1	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2	* All rights reserved.
3	*
4	* This package is an SSL implementation written
5	* by Eric Young (eay@cryptsoft.com).
6	* The implementation was written so as to conform with Netscapes SSL.
7	*
8	* This library is free for commercial and non-commercial use as long as
9	* the following conditions are aheared to. The following conditions
10	* apply to all code found in this distribution, be it the RC4, RSA,
11	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
12	* included with this distribution is covered by the same copyright terms
13	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
14	*
15	* Copyright remains Eric Young's, and as such any Copyright notices in
16	* the code are not to be removed.
17	* If this package is used in a product, Eric Young should be given attribution
18	* as the author of the parts of the library used.
19	* This can be in the form of a textual message at program startup or
20	* in documentation (online or textual) provided with the package.
21	*
22	* Redistribution and use in source and binary forms, with or without
23	* modification, are permitted provided that the following conditions
24	* are met:
25	* 1. Redistributions of source code must retain the copyright
26	* notice, this list of conditions and the following disclaimer.
27	* 2. Redistributions in binary form must reproduce the above copyright
28	* notice, this list of conditions and the following disclaimer in the
29	* documentation and/or other materials provided with the distribution.
30	* 3. All advertising materials mentioning features or use of this software
31	* must display the following acknowledgement:
32	* "This product includes cryptographic software written by
33	* Eric Young (eay@cryptsoft.com)"
34	* The word 'cryptographic' can be left out if the rouines from the library
35	* being used are not cryptographic related :-).
36	* 4. If you include any Windows specific code (or a derivative thereof) from
37	* the apps directory (application code) you must include an acknowledgement:
38	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39	*
40	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50	* SUCH DAMAGE.
51	*
52	* The licence and distribution terms for any publically available version or
53	* derivative of this code cannot be changed. i.e. this code cannot simply be
54	* copied and put under another distribution licence
55	* [including the GNU Public Licence.]
56	*/
57	/* ====================================================================
58	* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59	*
60	* Redistribution and use in source and binary forms, with or without
61	* modification, are permitted provided that the following conditions
62	* are met:
63	*
64	* 1. Redistributions of source code must retain the above copyright
65	* notice, this list of conditions and the following disclaimer.
66	*
67	* 2. Redistributions in binary form must reproduce the above copyright
68	* notice, this list of conditions and the following disclaimer in
69	* the documentation and/or other materials provided with the
70	* distribution.
71	*
72	* 3. All advertising materials mentioning features or use of this
73	* software must display the following acknowledgment:
74	* "This product includes software developed by the OpenSSL Project
75	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76	*
77	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78	* endorse or promote products derived from this software without
79	* prior written permission. For written permission, please contact
80	* openssl-core@openssl.org.
81	*
82	* 5. Products derived from this software may not be called "OpenSSL"
83	* nor may "OpenSSL" appear in their names without prior written
84	* permission of the OpenSSL Project.
85	*
86	* 6. Redistributions of any form whatsoever must retain the following
87	* acknowledgment:
88	* "This product includes software developed by the OpenSSL Project
89	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90	*
91	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102	* OF THE POSSIBILITY OF SUCH DAMAGE.
103	* ====================================================================
104	*
105	* This product includes cryptographic software written by Eric Young
106	* (eay@cryptsoft.com). This product includes software written by Tim
107	* Hudson (tjh@cryptsoft.com).
108	*
109	*/
110	/* ====================================================================
111	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112	*
113	* Portions of the attached software ("Contribution") are developed by
114	* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115	*
116	* The Contribution is licensed pursuant to the OpenSSL open source
117	* license provided above.
118	*
119	* ECC cipher suite support in OpenSSL originally written by
120	* Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121	*
122	*/
123	/* ====================================================================
124	* Copyright 2005 Nokia. All rights reserved.
125	*
126	* The portions of the attached software ("Contribution") is developed by
127	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
128	* license.
129	*
130	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
131	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132	* support (see RFC 4279) to OpenSSL.
133	*
134	* No patent licenses or other rights except those expressly stated in
135	* the OpenSSL open source license shall be deemed granted or received
136	* expressly, by implication, estoppel, or otherwise.
137	*
138	* No assurances are provided by Nokia that the Contribution does not
139	* infringe the patent or other intellectual property rights of any third
140	* party or that the license provides you with all the necessary rights
141	* to make use of the Contribution.
142	*
143	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147	* OTHERWISE.
148	*/
149
150	#include <openssl/ssl.h>
151
152	#include <assert.h>
153	#include <limits.h>
154	#include <string.h>
155
156	#include <utility>
157
158	#include <openssl/aead.h>
159	#include <openssl/bn.h>
160	#include <openssl/bytestring.h>
161	#include <openssl/ec_key.h>
162	#include <openssl/ecdsa.h>
163	#include <openssl/err.h>
164	#include <openssl/evp.h>
165	#include <openssl/hpke.h>
166	#include <openssl/md5.h>
167	#include <openssl/mem.h>
168	#include <openssl/rand.h>
169	#include <openssl/sha.h>
170
171	#include "../crypto/internal.h"
172	#include "internal.h"
173
174
175	BSSL_NAMESPACE_BEGIN
176
177	enum ssl_client_hs_state_t {
178	state_start_connect = 0,
179	state_enter_early_data,
180	state_early_reverify_server_certificate,
181	state_read_hello_verify_request,
182	state_read_server_hello,
183	state_tls13,
184	state_read_server_certificate,
185	state_read_certificate_status,
186	state_verify_server_certificate,
187	state_reverify_server_certificate,
188	state_read_server_key_exchange,
189	state_read_certificate_request,
190	state_read_server_hello_done,
191	state_send_client_certificate,
192	state_send_client_key_exchange,
193	state_send_client_certificate_verify,
194	state_send_client_finished,
195	state_finish_flight,
196	state_read_session_ticket,
197	state_process_change_cipher_spec,
198	state_read_server_finished,
199	state_finish_client_handshake,
200	state_done,
201	};
202
203	// ssl_get_client_disabled sets |*out_mask_a| and |*out_mask_k| to masks of
204	// disabled algorithms.
205	static void ssl_get_client_disabled(const SSL_HANDSHAKE *hs,
206	uint32_t *out_mask_a,
207	uint32_t *out_mask_k) {
208	*out_mask_a = 0;
209	*out_mask_k = 0;
210
211	// PSK requires a client callback.
212	if (hs->config->psk_client_callback == NULL) {
213	*out_mask_a |= SSL_aPSK;
214	*out_mask_k |= SSL_kPSK;
215	}
216	}
217
218	static bool ssl_write_client_cipher_list(const SSL_HANDSHAKE *hs, CBB *out,
219	ssl_client_hello_type_t type) {
220	const SSL *const ssl = hs->ssl;
221	uint32_t mask_a, mask_k;
222	ssl_get_client_disabled(hs, out_mask_a: &mask_a, out_mask_k: &mask_k);
223
224	CBB child;
225	if (!CBB_add_u16_length_prefixed(cbb: out, out_contents: &child)) {
226	return false;
227	}
228
229	// Add a fake cipher suite. See RFC 8701.
230	if (ssl->ctx->grease_enabled &&
231	!CBB_add_u16(cbb: &child, value: ssl_get_grease_value(hs, index: ssl_grease_cipher))) {
232	return false;
233	}
234
235	// Add TLS 1.3 ciphers. Order ChaCha20-Poly1305 relative to AES-GCM based on
236	// hardware support.
237	if (hs->max_version >= TLS1_3_VERSION) {
238	const bool include_chacha20 = ssl_tls13_cipher_meets_policy(
239	TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff,
240	only_fips: ssl->config->only_fips_cipher_suites_in_tls13);
241
242	if (!EVP_has_aes_hardware() && //
243	include_chacha20 && //
244	!CBB_add_u16(cbb: &child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
245	return false;
246	}
247	if (!CBB_add_u16(cbb: &child, TLS1_3_CK_AES_128_GCM_SHA256 & 0xffff) ||
248	!CBB_add_u16(cbb: &child, TLS1_3_CK_AES_256_GCM_SHA384 & 0xffff)) {
249	return false;
250	}
251	if (EVP_has_aes_hardware() && //
252	include_chacha20 && //
253	!CBB_add_u16(cbb: &child, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
254	return false;
255	}
256	}
257
258	if (hs->min_version < TLS1_3_VERSION && type != ssl_client_hello_inner) {
259	bool any_enabled = false;
260	for (const SSL_CIPHER *cipher : SSL_get_ciphers(ssl)) {
261	// Skip disabled ciphers
262	if ((cipher->algorithm_mkey & mask_k) ||
263	(cipher->algorithm_auth & mask_a)) {
264	continue;
265	}
266	if (SSL_CIPHER_get_min_version(cipher) > hs->max_version ||
267	SSL_CIPHER_get_max_version(cipher) < hs->min_version) {
268	continue;
269	}
270	any_enabled = true;
271	if (!CBB_add_u16(cbb: &child, value: SSL_CIPHER_get_protocol_id(cipher))) {
272	return false;
273	}
274	}
275
276	// If all ciphers were disabled, return the error to the caller.
277	if (!any_enabled && hs->max_version < TLS1_3_VERSION) {
278	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CIPHERS_AVAILABLE);
279	return false;
280	}
281	}
282
283	if (ssl->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
284	if (!CBB_add_u16(cbb: &child, SSL3_CK_FALLBACK_SCSV & 0xffff)) {
285	return false;
286	}
287	}
288
289	return CBB_flush(cbb: out);
290	}
291
292	bool ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE *hs,
293	CBB *cbb,
294	ssl_client_hello_type_t type,
295	bool empty_session_id) {
296	const SSL *const ssl = hs->ssl;
297	CBB child;
298	if (!CBB_add_u16(cbb, value: hs->client_version) ||
299	!CBB_add_bytes(cbb,
300	data: type == ssl_client_hello_inner ? hs->inner_client_random
301	: ssl->s3->client_random,
302	SSL3_RANDOM_SIZE) ||
303	!CBB_add_u8_length_prefixed(cbb, out_contents: &child)) {
304	return false;
305	}
306
307	// Do not send a session ID on renegotiation.
