1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 *
113 * Portions of the attached software ("Contribution") are developed by
114 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115 *
116 * The Contribution is licensed pursuant to the OpenSSL open source
117 * license provided above.
118 *
119 * ECC cipher suite support in OpenSSL originally written by
120 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121 *
122 */
123 /* ====================================================================
124 * Copyright 2005 Nokia. All rights reserved.
125 *
126 * The portions of the attached software ("Contribution") is developed by
127 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
128 * license.
129 *
130 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132 * support (see RFC 4279) to OpenSSL.
133 *
134 * No patent licenses or other rights except those expressly stated in
135 * the OpenSSL open source license shall be deemed granted or received
136 * expressly, by implication, estoppel, or otherwise.
137 *
138 * No assurances are provided by Nokia that the Contribution does not
139 * infringe the patent or other intellectual property rights of any third
140 * party or that the license provides you with all the necessary rights
141 * to make use of the Contribution.
142 *
143 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147 * OTHERWISE.
148 */
149
150 #include <openssl/ssl.h>
151
152 #include <assert.h>
153 #include <limits.h>
154 #include <string.h>
155
156 #include <utility>
157
158 #include <openssl/aead.h>
159 #include <openssl/bn.h>
160 #include <openssl/bytestring.h>
161 #include <openssl/ec_key.h>
162 #include <openssl/ecdsa.h>
163 #include <openssl/err.h>
164 #include <openssl/evp.h>
165 #include <openssl/hpke.h>
166 #include <openssl/md5.h>
167 #include <openssl/mem.h>
168 #include <openssl/rand.h>
169 #include <openssl/sha.h>
170
171 #include "../crypto/internal.h"
172 #include "internal.h"
173
174
175 BSSL_NAMESPACE_BEGIN
176
177 enum ssl_client_hs_state_t {
178 state_start_connect = 0,
179 state_enter_early_data,
180 state_early_reverify_server_certificate,
181 state_read_hello_verify_request,
182 state_read_server_hello,
183 state_tls13,
184 state_read_server_certificate,
185 state_read_certificate_status,
186 state_verify_server_certificate,
187 state_reverify_server_certificate,
188 state_read_server_key_exchange,
189 state_read_certificate_request,
190 state_read_server_hello_done,
191 state_send_client_certificate,
192 state_send_client_key_exchange,
193 state_send_client_certificate_verify,
194 state_send_client_finished,
195 state_finish_flight,
196 state_read_session_ticket,
197 state_process_change_cipher_spec,
198 state_read_server_finished,
199 state_finish_client_handshake,
200 state_done,
201 };
202
203 // ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
204 // disabled algorithms.
ssl_get_client_disabled(const SSL_HANDSHAKE * hs,uint32_t * out_mask_a,uint32_t * out_mask_k)205 static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
206 uint32_t *out_mask_a,
207 uint32_t *out_mask_k) {
208 *out_mask_a = 0;
209 *out_mask_k = 0;
210
211 // PSK requires a client callback.
212 if (hs->config->psk_client_callback == NULL) {
213 *out_mask_a |= SSL_aPSK;
214 *out_mask_k |= SSL_kPSK;
215 }
216 }
217
ssl_write_client_cipher_list(const SSL_HANDSHAKE * hs,CBB * out,ssl_client_hello_type_t type)218 static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
219 ssl_client_hello_type_t type) {
220 const SSL *const ssl = hs->ssl;
221 uint32_t mask_a, mask_k;
222 ssl_get_client_disabled(hs, &mask_a, &mask_k);
223
224 CBB child;
225 if (!CBB_add_u16_length_prefixed(out, &child)) {
226 return false;
227 }
228
229 // Add a fake cipher suite. See RFC 8701.
230 if (ssl->ctx->grease_enabled &&
231 !CBB_add_u16(&child, ssl_get_grease_value(hs, ssl_grease_cipher))) {
232 return false;
233 }
234
235 // Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
236 // hardware support.
237 if (hs->max_version >= TLS1_3_VERSION) {
238 if (!EVP_has_aes_hardware() &&
239 !CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
240 return false;
241 }
242 if (!CBB_add_u16(&child, TLS1_CK_AES_128_GCM_SHA256 & 0xffff) ||
243 !CBB_add_u16(&child, TLS1_CK_AES_256_GCM_SHA384 & 0xffff)) {
244 return false;
245 }
246 if (EVP_has_aes_hardware() &&
247 !CBB_add_u16(&child, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
248 return false;
249 }
250 }
251
252 if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) {
253 bool any_enabled = false;
254 for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) {
255 // Skip disabled ciphers
256 if ((cipher->algorithm_mkey & mask_k) ||
257 (cipher->algorithm_auth & mask_a)) {
258 continue;
259 }
260 if (SSL_CIPHER_get_min_version(cipher) > hs->max_version ||
261 SSL_CIPHER_get_max_version(cipher) < hs->min_version) {
262 continue;
263 }
264 any_enabled = true;
265 if (!CBB_add_u16(&child, SSL_CIPHER_get_protocol_id(cipher))) {
266 return false;
267 }
268 }
269
270 // If all ciphers were disabled, return the error to the caller.
271 if (!any_enabled && hs->max_version < TLS1_3_VERSION) {
272 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
273 return false;
274 }
275 }
276
277 if (ssl->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
278 if (!CBB_add_u16(&child, SSL3_CK_FALLBACK_SCSV & 0xffff)) {
279 return false;
280 }
281 }
282
283 return CBB_flush(out);
284 }
285
ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE * hs,CBB * cbb,ssl_client_hello_type_t type,bool empty_session_id)286 bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,
287 CBB *cbb,
288 ssl_client_hello_type_t type,
289 bool empty_session_id) {
290 const SSL *const ssl = hs->ssl;
291 CBB child;
292 if (!CBB_add_u16(cbb, hs->client_version) ||
293 !CBB_add_bytes(cbb,
294 type == ssl_client_hello_inner ? hs->inner_client_random
295 : ssl->s3->client_random,
296 SSL3_RANDOM_SIZE) ||
297 !CBB_add_u8_length_prefixed(cbb, &child)) {
298 return false;
299 }
300
301 // Do not send a session ID on renegotiation.
302 if (!ssl->s3->initial_handshake_complete &&
303 !empty_session_id &&
304 !CBB_add_bytes(&child, hs->session_id, hs->session_id_len)) {
305 return false;
306 }
307
308 if (SSL_is_dtls(ssl)) {
309 if (!CBB_add_u8_length_prefixed(cbb, &child) ||
310 !CBB_add_bytes(&child, ssl->d1->cookie, ssl->d1->cookie_len)) {
311 return false;
312 }
313 }
314
315 if (!ssl_write_client_cipher_list(hs, cbb, type) ||
316 !CBB_add_u8(cbb, 1 /* one compression method */) ||
317 !CBB_add_u8(cbb, 0 /* null compression */)) {
318 return false;
319 }
320 return true;
321 }
322
ssl_add_client_hello(SSL_HANDSHAKE * hs)323 bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
324 SSL *const ssl = hs->ssl;
325 ScopedCBB cbb;
326 CBB body;
327 ssl_client_hello_type_t type = hs->selected_ech_config
328 ? ssl_client_hello_outer
329 : ssl_client_hello_unencrypted;
330 bool needs_psk_binder;
331 Array<uint8_t> msg;
332 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||
333 !ssl_write_client_hello_without_extensions(hs, &body, type,
334 /*empty_session_id=*/false) ||
335 !ssl_add_clienthello_tlsext(hs, &body, /*out_encoded=*/nullptr,
336 &needs_psk_binder, type, CBB_len(&body)) ||
337 !ssl->method->finish_message(ssl, cbb.get(), &msg)) {
338 return false;
339 }
340
341 // Now that the length prefixes have been computed, fill in the placeholder
342 // PSK binder.
343 if (needs_psk_binder) {
344 // ClientHelloOuter cannot have a PSK binder. Otherwise the
345 // ClientHellOuterAAD computation would break.
346 assert(type != ssl_client_hello_outer);
347 if (!tls13_write_psk_binder(hs, hs->transcript, MakeSpan(msg),
348 /*out_binder_len=*/0)) {
349 return false;
350 }
351 }
352
353 return ssl->method->add_message(ssl, std::move(msg));
354 }
355
parse_server_version(const SSL_HANDSHAKE * hs,uint16_t * out_version,uint8_t * out_alert,const ParsedServerHello & server_hello)356 static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version,
357 uint8_t *out_alert,
358 const ParsedServerHello &server_hello) {
359 // If the outer version is not TLS 1.2, use it.
