kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
3578 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Struktur: 8a55ce4954
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „8a55ce4954“
${ noResults }
boringssl/ssl/tls13_client.c

658 Zeilen
20 KiB
Originalformat Blame Verlauf 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bytestring.h>

  21. #include <openssl/digest.h>

  22. #include <openssl/err.h>

  23. #include <openssl/mem.h>

  24. #include <openssl/stack.h>

  25. #include <openssl/x509.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. enum client_hs_state_t {

  32.   state_process_hello_retry_request = 0,

  33.   state_send_second_client_hello,

  34.   state_flush_second_client_hello,

  35.   state_process_server_hello,

  36.   state_process_encrypted_extensions,

  37.   state_process_certificate_request,

  38.   state_process_server_certificate,

  39.   state_process_server_certificate_verify,

  40.   state_process_server_finished,

  41.   state_send_client_certificate,

  42.   state_send_client_certificate_verify,

  43.   state_complete_client_certificate_verify,

  44.   state_send_channel_id,

  45.   state_send_client_finished,

  46.   state_flush,

  47.   state_done,

  48. };

  49. 

  50. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  51. 

  52. static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) {

  53.   SSL *const ssl = hs->ssl;

  54.   if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {

  55.     hs->tls13_state = state_process_server_hello;

  56.     return ssl_hs_ok;

  57.   }

  58. 

  59.   CBS cbs, extensions;

  60.   uint16_t server_wire_version;

  61.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  62.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  63.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  64.       /* HelloRetryRequest may not be empty. */

  65.       CBS_len(&extensions) == 0 ||

  66.       CBS_len(&cbs) != 0) {

  67.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  68.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  69.     return ssl_hs_error;

  70.   }

  71. 

  72.   int have_cookie, have_key_share;

  73.   CBS cookie, key_share;

  74.   const SSL_EXTENSION_TYPE ext_types[] = {

  75.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  76.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  77.   };

  78. 

  79.   uint8_t alert;

  80.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  81.                             OPENSSL_ARRAY_SIZE(ext_types))) {

  82.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  83.     return ssl_hs_error;

  84.   }

  85. 

  86.   if (have_cookie) {

  87.     CBS cookie_value;

  88.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  89.         CBS_len(&cookie_value) == 0 ||

  90.         CBS_len(&cookie) != 0) {

  91.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  92.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  93.       return ssl_hs_error;

  94.     }

  95. 

  96.     if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {

  97.       return ssl_hs_error;

  98.     }

  99.   }

  100. 

  101.   if (have_key_share) {

  102.     uint16_t group_id;

  103.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  104.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  105.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  106.       return ssl_hs_error;

  107.     }

  108. 

  109.     /* The group must be supported. */

  110.     const uint16_t *groups;

  111.     size_t groups_len;

  112.     tls1_get_grouplist(ssl, &groups, &groups_len);

  113.     int found = 0;

  114.     for (size_t i = 0; i < groups_len; i++) {

  115.       if (groups[i] == group_id) {

  116.         found = 1;

  117.         break;

  118.       }

  119.     }

  120. 

  121.     if (!found) {

  122.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  123.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  124.       return ssl_hs_error;

  125.     }

  126. 

  127.     /* Check that the HelloRetryRequest does not request the key share that

  128.      * was provided in the initial ClientHello. */

  129.     if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {

  130.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  131.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  132.       return ssl_hs_error;

  133.     }

  134. 

  135.     SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  136.     hs->retry_group = group_id;

  137.   }

  138. 

  139.   hs->received_hello_retry_request = 1;

  140.   hs->tls13_state = state_send_second_client_hello;

  141.   return ssl_hs_ok;

  142. }

  143. 

  144. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  145.   if (!ssl_write_client_hello(hs)) {

  146.     return ssl_hs_error;

  147.   }

  148. 

  149.   hs->tls13_state = state_flush_second_client_hello;

  150.   return ssl_hs_write_message;

  151. }

  152. 

  153. static enum ssl_hs_wait_t do_flush_second_client_hello(SSL_HANDSHAKE *hs) {

  154.   hs->tls13_state = state_process_server_hello;

  155.   return ssl_hs_flush_and_read_message;

  156. }

  157. 

