1 /* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <limits.h>
19 #include <string.h>
20
21 #include <openssl/bytestring.h>
22 #include <openssl/digest.h>
23 #include <openssl/err.h>
24 #include <openssl/mem.h>
25 #include <openssl/stack.h>
26
27 #include "../crypto/internal.h"
28 #include "internal.h"
29
30
31 enum client_hs_state_t {
32 state_process_hello_retry_request = 0,
33 state_send_second_client_hello,
34 state_process_server_hello,
35 state_process_encrypted_extensions,
36 state_process_certificate_request,
37 state_process_server_certificate,
38 state_process_server_certificate_verify,
39 state_process_server_finished,
40 state_send_end_of_early_data,
41 state_send_client_certificate,
42 state_send_client_certificate_verify,
43 state_complete_client_certificate_verify,
44 state_complete_second_flight,
45 state_done,
46 };
47
48 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
49
do_process_hello_retry_request(SSL_HANDSHAKE * hs)50 static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) {
51 SSL *const ssl = hs->ssl;
52 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {
53 hs->tls13_state = state_process_server_hello;
54 return ssl_hs_ok;
55 }
56
57 CBS cbs, extensions;
58 uint16_t server_wire_version;
59 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
60 if (!CBS_get_u16(&cbs, &server_wire_version) ||
61 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
62 /* HelloRetryRequest may not be empty. */
63 CBS_len(&extensions) == 0 ||
64 CBS_len(&cbs) != 0) {
65 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
66 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
67 return ssl_hs_error;
68 }
69
70 int have_cookie, have_key_share;
71 CBS cookie, key_share;
72 const SSL_EXTENSION_TYPE ext_types[] = {
73 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
74 {TLSEXT_TYPE_cookie, &have_cookie, &cookie},
75 };
76
77 uint8_t alert = SSL_AD_DECODE_ERROR;
78 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
79 OPENSSL_ARRAY_SIZE(ext_types),
80 0 /* reject unknown */)) {
81 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
82 return ssl_hs_error;
83 }
84
85 if (have_cookie) {
86 CBS cookie_value;
87 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||
88 CBS_len(&cookie_value) == 0 ||
89 CBS_len(&cookie) != 0) {
90 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
91 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
92 return ssl_hs_error;
93 }
94
95 if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {
96 return ssl_hs_error;
97 }
98 }
99
100 if (have_key_share) {
101 uint16_t group_id;
102 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {
103 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
104 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
105 return ssl_hs_error;
106 }
107
108 /* The group must be supported. */
109 const uint16_t *groups;
110 size_t groups_len;
111 tls1_get_grouplist(ssl, &groups, &groups_len);
112 int found = 0;
113 for (size_t i = 0; i < groups_len; i++) {
114 if (groups[i] == group_id) {
115 found = 1;
116 break;
117 }
118 }
119
120 if (!found) {
121 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
122 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
123 return ssl_hs_error;
124 }
125
126 /* Check that the HelloRetryRequest does not request the key share that
127 * was provided in the initial ClientHello. */
128 if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {
129 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
130 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
131 return ssl_hs_error;
132 }
133
134 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
135 hs->retry_group = group_id;
136 }
137
138 if (!ssl_hash_current_message(hs)) {
139 return ssl_hs_error;
140 }
141
142 hs->received_hello_retry_request = 1;
143 hs->tls13_state = state_send_second_client_hello;
144 return ssl_hs_ok;
145 }
146
do_send_second_client_hello(SSL_HANDSHAKE * hs)147 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
148 SSL *const ssl = hs->ssl;
149 /* TODO(svaldez): Ensure that we set can_early_write to false since 0-RTT is
150 * rejected if we receive a HelloRetryRequest. */
151 if (!ssl->method->set_write_state(ssl, NULL) ||
152 !ssl_write_client_hello(hs)) {
153 return ssl_hs_error;
154 }
155
156 hs->tls13_state = state_process_server_hello;
157 return ssl_hs_flush_and_read_message;
158 }
159
do_process_server_hello(SSL_HANDSHAKE * hs)160 static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {
161 SSL *const ssl = hs->ssl;
162 if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {
163 return ssl_hs_error;
164 }
165
166 CBS cbs, server_random, extensions;
