kris
/
boringssl
1
0
Креирај огранак 0
Код Дискусије 0 Захтеви за спајање 0 Издања 0 Вики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4373 Комити
12 Гране
38 MiB
 
 
 
 
 
 
Дрво: a1ce85696d
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from 'a1ce85696d'
${ noResults }
boringssl/ssl/tls13_client.c

746 lines
23 KiB
Датотека Blame Историја 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <limits.h>

  19. #include <string.h>

  20. 

  21. #include <openssl/bytestring.h>

  22. #include <openssl/digest.h>

  23. #include <openssl/err.h>

  24. #include <openssl/mem.h>

  25. #include <openssl/stack.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. enum client_hs_state_t {

  32.   state_process_hello_retry_request = 0,

  33.   state_send_second_client_hello,

  34.   state_process_server_hello,

  35.   state_process_encrypted_extensions,

  36.   state_continue_second_server_flight,

  37.   state_process_certificate_request,

  38.   state_process_server_certificate,

  39.   state_process_server_certificate_verify,

  40.   state_process_server_finished,

  41.   state_send_end_of_early_data,

  42.   state_send_client_certificate,

  43.   state_send_client_certificate_verify,

  44.   state_complete_second_flight,

  45.   state_done,

  46. };

  47. 

  48. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  49. 

  50. static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) {

  51.   SSL *const ssl = hs->ssl;

  52.   if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {

  53.     hs->tls13_state = state_process_server_hello;

  54.     return ssl_hs_ok;

  55.   }

  56. 

  57.   CBS cbs, extensions;

  58.   uint16_t server_wire_version;

  59.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  60.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  61.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  62.       /* HelloRetryRequest may not be empty. */

  63.       CBS_len(&extensions) == 0 ||

  64.       CBS_len(&cbs) != 0) {

  65.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  66.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  67.     return ssl_hs_error;

  68.   }

  69. 

  70.   int have_cookie, have_key_share;

  71.   CBS cookie, key_share;

  72.   const SSL_EXTENSION_TYPE ext_types[] = {

  73.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  74.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  75.   };

  76. 

  77.   uint8_t alert = SSL_AD_DECODE_ERROR;

  78.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  79.                             OPENSSL_ARRAY_SIZE(ext_types),

  80.                             0 /* reject unknown */)) {

  81.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  82.     return ssl_hs_error;

  83.   }

  84. 

  85.   if (have_cookie) {

  86.     CBS cookie_value;

  87.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  88.         CBS_len(&cookie_value) == 0 ||

  89.         CBS_len(&cookie) != 0) {

  90.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  91.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  92.       return ssl_hs_error;

  93.     }

  94. 

  95.     if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {

  96.       return ssl_hs_error;

  97.     }

  98.   }

  99. 

  100.   if (have_key_share) {

  101.     uint16_t group_id;

  102.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  103.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  104.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  105.       return ssl_hs_error;

  106.     }

  107. 

  108.     /* The group must be supported. */

  109.     const uint16_t *groups;

  110.     size_t groups_len;

  111.     tls1_get_grouplist(ssl, &groups, &groups_len);

  112.     int found = 0;

  113.     for (size_t i = 0; i < groups_len; i++) {

  114.       if (groups[i] == group_id) {

  115.         found = 1;

  116.         break;

  117.       }

  118.     }

  119. 

  120.     if (!found) {

  121.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  122.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  123.       return ssl_hs_error;

  124.     }

  125. 

  126.     /* Check that the HelloRetryRequest does not request the key share that

  127.      * was provided in the initial ClientHello. */

  128.     if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {

  129.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  130.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  131.       return ssl_hs_error;

  132.     }

  133. 

  134.     SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  135.     hs->retry_group = group_id;

  136.   }

  137. 

  138.   if (!ssl_hash_current_message(hs)) {

  139.     return ssl_hs_error;

  140.   }

  141. 

  142.   hs->received_hello_retry_request = 1;

  143.   hs->tls13_state = state_send_second_client_hello;

  144.   /* 0-RTT is rejected if we receive a HelloRetryRequest. */

  145.   if (hs->in_early_data) {

  146.     return ssl_hs_early_data_rejected;

  147.   }

  148.   return ssl_hs_ok;

  149. }

  150. 

