xref: /freebsd/crypto/openssl/ssl/statem/statem_lib.c (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
1 /*
2  * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10 
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
23 
24 /*
25  * Map error codes to TLS/SSL alart types.
26  */
27 typedef struct x509err2alert_st {
28     int x509err;
29     int alert;
30 } X509ERR2ALERT;
31 
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34     0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35     0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36     0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37 };
38 
39 /*
40  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41  * SSL3_RT_CHANGE_CIPHER_SPEC)
42  */
43 int ssl3_do_write(SSL *s, int type)
44 {
45     int ret;
46     size_t written = 0;
47 
48     ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49                            s->init_num, &written);
50     if (ret < 0)
51         return -1;
52     if (type == SSL3_RT_HANDSHAKE)
53         /*
54          * should not be done for 'Hello Request's, but in that case we'll
55          * ignore the result anyway
56          * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57          */
58         if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59                                  && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60                                  && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61             if (!ssl3_finish_mac(s,
62                                  (unsigned char *)&s->init_buf->data[s->init_off],
63                                  written))
64                 return -1;
65     if (written == s->init_num) {
66         if (s->msg_callback)
67             s->msg_callback(1, s->version, type, s->init_buf->data,
68                             (size_t)(s->init_off + s->init_num), s,
69                             s->msg_callback_arg);
70         return 1;
71     }
72     s->init_off += written;
73     s->init_num -= written;
74     return 0;
75 }
76 
77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
78 {
79     size_t msglen;
80 
81     if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82             || !WPACKET_get_length(pkt, &msglen)
83             || msglen > INT_MAX)
84         return 0;
85     s->init_num = (int)msglen;
86     s->init_off = 0;
87 
88     return 1;
89 }
90 
91 int tls_setup_handshake(SSL *s)
92 {
93     int ver_min, ver_max, ok;
94 
95     if (!ssl3_init_finished_mac(s)) {
96         /* SSLfatal() already called */
97         return 0;
98     }
99 
100     /* Reset any extension flags */
101     memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102 
103     if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
105         return 0;
106     }
107 
108     /* Sanity check that we have MD5-SHA1 if we need it */
109     if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110         int md5sha1_needed = 0;
111 
112         /* We don't have MD5-SHA1 - do we need it? */
113         if (SSL_IS_DTLS(s)) {
114             if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
115                 md5sha1_needed = 1;
116         } else {
117             if (ver_max <= TLS1_1_VERSION)
118                 md5sha1_needed = 1;
119         }
120         if (md5sha1_needed) {
121             SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122                           SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123                           "The max supported SSL/TLS version needs the"
124                           " MD5-SHA1 digest but it is not available"
125                           " in the loaded providers. Use (D)TLSv1.2 or"
126                           " above, or load different providers");
127             return 0;
128         }
129 
130         ok = 1;
131         /* Don't allow TLSv1.1 or below to be negotiated */
132         if (SSL_IS_DTLS(s)) {
133             if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134                 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
135         } else {
136             if (ver_min < TLS1_2_VERSION)
137                 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
138         }
139         if (!ok) {
140             /* Shouldn't happen */
141             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
142             return 0;
143         }
144     }
145 
146     ok = 0;
147     if (s->server) {
148         STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
149         int i;
150 
151         /*
152          * Sanity check that the maximum version we accept has ciphers
153          * enabled. For clients we do this check during construction of the
154          * ClientHello.
155          */
156         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157             const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
158 
159             if (SSL_IS_DTLS(s)) {
160                 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161                         DTLS_VERSION_LE(ver_max, c->max_dtls))
162                     ok = 1;
163             } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
164                 ok = 1;
165             }
166             if (ok)
167                 break;
168         }
169         if (!ok) {
170             SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171                           SSL_R_NO_CIPHERS_AVAILABLE,
172                           "No ciphers enabled for max supported "
173                           "SSL/TLS version");
174             return 0;
175         }
176         if (SSL_IS_FIRST_HANDSHAKE(s)) {
177             /* N.B. s->session_ctx == s->ctx here */
178             ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
179         } else {
180             /* N.B. s->ctx may not equal s->session_ctx */
181             ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
182 
183             s->s3.tmp.cert_request = 0;
184         }
185     } else {
186         if (SSL_IS_FIRST_HANDSHAKE(s))
187             ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
188         else
189             ssl_tsan_counter(s->session_ctx,
190                          &s->session_ctx->stats.sess_connect_renegotiate);
191 
192         /* mark client_random uninitialized */
193         memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
194         s->hit = 0;
195 
196         s->s3.tmp.cert_req = 0;
197 
198         if (SSL_IS_DTLS(s))
199             s->statem.use_timer = 1;
200     }
201 
202     return 1;
203 }
204 
205 /*
206  * Size of the to-be-signed TLS13 data, without the hash size itself:
207  * 64 bytes of value 32, 33 context bytes, 1 byte separator
208  */
209 #define TLS13_TBS_START_SIZE            64
210 #define TLS13_TBS_PREAMBLE_SIZE         (TLS13_TBS_START_SIZE + 33 + 1)
211 
212 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
213                                     void **hdata, size_t *hdatalen)
214 {
215 #ifdef CHARSET_EBCDIC
216     static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
217      0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
218      0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
219      0x69, 0x66, 0x79, 0x00 };
220     static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
221      0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
222      0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223      0x69, 0x66, 0x79, 0x00 };
224 #else
225     static const char servercontext[] = "TLS 1.3, server CertificateVerify";
226     static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
227 #endif
228     if (SSL_IS_TLS13(s)) {
229         size_t hashlen;
230 
231         /* Set the first 64 bytes of to-be-signed data to octet 32 */
232         memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
233         /* This copies the 33 bytes of context plus the 0 separator byte */
234         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
235                  || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
236             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237         else
238             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
239 
240         /*
241          * If we're currently reading then we need to use the saved handshake
242          * hash value. We can't use the current handshake hash state because
243          * that includes the CertVerify itself.
244          */
245         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
246                 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
247             memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
248                    s->cert_verify_hash_len);
249             hashlen = s->cert_verify_hash_len;
250         } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
251                                        EVP_MAX_MD_SIZE, &hashlen)) {
252             /* SSLfatal() already called */
253             return 0;
254         }
255 
256         *hdata = tls13tbs;
257         *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
258     } else {
259         size_t retlen;
260         long retlen_l;
261 
262         retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
263         if (retlen_l <= 0) {
264             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
265             return 0;
266         }
267         *hdatalen = retlen;
268     }
269 
270     return 1;
271 }
272 
273 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274 {
275     EVP_PKEY *pkey = NULL;
276     const EVP_MD *md = NULL;
277     EVP_MD_CTX *mctx = NULL;
278     EVP_PKEY_CTX *pctx = NULL;
279     size_t hdatalen = 0, siglen = 0;
280     void *hdata;
281     unsigned char *sig = NULL;
282     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
283     const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
284 
285     if (lu == NULL || s->s3.tmp.cert == NULL) {
286         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
287         goto err;
288     }
289     pkey = s->s3.tmp.cert->privatekey;
290 
291     if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
292         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
293         goto err;
294     }
295 
296     mctx = EVP_MD_CTX_new();
297     if (mctx == NULL) {
298         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
299         goto err;
300     }
301 
302     /* Get the data to be signed */
303     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
304         /* SSLfatal() already called */
305         goto err;
306     }
307 
308     if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
309         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
310         goto err;
311     }
312 
313     if (EVP_DigestSignInit_ex(mctx, &pctx,
314                               md == NULL ? NULL : EVP_MD_get0_name(md),
315                               s->ctx->libctx, s->ctx->propq, pkey,
316                               NULL) <= 0) {
317         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
318         goto err;
319     }
320 
321     if (lu->sig == EVP_PKEY_RSA_PSS) {
322         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
323             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
324                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
325             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
326             goto err;
327         }
328     }
329     if (s->version == SSL3_VERSION) {
330         /*
331          * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
332          * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
333          */
334         if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
335             || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
336                                (int)s->session->master_key_length,
337                                s->session->master_key) <= 0
338             || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
339 
340             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341             goto err;
342         }
343         sig = OPENSSL_malloc(siglen);
344         if (sig == NULL
345                 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
