kris
/
boringssl
1
0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
3729 İşleme
12 Dallar
38 MiB
 
 
 
 
 
 
Ağaç: 47383aadff
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'47383aadff'den
${ noResults }
boringssl/ssl/tls13_both.c

641 satır
19 KiB
Ham Suçlama Geçmiş 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bytestring.h>

  21. #include <openssl/err.h>

  22. #include <openssl/hkdf.h>

  23. #include <openssl/mem.h>

  24. #include <openssl/stack.h>

  25. #include <openssl/x509.h>

  26. #include <openssl/x509v3.h>

  27. 

  28. #include "../crypto/internal.h"

  29. #include "internal.h"

  30. 

  31. 

  32. /* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be

  33.  * processed. Without this limit an attacker could force unbounded processing

  34.  * without being able to return application data. */

  35. static const uint8_t kMaxKeyUpdates = 32;

  36. 

  37. int tls13_handshake(SSL_HANDSHAKE *hs) {

  38.   SSL *const ssl = hs->ssl;

  39.   for (;;) {

  40.     /* Resolve the operation the handshake was waiting on. */

  41.     switch (hs->wait) {

  42.       case ssl_hs_error:

  43.         OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);

  44.         return -1;

  45. 

  46.       case ssl_hs_flush:

  47.       case ssl_hs_flush_and_read_message: {

  48.         int ret = ssl->method->flush_flight(ssl);

  49.         if (ret <= 0) {

  50.           return ret;

  51.         }

  52.         if (hs->wait != ssl_hs_flush_and_read_message) {

  53.           break;

  54.         }

  55.         ssl->method->expect_flight(ssl);

  56.         hs->wait = ssl_hs_read_message;

  57.         /* Fall-through. */

  58.       }

  59. 

  60.       case ssl_hs_read_message: {

  61.         int ret = ssl->method->ssl_get_message(ssl, -1, ssl_dont_hash_message);

  62.         if (ret <= 0) {

  63.           return ret;

  64.         }

  65.         break;

  66.       }

  67. 

  68.       case ssl_hs_x509_lookup:

  69.         ssl->rwstate = SSL_X509_LOOKUP;

  70.         hs->wait = ssl_hs_ok;

  71.         return -1;

  72. 

  73.       case ssl_hs_channel_id_lookup:

  74.         ssl->rwstate = SSL_CHANNEL_ID_LOOKUP;

  75.         hs->wait = ssl_hs_ok;

  76.         return -1;

  77. 

  78.       case ssl_hs_private_key_operation:

  79.         ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;

  80.         hs->wait = ssl_hs_ok;

  81.         return -1;

  82. 

  83.       case ssl_hs_ok:

  84.         break;

  85.     }

  86. 

  87.     /* Run the state machine again. */

  88.     hs->wait = hs->do_tls13_handshake(hs);

  89.     if (hs->wait == ssl_hs_error) {

  90.       /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the

  91.        * first time around. */

  92.       return -1;

  93.     }

  94.     if (hs->wait == ssl_hs_ok) {

  95.       /* The handshake has completed. */

  96.       return 1;

  97.     }

  98. 

  99.     /* Otherwise, loop to the beginning and resolve what was blocking the

  100.      * handshake. */

  101.   }

  102. }

  103. 

  104. int tls13_get_cert_verify_signature_input(

  105.     SSL *ssl, uint8_t **out, size_t *out_len,

  106.     enum ssl_cert_verify_context_t cert_verify_context) {

  107.   CBB cbb;

  108.   if (!CBB_init(&cbb, 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {

  109.     goto err;

  110.   }

  111. 

  112.   for (size_t i = 0; i < 64; i++) {

  113.     if (!CBB_add_u8(&cbb, 0x20)) {

  114.       goto err;

  115.     }

  116.   }

  117. 

  118.   const uint8_t *context;

  119.   size_t context_len;

  120.   if (cert_verify_context == ssl_cert_verify_server) {

  121.     /* Include the NUL byte. */

  122.     static const char kContext[] = "TLS 1.3, server CertificateVerify";

  123.     context = (const uint8_t *)kContext;

  124.     context_len = sizeof(kContext);

  125.   } else if (cert_verify_context == ssl_cert_verify_client) {

  126.     static const char kContext[] = "TLS 1.3, client CertificateVerify";

  127.     context = (const uint8_t *)kContext;

  128.     context_len = sizeof(kContext);

  129.   } else if (cert_verify_context == ssl_cert_verify_channel_id) {

  130.     static const char kContext[] = "TLS 1.3, Channel ID";

  131.     context = (const uint8_t *)kContext;

  132.     context_len = sizeof(kContext);

  133.   } else {

  134.     goto err;

  135.   }

  136. 

