1 /* Copyright (c) 2016, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <assert.h> 18 #include <string.h> 19 20 #include <utility> 21 22 #include <openssl/bytestring.h> 23 #include <openssl/err.h> 24 #include <openssl/hkdf.h> 25 #include <openssl/mem.h> 26 #include <openssl/stack.h> 27 #include <openssl/x509.h> 28 29 #include "../crypto/internal.h" 30 #include "internal.h" 31 32 33 namespace bssl { 34 35 // kMaxKeyUpdates is the number of consecutive KeyUpdates that will be 36 // processed. Without this limit an attacker could force unbounded processing 37 // without being able to return application data. 38 static const uint8_t kMaxKeyUpdates = 32; 39 40 const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE] = { 41 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c, 42 0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 43 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 44 }; 45 46 // This value was selected by truncating the SHA-256 hash of "Draft TLS 1.3 47 // Downgrade" to 8 bytes: 48 // 49 // echo -n 'Draft TLS 1.3 Downgrade' | sha256sum | head -c 16 50 const uint8_t kDraftDowngradeRandom[8] = {0x95, 0xb9, 0x9f, 0x87, 51 0x22, 0xfe, 0x9b, 0x64}; 52 53 54 bool tls13_get_cert_verify_signature_input( 55 SSL_HANDSHAKE *hs, Array<uint8_t> *out, 56 enum ssl_cert_verify_context_t cert_verify_context) { 57 ScopedCBB cbb; 58 if (!CBB_init(cbb.get(), 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) { 59 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 60 return false; 61 } 62 63 for (size_t i = 0; i < 64; i++) { 64 if (!CBB_add_u8(cbb.get(), 0x20)) { 65 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 66 return false; 67 } 68 } 69 70 Span<const char> context; 71 if (cert_verify_context == ssl_cert_verify_server) { 72 static const char kContext[] = "TLS 1.3, server CertificateVerify"; 73 context = kContext; 74 } else if (cert_verify_context == ssl_cert_verify_client) { 75 static const char kContext[] = "TLS 1.3, client CertificateVerify"; 76 context = kContext; 77 } else if (cert_verify_context == ssl_cert_verify_channel_id) { 78 static const char kContext[] = "TLS 1.3, Channel ID"; 79 context = kContext; 80 } else { 81 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 82 return false; 83 } 84 85 // Note |context| includes the NUL byte separator. 86 if (!CBB_add_bytes(cbb.get(), 87 reinterpret_cast<const uint8_t *>(context.data()), 88 context.size())) { 89 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 90 return false; 91 } 92 93 uint8_t context_hash[EVP_MAX_MD_SIZE]; 94 size_t context_hash_len; 95 if (!hs->transcript.GetHash(context_hash, &context_hash_len) || 96 !CBB_add_bytes(cbb.get(), context_hash, context_hash_len) || 97 !CBBFinishArray(cbb.get(), out)) { 98 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 99 return false; 100 } 101 102 return true; 103 } 104 105 int tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, 106 int allow_anonymous) { 107 SSL *const ssl = hs->ssl; 108 CBS body = msg.body, context, certificate_list; 109 if (!CBS_get_u8_length_prefixed(&body, &context) || 110 CBS_len(&context) != 0 || 111 !CBS_get_u24_length_prefixed(&body, &certificate_list) || 112 CBS_len(&body) != 0) { 113 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 114 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 115 return 0; 116 } 117 118 UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs(sk_CRYPTO_BUFFER_new_null()); 119 if (!certs) { 120 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 121 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 122 return 0; 123 } 124 125 const bool retain_sha256 = 126 ssl->server && ssl->retain_only_sha256_of_client_certs; 127 UniquePtr<EVP_PKEY> pkey; 128 while (CBS_len(&certificate_list) > 0) { 129 CBS certificate, extensions; 130 if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) || 131 !CBS_get_u16_length_prefixed(&certificate_list, &extensions) || 132 CBS_len(&certificate) == 0) { 133 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 134 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH); 135 return 0; 136 } 137 138 if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) { 139 pkey = ssl_cert_parse_pubkey(&certificate); 140 if (!pkey) { 141 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 142 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 143 return 0; 144 } 145 // TLS 1.3 always uses certificate keys for signing thus the correct 146 // keyUsage is enforced. 