Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 038da9b939ded45b7624ba31c38a2ea55d53d12a / . / ssl / tls13_client.c
blob: c92b53981836903f88a88d87fe2e9dbe38e48e4c [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]18#include <limits.h>
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]19#include <string.h>
20
21#include <openssl/bytestring.h>
22#include <openssl/digest.h>
23#include <openssl/err.h>
24#include <openssl/mem.h>
25#include <openssl/stack.h>
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]26
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]27#include "../crypto/internal.h"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]28#include "internal.h"
29
30
31enum client_hs_state_t {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]32 state_process_hello_retry_request = 0,
33 state_send_second_client_hello,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]34 state_process_server_hello,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]35 state_process_change_cipher_spec,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]36 state_process_encrypted_extensions,
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]37 state_continue_second_server_flight,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]38 state_process_certificate_request,
39 state_process_server_certificate,
40 state_process_server_certificate_verify,
41 state_process_server_finished,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]42 state_send_end_of_early_data,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]43 state_send_client_certificate,
44 state_send_client_certificate_verify,
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]45 state_complete_second_flight,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]46 state_done,
47};
48
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]49static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
50
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]51static enum ssl_hs_wait_t do_process_hello_retry_request(SSL_HANDSHAKE *hs) {
52 SSL *const ssl = hs->ssl;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]53 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]54 hs->tls13_state = state_process_server_hello;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]55 return ssl_hs_ok;
56 }
57
58 CBS cbs, extensions;
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]59 uint16_t server_version;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]60 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]61 if (!CBS_get_u16(&cbs, &server_version) ||
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]62 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]63 /* HelloRetryRequest may not be empty. */
64 CBS_len(&extensions) == 0 ||
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]65 CBS_len(&cbs) != 0) {
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]66 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]67 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
68 return ssl_hs_error;
69 }
70
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]71 int have_cookie, have_key_share;
72 CBS cookie, key_share;
73 const SSL_EXTENSION_TYPE ext_types[] = {
74 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
75 {TLSEXT_TYPE_cookie, &have_cookie, &cookie},
76 };
77
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]78 uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]79 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]80 OPENSSL_ARRAY_SIZE(ext_types),
81 0 /* reject unknown */)) {
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]82 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
83 return ssl_hs_error;
84 }
85
86 if (have_cookie) {
87 CBS cookie_value;
88 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||
89 CBS_len(&cookie_value) == 0 ||
90 CBS_len(&cookie) != 0) {
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]91 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
92 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
93 return ssl_hs_error;
94 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]95
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]96 if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {
97 return ssl_hs_error;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]98 }
99 }
100
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]101 if (have_key_share) {
102 uint16_t group_id;
103 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {
104 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
105 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
106 return ssl_hs_error;
107 }
108
109 /* The group must be supported. */
110 const uint16_t *groups;
111 size_t groups_len;
112 tls1_get_grouplist(ssl, &groups, &groups_len);
113 int found = 0;
114 for (size_t i = 0; i < groups_len; i++) {
115 if (groups[i] == group_id) {
116 found = 1;
117 break;
118 }
119 }
120
121 if (!found) {
122 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
123 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
124 return ssl_hs_error;
125 }
126
127 /* Check that the HelloRetryRequest does not request the key share that
128 * was provided in the initial ClientHello. */
129 if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {
130 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
131 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
132 return ssl_hs_error;
133 }
134
135 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
136 hs->retry_group = group_id;
137 }
138
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]139 if (!ssl_hash_current_message(hs)) {
David Benjaminf71036e2017-01-21 14:49:39 -0500[diff] [blame]140 return ssl_hs_error;
141 }
142
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]143 hs->received_hello_retry_request = 1;
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]144 hs->tls13_state = state_send_second_client_hello;
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]145 /* 0-RTT is rejected if we receive a HelloRetryRequest. */
146 if (hs->in_early_data) {
147 return ssl_hs_early_data_rejected;
148 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]149 return ssl_hs_ok;
150}
151
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]152static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]153 SSL *const ssl = hs->ssl;
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]154 if (!ssl->method->set_write_state(ssl, NULL) ||
155 !ssl_write_client_hello(hs)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]156 return ssl_hs_error;
