1 /* Copyright (c) 2016, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/ssl.h> 16 17 #include <assert.h> 18 #include <limits.h> 19 #include <string.h> 20 21 #include <utility> 22 23 #include <openssl/bytestring.h> 24 #include <openssl/digest.h> 25 #include <openssl/err.h> 26 #include <openssl/mem.h> 27 #include <openssl/stack.h> 28 29 #include "../crypto/internal.h" 30 #include "internal.h" 31 32 33 namespace bssl { 34 35 enum client_hs_state_t { 36 state_read_hello_retry_request = 0, 37 state_send_second_client_hello, 38 state_read_server_hello, 39 state_read_encrypted_extensions, 40 state_read_certificate_request, 41 state_read_server_certificate, 42 state_read_server_certificate_verify, 43 state_read_server_finished, 44 state_send_end_of_early_data, 45 state_send_client_certificate, 46 state_send_client_certificate_verify, 47 state_complete_second_flight, 48 state_done, 49 }; 50 51 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0}; 52 53 static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) { 54 SSL *const ssl = hs->ssl; 55 assert(ssl->s3->have_version); 56 SSLMessage msg; 57 if (!ssl->method->get_message(ssl, &msg)) { 58 return ssl_hs_read_message; 59 } 60 61 // Queue up a ChangeCipherSpec for whenever we next send something. This 62 // will be before the second ClientHello. If we offered early data, this was 63 // already done. 64 if (!hs->early_data_offered && 65 !ssl->method->add_change_cipher_spec(ssl)) { 66 return ssl_hs_error; 67 } 68 69 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) { 70 return ssl_hs_error; 71 } 72 73 CBS body = msg.body, extensions, server_random, session_id; 74 uint16_t server_version, cipher_suite; 75 uint8_t compression_method; 76 if (!CBS_get_u16(&body, &server_version) || 77 !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) || 78 !CBS_get_u8_length_prefixed(&body, &session_id) || 79 !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) || 80 !CBS_get_u16(&body, &cipher_suite) || 81 !CBS_get_u8(&body, &compression_method) || 82 compression_method != 0 || 83 !CBS_get_u16_length_prefixed(&body, &extensions) || 84 CBS_len(&extensions) == 0 || 85 CBS_len(&body) != 0) { 86 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 87 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 88 return ssl_hs_error; 89 } 90 91 if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) { 92 hs->tls13_state = state_read_server_hello; 93 return ssl_hs_ok; 94 } 95 96 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); 97 // Check if the cipher is a TLS 1.3 cipher. 98 if (cipher == NULL || 99 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) || 100 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) { 101 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); 102 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 103 return ssl_hs_error; 104 } 105 106 hs->new_cipher = cipher; 107 108 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) || 109 !hs->transcript.UpdateForHelloRetryRequest()) { 110 return ssl_hs_error; 111 } 112 113 114 bool have_cookie, have_key_share, have_supported_versions; 115 CBS cookie, key_share, supported_versions; 116 SSL_EXTENSION_TYPE ext_types[] = { 117 {TLSEXT_TYPE_key_share, &have_key_share, &key_share}, 118 {TLSEXT_TYPE_cookie, &have_cookie, &cookie}, 119 {TLSEXT_TYPE_supported_versions, &have_supported_versions, 120 &supported_versions}, 121 }; 122 123 uint8_t alert = SSL_AD_DECODE_ERROR; 124 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 125 OPENSSL_ARRAY_SIZE(ext_types), 126 0 /* reject unknown */)) { 127 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 128 return ssl_hs_error; 129 } 130 131 if (!have_cookie && !have_key_share) { 132 OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST); 133 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 134 return ssl_hs_error; 135 } 136 if (have_cookie) { 137 CBS cookie_value; 138 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) || 139 CBS_len(&cookie_value) == 0 || 140 CBS_len(&cookie) != 0) { 141 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 142 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 143 return ssl_hs_error; 144 } 145 146 if (!hs->cookie.CopyFrom(cookie_value)) { 147 return ssl_hs_error; 148 } 149 } 150 151 if (have_key_share) { 152 uint16_t group_id; 153 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) { 154 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 155 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 156 return ssl_hs_error; 157 } 158 159 // The group must be supported. 