147 if (!ssl_cert_check_digital_signature_key_usage(&certificate)) { 148 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 149 return 0; 150 } 151 152 if (retain_sha256) { 153 // Retain the hash of the leaf certificate if requested. 154 SHA256(CBS_data(&certificate), CBS_len(&certificate), 155 hs->new_session->peer_sha256); 156 } 157 } 158 159 UniquePtr<CRYPTO_BUFFER> buf( 160 CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool)); 161 if (!buf || 162 !PushToStack(certs.get(), std::move(buf))) { 163 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 164 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 165 return 0; 166 } 167 168 // Parse out the extensions. 169 bool have_status_request = false, have_sct = false; 170 CBS status_request, sct; 171 const SSL_EXTENSION_TYPE ext_types[] = { 172 {TLSEXT_TYPE_status_request, &have_status_request, &status_request}, 173 {TLSEXT_TYPE_certificate_timestamp, &have_sct, &sct}, 174 }; 175 176 uint8_t alert = SSL_AD_DECODE_ERROR; 177 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 178 OPENSSL_ARRAY_SIZE(ext_types), 179 0 /* reject unknown */)) { 180 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 181 return 0; 182 } 183 184 // All Certificate extensions are parsed, but only the leaf extensions are 185 // stored. 186 if (have_status_request) { 187 if (ssl->server || !ssl->ocsp_stapling_enabled) { 188 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 189 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 190 return 0; 191 } 192 193 uint8_t status_type; 194 CBS ocsp_response; 195 if (!CBS_get_u8(&status_request, &status_type) || 196 status_type != TLSEXT_STATUSTYPE_ocsp || 197 !CBS_get_u24_length_prefixed(&status_request, &ocsp_response) || 198 CBS_len(&ocsp_response) == 0 || 199 CBS_len(&status_request) != 0) { 200 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 201 return 0; 202 } 203 204 if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) { 205 CRYPTO_BUFFER_free(hs->new_session->ocsp_response); 206 hs->new_session->ocsp_response = 207 CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool); 208 if (hs->new_session->ocsp_response == nullptr) { 209 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 210 return 0; 211 } 212 } 213 } 214 215 if (have_sct) { 216 if (ssl->server || !ssl->signed_cert_timestamps_enabled) { 217 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 218 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 219 return 0; 220 } 221 222 if (!ssl_is_sct_list_valid(&sct)) { 223 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION); 224 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 225 return 0; 226 } 227 228 if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) { 229 CRYPTO_BUFFER_free(hs->new_session->signed_cert_timestamp_list); 230 hs->new_session->signed_cert_timestamp_list = 231 CRYPTO_BUFFER_new_from_CBS(&sct, ssl->ctx->pool); 232 if (hs->new_session->signed_cert_timestamp_list == nullptr) { 233 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 234 return 0; 235 } 236 } 237 } 238 } 239 240 // Store a null certificate list rather than an empty one if the peer didn't 241 // send certificates. 242 if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) { 243 certs.reset(); 244 } 245 246 hs->peer_pubkey = std::move(pkey); 247 248 sk_CRYPTO_BUFFER_pop_free(hs->new_session->certs, CRYPTO_BUFFER_free); 249 hs->new_session->certs = certs.release(); 250 251 if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) { 252 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 253 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 254 return 0; 255 } 256 257 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { 258 if (!allow_anonymous) { 259 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 260 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED); 261 return 0; 262 } 263 264 // OpenSSL returns X509_V_OK when no certificates are requested. This is 265 // classed by them as a bug, but it's assumed by at least NGINX. 