308	if (!ssl->s3->initial_handshake_complete &&
309	!empty_session_id &&
310	!CBB_add_bytes(cbb: &child, data: hs->session_id, len: hs->session_id_len)) {
311	return false;
312	}
313
314	if (SSL_is_dtls(ssl)) {
315	if (!CBB_add_u8_length_prefixed(cbb, out_contents: &child) ||
316	!CBB_add_bytes(cbb: &child, data: hs->dtls_cookie.data(),
317	len: hs->dtls_cookie.size())) {
318	return false;
319	}
320	}
321
322	if (!ssl_write_client_cipher_list(hs, out: cbb, type) ||
323	!CBB_add_u8(cbb, value: 1 /* one compression method */) ||
324	!CBB_add_u8(cbb, value: 0 /* null compression */)) {
325	return false;
326	}
327	return true;
328	}
329
330	bool ssl_add_client_hello(SSL_HANDSHAKE *hs) {
331	SSL *const ssl = hs->ssl;
332	ScopedCBB cbb;
333	CBB body;
334	ssl_client_hello_type_t type = hs->selected_ech_config
335	? ssl_client_hello_outer
336	: ssl_client_hello_unencrypted;
337	bool needs_psk_binder;
338	Array<uint8_t> msg;
339	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CLIENT_HELLO) ||
340	!ssl_write_client_hello_without_extensions(hs, cbb: &body, type,
341	/*empty_session_id=*/false) ||
342	!ssl_add_clienthello_tlsext(hs, out: &body, /*out_encoded=*/nullptr,
343	out_needs_psk_binder: &needs_psk_binder, type, header_len: CBB_len(cbb: &body)) ||
344	!ssl->method->finish_message(ssl, cbb.get(), &msg)) {
345	return false;
346	}
347
348	// Now that the length prefixes have been computed, fill in the placeholder
349	// PSK binder.
350	if (needs_psk_binder) {
351	// ClientHelloOuter cannot have a PSK binder. Otherwise the
352	// ClientHellOuterAAD computation would break.
353	assert(type != ssl_client_hello_outer);
354	if (!tls13_write_psk_binder(hs, transcript: hs->transcript, msg: MakeSpan(c&: msg),
355	/*out_binder_len=*/0)) {
356	return false;
357	}
358	}
359
360	return ssl->method->add_message(ssl, std::move(msg));
361	}
362
363	static bool parse_server_version(const SSL_HANDSHAKE *hs, uint16_t *out_version,
364	uint8_t *out_alert,
365	const ParsedServerHello &server_hello) {
366	// If the outer version is not TLS 1.2, use it.
367	// TODO(davidben): This function doesn't quite match the RFC8446 formulation.
368	if (server_hello.legacy_version != TLS1_2_VERSION) {
369	*out_version = server_hello.legacy_version;
370	return true;
371	}
372
373	SSLExtension supported_versions(TLSEXT_TYPE_supported_versions);
374	CBS extensions = server_hello.extensions;
375	if (!ssl_parse_extensions(cbs: &extensions, out_alert, extensions: {&supported_versions},
376	/*ignore_unknown=*/true)) {
377	return false;
378	}
379
380	if (!supported_versions.present) {
381	*out_version = server_hello.legacy_version;
382	return true;
383	}
384
385	if (!CBS_get_u16(cbs: &supported_versions.data, out: out_version) ||
386	CBS_len(cbs: &supported_versions.data) != 0) {
387	*out_alert = SSL_AD_DECODE_ERROR;
388	return false;
389	}
390
391	return true;
392	}
393
394	// should_offer_early_data returns |ssl_early_data_accepted| if |hs| should
395	// offer early data, and some other reason code otherwise.
396	static ssl_early_data_reason_t should_offer_early_data(
397	const SSL_HANDSHAKE *hs) {
398	const SSL *const ssl = hs->ssl;
399	assert(!ssl->server);
400	if (!ssl->enable_early_data) {
401	return ssl_early_data_disabled;
402	}
403
404	if (hs->max_version < TLS1_3_VERSION) {
405	// We discard inapplicable sessions, so this is redundant with the session
406	// checks below, but reporting that TLS 1.3 was disabled is more useful.
407	return ssl_early_data_protocol_version;
408	}
409
410	if (ssl->session == nullptr) {
411	return ssl_early_data_no_session_offered;
412	}
413
414	if (ssl_session_protocol_version(session: ssl->session.get()) < TLS1_3_VERSION ||
415	ssl->session->ticket_max_early_data == 0) {
416	return ssl_early_data_unsupported_for_session;
417	}
418
419	if (!ssl->session->early_alpn.empty()) {
420	if (!ssl_is_alpn_protocol_allowed(hs, protocol: ssl->session->early_alpn)) {
421	// Avoid reporting a confusing value in |SSL_get0_alpn_selected|.
422	return ssl_early_data_alpn_mismatch;
423	}
424
425	// If the previous connection negotiated ALPS, only offer 0-RTT when the
426	// local are settings are consistent with what we'd offer for this
427	// connection.
428	if (ssl->session->has_application_settings) {
429	Span<const uint8_t> settings;
430	if (!ssl_get_local_application_settings(hs, out_settings: &settings,
431	protocol: ssl->session->early_alpn) ||
432	settings != ssl->session->local_application_settings) {
433	return ssl_early_data_alps_mismatch;
434	}
435	}
436	}
437
438	// Early data has not yet been accepted, but we use it as a success code.
439	return ssl_early_data_accepted;
440	}
441
442	void ssl_done_writing_client_hello(SSL_HANDSHAKE *hs) {
443	hs->ech_client_outer.Reset();
444	hs->cookie.Reset();
445	hs->key_share_bytes.Reset();
446	}
447
448	static enum ssl_hs_wait_t do_start_connect(SSL_HANDSHAKE *hs) {
449	SSL *const ssl = hs->ssl;
450
451	ssl_do_info_callback(ssl, SSL_CB_HANDSHAKE_START, value: 1);
452	// |session_reused| must be reset in case this is a renegotiation.
453	ssl->s3->session_reused = false;
454
455	// Freeze the version range.
456	if (!ssl_get_version_range(hs, out_min_version: &hs->min_version, out_max_version: &hs->max_version)) {
457	return ssl_hs_error;
458	}
459
460	uint8_t ech_enc[EVP_HPKE_MAX_ENC_LENGTH];
461	size_t ech_enc_len;
462	if (!ssl_select_ech_config(hs, out_enc: ech_enc, out_enc_len: &ech_enc_len)) {
463	return ssl_hs_error;
464	}
465
466	// Always advertise the ClientHello version from the original maximum version,
467	// even on renegotiation. The static RSA key exchange uses this field, and
468	// some servers fail when it changes across handshakes.
469	if (SSL_is_dtls(ssl: hs->ssl)) {
470	hs->client_version =
471	hs->max_version >= TLS1_2_VERSION ? DTLS1_2_VERSION : DTLS1_VERSION;
472	} else {
473	hs->client_version =
474	hs->max_version >= TLS1_2_VERSION ? TLS1_2_VERSION : hs->max_version;
475	}
476
477	// If the configured session has expired or is not usable, drop it. We also do
478	// not offer sessions on renegotiation.
479	if (ssl->session != nullptr) {
480	if (ssl->session->is_server ||
481	!ssl_supports_version(hs, version: ssl->session->ssl_version) ||
482	// Do not offer TLS 1.2 sessions with ECH. ClientHelloInner does not
483	// offer TLS 1.2, and the cleartext session ID may leak the server
484	// identity.
485	(hs->selected_ech_config &&
486	ssl_session_protocol_version(session: ssl->session.get()) < TLS1_3_VERSION) ||
487	!SSL_SESSION_is_resumable(session: ssl->session.get()) ||
488	!ssl_session_is_time_valid(ssl, session: ssl->session.get()) ||
489	(ssl->quic_method != nullptr) != ssl->session->is_quic ||
490	ssl->s3->initial_handshake_complete) {
491	ssl_set_session(ssl, session: nullptr);
492	}
493	}
494
495	if (!RAND_bytes(buf: ssl->s3->client_random, len: sizeof(ssl->s3->client_random))) {
496	return ssl_hs_error;
497	}
498	if (hs->selected_ech_config &&
499	!RAND_bytes(buf: hs->inner_client_random, len: sizeof(hs->inner_client_random))) {
500	return ssl_hs_error;
501	}
502
503	// Never send a session ID in QUIC. QUIC uses TLS 1.3 at a minimum and
504	// disables TLS 1.3 middlebox compatibility mode.
505	if (ssl->quic_method == nullptr) {
506	const bool has_id_session = ssl->session != nullptr &&
507	ssl->session->session_id_length > 0 &&
508	ssl->session->ticket.empty();
509	const bool has_ticket_session =
510	ssl->session != nullptr && !ssl->session->ticket.empty();
511	if (has_id_session) {
512	hs->session_id_len = ssl->session->session_id_length;
513	OPENSSL_memcpy(dst: hs->session_id, src: ssl->session->session_id,
514	n: hs->session_id_len);
515	} else if (has_ticket_session || hs->max_version >= TLS1_3_VERSION) {
516	// Send a random session ID. TLS 1.3 always sends one, and TLS 1.2 session
517	// tickets require a placeholder value to signal resumption.
