16 * Copyright remains Eric Young's, and as such any Copyright notices in
172 static int ssl3_send_client_hello(SSL *s);
173 static int ssl3_get_dtls_hello_verify(SSL *s);
174 static int ssl3_get_server_hello(SSL *s);
175 static int ssl3_get_certificate_request(SSL *s);
176 static int ssl3_get_new_session_ticket(SSL *s);
177 static int ssl3_get_cert_status(SSL *s);
178 static int ssl3_get_server_done(SSL *s);
179 static int ssl3_send_client_verify(SSL *s);
180 static int ssl3_send_client_certificate(SSL *s);
181 static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey);
182 static int ssl3_send_client_key_exchange(SSL *s);
183 static int ssl3_get_server_key_exchange(SSL *s);
184 static int ssl3_get_server_certificate(SSL *s);
185 static int ssl3_check_cert_and_algorithm(SSL *s);
186 static int ssl3_check_finished(SSL *s);
187 static int ssl3_send_client_change_cipher_spec(SSL *s);
188 static int ssl3_send_client_finished(SSL *s);
189 static int ssl3_get_server_finished(SSL *s);
192 ssl3_connect(SSL *s)
200 s->in_handshake++;
201 if (!SSL_in_init(s) || SSL_in_before(s))
202 SSL_clear(s);
205 state = s->s3->hs.state;
207 switch (s->s3->hs.state) {
209 s->renegotiate = 1;
210 s->s3->hs.state = SSL_ST_CONNECT;
211 s->ctx->stats.sess_connect_renegotiate++;
218 s->server = 0;
220 ssl_info_callback(s, SSL_CB_HANDSHAKE_START, 1);
222 if (!ssl_legacy_stack_version(s, s->version)) {
223 SSLerror(s, ERR_R_INTERNAL_ERROR);
228 if (!ssl_supported_tls_version_range(s,
229 &s->s3->hs.our_min_tls_version,
230 &s->s3->hs.our_max_tls_version)) {
231 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
236 if (!ssl_security_version(s,
237 s->s3->hs.our_min_tls_version)) {
238 SSLerror(s, SSL_R_VERSION_TOO_LOW);
243 if (!ssl3_setup_init_buffer(s)) {
247 if (!ssl3_setup_buffers(s)) {
251 if (!ssl_init_wbio_buffer(s, 0)) {
258 if (!tls1_transcript_init(s)) {
263 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
264 s->ctx->stats.sess_connect++;
265 s->init_num = 0;
267 if (SSL_is_dtls(s)) {
269 memset(s->s3->client_random, 0,
270 sizeof(s->s3->client_random));
271 s->d1->send_cookie = 0;
272 s->hit = 0;
278 s->shutdown = 0;
280 if (SSL_is_dtls(s)) {
282 tls1_transcript_reset(s);
284 dtls1_start_timer(s);
287 ret = ssl3_send_client_hello(s);
291 if (SSL_is_dtls(s) && s->d1->send_cookie) {
292 s->s3->hs.state = SSL3_ST_CW_FLUSH;
293 s->s3->hs.tls12.next_state = SSL3_ST_CR_SRVR_HELLO_A;
295 s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
297 s->init_num = 0;
300 if (s->bbio != s->wbio)
301 s->wbio = BIO_push(s->bbio, s->wbio);
307 ret = ssl3_get_server_hello(s);
311 if (s->hit) {
312 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
313 if (!SSL_is_dtls(s)) {
314 if (s->tlsext_ticket_expected) {
316 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
320 tls1_transcript_free(s);
322 } else if (SSL_is_dtls(s)) {
323 s->s3->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
325 s->s3->hs.state = SSL3_ST_CR_CERT_A;
327 s->init_num = 0;
332 ret = ssl3_get_dtls_hello_verify(s);
335 dtls1_stop_timer(s);
336 if (s->d1->send_cookie) /* start again, with a cookie */
337 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A;
339 s->s3->hs.state = SSL3_ST_CR_CERT_A;
340 s->init_num = 0;
345 ret = ssl3_check_finished(s);
349 s->hit = 1;
350 if (s->tlsext_ticket_expected)
351 s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A;
353 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
354 s->init_num = 0;
358 if (!(s->s3->hs.cipher->algorithm_auth &
360 ret = ssl3_get_server_certificate(s);
363 if (s->tlsext_status_expected)
364 s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A;
366 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
