1 /* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <limits.h>
19 #include <string.h>
20
21 #include <utility>
22
23 #include <openssl/bytestring.h>
24 #include <openssl/digest.h>
25 #include <openssl/err.h>
26 #include <openssl/mem.h>
27 #include <openssl/sha.h>
28 #include <openssl/stack.h>
29
30 #include "../crypto/internal.h"
31 #include "internal.h"
32
33
34 BSSL_NAMESPACE_BEGIN
35
36 enum client_hs_state_t {
37 state_read_hello_retry_request = 0,
38 state_send_second_client_hello,
39 state_read_server_hello,
40 state_read_encrypted_extensions,
41 state_read_certificate_request,
42 state_read_server_certificate,
43 state_read_server_certificate_verify,
44 state_server_certificate_reverify,
45 state_read_server_finished,
46 state_send_end_of_early_data,
47 state_send_client_encrypted_extensions,
48 state_send_client_certificate,
49 state_send_client_certificate_verify,
50 state_complete_second_flight,
51 state_done,
52 };
53
54 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
55
56 // end_of_early_data closes the early data stream for |hs| and switches the
57 // encryption level to |level|. It returns true on success and false on error.
close_early_data(SSL_HANDSHAKE * hs,ssl_encryption_level_t level)58 static bool close_early_data(SSL_HANDSHAKE *hs, ssl_encryption_level_t level) {
59 SSL *const ssl = hs->ssl;
60 assert(hs->in_early_data);
61
62 // Note |can_early_write| may already be false if |SSL_write| exceeded the
63 // early data write limit.
64 hs->can_early_write = false;
65
66 // 0-RTT write states on the client differ between TLS 1.3, DTLS 1.3, and
67 // QUIC. TLS 1.3 has one write encryption level at a time. 0-RTT write keys
68 // overwrite the null cipher and defer handshake write keys. While a
69 // HelloRetryRequest can cause us to rewind back to the null cipher, sequence
70 // numbers have no effect, so we can install a "new" null cipher.
71 //
72 // In QUIC and DTLS 1.3, 0-RTT write state cannot override or defer the normal
73 // write state. The two ClientHello sequence numbers must align, and handshake
74 // write keys must be installed early to ACK the EncryptedExtensions.
75 //
76 // We do not currently implement DTLS 1.3 and, in QUIC, the caller handles
77 // 0-RTT data, so we can skip installing 0-RTT keys and act as if there is one
78 // write level. If we implement DTLS 1.3, we'll need to model this better.
79 if (ssl->quic_method == nullptr) {
80 if (level == ssl_encryption_initial) {
81 bssl::UniquePtr<SSLAEADContext> null_ctx =
82 SSLAEADContext::CreateNullCipher(SSL_is_dtls(ssl));
83 if (!null_ctx ||
84 !ssl->method->set_write_state(ssl, ssl_encryption_initial,
85 std::move(null_ctx),
86 /*secret_for_quic=*/{})) {
87 return false;
88 }
89 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
90 } else {
91 assert(level == ssl_encryption_handshake);
92 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
93 hs->new_session.get(),
94 hs->client_handshake_secret())) {
95 return false;
96 }
97 }
98 }
99
100 assert(ssl->s3->write_level == level);
101 return true;
102 }
103
parse_server_hello_tls13(const SSL_HANDSHAKE * hs,ParsedServerHello * out,uint8_t * out_alert,const SSLMessage & msg)104 static bool parse_server_hello_tls13(const SSL_HANDSHAKE *hs,
105 ParsedServerHello *out, uint8_t *out_alert,
106 const SSLMessage &msg) {
107 if (!ssl_parse_server_hello(out, out_alert, msg)) {
108 return false;
109 }
110 // The RFC8446 version of the structure fixes some legacy values.
111 // Additionally, the session ID must echo the original one.
112 if (out->legacy_version != TLS1_2_VERSION ||
113 out->compression_method != 0 ||
114 !CBS_mem_equal(&out->session_id, hs->session_id, hs->session_id_len) ||
115 CBS_len(&out->extensions) == 0) {
116 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
117 *out_alert = SSL_AD_DECODE_ERROR;
118 return false;
119 }
120 return true;
121 }
122
is_hello_retry_request(const ParsedServerHello & server_hello)123 static bool is_hello_retry_request(const ParsedServerHello &server_hello) {
124 return Span<const uint8_t>(server_hello.random) == kHelloRetryRequest;
125 }
126
check_ech_confirmation(const SSL_HANDSHAKE * hs,bool * out_accepted,uint8_t * out_alert,const ParsedServerHello & server_hello)127 static bool check_ech_confirmation(const SSL_HANDSHAKE *hs, bool *out_accepted,
128 uint8_t *out_alert,
129 const ParsedServerHello &server_hello) {
130 const bool is_hrr = is_hello_retry_request(server_hello);
131 size_t offset;
132 if (is_hrr) {
133 // We check for an unsolicited extension when parsing all of them.
