kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4426 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 3a1dd46e4e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3a1dd46e4e'
${ noResults }
boringssl/ssl/tls13_both.cc

663 lines
20 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bytestring.h>

  21. #include <openssl/err.h>

  22. #include <openssl/hkdf.h>

  23. #include <openssl/mem.h>

  24. #include <openssl/stack.h>

  25. #include <openssl/x509.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. /* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be

  32.  * processed. Without this limit an attacker could force unbounded processing

  33.  * without being able to return application data. */

  34. static const uint8_t kMaxKeyUpdates = 32;

  35. 

  36. int tls13_handshake(SSL_HANDSHAKE *hs, int *out_early_return) {

  37.   SSL *const ssl = hs->ssl;

  38.   for (;;) {

  39.     /* Resolve the operation the handshake was waiting on. */

  40.     switch (hs->wait) {

  41.       case ssl_hs_error:

  42.         OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);

  43.         return -1;

  44. 

  45.       case ssl_hs_flush:

  46.       case ssl_hs_flush_and_read_message: {

  47.         int ret = ssl->method->flush_flight(ssl);

  48.         if (ret <= 0) {

  49.           return ret;

  50.         }

  51.         if (hs->wait != ssl_hs_flush_and_read_message) {

  52.           break;

  53.         }

  54.         ssl->method->expect_flight(ssl);

  55.         hs->wait = ssl_hs_read_message;

  56.         SSL_FALLTHROUGH;

  57.       }

  58. 

  59.       case ssl_hs_read_message: {

  60.         int ret = ssl->method->ssl_get_message(ssl);

  61.         if (ret <= 0) {

  62.           return ret;

  63.         }

  64.         break;

  65.       }

  66. 

  67.       case ssl_hs_read_change_cipher_spec: {

  68.         int ret = ssl->method->read_change_cipher_spec(ssl);

  69.         if (ret <= 0) {

  70.           return ret;

  71.         }

  72.         break;

  73.       }

  74. 

  75.       case ssl_hs_read_end_of_early_data: {

  76.         if (ssl->s3->hs->can_early_read) {

  77.           /* While we are processing early data, the handshake returns early. */

  78.           *out_early_return = 1;

  79.           return 1;

  80.         }

  81.         hs->wait = ssl_hs_ok;

  82.         break;

  83.       }

  84. 

  85.       case ssl_hs_x509_lookup:

  86.         ssl->rwstate = SSL_X509_LOOKUP;

  87.         hs->wait = ssl_hs_ok;

  88.         return -1;

  89. 

  90.       case ssl_hs_channel_id_lookup:

  91.         ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;

  92.         hs->wait = ssl_hs_ok;

  93.         return -1;

  94. 

  95.       case ssl_hs_private_key_operation:

  96.         ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;

  97.         hs->wait = ssl_hs_ok;

  98.         return -1;

  99. 

  100.       case ssl_hs_pending_ticket:

  101.         ssl->rwstate = SSL_PENDING_TICKET;

  102.         hs->wait = ssl_hs_ok;

  103.         return -1;

  104. 

  105.       case ssl_hs_certificate_verify:

  106.         ssl->rwstate = SSL_CERTIFICATE_VERIFY;

  107.         hs->wait = ssl_hs_ok;

  108.         return -1;

  109. 

  110.       case ssl_hs_early_data_rejected:

  111.         ssl->rwstate = SSL_EARLY_DATA_REJECTED;

  112.         /* Cause |SSL_write| to start failing immediately. */

  113.         hs->can_early_write = 0;

  114.         return -1;

  115. 

  116.       case ssl_hs_ok:

  117.         break;

  118.     }

  119. 

  120.     /* Run the state machine again. */

  121.     hs->wait = hs->do_tls13_handshake(hs);

  122.     if (hs->wait == ssl_hs_error) {

  123.       /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the

  124.        * first time around. */

  125.       return -1;

  126.     }

  127.     if (hs->wait == ssl_hs_ok) {

  128.       /* The handshake has completed. */

  129.       return 1;

  130.     }

  131. 

  132.     /* Otherwise, loop to the beginning and resolve what was blocking the

  133.      * handshake. */

  134.   }

  135. }

  136. 

  137. int tls13_get_cert_verify_signature_input(

  138.     SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len,

  139.     enum ssl_cert_verify_context_t cert_verify_context) {

  140.   CBB cbb;

  141.   if (!CBB_init(&cbb, 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {

  142.     goto err;

  143.   }

  144. 

  145.   for (size_t i = 0; i < 64; i++) {

  146.     if (!CBB_add_u8(&cbb, 0x20)) {

  147.       goto err;

  148.     }

  149.   }

  150. 

