xref: /freebsd/crypto/openssl/ssl/statem/statem_lib.c (revision fe815331bb40604ba31312acf7e4619674631777)
1 /*
2  * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4  *
5  * Licensed under the OpenSSL license (the "License").  You may not use
6  * this file except in compliance with the License.  You can obtain a copy
7  * in the file LICENSE in the source distribution or at
8  * https://www.openssl.org/source/license.html
9  */
10 
11 #include <limits.h>
12 #include <string.h>
13 #include <stdio.h>
14 #include "../ssl_local.h"
15 #include "statem_local.h"
16 #include "internal/cryptlib.h"
17 #include <openssl/buffer.h>
18 #include <openssl/objects.h>
19 #include <openssl/evp.h>
20 #include <openssl/x509.h>
21 
22 /*
23  * Map error codes to TLS/SSL alart types.
24  */
25 typedef struct x509err2alert_st {
26     int x509err;
27     int alert;
28 } X509ERR2ALERT;
29 
30 /* Fixed value used in the ServerHello random field to identify an HRR */
31 const unsigned char hrrrandom[] = {
32     0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 0x02,
33     0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
34     0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c
35 };
36 
37 /*
38  * send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or
39  * SSL3_RT_CHANGE_CIPHER_SPEC)
40  */
41 int ssl3_do_write(SSL *s, int type)
42 {
43     int ret;
44     size_t written = 0;
45 
46     ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off],
47                            s->init_num, &written);
48     if (ret < 0)
49         return -1;
50     if (type == SSL3_RT_HANDSHAKE)
51         /*
52          * should not be done for 'Hello Request's, but in that case we'll
53          * ignore the result anyway
54          * TLS1.3 KeyUpdate and NewSessionTicket do not need to be added
55          */
56         if (!SSL_IS_TLS13(s) || (s->statem.hand_state != TLS_ST_SW_SESSION_TICKET
57                                  && s->statem.hand_state != TLS_ST_CW_KEY_UPDATE
58                                  && s->statem.hand_state != TLS_ST_SW_KEY_UPDATE))
59             if (!ssl3_finish_mac(s,
60                                  (unsigned char *)&s->init_buf->data[s->init_off],
61                                  written))
62                 return -1;
63     if (written == s->init_num) {
64         if (s->msg_callback)
65             s->msg_callback(1, s->version, type, s->init_buf->data,
66                             (size_t)(s->init_off + s->init_num), s,
67                             s->msg_callback_arg);
68         return 1;
69     }
70     s->init_off += written;
71     s->init_num -= written;
72     return 0;
73 }
74 
75 int tls_close_construct_packet(SSL *s, WPACKET *pkt, int htype)
76 {
77     size_t msglen;
78 
79     if ((htype != SSL3_MT_CHANGE_CIPHER_SPEC && !WPACKET_close(pkt))
80             || !WPACKET_get_length(pkt, &msglen)
81             || msglen > INT_MAX)
82         return 0;
83     s->init_num = (int)msglen;
84     s->init_off = 0;
85 
86     return 1;
87 }
88 
89 int tls_setup_handshake(SSL *s)
90 {
91     if (!ssl3_init_finished_mac(s)) {
92         /* SSLfatal() already called */
93         return 0;
94     }
95 
96     /* Reset any extension flags */
97     memset(s->ext.extflags, 0, sizeof(s->ext.extflags));
98 
99     if (s->server) {
100         STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(s);
101         int i, ver_min, ver_max, ok = 0;
102 
103         /*
104          * Sanity check that the maximum version we accept has ciphers
105          * enabled. For clients we do this check during construction of the
106          * ClientHello.
107          */
108         if (ssl_get_min_max_version(s, &ver_min, &ver_max, NULL) != 0) {
109             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_SETUP_HANDSHAKE,
110                      ERR_R_INTERNAL_ERROR);
111             return 0;
112         }
113         for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) {
114             const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
115 
116             if (SSL_IS_DTLS(s)) {
117                 if (DTLS_VERSION_GE(ver_max, c->min_dtls) &&
118                         DTLS_VERSION_LE(ver_max, c->max_dtls))
119                     ok = 1;
120             } else if (ver_max >= c->min_tls && ver_max <= c->max_tls) {
121                 ok = 1;
122             }
123             if (ok)
124                 break;
125         }
126         if (!ok) {
127             SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_SETUP_HANDSHAKE,
128                      SSL_R_NO_CIPHERS_AVAILABLE);
129             ERR_add_error_data(1, "No ciphers enabled for max supported "
130                                   "SSL/TLS version");
131             return 0;
132         }
133         if (SSL_IS_FIRST_HANDSHAKE(s)) {
134             /* N.B. s->session_ctx == s->ctx here */
135             tsan_counter(&s->session_ctx->stats.sess_accept);
136         } else {
137             /* N.B. s->ctx may not equal s->session_ctx */
138             tsan_counter(&s->ctx->stats.sess_accept_renegotiate);
139 
140             s->s3->tmp.cert_request = 0;
141         }
142     } else {
143         if (SSL_IS_FIRST_HANDSHAKE(s))
144             tsan_counter(&s->session_ctx->stats.sess_connect);
145         else
146             tsan_counter(&s->session_ctx->stats.sess_connect_renegotiate);
147 
148         /* mark client_random uninitialized */
149         memset(s->s3->client_random, 0, sizeof(s->s3->client_random));
150         s->hit = 0;
151 
152         s->s3->tmp.cert_req = 0;
153 
154         if (SSL_IS_DTLS(s))
155             s->statem.use_timer = 1;
156     }
157 
158     return 1;
159 }
160 
161 /*
162  * Size of the to-be-signed TLS13 data, without the hash size itself:
163  * 64 bytes of value 32, 33 context bytes, 1 byte separator
164  */
165 #define TLS13_TBS_START_SIZE            64
166 #define TLS13_TBS_PREAMBLE_SIZE         (TLS13_TBS_START_SIZE + 33 + 1)
167 
168 static int get_cert_verify_tbs_data(SSL *s, unsigned char *tls13tbs,
169                                     void **hdata, size_t *hdatalen)
170 {
171 #ifdef CHARSET_EBCDIC
172     static const char servercontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
173      0x33, 0x2c, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x43, 0x65,
174      0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
175      0x69, 0x66, 0x79, 0x00 };
176     static const char clientcontext[] = { 0x54, 0x4c, 0x53, 0x20, 0x31, 0x2e,
177      0x33, 0x2c, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x43, 0x65,
178      0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x56, 0x65, 0x72,
179      0x69, 0x66, 0x79, 0x00 };
180 #else
181     static const char servercontext[] = "TLS 1.3, server CertificateVerify";
182     static const char clientcontext[] = "TLS 1.3, client CertificateVerify";
183 #endif
184     if (SSL_IS_TLS13(s)) {
185         size_t hashlen;
186 
187         /* Set the first 64 bytes of to-be-signed data to octet 32 */
188         memset(tls13tbs, 32, TLS13_TBS_START_SIZE);
189         /* This copies the 33 bytes of context plus the 0 separator byte */
190         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
191                  || s->statem.hand_state == TLS_ST_SW_CERT_VRFY)
192             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, servercontext);
193         else
194             strcpy((char *)tls13tbs + TLS13_TBS_START_SIZE, clientcontext);
195 
196         /*
197          * If we're currently reading then we need to use the saved handshake
198          * hash value. We can't use the current handshake hash state because
199          * that includes the CertVerify itself.
200          */
201         if (s->statem.hand_state == TLS_ST_CR_CERT_VRFY
202                 || s->statem.hand_state == TLS_ST_SR_CERT_VRFY) {
203             memcpy(tls13tbs + TLS13_TBS_PREAMBLE_SIZE, s->cert_verify_hash,
204                    s->cert_verify_hash_len);
205             hashlen = s->cert_verify_hash_len;
206         } else if (!ssl_handshake_hash(s, tls13tbs + TLS13_TBS_PREAMBLE_SIZE,
207                                        EVP_MAX_MD_SIZE, &hashlen)) {
208             /* SSLfatal() already called */
209             return 0;
210         }
211 
212         *hdata = tls13tbs;
213         *hdatalen = TLS13_TBS_PREAMBLE_SIZE + hashlen;
214     } else {
215         size_t retlen;
216         long retlen_l;
217 
218         retlen = retlen_l = BIO_get_mem_data(s->s3->handshake_buffer, hdata);
219         if (retlen_l <= 0) {
220             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_GET_CERT_VERIFY_TBS_DATA,
221                      ERR_R_INTERNAL_ERROR);
222             return 0;
223         }
224         *hdatalen = retlen;
225     }
226 
227     return 1;
228 }
229 
230 int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
231 {
232     EVP_PKEY *pkey = NULL;
233     const EVP_MD *md = NULL;
234     EVP_MD_CTX *mctx = NULL;
235     EVP_PKEY_CTX *pctx = NULL;
236     size_t hdatalen = 0, siglen = 0;
237     void *hdata;
238     unsigned char *sig = NULL;
239     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
240     const SIGALG_LOOKUP *lu = s->s3->tmp.sigalg;
241 
242     if (lu == NULL || s->s3->tmp.cert == NULL) {
243         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
244                  ERR_R_INTERNAL_ERROR);
245         goto err;
246     }
247     pkey = s->s3->tmp.cert->privatekey;
248 
249     if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
250         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
251                  ERR_R_INTERNAL_ERROR);
252         goto err;
253     }
254 
255     mctx = EVP_MD_CTX_new();
256     if (mctx == NULL) {
257         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
258                  ERR_R_MALLOC_FAILURE);
259         goto err;
260     }
261 
262     /* Get the data to be signed */
263     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
264         /* SSLfatal() already called */
265         goto err;
266     }
267 
268     if (SSL_USE_SIGALGS(s) && !WPACKET_put_bytes_u16(pkt, lu->sigalg)) {
269         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
270                  ERR_R_INTERNAL_ERROR);
271         goto err;
272     }
273     siglen = EVP_PKEY_size(pkey);
274     sig = OPENSSL_malloc(siglen);
275     if (sig == NULL) {
276         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
277                  ERR_R_MALLOC_FAILURE);
278         goto err;
279     }
280 
281     if (EVP_DigestSignInit(mctx, &pctx, md, NULL, pkey) <= 0) {
282         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
283                  ERR_R_EVP_LIB);
284         goto err;
285     }
286 
287     if (lu->sig == EVP_PKEY_RSA_PSS) {
288         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
289             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
290                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
291             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
292                      ERR_R_EVP_LIB);
293             goto err;
294         }
295     }
296     if (s->version == SSL3_VERSION) {
297         if (EVP_DigestSignUpdate(mctx, hdata, hdatalen) <= 0
298             || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
299                                 (int)s->session->master_key_length,
300                                 s->session->master_key)
301             || EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) {
302 
303             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
304                      ERR_R_EVP_LIB);
305             goto err;
306         }
307     } else if (EVP_DigestSign(mctx, sig, &siglen, hdata, hdatalen) <= 0) {
308         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
309                  ERR_R_EVP_LIB);
310         goto err;
311     }
312 
313 #ifndef OPENSSL_NO_GOST
314     {
315         int pktype = lu->sig;
316 
