity) - 1,
2778 psk, sizeof(psk));
2779
2780 if (psklen > PSK_MAX_PSK_LEN512) {
2781 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2781, __func__), ossl_statem_fatal)((s), (40), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2782 psklen = PSK_MAX_PSK_LEN512; /* Avoid overrunning the array on cleanse */
2783 goto err;
2784 } else if (psklen == 0) {
2785 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_PSK_IDENTITY_NOT_FOUND)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2785, __func__), ossl_statem_fatal)((s), (40), (223), ((void
*)0));
2786 goto err;
2787 }
2788
2789 identitylen = strlen(identity);
2790 if (identitylen > PSK_MAX_IDENTITY_LEN256) {
2791 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2791, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2792 goto err;
2793 }
2794
2795 tmppsk = OPENSSL_memdup(psk, psklen)CRYPTO_memdup((psk), psklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2795);
2796 tmpidentity = OPENSSL_strdup(identity)CRYPTO_strdup(identity, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2796);
2797 if (tmppsk == NULL((void*)0) || tmpidentity == NULL((void*)0)) {
2798 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2798, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2799 goto err;
2800 }
2801
2802 OPENSSL_free(s->s3.tmp.psk)CRYPTO_free(s->s3.tmp.psk, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2802);
2803 s->s3.tmp.psk = tmppsk;
2804 s->s3.tmp.psklen = psklen;
2805 tmppsk = NULL((void*)0);
2806 OPENSSL_free(s->session->psk_identity)CRYPTO_free(s->session->psk_identity, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2806);
2807 s->session->psk_identity = tmpidentity;
2808 tmpidentity = NULL((void*)0);
2809
2810 if (!WPACKET_sub_memcpy_u16(pkt, identity, identitylen)WPACKET_sub_memcpy__((pkt), (identity), (identitylen), 2)) {
2811 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2811, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2812 goto err;
2813 }
2814
2815 ret = 1;
2816
2817 err:
2818 OPENSSL_cleanse(psk, psklen);
2819 OPENSSL_cleanse(identity, sizeof(identity));
2820 OPENSSL_clear_free(tmppsk, psklen)CRYPTO_clear_free(tmppsk, psklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2820);
2821 OPENSSL_clear_free(tmpidentity, identitylen)CRYPTO_clear_free(tmpidentity, identitylen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2821);
2822
2823 return ret;
2824#else
2825 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2825, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2826 return 0;
2827#endif
2828}
2829
2830static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
2831{
2832 unsigned char *encdata = NULL((void*)0);
2833 EVP_PKEY *pkey = NULL((void*)0);
2834 EVP_PKEY_CTX *pctx = NULL((void*)0);
2835 size_t enclen;
2836 unsigned char *pms = NULL((void*)0);
2837 size_t pmslen = 0;
2838
2839 if (s->session->peer == NULL((void*)0)) {
2840 /*
2841 * We should always have a server certificate with SSL_kRSA.
2842 */
2843 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2843, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2844 return 0;
2845 }
2846
2847 pkey = X509_get0_pubkey(s->session->peer);
2848 if (!EVP_PKEY_is_a(pkey, "RSA")) {
2849 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2849, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2850 return 0;
2851 }
2852
2853 pmslen = SSL_MAX_MASTER_KEY_LENGTH48;
2854 pms = OPENSSL_malloc(pmslen)CRYPTO_malloc(pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2854);
2855 if (pms == NULL((void*)0)) {
2856 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2856, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2857 return 0;
2858 }
2859
2860 pms[0] = s->client_version >> 8;
2861 pms[1] = s->client_version & 0xff;
2862 if (RAND_bytes_ex(s->ctx->libctx, pms + 2, pmslen - 2, 0) <= 0) {
2863 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2863, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2864 goto err;
2865 }
2866
2867 /* Fix buf for TLS and beyond */
2868 if (s->version > SSL3_VERSION0x0300 && !WPACKET_start_sub_packet_u16(pkt)WPACKET_start_sub_packet_len__((pkt), 2)) {
2869 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2869, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2870 goto err;
2871 }
2872
2873 pctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx, pkey, s->ctx->propq);
2874 if (pctx == NULL((void*)0) || EVP_PKEY_encrypt_init(pctx) <= 0
2875 || EVP_PKEY_encrypt(pctx, NULL((void*)0), &enclen, pms, pmslen) <= 0) {
2876 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2876, __func__), ossl_statem_fatal)((s), (80), ((6 | (0x2 <<
18L))), ((void*)0));
2877 goto err;
2878 }
2879 if (!WPACKET_allocate_bytes(pkt, enclen, &encdata)
2880 || EVP_PKEY_encrypt(pctx, encdata, &enclen, pms, pmslen) <= 0) {
2881 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_RSA_ENCRYPT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2881, __func__), ossl_statem_fatal)((s), (80), (119), ((void
*)0));
2882 goto err;
2883 }
2884 EVP_PKEY_CTX_free(pctx);
2885 pctx = NULL((void*)0);
2886
2887 /* Fix buf for TLS and beyond */
