1 /* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <limits.h>
19 #include <string.h>
20
21 #include <utility>
22
23 #include <openssl/bytestring.h>
24 #include <openssl/digest.h>
25 #include <openssl/err.h>
26 #include <openssl/mem.h>
27 #include <openssl/sha.h>
28 #include <openssl/stack.h>
29
30 #include "../crypto/internal.h"
31 #include "internal.h"
32
33
34 BSSL_NAMESPACE_BEGIN
35
36 enum client_hs_state_t {
37 state_read_hello_retry_request = 0,
38 state_send_second_client_hello,
39 state_read_server_hello,
40 state_read_encrypted_extensions,
41 state_read_certificate_request,
42 state_read_server_certificate,
43 state_read_server_certificate_verify,
44 state_server_certificate_reverify,
45 state_read_server_finished,
46 state_send_end_of_early_data,
47 state_send_client_encrypted_extensions,
48 state_send_client_certificate,
49 state_send_client_certificate_verify,
50 state_complete_second_flight,
51 state_done,
52 };
53
54 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
55
56 // end_of_early_data closes the early data stream for |hs| and switches the
57 // encryption level to |level|. It returns true on success and false on error.
close_early_data(SSL_HANDSHAKE * hs,ssl_encryption_level_t level)58 static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {
59 SSL *const ssl = hs->ssl;
60 assert(hs->in_early_data);
61
62 // Note |can_early_write| may already be false if |SSL_write| exceeded the
63 // early data write limit.
64 hs->can_early_write = false;
65
66 // 0-RTT write states on the client differ between TLS 1.3, DTLS 1.3, and
67 // QUIC. TLS 1.3 has one write encryption level at a time. 0-RTT write keys
68 // overwrite the null cipher and defer handshake write keys. While a
69 // HelloRetryRequest can cause us to rewind back to the null cipher, sequence
70 // numbers have no effect, so we can install a "new" null cipher.
71 //
72 // In QUIC and DTLS 1.3, 0-RTT write state cannot override or defer the normal
73 // write state. The two ClientHello sequence numbers must align, and handshake
74 // write keys must be installed early to ACK the EncryptedExtensions.
75 //
76 // We do not currently implement DTLS 1.3 and, in QUIC, the caller handles
77 // 0-RTT data, so we can skip installing 0-RTT keys and act as if there is one
78 // write level. If we implement DTLS 1.3, we'll need to model this better.
79 if (ssl->quic_method == nullptr) {
80 if (level == ssl_encryption_initial) {
81 bssl::UniquePtr<SSLAEADContext> null_ctx =
82 SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
83 if (!null_ctx ||
84 !ssl->method->set_write_state(ssl, ssl_encryption_initial,
85 std::move(null_ctx),
86 /*secret_for_quic=*/{})) {
87 return false;
88 }
89 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
90 } else {
91 assert(level == ssl_encryption_handshake);
92 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
93 hs->new_session.get(),
94 hs->client_handshake_secret())) {
95 return false;
96 }
97 }
98 }
99
100 assert(ssl->s3->write_level == level);
101 return true;
102 }
103
parse_server_hello_tls13(const SSL_HANDSHAKE * hs,ParsedServerHello * out,uint8_t * out_alert,const SSLMessage & msg)104 static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs,
105 ParsedServerHello *out, uint8_t *out_alert,
106 const SSLMessage &msg) {
107 if (!ssl_parse_server_hello(out, out_alert, msg)) {
108 return false;
109 }
110 // The RFC8446 version of the structure fixes some legacy values.
111 // Additionally, the session ID must echo the original one.
112 if (out->legacy_version != TLS1_2_VERSION ||
113 out->compression_method != 0 ||
114 !CBS_mem_equal(&out->session_id, hs->session_id, hs->session_id_len) ||
115 CBS_len(&out->extensions) == 0) {
116 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
117 *out_alert = SSL_AD_DECODE_ERROR;
118 return false;
119 }
120 return true;
121 }
122
is_hello_retry_request(const ParsedServerHello & server_hello)123 static bool is_hello_retry_request(const ParsedServerHello &server_hello) {
124 return Span<const uint8_t>(server_hello.random) == kHelloRetryRequest;
125 }
126
check_ech_confirmation(const SSL_HANDSHAKE * hs,bool * out_accepted,uint8_t * out_alert,const ParsedServerHello & server_hello)127 static bool check_ech_confirmation(const SSL_HANDSHAKE *hs, bool *out_accepted,
128 uint8_t *out_alert,
129 const ParsedServerHello &server_hello) {
130 const bool is_hrr = is_hello_retry_request(server_hello);
131 size_t offset;
132 if (is_hrr) {
133 // We check for an unsolicited extension when parsing all of them.