317         if (pktype == NID_id_GostR3410_2001
318             || pktype == NID_id_GostR3410_2012_256
319             || pktype == NID_id_GostR3410_2012_512)
320             BUF_reverse(sig, NULL, siglen);
321     }
322 #endif
323 
324     if (!WPACKET_sub_memcpy_u16(pkt, sig, siglen)) {
325         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
326                  ERR_R_INTERNAL_ERROR);
327         goto err;
328     }
329 
330     /* Digest cached records and discard handshake buffer */
331     if (!ssl3_digest_cached_records(s, 0)) {
332         /* SSLfatal() already called */
333         goto err;
334     }
335 
336     OPENSSL_free(sig);
337     EVP_MD_CTX_free(mctx);
338     return 1;
339  err:
340     OPENSSL_free(sig);
341     EVP_MD_CTX_free(mctx);
342     return 0;
343 }
344 
345 MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
346 {
347     EVP_PKEY *pkey = NULL;
348     const unsigned char *data;
349 #ifndef OPENSSL_NO_GOST
350     unsigned char *gost_data = NULL;
351 #endif
352     MSG_PROCESS_RETURN ret = MSG_PROCESS_ERROR;
353     int j;
354     unsigned int len;
355     X509 *peer;
356     const EVP_MD *md = NULL;
357     size_t hdatalen = 0;
358     void *hdata;
359     unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
360     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
361     EVP_PKEY_CTX *pctx = NULL;
362 
363     if (mctx == NULL) {
364         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
365                  ERR_R_MALLOC_FAILURE);
366         goto err;
367     }
368 
369     peer = s->session->peer;
370     pkey = X509_get0_pubkey(peer);
371     if (pkey == NULL) {
372         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
373                  ERR_R_INTERNAL_ERROR);
374         goto err;
375     }
376 
377     if (ssl_cert_lookup_by_pkey(pkey, NULL) == NULL) {
378         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_CERT_VERIFY,
379                  SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE);
380         goto err;
381     }
382 
383     if (SSL_USE_SIGALGS(s)) {
384         unsigned int sigalg;
385 
386         if (!PACKET_get_net_2(pkt, &sigalg)) {
387             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
388                      SSL_R_BAD_PACKET);
389             goto err;
390         }
391         if (tls12_check_peer_sigalg(s, sigalg, pkey) <= 0) {
392             /* SSLfatal() already called */
393             goto err;
394         }
395     } else if (!tls1_set_peer_legacy_sigalg(s, pkey)) {
396             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
397                      ERR_R_INTERNAL_ERROR);
398             goto err;
399     }
400 
401     if (!tls1_lookup_md(s->s3->tmp.peer_sigalg, &md)) {
402         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
403                  ERR_R_INTERNAL_ERROR);
404         goto err;
405     }
406 
407 #ifdef SSL_DEBUG
408     if (SSL_USE_SIGALGS(s))
409         fprintf(stderr, "USING TLSv1.2 HASH %s\n",
410                 md == NULL ? "n/a" : EVP_MD_name(md));
411 #endif
412 
413     /* Check for broken implementations of GOST ciphersuites */
414     /*
415      * If key is GOST and len is exactly 64 or 128, it is signature without
416      * length field (CryptoPro implementations at least till TLS 1.2)
417      */
418 #ifndef OPENSSL_NO_GOST
419     if (!SSL_USE_SIGALGS(s)
420         && ((PACKET_remaining(pkt) == 64
421              && (EVP_PKEY_id(pkey) == NID_id_GostR3410_2001
422                  || EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_256))
423             || (PACKET_remaining(pkt) == 128
424                 && EVP_PKEY_id(pkey) == NID_id_GostR3410_2012_512))) {
425         len = PACKET_remaining(pkt);
426     } else
427 #endif
428     if (!PACKET_get_net_2(pkt, &len)) {
429         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
430                  SSL_R_LENGTH_MISMATCH);
431         goto err;
432     }
433 
434     j = EVP_PKEY_size(pkey);
435     if (((int)len > j) || ((int)PACKET_remaining(pkt) > j)
436         || (PACKET_remaining(pkt) == 0)) {
437         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
438                  SSL_R_WRONG_SIGNATURE_SIZE);
439         goto err;
440     }
441     if (!PACKET_get_bytes(pkt, &data, len)) {
442         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
443                  SSL_R_LENGTH_MISMATCH);
444         goto err;
445     }
446 
447     if (!get_cert_verify_tbs_data(s, tls13tbs, &hdata, &hdatalen)) {
448         /* SSLfatal() already called */
449         goto err;
450     }
451 
452 #ifdef SSL_DEBUG
453     fprintf(stderr, "Using client verify alg %s\n",
454             md == NULL ? "n/a" : EVP_MD_name(md));
455 #endif
456     if (EVP_DigestVerifyInit(mctx, &pctx, md, NULL, pkey) <= 0) {
457         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
458                  ERR_R_EVP_LIB);
459         goto err;
460     }
461 #ifndef OPENSSL_NO_GOST
462     {
463         int pktype = EVP_PKEY_id(pkey);
464         if (pktype == NID_id_GostR3410_2001
465             || pktype == NID_id_GostR3410_2012_256
466             || pktype == NID_id_GostR3410_2012_512) {
467             if ((gost_data = OPENSSL_malloc(len)) == NULL) {
468                 SSLfatal(s, SSL_AD_INTERNAL_ERROR,
469                          SSL_F_TLS_PROCESS_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
470                 goto err;
471             }
472             BUF_reverse(gost_data, data, len);
473             data = gost_data;
474         }
475     }
476 #endif
477 
478     if (SSL_USE_PSS(s)) {
479         if (EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) <= 0
480             || EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx,
481                                                 RSA_PSS_SALTLEN_DIGEST) <= 0) {
482             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
483                      ERR_R_EVP_LIB);
484             goto err;
485         }
486     }
487     if (s->version == SSL3_VERSION) {
488         if (EVP_DigestVerifyUpdate(mctx, hdata, hdatalen) <= 0
489                 || !EVP_MD_CTX_ctrl(mctx, EVP_CTRL_SSL3_MASTER_SECRET,
490                                     (int)s->session->master_key_length,
491                                     s->session->master_key)) {
492             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
493                      ERR_R_EVP_LIB);
494             goto err;
495         }
496         if (EVP_DigestVerifyFinal(mctx, data, len) <= 0) {
497             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
498                      SSL_R_BAD_SIGNATURE);
499             goto err;
500         }
501     } else {
502         j = EVP_DigestVerify(mctx, data, len, hdata, hdatalen);
503         if (j <= 0) {
504             SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
505                      SSL_R_BAD_SIGNATURE);
506             goto err;
507         }
508     }
509 
510     /*
511      * In TLSv1.3 on the client side we make sure we prepare the client
512      * certificate after the CertVerify instead of when we get the
513      * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
514      * comes *before* the Certificate message. In TLSv1.2 it comes after. We
515      * want to make sure that SSL_get_peer_certificate() will return the actual
516      * server certificate from the client_cert_cb callback.
517      */
518     if (!s->server && SSL_IS_TLS13(s) && s->s3->tmp.cert_req == 1)
519         ret = MSG_PROCESS_CONTINUE_PROCESSING;
520     else
521         ret = MSG_PROCESS_CONTINUE_READING;
522  err:
523     BIO_free(s->s3->handshake_buffer);
524     s->s3->handshake_buffer = NULL;
525     EVP_MD_CTX_free(mctx);
526 #ifndef OPENSSL_NO_GOST
527     OPENSSL_free(gost_data);
528 #endif
529     return ret;
530 }
531 
532 int tls_construct_finished(SSL *s, WPACKET *pkt)
533 {
534     size_t finish_md_len;
535     const char *sender;
536     size_t slen;
537 
538     /* This is a real handshake so make sure we clean it up at the end */
539     if (!s->server && s->post_handshake_auth != SSL_PHA_REQUESTED)
540         s->statem.cleanuphand = 1;
541 
542     /*
543      * We only change the keys if we didn't already do this when we sent the
544      * client certificate
545      */
546     if (SSL_IS_TLS13(s)
547             && !s->server
548             && s->s3->tmp.cert_req == 0
549             && (!s->method->ssl3_enc->change_cipher_state(s,
550                     SSL3_CC_HANDSHAKE | SSL3_CHANGE_CIPHER_CLIENT_WRITE))) {;
551         /* SSLfatal() already called */
552         return 0;
553     }
554 
555     if (s->server) {
556         sender = s->method->ssl3_enc->server_finished_label;
557         slen = s->method->ssl3_enc->server_finished_label_len;
558     } else {
559         sender = s->method->ssl3_enc->client_finished_label;
560         slen = s->method->ssl3_enc->client_finished_label_len;
561     }
562 
563     finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
564                                                           sender, slen,
565                                                           s->s3->tmp.finish_md);
566     if (finish_md_len == 0) {
567         /* SSLfatal() already called */
568         return 0;
569     }
570 
571     s->s3->tmp.finish_md_len = finish_md_len;
572 
573     if (!WPACKET_memcpy(pkt, s->s3->tmp.finish_md, finish_md_len)) {
574         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
575                  ERR_R_INTERNAL_ERROR);
576         return 0;
577     }
578 
579     /*
580      * Log the master secret, if logging is enabled. We don't log it for
581      * TLSv1.3: there's a different key schedule for that.
582      */
583     if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
584                                             s->session->master_key,
585                                             s->session->master_key_length)) {
586         /* SSLfatal() already called */
587         return 0;
588     }
589 
590     /*
591      * Copy the finished so we can use it for renegotiation checks
592      */
593     if (!ossl_assert(finish_md_len <= EVP_MAX_MD_SIZE)) {
594         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_FINISHED,
595                  ERR_R_INTERNAL_ERROR);
596         return 0;
597     }
598     if (!s->server) {
599         memcpy(s->s3->previous_client_finished, s->s3->tmp.finish_md,
600                finish_md_len);
601         s->s3->previous_client_finished_len = finish_md_len;
602     } else {
603         memcpy(s->s3->previous_server_finished, s->s3->tmp.finish_md,
604                finish_md_len);
605         s->s3->previous_server_finished_len = finish_md_len;
606     }
607 
608     return 1;
609 }
610 
611 int tls_construct_key_update(SSL *s, WPACKET *pkt)
612 {
613     if (!WPACKET_put_bytes_u8(pkt, s->key_update)) {
614         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_KEY_UPDATE,
615                  ERR_R_INTERNAL_ERROR);
616         return 0;
617     }
618 
619     s->key_update = SSL_KEY_UPDATE_NONE;
620     return 1;
621 }
622 
623 MSG_PROCESS_RETURN tls_process_key_update(SSL *s, PACKET *pkt)
624 {
625     unsigned int updatetype;
626 
627     /*
628      * A KeyUpdate message signals a key change so the end of the message must
629      * be on a record boundary.
630      */
631     if (RECORD_LAYER_processed_read_pending(&s->rlayer)) {
632         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_KEY_UPDATE,
633                  SSL_R_NOT_ON_RECORD_BOUNDARY);
634         return MSG_PROCESS_ERROR;
635     }
636 
637     if (!PACKET_get_1(pkt, &updatetype)
638             || PACKET_remaining(pkt) != 0) {
639         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_KEY_UPDATE,
640                  SSL_R_BAD_KEY_UPDATE);
641         return MSG_PROCESS_ERROR;
642     }
643 
644     /*
645      * There are only two defined key update types. Fail if we get a value we
646      * didn't recognise.
