Blame - ssl/tls13_server.c - boringssl.googlesource.com/boringssl

blob: 402c2343163b21f6aba8d9d849f880ac8f168282 [file] [log] [blame]

Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	1	/* Copyright (c) 2016, Google Inc.
				2	*
				3	* Permission to use, copy, modify, and/or distribute this software for any
				4	* purpose with or without fee is hereby granted, provided that the above
				5	* copyright notice and this permission notice appear in all copies.
				6	*
				7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
				8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
				9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
				10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
				11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
				12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
				13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
				14
				15	#include <openssl/ssl.h>
				16
				17	#include <assert.h>
				18	#include <string.h>
				19
David Benjamin	abbbee1	2016-10-31 19:20:42 -0400	[diff] [blame]	20	#include <openssl/aead.h>
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	21	#include <openssl/bytestring.h>
				22	#include <openssl/digest.h>
				23	#include <openssl/err.h>
				24	#include <openssl/mem.h>
				25	#include <openssl/rand.h>
				26	#include <openssl/stack.h>
				27
David Benjamin	17cf2cb	2016-12-13 01:07:13 -0500	[diff] [blame]	28	#include "../crypto/internal.h"
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	29	#include "internal.h"
				30
				31
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	32	/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
				33	* data that will be accepted. This value should be slightly below
				34	* kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */
				35	static const size_t kMaxEarlyDataAccepted = 14336;
				36
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	37	enum server_hs_state_t {
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame]	38	state_select_parameters = 0,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	39	state_send_hello_retry_request,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	40	state_process_second_client_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	41	state_send_server_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	42	state_send_server_certificate_verify,
				43	state_complete_server_certificate_verify,
				44	state_send_server_finished,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	45	state_process_client_certificate,
				46	state_process_client_certificate_verify,
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	47	state_process_channel_id,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	48	state_process_client_finished,
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	49	state_send_new_session_ticket,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	50	state_done,
				51	};
				52
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	53	static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
				54
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	55	static int resolve_ecdhe_secret(SSL_HANDSHAKE hs, int out_need_retry,
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	56	SSL_CLIENT_HELLO *client_hello) {
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	57	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	58	*out_need_retry = 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	59
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	60	/* We only support connections that include an ECDHE key exchange. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	61	CBS key_share;
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	62	if (!ssl_client_hello_get_extension(client_hello, &key_share,
				63	TLSEXT_TYPE_key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	64	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
				65	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	66	return 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	67	}
				68
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	69	int found_key_share;
				70	uint8_t *dhe_secret;
				71	size_t dhe_secret_len;
David Benjamin	7e1f984	2016-09-20 19:24:40 -0400	[diff] [blame]	72	uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	73	if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
Steven Valdez	7259f2f	2016-08-02 16:55:05 -0400	[diff] [blame]	74	&dhe_secret_len, &alert,
				75	&key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	76	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				77	return 0;
				78	}
				79
				80	if (!found_key_share) {
				81	*out_need_retry = 1;
				82	return 0;
				83	}
				84
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	85	int ok = tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	86	OPENSSL_free(dhe_secret);
				87	return ok;
				88	}
				89
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	90	static const SSL_CIPHER *choose_tls13_cipher(
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	91	const SSL ssl, const SSL_CLIENT_HELLO client_hello) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	92	if (client_hello->cipher_suites_len % 2 != 0) {
				93	return NULL;
				94	}
				95
				96	CBS cipher_suites;
				97	CBS_init(&cipher_suites, client_hello->cipher_suites,
				98	client_hello->cipher_suites_len);
				99
				100	const int aes_is_fine = EVP_has_aes_hardware();
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	101	const uint16_t version = ssl3_protocol_version(ssl);
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	102
				103	const SSL_CIPHER *best = NULL;
				104	while (CBS_len(&cipher_suites) > 0) {
				105	uint16_t cipher_suite;
				106	if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
				107	return NULL;
				108	}
				109
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	110	/* Limit to TLS 1.3 ciphers we know about. */
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	111	const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	112	if (candidate == NULL \|\|
				113	SSL_CIPHER_get_min_version(candidate) > version \|\|
				114	SSL_CIPHER_get_max_version(candidate) < version) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	115	continue;
				116	}
				117
				118	/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
				119	* ChaCha20 if we do not have AES hardware. */
				120	if (aes_is_fine) {
				121	return candidate;
				122	}
				123
				124	if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
				125	return candidate;
				126	}
				127
				128	if (best == NULL) {
				129	best = candidate;
				130	}
				131	}
				132
				133	return best;
				134	}
				135
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	136	static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
				137	SSL *const ssl = hs->ssl;
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame]	138	/* The short record header extension is incompatible with early data. */
				139	if (ssl->s3->skip_early_data && ssl->s3->short_header) {
				140	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
David Benjamin	650aa1c	2016-12-20 18:55:16 -0500	[diff] [blame]	141	return ssl_hs_error;
				142	}
				143
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	144	SSL_CLIENT_HELLO client_hello;
