Validate that the provided key_share is in supported_groups

[openssl.git] / ssl / statem / statem_srvr.c
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c

index ca7f5afe4b581badadc55ce43901c7baaf87c9ea..c8c0b8e17a596305b1ad47fb9cf8ff3a37631151 100644 (file)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -68,10 +68,90 @@ static STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                                                        int *al);
  
  /*
                                                        int *al);
  
  /*
- * server_read_transition() encapsulates the logic for the allowed handshake
- * state transitions when the server is reading messages from the client. The
- * message type that the client has sent is provided in |mt|. The current state
- * is in |s->statem.hand_state|.
+ * ossl_statem_server13_read_transition() encapsulates the logic for the allowed
+ * handshake state transitions when a TLSv1.3 server is reading messages from
+ * the client. The message type that the client has sent is provided in |mt|.
+ * The current state is in |s->statem.hand_state|.
+ *
+ *  Valid return values are:
+ *  1: Success (transition allowed)
+ *  0: Error (transition not allowed)
+ */
+static int ossl_statem_server13_read_transition(SSL *s, int mt)
+{
+    OSSL_STATEM *st = &s->statem;
+
+    /*
+     * Note: There is no case for TLS_ST_BEFORE because at that stage we have
+     * not negotiated TLSv1.3 yet, so that case is handled by
+     * ossl_statem_server_read_transition()
+     */
+    switch (st->hand_state) {
+    default:
+        break;
+
+    case TLS_ST_SW_SRVR_DONE:
+        if (s->s3->tmp.cert_request) {
+            if (mt == SSL3_MT_CERTIFICATE) {
+                st->hand_state = TLS_ST_SR_CERT;
+                return 1;
+            }
+        } else {
+            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+                st->hand_state = TLS_ST_SR_CHANGE;
+                return 1;
+            }
+        }
+        break;
+
+    case TLS_ST_SR_CERT:
+        if (s->session->peer == NULL) {
+            if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+                st->hand_state = TLS_ST_SR_CHANGE;
+                return 1;
+            }
+        } else {
+            if (mt == SSL3_MT_CERTIFICATE_VERIFY) {
+                st->hand_state = TLS_ST_SR_CERT_VRFY;
+                return 1;
+            }
+        }
+        break;
+
+    case TLS_ST_SR_CERT_VRFY:
+        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+            st->hand_state = TLS_ST_SR_CHANGE;
+            return 1;
+        }
+        break;
+
+    case TLS_ST_SR_CHANGE:
+        if (mt == SSL3_MT_FINISHED) {
+            st->hand_state = TLS_ST_SR_FINISHED;
+            return 1;
+        }
+        break;
+
+    case TLS_ST_SW_FINISHED:
+        if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+            st->hand_state = TLS_ST_SR_CHANGE;
+            return 1;
+        }
+        break;
+    }
+
+    /* No valid transition found */
+    ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_UNEXPECTED_MESSAGE);
+    SSLerr(SSL_F_OSSL_STATEM_SERVER13_READ_TRANSITION,
+           SSL_R_UNEXPECTED_MESSAGE);
+    return 0;
+}
+
+/*
+ * ossl_statem_server_read_transition() encapsulates the logic for the allowed
+ * handshake state transitions when the server is reading messages from the
+ * client. The message type that the client has sent is provided in |mt|. The
+ * current state is in |s->statem.hand_state|.
   *
   *  Valid return values are:
   *  1: Success (transition allowed)
   *
   *  Valid return values are:
   *  1: Success (transition allowed)
@@ -81,6 +161,9 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
  {
      OSSL_STATEM *st = &s->statem;
  
  {
      OSSL_STATEM *st = &s->statem;
  
+    if (s->method->version == TLS1_3_VERSION)
+        return ossl_statem_server13_read_transition(s, mt);
+
      switch (st->hand_state) {
      default:
          break;
      switch (st->hand_state) {
      default:
          break;
@@ -304,13 +387,116 @@ static int send_certificate_request(SSL *s)
  }
  
