kris
/
boringssl
1
0
複製 0
程式碼 問題 0 合併請求 0 版本發佈 0 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4071 提交
12 分支
38 MiB
 
 
 
 
 
 
目錄樹: 6fdea2aba9
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 '6fdea2aba9'
${ noResults }
boringssl/ssl/tls13_client.c

739 line
23 KiB
原始文件 Blame 歷史記錄 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <limits.h>

  19. #include <string.h>

  20. 

  21. #include <openssl/bytestring.h>

  22. #include <openssl/digest.h>

  23. #include <openssl/err.h>

  24. #include <openssl/mem.h>

  25. #include <openssl/stack.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. enum client_hs_state_t {

  32.   state_process_hello_retry_request = 0,

  33.   state_send_second_client_hello,

  34.   state_process_server_hello,

  35.   state_process_encrypted_extensions,

  36.   state_process_certificate_request,

  37.   state_process_server_certificate,

  38.   state_process_server_certificate_verify,

  39.   state_process_server_finished,

  40.   state_send_end_of_early_data,

  41.   state_send_client_certificate,

  42.   state_send_client_certificate_verify,

  43.   state_complete_client_certificate_verify,

  44.   state_complete_second_flight,

  45.   state_done,

  46. };

  47. 

  48. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  49. 

  50. static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) {

  51.   SSL *const ssl = hs->ssl;

  52.   if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {

  53.     hs->tls13_state = state_process_server_hello;

  54.     return ssl_hs_ok;

  55.   }

  56. 

  57.   CBS cbs, extensions;

  58.   uint16_t server_wire_version;

  59.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  60.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  61.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  62.       /* HelloRetryRequest may not be empty. */

  63.       CBS_len(&extensions) == 0 ||

  64.       CBS_len(&cbs) != 0) {

  65.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  66.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  67.     return ssl_hs_error;

  68.   }

  69. 

  70.   int have_cookie, have_key_share;

  71.   CBS cookie, key_share;

  72.   const SSL_EXTENSION_TYPE ext_types[] = {

  73.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  74.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  75.   };

  76. 

  77.   uint8_t alert = SSL_AD_DECODE_ERROR;

  78.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  79.                             OPENSSL_ARRAY_SIZE(ext_types),

  80.                             0 /* reject unknown */)) {

  81.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  82.     return ssl_hs_error;

  83.   }

  84. 

  85.   if (have_cookie) {

  86.     CBS cookie_value;

  87.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  88.         CBS_len(&cookie_value) == 0 ||

  89.         CBS_len(&cookie) != 0) {

  90.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  91.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  92.       return ssl_hs_error;

  93.     }

  94. 

  95.     if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {

  96.       return ssl_hs_error;

  97.     }

  98.   }

  99. 

  100.   if (have_key_share) {

  101.     uint16_t group_id;

  102.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  103.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  104.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  105.       return ssl_hs_error;

  106.     }

  107. 

  108.     /* The group must be supported. */

  109.     const uint16_t *groups;

  110.     size_t groups_len;

  111.     tls1_get_grouplist(ssl, &groups, &groups_len);

  112.     int found = 0;

  113.     for (size_t i = 0; i < groups_len; i++) {

  114.       if (groups[i] == group_id) {

  115.         found = 1;

  116.         break;

  117.       }

  118.     }

  119. 

  120.     if (!found) {

  121.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  122.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  123.       return ssl_hs_error;

  124.     }

  125. 

  126.     /* Check that the HelloRetryRequest does not request the key share that

  127.      * was provided in the initial ClientHello. */

  128.     if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {

  129.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  130.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  131.       return ssl_hs_error;

  132.     }

  133. 

  134.     SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  135.     hs->retry_group = group_id;

  136.   }

  137. 

  138.   if (!ssl_hash_current_message(hs)) {

  139.     return ssl_hs_error;

  140.   }

  141. 

  142.   hs->received_hello_retry_request = 1;

  143.   hs->tls13_state = state_send_second_client_hello;

  144.   return ssl_hs_ok;

  145. }

  146. 