134 SSLExtension ech(TLSEXT_TYPE_encrypted_client_hello);
135 if (!ssl_parse_extensions(&server_hello.extensions, out_alert, {&ech},
136 /*ignore_unknown=*/true)) {
137 return false;
138 }
139 if (!ech.present) {
140 *out_accepted = false;
141 return true;
142 }
143 if (CBS_len(&ech.data) != ECH_CONFIRMATION_SIGNAL_LEN) {
144 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
145 *out_alert = SSL_AD_DECODE_ERROR;
146 return false;
147 }
148 offset = CBS_data(&ech.data) - CBS_data(&server_hello.raw);
149 } else {
150 offset = ssl_ech_confirmation_signal_hello_offset(hs->ssl);
151 }
152
153 if (!hs->selected_ech_config) {
154 *out_accepted = false;
155 return true;
156 }
157
158 uint8_t expected[ECH_CONFIRMATION_SIGNAL_LEN];
159 if (!ssl_ech_accept_confirmation(hs, expected, hs->inner_client_random,
160 hs->inner_transcript, is_hrr,
161 server_hello.raw, offset)) {
162 *out_alert = SSL_AD_INTERNAL_ERROR;
163 return false;
164 }
165
166 *out_accepted = CRYPTO_memcmp(CBS_data(&server_hello.raw) + offset, expected,
167 sizeof(expected)) == 0;
168 return true;
169 }
170
do_read_hello_retry_request(SSL_HANDSHAKE * hs)171 static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
172 SSL *const ssl = hs->ssl;
173 assert(ssl->s3->have_version);
174 SSLMessage msg;
175 if (!ssl->method->get_message(ssl, &msg)) {
176 return ssl_hs_read_message;
177 }
178
179 // Queue up a ChangeCipherSpec for whenever we next send something. This
180 // will be before the second ClientHello. If we offered early data, this was
181 // already done.
182 if (!hs->early_data_offered &&
183 !ssl->method->add_change_cipher_spec(ssl)) {
184 return ssl_hs_error;
185 }
186
187 ParsedServerHello server_hello;
188 uint8_t alert = SSL_AD_DECODE_ERROR;
189 if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
190 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
191 return ssl_hs_error;
192 }
193
194 // The cipher suite must be one we offered. We currently offer all supported
195 // TLS 1.3 ciphers unless policy controls limited it. So we check the version
196 // and that it's ok per policy.
197 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(server_hello.cipher_suite);
198 if (cipher == nullptr ||
199 SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
200 SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
201 !ssl_tls13_cipher_meets_policy(SSL_CIPHER_get_protocol_id(cipher),
202 ssl->config->tls13_cipher_policy)) {
203 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
204 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
205 return ssl_hs_error;
206 }
207
208 hs->new_cipher = cipher;
209
210 const bool is_hrr = is_hello_retry_request(server_hello);
211 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
212 (is_hrr && !hs->transcript.UpdateForHelloRetryRequest())) {
213 return ssl_hs_error;
214 }
215 if (hs->selected_ech_config) {
216 if (!hs->inner_transcript.InitHash(ssl_protocol_version(ssl),
217 hs->new_cipher) ||
218 (is_hrr && !hs->inner_transcript.UpdateForHelloRetryRequest())) {
219 return ssl_hs_error;
220 }
221 }
222
223 // Determine which ClientHello the server is responding to. Run
224 // |check_ech_confirmation| unconditionally, so we validate the extension
225 // contents.
226 bool ech_accepted;
227 if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
228 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
229 return ssl_hs_error;
230 }
231 if (hs->selected_ech_config) {
232 ssl->s3->ech_status = ech_accepted ? ssl_ech_accepted : ssl_ech_rejected;
233 }
234
235 if (!is_hrr) {
236 hs->tls13_state = state_read_server_hello;
237 return ssl_hs_ok;
238 }
239
240 // The ECH extension, if present, was already parsed by
241 // |check_ech_confirmation|.
242 SSLExtension cookie(TLSEXT_TYPE_cookie), key_share(TLSEXT_TYPE_key_share),
243 supported_versions(TLSEXT_TYPE_supported_versions),
244 ech_unused(TLSEXT_TYPE_encrypted_client_hello,
245 hs->selected_ech_config || hs->config->ech_grease_enabled);
246 if (!ssl_parse_extensions(
247 &server_hello.extensions, &alert,
248 {&cookie, &key_share, &supported_versions, &ech_unused},
249 /*ignore_unknown=*/false)) {
250 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
251 return ssl_hs_error;
252 }
253
254 if (!cookie.present && !key_share.present) {
255 OPENSSL_PUT_ERROR(SSL, SSL_R_EMPTY_HELLO_RETRY_REQUEST);
256 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
257 return ssl_hs_error;
258 }
259 if (cookie.present) {
260 CBS cookie_value;
261 if (!CBS_get_u16_length_prefixed(&cookie.data, &cookie_value) ||
262 CBS_len(&cookie_value) == 0 ||
263 CBS_len(&cookie.data) != 0) {
264 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
265 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
266 return ssl_hs_error;
267 }
268
269 if (!hs->cookie.CopyFrom(cookie_value)) {
270 return ssl_hs_error;
271 }
272 }
273
274 if (key_share.present) {
275 uint16_t group_id;
276 if (!CBS_get_u16(&key_share.data, &group_id) ||
277 CBS_len(&key_share.data) != 0) {
278 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
279 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
280 return ssl_hs_error;
281 }
282
283 // The group must be supported.
284 if (!tls1_check_group_id(hs, group_id)) {
285 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
286 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
287 return ssl_hs_error;
288 }
289
290 // Check that the HelloRetryRequest does not request a key share that was
291 // provided in the initial ClientHello.