  /*
  }
  
  /*
- * server_write_transition() works out what handshake state to move to next
- * when the server is writing messages to be sent to the client.
+ * ossl_statem_server13_write_transition() works out what handshake state to
+ * move to next when a TLSv1.3 server is writing messages to be sent to the
+ * client.
+ *
+ * Return values:
+ * WRITE_TRAN_ERROR - an error occurred
+ * WRITE_TRAN_CONTINUE - Successful transition, more writing to be done
+ * WRITE_TRAN_FINISHED - Successful transition, no more writing to be done
+ */
+static WRITE_TRAN ossl_statem_server13_write_transition(SSL *s)
+{
+    OSSL_STATEM *st = &s->statem;
+
+    /*
+     * No case for TLS_ST_BEFORE, because at that stage we have not negotiated
+     * TLSv1.3 yet, so that is handled by ossl_statem_server_write_transition()
+     */
+
+    switch (st->hand_state) {
+    default:
+        /* Shouldn't happen */
+        return WRITE_TRAN_ERROR;
+
+    case TLS_ST_SR_CLNT_HELLO:
+        st->hand_state = TLS_ST_SW_SRVR_HELLO;
+        return WRITE_TRAN_CONTINUE;
+
+    case TLS_ST_SW_SRVR_HELLO:
+        if (s->hit) {
+            if (s->tlsext_ticket_expected)
+                st->hand_state = TLS_ST_SW_SESSION_TICKET;
+            else
+                st->hand_state = TLS_ST_SW_CHANGE;
+        } else {
+            st->hand_state = TLS_ST_SW_CERT;
+        }
+        return WRITE_TRAN_CONTINUE;
+
+    case TLS_ST_SW_CERT:
+        if (s->tlsext_status_expected) {
+            st->hand_state = TLS_ST_SW_CERT_STATUS;
+            return WRITE_TRAN_CONTINUE;
+        }
+        /* Fall through */
+
+    case TLS_ST_SW_CERT_STATUS:
+        if (send_certificate_request(s)) {
+            st->hand_state = TLS_ST_SW_CERT_REQ;
+            return WRITE_TRAN_CONTINUE;
+        }
+        /* Fall through */
+
+    case TLS_ST_SW_CERT_REQ:
+        st->hand_state = TLS_ST_SW_SRVR_DONE;
+        return WRITE_TRAN_CONTINUE;
+
+    case TLS_ST_SW_SRVR_DONE:
+        return WRITE_TRAN_FINISHED;
+
+    case TLS_ST_SR_FINISHED:
+        if (s->hit) {
+            st->hand_state = TLS_ST_OK;
+            ossl_statem_set_in_init(s, 0);
+            return WRITE_TRAN_CONTINUE;
+        } else if (s->tlsext_ticket_expected) {
+            st->hand_state = TLS_ST_SW_SESSION_TICKET;
+        } else {
+            st->hand_state = TLS_ST_SW_CHANGE;
+        }
+        return WRITE_TRAN_CONTINUE;
+
+    case TLS_ST_SW_SESSION_TICKET:
+        st->hand_state = TLS_ST_SW_CHANGE;
+        return WRITE_TRAN_CONTINUE;
+
+    case TLS_ST_SW_CHANGE:
+        st->hand_state = TLS_ST_SW_FINISHED;
+        return WRITE_TRAN_CONTINUE;
+
+    case TLS_ST_SW_FINISHED:
+        if (s->hit) {
+            return WRITE_TRAN_FINISHED;
+        }
+        st->hand_state = TLS_ST_OK;
+        ossl_statem_set_in_init(s, 0);
+        return WRITE_TRAN_CONTINUE;
+    }
+}
+
+/*
+ * ossl_statem_server_write_transition() works out what handshake state to move
+ * to next when the server is writing messages to be sent to the client.
+ *
+ * Return values:
+ * WRITE_TRAN_ERROR - an error occurred
+ * WRITE_TRAN_CONTINUE - Successful transition, more writing to be done
+ * WRITE_TRAN_FINISHED - Successful transition, no more writing to be done
   */
  WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
  {
      OSSL_STATEM *st = &s->statem;
  
