kris
/
boringssl
1
0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
5126 İşleme
12 Dallar
38 MiB
 
 
 
 
 
 
Ağaç: 3f8074c2de
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'3f8074c2de'den
${ noResults }
boringssl/ssl/tls13_both.cc

560 satır
18 KiB
Ham Suçlama Geçmiş 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <utility>

  21. 

  22. #include <openssl/bytestring.h>

  23. #include <openssl/err.h>

  24. #include <openssl/hkdf.h>

  25. #include <openssl/mem.h>

  26. #include <openssl/stack.h>

  27. #include <openssl/x509.h>

  28. 

  29. #include "../crypto/internal.h"

  30. #include "internal.h"

  31. 

  32. 

  33. namespace bssl {

  34. 

  35. // kMaxKeyUpdates is the number of consecutive KeyUpdates that will be

  36. // processed. Without this limit an attacker could force unbounded processing

  37. // without being able to return application data.

  38. static const uint8_t kMaxKeyUpdates = 32;

  39. 

  40. const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE] = {

  41.     0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c,

  42.     0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb,

  43.     0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,

  44. };

  45. 

  46. // This value was selected by truncating the SHA-256 hash of "Draft TLS 1.3

  47. // Downgrade" to 8 bytes:

  48. //

  49. //   echo -n 'Draft TLS 1.3 Downgrade' | sha256sum | head -c 16

  50. const uint8_t kDraftDowngradeRandom[8] = {0x95, 0xb9, 0x9f, 0x87,

  51.                                           0x22, 0xfe, 0x9b, 0x64};

  52. 

  53. 

  54. bool tls13_get_cert_verify_signature_input(

  55.     SSL_HANDSHAKE *hs, Array<uint8_t> *out,

  56.     enum ssl_cert_verify_context_t cert_verify_context) {

  57.   ScopedCBB cbb;

  58.   if (!CBB_init(cbb.get(), 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {

  59.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  60.     return false;

  61.   }

  62. 

  63.   for (size_t i = 0; i < 64; i++) {

  64.     if (!CBB_add_u8(cbb.get(), 0x20)) {

  65.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  66.       return false;

  67.     }

  68.   }

  69. 

  70.   Span<const char> context;

  71.   if (cert_verify_context == ssl_cert_verify_server) {

  72.     static const char kContext[] = "TLS 1.3, server CertificateVerify";

  73.     context = kContext;

  74.   } else if (cert_verify_context == ssl_cert_verify_client) {

  75.     static const char kContext[] = "TLS 1.3, client CertificateVerify";

  76.     context = kContext;

  77.   } else if (cert_verify_context == ssl_cert_verify_channel_id) {

  78.     static const char kContext[] = "TLS 1.3, Channel ID";

  79.     context = kContext;

  80.   } else {

  81.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  82.     return false;

  83.   }

  84. 

  85.   // Note |context| includes the NUL byte separator.

  86.   if (!CBB_add_bytes(cbb.get(),

  87.                      reinterpret_cast<const uint8_t *>(context.data()),

  88.                      context.size())) {

  89.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  90.     return false;

  91.   }

  92. 

  93.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  94.   size_t context_hash_len;

  95.   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||

  96.       !CBB_add_bytes(cbb.get(), context_hash, context_hash_len) ||

  97.       !CBBFinishArray(cbb.get(), out)) {

  98.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  99.     return false;

  100.   }

  101. 

  102.   return true;

  103. }

  104. 

  105. int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,

  106.                               int allow_anonymous) {

  107.   SSL *const ssl = hs->ssl;

  108.   CBS body = msg.body, context, certificate_list;

  109.   if (!CBS_get_u8_length_prefixed(&body, &context) ||

  110.       CBS_len(&context) != 0 ||

  111.       !CBS_get_u24_length_prefixed(&body, &certificate_list) ||

  112.       CBS_len(&body) != 0) {

  113.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  114.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  115.     return 0;

  116.   }

  117. 

