Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 2 | * All rights reserved. |
| 3 | * |
| 4 | * This package is an SSL implementation written |
| 5 | * by Eric Young (eay@cryptsoft.com). |
| 6 | * The implementation was written so as to conform with Netscapes SSL. |
| 7 | * |
| 8 | * This library is free for commercial and non-commercial use as long as |
| 9 | * the following conditions are aheared to. The following conditions |
| 10 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 12 | * included with this distribution is covered by the same copyright terms |
| 13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 14 | * |
| 15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 16 | * the code are not to be removed. |
| 17 | * If this package is used in a product, Eric Young should be given attribution |
| 18 | * as the author of the parts of the library used. |
| 19 | * This can be in the form of a textual message at program startup or |
| 20 | * in documentation (online or textual) provided with the package. |
| 21 | * |
| 22 | * Redistribution and use in source and binary forms, with or without |
| 23 | * modification, are permitted provided that the following conditions |
| 24 | * are met: |
| 25 | * 1. Redistributions of source code must retain the copyright |
| 26 | * notice, this list of conditions and the following disclaimer. |
| 27 | * 2. Redistributions in binary form must reproduce the above copyright |
| 28 | * notice, this list of conditions and the following disclaimer in the |
| 29 | * documentation and/or other materials provided with the distribution. |
| 30 | * 3. All advertising materials mentioning features or use of this software |
| 31 | * must display the following acknowledgement: |
| 32 | * "This product includes cryptographic software written by |
| 33 | * Eric Young (eay@cryptsoft.com)" |
| 34 | * The word 'cryptographic' can be left out if the rouines from the library |
| 35 | * being used are not cryptographic related :-). |
| 36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 37 | * the apps directory (application code) you must include an acknowledgement: |
| 38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 39 | * |
| 40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 50 | * SUCH DAMAGE. |
| 51 | * |
| 52 | * The licence and distribution terms for any publically available version or |
| 53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 54 | * copied and put under another distribution licence |
| 55 | * [including the GNU Public Licence.] |
| 56 | */ |
| 57 | /* ==================================================================== |
| 58 | * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. |
| 59 | * |
| 60 | * Redistribution and use in source and binary forms, with or without |
| 61 | * modification, are permitted provided that the following conditions |
| 62 | * are met: |
| 63 | * |
| 64 | * 1. Redistributions of source code must retain the above copyright |
| 65 | * notice, this list of conditions and the following disclaimer. |
| 66 | * |
| 67 | * 2. Redistributions in binary form must reproduce the above copyright |
| 68 | * notice, this list of conditions and the following disclaimer in |
| 69 | * the documentation and/or other materials provided with the |
| 70 | * distribution. |
| 71 | * |
| 72 | * 3. All advertising materials mentioning features or use of this |
| 73 | * software must display the following acknowledgment: |
| 74 | * "This product includes software developed by the OpenSSL Project |
| 75 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 76 | * |
| 77 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 78 | * endorse or promote products derived from this software without |
| 79 | * prior written permission. For written permission, please contact |
| 80 | * openssl-core@openssl.org. |
| 81 | * |
| 82 | * 5. Products derived from this software may not be called "OpenSSL" |
| 83 | * nor may "OpenSSL" appear in their names without prior written |
| 84 | * permission of the OpenSSL Project. |
| 85 | * |
| 86 | * 6. Redistributions of any form whatsoever must retain the following |
