xref: /freebsd/crypto/openssl/ssl/statem/statem_lib.c (revision db33c6f3ae9d1231087710068ee4ea5398aacca7)
1 /*
2  * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  *
5  * Licensed under the Apache License 2.0 (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10 
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/rsa.h>
21 #include <openssl/x509.h>
22 #include <openssl/trace.h>
23 
24 /*
25  * Map error codes to TLS/SSL alart types.
26  */
27 typedef struct x509err2alert_st {
28     int x509err;
29     int alert;
30 } X509ERR2ALERT;
31 
32 /* Fixed value used in the ServerHello random field to identify an HRR */
33 const unsigned char hrrrandom[] = {
34     0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
35     0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
36     0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
37 };
38 
39 /*
40  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
41  * SSL3_RT_CHANGE_CIPHER_SPEC)
42  */
43 int ssl3_do_write(SSL *s, int type)
44 {
45     int ret;
46     size_t written = 0;
47 
48     ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
49                            s->init_num, &written);
50     if (ret <= 0)
51         return -1;
52     if (type == SSL3_RT_HANDSHAKE)
53         /*
54          * should not be done for 'Hello Request's, but in that case we'll
55          * ignore the result anyway
56          * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
57          */
58         if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
59                                  && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
60                                  && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
61             if (!ssl3_finish_mac(s,
62                                  (unsigned char *)&s->init_buf->data[s->init_off],
63                                  written))
64                 return -1;
65     if (written == s->init_num) {
66         if (s->msg_callback)
67             s->msg_callback(1, s->version, type, s->init_buf->data,
68                             (size_t)(s->init_off + s->init_num), s,
69                             s->msg_callback_arg);
70         return 1;
71     }
72     s->init_off += written;
73     s->init_num -= written;
74     return 0;
75 }
76 
77 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
78 {
79     size_t msglen;
80 
81     if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
82             || !WPACKET_get_length(pkt, &msglen)
83             || msglen > INT_MAX)
84         return 0;
85     s->init_num = (int)msglen;
86     s->init_off = 0;
87 
88     return 1;
89 }
90 
91 int tls_setup_handshake(SSL *s)
92 {
93     int ver_min, ver_max, ok;
94 
95     if (!ssl3_init_finished_mac(s)) {
96         /* SSLfatal() already called */
97         return 0;
98     }
99 
100     /* Reset any extension flags */
101     memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
102 
103     if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
104         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_NO_PROTOCOLS_AVAILABLE);
105         return 0;
106     }
107 
108     /* Sanity check that we have MD5-SHA1 if we need it */
109     if (s->ctx->ssl_digest_methods[SSL_MD_MD5_SHA1_IDX] == NULL) {
110         int md5sha1_needed = 0;
111 
112         /* We don't have MD5-SHA1 - do we need it? */
113         if (SSL_IS_DTLS(s)) {
114             if (DTLS_VERSION_LE(ver_max, DTLS1_VERSION))
115                 md5sha1_needed = 1;
116         } else {
117             if (ver_max <= TLS1_1_VERSION)
118                 md5sha1_needed = 1;
119         }
120         if (md5sha1_needed) {
121             SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
122                           SSL_R_NO_SUITABLE_DIGEST_ALGORITHM,
123                           "The max supported SSL/TLS version needs the"
124                           " MD5-SHA1 digest but it is not available"
125                           " in the loaded providers. Use (D)TLSv1.2 or"
126                           " above, or load different providers");
127             return 0;
128         }
129 
130         ok = 1;
131         /* Don't allow TLSv1.1 or below to be negotiated */
132         if (SSL_IS_DTLS(s)) {
133             if (DTLS_VERSION_LT(ver_min, DTLS1_2_VERSION))
134                 ok = SSL_set_min_proto_version(s, DTLS1_2_VERSION);
135         } else {
136             if (ver_min < TLS1_2_VERSION)
137                 ok = SSL_set_min_proto_version(s, TLS1_2_VERSION);
138         }
139         if (!ok) {
140             /* Shouldn't happen */
141             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_INTERNAL_ERROR);
142             return 0;
143         }
144     }
145 
146     ok = 0;
147     if (s->server) {
148         STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
149         int i;
150 
151         /*
152          * Sanity check that the maximum version we accept has ciphers
153          * enabled. For clients we do this check during construction of the
154          * ClientHello.
155          */
156         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
157             const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
158 
159             if (SSL_IS_DTLS(s)) {
160                 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
161                         DTLS_VERSION_LE(ver_max, c->max_dtls))
162                     ok = 1;
163             } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
164                 ok = 1;
165             }
166             if (ok)
167                 break;
168         }
169         if (!ok) {
170             SSLfatal_data(s, SSL_AD_HANDSHAKE_FAILURE,
171                           SSL_R_NO_CIPHERS_AVAILABLE,
172                           "No ciphers enabled for max supported "
173                           "SSL/TLS version");
174             return 0;
175         }
176         if (SSL_IS_FIRST_HANDSHAKE(s)) {
177             /* N.B. s->session_ctx == s->ctx here */
178             ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_accept);
179         } else {
180             /* N.B. s->ctx may not equal s->session_ctx */
181             ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_renegotiate);
182 
183             s->s3.tmp.cert_request = 0;
184         }
185     } else {
186         if (SSL_IS_FIRST_HANDSHAKE(s))
187             ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_connect);
188         else
189             ssl_tsan_counter(s->session_ctx,
190                          &s->session_ctx->stats.sess_connect_renegotiate);
191 
192         /* mark client_random uninitialized */
193         memset(s->s3.client_random, 0, sizeof(s->s3.client_random));
194         s->hit = 0;
195 
196         s->s3.tmp.cert_req = 0;
197 
198         if (SSL_IS_DTLS(s))
199             s->statem.use_timer = 1;
200     }
201 
202     return 1;
203 }
204 
205 /*
206  * Size of the to-be-signed TLS13 data, without the hash size itself:
207  * 64 bytes of value 32, 33 context bytes, 1 byte separator
208  */
209 #define TLS13_TBS_START_SIZE            64
210 #define TLS13_TBS_PREAMBLE_SIZE         (TLS13_TBS_START_SIZE + 33 + 1)
211 
212 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
213                                     void **hdata, size_t *hdatalen)
214 {
215 #ifdef CHARSET_EBCDIC
216     static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
217      0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
218      0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
219      0x69, 0x66, 0x79, 0x00 };
220     static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
221      0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
222      0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
223      0x69, 0x66, 0x79, 0x00 };
224 #else
225     static const char servercontext[] = "TLS 1.3, server CertificateVerify";
226     static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
227 #endif
228     if (SSL_IS_TLS13(s)) {
229         size_t hashlen;
230 
231         /* Set the first 64 bytes of to-be-signed data to octet 32 */
232         memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
233         /* This copies the 33 bytes of context plus the 0 separator byte */
234         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
235                  || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
236             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
237         else
238             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
239 
240         /*
241          * If we're currently reading then we need to use the saved handshake
242          * hash value. We can't use the current handshake hash state because
243          * that includes the CertVerify itself.
244          */
245         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
246                 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
247             memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
248                    s->cert_verify_hash_len);
249             hashlen = s->cert_verify_hash_len;
250         } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
251                                        EVP_MAX_MD_SIZE, &hashlen)) {
252             /* SSLfatal() already called */
253             return 0;
254         }
255 
256         *hdata = tls13tbs;
257         *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
258     } else {
259         size_t retlen;
260         long retlen_l;
261 
262         retlen = retlen_l = BIO_get_mem_data(s->s3.handshake_buffer, hdata);
263         if (retlen_l <= 0) {
264             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
265             return 0;
266         }
267         *hdatalen = retlen;
268     }
269 
270     return 1;
271 }
272 
273 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
274 {
275     EVP_PKEY *pkey = NULL;
276     const EVP_MD *md = NULL;
277     EVP_MD_CTX *mctx = NULL;
278     EVP_PKEY_CTX *pctx = NULL;
279     size_t hdatalen = 0, siglen = 0;
280     void *hdata;
281     unsigned char *sig = NULL;
282     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
283     const SIGALG_LOOKUP *lu = s->s3.tmp.sigalg;
284 
285     if (lu == NULL || s->s3.tmp.cert == NULL) {
286         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
287         goto err;
288     }
289     pkey = s->s3.tmp.cert->privatekey;
290 
291     if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
292         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
293         goto err;
294     }
295 
296     mctx = EVP_MD_CTX_new();
297     if (mctx == NULL) {
298         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
299         goto err;
300     }
301 
302     /* Get the data to be signed */
303     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
304         /* SSLfatal() already called */
305         goto err;
306     }
307 
308     if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
309         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
310         goto err;
311     }
312 
313     if (EVP_DigestSignInit_ex(mctx, &pctx,
314                               md == NULL ? NULL : EVP_MD_get0_name(md),
315                               s->ctx->libctx, s->ctx->propq, pkey,
316                               NULL) <= 0) {
317         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
318         goto err;
319     }
320 
321     if (lu->sig == EVP_PKEY_RSA_PSS) {
322         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
323             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
324                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
325             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
326             goto err;
327         }
328     }
329     if (s->version == SSL3_VERSION) {
330         /*
331          * Here we use EVP_DigestSignUpdate followed by EVP_DigestSignFinal
332          * in order to add the EVP_CTRL_SSL3_MASTER_SECRET call between them.