647      */
648     if (updatetype != SSL_KEY_UPDATE_NOT_REQUESTED
649             && updatetype != SSL_KEY_UPDATE_REQUESTED) {
650         SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_PROCESS_KEY_UPDATE,
651                  SSL_R_BAD_KEY_UPDATE);
652         return MSG_PROCESS_ERROR;
653     }
654 
655     /*
656      * If we get a request for us to update our sending keys too then, we need
657      * to additionally send a KeyUpdate message. However that message should
658      * not also request an update (otherwise we get into an infinite loop).
659      */
660     if (updatetype == SSL_KEY_UPDATE_REQUESTED)
661         s->key_update = SSL_KEY_UPDATE_NOT_REQUESTED;
662 
663     if (!tls13_update_key(s, 0)) {
664         /* SSLfatal() already called */
665         return MSG_PROCESS_ERROR;
666     }
667 
668     return MSG_PROCESS_FINISHED_READING;
669 }
670 
671 /*
672  * ssl3_take_mac calculates the Finished MAC for the handshakes messages seen
673  * to far.
674  */
675 int ssl3_take_mac(SSL *s)
676 {
677     const char *sender;
678     size_t slen;
679 
680     if (!s->server) {
681         sender = s->method->ssl3_enc->server_finished_label;
682         slen = s->method->ssl3_enc->server_finished_label_len;
683     } else {
684         sender = s->method->ssl3_enc->client_finished_label;
685         slen = s->method->ssl3_enc->client_finished_label_len;
686     }
687 
688     s->s3->tmp.peer_finish_md_len =
689         s->method->ssl3_enc->final_finish_mac(s, sender, slen,
690                                               s->s3->tmp.peer_finish_md);
691 
692     if (s->s3->tmp.peer_finish_md_len == 0) {
693         /* SSLfatal() already called */
694         return 0;
695     }
696 
697     return 1;
698 }
699 
700 MSG_PROCESS_RETURN tls_process_change_cipher_spec(SSL *s, PACKET *pkt)
701 {
702     size_t remain;
703 
704     remain = PACKET_remaining(pkt);
705     /*
706      * 'Change Cipher Spec' is just a single byte, which should already have
707      * been consumed by ssl_get_message() so there should be no bytes left,
708      * unless we're using DTLS1_BAD_VER, which has an extra 2 bytes
709      */
710     if (SSL_IS_DTLS(s)) {
711         if ((s->version == DTLS1_BAD_VER
712              && remain != DTLS1_CCS_HEADER_LENGTH + 1)
713             || (s->version != DTLS1_BAD_VER
714                 && remain != DTLS1_CCS_HEADER_LENGTH - 1)) {
715             SSLfatal(s, SSL_AD_DECODE_ERROR,
716                      SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
717                     SSL_R_BAD_CHANGE_CIPHER_SPEC);
718             return MSG_PROCESS_ERROR;
719         }
720     } else {
721         if (remain != 0) {
722             SSLfatal(s, SSL_AD_DECODE_ERROR,
723                      SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
724                      SSL_R_BAD_CHANGE_CIPHER_SPEC);
725             return MSG_PROCESS_ERROR;
726         }
727     }
728 
729     /* Check we have a cipher to change to */
730     if (s->s3->tmp.new_cipher == NULL) {
731         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
732                  SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC, SSL_R_CCS_RECEIVED_EARLY);
733         return MSG_PROCESS_ERROR;
734     }
735 
736     s->s3->change_cipher_spec = 1;
737     if (!ssl3_do_change_cipher_spec(s)) {
738         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CHANGE_CIPHER_SPEC,
739                  ERR_R_INTERNAL_ERROR);
740         return MSG_PROCESS_ERROR;
741     }
742 
743     if (SSL_IS_DTLS(s)) {
744         dtls1_reset_seq_numbers(s, SSL3_CC_READ);
745 
746         if (s->version == DTLS1_BAD_VER)
747             s->d1->handshake_read_seq++;
748 
749 #ifndef OPENSSL_NO_SCTP
750         /*
751          * Remember that a CCS has been received, so that an old key of
752          * SCTP-Auth can be deleted when a CCS is sent. Will be ignored if no
753          * SCTP is used
754          */
755         BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_AUTH_CCS_RCVD, 1, NULL);
756 #endif
757     }
758 
759     return MSG_PROCESS_CONTINUE_READING;
760 }
761 
762 MSG_PROCESS_RETURN tls_process_finished(SSL *s, PACKET *pkt)
763 {
764     size_t md_len;
765 
766 
767     /* This is a real handshake so make sure we clean it up at the end */
768     if (s->server) {
769         /*
770         * To get this far we must have read encrypted data from the client. We
771         * no longer tolerate unencrypted alerts. This value is ignored if less
772         * than TLSv1.3
773         */
774         s->statem.enc_read_state = ENC_READ_STATE_VALID;
775         if (s->post_handshake_auth != SSL_PHA_REQUESTED)
776             s->statem.cleanuphand = 1;
777         if (SSL_IS_TLS13(s) && !tls13_save_handshake_digest_for_pha(s)) {
778                 /* SSLfatal() already called */
779                 return MSG_PROCESS_ERROR;
780         }
781     }
782 
783     /*
784      * In TLSv1.3 a Finished message signals a key change so the end of the
785      * message must be on a record boundary.
786      */
787     if (SSL_IS_TLS13(s) && RECORD_LAYER_processed_read_pending(&s->rlayer)) {
788         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
789                  SSL_R_NOT_ON_RECORD_BOUNDARY);
790         return MSG_PROCESS_ERROR;
791     }
792 
793     /* If this occurs, we have missed a message */
794     if (!SSL_IS_TLS13(s) && !s->s3->change_cipher_spec) {
795         SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_TLS_PROCESS_FINISHED,
796                  SSL_R_GOT_A_FIN_BEFORE_A_CCS);
797         return MSG_PROCESS_ERROR;
798     }
799     s->s3->change_cipher_spec = 0;
800 
801     md_len = s->s3->tmp.peer_finish_md_len;
802 
803     if (md_len != PACKET_remaining(pkt)) {
804         SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_FINISHED,
805                  SSL_R_BAD_DIGEST_LENGTH);
806         return MSG_PROCESS_ERROR;
807     }
808 
809     if (CRYPTO_memcmp(PACKET_data(pkt), s->s3->tmp.peer_finish_md,
810                       md_len) != 0) {
811         SSLfatal(s, SSL_AD_DECRYPT_ERROR, SSL_F_TLS_PROCESS_FINISHED,
812                  SSL_R_DIGEST_CHECK_FAILED);
813         return MSG_PROCESS_ERROR;
814     }
815 
816     /*
817      * Copy the finished so we can use it for renegotiation checks
818      */
819     if (!ossl_assert(md_len <= EVP_MAX_MD_SIZE)) {
820         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_FINISHED,
821                  ERR_R_INTERNAL_ERROR);
822         return MSG_PROCESS_ERROR;
823     }
824     if (s->server) {
825         memcpy(s->s3->previous_client_finished, s->s3->tmp.peer_finish_md,
826                md_len);
827         s->s3->previous_client_finished_len = md_len;
828     } else {
829         memcpy(s->s3->previous_server_finished, s->s3->tmp.peer_finish_md,
830                md_len);
831         s->s3->previous_server_finished_len = md_len;
832     }
833 
834     /*
835      * In TLS1.3 we also have to change cipher state and do any final processing
836      * of the initial server flight (if we are a client)
837      */
838     if (SSL_IS_TLS13(s)) {
839         if (s->server) {
840             if (s->post_handshake_auth != SSL_PHA_REQUESTED &&
841                     !s->method->ssl3_enc->change_cipher_state(s,
842                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_SERVER_READ)) {
843                 /* SSLfatal() already called */
844                 return MSG_PROCESS_ERROR;
845             }
846         } else {
847             /* TLS 1.3 gets the secret size from the handshake md */
848             size_t dummy;
849             if (!s->method->ssl3_enc->generate_master_secret(s,
850                     s->master_secret, s->handshake_secret, 0,
851                     &dummy)) {
852                 /* SSLfatal() already called */
853                 return MSG_PROCESS_ERROR;
854             }
855             if (!s->method->ssl3_enc->change_cipher_state(s,
856                     SSL3_CC_APPLICATION | SSL3_CHANGE_CIPHER_CLIENT_READ)) {
857                 /* SSLfatal() already called */
858                 return MSG_PROCESS_ERROR;
859             }
860             if (!tls_process_initial_server_flight(s)) {
861                 /* SSLfatal() already called */
862                 return MSG_PROCESS_ERROR;
863             }
864         }
865     }
866 
867     return MSG_PROCESS_FINISHED_READING;
868 }
869 
870 int tls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
871 {
872     if (!WPACKET_put_bytes_u8(pkt, SSL3_MT_CCS)) {
873         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
874                  SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
875         return 0;
876     }
877 
878     return 1;
879 }
880 
881 /* Add a certificate to the WPACKET */
882 static int ssl_add_cert_to_wpacket(SSL *s, WPACKET *pkt, X509 *x, int chain)
883 {
884     int len;
885     unsigned char *outbytes;
886 
887     len = i2d_X509(x, NULL);
888     if (len < 0) {
889         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
890                  ERR_R_BUF_LIB);
891         return 0;
892     }
893     if (!WPACKET_sub_allocate_bytes_u24(pkt, len, &outbytes)
894             || i2d_X509(x, &outbytes) != len) {
895         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_TO_WPACKET,
896                  ERR_R_INTERNAL_ERROR);
897         return 0;
898     }
899 
900     if (SSL_IS_TLS13(s)
901             && !tls_construct_extensions(s, pkt, SSL_EXT_TLS1_3_CERTIFICATE, x,
902                                          chain)) {
903         /* SSLfatal() already called */
904         return 0;
905     }
906 
907     return 1;
908 }
909 
910 /* Add certificate chain to provided WPACKET */
911 static int ssl_add_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
912 {
913     int i, chain_count;
914     X509 *x;
915     STACK_OF(X509) *extra_certs;
916     STACK_OF(X509) *chain = NULL;
917     X509_STORE *chain_store;
918 
919     if (cpk == NULL || cpk->x509 == NULL)
920         return 1;
921 
922     x = cpk->x509;
923 
924     /*
925      * If we have a certificate specific chain use it, else use parent ctx.
