1 /* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <limits.h>
19 #include <string.h>
20
21 #include <utility>
22
23 #include <openssl/bytestring.h>
24 #include <openssl/digest.h>
25 #include <openssl/err.h>
26 #include <openssl/mem.h>
27 #include <openssl/sha.h>
28 #include <openssl/stack.h>
29
30 #include "../crypto/internal.h"
31 #include "internal.h"
32
33
34 BSSL_NAMESPACE_BEGIN
35
36 enum client_hs_state_t {
37 state_read_hello_retry_request = 0,
38 state_send_second_client_hello,
39 state_read_server_hello,
40 state_read_encrypted_extensions,
41 state_read_certificate_request,
42 state_read_server_certificate,
43 state_read_server_certificate_verify,
44 state_server_certificate_reverify,
45 state_read_server_finished,
46 state_send_end_of_early_data,
47 state_send_client_certificate,
48 state_send_client_certificate_verify,
49 state_complete_second_flight,
50 state_done,
51 };
52
53 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
54
do_read_hello_retry_request(SSL_HANDSHAKE * hs)55 static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
56 SSL *const ssl = hs->ssl;
57 assert(ssl->s3->have_version);
58 SSLMessage msg;
59 if (!ssl->method->get_message(ssl, &msg)) {
60 return ssl_hs_read_message;
61 }
62
63 // Queue up a ChangeCipherSpec for whenever we next send something. This
64 // will be before the second ClientHello. If we offered early data, this was
65 // already done.
66 if (!hs->early_data_offered &&
67 !ssl->method->add_change_cipher_spec(ssl)) {
68 return ssl_hs_error;
69 }
70
71 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
72 return ssl_hs_error;
73 }
74
75 CBS body = msg.body, extensions, server_random, session_id;
76 uint16_t server_version, cipher_suite;
77 uint8_t compression_method;
78 if (!CBS_get_u16(&body, &server_version) ||
79 !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
80 !CBS_get_u8_length_prefixed(&body, &session_id) ||
81 !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
82 !CBS_get_u16(&body, &cipher_suite) ||
83 !CBS_get_u8(&body, &compression_method) ||
84 compression_method != 0 ||
85 !CBS_get_u16_length_prefixed(&body, &extensions) ||
86 CBS_len(&extensions) == 0 ||
87 CBS_len(&body) != 0) {
88 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
89 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
90 return ssl_hs_error;
91 }
92
93 if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
94 hs->tls13_state = state_read_server_hello;
95 return ssl_hs_ok;
96 }
97
98 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
99 // Check if the cipher is a TLS 1.3 cipher.
100 if (cipher == NULL ||
101 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
102 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
103 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
104 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
105 return ssl_hs_error;
106 }
107
108 hs->new_cipher = cipher;
109
110 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
111 !hs->transcript.UpdateForHelloRetryRequest()) {
112 return ssl_hs_error;
113 }
114
115
116 bool have_cookie, have_key_share, have_supported_versions;
117 CBS cookie, key_share, supported_versions;
118 SSL_EXTENSION_TYPE ext_types[] = {
119 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
120 {TLSEXT_TYPE_cookie, &have_cookie, &cookie},
121 {TLSEXT_TYPE_supported_versions, &have_supported_versions,
122 &supported_versions},
123 };
124
125 uint8_t alert = SSL_AD_DECODE_ERROR;
126 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
127 OPENSSL_ARRAY_SIZE(ext_types),
128 0 /* reject unknown */)) {
129 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
130 return ssl_hs_error;
131 }
132
133 if (!have_cookie && !have_key_share) {
134 OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);
135 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
136 return ssl_hs_error;
137 }
138 if (have_cookie) {
139 CBS cookie_value;
140 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||
141 CBS_len(&cookie_value) == 0 ||
142 CBS_len(&cookie) != 0) {
143 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
144 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
145 return ssl_hs_error;
146 }
147
148 if (!hs->cookie.CopyFrom(cookie_value)) {
149 return ssl_hs_error;
150 }
151 }
152
153 if (have_key_share) {
154 uint16_t group_id;
155 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {
156 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
157 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
158 return ssl_hs_error;
159 }
160
161 // The group must be supported.
