kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5289 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 9c3b120b61
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9c3b120b61'
${ noResults }
boringssl/ssl/tls13_client.cc

908 lines
29 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <limits.h>

  19. #include <string.h>

  20. 

  21. #include <utility>

  22. 

  23. #include <openssl/bytestring.h>

  24. #include <openssl/digest.h>

  25. #include <openssl/err.h>

  26. #include <openssl/mem.h>

  27. #include <openssl/stack.h>

  28. 

  29. #include "../crypto/internal.h"

  30. #include "internal.h"

  31. 

  32. 

  33. namespace bssl {

  34. 

  35. enum client_hs_state_t {

  36.   state_read_hello_retry_request = 0,

  37.   state_send_second_client_hello,

  38.   state_read_server_hello,

  39.   state_read_encrypted_extensions,

  40.   state_read_certificate_request,

  41.   state_read_server_certificate,

  42.   state_read_server_certificate_verify,

  43.   state_read_server_finished,

  44.   state_send_end_of_early_data,

  45.   state_send_client_certificate,

  46.   state_send_client_certificate_verify,

  47.   state_complete_second_flight,

  48.   state_done,

  49. };

  50. 

  51. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  52. 

  53. static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {

  54.   SSL *const ssl = hs->ssl;

  55.   assert(ssl->s3->have_version);

  56.   SSLMessage msg;

  57.   if (!ssl->method->get_message(ssl, &msg)) {

  58.     return ssl_hs_read_message;

  59.   }

  60. 

  61.   // Queue up a ChangeCipherSpec for whenever we next send something. This

  62.   // will be before the second ClientHello. If we offered early data, this was

  63.   // already done.

  64.   if (!hs->early_data_offered &&

  65.       !ssl->method->add_change_cipher_spec(ssl)) {

  66.     return ssl_hs_error;

  67.   }

  68. 

  69.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {

  70.     return ssl_hs_error;

  71.   }

  72. 

  73.   CBS body = msg.body, extensions, server_random, session_id;

  74.   uint16_t server_version, cipher_suite;

  75.   uint8_t compression_method;

  76.   if (!CBS_get_u16(&body, &server_version) ||

  77.       !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||

  78.       !CBS_get_u8_length_prefixed(&body, &session_id) ||

  79.       !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||

  80.       !CBS_get_u16(&body, &cipher_suite) ||

  81.       !CBS_get_u8(&body, &compression_method) ||

  82.       compression_method != 0 ||

  83.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  84.       CBS_len(&extensions) == 0 ||

  85.       CBS_len(&body) != 0) {

  86.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  87.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  88.     return ssl_hs_error;

  89.   }

  90. 

  91.   if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {

  92.     hs->tls13_state = state_read_server_hello;

  93.     return ssl_hs_ok;

  94.   }

  95. 

  96.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  97.   // Check if the cipher is a TLS 1.3 cipher.

  98.   if (cipher == NULL ||

  99.       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||

  100.       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {

  101.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  102.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  103.     return ssl_hs_error;

  104.   }

  105. 

  106.   hs->new_cipher = cipher;

  107. 

  108.   if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||

  109.       !hs->transcript.UpdateForHelloRetryRequest()) {

  110.     return ssl_hs_error;

  111.   }

  112. 

  113. 

  114.   bool have_cookie, have_key_share, have_supported_versions;

  115.   CBS cookie, key_share, supported_versions;

  116.   SSL_EXTENSION_TYPE ext_types[] = {

  117.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  118.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  119.       {TLSEXT_TYPE_supported_versions, &have_supported_versions,

  120.        &supported_versions},

  121.   };

  122. 

  123.   uint8_t alert = SSL_AD_DECODE_ERROR;

  124.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  125.                             OPENSSL_ARRAY_SIZE(ext_types),

  126.                             0 /* reject unknown */)) {

  127.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  128.     return ssl_hs_error;

  129.   }

  130. 