   */
  WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
  {
      OSSL_STATEM *st = &s->statem;
  
+    /*
+     * Note that before the ClientHello we don't know what version we are going
+     * to negotiate yet, so we don't take this branch until later
+     */
+
+    if (s->method->version == TLS1_3_VERSION)
+        return ossl_statem_server13_write_transition(s);
+
      switch (st->hand_state) {
      default:
          /* Shouldn't happen */
      switch (st->hand_state) {
      default:
          /* Shouldn't happen */
@@ -903,18 +1089,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
      CLIENTHELLO_MSG clienthello;
  
      /*
      CLIENTHELLO_MSG clienthello;
  
      /*
-     * First step is to parse the raw ClientHello data into the CLIENTHELLO_MSG
-     * structure.
+     * First, parse the raw ClientHello data into the CLIENTHELLO_MSG structure.
       */
       */
-
      memset(&clienthello, 0, sizeof(clienthello));
      memset(&clienthello, 0, sizeof(clienthello));
-
      clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
      clienthello.isv2 = RECORD_LAYER_is_sslv2_record(&s->rlayer);
-
      PACKET_null_init(&cookie);
  
      if (clienthello.isv2) {
          unsigned int mt;
      PACKET_null_init(&cookie);
  
      if (clienthello.isv2) {
          unsigned int mt;
+
          /*-
           * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
           * header is sent directly on the wire, not wrapped as a TLS
          /*-
           * An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
           * header is sent directly on the wire, not wrapped as a TLS
@@ -942,7 +1125,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
          }
      }
  
          }
      }
  
-    if (!PACKET_get_net_2(pkt, &clienthello.version)) {
+    if (!PACKET_get_net_2(pkt, &clienthello.legacy_version)) {
          al = SSL_AD_DECODE_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
          goto err;
          al = SSL_AD_DECODE_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
          goto err;
@@ -953,7 +1136,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
          /*
           * Handle an SSLv2 backwards compatible ClientHello
           * Note, this is only for SSLv3+ using the backward compatible format.
          /*
           * Handle an SSLv2 backwards compatible ClientHello
           * Note, this is only for SSLv3+ using the backward compatible format.
-         * Real SSLv2 is not supported, and is rejected above.
+         * Real SSLv2 is not supported, and is rejected below.
           */
          unsigned int ciphersuite_len, session_id_len, challenge_len;
          PACKET challenge;
           */
          unsigned int ciphersuite_len, session_id_len, challenge_len;
          PACKET challenge;
@@ -966,7 +1149,6 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
              al = SSL_AD_DECODE_ERROR;
              goto f_err;
          }
              al = SSL_AD_DECODE_ERROR;
              goto f_err;
          }
-        clienthello.session_id_len = session_id_len;
  
          if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
              al = SSL_AD_DECODE_ERROR;
  
          if (session_id_len > SSL_MAX_SSL_SESSION_ID_LENGTH) {
              al = SSL_AD_DECODE_ERROR;
@@ -976,8 +1158,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
  
          if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
                                     ciphersuite_len)
  
          if (!PACKET_get_sub_packet(pkt, &clienthello.ciphersuites,
                                     ciphersuite_len)
-            || !PACKET_get_sub_packet(pkt, &session_id,
-                                      clienthello.session_id_len)
+            || !PACKET_copy_bytes(pkt, clienthello.session_id, session_id_len)
              || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
              /* No extensions. */
              || PACKET_remaining(pkt) != 0) {
              || !PACKET_get_sub_packet(pkt, &challenge, challenge_len)
              /* No extensions. */
              || PACKET_remaining(pkt) != 0) {
@@ -986,10 +1167,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
              al = SSL_AD_DECODE_ERROR;
              goto f_err;
          }
              al = SSL_AD_DECODE_ERROR;
              goto f_err;
          }
+        clienthello.session_id_len = session_id_len;
  
