kris
/
boringssl
1
0
Fork 0
Koodi Ongelmat 0 Pull-pyynnöt 0 Julkaisut 0 Wiki Toiminta
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4415 Commitit
12 Branchit
38 MiB
 
 
 
 
 
 
Puu: c386440683
Branchit Tagit
${ item.name }
Create branch ${ searchTerm }
from 'c386440683'
${ noResults }
boringssl/ssl/tls13_client.cc

779 rivejä
25 KiB
Raaka Blame Historia 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <limits.h>

  19. #include <string.h>

  20. 

  21. #include <openssl/bytestring.h>

  22. #include <openssl/digest.h>

  23. #include <openssl/err.h>

  24. #include <openssl/mem.h>

  25. #include <openssl/stack.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. enum client_hs_state_t {

  32.   state_process_hello_retry_request = 0,

  33.   state_send_second_client_hello,

  34.   state_process_server_hello,

  35.   state_process_change_cipher_spec,

  36.   state_process_encrypted_extensions,

  37.   state_continue_second_server_flight,

  38.   state_process_certificate_request,

  39.   state_process_server_certificate,

  40.   state_process_server_certificate_verify,

  41.   state_process_server_finished,

  42.   state_send_end_of_early_data,

  43.   state_send_client_certificate,

  44.   state_send_client_certificate_verify,

  45.   state_complete_second_flight,

  46.   state_done,

  47. };

  48. 

  49. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  50. 

  51. static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) {

  52.   SSL *const ssl = hs->ssl;

  53.   if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {

  54.     hs->tls13_state = state_process_server_hello;

  55.     return ssl_hs_ok;

  56.   }

  57. 

  58.   CBS cbs, extensions;

  59.   uint16_t server_version;

  60.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  61.   if (!CBS_get_u16(&cbs, &server_version) ||

  62.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  63.       /* HelloRetryRequest may not be empty. */

  64.       CBS_len(&extensions) == 0 ||

  65.       CBS_len(&cbs) != 0) {

  66.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  67.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  68.     return ssl_hs_error;

  69.   }

  70. 

  71.   int have_cookie, have_key_share;

  72.   CBS cookie, key_share;

  73.   const SSL_EXTENSION_TYPE ext_types[] = {

  74.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  75.       {TLSEXT_TYPE_cookie, &have_cookie, &cookie},

  76.   };

  77. 

  78.   uint8_t alert = SSL_AD_DECODE_ERROR;

  79.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  80.                             OPENSSL_ARRAY_SIZE(ext_types),

  81.                             0 /* reject unknown */)) {

  82.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  83.     return ssl_hs_error;

  84.   }

  85. 

  86.   if (have_cookie) {

  87.     CBS cookie_value;

  88.     if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||

  89.         CBS_len(&cookie_value) == 0 ||

  90.         CBS_len(&cookie) != 0) {

  91.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  92.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  93.       return ssl_hs_error;

  94.     }

  95. 

  96.     if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {

  97.       return ssl_hs_error;

  98.     }

  99.   }

  100. 

  101.   if (have_key_share) {

  102.     uint16_t group_id;

  103.     if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {

  104.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  105.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  106.       return ssl_hs_error;

  107.     }

  108. 

  109.     /* The group must be supported. */

  110.     const uint16_t *groups;

  111.     size_t groups_len;

  112.     tls1_get_grouplist(ssl, &groups, &groups_len);

  113.     int found = 0;

  114.     for (size_t i = 0; i < groups_len; i++) {

  115.       if (groups[i] == group_id) {

  116.         found = 1;

  117.         break;

  118.       }

  119.     }

  120. 

  121.     if (!found) {

  122.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  123.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  124.       return ssl_hs_error;

  125.     }

  126. 

  127.     /* Check that the HelloRetryRequest does not request the key share that

  128.      * was provided in the initial ClientHello. */

  129.     if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {

  130.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  131.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  132.       return ssl_hs_error;

  133.     }

  134. 

  135.     SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  136.     hs->retry_group = group_id;

  137.   }

  138. 

  139.   if (!ssl_hash_current_message(hs)) {

  140.     return ssl_hs_error;

  141.   }

  142. 

  143.   hs->received_hello_retry_request = 1;

  144.   hs->tls13_state = state_send_second_client_hello;

  145.   /* 0-RTT is rejected if we receive a HelloRetryRequest. */

  146.   if (hs->in_early_data) {

  147.     return ssl_hs_early_data_rejected;

  148.   }

  149.   return ssl_hs_ok;

  150. }

  151. 