2888 if (s->version > SSL3_VERSION0x0300 && !WPACKET_close(pkt)) {
2889 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2889, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2890 goto err;
2891 }
2892
2893 /* Log the premaster secret, if logging is enabled. */
2894 if (!ssl_log_rsa_client_key_exchange(s, encdata, enclen, pms, pmslen)) {
2895 /* SSLfatal() already called */
2896 goto err;
2897 }
2898
2899 s->s3.tmp.pms = pms;
2900 s->s3.tmp.pmslen = pmslen;
2901
2902 return 1;
2903 err:
2904 OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2904);
2905 EVP_PKEY_CTX_free(pctx);
2906
2907 return 0;
2908}
2909
2910static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt)
2911{
2912 EVP_PKEY *ckey = NULL((void*)0), *skey = NULL((void*)0);
2913 unsigned char *keybytes = NULL((void*)0);
2914 int prime_len;
2915 unsigned char *encoded_pub = NULL((void*)0);
2916 size_t encoded_pub_len, pad_len;
2917 int ret = 0;
2918
2919 skey = s->s3.peer_tmp;
2920 if (skey == NULL((void*)0)) {
2921 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2921, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2922 goto err;
2923 }
2924
2925 ckey = ssl_generate_pkey(s, skey);
2926 if (ckey == NULL((void*)0)) {
2927 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2927, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2928 goto err;
2929 }
2930
2931 if (ssl_derive(s, ckey, skey, 0) == 0) {
2932 /* SSLfatal() already called */
2933 goto err;
2934 }
2935
2936 /* send off the data */
2937
2938 /* Generate encoding of server key */
2939 encoded_pub_len = EVP_PKEY_get1_encoded_public_key(ckey, &encoded_pub);
2940 if (encoded_pub_len == 0) {
2941 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2941, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2942 EVP_PKEY_free(ckey);
2943 return EXT_RETURN_FAIL;
2944 }
2945
2946 /*
2947 * For interoperability with some versions of the Microsoft TLS
2948 * stack, we need to zero pad the DHE pub key to the same length
2949 * as the prime.
2950 */
2951 prime_len = EVP_PKEY_get_size(ckey);
2952 pad_len = prime_len - encoded_pub_len;
2953 if (pad_len > 0) {
2954 if (!WPACKET_sub_allocate_bytes_u16(pkt, pad_len, &keybytes)WPACKET_sub_allocate_bytes__((pkt), (pad_len), (&keybytes
), 2)) {
2955 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2955, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2956 goto err;
2957 }
2958 memset(keybytes, 0, pad_len);
2959 }
2960
2961 if (!WPACKET_sub_memcpy_u16(pkt, encoded_pub, encoded_pub_len)WPACKET_sub_memcpy__((pkt), (encoded_pub), (encoded_pub_len),
2)) {
2962 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2962, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2963 goto err;
2964 }
2965
2966 ret = 1;
2967 err:
2968 OPENSSL_free(encoded_pub)CRYPTO_free(encoded_pub, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2968);
2969 EVP_PKEY_free(ckey);
2970 return ret;
2971}
2972
2973static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt)
2974{
2975 unsigned char *encodedPoint = NULL((void*)0);
2976 size_t encoded_pt_len = 0;
2977 EVP_PKEY *ckey = NULL((void*)0), *skey = NULL((void*)0);
2978 int ret = 0;
2979
2980 skey = s->s3.peer_tmp;
2981 if (skey == NULL((void*)0)) {
2982 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2982, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2983 return 0;
2984 }
2985
2986 ckey = ssl_generate_pkey(s, skey);
2987 if (ckey == NULL((void*)0)) {
2988 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 2988, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
2989 goto err;
2990 }
2991
2992 if (ssl_derive(s, ckey, skey, 0) == 0) {
2993 /* SSLfatal() already called */
2994 goto err;
2995 }
2996
2997 /* Generate encoding of client key */
2998 encoded_pt_len = EVP_PKEY_get1_encoded_public_key(ckey, &encodedPoint);
2999
3000 if (encoded_pt_len == 0) {
3001 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3001, __func__), ossl_statem_fatal)((s), (80), ((16 | (0x2 <<
18L))), ((void*)0));
3002 goto err;
3003 }
3004
3005 if (!WPACKET_sub_memcpy_u8(pkt, encodedPoint, encoded_pt_len)WPACKET_sub_memcpy__((pkt), (encodedPoint), (encoded_pt_len),
1)) {
3006 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3006, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3007 goto err;
3008 }
3009
3010 ret = 1;
3011 err:
3012 OPENSSL_free(encodedPoint)CRYPTO_free(encodedPoint, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3012);
3013 EVP_PKEY_free(ckey);
3014 return ret;
3015}
3016
3017static int tls_construct_cke_gost(SSL *s, WPACKET *pkt)
3018{
3019#ifndef OPENSSL_NO_GOST
3020 /* GOST key exchange message creation */
3021 EVP_PKEY_CTX *pkey_ctx = NULL((void*)0);
3022 X509 *peer_cert;
3023 size_t msglen;
3024 unsigned int md_len;
3025 unsigned char shared_ukm[32], tmp[256];
3026 EVP_MD_CTX *ukm_hash = NULL((void*)0);
3027 int dgst_nid = NID_id_GostR3411_94809;
3028 unsigned char *pms = NULL((void*)0);
3029 size_t pmslen = 0;
3030
3031 if ((s->s3.tmp.new_cipher->algorithm_auth & SSL_aGOST120x00000080U) != 0)
3032 dgst_nid = NID_id_GostR3411_2012_256982;
3033
3034 /*
3035 * Get server certificate PKEY and create ctx from it
3036 */
