Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / d816874c52418665cd348a3e2babd575686cf695 / . / ssl / tls13_client.cc
blob: 51d275caf5beceea9078e8061a7a9c4d69bc4e5a [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]18#include <limits.h>
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]19#include <string.h>
20
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]21#include <utility>
22
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]23#include <openssl/bytestring.h>
24#include <openssl/digest.h>
25#include <openssl/err.h>
26#include <openssl/mem.h>
27#include <openssl/stack.h>
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]28
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]29#include "../crypto/internal.h"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]30#include "internal.h"
31
32
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]33namespace bssl {
34
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]35enum client_hs_state_t {
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]36 state_read_hello_retry_request = 0,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]37 state_send_second_client_hello,
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]38 state_read_server_hello,
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]39 state_process_change_cipher_spec,
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]40 state_read_encrypted_extensions,
41 state_read_certificate_request,
42 state_read_server_certificate,
43 state_read_server_certificate_verify,
44 state_read_server_finished,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]45 state_send_end_of_early_data,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]46 state_send_client_certificate,
47 state_send_client_certificate_verify,
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]48 state_complete_second_flight,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]49 state_done,
50};
51
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]52static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
53
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]54static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]55 SSL *const ssl = hs->ssl;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]56 SSLMessage msg;
57 if (!ssl->method->get_message(ssl, &msg)) {
58 return ssl_hs_read_message;
59 }
60 if (msg.type != SSL3_MT_HELLO_RETRY_REQUEST) {
61 hs->tls13_state = state_read_server_hello;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]62 return ssl_hs_ok;
63 }
64
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]65 CBS body = msg.body, extensions;
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame]66 uint16_t server_version;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]67 if (!CBS_get_u16(&body, &server_version) ||
68 !CBS_get_u16_length_prefixed(&body, &extensions) ||
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]69 // HelloRetryRequest may not be empty.
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]70 CBS_len(&extensions) == 0 ||
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]71 CBS_len(&body) != 0) {
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]72 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]73 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
74 return ssl_hs_error;
75 }
76
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]77 int have_cookie, have_key_share;
78 CBS cookie, key_share;
79 const SSL_EXTENSION_TYPE ext_types[] = {
80 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
81 {TLSEXT_TYPE_cookie, &have_cookie, &cookie},
82 };
83
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]84 uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]85 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]86 OPENSSL_ARRAY_SIZE(ext_types),
87 0 /* reject unknown */)) {
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]88 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
89 return ssl_hs_error;
90 }
91
92 if (have_cookie) {
93 CBS cookie_value;
94 if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) ||
95 CBS_len(&cookie_value) == 0 ||
96 CBS_len(&cookie) != 0) {
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]97 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
98 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
99 return ssl_hs_error;
100 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]101
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]102 if (!CBS_stow(&cookie_value, &hs->cookie, &hs->cookie_len)) {
103 return ssl_hs_error;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]104 }
105 }
106
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]107 if (have_key_share) {
108 uint16_t group_id;
109 if (!CBS_get_u16(&key_share, &group_id) || CBS_len(&key_share) != 0) {
110 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
111 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
112 return ssl_hs_error;
113 }
114
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]115 // The group must be supported.
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]116 const uint16_t *groups;
117 size_t groups_len;
118 tls1_get_grouplist(ssl, &groups, &groups_len);
119 int found = 0;
120 for (size_t i = 0; i < groups_len; i++) {
121 if (groups[i] == group_id) {
122 found = 1;
123 break;
124 }
125 }
126
127 if (!found) {
128 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
129 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
130 return ssl_hs_error;
131 }
132
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]133 // Check that the HelloRetryRequest does not request the key share that
134 // was provided in the initial ClientHello.