134 SSLExtension ech(TLSEXT_TYPE_encrypted_client_hello);
135 if (!ssl_parse_extensions(&server_hello.extensions, out_alert, {&ech},
136 /*ignore_unknown=*/true)) {
137 return false;
138 }
139 if (!ech.present) {
140 *out_accepted = false;
141 return true;
142 }
143 if (CBS_len(&ech.data) != ECH_CONFIRMATION_SIGNAL_LEN) {
144 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
145 *out_alert = SSL_AD_DECODE_ERROR;
146 return false;
147 }
148 offset = CBS_data(&ech.data) - CBS_data(&server_hello.raw);
149 } else {
150 offset = ssl_ech_confirmation_signal_hello_offset(hs->ssl);
151 }
152
153 if (!hs->selected_ech_config) {
154 *out_accepted = false;
155 return true;
156 }
157
158 uint8_t expected[ECH_CONFIRMATION_SIGNAL_LEN];
159 if (!ssl_ech_accept_confirmation(hs, expected, hs->inner_client_random,
160 hs->inner_transcript, is_hrr,
161 server_hello.raw, offset)) {
162 *out_alert = SSL_AD_INTERNAL_ERROR;
163 return false;
164 }
165
166 *out_accepted = CRYPTO_memcmp(CBS_data(&server_hello.raw) + offset, expected,
167 sizeof(expected)) == 0;
168 return true;
169 }
170
do_read_hello_retry_request(SSL_HANDSHAKE * hs)171 static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
172 SSL *const ssl = hs->ssl;
173 assert(ssl->s3->have_version);
174 SSLMessage msg;
175 if (!ssl->method->get_message(ssl, &msg)) {
176 return ssl_hs_read_message;
177 }
178
179 // Queue up a ChangeCipherSpec for whenever we next send something. This
180 // will be before the second ClientHello. If we offered early data, this was
181 // already done.
182 if (!hs->early_data_offered &&
183 !ssl->method->add_change_cipher_spec(ssl)) {
184 return ssl_hs_error;
185 }
186
187 ParsedServerHello server_hello;
188 uint8_t alert = SSL_AD_DECODE_ERROR;
189 if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
190 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
191 return ssl_hs_error;
192 }
193
194 // The cipher suite must be one we offered. We currently offer all supported
195 // TLS 1.3 ciphers unless policy controls limited it. So we check the version
196 // and that it's ok per policy.
197 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
198 if (cipher == nullptr ||
199 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
200 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
201 !ssl_tls13_cipher_meets_policy(
202 SSL_CIPHER_get_value(cipher),
203 ssl->config->only_fips_cipher_suites_in_tls13)) {
204 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
205 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
206 return ssl_hs_error;
207 }
208
209 hs->new_cipher = cipher;
210
211 const bool is_hrr = is_hello_retry_request(server_hello);
212 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
213 (is_hrr && !hs->transcript.UpdateForHelloRetryRequest())) {
214 return ssl_hs_error;
215 }
216 if (hs->selected_ech_config) {
217 if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
218 hs->new_cipher) ||
219 (is_hrr && !hs->inner_transcript.UpdateForHelloRetryRequest())) {
220 return ssl_hs_error;
221 }
222 }
223
224 // Determine which ClientHello the server is responding to. Run
225 // |check_ech_confirmation| unconditionally, so we validate the extension
226 // contents.
227 bool ech_accepted;
228 if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
229 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
230 return ssl_hs_error;
231 }
232 if (hs->selected_ech_config) {
233 ssl->s3->ech_status = ech_accepted ? ssl_ech_accepted : ssl_ech_rejected;
234 }
235
236 if (!is_hrr) {
237 hs->tls13_state = state_read_server_hello;
238 return ssl_hs_ok;
239 }
240
241 // The ECH extension, if present, was already parsed by
242 // |check_ech_confirmation|.
243 SSLExtension cookie(TLSEXT_TYPE_cookie), key_share(TLSEXT_TYPE_key_share),
244 supported_versions(TLSEXT_TYPE_supported_versions),
245 ech_unused(TLSEXT_TYPE_encrypted_client_hello,
246 hs->selected_ech_config || hs->config->ech_grease_enabled);
247 if (!ssl_parse_extensions(
248 &server_hello.extensions, &alert,
249 {&cookie, &key_share, &supported_versions, &ech_unused},
250 /*ignore_unknown=*/false)) {
251 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
252 return ssl_hs_error;
253 }
254
255 if (!cookie.present && !key_share.present) {
256 OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);
257 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
258 return ssl_hs_error;
259 }
260 if (cookie.present) {
261 CBS cookie_value;
262 if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) ||
263 CBS_len(&cookie_value) == 0 ||
264 CBS_len(&cookie.data) != 0) {
265 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
266 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
267 return ssl_hs_error;
268 }
269
270 if (!hs->cookie.CopyFrom(cookie_value)) {
271 return ssl_hs_error;
272 }
273 }
274
275 if (key_share.present) {
276 uint16_t group_id;
277 if (!CBS_get_u16(&key_share.data, &group_id) ||
278 CBS_len(&key_share.data) != 0) {
279 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
280 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
281 return ssl_hs_error;
282 }
283
284 // The group must be supported.
