X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Fstatem%2Fstatem_lib.c;h=e9cfee027e6418c919ad282581b5d2a7c4323e63;hp=a18c5cccf48e34d088a3f32f9179c45ff03d4002;hb=fc69f32cd6852e60627969138be80cc665a573dd;hpb=3409a5ff8a44ddaf043d83ed22e657ae871be289 diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c index a18c5cccf4..e9cfee027e 100644 --- a/ssl/statem/statem_lib.c +++ b/ssl/statem/statem_lib.c @@ -11,13 +11,14 @@ #include #include #include -#include "../ssl_locl.h" -#include "statem_locl.h" +#include "../ssl_local.h" +#include "statem_local.h" #include "internal/cryptlib.h" #include #include #include #include +#include /* * Map error codes to TLS/SSL alart types. @@ -137,7 +138,7 @@ int tls_setup_handshake(SSL *s) /* N.B. s->ctx may not equal s->session_ctx */ tsan_counter(&s->ctx->stats.sess_accept_renegotiate); - s->s3->tmp.cert_request = 0; + s->s3.tmp.cert_request = 0; } } else { if (SSL_IS_FIRST_HANDSHAKE(s)) @@ -146,10 +147,10 @@ int tls_setup_handshake(SSL *s) tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate); /* mark client_random uninitialized */ - memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); + memset(s->s3.client_random, 0, sizeof(s->s3.client_random)); s->hit = 0; - s->s3->tmp.cert_req = 0; + s->s3.tmp.cert_req = 0; if (SSL_IS_DTLS(s)) s->statem.use_timer = 1; @@ -168,9 +169,19 @@ int tls_setup_handshake(SSL *s) static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, void **hdata, size_t *hdatalen) { - static const char *servercontext = "TLS 1.3, server CertificateVerify"; - static const char *clientcontext = "TLS 1.3, client CertificateVerify"; - +#ifdef CHARSET_EBCDIC + static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + 0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, + 0x69, 0x66, 0x79, 0x00 }; + static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e, + 0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72, + 0x69, 0x66, 0x79, 0x00 }; +#else + static const char servercontext[] = "TLS 1.3, server CertificateVerify"; + static const char clientcontext[] = "TLS 1.3, client CertificateVerify"; +#endif if (SSL_IS_TLS13(s)) { size_t hashlen; @@ -205,7 +216,7 @@ static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs, size_t retlen; long retlen_l; - retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata); + retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata); if (retlen_l <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA, ERR_R_INTERNAL_ERROR); @@ -227,16 +238,16 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) void *hdata; unsigned char *sig = NULL; unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE]; - const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg; + const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg; - if (lu == NULL || s->s3->tmp.cert == NULL) { + if (lu == NULL || s->s3.tmp.cert == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } - pkey = s->s3->tmp.cert->privatekey; + pkey = s->s3.tmp.cert->privatekey; - if (pkey == NULL || !tls1_lookup_md(lu, &md)) { + if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; @@ -260,15 +271,10 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) ERR_R_INTERNAL_ERROR); goto err; } - siglen = EVP_PKEY_size(pkey); - sig = OPENSSL_malloc(siglen); - if (sig == NULL) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, - ERR_R_MALLOC_FAILURE); - goto err; - } - if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) { + if (EVP_DigestSignInit_ex(mctx, &pctx, + md == NULL ? NULL : EVP_MD_name(md), + s->ctx->propq, pkey, s->ctx->libctx) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; @@ -284,20 +290,48 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt) } } if (s->version == SSL3_VERSION) { + /* + * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal + * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them. + */ if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0 - || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key) - || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { + /* + * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated + * with a call to ssl3_digest_master_key_set_params() + */ + || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key) <= 0 + || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, ERR_R_EVP_LIB); goto err; } - } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, - ERR_R_EVP_LIB); - goto err; + sig = OPENSSL_malloc(siglen); + if (sig == NULL + || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + } else { + /* + * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not + * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal + */ + if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } + sig = OPENSSL_malloc(siglen); + if (sig == NULL + || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY, + ERR_R_EVP_LIB); + goto err; + } } #ifndef OPENSSL_NO_GOST @@ -388,17 +422,15 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) goto err; } - if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) { + if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_INTERNAL_ERROR); goto err; } -#ifdef SSL_DEBUG if (SSL_USE_SIGALGS(s)) - fprintf(stderr, "USING TLSv1.2 HASH %s\n", - md == NULL ? "n/a" : EVP_MD_name(md)); -#endif + OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n", + md == NULL ? "n/a" : EVP_MD_name(md)); /* Check for broken implementations of GOST ciphersuites */ /* @@ -421,13 +453,6 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) goto err; } - j = EVP_PKEY_size(pkey); - if (((int)len > j) || ((int)PACKET_remaining(pkt) > j) - || (PACKET_remaining(pkt) == 0)) { - SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, - SSL_R_WRONG_SIGNATURE_SIZE); - goto err; - } if (!PACKET_get_bytes(pkt, &data, len)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, SSL_R_LENGTH_MISMATCH); @@ -439,11 +464,12 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) goto err; } -#ifdef SSL_DEBUG - fprintf(stderr, "Using client verify alg %s\n", - md == NULL ? "n/a" : EVP_MD_name(md)); -#endif - if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) { + OSSL_TRACE1(TLS, "Using client verify alg %s\n", + md == NULL ? "n/a" : EVP_MD_name(md)); + + if (EVP_DigestVerifyInit_ex(mctx, &pctx, + md == NULL ? NULL : EVP_MD_name(md), + s->ctx->propq, pkey, s->ctx->libctx) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); goto err; @@ -475,10 +501,14 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) } } if (s->version == SSL3_VERSION) { + /* + * TODO(3.0) Replace this when EVP_MD_CTX_ctrl() is deprecated + * with a call to ssl3_digest_master_key_set_params() + */ if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0 - || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key)) { + || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET, + (int)s->session->master_key_length, + s->session->master_key) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_EVP_LIB); goto err; @@ -505,13 +535,13 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt) * want to make sure that SSL_get_peer_certificate() will return the actual * server certificate from the client_cert_cb callback. */ - if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1) + if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1) ret = MSG_PROCESS_CONTINUE_PROCESSING; else ret = MSG_PROCESS_CONTINUE_READING; err: - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; + BIO_free(s->s3.handshake_buffer); + s->s3.handshake_buffer = NULL; EVP_MD_CTX_free(mctx); #ifndef OPENSSL_NO_GOST OPENSSL_free(gost_data); @@ -535,7 +565,7 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) */ if (SSL_IS_TLS13(s) && !s->server - && s->s3->tmp.cert_req == 0 + && s->s3.tmp.cert_req == 0 && (!s->method->ssl3_enc->change_cipher_state(s, SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {; /* SSLfatal() already called */ @@ -552,15 +582,15 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) finish_md_len = s->method->ssl3_enc->final_finish_mac(s, sender, slen, - s->s3->tmp.finish_md); + s->s3.tmp.finish_md); if (finish_md_len == 0) { /* SSLfatal() already called */ return 0; } - s->s3->tmp.finish_md_len = finish_md_len; + s->s3.tmp.finish_md_len = finish_md_len; - if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) { + if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED, ERR_R_INTERNAL_ERROR); return 0; @@ -586,13 +616,13 @@ int tls_construct_finished(SSL *s, WPACKET *pkt) return 0; } if (!s->server) { - memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md, + memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md, finish_md_len); - s->s3->previous_client_finished_len = finish_md_len; + s->s3.previous_client_finished_len = finish_md_len; } else { - memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md, + memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md, finish_md_len); - s->s3->previous_server_finished_len = finish_md_len; + s->s3.previous_server_finished_len = finish_md_len; } return 1; @@ -645,12 +675,9 @@ MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt) /* * If we get a request for us to update our sending keys too then, we need * to additionally send a KeyUpdate message. However that message should - * not also request an update (otherwise we get into an infinite loop). We - * ignore a request for us to update our sending keys too if we already - * sent close_notify. + * not also request an update (otherwise we