1 // Copyright 2016 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <algorithm>
21 #include <tuple>
22
23 #include <openssl/aead.h>
24 #include <openssl/bytestring.h>
25 #include <openssl/digest.h>
26 #include <openssl/err.h>
27 #include <openssl/hpke.h>
28 #include <openssl/mem.h>
29 #include <openssl/rand.h>
30 #include <openssl/stack.h>
31
32 #include "../crypto/internal.h"
33 #include "internal.h"
34
35
36 BSSL_NAMESPACE_BEGIN
37
38 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
39
40 // Allow a minute of ticket age skew in either direction. This covers
41 // transmission delays in ClientHello and NewSessionTicket, as well as
42 // drift between client and server clock rate since the ticket was issued.
43 // See RFC 8446, section 8.3.
44 static const int32_t kMaxTicketAgeSkewSeconds = 60;
45
resolve_pake_secret(SSL_HANDSHAKE * hs)46 static bool resolve_pake_secret(SSL_HANDSHAKE *hs) {
47 uint8_t verifier_share[spake2plus::kShareSize];
48 uint8_t verifier_confirm[spake2plus::kConfirmSize];
49 uint8_t shared_secret[spake2plus::kSecretSize];
50 if (!hs->pake_verifier->ProcessProverShare(verifier_share, verifier_confirm,
51 shared_secret,
52 hs->pake_share->pake_message)) {
53 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
54 ssl_send_alert(hs->ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
55 return false;
56 }
57
58 bssl::ScopedCBB cbb;
59 if (!CBB_init(cbb.get(), sizeof(verifier_share) + sizeof(verifier_confirm)) ||
60 !CBB_add_bytes(cbb.get(), verifier_share, sizeof(verifier_share)) ||
61 !CBB_add_bytes(cbb.get(), verifier_confirm, sizeof(verifier_confirm)) ||
62 !CBBFinishArray(cbb.get(), &hs->pake_share_bytes)) {
63 return false;
64 }
65
66 return tls13_advance_key_schedule(
67 hs, MakeConstSpan(shared_secret, sizeof(shared_secret)));
68 }
69
resolve_ecdhe_secret(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello)70 static bool resolve_ecdhe_secret(SSL_HANDSHAKE *hs,
71 const SSL_CLIENT_HELLO *client_hello) {
72 SSL *const ssl = hs->ssl;
73 const uint16_t group_id = hs->new_session->group_id;
74
75 bool found_key_share;
76 Span<const uint8_t> peer_key;
77 uint8_t alert = SSL_AD_DECODE_ERROR;
78 if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &peer_key,
79 &alert, client_hello)) {
80 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
81 return false;
82 }
83
84 if (!found_key_share) {
85 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
86 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
87 return false;
88 }
89
90 Array<uint8_t> secret;
91 SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
92 if (hints && !hs->hints_requested && hints->key_share_group_id == group_id &&
93 !hints->key_share_secret.empty()) {
94 // Copy the key_share secret from hints.
95 if (!hs->key_share_ciphertext.CopyFrom(hints->key_share_ciphertext) ||
96 !secret.CopyFrom(hints->key_share_secret)) {
97 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
98 return false;
99 }
100 } else {
101 ScopedCBB ciphertext;
102 UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
103 if (!key_share || //
104 !CBB_init(ciphertext.get(), 32) ||
105 !key_share->Encap(ciphertext.get(), &secret, &alert, peer_key) ||
106 !CBBFinishArray(ciphertext.get(), &hs->key_share_ciphertext)) {
107 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
108 return false;
109 }
110 if (hints && hs->hints_requested) {
111 hints->key_share_group_id = group_id;
112 if (!hints->key_share_ciphertext.CopyFrom(hs->key_share_ciphertext) ||
113 !hints->key_share_secret.CopyFrom(secret)) {
114 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
115 return false;
116 }
117 }
118 }
119
120 return tls13_advance_key_schedule(hs, secret);
121 }
122
ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)123 static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
124 CBB *out) {
125 CBB contents;
126 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || //
127 !CBB_add_u16_length_prefixed(out, &contents) || //
128 !CBB_add_u16(&contents, hs->ssl->s3->version) || //
129 !CBB_flush(out)) {
130 return 0;
131 }
132
133 return 1;
134 }
135
choose_tls13_cipher(const SSL * ssl,const SSL_CLIENT_HELLO * client_hello)136 static const SSL_CIPHER *choose_tls13_cipher(
137 const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {
138 CBS cipher_suites;
139 CBS_init(&cipher_suites, client_hello->cipher_suites,
140 client_hello->cipher_suites_len);
141
142 const uint16_t version = ssl_protocol_version(ssl);
143
144 return ssl_choose_tls13_cipher(cipher_suites,
145 ssl->config->aes_hw_override
146 ? ssl->config->aes_hw_override_value
147 : EVP_has_aes_hardware(),
148 version, ssl->config->compliance_policy);
149 }
150
add_new_session_tickets(SSL_HANDSHAKE * hs,bool * out_sent_tickets)151 static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
152 SSL *const ssl = hs->ssl;
153 if ( // If the client doesn't accept resumption with PSK_DHE_KE, don't send a
154 // session ticket.
155 !hs->accept_psk_mode ||
156 // We only implement stateless resumption in TLS 1.3, so skip sending
157 // tickets if disabled.
158 (SSL_get_options(ssl) & SSL_OP_NO_TICKET) ||
159 // Don't send tickets for PAKE connections. We don't support resumption
160 // with PAKEs.
161 hs->pake_verifier != nullptr) {
162 *out_sent_tickets = false;
163 return true;
164 }
165
166 // Rebase the session timestamp so that it is measured from ticket
167 // issuance.
168 ssl_session_rebase_time(ssl, hs->new_session.get());
169
170 assert(ssl->session_ctx->num_tickets <= kMaxTickets);
171 bool sent_tickets = false;
172 for (size_t i = 0; i < ssl->session_ctx->num_tickets; i++) {
173 UniquePtr<SSL_SESSION> session(
174 SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
175 if (!session) {
176 return false;
177 }
178
179 if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
180 return false;
181 }
182 session->ticket_age_add_valid = true;
183 // TODO(crbug.com/381113363): Remove the SSL_is_dtls check once we support
184 // 0-RTT for DTLS 1.3.
185 bool enable_early_data =
186 ssl->enable_early_data &&
187 (!SSL_is_quic(ssl) || !ssl->config->quic_early_data_context.empty()) &&
188 !SSL_is_dtls(ssl);
189 if (enable_early_data) {
190 // QUIC does not use the max_early_data_size parameter and always sets it
191 // to a fixed value. See RFC 9001, section 4.6.1.