167 uint16_t server_wire_version;
168 uint16_t cipher_suite;
169 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
170 if (!CBS_get_u16(&cbs, &server_wire_version) ||
171 !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||
172 !CBS_get_u16(&cbs, &cipher_suite) ||
173 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
174 CBS_len(&cbs) != 0) {
175 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
176 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
177 return ssl_hs_error;
178 }
179
180 if (server_wire_version != ssl->version) {
181 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
182 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
183 return ssl_hs_error;
184 }
185
186 assert(ssl->s3->have_version);
187 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
188 SSL3_RANDOM_SIZE);
189
190 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
191 if (cipher == NULL) {
192 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
193 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
194 return ssl_hs_error;
195 }
196
197 /* Check if the cipher is a TLS 1.3 cipher. */
198 if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
199 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {
200 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
201 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
202 return ssl_hs_error;
203 }
204
205 /* Parse out the extensions. */
206 int have_key_share = 0, have_pre_shared_key = 0;
207 CBS key_share, pre_shared_key;
208 const SSL_EXTENSION_TYPE ext_types[] = {
209 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
210 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
211 };
212
213 uint8_t alert = SSL_AD_DECODE_ERROR;
214 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
215 OPENSSL_ARRAY_SIZE(ext_types),
216 0 /* reject unknown */)) {
217 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
218 return ssl_hs_error;
219 }
220
221 alert = SSL_AD_DECODE_ERROR;
222 if (have_pre_shared_key) {
223 if (ssl->session == NULL) {
224 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
225 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
226 return ssl_hs_error;
227 }
228
229 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
230 &pre_shared_key)) {
231 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
232 return ssl_hs_error;
233 }
234
235 if (ssl->session->ssl_version != ssl->version) {
236 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
237 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
238 return ssl_hs_error;
239 }
240
241 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {
242 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
243 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
244 return ssl_hs_error;
245 }
246
247 if (!ssl_session_is_context_valid(ssl, ssl->session)) {
248 /* This is actually a client application bug. */
249 OPENSSL_PUT_ERROR(SSL,
250 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
251 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
252 return ssl_hs_error;
253 }
254
255 ssl->s3->session_reused = 1;
256 /* Only authentication information carries over in TLS 1.3. */
257 hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
258 if (hs->new_session == NULL) {
259 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
260 return ssl_hs_error;
261 }
262
263 /* Resumption incorporates fresh key material, so refresh the timeout. */
264 ssl_session_renew_timeout(ssl, hs->new_session,
265 ssl->session_ctx->session_psk_dhe_timeout);
266 } else if (!ssl_get_new_session(hs, 0)) {
267 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
268 return ssl_hs_error;
269 }
270
271 hs->new_session->cipher = cipher;
272 hs->new_cipher = cipher;
273
274 /* The PRF hash is now known. Set up the key schedule. */
275 if (!tls13_init_key_schedule(hs)) {
276 return ssl_hs_error;
277 }
278
279 /* Incorporate the PSK into the running secret. */
280 if (ssl->s3->session_reused) {
281 if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
282 hs->new_session->master_key_length)) {
283 return ssl_hs_error;
284 }
285 } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {
286 return ssl_hs_error;
287 }
288
289 if (!have_key_share) {
290 /* We do not support psk_ke and thus always require a key share. */
291 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
292 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
293 return ssl_hs_error;
294 }
295
296 /* Resolve ECDHE and incorporate it into the secret. */
297 uint8_t *dhe_secret;
298 size_t dhe_secret_len;
299 alert = SSL_AD_DECODE_ERROR;
300 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,
301 &alert, &key_share)) {