292 if (hs->key_shares[0]->GroupID() == group_id ||
293 (hs->key_shares[1] && hs->key_shares[1]->GroupID() == group_id)) {
294 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
295 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
296 return ssl_hs_error;
297 }
298
299 if (!ssl_setup_key_shares(hs, group_id)) {
300 return ssl_hs_error;
301 }
302 }
303
304 // Although we now know whether ClientHelloInner was used, we currently
305 // maintain both transcripts up to ServerHello. We could swap transcripts
306 // early, but then ClientHello construction and |check_ech_confirmation|
307 // become more complex.
308 if (!ssl_hash_message(hs, msg)) {
309 return ssl_hs_error;
310 }
311 if (ssl->s3->ech_status == ssl_ech_accepted &&
312 !hs->inner_transcript.Update(msg.raw)) {
313 return ssl_hs_error;
314 }
315
316 // HelloRetryRequest should be the end of the flight.
317 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
318 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
319 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
320 return ssl_hs_error;
321 }
322
323 ssl->method->next_message(ssl);
324 ssl->s3->used_hello_retry_request = true;
325 hs->tls13_state = state_send_second_client_hello;
326 // 0-RTT is rejected if we receive a HelloRetryRequest.
327 if (hs->in_early_data) {
328 ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
329 if (!close_early_data(hs, ssl_encryption_initial)) {
330 return ssl_hs_error;
331 }
332 return ssl_hs_early_data_rejected;
333 }
334 return ssl_hs_ok;
335 }
336
do_send_second_client_hello(SSL_HANDSHAKE * hs)337 static enum ssl_hs_wait_t do_send_second_client_hello(SSL_HANDSHAKE *hs) {
338 // Any 0-RTT keys must have been discarded.
339 assert(hs->ssl->s3->write_level == ssl_encryption_initial);
340
341 // Build the second ClientHelloInner, if applicable. The second ClientHello
342 // uses an empty string for |enc|.
343 if (hs->ssl->s3->ech_status == ssl_ech_accepted &&
344 !ssl_encrypt_client_hello(hs, {})) {
345 return ssl_hs_error;
346 }
347
348 if (!ssl_add_client_hello(hs)) {
349 return ssl_hs_error;
350 }
351
352 ssl_done_writing_client_hello(hs);
353 hs->tls13_state = state_read_server_hello;
354 return ssl_hs_flush;
355 }
356
do_read_server_hello(SSL_HANDSHAKE * hs)357 static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
358 SSL *const ssl = hs->ssl;
359 SSLMessage msg;
360 if (!ssl->method->get_message(ssl, &msg)) {
361 return ssl_hs_read_message;
362 }
363 ParsedServerHello server_hello;
364 uint8_t alert = SSL_AD_DECODE_ERROR;
365 if (!parse_server_hello_tls13(hs, &server_hello, &alert, msg)) {
366 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
367 return ssl_hs_error;
368 }
369
370 // Forbid a second HelloRetryRequest.
371 if (is_hello_retry_request(server_hello)) {
372 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
373 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
374 return ssl_hs_error;
375 }
376
377 // Check the cipher suite, in case this is after HelloRetryRequest.
378 if (SSL_CIPHER_get_protocol_id(hs->new_cipher) != server_hello.cipher_suite) {
379 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
380 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
381 return ssl_hs_error;
382 }
383
384 if (ssl->s3->ech_status == ssl_ech_accepted) {
385 if (ssl->s3->used_hello_retry_request) {
386 // HelloRetryRequest and ServerHello must accept ECH consistently.
387 bool ech_accepted;
388 if (!check_ech_confirmation(hs, &ech_accepted, &alert, server_hello)) {
389 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
390 return ssl_hs_error;
391 }
392 if (!ech_accepted) {
393 OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_ECH_NEGOTIATION);
394 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
395 return ssl_hs_error;
396 }
397 }
398
399 hs->transcript = std::move(hs->inner_transcript);
400 hs->extensions.sent = hs->inner_extensions_sent;
401 // Report the inner random value through |SSL_get_client_random|.
402 OPENSSL_memcpy(ssl->s3->client_random, hs->inner_client_random,
403 SSL3_RANDOM_SIZE);
404 }
405
406 OPENSSL_memcpy(ssl->s3->server_random, CBS_data(&server_hello.random),
407 SSL3_RANDOM_SIZE);
408
409 // When offering ECH, |ssl->session| is only offered in ClientHelloInner.
410 const bool pre_shared_key_allowed =
411 ssl->session != nullptr && ssl->s3->ech_status != ssl_ech_rejected;
412 SSLExtension key_share(TLSEXT_TYPE_key_share),
413 pre_shared_key(TLSEXT_TYPE_pre_shared_key, pre_shared_key_allowed),
414 supported_versions(TLSEXT_TYPE_supported_versions);
415 if (!ssl_parse_extensions(&server_hello.extensions, &alert,
416 {&key_share, &pre_shared_key, &supported_versions},
417 /*ignore_unknown=*/false)) {
418 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
419 return ssl_hs_error;
420 }
421
422 // Recheck supported_versions, in case this is after HelloRetryRequest.