3037 peer_cert = s->session->peer;
3038 if (peer_cert == NULL((void*)0)) {
3039 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3040, __func__), ossl_statem_fatal)((s), (40), (330), ((void
*)0))
3040 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3040, __func__), ossl_statem_fatal)((s), (40), (330), ((void
*)0));
3041 return 0;
3042 }
3043
3044 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
3045 X509_get0_pubkey(peer_cert),
3046 s->ctx->propq);
3047 if (pkey_ctx == NULL((void*)0)) {
3048 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3048, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3049 return 0;
3050 }
3051 /*
3052 * If we have send a certificate, and certificate key
3053 * parameters match those of server certificate, use
3054 * certificate key for key exchange
3055 */
3056
3057 /* Otherwise, generate ephemeral key pair */
3058 pmslen = 32;
3059 pms = OPENSSL_malloc(pmslen)CRYPTO_malloc(pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3059);
3060 if (pms == NULL((void*)0)) {
3061 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3061, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3062 goto err;
3063 }
3064
3065 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0
3066 /* Generate session key
3067 */
3068 || RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
3069 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3069, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3070 goto err;
3071 };
3072 /*
3073 * Compute shared IV and store it in algorithm-specific context
3074 * data
3075 */
3076 ukm_hash = EVP_MD_CTX_new();
3077 if (ukm_hash == NULL((void*)0)
3078 || EVP_DigestInit(ukm_hash, EVP_get_digestbynid(dgst_nid)EVP_get_digestbyname(OBJ_nid2sn(dgst_nid))) <= 0
3079 || EVP_DigestUpdate(ukm_hash, s->s3.client_random,
3080 SSL3_RANDOM_SIZE32) <= 0
3081 || EVP_DigestUpdate(ukm_hash, s->s3.server_random,
3082 SSL3_RANDOM_SIZE32) <= 0
3083 || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
3084 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3084, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3085 goto err;
3086 }
3087 EVP_MD_CTX_free(ukm_hash);
3088 ukm_hash = NULL((void*)0);
3089 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT(1<<9),
3090 EVP_PKEY_CTRL_SET_IV8, 8, shared_ukm) <= 0) {
3091 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3091, __func__), ossl_statem_fatal)((s), (80), (274), ((void
*)0));
3092 goto err;
3093 }
3094 /* Make GOST keytransport blob message */
3095 /*
3096 * Encapsulate it into sequence
3097 */
3098 msglen = 255;
3099 if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, pms, pmslen) <= 0) {
3100 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3100, __func__), ossl_statem_fatal)((s), (80), (274), ((void
*)0));
3101 goto err;
3102 }
3103
3104 if (!WPACKET_put_bytes_u8(pkt, V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED)WPACKET_put_bytes__((pkt), (16 | 0x20), 1)
3105 || (msglen >= 0x80 && !WPACKET_put_bytes_u8(pkt, 0x81)WPACKET_put_bytes__((pkt), (0x81), 1))
3106 || !WPACKET_sub_memcpy_u8(pkt, tmp, msglen)WPACKET_sub_memcpy__((pkt), (tmp), (msglen), 1)) {
3107 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3107, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3108 goto err;
3109 }
3110
3111 EVP_PKEY_CTX_free(pkey_ctx);
3112 s->s3.tmp.pms = pms;
3113 s->s3.tmp.pmslen = pmslen;
3114
3115 return 1;
3116 err:
3117 EVP_PKEY_CTX_free(pkey_ctx);
3118 OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3118);
3119 EVP_MD_CTX_free(ukm_hash);
3120 return 0;
3121#else
3122 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3122, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3123 return 0;
3124#endif
3125}
3126
3127#ifndef OPENSSL_NO_GOST
3128int ossl_gost18_cke_cipher_nid(const SSL *s)
3129{
3130 if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_MAGMA0x00400000U) != 0)
3131 return NID_magma_ctr1188;
3132 else if ((s->s3.tmp.new_cipher->algorithm_enc & SSL_KUZNYECHIK0x00800000U) != 0)
3133 return NID_kuznyechik_ctr1013;
3134
3135 return NID_undef0;
3136}
3137
3138int ossl_gost_ukm(const SSL *s, unsigned char *dgst_buf)
3139{
3140 EVP_MD_CTX * hash = NULL((void*)0);
3141 unsigned int md_len;
3142 const EVP_MD *md = ssl_evp_md_fetch(s->ctx->libctx, NID_id_GostR3411_2012_256982, s->ctx->propq);
3143
3144 if (md == NULL((void*)0))
3145 return 0;
3146
3147 if ((hash = EVP_MD_CTX_new()) == NULL((void*)0)
3148 || EVP_DigestInit(hash, md) <= 0
3149 || EVP_DigestUpdate(hash, s->s3.client_random, SSL3_RANDOM_SIZE32) <= 0
3150 || EVP_DigestUpdate(hash, s->s3.server_random, SSL3_RANDOM_SIZE32) <= 0
3151 || EVP_DigestFinal_ex(hash, dgst_buf, &md_len) <= 0) {
3152 EVP_MD_CTX_free(hash);
3153 ssl_evp_md_free(md);
3154 return 0;
3155 }
3156
3157 EVP_MD_CTX_free(hash);
3158 ssl_evp_md_free(md);
3159 return 1;
3160}
3161#endif
3162
3163static int tls_construct_cke_gost18(SSL *s, WPACKET *pkt)
3164{
3165#ifndef OPENSSL_NO_GOST
3166 /* GOST 2018 key exchange message creation */
3167 unsigned char rnd_dgst[32];
3168 unsigned char *encdata = NULL((void*)0);
3169 EVP_PKEY_CTX *pkey_ctx = NULL((void*)0);
3170 X509 *peer_cert;