333          */
334         if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
335             || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
336                                (int)s->session->master_key_length,
337                                s->session->master_key) <= 0
338             || EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) {
339 
340             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
341             goto err;
342         }
343         sig = OPENSSL_malloc(siglen);
344         if (sig == NULL
345                 || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
346             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
347             goto err;
348         }
349     } else {
350         /*
351          * Here we *must* use EVP_DigestSign() because Ed25519/Ed448 does not
352          * support streaming via EVP_DigestSignUpdate/EVP_DigestSignFinal
353          */
354         if (EVP_DigestSign(mctx, NULL, &siglen, hdata, hdatalen) <= 0) {
355             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
356             goto err;
357         }
358         sig = OPENSSL_malloc(siglen);
359         if (sig == NULL
360                 || EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
361             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
362             goto err;
363         }
364     }
365 
366 #ifndef OPENSSL_NO_GOST
367     {
368         int pktype = lu->sig;
369 
370         if (pktype == NID_id_GostR3410_2001
371             || pktype == NID_id_GostR3410_2012_256
372             || pktype == NID_id_GostR3410_2012_512)
373             BUF_reverse(sig, NULL, siglen);
374     }
375 #endif
376 
377     if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
378         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
379         goto err;
380     }
381 
382     /* Digest cached records and discard handshake buffer */
383     if (!ssl3_digest_cached_records(s, 0)) {
384         /* SSLfatal() already called */
385         goto err;
386     }
387 
388     OPENSSL_free(sig);
389     EVP_MD_CTX_free(mctx);
390     return 1;
391  err:
392     OPENSSL_free(sig);
393     EVP_MD_CTX_free(mctx);
394     return 0;
395 }
396 
397 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
398 {
399     EVP_PKEY *pkey = NULL;
400     const unsigned char *data;
401 #ifndef OPENSSL_NO_GOST
402     unsigned char *gost_data = NULL;
403 #endif
404     MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
405     int j;
406     unsigned int len;
407     X509 *peer;
408     const EVP_MD *md = NULL;
409     size_t hdatalen = 0;
410     void *hdata;
411     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
412     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
413     EVP_PKEY_CTX *pctx = NULL;
414 
415     if (mctx == NULL) {
416         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
417         goto err;
418     }
419 
420     peer = s->session->peer;
421     pkey = X509_get0_pubkey(peer);
422     if (pkey == NULL) {
423         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
424         goto err;
425     }
426 
427     if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
428         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
429                  SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
430         goto err;
431     }
432 
433     if (SSL_USE_SIGALGS(s)) {
434         unsigned int sigalg;
435 
436         if (!PACKET_get_net_2(pkt, &sigalg)) {
437             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_PACKET);
438             goto err;
439         }
440         if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
441             /* SSLfatal() already called */
442             goto err;
443         }
444     } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
445             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
446                      SSL_R_LEGACY_SIGALG_DISALLOWED_OR_UNSUPPORTED);
447             goto err;
448     }
449 
450     if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
451         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
452         goto err;
453     }
454 
455     if (SSL_USE_SIGALGS(s))
456         OSSL_TRACE1(TLS, "USING TLSv1.2 HASH %s\n",
457                     md == NULL ? "n/a" : EVP_MD_get0_name(md));
458 
459     /* Check for broken implementations of GOST ciphersuites */
460     /*
461      * If key is GOST and len is exactly 64 or 128, it is signature without
462      * length field (CryptoPro implementations at least till TLS 1.2)
463      */
464 #ifndef OPENSSL_NO_GOST
465     if (!SSL_USE_SIGALGS(s)
466         && ((PACKET_remaining(pkt) == 64
467              && (EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2001
468                  || EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_256))
469             || (PACKET_remaining(pkt) == 128
470                 && EVP_PKEY_get_id(pkey) == NID_id_GostR3410_2012_512))) {
471         len = PACKET_remaining(pkt);
472     } else
473 #endif
474     if (!PACKET_get_net_2(pkt, &len)) {
475         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
476         goto err;
477     }
478 
479     if (!PACKET_get_bytes(pkt, &data, len)) {
480         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
481         goto err;
482     }
483     if (PACKET_remaining(pkt) != 0) {
484         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
485         goto err;
486     }
487 
488     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
489         /* SSLfatal() already called */
490         goto err;
491     }
492 
493     OSSL_TRACE1(TLS, "Using client verify alg %s\n",
494                 md == NULL ? "n/a" : EVP_MD_get0_name(md));
495 
496     if (EVP_DigestVerifyInit_ex(mctx, &pctx,
497                                 md == NULL ? NULL : EVP_MD_get0_name(md),
498                                 s->ctx->libctx, s->ctx->propq, pkey,
499                                 NULL) <= 0) {
500         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
501         goto err;
502     }
503 #ifndef OPENSSL_NO_GOST
504     {
505         int pktype = EVP_PKEY_get_id(pkey);
506         if (pktype == NID_id_GostR3410_2001
507             || pktype == NID_id_GostR3410_2012_256
508             || pktype == NID_id_GostR3410_2012_512) {
509             if ((gost_data = OPENSSL_malloc(len)) == NULL) {
510                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
511                 goto err;
512             }
513             BUF_reverse(gost_data, data, len);
514             data = gost_data;
515         }
516     }
517 #endif
518 
519     if (SSL_USE_PSS(s)) {
520         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
521             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
522                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
523             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
524             goto err;
525         }
526     }
527     if (s->version == SSL3_VERSION) {
528         if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
529                 || EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
530                                    (int)s->session->master_key_length,
531                                     s->session->master_key) <= 0) {
532             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
533             goto err;
534         }
535         if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
536             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
537             goto err;
538         }
539     } else {
540         j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
541         if (j <= 0) {
542             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_BAD_SIGNATURE);
543             goto err;
544         }
545     }
546 
547     /*
548      * In TLSv1.3 on the client side we make sure we prepare the client
549      * certificate after the CertVerify instead of when we get the
550      * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
551      * comes *before* the Certificate message. In TLSv1.2 it comes after. We
552      * want to make sure that SSL_get1_peer_certificate() will return the actual
553      * server certificate from the client_cert_cb callback.
554      */
555     if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
556         ret = MSG_PROCESS_CONTINUE_PROCESSING;
557     else
558         ret = MSG_PROCESS_CONTINUE_READING;
559  err:
560     BIO_free(s->s3.handshake_buffer);
561     s->s3.handshake_buffer = NULL;
562     EVP_MD_CTX_free(mctx);
563 #ifndef OPENSSL_NO_GOST
564     OPENSSL_free(gost_data);
565 #endif
566     return ret;
567 }
568 
569 int tls_construct_finished(SSL *s, WPACKET *pkt)
570 {
571     size_t finish_md_len;
572     const char *sender;
573     size_t slen;
574 
575     /* This is a real handshake so make sure we clean it up at the end */
576     if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
577         s->statem.cleanuphand = 1;
578 
579     /*
580      * We only change the keys if we didn't already do this when we sent the
581      * client certificate
582      */
583     if (SSL_IS_TLS13(s)
584             && !s->server
585             && s->s3.tmp.cert_req == 0
586             && (!s->method->ssl3_enc->change_cipher_state(s,
587                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
588         /* SSLfatal() already called */
589         return 0;
590     }
591 
592     if (s->server) {
593         sender = s->method->ssl3_enc->server_finished_label;
594         slen = s->method->ssl3_enc->server_finished_label_len;
595     } else {
596         sender = s->method->ssl3_enc->client_finished_label;
597         slen = s->method->ssl3_enc->client_finished_label_len;
598     }
599 
600     finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
601                                                           sender, slen,
602                                                           s->s3.tmp.finish_md);
603     if (finish_md_len == 0) {
604         /* SSLfatal() already called */
605         return 0;
606     }
607 
608     s->s3.tmp.finish_md_len = finish_md_len;
609 
610     if (!WPACKET_memcpy(pkt, s->s3.tmp.finish_md, finish_md_len)) {
611         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
612         return 0;
613     }
614 
615     /*
616      * Log the master secret, if logging is enabled. We don't log it for
617      * TLSv1.3: there's a different key schedule for that.
618      */
619     if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
620                                             s->session->master_key,
621                                             s->session->master_key_length)) {
622         /* SSLfatal() already called */
623         return 0;
624     }
625 
626     /*
627      * Copy the finished so we can use it for renegotiation checks
628      */
629     if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
630         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
631         return 0;
632     }
633     if (!s->server) {
634         memcpy(s->s3.previous_client_finished, s->s3.tmp.finish_md,
635                finish_md_len);
636         s->s3.previous_client_finished_len = finish_md_len;
637     } else {
638         memcpy(s->s3.previous_server_finished, s->s3.tmp.finish_md,
639                finish_md_len);
640         s->s3.previous_server_finished_len = finish_md_len;
641     }
642 
643     return 1;
644 }
645 
646 int tls_construct_key_update(SSL *s, WPACKET *pkt)
647 {
648     if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
649         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
650         return 0;
651     }
652 
653     s->key_update = SSL_KEY_UPDATE_NONE;
654     return 1;
655 }
656 
657 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
658 {
659     unsigned int updatetype;
660 
661     /*
662      * A KeyUpdate message signals a key change so the end of the message must
663      * be on a record boundary.
