Blame - ssl/tls13_server.c - boringssl.googlesource.com/boringssl

blob: 4136a69378fd57add4a55bc9b8d80bdc684fd18e [file] [log] [blame]

Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	1	/* Copyright (c) 2016, Google Inc.
				2	*
				3	* Permission to use, copy, modify, and/or distribute this software for any
				4	* purpose with or without fee is hereby granted, provided that the above
				5	* copyright notice and this permission notice appear in all copies.
				6	*
				7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
				8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
				9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
				10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
				11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
				12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
				13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
				14
				15	#include <openssl/ssl.h>
				16
				17	#include <assert.h>
				18	#include <string.h>
				19
David Benjamin	abbbee1	2016-10-31 19:20:42 -0400	[diff] [blame]	20	#include <openssl/aead.h>
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	21	#include <openssl/bytestring.h>
				22	#include <openssl/digest.h>
				23	#include <openssl/err.h>
				24	#include <openssl/mem.h>
				25	#include <openssl/rand.h>
				26	#include <openssl/stack.h>
				27
David Benjamin	17cf2cb	2016-12-13 01:07:13 -0500	[diff] [blame]	28	#include "../crypto/internal.h"
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	29	#include "internal.h"
				30
				31
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	32	/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
				33	* data that will be accepted. This value should be slightly below
				34	* kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */
				35	static const size_t kMaxEarlyDataAccepted = 14336;
				36
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	37	enum server_hs_state_t {
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame]	38	state_select_parameters = 0,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	39	state_send_hello_retry_request,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	40	state_process_second_client_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	41	state_send_server_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	42	state_send_server_certificate_verify,
				43	state_complete_server_certificate_verify,
				44	state_send_server_finished,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	45	state_process_client_certificate,
				46	state_process_client_certificate_verify,
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	47	state_process_channel_id,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	48	state_process_client_finished,
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	49	state_send_new_session_ticket,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	50	state_done,
				51	};
				52
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	53	static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
				54
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	55	static int resolve_ecdhe_secret(SSL_HANDSHAKE hs, int out_need_retry,
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	56	SSL_CLIENT_HELLO *client_hello) {
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	57	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	58	*out_need_retry = 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	59
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	60	/* We only support connections that include an ECDHE key exchange. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	61	CBS key_share;
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	62	if (!ssl_client_hello_get_extension(client_hello, &key_share,
				63	TLSEXT_TYPE_key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	64	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
				65	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	66	return 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	67	}
				68
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	69	int found_key_share;
				70	uint8_t *dhe_secret;
				71	size_t dhe_secret_len;
David Benjamin	7e1f984	2016-09-20 19:24:40 -0400	[diff] [blame]	72	uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	73	if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
Steven Valdez	7259f2f	2016-08-02 16:55:05 -0400	[diff] [blame]	74	&dhe_secret_len, &alert,
				75	&key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	76	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				77	return 0;
				78	}
				79
				80	if (!found_key_share) {
				81	*out_need_retry = 1;
				82	return 0;
				83	}
				84
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	85	int ok = tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	86	OPENSSL_free(dhe_secret);
				87	return ok;
				88	}
				89
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	90	static const SSL_CIPHER *choose_tls13_cipher(
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	91	const SSL ssl, const SSL_CLIENT_HELLO client_hello) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	92	if (client_hello->cipher_suites_len % 2 != 0) {
				93	return NULL;
				94	}
				95
				96	CBS cipher_suites;
				97	CBS_init(&cipher_suites, client_hello->cipher_suites,
				98	client_hello->cipher_suites_len);
				99
				100	const int aes_is_fine = EVP_has_aes_hardware();
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	101	const uint16_t version = ssl3_protocol_version(ssl);
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	102
				103	const SSL_CIPHER *best = NULL;
				104	while (CBS_len(&cipher_suites) > 0) {
				105	uint16_t cipher_suite;
				106	if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
				107	return NULL;
				108	}
				109
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	110	/* Limit to TLS 1.3 ciphers we know about. */
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	111	const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	112	if (candidate == NULL \|\|
				113	SSL_CIPHER_get_min_version(candidate) > version \|\|
				114	SSL_CIPHER_get_max_version(candidate) < version) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	115	continue;
				116	}
				117
				118	/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