423 uint16_t version;
424 if (!supported_versions.present ||
425 !CBS_get_u16(&supported_versions.data, &version) ||
426 CBS_len(&supported_versions.data) != 0 ||
427 version != ssl->version) {
428 OPENSSL_PUT_ERROR(SSL, SSL_R_SECOND_SERVERHELLO_VERSION_MISMATCH);
429 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
430 return ssl_hs_error;
431 }
432
433 alert = SSL_AD_DECODE_ERROR;
434 if (pre_shared_key.present) {
435 if (!ssl_ext_pre_shared_key_parse_serverhello(hs, &alert,
436 &pre_shared_key.data)) {
437 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
438 return ssl_hs_error;
439 }
440
441 if (ssl->session->ssl_version != ssl->version) {
442 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
443 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
444 return ssl_hs_error;
445 }
446
447 if (ssl->session->cipher->algorithm_prf != hs->new_cipher->algorithm_prf) {
448 OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_PRF_HASH_MISMATCH);
449 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
450 return ssl_hs_error;
451 }
452
453 if (!ssl_session_is_context_valid(hs, ssl->session.get())) {
454 // This is actually a client application bug.
455 OPENSSL_PUT_ERROR(SSL,
456 SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
457 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
458 return ssl_hs_error;
459 }
460
461 ssl->s3->session_reused = true;
462 hs->can_release_private_key = true;
463 // Only authentication information carries over in TLS 1.3.
464 hs->new_session =
465 SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_DUP_AUTH_ONLY);
466 if (!hs->new_session) {
467 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
468 return ssl_hs_error;
469 }
470 ssl_set_session(ssl, NULL);
471
472 // Resumption incorporates fresh key material, so refresh the timeout.
473 ssl_session_renew_timeout(ssl, hs->new_session.get(),
474 ssl->session_ctx->session_psk_dhe_timeout);
475 } else if (!ssl_get_new_session(hs)) {
476 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
477 return ssl_hs_error;
478 }
479
480 hs->new_session->cipher = hs->new_cipher;
481
482 // Set up the key schedule and incorporate the PSK into the running secret.
483 size_t hash_len = EVP_MD_size(
484 ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
485 if (!tls13_init_key_schedule(
486 hs, ssl->s3->session_reused
487 ? MakeConstSpan(hs->new_session->secret,
488 hs->new_session->secret_length)
489 : MakeConstSpan(kZeroes, hash_len))) {
490 return ssl_hs_error;
491 }
492
493 if (!key_share.present) {
494 // We do not support psk_ke and thus always require a key share.
495 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
496 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
497 return ssl_hs_error;
498 }
499
500 // Resolve ECDHE and incorporate it into the secret.
501 Array<uint8_t> dhe_secret;
502 alert = SSL_AD_DECODE_ERROR;
503 if (!ssl_ext_key_share_parse_serverhello(hs, &dhe_secret, &alert,
504 &key_share.data)) {
505 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
506 return ssl_hs_error;
507 }
508
509 if (!tls13_advance_key_schedule(hs, dhe_secret) ||
510 !ssl_hash_message(hs, msg) ||
511 !tls13_derive_handshake_secrets(hs)) {
512 return ssl_hs_error;
513 }
514
515 // If currently sending early data over TCP, we defer installing client
516 // traffic keys to when the early data stream is closed. See
517 // |close_early_data|. Note if the server has already rejected 0-RTT via
518 // HelloRetryRequest, |in_early_data| is already false.
519 if (!hs->in_early_data || ssl->quic_method != nullptr) {
520 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
521 hs->new_session.get(),
522 hs->client_handshake_secret())) {
523 return ssl_hs_error;
524 }
525 }
526
527 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
528 hs->new_session.get(),
529 hs->server_handshake_secret())) {
530 return ssl_hs_error;
531 }
532
533 ssl->method->next_message(ssl);
534 hs->tls13_state = state_read_encrypted_extensions;
535 return ssl_hs_ok;
536 }
537
do_read_encrypted_extensions(SSL_HANDSHAKE * hs)538 static enum ssl_hs_wait_t do_read_encrypted_extensions(SSL_HANDSHAKE *hs) {
539 SSL *const ssl = hs->ssl;
540 SSLMessage msg;
541 if (!ssl->method->get_message(ssl, &msg)) {
542 return ssl_hs_read_message;
543 }
544 if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
545 return ssl_hs_error;
546 }
547
548 CBS body = msg.body, extensions;
549 if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
550 CBS_len(&body) != 0) {
551 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
552 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
553 return ssl_hs_error;
554 }
555
556 if (!ssl_parse_serverhello_tlsext(hs, &extensions)) {
557 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
558 return ssl_hs_error;
559 }
560
561 if (ssl->s3->early_data_accepted) {
562 // The extension parser checks the server resumed the session.
563 assert(ssl->s3->session_reused);
564 // If offering ECH, the server may not accept early data with
565 // ClientHelloOuter. We do not offer sessions with ClientHelloOuter, so this
566 // this should be implied by checking |session_reused|.
567 assert(ssl->s3->ech_status != ssl_ech_rejected);
568
569 if (hs->early_session->cipher != hs->new_session->cipher) {
570 OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_MISMATCH_ON_EARLY_DATA);
571 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
572 return ssl_hs_error;
573 }
574 if (MakeConstSpan(hs->early_session->early_alpn) !=
575 ssl->s3->alpn_selected) {
576 OPENSSL_PUT_ERROR(SSL, SSL_R_ALPN_MISMATCH_ON_EARLY_DATA);
577 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
578 return ssl_hs_error;
579 }
580 // Channel ID is incompatible with 0-RTT. The ALPS extension should be
581 // negotiated implicitly.
