1 /* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <limits.h>
19 #include <string.h>
20
21 #include <utility>
22
23 #include <openssl/bytestring.h>
24 #include <openssl/digest.h>
25 #include <openssl/err.h>
26 #include <openssl/mem.h>
27 #include <openssl/sha.h>
28 #include <openssl/stack.h>
29
30 #include "../crypto/internal.h"
31 #include "internal.h"
32
33
34 BSSL_NAMESPACE_BEGIN
35
36 enum client_hs_state_t {
37 state_read_hello_retry_request = 0,
38 state_send_second_client_hello,
39 state_read_server_hello,
40 state_read_encrypted_extensions,
41 state_read_certificate_request,
42 state_read_server_certificate,
43 state_read_server_certificate_verify,
44 state_server_certificate_reverify,
45 state_read_server_finished,
46 state_send_end_of_early_data,
47 state_send_client_certificate,
48 state_send_client_certificate_verify,
49 state_complete_second_flight,
50 state_done,
51 };
52
53 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
54
do_read_hello_retry_request(SSL_HANDSHAKE * hs)55 static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
56 SSL *const ssl = hs->ssl;
57 assert(ssl->s3->have_version);
58 SSLMessage msg;
59 if (!ssl->method->get_message(ssl, &msg)) {
60 return ssl_hs_read_message;
61 }
62
63 // Queue up a ChangeCipherSpec for whenever we next send something. This
64 // will be before the second ClientHello. If we offered early data, this was
65 // already done.
66 if (!hs->early_data_offered &&
67 !ssl->method->add_change_cipher_spec(ssl)) {
68 return ssl_hs_error;
69 }
70
71 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
72 return ssl_hs_error;
73 }
74
75 CBS body = msg.body, extensions, server_random, session_id;
76 uint16_t server_version, cipher_suite;
77 uint8_t compression_method;
78 if (!CBS_get_u16(&body, &server_version) ||
79 !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
80 !CBS_get_u8_length_prefixed(&body, &session_id) ||
81 !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
82 !CBS_get_u16(&body, &cipher_suite) ||
83 !CBS_get_u8(&body, &compression_method) ||
84 compression_method != 0 ||
85 !CBS_get_u16_length_prefixed(&body, &extensions) ||
86 CBS_len(&extensions) == 0 ||
87 CBS_len(&body) != 0) {
88 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
89 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
90 return ssl_hs_error;
91 }
92
93 if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
94 hs->tls13_state = state_read_server_hello;
95 return ssl_hs_ok;
96 }
97
98 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
99 // Check if the cipher is a TLS 1.3 cipher.
100 if (cipher == NULL ||
101 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
102 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
103 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
104 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
105 return ssl_hs_error;
106 }
107
108 hs->new_cipher = cipher;
109
110 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
111 !hs->transcript.UpdateForHelloRetryRequest()) {
112 return ssl_hs_error;
113 }
114
115
116 bool have_cookie, have_key_share, have_supported_versions;
117 CBS cookie, key_share, supported_versions;
118 SSL_EXTENSION_TYPE ext_types[] = {
119 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
120 {TLSEXT_TYPE_cookie, &have_cookie, &cookie},
121 {TLSEXT_TYPE_supported_versions, &have_supported_versions,
122 &supported_versions},
123 };
124
125 uint8_t alert = SSL_AD_DECODE_ERROR;
126 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
127 OPENSSL_ARRAY_SIZE(ext_types),
128 0 /* reject unknown */)) {
129 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
130 return ssl_hs_error;
131 }
132
133 if (!have_cookie && !have_key_share) {
134 OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);
135 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
136 return ssl_hs_error;
137 }
138 if (have_cookie) {
139 CBS cookie_value;
140 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||
141 CBS_len(&cookie_value) == 0 ||
142 CBS_len(&cookie) != 0) {
143 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
144 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
145 return ssl_hs_error;
146 }
147
148 if (!hs->cookie.CopyFrom(cookie_value)) {
149 return ssl_hs_error;
150 }
151 }
152
153 if (have_key_share) {
154 uint16_t group_id;
155 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {
156 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
157 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
158 return ssl_hs_error;
159 }
160
161 // The group must be supported.
