1 /* Copyright (c) 2016, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <assert.h> 18 #include <string.h> 19 20 #include <openssl/bytestring.h> 21 #include <openssl/err.h> 22 #include <openssl/hkdf.h> 23 #include <openssl/mem.h> 24 #include <openssl/stack.h> 25 #include <openssl/x509.h> 26 27 #include "../crypto/internal.h" 28 #include "internal.h" 29 30 31 /* kMaxKeyUpdates is the number of consecutive KeyUpdates that will be 32 * processed. Without this limit an attacker could force unbounded processing 33 * without being able to return application data. */ 34 static const uint8_t kMaxKeyUpdates = 32; 35 36 int tls13_handshake(SSL_HANDSHAKE *hs, int *out_early_return) { 37 SSL *const ssl = hs->ssl; 38 for (;;) { 39 /* Resolve the operation the handshake was waiting on. */ 40 switch (hs->wait) { 41 case ssl_hs_error: 42 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE); 43 return -1; 44 45 case ssl_hs_flush: 46 case ssl_hs_flush_and_read_message: { 47 int ret = ssl->method->flush_flight(ssl); 48 if (ret <= 0) { 49 return ret; 50 } 51 if (hs->wait != ssl_hs_flush_and_read_message) { 52 break; 53 } 54 ssl->method->expect_flight(ssl); 55 hs->wait = ssl_hs_read_message; 56 /* Fall-through. */ 57 } 58 59 case ssl_hs_read_message: { 60 int ret = ssl->method->ssl_get_message(ssl); 61 if (ret <= 0) { 62 return ret; 63 } 64 break; 65 } 66 67 case ssl_hs_read_change_cipher_spec: { 68 int ret = ssl->method->read_change_cipher_spec(ssl); 69 if (ret <= 0) { 70 return ret; 71 } 72 break; 73 } 74 75 case ssl_hs_read_end_of_early_data: { 76 if (ssl->s3->hs->can_early_read) { 77 /* While we are processing early data, the handshake returns early. */ 78 *out_early_return = 1; 79 return 1; 80 } 81 hs->wait = ssl_hs_ok; 82 break; 83 } 84 85 case ssl_hs_x509_lookup: 86 ssl->rwstate = SSL_X509_LOOKUP; 87 hs->wait = ssl_hs_ok; 88 return -1; 89 90 case ssl_hs_channel_id_lookup: 91 ssl->rwstate = SSL_CHANNEL_ID_LOOKUP; 92 hs->wait = ssl_hs_ok; 93 return -1; 94 95 case ssl_hs_private_key_operation: 96 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION; 97 hs->wait = ssl_hs_ok; 98 return -1; 99 100 case ssl_hs_pending_ticket: 101 ssl->rwstate = SSL_PENDING_TICKET; 102 hs->wait = ssl_hs_ok; 103 return -1; 104 105 case ssl_hs_early_data_rejected: 106 ssl->rwstate = SSL_EARLY_DATA_REJECTED; 107 /* Cause |SSL_write| to start failing immediately. */ 108 hs->can_early_write = 0; 109 return -1; 110 111 case ssl_hs_ok: 112 break; 113 } 114 115 /* Run the state machine again. */ 116 hs->wait = hs->do_tls13_handshake(hs); 117 if (hs->wait == ssl_hs_error) { 118 /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the 119 * first time around. */ 120 return -1; 121 } 122 if (hs->wait == ssl_hs_ok) { 123 /* The handshake has completed. */ 124 return 1; 125 } 126 127 /* Otherwise, loop to the beginning and resolve what was blocking the 128 * handshake. */ 129 } 130 } 131 132 int tls13_get_cert_verify_signature_input( 133 SSL_HANDSHAKE *hs, uint8_t **out, size_t *out_len, 134 enum ssl_cert_verify_context_t cert_verify_context) { 135 CBB cbb; 136 if (!CBB_init(&cbb, 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) { 137 goto err; 138 } 139 140 for (size_t i = 0; i < 64; i++) { 141 if (!CBB_add_u8(&cbb, 0x20)) { 142 goto err; 143 } 144 } 145 146 const uint8_t *context; 147 size_t context_len; 148 if (cert_verify_context == ssl_cert_verify_server) { 149 /* Include the NUL byte. */ 150 static const char kContext[] = "TLS 1.3, server CertificateVerify"; 151 context = (const uint8_t *)kContext; 152 context_len = sizeof(kContext); 153 } else if (cert_verify_context == ssl_cert_verify_client) { 154 static const char kContext[] = "TLS 1.3, client CertificateVerify"; 155 context = (const uint8_t *)kContext; 156 context_len = sizeof(kContext); 157 } else if (cert_verify_context == ssl_cert_verify_channel_id) { 158 static const char kContext[] = "TLS 1.3, Channel ID"; 159 context = (const uint8_t *)kContext; 160 context_len = sizeof(kContext); 