  
-        /* Load the client random and compression list. */
-        challenge_len = challenge_len > SSL3_RANDOM_SIZE ? SSL3_RANDOM_SIZE :
-            challenge_len;
+        /* Load the client random and compression list. We use SSL3_RANDOM_SIZE
+         * here rather than sizeof(clienthello.random) because that is the limit
+         * for SSLv3 and it is fixed. It won't change even if
+         * sizeof(clienthello.random) does.
+         */
+        challenge_len = challenge_len > SSL3_RANDOM_SIZE
+                        ? SSL3_RANDOM_SIZE : challenge_len;
          memset(clienthello.random, 0, SSL3_RANDOM_SIZE);
          if (!PACKET_copy_bytes(&challenge,
                                 clienthello.random + SSL3_RANDOM_SIZE -
          memset(clienthello.random, 0, SSL3_RANDOM_SIZE);
          if (!PACKET_copy_bytes(&challenge,
                                 clienthello.random + SSL3_RANDOM_SIZE -
@@ -1005,7 +1191,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
      } else {
          /* Regular ClientHello. */
          if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
      } else {
          /* Regular ClientHello. */
          if (!PACKET_copy_bytes(pkt, clienthello.random, SSL3_RANDOM_SIZE)
-            || !PACKET_get_length_prefixed_1(pkt, &session_id)) {
+            || !PACKET_get_length_prefixed_1(pkt, &session_id)
+            || !PACKET_copy_all(&session_id, clienthello.session_id,
+                    SSL_MAX_SSL_SESSION_ID_LENGTH,
+                    &clienthello.session_id_len)) {
              al = SSL_AD_DECODE_ERROR;
              SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
              goto f_err;
              al = SSL_AD_DECODE_ERROR;
              SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
              goto f_err;
@@ -1060,18 +1249,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
      }
  
      if (!PACKET_copy_all(&compression, clienthello.compressions,
      }
  
      if (!PACKET_copy_all(&compression, clienthello.compressions,
-                         MAX_COMPRESSIONS_SIZE, &clienthello.compressions_len)
-            || !PACKET_copy_all(&session_id, clienthello.session_id,
-                                SSL_MAX_SSL_SESSION_ID_LENGTH,
-                                &clienthello.session_id_len)) {
+                         MAX_COMPRESSIONS_SIZE,
+                         &clienthello.compressions_len)) {
          al = SSL_AD_DECODE_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
          goto f_err;
      }
  
          al = SSL_AD_DECODE_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
          goto f_err;
      }
  
-    /* We preserve the raw extensions PACKET for later use */
+    /* Preserve the raw extensions PACKET for later use */
      extensions = clienthello.extensions;
      extensions = clienthello.extensions;
-    if (!tls_parse_raw_extensions(&extensions, &clienthello.pre_proc_exts,
+    if (!tls_collect_extensions(&extensions, &clienthello.pre_proc_exts,
                                    &clienthello.num_extensions, &al)) {
          /* SSLerr already been called */
          goto f_err;
                                    &clienthello.num_extensions, &al)) {
          /* SSLerr already been called */
          goto f_err;
@@ -1085,18 +1272,18 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
      /* Choose the version */
  
