Blame - ssl/tls13_server.c - boringssl.googlesource.com/boringssl

blob: db5fb2426b039d1d0c049b34b0a418738e2b41d2 [file] [log] [blame]

Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	1	/* Copyright (c) 2016, Google Inc.
				2	*
				3	* Permission to use, copy, modify, and/or distribute this software for any
				4	* purpose with or without fee is hereby granted, provided that the above
				5	* copyright notice and this permission notice appear in all copies.
				6	*
				7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
				8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
				9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
				10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
				11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
				12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
				13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
				14
				15	#include <openssl/ssl.h>
				16
				17	#include <assert.h>
				18	#include <string.h>
				19
David Benjamin	abbbee1	2016-10-31 19:20:42 -0400	[diff] [blame]	20	#include <openssl/aead.h>
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	21	#include <openssl/bytestring.h>
				22	#include <openssl/digest.h>
				23	#include <openssl/err.h>
				24	#include <openssl/mem.h>
				25	#include <openssl/rand.h>
				26	#include <openssl/stack.h>
				27
David Benjamin	17cf2cb	2016-12-13 01:07:13 -0500	[diff] [blame]	28	#include "../crypto/internal.h"
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	29	#include "internal.h"
				30
				31
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	32	/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
				33	* data that will be accepted. This value should be slightly below
				34	* kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */
				35	static const size_t kMaxEarlyDataAccepted = 14336;
				36
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	37	enum server_hs_state_t {
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame^]	38	state_select_parameters = 0,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	39	state_send_hello_retry_request,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	40	state_process_second_client_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	41	state_send_server_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	42	state_send_server_certificate_verify,
				43	state_complete_server_certificate_verify,
				44	state_send_server_finished,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	45	state_process_client_certificate,
				46	state_process_client_certificate_verify,
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	47	state_process_channel_id,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	48	state_process_client_finished,
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	49	state_send_new_session_ticket,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	50	state_done,
				51	};
				52
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	53	static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
				54
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	55	static int resolve_ecdhe_secret(SSL_HANDSHAKE hs, int out_need_retry,
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	56	SSL_CLIENT_HELLO *client_hello) {
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	57	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	58	*out_need_retry = 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	59
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	60	/* We only support connections that include an ECDHE key exchange. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	61	CBS key_share;
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	62	if (!ssl_client_hello_get_extension(client_hello, &key_share,
				63	TLSEXT_TYPE_key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	64	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
				65	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	66	return 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	67	}
				68
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	69	int found_key_share;
				70	uint8_t *dhe_secret;
				71	size_t dhe_secret_len;
David Benjamin	7e1f984	2016-09-20 19:24:40 -0400	[diff] [blame]	72	uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	73	if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
Steven Valdez	7259f2f	2016-08-02 16:55:05 -0400	[diff] [blame]	74	&dhe_secret_len, &alert,
				75	&key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	76	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				77	return 0;
				78	}
				79
				80	if (!found_key_share) {
				81	*out_need_retry = 1;
				82	return 0;
				83	}
				84
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	85	int ok = tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	86	OPENSSL_free(dhe_secret);
				87	return ok;
				88	}
				89
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	90	static const SSL_CIPHER *choose_tls13_cipher(
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	91	const SSL ssl, const SSL_CLIENT_HELLO client_hello) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	92	if (client_hello->cipher_suites_len % 2 != 0) {
				93	return NULL;
				94	}
				95
				96	CBS cipher_suites;
				97	CBS_init(&cipher_suites, client_hello->cipher_suites,
				98	client_hello->cipher_suites_len);
				99
				100	const int aes_is_fine = EVP_has_aes_hardware();
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	101	const uint16_t version = ssl3_protocol_version(ssl);
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	102
				103	const SSL_CIPHER *best = NULL;
				104	while (CBS_len(&cipher_suites) > 0) {
				105	uint16_t cipher_suite;
				106	if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
				107	return NULL;
				108	}
				109
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	110	/* Limit to TLS 1.3 ciphers we know about. */
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	111	const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	112	if (candidate == NULL \|\|
