kris
/
boringssl
1
0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Toiminta
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5667 Commitit
12 Branchit
38 MiB
 
 
 
 
 
 
Puu: 9978f0a865
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from '9978f0a865'
${ noResults }
boringssl/ssl/tls13_client.cc

931 rivejä
30 KiB
Raaka Blame Historia 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <limits.h>

  19. #include <string.h>

  20. 

  21. #include <utility>

  22. 

  23. #include <openssl/bytestring.h>

  24. #include <openssl/digest.h>

  25. #include <openssl/err.h>

  26. #include <openssl/mem.h>

  27. #include <openssl/sha.h>

  28. #include <openssl/stack.h>

  29. 

  30. #include "../crypto/internal.h"

  31. #include "internal.h"

  32. 

  33. 

  34. BSSL_NAMESPACE_BEGIN

  35. 

  36. enum client_hs_state_t {

  37.   state_read_hello_retry_request = 0,

  38.   state_send_second_client_hello,

  39.   state_read_server_hello,

  40.   state_read_encrypted_extensions,

  41.   state_read_certificate_request,

  42.   state_read_server_certificate,

  43.   state_read_server_certificate_verify,

  44.   state_server_certificate_reverify,

  45.   state_read_server_finished,

  46.   state_send_end_of_early_data,

  47.   state_send_client_certificate,

  48.   state_send_client_certificate_verify,

  49.   state_complete_second_flight,

  50.   state_done,

  51. };

  52. 

  53. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  54. 

  55. static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {

  56.   SSL *const ssl = hs->ssl;

  57.   assert(ssl->s3->have_version);

  58.   SSLMessage msg;

  59.   if (!ssl->method->get_message(ssl, &msg)) {

  60.     return ssl_hs_read_message;

  61.   }

  62. 

  63.   // Queue up a ChangeCipherSpec for whenever we next send something. This

  64.   // will be before the second ClientHello. If we offered early data, this was

  65.   // already done.

  66.   if (!hs->early_data_offered &&

  67.       !ssl->method->add_change_cipher_spec(ssl)) {

  68.     return ssl_hs_error;

  69.   }

  70. 

  71.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {

  72.     return ssl_hs_error;

  73.   }

  74. 

  75.   CBS body = msg.body, extensions, server_random, session_id;

  76.   uint16_t server_version, cipher_suite;

  77.   uint8_t compression_method;

  78.   if (!CBS_get_u16(&body, &server_version) ||

  79.       !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||

  80.       !CBS_get_u8_length_prefixed(&body, &session_id) ||

  81.       !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||

  82.       !CBS_get_u16(&body, &cipher_suite) ||

  83.       !CBS_get_u8(&body, &compression_method) ||

  84.       compression_method != 0 ||

  85.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  86.       CBS_len(&extensions) == 0 ||

  87.       CBS_len(&body) != 0) {

  88.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  89.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  90.     return ssl_hs_error;

  91.   }

  92. 

  93.   if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {

  94.     hs->tls13_state = state_read_server_hello;

  95.     return ssl_hs_ok;

  96.   }

  97. 

  98.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  99.   // Check if the cipher is a TLS 1.3 cipher.

  100.   if (cipher == NULL ||

  101.       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||

  102.       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {

  103.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  104.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  105.     return ssl_hs_error;

  106.   }

  107. 

  108.   hs->new_cipher = cipher;

  109. 

  110.   if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||

  111.       !hs->transcript.UpdateForHelloRetryRequest()) {

  112.     return ssl_hs_error;

  113.   }

  114. 

  115. 

  116.   bool have_cookie, have_key_share, have_supported_versions;

  117.   CBS cookie, key_share, supported_versions;

  118.   SSL_EXTENSION_TYPE ext_types[] = {

  119.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  120.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  121.       {TLSEXT_TYPE_supported_versions, &have_supported_versions,

  122.        &supported_versions},

  123.   };

  124. 

