Blame - ssl/tls13_server.cc - boringssl.git

blob: a3940b640f4b4013ca98952dfa4efdbee62d7075 [file] [log] [blame]

Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	1	/* Copyright (c) 2016, Google Inc.
				2	*
				3	* Permission to use, copy, modify, and/or distribute this software for any
				4	* purpose with or without fee is hereby granted, provided that the above
				5	* copyright notice and this permission notice appear in all copies.
				6	*
				7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
				8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
				9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
				10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
				11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
				12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
				13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
				14
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	15	// Per C99, various stdint.h macros are unavailable in C++ unless some macros
				16	// are defined. C++11 overruled this decision, but older Android NDKs still
				17	// require it.
David Benjamin	d304a2f	2017-07-12 23:00:28 -0400	[diff] [blame]	18	#if !defined(__STDC_LIMIT_MACROS)
				19	#define __STDC_LIMIT_MACROS
				20	#endif
				21
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	22	#include <openssl/ssl.h>
				23
				24	#include <assert.h>
				25	#include <string.h>
				26
David Benjamin	abbbee1	2016-10-31 19:20:42 -0400	[diff] [blame]	27	#include <openssl/aead.h>
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	28	#include <openssl/bytestring.h>
				29	#include <openssl/digest.h>
				30	#include <openssl/err.h>
				31	#include <openssl/mem.h>
				32	#include <openssl/rand.h>
				33	#include <openssl/stack.h>
				34
David Benjamin	17cf2cb	2016-12-13 01:07:13 -0500	[diff] [blame]	35	#include "../crypto/internal.h"
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	36	#include "internal.h"
				37
				38
David Benjamin	86e95b8	2017-07-18 16:34:25 -0400	[diff] [blame]	39	namespace bssl {
				40
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	41	enum server_hs_state_t {
David Benjamin	daa0539	2017-02-02 23:33:21 -0500	[diff] [blame]	42	state_select_parameters = 0,
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	43	state_select_session,
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	44	state_send_hello_retry_request,
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	45	state_read_second_client_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	46	state_send_server_hello,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	47	state_send_server_certificate_verify,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	48	state_send_server_finished,
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	49	state_read_second_client_flight,
				50	state_process_end_of_early_data,
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	51	state_read_client_certificate,
				52	state_read_client_certificate_verify,
				53	state_read_channel_id,
				54	state_read_client_finished,
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	55	state_send_new_session_ticket,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	56	state_done,
				57	};
				58
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	59	static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
				60
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	61	static int resolve_ecdhe_secret(SSL_HANDSHAKE hs, bool out_need_retry,
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	62	SSL_CLIENT_HELLO *client_hello) {
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	63	SSL *const ssl = hs->ssl;
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	64	*out_need_retry = false;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	65
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	66	// We only support connections that include an ECDHE key exchange.