664      */
665     if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
666         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
667         return MSG_PROCESS_ERROR;
668     }
669 
670     if (!PACKET_get_1(pkt, &updatetype)
671             || PACKET_remaining(pkt) != 0) {
672         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_KEY_UPDATE);
673         return MSG_PROCESS_ERROR;
674     }
675 
676     /*
677      * There are only two defined key update types. Fail if we get a value we
678      * didn't recognise.
679      */
680     if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
681             && updatetype != SSL_KEY_UPDATE_REQUESTED) {
682         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_KEY_UPDATE);
683         return MSG_PROCESS_ERROR;
684     }
685 
686     /*
687      * If we get a request for us to update our sending keys too then, we need
688      * to additionally send a KeyUpdate message. However that message should
689      * not also request an update (otherwise we get into an infinite loop).
690      */
691     if (updatetype == SSL_KEY_UPDATE_REQUESTED)
692         s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
693 
694     if (!tls13_update_key(s, 0)) {
695         /* SSLfatal() already called */
696         return MSG_PROCESS_ERROR;
697     }
698 
699     return MSG_PROCESS_FINISHED_READING;
700 }
701 
702 /*
703  * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
704  * to far.
705  */
706 int ssl3_take_mac(SSL *s)
707 {
708     const char *sender;
709     size_t slen;
710 
711     if (!s->server) {
712         sender = s->method->ssl3_enc->server_finished_label;
713         slen = s->method->ssl3_enc->server_finished_label_len;
714     } else {
715         sender = s->method->ssl3_enc->client_finished_label;
716         slen = s->method->ssl3_enc->client_finished_label_len;
717     }
718 
719     s->s3.tmp.peer_finish_md_len =
720         s->method->ssl3_enc->final_finish_mac(s, sender, slen,
721                                               s->s3.tmp.peer_finish_md);
722 
723     if (s->s3.tmp.peer_finish_md_len == 0) {
724         /* SSLfatal() already called */
725         return 0;
726     }
727 
728     return 1;
729 }
730 
731 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
732 {
733     size_t remain;
734 
735     remain = PACKET_remaining(pkt);
736     /*
737      * 'Change Cipher Spec' is just a single byte, which should already have
738      * been consumed by ssl_get_message() so there should be no bytes left,
739      * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
740      */
741     if (SSL_IS_DTLS(s)) {
742         if ((s->version == DTLS1_BAD_VER
743              && remain != DTLS1_CCS_HEADER_LENGTH + 1)
744             || (s->version != DTLS1_BAD_VER
745                 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
746             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
747             return MSG_PROCESS_ERROR;
748         }
749     } else {
750         if (remain != 0) {
751             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_CHANGE_CIPHER_SPEC);
752             return MSG_PROCESS_ERROR;
753         }
754     }
755 
756     /* Check we have a cipher to change to */
757     if (s->s3.tmp.new_cipher == NULL) {
758         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_CCS_RECEIVED_EARLY);
759         return MSG_PROCESS_ERROR;
760     }
761 
762     s->s3.change_cipher_spec = 1;
763     if (!ssl3_do_change_cipher_spec(s)) {
764         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
765         return MSG_PROCESS_ERROR;
766     }
767 
768     if (SSL_IS_DTLS(s)) {
769         dtls1_reset_seq_numbers(s, SSL3_CC_READ);
770 
771         if (s->version == DTLS1_BAD_VER)
772             s->d1->handshake_read_seq++;
773 
774 #ifndef OPENSSL_NO_SCTP
775         /*
776          * Remember that a CCS has been received, so that an old key of
777          * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
778          * SCTP is used
779          */
780         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
781 #endif
782     }
783 
784     return MSG_PROCESS_CONTINUE_READING;
785 }
786 
787 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
788 {
789     size_t md_len;
790 
791 
792     /* This is a real handshake so make sure we clean it up at the end */
793     if (s->server) {
794         /*
795         * To get this far we must have read encrypted data from the client. We
796         * no longer tolerate unencrypted alerts. This value is ignored if less
797         * than TLSv1.3
798         */
799         s->statem.enc_read_state = ENC_READ_STATE_VALID;
800         if (s->post_handshake_auth != SSL_PHA_REQUESTED)
801             s->statem.cleanuphand = 1;
802         if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
803                 /* SSLfatal() already called */
804                 return MSG_PROCESS_ERROR;
805         }
806     }
807 
808     /*
809      * In TLSv1.3 a Finished message signals a key change so the end of the
810      * message must be on a record boundary.
811      */
812     if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
813         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_NOT_ON_RECORD_BOUNDARY);
814         return MSG_PROCESS_ERROR;
815     }
816 
817     /* If this occurs, we have missed a message */
818     if (!SSL_IS_TLS13(s) && !s->s3.change_cipher_spec) {
819         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_R_GOT_A_FIN_BEFORE_A_CCS);
820         return MSG_PROCESS_ERROR;
821     }
822     s->s3.change_cipher_spec = 0;
823 
824     md_len = s->s3.tmp.peer_finish_md_len;
825 
826     if (md_len != PACKET_remaining(pkt)) {
827         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_DIGEST_LENGTH);
828         return MSG_PROCESS_ERROR;
829     }
830 
831     if (CRYPTO_memcmp(PACKET_data(pkt), s->s3.tmp.peer_finish_md,
832                       md_len) != 0) {
833         SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_R_DIGEST_CHECK_FAILED);
834         return MSG_PROCESS_ERROR;
835     }
836 
837     /*
838      * Copy the finished so we can use it for renegotiation checks
839      */
840     if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
841         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
842         return MSG_PROCESS_ERROR;
843     }
844     if (s->server) {
845         memcpy(s->s3.previous_client_finished, s->s3.tmp.peer_finish_md,
846                md_len);
847         s->s3.previous_client_finished_len = md_len;
848     } else {
849         memcpy(s->s3.previous_server_finished, s->s3.tmp.peer_finish_md,
850                md_len);
851         s->s3.previous_server_finished_len = md_len;
852     }
853 
854     /*
855      * In TLS1.3 we also have to change cipher state and do any final processing
856      * of the initial server flight (if we are a client)
857      */
858     if (SSL_IS_TLS13(s)) {
859         if (s->server) {
860             if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
861                     !s->method->ssl3_enc->change_cipher_state(s,
862                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
863                 /* SSLfatal() already called */
864                 return MSG_PROCESS_ERROR;
865             }
866         } else {
867             /* TLS 1.3 gets the secret size from the handshake md */
868             size_t dummy;
869             if (!s->method->ssl3_enc->generate_master_secret(s,
870                     s->master_secret, s->handshake_secret, 0,
871                     &dummy)) {
872                 /* SSLfatal() already called */
873                 return MSG_PROCESS_ERROR;
874             }
875             if (!s->method->ssl3_enc->change_cipher_state(s,
876                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
877                 /* SSLfatal() already called */
878                 return MSG_PROCESS_ERROR;
879             }
880             if (!tls_process_initial_server_flight(s)) {
881                 /* SSLfatal() already called */
882                 return MSG_PROCESS_ERROR;
883             }
884         }
885     }
886 
887     return MSG_PROCESS_FINISHED_READING;
888 }
889 
890 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
891 {
892     if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
893         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
894         return 0;
895     }
896 
897     return 1;
898 }
899 
900 /* Add a certificate to the WPACKET */
901 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
902 {
903     int len;
904     unsigned char *outbytes;
905 
906     len = i2d_X509(x, NULL);
907     if (len < 0) {
908         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BUF_LIB);
909         return 0;
910     }
911     if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
912             || i2d_X509(x, &outbytes) != len) {
913         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
914         return 0;
915     }
916 
917     if (SSL_IS_TLS13(s)
918             && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
919                                          chain)) {
920         /* SSLfatal() already called */
921         return 0;
922     }
923 
924     return 1;
925 }
926 
927 /* Add certificate chain to provided WPACKET */
928 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
929 {
930     int i, chain_count;
931     X509 *x;
932     STACK_OF(X509) *extra_certs;
933     STACK_OF(X509) *chain = NULL;
934     X509_STORE *chain_store;
935 
936     if (cpk == NULL || cpk->x509 == NULL)
937         return 1;
938 
939     x = cpk->x509;
940 
941     /*
942      * If we have a certificate specific chain use it, else use parent ctx.