  125.   uint8_t alert = SSL_AD_DECODE_ERROR;

  126.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  127.                             OPENSSL_ARRAY_SIZE(ext_types),

  128.                             0 /* reject unknown */)) {

  129.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  130.     return ssl_hs_error;

  131.   }

  132. 

  133.   if (!have_cookie && !have_key_share) {

  134.     OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);

  135.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  136.     return ssl_hs_error;

  137.   }

  138.   if (have_cookie) {

  139.     CBS cookie_value;

  140.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  141.         CBS_len(&cookie_value) == 0 ||

  142.         CBS_len(&cookie) != 0) {

  143.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  144.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  145.       return ssl_hs_error;

  146.     }

  147. 

  148.     if (!hs->cookie.CopyFrom(cookie_value)) {

  149.       return ssl_hs_error;

  150.     }

  151.   }

  152. 

  153.   if (have_key_share) {

  154.     uint16_t group_id;

  155.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  156.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  157.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  158.       return ssl_hs_error;

  159.     }

  160. 

  161.     // The group must be supported.

  162.     if (!tls1_check_group_id(hs, group_id)) {

  163.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  164.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  165.       return ssl_hs_error;

  166.     }

  167. 

  168.     // Check that the HelloRetryRequest does not request a key share that was

  169.     // provided in the initial ClientHello.

  170.     if (hs->key_shares[0]->GroupID() == group_id ||

  171.         (hs->key_shares[1] && hs->key_shares[1]->GroupID() == group_id)) {

  172.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  173.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  174.       return ssl_hs_error;

  175.     }

  176. 

  177.     hs->key_shares[0].reset();

  178.     hs->key_shares[1].reset();

  179.     hs->retry_group = group_id;

  180.   }

  181. 

  182.   if (!ssl_hash_message(hs, msg)) {

  183.     return ssl_hs_error;

  184.   }

  185. 

  186.   ssl->method->next_message(ssl);

  187.   hs->received_hello_retry_request = true;

  188.   hs->tls13_state = state_send_second_client_hello;

  189.   // 0-RTT is rejected if we receive a HelloRetryRequest.

  190.   if (hs->in_early_data) {

  191.     return ssl_hs_early_data_rejected;

  192.   }

  193.   return ssl_hs_ok;

  194. }

  195. 

  196. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  197.   SSL *const ssl = hs->ssl;

  198.   // Restore the null cipher. We may have switched due to 0-RTT.

  199.   bssl::UniquePtr<SSLAEADContext> null_ctx =

  200.       SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));

  201.   if (!null_ctx ||

  202.       !ssl->method->set_write_state(ssl, std::move(null_ctx))) {

  203.     return ssl_hs_error;

  204.   }

  205. 

  206.   ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);

  207. 

  208.   if (!ssl_write_client_hello(hs)) {

  209.     return ssl_hs_error;

  210.   }

  211. 

  212.   hs->tls13_state = state_read_server_hello;

  213.   return ssl_hs_flush;

  214. }

  215. 

  216. static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {

  217.   SSL *const ssl = hs->ssl;

  218.   SSLMessage msg;

  219.   if (!ssl->method->get_message(ssl, &msg)) {

  220.     return ssl_hs_read_message;

  221.   }

  222.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {

  223.     return ssl_hs_error;

  224.   }

  225. 

  226.   CBS body = msg.body, server_random, session_id, extensions;

  227.   uint16_t server_version;

  228.   uint16_t cipher_suite;

  229.   uint8_t compression_method;

  230.   if (!CBS_get_u16(&body, &server_version) ||

  231.       !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||

  232.       !CBS_get_u8_length_prefixed(&body, &session_id) ||

  233.       !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||

  234.       !CBS_get_u16(&body, &cipher_suite) ||

  235.       !CBS_get_u8(&body, &compression_method) ||

  236.       compression_method != 0 ||

  237.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  238.       CBS_len(&body) != 0) {

  239.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  240.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  241.     return ssl_hs_error;

  242.   }

  243. 

  244.   if (server_version != TLS1_2_VERSION) {

  245.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  246.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  247.     return ssl_hs_error;

  248.   }

  249. 

