kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5405 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6855e0a470
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6855e0a470'
${ noResults }
boringssl/ssl/tls13_client.cc

927 lines
30 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <limits.h>

  19. #include <string.h>

  20. 

  21. #include <utility>

  22. 

  23. #include <openssl/bytestring.h>

  24. #include <openssl/digest.h>

  25. #include <openssl/err.h>

  26. #include <openssl/mem.h>

  27. #include <openssl/stack.h>

  28. 

  29. #include "../crypto/internal.h"

  30. #include "internal.h"

  31. 

  32. 

  33. namespace bssl {

  34. 

  35. enum client_hs_state_t {

  36.   state_read_hello_retry_request = 0,

  37.   state_send_second_client_hello,

  38.   state_read_server_hello,

  39.   state_read_encrypted_extensions,

  40.   state_read_certificate_request,

  41.   state_read_server_certificate,

  42.   state_read_server_certificate_verify,

  43.   state_server_certificate_reverify,

  44.   state_read_server_finished,

  45.   state_send_end_of_early_data,

  46.   state_send_client_certificate,

  47.   state_send_client_certificate_verify,

  48.   state_complete_second_flight,

  49.   state_done,

  50. };

  51. 

  52. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  53. 

  54. static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {

  55.   SSL *const ssl = hs->ssl;

  56.   assert(ssl->s3->have_version);

  57.   SSLMessage msg;

  58.   if (!ssl->method->get_message(ssl, &msg)) {

  59.     return ssl_hs_read_message;

  60.   }

  61. 

  62.   // Queue up a ChangeCipherSpec for whenever we next send something. This

  63.   // will be before the second ClientHello. If we offered early data, this was

  64.   // already done.

  65.   if (!hs->early_data_offered &&

  66.       !ssl->method->add_change_cipher_spec(ssl)) {

  67.     return ssl_hs_error;

  68.   }

  69. 

  70.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {

  71.     return ssl_hs_error;

  72.   }

  73. 

  74.   CBS body = msg.body, extensions, server_random, session_id;

  75.   uint16_t server_version, cipher_suite;

  76.   uint8_t compression_method;

  77.   if (!CBS_get_u16(&body, &server_version) ||

  78.       !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||

  79.       !CBS_get_u8_length_prefixed(&body, &session_id) ||

  80.       !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||

  81.       !CBS_get_u16(&body, &cipher_suite) ||

  82.       !CBS_get_u8(&body, &compression_method) ||

  83.       compression_method != 0 ||

  84.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  85.       CBS_len(&extensions) == 0 ||

  86.       CBS_len(&body) != 0) {

  87.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  88.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  89.     return ssl_hs_error;

  90.   }

  91. 

  92.   if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {

  93.     hs->tls13_state = state_read_server_hello;

  94.     return ssl_hs_ok;

  95.   }

  96. 

  97.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  98.   // Check if the cipher is a TLS 1.3 cipher.

  99.   if (cipher == NULL ||

  100.       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||

  101.       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {

  102.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  103.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  104.     return ssl_hs_error;

  105.   }

  106. 

  107.   hs->new_cipher = cipher;

  108. 

  109.   if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||

  110.       !hs->transcript.UpdateForHelloRetryRequest()) {

  111.     return ssl_hs_error;

  112.   }

  113. 

  114. 

  115.   bool have_cookie, have_key_share, have_supported_versions;

  116.   CBS cookie, key_share, supported_versions;

  117.   SSL_EXTENSION_TYPE ext_types[] = {

  118.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  119.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  120.       {TLSEXT_TYPE_supported_versions, &have_supported_versions,

  121.        &supported_versions},

  122.   };

  123. 

  124.   uint8_t alert = SSL_AD_DECODE_ERROR;

  125.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  126.                             OPENSSL_ARRAY_SIZE(ext_types),

  127.                             0 /* reject unknown */)) {

  128.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  129.     return ssl_hs_error;

  130.   }

  131. 

