1 /* Copyright (c) 2016, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <assert.h> 18 #include <limits.h> 19 #include <string.h> 20 21 #include <openssl/bytestring.h> 22 #include <openssl/digest.h> 23 #include <openssl/err.h> 24 #include <openssl/mem.h> 25 #include <openssl/stack.h> 26 27 #include "../crypto/internal.h" 28 #include "internal.h" 29 30 31 enum client_hs_state_t { 32 state_process_hello_retry_request = 0, 33 state_send_second_client_hello, 34 state_process_server_hello, 35 state_process_change_cipher_spec, 36 state_process_encrypted_extensions, 37 state_continue_second_server_flight, 38 state_process_certificate_request, 39 state_process_server_certificate, 40 state_process_server_certificate_verify, 41 state_process_server_finished, 42 state_send_end_of_early_data, 43 state_send_client_certificate, 44 state_send_client_certificate_verify, 45 state_complete_second_flight, 46 state_done, 47 }; 48 49 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0}; 50 51 static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) { 52 SSL *const ssl = hs->ssl; 53 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) { 54 hs->tls13_state = state_process_server_hello; 55 return ssl_hs_ok; 56 } 57 58 CBS cbs, extensions; 59 uint16_t server_version; 60 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 61 if (!CBS_get_u16(&cbs, &server_version) || 62 !CBS_get_u16_length_prefixed(&cbs, &extensions) || 63 /* HelloRetryRequest may not be empty. */ 64 CBS_len(&extensions) == 0 || 65 CBS_len(&cbs) != 0) { 66 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 67 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 68 return ssl_hs_error; 69 } 70 71 int have_cookie, have_key_share; 72 CBS cookie, key_share; 73 const SSL_EXTENSION_TYPE ext_types[] = { 74 {TLSEXT_TYPE_key_share, &have_key_share, &key_share}, 75 {TLSEXT_TYPE_cookie, &have_cookie, &cookie}, 76 }; 77 78 uint8_t alert = SSL_AD_DECODE_ERROR; 79 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 80 OPENSSL_ARRAY_SIZE(ext_types), 81 0 /* reject unknown */)) { 82 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 83 return ssl_hs_error; 84 } 85 86 if (have_cookie) { 87 CBS cookie_value; 88 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) || 89 CBS_len(&cookie_value) == 0 || 90 CBS_len(&cookie) != 0) { 91 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 92 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 93 return ssl_hs_error; 94 } 95 96 if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) { 97 return ssl_hs_error; 98 } 99 } 100 101 if (have_key_share) { 102 uint16_t group_id; 103 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) { 104 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 105 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 106 return ssl_hs_error; 107 } 108 109 /* The group must be supported. */ 110 const uint16_t *groups; 111 size_t groups_len; 112 tls1_get_grouplist(ssl, &groups, &groups_len); 113 int found = 0; 114 for (size_t i = 0; i < groups_len; i++) { 115 if (groups[i] == group_id) { 116 found = 1; 117 break; 118 } 119 } 120 121 if (!found) { 122 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 123 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 124 return ssl_hs_error; 125 } 126 127 /* Check that the HelloRetryRequest does not request the key share that 128 * was provided in the initial ClientHello. */ 129 if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) { 130 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 131 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 132 return ssl_hs_error; 133 } 134 135 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx); 136 hs->retry_group = group_id; 137 } 138 139 if (!ssl_hash_current_message(hs)) { 140 return ssl_hs_error; 141 } 142 143 hs->received_hello_retry_request = 1; 144 hs->tls13_state = state_send_second_client_hello; 145 /* 0-RTT is rejected if we receive a HelloRetryRequest. */ 146 if (hs->in_early_data) { 147 return ssl_hs_early_data_rejected; 148 } 149 return ssl_hs_ok; 150 } 151 152 