				145	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				146	ssl->init_num)) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	147	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				148	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				149	return ssl_hs_error;
				150	}
				151
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	152	/* Negotiate the cipher suite. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	153	hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
				154	if (hs->new_cipher == NULL) {
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	155	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
				156	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
				157	return ssl_hs_error;
				158	}
				159
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	160	/* The PRF hash is now known. Set up the key schedule and hash the
				161	* ClientHello. */
				162	if (!tls13_init_key_schedule(hs) \|\|
				163	!ssl_hash_current_message(hs)) {
				164	return ssl_hs_error;
				165	}
				166
				167
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	168	/* Decode the ticket if we agree on a PSK key exchange mode. */
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	169	uint8_t alert = SSL_AD_DECODE_ERROR;
				170	SSL_SESSION *session = NULL;
				171	CBS pre_shared_key, binders;
				172	if (hs->accept_psk_mode &&
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	173	ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
				174	TLSEXT_TYPE_pre_shared_key)) {
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	175	/* Verify that the pre_shared_key extension is the last extension in
				176	* ClientHello. */
				177	if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
				178	client_hello.extensions + client_hello.extensions_len) {
				179	OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
				180	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				181	return ssl_hs_error;
				182	}
				183
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	184	if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	185	&alert, &pre_shared_key)) {
				186	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				187	return ssl_hs_error;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	188	}
				189	}
				190
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	191	if (session != NULL &&
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	192	!ssl_session_is_resumable(hs, session)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	193	SSL_SESSION_free(session);
				194	session = NULL;
				195	}
				196
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	197	/* Set up the new session, either using the original one as a template or
				198	* creating a fresh one. */
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	199	if (session == NULL) {
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	200	if (!ssl_get_new_session(hs, 1 /* server */)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	201	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				202	return ssl_hs_error;
				203	}
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	204
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	205	hs->new_session->cipher = hs->new_cipher;
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	206
				207	/* On new sessions, stash the SNI value in the session. */
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	208	if (hs->hostname != NULL) {
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	209	OPENSSL_free(hs->new_session->tlsext_hostname);
				210	hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
				211	if (hs->new_session->tlsext_hostname == NULL) {
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	212	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				213	return ssl_hs_error;
				214	}
				215	}
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	216	} else {
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	217	/* Check the PSK binder. */
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	218	if (!tls13_verify_psk_binder(hs, session, &binders)) {
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	219	SSL_SESSION_free(session);
				220	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
				221	return ssl_hs_error;
				222	}
				223
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	224	/* Only authentication information carries over in TLS 1.3. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	225	hs->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
				226	if (hs->new_session == NULL) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	227	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				228	return ssl_hs_error;
				229	}
				230	ssl->s3->session_reused = 1;
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	231	SSL_SESSION_free(session);
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	232
				233	/* Resumption incorporates fresh key material, so refresh the timeout. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	234	ssl_session_renew_timeout(ssl, hs->new_session,
Alessandro Ghedini	33fe4a0	2017-02-06 13:40:10 +0000	[diff] [blame]	235	ssl->initial_ctx->session_psk_dhe_timeout);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	236	}
				237
				238	if (ssl->ctx->dos_protection_cb != NULL &&
David Benjamin	e14ff06	2016-08-09 16:21:24 -0400	[diff] [blame]	239	ssl->ctx->dos_protection_cb(&client_hello) == 0) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	240	/* Connection rejected for DOS reasons. */
				241	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
David Benjamin	2c66e07	2016-09-16 15:58:00 -0400	[diff] [blame]	242	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	243	return ssl_hs_error;
				244	}
				245
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	246	/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
				247	* deferred. Complete it now. */
Adam Langley	c68e5b9	2017-02-08 13:33:15 -0800	[diff] [blame]	248	alert = SSL_AD_DECODE_ERROR;
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	249	if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
David Benjamin	9ef31f0	2016-10-31 18:01:13 -0400	[diff] [blame]	250	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				251	return ssl_hs_error;
				252	}
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	253
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	254	/* Store the initial negotiated ALPN in the session. */
				255	if (ssl->s3->alpn_selected != NULL) {
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	256	hs->new_session->early_alpn =
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	257	BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	258	if (hs->new_session->early_alpn == NULL) {
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	259	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				260	return ssl_hs_error;
				261	}
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	262	hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	263	}
				264
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	265	/* Incorporate the PSK into the running secret. */
				266	if (ssl->s3->session_reused) {
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	267	if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
				268	hs->new_session->master_key_length)) {
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	269	return ssl_hs_error;
				270	}