  132.   if (!have_cookie && !have_key_share) {

  133.     OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);

  134.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  135.     return ssl_hs_error;

  136.   }

  137.   if (have_cookie) {

  138.     CBS cookie_value;

  139.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  140.         CBS_len(&cookie_value) == 0 ||

  141.         CBS_len(&cookie) != 0) {

  142.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  143.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  144.       return ssl_hs_error;

  145.     }

  146. 

  147.     if (!hs->cookie.CopyFrom(cookie_value)) {

  148.       return ssl_hs_error;

  149.     }

  150.   }

  151. 

  152.   if (have_key_share) {

  153.     uint16_t group_id;

  154.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  155.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  156.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  157.       return ssl_hs_error;

  158.     }

  159. 

  160.     // The group must be supported.

  161.     if (!tls1_check_group_id(hs, group_id)) {

  162.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  163.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  164.       return ssl_hs_error;

  165.     }

  166. 

  167.     // Check that the HelloRetryRequest does not request the key share that

  168.     // was provided in the initial ClientHello.

  169.     if (hs->key_share->GroupID() == group_id) {

  170.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  171.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  172.       return ssl_hs_error;

  173.     }

  174. 

  175.     hs->key_share.reset();

  176.     hs->retry_group = group_id;

  177.   }

  178. 

  179.   if (!ssl_hash_message(hs, msg)) {

  180.     return ssl_hs_error;

  181.   }

  182. 

  183.   ssl->method->next_message(ssl);

  184.   hs->received_hello_retry_request = true;

  185.   hs->tls13_state = state_send_second_client_hello;

  186.   // 0-RTT is rejected if we receive a HelloRetryRequest.

  187.   if (hs->in_early_data) {

  188.     return ssl_hs_early_data_rejected;

  189.   }

  190.   return ssl_hs_ok;

  191. }

  192. 

  193. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  194.   SSL *const ssl = hs->ssl;

  195.   // Restore the null cipher. We may have switched due to 0-RTT.

  196.   bssl::UniquePtr<SSLAEADContext> null_ctx =

  197.       SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));

  198.   if (!null_ctx ||

  199.       !ssl->method->set_write_state(ssl, std::move(null_ctx))) {

  200.     return ssl_hs_error;

  201.   }

  202. 

  203.   ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);

  204. 

  205.   if (!ssl_write_client_hello(hs)) {

  206.     return ssl_hs_error;

  207.   }

  208. 

  209.   hs->tls13_state = state_read_server_hello;

  210.   return ssl_hs_flush;

  211. }

  212. 

  213. static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {

  214.   SSL *const ssl = hs->ssl;

  215.   SSLMessage msg;

  216.   if (!ssl->method->get_message(ssl, &msg)) {

  217.     return ssl_hs_read_message;

  218.   }

  219.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {

  220.     return ssl_hs_error;

  221.   }

  222. 

  223.   CBS body = msg.body, server_random, session_id, extensions;

  224.   uint16_t server_version;

  225.   uint16_t cipher_suite;

  226.   uint8_t compression_method;

  227.   if (!CBS_get_u16(&body, &server_version) ||

  228.       !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||

  229.       !CBS_get_u8_length_prefixed(&body, &session_id) ||

  230.       !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||

  231.       !CBS_get_u16(&body, &cipher_suite) ||

  232.       !CBS_get_u8(&body, &compression_method) ||

  233.       compression_method != 0 ||

  234.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  235.       CBS_len(&body) != 0) {

  236.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  237.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  238.     return ssl_hs_error;

  239.   }

  240. 

  241.   if (server_version != TLS1_2_VERSION) {

  242.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  243.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  244.     return ssl_hs_error;

  245.   }

  246. 

  247.   // Forbid a second HelloRetryRequest.

  248.   if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {

  249.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  250.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  251.     return ssl_hs_error;

  252.   }

  253. 

  254.   OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),

  255.                  SSL3_RANDOM_SIZE);

  256. 

