/src/gnutls/lib/handshake-tls13.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2017-2018 Red Hat, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GnuTLS. |
7 | | * |
8 | | * The GnuTLS is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | /* Functions that relate to the TLS handshake procedure. |
24 | | */ |
25 | | |
26 | | #include "gnutls_int.h" |
27 | | #include "errors.h" |
28 | | #include "dh.h" |
29 | | #include "debug.h" |
30 | | #include "algorithms.h" |
31 | | #include "cipher.h" |
32 | | #include "buffers.h" |
33 | | #include "mbuffers.h" |
34 | | #include "kx.h" |
35 | | #include "handshake.h" |
36 | | #include "num.h" |
37 | | #include "hash_int.h" |
38 | | #include "db.h" |
39 | | #include "hello_ext.h" |
40 | | #include "supplemental.h" |
41 | | #include "auth.h" |
42 | | #include "sslv2_compat.h" |
43 | | #include <auth/cert.h> |
44 | | #include "constate.h" |
45 | | #include <record.h> |
46 | | #include <state.h> |
47 | | #include <random.h> |
48 | | #include <dtls.h> |
49 | | #include "secrets.h" |
50 | | #include "tls13/hello_retry.h" |
51 | | #include "tls13/encrypted_extensions.h" |
52 | | #include "tls13/certificate_request.h" |
53 | | #include "tls13/certificate_verify.h" |
54 | | #include "tls13/certificate.h" |
55 | | #include "tls13/early_data.h" |
56 | | #include "tls13/finished.h" |
57 | | #include "tls13/key_update.h" |
58 | | #include "ext/pre_shared_key.h" |
59 | | #include "locks.h" |
60 | | |
61 | | static int generate_rms_keys(gnutls_session_t session); |
62 | | static int generate_hs_traffic_keys(gnutls_session_t session); |
63 | | static int generate_ap_traffic_keys(gnutls_session_t session); |
64 | | |
65 | | #define SAVE_TRANSCRIPT \ |
66 | 0 | if (session->internals.flags & GNUTLS_POST_HANDSHAKE_AUTH) { \ |
67 | 0 | /* If post-handshake auth is in use we need a copy of the original \ |
68 | 0 | * handshake transcript */ \ |
69 | 0 | memcpy( &session->internals.post_handshake_hash_buffer, \ |
70 | 0 | &session->internals.handshake_hash_buffer, \ |
71 | 0 | sizeof(session->internals.handshake_hash_buffer)); \ |
72 | 0 | _gnutls_buffer_init(&session->internals.handshake_hash_buffer); \ |
73 | 0 | } |
74 | | |
75 | | /* |
76 | | * _gnutls13_handshake_client |
77 | | * This function performs the client side of the handshake of the TLS/SSL protocol. |
78 | | */ |
79 | | int _gnutls13_handshake_client(gnutls_session_t session) |
80 | 0 | { |
81 | 0 | int ret = 0; |
82 | |
|
83 | 0 | switch (STATE) { |
84 | 0 | case STATE99: |
85 | 0 | case STATE100: |
86 | 0 | #ifdef TLS13_APPENDIX_D4 |
87 | 0 | if (session->internals.priorities->tls13_compat_mode && |
88 | | /* Key change is indicated by sending an EndOfEarlyData below */ |
89 | 0 | !(session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT)) { |
90 | | /* We send it before keys are generated. That works because CCS |
91 | | * is always being cached and queued and not being sent directly */ |
92 | 0 | ret = |
93 | 0 | _gnutls_send_change_cipher_spec(session, |
94 | 0 | AGAIN(STATE100)); |
95 | 0 | STATE = STATE100; |
96 | 0 | IMED_RET("send change cipher spec", ret, 0); |
97 | 0 | } |
98 | 0 | #endif |
99 | 0 | FALLTHROUGH; |
100 | 0 | case STATE101: |
101 | 0 | STATE = STATE101; |
102 | 0 | ret = generate_hs_traffic_keys(session); |
103 | | /* Note that we check IN_FLIGHT, not ACCEPTED |
104 | | * here. This is because the client sends early data |
105 | | * speculatively. */ |
106 | 0 | IMED_RET_FATAL("generate hs traffic keys", ret, 0); |
107 | 0 | if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) |
108 | 0 | ret = |
109 | 0 | _tls13_read_connection_state_init(session, |
110 | 0 | STAGE_HS); |
111 | 0 | else |
112 | 0 | ret = _tls13_connection_state_init(session, STAGE_HS); |
113 | 0 | IMED_RET_FATAL("set hs traffic keys", ret, 0); |
114 | 0 | FALLTHROUGH; |
