Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / a833c357edae4eb7f47b9808bf744bd9bb0df18d / . / ssl / tls13_client.c
blob: e540b779e2cfd6cff9bade933cb8cdb8150d5255 [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/digest.h>
22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/stack.h>
25#include <openssl/x509.h>
26
27#include "internal.h"
28
29
30enum client_hs_state_t {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]31 state_process_hello_retry_request = 0,
32 state_send_second_client_hello,
33 state_flush_second_client_hello,
34 state_process_server_hello,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]35 state_process_encrypted_extensions,
36 state_process_certificate_request,
37 state_process_server_certificate,
38 state_process_server_certificate_verify,
39 state_process_server_finished,
40 state_certificate_callback,
41 state_send_client_certificate,
42 state_send_client_certificate_verify,
43 state_complete_client_certificate_verify,
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]44 state_send_channel_id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]45 state_send_client_finished,
46 state_flush,
47 state_done,
48};
49
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]50static enum ssl_hs_wait_t do_process_hello_retry_request(SSL *ssl,
51 SSL_HANDSHAKE *hs) {
52 if (ssl->s3->tmp.message_type != SSL3_MT_HELLO_RETRY_REQUEST) {
53 hs->state = state_process_server_hello;
54 return ssl_hs_ok;
55 }
56
57 CBS cbs, extensions;
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]58 uint16_t server_wire_version;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]59 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
60 if (!CBS_get_u16(&cbs, &server_wire_version) ||
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]61 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]62 /* HelloRetryRequest may not be empty. */
63 CBS_len(&extensions) == 0 ||
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]64 CBS_len(&cbs) != 0) {
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]65 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]66 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
67 return ssl_hs_error;
68 }
69
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]70 while (CBS_len(&extensions) != 0) {
71 uint16_t type;
72 CBS extension;
73 if (!CBS_get_u16(&extensions, &type) ||
74 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
75 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
76 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
77 return ssl_hs_error;
78 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]79
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]80 switch (type) {
81 case TLSEXT_TYPE_cookie: {
82 if (hs->cookie != NULL) {
83 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
84 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
85 return ssl_hs_error;
86 }
87
88 /* Cookies may be requested whether or not advertised, so no need to
89 * check. */
90
91 CBS cookie;
92 if (!CBS_get_u16_length_prefixed(&extension, &cookie) ||
93 CBS_len(&cookie) == 0 ||
94 CBS_len(&extension) != 0) {
95 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
96 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
97 return ssl_hs_error;
98 }
99
100 if (!CBS_stow(&cookie, &hs->cookie, &hs->cookie_len)) {
101 return ssl_hs_error;
102 }
103 break;
104 }
105
106 case TLSEXT_TYPE_key_share: {
107 if (hs->retry_group != 0) {
108 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
109 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
110 return ssl_hs_error;
111 }
112
113 /* key_share is always advertised, so no need to check. */
114
115 uint16_t group_id;
116 if (!CBS_get_u16(&extension, &group_id) ||
117 CBS_len(&extension) != 0) {
118 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
119 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
120 return ssl_hs_error;
121 }
122
123 /* The group must be supported. */
124 const uint16_t *groups;
125 size_t groups_len;
126 tls1_get_grouplist(ssl, &groups, &groups_len);
127 int found = 0;
128 for (size_t i = 0; i < groups_len; i++) {
129 if (groups[i] == group_id) {
130 found = 1;
131 break;
132 }
133 }
134
135 if (!found) {
136 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
137 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
138 return ssl_hs_error;
139 }
140
141 /* Check that the HelloRetryRequest does not request the key share that
142 * was provided in the initial ClientHello. */
143 if (SSL_ECDH_CTX_get_id(&hs->ecdh_ctx) == group_id) {
144 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
145 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
146 return ssl_hs_error;
147 }
148
149 SSL_ECDH_CTX_cleanup(&hs->ecdh_ctx);
150 hs->retry_group = group_id;
151 break;
152 }
153
154 default:
155 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
156 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
157 return ssl_hs_error;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]158 }
159 }
160
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]161 hs->received_hello_retry_request = 1;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]162 hs->state = state_send_second_client_hello;
163 return ssl_hs_ok;
164}
165
166static enum ssl_hs_wait_t do_send_second_client_hello(SSL *ssl,
167 SSL_HANDSHAKE *hs) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]168 if (!ssl_write_client_hello(ssl)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]169 return ssl_hs_error;
170 }
171