  257.   // Check if the cipher is a TLS 1.3 cipher.

  258.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  259.   if (cipher == nullptr ||

  260.       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||

  261.       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {

  262.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  263.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  264.     return ssl_hs_error;

  265.   }

  266. 

  267.   // Check that the cipher matches the one in the HelloRetryRequest.

  268.   if (hs->received_hello_retry_request &&

  269.       hs->new_cipher != cipher) {

  270.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  271.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  272.     return ssl_hs_error;

  273.   }

  274. 

  275.   // Parse out the extensions.

  276.   bool have_key_share = false, have_pre_shared_key = false,

  277.        have_supported_versions = false;

  278.   CBS key_share, pre_shared_key, supported_versions;

  279.   SSL_EXTENSION_TYPE ext_types[] = {

  280.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  281.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  282.       {TLSEXT_TYPE_supported_versions, &have_supported_versions,

  283.        &supported_versions},

  284.   };

  285. 

  286.   uint8_t alert = SSL_AD_DECODE_ERROR;

  287.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  288.                             OPENSSL_ARRAY_SIZE(ext_types),

  289.                             0 /* reject unknown */)) {

  290.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  291.     return ssl_hs_error;

  292.   }

  293. 

  294.   if (ssl_is_draft28(ssl->version)) {

  295.     // Recheck supported_versions, in case this is the second ServerHello.

  296.     uint16_t version;

  297.     if (!have_supported_versions ||

  298.         !CBS_get_u16(&supported_versions, &version) ||

  299.         version != ssl->version) {

  300.       OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);

  301.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  302.       return ssl_hs_error;

  303.     }

  304.   }

  305. 

  306.   alert = SSL_AD_DECODE_ERROR;

  307.   if (have_pre_shared_key) {

  308.     if (ssl->session == NULL) {

  309.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  310.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  311.       return ssl_hs_error;

  312.     }

  313. 

  314.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  315.                                                   &pre_shared_key)) {

  316.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  317.       return ssl_hs_error;

  318.     }

  319. 

  320.     if (ssl->session->ssl_version != ssl->version) {

  321.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  322.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  323.       return ssl_hs_error;

  324.     }

  325. 

  326.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  327.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  328.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  329.       return ssl_hs_error;

  330.     }

  331. 

  332.     if (!ssl_session_is_context_valid(hs, ssl->session.get())) {

  333.       // This is actually a client application bug.

  334.       OPENSSL_PUT_ERROR(SSL,

  335.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  336.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  337.       return ssl_hs_error;

  338.     }

  339. 

  340.     ssl->s3->session_reused = true;

  341.     // Only authentication information carries over in TLS 1.3.

  342.     hs->new_session =

  343.         SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);

  344.     if (!hs->new_session) {

  345.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  346.       return ssl_hs_error;

  347.     }

  348.     ssl_set_session(ssl, NULL);

  349. 

  350.     // Resumption incorporates fresh key material, so refresh the timeout.

  351.     ssl_session_renew_timeout(ssl, hs->new_session.get(),

  352.                               ssl->session_ctx->session_psk_dhe_timeout);

  353.   } else if (!ssl_get_new_session(hs, 0)) {

  354.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  355.     return ssl_hs_error;

  356.   }

  357. 

  358.   hs->new_session->cipher = cipher;

  359.   hs->new_cipher = cipher;

  360. 

  361.   size_t hash_len =

  362.       EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));

  363. 

  364.   // Set up the key schedule and incorporate the PSK into the running secret.

  365.   if (ssl->s3->session_reused) {

  366.     if (!tls13_init_key_schedule(hs, hs->new_session->master_key,

  367.                                  hs->new_session->master_key_length)) {

  368.       return ssl_hs_error;

  369.     }

  370.   } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {

  371.     return ssl_hs_error;

  372.   }

  373. 

  374.   if (!have_key_share) {

  375.     // We do not support psk_ke and thus always require a key share.

