tls13_client.cc source code [engine/third_party/boringssl/src/ssl/tls13_client.cc]

1	/ Copyright (c) 2016, Google Inc.*
2	*
3	* Permission to use, copy, modify, and/or distribute this software for any
4	* purpose with or without fee is hereby granted, provided that the above
5	* copyright notice and this permission notice appear in all copies.
6	*
7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15	#include <openssl/ssl.h>
16
17	#include <assert.h>
18	#include <limits.h>
19	#include <string.h>
20
21	#include <utility>
22
23	#include <openssl/bytestring.h>
24	#include <openssl/digest.h>
25	#include <openssl/err.h>
26	#include <openssl/mem.h>
27	#include <openssl/sha.h>
28	#include <openssl/stack.h>
29
30	#include "../crypto/internal.h"
31	#include "internal.h"
32
33
34	BSSL_NAMESPACE_BEGIN
35
36	enum client_hs_state_t {
37	state_read_hello_retry_request = `0`,
38	state_send_second_client_hello,
39	state_read_server_hello,
40	state_read_encrypted_extensions,
41	state_read_certificate_request,
42	state_read_server_certificate,
43	state_read_server_certificate_verify,
44	state_server_certificate_reverify,
45	state_read_server_finished,
46	state_send_end_of_early_data,
47	state_send_client_certificate,
48	state_send_client_certificate_verify,
49	state_complete_second_flight,
50	state_done,
51	};
52
53	static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {`0`};
54
55	static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
56	SSL *const ssl = hs->ssl;
57	assert(ssl->s3->have_version);
58	SSLMessage msg;
59	if (!ssl->method->get_message(ssl, &msg)) {
60	return ssl_hs_read_message;
61	}
62
63	// Queue up a ChangeCipherSpec for whenever we next send something. This
64	// will be before the second ClientHello. If we offered early data, this was
65	// already done.
66	if (!hs->early_data_offered &&
67	!ssl->method->add_change_cipher_spec(ssl)) {
68	return ssl_hs_error;
69	}
70
71	if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
72	return ssl_hs_error;
73	}
74
75	CBS body = msg.body, extensions, server_random, session_id;
76	uint16_t server_version, cipher_suite;
77	uint8_t compression_method;
78	if (!CBS_get_u16(&body, &server_version) \|\|
79	!CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) \|\|
80	!CBS_get_u8_length_prefixed(&body, &session_id) \|\|
81	!CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) \|\|
82	!CBS_get_u16(&body, &cipher_suite) \|\|
83	!CBS_get_u8(&body, &compression_method) \|\|
84	compression_method != `0` \|\|
85	!CBS_get_u16_length_prefixed(&body, &extensions) \|\|
86	CBS_len(&extensions) == `0` \|\|
87	CBS_len(&body) != `0`) {
88	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
89	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
90	return ssl_hs_error;
91	}
92
93	if (!CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
94	hs->tls13_state = state_read_server_hello;
95	return ssl_hs_ok;
96	}
97
98	const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
99	// Check if the cipher is a TLS 1.3 cipher.
100	if (cipher == NULL \|\|
101	SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) \|\|
102	SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
103	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
104	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
105	return ssl_hs_error;
106	}
107
108	hs->new_cipher = cipher;
109
110	if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) \|\|
111	!hs->transcript.UpdateForHelloRetryRequest()) {
112	return ssl_hs_error;
113	}
114
115
116	bool have_cookie, have_key_share, have_supported_versions;
117	CBS cookie, key_share, supported_versions;
118	SSL_EXTENSION_TYPE ext_types[] = {
119	{TLSEXT_TYPE_key_share, &have_key_share, &key_share},
120	{TLSEXT_TYPE_cookie, &have_cookie, &cookie},
121	{TLSEXT_TYPE_supported_versions, &have_supported_versions,
122	&supported_versions},
123	};
124
125	uint8_t alert = SSL_AD_DECODE_ERROR;
126	if (!ssl_parse_extensions(&extensions, &alert, ext_types,
127	OPENSSL_ARRAY_SIZE(ext_types),
128	`0` / reject unknown /)) {
129	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
130	return ssl_hs_error;
131	}
132
133	if (!have_cookie && !have_key_share) {
134	OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);
135	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
136	return ssl_hs_error;
137	}
138	if (have_cookie) {
139	CBS cookie_value;
140	if (!CBS_get_u16_length_prefixed(&cookie, &cookie_value) \|\|
141	CBS_len(&cookie_value) == `0` \|\|
142	CBS_len(&cookie) != `0`) {
143	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
144	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
145	return ssl_hs_error;
146	}
147
148	if (!hs->cookie.CopyFrom(cookie_value)) {
149	return ssl_hs_error;
150	}
151	}
152
153	if (have_key_share) {
154	uint16_t group_id;
155	if (!CBS_get_u16(&key_share, &group_id) \|\| CBS_len(&key_share) != `0`) {
156	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
157	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
158	return ssl_hs_error;
159	}
160
161	// The group must be supported.