  118.   UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs(sk_CRYPTO_BUFFER_new_null());

  119.   if (!certs) {

  120.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  121.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  122.     return 0;

  123.   }

  124. 

  125.   const bool retain_sha256 =

  126.       ssl->server && ssl->retain_only_sha256_of_client_certs;

  127.   UniquePtr<EVP_PKEY> pkey;

  128.   while (CBS_len(&certificate_list) > 0) {

  129.     CBS certificate, extensions;

  130.     if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||

  131.         !CBS_get_u16_length_prefixed(&certificate_list, &extensions) ||

  132.         CBS_len(&certificate) == 0) {

  133.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  134.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);

  135.       return 0;

  136.     }

  137. 

  138.     if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {

  139.       pkey = ssl_cert_parse_pubkey(&certificate);

  140.       if (!pkey) {

  141.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  142.         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  143.         return 0;

  144.       }

  145.       // TLS 1.3 always uses certificate keys for signing thus the correct

  146.       // keyUsage is enforced.

  147.       if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {

  148.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  149.         return 0;

  150.       }

  151. 

  152.       if (retain_sha256) {

  153.         // Retain the hash of the leaf certificate if requested.

  154.         SHA256(CBS_data(&certificate), CBS_len(&certificate),

  155.                hs->new_session->peer_sha256);

  156.       }

  157.     }

  158. 

  159.     UniquePtr<CRYPTO_BUFFER> buf(

  160.         CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool));

  161.     if (!buf ||

  162.         !PushToStack(certs.get(), std::move(buf))) {

  163.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  164.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  165.       return 0;

  166.     }

  167. 

  168.     // Parse out the extensions.

  169.     bool have_status_request = false, have_sct = false;

  170.     CBS status_request, sct;

  171.     const SSL_EXTENSION_TYPE ext_types[] = {

  172.         {TLSEXT_TYPE_status_request, &have_status_request, &status_request},

  173.         {TLSEXT_TYPE_certificate_timestamp, &have_sct, &sct},

  174.     };

  175. 

  176.     uint8_t alert = SSL_AD_DECODE_ERROR;

  177.     if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  178.                               OPENSSL_ARRAY_SIZE(ext_types),

  179.                               0 /* reject unknown */)) {

  180.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  181.       return 0;

  182.     }

  183. 

  184.     // All Certificate extensions are parsed, but only the leaf extensions are

  185.     // stored.

  186.     if (have_status_request) {

  187.       if (ssl->server || !ssl->ocsp_stapling_enabled) {

  188.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  189.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  190.         return 0;

  191.       }

  192. 

  193.       uint8_t status_type;

  194.       CBS ocsp_response;

  195.       if (!CBS_get_u8(&status_request, &status_type) ||

  196.           status_type != TLSEXT_STATUSTYPE_ocsp ||

  197.           !CBS_get_u24_length_prefixed(&status_request, &ocsp_response) ||

  198.           CBS_len(&ocsp_response) == 0 ||

  199.           CBS_len(&status_request) != 0) {

  200.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  201.         return 0;

  202.       }

  203. 

  204.       if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {

  205.         CRYPTO_BUFFER_free(hs->new_session->ocsp_response);

  206.         hs->new_session->ocsp_response =

  207.             CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool);

  208.         if (hs->new_session->ocsp_response == nullptr) {

  209.           ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  210.           return 0;

  211.         }

  212.       }

  213.     }

  214. 

  215.     if (have_sct) {

  216.       if (ssl->server || !ssl->signed_cert_timestamps_enabled) {

  217.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  218.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  219.         return 0;

  220.       }

  221. 

  222.       if (!ssl_is_sct_list_valid(&sct)) {

  223.         OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);

  224.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  225.         return 0;

  226.       }

  227. 