  158. static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {

  159.   SSL *const ssl = hs->ssl;

  160.   if (!tls13_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {

  161.     return ssl_hs_error;

  162.   }

  163. 

  164.   CBS cbs, server_random, extensions;

  165.   uint16_t server_wire_version;

  166.   uint16_t cipher_suite;

  167.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  168.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  169.       !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||

  170.       !CBS_get_u16(&cbs, &cipher_suite) ||

  171.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  172.       CBS_len(&cbs) != 0) {

  173.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  174.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  175.     return ssl_hs_error;

  176.   }

  177. 

  178.   if (server_wire_version != ssl->version) {

  179.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  180.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  181.     return ssl_hs_error;

  182.   }

  183. 

  184.   assert(ssl->s3->have_version);

  185.   memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);

  186. 

  187.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  188.   if (cipher == NULL) {

  189.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);

  190.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  191.     return ssl_hs_error;

  192.   }

  193. 

  194.   /* Check if the cipher is a TLS 1.3 cipher. */

  195.   if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||

  196.       SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {

  197.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  198.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  199.     return ssl_hs_error;

  200.   }

  201. 

  202.   /* Parse out the extensions. */

  203.   int have_key_share = 0, have_pre_shared_key = 0;

  204.   CBS key_share, pre_shared_key;

  205.   const SSL_EXTENSION_TYPE ext_types[] = {

  206.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  207.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  208.   };

  209. 

  210.   uint8_t alert;

  211.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  212.                             OPENSSL_ARRAY_SIZE(ext_types))) {

  213.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  214.     return ssl_hs_error;

  215.   }

  216. 

  217.   /* We only support PSK_DHE_KE. */

  218.   if (!have_key_share) {

  219.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  220.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  221.     return ssl_hs_error;

  222.   }

  223. 

  224.   alert = SSL_AD_DECODE_ERROR;

  225.   if (have_pre_shared_key) {

  226.     if (ssl->session == NULL) {

  227.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  228.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  229.       return ssl_hs_error;

  230.     }

  231. 

  232.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  233.                                                   &pre_shared_key)) {

  234.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  235.       return ssl_hs_error;

  236.     }

  237. 

  238.     if (ssl->session->ssl_version != ssl->version) {

  239.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  240.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  241.       return ssl_hs_error;

  242.     }

  243. 

  244.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  245.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  246.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  247.       return ssl_hs_error;

  248.     }

  249. 

  250.     if (!ssl_session_is_context_valid(ssl, ssl->session)) {

  251.       /* This is actually a client application bug. */

  252.       OPENSSL_PUT_ERROR(SSL,

  253.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  254.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  255.       return ssl_hs_error;

  256.     }

  257. 

  258.     ssl->s3->session_reused = 1;

  259.     /* Only authentication information carries over in TLS 1.3. */

  260.     ssl->s3->new_session =

  261.         SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);

  262.     if (ssl->s3->new_session == NULL) {

  263.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  264.       return ssl_hs_error;

  265.     }

  266.     ssl_set_session(ssl, NULL);

  267.   } else if (!ssl_get_new_session(hs, 0)) {

  268.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  269.     return ssl_hs_error;

  270.   }

  271. 

  272.   ssl->s3->new_session->cipher = cipher;

  273.   ssl->s3->tmp.new_cipher = cipher;

  274. 

  275.   /* The PRF hash is now known. Set up the key schedule. */

  276.   size_t hash_len =

  277.       EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));

  278.   if (!tls13_init_key_schedule(hs)) {

  279.     return ssl_hs_error;

  280.   }

  281. 

  282.   /* Incorporate the PSK into the running secret. */

  283.   if (ssl->s3->session_reused) {

  284.     if (!tls13_advance_key_schedule(hs, ssl->s3->new_session->master_key,

  285.                                     ssl->s3->new_session->master_key_length)) {

  286.       return ssl_hs_error;

  287.     }

  288.   } else if (!tls13_advance_key_schedule(hs, kZeroes, hash_len)) {

  289.     return ssl_hs_error;

  290.   }

  291. 

  292.   /* Resolve ECDHE and incorporate it into the secret. */

  293.   uint8_t *dhe_secret;

  294.   size_t dhe_secret_len;

  295.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,

  296.                                            &alert, &key_share)) {

  297.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  298.     return ssl_hs_error;

  299.   }

  300. 