  250.   // Forbid a second HelloRetryRequest.

  251.   if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {

  252.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  253.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  254.     return ssl_hs_error;

  255.   }

  256. 

  257.   OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),

  258.                  SSL3_RANDOM_SIZE);

  259. 

  260.   // Check if the cipher is a TLS 1.3 cipher.

  261.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  262.   if (cipher == nullptr ||

  263.       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||

  264.       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {

  265.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  266.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  267.     return ssl_hs_error;

  268.   }

  269. 

  270.   // Check that the cipher matches the one in the HelloRetryRequest.

  271.   if (hs->received_hello_retry_request &&

  272.       hs->new_cipher != cipher) {

  273.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  274.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  275.     return ssl_hs_error;

  276.   }

  277. 

  278.   // Parse out the extensions.

  279.   bool have_key_share = false, have_pre_shared_key = false,

  280.        have_supported_versions = false;

  281.   CBS key_share, pre_shared_key, supported_versions;

  282.   SSL_EXTENSION_TYPE ext_types[] = {

  283.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  284.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  285.       {TLSEXT_TYPE_supported_versions, &have_supported_versions,

  286.        &supported_versions},

  287.   };

  288. 

  289.   uint8_t alert = SSL_AD_DECODE_ERROR;

  290.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  291.                             OPENSSL_ARRAY_SIZE(ext_types),

  292.                             0 /* reject unknown */)) {

  293.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  294.     return ssl_hs_error;

  295.   }

  296. 

  297.   // Recheck supported_versions, in case this is the second ServerHello.

  298.   uint16_t version;

  299.   if (!have_supported_versions ||

  300.       !CBS_get_u16(&supported_versions, &version) ||

  301.       version != ssl->version) {

  302.     OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);

  303.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  304.     return ssl_hs_error;

  305.   }

  306. 

  307.   alert = SSL_AD_DECODE_ERROR;

  308.   if (have_pre_shared_key) {

  309.     if (ssl->session == NULL) {

  310.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  311.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  312.       return ssl_hs_error;

  313.     }

  314. 

  315.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  316.                                                   &pre_shared_key)) {

  317.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  318.       return ssl_hs_error;

  319.     }

  320. 

  321.     if (ssl->session->ssl_version != ssl->version) {

  322.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  323.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  324.       return ssl_hs_error;

  325.     }

  326. 

  327.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  328.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  329.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  330.       return ssl_hs_error;

  331.     }

  332. 

  333.     if (!ssl_session_is_context_valid(hs, ssl->session.get())) {

  334.       // This is actually a client application bug.

  335.       OPENSSL_PUT_ERROR(SSL,

  336.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  337.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  338.       return ssl_hs_error;

  339.     }

  340. 

  341.     ssl->s3->session_reused = true;

  342.     // Only authentication information carries over in TLS 1.3.

  343.     hs->new_session =

  344.         SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);

  345.     if (!hs->new_session) {

  346.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  347.       return ssl_hs_error;

  348.     }

  349.     ssl_set_session(ssl, NULL);

  350. 

  351.     // Resumption incorporates fresh key material, so refresh the timeout.

  352.     ssl_session_renew_timeout(ssl, hs->new_session.get(),

  353.                               ssl->session_ctx->session_psk_dhe_timeout);

  354.   } else if (!ssl_get_new_session(hs, 0)) {

  355.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  356.     return ssl_hs_error;

  357.   }

  358. 

  359.   hs->new_session->cipher = cipher;

  360.   hs->new_cipher = cipher;

  361. 

  362.   size_t hash_len =

  363.       EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));

  364. 

  365.   // Set up the key schedule and incorporate the PSK into the running secret.

  366.   if (ssl->s3->session_reused) {

  367.     if (!tls13_init_key_schedule(hs, hs->new_session->master_key,

  368.                                  hs->new_session->master_key_length)) {

  369.       return ssl_hs_error;

  370.     }

  371.   } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {

  372.     return ssl_hs_error;

  373.   }

  374. 