162 if (!tls1_check_group_id(hs, group_id)) {
163 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
164 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
165 return ssl_hs_error;
166 }
167
168 // Check that the HelloRetryRequest does not request a key share that was
169 // provided in the initial ClientHello.
170 if (hs->key_shares[0]->GroupID() == group_id ||
171 (hs->key_shares[1] && hs->key_shares[1]->GroupID() == group_id)) {
172 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
173 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
174 return ssl_hs_error;
175 }
176
177 hs->key_shares[0].reset();
178 hs->key_shares[1].reset();
179 hs->retry_group = group_id;
180 }
181
182 if (!ssl_hash_message(hs, msg)) {
183 return ssl_hs_error;
184 }
185
186 ssl->method->next_message(ssl);
187 hs->received_hello_retry_request = true;
188 hs->tls13_state = state_send_second_client_hello;
189 // 0-RTT is rejected if we receive a HelloRetryRequest.
190 if (hs->in_early_data) {
191 return ssl_hs_early_data_rejected;
192 }
193 return ssl_hs_ok;
194 }
195
do_send_second_client_hello(SSL_HANDSHAKE * hs)196 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
197 SSL *const ssl = hs->ssl;
198 // Restore the null cipher. We may have switched due to 0-RTT.
199 bssl::UniquePtr<SSLAEADContext> null_ctx =
200 SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
201 if (!null_ctx ||
202 !ssl->method->set_write_state(ssl, std::move(null_ctx))) {
203 return ssl_hs_error;
204 }
205
206 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
207
208 if (!ssl_write_client_hello(hs)) {
209 return ssl_hs_error;
210 }
211
212 hs->tls13_state = state_read_server_hello;
213 return ssl_hs_flush;
214 }
215
do_read_server_hello(SSL_HANDSHAKE * hs)216 static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
217 SSL *const ssl = hs->ssl;
218 SSLMessage msg;
219 if (!ssl->method->get_message(ssl, &msg)) {
220 return ssl_hs_read_message;
221 }
222 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
223 return ssl_hs_error;
224 }
225
226 CBS body = msg.body, server_random, session_id, extensions;
227 uint16_t server_version;
228 uint16_t cipher_suite;
229 uint8_t compression_method;
230 if (!CBS_get_u16(&body, &server_version) ||
231 !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
232 !CBS_get_u8_length_prefixed(&body, &session_id) ||
233 !CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) ||
234 !CBS_get_u16(&body, &cipher_suite) ||
235 !CBS_get_u8(&body, &compression_method) ||
236 compression_method != 0 ||
237 !CBS_get_u16_length_prefixed(&body, &extensions) ||
238 CBS_len(&body) != 0) {
239 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
240 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
241 return ssl_hs_error;
242 }
243
244 if (server_version != TLS1_2_VERSION) {
245 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
246 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
247 return ssl_hs_error;
248 }
249
250 // Forbid a second HelloRetryRequest.
251 if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
252 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
253 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
254 return ssl_hs_error;
255 }
256
257 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
258 SSL3_RANDOM_SIZE);
259
260 // Check if the cipher is a TLS 1.3 cipher.
261 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
262 if (cipher == nullptr ||
263 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
264 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
265 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
266 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
267 return ssl_hs_error;
268 }
269
270 // Check that the cipher matches the one in the HelloRetryRequest.
271 if (hs->received_hello_retry_request &&
272 hs->new_cipher != cipher) {
273 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
274 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
275 return ssl_hs_error;
276 }
277
278 // Parse out the extensions.
279 bool have_key_share = false, have_pre_shared_key = false,
280 have_supported_versions = false;
281 CBS key_share, pre_shared_key, supported_versions;
282 SSL_EXTENSION_TYPE ext_types[] = {
283 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
284 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
285 {TLSEXT_TYPE_supported_versions, &have_supported_versions,
286 &supported_versions},
287 };
288
289 uint8_t alert = SSL_AD_DECODE_ERROR;
290 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
291 OPENSSL_ARRAY_SIZE(ext_types),
292 0 /* reject unknown */)) {
293 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
294 return ssl_hs_error;
295 }
296
297 // Recheck supported_versions, in case this is the second ServerHello.