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	67	CBS key_share;
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	68	if (!ssl_client_hello_get_extension(client_hello, &key_share,
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	69	TLSEXT_TYPE_key_share)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	70	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	71	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	72	return 0;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	73	}
				74
David Benjamin	74795b3	2017-08-31 15:13:12 -0400	[diff] [blame]	75	bool found_key_share;
David Benjamin	499742c	2017-07-22 12:45:38 -0400	[diff] [blame]	76	Array<uint8_t> dhe_secret;
David Benjamin	7e1f984	2016-09-20 19:24:40 -0400	[diff] [blame]	77	uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	78	if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
David Benjamin	499742c	2017-07-22 12:45:38 -0400	[diff] [blame]	79	&alert, &key_share)) {
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	80	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	81	return 0;
				82	}
				83
				84	if (!found_key_share) {
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	85	*out_need_retry = true;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	86	return 0;
				87	}
				88
David Benjamin	499742c	2017-07-22 12:45:38 -0400	[diff] [blame]	89	return tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size());
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	90	}
				91
Steven Valdez	038da9b	2017-07-10 12:57:25 -0400	[diff] [blame]	92	static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
				93	CBB *out) {
				94	CBB contents;
				95	if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) \|\|
				96	!CBB_add_u16_length_prefixed(out, &contents) \|\|
				97	!CBB_add_u16(&contents, hs->ssl->version) \|\|
				98	!CBB_flush(out)) {
				99	return 0;
				100	}
				101
				102	return 1;
				103	}
				104
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	105	static const SSL_CIPHER *choose_tls13_cipher(
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	106	const SSL ssl, const SSL_CLIENT_HELLO client_hello) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	107	if (client_hello->cipher_suites_len % 2 != 0) {
				108	return NULL;
				109	}
				110
				111	CBS cipher_suites;
				112	CBS_init(&cipher_suites, client_hello->cipher_suites,
				113	client_hello->cipher_suites_len);
				114
				115	const int aes_is_fine = EVP_has_aes_hardware();
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	116	const uint16_t version = ssl_protocol_version(ssl);
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	117
				118	const SSL_CIPHER *best = NULL;
				119	while (CBS_len(&cipher_suites) > 0) {
				120	uint16_t cipher_suite;
				121	if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
				122	return NULL;
				123	}
				124
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	125	// Limit to TLS 1.3 ciphers we know about.
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	126	const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	127	if (candidate == NULL \|\|
				128	SSL_CIPHER_get_min_version(candidate) > version \|\|
				129	SSL_CIPHER_get_max_version(candidate) < version) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	130	continue;
				131	}
				132
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	133	// TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
				134	// ChaCha20 if we do not have AES hardware.
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	135	if (aes_is_fine) {
				136	return candidate;
				137	}
				138
				139	if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
				140	return candidate;
				141	}
				142
				143	if (best == NULL) {
				144	best = candidate;
				145	}
				146	}
				147
				148	return best;
				149	}
				150
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	151	static bool add_new_session_tickets(SSL_HANDSHAKE hs, bool out_sent_tickets) {
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	152	SSL *const ssl = hs->ssl;
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	153	if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
				154	// session ticket.
				155	!hs->accept_psk_mode \|\|
				156	// We only implement stateless resumption in TLS 1.3, so skip sending
				157	// tickets if disabled.
				158	(SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {
				159	*out_sent_tickets = false;
				160	return true;
				161	}
				162
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	163	// TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
				164	// the client makes several connections before getting a renewal.
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	165	static const int kNumTickets = 2;
				166
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	167	// Rebase the session timestamp so that it is measured from ticket
				168	// issuance.
David Benjamin	31b0c9b	2017-07-20 14:49:15 -0400	[diff] [blame]	169	ssl_session_rebase_time(ssl, hs->new_session.get());
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	170
				171	for (int i = 0; i < kNumTickets; i++) {
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	172	UniquePtr<SSL_SESSION> session(
				173	SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
				174	if (!session) {
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	175	return false;
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	176	}
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	177
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	178	if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	179	return false;
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	180	}
David Benjamin	a3a71e9	2018-06-29 13:24:45 -0400	[diff] [blame]	181	session->ticket_age_add_valid = true;
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	182	if (ssl->enable_early_data) {
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	183	session->ticket_max_early_data = kMaxEarlyDataAccepted;
Steven Valdez	be165a2	2017-10-10 11:45:01 -0400	[diff] [blame]	184	}
				185
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	186	static_assert(kNumTickets < 256, "Too many tickets");
				187	uint8_t nonce[] = {static_cast<uint8_t>(i)};
				188
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	189	ScopedCBB cbb;
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	190	CBB body, nonce_cbb, ticket, extensions;
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	191	if (!ssl->method->init_message(ssl, cbb.get(), &body,
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	192	SSL3_MT_NEW_SESSION_TICKET) \|\|
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	193	!CBB_add_u32(&body, session->timeout) \|\|
				194	!CBB_add_u32(&body, session->ticket_age_add) \|\|
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	195	!CBB_add_u8_length_prefixed(&body, &nonce_cbb) \|\|
				196	!CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) \|\|
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	197	!CBB_add_u16_length_prefixed(&body, &ticket) \|\|
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	198	!tls13_derive_session_psk(session.get(), nonce) \|\|
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	199	!ssl_encrypt_ticket(hs, &ticket, session.get()) \|\|
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	200	!CBB_add_u16_length_prefixed(&body, &extensions)) {
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	201	return false;
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	202	}
				203
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	204	if (ssl->enable_early_data) {
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	205	CBB early_data_info;
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	206	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) \|\|
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	207	!CBB_add_u16_length_prefixed(&extensions, &early_data_info) \|\|
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	208	!CBB_add_u32(&early_data_info, session->ticket_max_early_data) \|\|
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	209	!CBB_flush(&extensions)) {
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	210	return false;
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	211	}
				212	}
				213
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	214	// Add a fake extension. See draft-davidben-tls-grease-01.