David Benjaminc642aca2017-07-19 23:28:43 -0400[diff] [blame]135 if (hs->key_share->GroupID() == group_id) {
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]136 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
137 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
138 return ssl_hs_error;
139 }
140
David Benjaminc642aca2017-07-19 23:28:43 -0400[diff] [blame]141 hs->key_share.reset();
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]142 hs->retry_group = group_id;
143 }
144
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]145 if (!ssl_hash_message(hs, msg)) {
David Benjaminf71036e2017-01-21 14:49:39 -0500[diff] [blame]146 return ssl_hs_error;
147 }
148
David Benjamin8f94c312017-08-01 17:35:55 -0400[diff] [blame]149 ssl->method->next_message(ssl);
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]150 hs->received_hello_retry_request = 1;
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]151 hs->tls13_state = state_send_second_client_hello;
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]152 // 0-RTT is rejected if we receive a HelloRetryRequest.
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]153 if (hs->in_early_data) {
154 return ssl_hs_early_data_rejected;
155 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]156 return ssl_hs_ok;
157}
158
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]159static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]160 SSL *const ssl = hs->ssl;
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]161 // Restore the null cipher. We may have switched due to 0-RTT.
David Benjamincfc11c22017-07-18 22:45:18 -0400[diff] [blame]162 bssl::UniquePtr<SSLAEADContext> null_ctx = SSLAEADContext::CreateNullCipher();
163 if (!null_ctx ||
164 !ssl->method->set_write_state(ssl, std::move(null_ctx)) ||
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]165 !ssl_write_client_hello(hs)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]166 return ssl_hs_error;
167 }
168
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]169 hs->tls13_state = state_read_server_hello;
170 return ssl_hs_flush;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]171}
172
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]173static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]174 SSL *const ssl = hs->ssl;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]175 SSLMessage msg;
176 if (!ssl->method->get_message(ssl, &msg)) {
177 return ssl_hs_read_message;
178 }
179 if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]180 return ssl_hs_error;
181 }
182
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]183 CBS body = msg.body, server_random, session_id, extensions;
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame]184 uint16_t server_version;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]185 uint16_t cipher_suite;
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]186 uint8_t compression_method;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]187 if (!CBS_get_u16(&body, &server_version) ||
188 !CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) ||
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]189 (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]190 !CBS_get_u8_length_prefixed(&body, &session_id)) ||
191 !CBS_get_u16(&body, &cipher_suite) ||
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]192 (ssl->version == TLS1_3_EXPERIMENT_VERSION &&
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]193 (!CBS_get_u8(&body, &compression_method) || compression_method != 0)) ||
194 !CBS_get_u16_length_prefixed(&body, &extensions) ||
195 CBS_len(&body) != 0) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]196 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]197 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
198 return ssl_hs_error;
199 }
200
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame]201 uint16_t expected_version =
202 ssl->version == TLS1_3_EXPERIMENT_VERSION ? TLS1_2_VERSION : ssl->version;
203 if (server_version != expected_version) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]204 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
205 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]206 return ssl_hs_error;
207 }
208
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]209 assert(ssl->s3->have_version);
David Benjamin17cf2cb2016-12-13 01:07:13 -0500[diff] [blame]210 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
211 SSL3_RANDOM_SIZE);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]212
213 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
214 if (cipher == NULL) {
215 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
216 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
217 return ssl_hs_error;
218 }
219
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]220 // Check if the cipher is a TLS 1.3 cipher.
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]221 if (SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
222 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl)) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]223 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
224 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
225 return ssl_hs_error;
226 }
227
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]228 // Parse out the extensions.
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame]229 int have_key_share = 0, have_pre_shared_key = 0, have_supported_versions = 0;
230 CBS key_share, pre_shared_key, supported_versions;
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]231 const SSL_EXTENSION_TYPE ext_types[] = {
232 {TLSEXT_TYPE_key_share, &have_key_share, &key_share},
233 {TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame]234 {TLSEXT_TYPE_supported_versions, &have_supported_versions,
235 &supported_versions},
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]236 };
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]237
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]238 uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]239 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]240 OPENSSL_ARRAY_SIZE(ext_types),
241 0 /* reject unknown */)) {
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]242 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
243 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]244 }
245
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]246 // supported_versions is parsed in handshake_client to select the experimental
247 // TLS 1.3 version.