298 uint16_t version;
299 if (!have_supported_versions ||
300 !CBS_get_u16(&supported_versions, &version) ||
301 version != ssl->version) {
302 OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
303 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
304 return ssl_hs_error;
305 }
306
307 alert = SSL_AD_DECODE_ERROR;
308 if (have_pre_shared_key) {
309 if (ssl->session == NULL) {
310 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
311 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
312 return ssl_hs_error;
313 }
314
315 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
316 &pre_shared_key)) {
317 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
318 return ssl_hs_error;
319 }
320
321 if (ssl->session->ssl_version != ssl->version) {
322 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
323 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
324 return ssl_hs_error;
325 }
326
327 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {
328 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
329 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
330 return ssl_hs_error;
331 }
332
333 if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
334 // This is actually a client application bug.
335 OPENSSL_PUT_ERROR(SSL,
336 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
337 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
338 return ssl_hs_error;
339 }
340
341 ssl->s3->session_reused = true;
342 // Only authentication information carries over in TLS 1.3.
343 hs->new_session =
344 SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
345 if (!hs->new_session) {
346 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
347 return ssl_hs_error;
348 }
349 ssl_set_session(ssl, NULL);
350
351 // Resumption incorporates fresh key material, so refresh the timeout.
352 ssl_session_renew_timeout(ssl, hs->new_session.get(),
353 ssl->session_ctx->session_psk_dhe_timeout);
354 } else if (!ssl_get_new_session(hs, 0)) {
355 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
356 return ssl_hs_error;
357 }
358
359 hs->new_session->cipher = cipher;
360 hs->new_cipher = cipher;
361
362 size_t hash_len =
363 EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));
364
365 // Set up the key schedule and incorporate the PSK into the running secret.
366 if (ssl->s3->session_reused) {
367 if (!tls13_init_key_schedule(hs, hs->new_session->master_key,
368 hs->new_session->master_key_length)) {
369 return ssl_hs_error;
370 }
371 } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {
372 return ssl_hs_error;
373 }
374
375 if (!have_key_share) {
376 // We do not support psk_ke and thus always require a key share.
377 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
378 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
379 return ssl_hs_error;
380 }
381
382 // Resolve ECDHE and incorporate it into the secret.
383 Array<uint8_t> dhe_secret;
384 alert = SSL_AD_DECODE_ERROR;
385 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
386 &key_share)) {
387 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
388 return ssl_hs_error;
389 }
390
391 if (!tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()) ||
392 !ssl_hash_message(hs, msg) || !tls13_derive_handshake_secrets(hs) ||
393 !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
394 hs->server_handshake_secret, hs->hash_len)) {
395 return ssl_hs_error;
396 }
397
398 if (!hs->early_data_offered) {
399 // If not sending early data, set client traffic keys now so that alerts are
400 // encrypted.
401 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
402 hs->client_handshake_secret, hs->hash_len)) {
403 return ssl_hs_error;
404 }
405 }
406
407 ssl->method->next_message(ssl);
408 hs->tls13_state = state_read_encrypted_extensions;
409 return ssl_hs_ok;
410 }
411
do_read_encrypted_extensions(SSL_HANDSHAKE * hs)412 static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
413 SSL *const ssl = hs->ssl;
414 SSLMessage msg;
415 if (!ssl->method->get_message(ssl, &msg)) {
416 return ssl_hs_read_message;
417 }
418 if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
419 return ssl_hs_error;
420 }
421
422 CBS body = msg.body;
423 if (!ssl_parse_serverhello_tlsext(hs, &body)) {
424 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
425 return ssl_hs_error;
426 }
427 if (CBS_len(&body) != 0) {
428 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
429 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
430 return ssl_hs_error;
431 }
432
433 // Store the negotiated ALPN in the session.