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	215	if (!CBB_add_u16(&extensions,
David Benjamin	a7bc944	2018-01-18 10:08:53 -0500	[diff] [blame]	216	ssl_get_grease_value(hs, ssl_grease_ticket_extension)) \|\|
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	217	!CBB_add_u16(&extensions, 0 /* empty */)) {
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	218	return false;
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	219	}
				220
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	221	if (!ssl_add_message_cbb(ssl, cbb.get())) {
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	222	return false;
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	223	}
				224	}
				225
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	226	*out_sent_tickets = true;
				227	return true;
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	228	}
				229
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	230	static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	231	// At this point, most ClientHello extensions have already been processed by
				232	// the common handshake logic. Resolve the remaining non-PSK parameters.
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	233	SSL *const ssl = hs->ssl;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	234	SSLMessage msg;
				235	if (!ssl->method->get_message(ssl, &msg)) {
				236	return ssl_hs_read_message;
				237	}
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	238	SSL_CLIENT_HELLO client_hello;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	239	if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	240	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	241	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
David Benjamin	34202b9	2016-11-16 19:07:53 +0900	[diff] [blame]	242	return ssl_hs_error;
				243	}
				244
Steven Valdez	520e122	2017-06-13 12:45:25 -0400	[diff] [blame]	245	OPENSSL_memcpy(hs->session_id, client_hello.session_id,
				246	client_hello.session_id_len);
				247	hs->session_id_len = client_hello.session_id_len;
				248
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	249	// Negotiate the cipher suite.
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	250	hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);
				251	if (hs->new_cipher == NULL) {
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	252	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	253	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	254	return ssl_hs_error;
				255	}
				256
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	257	// HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
				258	// deferred. Complete it now.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	259	uint8_t alert = SSL_AD_DECODE_ERROR;
				260	if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	261	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	262	return ssl_hs_error;
				263	}
				264
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	265	// The PRF hash is now known. Set up the key schedule and hash the
				266	// ClientHello.
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	267	if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
				268	return ssl_hs_error;
				269	}
				270
				271	if (!ssl_hash_message(hs, msg)) {
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	272	return ssl_hs_error;
				273	}
				274
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	275	hs->tls13_state = state_select_session;
				276	return ssl_hs_ok;
				277	}
Steven Valdez	908ac19	2017-01-12 13:17:07 -0500	[diff] [blame]	278
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	279	static enum ssl_ticket_aead_result_t select_session(
David Benjamin	37af90f	2017-07-29 01:42:16 -0400	[diff] [blame]	280	SSL_HANDSHAKE hs, uint8_t out_alert, UniquePtr<SSL_SESSION> *out_session,
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	281	int32_t *out_ticket_age_skew, const SSLMessage &msg,
				282	const SSL_CLIENT_HELLO *client_hello) {
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	283	SSL *const ssl = hs->ssl;
				284	*out_session = NULL;
				285
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	286	// Decode the ticket if we agreed on a PSK key exchange mode.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	287	CBS pre_shared_key;
				288	if (!hs->accept_psk_mode \|\|
				289	!ssl_client_hello_get_extension(client_hello, &pre_shared_key,
				290	TLSEXT_TYPE_pre_shared_key)) {
				291	return ssl_ticket_aead_ignore_ticket;
				292	}
				293
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	294	// Verify that the pre_shared_key extension is the last extension in
				295	// ClientHello.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	296	if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
				297	client_hello->extensions + client_hello->extensions_len) {
				298	OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
				299	*out_alert = SSL_AD_ILLEGAL_PARAMETER;
				300	return ssl_ticket_aead_error;
				301	}
				302
				303	CBS ticket, binders;
				304	uint32_t client_ticket_age;
				305	if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &ticket, &binders,
				306	&client_ticket_age, out_alert,
				307	&pre_shared_key)) {
				308	return ssl_ticket_aead_error;
				309	}
				310
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	311	// TLS 1.3 session tickets are renewed separately as part of the
				312	// NewSessionTicket.