Steven Valdez038da9b2017-07-10 12:57:25 -0400[diff] [blame]248 if (have_supported_versions && ssl->version != TLS1_3_EXPERIMENT_VERSION) {
249 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
250 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
251 return ssl_hs_error;
252 }
253
David Benjaminffb11072016-11-13 10:32:10 +0900[diff] [blame]254 alert = SSL_AD_DECODE_ERROR;
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]255 if (have_pre_shared_key) {
256 if (ssl->session == NULL) {
257 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
258 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
259 return ssl_hs_error;
260 }
261
David Benjamin8baf9632016-11-17 17:11:16 +0900[diff] [blame]262 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]263 &pre_shared_key)) {
264 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
265 return ssl_hs_error;
266 }
267
268 if (ssl->session->ssl_version != ssl->version) {
269 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
270 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
271 return ssl_hs_error;
272 }
273
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]274 if (ssl->session->cipher->algorithm_prf != cipher->algorithm_prf) {
275 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]276 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
277 return ssl_hs_error;
278 }
279
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]280 if (!ssl_session_is_context_valid(ssl, ssl->session)) {
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]281 // This is actually a client application bug.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]282 OPENSSL_PUT_ERROR(SSL,
283 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
284 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
285 return ssl_hs_error;
286 }
287
288 ssl->s3->session_reused = 1;
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]289 // Only authentication information carries over in TLS 1.3.
David Benjamin45738dd2017-02-09 20:01:26 -0500[diff] [blame]290 hs->new_session = SSL_SESSION_dup(ssl->session, SSL_SESSION_DUP_AUTH_ONLY);
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]291 if (!hs->new_session) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]292 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
293 return ssl_hs_error;
294 }
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]295 ssl_set_session(ssl, NULL);
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]296
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]297 // Resumption incorporates fresh key material, so refresh the timeout.
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]298 ssl_session_renew_timeout(ssl, hs->new_session.get(),
David Benjaminbe497062017-03-10 16:08:36 -0500[diff] [blame]299 ssl->session_ctx->session_psk_dhe_timeout);
David Benjaminf3c8f8d2016-11-17 17:20:47 +0900[diff] [blame]300 } else if (!ssl_get_new_session(hs, 0)) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]301 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]302 return ssl_hs_error;
303 }
304
David Benjamin45738dd2017-02-09 20:01:26 -0500[diff] [blame]305 hs->new_session->cipher = cipher;
306 hs->new_cipher = cipher;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]307
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]308 // The PRF hash is now known. Set up the key schedule.
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]309 if (!tls13_init_key_schedule(hs)) {
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]310 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]311 }
312
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]313 // Incorporate the PSK into the running secret.
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]314 if (ssl->s3->session_reused) {
David Benjamin45738dd2017-02-09 20:01:26 -0500[diff] [blame]315 if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
316 hs->new_session->master_key_length)) {
David Benjamin8f820b42016-11-30 11:24:40 -0500[diff] [blame]317 return ssl_hs_error;
318 }
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]319 } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]320 return ssl_hs_error;
321 }
322
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]323 if (!have_key_share) {
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]324 // We do not support psk_ke and thus always require a key share.
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]325 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
326 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
327 return ssl_hs_error;
328 }
329
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]330 // Resolve ECDHE and incorporate it into the secret.
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]331 uint8_t *dhe_secret;
332 size_t dhe_secret_len;
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]333 alert = SSL_AD_DECODE_ERROR;
David Benjamin8baf9632016-11-17 17:11:16 +0900[diff] [blame]334 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &dhe_secret_len,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]335 &alert, &key_share)) {
336 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
337 return ssl_hs_error;
338 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]339
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]340 if (!tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]341 OPENSSL_free(dhe_secret);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]342 return ssl_hs_error;
343 }
344 OPENSSL_free(dhe_secret);
345
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]346 if (!ssl_hash_message(hs, msg) ||
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]347 !tls13_derive_handshake_secrets(hs)) {
348 return ssl_hs_error;
349 }
David Benjamin8f94c312017-08-01 17:35:55 -0400[diff] [blame]350
351 ssl->method->next_message(ssl);
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]352 hs->tls13_state = state_process_change_cipher_spec;
353 return ssl->version == TLS1_3_EXPERIMENT_VERSION
354 ? ssl_hs_read_change_cipher_spec
355 : ssl_hs_ok;
356}
357
358static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
359 SSL *const ssl = hs->ssl;
360 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_handshake_secret,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]361 hs->hash_len)) {
362 return ssl_hs_error;
363 }
364
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]365 if (!hs->early_data_offered) {
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]366 // If not sending early data, set client traffic keys now so that alerts are
367 // encrypted.