161 } else { 162 goto err; 163 } 164 165 if (!CBB_add_bytes(&cbb, context, context_len)) { 166 goto err; 167 } 168 169 uint8_t context_hash[EVP_MAX_MD_SIZE]; 170 size_t context_hash_len; 171 if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, context_hash, 172 &context_hash_len) || 173 !CBB_add_bytes(&cbb, context_hash, context_hash_len) || 174 !CBB_finish(&cbb, out, out_len)) { 175 goto err; 176 } 177 178 return 1; 179 180 err: 181 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 182 CBB_cleanup(&cbb); 183 return 0; 184 } 185 186 int tls13_process_certificate(SSL_HANDSHAKE *hs, int allow_anonymous) { 187 SSL *const ssl = hs->ssl; 188 CBS cbs, context, certificate_list; 189 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 190 if (!CBS_get_u8_length_prefixed(&cbs, &context) || 191 CBS_len(&context) != 0) { 192 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 193 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 194 return 0; 195 } 196 197 const int retain_sha256 = 198 ssl->server && ssl->retain_only_sha256_of_client_certs; 199 int ret = 0; 200 201 EVP_PKEY *pkey = NULL; 202 STACK_OF(CRYPTO_BUFFER) *certs = sk_CRYPTO_BUFFER_new_null(); 203 if (certs == NULL) { 204 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 205 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 206 goto err; 207 } 208 209 if (!CBS_get_u24_length_prefixed(&cbs, &certificate_list)) { 210 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 211 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 212 goto err; 213 } 214 215 while (CBS_len(&certificate_list) > 0) { 216 CBS certificate, extensions; 217 if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) || 218 !CBS_get_u16_length_prefixed(&certificate_list, &extensions) || 219 CBS_len(&certificate) == 0) { 220 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 221 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH); 222 goto err; 223 } 224 225 if (sk_CRYPTO_BUFFER_num(certs) == 0) { 226 pkey = ssl_cert_parse_pubkey(&certificate); 227 if (pkey == NULL) { 228 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 229 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 230 goto err; 231 } 232 /* TLS 1.3 always uses certificate keys for signing thus the correct 233 * keyUsage is enforced. */ 234 if (!ssl_cert_check_digital_signature_key_usage(&certificate)) { 235 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 236 goto err; 237 } 238 239 if (retain_sha256) { 240 /* Retain the hash of the leaf certificate if requested. */ 241 SHA256(CBS_data(&certificate), CBS_len(&certificate), 242 hs->new_session->peer_sha256); 243 } 244 } 245 246 CRYPTO_BUFFER *buf = 247 CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool); 248 if (buf == NULL || 249 !sk_CRYPTO_BUFFER_push(certs, buf)) { 250 CRYPTO_BUFFER_free(buf); 251 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 252 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 253 goto err; 254 } 255 256 /* Parse out the extensions. */ 257 int have_status_request = 0, have_sct = 0; 258 CBS status_request, sct; 259 const SSL_EXTENSION_TYPE ext_types[] = { 260 {TLSEXT_TYPE_status_request, &have_status_request, &status_request}, 261 {TLSEXT_TYPE_certificate_timestamp, &have_sct, &sct}, 262 }; 263 264 uint8_t alert = SSL_AD_DECODE_ERROR; 265 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 266 OPENSSL_ARRAY_SIZE(ext_types), 267 0 /* reject unknown */)) { 268 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 269 goto err; 270 } 271 272 /* All Certificate extensions are parsed, but only the leaf extensions are 273 * stored. */ 274 if (have_status_request) { 275 if (ssl->server || !ssl->ocsp_stapling_enabled) { 276 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 277 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 278 goto err; 279 } 280 281 uint8_t status_type; 282 CBS ocsp_response; 283 if (!CBS_get_u8(&status_request, &status_type) || 284 status_type != TLSEXT_STATUSTYPE_ocsp || 