369 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
371 s->init_num = 0;
376 ret = ssl3_get_server_key_exchange(s);
379 s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A;
380 s->init_num = 0;
386 if (!ssl3_check_cert_and_algorithm(s)) {
394 ret = ssl3_get_certificate_request(s);
397 s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A;
398 s->init_num = 0;
403 ret = ssl3_get_server_done(s);
406 if (SSL_is_dtls(s))
407 dtls1_stop_timer(s);
408 if (s->s3->hs.tls12.cert_request)
409 s->s3->hs.state = SSL3_ST_CW_CERT_A;
411 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
412 s->init_num = 0;
420 if (SSL_is_dtls(s))
421 dtls1_start_timer(s);
422 ret = ssl3_send_client_certificate(s);
425 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A;
426 s->init_num = 0;
431 if (SSL_is_dtls(s))
432 dtls1_start_timer(s);
433 ret = ssl3_send_client_key_exchange(s);
449 * message when client's ECDH public key is sent
452 if (s->s3->hs.tls12.cert_request == 1) {
453 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_A;
455 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
456 s->s3->change_cipher_spec = 0;
459 s->init_num = 0;
464 if (SSL_is_dtls(s))
465 dtls1_start_timer(s);
466 ret = ssl3_send_client_verify(s);
469 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
470 s->init_num = 0;
471 s->s3->change_cipher_spec = 0;
476 if (SSL_is_dtls(s) && !s->hit)
477 dtls1_start_timer(s);
478 ret = ssl3_send_client_change_cipher_spec(s);
482 s->s3->hs.state = SSL3_ST_CW_FINISHED_A;
483 s->init_num = 0;
484 s->session->cipher_value = s->s3->hs.cipher->value;
486 if (!tls1_setup_key_block(s)) {
490 if (!tls1_change_write_cipher_state(s)) {
498 if (SSL_is_dtls(s) && !s->hit)
499 dtls1_start_timer(s);
500 ret = ssl3_send_client_finished(s);
503 if (!SSL_is_dtls(s))
504 s->s3->flags |= SSL3_FLAGS_CCS_OK;
505 s->s3->hs.state = SSL3_ST_CW_FLUSH;
508 if (s->hit) {
509 s->s3->hs.tls12.next_state = SSL_ST_OK;
512 if (s->tlsext_ticket_expected)
513 s->s3->hs.tls12.next_state =
516 s->s3->hs.tls12.next_state =
519 s->init_num = 0;
524 ret = ssl3_get_new_session_ticket(s);
527 s->s3->hs.state = SSL3_ST_CR_FINISHED_A;
528 s->init_num = 0;
533 ret = ssl3_get_cert_status(s);
536 s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A;
537 s->init_num = 0;
542 if (SSL_is_dtls(s))
543 s->d1->change_cipher_spec_ok = 1;
545 s->s3->flags |= SSL3_FLAGS_CCS_OK;
546 ret = ssl3_get_server_finished(s);
549 if (SSL_is_dtls(s))
550 dtls1_stop_timer(s);
552 if (s->hit)
553 s->s3->hs.state = SSL3_ST_CW_CHANGE_A;
555 s->s3->hs.state = SSL_ST_OK;
556 s->init_num = 0;
560 s->rwstate = SSL_WRITING;
561 if (BIO_flush(s->wbio) <= 0) {
562 if (SSL_is_dtls(s)) {
564 if (!BIO_should_retry(s->wbio)) {
565 s->rwstate = SSL_NOTHING;
566 s->s3->hs.state = s->s3->hs.tls12.next_state;
572 s->rwstate = SSL_NOTHING;
573 s->s3->hs.state = s->s3->hs.tls12.next_state;
578 tls1_cleanup_key_block(s);
580 if (s->s3->handshake_transcript != NULL) {
581 SSLerror(s, ERR_R_INTERNAL_ERROR);
586 if (!SSL_is_dtls(s))
587 ssl3_release_init_buffer(s);
589 ssl_free_wbio_buffer(s);
591 s->init_num = 0;
592 s->renegotiate = 0;
593 s->new_session = 0;
595 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
596 if (s->hit)
597 s->ctx->stats.sess_hit++;
600 /* s->server=0; */
601 s->handshake_func = ssl3_connect;
602 s->ctx->stats.sess_connect_good++;
604 ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1);
606 if (SSL_is_dtls(s)) {
608 s->d1->handshake_read_seq = 0;
609 s->d1->next_handshake_write_seq = 0;
616 SSLerror(s, SSL_R_UNKNOWN_STATE);
623 if (!s->s3->hs.tls12.reuse_message && !skip) {
624 if (s->s3->hs.state != state) {
625 new_state = s->s3->hs.state;
626 s->s3->hs.state = state;