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	271	} else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	272	return ssl_hs_error;
				273	}
				274
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	275	ssl->method->received_flight(ssl);
				276
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	277	/* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	278	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	279	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	280	if (need_retry) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	281	hs->tls13_state = state_send_hello_retry_request;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	282	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	283	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	284	return ssl_hs_error;
				285	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	286
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	287	hs->tls13_state = state_send_server_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	288	return ssl_hs_ok;
				289	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	290
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	291	static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
				292	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	293	CBB cbb, body, extensions;
				294	uint16_t group_id;
				295	if (!ssl->method->init_message(ssl, &cbb, &body,
				296	SSL3_MT_HELLO_RETRY_REQUEST) \|\|
				297	!CBB_add_u16(&body, ssl->version) \|\|
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	298	!tls1_get_shared_group(hs, &group_id) \|\|
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	299	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	3baa6e1	2016-10-07 21:10:38 -0400	[diff] [blame]	300	!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) \|\|
				301	!CBB_add_u16(&extensions, 2 /* length */) \|\|
				302	!CBB_add_u16(&extensions, group_id) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	303	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	304	CBB_cleanup(&cbb);
				305	return ssl_hs_error;
				306	}
				307
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	308	hs->tls13_state = state_process_second_client_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	309	return ssl_hs_flush_and_read_message;
				310	}
				311
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	312	static enum ssl_hs_wait_t do_process_second_client_hello(SSL_HANDSHAKE *hs) {
				313	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	314	if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	315	return ssl_hs_error;
				316	}
				317
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	318	SSL_CLIENT_HELLO client_hello;
				319	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				320	ssl->init_num)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	321	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				322	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				323	return ssl_hs_error;
				324	}
				325
				326	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	327	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	328	if (need_retry) {
				329	/* Only send one HelloRetryRequest. */
				330	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				331	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	332	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	333	return ssl_hs_error;
				334	}
				335
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	336	if (!ssl_hash_current_message(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	337	return ssl_hs_error;
				338	}
				339
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	340	ssl->method->received_flight(ssl);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	341	hs->tls13_state = state_send_server_hello;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	342	return ssl_hs_ok;
				343	}
				344
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	345	static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
				346	SSL *const ssl = hs->ssl;
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	347
				348	/* Send a ServerHello. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	349	CBB cbb, body, extensions;
				350	if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) \|\|
				351	!CBB_add_u16(&body, ssl->version) \|\|
				352	!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) \|\|
				353	!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) \|\|
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	354	!CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	355	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	356	!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) \|\|
David Benjamin	6f600d6	2016-12-21 16:06:54 -0500	[diff] [blame]	357	!ssl_ext_key_share_add_serverhello(hs, &extensions)) {
				358	goto err;
				359	}
				360
				361	if (ssl->s3->short_header) {
				362	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_short_header) \|\|
				363	!CBB_add_u16(&extensions, 0 /* empty extension */)) {
				364	goto err;
				365	}
				366	}
				367
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	368	if (!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	369	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	370	}
				371
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	372	/* Derive and enable the handshake traffic secrets. */
Steven Valdez	4cb8494	2016-12-16 11:29:28 -0500	[diff] [blame]	373	if (!tls13_derive_handshake_secrets(hs) \|\|
				374	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
				375	hs->hash_len) \|\|
				376	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
				377	hs->hash_len)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	378	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	379	}
				380
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	381	/* Send EncryptedExtensions. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	382	if (!ssl->method->init_message(ssl, &cbb, &body,
				383	SSL3_MT_ENCRYPTED_EXTENSIONS) \|\|
David Benjamin	8c880a2	2016-12-03 02:20:34 -0500	[diff] [blame]	384	!ssl_add_serverhello_tlsext(hs, &body) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	385	!ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	386	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	387	}
				388
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	389	/* Determine whether to request a client certificate. */
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	390	hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	391	/* CertificateRequest may only be sent in non-resumption handshakes. */
				392	if (ssl->s3->session_reused) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	393	hs->cert_request = 0;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	394	}
				395
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	396	/* Send a CertificateRequest, if necessary. */
				397	if (hs->cert_request) {
				398	CBB sigalgs_cbb;
				399	if (!ssl->method->init_message(ssl, &cbb, &body,
				400	SSL3_MT_CERTIFICATE_REQUEST) \|\|
				401	!CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
				402	goto err;
				403	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	404
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	405	const uint16_t *sigalgs;
				406	size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
				407	if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