192 session->ticket_max_early_data =
193 SSL_is_quic(ssl) ? 0xffffffff : kMaxEarlyDataAccepted;
194 }
195 session->is_resumable_across_names = ssl->resumption_across_names_enabled;
196
197 static_assert(kMaxTickets < 256, "Too many tickets");
198 assert(i < 256);
199 uint8_t nonce[] = {static_cast<uint8_t>(i)};
200
201 ScopedCBB cbb;
202 CBB body, nonce_cbb, ticket, extensions;
203 if (!ssl->method->init_message(ssl, cbb.get(), &body,
204 SSL3_MT_NEW_SESSION_TICKET) ||
205 !CBB_add_u32(&body, session->timeout) ||
206 !CBB_add_u32(&body, session->ticket_age_add) ||
207 !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||
208 !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||
209 !tls13_derive_session_psk(session.get(), nonce, SSL_is_dtls(ssl)) ||
210 !CBB_add_u16_length_prefixed(&body, &ticket) ||
211 !ssl_encrypt_ticket(hs, &ticket, session.get())) {
212 return false;
213 }
214
215 if (CBB_len(&ticket) == 0) {
216 // The caller decided not to encrypt a ticket. Skip the message.
217 continue;
218 }
219
220 if (!CBB_add_u16_length_prefixed(&body, &extensions)) {
221 return false;
222 }
223
224 if (enable_early_data) {
225 CBB early_data;
226 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||
227 !CBB_add_u16_length_prefixed(&extensions, &early_data) ||
228 !CBB_add_u32(&early_data, session->ticket_max_early_data) ||
229 !CBB_flush(&extensions)) {
230 return false;
231 }
232 }
233
234 SSLFlags flags = 0;
235 if (session->is_resumable_across_names) {
236 flags |= kSSLFlagResumptionAcrossNames;
237 }
238 if (!ssl_add_flags_extension(&extensions, flags)) {
239 return false;
240 }
241
242 // Add a fake extension. See RFC 8701.
243 if (!CBB_add_u16(&extensions,
244 ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||
245 !CBB_add_u16(&extensions, 0 /* empty */)) {
246 return false;
247 }
248
249 if (!ssl_add_message_cbb(ssl, cbb.get())) {
250 return false;
251 }
252 sent_tickets = true;
253 }
254
255 *out_sent_tickets = sent_tickets;
256 return true;
257 }
258
ssl_check_tls13_credential_ignoring_issuer(SSL_HANDSHAKE * hs,const SSL_CREDENTIAL * cred,uint16_t * out_sigalg)259 bool ssl_check_tls13_credential_ignoring_issuer(SSL_HANDSHAKE *hs,
260 const SSL_CREDENTIAL *cred,
261 uint16_t *out_sigalg) {
262 switch (cred->type) {
263 case SSLCredentialType::kX509:
264 break;
265 case SSLCredentialType::kDelegated:
266 // Check that the peer supports the signature over the delegated
267 // credential.
268 if (std::find(hs->peer_sigalgs.begin(), hs->peer_sigalgs.end(),
269 cred->dc_algorithm) == hs->peer_sigalgs.end()) {
270 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS);
271 return false;
272 }
273 break;
274 default:
275 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
276 return false;
277 }
278
279 // If we reach here then the credential requires a signature. If |cred| is a
280 // delegated credential, this also checks that the peer supports delegated
281 // credentials and matched |dc_cert_verify_algorithm|.
282 return tls1_choose_signature_algorithm(hs, cred, out_sigalg);
283 }
284
check_signature_credential(SSL_HANDSHAKE * hs,const SSL_CREDENTIAL * cred,uint16_t * out_sigalg)285 static bool check_signature_credential(SSL_HANDSHAKE *hs,
286 const SSL_CREDENTIAL *cred,
287 uint16_t *out_sigalg) {
288 return ssl_check_tls13_credential_ignoring_issuer(hs, cred, out_sigalg) &&
289 // Use this credential if it either matches a requested issuer,
290 // or does not require issuer matching.
291 ssl_credential_matches_requested_issuers(hs, cred);
292 }
293
check_pake_credential(SSL_HANDSHAKE * hs,const SSL_CREDENTIAL * cred)294 static bool check_pake_credential(SSL_HANDSHAKE *hs,
295 const SSL_CREDENTIAL *cred) {
296 assert(cred->type == SSLCredentialType::kSPAKE2PlusV1Server);
297 // Look for a client PAKE share that matches |cred|.
298 if (hs->pake_share == nullptr ||
299 hs->pake_share->named_pake != SSL_PAKE_SPAKE2PLUSV1 ||
300 hs->pake_share->client_identity != Span(cred->client_identity) ||
301 hs->pake_share->server_identity != Span(cred->server_identity)) {
302 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_PAKE_MISMATCH);
303 return false;
304 }
305
306 return true;
307 }
308
do_select_parameters(SSL_HANDSHAKE * hs)309 static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
310 // At this point, most ClientHello extensions have already been processed by
311 // the common handshake logic. Resolve the remaining non-PSK parameters.
312 SSL *const ssl = hs->ssl;
313 SSLMessage msg;
314 SSL_CLIENT_HELLO client_hello;
315 if (!hs->GetClientHello(&msg, &client_hello)) {
316 return ssl_hs_error;
317 }
318
319 if (SSL_is_quic(ssl) && client_hello.session_id_len > 0) {
320 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_COMPATIBILITY_MODE);
321 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
322 return ssl_hs_error;
323 }
324 // DTLS 1.3 disables compatibility mode, and even if the client advertised a
325 // session ID (for resumption in DTLS 1.2), the server "MUST NOT echo the
326 // 'legacy_session_id' value from the client" (RFC 9147, section 5) as it
327 // would in a TLS 1.3 handshake.
328 if (!SSL_is_dtls(ssl)) {
329 hs->session_id.CopyFrom(
330 Span(client_hello.session_id, client_hello.session_id_len));
331 }
332
333 Array<SSL_CREDENTIAL *> creds;
334 if (!ssl_get_full_credential_list(hs, &creds)) {
335 return ssl_hs_error;
336 }
337 if (creds.empty()) {
338 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
339 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
340 return ssl_hs_error;
341 }
342
343 // Select the credential to use.
344 for (SSL_CREDENTIAL *cred : creds) {
345 ERR_clear_error();
346 if (cred->type == SSLCredentialType::kSPAKE2PlusV1Server) {
347 if (check_pake_credential(hs, cred)) {
348 hs->credential = UpRef(cred);
349 hs->pake_verifier = MakeUnique<spake2plus::Verifier>();
350 if (hs->pake_verifier == nullptr ||
351 !hs->pake_verifier->Init(cred->pake_context, cred->client_identity,
352 cred->server_identity,
353 cred->password_verifier_w0,
354 cred->registration_record)) {
355 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
356 return ssl_hs_error;
357 }
358 break;
359 }
360 } else {
361 uint16_t sigalg;
362 if (check_signature_credential(hs, cred, &sigalg)) {
363 hs->credential = UpRef(cred);
364 hs->signature_algorithm = sigalg;
365 break;
366 }
367 }
368 }
369 if (hs->credential == nullptr) {
370 // The error from the last attempt is in the error queue.
371 assert(ERR_peek_error() != 0);
372 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
373 return ssl_hs_error;
374 }
375
376 // Negotiate the cipher suite.
377 hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
378 if (hs->new_cipher == NULL) {
379 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
380 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
381 return ssl_hs_error;
382 }
383
384 // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
385 // deferred. Complete it now.
386 uint8_t alert = SSL_AD_DECODE_ERROR;
387 if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
388 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
389 return ssl_hs_error;
390 }
391
392 // The PRF hash is now known.