  151. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  152.   SSL *const ssl = hs->ssl;

  153.   if (!ssl->method->set_write_state(ssl, NULL) ||

  154.       !ssl_write_client_hello(hs)) {

  155.     return ssl_hs_error;

  156.   }

  157. 

  158.   hs->tls13_state = state_process_server_hello;

  159.   return ssl_hs_flush_and_read_message;

  160. }

  161. 

  162. static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {

  163.   SSL *const ssl = hs->ssl;

  164.   if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {

  165.     return ssl_hs_error;

  166.   }

  167. 

  168.   CBS cbs, server_random, extensions;

  169.   uint16_t server_wire_version;

  170.   uint16_t cipher_suite;

  171.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  172.   if (!CBS_get_u16(&cbs, &server_wire_version) ||

  173.       !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||

  174.       !CBS_get_u16(&cbs, &cipher_suite) ||

  175.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  176.       CBS_len(&cbs) != 0) {

  177.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  178.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  179.     return ssl_hs_error;

  180.   }

  181. 

  182.   if (server_wire_version != ssl->version) {

  183.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  184.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  185.     return ssl_hs_error;

  186.   }

  187. 

  188.   assert(ssl->s3->have_version);

  189.   OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),

  190.                  SSL3_RANDOM_SIZE);

  191. 

  192.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  193.   if (cipher == NULL) {

  194.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);

  195.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  196.     return ssl_hs_error;

  197.   }

  198. 

  199.   /* Check if the cipher is a TLS 1.3 cipher. */

  200.   if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||

  201.       SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {

  202.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  203.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  204.     return ssl_hs_error;

  205.   }

  206. 

  207.   /* Parse out the extensions. */

  208.   int have_key_share = 0, have_pre_shared_key = 0;

  209.   CBS key_share, pre_shared_key;

  210.   const SSL_EXTENSION_TYPE ext_types[] = {

  211.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  212.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  213.   };

  214. 

  215.   uint8_t alert = SSL_AD_DECODE_ERROR;

  216.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  217.                             OPENSSL_ARRAY_SIZE(ext_types),

  218.                             0 /* reject unknown */)) {

  219.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  220.     return ssl_hs_error;

  221.   }

  222. 

  223.   alert = SSL_AD_DECODE_ERROR;

  224.   if (have_pre_shared_key) {

  225.     if (ssl->session == NULL) {

  226.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  227.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  228.       return ssl_hs_error;

  229.     }

  230. 

  231.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  232.                                                   &pre_shared_key)) {

  233.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  234.       return ssl_hs_error;

  235.     }

  236. 

  237.     if (ssl->session->ssl_version != ssl->version) {

  238.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  239.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  240.       return ssl_hs_error;

  241.     }

  242. 

  243.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  244.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  245.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  246.       return ssl_hs_error;

  247.     }

  248. 

  249.     if (!ssl_session_is_context_valid(ssl, ssl->session)) {

  250.       /* This is actually a client application bug. */

  251.       OPENSSL_PUT_ERROR(SSL,

  252.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  253.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  254.       return ssl_hs_error;

  255.     }

  256. 

  257.     ssl->s3->session_reused = 1;

  258.     /* Only authentication information carries over in TLS 1.3. */

  259.     hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);

  260.     if (hs->new_session == NULL) {

  261.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  262.       return ssl_hs_error;

  263.     }

  264.     ssl_set_session(ssl, NULL);

  265. 

  266.     /* Resumption incorporates fresh key material, so refresh the timeout. */

  267.     ssl_session_renew_timeout(ssl, hs->new_session,

  268.                               ssl->session_ctx->session_psk_dhe_timeout);

  269.   } else if (!ssl_get_new_session(hs, 0)) {

  270.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  271.     return ssl_hs_error;

  272.   }

  273. 

  274.   hs->new_session->cipher = cipher;

  275.   hs->new_cipher = cipher;

  276. 