				113	SSL_CIPHER_get_min_version(candidate) > version \|\|
				114	SSL_CIPHER_get_max_version(candidate) < version) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	115	continue;
				116	}
				117
				118	/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
				119	* ChaCha20 if we do not have AES hardware. */
				120	if (aes_is_fine) {
				121	return candidate;
				122	}
				123
				124	if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
				125	return candidate;
				126	}
				127
				128	if (best == NULL) {
				129	best = candidate;
				130	}
				131	}
				132
				133	return best;
				134	}
				135
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	136	static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
				137	SSL *const ssl = hs->ssl;
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame^]	138	/* The short record header extension is incompatible with early data. */
				139	if (ssl->s3->skip_early_data && ssl->s3->short_header) {
				140	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
David Benjamin	650aa1c	2016-12-20 18:55:16 -0500	[diff] [blame]	141	return ssl_hs_error;
				142	}
				143
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	144	SSL_CLIENT_HELLO client_hello;
				145	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				146	ssl->init_num)) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	147	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				148	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				149	return ssl_hs_error;
				150	}
				151
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	152	/* Negotiate the cipher suite. */
				153	ssl->s3->tmp.new_cipher = choose_tls13_cipher(ssl, &client_hello);
				154	if (ssl->s3->tmp.new_cipher == NULL) {
				155	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
				156	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
				157	return ssl_hs_error;
				158	}
				159
				160	/* Decode the ticket if we agree on a PSK key exchange mode. */
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	161	uint8_t alert = SSL_AD_DECODE_ERROR;
				162	SSL_SESSION *session = NULL;
				163	CBS pre_shared_key, binders;
				164	if (hs->accept_psk_mode &&
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	165	ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
				166	TLSEXT_TYPE_pre_shared_key)) {
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	167	/* Verify that the pre_shared_key extension is the last extension in
				168	* ClientHello. */
				169	if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
				170	client_hello.extensions + client_hello.extensions_len) {
				171	OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
				172	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				173	return ssl_hs_error;
				174	}
				175
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	176	if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	177	&alert, &pre_shared_key)) {
				178	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				179	return ssl_hs_error;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	180	}
				181	}
				182
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	183	if (session != NULL &&
David Benjamin	75f9914	2016-11-12 12:36:06 +0900	[diff] [blame]	184	!ssl_session_is_resumable(ssl, session)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	185	SSL_SESSION_free(session);
				186	session = NULL;
				187	}
				188
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	189	/* Set up the new session, either using the original one as a template or
				190	* creating a fresh one. */
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	191	if (session == NULL) {
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	192	if (!ssl_get_new_session(hs, 1 /* server */)) {
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	193	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				194	return ssl_hs_error;
				195	}
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	196
				197	ssl->s3->new_session->cipher = ssl->s3->tmp.new_cipher;
				198
				199	/* On new sessions, stash the SNI value in the session. */
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	200	if (hs->hostname != NULL) {
				201	ssl->s3->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	202	if (ssl->s3->new_session->tlsext_hostname == NULL) {
				203	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				204	return ssl_hs_error;
				205	}
				206	}
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	207	} else {
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	208	/* Check the PSK binder. */
				209	if (!tls13_verify_psk_binder(ssl, session, &binders)) {
				210	SSL_SESSION_free(session);
				211	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
				212	return ssl_hs_error;
				213	}
				214
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	215	/* Only authentication information carries over in TLS 1.3. */
				216	ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
				217	if (ssl->s3->new_session == NULL) {
				218	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				219	return ssl_hs_error;
				220	}
				221	ssl->s3->session_reused = 1;
Steven Valdez	4aa154e	2016-07-29 14:32:55 -0400	[diff] [blame]	222	SSL_SESSION_free(session);
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	223
				224	/* Resumption incorporates fresh key material, so refresh the timeout. */
				225	ssl_session_renew_timeout(ssl, ssl->s3->new_session,
				226	ssl->session_psk_dhe_timeout);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	227	}
				228
				229	if (ssl->ctx->dos_protection_cb != NULL &&
David Benjamin	e14ff06	2016-08-09 16:21:24 -0400	[diff] [blame]	230	ssl->ctx->dos_protection_cb(&client_hello) == 0) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	231	/* Connection rejected for DOS reasons. */
				232	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
David Benjamin	2c66e07	2016-09-16 15:58:00 -0400	[diff] [blame]	233	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	234	return ssl_hs_error;
				235	}
				236