926      */
927     if (cpk->chain != NULL)
928         extra_certs = cpk->chain;
929     else
930         extra_certs = s->ctx->extra_certs;
931 
932     if ((s->mode & SSL_MODE_NO_AUTO_CHAIN) || extra_certs)
933         chain_store = NULL;
934     else if (s->cert->chain_store)
935         chain_store = s->cert->chain_store;
936     else
937         chain_store = s->ctx->cert_store;
938 
939     if (chain_store != NULL) {
940         X509_STORE_CTX *xs_ctx = X509_STORE_CTX_new();
941 
942         if (xs_ctx == NULL) {
943             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
944                      ERR_R_MALLOC_FAILURE);
945             return 0;
946         }
947         if (!X509_STORE_CTX_init(xs_ctx, chain_store, x, NULL)) {
948             X509_STORE_CTX_free(xs_ctx);
949             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN,
950                      ERR_R_X509_LIB);
951             return 0;
952         }
953         /*
954          * It is valid for the chain not to be complete (because normally we
955          * don't include the root cert in the chain). Therefore we deliberately
956          * ignore the error return from this call. We're not actually verifying
957          * the cert - we're just building as much of the chain as we can
958          */
959         (void)X509_verify_cert(xs_ctx);
960         /* Don't leave errors in the queue */
961         ERR_clear_error();
962         chain = X509_STORE_CTX_get0_chain(xs_ctx);
963         i = ssl_security_cert_chain(s, chain, NULL, 0);
964         if (i != 1) {
965 #if 0
966             /* Dummy error calls so mkerr generates them */
967             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_EE_KEY_TOO_SMALL);
968             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_KEY_TOO_SMALL);
969             SSLerr(SSL_F_SSL_ADD_CERT_CHAIN, SSL_R_CA_MD_TOO_WEAK);
970 #endif
971             X509_STORE_CTX_free(xs_ctx);
972             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
973             return 0;
974         }
975         chain_count = sk_X509_num(chain);
976         for (i = 0; i < chain_count; i++) {
977             x = sk_X509_value(chain, i);
978 
979             if (!ssl_add_cert_to_wpacket(s, pkt, x, i)) {
980                 /* SSLfatal() already called */
981                 X509_STORE_CTX_free(xs_ctx);
982                 return 0;
983             }
984         }
985         X509_STORE_CTX_free(xs_ctx);
986     } else {
987         i = ssl_security_cert_chain(s, extra_certs, x, 0);
988         if (i != 1) {
989             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL_ADD_CERT_CHAIN, i);
990             return 0;
991         }
992         if (!ssl_add_cert_to_wpacket(s, pkt, x, 0)) {
993             /* SSLfatal() already called */
994             return 0;
995         }
996         for (i = 0; i < sk_X509_num(extra_certs); i++) {
997             x = sk_X509_value(extra_certs, i);
998             if (!ssl_add_cert_to_wpacket(s, pkt, x, i + 1)) {
999                 /* SSLfatal() already called */
1000                 return 0;
1001             }
1002         }
1003     }
1004     return 1;
1005 }
1006 
1007 unsigned long ssl3_output_cert_chain(SSL *s, WPACKET *pkt, CERT_PKEY *cpk)
1008 {
1009     if (!WPACKET_start_sub_packet_u24(pkt)) {
1010         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1011                  ERR_R_INTERNAL_ERROR);
1012         return 0;
1013     }
1014 
1015     if (!ssl_add_cert_chain(s, pkt, cpk))
1016         return 0;
1017 
1018     if (!WPACKET_close(pkt)) {
1019         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_OUTPUT_CERT_CHAIN,
1020                  ERR_R_INTERNAL_ERROR);
1021         return 0;
1022     }
1023 
1024     return 1;
1025 }
1026 
1027 /*
1028  * Tidy up after the end of a handshake. In the case of SCTP this may result
1029  * in NBIO events. If |clearbufs| is set then init_buf and the wbio buffer is
1030  * freed up as well.
1031  */
1032 WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, int clearbufs, int stop)
1033 {
1034     void (*cb) (const SSL *ssl, int type, int val) = NULL;
1035     int cleanuphand = s->statem.cleanuphand;
1036 
1037     if (clearbufs) {
1038         if (!SSL_IS_DTLS(s)
1039 #ifndef OPENSSL_NO_SCTP
1040             /*
1041              * RFC6083: SCTP provides a reliable and in-sequence transport service for DTLS
1042              * messages that require it. Therefore, DTLS procedures for retransmissions
1043              * MUST NOT be used.
1044              * Hence the init_buf can be cleared when DTLS over SCTP as transport is used.
1045              */
1046             || BIO_dgram_is_sctp(SSL_get_wbio(s))
1047 #endif
1048             ) {
1049             /*
1050              * We don't do this in DTLS over UDP because we may still need the init_buf
1051              * in case there are any unexpected retransmits
1052              */
1053             BUF_MEM_free(s->init_buf);
1054             s->init_buf = NULL;
1055         }
1056 
1057         if (!ssl_free_wbio_buffer(s)) {
1058             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_FINISH_HANDSHAKE,
1059                      ERR_R_INTERNAL_ERROR);
1060             return WORK_ERROR;
1061         }
1062         s->init_num = 0;
1063     }
1064 
1065     if (SSL_IS_TLS13(s) && !s->server
1066             && s->post_handshake_auth == SSL_PHA_REQUESTED)
1067         s->post_handshake_auth = SSL_PHA_EXT_SENT;
1068 
1069     /*
1070      * Only set if there was a Finished message and this isn't after a TLSv1.3
1071      * post handshake exchange
1072      */
1073     if (cleanuphand) {
1074         /* skipped if we just sent a HelloRequest */
1075         s->renegotiate = 0;
1076         s->new_session = 0;
1077         s->statem.cleanuphand = 0;
1078         s->ext.ticket_expected = 0;
1079 
1080         ssl3_cleanup_key_block(s);
1081 
1082         if (s->server) {
1083             /*
1084              * In TLSv1.3 we update the cache as part of constructing the
1085              * NewSessionTicket
1086              */
1087             if (!SSL_IS_TLS13(s))
1088                 ssl_update_cache(s, SSL_SESS_CACHE_SERVER);
1089 
1090             /* N.B. s->ctx may not equal s->session_ctx */
1091             tsan_counter(&s->ctx->stats.sess_accept_good);
1092             s->handshake_func = ossl_statem_accept;
1093         } else {
1094             if (SSL_IS_TLS13(s)) {
1095                 /*
1096                  * We encourage applications to only use TLSv1.3 tickets once,
1097                  * so we remove this one from the cache.
1098                  */
1099                 if ((s->session_ctx->session_cache_mode
1100                      & SSL_SESS_CACHE_CLIENT) != 0)
1101                     SSL_CTX_remove_session(s->session_ctx, s->session);
1102             } else {
1103                 /*
1104                  * In TLSv1.3 we update the cache as part of processing the
1105                  * NewSessionTicket
1106                  */
1107                 ssl_update_cache(s, SSL_SESS_CACHE_CLIENT);
1108             }
1109             if (s->hit)
1110                 tsan_counter(&s->session_ctx->stats.sess_hit);
1111 
1112             s->handshake_func = ossl_statem_connect;
1113             tsan_counter(&s->session_ctx->stats.sess_connect_good);
1114         }
1115 
1116         if (SSL_IS_DTLS(s)) {
1117             /* done with handshaking */
1118             s->d1->handshake_read_seq = 0;
1119             s->d1->handshake_write_seq = 0;
1120             s->d1->next_handshake_write_seq = 0;
1121             dtls1_clear_received_buffer(s);
1122         }
1123     }
1124 
1125     if (s->info_callback != NULL)
1126         cb = s->info_callback;
1127     else if (s->ctx->info_callback != NULL)
1128         cb = s->ctx->info_callback;
1129 
1130     /* The callback may expect us to not be in init at handshake done */
1131     ossl_statem_set_in_init(s, 0);
1132 
1133     if (cb != NULL) {
1134         if (cleanuphand
1135                 || !SSL_IS_TLS13(s)
1136                 || SSL_IS_FIRST_HANDSHAKE(s))
1137             cb(s, SSL_CB_HANDSHAKE_DONE, 1);
1138     }
1139 
1140     if (!stop) {
1141         /* If we've got more work to do we go back into init */
1142         ossl_statem_set_in_init(s, 1);
1143         return WORK_FINISHED_CONTINUE;
1144     }
1145 
1146     return WORK_FINISHED_STOP;
1147 }
1148 
1149 int tls_get_message_header(SSL *s, int *mt)
1150 {
1151     /* s->init_num < SSL3_HM_HEADER_LENGTH */
1152     int skip_message, i, recvd_type;
1153     unsigned char *p;
1154     size_t l, readbytes;
1155 
1156     p = (unsigned char *)s->init_buf->data;
1157 
1158     do {
1159         while (s->init_num < SSL3_HM_HEADER_LENGTH) {
1160             i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &recvd_type,
1161                                           &p[s->init_num],
1162                                           SSL3_HM_HEADER_LENGTH - s->init_num,
1163                                           0, &readbytes);
1164             if (i <= 0) {
1165                 s->rwstate = SSL_READING;
1166                 return 0;
1167             }
1168             if (recvd_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
1169                 /*
1170                  * A ChangeCipherSpec must be a single byte and may not occur
1171                  * in the middle of a handshake message.
1172                  */
1173                 if (s->init_num != 0 || readbytes != 1 || p[0] != SSL3_MT_CCS) {
1174                     SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1175                              SSL_F_TLS_GET_MESSAGE_HEADER,
1176                              SSL_R_BAD_CHANGE_CIPHER_SPEC);
1177                     return 0;
1178                 }
1179                 if (s->statem.hand_state == TLS_ST_BEFORE
1180                         && (s->s3->flags & TLS1_FLAGS_STATELESS) != 0) {
1181                     /*
1182                      * We are stateless and we received a CCS. Probably this is
1183                      * from a client between the first and second ClientHellos.
1184                      * We should ignore this, but return an error because we do
1185                      * not return success until we see the second ClientHello
1186                      * with a valid cookie.
1187                      */
1188                     return 0;
1189                 }
1190                 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
1191                 s->init_num = readbytes - 1;
1192                 s->init_msg = s->init_buf->data;
1193                 s->s3->tmp.message_size = readbytes;
1194                 return 1;
1195             } else if (recvd_type != SSL3_RT_HANDSHAKE) {
1196                 SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE,
1197                          SSL_F_TLS_GET_MESSAGE_HEADER,
1198                          SSL_R_CCS_RECEIVED_EARLY);
1199                 return 0;
1200             }
1201             s->init_num += readbytes;
1202         }
1203 
1204         skip_message = 0;
1205         if (!s->server)
1206             if (s->statem.hand_state != TLS_ST_OK
1207                     && p[0] == SSL3_MT_HELLO_REQUEST)
1208                 /*
1209                  * The server may always send 'Hello Request' messages --
1210                  * we are doing a handshake anyway now, so ignore them if
1211                  * their format is correct. Does not count for 'Finished'
1212                  * MAC.
1213                  */
1214                 if (p[1] == 0 && p[2] == 0 && p[3] == 0) {
1215                     s->init_num = 0;
1216                     skip_message = 1;
1217 
1218                     if (s->msg_callback)
1219                         s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE,
1220                                         p, SSL3_HM_HEADER_LENGTH, s,
1221                                         s->msg_callback_arg);
1222                 }
1223     } while (skip_message);
1224     /* s->init_num == SSL3_HM_HEADER_LENGTH */
1225 
1226     *mt = *p;
1227     s->s3->tmp.message_type = *(p++);
1228 
1229     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1230         /*
1231          * Only happens with SSLv3+ in an SSLv2 backward compatible
1232          * ClientHello
1233          *
1234          * Total message size is the remaining record bytes to read
1235          * plus the SSL3_HM_HEADER_LENGTH bytes that we already read
1236          */
1237         l = RECORD_LAYER_get_rrec_length(&s->rlayer)
1238             + SSL3_HM_HEADER_LENGTH;
1239         s->s3->tmp.message_size = l;
1240 
1241         s->init_msg = s->init_buf->data;
1242         s->init_num = SSL3_HM_HEADER_LENGTH;
1243     } else {
1244         n2l3(p, l);
1245         /* BUF_MEM_grow takes an 'int' parameter */
1246         if (l > (INT_MAX - SSL3_HM_HEADER_LENGTH)) {
1247             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_F_TLS_GET_MESSAGE_HEADER,
1248                      SSL_R_EXCESSIVE_MESSAGE_SIZE);
1249             return 0;
1250         }
1251         s->s3->tmp.message_size = l;
1252 
1253         s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH;
1254         s->init_num = 0;
1255     }
1256 
1257     return 1;
1258 }
1259 
1260 int tls_get_message_body(SSL *s, size_t *len)
1261 {
1262     size_t n, readbytes;
1263     unsigned char *p;
1264     int i;
1265 
1266     if (s->s3->tmp.message_type == SSL3_MT_CHANGE_CIPHER_SPEC) {
1267         /* We've already read everything in */
1268         *len = (unsigned long)s->init_num;
1269         return 1;
1270     }
1271 
1272     p = s->init_msg;
1273     n = s->s3->tmp.message_size - s->init_num;
1274     while (n > 0) {
1275         i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, NULL,
1276                                       &p[s->init_num], n, 0, &readbytes);
1277         if (i <= 0) {
1278             s->rwstate = SSL_READING;
1279             *len = 0;
1280             return 0;
1281         }
1282         s->init_num += readbytes;
1283         n -= readbytes;
1284     }
1285 
1286     /*
1287      * If receiving Finished, record MAC of prior handshake messages for
1288      * Finished verification.