162	if (!tls1_check_group_id(hs, group_id)) {
163	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
164	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
165	return ssl_hs_error;
166	}
167
168	// Check that the HelloRetryRequest does not request a key share that was
169	// provided in the initial ClientHello.
170	if (hs->key_shares[`0`]->GroupID() == group_id \|\|
171	(hs->key_shares[`1`] && hs->key_shares[`1`]->GroupID() == group_id)) {
172	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
173	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
174	return ssl_hs_error;
175	}
176
177	hs->key_shares[`0`].reset();
178	hs->key_shares[`1`].reset();
179	hs->retry_group = group_id;
180	}
181
182	if (!ssl_hash_message(hs, msg)) {
183	return ssl_hs_error;
184	}
185
186	ssl->method->next_message(ssl);
187	hs->received_hello_retry_request = true;
188	hs->tls13_state = state_send_second_client_hello;
189	// 0-RTT is rejected if we receive a HelloRetryRequest.
190	if (hs->in_early_data) {
191	ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
192	return ssl_hs_early_data_rejected;
193	}
194	return ssl_hs_ok;
195	}
196
197	static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
198	SSL *const ssl = hs->ssl;
199	// Restore the null cipher. We may have switched due to 0-RTT.
200	bssl::UniquePtr<SSLAEADContext> null_ctx =
201	SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
202	if (!null_ctx \|\|
203	!ssl->method->set_write_state(ssl, std::move(null_ctx))) {
204	return ssl_hs_error;
205	}
206
207	ssl->s3->aead_write_ctx ->SetVersionIfNullCipher(ssl->version);
208
209	if (!ssl_write_client_hello(hs)) {
210	return ssl_hs_error;
211	}
212
213	hs->tls13_state = state_read_server_hello;
214	return ssl_hs_flush;
215	}
216
217	static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
218	SSL *const ssl = hs->ssl;
219	SSLMessage msg;
220	if (!ssl->method->get_message(ssl, &msg)) {
221	return ssl_hs_read_message;
222	}
223	if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO)) {
224	return ssl_hs_error;
225	}
226
227	CBS body = msg.body, server_random, session_id, extensions;
228	uint16_t server_version;
229	uint16_t cipher_suite;
230	uint8_t compression_method;
231	if (!CBS_get_u16(&body, &server_version) \|\|
232	!CBS_get_bytes(&body, &server_random, SSL3_RANDOM_SIZE) \|\|
233	!CBS_get_u8_length_prefixed(&body, &session_id) \|\|
234	!CBS_mem_equal(&session_id, hs->session_id, hs->session_id_len) \|\|
235	!CBS_get_u16(&body, &cipher_suite) \|\|
236	!CBS_get_u8(&body, &compression_method) \|\|
237	compression_method != `0` \|\|
238	!CBS_get_u16_length_prefixed(&body, &extensions) \|\|
239	CBS_len(&body) != `0`) {
240	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
241	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
242	return ssl_hs_error;
243	}
244
245	if (server_version != TLS1_2_VERSION) {
246	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
247	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_NUMBER);
248	return ssl_hs_error;
249	}
250
251	// Forbid a second HelloRetryRequest.
252	if (CBS_mem_equal(&server_random, kHelloRetryRequest, SSL3_RANDOM_SIZE)) {
253	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
254	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
255	return ssl_hs_error;
256	}
257
258	OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_random),
259	SSL3_RANDOM_SIZE);
260
261	// Check if the cipher is a TLS 1.3 cipher.
262	const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
263	if (cipher == nullptr \|\|
264	SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) \|\|
265	SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl)) {
266	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
267	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
268	return ssl_hs_error;
269	}
270
271	// Check that the cipher matches the one in the HelloRetryRequest.