  137.   if (!CBB_add_bytes(&cbb, context, context_len)) {

  138.     goto err;

  139.   }

  140. 

  141.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  142.   size_t context_hash_len;

  143.   if (!tls13_get_context_hash(ssl, context_hash, &context_hash_len) ||

  144.       !CBB_add_bytes(&cbb, context_hash, context_hash_len) ||

  145.       !CBB_finish(&cbb, out, out_len)) {

  146.     goto err;

  147.   }

  148. 

  149.   return 1;

  150. 

  151. err:

  152.   OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  153.   CBB_cleanup(&cbb);

  154.   return 0;

  155. }

  156. 

  157. int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) {

  158.   SSL *const ssl = hs->ssl;

  159.   CBS cbs, context, certificate_list;

  160.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  161.   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||

  162.       CBS_len(&context) != 0) {

  163.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  164.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  165.     return 0;

  166.   }

  167. 

  168.   const int retain_sha256 =

  169.       ssl->server && ssl->retain_only_sha256_of_client_certs;

  170.   int ret = 0;

  171. 

  172.   EVP_PKEY *pkey = NULL;

  173.   STACK_OF(CRYPTO_BUFFER) *certs = sk_CRYPTO_BUFFER_new_null();

  174.   if (certs == NULL) {

  175.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  176.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  177.     goto err;

  178.   }

  179. 

  180.   if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list)) {

  181.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  182.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  183.     goto err;

  184.   }

  185. 

  186.   while (CBS_len(&certificate_list) > 0) {

  187.     CBS certificate, extensions;

  188.     if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||

  189.         !CBS_get_u16_length_prefixed(&certificate_list, &extensions) ||

  190.         CBS_len(&certificate) == 0) {

  191.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  192.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);

  193.       goto err;

  194.     }

  195. 

  196.     if (sk_CRYPTO_BUFFER_num(certs) == 0) {

  197.       pkey = ssl_cert_parse_pubkey(&certificate);

  198.       if (pkey == NULL) {

  199.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  200.         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  201.         goto err;

  202.       }

  203.       /* TLS 1.3 always uses certificate keys for signing thus the correct

  204.        * keyUsage is enforced. */

  205.       if (!ssl_cert_check_digital_signature_key_usage(&certificate)) {

  206.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  207.         goto err;

  208.       }

  209. 

  210.       if (retain_sha256) {

  211.         /* Retain the hash of the leaf certificate if requested. */

  212.         SHA256(CBS_data(&certificate), CBS_len(&certificate),

  213.                ssl->s3->new_session->peer_sha256);

  214.       }

  215.     }

  216. 

  217.     CRYPTO_BUFFER *buf =

  218.         CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool);

  219.     if (buf == NULL ||

  220.         !sk_CRYPTO_BUFFER_push(certs, buf)) {

  221.       CRYPTO_BUFFER_free(buf);

  222.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  223.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  224.       goto err;

  225.     }

  226. 

  227.     /* Parse out the extensions. */

  228.     int have_status_request = 0, have_sct = 0;

  229.     CBS status_request, sct;

  230.     const SSL_EXTENSION_TYPE ext_types[] = {

  231.         {TLSEXT_TYPE_status_request, &have_status_request, &status_request},

  232.         {TLSEXT_TYPE_certificate_timestamp, &have_sct, &sct},

  233.     };

  234. 

  235.     uint8_t alert;

  236.     if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  237.                               OPENSSL_ARRAY_SIZE(ext_types),

  238.                               0 /* reject unknown */)) {

  239.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  240.       goto err;

  241.     }

  242. 

  243.     /* All Certificate extensions are parsed, but only the leaf extensions are

  244.      * stored. */

  245.     if (have_status_request) {

  246.       if (ssl->server || !ssl->ocsp_stapling_enabled) {

  247.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  248.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  249.         goto err;

  250.       }

  251. 

  252.       uint8_t status_type;

  253.       CBS ocsp_response;

  254.       if (!CBS_get_u8(&status_request, &status_type) ||

  255.           status_type != TLSEXT_STATUSTYPE_ocsp ||

  256.           !CBS_get_u24_length_prefixed(&status_request, &ocsp_response) ||

  257.           CBS_len(&ocsp_response) == 0 ||

  258.           CBS_len(&status_request) != 0) {

  259.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  260.         goto err;

  261.       }

  262. 