  301.   if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {

  302.     OPENSSL_free(dhe_secret);

  303.     return ssl_hs_error;

  304.   }

  305.   OPENSSL_free(dhe_secret);

  306. 

  307.   /* If there was no HelloRetryRequest, the version negotiation logic has

  308.    * already hashed the message. */

  309.   if (hs->received_hello_retry_request &&

  310.       !ssl_hash_current_message(ssl)) {

  311.     return ssl_hs_error;

  312.   }

  313. 

  314.   if (!tls13_set_handshake_traffic(hs)) {

  315.     return ssl_hs_error;

  316.   }

  317. 

  318.   hs->tls13_state = state_process_encrypted_extensions;

  319.   return ssl_hs_read_message;

  320. }

  321. 

  322. static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) {

  323.   SSL *const ssl = hs->ssl;

  324.   if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  325.     return ssl_hs_error;

  326.   }

  327. 

  328.   CBS cbs;

  329.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  330.   if (!ssl_parse_serverhello_tlsext(hs, &cbs)) {

  331.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  332.     return ssl_hs_error;

  333.   }

  334.   if (CBS_len(&cbs) != 0) {

  335.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  336.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  337.     return ssl_hs_error;

  338.   }

  339. 

  340.   if (!ssl_hash_current_message(ssl)) {

  341.     return ssl_hs_error;

  342.   }

  343. 

  344.   hs->tls13_state = state_process_certificate_request;

  345.   return ssl_hs_read_message;

  346. }

  347. 

  348. static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) {

  349.   SSL *const ssl = hs->ssl;

  350.   /* CertificateRequest may only be sent in non-resumption handshakes. */

  351.   if (ssl->s3->session_reused) {

  352.     hs->tls13_state = state_process_server_finished;

  353.     return ssl_hs_ok;

  354.   }

  355. 

  356.   /* CertificateRequest is optional. */

  357.   if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {

  358.     hs->tls13_state = state_process_server_certificate;

  359.     return ssl_hs_ok;

  360.   }

  361. 

  362.   CBS cbs, context, supported_signature_algorithms;

  363.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  364.   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||

  365.       /* The request context is always empty during the handshake. */

  366.       CBS_len(&context) != 0 ||

  367.       !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||

  368.       CBS_len(&supported_signature_algorithms) == 0 ||

  369.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  370.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  371.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  372.     return ssl_hs_error;

  373.   }

  374. 

  375.   uint8_t alert;

  376.   STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);

  377.   if (ca_sk == NULL) {

  378.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  379.     return ssl_hs_error;

  380.   }

  381. 

  382.   /* Ignore extensions. */

  383.   CBS extensions;

  384.   if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  385.       CBS_len(&cbs) != 0) {

  386.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  387.     sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);

  388.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  389.     return ssl_hs_error;

  390.   }

  391. 

  392.   hs->cert_request = 1;

  393.   sk_X509_NAME_pop_free(hs->ca_names, X509_NAME_free);

  394.   hs->ca_names = ca_sk;

  395. 

  396.   if (!ssl_hash_current_message(ssl)) {

  397.     return ssl_hs_error;

  398.   }

  399. 

  400.   hs->tls13_state = state_process_server_certificate;

  401.   return ssl_hs_read_message;

  402. }

  403. 

  404. static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) {

  405.   SSL *const ssl = hs->ssl;

  406.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  407.       !tls13_process_certificate(ssl, 0 /* certificate required */) ||

  408.       !ssl_hash_current_message(ssl)) {

  409.     return ssl_hs_error;

  410.   }

  411. 

  412.   hs->tls13_state = state_process_server_certificate_verify;

  413.   return ssl_hs_read_message;

  414. }

  415. 

  416. static enum ssl_hs_wait_t do_process_server_certificate_verify(

  417.     SSL_HANDSHAKE *hs) {

  418.   SSL *const ssl = hs->ssl;

  419.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  420.       !tls13_process_certificate_verify(ssl) ||

  421.       !ssl_hash_current_message(ssl)) {

  422.     return ssl_hs_error;

  423.   }

  424. 