| 87 | * acknowledgment: |
| 88 | * "This product includes software developed by the OpenSSL Project |
| 89 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 90 | * |
| 91 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 92 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 93 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 94 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 95 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 96 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 97 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 98 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 99 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 100 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 101 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 102 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 103 | * ==================================================================== |
| 104 | * |
| 105 | * This product includes cryptographic software written by Eric Young |
| 106 | * (eay@cryptsoft.com). This product includes software written by Tim |
| 107 | * Hudson (tjh@cryptsoft.com). */ |
| 108 | /* ==================================================================== |
| 109 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
| 110 | * ECC cipher suite support in OpenSSL originally developed by |
| 111 | * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ |
| 112 | |
| 113 | #include <openssl/ssl.h> |
| 114 | |
| 115 | #include <assert.h> |
| 116 | |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 117 | #include <utility> |
| 118 | |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame] | 119 | #include <openssl/rand.h> |
| 120 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 121 | #include "../crypto/internal.h" |
| 122 | #include "internal.h" |
| 123 | |
| 124 | |
Robert Sloan | 726e9d1 | 2018-09-11 11:45:04 -0700 | [diff] [blame] | 125 | BSSL_NAMESPACE_BEGIN |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 126 | |
| 127 | SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg) |
| 128 | : ssl(ssl_arg), |
| 129 | scts_requested(false), |
| 130 | needs_psk_binder(false), |
| 131 | received_hello_retry_request(false), |
Robert Sloan | d5c2215 | 2017-11-13 09:22:12 -0800 | [diff] [blame] | 132 | sent_hello_retry_request(false), |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 133 | handshake_finalized(false), |
| 134 | accept_psk_mode(false), |
| 135 | cert_request(false), |
| 136 | certificate_status_expected(false), |
| 137 | ocsp_stapling_requested(false), |
Robert Sloan | 4c22c5f | 2019-03-01 15:53:37 -0800 | [diff] [blame] | 138 | delegated_credential_requested(false), |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 139 | should_ack_sni(false), |
| 140 | in_false_start(false), |
| 141 | in_early_data(false), |
| 142 | early_data_offered(false), |
| 143 | can_early_read(false), |
| 144 | can_early_write(false), |
| 145 | next_proto_neg_seen(false), |
| 146 | ticket_expected(false), |
| 147 | extended_master_secret(false), |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame] | 148 | pending_private_key_op(false), |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 149 | grease_seeded(false), |
| 150 | handback(false), |
Robert Sloan | c9abfe4 | 2018-11-26 12:19:07 -0800 | [diff] [blame] | 151 | cert_compression_negotiated(false), |
| 152 | apply_jdk11_workaround(false) { |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 153 | assert(ssl); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 154 | } |
| 155 | |
| 156 | SSL_HANDSHAKE::~SSL_HANDSHAKE() { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 157 | ssl->ctx->x509_method->hs_flush_cached_ca_names(this); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 158 | } |
| 159 | |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 160 | UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl) { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 161 | UniquePtr<SSL_HANDSHAKE> hs = MakeUnique<SSL_HANDSHAKE>(ssl); |