				119	* ChaCha20 if we do not have AES hardware. */
				120	if (aes_is_fine) {
				121	return candidate;
				122	}
				123
				124	if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
				125	return candidate;
				126	}
				127
				128	if (best == NULL) {
				129	best = candidate;
				130	}
				131	}
				132
				133	return best;
				134	}
				135
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	136	static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
				137	SSL *const ssl = hs->ssl;
David Benjamin	650aa1c	2016-12-20 18:55:16 -0500	[diff] [blame]	138
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	139	SSL_CLIENT_HELLO client_hello;
				140	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				141	ssl->init_num)) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	142	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				143	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				144	return ssl_hs_error;
				145	}
				146
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	147	/* Negotiate the cipher suite. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	148	hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
				149	if (hs->new_cipher == NULL) {
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	150	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
				151	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
				152	return ssl_hs_error;
				153	}
				154
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	155	/* The PRF hash is now known. Set up the key schedule and hash the
				156	* ClientHello. */
				157	if (!tls13_init_key_schedule(hs) \|\|
				158	!ssl_hash_current_message(hs)) {
				159	return ssl_hs_error;
				160	}
				161
				162
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	163	/* Decode the ticket if we agree on a PSK key exchange mode. */
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	164	uint8_t alert = SSL_AD_DECODE_ERROR;
				165	SSL_SESSION *session = NULL;
David Benjamin	35ac5b7	2017-03-03 15:05:56 -0500	[diff] [blame]	166	uint32_t client_ticket_age = 0;
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	167	CBS pre_shared_key, binders;
				168	if (hs->accept_psk_mode &&
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	169	ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
				170	TLSEXT_TYPE_pre_shared_key)) {
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	171	/* Verify that the pre_shared_key extension is the last extension in
				172	* ClientHello. */
				173	if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
				174	client_hello.extensions + client_hello.extensions_len) {
				175	OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
				176	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				177	return ssl_hs_error;
				178	}
				179
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	180	if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
David Benjamin	35ac5b7	2017-03-03 15:05:56 -0500	[diff] [blame]	181	&client_ticket_age, &alert,
				182	&pre_shared_key)) {
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	183	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				184	return ssl_hs_error;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	185	}
				186	}
				187
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	188	if (session != NULL &&
David Benjamin	35ac5b7	2017-03-03 15:05:56 -0500	[diff] [blame]	189	(!ssl_session_is_resumable(hs, session) \|\|
				190	/* Historically, some TLS 1.3 tickets were missing ticket_age_add. */
				191	!session->ticket_age_add_valid)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	192	SSL_SESSION_free(session);
				193	session = NULL;
				194	}
				195
David Benjamin	35ac5b7	2017-03-03 15:05:56 -0500	[diff] [blame]	196	if (session != NULL) {
				197	/* Recover the client ticket age and convert to seconds. */
				198	client_ticket_age -= session->ticket_age_add;
				199	client_ticket_age /= 1000;
				200
				201	struct OPENSSL_timeval now;
				202	ssl_get_current_time(ssl, &now);
				203
				204	/* Compute the server ticket age in seconds. */
				205	assert(now.tv_sec >= session->time);
				206	uint64_t server_ticket_age = now.tv_sec - session->time;
				207
				208	/* To avoid overflowing \|hs->ticket_age_skew\|, we will not resume
				209	* 68-year-old sessions. */
				210	if (server_ticket_age > INT32_MAX) {
				211	SSL_SESSION_free(session);
				212	session = NULL;
				213	} else {
				214	/* TODO(davidben,svaldez): Measure this value to decide on tolerance. For
				215	* now, accept all values. https://crbug.com/boringssl/113. */
				216	ssl->s3->ticket_age_skew =
				217	(int32_t)client_ticket_age - (int32_t)server_ticket_age;
				218	}
				219	}
				220
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	221	/* Set up the new session, either using the original one as a template or
				222	* creating a fresh one. */
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	223	if (session == NULL) {
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	224	if (!ssl_get_new_session(hs, 1 /* server */)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	225	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				226	return ssl_hs_error;
				227	}
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	228
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	229	hs->new_session->cipher = hs->new_cipher;
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	230
				231	/* On new sessions, stash the SNI value in the session. */
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	232	if (hs->hostname != NULL) {
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	233	OPENSSL_free(hs->new_session->tlsext_hostname);
				234	hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
				235	if (hs->new_session->tlsext_hostname == NULL) {
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	236	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				237	return ssl_hs_error;
				238	}
				239	}
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	240	} else {
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	241	/* Check the PSK binder. */
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	242	if (!tls13_verify_psk_binder(hs, session, &binders)) {
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	243	SSL_SESSION_free(session);