  277.   /* The PRF hash is now known. Set up the key schedule. */

  278.   if (!tls13_init_key_schedule(hs)) {

  279.     return ssl_hs_error;

  280.   }

  281. 

  282.   /* Incorporate the PSK into the running secret. */

  283.   if (ssl->s3->session_reused) {

  284.     if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,

  285.                                     hs->new_session->master_key_length)) {

  286.       return ssl_hs_error;

  287.     }

  288.   } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {

  289.     return ssl_hs_error;

  290.   }

  291. 

  292.   if (!have_key_share) {

  293.     /* We do not support psk_ke and thus always require a key share. */

  294.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  295.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  296.     return ssl_hs_error;

  297.   }

  298. 

  299.   /* Resolve ECDHE and incorporate it into the secret. */

  300.   uint8_t *dhe_secret;

  301.   size_t dhe_secret_len;

  302.   alert = SSL_AD_DECODE_ERROR;

  303.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,

  304.                                            &alert, &key_share)) {

  305.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  306.     return ssl_hs_error;

  307.   }

  308. 

  309.   if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {

  310.     OPENSSL_free(dhe_secret);

  311.     return ssl_hs_error;

  312.   }

  313.   OPENSSL_free(dhe_secret);

  314. 

  315.   if (!ssl_hash_current_message(hs) ||

  316.       !tls13_derive_handshake_secrets(hs) ||

  317.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,

  318.                              hs->hash_len)) {

  319.     return ssl_hs_error;

  320.   }

  321. 

  322.   /* If not sending early data, set client traffic keys now so that alerts are

  323.    * encrypted. */

  324.   if (!hs->early_data_offered &&

  325.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  326.                              hs->hash_len)) {

  327.     return ssl_hs_error;

  328.   }

  329. 

  330.   hs->tls13_state = state_process_encrypted_extensions;

  331.   return ssl_hs_read_message;

  332. }

  333. 

  334. static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) {

  335.   SSL *const ssl = hs->ssl;

  336.   if (!ssl_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  337.     return ssl_hs_error;

  338.   }

  339. 

  340.   CBS cbs;

  341.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  342.   if (!ssl_parse_serverhello_tlsext(hs, &cbs)) {

  343.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  344.     return ssl_hs_error;

  345.   }

  346.   if (CBS_len(&cbs) != 0) {

  347.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  348.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  349.     return ssl_hs_error;

  350.   }

  351. 

  352.   /* Store the negotiated ALPN in the session. */

  353.   if (ssl->s3->alpn_selected != NULL) {

  354.     hs->new_session->early_alpn =

  355.         BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);

  356.     if (hs->new_session->early_alpn == NULL) {

  357.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  358.       return ssl_hs_error;

  359.     }

  360.     hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;

  361.   }

  362. 

  363.   if (ssl->early_data_accepted) {

  364.     if (hs->early_session->cipher != hs->new_session->cipher ||

  365.         hs->early_session->early_alpn_len != ssl->s3->alpn_selected_len ||

  366.         OPENSSL_memcmp(hs->early_session->early_alpn, ssl->s3->alpn_selected,

  367.                        ssl->s3->alpn_selected_len) != 0) {

  368.       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);

  369.       return ssl_hs_error;

  370.     }

  371.     if (ssl->s3->tlsext_channel_id_valid) {

  372.       OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA);

  373.       return ssl_hs_error;

  374.     }

  375.   }

  376. 

  377.   if (!ssl_hash_current_message(hs)) {

  378.     return ssl_hs_error;

  379.   }

  380. 

  381.   hs->tls13_state = state_continue_second_server_flight;

  382.   if (hs->in_early_data && !ssl->early_data_accepted) {

  383.     return ssl_hs_early_data_rejected;

  384.   }

  385.   return ssl_hs_ok;

  386. }

  387. 

  388. static enum ssl_hs_wait_t do_continue_second_server_flight(SSL_HANDSHAKE *hs) {

  389.   hs->tls13_state = state_process_certificate_request;

  390.   return ssl_hs_read_message;

  391. }

  392. 