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) { 153 SSL *const ssl = hs->ssl; 154 if (!ssl->method->set_write_state(ssl, NULL) || 155 !ssl_write_client_hello(hs)) { 156 return ssl_hs_error; 157 } 158 159 hs->tls13_state = state_process_server_hello; 160 return ssl_hs_flush_and_read_message; 161 } 162 163 static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) { 164 SSL *const ssl = hs->ssl; 165 if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) { 166 return ssl_hs_error; 167 } 168 169 CBS cbs, server_random, session_id, extensions; 170 uint16_t server_version; 171 uint16_t cipher_suite; 172 uint8_t compression_method; 173 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 174 if (!CBS_get_u16(&cbs, &server_version) || 175 !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) || 176 (ssl->version == TLS1_3_EXPERIMENT_VERSION && 177 !CBS_get_u8_length_prefixed(&cbs, &session_id)) || 178 !CBS_get_u16(&cbs, &cipher_suite) || 179 (ssl->version == TLS1_3_EXPERIMENT_VERSION && 180 (!CBS_get_u8(&cbs, &compression_method) || compression_method != 0)) || 181 !CBS_get_u16_length_prefixed(&cbs, &extensions) || 182 CBS_len(&cbs) != 0) { 183 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 184 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 185 return ssl_hs_error; 186 } 187 188 uint16_t expected_version = 189 ssl->version == TLS1_3_EXPERIMENT_VERSION ? TLS1_2_VERSION : ssl->version; 190 if (server_version != expected_version) { 191 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 192 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER); 193 return ssl_hs_error; 194 } 195 196 assert(ssl->s3->have_version); 197 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random), 198 SSL3_RANDOM_SIZE); 199 200 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); 201 if (cipher == NULL) { 202 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED); 203 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 204 return ssl_hs_error; 205 } 206 207 /* Check if the cipher is a TLS 1.3 cipher. */ 208 if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) || 209 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) { 210 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); 211 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 212 return ssl_hs_error; 213 } 214 215 /* Parse out the extensions. */ 216 int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0; 217 CBS key_share, pre_shared_key, supported_versions; 218 const SSL_EXTENSION_TYPE ext_types[] = { 219 {TLSEXT_TYPE_key_share, &have_key_share, &key_share}, 220 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key}, 221 {TLSEXT_TYPE_supported_versions, &have_supported_versions, 222 &supported_versions}, 223 }; 224 225 uint8_t alert = SSL_AD_DECODE_ERROR; 226 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 227 OPENSSL_ARRAY_SIZE(ext_types), 228 0 /* reject unknown */)) { 229 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 230 return ssl_hs_error; 231 } 232 233 /* supported_versions is parsed in handshake_client to select the experimental 234 * TLS 1.3 version. */ 235 if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) { 236 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 237 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 238 return ssl_hs_error; 239 } 240 241 alert = SSL_AD_DECODE_ERROR; 242 if (have_pre_shared_key) { 243 if (ssl->session == NULL) { 244 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 245 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 246 return ssl_hs_error; 247 } 248 249 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert, 250 &pre_shared_key)) { 251 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 252 return ssl_hs_error; 253 } 254 255 if (ssl->session->ssl_version != ssl->version) { 256 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED); 257 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 258 return ssl_hs_error; 259 } 260 261 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) { 262 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH); 