360 // TODO(davidben): This function doesn't quite match the RFC8446 formulation.
361 if (server_hello.legacy_version != TLS1_2_VERSION) {
362 *out_version = server_hello.legacy_version;
363 return true;
364 }
365
366 SSLExtension supported_versions(TLSEXT_TYPE_supported_versions);
367 CBS extensions = server_hello.extensions;
368 if (!ssl_parse_extensions(&extensions, out_alert, {&supported_versions},
369 /*ignore_unknown=*/true)) {
370 return false;
371 }
372
373 if (!supported_versions.present) {
374 *out_version = server_hello.legacy_version;
375 return true;
376 }
377
378 if (!CBS_get_u16(&supported_versions.data, out_version) ||
379 CBS_len(&supported_versions.data) != 0) {
380 *out_alert = SSL_AD_DECODE_ERROR;
381 return false;
382 }
383
384 return true;
385 }
386
387 // should_offer_early_data returns |ssl_early_data_accepted| if |hs| should
388 // offer early data, and some other reason code otherwise.
should_offer_early_data(const SSL_HANDSHAKE * hs)389 static ssl_early_data_reason_t should_offer_early_data(
390 const SSL_HANDSHAKE *hs) {
391 const SSL *const ssl = hs->ssl;
392 assert(!ssl->server);
393 if (!ssl->enable_early_data) {
394 return ssl_early_data_disabled;
395 }
396
397 if (hs->max_version < TLS1_3_VERSION) {
398 // We discard inapplicable sessions, so this is redundant with the session
399 // checks below, but reporting that TLS 1.3 was disabled is more useful.
400 return ssl_early_data_protocol_version;
401 }
402
403 if (ssl->session == nullptr) {
404 return ssl_early_data_no_session_offered;
405 }
406
407 if (ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION ||
408 ssl->session->ticket_max_early_data == 0) {
409 return ssl_early_data_unsupported_for_session;
410 }
411
412 if (!ssl->session->early_alpn.empty()) {
413 if (!ssl_is_alpn_protocol_allowed(hs, ssl->session->early_alpn)) {
414 // Avoid reporting a confusing value in |SSL_get0_alpn_selected|.
415 return ssl_early_data_alpn_mismatch;
416 }
417
418 // If the previous connection negotiated ALPS, only offer 0-RTT when the
419 // local are settings are consistent with what we'd offer for this
420 // connection.
421 if (ssl->session->has_application_settings) {
422 Span<const uint8_t> settings;
423 if (!ssl_get_local_application_settings(hs, &settings,
424 ssl->session->early_alpn) ||
425 settings != ssl->session->local_application_settings) {
426 return ssl_early_data_alps_mismatch;
427 }
428 }
429 }
430
431 // Early data has not yet been accepted, but we use it as a success code.
432 return ssl_early_data_accepted;
433 }
434
ssl_done_writing_client_hello(SSL_HANDSHAKE * hs)435 void ssl_done_writing_client_hello(SSL_HANDSHAKE *hs) {
436 hs->ech_client_outer.Reset();
437 hs->cookie.Reset();
438 hs->key_share_bytes.Reset();
439 }
440
do_start_connect(SSL_HANDSHAKE * hs)441 static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
442 SSL *const ssl = hs->ssl;
443
444 ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, 1);
445 // |session_reused| must be reset in case this is a renegotiation.
446 ssl->s3->session_reused = false;
447
448 // Freeze the version range.
449 if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) {
450 return ssl_hs_error;
451 }
452
453 uint8_t ech_enc[EVP_HPKE_MAX_ENC_LENGTH];
454 size_t ech_enc_len;
455 if (!ssl_select_ech_config(hs, ech_enc, &ech_enc_len)) {
456 return ssl_hs_error;
457 }
458
459 // Always advertise the ClientHello version from the original maximum version,
460 // even on renegotiation. The static RSA key exchange uses this field, and
461 // some servers fail when it changes across handshakes.
462 if (SSL_is_dtls(hs->ssl)) {
463 hs->client_version =
464 hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;
465 } else {
466 hs->client_version =
467 hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
468 }
469
470 // If the configured session has expired or is not usable, drop it. We also do
471 // not offer sessions on renegotiation.
472 if (ssl->session != nullptr) {
473 if (ssl->session->is_server ||
474 !ssl_supports_version(hs, ssl->session->ssl_version) ||
475 // Do not offer TLS 1.2 sessions with ECH. ClientHelloInner does not
476 // offer TLS 1.2, and the cleartext session ID may leak the server
477 // identity.
478 (hs->selected_ech_config &&
479 ssl_session_protocol_version(ssl->session.get()) < TLS1_3_VERSION) ||
480 !SSL_SESSION_is_resumable(ssl->session.get()) ||
481 !ssl_session_is_time_valid(ssl, ssl->session.get()) ||
482 (ssl->quic_method != nullptr) != ssl->session->is_quic ||
483 ssl->s3->initial_handshake_complete) {
484 ssl_set_session(ssl, nullptr);
485 }
486 }
487
488 if (!RAND_bytes(ssl->s3->client_random, sizeof(ssl->s3->client_random))) {
489 return ssl_hs_error;
490 }
491 if (hs->selected_ech_config &&
492 !RAND_bytes(hs->inner_client_random, sizeof(hs->inner_client_random))) {
493 return ssl_hs_error;
494 }
495
496 // Never send a session ID in QUIC. QUIC uses TLS 1.3 at a minimum and
497 // disables TLS 1.3 middlebox compatibility mode.
498 if (ssl->quic_method == nullptr) {
499 const bool has_id_session = ssl->session != nullptr &&
500 ssl->session->session_id_length > 0 &&
501 ssl->session->ticket.empty();
502 const bool has_ticket_session =
503 ssl->session != nullptr && !ssl->session->ticket.empty();
504 if (has_id_session) {
505 hs->session_id_len = ssl->session->session_id_length;
506 OPENSSL_memcpy(hs->session_id, ssl->session->session_id,
507 hs->session_id_len);
508 } else if (has_ticket_session || hs->max_version >= TLS1_3_VERSION) {
509 // Send a random session ID. TLS 1.3 always sends one, and TLS 1.2 session
510 // tickets require a placeholder value to signal resumption.
511 hs->session_id_len = sizeof(hs->session_id);
512 if (!RAND_bytes(hs->session_id, hs->session_id_len)) {
513 return ssl_hs_error;
514 }
515 }
516 }
517
518 ssl_early_data_reason_t reason = should_offer_early_data(hs);
519 if (reason != ssl_early_data_accepted) {
520 ssl->s3->early_data_reason = reason;
521 } else {
522 hs->early_data_offered = true;
523 }
524
525 if (!ssl_setup_key_shares(hs, /*override_group_id=*/0) ||
526 !ssl_setup_extension_permutation(hs) ||
527 !ssl_encrypt_client_hello(hs, MakeConstSpan(ech_enc, ech_enc_len)) ||
528 !ssl_add_client_hello(hs)) {
529 return ssl_hs_error;
530 }
531
532 hs->state = state_enter_early_data;
533 return ssl_hs_flush;
534 }
535
do_enter_early_data(SSL_HANDSHAKE * hs)536 static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
537 SSL *const ssl = hs->ssl;
538
539 if (SSL_is_dtls(ssl)) {
540 hs->state = state_read_hello_verify_request;
541 return ssl_hs_ok;
542 }
543
544 if (!hs->early_data_offered) {
545 hs->state = state_read_server_hello;
546 return ssl_hs_ok;
547 }
548
549 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->session->ssl_version);
550 if (!ssl->method->add_change_cipher_spec(ssl)) {
551 return ssl_hs_error;
552 }
553
554 if (!tls13_init_early_key_schedule(hs, ssl->session.get()) ||
555 !tls13_derive_early_secret(hs)) {
556 return ssl_hs_error;
557 }
558
559 // Stash the early data session, so connection properties may be queried out
560 // of it.
561 hs->early_session = UpRef(ssl->session);
562 hs->state = state_early_reverify_server_certificate;
563 return ssl_hs_ok;
564 }
565
do_early_reverify_server_certificate(SSL_HANDSHAKE * hs)566 static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs) {
567 if (hs->ssl->ctx->reverify_on_resume) {
568 // Don't send an alert on error. The alert be in early data, which the
569 // server may not accept anyway. It would also be a mismatch between QUIC
570 // and TCP because the QUIC early keys are deferred below.
571 //
572 // TODO(davidben): The client behavior should be to verify the certificate
573 // before deciding whether to offer the session and, if invalid, decline to
574 // send the session.
