Diffstat (limited to 'src/lib/libssl/ssl_srvr.c')
-rw-r--r--src/lib/libssl/ssl_srvr.c272
1 files changed, 136 insertions, 136 deletions
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index 30545320b3..359395051a 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssl_srvr.c,v 1.140 2022/01/11 19:03:15 jsing Exp $ */ 1/* $OpenBSD: ssl_srvr.c,v 1.141 2022/02/05 14:54:10 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -194,12 +194,12 @@ ssl3_accept(SSL *s)
194 s->d1->listen = listen; 194 s->d1->listen = listen;
195 195
196 for (;;) { 196 for (;;) {
197 state = S3I(s)->hs.state; 197 state = s->s3->hs.state;
198 198
199 switch (S3I(s)->hs.state) { 199 switch (s->s3->hs.state) {
200 case SSL_ST_RENEGOTIATE: 200 case SSL_ST_RENEGOTIATE:
201 s->internal->renegotiate = 1; 201 s->internal->renegotiate = 1;
202 /* S3I(s)->hs.state=SSL_ST_ACCEPT; */ 202 /* s->s3->hs.state=SSL_ST_ACCEPT; */
203 203
204 case SSL_ST_BEFORE: 204 case SSL_ST_BEFORE:
205 case SSL_ST_ACCEPT: 205 case SSL_ST_ACCEPT:
@@ -216,8 +216,8 @@ ssl3_accept(SSL *s)
216 } 216 }
217 217
218 if (!ssl_supported_tls_version_range(s, 218 if (!ssl_supported_tls_version_range(s,
219 &S3I(s)->hs.our_min_tls_version, 219 &s->s3->hs.our_min_tls_version,
220 &S3I(s)->hs.our_max_tls_version)) { 220 &s->s3->hs.our_max_tls_version)) {
221 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 221 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
222 ret = -1; 222 ret = -1;
223 goto end; 223 goto end;
@@ -234,7 +234,7 @@ ssl3_accept(SSL *s)
234 234
235 s->internal->init_num = 0; 235 s->internal->init_num = 0;
236 236
237 if (S3I(s)->hs.state != SSL_ST_RENEGOTIATE) { 237 if (s->s3->hs.state != SSL_ST_RENEGOTIATE) {
238 /* 238 /*
239 * Ok, we now need to push on a buffering BIO 239 * Ok, we now need to push on a buffering BIO
240 * so that the output is sent in a way that 240 * so that the output is sent in a way that
@@ -250,9 +250,9 @@ ssl3_accept(SSL *s)
250 goto end; 250 goto end;
251 } 251 }
252 252
253 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 253 s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
254 s->ctx->internal->stats.sess_accept++; 254 s->ctx->internal->stats.sess_accept++;
255 } else if (!SSL_is_dtls(s) && !S3I(s)->send_connection_binding) { 255 } else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) {
256 /* 256 /*
257 * Server attempting to renegotiate with 257 * Server attempting to renegotiate with
258 * client that doesn't support secure 258 * client that doesn't support secure
@@ -265,11 +265,11 @@ ssl3_accept(SSL *s)
265 goto end; 265 goto end;
266 } else { 266 } else {
267 /* 267 /*
268 * S3I(s)->hs.state == SSL_ST_RENEGOTIATE, 268 * s->s3->hs.state == SSL_ST_RENEGOTIATE,
269 * we will just send a HelloRequest. 269 * we will just send a HelloRequest.
270 */ 270 */
271 s->ctx->internal->stats.sess_accept_renegotiate++; 271 s->ctx->internal->stats.sess_accept_renegotiate++;
272 S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_A; 272 s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A;
273 } 273 }
274 break; 274 break;
275 275
@@ -284,10 +284,10 @@ ssl3_accept(SSL *s)
284 if (ret <= 0) 284 if (ret <= 0)
285 goto end; 285 goto end;
286 if (SSL_is_dtls(s)) 286 if (SSL_is_dtls(s))
287 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; 287 s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
288 else 288 else
289 S3I(s)->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C; 289 s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C;
290 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 290 s->s3->hs.state = SSL3_ST_SW_FLUSH;
291 s->internal->init_num = 0; 291 s->internal->init_num = 0;
292 292
293 if (SSL_is_dtls(s)) { 293 if (SSL_is_dtls(s)) {
@@ -299,7 +299,7 @@ ssl3_accept(SSL *s)
299 break; 299 break;
300 300
301 case SSL3_ST_SW_HELLO_REQ_C: 301 case SSL3_ST_SW_HELLO_REQ_C:
302 S3I(s)->hs.state = SSL_ST_OK; 302 s->s3->hs.state = SSL_ST_OK;
303 break; 303 break;
304 304
305 case SSL3_ST_SR_CLNT_HELLO_A: 305 case SSL3_ST_SR_CLNT_HELLO_A:
@@ -314,9 +314,9 @@ ssl3_accept(SSL *s)
314 314
315 if (ret == 1 && 315 if (ret == 1 &&
316 (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE)) 316 (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
317 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A; 317 s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
318 else 318 else
319 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; 319 s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
320 320
321 s->internal->init_num = 0; 321 s->internal->init_num = 0;
322 322
@@ -330,7 +330,7 @@ ssl3_accept(SSL *s)
330 } 330 }
331 331
332 /* If we're just listening, stop here */ 332 /* If we're just listening, stop here */
333 if (listen && S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) { 333 if (listen && s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
334 ret = 2; 334 ret = 2;
335 s->d1->listen = 0; 335 s->d1->listen = 0;
336 /* 336 /*
@@ -350,7 +350,7 @@ ssl3_accept(SSL *s)
350 } 350 }
351 351
352 s->internal->renegotiate = 2; 352 s->internal->renegotiate = 2;
353 S3I(s)->hs.state = SSL3_ST_SW_SRVR_HELLO_A; 353 s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A;
354 s->internal->init_num = 0; 354 s->internal->init_num = 0;
355 } 355 }
356 break; 356 break;
@@ -360,8 +360,8 @@ ssl3_accept(SSL *s)
360 ret = ssl3_send_dtls_hello_verify_request(s); 360 ret = ssl3_send_dtls_hello_verify_request(s);
361 if (ret <= 0) 361 if (ret <= 0)
362 goto end; 362 goto end;
363 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 363 s->s3->hs.state = SSL3_ST_SW_FLUSH;
364 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A; 364 s->s3->hs.tls12.next_state = SSL3_ST_SR_CLNT_HELLO_A;
365 365
366 /* HelloVerifyRequest resets Finished MAC. */ 366 /* HelloVerifyRequest resets Finished MAC. */
367 tls1_transcript_reset(s); 367 tls1_transcript_reset(s);
@@ -378,11 +378,11 @@ ssl3_accept(SSL *s)
378 goto end; 378 goto end;
379 if (s->internal->hit) { 379 if (s->internal->hit) {
380 if (s->internal->tlsext_ticket_expected) 380 if (s->internal->tlsext_ticket_expected)
381 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A; 381 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
382 else 382 else
383 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A; 383 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