285 if (!tls1_check_group_id(hs, group_id)) {
286 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
287 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
288 return ssl_hs_error;
289 }
290
291 // Check that the HelloRetryRequest does not request a key share that was
292 // provided in the initial ClientHello.
293 if (hs->key_shares[0]->GroupID() == group_id ||
294 (hs->key_shares[1] && hs->key_shares[1]->GroupID() == group_id)) {
295 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
296 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
297 return ssl_hs_error;
298 }
299
300 if (!ssl_setup_key_shares(hs, group_id)) {
301 return ssl_hs_error;
302 }
303 }
304
305 // Although we now know whether ClientHelloInner was used, we currently
306 // maintain both transcripts up to ServerHello. We could swap transcripts
307 // early, but then ClientHello construction and |check_ech_confirmation|
308 // become more complex.
309 if (!ssl_hash_message(hs, msg)) {
310 return ssl_hs_error;
311 }
312 if (ssl->s3->ech_status == ssl_ech_accepted &&
313 !hs->inner_transcript.Update(msg.raw)) {
314 return ssl_hs_error;
315 }
316
317 // HelloRetryRequest should be the end of the flight.
318 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
319 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
320 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
321 return ssl_hs_error;
322 }
323
324 ssl->method->next_message(ssl);
325 ssl->s3->used_hello_retry_request = true;
326 hs->tls13_state = state_send_second_client_hello;
327 // 0-RTT is rejected if we receive a HelloRetryRequest.
328 if (hs->in_early_data) {
329 ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
330 if (!close_early_data(hs, ssl_encryption_initial)) {
331 return ssl_hs_error;
332 }
333 return ssl_hs_early_data_rejected;
334 }
335 return ssl_hs_ok;
336 }
337
do_send_second_client_hello(SSL_HANDSHAKE * hs)338 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
339 // Any 0-RTT keys must have been discarded.
340 assert(hs->ssl->s3->write_level == ssl_encryption_initial);
341
342 // Build the second ClientHelloInner, if applicable. The second ClientHello
343 // uses an empty string for |enc|.
344 if (hs->ssl->s3->ech_status == ssl_ech_accepted &&
345 !ssl_encrypt_client_hello(hs, {})) {
346 return ssl_hs_error;
347 }
348
349 if (!ssl_add_client_hello(hs)) {
350 return ssl_hs_error;
351 }
352
353 ssl_done_writing_client_hello(hs);
354 hs->tls13_state = state_read_server_hello;
355 return ssl_hs_flush;
356 }
357
do_read_server_hello(SSL_HANDSHAKE * hs)358 static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
359 SSL *const ssl = hs->ssl;
360 SSLMessage msg;
361 if (!ssl->method->get_message(ssl, &msg)) {
362 return ssl_hs_read_message;
363 }
364 ParsedServerHello server_hello;
365 uint8_t alert = SSL_AD_DECODE_ERROR;
366 if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
367 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
368 return ssl_hs_error;
369 }
370
371 // Forbid a second HelloRetryRequest.
372 if (is_hello_retry_request(server_hello)) {
373 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
374 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
375 return ssl_hs_error;
376 }
377
378 // Check the cipher suite, in case this is after HelloRetryRequest.
379 if (SSL_CIPHER_get_protocol_id(hs->new_cipher) != server_hello.cipher_suite) {
380 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
381 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
382 return ssl_hs_error;
383 }
384
385 if (ssl->s3->ech_status == ssl_ech_accepted) {
386 if (ssl->s3->used_hello_retry_request) {
387 // HelloRetryRequest and ServerHello must accept ECH consistently.
388 bool ech_accepted;
389 if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
390 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
391 return ssl_hs_error;
392 }
393 if (!ech_accepted) {
394 OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_ECH_NEGOTIATION);
395 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
396 return ssl_hs_error;
397 }
398 }
399
400 hs->transcript = std::move(hs->inner_transcript);
401 hs->extensions.sent = hs->inner_extensions_sent;
402 // Report the inner random value through |SSL_get_client_random|.
403 OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
404 SSL3_RANDOM_SIZE);
405 }
406
407 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),
408 SSL3_RANDOM_SIZE);
409
410 // When offering ECH, |ssl->session| is only offered in ClientHelloInner.
411 const bool pre_shared_key_allowed =
412 ssl->session != nullptr && ssl->s3->ech_status != ssl_ech_rejected;
413 SSLExtension key_share(TLSEXT_TYPE_key_share),
414 pre_shared_key(TLSEXT_TYPE_pre_shared_key, pre_shared_key_allowed),
415 supported_versions(TLSEXT_TYPE_supported_versions);
416 if (!ssl_parse_extensions(&server_hello.extensions, &alert,
417 {&key_share, &pre_shared_key, &supported_versions},
418 /*ignore_unknown=*/false)) {
419 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
420 return ssl_hs_error;
421 }
422
423 // Recheck supported_versions, in case this is after HelloRetryRequest.