      if (clienthello.isv2) {
      /* Choose the version */
  
      if (clienthello.isv2) {
-        if (clienthello.version == 0x0002) {
-            /* This is real SSLv2. We don't support it. */
-            SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
-            goto err;
-        } else if ((clienthello.version & 0xff00) == (SSL3_VERSION_MAJOR << 8)) {
-            /* SSLv3/TLS */
-            s->client_version = clienthello.version;
-        } else {
-            /* No idea what protocol this is */
+        if (clienthello.legacy_version == SSL2_VERSION
+                || (clienthello.legacy_version & 0xff00)
+                   != (SSL3_VERSION_MAJOR << 8)) {
+            /*
+             * This is real SSLv2 or something complete unknown. We don't
+             * support it.
+             */
              SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
              goto err;
          }
              SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL);
              goto err;
          }
+        /* SSLv3/TLS */
+        s->client_version = clienthello.legacy_version;
      }
      /*
       * Do SSL/TLS version negotiation if applicable. For DTLS we just check
      }
      /*
       * Do SSL/TLS version negotiation if applicable. For DTLS we just check
@@ -1105,7 +1292,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
      if (!SSL_IS_DTLS(s)) {
          protverr = ssl_choose_server_version(s, &clienthello);
      } else if (s->method->version != DTLS_ANY_VERSION &&
      if (!SSL_IS_DTLS(s)) {
          protverr = ssl_choose_server_version(s, &clienthello);
      } else if (s->method->version != DTLS_ANY_VERSION &&
-               DTLS_VERSION_LT((int)clienthello.version, s->version)) {
+               DTLS_VERSION_LT((int)clienthello.legacy_version, s->version)) {
          protverr = SSL_R_VERSION_TOO_LOW;
      } else {
          protverr = 0;
          protverr = SSL_R_VERSION_TOO_LOW;
      } else {
          protverr = 0;
@@ -1114,11 +1301,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
      if (protverr) {
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
          if ((!s->enc_write_ctx && !s->write_hash)) {
      if (protverr) {
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, protverr);
          if ((!s->enc_write_ctx && !s->write_hash)) {
-            /*
-             * similar to ssl3_get_record, send alert using remote version
-             * number
-             */
-            s->version = s->client_version = clienthello.version;
+            /* like ssl3_get_record, send alert using remote version number */
+            s->version = s->client_version = clienthello.legacy_version;
          }
          al = SSL_AD_PROTOCOL_VERSION;
          goto f_err;
          }
          al = SSL_AD_PROTOCOL_VERSION;
          goto f_err;
@@ -1160,8 +1344,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
      s->hit = 0;
  
      /* We need to do this before getting the session */
      s->hit = 0;
  
      /* We need to do this before getting the session */
-    if (!tls_check_client_ems_support(s, &clienthello))
-    {
+    if (!tls_check_client_ems_support(s, &clienthello)) {
          /* Only fails if the extension is malformed */
          al = SSL_AD_DECODE_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
          /* Only fails if the extension is malformed */
          al = SSL_AD_DECODE_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
@@ -1212,7 +1395,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
          }
      }
  
          }
      }
  
-    if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &(ciphers),
+    if (ssl_bytes_to_cipher_list(s, &clienthello.ciphersuites, &ciphers,
                                   clienthello.isv2, &al) == NULL) {
          goto f_err;
      }
                                   clienthello.isv2, &al) == NULL) {
          goto f_err;
      }
@@ -1266,6 +1449,15 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
          goto err;
      }
  
          goto err;
      }
  
+    /* Check we've got a key_share for TLSv1.3 */
+    if (s->version == TLS1_3_VERSION && s->s3->peer_tmp == NULL && !s->hit) {
+        /* No suitable share */
+        /* TODO(1.3): Send a HelloRetryRequest */
+        al = SSL_AD_HANDSHAKE_FAILURE;
+        SSLerr(SSL_F_TLS_PROCESS_CLIENT_HELLO, SSL_R_NO_SUITABLE_KEY_SHARE);
+        goto f_err;
+    }
+
      /*
       * Check if we want to use external pre-shared secret for this handshake
       * for not reused session only. We need to generate server_random before
      /*
       * Check if we want to use external pre-shared secret for this handshake
       * for not reused session only. We need to generate server_random before
@@ -1434,8 +1626,8 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
  
      sk_SSL_CIPHER_free(ciphers);
      OPENSSL_free(clienthello.pre_proc_exts);
  
      sk_SSL_CIPHER_free(ciphers);
      OPENSSL_free(clienthello.pre_proc_exts);
-    return MSG_PROCESS_ERROR;
  