115 | 0 | case STATE102: |
116 | 0 | ret = _gnutls13_recv_encrypted_extensions(session); |
117 | 0 | STATE = STATE102; |
118 | 0 | IMED_RET("recv encrypted extensions", ret, 0); |
119 | 0 | FALLTHROUGH; |
120 | 0 | case STATE103: |
121 | 0 | ret = _gnutls13_recv_certificate_request(session); |
122 | 0 | STATE = STATE103; |
123 | 0 | IMED_RET("recv certificate request", ret, 0); |
124 | 0 | FALLTHROUGH; |
125 | 0 | case STATE104: |
126 | 0 | ret = _gnutls13_recv_certificate(session); |
127 | 0 | STATE = STATE104; |
128 | 0 | IMED_RET("recv certificate", ret, 0); |
129 | 0 | FALLTHROUGH; |
130 | 0 | case STATE105: |
131 | 0 | ret = _gnutls13_recv_certificate_verify(session); |
132 | 0 | STATE = STATE105; |
133 | 0 | IMED_RET("recv server certificate verify", ret, 0); |
134 | 0 | FALLTHROUGH; |
135 | 0 | case STATE106: |
136 | 0 | ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT); |
137 | 0 | STATE = STATE106; |
138 | 0 | if (ret < 0) |
139 | 0 | return gnutls_assert_val(ret); |
140 | 0 | FALLTHROUGH; |
141 | 0 | case STATE107: |
142 | 0 | ret = _gnutls13_recv_finished(session); |
143 | 0 | STATE = STATE107; |
144 | 0 | IMED_RET("recv finished", ret, 0); |
145 | 0 | FALLTHROUGH; |
146 | 0 | case STATE108: |
147 | 0 | ret = |
148 | 0 | _gnutls13_send_end_of_early_data(session, AGAIN(STATE108)); |
149 | 0 | STATE = STATE108; |
150 | 0 | IMED_RET("send end of early data", ret, 0); |
151 | | |
152 | | /* Note that we check IN_FLIGHT, not ACCEPTED |
153 | | * here. This is because the client sends early data |
154 | | * speculatively. */ |
155 | 0 | if (session->internals.hsk_flags & HSK_EARLY_DATA_IN_FLIGHT) { |
156 | 0 | session->internals.hsk_flags &= |
157 | 0 | ~HSK_EARLY_DATA_IN_FLIGHT; |
158 | 0 | ret = |
159 | 0 | _tls13_write_connection_state_init(session, |
160 | 0 | STAGE_HS); |
161 | 0 | IMED_RET_FATAL |
162 | 0 | ("set hs traffic key after sending early data", ret, |
163 | 0 | 0); |
164 | 0 | } |
165 | 0 | FALLTHROUGH; |
166 | 0 | case STATE109: |
167 | 0 | ret = _gnutls13_send_certificate(session, AGAIN(STATE109)); |
168 | 0 | STATE = STATE109; |
169 | 0 | IMED_RET("send certificate", ret, 0); |
170 | 0 | FALLTHROUGH; |
171 | 0 | case STATE110: |
172 | 0 | ret = |
173 | 0 | _gnutls13_send_certificate_verify(session, AGAIN(STATE110)); |
174 | 0 | STATE = STATE110; |
175 | 0 | IMED_RET("send certificate verify", ret, 0); |
176 | 0 | FALLTHROUGH; |
177 | 0 | case STATE111: |
178 | 0 | ret = _gnutls13_send_finished(session, AGAIN(STATE111)); |
179 | 0 | STATE = STATE111; |
180 | 0 | IMED_RET("send finished", ret, 0); |
181 | 0 | FALLTHROUGH; |
182 | 0 | case STATE112: |
183 | 0 | STATE = STATE112; |
184 | |
|
185 | 0 | ret = generate_ap_traffic_keys(session); |
186 | 0 | IMED_RET_FATAL("generate app keys", ret, 0); |
187 | | |
188 | 0 | ret = generate_rms_keys(session); |
189 | 0 | IMED_RET_FATAL("generate rms keys", ret, 0); |
190 | | |
191 | | /* set traffic keys */ |
192 | 0 | ret = _tls13_connection_state_init(session, STAGE_APP); |
193 | 0 | IMED_RET_FATAL("set app keys", ret, 0); |
194 | | |
195 | 0 | STATE = STATE0; |
196 | 0 | break; |
197 | 0 | default: |
198 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
199 | 0 | } |
200 | | |
201 | | /* no lock of post_negotiation_lock is required here as this is not run |
202 | | * after handshake */ |
203 | 0 | session->internals.recv_state = RECV_STATE_0; |
204 | 0 | session->internals.initial_negotiation_completed = 1; |
205 | |
|
206 | 0 | SAVE_TRANSCRIPT; |
207 | |
|
208 | 0 | if (session->internals.resumed) |
209 | 0 | _gnutls_set_resumed_parameters(session); |
210 | |
|
211 | 0 | return 0; |
212 | 0 | } |
213 | | |
214 | | static int generate_non_auth_rms_keys(gnutls_session_t session) |
215 | 0 | { |
216 | 0 | int ret; |
217 | | /* we simulate client finished */ |
218 | 0 | uint8_t finished[MAX_HASH_SIZE + TLS_HANDSHAKE_HEADER_SIZE]; |
