1 /*
2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved.
4 *
5 * Licensed under the OpenSSL license (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or at
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include <openssl/ssl.h>
12
13 #include <assert.h>
14
15 #include <utility>
16
17 #include <openssl/rand.h>
18
19 #include "../crypto/internal.h"
20 #include "internal.h"
21
22
23 BSSL_NAMESPACE_BEGIN
24
SSL_HANDSHAKE(SSL * ssl_arg)25 SSL_HANDSHAKE::SSL_HANDSHAKE(SSL *ssl_arg)
26 : ssl(ssl_arg),
27 transcript(SSL_is_dtls(ssl_arg)),
28 inner_transcript(SSL_is_dtls(ssl_arg)),
29 ech_is_inner(false),
30 ech_authenticated_reject(false),
31 scts_requested(false),
32 handshake_finalized(false),
33 accept_psk_mode(false),
34 cert_request(false),
35 certificate_status_expected(false),
36 ocsp_stapling_requested(false),
37 should_ack_sni(false),
38 in_false_start(false),
39 in_early_data(false),
40 early_data_offered(false),
41 can_early_read(false),
42 can_early_write(false),
43 is_early_version(false),
44 next_proto_neg_seen(false),
45 ticket_expected(false),
46 extended_master_secret(false),
47 pending_private_key_op(false),
48 handback(false),
49 hints_requested(false),
50 cert_compression_negotiated(false),
51 apply_jdk11_workaround(false),
52 can_release_private_key(false),
53 channel_id_negotiated(false),
54 received_hello_verify_request(false) {
55 assert(ssl);
56
57 // Draw entropy for all GREASE values at once. This avoids calling
58 // |RAND_bytes| repeatedly and makes the values consistent within a
59 // connection. The latter is so the second ClientHello matches after
60 // HelloRetryRequest and so supported_groups and key_shares are consistent.
61 RAND_bytes(grease_seed, sizeof(grease_seed));
62 }
63
~SSL_HANDSHAKE()64 SSL_HANDSHAKE::~SSL_HANDSHAKE() {
65 ssl->ctx->x509_method->hs_flush_cached_ca_names(this);
66 }
67
GetClientHello(SSLMessage * out_msg,SSL_CLIENT_HELLO * out_client_hello)68 bool SSL_HANDSHAKE::GetClientHello(SSLMessage *out_msg,
69 SSL_CLIENT_HELLO *out_client_hello) {
70 if (!ech_client_hello_buf.empty()) {
71 // If the backing buffer is non-empty, the ClientHelloInner has been set.
72 out_msg->is_v2_hello = false;
73 out_msg->type = SSL3_MT_CLIENT_HELLO;
74 out_msg->raw = CBS(ech_client_hello_buf);
75 size_t header_len =
76 SSL_is_dtls(ssl) ? DTLS1_HM_HEADER_LENGTH : SSL3_HM_HEADER_LENGTH;
77 out_msg->body = CBS(Span(ech_client_hello_buf).subspan(header_len));
78 } else if (!ssl->method->get_message(ssl, out_msg)) {
79 // The message has already been read, so this cannot fail.
80 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
81 return false;
82 }
83
84 if (!ssl_client_hello_init(ssl, out_client_hello, out_msg->body)) {
85 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
86 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
87 return false;
88 }
89 return true;
90 }
91
ssl_handshake_new(SSL * ssl)92 UniquePtr<SSL_HANDSHAKE> ssl_handshake_new(SSL *ssl) {
93 UniquePtr<SSL_HANDSHAKE> hs = MakeUnique<SSL_HANDSHAKE>(ssl);
94 if (!hs || !hs->transcript.Init()) {
95 return nullptr;
96 }
97 hs->config = ssl->config.get();
98 if (!hs->config) {
99 assert(hs->config);
100 return nullptr;
101 }
102 return hs;
103 }
104
ssl_check_message_type(SSL * ssl,const SSLMessage & msg,int type)105 bool ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type) {
106 if (msg.type != type) {
107 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
108 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
109 ERR_add_error_dataf("got type %d, wanted type %d", msg.type, type);
110 return false;
111 }
112
113 return true;
114 }
115
ssl_add_message_cbb(SSL * ssl,CBB * cbb)116 bool ssl_add_message_cbb(SSL *ssl, CBB *cbb) {
117 Array<uint8_t> msg;
118 if (!ssl->method->finish_message(ssl, cbb, &msg) ||
119 !ssl->method->add_message(ssl, std::move(msg))) {
120 return false;
121 }
122
123 return true;
124 }
125
ssl_max_handshake_message_len(const SSL * ssl)126 size_t ssl_max_handshake_message_len(const SSL *ssl) {
127 // kMaxMessageLen is the default maximum message size for handshakes which do
128 // not accept peer certificate chains.