  
+    return MSG_PROCESS_ERROR;
  }
  
  WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
  }
  
  WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
@@ -1529,6 +1721,9 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
              if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                  SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_CLIENTHELLO_TLSEXT);
              if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                  SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
                         SSL_R_CLIENTHELLO_TLSEXT);
+            else
+                SSLerr(SSL_F_TLS_POST_PROCESS_CLIENT_HELLO,
+                       SSL_R_PSK_IDENTITY_NOT_FOUND);
              goto f_err;
          }
      }
              goto f_err;
          }
      }
@@ -1546,8 +1741,11 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
  {
      int compm, al = SSL_AD_INTERNAL_ERROR;
      size_t sl, len;
  {
      int compm, al = SSL_AD_INTERNAL_ERROR;
      size_t sl, len;
+    int version;
  
  
-    if (!WPACKET_put_bytes_u16(pkt, s->version)
+    /* TODO(TLS1.3): Remove the DRAFT conditional before release */
+    version = SSL_IS_TLS13(s) ? TLS1_3_VERSION_DRAFT : s->version;
+    if (!WPACKET_put_bytes_u16(pkt, version)
                 /*
                  * Random stuff. Filling of the server_random takes place in
                  * tls_process_client_hello()
                 /*
                  * Random stuff. Filling of the server_random takes place in
                  * tls_process_client_hello()
@@ -1733,7 +1931,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
          }
  
          /* Get NID of appropriate shared curve */
          }
  
          /* Get NID of appropriate shared curve */
-        nid = tls1_shared_curve(s, -2);
+        nid = tls1_shared_group(s, -2);
          curve_id = tls1_ec_nid2curve_id(nid);
          if (curve_id == 0) {
              SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
          curve_id = tls1_ec_nid2curve_id(nid);
          if (curve_id == 0) {
              SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
@@ -2304,7 +2502,7 @@ static int tls_process_cke_dhe(SSL *s, PACKET *pkt, int *al)
          goto err;
      }
  
          goto err;
      }
  
-    if (ssl_derive(s, skey, ckey) == 0) {
+    if (ssl_derive(s, skey, ckey, 1) == 0) {
          *al = SSL_AD_INTERNAL_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
          goto err;
          *al = SSL_AD_INTERNAL_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CKE_DHE, ERR_R_INTERNAL_ERROR);
          goto err;
@@ -2364,7 +2562,7 @@ static int tls_process_cke_ecdhe(SSL *s, PACKET *pkt, int *al)
          }
      }
  
          }
      }
  
-    if (ssl_derive(s, skey, ckey) == 0) {
+    if (ssl_derive(s, skey, ckey, 1) == 0) {
          *al = SSL_AD_INTERNAL_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
          goto err;
          *al = SSL_AD_INTERNAL_ERROR;
          SSLerr(SSL_F_TLS_PROCESS_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
          goto err;
@@ -2764,6 +2962,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
          al = SSL_AD_INTERNAL_ERROR;
          goto f_err;
      }
          al = SSL_AD_INTERNAL_ERROR;
          goto f_err;
      }
+
  #ifdef SSL_DEBUG
      fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
  #endif
  #ifdef SSL_DEBUG
      fprintf(stderr, "Using client verify alg %s\n", EVP_MD_name(md));
  #endif
@@ -2919,6 +3118,17 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt)
  
      sk_X509_pop_free(s->session->peer_chain, X509_free);
      s->session->peer_chain = sk;
  
      sk_X509_pop_free(s->session->peer_chain, X509_free);
      s->session->peer_chain = sk;
+
+    /*
+     * Freeze the handshake buffer. For <TLS1.3 we do this after the CKE
+     * message
+     */
+    if (s->version == TLS1_3_VERSION && !ssl3_digest_cached_records(s, 1)) {
+        al = SSL_AD_INTERNAL_ERROR;
+        SSLerr(SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR);
+        goto f_err;
+    }
+
      /*
       * Inconsistency alert: cert_chain does *not* include the peer's own
       * certificate, while we do include it in statem_clnt.c
      /*
       * Inconsistency alert: cert_chain does *not* include the peer's own
       * certificate, while we do include it in statem_clnt.c