627 ssl_info_callback(s, SSL_CB_CONNECT_LOOP, 1);
628 s->s3->hs.state = new_state;
635 s->in_handshake--;
636 ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret);
642 ssl3_send_client_hello(SSL *s)
651 if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_A) {
652 SSL_SESSION *sess = s->session;
654 if (!ssl_max_supported_version(s, &max_version)) {
655 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
658 s->version = max_version;
660 if (sess == NULL || sess->ssl_version != s->version ||
663 if (!ssl_get_new_session(s, 0))
673 if (!SSL_is_dtls(s) || s->d1->send_cookie == 0)
674 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
676 if (!ssl3_handshake_msg_start(s, &cbb, &client_hello,
680 if (!CBB_add_u16(&client_hello, s->version))
684 if (!CBB_add_bytes(&client_hello, s->s3->client_random,
685 sizeof(s->s3->client_random)))
691 if (!s->new_session &&
692 s->session->session_id_length > 0) {
693 sl = s->session->session_id_length;
694 if (sl > sizeof(s->session->session_id)) {
695 SSLerror(s, ERR_R_INTERNAL_ERROR);
699 s->session->session_id, sl))
704 if (SSL_is_dtls(s)) {
705 if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
706 SSLerror(s, ERR_R_INTERNAL_ERROR);
711 if (!CBB_add_bytes(&cookie, s->d1->cookie,
712 s->d1->cookie_len))
719 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s),
721 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
733 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) {
734 SSLerror(s, ERR_R_INTERNAL_ERROR);
738 if (!ssl3_handshake_msg_finish(s, &cbb))
741 s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_B;
745 return (ssl3_handshake_write(s));
754 ssl3_get_dtls_hello_verify(SSL *s)
761 if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
762 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list)) <= 0)
765 if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
766 s->d1->send_cookie = 0;
767 s->s3->hs.tls12.reuse_message = 1;
771 if (s->init_num < 0)
774 CBS_init(&hello_verify_request, s->init_msg,
775 s->init_num);
790 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
791 s->version = (s->version & 0xff00) | (ssl_version & 0xff);
796 if (!CBS_write_bytes(&cookie, s->d1->cookie,
797 sizeof(s->d1->cookie), &cookie_len)) {
798 s->d1->cookie_len = 0;
802 s->d1->cookie_len = cookie_len;
803 s->d1->send_cookie = 1;
810 ssl3_send_alert(s, SSL3_AL_FATAL, al);
815 ssl3_get_server_hello(SSL *s)
824 s->first_packet = 1;
825 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A,
828 s->first_packet = 0;
830 if (s->init_num < 0)
833 CBS_init(&cbs, s->init_msg, s->init_num);
835 if (SSL_is_dtls(s)) {
836 if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) {
837 if (s->d1->send_cookie == 0) {
838 s->s3->hs.tls12.reuse_message = 1;
843 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
849 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_HELLO) {
851 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
858 if (!ssl_check_version_from_server(s, server_version)) {
859 SSLerror(s, SSL_R_WRONG_SSL_VERSION);
860 s->version = (s->version & 0xff00) | (server_version & 0xff);
864 s->s3->hs.peer_legacy_version = server_version;
865 s->version = server_version;
867 s->s3->hs.negotiated_tls_version = ssl_tls_version(server_version);
868 if (s->s3->hs.negotiated_tls_version == 0) {
869 SSLerror(s, ERR_R_INTERNAL_ERROR);
874 SSLerror(s, ERR_R_INTERNAL_ERROR);
877 s->method = method;
882 if (!CBS_write_bytes(&server_random, s->s3->server_random,
883 sizeof(s->s3->server_random), NULL))
886 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
887 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
895 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION &&