943      */
944     if (cpk->chain != NULL)
945         extra_certs = cpk->chain;
946     else
947         extra_certs = s->ctx->extra_certs;
948 
949     if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
950         chain_store = NULL;
951     else if (s->cert->chain_store)
952         chain_store = s->cert->chain_store;
953     else
954         chain_store = s->ctx->cert_store;
955 
956     if (chain_store != NULL) {
957         X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new_ex(s->ctx->libctx,
958                                                        s->ctx->propq);
959 
960         if (xs_ctx == NULL) {
961             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
962             return 0;
963         }
964         if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
965             X509_STORE_CTX_free(xs_ctx);
966             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_X509_LIB);
967             return 0;
968         }
969         /*
970          * It is valid for the chain not to be complete (because normally we
971          * don't include the root cert in the chain). Therefore we deliberately
972          * ignore the error return from this call. We're not actually verifying
973          * the cert - we're just building as much of the chain as we can
974          */
975         (void)X509_verify_cert(xs_ctx);
976         /* Don't leave errors in the queue */
977         ERR_clear_error();
978         chain = X509_STORE_CTX_get0_chain(xs_ctx);
979         i = ssl_security_cert_chain(s, chain, NULL, 0);
980         if (i != 1) {
981 #if 0
982             /* Dummy error calls so mkerr generates them */
983             ERR_raise(ERR_LIB_SSL, SSL_R_EE_KEY_TOO_SMALL);
984             ERR_raise(ERR_LIB_SSL, SSL_R_CA_KEY_TOO_SMALL);
985             ERR_raise(ERR_LIB_SSL, SSL_R_CA_MD_TOO_WEAK);
986 #endif
987             X509_STORE_CTX_free(xs_ctx);
988             SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
989             return 0;
990         }
991         chain_count = sk_X509_num(chain);
992         for (i = 0; i < chain_count; i++) {
993             x = sk_X509_value(chain, i);
994 
995             if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
996                 /* SSLfatal() already called */
997                 X509_STORE_CTX_free(xs_ctx);
998                 return 0;
999             }
1000         }
1001         X509_STORE_CTX_free(xs_ctx);
1002     } else {
1003         i = ssl_security_cert_chain(s, extra_certs, x, 0);
1004         if (i != 1) {
1005             SSLfatal(s, SSL_AD_INTERNAL_ERROR, i);
1006             return 0;
1007         }
1008         if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
1009             /* SSLfatal() already called */
1010             return 0;
1011         }
1012         for (i = 0; i < sk_X509_num(extra_certs); i++) {
1013             x = sk_X509_value(extra_certs, i);
1014             if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
1015                 /* SSLfatal() already called */
1016                 return 0;
1017             }
1018         }
1019     }
1020     return 1;
1021 }
1022 
1023 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1024 {
1025     if (!WPACKET_start_sub_packet_u24(pkt)) {
1026         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1027         return 0;
1028     }
1029 
1030     if (!ssl_add_cert_chain(s, pkt, cpk))
1031         return 0;
1032 
1033     if (!WPACKET_close(pkt)) {
1034         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1035         return 0;
1036     }
1037 
1038     return 1;
1039 }
1040 
1041 /*
1042  * Tidy up after the end of a handshake. In the case of SCTP this may result
1043  * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1044  * freed up as well.
1045  */
1046 WORK_STATE tls_finish_handshake(SSL *s, ossl_unused WORK_STATE wst,
1047                                 int clearbufs, int stop)
1048 {
1049     void (*cb) (const SSL *ssl, int type, int val) = NULL;
1050     int cleanuphand = s->statem.cleanuphand;
1051 
1052     if (clearbufs) {
1053         if (!SSL_IS_DTLS(s)
1054 #ifndef OPENSSL_NO_SCTP
1055             /*
1056              * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1057              * messages that require it. Therefore, DTLS procedures for retransmissions
1058              * MUST NOT be used.
1059              * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1060              */
1061             || BIO_dgram_is_sctp(SSL_get_wbio(s))
1062 #endif
1063             ) {
1064             /*
1065              * We don't do this in DTLS over UDP because we may still need the init_buf
1066              * in case there are any unexpected retransmits
1067              */
1068             BUF_MEM_free(s->init_buf);
1069             s->init_buf = NULL;
1070         }
1071 
1072         if (!ssl_free_wbio_buffer(s)) {
1073             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
1074             return WORK_ERROR;
1075         }
1076         s->init_num = 0;
1077     }
1078 
1079     if (SSL_IS_TLS13(s) && !s->server
1080             && s->post_handshake_auth == SSL_PHA_REQUESTED)
1081         s->post_handshake_auth = SSL_PHA_EXT_SENT;
1082 
1083     /*
1084      * Only set if there was a Finished message and this isn't after a TLSv1.3
1085      * post handshake exchange
1086      */
1087     if (cleanuphand) {
1088         /* skipped if we just sent a HelloRequest */
1089         s->renegotiate = 0;
1090         s->new_session = 0;
1091         s->statem.cleanuphand = 0;
1092         s->ext.ticket_expected = 0;
1093 
1094         ssl3_cleanup_key_block(s);
1095 
1096         if (s->server) {
1097             /*
1098              * In TLSv1.3 we update the cache as part of constructing the
1099              * NewSessionTicket
1100              */
1101             if (!SSL_IS_TLS13(s))
1102                 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1103 
1104             /* N.B. s->ctx may not equal s->session_ctx */
1105             ssl_tsan_counter(s->ctx, &s->ctx->stats.sess_accept_good);
1106             s->handshake_func = ossl_statem_accept;
1107         } else {
1108             if (SSL_IS_TLS13(s)) {
1109                 /*
1110                  * We encourage applications to only use TLSv1.3 tickets once,
1111                  * so we remove this one from the cache.
1112                  */
1113                 if ((s->session_ctx->session_cache_mode
1114                      & SSL_SESS_CACHE_CLIENT) != 0)
1115                     SSL_CTX_remove_session(s->session_ctx, s->session);
1116             } else {
1117                 /*
1118                  * In TLSv1.3 we update the cache as part of processing the
1119                  * NewSessionTicket
1120                  */
1121                 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1122             }
1123             if (s->hit)
1124                 ssl_tsan_counter(s->session_ctx,
1125                                  &s->session_ctx->stats.sess_hit);
1126 
1127             s->handshake_func = ossl_statem_connect;
1128             ssl_tsan_counter(s->session_ctx,
1129                              &s->session_ctx->stats.sess_connect_good);
1130         }
1131 
1132         if (SSL_IS_DTLS(s)) {
1133             /* done with handshaking */
1134             s->d1->handshake_read_seq = 0;
1135             s->d1->handshake_write_seq = 0;
1136             s->d1->next_handshake_write_seq = 0;
1137             dtls1_clear_received_buffer(s);
1138         }
1139     }
1140 
1141     if (s->info_callback != NULL)
1142         cb = s->info_callback;
1143     else if (s->ctx->info_callback != NULL)
1144         cb = s->ctx->info_callback;
1145 
1146     /* The callback may expect us to not be in init at handshake done */
1147     ossl_statem_set_in_init(s, 0);
1148 
1149     if (cb != NULL) {
1150         if (cleanuphand
1151                 || !SSL_IS_TLS13(s)
1152                 || SSL_IS_FIRST_HANDSHAKE(s))
1153             cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1154     }
1155 
1156     if (!stop) {
1157         /* If we've got more work to do we go back into init */
1158         ossl_statem_set_in_init(s, 1);
1159         return WORK_FINISHED_CONTINUE;
1160     }
1161 
1162     return WORK_FINISHED_STOP;
1163 }
1164 
1165 int tls_get_message_header(SSL *s, int *mt)
1166 {
1167     /* s->init_num < SSL3_HM_HEADER_LENGTH */
1168     int skip_message, i, recvd_type;
1169     unsigned char *p;
1170     size_t l, readbytes;
1171 
1172     p = (unsigned char *)s->init_buf->data;
1173 
1174     do {
1175         while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1176             i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1177                                           &p[s->init_num],
1178                                           SSL3_HM_HEADER_LENGTH - s->init_num,
1179                                           0, &readbytes);
1180             if (i <= 0) {
1181                 s->rwstate = SSL_READING;
1182                 return 0;
1183             }
1184             if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1185                 /*
1186                  * A ChangeCipherSpec must be a single byte and may not occur
1187                  * in the middle of a handshake message.
1188                  */
1189                 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1190                     SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1191                              SSL_R_BAD_CHANGE_CIPHER_SPEC);
1192                     return 0;
1193                 }
1194                 if (s->statem.hand_state == TLS_ST_BEFORE
1195                         && (s->s3.flags & TLS1_FLAGS_STATELESS) != 0) {
1196                     /*
1197                      * We are stateless and we received a CCS. Probably this is
1198                      * from a client between the first and second ClientHellos.
1199                      * We should ignore this, but return an error because we do
1200                      * not return success until we see the second ClientHello
1201                      * with a valid cookie.
1202                      */
1203                     return 0;
1204                 }
1205                 s->s3.tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1206                 s->init_num = readbytes - 1;
1207                 s->init_msg = s->init_buf->data;
1208                 s->s3.tmp.message_size = readbytes;
1209                 return 1;
1210             } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1211                 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1212                          SSL_R_CCS_RECEIVED_EARLY);
1213                 return 0;
1214             }
1215             s->init_num += readbytes;
1216         }
1217 
1218         skip_message = 0;
1219         if (!s->server)
1220             if (s->statem.hand_state != TLS_ST_OK
1221                     && p[0] == SSL3_MT_HELLO_REQUEST)
1222                 /*
1223                  * The server may always send 'Hello Request' messages --
1224                  * we are doing a handshake anyway now, so ignore them if
1225                  * their format is correct. Does not count for 'Finished'
1226                  * MAC.