  151.   const uint8_t *context;

  152.   size_t context_len;

  153.   if (cert_verify_context == ssl_cert_verify_server) {

  154.     /* Include the NUL byte. */

  155.     static const char kContext[] = "TLS 1.3, server CertificateVerify";

  156.     context = (const uint8_t *)kContext;

  157.     context_len = sizeof(kContext);

  158.   } else if (cert_verify_context == ssl_cert_verify_client) {

  159.     static const char kContext[] = "TLS 1.3, client CertificateVerify";

  160.     context = (const uint8_t *)kContext;

  161.     context_len = sizeof(kContext);

  162.   } else if (cert_verify_context == ssl_cert_verify_channel_id) {

  163.     static const char kContext[] = "TLS 1.3, Channel ID";

  164.     context = (const uint8_t *)kContext;

  165.     context_len = sizeof(kContext);

  166.   } else {

  167.     goto err;

  168.   }

  169. 

  170.   if (!CBB_add_bytes(&cbb, context, context_len)) {

  171.     goto err;

  172.   }

  173. 

  174.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  175.   size_t context_hash_len;

  176.   if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, context_hash,

  177.                                &context_hash_len) ||

  178.       !CBB_add_bytes(&cbb, context_hash, context_hash_len) ||

  179.       !CBB_finish(&cbb, out, out_len)) {

  180.     goto err;

  181.   }

  182. 

  183.   return 1;

  184. 

  185. err:

  186.   OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  187.   CBB_cleanup(&cbb);

  188.   return 0;

  189. }

  190. 

  191. int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {

  192.   SSL *const ssl = hs->ssl;

  193.   CBS cbs, context, certificate_list;

  194.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  195.   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||

  196.       CBS_len(&context) != 0) {

  197.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  198.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  199.     return 0;

  200.   }

  201. 

  202.   const int retain_sha256 =

  203.       ssl->server && ssl->retain_only_sha256_of_client_certs;

  204.   int ret = 0;

  205. 

  206.   EVP_PKEY *pkey = NULL;

  207.   STACK_OF(CRYPTO_BUFFER) *certs = sk_CRYPTO_BUFFER_new_null();

  208.   if (certs == NULL) {

  209.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  210.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  211.     goto err;

  212.   }

  213. 

  214.   if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list)) {

  215.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  216.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  217.     goto err;

  218.   }

  219. 

  220.   while (CBS_len(&certificate_list) > 0) {

  221.     CBS certificate, extensions;

  222.     if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||

  223.         !CBS_get_u16_length_prefixed(&certificate_list, &extensions) ||

  224.         CBS_len(&certificate) == 0) {

  225.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  226.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);

  227.       goto err;

  228.     }

  229. 

  230.     if (sk_CRYPTO_BUFFER_num(certs) == 0) {

  231.       pkey = ssl_cert_parse_pubkey(&certificate);

  232.       if (pkey == NULL) {

  233.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  234.         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  235.         goto err;

  236.       }

  237.       /* TLS 1.3 always uses certificate keys for signing thus the correct

  238.        * keyUsage is enforced. */

  239.       if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {

  240.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  241.         goto err;

  242.       }

  243. 

  244.       if (retain_sha256) {

  245.         /* Retain the hash of the leaf certificate if requested. */

  246.         SHA256(CBS_data(&certificate), CBS_len(&certificate),

  247.                hs->new_session->peer_sha256);

  248.       }

  249.     }

  250. 

  251.     CRYPTO_BUFFER *buf =

  252.         CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool);

  253.     if (buf == NULL ||

  254.         !sk_CRYPTO_BUFFER_push(certs, buf)) {

  255.       CRYPTO_BUFFER_free(buf);

  256.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  257.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  258.       goto err;

  259.     }

  260. 

  261.     /* Parse out the extensions. */

  262.     int have_status_request = 0, have_sct = 0;

  263.     CBS status_request, sct;

  264.     const SSL_EXTENSION_TYPE ext_types[] = {

  265.         {TLSEXT_TYPE_status_request, &have_status_request, &status_request},

  266.         {TLSEXT_TYPE_certificate_timestamp, &have_sct, &sct},

  267.     };

  268. 

  269.     uint8_t alert = SSL_AD_DECODE_ERROR;

  270.     if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  271.                               OPENSSL_ARRAY_SIZE(ext_types),

  272.                               0 /* reject unknown */)) {

  273.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  274.       goto err;

  275.     }

  276. 