  375.   if (!have_key_share) {

  376.     // We do not support psk_ke and thus always require a key share.

  377.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  378.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  379.     return ssl_hs_error;

  380.   }

  381. 

  382.   // Resolve ECDHE and incorporate it into the secret.

  383.   Array<uint8_t> dhe_secret;

  384.   alert = SSL_AD_DECODE_ERROR;

  385.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,

  386.                                            &key_share)) {

  387.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  388.     return ssl_hs_error;

  389.   }

  390. 

  391.   if (!tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()) ||

  392.       !ssl_hash_message(hs, msg) || !tls13_derive_handshake_secrets(hs) ||

  393.       !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,

  394.                              hs->server_handshake_secret, hs->hash_len)) {

  395.     return ssl_hs_error;

  396.   }

  397. 

  398.   if (!hs->early_data_offered) {

  399.     // If not sending early data, set client traffic keys now so that alerts are

  400.     // encrypted.

  401.     if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,

  402.                                hs->client_handshake_secret, hs->hash_len)) {

  403.       return ssl_hs_error;

  404.     }

  405.   }

  406. 

  407.   ssl->method->next_message(ssl);

  408.   hs->tls13_state = state_read_encrypted_extensions;

  409.   return ssl_hs_ok;

  410. }

  411. 

  412. static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {

  413.   SSL *const ssl = hs->ssl;

  414.   SSLMessage msg;

  415.   if (!ssl->method->get_message(ssl, &msg)) {

  416.     return ssl_hs_read_message;

  417.   }

  418.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  419.     return ssl_hs_error;

  420.   }

  421. 

  422.   CBS body = msg.body;

  423.   if (!ssl_parse_serverhello_tlsext(hs, &body)) {

  424.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  425.     return ssl_hs_error;

  426.   }

  427.   if (CBS_len(&body) != 0) {

  428.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  429.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  430.     return ssl_hs_error;

  431.   }

  432. 

  433.   // Store the negotiated ALPN in the session.

  434.   if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {

  435.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  436.     return ssl_hs_error;

  437.   }

  438. 

  439.   if (ssl->s3->early_data_accepted) {

  440.     if (hs->early_session->cipher != hs->new_session->cipher ||

  441.         MakeConstSpan(hs->early_session->early_alpn) !=

  442.             ssl->s3->alpn_selected) {

  443.       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);

  444.       return ssl_hs_error;

  445.     }

  446.     if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated) {

  447.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);

  448.       return ssl_hs_error;

  449.     }

  450.   }

  451. 

  452.   if (!ssl_hash_message(hs, msg)) {

  453.     return ssl_hs_error;

  454.   }

  455. 

  456.   ssl->method->next_message(ssl);

  457.   hs->tls13_state = state_read_certificate_request;

  458.   if (hs->in_early_data && !ssl->s3->early_data_accepted) {

  459.     return ssl_hs_early_data_rejected;

  460.   }

  461.   return ssl_hs_ok;

  462. }

  463. 

  464. static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {

  465.   SSL *const ssl = hs->ssl;

  466.   // CertificateRequest may only be sent in non-resumption handshakes.

  467.   if (ssl->s3->session_reused) {

  468.     if (ssl->ctx->reverify_on_resume && !ssl->s3->early_data_accepted) {

  469.       hs->tls13_state = state_server_certificate_reverify;

  470.       return ssl_hs_ok;

  471.     }

  472.     hs->tls13_state = state_read_server_finished;

  473.     return ssl_hs_ok;

  474.   }

  475. 

  476.   SSLMessage msg;

  477.   if (!ssl->method->get_message(ssl, &msg)) {

  478.     return ssl_hs_read_message;

  479.   }

  480. 

  481.   // CertificateRequest is optional.

  482.   if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {

  483.     hs->tls13_state = state_read_server_certificate;

  484.     return ssl_hs_ok;

  485.   }

  486. 

  487. 

  488.   bool have_sigalgs = false, have_ca = false;

  489.   CBS sigalgs, ca;

  490.   const SSL_EXTENSION_TYPE ext_types[] = {

  491.     {TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},

  492.     {TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},

  493.   };

  494. 