899 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
905 SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK);
916 SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG);
928 if (s->tls_session_secret_cb != NULL) {
930 int master_key_length = sizeof(s->session->master_key);
932 if (!s->tls_session_secret_cb(s,
933 s->session->master_key, &master_key_length, NULL,
934 &pref_cipher, s->tls_session_secret_cb_arg)) {
935 SSLerror(s, ERR_R_INTERNAL_ERROR);
939 SSLerror(s, ERR_R_INTERNAL_ERROR);
942 s->session->master_key_length = master_key_length;
949 if ((s->s3->hs.cipher = pref_cipher) == NULL)
950 s->s3->hs.cipher =
952 s->s3->flags |= SSL3_FLAGS_CCS_OK;
955 if (s->session->session_id_length != 0 &&
956 CBS_mem_equal(&session_id, s->session->session_id,
957 s->session->session_id_length)) {
958 if (s->sid_ctx_length != s->session->sid_ctx_length ||
959 timingsafe_memcmp(s->session->sid_ctx,
960 s->sid_ctx, s->sid_ctx_length) != 0) {
963 SSLerror(s, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
966 s->s3->flags |= SSL3_FLAGS_CCS_OK;
967 s->hit = 1;
973 s->hit = 0;
974 if (s->session->session_id_length > 0) {
975 if (!ssl_get_new_session(s, 0)) {
985 if (!CBS_write_bytes(&session_id, s->session->session_id,
986 sizeof(s->session->session_id),
987 &s->session->session_id_length))
990 s->session->ssl_version = s->version;
995 SSLerror(s, SSL_R_UNKNOWN_CIPHER_RETURNED);
1001 s->s3->hs.negotiated_tls_version < TLS1_2_VERSION) {
1003 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1007 if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
1010 SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED);
1019 if (s->hit && (s->session->cipher_value != cipher->value)) {
1021 SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
1024 s->s3->hs.cipher = cipher;
1025 s->session->cipher_value = cipher->value;
1027 if (!tls1_transcript_hash_init(s))
1034 if (!SSL_USE_SIGALGS(s))
1035 tls1_transcript_free(s);
1042 SSLerror(s, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
1046 if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) {
1047 SSLerror(s, SSL_R_PARSE_TLSEXT);
1062 if (!s->s3->renegotiate_seen &&
1063 !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) {
1065 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1069 if (ssl_check_serverhello_tlsext(s) <= 0) {
1070 SSLerror(s, SSL_R_SERVERHELLO_TLSEXT);
1079 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1081 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1087 ssl3_get_server_certificate(SSL *s)
1095 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
1096 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
1101 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1102 s->s3->hs.tls12.reuse_message = 1;
1106 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
1108 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1113 SSLerror(s, ERR_R_MALLOC_FAILURE);
1117 if (s->init_num < 0)
1120 CBS_init(&cbs, s->init_msg, s->init_num);
1133 SSLerror(s, ERR_R_ASN1_LIB);
1139 SSLerror(s, ERR_R_MALLOC_FAILURE);
1147 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1151 if (ssl_verify_cert_chain(s, certs) <= 0 &&
1152 s->verify_mode != SSL_VERIFY_NONE) {
1153 al = ssl_verify_alarm_type(s->verify_result);
1154 SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED);
1157 s->session->verify_result = s->verify_result;
1160 if (!tls_process_peer_certs(s, certs))
1169 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1171 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1181 ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
1186 tls_key_share_free(s->s3->hs.key_share);
1187 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1190 if (!tls_key_share_peer_params(s->s3->hs.key_share, cbs,