263 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 264 return ssl_hs_error; 265 } 266 267 if (!ssl_session_is_context_valid(ssl, ssl->session)) { 268 /* This is actually a client application bug. */ 269 OPENSSL_PUT_ERROR(SSL, 270 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 271 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 272 return ssl_hs_error; 273 } 274 275 ssl->s3->session_reused = 1; 276 /* Only authentication information carries over in TLS 1.3. */ 277 hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY); 278 if (hs->new_session == NULL) { 279 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 280 return ssl_hs_error; 281 } 282 ssl_set_session(ssl, NULL); 283 284 /* Resumption incorporates fresh key material, so refresh the timeout. */ 285 ssl_session_renew_timeout(ssl, hs->new_session, 286 ssl->session_ctx->session_psk_dhe_timeout); 287 } else if (!ssl_get_new_session(hs, 0)) { 288 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 289 return ssl_hs_error; 290 } 291 292 hs->new_session->cipher = cipher; 293 hs->new_cipher = cipher; 294 295 /* The PRF hash is now known. Set up the key schedule. */ 296 if (!tls13_init_key_schedule(hs)) { 297 return ssl_hs_error; 298 } 299 300 /* Incorporate the PSK into the running secret. */ 301 if (ssl->s3->session_reused) { 302 if (!tls13_advance_key_schedule(hs, hs->new_session->master_key, 303 hs->new_session->master_key_length)) { 304 return ssl_hs_error; 305 } 306 } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) { 307 return ssl_hs_error; 308 } 309 310 if (!have_key_share) { 311 /* We do not support psk_ke and thus always require a key share. */ 312 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); 313 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); 314 return ssl_hs_error; 315 } 316 317 /* Resolve ECDHE and incorporate it into the secret. */ 318 uint8_t *dhe_secret; 319 size_t dhe_secret_len; 320 alert = SSL_AD_DECODE_ERROR; 321 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len, 322 &alert, &key_share)) { 323 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 324 return ssl_hs_error; 325 } 326 327 if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) { 328 OPENSSL_free(dhe_secret); 329 return ssl_hs_error; 330 } 331 OPENSSL_free(dhe_secret); 332 333 if (!ssl_hash_current_message(hs) || 334 !tls13_derive_handshake_secrets(hs)) { 335 return ssl_hs_error; 336 } 337 hs->tls13_state = state_process_change_cipher_spec; 338 return ssl->version == TLS1_3_EXPERIMENT_VERSION 339 ? ssl_hs_read_change_cipher_spec 340 : ssl_hs_ok; 341 } 342 343 static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) { 344 SSL *const ssl = hs->ssl; 345 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret, 346 hs->hash_len)) { 347 return ssl_hs_error; 348 } 349 350 if (!hs->early_data_offered) { 351 /* If not sending early data, set client traffic keys now so that alerts are 352 * encrypted. */ 353 if ((ssl->version == TLS1_3_EXPERIMENT_VERSION && 354 !ssl3_add_change_cipher_spec(ssl)) || 355 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, 356 hs->hash_len)) { 357 return ssl_hs_error; 358 } 359 } 360 361 hs->tls13_state = state_process_encrypted_extensions; 362 return ssl_hs_read_message; 363 } 364 365 static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) { 366 SSL *const ssl = hs->ssl; 367 if (!ssl_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) { 368 return ssl_hs_error; 369 } 370 371 CBS cbs; 372 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 373 if (!ssl_parse_serverhello_tlsext(hs, &cbs)) { 374 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); 375 return ssl_hs_error; 376 } 377 if (CBS_len(&cbs) != 0) { 378 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 379 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 380 return ssl_hs_error; 381 } 382 383 /* Store the negotiated ALPN in the session. */ 384 if (ssl->s3->alpn_selected != NULL) { 385 hs->new_session->early_alpn = (uint8_t *)BUF_memdup( 386 ssl->s3->alpn_selected, ssl->s3->alpn_selected_len); 