  277.     /* All Certificate extensions are parsed, but only the leaf extensions are

  278.      * stored. */

  279.     if (have_status_request) {

  280.       if (ssl->server || !ssl->ocsp_stapling_enabled) {

  281.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  282.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  283.         goto err;

  284.       }

  285. 

  286.       uint8_t status_type;

  287.       CBS ocsp_response;

  288.       if (!CBS_get_u8(&status_request, &status_type) ||

  289.           status_type != TLSEXT_STATUSTYPE_ocsp ||

  290.           !CBS_get_u24_length_prefixed(&status_request, &ocsp_response) ||

  291.           CBS_len(&ocsp_response) == 0 ||

  292.           CBS_len(&status_request) != 0) {

  293.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  294.         goto err;

  295.       }

  296. 

  297.       if (sk_CRYPTO_BUFFER_num(certs) == 1 &&

  298.           !CBS_stow(&ocsp_response, &hs->new_session->ocsp_response,

  299.                     &hs->new_session->ocsp_response_length)) {

  300.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  301.         goto err;

  302.       }

  303.     }

  304. 

  305.     if (have_sct) {

  306.       if (ssl->server || !ssl->signed_cert_timestamps_enabled) {

  307.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  308.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  309.         goto err;

  310.       }

  311. 

  312.       if (!ssl_is_sct_list_valid(&sct)) {

  313.         OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);

  314.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  315.         goto err;

  316.       }

  317. 

  318.       if (sk_CRYPTO_BUFFER_num(certs) == 1 &&

  319.           !CBS_stow(

  320.               &sct, &hs->new_session->tlsext_signed_cert_timestamp_list,

  321.               &hs->new_session->tlsext_signed_cert_timestamp_list_length)) {

  322.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  323.         goto err;

  324.       }

  325.     }

  326.   }

  327. 

  328.   if (CBS_len(&cbs) != 0) {

  329.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  330.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  331.     goto err;

  332.   }

  333. 

  334.   EVP_PKEY_free(hs->peer_pubkey);

  335.   hs->peer_pubkey = pkey;

  336.   pkey = NULL;

  337. 

  338.   sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);

  339.   hs->new_session->certs = certs;

  340.   certs = NULL;

  341. 

  342.   if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session)) {

  343.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  344.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  345.     goto err;

  346.   }

  347. 

  348.   if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {

  349.     if (!allow_anonymous) {

  350.       OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

  351.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED);

  352.       goto err;

  353.     }

  354. 

  355.     /* OpenSSL returns X509_V_OK when no certificates are requested. This is

  356.      * classed by them as a bug, but it's assumed by at least NGINX. */

  357.     hs->new_session->verify_result = X509_V_OK;

  358. 

  359.     /* No certificate, so nothing more to do. */

  360.     ret = 1;

  361.     goto err;

  362.   }

  363. 

  364.   hs->new_session->peer_sha256_valid = retain_sha256;

  365.   ret = 1;

  366. 

  367. err:

  368.   sk_CRYPTO_BUFFER_pop_free(certs, CRYPTO_BUFFER_free);

  369.   EVP_PKEY_free(pkey);

  370.   return ret;

  371. }

  372. 

  373. int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {

  374.   SSL *const ssl = hs->ssl;

  375.   if (hs->peer_pubkey == NULL) {

  376.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  377.     return 0;

  378.   }

  379. 

  380.   CBS cbs, signature;

  381.   uint16_t signature_algorithm;

  382.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  383.   if (!CBS_get_u16(&cbs, &signature_algorithm) ||

  384.       !CBS_get_u16_length_prefixed(&cbs, &signature) ||

  385.       CBS_len(&cbs) != 0) {

  386.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  387.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  388.     return 0;

  389.   }

  390. 

  391.   uint8_t alert = SSL_AD_DECODE_ERROR;

  392.   if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {

  393.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  394.     return 0;

  395.   }

  396.   hs->new_session->peer_signature_algorithm = signature_algorithm;

  397. 

  398.   uint8_t *msg = NULL;

  399.   size_t msg_len;

  400.   if (!tls13_get_cert_verify_signature_input(

  401.           hs, &msg, &msg_len,

  402.           ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {

  403.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  404.     return 0;

  405.   }

  406.   bssl::UniquePtr<uint8_t> free_msg(msg);

  407. 

  408.   int sig_ok =

  409.       ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),

  410.                             signature_algorithm, hs->peer_pubkey, msg, msg_len);

  411. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  412.   sig_ok = 1;

  413.   ERR_clear_error();

  414. #endif

  415.   if (!sig_ok) {

  416.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);

  417.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  418.     return 0;

  419.   }

  420. 