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]368 if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
369 !ssl3_add_change_cipher_spec(ssl)) ||
370 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
371 hs->hash_len)) {
372 return ssl_hs_error;
373 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]374 }
375
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]376 hs->tls13_state = state_read_encrypted_extensions;
377 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]378}
379
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]380static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]381 SSL *const ssl = hs->ssl;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]382 SSLMessage msg;
383 if (!ssl->method->get_message(ssl, &msg)) {
384 return ssl_hs_read_message;
385 }
386 if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]387 return ssl_hs_error;
388 }
389
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]390 CBS body = msg.body;
391 if (!ssl_parse_serverhello_tlsext(hs, &body)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]392 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
393 return ssl_hs_error;
394 }
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]395 if (CBS_len(&body) != 0) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]396 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
397 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
398 return ssl_hs_error;
399 }
400
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]401 // Store the negotiated ALPN in the session.
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]402 if (ssl->s3->alpn_selected != NULL) {
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]403 hs->new_session->early_alpn = (uint8_t *)BUF_memdup(
404 ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]405 if (hs->new_session->early_alpn == NULL) {
406 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
407 return ssl_hs_error;
408 }
409 hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;
410 }
411
412 if (ssl->early_data_accepted) {
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]413 if (hs->early_session->cipher != hs->new_session->cipher ||
414 hs->early_session->early_alpn_len != ssl->s3->alpn_selected_len ||
415 OPENSSL_memcmp(hs->early_session->early_alpn, ssl->s3->alpn_selected,
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]416 ssl->s3->alpn_selected_len) != 0) {
417 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
418 return ssl_hs_error;
419 }
Steven Valdezf4ecc842017-08-10 14:02:56 -0400[diff] [blame]420 if (ssl->s3->tlsext_channel_id_valid || hs->received_custom_extension) {
421 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
Steven Valdez2a070722017-03-25 20:54:16 -0500[diff] [blame]422 return ssl_hs_error;
423 }
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]424 }
425
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]426 if (!ssl_hash_message(hs, msg)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]427 return ssl_hs_error;
428 }
429
David Benjamin8f94c312017-08-01 17:35:55 -0400[diff] [blame]430 ssl->method->next_message(ssl);
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]431 hs->tls13_state = state_read_certificate_request;
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]432 if (hs->in_early_data && !ssl->early_data_accepted) {
433 return ssl_hs_early_data_rejected;
434 }
435 return ssl_hs_ok;
436}
437
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]438static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]439 SSL *const ssl = hs->ssl;
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]440 // CertificateRequest may only be sent in non-resumption handshakes.
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]441 if (ssl->s3->session_reused) {
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]442 hs->tls13_state = state_read_server_finished;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]443 return ssl_hs_ok;
444 }
445
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]446 SSLMessage msg;
447 if (!ssl->method->get_message(ssl, &msg)) {
448 return ssl_hs_read_message;
449 }
450
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]451 // CertificateRequest is optional.
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]452 if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
453 hs->tls13_state = state_read_server_certificate;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]454 return ssl_hs_ok;
455 }
456
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]457 CBS body = msg.body, context, supported_signature_algorithms;
458 if (!CBS_get_u8_length_prefixed(&body, &context) ||
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]459 // The request context is always empty during the handshake.