157 }
158
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]159 hs->tls13_state = state_process_server_hello;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]160 return ssl_hs_flush_and_read_message;
161}
162
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]163static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {
164 SSL *const ssl = hs->ssl;
David Benjamin276b7e82017-01-21 14:13:39 -0500[diff] [blame]165 if (!ssl_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]166 return ssl_hs_error;
167 }
168
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]169 CBS cbs, server_random, session_id, extensions;
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]170 uint16_t server_version;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]171 uint16_t cipher_suite;
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]172 uint8_t compression_method;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]173 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]174 if (!CBS_get_u16(&cbs, &server_version) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]175 !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]176 (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
177 !CBS_get_u8_length_prefixed(&cbs, &session_id)) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]178 !CBS_get_u16(&cbs, &cipher_suite) ||
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]179 (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
180 (!CBS_get_u8(&cbs, &compression_method) || compression_method != 0)) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]181 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
182 CBS_len(&cbs) != 0) {
183 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]184 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
185 return ssl_hs_error;
186 }
187
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]188 uint16_t expected_version =
189 ssl->version == TLS1_3_EXPERIMENT_VERSION ? TLS1_2_VERSION : ssl->version;
190 if (server_version != expected_version) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]191 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
192 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]193 return ssl_hs_error;
194 }
195
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]196 assert(ssl->s3->have_version);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]197 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
198 SSL3_RANDOM_SIZE);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]199
200 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
201 if (cipher == NULL) {
202 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
203 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
204 return ssl_hs_error;
205 }
206
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]207 /* Check if the cipher is a TLS 1.3 cipher. */
208 if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
209 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]210 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
211 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
212 return ssl_hs_error;
213 }
214
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]215 /* Parse out the extensions. */
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]216 int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0;
217 CBS key_share, pre_shared_key, supported_versions;
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]218 const SSL_EXTENSION_TYPE ext_types[] = {
219 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
220 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]221 {TLSEXT_TYPE_supported_versions, &have_supported_versions,
222 &supported_versions},
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]223 };
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]224
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]225 uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]226 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]227 OPENSSL_ARRAY_SIZE(ext_types),
228 0 /* reject unknown */)) {
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]229 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
230 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]231 }
232
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame^]233 /* supported_versions is parsed in handshake_client to select the experimental
234 * TLS 1.3 version. */
235 if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) {
236 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
237 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
238 return ssl_hs_error;
239 }
240
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]241 alert = SSL_AD_DECODE_ERROR;
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]242 if (have_pre_shared_key) {
243 if (ssl->session == NULL) {
244 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
245 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
246 return ssl_hs_error;
247 }
248
David Benjamin8baf9632016-11-17 17:11:16 +0900[diff] [blame]249 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]250 &pre_shared_key)) {
251 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
252 return ssl_hs_error;
253 }
254
255 if (ssl->session->ssl_version != ssl->version) {
256 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
257 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
258 return ssl_hs_error;
259 }
260
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]261 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {
262 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]263 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
264 return ssl_hs_error;
265 }
266
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]267 if (!ssl_session_is_context_valid(ssl, ssl->session)) {
268 /* This is actually a client application bug. */
269 OPENSSL_PUT_ERROR(SSL,
270 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
271 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
272 return ssl_hs_error;
273 }
274
275 ssl->s3->session_reused = 1;
276 /* Only authentication information carries over in TLS 1.3. */
David Benjamin45738dd2017-02-09 20:01:26 -0500[diff] [blame]277 hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
278 if (hs->new_session == NULL) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]279 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
280 return ssl_hs_error;
281 }
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]282 ssl_set_session(ssl, NULL);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]283