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	237	/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
				238	* deferred. Complete it now. */
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	239	if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
David Benjamin	9ef31f0	2016-10-31 18:01:13 -0400	[diff] [blame]	240	ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
				241	return ssl_hs_error;
				242	}
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	243
David Benjamin	f71036e	2017-01-21 14:49:39 -0500	[diff] [blame]	244	/* The PRF hash is now known. Set up the key schedule and hash the
				245	* ClientHello. */
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	246	size_t hash_len =
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	247	EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
David Benjamin	f71036e	2017-01-21 14:49:39 -0500	[diff] [blame]	248	if (!tls13_init_key_schedule(hs) \|\|
				249	!ssl_hash_current_message(ssl)) {
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	250	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	251	}
				252
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	253	/* Incorporate the PSK into the running secret. */
				254	if (ssl->s3->session_reused) {
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	255	if (!tls13_advance_key_schedule(hs, ssl->s3->new_session->master_key,
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	256	ssl->s3->new_session->master_key_length)) {
				257	return ssl_hs_error;
				258	}
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	259	} else if (!tls13_advance_key_schedule(hs, kZeroes, hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	260	return ssl_hs_error;
				261	}
				262
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	263	ssl->method->received_flight(ssl);
				264
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	265	/* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	266	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	267	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	268	if (need_retry) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	269	hs->tls13_state = state_send_hello_retry_request;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	270	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	271	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	272	return ssl_hs_error;
				273	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	274
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	275	hs->tls13_state = state_send_server_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	276	return ssl_hs_ok;
				277	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	278
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	279	static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
				280	SSL *const ssl = hs->ssl;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	281	CBB cbb, body, extensions;
				282	uint16_t group_id;
				283	if (!ssl->method->init_message(ssl, &cbb, &body,
				284	SSL3_MT_HELLO_RETRY_REQUEST) \|\|
				285	!CBB_add_u16(&body, ssl->version) \|\|
David Benjamin	f3c8f8d	2016-11-17 17:20:47 +0900	[diff] [blame]	286	!tls1_get_shared_group(hs, &group_id) \|\|
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	287	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	3baa6e1	2016-10-07 21:10:38 -0400	[diff] [blame]	288	!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) \|\|
				289	!CBB_add_u16(&extensions, 2 /* length */) \|\|
				290	!CBB_add_u16(&extensions, group_id) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	291	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	292	CBB_cleanup(&cbb);
				293	return ssl_hs_error;
				294	}
				295
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	296	hs->tls13_state = state_process_second_client_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	297	return ssl_hs_flush_and_read_message;
				298	}
				299
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	300	static enum ssl_hs_wait_t do_process_second_client_hello(SSL_HANDSHAKE *hs) {
				301	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	302	if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	303	return ssl_hs_error;
				304	}
				305
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	306	SSL_CLIENT_HELLO client_hello;
				307	if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
				308	ssl->init_num)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	309	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
				310	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				311	return ssl_hs_error;
				312	}
				313
				314	int need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	315	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	316	if (need_retry) {
				317	/* Only send one HelloRetryRequest. */
				318	ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
				319	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	320	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	321	return ssl_hs_error;
				322	}
				323
David Benjamin	ced9479	2016-11-14 17:12:11 +0900	[diff] [blame]	324	if (!ssl_hash_current_message(ssl)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	325	return ssl_hs_error;
				326	}
				327
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	328	ssl->method->received_flight(ssl);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	329	hs->tls13_state = state_send_server_hello;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	330	return ssl_hs_ok;
				331	}
				332
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	333	static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
				334	SSL *const ssl = hs->ssl;
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	335
				336	/* Send a ServerHello. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	337	CBB cbb, body, extensions;
				338	if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) \|\|
				339	!CBB_add_u16(&body, ssl->version) \|\|
				340	!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) \|\|
				341	!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) \|\|