  495.   CBS body = msg.body, context, extensions, supported_signature_algorithms;

  496.   uint8_t alert = SSL_AD_DECODE_ERROR;

  497.   if (!CBS_get_u8_length_prefixed(&body, &context) ||

  498.       // The request context is always empty during the handshake.

  499.       CBS_len(&context) != 0 ||

  500.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  501.       CBS_len(&body) != 0 ||

  502.       !ssl_parse_extensions(&extensions, &alert, ext_types,

  503.                             OPENSSL_ARRAY_SIZE(ext_types),

  504.                             1 /* accept unknown */) ||

  505.       (have_ca && CBS_len(&ca) == 0) ||

  506.       !have_sigalgs ||

  507.       !CBS_get_u16_length_prefixed(&sigalgs,

  508.                                    &supported_signature_algorithms) ||

  509.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  510.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  511.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  512.     return ssl_hs_error;

  513.   }

  514. 

  515.   if (have_ca) {

  516.     hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);

  517.     if (!hs->ca_names) {

  518.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  519.       return ssl_hs_error;

  520.     }

  521.   } else {

  522.     hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());

  523.     if (!hs->ca_names) {

  524.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  525.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  526.       return ssl_hs_error;

  527.     }

  528.   }

  529. 

  530.   hs->cert_request = true;

  531.   ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  532. 

  533.   if (!ssl_hash_message(hs, msg)) {

  534.     return ssl_hs_error;

  535.   }

  536. 

  537.   ssl->method->next_message(ssl);

  538.   hs->tls13_state = state_read_server_certificate;

  539.   return ssl_hs_ok;

  540. }

  541. 

  542. static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {

  543.   SSL *const ssl = hs->ssl;

  544.   SSLMessage msg;

  545.   if (!ssl->method->get_message(ssl, &msg)) {

  546.     return ssl_hs_read_message;

  547.   }

  548. 

  549.   if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&

  550.       !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {

  551.     return ssl_hs_error;

  552.   }

  553. 

  554.   if (!tls13_process_certificate(hs, msg, false /* certificate required */) ||

  555.       !ssl_hash_message(hs, msg)) {

  556.     return ssl_hs_error;

  557.   }

  558. 

  559.   ssl->method->next_message(ssl);

  560.   hs->tls13_state = state_read_server_certificate_verify;

  561.   return ssl_hs_ok;

  562. }

  563. 

  564. static enum ssl_hs_wait_t do_read_server_certificate_verify(

  565.     SSL_HANDSHAKE *hs) {

  566.   SSL *const ssl = hs->ssl;

  567.   SSLMessage msg;

  568.   if (!ssl->method->get_message(ssl, &msg)) {

  569.     return ssl_hs_read_message;

  570.   }

  571.   switch (ssl_verify_peer_cert(hs)) {

  572.     case ssl_verify_ok:

  573.       break;

  574.     case ssl_verify_invalid:

  575.       return ssl_hs_error;

  576.     case ssl_verify_retry:

  577.       hs->tls13_state = state_read_server_certificate_verify;

  578.       return ssl_hs_certificate_verify;

  579.   }

  580. 

  581.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||

  582.       !tls13_process_certificate_verify(hs, msg) ||

  583.       !ssl_hash_message(hs, msg)) {

  584.     return ssl_hs_error;

  585.   }

  586. 

  587.   ssl->method->next_message(ssl);

  588.   hs->tls13_state = state_read_server_finished;

  589.   return ssl_hs_ok;

  590. }

  591. 

  592. static enum ssl_hs_wait_t do_server_certificate_reverify(

  593.     SSL_HANDSHAKE *hs) {

  594.   switch (ssl_reverify_peer_cert(hs)) {

  595.     case ssl_verify_ok:

  596.       break;

  597.     case ssl_verify_invalid:

  598.       return ssl_hs_error;

  599.     case ssl_verify_retry:

  600.       hs->tls13_state = state_server_certificate_reverify;

  601.       return ssl_hs_certificate_verify;

  602.   }

  603.   hs->tls13_state = state_read_server_finished;

  604.   return ssl_hs_ok;

  605. }

  606. 