284 /* Resumption incorporates fresh key material, so refresh the timeout. */
David Benjamin45738dd2017-02-09 20:01:26 -0500[diff] [blame]285 ssl_session_renew_timeout(ssl, hs->new_session,
David Benjaminbe497062017-03-10 16:08:36 -0500[diff] [blame]286 ssl->session_ctx->session_psk_dhe_timeout);
David Benjaminf3c8f8d2016-11-17 17:20:47 +0900[diff] [blame]287 } else if (!ssl_get_new_session(hs, 0)) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]288 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]289 return ssl_hs_error;
290 }
291
David Benjamin45738dd2017-02-09 20:01:26 -0500[diff] [blame]292 hs->new_session->cipher = cipher;
293 hs->new_cipher = cipher;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]294
295 /* The PRF hash is now known. Set up the key schedule. */
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]296 if (!tls13_init_key_schedule(hs)) {
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]297 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]298 }
299
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]300 /* Incorporate the PSK into the running secret. */
301 if (ssl->s3->session_reused) {
David Benjamin45738dd2017-02-09 20:01:26 -0500[diff] [blame]302 if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
303 hs->new_session->master_key_length)) {
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]304 return ssl_hs_error;
305 }
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]306 } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]307 return ssl_hs_error;
308 }
309
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]310 if (!have_key_share) {
311 /* We do not support psk_ke and thus always require a key share. */
312 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
313 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
314 return ssl_hs_error;
315 }
316
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]317 /* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]318 uint8_t *dhe_secret;
319 size_t dhe_secret_len;
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]320 alert = SSL_AD_DECODE_ERROR;
David Benjamin8baf9632016-11-17 17:11:16 +0900[diff] [blame]321 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]322 &alert, &key_share)) {
323 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
324 return ssl_hs_error;
325 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]326
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]327 if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]328 OPENSSL_free(dhe_secret);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]329 return ssl_hs_error;
330 }
331 OPENSSL_free(dhe_secret);
332
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]333 if (!ssl_hash_current_message(hs) ||
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]334 !tls13_derive_handshake_secrets(hs)) {
335 return ssl_hs_error;
336 }
337 hs->tls13_state = state_process_change_cipher_spec;
338 return ssl->version == TLS1_3_EXPERIMENT_VERSION
339 ? ssl_hs_read_change_cipher_spec
340 : ssl_hs_ok;
341}
342
343static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
344 SSL *const ssl = hs->ssl;
345 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]346 hs->hash_len)) {
347 return ssl_hs_error;
348 }
349
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]350 if (!hs->early_data_offered) {
351 /* If not sending early data, set client traffic keys now so that alerts are
352 * encrypted. */
353 if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
354 !ssl3_add_change_cipher_spec(ssl)) ||
355 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
356 hs->hash_len)) {
357 return ssl_hs_error;
358 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]359 }
360
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]361 hs->tls13_state = state_process_encrypted_extensions;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]362 return ssl_hs_read_message;
363}
364
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]365static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL_HANDSHAKE *hs) {
366 SSL *const ssl = hs->ssl;
David Benjamin276b7e82017-01-21 14:13:39 -0500[diff] [blame]367 if (!ssl_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]368 return ssl_hs_error;
369 }
370
371 CBS cbs;
372 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
David Benjamin8c880a22016-12-03 02:20:34 -0500[diff] [blame]373 if (!ssl_parse_serverhello_tlsext(hs, &cbs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]374 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
375 return ssl_hs_error;
376 }
377 if (CBS_len(&cbs) != 0) {
378 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
379 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
380 return ssl_hs_error;
381 }
382
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]383 /* Store the negotiated ALPN in the session. */
384 if (ssl->s3->alpn_selected != NULL) {
385 hs->new_session->early_alpn =
386 BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
387 if (hs->new_session->early_alpn == NULL) {
388 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
389 return ssl_hs_error;
390 }
391 hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;
392 }
393
394 if (ssl->early_data_accepted) {
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]395 if (hs->early_session->cipher != hs->new_session->cipher ||
396 hs->early_session->early_alpn_len != ssl->s3->alpn_selected_len ||
397 OPENSSL_memcmp(hs->early_session->early_alpn, ssl->s3->alpn_selected,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]398 ssl->s3->alpn_selected_len) != 0) {
399 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
400 return ssl_hs_error;
401 }
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]402 if (ssl->s3->tlsext_channel_id_valid) {
403 OPENSSL_PUT_ERROR(SSL, SSL_R_CHANNEL_ID_ON_EARLY_DATA);
404 return ssl_hs_error;
405 }
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]406 }
407
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]408 if (!ssl_hash_current_message(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]409 return ssl_hs_error;
410 }
411
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]412 hs->tls13_state = state_continue_second_server_flight;
413 if (hs->in_early_data && !ssl->early_data_accepted) {
414 return ssl_hs_early_data_rejected;
415 }
416 return ssl_hs_ok;
417}
418