160 if (!tls1_check_group_id(ssl, group_id)) { 161 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 162 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 163 return ssl_hs_error; 164 } 165 166 // Check that the HelloRetryRequest does not request the key share that 167 // was provided in the initial ClientHello. 168 if (hs->key_share->GroupID() == group_id) { 169 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 170 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 171 return ssl_hs_error; 172 } 173 174 hs->key_share.reset(); 175 hs->retry_group = group_id; 176 } 177 178 if (!ssl_hash_message(hs, msg)) { 179 return ssl_hs_error; 180 } 181 182 ssl->method->next_message(ssl); 183 hs->received_hello_retry_request = true; 184 hs->tls13_state = state_send_second_client_hello; 185 // 0-RTT is rejected if we receive a HelloRetryRequest. 186 if (hs->in_early_data) { 187 return ssl_hs_early_data_rejected; 188 } 189 return ssl_hs_ok; 190 } 191 192 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) { 193 SSL *const ssl = hs->ssl; 194 // Restore the null cipher. We may have switched due to 0-RTT. 195 bssl::UniquePtr<SSLAEADContext> null_ctx = 196 SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl)); 197 if (!null_ctx || 198 !ssl->method->set_write_state(ssl, std::move(null_ctx))) { 199 return ssl_hs_error; 200 } 201 202 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version); 203 204 if (!ssl_write_client_hello(hs)) { 205 return ssl_hs_error; 206 } 207 208 hs->tls13_state = state_read_server_hello; 209 return ssl_hs_flush; 210 } 211 212 static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) { 213 SSL *const ssl = hs->ssl; 214 SSLMessage msg; 215 if (!ssl->method->get_message(ssl, &msg)) { 216 return ssl_hs_read_message; 217 } 218 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) { 219 return ssl_hs_error; 220 } 221 222 CBS body = msg.body, server_random, session_id, extensions; 223 uint16_t server_version; 224 uint16_t cipher_suite; 225 uint8_t compression_method; 226 if (!CBS_get_u16(&body, &server_version) || 227 !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) || 228 !CBS_get_u8_length_prefixed(&body, &session_id) || 229 !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) || 230 !CBS_get_u16(&body, &cipher_suite) || 231 !CBS_get_u8(&body, &compression_method) || 232 compression_method != 0 || 233 !CBS_get_u16_length_prefixed(&body, &extensions) || 234 CBS_len(&body) != 0) { 235 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 236 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 237 return ssl_hs_error; 238 } 239 240 if (server_version != TLS1_2_VERSION) { 241 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 242 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER); 243 return ssl_hs_error; 244 } 245 246 // Forbid a second HelloRetryRequest. 247 if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) { 248 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 249 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); 250 return ssl_hs_error; 251 } 252 253 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random), 254 SSL3_RANDOM_SIZE); 255 256 // Check if the cipher is a TLS 1.3 cipher. 257 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite); 258 if (cipher == nullptr || 259 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) || 260 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) { 261 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); 262 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 263 return ssl_hs_error; 264 } 265 266 // Check that the cipher matches the one in the HelloRetryRequest. 