  263.       if (sk_CRYPTO_BUFFER_num(certs) == 1 &&

  264.           !CBS_stow(&ocsp_response, &ssl->s3->new_session->ocsp_response,

  265.                     &ssl->s3->new_session->ocsp_response_length)) {

  266.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  267.         goto err;

  268.       }

  269.     }

  270. 

  271.     if (have_sct) {

  272.       if (ssl->server || !ssl->signed_cert_timestamps_enabled) {

  273.         OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  274.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  275.         goto err;

  276.       }

  277. 

  278.       if (!ssl_is_sct_list_valid(&sct)) {

  279.         OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);

  280.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  281.         goto err;

  282.       }

  283. 

  284.       if (sk_CRYPTO_BUFFER_num(certs) == 1 &&

  285.           !CBS_stow(&sct,

  286.                     &ssl->s3->new_session->tlsext_signed_cert_timestamp_list,

  287.                     &ssl->s3->new_session

  288.                          ->tlsext_signed_cert_timestamp_list_length)) {

  289.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  290.         goto err;

  291.       }

  292.     }

  293.   }

  294. 

  295.   if (CBS_len(&cbs) != 0) {

  296.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  297.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  298.     goto err;

  299.   }

  300. 

  301.   EVP_PKEY_free(hs->peer_pubkey);

  302.   hs->peer_pubkey = pkey;

  303.   pkey = NULL;

  304. 

  305.   sk_CRYPTO_BUFFER_pop_free(ssl->s3->new_session->certs, CRYPTO_BUFFER_free);

  306.   ssl->s3->new_session->certs = certs;

  307.   certs = NULL;

  308. 

  309.   if (!ssl_session_x509_cache_objects(ssl->s3->new_session)) {

  310.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  311.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  312.     goto err;

  313.   }

  314. 

  315.   if (sk_CRYPTO_BUFFER_num(ssl->s3->new_session->certs) == 0) {

  316.     if (!allow_anonymous) {

  317.       OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);

  318.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED);

  319.       goto err;

  320.     }

  321. 

  322.     /* OpenSSL returns X509_V_OK when no certificates are requested. This is

  323.      * classed by them as a bug, but it's assumed by at least NGINX. */

  324.     ssl->s3->new_session->verify_result = X509_V_OK;

  325. 

  326.     /* No certificate, so nothing more to do. */

  327.     ret = 1;

  328.     goto err;

  329.   }

  330. 

  331.   ssl->s3->new_session->peer_sha256_valid = retain_sha256;

  332. 

  333.   if (!ssl_verify_cert_chain(ssl, &ssl->s3->new_session->verify_result,

  334.                              ssl->s3->new_session->x509_chain)) {

  335.     goto err;

  336.   }

  337. 

  338.   ret = 1;

  339. 

  340. err:

  341.   sk_CRYPTO_BUFFER_pop_free(certs, CRYPTO_BUFFER_free);

  342.   EVP_PKEY_free(pkey);

  343.   return ret;

  344. }

  345. 

  346. int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) {

  347.   SSL *const ssl = hs->ssl;

  348.   int ret = 0;

  349.   uint8_t *msg = NULL;

  350.   size_t msg_len;

  351. 

  352.   if (hs->peer_pubkey == NULL) {

  353.     goto err;

  354.   }

  355. 

  356.   CBS cbs, signature;

  357.   uint16_t signature_algorithm;

  358.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  359.   if (!CBS_get_u16(&cbs, &signature_algorithm) ||

  360.       !CBS_get_u16_length_prefixed(&cbs, &signature) ||

  361.       CBS_len(&cbs) != 0) {

  362.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  363.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  364.     goto err;

  365.   }

  366. 

  367.   int al;

  368.   if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {

  369.     ssl3_send_alert(ssl, SSL3_AL_FATAL, al);

  370.     goto err;

  371.   }

  372.   ssl->s3->new_session->peer_signature_algorithm = signature_algorithm;

  373. 

  374.   if (!tls13_get_cert_verify_signature_input(

  375.           ssl, &msg, &msg_len,

  376.           ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {

  377.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  378.     goto err;

  379.   }

  380. 

  381.   int sig_ok =

  382.       ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),

  383.                             signature_algorithm, hs->peer_pubkey, msg, msg_len);

  384. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  385.   sig_ok = 1;

  386.   ERR_clear_error();

  387. #endif

  388.   if (!sig_ok) {

  389.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);

  390.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  391.     goto err;

  392.   }

  393. 