  376.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  377.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  378.     return ssl_hs_error;

  379.   }

  380. 

  381.   // Resolve ECDHE and incorporate it into the secret.

  382.   Array<uint8_t> dhe_secret;

  383.   alert = SSL_AD_DECODE_ERROR;

  384.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,

  385.                                            &key_share)) {

  386.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  387.     return ssl_hs_error;

  388.   }

  389. 

  390.   if (!tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()) ||

  391.       !ssl_hash_message(hs, msg) ||

  392.       !tls13_derive_handshake_secrets(hs) ||

  393.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,

  394.                              hs->hash_len)) {

  395.     return ssl_hs_error;

  396.   }

  397. 

  398.   if (!hs->early_data_offered) {

  399.     // If not sending early data, set client traffic keys now so that alerts are

  400.     // encrypted.

  401.     if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  402.                                hs->hash_len)) {

  403.       return ssl_hs_error;

  404.     }

  405.   }

  406. 

  407.   ssl->method->next_message(ssl);

  408.   hs->tls13_state = state_read_encrypted_extensions;

  409.   return ssl_hs_ok;

  410. }

  411. 

  412. static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {

  413.   SSL *const ssl = hs->ssl;

  414.   SSLMessage msg;

  415.   if (!ssl->method->get_message(ssl, &msg)) {

  416.     return ssl_hs_read_message;

  417.   }

  418.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  419.     return ssl_hs_error;

  420.   }

  421. 

  422.   CBS body = msg.body;

  423.   if (!ssl_parse_serverhello_tlsext(hs, &body)) {

  424.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  425.     return ssl_hs_error;

  426.   }

  427.   if (CBS_len(&body) != 0) {

  428.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  429.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  430.     return ssl_hs_error;

  431.   }

  432. 

  433.   // Store the negotiated ALPN in the session.

  434.   if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {

  435.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  436.     return ssl_hs_error;

  437.   }

  438. 

  439.   if (ssl->s3->early_data_accepted) {

  440.     if (hs->early_session->cipher != hs->new_session->cipher ||

  441.         MakeConstSpan(hs->early_session->early_alpn) !=

  442.             ssl->s3->alpn_selected) {

  443.       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);

  444.       return ssl_hs_error;

  445.     }

  446.     if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated) {

  447.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);

  448.       return ssl_hs_error;

  449.     }

  450.   }

  451. 

  452.   if (!ssl_hash_message(hs, msg)) {

  453.     return ssl_hs_error;

  454.   }

  455. 

  456.   ssl->method->next_message(ssl);

  457.   hs->tls13_state = state_read_certificate_request;

  458.   if (hs->in_early_data && !ssl->s3->early_data_accepted) {

  459.     return ssl_hs_early_data_rejected;

  460.   }

  461.   return ssl_hs_ok;

  462. }

  463. 

  464. static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {

  465.   SSL *const ssl = hs->ssl;

  466.   // CertificateRequest may only be sent in non-resumption handshakes.

  467.   if (ssl->s3->session_reused) {

  468.     if (ssl->ctx->reverify_on_resume) {

  469.       hs->tls13_state = state_server_certificate_reverify;

  470.       return ssl_hs_ok;

  471.     }

  472.     hs->tls13_state = state_read_server_finished;

  473.     return ssl_hs_ok;

  474.   }

  475. 

  476.   SSLMessage msg;

  477.   if (!ssl->method->get_message(ssl, &msg)) {

  478.     return ssl_hs_read_message;

  479.   }

  480. 

  481.   // CertificateRequest is optional.

  482.   if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {

  483.     hs->tls13_state = state_read_server_certificate;

  484.     return ssl_hs_ok;

  485.   }

  486. 

  487. 

  488.   bool have_sigalgs = false, have_ca = false;

  489.   CBS sigalgs, ca;

  490.   const SSL_EXTENSION_TYPE ext_types[] = {

  491.     {TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},

  492.     {TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},

  493.   };

  494. 