  131.   if (!have_cookie && !have_key_share) {

  132.     OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);

  133.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  134.     return ssl_hs_error;

  135.   }

  136.   if (have_cookie) {

  137.     CBS cookie_value;

  138.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  139.         CBS_len(&cookie_value) == 0 ||

  140.         CBS_len(&cookie) != 0) {

  141.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  142.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  143.       return ssl_hs_error;

  144.     }

  145. 

  146.     if (!hs->cookie.CopyFrom(cookie_value)) {

  147.       return ssl_hs_error;

  148.     }

  149.   }

  150. 

  151.   if (have_key_share) {

  152.     uint16_t group_id;

  153.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  154.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  155.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  156.       return ssl_hs_error;

  157.     }

  158. 

  159.     // The group must be supported.

  160.     if (!tls1_check_group_id(hs, group_id)) {

  161.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  162.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  163.       return ssl_hs_error;

  164.     }

  165. 

  166.     // Check that the HelloRetryRequest does not request the key share that

  167.     // was provided in the initial ClientHello.

  168.     if (hs->key_share->GroupID() == group_id) {

  169.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  170.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  171.       return ssl_hs_error;

  172.     }

  173. 

  174.     hs->key_share.reset();

  175.     hs->retry_group = group_id;

  176.   }

  177. 

  178.   if (!ssl_hash_message(hs, msg)) {

  179.     return ssl_hs_error;

  180.   }

  181. 

  182.   ssl->method->next_message(ssl);

  183.   hs->received_hello_retry_request = true;

  184.   hs->tls13_state = state_send_second_client_hello;

  185.   // 0-RTT is rejected if we receive a HelloRetryRequest.

  186.   if (hs->in_early_data) {

  187.     return ssl_hs_early_data_rejected;

  188.   }

  189.   return ssl_hs_ok;

  190. }

  191. 

  192. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  193.   SSL *const ssl = hs->ssl;

  194.   // Restore the null cipher. We may have switched due to 0-RTT.

  195.   bssl::UniquePtr<SSLAEADContext> null_ctx =

  196.       SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));

  197.   if (!null_ctx ||

  198.       !ssl->method->set_write_state(ssl, std::move(null_ctx))) {

  199.     return ssl_hs_error;

  200.   }

  201. 

  202.   ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);

  203. 

  204.   if (!ssl_write_client_hello(hs)) {

  205.     return ssl_hs_error;

  206.   }

  207. 

  208.   hs->tls13_state = state_read_server_hello;

  209.   return ssl_hs_flush;

  210. }

  211. 

  212. static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {

  213.   SSL *const ssl = hs->ssl;

  214.   SSLMessage msg;

  215.   if (!ssl->method->get_message(ssl, &msg)) {

  216.     return ssl_hs_read_message;

  217.   }

  218.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {

  219.     return ssl_hs_error;

  220.   }

  221. 

  222.   CBS body = msg.body, server_random, session_id, extensions;

  223.   uint16_t server_version;

  224.   uint16_t cipher_suite;

  225.   uint8_t compression_method;

  226.   if (!CBS_get_u16(&body, &server_version) ||

  227.       !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||

  228.       !CBS_get_u8_length_prefixed(&body, &session_id) ||

  229.       !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||

  230.       !CBS_get_u16(&body, &cipher_suite) ||

  231.       !CBS_get_u8(&body, &compression_method) ||

  232.       compression_method != 0 ||

  233.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  234.       CBS_len(&body) != 0) {

  235.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  236.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  237.     return ssl_hs_error;

  238.   }

  239. 

  240.   if (server_version != TLS1_2_VERSION) {

  241.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  242.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  243.     return ssl_hs_error;

  244.   }

  245. 

  246.   // Forbid a second HelloRetryRequest.

  247.   if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {

  248.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);

  249.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);

  250.     return ssl_hs_error;

  251.   }

  252. 