419static enum ssl_hs_wait_t do_continue_second_server_flight(SSL_HANDSHAKE *hs) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]420 hs->tls13_state = state_process_certificate_request;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]421 return ssl_hs_read_message;
422}
423
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]424static enum ssl_hs_wait_t do_process_certificate_request(SSL_HANDSHAKE *hs) {
425 SSL *const ssl = hs->ssl;
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]426 /* CertificateRequest may only be sent in non-resumption handshakes. */
427 if (ssl->s3->session_reused) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]428 hs->tls13_state = state_process_server_finished;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]429 return ssl_hs_ok;
430 }
431
432 /* CertificateRequest is optional. */
433 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]434 hs->tls13_state = state_process_server_certificate;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]435 return ssl_hs_ok;
436 }
437
438 CBS cbs, context, supported_signature_algorithms;
439 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
440 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]441 /* The request context is always empty during the handshake. */
442 CBS_len(&context) != 0 ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]443 !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]444 CBS_len(&supported_signature_algorithms) == 0 ||
David Benjaminf3c8f8d2016-11-17 17:20:47 +0900[diff] [blame]445 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]446 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
447 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
448 return ssl_hs_error;
449 }
450
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]451 uint8_t alert = SSL_AD_DECODE_ERROR;
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]452 STACK_OF(CRYPTO_BUFFER) *ca_names =
453 ssl_parse_client_CA_list(ssl, &alert, &cbs);
454 if (ca_names == NULL) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]455 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
456 return ssl_hs_error;
457 }
458
459 /* Ignore extensions. */
460 CBS extensions;
461 if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
462 CBS_len(&cbs) != 0) {
463 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]464 sk_CRYPTO_BUFFER_pop_free(ca_names, CRYPTO_BUFFER_free);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]465 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
466 return ssl_hs_error;
467 }
468
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]469 hs->cert_request = 1;
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]470 sk_CRYPTO_BUFFER_pop_free(hs->ca_names, CRYPTO_BUFFER_free);
471 hs->ca_names = ca_names;
472 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]473
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]474 if (!ssl_hash_current_message(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]475 return ssl_hs_error;
476 }
477
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]478 hs->tls13_state = state_process_server_certificate;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]479 return ssl_hs_read_message;
480}
481
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]482static enum ssl_hs_wait_t do_process_server_certificate(SSL_HANDSHAKE *hs) {
483 SSL *const ssl = hs->ssl;
David Benjamin276b7e82017-01-21 14:13:39 -0500[diff] [blame]484 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
Adam Langley0c294252016-12-12 11:46:09 -0800[diff] [blame]485 !tls13_process_certificate(hs, 0 /* certificate required */) ||
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]486 !ssl_hash_current_message(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]487 return ssl_hs_error;
488 }
489
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]490 hs->tls13_state = state_process_server_certificate_verify;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]491 return ssl_hs_read_message;
492}
493
494static enum ssl_hs_wait_t do_process_server_certificate_verify(
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]495 SSL_HANDSHAKE *hs) {
496 SSL *const ssl = hs->ssl;
David Benjamin276b7e82017-01-21 14:13:39 -0500[diff] [blame]497 if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
Adam Langley0c294252016-12-12 11:46:09 -0800[diff] [blame]498 !tls13_process_certificate_verify(hs) ||
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]499 !ssl_hash_current_message(hs)) {
David Benjamin6929f272016-11-16 19:10:08 +0900[diff] [blame]500 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]501 }
502
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]503 hs->tls13_state = state_process_server_finished;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]504 return ssl_hs_read_message;
505}
506
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]507static enum ssl_hs_wait_t do_process_server_finished(SSL_HANDSHAKE *hs) {
508 SSL *const ssl = hs->ssl;
David Benjamin276b7e82017-01-21 14:13:39 -0500[diff] [blame]509 if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) ||
David Benjamin794cc592017-03-25 22:24:23 -0500[diff] [blame]510 !tls13_process_finished(hs, 0 /* don't use saved value */) ||
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]511 !ssl_hash_current_message(hs) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]512 /* Update the secret to the master secret and derive traffic keys. */
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]513 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
514 !tls13_derive_application_secrets(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]515 return ssl_hs_error;
516 }
517
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]518 ssl->method->received_flight(ssl);
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]519 hs->tls13_state = state_send_end_of_early_data;
520 return ssl_hs_ok;
521}
522
523static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
524 SSL *const ssl = hs->ssl;
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]525
526 if (ssl->early_data_accepted) {
527 hs->can_early_write = 0;
528 if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,
529 TLS1_AD_END_OF_EARLY_DATA)) {
530 return ssl_hs_error;
531 }
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]532 }
533
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]534 if (hs->early_data_offered) {
535 if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
536 !ssl3_add_change_cipher_spec(ssl)) ||
537 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
538 hs->hash_len)) {