172 hs->state = state_flush_second_client_hello;
173 return ssl_hs_write_message;
174}
175
176static enum ssl_hs_wait_t do_flush_second_client_hello(SSL *ssl,
177 SSL_HANDSHAKE *hs) {
178 hs->state = state_process_server_hello;
179 return ssl_hs_flush_and_read_message;
180}
181
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]182static enum ssl_hs_wait_t do_process_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
183 if (!tls13_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {
184 return ssl_hs_error;
185 }
186
187 CBS cbs, server_random, extensions;
188 uint16_t server_wire_version;
189 uint16_t cipher_suite;
190 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
191 if (!CBS_get_u16(&cbs, &server_wire_version) ||
192 !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||
193 !CBS_get_u16(&cbs, &cipher_suite) ||
194 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
195 CBS_len(&cbs) != 0) {
196 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]197 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
198 return ssl_hs_error;
199 }
200
201 if (server_wire_version != ssl->version) {
202 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
203 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]204 return ssl_hs_error;
205 }
206
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]207 assert(ssl->s3->have_version);
208 memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
209
210 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
211 if (cipher == NULL) {
212 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
213 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
214 return ssl_hs_error;
215 }
216
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]217 /* Check if the cipher is a TLS 1.3 cipher. */
218 if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
219 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]220 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
221 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
222 return ssl_hs_error;
223 }
224
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]225 /* Parse out the extensions. */
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]226 int have_key_share = 0, have_pre_shared_key = 0;
227 CBS key_share, pre_shared_key;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]228 while (CBS_len(&extensions) != 0) {
229 uint16_t type;
230 CBS extension;
231 if (!CBS_get_u16(&extensions, &type) ||
232 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
233 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
234 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
235 return ssl_hs_error;
236 }
237
238 switch (type) {
239 case TLSEXT_TYPE_key_share:
240 if (have_key_share) {
241 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]242 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]243 return ssl_hs_error;
244 }
245 key_share = extension;
246 have_key_share = 1;
247 break;
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]248 case TLSEXT_TYPE_pre_shared_key:
249 if (have_pre_shared_key) {
250 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]251 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]252 return ssl_hs_error;
253 }
254 pre_shared_key = extension;
255 have_pre_shared_key = 1;
256 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]257 default:
258 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
259 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
260 return ssl_hs_error;
261 }
262 }
263
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]264 /* We only support PSK_DHE_KE. */
265 if (!have_key_share) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]266 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
267 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
268 return ssl_hs_error;
269 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]270
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]271 uint8_t alert = SSL_AD_DECODE_ERROR;
272 if (have_pre_shared_key) {
273 if (ssl->session == NULL) {
274 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
275 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
276 return ssl_hs_error;
277 }
278
279 if (!ssl_ext_pre_shared_key_parse_serverhello(ssl, &alert,
280 &pre_shared_key)) {
281 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
282 return ssl_hs_error;
283 }
284
285 if (ssl->session->ssl_version != ssl->version) {
286 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
287 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
288 return ssl_hs_error;
289 }
290
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]291 if (ssl->session->cipher != cipher) {
292 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
293 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
294 return ssl_hs_error;
295 }
296
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]297 if (!ssl_session_is_context_valid(ssl, ssl->session)) {
298 /* This is actually a client application bug. */
299 OPENSSL_PUT_ERROR(SSL,
300 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
301 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
302 return ssl_hs_error;
303 }
304
305 ssl->s3->session_reused = 1;
306 /* Only authentication information carries over in TLS 1.3. */
307 ssl->s3->new_session =
308 SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
309 if (ssl->s3->new_session == NULL) {
310 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
311 return ssl_hs_error;
312 }