393 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
394 return ssl_hs_error;
395 }
396
397 hs->tls13_state = state13_select_session;
398 return ssl_hs_ok;
399 }
400
select_session(SSL_HANDSHAKE * hs,uint8_t * out_alert,UniquePtr<SSL_SESSION> * out_session,int32_t * out_ticket_age_skew,bool * out_offered_ticket,const SSLMessage & msg,const SSL_CLIENT_HELLO * client_hello)401 static enum ssl_ticket_aead_result_t select_session(
402 SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,
403 int32_t *out_ticket_age_skew, bool *out_offered_ticket,
404 const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) {
405 SSL *const ssl = hs->ssl;
406 *out_session = nullptr;
407
408 CBS pre_shared_key;
409 *out_offered_ticket = ssl_client_hello_get_extension(
410 client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key);
411 if (!*out_offered_ticket) {
412 return ssl_ticket_aead_ignore_ticket;
413 }
414
415 // Per RFC 8446, section 4.2.9, servers MUST abort the handshake if the client
416 // sends pre_shared_key without psk_key_exchange_modes.
417 CBS unused;
418 if (!ssl_client_hello_get_extension(client_hello, &unused,
419 TLSEXT_TYPE_psk_key_exchange_modes)) {
420 *out_alert = SSL_AD_MISSING_EXTENSION;
421 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
422 return ssl_ticket_aead_error;
423 }
424
425 CBS ticket, binders;
426 uint32_t client_ticket_age;
427 if (!ssl_ext_pre_shared_key_parse_clienthello(
428 hs, &ticket, &binders, &client_ticket_age, out_alert, client_hello,
429 &pre_shared_key)) {
430 return ssl_ticket_aead_error;
431 }
432
433 // If the peer did not offer psk_dhe, ignore the resumption.
434 if (!hs->accept_psk_mode) {
435 return ssl_ticket_aead_ignore_ticket;
436 }
437
438 // We do not currently support resumption with PAKEs.
439 if (hs->credential != nullptr &&
440 hs->credential->type == SSLCredentialType::kSPAKE2PlusV1Server) {
441 return ssl_ticket_aead_ignore_ticket;
442 }
443
444 // TLS 1.3 session tickets are renewed separately as part of the
445 // NewSessionTicket.
446 bool unused_renew;
447 UniquePtr<SSL_SESSION> session;
448 enum ssl_ticket_aead_result_t ret =
449 ssl_process_ticket(hs, &session, &unused_renew, ticket, {});
450 switch (ret) {
451 case ssl_ticket_aead_success:
452 break;
453 case ssl_ticket_aead_error:
454 *out_alert = SSL_AD_INTERNAL_ERROR;
455 return ret;
456 default:
457 return ret;
458 }
459
460 if (!ssl_session_is_resumable(hs, session.get()) ||
461 // Historically, some TLS 1.3 tickets were missing ticket_age_add.
462 !session->ticket_age_add_valid) {
463 return ssl_ticket_aead_ignore_ticket;
464 }
465
466 // Recover the client ticket age and convert to seconds.
467 client_ticket_age -= session->ticket_age_add;
468 client_ticket_age /= 1000;
469
470 OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get());
471
472 // Compute the server ticket age in seconds.
473 assert(now.tv_sec >= session->time);
474 uint64_t server_ticket_age = now.tv_sec - session->time;
475
476 // To avoid overflowing |hs->ticket_age_skew|, we will not resume
477 // 68-year-old sessions.
478 if (server_ticket_age > INT32_MAX) {
479 return ssl_ticket_aead_ignore_ticket;
480 }
481
482 *out_ticket_age_skew = static_cast<int32_t>(client_ticket_age) -
483 static_cast<int32_t>(server_ticket_age);
484
485 // Check the PSK binder.
486 if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
487 *out_alert = SSL_AD_DECRYPT_ERROR;
488 return ssl_ticket_aead_error;
489 }
490
491 *out_session = std::move(session);
492 return ssl_ticket_aead_success;
493 }
494
quic_ticket_compatible(const SSL_SESSION * session,const SSL_CONFIG * config)495 static bool quic_ticket_compatible(const SSL_SESSION *session,
496 const SSL_CONFIG *config) {
497 if (!session->is_quic) {
498 return true;
499 }
500
501 if (session->quic_early_data_context.empty() ||
502 config->quic_early_data_context.size() !=
503 session->quic_early_data_context.size() ||
504 CRYPTO_memcmp(config->quic_early_data_context.data(),
505 session->quic_early_data_context.data(),
506 session->quic_early_data_context.size()) != 0) {
507 return false;
508 }
509 return true;
510 }
511
do_select_session(SSL_HANDSHAKE * hs)512 static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
513 SSL *const ssl = hs->ssl;
514 SSLMessage msg;
515 SSL_CLIENT_HELLO client_hello;
516 if (!hs->GetClientHello(&msg, &client_hello)) {
517 return ssl_hs_error;
518 }
519
520 uint8_t alert = SSL_AD_DECODE_ERROR;
521 UniquePtr<SSL_SESSION> session;
522 bool offered_ticket = false;
523 switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,
524 &offered_ticket, msg, &client_hello)) {
525 case ssl_ticket_aead_ignore_ticket:
526 assert(!session);
527 if (!ssl_get_new_session(hs)) {
528 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
529 return ssl_hs_error;
530 }
531 break;
532
533 case ssl_ticket_aead_success:
534 // Carry over authentication information from the previous handshake into
535 // a fresh session.
536 hs->new_session =
537 SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
538 if (hs->new_session == nullptr) {
539 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
540 return ssl_hs_error;
541 }
542
543 ssl->s3->session_reused = true;
544 hs->can_release_private_key = true;
545
546 // Resumption incorporates fresh key material, so refresh the timeout.
547 ssl_session_renew_timeout(ssl, hs->new_session.get(),
548 ssl->session_ctx->session_psk_dhe_timeout);
549 break;
550
551 case ssl_ticket_aead_error:
552 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
553 return ssl_hs_error;
554
555 case ssl_ticket_aead_retry:
556 hs->tls13_state = state13_select_session;
557 return ssl_hs_pending_ticket;
558 }
559
560 // Negotiate ALPS now, after ALPN is negotiated and |hs->new_session| is
561 // initialized.
562 if (!ssl_negotiate_alps(hs, &alert, &client_hello)) {
563 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
564 return ssl_hs_error;
565 }
566
567 // Record connection properties in the new session.
568 hs->new_session->cipher = hs->new_cipher;
569
570 // If using key shares, resolve the supported group and determine if we need
571 // HelloRetryRequest.
572 bool need_hrr = false;
573 if (hs->pake_verifier == nullptr) {
574 if (!tls1_get_shared_group(hs, &hs->new_session->group_id)) {
575 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
576 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
577 return ssl_hs_error;
578 }
579 bool found_key_share;
580 if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share,
581 /*out_key_share=*/nullptr, &alert,
582 &client_hello)) {
583 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
584 return ssl_hs_error;
585 }
586 need_hrr = !found_key_share;
587 }
588
589 // Determine if we're negotiating 0-RTT.