384 } else { 384 } else {
385 S3I(s)->hs.state = SSL3_ST_SW_CERT_A; 385 s->s3->hs.state = SSL3_ST_SW_CERT_A;
386 } 386 }
387 s->internal->init_num = 0; 387 s->internal->init_num = 0;
388 break; 388 break;
@@ -390,7 +390,7 @@ ssl3_accept(SSL *s)
390 case SSL3_ST_SW_CERT_A: 390 case SSL3_ST_SW_CERT_A:
391 case SSL3_ST_SW_CERT_B: 391 case SSL3_ST_SW_CERT_B:
392 /* Check if it is anon DH or anon ECDH. */ 392 /* Check if it is anon DH or anon ECDH. */
393 if (!(S3I(s)->hs.cipher->algorithm_auth & 393 if (!(s->s3->hs.cipher->algorithm_auth &
394 SSL_aNULL)) { 394 SSL_aNULL)) {
395 if (SSL_is_dtls(s)) 395 if (SSL_is_dtls(s))
396 dtls1_start_timer(s); 396 dtls1_start_timer(s);
@@ -398,19 +398,19 @@ ssl3_accept(SSL *s)
398 if (ret <= 0) 398 if (ret <= 0)
399 goto end; 399 goto end;
400 if (s->internal->tlsext_status_expected) 400 if (s->internal->tlsext_status_expected)
401 S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_A; 401 s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A;
402 else 402 else
403 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A; 403 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
404 } else { 404 } else {
405 skip = 1; 405 skip = 1;
406 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A; 406 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
407 } 407 }
408 s->internal->init_num = 0; 408 s->internal->init_num = 0;
409 break; 409 break;
410 410
411 case SSL3_ST_SW_KEY_EXCH_A: 411 case SSL3_ST_SW_KEY_EXCH_A:
412 case SSL3_ST_SW_KEY_EXCH_B: 412 case SSL3_ST_SW_KEY_EXCH_B:
413 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 413 alg_k = s->s3->hs.cipher->algorithm_mkey;
414 414
415 /* 415 /*
416 * Only send if using a DH key exchange. 416 * Only send if using a DH key exchange.
@@ -429,7 +429,7 @@ ssl3_accept(SSL *s)
429 } else 429 } else
430 skip = 1; 430 skip = 1;
431 431
432 S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_A; 432 s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A;
433 s->internal->init_num = 0; 433 s->internal->init_num = 0;
434 break; 434 break;
435 435
@@ -455,24 +455,24 @@ ssl3_accept(SSL *s)
455 if (!(s->verify_mode & SSL_VERIFY_PEER) || 455 if (!(s->verify_mode & SSL_VERIFY_PEER) ||
456 ((s->session->peer_cert != NULL) && 456 ((s->session->peer_cert != NULL) &&
457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) || 457 (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
458 ((S3I(s)->hs.cipher->algorithm_auth & 458 ((s->s3->hs.cipher->algorithm_auth &
459 SSL_aNULL) && !(s->verify_mode & 459 SSL_aNULL) && !(s->verify_mode &
460 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { 460 SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
461 /* No cert request. */ 461 /* No cert request. */
462 skip = 1; 462 skip = 1;
463 S3I(s)->hs.tls12.cert_request = 0; 463 s->s3->hs.tls12.cert_request = 0;
464 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; 464 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
465 465
466 if (!SSL_is_dtls(s)) 466 if (!SSL_is_dtls(s))
467 tls1_transcript_free(s); 467 tls1_transcript_free(s);
468 } else { 468 } else {
469 S3I(s)->hs.tls12.cert_request = 1; 469 s->s3->hs.tls12.cert_request = 1;
470 if (SSL_is_dtls(s)) 470 if (SSL_is_dtls(s))
471 dtls1_start_timer(s); 471 dtls1_start_timer(s);
472 ret = ssl3_send_certificate_request(s); 472 ret = ssl3_send_certificate_request(s);
473 if (ret <= 0) 473 if (ret <= 0)
474 goto end; 474 goto end;
475 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; 475 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A;
476 s->internal->init_num = 0; 476 s->internal->init_num = 0;
477 } 477 }
478 break; 478 break;
@@ -484,8 +484,8 @@ ssl3_accept(SSL *s)
484 ret = ssl3_send_server_done(s); 484 ret = ssl3_send_server_done(s);
485 if (ret <= 0) 485 if (ret <= 0)
486 goto end; 486 goto end;
487 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_CERT_A; 487 s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A;
488 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 488 s->s3->hs.state = SSL3_ST_SW_FLUSH;
489 s->internal->init_num = 0; 489 s->internal->init_num = 0;
490 break; 490 break;
491 491
@@ -506,25 +506,25 @@ ssl3_accept(SSL *s)
506 /* If the write error was fatal, stop trying. */ 506 /* If the write error was fatal, stop trying. */
507 if (!BIO_should_retry(s->wbio)) { 507 if (!BIO_should_retry(s->wbio)) {
508 s->internal->rwstate = SSL_NOTHING; 508 s->internal->rwstate = SSL_NOTHING;
509 S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; 509 s->s3->hs.state = s->s3->hs.tls12.next_state;
510 } 510 }
511 } 511 }
512 ret = -1; 512 ret = -1;
513 goto end; 513 goto end;
514 } 514 }
515 s->internal->rwstate = SSL_NOTHING; 515 s->internal->rwstate = SSL_NOTHING;
516 S3I(s)->hs.state = S3I(s)->hs.tls12.next_state; 516 s->s3->hs.state = s->s3->hs.tls12.next_state;
517 break; 517 break;
518 518
519 case SSL3_ST_SR_CERT_A: 519 case SSL3_ST_SR_CERT_A:
520 case SSL3_ST_SR_CERT_B: 520 case SSL3_ST_SR_CERT_B:
521 if (S3I(s)->hs.tls12.cert_request) { 521 if (s->s3->hs.tls12.cert_request) {
522 ret = ssl3_get_client_certificate(s); 522 ret = ssl3_get_client_certificate(s);
523 if (ret <= 0) 523 if (ret <= 0)
524 goto end; 524 goto end;
525 } 525 }
526 s->internal->init_num = 0; 526 s->internal->init_num = 0;
527 S3I(s)->hs.state = SSL3_ST_SR_KEY_EXCH_A; 527 s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A;
528 break; 528 break;
529 529
530 case SSL3_ST_SR_KEY_EXCH_A: 530 case SSL3_ST_SR_KEY_EXCH_A:
@@ -534,21 +534,21 @@ ssl3_accept(SSL *s)
534 goto end; 534 goto end;
535 535
536 if (SSL_is_dtls(s)) { 536 if (SSL_is_dtls(s)) {
537 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 537 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
538 s->internal->init_num = 0; 538 s->internal->init_num = 0;
539 } 539 }
540 540
541 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 541 alg_k = s->s3->hs.cipher->algorithm_mkey;
542 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) { 542 if (s->s3->flags & TLS1_FLAGS_SKIP_CERT_VERIFY) {
543 /* 543 /*
544 * A GOST client may use the key from its 544 * A GOST client may use the key from its
545 * certificate for key exchange, in which case 545 * certificate for key exchange, in which case
546 * the CertificateVerify message is not sent. 546 * the CertificateVerify message is not sent.