575 switch (ssl_reverify_peer_cert(hs, /*send_alert=*/false)) {
576 case ssl_verify_ok:
577 break;
578 case ssl_verify_invalid:
579 return ssl_hs_error;
580 case ssl_verify_retry:
581 hs->state = state_early_reverify_server_certificate;
582 return ssl_hs_certificate_verify;
583 }
584 }
585
586 // Defer releasing the 0-RTT key to after certificate reverification, so the
587 // QUIC implementation does not accidentally write data too early.
588 if (!tls13_set_traffic_key(hs->ssl, ssl_encryption_early_data, evp_aead_seal,
589 hs->early_session.get(),
590 hs->early_traffic_secret())) {
591 return ssl_hs_error;
592 }
593
594 hs->in_early_data = true;
595 hs->can_early_write = true;
596 hs->state = state_read_server_hello;
597 return ssl_hs_early_return;
598 }
599
do_read_hello_verify_request(SSL_HANDSHAKE * hs)600 static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
601 SSL *const ssl = hs->ssl;
602
603 assert(SSL_is_dtls(ssl));
604
605 // When implementing DTLS 1.3, we need to handle the interactions between
606 // HelloVerifyRequest, DTLS 1.3's HelloVerifyRequest removal, and ECH.
607 assert(hs->max_version < TLS1_3_VERSION);
608
609 SSLMessage msg;
610 if (!ssl->method->get_message(ssl, &msg)) {
611 return ssl_hs_read_message;
612 }
613
614 if (msg.type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
615 hs->state = state_read_server_hello;
616 return ssl_hs_ok;
617 }
618
619 CBS hello_verify_request = msg.body, cookie;
620 uint16_t server_version;
621 if (!CBS_get_u16(&hello_verify_request, &server_version) ||
622 !CBS_get_u8_length_prefixed(&hello_verify_request, &cookie) ||
623 CBS_len(&cookie) > sizeof(ssl->d1->cookie) ||
624 CBS_len(&hello_verify_request) != 0) {
625 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
626 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
627 return ssl_hs_error;
628 }
629
630 OPENSSL_memcpy(ssl->d1->cookie, CBS_data(&cookie), CBS_len(&cookie));
631 ssl->d1->cookie_len = CBS_len(&cookie);
632
633 ssl->method->next_message(ssl);
634
635 // DTLS resets the handshake buffer after HelloVerifyRequest.
636 if (!hs->transcript.Init()) {
637 return ssl_hs_error;
638 }
639
640 if (!ssl_add_client_hello(hs)) {
641 return ssl_hs_error;
642 }
643
644 hs->state = state_read_server_hello;
645 return ssl_hs_flush;
646 }
647
ssl_parse_server_hello(ParsedServerHello * out,uint8_t * out_alert,const SSLMessage & msg)648 bool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert,
649 const SSLMessage &msg) {
650 if (msg.type != SSL3_MT_SERVER_HELLO) {
651 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
652 *out_alert = SSL_AD_UNEXPECTED_MESSAGE;
653 return false;
654 }
655 out->raw = msg.raw;
656 CBS body = msg.body;
657 if (!CBS_get_u16(&body, &out->legacy_version) ||
658 !CBS_get_bytes(&body, &out->random, SSL3_RANDOM_SIZE) ||
659 !CBS_get_u8_length_prefixed(&body, &out->session_id) ||
660 CBS_len(&out->session_id) > SSL3_SESSION_ID_SIZE ||
661 !CBS_get_u16(&body, &out->cipher_suite) ||
662 !CBS_get_u8(&body, &out->compression_method)) {
663 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
664 *out_alert = SSL_AD_DECODE_ERROR;
665 return false;
666 }
667 // In TLS 1.2 and below, empty extensions blocks may be omitted. In TLS 1.3,
668 // ServerHellos always have extensions, so this can be applied generically.
669 CBS_init(&out->extensions, nullptr, 0);
670 if ((CBS_len(&body) != 0 &&
671 !CBS_get_u16_length_prefixed(&body, &out->extensions)) ||
672 CBS_len(&body) != 0) {
673 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
674 *out_alert = SSL_AD_DECODE_ERROR;
675 return false;
676 }
677 return true;
678 }
679
do_read_server_hello(SSL_HANDSHAKE * hs)680 static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
681 SSL *const ssl = hs->ssl;
682 SSLMessage msg;
683 if (!ssl->method->get_message(ssl, &msg)) {
684 return ssl_hs_read_server_hello;
685 }
686
687 ParsedServerHello server_hello;
688 uint16_t server_version;
689 uint8_t alert = SSL_AD_DECODE_ERROR;
690 if (!ssl_parse_server_hello(&server_hello, &alert, msg) ||
691 !parse_server_version(hs, &server_version, &alert, server_hello)) {
692 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
693 return ssl_hs_error;
694 }
695
696 if (!ssl_supports_version(hs, server_version)) {
697 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
698 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
699 return ssl_hs_error;
700 }
701
702 assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
703 if (!ssl->s3->have_version) {
704 ssl->version = server_version;
705 // At this point, the connection's version is known and ssl->version is
706 // fixed. Begin enforcing the record-layer version.
707 ssl->s3->have_version = true;
708 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
709 } else if (server_version != ssl->version) {
710 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
711 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
712 return ssl_hs_error;
713 }
714
715 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
716 hs->state = state_tls13;
717 return ssl_hs_ok;
718 }
719
720 // Clear some TLS 1.3 state that no longer needs to be retained.
721 hs->key_shares[0].reset();
722 hs->key_shares[1].reset();
723 ssl_done_writing_client_hello(hs);
724
725 // A TLS 1.2 server would not know to skip the early data we offered. Report
726 // an error code sooner. The caller may use this error code to implement the
727 // fallback described in RFC 8446 appendix D.3.
728 if (hs->early_data_offered) {
729 // Disconnect early writes. This ensures subsequent |SSL_write| calls query
730 // the handshake which, in turn, will replay the error code rather than fail
731 // at the |write_shutdown| check. See https://crbug.com/1078515.
732 // TODO(davidben): Should all handshake errors do this? What about record
733 // decryption failures?
734 hs->can_early_write = false;
735 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
736 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
737 return ssl_hs_error;
738 }
739
740 // TLS 1.2 handshakes cannot accept ECH.
741 if (hs->selected_ech_config) {
742 ssl->s3->ech_status = ssl_ech_rejected;
743 }
744
745 // Copy over the server random.
746 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),
747 SSL3_RANDOM_SIZE);
748
749 // Enforce the TLS 1.3 anti-downgrade feature.
750 if (!ssl->s3->initial_handshake_complete &&
751 ssl_supports_version(hs, TLS1_3_VERSION)) {
752 static_assert(
753 sizeof(kTLS12DowngradeRandom) == sizeof(kTLS13DowngradeRandom),
754 "downgrade signals have different size");
755 static_assert(
756 sizeof(kJDK11DowngradeRandom) == sizeof(kTLS13DowngradeRandom),
757 "downgrade signals have different size");
758 auto suffix =
759 MakeConstSpan(ssl->s3->server_random, sizeof(ssl->s3->server_random))
760 .subspan(SSL3_RANDOM_SIZE - sizeof(kTLS13DowngradeRandom));
761 if (suffix == kTLS12DowngradeRandom || suffix == kTLS13DowngradeRandom ||
762 suffix == kJDK11DowngradeRandom) {
763 OPENSSL_PUT_ERROR(SSL, SSL_R_TLS13_DOWNGRADE);
764 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
765 return ssl_hs_error;
766 }
767 }
768
769 // The cipher must be allowed in the selected version and enabled.
770 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
771 uint32_t mask_a, mask_k;
772 ssl_get_client_disabled(hs, &mask_a, &mask_k);
773 if (cipher == nullptr ||
774 (cipher->algorithm_mkey & mask_k) ||
775 (cipher->algorithm_auth & mask_a) ||
776 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
777 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
778 !sk_SSL_CIPHER_find(SSL_get_ciphers(ssl), nullptr, cipher)) {
779 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
780 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
781 return ssl_hs_error;
782 }
783
784 hs->new_cipher = cipher;
785
786 if (hs->session_id_len != 0 &&
787 CBS_mem_equal(&server_hello.session_id, hs->session_id,
788 hs->session_id_len)) {
789 // Echoing the ClientHello session ID in TLS 1.2, whether from the session
790 // or a synthetic one, indicates resumption. If there was no session (or if
791 // the session was only offered in ECH ClientHelloInner), this was the
792 // TLS 1.3 compatibility mode session ID. As we know this is not a session
793 // the server knows about, any server resuming it is in error. Reject the
794 // first connection deterministicly, rather than installing an invalid
795 // session into the session cache. https://crbug.com/796910
796 if (ssl->session == nullptr || ssl->s3->ech_status == ssl_ech_rejected) {
797 OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_ECHOED_INVALID_SESSION_ID);
798 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
799 return ssl_hs_error;
800 }
801 if (ssl->session->ssl_version != ssl->version) {
802 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
803 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
804 return ssl_hs_error;
805 }
806 if (ssl->session->cipher != hs->new_cipher) {
807 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
808 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
809 return ssl_hs_error;
810 }
811 if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
812 // This is actually a client application bug.
