Blame - ssl/tls13_server.c - boringssl.googlesource.com/boringssl

blob: 0278b500b48e3d930f29f4433ccfbda435306b5f [file] [log] [blame]

Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	1	/* Copyright (c) 2016, Google Inc.
				2	*
				3	* Permission to use, copy, modify, and/or distribute this software for any
				4	* purpose with or without fee is hereby granted, provided that the above
				5	* copyright notice and this permission notice appear in all copies.
				6	*
				7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
				8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
				9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
				10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
				11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
				12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
				13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
				14
				15	#include <openssl/ssl.h>
				16
				17	#include <assert.h>
				18	#include <string.h>
				19
David Benjamin	abbbee1	2016-10-31 19:20:42 -0400	[diff] [blame]	20	#include <openssl/aead.h>
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	21	#include <openssl/bytestring.h>
				22	#include <openssl/digest.h>
				23	#include <openssl/err.h>
				24	#include <openssl/mem.h>
				25	#include <openssl/rand.h>
				26	#include <openssl/stack.h>
				27
David Benjamin	17cf2cb	2016-12-13 01:07:13 -0500	[diff] [blame]	28	#include "../crypto/internal.h"
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	29	#include "internal.h"
				30
				31
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	32	/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
				33	* data that will be accepted. This value should be slightly below
				34	* kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */
				35	static const size_t kMaxEarlyDataAccepted = 14336;
				36
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	37	enum server_hs_state_t {
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame]	38	state_select_parameters = 0,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	39	state_send_hello_retry_request,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	40	state_process_second_client_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	41	state_send_server_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	42	state_send_server_certificate_verify,
				43	state_complete_server_certificate_verify,
				44	state_send_server_finished,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	45	state_process_client_certificate,
				46	state_process_client_certificate_verify,
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	47	state_process_channel_id,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	48	state_process_client_finished,
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	49	state_send_new_session_ticket,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	50	state_done,
				51	};
				52
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	53	static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
				54
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	55	static int resolve_ecdhe_secret(SSL_HANDSHAKE hs, int out_need_retry,
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	56	SSL_CLIENT_HELLO *client_hello) {
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	57	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	58	*out_need_retry = 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	59
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	60	/* We only support connections that include an ECDHE key exchange. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	61	CBS key_share;
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	62	if (!ssl_client_hello_get_extension(client_hello, &key_share,
				63	TLSEXT_TYPE_key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	64	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
				65	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	66	return 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	67	}
				68
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	69	int found_key_share;
				70	uint8_t *dhe_secret;
				71	size_t dhe_secret_len;
David Benjamin	7e1f984	2016-09-20 19:24:40 -0400	[diff] [blame]	72	uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	73	if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
Steven Valdez	7259f2f	2016-08-02 16:55:05 -0400	[diff] [blame]	74	&dhe_secret_len, &alert,
				75	&key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	76	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				77	return 0;
				78	}
				79
				80	if (!found_key_share) {
				81	*out_need_retry = 1;
				82	return 0;
				83	}
				84
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	85	int ok = tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	86	OPENSSL_free(dhe_secret);
				87	return ok;
				88	}
				89
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	90	static const SSL_CIPHER *choose_tls13_cipher(
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	91	const SSL ssl, const SSL_CLIENT_HELLO client_hello) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	92	if (client_hello->cipher_suites_len % 2 != 0) {
				93	return NULL;
				94	}
				95
				96	CBS cipher_suites;
				97	CBS_init(&cipher_suites, client_hello->cipher_suites,
				98	client_hello->cipher_suites_len);
				99
				100	const int aes_is_fine = EVP_has_aes_hardware();
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	101	const uint16_t version = ssl3_protocol_version(ssl);
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	102
				103	const SSL_CIPHER *best = NULL;
				104	while (CBS_len(&cipher_suites) > 0) {
				105	uint16_t cipher_suite;
				106	if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
				107	return NULL;
				108	}
				109
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	110	/* Limit to TLS 1.3 ciphers we know about. */
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	111	const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	112	if (candidate == NULL \|\|
