diff options
Diffstat (limited to 'crypto/openssl/ssl/statem/statem_srvr.c')
| -rw-r--r-- | crypto/openssl/ssl/statem/statem_srvr.c | 1009 |
1 files changed, 515 insertions, 494 deletions
diff --git a/crypto/openssl/ssl/statem/statem_srvr.c b/crypto/openssl/ssl/statem/statem_srvr.c index 43986121efd3..6079176f9988 100644 --- a/crypto/openssl/ssl/statem/statem_srvr.c +++ b/crypto/openssl/ssl/statem/statem_srvr.c @@ -32,24 +32,24 @@ #include <openssl/comp.h> #include "internal/comp.h" -#define TICKET_NONCE_SIZE 8 +#define TICKET_NONCE_SIZE 8 typedef struct { - ASN1_TYPE *kxBlob; - ASN1_TYPE *opaqueBlob; + ASN1_TYPE *kxBlob; + ASN1_TYPE *opaqueBlob; } GOST_KX_MESSAGE; DECLARE_ASN1_FUNCTIONS(GOST_KX_MESSAGE) ASN1_SEQUENCE(GOST_KX_MESSAGE) = { - ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY), - ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY), + ASN1_SIMPLE(GOST_KX_MESSAGE, kxBlob, ASN1_ANY), + ASN1_OPT(GOST_KX_MESSAGE, opaqueBlob, ASN1_ANY), } ASN1_SEQUENCE_END(GOST_KX_MESSAGE) IMPLEMENT_ASN1_FUNCTIONS(GOST_KX_MESSAGE) static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s, - WPACKET *pkt); + WPACKET *pkt); static ossl_inline int received_client_cert(const SSL_CONNECTION *sc) { @@ -86,7 +86,7 @@ static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt) } break; } else if (s->ext.early_data == SSL_EARLY_DATA_ACCEPTED - && !SSL_NO_EOED(s)) { + && !SSL_NO_EOED(s)) { if (mt == SSL3_MT_END_OF_EARLY_DATA) { st->hand_state = TLS_ST_SR_END_OF_EARLY_DATA; return 1; @@ -104,7 +104,7 @@ static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt) } #ifndef OPENSSL_NO_COMP_ALG if (mt == SSL3_MT_COMPRESSED_CERTIFICATE - && s->ext.compress_certificate_sent) { + && s->ext.compress_certificate_sent) { st->hand_state = TLS_ST_SR_COMP_CERT; return 1; } @@ -154,7 +154,7 @@ static int ossl_statem_server13_read_transition(SSL_CONNECTION *s, int mt) } #ifndef OPENSSL_NO_COMP_ALG if (mt == SSL3_MT_COMPRESSED_CERTIFICATE - && s->ext.compress_certificate_sent) { + && s->ext.compress_certificate_sent) { st->hand_state = TLS_ST_SR_COMP_CERT; return 1; } @@ -226,7 +226,7 @@ int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt) * cert. */ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); return 0; } st->hand_state = TLS_ST_SR_KEY_EXCH; @@ -321,7 +321,7 @@ int ossl_statem_server_read_transition(SSL_CONNECTION *s, int mt) break; } - err: +err: /* No valid transition found */ if (SSL_CONNECTION_IS_DTLS(s) && mt == SSL3_MT_CHANGE_CIPHER_SPEC) { BIO *rbio; @@ -361,10 +361,10 @@ static int send_server_key_exchange(SSL_CONNECTION *s) * key exchange. */ if (alg_k & (SSL_kDHE | SSL_kECDHE) - /* - * PSK: send ServerKeyExchange if PSK identity hint if - * provided - */ + /* + * PSK: send ServerKeyExchange if PSK identity hint if + * provided + */ #ifndef OPENSSL_NO_PSK /* Only send SKE if we have identity hint for plain PSK */ || ((alg_k & (SSL_kPSK | SSL_kRSAPSK)) @@ -376,7 +376,7 @@ static int send_server_key_exchange(SSL_CONNECTION *s) /* SRP: send ServerKeyExchange */ || (alg_k & SSL_kSRP) #endif - ) { + ) { return 1; } @@ -414,40 +414,39 @@ static int get_compressed_certificate_alg(SSL_CONNECTION *sc) int send_certificate_request(SSL_CONNECTION *s) { if ( - /* don't request cert unless asked for it: */ - s->verify_mode & SSL_VERIFY_PEER - /* - * don't request if post-handshake-only unless doing - * post-handshake in TLSv1.3: - */ - && (!SSL_CONNECTION_IS_TLS13(s) - || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) - || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) - /* - * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert - * a second time: - */ - && (s->certreqs_sent < 1 || - !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) - /* - * never request cert in anonymous ciphersuites (see - * section "Certificate request" in SSL 3 drafts and in - * RFC 2246): - */ - && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL) - /* - * ... except when the application insists on - * verification (against the specs, but statem_clnt.c accepts - * this for SSL 3) - */ - || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) - /* don't request certificate for SRP auth */ - && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP) - /* - * With normal PSK Certificates and Certificate Requests - * are omitted - */ - && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) { + /* don't request cert unless asked for it: */ + s->verify_mode & SSL_VERIFY_PEER + /* + * don't request if post-handshake-only unless doing + * post-handshake in TLSv1.3: + */ + && (!SSL_CONNECTION_IS_TLS13(s) + || !(s->verify_mode & SSL_VERIFY_POST_HANDSHAKE) + || s->post_handshake_auth == SSL_PHA_REQUEST_PENDING) + /* + * if SSL_VERIFY_CLIENT_ONCE is set, don't request cert + * a second time: + */ + && (s->certreqs_sent < 1 || !(s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) + /* + * never request cert in anonymous ciphersuites (see + * section "Certificate request" in SSL 3 drafts and in + * RFC 2246): + */ + && (!(s->s3.tmp.new_cipher->algorithm_auth & SSL_aNULL) + /* + * ... except when the application insists on + * verification (against the specs, but statem_clnt.c accepts + * this for SSL 3) + */ + || (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) + /* don't request certificate for SRP auth */ + && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aSRP) + /* + * With normal PSK Certificates and Certificate Requests + * are omitted + */ + && !(s->s3.tmp.new_cipher->algorithm_auth & SSL_aPSK)) { return 1; } @@ -503,7 +502,7 @@ static WRITE_TRAN ossl_statem_server13_write_transition(SSL_CONNECTION *s) case TLS_ST_SW_SRVR_HELLO: if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 - && s->hello_retry_request != SSL_HRR_COMPLETE) + && s->hello_retry_request != SSL_HRR_COMPLETE) st->hand_state = TLS_ST_SW_CHANGE; else if (s->hello_retry_request == SSL_HRR_PENDING) st->hand_state = TLS_ST_EARLY_DATA; @@ -670,8 +669,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL_CONNECTION *s) } else { /* Check if it is anon DH or anon ECDH, */ /* normal PSK or SRP */ - if (!(s->s3.tmp.new_cipher->algorithm_auth & - (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { + if (!(s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP | SSL_aPSK))) { st->hand_state = TLS_ST_SW_CERT; } else if (send_server_key_exchange(s)) { st->hand_state = TLS_ST_SW_KEY_EXCH; @@ -791,7 +789,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_SESSION_TICKET: if (SSL_CONNECTION_IS_TLS13(s) && s->sent_tickets == 0 - && s->ext.extra_tickets_expected == 0) { + && s->ext.extra_tickets_expected == 0) { /* * Actually this is the end of the handshake, but we're going * straight into writing the session ticket out. So we finish off @@ -837,7 +835,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_EARLY_DATA: if (s->early_data_state != SSL_EARLY_DATA_ACCEPTING - && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0) + && (s->s3.flags & TLS1_FLAGS_STATELESS) == 0) return WORK_FINISHED_CONTINUE; /* @@ -847,8 +845,7 @@ WORK_STATE ossl_statem_server_pre_work(SSL_CONNECTION *s, WORK_STATE wst) if (SSL_NO_EOED(s) && s->ext.early_data == SSL_EARLY_DATA_ACCEPTED && s->early_data_state != SSL_EARLY_DATA_FINISHED_READING) { s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; - if (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE - | SSL3_CHANGE_CIPHER_SERVER_READ)) { + if (!ssl->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return WORK_ERROR; } @@ -928,7 +925,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (SSL_CONNECTION_IS_TLS13(s) && s->hello_retry_request == SSL_HRR_PENDING) { if ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) == 0 - && statem_flush(s) != 1) + && statem_flush(s) != 1) return WORK_MORE_A; break; } @@ -943,7 +940,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) * SCTP used. */ memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, - sizeof(DTLS1_SCTP_AUTH_LABEL)); + sizeof(DTLS1_SCTP_AUTH_LABEL)); /* Don't include the terminating zero. */ labellen = sizeof(labelbuffer) - 1; @@ -951,20 +948,21 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) labellen += 1; if (SSL_export_keying_material(ssl, sctpauthkey, - sizeof(sctpauthkey), labelbuffer, - labellen, NULL, 0, - 0) <= 0) { + sizeof(sctpauthkey), labelbuffer, + labellen, NULL, 0, + 0) + <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return WORK_ERROR; } BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, - sizeof(sctpauthkey), sctpauthkey); + sizeof(sctpauthkey), sctpauthkey); } #endif if (!SSL_CONNECTION_IS_TLS13(s) - || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 - && s->hello_retry_request != SSL_HRR_COMPLETE)) + || ((s->options & SSL_OP_ENABLE_MIDDLEBOX_COMPAT) != 0 + && s->hello_retry_request != SSL_HRR_COMPLETE)) break; /* Fall through */ @@ -979,14 +977,14 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) if (!ssl->method->ssl3_enc->setup_key_block(s) || !tls13_store_handshake_traffic_hash(s) || !ssl->method->ssl3_enc->change_cipher_state(s, - SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_WRITE)) { /* SSLfatal() already called */ return WORK_ERROR; } if (s->ext.early_data != SSL_EARLY_DATA_ACCEPTED && !ssl->method->ssl3_enc->change_cipher_state(s, - SSL3_CC_HANDSHAKE |SSL3_CHANGE_CIPHER_SERVER_READ)) { + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { /* SSLfatal() already called */ return WORK_ERROR; } @@ -1007,11 +1005,11 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) * no SCTP used. */ BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, - 0, NULL); + 0, NULL); } #endif if (!ssl->method->ssl3_enc->change_cipher_state(s, - SSL3_CHANGE_CIPHER_SERVER_WRITE)) { + SSL3_CHANGE_CIPHER_SERVER_WRITE)) { /* SSLfatal() already called */ return WORK_ERROR; } @@ -1032,20 +1030,20 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) * no SCTP used. */ BIO_ctrl(SSL_get_wbio(ssl), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, - 0, NULL); + 0, NULL); } #endif if (SSL_CONNECTION_IS_TLS13(s)) { /* TLS 1.3 gets the secret size from the handshake md */ size_t dummy; if (!ssl->method->ssl3_enc->generate_master_secret(s, - s->master_secret, s->handshake_secret, 0, - &dummy) + s->master_secret, s->handshake_secret, 0, + &dummy) || !tls13_store_server_finished_hash(s) || !ssl->method->ssl3_enc->change_cipher_state(s, - SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) - /* SSLfatal() already called */ - return WORK_ERROR; + SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_WRITE)) + /* SSLfatal() already called */ + return WORK_ERROR; } break; @@ -1055,7 +1053,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) return WORK_MORE_A; } else { if (!SSL_CONNECTION_IS_TLS13(s) - || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) + || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } break; @@ -1063,7 +1061,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) case TLS_ST_SW_ENCRYPTED_EXTENSIONS: if (!s->hit && !send_certificate_request(s)) { if (!SSL_CONNECTION_IS_TLS13(s) - || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) + || (s->options & SSL_OP_NO_TX_CERTIFICATE_COMPRESSION) != 0) s->ext.compress_certificate_from_peer[0] = TLSEXT_comp_cert_none; } break; @@ -1081,7 +1079,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) clear_sys_error(); if (SSL_CONNECTION_IS_TLS13(s) && statem_flush(s) != 1) { if (SSL_get_error(ssl, 0) == SSL_ERROR_SYSCALL - && conn_is_closed()) { + && conn_is_closed()) { /* * We ignore connection closed errors in TLSv1.3 when sending a * NewSessionTicket and behave as if we were successful. This is @@ -1110,7 +1108,7 @@ WORK_STATE ossl_statem_server_post_work(SSL_CONNECTION *s, WORK_STATE wst) * 0: Error */ int ossl_statem_server_construct_message(SSL_CONNECTION *s, - confunc_f *confunc, int *mt) + confunc_f *confunc, int *mt) { OSSL_STATEM *st = &s->statem; @@ -1161,7 +1159,6 @@ int ossl_statem_server_construct_message(SSL_CONNECTION *s, *mt = SSL3_MT_CERTIFICATE_VERIFY; break; - case TLS_ST_SW_KEY_EXCH: *confunc = tls_construct_server_key_exchange; *mt = SSL3_MT_SERVER_KEY_EXCHANGE; @@ -1226,10 +1223,10 @@ int ossl_statem_server_construct_message(SSL_CONNECTION *s, * 2 + # length of extensions * 2^16-1 # maximum length of extensions */ -#define CLIENT_HELLO_MAX_LENGTH 131396 +#define CLIENT_HELLO_MAX_LENGTH 131396 -#define CLIENT_KEY_EXCH_MAX_LENGTH 2048 -#define NEXT_PROTO_MAX_LENGTH 514 +#define CLIENT_KEY_EXCH_MAX_LENGTH 2048 +#define NEXT_PROTO_MAX_LENGTH 514 /* * Returns the maximum allowed length for the current message that we are @@ -1280,7 +1277,7 @@ size_t ossl_statem_server_max_message_size(SSL_CONNECTION *s) * Process a message that the server has received from the client. */ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s, - PACKET *pkt) + PACKET *pkt) { OSSL_STATEM *st = &s->statem; @@ -1323,7 +1320,6 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s, case TLS_ST_SR_KEY_UPDATE: return tls_process_key_update(s, pkt); - } } @@ -1332,7 +1328,7 @@ MSG_PROCESS_RETURN ossl_statem_server_process_message(SSL_CONNECTION *s, * from the client */ WORK_STATE ossl_statem_server_post_process_message(SSL_CONNECTION *s, - WORK_STATE wst) + WORK_STATE wst) { OSSL_STATEM *st = &s->statem; @@ -1357,15 +1353,14 @@ static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s) int ret; int al = SSL_AD_UNRECOGNIZED_NAME; - if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) && - (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { + if ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_kSRP) && (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) { if (s->srp_ctx.login == NULL) { /* * RFC 5054 says SHOULD reject, we do so if There is no srp * login name */ SSLfatal(s, SSL_AD_UNKNOWN_PSK_IDENTITY, - SSL_R_PSK_IDENTITY_NOT_FOUND); + SSL_R_PSK_IDENTITY_NOT_FOUND); return -1; } else { ret = ssl_srp_server_param_with_username_intern(s, &al); @@ -1373,9 +1368,9 @@ static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s) return 0; if (ret == SSL3_AL_FATAL) { SSLfatal(s, al, - al == SSL_AD_UNKNOWN_PSK_IDENTITY - ? SSL_R_PSK_IDENTITY_NOT_FOUND - : SSL_R_CLIENTHELLO_TLSEXT); + al == SSL_AD_UNKNOWN_PSK_IDENTITY + ? SSL_R_PSK_IDENTITY_NOT_FOUND + : SSL_R_CLIENTHELLO_TLSEXT); return -1; } } @@ -1385,25 +1380,26 @@ static int ssl_check_srp_ext_ClientHello(SSL_CONNECTION *s) #endif int dtls_raw_hello_verify_request(WPACKET *pkt, unsigned char *cookie, - size_t cookie_len) + size_t cookie_len) { /* Always use DTLS 1.0 version: see RFC 6347 */ if (!WPACKET_put_bytes_u16(pkt, DTLS1_VERSION) - || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len)) + || !WPACKET_sub_memcpy_u8(pkt, cookie, cookie_len)) return 0; return 1; } CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, - WPACKET *pkt) + WPACKET *pkt) { unsigned int cookie_leni; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); if (sctx->app_gen_cookie_cb == NULL || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s), s->d1->cookie, - &cookie_leni) == 0 + &cookie_leni) + == 0 || cookie_leni > DTLS1_COOKIE_LENGTH) { SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE); return CON_FUNC_ERROR; @@ -1411,7 +1407,7 @@ CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, s->d1->cookie_len = cookie_leni; if (!dtls_raw_hello_verify_request(pkt, s->d1->cookie, - s->d1->cookie_len)) { + s->d1->cookie_len)) { SSLfatal(s, SSL_AD_NO_ALERT, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } @@ -1434,29 +1430,45 @@ CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s, * 10.8..10.8.3 (which don't work). */ static void ssl_check_for_safari(SSL_CONNECTION *s, - const CLIENTHELLO_MSG *hello) + const CLIENTHELLO_MSG *hello) { static const unsigned char kSafariExtensionsBlock[] = { - 0x00, 0x0a, /* elliptic_curves extension */ - 0x00, 0x08, /* 8 bytes */ - 0x00, 0x06, /* 6 bytes of curve ids */ - 0x00, 0x17, /* P-256 */ - 0x00, 0x18, /* P-384 */ - 0x00, 0x19, /* P-521 */ - - 0x00, 0x0b, /* ec_point_formats */ - 0x00, 0x02, /* 2 bytes */ - 0x01, /* 1 point format */ - 0x00, /* uncompressed */ + 0x00, + 0x0a, /* elliptic_curves extension */ + 0x00, + 0x08, /* 8 bytes */ + 0x00, + 0x06, /* 6 bytes of curve ids */ + 0x00, + 0x17, /* P-256 */ + 0x00, + 0x18, /* P-384 */ + 0x00, + 0x19, /* P-521 */ + + 0x00, + 0x0b, /* ec_point_formats */ + 0x00, + 0x02, /* 2 bytes */ + 0x01, /* 1 point format */ + 0x00, /* uncompressed */ /* The following is only present in TLS 1.2 */ - 0x00, 0x0d, /* signature_algorithms */ - 0x00, 0x0c, /* 12 bytes */ - 0x00, 0x0a, /* 10 bytes */ - 0x05, 0x01, /* SHA-384/RSA */ - 0x04, 0x01, /* SHA-256/RSA */ - 0x02, 0x01, /* SHA-1/RSA */ - 0x04, 0x03, /* SHA-256/ECDSA */ - 0x02, 0x03, /* SHA-1/ECDSA */ + 0x00, + 0x0d, /* signature_algorithms */ + 0x00, + 0x0c, /* 12 bytes */ + 0x00, + 0x0a, /* 10 bytes */ + 0x05, + 0x01, /* SHA-384/RSA */ + 0x04, + 0x01, /* SHA-256/RSA */ + 0x02, + 0x01, /* SHA-1/RSA */ + 0x04, + 0x03, /* SHA-256/ECDSA */ + 0x02, + 0x03, /* SHA-1/ECDSA */ }; /* Length of the common prefix (first two extensions). */ static const size_t kSafariCommonExtensionsLength = 18; @@ -1476,16 +1488,18 @@ static void ssl_check_for_safari(SSL_CONNECTION *s, return; ext_len = TLS1_get_client_version( - SSL_CONNECTION_GET_SSL(s)) >= TLS1_2_VERSION ? - sizeof(kSafariExtensionsBlock) : kSafariCommonExtensionsLength; + SSL_CONNECTION_GET_SSL(s)) + >= TLS1_2_VERSION + ? sizeof(kSafariExtensionsBlock) + : kSafariCommonExtensionsLength; s->s3.is_probably_safari = PACKET_equal(&tmppkt, kSafariExtensionsBlock, - ext_len); + ext_len); } -#define RENEG_OPTIONS_OK(options) \ +#define RENEG_OPTIONS_OK(options) \ ((options & SSL_OP_NO_RENEGOTIATION) == 0 \ - && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0) + && (options & SSL_OP_ALLOW_CLIENT_RENEGOTIATION) != 0) MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) { @@ -1501,9 +1515,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) goto err; } if (!RENEG_OPTIONS_OK(s->options) - || (!s->s3.send_connection_binding - && (s->options - & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) == 0)) { + || (!s->s3.send_connection_binding + && (s->options + & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) + == 0)) { ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_NO_RENEGOTIATION); return MSG_PROCESS_FINISHED_READING; } @@ -1527,7 +1542,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) unsigned int mt; if (!SSL_IS_FIRST_HANDSHAKE(s) - || s->hello_retry_request != SSL_HRR_NONE) { + || s->hello_retry_request != SSL_HRR_NONE) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); goto err; } @@ -1587,7 +1602,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) } if (!PACKET_get_sub_packet(pkt, &clienthello->ciphersuites, - ciphersuite_len) + ciphersuite_len) || !PACKET_copy_bytes(pkt, clienthello->session_id, session_id_len) || !PACKET_get_sub_packet(pkt, &challenge, challenge_len) /* No extensions. */ @@ -1603,11 +1618,11 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) * sizeof(clienthello->random) does. */ challenge_len = challenge_len > SSL3_RANDOM_SIZE - ? SSL3_RANDOM_SIZE : challenge_len; + ? SSL3_RANDOM_SIZE + : challenge_len; memset(clienthello->random, 0, SSL3_RANDOM_SIZE); if (!PACKET_copy_bytes(&challenge, - clienthello->random + SSL3_RANDOM_SIZE - - challenge_len, challenge_len) + clienthello->random + SSL3_RANDOM_SIZE - challenge_len, challenge_len) /* Advertise only null compression. */ || !PACKET_buf_init(&compression, &null_compression, 1)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -1620,8 +1635,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) if (!PACKET_copy_bytes(pkt, clienthello->random, SSL3_RANDOM_SIZE) || !PACKET_get_length_prefixed_1(pkt, &session_id) || !PACKET_copy_all(&session_id, clienthello->session_id, - SSL_MAX_SSL_SESSION_ID_LENGTH, - &clienthello->session_id_len)) { + SSL_MAX_SSL_SESSION_ID_LENGTH, + &clienthello->session_id_len)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); goto err; } @@ -1632,8 +1647,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) goto err; } if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie, - DTLS1_COOKIE_LENGTH, - &clienthello->dtls_cookie_len)) { + DTLS1_COOKIE_LENGTH, + &clienthello->dtls_cookie_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -1665,7 +1680,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) PACKET_null_init(&clienthello->extensions); } else { if (!PACKET_get_length_prefixed_2(pkt, &clienthello->extensions) - || PACKET_remaining(pkt) != 0) { + || PACKET_remaining(pkt) != 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); goto err; } @@ -1673,8 +1688,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) } if (!PACKET_copy_all(&compression, clienthello->compressions, - MAX_COMPRESSIONS_SIZE, - &clienthello->compressions_len)) { + MAX_COMPRESSIONS_SIZE, + &clienthello->compressions_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -1682,8 +1697,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) /* Preserve the raw extensions PACKET for later use */ extensions = clienthello->extensions; if (!tls_collect_extensions(s, &extensions, SSL_EXT_CLIENT_HELLO, - &clienthello->pre_proc_exts, - &clienthello->pre_proc_exts_len, 1)) { + &clienthello->pre_proc_exts, + &clienthello->pre_proc_exts_len, 1)) { /* SSLfatal already been called */ goto err; } @@ -1691,7 +1706,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt) return MSG_PROCESS_CONTINUE_PROCESSING; - err: +err: if (clienthello != NULL) OPENSSL_free(clienthello->pre_proc_exts); OPENSSL_free(clienthello); @@ -1741,8 +1756,8 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (clienthello->isv2) { if (clienthello->legacy_version == SSL2_VERSION - || (clienthello->legacy_version & 0xff00) - != (SSL3_VERSION_MAJOR << 8)) { + || (clienthello->legacy_version & 0xff00) + != (SSL3_VERSION_MAJOR << 8)) { /* * This is real SSLv2 or something completely unknown. We don't * support it. @@ -1778,16 +1793,18 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (SSL_get_options(ssl) & SSL_OP_COOKIE_EXCHANGE) { if (sctx->app_verify_cookie_cb != NULL) { if (sctx->app_verify_cookie_cb(ussl, clienthello->dtls_cookie, - clienthello->dtls_cookie_len) == 0) { + clienthello->dtls_cookie_len) + == 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_COOKIE_MISMATCH); + SSL_R_COOKIE_MISMATCH); goto err; /* else cookie verification succeeded */ } /* default verification */ } else if (s->d1->cookie_len != clienthello->dtls_cookie_len - || memcmp(clienthello->dtls_cookie, s->d1->cookie, - s->d1->cookie_len) != 0) { + || memcmp(clienthello->dtls_cookie, s->d1->cookie, + s->d1->cookie_len) + != 0) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_COOKIE_MISMATCH); goto err; } @@ -1798,9 +1815,9 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) s->hit = 0; if (!ssl_cache_cipherlist(s, &clienthello->ciphersuites, - clienthello->isv2) || - !ossl_bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, - &scsvs, clienthello->isv2, 1)) { + clienthello->isv2) + || !ossl_bytes_to_cipher_list(s, &clienthello->ciphersuites, &ciphers, + &scsvs, clienthello->isv2, 1)) { /* SSLfatal() already called */ goto err; } @@ -1814,12 +1831,11 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (s->renegotiate) { /* SCSV is fatal if renegotiating */ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); goto err; } s->s3.send_connection_binding = 1; - } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && - !ssl_check_version_downgrade(s)) { + } else if (SSL_CIPHER_get_id(c) == SSL3_CK_FALLBACK_SCSV && !ssl_check_version_downgrade(s)) { /* * This SCSV indicates that the client previously tried * a higher version. We should fail if the current version @@ -1828,7 +1844,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * an insecure downgrade. */ SSLfatal(s, SSL_AD_INAPPROPRIATE_FALLBACK, - SSL_R_INAPPROPRIATE_FALLBACK); + SSL_R_INAPPROPRIATE_FALLBACK); goto err; } } @@ -1836,16 +1852,15 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) /* For TLSv1.3 we must select the ciphersuite *before* session resumption */ if (SSL_CONNECTION_IS_TLS13(s)) { - const SSL_CIPHER *cipher = - ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl)); + const SSL_CIPHER *cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(ssl)); if (cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); goto err; } if (s->hello_retry_request == SSL_HRR_PENDING - && (s->s3.tmp.new_cipher == NULL - || s->s3.tmp.new_cipher->id != cipher->id)) { + && (s->s3.tmp.new_cipher == NULL + || s->s3.tmp.new_cipher->id != cipher->id)) { /* * A previous HRR picked a different ciphersuite to the one we * just selected. Something must have changed. @@ -1858,8 +1873,8 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) /* We need to do this before getting the session */ if (!tls_parse_extension(s, TLSEXT_IDX_extended_master_secret, - SSL_EXT_CLIENT_HELLO, - clienthello->pre_proc_exts, NULL, 0)) { + SSL_EXT_CLIENT_HELLO, + clienthello->pre_proc_exts, NULL, 0)) { /* SSLfatal() already called */ goto err; } @@ -1880,9 +1895,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if (clienthello->isv2 || - (s->new_session && - (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { + if (clienthello->isv2 || (s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s, 1)) { /* SSLfatal() already called */ goto err; @@ -1906,7 +1919,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) if (SSL_CONNECTION_IS_TLS13(s)) { memcpy(s->tmp_session_id, s->clienthello->session_id, - s->clienthello->session_id_len); + s->clienthello->session_id_len); s->tmp_session_id_len = s->clienthello->session_id_len; } @@ -1918,15 +1931,16 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) j = 0; id = s->session->cipher->id; - OSSL_TRACE_BEGIN(TLS_CIPHER) { + OSSL_TRACE_BEGIN(TLS_CIPHER) + { BIO_printf(trc_out, "client sent %d ciphers\n", - sk_SSL_CIPHER_num(ciphers)); + sk_SSL_CIPHER_num(ciphers)); } for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { c = sk_SSL_CIPHER_value(ciphers, i); if (trc_out != NULL) BIO_printf(trc_out, "client [%2d of %2d]:%s\n", i, - sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c)); + sk_SSL_CIPHER_num(ciphers), SSL_CIPHER_get_name(c)); if (c->id == id) { j = 1; break; @@ -1938,7 +1952,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) * to reuse it */ SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_R_REQUIRED_CIPHER_MISSING); + SSL_R_REQUIRED_CIPHER_MISSING); OSSL_TRACE_CANCEL(TLS_CIPHER); goto err; } @@ -1952,9 +1966,10 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } /* Make sure at least the null compression is supported. */ if (memchr(clienthello->compressions, 0, - clienthello->compressions_len) == NULL) { + clienthello->compressions_len) + == NULL) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); + SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); goto err; } @@ -1963,7 +1978,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) /* TLS extensions */ if (!tls_parse_all_extensions(s, SSL_EXT_CLIENT_HELLO, - clienthello->pre_proc_exts, NULL, 0, 1)) { + clienthello->pre_proc_exts, NULL, 0, 1)) { /* SSLfatal() already called */ goto err; } @@ -1989,10 +2004,10 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } if (!s->hit - && s->version >= TLS1_VERSION - && !SSL_CONNECTION_IS_TLS13(s) - && !SSL_CONNECTION_IS_DTLS(s) - && s->ext.session_secret_cb != NULL) { + && s->version >= TLS1_VERSION + && !SSL_CONNECTION_IS_TLS13(s) + && !SSL_CONNECTION_IS_DTLS(s) + && s->ext.session_secret_cb != NULL) { const SSL_CIPHER *pref_cipher = NULL; /* * s->session->master_key_length is a size_t, but this is an int for @@ -2002,10 +2017,10 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) master_key_length = sizeof(s->session->master_key); if (s->ext.session_secret_cb(ussl, s->session->master_key, - &master_key_length, ciphers, - &pref_cipher, - s->ext.session_secret_cb_arg) - && master_key_length > 0) { + &master_key_length, ciphers, + &pref_cipher, + s->ext.session_secret_cb_arg) + && master_key_length > 0) { s->session->master_key_length = master_key_length; s->hit = 1; s->peer_ciphers = ciphers; @@ -2016,7 +2031,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) /* check if some cipher was preferred by call back */ if (pref_cipher == NULL) pref_cipher = ssl3_choose_cipher(s, s->peer_ciphers, - SSL_get_ciphers(ssl)); + SSL_get_ciphers(ssl)); if (pref_cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_NO_SHARED_CIPHER); goto err; @@ -2044,7 +2059,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) */ if (clienthello->compressions_len != 1) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_R_INVALID_COMPRESSION_ALGORITHM); + SSL_R_INVALID_COMPRESSION_ALGORITHM); goto err; } } @@ -2057,7 +2072,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) /* Can't disable compression */ if (!ssl_allow_compression(s)) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_INCONSISTENT_COMPRESSION); + SSL_R_INCONSISTENT_COMPRESSION); goto err; } /* Look for resumed compression method */ @@ -2070,7 +2085,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } if (s->s3.tmp.new_compression == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_INVALID_COMPRESSION_ALGORITHM); + SSL_R_INVALID_COMPRESSION_ALGORITHM); goto err; } /* Look for resumed method in compression list */ @@ -2080,7 +2095,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) } if (k >= clienthello->compressions_len) { SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, - SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); + SSL_R_REQUIRED_COMPRESSION_ALGORITHM_MISSING); goto err; } } else if (s->hit) { @@ -2147,7 +2162,7 @@ static int tls_early_post_process_client_hello(SSL_CONNECTION *s) OPENSSL_free(s->clienthello); s->clienthello = NULL; return 1; - err: +err: sk_SSL_CIPHER_free(ciphers); sk_SSL_CIPHER_free(scsvs); OPENSSL_free(clienthello->pre_proc_exts); @@ -2174,7 +2189,7 @@ static int tls_handle_status_request(SSL_CONNECTION *s) * influence which certificate is sent */ if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && sctx != NULL - && sctx->ext.status_cb != NULL) { + && sctx->ext.status_cb != NULL) { int ret; /* If no certificate can't return certificate status */ @@ -2185,7 +2200,7 @@ static int tls_handle_status_request(SSL_CONNECTION *s) */ s->cert->key = s->s3.tmp.cert; ret = sctx->ext.status_cb(SSL_CONNECTION_GET_USER_SSL(s), - sctx->ext.status_arg); + sctx->ext.status_arg); switch (ret) { /* We don't want to send a status request response */ case SSL_TLSEXT_ERR_NOACK: @@ -2220,10 +2235,10 @@ int tls_handle_alpn(SSL_CONNECTION *s) if (sctx->ext.alpn_select_cb != NULL && s->s3.alpn_proposed != NULL) { int r = sctx->ext.alpn_select_cb(SSL_CONNECTION_GET_USER_SSL(s), - &selected, &selected_len, - s->s3.alpn_proposed, - (unsigned int)s->s3.alpn_proposed_len, - sctx->ext.alpn_select_cb_arg); + &selected, &selected_len, + s->s3.alpn_proposed, + (unsigned int)s->s3.alpn_proposed_len, + sctx->ext.alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { OPENSSL_free(s->s3.alpn_selected); @@ -2241,9 +2256,10 @@ int tls_handle_alpn(SSL_CONNECTION *s) /* Check ALPN is consistent with session */ if (s->session->ext.alpn_selected == NULL - || selected_len != s->session->ext.alpn_selected_len - || memcmp(selected, s->session->ext.alpn_selected, - selected_len) != 0) { + || selected_len != s->session->ext.alpn_selected_len + || memcmp(selected, s->session->ext.alpn_selected, + selected_len) + != 0) { /* Not consistent so can't be used for early_data */ s->ext.early_data_ok = 0; @@ -2255,14 +2271,14 @@ int tls_handle_alpn(SSL_CONNECTION *s) */ if (!ossl_assert(s->session->ext.alpn_selected == NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, - ERR_R_INTERNAL_ERROR); + ERR_R_INTERNAL_ERROR); return 0; } s->session->ext.alpn_selected = OPENSSL_memdup(selected, - selected_len); + selected_len); if (s->session->ext.alpn_selected == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, - ERR_R_INTERNAL_ERROR); + ERR_R_INTERNAL_ERROR); return 0; } s->session->ext.alpn_selected_len = selected_len; @@ -2272,7 +2288,7 @@ int tls_handle_alpn(SSL_CONNECTION *s) return 1; } else if (r != SSL_TLSEXT_ERR_NOACK) { SSLfatal(s, SSL_AD_NO_APPLICATION_PROTOCOL, - SSL_R_NO_APPLICATION_PROTOCOL); + SSL_R_NO_APPLICATION_PROTOCOL); return 0; } /* @@ -2325,13 +2341,12 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) /* In TLSv1.3 we selected the ciphersuite before resumption */ if (!SSL_CONNECTION_IS_TLS13(s)) { - cipher = - ssl3_choose_cipher(s, s->peer_ciphers, - SSL_get_ciphers(ssl)); + cipher = ssl3_choose_cipher(s, s->peer_ciphers, + SSL_get_ciphers(ssl)); if (cipher == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_NO_SHARED_CIPHER); + SSL_R_NO_SHARED_CIPHER); goto err; } s->s3.tmp.new_cipher = cipher; @@ -2343,10 +2358,10 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) } /* check whether we should disable session resumption */ if (s->not_resumable_session_cb != NULL) - s->session->not_resumable = - s->not_resumable_session_cb(ussl, - ((s->s3.tmp.new_cipher->algorithm_mkey - & (SSL_kDHE | SSL_kECDHE)) != 0)); + s->session->not_resumable = s->not_resumable_session_cb(ussl, + ((s->s3.tmp.new_cipher->algorithm_mkey + & (SSL_kDHE | SSL_kECDHE)) + != 0)); if (s->session->not_resumable) /* do not send a session ticket */ s->ext.ticket_expected = 0; @@ -2407,7 +2422,7 @@ WORK_STATE tls_post_process_client_hello(SSL_CONNECTION *s, WORK_STATE wst) #endif return WORK_FINISHED_STOP; - err: +err: return WORK_ERROR; } @@ -2418,18 +2433,19 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) int version; unsigned char *session_id; int usetls13 = SSL_CONNECTION_IS_TLS13(s) - || s->hello_retry_request == SSL_HRR_PENDING; + || s->hello_retry_request == SSL_HRR_PENDING; version = usetls13 ? TLS1_2_VERSION : s->version; if (!WPACKET_put_bytes_u16(pkt, version) - /* - * Random stuff. Filling of the server_random takes place in - * tls_process_client_hello() - */ - || !WPACKET_memcpy(pkt, - s->hello_retry_request == SSL_HRR_PENDING - ? hrrrandom : s->s3.server_random, - SSL3_RANDOM_SIZE)) { + /* + * Random stuff. Filling of the server_random takes place in + * tls_process_client_hello() + */ + || !WPACKET_memcpy(pkt, + s->hello_retry_request == SSL_HRR_PENDING + ? hrrrandom + : s->s3.server_random, + SSL3_RANDOM_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } @@ -2453,7 +2469,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) * to send back. */ if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER) - && !s->hit) + && !s->hit) s->session->session_id_length = 0; if (usetls13) { @@ -2480,20 +2496,20 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) #endif if (!WPACKET_sub_memcpy_u8(pkt, session_id, sl) - || !SSL_CONNECTION_GET_SSL(s)->method->put_cipher_by_char(s->s3.tmp.new_cipher, - pkt, &len) - || !WPACKET_put_bytes_u8(pkt, compm)) { + || !SSL_CONNECTION_GET_SSL(s)->method->put_cipher_by_char(s->s3.tmp.new_cipher, + pkt, &len) + || !WPACKET_put_bytes_u8(pkt, compm)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } if (!tls_construct_extensions(s, pkt, - s->hello_retry_request == SSL_HRR_PENDING - ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST - : (SSL_CONNECTION_IS_TLS13(s) - ? SSL_EXT_TLS1_3_SERVER_HELLO - : SSL_EXT_TLS1_2_SERVER_HELLO), - NULL, 0)) { + s->hello_retry_request == SSL_HRR_PENDING + ? SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST + : (SSL_CONNECTION_IS_TLS13(s) + ? SSL_EXT_TLS1_3_SERVER_HELLO + : SSL_EXT_TLS1_2_SERVER_HELLO), + NULL, 0)) { /* SSLfatal() already called */ return CON_FUNC_ERROR; } @@ -2513,7 +2529,7 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt) return CON_FUNC_ERROR; } } else if (!