				244	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
				245	return ssl_hs_error;
				246	}
				247
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	248	/* Only authentication information carries over in TLS 1.3. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	249	hs->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
				250	if (hs->new_session == NULL) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	251	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				252	return ssl_hs_error;
				253	}
				254	ssl->s3->session_reused = 1;
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	255	SSL_SESSION_free(session);
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	256
				257	/* Resumption incorporates fresh key material, so refresh the timeout. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	258	ssl_session_renew_timeout(ssl, hs->new_session,
David Benjamin	be49706	2017-03-10 16:08:36 -0500	[diff] [blame]	259	ssl->session_ctx->session_psk_dhe_timeout);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	260	}
				261
				262	if (ssl->ctx->dos_protection_cb != NULL &&
David Benjamin	e14ff06	2016-08-09 16:21:24 -0400	[diff] [blame]	263	ssl->ctx->dos_protection_cb(&client_hello) == 0) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	264	/* Connection rejected for DOS reasons. */
				265	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
David Benjamin	2c66e07	2016-09-16 15:58:00 -0400	[diff] [blame]	266	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	267	return ssl_hs_error;
				268	}
				269
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	270	/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
				271	* deferred. Complete it now. */
Adam Langley	c68e5b9	2017-02-08 13:33:15 -0800	[diff] [blame]	272	alert = SSL_AD_DECODE_ERROR;
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	273	if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
David Benjamin	9ef31f0	2016-10-31 18:01:13 -0400	[diff] [blame]	274	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				275	return ssl_hs_error;
				276	}
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	277
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	278	/* Store the initial negotiated ALPN in the session. */
				279	if (ssl->s3->alpn_selected != NULL) {
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	280	hs->new_session->early_alpn =
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	281	BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	282	if (hs->new_session->early_alpn == NULL) {
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	283	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				284	return ssl_hs_error;
				285	}
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	286	hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	287	}
				288
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	289	/* Incorporate the PSK into the running secret. */
				290	if (ssl->s3->session_reused) {
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	291	if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,
				292	hs->new_session->master_key_length)) {
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	293	return ssl_hs_error;
				294	}
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	295	} else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	296	return ssl_hs_error;
				297	}
				298
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	299	ssl->method->received_flight(ssl);
				300
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	301	/* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	302	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	303	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	304	if (need_retry) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	305	hs->tls13_state = state_send_hello_retry_request;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	306	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	307	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	308	return ssl_hs_error;
				309	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	310
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	311	hs->tls13_state = state_send_server_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	312	return ssl_hs_ok;
				313	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	314
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	315	static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
				316	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	317	CBB cbb, body, extensions;
				318	uint16_t group_id;
				319	if (!ssl->method->init_message(ssl, &cbb, &body,
				320	SSL3_MT_HELLO_RETRY_REQUEST) \|\|
				321	!CBB_add_u16(&body, ssl->version) \|\|
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	322	!tls1_get_shared_group(hs, &group_id) \|\|
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	323	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	3baa6e1	2016-10-07 21:10:38 -0400	[diff] [blame]	324	!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) \|\|
				325	!CBB_add_u16(&extensions, 2 /* length */) \|\|
				326	!CBB_add_u16(&extensions, group_id) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	327	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	328	CBB_cleanup(&cbb);
				329	return ssl_hs_error;
				330	}
				331
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	332	hs->tls13_state = state_process_second_client_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	333	return ssl_hs_flush_and_read_message;
				334	}
				335
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	336	static enum ssl_hs_wait_t do_process_second_client_hello(SSL_HANDSHAKE *hs) {
				337	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	338	if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	339	return ssl_hs_error;
				340	}
				341
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	342	SSL_CLIENT_HELLO client_hello;
				343	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				344	ssl->init_num)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	345	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				346	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				347	return ssl_hs_error;
				348	}
				349