129 static const size_t kMaxMessageLen = 16384;
130
131 if (SSL_in_init(ssl)) {
132 SSL_CONFIG *config = ssl->config.get(); // SSL_in_init() implies not NULL.
133 if ((!ssl->server || (config->verify_mode & SSL_VERIFY_PEER)) &&
134 kMaxMessageLen < ssl->max_cert_list) {
135 return ssl->max_cert_list;
136 }
137 return kMaxMessageLen;
138 }
139
140 if (ssl_protocol_version(ssl) < TLS1_3_VERSION) {
141 // In TLS 1.2 and below, the largest acceptable post-handshake message is
142 // a HelloRequest.
143 return 0;
144 }
145
146 if (ssl->server) {
147 // The largest acceptable post-handshake message for a server is a
148 // KeyUpdate. We will never initiate post-handshake auth.
149 return 1;
150 }
151
152 // Clients must accept NewSessionTicket, so allow the default size.
153 return kMaxMessageLen;
154 }
155
ssl_hash_message(SSL_HANDSHAKE * hs,const SSLMessage & msg)156 bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
157 // V2ClientHello messages are pre-hashed.
158 if (msg.is_v2_hello) {
159 return true;
160 }
161
162 return hs->transcript.Update(msg.raw);
163 }
164
ssl_parse_extensions(const CBS * cbs,uint8_t * out_alert,std::initializer_list<SSLExtension * > extensions,bool ignore_unknown)165 bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
166 std::initializer_list<SSLExtension *> extensions,
167 bool ignore_unknown) {
168 // Reset everything.
169 for (SSLExtension *ext : extensions) {
170 ext->present = false;
171 CBS_init(&ext->data, nullptr, 0);
172 if (!ext->allowed) {
173 assert(!ignore_unknown);
174 }
175 }
176
177 CBS copy = *cbs;
178 while (CBS_len(©) != 0) {
179 uint16_t type;
180 CBS data;
181 if (!CBS_get_u16(©, &type) ||
182 !CBS_get_u16_length_prefixed(©, &data)) {
183 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
184 *out_alert = SSL_AD_DECODE_ERROR;
185 return false;
186 }
187
188 SSLExtension *found = nullptr;
189 for (SSLExtension *ext : extensions) {
190 if (type == ext->type && ext->allowed) {
191 found = ext;
192 break;
193 }
194 }
195
196 if (found == nullptr) {
197 if (ignore_unknown) {
198 continue;
199 }
200 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
201 ERR_add_error_dataf("extension %u", unsigned{type});
202 *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
203 return false;
204 }
205
206 // Duplicate ext_types are forbidden.
207 if (found->present) {
208 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
209 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
210 return false;
211 }
212
213 found->present = true;
214 found->data = data;
215 }
216
217 return true;
218 }
219
ssl_verify_peer_cert(SSL_HANDSHAKE * hs)220 enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {
221 SSL *const ssl = hs->ssl;
222 const SSL_SESSION *prev_session = ssl->s3->established_session.get();
223 if (prev_session != NULL) {
224 // If renegotiating, the server must not change the server certificate. See
225 // https://mitls.org/pages/attacks/3SHAKE. We never resume on renegotiation,
226 // so this check is sufficient to ensure the reported peer certificate never
227 // changes on renegotiation.