547 */ 547 */
548 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; 548 s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
549 s->internal->init_num = 0; 549 s->internal->init_num = 0;
550 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { 550 } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) {
551 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 551 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
552 s->internal->init_num = 0; 552 s->internal->init_num = 0;
553 if (!s->session->peer_cert) 553 if (!s->session->peer_cert)
554 break; 554 break;
@@ -558,7 +558,7 @@ ssl3_accept(SSL *s)
558 */ 558 */
559 tls1_transcript_freeze(s); 559 tls1_transcript_freeze(s);
560 } else { 560 } else {
561 S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; 561 s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A;
562 s->internal->init_num = 0; 562 s->internal->init_num = 0;
563 563
564 tls1_transcript_free(s); 564 tls1_transcript_free(s);
@@ -568,8 +568,8 @@ ssl3_accept(SSL *s)
568 * a client cert, it can be verified. 568 * a client cert, it can be verified.
569 */ 569 */
570 if (!tls1_transcript_hash_value(s, 570 if (!tls1_transcript_hash_value(s,
571 S3I(s)->hs.tls12.cert_verify, 571 s->s3->hs.tls12.cert_verify,
572 sizeof(S3I(s)->hs.tls12.cert_verify), 572 sizeof(s->s3->hs.tls12.cert_verify),
573 NULL)) { 573 NULL)) {
574 ret = -1; 574 ret = -1;
575 goto end; 575 goto end;
@@ -588,7 +588,7 @@ ssl3_accept(SSL *s)
588 ret = ssl3_get_cert_verify(s); 588 ret = ssl3_get_cert_verify(s);
589 if (ret <= 0) 589 if (ret <= 0)
590 goto end; 590 goto end;
591 S3I(s)->hs.state = SSL3_ST_SR_FINISHED_A; 591 s->s3->hs.state = SSL3_ST_SR_FINISHED_A;
592 s->internal->init_num = 0; 592 s->internal->init_num = 0;
593 break; 593 break;
594 594
@@ -605,11 +605,11 @@ ssl3_accept(SSL *s)
605 if (SSL_is_dtls(s)) 605 if (SSL_is_dtls(s))
606 dtls1_stop_timer(s); 606 dtls1_stop_timer(s);
607 if (s->internal->hit) 607 if (s->internal->hit)
608 S3I(s)->hs.state = SSL_ST_OK; 608 s->s3->hs.state = SSL_ST_OK;
609 else if (s->internal->tlsext_ticket_expected) 609 else if (s->internal->tlsext_ticket_expected)
610 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_A; 610 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A;
611 else 611 else
612 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A; 612 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
613 s->internal->init_num = 0; 613 s->internal->init_num = 0;
614 break; 614 break;
615 615
@@ -618,7 +618,7 @@ ssl3_accept(SSL *s)
618 ret = ssl3_send_newsession_ticket(s); 618 ret = ssl3_send_newsession_ticket(s);
619 if (ret <= 0) 619 if (ret <= 0)
620 goto end; 620 goto end;
621 S3I(s)->hs.state = SSL3_ST_SW_CHANGE_A; 621 s->s3->hs.state = SSL3_ST_SW_CHANGE_A;
622 s->internal->init_num = 0; 622 s->internal->init_num = 0;
623 break; 623 break;
624 624
@@ -627,7 +627,7 @@ ssl3_accept(SSL *s)
627 ret = ssl3_send_cert_status(s); 627 ret = ssl3_send_cert_status(s);
628 if (ret <= 0) 628 if (ret <= 0)
629 goto end; 629 goto end;
630 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_A; 630 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A;
631 s->internal->init_num = 0; 631 s->internal->init_num = 0;
632 break; 632 break;
633 633
@@ -637,9 +637,9 @@ ssl3_accept(SSL *s)
637 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); 637 SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B);
638 if (ret <= 0) 638 if (ret <= 0)
639 goto end; 639 goto end;
640 S3I(s)->hs.state = SSL3_ST_SW_FINISHED_A; 640 s->s3->hs.state = SSL3_ST_SW_FINISHED_A;
641 s->internal->init_num = 0; 641 s->internal->init_num = 0;
642 s->session->cipher = S3I(s)->hs.cipher; 642 s->session->cipher = s->s3->hs.cipher;
643 643
644 if (!tls1_setup_key_block(s)) { 644 if (!tls1_setup_key_block(s)) {
645 ret = -1; 645 ret = -1;
@@ -657,12 +657,12 @@ ssl3_accept(SSL *s)
657 SSL3_ST_SW_FINISHED_B); 657 SSL3_ST_SW_FINISHED_B);
658 if (ret <= 0) 658 if (ret <= 0)
659 goto end; 659 goto end;
660 S3I(s)->hs.state = SSL3_ST_SW_FLUSH; 660 s->s3->hs.state = SSL3_ST_SW_FLUSH;
661 if (s->internal->hit) { 661 if (s->internal->hit) {
662 S3I(s)->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A; 662 s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A;
663 tls1_transcript_free(s); 663 tls1_transcript_free(s);
664 } else 664 } else
665 S3I(s)->hs.tls12.next_state = SSL_ST_OK; 665 s->s3->hs.tls12.next_state = SSL_ST_OK;
666 s->internal->init_num = 0; 666 s->internal->init_num = 0;
667 break; 667 break;
668 668
@@ -670,7 +670,7 @@ ssl3_accept(SSL *s)
670 /* clean a few things up */ 670 /* clean a few things up */
671 tls1_cleanup_key_block(s); 671 tls1_cleanup_key_block(s);
672 672
673 if (S3I(s)->handshake_transcript != NULL) { 673 if (s->s3->handshake_transcript != NULL) {
674 SSLerror(s, ERR_R_INTERNAL_ERROR); 674 SSLerror(s, ERR_R_INTERNAL_ERROR);
675 ret = -1; 675 ret = -1;
676 goto end; 676 goto end;
@@ -717,18 +717,18 @@ ssl3_accept(SSL *s)
717 /* break; */ 717 /* break; */
718 } 718 }
719 719
720 if (!S3I(s)->hs.tls12.reuse_message && !skip) { 720 if (!s->s3->hs.tls12.reuse_message && !skip) {
721 if (s->internal->debug) { 721 if (s->internal->debug) {
722 if ((ret = BIO_flush(s->wbio)) <= 0) 722 if ((ret = BIO_flush(s->wbio)) <= 0)
723 goto end; 723 goto end;
724 } 724 }
725 725
726 726
727 if (S3I(s)->hs.state != state) { 727 if (s->s3->hs.state != state) {
728 new_state = S3I(s)->hs.state; 728 new_state = s->s3->hs.state;
729 S3I(s)->hs.state = state; 729 s->s3->hs.state = state;
730 ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1); 730 ssl_info_callback(s, SSL_CB_ACCEPT_LOOP, 1);
731 S3I(s)->hs.state = new_state; 731 s->s3->hs.state = new_state;
732 } 732 }
733 } 733 }
734 skip = 0; 734 skip = 0;
@@ -748,14 +748,14 @@ ssl3_send_hello_request(SSL *s)
748 748
749 memset(&cbb, 0, sizeof(cbb)); 749 memset(&cbb, 0, sizeof(cbb));