Robert Sloan | d9e572d | 2018-08-27 12:27:00 -0700 | [diff] [blame] | 162 | if (!hs || !hs->transcript.Init()) { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 163 | return nullptr; |
| 164 | } |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 165 | hs->config = ssl->config.get(); |
| 166 | if (!hs->config) { |
| 167 | assert(hs->config); |
| 168 | return nullptr; |
| 169 | } |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 170 | return hs; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 171 | } |
| 172 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 173 | bool ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type) { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 174 | if (msg.type != type) { |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 175 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 176 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); |
| 177 | ERR_add_error_dataf("got type %d, wanted type %d", msg.type, type); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 178 | return false; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 179 | } |
| 180 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 181 | return true; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 182 | } |
| 183 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 184 | bool ssl_add_message_cbb(SSL *ssl, CBB *cbb) { |
Robert Sloan | 4562e9d | 2017-10-02 10:26:51 -0700 | [diff] [blame] | 185 | Array<uint8_t> msg; |
| 186 | if (!ssl->method->finish_message(ssl, cbb, &msg) || |
| 187 | !ssl->method->add_message(ssl, std::move(msg))) { |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 188 | return false; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 189 | } |
| 190 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 191 | return true; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 192 | } |
| 193 | |
| 194 | size_t ssl_max_handshake_message_len(const SSL *ssl) { |
| 195 | // kMaxMessageLen is the default maximum message size for handshakes which do |
| 196 | // not accept peer certificate chains. |
| 197 | static const size_t kMaxMessageLen = 16384; |
| 198 | |
| 199 | if (SSL_in_init(ssl)) { |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 200 | SSL_CONFIG *config = ssl->config.get(); // SSL_in_init() implies not NULL. |
| 201 | if ((!ssl->server || (config->verify_mode & SSL_VERIFY_PEER)) && |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 202 | kMaxMessageLen < ssl->max_cert_list) { |
| 203 | return ssl->max_cert_list; |
| 204 | } |
| 205 | return kMaxMessageLen; |
| 206 | } |
| 207 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 208 | if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 209 | // In TLS 1.2 and below, the largest acceptable post-handshake message is |
| 210 | // a HelloRequest. |
| 211 | return 0; |
| 212 | } |
| 213 | |
| 214 | if (ssl->server) { |
| 215 | // The largest acceptable post-handshake message for a server is a |
| 216 | // KeyUpdate. We will never initiate post-handshake auth. |
| 217 | return 1; |
| 218 | } |
| 219 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 220 | // Clients must accept NewSessionTicket, so allow the default size. |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 221 | return kMaxMessageLen; |
| 222 | } |
| 223 | |
| 224 | bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) { |
| 225 | // V2ClientHello messages are pre-hashed. |
| 226 | if (msg.is_v2_hello) { |
| 227 | return true; |
| 228 | } |
| 229 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 230 | return hs->transcript.Update(msg.raw); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 231 | } |
| 232 | |
| 233 | int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, |
| 234 | const SSL_EXTENSION_TYPE *ext_types, |
| 235 | size_t num_ext_types, int ignore_unknown) { |
| 236 | // Reset everything. |
| 237 | for (size_t i = 0; i < num_ext_types; i++) { |
| 238 | *ext_types[i].out_present = 0; |
| 239 | CBS_init(ext_types[i].out_data, NULL, 0); |
| 240 | } |
| 241 | |
| 242 | CBS copy = *cbs; |
| 243 | while (CBS_len(©) != 0) { |
| 244 | uint16_t type; |
| 245 | CBS data; |
| 246 | if (!CBS_get_u16(©, &type) || |
| 247 | !CBS_get_u16_length_prefixed(©, &data)) { |