346             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
347             goto err;
348         }
349     } else {
350         /*
351          * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
352          * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
353          */
354         if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
355             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
356             goto err;
357         }
358         sig = OPENSSL_malloc(siglen);
359         if (sig == NULL
360                 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
361             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
362             goto err;
363         }
364     }
365 
366 #ifndef OPENSSL_NO_GOST
367     {
368         int pktype = lu->sig;
369 
370         if (pktype == NID_id_GostR3410_2001
371             || pktype == NID_id_GostR3410_2012_256
372             || pktype == NID_id_GostR3410_2012_512)
373             BUF_reverse(sig, NULL, siglen);
374     }
375 #endif
376 
377     if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
378         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379         goto err;
380     }
381 
382     /* Digest cached records and discard handshake buffer */
383     if (!ssl3_digest_cached_records(s, 0)) {
384         /* SSLfatal() already called */
385         goto err;
386     }
387 
388     OPENSSL_free(sig);
389     EVP_MD_CTX_free(mctx);
390     return 1;
391  err:
392     OPENSSL_free(sig);
393     EVP_MD_CTX_free(mctx);
394     return 0;
395 }
396 
397 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
398 {
399     EVP_PKEY *pkey = NULL;
400     const unsigned char *data;
401 #ifndef OPENSSL_NO_GOST
402     unsigned char *gost_data = NULL;
403 #endif
404     MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
405     int j;
406     unsigned int len;
407     X509 *peer;
408     const EVP_MD *md = NULL;
409     size_t hdatalen = 0;
410     void *hdata;
411     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
412     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
413     EVP_PKEY_CTX *pctx = NULL;
414 
415     if (mctx == NULL) {
416         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
417         goto err;
418     }
419 
420     peer = s->session->peer;
421     pkey = X509_get0_pubkey(peer);
422     if (pkey == NULL) {
423         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
424         goto err;
425     }
426 
427     if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
428         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
429                  SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
430         goto err;
431     }
432 
433     if (SSL_USE_SIGALGS(s)) {
434         unsigned int sigalg;
435 
436         if (!PACKET_get_net_2(pkt, &sigalg)) {
437             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
438             goto err;
439         }
440         if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
441             /* SSLfatal() already called */
442             goto err;
443         }
444     } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
445             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
446                      SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
447             goto err;
448     }
449 
450     if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
451         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
452         goto err;
453     }
454 
455     if (SSL_USE_SIGALGS(s))
456         OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
457                     md == NULL ? "n/a" : EVP_MD_get0_name(md));
458 
459     /* Check for broken implementations of GOST ciphersuites */
460     /*
461      * If key is GOST and len is exactly 64 or 128, it is signature without
462      * length field (CryptoPro implementations at least till TLS 1.2)
463      */
464 #ifndef OPENSSL_NO_GOST
465     if (!SSL_USE_SIGALGS(s)
466         && ((PACKET_remaining(pkt) == 64
467              && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
468                  || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
469             || (PACKET_remaining(pkt) == 128
470                 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
471         len = PACKET_remaining(pkt);
472     } else
473 #endif
474     if (!PACKET_get_net_2(pkt, &len)) {
475         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
476         goto err;
477     }
478 
479     if (!PACKET_get_bytes(pkt, &data, len)) {
480         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
481         goto err;
482     }
483 
484     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
485         /* SSLfatal() already called */
486         goto err;
487     }
488 
489     OSSL_TRACE1(TLS, "Using client verify alg %s\n",
490                 md == NULL ? "n/a" : EVP_MD_get0_name(md));
491 
492     if (EVP_DigestVerifyInit_ex(mctx, &pctx,
493                                 md == NULL ? NULL : EVP_MD_get0_name(md),
494                                 s->ctx->libctx, s->ctx->propq, pkey,
495                                 NULL) <= 0) {
496         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
497         goto err;
498     }
499 #ifndef OPENSSL_NO_GOST
500     {
501         int pktype = EVP_PKEY_get_id(pkey);
502         if (pktype == NID_id_GostR3410_2001
503             || pktype == NID_id_GostR3410_2012_256
504             || pktype == NID_id_GostR3410_2012_512) {
505             if ((gost_data = OPENSSL_malloc(len)) == NULL) {
506                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
507                 goto err;
508             }
509             BUF_reverse(gost_data, data, len);
510             data = gost_data;
511         }
512     }
513 #endif
514 
515     if (SSL_USE_PSS(s)) {
516         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
517             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
518                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
519             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
520             goto err;
521         }
522     }
523     if (s->version == SSL3_VERSION) {
524         if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
525                 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
526                                    (int)s->session->master_key_length,
527                                     s->session->master_key) <= 0) {
528             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
529             goto err;
530         }
531         if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
532             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
533             goto err;
534         }
535     } else {
536         j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
537         if (j <= 0) {
538             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
539             goto err;
540         }
541     }
542 
543     /*
544      * In TLSv1.3 on the client side we make sure we prepare the client
545      * certificate after the CertVerify instead of when we get the
546      * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
547      * comes *before* the Certificate message. In TLSv1.2 it comes after. We
548      * want to make sure that SSL_get1_peer_certificate() will return the actual
549      * server certificate from the client_cert_cb callback.
550      */
551     if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
552         ret = MSG_PROCESS_CONTINUE_PROCESSING;
553     else
554         ret = MSG_PROCESS_CONTINUE_READING;
555  err:
556     BIO_free(s->s3.handshake_buffer);
557     s->s3.handshake_buffer = NULL;
558     EVP_MD_CTX_free(mctx);
559 #ifndef OPENSSL_NO_GOST
560     OPENSSL_free(gost_data);
561 #endif
562     return ret;
563 }
564 
565 int tls_construct_finished(SSL *s, WPACKET *pkt)
566 {
567     size_t finish_md_len;
568     const char *sender;
569     size_t slen;
570 
571     /* This is a real handshake so make sure we clean it up at the end */
572     if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
573         s->statem.cleanuphand = 1;
574 
575     /*
576      * We only change the keys if we didn't already do this when we sent the
577      * client certificate
578      */
579     if (SSL_IS_TLS13(s)
580             && !s->server
581             && s->s3.tmp.cert_req == 0
582             && (!s->method->ssl3_enc->change_cipher_state(s,
583                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
584         /* SSLfatal() already called */
585         return 0;
586     }
587 
588     if (s->server) {
589         sender = s->method->ssl3_enc->server_finished_label;
590         slen = s->method->ssl3_enc->server_finished_label_len;
591     } else {
592         sender = s->method->ssl3_enc->client_finished_label;
593         slen = s->method->ssl3_enc->client_finished_label_len;
594     }
595 
596     finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
597                                                           sender, slen,
598                                                           s->s3.tmp.finish_md);
599     if (finish_md_len == 0) {
600         /* SSLfatal() already called */
601         return 0;
602     }
603 
604     s->s3.tmp.finish_md_len = finish_md_len;
605 
606     if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
607         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
608         return 0;
609     }
610 
611     /*
612      * Log the master secret, if logging is enabled. We don't log it for
613      * TLSv1.3: there's a different key schedule for that.
614      */
615     if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
616                                             s->session->master_key,
617                                             s->session->master_key_length)) {
618         /* SSLfatal() already called */
619         return 0;
620     }
621 
622     /*
623      * Copy the finished so we can use it for renegotiation checks
624      */
625     if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
626         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
627         return 0;
628     }
629     if (!s->server) {
630         memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
631                finish_md_len);
632         s->s3.previous_client_finished_len = finish_md_len;
633     } else {
634         memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
635                finish_md_len);
636         s->s3.previous_server_finished_len = finish_md_len;
637     }
638 
639     return 1;
640 }
641 
642 int tls_construct_key_update(SSL *s, WPACKET *pkt)
643 {
644     if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
645         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
646         return 0;
647     }
648 
649     s->key_update = SSL_KEY_UPDATE_NONE;
650     return 1;
651 }
652 
653 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
654 {
655     unsigned int updatetype;
656 
657     /*
658      * A KeyUpdate message signals a key change so the end of the message must
659      * be on a record boundary.
660      */
661     if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
662         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
663         return MSG_PROCESS_ERROR;
664     }
665 
666     if (!PACKET_get_1(pkt, &updatetype)
667             || PACKET_remaining(pkt) != 0) {
668         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
669         return MSG_PROCESS_ERROR;
670     }
671 
672     /*
673      * There are only two defined key update types. Fail if we get a value we
674      * didn't recognise.
675      */
676     if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
677             && updatetype != SSL_KEY_UPDATE_REQUESTED) {
678         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
679         return MSG_PROCESS_ERROR;
680     }
681 
682     /*
683      * If we get a request for us to update our sending keys too then, we need
684      * to additionally send a KeyUpdate message. However that message should
685      * not also request an update (otherwise we get into an infinite loop).