582 if (hs->channel_id_negotiated ||
583 hs->new_session->has_application_settings) {
584 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION_ON_EARLY_DATA);
585 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
586 return ssl_hs_error;
587 }
588 hs->new_session->has_application_settings =
589 hs->early_session->has_application_settings;
590 if (!hs->new_session->local_application_settings.CopyFrom(
591 hs->early_session->local_application_settings) ||
592 !hs->new_session->peer_application_settings.CopyFrom(
593 hs->early_session->peer_application_settings)) {
594 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
595 return ssl_hs_error;
596 }
597 }
598
599 // Store the negotiated ALPN in the session.
600 if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
601 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
602 return ssl_hs_error;
603 }
604
605 if (!ssl_hash_message(hs, msg)) {
606 return ssl_hs_error;
607 }
608
609 ssl->method->next_message(ssl);
610 hs->tls13_state = state_read_certificate_request;
611 if (hs->in_early_data && !ssl->s3->early_data_accepted) {
612 if (!close_early_data(hs, ssl_encryption_handshake)) {
613 return ssl_hs_error;
614 }
615 return ssl_hs_early_data_rejected;
616 }
617 return ssl_hs_ok;
618 }
619
do_read_certificate_request(SSL_HANDSHAKE * hs)620 static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
621 SSL *const ssl = hs->ssl;
622 // CertificateRequest may only be sent in non-resumption handshakes.
623 if (ssl->s3->session_reused) {
624 if (ssl->ctx->reverify_on_resume && !ssl->s3->early_data_accepted) {
625 hs->tls13_state = state_server_certificate_reverify;
626 return ssl_hs_ok;
627 }
628 hs->tls13_state = state_read_server_finished;
629 return ssl_hs_ok;
630 }
631
632 SSLMessage msg;
633 if (!ssl->method->get_message(ssl, &msg)) {
634 return ssl_hs_read_message;
635 }
636
637 // CertificateRequest is optional.
638 if (msg.type != SSL3_MT_CERTIFICATE_REQUEST) {
639 hs->tls13_state = state_read_server_certificate;
640 return ssl_hs_ok;
641 }
642
643
644 SSLExtension sigalgs(TLSEXT_TYPE_signature_algorithms),
645 ca(TLSEXT_TYPE_certificate_authorities);
646 CBS body = msg.body, context, extensions, supported_signature_algorithms;
647 uint8_t alert = SSL_AD_DECODE_ERROR;
648 if (!CBS_get_u8_length_prefixed(&body, &context) ||
649 // The request context is always empty during the handshake.
650 CBS_len(&context) != 0 ||
651 !CBS_get_u16_length_prefixed(&body, &extensions) || //
652 CBS_len(&body) != 0 ||
653 !ssl_parse_extensions(&extensions, &alert, {&sigalgs, &ca},
654 /*ignore_unknown=*/true) ||
655 !sigalgs.present ||
656 !CBS_get_u16_length_prefixed(&sigalgs.data,
657 &supported_signature_algorithms) ||
658 !tls1_parse_peer_sigalgs(hs, &supported_signature_algorithms)) {
659 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
660 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
661 return ssl_hs_error;
662 }
663
664 if (ca.present) {
665 hs->ca_names = ssl_parse_client_CA_list(ssl, &alert, &ca.data);
666 if (!hs->ca_names) {
667 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
668 return ssl_hs_error;
669 }
670 } else {
671 hs->ca_names.reset(sk_CRYPTO_BUFFER_new_null());
672 if (!hs->ca_names) {
673 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
674 return ssl_hs_error;
675 }
676 }
677
678 hs->cert_request = true;
679 ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
680
681 if (!ssl_hash_message(hs, msg)) {
682 return ssl_hs_error;
683 }
684
685 ssl->method->next_message(ssl);
686 hs->tls13_state = state_read_server_certificate;
687 return ssl_hs_ok;
688 }
689
do_read_server_certificate(SSL_HANDSHAKE * hs)690 static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
691 SSL *const ssl = hs->ssl;
692 SSLMessage msg;
693 if (!ssl->method->get_message(ssl, &msg)) {
694 return ssl_hs_read_message;
695 }
696
697 if (msg.type != SSL3_MT_COMPRESSED_CERTIFICATE &&
698 !ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
699 return ssl_hs_error;
700 }
701
702 if (!tls13_process_certificate(hs, msg, false /* certificate required */) ||
703 !ssl_hash_message(hs, msg)) {
704 return ssl_hs_error;
705 }
706
707 ssl->method->next_message(ssl);
708 hs->tls13_state = state_read_server_certificate_verify;
709 return ssl_hs_ok;
710 }
711
do_read_server_certificate_verify(SSL_HANDSHAKE * hs)712 static enum ssl_hs_wait_t do_read_server_certificate_verify(SSL_HANDSHAKE *hs) {
713 SSL *const ssl = hs->ssl;
714 SSLMessage msg;
715 if (!ssl->method->get_message(ssl, &msg)) {
716 return ssl_hs_read_message;
717 }
718 switch (ssl_verify_peer_cert(hs)) {
719 case ssl_verify_ok:
720 break;
721 case ssl_verify_invalid:
722 return ssl_hs_error;
723 case ssl_verify_retry:
724 hs->tls13_state = state_read_server_certificate_verify;
725 return ssl_hs_certificate_verify;
726 }
727
728 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
729 !tls13_process_certificate_verify(hs, msg) ||
730 !ssl_hash_message(hs, msg)) {
731 return ssl_hs_error;
732 }
733
734 ssl->method->next_message(ssl);
735 hs->tls13_state = state_read_server_finished;
736 return ssl_hs_ok;
737 }
738
do_server_certificate_reverify(SSL_HANDSHAKE * hs)739 static enum ssl_hs_wait_t do_server_certificate_reverify(SSL_HANDSHAKE *hs) {
740 switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {
741 case ssl_verify_ok:
742 break;
743 case ssl_verify_invalid:
744 return ssl_hs_error;
745 case ssl_verify_retry:
746 hs->tls13_state = state_server_certificate_reverify;
747 return ssl_hs_certificate_verify;
748 }
749 hs->tls13_state = state_read_server_finished;
750 return ssl_hs_ok;
751 }
752
do_read_server_finished(SSL_HANDSHAKE * hs)753 static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
754 SSL *const ssl = hs->ssl;
755 SSLMessage msg;
756 if (!ssl->method->get_message(ssl, &msg)) {
757 return ssl_hs_read_message;
758 }
759 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
760 !tls13_process_finished(hs, msg, false /* don't use saved value */) ||
761 !ssl_hash_message(hs, msg) ||
762 // Update the secret to the master secret and derive traffic keys.