219 | 0 | unsigned spos; |
220 | |
|
221 | 0 | ret = _gnutls13_compute_finished(session->security_parameters.prf, |
222 | 0 | session->key.proto.tls13.hs_ckey, |
223 | 0 | &session-> |
224 | 0 | internals.handshake_hash_buffer, |
225 | 0 | finished + TLS_HANDSHAKE_HEADER_SIZE); |
226 | 0 | if (ret < 0) |
227 | 0 | return gnutls_assert_val(ret); |
228 | | |
229 | 0 | spos = session->internals.handshake_hash_buffer.length; |
230 | |
|
231 | 0 | finished[0] = GNUTLS_HANDSHAKE_FINISHED; |
232 | 0 | _gnutls_write_uint24(session->security_parameters.prf->output_size, |
233 | 0 | finished + 1); |
234 | |
|
235 | 0 | ret = |
236 | 0 | _gnutls_buffer_append_data(&session-> |
237 | 0 | internals.handshake_hash_buffer, |
238 | 0 | finished, |
239 | 0 | TLS_HANDSHAKE_HEADER_SIZE + |
240 | 0 | session->security_parameters. |
241 | 0 | prf->output_size); |
242 | 0 | if (ret < 0) |
243 | 0 | return gnutls_assert_val(ret); |
244 | | |
245 | 0 | ret = |
246 | 0 | _tls13_derive_secret(session, RMS_MASTER_LABEL, |
247 | 0 | sizeof(RMS_MASTER_LABEL) - 1, |
248 | 0 | session->internals.handshake_hash_buffer.data, |
249 | 0 | session->internals. |
250 | 0 | handshake_hash_buffer.length, |
251 | 0 | session->key.proto.tls13.temp_secret, |
252 | 0 | session->key.proto.tls13.ap_rms); |
253 | 0 | if (ret < 0) |
254 | 0 | return gnutls_assert_val(ret); |
255 | | |
256 | 0 | session->internals.handshake_hash_buffer.length = spos; |
257 | |
|
258 | 0 | return 0; |
259 | 0 | } |
260 | | |
261 | | static int generate_rms_keys(gnutls_session_t session) |
262 | 0 | { |
263 | 0 | int ret; |
264 | |
|
265 | 0 | ret = |
266 | 0 | _tls13_derive_secret(session, RMS_MASTER_LABEL, |
267 | 0 | sizeof(RMS_MASTER_LABEL) - 1, |
268 | 0 | session->internals.handshake_hash_buffer.data, |
269 | 0 | session-> |
270 | 0 | internals.handshake_hash_buffer_client_finished_len, |
271 | 0 | session->key.proto.tls13.temp_secret, |
272 | 0 | session->key.proto.tls13.ap_rms); |
273 | 0 | if (ret < 0) |
274 | 0 | return gnutls_assert_val(ret); |
275 | | |
276 | 0 | return 0; |
277 | 0 | } |
278 | | |
279 | | static int generate_ap_traffic_keys(gnutls_session_t session) |
280 | 0 | { |
281 | 0 | int ret; |
282 | 0 | uint8_t zero[MAX_HASH_SIZE]; |
283 | |
|
284 | 0 | ret = |
285 | 0 | _tls13_derive_secret(session, DERIVED_LABEL, |
286 | 0 | sizeof(DERIVED_LABEL) - 1, NULL, 0, |
287 | 0 | session->key.proto.tls13.temp_secret, |
288 | 0 | session->key.proto.tls13.temp_secret); |
289 | 0 | if (ret < 0) |
290 | 0 | return gnutls_assert_val(ret); |
291 | | |
292 | 0 | memset(zero, 0, session->security_parameters.prf->output_size); |
293 | 0 | ret = |
294 | 0 | _tls13_update_secret(session, zero, |
295 | 0 | session->security_parameters.prf->output_size); |
296 | 0 | if (ret < 0) |
297 | 0 | return gnutls_assert_val(ret); |
298 | | |
299 | 0 | ret = |
300 | 0 | _tls13_derive_secret(session, EXPORTER_MASTER_LABEL, |
301 | 0 | sizeof(EXPORTER_MASTER_LABEL) - 1, |
302 | 0 | session->internals.handshake_hash_buffer.data, |
303 | 0 | session-> |
304 | 0 | internals.handshake_hash_buffer_server_finished_len, |
305 | 0 | session->key.proto.tls13.temp_secret, |
306 | 0 | session->key.proto.tls13.ap_expkey); |
307 | 0 | if (ret < 0) |
308 | 0 | return gnutls_assert_val(ret); |
309 | | |
310 | 0 | ret = _gnutls_call_keylog_func(session, "EXPORTER_SECRET", |
311 | 0 | session->key.proto.tls13.ap_expkey, |
312 | 0 | session->security_parameters. |
313 | 0 | prf->output_size); |
314 | 0 | if (ret < 0) |
315 | 0 | return gnutls_assert_val(ret); |
316 | | |
317 | 0 | _gnutls_epoch_bump(session); |
318 | 0 | ret = _gnutls_epoch_dup(session, EPOCH_READ_CURRENT); |
319 | 0 | if (ret < 0) |
320 | 0 | return gnutls_assert_val(ret); |
321 | | |
322 | 0 | return 0; |
323 | 0 | } |
324 | | |
325 | | static int generate_hs_traffic_keys(gnutls_session_t session) |