				113	SSL_CIPHER_get_min_version(candidate) > version \|\|
				114	SSL_CIPHER_get_max_version(candidate) < version) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	115	continue;
				116	}
				117
				118	/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
				119	* ChaCha20 if we do not have AES hardware. */
				120	if (aes_is_fine) {
				121	return candidate;
				122	}
				123
				124	if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
				125	return candidate;
				126	}
				127
				128	if (best == NULL) {
				129	best = candidate;
				130	}
				131	}
				132
				133	return best;
				134	}
				135
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	136	static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
				137	SSL *const ssl = hs->ssl;
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame]	138	/* The short record header extension is incompatible with early data. */
				139	if (ssl->s3->skip_early_data && ssl->s3->short_header) {
				140	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
David Benjamin	650aa1c	2016-12-20 18:55:16 -0500	[diff] [blame]	141	return ssl_hs_error;
				142	}
				143
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	144	SSL_CLIENT_HELLO client_hello;
				145	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				146	ssl->init_num)) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	147	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				148	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				149	return ssl_hs_error;
				150	}
				151
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	152	/* Negotiate the cipher suite. */
				153	ssl->s3->tmp.new_cipher = choose_tls13_cipher(ssl, &client_hello);
				154	if (ssl->s3->tmp.new_cipher == NULL) {
				155	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
				156	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
				157	return ssl_hs_error;
				158	}
				159
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	160	/* The PRF hash is now known. Set up the key schedule and hash the
				161	* ClientHello. */
				162	if (!tls13_init_key_schedule(hs) \|\|
				163	!ssl_hash_current_message(hs)) {
				164	return ssl_hs_error;
				165	}
				166
				167
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	168	/* Decode the ticket if we agree on a PSK key exchange mode. */
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	169	uint8_t alert = SSL_AD_DECODE_ERROR;
				170	SSL_SESSION *session = NULL;
				171	CBS pre_shared_key, binders;
				172	if (hs->accept_psk_mode &&
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	173	ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
				174	TLSEXT_TYPE_pre_shared_key)) {
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	175	/* Verify that the pre_shared_key extension is the last extension in
				176	* ClientHello. */
				177	if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
				178	client_hello.extensions + client_hello.extensions_len) {
				179	OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
				180	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				181	return ssl_hs_error;
				182	}
				183
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	184	if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	185	&alert, &pre_shared_key)) {
				186	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				187	return ssl_hs_error;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	188	}
				189	}
				190
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	191	if (session != NULL &&
David Benjamin	75f9914	2016-11-12 12:36:06 +0900	[diff] [blame]	192	!ssl_session_is_resumable(ssl, session)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	193	SSL_SESSION_free(session);
				194	session = NULL;
				195	}
				196
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	197	/* Set up the new session, either using the original one as a template or
				198	* creating a fresh one. */
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	199	if (session == NULL) {
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	200	if (!ssl_get_new_session(hs, 1 /* server */)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	201	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				202	return ssl_hs_error;
				203	}
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	204
				205	ssl->s3->new_session->cipher = ssl->s3->tmp.new_cipher;
				206
				207	/* On new sessions, stash the SNI value in the session. */
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	208	if (hs->hostname != NULL) {
Steven Valdez	2f82a0e	2017-02-06 12:06:01 -0500	[diff] [blame]	209	OPENSSL_free(ssl->s3->new_session->tlsext_hostname);
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	210	ssl->s3->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	211	if (ssl->s3->new_session->tlsext_hostname == NULL) {
				212	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				213	return ssl_hs_error;
				214	}
				215	}
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	216	} else {
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	217	/* Check the PSK binder. */
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	218	if (!tls13_verify_psk_binder(hs, session, &binders)) {
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	219	SSL_SESSION_free(session);
				220	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
				221	return ssl_hs_error;
				222	}
				223
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	224	/* Only authentication information carries over in TLS 1.3. */
				225	ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
				226	if (ssl->s3->new_session == NULL) {
				227	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				228	return ssl_hs_error;
				229	}
				230	ssl->s3->session_reused = 1;
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	231	SSL_SESSION_free(session);
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	232