				350	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	351	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	352	if (need_retry) {
				353	/* Only send one HelloRetryRequest. */
				354	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				355	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	356	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	357	return ssl_hs_error;
				358	}
				359
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	360	if (!ssl_hash_current_message(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	361	return ssl_hs_error;
				362	}
				363
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	364	ssl->method->received_flight(ssl);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	365	hs->tls13_state = state_send_server_hello;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	366	return ssl_hs_ok;
				367	}
				368
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	369	static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
				370	SSL *const ssl = hs->ssl;
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	371
				372	/* Send a ServerHello. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	373	CBB cbb, body, extensions;
				374	if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) \|\|
				375	!CBB_add_u16(&body, ssl->version) \|\|
				376	!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) \|\|
				377	!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) \|\|
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	378	!CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	379	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	380	!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) \|\|
Steven Valdez	924a352	2017-03-02 16:05:03 -0500	[diff] [blame]	381	!ssl_ext_key_share_add_serverhello(hs, &extensions) \|\|
				382	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	383	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	384	}
				385
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	386	/* Derive and enable the handshake traffic secrets. */
Steven Valdez	4cb8494	2016-12-16 11:29:28 -0500	[diff] [blame]	387	if (!tls13_derive_handshake_secrets(hs) \|\|
				388	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
				389	hs->hash_len) \|\|
				390	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
				391	hs->hash_len)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	392	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	393	}
				394
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	395	/* Send EncryptedExtensions. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	396	if (!ssl->method->init_message(ssl, &cbb, &body,
				397	SSL3_MT_ENCRYPTED_EXTENSIONS) \|\|
David Benjamin	8c880a2	2016-12-03 02:20:34 -0500	[diff] [blame]	398	!ssl_add_serverhello_tlsext(hs, &body) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	399	!ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	400	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	401	}
				402
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	403	/* Determine whether to request a client certificate. */
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	404	hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	405	/* CertificateRequest may only be sent in non-resumption handshakes. */
				406	if (ssl->s3->session_reused) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	407	hs->cert_request = 0;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	408	}
				409
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	410	/* Send a CertificateRequest, if necessary. */
				411	if (hs->cert_request) {
				412	CBB sigalgs_cbb;
				413	if (!ssl->method->init_message(ssl, &cbb, &body,
				414	SSL3_MT_CERTIFICATE_REQUEST) \|\|
				415	!CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
				416	goto err;
				417	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	418
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	419	const uint16_t *sigalgs;
				420	size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
				421	if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
				422	goto err;
				423	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	424
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	425	for (size_t i = 0; i < num_sigalgs; i++) {
				426	if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
				427	goto err;
				428	}
				429	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	430
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	431	if (!ssl_add_client_CA_list(ssl, &body) \|\|
				432	!CBB_add_u16(&body, 0 /* empty certificate_extensions. */) \|\|
				433	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	434	goto err;
				435	}
				436	}
				437
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	438	/* Send the server Certificate message, if necessary. */
				439	if (!ssl->s3->session_reused) {
				440	if (!ssl_has_certificate(ssl)) {
				441	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
				442	goto err;
				443	}
				444
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	445	if (!tls13_add_certificate(hs)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	446	goto err;
				447	}
				448
				449	hs->tls13_state = state_send_server_certificate_verify;
				450	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	451	}
				452
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	453	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	454	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	455
				456	err:
				457	CBB_cleanup(&cbb);
				458	return ssl_hs_error;
				459	}
				460
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	461	static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	462	int is_first_run) {
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	463	switch (tls13_add_certificate_verify(hs, is_first_run)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	464	case ssl_private_key_success:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	465	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	466	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	467
				468	case ssl_private_key_retry:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	469	hs->tls13_state = state_complete_server_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	470	return ssl_hs_private_key_operation;
				471