				342	!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) \|\|
				343	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	344	!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) \|\|
David Benjamin	6f600d6	2016-12-21 16:06:54 -0500	[diff] [blame]	345	!ssl_ext_key_share_add_serverhello(hs, &extensions)) {
				346	goto err;
				347	}
				348
				349	if (ssl->s3->short_header) {
				350	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_short_header) \|\|
				351	!CBB_add_u16(&extensions, 0 /* empty extension */)) {
				352	goto err;
				353	}
				354	}
				355
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	356	if (!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	357	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	358	}
				359
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	360	/* Derive and enable the handshake traffic secrets. */
Steven Valdez	4cb8494	2016-12-16 11:29:28 -0500	[diff] [blame]	361	if (!tls13_derive_handshake_secrets(hs) \|\|
				362	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
				363	hs->hash_len) \|\|
				364	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
				365	hs->hash_len)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	366	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	367	}
				368
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	369	/* Send EncryptedExtensions. */
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	370	if (!ssl->method->init_message(ssl, &cbb, &body,
				371	SSL3_MT_ENCRYPTED_EXTENSIONS) \|\|
David Benjamin	8c880a2	2016-12-03 02:20:34 -0500	[diff] [blame]	372	!ssl_add_serverhello_tlsext(hs, &body) \|\|
David Benjamin	daf207a	2017-01-03 18:37:41 -0500	[diff] [blame]	373	!ssl_add_message_cbb(ssl, &cbb)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	374	goto err;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	375	}
				376
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	377	/* Determine whether to request a client certificate. */
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	378	hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
Steven Valdez	803c77a	2016-09-06 14:13:43 -0400	[diff] [blame]	379	/* CertificateRequest may only be sent in non-resumption handshakes. */
				380	if (ssl->s3->session_reused) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	381	hs->cert_request = 0;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	382	}
				383
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	384	/* Send a CertificateRequest, if necessary. */
				385	if (hs->cert_request) {
				386	CBB sigalgs_cbb;
				387	if (!ssl->method->init_message(ssl, &cbb, &body,
				388	SSL3_MT_CERTIFICATE_REQUEST) \|\|
				389	!CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
				390	goto err;
				391	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	392
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	393	const uint16_t *sigalgs;
				394	size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
				395	if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
				396	goto err;
				397	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	398
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	399	for (size_t i = 0; i < num_sigalgs; i++) {
				400	if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
				401	goto err;
				402	}
				403	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	404
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	405	if (!ssl_add_client_CA_list(ssl, &body) \|\|
				406	!CBB_add_u16(&body, 0 /* empty certificate_extensions. */) \|\|
				407	!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	408	goto err;
				409	}
				410	}
				411
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	412	/* Send the server Certificate message, if necessary. */
				413	if (!ssl->s3->session_reused) {
				414	if (!ssl_has_certificate(ssl)) {
				415	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
				416	goto err;
				417	}
				418
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	419	if (!tls13_add_certificate(hs)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	420	goto err;
				421	}
				422
				423	hs->tls13_state = state_send_server_certificate_verify;
				424	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	425	}
				426
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	427	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	428	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	429
				430	err:
				431	CBB_cleanup(&cbb);
				432	return ssl_hs_error;
				433	}
				434
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	435	static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	436	int is_first_run) {
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	437	switch (tls13_add_certificate_verify(hs, is_first_run)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	438	case ssl_private_key_success:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	439	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	440	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	441
				442	case ssl_private_key_retry:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	443	hs->tls13_state = state_complete_server_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	444	return ssl_hs_private_key_operation;
				445
				446	case ssl_private_key_failure:
				447	return ssl_hs_error;
				448	}
				449
				450	assert(0);
				451	return ssl_hs_error;
				452	}
				453
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	454	static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	455	SSL *const ssl = hs->ssl;
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	456	if (!tls13_add_finished(hs) \|\|
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	457	/* Update the secret to the master secret and derive traffic keys. */
				458	!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	459	!tls13_derive_application_secrets(hs) \|\|
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	460	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
				461	hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	462	return ssl_hs_error;