518	hs->session_id_len = sizeof(hs->session_id);
519	if (!RAND_bytes(buf: hs->session_id, len: hs->session_id_len)) {
520	return ssl_hs_error;
521	}
522	}
523	}
524
525	ssl_early_data_reason_t reason = should_offer_early_data(hs);
526	if (reason != ssl_early_data_accepted) {
527	ssl->s3->early_data_reason = reason;
528	} else {
529	hs->early_data_offered = true;
530	}
531
532	if (!ssl_setup_key_shares(hs, /*override_group_id=*/0) ||
533	!ssl_setup_extension_permutation(hs) ||
534	!ssl_encrypt_client_hello(hs, enc: MakeConstSpan(ptr: ech_enc, size: ech_enc_len)) ||
535	!ssl_add_client_hello(hs)) {
536	return ssl_hs_error;
537	}
538
539	hs->state = state_enter_early_data;
540	return ssl_hs_flush;
541	}
542
543	static enum ssl_hs_wait_t do_enter_early_data(SSL_HANDSHAKE *hs) {
544	SSL *const ssl = hs->ssl;
545
546	if (SSL_is_dtls(ssl)) {
547	hs->state = state_read_hello_verify_request;
548	return ssl_hs_ok;
549	}
550
551	if (!hs->early_data_offered) {
552	hs->state = state_read_server_hello;
553	return ssl_hs_ok;
554	}
555
556	ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->session->ssl_version);
557	if (!ssl->method->add_change_cipher_spec(ssl)) {
558	return ssl_hs_error;
559	}
560
561	if (!tls13_init_early_key_schedule(hs, session: ssl->session.get()) ||
562	!tls13_derive_early_secret(hs)) {
563	return ssl_hs_error;
564	}
565
566	// Stash the early data session, so connection properties may be queried out
567	// of it.
568	hs->early_session = UpRef(ptr: ssl->session);
569	hs->state = state_early_reverify_server_certificate;
570	return ssl_hs_ok;
571	}
572
573	static enum ssl_hs_wait_t do_early_reverify_server_certificate(SSL_HANDSHAKE *hs) {
574	if (hs->ssl->ctx->reverify_on_resume) {
575	// Don't send an alert on error. The alert be in early data, which the
576	// server may not accept anyway. It would also be a mismatch between QUIC
577	// and TCP because the QUIC early keys are deferred below.
578	//
579	// TODO(davidben): The client behavior should be to verify the certificate
580	// before deciding whether to offer the session and, if invalid, decline to
581	// send the session.
582	switch (ssl_reverify_peer_cert(hs, /*send_alert=*/false)) {
583	case ssl_verify_ok:
584	break;
585	case ssl_verify_invalid:
586	return ssl_hs_error;
587	case ssl_verify_retry:
588	hs->state = state_early_reverify_server_certificate;
589	return ssl_hs_certificate_verify;
590	}
591	}
592
593	// Defer releasing the 0-RTT key to after certificate reverification, so the
594	// QUIC implementation does not accidentally write data too early.
595	if (!tls13_set_traffic_key(ssl: hs->ssl, level: ssl_encryption_early_data, direction: evp_aead_seal,
596	session: hs->early_session.get(),
597	traffic_secret: hs->early_traffic_secret())) {
598	return ssl_hs_error;
599	}
600
601	hs->in_early_data = true;
602	hs->can_early_write = true;
603	hs->state = state_read_server_hello;
604	return ssl_hs_early_return;
605	}
606
607	static enum ssl_hs_wait_t do_read_hello_verify_request(SSL_HANDSHAKE *hs) {
608	SSL *const ssl = hs->ssl;
609
610	assert(SSL_is_dtls(ssl));
611
612	// When implementing DTLS 1.3, we need to handle the interactions between
613	// HelloVerifyRequest, DTLS 1.3's HelloVerifyRequest removal, and ECH.
614	assert(hs->max_version < TLS1_3_VERSION);
615
616	SSLMessage msg;
617	if (!ssl->method->get_message(ssl, &msg)) {
618	return ssl_hs_read_message;
619	}
620
621	if (msg.type != DTLS1_MT_HELLO_VERIFY_REQUEST) {
622	hs->state = state_read_server_hello;
623	return ssl_hs_ok;
624	}
625
626	CBS hello_verify_request = msg.body, cookie;
627	uint16_t server_version;
628	if (!CBS_get_u16(cbs: &hello_verify_request, out: &server_version) ||
629	!CBS_get_u8_length_prefixed(cbs: &hello_verify_request, out: &cookie) ||
630	CBS_len(cbs: &hello_verify_request) != 0) {
631	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
632	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
633	return ssl_hs_error;
634	}
635
636	if (!hs->dtls_cookie.CopyFrom(in: cookie)) {
637	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
638	return ssl_hs_error;
639	}
640
641	ssl->method->next_message(ssl);
642
643	// DTLS resets the handshake buffer after HelloVerifyRequest.
644	if (!hs->transcript.Init()) {
645	return ssl_hs_error;
646	}
647
648	if (!ssl_add_client_hello(hs)) {
649	return ssl_hs_error;
650	}
651
652	hs->state = state_read_server_hello;
653	return ssl_hs_flush;
654	}
655
656	bool ssl_parse_server_hello(ParsedServerHello *out, uint8_t *out_alert,
657	const SSLMessage &msg) {
658	if (msg.type != SSL3_MT_SERVER_HELLO) {
659	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
660	*out_alert = SSL_AD_UNEXPECTED_MESSAGE;
661	return false;
662	}
663	out->raw = msg.raw;
664	CBS body = msg.body;
665	if (!CBS_get_u16(cbs: &body, out: &out->legacy_version) ||
666	!CBS_get_bytes(cbs: &body, out: &out->random, SSL3_RANDOM_SIZE) ||
667	!CBS_get_u8_length_prefixed(cbs: &body, out: &out->session_id) ||
668	CBS_len(cbs: &out->session_id) > SSL3_SESSION_ID_SIZE ||
669	!CBS_get_u16(cbs: &body, out: &out->cipher_suite) ||
670	!CBS_get_u8(cbs: &body, out: &out->compression_method)) {
671	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
672	*out_alert = SSL_AD_DECODE_ERROR;
673	return false;
674	}
675	// In TLS 1.2 and below, empty extensions blocks may be omitted. In TLS 1.3,
676	// ServerHellos always have extensions, so this can be applied generically.
677	CBS_init(cbs: &out->extensions, data: nullptr, len: 0);
678	if ((CBS_len(cbs: &body) != 0 &&
679	!CBS_get_u16_length_prefixed(cbs: &body, out: &out->extensions)) ||
680	CBS_len(cbs: &body) != 0) {
681	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
682	*out_alert = SSL_AD_DECODE_ERROR;
683	return false;
684	}
685	return true;
686	}
687
688	static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
689	SSL *const ssl = hs->ssl;
690	SSLMessage msg;
691	if (!ssl->method->get_message(ssl, &msg)) {
692	return ssl_hs_read_server_hello;
693	}
694
695	ParsedServerHello server_hello;
696	uint16_t server_version;
697	uint8_t alert = SSL_AD_DECODE_ERROR;
698	if (!ssl_parse_server_hello(out: &server_hello, out_alert: &alert, msg) ||
699	!parse_server_version(hs, out_version: &server_version, out_alert: &alert, server_hello)) {
700	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
701	return ssl_hs_error;
702	}
703
704	if (!ssl_supports_version(hs, version: server_version)) {
705	OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_PROTOCOL);
706	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
707	return ssl_hs_error;
708	}
709
710	assert(ssl->s3->have_version == ssl->s3->initial_handshake_complete);
711	if (!ssl->s3->have_version) {
712	ssl->version = server_version;
713	// At this point, the connection's version is known and ssl->version is
714	// fixed. Begin enforcing the record-layer version.
715	ssl->s3->have_version = true;
716	ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
717	} else if (server_version != ssl->version) {
718	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_SSL_VERSION);
719	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
720	return ssl_hs_error;
721	}
722
723	if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
724	hs->state = state_tls13;
725	return ssl_hs_ok;
726	}
727
728	// Clear some TLS 1.3 state that no longer needs to be retained.
729	hs->key_shares[0].reset();
730	hs->key_shares[1].reset();
731	ssl_done_writing_client_hello(hs);
732
733	// A TLS 1.2 server would not know to skip the early data we offered. Report
734	// an error code sooner. The caller may use this error code to implement the
735	// fallback described in RFC 8446 appendix D.3.
736	if (hs->early_data_offered) {
737	// Disconnect early writes. This ensures subsequent |SSL_write| calls query
738	// the handshake which, in turn, will replay the error code rather than fail
739	// at the |write_shutdown| check. See https://crbug.com/1078515.
740	// TODO(davidben): Should all handshake errors do this? What about record
741	// decryption failures?
742	hs->can_early_write = false;
743	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_VERSION_ON_EARLY_DATA);
744	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_PROTOCOL_VERSION);
745	return ssl_hs_error;
746	}
747
748	// TLS 1.2 handshakes cannot accept ECH.
749	if (hs->selected_ech_config) {
750	ssl->s3->ech_status = ssl_ech_rejected;
751	}
752
753	// Copy over the server random.
754	OPENSSL_memcpy(dst: ssl->s3->server_random, src: CBS_data(cbs: &server_hello.random),
755	SSL3_RANDOM_SIZE);
756
757	// Enforce the TLS 1.3 anti-downgrade feature.
758	if (!ssl->s3->initial_handshake_complete &&
759	ssl_supports_version(hs, TLS1_3_VERSION)) {
760	static_assert(
761	sizeof(kTLS12DowngradeRandom) == sizeof(kTLS13DowngradeRandom),
762	"downgrade signals have different size");
763	static_assert(
764	sizeof(kJDK11DowngradeRandom) == sizeof(kTLS13DowngradeRandom),
765	"downgrade signals have different size");
766	auto suffix =
767	MakeConstSpan(ptr: ssl->s3->server_random, size: sizeof(ssl->s3->server_random))
768	.subspan(SSL3_RANDOM_SIZE - sizeof(kTLS13DowngradeRandom));
769	if (suffix == kTLS12DowngradeRandom || suffix == kTLS13DowngradeRandom ||
770	suffix == kJDK11DowngradeRandom) {
771	OPENSSL_PUT_ERROR(SSL, SSL_R_TLS13_DOWNGRADE);
772	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
773	return ssl_hs_error;
774	}
775	}
776
777	// The cipher must be allowed in the selected version and enabled.