  495.   CBS body = msg.body, context, extensions, supported_signature_algorithms;

  496.   uint8_t alert = SSL_AD_DECODE_ERROR;

  497.   if (!CBS_get_u8_length_prefixed(&body, &context) ||

  498.       // The request context is always empty during the handshake.

  499.       CBS_len(&context) != 0 ||

  500.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  501.       CBS_len(&body) != 0 ||

  502.       !ssl_parse_extensions(&extensions, &alert, ext_types,

  503.                             OPENSSL_ARRAY_SIZE(ext_types),

  504.                             1 /* accept unknown */) ||

  505.       (have_ca && CBS_len(&ca) == 0) ||

  506.       !have_sigalgs ||

  507.       !CBS_get_u16_length_prefixed(&sigalgs,

  508.                                    &supported_signature_algorithms) ||

  509.       CBS_len(&supported_signature_algorithms) == 0 ||

  510.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  511.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  512.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  513.     return ssl_hs_error;

  514.   }

  515. 

  516.   if (have_ca) {

  517.     hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);

  518.     if (!hs->ca_names) {

  519.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  520.       return ssl_hs_error;

  521.     }

  522.   } else {

  523.     hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());

  524.     if (!hs->ca_names) {

  525.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  526.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  527.       return ssl_hs_error;

  528.     }

  529.   }

  530. 

  531.   hs->cert_request = true;

  532.   ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  533. 

  534.   if (!ssl_hash_message(hs, msg)) {

  535.     return ssl_hs_error;

  536.   }

  537. 

  538.   ssl->method->next_message(ssl);

  539.   hs->tls13_state = state_read_server_certificate;

  540.   return ssl_hs_ok;

  541. }

  542. 

  543. static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {

  544.   SSL *const ssl = hs->ssl;

  545.   SSLMessage msg;

  546.   if (!ssl->method->get_message(ssl, &msg)) {

  547.     return ssl_hs_read_message;

  548.   }

  549. 

  550.   if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&

  551.       !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {

  552.     return ssl_hs_error;

  553.   }

  554. 

  555.   if (!tls13_process_certificate(hs, msg, 0 /* certificate required */) ||

  556.       !ssl_hash_message(hs, msg)) {

  557.     return ssl_hs_error;

  558.   }

  559. 

  560.   ssl->method->next_message(ssl);

  561.   hs->tls13_state = state_read_server_certificate_verify;

  562.   return ssl_hs_ok;

  563. }

  564. 

  565. static enum ssl_hs_wait_t do_read_server_certificate_verify(

  566.     SSL_HANDSHAKE *hs) {

  567.   SSL *const ssl = hs->ssl;

  568.   SSLMessage msg;

  569.   if (!ssl->method->get_message(ssl, &msg)) {

  570.     return ssl_hs_read_message;

  571.   }

  572.   switch (ssl_verify_peer_cert(hs)) {

  573.     case ssl_verify_ok:

  574.       break;

  575.     case ssl_verify_invalid:

  576.       return ssl_hs_error;

  577.     case ssl_verify_retry:

  578.       hs->tls13_state = state_read_server_certificate_verify;

  579.       return ssl_hs_certificate_verify;

  580.   }

  581. 

  582.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||

  583.       !tls13_process_certificate_verify(hs, msg) ||

  584.       !ssl_hash_message(hs, msg)) {

  585.     return ssl_hs_error;

  586.   }

  587. 

  588.   ssl->method->next_message(ssl);

  589.   hs->tls13_state = state_read_server_finished;

  590.   return ssl_hs_ok;

  591. }

  592. 

  593. static enum ssl_hs_wait_t do_server_certificate_reverify(

  594.     SSL_HANDSHAKE *hs) {

  595.   switch (ssl_reverify_peer_cert(hs)) {

  596.     case ssl_verify_ok:

  597.       break;

  598.     case ssl_verify_invalid:

  599.       return ssl_hs_error;

  600.     case ssl_verify_retry:

  601.       hs->tls13_state = state_server_certificate_reverify;

  602.       return ssl_hs_certificate_verify;

  603.   }

  604.   hs->tls13_state = state_read_server_finished;

  605.   return ssl_hs_ok;

  606. }

  607. 