228 assert(!ssl->server);
229 if (sk_CRYPTO_BUFFER_num(prev_session->certs.get()) !=
230 sk_CRYPTO_BUFFER_num(hs->new_session->certs.get())) {
231 OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
232 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
233 return ssl_verify_invalid;
234 }
235
236 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(hs->new_session->certs.get());
237 i++) {
238 const CRYPTO_BUFFER *old_cert =
239 sk_CRYPTO_BUFFER_value(prev_session->certs.get(), i);
240 const CRYPTO_BUFFER *new_cert =
241 sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), i);
242 if (Span(CRYPTO_BUFFER_data(old_cert), CRYPTO_BUFFER_len(old_cert)) !=
243 Span(CRYPTO_BUFFER_data(new_cert), CRYPTO_BUFFER_len(new_cert))) {
244 OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_CERT_CHANGED);
245 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
246 return ssl_verify_invalid;
247 }
248 }
249
250 // The certificate is identical, so we may skip re-verifying the
251 // certificate. Since we only authenticated the previous one, copy other
252 // authentication from the established session and ignore what was newly
253 // received.
254 hs->new_session->ocsp_response = UpRef(prev_session->ocsp_response);
255 hs->new_session->signed_cert_timestamp_list =
256 UpRef(prev_session->signed_cert_timestamp_list);
257 hs->new_session->verify_result = prev_session->verify_result;
258 return ssl_verify_ok;
259 }
260
261 uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
262 enum ssl_verify_result_t ret;
263 if (hs->config->custom_verify_callback != nullptr) {
264 ret = hs->config->custom_verify_callback(ssl, &alert);
265 switch (ret) {
266 case ssl_verify_ok:
267 hs->new_session->verify_result = X509_V_OK;
268 break;
269 case ssl_verify_invalid:
270 // If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result.
271 if (hs->config->verify_mode == SSL_VERIFY_NONE) {
272 ERR_clear_error();
273 ret = ssl_verify_ok;
274 }
275 hs->new_session->verify_result = X509_V_ERR_APPLICATION_VERIFICATION;
276 break;
277 case ssl_verify_retry:
278 break;
279 }
280 } else {
281 ret = ssl->ctx->x509_method->session_verify_cert_chain(
282 hs->new_session.get(), hs, &alert)
283 ? ssl_verify_ok
284 : ssl_verify_invalid;
285 }
286
287 if (ret == ssl_verify_invalid) {
288 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
289 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
290 }
291
292 // Emulate OpenSSL's client OCSP callback. OpenSSL verifies certificates
293 // before it receives the OCSP, so it needs a second callback for OCSP.
294 if (ret == ssl_verify_ok && !ssl->server &&
295 hs->config->ocsp_stapling_enabled &&
296 ssl->ctx->legacy_ocsp_callback != nullptr) {
297 int cb_ret =
298 ssl->ctx->legacy_ocsp_callback(ssl, ssl->ctx->legacy_ocsp_callback_arg);
299 if (cb_ret <= 0) {
300 OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR);
301 ssl_send_alert(ssl, SSL3_AL_FATAL,
302 cb_ret == 0 ? SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE
303 : SSL_AD_INTERNAL_ERROR);
304 ret = ssl_verify_invalid;
305 }
306 }
307
308 return ret;
309 }
310
311 // Verifies a stored certificate when resuming a session. A few things are
312 // different from verify_peer_cert:
313 // 1. We can't be renegotiating if we're resuming a session.
314 // 2. The session is immutable, so we don't support verify_mode ==
315 // SSL_VERIFY_NONE
316 // 3. We don't call the OCSP callback.
317 // 4. We only support custom verify callbacks.
ssl_reverify_peer_cert(SSL_HANDSHAKE * hs,bool send_alert)318 enum ssl_verify_result_t ssl_reverify_peer_cert(SSL_HANDSHAKE *hs,
319 bool send_alert) {
320 SSL *const ssl = hs->ssl;
321 assert(ssl->s3->established_session == nullptr);
322 assert(hs->config->verify_mode != SSL_VERIFY_NONE);
323
324 uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
325 enum ssl_verify_result_t ret = ssl_verify_invalid;
326 if (hs->config->custom_verify_callback != nullptr) {
327 ret = hs->config->custom_verify_callback(ssl, &alert);
328 }
329
330 if (ret == ssl_verify_invalid) {
331 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
332 if (send_alert) {
333 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
334 }
335 }
336
337 return ret;
338 }
339
grease_index_to_value(const SSL_HANDSHAKE * hs,enum ssl_grease_index_t index)340 static uint16_t grease_index_to_value(const SSL_HANDSHAKE *hs,
341 enum ssl_grease_index_t index) {
342 // This generates a random value of the form 0xωaωa, for all 0 ≤ ω < 16.