  152. static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {

  153.   SSL *const ssl = hs->ssl;

  154.   if (!ssl->method->set_write_state(ssl, NULL) ||

  155.       !ssl_write_client_hello(hs)) {

  156.     return ssl_hs_error;

  157.   }

  158. 

  159.   hs->tls13_state = state_process_server_hello;

  160.   return ssl_hs_flush_and_read_message;

  161. }

  162. 

  163. static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {

  164.   SSL *const ssl = hs->ssl;

  165.   if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {

  166.     return ssl_hs_error;

  167.   }

  168. 

  169.   CBS cbs, server_random, session_id, extensions;

  170.   uint16_t server_version;

  171.   uint16_t cipher_suite;

  172.   uint8_t compression_method;

  173.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  174.   if (!CBS_get_u16(&cbs, &server_version) ||

  175.       !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||

  176.       (ssl->version == TLS1_3_EXPERIMENT_VERSION &&

  177.        !CBS_get_u8_length_prefixed(&cbs, &session_id)) ||

  178.       !CBS_get_u16(&cbs, &cipher_suite) ||

  179.       (ssl->version == TLS1_3_EXPERIMENT_VERSION &&

  180.        (!CBS_get_u8(&cbs, &compression_method) || compression_method != 0)) ||

  181.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  182.       CBS_len(&cbs) != 0) {

  183.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  184.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  185.     return ssl_hs_error;

  186.   }

  187. 

  188.   uint16_t expected_version =

  189.       ssl->version == TLS1_3_EXPERIMENT_VERSION ? TLS1_2_VERSION : ssl->version;

  190.   if (server_version != expected_version) {

  191.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  192.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);

  193.     return ssl_hs_error;

  194.   }

  195. 

  196.   assert(ssl->s3->have_version);

  197.   OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),

  198.                  SSL3_RANDOM_SIZE);

  199. 

  200.   const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);

  201.   if (cipher == NULL) {

  202.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);

  203.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  204.     return ssl_hs_error;

  205.   }

  206. 

  207.   /* Check if the cipher is a TLS 1.3 cipher. */

  208.   if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||

  209.       SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {

  210.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);

  211.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  212.     return ssl_hs_error;

  213.   }

  214. 

  215.   /* Parse out the extensions. */

  216.   int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0;

  217.   CBS key_share, pre_shared_key, supported_versions;

  218.   const SSL_EXTENSION_TYPE ext_types[] = {

  219.       {TLSEXT_TYPE_key_share, &have_key_share, &key_share},

  220.       {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},

  221.       {TLSEXT_TYPE_supported_versions, &have_supported_versions,

  222.        &supported_versions},

  223.   };

  224. 

  225.   uint8_t alert = SSL_AD_DECODE_ERROR;

  226.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  227.                             OPENSSL_ARRAY_SIZE(ext_types),

  228.                             0 /* reject unknown */)) {

  229.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  230.     return ssl_hs_error;

  231.   }

  232. 

  233.   /* supported_versions is parsed in handshake_client to select the experimental

  234.    * TLS 1.3 version. */

  235.   if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) {

  236.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  237.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  238.     return ssl_hs_error;

  239.   }

  240. 

  241.   alert = SSL_AD_DECODE_ERROR;

  242.   if (have_pre_shared_key) {

  243.     if (ssl->session == NULL) {

  244.       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);

  245.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);

  246.       return ssl_hs_error;

  247.     }

  248. 

  249.     if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,

  250.                                                   &pre_shared_key)) {

  251.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  252.       return ssl_hs_error;

  253.     }

  254. 

  255.     if (ssl->session->ssl_version != ssl->version) {

  256.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);

  257.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  258.       return ssl_hs_error;

  259.     }

  260. 

  261.     if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {

  262.       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);

  263.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  264.       return ssl_hs_error;

  265.     }

  266. 

  267.     if (!ssl_session_is_context_valid(ssl, ssl->session)) {

  268.       /* This is actually a client application bug. */

  269.       OPENSSL_PUT_ERROR(SSL,

  270.                         SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

  271.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  272.       return ssl_hs_error;

  273.     }

  274. 

  275.     ssl->s3->session_reused = 1;

  276.     /* Only authentication information carries over in TLS 1.3. */

  277.     hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);

  278.     if (hs->new_session == NULL) {

  279.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  280.       return ssl_hs_error;

  281.     }

  282.     ssl_set_session(ssl, NULL);

  283. 