  421.   return 1;

  422. }

  423. 

  424. int tls13_process_finished(SSL_HANDSHAKE *hs, int use_saved_value) {

  425.   SSL *const ssl = hs->ssl;

  426.   uint8_t verify_data_buf[EVP_MAX_MD_SIZE];

  427.   const uint8_t *verify_data;

  428.   size_t verify_data_len;

  429.   if (use_saved_value) {

  430.     assert(ssl->server);

  431.     verify_data = hs->expected_client_finished;

  432.     verify_data_len = hs->hash_len;

  433.   } else {

  434.     if (!tls13_finished_mac(hs, verify_data_buf, &verify_data_len,

  435.                             !ssl->server)) {

  436.       return 0;

  437.     }

  438.     verify_data = verify_data_buf;

  439.   }

  440. 

  441.   int finished_ok =

  442.       ssl->init_num == verify_data_len &&

  443.       CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) == 0;

  444. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  445.   finished_ok = 1;

  446. #endif

  447.   if (!finished_ok) {

  448.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  449.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  450.     return 0;

  451.   }

  452. 

  453.   return 1;

  454. }

  455. 

  456. int tls13_add_certificate(SSL_HANDSHAKE *hs) {

  457.   SSL *const ssl = hs->ssl;

  458.   bssl::ScopedCBB cbb;

  459.   CBB body, certificate_list;

  460.   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||

  461.       /* The request context is always empty in the handshake. */

  462.       !CBB_add_u8(&body, 0) ||

  463.       !CBB_add_u24_length_prefixed(&body, &certificate_list)) {

  464.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  465.     return 0;

  466.   }

  467. 

  468.   if (!ssl_has_certificate(ssl)) {

  469.     return ssl_add_message_cbb(ssl, cbb.get());

  470.   }

  471. 

  472.   CERT *cert = ssl->cert;

  473.   CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cert->chain, 0);

  474.   CBB leaf, extensions;

  475.   if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) ||

  476.       !CBB_add_bytes(&leaf, CRYPTO_BUFFER_data(leaf_buf),

  477.                      CRYPTO_BUFFER_len(leaf_buf)) ||

  478.       !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {

  479.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  480.     return 0;

  481.   }

  482. 

  483.   if (hs->scts_requested && ssl->cert->signed_cert_timestamp_list != NULL) {

  484.     CBB contents;

  485.     if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) ||

  486.         !CBB_add_u16_length_prefixed(&extensions, &contents) ||

  487.         !CBB_add_bytes(

  488.             &contents,

  489.             CRYPTO_BUFFER_data(ssl->cert->signed_cert_timestamp_list),

  490.             CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) ||

  491.         !CBB_flush(&extensions)) {

  492.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  493.       return 0;

  494.     }

  495.   }

  496. 

  497.   if (hs->ocsp_stapling_requested &&

  498.       ssl->cert->ocsp_response != NULL) {

  499.     CBB contents, ocsp_response;

  500.     if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) ||

  501.         !CBB_add_u16_length_prefixed(&extensions, &contents) ||

  502.         !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||

  503.         !CBB_add_u24_length_prefixed(&contents, &ocsp_response) ||

  504.         !CBB_add_bytes(&ocsp_response,

  505.                        CRYPTO_BUFFER_data(ssl->cert->ocsp_response),

  506.                        CRYPTO_BUFFER_len(ssl->cert->ocsp_response)) ||

  507.         !CBB_flush(&extensions)) {

  508.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  509.       return 0;

  510.     }

  511.   }

  512. 

  513.   for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain); i++) {

  514.     CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cert->chain, i);

  515.     CBB child;

  516.     if (!CBB_add_u24_length_prefixed(&certificate_list, &child) ||

  517.         !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cert_buf),

  518.                        CRYPTO_BUFFER_len(cert_buf)) ||

  519.         !CBB_add_u16(&certificate_list, 0 /* no extensions */)) {

  520.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  521.       return 0;

  522.     }

  523.   }

  524. 

  525.   return ssl_add_message_cbb(ssl, cbb.get());

  526. }

  527. 

  528. enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {

  529.   SSL *const ssl = hs->ssl;

  530.   uint16_t signature_algorithm;

  531.   if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {

  532.     return ssl_private_key_failure;

  533.   }

  534. 

  535.   bssl::ScopedCBB cbb;

  536.   CBB body;

  537.   if (!ssl->method->init_message(ssl, cbb.get(), &body,

  538.                                  SSL3_MT_CERTIFICATE_VERIFY) ||

  539.       !CBB_add_u16(&body, signature_algorithm)) {

  540.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  541.     return ssl_private_key_failure;

  542.   }

  543. 