  228.       if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {

  229.         CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list);

  230.         hs->new_session->signed_cert_timestamp_list =

  231.             CRYPTO_BUFFER_new_from_CBS(&sct, ssl->ctx->pool);

  232.         if (hs->new_session->signed_cert_timestamp_list == nullptr) {

  233.           ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  234.           return 0;

  235.         }

  236.       }

  237.     }

  238.   }

  239. 

  240.   // Store a null certificate list rather than an empty one if the peer didn't

  241.   // send certificates.

  242.   if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {

  243.     certs.reset();

  244.   }

  245. 

  246.   hs->peer_pubkey = std::move(pkey);

  247. 

  248.   sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free);

  249.   hs->new_session->certs = certs.release();

  250. 

  251.   if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {

  252.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  253.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  254.     return 0;

  255.   }

  256. 

  257.   if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {

  258.     if (!allow_anonymous) {

  259.       OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

  260.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED);

  261.       return 0;

  262.     }

  263. 

  264.     // OpenSSL returns X509_V_OK when no certificates are requested. This is

  265.     // classed by them as a bug, but it's assumed by at least NGINX.

  266.     hs->new_session->verify_result = X509_V_OK;

  267. 

  268.     // No certificate, so nothing more to do.

  269.     return 1;

  270.   }

  271. 

  272.   hs->new_session->peer_sha256_valid = retain_sha256;

  273.   return 1;

  274. }

  275. 

  276. int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg) {

  277.   SSL *const ssl = hs->ssl;

  278.   if (hs->peer_pubkey == NULL) {

  279.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  280.     return 0;

  281.   }

  282. 

  283.   CBS body = msg.body, signature;

  284.   uint16_t signature_algorithm;

  285.   if (!CBS_get_u16(&body, &signature_algorithm) ||

  286.       !CBS_get_u16_length_prefixed(&body, &signature) ||

  287.       CBS_len(&body) != 0) {

  288.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  289.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  290.     return 0;

  291.   }

  292. 

  293.   uint8_t alert = SSL_AD_DECODE_ERROR;

  294.   if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) {

  295.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  296.     return 0;

  297.   }

  298.   hs->new_session->peer_signature_algorithm = signature_algorithm;

  299. 

  300.   Array<uint8_t> input;

  301.   if (!tls13_get_cert_verify_signature_input(

  302.           hs, &input,

  303.           ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {

  304.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  305.     return 0;

  306.   }

  307. 

  308.   bool sig_ok = ssl_public_key_verify(ssl, signature, signature_algorithm,

  309.                                       hs->peer_pubkey.get(), input);

  310. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  311.   sig_ok = true;

  312.   ERR_clear_error();

  313. #endif

  314.   if (!sig_ok) {

  315.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);

  316.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  317.     return 0;

  318.   }

  319. 

  320.   return 1;

  321. }

  322. 

  323. int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,

  324.                            int use_saved_value) {

  325.   SSL *const ssl = hs->ssl;

  326.   uint8_t verify_data_buf[EVP_MAX_MD_SIZE];

  327.   const uint8_t *verify_data;

  328.   size_t verify_data_len;

  329.   if (use_saved_value) {

  330.     assert(ssl->server);

  331.     verify_data = hs->expected_client_finished;

  332.     verify_data_len = hs->hash_len;

  333.   } else {

  334.     if (!tls13_finished_mac(hs, verify_data_buf, &verify_data_len,

  335.                             !ssl->server)) {

  336.       return 0;

  337.     }

  338.     verify_data = verify_data_buf;

  339.   }

  340. 

  341.   int finished_ok = CBS_mem_equal(&msg.body, verify_data, verify_data_len);

  342. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  343.   finished_ok = 1;

  344. #endif

  345.   if (!finished_ok) {

  346.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  347.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  348.     return 0;

  349.   }

  350. 

  351.   return 1;

  352. }

  353. 