424 uint16_t version;
425 if (!supported_versions.present ||
426 !CBS_get_u16(&supported_versions.data, &version) ||
427 CBS_len(&supported_versions.data) != 0 ||
428 version != ssl->version) {
429 OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
430 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
431 return ssl_hs_error;
432 }
433
434 alert = SSL_AD_DECODE_ERROR;
435 if (pre_shared_key.present) {
436 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
437 &pre_shared_key.data)) {
438 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
439 return ssl_hs_error;
440 }
441
442 if (ssl->session->ssl_version != ssl->version) {
443 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
444 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
445 return ssl_hs_error;
446 }
447
448 if (ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
449 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
450 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
451 return ssl_hs_error;
452 }
453
454 if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
455 // This is actually a client application bug.
456 OPENSSL_PUT_ERROR(SSL,
457 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
458 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
459 return ssl_hs_error;
460 }
461
462 ssl->s3->session_reused = true;
463 hs->can_release_private_key = true;
464 // Only authentication information carries over in TLS 1.3.
465 hs->new_session =
466 SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
467 if (!hs->new_session) {
468 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
469 return ssl_hs_error;
470 }
471 ssl_set_session(ssl, NULL);
472
473 // Resumption incorporates fresh key material, so refresh the timeout.
474 ssl_session_renew_timeout(ssl, hs->new_session.get(),
475 ssl->session_ctx->session_psk_dhe_timeout);
476 } else if (!ssl_get_new_session(hs)) {
477 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
478 return ssl_hs_error;
479 }
480
481 hs->new_session->cipher = hs->new_cipher;
482
483 // Set up the key schedule and incorporate the PSK into the running secret.
484 size_t hash_len = EVP_MD_size(
485 ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
486 if (!tls13_init_key_schedule(
487 hs, ssl->s3->session_reused
488 ? MakeConstSpan(hs->new_session->secret,
489 hs->new_session->secret_length)
490 : MakeConstSpan(kZeroes, hash_len))) {
491 return ssl_hs_error;
492 }
493
494 if (!key_share.present) {
495 // We do not support psk_ke and thus always require a key share.
496 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
497 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
498 return ssl_hs_error;
499 }
500
501 // Resolve ECDHE and incorporate it into the secret.
502 Array<uint8_t> dhe_secret;
503 alert = SSL_AD_DECODE_ERROR;
504 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
505 &key_share.data)) {
506 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
507 return ssl_hs_error;
508 }
509
510 if (!tls13_advance_key_schedule(hs, dhe_secret) ||
511 !ssl_hash_message(hs, msg) ||
512 !tls13_derive_handshake_secrets(hs)) {
513 return ssl_hs_error;
514 }
515
516 // If currently sending early data over TCP, we defer installing client
517 // traffic keys to when the early data stream is closed. See
518 // |close_early_data|. Note if the server has already rejected 0-RTT via
519 // HelloRetryRequest, |in_early_data| is already false.
520 if (!hs->in_early_data || ssl->quic_method != nullptr) {
521 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
522 hs->new_session.get(),
523 hs->client_handshake_secret())) {
524 return ssl_hs_error;
525 }
526 }
527
528 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
529 hs->new_session.get(),
530 hs->server_handshake_secret())) {
531 return ssl_hs_error;
532 }
533
534 ssl->method->next_message(ssl);
535 hs->tls13_state = state_read_encrypted_extensions;
536 return ssl_hs_ok;
537 }
538
do_read_encrypted_extensions(SSL_HANDSHAKE * hs)539 static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
540 SSL *const ssl = hs->ssl;
541 SSLMessage msg;
542 if (!ssl->method->get_message(ssl, &msg)) {
543 return ssl_hs_read_message;
544 }
545 if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
546 return ssl_hs_error;
547 }
548
549 CBS body = msg.body, extensions;
550 if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
551 CBS_len(&body) != 0) {
552 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
553 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
554 return ssl_hs_error;
555 }
556
557 if (!ssl_parse_serverhello_tlsext(hs, &extensions)) {
558 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
559 return ssl_hs_error;
560 }
561
562 if (ssl->s3->early_data_accepted) {
563 // The extension parser checks the server resumed the session.
564 assert(ssl->s3->session_reused);
565 // If offering ECH, the server may not accept early data with
566 // ClientHelloOuter. We do not offer sessions with ClientHelloOuter, so this
567 // this should be implied by checking |session_reused|.