				472	case ssl_private_key_failure:
				473	return ssl_hs_error;
				474	}
				475
				476	assert(0);
				477	return ssl_hs_error;
				478	}
				479
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	480	static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	481	SSL *const ssl = hs->ssl;
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	482	if (!tls13_add_finished(hs) \|\|
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	483	/* Update the secret to the master secret and derive traffic keys. */
				484	!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	485	!tls13_derive_application_secrets(hs) \|\|
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	486	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
				487	hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	488	return ssl_hs_error;
				489	}
				490
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	491	hs->tls13_state = state_process_client_certificate;
David Benjamin	f2401eb	2016-07-18 22:25:05 +0200	[diff] [blame]	492	return ssl_hs_flush_and_read_message;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	493	}
				494
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	495	static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) {
				496	SSL *const ssl = hs->ssl;
				497	if (!hs->cert_request) {
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	498	/* OpenSSL returns X509_V_OK when no certificates are requested. This is
David Benjamin	dd634eb	2016-08-18 16:40:28 -0400	[diff] [blame]	499	* classed by them as a bug, but it's assumed by at least NGINX. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	500	hs->new_session->verify_result = X509_V_OK;
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	501
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	502	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	503	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	504	return ssl_hs_ok;
				505	}
				506
David Benjamin	4087df9	2016-08-01 20:16:31 -0400	[diff] [blame]	507	const int allow_anonymous =
				508	(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
				509
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	510	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	511	!tls13_process_certificate(hs, allow_anonymous) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	512	!ssl_hash_current_message(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	513	return ssl_hs_error;
				514	}
				515
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	516	hs->tls13_state = state_process_client_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	517	return ssl_hs_read_message;
				518	}
				519
				520	static enum ssl_hs_wait_t do_process_client_certificate_verify(
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	521	SSL_HANDSHAKE *hs) {
				522	SSL *const ssl = hs->ssl;
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	523	if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	524	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	525	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	526	return ssl_hs_ok;
				527	}
				528
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	529	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	530	!tls13_process_certificate_verify(hs) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	531	!ssl_hash_current_message(hs)) {
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	532	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	533	}
				534
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	535	hs->tls13_state = state_process_channel_id;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	536	return ssl_hs_read_message;
				537	}
				538
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	539	static enum ssl_hs_wait_t do_process_channel_id(SSL_HANDSHAKE *hs) {
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	540	if (!hs->ssl->s3->tlsext_channel_id_valid) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	541	hs->tls13_state = state_process_client_finished;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	542	return ssl_hs_ok;
				543	}
				544
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	545	if (!ssl_check_message_type(hs->ssl, SSL3_MT_CHANNEL_ID) \|\|
				546	!tls1_verify_channel_id(hs) \|\|
				547	!ssl_hash_current_message(hs)) {
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	548	return ssl_hs_error;
				549	}
				550
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	551	hs->tls13_state = state_process_client_finished;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	552	return ssl_hs_read_message;
				553	}
				554
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	555	static enum ssl_hs_wait_t do_process_client_finished(SSL_HANDSHAKE *hs) {
				556	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	557	if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	558	!tls13_process_finished(hs) \|\|
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	559	!ssl_hash_current_message(hs) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	560	/* evp_aead_seal keys have already been switched. */
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	561	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
				562	hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	563	!tls13_derive_resumption_secret(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	564	return ssl_hs_error;
				565	}
				566
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	567	ssl->method->received_flight(ssl);
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	568
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	569	/* Rebase the session timestamp so that it is measured from ticket
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	570	* issuance. */
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	571	ssl_session_rebase_time(ssl, hs->new_session);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	572	hs->tls13_state = state_send_new_session_ticket;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	573	return ssl_hs_ok;
				574	}
				575
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	576	static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	577	/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
				578	* client makes several connections before getting a renewal. */