778	const SSL_CIPHER *cipher = SSL_get_cipher_by_value(value: server_hello.cipher_suite);
779	uint32_t mask_a, mask_k;
780	ssl_get_client_disabled(hs, out_mask_a: &mask_a, out_mask_k: &mask_k);
781	if (cipher == nullptr ||
782	(cipher->algorithm_mkey & mask_k) ||
783	(cipher->algorithm_auth & mask_a) ||
784	SSL_CIPHER_get_min_version(cipher) > ssl_protocol_version(ssl) ||
785	SSL_CIPHER_get_max_version(cipher) < ssl_protocol_version(ssl) ||
786	!sk_SSL_CIPHER_find(sk: SSL_get_ciphers(ssl), out_index: nullptr, p: cipher)) {
787	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
788	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
789	return ssl_hs_error;
790	}
791
792	hs->new_cipher = cipher;
793
794	if (hs->session_id_len != 0 &&
795	CBS_mem_equal(cbs: &server_hello.session_id, data: hs->session_id,
796	len: hs->session_id_len)) {
797	// Echoing the ClientHello session ID in TLS 1.2, whether from the session
798	// or a synthetic one, indicates resumption. If there was no session (or if
799	// the session was only offered in ECH ClientHelloInner), this was the
800	// TLS 1.3 compatibility mode session ID. As we know this is not a session
801	// the server knows about, any server resuming it is in error. Reject the
802	// first connection deterministicly, rather than installing an invalid
803	// session into the session cache. https://crbug.com/796910
804	if (ssl->session == nullptr || ssl->s3->ech_status == ssl_ech_rejected) {
805	OPENSSL_PUT_ERROR(SSL, SSL_R_SERVER_ECHOED_INVALID_SESSION_ID);
806	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
807	return ssl_hs_error;
808	}
809	if (ssl->session->ssl_version != ssl->version) {
810	OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
811	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
812	return ssl_hs_error;
813	}
814	if (ssl->session->cipher != hs->new_cipher) {
815	OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
816	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
817	return ssl_hs_error;
818	}
819	if (!ssl_session_is_context_valid(hs, session: ssl->session.get())) {
820	// This is actually a client application bug.
821	OPENSSL_PUT_ERROR(SSL,
822	SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
823	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
824	return ssl_hs_error;
825	}
826	// We never offer sessions on renegotiation.
827	assert(!ssl->s3->initial_handshake_complete);
828	ssl->s3->session_reused = true;
829	} else {
830	// The session wasn't resumed. Create a fresh SSL_SESSION to fill out.
831	ssl_set_session(ssl, NULL);
832	if (!ssl_get_new_session(hs)) {
833	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
834	return ssl_hs_error;
835	}
836	// Note: session_id could be empty.
837	hs->new_session->session_id_length = CBS_len(cbs: &server_hello.session_id);
838	OPENSSL_memcpy(dst: hs->new_session->session_id,
839	src: CBS_data(cbs: &server_hello.session_id),
840	n: CBS_len(cbs: &server_hello.session_id));
841	hs->new_session->cipher = hs->new_cipher;
842	}
843
844	// Now that the cipher is known, initialize the handshake hash and hash the
845	// ServerHello.
846	if (!hs->transcript.InitHash(version: ssl_protocol_version(ssl), cipher: hs->new_cipher) ||
847	!ssl_hash_message(hs, msg)) {
848	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
849	return ssl_hs_error;
850	}
851
852	// If doing a full handshake, the server may request a client certificate
853	// which requires hashing the handshake transcript. Otherwise, the handshake
854	// buffer may be released.
855	if (ssl->session != NULL ||
856	!ssl_cipher_uses_certificate_auth(cipher: hs->new_cipher)) {
857	hs->transcript.FreeBuffer();
858	}
859
860	// Only the NULL compression algorithm is supported.
861	if (server_hello.compression_method != 0) {
862	OPENSSL_PUT_ERROR(SSL, SSL_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
863	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
864	return ssl_hs_error;
865	}
866
867	if (!ssl_parse_serverhello_tlsext(hs, extensions: &server_hello.extensions)) {
868	OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
869	return ssl_hs_error;
870	}
871
872	if (ssl->session != NULL &&
873	hs->extended_master_secret != ssl->session->extended_master_secret) {
874	if (ssl->session->extended_master_secret) {
875	OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
876	} else {
877	OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION);
878	}
879	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
880	return ssl_hs_error;
881	}
882
883	ssl->method->next_message(ssl);
884
885	if (ssl->session != NULL) {
886	if (ssl->ctx->reverify_on_resume &&
887	ssl_cipher_uses_certificate_auth(cipher: hs->new_cipher)) {
888	hs->state = state_reverify_server_certificate;
889	} else {
890	hs->state = state_read_session_ticket;
891	}
892	return ssl_hs_ok;
893	}
894
895	hs->state = state_read_server_certificate;
896	return ssl_hs_ok;
897	}
898
899	static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {
900	enum ssl_hs_wait_t wait = tls13_client_handshake(hs);
901	if (wait == ssl_hs_ok) {
902	hs->state = state_finish_client_handshake;
903	return ssl_hs_ok;
904	}
905
906	return wait;
907	}
908
909	static enum ssl_hs_wait_t do_read_server_certificate(SSL_HANDSHAKE *hs) {
910	SSL *const ssl = hs->ssl;
911
912	if (!ssl_cipher_uses_certificate_auth(cipher: hs->new_cipher)) {
913	hs->state = state_read_certificate_status;
914	return ssl_hs_ok;
915	}
916
917	SSLMessage msg;
918	if (!ssl->method->get_message(ssl, &msg)) {
919	return ssl_hs_read_message;
920	}
921
922	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
923	!ssl_hash_message(hs, msg)) {
924	return ssl_hs_error;
925	}
926
927	CBS body = msg.body;
928	uint8_t alert = SSL_AD_DECODE_ERROR;
929	if (!ssl_parse_cert_chain(out_alert: &alert, out_chain: &hs->new_session->certs, out_pubkey: &hs->peer_pubkey,
930	NULL, cbs: &body, pool: ssl->ctx->pool)) {
931	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
932	return ssl_hs_error;
933	}
934
935	if (sk_CRYPTO_BUFFER_num(sk: hs->new_session->certs.get()) == 0 ||
936	CBS_len(cbs: &body) != 0 ||
937	!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
938	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
939	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
940	return ssl_hs_error;
941	}
942
943	if (!ssl_check_leaf_certificate(
944	hs, pkey: hs->peer_pubkey.get(),
945	leaf: sk_CRYPTO_BUFFER_value(sk: hs->new_session->certs.get(), i: 0))) {
946	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
947	return ssl_hs_error;
948	}
949
950	ssl->method->next_message(ssl);
951
952	hs->state = state_read_certificate_status;
953	return ssl_hs_ok;
954	}
955
956	static enum ssl_hs_wait_t do_read_certificate_status(SSL_HANDSHAKE *hs) {
957	SSL *const ssl = hs->ssl;
958
959	if (!hs->certificate_status_expected) {
960	hs->state = state_verify_server_certificate;
961	return ssl_hs_ok;
962	}
963
964	SSLMessage msg;
965	if (!ssl->method->get_message(ssl, &msg)) {
966	return ssl_hs_read_message;
967	}
968
969	if (msg.type != SSL3_MT_CERTIFICATE_STATUS) {
970	// A server may send status_request in ServerHello and then change its mind
971	// about sending CertificateStatus.
972	hs->state = state_verify_server_certificate;
973	return ssl_hs_ok;
974	}
975
976	if (!ssl_hash_message(hs, msg)) {
977	return ssl_hs_error;
978	}
979
980	CBS certificate_status = msg.body, ocsp_response;
981	uint8_t status_type;
982	if (!CBS_get_u8(cbs: &certificate_status, out: &status_type) ||
983	status_type != TLSEXT_STATUSTYPE_ocsp ||
984	!CBS_get_u24_length_prefixed(cbs: &certificate_status, out: &ocsp_response) ||
985	CBS_len(cbs: &ocsp_response) == 0 ||
986	CBS_len(cbs: &certificate_status) != 0) {
987	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
988	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
989	return ssl_hs_error;
990	}
991
992	hs->new_session->ocsp_response.reset(
993	p: CRYPTO_BUFFER_new_from_CBS(cbs: &ocsp_response, pool: ssl->ctx->pool));
994	if (hs->new_session->ocsp_response == nullptr) {
995	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
996	return ssl_hs_error;
997	}
998
999	ssl->method->next_message(ssl);
1000
1001	hs->state = state_verify_server_certificate;
1002	return ssl_hs_ok;
1003	}
1004
1005	static enum ssl_hs_wait_t do_verify_server_certificate(SSL_HANDSHAKE *hs) {
1006	if (!ssl_cipher_uses_certificate_auth(cipher: hs->new_cipher)) {
1007	hs->state = state_read_server_key_exchange;
1008	return ssl_hs_ok;
1009	}
1010
1011	switch (ssl_verify_peer_cert(hs)) {
1012	case ssl_verify_ok:
1013	break;
1014	case ssl_verify_invalid:
1015	return ssl_hs_error;
1016	case ssl_verify_retry:
1017	hs->state = state_verify_server_certificate;
1018	return ssl_hs_certificate_verify;
1019	}
1020
1021	hs->state = state_read_server_key_exchange;
1022	return ssl_hs_ok;
1023	}
1024
1025	static enum ssl_hs_wait_t do_reverify_server_certificate(SSL_HANDSHAKE *hs) {
1026	assert(hs->ssl->ctx->reverify_on_resume);
1027
1028	switch (ssl_reverify_peer_cert(hs, /*send_alert=*/true)) {
1029	case ssl_verify_ok:
1030	break;
1031	case ssl_verify_invalid:
1032	return ssl_hs_error;
1033	case ssl_verify_retry:
1034	hs->state = state_reverify_server_certificate;
1035	return ssl_hs_certificate_verify;
1036	}
1037
1038	hs->state = state_read_session_ticket;
1039	return ssl_hs_ok;
1040	}
1041
1042	static enum ssl_hs_wait_t do_read_server_key_exchange(SSL_HANDSHAKE *hs) {
1043	SSL *const ssl = hs->ssl;
1044	SSLMessage msg;
1045	if (!ssl->method->get_message(ssl, &msg)) {
1046	return ssl_hs_read_message;
1047	}
1048
1049	if (msg.type != SSL3_MT_SERVER_KEY_EXCHANGE) {
1050	// Some ciphers (pure PSK) have an optional ServerKeyExchange message.