1227                  */
1228                 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1229                     s->init_num = 0;
1230                     skip_message = 1;
1231 
1232                     if (s->msg_callback)
1233                         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1234                                         p, SSL3_HM_HEADER_LENGTH, s,
1235                                         s->msg_callback_arg);
1236                 }
1237     } while (skip_message);
1238     /* s->init_num == SSL3_HM_HEADER_LENGTH */
1239 
1240     *mt = *p;
1241     s->s3.tmp.message_type = *(p++);
1242 
1243     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1244         /*
1245          * Only happens with SSLv3+ in an SSLv2 backward compatible
1246          * ClientHello
1247          *
1248          * Total message size is the remaining record bytes to read
1249          * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1250          */
1251         l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1252             + SSL3_HM_HEADER_LENGTH;
1253         s->s3.tmp.message_size = l;
1254 
1255         s->init_msg = s->init_buf->data;
1256         s->init_num = SSL3_HM_HEADER_LENGTH;
1257     } else {
1258         n2l3(p, l);
1259         /* BUF_MEM_grow takes an 'int' parameter */
1260         if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1261             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1262                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
1263             return 0;
1264         }
1265         s->s3.tmp.message_size = l;
1266 
1267         s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1268         s->init_num = 0;
1269     }
1270 
1271     return 1;
1272 }
1273 
1274 int tls_get_message_body(SSL *s, size_t *len)
1275 {
1276     size_t n, readbytes;
1277     unsigned char *p;
1278     int i;
1279 
1280     if (s->s3.tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1281         /* We've already read everything in */
1282         *len = (unsigned long)s->init_num;
1283         return 1;
1284     }
1285 
1286     p = s->init_msg;
1287     n = s->s3.tmp.message_size - s->init_num;
1288     while (n > 0) {
1289         i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1290                                       &p[s->init_num], n, 0, &readbytes);
1291         if (i <= 0) {
1292             s->rwstate = SSL_READING;
1293             *len = 0;
1294             return 0;
1295         }
1296         s->init_num += readbytes;
1297         n -= readbytes;
1298     }
1299 
1300     /*
1301      * If receiving Finished, record MAC of prior handshake messages for
1302      * Finished verification.
1303      */
1304     if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1305         /* SSLfatal() already called */
1306         *len = 0;
1307         return 0;
1308     }
1309 
1310     /* Feed this message into MAC computation. */
1311     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1312         if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1313                              s->init_num)) {
1314             /* SSLfatal() already called */
1315             *len = 0;
1316             return 0;
1317         }
1318         if (s->msg_callback)
1319             s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1320                             (size_t)s->init_num, s, s->msg_callback_arg);
1321     } else {
1322         /*
1323          * We defer feeding in the HRR until later. We'll do it as part of
1324          * processing the message
1325          * The TLsv1.3 handshake transcript stops at the ClientFinished
1326          * message.
1327          */
1328 #define SERVER_HELLO_RANDOM_OFFSET  (SSL3_HM_HEADER_LENGTH + 2)
1329         /* KeyUpdate and NewSessionTicket do not need to be added */
1330         if (!SSL_IS_TLS13(s) || (s->s3.tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1331                                  && s->s3.tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1332             if (s->s3.tmp.message_type != SSL3_MT_SERVER_HELLO
1333                     || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1334                     || memcmp(hrrrandom,
1335                               s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1336                               SSL3_RANDOM_SIZE) != 0) {
1337                 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1338                                      s->init_num + SSL3_HM_HEADER_LENGTH)) {
1339                     /* SSLfatal() already called */
1340                     *len = 0;
1341                     return 0;
1342                 }
1343             }
1344         }
1345         if (s->msg_callback)
1346             s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1347                             (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1348                             s->msg_callback_arg);
1349     }
1350 
1351     *len = s->init_num;
1352     return 1;
1353 }
1354 
1355 static const X509ERR2ALERT x509table[] = {
1356     {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1357     {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1358     {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
1359     {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1360     {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1361     {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1362     {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1363     {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1364     {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1365     {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1366     {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1367     {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1368     {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1369     {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1370     {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1371     {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1372     {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1373     {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1374     {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1375     {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1376     {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1377     {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1378     {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1379     {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1380     {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1381     {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1382     {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1383     {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1384     {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1385     {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1386     {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1387     {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1388     {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1389     {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1390     {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1391     {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1392     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1393     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1394     {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1395     {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1396 
1397     /* Last entry; return this if we don't find the value above. */
1398     {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1399 };
1400 
1401 int ssl_x509err2alert(int x509err)
1402 {
1403     const X509ERR2ALERT *tp;
1404 
1405     for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1406         if (tp->x509err == x509err)
1407             break;
1408     return tp->alert;
1409 }
1410 
1411 int ssl_allow_compression(SSL *s)
1412 {
1413     if (s->options & SSL_OP_NO_COMPRESSION)
1414         return 0;
1415     return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1416 }
1417 
1418 static int version_cmp(const SSL *s, int a, int b)
1419 {
1420     int dtls = SSL_IS_DTLS(s);
1421 
1422     if (a == b)
1423         return 0;
1424     if (!dtls)
1425         return a < b ? -1 : 1;
1426     return DTLS_VERSION_LT(a, b) ? -1 : 1;
1427 }
1428 
1429 typedef struct {
1430     int version;
1431     const SSL_METHOD *(*cmeth) (void);
1432     const SSL_METHOD *(*smeth) (void);
1433 } version_info;
1434 
1435 #if TLS_MAX_VERSION_INTERNAL != TLS1_3_VERSION
1436 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1437 #endif
1438 
1439 /* Must be in order high to low */
1440 static const version_info tls_version_table[] = {
1441 #ifndef OPENSSL_NO_TLS1_3
1442     {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1443 #else
1444     {TLS1_3_VERSION, NULL, NULL},
1445 #endif
1446 #ifndef OPENSSL_NO_TLS1_2
1447     {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1448 #else
1449     {TLS1_2_VERSION, NULL, NULL},
1450 #endif
1451 #ifndef OPENSSL_NO_TLS1_1
1452     {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1453 #else
1454     {TLS1_1_VERSION, NULL, NULL},
1455 #endif
1456 #ifndef OPENSSL_NO_TLS1
1457     {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1458 #else
1459     {TLS1_VERSION, NULL, NULL},
1460 #endif
1461 #ifndef OPENSSL_NO_SSL3
1462     {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1463 #else
1464     {SSL3_VERSION, NULL, NULL},
1465 #endif
1466     {0, NULL, NULL},
1467 };
1468 
1469 #if DTLS_MAX_VERSION_INTERNAL != DTLS1_2_VERSION
1470 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1471 #endif
1472 
1473 /* Must be in order high to low */
1474 static const version_info dtls_version_table[] = {
1475 #ifndef OPENSSL_NO_DTLS1_2
1476     {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1477 #else
1478     {DTLS1_2_VERSION, NULL, NULL},
1479 #endif
1480 #ifndef OPENSSL_NO_DTLS1
1481     {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1482     {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1483 #else
1484     {DTLS1_VERSION, NULL, NULL},
1485     {DTLS1_BAD_VER, NULL, NULL},
1486 #endif
1487     {0, NULL, NULL},
1488 };
1489 
1490 /*
1491  * ssl_method_error - Check whether an SSL_METHOD is enabled.
1492  *
1493  * @s: The SSL handle for the candidate method
1494  * @method: the intended method.
1495  *
1496  * Returns 0 on success, or an SSL error reason on failure.
1497  */
1498 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1499 {
1500     int version = method->version;
1501 
1502     if ((s->min_proto_version != 0 &&
1503          version_cmp(s, version, s->min_proto_version) < 0) ||
1504         ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1505         return SSL_R_VERSION_TOO_LOW;
1506 
1507     if (s->max_proto_version != 0 &&
1508         version_cmp(s, version, s->max_proto_version) > 0)
1509         return SSL_R_VERSION_TOO_HIGH;
1510 
1511     if ((s->options & method->mask) != 0)
1512         return SSL_R_UNSUPPORTED_PROTOCOL;
1513     if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1514         return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1515 
1516     return 0;
1517 }
1518 
1519 /*
1520  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1521  * certificate type, or has PSK or a certificate callback configured, or has
1522  * a servername callback configure. Otherwise returns 0.