				233	/* Resumption incorporates fresh key material, so refresh the timeout. */
				234	ssl_session_renew_timeout(ssl, ssl->s3->new_session,
Alessandro Ghedini	33fe4a0	2017-02-06 13:40:10 +0000	[diff] [blame]	235	ssl->initial_ctx->session_psk_dhe_timeout);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	236	}
				237
				238	if (ssl->ctx->dos_protection_cb != NULL &&
David Benjamin	e14ff06	2016-08-09 16:21:24 -0400	[diff] [blame]	239	ssl->ctx->dos_protection_cb(&client_hello) == 0) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	240	/* Connection rejected for DOS reasons. */
				241	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
David Benjamin	2c66e07	2016-09-16 15:58:00 -0400	[diff] [blame]	242	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	243	return ssl_hs_error;
				244	}
				245
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	246	/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
				247	* deferred. Complete it now. */
Adam Langley	c68e5b9	2017-02-08 13:33:15 -0800	[diff] [blame]	248	alert = SSL_AD_DECODE_ERROR;
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	249	if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
David Benjamin	9ef31f0	2016-10-31 18:01:13 -0400	[diff] [blame]	250	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				251	return ssl_hs_error;
				252	}
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	253
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	254	/* Incorporate the PSK into the running secret. */
				255	if (ssl->s3->session_reused) {
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	256	if (!tls13_advance_key_schedule(hs, ssl->s3->new_session->master_key,
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	257	ssl->s3->new_session->master_key_length)) {
				258	return ssl_hs_error;
				259	}
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	260	} else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	261	return ssl_hs_error;
				262	}
				263
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	264	ssl->method->received_flight(ssl);
				265
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	266	/* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	267	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	268	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	269	if (need_retry) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	270	hs->tls13_state = state_send_hello_retry_request;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	271	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	272	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	273	return ssl_hs_error;
				274	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	275
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	276	hs->tls13_state = state_send_server_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	277	return ssl_hs_ok;
				278	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	279
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	280	static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
				281	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	282	CBB cbb, body, extensions;
				283	uint16_t group_id;
				284	if (!ssl->method->init_message(ssl, &cbb, &body,
				285	SSL3_MT_HELLO_RETRY_REQUEST) \|\|
				286	!CBB_add_u16(&body, ssl->version) \|\|
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	287	!tls1_get_shared_group(hs, &group_id) \|\|
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	288	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	3baa6e1	2016-10-07 21:10:38 -0400	[diff] [blame]	289	!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) \|\|
				290	!CBB_add_u16(&extensions, 2 /* length */) \|\|
				291	!CBB_add_u16(&extensions, group_id) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	292	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	293	CBB_cleanup(&cbb);
				294	return ssl_hs_error;
				295	}
				296
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	297	hs->tls13_state = state_process_second_client_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	298	return ssl_hs_flush_and_read_message;
				299	}
				300
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	301	static enum ssl_hs_wait_t do_process_second_client_hello(SSL_HANDSHAKE *hs) {
				302	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	303	if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	304	return ssl_hs_error;
				305	}
				306
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	307	SSL_CLIENT_HELLO client_hello;
				308	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				309	ssl->init_num)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	310	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				311	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				312	return ssl_hs_error;
				313	}
				314
				315	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	316	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	317	if (need_retry) {
				318	/* Only send one HelloRetryRequest. */
				319	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				320	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	321	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	322	return ssl_hs_error;
				323	}
				324
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	325	if (!ssl_hash_current_message(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	326	return ssl_hs_error;
				327	}
				328
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	329	ssl->method->received_flight(ssl);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	330	hs->tls13_state = state_send_server_hello;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	331	return ssl_hs_ok;
				332	}
				333
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	334	static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
				335	SSL *const ssl = hs->ssl;
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	336
				337	/* Send a ServerHello. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	338	CBB cbb, body, extensions;