| 248 | OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); |
| 249 | *out_alert = SSL_AD_DECODE_ERROR; |
| 250 | return 0; |
| 251 | } |
| 252 | |
| 253 | const SSL_EXTENSION_TYPE *ext_type = NULL; |
| 254 | for (size_t i = 0; i < num_ext_types; i++) { |
| 255 | if (type == ext_types[i].type) { |
| 256 | ext_type = &ext_types[i]; |
| 257 | break; |
| 258 | } |
| 259 | } |
| 260 | |
| 261 | if (ext_type == NULL) { |
| 262 | if (ignore_unknown) { |
| 263 | continue; |
| 264 | } |
| 265 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); |
| 266 | *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; |
| 267 | return 0; |
| 268 | } |
| 269 | |
| 270 | // Duplicate ext_types are forbidden. |
| 271 | if (*ext_type->out_present) { |
| 272 | OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION); |
| 273 | *out_alert = SSL_AD_ILLEGAL_PARAMETER; |
| 274 | return 0; |
| 275 | } |
| 276 | |
| 277 | *ext_type->out_present = 1; |
| 278 | *ext_type->out_data = data; |
| 279 | } |
| 280 | |
| 281 | return 1; |
| 282 | } |
| 283 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 284 | enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) { |
| 285 | SSL *const ssl = hs->ssl; |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 286 | const SSL_SESSION *prev_session = ssl->s3->established_session.get(); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 287 | if (prev_session != NULL) { |
| 288 | // If renegotiating, the server must not change the server certificate. See |
| 289 | // https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation, |
| 290 | // so this check is sufficient to ensure the reported peer certificate never |
| 291 | // changes on renegotiation. |
| 292 | assert(!ssl->server); |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 293 | if (sk_CRYPTO_BUFFER_num(prev_session->certs.get()) != |
| 294 | sk_CRYPTO_BUFFER_num(hs->new_session->certs.get())) { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 295 | OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 296 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 297 | return ssl_verify_invalid; |
| 298 | } |
| 299 | |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 300 | for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()); |
| 301 | i++) { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 302 | const CRYPTO_BUFFER *old_cert = |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 303 | sk_CRYPTO_BUFFER_value(prev_session->certs.get(), i); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 304 | const CRYPTO_BUFFER *new_cert = |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 305 | sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), i); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 306 | if (CRYPTO_BUFFER_len(old_cert) != CRYPTO_BUFFER_len(new_cert) || |
| 307 | OPENSSL_memcmp(CRYPTO_BUFFER_data(old_cert), |
| 308 | CRYPTO_BUFFER_data(new_cert), |
| 309 | CRYPTO_BUFFER_len(old_cert)) != 0) { |
| 310 | OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 311 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 312 | return ssl_verify_invalid; |
| 313 | } |
| 314 | } |
| 315 | |
| 316 | // The certificate is identical, so we may skip re-verifying the |
| 317 | // certificate. Since we only authenticated the previous one, copy other |
| 318 | // authentication from the established session and ignore what was newly |
| 319 | // received. |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 320 | hs->new_session->ocsp_response = UpRef(prev_session->ocsp_response); |
| 321 | hs->new_session->signed_cert_timestamp_list = |
| 322 | UpRef(prev_session->signed_cert_timestamp_list); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 323 | hs->new_session->verify_result = prev_session->verify_result; |
| 324 | return ssl_verify_ok; |
| 325 | } |
| 326 | |
| 327 | uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN; |
| 328 | enum ssl_verify_result_t ret; |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 329 | if (hs->config->custom_verify_callback != nullptr) { |