  253.   OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),

  254.                  SSL3_RANDOM_SIZE);

  255. 

  256.   // Check if the cipher is a TLS 1.3 cipher.

  257.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  258.   if (cipher == nullptr ||

  259.       SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||

  260.       SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {

  261.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  262.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  263.     return ssl_hs_error;

  264.   }

  265. 

  266.   // Check that the cipher matches the one in the HelloRetryRequest.

  267.   if (hs->received_hello_retry_request &&

  268.       hs->new_cipher != cipher) {

  269.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  270.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  271.     return ssl_hs_error;

  272.   }

  273. 

  274.   // Parse out the extensions.

  275.   bool have_key_share = false, have_pre_shared_key = false,

  276.        have_supported_versions = false;

  277.   CBS key_share, pre_shared_key, supported_versions;

  278.   SSL_EXTENSION_TYPE ext_types[] = {

  279.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  280.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  281.       {TLSEXT_TYPE_supported_versions, &have_supported_versions,

  282.        &supported_versions},

  283.   };

  284. 

  285.   uint8_t alert = SSL_AD_DECODE_ERROR;

  286.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  287.                             OPENSSL_ARRAY_SIZE(ext_types),

  288.                             0 /* reject unknown */)) {

  289.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  290.     return ssl_hs_error;

  291.   }

  292. 

  293.   if (ssl_is_draft28(ssl->version)) {

  294.     // Recheck supported_versions, in case this is the second ServerHello.

  295.     uint16_t version;

  296.     if (!have_supported_versions ||

  297.         !CBS_get_u16(&supported_versions, &version) ||

  298.         version != ssl->version) {

  299.       OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);

  300.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  301.       return ssl_hs_error;

  302.     }

  303.   }

  304. 

  305.   alert = SSL_AD_DECODE_ERROR;

  306.   if (have_pre_shared_key) {

  307.     if (ssl->session == NULL) {

  308.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  309.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  310.       return ssl_hs_error;

  311.     }

  312. 

  313.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  314.                                                   &pre_shared_key)) {

  315.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  316.       return ssl_hs_error;

  317.     }

  318. 

  319.     if (ssl->session->ssl_version != ssl->version) {

  320.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  321.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  322.       return ssl_hs_error;

  323.     }

  324. 

  325.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  326.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  327.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  328.       return ssl_hs_error;

  329.     }

  330. 

  331.     if (!ssl_session_is_context_valid(hs, ssl->session)) {

  332.       // This is actually a client application bug.

  333.       OPENSSL_PUT_ERROR(SSL,

  334.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  335.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  336.       return ssl_hs_error;

  337.     }

  338. 

  339.     ssl->s3->session_reused = true;

  340.     // Only authentication information carries over in TLS 1.3.

  341.     hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);

  342.     if (!hs->new_session) {

  343.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  344.       return ssl_hs_error;

  345.     }

  346.     ssl_set_session(ssl, NULL);

  347. 

  348.     // Resumption incorporates fresh key material, so refresh the timeout.

  349.     ssl_session_renew_timeout(ssl, hs->new_session.get(),

  350.                               ssl->session_ctx->session_psk_dhe_timeout);

  351.   } else if (!ssl_get_new_session(hs, 0)) {

  352.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  353.     return ssl_hs_error;

  354.   }

  355. 

  356.   hs->new_session->cipher = cipher;

  357.   hs->new_cipher = cipher;

  358. 

  359.   size_t hash_len =

  360.       EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));

  361. 

  362.   // Set up the key schedule and incorporate the PSK into the running secret.

  363.   if (ssl->s3->session_reused) {

  364.     if (!tls13_init_key_schedule(hs, hs->new_session->master_key,

  365.                                  hs->new_session->master_key_length)) {

  366.       return ssl_hs_error;

  367.     }

  368.   } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {

  369.     return ssl_hs_error;

  370.   }

  371. 