568 assert(ssl->s3->ech_status != ssl_ech_rejected);
569
570 if (hs->early_session->cipher != hs->new_session->cipher) {
571 OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA);
572 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
573 return ssl_hs_error;
574 }
575 if (MakeConstSpan(hs->early_session->early_alpn) !=
576 ssl->s3->alpn_selected) {
577 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
578 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
579 return ssl_hs_error;
580 }
581 // Channel ID is incompatible with 0-RTT. The ALPS extension should be
582 // negotiated implicitly.
583 if (hs->channel_id_negotiated ||
584 hs->new_session->has_application_settings) {
585 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
586 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
587 return ssl_hs_error;
588 }
589 hs->new_session->has_application_settings =
590 hs->early_session->has_application_settings;
591 if (!hs->new_session->local_application_settings.CopyFrom(
592 hs->early_session->local_application_settings) ||
593 !hs->new_session->peer_application_settings.CopyFrom(
594 hs->early_session->peer_application_settings)) {
595 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
596 return ssl_hs_error;
597 }
598 }
599
600 // Store the negotiated ALPN in the session.
601 if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
602 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
603 return ssl_hs_error;
604 }
605
606 if (!ssl_hash_message(hs, msg)) {
607 return ssl_hs_error;
608 }
609
610 ssl->method->next_message(ssl);
611 hs->tls13_state = state_read_certificate_request;
612 if (hs->in_early_data && !ssl->s3->early_data_accepted) {
613 if (!close_early_data(hs, ssl_encryption_handshake)) {
614 return ssl_hs_error;
615 }
616 return ssl_hs_early_data_rejected;
617 }
618 return ssl_hs_ok;
619 }
620
do_read_certificate_request(SSL_HANDSHAKE * hs)621 static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
622 SSL *const ssl = hs->ssl;
623 // CertificateRequest may only be sent in non-resumption handshakes.
624 if (ssl->s3->session_reused) {
625 if (ssl->ctx->reverify_on_resume && !ssl->s3->early_data_accepted) {
626 hs->tls13_state = state_server_certificate_reverify;
627 return ssl_hs_ok;
628 }
629 hs->tls13_state = state_read_server_finished;
630 return ssl_hs_ok;
631 }
632
633 SSLMessage msg;
634 if (!ssl->method->get_message(ssl, &msg)) {
635 return ssl_hs_read_message;
636 }
637
638 // CertificateRequest is optional.
639 if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
640 hs->tls13_state = state_read_server_certificate;
641 return ssl_hs_ok;
642 }
643
644
645 SSLExtension sigalgs(TLSEXT_TYPE_signature_algorithms),
646 ca(TLSEXT_TYPE_certificate_authorities);
647 CBS body = msg.body, context, extensions, supported_signature_algorithms;
648 uint8_t alert = SSL_AD_DECODE_ERROR;
649 if (!CBS_get_u8_length_prefixed(&body, &context) ||
650 // The request context is always empty during the handshake.
651 CBS_len(&context) != 0 ||
652 !CBS_get_u16_length_prefixed(&body, &extensions) || //
653 CBS_len(&body) != 0 ||
654 !ssl_parse_extensions(&extensions, &alert, {&sigalgs, &ca},
655 /*ignore_unknown=*/true) ||
656 !sigalgs.present ||
657 !CBS_get_u16_length_prefixed(&sigalgs.data,
658 &supported_signature_algorithms) ||
659 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
660 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
661 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
662 return ssl_hs_error;
663 }
664
665 if (ca.present) {
666 hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca.data);
667 if (!hs->ca_names) {
668 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
669 return ssl_hs_error;
670 }
671 } else {
672 hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());
673 if (!hs->ca_names) {
674 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
675 return ssl_hs_error;
676 }
677 }
678
679 hs->cert_request = true;
680 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
681
682 if (!ssl_hash_message(hs, msg)) {
683 return ssl_hs_error;
684 }
685
686 ssl->method->next_message(ssl);
687 hs->tls13_state = state_read_server_certificate;
688 return ssl_hs_ok;
689 }
690
do_read_server_certificate(SSL_HANDSHAKE * hs)691 static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
692 SSL *const ssl = hs->ssl;
693 SSLMessage msg;
694 if (!ssl->method->get_message(ssl, &msg)) {
695 return ssl_hs_read_message;
696 }
697
698 if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&
699 !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
700 return ssl_hs_error;
701 }
702
703 if (!tls13_process_certificate(hs, msg, false /* certificate required */) ||
704 !ssl_hash_message(hs, msg)) {
705 return ssl_hs_error;
