kris
/
boringssl
1
0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
3679 Incheckningar
12 Grenar
38 MiB
 
 
 
 
 
 
Träd: 5fc99c6603
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '5fc99c6603'
${ noResults }
boringssl/ssl/tls13_client.c

712 rader
22 KiB
Blame Historik 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bytestring.h>

  21. #include <openssl/digest.h>

  22. #include <openssl/err.h>

  23. #include <openssl/mem.h>

  24. #include <openssl/stack.h>

  25. #include <openssl/x509.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. enum client_hs_state_t {

  32.   state_process_hello_retry_request = 0,

  33.   state_send_second_client_hello,

  34.   state_flush_second_client_hello,

  35.   state_process_server_hello,

  36.   state_process_encrypted_extensions,

  37.   state_process_certificate_request,

  38.   state_process_server_certificate,

  39.   state_process_server_certificate_verify,

  40.   state_process_server_finished,

  41.   state_send_client_certificate,

  42.   state_send_client_certificate_verify,

  43.   state_complete_client_certificate_verify,

  44.   state_send_channel_id,

  45.   state_send_client_finished,

  46.   state_flush,

  47.   state_done,

  48. };

  49. 

  50. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  51. 

  52. static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) {

  53.   SSL *const ssl = hs->ssl;

  54.   if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {

  55.     hs->tls13_state = state_process_server_hello;

  56.     return ssl_hs_ok;

  57.   }

  58. 

  59.   CBS cbs, extensions;

  60.   uint16_t server_wire_version;

  61.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  62.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  63.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  64.       /* HelloRetryRequest may not be empty. */

  65.       CBS_len(&extensions) == 0 ||

  66.       CBS_len(&cbs) != 0) {

  67.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  68.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  69.     return ssl_hs_error;

  70.   }

  71. 

  72.   int have_cookie, have_key_share;

  73.   CBS cookie, key_share;

  74.   const SSL_EXTENSION_TYPE ext_types[] = {

  75.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  76.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  77.   };

  78. 

  79.   uint8_t alert;

  80.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  81.                             OPENSSL_ARRAY_SIZE(ext_types),

  82.                             0 /* reject unknown */)) {

  83.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  84.     return ssl_hs_error;

  85.   }

  86. 

  87.   if (have_cookie) {

  88.     CBS cookie_value;

  89.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  90.         CBS_len(&cookie_value) == 0 ||

  91.         CBS_len(&cookie) != 0) {

  92.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  93.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  94.       return ssl_hs_error;

  95.     }

  96. 

  97.     if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {

  98.       return ssl_hs_error;

  99.     }

  100.   }

  101. 

  102.   if (have_key_share) {

  103.     uint16_t group_id;

  104.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  105.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  106.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  107.       return ssl_hs_error;

  108.     }

  109. 

  110.     /* The group must be supported. */

  111.     const uint16_t *groups;

  112.     size_t groups_len;

  113.     tls1_get_grouplist(ssl, &groups, &groups_len);

  114.     int found = 0;

  115.     for (size_t i = 0; i < groups_len; i++) {

  116.       if (groups[i] == group_id) {

  117.         found = 1;

  118.         break;

  119.       }

  120.     }

  121. 

  122.     if (!found) {

  123.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  124.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  125.       return ssl_hs_error;

  126.     }

  127. 

  128.     /* Check that the HelloRetryRequest does not request the key share that

  129.      * was provided in the initial ClientHello. */

  130.     if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {

  131.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  132.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  133.       return ssl_hs_error;

  134.     }

  135. 

  136.     SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  137.     hs->retry_group = group_id;

  138.   }

  139. 

  140.   hs->received_hello_retry_request = 1;

  141.   hs->tls13_state = state_send_second_client_hello;

  142.   return ssl_hs_ok;

  143. }

  144. 

  145. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  146.   if (!ssl_write_client_hello(hs)) {

  147.     return ssl_hs_error;

  148.   }

  149. 

  150.   hs->tls13_state = state_flush_second_client_hello;

  151.   return ssl_hs_write_message;

  152. }

  153. 

  154. static enum ssl_hs_wait_t do_flush_second_client_hello(SSL_HANDSHAKE *hs) {

  155.   hs->tls13_state = state_process_server_hello;

  156.   return ssl_hs_flush_and_read_message;

  157. }

  158. 

  159. static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {

  160.   SSL *const ssl = hs->ssl;

  161.   if (!tls13_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {

  162.     return ssl_hs_error;

  163.   }

  164. 