| 330 | ret = hs->config->custom_verify_callback(ssl, &alert); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 331 | switch (ret) { |
| 332 | case ssl_verify_ok: |
| 333 | hs->new_session->verify_result = X509_V_OK; |
| 334 | break; |
| 335 | case ssl_verify_invalid: |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame] | 336 | // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 337 | if (hs->config->verify_mode == SSL_VERIFY_NONE) { |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame] | 338 | ERR_clear_error(); |
| 339 | ret = ssl_verify_ok; |
| 340 | } |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 341 | hs->new_session->verify_result = X509_V_ERR_APPLICATION_VERIFICATION; |
| 342 | break; |
| 343 | case ssl_verify_retry: |
| 344 | break; |
| 345 | } |
| 346 | } else { |
| 347 | ret = ssl->ctx->x509_method->session_verify_cert_chain( |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 348 | hs->new_session.get(), hs, &alert) |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 349 | ? ssl_verify_ok |
| 350 | : ssl_verify_invalid; |
| 351 | } |
| 352 | |
| 353 | if (ret == ssl_verify_invalid) { |
| 354 | OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED); |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 355 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 356 | } |
| 357 | |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 358 | // Emulate OpenSSL's client OCSP callback. OpenSSL verifies certificates |
| 359 | // before it receives the OCSP, so it needs a second callback for OCSP. |
| 360 | if (ret == ssl_verify_ok && !ssl->server && |
| 361 | hs->config->ocsp_stapling_enabled && |
| 362 | ssl->ctx->legacy_ocsp_callback != nullptr) { |
| 363 | int cb_ret = |
| 364 | ssl->ctx->legacy_ocsp_callback(ssl, ssl->ctx->legacy_ocsp_callback_arg); |
| 365 | if (cb_ret <= 0) { |
| 366 | OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR); |
| 367 | ssl_send_alert(ssl, SSL3_AL_FATAL, |
| 368 | cb_ret == 0 ? SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE |
| 369 | : SSL_AD_INTERNAL_ERROR); |
| 370 | ret = ssl_verify_invalid; |
| 371 | } |
| 372 | } |
| 373 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 374 | return ret; |
| 375 | } |
| 376 | |
Robert Sloan | d9e572d | 2018-08-27 12:27:00 -0700 | [diff] [blame] | 377 | // Verifies a stored certificate when resuming a session. A few things are |
| 378 | // different from verify_peer_cert: |
| 379 | // 1. We can't be renegotiating if we're resuming a session. |
| 380 | // 2. The session is immutable, so we don't support verify_mode == |
| 381 | // SSL_VERIFY_NONE |
| 382 | // 3. We don't call the OCSP callback. |
| 383 | // 4. We only support custom verify callbacks. |
| 384 | enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs) { |
| 385 | SSL *const ssl = hs->ssl; |
| 386 | assert(ssl->s3->established_session == nullptr); |
| 387 | assert(hs->config->verify_mode != SSL_VERIFY_NONE); |
| 388 | |
| 389 | uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN; |
| 390 | enum ssl_verify_result_t ret = ssl_verify_invalid; |
| 391 | if (hs->config->custom_verify_callback != nullptr) { |
| 392 | ret = hs->config->custom_verify_callback(ssl, &alert); |
| 393 | } |
| 394 | |
| 395 | if (ret == ssl_verify_invalid) { |
| 396 | OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED); |
| 397 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
| 398 | } |
| 399 | |
| 400 | return ret; |
| 401 | } |
| 402 | |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame] | 403 | uint16_t ssl_get_grease_value(SSL_HANDSHAKE *hs, |
| 404 | enum ssl_grease_index_t index) { |
| 405 | // Draw entropy for all GREASE values at once. This avoids calling |
| 406 | // |RAND_bytes| repeatedly and makes the values consistent within a |
| 407 | // connection. The latter is so the second ClientHello matches after |
| 408 | // HelloRetryRequest and so supported_groups and key_shares are consistent. |
| 409 | if (!hs->grease_seeded) { |
| 410 | RAND_bytes(hs->grease_seed, sizeof(hs->grease_seed)); |
| 411 | hs->grease_seeded = true; |
| 412 | } |
| 413 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 414 | // This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16. |