343 uint16_t ret = hs->grease_seed[index];
344 ret = (ret & 0xf0) | 0x0a;
345 ret |= ret << 8;
346 return ret;
347 }
348
ssl_get_grease_value(const SSL_HANDSHAKE * hs,enum ssl_grease_index_t index)349 uint16_t ssl_get_grease_value(const SSL_HANDSHAKE *hs,
350 enum ssl_grease_index_t index) {
351 uint16_t ret = grease_index_to_value(hs, index);
352 if (index == ssl_grease_extension2 &&
353 ret == grease_index_to_value(hs, ssl_grease_extension1)) {
354 // The two fake extensions must not have the same value. GREASE values are
355 // of the form 0x1a1a, 0x2a2a, 0x3a3a, etc., so XOR to generate a different
356 // one.
357 ret ^= 0x1010;
358 }
359 return ret;
360 }
361
ssl_get_finished(SSL_HANDSHAKE * hs)362 enum ssl_hs_wait_t ssl_get_finished(SSL_HANDSHAKE *hs) {
363 SSL *const ssl = hs->ssl;
364 SSLMessage msg;
365 if (!ssl->method->get_message(ssl, &msg)) {
366 return ssl_hs_read_message;
367 }
368
369 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED)) {
370 return ssl_hs_error;
371 }
372
373 // Snapshot the finished hash before incorporating the new message.
374 uint8_t finished[EVP_MAX_MD_SIZE];
375 size_t finished_len;
376 if (!hs->transcript.GetFinishedMAC(finished, &finished_len,
377 ssl_handshake_session(hs), !ssl->server) ||
378 !ssl_hash_message(hs, msg)) {
379 return ssl_hs_error;
380 }
381
382 int finished_ok = CBS_mem_equal(&msg.body, finished, finished_len);
383 #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
384 finished_ok = 1;
385 #endif
386 if (!finished_ok) {
387 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
388 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
389 return ssl_hs_error;
390 }
391
392 // Copy the Finished so we can use it for renegotiation checks.
393 if (finished_len > ssl->s3->previous_client_finished.capacity() ||
394 finished_len > ssl->s3->previous_server_finished.capacity()) {
395 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
396 return ssl_hs_error;
397 }
398
399 if (ssl->server) {
400 ssl->s3->previous_client_finished.CopyFrom(Span(finished, finished_len));
401 } else {
402 ssl->s3->previous_server_finished.CopyFrom(Span(finished, finished_len));
403 }
404
405 // The Finished message should be the end of a flight.
406 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
407 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
408 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
409 return ssl_hs_error;
410 }
411
412 ssl->method->next_message(ssl);
413 return ssl_hs_ok;
414 }
415
ssl_send_finished(SSL_HANDSHAKE * hs)416 bool ssl_send_finished(SSL_HANDSHAKE *hs) {
417 SSL *const ssl = hs->ssl;
418 const SSL_SESSION *session = ssl_handshake_session(hs);
419
420 uint8_t finished_buf[EVP_MAX_MD_SIZE];
421 size_t finished_len;
422 if (!hs->transcript.GetFinishedMAC(finished_buf, &finished_len, session,
423 ssl->server)) {
424 return false;
425 }
426 auto finished = Span(finished_buf, finished_len);
427
428 // Log the master secret, if logging is enabled.
429 if (!ssl_log_secret(ssl, "CLIENT_RANDOM", session->secret)) {
430 return false;
431 }
432
433 // Copy the Finished so we can use it for renegotiation checks.