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]460 CBS_len(&context) != 0 ||
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]461 !CBS_get_u16_length_prefixed(&body, &supported_signature_algorithms) ||
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]462 CBS_len(&supported_signature_algorithms) == 0 ||
David Benjaminf3c8f8d2016-11-17 17:20:47 +0900[diff] [blame]463 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]464 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
465 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
466 return ssl_hs_error;
467 }
468
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]469 uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]470 UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names =
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]471 ssl_parse_client_CA_list(ssl, &alert, &body);
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]472 if (!ca_names) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]473 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
474 return ssl_hs_error;
475 }
476
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]477 // Ignore extensions.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]478 CBS extensions;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]479 if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
480 CBS_len(&body) != 0) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]481 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
482 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
483 return ssl_hs_error;
484 }
485
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]486 hs->cert_request = 1;
David Benjamin31b0c9b2017-07-20 14:49:15 -0400[diff] [blame]487 hs->ca_names = std::move(ca_names);
Adam Langley34b4c822017-02-02 10:57:17 -0800[diff] [blame]488 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]489
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]490 if (!ssl_hash_message(hs, msg)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]491 return ssl_hs_error;
492 }
493
David Benjamin8f94c312017-08-01 17:35:55 -0400[diff] [blame]494 ssl->method->next_message(ssl);
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]495 hs->tls13_state = state_read_server_certificate;
496 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]497}
498
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]499static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]500 SSL *const ssl = hs->ssl;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]501 SSLMessage msg;
502 if (!ssl->method->get_message(ssl, &msg)) {
503 return ssl_hs_read_message;
504 }
505 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
506 !tls13_process_certificate(hs, msg, 0 /* certificate required */) ||
507 !ssl_hash_message(hs, msg)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]508 return ssl_hs_error;
509 }
510
David Benjamin8f94c312017-08-01 17:35:55 -0400[diff] [blame]511 ssl->method->next_message(ssl);
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]512 hs->tls13_state = state_read_server_certificate_verify;
513 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]514}
515
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]516static enum ssl_hs_wait_t do_read_server_certificate_verify(
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]517 SSL_HANDSHAKE *hs) {
518 SSL *const ssl = hs->ssl;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]519 SSLMessage msg;
520 if (!ssl->method->get_message(ssl, &msg)) {
521 return ssl_hs_read_message;
522 }
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]523 switch (ssl_verify_peer_cert(hs)) {
524 case ssl_verify_ok:
525 break;
526 case ssl_verify_invalid:
527 return ssl_hs_error;
528 case ssl_verify_retry:
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]529 hs->tls13_state = state_read_server_certificate_verify;
David Benjamin3a1dd462017-07-11 16:13:10 -0400[diff] [blame]530 return ssl_hs_certificate_verify;
531 }
532
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]533 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
534 !tls13_process_certificate_verify(hs, msg) ||
535 !ssl_hash_message(hs, msg)) {
David Benjamin6929f272016-11-16 19:10:08 +0900[diff] [blame]536 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]537 }
538
David Benjamin8f94c312017-08-01 17:35:55 -0400[diff] [blame]539 ssl->method->next_message(ssl);
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]540 hs->tls13_state = state_read_server_finished;
541 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]542}
543
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]544static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]545 SSL *const ssl = hs->ssl;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]546 SSLMessage msg;
547 if (!ssl->method->get_message(ssl, &msg)) {
548 return ssl_hs_read_message;
549 }
550 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
551 !tls13_process_finished(hs, msg, 0 /* don't use saved value */) ||
552 !ssl_hash_message(hs, msg) ||
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]553 // Update the secret to the master secret and derive traffic keys.