  147. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  148.   SSL *const ssl = hs->ssl;

  149.   /* TODO(svaldez): Ensure that we set can_early_write to false since 0-RTT is

  150.    * rejected if we receive a HelloRetryRequest. */

  151.   if (!ssl->method->set_write_state(ssl, NULL) ||

  152.       !ssl_write_client_hello(hs)) {

  153.     return ssl_hs_error;

  154.   }

  155. 

  156.   hs->tls13_state = state_process_server_hello;

  157.   return ssl_hs_flush_and_read_message;

  158. }

  159. 

  160. static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {

  161.   SSL *const ssl = hs->ssl;

  162.   if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {

  163.     return ssl_hs_error;

  164.   }

  165. 

  166.   CBS cbs, server_random, extensions;

  167.   uint16_t server_wire_version;

  168.   uint16_t cipher_suite;

  169.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  170.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  171.       !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||

  172.       !CBS_get_u16(&cbs, &cipher_suite) ||

  173.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  174.       CBS_len(&cbs) != 0) {

  175.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  176.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  177.     return ssl_hs_error;

  178.   }

  179. 

  180.   if (server_wire_version != ssl->version) {

  181.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  182.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  183.     return ssl_hs_error;

  184.   }

  185. 

  186.   assert(ssl->s3->have_version);

  187.   OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),

  188.                  SSL3_RANDOM_SIZE);

  189. 

  190.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  191.   if (cipher == NULL) {

  192.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);

  193.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  194.     return ssl_hs_error;

  195.   }

  196. 

  197.   /* Check if the cipher is a TLS 1.3 cipher. */

  198.   if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||

  199.       SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {

  200.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  201.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  202.     return ssl_hs_error;

  203.   }

  204. 

  205.   /* Parse out the extensions. */

  206.   int have_key_share = 0, have_pre_shared_key = 0;

  207.   CBS key_share, pre_shared_key;

  208.   const SSL_EXTENSION_TYPE ext_types[] = {

  209.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  210.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  211.   };

  212. 

  213.   uint8_t alert = SSL_AD_DECODE_ERROR;

  214.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  215.                             OPENSSL_ARRAY_SIZE(ext_types),

  216.                             0 /* reject unknown */)) {

  217.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  218.     return ssl_hs_error;

  219.   }

  220. 

  221.   alert = SSL_AD_DECODE_ERROR;

  222.   if (have_pre_shared_key) {

  223.     if (ssl->session == NULL) {

  224.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  225.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  226.       return ssl_hs_error;

  227.     }

  228. 

  229.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  230.                                                   &pre_shared_key)) {

  231.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  232.       return ssl_hs_error;

  233.     }

  234. 

  235.     if (ssl->session->ssl_version != ssl->version) {

  236.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  237.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  238.       return ssl_hs_error;

  239.     }

  240. 

  241.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  242.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  243.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  244.       return ssl_hs_error;

  245.     }

  246. 

  247.     if (!ssl_session_is_context_valid(ssl, ssl->session)) {

  248.       /* This is actually a client application bug. */

  249.       OPENSSL_PUT_ERROR(SSL,

  250.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  251.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  252.       return ssl_hs_error;

  253.     }

  254. 

  255.     ssl->s3->session_reused = 1;

  256.     /* Only authentication information carries over in TLS 1.3. */

  257.     hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);

  258.     if (hs->new_session == NULL) {

  259.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  260.       return ssl_hs_error;

  261.     }

  262. 

  263.     /* Resumption incorporates fresh key material, so refresh the timeout. */

  264.     ssl_session_renew_timeout(ssl, hs->new_session,

  265.                               ssl->session_ctx->session_psk_dhe_timeout);

  266.   } else if (!ssl_get_new_session(hs, 0)) {

  267.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  268.     return ssl_hs_error;

  269.   }

  270. 

  271.   hs->new_session->cipher = cipher;

  272.   hs->new_cipher = cipher;

  273. 

  274.   /* The PRF hash is now known. Set up the key schedule. */

  275.   if (!tls13_init_key_schedule(hs)) {

  276.     return ssl_hs_error;

  277.   }

  278. 