434 if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
435 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
436 return ssl_hs_error;
437 }
438
439 if (ssl->s3->early_data_accepted) {
440 if (hs->early_session->cipher != hs->new_session->cipher ||
441 MakeConstSpan(hs->early_session->early_alpn) !=
442 ssl->s3->alpn_selected) {
443 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
444 return ssl_hs_error;
445 }
446 if (ssl->s3->channel_id_valid || ssl->s3->token_binding_negotiated) {
447 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
448 return ssl_hs_error;
449 }
450 }
451
452 if (!ssl_hash_message(hs, msg)) {
453 return ssl_hs_error;
454 }
455
456 ssl->method->next_message(ssl);
457 hs->tls13_state = state_read_certificate_request;
458 if (hs->in_early_data && !ssl->s3->early_data_accepted) {
459 return ssl_hs_early_data_rejected;
460 }
461 return ssl_hs_ok;
462 }
463
do_read_certificate_request(SSL_HANDSHAKE * hs)464 static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
465 SSL *const ssl = hs->ssl;
466 // CertificateRequest may only be sent in non-resumption handshakes.
467 if (ssl->s3->session_reused) {
468 if (ssl->ctx->reverify_on_resume && !ssl->s3->early_data_accepted) {
469 hs->tls13_state = state_server_certificate_reverify;
470 return ssl_hs_ok;
471 }
472 hs->tls13_state = state_read_server_finished;
473 return ssl_hs_ok;
474 }
475
476 SSLMessage msg;
477 if (!ssl->method->get_message(ssl, &msg)) {
478 return ssl_hs_read_message;
479 }
480
481 // CertificateRequest is optional.
482 if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
483 hs->tls13_state = state_read_server_certificate;
484 return ssl_hs_ok;
485 }
486
487
488 bool have_sigalgs = false, have_ca = false;
489 CBS sigalgs, ca;
490 const SSL_EXTENSION_TYPE ext_types[] = {
491 {TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},
492 {TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},
493 };
494
495 CBS body = msg.body, context, extensions, supported_signature_algorithms;
496 uint8_t alert = SSL_AD_DECODE_ERROR;
497 if (!CBS_get_u8_length_prefixed(&body, &context) ||
498 // The request context is always empty during the handshake.
499 CBS_len(&context) != 0 ||
500 !CBS_get_u16_length_prefixed(&body, &extensions) ||
501 CBS_len(&body) != 0 ||
502 !ssl_parse_extensions(&extensions, &alert, ext_types,
503 OPENSSL_ARRAY_SIZE(ext_types),
504 1 /* accept unknown */) ||
505 (have_ca && CBS_len(&ca) == 0) ||
506 !have_sigalgs ||
507 !CBS_get_u16_length_prefixed(&sigalgs,
508 &supported_signature_algorithms) ||
509 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
510 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
511 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
512 return ssl_hs_error;
513 }
514
515 if (have_ca) {
516 hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);
517 if (!hs->ca_names) {
518 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
519 return ssl_hs_error;
520 }
521 } else {
522 hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());
523 if (!hs->ca_names) {
524 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
525 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
526 return ssl_hs_error;
527 }
528 }
529
530 hs->cert_request = true;
531 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
532
533 if (!ssl_hash_message(hs, msg)) {
534 return ssl_hs_error;
535 }
536
537 ssl->method->next_message(ssl);
538 hs->tls13_state = state_read_server_certificate;
539 return ssl_hs_ok;
540 }
541
do_read_server_certificate(SSL_HANDSHAKE * hs)542 static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
543 SSL *const ssl = hs->ssl;
544 SSLMessage msg;
545 if (!ssl->method->get_message(ssl, &msg)) {
546 return ssl_hs_read_message;
547 }
548
549 if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&
550 !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
551 return ssl_hs_error;
552 }
553
554 if (!tls13_process_certificate(hs, msg, false /* certificate required */) ||
555 !ssl_hash_message(hs, msg)) {
