Adding code to send session as PSK Identity.
BUG=75
Change-Id: Ied864cfccbc0e68d71c55c5ab563da27b7253463
Reviewed-on: https://boringssl-review.googlesource.com/9043
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c
index a1aeeea..1f4475e 100644
--- a/ssl/tls13_server.c
+++ b/ssl/tls13_server.c
@@ -58,9 +58,14 @@
return tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len);
}
- /* TODO(davidben): Support PSK. */
- OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
- return 0;
+ uint8_t resumption_psk[EVP_MAX_MD_SIZE];
+ if (!tls13_resumption_psk(ssl, resumption_psk, hs->hash_len,
+ ssl->s3->new_session) ||
+ !tls13_advance_key_schedule(ssl, resumption_psk, hs->hash_len)) {
+ return 0;
+ }
+
+ return 1;
}
static int resolve_ecdhe_secret(SSL *ssl, int *out_need_retry,
@@ -123,10 +128,45 @@
}
memcpy(ssl->s3->client_random, client_hello.random, client_hello.random_len);
- SSL_set_session(ssl, NULL);
- if (!ssl_get_new_session(ssl, 1 /* server */)) {
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return ssl_hs_error;
+ uint8_t alert = SSL_AD_DECODE_ERROR;
+ SSL_SESSION *session = NULL;
+ CBS pre_shared_key;
+ if (ssl_early_callback_get_extension(&client_hello, &pre_shared_key,
+ TLSEXT_TYPE_pre_shared_key) &&
+ !ssl_ext_pre_shared_key_parse_clienthello(ssl, &session, &alert,
+ &pre_shared_key)) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
+ return 0;
+ }
+
+ uint16_t resumption_cipher;
+ if (session != NULL &&
+ /* We currently only support ECDHE-PSK resumption. */
+ ((session->ticket_flags & SSL_TICKET_ALLOW_DHE_RESUMPTION) == 0 ||
+ /* Only resume if the session's version matches. */
+ session->ssl_version != ssl->version ||
+ !ssl_cipher_get_ecdhe_psk_cipher(session->cipher, &resumption_cipher) ||
+ !ssl_client_cipher_list_contains_cipher(&client_hello,
+ resumption_cipher))) {
+ SSL_SESSION_free(session);
+ session = NULL;
+ }
+
+ if (session == NULL) {
+ if (!ssl_get_new_session(ssl, 1 /* server */)) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return ssl_hs_error;
+ }
+ } else {
+ /* Only authentication information carries over in TLS 1.3. */
+ ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
+ if (ssl->s3->new_session == NULL) {
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return ssl_hs_error;
+ }
+ ssl->s3->session_reused = 1;
+ ssl->verify_result = session->verify_result;
+ SSL_SESSION_free(session);
}
if (ssl->ctx->dos_protection_cb != NULL &&
@@ -156,17 +196,19 @@
}
static enum ssl_hs_wait_t do_select_parameters(SSL *ssl, SSL_HANDSHAKE *hs) {
- /* Call |cert_cb| to update server certificates if required. */
- if (ssl->cert->cert_cb != NULL) {
- int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
- if (rv == 0) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
- return ssl_hs_error;
- }
- if (rv < 0) {
- hs->state = state_select_parameters;
- return ssl_hs_x509_lookup;
+ if (!ssl->s3->session_reused) {
+ /* Call |cert_cb| to update server certificates if required. */
+ if (ssl->cert->cert_cb != NULL) {
+ int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
+ if (rv == 0) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+ return ssl_hs_error;
+ }
+ if (rv < 0) {
+ hs->state = state_select_parameters;
+ return ssl_hs_x509_lookup;
+ }
}
}
@@ -178,25 +220,45 @@
return ssl_hs_error;
}
- const SSL_CIPHER *cipher =
- ssl3_choose_cipher(ssl, &client_hello, ssl_get_cipher_preferences(ssl));
- if (cipher == NULL) {
- OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
- ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
- return ssl_hs_error;
- }
+ if (!ssl->s3->session_reused) {
+ const SSL_CIPHER *cipher =
+ ssl3_choose_cipher(ssl, &client_hello, ssl_get_cipher_preferences(ssl));
+ if (cipher == NULL) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return ssl_hs_error;
+ }
- ssl->s3->new_session->cipher = cipher;
- ssl->s3->tmp.new_cipher = cipher;
+ ssl->s3->new_session->cipher = cipher;
+ ssl->s3->tmp.new_cipher = cipher;
+ } else {
+ uint16_t resumption_cipher;
+ if (!ssl_cipher_get_ecdhe_psk_cipher(ssl->s3->new_session->cipher,
+ &resumption_cipher)) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
+ ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ return ssl_hs_error;
+ }
+ ssl->s3->tmp.new_cipher = SSL_get_cipher_by_value(resumption_cipher);
+ }
ssl->method->received_flight(ssl);
/* The PRF hash is now known. Set up the key schedule and hash the
* ClientHello. */
- size_t hash_len =
+ size_t resumption_ctx_len =
EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
- if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) {
- return ssl_hs_error;
+ if (ssl->s3->session_reused) {
+ uint8_t resumption_ctx[EVP_MAX_MD_SIZE];
+ if (!tls13_resumption_context(ssl, resumption_ctx, resumption_ctx_len,
+ ssl->s3->new_session) ||
+ !tls13_init_key_schedule(ssl, resumption_ctx, resumption_ctx_len)) {
+ return ssl_hs_error;
+ }
+ } else {
+ if (!tls13_init_key_schedule(ssl, kZeroes, resumption_ctx_len)) {
+ return ssl_hs_error;
+ }
}
/* Resolve PSK and incorporate it into the secret. */
@@ -285,6 +347,7 @@
!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
!CBB_add_u16_length_prefixed(&body, &extensions) ||
+ !ssl_ext_pre_shared_key_add_serverhello(ssl, &extensions) ||
!ssl_ext_key_share_add_serverhello(ssl, &extensions) ||
!ssl->method->finish_message(ssl, &cbb)) {
CBB_cleanup(&cbb);
@@ -428,7 +491,7 @@
SSL_HANDSHAKE *hs) {
if (!ssl->s3->tmp.cert_request) {
/* Skip this state. */
- hs->state = state_process_client_certificate_verify;
+ hs->state = state_process_client_finished;
return ssl_hs_ok;
}