  607. static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {

  608.   SSL *const ssl = hs->ssl;

  609.   SSLMessage msg;

  610.   if (!ssl->method->get_message(ssl, &msg)) {

  611.     return ssl_hs_read_message;

  612.   }

  613.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||

  614.       !tls13_process_finished(hs, msg, false /* don't use saved value */) ||

  615.       !ssl_hash_message(hs, msg) ||

  616.       // Update the secret to the master secret and derive traffic keys.

  617.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  618.       !tls13_derive_application_secrets(hs)) {

  619.     return ssl_hs_error;

  620.   }

  621. 

  622.   ssl->method->next_message(ssl);

  623.   hs->tls13_state = state_send_end_of_early_data;

  624.   return ssl_hs_ok;

  625. }

  626. 

  627. static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {

  628.   SSL *const ssl = hs->ssl;

  629. 

  630.   if (ssl->s3->early_data_accepted) {

  631.     hs->can_early_write = false;

  632.     ScopedCBB cbb;

  633.     CBB body;

  634.     if (!ssl->method->init_message(ssl, cbb.get(), &body,

  635.                                    SSL3_MT_END_OF_EARLY_DATA) ||

  636.         !ssl_add_message_cbb(ssl, cbb.get())) {

  637.       return ssl_hs_error;

  638.     }

  639.   }

  640. 

  641.   if (hs->early_data_offered) {

  642.     if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,

  643.                                hs->client_handshake_secret, hs->hash_len)) {

  644.       return ssl_hs_error;

  645.     }

  646.   }

  647. 

  648.   hs->tls13_state = state_send_client_certificate;

  649.   return ssl_hs_ok;

  650. }

  651. 

  652. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  653.   SSL *const ssl = hs->ssl;

  654. 

  655.   // The peer didn't request a certificate.

  656.   if (!hs->cert_request) {

  657.     hs->tls13_state = state_complete_second_flight;

  658.     return ssl_hs_ok;

  659.   }

  660. 

  661.   // Call cert_cb to update the certificate.

  662.   if (hs->config->cert->cert_cb != NULL) {

  663.     int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);

  664.     if (rv == 0) {

  665.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  666.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  667.       return ssl_hs_error;

  668.     }

  669.     if (rv < 0) {

  670.       hs->tls13_state = state_send_client_certificate;

  671.       return ssl_hs_x509_lookup;

  672.     }

  673.   }

  674. 

  675.   if (!ssl_on_certificate_selected(hs) ||

  676.       !tls13_add_certificate(hs)) {

  677.     return ssl_hs_error;

  678.   }

  679. 

  680.   hs->tls13_state = state_send_client_certificate_verify;

  681.   return ssl_hs_ok;

  682. }

  683. 

  684. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {

  685.   // Don't send CertificateVerify if there is no certificate.

  686.   if (!ssl_has_certificate(hs)) {

  687.     hs->tls13_state = state_complete_second_flight;

  688.     return ssl_hs_ok;

  689.   }

  690. 

  691.   switch (tls13_add_certificate_verify(hs)) {

  692.     case ssl_private_key_success:

  693.       hs->tls13_state = state_complete_second_flight;

  694.       return ssl_hs_ok;

  695. 

  696.     case ssl_private_key_retry:

  697.       hs->tls13_state = state_send_client_certificate_verify;

  698.       return ssl_hs_private_key_operation;

  699. 

  700.     case ssl_private_key_failure:

  701.       return ssl_hs_error;

  702.   }

  703. 

  704.   assert(0);

  705.   return ssl_hs_error;

  706. }

  707. 

  708. static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {

  709.   SSL *const ssl = hs->ssl;

  710. 

  711.   // Send a Channel ID assertion if necessary.

  712.   if (ssl->s3->channel_id_valid) {

  713.     if (!ssl_do_channel_id_callback(hs)) {

  714.       hs->tls13_state = state_complete_second_flight;

  715.       return ssl_hs_error;

  716.     }

  717. 