  279.   /* Incorporate the PSK into the running secret. */

  280.   if (ssl->s3->session_reused) {

  281.     if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,

  282.                                     hs->new_session->master_key_length)) {

  283.       return ssl_hs_error;

  284.     }

  285.   } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {

  286.     return ssl_hs_error;

  287.   }

  288. 

  289.   if (!have_key_share) {

  290.     /* We do not support psk_ke and thus always require a key share. */

  291.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  292.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  293.     return ssl_hs_error;

  294.   }

  295. 

  296.   /* Resolve ECDHE and incorporate it into the secret. */

  297.   uint8_t *dhe_secret;

  298.   size_t dhe_secret_len;

  299.   alert = SSL_AD_DECODE_ERROR;

  300.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,

  301.                                            &alert, &key_share)) {

  302.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  303.     return ssl_hs_error;

  304.   }

  305. 

  306.   if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {

  307.     OPENSSL_free(dhe_secret);

  308.     return ssl_hs_error;

  309.   }

  310.   OPENSSL_free(dhe_secret);

  311. 

  312.   if (!ssl_hash_current_message(hs) ||

  313.       !tls13_derive_handshake_secrets(hs) ||

  314.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,

  315.                              hs->hash_len)) {

  316.     return ssl_hs_error;

  317.   }

  318. 

  319.   /* If not sending early data, set client traffic keys now so that alerts are

  320.    * encrypted. */

  321.   if (!hs->early_data_offered &&

  322.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  323.                              hs->hash_len)) {

  324.     return ssl_hs_error;

  325.   }

  326. 

  327.   hs->tls13_state = state_process_encrypted_extensions;

  328.   return ssl_hs_read_message;

  329. }

  330. 

  331. static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) {

  332.   SSL *const ssl = hs->ssl;

  333.   if (!ssl_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  334.     return ssl_hs_error;

  335.   }

  336. 

  337.   CBS cbs;

  338.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  339.   if (!ssl_parse_serverhello_tlsext(hs, &cbs)) {

  340.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  341.     return ssl_hs_error;

  342.   }

  343.   if (CBS_len(&cbs) != 0) {

  344.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  345.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  346.     return ssl_hs_error;

  347.   }

  348. 

  349.   /* Store the negotiated ALPN in the session. */

  350.   if (ssl->s3->alpn_selected != NULL) {

  351.     hs->new_session->early_alpn =

  352.         BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);

  353.     if (hs->new_session->early_alpn == NULL) {

  354.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  355.       return ssl_hs_error;

  356.     }

  357.     hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;

  358.   }

  359. 

  360.   if (ssl->early_data_accepted) {

  361.     if (ssl->session->cipher != hs->new_session->cipher ||

  362.         ssl->session->early_alpn_len != ssl->s3->alpn_selected_len ||

  363.         OPENSSL_memcmp(ssl->session->early_alpn, ssl->s3->alpn_selected,

  364.                        ssl->s3->alpn_selected_len) != 0) {

  365.       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);

  366.       return ssl_hs_error;

  367.     }

  368.     if (ssl->s3->tlsext_channel_id_valid) {

  369.       OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA);

  370.       return ssl_hs_error;

  371.     }

  372.   }

  373. 

  374.   /* Release offered session now that it is no longer needed. */

  375.   if (ssl->s3->session_reused) {

  376.     ssl_set_session(ssl, NULL);

  377.   }

  378. 

  379.   if (!ssl_hash_current_message(hs)) {

  380.     return ssl_hs_error;

  381.   }

  382. 

  383.   hs->tls13_state = state_process_certificate_request;

  384.   return ssl_hs_read_message;

  385. }

  386. 

  387. static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) {

  388.   SSL *const ssl = hs->ssl;

  389.   /* CertificateRequest may only be sent in non-resumption handshakes. */

  390.   if (ssl->s3->session_reused) {

  391.     hs->tls13_state = state_process_server_finished;

  392.     return ssl_hs_ok;

  393.   }

  394. 