1193 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1194 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1198 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1201 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1202 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1208 SSLerror(s, SSL_R_BAD_DH_P_LENGTH);
1209 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1213 SSLerror(s, SSL_R_BAD_DH_PUB_KEY_LENGTH);
1214 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1218 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1219 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1220 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1231 ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
1245 SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE);
1246 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1257 if (!tls1_check_group(s, group_id)) {
1258 SSLerror(s, SSL_R_WRONG_CURVE);
1259 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1263 tls_key_share_free(s->s3->hs.key_share);
1264 if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
1267 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1277 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1278 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1284 ssl3_get_server_key_exchange(SSL *s)
1297 alg_k = s->s3->hs.cipher->algorithm_mkey;
1298 alg_a = s->s3->hs.cipher->algorithm_auth;
1304 if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A,
1305 SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list)) <= 0)
1311 if (s->init_num < 0)
1314 CBS_init(&cbs, s->init_msg, s->init_num);
1316 if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1322 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1327 s->s3->hs.tls12.reuse_message = 1;
1334 if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
1336 if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE))
1342 if (!ssl3_get_server_kex_dhe(s, &cbs))
1345 if (!ssl3_get_server_kex_ecdhe(s, &cbs))
1349 SSLerror(s, SSL_R_UNEXPECTED_MESSAGE);
1368 s->session->peer_cert_type == SSL_PKEY_RSA) {
1369 pkey = X509_get0_pubkey(s->session->peer_cert);
1371 s->session->peer_cert_type == SSL_PKEY_ECC) {
1372 pkey = X509_get0_pubkey(s->session->peer_cert);
1376 SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
1380 if (SSL_USE_SIGALGS(s)) {
1388 SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH);
1392 if ((sigalg = ssl_sigalg_for_peer(s, pkey,
1397 s->s3->hs.peer_sigalg = sigalg;
1410 SSLerror(s, SSL_R_BAD_SIGNATURE);
1417 SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE);
1428 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1431 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1442 ssl3_get_certificate_request(SSL *s)
1450 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A,
1451 SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list)) <= 0)
1456 s->s3->hs.tls12.cert_request = 0;
1458 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_DONE) {
1459 s->s3->hs.tls12.reuse_message = 1;
1464 tls1_transcript_free(s);
1468 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
1469 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1470 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
1475 if (s->s3->hs.cipher->algorithm_auth & SSL_aNULL) {
1476 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1477 SSLerror(s, SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER);
1481 if (s->init_num < 0)
1483 CBS_init(&cert_request, s->init_msg, s->init_num);
1486 SSLerror(s, ERR_R_MALLOC_FAILURE);
1493 if (SSL_USE_SIGALGS(s)) {