162 if (!tls1_check_group_id(hs, group_id)) {
163 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
164 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
165 return ssl_hs_error;
166 }
167
168 // Check that the HelloRetryRequest does not request a key share that was
169 // provided in the initial ClientHello.
170 if (hs->key_shares[0]->GroupID() == group_id ||
171 (hs->key_shares[1] && hs->key_shares[1]->GroupID() == group_id)) {
172 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
173 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
174 return ssl_hs_error;
175 }
176
177 hs->key_shares[0].reset();
178 hs->key_shares[1].reset();
179 hs->retry_group = group_id;
180 }
181
182 if (!ssl_hash_message(hs, msg)) {
183 return ssl_hs_error;
184 }
185
186 ssl->method->next_message(ssl);
187 hs->received_hello_retry_request = true;
188 hs->tls13_state = state_send_second_client_hello;
189 // 0-RTT is rejected if we receive a HelloRetryRequest.
190 if (hs->in_early_data) {
191 ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
192 return ssl_hs_early_data_rejected;
193 }
194 return ssl_hs_ok;
195 }
196
do_send_second_client_hello(SSL_HANDSHAKE * hs)197 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
198 SSL *const ssl = hs->ssl;
199 // Restore the null cipher. We may have switched due to 0-RTT.
200 bssl::UniquePtr<SSLAEADContext> null_ctx =
201 SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
202 if (!null_ctx ||
203 !ssl->method->set_write_state(ssl, std::move(null_ctx))) {
204 return ssl_hs_error;
205 }
206
207 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
208
209 if (!ssl_write_client_hello(hs)) {
210 return ssl_hs_error;
211 }
212
213 hs->tls13_state = state_read_server_hello;
214 return ssl_hs_flush;
215 }
216
do_read_server_hello(SSL_HANDSHAKE * hs)217 static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
218 SSL *const ssl = hs->ssl;
219 SSLMessage msg;
220 if (!ssl->method->get_message(ssl, &msg)) {
221 return ssl_hs_read_message;
222 }
223 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
224 return ssl_hs_error;
225 }
226
227 CBS body = msg.body, server_random, session_id, extensions;
228 uint16_t server_version;
229 uint16_t cipher_suite;
230 uint8_t compression_method;
231 if (!CBS_get_u16(&body, &server_version) ||
232 !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
233 !CBS_get_u8_length_prefixed(&body, &session_id) ||
234 !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
235 !CBS_get_u16(&body, &cipher_suite) ||
236 !CBS_get_u8(&body, &compression_method) ||
237 compression_method != 0 ||
238 !CBS_get_u16_length_prefixed(&body, &extensions) ||
239 CBS_len(&body) != 0) {
240 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
241 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
242 return ssl_hs_error;
243 }
244
245 if (server_version != TLS1_2_VERSION) {
246 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
247 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
248 return ssl_hs_error;
249 }
250
251 // Forbid a second HelloRetryRequest.
252 if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
253 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
254 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
255 return ssl_hs_error;
256 }
257
258 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
259 SSL3_RANDOM_SIZE);
260
261 // Check if the cipher is a TLS 1.3 cipher.
262 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
263 if (cipher == nullptr ||
264 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
265 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
266 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
267 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
268 return ssl_hs_error;
269 }
270
271 // Check that the cipher matches the one in the HelloRetryRequest.
272 if (hs->received_hello_retry_request &&
273 hs->new_cipher != cipher) {
274 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
275 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
276 return ssl_hs_error;
277 }
278
279 // Parse out the extensions.
280 bool have_key_share = false, have_pre_shared_key = false,
281 have_supported_versions = false;
282 CBS key_share, pre_shared_key, supported_versions;
283 SSL_EXTENSION_TYPE ext_types[] = {
284 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
285 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
286 {TLSEXT_TYPE_supported_versions, &have_supported_versions,
287 &supported_versions},
288 };
289
290 uint8_t alert = SSL_AD_DECODE_ERROR;
291 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
292 OPENSSL_ARRAY_SIZE(ext_types),
293 0 /* reject unknown */)) {
294 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
295 return ssl_hs_error;
296 }
297
298 // Recheck supported_versions, in case this is the second ServerHello.