3171 unsigned char *pms = NULL((void*)0);
3172 size_t pmslen = 0;
3173 size_t msglen;
3174 int cipher_nid = ossl_gost18_cke_cipher_nid(s);
3175
3176 if (cipher_nid == NID_undef0) {
3177 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3177, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3178 return 0;
3179 }
3180
3181 if (ossl_gost_ukm(s, rnd_dgst) <= 0) {
3182 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3182, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3183 goto err;
3184 }
3185
3186 /* Pre-master secret - random bytes */
3187 pmslen = 32;
3188 pms = OPENSSL_malloc(pmslen)CRYPTO_malloc(pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3188);
3189 if (pms == NULL((void*)0)) {
3190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3190, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3191 goto err;
3192 }
3193
3194 if (RAND_bytes_ex(s->ctx->libctx, pms, pmslen, 0) <= 0) {
3195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3195, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3196 goto err;
3197 }
3198
3199 /* Get server certificate PKEY and create ctx from it */
3200 peer_cert = s->session->peer;
3201 if (peer_cert == NULL((void*)0)) {
3202 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3203, __func__), ossl_statem_fatal)((s), (40), (330), ((void
*)0))
3203 SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3203, __func__), ossl_statem_fatal)((s), (40), (330), ((void
*)0));
3204 goto err;
3205 }
3206
3207 pkey_ctx = EVP_PKEY_CTX_new_from_pkey(s->ctx->libctx,
3208 X509_get0_pubkey(peer_cert),
3209 s->ctx->propq);
3210 if (pkey_ctx == NULL((void*)0)) {
3211 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3211, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3212 goto err;
3213 }
3214
3215 if (EVP_PKEY_encrypt_init(pkey_ctx) <= 0 ) {
3216 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3216, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3217 goto err;
3218 };
3219
3220 /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code */
3221 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT(1<<9),
3222 EVP_PKEY_CTRL_SET_IV8, 32, rnd_dgst) <= 0) {
3223 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3223, __func__), ossl_statem_fatal)((s), (80), (274), ((void
*)0));
3224 goto err;
3225 }
3226
3227 if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT(1<<9),
3228 EVP_PKEY_CTRL_CIPHER12, cipher_nid, NULL((void*)0)) <= 0) {
3229 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3229, __func__), ossl_statem_fatal)((s), (80), (274), ((void
*)0));
3230 goto err;
3231 }
3232
3233 if (EVP_PKEY_encrypt(pkey_ctx, NULL((void*)0), &msglen, pms, pmslen) <= 0) {
3234 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3234, __func__), ossl_statem_fatal)((s), (80), ((6 | (0x2 <<
18L))), ((void*)0));
3235 goto err;
3236 }
3237
3238 if (!WPACKET_allocate_bytes(pkt, msglen, &encdata)
3239 || EVP_PKEY_encrypt(pkey_ctx, encdata, &msglen, pms, pmslen) <= 0) {
3240 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3240, __func__), ossl_statem_fatal)((s), (80), ((6 | (0x2 <<
18L))), ((void*)0));
3241 goto err;
3242 }
3243
3244 EVP_PKEY_CTX_free(pkey_ctx);
3245 pkey_ctx = NULL((void*)0);
3246 s->s3.tmp.pms = pms;
3247 s->s3.tmp.pmslen = pmslen;
3248
3249 return 1;
3250 err:
3251 EVP_PKEY_CTX_free(pkey_ctx);
3252 OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3252);
3253 return 0;
3254#else
3255 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3255, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3256 return 0;
3257#endif
3258}
3259
3260static int tls_construct_cke_srp(SSL *s, WPACKET *pkt)
3261{
3262#ifndef OPENSSL_NO_SRP
3263 unsigned char *abytes = NULL((void*)0);
3264
3265 if (s->srp_ctx.A == NULL((void*)0)
3266 || !WPACKET_sub_allocate_bytes_u16(pkt, BN_num_bytes(s->srp_ctx.A),WPACKET_sub_allocate_bytes__((pkt), (((BN_num_bits(s->srp_ctx
.A)+7)/8)), (&abytes), 2)
3267 &abytes)WPACKET_sub_allocate_bytes__((pkt), (((BN_num_bits(s->srp_ctx
.A)+7)/8)), (&abytes), 2)) {
3268 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3268, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3269 return 0;
3270 }
3271 BN_bn2bin(s->srp_ctx.A, abytes);
3272
3273 OPENSSL_free(s->session->srp_username)CRYPTO_free(s->session->srp_username, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3273);
3274 s->session->srp_username = OPENSSL_strdup(s->srp_ctx.login)CRYPTO_strdup(s->srp_ctx.login, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3274);
3275 if (s->session->srp_username == NULL((void*)0)) {
3276 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3276, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3277 return 0;
3278 }
3279
3280 return 1;
3281#else
3282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3282, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3283 return 0;
3284#endif
3285}
3286
3287int tls_construct_client_key_exchange(SSL *s, WPACKET *pkt)
3288{
3289 unsigned long alg_k;
3290
3291 alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3292
3293 /*
3294 * All of the construct functions below call SSLfatal() if necessary so
3295 * no need to do so here.