272	if (hs->received_hello_retry_request &&
273	hs->new_cipher != cipher) {
274	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
275	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
276	return ssl_hs_error;
277	}
278
279	// Parse out the extensions.
280	bool have_key_share = false, have_pre_shared_key = false,
281	have_supported_versions = false;
282	CBS key_share, pre_shared_key, supported_versions;
283	SSL_EXTENSION_TYPE ext_types[] = {
284	{TLSEXT_TYPE_key_share, &have_key_share, &key_share},
285	{TLSEXT_TYPE_pre_shared_key, &have_pre_shared_key, &pre_shared_key},
286	{TLSEXT_TYPE_supported_versions, &have_supported_versions,
287	&supported_versions},
288	};
289
290	uint8_t alert = SSL_AD_DECODE_ERROR;
291	if (!ssl_parse_extensions(&extensions, &alert, ext_types,
292	OPENSSL_ARRAY_SIZE(ext_types),
293	`0` / reject unknown /)) {
294	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
295	return ssl_hs_error;
296	}
297
298	// Recheck supported_versions, in case this is the second ServerHello.
299	uint16_t version;
300	if (!have_supported_versions \|\|
301	!CBS_get_u16(&supported_versions, &version) \|\|
302	version != ssl->version) {
303	OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
304	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
305	return ssl_hs_error;
306	}
307
308	alert = SSL_AD_DECODE_ERROR;
309	if (have_pre_shared_key) {
310	if (ssl->session == NULL) {
311	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
312	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
313	return ssl_hs_error;
314	}
315
316	if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
317	&pre_shared_key)) {
318	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
319	return ssl_hs_error;
320	}
321
322	if (ssl->session ->ssl_version != ssl->version) {
323	OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
324	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
325	return ssl_hs_error;
326	}
327
328	if (ssl->session ->cipher->algorithm_prf != cipher->algorithm_prf) {
329	OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
330	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
331	return ssl_hs_error;
332	}
333
334	if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
335	// This is actually a client application bug.
336	OPENSSL_PUT_ERROR(SSL,
337	SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
338	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
339	return ssl_hs_error;
340	}
341
342	ssl->s3->session_reused = true;
343	// Only authentication information carries over in TLS 1.3.
344	hs->new_session =
345	SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
346	if (!hs->new_session) {
347	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
348	return ssl_hs_error;
349	}
350	ssl_set_session(ssl, NULL);
351
352	// Resumption incorporates fresh key material, so refresh the timeout.
353	ssl_session_renew_timeout(ssl, hs->new_session.get(),
354	ssl->session_ctx ->session_psk_dhe_timeout);
355	} else if (!ssl_get_new_session(hs, `0`)) {
356	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
357	return ssl_hs_error;
358	}
359
360	hs->new_session ->cipher = cipher;
361	hs->new_cipher = cipher;
362
363	size_t hash_len =
364	EVP_MD_size(ssl_get_handshake_digest(ssl_protocol_version(ssl), cipher));
365
366	// Set up the key schedule and incorporate the PSK into the running secret.
367	if (ssl->s3->session_reused) {
368	if (!tls13_init_key_schedule(hs, hs->new_session ->master_key,
369	hs->new_session ->master_key_length)) {
370	return ssl_hs_error;
371	}
372	} else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {
373	return ssl_hs_error;
374	}
375
376	if (!have_key_share) {
377	// We do not support psk_ke and thus always require a key share.
378	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
379	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
380	return ssl_hs_error;
381	}
382
383	// Resolve ECDHE and incorporate it into the secret.
384	Array<uint8_t> dhe_secret;
385	alert = SSL_AD_DECODE_ERROR;
386	if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
387	&key_share)) {
388	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
389	return ssl_hs_error;
390	}
391
392	if (!tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()) \|\|
393	!ssl_hash_message(hs, msg) \|\| !tls13_derive_handshake_secrets(hs) \|\|
394	!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
395	hs->server_handshake_secret, hs->hash_len)) {
396	return ssl_hs_error;
397	}
398
399	if (!hs->early_data_offered) {
400	// If not sending early data, set client traffic keys now so that alerts are
401	// encrypted.