813 OPENSSL_PUT_ERROR(SSL,
814 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
815 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
816 return ssl_hs_error;
817 }
818 // We never offer sessions on renegotiation.
819 assert(!ssl->s3->initial_handshake_complete);
820 ssl->s3->session_reused = true;
821 } else {
822 // The session wasn't resumed. Create a fresh SSL_SESSION to fill out.
823 ssl_set_session(ssl, NULL);
824 if (!ssl_get_new_session(hs)) {
825 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
826 return ssl_hs_error;
827 }
828 // Note: session_id could be empty.
829 hs->new_session->session_id_length = CBS_len(&server_hello.session_id);
830 OPENSSL_memcpy(hs->new_session->session_id,
831 CBS_data(&server_hello.session_id),
832 CBS_len(&server_hello.session_id));
833 hs->new_session->cipher = hs->new_cipher;
834 }
835
836 // Now that the cipher is known, initialize the handshake hash and hash the
837 // ServerHello.
838 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
839 !ssl_hash_message(hs, msg)) {
840 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
841 return ssl_hs_error;
842 }
843
844 // If doing a full handshake, the server may request a client certificate
845 // which requires hashing the handshake transcript. Otherwise, the handshake
846 // buffer may be released.
847 if (ssl->session != NULL ||
848 !ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
849 hs->transcript.FreeBuffer();
850 }
851
852 // Only the NULL compression algorithm is supported.
853 if (server_hello.compression_method != 0) {
854 OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
855 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
856 return ssl_hs_error;
857 }
858
859 if (!ssl_parse_serverhello_tlsext(hs, &server_hello.extensions)) {
860 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
861 return ssl_hs_error;
862 }
863
864 if (ssl->session != NULL &&
865 hs->extended_master_secret != ssl->session->extended_master_secret) {
866 if (ssl->session->extended_master_secret) {
867 OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
868 } else {
869 OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION);
870 }
871 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
872 return ssl_hs_error;
873 }
874
875 ssl->method->next_message(ssl);
876
877 if (ssl->session != NULL) {
878 if (ssl->ctx->reverify_on_resume &&
879 ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
880 hs->state = state_reverify_server_certificate;
881 } else {
882 hs->state = state_read_session_ticket;
883 }
884 return ssl_hs_ok;
885 }
886
887 hs->state = state_read_server_certificate;
888 return ssl_hs_ok;
889 }
890
do_tls13(SSL_HANDSHAKE * hs)891 static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {
892 enum ssl_hs_wait_t wait = tls13_client_handshake(hs);
893 if (wait == ssl_hs_ok) {
894 hs->state = state_finish_client_handshake;
895 return ssl_hs_ok;
896 }
897
898 return wait;
899 }
900
do_read_server_certificate(SSL_HANDSHAKE * hs)901 static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
902 SSL *const ssl = hs->ssl;
903
904 if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
905 hs->state = state_read_certificate_status;
906 return ssl_hs_ok;
907 }
908
909 SSLMessage msg;
910 if (!ssl->method->get_message(ssl, &msg)) {
911 return ssl_hs_read_message;
912 }
913
914 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
915 !ssl_hash_message(hs, msg)) {
916 return ssl_hs_error;
917 }
918
919 CBS body = msg.body;
920 uint8_t alert = SSL_AD_DECODE_ERROR;
921 if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey,
922 NULL, &body, ssl->ctx->pool)) {
923 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
924 return ssl_hs_error;
925 }
926
927 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0 ||
928 CBS_len(&body) != 0 ||
929 !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
930 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
931 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
932 return ssl_hs_error;
933 }
934
935 if (!ssl_check_leaf_certificate(
936 hs, hs->peer_pubkey.get(),
937 sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0))) {
938 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
939 return ssl_hs_error;
940 }
941
942 ssl->method->next_message(ssl);
943
944 hs->state = state_read_certificate_status;
945 return ssl_hs_ok;
946 }
947
do_read_certificate_status(SSL_HANDSHAKE * hs)948 static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) {
949 SSL *const ssl = hs->ssl;
950
951 if (!hs->certificate_status_expected) {
952 hs->state = state_verify_server_certificate;
953 return ssl_hs_ok;
954 }
955
956 SSLMessage msg;
957 if (!ssl->method->get_message(ssl, &msg)) {
958 return ssl_hs_read_message;
959 }
960
961 if (msg.type != SSL3_MT_CERTIFICATE_STATUS) {
962 // A server may send status_request in ServerHello and then change its mind
963 // about sending CertificateStatus.
964 hs->state = state_verify_server_certificate;
965 return ssl_hs_ok;
966 }
967
968 if (!ssl_hash_message(hs, msg)) {
969 return ssl_hs_error;
970 }
971
972 CBS certificate_status = msg.body, ocsp_response;
973 uint8_t status_type;
974 if (!CBS_get_u8(&certificate_status, &status_type) ||
975 status_type != TLSEXT_STATUSTYPE_ocsp ||
976 !CBS_get_u24_length_prefixed(&certificate_status, &ocsp_response) ||
977 CBS_len(&ocsp_response) == 0 ||
978 CBS_len(&certificate_status) != 0) {
979 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
980 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
981 return ssl_hs_error;
982 }
983
984 hs->new_session->ocsp_response.reset(
985 CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool));
986 if (hs->new_session->ocsp_response == nullptr) {
987 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
988 return ssl_hs_error;
989 }
990
991 ssl->method->next_message(ssl);
992
993 hs->state = state_verify_server_certificate;
994 return ssl_hs_ok;
995 }
996
do_verify_server_certificate(SSL_HANDSHAKE * hs)997 static enum ssl_hs_wait_t do_verify_server_certificate(SSL_HANDSHAKE *hs) {
998 if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
999 hs->state = state_read_server_key_exchange;
1000 return ssl_hs_ok;
1001 }
1002
1003 switch (ssl_verify_peer_cert(hs)) {
1004 case ssl_verify_ok:
1005 break;
1006 case ssl_verify_invalid:
1007 return ssl_hs_error;
1008 case ssl_verify_retry:
1009 hs->state = state_verify_server_certificate;
1010 return ssl_hs_certificate_verify;
1011 }
1012
1013 hs->state = state_read_server_key_exchange;
1014 return ssl_hs_ok;
1015 }
1016
do_reverify_server_certificate(SSL_HANDSHAKE * hs)1017 static enum ssl_hs_wait_t do_reverify_server_certificate(SSL_HANDSHAKE *hs) {
1018 assert(hs->ssl->ctx->reverify_on_resume);
1019
1020 switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {
1021 case ssl_verify_ok:
1022 break;
1023 case ssl_verify_invalid:
1024 return ssl_hs_error;
1025 case ssl_verify_retry:
1026 hs->state = state_reverify_server_certificate;
1027 return ssl_hs_certificate_verify;
1028 }
1029
1030 hs->state = state_read_session_ticket;
1031 return ssl_hs_ok;
1032 }
1033
do_read_server_key_exchange(SSL_HANDSHAKE * hs)1034 static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
1035 SSL *const ssl = hs->ssl;
1036 SSLMessage msg;
1037 if (!ssl->method->get_message(ssl, &msg)) {
1038 return ssl_hs_read_message;
1039 }
1040
1041 if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1042 // Some ciphers (pure PSK) have an optional ServerKeyExchange message.
1043 if (ssl_cipher_requires_server_key_exchange(hs->new_cipher)) {
1044 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
1045 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1046 return ssl_hs_error;
1047 }
1048
1049 hs->state = state_read_certificate_request;
1050 return ssl_hs_ok;
1051 }
1052
1053 if (!ssl_hash_message(hs, msg)) {
1054 return ssl_hs_error;
1055 }
1056
1057 uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1058 uint32_t alg_a = hs->new_cipher->algorithm_auth;
1059 CBS server_key_exchange = msg.body;
1060 if (alg_a & SSL_aPSK) {
1061 CBS psk_identity_hint;
1062
1063 // Each of the PSK key exchanges begins with a psk_identity_hint.