1497 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1501 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1502 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1506 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1507 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
1510 if (!CBS_stow(&sigalgs, &s->s3->hs.sigalgs,
1511 &s->s3->hs.sigalgs_len))
1517 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1523 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1524 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1532 SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG);
1537 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1538 SSLerror(s, SSL_R_CA_DN_TOO_LONG);
1544 ssl3_send_alert(s, SSL3_AL_FATAL,
1546 SSLerror(s, ERR_R_ASN1_LIB);
1551 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1552 SSLerror(s, SSL_R_CA_DN_LENGTH_MISMATCH);
1556 SSLerror(s, ERR_R_MALLOC_FAILURE);
1563 s->s3->hs.tls12.cert_request = 1;
1564 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
1565 s->s3->hs.tls12.ca_names = ca_sk;
1571 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
1586 ssl3_get_new_session_ticket(SSL *s)
1593 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A,
1597 if (s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) {
1598 s->s3->hs.tls12.reuse_message = 1;
1601 if (s->s3->hs.tls12.message_type != SSL3_MT_NEWSESSION_TICKET) {
1603 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1607 if (s->init_num < 0) {
1609 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1613 CBS_init(&cbs, s->init_msg, s->init_num);
1618 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1621 s->session->tlsext_tick_lifetime_hint = lifetime_hint;
1623 if (!CBS_stow(&session_ticket, &s->session->tlsext_tick,
1624 &s->session->tlsext_ticklen)) {
1625 SSLerror(s, ERR_R_MALLOC_FAILURE);
1646 s->session->session_id, &session_id_length, EVP_sha256(), NULL)) {
1648 SSLerror(s, ERR_R_EVP_LIB);
1651 s->session->session_id_length = session_id_length;
1656 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1662 ssl3_get_cert_status(SSL *s)
1668 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A,
1672 if (s->s3->hs.tls12.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) {
1677 if (s->ctx->tlsext_status_cb) {
1678 free(s->tlsext_ocsp_resp);
1679 s->tlsext_ocsp_resp = NULL;
1680 s->tlsext_ocsp_resp_len = 0;
1682 ret = s->ctx->tlsext_status_cb(s,
1683 s->ctx->tlsext_status_arg);
1686 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1691 SSLerror(s, ERR_R_MALLOC_FAILURE);
1695 s->s3->hs.tls12.reuse_message = 1;
1699 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE &&
1700 s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_STATUS) {
1702 SSLerror(s, SSL_R_BAD_MESSAGE_TYPE);
1706 if (s->init_num < 0) {
1709 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1713 CBS_init(&cert_status, s->init_msg, s->init_num);
1718 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1724 SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE);
1731 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1735 if (!CBS_stow(&response, &s->tlsext_ocsp_resp,
1736 &s->tlsext_ocsp_resp_len)) {
1738 SSLerror(s, ERR_R_MALLOC_FAILURE);
1742 if (s->ctx->tlsext_status_cb) {
1743 ret = s->ctx->tlsext_status_cb(s,
1744 s->ctx->tlsext_status_arg);
1747 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
1752 SSLerror(s, ERR_R_MALLOC_FAILURE);
1758 ssl3_send_alert(s, SSL3_AL_FATAL, al);
1763 ssl3_get_server_done(SSL *s)
1767 if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A,
1772 if (s->init_num != 0) {
1774 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1775 SSLerror(s, SSL_R_LENGTH_MISMATCH);
1783 ssl3_send_client_kex_rsa(SSL *s, CBB *cbb)
1798 pkey = X509_get0_pubkey(s->session->peer_cert);