387 if (hs->new_session->early_alpn == NULL) { 388 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 389 return ssl_hs_error; 390 } 391 hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len; 392 } 393 394 if (ssl->early_data_accepted) { 395 if (hs->early_session->cipher != hs->new_session->cipher || 396 hs->early_session->early_alpn_len != ssl->s3->alpn_selected_len || 397 OPENSSL_memcmp(hs->early_session->early_alpn, ssl->s3->alpn_selected, 398 ssl->s3->alpn_selected_len) != 0) { 399 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA); 400 return ssl_hs_error; 401 } 402 if (ssl->s3->tlsext_channel_id_valid) { 403 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA); 404 return ssl_hs_error; 405 } 406 } 407 408 if (!ssl_hash_current_message(hs)) { 409 return ssl_hs_error; 410 } 411 412 hs->tls13_state = state_continue_second_server_flight; 413 if (hs->in_early_data && !ssl->early_data_accepted) { 414 return ssl_hs_early_data_rejected; 415 } 416 return ssl_hs_ok; 417 } 418 419 static enum ssl_hs_wait_t do_continue_second_server_flight(SSL_HANDSHAKE *hs) { 420 hs->tls13_state = state_process_certificate_request; 421 return ssl_hs_read_message; 422 } 423 424 static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) { 425 SSL *const ssl = hs->ssl; 426 /* CertificateRequest may only be sent in non-resumption handshakes. */ 427 if (ssl->s3->session_reused) { 428 hs->tls13_state = state_process_server_finished; 429 return ssl_hs_ok; 430 } 431 432 /* CertificateRequest is optional. */ 433 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) { 434 hs->tls13_state = state_process_server_certificate; 435 return ssl_hs_ok; 436 } 437 438 CBS cbs, context, supported_signature_algorithms; 439 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 440 if (!CBS_get_u8_length_prefixed(&cbs, &context) || 441 /* The request context is always empty during the handshake. */ 442 CBS_len(&context) != 0 || 443 !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) || 444 CBS_len(&supported_signature_algorithms) == 0 || 445 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) { 446 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 447 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 448 return ssl_hs_error; 449 } 450 451 uint8_t alert = SSL_AD_DECODE_ERROR; 452 STACK_OF(CRYPTO_BUFFER) *ca_names = 453 ssl_parse_client_CA_list(ssl, &alert, &cbs); 454 if (ca_names == NULL) { 455 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 456 return ssl_hs_error; 457 } 458 459 /* Ignore extensions. */ 460 CBS extensions; 461 if (!CBS_get_u16_length_prefixed(&cbs, &extensions) || 462 CBS_len(&cbs) != 0) { 463 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 464 sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free); 465 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 466 return ssl_hs_error; 467 } 468 469 hs->cert_request = 1; 470 sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free); 471 hs->ca_names = ca_names; 472 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs); 473 474 if (!ssl_hash_current_message(hs)) { 475 return ssl_hs_error; 476 } 477 478 hs->tls13_state = state_process_server_certificate; 479 return ssl_hs_read_message; 480 } 481 482 static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) { 483 SSL *const ssl = hs->ssl; 484 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) || 485 !tls13_process_certificate(hs, 0 /* certificate required */) || 486 !ssl_hash_current_message(hs)) { 487 return ssl_hs_error; 488 } 489 490 hs->tls13_state = state_process_server_certificate_verify; 491 return ssl_hs_read_message; 492 } 493 494 static enum ssl_hs_wait_t do_process_server_certificate_verify( 495 SSL_HANDSHAKE *hs) { 496 SSL *const ssl = hs->ssl; 497 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) || 498 !tls13_process_certificate_verify(hs) || 499 !ssl_hash_current_message(hs)) { 500 return ssl_hs_error; 501 } 502 503 hs->tls13_state = state_process_server_finished; 504 return ssl_hs_read_message; 505 } 506 507 