299 uint16_t version;
300 if (!have_supported_versions ||
301 !CBS_get_u16(&supported_versions, &version) ||
302 version != ssl->version) {
303 OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
304 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
305 return ssl_hs_error;
306 }
307
308 alert = SSL_AD_DECODE_ERROR;
309 if (have_pre_shared_key) {
310 if (ssl->session == NULL) {
311 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
312 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
313 return ssl_hs_error;
314 }
315
316 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
317 &pre_shared_key)) {
318 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
319 return ssl_hs_error;
320 }
321
322 if (ssl->session->ssl_version != ssl->version) {
323 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
324 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
325 return ssl_hs_error;
326 }
327
328 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {
329 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
330 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
331 return ssl_hs_error;
332 }
333
334 if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
335 // This is actually a client application bug.
336 OPENSSL_PUT_ERROR(SSL,
337 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
338 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
339 return ssl_hs_error;
340 }
341
342 ssl->s3->session_reused = true;
343 // Only authentication information carries over in TLS 1.3.
344 hs->new_session =
345 SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
346 if (!hs->new_session) {
347 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
348 return ssl_hs_error;
349 }
350 ssl_set_session(ssl, NULL);
351
352 // Resumption incorporates fresh key material, so refresh the timeout.
353 ssl_session_renew_timeout(ssl, hs->new_session.get(),
354 ssl->session_ctx->session_psk_dhe_timeout);
355 } else if (!ssl_get_new_session(hs, 0)) {
356 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
357 return ssl_hs_error;
358 }
359
360 hs->new_session->cipher = cipher;
361 hs->new_cipher = cipher;
362
363 size_t hash_len =
364 EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));
365
366 // Set up the key schedule and incorporate the PSK into the running secret.
367 if (ssl->s3->session_reused) {
368 if (!tls13_init_key_schedule(
369 hs, MakeConstSpan(hs->new_session->master_key,
370 hs->new_session->master_key_length))) {
371 return ssl_hs_error;
372 }
373 } else if (!tls13_init_key_schedule(hs, MakeConstSpan(kZeroes, hash_len))) {
374 return ssl_hs_error;
375 }
376
377 if (!have_key_share) {
378 // We do not support psk_ke and thus always require a key share.
379 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
380 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
381 return ssl_hs_error;
382 }
383
384 // Resolve ECDHE and incorporate it into the secret.
385 Array<uint8_t> dhe_secret;
386 alert = SSL_AD_DECODE_ERROR;
387 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
388 &key_share)) {
389 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
390 return ssl_hs_error;
391 }
392
393 if (!tls13_advance_key_schedule(hs, dhe_secret) ||
394 !ssl_hash_message(hs, msg) ||
395 !tls13_derive_handshake_secrets(hs) ||
396 !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
397 hs->server_handshake_secret())) {
398 return ssl_hs_error;
399 }
400
401 if (!hs->early_data_offered) {
402 // If not sending early data, set client traffic keys now so that alerts are
403 // encrypted.
404 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
405 hs->client_handshake_secret())) {
406 return ssl_hs_error;
407 }
408 }
409
410 ssl->method->next_message(ssl);
411 hs->tls13_state = state_read_encrypted_extensions;
412 return ssl_hs_ok;
413 }
414
do_read_encrypted_extensions(SSL_HANDSHAKE * hs)415 static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
416 SSL *const ssl = hs->ssl;
417 SSLMessage msg;
418 if (!ssl->method->get_message(ssl, &msg)) {
419 return ssl_hs_read_message;
420 }
421 if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
422 return ssl_hs_error;
423 }
424
425 CBS body = msg.body;
426 if (!ssl_parse_serverhello_tlsext(hs, &body)) {
427 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
428 return ssl_hs_error;
429 }
430 if (CBS_len(&body) != 0) {
431 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
432 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
433 return ssl_hs_error;
434 }
435
436 // Store the negotiated ALPN in the session.