539 return ssl_hs_error;
540 }
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]541 }
542
David Benjamin5edfc8c2016-12-10 15:46:58 -0500[diff] [blame]543 hs->tls13_state = state_send_client_certificate;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]544 return ssl_hs_ok;
545}
546
David Benjamin5edfc8c2016-12-10 15:46:58 -0500[diff] [blame]547static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]548 SSL *const ssl = hs->ssl;
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]549
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]550 /* The peer didn't request a certificate. */
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]551 if (!hs->cert_request) {
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]552 hs->tls13_state = state_complete_second_flight;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]553 return ssl_hs_ok;
554 }
555
556 /* Call cert_cb to update the certificate. */
557 if (ssl->cert->cert_cb != NULL) {
558 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
559 if (rv == 0) {
560 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
561 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
562 return ssl_hs_error;
563 }
564 if (rv < 0) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]565 hs->tls13_state = state_send_client_certificate;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]566 return ssl_hs_x509_lookup;
567 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]568 }
569
David Benjamina232a712017-03-30 15:51:53 -0500[diff] [blame]570 if (!ssl_on_certificate_selected(hs) ||
David Benjamin0f24bed2017-01-12 19:46:50 -0500[diff] [blame]571 !tls13_add_certificate(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]572 return ssl_hs_error;
573 }
574
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]575 hs->tls13_state = state_send_client_certificate_verify;
David Benjamin25ac2512017-01-12 19:31:28 -0500[diff] [blame]576 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]577}
578
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]579static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]580 SSL *const ssl = hs->ssl;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]581 /* Don't send CertificateVerify if there is no certificate. */
582 if (!ssl_has_certificate(ssl)) {
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]583 hs->tls13_state = state_complete_second_flight;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]584 return ssl_hs_ok;
585 }
586
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]587 switch (tls13_add_certificate_verify(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]588 case ssl_private_key_success:
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]589 hs->tls13_state = state_complete_second_flight;
David Benjamin25ac2512017-01-12 19:31:28 -0500[diff] [blame]590 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]591
592 case ssl_private_key_retry:
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]593 hs->tls13_state = state_send_client_certificate_verify;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]594 return ssl_hs_private_key_operation;
595
596 case ssl_private_key_failure:
597 return ssl_hs_error;
598 }
599
600 assert(0);
601 return ssl_hs_error;
602}
603
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]604static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]605 SSL *const ssl = hs->ssl;
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]606
607 /* Send a Channel ID assertion if necessary. */
608 if (ssl->s3->tlsext_channel_id_valid) {
609 if (!ssl_do_channel_id_callback(ssl)) {
610 hs->tls13_state = state_complete_second_flight;
611 return ssl_hs_error;
612 }
613
614 if (ssl->tlsext_channel_id_private == NULL) {
615 return ssl_hs_channel_id_lookup;
616 }
617
618 CBB cbb, body;
619 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]620 !tls1_write_channel_id(hs, &body) ||
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]621 !ssl_add_message_cbb(ssl, &cbb)) {
622 CBB_cleanup(&cbb);
623 return ssl_hs_error;
624 }
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]625 }
626
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]627 /* Send a Finished message. */
David Benjamin0f24bed2017-01-12 19:46:50 -0500[diff] [blame]628 if (!tls13_add_finished(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]629 return ssl_hs_error;
630 }
631
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]632 /* Derive the final keys and enable them. */
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]633 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
634 hs->hash_len) ||
635 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
636 hs->hash_len) ||
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]637 !tls13_derive_resumption_secret(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]638 return ssl_hs_error;
639 }
640
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]641 hs->tls13_state = state_done;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]642 return ssl_hs_flush;
643}
644
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]645enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]646 while (hs->tls13_state != state_done) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]647 enum ssl_hs_wait_t ret = ssl_hs_error;
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]648 enum client_hs_state_t state = hs->tls13_state;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]649 switch (state) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]650 case state_process_hello_retry_request:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]651 ret = do_process_hello_retry_request(hs);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]652 break;
653 case state_send_second_client_hello:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]654 ret = do_send_second_client_hello(hs);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]655 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]656 case state_process_server_hello:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]657 ret = do_process_server_hello(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]658 break;
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]659 case state_process_change_cipher_spec:
660 ret = do_process_change_cipher_spec(hs);
661 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]662 case state_process_encrypted_extensions:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]663 ret = do_process_encrypted_extensions(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]664 break;