(s->verify_mode & SSL_VERIFY_PEER) - && !ssl3_digest_cached_records(s, 0)) { + && !ssl3_digest_cached_records(s, 0)) { /* SSLfatal() already called */; return CON_FUNC_ERROR; } @@ -2533,7 +2549,7 @@ CON_FUNC_RETURN tls_construct_server_done(SSL_CONNECTION *s, WPACKET *pkt) } CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, - WPACKET *pkt) + WPACKET *pkt) { EVP_PKEY *pkdh = NULL; unsigned char *encodedPoint = NULL; @@ -2567,124 +2583,122 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, /* Plain PSK or RSAPSK nothing to do */ if (type & (SSL_kPSK | SSL_kRSAPSK)) { } else -#endif /* !OPENSSL_NO_PSK */ - if (type & (SSL_kDHE | SSL_kDHEPSK)) { - CERT *cert = s->cert; - EVP_PKEY *pkdhp = NULL; - - if (s->cert->dh_tmp_auto) { - pkdh = ssl_get_auto_dh(s); - if (pkdh == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; +#endif /* !OPENSSL_NO_PSK */ + if (type & (SSL_kDHE | SSL_kDHEPSK)) { + CERT *cert = s->cert; + EVP_PKEY *pkdhp = NULL; + + if (s->cert->dh_tmp_auto) { + pkdh = ssl_get_auto_dh(s); + if (pkdh == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + goto err; + } + pkdhp = pkdh; + } else { + pkdhp = cert->dh_tmp; } - pkdhp = pkdh; - } else { - pkdhp = cert->dh_tmp; - } #if !defined(OPENSSL_NO_DEPRECATED_3_0) - if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { - pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_USER_SSL(s), - 0, 1024)); - if (pkdh == NULL) { + if ((pkdhp == NULL) && (s->cert->dh_tmp_cb != NULL)) { + pkdh = ssl_dh_to_pkey(s->cert->dh_tmp_cb(SSL_CONNECTION_GET_USER_SSL(s), + 0, 1024)); + if (pkdh == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + goto err; + } + pkdhp = pkdh; + } +#endif + if (pkdhp == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); + goto err; + } + if (!ssl_security(s, SSL_SECOP_TMP_DH, + EVP_PKEY_get_security_bits(pkdhp), 0, pkdhp)) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); + goto err; + } + if (s->s3.tmp.pkey != NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } - pkdhp = pkdh; - } -#endif - if (pkdhp == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_TMP_DH_KEY); - goto err; - } - if (!ssl_security(s, SSL_SECOP_TMP_DH, - EVP_PKEY_get_security_bits(pkdhp), 0, pkdhp)) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_DH_KEY_TOO_SMALL); - goto err; - } - if (s->s3.tmp.pkey != NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; - } - s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp); - if (s->s3.tmp.pkey == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; - } + s->s3.tmp.pkey = ssl_generate_pkey(s, pkdhp); + if (s->s3.tmp.pkey == NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + goto err; + } - EVP_PKEY_free(pkdh); - pkdh = NULL; + EVP_PKEY_free(pkdh); + pkdh = NULL; - /* These BIGNUMs need to be freed when we're finished */ - freer = 1; - if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P, - &r[0]) + /* These BIGNUMs need to be freed when we're finished */ + freer = 1; + if (!EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_P, + &r[0]) || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, OSSL_PKEY_PARAM_FFC_G, - &r[1]) + &r[1]) || !EVP_PKEY_get_bn_param(s->s3.tmp.pkey, - OSSL_PKEY_PARAM_PUB_KEY, &r[2])) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; - } - } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { + OSSL_PKEY_PARAM_PUB_KEY, &r[2])) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + goto err; + } + } else if (type & (SSL_kECDHE | SSL_kECDHEPSK)) { - if (s->s3.tmp.pkey != NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); - goto err; - } + if (s->s3.tmp.pkey != NULL) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); + goto err; + } - /* Get NID of appropriate shared curve */ - curve_id = tls1_shared_group(s, -2); - if (curve_id == 0) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); - goto err; - } - /* Cache the group used in the SSL_SESSION */ - s->session->kex_group = curve_id; - /* Generate a new key for this curve */ - s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id); - if (s->s3.tmp.pkey == NULL) { - /* SSLfatal() already called */ - goto err; - } + /* Get NID of appropriate shared curve */ + curve_id = tls1_shared_group(s, -2); + if (curve_id == 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, + SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); + goto err; + } + /* Cache the group used in the SSL_SESSION */ + s->session->kex_group = curve_id; + /* Generate a new key for this curve */ + s->s3.tmp.pkey = ssl_generate_pkey_group(s, curve_id); + if (s->s3.tmp.pkey == NULL) { + /* SSLfatal() already called */ + goto err; + } - /* Encode the public key. */ - encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey, - &encodedPoint); - if (encodedlen == 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); - goto err; - } + /* Encode the public key. */ + encodedlen = EVP_PKEY_get1_encoded_public_key(s->s3.tmp.pkey, + &encodedPoint); + if (encodedlen == 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EC_LIB); + goto err; + } - /* - * We'll generate the serverKeyExchange message explicitly so we - * can set these to NULLs - */ - r[0] = NULL; - r[1] = NULL; - r[2] = NULL; - r[3] = NULL; - } else + /* + * We'll generate the serverKeyExchange message explicitly so we + * can set these to NULLs + */ + r[0] = NULL; + r[1] = NULL; + r[2] = NULL; + r[3] = NULL; + } else #ifndef OPENSSL_NO_SRP - if (type & SSL_kSRP) { - if ((s->srp_ctx.N == NULL) || - (s->srp_ctx.g == NULL) || - (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM); + if (type & SSL_kSRP) { + if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) || (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_MISSING_SRP_PARAM); + goto err; + } + r[0] = s->srp_ctx.N; + r[1] = s->srp_ctx.g; + r[2] = s->srp_ctx.s; + r[3] = s->srp_ctx.B; + } else +#endif + { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); goto err; } - r[0] = s->srp_ctx.N; - r[1] = s->srp_ctx.g; - r[2] = s->srp_ctx.s; - r[3] = s->srp_ctx.B; - } else -#endif - { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); - goto err; - } if (((s->s3.tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) != 0) || ((s->s3.tmp.new_cipher->algorithm_mkey & SSL_PSK)) != 0) { @@ -2697,15 +2711,16 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, #ifndef OPENSSL_NO_PSK if (type & SSL_PSK) { size_t len = (s->cert->psk_identity_hint == NULL) - ? 0 : strlen(s->cert->psk_identity_hint); + ? 