David Benjamin4d0be242016-09-01 01:10:07 -0400[diff] [blame]313 ssl_set_session(ssl, NULL);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]314 } else if (!ssl_get_new_session(ssl, 0)) {
315 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]316 return ssl_hs_error;
317 }
318
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]319 ssl->s3->new_session->cipher = cipher;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]320 ssl->s3->tmp.new_cipher = cipher;
321
322 /* The PRF hash is now known. Set up the key schedule. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]323 size_t hash_len =
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]324 EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]325
326 /* Derive resumption material. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]327 uint8_t psk_secret[EVP_MAX_MD_SIZE] = {0};
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]328 if (ssl->s3->session_reused) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]329 if (hash_len != (size_t) ssl->s3->new_session->master_key_length) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]330 return ssl_hs_error;
331 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]332 memcpy(psk_secret, ssl->s3->new_session->master_key, hash_len);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]333 }
334
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]335 /* Set up the key schedule, hash in the ClientHello, and incorporate the PSK
336 * into the running secret. */
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]337 if (!tls13_init_key_schedule(ssl) ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]338 !tls13_advance_key_schedule(ssl, psk_secret, hash_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]339 return ssl_hs_error;
340 }
341
342 /* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]343 uint8_t *dhe_secret;
344 size_t dhe_secret_len;
345 if (!ssl_ext_key_share_parse_serverhello(ssl, &dhe_secret, &dhe_secret_len,
346 &alert, &key_share)) {
347 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
348 return ssl_hs_error;
349 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]350
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]351 if (!tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]352 OPENSSL_free(dhe_secret);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]353 return ssl_hs_error;
354 }
355 OPENSSL_free(dhe_secret);
356
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]357 /* If there was no HelloRetryRequest, the version negotiation logic has
358 * already hashed the message. */
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]359 if (hs->received_hello_retry_request &&
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]360 !ssl_hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]361 return ssl_hs_error;
362 }
363
364 if (!tls13_set_handshake_traffic(ssl)) {
365 return ssl_hs_error;
366 }
367
368 hs->state = state_process_encrypted_extensions;
369 return ssl_hs_read_message;
370}
371
372static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL *ssl,
373 SSL_HANDSHAKE *hs) {
374 if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
375 return ssl_hs_error;
376 }
377
378 CBS cbs;
379 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
380 if (!ssl_parse_serverhello_tlsext(ssl, &cbs)) {
381 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
382 return ssl_hs_error;
383 }
384 if (CBS_len(&cbs) != 0) {
385 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
386 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
387 return ssl_hs_error;
388 }
389
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]390 if (!ssl_hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]391 return ssl_hs_error;
392 }
393
394 hs->state = state_process_certificate_request;
395 return ssl_hs_read_message;
396}
397
398static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,
399 SSL_HANDSHAKE *hs) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]400 /* CertificateRequest may only be sent in non-resumption handshakes. */
401 if (ssl->s3->session_reused) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]402 hs->state = state_process_server_finished;
403 return ssl_hs_ok;
404 }
405
406 /* CertificateRequest is optional. */
407 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
408 hs->state = state_process_server_certificate;
409 return ssl_hs_ok;
410 }
411
412 CBS cbs, context, supported_signature_algorithms;
413 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
414 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]415 /* The request context is always empty during the handshake. */
416 CBS_len(&context) != 0 ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]417 !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]418 CBS_len(&supported_signature_algorithms) == 0 ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]419 !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
420 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
421 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
422 return ssl_hs_error;
423 }
424
425 uint8_t alert;
426 STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);
427 if (ca_sk == NULL) {
428 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
429 return ssl_hs_error;
430 }
431
432 /* Ignore extensions. */
433 CBS extensions;
434 if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
435 CBS_len(&cbs) != 0) {
436 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]437 sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]438 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