686      */
687     if (updatetype == SSL_KEY_UPDATE_REQUESTED)
688         s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
689 
690     if (!tls13_update_key(s, 0)) {
691         /* SSLfatal() already called */
692         return MSG_PROCESS_ERROR;
693     }
694 
695     return MSG_PROCESS_FINISHED_READING;
696 }
697 
698 /*
699  * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
700  * to far.
701  */
702 int ssl3_take_mac(SSL *s)
703 {
704     const char *sender;
705     size_t slen;
706 
707     if (!s->server) {
708         sender = s->method->ssl3_enc->server_finished_label;
709         slen = s->method->ssl3_enc->server_finished_label_len;
710     } else {
711         sender = s->method->ssl3_enc->client_finished_label;
712         slen = s->method->ssl3_enc->client_finished_label_len;
713     }
714 
715     s->s3.tmp.peer_finish_md_len =
716         s->method->ssl3_enc->final_finish_mac(s, sender, slen,
717                                               s->s3.tmp.peer_finish_md);
718 
719     if (s->s3.tmp.peer_finish_md_len == 0) {
720         /* SSLfatal() already called */
721         return 0;
722     }
723 
724     return 1;
725 }
726 
727 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
728 {
729     size_t remain;
730 
731     remain = PACKET_remaining(pkt);
732     /*
733      * 'Change Cipher Spec' is just a single byte, which should already have
734      * been consumed by ssl_get_message() so there should be no bytes left,
735      * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
736      */
737     if (SSL_IS_DTLS(s)) {
738         if ((s->version == DTLS1_BAD_VER
739              && remain != DTLS1_CCS_HEADER_LENGTH + 1)
740             || (s->version != DTLS1_BAD_VER
741                 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
742             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
743             return MSG_PROCESS_ERROR;
744         }
745     } else {
746         if (remain != 0) {
747             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
748             return MSG_PROCESS_ERROR;
749         }
750     }
751 
752     /* Check we have a cipher to change to */
753     if (s->s3.tmp.new_cipher == NULL) {
754         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
755         return MSG_PROCESS_ERROR;
756     }
757 
758     s->s3.change_cipher_spec = 1;
759     if (!ssl3_do_change_cipher_spec(s)) {
760         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
761         return MSG_PROCESS_ERROR;
762     }
763 
764     if (SSL_IS_DTLS(s)) {
765         dtls1_reset_seq_numbers(s, SSL3_CC_READ);
766 
767         if (s->version == DTLS1_BAD_VER)
768             s->d1->handshake_read_seq++;
769 
770 #ifndef OPENSSL_NO_SCTP
771         /*
772          * Remember that a CCS has been received, so that an old key of
773          * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
774          * SCTP is used
775          */
776         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
777 #endif
778     }
779 
780     return MSG_PROCESS_CONTINUE_READING;
781 }
782 
783 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
784 {
785     size_t md_len;
786 
787 
788     /* This is a real handshake so make sure we clean it up at the end */
789     if (s->server) {
790         /*
791         * To get this far we must have read encrypted data from the client. We
792         * no longer tolerate unencrypted alerts. This value is ignored if less
793         * than TLSv1.3
794         */
795         s->statem.enc_read_state = ENC_READ_STATE_VALID;
796         if (s->post_handshake_auth != SSL_PHA_REQUESTED)
797             s->statem.cleanuphand = 1;
798         if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
799                 /* SSLfatal() already called */
800                 return MSG_PROCESS_ERROR;
801         }
802     }
803 
804     /*
805      * In TLSv1.3 a Finished message signals a key change so the end of the
806      * message must be on a record boundary.
807      */
808     if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
809         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
810         return MSG_PROCESS_ERROR;
811     }
812 
813     /* If this occurs, we have missed a message */
814     if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
815         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
816         return MSG_PROCESS_ERROR;
817     }
818     s->s3.change_cipher_spec = 0;
819 
820     md_len = s->s3.tmp.peer_finish_md_len;
821 
822     if (md_len != PACKET_remaining(pkt)) {
823         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
824         return MSG_PROCESS_ERROR;
825     }
826 
827     if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
828                       md_len) != 0) {
829         SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
830         return MSG_PROCESS_ERROR;
831     }
832 
833     /*
834      * Copy the finished so we can use it for renegotiation checks
835      */
836     if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
837         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
838         return MSG_PROCESS_ERROR;
839     }
840     if (s->server) {
841         memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
842                md_len);
843         s->s3.previous_client_finished_len = md_len;
844     } else {
845         memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
846                md_len);
847         s->s3.previous_server_finished_len = md_len;
848     }
849 
850     /*
851      * In TLS1.3 we also have to change cipher state and do any final processing
852      * of the initial server flight (if we are a client)
853      */
854     if (SSL_IS_TLS13(s)) {
855         if (s->server) {
856             if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
857                     !s->method->ssl3_enc->change_cipher_state(s,
858                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
859                 /* SSLfatal() already called */
860                 return MSG_PROCESS_ERROR;
861             }
862         } else {
863             /* TLS 1.3 gets the secret size from the handshake md */
864             size_t dummy;
865             if (!s->method->ssl3_enc->generate_master_secret(s,
866                     s->master_secret, s->handshake_secret, 0,
867                     &dummy)) {
868                 /* SSLfatal() already called */
869                 return MSG_PROCESS_ERROR;
870             }
871             if (!s->method->ssl3_enc->change_cipher_state(s,
872                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
873                 /* SSLfatal() already called */
874                 return MSG_PROCESS_ERROR;
875             }
876             if (!tls_process_initial_server_flight(s)) {
877                 /* SSLfatal() already called */
878                 return MSG_PROCESS_ERROR;
879             }
880         }
881     }
882 
883     return MSG_PROCESS_FINISHED_READING;
884 }
885 
886 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
887 {
888     if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
889         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
890         return 0;
891     }
892 
893     return 1;
894 }
895 
896 /* Add a certificate to the WPACKET */
897 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
898 {
899     int len;
900     unsigned char *outbytes;
901 
902     len = i2d_X509(x, NULL);
903     if (len < 0) {
904         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
905         return 0;
906     }
907     if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
908             || i2d_X509(x, &outbytes) != len) {
909         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
910         return 0;
911     }
912 
913     if (SSL_IS_TLS13(s)
914             && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
915                                          chain)) {
916         /* SSLfatal() already called */
917         return 0;
918     }
919 
920     return 1;
921 }
922 
923 /* Add certificate chain to provided WPACKET */
924 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
925 {
926     int i, chain_count;
927     X509 *x;
928     STACK_OF(X509) *extra_certs;
929     STACK_OF(X509) *chain = NULL;
930     X509_STORE *chain_store;
931 
932     if (cpk == NULL || cpk->x509 == NULL)
933         return 1;
934 
935     x = cpk->x509;
936 
937     /*
938      * If we have a certificate specific chain use it, else use parent ctx.
939      */
940     if (cpk->chain != NULL)
941         extra_certs = cpk->chain;
942     else
943         extra_certs = s->ctx->extra_certs;
944 
945     if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
946         chain_store = NULL;
947     else if (s->cert->chain_store)
948         chain_store = s->cert->chain_store;
949     else
950         chain_store = s->ctx->cert_store;
951 
952     if (chain_store != NULL) {
953         X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
954                                                        s->ctx->propq);
955 
956         if (xs_ctx == NULL) {
957             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
958             return 0;
959         }
960         if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
961             X509_STORE_CTX_free(xs_ctx);
962             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
963             return 0;
964         }
965         /*
966          * It is valid for the chain not to be complete (because normally we
967          * don't include the root cert in the chain). Therefore we deliberately
968          * ignore the error return from this call. We're not actually verifying
969          * the cert - we're just building as much of the chain as we can
970          */
971         (void)X509_verify_cert(xs_ctx);
972         /* Don't leave errors in the queue */
973         ERR_clear_error();
974         chain = X509_STORE_CTX_get0_chain(xs_ctx);
975         i = ssl_security_cert_chain(s, chain, NULL, 0);
976         if (i != 1) {
977 #if 0
978             /* Dummy error calls so mkerr generates them */
979             ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
980             ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
981             ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
982 #endif
983             X509_STORE_CTX_free(xs_ctx);
984             SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
985             return 0;
986         }
987         chain_count = sk_X509_num(chain);
988         for (i = 0; i < chain_count; i++) {
989             x = sk_X509_value(chain, i);
990 
991             if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
992                 /* SSLfatal() already called */
993                 X509_STORE_CTX_free(xs_ctx);
994                 return 0;
995             }
996         }
997         X509_STORE_CTX_free(xs_ctx);
998     } else {
999         i = ssl_security_cert_chain(s, extra_certs, x, 0);
1000         if (i != 1) {
1001             SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1002             return 0;
1003         }
1004         if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1005             /* SSLfatal() already called */
1006             return 0;
1007         }
1008         for (i = 0; i < sk_X509_num(extra_certs); i++) {
1009             x = sk_X509_value(extra_certs, i);
1010             if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1011                 /* SSLfatal() already called */
1012                 return 0;
1013             }
1014         }
1015     }
1016     return 1;
1017 }
1018 
1019 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1020 {
1021     if (!WPACKET_start_sub_packet_u24(pkt)) {
1022         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1023         return 0;
1024     }
1025 
1026     if (!ssl_add_cert_chain(s, pkt, cpk))
1027         return 0;
1028 
1029     if (!WPACKET_close(pkt)) {
1030         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1031         return 0;
1032     }
1033 
1034     return 1;
1035 }
1036 
1037 /*
1038  * Tidy up after the end of a handshake. In the case of SCTP this may result
1039  * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1040  * freed up as well.