302 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
303 return ssl_hs_error;
304 }
305
306 if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {
307 OPENSSL_free(dhe_secret);
308 return ssl_hs_error;
309 }
310 OPENSSL_free(dhe_secret);
311
312 if (!ssl_hash_current_message(hs) ||
313 !tls13_derive_handshake_secrets(hs) ||
314 !tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,
315 hs->hash_len)) {
316 return ssl_hs_error;
317 }
318
319 /* If not sending early data, set client traffic keys now so that alerts are
320 * encrypted. */
321 if (!hs->early_data_offered &&
322 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
323 hs->hash_len)) {
324 return ssl_hs_error;
325 }
326
327 hs->tls13_state = state_process_encrypted_extensions;
328 return ssl_hs_read_message;
329 }
330
do_process_encrypted_extensions(SSL_HANDSHAKE * hs)331 static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) {
332 SSL *const ssl = hs->ssl;
333 if (!ssl_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
334 return ssl_hs_error;
335 }
336
337 CBS cbs;
338 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
339 if (!ssl_parse_serverhello_tlsext(hs, &cbs)) {
340 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
341 return ssl_hs_error;
342 }
343 if (CBS_len(&cbs) != 0) {
344 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
345 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
346 return ssl_hs_error;
347 }
348
349 /* Store the negotiated ALPN in the session. */
350 if (ssl->s3->alpn_selected != NULL) {
351 hs->new_session->early_alpn =
352 BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
353 if (hs->new_session->early_alpn == NULL) {
354 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
355 return ssl_hs_error;
356 }
357 hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;
358 }
359
360 if (ssl->early_data_accepted) {
361 if (ssl->session->cipher != hs->new_session->cipher ||
362 ssl->session->early_alpn_len != ssl->s3->alpn_selected_len ||
363 OPENSSL_memcmp(ssl->session->early_alpn, ssl->s3->alpn_selected,
364 ssl->s3->alpn_selected_len) != 0) {
365 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
366 return ssl_hs_error;
367 }
368 if (ssl->s3->tlsext_channel_id_valid) {
369 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA);
370 return ssl_hs_error;
371 }
372 }
373
374 /* Release offered session now that it is no longer needed. */
375 if (ssl->s3->session_reused) {
376 ssl_set_session(ssl, NULL);
377 }
378
379 if (!ssl_hash_current_message(hs)) {
380 return ssl_hs_error;
381 }
382
383 hs->tls13_state = state_process_certificate_request;
384 return ssl_hs_read_message;
385 }
386
do_process_certificate_request(SSL_HANDSHAKE * hs)387 static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) {
388 SSL *const ssl = hs->ssl;
389 /* CertificateRequest may only be sent in non-resumption handshakes. */
390 if (ssl->s3->session_reused) {
391 hs->tls13_state = state_process_server_finished;
392 return ssl_hs_ok;
393 }
394
395 /* CertificateRequest is optional. */
396 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
397 hs->tls13_state = state_process_server_certificate;
398 return ssl_hs_ok;
399 }
400
401 CBS cbs, context, supported_signature_algorithms;
402 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
403 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
404 /* The request context is always empty during the handshake. */
405 CBS_len(&context) != 0 ||
406 !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
407 CBS_len(&supported_signature_algorithms) == 0 ||
408 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
409 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
410 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
411 return ssl_hs_error;
412 }
413
414 uint8_t alert = SSL_AD_DECODE_ERROR;
415 STACK_OF(CRYPTO_BUFFER) *ca_names =
416 ssl_parse_client_CA_list(ssl, &alert, &cbs);
417 if (ca_names == NULL) {
418 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
419 return ssl_hs_error;
420 }
421
422 /* Ignore extensions. */
423 CBS extensions;
424 if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
425 CBS_len(&cbs) != 0) {
426 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
427 sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free);
428 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
429 return ssl_hs_error;
430 }
431
432 hs->cert_request = 1;
433 sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);
434 hs->ca_names = ca_names;
435 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
436
437 if (!ssl_hash_current_message(hs)) {
438 return ssl_hs_error;
439 }
440
441 hs->tls13_state = state_process_server_certificate;