763 !tls13_advance_key_schedule(
764 hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
765 !tls13_derive_application_secrets(hs)) {
766 return ssl_hs_error;
767 }
768
769 // Finished should be the end of the flight.
770 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
771 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
772 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
773 return ssl_hs_error;
774 }
775
776 ssl->method->next_message(ssl);
777 hs->tls13_state = state_send_end_of_early_data;
778 return ssl_hs_ok;
779 }
780
do_send_end_of_early_data(SSL_HANDSHAKE * hs)781 static enum ssl_hs_wait_t do_send_end_of_early_data(SSL_HANDSHAKE *hs) {
782 SSL *const ssl = hs->ssl;
783
784 if (ssl->s3->early_data_accepted) {
785 // QUIC omits the EndOfEarlyData message. See RFC 9001, section 8.3.
786 if (ssl->quic_method == nullptr) {
787 ScopedCBB cbb;
788 CBB body;
789 if (!ssl->method->init_message(ssl, cbb.get(), &body,
790 SSL3_MT_END_OF_EARLY_DATA) ||
791 !ssl_add_message_cbb(ssl, cbb.get())) {
792 return ssl_hs_error;
793 }
794 }
795
796 if (!close_early_data(hs, ssl_encryption_handshake)) {
797 return ssl_hs_error;
798 }
799 }
800
801 hs->tls13_state = state_send_client_encrypted_extensions;
802 return ssl_hs_ok;
803 }
804
do_send_client_encrypted_extensions(SSL_HANDSHAKE * hs)805 static enum ssl_hs_wait_t do_send_client_encrypted_extensions(
806 SSL_HANDSHAKE *hs) {
807 SSL *const ssl = hs->ssl;
808 // For now, only one extension uses client EncryptedExtensions. This function
809 // may be generalized if others use it in the future.
810 if (hs->new_session->has_application_settings &&
811 !ssl->s3->early_data_accepted) {
812 ScopedCBB cbb;
813 CBB body, extensions, extension;
814 uint16_t extension_type = TLSEXT_TYPE_application_settings_old;
815 if (hs->config->alps_use_new_codepoint) {
816 extension_type = TLSEXT_TYPE_application_settings;
817 }
818 if (!ssl->method->init_message(ssl, cbb.get(), &body,
819 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
820 !CBB_add_u16_length_prefixed(&body, &extensions) ||
821 !CBB_add_u16(&extensions, extension_type) ||
822 !CBB_add_u16_length_prefixed(&extensions, &extension) ||
823 !CBB_add_bytes(&extension,
824 hs->new_session->local_application_settings.data(),
825 hs->new_session->local_application_settings.size()) ||
826 !ssl_add_message_cbb(ssl, cbb.get())) {
827 return ssl_hs_error;
828 }
829 }
830
831 hs->tls13_state = state_send_client_certificate;
832 return ssl_hs_ok;
833 }
834
check_credential(SSL_HANDSHAKE * hs,const SSL_CREDENTIAL * cred,uint16_t * out_sigalg)835 static bool check_credential(SSL_HANDSHAKE *hs, const SSL_CREDENTIAL *cred,
836 uint16_t *out_sigalg) {
837 if (cred->type != SSLCredentialType::kX509) {
838 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
839 return false;
840 }
841
842 // All currently supported credentials require a signature.
843 return tls1_choose_signature_algorithm(hs, cred, out_sigalg);
844 }
845
do_send_client_certificate(SSL_HANDSHAKE * hs)846 static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
847 SSL *const ssl = hs->ssl;
848
849 // The peer didn't request a certificate.
850 if (!hs->cert_request) {
851 hs->tls13_state = state_complete_second_flight;
852 return ssl_hs_ok;
853 }
854
855 if (ssl->s3->ech_status == ssl_ech_rejected) {
856 // Do not send client certificates on ECH reject. We have not authenticated
857 // the server for the name that can learn the certificate.
858 SSL_certs_clear(ssl);
859 } else if (hs->config->cert->cert_cb != nullptr) {
860 // Call cert_cb to update the certificate.
861 int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
862 if (rv == 0) {
863 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
864 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
865 return ssl_hs_error;
866 }
867 if (rv < 0) {
868 hs->tls13_state = state_send_client_certificate;
869 return ssl_hs_x509_lookup;
870 }
871 }
872
873 Array<SSL_CREDENTIAL *> creds;
874 if (!ssl_get_credential_list(hs, &creds)) {
875 return ssl_hs_error;
876 }
877
878 if (!creds.empty()) {
879 // Select the credential to use.