1523  */
1524 static int is_tls13_capable(const SSL *s)
1525 {
1526     int i;
1527     int curve;
1528 
1529     if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))
1530         return 0;
1531 
1532     /*
1533      * A servername callback can change the available certs, so if a servername
1534      * cb is set then we just assume TLSv1.3 will be ok
1535      */
1536     if (s->ctx->ext.servername_cb != NULL
1537             || s->session_ctx->ext.servername_cb != NULL)
1538         return 1;
1539 
1540 #ifndef OPENSSL_NO_PSK
1541     if (s->psk_server_callback != NULL)
1542         return 1;
1543 #endif
1544 
1545     if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1546         return 1;
1547 
1548     for (i = 0; i < SSL_PKEY_NUM; i++) {
1549         /* Skip over certs disallowed for TLSv1.3 */
1550         switch (i) {
1551         case SSL_PKEY_DSA_SIGN:
1552         case SSL_PKEY_GOST01:
1553         case SSL_PKEY_GOST12_256:
1554         case SSL_PKEY_GOST12_512:
1555             continue;
1556         default:
1557             break;
1558         }
1559         if (!ssl_has_cert(s, i))
1560             continue;
1561         if (i != SSL_PKEY_ECC)
1562             return 1;
1563         /*
1564          * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1565          * more restrictive so check that our sig algs are consistent with this
1566          * EC cert. See section 4.2.3 of RFC8446.
1567          */
1568         curve = ssl_get_EC_curve_nid(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1569         if (tls_check_sigalg_curve(s, curve))
1570             return 1;
1571     }
1572 
1573     return 0;
1574 }
1575 
1576 /*
1577  * ssl_version_supported - Check that the specified `version` is supported by
1578  * `SSL *` instance
1579  *
1580  * @s: The SSL handle for the candidate method
1581  * @version: Protocol version to test against
1582  *
1583  * Returns 1 when supported, otherwise 0
1584  */
1585 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1586 {
1587     const version_info *vent;
1588     const version_info *table;
1589 
1590     switch (s->method->version) {
1591     default:
1592         /* Version should match method version for non-ANY method */
1593         return version_cmp(s, version, s->version) == 0;
1594     case TLS_ANY_VERSION:
1595         table = tls_version_table;
1596         break;
1597     case DTLS_ANY_VERSION:
1598         table = dtls_version_table;
1599         break;
1600     }
1601 
1602     for (vent = table;
1603          vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1604          ++vent) {
1605         if (vent->cmeth != NULL
1606                 && version_cmp(s, version, vent->version) == 0
1607                 && ssl_method_error(s, vent->cmeth()) == 0
1608                 && (!s->server
1609                     || version != TLS1_3_VERSION
1610                     || is_tls13_capable(s))) {
1611             if (meth != NULL)
1612                 *meth = vent->cmeth();
1613             return 1;
1614         }
1615     }
1616     return 0;
1617 }
1618 
1619 /*
1620  * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1621  * fallback indication from a client check whether we're using the highest
1622  * supported protocol version.
1623  *
1624  * @s server SSL handle.
1625  *
1626  * Returns 1 when using the highest enabled version, 0 otherwise.
1627  */
1628 int ssl_check_version_downgrade(SSL *s)
1629 {
1630     const version_info *vent;
1631     const version_info *table;
1632 
1633     /*
1634      * Check that the current protocol is the highest enabled version
1635      * (according to s->ctx->method, as version negotiation may have changed
1636      * s->method).
1637      */
1638     if (s->version == s->ctx->method->version)
1639         return 1;
1640 
1641     /*
1642      * Apparently we're using a version-flexible SSL_METHOD (not at its
1643      * highest protocol version).
1644      */
1645     if (s->ctx->method->version == TLS_method()->version)
1646         table = tls_version_table;
1647     else if (s->ctx->method->version == DTLS_method()->version)
1648         table = dtls_version_table;
1649     else {
1650         /* Unexpected state; fail closed. */
1651         return 0;
1652     }
1653 
1654     for (vent = table; vent->version != 0; ++vent) {
1655         if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1656             return s->version == vent->version;
1657     }
1658     return 0;
1659 }
1660 
1661 /*
1662  * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1663  * protocols, provided the initial (D)TLS method is version-flexible.  This
1664  * function sanity-checks the proposed value and makes sure the method is
1665  * version-flexible, then sets the limit if all is well.
1666  *
1667  * @method_version: The version of the current SSL_METHOD.
1668  * @version: the intended limit.
1669  * @bound: pointer to limit to be updated.
1670  *
1671  * Returns 1 on success, 0 on failure.
1672  */
1673 int ssl_set_version_bound(int method_version, int version, int *bound)
1674 {
1675     int valid_tls;
1676     int valid_dtls;
1677 
1678     if (version == 0) {
1679         *bound = version;
1680         return 1;
1681     }
1682 
1683     valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
1684     valid_dtls =
1685         DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
1686         DTLS_VERSION_GE(version, DTLS1_BAD_VER);
1687 
1688     if (!valid_tls && !valid_dtls)
1689         return 0;
1690 
1691     /*-
1692      * Restrict TLS methods to TLS protocol versions.
1693      * Restrict DTLS methods to DTLS protocol versions.
1694      * Note, DTLS version numbers are decreasing, use comparison macros.
1695      *
1696      * Note that for both lower-bounds we use explicit versions, not
1697      * (D)TLS_MIN_VERSION.  This is because we don't want to break user
1698      * configurations.  If the MIN (supported) version ever rises, the user's
1699      * "floor" remains valid even if no longer available.  We don't expect the
1700      * MAX ceiling to ever get lower, so making that variable makes sense.
1701      *
1702      * We ignore attempts to set bounds on version-inflexible methods,
1703      * returning success.
1704      */
1705     switch (method_version) {
1706     default:
1707         break;
1708 
1709     case TLS_ANY_VERSION:
1710         if (valid_tls)
1711             *bound = version;
1712         break;
1713 
1714     case DTLS_ANY_VERSION:
1715         if (valid_dtls)
1716             *bound = version;
1717         break;
1718     }
1719     return 1;
1720 }
1721 
1722 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1723 {
1724     if (vers == TLS1_2_VERSION
1725             && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1726         *dgrd = DOWNGRADE_TO_1_2;
1727     } else if (!SSL_IS_DTLS(s)
1728             && vers < TLS1_2_VERSION
1729                /*
1730                 * We need to ensure that a server that disables TLSv1.2
1731                 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1732                 * complete handshakes with clients that support TLSv1.2 and
1733                 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1734                 * enabled and TLSv1.2 is not.
1735                 */
1736             && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1737         *dgrd = DOWNGRADE_TO_1_1;
1738     } else {
1739         *dgrd = DOWNGRADE_NONE;
1740     }
1741 }
1742 
1743 /*
1744  * ssl_choose_server_version - Choose server (D)TLS version.  Called when the
1745  * client HELLO is received to select the final server protocol version and
1746  * the version specific method.
1747  *
1748  * @s: server SSL handle.
1749  *
1750  * Returns 0 on success or an SSL error reason number on failure.
1751  */
1752 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1753 {
1754     /*-
1755      * With version-flexible methods we have an initial state with:
1756      *
1757      *   s->method->version == (D)TLS_ANY_VERSION,
1758      *   s->version == (D)TLS_MAX_VERSION_INTERNAL.
1759      *
1760      * So we detect version-flexible methods via the method version, not the
1761      * handle version.
1762      */
1763     int server_version = s->method->version;
1764     int client_version = hello->legacy_version;
1765     const version_info *vent;
1766     const version_info *table;
1767     int disabled = 0;
1768     RAW_EXTENSION *suppversions;
1769 
1770     s->client_version = client_version;
1771 
1772     switch (server_version) {
1773     default:
1774         if (!SSL_IS_TLS13(s)) {
1775             if (version_cmp(s, client_version, s->version) < 0)
1776                 return SSL_R_WRONG_SSL_VERSION;
1777             *dgrd = DOWNGRADE_NONE;
1778             /*
1779              * If this SSL handle is not from a version flexible method we don't
1780              * (and never did) check min/max FIPS or Suite B constraints.  Hope
1781              * that's OK.  It is up to the caller to not choose fixed protocol
1782              * versions they don't want.  If not, then easy to fix, just return
1783              * ssl_method_error(s, s->method)
1784              */
1785             return 0;
1786         }
1787         /*
1788          * Fall through if we are TLSv1.3 already (this means we must be after
1789          * a HelloRetryRequest
1790          */
1791         /* fall thru */
1792     case TLS_ANY_VERSION:
1793         table = tls_version_table;
1794         break;
1795     case DTLS_ANY_VERSION:
1796         table = dtls_version_table;
1797         break;
1798     }
1799 
1800     suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1801 
1802     /* If we did an HRR then supported versions is mandatory */
1803     if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1804         return SSL_R_UNSUPPORTED_PROTOCOL;
1805 
1806     if (suppversions->present && !SSL_IS_DTLS(s)) {
1807         unsigned int candidate_vers = 0;
1808         unsigned int best_vers = 0;
1809         const SSL_METHOD *best_method = NULL;
1810         PACKET versionslist;
1811 
1812         suppversions->parsed = 1;
1813 
1814         if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1815             /* Trailing or invalid data? */
1816             return SSL_R_LENGTH_MISMATCH;
1817         }
1818 
1819         /*
1820          * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1821          * The spec only requires servers to check that it isn't SSLv3:
1822          * "Any endpoint receiving a Hello message with
1823          * ClientHello.legacy_version or ServerHello.legacy_version set to
1824          * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1825          * We are slightly stricter and require that it isn't SSLv3 or lower.