				339	if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) \|\|
				340	!CBB_add_u16(&body, ssl->version) \|\|
				341	!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) \|\|
				342	!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) \|\|
				343	!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) \|\|
				344	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	345	!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) \|\|
David Benjamin	6f600d6	2016-12-21 16:06:54 -0500	[diff] [blame]	346	!ssl_ext_key_share_add_serverhello(hs, &extensions)) {
				347	goto err;
				348	}
				349
				350	if (ssl->s3->short_header) {
				351	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_short_header) \|\|
				352	!CBB_add_u16(&extensions, 0 /* empty extension */)) {
				353	goto err;
				354	}
				355	}
				356
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	357	if (!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	358	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	359	}
				360
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	361	/* Derive and enable the handshake traffic secrets. */
Steven Valdez	4cb8494	2016-12-16 11:29:28 -0500	[diff] [blame]	362	if (!tls13_derive_handshake_secrets(hs) \|\|
				363	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
				364	hs->hash_len) \|\|
				365	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
				366	hs->hash_len)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	367	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	368	}
				369
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	370	/* Send EncryptedExtensions. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	371	if (!ssl->method->init_message(ssl, &cbb, &body,
				372	SSL3_MT_ENCRYPTED_EXTENSIONS) \|\|
David Benjamin	8c880a2	2016-12-03 02:20:34 -0500	[diff] [blame]	373	!ssl_add_serverhello_tlsext(hs, &body) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	374	!ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	375	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	376	}
				377
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	378	/* Determine whether to request a client certificate. */
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	379	hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	380	/* CertificateRequest may only be sent in non-resumption handshakes. */
				381	if (ssl->s3->session_reused) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	382	hs->cert_request = 0;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	383	}
				384
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	385	/* Send a CertificateRequest, if necessary. */
				386	if (hs->cert_request) {
				387	CBB sigalgs_cbb;
				388	if (!ssl->method->init_message(ssl, &cbb, &body,
				389	SSL3_MT_CERTIFICATE_REQUEST) \|\|
				390	!CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
				391	goto err;
				392	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	393
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	394	const uint16_t *sigalgs;
				395	size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
				396	if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
				397	goto err;
				398	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	399
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	400	for (size_t i = 0; i < num_sigalgs; i++) {
				401	if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
				402	goto err;
				403	}
				404	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	405
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	406	if (!ssl_add_client_CA_list(ssl, &body) \|\|
				407	!CBB_add_u16(&body, 0 /* empty certificate_extensions. */) \|\|
				408	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	409	goto err;
				410	}
				411	}
				412
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	413	/* Send the server Certificate message, if necessary. */
				414	if (!ssl->s3->session_reused) {
				415	if (!ssl_has_certificate(ssl)) {
				416	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
				417	goto err;
				418	}
				419
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	420	if (!tls13_add_certificate(hs)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	421	goto err;
				422	}
				423
				424	hs->tls13_state = state_send_server_certificate_verify;
				425	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	426	}
				427
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	428	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	429	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	430
				431	err:
				432	CBB_cleanup(&cbb);
				433	return ssl_hs_error;
				434	}
				435
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	436	static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	437	int is_first_run) {
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	438	switch (tls13_add_certificate_verify(hs, is_first_run)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	439	case ssl_private_key_success:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	440	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	441	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	442
				443	case ssl_private_key_retry:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	444	hs->tls13_state = state_complete_server_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	445	return ssl_hs_private_key_operation;
				446
				447	case ssl_private_key_failure:
				448	return ssl_hs_error;
				449	}
				450
				451	assert(0);
				452	return ssl_hs_error;
				453	}
				454
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	455	static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	456	SSL *const ssl = hs->ssl;
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	457	if (!tls13_add_finished(hs) \|\|
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	458	/* Update the secret to the master secret and derive traffic keys. */