  284.     /* Resumption incorporates fresh key material, so refresh the timeout. */

  285.     ssl_session_renew_timeout(ssl, hs->new_session,

  286.                               ssl->session_ctx->session_psk_dhe_timeout);

  287.   } else if (!ssl_get_new_session(hs, 0)) {

  288.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  289.     return ssl_hs_error;

  290.   }

  291. 

  292.   hs->new_session->cipher = cipher;

  293.   hs->new_cipher = cipher;

  294. 

  295.   /* The PRF hash is now known. Set up the key schedule. */

  296.   if (!tls13_init_key_schedule(hs)) {

  297.     return ssl_hs_error;

  298.   }

  299. 

  300.   /* Incorporate the PSK into the running secret. */

  301.   if (ssl->s3->session_reused) {

  302.     if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,

  303.                                     hs->new_session->master_key_length)) {

  304.       return ssl_hs_error;

  305.     }

  306.   } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {

  307.     return ssl_hs_error;

  308.   }

  309. 

  310.   if (!have_key_share) {

  311.     /* We do not support psk_ke and thus always require a key share. */

  312.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  313.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  314.     return ssl_hs_error;

  315.   }

  316. 

  317.   /* Resolve ECDHE and incorporate it into the secret. */

  318.   uint8_t *dhe_secret;

  319.   size_t dhe_secret_len;

  320.   alert = SSL_AD_DECODE_ERROR;

  321.   if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,

  322.                                            &alert, &key_share)) {

  323.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  324.     return ssl_hs_error;

  325.   }

  326. 

  327.   if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {

  328.     OPENSSL_free(dhe_secret);

  329.     return ssl_hs_error;

  330.   }

  331.   OPENSSL_free(dhe_secret);

  332. 

  333.   if (!ssl_hash_current_message(hs) ||

  334.       !tls13_derive_handshake_secrets(hs)) {

  335.     return ssl_hs_error;

  336.   }

  337.   hs->tls13_state = state_process_change_cipher_spec;

  338.   return ssl->version == TLS1_3_EXPERIMENT_VERSION

  339.              ? ssl_hs_read_change_cipher_spec

  340.              : ssl_hs_ok;

  341. }

  342. 

  343. static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {

  344.   SSL *const ssl = hs->ssl;

  345.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,

  346.                              hs->hash_len)) {

  347.     return ssl_hs_error;

  348.   }

  349. 

  350.   if (!hs->early_data_offered) {

  351.     /* If not sending early data, set client traffic keys now so that alerts are

  352.      * encrypted. */

  353.     if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&

  354.          !ssl3_add_change_cipher_spec(ssl)) ||

  355.         !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  356.                                hs->hash_len)) {

  357.       return ssl_hs_error;

  358.     }

  359.   }

  360. 

  361.   hs->tls13_state = state_process_encrypted_extensions;

  362.   return ssl_hs_read_message;

  363. }

  364. 

  365. static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) {

  366.   SSL *const ssl = hs->ssl;

  367.   if (!ssl_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {

  368.     return ssl_hs_error;

  369.   }

  370. 

  371.   CBS cbs;

  372.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  373.   if (!ssl_parse_serverhello_tlsext(hs, &cbs)) {

  374.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  375.     return ssl_hs_error;

  376.   }

  377.   if (CBS_len(&cbs) != 0) {

  378.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  379.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  380.     return ssl_hs_error;

  381.   }

  382. 

  383.   /* Store the negotiated ALPN in the session. */

  384.   if (ssl->s3->alpn_selected != NULL) {

  385.     hs->new_session->early_alpn = (uint8_t *)BUF_memdup(

  386.         ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);

  387.     if (hs->new_session->early_alpn == NULL) {

  388.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  389.       return ssl_hs_error;

  390.     }

  391.     hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;

  392.   }

  393. 

  394.   if (ssl->early_data_accepted) {

  395.     if (hs->early_session->cipher != hs->new_session->cipher ||

  396.         hs->early_session->early_alpn_len != ssl->s3->alpn_selected_len ||

  397.         OPENSSL_memcmp(hs->early_session->early_alpn, ssl->s3->alpn_selected,

  398.                        ssl->s3->alpn_selected_len) != 0) {

  399.       OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);

  400.       return ssl_hs_error;

  401.     }

  402.     if (ssl->s3->tlsext_channel_id_valid) {

  403.       OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA);

  404.       return ssl_hs_error;

  405.     }

  406.   }

  407. 