437 if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
438 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
439 return ssl_hs_error;
440 }
441
442 if (ssl->s3->early_data_accepted) {
443 if (hs->early_session->cipher != hs->new_session->cipher ||
444 MakeConstSpan(hs->early_session->early_alpn) !=
445 ssl->s3->alpn_selected) {
446 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
447 return ssl_hs_error;
448 }
449 if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated) {
450 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
451 return ssl_hs_error;
452 }
453 }
454
455 if (!ssl_hash_message(hs, msg)) {
456 return ssl_hs_error;
457 }
458
459 ssl->method->next_message(ssl);
460 hs->tls13_state = state_read_certificate_request;
461 if (hs->in_early_data && !ssl->s3->early_data_accepted) {
462 return ssl_hs_early_data_rejected;
463 }
464 return ssl_hs_ok;
465 }
466
do_read_certificate_request(SSL_HANDSHAKE * hs)467 static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
468 SSL *const ssl = hs->ssl;
469 // CertificateRequest may only be sent in non-resumption handshakes.
470 if (ssl->s3->session_reused) {
471 if (ssl->ctx->reverify_on_resume && !ssl->s3->early_data_accepted) {
472 hs->tls13_state = state_server_certificate_reverify;
473 return ssl_hs_ok;
474 }
475 hs->tls13_state = state_read_server_finished;
476 return ssl_hs_ok;
477 }
478
479 SSLMessage msg;
480 if (!ssl->method->get_message(ssl, &msg)) {
481 return ssl_hs_read_message;
482 }
483
484 // CertificateRequest is optional.
485 if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
486 hs->tls13_state = state_read_server_certificate;
487 return ssl_hs_ok;
488 }
489
490
491 bool have_sigalgs = false, have_ca = false;
492 CBS sigalgs, ca;
493 const SSL_EXTENSION_TYPE ext_types[] = {
494 {TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},
495 {TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},
496 };
497
498 CBS body = msg.body, context, extensions, supported_signature_algorithms;
499 uint8_t alert = SSL_AD_DECODE_ERROR;
500 if (!CBS_get_u8_length_prefixed(&body, &context) ||
501 // The request context is always empty during the handshake.
502 CBS_len(&context) != 0 ||
503 !CBS_get_u16_length_prefixed(&body, &extensions) ||
504 CBS_len(&body) != 0 ||
505 !ssl_parse_extensions(&extensions, &alert, ext_types,
506 OPENSSL_ARRAY_SIZE(ext_types),
507 1 /* accept unknown */) ||
508 (have_ca && CBS_len(&ca) == 0) ||
509 !have_sigalgs ||
510 !CBS_get_u16_length_prefixed(&sigalgs,
511 &supported_signature_algorithms) ||
512 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
513 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
514 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
515 return ssl_hs_error;
516 }
517
518 if (have_ca) {
519 hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);
520 if (!hs->ca_names) {
521 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
522 return ssl_hs_error;
523 }
524 } else {
525 hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());
526 if (!hs->ca_names) {
527 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
528 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
529 return ssl_hs_error;
530 }
531 }
532
533 hs->cert_request = true;
534 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
535
536 if (!ssl_hash_message(hs, msg)) {
537 return ssl_hs_error;
538 }
539
540 ssl->method->next_message(ssl);
541 hs->tls13_state = state_read_server_certificate;
542 return ssl_hs_ok;
543 }
544
do_read_server_certificate(SSL_HANDSHAKE * hs)545 static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
546 SSL *const ssl = hs->ssl;
547 SSLMessage msg;
548 if (!ssl->method->get_message(ssl, &msg)) {
549 return ssl_hs_read_message;
550 }
551
552 if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&
553 !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
554 return ssl_hs_error;
555 }
556
557 if (!tls13_process_certificate(hs, msg, false /* certificate required */) ||
558 !ssl_hash_message(hs, msg)) {
559 return ssl_hs_error;
560 }
561
562 ssl->method->next_message(ssl);