  393. static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) {

  394.   SSL *const ssl = hs->ssl;

  395.   /* CertificateRequest may only be sent in non-resumption handshakes. */

  396.   if (ssl->s3->session_reused) {

  397.     hs->tls13_state = state_process_server_finished;

  398.     return ssl_hs_ok;

  399.   }

  400. 

  401.   /* CertificateRequest is optional. */

  402.   if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {

  403.     hs->tls13_state = state_process_server_certificate;

  404.     return ssl_hs_ok;

  405.   }

  406. 

  407.   CBS cbs, context, supported_signature_algorithms;

  408.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  409.   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||

  410.       /* The request context is always empty during the handshake. */

  411.       CBS_len(&context) != 0 ||

  412.       !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||

  413.       CBS_len(&supported_signature_algorithms) == 0 ||

  414.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  415.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  416.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  417.     return ssl_hs_error;

  418.   }

  419. 

  420.   uint8_t alert = SSL_AD_DECODE_ERROR;

  421.   STACK_OF(CRYPTO_BUFFER) *ca_names =

  422.       ssl_parse_client_CA_list(ssl, &alert, &cbs);

  423.   if (ca_names == NULL) {

  424.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  425.     return ssl_hs_error;

  426.   }

  427. 

  428.   /* Ignore extensions. */

  429.   CBS extensions;

  430.   if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  431.       CBS_len(&cbs) != 0) {

  432.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  433.     sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free);

  434.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  435.     return ssl_hs_error;

  436.   }

  437. 

  438.   hs->cert_request = 1;

  439.   sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);

  440.   hs->ca_names = ca_names;

  441.   ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  442. 

  443.   if (!ssl_hash_current_message(hs)) {

  444.     return ssl_hs_error;

  445.   }

  446. 

  447.   hs->tls13_state = state_process_server_certificate;

  448.   return ssl_hs_read_message;

  449. }

  450. 

  451. static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) {

  452.   SSL *const ssl = hs->ssl;

  453.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  454.       !tls13_process_certificate(hs, 0 /* certificate required */) ||

  455.       !ssl_hash_current_message(hs)) {

  456.     return ssl_hs_error;

  457.   }

  458. 

  459.   hs->tls13_state = state_process_server_certificate_verify;

  460.   return ssl_hs_read_message;

  461. }

  462. 

  463. static enum ssl_hs_wait_t do_process_server_certificate_verify(

  464.     SSL_HANDSHAKE *hs) {

  465.   SSL *const ssl = hs->ssl;

  466.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  467.       !tls13_process_certificate_verify(hs) ||

  468.       !ssl_hash_current_message(hs)) {

  469.     return ssl_hs_error;

  470.   }

  471. 

  472.   hs->tls13_state = state_process_server_finished;

  473.   return ssl_hs_read_message;

  474. }

  475. 

  476. static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) {

  477.   SSL *const ssl = hs->ssl;

  478.   if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) ||

  479.       !tls13_process_finished(hs, 0 /* don't use saved value */) ||

  480.       !ssl_hash_current_message(hs) ||

  481.       /* Update the secret to the master secret and derive traffic keys. */

  482.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  483.       !tls13_derive_application_secrets(hs)) {

  484.     return ssl_hs_error;

  485.   }

  486. 

  487.   ssl->method->received_flight(ssl);

  488.   hs->tls13_state = state_send_end_of_early_data;

  489.   return ssl_hs_ok;

  490. }

  491. 

  492. static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {

  493.   SSL *const ssl = hs->ssl;

  494. 

  495.   if (ssl->early_data_accepted) {

  496.     hs->can_early_write = 0;

  497.     if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,

  498.                                 TLS1_AD_END_OF_EARLY_DATA)) {

  499.       return ssl_hs_error;

  500.     }

  501.   }

  502. 

  503.   if (hs->early_data_offered &&

  504.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  505.                              hs->hash_len)) {

  506.     return ssl_hs_error;

  507.   }

  508. 

  509.   hs->tls13_state = state_send_client_certificate;

  510.   return ssl_hs_ok;

  511. }

  512. 