  408.   if (!ssl_hash_current_message(hs)) {

  409.     return ssl_hs_error;

  410.   }

  411. 

  412.   hs->tls13_state = state_continue_second_server_flight;

  413.   if (hs->in_early_data && !ssl->early_data_accepted) {

  414.     return ssl_hs_early_data_rejected;

  415.   }

  416.   return ssl_hs_ok;

  417. }

  418. 

  419. static enum ssl_hs_wait_t do_continue_second_server_flight(SSL_HANDSHAKE *hs) {

  420.   hs->tls13_state = state_process_certificate_request;

  421.   return ssl_hs_read_message;

  422. }

  423. 

  424. static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) {

  425.   SSL *const ssl = hs->ssl;

  426.   /* CertificateRequest may only be sent in non-resumption handshakes. */

  427.   if (ssl->s3->session_reused) {

  428.     hs->tls13_state = state_process_server_finished;

  429.     return ssl_hs_ok;

  430.   }

  431. 

  432.   /* CertificateRequest is optional. */

  433.   if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {

  434.     hs->tls13_state = state_process_server_certificate;

  435.     return ssl_hs_ok;

  436.   }

  437. 

  438.   CBS cbs, context, supported_signature_algorithms;

  439.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  440.   if (!CBS_get_u8_length_prefixed(&cbs, &context) ||

  441.       /* The request context is always empty during the handshake. */

  442.       CBS_len(&context) != 0 ||

  443.       !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||

  444.       CBS_len(&supported_signature_algorithms) == 0 ||

  445.       !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {

  446.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  447.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  448.     return ssl_hs_error;

  449.   }

  450. 

  451.   uint8_t alert = SSL_AD_DECODE_ERROR;

  452.   STACK_OF(CRYPTO_BUFFER) *ca_names =

  453.       ssl_parse_client_CA_list(ssl, &alert, &cbs);

  454.   if (ca_names == NULL) {

  455.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  456.     return ssl_hs_error;

  457.   }

  458. 

  459.   /* Ignore extensions. */

  460.   CBS extensions;

  461.   if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  462.       CBS_len(&cbs) != 0) {

  463.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  464.     sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free);

  465.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  466.     return ssl_hs_error;

  467.   }

  468. 

  469.   hs->cert_request = 1;

  470.   sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);

  471.   hs->ca_names = ca_names;

  472.   ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);

  473. 

  474.   if (!ssl_hash_current_message(hs)) {

  475.     return ssl_hs_error;

  476.   }

  477. 

  478.   hs->tls13_state = state_process_server_certificate;

  479.   return ssl_hs_read_message;

  480. }

  481. 

  482. static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) {

  483.   SSL *const ssl = hs->ssl;

  484.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  485.       !tls13_process_certificate(hs, 0 /* certificate required */) ||

  486.       !ssl_hash_current_message(hs)) {

  487.     return ssl_hs_error;

  488.   }

  489. 

  490.   hs->tls13_state = state_process_server_certificate_verify;

  491.   return ssl_hs_read_message;

  492. }

  493. 

  494. static enum ssl_hs_wait_t do_process_server_certificate_verify(

  495.     SSL_HANDSHAKE *hs) {

  496.   SSL *const ssl = hs->ssl;

  497.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  498.       !tls13_process_certificate_verify(hs) ||

  499.       !ssl_hash_current_message(hs)) {

  500.     return ssl_hs_error;

  501.   }

  502. 

  503.   hs->tls13_state = state_process_server_finished;

  504.   return ssl_hs_read_message;

  505. }

  506. 

  507. static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) {

  508.   SSL *const ssl = hs->ssl;

  509.   if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) ||

  510.       !tls13_process_finished(hs, 0 /* don't use saved value */) ||

  511.       !ssl_hash_current_message(hs) ||

  512.       /* Update the secret to the master secret and derive traffic keys. */

  513.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  514.       !tls13_derive_application_secrets(hs)) {

  515.     return ssl_hs_error;

  516.   }

  517. 

  518.   ssl->method->received_flight(ssl);

  519.   hs->tls13_state = state_send_end_of_early_data;

  520.   return ssl_hs_ok;

  521. }

  522. 

  523. static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {

  524.   SSL *const ssl = hs->ssl;

  525. 