1051	if (ssl_cipher_requires_server_key_exchange(cipher: hs->new_cipher)) {
1052	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
1053	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1054	return ssl_hs_error;
1055	}
1056
1057	hs->state = state_read_certificate_request;
1058	return ssl_hs_ok;
1059	}
1060
1061	if (!ssl_hash_message(hs, msg)) {
1062	return ssl_hs_error;
1063	}
1064
1065	uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1066	uint32_t alg_a = hs->new_cipher->algorithm_auth;
1067	CBS server_key_exchange = msg.body;
1068	if (alg_a & SSL_aPSK) {
1069	CBS psk_identity_hint;
1070
1071	// Each of the PSK key exchanges begins with a psk_identity_hint.
1072	if (!CBS_get_u16_length_prefixed(cbs: &server_key_exchange,
1073	out: &psk_identity_hint)) {
1074	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1075	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1076	return ssl_hs_error;
1077	}
1078
1079	// Store the PSK identity hint for the ClientKeyExchange. Assume that the
1080	// maximum length of a PSK identity hint can be as long as the maximum
1081	// length of a PSK identity. Also do not allow NULL characters; identities
1082	// are saved as C strings.
1083	//
1084	// TODO(davidben): Should invalid hints be ignored? It's a hint rather than
1085	// a specific identity.
1086	if (CBS_len(cbs: &psk_identity_hint) > PSK_MAX_IDENTITY_LEN ||
1087	CBS_contains_zero_byte(cbs: &psk_identity_hint)) {
1088	OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
1089	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1090	return ssl_hs_error;
1091	}
1092
1093	// Save non-empty identity hints as a C string. Empty identity hints we
1094	// treat as missing. Plain PSK makes it possible to send either no hint
1095	// (omit ServerKeyExchange) or an empty hint, while ECDHE_PSK can only spell
1096	// empty hint. Having different capabilities is odd, so we interpret empty
1097	// and missing as identical.
1098	char *raw = nullptr;
1099	if (CBS_len(cbs: &psk_identity_hint) != 0 &&
1100	!CBS_strdup(cbs: &psk_identity_hint, out_ptr: &raw)) {
1101	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1102	return ssl_hs_error;
1103	}
1104	hs->peer_psk_identity_hint.reset(p: raw);
1105	}
1106
1107	if (alg_k & SSL_kECDHE) {
1108	// Parse the server parameters.
1109	uint8_t group_type;
1110	uint16_t group_id;
1111	CBS point;
1112	if (!CBS_get_u8(cbs: &server_key_exchange, out: &group_type) ||
1113	group_type != NAMED_CURVE_TYPE ||
1114	!CBS_get_u16(cbs: &server_key_exchange, out: &group_id) ||
1115	!CBS_get_u8_length_prefixed(cbs: &server_key_exchange, out: &point)) {
1116	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1117	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1118	return ssl_hs_error;
1119	}
1120
1121	// Ensure the group is consistent with preferences.
1122	if (!tls1_check_group_id(ssl: hs, group_id)) {
1123	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
1124	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1125	return ssl_hs_error;
1126	}
1127
1128	// Save the group and peer public key for later.
1129	hs->new_session->group_id = group_id;
1130	if (!hs->peer_key.CopyFrom(in: point)) {
1131	return ssl_hs_error;
1132	}
1133	} else if (!(alg_k & SSL_kPSK)) {
1134	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
1135	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1136	return ssl_hs_error;
1137	}
1138
1139	// At this point, |server_key_exchange| contains the signature, if any, while
1140	// |msg.body| contains the entire message. From that, derive a CBS containing
1141	// just the parameter.
1142	CBS parameter;
1143	CBS_init(cbs: &parameter, data: CBS_data(cbs: &msg.body),
1144	len: CBS_len(cbs: &msg.body) - CBS_len(cbs: &server_key_exchange));
1145
1146	// ServerKeyExchange should be signed by the server's public key.
1147	if (ssl_cipher_uses_certificate_auth(cipher: hs->new_cipher)) {
1148	uint16_t signature_algorithm = 0;
1149	if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1150	if (!CBS_get_u16(cbs: &server_key_exchange, out: &signature_algorithm)) {
1151	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1152	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1153	return ssl_hs_error;
1154	}
1155	uint8_t alert = SSL_AD_DECODE_ERROR;
1156	if (!tls12_check_peer_sigalg(hs, out_alert: &alert, sigalg: signature_algorithm)) {
1157	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
1158	return ssl_hs_error;
1159	}
1160	hs->new_session->peer_signature_algorithm = signature_algorithm;
1161	} else if (!tls1_get_legacy_signature_algorithm(out: &signature_algorithm,
1162	pkey: hs->peer_pubkey.get())) {
1163	OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
1164	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);
1165	return ssl_hs_error;
1166	}
1167
1168	// The last field in |server_key_exchange| is the signature.
1169	CBS signature;
1170	if (!CBS_get_u16_length_prefixed(cbs: &server_key_exchange, out: &signature) ||
1171	CBS_len(cbs: &server_key_exchange) != 0) {
1172	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1173	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1174	return ssl_hs_error;
1175	}
1176
1177	ScopedCBB transcript;
1178	Array<uint8_t> transcript_data;
1179	if (!CBB_init(cbb: transcript.get(),
1180	initial_capacity: 2 * SSL3_RANDOM_SIZE + CBS_len(cbs: &parameter)) ||
1181	!CBB_add_bytes(cbb: transcript.get(), data: ssl->s3->client_random,
1182	SSL3_RANDOM_SIZE) ||
1183	!CBB_add_bytes(cbb: transcript.get(), data: ssl->s3->server_random,
1184	SSL3_RANDOM_SIZE) ||
1185	!CBB_add_bytes(cbb: transcript.get(), data: CBS_data(cbs: &parameter),
1186	len: CBS_len(cbs: &parameter)) ||
1187	!CBBFinishArray(cbb: transcript.get(), out: &transcript_data)) {
1188	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1189	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1190	return ssl_hs_error;
1191	}
1192
1193	if (!ssl_public_key_verify(ssl, signature, sigalg: signature_algorithm,
1194	pkey: hs->peer_pubkey.get(), in: transcript_data)) {
1195	// bad signature
1196	OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
1197	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1198	return ssl_hs_error;
1199	}
1200	} else {
1201	// PSK ciphers are the only supported certificate-less ciphers.
1202	assert(alg_a == SSL_aPSK);
1203
1204	if (CBS_len(cbs: &server_key_exchange) > 0) {
1205	OPENSSL_PUT_ERROR(SSL, SSL_R_EXTRA_DATA_IN_MESSAGE);
1206	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1207	return ssl_hs_error;
1208	}
1209	}
1210
1211	ssl->method->next_message(ssl);
1212	hs->state = state_read_certificate_request;
1213	return ssl_hs_ok;
1214	}
1215
1216	static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
1217	SSL *const ssl = hs->ssl;
1218
1219	if (!ssl_cipher_uses_certificate_auth(cipher: hs->new_cipher)) {
1220	hs->state = state_read_server_hello_done;
1221	return ssl_hs_ok;
1222	}
1223
1224	SSLMessage msg;
1225	if (!ssl->method->get_message(ssl, &msg)) {
1226	return ssl_hs_read_message;
1227	}
1228
1229	if (msg.type == SSL3_MT_SERVER_HELLO_DONE) {
1230	// If we get here we don't need the handshake buffer as we won't be doing
1231	// client auth.
1232	hs->transcript.FreeBuffer();
1233	hs->state = state_read_server_hello_done;
1234	return ssl_hs_ok;
1235	}
1236
1237	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_REQUEST) ||
1238	!ssl_hash_message(hs, msg)) {
1239	return ssl_hs_error;
1240	}
1241
1242	// Get the certificate types.
1243	CBS body = msg.body, certificate_types;
1244	if (!CBS_get_u8_length_prefixed(cbs: &body, out: &certificate_types)) {
1245	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1246	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1247	return ssl_hs_error;
1248	}
1249
1250	if (!hs->certificate_types.CopyFrom(in: certificate_types)) {
1251	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1252	return ssl_hs_error;
1253	}
1254
1255	if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1256	CBS supported_signature_algorithms;
1257	if (!CBS_get_u16_length_prefixed(cbs: &body, out: &supported_signature_algorithms) ||
1258	!tls1_parse_peer_sigalgs(hs, sigalgs: &supported_signature_algorithms)) {
1259	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1260	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1261	return ssl_hs_error;
1262	}
1263	}
1264
1265	uint8_t alert = SSL_AD_DECODE_ERROR;
1266	UniquePtr<STACK_OF(CRYPTO_BUFFER)> ca_names =
1267	ssl_parse_client_CA_list(ssl, out_alert: &alert, cbs: &body);
1268	if (!ca_names) {
1269	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
1270	return ssl_hs_error;
1271	}
1272
1273	if (CBS_len(cbs: &body) != 0) {
1274	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1275	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1276	return ssl_hs_error;
1277	}
1278
1279	hs->cert_request = true;
1280	hs->ca_names = std::move(ca_names);
1281	ssl->ctx->x509_method->hs_flush_cached_ca_names(hs);
1282
1283	ssl->method->next_message(ssl);
1284	hs->state = state_read_server_hello_done;
1285	return ssl_hs_ok;
1286	}
1287
1288	static enum ssl_hs_wait_t do_read_server_hello_done(SSL_HANDSHAKE *hs) {
1289	SSL *const ssl = hs->ssl;
1290	SSLMessage msg;
1291	if (!ssl->method->get_message(ssl, &msg)) {
1292	return ssl_hs_read_message;
1293	}
1294
1295	if (!ssl_check_message_type(ssl, msg, SSL3_MT_SERVER_HELLO_DONE) ||
1296	!ssl_hash_message(hs, msg)) {
1297	return ssl_hs_error;
1298	}
1299
1300	// ServerHelloDone is empty.