  394.   ret = 1;

  395. 

  396. err:

  397.   OPENSSL_free(msg);

  398.   return ret;

  399. }

  400. 

  401. int tls13_check_message_type(SSL *ssl, int type) {

  402.   if (ssl->s3->tmp.message_type != type) {

  403.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  404.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  405.     ERR_add_error_dataf("got type %d, wanted type %d",

  406.                         ssl->s3->tmp.message_type, type);

  407.     return 0;

  408.   }

  409. 

  410.   return 1;

  411. }

  412. 

  413. int tls13_process_finished(SSL_HANDSHAKE *hs) {

  414.   SSL *const ssl = hs->ssl;

  415.   uint8_t verify_data[EVP_MAX_MD_SIZE];

  416.   size_t verify_data_len;

  417.   if (!tls13_finished_mac(hs, verify_data, &verify_data_len, !ssl->server)) {

  418.     return 0;

  419.   }

  420. 

  421.   int finished_ok =

  422.       ssl->init_num == verify_data_len &&

  423.       CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) == 0;

  424. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  425.   finished_ok = 1;

  426. #endif

  427.   if (!finished_ok) {

  428.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);

  429.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  430.     return 0;

  431.   }

  432. 

  433.   return 1;

  434. }

  435. 

  436. int tls13_add_certificate(SSL_HANDSHAKE *hs) {

  437.   SSL *const ssl = hs->ssl;

  438.   CBB cbb, body, certificate_list;

  439.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||

  440.       /* The request context is always empty in the handshake. */

  441.       !CBB_add_u8(&body, 0) ||

  442.       !CBB_add_u24_length_prefixed(&body, &certificate_list)) {

  443.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  444.     goto err;

  445.   }

  446. 

  447.   if (!ssl_has_certificate(ssl)) {

  448.     if (!ssl_add_message_cbb(ssl, &cbb)) {

  449.       goto err;

  450.     }

  451. 

  452.     return 1;

  453.   }

  454. 

  455.   CERT *cert = ssl->cert;

  456.   CBB leaf, extensions;

  457.   if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) ||

  458.       !ssl_add_cert_to_cbb(&leaf, cert->x509_leaf) ||

  459.       !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {

  460.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  461.     goto err;

  462.   }

  463. 

  464.   if (hs->scts_requested &&

  465.       ssl->ctx->signed_cert_timestamp_list_length != 0) {

  466.     CBB contents;

  467.     if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) ||

  468.         !CBB_add_u16_length_prefixed(&extensions, &contents) ||

  469.         !CBB_add_bytes(&contents, ssl->ctx->signed_cert_timestamp_list,

  470.                        ssl->ctx->signed_cert_timestamp_list_length) ||

  471.         !CBB_flush(&extensions)) {

  472.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  473.       goto err;

  474.     }

  475.   }

  476. 

  477.   if (hs->ocsp_stapling_requested &&

  478.       ssl->ocsp_response != NULL) {

  479.     CBB contents, ocsp_response;

  480.     if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) ||

  481.         !CBB_add_u16_length_prefixed(&extensions, &contents) ||

  482.         !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||

  483.         !CBB_add_u24_length_prefixed(&contents, &ocsp_response) ||

  484.         !CBB_add_bytes(&ocsp_response, CRYPTO_BUFFER_data(ssl->ocsp_response),

  485.                        CRYPTO_BUFFER_len(ssl->ocsp_response)) ||

  486.         !CBB_flush(&extensions)) {

  487.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  488.       goto err;

  489.     }

  490.   }

  491. 

  492.   for (size_t i = 0; i < sk_X509_num(cert->x509_chain); i++) {

  493.     CBB child;

  494.     if (!CBB_add_u24_length_prefixed(&certificate_list, &child) ||

  495.         !ssl_add_cert_to_cbb(&child, sk_X509_value(cert->x509_chain, i)) ||

  496.         !CBB_add_u16(&certificate_list, 0 /* no extensions */)) {

  497.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  498.       goto err;

  499.     }

  500.   }

  501. 

  502.   if (!ssl_add_message_cbb(ssl, &cbb)) {

  503.     goto err;

  504.   }

  505. 

  506.   return 1;

  507. 

  508. err:

  509.   CBB_cleanup(&cbb);

  510.   return 0;

  511. }

  512. 