442 return ssl_hs_read_message;
443 }
444
do_process_server_certificate(SSL_HANDSHAKE * hs)445 static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) {
446 SSL *const ssl = hs->ssl;
447 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
448 !tls13_process_certificate(hs, 0 /* certificate required */) ||
449 !ssl_hash_current_message(hs)) {
450 return ssl_hs_error;
451 }
452
453 hs->tls13_state = state_process_server_certificate_verify;
454 return ssl_hs_read_message;
455 }
456
do_process_server_certificate_verify(SSL_HANDSHAKE * hs)457 static enum ssl_hs_wait_t do_process_server_certificate_verify(
458 SSL_HANDSHAKE *hs) {
459 SSL *const ssl = hs->ssl;
460 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
461 !tls13_process_certificate_verify(hs) ||
462 !ssl_hash_current_message(hs)) {
463 return ssl_hs_error;
464 }
465
466 hs->tls13_state = state_process_server_finished;
467 return ssl_hs_read_message;
468 }
469
do_process_server_finished(SSL_HANDSHAKE * hs)470 static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) {
471 SSL *const ssl = hs->ssl;
472 if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) ||
473 !tls13_process_finished(hs, 0 /* don't use saved value */) ||
474 !ssl_hash_current_message(hs) ||
475 /* Update the secret to the master secret and derive traffic keys. */
476 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
477 !tls13_derive_application_secrets(hs)) {
478 return ssl_hs_error;
479 }
480
481 ssl->method->received_flight(ssl);
482 hs->tls13_state = state_send_end_of_early_data;
483 return ssl_hs_ok;
484 }
485
do_send_end_of_early_data(SSL_HANDSHAKE * hs)486 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
487 SSL *const ssl = hs->ssl;
488 /* TODO(svaldez): Stop sending early data. */
489 if (ssl->early_data_accepted &&
490 !ssl->method->add_alert(ssl, SSL3_AL_WARNING,
491 TLS1_AD_END_OF_EARLY_DATA)) {
492 return ssl_hs_error;
493 }
494
495 if (hs->early_data_offered &&
496 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
497 hs->hash_len)) {
498 return ssl_hs_error;
499 }
500
501 hs->tls13_state = state_send_client_certificate;
502 return ssl_hs_ok;
503 }
504
do_send_client_certificate(SSL_HANDSHAKE * hs)505 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
506 SSL *const ssl = hs->ssl;
507
508 /* The peer didn't request a certificate. */
509 if (!hs->cert_request) {
510 hs->tls13_state = state_complete_second_flight;
511 return ssl_hs_ok;
512 }
513
514 /* Call cert_cb to update the certificate. */
515 if (ssl->cert->cert_cb != NULL) {
516 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
517 if (rv == 0) {
518 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
519 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
520 return ssl_hs_error;
521 }
522 if (rv < 0) {
523 hs->tls13_state = state_send_client_certificate;
524 return ssl_hs_x509_lookup;
525 }
526 }
527
528 if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(ssl) ||
529 !tls13_add_certificate(hs)) {
530 return ssl_hs_error;
531 }
532
533 hs->tls13_state = state_send_client_certificate_verify;
534 return ssl_hs_ok;
535 }
536
do_send_client_certificate_verify(SSL_HANDSHAKE * hs,int is_first_run)537 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs,
538 int is_first_run) {
539 SSL *const ssl = hs->ssl;
540 /* Don't send CertificateVerify if there is no certificate. */
541 if (!ssl_has_certificate(ssl)) {
542 hs->tls13_state = state_complete_second_flight;
543 return ssl_hs_ok;
544 }
545
546 switch (tls13_add_certificate_verify(hs, is_first_run)) {
547 case ssl_private_key_success:
548 hs->tls13_state = state_complete_second_flight;
549 return ssl_hs_ok;
550
551 case ssl_private_key_retry:
552 hs->tls13_state = state_complete_client_certificate_verify;
553 return ssl_hs_private_key_operation;
554
555 case ssl_private_key_failure:
556 return ssl_hs_error;
557 }
558
559 assert(0);
560 return ssl_hs_error;
561 }
562
do_complete_second_flight(SSL_HANDSHAKE * hs)563 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
564 SSL *const ssl = hs->ssl;
565
566 /* Send a Channel ID assertion if necessary. */
567 if (ssl->s3->tlsext_channel_id_valid) {
568 if (!ssl_do_channel_id_callback(ssl)) {
569 hs->tls13_state = state_complete_second_flight;
570 return ssl_hs_error;
571 }
572
573 if (ssl->tlsext_channel_id_private == NULL) {
574 return ssl_hs_channel_id_lookup;
575 }
576
577 CBB cbb, body;
578 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||
579 !tls1_write_channel_id(hs, &body) ||
580 !ssl_add_message_cbb(ssl, &cbb)) {
581 CBB_cleanup(&cbb);
582 return ssl_hs_error;
583 }
584 }
585
586 /* Send a Finished message. */
587 if (!tls13_add_finished(hs)) {