1301	if (CBS_len(cbs: &msg.body) != 0) {
1302	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1303	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1304	return ssl_hs_error;
1305	}
1306
1307	// ServerHelloDone should be the end of the flight.
1308	if (ssl->method->has_unprocessed_handshake_data(ssl)) {
1309	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
1310	OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
1311	return ssl_hs_error;
1312	}
1313
1314	ssl->method->next_message(ssl);
1315	hs->state = state_send_client_certificate;
1316	return ssl_hs_ok;
1317	}
1318
1319	static enum ssl_hs_wait_t do_send_client_certificate(SSL_HANDSHAKE *hs) {
1320	SSL *const ssl = hs->ssl;
1321
1322	// The peer didn't request a certificate.
1323	if (!hs->cert_request) {
1324	hs->state = state_send_client_key_exchange;
1325	return ssl_hs_ok;
1326	}
1327
1328	if (ssl->s3->ech_status == ssl_ech_rejected) {
1329	// Do not send client certificates on ECH reject. We have not authenticated
1330	// the server for the name that can learn the certificate.
1331	SSL_certs_clear(ssl);
1332	} else if (hs->config->cert->cert_cb != nullptr) {
1333	// Call cert_cb to update the certificate.
1334	int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
1335	if (rv == 0) {
1336	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1337	OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
1338	return ssl_hs_error;
1339	}
1340	if (rv < 0) {
1341	hs->state = state_send_client_certificate;
1342	return ssl_hs_x509_lookup;
1343	}
1344	}
1345
1346	if (!ssl_has_certificate(hs)) {
1347	// Without a client certificate, the handshake buffer may be released.
1348	hs->transcript.FreeBuffer();
1349	}
1350
1351	if (!ssl_on_certificate_selected(hs) ||
1352	!ssl_output_cert_chain(hs)) {
1353	return ssl_hs_error;
1354	}
1355
1356
1357	hs->state = state_send_client_key_exchange;
1358	return ssl_hs_ok;
1359	}
1360
1361	static_assert(sizeof(size_t) >= sizeof(unsigned),
1362	"size_t is smaller than unsigned");
1363
1364	static enum ssl_hs_wait_t do_send_client_key_exchange(SSL_HANDSHAKE *hs) {
1365	SSL *const ssl = hs->ssl;
1366	ScopedCBB cbb;
1367	CBB body;
1368	if (!ssl->method->init_message(ssl, cbb.get(), &body,
1369	SSL3_MT_CLIENT_KEY_EXCHANGE)) {
1370	return ssl_hs_error;
1371	}
1372
1373	Array<uint8_t> pms;
1374	uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1375	uint32_t alg_a = hs->new_cipher->algorithm_auth;
1376	if (ssl_cipher_uses_certificate_auth(cipher: hs->new_cipher)) {
1377	const CRYPTO_BUFFER *leaf =
1378	sk_CRYPTO_BUFFER_value(sk: hs->new_session->certs.get(), i: 0);
1379	CBS leaf_cbs;
1380	CRYPTO_BUFFER_init_CBS(buf: leaf, out: &leaf_cbs);
1381
1382	// Check the key usage matches the cipher suite. We do this unconditionally
1383	// for non-RSA certificates. In particular, it's needed to distinguish ECDH
1384	// certificates, which we do not support, from ECDSA certificates.
1385	// Historically, we have not checked RSA key usages, so it is controlled by
1386	// a flag for now. See https://crbug.com/795089.
1387	ssl_key_usage_t intended_use = (alg_k & SSL_kRSA)
1388	? key_usage_encipherment
1389	: key_usage_digital_signature;
1390	if (!ssl_cert_check_key_usage(in: &leaf_cbs, bit: intended_use)) {
1391	if (hs->config->enforce_rsa_key_usage ||
1392	EVP_PKEY_id(pkey: hs->peer_pubkey.get()) != EVP_PKEY_RSA) {
1393	return ssl_hs_error;
1394	}
1395	ERR_clear_error();
1396	ssl->s3->was_key_usage_invalid = true;
1397	}
1398	}
1399
1400	// If using a PSK key exchange, prepare the pre-shared key.
1401	unsigned psk_len = 0;
1402	uint8_t psk[PSK_MAX_PSK_LEN];
1403	if (alg_a & SSL_aPSK) {
1404	if (hs->config->psk_client_callback == NULL) {
1405	OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_NO_CLIENT_CB);
1406	return ssl_hs_error;
1407	}
1408
1409	char identity[PSK_MAX_IDENTITY_LEN + 1];
1410	OPENSSL_memset(dst: identity, c: 0, n: sizeof(identity));
1411	psk_len = hs->config->psk_client_callback(
1412	ssl, hs->peer_psk_identity_hint.get(), identity, sizeof(identity), psk,
1413	sizeof(psk));
1414	if (psk_len == 0) {
1415	OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1416	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1417	return ssl_hs_error;
1418	}
1419	assert(psk_len <= PSK_MAX_PSK_LEN);
1420
1421	hs->new_session->psk_identity.reset(p: OPENSSL_strdup(s: identity));
1422	if (hs->new_session->psk_identity == nullptr) {
1423	return ssl_hs_error;
1424	}
1425
1426	// Write out psk_identity.
1427	CBB child;
1428	if (!CBB_add_u16_length_prefixed(cbb: &body, out_contents: &child) ||
1429	!CBB_add_bytes(cbb: &child, data: (const uint8_t *)identity,
1430	len: OPENSSL_strnlen(s: identity, len: sizeof(identity))) ||
1431	!CBB_flush(cbb: &body)) {
1432	return ssl_hs_error;
1433	}
1434	}
1435
1436	// Depending on the key exchange method, compute |pms|.
1437	if (alg_k & SSL_kRSA) {
1438	if (!pms.Init(SSL_MAX_MASTER_KEY_LENGTH)) {
1439	return ssl_hs_error;
1440	}
1441
1442	RSA *rsa = EVP_PKEY_get0_RSA(pkey: hs->peer_pubkey.get());
1443	if (rsa == NULL) {
1444	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1445	return ssl_hs_error;
1446	}
1447
1448	pms[0] = hs->client_version >> 8;
1449	pms[1] = hs->client_version & 0xff;
1450	if (!RAND_bytes(buf: &pms[2], SSL_MAX_MASTER_KEY_LENGTH - 2)) {
1451	return ssl_hs_error;
1452	}
1453
1454	CBB enc_pms;
1455	uint8_t *ptr;
1456	size_t enc_pms_len;
1457	if (!CBB_add_u16_length_prefixed(cbb: &body, out_contents: &enc_pms) ||
1458	!CBB_reserve(cbb: &enc_pms, out_data: &ptr, len: RSA_size(rsa)) ||
1459	!RSA_encrypt(rsa, out_len: &enc_pms_len, out: ptr, max_out: RSA_size(rsa), in: pms.data(),
1460	in_len: pms.size(), RSA_PKCS1_PADDING) ||
1461	!CBB_did_write(cbb: &enc_pms, len: enc_pms_len) ||
1462	!CBB_flush(cbb: &body)) {
1463	return ssl_hs_error;
1464	}
1465	} else if (alg_k & SSL_kECDHE) {
1466	CBB child;
1467	if (!CBB_add_u8_length_prefixed(cbb: &body, out_contents: &child)) {
1468	return ssl_hs_error;
1469	}
1470
1471	// Generate a premaster secret and encapsulate it.
1472	bssl::UniquePtr<SSLKeyShare> kem =
1473	SSLKeyShare::Create(group_id: hs->new_session->group_id);
1474	uint8_t alert = SSL_AD_DECODE_ERROR;
1475	if (!kem || !kem->Encap(out_ciphertext: &child, out_secret: &pms, out_alert: &alert, peer_key: hs->peer_key)) {
1476	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
1477	return ssl_hs_error;
1478	}
1479	if (!CBB_flush(cbb: &body)) {
1480	return ssl_hs_error;
1481	}
1482
1483	// The peer key can now be discarded.
1484	hs->peer_key.Reset();
1485	} else if (alg_k & SSL_kPSK) {
1486	// For plain PSK, other_secret is a block of 0s with the same length as
1487	// the pre-shared key.
1488	if (!pms.Init(new_size: psk_len)) {
1489	return ssl_hs_error;
1490	}
1491	OPENSSL_memset(dst: pms.data(), c: 0, n: pms.size());
1492	} else {
1493	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1494	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1495	return ssl_hs_error;
1496	}
1497
1498	// For a PSK cipher suite, other_secret is combined with the pre-shared
1499	// key.