1800 SSLerror(s, ERR_R_INTERNAL_ERROR);
1811 if (!ssl_max_legacy_version(s, &max_legacy_version))
1818 SSLerror(s, ERR_R_MALLOC_FAILURE);
1825 SSLerror(s, SSL_R_BAD_RSA_ENCRYPT);
1836 if (!tls12_derive_master_secret(s, pms, sizeof(pms)))
1849 ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
1856 if (s->s3->hs.key_share == NULL) {
1857 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1858 SSLerror(s, SSL_R_UNABLE_TO_FIND_DH_PARAMETERS);
1862 if (!tls_key_share_generate(s->s3->hs.key_share))
1864 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1866 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1869 if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) {
1870 SSLerror(s, SSL_R_DH_KEY_TOO_SMALL);
1871 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1875 if (!tls12_derive_master_secret(s, key, key_len))
1887 ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
1895 if (s->s3->hs.key_share == NULL) {
1896 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1897 SSLerror(s, ERR_R_INTERNAL_ERROR);
1901 if (!tls_key_share_generate(s->s3->hs.key_share))
1906 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1911 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1914 if (!tls12_derive_master_secret(s, key, key_len))
1926 ssl3_send_client_key_exchange(SSL *s)
1933 if (s->s3->hs.state == SSL3_ST_CW_KEY_EXCH_A) {
1934 alg_k = s->s3->hs.cipher->algorithm_mkey;
1936 if (!ssl3_handshake_msg_start(s, &cbb, &kex,
1941 if (!ssl3_send_client_kex_rsa(s, &kex))
1944 if (!ssl3_send_client_kex_dhe(s, &kex))
1947 if (!ssl3_send_client_kex_ecdhe(s, &kex))
1950 ssl3_send_alert(s, SSL3_AL_FATAL,
1952 SSLerror(s, ERR_R_INTERNAL_ERROR);
1956 if (!ssl3_handshake_msg_finish(s, &cbb))
1959 s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_B;
1963 return (ssl3_handshake_write(s));
1972 ssl3_send_client_verify_sigalgs(SSL *s, EVP_PKEY *pkey,
1986 if (!tls1_transcript_data(s, &hdata, &hdata_len)) {
1987 SSLerror(s, ERR_R_INTERNAL_ERROR);
1991 SSLerror(s, ERR_R_EVP_LIB);
1997 SSLerror(s, ERR_R_EVP_LIB);
2001 SSLerror(s, ERR_R_EVP_LIB);
2005 SSLerror(s, ERR_R_MALLOC_FAILURE);
2009 SSLerror(s, ERR_R_EVP_LIB);
2031 ssl3_send_client_verify_rsa(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2041 if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len))
2049 SSLerror(s, ERR_R_RSA_LIB);
2067 ssl3_send_client_verify_ec(SSL *s, EVP_PKEY *pkey, CBB *cert_verify)
2076 if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL))
2084 SSLerror(s, ERR_R_ECDSA_LIB);
2102 ssl3_send_client_verify(SSL *s)
2110 if (s->s3->hs.state == SSL3_ST_CW_CERT_VRFY_A) {
2111 if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify,
2115 pkey = s->cert->key->privatekey;
2116 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
2117 SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR);
2120 s->s3->hs.our_sigalg = sigalg;
2126 if (SSL_USE_SIGALGS(s)) {
2127 if (!ssl3_send_client_verify_sigalgs(s, pkey, sigalg,
2131 if (!ssl3_send_client_verify_rsa(s, pkey, &cert_verify))
2134 if (!ssl3_send_client_verify_ec(s, pkey, &cert_verify))
2137 SSLerror(s, ERR_R_INTERNAL_ERROR);
2141 tls1_transcript_free(s);
2143 if (!ssl3_handshake_msg_finish(s, &cbb))
2146 s->s3->hs.state = SSL3_ST_CW_CERT_VRFY_B;
2149 return (ssl3_handshake_write(s));
2158 ssl3_send_client_certificate(SSL *s)
2167 if (s->s3->hs.state == SSL3_ST_CW_CERT_A) {
2168 if (s->cert->key->x509 == NULL ||
2169 s->cert->key->privatekey == NULL)
2170 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2172 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2176 if (s->s3->hs.state == SSL3_ST_CW_CERT_B) {
2182 i = ssl_do_client_cert_cb(s, &x509, &pkey);
2184 s->rwstate = SSL_X509_LOOKUP;
2187 s->rwstate = SSL_NOTHING;