  608. static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {

  609.   SSL *const ssl = hs->ssl;

  610.   SSLMessage msg;

  611.   if (!ssl->method->get_message(ssl, &msg)) {

  612.     return ssl_hs_read_message;

  613.   }

  614.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||

  615.       !tls13_process_finished(hs, msg, 0 /* don't use saved value */) ||

  616.       !ssl_hash_message(hs, msg) ||

  617.       // Update the secret to the master secret and derive traffic keys.

  618.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  619.       !tls13_derive_application_secrets(hs)) {

  620.     return ssl_hs_error;

  621.   }

  622. 

  623.   ssl->method->next_message(ssl);

  624.   hs->tls13_state = state_send_end_of_early_data;

  625.   return ssl_hs_ok;

  626. }

  627. 

  628. static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {

  629.   SSL *const ssl = hs->ssl;

  630. 

  631.   if (ssl->s3->early_data_accepted) {

  632.     hs->can_early_write = false;

  633.     ScopedCBB cbb;

  634.     CBB body;

  635.     if (!ssl->method->init_message(ssl, cbb.get(), &body,

  636.                                    SSL3_MT_END_OF_EARLY_DATA) ||

  637.         !ssl_add_message_cbb(ssl, cbb.get())) {

  638.       return ssl_hs_error;

  639.     }

  640.   }

  641. 

  642.   if (hs->early_data_offered) {

  643.     if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  644.                                hs->hash_len)) {

  645.       return ssl_hs_error;

  646.     }

  647.   }

  648. 

  649.   hs->tls13_state = state_send_client_certificate;

  650.   return ssl_hs_ok;

  651. }

  652. 

  653. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  654.   SSL *const ssl = hs->ssl;

  655. 

  656.   // The peer didn't request a certificate.

  657.   if (!hs->cert_request) {

  658.     hs->tls13_state = state_complete_second_flight;

  659.     return ssl_hs_ok;

  660.   }

  661. 

  662.   // Call cert_cb to update the certificate.

  663.   if (hs->config->cert->cert_cb != NULL) {

  664.     int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);

  665.     if (rv == 0) {

  666.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  667.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  668.       return ssl_hs_error;

  669.     }

  670.     if (rv < 0) {

  671.       hs->tls13_state = state_send_client_certificate;

  672.       return ssl_hs_x509_lookup;

  673.     }

  674.   }

  675. 

  676.   if (!ssl_on_certificate_selected(hs) ||

  677.       !tls13_add_certificate(hs)) {

  678.     return ssl_hs_error;

  679.   }

  680. 

  681.   hs->tls13_state = state_send_client_certificate_verify;

  682.   return ssl_hs_ok;

  683. }

  684. 

  685. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {

  686.   // Don't send CertificateVerify if there is no certificate.

  687.   if (!ssl_has_certificate(hs->config)) {

  688.     hs->tls13_state = state_complete_second_flight;

  689.     return ssl_hs_ok;

  690.   }

  691. 

  692.   switch (tls13_add_certificate_verify(hs)) {

  693.     case ssl_private_key_success:

  694.       hs->tls13_state = state_complete_second_flight;

  695.       return ssl_hs_ok;

  696. 

  697.     case ssl_private_key_retry:

  698.       hs->tls13_state = state_send_client_certificate_verify;

  699.       return ssl_hs_private_key_operation;

  700. 

  701.     case ssl_private_key_failure:

  702.       return ssl_hs_error;

  703.   }

  704. 

  705.   assert(0);

  706.   return ssl_hs_error;

  707. }

  708. 

  709. static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {

  710.   SSL *const ssl = hs->ssl;

  711. 

  712.   // Send a Channel ID assertion if necessary.