  513. enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs,

  514.                                                            int is_first_run) {

  515.   SSL *const ssl = hs->ssl;

  516.   enum ssl_private_key_result_t ret = ssl_private_key_failure;

  517.   uint8_t *msg = NULL;

  518.   size_t msg_len;

  519.   CBB cbb, body;

  520.   CBB_zero(&cbb);

  521. 

  522.   uint16_t signature_algorithm;

  523.   if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {

  524.     goto err;

  525.   }

  526.   if (!ssl->method->init_message(ssl, &cbb, &body,

  527.                                  SSL3_MT_CERTIFICATE_VERIFY) ||

  528.       !CBB_add_u16(&body, signature_algorithm)) {

  529.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  530.     goto err;

  531.   }

  532. 

  533.   /* Sign the digest. */

  534.   CBB child;

  535.   const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);

  536.   uint8_t *sig;

  537.   size_t sig_len;

  538.   if (!CBB_add_u16_length_prefixed(&body, &child) ||

  539.       !CBB_reserve(&child, &sig, max_sig_len)) {

  540.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  541.     goto err;

  542.   }

  543. 

  544.   enum ssl_private_key_result_t sign_result;

  545.   if (is_first_run) {

  546.     if (!tls13_get_cert_verify_signature_input(

  547.             ssl, &msg, &msg_len,

  548.             ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {

  549.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  550.       goto err;

  551.     }

  552.     sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len,

  553.                                        signature_algorithm, msg, msg_len);

  554.   } else {

  555.     sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len);

  556.   }

  557. 

  558.   if (sign_result != ssl_private_key_success) {

  559.     ret = sign_result;

  560.     goto err;

  561.   }

  562. 

  563.   if (!CBB_did_write(&child, sig_len) ||

  564.       !ssl_add_message_cbb(ssl, &cbb)) {

  565.     goto err;

  566.   }

  567. 

  568.   ret = ssl_private_key_success;

  569. 

  570. err:

  571.   CBB_cleanup(&cbb);

  572.   OPENSSL_free(msg);

  573.   return ret;

  574. }

  575. 

  576. int tls13_add_finished(SSL_HANDSHAKE *hs) {

  577.   SSL *const ssl = hs->ssl;

  578.   size_t verify_data_len;

  579.   uint8_t verify_data[EVP_MAX_MD_SIZE];

  580. 

  581.   if (!tls13_finished_mac(hs, verify_data, &verify_data_len, ssl->server)) {

  582.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  583.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  584.     return 0;

  585.   }

  586. 

  587.   CBB cbb, body;

  588.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||

  589.       !CBB_add_bytes(&body, verify_data, verify_data_len) ||

  590.       !ssl_add_message_cbb(ssl, &cbb)) {

  591.     CBB_cleanup(&cbb);

  592.     return 0;

  593.   }

  594. 

  595.   return 1;

  596. }

  597. 

  598. static int tls13_receive_key_update(SSL *ssl) {

  599.   CBS cbs;

  600.   uint8_t key_update_request;

  601.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  602.   if (!CBS_get_u8(&cbs, &key_update_request) ||

  603.       CBS_len(&cbs) != 0 ||

  604.       (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED &&

  605.        key_update_request != SSL_KEY_UPDATE_REQUESTED)) {

  606.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  607.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  608.     return 0;

  609.   }

  610. 

  611.   /* TODO(svaldez): Send KeyUpdate if |key_update_request| is

  612.    * |SSL_KEY_UPDATE_REQUESTED|. */

  613.   return tls13_rotate_traffic_key(ssl, evp_aead_open);

  614. }

  615. 

  616. int tls13_post_handshake(SSL *ssl) {

  617.   if (ssl->s3->tmp.message_type == SSL3_MT_KEY_UPDATE) {

  618.     ssl->s3->key_update_count++;

  619.     if (ssl->s3->key_update_count > kMaxKeyUpdates) {

  620.       OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);

  621.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  622.       return 0;

  623.     }

  624. 

  625.     return tls13_receive_key_update(ssl);

  626.   }

  627. 

  628.   ssl->s3->key_update_count = 0;

  629. 

  630.   if (ssl->s3->tmp.message_type == SSL3_MT_NEW_SESSION_TICKET &&

  631.       !ssl->server) {

  632.     return tls13_process_new_session_ticket(ssl);

  633.   }

  634. 

  635.   // TODO(svaldez): Handle post-handshake authentication.

  636. 

  637.   ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  638.   OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  639.   return 0;

  640. }