590 if (!ssl->enable_early_data) {
591 ssl->s3->early_data_reason = ssl_early_data_disabled;
592 } else if (!offered_ticket) {
593 ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
594 } else if (!session) {
595 ssl->s3->early_data_reason = ssl_early_data_session_not_resumed;
596 } else if (session->ticket_max_early_data == 0) {
597 ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
598 } else if (!hs->early_data_offered) {
599 ssl->s3->early_data_reason = ssl_early_data_peer_declined;
600 } else if (hs->channel_id_negotiated) {
601 // Channel ID is incompatible with 0-RTT.
602 ssl->s3->early_data_reason = ssl_early_data_channel_id;
603 } else if (Span(ssl->s3->alpn_selected) != session->early_alpn) {
604 // The negotiated ALPN must match the one in the ticket.
605 ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
606 } else if (hs->new_session->has_application_settings !=
607 session->has_application_settings ||
608 Span(hs->new_session->local_application_settings) !=
609 session->local_application_settings) {
610 ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;
611 } else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds ||
612 kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {
613 ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;
614 } else if (!quic_ticket_compatible(session.get(), hs->config)) {
615 ssl->s3->early_data_reason = ssl_early_data_quic_parameter_mismatch;
616 } else if (need_hrr) {
617 ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
618 } else {
619 // |ssl_session_is_resumable| forbids cross-cipher resumptions even if the
620 // PRF hashes match.
621 assert(hs->new_cipher == session->cipher);
622
623 ssl->s3->early_data_reason = ssl_early_data_accepted;
624 ssl->s3->early_data_accepted = true;
625 }
626
627 // Store the ALPN and ALPS values in the session for 0-RTT. Note the peer
628 // applications settings are not generally known until client
629 // EncryptedExtensions.
630 if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
631 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
632 return ssl_hs_error;
633 }
634
635 // The peer applications settings are usually received later, in
636 // EncryptedExtensions. But, in 0-RTT handshakes, we carry over the
637 // values from |session|. Do this now, before |session| is discarded.
638 if (ssl->s3->early_data_accepted &&
639 hs->new_session->has_application_settings &&
640 !hs->new_session->peer_application_settings.CopyFrom(
641 session->peer_application_settings)) {
642 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
643 return ssl_hs_error;
644 }
645
646 // Copy the QUIC early data context to the session.
647 if (ssl->enable_early_data && SSL_is_quic(ssl)) {
648 if (!hs->new_session->quic_early_data_context.CopyFrom(
649 hs->config->quic_early_data_context)) {
650 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
651 return ssl_hs_error;
652 }
653 }
654
655 if (ssl->ctx->dos_protection_cb != NULL &&
656 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
657 // Connection rejected for DOS reasons.
658 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
659 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
660 return ssl_hs_error;
661 }
662
663 size_t hash_len = EVP_MD_size(
664 ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
665
666 // Set up the key schedule and incorporate the PSK into the running secret.
667 if (!tls13_init_key_schedule(hs, ssl->s3->session_reused
668 ? Span(hs->new_session->secret)
669 : Span(kZeroes, hash_len)) ||
670 !ssl_hash_message(hs, msg)) {
671 return ssl_hs_error;
672 }
673
674 if (ssl->s3->early_data_accepted) {
675 if (!tls13_derive_early_secret(hs)) {
676 return ssl_hs_error;
677 }
678 } else if (hs->early_data_offered) {
679 ssl->s3->skip_early_data = true;
680 }
681
682 if (need_hrr) {
683 ssl->method->next_message(ssl);
684 if (!hs->transcript.UpdateForHelloRetryRequest()) {
685 return ssl_hs_error;
686 }
687 hs->tls13_state = state13_send_hello_retry_request;
688 return ssl_hs_ok;
689 }
690
691 if (hs->pake_verifier) {
692 assert(!ssl->s3->session_reused);
693 // Revealing the PAKE share (notably confirmV) allows the client to confirm
694 // one PAKE guess, so we must deduct from the brute force limit.
695 if (!hs->credential->ClaimPAKEAttempt()) {
696 OPENSSL_PUT_ERROR(SSL, SSL_R_PAKE_EXHAUSTED);
697 ssl_send_alert(hs->ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
698 return ssl_hs_error;
699 }
700 if (!resolve_pake_secret(hs)) {
701 return ssl_hs_error;
702 }
703 } else {
704 if (!resolve_ecdhe_secret(hs, &client_hello)) {
705 return ssl_hs_error;
706 }
707 }
708
709 ssl->method->next_message(ssl);
710 hs->ech_client_hello_buf.Reset();
711 hs->tls13_state = state13_send_server_hello;
712 return ssl_hs_ok;
713 }
714
do_send_hello_retry_request(SSL_HANDSHAKE * hs)715 static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
716 SSL *const ssl = hs->ssl;
717 if (hs->hints_requested) {
718 return ssl_hs_hints_ready;
719 }
720
721 // Although a server could HelloRetryRequest with PAKEs to request a cookie,
722 // we never do so.
723 assert(hs->pake_verifier == nullptr);
724 ScopedCBB cbb;
725 CBB body, session_id, extensions;
726 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
727 !CBB_add_u16(&body,
728 SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION) ||
729 !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||
730 !CBB_add_u8_length_prefixed(&body, &session_id) ||
731 !CBB_add_bytes(&session_id, hs->session_id.data(),
732 hs->session_id.size()) ||
733 !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
734 !CBB_add_u8(&body, 0 /* no compression */) ||
735 !CBB_add_u16_length_prefixed(&body, &extensions) ||
736 !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) ||
737 !CBB_add_u16(&extensions, 2 /* length */) ||
738 !CBB_add_u16(&extensions, ssl->s3->version) ||
739 !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
740 !CBB_add_u16(&extensions, 2 /* length */) ||
741 !CBB_add_u16(&extensions, hs->new_session->group_id)) {
742 return ssl_hs_error;
743 }
744 if (hs->ech_is_inner) {
745 // Fill a placeholder for the ECH confirmation value.
746 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_encrypted_client_hello) ||
747 !CBB_add_u16(&extensions, ECH_CONFIRMATION_SIGNAL_LEN) ||
748 !CBB_add_zeros(&extensions, ECH_CONFIRMATION_SIGNAL_LEN)) {
749 return ssl_hs_error;
750 }
751 }
752 Array<uint8_t> hrr;
753 if (!ssl->method->finish_message(ssl, cbb.get(), &hrr)) {
754 return ssl_hs_error;
755 }
756 if (hs->ech_is_inner) {
757 // Now that the message is encoded, fill in the whole value.
758 size_t offset = hrr.size() - ECH_CONFIRMATION_SIGNAL_LEN;
759 if (!ssl_ech_accept_confirmation(
760 hs, Span(hrr).last(ECH_CONFIRMATION_SIGNAL_LEN),
761 ssl->s3->client_random, hs->transcript, /*is_hrr=*/true, hrr,
762 offset)) {
763 return ssl_hs_error;
764 }
765 }
766
767 if (!ssl->method->add_message(ssl, std::move(hrr)) ||
768 !ssl->method->add_change_cipher_spec(ssl)) {
769 return ssl_hs_error;
770 }
771
772 ssl->s3->used_hello_retry_request = true;
773 hs->tls13_state = state13_read_second_client_hello;
774 return ssl_hs_flush;
775 }
776
do_read_second_client_hello(SSL_HANDSHAKE * hs)777 static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
778 SSL *const ssl = hs->ssl;
779 SSLMessage msg;
780 if (!ssl->method->get_message(ssl, &msg)) {
781 return ssl_hs_read_message;
782 }
783 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
784 return ssl_hs_error;
785 }
786 SSL_CLIENT_HELLO client_hello;
787 if (!SSL_parse_client_hello(ssl, &client_hello, CBS_data(&msg.body),
788 CBS_len(&msg.body))) {
789 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
790 return ssl_hs_error;
791 }
792
793 if (ssl->s3->ech_status == ssl_ech_accepted) {
794 // If we previously accepted the ClientHelloInner, the second ClientHello
795 // must contain an outer encrypted_client_hello extension.