266 hs->new_session->verify_result = X509_V_OK; 267 268 // No certificate, so nothing more to do. 269 return 1; 270 } 271 272 hs->new_session->peer_sha256_valid = retain_sha256; 273 return 1; 274 } 275 276 int tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg) { 277 SSL *const ssl = hs->ssl; 278 if (hs->peer_pubkey == NULL) { 279 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 280 return 0; 281 } 282 283 CBS body = msg.body, signature; 284 uint16_t signature_algorithm; 285 if (!CBS_get_u16(&body, &signature_algorithm) || 286 !CBS_get_u16_length_prefixed(&body, &signature) || 287 CBS_len(&body) != 0) { 288 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 289 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 290 return 0; 291 } 292 293 uint8_t alert = SSL_AD_DECODE_ERROR; 294 if (!tls12_check_peer_sigalg(ssl, &alert, signature_algorithm)) { 295 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 296 return 0; 297 } 298 hs->new_session->peer_signature_algorithm = signature_algorithm; 299 300 Array<uint8_t> input; 301 if (!tls13_get_cert_verify_signature_input( 302 hs, &input, 303 ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) { 304 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 305 return 0; 306 } 307 308 bool sig_ok = ssl_public_key_verify(ssl, signature, signature_algorithm, 309 hs->peer_pubkey.get(), input); 310 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 311 sig_ok = true; 312 ERR_clear_error(); 313 #endif 314 if (!sig_ok) { 315 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); 316 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 317 return 0; 318 } 319 320 return 1; 321 } 322 323 int tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg, 324 int use_saved_value) { 325 SSL *const ssl = hs->ssl; 326 uint8_t verify_data_buf[EVP_MAX_MD_SIZE]; 327 const uint8_t *verify_data; 328 size_t verify_data_len; 329 if (use_saved_value) { 330 assert(ssl->server); 331 verify_data = hs->expected_client_finished; 332 verify_data_len = hs->hash_len; 333 } else { 334 if (!tls13_finished_mac(hs, verify_data_buf, &verify_data_len, 335 !ssl->server)) { 336 return 0; 337 } 338 verify_data = verify_data_buf; 339 } 340 341 int finished_ok = CBS_mem_equal(&msg.body, verify_data, verify_data_len); 342 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) 343 finished_ok = 1; 344 #endif 345 if (!finished_ok) { 346 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); 347 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED); 348 return 0; 349 } 350 351 return 1; 352 } 353 354 int tls13_add_certificate(SSL_HANDSHAKE *hs) { 355 SSL *const ssl = hs->ssl; 356 ScopedCBB cbb; 357 CBB body, certificate_list; 358 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CERTIFICATE) || 359 // The request context is always empty in the handshake. 360 !CBB_add_u8(&body, 0) || 361 !CBB_add_u24_length_prefixed(&body, &certificate_list)) { 362 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 363 return 0; 364 } 365 366 if (!ssl_has_certificate(ssl)) { 367 return ssl_add_message_cbb(ssl, cbb.get()); 368 } 369 370 CERT *cert = ssl->cert; 371 CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cert->chain, 0); 372 CBB leaf, extensions; 373 if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) || 374 !CBB_add_bytes(&leaf, CRYPTO_BUFFER_data(leaf_buf), 375 CRYPTO_BUFFER_len(leaf_buf)) || 376 !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) { 377 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 378 return 0; 379 } 380 381 if (hs->scts_requested && ssl->cert->signed_cert_timestamp_list != NULL) { 382 CBB contents; 383 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) || 384 !CBB_add_u16_length_prefixed(&extensions, &contents) || 385 !CBB_add_bytes( 386 &contents, 387 CRYPTO_BUFFER_data(ssl->cert->signed_cert_timestamp_list), 388 CRYPTO_BUFFER_len(ssl->cert->signed_cert_timestamp_list)) || 389 !CBB_flush(&extensions)) { 390 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 391 return 0; 392 } 393 } 394 395 if (hs->ocsp_stapling_requested && 396 ssl->cert->ocsp_response != NULL) { 397 CBB contents, ocsp_response; 398 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) || 399 !CBB_add_u16_length_prefixed(&extensions, &contents) || 400 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) || 401 !CBB_add_u24_length_prefixed(&contents, &ocsp_response) || 402 !CBB_add_bytes(&ocsp_response, 403 CRYPTO_BUFFER_data(ssl->cert->ocsp_response), 404 CRYPTO_BUFFER_len(ssl->cert->ocsp_response)) || 405 !CBB_flush(&extensions)) { 406 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 407 return 0; 408 } 409 } 410 411 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain); i++) { 412 CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cert->chain, i); 413 CBB child; 414 if (!CBB_add_u24_length_prefixed(&certificate_list, &child) || 415 