  165.   CBS cbs, server_random, extensions;

  166.   uint16_t server_wire_version;

  167.   uint16_t cipher_suite;

  168.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  169.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  170.       !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||

  171.       !CBS_get_u16(&cbs, &cipher_suite) ||

  172.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  173.       CBS_len(&cbs) != 0) {

  174.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  175.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  176.     return ssl_hs_error;

  177.   }

  178. 

  179.   if (server_wire_version != ssl->version) {

  180.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  181.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  182.     return ssl_hs_error;

  183.   }

  184. 

  185.   assert(ssl->s3->have_version);

  186.   OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),

  187.                  SSL3_RANDOM_SIZE);

  188. 

  189.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  190.   if (cipher == NULL) {

  191.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);

  192.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  193.     return ssl_hs_error;

  194.   }

  195. 

  196.   /* Check if the cipher is a TLS 1.3 cipher. */

  197.   if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||

  198.       SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {

  199.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  200.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  201.     return ssl_hs_error;

  202.   }

  203. 

  204.   /* Parse out the extensions. */

  205.   int have_key_share = 0, have_pre_shared_key = 0, have_short_header = 0;

  206.   CBS key_share, pre_shared_key, short_header;

  207.   const SSL_EXTENSION_TYPE ext_types[] = {

  208.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  209.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  210.       {TLSEXT_TYPE_short_header, &have_short_header, &short_header},

  211.   };

  212. 

  213.   uint8_t alert;

  214.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  215.                             OPENSSL_ARRAY_SIZE(ext_types),

  216.                             0 /* reject unknown */)) {

  217.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  218.     return ssl_hs_error;

  219.   }

  220. 

  221.   alert = SSL_AD_DECODE_ERROR;

  222.   if (have_pre_shared_key) {

  223.     if (ssl->session == NULL) {

  224.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  225.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  226.       return ssl_hs_error;

  227.     }

  228. 

  229.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  230.                                                   &pre_shared_key)) {

  231.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  232.       return ssl_hs_error;

  233.     }

  234. 

  235.     if (ssl->session->ssl_version != ssl->version) {

  236.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  237.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  238.       return ssl_hs_error;

  239.     }

  240. 

  241.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  242.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  243.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  244.       return ssl_hs_error;

  245.     }

  246. 

  247.     if (!ssl_session_is_context_valid(ssl, ssl->session)) {

  248.       /* This is actually a client application bug. */

  249.       OPENSSL_PUT_ERROR(SSL,

  250.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  251.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  252.       return ssl_hs_error;

  253.     }

  254. 

  255.     ssl->s3->session_reused = 1;

  256.     /* Only authentication information carries over in TLS 1.3. */

  257.     ssl->s3->new_session =

  258.         SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);

  259.     if (ssl->s3->new_session == NULL) {

  260.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  261.       return ssl_hs_error;

  262.     }

  263.     ssl_set_session(ssl, NULL);

  264.   } else if (!ssl_get_new_session(hs, 0)) {

  265.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  266.     return ssl_hs_error;

  267.   }

  268. 

  269.   ssl->s3->new_session->cipher = cipher;

  270.   ssl->s3->tmp.new_cipher = cipher;

  271. 

  272.   /* The PRF hash is now known. Set up the key schedule. */

  273.   size_t hash_len =

  274.       EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));

  275.   if (!tls13_init_key_schedule(hs)) {

  276.     return ssl_hs_error;

  277.   }

  278. 

  279.   /* Incorporate the PSK into the running secret. */

  280.   if (ssl->s3->session_reused) {

  281.     if (!tls13_advance_key_schedule(hs, ssl->s3->new_session->master_key,

  282.                                     ssl->s3->new_session->master_key_length)) {

  283.       return ssl_hs_error;

  284.     }

  285.   } else if (!tls13_advance_key_schedule(hs, kZeroes, hash_len)) {

  286.     return ssl_hs_error;

  287.   }

  288. 

  289.   if (!have_key_share) {

  290.     /* We do not support psk_ke and thus always require a key share. */

  291.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  292.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  293.     return ssl_hs_error;

  294.   }

  295. 

  296.   /* Resolve ECDHE and incorporate it into the secret. */

  297.   uint8_t *dhe_secret;

  298.   size_t dhe_secret_len;

  299.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,

  300.                                            &alert, &key_share)) {

  301.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  302.     return ssl_hs_error;

  303.   }

  304. 

  305.   if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {

  306.     OPENSSL_free(dhe_secret);

  307.     return ssl_hs_error;

  308.   }

  309.   OPENSSL_free(dhe_secret);

  310. 