563 hs->tls13_state = state_read_server_certificate_verify;
564 return ssl_hs_ok;
565 }
566
do_read_server_certificate_verify(SSL_HANDSHAKE * hs)567 static enum ssl_hs_wait_t do_read_server_certificate_verify(
568 SSL_HANDSHAKE *hs) {
569 SSL *const ssl = hs->ssl;
570 SSLMessage msg;
571 if (!ssl->method->get_message(ssl, &msg)) {
572 return ssl_hs_read_message;
573 }
574 switch (ssl_verify_peer_cert(hs)) {
575 case ssl_verify_ok:
576 break;
577 case ssl_verify_invalid:
578 return ssl_hs_error;
579 case ssl_verify_retry:
580 hs->tls13_state = state_read_server_certificate_verify;
581 return ssl_hs_certificate_verify;
582 }
583
584 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
585 !tls13_process_certificate_verify(hs, msg) ||
586 !ssl_hash_message(hs, msg)) {
587 return ssl_hs_error;
588 }
589
590 ssl->method->next_message(ssl);
591 hs->tls13_state = state_read_server_finished;
592 return ssl_hs_ok;
593 }
594
do_server_certificate_reverify(SSL_HANDSHAKE * hs)595 static enum ssl_hs_wait_t do_server_certificate_reverify(
596 SSL_HANDSHAKE *hs) {
597 switch (ssl_reverify_peer_cert(hs)) {
598 case ssl_verify_ok:
599 break;
600 case ssl_verify_invalid:
601 return ssl_hs_error;
602 case ssl_verify_retry:
603 hs->tls13_state = state_server_certificate_reverify;
604 return ssl_hs_certificate_verify;
605 }
606 hs->tls13_state = state_read_server_finished;
607 return ssl_hs_ok;
608 }
609
do_read_server_finished(SSL_HANDSHAKE * hs)610 static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
611 SSL *const ssl = hs->ssl;
612 SSLMessage msg;
613 if (!ssl->method->get_message(ssl, &msg)) {
614 return ssl_hs_read_message;
615 }
616 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
617 !tls13_process_finished(hs, msg, false /* don't use saved value */) ||
618 !ssl_hash_message(hs, msg) ||
619 // Update the secret to the master secret and derive traffic keys.
620 !tls13_advance_key_schedule(
621 hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
622 !tls13_derive_application_secrets(hs)) {
623 return ssl_hs_error;
624 }
625
626 ssl->method->next_message(ssl);
627 hs->tls13_state = state_send_end_of_early_data;
628 return ssl_hs_ok;
629 }
630
do_send_end_of_early_data(SSL_HANDSHAKE * hs)631 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
632 SSL *const ssl = hs->ssl;
633
634 if (ssl->s3->early_data_accepted) {
635 hs->can_early_write = false;
636 // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
637 // section 8.3.
638 if (ssl->quic_method == nullptr) {
639 ScopedCBB cbb;
640 CBB body;
641 if (!ssl->method->init_message(ssl, cbb.get(), &body,
642 SSL3_MT_END_OF_EARLY_DATA) ||
643 !ssl_add_message_cbb(ssl, cbb.get())) {
644 return ssl_hs_error;
645 }
646 }
647 }
648
649 if (hs->early_data_offered) {
650 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
651 hs->client_handshake_secret())) {
652 return ssl_hs_error;
653 }
654 }
655
656 hs->tls13_state = state_send_client_certificate;
657 return ssl_hs_ok;
658 }
659
do_send_client_certificate(SSL_HANDSHAKE * hs)660 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
661 SSL *const ssl = hs->ssl;
662
663 // The peer didn't request a certificate.
664 if (!hs->cert_request) {
665 hs->tls13_state = state_complete_second_flight;
666 return ssl_hs_ok;
667 }
668
669 // Call cert_cb to update the certificate.
670 if (hs->config->cert->cert_cb != NULL) {
671 int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
672 if (rv == 0) {
673 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
674 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
675 return ssl_hs_error;
676 }
677 if (rv < 0) {
678 hs->tls13_state = state_send_client_certificate;
679 return ssl_hs_x509_lookup;
680 }
681 }
682
683 if (!ssl_on_certificate_selected(hs) ||
684 !tls13_add_certificate(hs)) {
685 return ssl_hs_error;
686 }
687
688 hs->tls13_state = state_send_client_certificate_verify;
689 return ssl_hs_ok;
690 }
691
do_send_client_certificate_verify(SSL_HANDSHAKE * hs)692 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
693 // Don't send CertificateVerify if there is no certificate.