267 if (hs->received_hello_retry_request && 268 hs->new_cipher != cipher) { 269 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED); 270 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 271 return ssl_hs_error; 272 } 273 274 // Parse out the extensions. 275 bool have_key_share = false, have_pre_shared_key = false, 276 have_supported_versions = false; 277 CBS key_share, pre_shared_key, supported_versions; 278 SSL_EXTENSION_TYPE ext_types[] = { 279 {TLSEXT_TYPE_key_share, &have_key_share, &key_share}, 280 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key}, 281 {TLSEXT_TYPE_supported_versions, &have_supported_versions, 282 &supported_versions}, 283 }; 284 285 uint8_t alert = SSL_AD_DECODE_ERROR; 286 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 287 OPENSSL_ARRAY_SIZE(ext_types), 288 0 /* reject unknown */)) { 289 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 290 return ssl_hs_error; 291 } 292 293 alert = SSL_AD_DECODE_ERROR; 294 if (have_pre_shared_key) { 295 if (ssl->session == NULL) { 296 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION); 297 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION); 298 return ssl_hs_error; 299 } 300 301 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert, 302 &pre_shared_key)) { 303 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 304 return ssl_hs_error; 305 } 306 307 if (ssl->session->ssl_version != ssl->version) { 308 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED); 309 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 310 return ssl_hs_error; 311 } 312 313 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) { 314 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH); 315 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 316 return ssl_hs_error; 317 } 318 319 if (!ssl_session_is_context_valid(ssl, ssl->session)) { 320 // This is actually a client application bug. 321 OPENSSL_PUT_ERROR(SSL, 322 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); 323 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 324 return ssl_hs_error; 325 } 326 327 ssl->s3->session_reused = true; 328 // Only authentication information carries over in TLS 1.3. 329 hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY); 330 if (!hs->new_session) { 331 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 332 return ssl_hs_error; 333 } 334 ssl_set_session(ssl, NULL); 335 336 // Resumption incorporates fresh key material, so refresh the timeout. 337 ssl_session_renew_timeout(ssl, hs->new_session.get(), 338 ssl->session_ctx->session_psk_dhe_timeout); 339 } else if (!ssl_get_new_session(hs, 0)) { 340 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 341 return ssl_hs_error; 342 } 343 344 hs->new_session->cipher = cipher; 345 hs->new_cipher = cipher; 346 347 size_t hash_len = 348 EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher)); 349 350 // Set up the key schedule and incorporate the PSK into the running secret. 351 if (ssl->s3->session_reused) { 352 if (!tls13_init_key_schedule(hs, hs->new_session->master_key, 353 hs->new_session->master_key_length)) { 354 return ssl_hs_error; 355 } 356 } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) { 357 return ssl_hs_error; 358 } 359 360 if (!have_key_share) { 361 // We do not support psk_ke and thus always require a key share. 362 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); 363 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); 364 return ssl_hs_error; 365 } 366 367 // Resolve ECDHE and incorporate it into the secret. 368 Array<uint8_t> dhe_secret; 369 alert = SSL_AD_DECODE_ERROR; 370 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert, 371 &key_share)) { 372 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 373 return ssl_hs_error; 374 } 375 376 if (!tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()) || 377 !ssl_hash_message(hs, msg) || 378 !tls13_derive_handshake_secrets(hs) || 379 !