  311.   /* Negotiate short record headers. */

  312.   if (have_short_header) {

  313.     if (CBS_len(&short_header) != 0) {

  314.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  315.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  316.       return ssl_hs_error;

  317.     }

  318. 

  319.     if (!ssl->ctx->short_header_enabled) {

  320.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  321.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  322.       return ssl_hs_error;

  323.     }

  324. 

  325.     ssl->s3->short_header = 1;

  326.   }

  327. 

  328.   /* If there was no HelloRetryRequest, the version negotiation logic has

  329.    * already hashed the message. */

  330.   if (hs->received_hello_retry_request &&

  331.       !ssl_hash_current_message(ssl)) {

  332.     return ssl_hs_error;

  333.   }

  334. 

  335.   if (!tls13_derive_handshake_secrets(hs) ||

  336.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,

  337.                              hs->hash_len) ||

  338.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  339.                              hs->hash_len)) {

  340.     return ssl_hs_error;

  341.   }

  342. 

  343.   hs->tls13_state = state_process_encrypted_extensions;

  344.   return ssl_hs_read_message;

  345. }

  346. 

  347. static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) {

  348.   SSL *const ssl = hs->ssl;

  349.   if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  350.     return ssl_hs_error;

  351.   }

  352. 

  353.   CBS cbs;

  354.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  355.   if (!ssl_parse_serverhello_tlsext(hs, &cbs)) {

  356.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  357.     return ssl_hs_error;

  358.   }

  359.   if (CBS_len(&cbs) != 0) {

  360.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  361.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  362.     return ssl_hs_error;

  363.   }

  364. 

  365.   if (!ssl_hash_current_message(ssl)) {

  366.     return ssl_hs_error;

  367.   }

  368. 

  369.   hs->tls13_state = state_process_certificate_request;

  370.   return ssl_hs_read_message;

  371. }

  372. 

  373. static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) {

  374.   SSL *const ssl = hs->ssl;

  375.   /* CertificateRequest may only be sent in non-resumption handshakes. */

  376.   if (ssl->s3->session_reused) {

  377.     hs->tls13_state = state_process_server_finished;

  378.     return ssl_hs_ok;

  379.   }

  380. 

  381.   /* CertificateRequest is optional. */

  382.   if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {

  383.     hs->tls13_state = state_process_server_certificate;

  384.     return ssl_hs_ok;

  385.   }

  386. 

  387.   CBS cbs, context, supported_signature_algorithms;

  388.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  389.   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||

  390.       /* The request context is always empty during the handshake. */

  391.       CBS_len(&context) != 0 ||

  392.       !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||

  393.       CBS_len(&supported_signature_algorithms) == 0 ||

  394.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  395.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  396.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  397.     return ssl_hs_error;

  398.   }

  399. 

  400.   uint8_t alert;

  401.   STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);

  402.   if (ca_sk == NULL) {

  403.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  404.     return ssl_hs_error;

  405.   }

  406. 

  407.   /* Ignore extensions. */

  408.   CBS extensions;

  409.   if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  410.       CBS_len(&cbs) != 0) {

  411.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  412.     sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);

  413.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  414.     return ssl_hs_error;

  415.   }

  416. 

  417.   hs->cert_request = 1;

  418.   sk_X509_NAME_pop_free(hs->ca_names, X509_NAME_free);

  419.   hs->ca_names = ca_sk;

  420. 

  421.   if (!ssl_hash_current_message(ssl)) {

  422.     return ssl_hs_error;

  423.   }

  424. 

  425.   hs->tls13_state = state_process_server_certificate;

  426.   return ssl_hs_read_message;

  427. }

  428. 

  429. static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) {

  430.   SSL *const ssl = hs->ssl;

  431.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  432.       !tls13_process_certificate(hs, 0 /* certificate required */) ||

  433.       !ssl_hash_current_message(ssl)) {

  434.     return ssl_hs_error;

  435.   }

  436. 

  437.   hs->tls13_state = state_process_server_certificate_verify;

  438.   return ssl_hs_read_message;

  439. }

  440. 

  441. static enum ssl_hs_wait_t do_process_server_certificate_verify(

  442.     SSL_HANDSHAKE *hs) {

  443.   SSL *const ssl = hs->ssl;

  444.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  445.       !tls13_process_certificate_verify(hs) ||

  446.       !ssl_hash_current_message(ssl)) {

  447.     return ssl_hs_error;

  448.   }

  449. 

  450.   hs->tls13_state = state_process_server_finished;

  451.   return ssl_hs_read_message;

  452. }

  453. 