1289      */
1290     if (*(s->init_buf->data) == SSL3_MT_FINISHED && !ssl3_take_mac(s)) {
1291         /* SSLfatal() already called */
1292         *len = 0;
1293         return 0;
1294     }
1295 
1296     /* Feed this message into MAC computation. */
1297     if (RECORD_LAYER_is_sslv2_record(&s->rlayer)) {
1298         if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1299                              s->init_num)) {
1300             /* SSLfatal() already called */
1301             *len = 0;
1302             return 0;
1303         }
1304         if (s->msg_callback)
1305             s->msg_callback(0, SSL2_VERSION, 0, s->init_buf->data,
1306                             (size_t)s->init_num, s, s->msg_callback_arg);
1307     } else {
1308         /*
1309          * We defer feeding in the HRR until later. We'll do it as part of
1310          * processing the message
1311          * The TLsv1.3 handshake transcript stops at the ClientFinished
1312          * message.
1313          */
1314 #define SERVER_HELLO_RANDOM_OFFSET  (SSL3_HM_HEADER_LENGTH + 2)
1315         /* KeyUpdate and NewSessionTicket do not need to be added */
1316         if (!SSL_IS_TLS13(s) || (s->s3->tmp.message_type != SSL3_MT_NEWSESSION_TICKET
1317                                  && s->s3->tmp.message_type != SSL3_MT_KEY_UPDATE)) {
1318             if (s->s3->tmp.message_type != SSL3_MT_SERVER_HELLO
1319                     || s->init_num < SERVER_HELLO_RANDOM_OFFSET + SSL3_RANDOM_SIZE
1320                     || memcmp(hrrrandom,
1321                               s->init_buf->data + SERVER_HELLO_RANDOM_OFFSET,
1322                               SSL3_RANDOM_SIZE) != 0) {
1323                 if (!ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
1324                                      s->init_num + SSL3_HM_HEADER_LENGTH)) {
1325                     /* SSLfatal() already called */
1326                     *len = 0;
1327                     return 0;
1328                 }
1329             }
1330         }
1331         if (s->msg_callback)
1332             s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, s->init_buf->data,
1333                             (size_t)s->init_num + SSL3_HM_HEADER_LENGTH, s,
1334                             s->msg_callback_arg);
1335     }
1336 
1337     *len = s->init_num;
1338     return 1;
1339 }
1340 
1341 static const X509ERR2ALERT x509table[] = {
1342     {X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
1343     {X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1344     {X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
1345     {X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
1346     {X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1347     {X509_V_ERR_CERT_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1348     {X509_V_ERR_CERT_REJECTED, SSL_AD_BAD_CERTIFICATE},
1349     {X509_V_ERR_CERT_REVOKED, SSL_AD_CERTIFICATE_REVOKED},
1350     {X509_V_ERR_CERT_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1351     {X509_V_ERR_CERT_UNTRUSTED, SSL_AD_BAD_CERTIFICATE},
1352     {X509_V_ERR_CRL_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
1353     {X509_V_ERR_CRL_NOT_YET_VALID, SSL_AD_BAD_CERTIFICATE},
1354     {X509_V_ERR_CRL_SIGNATURE_FAILURE, SSL_AD_DECRYPT_ERROR},
1355     {X509_V_ERR_DANE_NO_MATCH, SSL_AD_BAD_CERTIFICATE},
1356     {X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, SSL_AD_UNKNOWN_CA},
1357     {X509_V_ERR_EE_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
1358     {X509_V_ERR_EMAIL_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1359     {X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, SSL_AD_BAD_CERTIFICATE},
1360     {X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, SSL_AD_BAD_CERTIFICATE},
1361     {X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1362     {X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, SSL_AD_BAD_CERTIFICATE},
1363     {X509_V_ERR_HOSTNAME_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1364     {X509_V_ERR_INVALID_CA, SSL_AD_UNKNOWN_CA},
1365     {X509_V_ERR_INVALID_CALL, SSL_AD_INTERNAL_ERROR},
1366     {X509_V_ERR_INVALID_PURPOSE, SSL_AD_UNSUPPORTED_CERTIFICATE},
1367     {X509_V_ERR_IP_ADDRESS_MISMATCH, SSL_AD_BAD_CERTIFICATE},
1368     {X509_V_ERR_OUT_OF_MEM, SSL_AD_INTERNAL_ERROR},
1369     {X509_V_ERR_PATH_LENGTH_EXCEEDED, SSL_AD_UNKNOWN_CA},
1370     {X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, SSL_AD_UNKNOWN_CA},
1371     {X509_V_ERR_STORE_LOOKUP, SSL_AD_INTERNAL_ERROR},
1372     {X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, SSL_AD_BAD_CERTIFICATE},
1373     {X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1374     {X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, SSL_AD_BAD_CERTIFICATE},
1375     {X509_V_ERR_UNABLE_TO_GET_CRL, SSL_AD_UNKNOWN_CA},
1376     {X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER, SSL_AD_UNKNOWN_CA},
1377     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, SSL_AD_UNKNOWN_CA},
1378     {X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, SSL_AD_UNKNOWN_CA},
1379     {X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, SSL_AD_UNKNOWN_CA},
1380     {X509_V_ERR_UNSPECIFIED, SSL_AD_INTERNAL_ERROR},
1381 
1382     /* Last entry; return this if we don't find the value above. */
1383     {X509_V_OK, SSL_AD_CERTIFICATE_UNKNOWN}
1384 };
1385 
1386 int ssl_x509err2alert(int x509err)
1387 {
1388     const X509ERR2ALERT *tp;
1389 
1390     for (tp = x509table; tp->x509err != X509_V_OK; ++tp)
1391         if (tp->x509err == x509err)
1392             break;
1393     return tp->alert;
1394 }
1395 
1396 int ssl_allow_compression(SSL *s)
1397 {
1398     if (s->options & SSL_OP_NO_COMPRESSION)
1399         return 0;
1400     return ssl_security(s, SSL_SECOP_COMPRESSION, 0, 0, NULL);
1401 }
1402 
1403 static int version_cmp(const SSL *s, int a, int b)
1404 {
1405     int dtls = SSL_IS_DTLS(s);
1406 
1407     if (a == b)
1408         return 0;
1409     if (!dtls)
1410         return a < b ? -1 : 1;
1411     return DTLS_VERSION_LT(a, b) ? -1 : 1;
1412 }
1413 
1414 typedef struct {
1415     int version;
1416     const SSL_METHOD *(*cmeth) (void);
1417     const SSL_METHOD *(*smeth) (void);
1418 } version_info;
1419 
1420 #if TLS_MAX_VERSION != TLS1_3_VERSION
1421 # error Code needs update for TLS_method() support beyond TLS1_3_VERSION.
1422 #endif
1423 
1424 /* Must be in order high to low */
1425 static const version_info tls_version_table[] = {
1426 #ifndef OPENSSL_NO_TLS1_3
1427     {TLS1_3_VERSION, tlsv1_3_client_method, tlsv1_3_server_method},
1428 #else
1429     {TLS1_3_VERSION, NULL, NULL},
1430 #endif
1431 #ifndef OPENSSL_NO_TLS1_2
1432     {TLS1_2_VERSION, tlsv1_2_client_method, tlsv1_2_server_method},
1433 #else
1434     {TLS1_2_VERSION, NULL, NULL},
1435 #endif
1436 #ifndef OPENSSL_NO_TLS1_1
1437     {TLS1_1_VERSION, tlsv1_1_client_method, tlsv1_1_server_method},
1438 #else
1439     {TLS1_1_VERSION, NULL, NULL},
1440 #endif
1441 #ifndef OPENSSL_NO_TLS1
1442     {TLS1_VERSION, tlsv1_client_method, tlsv1_server_method},
1443 #else
1444     {TLS1_VERSION, NULL, NULL},
1445 #endif
1446 #ifndef OPENSSL_NO_SSL3
1447     {SSL3_VERSION, sslv3_client_method, sslv3_server_method},
1448 #else
1449     {SSL3_VERSION, NULL, NULL},
1450 #endif
1451     {0, NULL, NULL},
1452 };
1453 
1454 #if DTLS_MAX_VERSION != DTLS1_2_VERSION
1455 # error Code needs update for DTLS_method() support beyond DTLS1_2_VERSION.
1456 #endif
1457 
1458 /* Must be in order high to low */
1459 static const version_info dtls_version_table[] = {
1460 #ifndef OPENSSL_NO_DTLS1_2
1461     {DTLS1_2_VERSION, dtlsv1_2_client_method, dtlsv1_2_server_method},
1462 #else
1463     {DTLS1_2_VERSION, NULL, NULL},
1464 #endif
1465 #ifndef OPENSSL_NO_DTLS1
1466     {DTLS1_VERSION, dtlsv1_client_method, dtlsv1_server_method},
1467     {DTLS1_BAD_VER, dtls_bad_ver_client_method, NULL},
1468 #else
1469     {DTLS1_VERSION, NULL, NULL},
1470     {DTLS1_BAD_VER, NULL, NULL},
1471 #endif
1472     {0, NULL, NULL},
1473 };
1474 
1475 /*
1476  * ssl_method_error - Check whether an SSL_METHOD is enabled.
1477  *
1478  * @s: The SSL handle for the candidate method
1479  * @method: the intended method.
1480  *
1481  * Returns 0 on success, or an SSL error reason on failure.
1482  */
1483 static int ssl_method_error(const SSL *s, const SSL_METHOD *method)
1484 {
1485     int version = method->version;
1486 
1487     if ((s->min_proto_version != 0 &&
1488          version_cmp(s, version, s->min_proto_version) < 0) ||
1489         ssl_security(s, SSL_SECOP_VERSION, 0, version, NULL) == 0)
1490         return SSL_R_VERSION_TOO_LOW;
1491 
1492     if (s->max_proto_version != 0 &&
1493         version_cmp(s, version, s->max_proto_version) > 0)
1494         return SSL_R_VERSION_TOO_HIGH;
1495 
1496     if ((s->options & method->mask) != 0)
1497         return SSL_R_UNSUPPORTED_PROTOCOL;
1498     if ((method->flags & SSL_METHOD_NO_SUITEB) != 0 && tls1_suiteb(s))
1499         return SSL_R_AT_LEAST_TLS_1_2_NEEDED_IN_SUITEB_MODE;
1500 
1501     return 0;
1502 }
1503 
1504 /*
1505  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable
1506  * certificate type, or has PSK or a certificate callback configured. Otherwise
1507  * returns 0.