0 + : strlen(s->cert->psk_identity_hint); /* * It should not happen that len > PSK_MAX_IDENTITY_LEN - we already * checked this when we set the identity hint - but just in case */ if (len > PSK_MAX_IDENTITY_LEN - || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, - len)) { + || !WPACKET_sub_memcpy_u16(pkt, s->cert->psk_identity_hint, + len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -2746,7 +2761,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, } if (!WPACKET_allocate_bytes(pkt, BN_num_bytes(r[i]), &binval) - || !WPACKET_close(pkt)) { + || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -2762,9 +2777,9 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, * point itself */ if (!WPACKET_put_bytes_u8(pkt, NAMED_CURVE_TYPE) - || !WPACKET_put_bytes_u8(pkt, 0) - || !WPACKET_put_bytes_u8(pkt, curve_id) - || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { + || !WPACKET_put_bytes_u8(pkt, 0) + || !WPACKET_put_bytes_u8(pkt, curve_id) + || !WPACKET_sub_memcpy_u8(pkt, encodedPoint, encodedlen)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -2796,9 +2811,10 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, } if (EVP_DigestSignInit_ex(md_ctx, &pctx, - md == NULL ? NULL : EVP_MD_get0_name(md), - sctx->libctx, sctx->propq, pkey, - NULL) <= 0) { + md == NULL ? NULL : EVP_MD_get0_name(md), + sctx->libctx, sctx->propq, pkey, + NULL) + <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -2810,18 +2826,18 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, } } tbslen = construct_key_exchange_tbs(s, &tbs, - s->init_buf->data + paramoffset, - paramlen); + s->init_buf->data + paramoffset, + paramlen); if (tbslen == 0) { /* SSLfatal() already called */ goto err; } - if (EVP_DigestSign(md_ctx, NULL, &siglen, tbs, tbslen) <=0 - || !WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) - || EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen) <= 0 - || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) - || sigbytes1 != sigbytes2) { + if (EVP_DigestSign(md_ctx, NULL, &siglen, tbs, tbslen) <= 0 + || !WPACKET_sub_reserve_bytes_u16(pkt, siglen, &sigbytes1) + || EVP_DigestSign(md_ctx, sigbytes1, &siglen, tbs, tbslen) <= 0 + || !WPACKET_sub_allocate_bytes_u16(pkt, siglen, &sigbytes2) + || sigbytes1 != sigbytes2) { OPENSSL_free(tbs); SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -2830,7 +2846,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, } ret = CON_FUNC_SUCCESS; - err: +err: EVP_PKEY_free(pkdh); OPENSSL_free(encodedPoint); EVP_MD_CTX_free(md_ctx); @@ -2844,7 +2860,7 @@ CON_FUNC_RETURN tls_construct_server_key_exchange(SSL_CONNECTION *s, } CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, - WPACKET *pkt) + WPACKET *pkt) { if (SSL_CONNECTION_IS_TLS13(s)) { /* Send random context when doing post-handshake auth */ @@ -2857,9 +2873,10 @@ CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, return CON_FUNC_ERROR; } if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, - s->pha_context, s->pha_context_len, 0) <= 0 - || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, - s->pha_context_len)) { + s->pha_context, s->pha_context_len, 0) + <= 0 + || !WPACKET_sub_memcpy_u8(pkt, s->pha_context, + s->pha_context_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } @@ -2876,8 +2893,8 @@ CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, } if (!tls_construct_extensions(s, pkt, - SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, - 0)) { + SSL_EXT_TLS1_3_CERTIFICATE_REQUEST, NULL, + 0)) { /* SSLfatal() already called */ return CON_FUNC_ERROR; } @@ -2896,9 +2913,9 @@ CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, size_t nl = tls12_get_psigalgs(s, 1, &psigs); if (!WPACKET_start_sub_packet_u16(pkt) - || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) - || !tls12_copy_sigalgs(s, pkt, psigs, nl) - || !WPACKET_close(pkt)) { + || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH) + || !tls12_copy_sigalgs(s, pkt, psigs, nl) + || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return CON_FUNC_ERROR; } @@ -2909,7 +2926,7 @@ CON_FUNC_RETURN tls_construct_certificate_request(SSL_CONNECTION *s, return CON_FUNC_ERROR; } - done: +done: s->certreqs_sent++; s->s3.tmp.cert_request = 1; return CON_FUNC_SUCCESS; @@ -2941,8 +2958,8 @@ static int tls_process_cke_psk_preamble(SSL_CONNECTION *s, PACKET *pkt) } psklen = s->psk_server_callback(SSL_CONNECTION_GET_USER_SSL(s), - s->session->psk_identity, - psk, sizeof(psk)); + s->session->psk_identity, + psk, sizeof(psk)); if (psklen > PSK_MAX_PSK_LEN) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); @@ -3028,23 +3045,24 @@ static int tls_process_cke_rsa(SSL_CONNECTION *s, PACKET *pkt) * See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 */ if (EVP_PKEY_decrypt_init(ctx) <= 0 - || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_WITH_TLS_PADDING) <= 0) { + || EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_WITH_TLS_PADDING) <= 0) { SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); goto err; } *p++ = OSSL_PARAM_construct_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, - (unsigned int *)&s->client_version); - if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0) + (unsigned int *)&s->client_version); + if ((s->options & SSL_OP_TLS_ROLLBACK_BUG) != 0) *p++ = OSSL_PARAM_construct_uint( OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, (unsigned int *)&s->version); *p++ = OSSL_PARAM_construct_end(); if (!EVP_PKEY_CTX_set_params(ctx, params) - || EVP_PKEY_decrypt(ctx, rsa_decrypt, &outlen, - PACKET_data(&enc_premaster), - PACKET_remaining(&enc_premaster)) <= 0) { + || EVP_PKEY_decrypt(ctx, rsa_decrypt, &outlen, + PACKET_data(&enc_premaster), + PACKET_remaining(&enc_premaster)) + <= 0) { SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DECRYPTION_FAILED); goto err; } @@ -3066,7 +3084,7 @@ static int tls_process_cke_rsa(SSL_CONNECTION *s, PACKET *pkt) } ret = 1; - err: +err: OPENSSL_free(rsa_decrypt); EVP_PKEY_CTX_free(ctx); return ret; @@ -3118,7 +3136,7 @@ static int tls_process_cke_dhe(SSL_CONNECTION *s, PACKET *pkt) ret = 1; EVP_PKEY_free(s->s3.tmp.pkey); s->s3.tmp.pkey = NULL; - err: +err: EVP_PKEY_free(ckey); return ret; } @@ -3173,7 +3191,7 @@ static int tls_process_cke_ecdhe(SSL_CONNECTION *s, PACKET *pkt) ret = 1; EVP_PKEY_free(s->s3.tmp.pkey); s->s3.tmp.pkey = NULL; - err: +err: EVP_PKEY_free(ckey); return ret; @@ -3275,10 +3293,10 @@ static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt) * We have nothing to do with this blob so we just skip it */ pKX = d2i_GOST_KX_MESSAGE(NULL, &ptr, PACKET_remaining(pkt)); if (pKX == NULL - || pKX->kxBlob == NULL - || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); - goto err; + || pKX->kxBlob == NULL + || ASN1_TYPE_get(pKX->kxBlob) != V_ASN1_SEQUENCE) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); + goto err; } if (!PACKET_forward(pkt, ptr - PACKET_data(pkt))) { @@ -3295,7 +3313,8 @@ static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt) start = pKX->kxBlob->value.sequence->data; if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, start, - inlen) <= 0) { + inlen) + <= 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_DECRYPTION_FAILED); goto err; } @@ -3306,11 +3325,12 @@ static int tls_process_cke_gost(SSL_CONNECTION *s, PACKET *pkt) } /* Check if pubkey from client certificate was used */ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, - NULL) > 0) + NULL) + > 0) s->statem.no_cert_verify = 1; ret = 1; - err: +err: EVP_PKEY_CTX_free(pkey_ctx); GOST_KX_MESSAGE_free(pKX); return ret; @@ -3345,9 +3365,7 @@ static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt) } /* Get our certificate private key */ - pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey != NULL ? - s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : - s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey; + pk = s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey != NULL ? s->cert->pkeys[SSL_PKEY_GOST12_512].privatekey : s->cert->pkeys[SSL_PKEY_GOST12_256].privatekey; if (pk == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_STATE); goto err; @@ -3365,13 +3383,15 @@ static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt) /* Reuse EVP_PKEY_CTRL_SET_IV, make choice in engine code depending on size */ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, - EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) <= 0) { + EVP_PKEY_CTRL_SET_IV, 32, rnd_dgst) + <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); goto err; } if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_DECRYPT, - EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) <= 0) { + EVP_PKEY_CTRL_CIPHER, cipher_nid, NULL) + <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_LIBRARY_BUG); goto err; } @@ -3384,12 +3404,12 @@ static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt) } /* Generate master secret */ if (!ssl_generate_master_secret(s, premaster_secret, outlen, 0)) { - /* SSLfatal() already called */ - goto err; + /* SSLfatal() already called */ + goto err; } ret = 1; - err: +err: EVP_PKEY_CTX_free(pkey_ctx); return ret; #else @@ -3400,7 +3420,7 @@ static int tls_process_cke_gost18(SSL_CONNECTION *s, PACKET *pkt) } MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s, - PACKET *pkt) + PACKET *pkt) { unsigned long alg_k; @@ -3459,7 +3479,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s, } return MSG_PROCESS_CONTINUE_PROCESSING; - err: +err: #ifndef OPENSSL_NO_PSK OPENSSL_clear_free(s->s3.tmp.psk, s->s3.tmp.psklen); s->s3.tmp.psk = NULL; @@ -3469,7 +3489,7 @@ MSG_PROCESS_RETURN tls_process_client_key_exchange(SSL_CONNECTION *s, } WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s, - WORK_STATE wst) + WORK_STATE wst) { #ifndef OPENSSL_NO_SCTP if (wst == WORK_MORE_A) { @@ -3482,7 +3502,7 @@ WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s, * used. */ memcpy(labelbuffer, DTLS1_SCTP_AUTH_LABEL, - sizeof(DTLS1_SCTP_AUTH_LABEL)); + sizeof(DTLS1_SCTP_AUTH_LABEL)); /* Don't include the terminating zero. */ labellen = sizeof(labelbuffer) - 1; @@ -3490,16 +3510,17 @@ WORK_STATE tls_post_process_client_key_exchange(SSL_CONNECTION *s, labellen += 1; if (SSL_export_keying_material(SSL_CONNECTION_GET_SSL(s), - sctpauthkey, - sizeof(sctpauthkey), labelbuffer, - labellen, NULL, 0, - 0) <= 0) { + sctpauthkey, + sizeof(sctpauthkey), labelbuffer, + labellen, NULL, 0, + 0) + <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return WORK_ERROR; } BIO_ctrl(s->wbio, BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, - sizeof(sctpauthkey), sctpauthkey); + sizeof(sctpauthkey), sctpauthkey); } } #endif @@ -3545,15 +3566,15 @@ MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt) if (peer_rpk == NULL) { if ((sc->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) - && (sc->verify_mode & SSL_VERIFY_PEER)) { + && (sc->verify_mode & SSL_VERIFY_PEER)) { SSLfatal(sc, SSL_AD_CERTIFICATE_REQUIRED, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); goto err; } } else { if (ssl_verify_rpk(sc, peer_rpk) <= 0) { SSLfatal(sc, ssl_x509err2alert(sc->verify_result), - SSL_R_CERTIFICATE_VERIFY_FAILED); + SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; } } @@ -3600,8 +3621,8 @@ MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt) /* Save the current hash state for when we receive the CertificateVerify */ if (!ssl_handshake_hash(sc, sc->cert_verify_hash, - sizeof(sc->cert_verify_hash), - &sc->cert_verify_hash_len)) { + sizeof(sc->cert_verify_hash), + &sc->cert_verify_hash_len)) { /* SSLfatal() already called */; goto err; } @@ -3612,13 +3633,13 @@ MSG_PROCESS_RETURN tls_process_client_rpk(SSL_CONNECTION *sc, PACKET *pkt) ret = MSG_PROCESS_CONTINUE_READING; - err: +err: EVP_PKEY_free(peer_rpk); return ret; } MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, - PACKET *pkt) + PACKET *pkt) { int i; MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR; @@ -3643,7 +3664,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, if (s->ext.client_cert_type != TLSEXT_cert_type_x509) { SSLfatal(s, SSL_AD_UNSUPPORTED_CERTIFICATE, - SSL_R_UNKNOWN_CERTIFICATE_TYPE); + SSL_R_UNKNOWN_CERTIFICATE_TYPE); goto err; } @@ -3654,16 +3675,16 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, if (SSL_CONNECTION_IS_TLS13(s) && (!PACKET_get_length_prefixed_1(pkt, &context) - || (s->pha_context == NULL && PACKET_remaining(&context) != 0) - || (s->pha_context != NULL - && !PACKET_equal(&context, s->pha_context, - s->pha_context_len)))) { + || (s->pha_context == NULL && PACKET_remaining(&context) != 0) + || (s->pha_context != NULL + && !PACKET_equal(&context, s->pha_context, + s->pha_context_len)))) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_INVALID_CONTEXT); goto err; } if (!PACKET_get_length_prefixed_3(pkt, &spkt) - || PACKET_remaining(pkt) != 0) { + || PACKET_remaining(pkt) != 0) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH); goto err; } @@ -3700,11 +3721,11 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, goto err; } if (!tls_collect_extensions(s, &extensions, - SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, - NULL, chainidx == 0) + SSL_EXT_TLS1_3_CERTIFICATE, &rawexts, + NULL, chainidx == 0) || !tls_parse_all_extensions(s, SSL_EXT_TLS1_3_CERTIFICATE, - rawexts, x, chainidx, - PACKET_remaining(&spkt) == 0)) { + rawexts, x, chainidx, + PACKET_remaining(&spkt) == 0)) { OPENSSL_free(rawexts); goto err; } @@ -3722,14 +3743,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, /* TLS does not mind 0 certs returned */ if (s->version == SSL3_VERSION) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_NO_CERTIFICATES_RETURNED); + SSL_R_NO_CERTIFICATES_RETURNED); goto err; } /* Fail for TLS only if we required a certificate */ - else if ((s->verify_mode & SSL_VERIFY_PEER) && - (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { + else if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { SSLfatal(s, SSL_AD_CERTIFICATE_REQUIRED, - SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); goto err; } /* No client certificate so digest cached records */ @@ -3742,13 +3762,13 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, i = ssl_verify_cert_chain(s, sk); if (i <= 0) { SSLfatal(s, ssl_x509err2alert(s->verify_result), - SSL_R_CERTIFICATE_VERIFY_FAILED); + SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; } pkey = X509_get0_pubkey(sk_X509_value(sk, 0)); if (pkey == NULL) { SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, - SSL_R_UNKNOWN_CERTIFICATE_TYPE); + SSL_R_UNKNOWN_CERTIFICATE_TYPE); goto err; } } @@ -3799,8 +3819,8 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, /* Save the current hash state for when we receive the CertificateVerify */ if (SSL_CONNECTION_IS_TLS13(s)) { if (!ssl_handshake_hash(s, s->cert_verify_hash, - sizeof(s->cert_verify_hash), - &s->cert_verify_hash_len)) { + sizeof(s->cert_verify_hash), + &s->cert_verify_hash_len)) { /* SSLfatal() already called */ goto err; } @@ -3811,7 +3831,7 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL_CONNECTION *s, ret = MSG_PROCESS_CONTINUE_READING; - err: +err: X509_free(x); OSSL_STACK_OF_X509_free(sk); return ret; @@ -3885,10 +3905,10 @@ CON_FUNC_RETURN tls_construct_server_compressed_certificate(SSL_CONNECTION *sc, * Use pre-compressed certificate */ if (!WPACKET_put_bytes_u16(pkt, alg) - || !WPACKET_put_bytes_u24(pkt, cc->orig_len) - || !WPACKET_start_sub_packet_u24(pkt) - || !WPACKET_memcpy(pkt, cc->data, cc->len) - || !WPACKET_close(pkt)) + || !WPACKET_put_bytes_u24(pkt, cc->orig_len) + || !WPACKET_start_sub_packet_u24(pkt) + || !WPACKET_memcpy(pkt, cc->data, cc->len) + || !WPACKET_close(pkt)) return 0; sc->s3.tmp.cert->cert_comp_used++; @@ -3897,7 +3917,7 @@ CON_FUNC_RETURN tls_construct_server_compressed_certificate(SSL_CONNECTION *sc, #endif static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, - uint32_t age_add, unsigned char *tick_nonce) + uint32_t age_add, unsigned char *tick_nonce) { uint32_t timeout = (uint32_t)ossl_time2seconds(s->session->timeout); @@ -3912,7 +3932,8 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, if (SSL_CONNECTION_IS_TLS13(s)) { if (ossl_time_compare(s->session->timeout, - ossl_seconds2time(ONE_WEEK_SEC)) > 0) + ossl_seconds2time(ONE_WEEK_SEC)) + > 0) timeout = ONE_WEEK_SEC; } else if (s->hit) timeout = 0; @@ -3924,7 +3945,7 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, if (SSL_CONNECTION_IS_TLS13(s)) { if (!WPACKET_put_bytes_u32(pkt, age_add) - || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { + || !WPACKET_sub_memcpy_u8(pkt, tick_nonce, TICKET_NONCE_SIZE)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } @@ -3940,9 +3961,9 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, } static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, - WPACKET *pkt, - uint32_t age_add, - unsigned char *tick_nonce) + WPACKET *pkt, + uint32_t age_add, + unsigned char *tick_nonce) { unsigned char *senc = NULL; EVP_CIPHER_CTX *ctx = NULL; @@ -3999,7 +4020,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, */ const_p = senc; sess = d2i_SSL_SESSION_ex(NULL, &const_p, slen_full, sctx->libctx, - sctx->propq); + sctx->propq); if (sess == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; @@ -4034,13 +4055,13 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, if (tctx->ext.ticket_key_evp_cb != NULL) ret = tctx->ext.ticket_key_evp_cb(ssl, key_name, iv, ctx, - ssl_hmac_get0_EVP_MAC_CTX(hctx), - 1); + ssl_hmac_get0_EVP_MAC_CTX(hctx), + 1); #ifndef OPENSSL_NO_DEPRECATED_3_0 else if (tctx->ext.ticket_key_cb != NULL) /* if 0 is returned, write an empty ticket */ ret = tctx->ext.ticket_key_cb(ssl, key_name, iv, ctx, - ssl_hmac_get0_HMAC_CTX(hctx), 1); + ssl_hmac_get0_HMAC_CTX(hctx), 1); #endif if (ret == 0) { @@ -4055,7 +4076,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, } /* Put timeout and length */ if (!WPACKET_put_bytes_u32(pkt, 0) - || !WPACKET_put_bytes_u16(pkt, 0)) { + || !WPACKET_put_bytes_u16(pkt, 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -4075,7 +4096,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, } } else { EVP_CIPHER *cipher = EVP_CIPHER_fetch(sctx->libctx, "AES-256-CBC", - sctx->propq); + sctx->propq); if (cipher == NULL) { /* Error is already recorded */ @@ -4085,19 +4106,19 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, iv_len = EVP_CIPHER_get_iv_length(cipher); if (iv_len < 0 - || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0 - || !EVP_EncryptInit_ex(ctx, cipher, NULL, - tctx->ext.secure->tick_aes_key, iv) - || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, - sizeof(tctx->ext.secure->tick_hmac_key), - "SHA256")) { + || RAND_bytes_ex(sctx->libctx, iv, iv_len, 0) <= 0 + || !EVP_EncryptInit_ex(ctx, cipher, NULL, + tctx->ext.secure->tick_aes_key, iv) + || !ssl_hmac_init(hctx, tctx->ext.secure->tick_hmac_key, + sizeof(tctx->ext.secure->tick_hmac_key), + "SHA256")) { EVP_CIPHER_free(cipher); SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } EVP_CIPHER_free(cipher); memcpy(key_name, tctx->ext.tick_key_name, - sizeof(tctx->ext.tick_key_name)); + sizeof(tctx->ext.tick_key_name)); } if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { @@ -4106,29 +4127,29 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, } if (!WPACKET_get_total_written(pkt, &macoffset) - /* Output key name */ - || !WPACKET_memcpy(pkt, key_name, sizeof(key_name)) - /* output IV */ - || !WPACKET_memcpy(pkt, iv, iv_len) - || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH, - &encdata1) - /* Encrypt session data */ - || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen) - || !WPACKET_allocate_bytes(pkt, len, &encdata2) - || encdata1 != encdata2 - || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal) - || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2) - || encdata1 + len != encdata2 - || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH - || !WPACKET_get_total_written(pkt, &macendoffset) - || !ssl_hmac_update(hctx, - (unsigned char *)s->init_buf->data + macoffset, - macendoffset - macoffset) - || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1) - || !ssl_hmac_final(hctx, macdata1, &hlen, EVP_MAX_MD_SIZE) - || hlen > EVP_MAX_MD_SIZE - || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) - || macdata1 != macdata2) { + /* Output key name */ + || !WPACKET_memcpy(pkt, key_name, sizeof(key_name)) + /* output IV */ + || !WPACKET_memcpy(pkt, iv, iv_len) + || !WPACKET_reserve_bytes(pkt, slen + EVP_MAX_BLOCK_LENGTH, + &encdata1) + /* Encrypt session data */ + || !EVP_EncryptUpdate(ctx, encdata1, &len, senc, slen) + || !WPACKET_allocate_bytes(pkt, len, &encdata2) + || encdata1 != encdata2 + || !EVP_EncryptFinal(ctx, encdata1 + len, &lenfinal) + || !WPACKET_allocate_bytes(pkt, lenfinal, &encdata2) + || encdata1 + len != encdata2 + || len + lenfinal > slen + EVP_MAX_BLOCK_LENGTH + || !WPACKET_get_total_written(pkt, &macendoffset) + || !ssl_hmac_update(hctx, + (unsigned char *)s->init_buf->data + macoffset, + macendoffset - macoffset) + || !WPACKET_reserve_bytes(pkt, EVP_MAX_MD_SIZE, &macdata1) + || !ssl_hmac_final(hctx, macdata1, &hlen, EVP_MAX_MD_SIZE) + || hlen > EVP_MAX_MD_SIZE + || !WPACKET_allocate_bytes(pkt, hlen, &macdata2) + || macdata1 != macdata2) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -4140,7 +4161,7 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, } ok = CON_FUNC_SUCCESS; - err: +err: OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); ssl_hmac_free(hctx); @@ -4148,8 +4169,8 @@ static CON_FUNC_RETURN construct_stateless_ticket(SSL_CONNECTION *s, } static int construct_stateful_ticket(SSL_CONNECTION *s, WPACKET *pkt, - uint32_t age_add, - unsigned char *tick_nonce) + uint32_t age_add, + unsigned char *tick_nonce) { if (!create_ticket_prequel(s, pkt, age_add, tick_nonce)) { /* SSLfatal() already called */ @@ -4157,8 +4178,8 @@ static int construct_stateful_ticket(SSL_CONNECTION *s, WPACKET *pkt, } if (!WPACKET_memcpy(pkt, s->session->session_id, - s->session->session_id_length) - || !WPACKET_close(pkt)) { + s->session->session_id_length) + || !WPACKET_close(pkt)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } @@ -4195,7 +4216,9 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt if (SSL_CONNECTION_IS_TLS13(s)) { size_t i, hashlen; uint64_t nonce; - static const unsigned char nonce_label[] = "resumption"; + /* ASCII: "resumption", in hex for EBCDIC compatibility */ + static const unsigned char nonce_label[] = { 0x72, 0x65, 0x73, 0x75, 0x6D, + 0x70, 0x74, 0x69, 0x6F, 0x6E }; const EVP_MD *md = ssl_handshake_md(s); int hashleni = EVP_MD_get_size(md); @@ -4228,7 +4251,8 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt goto err; } if (RAND_bytes_ex(SSL_CONNECTION_GET_CTX(s)->libctx, - age_add_u.age_add_c, sizeof(age_add_u), 0) <= 0) { + age_add_u.age_add_c, sizeof(age_add_u), 0) + <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -4241,12 +4265,12 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt } if (!tls13_hkdf_expand(s, md, s->resumption_master_secret, - nonce_label, - sizeof(nonce_label) - 1, - tick_nonce, - TICKET_NONCE_SIZE, - s->session->master_key, - hashlen, 1)) { + nonce_label, + sizeof(nonce_label), + tick_nonce, + TICKET_NONCE_SIZE, + s->session->master_key, + hashlen, 1)) { /* SSLfatal() already called */ goto err; } @@ -4256,8 +4280,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt ssl_session_calculate_timeout(s->session); if (s->s3.alpn_selected != NULL) { OPENSSL_free(s->session->ext.alpn_selected); - s->session->ext.alpn_selected = - OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); + s->session->ext.alpn_selected = OPENSSL_memdup(s->s3.alpn_selected, s->s3.alpn_selected_len); if (s->session->ext.alpn_selected == NULL) { s->session->ext.alpn_selected_len = 0; SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); @@ -4268,9 +4291,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt s->session->ext.max_early_data = s->max_early_data; } - if (tctx->generate_ticket_cb != NULL && - tctx->generate_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s), - tctx->ticket_cb_data) == 0) { + if (tctx->generate_ticket_cb != NULL && tctx->generate_ticket_cb(SSL_CONNECTION_GET_USER_SSL(s), tctx->ticket_cb_data) == 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } @@ -4280,9 +4301,9 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt * is no point in using full stateless tickets. */ if (SSL_CONNECTION_IS_TLS13(s) - && ((s->options & SSL_OP_NO_TICKET) != 0 - || (s->max_early_data > 0 - && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { + && ((s->options & SSL_OP_NO_TICKET) != 0 + || (s->max_early_data > 0 + && (s->options & SSL_OP_NO_ANTI_REPLAY) == 0))) { if (!construct_stateful_ticket(s, pkt, age_add_u.age_add, tick_nonce)) { /* SSLfatal() already called */ goto err; @@ -4291,7 +4312,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt CON_FUNC_RETURN tmpret; tmpret = construct_stateless_ticket(s, pkt, age_add_u.age_add, - tick_nonce); + tick_nonce); if (tmpret != CON_FUNC_SUCCESS) { if (tmpret == CON_FUNC_DONT_SEND) { /* Non-fatal. Abort construction but continue */ @@ -4306,8 +4327,8 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt if (SSL_CONNECTION_IS_TLS13(s)) { if (!tls_construct_extensions(s, pkt, - SSL_EXT_TLS1_3_NEW_SESSION_TICKET, - NULL, 0)) { + SSL_EXT_TLS1_3_NEW_SESSION_TICKET, + NULL, 0)) { /* SSLfatal() already called */ goto err; } @@ -4316,7 +4337,7 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt } ret = CON_FUNC_SUCCESS; - err: +err: return ret; } @@ -4327,8 +4348,8 @@ CON_FUNC_RETURN tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt int tls_construct_cert_status_body(SSL_CONNECTION *s, WPACKET *pkt) { if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type) - || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, - s->ext.ocsp.resp_len)) { + || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp, + s->ext.ocsp.resp_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return 0; } @@ -4383,10 +4404,10 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL_CONNECTION *s, PACKET *pkt) #endif static CON_FUNC_RETURN tls_construct_encrypted_extensions(SSL_CONNECTION *s, - WPACKET *pkt) + WPACKET *pkt) { if (!tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS, - NULL, 0)) { + NULL, 0)) { /* SSLfatal() already called */ return CON_FUNC_ERROR; } @@ -4402,7 +4423,7 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt) } if (s->early_data_state != SSL_EARLY_DATA_READING - && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { + && s->early_data_state != SSL_EARLY_DATA_READ_RETRY) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); return MSG_PROCESS_ERROR; } @@ -4418,7 +4439,7 @@ MSG_PROCESS_RETURN tls_process_end_of_early_data(SSL_CONNECTION *s, PACKET *pkt) s->early_data_state = SSL_EARLY_DATA_FINISHED_READING; if (!SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->change_cipher_state(s, - SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { + SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_SERVER_READ)) { /* SSLfatal() already called */ return MSG_PROCESS_ERROR; } |