static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) { 508 SSL *const ssl = hs->ssl; 509 if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) || 510 !tls13_process_finished(hs, 0 /* don't use saved value */) || 511 !ssl_hash_current_message(hs) || 512 /* Update the secret to the master secret and derive traffic keys. */ 513 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || 514 !tls13_derive_application_secrets(hs)) { 515 return ssl_hs_error; 516 } 517 518 ssl->method->received_flight(ssl); 519 hs->tls13_state = state_send_end_of_early_data; 520 return ssl_hs_ok; 521 } 522 523 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) { 524 SSL *const ssl = hs->ssl; 525 526 if (ssl->early_data_accepted) { 527 hs->can_early_write = 0; 528 if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING, 529 TLS1_AD_END_OF_EARLY_DATA)) { 530 return ssl_hs_error; 531 } 532 } 533 534 if (hs->early_data_offered) { 535 if ((ssl->version == TLS1_3_EXPERIMENT_VERSION && 536 !ssl3_add_change_cipher_spec(ssl)) || 537 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, 538 hs->hash_len)) { 539 return ssl_hs_error; 540 } 541 } 542 543 hs->tls13_state = state_send_client_certificate; 544 return ssl_hs_ok; 545 } 546 547 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { 548 SSL *const ssl = hs->ssl; 549 550 /* The peer didn't request a certificate. */ 551 if (!hs->cert_request) { 552 hs->tls13_state = state_complete_second_flight; 553 return ssl_hs_ok; 554 } 555 556 /* Call cert_cb to update the certificate. */ 557 if (ssl->cert->cert_cb != NULL) { 558 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); 559 if (rv == 0) { 560 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 561 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR); 562 return ssl_hs_error; 563 } 564 if (rv < 0) { 565 hs->tls13_state = state_send_client_certificate; 566 return ssl_hs_x509_lookup; 567 } 568 } 569 570 if (!ssl_on_certificate_selected(hs) || 571 !tls13_add_certificate(hs)) { 572 return ssl_hs_error; 573 } 574 575 hs->tls13_state = state_send_client_certificate_verify; 576 return ssl_hs_ok; 577 } 578 579 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { 580 SSL *const ssl = hs->ssl; 581 /* Don't send CertificateVerify if there is no certificate. */ 582 if (!ssl_has_certificate(ssl)) { 583 hs->tls13_state = state_complete_second_flight; 584 return ssl_hs_ok; 585 } 586 587 switch (tls13_add_certificate_verify(hs)) { 588 case ssl_private_key_success: 589 hs->tls13_state = state_complete_second_flight; 590 return ssl_hs_ok; 591 592 case ssl_private_key_retry: 593 hs->tls13_state = state_send_client_certificate_verify; 594 return ssl_hs_private_key_operation; 595 596 case ssl_private_key_failure: 597 return ssl_hs_error; 598 } 599 600 assert(0); 601 return ssl_hs_error; 602 } 603 604 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) { 605 SSL *const ssl = hs->ssl; 606 607 /* Send a Channel ID assertion if necessary. */ 608 if (ssl->s3->tlsext_channel_id_valid) { 609 if (!ssl_do_channel_id_callback(ssl)) { 610 hs->tls13_state = state_complete_second_flight; 611 return ssl_hs_error; 612 } 613 614 if (ssl->tlsext_channel_id_private == NULL) { 615 return ssl_hs_channel_id_lookup; 616 } 617 618 CBB cbb, body; 619 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) || 620 !tls1_write_channel_id(hs, &body) || 621 !ssl_add_message_cbb(ssl, &cbb)) { 622 CBB_cleanup(&cbb); 623 return ssl_hs_error; 624 } 625 } 626 627 /* Send a Finished message. */ 628 if (!tls13_add_finished(hs)) { 629 return ssl_hs_error; 630 } 631 632 /* Derive the final keys and enable them. */ 633 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0, 634 hs->hash_len) || 635 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0, 636 hs->hash_len) || 637 !tls13_derive_resumption_secret(hs)) { 638 return ssl_hs_error; 639 } 640 641 hs->tls13_state = state_done; 642 return ssl_hs_flush; 643 } 644 645 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) { 646 while (hs->tls13_state != state_done) { 647 enum ssl_hs_wait_t ret = ssl_hs_error; 648 