1500	if (alg_a & SSL_aPSK) {
1501	ScopedCBB pms_cbb;
1502	CBB child;
1503	if (!CBB_init(cbb: pms_cbb.get(), initial_capacity: 2 + psk_len + 2 + pms.size()) ||
1504	!CBB_add_u16_length_prefixed(cbb: pms_cbb.get(), out_contents: &child) ||
1505	!CBB_add_bytes(cbb: &child, data: pms.data(), len: pms.size()) ||
1506	!CBB_add_u16_length_prefixed(cbb: pms_cbb.get(), out_contents: &child) ||
1507	!CBB_add_bytes(cbb: &child, data: psk, len: psk_len) ||
1508	!CBBFinishArray(cbb: pms_cbb.get(), out: &pms)) {
1509	return ssl_hs_error;
1510	}
1511	}
1512
1513	// The message must be added to the finished hash before calculating the
1514	// master secret.
1515	if (!ssl_add_message_cbb(ssl, cbb: cbb.get())) {
1516	return ssl_hs_error;
1517	}
1518
1519	hs->new_session->secret_length =
1520	tls1_generate_master_secret(hs, out: hs->new_session->secret, premaster: pms);
1521	if (hs->new_session->secret_length == 0) {
1522	return ssl_hs_error;
1523	}
1524	hs->new_session->extended_master_secret = hs->extended_master_secret;
1525
1526	hs->state = state_send_client_certificate_verify;
1527	return ssl_hs_ok;
1528	}
1529
1530	static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL_HANDSHAKE *hs) {
1531	SSL *const ssl = hs->ssl;
1532
1533	if (!hs->cert_request || !ssl_has_certificate(hs)) {
1534	hs->state = state_send_client_finished;
1535	return ssl_hs_ok;
1536	}
1537
1538	assert(ssl_has_private_key(hs));
1539	ScopedCBB cbb;
1540	CBB body, child;
1541	if (!ssl->method->init_message(ssl, cbb.get(), &body,
1542	SSL3_MT_CERTIFICATE_VERIFY)) {
1543	return ssl_hs_error;
1544	}
1545
1546	uint16_t signature_algorithm;
1547	if (!tls1_choose_signature_algorithm(hs, out: &signature_algorithm)) {
1548	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1549	return ssl_hs_error;
1550	}
1551	if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1552	// Write out the digest type in TLS 1.2.
1553	if (!CBB_add_u16(cbb: &body, value: signature_algorithm)) {
1554	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1555	return ssl_hs_error;
1556	}
1557	}
1558
1559	// Set aside space for the signature.
1560	const size_t max_sig_len = EVP_PKEY_size(pkey: hs->local_pubkey.get());
1561	uint8_t *ptr;
1562	if (!CBB_add_u16_length_prefixed(cbb: &body, out_contents: &child) ||
1563	!CBB_reserve(cbb: &child, out_data: &ptr, len: max_sig_len)) {
1564	return ssl_hs_error;
1565	}
1566
1567	size_t sig_len = max_sig_len;
1568	switch (ssl_private_key_sign(hs, out: ptr, out_len: &sig_len, max_out: max_sig_len,
1569	sigalg: signature_algorithm,
1570	in: hs->transcript.buffer())) {
1571	case ssl_private_key_success:
1572	break;
1573	case ssl_private_key_failure:
1574	return ssl_hs_error;
1575	case ssl_private_key_retry:
1576	hs->state = state_send_client_certificate_verify;
1577	return ssl_hs_private_key_operation;
1578	}
1579
1580	if (!CBB_did_write(cbb: &child, len: sig_len) ||
1581	!ssl_add_message_cbb(ssl, cbb: cbb.get())) {
1582	return ssl_hs_error;
1583	}
1584
1585	// The handshake buffer is no longer necessary.
1586	hs->transcript.FreeBuffer();
1587
1588	hs->state = state_send_client_finished;
1589	return ssl_hs_ok;
1590	}
1591
1592	static enum ssl_hs_wait_t do_send_client_finished(SSL_HANDSHAKE *hs) {
1593	SSL *const ssl = hs->ssl;
1594	hs->can_release_private_key = true;
1595	if (!ssl->method->add_change_cipher_spec(ssl) ||
1596	!tls1_change_cipher_state(hs, direction: evp_aead_seal)) {
1597	return ssl_hs_error;
1598	}
1599
1600	if (hs->next_proto_neg_seen) {
1601	static const uint8_t kZero[32] = {0};
1602	size_t padding_len =
1603	32 - ((ssl->s3->next_proto_negotiated.size() + 2) % 32);
1604
1605	ScopedCBB cbb;
1606	CBB body, child;
1607	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_NEXT_PROTO) ||
1608	!CBB_add_u8_length_prefixed(cbb: &body, out_contents: &child) ||
1609	!CBB_add_bytes(cbb: &child, data: ssl->s3->next_proto_negotiated.data(),
1610	len: ssl->s3->next_proto_negotiated.size()) ||
1611	!CBB_add_u8_length_prefixed(cbb: &body, out_contents: &child) ||
1612	!CBB_add_bytes(cbb: &child, data: kZero, len: padding_len) ||
1613	!ssl_add_message_cbb(ssl, cbb: cbb.get())) {
1614	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1615	return ssl_hs_error;
1616	}
1617	}
1618
1619	if (hs->channel_id_negotiated) {
1620	ScopedCBB cbb;
1621	CBB body;
1622	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_CHANNEL_ID) ||
1623	!tls1_write_channel_id(hs, cbb: &body) ||
1624	!ssl_add_message_cbb(ssl, cbb: cbb.get())) {
1625	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1626	return ssl_hs_error;
1627	}
1628	}
1629
1630	if (!ssl_send_finished(hs)) {
1631	return ssl_hs_error;
1632	}
1633
1634	hs->state = state_finish_flight;
1635	return ssl_hs_flush;
1636	}
1637
1638	static bool can_false_start(const SSL_HANDSHAKE *hs) {
1639	const SSL *const ssl = hs->ssl;
1640
1641	// False Start bypasses the Finished check's downgrade protection. This can
1642	// enable attacks where we send data under weaker settings than supported
1643	// (e.g. the Logjam attack). Thus we require TLS 1.2 with an ECDHE+AEAD
1644	// cipher, our strongest settings before TLS 1.3.
1645	//
1646	// Now that TLS 1.3 exists, we would like to avoid similar attacks between
1647	// TLS 1.2 and TLS 1.3, but there are too many TLS 1.2 deployments to
1648	// sacrifice False Start on them. Instead, we rely on the ServerHello.random
1649	// downgrade signal, which we unconditionally enforce.
1650	if (SSL_is_dtls(ssl) ||
1651	SSL_version(ssl) != TLS1_2_VERSION ||
1652	hs->new_cipher->algorithm_mkey != SSL_kECDHE ||
1653	hs->new_cipher->algorithm_mac != SSL_AEAD) {
1654	return false;
1655	}
1656
1657	// If ECH was rejected, disable False Start. We run the handshake to
1658	// completion, including the Finished downgrade check, to authenticate the
1659	// recovery flow.
1660	if (ssl->s3->ech_status == ssl_ech_rejected) {
1661	return false;
1662	}
1663
1664	// Additionally require ALPN or NPN by default.
1665	//
1666	// TODO(davidben): Can this constraint be relaxed globally now that cipher
1667	// suite requirements have been tightened?
1668	if (!ssl->ctx->false_start_allowed_without_alpn &&
1669	ssl->s3->alpn_selected.empty() &&
1670	ssl->s3->next_proto_negotiated.empty()) {
1671	return false;
1672	}
1673
1674	return true;
1675	}
1676
1677	static enum ssl_hs_wait_t do_finish_flight(SSL_HANDSHAKE *hs) {
1678	SSL *const ssl = hs->ssl;
1679	if (ssl->session != NULL) {
1680	hs->state = state_finish_client_handshake;
1681	return ssl_hs_ok;
1682	}
1683
1684	// This is a full handshake. If it involves ChannelID, then record the
1685	// handshake hashes at this point in the session so that any resumption of
1686	// this session with ChannelID can sign those hashes.
1687	if (!tls1_record_handshake_hashes_for_channel_id(hs)) {
1688	return ssl_hs_error;
1689	}
1690
1691	hs->state = state_read_session_ticket;
1692
1693	if ((SSL_get_mode(ssl) & SSL_MODE_ENABLE_FALSE_START) &&
1694	can_false_start(hs) &&
1695	// No False Start on renegotiation (would complicate the state machine).
1696	!ssl->s3->initial_handshake_complete) {
1697	hs->in_false_start = true;
1698	hs->can_early_write = true;
1699	return ssl_hs_early_return;
1700	}
1701
1702	return ssl_hs_ok;
1703	}
1704
1705	static enum ssl_hs_wait_t do_read_session_ticket(SSL_HANDSHAKE *hs) {
1706	SSL *const ssl = hs->ssl;
1707
1708	if (!hs->ticket_expected) {
1709	hs->state = state_process_change_cipher_spec;
1710	return ssl_hs_read_change_cipher_spec;
1711	}
1712
1713	SSLMessage msg;
1714	if (!ssl->method->get_message(ssl, &msg)) {
1715	return ssl_hs_read_message;
1716	}
1717
1718	if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEW_SESSION_TICKET) ||
1719	!ssl_hash_message(hs, msg)) {
1720	return ssl_hs_error;
1721	}
1722
1723	CBS new_session_ticket = msg.body, ticket;
1724	uint32_t ticket_lifetime_hint;
1725	if (!CBS_get_u32(cbs: &new_session_ticket, out: &ticket_lifetime_hint) ||
1726	!CBS_get_u16_length_prefixed(cbs: &new_session_ticket, out: &ticket) ||
1727	CBS_len(cbs: &new_session_ticket) != 0) {
1728	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1729	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1730	return ssl_hs_error;
1731	}
1732
1733	if (CBS_len(cbs: &ticket) == 0) {
1734	// RFC 5077 allows a server to change its mind and send no ticket after
1735	// negotiating the extension. The value of |ticket_expected| is checked in
1736	// |ssl_update_cache| so is cleared here to avoid an unnecessary update.