1064 if (!CBS_get_u16_length_prefixed(&server_key_exchange,
1065 &psk_identity_hint)) {
1066 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1067 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1068 return ssl_hs_error;
1069 }
1070
1071 // Store the PSK identity hint for the ClientKeyExchange. Assume that the
1072 // maximum length of a PSK identity hint can be as long as the maximum
1073 // length of a PSK identity. Also do not allow NULL characters; identities
1074 // are saved as C strings.
1075 //
1076 // TODO(davidben): Should invalid hints be ignored? It's a hint rather than
1077 // a specific identity.
1078 if (CBS_len(&psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
1079 CBS_contains_zero_byte(&psk_identity_hint)) {
1080 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
1081 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1082 return ssl_hs_error;
1083 }
1084
1085 // Save non-empty identity hints as a C string. Empty identity hints we
1086 // treat as missing. Plain PSK makes it possible to send either no hint
1087 // (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
1088 // empty hint. Having different capabilities is odd, so we interpret empty
1089 // and missing as identical.
1090 char *raw = nullptr;
1091 if (CBS_len(&psk_identity_hint) != 0 &&
1092 !CBS_strdup(&psk_identity_hint, &raw)) {
1093 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1094 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1095 return ssl_hs_error;
1096 }
1097 hs->peer_psk_identity_hint.reset(raw);
1098 }
1099
1100 if (alg_k & SSL_kECDHE) {
1101 // Parse the server parameters.
1102 uint8_t group_type;
1103 uint16_t group_id;
1104 CBS point;
1105 if (!CBS_get_u8(&server_key_exchange, &group_type) ||
1106 group_type != NAMED_CURVE_TYPE ||
1107 !CBS_get_u16(&server_key_exchange, &group_id) ||
1108 !CBS_get_u8_length_prefixed(&server_key_exchange, &point)) {
1109 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1110 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1111 return ssl_hs_error;
1112 }
1113 hs->new_session->group_id = group_id;
1114
1115 // Ensure the group is consistent with preferences.
1116 if (!tls1_check_group_id(hs, group_id)) {
1117 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
1118 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1119 return ssl_hs_error;
1120 }
1121
1122 // Initialize ECDH and save the peer public key for later.
1123 hs->key_shares[0] = SSLKeyShare::Create(group_id);
1124 if (!hs->key_shares[0] ||
1125 !hs->peer_key.CopyFrom(point)) {
1126 return ssl_hs_error;
1127 }
1128 } else if (!(alg_k & SSL_kPSK)) {
1129 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
1130 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1131 return ssl_hs_error;
1132 }
1133
1134 // At this point, |server_key_exchange| contains the signature, if any, while
1135 // |msg.body| contains the entire message. From that, derive a CBS containing
1136 // just the parameter.
1137 CBS parameter;
1138 CBS_init(¶meter, CBS_data(&msg.body),
1139 CBS_len(&msg.body) - CBS_len(&server_key_exchange));
1140
1141 // ServerKeyExchange should be signed by the server's public key.
1142 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1143 uint16_t signature_algorithm = 0;
1144 if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1145 if (!CBS_get_u16(&server_key_exchange, &signature_algorithm)) {
1146 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1147 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1148 return ssl_hs_error;
1149 }
1150 uint8_t alert = SSL_AD_DECODE_ERROR;
1151 if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) {
1152 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1153 return ssl_hs_error;
1154 }
1155 hs->new_session->peer_signature_algorithm = signature_algorithm;
1156 } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
1157 hs->peer_pubkey.get())) {
1158 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
1159 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);
1160 return ssl_hs_error;
1161 }
1162
1163 // The last field in |server_key_exchange| is the signature.
1164 CBS signature;
1165 if (!CBS_get_u16_length_prefixed(&server_key_exchange, &signature) ||
1166 CBS_len(&server_key_exchange) != 0) {
1167 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1168 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1169 return ssl_hs_error;
1170 }
1171
1172 ScopedCBB transcript;
1173 Array<uint8_t> transcript_data;
1174 if (!CBB_init(transcript.get(),
1175 2 * SSL3_RANDOM_SIZE + CBS_len(¶meter)) ||
1176 !CBB_add_bytes(transcript.get(), ssl->s3->client_random,
1177 SSL3_RANDOM_SIZE) ||
1178 !CBB_add_bytes(transcript.get(), ssl->s3->server_random,
1179 SSL3_RANDOM_SIZE) ||
1180 !CBB_add_bytes(transcript.get(), CBS_data(¶meter),
1181 CBS_len(¶meter)) ||
1182 !CBBFinishArray(transcript.get(), &transcript_data)) {
1183 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1184 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1185 return ssl_hs_error;
1186 }
1187
1188 if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
1189 hs->peer_pubkey.get(), transcript_data)) {
1190 // bad signature
1191 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
1192 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1193 return ssl_hs_error;
1194 }
1195 } else {
1196 // PSK ciphers are the only supported certificate-less ciphers.
1197 assert(alg_a == SSL_aPSK);
1198
1199 if (CBS_len(&server_key_exchange) > 0) {
1200 OPENSSL_PUT_ERROR(SSL, SSL_R_EXTRA_DATA_IN_MESSAGE);
1201 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1202 return ssl_hs_error;
1203 }
1204 }
1205
1206 ssl->method->next_message(ssl);
1207 hs->state = state_read_certificate_request;
1208 return ssl_hs_ok;
1209 }
1210
do_read_certificate_request(SSL_HANDSHAKE * hs)1211 static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
1212 SSL *const ssl = hs->ssl;
1213
1214 if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1215 hs->state = state_read_server_hello_done;
1216 return ssl_hs_ok;
1217 }
1218
1219 SSLMessage msg;
1220 if (!ssl->method->get_message(ssl, &msg)) {
1221 return ssl_hs_read_message;
1222 }
1223
1224 if (msg.type == SSL3_MT_SERVER_HELLO_DONE) {
1225 // If we get here we don't need the handshake buffer as we won't be doing
1226 // client auth.
1227 hs->transcript.FreeBuffer();
1228 hs->state = state_read_server_hello_done;
1229 return ssl_hs_ok;
1230 }
1231
1232 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_REQUEST) ||
1233 !ssl_hash_message(hs, msg)) {
1234 return ssl_hs_error;
1235 }
1236
1237 // Get the certificate types.
1238 CBS body = msg.body, certificate_types;
1239 if (!CBS_get_u8_length_prefixed(&body, &certificate_types)) {
1240 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1241 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1242 return ssl_hs_error;
1243 }
1244
1245 if (!hs->certificate_types.CopyFrom(certificate_types)) {
1246 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1247 return ssl_hs_error;
1248 }
1249
1250 if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1251 CBS supported_signature_algorithms;
1252 if (!CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) ||
1253 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
1254 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1255 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1256 return ssl_hs_error;
1257 }
1258 }
1259
1260 uint8_t alert = SSL_AD_DECODE_ERROR;
1261 UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names =
1262 ssl_parse_client_CA_list(ssl, &alert, &body);
1263 if (!ca_names) {
1264 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1265 return ssl_hs_error;
1266 }
1267
1268 if (CBS_len(&body) != 0) {
1269 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1270 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1271 return ssl_hs_error;
1272 }
1273
1274 hs->cert_request = true;
1275 hs->ca_names = std::move(ca_names);
1276 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
1277
1278 ssl->method->next_message(ssl);
1279 hs->state = state_read_server_hello_done;
1280 return ssl_hs_ok;
1281 }
1282
do_read_server_hello_done(SSL_HANDSHAKE * hs)1283 static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) {
1284 SSL *const ssl = hs->ssl;
1285 SSLMessage msg;
1286 if (!ssl->method->get_message(ssl, &msg)) {
1287 return ssl_hs_read_message;
1288 }
1289
1290 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO_DONE) ||
1291 !ssl_hash_message(hs, msg)) {
1292 return ssl_hs_error;
1293 }
1294
1295 // ServerHelloDone is empty.
1296 if (CBS_len(&msg.body) != 0) {
1297 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1298 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1299 return ssl_hs_error;
1300 }
1301
1302 // ServerHelloDone should be the end of the flight.
1303 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
1304 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1305 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
1306 return ssl_hs_error;
1307 }
1308
1309 ssl->method->next_message(ssl);
1310 hs->state = state_send_client_certificate;
1311 return ssl_hs_ok;
1312 }
1313
do_send_client_certificate(SSL_HANDSHAKE * hs)1314 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
1315 SSL *const ssl = hs->ssl;
1316
1317 // The peer didn't request a certificate.