  526.   if (ssl->early_data_accepted) {

  527.     hs->can_early_write = 0;

  528.     if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,

  529.                                 TLS1_AD_END_OF_EARLY_DATA)) {

  530.       return ssl_hs_error;

  531.     }

  532.   }

  533. 

  534.   if (hs->early_data_offered) {

  535.     if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&

  536.          !ssl3_add_change_cipher_spec(ssl)) ||

  537.         !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,

  538.                                hs->hash_len)) {

  539.       return ssl_hs_error;

  540.     }

  541.   }

  542. 

  543.   hs->tls13_state = state_send_client_certificate;

  544.   return ssl_hs_ok;

  545. }

  546. 

  547. static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {

  548.   SSL *const ssl = hs->ssl;

  549. 

  550.   /* The peer didn't request a certificate. */

  551.   if (!hs->cert_request) {

  552.     hs->tls13_state = state_complete_second_flight;

  553.     return ssl_hs_ok;

  554.   }

  555. 

  556.   /* Call cert_cb to update the certificate. */

  557.   if (ssl->cert->cert_cb != NULL) {

  558.     int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);

  559.     if (rv == 0) {

  560.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  561.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  562.       return ssl_hs_error;

  563.     }

  564.     if (rv < 0) {

  565.       hs->tls13_state = state_send_client_certificate;

  566.       return ssl_hs_x509_lookup;

  567.     }

  568.   }

  569. 

  570.   if (!ssl_on_certificate_selected(hs) ||

  571.       !tls13_add_certificate(hs)) {

  572.     return ssl_hs_error;

  573.   }

  574. 

  575.   hs->tls13_state = state_send_client_certificate_verify;

  576.   return ssl_hs_ok;

  577. }

  578. 

  579. static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {

  580.   SSL *const ssl = hs->ssl;

  581.   /* Don't send CertificateVerify if there is no certificate. */

  582.   if (!ssl_has_certificate(ssl)) {

  583.     hs->tls13_state = state_complete_second_flight;

  584.     return ssl_hs_ok;

  585.   }

  586. 

  587.   switch (tls13_add_certificate_verify(hs)) {

  588.     case ssl_private_key_success:

  589.       hs->tls13_state = state_complete_second_flight;

  590.       return ssl_hs_ok;

  591. 

  592.     case ssl_private_key_retry:

  593.       hs->tls13_state = state_send_client_certificate_verify;

  594.       return ssl_hs_private_key_operation;

  595. 

  596.     case ssl_private_key_failure:

  597.       return ssl_hs_error;

  598.   }

  599. 

  600.   assert(0);

  601.   return ssl_hs_error;

  602. }

  603. 

  604. static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {

  605.   SSL *const ssl = hs->ssl;

  606. 

  607.   /* Send a Channel ID assertion if necessary. */

  608.   if (ssl->s3->tlsext_channel_id_valid) {

  609.     if (!ssl_do_channel_id_callback(ssl)) {

  610.       hs->tls13_state = state_complete_second_flight;

  611.       return ssl_hs_error;

  612.     }

  613. 

  614.     if (ssl->tlsext_channel_id_private == NULL) {

  615.       return ssl_hs_channel_id_lookup;

  616.     }

  617. 

  618.     CBB cbb, body;

  619.     if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||

  620.         !tls1_write_channel_id(hs, &body) ||

  621.         !ssl_add_message_cbb(ssl, &cbb)) {

  622.       CBB_cleanup(&cbb);

  623.       return ssl_hs_error;

  624.     }

  625.   }

  626. 

  627.   /* Send a Finished message. */

  628.   if (!tls13_add_finished(hs)) {

  629.     return ssl_hs_error;

  630.   }

  631. 

  632.   /* Derive the final keys and enable them. */

  633.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,

  634.                              hs->hash_len) ||

  635.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,

  636.                              hs->hash_len) ||

  637.       !tls13_derive_resumption_secret(hs)) {

  638.     return ssl_hs_error;

  639.   }

  640. 

  641.   hs->tls13_state = state_done;

  642.   return ssl_hs_flush;

  643. }

  644. 