3296 */
3297 if ((alg_k & SSL_PSK(0x00000008U | 0x00000040U | 0x00000080U | 0x00000100U))
3298 && !tls_construct_cke_psk_preamble(s, pkt))
3299 goto err;
3300
3301 if (alg_k & (SSL_kRSA0x00000001U | SSL_kRSAPSK0x00000040U)) {
3302 if (!tls_construct_cke_rsa(s, pkt))
3303 goto err;
3304 } else if (alg_k & (SSL_kDHE0x00000002U | SSL_kDHEPSK0x00000100U)) {
3305 if (!tls_construct_cke_dhe(s, pkt))
3306 goto err;
3307 } else if (alg_k & (SSL_kECDHE0x00000004U | SSL_kECDHEPSK0x00000080U)) {
3308 if (!tls_construct_cke_ecdhe(s, pkt))
3309 goto err;
3310 } else if (alg_k & SSL_kGOST0x00000010U) {
3311 if (!tls_construct_cke_gost(s, pkt))
3312 goto err;
3313 } else if (alg_k & SSL_kGOST180x00000200U) {
3314 if (!tls_construct_cke_gost18(s, pkt))
3315 goto err;
3316 } else if (alg_k & SSL_kSRP0x00000020U) {
3317 if (!tls_construct_cke_srp(s, pkt))
3318 goto err;
3319 } else if (!(alg_k & SSL_kPSK0x00000008U)) {
3320 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3320, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3321 goto err;
3322 }
3323
3324 return 1;
3325 err:
3326 OPENSSL_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen)CRYPTO_clear_free(s->s3.tmp.pms, s->s3.tmp.pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3326);
3327 s->s3.tmp.pms = NULL((void*)0);
3328 s->s3.tmp.pmslen = 0;
3329#ifndef OPENSSL_NO_PSK
3330 OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen)CRYPTO_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3330);
3331 s->s3.tmp.psk = NULL((void*)0);
3332 s->s3.tmp.psklen = 0;
3333#endif
3334 return 0;
3335}
3336
3337int tls_client_key_exchange_post_work(SSL *s)
3338{
3339 unsigned char *pms = NULL((void*)0);
3340 size_t pmslen = 0;
3341
3342 pms = s->s3.tmp.pms;
3343 pmslen = s->s3.tmp.pmslen;
3344
3345#ifndef OPENSSL_NO_SRP
3346 /* Check for SRP */
3347 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP0x00000020U) {
3348 if (!srp_generate_client_master_secret(s)) {
3349 /* SSLfatal() already called */
3350 goto err;
3351 }
3352 return 1;
3353 }
3354#endif
3355
3356 if (pms == NULL((void*)0) && !(s->s3.tmp.new_cipher->algorithm_mkey & SSL_kPSK0x00000008U)) {
3357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3357, __func__), ossl_statem_fatal)((s), (80), ((256|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3358 goto err;
3359 }
3360 if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
3361 /* SSLfatal() already called */
3362 /* ssl_generate_master_secret frees the pms even on error */
3363 pms = NULL((void*)0);
3364 pmslen = 0;
3365 goto err;
3366 }
3367 pms = NULL((void*)0);
3368 pmslen = 0;
3369
3370#ifndef OPENSSL_NO_SCTP
3371 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
3372 unsigned char sctpauthkey[64];
3373 char labelbuffer[sizeof(DTLS1_SCTP_AUTH_LABEL)];
3374 size_t labellen;
3375
3376 /*
3377 * Add new shared key for SCTP-Auth, will be ignored if no SCTP
3378 * used.
3379 */
3380 memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL,
3381 sizeof(DTLS1_SCTP_AUTH_LABEL));
3382
3383 /* Don't include the terminating zero. */
3384 labellen = sizeof(labelbuffer) - 1;
3385 if (s->mode & SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG0x00000400U)
3386 labellen += 1;
3387
3388 if (SSL_export_keying_material(s, sctpauthkey,
3389 sizeof(sctpauthkey), labelbuffer,
3390 labellen, NULL((void*)0), 0, 0) <= 0) {
3391 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3391, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3392 goto err;
3393 }
3394
3395 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
3396 sizeof(sctpauthkey), sctpauthkey);
3397 }
3398#endif
3399
3400 return 1;
3401 err:
3402 OPENSSL_clear_free(pms, pmslen)CRYPTO_clear_free(pms, pmslen, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3402);
3403 s->s3.tmp.pms = NULL((void*)0);
3404 s->s3.tmp.pmslen = 0;
3405 return 0;
3406}
3407
3408/*
3409 * Check a certificate can be used for client authentication. Currently check
3410 * cert exists, if we have a suitable digest for TLS 1.2 if static DH client
3411 * certificates can be used and optionally checks suitability for Suite B.
3412 */
3413static int ssl3_check_client_certificate(SSL *s)
3414{
3415 /* If no suitable signature algorithm can't use certificate */
3416 if (!tls_choose_sigalg(s, 0) || s->s3.tmp.sigalg == NULL((void*)0))
3417 return 0;
3418 /*
3419 * If strict mode check suitability of chain before using it. This also
3420 * adjusts suite B digest if necessary.