880 for (SSL_CREDENTIAL *cred : creds) {
881 ERR_clear_error();
882 uint16_t sigalg;
883 if (check_credential(hs, cred, &sigalg)) {
884 hs->credential = UpRef(cred);
885 hs->signature_algorithm = sigalg;
886 break;
887 }
888 }
889 if (hs->credential == nullptr) {
890 // The error from the last attempt is in the error queue.
891 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
892 return ssl_hs_error;
893 }
894 }
895
896 if (!tls13_add_certificate(hs)) {
897 return ssl_hs_error;
898 }
899
900 hs->tls13_state = state_send_client_certificate_verify;
901 return ssl_hs_ok;
902 }
903
do_send_client_certificate_verify(SSL_HANDSHAKE * hs)904 static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
905 // Don't send CertificateVerify if there is no certificate.
906 if (hs->credential == nullptr) {
907 hs->tls13_state = state_complete_second_flight;
908 return ssl_hs_ok;
909 }
910
911 switch (tls13_add_certificate_verify(hs)) {
912 case ssl_private_key_success:
913 hs->tls13_state = state_complete_second_flight;
914 return ssl_hs_ok;
915
916 case ssl_private_key_retry:
917 hs->tls13_state = state_send_client_certificate_verify;
918 return ssl_hs_private_key_operation;
919
920 case ssl_private_key_failure:
921 return ssl_hs_error;
922 }
923
924 assert(0);
925 return ssl_hs_error;
926 }
927
do_complete_second_flight(SSL_HANDSHAKE * hs)928 static enum ssl_hs_wait_t do_complete_second_flight(SSL_HANDSHAKE *hs) {
929 SSL *const ssl = hs->ssl;
930 hs->can_release_private_key = true;
931
932 // Send a Channel ID assertion if necessary.
933 if (hs->channel_id_negotiated) {
934 ScopedCBB cbb;
935 CBB body;
936 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
937 !tls1_write_channel_id(hs, &body) ||
938 !ssl_add_message_cbb(ssl, cbb.get())) {
939 return ssl_hs_error;
940 }
941 }
942
943 // Send a Finished message.
944 if (!tls13_add_finished(hs)) {
945 return ssl_hs_error;
946 }
947
948 // Derive the final keys and enable them.
949 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
950 hs->new_session.get(),
951 hs->client_traffic_secret_0()) ||
952 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
953 hs->new_session.get(),
954 hs->server_traffic_secret_0()) ||
955 !tls13_derive_resumption_secret(hs)) {
956 return ssl_hs_error;
957 }
958
959 hs->tls13_state = state_done;
960 return ssl_hs_flush;
961 }
962
tls13_client_handshake(SSL_HANDSHAKE * hs)963 enum ssl_hs_wait_t tls13_client_handshake(SSL_HANDSHAKE *hs) {
964 while (hs->tls13_state != state_done) {
965 enum ssl_hs_wait_t ret = ssl_hs_error;
966 enum client_hs_state_t state =
967 static_cast<enum client_hs_state_t>(hs->tls13_state);
968 switch (state) {
969 case state_read_hello_retry_request:
970 ret = do_read_hello_retry_request(hs);
971 break;
972 case state_send_second_client_hello:
973 ret = do_send_second_client_hello(hs);
974 break;
975 case state_read_server_hello:
976 ret = do_read_server_hello(hs);
977 break;
978 case state_read_encrypted_extensions:
979 ret = do_read_encrypted_extensions(hs);
980 break;
981 case state_read_certificate_request:
982 ret = do_read_certificate_request(hs);
983 break;
984 case state_read_server_certificate:
985 ret = do_read_server_certificate(hs);
986 break;
987 case state_read_server_certificate_verify:
988 ret = do_read_server_certificate_verify(hs);
989 break;
990 case state_server_certificate_reverify:
991 ret = do_server_certificate_reverify(hs);
992 break;
993 case state_read_server_finished:
994 ret = do_read_server_finished(hs);
995 break;
996 case state_send_end_of_early_data:
997 ret = do_send_end_of_early_data(hs);
998 break;
999 case state_send_client_certificate:
1000 ret = do_send_client_certificate(hs);
1001 break;
1002 case state_send_client_encrypted_extensions:
1003 ret = do_send_client_encrypted_extensions(hs);
1004 break;
1005 case state_send_client_certificate_verify:
1006 ret = do_send_client_certificate_verify(hs);
1007 break;
1008 case state_complete_second_flight:
1009 ret = do_complete_second_flight(hs);
1010 break;
1011 case state_done:
1012 ret = ssl_hs_ok;
1013 break;
1014 }
1015
1016 if (hs->tls13_state != state) {
1017 ssl_do_info_callback(hs->ssl, SSL_CB_CONNECT_LOOP, 1);
1018 }
1019
1020 if (ret != ssl_hs_ok) {
1021 return ret;
1022 }
1023 }
1024
1025 return ssl_hs_ok;
1026 }
1027
tls13_client_handshake_state(SSL_HANDSHAKE * hs)1028 const char *tls13_client_handshake_state(SSL_HANDSHAKE *hs) {
1029 enum client_hs_state_t state =
1030 static_cast<enum client_hs_state_t>(hs->tls13_state);
1031 switch (state) {
1032 case state_read_hello_retry_request:
1033 return "TLS 1.3 client read_hello_retry_request";
1034 case state_send_second_client_hello:
1035 return "TLS 1.3 client send_second_client_hello";
1036 case state_read_server_hello:
1037 return "TLS 1.3 client read_server_hello";