1318 if (!hs->cert_request) {
1319 hs->state = state_send_client_key_exchange;
1320 return ssl_hs_ok;
1321 }
1322
1323 if (ssl->s3->ech_status == ssl_ech_rejected) {
1324 // Do not send client certificates on ECH reject. We have not authenticated
1325 // the server for the name that can learn the certificate.
1326 SSL_certs_clear(ssl);
1327 } else if (hs->config->cert->cert_cb != nullptr) {
1328 // Call cert_cb to update the certificate.
1329 int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
1330 if (rv == 0) {
1331 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1332 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
1333 return ssl_hs_error;
1334 }
1335 if (rv < 0) {
1336 hs->state = state_send_client_certificate;
1337 return ssl_hs_x509_lookup;
1338 }
1339 }
1340
1341 if (!ssl_has_certificate(hs)) {
1342 // Without a client certificate, the handshake buffer may be released.
1343 hs->transcript.FreeBuffer();
1344 }
1345
1346 if (!ssl_on_certificate_selected(hs) ||
1347 !ssl_output_cert_chain(hs)) {
1348 return ssl_hs_error;
1349 }
1350
1351
1352 hs->state = state_send_client_key_exchange;
1353 return ssl_hs_ok;
1354 }
1355
1356 static_assert(sizeof(size_t) >= sizeof(unsigned),
1357 "size_t is smaller than unsigned");
1358
do_send_client_key_exchange(SSL_HANDSHAKE * hs)1359 static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
1360 SSL *const ssl = hs->ssl;
1361 ScopedCBB cbb;
1362 CBB body;
1363 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1364 SSL3_MT_CLIENT_KEY_EXCHANGE)) {
1365 return ssl_hs_error;
1366 }
1367
1368 Array<uint8_t> pms;
1369 uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1370 uint32_t alg_a = hs->new_cipher->algorithm_auth;
1371 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1372 const CRYPTO_BUFFER *leaf =
1373 sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
1374 CBS leaf_cbs;
1375 CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
1376
1377 // Check the key usage matches the cipher suite. We do this unconditionally
1378 // for non-RSA certificates. In particular, it's needed to distinguish ECDH
1379 // certificates, which we do not support, from ECDSA certificates.
1380 // Historically, we have not checked RSA key usages, so it is controlled by
1381 // a flag for now. See https://crbug.com/795089.
1382 ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
1383 ? key_usage_encipherment
1384 : key_usage_digital_signature;
1385 if (hs->config->enforce_rsa_key_usage ||
1386 EVP_PKEY_id(hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
1387 if (!ssl_cert_check_key_usage(&leaf_cbs, intended_use)) {
1388 return ssl_hs_error;
1389 }
1390 }
1391 }
1392
1393 // If using a PSK key exchange, prepare the pre-shared key.
1394 unsigned psk_len = 0;
1395 uint8_t psk[PSK_MAX_PSK_LEN];
1396 if (alg_a & SSL_aPSK) {
1397 if (hs->config->psk_client_callback == NULL) {
1398 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_NO_CLIENT_CB);
1399 return ssl_hs_error;
1400 }
1401
1402 char identity[PSK_MAX_IDENTITY_LEN + 1];
1403 OPENSSL_memset(identity, 0, sizeof(identity));
1404 psk_len = hs->config->psk_client_callback(
1405 ssl, hs->peer_psk_identity_hint.get(), identity, sizeof(identity), psk,
1406 sizeof(psk));
1407 if (psk_len == 0) {
1408 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1409 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1410 return ssl_hs_error;
1411 }
1412 assert(psk_len <= PSK_MAX_PSK_LEN);
1413
1414 hs->new_session->psk_identity.reset(OPENSSL_strdup(identity));
1415 if (hs->new_session->psk_identity == nullptr) {
1416 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1417 return ssl_hs_error;
1418 }
1419
1420 // Write out psk_identity.
1421 CBB child;
1422 if (!CBB_add_u16_length_prefixed(&body, &child) ||
1423 !CBB_add_bytes(&child, (const uint8_t *)identity,
1424 OPENSSL_strnlen(identity, sizeof(identity))) ||
1425 !CBB_flush(&body)) {
1426 return ssl_hs_error;
1427 }
1428 }
1429
1430 // Depending on the key exchange method, compute |pms|.
1431 if (alg_k & SSL_kRSA) {
1432 if (!pms.Init(SSL_MAX_MASTER_KEY_LENGTH)) {
1433 return ssl_hs_error;
1434 }
1435
1436 RSA *rsa = EVP_PKEY_get0_RSA(hs->peer_pubkey.get());
1437 if (rsa == NULL) {
1438 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1439 return ssl_hs_error;
1440 }
1441
1442 pms[0] = hs->client_version >> 8;
1443 pms[1] = hs->client_version & 0xff;
1444 if (!RAND_bytes(&pms[2], SSL_MAX_MASTER_KEY_LENGTH - 2)) {
1445 return ssl_hs_error;
1446 }
1447
1448 CBB enc_pms;
1449 uint8_t *ptr;
1450 size_t enc_pms_len;
1451 if (!CBB_add_u16_length_prefixed(&body, &enc_pms) ||
1452 !CBB_reserve(&enc_pms, &ptr, RSA_size(rsa)) ||
1453 !RSA_encrypt(rsa, &enc_pms_len, ptr, RSA_size(rsa), pms.data(),
1454 pms.size(), RSA_PKCS1_PADDING) ||
1455 !CBB_did_write(&enc_pms, enc_pms_len) ||
1456 !CBB_flush(&body)) {
1457 return ssl_hs_error;
1458 }
1459 } else if (alg_k & SSL_kECDHE) {
1460 // Generate a keypair and serialize the public half.
1461 CBB child;
1462 if (!CBB_add_u8_length_prefixed(&body, &child)) {
1463 return ssl_hs_error;
1464 }
1465
1466 // Compute the premaster.
1467 uint8_t alert = SSL_AD_DECODE_ERROR;
1468 if (!hs->key_shares[0]->Accept(&child, &pms, &alert, hs->peer_key)) {
1469 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1470 return ssl_hs_error;
1471 }
1472 if (!CBB_flush(&body)) {
1473 return ssl_hs_error;
1474 }
1475
1476 // The key exchange state may now be discarded.
1477 hs->key_shares[0].reset();
1478 hs->key_shares[1].reset();
1479 hs->peer_key.Reset();
1480 } else if (alg_k & SSL_kPSK) {
1481 // For plain PSK, other_secret is a block of 0s with the same length as
1482 // the pre-shared key.
1483 if (!pms.Init(psk_len)) {
1484 return ssl_hs_error;
1485 }
1486 OPENSSL_memset(pms.data(), 0, pms.size());
1487 } else {
1488 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1489 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1490 return ssl_hs_error;
1491 }
1492
1493 // For a PSK cipher suite, other_secret is combined with the pre-shared
1494 // key.
1495 if (alg_a & SSL_aPSK) {
1496 ScopedCBB pms_cbb;
1497 CBB child;
1498 if (!CBB_init(pms_cbb.get(), 2 + psk_len + 2 + pms.size()) ||
1499 !CBB_add_u16_length_prefixed(pms_cbb.get(), &child) ||
1500 !CBB_add_bytes(&child, pms.data(), pms.size()) ||
1501 !CBB_add_u16_length_prefixed(pms_cbb.get(), &child) ||
1502 !CBB_add_bytes(&child, psk, psk_len) ||
1503 !CBBFinishArray(pms_cbb.get(), &pms)) {
1504 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1505 return ssl_hs_error;
1506 }
1507 }
1508
1509 // The message must be added to the finished hash before calculating the
1510 // master secret.
1511 if (!ssl_add_message_cbb(ssl, cbb.get())) {
1512 return ssl_hs_error;
1513 }
1514
1515 hs->new_session->secret_length =
1516 tls1_generate_master_secret(hs, hs->new_session->secret, pms);
1517 if (hs->new_session->secret_length == 0) {
1518 return ssl_hs_error;
1519 }
1520 hs->new_session->extended_master_secret = hs->extended_master_secret;
1521
1522 hs->state = state_send_client_certificate_verify;
1523 return ssl_hs_ok;
1524 }
1525
do_send_client_certificate_verify(SSL_HANDSHAKE * hs)1526 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
1527 SSL *const ssl = hs->ssl;
1528
1529 if (!hs->cert_request || !ssl_has_certificate(hs)) {
1530 hs->state = state_send_client_finished;
1531 return ssl_hs_ok;
1532 }
1533
1534 assert(ssl_has_private_key(hs));
1535 ScopedCBB cbb;
1536 CBB body, child;
1537 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1538 SSL3_MT_CERTIFICATE_VERIFY)) {
1539 return ssl_hs_error;
1540 }
1541
1542 uint16_t signature_algorithm;
1543 if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
1544 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1545 return ssl_hs_error;
1546 }
1547 if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1548 // Write out the digest type in TLS 1.2.