1041  */
1042 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1043                                 int clearbufs, int stop)
1044 {
1045     void (*cb) (const SSL *ssl, int type, int val) = NULL;
1046     int cleanuphand = s->statem.cleanuphand;
1047 
1048     if (clearbufs) {
1049         if (!SSL_IS_DTLS(s)
1050 #ifndef OPENSSL_NO_SCTP
1051             /*
1052              * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1053              * messages that require it. Therefore, DTLS procedures for retransmissions
1054              * MUST NOT be used.
1055              * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1056              */
1057             || BIO_dgram_is_sctp(SSL_get_wbio(s))
1058 #endif
1059             ) {
1060             /*
1061              * We don't do this in DTLS over UDP because we may still need the init_buf
1062              * in case there are any unexpected retransmits
1063              */
1064             BUF_MEM_free(s->init_buf);
1065             s->init_buf = NULL;
1066         }
1067 
1068         if (!ssl_free_wbio_buffer(s)) {
1069             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1070             return WORK_ERROR;
1071         }
1072         s->init_num = 0;
1073     }
1074 
1075     if (SSL_IS_TLS13(s) && !s->server
1076             && s->post_handshake_auth == SSL_PHA_REQUESTED)
1077         s->post_handshake_auth = SSL_PHA_EXT_SENT;
1078 
1079     /*
1080      * Only set if there was a Finished message and this isn't after a TLSv1.3
1081      * post handshake exchange
1082      */
1083     if (cleanuphand) {
1084         /* skipped if we just sent a HelloRequest */
1085         s->renegotiate = 0;
1086         s->new_session = 0;
1087         s->statem.cleanuphand = 0;
1088         s->ext.ticket_expected = 0;
1089 
1090         ssl3_cleanup_key_block(s);
1091 
1092         if (s->server) {
1093             /*
1094              * In TLSv1.3 we update the cache as part of constructing the
1095              * NewSessionTicket
1096              */
1097             if (!SSL_IS_TLS13(s))
1098                 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1099 
1100             /* N.B. s->ctx may not equal s->session_ctx */
1101             ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
1102             s->handshake_func = ossl_statem_accept;
1103         } else {
1104             if (SSL_IS_TLS13(s)) {
1105                 /*
1106                  * We encourage applications to only use TLSv1.3 tickets once,
1107                  * so we remove this one from the cache.
1108                  */
1109                 if ((s->session_ctx->session_cache_mode
1110                      & SSL_SESS_CACHE_CLIENT) != 0)
1111                     SSL_CTX_remove_session(s->session_ctx, s->session);
1112             } else {
1113                 /*
1114                  * In TLSv1.3 we update the cache as part of processing the
1115                  * NewSessionTicket
1116                  */
1117                 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1118             }
1119             if (s->hit)
1120                 ssl_tsan_counter(s->session_ctx,
1121                                  &s->session_ctx->stats.sess_hit);
1122 
1123             s->handshake_func = ossl_statem_connect;
1124             ssl_tsan_counter(s->session_ctx,
1125                              &s->session_ctx->stats.sess_connect_good);
1126         }
1127 
1128         if (SSL_IS_DTLS(s)) {
1129             /* done with handshaking */
1130             s->d1->handshake_read_seq = 0;
1131             s->d1->handshake_write_seq = 0;
1132             s->d1->next_handshake_write_seq = 0;
1133             dtls1_clear_received_buffer(s);
1134         }
1135     }
1136 
1137     if (s->info_callback != NULL)
1138         cb = s->info_callback;
1139     else if (s->ctx->info_callback != NULL)
1140         cb = s->ctx->info_callback;
1141 
1142     /* The callback may expect us to not be in init at handshake done */
1143     ossl_statem_set_in_init(s, 0);
1144 
1145     if (cb != NULL) {
1146         if (cleanuphand
1147                 || !SSL_IS_TLS13(s)
1148                 || SSL_IS_FIRST_HANDSHAKE(s))
1149             cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1150     }
1151 
1152     if (!stop) {
1153         /* If we've got more work to do we go back into init */
1154         ossl_statem_set_in_init(s, 1);
1155         return WORK_FINISHED_CONTINUE;
1156     }
1157 
1158     return WORK_FINISHED_STOP;
1159 }
1160 
1161 int tls_get_message_header(SSL *s, int *mt)
1162 {
1163     /* s->init_num < SSL3_HM_HEADER_LENGTH */
1164     int skip_message, i, recvd_type;
1165     unsigned char *p;
1166     size_t l, readbytes;
1167 
1168     p = (unsigned char *)s->init_buf->data;
1169 
1170     do {
1171         while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1172             i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1173                                           &p[s->init_num],
1174                                           SSL3_HM_HEADER_LENGTH - s->init_num,
1175                                           0, &readbytes);
1176             if (i <= 0) {
1177                 s->rwstate = SSL_READING;
1178                 return 0;
1179             }
1180             if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1181                 /*
1182                  * A ChangeCipherSpec must be a single byte and may not occur
1183                  * in the middle of a handshake message.
1184                  */
1185                 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1186                     SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1187                              SSL_R_BAD_CHANGE_CIPHER_SPEC);
1188                     return 0;
1189                 }
1190                 if (s->statem.hand_state == TLS_ST_BEFORE
1191                         && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1192                     /*
1193                      * We are stateless and we received a CCS. Probably this is
1194                      * from a client between the first and second ClientHellos.
1195                      * We should ignore this, but return an error because we do
1196                      * not return success until we see the second ClientHello
1197                      * with a valid cookie.
1198                      */
1199                     return 0;
1200                 }
1201                 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1202                 s->init_num = readbytes - 1;
1203                 s->init_msg = s->init_buf->data;
1204                 s->s3.tmp.message_size = readbytes;
1205                 return 1;
1206             } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1207                 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1208                          SSL_R_CCS_RECEIVED_EARLY);
1209                 return 0;
1210             }
1211             s->init_num += readbytes;
1212         }
1213 
1214         skip_message = 0;
1215         if (!s->server)
1216             if (s->statem.hand_state != TLS_ST_OK
1217                     && p[0] == SSL3_MT_HELLO_REQUEST)
1218                 /*
1219                  * The server may always send 'Hello Request' messages --
1220                  * we are doing a handshake anyway now, so ignore them if
1221                  * their format is correct. Does not count for 'Finished'
1222                  * MAC.