434 bool ok = ssl->server
435 ? ssl->s3->previous_server_finished.TryCopyFrom(finished)
436 : ssl->s3->previous_client_finished.TryCopyFrom(finished);
437 if (!ok) {
438 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
439 return ssl_hs_error;
440 }
441
442 ScopedCBB cbb;
443 CBB body;
444 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||
445 !CBB_add_bytes(&body, finished.data(), finished.size()) ||
446 !ssl_add_message_cbb(ssl, cbb.get())) {
447 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
448 return false;
449 }
450
451 return true;
452 }
453
ssl_send_tls12_certificate(SSL_HANDSHAKE * hs)454 bool ssl_send_tls12_certificate(SSL_HANDSHAKE *hs) {
455 ScopedCBB cbb;
456 CBB body, certs, cert;
457 if (!hs->ssl->method->init_message(hs->ssl, cbb.get(), &body,
458 SSL3_MT_CERTIFICATE) ||
459 !CBB_add_u24_length_prefixed(&body, &certs)) {
460 return false;
461 }
462
463 if (hs->credential != nullptr) {
464 assert(hs->credential->type == SSLCredentialType::kX509);
465 STACK_OF(CRYPTO_BUFFER) *chain = hs->credential->chain.get();
466 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) {
467 CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i);
468 if (!CBB_add_u24_length_prefixed(&certs, &cert) ||
469 !CBB_add_bytes(&cert, CRYPTO_BUFFER_data(buffer),
470 CRYPTO_BUFFER_len(buffer))) {
471 return false;
472 }
473 }
474 }
475
476 return ssl_add_message_cbb(hs->ssl, cbb.get());
477 }
478
ssl_handshake_session(const SSL_HANDSHAKE * hs)479 const SSL_SESSION *ssl_handshake_session(const SSL_HANDSHAKE *hs) {
480 if (hs->new_session) {
481 return hs->new_session.get();
482 }
483 return hs->ssl->session.get();
484 }
485
ssl_run_handshake(SSL_HANDSHAKE * hs,bool * out_early_return)486 int ssl_run_handshake(SSL_HANDSHAKE *hs, bool *out_early_return) {
487 SSL *const ssl = hs->ssl;
488 for (;;) {
489 // If a timeout during the handshake triggered a DTLS ACK or retransmit, we
490 // resolve that first. E.g., if |ssl_hs_private_key_operation| is slow, the
491 // ACK timer may fire.
492 if (hs->wait != ssl_hs_error && SSL_is_dtls(ssl)) {
493 int ret = ssl->method->flush(ssl);
494 if (ret <= 0) {
495 return ret;
496 }
497 }
498
499 // Resolve the operation the handshake was waiting on. Each condition may
500 // halt the handshake by returning, or continue executing if the handshake
501 // may immediately proceed. Cases which halt the handshake can clear
502 // |hs->wait| to re-enter the state machine on the next iteration, or leave
503 // it set to keep the condition sticky.
504 switch (hs->wait) {
505 case ssl_hs_error:
506 ERR_restore_state(hs->error.get());
507 return -1;
508
509 case ssl_hs_flush: {
510 int ret = ssl->method->flush(ssl);
511 if (ret <= 0) {
512 return ret;
513 }
514 break;
515 }
516
517 case ssl_hs_read_server_hello:
518 case ssl_hs_read_message:
519 case ssl_hs_read_change_cipher_spec: {
520 if (SSL_is_quic(ssl)) {
521 // QUIC has no ChangeCipherSpec messages.
522 assert(hs->wait != ssl_hs_read_change_cipher_spec);
523 // The caller should call |SSL_provide_quic_data|. Clear |hs->wait| so
524 // the handshake can check if there is sufficient data next iteration.
525 ssl->s3->rwstate = SSL_ERROR_WANT_READ;
526 hs->wait = ssl_hs_ok;
527 return -1;
528 }
529
530 uint8_t alert = SSL_AD_DECODE_ERROR;
531 size_t consumed = 0;
532 ssl_open_record_t ret;
533 if (hs->wait == ssl_hs_read_change_cipher_spec) {
534 ret = ssl_open_change_cipher_spec(ssl, &consumed, &alert,
535 ssl->s3->read_buffer.span());
536 } else {
537 ret = ssl_open_handshake(ssl, &consumed, &alert,
538 ssl->s3->read_buffer.span());
539 }
540 if (ret == ssl_open_record_error &&
541 hs->wait == ssl_hs_read_server_hello) {
542 uint32_t err = ERR_peek_error();
543 if (ERR_GET_LIB(err) == ERR_LIB_SSL &&
544 ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE) {
545 // Add a dedicated error code to the queue for a handshake_failure
546 // alert in response to ClientHello. This matches NSS's client
547 // behavior and gives a better error on a (probable) failure to
548 // negotiate initial parameters. Note: this error code comes after
549 // the original one.
550 //
551 // See https://crbug.com/446505.