  513. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  514.   SSL *const ssl = hs->ssl;

  515. 

  516.   /* The peer didn't request a certificate. */

  517.   if (!hs->cert_request) {

  518.     hs->tls13_state = state_complete_second_flight;

  519.     return ssl_hs_ok;

  520.   }

  521. 

  522.   /* Call cert_cb to update the certificate. */

  523.   if (ssl->cert->cert_cb != NULL) {

  524.     int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);

  525.     if (rv == 0) {

  526.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  527.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  528.       return ssl_hs_error;

  529.     }

  530.     if (rv < 0) {

  531.       hs->tls13_state = state_send_client_certificate;

  532.       return ssl_hs_x509_lookup;

  533.     }

  534.   }

  535. 

  536.   if (!ssl_on_certificate_selected(hs) ||

  537.       !tls13_add_certificate(hs)) {

  538.     return ssl_hs_error;

  539.   }

  540. 

  541.   hs->tls13_state = state_send_client_certificate_verify;

  542.   return ssl_hs_ok;

  543. }

  544. 

  545. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {

  546.   SSL *const ssl = hs->ssl;

  547.   /* Don't send CertificateVerify if there is no certificate. */

  548.   if (!ssl_has_certificate(ssl)) {

  549.     hs->tls13_state = state_complete_second_flight;

  550.     return ssl_hs_ok;

  551.   }

  552. 

  553.   switch (tls13_add_certificate_verify(hs)) {

  554.     case ssl_private_key_success:

  555.       hs->tls13_state = state_complete_second_flight;

  556.       return ssl_hs_ok;

  557. 

  558.     case ssl_private_key_retry:

  559.       hs->tls13_state = state_send_client_certificate_verify;

  560.       return ssl_hs_private_key_operation;

  561. 

  562.     case ssl_private_key_failure:

  563.       return ssl_hs_error;

  564.   }

  565. 

  566.   assert(0);

  567.   return ssl_hs_error;

  568. }

  569. 

  570. static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {

  571.   SSL *const ssl = hs->ssl;

  572. 

  573.   /* Send a Channel ID assertion if necessary. */

  574.   if (ssl->s3->tlsext_channel_id_valid) {

  575.     if (!ssl_do_channel_id_callback(ssl)) {

  576.       hs->tls13_state = state_complete_second_flight;

  577.       return ssl_hs_error;

  578.     }

  579. 

  580.     if (ssl->tlsext_channel_id_private == NULL) {

  581.       return ssl_hs_channel_id_lookup;

  582.     }

  583. 

  584.     CBB cbb, body;

  585.     if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||

  586.         !tls1_write_channel_id(hs, &body) ||

  587.         !ssl_add_message_cbb(ssl, &cbb)) {

  588.       CBB_cleanup(&cbb);

  589.       return ssl_hs_error;

  590.     }

  591.   }

  592. 

  593.   /* Send a Finished message. */

  594.   if (!tls13_add_finished(hs)) {

  595.     return ssl_hs_error;

  596.   }

  597. 

  598.   /* Derive the final keys and enable them. */

  599.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,

  600.                              hs->hash_len) ||

  601.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,

  602.                              hs->hash_len) ||

  603.       !tls13_derive_resumption_secret(hs)) {

  604.     return ssl_hs_error;

  605.   }

  606. 

  607.   hs->tls13_state = state_done;

  608.   return ssl_hs_flush;

  609. }

  610. 

  611. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  612.   while (hs->tls13_state != state_done) {

  613.     enum ssl_hs_wait_t ret = ssl_hs_error;

  614.     enum client_hs_state_t state = hs->tls13_state;

  615.     switch (state) {

  616.       case state_process_hello_retry_request:

  617.         ret = do_process_hello_retry_request(hs);

  618.         break;

  619.       case state_send_second_client_hello:

  620.         ret = do_send_second_client_hello(hs);

  621.         break;

  622.       case state_process_server_hello:

  623.         ret = do_process_server_hello(hs);

  624.         break;

  625.       case state_process_encrypted_extensions:

  626.         ret = do_process_encrypted_extensions(hs);