556 return ssl_hs_error;
557 }
558
559 ssl->method->next_message(ssl);
560 hs->tls13_state = state_read_server_certificate_verify;
561 return ssl_hs_ok;
562 }
563
do_read_server_certificate_verify(SSL_HANDSHAKE * hs)564 static enum ssl_hs_wait_t do_read_server_certificate_verify(
565 SSL_HANDSHAKE *hs) {
566 SSL *const ssl = hs->ssl;
567 SSLMessage msg;
568 if (!ssl->method->get_message(ssl, &msg)) {
569 return ssl_hs_read_message;
570 }
571 switch (ssl_verify_peer_cert(hs)) {
572 case ssl_verify_ok:
573 break;
574 case ssl_verify_invalid:
575 return ssl_hs_error;
576 case ssl_verify_retry:
577 hs->tls13_state = state_read_server_certificate_verify;
578 return ssl_hs_certificate_verify;
579 }
580
581 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
582 !tls13_process_certificate_verify(hs, msg) ||
583 !ssl_hash_message(hs, msg)) {
584 return ssl_hs_error;
585 }
586
587 ssl->method->next_message(ssl);
588 hs->tls13_state = state_read_server_finished;
589 return ssl_hs_ok;
590 }
591
do_server_certificate_reverify(SSL_HANDSHAKE * hs)592 static enum ssl_hs_wait_t do_server_certificate_reverify(
593 SSL_HANDSHAKE *hs) {
594 switch (ssl_reverify_peer_cert(hs)) {
595 case ssl_verify_ok:
596 break;
597 case ssl_verify_invalid:
598 return ssl_hs_error;
599 case ssl_verify_retry:
600 hs->tls13_state = state_server_certificate_reverify;
601 return ssl_hs_certificate_verify;
602 }
603 hs->tls13_state = state_read_server_finished;
604 return ssl_hs_ok;
605 }
606
do_read_server_finished(SSL_HANDSHAKE * hs)607 static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
608 SSL *const ssl = hs->ssl;
609 SSLMessage msg;
610 if (!ssl->method->get_message(ssl, &msg)) {
611 return ssl_hs_read_message;
612 }
613 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
614 !tls13_process_finished(hs, msg, false /* don't use saved value */) ||
615 !ssl_hash_message(hs, msg) ||
616 // Update the secret to the master secret and derive traffic keys.
617 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
618 !tls13_derive_application_secrets(hs)) {
619 return ssl_hs_error;
620 }
621
622 ssl->method->next_message(ssl);
623 hs->tls13_state = state_send_end_of_early_data;
624 return ssl_hs_ok;
625 }
626
do_send_end_of_early_data(SSL_HANDSHAKE * hs)627 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
628 SSL *const ssl = hs->ssl;
629
630 if (ssl->s3->early_data_accepted) {
631 hs->can_early_write = false;
632 ScopedCBB cbb;
633 CBB body;
634 if (!ssl->method->init_message(ssl, cbb.get(), &body,
635 SSL3_MT_END_OF_EARLY_DATA) ||
636 !ssl_add_message_cbb(ssl, cbb.get())) {
637 return ssl_hs_error;
638 }
639 }
640
641 if (hs->early_data_offered) {
642 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
643 hs->client_handshake_secret, hs->hash_len)) {
644 return ssl_hs_error;
645 }
646 }
647
648 hs->tls13_state = state_send_client_certificate;
649 return ssl_hs_ok;
650 }
651
do_send_client_certificate(SSL_HANDSHAKE * hs)652 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
653 SSL *const ssl = hs->ssl;
654
655 // The peer didn't request a certificate.
656 if (!hs->cert_request) {
657 hs->tls13_state = state_complete_second_flight;
658 return ssl_hs_ok;
659 }
660
661 // Call cert_cb to update the certificate.
662 if (hs->config->cert->cert_cb != NULL) {
663 int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
664 if (rv == 0) {
665 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
666 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
667 return ssl_hs_error;
668 }
669 if (rv < 0) {
670 hs->tls13_state = state_send_client_certificate;
671 return ssl_hs_x509_lookup;
672 }
673 }
674
675 if (!ssl_on_certificate_selected(hs) ||
676 !tls13_add_certificate(hs)) {
677 return ssl_hs_error;
678 }
679
680 hs->tls13_state = state_send_client_certificate_verify;
681 return ssl_hs_ok;
682 }
683
do_send_client_certificate_verify(SSL_HANDSHAKE * hs)684 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
685 // Don't send CertificateVerify if there is no certificate.