694 if (!ssl_has_certificate(hs)) {
695 hs->tls13_state = state_complete_second_flight;
696 return ssl_hs_ok;
697 }
698
699 switch (tls13_add_certificate_verify(hs)) {
700 case ssl_private_key_success:
701 hs->tls13_state = state_complete_second_flight;
702 return ssl_hs_ok;
703
704 case ssl_private_key_retry:
705 hs->tls13_state = state_send_client_certificate_verify;
706 return ssl_hs_private_key_operation;
707
708 case ssl_private_key_failure:
709 return ssl_hs_error;
710 }
711
712 assert(0);
713 return ssl_hs_error;
714 }
715
do_complete_second_flight(SSL_HANDSHAKE * hs)716 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
717 SSL *const ssl = hs->ssl;
718
719 // Send a Channel ID assertion if necessary.
720 if (ssl->s3->channel_id_valid) {
721 if (!ssl_do_channel_id_callback(hs)) {
722 hs->tls13_state = state_complete_second_flight;
723 return ssl_hs_error;
724 }
725
726 if (hs->config->channel_id_private == NULL) {
727 return ssl_hs_channel_id_lookup;
728 }
729
730 ScopedCBB cbb;
731 CBB body;
732 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
733 !tls1_write_channel_id(hs, &body) ||
734 !ssl_add_message_cbb(ssl, cbb.get())) {
735 return ssl_hs_error;
736 }
737 }
738
739 // Send a Finished message.
740 if (!tls13_add_finished(hs)) {
741 return ssl_hs_error;
742 }
743
744 // Derive the final keys and enable them.
745 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
746 hs->server_traffic_secret_0()) ||
747 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
748 hs->client_traffic_secret_0()) ||
749 !tls13_derive_resumption_secret(hs)) {
750 return ssl_hs_error;
751 }
752
753 hs->tls13_state = state_done;
754 return ssl_hs_flush;
755 }
756
tls13_client_handshake(SSL_HANDSHAKE * hs)757 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
758 while (hs->tls13_state != state_done) {
759 enum ssl_hs_wait_t ret = ssl_hs_error;
760 enum client_hs_state_t state =
761 static_cast<enum client_hs_state_t>(hs->tls13_state);
762 switch (state) {
763 case state_read_hello_retry_request:
764 ret = do_read_hello_retry_request(hs);
765 break;
766 case state_send_second_client_hello:
767 ret = do_send_second_client_hello(hs);
768 break;
769 case state_read_server_hello:
770 ret = do_read_server_hello(hs);
771 break;
772 case state_read_encrypted_extensions:
773 ret = do_read_encrypted_extensions(hs);
774 break;
775 case state_read_certificate_request:
776 ret = do_read_certificate_request(hs);
777 break;
778 case state_read_server_certificate:
779 ret = do_read_server_certificate(hs);
780 break;
781 case state_read_server_certificate_verify:
782 ret = do_read_server_certificate_verify(hs);
783 break;
784 case state_server_certificate_reverify:
785 ret = do_server_certificate_reverify(hs);
786 break;
787 case state_read_server_finished:
788 ret = do_read_server_finished(hs);
789 break;
790 case state_send_end_of_early_data:
791 ret = do_send_end_of_early_data(hs);
792 break;
793 case state_send_client_certificate:
794 ret = do_send_client_certificate(hs);
795 break;
796 case state_send_client_certificate_verify:
797 ret = do_send_client_certificate_verify(hs);
798 break;
799 case state_complete_second_flight:
800 ret = do_complete_second_flight(hs);
801 break;
802 case state_done:
803 ret = ssl_hs_ok;
804 break;
805 }
806
807 if (hs->tls13_state != state) {
808 ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
809 }
810
811 if (ret != ssl_hs_ok) {
812 return ret;
813 }
814 }
815
816 return ssl_hs_ok;
817 }
818
tls13_client_handshake_state(SSL_HANDSHAKE * hs)819 const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
820 enum client_hs_state_t state =
821 static_cast<enum client_hs_state_t>(hs->tls13_state);
822 switch (state) {
823 case state_read_hello_retry_request:
824 return "TLS 1.3 client read_hello_retry_request";
825 case state_send_second_client_hello:
826 return "TLS 1.3 client send_second_client_hello";
827 case state_read_server_hello:
828 return "TLS 1.3 client read_server_hello";
829 case state_read_encrypted_extensions:
830 return "TLS 1.3 client read_encrypted_extensions";
831 case state_read_certificate_request:
832 return "TLS 1.3 client read_certificate_request";