  395.   /* CertificateRequest is optional. */

  396.   if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {

  397.     hs->tls13_state = state_process_server_certificate;

  398.     return ssl_hs_ok;

  399.   }

  400. 

  401.   CBS cbs, context, supported_signature_algorithms;

  402.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  403.   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||

  404.       /* The request context is always empty during the handshake. */

  405.       CBS_len(&context) != 0 ||

  406.       !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||

  407.       CBS_len(&supported_signature_algorithms) == 0 ||

  408.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  409.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  410.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  411.     return ssl_hs_error;

  412.   }

  413. 

  414.   uint8_t alert = SSL_AD_DECODE_ERROR;

  415.   STACK_OF(CRYPTO_BUFFER) *ca_names =

  416.       ssl_parse_client_CA_list(ssl, &alert, &cbs);

  417.   if (ca_names == NULL) {

  418.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  419.     return ssl_hs_error;

  420.   }

  421. 

  422.   /* Ignore extensions. */

  423.   CBS extensions;

  424.   if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  425.       CBS_len(&cbs) != 0) {

  426.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  427.     sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free);

  428.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  429.     return ssl_hs_error;

  430.   }

  431. 

  432.   hs->cert_request = 1;

  433.   sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);

  434.   hs->ca_names = ca_names;

  435.   ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  436. 

  437.   if (!ssl_hash_current_message(hs)) {

  438.     return ssl_hs_error;

  439.   }

  440. 

  441.   hs->tls13_state = state_process_server_certificate;

  442.   return ssl_hs_read_message;

  443. }

  444. 

  445. static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) {

  446.   SSL *const ssl = hs->ssl;

  447.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  448.       !tls13_process_certificate(hs, 0 /* certificate required */) ||

  449.       !ssl_hash_current_message(hs)) {

  450.     return ssl_hs_error;

  451.   }

  452. 

  453.   hs->tls13_state = state_process_server_certificate_verify;

  454.   return ssl_hs_read_message;

  455. }

  456. 

  457. static enum ssl_hs_wait_t do_process_server_certificate_verify(

  458.     SSL_HANDSHAKE *hs) {

  459.   SSL *const ssl = hs->ssl;

  460.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  461.       !tls13_process_certificate_verify(hs) ||

  462.       !ssl_hash_current_message(hs)) {

  463.     return ssl_hs_error;

  464.   }

  465. 

  466.   hs->tls13_state = state_process_server_finished;

  467.   return ssl_hs_read_message;

  468. }

  469. 

  470. static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) {

  471.   SSL *const ssl = hs->ssl;

  472.   if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) ||

  473.       !tls13_process_finished(hs, 0 /* don't use saved value */) ||

  474.       !ssl_hash_current_message(hs) ||

  475.       /* Update the secret to the master secret and derive traffic keys. */

  476.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  477.       !tls13_derive_application_secrets(hs)) {

  478.     return ssl_hs_error;

  479.   }

  480. 

  481.   ssl->method->received_flight(ssl);

  482.   hs->tls13_state = state_send_end_of_early_data;

  483.   return ssl_hs_ok;

  484. }

  485. 

  486. static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {

  487.   SSL *const ssl = hs->ssl;

  488.   /* TODO(svaldez): Stop sending early data. */

  489.   if (ssl->early_data_accepted &&

  490.       !ssl->method->add_alert(ssl, SSL3_AL_WARNING,

  491.                               TLS1_AD_END_OF_EARLY_DATA)) {

  492.     return ssl_hs_error;

  493.   }

  494. 

  495.   if (hs->early_data_offered &&

  496.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  497.                              hs->hash_len)) {

  498.     return ssl_hs_error;

  499.   }

  500. 

  501.   hs->tls13_state = state_send_client_certificate;

  502.   return ssl_hs_ok;

  503. }

  504. 

  505. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  506.   SSL *const ssl = hs->ssl;

  507. 

  508.   /* The peer didn't request a certificate. */

  509.   if (!hs->cert_request) {

  510.     hs->tls13_state = state_complete_second_flight;

  511.     return ssl_hs_ok;

  512.   }

  513. 