1826          * We tolerate TLSv1 and TLSv1.1.
1827          */
1828         if (client_version <= SSL3_VERSION)
1829             return SSL_R_BAD_LEGACY_VERSION;
1830 
1831         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1832             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1833                 continue;
1834             if (ssl_version_supported(s, candidate_vers, &best_method))
1835                 best_vers = candidate_vers;
1836         }
1837         if (PACKET_remaining(&versionslist) != 0) {
1838             /* Trailing data? */
1839             return SSL_R_LENGTH_MISMATCH;
1840         }
1841 
1842         if (best_vers > 0) {
1843             if (s->hello_retry_request != SSL_HRR_NONE) {
1844                 /*
1845                  * This is after a HelloRetryRequest so we better check that we
1846                  * negotiated TLSv1.3
1847                  */
1848                 if (best_vers != TLS1_3_VERSION)
1849                     return SSL_R_UNSUPPORTED_PROTOCOL;
1850                 return 0;
1851             }
1852             check_for_downgrade(s, best_vers, dgrd);
1853             s->version = best_vers;
1854             s->method = best_method;
1855             return 0;
1856         }
1857         return SSL_R_UNSUPPORTED_PROTOCOL;
1858     }
1859 
1860     /*
1861      * If the supported versions extension isn't present, then the highest
1862      * version we can negotiate is TLSv1.2
1863      */
1864     if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1865         client_version = TLS1_2_VERSION;
1866 
1867     /*
1868      * No supported versions extension, so we just use the version supplied in
1869      * the ClientHello.
1870      */
1871     for (vent = table; vent->version != 0; ++vent) {
1872         const SSL_METHOD *method;
1873 
1874         if (vent->smeth == NULL ||
1875             version_cmp(s, client_version, vent->version) < 0)
1876             continue;
1877         method = vent->smeth();
1878         if (ssl_method_error(s, method) == 0) {
1879             check_for_downgrade(s, vent->version, dgrd);
1880             s->version = vent->version;
1881             s->method = method;
1882             return 0;
1883         }
1884         disabled = 1;
1885     }
1886     return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1887 }
1888 
1889 /*
1890  * ssl_choose_client_version - Choose client (D)TLS version.  Called when the
1891  * server HELLO is received to select the final client protocol version and
1892  * the version specific method.
1893  *
1894  * @s: client SSL handle.
1895  * @version: The proposed version from the server's HELLO.
1896  * @extensions: The extensions received
1897  *
1898  * Returns 1 on success or 0 on error.
1899  */
1900 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1901 {
1902     const version_info *vent;
1903     const version_info *table;
1904     int ret, ver_min, ver_max, real_max, origv;
1905 
1906     origv = s->version;
1907     s->version = version;
1908 
1909     /* This will overwrite s->version if the extension is present */
1910     if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1911                              SSL_EXT_TLS1_2_SERVER_HELLO
1912                              | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1913                              NULL, 0)) {
1914         s->version = origv;
1915         return 0;
1916     }
1917 
1918     if (s->hello_retry_request != SSL_HRR_NONE
1919             && s->version != TLS1_3_VERSION) {
1920         s->version = origv;
1921         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1922         return 0;
1923     }
1924 
1925     switch (s->method->version) {
1926     default:
1927         if (s->version != s->method->version) {
1928             s->version = origv;
1929             SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_SSL_VERSION);
1930             return 0;
1931         }
1932         /*
1933          * If this SSL handle is not from a version flexible method we don't
1934          * (and never did) check min/max, FIPS or Suite B constraints.  Hope
1935          * that's OK.  It is up to the caller to not choose fixed protocol
1936          * versions they don't want.  If not, then easy to fix, just return
1937          * ssl_method_error(s, s->method)
1938          */
1939         return 1;
1940     case TLS_ANY_VERSION:
1941         table = tls_version_table;
1942         break;
1943     case DTLS_ANY_VERSION:
1944         table = dtls_version_table;
1945         break;
1946     }
1947 
1948     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1949     if (ret != 0) {
1950         s->version = origv;
1951         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, ret);
1952         return 0;
1953     }
1954     if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1955                        : s->version < ver_min) {
1956         s->version = origv;
1957         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1958         return 0;
1959     } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1960                               : s->version > ver_max) {
1961         s->version = origv;
1962         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1963         return 0;
1964     }
1965 
1966     if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1967         real_max = ver_max;
1968 
1969     /* Check for downgrades */
1970     if (s->version == TLS1_2_VERSION && real_max > s->version) {
1971         if (memcmp(tls12downgrade,
1972                    s->s3.server_random + SSL3_RANDOM_SIZE
1973                                         - sizeof(tls12downgrade),
1974                    sizeof(tls12downgrade)) == 0) {
1975             s->version = origv;
1976             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1977                      SSL_R_INAPPROPRIATE_FALLBACK);
1978             return 0;
1979         }
1980     } else if (!SSL_IS_DTLS(s)
1981                && s->version < TLS1_2_VERSION
1982                && real_max > s->version) {
1983         if (memcmp(tls11downgrade,
1984                    s->s3.server_random + SSL3_RANDOM_SIZE
1985                                         - sizeof(tls11downgrade),
1986                    sizeof(tls11downgrade)) == 0) {
1987             s->version = origv;
1988             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1989                      SSL_R_INAPPROPRIATE_FALLBACK);
1990             return 0;
1991         }
1992     }
1993 
1994     for (vent = table; vent->version != 0; ++vent) {
1995         if (vent->cmeth == NULL || s->version != vent->version)
1996             continue;
1997 
1998         s->method = vent->cmeth();
1999         return 1;
2000     }
2001 
2002     s->version = origv;
2003     SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
2004     return 0;
2005 }
2006 
2007 /*
2008  * ssl_get_min_max_version - get minimum and maximum protocol version
2009  * @s: The SSL connection
2010  * @min_version: The minimum supported version
2011  * @max_version: The maximum supported version
2012  * @real_max:    The highest version below the lowest compile time version hole
2013  *               where that hole lies above at least one run-time enabled
2014  *               protocol.
2015  *
2016  * Work out what version we should be using for the initial ClientHello if the
2017  * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
2018  * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2019  * constraints and any floor imposed by the security level here,
2020  * so we don't advertise the wrong protocol version to only reject the outcome later.
2021  *
2022  * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
2023  * TLS 1.1 is disabled, but the security level, Suite-B  and/or MinProtocol
2024  * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2025  *
2026  * Returns 0 on success or an SSL error reason number on failure.  On failure
2027  * min_version and max_version will also be set to 0.
2028  */
2029 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2030                             int *real_max)
2031 {
2032     int version, tmp_real_max;
2033     int hole;
2034     const SSL_METHOD *single = NULL;
2035     const SSL_METHOD *method;
2036     const version_info *table;
2037     const version_info *vent;
2038 
2039     switch (s->method->version) {
2040     default:
2041         /*
2042          * If this SSL handle is not from a version flexible method we don't
2043          * (and never did) check min/max FIPS or Suite B constraints.  Hope
2044          * that's OK.  It is up to the caller to not choose fixed protocol
2045          * versions they don't want.  If not, then easy to fix, just return
2046          * ssl_method_error(s, s->method)
2047          */
2048         *min_version = *max_version = s->version;
2049         /*
2050          * Providing a real_max only makes sense where we're using a version
2051          * flexible method.
2052          */
2053         if (!ossl_assert(real_max == NULL))
2054             return ERR_R_INTERNAL_ERROR;
2055         return 0;
2056     case TLS_ANY_VERSION:
2057         table = tls_version_table;
2058         break;
2059     case DTLS_ANY_VERSION:
2060         table = dtls_version_table;
2061         break;
2062     }
2063 
2064     /*
2065      * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2066      * below X enabled. This is required in order to maintain the "version
2067      * capability" vector contiguous. Any versions with a NULL client method
2068      * (protocol version client is disabled at compile-time) is also a "hole".
2069      *
2070      * Our initial state is hole == 1, version == 0.  That is, versions above
2071      * the first version in the method table are disabled (a "hole" above
2072      * the valid protocol entries) and we don't have a selected version yet.
2073      *
2074      * Whenever "hole == 1", and we hit an enabled method, its version becomes
2075      * the selected version, and the method becomes a candidate "single"
2076      * method.  We're no longer in a hole, so "hole" becomes 0.
2077      *
2078      * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2079      * as we support a contiguous range of at least two methods.  If we hit
2080      * a disabled method, then hole becomes true again, but nothing else
2081      * changes yet, because all the remaining methods may be disabled too.
2082      * If we again hit an enabled method after the new hole, it becomes
2083      * selected, as we start from scratch.
2084      */
2085     *min_version = version = 0;
2086     hole = 1;
2087     if (real_max != NULL)
2088         *real_max = 0;
2089     tmp_real_max = 0;
2090     for (vent = table; vent->version != 0; ++vent) {
2091         /*
2092          * A table entry with a NULL client method is still a hole in the
2093          * "version capability" vector.