1223                  */
1224                 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1225                     s->init_num = 0;
1226                     skip_message = 1;
1227 
1228                     if (s->msg_callback)
1229                         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1230                                         p, SSL3_HM_HEADER_LENGTH, s,
1231                                         s->msg_callback_arg);
1232                 }
1233     } while (skip_message);
1234     /* s->init_num == SSL3_HM_HEADER_LENGTH */
1235 
1236     *mt = *p;
1237     s->s3.tmp.message_type = *(p++);
1238 
1239     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1240         /*
1241          * Only happens with SSLv3+ in an SSLv2 backward compatible
1242          * ClientHello
1243          *
1244          * Total message size is the remaining record bytes to read
1245          * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1246          */
1247         l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1248             + SSL3_HM_HEADER_LENGTH;
1249         s->s3.tmp.message_size = l;
1250 
1251         s->init_msg = s->init_buf->data;
1252         s->init_num = SSL3_HM_HEADER_LENGTH;
1253     } else {
1254         n2l3(p, l);
1255         /* BUF_MEM_grow takes an 'int' parameter */
1256         if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1257             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1258                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
1259             return 0;
1260         }
1261         s->s3.tmp.message_size = l;
1262 
1263         s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1264         s->init_num = 0;
1265     }
1266 
1267     return 1;
1268 }
1269 
1270 int tls_get_message_body(SSL *s, size_t *len)
1271 {
1272     size_t n, readbytes;
1273     unsigned char *p;
1274     int i;
1275 
1276     if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1277         /* We've already read everything in */
1278         *len = (unsigned long)s->init_num;
1279         return 1;
1280     }
1281 
1282     p = s->init_msg;
1283     n = s->s3.tmp.message_size - s->init_num;
1284     while (n > 0) {
1285         i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1286                                       &p[s->init_num], n, 0, &readbytes);
1287         if (i <= 0) {
1288             s->rwstate = SSL_READING;
1289             *len = 0;
1290             return 0;
1291         }
1292         s->init_num += readbytes;
1293         n -= readbytes;
1294     }
1295 
1296     /*
1297      * If receiving Finished, record MAC of prior handshake messages for
1298      * Finished verification.
1299      */
1300     if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1301         /* SSLfatal() already called */
1302         *len = 0;
1303         return 0;
1304     }
1305 
1306     /* Feed this message into MAC computation. */
1307     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1308         if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1309                              s->init_num)) {
1310             /* SSLfatal() already called */
1311             *len = 0;
1312             return 0;
1313         }
1314         if (s->msg_callback)
1315             s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1316                             (size_t)s->init_num, s, s->msg_callback_arg);
1317     } else {
1318         /*
1319          * We defer feeding in the HRR until later. We'll do it as part of
1320          * processing the message
1321          * The TLsv1.3 handshake transcript stops at the ClientFinished
1322          * message.
1323          */
1324 #define SERVER_HELLO_RANDOM_OFFSET  (SSL3_HM_HEADER_LENGTH + 2)
1325         /* KeyUpdate and NewSessionTicket do not need to be added */
1326         if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1327                                  && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1328             if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1329                     || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1330                     || memcmp(hrrrandom,
1331                               s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1332                               SSL3_RANDOM_SIZE) != 0) {
1333                 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1334                                      s->init_num + SSL3_HM_HEADER_LENGTH)) {
1335                     /* SSLfatal() already called */
1336                     *len = 0;
1337                     return 0;
1338                 }
1339             }
1340         }
1341         if (s->msg_callback)
1342             s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1343                             (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1344                             s->msg_callback_arg);
1345     }
1346 
1347     *len = s->init_num;
1348     return 1;
1349 }
1350 
1351 static const X509ERR2ALERT x509table[] = {
1352     {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1353     {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1354     {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1355     {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1356     {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1357     {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1358     {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1359     {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1360     {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1361     {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1362     {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1363     {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1364     {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1365     {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1366     {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1367     {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1368     {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1369     {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1370     {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1371     {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1372     {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1373     {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1374     {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1375     {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1376     {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1377     {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1378     {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1379     {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1380     {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1381     {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1382     {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1383     {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1384     {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1385     {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1386     {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1387     {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1388     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1389     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1390     {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1391     {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1392 
1393     /* Last entry; return this if we don't find the value above. */
1394     {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1395 };
1396 
1397 int ssl_x509err2alert(int x509err)
1398 {
1399     const X509ERR2ALERT *tp;
1400 
1401     for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1402         if (tp->x509err == x509err)
1403             break;
1404     return tp->alert;
1405 }
1406 
1407 int ssl_allow_compression(SSL *s)
1408 {
1409     if (s->options & SSL_OP_NO_COMPRESSION)
1410         return 0;
1411     return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1412 }
1413 
1414 static int version_cmp(const SSL *s, int a, int b)
1415 {
1416     int dtls = SSL_IS_DTLS(s);
1417 
1418     if (a == b)
1419         return 0;
1420     if (!dtls)
1421         return a < b ? -1 : 1;
1422     return DTLS_VERSION_LT(a, b) ? -1 : 1;
1423 }
1424 
1425 typedef struct {
1426     int version;
1427     const SSL_METHOD *(*cmeth) (void);
1428     const SSL_METHOD *(*smeth) (void);
1429 } version_info;
1430 
1431 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1432 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1433 #endif
1434 
1435 /* Must be in order high to low */
1436 static const version_info tls_version_table[] = {
1437 #ifndef OPENSSL_NO_TLS1_3
1438     {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1439 #else
1440     {TLS1_3_VERSION, NULL, NULL},
1441 #endif
1442 #ifndef OPENSSL_NO_TLS1_2
1443     {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1444 #else
1445     {TLS1_2_VERSION, NULL, NULL},
1446 #endif
1447 #ifndef OPENSSL_NO_TLS1_1
1448     {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1449 #else
1450     {TLS1_1_VERSION, NULL, NULL},
1451 #endif
1452 #ifndef OPENSSL_NO_TLS1
1453     {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1454 #else
1455     {TLS1_VERSION, NULL, NULL},
1456 #endif
1457 #ifndef OPENSSL_NO_SSL3
1458     {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1459 #else
1460     {SSL3_VERSION, NULL, NULL},
1461 #endif
1462     {0, NULL, NULL},
1463 };
1464 
1465 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1466 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1467 #endif
1468 
1469 /* Must be in order high to low */
1470 static const version_info dtls_version_table[] = {
1471 #ifndef OPENSSL_NO_DTLS1_2
1472     {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1473 #else
1474     {DTLS1_2_VERSION, NULL, NULL},
1475 #endif
1476 #ifndef OPENSSL_NO_DTLS1
1477     {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1478     {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1479 #else
1480     {DTLS1_VERSION, NULL, NULL},
1481     {DTLS1_BAD_VER, NULL, NULL},
1482 #endif
1483     {0, NULL, NULL},
1484 };
1485 
1486 /*
1487  * ssl_method_error - Check whether an SSL_METHOD is enabled.
1488  *
1489  * @s: The SSL handle for the candidate method
1490  * @method: the intended method.
1491  *
1492  * Returns 0 on success, or an SSL error reason on failure.
1493  */
1494 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1495 {
1496     int version = method->version;
1497 
1498     if ((s->min_proto_version != 0 &&
1499          version_cmp(s, version, s->min_proto_version) < 0) ||
1500         ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1501         return SSL_R_VERSION_TOO_LOW;
1502 
1503     if (s->max_proto_version != 0 &&
1504         version_cmp(s, version, s->max_proto_version) > 0)
1505         return SSL_R_VERSION_TOO_HIGH;
1506 
1507     if ((s->options & method->mask) != 0)
1508         return SSL_R_UNSUPPORTED_PROTOCOL;
1509     if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1510         return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1511 
1512     return 0;
1513 }
1514 
1515 /*
1516  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1517  * certificate type, or has PSK or a certificate callback configured, or has
1518  * a servername callback configure. Otherwise returns 0.
1519  */
1520 static int is_tls13_capable(const SSL *s)
1521 {
1522     int i;
1523     int curve;
1524 
1525     if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1526         return 0;
1527 
1528     /*
1529      * A servername callback can change the available certs, so if a servername
1530      * cb is set then we just assume TLSv1.3 will be ok
1531      */
1532     if (s->ctx->ext.servername_cb != NULL
1533             || s->session_ctx->ext.servername_cb != NULL)
1534         return 1;
1535 
1536 #ifndef OPENSSL_NO_PSK
1537     if (s->psk_server_callback != NULL)
1538         return 1;
1539 #endif
1540 
1541     if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1542         return 1;
1543 
1544     for (i = 0; i < SSL_PKEY_NUM; i++) {
1545         /* Skip over certs disallowed for TLSv1.3 */
1546         switch (i) {
1547         case SSL_PKEY_DSA_SIGN:
1548         case SSL_PKEY_GOST01:
1549         case SSL_PKEY_GOST12_256:
1550         case SSL_PKEY_GOST12_512:
1551             continue;
1552         default:
1553             break;
1554         }
1555         if (!ssl_has_cert(s, i))
1556             continue;
1557         if (i != SSL_PKEY_ECC)
1558             return 1;
1559         /*
1560          * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1561          * more restrictive so check that our sig algs are consistent with this
1562          * EC cert. See section 4.2.3 of RFC8446.