3421 */
3422 if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT(0x30000|0x00000001U) &&
3423 !tls1_check_chain(s, NULL((void*)0), NULL((void*)0), NULL((void*)0), -2))
3424 return 0;
3425 return 1;
3426}
3427
3428WORK_STATE tls_prepare_client_certificate(SSL *s, WORK_STATE wst)
3429{
3430 X509 *x509 = NULL((void*)0);
3431 EVP_PKEY *pkey = NULL((void*)0);
3432 int i;
3433
3434 if (wst == WORK_MORE_A) {
3435 /* Let cert callback update client certificates if required */
3436 if (s->cert->cert_cb) {
3437 i = s->cert->cert_cb(s, s->cert->cert_cb_arg);
3438 if (i < 0) {
3439 s->rwstate = SSL_X509_LOOKUP4;
3440 return WORK_MORE_A;
3441 }
3442 if (i == 0) {
3443 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_CALLBACK_FAILED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3443, __func__), ossl_statem_fatal)((s), (80), (234), ((void
*)0));
3444 return WORK_ERROR;
3445 }
3446 s->rwstate = SSL_NOTHING1;
3447 }
3448 if (ssl3_check_client_certificate(s)) {
3449 if (s->post_handshake_auth == SSL_PHA_REQUESTED) {
3450 return WORK_FINISHED_STOP;
3451 }
3452 return WORK_FINISHED_CONTINUE;
3453 }
3454
3455 /* Fall through to WORK_MORE_B */
3456 wst = WORK_MORE_B;
3457 }
3458
3459 /* We need to get a client cert */
3460 if (wst == WORK_MORE_B) {
3461 /*
3462 * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
3463 * return(-1); We then get retied later
3464 */
3465 i = ssl_do_client_cert_cb(s, &x509, &pkey);
3466 if (i < 0) {
3467 s->rwstate = SSL_X509_LOOKUP4;
3468 return WORK_MORE_B;
3469 }
3470 s->rwstate = SSL_NOTHING1;
3471 if ((i == 1) && (pkey != NULL((void*)0)) && (x509 != NULL((void*)0))) {
3472 if (!SSL_use_certificate(s, x509) || !SSL_use_PrivateKey(s, pkey))
3473 i = 0;
3474 } else if (i == 1) {
3475 i = 0;
3476 ERR_raise(ERR_LIB_SSL, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
,3476,__func__), ERR_set_error)((20),(106),((void*)0));
3477 }
3478
3479 X509_free(x509);
3480 EVP_PKEY_free(pkey);
3481 if (i && !ssl3_check_client_certificate(s))
3482 i = 0;
3483 if (i == 0) {
3484 if (s->version == SSL3_VERSION0x0300) {
3485 s->s3.tmp.cert_req = 0;
3486 ssl3_send_alert(s, SSL3_AL_WARNING1, SSL_AD_NO_CERTIFICATE41);
3487 return WORK_FINISHED_CONTINUE;
3488 } else {
3489 s->s3.tmp.cert_req = 2;
3490 if (!ssl3_digest_cached_records(s, 0)) {
3491 /* SSLfatal() already called */
3492 return WORK_ERROR;
3493 }
3494 }
3495 }
3496
3497 if (s->post_handshake_auth == SSL_PHA_REQUESTED)
3498 return WORK_FINISHED_STOP;
3499 return WORK_FINISHED_CONTINUE;
3500 }
3501
3502 /* Shouldn't ever get here */
3503 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3503, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3504 return WORK_ERROR;
3505}
3506
3507int tls_construct_client_certificate(SSL *s, WPACKET *pkt)
3508{
3509 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)) {
3510 if (s->pha_context == NULL((void*)0)) {
3511 /* no context available, add 0-length context */
3512 if (!WPACKET_put_bytes_u8(pkt, 0)WPACKET_put_bytes__((pkt), (0), 1)) {
3513 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3513, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3514 return 0;
3515 }
3516 } else if (!WPACKET_sub_memcpy_u8(pkt, s->pha_context, s->pha_context_len)WPACKET_sub_memcpy__((pkt), (s->pha_context), (s->pha_context_len
), 1)) {
3517 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3517, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3518 return 0;
3519 }
3520 }
3521 if (!ssl3_output_cert_chain(s, pkt,
3522 (s->s3.tmp.cert_req == 2) ? NULL((void*)0)
3523 : s->cert->key)) {
3524 /* SSLfatal() already called */
3525 return 0;
3526 }
3527
3528 if (SSL_IS_TLS13(s)(!(s->method->ssl3_enc->enc_flags & 0x8) &&
(s)->method->version >= 0x0304 && (s)->method
->version != 0x10000)
3529 && SSL_IS_FIRST_HANDSHAKE(s)((s)->s3.tmp.finish_md_len == 0 || (s)->s3.tmp.peer_finish_md_len
== 0)
3530 && (!s->method->ssl3_enc->change_cipher_state(s,
3531 SSL3_CC_HANDSHAKE0x080 | SSL3_CHANGE_CIPHER_CLIENT_WRITE(0x010|0x002)))) {
3532 /*
3533 * This is a fatal error, which leaves enc_write_ctx in an inconsistent
3534 * state and thus ssl3_send_alert may crash.