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cert_buf), 416 CRYPTO_BUFFER_len(cert_buf)) || 417 !CBB_add_u16(&certificate_list, 0 /* no extensions */)) { 418 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 419 return 0; 420 } 421 } 422 423 return ssl_add_message_cbb(ssl, cbb.get()); 424 } 425 426 enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) { 427 SSL *const ssl = hs->ssl; 428 uint16_t signature_algorithm; 429 if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) { 430 return ssl_private_key_failure; 431 } 432 433 ScopedCBB cbb; 434 CBB body; 435 if (!ssl->method->init_message(ssl, cbb.get(), &body, 436 SSL3_MT_CERTIFICATE_VERIFY) || 437 !CBB_add_u16(&body, signature_algorithm)) { 438 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 439 return ssl_private_key_failure; 440 } 441 442 // Sign the digest. 443 CBB child; 444 const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get()); 445 uint8_t *sig; 446 size_t sig_len; 447 if (!CBB_add_u16_length_prefixed(&body, &child) || 448 !CBB_reserve(&child, &sig, max_sig_len)) { 449 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 450 return ssl_private_key_failure; 451 } 452 453 Array<uint8_t> msg; 454 if (!tls13_get_cert_verify_signature_input( 455 hs, &msg, 456 ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) { 457 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 458 return ssl_private_key_failure; 459 } 460 461 enum ssl_private_key_result_t sign_result = ssl_private_key_sign( 462 hs, sig, &sig_len, max_sig_len, signature_algorithm, msg); 463 if (sign_result != ssl_private_key_success) { 464 return sign_result; 465 } 466 467 if (!CBB_did_write(&child, sig_len) || 468 !ssl_add_message_cbb(ssl, cbb.get())) { 469 return ssl_private_key_failure; 470 } 471 472 return ssl_private_key_success; 473 } 474 475 int tls13_add_finished(SSL_HANDSHAKE *hs) { 476 SSL *const ssl = hs->ssl; 477 size_t verify_data_len; 478 uint8_t verify_data[EVP_MAX_MD_SIZE]; 479 480 if (!tls13_finished_mac(hs, verify_data, &verify_data_len, ssl->server)) { 481 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 482 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED); 483 return 0; 484 } 485 486 ScopedCBB cbb; 487 CBB body; 488 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) || 489 !CBB_add_bytes(&body, verify_data, verify_data_len) || 490 !ssl_add_message_cbb(ssl, cbb.get())) { 491 return 0; 492 } 493 494 return 1; 495 } 496 497 static int tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) { 498 CBS body = msg.body; 499 uint8_t key_update_request; 500 if (!CBS_get_u8(&body, &key_update_request) || 501 CBS_len(&body) != 0 || 502 (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED && 503 key_update_request != SSL_KEY_UPDATE_REQUESTED)) { 504 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 505 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 506 return 0; 507 } 508 509 if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) { 510 return 0; 511 } 512 513 // Acknowledge the KeyUpdate 514 if (key_update_request == SSL_KEY_UPDATE_REQUESTED && 515 !ssl->s3->key_update_pending) { 516 ScopedCBB cbb; 517 CBB body_cbb; 518 if (!ssl->method->init_message(ssl, cbb.get(), &body_cbb, 519 SSL3_MT_KEY_UPDATE) || 520 !CBB_add_u8(&body_cbb, SSL_KEY_UPDATE_NOT_REQUESTED) || 521 !ssl_add_message_cbb(ssl, cbb.get()) || 522 !tls13_rotate_traffic_key(ssl, evp_aead_seal)) { 523 return 0; 524 } 525 526 // Suppress KeyUpdate acknowledgments until this change is written to the 527 // wire. This prevents us from accumulating write obligations when read and 528 // write progress at different rates. See draft-ietf-tls-tls13-18, section 529 // 4.5.3. 530 ssl->s3->key_update_pending = true; 531 } 532 533 return 1; 534 } 535 536 int tls13_post_handshake(SSL *ssl, const SSLMessage &msg) { 537 if (msg.type == SSL3_MT_KEY_UPDATE) { 538 ssl->s3->key_update_count++; 539 if (ssl->s3->key_update_count > kMaxKeyUpdates) { 540 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES); 541 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 542 return 0; 543 } 544 545 return tls13_receive_key_update(ssl, msg); 546 } 547 548 ssl->s3->key_update_count = 0; 549 550 if (msg.type == SSL3_MT_NEW_SESSION_TICKET && !ssl->server) { 551 return tls13_process_new_session_ticket(ssl, msg); 552 } 553 554 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 555 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 556 return 0; 557 } 558 559 } // namespace bssl 560