1563          */
1564         curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1565         if (tls_check_sigalg_curve(s, curve))
1566             return 1;
1567     }
1568 
1569     return 0;
1570 }
1571 
1572 /*
1573  * ssl_version_supported - Check that the specified `version` is supported by
1574  * `SSL *` instance
1575  *
1576  * @s: The SSL handle for the candidate method
1577  * @version: Protocol version to test against
1578  *
1579  * Returns 1 when supported, otherwise 0
1580  */
1581 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1582 {
1583     const version_info *vent;
1584     const version_info *table;
1585 
1586     switch (s->method->version) {
1587     default:
1588         /* Version should match method version for non-ANY method */
1589         return version_cmp(s, version, s->version) == 0;
1590     case TLS_ANY_VERSION:
1591         table = tls_version_table;
1592         break;
1593     case DTLS_ANY_VERSION:
1594         table = dtls_version_table;
1595         break;
1596     }
1597 
1598     for (vent = table;
1599          vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1600          ++vent) {
1601         if (vent->cmeth != NULL
1602                 && version_cmp(s, version, vent->version) == 0
1603                 && ssl_method_error(s, vent->cmeth()) == 0
1604                 && (!s->server
1605                     || version != TLS1_3_VERSION
1606                     || is_tls13_capable(s))) {
1607             if (meth != NULL)
1608                 *meth = vent->cmeth();
1609             return 1;
1610         }
1611     }
1612     return 0;
1613 }
1614 
1615 /*
1616  * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1617  * fallback indication from a client check whether we're using the highest
1618  * supported protocol version.
1619  *
1620  * @s server SSL handle.
1621  *
1622  * Returns 1 when using the highest enabled version, 0 otherwise.
1623  */
1624 int ssl_check_version_downgrade(SSL *s)
1625 {
1626     const version_info *vent;
1627     const version_info *table;
1628 
1629     /*
1630      * Check that the current protocol is the highest enabled version
1631      * (according to s->ctx->method, as version negotiation may have changed
1632      * s->method).
1633      */
1634     if (s->version == s->ctx->method->version)
1635         return 1;
1636 
1637     /*
1638      * Apparently we're using a version-flexible SSL_METHOD (not at its
1639      * highest protocol version).
1640      */
1641     if (s->ctx->method->version == TLS_method()->version)
1642         table = tls_version_table;
1643     else if (s->ctx->method->version == DTLS_method()->version)
1644         table = dtls_version_table;
1645     else {
1646         /* Unexpected state; fail closed. */
1647         return 0;
1648     }
1649 
1650     for (vent = table; vent->version != 0; ++vent) {
1651         if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1652             return s->version == vent->version;
1653     }
1654     return 0;
1655 }
1656 
1657 /*
1658  * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1659  * protocols, provided the initial (D)TLS method is version-flexible.  This
1660  * function sanity-checks the proposed value and makes sure the method is
1661  * version-flexible, then sets the limit if all is well.
1662  *
1663  * @method_version: The version of the current SSL_METHOD.
1664  * @version: the intended limit.
1665  * @bound: pointer to limit to be updated.
1666  *
1667  * Returns 1 on success, 0 on failure.
1668  */
1669 int ssl_set_version_bound(int method_version, int version, int *bound)
1670 {
1671     int valid_tls;
1672     int valid_dtls;
1673 
1674     if (version == 0) {
1675         *bound = version;
1676         return 1;
1677     }
1678 
1679     valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1680     valid_dtls =
1681         DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1682         DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1683 
1684     if (!valid_tls && !valid_dtls)
1685         return 0;
1686 
1687     /*-
1688      * Restrict TLS methods to TLS protocol versions.
1689      * Restrict DTLS methods to DTLS protocol versions.
1690      * Note, DTLS version numbers are decreasing, use comparison macros.
1691      *
1692      * Note that for both lower-bounds we use explicit versions, not
1693      * (D)TLS_MIN_VERSION.  This is because we don't want to break user
1694      * configurations.  If the MIN (supported) version ever rises, the user's
1695      * "floor" remains valid even if no longer available.  We don't expect the
1696      * MAX ceiling to ever get lower, so making that variable makes sense.
1697      *
1698      * We ignore attempts to set bounds on version-inflexible methods,
1699      * returning success.
1700      */
1701     switch (method_version) {
1702     default:
1703         break;
1704 
1705     case TLS_ANY_VERSION:
1706         if (valid_tls)
1707             *bound = version;
1708         break;
1709 
1710     case DTLS_ANY_VERSION:
1711         if (valid_dtls)
1712             *bound = version;
1713         break;
1714     }
1715     return 1;
1716 }
1717 
1718 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1719 {
1720     if (vers == TLS1_2_VERSION
1721             && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1722         *dgrd = DOWNGRADE_TO_1_2;
1723     } else if (!SSL_IS_DTLS(s)
1724             && vers < TLS1_2_VERSION
1725                /*
1726                 * We need to ensure that a server that disables TLSv1.2
1727                 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1728                 * complete handshakes with clients that support TLSv1.2 and
1729                 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1730                 * enabled and TLSv1.2 is not.
1731                 */
1732             && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1733         *dgrd = DOWNGRADE_TO_1_1;
1734     } else {
1735         *dgrd = DOWNGRADE_NONE;
1736     }
1737 }
1738 
1739 /*
1740  * ssl_choose_server_version - Choose server (D)TLS version.  Called when the
1741  * client HELLO is received to select the final server protocol version and
1742  * the version specific method.
1743  *
1744  * @s: server SSL handle.
1745  *
1746  * Returns 0 on success or an SSL error reason number on failure.
1747  */
1748 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1749 {
1750     /*-
1751      * With version-flexible methods we have an initial state with:
1752      *
1753      *   s->method->version == (D)TLS_ANY_VERSION,
1754      *   s->version == (D)TLS_MAX_VERSION_INTERNAL.
1755      *
1756      * So we detect version-flexible methods via the method version, not the
1757      * handle version.
1758      */
1759     int server_version = s->method->version;
1760     int client_version = hello->legacy_version;
1761     const version_info *vent;
1762     const version_info *table;
1763     int disabled = 0;
1764     RAW_EXTENSION *suppversions;
1765 
1766     s->client_version = client_version;
1767 
1768     switch (server_version) {
1769     default:
1770         if (!SSL_IS_TLS13(s)) {
1771             if (version_cmp(s, client_version, s->version) < 0)
1772                 return SSL_R_WRONG_SSL_VERSION;
1773             *dgrd = DOWNGRADE_NONE;
1774             /*
1775              * If this SSL handle is not from a version flexible method we don't
1776              * (and never did) check min/max FIPS or Suite B constraints.  Hope
1777              * that's OK.  It is up to the caller to not choose fixed protocol
1778              * versions they don't want.  If not, then easy to fix, just return
1779              * ssl_method_error(s, s->method)
1780              */
1781             return 0;
1782         }
1783         /*
1784          * Fall through if we are TLSv1.3 already (this means we must be after
1785          * a HelloRetryRequest
1786          */
1787         /* fall thru */
1788     case TLS_ANY_VERSION:
1789         table = tls_version_table;
1790         break;
1791     case DTLS_ANY_VERSION:
1792         table = dtls_version_table;
1793         break;
1794     }
1795 
1796     suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1797 
1798     /* If we did an HRR then supported versions is mandatory */
1799     if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1800         return SSL_R_UNSUPPORTED_PROTOCOL;
1801 
1802     if (suppversions->present && !SSL_IS_DTLS(s)) {
1803         unsigned int candidate_vers = 0;
1804         unsigned int best_vers = 0;
1805         const SSL_METHOD *best_method = NULL;
1806         PACKET versionslist;
1807 
1808         suppversions->parsed = 1;
1809 
1810         if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1811             /* Trailing or invalid data? */
1812             return SSL_R_LENGTH_MISMATCH;
1813         }
1814 
1815         /*
1816          * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1817          * The spec only requires servers to check that it isn't SSLv3:
1818          * "Any endpoint receiving a Hello message with
1819          * ClientHello.legacy_version or ServerHello.legacy_version set to
1820          * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1821          * We are slightly stricter and require that it isn't SSLv3 or lower.
1822          * We tolerate TLSv1 and TLSv1.1.