706 }
707
708 ssl->method->next_message(ssl);
709 hs->tls13_state = state_read_server_certificate_verify;
710 return ssl_hs_ok;
711 }
712
do_read_server_certificate_verify(SSL_HANDSHAKE * hs)713 static enum ssl_hs_wait_t do_read_server_certificate_verify(SSL_HANDSHAKE *hs) {
714 SSL *const ssl = hs->ssl;
715 SSLMessage msg;
716 if (!ssl->method->get_message(ssl, &msg)) {
717 return ssl_hs_read_message;
718 }
719 switch (ssl_verify_peer_cert(hs)) {
720 case ssl_verify_ok:
721 break;
722 case ssl_verify_invalid:
723 return ssl_hs_error;
724 case ssl_verify_retry:
725 hs->tls13_state = state_read_server_certificate_verify;
726 return ssl_hs_certificate_verify;
727 }
728
729 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
730 !tls13_process_certificate_verify(hs, msg) ||
731 !ssl_hash_message(hs, msg)) {
732 return ssl_hs_error;
733 }
734
735 ssl->method->next_message(ssl);
736 hs->tls13_state = state_read_server_finished;
737 return ssl_hs_ok;
738 }
739
do_server_certificate_reverify(SSL_HANDSHAKE * hs)740 static enum ssl_hs_wait_t do_server_certificate_reverify(SSL_HANDSHAKE *hs) {
741 switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {
742 case ssl_verify_ok:
743 break;
744 case ssl_verify_invalid:
745 return ssl_hs_error;
746 case ssl_verify_retry:
747 hs->tls13_state = state_server_certificate_reverify;
748 return ssl_hs_certificate_verify;
749 }
750 hs->tls13_state = state_read_server_finished;
751 return ssl_hs_ok;
752 }
753
do_read_server_finished(SSL_HANDSHAKE * hs)754 static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
755 SSL *const ssl = hs->ssl;
756 SSLMessage msg;
757 if (!ssl->method->get_message(ssl, &msg)) {
758 return ssl_hs_read_message;
759 }
760 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
761 !tls13_process_finished(hs, msg, false /* don't use saved value */) ||
762 !ssl_hash_message(hs, msg) ||
763 // Update the secret to the master secret and derive traffic keys.
764 !tls13_advance_key_schedule(
765 hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
766 !tls13_derive_application_secrets(hs)) {
767 return ssl_hs_error;
768 }
769
770 // Finished should be the end of the flight.
771 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
772 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
773 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
774 return ssl_hs_error;
775 }
776
777 ssl->method->next_message(ssl);
778 hs->tls13_state = state_send_end_of_early_data;
779 return ssl_hs_ok;
780 }
781
do_send_end_of_early_data(SSL_HANDSHAKE * hs)782 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
783 SSL *const ssl = hs->ssl;
784
785 if (ssl->s3->early_data_accepted) {
786 // QUIC omits the EndOfEarlyData message. See RFC 9001, section 8.3.
787 if (ssl->quic_method == nullptr) {
788 ScopedCBB cbb;
789 CBB body;
790 if (!ssl->method->init_message(ssl, cbb.get(), &body,
791 SSL3_MT_END_OF_EARLY_DATA) ||
792 !ssl_add_message_cbb(ssl, cbb.get())) {
793 return ssl_hs_error;
794 }
795 }
796
797 if (!close_early_data(hs, ssl_encryption_handshake)) {
798 return ssl_hs_error;
799 }
800 }
801
802 hs->tls13_state = state_send_client_encrypted_extensions;
803 return ssl_hs_ok;
804 }
805
do_send_client_encrypted_extensions(SSL_HANDSHAKE * hs)806 static enum ssl_hs_wait_t do_send_client_encrypted_extensions(
807 SSL_HANDSHAKE *hs) {
808 SSL *const ssl = hs->ssl;
809 // For now, only one extension uses client EncryptedExtensions. This function
810 // may be generalized if others use it in the future.
811 if (hs->new_session->has_application_settings &&
812 !ssl->s3->early_data_accepted) {
813 ScopedCBB cbb;
814 CBB body, extensions, extension;
815 if (!ssl->method->init_message(ssl, cbb.get(), &body,
816 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
817 !CBB_add_u16_length_prefixed(&body, &extensions) ||
818 !CBB_add_u16(&extensions, TLSEXT_TYPE_application_settings) ||
819 !CBB_add_u16_length_prefixed(&extensions, &extension) ||
820 !CBB_add_bytes(&extension,
821 hs->new_session->local_application_settings.data(),
822 hs->new_session->local_application_settings.size()) ||
823 !ssl_add_message_cbb(ssl, cbb.get())) {
824 return ssl_hs_error;
825 }
826 }
827
828 hs->tls13_state = state_send_client_certificate;
829 return ssl_hs_ok;
830 }
831
do_send_client_certificate(SSL_HANDSHAKE * hs)832 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
833 SSL *const ssl = hs->ssl;
834
835 // The peer didn't request a certificate.
836 if (!hs->cert_request) {
837 hs->tls13_state = state_complete_second_flight;
838 return ssl_hs_ok;
839 }
840
841 if (ssl->s3->ech_status == ssl_ech_rejected) {
842 // Do not send client certificates on ECH reject. We have not authenticated
843 // the server for the name that can learn the certificate.