402	if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
403	hs->client_handshake_secret, hs->hash_len)) {
404	return ssl_hs_error;
405	}
406	}
407
408	ssl->method->next_message(ssl);
409	hs->tls13_state = state_read_encrypted_extensions;
410	return ssl_hs_ok;
411	}
412
413	static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
414	SSL *const ssl = hs->ssl;
415	SSLMessage msg;
416	if (!ssl->method->get_message(ssl, &msg)) {
417	return ssl_hs_read_message;
418	}
419	if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
420	return ssl_hs_error;
421	}
422
423	CBS body = msg.body;
424	if (!ssl_parse_serverhello_tlsext(hs, &body)) {
425	OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
426	return ssl_hs_error;
427	}
428	if (CBS_len(&body) != `0`) {
429	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
430	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
431	return ssl_hs_error;
432	}
433
434	// Store the negotiated ALPN in the session.
435	if (!hs->new_session ->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
436	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
437	return ssl_hs_error;
438	}
439
440	if (ssl->s3->early_data_accepted) {
441	if (hs->early_session ->cipher != hs->new_session ->cipher \|\|
442	MakeConstSpan(hs->early_session ->early_alpn) !=
443	ssl->s3->alpn_selected) {
444	OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
445	return ssl_hs_error;
446	}
447	if (ssl->s3->channel_id_valid \|\| ssl->s3->token_binding_negotiated) {
448	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
449	return ssl_hs_error;
450	}
451	}
452
453	if (!ssl_hash_message(hs, msg)) {
454	return ssl_hs_error;
455	}
456
457	ssl->method->next_message(ssl);
458	hs->tls13_state = state_read_certificate_request;
459	if (hs->in_early_data && !ssl->s3->early_data_accepted) {
460	return ssl_hs_early_data_rejected;
461	}
462	return ssl_hs_ok;
463	}
464
465	static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
466	SSL *const ssl = hs->ssl;
467	// CertificateRequest may only be sent in non-resumption handshakes.
468	if (ssl->s3->session_reused) {
469	if (ssl->ctx ->reverify_on_resume && !ssl->s3->early_data_accepted) {
470	hs->tls13_state = state_server_certificate_reverify;
471	return ssl_hs_ok;
472	}
473	hs->tls13_state = state_read_server_finished;
474	return ssl_hs_ok;
475	}
476
477	SSLMessage msg;
478	if (!ssl->method->get_message(ssl, &msg)) {
479	return ssl_hs_read_message;
480	}
481
482	// CertificateRequest is optional.
483	if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
484	hs->tls13_state = state_read_server_certificate;
485	return ssl_hs_ok;
486	}
487
488
489	bool have_sigalgs = false, have_ca = false;
490	CBS sigalgs, ca;
491	const SSL_EXTENSION_TYPE ext_types[] = {
492	{TLSEXT_TYPE_signature_algorithms, &have_sigalgs, &sigalgs},
493	{TLSEXT_TYPE_certificate_authorities, &have_ca, &ca},
494	};
495
496	CBS body = msg.body, context, extensions, supported_signature_algorithms;
497	uint8_t alert = SSL_AD_DECODE_ERROR;
498	if (!CBS_get_u8_length_prefixed(&body, &context) \|\|
499	// The request context is always empty during the handshake.
500	CBS_len(&context) != `0` \|\|
501	!CBS_get_u16_length_prefixed(&body, &extensions) \|\|
502	CBS_len(&body) != `0` \|\|
503	!ssl_parse_extensions(&extensions, &alert, ext_types,
504	OPENSSL_ARRAY_SIZE(ext_types),
505	`1` / accept unknown /) \|\|
506	(have_ca && CBS_len(&ca) == `0`) \|\|
507	!have_sigalgs \|\|
508	!CBS_get_u16_length_prefixed(&sigalgs,
509	&supported_signature_algorithms) \|\|
510	!tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
511	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
512	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
513	return ssl_hs_error;
514	}
515
516	if (have_ca) {
517	hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca);
518	if (!hs->ca_names) {
519	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
520	return ssl_hs_error;
521	}
522	} else {
523	hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());
524	if (!hs->ca_names) {
525	OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
526	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
527	return ssl_hs_error;
528	}
529	}
530
531	hs->cert_request = true;
532	ssl->ctx ->x509_method->hs_flush_cached_ca_names(hs);
533
534	if (!ssl_hash_message(hs, msg)) {
535	return ssl_hs_error;
536	}
537