enum client_hs_state_t state = 649 static_cast<enum client_hs_state_t>(hs->tls13_state); 650 switch (state) { 651 case state_process_hello_retry_request: 652 ret = do_process_hello_retry_request(hs); 653 break; 654 case state_send_second_client_hello: 655 ret = do_send_second_client_hello(hs); 656 break; 657 case state_process_server_hello: 658 ret = do_process_server_hello(hs); 659 break; 660 case state_process_change_cipher_spec: 661 ret = do_process_change_cipher_spec(hs); 662 break; 663 case state_process_encrypted_extensions: 664 ret = do_process_encrypted_extensions(hs); 665 break; 666 case state_continue_second_server_flight: 667 ret = do_continue_second_server_flight(hs); 668 break; 669 case state_process_certificate_request: 670 ret = do_process_certificate_request(hs); 671 break; 672 case state_process_server_certificate: 673 ret = do_process_server_certificate(hs); 674 break; 675 case state_process_server_certificate_verify: 676 ret = do_process_server_certificate_verify(hs); 677 break; 678 case state_process_server_finished: 679 ret = do_process_server_finished(hs); 680 break; 681 case state_send_end_of_early_data: 682 ret = do_send_end_of_early_data(hs); 683 break; 684 case state_send_client_certificate: 685 ret = do_send_client_certificate(hs); 686 break; 687 case state_send_client_certificate_verify: 688 ret = do_send_client_certificate_verify(hs); 689 break; 690 case state_complete_second_flight: 691 ret = do_complete_second_flight(hs); 692 break; 693 case state_done: 694 ret = ssl_hs_ok; 695 break; 696 } 697 698 if (ret != ssl_hs_ok) { 699 return ret; 700 } 701 } 702 703 return ssl_hs_ok; 704 } 705 706 int tls13_process_new_session_ticket(SSL *ssl) { 707 bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_dup( 708 ssl->s3->established_session, SSL_SESSION_INCLUDE_NONAUTH)); 709 if (!session) { 710 return 0; 711 } 712 713 ssl_session_rebase_time(ssl, session.get()); 714 715 uint32_t server_timeout; 716 CBS cbs, ticket, extensions; 717 CBS_init(&cbs, ssl->init_msg, ssl->init_num); 718 if (!CBS_get_u32(&cbs, &server_timeout) || 719 !CBS_get_u32(&cbs, &session->ticket_age_add) || 720 !CBS_get_u16_length_prefixed(&cbs, &ticket) || 721 !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) || 722 !CBS_get_u16_length_prefixed(&cbs, &extensions) || 723 CBS_len(&cbs) != 0) { 724 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 725 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 726 return 0; 727 } 728 729 /* Cap the renewable lifetime by the server advertised value. This avoids 730 * wasting bandwidth on 0-RTT when we know the server will reject it. */ 731 if (session->timeout > server_timeout) { 732 session->timeout = server_timeout; 733 } 734 735 /* Parse out the extensions. */ 736 int have_early_data_info = 0; 737 CBS early_data_info; 738 const SSL_EXTENSION_TYPE ext_types[] = { 739 {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info, 740 &early_data_info}, 741 }; 742 743 uint8_t alert = SSL_AD_DECODE_ERROR; 744 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 745 OPENSSL_ARRAY_SIZE(ext_types), 746 1 /* ignore unknown */)) { 747 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert); 748 return 0; 749 } 750 751 if (have_early_data_info && ssl->cert->enable_early_data) { 752 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) || 753 CBS_len(&early_data_info) != 0) { 754 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 755 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 756 return 0; 757 } 758 } 759 760 session->ticket_age_add_valid = 1; 761 session->not_resumable = 0; 762 763 if (ssl->ctx->new_session_cb != NULL && 764 ssl->ctx->new_session_cb(ssl, session.get())) { 765 /* |new_session_cb|'s return value signals that it took ownership. */ 766 session.release(); 767 } 768 769 return 1; 770 } 771 772 void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) { 773 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx); 774 775 OPENSSL_free(hs->key_share_bytes); 776 hs->key_share_bytes = NULL; 777 hs->key_share_bytes_len = 0; 778 } 779