Robert Sloan | 309a31e | 2018-01-29 10:22:47 -0800 | [diff] [blame] | 415 | uint16_t ret = hs->grease_seed[index]; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 416 | ret = (ret & 0xf0) | 0x0a; |
| 417 | ret |= ret << 8; |
| 418 | return ret; |
| 419 | } |
| 420 | |
| 421 | enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) { |
| 422 | SSL *const ssl = hs->ssl; |
| 423 | SSLMessage msg; |
| 424 | if (!ssl->method->get_message(ssl, &msg)) { |
| 425 | return ssl_hs_read_message; |
| 426 | } |
| 427 | |
| 428 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED)) { |
| 429 | return ssl_hs_error; |
| 430 | } |
| 431 | |
| 432 | // Snapshot the finished hash before incorporating the new message. |
| 433 | uint8_t finished[EVP_MAX_MD_SIZE]; |
| 434 | size_t finished_len; |
| 435 | if (!hs->transcript.GetFinishedMAC(finished, &finished_len, |
| 436 | SSL_get_session(ssl), !ssl->server) || |
| 437 | !ssl_hash_message(hs, msg)) { |
| 438 | return ssl_hs_error; |
| 439 | } |
| 440 | |
| 441 | int finished_ok = CBS_mem_equal(&msg.body, finished, finished_len); |
| 442 | #if defined(BORINGSSL_UNSAFE_FUZZER_MODE) |
| 443 | finished_ok = 1; |
| 444 | #endif |
| 445 | if (!finished_ok) { |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 446 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 447 | OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED); |
| 448 | return ssl_hs_error; |
| 449 | } |
| 450 | |
| 451 | // Copy the Finished so we can use it for renegotiation checks. |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 452 | if (finished_len > sizeof(ssl->s3->previous_client_finished) || |
| 453 | finished_len > sizeof(ssl->s3->previous_server_finished)) { |
| 454 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
| 455 | return ssl_hs_error; |
| 456 | } |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 457 | |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 458 | if (ssl->server) { |
| 459 | OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len); |
| 460 | ssl->s3->previous_client_finished_len = finished_len; |
| 461 | } else { |
| 462 | OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len); |
| 463 | ssl->s3->previous_server_finished_len = finished_len; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 464 | } |
| 465 | |
| 466 | ssl->method->next_message(ssl); |
| 467 | return ssl_hs_ok; |
| 468 | } |
| 469 | |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 470 | bool ssl_send_finished(SSL_HANDSHAKE *hs) { |
| 471 | SSL *const ssl = hs->ssl; |
| 472 | const SSL_SESSION *session = SSL_get_session(ssl); |
| 473 | |
| 474 | uint8_t finished[EVP_MAX_MD_SIZE]; |
| 475 | size_t finished_len; |
| 476 | if (!hs->transcript.GetFinishedMAC(finished, &finished_len, session, |
| 477 | ssl->server)) { |
| 478 | return 0; |
| 479 | } |
| 480 | |
| 481 | // Log the master secret, if logging is enabled. |
Robert Sloan | d9e572d | 2018-08-27 12:27:00 -0700 | [diff] [blame] | 482 | if (!ssl_log_secret(ssl, "CLIENT_RANDOM", session->master_key, |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 483 | session->master_key_length)) { |
| 484 | return 0; |
| 485 | } |
| 486 | |
| 487 | // Copy the Finished so we can use it for renegotiation checks. |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 488 | if (finished_len > sizeof(ssl->s3->previous_client_finished) || |
| 489 | finished_len > sizeof(ssl->s3->previous_server_finished)) { |
| 490 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
| 491 | return 0; |
| 492 | } |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 493 | |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 494 | if (ssl->server) { |
| 495 | OPENSSL_memcpy(ssl->s3->previous_server_finished, finished, finished_len); |
| 496 | ssl->s3->previous_server_finished_len = finished_len; |
| 497 | } else { |
| 498 | OPENSSL_memcpy(ssl->s3->previous_client_finished, finished, finished_len); |
| 499 | ssl->s3->previous_client_finished_len = finished_len; |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 500 | } |
| 501 | |
| 502 | ScopedCBB cbb; |
| 503 | CBB body; |