				579	static const int kNumTickets = 2;
				580
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	581	SSL *const ssl = hs->ssl;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	582	/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
				583	* session ticket. */
				584	if (!hs->accept_psk_mode) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	585	hs->tls13_state = state_done;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	586	return ssl_hs_ok;
				587	}
				588
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	589	SSL_SESSION *session = hs->new_session;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	590	CBB cbb;
				591	CBB_zero(&cbb);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	592
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	593	for (int i = 0; i < kNumTickets; i++) {
				594	if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
				595	goto err;
				596	}
David Benjamin	35ac5b7	2017-03-03 15:05:56 -0500	[diff] [blame]	597	session->ticket_age_add_valid = 1;
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	598
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	599	CBB body, ticket, extensions;
				600	if (!ssl->method->init_message(ssl, &cbb, &body,
				601	SSL3_MT_NEW_SESSION_TICKET) \|\|
				602	!CBB_add_u32(&body, session->timeout) \|\|
				603	!CBB_add_u32(&body, session->ticket_age_add) \|\|
				604	!CBB_add_u16_length_prefixed(&body, &ticket) \|\|
				605	!ssl_encrypt_ticket(ssl, &ticket, session) \|\|
				606	!CBB_add_u16_length_prefixed(&body, &extensions)) {
				607	goto err;
				608	}
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	609
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	610	if (ssl->ctx->enable_early_data) {
				611	session->ticket_max_early_data = kMaxEarlyDataAccepted;
				612
				613	CBB early_data_info;
				614	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) \|\|
				615	!CBB_add_u16_length_prefixed(&extensions, &early_data_info) \|\|
				616	!CBB_add_u32(&early_data_info, session->ticket_max_early_data) \|\|
				617	!CBB_flush(&extensions)) {
				618	goto err;
				619	}
				620	}
				621
				622	/* Add a fake extension. See draft-davidben-tls-grease-01. */
				623	if (!CBB_add_u16(&extensions,
				624	ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) \|\|
				625	!CBB_add_u16(&extensions, 0 /* empty */)) {
				626	goto err;
				627	}
				628
				629	if (!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	630	goto err;
				631	}
				632	}
				633
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	634	hs->session_tickets_sent++;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	635	hs->tls13_state = state_done;
				636	return ssl_hs_flush;
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	637
				638	err:
				639	CBB_cleanup(&cbb);
				640	return ssl_hs_error;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	641	}
				642
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	643	enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	644	while (hs->tls13_state != state_done) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	645	enum ssl_hs_wait_t ret = ssl_hs_error;
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	646	enum server_hs_state_t state = hs->tls13_state;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	647	switch (state) {
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	648	case state_select_parameters:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	649	ret = do_select_parameters(hs);
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	650	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	651	case state_send_hello_retry_request:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	652	ret = do_send_hello_retry_request(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	653	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	654	case state_process_second_client_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	655	ret = do_process_second_client_hello(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	656	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	657	case state_send_server_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	658	ret = do_send_server_hello(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	659	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	660	case state_send_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	661	ret = do_send_server_certificate_verify(hs, 1 /* first run */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	662	break;
				663	case state_complete_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	664	ret = do_send_server_certificate_verify(hs, 0 /* complete */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	665	break;
				666	case state_send_server_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	667	ret = do_send_server_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	668	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	669	case state_process_client_certificate:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	670	ret = do_process_client_certificate(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	671	break;
				672	case state_process_client_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	673	ret = do_process_client_certificate_verify(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	674	break;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	675	case state_process_channel_id:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	676	ret = do_process_channel_id(hs);
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	677	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	678	case state_process_client_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	679	ret = do_process_client_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	680	break;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	681	case state_send_new_session_ticket:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	682	ret = do_send_new_session_ticket(hs);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	683	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	684	case state_done:
				685	ret = ssl_hs_ok;
				686	break;
				687	}
				688
				689	if (ret != ssl_hs_ok) {
				690	return ret;
				691	}
				692	}
				693
				694	return ssl_hs_ok;
				695	}