796 CBS ech_body;
797 if (!ssl_client_hello_get_extension(&client_hello, &ech_body,
798 TLSEXT_TYPE_encrypted_client_hello)) {
799 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
800 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
801 return ssl_hs_error;
802 }
803 uint16_t kdf_id, aead_id;
804 uint8_t type, config_id;
805 CBS enc, payload;
806 if (!CBS_get_u8(&ech_body, &type) || //
807 type != ECH_CLIENT_OUTER || //
808 !CBS_get_u16(&ech_body, &kdf_id) || //
809 !CBS_get_u16(&ech_body, &aead_id) ||
810 !CBS_get_u8(&ech_body, &config_id) ||
811 !CBS_get_u16_length_prefixed(&ech_body, &enc) ||
812 !CBS_get_u16_length_prefixed(&ech_body, &payload) ||
813 CBS_len(&ech_body) != 0) {
814 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
815 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
816 return ssl_hs_error;
817 }
818
819 if (kdf_id != EVP_HPKE_KDF_id(EVP_HPKE_CTX_kdf(hs->ech_hpke_ctx.get())) ||
820 aead_id !=
821 EVP_HPKE_AEAD_id(EVP_HPKE_CTX_aead(hs->ech_hpke_ctx.get())) ||
822 config_id != hs->ech_config_id || CBS_len(&enc) > 0) {
823 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
824 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
825 return ssl_hs_error;
826 }
827
828 // Decrypt the payload with the HPKE context from the first ClientHello.
829 uint8_t alert = SSL_AD_DECODE_ERROR;
830 bool unused;
831 if (!ssl_client_hello_decrypt(hs, &alert, &unused,
832 &hs->ech_client_hello_buf, &client_hello,
833 payload)) {
834 // Decryption failure is fatal in the second ClientHello.
835 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
836 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
837 return ssl_hs_error;
838 }
839
840 // Reparse |client_hello| from the buffer owned by |hs|.
841 if (!hs->GetClientHello(&msg, &client_hello)) {
842 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
843 return ssl_hs_error;
844 }
845 }
846
847 // We perform all our negotiation based on the first ClientHello (for
848 // consistency with what |select_certificate_cb| observed), which is in the
849 // transcript, so we can ignore most of this second one.
850 //
851 // We do, however, check the second PSK binder. This covers the client key
852 // share, in case we ever send half-RTT data (we currently do not). It is also
853 // a tricky computation, so we enforce the peer handled it correctly.
854 if (ssl->s3->session_reused) {
855 CBS pre_shared_key;
856 if (!ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
857 TLSEXT_TYPE_pre_shared_key)) {
858 OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_CLIENT_HELLO);
859 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
860 return ssl_hs_error;
861 }
862
863 CBS ticket, binders;
864 uint32_t client_ticket_age;
865 uint8_t alert = SSL_AD_DECODE_ERROR;
866 if (!ssl_ext_pre_shared_key_parse_clienthello(
867 hs, &ticket, &binders, &client_ticket_age, &alert, &client_hello,
868 &pre_shared_key)) {
869 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
870 return ssl_hs_error;
871 }
872
873 // Note it is important that we do not obtain a new |SSL_SESSION| from
874 // |ticket|. We have already selected parameters based on the first
875 // ClientHello (in the transcript) and must not switch partway through.
876 if (!tls13_verify_psk_binder(hs, hs->new_session.get(), msg, &binders)) {
877 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
878 return ssl_hs_error;
879 }
880 }
881
882 // Although a server could HelloRetryRequest with PAKEs to request a cookie,
883 // we never do so.
884 assert(hs->pake_verifier == nullptr);
885 if (!resolve_ecdhe_secret(hs, &client_hello)) {
886 return ssl_hs_error;
887 }
888
889 if (!ssl_hash_message(hs, msg)) {
890 return ssl_hs_error;
891 }
892
893 // ClientHello should be the end of the flight.
894 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
895 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
896 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
897 return ssl_hs_error;
898 }
899
900 ssl->method->next_message(ssl);
901 hs->ech_client_hello_buf.Reset();
902 hs->tls13_state = state13_send_server_hello;
903 return ssl_hs_ok;
904 }
905
do_send_server_hello(SSL_HANDSHAKE * hs)906 static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
907 SSL *const ssl = hs->ssl;
908
909 Span<uint8_t> random(ssl->s3->server_random);
910
911 SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
912 if (hints && !hs->hints_requested &&
913 hints->server_random_tls13.size() == random.size()) {
914 OPENSSL_memcpy(random.data(), hints->server_random_tls13.data(),
915 random.size());
916 } else {
917 RAND_bytes(random.data(), random.size());
918 if (hints && hs->hints_requested &&
919 !hints->server_random_tls13.CopyFrom(random)) {
920 return ssl_hs_error;
921 }
922 }
923
924 Array<uint8_t> server_hello;
925 ScopedCBB cbb;
926 CBB body, extensions, session_id;
927 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
928 !CBB_add_u16(&body,
929 SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION) ||
930 !CBB_add_bytes(&body, ssl->s3->server_random,
931 sizeof(ssl->s3->server_random)) ||
932 !CBB_add_u8_length_prefixed(&body, &session_id) ||
933 !CBB_add_bytes(&session_id, hs->session_id.data(),
934 hs->session_id.size()) ||
935 !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
936 !CBB_add_u8(&body, 0) ||
937 !CBB_add_u16_length_prefixed(&body, &extensions) ||
938 !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
939 !ssl_ext_pake_add_serverhello(hs, &extensions) ||
940 !ssl_ext_key_share_add_serverhello(hs, &extensions) ||
941 !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||
942 !ssl->method->finish_message(ssl, cbb.get(), &server_hello)) {
943 return ssl_hs_error;
944 }
945
946 assert(ssl->s3->ech_status != ssl_ech_accepted || hs->ech_is_inner);
947 if (hs->ech_is_inner) {
948 // Fill in the ECH confirmation signal.
949 const size_t offset = ssl_ech_confirmation_signal_hello_offset(ssl);
950 Span<uint8_t> random_suffix = random.last(ECH_CONFIRMATION_SIGNAL_LEN);
951 if (!ssl_ech_accept_confirmation(hs, random_suffix, ssl->s3->client_random,
952 hs->transcript,
953 /*is_hrr=*/false, server_hello, offset)) {
954 return ssl_hs_error;
955 }
956
957 // Update |server_hello|.