439 return ssl_hs_error;
440 }
441
David Benjamina0486782016-10-06 19:11:32 -0400[diff] [blame]442 ssl->s3->hs->cert_request = 1;
443 sk_X509_NAME_pop_free(ssl->s3->hs->ca_names, X509_NAME_free);
444 ssl->s3->hs->ca_names = ca_sk;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]445
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]446 if (!ssl_hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]447 return ssl_hs_error;
448 }
449
450 hs->state = state_process_server_certificate;
451 return ssl_hs_read_message;
452}
453
454static enum ssl_hs_wait_t do_process_server_certificate(SSL *ssl,
455 SSL_HANDSHAKE *hs) {
456 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]457 !tls13_process_certificate(ssl, 0 /* certificate required */) ||
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]458 !ssl_hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]459 return ssl_hs_error;
460 }
461
462 hs->state = state_process_server_certificate_verify;
463 return ssl_hs_read_message;
464}
465
466static enum ssl_hs_wait_t do_process_server_certificate_verify(
467 SSL *ssl, SSL_HANDSHAKE *hs) {
468 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
469 !tls13_process_certificate_verify(ssl) ||
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]470 !ssl_hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]471 return 0;
472 }
473
474 hs->state = state_process_server_finished;
475 return ssl_hs_read_message;
476}
477
478static enum ssl_hs_wait_t do_process_server_finished(SSL *ssl,
479 SSL_HANDSHAKE *hs) {
480 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]481 if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||
482 !tls13_process_finished(ssl) ||
David Benjaminced94792016-11-14 17:12:11 +0900[diff] [blame]483 !ssl_hash_current_message(ssl) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]484 /* Update the secret to the master secret and derive traffic keys. */
485 !tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]486 !tls13_derive_application_secrets(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]487 return ssl_hs_error;
488 }
489
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]490 ssl->method->received_flight(ssl);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]491 hs->state = state_certificate_callback;
492 return ssl_hs_ok;
493}
494
495static enum ssl_hs_wait_t do_certificate_callback(SSL *ssl, SSL_HANDSHAKE *hs) {
496 /* The peer didn't request a certificate. */
David Benjamina0486782016-10-06 19:11:32 -0400[diff] [blame]497 if (!ssl->s3->hs->cert_request) {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]498 hs->state = state_send_channel_id;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]499 return ssl_hs_ok;
500 }
501
502 /* Call cert_cb to update the certificate. */
503 if (ssl->cert->cert_cb != NULL) {
504 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
505 if (rv == 0) {
506 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
507 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
508 return ssl_hs_error;
509 }
510 if (rv < 0) {
511 hs->state = state_certificate_callback;
512 return ssl_hs_x509_lookup;
513 }
514 }
515
516 hs->state = state_send_client_certificate;
517 return ssl_hs_ok;
518}
519
520static enum ssl_hs_wait_t do_send_client_certificate(SSL *ssl,
521 SSL_HANDSHAKE *hs) {
David Benjamin13f1ebe2016-07-20 10:11:04 +0200[diff] [blame]522 /* Call client_cert_cb to update the certificate. */
523 int should_retry;
524 if (!ssl_do_client_cert_cb(ssl, &should_retry)) {
525 if (should_retry) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]526 hs->state = state_send_client_certificate;
527 return ssl_hs_x509_lookup;
528 }
David Benjamin13f1ebe2016-07-20 10:11:04 +0200[diff] [blame]529 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]530 }
531
532 if (!tls13_prepare_certificate(ssl)) {
533 return ssl_hs_error;
534 }
535
536 hs->state = state_send_client_certificate_verify;
537 return ssl_hs_write_message;
538}
539
540static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL *ssl,
541 SSL_HANDSHAKE *hs,
542 int is_first_run) {
543 /* Don't send CertificateVerify if there is no certificate. */
544 if (!ssl_has_certificate(ssl)) {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]545 hs->state = state_send_channel_id;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]546 return ssl_hs_ok;
547 }
548
549 switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {
550 case ssl_private_key_success:
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]551 hs->state = state_send_channel_id;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]552 return ssl_hs_write_message;
553
554 case ssl_private_key_retry:
555 hs->state = state_complete_client_certificate_verify;
556 return ssl_hs_private_key_operation;
557
558 case ssl_private_key_failure:
559 return ssl_hs_error;
560 }
561
562 assert(0);
563 return ssl_hs_error;
564}
565
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]566static enum ssl_hs_wait_t do_send_channel_id(SSL *ssl, SSL_HANDSHAKE *hs) {
567 if (!ssl->s3->tlsext_channel_id_valid) {
568 hs->state = state_send_client_finished;
569 return ssl_hs_ok;
570 }
571
572 if (!ssl_do_channel_id_callback(ssl)) {
573 return ssl_hs_error;
574 }
575
576 if (ssl->tlsext_channel_id_private == NULL) {
577 return ssl_hs_channel_id_lookup;
578 }
579
580 CBB cbb, body;
581 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CHANNEL_ID) ||
582 !tls1_write_channel_id(ssl, &body) ||
