/* do_process_client_certificate consumes the client's TLS 1.3 Certificate
 * message on the server side.
 *
 * Returns ssl_hs_ok when no certificate was requested (the state is simply
 * advanced), ssl_hs_read_message once the message has been processed and
 * hashed into the transcript, or ssl_hs_error if any step fails. */
static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,
                                                        SSL_HANDSHAKE *hs) {
  /* No CertificateRequest was sent, so there is no message to read; move
   * straight to the next state. */
  if (!ssl->s3->tmp.cert_request) {
    hs->state = state_process_client_certificate_verify;
    return ssl_hs_ok;
  }

  /* A client that sends no certificate is tolerated unless the application
   * asked for SSL_VERIFY_FAIL_IF_NO_PEER_CERT. The decision is passed down to
   * tls13_process_certificate. */
  const int anonymous_ok =
      !(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT);

  /* Each step is checked in order: message type first, then the certificate
   * contents, then the transcript hash. */
  if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE)) {
    return ssl_hs_error;
  }
  if (!tls13_process_certificate(ssl, anonymous_ok)) {
    return ssl_hs_error;
  }
  if (!ssl->method->hash_current_message(ssl)) {
    return ssl_hs_error;
  }

  /* Historically the server stores the peer chain without its leaf while the
   * client stores it with the leaf, so drop the first element here. */
  if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) {
    X509 *leaf = sk_X509_shift(ssl->s3->new_session->cert_chain);
    X509_free(leaf);
  }

  hs->state = state_process_client_certificate_verify;
  return ssl_hs_read_message;
}
/* do_process_server_certificate consumes the server's TLS 1.3 Certificate
 * message on the client side.
 *
 * Returns ssl_hs_read_message once the message has been checked, processed
 * and hashed into the transcript, or ssl_hs_error if any of those steps
 * fails. */
static enum ssl_hs_wait_t do_process_server_certificate(SSL *ssl,
                                                        SSL_HANDSHAKE *hs) {
  /* Verify the message type before touching its contents. */
  if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE)) {
    return ssl_hs_error;
  }
  /* Parse and verify the certificate chain. */
  if (!tls13_process_certificate(ssl)) {
    return ssl_hs_error;
  }
  /* Fold the message into the handshake transcript. */
  if (!ssl->method->hash_current_message(ssl)) {
    return ssl_hs_error;
  }

  hs->state = state_process_server_certificate_verify;
  return ssl_hs_read_message;
}
/* do_process_server_certificate consumes the server's TLS 1.3 Certificate
 * message on the client side. A certificate is mandatory here: the server is
 * never allowed to send an empty Certificate message.
 *
 * Returns ssl_hs_read_message once the message has been processed, hashed
 * and the leaf certificate has been checked against the cipher suite, or
 * ssl_hs_error otherwise (a fatal illegal_parameter alert is sent when the
 * leaf check fails). */
static enum ssl_hs_wait_t do_process_server_certificate(SSL *ssl,
                                                        SSL_HANDSHAKE *hs) {
  /* 0: an empty Certificate message is not acceptable from the server. */
  const int anonymous_ok = 0;

  if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE)) {
    return ssl_hs_error;
  }
  if (!tls13_process_certificate(ssl, anonymous_ok)) {
    return ssl_hs_error;
  }
  if (!ssl->method->hash_current_message(ssl)) {
    return ssl_hs_error;
  }

  /* The leaf must be compatible with the negotiated cipher suite.
   *
   * TODO(davidben): drop this once the new TLS 1.3 cipher suite negotiation
   * is in place. */
  X509 *leaf = ssl->s3->new_session->peer;
  if (!ssl_check_leaf_certificate(ssl, leaf)) {
    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
    return ssl_hs_error;
  }

  hs->state = state_process_server_certificate_verify;
  return ssl_hs_read_message;
}
/* do_process_client_certificate consumes the client's TLS 1.3 Certificate
 * message on the server side.
 *
 * Returns ssl_hs_ok when no certificate was requested (verify_result is set
 * to X509_V_OK and the state jumps to Channel ID processing),
 * ssl_hs_read_message once the message has been processed and hashed into
 * the transcript, or ssl_hs_error if any step fails. */
static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;

  if (!hs->cert_request) {
    /* Mirror OpenSSL, which reports X509_V_OK when no certificate was
     * requested. OpenSSL considers this a bug, but at least NGINX relies on
     * it, so it is kept for compatibility. */
    ssl->s3->new_session->verify_result = X509_V_OK;
    /* No message to read; advance past this state. */
    hs->tls13_state = state_process_channel_id;
    return ssl_hs_ok;
  }

  /* A client that sends no certificate is tolerated unless the application
   * set SSL_VERIFY_FAIL_IF_NO_PEER_CERT; the flag is handed to
   * tls13_process_certificate. */
  const int anonymous_ok =
      !(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT);

  /* Message type, then certificate contents, then the transcript hash. */
  if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE)) {
    return ssl_hs_error;
  }
  if (!tls13_process_certificate(hs, anonymous_ok)) {
    return ssl_hs_error;
  }
  if (!ssl_hash_current_message(ssl)) {
    return ssl_hs_error;
  }

  hs->tls13_state = state_process_client_certificate_verify;
  return ssl_hs_read_message;
}