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]554 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
555 !tls13_derive_application_secrets(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]556 return ssl_hs_error;
557 }
558
David Benjamin8f94c312017-08-01 17:35:55 -0400[diff] [blame]559 ssl->method->next_message(ssl);
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]560 hs->tls13_state = state_send_end_of_early_data;
561 return ssl_hs_ok;
562}
563
564static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
565 SSL *const ssl = hs->ssl;
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]566
567 if (ssl->early_data_accepted) {
568 hs->can_early_write = 0;
569 if (!ssl->method->add_alert(ssl, SSL3_AL_WARNING,
570 TLS1_AD_END_OF_EARLY_DATA)) {
571 return ssl_hs_error;
572 }
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]573 }
574
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]575 if (hs->early_data_offered) {
576 if ((ssl->version == TLS1_3_EXPERIMENT_VERSION &&
577 !ssl3_add_change_cipher_spec(ssl)) ||
578 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_handshake_secret,
579 hs->hash_len)) {
580 return ssl_hs_error;
581 }
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]582 }
583
David Benjamin5edfc8c2016-12-10 15:46:58 -0500[diff] [blame]584 hs->tls13_state = state_send_client_certificate;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]585 return ssl_hs_ok;
586}
587
David Benjamin5edfc8c2016-12-10 15:46:58 -0500[diff] [blame]588static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]589 SSL *const ssl = hs->ssl;
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]590
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]591 // The peer didn't request a certificate.
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]592 if (!hs->cert_request) {
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]593 hs->tls13_state = state_complete_second_flight;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]594 return ssl_hs_ok;
595 }
596
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]597 // Call cert_cb to update the certificate.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]598 if (ssl->cert->cert_cb != NULL) {
599 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
600 if (rv == 0) {
601 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
602 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
603 return ssl_hs_error;
604 }
605 if (rv < 0) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]606 hs->tls13_state = state_send_client_certificate;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]607 return ssl_hs_x509_lookup;
608 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]609 }
610
David Benjamina232a712017-03-30 15:51:53 -0500[diff] [blame]611 if (!ssl_on_certificate_selected(hs) ||
David Benjamin0f24bed2017-01-12 19:46:50 -0500[diff] [blame]612 !tls13_add_certificate(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]613 return ssl_hs_error;
614 }
615
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]616 hs->tls13_state = state_send_client_certificate_verify;
David Benjamin25ac2512017-01-12 19:31:28 -0500[diff] [blame]617 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]618}
619
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]620static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]621 SSL *const ssl = hs->ssl;
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]622 // Don't send CertificateVerify if there is no certificate.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]623 if (!ssl_has_certificate(ssl)) {
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]624 hs->tls13_state = state_complete_second_flight;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]625 return ssl_hs_ok;
626 }
627
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]628 switch (tls13_add_certificate_verify(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]629 case ssl_private_key_success:
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]630 hs->tls13_state = state_complete_second_flight;
David Benjamin25ac2512017-01-12 19:31:28 -0500[diff] [blame]631 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]632
633 case ssl_private_key_retry:
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]634 hs->tls13_state = state_send_client_certificate_verify;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]635 return ssl_hs_private_key_operation;
636
637 case ssl_private_key_failure:
638 return ssl_hs_error;
639 }
640
641 assert(0);
642 return ssl_hs_error;
643}
644
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]645static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]646 SSL *const ssl = hs->ssl;
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]647
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]648 // Send a Channel ID assertion if necessary.
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]649 if (ssl->s3->tlsext_channel_id_valid) {
650 if (!ssl_do_channel_id_callback(ssl)) {
651 hs->tls13_state = state_complete_second_flight;
652 return ssl_hs_error;
653 }
654
655 if (ssl->tlsext_channel_id_private == NULL) {
656 return ssl_hs_channel_id_lookup;
657 }
658
David Benjamin1386aad2017-07-19 23:57:40 -0400[diff] [blame]659 ScopedCBB cbb;
660 CBB body;
661 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
Steven Valdez908ac192017-01-12 13:17:07 -0500[diff] [blame]662 !tls1_write_channel_id(hs, &body) ||
David Benjamin1386aad2017-07-19 23:57:40 -0400[diff] [blame]663 !ssl_add_message_cbb(ssl, cbb.get())) {
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]664 return ssl_hs_error;
665 }
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]666 }
667
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]668 // Send a Finished message.