1508  */
1509 static int is_tls13_capable(const SSL *s)
1510 {
1511     int i;
1512 #ifndef OPENSSL_NO_EC
1513     int curve;
1514     EC_KEY *eckey;
1515 #endif
1516 
1517 #ifndef OPENSSL_NO_PSK
1518     if (s->psk_server_callback != NULL)
1519         return 1;
1520 #endif
1521 
1522     if (s->psk_find_session_cb != NULL || s->cert->cert_cb != NULL)
1523         return 1;
1524 
1525     for (i = 0; i < SSL_PKEY_NUM; i++) {
1526         /* Skip over certs disallowed for TLSv1.3 */
1527         switch (i) {
1528         case SSL_PKEY_DSA_SIGN:
1529         case SSL_PKEY_GOST01:
1530         case SSL_PKEY_GOST12_256:
1531         case SSL_PKEY_GOST12_512:
1532             continue;
1533         default:
1534             break;
1535         }
1536         if (!ssl_has_cert(s, i))
1537             continue;
1538 #ifndef OPENSSL_NO_EC
1539         if (i != SSL_PKEY_ECC)
1540             return 1;
1541         /*
1542          * Prior to TLSv1.3 sig algs allowed any curve to be used. TLSv1.3 is
1543          * more restrictive so check that our sig algs are consistent with this
1544          * EC cert. See section 4.2.3 of RFC8446.
1545          */
1546         eckey = EVP_PKEY_get0_EC_KEY(s->cert->pkeys[SSL_PKEY_ECC].privatekey);
1547         if (eckey == NULL)
1548             continue;
1549         curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
1550         if (tls_check_sigalg_curve(s, curve))
1551             return 1;
1552 #else
1553         return 1;
1554 #endif
1555     }
1556 
1557     return 0;
1558 }
1559 
1560 /*
1561  * ssl_version_supported - Check that the specified `version` is supported by
1562  * `SSL *` instance
1563  *
1564  * @s: The SSL handle for the candidate method
1565  * @version: Protocol version to test against
1566  *
1567  * Returns 1 when supported, otherwise 0
1568  */
1569 int ssl_version_supported(const SSL *s, int version, const SSL_METHOD **meth)
1570 {
1571     const version_info *vent;
1572     const version_info *table;
1573 
1574     switch (s->method->version) {
1575     default:
1576         /* Version should match method version for non-ANY method */
1577         return version_cmp(s, version, s->version) == 0;
1578     case TLS_ANY_VERSION:
1579         table = tls_version_table;
1580         break;
1581     case DTLS_ANY_VERSION:
1582         table = dtls_version_table;
1583         break;
1584     }
1585 
1586     for (vent = table;
1587          vent->version != 0 && version_cmp(s, version, vent->version) <= 0;
1588          ++vent) {
1589         if (vent->cmeth != NULL
1590                 && version_cmp(s, version, vent->version) == 0
1591                 && ssl_method_error(s, vent->cmeth()) == 0
1592                 && (!s->server
1593                     || version != TLS1_3_VERSION
1594                     || is_tls13_capable(s))) {
1595             if (meth != NULL)
1596                 *meth = vent->cmeth();
1597             return 1;
1598         }
1599     }
1600     return 0;
1601 }
1602 
1603 /*
1604  * ssl_check_version_downgrade - In response to RFC7507 SCSV version
1605  * fallback indication from a client check whether we're using the highest
1606  * supported protocol version.
1607  *
1608  * @s server SSL handle.
1609  *
1610  * Returns 1 when using the highest enabled version, 0 otherwise.
1611  */
1612 int ssl_check_version_downgrade(SSL *s)
1613 {
1614     const version_info *vent;
1615     const version_info *table;
1616 
1617     /*
1618      * Check that the current protocol is the highest enabled version
1619      * (according to s->ctx->method, as version negotiation may have changed
1620      * s->method).
1621      */
1622     if (s->version == s->ctx->method->version)
1623         return 1;
1624 
1625     /*
1626      * Apparently we're using a version-flexible SSL_METHOD (not at its
1627      * highest protocol version).
1628      */
1629     if (s->ctx->method->version == TLS_method()->version)
1630         table = tls_version_table;
1631     else if (s->ctx->method->version == DTLS_method()->version)
1632         table = dtls_version_table;
1633     else {
1634         /* Unexpected state; fail closed. */
1635         return 0;
1636     }
1637 
1638     for (vent = table; vent->version != 0; ++vent) {
1639         if (vent->smeth != NULL && ssl_method_error(s, vent->smeth()) == 0)
1640             return s->version == vent->version;
1641     }
1642     return 0;
1643 }
1644 
1645 /*
1646  * ssl_set_version_bound - set an upper or lower bound on the supported (D)TLS
1647  * protocols, provided the initial (D)TLS method is version-flexible.  This
1648  * function sanity-checks the proposed value and makes sure the method is
1649  * version-flexible, then sets the limit if all is well.
1650  *
1651  * @method_version: The version of the current SSL_METHOD.
1652  * @version: the intended limit.
1653  * @bound: pointer to limit to be updated.
1654  *
1655  * Returns 1 on success, 0 on failure.
1656  */
1657 int ssl_set_version_bound(int method_version, int version, int *bound)
1658 {
1659     if (version == 0) {
1660         *bound = version;
1661         return 1;
1662     }
1663 
1664     /*-
1665      * Restrict TLS methods to TLS protocol versions.
1666      * Restrict DTLS methods to DTLS protocol versions.
1667      * Note, DTLS version numbers are decreasing, use comparison macros.
1668      *
1669      * Note that for both lower-bounds we use explicit versions, not
1670      * (D)TLS_MIN_VERSION.  This is because we don't want to break user
1671      * configurations.  If the MIN (supported) version ever rises, the user's
1672      * "floor" remains valid even if no longer available.  We don't expect the
1673      * MAX ceiling to ever get lower, so making that variable makes sense.
1674      */
1675     switch (method_version) {
1676     default:
1677         /*
1678          * XXX For fixed version methods, should we always fail and not set any
1679          * bounds, always succeed and not set any bounds, or set the bounds and
1680          * arrange to fail later if they are not met?  At present fixed-version
1681          * methods are not subject to controls that disable individual protocol
1682          * versions.
1683          */
1684         return 0;
1685 
1686     case TLS_ANY_VERSION:
1687         if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
1688             return 0;
1689         break;
1690 
1691     case DTLS_ANY_VERSION:
1692         if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
1693             DTLS_VERSION_LT(version, DTLS1_BAD_VER))
1694             return 0;
1695         break;
1696     }
1697 
1698     *bound = version;
1699     return 1;
1700 }
1701 
1702 static void check_for_downgrade(SSL *s, int vers, DOWNGRADE *dgrd)
1703 {
1704     if (vers == TLS1_2_VERSION
1705             && ssl_version_supported(s, TLS1_3_VERSION, NULL)) {
1706         *dgrd = DOWNGRADE_TO_1_2;
1707     } else if (!SSL_IS_DTLS(s)
1708             && vers < TLS1_2_VERSION
1709                /*
1710                 * We need to ensure that a server that disables TLSv1.2
1711                 * (creating a hole between TLSv1.3 and TLSv1.1) can still
1712                 * complete handshakes with clients that support TLSv1.2 and
1713                 * below. Therefore we do not enable the sentinel if TLSv1.3 is
1714                 * enabled and TLSv1.2 is not.
1715                 */
1716             && ssl_version_supported(s, TLS1_2_VERSION, NULL)) {
1717         *dgrd = DOWNGRADE_TO_1_1;
1718     } else {
1719         *dgrd = DOWNGRADE_NONE;
1720     }
1721 }
1722 
1723 /*
1724  * ssl_choose_server_version - Choose server (D)TLS version.  Called when the
1725  * client HELLO is received to select the final server protocol version and
1726  * the version specific method.
1727  *
1728  * @s: server SSL handle.
1729  *
1730  * Returns 0 on success or an SSL error reason number on failure.
1731  */
1732 int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG *hello, DOWNGRADE *dgrd)
1733 {
1734     /*-
1735      * With version-flexible methods we have an initial state with:
1736      *
1737      *   s->method->version == (D)TLS_ANY_VERSION,
1738      *   s->version == (D)TLS_MAX_VERSION.
1739      *
1740      * So we detect version-flexible methods via the method version, not the
1741      * handle version.
1742      */
1743     int server_version = s->method->version;
1744     int client_version = hello->legacy_version;
1745     const version_info *vent;
1746     const version_info *table;
1747     int disabled = 0;
1748     RAW_EXTENSION *suppversions;
1749 
1750     s->client_version = client_version;
1751 
1752     switch (server_version) {
1753     default:
1754         if (!SSL_IS_TLS13(s)) {
1755             if (version_cmp(s, client_version, s->version) < 0)
1756                 return SSL_R_WRONG_SSL_VERSION;
1757             *dgrd = DOWNGRADE_NONE;
1758             /*
1759              * If this SSL handle is not from a version flexible method we don't
1760              * (and never did) check min/max FIPS or Suite B constraints.  Hope
1761              * that's OK.  It is up to the caller to not choose fixed protocol
1762              * versions they don't want.  If not, then easy to fix, just return
1763              * ssl_method_error(s, s->method)
1764              */
1765             return 0;
1766         }
1767         /*
1768          * Fall through if we are TLSv1.3 already (this means we must be after
1769          * a HelloRetryRequest
1770          */
1771         /* fall thru */
1772     case TLS_ANY_VERSION:
1773         table = tls_version_table;
1774         break;
1775     case DTLS_ANY_VERSION:
1776         table = dtls_version_table;
1777         break;
1778     }
1779 
1780     suppversions = &hello->pre_proc_exts[TLSEXT_IDX_supported_versions];
1781 
1782     /* If we did an HRR then supported versions is mandatory */
1783     if (!suppversions->present && s->hello_retry_request != SSL_HRR_NONE)
1784         return SSL_R_UNSUPPORTED_PROTOCOL;
1785 
1786     if (suppversions->present && !SSL_IS_DTLS(s)) {
1787         unsigned int candidate_vers = 0;
1788         unsigned int best_vers = 0;
1789         const SSL_METHOD *best_method = NULL;
1790         PACKET versionslist;
1791 
1792         suppversions->parsed = 1;
1793 
1794         if (!PACKET_as_length_prefixed_1(&suppversions->data, &versionslist)) {
1795             /* Trailing or invalid data? */
1796             return SSL_R_LENGTH_MISMATCH;
1797         }
1798 
1799         /*
1800          * The TLSv1.3 spec says the client MUST set this to TLS1_2_VERSION.
1801          * The spec only requires servers to check that it isn't SSLv3:
1802          * "Any endpoint receiving a Hello message with
1803          * ClientHello.legacy_version or ServerHello.legacy_version set to
1804          * 0x0300 MUST abort the handshake with a "protocol_version" alert."
1805          * We are slightly stricter and require that it isn't SSLv3 or lower.
1806          * We tolerate TLSv1 and TLSv1.1.