Steven Valdez5eead162016-11-11 22:23:25 -0500[diff] [blame]583 !ssl_complete_message(ssl, &cbb)) {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]584 CBB_cleanup(&cbb);
585 return ssl_hs_error;
586 }
587
588 hs->state = state_send_client_finished;
589 return ssl_hs_write_message;
590}
591
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]592static enum ssl_hs_wait_t do_send_client_finished(SSL *ssl, SSL_HANDSHAKE *hs) {
593 if (!tls13_prepare_finished(ssl)) {
594 return ssl_hs_error;
595 }
596
597 hs->state = state_flush;
598 return ssl_hs_write_message;
599}
600
601static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]602 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
603 hs->hash_len) ||
604 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
605 hs->hash_len) ||
606 !tls13_derive_resumption_secret(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]607 return ssl_hs_error;
608 }
609
610 hs->state = state_done;
611 return ssl_hs_flush;
612}
613
614enum ssl_hs_wait_t tls13_client_handshake(SSL *ssl) {
615 SSL_HANDSHAKE *hs = ssl->s3->hs;
616
617 while (hs->state != state_done) {
618 enum ssl_hs_wait_t ret = ssl_hs_error;
619 enum client_hs_state_t state = hs->state;
620 switch (state) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]621 case state_process_hello_retry_request:
622 ret = do_process_hello_retry_request(ssl, hs);
623 break;
624 case state_send_second_client_hello:
625 ret = do_send_second_client_hello(ssl, hs);
626 break;
627 case state_flush_second_client_hello:
628 ret = do_flush_second_client_hello(ssl, hs);
629 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]630 case state_process_server_hello:
631 ret = do_process_server_hello(ssl, hs);
632 break;
633 case state_process_encrypted_extensions:
634 ret = do_process_encrypted_extensions(ssl, hs);
635 break;
636 case state_process_certificate_request:
637 ret = do_process_certificate_request(ssl, hs);
638 break;
639 case state_process_server_certificate:
640 ret = do_process_server_certificate(ssl, hs);
641 break;
642 case state_process_server_certificate_verify:
643 ret = do_process_server_certificate_verify(ssl, hs);
644 break;
645 case state_process_server_finished:
646 ret = do_process_server_finished(ssl, hs);
647 break;
648 case state_certificate_callback:
649 ret = do_certificate_callback(ssl, hs);
650 break;
651 case state_send_client_certificate:
652 ret = do_send_client_certificate(ssl, hs);
653 break;
654 case state_send_client_certificate_verify:
655 ret = do_send_client_certificate_verify(ssl, hs, 1 /* first run */);
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]656 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]657 case state_complete_client_certificate_verify:
658 ret = do_send_client_certificate_verify(ssl, hs, 0 /* complete */);
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]659 break;
660 case state_send_channel_id:
661 ret = do_send_channel_id(ssl, hs);
662 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]663 case state_send_client_finished:
664 ret = do_send_client_finished(ssl, hs);
665 break;
666 case state_flush:
667 ret = do_flush(ssl, hs);
668 break;
669 case state_done:
670 ret = ssl_hs_ok;
671 break;
672 }
673
674 if (ret != ssl_hs_ok) {
675 return ret;
676 }
677 }
678
679 return ssl_hs_ok;
680}
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]681
682int tls13_process_new_session_ticket(SSL *ssl) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]683 SSL_SESSION *session =
684 SSL_SESSION_dup(ssl->s3->established_session,
685 SSL_SESSION_INCLUDE_NONAUTH);
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]686 if (session == NULL) {
687 return 0;
688 }
689
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]690 ssl_session_refresh_time(ssl, session);
691
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]692 CBS cbs, ticket, extensions;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]693 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
Martin Kreichgauerbaafa4a2016-08-09 10:18:40 -0700[diff] [blame]694 if (!CBS_get_u32(&cbs, &session->tlsext_tick_lifetime_hint) ||
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]695 !CBS_get_u32(&cbs, &session->ticket_age_add) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]696 !CBS_get_u16_length_prefixed(&cbs, &ticket) ||
697 !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]698 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]699 CBS_len(&cbs) != 0) {
700 SSL_SESSION_free(session);
701 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
702 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
703 return 0;
704 }
705
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]706 session->ticket_age_add_valid = 1;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]707 session->not_resumable = 0;
708
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]709 if (ssl->ctx->new_session_cb != NULL &&
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]710 ssl->ctx->new_session_cb(ssl, session)) {
711 /* |new_session_cb|'s return value signals that it took ownership. */
712 return 1;
713 }
714
715 SSL_SESSION_free(session);
716 return 1;
717}
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]718
719void ssl_clear_tls13_state(SSL *ssl) {
David Benjaminc8b6b4f2016-09-08 23:47:48 -0400[diff] [blame]720 SSL_ECDH_CTX_cleanup(&ssl->s3->hs->ecdh_ctx);
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]721
722 OPENSSL_free(ssl->s3->hs->key_share_bytes);
723 ssl->s3->hs->key_share_bytes = NULL;
724 ssl->s3->hs->key_share_bytes_len = 0;
725}