750 750
751 if (S3I(s)->hs.state == SSL3_ST_SW_HELLO_REQ_A) { 751 if (s->s3->hs.state == SSL3_ST_SW_HELLO_REQ_A) {
752 if (!ssl3_handshake_msg_start(s, &cbb, &hello, 752 if (!ssl3_handshake_msg_start(s, &cbb, &hello,
753 SSL3_MT_HELLO_REQUEST)) 753 SSL3_MT_HELLO_REQUEST))
754 goto err; 754 goto err;
755 if (!ssl3_handshake_msg_finish(s, &cbb)) 755 if (!ssl3_handshake_msg_finish(s, &cbb))
756 goto err; 756 goto err;
757 757
758 S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_B; 758 s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_B;
759 } 759 }
760 760
761 /* SSL3_ST_SW_HELLO_REQ_B */ 761 /* SSL3_ST_SW_HELLO_REQ_B */
@@ -790,8 +790,8 @@ ssl3_get_client_hello(SSL *s)
790 * If we are SSLv3, we will respond with SSLv3, even if prompted with 790 * If we are SSLv3, we will respond with SSLv3, even if prompted with
791 * TLSv1. 791 * TLSv1.
792 */ 792 */
793 if (S3I(s)->hs.state == SSL3_ST_SR_CLNT_HELLO_A) 793 if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A)
794 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_B; 794 s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B;
795 795
796 s->internal->first_packet = 1; 796 s->internal->first_packet = 1;
797 if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, 797 if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B,
@@ -845,11 +845,11 @@ ssl3_get_client_hello(SSL *s)
845 al = SSL_AD_PROTOCOL_VERSION; 845 al = SSL_AD_PROTOCOL_VERSION;
846 goto fatal_err; 846 goto fatal_err;
847 } 847 }
848 S3I(s)->hs.peer_legacy_version = client_version; 848 s->s3->hs.peer_legacy_version = client_version;
849 s->version = shared_version; 849 s->version = shared_version;
850 850
851 S3I(s)->hs.negotiated_tls_version = ssl_tls_version(shared_version); 851 s->s3->hs.negotiated_tls_version = ssl_tls_version(shared_version);
852 if (S3I(s)->hs.negotiated_tls_version == 0) { 852 if (s->s3->hs.negotiated_tls_version == 0) {
853 SSLerror(s, ERR_R_INTERNAL_ERROR); 853 SSLerror(s, ERR_R_INTERNAL_ERROR);
854 goto err; 854 goto err;
855 } 855 }
@@ -1015,7 +1015,7 @@ ssl3_get_client_hello(SSL *s)
1015 if (CBS_len(&cbs) != 0) 1015 if (CBS_len(&cbs) != 0)
1016 goto decode_err; 1016 goto decode_err;
1017 1017
1018 if (!S3I(s)->renegotiate_seen && s->internal->renegotiate) { 1018 if (!s->s3->renegotiate_seen && s->internal->renegotiate) {
1019 al = SSL_AD_HANDSHAKE_FAILURE; 1019 al = SSL_AD_HANDSHAKE_FAILURE;
1020 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); 1020 SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
1021 goto fatal_err; 1021 goto fatal_err;
@@ -1034,8 +1034,8 @@ ssl3_get_client_hello(SSL *s)
1034 */ 1034 */
1035 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 1035 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
1036 1036
1037 if (S3I(s)->hs.our_max_tls_version >= TLS1_2_VERSION && 1037 if (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION &&
1038 S3I(s)->hs.negotiated_tls_version < S3I(s)->hs.our_max_tls_version) { 1038 s->s3->hs.negotiated_tls_version < s->s3->hs.our_max_tls_version) {
1039 /* 1039 /*
1040 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 1040 * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3
1041 * we must set the last 8 bytes of the server random to magical 1041 * we must set the last 8 bytes of the server random to magical
@@ -1044,7 +1044,7 @@ ssl3_get_client_hello(SSL *s)
1044 */ 1044 */
1045 size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12); 1045 size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12);
1046 uint8_t *magic = &s->s3->server_random[index]; 1046 uint8_t *magic = &s->s3->server_random[index];
1047 if (S3I(s)->hs.negotiated_tls_version == TLS1_2_VERSION) { 1047 if (s->s3->hs.negotiated_tls_version == TLS1_2_VERSION) {
1048 /* Indicate we chose to downgrade to 1.2. */ 1048 /* Indicate we chose to downgrade to 1.2. */
1049 memcpy(magic, tls13_downgrade_12, 1049 memcpy(magic, tls13_downgrade_12,
1050 sizeof(tls13_downgrade_12)); 1050 sizeof(tls13_downgrade_12));
@@ -1107,15 +1107,15 @@ ssl3_get_client_hello(SSL *s)
1107 SSLerror(s, SSL_R_NO_SHARED_CIPHER); 1107 SSLerror(s, SSL_R_NO_SHARED_CIPHER);
1108 goto fatal_err; 1108 goto fatal_err;
1109 } 1109 }
1110 S3I(s)->hs.cipher = c; 1110 s->s3->hs.cipher = c;
1111 } else { 1111 } else {
1112 S3I(s)->hs.cipher = s->session->cipher; 1112 s->s3->hs.cipher = s->session->cipher;
1113 } 1113 }
1114 1114
1115 if (!tls1_transcript_hash_init(s)) 1115 if (!tls1_transcript_hash_init(s))
1116 goto err; 1116 goto err;
1117 1117
1118 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 1118 alg_k = s->s3->hs.cipher->algorithm_mkey;
1119 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || 1119 if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) ||
1120 !(s->verify_mode & SSL_VERIFY_PEER)) 1120 !(s->verify_mode & SSL_VERIFY_PEER))
1121 tls1_transcript_free(s); 1121 tls1_transcript_free(s);
@@ -1160,7 +1160,7 @@ ssl3_send_dtls_hello_verify_request(SSL *s)
1160 1160
1161 memset(&cbb, 0, sizeof(cbb)); 1161 memset(&cbb, 0, sizeof(cbb));
1162 1162
1163 if (S3I(s)->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { 1163 if (s->s3->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) {
1164 if (s->ctx->internal->app_gen_cookie_cb == NULL || 1164 if (s->ctx->internal->app_gen_cookie_cb == NULL ||
1165 s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie, 1165 s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie,
1166 &(s->d1->cookie_len)) == 0) { 1166 &(s->d1->cookie_len)) == 0) {
@@ -1185,10 +1185,10 @@ ssl3_send_dtls_hello_verify_request(SSL *s)
1185 if (!ssl3_handshake_msg_finish(s, &cbb)) 1185 if (!ssl3_handshake_msg_finish(s, &cbb))
1186 goto err; 1186 goto err;
1187 1187
1188 S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; 1188 s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
1189 } 1189 }