  354. int tls13_add_certificate(SSL_HANDSHAKE *hs) {

  355.   SSL *const ssl = hs->ssl;

  356.   ScopedCBB cbb;

  357.   CBB body, certificate_list;

  358.   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) ||

  359.       // The request context is always empty in the handshake.

  360.       !CBB_add_u8(&body, 0) ||

  361.       !CBB_add_u24_length_prefixed(&body, &certificate_list)) {

  362.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  363.     return 0;

  364.   }

  365. 

  366.   if (!ssl_has_certificate(ssl)) {

  367.     return ssl_add_message_cbb(ssl, cbb.get());

  368.   }

  369. 

  370.   CERT *cert = ssl->cert;

  371.   CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cert->chain.get(), 0);

  372.   CBB leaf, extensions;

  373.   if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) ||

  374.       !CBB_add_bytes(&leaf, CRYPTO_BUFFER_data(leaf_buf),

  375.                      CRYPTO_BUFFER_len(leaf_buf)) ||

  376.       !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {

  377.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  378.     return 0;

  379.   }

  380. 

  381.   if (hs->scts_requested && ssl->cert->signed_cert_timestamp_list != nullptr) {

  382.     CBB contents;

  383.     if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) ||

  384.         !CBB_add_u16_length_prefixed(&extensions, &contents) ||

  385.         !CBB_add_bytes(

  386.             &contents,

  387.             CRYPTO_BUFFER_data(ssl->cert->signed_cert_timestamp_list.get()),

  388.             CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list.get())) ||

  389.         !CBB_flush(&extensions)) {

  390.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  391.       return 0;

  392.     }

  393.   }

  394. 

  395.   if (hs->ocsp_stapling_requested &&

  396.       ssl->cert->ocsp_response != NULL) {

  397.     CBB contents, ocsp_response;

  398.     if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) ||

  399.         !CBB_add_u16_length_prefixed(&extensions, &contents) ||

  400.         !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||

  401.         !CBB_add_u24_length_prefixed(&contents, &ocsp_response) ||

  402.         !CBB_add_bytes(&ocsp_response,

  403.                        CRYPTO_BUFFER_data(ssl->cert->ocsp_response.get()),

  404.                        CRYPTO_BUFFER_len(ssl->cert->ocsp_response.get())) ||

  405.         !CBB_flush(&extensions)) {

  406.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  407.       return 0;

  408.     }

  409.   }

  410. 

  411.   for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain.get()); i++) {

  412.     CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cert->chain.get(), i);

  413.     CBB child;

  414.     if (!CBB_add_u24_length_prefixed(&certificate_list, &child) ||

  415.         !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cert_buf),

  416.                        CRYPTO_BUFFER_len(cert_buf)) ||

  417.         !CBB_add_u16(&certificate_list, 0 /* no extensions */)) {

  418.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  419.       return 0;

  420.     }

  421.   }

  422. 

  423.   return ssl_add_message_cbb(ssl, cbb.get());

  424. }

  425. 

  426. enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {

  427.   SSL *const ssl = hs->ssl;

  428.   uint16_t signature_algorithm;

  429.   if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {

  430.     return ssl_private_key_failure;

  431.   }

  432. 

  433.   ScopedCBB cbb;

  434.   CBB body;

  435.   if (!ssl->method->init_message(ssl, cbb.get(), &body,

  436.                                  SSL3_MT_CERTIFICATE_VERIFY) ||

  437.       !CBB_add_u16(&body, signature_algorithm)) {

  438.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  439.     return ssl_private_key_failure;

  440.   }

  441. 

  442.   // Sign the digest.

  443.   CBB child;

  444.   const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());

  445.   uint8_t *sig;

  446.   size_t sig_len;

  447.   if (!CBB_add_u16_length_prefixed(&body, &child) ||

  448.       !CBB_reserve(&child, &sig, max_sig_len)) {

  449.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  450.     return ssl_private_key_failure;

  451.   }

  452. 

