1 /* Copyright (c) 2016, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <assert.h> 18 #include <limits.h> 19 #include <string.h> 20 21 #include <openssl/bytestring.h> 22 #include <openssl/digest.h> 23 #include <openssl/err.h> 24 #include <openssl/mem.h> 25 #include <openssl/stack.h> 26 27 #include "../crypto/internal.h" 28 #include "internal.h" 29 30 31 enum client_hs_state_t { 32 state_process_hello_retry_request = 0, 33 state_send_second_client_hello, 34 state_process_server_hello, 35 state_process_encrypted_extensions, 36 state_process_certificate_request, 37 state_process_server_certificate, 38 state_process_server_certificate_verify, 39 state_process_server_finished, 40 state_send_end_of_early_data, 41 state_send_client_certificate, 42 state_send_client_certificate_verify, 43 state_complete_client_certificate_verify, 44 state_complete_second_flight, 45 state_done, 46 }; 47 48 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0}; 49 50 static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) { 51 SSL *const ssl = hs->ssl; 52 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) { 53 hs->tls13_state = state_process_server_hello; 54 return ssl_hs_ok; 55 } 56 57 CBS cbs, extensions; 58 uint16_t server_wire_version; 59 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 60 if (!CBS_get_u16(&cbs, &server_wire_version) || 61 !CBS_get_u16_length_prefixed(&cbs, &extensions) || 62 /* HelloRetryRequest may not be empty. */ 63 CBS_len(&extensions) == 0 || 64 CBS_len(&cbs) != 0) { 65 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 66 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 67 return ssl_hs_error; 68 } 69 70 int have_cookie, have_key_share; 71 CBS cookie, key_share; 72 const SSL_EXTENSION_TYPE ext_types[] = { 73 {TLSEXT_TYPE_key_share, &have_key_share, &key_share}, 74 {TLSEXT_TYPE_cookie, &have_cookie, &cookie}, 75 }; 76 77 uint8_t alert = SSL_AD_DECODE_ERROR; 78 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 79 OPENSSL_ARRAY_SIZE(ext_types), 80 0 /* reject unknown */)) { 81 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 82 return ssl_hs_error; 83 } 84 85 if (have_cookie) { 86 CBS cookie_value; 87 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) || 88 CBS_len(&cookie_value) == 0 || 89 CBS_len(&cookie) != 0) { 90 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 91 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 92 return ssl_hs_error; 93 } 94 95 if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) { 96 return ssl_hs_error; 97 } 98 } 99 100 if (have_key_share) { 101 uint16_t group_id; 102 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) { 103 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 104 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 105 return ssl_hs_error; 106 } 107 108 /* The group must be supported. */ 109 const uint16_t *groups; 110 size_t groups_len; 111 tls1_get_grouplist(ssl, &groups, &groups_len); 112 int found = 0; 113 for (size_t i = 0; i < groups_len; i++) { 114 if (groups[i] == group_id) { 115 found = 1; 116 break; 117 } 118 } 119 120 if (!found) { 121 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 122 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 123 return ssl_hs_error; 124 } 125 126 /* Check that the HelloRetryRequest does not request the key share that 127 * was provided in the initial ClientHello. */ 128 if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) { 129 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 130 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 131 return ssl_hs_error; 132 } 133 134 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx); 135 hs->retry_group = group_id; 136 } 137 138 if (!ssl_hash_current_message(hs)) { 139 return ssl_hs_error; 140 } 141 142 hs->received_hello_retry_request = 1; 143 hs->tls13_state = state_send_second_client_hello; 144 return ssl_hs_ok; 145 } 146 147 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) { 148 SSL *const ssl = hs->ssl; 149 /* TODO(svaldez): Ensure that we set can_early_write to false since 0-RTT is 150 * rejected if we receive a HelloRetryRequest. */ 151 if (!ssl->method->set_write_state(ssl, NULL) || 152 !ssl_write_client_hello(hs)) { 153 return ssl_hs_error; 154 } 155 156 hs->tls13_state = state_process_server_hello; 157 return ssl_hs_flush_and_read_message; 158 } 159 160 static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) { 161 SSL *const ssl = hs->ssl; 162 if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) { 163 return ssl_hs_error; 164 } 165 166 CBS cbs, server_random, extensions; 167 uint16_t server_wire_version; 168 uint16_t cipher_suite; 169 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 170 if (!CBS_get_u16(&cbs, &server_wire_version) || 171 !