  713.   if (ssl->s3->channel_id_valid) {

  714.     if (!ssl_do_channel_id_callback(hs)) {

  715.       hs->tls13_state = state_complete_second_flight;

  716.       return ssl_hs_error;

  717.     }

  718. 

  719.     if (hs->config->channel_id_private == NULL) {

  720.       return ssl_hs_channel_id_lookup;

  721.     }

  722. 

  723.     ScopedCBB cbb;

  724.     CBB body;

  725.     if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||

  726.         !tls1_write_channel_id(hs, &body) ||

  727.         !ssl_add_message_cbb(ssl, cbb.get())) {

  728.       return ssl_hs_error;

  729.     }

  730.   }

  731. 

  732.   // Send a Finished message.

  733.   if (!tls13_add_finished(hs)) {

  734.     return ssl_hs_error;

  735.   }

  736. 

  737.   // Derive the final keys and enable them.

  738.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,

  739.                              hs->hash_len) ||

  740.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,

  741.                              hs->hash_len) ||

  742.       !tls13_derive_resumption_secret(hs)) {

  743.     return ssl_hs_error;

  744.   }

  745. 

  746.   hs->tls13_state = state_done;

  747.   return ssl_hs_flush;

  748. }

  749. 

  750. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  751.   while (hs->tls13_state != state_done) {

  752.     enum ssl_hs_wait_t ret = ssl_hs_error;

  753.     enum client_hs_state_t state =

  754.         static_cast<enum client_hs_state_t>(hs->tls13_state);

  755.     switch (state) {

  756.       case state_read_hello_retry_request:

  757.         ret = do_read_hello_retry_request(hs);

  758.         break;

  759.       case state_send_second_client_hello:

  760.         ret = do_send_second_client_hello(hs);

  761.         break;

  762.       case state_read_server_hello:

  763.         ret = do_read_server_hello(hs);

  764.         break;

  765.       case state_read_encrypted_extensions:

  766.         ret = do_read_encrypted_extensions(hs);

  767.         break;

  768.       case state_read_certificate_request:

  769.         ret = do_read_certificate_request(hs);

  770.         break;

  771.       case state_read_server_certificate:

  772.         ret = do_read_server_certificate(hs);

  773.         break;

  774.       case state_read_server_certificate_verify:

  775.         ret = do_read_server_certificate_verify(hs);

  776.         break;

  777.       case state_server_certificate_reverify:

  778.         ret = do_server_certificate_reverify(hs);

  779.         break;

  780.       case state_read_server_finished:

  781.         ret = do_read_server_finished(hs);

  782.         break;

  783.       case state_send_end_of_early_data:

  784.         ret = do_send_end_of_early_data(hs);

  785.         break;

  786.       case state_send_client_certificate:

  787.         ret = do_send_client_certificate(hs);

  788.         break;

  789.       case state_send_client_certificate_verify:

  790.         ret = do_send_client_certificate_verify(hs);

  791.         break;

  792.       case state_complete_second_flight:

  793.         ret = do_complete_second_flight(hs);

  794.         break;

  795.       case state_done:

  796.         ret = ssl_hs_ok;

  797.         break;

  798.     }

  799. 

  800.     if (hs->tls13_state != state) {

  801.       ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);

  802.     }

  803. 

  804.     if (ret != ssl_hs_ok) {

  805.       return ret;

  806.     }

  807.   }

  808. 

  809.   return ssl_hs_ok;

  810. }

  811. 