3535 */
3536 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_CANNOT_CHANGE_CIPHER)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3536, __func__), ossl_statem_fatal)((s), (-1), (109), ((void
*)0));
3537 return 0;
3538 }
3539
3540 return 1;
3541}
3542
3543int ssl3_check_cert_and_algorithm(SSL *s)
3544{
3545 const SSL_CERT_LOOKUP *clu;
3546 size_t idx;
3547 long alg_k, alg_a;
3548
3549 alg_k = s->s3.tmp.new_cipher->algorithm_mkey;
3550 alg_a = s->s3.tmp.new_cipher->algorithm_auth;
3551
3552 /* we don't have a certificate */
3553 if (!(alg_a & SSL_aCERT(0x00000001U | 0x00000002U | 0x00000008U | 0x00000020U | 0x00000080U
)))
3554 return 1;
3555
3556 /* This is the passed certificate */
3557 clu = ssl_cert_lookup_by_pkey(X509_get0_pubkey(s->session->peer), &idx);
3558
3559 /* Check certificate is recognised and suitable for cipher */
3560 if (clu == NULL((void*)0) || (alg_a & clu->amask) == 0) {
3561 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_MISSING_SIGNING_CERT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3561, __func__), ossl_statem_fatal)((s), (40), (221), ((void
*)0));
3562 return 0;
3563 }
3564
3565 if (clu->amask & SSL_aECDSA0x00000008U) {
3566 if (ssl_check_srvr_ecc_cert_and_alg(s->session->peer, s))
3567 return 1;
3568 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_ECC_CERT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3568, __func__), ossl_statem_fatal)((s), (40), (304), ((void
*)0));
3569 return 0;
3570 }
3571
3572 if (alg_k & (SSL_kRSA0x00000001U | SSL_kRSAPSK0x00000040U) && idx != SSL_PKEY_RSA0) {
3573 SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE,(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3574, __func__), ossl_statem_fatal)((s), (40), (169), ((void
*)0))
3574 SSL_R_MISSING_RSA_ENCRYPTING_CERT)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3574, __func__), ossl_statem_fatal)((s), (40), (169), ((void
*)0));
3575 return 0;
3576 }
3577
3578 if ((alg_k & SSL_kDHE0x00000002U) && (s->s3.peer_tmp == NULL((void*)0))) {
3579 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3579, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3580 return 0;
3581 }
3582
3583 return 1;
3584}
3585
3586#ifndef OPENSSL_NO_NEXTPROTONEG
3587int tls_construct_next_proto(SSL *s, WPACKET *pkt)
3588{
3589 size_t len, padding_len;
3590 unsigned char *padding = NULL((void*)0);
3591
3592 len = s->ext.npn_len;
3593 padding_len = 32 - ((len + 2) % 32);
3594
3595 if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)WPACKET_sub_memcpy__((pkt), (s->ext.npn), (len), 1)
3596 || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)WPACKET_sub_allocate_bytes__((pkt), (padding_len), (&padding
), 1)) {
3597 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3597, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3598 return 0;
3599 }
3600
3601 memset(padding, 0, padding_len);
3602
3603 return 1;
3604}
3605#endif
3606
3607MSG_PROCESS_RETURN tls_process_hello_req(SSL *s, PACKET *pkt)
3608{
3609 if (PACKET_remaining(pkt) > 0) {
3610 /* should contain no data */
3611 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3611, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
3612 return MSG_PROCESS_ERROR;
3613 }
3614
3615 if ((s->options & SSL_OP_NO_RENEGOTIATION((uint64_t)1 << (uint64_t)30))) {
3616 ssl3_send_alert(s, SSL3_AL_WARNING1, SSL_AD_NO_RENEGOTIATION100);
3617 return MSG_PROCESS_FINISHED_READING;
3618 }
3619
3620 /*
3621 * This is a historical discrepancy (not in the RFC) maintained for
3622 * compatibility reasons. If a TLS client receives a HelloRequest it will
3623 * attempt an abbreviated handshake. However if a DTLS client receives a
3624 * HelloRequest it will do a full handshake. Either behaviour is reasonable
3625 * but doing one for TLS and another for DTLS is odd.
3626 */
3627 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8))
3628 SSL_renegotiate(s);
3629 else
3630 SSL_renegotiate_abbreviated(s);
3631
3632 return MSG_PROCESS_FINISHED_READING;
3633}
3634
3635static MSG_PROCESS_RETURN tls_process_encrypted_extensions(SSL *s, PACKET *pkt)
3636{
3637 PACKET extensions;
3638 RAW_EXTENSION *rawexts = NULL((void*)0);
3639
3640 if (!PACKET_as_length_prefixed_2(pkt, &extensions)
3641 || PACKET_remaining(pkt) != 0) {
3642 SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3642, __func__), ossl_statem_fatal)((s), (50), (159), ((void
*)0));
3643 goto err;
3644 }
3645
3646 if (!tls_collect_extensions(s, &extensions,
3647 SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS0x0400, &rawexts,
3648 NULL((void*)0), 1)
3649 || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS0x0400,
3650 rawexts, NULL((void*)0), 0, 1)) {
3651 /* SSLfatal() already called */
3652 goto err;
3653 }
3654
3655 OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3655);
3656 return MSG_PROCESS_CONTINUE_READING;
3657
3658 err:
3659 OPENSSL_free(rawexts)CRYPTO_free(rawexts, "../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3659);
3660 return MSG_PROCESS_ERROR;
3661}
