Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 5440fe0cd10aab3c106eadf9873bb6d61344e29f / . / ssl / tls13_client.c
blob: ead5b82eefa507515ef71ed9710bba7873feca5f [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/digest.h>
22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/stack.h>
25#include <openssl/x509.h>
26
27#include "internal.h"
28
29
30enum client_hs_state_t {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]31 state_process_hello_retry_request = 0,
32 state_send_second_client_hello,
33 state_flush_second_client_hello,
34 state_process_server_hello,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]35 state_process_encrypted_extensions,
36 state_process_certificate_request,
37 state_process_server_certificate,
38 state_process_server_certificate_verify,
39 state_process_server_finished,
40 state_certificate_callback,
41 state_send_client_certificate,
42 state_send_client_certificate_verify,
43 state_complete_client_certificate_verify,
44 state_send_client_finished,
45 state_flush,
46 state_done,
47};
48
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]49static enum ssl_hs_wait_t do_process_hello_retry_request(SSL *ssl,
50 SSL_HANDSHAKE *hs) {
51 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {
52 hs->state = state_process_server_hello;
53 return ssl_hs_ok;
54 }
55
56 CBS cbs, extensions;
57 uint16_t server_wire_version, cipher_suite, group_id;
58 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
59 if (!CBS_get_u16(&cbs, &server_wire_version) ||
60 !CBS_get_u16(&cbs, &cipher_suite) ||
61 !CBS_get_u16(&cbs, &group_id) ||
62 /* We do not currently parse any HelloRetryRequest extensions. */
63 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
64 CBS_len(&cbs) != 0) {
65 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
66 return ssl_hs_error;
67 }
68
69 /* TODO(svaldez): Don't do early_data on HelloRetryRequest. */
70
71 const uint16_t *groups;
72 size_t groups_len;
73 tls1_get_grouplist(ssl, 0 /* local groups */, &groups, &groups_len);
74 int found = 0;
75 for (size_t i = 0; i < groups_len; i++) {
76 if (groups[i] == group_id) {
77 found = 1;
78 break;
79 }
80 }
81
82 if (!found) {
83 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
84 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
85 return ssl_hs_error;
86 }
87
88 for (size_t i = 0; i < ssl->s3->hs->groups_len; i++) {
89 /* Check that the HelloRetryRequest does not request a key share that was
90 * provided in the initial ClientHello.
91 *
92 * TODO(svaldez): Don't enforce this check when the HelloRetryRequest is due
93 * to a cookie. */
94 if (SSL_ECDH_CTX_get_id(&ssl->s3->hs->groups[i]) == group_id) {
95 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
96 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
97 return ssl_hs_error;
98 }
99 }
100
101 ssl_handshake_clear_groups(ssl->s3->hs);
102 ssl->s3->hs->retry_group = group_id;
103
104 hs->state = state_send_second_client_hello;
105 return ssl_hs_ok;
106}
107
108static enum ssl_hs_wait_t do_send_second_client_hello(SSL *ssl,
109 SSL_HANDSHAKE *hs) {
110 CBB cbb, body;
111 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CLIENT_HELLO) ||
112 !ssl_add_client_hello_body(ssl, &body) ||
113 !ssl->method->finish_message(ssl, &cbb)) {
114 CBB_cleanup(&cbb);
115 return ssl_hs_error;
116 }
117
118 hs->state = state_flush_second_client_hello;
119 return ssl_hs_write_message;
120}
121
122static enum ssl_hs_wait_t do_flush_second_client_hello(SSL *ssl,
123 SSL_HANDSHAKE *hs) {
124 hs->state = state_process_server_hello;
125 return ssl_hs_flush_and_read_message;
126}
127
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]128static enum ssl_hs_wait_t do_process_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
129 if (!tls13_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {
130 return ssl_hs_error;
131 }
132
133 CBS cbs, server_random, extensions;
134 uint16_t server_wire_version;
135 uint16_t cipher_suite;
136 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
137 if (!CBS_get_u16(&cbs, &server_wire_version) ||
138 !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||
139 !CBS_get_u16(&cbs, &cipher_suite) ||
140 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
141 CBS_len(&cbs) != 0) {
142 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]143 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