326 | 0 | { |
327 | 0 | int ret; |
328 | 0 | unsigned null_key = 0; |
329 | |
|
330 | 0 | if (unlikely(session->key.proto.tls13.temp_secret_size == 0)) |
331 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
332 | | |
333 | 0 | ret = |
334 | 0 | _tls13_derive_secret(session, DERIVED_LABEL, |
335 | 0 | sizeof(DERIVED_LABEL) - 1, NULL, 0, |
336 | 0 | session->key.proto.tls13.temp_secret, |
337 | 0 | session->key.proto.tls13.temp_secret); |
338 | 0 | if (ret < 0) { |
339 | 0 | gnutls_assert(); |
340 | 0 | return ret; |
341 | 0 | } |
342 | | |
343 | 0 | if ((session->security_parameters.entity == GNUTLS_CLIENT && |
344 | 0 | (!(session->internals.hsk_flags & HSK_KEY_SHARE_RECEIVED) || |
345 | 0 | (!(session->internals.hsk_flags & HSK_PSK_KE_MODE_DHE_PSK) && |
346 | 0 | session->internals.resumed))) || |
347 | 0 | (session->security_parameters.entity == GNUTLS_SERVER && |
348 | 0 | !(session->internals.hsk_flags & HSK_KEY_SHARE_SENT))) { |
349 | |
|
350 | 0 | if ((session->internals.hsk_flags & HSK_PSK_SELECTED) && |
351 | 0 | (session->internals.hsk_flags & HSK_PSK_KE_MODE_PSK)) { |
352 | 0 | null_key = 1; |
353 | 0 | } |
354 | 0 | } |
355 | |
|
356 | 0 | if (null_key) { |
357 | 0 | uint8_t digest[MAX_HASH_SIZE]; |
358 | 0 | unsigned digest_size; |
359 | |
|
360 | 0 | if (unlikely(session->security_parameters.prf == NULL)) |
361 | 0 | return |
362 | 0 | gnutls_assert_val |
363 | 0 | (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
364 | | |
365 | 0 | digest_size = session->security_parameters.prf->output_size; |
366 | 0 | memset(digest, 0, digest_size); |
367 | |
|
368 | 0 | ret = _tls13_update_secret(session, digest, digest_size); |
369 | 0 | if (ret < 0) { |
370 | 0 | gnutls_assert(); |
371 | 0 | return ret; |
372 | 0 | } |
373 | 0 | } else { |
374 | 0 | if (unlikely(session->key.key.size == 0)) |
375 | 0 | return |
376 | 0 | gnutls_assert_val |
377 | 0 | (GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER); |
378 | | |
379 | 0 | ret = |
380 | 0 | _tls13_update_secret(session, session->key.key.data, |
381 | 0 | session->key.key.size); |
382 | 0 | if (ret < 0) { |
383 | 0 | gnutls_assert(); |
384 | 0 | return ret; |
385 | 0 | } |
386 | 0 | } |
387 | | |
388 | 0 | return 0; |
389 | 0 | } |
390 | | |
391 | | /* |
392 | | * _gnutls13_handshake_server |
393 | | * This function does the server stuff of the handshake protocol. |
394 | | */ |
395 | | int _gnutls13_handshake_server(gnutls_session_t session) |
396 | 0 | { |
397 | 0 | int ret = 0; |
398 | |
|
399 | 0 | switch (STATE) { |
400 | 0 | case STATE90: |
401 | 0 | ret = |
402 | 0 | _gnutls13_handshake_hash_buffers_synth(session, |
403 | 0 | session->security_parameters.prf, |
404 | 0 | 0); |
405 | 0 | STATE = STATE90; |
406 | 0 | IMED_RET_FATAL("reset handshake buffers", ret, 0); |
407 | 0 | FALLTHROUGH; |
408 | 0 | case STATE91: |
409 | 0 | ret = |
410 | 0 | _gnutls13_send_hello_retry_request(session, AGAIN(STATE91)); |
411 | 0 | STATE = STATE91; |
412 | 0 | IMED_RET("send hello retry request", ret, 0); |
413 | 0 | FALLTHROUGH; |
414 | 0 | case STATE92: |
415 | 0 | #ifdef TLS13_APPENDIX_D4 |
416 | 0 | if (session->internals.priorities->tls13_compat_mode) { |
417 | 0 | ret = |
418 | 0 | _gnutls_send_change_cipher_spec(session, |
419 | 0 | AGAIN(STATE92)); |
420 | 0 | STATE = STATE92; |
421 | 0 | IMED_RET("send change cipher spec", ret, 0); |
422 | 0 | } |
423 | 0 | #endif |
424 | 0 | FALLTHROUGH; |
425 | 0 | case STATE93: |
426 | 0 | ret = |
427 | 0 | _gnutls_recv_handshake(session, |
428 | 0 | GNUTLS_HANDSHAKE_CLIENT_HELLO, |
429 | 0 | 0, NULL); |
430 | 0 | if (ret == GNUTLS_E_INT_RET_0) { |
431 | | /* this is triggered by post_client_hello, and instructs the |
432 | | * handshake to proceed but be put on hold */ |
433 | 0 | ret = GNUTLS_E_INTERRUPTED; |
434 | 0 | STATE = STATE94; /* hello already parsed -> move to next state */ |