1807          */
1808         if (client_version <= SSL3_VERSION)
1809             return SSL_R_BAD_LEGACY_VERSION;
1810 
1811         while (PACKET_get_net_2(&versionslist, &candidate_vers)) {
1812             if (version_cmp(s, candidate_vers, best_vers) <= 0)
1813                 continue;
1814             if (ssl_version_supported(s, candidate_vers, &best_method))
1815                 best_vers = candidate_vers;
1816         }
1817         if (PACKET_remaining(&versionslist) != 0) {
1818             /* Trailing data? */
1819             return SSL_R_LENGTH_MISMATCH;
1820         }
1821 
1822         if (best_vers > 0) {
1823             if (s->hello_retry_request != SSL_HRR_NONE) {
1824                 /*
1825                  * This is after a HelloRetryRequest so we better check that we
1826                  * negotiated TLSv1.3
1827                  */
1828                 if (best_vers != TLS1_3_VERSION)
1829                     return SSL_R_UNSUPPORTED_PROTOCOL;
1830                 return 0;
1831             }
1832             check_for_downgrade(s, best_vers, dgrd);
1833             s->version = best_vers;
1834             s->method = best_method;
1835             return 0;
1836         }
1837         return SSL_R_UNSUPPORTED_PROTOCOL;
1838     }
1839 
1840     /*
1841      * If the supported versions extension isn't present, then the highest
1842      * version we can negotiate is TLSv1.2
1843      */
1844     if (version_cmp(s, client_version, TLS1_3_VERSION) >= 0)
1845         client_version = TLS1_2_VERSION;
1846 
1847     /*
1848      * No supported versions extension, so we just use the version supplied in
1849      * the ClientHello.
1850      */
1851     for (vent = table; vent->version != 0; ++vent) {
1852         const SSL_METHOD *method;
1853 
1854         if (vent->smeth == NULL ||
1855             version_cmp(s, client_version, vent->version) < 0)
1856             continue;
1857         method = vent->smeth();
1858         if (ssl_method_error(s, method) == 0) {
1859             check_for_downgrade(s, vent->version, dgrd);
1860             s->version = vent->version;
1861             s->method = method;
1862             return 0;
1863         }
1864         disabled = 1;
1865     }
1866     return disabled ? SSL_R_UNSUPPORTED_PROTOCOL : SSL_R_VERSION_TOO_LOW;
1867 }
1868 
1869 /*
1870  * ssl_choose_client_version - Choose client (D)TLS version.  Called when the
1871  * server HELLO is received to select the final client protocol version and
1872  * the version specific method.
1873  *
1874  * @s: client SSL handle.
1875  * @version: The proposed version from the server's HELLO.
1876  * @extensions: The extensions received
1877  *
1878  * Returns 1 on success or 0 on error.
1879  */
1880 int ssl_choose_client_version(SSL *s, int version, RAW_EXTENSION *extensions)
1881 {
1882     const version_info *vent;
1883     const version_info *table;
1884     int ret, ver_min, ver_max, real_max, origv;
1885 
1886     origv = s->version;
1887     s->version = version;
1888 
1889     /* This will overwrite s->version if the extension is present */
1890     if (!tls_parse_extension(s, TLSEXT_IDX_supported_versions,
1891                              SSL_EXT_TLS1_2_SERVER_HELLO
1892                              | SSL_EXT_TLS1_3_SERVER_HELLO, extensions,
1893                              NULL, 0)) {
1894         s->version = origv;
1895         return 0;
1896     }
1897 
1898     if (s->hello_retry_request != SSL_HRR_NONE
1899             && s->version != TLS1_3_VERSION) {
1900         s->version = origv;
1901         SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1902                  SSL_R_WRONG_SSL_VERSION);
1903         return 0;
1904     }
1905 
1906     switch (s->method->version) {
1907     default:
1908         if (s->version != s->method->version) {
1909             s->version = origv;
1910             SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1911                      SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1912                      SSL_R_WRONG_SSL_VERSION);
1913             return 0;
1914         }
1915         /*
1916          * If this SSL handle is not from a version flexible method we don't
1917          * (and never did) check min/max, FIPS or Suite B constraints.  Hope
1918          * that's OK.  It is up to the caller to not choose fixed protocol
1919          * versions they don't want.  If not, then easy to fix, just return
1920          * ssl_method_error(s, s->method)
1921          */
1922         return 1;
1923     case TLS_ANY_VERSION:
1924         table = tls_version_table;
1925         break;
1926     case DTLS_ANY_VERSION:
1927         table = dtls_version_table;
1928         break;
1929     }
1930 
1931     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, &real_max);
1932     if (ret != 0) {
1933         s->version = origv;
1934         SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1935                  SSL_F_SSL_CHOOSE_CLIENT_VERSION, ret);
1936         return 0;
1937     }
1938     if (SSL_IS_DTLS(s) ? DTLS_VERSION_LT(s->version, ver_min)
1939                        : s->version < ver_min) {
1940         s->version = origv;
1941         SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1942                  SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1943         return 0;
1944     } else if (SSL_IS_DTLS(s) ? DTLS_VERSION_GT(s->version, ver_max)
1945                               : s->version > ver_max) {
1946         s->version = origv;
1947         SSLfatal(s, SSL_AD_PROTOCOL_VERSION,
1948                  SSL_F_SSL_CHOOSE_CLIENT_VERSION, SSL_R_UNSUPPORTED_PROTOCOL);
1949         return 0;
1950     }
1951 
1952     if ((s->mode & SSL_MODE_SEND_FALLBACK_SCSV) == 0)
1953         real_max = ver_max;
1954 
1955     /* Check for downgrades */
1956     if (s->version == TLS1_2_VERSION && real_max > s->version) {
1957         if (memcmp(tls12downgrade,
1958                    s->s3->server_random + SSL3_RANDOM_SIZE
1959                                         - sizeof(tls12downgrade),
1960                    sizeof(tls12downgrade)) == 0) {
1961             s->version = origv;
1962             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1963                      SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1964                      SSL_R_INAPPROPRIATE_FALLBACK);
1965             return 0;
1966         }
1967     } else if (!SSL_IS_DTLS(s)
1968                && s->version < TLS1_2_VERSION
1969                && real_max > s->version) {
1970         if (memcmp(tls11downgrade,
1971                    s->s3->server_random + SSL3_RANDOM_SIZE
1972                                         - sizeof(tls11downgrade),
1973                    sizeof(tls11downgrade)) == 0) {
1974             s->version = origv;
1975             SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
1976                      SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1977                      SSL_R_INAPPROPRIATE_FALLBACK);
1978             return 0;
1979         }
1980     }
1981 
1982     for (vent = table; vent->version != 0; ++vent) {
1983         if (vent->cmeth == NULL || s->version != vent->version)
1984             continue;
1985 
1986         s->method = vent->cmeth();
1987         return 1;
1988     }
1989 
1990     s->version = origv;
1991     SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_F_SSL_CHOOSE_CLIENT_VERSION,
1992              SSL_R_UNSUPPORTED_PROTOCOL);
1993     return 0;
1994 }
1995 
1996 /*
1997  * ssl_get_min_max_version - get minimum and maximum protocol version
1998  * @s: The SSL connection
1999  * @min_version: The minimum supported version
2000  * @max_version: The maximum supported version
2001  * @real_max:    The highest version below the lowest compile time version hole
2002  *               where that hole lies above at least one run-time enabled
2003  *               protocol.
2004  *
2005  * Work out what version we should be using for the initial ClientHello if the
2006  * version is initially (D)TLS_ANY_VERSION.  We apply any explicit SSL_OP_NO_xxx
2007  * options, the MinProtocol and MaxProtocol configuration commands, any Suite B
2008  * constraints and any floor imposed by the security level here,
2009  * so we don't advertise the wrong protocol version to only reject the outcome later.
2010  *
2011  * Computing the right floor matters.  If, e.g., TLS 1.0 and 1.2 are enabled,
2012  * TLS 1.1 is disabled, but the security level, Suite-B  and/or MinProtocol
2013  * only allow TLS 1.2, we want to advertise TLS1.2, *not* TLS1.
2014  *
2015  * Returns 0 on success or an SSL error reason number on failure.  On failure
2016  * min_version and max_version will also be set to 0.
2017  */
2018 int ssl_get_min_max_version(const SSL *s, int *min_version, int *max_version,
2019                             int *real_max)
2020 {
2021     int version, tmp_real_max;
2022     int hole;
2023     const SSL_METHOD *single = NULL;
2024     const SSL_METHOD *method;
2025     const version_info *table;
2026     const version_info *vent;
2027 
2028     switch (s->method->version) {
2029     default:
2030         /*
2031          * If this SSL handle is not from a version flexible method we don't
2032          * (and never did) check min/max FIPS or Suite B constraints.  Hope
2033          * that's OK.  It is up to the caller to not choose fixed protocol
2034          * versions they don't want.  If not, then easy to fix, just return
2035          * ssl_method_error(s, s->method)
2036          */
2037         *min_version = *max_version = s->version;
2038         /*
2039          * Providing a real_max only makes sense where we're using a version
2040          * flexible method.
2041          */
2042         if (!ossl_assert(real_max == NULL))
2043             return ERR_R_INTERNAL_ERROR;
2044         return 0;
2045     case TLS_ANY_VERSION:
2046         table = tls_version_table;
2047         break;
2048     case DTLS_ANY_VERSION:
2049         table = dtls_version_table;
2050         break;
2051     }
2052 
2053     /*
2054      * SSL_OP_NO_X disables all protocols above X *if* there are some protocols
2055      * below X enabled. This is required in order to maintain the "version
2056      * capability" vector contiguous. Any versions with a NULL client method
2057      * (protocol version client is disabled at compile-time) is also a "hole".
2058      *
2059      * Our initial state is hole == 1, version == 0.  That is, versions above
2060      * the first version in the method table are disabled (a "hole" above
2061      * the valid protocol entries) and we don't have a selected version yet.
2062      *
2063      * Whenever "hole == 1", and we hit an enabled method, its version becomes
2064      * the selected version, and the method becomes a candidate "single"
2065      * method.  We're no longer in a hole, so "hole" becomes 0.
2066      *
2067      * If "hole == 0" and we hit an enabled method, then "single" is cleared,
2068      * as we support a contiguous range of at least two methods.  If we hit
2069      * a disabled method, then hole becomes true again, but nothing else
2070      * changes yet, because all the remaining methods may be disabled too.
2071      * If we again hit an enabled method after the new hole, it becomes
2072      * selected, as we start from scratch.
2073      */
2074     *min_version = version = 0;
2075     hole = 1;
2076     if (real_max != NULL)
2077         *real_max = 0;
2078     tmp_real_max = 0;
2079     for (vent = table; vent->version != 0; ++vent) {
2080         /*
2081          * A table entry with a NULL client method is still a hole in the
2082          * "version capability" vector.
2083          */
2084         if (vent->cmeth == NULL) {
2085             hole = 1;
2086             tmp_real_max = 0;
2087             continue;
2088         }
2089         method = vent->cmeth();
2090 
2091         if (hole == 1 && tmp_real_max == 0)
2092             tmp_real_max = vent->version;
2093 
2094         if (ssl_method_error(s, method) != 0) {
2095             hole = 1;
2096         } else if (!hole) {
2097             single = NULL;
2098             *min_version = method->version;
2099         } else {
2100             if (real_max != NULL && tmp_real_max != 0)
2101                 *real_max = tmp_real_max;
2102             version = (single = method)->version;
2103             *min_version = version;
2104             hole = 0;
2105         }
2106     }
2107 
2108     *max_version = version;
2109 
2110     /* Fail if everything is disabled */
2111     if (version == 0)
2112         return SSL_R_NO_PROTOCOLS_AVAILABLE;
2113 
2114     return 0;
2115 }
2116 
2117 /*
2118  * ssl_set_client_hello_version - Work out what version we should be using for
2119  * the initial ClientHello.legacy_version field.