  372.   if (!have_key_share) {

  373.     // We do not support psk_ke and thus always require a key share.

  374.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  375.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  376.     return ssl_hs_error;

  377.   }

  378. 

  379.   // Resolve ECDHE and incorporate it into the secret.

  380.   Array<uint8_t> dhe_secret;

  381.   alert = SSL_AD_DECODE_ERROR;

  382.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,

  383.                                            &key_share)) {

  384.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  385.     return ssl_hs_error;

  386.   }

  387. 

  388.   if (!tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()) ||

  389.       !ssl_hash_message(hs, msg) ||

  390.       !tls13_derive_handshake_secrets(hs) ||

  391.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,

  392.                              hs->hash_len)) {

  393.     return ssl_hs_error;

  394.   }

  395. 

  396.   if (!hs->early_data_offered) {

  397.     // If not sending early data, set client traffic keys now so that alerts are

  398.     // encrypted.

  399.     if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  400.                                hs->hash_len)) {

  401.       return ssl_hs_error;

  402.     }

  403.   }

  404. 

  405.   ssl->method->next_message(ssl);

  406.   hs->tls13_state = state_read_encrypted_extensions;

  407.   return ssl_hs_ok;

  408. }

  409. 

  410. static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {

  411.   SSL *const ssl = hs->ssl;

  412.   SSLMessage msg;

  413.   if (!ssl->method->get_message(ssl, &msg)) {

  414.     return ssl_hs_read_message;

  415.   }

  416.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  417.     return ssl_hs_error;

  418.   }

  419. 

  420.   CBS body = msg.body;

  421.   if (!ssl_parse_serverhello_tlsext(hs, &body)) {

  422.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  423.     return ssl_hs_error;

  424.   }

  425.   if (CBS_len(&body) != 0) {

  426.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  427.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  428.     return ssl_hs_error;

  429.   }

  430. 

  431.   // Store the negotiated ALPN in the session.

  432.   if (!ssl->s3->alpn_selected.empty()) {

  433.     hs->new_session->early_alpn = (uint8_t *)BUF_memdup(

  434.         ssl->s3->alpn_selected.data(), ssl->s3->alpn_selected.size());

  435.     if (hs->new_session->early_alpn == NULL) {

  436.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  437.       return ssl_hs_error;

  438.     }

  439.     hs->new_session->early_alpn_len = ssl->s3->alpn_selected.size();

  440.   }

  441. 

  442.   if (ssl->s3->early_data_accepted) {

  443.     if (hs->early_session->cipher != hs->new_session->cipher ||

  444.         MakeConstSpan(hs->early_session->early_alpn,

  445.                       hs->early_session->early_alpn_len) !=

  446.             ssl->s3->alpn_selected) {

  447.       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);

  448.       return ssl_hs_error;

  449.     }

  450.     if (ssl->s3->tlsext_channel_id_valid || hs->received_custom_extension ||

  451.         ssl->s3->token_binding_negotiated) {

  452.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);

  453.       return ssl_hs_error;

  454.     }

  455.   }

  456. 

  457.   if (!ssl_hash_message(hs, msg)) {

  458.     return ssl_hs_error;

  459.   }

  460. 

  461.   ssl->method->next_message(ssl);

  462.   hs->tls13_state = state_read_certificate_request;

  463.   if (hs->in_early_data && !ssl->s3->early_data_accepted) {

  464.     return ssl_hs_early_data_rejected;

  465.   }

  466.   return ssl_hs_ok;

  467. }

  468. 

  469. static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {

  470.   SSL *const ssl = hs->ssl;

  471.   // CertificateRequest may only be sent in non-resumption handshakes.

  472.   if (ssl->s3->session_reused) {

  473.     hs->tls13_state = state_read_server_finished;

  474.     return ssl_hs_ok;

  475.   }

  476. 