  645. enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {

  646.   while (hs->tls13_state != state_done) {

  647.     enum ssl_hs_wait_t ret = ssl_hs_error;

  648.     enum client_hs_state_t state =

  649.         static_cast<enum client_hs_state_t>(hs->tls13_state);

  650.     switch (state) {

  651.       case state_process_hello_retry_request:

  652.         ret = do_process_hello_retry_request(hs);

  653.         break;

  654.       case state_send_second_client_hello:

  655.         ret = do_send_second_client_hello(hs);

  656.         break;

  657.       case state_process_server_hello:

  658.         ret = do_process_server_hello(hs);

  659.         break;

  660.       case state_process_change_cipher_spec:

  661.         ret = do_process_change_cipher_spec(hs);

  662.         break;

  663.       case state_process_encrypted_extensions:

  664.         ret = do_process_encrypted_extensions(hs);

  665.         break;

  666.       case state_continue_second_server_flight:

  667.         ret = do_continue_second_server_flight(hs);

  668.         break;

  669.       case state_process_certificate_request:

  670.         ret = do_process_certificate_request(hs);

  671.         break;

  672.       case state_process_server_certificate:

  673.         ret = do_process_server_certificate(hs);

  674.         break;

  675.       case state_process_server_certificate_verify:

  676.         ret = do_process_server_certificate_verify(hs);

  677.         break;

  678.       case state_process_server_finished:

  679.         ret = do_process_server_finished(hs);

  680.         break;

  681.       case state_send_end_of_early_data:

  682.         ret = do_send_end_of_early_data(hs);

  683.         break;

  684.       case state_send_client_certificate:

  685.         ret = do_send_client_certificate(hs);

  686.         break;

  687.       case state_send_client_certificate_verify:

  688.         ret = do_send_client_certificate_verify(hs);

  689.         break;

  690.       case state_complete_second_flight:

  691.         ret = do_complete_second_flight(hs);

  692.         break;

  693.       case state_done:

  694.         ret = ssl_hs_ok;

  695.         break;

  696.     }

  697. 

  698.     if (ret != ssl_hs_ok) {

  699.       return ret;

  700.     }

  701.   }

  702. 

  703.   return ssl_hs_ok;

  704. }

  705. 

  706. int tls13_process_new_session_ticket(SSL *ssl) {

  707.   bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_dup(

  708.       ssl->s3->established_session, SSL_SESSION_INCLUDE_NONAUTH));

  709.   if (!session) {

  710.     return 0;

  711.   }

  712. 

  713.   ssl_session_rebase_time(ssl, session.get());

  714. 

  715.   uint32_t server_timeout;

  716.   CBS cbs, ticket, extensions;

  717.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  718.   if (!CBS_get_u32(&cbs, &server_timeout) ||

  719.       !CBS_get_u32(&cbs, &session->ticket_age_add) ||

  720.       !CBS_get_u16_length_prefixed(&cbs, &ticket) ||

  721.       !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||

  722.       !CBS_get_u16_length_prefixed(&cbs, &extensions) ||

  723.       CBS_len(&cbs) != 0) {

  724.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  725.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  726.     return 0;

  727.   }

  728. 

  729.   /* Cap the renewable lifetime by the server advertised value. This avoids

  730.    * wasting bandwidth on 0-RTT when we know the server will reject it. */

  731.   if (session->timeout > server_timeout) {

  732.     session->timeout = server_timeout;

  733.   }

  734. 

  735.   /* Parse out the extensions. */

  736.   int have_early_data_info = 0;

  737.   CBS early_data_info;

  738.   const SSL_EXTENSION_TYPE ext_types[] = {

  739.       {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,

  740.        &early_data_info},

  741.   };

  742. 

  743.   uint8_t alert = SSL_AD_DECODE_ERROR;

  744.   if (!ssl_parse_extensions(&extensions, &alert, ext_types,

  745.                             OPENSSL_ARRAY_SIZE(ext_types),

  746.                             1 /* ignore unknown */)) {

  747.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  748.     return 0;

  749.   }

  750. 

  751.   if (have_early_data_info && ssl->cert->enable_early_data) {

  752.     if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||

  753.         CBS_len(&early_data_info) != 0) {

  754.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  755.       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  756.       return 0;

  757.     }

  758.   }

  759. 

  760.   session->ticket_age_add_valid = 1;

  761.   session->not_resumable = 0;

  762. 

  763.   if (ssl->ctx->new_session_cb != NULL &&

  764.       ssl->ctx->new_session_cb(ssl, session.get())) {

  765.     /* |new_session_cb|'s return value signals that it took ownership. */

  766.     session.release();

  767.   }

  768. 

  769.   return 1;

  770. }

  771. 

  772. void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {

  773.   SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);

  774. 

  775.   OPENSSL_free(hs->key_share_bytes);

  776.   hs->key_share_bytes = NULL;

  777.   hs->key_share_bytes_len = 0;

  778. }