David Benjamin0f24bed2017-01-12 19:46:50 -0500[diff] [blame]669 if (!tls13_add_finished(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]670 return ssl_hs_error;
671 }
672
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]673 // Derive the final keys and enable them.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]674 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->server_traffic_secret_0,
675 hs->hash_len) ||
676 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->client_traffic_secret_0,
677 hs->hash_len) ||
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]678 !tls13_derive_resumption_secret(hs)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]679 return ssl_hs_error;
680 }
681
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]682 hs->tls13_state = state_done;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]683 return ssl_hs_flush;
684}
685
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]686enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
David Benjamin3977f302016-12-11 13:30:41 -0500[diff] [blame]687 while (hs->tls13_state != state_done) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]688 enum ssl_hs_wait_t ret = ssl_hs_error;
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]689 enum client_hs_state_t state =
690 static_cast<enum client_hs_state_t>(hs->tls13_state);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]691 switch (state) {
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]692 case state_read_hello_retry_request:
693 ret = do_read_hello_retry_request(hs);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]694 break;
695 case state_send_second_client_hello:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]696 ret = do_send_second_client_hello(hs);
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]697 break;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]698 case state_read_server_hello:
699 ret = do_read_server_hello(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]700 break;
Steven Valdez520e1222017-06-13 12:45:25 -0400[diff] [blame]701 case state_process_change_cipher_spec:
702 ret = do_process_change_cipher_spec(hs);
703 break;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]704 case state_read_encrypted_extensions:
705 ret = do_read_encrypted_extensions(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]706 break;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]707 case state_read_certificate_request:
708 ret = do_read_certificate_request(hs);
Steven Valdeze831a812017-03-09 14:56:07 -0500[diff] [blame]709 break;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]710 case state_read_server_certificate:
711 ret = do_read_server_certificate(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]712 break;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]713 case state_read_server_certificate_verify:
714 ret = do_read_server_certificate_verify(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]715 break;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]716 case state_read_server_finished:
717 ret = do_read_server_finished(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]718 break;
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]719 case state_send_end_of_early_data:
720 ret = do_send_end_of_early_data(hs);
721 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]722 case state_send_client_certificate:
David Benjaminc3c88822016-11-14 10:32:04 +0900[diff] [blame]723 ret = do_send_client_certificate(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]724 break;
725 case state_send_client_certificate_verify:
David Benjamin44148742017-06-17 13:20:59 -0400[diff] [blame]726 ret = do_send_client_certificate_verify(hs);
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]727 break;
David Benjamin81b7bc32017-01-12 19:44:57 -0500[diff] [blame]728 case state_complete_second_flight:
729 ret = do_complete_second_flight(hs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]730 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]731 case state_done:
732 ret = ssl_hs_ok;
733 break;
734 }
735
Steven Valdez4d71a9a2017-08-14 15:08:34 -0400[diff] [blame]736 if (hs->tls13_state != state) {
David Benjaminf60bcfb2017-08-18 15:23:44 -0400[diff] [blame]737 ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
738 }
739
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]740 if (ret != ssl_hs_ok) {
741 return ret;
742 }
743 }
744
745 return ssl_hs_ok;
746}
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]747
David Benjaminf60bcfb2017-08-18 15:23:44 -0400[diff] [blame]748const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
749 enum client_hs_state_t state =
750 static_cast<enum client_hs_state_t>(hs->tls13_state);
751 switch (state) {
752 case state_read_hello_retry_request:
753 return "TLS 1.3 client read_hello_retry_request";
754 case state_send_second_client_hello:
755 return "TLS 1.3 client send_second_client_hello";
756 case state_read_server_hello:
757 return "TLS 1.3 client read_server_hello";
758 case state_process_change_cipher_spec:
759 return "TLS 1.3 client process_change_cipher_spec";
760 case state_read_encrypted_extensions:
761 return "TLS 1.3 client read_encrypted_extensions";
762 case state_read_certificate_request:
763 return "TLS 1.3 client read_certificate_request";
764 case state_read_server_certificate:
765 return "TLS 1.3 client read_server_certificate";
766 case state_read_server_certificate_verify:
767 return "TLS 1.3 client read_server_certificate_verify";
768 case state_read_server_finished:
769 return "TLS 1.3 client read_server_finished";
770 case state_send_end_of_early_data:
771 return "TLS 1.3 client send_end_of_early_data";
772 case state_send_client_certificate:
773 return "TLS 1.3 client send_client_certificate";
774 case state_send_client_certificate_verify:
775 return "TLS 1.3 client send_client_certificate_verify";
776 case state_complete_second_flight:
777 return "TLS 1.3 client complete_second_flight";
778 case state_done:
779 return "TLS 1.3 client done";
780 }
781
782 return "TLS 1.3 client unknown";
783}
784
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]785int tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]786 UniquePtr<SSL_SESSION> session(SSL_SESSION_dup(ssl->s3->established_session,
787 SSL_SESSION_INCLUDE_NONAUTH));
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]788 if (!session) {
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]789 return 0;
790 }
791
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]792 ssl_session_rebase_time(ssl, session.get());
David Benjamin123db572016-11-03 16:59:25 -0400[diff] [blame]793
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]794 uint32_t server_timeout;
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]795 CBS body = msg.body, ticket, extensions;
796 if (!CBS_get_u32(&body, &server_timeout) ||
797 !CBS_get_u32(&body, &session->ticket_age_add) ||
798 !CBS_get_u16_length_prefixed(&body, &ticket) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]799 !CBS_stow(&ticket, &session->tlsext_tick, &session->tlsext_ticklen) ||
David Benjamin7934f082017-08-01 16:32:25 -0400[diff] [blame]800 !CBS_get_u16_length_prefixed(&body, &extensions) ||
801 CBS_len(&body) != 0) {
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]802 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
803 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]804 return 0;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]805 }
806
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]807 // Cap the renewable lifetime by the server advertised value. This avoids
808 // wasting bandwidth on 0-RTT when we know the server will reject it.
David Benjaminad8f5e12017-02-20 17:00:20 -0500[diff] [blame]809 if (session->timeout > server_timeout) {
810 session->timeout = server_timeout;
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]811 }
812
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]813 // Parse out the extensions.
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]814 int have_early_data_info = 0;
815 CBS early_data_info;
816 const SSL_EXTENSION_TYPE ext_types[] = {
817 {TLSEXT_TYPE_ticket_early_data_info, &have_early_data_info,
818 &early_data_info},
819 };
820
Adam Langleyc68e5b92017-02-08 13:33:15 -0800[diff] [blame]821 uint8_t alert = SSL_AD_DECODE_ERROR;
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]822 if (!ssl_parse_extensions(&extensions, &alert, ext_types,
823 OPENSSL_ARRAY_SIZE(ext_types),
824 1 /* ignore unknown */)) {
825 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]826 return 0;
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]827 }
828
Alessandro Ghedini67bb45f2017-03-30 16:33:24 -0500[diff] [blame]829 if (have_early_data_info && ssl->cert->enable_early_data) {
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]830 if (!CBS_get_u32(&early_data_info, &session->ticket_max_early_data) ||
831 CBS_len(&early_data_info) != 0) {
832 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]833 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]834 return 0;
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]835 }
836 }
837
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]838 session->ticket_age_add_valid = 1;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]839 session->not_resumable = 0;
840
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]841 if (ssl->ctx->new_session_cb != NULL &&
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]842 ssl->ctx->new_session_cb(ssl, session.get())) {
David Benjaminc11ea9422017-08-29 16:33:21 -0400[diff] [blame]843 // |new_session_cb|'s return value signals that it took ownership.
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]844 session.release();
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]845 }
846
David Benjamind304a2f2017-07-12 23:00:28 -0400[diff] [blame]847 return 1;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]848}
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]849
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]850void ssl_clear_tls13_state(SSL_HANDSHAKE *hs) {
David Benjaminc642aca2017-07-19 23:28:43 -0400[diff] [blame]851 hs->key_share.reset();
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]852
David Benjamin6e4fc332016-11-17 16:43:08 +0900[diff] [blame]853 OPENSSL_free(hs->key_share_bytes);
854 hs->key_share_bytes = NULL;
855 hs->key_share_bytes_len = 0;
David Benjamin4fe3c902016-08-16 02:17:03 -0400[diff] [blame]856}
David Benjamin86e95b82017-07-18 16:34:25 -0400[diff] [blame]857
858} // namespace bssl