  454. static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) {

  455.   SSL *const ssl = hs->ssl;

  456.   if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||

  457.       !tls13_process_finished(hs) ||

  458.       !ssl_hash_current_message(ssl) ||

  459.       /* Update the secret to the master secret and derive traffic keys. */

  460.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  461.       !tls13_derive_application_secrets(hs)) {

  462.     return ssl_hs_error;

  463.   }

  464. 

  465.   ssl->method->received_flight(ssl);

  466.   hs->tls13_state = state_send_client_certificate;

  467.   return ssl_hs_ok;

  468. }

  469. 

  470. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  471.   SSL *const ssl = hs->ssl;

  472.   /* The peer didn't request a certificate. */

  473.   if (!hs->cert_request) {

  474.     hs->tls13_state = state_send_channel_id;

  475.     return ssl_hs_ok;

  476.   }

  477. 

  478.   /* Call cert_cb to update the certificate. */

  479.   if (ssl->cert->cert_cb != NULL) {

  480.     int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);

  481.     if (rv == 0) {

  482.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  483.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  484.       return ssl_hs_error;

  485.     }

  486.     if (rv < 0) {

  487.       hs->tls13_state = state_send_client_certificate;

  488.       return ssl_hs_x509_lookup;

  489.     }

  490.   }

  491. 

  492.   if (!ssl_auto_chain_if_needed(ssl) ||

  493.       !tls13_prepare_certificate(hs)) {

  494.     return ssl_hs_error;

  495.   }

  496. 

  497.   hs->tls13_state = state_send_client_certificate_verify;

  498.   return ssl_hs_write_message;

  499. }

  500. 

  501. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs,

  502.                                                             int is_first_run) {

  503.   SSL *const ssl = hs->ssl;

  504.   /* Don't send CertificateVerify if there is no certificate. */

  505.   if (!ssl_has_certificate(ssl)) {

  506.     hs->tls13_state = state_send_channel_id;

  507.     return ssl_hs_ok;

  508.   }

  509. 

  510.   switch (tls13_prepare_certificate_verify(hs, is_first_run)) {

  511.     case ssl_private_key_success:

  512.       hs->tls13_state = state_send_channel_id;

  513.       return ssl_hs_write_message;

  514. 

  515.     case ssl_private_key_retry:

  516.       hs->tls13_state = state_complete_client_certificate_verify;

  517.       return ssl_hs_private_key_operation;

  518. 

  519.     case ssl_private_key_failure:

  520.       return ssl_hs_error;

  521.   }

  522. 

  523.   assert(0);

  524.   return ssl_hs_error;

  525. }

  526. 

  527. static enum ssl_hs_wait_t do_send_channel_id(SSL_HANDSHAKE *hs) {

  528.   SSL *const ssl = hs->ssl;

  529.   if (!ssl->s3->tlsext_channel_id_valid) {

  530.     hs->tls13_state = state_send_client_finished;

  531.     return ssl_hs_ok;

  532.   }

  533. 

  534.   if (!ssl_do_channel_id_callback(ssl)) {

  535.     return ssl_hs_error;

  536.   }

  537. 

  538.   if (ssl->tlsext_channel_id_private == NULL) {

  539.     return ssl_hs_channel_id_lookup;

  540.   }

  541. 

  542.   CBB cbb, body;

  543.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||

  544.       !tls1_write_channel_id(ssl, &body) ||

  545.       !ssl_complete_message(ssl, &cbb)) {

  546.     CBB_cleanup(&cbb);

  547.     return ssl_hs_error;

  548.   }

  549. 

  550.   hs->tls13_state = state_send_client_finished;

  551.   return ssl_hs_write_message;

  552. }

  553. 

  554. static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {

  555.   if (!tls13_prepare_finished(hs)) {

  556.     return ssl_hs_error;

  557.   }

  558. 

  559.   hs->tls13_state = state_flush;

  560.   return ssl_hs_write_message;

  561. }

  562. 

  563. static enum ssl_hs_wait_t do_flush(SSL_HANDSHAKE *hs) {

  564.   SSL *const ssl = hs->ssl;

  565.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,

  566.                              hs->hash_len) ||

  567.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,

  568.                              hs->hash_len) ||

  569.       !tls13_derive_resumption_secret(hs)) {

  570.     return ssl_hs_error;

  571.   }

  572. 

  573.   hs->tls13_state = state_done;

  574.   return ssl_hs_flush;

  575. }

  576. 