1549 if (!CBB_add_u16(&body, signature_algorithm)) {
1550 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1551 return ssl_hs_error;
1552 }
1553 }
1554
1555 // Set aside space for the signature.
1556 const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
1557 uint8_t *ptr;
1558 if (!CBB_add_u16_length_prefixed(&body, &child) ||
1559 !CBB_reserve(&child, &ptr, max_sig_len)) {
1560 return ssl_hs_error;
1561 }
1562
1563 size_t sig_len = max_sig_len;
1564 switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len,
1565 signature_algorithm,
1566 hs->transcript.buffer())) {
1567 case ssl_private_key_success:
1568 break;
1569 case ssl_private_key_failure:
1570 return ssl_hs_error;
1571 case ssl_private_key_retry:
1572 hs->state = state_send_client_certificate_verify;
1573 return ssl_hs_private_key_operation;
1574 }
1575
1576 if (!CBB_did_write(&child, sig_len) ||
1577 !ssl_add_message_cbb(ssl, cbb.get())) {
1578 return ssl_hs_error;
1579 }
1580
1581 // The handshake buffer is no longer necessary.
1582 hs->transcript.FreeBuffer();
1583
1584 hs->state = state_send_client_finished;
1585 return ssl_hs_ok;
1586 }
1587
do_send_client_finished(SSL_HANDSHAKE * hs)1588 static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {
1589 SSL *const ssl = hs->ssl;
1590 hs->can_release_private_key = true;
1591 if (!ssl->method->add_change_cipher_spec(ssl) ||
1592 !tls1_change_cipher_state(hs, evp_aead_seal)) {
1593 return ssl_hs_error;
1594 }
1595
1596 if (hs->next_proto_neg_seen) {
1597 static const uint8_t kZero[32] = {0};
1598 size_t padding_len =
1599 32 - ((ssl->s3->next_proto_negotiated.size() + 2) % 32);
1600
1601 ScopedCBB cbb;
1602 CBB body, child;
1603 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_NEXT_PROTO) ||
1604 !CBB_add_u8_length_prefixed(&body, &child) ||
1605 !CBB_add_bytes(&child, ssl->s3->next_proto_negotiated.data(),
1606 ssl->s3->next_proto_negotiated.size()) ||
1607 !CBB_add_u8_length_prefixed(&body, &child) ||
1608 !CBB_add_bytes(&child, kZero, padding_len) ||
1609 !ssl_add_message_cbb(ssl, cbb.get())) {
1610 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1611 return ssl_hs_error;
1612 }
1613 }
1614
1615 if (hs->channel_id_negotiated) {
1616 ScopedCBB cbb;
1617 CBB body;
1618 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
1619 !tls1_write_channel_id(hs, &body) ||
1620 !ssl_add_message_cbb(ssl, cbb.get())) {
1621 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1622 return ssl_hs_error;
1623 }
1624 }
1625
1626 if (!ssl_send_finished(hs)) {
1627 return ssl_hs_error;
1628 }
1629
1630 hs->state = state_finish_flight;
1631 return ssl_hs_flush;
1632 }
1633
can_false_start(const SSL_HANDSHAKE * hs)1634 static bool can_false_start(const SSL_HANDSHAKE *hs) {
1635 const SSL *const ssl = hs->ssl;
1636
1637 // False Start bypasses the Finished check's downgrade protection. This can
1638 // enable attacks where we send data under weaker settings than supported
1639 // (e.g. the Logjam attack). Thus we require TLS 1.2 with an ECDHE+AEAD
1640 // cipher, our strongest settings before TLS 1.3.
1641 //
1642 // Now that TLS 1.3 exists, we would like to avoid similar attacks between
1643 // TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to
1644 // sacrifice False Start on them. Instead, we rely on the ServerHello.random
1645 // downgrade signal, which we unconditionally enforce.
1646 if (SSL_is_dtls(ssl) ||
1647 SSL_version(ssl) != TLS1_2_VERSION ||
1648 hs->new_cipher->algorithm_mkey != SSL_kECDHE ||
1649 hs->new_cipher->algorithm_mac != SSL_AEAD) {
1650 return false;
1651 }
1652
1653 // If ECH was rejected, disable False Start. We run the handshake to
1654 // completion, including the Finished downgrade check, to authenticate the
1655 // recovery flow.
1656 if (ssl->s3->ech_status == ssl_ech_rejected) {
1657 return false;
1658 }
1659
1660 // Additionally require ALPN or NPN by default.
1661 //
1662 // TODO(davidben): Can this constraint be relaxed globally now that cipher
1663 // suite requirements have been tightened?
1664 if (!ssl->ctx->false_start_allowed_without_alpn &&
1665 ssl->s3->alpn_selected.empty() &&
1666 ssl->s3->next_proto_negotiated.empty()) {
1667 return false;
1668 }
1669
1670 return true;
1671 }
1672
do_finish_flight(SSL_HANDSHAKE * hs)1673 static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) {
1674 SSL *const ssl = hs->ssl;
1675 if (ssl->session != NULL) {
1676 hs->state = state_finish_client_handshake;
1677 return ssl_hs_ok;
1678 }
1679
1680 // This is a full handshake. If it involves ChannelID, then record the
1681 // handshake hashes at this point in the session so that any resumption of
1682 // this session with ChannelID can sign those hashes.
1683 if (!tls1_record_handshake_hashes_for_channel_id(hs)) {
1684 return ssl_hs_error;
1685 }
1686
1687 hs->state = state_read_session_ticket;
1688
1689 if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) &&
1690 can_false_start(hs) &&
1691 // No False Start on renegotiation (would complicate the state machine).
1692 !ssl->s3->initial_handshake_complete) {
1693 hs->in_false_start = true;
1694 hs->can_early_write = true;
1695 return ssl_hs_early_return;
1696 }
1697
1698 return ssl_hs_ok;
1699 }
1700
do_read_session_ticket(SSL_HANDSHAKE * hs)1701 static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
1702 SSL *const ssl = hs->ssl;
1703
1704 if (!hs->ticket_expected) {
1705 hs->state = state_process_change_cipher_spec;
1706 return ssl_hs_read_change_cipher_spec;
1707 }
1708
1709 SSLMessage msg;
1710 if (!ssl->method->get_message(ssl, &msg)) {
1711 return ssl_hs_read_message;
1712 }
1713
1714 if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEW_SESSION_TICKET) ||
1715 !ssl_hash_message(hs, msg)) {
1716 return ssl_hs_error;
1717 }
1718
1719 CBS new_session_ticket = msg.body, ticket;
1720 uint32_t ticket_lifetime_hint;
1721 if (!CBS_get_u32(&new_session_ticket, &ticket_lifetime_hint) ||
1722 !CBS_get_u16_length_prefixed(&new_session_ticket, &ticket) ||
1723 CBS_len(&new_session_ticket) != 0) {
1724 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1725 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1726 return ssl_hs_error;
1727 }
1728
1729 if (CBS_len(&ticket) == 0) {
1730 // RFC 5077 allows a server to change its mind and send no ticket after
1731 // negotiating the extension. The value of |ticket_expected| is checked in
1732 // |ssl_update_cache| so is cleared here to avoid an unnecessary update.
1733 hs->ticket_expected = false;
1734 ssl->method->next_message(ssl);
1735 hs->state = state_process_change_cipher_spec;
1736 return ssl_hs_read_change_cipher_spec;
1737 }
1738
1739 if (ssl->session != nullptr) {
1740 // The server is sending a new ticket for an existing session. Sessions are
1741 // immutable once established, so duplicate all but the ticket of the
1742 // existing session.
1743 assert(!hs->new_session);
1744 hs->new_session =
1745 SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);
1746 if (!hs->new_session) {
1747 return ssl_hs_error;
1748 }
1749 }
1750
1751 // |ticket_lifetime_hint| is measured from when the ticket was issued.
1752 ssl_session_rebase_time(ssl, hs->new_session.get());
1753
1754 if (!hs->new_session->ticket.CopyFrom(ticket)) {
1755 return ssl_hs_error;
1756 }
1757 hs->new_session->ticket_lifetime_hint = ticket_lifetime_hint;
1758
1759 // Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
1760 // TODO(davidben): Are external callers relying on this? Try removing this.