				463	}
				464
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	465	hs->tls13_state = state_process_client_certificate;
David Benjamin	f2401eb	2016-07-18 22:25:05 +0200	[diff] [blame]	466	return ssl_hs_flush_and_read_message;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	467	}
				468
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	469	static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) {
				470	SSL *const ssl = hs->ssl;
				471	if (!hs->cert_request) {
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	472	/* OpenSSL returns X509_V_OK when no certificates are requested. This is
David Benjamin	dd634eb	2016-08-18 16:40:28 -0400	[diff] [blame]	473	* classed by them as a bug, but it's assumed by at least NGINX. */
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	474	ssl->s3->new_session->verify_result = X509_V_OK;
				475
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	476	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	477	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	478	return ssl_hs_ok;
				479	}
				480
David Benjamin	4087df9	2016-08-01 20:16:31 -0400	[diff] [blame]	481	const int allow_anonymous =
				482	(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
				483
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	484	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	485	!tls13_process_certificate(hs, allow_anonymous) \|\|
David Benjamin	ced9479	2016-11-14 17:12:11 +0900	[diff] [blame]	486	!ssl_hash_current_message(ssl)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	487	return ssl_hs_error;
				488	}
				489
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	490	hs->tls13_state = state_process_client_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	491	return ssl_hs_read_message;
				492	}
				493
				494	static enum ssl_hs_wait_t do_process_client_certificate_verify(
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	495	SSL_HANDSHAKE *hs) {
				496	SSL *const ssl = hs->ssl;
Adam Langley	c5ac2b6	2016-11-07 12:02:35 -0800	[diff] [blame]	497	if (ssl->s3->new_session->x509_peer == NULL) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	498	/* Skip this state. */
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	499	hs->tls13_state = state_process_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	500	return ssl_hs_ok;
				501	}
				502
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	503	if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) \|\|
Adam Langley	0c29425	2016-12-12 11:46:09 -0800	[diff] [blame]	504	!tls13_process_certificate_verify(hs) \|\|
David Benjamin	ced9479	2016-11-14 17:12:11 +0900	[diff] [blame]	505	!ssl_hash_current_message(ssl)) {
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	506	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	507	}
				508
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	509	hs->tls13_state = state_process_channel_id;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	510	return ssl_hs_read_message;
				511	}
				512
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	513	static enum ssl_hs_wait_t do_process_channel_id(SSL_HANDSHAKE *hs) {
				514	SSL *const ssl = hs->ssl;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	515	if (!ssl->s3->tlsext_channel_id_valid) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	516	hs->tls13_state = state_process_client_finished;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	517	return ssl_hs_ok;
				518	}
				519
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	520	if (!ssl_check_message_type(ssl, SSL3_MT_CHANNEL_ID) \|\|
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	521	!tls1_verify_channel_id(ssl) \|\|
David Benjamin	ced9479	2016-11-14 17:12:11 +0900	[diff] [blame]	522	!ssl_hash_current_message(ssl)) {
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	523	return ssl_hs_error;
				524	}
				525
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	526	hs->tls13_state = state_process_client_finished;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	527	return ssl_hs_read_message;
				528	}
				529
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	530	static enum ssl_hs_wait_t do_process_client_finished(SSL_HANDSHAKE *hs) {
				531	SSL *const ssl = hs->ssl;
David Benjamin	276b7e8	2017-01-21 14:13:39 -0500	[diff] [blame]	532	if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	533	!tls13_process_finished(hs) \|\|
David Benjamin	ced9479	2016-11-14 17:12:11 +0900	[diff] [blame]	534	!ssl_hash_current_message(ssl) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	535	/* evp_aead_seal keys have already been switched. */
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	536	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
				537	hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	538	!tls13_derive_resumption_secret(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	539	return ssl_hs_error;
				540	}
				541
David Benjamin	613fe3b	2016-07-22 17:39:29 +0200	[diff] [blame]	542	ssl->method->received_flight(ssl);
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	543
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	544	/* Rebase the session timestamp so that it is measured from ticket
David Benjamin	123db57	2016-11-03 16:59:25 -0400	[diff] [blame]	545	* issuance. */
David Benjamin	17b3083	2017-01-28 14:00:32 -0500	[diff] [blame]	546	ssl_session_rebase_time(ssl, ssl->s3->new_session);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	547	hs->tls13_state = state_send_new_session_ticket;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	548	return ssl_hs_ok;
				549	}
				550
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	551	static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	552	/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
				553	* client makes several connections before getting a renewal. */
				554	static const int kNumTickets = 2;
				555
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	556	SSL *const ssl = hs->ssl;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	557	/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