  477.   SSLMessage msg;

  478.   if (!ssl->method->get_message(ssl, &msg)) {

  479.     return ssl_hs_read_message;

  480.   }

  481. 

  482.   // CertificateRequest is optional.

  483.   if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {

  484.     hs->tls13_state = state_read_server_certificate;

  485.     return ssl_hs_ok;

  486.   }

  487. 

  488. 

  489.   bool have_sigalgs = false, have_ca = false;

  490.   CBS sigalgs, ca;

  491.   const SSL_EXTENSION_TYPE ext_types[] = {

  492.     {TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},

  493.     {TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},

  494.   };

  495. 

  496.   CBS body = msg.body, context, extensions, supported_signature_algorithms;

  497.   uint8_t alert = SSL_AD_DECODE_ERROR;

  498.   if (!CBS_get_u8_length_prefixed(&body, &context) ||

  499.       // The request context is always empty during the handshake.

  500.       CBS_len(&context) != 0 ||

  501.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  502.       CBS_len(&body) != 0 ||

  503.       !ssl_parse_extensions(&extensions, &alert, ext_types,

  504.                             OPENSSL_ARRAY_SIZE(ext_types),

  505.                             1 /* accept unknown */) ||

  506.       (have_ca && CBS_len(&ca) == 0) ||

  507.       !have_sigalgs ||

  508.       !CBS_get_u16_length_prefixed(&sigalgs,

  509.                                    &supported_signature_algorithms) ||

  510.       CBS_len(&supported_signature_algorithms) == 0 ||

  511.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  512.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  513.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  514.     return ssl_hs_error;

  515.   }

  516. 

  517.   if (have_ca) {

  518.     hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);

  519.     if (!hs->ca_names) {

  520.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  521.       return ssl_hs_error;

  522.     }

  523.   } else {

  524.     hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());

  525.     if (!hs->ca_names) {

  526.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  527.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  528.       return ssl_hs_error;

  529.     }

  530.   }

  531. 

  532.   hs->cert_request = true;

  533.   ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  534. 

  535.   if (!ssl_hash_message(hs, msg)) {

  536.     return ssl_hs_error;

  537.   }

  538. 

  539.   ssl->method->next_message(ssl);

  540.   hs->tls13_state = state_read_server_certificate;

  541.   return ssl_hs_ok;

  542. }

  543. 

  544. static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {

  545.   SSL *const ssl = hs->ssl;

  546.   SSLMessage msg;

  547.   if (!ssl->method->get_message(ssl, &msg)) {

  548.     return ssl_hs_read_message;

  549.   }

  550. 

  551.   if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&

  552.       !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {

  553.     return ssl_hs_error;

  554.   }

  555. 

  556.   if (!tls13_process_certificate(hs, msg, 0 /* certificate required */) ||

  557.       !ssl_hash_message(hs, msg)) {

  558.     return ssl_hs_error;

  559.   }

  560. 

  561.   ssl->method->next_message(ssl);

  562.   hs->tls13_state = state_read_server_certificate_verify;

  563.   return ssl_hs_ok;

  564. }

  565. 

  566. static enum ssl_hs_wait_t do_read_server_certificate_verify(

  567.     SSL_HANDSHAKE *hs) {

  568.   SSL *const ssl = hs->ssl;

  569.   SSLMessage msg;

  570.   if (!ssl->method->get_message(ssl, &msg)) {

  571.     return ssl_hs_read_message;

  572.   }

  573.   switch (ssl_verify_peer_cert(hs)) {

  574.     case ssl_verify_ok:

  575.       break;

  576.     case ssl_verify_invalid:

  577.       return ssl_hs_error;

  578.     case ssl_verify_retry:

  579.       hs->tls13_state = state_read_server_certificate_verify;

  580.       return ssl_hs_certificate_verify;

  581.   }

  582. 

  583.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||

  584.       !tls13_process_certificate_verify(hs, msg) ||

  585.       !ssl_hash_message(hs, msg)) {

  586.     return ssl_hs_error;

  587.   }

  588. 