833 case state_read_server_certificate:
834 return "TLS 1.3 client read_server_certificate";
835 case state_read_server_certificate_verify:
836 return "TLS 1.3 client read_server_certificate_verify";
837 case state_server_certificate_reverify:
838 return "TLS 1.3 client server_certificate_reverify";
839 case state_read_server_finished:
840 return "TLS 1.3 client read_server_finished";
841 case state_send_end_of_early_data:
842 return "TLS 1.3 client send_end_of_early_data";
843 case state_send_client_certificate:
844 return "TLS 1.3 client send_client_certificate";
845 case state_send_client_certificate_verify:
846 return "TLS 1.3 client send_client_certificate_verify";
847 case state_complete_second_flight:
848 return "TLS 1.3 client complete_second_flight";
849 case state_done:
850 return "TLS 1.3 client done";
851 }
852
853 return "TLS 1.3 client unknown";
854 }
855
tls13_process_new_session_ticket(SSL * ssl,const SSLMessage & msg)856 bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
857 if (ssl->s3->write_shutdown != ssl_shutdown_none) {
858 // Ignore tickets on shutdown. Callers tend to indiscriminately call
859 // |SSL_shutdown| before destroying an |SSL|, at which point calling the new
860 // session callback may be confusing.
861 return true;
862 }
863
864 UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
865 ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
866 if (!session) {
867 return false;
868 }
869
870 ssl_session_rebase_time(ssl, session.get());
871
872 uint32_t server_timeout;
873 CBS body = msg.body, ticket_nonce, ticket, extensions;
874 if (!CBS_get_u32(&body, &server_timeout) ||
875 !CBS_get_u32(&body, &session->ticket_age_add) ||
876 !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||
877 !CBS_get_u16_length_prefixed(&body, &ticket) ||
878 !session->ticket.CopyFrom(ticket) ||
879 !CBS_get_u16_length_prefixed(&body, &extensions) ||
880 CBS_len(&body) != 0) {
881 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
882 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
883 return false;
884 }
885
886 // Cap the renewable lifetime by the server advertised value. This avoids
887 // wasting bandwidth on 0-RTT when we know the server will reject it.
888 if (session->timeout > server_timeout) {
889 session->timeout = server_timeout;
890 }
891
892 if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
893 return false;
894 }
895
896 // Parse out the extensions.
897 bool have_early_data = false;
898 CBS early_data;
899 const SSL_EXTENSION_TYPE ext_types[] = {
900 {TLSEXT_TYPE_early_data, &have_early_data, &early_data},
901 };
902
903 uint8_t alert = SSL_AD_DECODE_ERROR;
904 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
905 OPENSSL_ARRAY_SIZE(ext_types),
906 1 /* ignore unknown */)) {
907 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
908 return false;
909 }
910
911 if (have_early_data) {
912 if (!CBS_get_u32(&early_data, &session->ticket_max_early_data) ||
913 CBS_len(&early_data) != 0) {
914 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
915 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
916 return false;
917 }
918
919 // QUIC does not use the max_early_data_size parameter and always sets it to
920 // a fixed value. See draft-ietf-quic-tls-22, section 4.5.
921 if (ssl->quic_method != nullptr &&
922 session->ticket_max_early_data != 0xffffffff) {
923 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
924 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
925 return false;
926 }
927 }
928
929 // Generate a session ID for this session. Some callers expect all sessions to
930 // have a session ID.
931 SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
932 session->session_id_length = SHA256_DIGEST_LENGTH;
933
934 session->ticket_age_add_valid = true;
935 session->not_resumable = false;
936
937 if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
938 ssl->session_ctx->new_session_cb != NULL &&
939 ssl->session_ctx->new_session_cb(ssl, session.get())) {
940 // |new_session_cb|'s return value signals that it took ownership.
941 session.release();
942 }
943
944 return true;
945 }
946
947 BSSL_NAMESPACE_END
948