				408	goto err;
				409	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	410
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	411	for (size_t i = 0; i < num_sigalgs; i++) {
				412	if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
				413	goto err;
				414	}
				415	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	416
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	417	if (!ssl_add_client_CA_list(ssl, &body) \|\|
				418	!CBB_add_u16(&body, 0 /* empty certificate_extensions. */) \|\|
				419	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	420	goto err;
				421	}
				422	}
				423
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	424	/* Send the server Certificate message, if necessary. */
				425	if (!ssl->s3->session_reused) {
				426	if (!ssl_has_certificate(ssl)) {
				427	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
				428	goto err;
				429	}
				430
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	431	if (!tls13_add_certificate(hs)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	432	goto err;
				433	}
				434
				435	hs->tls13_state = state_send_server_certificate_verify;
				436	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	437	}
				438
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	439	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	440	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	441
				442	err:
				443	CBB_cleanup(&cbb);
				444	return ssl_hs_error;
				445	}
				446
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	447	static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	448	int is_first_run) {
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	449	switch (tls13_add_certificate_verify(hs, is_first_run)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	450	case ssl_private_key_success:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	451	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	452	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	453
				454	case ssl_private_key_retry:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	455	hs->tls13_state = state_complete_server_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	456	return ssl_hs_private_key_operation;
				457
				458	case ssl_private_key_failure:
				459	return ssl_hs_error;
				460	}
				461
				462	assert(0);
				463	return ssl_hs_error;
				464	}
				465
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	466	static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	467	SSL *const ssl = hs->ssl;
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	468	if (!tls13_add_finished(hs) \|\|
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	469	/* Update the secret to the master secret and derive traffic keys. */
				470	!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	471	!tls13_derive_application_secrets(hs) \|\|
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	472	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
				473	hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	474	return ssl_hs_error;
				475	}
				476
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	477	hs->tls13_state = state_process_client_certificate;
David Benjamin	f2401eb	2016-07-18 22:25:05 +0200	[diff] [blame]	478	return ssl_hs_flush_and_read_message;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	479	}
				480
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	481	static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) {
				482	SSL *const ssl = hs->ssl;
				483	if (!hs->cert_request) {
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	484	/* OpenSSL returns X509_V_OK when no certificates are requested. This is
David Benjamin	dd634eb	2016-08-18 16:40:28 -0400	[diff] [blame]	485	* classed by them as a bug, but it's assumed by at least NGINX. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	486	hs->new_session->verify_result = X509_V_OK;
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	487
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	488	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	489	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	490	return ssl_hs_ok;
				491	}
				492
David Benjamin	4087df9	2016-08-01 20:16:31 -0400	[diff] [blame]	493	const int allow_anonymous =
				494	(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
				495
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	496	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	497	!tls13_process_certificate(hs, allow_anonymous) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	498	!ssl_hash_current_message(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	499	return ssl_hs_error;
				500	}
				501
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	502	hs->tls13_state = state_process_client_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	503	return ssl_hs_read_message;
				504	}
				505
				506	static enum ssl_hs_wait_t do_process_client_certificate_verify(
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	507	SSL_HANDSHAKE *hs) {
				508	SSL *const ssl = hs->ssl;
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	509	if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	510	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	511	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	512	return ssl_hs_ok;
				513	}
				514
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	515	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	516	!tls13_process_certificate_verify(hs) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	517	!ssl_hash_current_message(hs)) {
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	518	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	519	}
				520
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	521	hs->tls13_state = state_process_channel_id;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	522	return ssl_hs_read_message;
				523	}
				524
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	525	static enum ssl_hs_wait_t do_process_channel_id(SSL_HANDSHAKE *hs) {
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	526	if (!hs->ssl->s3->tlsext_channel_id_valid) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	527	hs->tls13_state = state_process_client_finished;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	528	return ssl_hs_ok;
				529	}
				530
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	531	if (!ssl_check_message_type(hs->ssl, SSL3_MT_CHANNEL_ID) \|\|
				532	!tls1_verify_channel_id(hs) \|\|
				533	!ssl_hash_current_message(hs)) {
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	534	return ssl_hs_error;
				535	}
				536
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	537	hs->tls13_state = state_process_client_finished;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	538	return ssl_hs_read_message;
				539	}
				540
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	541	static enum ssl_hs_wait_t do_process_client_finished(SSL_HANDSHAKE *hs) {
				542	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	543	if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	544	!tls13_process_finished(hs) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	545	!ssl_hash_current_message(hs) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	546	/* evp_aead_seal keys have already been switched. */