  589.   ssl->method->next_message(ssl);

  590.   hs->tls13_state = state_read_server_finished;

  591.   return ssl_hs_ok;

  592. }

  593. 

  594. static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {

  595.   SSL *const ssl = hs->ssl;

  596.   SSLMessage msg;

  597.   if (!ssl->method->get_message(ssl, &msg)) {

  598.     return ssl_hs_read_message;

  599.   }

  600.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||

  601.       !tls13_process_finished(hs, msg, 0 /* don't use saved value */) ||

  602.       !ssl_hash_message(hs, msg) ||

  603.       // Update the secret to the master secret and derive traffic keys.

  604.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  605.       !tls13_derive_application_secrets(hs)) {

  606.     return ssl_hs_error;

  607.   }

  608. 

  609.   ssl->method->next_message(ssl);

  610.   hs->tls13_state = state_send_end_of_early_data;

  611.   return ssl_hs_ok;

  612. }

  613. 

  614. static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {

  615.   SSL *const ssl = hs->ssl;

  616. 

  617.   if (ssl->s3->early_data_accepted) {

  618.     hs->can_early_write = false;

  619.     ScopedCBB cbb;

  620.     CBB body;

  621.     if (!ssl->method->init_message(ssl, cbb.get(), &body,

  622.                                    SSL3_MT_END_OF_EARLY_DATA) ||

  623.         !ssl_add_message_cbb(ssl, cbb.get())) {

  624.       return ssl_hs_error;

  625.     }

  626.   }

  627. 

  628.   if (hs->early_data_offered) {

  629.     if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  630.                                hs->hash_len)) {

  631.       return ssl_hs_error;

  632.     }

  633.   }

  634. 

  635.   hs->tls13_state = state_send_client_certificate;

  636.   return ssl_hs_ok;

  637. }

  638. 

  639. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  640.   SSL *const ssl = hs->ssl;

  641. 

  642.   // The peer didn't request a certificate.

  643.   if (!hs->cert_request) {

  644.     hs->tls13_state = state_complete_second_flight;

  645.     return ssl_hs_ok;

  646.   }

  647. 

  648.   // Call cert_cb to update the certificate.

  649.   if (hs->config->cert->cert_cb != NULL) {

  650.     int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);

  651.     if (rv == 0) {

  652.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  653.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  654.       return ssl_hs_error;

  655.     }

  656.     if (rv < 0) {

  657.       hs->tls13_state = state_send_client_certificate;

  658.       return ssl_hs_x509_lookup;

  659.     }

  660.   }

  661. 

  662.   if (!ssl_on_certificate_selected(hs) ||

  663.       !tls13_add_certificate(hs)) {

  664.     return ssl_hs_error;

  665.   }

  666. 

  667.   hs->tls13_state = state_send_client_certificate_verify;

  668.   return ssl_hs_ok;

  669. }

  670. 

  671. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {

  672.   // Don't send CertificateVerify if there is no certificate.

  673.   if (!ssl_has_certificate(hs->config)) {

  674.     hs->tls13_state = state_complete_second_flight;

  675.     return ssl_hs_ok;

  676.   }

  677. 

  678.   switch (tls13_add_certificate_verify(hs)) {

  679.     case ssl_private_key_success:

  680.       hs->tls13_state = state_complete_second_flight;

  681.       return ssl_hs_ok;

  682. 

  683.     case ssl_private_key_retry:

  684.       hs->tls13_state = state_send_client_certificate_verify;

  685.       return ssl_hs_private_key_operation;

  686. 

  687.     case ssl_private_key_failure:

  688.       return ssl_hs_error;

  689.   }

  690. 

  691.   assert(0);

  692.   return ssl_hs_error;

  693. }

  694. 

  695. static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {

  696.   SSL *const ssl = hs->ssl;

  697. 