538	ssl->method->next_message(ssl);
539	hs->tls13_state = state_read_server_certificate;
540	return ssl_hs_ok;
541	}
542
543	static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
544	SSL *const ssl = hs->ssl;
545	SSLMessage msg;
546	if (!ssl->method->get_message(ssl, &msg)) {
547	return ssl_hs_read_message;
548	}
549
550	if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&
551	!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
552	return ssl_hs_error;
553	}
554
555	if (!tls13_process_certificate(hs, msg, false / certificate required /) \|\|
556	!ssl_hash_message(hs, msg)) {
557	return ssl_hs_error;
558	}
559
560	ssl->method->next_message(ssl);
561	hs->tls13_state = state_read_server_certificate_verify;
562	return ssl_hs_ok;
563	}
564
565	static enum ssl_hs_wait_t do_read_server_certificate_verify(
566	SSL_HANDSHAKE *hs) {
567	SSL *const ssl = hs->ssl;
568	SSLMessage msg;
569	if (!ssl->method->get_message(ssl, &msg)) {
570	return ssl_hs_read_message;
571	}
572	switch (ssl_verify_peer_cert(hs)) {
573	case ssl_verify_ok:
574	break;
575	case ssl_verify_invalid:
576	return ssl_hs_error;
577	case ssl_verify_retry:
578	hs->tls13_state = state_read_server_certificate_verify;
579	return ssl_hs_certificate_verify;
580	}
581
582	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) \|\|
583	!tls13_process_certificate_verify(hs, msg) \|\|
584	!ssl_hash_message(hs, msg)) {
585	return ssl_hs_error;
586	}
587
588	ssl->method->next_message(ssl);
589	hs->tls13_state = state_read_server_finished;
590	return ssl_hs_ok;
591	}
592
593	static enum ssl_hs_wait_t do_server_certificate_reverify(
594	SSL_HANDSHAKE *hs) {
595	switch (ssl_reverify_peer_cert(hs)) {
596	case ssl_verify_ok:
597	break;
598	case ssl_verify_invalid:
599	return ssl_hs_error;
600	case ssl_verify_retry:
601	hs->tls13_state = state_server_certificate_reverify;
602	return ssl_hs_certificate_verify;
603	}
604	hs->tls13_state = state_read_server_finished;
605	return ssl_hs_ok;
606	}
607
608	static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
609	SSL *const ssl = hs->ssl;
610	SSLMessage msg;
611	if (!ssl->method->get_message(ssl, &msg)) {
612	return ssl_hs_read_message;
613	}
614	if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) \|\|
615	!tls13_process_finished(hs, msg, false / don't use saved value /) \|\|
616	!ssl_hash_message(hs, msg) \|\|
617	// Update the secret to the master secret and derive traffic keys.
618	!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) \|\|
619	!tls13_derive_application_secrets(hs)) {
620	return ssl_hs_error;
621	}
622
623	ssl->method->next_message(ssl);
624	hs->tls13_state = state_send_end_of_early_data;
625	return ssl_hs_ok;
626	}
627
628	static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
629	SSL *const ssl = hs->ssl;
630
631	if (ssl->s3->early_data_accepted) {
632	hs->can_early_write = false;
633	ScopedCBB cbb;
634	CBB body;
635	if (!ssl->method->init_message(ssl, cbb.get(), &body,
636	SSL3_MT_END_OF_EARLY_DATA) \|\|
637	!ssl_add_message_cbb(ssl, cbb.get())) {
638	return ssl_hs_error;
639	}
640	}
641
642	if (hs->early_data_offered) {
643	if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
644	hs->client_handshake_secret, hs->hash_len)) {
645	return ssl_hs_error;
646	}
647	}
648
649	hs->tls13_state = state_send_client_certificate;
650	return ssl_hs_ok;
651	}
652
653	static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
654	SSL *const ssl = hs->ssl;
655
656	// The peer didn't request a certificate.
657	if (!hs->cert_request) {
658	hs->tls13_state = state_complete_second_flight;
659	return ssl_hs_ok;
660	}
661
662	// Call cert_cb to update the certificate.
663	if (hs->config->cert ->cert_cb != NULL) {
664	int rv = hs->config->cert ->cert_cb(ssl, hs->config->cert ->cert_cb_arg);
665	if (rv == `0`) {
666	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
667	OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
668	return ssl_hs_error;
669	}
670	if (rv < `0`) {
671	hs->tls13_state = state_send_client_certificate;
672	return ssl_hs_x509_lookup;
673	}
674	}
675
676	if (!ssl_on_certificate_selected(hs) \|\|
677	!tls13_add_certificate(hs)) {
678	return ssl_hs_error;
679	}
680
681	hs->tls13_state = state_send_client_certificate_verify;
682	return ssl_hs_ok;
683	}
684
685	static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
686	// Don't send CertificateVerify if there is no certificate.