686 if (!ssl_has_certificate(hs)) {
687 hs->tls13_state = state_complete_second_flight;
688 return ssl_hs_ok;
689 }
690
691 switch (tls13_add_certificate_verify(hs)) {
692 case ssl_private_key_success:
693 hs->tls13_state = state_complete_second_flight;
694 return ssl_hs_ok;
695
696 case ssl_private_key_retry:
697 hs->tls13_state = state_send_client_certificate_verify;
698 return ssl_hs_private_key_operation;
699
700 case ssl_private_key_failure:
701 return ssl_hs_error;
702 }
703
704 assert(0);
705 return ssl_hs_error;
706 }
707
do_complete_second_flight(SSL_HANDSHAKE * hs)708 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
709 SSL *const ssl = hs->ssl;
710
711 // Send a Channel ID assertion if necessary.
712 if (ssl->s3->channel_id_valid) {
713 if (!ssl_do_channel_id_callback(hs)) {
714 hs->tls13_state = state_complete_second_flight;
715 return ssl_hs_error;
716 }
717
718 if (hs->config->channel_id_private == NULL) {
719 return ssl_hs_channel_id_lookup;
720 }
721
722 ScopedCBB cbb;
723 CBB body;
724 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
725 !tls1_write_channel_id(hs, &body) ||
726 !ssl_add_message_cbb(ssl, cbb.get())) {
727 return ssl_hs_error;
728 }
729 }
730
731 // Send a Finished message.
732 if (!tls13_add_finished(hs)) {
733 return ssl_hs_error;
734 }
735
736 // Derive the final keys and enable them.
737 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
738 hs->server_traffic_secret_0, hs->hash_len) ||
739 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
740 hs->client_traffic_secret_0, hs->hash_len) ||
741 !tls13_derive_resumption_secret(hs)) {
742 return ssl_hs_error;
743 }
744
745 hs->tls13_state = state_done;
746 return ssl_hs_flush;
747 }
748
tls13_client_handshake(SSL_HANDSHAKE * hs)749 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
750 while (hs->tls13_state != state_done) {
751 enum ssl_hs_wait_t ret = ssl_hs_error;
752 enum client_hs_state_t state =
753 static_cast<enum client_hs_state_t>(hs->tls13_state);
754 switch (state) {
755 case state_read_hello_retry_request:
756 ret = do_read_hello_retry_request(hs);
757 break;
758 case state_send_second_client_hello:
759 ret = do_send_second_client_hello(hs);
760 break;
761 case state_read_server_hello:
762 ret = do_read_server_hello(hs);
763 break;
764 case state_read_encrypted_extensions:
765 ret = do_read_encrypted_extensions(hs);
766 break;
767 case state_read_certificate_request:
768 ret = do_read_certificate_request(hs);
769 break;
770 case state_read_server_certificate:
771 ret = do_read_server_certificate(hs);
772 break;
773 case state_read_server_certificate_verify:
774 ret = do_read_server_certificate_verify(hs);
775 break;
776 case state_server_certificate_reverify:
777 ret = do_server_certificate_reverify(hs);
778 break;
779 case state_read_server_finished:
780 ret = do_read_server_finished(hs);
781 break;
782 case state_send_end_of_early_data:
783 ret = do_send_end_of_early_data(hs);
784 break;
785 case state_send_client_certificate:
786 ret = do_send_client_certificate(hs);
787 break;
788 case state_send_client_certificate_verify:
789 ret = do_send_client_certificate_verify(hs);
790 break;
791 case state_complete_second_flight:
792 ret = do_complete_second_flight(hs);
793 break;
794 case state_done:
795 ret = ssl_hs_ok;
796 break;
797 }
798
799 if (hs->tls13_state != state) {
800 ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
801 }
802
803 if (ret != ssl_hs_ok) {
804 return ret;
805 }
806 }
807
808 return ssl_hs_ok;
809 }
810
tls13_client_handshake_state(SSL_HANDSHAKE * hs)811 const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
812 enum client_hs_state_t state =
813 static_cast<enum client_hs_state_t>(hs->tls13_state);
814 switch (state) {
815 case state_read_hello_retry_request:
816 return "TLS 1.3 client read_hello_retry_request";
817 case state_send_second_client_hello:
818 return "TLS 1.3 client send_second_client_hello";
819 case state_read_server_hello:
820 return "TLS 1.3 client read_server_hello";