  718.     if (hs->config->channel_id_private == NULL) {

  719.       return ssl_hs_channel_id_lookup;

  720.     }

  721. 

  722.     ScopedCBB cbb;

  723.     CBB body;

  724.     if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||

  725.         !tls1_write_channel_id(hs, &body) ||

  726.         !ssl_add_message_cbb(ssl, cbb.get())) {

  727.       return ssl_hs_error;

  728.     }

  729.   }

  730. 

  731.   // Send a Finished message.

  732.   if (!tls13_add_finished(hs)) {

  733.     return ssl_hs_error;

  734.   }

  735. 

  736.   // Derive the final keys and enable them.

  737.   if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,

  738.                              hs->server_traffic_secret_0, hs->hash_len) ||

  739.       !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,

  740.                              hs->client_traffic_secret_0, hs->hash_len) ||

  741.       !tls13_derive_resumption_secret(hs)) {

  742.     return ssl_hs_error;

  743.   }

  744. 

  745.   hs->tls13_state = state_done;

  746.   return ssl_hs_flush;

  747. }

  748. 

  749. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  750.   while (hs->tls13_state != state_done) {

  751.     enum ssl_hs_wait_t ret = ssl_hs_error;

  752.     enum client_hs_state_t state =

  753.         static_cast<enum client_hs_state_t>(hs->tls13_state);

  754.     switch (state) {

  755.       case state_read_hello_retry_request:

  756.         ret = do_read_hello_retry_request(hs);

  757.         break;

  758.       case state_send_second_client_hello:

  759.         ret = do_send_second_client_hello(hs);

  760.         break;

  761.       case state_read_server_hello:

  762.         ret = do_read_server_hello(hs);

  763.         break;

  764.       case state_read_encrypted_extensions:

  765.         ret = do_read_encrypted_extensions(hs);

  766.         break;

  767.       case state_read_certificate_request:

  768.         ret = do_read_certificate_request(hs);

  769.         break;

  770.       case state_read_server_certificate:

  771.         ret = do_read_server_certificate(hs);

  772.         break;

  773.       case state_read_server_certificate_verify:

  774.         ret = do_read_server_certificate_verify(hs);

  775.         break;

  776.       case state_server_certificate_reverify:

  777.         ret = do_server_certificate_reverify(hs);

  778.         break;

  779.       case state_read_server_finished:

  780.         ret = do_read_server_finished(hs);

  781.         break;

  782.       case state_send_end_of_early_data:

  783.         ret = do_send_end_of_early_data(hs);

  784.         break;

  785.       case state_send_client_certificate:

  786.         ret = do_send_client_certificate(hs);

  787.         break;

  788.       case state_send_client_certificate_verify:

  789.         ret = do_send_client_certificate_verify(hs);

  790.         break;

  791.       case state_complete_second_flight:

  792.         ret = do_complete_second_flight(hs);

  793.         break;

  794.       case state_done:

  795.         ret = ssl_hs_ok;

  796.         break;

  797.     }

  798. 

  799.     if (hs->tls13_state != state) {

  800.       ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);

  801.     }

  802. 

  803.     if (ret != ssl_hs_ok) {

  804.       return ret;

  805.     }

  806.   }

  807. 

  808.   return ssl_hs_ok;

  809. }

  810. 

  811. const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {

  812.   enum client_hs_state_t state =

  813.       static_cast<enum client_hs_state_t>(hs->tls13_state);

  814.   switch (state) {

  815.     case state_read_hello_retry_request:

  816.       return "TLS 1.3 client read_hello_retry_request";

  817.     case state_send_second_client_hello:

  818.       return "TLS 1.3 client send_second_client_hello";

  819.     case state_read_server_hello:

  820.       return "TLS 1.3 client read_server_hello";

  821.     case state_read_encrypted_extensions:

  822.       return "TLS 1.3 client read_encrypted_extensions";

  823.     case state_read_certificate_request:

  824.       return "TLS 1.3 client read_certificate_request";

  825.     case state_read_server_certificate:

  826.       return "TLS 1.3 client read_server_certificate";

  827.     case state_read_server_certificate_verify:

  828.       return "TLS 1.3 client read_server_certificate_verify";

  829.     case state_server_certificate_reverify:

  830.       return "TLS 1.3 client server_certificate_reverify";

  831.     case state_read_server_finished:

  832.       return "TLS 1.3 client read_server_finished";

  833.     case state_send_end_of_early_data:

  834.       return "TLS 1.3 client send_end_of_early_data";

  835.     case state_send_client_certificate:

  836.       return "TLS 1.3 client send_client_certificate";

  837.     case state_send_client_certificate_verify:

  838.       return "TLS 1.3 client send_client_certificate_verify";

  839.     case state_complete_second_flight:

  840.       return "TLS 1.3 client complete_second_flight";

  841.     case state_done:

  842.       return "TLS 1.3 client done";

  843.   }

  844. 

  845.   return "TLS 1.3 client unknown";

  846. }

  847. 

  848. bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {

  849.   if (ssl->s3->write_shutdown != ssl_shutdown_none) {

  850.     // Ignore tickets on shutdown. Callers tend to indiscriminately call

  851.     // |SSL_shutdown| before destroying an |SSL|, at which point calling the new

  852.     // session callback may be confusing.

  853.     return true;

  854.   }

  855. 

  856.   UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(

  857.       ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);

  858.   if (!session) {

  859.     return false;

  860.   }

  861. 

  862.   ssl_session_rebase_time(ssl, session.get());

  863. 

  864.   uint32_t server_timeout;

  865.   CBS body = msg.body, ticket_nonce, ticket, extensions;

  866.   if (!CBS_get_u32(&body, &server_timeout) ||

  867.       !CBS_get_u32(&body, &session->ticket_age_add) ||

  868.       !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||

  869.       !CBS_get_u16_length_prefixed(&body, &ticket) ||

  870.       !session->ticket.CopyFrom(ticket) ||

  871.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  872.       CBS_len(&body) != 0) {

  873.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  874.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  875.     return false;

  876.   }

  877. 

  878.   // Cap the renewable lifetime by the server advertised value. This avoids

  879.   // wasting bandwidth on 0-RTT when we know the server will reject it.

  880.   if (session->timeout > server_timeout) {

  881.     session->timeout = server_timeout;

  882.   }

  883. 

  884.   if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {

  885.     return false;

  886.   }

  887. 

  888.   // Parse out the extensions.

  889.   bool have_early_data_info = false;

  890.   CBS early_data_info;

  891.   const SSL_EXTENSION_TYPE ext_types[] = {

  892.       {TLSEXT_TYPE_early_data, &have_early_data_info, &early_data_info},

  893.   };

  894. 

  895.   uint8_t alert = SSL_AD_DECODE_ERROR;

  896.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  897.                             OPENSSL_ARRAY_SIZE(ext_types),

  898.                             1 /* ignore unknown */)) {

  899.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  900.     return false;

  901.   }

  902. 

  903.   if (have_early_data_info && ssl->enable_early_data) {

  904.     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||

  905.         CBS_len(&early_data_info) != 0) {

  906.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  907.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  908.       return false;

  909.     }

  910.   }

  911. 

  912.   // Generate a session ID for this session. Some callers expect all sessions to

  913.   // have a session ID.

  914.   SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);

  915.   session->session_id_length = SHA256_DIGEST_LENGTH;

  916. 

  917.   session->ticket_age_add_valid = true;

  918.   session->not_resumable = false;

  919. 

  920.   if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&

  921.       ssl->session_ctx->new_session_cb != NULL &&

  922.       ssl->session_ctx->new_session_cb(ssl, session.get())) {

  923.     // |new_session_cb|'s return value signals that it took ownership.

  924.     session.release();

  925.   }

  926. 

  927.   return true;

  928. }

  929. 

  930. BSSL_NAMESPACE_END