2120  *
2121  * @s: client SSL handle.
2122  *
2123  * Returns 0 on success or an SSL error reason number on failure.
2124  */
2125 int ssl_set_client_hello_version(SSL *s)
2126 {
2127     int ver_min, ver_max, ret;
2128 
2129     /*
2130      * In a renegotiation we always send the same client_version that we sent
2131      * last time, regardless of which version we eventually negotiated.
2132      */
2133     if (!SSL_IS_FIRST_HANDSHAKE(s))
2134         return 0;
2135 
2136     ret = ssl_get_min_max_version(s, &ver_min, &ver_max, NULL);
2137 
2138     if (ret != 0)
2139         return ret;
2140 
2141     s->version = ver_max;
2142 
2143     /* TLS1.3 always uses TLS1.2 in the legacy_version field */
2144     if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
2145         ver_max = TLS1_2_VERSION;
2146 
2147     s->client_version = ver_max;
2148     return 0;
2149 }
2150 
2151 /*
2152  * Checks a list of |groups| to determine if the |group_id| is in it. If it is
2153  * and |checkallow| is 1 then additionally check if the group is allowed to be
2154  * used. Returns 1 if the group is in the list (and allowed if |checkallow| is
2155  * 1) or 0 otherwise.
2156  */
2157 #ifndef OPENSSL_NO_EC
2158 int check_in_list(SSL *s, uint16_t group_id, const uint16_t *groups,
2159                   size_t num_groups, int checkallow)
2160 {
2161     size_t i;
2162 
2163     if (groups == NULL || num_groups == 0)
2164         return 0;
2165 
2166     for (i = 0; i < num_groups; i++) {
2167         uint16_t group = groups[i];
2168 
2169         if (group_id == group
2170                 && (!checkallow
2171                     || tls_curve_allowed(s, group, SSL_SECOP_CURVE_CHECK))) {
2172             return 1;
2173         }
2174     }
2175 
2176     return 0;
2177 }
2178 #endif
2179 
2180 /* Replace ClientHello1 in the transcript hash with a synthetic message */
2181 int create_synthetic_message_hash(SSL *s, const unsigned char *hashval,
2182                                   size_t hashlen, const unsigned char *hrr,
2183                                   size_t hrrlen)
2184 {
2185     unsigned char hashvaltmp[EVP_MAX_MD_SIZE];
2186     unsigned char msghdr[SSL3_HM_HEADER_LENGTH];
2187 
2188     memset(msghdr, 0, sizeof(msghdr));
2189 
2190     if (hashval == NULL) {
2191         hashval = hashvaltmp;
2192         hashlen = 0;
2193         /* Get the hash of the initial ClientHello */
2194         if (!ssl3_digest_cached_records(s, 0)
2195                 || !ssl_handshake_hash(s, hashvaltmp, sizeof(hashvaltmp),
2196                                        &hashlen)) {
2197             /* SSLfatal() already called */
2198             return 0;
2199         }
2200     }
2201 
2202     /* Reinitialise the transcript hash */
2203     if (!ssl3_init_finished_mac(s)) {
2204         /* SSLfatal() already called */
2205         return 0;
2206     }
2207 
2208     /* Inject the synthetic message_hash message */
2209     msghdr[0] = SSL3_MT_MESSAGE_HASH;
2210     msghdr[SSL3_HM_HEADER_LENGTH - 1] = (unsigned char)hashlen;
2211     if (!ssl3_finish_mac(s, msghdr, SSL3_HM_HEADER_LENGTH)
2212             || !ssl3_finish_mac(s, hashval, hashlen)) {
2213         /* SSLfatal() already called */
2214         return 0;
2215     }
2216 
2217     /*
2218      * Now re-inject the HRR and current message if appropriate (we just deleted
2219      * it when we reinitialised the transcript hash above). Only necessary after
2220      * receiving a ClientHello2 with a cookie.
2221      */
2222     if (hrr != NULL
2223             && (!ssl3_finish_mac(s, hrr, hrrlen)
2224                 || !ssl3_finish_mac(s, (unsigned char *)s->init_buf->data,
2225                                     s->s3->tmp.message_size
2226                                     + SSL3_HM_HEADER_LENGTH))) {
2227         /* SSLfatal() already called */
2228         return 0;
2229     }
2230 
2231     return 1;
2232 }
2233 
2234 static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
2235 {
2236     return X509_NAME_cmp(*a, *b);
2237 }
2238 
2239 int parse_ca_names(SSL *s, PACKET *pkt)
2240 {
2241     STACK_OF(X509_NAME) *ca_sk = sk_X509_NAME_new(ca_dn_cmp);
2242     X509_NAME *xn = NULL;
2243     PACKET cadns;
2244 
2245     if (ca_sk == NULL) {
2246         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2247                  ERR_R_MALLOC_FAILURE);
2248         goto err;
2249     }
2250     /* get the CA RDNs */
2251     if (!PACKET_get_length_prefixed_2(pkt, &cadns)) {
2252         SSLfatal(s, SSL_AD_DECODE_ERROR,SSL_F_PARSE_CA_NAMES,
2253                  SSL_R_LENGTH_MISMATCH);
2254         goto err;
2255     }
2256 
2257     while (PACKET_remaining(&cadns)) {
2258         const unsigned char *namestart, *namebytes;
2259         unsigned int name_len;
2260 
2261         if (!PACKET_get_net_2(&cadns, &name_len)
2262             || !PACKET_get_bytes(&cadns, &namebytes, name_len)) {
2263             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2264                      SSL_R_LENGTH_MISMATCH);
2265             goto err;
2266         }
2267 
2268         namestart = namebytes;
2269         if ((xn = d2i_X509_NAME(NULL, &namebytes, name_len)) == NULL) {
2270             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2271                      ERR_R_ASN1_LIB);
2272             goto err;
2273         }
2274         if (namebytes != (namestart + name_len)) {
2275             SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_PARSE_CA_NAMES,
2276                      SSL_R_CA_DN_LENGTH_MISMATCH);
2277             goto err;
2278         }
2279 
2280         if (!sk_X509_NAME_push(ca_sk, xn)) {
2281             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_PARSE_CA_NAMES,
2282                      ERR_R_MALLOC_FAILURE);
2283             goto err;
2284         }
2285         xn = NULL;
2286     }
2287 
2288     sk_X509_NAME_pop_free(s->s3->tmp.peer_ca_names, X509_NAME_free);
2289     s->s3->tmp.peer_ca_names = ca_sk;
2290 
2291     return 1;
2292 
2293  err:
2294     sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
2295     X509_NAME_free(xn);
2296     return 0;
2297 }
2298 
2299 const STACK_OF(X509_NAME) *get_ca_names(SSL *s)
2300 {
2301     const STACK_OF(X509_NAME) *ca_sk = NULL;;
2302 
2303     if (s->server) {
2304         ca_sk = SSL_get_client_CA_list(s);
2305         if (ca_sk != NULL && sk_X509_NAME_num(ca_sk) == 0)
2306             ca_sk = NULL;
2307     }
2308 
2309     if (ca_sk == NULL)
2310         ca_sk = SSL_get0_CA_list(s);
2311 
2312     return ca_sk;
2313 }
2314 
2315 int construct_ca_names(SSL *s, const STACK_OF(X509_NAME) *ca_sk, WPACKET *pkt)
2316 {
2317     /* Start sub-packet for client CA list */
2318     if (!WPACKET_start_sub_packet_u16(pkt)) {
2319         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2320                  ERR_R_INTERNAL_ERROR);
2321         return 0;
2322     }
2323 
2324     if (ca_sk != NULL) {
2325         int i;
2326 
2327         for (i = 0; i < sk_X509_NAME_num(ca_sk); i++) {
2328             unsigned char *namebytes;
2329             X509_NAME *name = sk_X509_NAME_value(ca_sk, i);
2330             int namelen;
2331 
2332             if (name == NULL
2333                     || (namelen = i2d_X509_NAME(name, NULL)) < 0
2334                     || !WPACKET_sub_allocate_bytes_u16(pkt, namelen,
2335                                                        &namebytes)
2336                     || i2d_X509_NAME(name, &namebytes) != namelen) {
2337                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2338                          ERR_R_INTERNAL_ERROR);
2339                 return 0;
2340             }
2341         }
2342     }
2343 
2344     if (!WPACKET_close(pkt)) {
2345         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_CA_NAMES,
2346                  ERR_R_INTERNAL_ERROR);
2347         return 0;
2348     }
2349 
2350     return 1;
2351 }
2352 
2353 /* Create a buffer containing data to be signed for server key exchange */
2354 size_t construct_key_exchange_tbs(SSL *s, unsigned char **ptbs,
2355                                   const void *param, size_t paramlen)
2356 {
2357     size_t tbslen = 2 * SSL3_RANDOM_SIZE + paramlen;
2358     unsigned char *tbs = OPENSSL_malloc(tbslen);
2359 
2360     if (tbs == NULL) {
2361         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_CONSTRUCT_KEY_EXCHANGE_TBS,
2362                  ERR_R_MALLOC_FAILURE);
2363         return 0;
2364     }
2365     memcpy(tbs, s->s3->client_random, SSL3_RANDOM_SIZE);
2366     memcpy(tbs + SSL3_RANDOM_SIZE, s->s3->server_random, SSL3_RANDOM_SIZE);
2367 
2368     memcpy(tbs + SSL3_RANDOM_SIZE * 2, param, paramlen);
2369 
2370     *ptbs = tbs;
2371     return tbslen;
2372 }
2373 
2374 /*
2375  * Saves the current handshake digest for Post-Handshake Auth,
2376  * Done after ClientFinished is processed, done exactly once
2377  */
2378 int tls13_save_handshake_digest_for_pha(SSL *s)
2379 {
2380     if (s->pha_dgst == NULL) {
2381         if (!ssl3_digest_cached_records(s, 1))
2382             /* SSLfatal() already called */
2383             return 0;
2384 
2385         s->pha_dgst = EVP_MD_CTX_new();
2386         if (s->pha_dgst == NULL) {
2387             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2388                      SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2389                      ERR_R_INTERNAL_ERROR);
2390             return 0;
2391         }
2392         if (!EVP_MD_CTX_copy_ex(s->pha_dgst,
2393                                 s->s3->handshake_dgst)) {
2394             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2395                      SSL_F_TLS13_SAVE_HANDSHAKE_DIGEST_FOR_PHA,
2396                      ERR_R_INTERNAL_ERROR);
2397             return 0;
2398         }
2399     }
2400     return 1;
2401 }
2402 
2403 /*
2404  * Restores the Post-Handshake Auth handshake digest
2405  * Done just before sending/processing the Cert Request
2406  */
2407 int tls13_restore_handshake_digest_for_pha(SSL *s)
2408 {
2409     if (s->pha_dgst == NULL) {
2410         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2411                  SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2412                  ERR_R_INTERNAL_ERROR);
2413         return 0;
2414     }
2415     if (!EVP_MD_CTX_copy_ex(s->s3->handshake_dgst,
2416                             s->pha_dgst)) {
2417         SSLfatal(s, SSL_AD_INTERNAL_ERROR,
2418                  SSL_F_TLS13_RESTORE_HANDSHAKE_DIGEST_FOR_PHA,
2419                  ERR_R_INTERNAL_ERROR);
2420         return 0;
2421     }
2422     return 1;
2423 }
2424