552 OPENSSL_PUT_ERROR(SSL, SSL_R_HANDSHAKE_FAILURE_ON_CLIENT_HELLO);
553 }
554 }
555 bool retry;
556 int bio_ret = ssl_handle_open_record(ssl, &retry, ret, consumed, alert);
557 if (bio_ret <= 0) {
558 return bio_ret;
559 }
560 if (retry) {
561 continue;
562 }
563 ssl->s3->read_buffer.DiscardConsumed();
564 break;
565 }
566
567 case ssl_hs_read_end_of_early_data: {
568 if (ssl->s3->hs->can_early_read) {
569 // While we are processing early data, the handshake returns early.
570 *out_early_return = true;
571 return 1;
572 }
573 hs->wait = ssl_hs_ok;
574 break;
575 }
576
577 case ssl_hs_certificate_selection_pending:
578 ssl->s3->rwstate = SSL_ERROR_PENDING_CERTIFICATE;
579 hs->wait = ssl_hs_ok;
580 return -1;
581
582 case ssl_hs_handoff:
583 ssl->s3->rwstate = SSL_ERROR_HANDOFF;
584 hs->wait = ssl_hs_ok;
585 return -1;
586
587 case ssl_hs_handback: {
588 int ret = ssl->method->flush(ssl);
589 if (ret <= 0) {
590 return ret;
591 }
592 ssl->s3->rwstate = SSL_ERROR_HANDBACK;
593 hs->wait = ssl_hs_handback;
594 return -1;
595 }
596
597 // The following cases are associated with callback APIs which expect to
598 // be called each time the state machine runs. Thus they set |hs->wait|
599 // to |ssl_hs_ok| so that, next time, we re-enter the state machine and
600 // call the callback again.
601 case ssl_hs_x509_lookup:
602 ssl->s3->rwstate = SSL_ERROR_WANT_X509_LOOKUP;
603 hs->wait = ssl_hs_ok;
604 return -1;
605 case ssl_hs_private_key_operation:
606 ssl->s3->rwstate = SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
607 hs->wait = ssl_hs_ok;
608 return -1;
609 case ssl_hs_pending_session:
610 ssl->s3->rwstate = SSL_ERROR_PENDING_SESSION;
611 hs->wait = ssl_hs_ok;
612 return -1;
613 case ssl_hs_pending_ticket:
614 ssl->s3->rwstate = SSL_ERROR_PENDING_TICKET;
615 hs->wait = ssl_hs_ok;
616 return -1;
617 case ssl_hs_certificate_verify:
618 ssl->s3->rwstate = SSL_ERROR_WANT_CERTIFICATE_VERIFY;
619 hs->wait = ssl_hs_ok;
620 return -1;
621
622 case ssl_hs_early_data_rejected:
623 assert(ssl->s3->early_data_reason != ssl_early_data_unknown);
624 assert(!hs->can_early_write);
625 ssl->s3->rwstate = SSL_ERROR_EARLY_DATA_REJECTED;
626 return -1;
627
628 case ssl_hs_early_return:
629 if (!ssl->server) {
630 // On ECH reject, the handshake should never complete.
631 assert(ssl->s3->ech_status != ssl_ech_rejected);
632 }
633 *out_early_return = true;
634 hs->wait = ssl_hs_ok;
635 return 1;
636
637 case ssl_hs_hints_ready:
638 ssl->s3->rwstate = SSL_ERROR_HANDSHAKE_HINTS_READY;
639 return -1;
640
641 case ssl_hs_ok:
642 break;
643 }
644
645 // Run the state machine again.
646 hs->wait = ssl->do_handshake(hs);
647 if (hs->wait == ssl_hs_error) {
648 hs->error.reset(ERR_save_state());
649 return -1;
650 }
651 if (hs->wait == ssl_hs_ok) {
652 if (!ssl->server) {
653 // On ECH reject, the handshake should never complete.
654 assert(ssl->s3->ech_status != ssl_ech_rejected);
655 }
656 // The handshake has completed.
657 *out_early_return = false;
658 return 1;
659 }
660 // If the handshake returns |ssl_hs_flush|, implicitly finish the flight.
661 // This is a convenience so we do not need to manually insert this
662 // throughout the handshake.
663 if (hs->wait == ssl_hs_flush) {
664 ssl->method->finish_flight(ssl);
665 }
666
667 // Loop to the beginning and resolve what was blocking the handshake.
668 }
669 }
670
671 BSSL_NAMESPACE_END
672