3662
3663int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
3664{
3665 int i = 0;
3666#ifndef OPENSSL_NO_ENGINE
3667 if (s->ctx->client_cert_engine) {
3668 i = tls_engine_load_ssl_client_cert(s, px509, ppkey);
3669 if (i != 0)
3670 return i;
3671 }
3672#endif
3673 if (s->ctx->client_cert_cb)
3674 i = s->ctx->client_cert_cb(s, px509, ppkey);
3675 return i;
3676}
3677
3678int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk, WPACKET *pkt)
3679{
3680 int i;
3681 size_t totlen = 0, len, maxlen, maxverok = 0;
3682 int empty_reneg_info_scsv = !s->renegotiate;
3683
3684 /* Set disabled masks for this session */
3685 if (!ssl_set_client_disabled(s)) {
3686 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_PROTOCOLS_AVAILABLE)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3686, __func__), ossl_statem_fatal)((s), (80), (191), ((void
*)0));
3687 return 0;
3688 }
3689
3690 if (sk == NULL((void*)0)) {
3691 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3691, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3692 return 0;
3693 }
3694
3695#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
3696# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
3697# error Max cipher length too short
3698# endif
3699 /*
3700 * Some servers hang if client hello > 256 bytes as hack workaround
3701 * chop number of supported ciphers to keep it well below this if we
3702 * use TLS v1.2
3703 */
3704 if (TLS1_get_version(s)((SSL_version(s) >> 8) == 0x03 ? SSL_version(s) : 0) >= TLS1_2_VERSION0x0303)
3705 maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
3706 else
3707#endif
3708 /* Maximum length that can be stored in 2 bytes. Length must be even */
3709 maxlen = 0xfffe;
3710
3711 if (empty_reneg_info_scsv)
3712 maxlen -= 2;
3713 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV0x00000080U)
3714 maxlen -= 2;
3715
3716 for (i = 0; i < sk_SSL_CIPHER_num(sk)OPENSSL_sk_num(ossl_check_const_SSL_CIPHER_sk_type(sk)) && totlen < maxlen; i++) {
3717 const SSL_CIPHER *c;
3718
3719 c = sk_SSL_CIPHER_value(sk, i)((const SSL_CIPHER *)OPENSSL_sk_value(ossl_check_const_SSL_CIPHER_sk_type
(sk), (i)));
3720 /* Skip disabled ciphers */
3721 if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED(1 | (1 << 16)), 0))
3722 continue;
3723
3724 if (!s->method->put_cipher_by_char(c, pkt, &len)) {
3725 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3725, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3726 return 0;
3727 }
3728
3729 /* Sanity check that the maximum version we offer has ciphers enabled */
3730 if (!maxverok) {
3731 if (SSL_IS_DTLS(s)(s->method->ssl3_enc->enc_flags & 0x8)) {
3732 if (DTLS_VERSION_GE(c->max_dtls, s->s3.tmp.max_ver)((((c->max_dtls) == 0x0100) ? 0xff00 : (c->max_dtls)) <=
(((s->s3.tmp.max_ver) == 0x0100) ? 0xff00 : (s->s3.tmp
.max_ver)))
3733 && DTLS_VERSION_LE(c->min_dtls, s->s3.tmp.max_ver)((((c->min_dtls) == 0x0100) ? 0xff00 : (c->min_dtls)) >=
(((s->s3.tmp.max_ver) == 0x0100) ? 0xff00 : (s->s3.tmp
.max_ver))))
3734 maxverok = 1;
3735 } else {
3736 if (c->max_tls >= s->s3.tmp.max_ver
3737 && c->min_tls <= s->s3.tmp.max_ver)
3738 maxverok = 1;
3739 }
3740 }
3741
3742 totlen += len;
3743 }
3744
3745 if (totlen == 0 || !maxverok) {
3746 const char *maxvertext =
3747 !maxverok
3748 ? "No ciphers enabled for max supported SSL/TLS version"
3749 : NULL((void*)0);
3750
3751 SSLfatal_data(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3751, __func__), ossl_statem_fatal)(s, SSL_AD_INTERNAL_ERROR80, SSL_R_NO_CIPHERS_AVAILABLE181,
3752 maxvertext);
3753 return 0;
3754 }
3755
3756 if (totlen != 0) {
3757 if (empty_reneg_info_scsv) {
3758 static SSL_CIPHER scsv = {
3759 0, NULL((void*)0), NULL((void*)0), SSL3_CK_SCSV0x030000FF, 0, 0, 0, 0, 0, 0, 0, 0, 0
3760 };
3761 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3762 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3762, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3763 return 0;
3764 }
3765 }
3766 if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV0x00000080U) {
3767 static SSL_CIPHER scsv = {
3768 0, NULL((void*)0), NULL((void*)0), SSL3_CK_FALLBACK_SCSV0x03005600, 0, 0, 0, 0, 0, 0, 0, 0, 0
3769 };
3770 if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
3771 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3771, __func__), ossl_statem_fatal)((s), (80), ((259|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3772 return 0;
3773 }
3774 }
3775 }
3776
3777 return 1;
3778}
3779
3780int tls_construct_end_of_early_data(SSL *s, WPACKET *pkt)
3781{
3782 if (s->early_data_state != SSL_EARLY_DATA_WRITE_RETRY
3783 && s->early_data_state != SSL_EARLY_DATA_FINISHED_WRITING) {
3784 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED)(ERR_new(), ERR_set_debug("../deps/openssl/openssl/ssl/statem/statem_clnt.c"
, 3784, __func__), ossl_statem_fatal)((s), (80), ((257|((0x1 <<
18L)|(0x2 << 18L)))), ((void*)0));
3785 return 0;
3786 }
3787
3788 s->early_data_state = SSL_EARLY_DATA_FINISHED_WRITING;
3789 return 1;
3790}