958 Span<uint8_t> server_hello_out =
959 Span(server_hello).subspan(offset, ECH_CONFIRMATION_SIGNAL_LEN);
960 OPENSSL_memcpy(server_hello_out.data(), random_suffix.data(),
961 ECH_CONFIRMATION_SIGNAL_LEN);
962 }
963
964 if (!ssl->method->add_message(ssl, std::move(server_hello))) {
965 return ssl_hs_error;
966 }
967
968 hs->key_share_ciphertext.Reset(); // No longer needed.
969 if (!ssl->s3->used_hello_retry_request &&
970 !ssl->method->add_change_cipher_spec(ssl)) {
971 return ssl_hs_error;
972 }
973
974 // Derive and enable the handshake traffic secrets.
975 if (!tls13_derive_handshake_secrets(hs) ||
976 !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
977 hs->new_session.get(),
978 hs->server_handshake_secret)) {
979 return ssl_hs_error;
980 }
981
982 // Send EncryptedExtensions.
983 if (!ssl->method->init_message(ssl, cbb.get(), &body,
984 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
985 !ssl_add_serverhello_tlsext(hs, &body) ||
986 !ssl_add_message_cbb(ssl, cbb.get())) {
987 return ssl_hs_error;
988 }
989
990 if (!ssl->s3->session_reused && !hs->pake_verifier) {
991 // Determine whether to request a client certificate.
992 hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
993 }
994
995 // Send a CertificateRequest, if necessary.
996 if (hs->cert_request) {
997 CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;
998 if (!ssl->method->init_message(ssl, cbb.get(), &body,
999 SSL3_MT_CERTIFICATE_REQUEST) ||
1000 !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||
1001 !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) ||
1002 !CBB_add_u16(&cert_request_extensions,
1003 TLSEXT_TYPE_signature_algorithms) ||
1004 !CBB_add_u16_length_prefixed(&cert_request_extensions,
1005 &sigalg_contents) ||
1006 !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
1007 !tls12_add_verify_sigalgs(hs, &sigalgs_cbb)) {
1008 return ssl_hs_error;
1009 }
1010
1011 if (ssl_has_client_CAs(hs->config)) {
1012 CBB ca_contents;
1013 if (!CBB_add_u16(&cert_request_extensions,
1014 TLSEXT_TYPE_certificate_authorities) ||
1015 !CBB_add_u16_length_prefixed(&cert_request_extensions,
1016 &ca_contents) ||
1017 !ssl_add_client_CA_list(hs, &ca_contents) ||
1018 !CBB_flush(&cert_request_extensions)) {
1019 return ssl_hs_error;
1020 }
1021 }
1022
1023 if (!ssl_add_message_cbb(ssl, cbb.get())) {
1024 return ssl_hs_error;
1025 }
1026 }
1027
1028 // Send the server Certificate message, if necessary.
1029 if (!ssl->s3->session_reused && !hs->pake_verifier) {
1030 if (!tls13_add_certificate(hs)) {
1031 return ssl_hs_error;
1032 }
1033
1034 hs->tls13_state = state13_send_server_certificate_verify;
1035 return ssl_hs_ok;
1036 }
1037
1038 hs->tls13_state = state13_send_server_finished;
1039 return ssl_hs_ok;
1040 }
1041
do_send_server_certificate_verify(SSL_HANDSHAKE * hs)1042 static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
1043 switch (tls13_add_certificate_verify(hs)) {
1044 case ssl_private_key_success:
1045 hs->tls13_state = state13_send_server_finished;
1046 return ssl_hs_ok;
1047
1048 case ssl_private_key_retry:
1049 hs->tls13_state = state13_send_server_certificate_verify;
1050 return ssl_hs_private_key_operation;
1051
1052 case ssl_private_key_failure:
1053 return ssl_hs_error;
1054 }
1055
1056 assert(0);
1057 return ssl_hs_error;
1058 }
1059
do_send_server_finished(SSL_HANDSHAKE * hs)1060 static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
1061 SSL *const ssl = hs->ssl;
1062 if (hs->hints_requested) {
1063 return ssl_hs_hints_ready;
1064 }
1065
1066 hs->can_release_private_key = true;
1067 if (!tls13_add_finished(hs) ||
1068 // Update the secret to the master secret and derive traffic keys.
1069 !tls13_advance_key_schedule(hs,
1070 Span(kZeroes, hs->transcript.DigestLen())) ||
1071 !tls13_derive_application_secrets(hs) ||
1072 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
1073 hs->new_session.get(),
1074 hs->server_traffic_secret_0)) {
1075 return ssl_hs_error;
1076 }
1077
1078 hs->tls13_state = state13_send_half_rtt_ticket;
1079 return hs->handback ? ssl_hs_handback : ssl_hs_ok;
1080 }
1081
do_send_half_rtt_ticket(SSL_HANDSHAKE * hs)1082 static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) {
1083 SSL *const ssl = hs->ssl;
1084
1085 if (ssl->s3->early_data_accepted) {
1086 // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
1087 // the wire sooner and also avoids triggering a write on |SSL_read| when
1088 // processing the client Finished. This requires computing the client
1089 // Finished early. See RFC 8446, section 4.6.1.
1090 static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0,
1091 0};
1092 if (!SSL_is_quic(ssl) && !hs->transcript.Update(kEndOfEarlyData)) {
1093 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1094 return ssl_hs_error;
1095 }
1096
1097 size_t finished_len;
1098 hs->expected_client_finished.Resize(hs->transcript.DigestLen());
1099 if (!tls13_finished_mac(hs, hs->expected_client_finished.data(),
1100 &finished_len, false /* client */)) {
1101 return ssl_hs_error;
1102 }
1103
1104 if (finished_len != hs->expected_client_finished.size()) {
1105 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1106 return ssl_hs_error;
1107 }
1108
1109 // Feed the predicted Finished into the transcript. This allows us to derive
1110 // the resumption secret early and send half-RTT tickets.
1111 //
1112 // TODO(crbug.com/381113363): Don't use half-RTT tickets with DTLS 1.3.
1113 // TODO(crbug.com/376939532): Perhaps don't use half-RTT tickets at all.
1114 assert(!SSL_is_dtls(hs->ssl));
1115 assert(hs->expected_client_finished.size() <= 0xff);
1116 uint8_t header[4] = {
1117 SSL3_MT_FINISHED, 0, 0,
1118 static_cast<uint8_t>(hs->expected_client_finished.size())};
1119 bool unused_sent_tickets;
1120 if (!hs->transcript.Update(header) ||
1121 !hs->transcript.Update(hs->expected_client_finished) ||
1122 !tls13_derive_resumption_secret(hs) ||
1123 !add_new_session_tickets(hs, &unused_sent_tickets)) {
1124 return ssl_hs_error;
1125 }
1126 }
1127
1128 hs->tls13_state = state13_read_second_client_flight;
1129 return ssl_hs_flush;
1130 }
1131
uses_end_of_early_data(const SSL * ssl)1132 static bool uses_end_of_early_data(const SSL *ssl) {
1133 // DTLS and QUIC omit the EndOfEarlyData message. See RFC 9001, section 8.3,
1134 // and RFC 9147, section 5.6.