| 504 | if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) || |
| 505 | !CBB_add_bytes(&body, finished, finished_len) || |
| 506 | !ssl_add_message_cbb(ssl, cbb.get())) { |
| 507 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
| 508 | return 0; |
| 509 | } |
| 510 | |
| 511 | return 1; |
| 512 | } |
| 513 | |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 514 | bool ssl_output_cert_chain(SSL_HANDSHAKE *hs) { |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 515 | ScopedCBB cbb; |
| 516 | CBB body; |
Adam Vartanian | bfcf3a7 | 2018-08-10 14:55:24 +0100 | [diff] [blame] | 517 | if (!hs->ssl->method->init_message(hs->ssl, cbb.get(), &body, |
| 518 | SSL3_MT_CERTIFICATE) || |
| 519 | !ssl_add_cert_chain(hs, &body) || |
| 520 | !ssl_add_message_cbb(hs->ssl, cbb.get())) { |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 521 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
| 522 | return false; |
| 523 | } |
| 524 | |
| 525 | return true; |
| 526 | } |
| 527 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 528 | int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) { |
| 529 | SSL *const ssl = hs->ssl; |
| 530 | for (;;) { |
| 531 | // Resolve the operation the handshake was waiting on. |
| 532 | switch (hs->wait) { |
| 533 | case ssl_hs_error: |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 534 | ERR_restore_state(hs->error.get()); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 535 | return -1; |
| 536 | |
| 537 | case ssl_hs_flush: { |
| 538 | int ret = ssl->method->flush_flight(ssl); |
| 539 | if (ret <= 0) { |
| 540 | return ret; |
| 541 | } |
| 542 | break; |
| 543 | } |
| 544 | |
| 545 | case ssl_hs_read_server_hello: |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 546 | case ssl_hs_read_message: |
| 547 | case ssl_hs_read_change_cipher_spec: { |
Robert Sloan | 4c22c5f | 2019-03-01 15:53:37 -0800 | [diff] [blame] | 548 | if (ssl->quic_method) { |
Robert Sloan | cbf5ea6 | 2018-11-05 11:56:34 -0800 | [diff] [blame] | 549 | hs->wait = ssl_hs_ok; |
| 550 | // The change cipher spec is omitted in QUIC. |
| 551 | if (hs->wait != ssl_hs_read_change_cipher_spec) { |
| 552 | ssl->s3->rwstate = SSL_READING; |
| 553 | return -1; |
| 554 | } |
| 555 | break; |
| 556 | } |
| 557 | |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 558 | uint8_t alert = SSL_AD_DECODE_ERROR; |
| 559 | size_t consumed = 0; |
| 560 | ssl_open_record_t ret; |
| 561 | if (hs->wait == ssl_hs_read_change_cipher_spec) { |
| 562 | ret = ssl_open_change_cipher_spec(ssl, &consumed, &alert, |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 563 | ssl->s3->read_buffer.span()); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 564 | } else { |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 565 | ret = ssl_open_handshake(ssl, &consumed, &alert, |
| 566 | ssl->s3->read_buffer.span()); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 567 | } |
| 568 | if (ret == ssl_open_record_error && |
| 569 | hs->wait == ssl_hs_read_server_hello) { |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 570 | uint32_t err = ERR_peek_error(); |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 571 | if (ERR_GET_LIB(err) == ERR_LIB_SSL && |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 572 | ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) { |
| 573 | // Add a dedicated error code to the queue for a handshake_failure |
| 574 | // alert in response to ClientHello. This matches NSS's client |
| 575 | // behavior and gives a better error on a (probable) failure to |
| 576 | // negotiate initial parameters. Note: this error code comes after |
| 577 | // the original one. |
| 578 | // |
| 579 | // See https://crbug.com/446505. |
| 580 | OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO); |
| 581 | } |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 582 | } |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 583 | bool retry; |
| 584 | int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert); |
| 585 | if (bio_ret <= 0) { |
| 586 | return bio_ret; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 587 | } |