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) || 172 !CBS_get_u16(&cbs, &cipher_suite) || 173 !CBS_get_u16_length_prefixed(&cbs, &extensions) || 174 CBS_len(&cbs) != 0) { 175 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 176 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 177 return ssl_hs_error; 178 } 179 180 if (server_wire_version != ssl->version) { 181 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 182 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER); 183 return ssl_hs_error; 184 } 185 186 assert(ssl->s3->have_version); 187 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random), 188 SSL3_RANDOM_SIZE); 189 190 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); 191 if (cipher == NULL) { 192 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED); 193 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 194 return ssl_hs_error; 195 } 196 197 /* Check if the cipher is a TLS 1.3 cipher. */ 198 if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) || 199 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) { 200 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); 201 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 202 return ssl_hs_error; 203 } 204 205 /* Parse out the extensions. */ 206 int have_key_share = 0, have_pre_shared_key = 0; 207 CBS key_share, pre_shared_key; 208 const SSL_EXTENSION_TYPE ext_types[] = { 209 {TLSEXT_TYPE_key_share, &have_key_share, &key_share}, 210 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key}, 211 }; 212 213 uint8_t alert = SSL_AD_DECODE_ERROR; 214 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 215 OPENSSL_ARRAY_SIZE(ext_types), 216 0 /* reject unknown */)) { 217 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 218 return ssl_hs_error; 219 } 220 221 alert = SSL_AD_DECODE_ERROR; 222 if (have_pre_shared_key) { 223 if (ssl->session == NULL) { 224 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 225 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 226 return ssl_hs_error; 227 } 228 229 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert, 230 &pre_shared_key)) { 231 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 232 return ssl_hs_error; 233 } 234 235 if (ssl->session->ssl_version != ssl->version) { 236 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED); 237 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 238 return ssl_hs_error; 239 } 240 241 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) { 242 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH); 243 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 244 return ssl_hs_error; 245 } 246 247 if (!ssl_session_is_context_valid(ssl, ssl->session)) { 248 /* This is actually a client application bug. */ 249 OPENSSL_PUT_ERROR(SSL, 250 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 251 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 252 return ssl_hs_error; 253 } 254 255 ssl->s3->session_reused = 1; 256 /* Only authentication information carries over in TLS 1.3. */ 257 hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY); 258 if (hs->new_session == NULL) { 259 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 260 return ssl_hs_error; 261 } 262 263 /* Resumption incorporates fresh key material, so refresh the timeout. */ 264 ssl_session_renew_timeout(ssl, hs->new_session, 265 ssl->session_ctx->session_psk_dhe_timeout); 266 } else if (!ssl_get_new_session(hs, 0)) { 267 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 268 return ssl_hs_error; 269 } 270 271 hs->new_session->cipher = cipher; 272 hs->new_cipher = cipher; 273 274 /* The PRF hash is now known. Set up the key schedule. */ 275 if (!tls13_init_key_schedule(hs)) { 276 return ssl_hs_error; 277 } 278 279 /* Incorporate the PSK into the running secret. */ 280 if (ssl->s3->session_reused) { 281 if (!tls13_advance_key_schedule(hs, hs->new_session->master_key, 282 hs->new_session->master_key_length)) { 283 return ssl_hs_error; 284 } 285 } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) { 286 return ssl_hs_error; 287 } 288 289 if (!have_key_share) { 290 /* We do not support psk_ke and thus always require a key share. */ 291 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); 292 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); 293 return ssl_hs_error; 294 } 295 296 /* Resolve ECDHE and incorporate it into the secret. */ 297 uint8_t *dhe_secret; 298 size_t dhe_secret_len; 299 alert = SSL_AD_DECODE_ERROR; 300 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len, 301 &alert, &key_share)) { 302 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 303 return ssl_hs_error; 304 } 305 306 if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) { 307 OPENSSL_free(dhe_secret); 308 return ssl_hs_error; 309 } 310 OPENSSL_free(dhe_secret); 311 312 if (!ssl_hash_current_message(hs) || 313 !tls13_derive_handshake_secrets(hs) || 314 !