  544.   /* Sign the digest. */

  545.   CBB child;

  546.   const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey);

  547.   uint8_t *sig;

  548.   size_t sig_len;

  549.   if (!CBB_add_u16_length_prefixed(&body, &child) ||

  550.       !CBB_reserve(&child, &sig, max_sig_len)) {

  551.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  552.     return ssl_private_key_failure;

  553.   }

  554. 

  555.   uint8_t *msg = NULL;

  556.   size_t msg_len;

  557.   if (!tls13_get_cert_verify_signature_input(

  558.           hs, &msg, &msg_len,

  559.           ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {

  560.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  561.     return ssl_private_key_failure;

  562.   }

  563.   bssl::UniquePtr<uint8_t> free_msg(msg);

  564. 

  565.   enum ssl_private_key_result_t sign_result = ssl_private_key_sign(

  566.       hs, sig, &sig_len, max_sig_len, signature_algorithm, msg, msg_len);

  567.   if (sign_result != ssl_private_key_success) {

  568.     return sign_result;

  569.   }

  570. 

  571.   if (!CBB_did_write(&child, sig_len) ||

  572.       !ssl_add_message_cbb(ssl, cbb.get())) {

  573.     return ssl_private_key_failure;

  574.   }

  575. 

  576.   return ssl_private_key_success;

  577. }

  578. 

  579. int tls13_add_finished(SSL_HANDSHAKE *hs) {

  580.   SSL *const ssl = hs->ssl;

  581.   size_t verify_data_len;

  582.   uint8_t verify_data[EVP_MAX_MD_SIZE];

  583. 

  584.   if (!tls13_finished_mac(hs, verify_data, &verify_data_len, ssl->server)) {

  585.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  586.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  587.     return 0;

  588.   }

  589. 

  590.   CBB cbb, body;

  591.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||

  592.       !CBB_add_bytes(&body, verify_data, verify_data_len) ||

  593.       !ssl_add_message_cbb(ssl, &cbb)) {

  594.     CBB_cleanup(&cbb);

  595.     return 0;

  596.   }

  597. 

  598.   return 1;

  599. }

  600. 

  601. static int tls13_receive_key_update(SSL *ssl) {

  602.   CBS cbs;

  603.   uint8_t key_update_request;

  604.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  605.   if (!CBS_get_u8(&cbs, &key_update_request) ||

  606.       CBS_len(&cbs) != 0 ||

  607.       (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&

  608.        key_update_request != SSL_KEY_UPDATE_REQUESTED)) {

  609.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  610.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  611.     return 0;

  612.   }

  613. 

  614.   if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) {

  615.     return 0;

  616.   }

  617. 

  618.   /* Acknowledge the KeyUpdate */

  619.   if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&

  620.       !ssl->s3->key_update_pending) {

  621.     CBB cbb, body;

  622.     if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_KEY_UPDATE) ||

  623.         !CBB_add_u8(&body, SSL_KEY_UPDATE_NOT_REQUESTED) ||

  624.         !ssl_add_message_cbb(ssl, &cbb) ||

  625.         !tls13_rotate_traffic_key(ssl, evp_aead_seal)) {

  626.       CBB_cleanup(&cbb);

  627.       return 0;

  628.     }

  629. 

  630.     /* Suppress KeyUpdate acknowledgments until this change is written to the

  631.      * wire. This prevents us from accumulating write obligations when read and

  632.      * write progress at different rates. See draft-ietf-tls-tls13-18, section

  633.      * 4.5.3. */

  634.     ssl->s3->key_update_pending = 1;

  635.   }

  636. 

  637.   return 1;

  638. }

  639. 

  640. int tls13_post_handshake(SSL *ssl) {

  641.   if (ssl->s3->tmp.message_type == SSL3_MT_KEY_UPDATE) {

  642.     ssl->s3->key_update_count++;

  643.     if (ssl->s3->key_update_count > kMaxKeyUpdates) {

  644.       OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);

  645.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  646.       return 0;

  647.     }

  648. 

  649.     return tls13_receive_key_update(ssl);

  650.   }

  651. 

  652.   ssl->s3->key_update_count = 0;

  653. 

  654.   if (ssl->s3->tmp.message_type == SSL3_MT_NEW_SESSION_TICKET &&

  655.       !ssl->server) {

  656.     return tls13_process_new_session_ticket(ssl);

  657.   }

  658. 

  659.   ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  660.   OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  661.   return 0;

  662. }