844 SSL_certs_clear(ssl);
845 } else if (hs->config->cert->cert_cb != nullptr) {
846 // Call cert_cb to update the certificate.
847 int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
848 if (rv == 0) {
849 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
850 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
851 return ssl_hs_error;
852 }
853 if (rv < 0) {
854 hs->tls13_state = state_send_client_certificate;
855 return ssl_hs_x509_lookup;
856 }
857 }
858
859 if (!ssl_on_certificate_selected(hs) ||
860 !tls13_add_certificate(hs)) {
861 return ssl_hs_error;
862 }
863
864 hs->tls13_state = state_send_client_certificate_verify;
865 return ssl_hs_ok;
866 }
867
do_send_client_certificate_verify(SSL_HANDSHAKE * hs)868 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
869 // Don't send CertificateVerify if there is no certificate.
870 if (!ssl_has_certificate(hs)) {
871 hs->tls13_state = state_complete_second_flight;
872 return ssl_hs_ok;
873 }
874
875 switch (tls13_add_certificate_verify(hs)) {
876 case ssl_private_key_success:
877 hs->tls13_state = state_complete_second_flight;
878 return ssl_hs_ok;
879
880 case ssl_private_key_retry:
881 hs->tls13_state = state_send_client_certificate_verify;
882 return ssl_hs_private_key_operation;
883
884 case ssl_private_key_failure:
885 return ssl_hs_error;
886 }
887
888 assert(0);
889 return ssl_hs_error;
890 }
891
do_complete_second_flight(SSL_HANDSHAKE * hs)892 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
893 SSL *const ssl = hs->ssl;
894 hs->can_release_private_key = true;
895
896 // Send a Channel ID assertion if necessary.
897 if (hs->channel_id_negotiated) {
898 ScopedCBB cbb;
899 CBB body;
900 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
901 !tls1_write_channel_id(hs, &body) ||
902 !ssl_add_message_cbb(ssl, cbb.get())) {
903 return ssl_hs_error;
904 }
905 }
906
907 // Send a Finished message.
908 if (!tls13_add_finished(hs)) {
909 return ssl_hs_error;
910 }
911
912 // Derive the final keys and enable them.
913 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
914 hs->new_session.get(),
915 hs->client_traffic_secret_0()) ||
916 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
917 hs->new_session.get(),
918 hs->server_traffic_secret_0()) ||
919 !tls13_derive_resumption_secret(hs)) {
920 return ssl_hs_error;
921 }
922
923 hs->tls13_state = state_done;
924 return ssl_hs_flush;
925 }
926
tls13_client_handshake(SSL_HANDSHAKE * hs)927 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
928 while (hs->tls13_state != state_done) {
929 enum ssl_hs_wait_t ret = ssl_hs_error;
930 enum client_hs_state_t state =
931 static_cast<enum client_hs_state_t>(hs->tls13_state);
932 switch (state) {
933 case state_read_hello_retry_request:
934 ret = do_read_hello_retry_request(hs);
935 break;
936 case state_send_second_client_hello:
937 ret = do_send_second_client_hello(hs);
938 break;
939 case state_read_server_hello:
940 ret = do_read_server_hello(hs);
941 break;
942 case state_read_encrypted_extensions:
943 ret = do_read_encrypted_extensions(hs);
944 break;
945 case state_read_certificate_request:
946 ret = do_read_certificate_request(hs);
947 break;
948 case state_read_server_certificate:
949 ret = do_read_server_certificate(hs);
950 break;
951 case state_read_server_certificate_verify:
952 ret = do_read_server_certificate_verify(hs);
953 break;
954 case state_server_certificate_reverify:
955 ret = do_server_certificate_reverify(hs);
956 break;
957 case state_read_server_finished:
958 ret = do_read_server_finished(hs);
959 break;
960 case state_send_end_of_early_data:
961 ret = do_send_end_of_early_data(hs);
962 break;
963 case state_send_client_certificate:
964 ret = do_send_client_certificate(hs);
965 break;
966 case state_send_client_encrypted_extensions:
967 ret = do_send_client_encrypted_extensions(hs);
968 break;
969 case state_send_client_certificate_verify:
970 ret = do_send_client_certificate_verify(hs);
971 break;
972 case state_complete_second_flight:
973 ret = do_complete_second_flight(hs);
974 break;
975 case state_done:
976 ret = ssl_hs_ok;
977 break;
978 }
979
980 if (hs->tls13_state != state) {
981 ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
982 }
983
984 if (ret != ssl_hs_ok) {
985 return ret;
986 }
987 }
988
989 return ssl_hs_ok;
990 }
991
tls13_client_handshake_state(SSL_HANDSHAKE * hs)992 const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
993 enum client_hs_state_t state =
994 static_cast<enum client_hs_state_t>(hs->tls13_state);
995 switch (state) {
996 case state_read_hello_retry_request:
997 return "TLS 1.3 client read_hello_retry_request";
998 case state_send_second_client_hello:
999 return "TLS 1.3 client send_second_client_hello";
1000 case state_read_server_hello:
1001 return "TLS 1.3 client read_server_hello";
1002 case state_read_encrypted_extensions:
1003 return "TLS 1.3 client read_encrypted_extensions";
1004 case state_read_certificate_request:
1005 return "TLS 1.3 client read_certificate_request";
1006 case state_read_server_certificate:
1007 return "TLS 1.3 client read_server_certificate";
1008 case state_read_server_certificate_verify:
1009 return "TLS 1.3 client read_server_certificate_verify";
1010 case state_server_certificate_reverify:
1011 return "TLS 1.3 client server_certificate_reverify";
1012 case state_read_server_finished:
1013 return "TLS 1.3 client read_server_finished";
1014 case state_send_end_of_early_data:
1015 return "TLS 1.3 client send_end_of_early_data";
1016 case state_send_client_encrypted_extensions:
1017 return "TLS 1.3 client send_client_encrypted_extensions";
1018 case state_send_client_certificate:
1019 return "TLS 1.3 client send_client_certificate";
1020 case state_send_client_certificate_verify:
1021 return "TLS 1.3 client send_client_certificate_verify";
1022 case state_complete_second_flight:
1023 return "TLS 1.3 client complete_second_flight";
1024 case state_done:
1025 return "TLS 1.3 client done";
1026 }
1027
1028 return "TLS 1.3 client unknown";
1029 }
1030
tls13_process_new_session_ticket(SSL * ssl,const SSLMessage & msg)1031 bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
1032 if (ssl->s3->write_shutdown != ssl_shutdown_none) {
1033 // Ignore tickets on shutdown. Callers tend to indiscriminately call
1034 // |SSL_shutdown| before destroying an |SSL|, at which point calling the new
1035 // session callback may be confusing.
1036 return true;
1037 }
1038
1039 CBS body = msg.body;
1040 UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
1041 if (!session) {
1042 return false;
1043 }
1044
1045 if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
1046 ssl->session_ctx->new_session_cb != NULL &&
1047 ssl->session_ctx->new_session_cb(ssl, session.get())) {
1048 // |new_session_cb|'s return value signals that it took ownership.
1049 session.release();
1050 }
1051
1052 return true;
1053 }
1054
tls13_create_session_with_ticket(SSL * ssl,CBS * body)1055 UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
1056 UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
1057 ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
1058 if (!session) {
1059 return nullptr;
1060 }
1061
1062 ssl_session_rebase_time(ssl, session.get());
1063
1064 uint32_t server_timeout;
1065 CBS ticket_nonce, ticket, extensions;
1066 if (!CBS_get_u32(body, &server_timeout) ||
1067 !CBS_get_u32(body, &session->ticket_age_add) ||
1068 !CBS_get_u8_length_prefixed(body, &ticket_nonce) ||
1069 !CBS_get_u16_length_prefixed(body, &ticket) ||
1070 !session->ticket.CopyFrom(ticket) ||
1071 !CBS_get_u16_length_prefixed(body, &extensions) ||
1072 CBS_len(body) != 0) {
1073 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1074 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1075 return nullptr;
1076 }
1077
1078 // Cap the renewable lifetime by the server advertised value. This avoids
1079 // wasting bandwidth on 0-RTT when we know the server will reject it.
1080 if (session->timeout > server_timeout) {
1081 session->timeout = server_timeout;
1082 }
1083
1084 if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
1085 return nullptr;
1086 }
1087
1088 SSLExtension early_data(TLSEXT_TYPE_early_data);
1089 uint8_t alert = SSL_AD_DECODE_ERROR;
1090 if (!ssl_parse_extensions(&extensions, &alert, {&early_data},
1091 /*ignore_unknown=*/true)) {
1092 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1093 return nullptr;
1094 }
1095
1096 if (early_data.present) {
1097 if (!CBS_get_u32(&early_data.data, &session->ticket_max_early_data) ||
1098 CBS_len(&early_data.data) != 0) {
1099 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1100 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1101 return nullptr;
1102 }
1103
1104 // QUIC does not use the max_early_data_size parameter and always sets it to
1105 // a fixed value. See RFC 9001, section 4.6.1.
1106 if (ssl->quic_method != nullptr &&
1107 session->ticket_max_early_data != 0xffffffff) {
1108 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1109 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1110 return nullptr;
1111 }
1112 }
1113
1114 // Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
1115 // Envoy's tests depend on this, although perhaps they shouldn't.
1116 SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
1117 session->session_id_length = SHA256_DIGEST_LENGTH;
1118
1119 session->ticket_age_add_valid = true;
1120 session->not_resumable = false;
1121
1122 return session;
1123 }
1124
1125 BSSL_NAMESPACE_END
1126