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret, 315 hs->hash_len)) { 316 return ssl_hs_error; 317 } 318 319 /* If not sending early data, set client traffic keys now so that alerts are 320 * encrypted. */ 321 if (!hs->early_data_offered && 322 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, 323 hs->hash_len)) { 324 return ssl_hs_error; 325 } 326 327 hs->tls13_state = state_process_encrypted_extensions; 328 return ssl_hs_read_message; 329 } 330 331 static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) { 332 SSL *const ssl = hs->ssl; 333 if (!ssl_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) { 334 return ssl_hs_error; 335 } 336 337 CBS cbs; 338 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 339 if (!ssl_parse_serverhello_tlsext(hs, &cbs)) { 340 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); 341 return ssl_hs_error; 342 } 343 if (CBS_len(&cbs) != 0) { 344 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 345 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 346 return ssl_hs_error; 347 } 348 349 /* Store the negotiated ALPN in the session. */ 350 if (ssl->s3->alpn_selected != NULL) { 351 hs->new_session->early_alpn = 352 BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len); 353 if (hs->new_session->early_alpn == NULL) { 354 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 355 return ssl_hs_error; 356 } 357 hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len; 358 } 359 360 if (ssl->early_data_accepted) { 361 if (ssl->session->cipher != hs->new_session->cipher || 362 ssl->session->early_alpn_len != ssl->s3->alpn_selected_len || 363 OPENSSL_memcmp(ssl->session->early_alpn, ssl->s3->alpn_selected, 364 ssl->s3->alpn_selected_len) != 0) { 365 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA); 366 return ssl_hs_error; 367 } 368 if (ssl->s3->tlsext_channel_id_valid) { 369 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA); 370 return ssl_hs_error; 371 } 372 } 373 374 /* Release offered session now that it is no longer needed. */ 375 if (ssl->s3->session_reused) { 376 ssl_set_session(ssl, NULL); 377 } 378 379 if (!ssl_hash_current_message(hs)) { 380 return ssl_hs_error; 381 } 382 383 hs->tls13_state = state_process_certificate_request; 384 return ssl_hs_read_message; 385 } 386 387 static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) { 388 SSL *const ssl = hs->ssl; 389 /* CertificateRequest may only be sent in non-resumption handshakes. */ 390 if (ssl->s3->session_reused) { 391 hs->tls13_state = state_process_server_finished; 392 return ssl_hs_ok; 393 } 394 395 /* CertificateRequest is optional. */ 396 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { 397 hs->tls13_state = state_process_server_certificate; 398 return ssl_hs_ok; 399 } 400 401 CBS cbs, context, supported_signature_algorithms; 402 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 403 if (!CBS_get_u8_length_prefixed(&cbs, &context) || 404 /* The request context is always empty during the handshake. */ 405 CBS_len(&context) != 0 || 406 !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) || 407 CBS_len(&supported_signature_algorithms) == 0 || 408 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) { 409 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 410 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 411 return ssl_hs_error; 412 } 413 414 uint8_t alert = SSL_AD_DECODE_ERROR; 415 STACK_OF(CRYPTO_BUFFER) *ca_names = 416 ssl_parse_client_CA_list(ssl, &alert, &cbs); 417 if (ca_names == NULL) { 418 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 419 return ssl_hs_error; 420 } 421 422 /* Ignore extensions. */ 423 CBS extensions; 424 if (!CBS_get_u16_length_prefixed(&cbs, &extensions) || 425 CBS_len(&cbs) != 0) { 426 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 427 sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free); 428 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 429 return ssl_hs_error; 430 } 431 432 hs->cert_request = 1; 433 sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free); 