435 | 0 | } else { |
436 | 0 | STATE = STATE93; |
437 | 0 | } |
438 | |
|
439 | 0 | IMED_RET("recv client hello", ret, 0); |
440 | 0 | FALLTHROUGH; |
441 | 0 | case STATE94: |
442 | 0 | ret = _gnutls_send_server_hello(session, AGAIN(STATE94)); |
443 | 0 | STATE = STATE94; |
444 | 0 | IMED_RET("send hello", ret, 0); |
445 | 0 | FALLTHROUGH; |
446 | 0 | case STATE99: |
447 | 0 | case STATE100: |
448 | 0 | #ifdef TLS13_APPENDIX_D4 |
449 | | /* don't send CCS twice: when HRR has already been |
450 | | * sent, CCS should have followed it (see above) */ |
451 | 0 | if (session->internals.priorities->tls13_compat_mode && |
452 | 0 | !(session->internals.hsk_flags & HSK_HRR_SENT)) { |
453 | 0 | ret = |
454 | 0 | _gnutls_send_change_cipher_spec(session, |
455 | 0 | AGAIN(STATE100)); |
456 | 0 | STATE = STATE100; |
457 | 0 | IMED_RET("send change cipher spec", ret, 0); |
458 | 0 | } |
459 | 0 | #endif |
460 | 0 | FALLTHROUGH; |
461 | 0 | case STATE101: |
462 | 0 | STATE = STATE101; |
463 | |
|
464 | 0 | ret = generate_hs_traffic_keys(session); |
465 | 0 | IMED_RET_FATAL("generate hs traffic keys", ret, 0); |
466 | | |
467 | 0 | if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) { |
468 | 0 | ret = |
469 | 0 | _tls13_write_connection_state_init(session, |
470 | 0 | STAGE_HS); |
471 | 0 | } else { |
472 | 0 | ret = _tls13_connection_state_init(session, STAGE_HS); |
473 | 0 | } |
474 | 0 | IMED_RET_FATAL("set hs traffic keys", ret, 0); |
475 | 0 | FALLTHROUGH; |
476 | 0 | case STATE102: |
477 | 0 | ret = |
478 | 0 | _gnutls13_send_encrypted_extensions(session, |
479 | 0 | AGAIN(STATE102)); |
480 | 0 | STATE = STATE102; |
481 | 0 | IMED_RET("send encrypted extensions", ret, 0); |
482 | 0 | FALLTHROUGH; |
483 | 0 | case STATE103: |
484 | 0 | ret = |
485 | 0 | _gnutls13_send_certificate_request(session, |
486 | 0 | AGAIN(STATE103)); |
487 | 0 | STATE = STATE103; |
488 | 0 | IMED_RET("send certificate request", ret, 0); |
489 | 0 | FALLTHROUGH; |
490 | 0 | case STATE104: |
491 | 0 | ret = _gnutls13_send_certificate(session, AGAIN(STATE104)); |
492 | 0 | STATE = STATE104; |
493 | 0 | IMED_RET("send certificate", ret, 0); |
494 | 0 | FALLTHROUGH; |
495 | 0 | case STATE105: |
496 | 0 | ret = |
497 | 0 | _gnutls13_send_certificate_verify(session, AGAIN(STATE105)); |
498 | 0 | STATE = STATE105; |
499 | 0 | IMED_RET("send certificate verify", ret, 0); |
500 | 0 | FALLTHROUGH; |
501 | 0 | case STATE106: |
502 | 0 | ret = _gnutls13_send_finished(session, AGAIN(STATE106)); |
503 | 0 | STATE = STATE106; |
504 | 0 | IMED_RET("send finished", ret, 0); |
505 | 0 | FALLTHROUGH; |
506 | 0 | case STATE107: |
507 | 0 | ret = _gnutls13_recv_end_of_early_data(session); |
508 | 0 | STATE = STATE107; |
509 | 0 | IMED_RET("recv end of early data", ret, 0); |
510 | | |
511 | 0 | if (session->internals.hsk_flags & HSK_EARLY_DATA_ACCEPTED) { |
512 | 0 | ret = |
513 | 0 | _tls13_read_connection_state_init(session, |
514 | 0 | STAGE_HS); |
515 | 0 | IMED_RET_FATAL |
516 | 0 | ("set hs traffic key after receiving early data", |
517 | 0 | ret, 0); |
518 | 0 | } |
519 | 0 | FALLTHROUGH; |
520 | 0 | case STATE108: |
521 | | /* At this point our sending keys should be the app keys |
522 | | * see 4.4.4 at draft-ietf-tls-tls13-28 */ |
523 | 0 | ret = generate_ap_traffic_keys(session); |
524 | 0 | IMED_RET_FATAL("generate app keys", ret, 0); |
525 | | |
526 | | /* If the session is unauthenticated, try to optimize the handshake by |
527 | | * sending the session ticket early. */ |
528 | 0 | if (! |
529 | 0 | (session->internals.hsk_flags & (HSK_CRT_REQ_SENT | |
530 | 0 | HSK_PSK_SELECTED))) { |
531 | 0 | STATE = STATE108; |
532 | |
|
533 | 0 | ret = generate_non_auth_rms_keys(session); |
534 | 0 | IMED_RET_FATAL("generate rms keys", ret, 0); |
535 | | |
536 | 0 | session->internals.hsk_flags |= HSK_EARLY_START_USED; |