1190 1190
1191 /* S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */ 1191 /* s->s3->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
1192 return (ssl3_handshake_write(s)); 1192 return (ssl3_handshake_write(s));
1193 1193
1194 err: 1194 err:
@@ -1205,7 +1205,7 @@ ssl3_send_server_hello(SSL *s)
1205 1205
1206 memset(&cbb, 0, sizeof(cbb)); 1206 memset(&cbb, 0, sizeof(cbb));
1207 1207
1208 if (S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) { 1208 if (s->s3->hs.state == SSL3_ST_SW_SRVR_HELLO_A) {
1209 if (!ssl3_handshake_msg_start(s, &cbb, &server_hello, 1209 if (!ssl3_handshake_msg_start(s, &cbb, &server_hello,
1210 SSL3_MT_SERVER_HELLO)) 1210 SSL3_MT_SERVER_HELLO))
1211 goto err; 1211 goto err;
@@ -1250,7 +1250,7 @@ ssl3_send_server_hello(SSL *s)
1250 1250
1251 /* Cipher suite. */ 1251 /* Cipher suite. */
1252 if (!CBB_add_u16(&server_hello, 1252 if (!CBB_add_u16(&server_hello,
1253 ssl3_cipher_get_value(S3I(s)->hs.cipher))) 1253 ssl3_cipher_get_value(s->s3->hs.cipher)))
1254 goto err; 1254 goto err;
1255 1255
1256 /* Compression method (null). */ 1256 /* Compression method (null). */
@@ -1283,14 +1283,14 @@ ssl3_send_server_done(SSL *s)
1283 1283
1284 memset(&cbb, 0, sizeof(cbb)); 1284 memset(&cbb, 0, sizeof(cbb));
1285 1285
1286 if (S3I(s)->hs.state == SSL3_ST_SW_SRVR_DONE_A) { 1286 if (s->s3->hs.state == SSL3_ST_SW_SRVR_DONE_A) {
1287 if (!ssl3_handshake_msg_start(s, &cbb, &done, 1287 if (!ssl3_handshake_msg_start(s, &cbb, &done,
1288 SSL3_MT_SERVER_DONE)) 1288 SSL3_MT_SERVER_DONE))
1289 goto err; 1289 goto err;
1290 if (!ssl3_handshake_msg_finish(s, &cbb)) 1290 if (!ssl3_handshake_msg_finish(s, &cbb))
1291 goto err; 1291 goto err;
1292 1292
1293 S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_B; 1293 s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_B;
1294 } 1294 }
1295 1295
1296 /* SSL3_ST_SW_SRVR_DONE_B */ 1296 /* SSL3_ST_SW_SRVR_DONE_B */
@@ -1307,8 +1307,8 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1307{ 1307{
1308 int nid = NID_dhKeyAgreement; 1308 int nid = NID_dhKeyAgreement;
1309 1309
1310 tls_key_share_free(S3I(s)->hs.key_share); 1310 tls_key_share_free(s->s3->hs.key_share);
1311 if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL) 1311 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1312 goto err; 1312 goto err;
1313 1313
1314 if (s->cert->dhe_params_auto != 0) { 1314 if (s->cert->dhe_params_auto != 0) {
@@ -1320,14 +1320,14 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1320 SSL_AD_INTERNAL_ERROR); 1320 SSL_AD_INTERNAL_ERROR);
1321 goto err; 1321 goto err;
1322 } 1322 }
1323 tls_key_share_set_key_bits(S3I(s)->hs.key_share, 1323 tls_key_share_set_key_bits(s->s3->hs.key_share,
1324 key_bits); 1324 key_bits);
1325 } else { 1325 } else {
1326 DH *dh_params = s->cert->dhe_params; 1326 DH *dh_params = s->cert->dhe_params;
1327 1327
1328 if (dh_params == NULL && s->cert->dhe_params_cb != NULL) 1328 if (dh_params == NULL && s->cert->dhe_params_cb != NULL)
1329 dh_params = s->cert->dhe_params_cb(s, 0, 1329 dh_params = s->cert->dhe_params_cb(s, 0,
1330 SSL_C_PKEYLENGTH(S3I(s)->hs.cipher)); 1330 SSL_C_PKEYLENGTH(s->s3->hs.cipher));
1331 1331
1332 if (dh_params == NULL) { 1332 if (dh_params == NULL) {
1333 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); 1333 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
@@ -1336,16 +1336,16 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
1336 goto err; 1336 goto err;
1337 } 1337 }
1338 1338
1339 if (!tls_key_share_set_dh_params(S3I(s)->hs.key_share, dh_params)) 1339 if (!tls_key_share_set_dh_params(s->s3->hs.key_share, dh_params))
1340 goto err; 1340 goto err;
1341 } 1341 }
1342 1342
1343 if (!tls_key_share_generate(S3I(s)->hs.key_share)) 1343 if (!tls_key_share_generate(s->s3->hs.key_share))
1344 goto err; 1344 goto err;
1345 1345
1346 if (!tls_key_share_params(S3I(s)->hs.key_share, cbb)) 1346 if (!tls_key_share_params(s->s3->hs.key_share, cbb))
1347 goto err; 1347 goto err;
1348 if (!tls_key_share_public(S3I(s)->hs.key_share, cbb)) 1348 if (!tls_key_share_public(s->s3->hs.key_share, cbb))
1349 goto err; 1349 goto err;
1350 1350
1351 return 1; 1351 return 1;
@@ -1366,11 +1366,11 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
1366 goto err; 1366 goto err;
1367 } 1367 }
1368 1368
1369 tls_key_share_free(S3I(s)->hs.key_share); 1369 tls_key_share_free(s->s3->hs.key_share);
1370 if ((S3I(s)->hs.key_share = tls_key_share_new_nid(nid)) == NULL) 1370 if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
1371 goto err; 1371 goto err;
1372 1372
1373 if (!tls_key_share_generate(S3I(s)->hs.key_share)) 1373 if (!tls_key_share_generate(s->s3->hs.key_share))
1374 goto err; 1374 goto err;
1375 1375
1376 /* 1376 /*
@@ -1378,11 +1378,11 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
1378 */ 1378 */
1379 if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE)) 1379 if (!CBB_add_u8(cbb, NAMED_CURVE_TYPE))
1380 goto err; 1380 goto err;
1381 if (!CBB_add_u16(cbb, tls_key_share_group(S3I(s)->hs.key_share))) 1381 if (!CBB_add_u16(cbb, tls_key_share_group(s->s3->hs.key_share)))
1382 goto err; 1382 goto err;
1383 if (!CBB_add_u8_length_prefixed(cbb, &public)) 1383 if (!CBB_add_u8_length_prefixed(cbb, &public))
1384 goto err; 1384 goto err;
1385 if (!tls_key_share_public(S3I(s)->hs.key_share, &public)) 1385 if (!tls_key_share_public(s->s3->hs.key_share, &public))
1386 goto err; 1386 goto err;
1387 if (!CBB_flush(cbb)) 1387 if (!CBB_flush(cbb))
1388 goto err; 1388 goto err;
@@ -1415,7 +1415,7 @@ ssl3_send_server_key_exchange(SSL *s)
1415 if ((md_ctx = EVP_MD_CTX_new()) == NULL) 1415 if ((md_ctx = EVP_MD_CTX_new()) == NULL)
1416 goto err; 1416 goto err;
1417 1417
1418 if (S3I(s)->hs.state == SSL3_ST_SW_KEY_EXCH_A) { 1418 if (s->s3->hs.state == SSL3_ST_SW_KEY_EXCH_A) {
1419 1419