434 hs->ca_names = ca_names; 435 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs); 436 437 if (!ssl_hash_current_message(hs)) { 438 return ssl_hs_error; 439 } 440 441 hs->tls13_state = state_process_server_certificate; 442 return ssl_hs_read_message; 443 } 444 445 static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) { 446 SSL *const ssl = hs->ssl; 447 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) || 448 !tls13_process_certificate(hs, 0 /* certificate required */) || 449 !ssl_hash_current_message(hs)) { 450 return ssl_hs_error; 451 } 452 453 hs->tls13_state = state_process_server_certificate_verify; 454 return ssl_hs_read_message; 455 } 456 457 static enum ssl_hs_wait_t do_process_server_certificate_verify( 458 SSL_HANDSHAKE *hs) { 459 SSL *const ssl = hs->ssl; 460 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) || 461 !tls13_process_certificate_verify(hs) || 462 !ssl_hash_current_message(hs)) { 463 return ssl_hs_error; 464 } 465 466 hs->tls13_state = state_process_server_finished; 467 return ssl_hs_read_message; 468 } 469 470 static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) { 471 SSL *const ssl = hs->ssl; 472 if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) || 473 !tls13_process_finished(hs, 0 /* don't use saved value */) || 474 !ssl_hash_current_message(hs) || 475 /* Update the secret to the master secret and derive traffic keys. */ 476 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || 477 !tls13_derive_application_secrets(hs)) { 478 return ssl_hs_error; 479 } 480 481 ssl->method->received_flight(ssl); 482 hs->tls13_state = state_send_end_of_early_data; 483 return ssl_hs_ok; 484 } 485 486 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) { 487 SSL *const ssl = hs->ssl; 488 /* TODO(svaldez): Stop sending early data. */ 489 if (ssl->early_data_accepted && 490 !ssl->method->add_alert(ssl, SSL3_AL_WARNING, 491 TLS1_AD_END_OF_EARLY_DATA)) { 492 return ssl_hs_error; 493 } 494 495 if (hs->early_data_offered && 496 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, 497 hs->hash_len)) { 498 return ssl_hs_error; 499 } 500 501 hs->tls13_state = state_send_client_certificate; 502 return ssl_hs_ok; 503 } 504 505 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { 506 SSL *const ssl = hs->ssl; 507 508 /* The peer didn't request a certificate. */ 509 if (!hs->cert_request) { 510 hs->tls13_state = state_complete_second_flight; 511 return ssl_hs_ok; 512 } 513 514 /* Call cert_cb to update the certificate. */ 515 if (ssl->cert->cert_cb != NULL) { 516 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); 517 if (rv == 0) { 518 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 519 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR); 520 return ssl_hs_error; 521 } 522 if (rv < 0) { 523 hs->tls13_state = state_send_client_certificate; 524 return ssl_hs_x509_lookup; 525 } 526 } 527 528 if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(ssl) || 529 !tls13_add_certificate(hs)) { 530 return ssl_hs_error; 531 } 532 533 hs->tls13_state = state_send_client_certificate_verify; 534 return ssl_hs_ok; 535 } 536 537 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs, 538 int is_first_run) { 539 SSL *const ssl = hs->ssl; 540 /* Don't send CertificateVerify if there is no certificate. */ 541 if (!ssl_has_certificate(ssl)) { 542 hs->tls13_state = state_complete_second_flight; 543 return ssl_hs_ok; 544 } 545 546 switch (tls13_add_certificate_verify(hs, is_first_run)) { 547 case ssl_private_key_success: 548 hs->tls13_state = state_complete_second_flight; 549 return ssl_hs_ok; 550 551 case ssl_private_key_retry: 552 hs->tls13_state = state_complete_client_certificate_verify; 553 return ssl_hs_private_key_operation; 554 555 case ssl_private_key_failure: 556 return ssl_hs_error; 557 } 558 559 assert(0); 560 return ssl_hs_error; 561 } 562 563 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) { 564 SSL *const ssl = hs->ssl; 565 566 /* Send a Channel ID assertion if necessary. */ 567 if (ssl->s3->tlsext_channel_id_valid) { 568 if (!ssl_do_channel_id_callback(ssl)) { 569 hs->tls13_state = state_complete_second_flight; 570 return ssl_hs_error; 571 } 572 573 if (ssl->tlsext_channel_id_private == NULL) { 574 return ssl_hs_channel_id_lookup; 575 } 576 577 CBB cbb, body; 578 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) || 579 !tls1_write_channel_id(hs, &body) || 580 !ssl_add_message_cbb(ssl, &cbb)) { 581 CBB_cleanup(&cbb); 582 return ssl_hs_error; 583 } 584 } 585 586 /* Send a Finished message. */ 587 if (!tls13_add_finished(hs)) { 