  627.         break;

  628.       case state_continue_second_server_flight:

  629.         ret = do_continue_second_server_flight(hs);

  630.         break;

  631.       case state_process_certificate_request:

  632.         ret = do_process_certificate_request(hs);

  633.         break;

  634.       case state_process_server_certificate:

  635.         ret = do_process_server_certificate(hs);

  636.         break;

  637.       case state_process_server_certificate_verify:

  638.         ret = do_process_server_certificate_verify(hs);

  639.         break;

  640.       case state_process_server_finished:

  641.         ret = do_process_server_finished(hs);

  642.         break;

  643.       case state_send_end_of_early_data:

  644.         ret = do_send_end_of_early_data(hs);

  645.         break;

  646.       case state_send_client_certificate:

  647.         ret = do_send_client_certificate(hs);

  648.         break;

  649.       case state_send_client_certificate_verify:

  650.         ret = do_send_client_certificate_verify(hs);

  651.         break;

  652.       case state_complete_second_flight:

  653.         ret = do_complete_second_flight(hs);

  654.         break;

  655.       case state_done:

  656.         ret = ssl_hs_ok;

  657.         break;

  658.     }

  659. 

  660.     if (ret != ssl_hs_ok) {

  661.       return ret;

  662.     }

  663.   }

  664. 

  665.   return ssl_hs_ok;

  666. }

  667. 

  668. int tls13_process_new_session_ticket(SSL *ssl) {

  669.   int ret = 0;

  670.   SSL_SESSION *session = SSL_SESSION_dup(ssl->s3->established_session,

  671.                                          SSL_SESSION_INCLUDE_NONAUTH);

  672.   if (session == NULL) {

  673.     return 0;

  674.   }

  675. 

  676.   ssl_session_rebase_time(ssl, session);

  677. 

  678.   uint32_t server_timeout;

  679.   CBS cbs, ticket, extensions;

  680.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  681.   if (!CBS_get_u32(&cbs, &server_timeout) ||

  682.       !CBS_get_u32(&cbs, &session->ticket_age_add) ||

  683.       !CBS_get_u16_length_prefixed(&cbs, &ticket) ||

  684.       !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||

  685.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  686.       CBS_len(&cbs) != 0) {

  687.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  688.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  689.     goto err;

  690.   }

  691. 

  692.   /* Cap the renewable lifetime by the server advertised value. This avoids

  693.    * wasting bandwidth on 0-RTT when we know the server will reject it. */

  694.   if (session->timeout > server_timeout) {

  695.     session->timeout = server_timeout;

  696.   }

  697. 

  698.   /* Parse out the extensions. */

  699.   int have_early_data_info = 0;

  700.   CBS early_data_info;

  701.   const SSL_EXTENSION_TYPE ext_types[] = {

  702.       {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,

  703.        &early_data_info},

  704.   };

  705. 

  706.   uint8_t alert = SSL_AD_DECODE_ERROR;

  707.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  708.                             OPENSSL_ARRAY_SIZE(ext_types),

  709.                             1 /* ignore unknown */)) {

  710.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  711.     goto err;

  712.   }

  713. 

  714.   if (have_early_data_info && ssl->cert->enable_early_data) {

  715.     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||

  716.         CBS_len(&early_data_info) != 0) {

  717.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  718.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  719.       goto err;

  720.     }

  721.   }

  722. 

  723.   session->ticket_age_add_valid = 1;

  724.   session->not_resumable = 0;

  725. 

  726.   if (ssl->ctx->new_session_cb != NULL &&

  727.       ssl->ctx->new_session_cb(ssl, session)) {

  728.     /* |new_session_cb|'s return value signals that it took ownership. */

  729.     session = NULL;

  730.   }

  731. 

  732.   ret = 1;

  733. 

  734. err:

  735.   SSL_SESSION_free(session);

  736.   return ret;

  737. }

  738. 

  739. void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {

  740.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  741. 

  742.   OPENSSL_free(hs->key_share_bytes);

  743.   hs->key_share_bytes = NULL;

  744.   hs->key_share_bytes_len = 0;

  745. }