537 | 0 | _gnutls_handshake_log |
538 | 0 | ("HSK[%p]: unauthenticated session eligible for early start\n", |
539 | 0 | session); |
540 | 0 | } |
541 | | |
542 | 0 | ret = _tls13_write_connection_state_init(session, STAGE_APP); |
543 | 0 | IMED_RET_FATAL("set write app keys", ret, 0); |
544 | | |
545 | 0 | _gnutls_handshake_log |
546 | 0 | ("HSK[%p]: switching early to application traffic keys\n", |
547 | 0 | session); |
548 | |
|
549 | 0 | FALLTHROUGH; |
550 | 0 | case STATE109: |
551 | 0 | if (session->internals.resumed) |
552 | 0 | _gnutls_set_resumed_parameters(session); |
553 | |
|
554 | 0 | if (session->internals.hsk_flags & HSK_EARLY_START_USED) { |
555 | 0 | if (! |
556 | 0 | (session-> |
557 | 0 | internals.flags & GNUTLS_NO_AUTO_SEND_TICKET) |
558 | 0 | && _gnutls13_can_send_session_ticket(session)) { |
559 | 0 | ret = |
560 | 0 | _gnutls13_send_session_ticket(session, |
561 | 0 | TLS13_TICKETS_TO_SEND, |
562 | 0 | AGAIN |
563 | 0 | (STATE109)); |
564 | 0 | } |
565 | |
|
566 | 0 | STATE = STATE109; |
567 | 0 | IMED_RET("send session ticket", ret, 0); |
568 | | |
569 | | /* complete this phase of the handshake. We |
570 | | * should be called again by gnutls_record_recv() |
571 | | */ |
572 | | |
573 | 0 | if (session-> |
574 | 0 | internals.flags & GNUTLS_ENABLE_EARLY_START) { |
575 | 0 | STATE = STATE113; /* finished */ |
576 | 0 | gnutls_assert(); |
577 | |
|
578 | 0 | session->internals.recv_state = |
579 | 0 | RECV_STATE_EARLY_START; |
580 | 0 | return 0; |
581 | 0 | } |
582 | 0 | } |
583 | 0 | FALLTHROUGH; |
584 | 0 | case STATE110: |
585 | 0 | ret = _gnutls13_recv_certificate(session); |
586 | 0 | STATE = STATE110; |
587 | 0 | IMED_RET("recv certificate", ret, 0); |
588 | 0 | FALLTHROUGH; |
589 | 0 | case STATE111: |
590 | 0 | ret = _gnutls13_recv_certificate_verify(session); |
591 | 0 | STATE = STATE111; |
592 | 0 | IMED_RET("recv certificate verify", ret, 0); |
593 | 0 | FALLTHROUGH; |
594 | 0 | case STATE112: |
595 | 0 | ret = _gnutls_run_verify_callback(session, GNUTLS_CLIENT); |
596 | 0 | STATE = STATE112; |
597 | 0 | if (ret < 0) |
598 | 0 | return gnutls_assert_val(ret); |
599 | 0 | FALLTHROUGH; |
600 | 0 | case STATE113: /* can enter from STATE109 */ |
601 | 0 | ret = _gnutls13_recv_finished(session); |
602 | 0 | STATE = STATE113; |
603 | 0 | IMED_RET("recv finished", ret, 0); |
604 | 0 | FALLTHROUGH; |
605 | 0 | case STATE114: |
606 | | /* If we did request a client certificate, then we can |
607 | | * only send the tickets here */ |
608 | 0 | STATE = STATE114; |
609 | |
|
610 | 0 | if (!(session->internals.hsk_flags & HSK_EARLY_START_USED)) { |
611 | 0 | ret = generate_rms_keys(session); |
612 | 0 | IMED_RET_FATAL("generate rms keys", ret, 0); |
613 | 0 | } |
614 | | |
615 | 0 | ret = _tls13_read_connection_state_init(session, STAGE_APP); |
616 | 0 | IMED_RET_FATAL("set read app keys", ret, 0); |
617 | |
|
618 | 0 | FALLTHROUGH; |
619 | 0 | case STATE115: |
620 | 0 | if (! |
621 | 0 | (session->internals.hsk_flags & (HSK_TLS13_TICKET_SENT | |
622 | 0 | HSK_EARLY_START_USED)) |
623 | 0 | && !(session->internals.flags & GNUTLS_NO_AUTO_SEND_TICKET) |
624 | 0 | && _gnutls13_can_send_session_ticket(session)) { |
625 | 0 | ret = |
626 | 0 | _gnutls13_send_session_ticket(session, |
627 | 0 | TLS13_TICKETS_TO_SEND, |
628 | 0 | AGAIN(STATE115)); |
629 | 0 | STATE = STATE115; |
630 | 0 | IMED_RET("send session ticket", ret, 0); |
631 | 0 | } |
632 | | |
633 | 0 | STATE = STATE0; |
634 | 0 | break; |
635 | 0 | default: |
636 | 0 | return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); |
637 | 0 | } |
638 | | |
639 | | /* explicitly reset any early start flags */ |
640 | 0 | gnutls_mutex_lock(&session->internals.post_negotiation_lock); |
641 | 0 | session->internals.recv_state = RECV_STATE_0; |
642 | 0 | session->internals.initial_negotiation_completed = 1; |