  698.   // Send a Channel ID assertion if necessary.

  699.   if (ssl->s3->tlsext_channel_id_valid) {

  700.     if (!ssl_do_channel_id_callback(hs)) {

  701.       hs->tls13_state = state_complete_second_flight;

  702.       return ssl_hs_error;

  703.     }

  704. 

  705.     if (hs->config->tlsext_channel_id_private == NULL) {

  706.       return ssl_hs_channel_id_lookup;

  707.     }

  708. 

  709.     ScopedCBB cbb;

  710.     CBB body;

  711.     if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||

  712.         !tls1_write_channel_id(hs, &body) ||

  713.         !ssl_add_message_cbb(ssl, cbb.get())) {

  714.       return ssl_hs_error;

  715.     }

  716.   }

  717. 

  718.   // Send a Finished message.

  719.   if (!tls13_add_finished(hs)) {

  720.     return ssl_hs_error;

  721.   }

  722. 

  723.   // Derive the final keys and enable them.

  724.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,

  725.                              hs->hash_len) ||

  726.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,

  727.                              hs->hash_len) ||

  728.       !tls13_derive_resumption_secret(hs)) {

  729.     return ssl_hs_error;

  730.   }

  731. 

  732.   hs->tls13_state = state_done;

  733.   return ssl_hs_flush;

  734. }

  735. 

  736. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  737.   while (hs->tls13_state != state_done) {

  738.     enum ssl_hs_wait_t ret = ssl_hs_error;

  739.     enum client_hs_state_t state =

  740.         static_cast<enum client_hs_state_t>(hs->tls13_state);

  741.     switch (state) {

  742.       case state_read_hello_retry_request:

  743.         ret = do_read_hello_retry_request(hs);

  744.         break;

  745.       case state_send_second_client_hello:

  746.         ret = do_send_second_client_hello(hs);

  747.         break;

  748.       case state_read_server_hello:

  749.         ret = do_read_server_hello(hs);

  750.         break;

  751.       case state_read_encrypted_extensions:

  752.         ret = do_read_encrypted_extensions(hs);

  753.         break;

  754.       case state_read_certificate_request:

  755.         ret = do_read_certificate_request(hs);

  756.         break;

  757.       case state_read_server_certificate:

  758.         ret = do_read_server_certificate(hs);

  759.         break;

  760.       case state_read_server_certificate_verify:

  761.         ret = do_read_server_certificate_verify(hs);

  762.         break;

  763.       case state_read_server_finished:

  764.         ret = do_read_server_finished(hs);

  765.         break;

  766.       case state_send_end_of_early_data:

  767.         ret = do_send_end_of_early_data(hs);

  768.         break;

  769.       case state_send_client_certificate:

  770.         ret = do_send_client_certificate(hs);

  771.         break;

  772.       case state_send_client_certificate_verify:

  773.         ret = do_send_client_certificate_verify(hs);

  774.         break;

  775.       case state_complete_second_flight:

  776.         ret = do_complete_second_flight(hs);

  777.         break;

  778.       case state_done:

  779.         ret = ssl_hs_ok;

  780.         break;

  781.     }

  782. 

  783.     if (hs->tls13_state != state) {

  784.       ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);

  785.     }

  786. 

  787.     if (ret != ssl_hs_ok) {

  788.       return ret;

  789.     }

  790.   }

  791. 

  792.   return ssl_hs_ok;

  793. }

  794. 