  812. const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {

  813.   enum client_hs_state_t state =

  814.       static_cast<enum client_hs_state_t>(hs->tls13_state);

  815.   switch (state) {

  816.     case state_read_hello_retry_request:

  817.       return "TLS 1.3 client read_hello_retry_request";

  818.     case state_send_second_client_hello:

  819.       return "TLS 1.3 client send_second_client_hello";

  820.     case state_read_server_hello:

  821.       return "TLS 1.3 client read_server_hello";

  822.     case state_read_encrypted_extensions:

  823.       return "TLS 1.3 client read_encrypted_extensions";

  824.     case state_read_certificate_request:

  825.       return "TLS 1.3 client read_certificate_request";

  826.     case state_read_server_certificate:

  827.       return "TLS 1.3 client read_server_certificate";

  828.     case state_read_server_certificate_verify:

  829.       return "TLS 1.3 client read_server_certificate_verify";

  830.     case state_server_certificate_reverify:

  831.       return "TLS 1.3 client server_certificate_reverify";

  832.     case state_read_server_finished:

  833.       return "TLS 1.3 client read_server_finished";

  834.     case state_send_end_of_early_data:

  835.       return "TLS 1.3 client send_end_of_early_data";

  836.     case state_send_client_certificate:

  837.       return "TLS 1.3 client send_client_certificate";

  838.     case state_send_client_certificate_verify:

  839.       return "TLS 1.3 client send_client_certificate_verify";

  840.     case state_complete_second_flight:

  841.       return "TLS 1.3 client complete_second_flight";

  842.     case state_done:

  843.       return "TLS 1.3 client done";

  844.   }

  845. 

  846.   return "TLS 1.3 client unknown";

  847. }

  848. 

  849. int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {

  850.   if (ssl->s3->write_shutdown != ssl_shutdown_none) {

  851.     // Ignore tickets on shutdown. Callers tend to indiscriminately call

  852.     // |SSL_shutdown| before destroying an |SSL|, at which point calling the new

  853.     // session callback may be confusing.

  854.     return 1;

  855.   }

  856. 

  857.   UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(

  858.       ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);

  859.   if (!session) {

  860.     return 0;

  861.   }

  862. 

  863.   ssl_session_rebase_time(ssl, session.get());

  864. 

  865.   uint32_t server_timeout;

  866.   CBS body = msg.body, ticket_nonce, ticket, extensions;

  867.   if (!CBS_get_u32(&body, &server_timeout) ||

  868.       !CBS_get_u32(&body, &session->ticket_age_add) ||

  869.       !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||

  870.       !CBS_get_u16_length_prefixed(&body, &ticket) ||

  871.       !session->ticket.CopyFrom(ticket) ||

  872.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  873.       CBS_len(&body) != 0) {

  874.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  875.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  876.     return 0;

  877.   }

  878. 

  879.   // Cap the renewable lifetime by the server advertised value. This avoids

  880.   // wasting bandwidth on 0-RTT when we know the server will reject it.

  881.   if (session->timeout > server_timeout) {

  882.     session->timeout = server_timeout;

  883.   }

  884. 

  885.   if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {

  886.     return 0;

  887.   }

  888. 

  889.   // Parse out the extensions.

  890.   bool have_early_data_info = false;

  891.   CBS early_data_info;

  892.   const SSL_EXTENSION_TYPE ext_types[] = {

  893.       {TLSEXT_TYPE_early_data, &have_early_data_info, &early_data_info},

  894.   };

  895. 

  896.   uint8_t alert = SSL_AD_DECODE_ERROR;

  897.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  898.                             OPENSSL_ARRAY_SIZE(ext_types),

  899.                             1 /* ignore unknown */)) {

  900.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  901.     return 0;

  902.   }

  903. 

  904.   if (have_early_data_info && ssl->enable_early_data) {

  905.     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||

  906.         CBS_len(&early_data_info) != 0) {

  907.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  908.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  909.       return 0;

  910.     }

  911.   }

  912. 

  913.   session->ticket_age_add_valid = true;

  914.   session->not_resumable = false;

  915. 

  916.   if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&

  917.       ssl->session_ctx->new_session_cb != NULL &&

  918.       ssl->session_ctx->new_session_cb(ssl, session.get())) {

  919.     // |new_session_cb|'s return value signals that it took ownership.

  920.     session.release();

  921.   }

  922. 

  923.   return 1;

  924. }

  925. 

  926. }  // namespace bssl