				459	!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	460	!tls13_derive_application_secrets(hs) \|\|
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	461	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
				462	hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	463	return ssl_hs_error;
				464	}
				465
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	466	hs->tls13_state = state_process_client_certificate;
David Benjamin	f2401eb	2016-07-18 22:25:05 +0200	[diff] [blame]	467	return ssl_hs_flush_and_read_message;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	468	}
				469
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	470	static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) {
				471	SSL *const ssl = hs->ssl;
				472	if (!hs->cert_request) {
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	473	/* OpenSSL returns X509_V_OK when no certificates are requested. This is
David Benjamin	dd634eb	2016-08-18 16:40:28 -0400	[diff] [blame]	474	* classed by them as a bug, but it's assumed by at least NGINX. */
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	475	ssl->s3->new_session->verify_result = X509_V_OK;
				476
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	477	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	478	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	479	return ssl_hs_ok;
				480	}
				481
David Benjamin	4087df9	2016-08-01 20:16:31 -0400	[diff] [blame]	482	const int allow_anonymous =
				483	(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
				484
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	485	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	486	!tls13_process_certificate(hs, allow_anonymous) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	487	!ssl_hash_current_message(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	488	return ssl_hs_error;
				489	}
				490
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	491	hs->tls13_state = state_process_client_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	492	return ssl_hs_read_message;
				493	}
				494
				495	static enum ssl_hs_wait_t do_process_client_certificate_verify(
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	496	SSL_HANDSHAKE *hs) {
				497	SSL *const ssl = hs->ssl;
Adam Langley	46db7af	2017-02-01 15:49:37 -0800	[diff] [blame]	498	if (sk_CRYPTO_BUFFER_num(ssl->s3->new_session->certs) == 0) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	499	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	500	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	501	return ssl_hs_ok;
				502	}
				503
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	504	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	505	!tls13_process_certificate_verify(hs) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	506	!ssl_hash_current_message(hs)) {
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	507	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	508	}
				509
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	510	hs->tls13_state = state_process_channel_id;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	511	return ssl_hs_read_message;
				512	}
				513
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	514	static enum ssl_hs_wait_t do_process_channel_id(SSL_HANDSHAKE *hs) {
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	515	if (!hs->ssl->s3->tlsext_channel_id_valid) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	516	hs->tls13_state = state_process_client_finished;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	517	return ssl_hs_ok;
				518	}
				519
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	520	if (!ssl_check_message_type(hs->ssl, SSL3_MT_CHANNEL_ID) \|\|
				521	!tls1_verify_channel_id(hs) \|\|
				522	!ssl_hash_current_message(hs)) {
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	523	return ssl_hs_error;
				524	}
				525
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	526	hs->tls13_state = state_process_client_finished;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	527	return ssl_hs_read_message;
				528	}
				529
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	530	static enum ssl_hs_wait_t do_process_client_finished(SSL_HANDSHAKE *hs) {
				531	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	532	if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	533	!tls13_process_finished(hs) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	534	!ssl_hash_current_message(hs) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	535	/* evp_aead_seal keys have already been switched. */
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	536	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
				537	hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	538	!tls13_derive_resumption_secret(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	539	return ssl_hs_error;
				540	}
				541
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	542	ssl->method->received_flight(ssl);
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	543
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	544	/* Rebase the session timestamp so that it is measured from ticket
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	545	* issuance. */
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	546	ssl_session_rebase_time(ssl, ssl->s3->new_session);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	547	hs->tls13_state = state_send_new_session_ticket;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	548	return ssl_hs_ok;
				549	}
				550
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	551	static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	552	/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
				553	* client makes several connections before getting a renewal. */
				554	static const int kNumTickets = 2;
				555
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	556	SSL *const ssl = hs->ssl;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	557	/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