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret, 380 hs->hash_len)) { 381 return ssl_hs_error; 382 } 383 384 if (!hs->early_data_offered) { 385 // If not sending early data, set client traffic keys now so that alerts are 386 // encrypted. 387 if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, 388 hs->hash_len)) { 389 return ssl_hs_error; 390 } 391 } 392 393 ssl->method->next_message(ssl); 394 hs->tls13_state = state_read_encrypted_extensions; 395 return ssl_hs_ok; 396 } 397 398 static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) { 399 SSL *const ssl = hs->ssl; 400 SSLMessage msg; 401 if (!ssl->method->get_message(ssl, &msg)) { 402 return ssl_hs_read_message; 403 } 404 if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) { 405 return ssl_hs_error; 406 } 407 408 CBS body = msg.body; 409 if (!ssl_parse_serverhello_tlsext(hs, &body)) { 410 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); 411 return ssl_hs_error; 412 } 413 if (CBS_len(&body) != 0) { 414 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 415 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 416 return ssl_hs_error; 417 } 418 419 // Store the negotiated ALPN in the session. 420 if (!ssl->s3->alpn_selected.empty()) { 421 hs->new_session->early_alpn = (uint8_t *)BUF_memdup( 422 ssl->s3->alpn_selected.data(), ssl->s3->alpn_selected.size()); 423 if (hs->new_session->early_alpn == NULL) { 424 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 425 return ssl_hs_error; 426 } 427 hs->new_session->early_alpn_len = ssl->s3->alpn_selected.size(); 428 } 429 430 if (ssl->s3->early_data_accepted) { 431 if (hs->early_session->cipher != hs->new_session->cipher || 432 MakeConstSpan(hs->early_session->early_alpn, 433 hs->early_session->early_alpn_len) != 434 ssl->s3->alpn_selected) { 435 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA); 436 return ssl_hs_error; 437 } 438 if (ssl->s3->tlsext_channel_id_valid || hs->received_custom_extension || 439 ssl->token_binding_negotiated) { 440 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA); 441 return ssl_hs_error; 442 } 443 } 444 445 if (!ssl_hash_message(hs, msg)) { 446 return ssl_hs_error; 447 } 448 449 ssl->method->next_message(ssl); 450 hs->tls13_state = state_read_certificate_request; 451 if (hs->in_early_data && !ssl->s3->early_data_accepted) { 452 return ssl_hs_early_data_rejected; 453 } 454 return ssl_hs_ok; 455 } 456 457 static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) { 458 SSL *const ssl = hs->ssl; 459 // CertificateRequest may only be sent in non-resumption handshakes. 460 if (ssl->s3->session_reused) { 461 hs->tls13_state = state_read_server_finished; 462 return ssl_hs_ok; 463 } 464 465 SSLMessage msg; 466 if (!ssl->method->get_message(ssl, &msg)) { 467 return ssl_hs_read_message; 468 } 469 470 // CertificateRequest is optional. 471 if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) { 472 hs->tls13_state = state_read_server_certificate; 473 return ssl_hs_ok; 474 } 475 476 477 bool have_sigalgs = false, have_ca = false; 478 CBS sigalgs, ca; 479 const SSL_EXTENSION_TYPE ext_types[] = { 480 {TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs}, 481 {TLSEXT_TYPE_certificate_authorities, &have_ca, &ca}, 482 }; 483 484 CBS body = msg.body, context, extensions, supported_signature_algorithms; 485 uint8_t alert = SSL_AD_DECODE_ERROR; 486 if (!CBS_get_u8_length_prefixed(&body, &context) || 487 // The request context is always empty during the handshake. 