1135 return !SSL_is_quic(ssl) && !SSL_is_dtls(ssl);
1136 }
1137
do_read_second_client_flight(SSL_HANDSHAKE * hs)1138 static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
1139 SSL *const ssl = hs->ssl;
1140 if (ssl->s3->early_data_accepted) {
1141 if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
1142 hs->new_session.get(),
1143 hs->early_traffic_secret)) {
1144 return ssl_hs_error;
1145 }
1146 hs->can_early_write = true;
1147 hs->can_early_read = true;
1148 hs->in_early_data = true;
1149 }
1150
1151 // If the EndOfEarlyData message is not used, switch to
1152 // client_handshake_secret before the early return.
1153 if (!uses_end_of_early_data(ssl)) {
1154 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
1155 hs->new_session.get(),
1156 hs->client_handshake_secret)) {
1157 return ssl_hs_error;
1158 }
1159 hs->tls13_state = state13_process_end_of_early_data;
1160 return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;
1161 }
1162
1163 hs->tls13_state = state13_process_end_of_early_data;
1164 return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
1165 : ssl_hs_ok;
1166 }
1167
do_process_end_of_early_data(SSL_HANDSHAKE * hs)1168 static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
1169 SSL *const ssl = hs->ssl;
1170 // In protocols that use EndOfEarlyData, we must consume the extra message and
1171 // switch to client_handshake_secret after the early return.
1172 if (uses_end_of_early_data(ssl)) {
1173 // If early data was not accepted, the EndOfEarlyData will be in the
1174 // discarded early data.
1175 if (hs->ssl->s3->early_data_accepted) {
1176 SSLMessage msg;
1177 if (!ssl->method->get_message(ssl, &msg)) {
1178 return ssl_hs_read_message;
1179 }
1180 if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
1181 return ssl_hs_error;
1182 }
1183 if (CBS_len(&msg.body) != 0) {
1184 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1185 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1186 return ssl_hs_error;
1187 }
1188 ssl->method->next_message(ssl);
1189 }
1190 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
1191 hs->new_session.get(),
1192 hs->client_handshake_secret)) {
1193 return ssl_hs_error;
1194 }
1195 }
1196 hs->tls13_state = state13_read_client_encrypted_extensions;
1197 return ssl_hs_ok;
1198 }
1199
do_read_client_encrypted_extensions(SSL_HANDSHAKE * hs)1200 static enum ssl_hs_wait_t do_read_client_encrypted_extensions(
1201 SSL_HANDSHAKE *hs) {
1202 SSL *const ssl = hs->ssl;
1203 // For now, only one extension uses client EncryptedExtensions. This function
1204 // may be generalized if others use it in the future.
1205 if (hs->new_session->has_application_settings &&
1206 !ssl->s3->early_data_accepted) {
1207 SSLMessage msg;
1208 if (!ssl->method->get_message(ssl, &msg)) {
1209 return ssl_hs_read_message;
1210 }
1211 if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
1212 return ssl_hs_error;
1213 }
1214
1215 CBS body = msg.body, extensions;
1216 if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
1217 CBS_len(&body) != 0) {
1218 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1219 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1220 return ssl_hs_error;
1221 }
1222
1223 uint16_t extension_type = TLSEXT_TYPE_application_settings_old;
1224 if (hs->config->alps_use_new_codepoint) {
1225 extension_type = TLSEXT_TYPE_application_settings;
1226 }
1227 SSLExtension application_settings(extension_type);
1228 uint8_t alert = SSL_AD_DECODE_ERROR;
1229 if (!ssl_parse_extensions(&extensions, &alert, {&application_settings},
1230 /*ignore_unknown=*/false)) {
1231 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1232 return ssl_hs_error;
1233 }
1234
1235 if (!application_settings.present) {
1236 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
1237 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
1238 return ssl_hs_error;
1239 }
1240
1241 // Note that, if 0-RTT was accepted, these values will already have been
1242 // initialized earlier.
1243 if (!hs->new_session->peer_application_settings.CopyFrom(
1244 application_settings.data) ||
1245 !ssl_hash_message(hs, msg)) {
1246 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1247 return ssl_hs_error;
1248 }
1249
1250 ssl->method->next_message(ssl);
1251 }
1252
1253 hs->tls13_state = state13_read_client_certificate;
1254 return ssl_hs_ok;
1255 }
1256
do_read_client_certificate(SSL_HANDSHAKE * hs)1257 static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
1258 SSL *const ssl = hs->ssl;
1259 if (!hs->cert_request) {
1260 if (!ssl->s3->session_reused) {
1261 // OpenSSL returns X509_V_OK when no certificates are requested. This is
1262 // classed by them as a bug, but it's assumed by at least NGINX. (Only do
1263 // this in full handshakes as resumptions should carry over the previous
1264 // |verify_result|, though this is a no-op because servers do not
1265 // implement the client's odd soft-fail mode.)
1266 hs->new_session->verify_result = X509_V_OK;
1267 }
1268
1269 // Skip this state.
1270 hs->tls13_state = state13_read_channel_id;
1271 return ssl_hs_ok;
1272 }
1273
1274 const bool allow_anonymous =
1275 (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
1276 SSLMessage msg;
1277 if (!ssl->method->get_message(ssl, &msg)) {
1278 return ssl_hs_read_message;
1279 }
1280 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
1281 !tls13_process_certificate(hs, msg, allow_anonymous) ||
1282 !ssl_hash_message(hs, msg)) {
1283 return ssl_hs_error;
1284 }
1285
1286 ssl->method->next_message(ssl);
1287 hs->tls13_state = state13_read_client_certificate_verify;
1288 return ssl_hs_ok;
1289 }
1290
do_read_client_certificate_verify(SSL_HANDSHAKE * hs)1291 static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
1292 SSL *const ssl = hs->ssl;
1293 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
1294 // Skip this state.
1295 hs->tls13_state = state13_read_channel_id;
1296 return ssl_hs_ok;
1297 }
1298
1299 SSLMessage msg;
1300 if (!ssl->method->get_message(ssl, &msg)) {
1301 return ssl_hs_read_message;
1302 }
1303
1304 switch (ssl_verify_peer_cert(hs)) {
1305 case ssl_verify_ok:
1306 break;
1307 case ssl_verify_invalid:
1308 return ssl_hs_error;
1309 case ssl_verify_retry:
1310 hs->tls13_state = state13_read_client_certificate_verify;
1311 return ssl_hs_certificate_verify;
1312 }
1313
1314 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
1315 !tls13_process_certificate_verify(hs, msg) ||
1316 !ssl_hash_message(hs, msg)) {
1317 return ssl_hs_error;
1318 }
1319
1320 ssl->method->next_message(ssl);
1321 hs->tls13_state = state13_read_channel_id;
1322 return ssl_hs_ok;
1323 }
1324
do_read_channel_id(SSL_HANDSHAKE * hs)1325 static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
1326 SSL *const ssl = hs->ssl;
1327 if (!hs->channel_id_negotiated) {
1328 hs->tls13_state = state13_read_client_finished;
1329 return ssl_hs_ok;
1330 }
1331
1332 SSLMessage msg;
1333 if (!ssl->method->get_message(ssl, &msg)) {
1334 return ssl_hs_read_message;
1335 }
1336 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || //
1337 !tls1_verify_channel_id(hs, msg) || //
1338 !ssl_hash_message(hs, msg)) {
1339 return ssl_hs_error;
1340 }
1341
1342 ssl->method->next_message(ssl);
1343 hs->tls13_state = state13_read_client_finished;
1344 return ssl_hs_ok;
1345 }
1346
do_read_client_finished(SSL_HANDSHAKE * hs)1347 static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
1348 SSL *const ssl = hs->ssl;
1349 SSLMessage msg;
1350 if (!ssl->method->get_message(ssl, &msg)) {
1351 return ssl_hs_read_message;
1352 }
1353 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
1354 // If early data was accepted, we've already computed the client Finished
1355 // and derived the resumption secret.