821 case state_read_encrypted_extensions:
822 return "TLS 1.3 client read_encrypted_extensions";
823 case state_read_certificate_request:
824 return "TLS 1.3 client read_certificate_request";
825 case state_read_server_certificate:
826 return "TLS 1.3 client read_server_certificate";
827 case state_read_server_certificate_verify:
828 return "TLS 1.3 client read_server_certificate_verify";
829 case state_server_certificate_reverify:
830 return "TLS 1.3 client server_certificate_reverify";
831 case state_read_server_finished:
832 return "TLS 1.3 client read_server_finished";
833 case state_send_end_of_early_data:
834 return "TLS 1.3 client send_end_of_early_data";
835 case state_send_client_certificate:
836 return "TLS 1.3 client send_client_certificate";
837 case state_send_client_certificate_verify:
838 return "TLS 1.3 client send_client_certificate_verify";
839 case state_complete_second_flight:
840 return "TLS 1.3 client complete_second_flight";
841 case state_done:
842 return "TLS 1.3 client done";
843 }
844
845 return "TLS 1.3 client unknown";
846 }
847
tls13_process_new_session_ticket(SSL * ssl,const SSLMessage & msg)848 bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
849 if (ssl->s3->write_shutdown != ssl_shutdown_none) {
850 // Ignore tickets on shutdown. Callers tend to indiscriminately call
851 // |SSL_shutdown| before destroying an |SSL|, at which point calling the new
852 // session callback may be confusing.
853 return true;
854 }
855
856 UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
857 ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
858 if (!session) {
859 return false;
860 }
861
862 ssl_session_rebase_time(ssl, session.get());
863
864 uint32_t server_timeout;
865 CBS body = msg.body, ticket_nonce, ticket, extensions;
866 if (!CBS_get_u32(&body, &server_timeout) ||
867 !CBS_get_u32(&body, &session->ticket_age_add) ||
868 !CBS_get_u8_length_prefixed(&body, &ticket_nonce) ||
869 !CBS_get_u16_length_prefixed(&body, &ticket) ||
870 !session->ticket.CopyFrom(ticket) ||
871 !CBS_get_u16_length_prefixed(&body, &extensions) ||
872 CBS_len(&body) != 0) {
873 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
874 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
875 return false;
876 }
877
878 // Cap the renewable lifetime by the server advertised value. This avoids
879 // wasting bandwidth on 0-RTT when we know the server will reject it.
880 if (session->timeout > server_timeout) {
881 session->timeout = server_timeout;
882 }
883
884 if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
885 return false;
886 }
887
888 // Parse out the extensions.
889 bool have_early_data_info = false;
890 CBS early_data_info;
891 const SSL_EXTENSION_TYPE ext_types[] = {
892 {TLSEXT_TYPE_early_data, &have_early_data_info, &early_data_info},
893 };
894
895 uint8_t alert = SSL_AD_DECODE_ERROR;
896 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
897 OPENSSL_ARRAY_SIZE(ext_types),
898 1 /* ignore unknown */)) {
899 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
900 return false;
901 }
902
903 if (have_early_data_info && ssl->enable_early_data) {
904 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
905 CBS_len(&early_data_info) != 0) {
906 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
907 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
908 return false;
909 }
910 }
911
912 // Generate a session ID for this session. Some callers expect all sessions to
913 // have a session ID.
914 SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
915 session->session_id_length = SHA256_DIGEST_LENGTH;
916
917 session->ticket_age_add_valid = true;
918 session->not_resumable = false;
919
920 if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
921 ssl->session_ctx->new_session_cb != NULL &&
922 ssl->session_ctx->new_session_cb(ssl, session.get())) {
923 // |new_session_cb|'s return value signals that it took ownership.
924 session.release();
925 }
926
927 return true;
928 }
929
930 BSSL_NAMESPACE_END
931