285 !CBS_get_u24_length_prefixed(&status_request, &ocsp_response) || 286 CBS_len(&ocsp_response) == 0 || 287 CBS_len(&status_request) != 0) { 288 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 289 goto err; 290 } 291 292 if (sk_CRYPTO_BUFFER_num(certs) == 1 && 293 !CBS_stow(&ocsp_response, &hs->new_session->ocsp_response, 294 &hs->new_session->ocsp_response_length)) { 295 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 296 goto err; 297 } 298 } 299 300 if (have_sct) { 301 if (ssl->server || !ssl->signed_cert_timestamps_enabled) { 302 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 303 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 304 goto err; 305 } 306 307 if (!ssl_is_sct_list_valid(&sct)) { 308 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION); 309 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 310 goto err; 311 } 312 313 if (sk_CRYPTO_BUFFER_num(certs) == 1 && 314 !CBS_stow( 315 &sct, &hs->new_session->tlsext_signed_cert_timestamp_list, 316 &hs->new_session->tlsext_signed_cert_timestamp_list_length)) { 317 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 318 goto err; 319 } 320 } 321 } 322 323 if (CBS_len(&cbs) != 0) { 324 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 325 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 326 goto err; 327 } 328 329 EVP_PKEY_free(hs->peer_pubkey); 330 hs->peer_pubkey = pkey; 331 pkey = NULL; 332 333 sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free); 334 hs->new_session->certs = certs; 335 certs = NULL; 336 337 if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session)) { 338 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 339 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 340 goto err; 341 } 342 343 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { 344 if (!allow_anonymous) { 345 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 346 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED); 347 goto err; 348 } 349 350 /* OpenSSL returns X509_V_OK when no certificates are requested. This is 351 * classed by them as a bug, but it's assumed by at least NGINX. */ 352 hs->new_session->verify_result = X509_V_OK; 353 354 /* No certificate, so nothing more to do. */ 355 ret = 1; 356 goto err; 357 } 358 359 hs->new_session->peer_sha256_valid = retain_sha256; 360 361 if (!ssl->ctx->x509_method->session_verify_cert_chain(hs->new_session, 362 ssl)) { 363 goto err; 364 } 365 366 ret = 1; 367 368 err: 369 sk_CRYPTO_BUFFER_pop_free(certs, CRYPTO_BUFFER_free); 370 EVP_PKEY_free(pkey); 371 return ret; 372 } 373 374 int tls13_process_certificate_verify(SSL_HANDSHAKE *hs) { 375 SSL *const ssl = hs->ssl; 376 if (hs->peer_pubkey == NULL) { 377 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 378 return 0; 379 } 380 381 CBS cbs, signature; 382 uint16_t signature_algorithm; 383 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 384 if (!CBS_get_u16(&cbs, &signature_algorithm) || 385 !CBS_get_u16_length_prefixed(&cbs, &signature) || 386 CBS_len(&cbs) != 0) { 387 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 388 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 389 return 0; 390 } 391 392 uint8_t alert = SSL_AD_DECODE_ERROR; 393 if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) { 394 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 395 return 0; 396 } 397 hs->new_session->peer_signature_algorithm = signature_algorithm; 398 399 uint8_t *msg = NULL; 400 size_t msg_len; 401 if (!tls13_get_cert_verify_signature_input( 402 hs, &msg, &msg_len, 403 ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) { 404 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 405 return 0; 406 } 407 bssl::UniquePtr<uint8_t> free_msg(msg); 408 409 int sig_ok = 410 ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature), 411 signature_algorithm, hs->peer_pubkey, msg, msg_len); 412 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 413 sig_ok = 1; 414 ERR_clear_error(); 415 #endif 416 if (!sig_ok) { 417 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); 418 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 419 return 0; 420 } 421 422 return 1; 423 } 424 425 int tls13_process_finished(SSL_HANDSHAKE *hs, int use_saved_value) { 426 SSL *const ssl = hs->ssl; 427 uint8_t verify_data_buf[EVP_MAX_MD_SIZE]; 428 const uint8_t *verify_data; 429 size_t verify_data_len; 430 if (use_saved_value) { 431 assert(ssl->server); 432 verify_data = hs->expected_client_finished; 433 verify_data_len = hs->hash_len; 434 } else { 435 if (!tls13_finished_mac(hs, verify_data_buf, &verify_data_len, 436 !ssl->server)) { 437 return 0; 438 } 439 verify_data = verify_data_buf; 440 } 441 442 int finished_ok = 443 ssl->init_num == verify_data_len && 444 CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) == 0; 445 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 446 finished_ok = 1; 447 #endif 448 if (!finished_ok) { 449 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 450 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED); 451 return 0; 452 } 453 454 return 1; 455 } 456 457 int tls13_add_certificate(SSL_HANDSHAKE *hs) { 458 SSL *const ssl = hs->ssl; 459 bssl::ScopedCBB cbb; 460 CBB body, certificate_list; 461 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) || 462 /* The request context is always empty in the handshake. */ 463 !CBB_add_u8(&body, 0) || 464 !CBB_add_u24_length_prefixed(&body, &certificate_list)) { 465 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 466 return 0; 467 } 468 469 if (!ssl_has_certificate(ssl)) { 470 return ssl_add_message_cbb(ssl, cbb.get()); 471 } 472 473 CERT *cert = ssl->cert; 474 CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cert->chain, 0); 475 CBB leaf, extensions; 476 if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) || 477 !CBB_add_bytes(&leaf, CRYPTO_BUFFER_data(leaf_buf), 478 CRYPTO_BUFFER_len(leaf_buf)) || 479 !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) { 480 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 481 return 0; 482 } 483 484 if (hs->scts_requested && ssl->cert->signed_cert_timestamp_list != NULL) { 485 CBB contents; 486 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) || 487 !CBB_add_u16_length_prefixed(&extensions, &contents) || 488 !CBB_add_bytes( 489 &contents, 490 CRYPTO_BUFFER_data(ssl->cert->signed_cert_timestamp_list), 491 CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) || 492 !CBB_flush(&extensions)) { 493 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 494 return 0; 495 } 496 } 497 498 if (hs->ocsp_stapling_requested && 499 ssl->cert->ocsp_response != NULL) { 500 CBB contents, ocsp_response; 501 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) || 502 !CBB_add_u16_length_prefixed(&extensions, &contents) || 503 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) || 504 !CBB_add_u24_length_prefixed(&contents, &ocsp_response) || 505 !CBB_add_bytes(&ocsp_response, 506 CRYPTO_BUFFER_data(ssl->cert->ocsp_response), 507 CRYPTO_BUFFER_len(ssl->cert->ocsp_response)) || 508 !CBB_flush(&extensions)) { 509 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 510 return 0; 511 } 512 } 513 514 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain); i++) { 515 CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cert->chain, i); 516 CBB child; 517 if (!CBB_add_u24_length_prefixed(&certificate_list, &child) || 518 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cert_buf), 519 CRYPTO_BUFFER_len(cert_buf)) || 520 !CBB_add_u16(&certificate_list, 0 /* no extensions */)) { 521 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 522 return 0; 523 } 524 } 525 526 return ssl_add_message_cbb(ssl, cbb.get()); 527 } 528 529 enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) { 530 SSL *const ssl = hs->ssl; 531 uint16_t signature_algorithm; 532 if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { 533 return ssl_private_key_failure; 534 } 535 536 bssl::ScopedCBB cbb; 537 CBB