				558	* session ticket. */
				559	if (!hs->accept_psk_mode) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	560	hs->tls13_state = state_done;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	561	return ssl_hs_ok;
				562	}
				563
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	564	SSL_SESSION *session = ssl->s3->new_session;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	565	CBB cbb;
				566	CBB_zero(&cbb);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	567
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	568	for (int i = 0; i < kNumTickets; i++) {
				569	if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
				570	goto err;
				571	}
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	572
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	573	CBB body, ticket, extensions;
				574	if (!ssl->method->init_message(ssl, &cbb, &body,
				575	SSL3_MT_NEW_SESSION_TICKET) \|\|
				576	!CBB_add_u32(&body, session->timeout) \|\|
				577	!CBB_add_u32(&body, session->ticket_age_add) \|\|
				578	!CBB_add_u16_length_prefixed(&body, &ticket) \|\|
				579	!ssl_encrypt_ticket(ssl, &ticket, session) \|\|
				580	!CBB_add_u16_length_prefixed(&body, &extensions)) {
				581	goto err;
				582	}
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	583
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	584	if (ssl->ctx->enable_early_data) {
				585	session->ticket_max_early_data = kMaxEarlyDataAccepted;
				586
				587	CBB early_data_info;
				588	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) \|\|
				589	!CBB_add_u16_length_prefixed(&extensions, &early_data_info) \|\|
				590	!CBB_add_u32(&early_data_info, session->ticket_max_early_data) \|\|
				591	!CBB_flush(&extensions)) {
				592	goto err;
				593	}
				594	}
				595
				596	/* Add a fake extension. See draft-davidben-tls-grease-01. */
				597	if (!CBB_add_u16(&extensions,
				598	ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) \|\|
				599	!CBB_add_u16(&extensions, 0 /* empty */)) {
				600	goto err;
				601	}
				602
				603	if (!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	604	goto err;
				605	}
				606	}
				607
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	608	hs->session_tickets_sent++;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	609	hs->tls13_state = state_done;
				610	return ssl_hs_flush;
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	611
				612	err:
				613	CBB_cleanup(&cbb);
				614	return ssl_hs_error;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	615	}
				616
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	617	enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	618	while (hs->tls13_state != state_done) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	619	enum ssl_hs_wait_t ret = ssl_hs_error;
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	620	enum server_hs_state_t state = hs->tls13_state;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	621	switch (state) {
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	622	case state_select_parameters:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	623	ret = do_select_parameters(hs);
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	624	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	625	case state_send_hello_retry_request:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	626	ret = do_send_hello_retry_request(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	627	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	628	case state_process_second_client_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	629	ret = do_process_second_client_hello(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	630	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	631	case state_send_server_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	632	ret = do_send_server_hello(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	633	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	634	case state_send_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	635	ret = do_send_server_certificate_verify(hs, 1 /* first run */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	636	break;
				637	case state_complete_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	638	ret = do_send_server_certificate_verify(hs, 0 /* complete */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	639	break;
				640	case state_send_server_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	641	ret = do_send_server_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	642	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	643	case state_process_client_certificate:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	644	ret = do_process_client_certificate(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	645	break;
				646	case state_process_client_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	647	ret = do_process_client_certificate_verify(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	648	break;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	649	case state_process_channel_id:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	650	ret = do_process_channel_id(hs);
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	651	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	652	case state_process_client_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	653	ret = do_process_client_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	654	break;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	655	case state_send_new_session_ticket:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	656	ret = do_send_new_session_ticket(hs);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	657	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	658	case state_done:
				659	ret = ssl_hs_ok;
				660	break;
				661	}
				662
				663	if (ret != ssl_hs_ok) {
				664	return ret;
				665	}
				666	}
				667
				668	return ssl_hs_ok;
				669	}