144 return ssl_hs_error;
145 }
146
147 if (server_wire_version != ssl->version) {
148 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
149 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]150 return ssl_hs_error;
151 }
152
153 /* Parse out the extensions. */
154 int have_key_share = 0;
155 CBS key_share;
156 while (CBS_len(&extensions) != 0) {
157 uint16_t type;
158 CBS extension;
159 if (!CBS_get_u16(&extensions, &type) ||
160 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
161 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
162 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
163 return ssl_hs_error;
164 }
165
166 switch (type) {
167 case TLSEXT_TYPE_key_share:
168 if (have_key_share) {
169 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
170 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
171 return ssl_hs_error;
172 }
173 key_share = extension;
174 have_key_share = 1;
175 break;
176 default:
177 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
178 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
179 return ssl_hs_error;
180 }
181 }
182
183 assert(ssl->s3->have_version);
184 memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
185
186 ssl->hit = 0;
187 if (!ssl_get_new_session(ssl, 0)) {
188 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
189 return ssl_hs_error;
190 }
191
192 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
193 if (cipher == NULL) {
194 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
195 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
196 return ssl_hs_error;
197 }
198
199 /* Check if the cipher is disabled. */
200 if ((cipher->algorithm_mkey & ssl->cert->mask_k) ||
201 (cipher->algorithm_auth & ssl->cert->mask_a) ||
202 SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
203 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl) ||
204 !sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(ssl), NULL, cipher)) {
205 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
206 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
207 return ssl_hs_error;
208 }
209
210 ssl->session->cipher = cipher;
211 ssl->s3->tmp.new_cipher = cipher;
212
213 /* The PRF hash is now known. Set up the key schedule. */
214 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
215 size_t hash_len =
216 EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
217 if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) {
218 return ssl_hs_error;
219 }
220
221 /* Resolve PSK and incorporate it into the secret. */
222 if (cipher->algorithm_auth == SSL_aPSK) {
223 /* TODO(davidben): Support PSK. */
224 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
225 return ssl_hs_error;
226 } else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
227 return ssl_hs_error;
228 }
229
230 /* Resolve ECDHE and incorporate it into the secret. */
231 if (cipher->algorithm_mkey == SSL_kECDHE) {
232 if (!have_key_share) {
233 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
234 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
235 return ssl_hs_error;
236 }
237
238 uint8_t *dhe_secret;
239 size_t dhe_secret_len;
240 uint8_t alert = SSL_AD_DECODE_ERROR;
241 if (!ext_key_share_parse_serverhello(ssl, &dhe_secret, &dhe_secret_len,
242 &alert, &key_share)) {
243 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
244 return ssl_hs_error;
245 }
246
247 int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);
248 OPENSSL_free(dhe_secret);
249 if (!ok) {
250 return ssl_hs_error;
251 }
252 } else {
253 if (have_key_share) {
254 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
255 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
256 return ssl_hs_error;
257 }
258 if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
259 return ssl_hs_error;
260 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]261 }
262
263 /* If there was no HelloRetryRequest, the version negotiation logic has
264 * already hashed the message. */
265 if (ssl->s3->hs->retry_group != 0 &&
266 !ssl->method->hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]267 return ssl_hs_error;
268 }
269
270 if (!tls13_set_handshake_traffic(ssl)) {
271 return ssl_hs_error;
272 }
273
274 hs->state = state_process_encrypted_extensions;
275 return ssl_hs_read_message;
276}
277
278static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL *ssl,
279 SSL_HANDSHAKE *hs) {