  453.   Array<uint8_t> msg;

  454.   if (!tls13_get_cert_verify_signature_input(

  455.           hs, &msg,

  456.           ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {

  457.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  458.     return ssl_private_key_failure;

  459.   }

  460. 

  461.   enum ssl_private_key_result_t sign_result = ssl_private_key_sign(

  462.       hs, sig, &sig_len, max_sig_len, signature_algorithm, msg);

  463.   if (sign_result != ssl_private_key_success) {

  464.     return sign_result;

  465.   }

  466. 

  467.   if (!CBB_did_write(&child, sig_len) ||

  468.       !ssl_add_message_cbb(ssl, cbb.get())) {

  469.     return ssl_private_key_failure;

  470.   }

  471. 

  472.   return ssl_private_key_success;

  473. }

  474. 

  475. int tls13_add_finished(SSL_HANDSHAKE *hs) {

  476.   SSL *const ssl = hs->ssl;

  477.   size_t verify_data_len;

  478.   uint8_t verify_data[EVP_MAX_MD_SIZE];

  479. 

  480.   if (!tls13_finished_mac(hs, verify_data, &verify_data_len, ssl->server)) {

  481.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  482.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  483.     return 0;

  484.   }

  485. 

  486.   ScopedCBB cbb;

  487.   CBB body;

  488.   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||

  489.       !CBB_add_bytes(&body, verify_data, verify_data_len) ||

  490.       !ssl_add_message_cbb(ssl, cbb.get())) {

  491.     return 0;

  492.   }

  493. 

  494.   return 1;

  495. }

  496. 

  497. static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {

  498.   CBS body = msg.body;

  499.   uint8_t key_update_request;

  500.   if (!CBS_get_u8(&body, &key_update_request) ||

  501.       CBS_len(&body) != 0 ||

  502.       (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&

  503.        key_update_request != SSL_KEY_UPDATE_REQUESTED)) {

  504.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  505.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  506.     return 0;

  507.   }

  508. 

  509.   if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) {

  510.     return 0;

  511.   }

  512. 

  513.   // Acknowledge the KeyUpdate

  514.   if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&

  515.       !ssl->s3->key_update_pending) {

  516.     ScopedCBB cbb;

  517.     CBB body_cbb;

  518.     if (!ssl->method->init_message(ssl, cbb.get(), &body_cbb,

  519.                                    SSL3_MT_KEY_UPDATE) ||

  520.         !CBB_add_u8(&body_cbb, SSL_KEY_UPDATE_NOT_REQUESTED) ||

  521.         !ssl_add_message_cbb(ssl, cbb.get()) ||

  522.         !tls13_rotate_traffic_key(ssl, evp_aead_seal)) {

  523.       return 0;

  524.     }

  525. 

  526.     // Suppress KeyUpdate acknowledgments until this change is written to the

  527.     // wire. This prevents us from accumulating write obligations when read and

  528.     // write progress at different rates. See draft-ietf-tls-tls13-18, section

  529.     // 4.5.3.

  530.     ssl->s3->key_update_pending = true;

  531.   }

  532. 

  533.   return 1;

  534. }

  535. 

  536. int tls13_post_handshake(SSL *ssl, const SSLMessage &msg) {

  537.   if (msg.type == SSL3_MT_KEY_UPDATE) {

  538.     ssl->s3->key_update_count++;

  539.     if (ssl->s3->key_update_count > kMaxKeyUpdates) {

  540.       OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);

  541.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  542.       return 0;

  543.     }

  544. 

  545.     return tls13_receive_key_update(ssl, msg);

  546.   }

  547. 

  548.   ssl->s3->key_update_count = 0;

  549. 

  550.   if (msg.type == SSL3_MT_NEW_SESSION_TICKET && !ssl->server) {

  551.     return tls13_process_new_session_ticket(ssl, msg);

  552.   }

  553. 

  554.   ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  555.   OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  556.   return 0;

  557. }

  558. 

  559. }  // namespace bssl