Robert Sloan | 3627296 | 2017-10-23 10:28:39 -0700 | [diff] [blame] | 588 | if (retry) { |
| 589 | continue; |
| 590 | } |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 591 | ssl->s3->read_buffer.DiscardConsumed(); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 592 | break; |
| 593 | } |
| 594 | |
| 595 | case ssl_hs_read_end_of_early_data: { |
| 596 | if (ssl->s3->hs->can_early_read) { |
| 597 | // While we are processing early data, the handshake returns early. |
| 598 | *out_early_return = true; |
| 599 | return 1; |
| 600 | } |
| 601 | hs->wait = ssl_hs_ok; |
| 602 | break; |
| 603 | } |
| 604 | |
| 605 | case ssl_hs_certificate_selection_pending: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 606 | ssl->s3->rwstate = SSL_CERTIFICATE_SELECTION_PENDING; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 607 | hs->wait = ssl_hs_ok; |
| 608 | return -1; |
| 609 | |
Robert Sloan | 8542c08 | 2018-02-05 09:07:34 -0800 | [diff] [blame] | 610 | case ssl_hs_handoff: |
| 611 | ssl->s3->rwstate = SSL_HANDOFF; |
| 612 | hs->wait = ssl_hs_ok; |
| 613 | return -1; |
| 614 | |
Robert Sloan | dc2f609 | 2018-04-10 10:22:33 -0700 | [diff] [blame] | 615 | case ssl_hs_handback: |
| 616 | ssl->s3->rwstate = SSL_HANDBACK; |
| 617 | hs->wait = ssl_hs_handback; |
| 618 | return -1; |
| 619 | |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 620 | case ssl_hs_x509_lookup: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 621 | ssl->s3->rwstate = SSL_X509_LOOKUP; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 622 | hs->wait = ssl_hs_ok; |
| 623 | return -1; |
| 624 | |
| 625 | case ssl_hs_channel_id_lookup: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 626 | ssl->s3->rwstate = SSL_CHANNEL_ID_LOOKUP; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 627 | hs->wait = ssl_hs_ok; |
| 628 | return -1; |
| 629 | |
| 630 | case ssl_hs_private_key_operation: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 631 | ssl->s3->rwstate = SSL_PRIVATE_KEY_OPERATION; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 632 | hs->wait = ssl_hs_ok; |
| 633 | return -1; |
| 634 | |
| 635 | case ssl_hs_pending_session: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 636 | ssl->s3->rwstate = SSL_PENDING_SESSION; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 637 | hs->wait = ssl_hs_ok; |
| 638 | return -1; |
| 639 | |
| 640 | case ssl_hs_pending_ticket: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 641 | ssl->s3->rwstate = SSL_PENDING_TICKET; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 642 | hs->wait = ssl_hs_ok; |
| 643 | return -1; |
| 644 | |
| 645 | case ssl_hs_certificate_verify: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 646 | ssl->s3->rwstate = SSL_CERTIFICATE_VERIFY; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 647 | hs->wait = ssl_hs_ok; |
| 648 | return -1; |
| 649 | |
| 650 | case ssl_hs_early_data_rejected: |
Robert Sloan | 29c1d2c | 2017-10-30 14:10:28 -0700 | [diff] [blame] | 651 | ssl->s3->rwstate = SSL_EARLY_DATA_REJECTED; |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 652 | // Cause |SSL_write| to start failing immediately. |
| 653 | hs->can_early_write = false; |
| 654 | return -1; |
| 655 | |
| 656 | case ssl_hs_early_return: |
| 657 | *out_early_return = true; |
| 658 | hs->wait = ssl_hs_ok; |
| 659 | return 1; |
| 660 | |
| 661 | case ssl_hs_ok: |
| 662 | break; |
| 663 | } |
| 664 | |
| 665 | // Run the state machine again. |
| 666 | hs->wait = ssl->do_handshake(hs); |
| 667 | if (hs->wait == ssl_hs_error) { |
Robert Sloan | 921ef2c | 2017-10-17 09:02:20 -0700 | [diff] [blame] | 668 | hs->error.reset(ERR_save_state()); |
Robert Sloan | a27a6a4 | 2017-09-05 08:39:28 -0700 | [diff] [blame] | 669 | return -1; |
| 670 | } |
| 671 | if (hs->wait == ssl_hs_ok) { |
| 672 | // The handshake has completed. |
| 673 | *out_early_return = false; |
| 674 | return 1; |
| 675 | } |
| 676 | |
| 677 | // Otherwise, loop to the beginning and resolve what was blocking the |
| 678 | // handshake. |
| 679 | } |
| 680 | } |
| 681 | |
Robert Sloan | 726e9d1 | 2018-09-11 11:45:04 -0700 | [diff] [blame] | 682 | BSSL_NAMESPACE_END |