588 return ssl_hs_error; 589 } 590 591 /* Derive the final keys and enable them. */ 592 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0, 593 hs->hash_len) || 594 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0, 595 hs->hash_len) || 596 !tls13_derive_resumption_secret(hs)) { 597 return ssl_hs_error; 598 } 599 600 hs->tls13_state = state_done; 601 return ssl_hs_flush; 602 } 603 604 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) { 605 while (hs->tls13_state != state_done) { 606 enum ssl_hs_wait_t ret = ssl_hs_error; 607 enum client_hs_state_t state = hs->tls13_state; 608 switch (state) { 609 case state_process_hello_retry_request: 610 ret = do_process_hello_retry_request(hs); 611 break; 612 case state_send_second_client_hello: 613 ret = do_send_second_client_hello(hs); 614 break; 615 case state_process_server_hello: 616 ret = do_process_server_hello(hs); 617 break; 618 case state_process_encrypted_extensions: 619 ret = do_process_encrypted_extensions(hs); 620 break; 621 case state_process_certificate_request: 622 ret = do_process_certificate_request(hs); 623 break; 624 case state_process_server_certificate: 625 ret = do_process_server_certificate(hs); 626 break; 627 case state_process_server_certificate_verify: 628 ret = do_process_server_certificate_verify(hs); 629 break; 630 case state_process_server_finished: 631 ret = do_process_server_finished(hs); 632 break; 633 case state_send_end_of_early_data: 634 ret = do_send_end_of_early_data(hs); 635 break; 636 case state_send_client_certificate: 637 ret = do_send_client_certificate(hs); 638 break; 639 case state_send_client_certificate_verify: 640 ret = do_send_client_certificate_verify(hs, 1 /* first run */); 641 break; 642 case state_complete_client_certificate_verify: 643 ret = do_send_client_certificate_verify(hs, 0 /* complete */); 644 break; 645 case state_complete_second_flight: 646 ret = do_complete_second_flight(hs); 647 break; 648 case state_done: 649 ret = ssl_hs_ok; 650 break; 651 } 652 653 if (ret != ssl_hs_ok) { 654 return ret; 655 } 656 } 657 658 return ssl_hs_ok; 659 } 660 661 int tls13_process_new_session_ticket(SSL *ssl) { 662 int ret = 0; 663 SSL_SESSION *session = SSL_SESSION_dup(ssl->s3->established_session, 664 SSL_SESSION_INCLUDE_NONAUTH); 665 if (session == NULL) { 666 return 0; 667 } 668 669 ssl_session_rebase_time(ssl, session); 670 671 uint32_t server_timeout; 672 CBS cbs, ticket, extensions; 673 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 674 if (!CBS_get_u32(&cbs, &server_timeout) || 675 !CBS_get_u32(&cbs, &session->ticket_age_add) || 676 !CBS_get_u16_length_prefixed(&cbs, &ticket) || 677 !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) || 678 !CBS_get_u16_length_prefixed(&cbs, &extensions) || 679 CBS_len(&cbs) != 0) { 680 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 681 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 682 goto err; 683 } 684 685 /* Cap the renewable lifetime by the server advertised value. This avoids 686 * wasting bandwidth on 0-RTT when we know the server will reject it. */ 687 if (session->timeout > server_timeout) { 688 session->timeout = server_timeout; 689 } 690 691 /* Parse out the extensions. */ 692 int have_early_data_info = 0; 693 CBS early_data_info; 694 const SSL_EXTENSION_TYPE ext_types[] = { 695 {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info, 696 &early_data_info}, 697 }; 698 699 uint8_t alert = SSL_AD_DECODE_ERROR; 700 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 701 OPENSSL_ARRAY_SIZE(ext_types), 702 1 /* ignore unknown */)) { 703 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 704 goto err; 705 } 706 707 if (have_early_data_info && ssl->ctx->enable_early_data) { 708 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) || 709 CBS_len(&early_data_info) != 0) { 710 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 711 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 712 goto err; 713 } 714 } 715 716 session->ticket_age_add_valid = 1; 717 session->not_resumable = 0; 718 719 if (ssl->ctx->new_session_cb != NULL && 720 ssl->ctx->new_session_cb(ssl, session)) { 721 /* |new_session_cb|'s return value signals that it took ownership. */ 722 session = NULL; 723 } 724 725 ret = 1; 726 727 err: 728 SSL_SESSION_free(session); 729 return ret; 730 } 731 732 void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) { 733 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx); 734 735 OPENSSL_free(hs->key_share_bytes); 736 hs->key_share_bytes = NULL; 737 hs->key_share_bytes_len = 0; 738 } 739