643 | 0 | gnutls_mutex_unlock(&session->internals.post_negotiation_lock); |
644 | |
|
645 | 0 | SAVE_TRANSCRIPT; |
646 | |
|
647 | 0 | return 0; |
648 | 0 | } |
649 | | |
650 | | /* Processes handshake messages received asynchronously after initial handshake. |
651 | | * |
652 | | * It is called once per message and should return success, or a fatal error code. |
653 | | */ |
654 | | int _gnutls13_recv_async_handshake(gnutls_session_t session) |
655 | 0 | { |
656 | 0 | int ret; |
657 | 0 | handshake_buffer_st hsk; |
658 | 0 | recv_state_t next_state = RECV_STATE_0; |
659 | | |
660 | | /* The following messages are expected asynchronously after |
661 | | * the handshake process is complete */ |
662 | 0 | if (unlikely(session->internals.handshake_in_progress)) |
663 | 0 | return gnutls_assert_val(GNUTLS_E_UNEXPECTED_PACKET); |
664 | | |
665 | 0 | do { |
666 | 0 | _gnutls_handshake_buffer_init(&hsk); |
667 | | |
668 | | /* the received handshake message has already been pushed into |
669 | | * handshake buffers. As we do not need to use the handshake hash |
670 | | * buffers we call the lower level receive functions */ |
671 | 0 | ret = |
672 | 0 | _gnutls_handshake_io_recv_int(session, GNUTLS_HANDSHAKE_ANY, |
673 | 0 | &hsk, 0); |
674 | 0 | if (ret < 0) { |
675 | 0 | gnutls_assert(); |
676 | 0 | goto cleanup; |
677 | 0 | } |
678 | 0 | session->internals.last_handshake_in = hsk.htype; |
679 | |
|
680 | 0 | ret = |
681 | 0 | _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_PRE, |
682 | 0 | 1, hsk.data.data, hsk.data.length); |
683 | 0 | if (ret < 0) { |
684 | 0 | gnutls_assert(); |
685 | 0 | goto cleanup; |
686 | 0 | } |
687 | | |
688 | 0 | switch (hsk.htype) { |
689 | 0 | case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: |
690 | 0 | if (! |
691 | 0 | (session->security_parameters.entity == |
692 | 0 | GNUTLS_CLIENT) |
693 | 0 | || !(session->internals.flags & GNUTLS_POST_HANDSHAKE_AUTH)) { |
694 | 0 | ret = |
695 | 0 | gnutls_assert_val |
696 | 0 | (GNUTLS_E_UNEXPECTED_PACKET); |
697 | 0 | goto cleanup; |
698 | 0 | } |
699 | | |
700 | 0 | _gnutls_buffer_reset(&session->internals.reauth_buffer); |
701 | | |
702 | | /* include the handshake headers in reauth buffer */ |
703 | 0 | ret = |
704 | 0 | _gnutls_buffer_append_data(&session-> |
705 | 0 | internals.reauth_buffer, |
706 | 0 | hsk.header, |
707 | 0 | hsk.header_size); |
708 | 0 | if (ret < 0) { |
709 | 0 | gnutls_assert(); |
710 | 0 | goto cleanup; |
711 | 0 | } |
712 | | |
713 | 0 | ret = |
714 | 0 | _gnutls_buffer_append_data(&session-> |
715 | 0 | internals.reauth_buffer, |
716 | 0 | hsk.data.data, |
717 | 0 | hsk.data.length); |
718 | 0 | if (ret < 0) { |
719 | 0 | gnutls_assert(); |
720 | 0 | goto cleanup; |
721 | 0 | } |
722 | | |
723 | 0 | if (session->internals.flags & GNUTLS_AUTO_REAUTH) { |
724 | 0 | ret = gnutls_reauth(session, 0); |
725 | 0 | if (ret == GNUTLS_E_AGAIN |
726 | 0 | || ret == GNUTLS_E_INTERRUPTED) { |
727 | 0 | next_state = RECV_STATE_REAUTH; |
728 | 0 | } else if (ret < 0) { |
729 | 0 | gnutls_assert(); |
730 | 0 | goto cleanup; |
731 | 0 | } |
732 | 0 | } else { |
733 | | /* Application is expected to handle re-authentication |
734 | | * explicitly. */ |
735 | 0 | ret = GNUTLS_E_REAUTH_REQUEST; |
736 | 0 | } |
737 | | |
738 | 0 | goto cleanup; |
739 | | |
740 | 0 | case GNUTLS_HANDSHAKE_KEY_UPDATE: |
741 | 0 | ret = _gnutls13_recv_key_update(session, &hsk.data); |
742 | 0 | if (ret < 0) { |
743 | 0 | gnutls_assert(); |
744 | 0 | goto cleanup; |
745 | 0 | } |
746 | | |
747 | | /* Handshake messages MUST NOT span key changes, i.e., we |
748 | | * should not have any other pending handshake messages from |
749 | | * the same record. */ |
750 | 0 | if (session->internals.handshake_recv_buffer_size != 0) { |
751 | 0 | ret = |
752 | 0 | gnutls_assert_val |