2189 s->s3->hs.state = SSL3_ST_CW_CERT_B;
2190 if (!SSL_use_certificate(s, x509) ||
2191 !SSL_use_PrivateKey(s, pkey))
2195 SSLerror(s, SSL_R_BAD_DATA_RETURNED_BY_CALLBACK);
2201 s->s3->hs.tls12.cert_request = 2;
2204 tls1_transcript_free(s);
2208 s->s3->hs.state = SSL3_ST_CW_CERT_C;
2211 if (s->s3->hs.state == SSL3_ST_CW_CERT_C) {
2212 if (!ssl3_handshake_msg_start(s, &cbb, &client_cert,
2215 if (!ssl3_output_cert_chain(s, &client_cert,
2216 (s->s3->hs.tls12.cert_request == 2) ? NULL : s->cert->key))
2218 if (!ssl3_handshake_msg_finish(s, &cbb))
2221 s->s3->hs.state = SSL3_ST_CW_CERT_D;
2225 return (ssl3_handshake_write(s));
2236 ssl3_check_cert_and_algorithm(SSL *s)
2242 alg_k = s->s3->hs.cipher->algorithm_mkey;
2243 alg_a = s->s3->hs.cipher->algorithm_auth;
2249 if (s->s3->hs.key_share != NULL)
2250 nid = tls_key_share_nid(s->s3->hs.key_share);
2254 if (s->session->peer_cert_type == SSL_PKEY_ECC) {
2255 if (!ssl_check_srvr_ecc_cert_and_alg(s, s->session->peer_cert)) {
2256 SSLerror(s, SSL_R_BAD_ECC_CERT);
2262 i = X509_certificate_type(s->session->peer_cert, NULL);
2266 SSLerror(s, SSL_R_MISSING_RSA_SIGNING_CERT);
2270 SSLerror(s, SSL_R_MISSING_RSA_ENCRYPTING_CERT);
2275 SSLerror(s, SSL_R_MISSING_DH_KEY);
2282 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
2294 ssl3_check_finished(SSL *s)
2299 if (!s->session->tlsext_tick)
2303 if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A,
2304 SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0)
2307 s->s3->hs.tls12.reuse_message = 1;
2308 if ((s->s3->hs.tls12.message_type == SSL3_MT_FINISHED) ||
2309 (s->s3->hs.tls12.message_type == SSL3_MT_NEWSESSION_TICKET))
2316 ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
2318 if (s->ctx->client_cert_cb == NULL)
2321 return s->ctx->client_cert_cb(s, px509, ppkey);
2325 ssl3_send_client_change_cipher_spec(SSL *s)
2332 if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) {
2333 if (!CBB_init_fixed(&cbb, s->init_buf->data,
2334 s->init_buf->length))
2344 s->init_num = (int)outlen;
2345 s->init_off = 0;
2347 if (SSL_is_dtls(s)) {
2348 s->d1->handshake_write_seq =
2349 s->d1->next_handshake_write_seq;
2350 dtls1_set_message_header_int(s, SSL3_MT_CCS, 0,
2351 s->d1->handshake_write_seq, 0, 0);
2352 dtls1_buffer_message(s, 1);
2355 s->s3->hs.state = SSL3_ST_CW_CHANGE_B;
2359 return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC);
2368 ssl3_send_client_finished(SSL *s)
2374 if (s->s3->hs.state == SSL3_ST_CW_FINISHED_A) {
2375 if (!tls12_derive_finished(s))
2379 memcpy(s->s3->previous_client_finished,
2380 s->s3->hs.finished, s->s3->hs.finished_len);
2381 s->s3->previous_client_finished_len =
2382 s->s3->hs.finished_len;
2384 if (!ssl3_handshake_msg_start(s, &cbb, &finished,
2387 if (!CBB_add_bytes(&finished, s->s3->hs.finished,
2388 s->s3->hs.finished_len))
2390 if (!ssl3_handshake_msg_finish(s, &cbb))
2393 s->s3->hs.state = SSL3_ST_CW_FINISHED_B;
2396 return (ssl3_handshake_write(s));
2405 ssl3_get_server_finished(SSL *s)
2411 if ((ret = ssl3_get_message(s, SSL3_ST_CR_FINISHED_A,
2416 if (!s->s3->change_cipher_spec) {
2418 SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
2421 s->s3->change_cipher_spec = 0;
2425 if (s->init_num < 0) {
2427 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2431 CBS_init(&cbs, s->init_msg, s->init_num);
2433 if (s->s3->hs.peer_finished_len != md_len ||
2436 SSLerror(s, SSL_R_BAD_DIGEST_LENGTH);
2440 if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) {
2442 SSLerror(s, SSL_R_DIGEST_CHECK_FAILED);
2448 memcpy(s->s3->previous_server_finished,
2449 s->s3->hs.peer_finished, md_len);
2450 s->s3->previous_server_finished_len = md_len;
2454 ssl3_send_alert(s, SSL3_AL_FATAL, al);