488 CBS_len(&context) != 0 || 489 !CBS_get_u16_length_prefixed(&body, &extensions) || 490 CBS_len(&body) != 0 || 491 !ssl_parse_extensions(&extensions, &alert, ext_types, 492 OPENSSL_ARRAY_SIZE(ext_types), 493 1 /* accept unknown */) || 494 (have_ca && CBS_len(&ca) == 0) || 495 !have_sigalgs || 496 !CBS_get_u16_length_prefixed(&sigalgs, 497 &supported_signature_algorithms) || 498 CBS_len(&supported_signature_algorithms) == 0 || 499 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) { 500 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 501 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 502 return ssl_hs_error; 503 } 504 505 if (have_ca) { 506 hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca); 507 if (!hs->ca_names) { 508 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 509 return ssl_hs_error; 510 } 511 } else { 512 hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null()); 513 if (!hs->ca_names) { 514 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); 515 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 516 return ssl_hs_error; 517 } 518 } 519 520 hs->cert_request = true; 521 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs); 522 523 if (!ssl_hash_message(hs, msg)) { 524 return ssl_hs_error; 525 } 526 527 ssl->method->next_message(ssl); 528 hs->tls13_state = state_read_server_certificate; 529 return ssl_hs_ok; 530 } 531 532 static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) { 533 SSL *const ssl = hs->ssl; 534 SSLMessage msg; 535 if (!ssl->method->get_message(ssl, &msg)) { 536 return ssl_hs_read_message; 537 } 538 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) || 539 !tls13_process_certificate(hs, msg, 0 /* certificate required */) || 540 !ssl_hash_message(hs, msg)) { 541 return ssl_hs_error; 542 } 543 544 ssl->method->next_message(ssl); 545 hs->tls13_state = state_read_server_certificate_verify; 546 return ssl_hs_ok; 547 } 548 549 static enum ssl_hs_wait_t do_read_server_certificate_verify( 550 SSL_HANDSHAKE *hs) { 551 SSL *const ssl = hs->ssl; 552 SSLMessage msg; 553 if (!ssl->method->get_message(ssl, &msg)) { 554 return ssl_hs_read_message; 555 } 556 switch (ssl_verify_peer_cert(hs)) { 557 case ssl_verify_ok: 558 break; 559 case ssl_verify_invalid: 560 return ssl_hs_error; 561 case ssl_verify_retry: 562 hs->tls13_state = state_read_server_certificate_verify; 563 return ssl_hs_certificate_verify; 564 } 565 566 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) || 567 !tls13_process_certificate_verify(hs, msg) || 568 !ssl_hash_message(hs, msg)) { 569 return ssl_hs_error; 570 } 571 572 ssl->method->next_message(ssl); 573 hs->tls13_state = state_read_server_finished; 574 return ssl_hs_ok; 575 } 576 577 static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) { 578 SSL *const ssl = hs->ssl; 579 SSLMessage msg; 580 if (!ssl->method->get_message(ssl, &msg)) { 581 return ssl_hs_read_message; 582 } 583 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) || 584 !tls13_process_finished(hs, msg, 0 /* don't use saved value */) || 585 !ssl_hash_message(hs, msg) || 586 // Update the secret to the master secret and derive traffic keys. 587 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || 588 !tls13_derive_application_secrets(hs)) { 589 return ssl_hs_error; 590 } 591 592 ssl->method->next_message(ssl); 593 hs->tls13_state = state_send_end_of_early_data; 594 return ssl_hs_ok; 595 } 596 597 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) { 598 SSL *const ssl = hs->ssl; 599 600 if (ssl->s3->early_data_accepted) { 601 hs->can_early_write = false; 602 ScopedCBB cbb; 603 CBB body; 604 if (!ssl->method->init_message(ssl, cbb.get(), &body, 605 SSL3_MT_END_OF_EARLY_DATA) || 606 !ssl_add_message_cbb(ssl, cbb.get())) { 607 return ssl_hs_error; 608 } 609 } 610 611 if (hs->early_data_offered) { 612 if (!tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret, 613 hs->hash_len)) { 614 return ssl_hs_error; 615 } 616 } 617 618 hs->tls13_state = state_send_client_certificate; 619 return ssl_hs_ok; 620 } 621 622 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) { 623 SSL *const ssl = hs->ssl; 624 625 // The peer didn't request a certificate. 626 if (!hs->cert_request) { 627 hs->tls13_state = state_complete_second_flight; 628 return ssl_hs_ok; 629 } 630 631 // Call cert_cb to update the certificate. 