1823          */
1824         if (client_version <= SSL3_VERSION)
1825             return SSL_R_BAD_LEGACY_VERSION;
1826 
1827         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1828             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1829                 continue;
1830             if (ssl_version_supported(s, candidate_vers, &best_method))
1831                 best_vers = candidate_vers;
1832         }
1833         if (PACKET_remaining(&versionslist) != 0) {
1834             /* Trailing data? */
1835             return SSL_R_LENGTH_MISMATCH;
1836         }
1837 
1838         if (best_vers > 0) {
1839             if (s->hello_retry_request != SSL_HRR_NONE) {
1840                 /*
1841                  * This is after a HelloRetryRequest so we better check that we
1842                  * negotiated TLSv1.3
1843                  */
1844                 if (best_vers != TLS1_3_VERSION)
1845                     return SSL_R_UNSUPPORTED_PROTOCOL;
1846                 return 0;
1847             }
1848             check_for_downgrade(s, best_vers, dgrd);
1849             s->version = best_vers;
1850             s->method = best_method;
1851             return 0;
1852         }
1853         return SSL_R_UNSUPPORTED_PROTOCOL;
1854     }
1855 
1856     /*
1857      * If the supported versions extension isn't present, then the highest
1858      * version we can negotiate is TLSv1.2
1859      */
1860     if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1861         client_version = TLS1_2_VERSION;
1862 
1863     /*
1864      * No supported versions extension, so we just use the version supplied in
1865      * the ClientHello.
1866      */
1867     for (vent = table; vent->version != 0; ++vent) {
1868         const SSL_METHOD *method;
1869 
1870         if (vent->smeth == NULL ||
1871             version_cmp(s, client_version, vent->version) < 0)
1872             continue;
1873         method = vent->smeth();
1874         if (ssl_method_error(s, method) == 0) {
1875             check_for_downgrade(s, vent->version, dgrd);
1876             s->version = vent->version;
1877             s->method = method;
1878             return 0;
1879         }
1880         disabled = 1;
1881     }
1882     return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1883 }
1884 
1885 /*
1886  * ssl_choose_client_version - Choose client (D)TLS version.  Called when the
1887  * server HELLO is received to select the final client protocol version and
1888  * the version specific method.
1889  *
1890  * @s: client SSL handle.
1891  * @version: The proposed version from the server's HELLO.
1892  * @extensions: The extensions received
1893  *
1894  * Returns 1 on success or 0 on error.
1895  */
1896 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1897 {
1898     const version_info *vent;
1899     const version_info *table;
1900     int ret, ver_min, ver_max, real_max, origv;
1901 
1902     origv = s->version;
1903     s->version = version;
1904 
1905     /* This will overwrite s->version if the extension is present */
1906     if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1907                              SSL_EXT_TLS1_2_SERVER_HELLO
1908                              | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1909                              NULL, 0)) {
1910         s->version = origv;
1911         return 0;
1912     }
1913 
1914     if (s->hello_retry_request != SSL_HRR_NONE
1915             && s->version != TLS1_3_VERSION) {
1916         s->version = origv;
1917         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1918         return 0;
1919     }
1920 
1921     switch (s->method->version) {
1922     default:
1923         if (s->version != s->method->version) {
1924             s->version = origv;
1925             SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1926             return 0;
1927         }
1928         /*
1929          * If this SSL handle is not from a version flexible method we don't
1930          * (and never did) check min/max, FIPS or Suite B constraints.  Hope
1931          * that's OK.  It is up to the caller to not choose fixed protocol
1932          * versions they don't want.  If not, then easy to fix, just return
1933          * ssl_method_error(s, s->method)
1934          */
1935         return 1;
1936     case TLS_ANY_VERSION:
1937         table = tls_version_table;
1938         break;
1939     case DTLS_ANY_VERSION:
1940         table = dtls_version_table;
1941         break;
1942     }
1943 
1944     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1945     if (ret != 0) {
1946         s->version = origv;
1947         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1948         return 0;
1949     }
1950     if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1951                        : s->version < ver_min) {
1952         s->version = origv;
1953         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1954         return 0;
1955     } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1956                               : s->version > ver_max) {
1957         s->version = origv;
1958         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1959         return 0;
1960     }
1961 
1962     if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1963         real_max = ver_max;
1964 
1965     /* Check for downgrades */
1966     if (s->version == TLS1_2_VERSION && real_max > s->version) {
1967         if (memcmp(tls12downgrade,
1968                    s->s3.server_random + SSL3_RANDOM_SIZE
1969                                         - sizeof(tls12downgrade),
1970                    sizeof(tls12downgrade)) == 0) {
1971             s->version = origv;
1972             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1973                      SSL_R_INAPPROPRIATE_FALLBACK);
1974             return 0;
1975         }
1976     } else if (!SSL_IS_DTLS(s)
1977                && s->version < TLS1_2_VERSION
1978                && real_max > s->version) {
1979         if (memcmp(tls11downgrade,
1980                    s->s3.server_random + SSL3_RANDOM_SIZE
1981                                         - sizeof(tls11downgrade),
1982                    sizeof(tls11downgrade)) == 0) {
1983             s->version = origv;
1984             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1985                      SSL_R_INAPPROPRIATE_FALLBACK);
1986             return 0;
1987         }
1988     }
1989 
1990     for (vent = table; vent->version != 0; ++vent) {
1991         if (vent->cmeth == NULL || s->version != vent->version)
1992             continue;
1993 
1994         s->method = vent->cmeth();
1995         return 1;
1996     }
1997 
1998     s->version = origv;
1999     SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2000     return 0;
2001 }
2002 
2003 /*
2004  * ssl_get_min_max_version - get minimum and maximum protocol version
2005  * @s: The SSL connection
2006  * @min_version: The minimum supported version
2007  * @max_version: The maximum supported version
2008  * @real_max:    The highest version below the lowest compile time version hole
2009  *               where that hole lies above at least one run-time enabled
2010  *               protocol.
2011  *
2012  * Work out what version we should be using for the initial ClientHello if the
2013  * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
2014  * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2015  * constraints and any floor imposed by the security level here,
2016  * so we don't advertise the wrong protocol version to only reject the outcome later.
2017  *
2018  * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
2019  * TLS 1.1 is disabled, but the security level, Suite-B  and/or MinProtocol
2020  * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2021  *
2022  * Returns 0 on success or an SSL error reason number on failure.  On failure
2023  * min_version and max_version will also be set to 0.
2024  */
2025 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2026                             int *real_max)
2027 {
2028     int version, tmp_real_max;
2029     int hole;
2030     const SSL_METHOD *single = NULL;
2031     const SSL_METHOD *method;
2032     const version_info *table;
2033     const version_info *vent;
2034 
2035     switch (s->method->version) {
2036     default:
2037         /*
2038          * If this SSL handle is not from a version flexible method we don't
2039          * (and never did) check min/max FIPS or Suite B constraints.  Hope
2040          * that's OK.  It is up to the caller to not choose fixed protocol
2041          * versions they don't want.  If not, then easy to fix, just return
2042          * ssl_method_error(s, s->method)
2043          */
2044         *min_version = *max_version = s->version;
2045         /*
2046          * Providing a real_max only makes sense where we're using a version
2047          * flexible method.
2048          */
2049         if (!ossl_assert(real_max == NULL))
2050             return ERR_R_INTERNAL_ERROR;
2051         return 0;
2052     case TLS_ANY_VERSION:
2053         table = tls_version_table;
2054         break;
2055     case DTLS_ANY_VERSION:
2056         table = dtls_version_table;
2057         break;
2058     }
2059 
2060     /*
2061      * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2062      * below X enabled. This is required in order to maintain the "version
2063      * capability" vector contiguous. Any versions with a NULL client method
2064      * (protocol version client is disabled at compile-time) is also a "hole".
2065      *
2066      * Our initial state is hole == 1, version == 0.  That is, versions above
2067      * the first version in the method table are disabled (a "hole" above
2068      * the valid protocol entries) and we don't have a selected version yet.
2069      *
2070      * Whenever "hole == 1", and we hit an enabled method, its version becomes
2071      * the selected version, and the method becomes a candidate "single"
2072      * method.  We're no longer in a hole, so "hole" becomes 0.
2073      *
2074      * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2075      * as we support a contiguous range of at least two methods.  If we hit
2076      * a disabled method, then hole becomes true again, but nothing else
2077      * changes yet, because all the remaining methods may be disabled too.
2078      * If we again hit an enabled method after the new hole, it becomes
2079      * selected, as we start from scratch.
2080      */
2081     *min_version = version = 0;
2082     hole = 1;
2083     if (real_max != NULL)
2084         *real_max = 0;
2085     tmp_real_max = 0;
2086     for (vent = table; vent->version != 0; ++vent) {
2087         /*
2088          * A table entry with a NULL client method is still a hole in the
2089          * "version capability" vector.