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]665 case state_continue_second_server_flight:
666 ret = do_continue_second_server_flight(hs);
667 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]668 case state_process_certificate_request:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]669 ret = do_process_certificate_request(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]670 break;
671 case state_process_server_certificate:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]672 ret = do_process_server_certificate(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]673 break;
674 case state_process_server_certificate_verify:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]675 ret = do_process_server_certificate_verify(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]676 break;
677 case state_process_server_finished:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]678 ret = do_process_server_finished(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]679 break;
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]680 case state_send_end_of_early_data:
681 ret = do_send_end_of_early_data(hs);
682 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]683 case state_send_client_certificate:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]684 ret = do_send_client_certificate(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]685 break;
686 case state_send_client_certificate_verify:
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]687 ret = do_send_client_certificate_verify(hs);
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]688 break;
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]689 case state_complete_second_flight:
690 ret = do_complete_second_flight(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]691 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]692 case state_done:
693 ret = ssl_hs_ok;
694 break;
695 }
696
697 if (ret != ssl_hs_ok) {
698 return ret;
699 }
700 }
701
702 return ssl_hs_ok;
703}
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]704
705int tls13_process_new_session_ticket(SSL *ssl) {
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]706 int ret = 0;
Adam Langley46db7af2017-02-01 15:49:37 -0800[diff] [blame]707 SSL_SESSION *session = SSL_SESSION_dup(ssl->s3->established_session,
708 SSL_SESSION_INCLUDE_NONAUTH);
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]709 if (session == NULL) {
710 return 0;
711 }
712
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]713 ssl_session_rebase_time(ssl, session);
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]714
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]715 uint32_t server_timeout;
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]716 CBS cbs, ticket, extensions;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]717 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]718 if (!CBS_get_u32(&cbs, &server_timeout) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]719 !CBS_get_u32(&cbs, &session->ticket_age_add) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]720 !CBS_get_u16_length_prefixed(&cbs, &ticket) ||
721 !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]722 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]723 CBS_len(&cbs) != 0) {
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]724 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
725 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]726 goto err;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]727 }
728
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]729 /* Cap the renewable lifetime by the server advertised value. This avoids
David Benjaminad8f5e12017-02-20 17:00:20 -0500[diff] [blame]730 * wasting bandwidth on 0-RTT when we know the server will reject it. */
731 if (session->timeout > server_timeout) {
732 session->timeout = server_timeout;
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]733 }
734
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]735 /* Parse out the extensions. */
736 int have_early_data_info = 0;
737 CBS early_data_info;
738 const SSL_EXTENSION_TYPE ext_types[] = {
739 {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,
740 &early_data_info},
741 };
742
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]743 uint8_t alert = SSL_AD_DECODE_ERROR;
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]744 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
745 OPENSSL_ARRAY_SIZE(ext_types),
746 1 /* ignore unknown */)) {
747 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]748 goto err;
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]749 }
750
Alessandro Ghedini67bb45f2017-03-30 16:33:24 -0500[diff] [blame]751 if (have_early_data_info && ssl->cert->enable_early_data) {
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]752 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
753 CBS_len(&early_data_info) != 0) {
754 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]755 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
756 goto err;
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]757 }
758 }
759
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]760 session->ticket_age_add_valid = 1;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]761 session->not_resumable = 0;
762
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]763 if (ssl->ctx->new_session_cb != NULL &&
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]764 ssl->ctx->new_session_cb(ssl, session)) {
765 /* |new_session_cb|'s return value signals that it took ownership. */
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]766 session = NULL;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]767 }
768
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]769 ret = 1;
770
771err:
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]772 SSL_SESSION_free(session);
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]773 return ret;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]774}
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]775
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]776void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {
777 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]778
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]779 OPENSSL_free(hs->key_share_bytes);
780 hs->key_share_bytes = NULL;
781 hs->key_share_bytes_len = 0;
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]782}