632 if (ssl->cert->cert_cb != NULL) { 633 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg); 634 if (rv == 0) { 635 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 636 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR); 637 return ssl_hs_error; 638 } 639 if (rv < 0) { 640 hs->tls13_state = state_send_client_certificate; 641 return ssl_hs_x509_lookup; 642 } 643 } 644 645 if (!ssl_on_certificate_selected(hs) || 646 !tls13_add_certificate(hs)) { 647 return ssl_hs_error; 648 } 649 650 hs->tls13_state = state_send_client_certificate_verify; 651 return ssl_hs_ok; 652 } 653 654 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) { 655 SSL *const ssl = hs->ssl; 656 // Don't send CertificateVerify if there is no certificate. 657 if (!ssl_has_certificate(ssl)) { 658 hs->tls13_state = state_complete_second_flight; 659 return ssl_hs_ok; 660 } 661 662 switch (tls13_add_certificate_verify(hs)) { 663 case ssl_private_key_success: 664 hs->tls13_state = state_complete_second_flight; 665 return ssl_hs_ok; 666 667 case ssl_private_key_retry: 668 hs->tls13_state = state_send_client_certificate_verify; 669 return ssl_hs_private_key_operation; 670 671 case ssl_private_key_failure: 672 return ssl_hs_error; 673 } 674 675 assert(0); 676 return ssl_hs_error; 677 } 678 679 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) { 680 SSL *const ssl = hs->ssl; 681 682 // Send a Channel ID assertion if necessary. 683 if (ssl->s3->tlsext_channel_id_valid) { 684 if (!ssl_do_channel_id_callback(ssl)) { 685 hs->tls13_state = state_complete_second_flight; 686 return ssl_hs_error; 687 } 688 689 if (ssl->tlsext_channel_id_private == NULL) { 690 return ssl_hs_channel_id_lookup; 691 } 692 693 ScopedCBB cbb; 694 CBB body; 695 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) || 696 !tls1_write_channel_id(hs, &body) || 697 !ssl_add_message_cbb(ssl, cbb.get())) { 698 return ssl_hs_error; 699 } 700 } 701 702 // Send a Finished message. 703 if (!tls13_add_finished(hs)) { 704 return ssl_hs_error; 705 } 706 707 // Derive the final keys and enable them. 708 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0, 709 hs->hash_len) || 710 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0, 711 hs->hash_len) || 712 !tls13_derive_resumption_secret(hs)) { 713 return ssl_hs_error; 714 } 715 716 hs->tls13_state = state_done; 717 return ssl_hs_flush; 718 } 719 720 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) { 721 while (hs->tls13_state != state_done) { 722 enum ssl_hs_wait_t ret = ssl_hs_error; 723 enum client_hs_state_t state = 724 static_cast<enum client_hs_state_t>(hs->tls13_state); 725 switch (state) { 726 case state_read_hello_retry_request: 727 ret = do_read_hello_retry_request(hs); 728 break; 729 case state_send_second_client_hello: 730 ret = do_send_second_client_hello(hs); 731 break; 732 case state_read_server_hello: 733 ret = do_read_server_hello(hs); 734 break; 735 case state_read_encrypted_extensions: 736 ret = do_read_encrypted_extensions(hs); 737 break; 738 case state_read_certificate_request: 739 ret = do_read_certificate_request(hs); 740 break; 741 case state_read_server_certificate: 742 ret = do_read_server_certificate(hs); 743 break; 744 case state_read_server_certificate_verify: 745 ret = do_read_server_certificate_verify(hs); 746 break; 747 case state_read_server_finished: 748 ret = do_read_server_finished(hs); 749 break; 750 case state_send_end_of_early_data: 751 ret = do_send_end_of_early_data(hs); 752 break; 753 case state_send_client_certificate: 754 ret = do_send_client_certificate(hs); 755 break; 756 case state_send_client_certificate_verify: 757 ret = do_send_client_certificate_verify(hs); 758 break; 759 case state_complete_second_flight: 760 ret = do_complete_second_flight(hs); 761 break; 762 case state_done: 763 ret = ssl_hs_ok; 764 break; 765 } 766 767 if (hs->tls13_state != state) { 768 ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1); 769 } 770 771 if (ret != ssl_hs_ok) { 772 return ret; 773 } 774 } 775 776 return ssl_hs_ok; 777 } 778 779 const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) { 