1420 if (!ssl3_handshake_msg_start(s, &cbb, &server_kex, 1420 if (!ssl3_handshake_msg_start(s, &cbb, &server_kex,
1421 SSL3_MT_SERVER_KEY_EXCHANGE)) 1421 SSL3_MT_SERVER_KEY_EXCHANGE))
@@ -1424,7 +1424,7 @@ ssl3_send_server_key_exchange(SSL *s)
1424 if (!CBB_init(&cbb_params, 0)) 1424 if (!CBB_init(&cbb_params, 0))
1425 goto err; 1425 goto err;
1426 1426
1427 type = S3I(s)->hs.cipher->algorithm_mkey; 1427 type = s->s3->hs.cipher->algorithm_mkey;
1428 if (type & SSL_kDHE) { 1428 if (type & SSL_kDHE) {
1429 if (!ssl3_send_server_kex_dhe(s, &cbb_params)) 1429 if (!ssl3_send_server_kex_dhe(s, &cbb_params))
1430 goto err; 1430 goto err;
@@ -1444,13 +1444,13 @@ ssl3_send_server_key_exchange(SSL *s)
1444 goto err; 1444 goto err;
1445 1445
1446 /* Add signature unless anonymous. */ 1446 /* Add signature unless anonymous. */
1447 if (!(S3I(s)->hs.cipher->algorithm_auth & SSL_aNULL)) { 1447 if (!(s->s3->hs.cipher->algorithm_auth & SSL_aNULL)) {
1448 if ((pkey = ssl_get_sign_pkey(s, S3I(s)->hs.cipher, 1448 if ((pkey = ssl_get_sign_pkey(s, s->s3->hs.cipher,
1449 &md, &sigalg)) == NULL) { 1449 &md, &sigalg)) == NULL) {
1450 al = SSL_AD_DECODE_ERROR; 1450 al = SSL_AD_DECODE_ERROR;
1451 goto fatal_err; 1451 goto fatal_err;
1452 } 1452 }
1453 S3I(s)->hs.our_sigalg = sigalg; 1453 s->s3->hs.our_sigalg = sigalg;
1454 1454
1455 /* Send signature algorithm. */ 1455 /* Send signature algorithm. */
1456 if (SSL_USE_SIGALGS(s)) { 1456 if (SSL_USE_SIGALGS(s)) {
@@ -1511,7 +1511,7 @@ ssl3_send_server_key_exchange(SSL *s)
1511 if (!ssl3_handshake_msg_finish(s, &cbb)) 1511 if (!ssl3_handshake_msg_finish(s, &cbb))
1512 goto err; 1512 goto err;
1513 1513
1514 S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_B; 1514 s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_B;
1515 } 1515 }
1516 1516
1517 EVP_MD_CTX_free(md_ctx); 1517 EVP_MD_CTX_free(md_ctx);
@@ -1546,7 +1546,7 @@ ssl3_send_certificate_request(SSL *s)
1546 1546
1547 memset(&cbb, 0, sizeof(cbb)); 1547 memset(&cbb, 0, sizeof(cbb));
1548 1548
1549 if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) { 1549 if (s->s3->hs.state == SSL3_ST_SW_CERT_REQ_A) {
1550 if (!ssl3_handshake_msg_start(s, &cbb, &cert_request, 1550 if (!ssl3_handshake_msg_start(s, &cbb, &cert_request,
1551 SSL3_MT_CERTIFICATE_REQUEST)) 1551 SSL3_MT_CERTIFICATE_REQUEST))
1552 goto err; 1552 goto err;
@@ -1561,7 +1561,7 @@ ssl3_send_certificate_request(SSL *s)
1561 &sigalgs)) 1561 &sigalgs))
1562 goto err; 1562 goto err;
1563 if (!ssl_sigalgs_build( 1563 if (!ssl_sigalgs_build(
1564 S3I(s)->hs.negotiated_tls_version, &sigalgs)) 1564 s->s3->hs.negotiated_tls_version, &sigalgs))
1565 goto err; 1565 goto err;
1566 } 1566 }
1567 1567
@@ -1587,7 +1587,7 @@ ssl3_send_certificate_request(SSL *s)
1587 if (!ssl3_handshake_msg_finish(s, &cbb)) 1587 if (!ssl3_handshake_msg_finish(s, &cbb))
1588 goto err; 1588 goto err;
1589 1589
1590 S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B; 1590 s->s3->hs.state = SSL3_ST_SW_CERT_REQ_B;
1591 } 1591 }
1592 1592
1593 /* SSL3_ST_SW_CERT_REQ_B */ 1593 /* SSL3_ST_SW_CERT_REQ_B */
@@ -1614,8 +1614,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
1614 1614
1615 arc4random_buf(fakekey, sizeof(fakekey)); 1615 arc4random_buf(fakekey, sizeof(fakekey));
1616 1616
1617 fakekey[0] = S3I(s)->hs.peer_legacy_version >> 8; 1617 fakekey[0] = s->s3->hs.peer_legacy_version >> 8;
1618 fakekey[1] = S3I(s)->hs.peer_legacy_version & 0xff; 1618 fakekey[1] = s->s3->hs.peer_legacy_version & 0xff;
1619 1619
1620 pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; 1620 pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey;
1621 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) { 1621 if (pkey == NULL || (rsa = EVP_PKEY_get0_RSA(pkey)) == NULL) {
@@ -1648,8 +1648,8 @@ ssl3_get_client_kex_rsa(SSL *s, CBS *cbs)
1648 /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ 1648 /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */
1649 } 1649 }
1650 1650
1651 if ((al == -1) && !((pms[0] == (S3I(s)->hs.peer_legacy_version >> 8)) && 1651 if ((al == -1) && !((pms[0] == (s->s3->hs.peer_legacy_version >> 8)) &&
1652 (pms[1] == (S3I(s)->hs.peer_legacy_version & 0xff)))) { 1652 (pms[1] == (s->s3->hs.peer_legacy_version & 0xff)))) {
1653 /* 1653 /*
1654 * The premaster secret must contain the same version number 1654 * The premaster secret must contain the same version number
1655 * as the ClientHello to detect version rollback attacks 1655 * as the ClientHello to detect version rollback attacks
@@ -1704,13 +1704,13 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
1704 int decode_error, invalid_key; 1704 int decode_error, invalid_key;
1705 int ret = 0; 1705 int ret = 0;
1706 1706
1707 if (S3I(s)->hs.key_share == NULL) { 1707 if (s->s3->hs.key_share == NULL) {
1708 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); 1708 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1709 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1709 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1710 goto err; 1710 goto err;
1711 } 1711 }
1712 1712
1713 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, cbs, 1713 if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
1714 &decode_error, &invalid_key)) { 1714 &decode_error, &invalid_key)) {
1715 if (decode_error) { 1715 if (decode_error) {
1716 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1716 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1724,7 +1724,7 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
1724 goto err; 1724 goto err;
1725 } 1725 }
1726 1726
1727 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) 1727 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1728 goto err; 1728 goto err;
1729 1729
1730 if (!tls12_derive_master_secret(s, key, key_len)) 1730 if (!tls12_derive_master_secret(s, key, key_len))
@@ -1747,7 +1747,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1747 CBS public; 1747 CBS public;