body; 538 if (!ssl->method->init_message(ssl, cbb.get(), &body, 539 SSL3_MT_CERTIFICATE_VERIFY) || 540 !CBB_add_u16(&body, signature_algorithm)) { 541 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 542 return ssl_private_key_failure; 543 } 544 545 /* Sign the digest. */ 546 CBB child; 547 const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey); 548 uint8_t *sig; 549 size_t sig_len; 550 if (!CBB_add_u16_length_prefixed(&body, &child) || 551 !CBB_reserve(&child, &sig, max_sig_len)) { 552 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 553 return ssl_private_key_failure; 554 } 555 556 uint8_t *msg = NULL; 557 size_t msg_len; 558 if (!tls13_get_cert_verify_signature_input( 559 hs, &msg, &msg_len, 560 ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) { 561 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 562 return ssl_private_key_failure; 563 } 564 bssl::UniquePtr<uint8_t> free_msg(msg); 565 566 enum ssl_private_key_result_t sign_result = ssl_private_key_sign( 567 hs, sig, &sig_len, max_sig_len, signature_algorithm, msg, msg_len); 568 if (sign_result != ssl_private_key_success) { 569 return sign_result; 570 } 571 572 if (!CBB_did_write(&child, sig_len) || 573 !ssl_add_message_cbb(ssl, cbb.get())) { 574 return ssl_private_key_failure; 575 } 576 577 return ssl_private_key_success; 578 } 579 580 int tls13_add_finished(SSL_HANDSHAKE *hs) { 581 SSL *const ssl = hs->ssl; 582 size_t verify_data_len; 583 uint8_t verify_data[EVP_MAX_MD_SIZE]; 584 585 if (!tls13_finished_mac(hs, verify_data, &verify_data_len, ssl->server)) { 586 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 587 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED); 588 return 0; 589 } 590 591 CBB cbb, body; 592 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) || 593 !CBB_add_bytes(&body, verify_data, verify_data_len) || 594 !ssl_add_message_cbb(ssl, &cbb)) { 595 CBB_cleanup(&cbb); 596 return 0; 597 } 598 599 return 1; 600 } 601 602 static int tls13_receive_key_update(SSL *ssl) { 603 CBS cbs; 604 uint8_t key_update_request; 605 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 606 if (!CBS_get_u8(&cbs, &key_update_request) || 607 CBS_len(&cbs) != 0 || 608 (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED && 609 key_update_request != SSL_KEY_UPDATE_REQUESTED)) { 610 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 611 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 612 return 0; 613 } 614 615 if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) { 616 return 0; 617 } 618 619 /* Acknowledge the KeyUpdate */ 620 if (key_update_request == SSL_KEY_UPDATE_REQUESTED && 621 !ssl->s3->key_update_pending) { 622 CBB cbb, body; 623 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_KEY_UPDATE) || 624 !CBB_add_u8(&body, SSL_KEY_UPDATE_NOT_REQUESTED) || 625 !ssl_add_message_cbb(ssl, &cbb) || 626 !tls13_rotate_traffic_key(ssl, evp_aead_seal)) { 627 CBB_cleanup(&cbb); 628 return 0; 629 } 630 631 /* Suppress KeyUpdate acknowledgments until this change is written to the 632 * wire. This prevents us from accumulating write obligations when read and 633 * write progress at different rates. See draft-ietf-tls-tls13-18, section 634 * 4.5.3. */ 635 ssl->s3->key_update_pending = 1; 636 } 637 638 return 1; 639 } 640 641 int tls13_post_handshake(SSL *ssl) { 642 if (ssl->s3->tmp.message_type == SSL3_MT_KEY_UPDATE) { 643 ssl->s3->key_update_count++; 644 if (ssl->s3->key_update_count > kMaxKeyUpdates) { 645 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES); 646 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 647 return 0; 648 } 649 650 return tls13_receive_key_update(ssl); 651 } 652 653 ssl->s3->key_update_count = 0; 654 655 if (ssl->s3->tmp.message_type == SSL3_MT_NEW_SESSION_TICKET && 656 !ssl->server) { 657 return tls13_process_new_session_ticket(ssl); 658 } 659 660 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 661 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 662 return 0; 663 } 664