  425.   hs->tls13_state = state_process_server_finished;

  426.   return ssl_hs_read_message;

  427. }

  428. 

  429. static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) {

  430.   SSL *const ssl = hs->ssl;

  431.   if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||

  432.       !tls13_process_finished(hs) ||

  433.       !ssl_hash_current_message(ssl) ||

  434.       /* Update the secret to the master secret and derive traffic keys. */

  435.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  436.       !tls13_derive_application_secrets(hs)) {

  437.     return ssl_hs_error;

  438.   }

  439. 

  440.   ssl->method->received_flight(ssl);

  441.   hs->tls13_state = state_send_client_certificate;

  442.   return ssl_hs_ok;

  443. }

  444. 

  445. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  446.   SSL *const ssl = hs->ssl;

  447.   /* The peer didn't request a certificate. */

  448.   if (!hs->cert_request) {

  449.     hs->tls13_state = state_send_channel_id;

  450.     return ssl_hs_ok;

  451.   }

  452. 

  453.   /* Call cert_cb to update the certificate. */

  454.   if (ssl->cert->cert_cb != NULL) {

  455.     int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);

  456.     if (rv == 0) {

  457.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  458.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  459.       return ssl_hs_error;

  460.     }

  461.     if (rv < 0) {

  462.       hs->tls13_state = state_send_client_certificate;

  463.       return ssl_hs_x509_lookup;

  464.     }

  465.   }

  466. 

  467.   if (!tls13_prepare_certificate(hs)) {

  468.     return ssl_hs_error;

  469.   }

  470. 

  471.   hs->tls13_state = state_send_client_certificate_verify;

  472.   return ssl_hs_write_message;

  473. }

  474. 

  475. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs,

  476.                                                             int is_first_run) {

  477.   SSL *const ssl = hs->ssl;

  478.   /* Don't send CertificateVerify if there is no certificate. */

  479.   if (!ssl_has_certificate(ssl)) {

  480.     hs->tls13_state = state_send_channel_id;

  481.     return ssl_hs_ok;

  482.   }

  483. 

  484.   switch (tls13_prepare_certificate_verify(hs, is_first_run)) {

  485.     case ssl_private_key_success:

  486.       hs->tls13_state = state_send_channel_id;

  487.       return ssl_hs_write_message;

  488. 

  489.     case ssl_private_key_retry:

  490.       hs->tls13_state = state_complete_client_certificate_verify;

  491.       return ssl_hs_private_key_operation;

  492. 

  493.     case ssl_private_key_failure:

  494.       return ssl_hs_error;

  495.   }

  496. 

  497.   assert(0);

  498.   return ssl_hs_error;

  499. }

  500. 

  501. static enum ssl_hs_wait_t do_send_channel_id(SSL_HANDSHAKE *hs) {

  502.   SSL *const ssl = hs->ssl;

  503.   if (!ssl->s3->tlsext_channel_id_valid) {

  504.     hs->tls13_state = state_send_client_finished;

  505.     return ssl_hs_ok;

  506.   }

  507. 

  508.   if (!ssl_do_channel_id_callback(ssl)) {

  509.     return ssl_hs_error;

  510.   }

  511. 

  512.   if (ssl->tlsext_channel_id_private == NULL) {

  513.     return ssl_hs_channel_id_lookup;

  514.   }

  515. 

  516.   CBB cbb, body;

  517.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||

  518.       !tls1_write_channel_id(ssl, &body) ||

  519.       !ssl_complete_message(ssl, &cbb)) {

  520.     CBB_cleanup(&cbb);

  521.     return ssl_hs_error;

  522.   }

  523. 

  524.   hs->tls13_state = state_send_client_finished;

  525.   return ssl_hs_write_message;

  526. }

  527. 

  528. static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {

  529.   if (!tls13_prepare_finished(hs)) {

  530.     return ssl_hs_error;

  531.   }

  532. 

  533.   hs->tls13_state = state_flush;

  534.   return ssl_hs_write_message;

  535. }

  536. 

  537. static enum ssl_hs_wait_t do_flush(SSL_HANDSHAKE *hs) {

  538.   SSL *const ssl = hs->ssl;

  539.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,

  540.                              hs->hash_len) ||

  541.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,

  542.                              hs->hash_len) ||

  543.       !tls13_derive_resumption_secret(hs)) {

  544.     return ssl_hs_error;

  545.   }

  546. 