280 if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
281 return ssl_hs_error;
282 }
283
284 CBS cbs;
285 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
286 if (!ssl_parse_serverhello_tlsext(ssl, &cbs)) {
287 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
288 return ssl_hs_error;
289 }
290 if (CBS_len(&cbs) != 0) {
291 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
292 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
293 return ssl_hs_error;
294 }
295
296 if (!ssl->method->hash_current_message(ssl)) {
297 return ssl_hs_error;
298 }
299
300 hs->state = state_process_certificate_request;
301 return ssl_hs_read_message;
302}
303
304static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,
305 SSL_HANDSHAKE *hs) {
306 ssl->s3->tmp.cert_request = 0;
307
308 /* CertificateRequest may only be sent in certificate-based ciphers. */
309 if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
310 hs->state = state_process_server_finished;
311 return ssl_hs_ok;
312 }
313
314 /* CertificateRequest is optional. */
315 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
316 hs->state = state_process_server_certificate;
317 return ssl_hs_ok;
318 }
319
320 CBS cbs, context, supported_signature_algorithms;
321 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
322 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
323 !CBS_stow(&context, &ssl->s3->hs->cert_context,
324 &ssl->s3->hs->cert_context_len) ||
325 !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
326 !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
327 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
328 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
329 return ssl_hs_error;
330 }
331
332 uint8_t alert;
333 STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);
334 if (ca_sk == NULL) {
335 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
336 return ssl_hs_error;
337 }
338
339 /* Ignore extensions. */
340 CBS extensions;
341 if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
342 CBS_len(&cbs) != 0) {
343 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
344 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
345 return ssl_hs_error;
346 }
347
348 ssl->s3->tmp.cert_request = 1;
349 sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
350 ssl->s3->tmp.ca_names = ca_sk;
351
352 if (!ssl->method->hash_current_message(ssl)) {
353 return ssl_hs_error;
354 }
355
356 hs->state = state_process_server_certificate;
357 return ssl_hs_read_message;
358}
359
360static enum ssl_hs_wait_t do_process_server_certificate(SSL *ssl,
361 SSL_HANDSHAKE *hs) {
362 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
363 !tls13_process_certificate(ssl) ||
364 !ssl->method->hash_current_message(ssl)) {
365 return ssl_hs_error;
366 }
367
368 hs->state = state_process_server_certificate_verify;
369 return ssl_hs_read_message;
370}
371
372static enum ssl_hs_wait_t do_process_server_certificate_verify(
373 SSL *ssl, SSL_HANDSHAKE *hs) {
374 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
375 !tls13_process_certificate_verify(ssl) ||
376 !ssl->method->hash_current_message(ssl)) {
377 return 0;
378 }
379
380 hs->state = state_process_server_finished;
381 return ssl_hs_read_message;
382}
383
384static enum ssl_hs_wait_t do_process_server_finished(SSL *ssl,
385 SSL_HANDSHAKE *hs) {
386 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
387
388 if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||
389 !tls13_process_finished(ssl) ||
390 !ssl->method->hash_current_message(ssl) ||
391 /* Update the secret to the master secret and derive traffic keys. */
392 !tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||
393 !tls13_derive_traffic_secret_0(ssl)) {
394 return ssl_hs_error;
395 }
396
397 hs->state = state_certificate_callback;
398 return ssl_hs_ok;
399}
400
401static enum ssl_hs_wait_t do_certificate_callback(SSL *ssl, SSL_HANDSHAKE *hs) {
402 /* The peer didn't request a certificate. */
403 if (!ssl->s3->tmp.cert_request) {
404 hs->state = state_send_client_finished;
405 return ssl_hs_ok;
406 }
407
408 /* Call cert_cb to update the certificate. */
409 if (ssl->cert->cert_cb != NULL) {
410 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
411 if (rv == 0) {
412 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
413 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