1038 case state_read_encrypted_extensions:
1039 return "TLS 1.3 client read_encrypted_extensions";
1040 case state_read_certificate_request:
1041 return "TLS 1.3 client read_certificate_request";
1042 case state_read_server_certificate:
1043 return "TLS 1.3 client read_server_certificate";
1044 case state_read_server_certificate_verify:
1045 return "TLS 1.3 client read_server_certificate_verify";
1046 case state_server_certificate_reverify:
1047 return "TLS 1.3 client server_certificate_reverify";
1048 case state_read_server_finished:
1049 return "TLS 1.3 client read_server_finished";
1050 case state_send_end_of_early_data:
1051 return "TLS 1.3 client send_end_of_early_data";
1052 case state_send_client_encrypted_extensions:
1053 return "TLS 1.3 client send_client_encrypted_extensions";
1054 case state_send_client_certificate:
1055 return "TLS 1.3 client send_client_certificate";
1056 case state_send_client_certificate_verify:
1057 return "TLS 1.3 client send_client_certificate_verify";
1058 case state_complete_second_flight:
1059 return "TLS 1.3 client complete_second_flight";
1060 case state_done:
1061 return "TLS 1.3 client done";
1062 }
1063
1064 return "TLS 1.3 client unknown";
1065 }
1066
tls13_process_new_session_ticket(SSL * ssl,const SSLMessage & msg)1067 bool tls13_process_new_session_ticket(SSL *ssl, const SSLMessage &msg) {
1068 if (ssl->s3->write_shutdown != ssl_shutdown_none) {
1069 // Ignore tickets on shutdown. Callers tend to indiscriminately call
1070 // |SSL_shutdown| before destroying an |SSL|, at which point calling the new
1071 // session callback may be confusing.
1072 return true;
1073 }
1074
1075 CBS body = msg.body;
1076 UniquePtr<SSL_SESSION> session = tls13_create_session_with_ticket(ssl, &body);
1077 if (!session) {
1078 return false;
1079 }
1080
1081 if ((ssl->session_ctx->session_cache_mode & SSL_SESS_CACHE_CLIENT) &&
1082 ssl->session_ctx->new_session_cb != NULL &&
1083 ssl->session_ctx->new_session_cb(ssl, session.get())) {
1084 // |new_session_cb|'s return value signals that it took ownership.
1085 session.release();
1086 }
1087
1088 return true;
1089 }
1090
tls13_create_session_with_ticket(SSL * ssl,CBS * body)1091 UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
1092 UniquePtr<SSL_SESSION> session = SSL_SESSION_dup(
1093 ssl->s3->established_session.get(), SSL_SESSION_INCLUDE_NONAUTH);
1094 if (!session) {
1095 return nullptr;
1096 }
1097
1098 ssl_session_rebase_time(ssl, session.get());
1099
1100 uint32_t server_timeout;
1101 CBS ticket_nonce, ticket, extensions;
1102 if (!CBS_get_u32(body, &server_timeout) ||
1103 !CBS_get_u32(body, &session->ticket_age_add) ||
1104 !CBS_get_u8_length_prefixed(body, &ticket_nonce) ||
1105 !CBS_get_u16_length_prefixed(body, &ticket) ||
1106 !session->ticket.CopyFrom(ticket) ||
1107 !CBS_get_u16_length_prefixed(body, &extensions) ||
1108 CBS_len(body) != 0) {
1109 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1110 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1111 return nullptr;
1112 }
1113
1114 // Cap the renewable lifetime by the server advertised value. This avoids
1115 // wasting bandwidth on 0-RTT when we know the server will reject it.
1116 if (session->timeout > server_timeout) {
1117 session->timeout = server_timeout;
1118 }
1119
1120 if (!tls13_derive_session_psk(session.get(), ticket_nonce)) {
1121 return nullptr;
1122 }
1123
1124 SSLExtension early_data(TLSEXT_TYPE_early_data);
1125 uint8_t alert = SSL_AD_DECODE_ERROR;
1126 if (!ssl_parse_extensions(&extensions, &alert, {&early_data},
1127 /*ignore_unknown=*/true)) {
1128 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1129 return nullptr;
1130 }
1131
1132 if (early_data.present) {
1133 if (!CBS_get_u32(&early_data.data, &session->ticket_max_early_data) ||
1134 CBS_len(&early_data.data) != 0) {
1135 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1136 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1137 return nullptr;
1138 }
1139
1140 // QUIC does not use the max_early_data_size parameter and always sets it to
1141 // a fixed value. See RFC 9001, section 4.6.1.
1142 if (ssl->quic_method != nullptr &&
1143 session->ticket_max_early_data != 0xffffffff) {
1144 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1145 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1146 return nullptr;
1147 }
1148 }
1149
1150 // Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
1151 // Envoy's tests depend on this, although perhaps they shouldn't.
1152 SHA256(CBS_data(&ticket), CBS_len(&ticket), session->session_id);
1153 session->session_id_length = SHA256_DIGEST_LENGTH;
1154
1155 session->ticket_age_add_valid = true;
1156 session->not_resumable = false;
1157
1158 return session;
1159 }
1160
1161 BSSL_NAMESPACE_END
1162