753 | 0 | (GNUTLS_E_UNEXPECTED_PACKET); |
754 | 0 | goto cleanup; |
755 | 0 | } |
756 | 0 | break; |
757 | 0 | case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: |
758 | 0 | if (session->security_parameters.entity != |
759 | 0 | GNUTLS_CLIENT) { |
760 | 0 | ret = |
761 | 0 | gnutls_assert_val |
762 | 0 | (GNUTLS_E_UNEXPECTED_PACKET); |
763 | 0 | goto cleanup; |
764 | 0 | } |
765 | | |
766 | 0 | ret = _gnutls13_recv_session_ticket(session, &hsk.data); |
767 | 0 | if (ret < 0) { |
768 | 0 | gnutls_assert(); |
769 | 0 | goto cleanup; |
770 | 0 | } |
771 | | |
772 | 0 | memcpy(session->internals. |
773 | 0 | tls13_ticket.resumption_master_secret, |
774 | 0 | session->key.proto.tls13.ap_rms, |
775 | 0 | session->key.proto.tls13.temp_secret_size); |
776 | |
|
777 | 0 | session->internals.tls13_ticket.prf = |
778 | 0 | session->security_parameters.prf; |
779 | 0 | session->internals.hsk_flags |= HSK_TICKET_RECEIVED; |
780 | 0 | break; |
781 | 0 | default: |
782 | 0 | gnutls_assert(); |
783 | 0 | ret = GNUTLS_E_UNEXPECTED_PACKET; |
784 | 0 | goto cleanup; |
785 | 0 | } |
786 | | |
787 | 0 | ret = |
788 | 0 | _gnutls_call_hook_func(session, hsk.htype, GNUTLS_HOOK_POST, |
789 | 0 | 1, hsk.data.data, hsk.data.length); |
790 | 0 | if (ret < 0) { |
791 | 0 | gnutls_assert(); |
792 | 0 | goto cleanup; |
793 | 0 | } |
794 | 0 | _gnutls_handshake_buffer_clear(&hsk); |
795 | |
|
796 | 0 | } while (_gnutls_record_buffer_get_size(session) > 0); |
797 | | |
798 | 0 | session->internals.recv_state = next_state; |
799 | |
|
800 | 0 | return 0; |
801 | | |
802 | 0 | cleanup: |
803 | | /* if we have pending/partial handshake data in buffers, ensure that |
804 | | * next read will read handshake data */ |
805 | 0 | if (_gnutls_record_buffer_get_size(session) > 0) |
806 | 0 | session->internals.recv_state = RECV_STATE_ASYNC_HANDSHAKE; |
807 | 0 | else |
808 | 0 | session->internals.recv_state = next_state; |
809 | |
|
810 | 0 | _gnutls_handshake_buffer_clear(&hsk); |
811 | 0 | return ret; |
812 | 0 | } |
813 | | |
814 | | /** |
815 | | * gnutls_session_ticket_send: |
816 | | * @session: is a #gnutls_session_t type. |
817 | | * @nr: the number of tickets to send |
818 | | * @flags: must be zero |
819 | | * |
820 | | * Sends a fresh session ticket to the peer. This is relevant only |
821 | | * in server side under TLS1.3. This function may also return %GNUTLS_E_AGAIN |
822 | | * or %GNUTLS_E_INTERRUPTED and in that case it must be called again. |
823 | | * |
824 | | * Returns: %GNUTLS_E_SUCCESS on success, or a negative error code. |
825 | | **/ |
826 | | int gnutls_session_ticket_send(gnutls_session_t session, unsigned nr, |
827 | | unsigned flags) |
828 | 0 | { |
829 | 0 | int ret = 0; |
830 | 0 | const version_entry_st *vers = get_version(session); |
831 | |
|
832 | 0 | if (!vers->tls13_sem |
833 | 0 | || session->security_parameters.entity == GNUTLS_CLIENT) |
834 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
835 | | |
836 | 0 | if (nr == 0) |
837 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
838 | | |
839 | 0 | switch (TICKET_STATE) { |
840 | 0 | case TICKET_STATE0: |
841 | 0 | ret = _gnutls_io_write_flush(session); |
842 | 0 | TICKET_STATE = TICKET_STATE0; |
843 | 0 | if (ret < 0) { |
844 | 0 | gnutls_assert(); |
845 | 0 | return ret; |
846 | 0 | } |
847 | 0 | FALLTHROUGH; |
848 | 0 | case TICKET_STATE1: |
849 | 0 | ret = |
850 | 0 | _gnutls13_send_session_ticket(session, nr, |
851 | 0 | TICKET_STATE == |
852 | 0 | TICKET_STATE1 ? 1 : 0); |
853 | 0 | TICKET_STATE = TICKET_STATE1; |
854 | 0 | if (ret < 0) { |
855 | 0 | gnutls_assert(); |
856 | 0 | return ret; |
857 | 0 | } |
858 | 0 | break; |
859 | 0 | default: |
860 | 0 | gnutls_assert(); |
861 | 0 | return GNUTLS_E_INTERNAL_ERROR; |
862 | 0 | } |
863 | | |
864 | 0 | TICKET_STATE = TICKET_STATE0; |
865 | |
|
866 | 0 | return 0; |
867 | 0 | } |