1748 int ret = 0; 1748 int ret = 0;
1749 1749
1750 if (S3I(s)->hs.key_share == NULL) { 1750 if (s->s3->hs.key_share == NULL) {
1751 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 1751 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1752 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY); 1752 SSLerror(s, SSL_R_MISSING_TMP_DH_KEY);
1753 goto err; 1753 goto err;
@@ -1758,7 +1758,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1758 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 1758 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1759 goto err; 1759 goto err;
1760 } 1760 }
1761 if (!tls_key_share_peer_public(S3I(s)->hs.key_share, &public, 1761 if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
1762 &decode_error, NULL)) { 1762 &decode_error, NULL)) {
1763 if (decode_error) { 1763 if (decode_error) {
1764 SSLerror(s, SSL_R_BAD_PACKET_LENGTH); 1764 SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1767,7 +1767,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
1767 goto err; 1767 goto err;
1768 } 1768 }
1769 1769
1770 if (!tls_key_share_derive(S3I(s)->hs.key_share, &key, &key_len)) 1770 if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len))
1771 goto err; 1771 goto err;
1772 1772
1773 if (!tls12_derive_master_secret(s, key, key_len)) 1773 if (!tls12_derive_master_secret(s, key, key_len))
@@ -1792,7 +1792,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs)
1792 CBS gostblob; 1792 CBS gostblob;
1793 1793
1794 /* Get our certificate private key*/ 1794 /* Get our certificate private key*/
1795 if ((S3I(s)->hs.cipher->algorithm_auth & SSL_aGOST01) != 0) 1795 if ((s->s3->hs.cipher->algorithm_auth & SSL_aGOST01) != 0)
1796 pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; 1796 pkey = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
1797 1797
1798 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) 1798 if ((pkey_ctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL)
@@ -1865,7 +1865,7 @@ ssl3_get_client_key_exchange(SSL *s)
1865 1865
1866 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); 1866 CBS_init(&cbs, s->internal->init_msg, s->internal->init_num);
1867 1867
1868 alg_k = S3I(s)->hs.cipher->algorithm_mkey; 1868 alg_k = s->s3->hs.cipher->algorithm_mkey;
1869 1869
1870 if (alg_k & SSL_kRSA) { 1870 if (alg_k & SSL_kRSA) {
1871 if (!ssl3_get_client_kex_rsa(s, &cbs)) 1871 if (!ssl3_get_client_kex_rsa(s, &cbs))
@@ -1932,8 +1932,8 @@ ssl3_get_cert_verify(SSL *s)
1932 pkey = X509_get0_pubkey(peer_cert); 1932 pkey = X509_get0_pubkey(peer_cert);
1933 type = X509_certificate_type(peer_cert, pkey); 1933 type = X509_certificate_type(peer_cert, pkey);
1934 1934
1935 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) { 1935 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE_VERIFY) {
1936 S3I(s)->hs.tls12.reuse_message = 1; 1936 s->s3->hs.tls12.reuse_message = 1;
1937 if (peer_cert != NULL) { 1937 if (peer_cert != NULL) {
1938 al = SSL_AD_UNEXPECTED_MESSAGE; 1938 al = SSL_AD_UNEXPECTED_MESSAGE;
1939 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE); 1939 SSLerror(s, SSL_R_MISSING_VERIFY_MESSAGE);
@@ -1955,7 +1955,7 @@ ssl3_get_cert_verify(SSL *s)
1955 goto fatal_err; 1955 goto fatal_err;
1956 } 1956 }
1957 1957
1958 if (S3I(s)->change_cipher_spec) { 1958 if (s->s3->change_cipher_spec) {
1959 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY); 1959 SSLerror(s, SSL_R_CCS_RECEIVED_EARLY);
1960 al = SSL_AD_UNEXPECTED_MESSAGE; 1960 al = SSL_AD_UNEXPECTED_MESSAGE;
1961 goto fatal_err; 1961 goto fatal_err;
@@ -1984,7 +1984,7 @@ ssl3_get_cert_verify(SSL *s)
1984 al = SSL_AD_DECODE_ERROR; 1984 al = SSL_AD_DECODE_ERROR;
1985 goto fatal_err; 1985 goto fatal_err;
1986 } 1986 }
1987 S3I(s)->hs.peer_sigalg = sigalg; 1987 s->s3->hs.peer_sigalg = sigalg;
1988 1988
1989 if (SSL_USE_SIGALGS(s)) { 1989 if (SSL_USE_SIGALGS(s)) {
1990 EVP_PKEY_CTX *pctx; 1990 EVP_PKEY_CTX *pctx;
@@ -2033,7 +2033,7 @@ ssl3_get_cert_verify(SSL *s)
2033 SSLerror(s, ERR_R_EVP_LIB); 2033 SSLerror(s, ERR_R_EVP_LIB);
2034 goto fatal_err; 2034 goto fatal_err;
2035 } 2035 }
2036 verify = RSA_verify(NID_md5_sha1, S3I(s)->hs.tls12.cert_verify, 2036 verify = RSA_verify(NID_md5_sha1, s->s3->hs.tls12.cert_verify,
2037 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature), 2037 MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, CBS_data(&signature),
2038 CBS_len(&signature), rsa); 2038 CBS_len(&signature), rsa);
2039 if (verify < 0) { 2039 if (verify < 0) {
@@ -2055,7 +2055,7 @@ ssl3_get_cert_verify(SSL *s)
2055 goto fatal_err; 2055 goto fatal_err;
2056 } 2056 }
2057 verify = ECDSA_verify(0, 2057 verify = ECDSA_verify(0,
2058 &(S3I(s)->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]), 2058 &(s->s3->hs.tls12.cert_verify[MD5_DIGEST_LENGTH]),
2059 SHA_DIGEST_LENGTH, CBS_data(&signature), 2059 SHA_DIGEST_LENGTH, CBS_data(&signature),
2060 CBS_len(&signature), eckey); 2060 CBS_len(&signature), eckey);
2061 if (verify <= 0) { 2061 if (verify <= 0) {
@@ -2148,7 +2148,7 @@ ssl3_get_client_certificate(SSL *s)
2148 2148
2149 ret = -1; 2149 ret = -1;
2150 2150
2151 if (S3I(s)->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) { 2151 if (s->s3->hs.tls12.message_type == SSL3_MT_CLIENT_KEY_EXCHANGE) {
2152 if ((s->verify_mode & SSL_VERIFY_PEER) && 2152 if ((s->verify_mode & SSL_VERIFY_PEER) &&
2153 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { 2153 (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
2154 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 2154 SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
@@ -2159,17 +2159,17 @@ ssl3_get_client_certificate(SSL *s)
2159 * If tls asked for a client cert, 2159 * If tls asked for a client cert,
2160 * the client must return a 0 list. 2160 * the client must return a 0 list.