414 return ssl_hs_error;
415 }
416 if (rv < 0) {
417 hs->state = state_certificate_callback;
418 return ssl_hs_x509_lookup;
419 }
420 }
421
422 hs->state = state_send_client_certificate;
423 return ssl_hs_ok;
424}
425
426static enum ssl_hs_wait_t do_send_client_certificate(SSL *ssl,
427 SSL_HANDSHAKE *hs) {
David Benjamin13f1ebe2016-07-20 10:11:04 +0200[diff] [blame]428 /* Call client_cert_cb to update the certificate. */
429 int should_retry;
430 if (!ssl_do_client_cert_cb(ssl, &should_retry)) {
431 if (should_retry) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]432 hs->state = state_send_client_certificate;
433 return ssl_hs_x509_lookup;
434 }
David Benjamin13f1ebe2016-07-20 10:11:04 +0200[diff] [blame]435 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]436 }
437
438 if (!tls13_prepare_certificate(ssl)) {
439 return ssl_hs_error;
440 }
441
442 hs->state = state_send_client_certificate_verify;
443 return ssl_hs_write_message;
444}
445
446static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL *ssl,
447 SSL_HANDSHAKE *hs,
448 int is_first_run) {
449 /* Don't send CertificateVerify if there is no certificate. */
450 if (!ssl_has_certificate(ssl)) {
451 hs->state = state_send_client_finished;
452 return ssl_hs_ok;
453 }
454
455 switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {
456 case ssl_private_key_success:
457 hs->state = state_send_client_finished;
458 return ssl_hs_write_message;
459
460 case ssl_private_key_retry:
461 hs->state = state_complete_client_certificate_verify;
462 return ssl_hs_private_key_operation;
463
464 case ssl_private_key_failure:
465 return ssl_hs_error;
466 }
467
468 assert(0);
469 return ssl_hs_error;
470}
471
472static enum ssl_hs_wait_t do_send_client_finished(SSL *ssl, SSL_HANDSHAKE *hs) {
473 if (!tls13_prepare_finished(ssl)) {
474 return ssl_hs_error;
475 }
476
477 hs->state = state_flush;
478 return ssl_hs_write_message;
479}
480
481static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {
482 if (!tls13_set_traffic_key(ssl, type_data, evp_aead_open,
483 hs->traffic_secret_0, hs->hash_len) ||
484 !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,
485 hs->traffic_secret_0, hs->hash_len) ||
486 !tls13_finalize_keys(ssl)) {
487 return ssl_hs_error;
488 }
489
490 hs->state = state_done;
491 return ssl_hs_flush;
492}
493
494enum ssl_hs_wait_t tls13_client_handshake(SSL *ssl) {
495 SSL_HANDSHAKE *hs = ssl->s3->hs;
496
497 while (hs->state != state_done) {
498 enum ssl_hs_wait_t ret = ssl_hs_error;
499 enum client_hs_state_t state = hs->state;
500 switch (state) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]501 case state_process_hello_retry_request:
502 ret = do_process_hello_retry_request(ssl, hs);
503 break;
504 case state_send_second_client_hello:
505 ret = do_send_second_client_hello(ssl, hs);
506 break;
507 case state_flush_second_client_hello:
508 ret = do_flush_second_client_hello(ssl, hs);
509 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]510 case state_process_server_hello:
511 ret = do_process_server_hello(ssl, hs);
512 break;
513 case state_process_encrypted_extensions:
514 ret = do_process_encrypted_extensions(ssl, hs);
515 break;
516 case state_process_certificate_request:
517 ret = do_process_certificate_request(ssl, hs);
518 break;
519 case state_process_server_certificate:
520 ret = do_process_server_certificate(ssl, hs);
521 break;
522 case state_process_server_certificate_verify:
523 ret = do_process_server_certificate_verify(ssl, hs);
524 break;
525 case state_process_server_finished:
526 ret = do_process_server_finished(ssl, hs);
527 break;
528 case state_certificate_callback:
529 ret = do_certificate_callback(ssl, hs);
530 break;
531 case state_send_client_certificate:
532 ret = do_send_client_certificate(ssl, hs);
533 break;
534 case state_send_client_certificate_verify:
535 ret = do_send_client_certificate_verify(ssl, hs, 1 /* first run */);
536 break;
537 case state_complete_client_certificate_verify:
538 ret = do_send_client_certificate_verify(ssl, hs, 0 /* complete */);
539 break;
540 case state_send_client_finished:
541 ret = do_send_client_finished(ssl, hs);
542 break;
543 case state_flush:
544 ret = do_flush(ssl, hs);
545 break;
546 case state_done:
547 ret = ssl_hs_ok;
548 break;
549 }
550
551 if (ret != ssl_hs_ok) {
552 return ret;
553 }
554 }
555
556 return ssl_hs_ok;
557}