2094          */
2095         if (vent->cmeth == NULL) {
2096             hole = 1;
2097             tmp_real_max = 0;
2098             continue;
2099         }
2100         method = vent->cmeth();
2101 
2102         if (hole == 1 && tmp_real_max == 0)
2103             tmp_real_max = vent->version;
2104 
2105         if (ssl_method_error(s, method) != 0) {
2106             hole = 1;
2107         } else if (!hole) {
2108             single = NULL;
2109             *min_version = method->version;
2110         } else {
2111             if (real_max != NULL && tmp_real_max != 0)
2112                 *real_max = tmp_real_max;
2113             version = (single = method)->version;
2114             *min_version = version;
2115             hole = 0;
2116         }
2117     }
2118 
2119     *max_version = version;
2120 
2121     /* Fail if everything is disabled */
2122     if (version == 0)
2123         return SSL_R_NO_PROTOCOLS_AVAILABLE;
2124 
2125     return 0;
2126 }
2127 
2128 /*
2129  * ssl_set_client_hello_version - Work out what version we should be using for
2130  * the initial ClientHello.legacy_version field.
2131  *
2132  * @s: client SSL handle.
2133  *
2134  * Returns 0 on success or an SSL error reason number on failure.
2135  */
2136 int ssl_set_client_hello_version(SSL *s)
2137 {
2138     int ver_min, ver_max, ret;
2139 
2140     /*
2141      * In a renegotiation we always send the same client_version that we sent
2142      * last time, regardless of which version we eventually negotiated.
2143      */
2144     if (!SSL_IS_FIRST_HANDSHAKE(s))
2145         return 0;
2146 
2147     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2148 
2149     if (ret != 0)
2150         return ret;
2151 
2152     s->version = ver_max;
2153 
2154     /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2155     if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2156         ver_max = TLS1_2_VERSION;
2157 
2158     s->client_version = ver_max;
2159     return 0;
2160 }
2161 
2162 /*
2163  * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2164  * and |checkallow| is 1 then additionally check if the group is allowed to be
2165  * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2166  * 1) or 0 otherwise.
2167  */
2168 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2169                   size_t num_groups, int checkallow)
2170 {
2171     size_t i;
2172 
2173     if (groups == NULL || num_groups == 0)
2174         return 0;
2175 
2176     for (i = 0; i < num_groups; i++) {
2177         uint16_t group = groups[i];
2178 
2179         if (group_id == group
2180                 && (!checkallow
2181                     || tls_group_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2182             return 1;
2183         }
2184     }
2185 
2186     return 0;
2187 }
2188 
2189 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2190 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2191                                   size_t hashlen, const unsigned char *hrr,
2192                                   size_t hrrlen)
2193 {
2194     unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2195     unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2196 
2197     memset(msghdr, 0, sizeof(msghdr));
2198 
2199     if (hashval == NULL) {
2200         hashval = hashvaltmp;
2201         hashlen = 0;
2202         /* Get the hash of the initial ClientHello */
2203         if (!ssl3_digest_cached_records(s, 0)
2204                 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2205                                        &hashlen)) {
2206             /* SSLfatal() already called */
2207             return 0;
2208         }
2209     }
2210 
2211     /* Reinitialise the transcript hash */
2212     if (!ssl3_init_finished_mac(s)) {
2213         /* SSLfatal() already called */
2214         return 0;
2215     }
2216 
2217     /* Inject the synthetic message_hash message */
2218     msghdr[0] = SSL3_MT_MESSAGE_HASH;
2219     msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2220     if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2221             || !ssl3_finish_mac(s, hashval, hashlen)) {
2222         /* SSLfatal() already called */
2223         return 0;
2224     }
2225 
2226     /*
2227      * Now re-inject the HRR and current message if appropriate (we just deleted
2228      * it when we reinitialised the transcript hash above). Only necessary after
2229      * receiving a ClientHello2 with a cookie.
2230      */
2231     if (hrr != NULL
2232             && (!ssl3_finish_mac(s, hrr, hrrlen)
2233                 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2234                                     s->s3.tmp.message_size
2235                                     + SSL3_HM_HEADER_LENGTH))) {
2236         /* SSLfatal() already called */
2237         return 0;
2238     }
2239 
2240     return 1;
2241 }
2242 
2243 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2244 {
2245     return X509_NAME_cmp(*a, *b);
2246 }
2247 
2248 int parse_ca_names(SSL *s, PACKET *pkt)
2249 {
2250     STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2251     X509_NAME *xn = NULL;
2252     PACKET cadns;
2253 
2254     if (ca_sk == NULL) {
2255         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2256         goto err;
2257     }
2258     /* get the CA RDNs */
2259     if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2260         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2261         goto err;
2262     }
2263 
2264     while (PACKET_remaining(&cadns)) {
2265         const unsigned char *namestart, *namebytes;
2266         unsigned int name_len;
2267 
2268         if (!PACKET_get_net_2(&cadns, &name_len)
2269             || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2270             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_LENGTH_MISMATCH);
2271             goto err;
2272         }
2273 
2274         namestart = namebytes;
2275         if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2276             SSLfatal(s, SSL_AD_DECODE_ERROR, ERR_R_ASN1_LIB);
2277             goto err;
2278         }
2279         if (namebytes != (namestart + name_len)) {
2280             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_CA_DN_LENGTH_MISMATCH);
2281             goto err;
2282         }
2283 
2284         if (!sk_X509_NAME_push(ca_sk, xn)) {
2285             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2286             goto err;
2287         }
2288         xn = NULL;
2289     }
2290 
2291     sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
2292     s->s3.tmp.peer_ca_names = ca_sk;
2293 
2294     return 1;
2295 
2296  err:
2297     sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2298     X509_NAME_free(xn);
2299     return 0;
2300 }
2301 
2302 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2303 {
2304     const STACK_OF(X509_NAME) *ca_sk = NULL;;
2305 
2306     if (s->server) {
2307         ca_sk = SSL_get_client_CA_list(s);
2308         if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2309             ca_sk = NULL;
2310     }
2311 
2312     if (ca_sk == NULL)
2313         ca_sk = SSL_get0_CA_list(s);
2314 
2315     return ca_sk;
2316 }
2317 
2318 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2319 {
2320     /* Start sub-packet for client CA list */
2321     if (!WPACKET_start_sub_packet_u16(pkt)) {
2322         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2323         return 0;
2324     }
2325 
2326     if ((ca_sk != NULL) && !(s->options & SSL_OP_DISABLE_TLSEXT_CA_NAMES)) {
2327         int i;
2328 
2329         for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2330             unsigned char *namebytes;
2331             X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2332             int namelen;
2333 
2334             if (name == NULL
2335                     || (namelen = i2d_X509_NAME(name, NULL)) < 0
2336                     || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2337                                                        &namebytes)
2338                     || i2d_X509_NAME(name, &namebytes) != namelen) {
2339                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2340                 return 0;
2341             }
2342         }
2343     }
2344 
2345     if (!WPACKET_close(pkt)) {
2346         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2347         return 0;
2348     }
2349 
2350     return 1;
2351 }
2352 
2353 /* Create a buffer containing data to be signed for server key exchange */
2354 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2355                                   const void *param, size_t paramlen)
2356 {
2357     size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2358     unsigned char *tbs = OPENSSL_malloc(tbslen);
2359 
2360     if (tbs == NULL) {
2361         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
2362         return 0;
2363     }
2364     memcpy(tbs, s->s3.client_random, SSL3_RANDOM_SIZE);
2365     memcpy(tbs + SSL3_RANDOM_SIZE, s->s3.server_random, SSL3_RANDOM_SIZE);
2366 
2367     memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2368 
2369     *ptbs = tbs;
2370     return tbslen;
2371 }
2372 
2373 /*
2374  * Saves the current handshake digest for Post-Handshake Auth,
2375  * Done after ClientFinished is processed, done exactly once
2376  */
2377 int tls13_save_handshake_digest_for_pha(SSL *s)
2378 {
2379     if (s->pha_dgst == NULL) {
2380         if (!ssl3_digest_cached_records(s, 1))
2381             /* SSLfatal() already called */
2382             return 0;
2383 
2384         s->pha_dgst = EVP_MD_CTX_new();
2385         if (s->pha_dgst == NULL) {
2386             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2387             return 0;
2388         }
2389         if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2390                                 s->s3.handshake_dgst)) {
2391             SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2392             EVP_MD_CTX_free(s->pha_dgst);
2393             s->pha_dgst = NULL;
2394             return 0;
2395         }
2396     }
2397     return 1;
2398 }
2399 
2400 /*
2401  * Restores the Post-Handshake Auth handshake digest
2402  * Done just before sending/processing the Cert Request
2403  */
2404 int tls13_restore_handshake_digest_for_pha(SSL *s)
2405 {
2406     if (s->pha_dgst == NULL) {
2407         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2408         return 0;
2409     }
2410     if (!EVP_MD_CTX_copy_ex(s->s3.handshake_dgst,
2411                             s->pha_dgst)) {
2412         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
2413         return 0;
2414     }
2415     return 1;
2416 }
2417