687	if (!ssl_has_certificate(hs)) {
688	hs->tls13_state = state_complete_second_flight;
689	return ssl_hs_ok;
690	}
691
692	switch (tls13_add_certificate_verify(hs)) {
693	case ssl_private_key_success:
694	hs->tls13_state = state_complete_second_flight;
695	return ssl_hs_ok;
696
697	case ssl_private_key_retry:
698	hs->tls13_state = state_send_client_certificate_verify;
699	return ssl_hs_private_key_operation;
700
701	case ssl_private_key_failure:
702	return ssl_hs_error;
703	}
704
705	assert(`0`);
706	return ssl_hs_error;
707	}
708
709	static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
710	SSL *const ssl = hs->ssl;
711
712	// Send a Channel ID assertion if necessary.
713	if (ssl->s3->channel_id_valid) {
714	if (!ssl_do_channel_id_callback(hs)) {
715	hs->tls13_state = state_complete_second_flight;
716	return ssl_hs_error;
717	}
718
719	if (hs->config->channel_id_private == NULL) {
720	return ssl_hs_channel_id_lookup;
721	}
722
723	ScopedCBB cbb;
724	CBB body;
725	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) \|\|
726	!tls1_write_channel_id(hs, &body) \|\|
727	!ssl_add_message_cbb(ssl, cbb.get())) {
728	return ssl_hs_error;
729	}
730	}
731
732	// Send a Finished message.
733	if (!tls13_add_finished(hs)) {
734	return ssl_hs_error;
735	}
736
737	// Derive the final keys and enable them.
738	if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
739	hs->server_traffic_secret_0, hs->hash_len) \|\|
740	!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
741	hs->client_traffic_secret_0, hs->hash_len) \|\|
742	!tls13_derive_resumption_secret(hs)) {
743	return ssl_hs_error;
744	}
745
746	hs->tls13_state = state_done;
747	return ssl_hs_flush;
748	}
749
750	enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
751	while (hs->tls13_state != state_done) {
752	enum ssl_hs_wait_t ret = ssl_hs_error;
753	enum client_hs_state_t state =
754	static_cast<enum client_hs_state_t>(hs->tls13_state);
755	switch (state) {
756	case state_read_hello_retry_request:
757	ret = do_read_hello_retry_request(hs);
758	break;
759	case state_send_second_client_hello:
760	ret = do_send_second_client_hello(hs);
761	break;
762	case state_read_server_hello:
763	ret = do_read_server_hello(hs);
764	break;
765	case state_read_encrypted_extensions:
766	ret = do_read_encrypted_extensions(hs);
767	break;
768	case state_read_certificate_request:
769	ret = do_read_certificate_request(hs);
770	break;
771	case state_read_server_certificate:
772	ret = do_read_server_certificate(hs);
773	break;
774	case state_read_server_certificate_verify:
775	ret = do_read_server_certificate_verify(hs);
776	break;
777	case state_server_certificate_reverify:
778	ret = do_server_certificate_reverify(hs);
779	break;
780	case state_read_server_finished:
781	ret = do_read_server_finished(hs);
782	break;
783	case state_send_end_of_early_data:
784	ret = do_send_end_of_early_data(hs);
785	break;
786	case state_send_client_certificate:
787	ret = do_send_client_certificate(hs);
788	break;
789	case state_send_client_certificate_verify:
790	ret = do_send_client_certificate_verify(hs);
791	break;
792	case state_complete_second_flight:
793	ret = do_complete_second_flight(hs);
794	break;
795	case state_done:
796	ret = ssl_hs_ok;
797	break;
798	}
799
800	if (hs->tls13_state != state) {
801	ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, `1`);
802	}
803
804	if (ret != ssl_hs_ok) {
805	return ret;
806	}
807	}
808
809	return ssl_hs_ok;
810	}
811
812	const char tls13_client_handshake_state(SSL_HANDSHAKE hs) {
813	enum client_hs_state_t state =
814	static_cast<enum client_hs_state_t>(hs->tls13_state);
815	switch (state) {
816	case state_read_hello_retry_request:
817	return "TLS 1.3 client read_hello_retry_request";
818	case state_send_second_client_hello:
819	return "TLS 1.3 client send_second_client_hello";
820	case state_read_server_hello:
821	return "TLS 1.3 client read_server_hello";
822	case state_read_encrypted_extensions:
823	return "TLS 1.3 client read_encrypted_extensions";