  795. const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {

  796.   enum client_hs_state_t state =

  797.       static_cast<enum client_hs_state_t>(hs->tls13_state);

  798.   switch (state) {

  799.     case state_read_hello_retry_request:

  800.       return "TLS 1.3 client read_hello_retry_request";

  801.     case state_send_second_client_hello:

  802.       return "TLS 1.3 client send_second_client_hello";

  803.     case state_read_server_hello:

  804.       return "TLS 1.3 client read_server_hello";

  805.     case state_read_encrypted_extensions:

  806.       return "TLS 1.3 client read_encrypted_extensions";

  807.     case state_read_certificate_request:

  808.       return "TLS 1.3 client read_certificate_request";

  809.     case state_read_server_certificate:

  810.       return "TLS 1.3 client read_server_certificate";

  811.     case state_read_server_certificate_verify:

  812.       return "TLS 1.3 client read_server_certificate_verify";

  813.     case state_read_server_finished:

  814.       return "TLS 1.3 client read_server_finished";

  815.     case state_send_end_of_early_data:

  816.       return "TLS 1.3 client send_end_of_early_data";

  817.     case state_send_client_certificate:

  818.       return "TLS 1.3 client send_client_certificate";

  819.     case state_send_client_certificate_verify:

  820.       return "TLS 1.3 client send_client_certificate_verify";

  821.     case state_complete_second_flight:

  822.       return "TLS 1.3 client complete_second_flight";

  823.     case state_done:

  824.       return "TLS 1.3 client done";

  825.   }

  826. 

  827.   return "TLS 1.3 client unknown";

  828. }

  829. 

  830. int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {

  831.   if (ssl->s3->write_shutdown != ssl_shutdown_none) {

  832.     // Ignore tickets on shutdown. Callers tend to indiscriminately call

  833.     // |SSL_shutdown| before destroying an |SSL|, at which point calling the new

  834.     // session callback may be confusing.

  835.     return 1;

  836.   }

  837. 

  838.   UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(

  839.       ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);

  840.   if (!session) {

  841.     return 0;

  842.   }

  843. 

  844.   ssl_session_rebase_time(ssl, session.get());

  845. 

  846.   uint32_t server_timeout;

  847.   CBS body = msg.body, ticket_nonce, ticket, extensions;

  848.   if (!CBS_get_u32(&body, &server_timeout) ||

  849.       !CBS_get_u32(&body, &session->ticket_age_add) ||

  850.       !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||

  851.       !CBS_get_u16_length_prefixed(&body, &ticket) ||

  852.       !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||

  853.       !CBS_get_u16_length_prefixed(&body, &extensions) ||

  854.       CBS_len(&body) != 0) {

  855.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  856.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  857.     return 0;

  858.   }

  859. 

  860.   // Cap the renewable lifetime by the server advertised value. This avoids

  861.   // wasting bandwidth on 0-RTT when we know the server will reject it.

  862.   if (session->timeout > server_timeout) {

  863.     session->timeout = server_timeout;

  864.   }

  865. 

  866.   if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {

  867.     return 0;

  868.   }

  869. 

  870.   // Parse out the extensions.

  871.   bool have_early_data_info = false;

  872.   CBS early_data_info;

  873.   const SSL_EXTENSION_TYPE ext_types[] = {

  874.       {TLSEXT_TYPE_early_data, &have_early_data_info, &early_data_info},

  875.   };

  876. 

  877.   uint8_t alert = SSL_AD_DECODE_ERROR;

  878.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  879.                             OPENSSL_ARRAY_SIZE(ext_types),

  880.                             1 /* ignore unknown */)) {

  881.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  882.     return 0;

  883.   }

  884. 

  885.   if (have_early_data_info && ssl->enable_early_data) {

  886.     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||

  887.         CBS_len(&early_data_info) != 0) {

  888.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  889.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  890.       return 0;

  891.     }

  892.   }

  893. 

  894.   session->ticket_age_add_valid = 1;

  895.   session->not_resumable = 0;

  896. 

  897.   if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&

  898.       ssl->session_ctx->new_session_cb != NULL &&

  899.       ssl->session_ctx->new_session_cb(ssl, session.get())) {

  900.     // |new_session_cb|'s return value signals that it took ownership.

  901.     session.release();

  902.   }

  903. 

  904.   return 1;

  905. }

  906. 

  907. }  // namespace bssl