  514.   /* Call cert_cb to update the certificate. */

  515.   if (ssl->cert->cert_cb != NULL) {

  516.     int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);

  517.     if (rv == 0) {

  518.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  519.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  520.       return ssl_hs_error;

  521.     }

  522.     if (rv < 0) {

  523.       hs->tls13_state = state_send_client_certificate;

  524.       return ssl_hs_x509_lookup;

  525.     }

  526.   }

  527. 

  528.   if (!ssl_on_certificate_selected(hs) ||

  529.       !tls13_add_certificate(hs)) {

  530.     return ssl_hs_error;

  531.   }

  532. 

  533.   hs->tls13_state = state_send_client_certificate_verify;

  534.   return ssl_hs_ok;

  535. }

  536. 

  537. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs,

  538.                                                             int is_first_run) {

  539.   SSL *const ssl = hs->ssl;

  540.   /* Don't send CertificateVerify if there is no certificate. */

  541.   if (!ssl_has_certificate(ssl)) {

  542.     hs->tls13_state = state_complete_second_flight;

  543.     return ssl_hs_ok;

  544.   }

  545. 

  546.   switch (tls13_add_certificate_verify(hs, is_first_run)) {

  547.     case ssl_private_key_success:

  548.       hs->tls13_state = state_complete_second_flight;

  549.       return ssl_hs_ok;

  550. 

  551.     case ssl_private_key_retry:

  552.       hs->tls13_state = state_complete_client_certificate_verify;

  553.       return ssl_hs_private_key_operation;

  554. 

  555.     case ssl_private_key_failure:

  556.       return ssl_hs_error;

  557.   }

  558. 

  559.   assert(0);

  560.   return ssl_hs_error;

  561. }

  562. 

  563. static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {

  564.   SSL *const ssl = hs->ssl;

  565. 

  566.   /* Send a Channel ID assertion if necessary. */

  567.   if (ssl->s3->tlsext_channel_id_valid) {

  568.     if (!ssl_do_channel_id_callback(ssl)) {

  569.       hs->tls13_state = state_complete_second_flight;

  570.       return ssl_hs_error;

  571.     }

  572. 

  573.     if (ssl->tlsext_channel_id_private == NULL) {

  574.       return ssl_hs_channel_id_lookup;

  575.     }

  576. 

  577.     CBB cbb, body;

  578.     if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||

  579.         !tls1_write_channel_id(hs, &body) ||

  580.         !ssl_add_message_cbb(ssl, &cbb)) {

  581.       CBB_cleanup(&cbb);

  582.       return ssl_hs_error;

  583.     }

  584.   }

  585. 

  586.   /* Send a Finished message. */

  587.   if (!tls13_add_finished(hs)) {

  588.     return ssl_hs_error;

  589.   }

  590. 

  591.   /* Derive the final keys and enable them. */

  592.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,

  593.                              hs->hash_len) ||

  594.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,

  595.                              hs->hash_len) ||

  596.       !tls13_derive_resumption_secret(hs)) {

  597.     return ssl_hs_error;

  598.   }

  599. 

  600.   hs->tls13_state = state_done;

  601.   return ssl_hs_flush;

  602. }

  603. 

  604. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  605.   while (hs->tls13_state != state_done) {

  606.     enum ssl_hs_wait_t ret = ssl_hs_error;

  607.     enum client_hs_state_t state = hs->tls13_state;

  608.     switch (state) {

  609.       case state_process_hello_retry_request:

  610.         ret = do_process_hello_retry_request(hs);

  611.         break;

  612.       case state_send_second_client_hello:

  613.         ret = do_send_second_client_hello(hs);

  614.         break;

  615.       case state_process_server_hello:

  616.         ret = do_process_server_hello(hs);

  617.         break;

  618.       case state_process_encrypted_extensions:

  619.         ret = do_process_encrypted_extensions(hs);

  620.         break;

  621.       case state_process_certificate_request:

  622.         ret = do_process_certificate_request(hs);