824	case state_read_certificate_request:
825	return "TLS 1.3 client read_certificate_request";
826	case state_read_server_certificate:
827	return "TLS 1.3 client read_server_certificate";
828	case state_read_server_certificate_verify:
829	return "TLS 1.3 client read_server_certificate_verify";
830	case state_server_certificate_reverify:
831	return "TLS 1.3 client server_certificate_reverify";
832	case state_read_server_finished:
833	return "TLS 1.3 client read_server_finished";
834	case state_send_end_of_early_data:
835	return "TLS 1.3 client send_end_of_early_data";
836	case state_send_client_certificate:
837	return "TLS 1.3 client send_client_certificate";
838	case state_send_client_certificate_verify:
839	return "TLS 1.3 client send_client_certificate_verify";
840	case state_complete_second_flight:
841	return "TLS 1.3 client complete_second_flight";
842	case state_done:
843	return "TLS 1.3 client done";
844	}
845
846	return "TLS 1.3 client unknown";
847	}
848
849	bool tls13_process_new_session_ticket(SSL ssl, const* SSLMessage &msg) {
850	if (ssl->s3->write_shutdown != ssl_shutdown_none) {
851	// Ignore tickets on shutdown. Callers tend to indiscriminately call
852	// \|SSL_shutdown\| before destroying an \|SSL\|, at which point calling the new
853	// session callback may be confusing.
854	return true;
855	}
856
857	UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
858	ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
859	if (!session) {
860	return false;
861	}
862
863	ssl_session_rebase_time(ssl, session.get());
864
865	uint32_t server_timeout;
866	CBS body = msg.body, ticket_nonce, ticket, extensions;
867	if (!CBS_get_u32(&body, &server_timeout) \|\|
868	!CBS_get_u32(&body, &session ->ticket_age_add) \|\|
869	!CBS_get_u8_length_prefixed(&body, &ticket_nonce) \|\|
870	!CBS_get_u16_length_prefixed(&body, &ticket) \|\|
871	!session ->ticket.CopyFrom(ticket) \|\|
872	!CBS_get_u16_length_prefixed(&body, &extensions) \|\|
873	CBS_len(&body) != `0`) {
874	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
875	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
876	return false;
877	}
878
879	// Cap the renewable lifetime by the server advertised value. This avoids
880	// wasting bandwidth on 0-RTT when we know the server will reject it.
881	if (session ->timeout > server_timeout) {
882	session ->timeout = server_timeout;
883	}
884
885	if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
886	return false;
887	}
888
889	// Parse out the extensions.
890	bool have_early_data_info = false;
891	CBS early_data_info;
892	const SSL_EXTENSION_TYPE ext_types[] = {
893	{TLSEXT_TYPE_early_data, &have_early_data_info, &early_data_info},
894	};
895
896	uint8_t alert = SSL_AD_DECODE_ERROR;
897	if (!ssl_parse_extensions(&extensions, &alert, ext_types,
898	OPENSSL_ARRAY_SIZE(ext_types),
899	`1` / ignore unknown /)) {
900	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
901	return false;
902	}
903
904	if (have_early_data_info) {
905	if (!CBS_get_u32(&early_data_info, &session ->ticket_max_early_data) \|\|
906	CBS_len(&early_data_info) != `0`) {
907	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
908	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
909	return false;
910	}
911	}
912
913	// Generate a session ID for this session. Some callers expect all sessions to
914	// have a session ID.
915	SHA256(CBS_data(&ticket), CBS_len(&ticket), session ->session_id);
916	session ->session_id_length = SHA256_DIGEST_LENGTH;
917
918	session ->ticket_age_add_valid = true;
919	session ->not_resumable = false;
920
921	if ((ssl->session_ctx ->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
922	ssl->session_ctx ->new_session_cb != NULL &&
923	ssl->session_ctx ->new_session_cb(ssl, session.get())) {
924	// \|new_session_cb\|'s return value signals that it took ownership.
925	session.release();
926	}
927
928	return true;
929	}
930
931	BSSL_NAMESPACE_END
932

Browse the source code of engine/third_party/boringssl/src/ssl/tls13_client.cc