get into an infinite loop). */ - if (updatetype == SSL_KEY_UPDATE_REQUESTED - && (s->shutdown & SSL_SENT_SHUTDOWN) == 0) + if (updatetype == SSL_KEY_UPDATE_REQUESTED) s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED; if (!tls13_update_key(s, 0)) { @@ -678,11 +705,11 @@ int ssl3_take_mac(SSL *s) slen = s->method->ssl3_enc->client_finished_label_len; } - s->s3->tmp.peer_finish_md_len = + s->s3.tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, sender, slen, - s->s3->tmp.peer_finish_md); + s->s3.tmp.peer_finish_md); - if (s->s3->tmp.peer_finish_md_len == 0) { + if (s->s3.tmp.peer_finish_md_len == 0) { /* SSLfatal() already called */ return 0; } @@ -720,13 +747,13 @@ MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt) } /* Check we have a cipher to change to */ - if (s->s3->tmp.new_cipher == NULL) { + if (s->s3.tmp.new_cipher == NULL) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY); return MSG_PROCESS_ERROR; } - s->s3->change_cipher_spec = 1; + s->s3.change_cipher_spec = 1; if (!ssl3_do_change_cipher_spec(s)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); @@ -784,14 +811,14 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) } /* If this occurs, we have missed a message */ - if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) { + if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED, SSL_R_GOT_A_FIN_BEFORE_A_CCS); return MSG_PROCESS_ERROR; } - s->s3->change_cipher_spec = 0; + s->s3.change_cipher_spec = 0; - md_len = s->s3->tmp.peer_finish_md_len; + md_len = s->s3.tmp.peer_finish_md_len; if (md_len != PACKET_remaining(pkt)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED, @@ -799,7 +826,7 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } - if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md, + if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md, md_len) != 0) { SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED, SSL_R_DIGEST_CHECK_FAILED); @@ -815,13 +842,13 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } if (s->server) { - memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md, + memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md, md_len); - s->s3->previous_client_finished_len = md_len; + s->s3.previous_client_finished_len = md_len; } else { - memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md, + memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md, md_len); - s->s3->previous_server_finished_len = md_len; + s->s3.previous_server_finished_len = md_len; } /* @@ -837,9 +864,11 @@ MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt) return MSG_PROCESS_ERROR; } } else { + /* TLS 1.3 gets the secret size from the handshake md */ + size_t dummy; if (!s->method->ssl3_enc->generate_master_secret(s, s->master_secret, s->handshake_secret, 0, - &s->session->master_key_length)) { + &dummy)) { /* SSLfatal() already called */ return MSG_PROCESS_ERROR; } @@ -1026,14 +1055,25 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop) int cleanuphand = s->statem.cleanuphand; if (clearbufs) { - if (!SSL_IS_DTLS(s)) { + if (!SSL_IS_DTLS(s) +#ifndef OPENSSL_NO_SCTP /* - * We don't do this in DTLS because we may still need the init_buf + * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS + * messages that require it. Therefore, DTLS procedures for retransmissions + * MUST NOT be used. + * Hence the init_buf can be cleared when DTLS over SCTP as transport is used. + */ + || BIO_dgram_is_sctp(SSL_get_wbio(s)) +#endif + ) { + /* + * We don't do this in DTLS over UDP because we may still need the init_buf * in case there are any unexpected retransmits */ BUF_MEM_free(s->init_buf); s->init_buf = NULL; } + if (!ssl_free_wbio_buffer(s)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE, ERR_R_INTERNAL_ERROR); @@ -1157,7 +1197,7 @@ int tls_get_message_header(SSL *s, int *mt) return 0; } if (s->statem.hand_state == TLS_ST_BEFORE - && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) { + && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) { /* * We are stateless and we received a CCS. Probably this is * from a client between the first and second ClientHellos. @@ -1167,10 +1207,10 @@ int tls_get_message_header(SSL *s, int *mt) */ return 0; } - s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; + s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC; s->init_num = readbytes - 1; s->init_msg = s->init_buf->data; - s->s3->tmp.message_size = readbytes; + s->s3.tmp.message_size = readbytes; return 1; } else if (recvd_type != SSL3_RT_HANDSHAKE) { SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, @@ -1204,7 +1244,7 @@ int tls_get_message_header(SSL *s, int *mt) /* s->init_num == SSL3_HM_HEADER_LENGTH */ *mt = *p; - s->s3->tmp.message_type = *(p++); + s->s3.tmp.message_type = *(p++); if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) { /* @@ -1216,7 +1256,7 @@ int tls_get_message_header(SSL *s, int *mt) */ l = RECORD_LAYER_get_rrec_length(&s->rlayer) + SSL3_HM_HEADER_LENGTH; - s->s3->tmp.message_size = l; + s->s3.tmp.message_size = l; s->init_msg = s->init_buf->data; s->init_num = SSL3_HM_HEADER_LENGTH; @@ -1228,7 +1268,7 @@ int tls_get_message_header(SSL *s, int *mt) SSL_R_EXCESSIVE_MESSAGE_SIZE); return 0; } - s->s3->tmp.message_size = l; + s->s3.tmp.message_size = l; s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; s->init_num = 0; @@ -1243,14 +1283,14 @@ int tls_get_message_body(SSL *s, size_t *len) unsigned char *p; int i; - if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { + if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) { /* We've already read everything in */ *len = (unsigned long)s->init_num; return 1; } p = s->init_msg; - n = s->s3->tmp.message_size - s->init_num; + n = s->s3.tmp.message_size - s->init_num; while (n > 0) { i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL, &p[s->init_num], n, 0, &readbytes); @@ -1293,9 +1333,9 @@ int tls_get_message_body(SSL *s, size_t *len) */ #define SERVER_HELLO_RANDOM_OFFSET (SSL3_HM_HEADER_LENGTH + 2) /* KeyUpdate and NewSessionTicket do not need to be added */ - if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET - && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) { - if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO + if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET + && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) { + if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE || memcmp(hrrrandom, s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET, @@ -1935,7 +1975,7 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) /* Check for downgrades */ if (s->version == TLS1_2_VERSION && real_max > s->version) { if (memcmp(tls12downgrade, - s->s3->server_random + SSL3_RANDOM_SIZE + s->s3.server_random + SSL3_RANDOM_SIZE - sizeof(tls12downgrade), sizeof(tls12downgrade)) == 0) { s->version = origv; @@ -1948,7 +1988,7 @@ int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions) && s->version < TLS1_2_VERSION && real_max > s->version) { if (memcmp(tls11downgrade, - s->s3->server_random + SSL3_RANDOM_SIZE + s->s3.server_random + SSL3_RANDOM_SIZE - sizeof(tls11downgrade), sizeof(tls11downgrade)) == 0) { s->version = origv; @@ -2134,7 +2174,6 @@ int ssl_set_client_hello_version(SSL *s) * used. Returns 1 if the group is in the list (and allowed if |checkallow| is * 1) or 0 otherwise. */ -#ifndef OPENSSL_NO_EC int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, size_t num_groups, int checkallow) { @@ -2148,14 +2187,13 @@ int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups, if (group_id == group && (!checkallow - || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { + || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) { return 1; } } return 0; } -#endif /* Replace ClientHello1 in the transcript hash with a synthetic message */ int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, @@ -2202,7 +2240,7 @@ int create_synthetic_message_hash(SSL *s, const unsigned char *hashval, if (hrr != NULL && (!ssl3_finish_mac(s, hrr, hrrlen) || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, - s->s3->tmp.message_size + s->s3.tmp.message_size + SSL3_HM_HEADER_LENGTH))) { /* SSLfatal() already called */ return 0; @@ -2265,8 +2303,8 @@ int parse_ca_names(SSL *s, PACKET *pkt) xn = NULL; } - sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free); - s->s3->tmp.peer_ca_names = ca_sk; + sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free); + s->s3.tmp.peer_ca_names = ca_sk; return 1; @@ -2342,8 +2380,8 @@ size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs, ERR_R_MALLOC_FAILURE); return 0; } - memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE); - memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE); + memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE); + memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE); memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen); @@ -2370,7 +2408,7 @@ int tls13_save_handshake_digest_for_pha(SSL *s) return 0; } if (!EVP_MD_CTX_copy_ex(s->pha_dgst, - s->s3->handshake_dgst)) { + s->s3.handshake_dgst)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA, ERR_R_INTERNAL_ERROR); @@ -2392,7 +2430,7 @@ int tls13_restore_handshake_digest_for_pha(SSL *s) ERR_R_INTERNAL_ERROR); return 0; } - if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst, + if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst, s->pha_dgst)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,