  547.   hs->tls13_state = state_done;

  548.   return ssl_hs_flush;

  549. }

  550. 

  551. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  552.   while (hs->tls13_state != state_done) {

  553.     enum ssl_hs_wait_t ret = ssl_hs_error;

  554.     enum client_hs_state_t state = hs->tls13_state;

  555.     switch (state) {

  556.       case state_process_hello_retry_request:

  557.         ret = do_process_hello_retry_request(hs);

  558.         break;

  559.       case state_send_second_client_hello:

  560.         ret = do_send_second_client_hello(hs);

  561.         break;

  562.       case state_flush_second_client_hello:

  563.         ret = do_flush_second_client_hello(hs);

  564.         break;

  565.       case state_process_server_hello:

  566.         ret = do_process_server_hello(hs);

  567.         break;

  568.       case state_process_encrypted_extensions:

  569.         ret = do_process_encrypted_extensions(hs);

  570.         break;

  571.       case state_process_certificate_request:

  572.         ret = do_process_certificate_request(hs);

  573.         break;

  574.       case state_process_server_certificate:

  575.         ret = do_process_server_certificate(hs);

  576.         break;

  577.       case state_process_server_certificate_verify:

  578.         ret = do_process_server_certificate_verify(hs);

  579.         break;

  580.       case state_process_server_finished:

  581.         ret = do_process_server_finished(hs);

  582.         break;

  583.       case state_send_client_certificate:

  584.         ret = do_send_client_certificate(hs);

  585.         break;

  586.       case state_send_client_certificate_verify:

  587.         ret = do_send_client_certificate_verify(hs, 1 /* first run */);

  588.         break;

  589.       case state_complete_client_certificate_verify:

  590.         ret = do_send_client_certificate_verify(hs, 0 /* complete */);

  591.         break;

  592.       case state_send_channel_id:

  593.         ret = do_send_channel_id(hs);

  594.         break;

  595.       case state_send_client_finished:

  596.         ret = do_send_client_finished(hs);

  597.         break;

  598.       case state_flush:

  599.         ret = do_flush(hs);

  600.         break;

  601.       case state_done:

  602.         ret = ssl_hs_ok;

  603.         break;

  604.     }

  605. 

  606.     if (ret != ssl_hs_ok) {

  607.       return ret;

  608.     }

  609.   }

  610. 

  611.   return ssl_hs_ok;

  612. }

  613. 

  614. int tls13_process_new_session_ticket(SSL *ssl) {

  615.   SSL_SESSION *session =

  616.       SSL_SESSION_dup(ssl->s3->established_session,

  617.                       SSL_SESSION_INCLUDE_NONAUTH);

  618.   if (session == NULL) {

  619.     return 0;

  620.   }

  621. 

  622.   ssl_session_refresh_time(ssl, session);

  623. 

  624.   CBS cbs, ticket, extensions;

  625.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  626.   if (!CBS_get_u32(&cbs, &session->tlsext_tick_lifetime_hint) ||

  627.       !CBS_get_u32(&cbs, &session->ticket_age_add) ||

  628.       !CBS_get_u16_length_prefixed(&cbs, &ticket) ||

  629.       !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||

  630.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  631.       CBS_len(&cbs) != 0) {

  632.     SSL_SESSION_free(session);

  633.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  634.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  635.     return 0;

  636.   }

  637. 

  638.   session->ticket_age_add_valid = 1;

  639.   session->not_resumable = 0;

  640. 

  641.   if (ssl->ctx->new_session_cb != NULL &&

  642.       ssl->ctx->new_session_cb(ssl, session)) {

  643.     /* |new_session_cb|'s return value signals that it took ownership. */

  644.     return 1;

  645.   }

  646. 

  647.   SSL_SESSION_free(session);

  648.   return 1;

  649. }

  650. 

  651. void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {

  652.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  653. 

  654.   OPENSSL_free(hs->key_share_bytes);

  655.   hs->key_share_bytes = NULL;

  656.   hs->key_share_bytes_len = 0;

  657. }