  623.         break;

  624.       case state_process_server_certificate:

  625.         ret = do_process_server_certificate(hs);

  626.         break;

  627.       case state_process_server_certificate_verify:

  628.         ret = do_process_server_certificate_verify(hs);

  629.         break;

  630.       case state_process_server_finished:

  631.         ret = do_process_server_finished(hs);

  632.         break;

  633.       case state_send_end_of_early_data:

  634.         ret = do_send_end_of_early_data(hs);

  635.         break;

  636.       case state_send_client_certificate:

  637.         ret = do_send_client_certificate(hs);

  638.         break;

  639.       case state_send_client_certificate_verify:

  640.         ret = do_send_client_certificate_verify(hs, 1 /* first run */);

  641.         break;

  642.       case state_complete_client_certificate_verify:

  643.         ret = do_send_client_certificate_verify(hs, 0 /* complete */);

  644.         break;

  645.       case state_complete_second_flight:

  646.         ret = do_complete_second_flight(hs);

  647.         break;

  648.       case state_done:

  649.         ret = ssl_hs_ok;

  650.         break;

  651.     }

  652. 

  653.     if (ret != ssl_hs_ok) {

  654.       return ret;

  655.     }

  656.   }

  657. 

  658.   return ssl_hs_ok;

  659. }

  660. 

  661. int tls13_process_new_session_ticket(SSL *ssl) {

  662.   int ret = 0;

  663.   SSL_SESSION *session = SSL_SESSION_dup(ssl->s3->established_session,

  664.                                          SSL_SESSION_INCLUDE_NONAUTH);

  665.   if (session == NULL) {

  666.     return 0;

  667.   }

  668. 

  669.   ssl_session_rebase_time(ssl, session);

  670. 

  671.   uint32_t server_timeout;

  672.   CBS cbs, ticket, extensions;

  673.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  674.   if (!CBS_get_u32(&cbs, &server_timeout) ||

  675.       !CBS_get_u32(&cbs, &session->ticket_age_add) ||

  676.       !CBS_get_u16_length_prefixed(&cbs, &ticket) ||

  677.       !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||

  678.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  679.       CBS_len(&cbs) != 0) {

  680.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  681.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  682.     goto err;

  683.   }

  684. 

  685.   /* Cap the renewable lifetime by the server advertised value. This avoids

  686.    * wasting bandwidth on 0-RTT when we know the server will reject it. */

  687.   if (session->timeout > server_timeout) {

  688.     session->timeout = server_timeout;

  689.   }

  690. 

  691.   /* Parse out the extensions. */

  692.   int have_early_data_info = 0;

  693.   CBS early_data_info;

  694.   const SSL_EXTENSION_TYPE ext_types[] = {

  695.       {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,

  696.        &early_data_info},

  697.   };

  698. 

  699.   uint8_t alert = SSL_AD_DECODE_ERROR;

  700.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  701.                             OPENSSL_ARRAY_SIZE(ext_types),

  702.                             1 /* ignore unknown */)) {

  703.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  704.     goto err;

  705.   }

  706. 

  707.   if (have_early_data_info && ssl->cert->enable_early_data) {

  708.     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||

  709.         CBS_len(&early_data_info) != 0) {

  710.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  711.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  712.       goto err;

  713.     }

  714.   }

  715. 

  716.   session->ticket_age_add_valid = 1;

  717.   session->not_resumable = 0;

  718. 

  719.   if (ssl->ctx->new_session_cb != NULL &&

  720.       ssl->ctx->new_session_cb(ssl, session)) {

  721.     /* |new_session_cb|'s return value signals that it took ownership. */

  722.     session = NULL;

  723.   }

  724. 

  725.   ret = 1;

  726. 

  727. err:

  728.   SSL_SESSION_free(session);

  729.   return ret;

  730. }

  731. 

  732. void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {

  733.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  734. 

  735.   OPENSSL_free(hs->key_share_bytes);

  736.   hs->key_share_bytes = NULL;

  737.   hs->key_share_bytes_len = 0;

  738. }