2090          */
2091         if (vent->cmeth == NULL) {
2092             hole = 1;
2093             tmp_real_max = 0;
2094             continue;
2095         }
2096         method = vent->cmeth();
2097 
2098         if (hole == 1 && tmp_real_max == 0)
2099             tmp_real_max = vent->version;
2100 
2101         if (ssl_method_error(s, method) != 0) {
2102             hole = 1;
2103         } else if (!hole) {
2104             single = NULL;
2105             *min_version = method->version;
2106         } else {
2107             if (real_max != NULL && tmp_real_max != 0)
2108                 *real_max = tmp_real_max;
2109             version = (single = method)->version;
2110             *min_version = version;
2111             hole = 0;
2112         }
2113     }
2114 
2115     *max_version = version;
2116 
2117     /* Fail if everything is disabled */
2118     if (version == 0)
2119         return SSL_R_NO_PROTOCOLS_AVAILABLE;
2120 
2121     return 0;
2122 }
2123 
2124 /*
2125  * ssl_set_client_hello_version - Work out what version we should be using for
2126  * the initial ClientHello.legacy_version field.
2127  *
2128  * @s: client SSL handle.
2129  *
2130  * Returns 0 on success or an SSL error reason number on failure.
2131  */
2132 int ssl_set_client_hello_version(SSL *s)
2133 {
2134     int ver_min, ver_max, ret;
2135 
2136     /*
2137      * In a renegotiation we always send the same client_version that we sent
2138      * last time, regardless of which version we eventually negotiated.
2139      */
2140     if (!SSL_IS_FIRST_HANDSHAKE(s))
2141         return 0;
2142 
2143     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2144 
2145     if (ret != 0)
2146         return ret;
2147 
2148     s->version = ver_max;
2149 
2150     /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2151     if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2152         ver_max = TLS1_2_VERSION;
2153 
2154     s->client_version = ver_max;
2155     return 0;
2156 }
2157 
2158 /*
2159  * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2160  * and |checkallow| is 1 then additionally check if the group is allowed to be
2161  * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2162  * 1) or 0 otherwise.
2163  */
2164 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2165                   size_t num_groups, int checkallow)
2166 {
2167     size_t i;
2168 
2169     if (groups == NULL || num_groups == 0)
2170         return 0;
2171 
2172     for (i = 0; i < num_groups; i++) {
2173         uint16_t group = groups[i];
2174 
2175         if (group_id == group
2176                 && (!checkallow
2177                     || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2178             return 1;
2179         }
2180     }
2181 
2182     return 0;
2183 }
2184 
2185 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2186 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2187                                   size_t hashlen, const unsigned char *hrr,
2188                                   size_t hrrlen)
2189 {
2190     unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2191     unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2192 
2193     memset(msghdr, 0, sizeof(msghdr));
2194 
2195     if (hashval == NULL) {
2196         hashval = hashvaltmp;
2197         hashlen = 0;
2198         /* Get the hash of the initial ClientHello */
2199         if (!ssl3_digest_cached_records(s, 0)
2200                 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2201                                        &hashlen)) {
2202             /* SSLfatal() already called */
2203             return 0;
2204         }
2205     }
2206 
2207     /* Reinitialise the transcript hash */
2208     if (!ssl3_init_finished_mac(s)) {
2209         /* SSLfatal() already called */
2210         return 0;
2211     }
2212 
2213     /* Inject the synthetic message_hash message */
2214     msghdr[0] = SSL3_MT_MESSAGE_HASH;
2215     msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2216     if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2217             || !ssl3_finish_mac(s, hashval, hashlen)) {
2218         /* SSLfatal() already called */
2219         return 0;
2220     }
2221 
2222     /*
2223      * Now re-inject the HRR and current message if appropriate (we just deleted
2224      * it when we reinitialised the transcript hash above). Only necessary after
2225      * receiving a ClientHello2 with a cookie.
2226      */
2227     if (hrr != NULL
2228             && (!ssl3_finish_mac(s, hrr, hrrlen)
2229                 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2230                                     s->s3.tmp.message_size
2231                                     + SSL3_HM_HEADER_LENGTH))) {
2232         /* SSLfatal() already called */
2233         return 0;
2234     }
2235 
2236     return 1;
2237 }
2238 
2239 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2240 {
2241     return X509_NAME_cmp(*a, *b);
2242 }
2243 
2244 int parse_ca_names(SSL *s, PACKET *pkt)
2245 {
2246     STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2247     X509_NAME *xn = NULL;
2248     PACKET cadns;
2249 
2250     if (ca_sk == NULL) {
2251         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2252         goto err;
2253     }
2254     /* get the CA RDNs */
2255     if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2256         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2257         goto err;
2258     }
2259 
2260     while (PACKET_remaining(&cadns)) {
2261         const unsigned char *namestart, *namebytes;
2262         unsigned int name_len;
2263 
2264         if (!PACKET_get_net_2(&cadns, &name_len)
2265             || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2266             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2267             goto err;
2268         }
2269 
2270         namestart = namebytes;
2271         if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2272             SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2273             goto err;
2274         }
2275         if (namebytes != (namestart + name_len)) {
2276             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2277             goto err;
2278         }
2279 
2280         if (!sk_X509_NAME_push(ca_sk, xn)) {
2281             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2282             goto err;
2283         }
2284         xn = NULL;
2285     }
2286 
2287     sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2288     s->s3.tmp.peer_ca_names = ca_sk;
2289 
2290     return 1;
2291 
2292  err:
2293     sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2294     X509_NAME_free(xn);
2295     return 0;
2296 }
2297 
2298 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2299 {
2300     const STACK_OF(X509_NAME) *ca_sk = NULL;;
2301 
2302     if (s->server) {
2303         ca_sk = SSL_get_client_CA_list(s);
2304         if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2305             ca_sk = NULL;
2306     }
2307 
2308     if (ca_sk == NULL)
2309         ca_sk = SSL_get0_CA_list(s);
2310 
2311     return ca_sk;
2312 }
2313 
2314 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2315 {
2316     /* Start sub-packet for client CA list */
2317     if (!WPACKET_start_sub_packet_u16(pkt)) {
2318         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2319         return 0;
2320     }
2321 
2322     if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2323         int i;
2324 
2325         for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2326             unsigned char *namebytes;
2327             X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2328             int namelen;
2329 
2330             if (name == NULL
2331                     || (namelen = i2d_X509_NAME(name, NULL)) < 0
2332                     || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2333                                                        &namebytes)
2334                     || i2d_X509_NAME(name, &namebytes) != namelen) {
2335                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2336                 return 0;
2337             }
2338         }
2339     }
2340 
2341     if (!WPACKET_close(pkt)) {
2342         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2343         return 0;
2344     }
2345 
2346     return 1;
2347 }
2348 
2349 /* Create a buffer containing data to be signed for server key exchange */
2350 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2351                                   const void *param, size_t paramlen)
2352 {
2353     size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2354     unsigned char *tbs = OPENSSL_malloc(tbslen);
2355 
2356     if (tbs == NULL) {
2357         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2358         return 0;
2359     }
2360     memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2361     memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2362 
2363     memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2364 
2365     *ptbs = tbs;
2366     return tbslen;
2367 }
2368 
2369 /*
2370  * Saves the current handshake digest for Post-Handshake Auth,
2371  * Done after ClientFinished is processed, done exactly once
2372  */
2373 int tls13_save_handshake_digest_for_pha(SSL *s)
2374 {
2375     if (s->pha_dgst == NULL) {
2376         if (!ssl3_digest_cached_records(s, 1))
2377             /* SSLfatal() already called */
2378             return 0;
2379 
2380         s->pha_dgst = EVP_MD_CTX_new();
2381         if (s->pha_dgst == NULL) {
2382             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2383             return 0;
2384         }
2385         if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2386                                 s->s3.handshake_dgst)) {
2387             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2388             EVP_MD_CTX_free(s->pha_dgst);
2389             s->pha_dgst = NULL;
2390             return 0;
2391         }
2392     }
2393     return 1;
2394 }
2395 
2396 /*
2397  * Restores the Post-Handshake Auth handshake digest
2398  * Done just before sending/processing the Cert Request
2399  */
2400 int tls13_restore_handshake_digest_for_pha(SSL *s)
2401 {
2402     if (s->pha_dgst == NULL) {
2403         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2404         return 0;
2405     }
2406     if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2407                             s->pha_dgst)) {
2408         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2409         return 0;
2410     }
2411     return 1;
2412 }
2413