				558	* session ticket. */
				559	if (!hs->accept_psk_mode) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	560	hs->tls13_state = state_done;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	561	return ssl_hs_ok;
				562	}
				563
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	564	SSL_SESSION *session = ssl->s3->new_session;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	565	CBB cbb;
				566	CBB_zero(&cbb);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	567
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	568	for (int i = 0; i < kNumTickets; i++) {
				569	if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
				570	goto err;
				571	}
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	572
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	573	CBB body, ticket, extensions;
				574	if (!ssl->method->init_message(ssl, &cbb, &body,
				575	SSL3_MT_NEW_SESSION_TICKET) \|\|
				576	!CBB_add_u32(&body, session->timeout) \|\|
				577	!CBB_add_u32(&body, session->ticket_age_add) \|\|
				578	!CBB_add_u16_length_prefixed(&body, &ticket) \|\|
				579	!ssl_encrypt_ticket(ssl, &ticket, session) \|\|
				580	!CBB_add_u16_length_prefixed(&body, &extensions)) {
				581	goto err;
				582	}
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	583
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	584	if (ssl->ctx->enable_early_data) {
				585	session->ticket_max_early_data = kMaxEarlyDataAccepted;
				586
				587	CBB early_data_info;
				588	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) \|\|
				589	!CBB_add_u16_length_prefixed(&extensions, &early_data_info) \|\|
				590	!CBB_add_u32(&early_data_info, session->ticket_max_early_data) \|\|
				591	!CBB_flush(&extensions)) {
				592	goto err;
				593	}
				594	}
				595
				596	/* Add a fake extension. See draft-davidben-tls-grease-01. */
				597	if (!CBB_add_u16(&extensions,
				598	ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) \|\|
				599	!CBB_add_u16(&extensions, 0 /* empty */)) {
				600	goto err;
				601	}
				602
				603	if (!ssl_add_message_cbb(ssl, &cbb)) {
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	604	goto err;
				605	}
				606	}
				607
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	608	hs->session_tickets_sent++;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	609	hs->tls13_state = state_done;
				610	return ssl_hs_flush;
David Benjamin	1a5e8ec	2016-10-07 15:19:18 -0400	[diff] [blame]	611
				612	err:
				613	CBB_cleanup(&cbb);
				614	return ssl_hs_error;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	615	}
				616
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	617	enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	618	while (hs->tls13_state != state_done) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	619	enum ssl_hs_wait_t ret = ssl_hs_error;
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	620	enum server_hs_state_t state = hs->tls13_state;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	621	switch (state) {
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	622	case state_select_parameters:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	623	ret = do_select_parameters(hs);
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	624	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	625	case state_send_hello_retry_request:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	626	ret = do_send_hello_retry_request(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	627	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	628	case state_process_second_client_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	629	ret = do_process_second_client_hello(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	630	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	631	case state_send_server_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	632	ret = do_send_server_hello(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	633	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	634	case state_send_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	635	ret = do_send_server_certificate_verify(hs, 1 /* first run */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	636	break;
				637	case state_complete_server_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	638	ret = do_send_server_certificate_verify(hs, 0 /* complete */);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	639	break;
				640	case state_send_server_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	641	ret = do_send_server_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	642	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	643	case state_process_client_certificate:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	644	ret = do_process_client_certificate(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	645	break;
				646	case state_process_client_certificate_verify:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	647	ret = do_process_client_certificate_verify(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	648	break;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	649	case state_process_channel_id:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	650	ret = do_process_channel_id(hs);
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	651	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	652	case state_process_client_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	653	ret = do_process_client_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	654	break;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	655	case state_send_new_session_ticket:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	656	ret = do_send_new_session_ticket(hs);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	657	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	658	case state_done:
				659	ret = ssl_hs_ok;
				660	break;
				661	}
				662
				663	if (ret != ssl_hs_ok) {
				664	return ret;
				665	}
				666	}
				667
				668	return ssl_hs_ok;
				669	}