1356 !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||
1357 // evp_aead_seal keys have already been switched.
1358 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
1359 hs->new_session.get(),
1360 hs->client_traffic_secret_0)) {
1361 return ssl_hs_error;
1362 }
1363
1364 if (!ssl->s3->early_data_accepted) {
1365 if (!ssl_hash_message(hs, msg) || //
1366 !tls13_derive_resumption_secret(hs)) {
1367 return ssl_hs_error;
1368 }
1369
1370 // We send post-handshake tickets as part of the handshake in 1-RTT.
1371 hs->tls13_state = state13_send_new_session_ticket;
1372 } else {
1373 // We already sent half-RTT tickets.
1374 hs->tls13_state = state13_done;
1375 }
1376
1377 if (hs->credential != nullptr &&
1378 hs->credential->type == SSLCredentialType::kSPAKE2PlusV1Server) {
1379 // The client has now confirmed that it does know the correct password, so
1380 // this connection no longer counts towards the brute force limit.
1381 hs->credential->RestorePAKEAttempt();
1382 }
1383
1384 ssl->method->next_message(ssl);
1385 if (SSL_is_dtls(ssl)) {
1386 ssl->method->schedule_ack(ssl);
1387 return ssl_hs_flush;
1388 }
1389 return ssl_hs_ok;
1390 }
1391
do_send_new_session_ticket(SSL_HANDSHAKE * hs)1392 static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
1393 SSL *const ssl = hs->ssl;
1394 bool sent_tickets;
1395 if (!add_new_session_tickets(hs, &sent_tickets)) {
1396 return ssl_hs_error;
1397 }
1398
1399 hs->tls13_state = state13_done;
1400 // In QUIC and DTLS, we can flush the ticket to the transport immediately. In
1401 // TLS over TCP-like transports, we defer until the server performs a write.
1402 // This prevents a non-reading client from causing the server to hang in the
1403 // case of a small server write buffer. Consumers which don't write data to
1404 // the client will need to do a zero-byte write if they wish to flush the
1405 // tickets.
1406 bool should_flush = sent_tickets && (SSL_is_dtls(ssl) || SSL_is_quic(ssl));
1407 return should_flush ? ssl_hs_flush : ssl_hs_ok;
1408 }
1409
tls13_server_handshake(SSL_HANDSHAKE * hs)1410 enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
1411 while (hs->tls13_state != state13_done) {
1412 enum ssl_hs_wait_t ret = ssl_hs_error;
1413 enum tls13_server_hs_state_t state =
1414 static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
1415 switch (state) {
1416 case state13_select_parameters:
1417 ret = do_select_parameters(hs);
1418 break;
1419 case state13_select_session:
1420 ret = do_select_session(hs);
1421 break;
1422 case state13_send_hello_retry_request:
1423 ret = do_send_hello_retry_request(hs);
1424 break;
1425 case state13_read_second_client_hello:
1426 ret = do_read_second_client_hello(hs);
1427 break;
1428 case state13_send_server_hello:
1429 ret = do_send_server_hello(hs);
1430 break;
1431 case state13_send_server_certificate_verify:
1432 ret = do_send_server_certificate_verify(hs);
1433 break;
1434 case state13_send_server_finished:
1435 ret = do_send_server_finished(hs);
1436 break;
1437 case state13_send_half_rtt_ticket:
1438 ret = do_send_half_rtt_ticket(hs);
1439 break;
1440 case state13_read_second_client_flight:
1441 ret = do_read_second_client_flight(hs);
1442 break;
1443 case state13_process_end_of_early_data:
1444 ret = do_process_end_of_early_data(hs);
1445 break;
1446 case state13_read_client_encrypted_extensions:
1447 ret = do_read_client_encrypted_extensions(hs);
1448 break;
1449 case state13_read_client_certificate:
1450 ret = do_read_client_certificate(hs);
1451 break;
1452 case state13_read_client_certificate_verify:
1453 ret = do_read_client_certificate_verify(hs);
1454 break;
1455 case state13_read_channel_id:
1456 ret = do_read_channel_id(hs);
1457 break;
1458 case state13_read_client_finished:
1459 ret = do_read_client_finished(hs);
1460 break;
1461 case state13_send_new_session_ticket:
1462 ret = do_send_new_session_ticket(hs);
1463 break;
1464 case state13_done:
1465 ret = ssl_hs_ok;
1466 break;
1467 }
1468
1469 if (hs->tls13_state != state) {
1470 ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
1471 }
1472
1473 if (ret != ssl_hs_ok) {
1474 return ret;
1475 }
1476 }
1477
1478 return ssl_hs_ok;
1479 }
1480
tls13_server_handshake_state(SSL_HANDSHAKE * hs)1481 const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
1482 enum tls13_server_hs_state_t state =
1483 static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
1484 switch (state) {
1485 case state13_select_parameters:
1486 return "TLS 1.3 server select_parameters";
1487 case state13_select_session:
1488 return "TLS 1.3 server select_session";
1489 case state13_send_hello_retry_request:
1490 return "TLS 1.3 server send_hello_retry_request";
1491 case state13_read_second_client_hello:
1492 return "TLS 1.3 server read_second_client_hello";
1493 case state13_send_server_hello:
1494 return "TLS 1.3 server send_server_hello";
1495 case state13_send_server_certificate_verify:
1496 return "TLS 1.3 server send_server_certificate_verify";
1497 case state13_send_half_rtt_ticket:
1498 return "TLS 1.3 server send_half_rtt_ticket";
1499 case state13_send_server_finished:
1500 return "TLS 1.3 server send_server_finished";
1501 case state13_read_second_client_flight:
1502 return "TLS 1.3 server read_second_client_flight";
1503 case state13_process_end_of_early_data:
1504 return "TLS 1.3 server process_end_of_early_data";
1505 case state13_read_client_encrypted_extensions:
1506 return "TLS 1.3 server read_client_encrypted_extensions";
1507 case state13_read_client_certificate:
1508 return "TLS 1.3 server read_client_certificate";
1509 case state13_read_client_certificate_verify:
1510 return "TLS 1.3 server read_client_certificate_verify";
1511 case state13_read_channel_id:
1512 return "TLS 1.3 server read_channel_id";
1513 case state13_read_client_finished:
1514 return "TLS 1.3 server read_client_finished";
1515 case state13_send_new_session_ticket:
1516 return "TLS 1.3 server send_new_session_ticket";
1517 case state13_done:
1518 return "TLS 1.3 server done";
1519 }
1520
1521 return "TLS 1.3 server unknown";
1522 }
1523
1524 BSSL_NAMESPACE_END
1525