  577. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  578.   while (hs->tls13_state != state_done) {

  579.     enum ssl_hs_wait_t ret = ssl_hs_error;

  580.     enum client_hs_state_t state = hs->tls13_state;

  581.     switch (state) {

  582.       case state_process_hello_retry_request:

  583.         ret = do_process_hello_retry_request(hs);

  584.         break;

  585.       case state_send_second_client_hello:

  586.         ret = do_send_second_client_hello(hs);

  587.         break;

  588.       case state_flush_second_client_hello:

  589.         ret = do_flush_second_client_hello(hs);

  590.         break;

  591.       case state_process_server_hello:

  592.         ret = do_process_server_hello(hs);

  593.         break;

  594.       case state_process_encrypted_extensions:

  595.         ret = do_process_encrypted_extensions(hs);

  596.         break;

  597.       case state_process_certificate_request:

  598.         ret = do_process_certificate_request(hs);

  599.         break;

  600.       case state_process_server_certificate:

  601.         ret = do_process_server_certificate(hs);

  602.         break;

  603.       case state_process_server_certificate_verify:

  604.         ret = do_process_server_certificate_verify(hs);

  605.         break;

  606.       case state_process_server_finished:

  607.         ret = do_process_server_finished(hs);

  608.         break;

  609.       case state_send_client_certificate:

  610.         ret = do_send_client_certificate(hs);

  611.         break;

  612.       case state_send_client_certificate_verify:

  613.         ret = do_send_client_certificate_verify(hs, 1 /* first run */);

  614.         break;

  615.       case state_complete_client_certificate_verify:

  616.         ret = do_send_client_certificate_verify(hs, 0 /* complete */);

  617.         break;

  618.       case state_send_channel_id:

  619.         ret = do_send_channel_id(hs);

  620.         break;

  621.       case state_send_client_finished:

  622.         ret = do_send_client_finished(hs);

  623.         break;

  624.       case state_flush:

  625.         ret = do_flush(hs);

  626.         break;

  627.       case state_done:

  628.         ret = ssl_hs_ok;

  629.         break;

  630.     }

  631. 

  632.     if (ret != ssl_hs_ok) {

  633.       return ret;

  634.     }

  635.   }

  636. 

  637.   return ssl_hs_ok;

  638. }

  639. 

  640. int tls13_process_new_session_ticket(SSL *ssl) {

  641.   int ret = 0;

  642.   SSL_SESSION *session =

  643.       SSL_SESSION_dup(ssl->s3->established_session,

  644.                       SSL_SESSION_INCLUDE_NONAUTH);

  645.   if (session == NULL) {

  646.     return 0;

  647.   }

  648. 

  649.   ssl_session_refresh_time(ssl, session);

  650. 

  651.   CBS cbs, ticket, extensions;

  652.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  653.   if (!CBS_get_u32(&cbs, &session->tlsext_tick_lifetime_hint) ||

  654.       !CBS_get_u32(&cbs, &session->ticket_age_add) ||

  655.       !CBS_get_u16_length_prefixed(&cbs, &ticket) ||

  656.       !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||

  657.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  658.       CBS_len(&cbs) != 0) {

  659.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  660.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  661.     goto err;

  662.   }

  663. 

  664.   /* Parse out the extensions. */

  665.   int have_early_data_info = 0;

  666.   CBS early_data_info;

  667.   const SSL_EXTENSION_TYPE ext_types[] = {

  668.       {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,

  669.        &early_data_info},

  670.   };

  671. 

  672.   uint8_t alert;

  673.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  674.                             OPENSSL_ARRAY_SIZE(ext_types),

  675.                             1 /* ignore unknown */)) {

  676.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  677.     goto err;

  678.   }

  679. 

  680.   if (have_early_data_info) {

  681.     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||

  682.         CBS_len(&early_data_info) != 0) {

  683.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  684.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  685.       goto err;

  686.     }

  687.   }

  688. 

  689.   session->ticket_age_add_valid = 1;

  690.   session->not_resumable = 0;

  691. 

  692.   if (ssl->ctx->new_session_cb != NULL &&

  693.       ssl->ctx->new_session_cb(ssl, session)) {

  694.     /* |new_session_cb|'s return value signals that it took ownership. */

  695.     session = NULL;

  696.   }

  697. 

  698.   ret = 1;

  699. 

  700. err:

  701.   SSL_SESSION_free(session);

  702.   return ret;

  703. }

  704. 

  705. void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {

  706.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  707. 

  708.   OPENSSL_free(hs->key_share_bytes);

  709.   hs->key_share_bytes = NULL;

  710.   hs->key_share_bytes_len = 0;

  711. }