1761 SHA256(CBS_data(&ticket), CBS_len(&ticket), hs->new_session->session_id);
1762 hs->new_session->session_id_length = SHA256_DIGEST_LENGTH;
1763
1764 ssl->method->next_message(ssl);
1765 hs->state = state_process_change_cipher_spec;
1766 return ssl_hs_read_change_cipher_spec;
1767 }
1768
do_process_change_cipher_spec(SSL_HANDSHAKE * hs)1769 static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
1770 if (!tls1_change_cipher_state(hs, evp_aead_open)) {
1771 return ssl_hs_error;
1772 }
1773
1774 hs->state = state_read_server_finished;
1775 return ssl_hs_ok;
1776 }
1777
do_read_server_finished(SSL_HANDSHAKE * hs)1778 static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
1779 SSL *const ssl = hs->ssl;
1780 enum ssl_hs_wait_t wait = ssl_get_finished(hs);
1781 if (wait != ssl_hs_ok) {
1782 return wait;
1783 }
1784
1785 if (ssl->session != NULL) {
1786 hs->state = state_send_client_finished;
1787 return ssl_hs_ok;
1788 }
1789
1790 hs->state = state_finish_client_handshake;
1791 return ssl_hs_ok;
1792 }
1793
do_finish_client_handshake(SSL_HANDSHAKE * hs)1794 static enum ssl_hs_wait_t do_finish_client_handshake(SSL_HANDSHAKE *hs) {
1795 SSL *const ssl = hs->ssl;
1796 if (ssl->s3->ech_status == ssl_ech_rejected) {
1797 // Release the retry configs.
1798 hs->ech_authenticated_reject = true;
1799 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ECH_REQUIRED);
1800 OPENSSL_PUT_ERROR(SSL, SSL_R_ECH_REJECTED);
1801 return ssl_hs_error;
1802 }
1803
1804 ssl->method->on_handshake_complete(ssl);
1805
1806 // Note TLS 1.2 resumptions with ticket renewal have both |ssl->session| (the
1807 // resumed session) and |hs->new_session| (the session with the new ticket).
1808 bool has_new_session = hs->new_session != nullptr;
1809 if (has_new_session) {
1810 // When False Start is enabled, the handshake reports completion early. The
1811 // caller may then have passed the (then unresuable) |hs->new_session| to
1812 // another thread via |SSL_get0_session| for resumption. To avoid potential
1813 // race conditions in such callers, we duplicate the session before
1814 // clearing |not_resumable|.
1815 ssl->s3->established_session =
1816 SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_DUP_ALL);
1817 if (!ssl->s3->established_session) {
1818 return ssl_hs_error;
1819 }
1820 // Renegotiations do not participate in session resumption.
1821 if (!ssl->s3->initial_handshake_complete) {
1822 ssl->s3->established_session->not_resumable = false;
1823 }
1824
1825 hs->new_session.reset();
1826 } else {
1827 assert(ssl->session != nullptr);
1828 ssl->s3->established_session = UpRef(ssl->session);
1829 }
1830
1831 hs->handshake_finalized = true;
1832 ssl->s3->initial_handshake_complete = true;
1833 if (has_new_session) {
1834 ssl_update_cache(ssl);
1835 }
1836
1837 hs->state = state_done;
1838 return ssl_hs_ok;
1839 }
1840
ssl_client_handshake(SSL_HANDSHAKE * hs)1841 enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs) {
1842 while (hs->state != state_done) {
1843 enum ssl_hs_wait_t ret = ssl_hs_error;
1844 enum ssl_client_hs_state_t state =
1845 static_cast<enum ssl_client_hs_state_t>(hs->state);
1846 switch (state) {
1847 case state_start_connect:
1848 ret = do_start_connect(hs);
1849 break;
1850 case state_enter_early_data:
1851 ret = do_enter_early_data(hs);
1852 break;
1853 case state_early_reverify_server_certificate:
1854 ret = do_early_reverify_server_certificate(hs);
1855 break;
1856 case state_read_hello_verify_request:
1857 ret = do_read_hello_verify_request(hs);
1858 break;
1859 case state_read_server_hello:
1860 ret = do_read_server_hello(hs);
1861 break;
1862 case state_tls13:
1863 ret = do_tls13(hs);
1864 break;
1865 case state_read_server_certificate:
1866 ret = do_read_server_certificate(hs);
1867 break;
1868 case state_read_certificate_status:
1869 ret = do_read_certificate_status(hs);
1870 break;
1871 case state_verify_server_certificate:
1872 ret = do_verify_server_certificate(hs);
1873 break;
1874 case state_reverify_server_certificate:
1875 ret = do_reverify_server_certificate(hs);
1876 break;
1877 case state_read_server_key_exchange:
1878 ret = do_read_server_key_exchange(hs);
1879 break;
1880 case state_read_certificate_request:
1881 ret = do_read_certificate_request(hs);
1882 break;
1883 case state_read_server_hello_done:
1884 ret = do_read_server_hello_done(hs);
1885 break;
1886 case state_send_client_certificate:
1887 ret = do_send_client_certificate(hs);
1888 break;
1889 case state_send_client_key_exchange:
1890 ret = do_send_client_key_exchange(hs);
1891 break;
1892 case state_send_client_certificate_verify:
1893 ret = do_send_client_certificate_verify(hs);
1894 break;
1895 case state_send_client_finished:
1896 ret = do_send_client_finished(hs);
1897 break;
1898 case state_finish_flight:
1899 ret = do_finish_flight(hs);
1900 break;
1901 case state_read_session_ticket:
1902 ret = do_read_session_ticket(hs);
1903 break;
1904 case state_process_change_cipher_spec:
1905 ret = do_process_change_cipher_spec(hs);
1906 break;
1907 case state_read_server_finished:
1908 ret = do_read_server_finished(hs);
1909 break;
1910 case state_finish_client_handshake:
1911 ret = do_finish_client_handshake(hs);
1912 break;
1913 case state_done:
1914 ret = ssl_hs_ok;
1915 break;
1916 }
1917
1918 if (hs->state != state) {
1919 ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
1920 }
1921
1922 if (ret != ssl_hs_ok) {
1923 return ret;
1924 }
1925 }
1926
1927 ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);
1928 return ssl_hs_ok;
1929 }
1930
ssl_client_handshake_state(SSL_HANDSHAKE * hs)1931 const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs) {
1932 enum ssl_client_hs_state_t state =
1933 static_cast<enum ssl_client_hs_state_t>(hs->state);
1934 switch (state) {
1935 case state_start_connect:
1936 return "TLS client start_connect";
1937 case state_enter_early_data:
1938 return "TLS client enter_early_data";
1939 case state_early_reverify_server_certificate:
1940 return "TLS client early_reverify_server_certificate";
1941 case state_read_hello_verify_request:
1942 return "TLS client read_hello_verify_request";
1943 case state_read_server_hello:
1944 return "TLS client read_server_hello";
1945 case state_tls13:
1946 return tls13_client_handshake_state(hs);
1947 case state_read_server_certificate:
1948 return "TLS client read_server_certificate";
1949 case state_read_certificate_status:
1950 return "TLS client read_certificate_status";
1951 case state_verify_server_certificate:
1952 return "TLS client verify_server_certificate";
1953 case state_reverify_server_certificate:
1954 return "TLS client reverify_server_certificate";
1955 case state_read_server_key_exchange:
1956 return "TLS client read_server_key_exchange";
1957 case state_read_certificate_request:
1958 return "TLS client read_certificate_request";
1959 case state_read_server_hello_done:
1960 return "TLS client read_server_hello_done";
1961 case state_send_client_certificate:
1962 return "TLS client send_client_certificate";
1963 case state_send_client_key_exchange:
1964 return "TLS client send_client_key_exchange";
1965 case state_send_client_certificate_verify:
1966 return "TLS client send_client_certificate_verify";
1967 case state_send_client_finished:
1968 return "TLS client send_client_finished";
1969 case state_finish_flight:
1970 return "TLS client finish_flight";
1971 case state_read_session_ticket:
1972 return "TLS client read_session_ticket";
1973 case state_process_change_cipher_spec:
1974 return "TLS client process_change_cipher_spec";
1975 case state_read_server_finished:
1976 return "TLS client read_server_finished";
1977 case state_finish_client_handshake:
1978 return "TLS client finish_client_handshake";
1979 case state_done:
1980 return "TLS client done";
1981 }
1982
1983 return "TLS client unknown";
1984 }
1985
1986 BSSL_NAMESPACE_END
1987