588 return ssl_hs_error;
589 }
590
591 /* Derive the final keys and enable them. */
592 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
593 hs->hash_len) ||
594 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
595 hs->hash_len) ||
596 !tls13_derive_resumption_secret(hs)) {
597 return ssl_hs_error;
598 }
599
600 hs->tls13_state = state_done;
601 return ssl_hs_flush;
602 }
603
tls13_client_handshake(SSL_HANDSHAKE * hs)604 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
605 while (hs->tls13_state != state_done) {
606 enum ssl_hs_wait_t ret = ssl_hs_error;
607 enum client_hs_state_t state = hs->tls13_state;
608 switch (state) {
609 case state_process_hello_retry_request:
610 ret = do_process_hello_retry_request(hs);
611 break;
612 case state_send_second_client_hello:
613 ret = do_send_second_client_hello(hs);
614 break;
615 case state_process_server_hello:
616 ret = do_process_server_hello(hs);
617 break;
618 case state_process_encrypted_extensions:
619 ret = do_process_encrypted_extensions(hs);
620 break;
621 case state_process_certificate_request:
622 ret = do_process_certificate_request(hs);
623 break;
624 case state_process_server_certificate:
625 ret = do_process_server_certificate(hs);
626 break;
627 case state_process_server_certificate_verify:
628 ret = do_process_server_certificate_verify(hs);
629 break;
630 case state_process_server_finished:
631 ret = do_process_server_finished(hs);
632 break;
633 case state_send_end_of_early_data:
634 ret = do_send_end_of_early_data(hs);
635 break;
636 case state_send_client_certificate:
637 ret = do_send_client_certificate(hs);
638 break;
639 case state_send_client_certificate_verify:
640 ret = do_send_client_certificate_verify(hs, 1 /* first run */);
641 break;
642 case state_complete_client_certificate_verify:
643 ret = do_send_client_certificate_verify(hs, 0 /* complete */);
644 break;
645 case state_complete_second_flight:
646 ret = do_complete_second_flight(hs);
647 break;
648 case state_done:
649 ret = ssl_hs_ok;
650 break;
651 }
652
653 if (ret != ssl_hs_ok) {
654 return ret;
655 }
656 }
657
658 return ssl_hs_ok;
659 }
660
tls13_process_new_session_ticket(SSL * ssl)661 int tls13_process_new_session_ticket(SSL *ssl) {
662 int ret = 0;
663 SSL_SESSION *session = SSL_SESSION_dup(ssl->s3->established_session,
664 SSL_SESSION_INCLUDE_NONAUTH);
665 if (session == NULL) {
666 return 0;
667 }
668
669 ssl_session_rebase_time(ssl, session);
670
671 uint32_t server_timeout;
672 CBS cbs, ticket, extensions;
673 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
674 if (!CBS_get_u32(&cbs, &server_timeout) ||
675 !CBS_get_u32(&cbs, &session->ticket_age_add) ||
676 !CBS_get_u16_length_prefixed(&cbs, &ticket) ||
677 !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
678 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
679 CBS_len(&cbs) != 0) {
680 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
681 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
682 goto err;
683 }
684
685 /* Cap the renewable lifetime by the server advertised value. This avoids
686 * wasting bandwidth on 0-RTT when we know the server will reject it. */
687 if (session->timeout > server_timeout) {
688 session->timeout = server_timeout;
689 }
690
691 /* Parse out the extensions. */
692 int have_early_data_info = 0;
693 CBS early_data_info;
694 const SSL_EXTENSION_TYPE ext_types[] = {
695 {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,
696 &early_data_info},
697 };
698
699 uint8_t alert = SSL_AD_DECODE_ERROR;
700 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
701 OPENSSL_ARRAY_SIZE(ext_types),
702 1 /* ignore unknown */)) {
703 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
704 goto err;
705 }
706
707 if (have_early_data_info && ssl->ctx->enable_early_data) {
708 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
709 CBS_len(&early_data_info) != 0) {
710 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
711 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
712 goto err;
713 }
714 }
715
716 session->ticket_age_add_valid = 1;
717 session->not_resumable = 0;
718
719 if (ssl->ctx->new_session_cb != NULL &&
720 ssl->ctx->new_session_cb(ssl, session)) {
721 /* |new_session_cb|'s return value signals that it took ownership. */
722 session = NULL;
723 }
724
725 ret = 1;
726
727 err:
728 SSL_SESSION_free(session);
729 return ret;
730 }
731
ssl_clear_tls13_state(SSL_HANDSHAKE * hs)732 void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {
733 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
734
735 OPENSSL_free(hs->key_share_bytes);
736 hs->key_share_bytes = NULL;
737 hs->key_share_bytes_len = 0;
738 }
739