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	547	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
				548	hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	549	!tls13_derive_resumption_secret(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	550	return ssl_hs_error;
				551	}
				552
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	553	ssl->method->received_flight(ssl);
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	554
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	555	/* Rebase the session timestamp so that it is measured from ticket
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	556	* issuance. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	557	ssl_session_rebase_time(ssl, hs->new_session);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	558	hs->tls13_state = state_send_new_session_ticket;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	559	return ssl_hs_ok;
				560	}
				561
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	562	static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	563	/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
				564	* client makes several connections before getting a renewal. */
				565	static const int kNumTickets = 2;
				566
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	567	SSL *const ssl = hs->ssl;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	568	/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
				569	* session ticket. */
				570	if (!hs->accept_psk_mode) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	571	hs->tls13_state = state_done;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	572	return ssl_hs_ok;
				573	}
				574
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame^]	575	SSL_SESSION *session = hs->new_session;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	576	CBB cbb;
				577	CBB_zero(&cbb);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	578
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	579	for (int i = 0; i < kNumTickets; i++) {
				580	if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
				581	goto err;
				582	}
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	583
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	584	CBB body, ticket, extensions;
				585	if (!ssl->method->init_message(ssl, &cbb, &body,
				586	SSL3_MT_NEW_SESSION_TICKET) \|\|
				587	!CBB_add_u32(&body, session->timeout) \|\|
				588	!CBB_add_u32(&body, session->ticket_age_add) \|\|
				589	!CBB_add_u16_length_prefixed(&body, &ticket) \|\|
				590	!ssl_encrypt_ticket(ssl, &ticket, session) \|\|
				591	!CBB_add_u16_length_prefixed(&body, &extensions)) {
				592	goto err;
				593	}
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	594
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	595	if (ssl->ctx->enable_early_data) {
				596	session->ticket_max_early_data = kMaxEarlyDataAccepted;
				597
				598	CBB early_data_info;
				599	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) \|\|
				600	!CBB_add_u16_length_prefixed(&extensions, &early_data_info) \|\|
				601	!CBB_add_u32(&early_data_info, session->ticket_max_early_data) \|\|
				602	!CBB_flush(&extensions)) {
				603	goto err;
				604	}
				605	}
				606
				607	/* Add a fake extension. See draft-davidben-tls-grease-01. */
				608	if (!CBB_add_u16(&extensions,
				609	ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) \|\|
				610	!CBB_add_u16(&extensions, 0 /* empty */)) {
				611	goto err;
				612	}
				613
				614	if (!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	615	goto err;
				616	}
				617	}
				618
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	619	hs->session_tickets_sent++;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	620	hs->tls13_state = state_done;
				621	return ssl_hs_flush;
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	622
				623	err:
				624	CBB_cleanup(&cbb);
				625	return ssl_hs_error;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	626	}
				627
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	628	enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	629	while (hs->tls13_state != state_done) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	630	enum ssl_hs_wait_t ret = ssl_hs_error;
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	631	enum server_hs_state_t state = hs->tls13_state;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	632	switch (state) {
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	633	case state_select_parameters:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	634	ret = do_select_parameters(hs);
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	635	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	636	case state_send_hello_retry_request:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	637	ret = do_send_hello_retry_request(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	638	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	639	case state_process_second_client_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	640	ret = do_process_second_client_hello(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	641	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	642	case state_send_server_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	643	ret = do_send_server_hello(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	644	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	645	case state_send_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	646	ret = do_send_server_certificate_verify(hs, 1 /* first run */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	647	break;
				648	case state_complete_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	649	ret = do_send_server_certificate_verify(hs, 0 /* complete */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	650	break;
				651	case state_send_server_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	652	ret = do_send_server_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	653	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	654	case state_process_client_certificate:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	655	ret = do_process_client_certificate(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	656	break;
				657	case state_process_client_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	658	ret = do_process_client_certificate_verify(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	659	break;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	660	case state_process_channel_id:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	661	ret = do_process_channel_id(hs);
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	662	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	663	case state_process_client_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	664	ret = do_process_client_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	665	break;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	666	case state_send_new_session_ticket:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	667	ret = do_send_new_session_ticket(hs);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	668	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	669	case state_done:
				670	ret = ssl_hs_ok;
				671	break;
				672	}
				673
				674	if (ret != ssl_hs_ok) {
				675	return ret;
				676	}
				677	}
				678
				679	return ssl_hs_ok;
				680	}