int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
{
- EVP_PKEY *pkey;
- const EVP_MD *md;
+ EVP_PKEY *pkey = s->cert->key->privatekey;
+ const EVP_MD *md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
size_t hdatalen = 0, siglen = 0;
unsigned char tls13tbs[TLS13_TBS_PREAMBLE_SIZE + EVP_MAX_MD_SIZE];
int pktype, ispss = 0;
- if (s->server) {
- /* Only happens in TLSv1.3 */
- /*
- * TODO(TLS1.3): This needs to change. We should not get this from the
- * cipher. However, for now, we have not done the work to separate the
- * certificate type from the ciphersuite
- */
- pkey = ssl_get_sign_pkey(s, s->s3->tmp.new_cipher, &md);
- if (pkey == NULL)
- goto err;
- } else {
- md = s->s3->tmp.md[s->cert->key - s->cert->pkeys];
- pkey = s->cert->key->privatekey;
- }
pktype = EVP_PKEY_id(pkey);
mctx = EVP_MD_CTX_new();
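Review bot: The initializers added on L5-L6 carry no NULL check, whereas the server branch they replace guarded `pkey == NULL` before use; `EVP_PKEY_id(pkey)` on L26 now runs on whatever `s->cert->key->privatekey` holds. If `s->cert->key` can be unset or the `tmp.md` slot can be NULL at this point (the callers are not visible from here), a guard such as `if (pkey == NULL || md == NULL) goto err;` placed before L26 would preserve the earlier protection; the `err` label is outside the hunk, but the removed lines show it exists in this function. The rest of tls_construct_cert_verify's body continues past the hunk.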
peer = s->session->peer;
pkey = X509_get0_pubkey(peer);
+ if (pkey == NULL) {
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
+
pktype = EVP_PKEY_id(pkey);
type = X509_certificate_type(peer, pkey);
goto err;
}
- /* Log the master secret, if logging is enabled. */
- if (!ssl_log_master_secret(s, s->s3->client_random, SSL3_RANDOM_SIZE,
- s->session->master_key,
- s->session->master_key_length))
+ /*
+ * Log the master secret, if logging is enabled. We don't log it for
+ * TLSv1.3: there's a different key schedule for that.
+ */
+ if (!SSL_IS_TLS13(s) && !ssl_log_secret(s, MASTER_SECRET_LABEL,
+ s->session->master_key,
+ s->session->master_key_length))
return 0;
/*
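Review bot: The new condition on L47 silently skips logging under TLSv1.3, but the comment on L43-L46 only says the key schedule differs, not where (or whether) TLSv1.3 secrets are logged instead, so a maintainer of the key-log feature cannot tell from this hunk what happens to those sessions. Suggest extending the comment with a line such as `* TLSv1.3 secrets are logged from the key schedule code instead.` if that is where it happens, or stating explicitly that they are not logged yet. The call also drops the client_random argument the old ssl_log_master_secret took, so ssl_log_secret presumably reads it from `s` itself; worth confirming. The enclosing function starts and ends outside the hunk.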
default:
return -1;
case EVP_PKEY_RSA:
- return SSL_PKEY_RSA_ENC;
+ return SSL_PKEY_RSA;
case EVP_PKEY_DSA:
return SSL_PKEY_DSA_SIGN;
#ifndef OPENSSL_NO_EC
switch (server_version) {
default:
+ if (!SSL_IS_TLS13(s)) {
+ if (version_cmp(s, client_version, s->version) < 0)
+ return SSL_R_WRONG_SSL_VERSION;
+ /*
+ * If this SSL handle is not from a version flexible method we don't
+ * (and never did) check min/max FIPS or Suite B constraints. Hope
+ * that's OK. It is up to the caller to not choose fixed protocol
+ * versions they don't want. If not, then easy to fix, just return
+ * ssl_method_error(s, s->method)
+ */
+ return 0;
+ }
/*
- * TODO(TLS1.3): This check will fail if someone attempts to do
- * renegotiation in TLS1.3 at the moment. We need to ensure we disable
- * renegotiation for TLS1.3
- */
- if (version_cmp(s, client_version, s->version) < 0)
- return SSL_R_WRONG_SSL_VERSION;
- /*
- * If this SSL handle is not from a version flexible method we don't
- * (and never did) check min/max FIPS or Suite B constraints. Hope
- * that's OK. It is up to the caller to not choose fixed protocol
- * versions they don't want. If not, then easy to fix, just return
- * ssl_method_error(s, s->method)
+ * Fall through if we are TLSv1.3 already (this means we must be after
+ * a HelloRetryRequest
*/
- return 0;
case TLS_ANY_VERSION:
table = tls_version_table;
break;
}
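Review bot: The `default:` case now falls through into `case TLS_ANY_VERSION:` on L91 whenever SSL_IS_TLS13(s) is true, and the only marker is the comment on L87-L89, which ends with an unclosed parenthesis. Closing it and adding an explicit marker would read cleaner, e.g. `* a HelloRetryRequest).` followed by `/* fall through */` immediately before L91. The removed TODO about renegotiation is gone, and the version_cmp check on L63 no longer runs for a TLSv1.3 handle in this case; that appears to be covered by the post-HelloRetryRequest checks added later in the same commit, but a short sentence in the comment saying so would save the next reader the cross-reference.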
if (best_vers > 0) {
+ if (SSL_IS_TLS13(s)) {
+ /*
+ * We get here if this is after a HelloRetryRequest. In this
+ * case we just check that we still negotiated TLSv1.3
+ */
+ if (best_vers != TLS1_3_VERSION)
+ return SSL_R_UNSUPPORTED_PROTOCOL;
+ return 0;
+ }
s->version = best_vers;
s->method = best_method;
return 0;
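Review bot: The post-HelloRetryRequest check on L101 rejects a non-TLSv1.3 result with SSL_R_UNSUPPORTED_PROTOCOL, while the client-side check added at L111-L112 for the same situation (the negotiated version changing after an HRR) returns SSL_R_WRONG_SSL_VERSION; using one reason code for both sides would make this downgrade failure easier to recognise in logs. The new branch also deliberately leaves `s->version` and `s->method` untouched, which is correct only because they were set on the first ClientHello pass; a line in the comment such as `* s->version and s->method were already set on the first pass.` would record that assumption. The hunk containing L111 is cut off at the end of SOURCE, so it is not reviewed separately.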
continue;
if (vent->cmeth == NULL)
break;
+ if (s->hello_retry_request && version != TLS1_3_VERSION)
+ return SSL_R_WRONG_SSL_VERSION;
+
method = vent->cmeth();
err = ssl_method_error(s, method);
if (err != 0)