780 enum client_hs_state_t state = 781 static_cast<enum client_hs_state_t>(hs->tls13_state); 782 switch (state) { 783 case state_read_hello_retry_request: 784 return "TLS 1.3 client read_hello_retry_request"; 785 case state_send_second_client_hello: 786 return "TLS 1.3 client send_second_client_hello"; 787 case state_read_server_hello: 788 return "TLS 1.3 client read_server_hello"; 789 case state_read_encrypted_extensions: 790 return "TLS 1.3 client read_encrypted_extensions"; 791 case state_read_certificate_request: 792 return "TLS 1.3 client read_certificate_request"; 793 case state_read_server_certificate: 794 return "TLS 1.3 client read_server_certificate"; 795 case state_read_server_certificate_verify: 796 return "TLS 1.3 client read_server_certificate_verify"; 797 case state_read_server_finished: 798 return "TLS 1.3 client read_server_finished"; 799 case state_send_end_of_early_data: 800 return "TLS 1.3 client send_end_of_early_data"; 801 case state_send_client_certificate: 802 return "TLS 1.3 client send_client_certificate"; 803 case state_send_client_certificate_verify: 804 return "TLS 1.3 client send_client_certificate_verify"; 805 case state_complete_second_flight: 806 return "TLS 1.3 client complete_second_flight"; 807 case state_done: 808 return "TLS 1.3 client done"; 809 } 810 811 return "TLS 1.3 client unknown"; 812 } 813 814 int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) { 815 if (ssl->s3->write_shutdown != ssl_shutdown_none) { 816 // Ignore tickets on shutdown. Callers tend to indiscriminately call 817 // |SSL_shutdown| before destroying an |SSL|, at which point calling the new 818 // session callback may be confusing. 819 return 1; 820 } 821 822 UniquePtr<SSL_SESSION> session = SSL_SESSION_dup( 823 ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH); 824 if (!session) { 825 return 0; 826 } 827 828 ssl_session_rebase_time(ssl, session.get()); 829 830 uint32_t server_timeout; 831 CBS body = msg.body, ticket_nonce, ticket, extensions; 832 if (!CBS_get_u32(&body, &server_timeout) || 833 !CBS_get_u32(&body, &session->ticket_age_add) || 834 !CBS_get_u8_length_prefixed(&body, &ticket_nonce) || 835 !CBS_get_u16_length_prefixed(&body, &ticket) || 836 !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) || 837 !CBS_get_u16_length_prefixed(&body, &extensions) || 838 CBS_len(&body) != 0) { 839 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 840 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 841 return 0; 842 } 843 844 // Cap the renewable lifetime by the server advertised value. This avoids 845 // wasting bandwidth on 0-RTT when we know the server will reject it. 846 if (session->timeout > server_timeout) { 847 session->timeout = server_timeout; 848 } 849 850 if (!tls13_derive_session_psk(session.get(), ticket_nonce)) { 851 return 0; 852 } 853 854 // Parse out the extensions. 855 bool have_early_data_info = false; 856 CBS early_data_info; 857 const SSL_EXTENSION_TYPE ext_types[] = { 858 {TLSEXT_TYPE_early_data, &have_early_data_info, &early_data_info}, 859 }; 860 861 uint8_t alert = SSL_AD_DECODE_ERROR; 862 if (!ssl_parse_extensions(&extensions, &alert, ext_types, 863 OPENSSL_ARRAY_SIZE(ext_types), 864 1 /* ignore unknown */)) { 865 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 866 return 0; 867 } 868 869 if (have_early_data_info && ssl->cert->enable_early_data) { 870 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) || 871 CBS_len(&early_data_info) != 0) { 872 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 873 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 874 return 0; 875 } 876 } 877 878 session->ticket_age_add_valid = 1; 879 session->not_resumable = 0; 880 881 if ((ssl->ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) && 882 ssl->ctx->new_session_cb != NULL && 883 ssl->ctx->new_session_cb(ssl, session.get())) { 884 // |new_session_cb|'s return value signals that it took ownership. 885 session.release(); 886 } 887 888 return 1; 889 } 890 891 } // namespace bssl 892