2161 */ 2161 */
2162 if (S3I(s)->hs.tls12.cert_request) { 2162 if (s->s3->hs.tls12.cert_request) {
2163 SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 2163 SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
2164 ); 2164 );
2165 al = SSL_AD_UNEXPECTED_MESSAGE; 2165 al = SSL_AD_UNEXPECTED_MESSAGE;
2166 goto fatal_err; 2166 goto fatal_err;
2167 } 2167 }
2168 S3I(s)->hs.tls12.reuse_message = 1; 2168 s->s3->hs.tls12.reuse_message = 1;
2169 return (1); 2169 return (1);
2170 } 2170 }
2171 2171
2172 if (S3I(s)->hs.tls12.message_type != SSL3_MT_CERTIFICATE) { 2172 if (s->s3->hs.tls12.message_type != SSL3_MT_CERTIFICATE) {
2173 al = SSL_AD_UNEXPECTED_MESSAGE; 2173 al = SSL_AD_UNEXPECTED_MESSAGE;
2174 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE); 2174 SSLerror(s, SSL_R_WRONG_MESSAGE_TYPE);
2175 goto fatal_err; 2175 goto fatal_err;
@@ -2278,7 +2278,7 @@ ssl3_send_server_certificate(SSL *s)
2278 2278
2279 memset(&cbb, 0, sizeof(cbb)); 2279 memset(&cbb, 0, sizeof(cbb));
2280 2280
2281 if (S3I(s)->hs.state == SSL3_ST_SW_CERT_A) { 2281 if (s->s3->hs.state == SSL3_ST_SW_CERT_A) {
2282 if ((cpk = ssl_get_server_send_pkey(s)) == NULL) { 2282 if ((cpk = ssl_get_server_send_pkey(s)) == NULL) {
2283 SSLerror(s, ERR_R_INTERNAL_ERROR); 2283 SSLerror(s, ERR_R_INTERNAL_ERROR);
2284 return (0); 2284 return (0);
@@ -2292,7 +2292,7 @@ ssl3_send_server_certificate(SSL *s)
2292 if (!ssl3_handshake_msg_finish(s, &cbb)) 2292 if (!ssl3_handshake_msg_finish(s, &cbb))
2293 goto err; 2293 goto err;
2294 2294
2295 S3I(s)->hs.state = SSL3_ST_SW_CERT_B; 2295 s->s3->hs.state = SSL3_ST_SW_CERT_B;
2296 } 2296 }
2297 2297
2298 /* SSL3_ST_SW_CERT_B */ 2298 /* SSL3_ST_SW_CERT_B */
@@ -2332,7 +2332,7 @@ ssl3_send_newsession_ticket(SSL *s)
2332 if ((hctx = HMAC_CTX_new()) == NULL) 2332 if ((hctx = HMAC_CTX_new()) == NULL)
2333 goto err; 2333 goto err;
2334 2334
2335 if (S3I(s)->hs.state == SSL3_ST_SW_SESSION_TICKET_A) { 2335 if (s->s3->hs.state == SSL3_ST_SW_SESSION_TICKET_A) {
2336 if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket, 2336 if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket,
2337 SSL3_MT_NEWSESSION_TICKET)) 2337 SSL3_MT_NEWSESSION_TICKET))
2338 goto err; 2338 goto err;
@@ -2417,7 +2417,7 @@ ssl3_send_newsession_ticket(SSL *s)
2417 if (!ssl3_handshake_msg_finish(s, &cbb)) 2417 if (!ssl3_handshake_msg_finish(s, &cbb))
2418 goto err; 2418 goto err;
2419 2419
2420 S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_B; 2420 s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_B;
2421 } 2421 }
2422 2422
2423 EVP_CIPHER_CTX_free(ctx); 2423 EVP_CIPHER_CTX_free(ctx);
@@ -2445,7 +2445,7 @@ ssl3_send_cert_status(SSL *s)
2445 2445
2446 memset(&cbb, 0, sizeof(cbb)); 2446 memset(&cbb, 0, sizeof(cbb));
2447 2447
2448 if (S3I(s)->hs.state == SSL3_ST_SW_CERT_STATUS_A) { 2448 if (s->s3->hs.state == SSL3_ST_SW_CERT_STATUS_A) {
2449 if (!ssl3_handshake_msg_start(s, &cbb, &certstatus, 2449 if (!ssl3_handshake_msg_start(s, &cbb, &certstatus,
2450 SSL3_MT_CERTIFICATE_STATUS)) 2450 SSL3_MT_CERTIFICATE_STATUS))
2451 goto err; 2451 goto err;
@@ -2459,7 +2459,7 @@ ssl3_send_cert_status(SSL *s)
2459 if (!ssl3_handshake_msg_finish(s, &cbb)) 2459 if (!ssl3_handshake_msg_finish(s, &cbb))
2460 goto err; 2460 goto err;
2461 2461
2462 S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_B; 2462 s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_B;
2463 } 2463 }
2464 2464
2465 /* SSL3_ST_SW_CERT_STATUS_B */ 2465 /* SSL3_ST_SW_CERT_STATUS_B */