1737	hs->ticket_expected = false;
1738	ssl->method->next_message(ssl);
1739	hs->state = state_process_change_cipher_spec;
1740	return ssl_hs_read_change_cipher_spec;
1741	}
1742
1743	if (ssl->session != nullptr) {
1744	// The server is sending a new ticket for an existing session. Sessions are
1745	// immutable once established, so duplicate all but the ticket of the
1746	// existing session.
1747	assert(!hs->new_session);
1748	hs->new_session =
1749	SSL_SESSION_dup(session: ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);
1750	if (!hs->new_session) {
1751	return ssl_hs_error;
1752	}
1753	}
1754
1755	// |ticket_lifetime_hint| is measured from when the ticket was issued.
1756	ssl_session_rebase_time(ssl, session: hs->new_session.get());
1757
1758	if (!hs->new_session->ticket.CopyFrom(in: ticket)) {
1759	return ssl_hs_error;
1760	}
1761	hs->new_session->ticket_lifetime_hint = ticket_lifetime_hint;
1762
1763	// Historically, OpenSSL filled in fake session IDs for ticket-based sessions.
1764	// TODO(davidben): Are external callers relying on this? Try removing this.
1765	SHA256(data: CBS_data(cbs: &ticket), len: CBS_len(cbs: &ticket), out: hs->new_session->session_id);
1766	hs->new_session->session_id_length = SHA256_DIGEST_LENGTH;
1767
1768	ssl->method->next_message(ssl);
1769	hs->state = state_process_change_cipher_spec;
1770	return ssl_hs_read_change_cipher_spec;
1771	}
1772
1773	static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
1774	if (!tls1_change_cipher_state(hs, direction: evp_aead_open)) {
1775	return ssl_hs_error;
1776	}
1777
1778	hs->state = state_read_server_finished;
1779	return ssl_hs_ok;
1780	}
1781
1782	static enum ssl_hs_wait_t do_read_server_finished(SSL_HANDSHAKE *hs) {
1783	SSL *const ssl = hs->ssl;
1784	enum ssl_hs_wait_t wait = ssl_get_finished(hs);
1785	if (wait != ssl_hs_ok) {
1786	return wait;
1787	}
1788
1789	if (ssl->session != NULL) {
1790	hs->state = state_send_client_finished;
1791	return ssl_hs_ok;
1792	}
1793
1794	hs->state = state_finish_client_handshake;
1795	return ssl_hs_ok;
1796	}
1797
1798	static enum ssl_hs_wait_t do_finish_client_handshake(SSL_HANDSHAKE *hs) {
1799	SSL *const ssl = hs->ssl;
1800	if (ssl->s3->ech_status == ssl_ech_rejected) {
1801	// Release the retry configs.
1802	hs->ech_authenticated_reject = true;
1803	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ECH_REQUIRED);
1804	OPENSSL_PUT_ERROR(SSL, SSL_R_ECH_REJECTED);
1805	return ssl_hs_error;
1806	}
1807
1808	ssl->method->on_handshake_complete(ssl);
1809
1810	// Note TLS 1.2 resumptions with ticket renewal have both |ssl->session| (the
1811	// resumed session) and |hs->new_session| (the session with the new ticket).
1812	bool has_new_session = hs->new_session != nullptr;
1813	if (has_new_session) {
1814	// When False Start is enabled, the handshake reports completion early. The
1815	// caller may then have passed the (then unresuable) |hs->new_session| to
1816	// another thread via |SSL_get0_session| for resumption. To avoid potential
1817	// race conditions in such callers, we duplicate the session before
1818	// clearing |not_resumable|.
1819	ssl->s3->established_session =
1820	SSL_SESSION_dup(session: hs->new_session.get(), SSL_SESSION_DUP_ALL);
1821	if (!ssl->s3->established_session) {
1822	return ssl_hs_error;
1823	}
1824	// Renegotiations do not participate in session resumption.
1825	if (!ssl->s3->initial_handshake_complete) {
1826	ssl->s3->established_session->not_resumable = false;
1827	}
1828
1829	hs->new_session.reset();
1830	} else {
1831	assert(ssl->session != nullptr);
1832	ssl->s3->established_session = UpRef(ptr: ssl->session);
1833	}
1834
1835	hs->handshake_finalized = true;
1836	ssl->s3->initial_handshake_complete = true;
1837	if (has_new_session) {
1838	ssl_update_cache(ssl);
1839	}
1840
1841	hs->state = state_done;
1842	return ssl_hs_ok;
1843	}
1844
1845	enum ssl_hs_wait_t ssl_client_handshake(SSL_HANDSHAKE *hs) {
1846	while (hs->state != state_done) {
1847	enum ssl_hs_wait_t ret = ssl_hs_error;
1848	enum ssl_client_hs_state_t state =
1849	static_cast<enum ssl_client_hs_state_t>(hs->state);
1850	switch (state) {
1851	case state_start_connect:
1852	ret = do_start_connect(hs);
1853	break;
1854	case state_enter_early_data:
1855	ret = do_enter_early_data(hs);
1856	break;
1857	case state_early_reverify_server_certificate:
1858	ret = do_early_reverify_server_certificate(hs);
1859	break;
1860	case state_read_hello_verify_request:
1861	ret = do_read_hello_verify_request(hs);
1862	break;
1863	case state_read_server_hello:
1864	ret = do_read_server_hello(hs);
1865	break;
1866	case state_tls13:
1867	ret = do_tls13(hs);
1868	break;
1869	case state_read_server_certificate:
1870	ret = do_read_server_certificate(hs);
1871	break;
1872	case state_read_certificate_status:
1873	ret = do_read_certificate_status(hs);
1874	break;
1875	case state_verify_server_certificate:
1876	ret = do_verify_server_certificate(hs);
1877	break;
1878	case state_reverify_server_certificate:
1879	ret = do_reverify_server_certificate(hs);
1880	break;
1881	case state_read_server_key_exchange:
1882	ret = do_read_server_key_exchange(hs);
1883	break;
1884	case state_read_certificate_request:
1885	ret = do_read_certificate_request(hs);
1886	break;
1887	case state_read_server_hello_done:
1888	ret = do_read_server_hello_done(hs);
1889	break;
1890	case state_send_client_certificate:
1891	ret = do_send_client_certificate(hs);
1892	break;
1893	case state_send_client_key_exchange:
1894	ret = do_send_client_key_exchange(hs);
1895	break;
1896	case state_send_client_certificate_verify:
1897	ret = do_send_client_certificate_verify(hs);
1898	break;
1899	case state_send_client_finished:
1900	ret = do_send_client_finished(hs);
1901	break;
1902	case state_finish_flight:
1903	ret = do_finish_flight(hs);
1904	break;
1905	case state_read_session_ticket:
1906	ret = do_read_session_ticket(hs);
1907	break;
1908	case state_process_change_cipher_spec:
1909	ret = do_process_change_cipher_spec(hs);
1910	break;
1911	case state_read_server_finished:
1912	ret = do_read_server_finished(hs);
1913	break;
1914	case state_finish_client_handshake:
1915	ret = do_finish_client_handshake(hs);
1916	break;
1917	case state_done:
1918	ret = ssl_hs_ok;
1919	break;
1920	}
1921
1922	if (hs->state != state) {
1923	ssl_do_info_callback(ssl: hs->ssl, SSL_CB_CONNECT_LOOP, value: 1);
1924	}
1925
1926	if (ret != ssl_hs_ok) {
1927	return ret;
1928	}
1929	}
1930
1931	ssl_do_info_callback(ssl: hs->ssl, SSL_CB_HANDSHAKE_DONE, value: 1);
1932	return ssl_hs_ok;
1933	}
1934
1935	const char *ssl_client_handshake_state(SSL_HANDSHAKE *hs) {
1936	enum ssl_client_hs_state_t state =
1937	static_cast<enum ssl_client_hs_state_t>(hs->state);
1938	switch (state) {
1939	case state_start_connect:
1940	return "TLS client start_connect";
1941	case state_enter_early_data:
1942	return "TLS client enter_early_data";
1943	case state_early_reverify_server_certificate:
1944	return "TLS client early_reverify_server_certificate";
1945	case state_read_hello_verify_request:
1946	return "TLS client read_hello_verify_request";
1947	case state_read_server_hello:
1948	return "TLS client read_server_hello";
1949	case state_tls13:
1950	return tls13_client_handshake_state(hs);
1951	case state_read_server_certificate:
1952	return "TLS client read_server_certificate";
1953	case state_read_certificate_status:
1954	return "TLS client read_certificate_status";
1955	case state_verify_server_certificate:
1956	return "TLS client verify_server_certificate";
1957	case state_reverify_server_certificate:
1958	return "TLS client reverify_server_certificate";
1959	case state_read_server_key_exchange:
1960	return "TLS client read_server_key_exchange";
1961	case state_read_certificate_request:
1962	return "TLS client read_certificate_request";
1963	case state_read_server_hello_done:
1964	return "TLS client read_server_hello_done";
1965	case state_send_client_certificate:
1966	return "TLS client send_client_certificate";
1967	case state_send_client_key_exchange:
1968	return "TLS client send_client_key_exchange";
1969	case state_send_client_certificate_verify:
1970	return "TLS client send_client_certificate_verify";
1971	case state_send_client_finished:
1972	return "TLS client send_client_finished";
1973	case state_finish_flight:
1974	return "TLS client finish_flight";
1975	case state_read_session_ticket:
1976	return "TLS client read_session_ticket";
1977	case state_process_change_cipher_spec:
1978	return "TLS client process_change_cipher_spec";
1979	case state_read_server_finished:
1980	return "TLS client read_server_finished";
1981	case state_finish_client_handshake:
1982	return "TLS client finish_client_handshake";
1983	case state_done:
1984	return "TLS client done";
1985	}
1986
1987	return "TLS client unknown";
1988	}
1989
1990	BSSL_NAMESPACE_END
1991