David Benjamin	fd45ee7	2017-08-31 14:49:09 -0400	[diff] [blame]	313	bool unused_renew;
David Benjamin	37af90f	2017-07-29 01:42:16 -0400	[diff] [blame]	314	UniquePtr<SSL_SESSION> session;
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	315	enum ssl_ticket_aead_result_t ret =
David Benjamin	2865567	2018-07-18 23:23:25 -0400	[diff] [blame^]	316	ssl_process_ticket(hs, &session, &unused_renew, ticket, {});
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	317	switch (ret) {
				318	case ssl_ticket_aead_success:
				319	break;
				320	case ssl_ticket_aead_error:
				321	*out_alert = SSL_AD_INTERNAL_ERROR;
				322	return ret;
				323	default:
				324	return ret;
				325	}
				326
David Benjamin	37af90f	2017-07-29 01:42:16 -0400	[diff] [blame]	327	if (!ssl_session_is_resumable(hs, session.get()) \|\|
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	328	// Historically, some TLS 1.3 tickets were missing ticket_age_add.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	329	!session->ticket_age_add_valid) {
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	330	return ssl_ticket_aead_ignore_ticket;
				331	}
				332
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	333	// Recover the client ticket age and convert to seconds.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	334	client_ticket_age -= session->ticket_age_add;
				335	client_ticket_age /= 1000;
				336
				337	struct OPENSSL_timeval now;
				338	ssl_get_current_time(ssl, &now);
				339
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	340	// Compute the server ticket age in seconds.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	341	assert(now.tv_sec >= session->time);
				342	uint64_t server_ticket_age = now.tv_sec - session->time;
				343
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	344	// To avoid overflowing \|hs->ticket_age_skew\|, we will not resume
				345	// 68-year-old sessions.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	346	if (server_ticket_age > INT32_MAX) {
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	347	return ssl_ticket_aead_ignore_ticket;
				348	}
				349
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	350	// TODO(davidben,svaldez): Measure this value to decide on tolerance. For
				351	// now, accept all values. https://crbug.com/boringssl/113.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	352	*out_ticket_age_skew =
				353	(int32_t)client_ticket_age - (int32_t)server_ticket_age;
				354
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	355	// Check the PSK binder.
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	356	if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	357	*out_alert = SSL_AD_DECRYPT_ERROR;
				358	return ssl_ticket_aead_error;
				359	}
				360
David Benjamin	37af90f	2017-07-29 01:42:16 -0400	[diff] [blame]	361	*out_session = std::move(session);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	362	return ssl_ticket_aead_success;
				363	}
				364
				365	static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
				366	SSL *const ssl = hs->ssl;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	367	SSLMessage msg;
				368	if (!ssl->method->get_message(ssl, &msg)) {
				369	return ssl_hs_read_message;
				370	}
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	371	SSL_CLIENT_HELLO client_hello;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	372	if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	373	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	374	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	375	return ssl_hs_error;
				376	}
				377
David Benjamin	4eb95cc	2016-11-16 17:08:23 +0900	[diff] [blame]	378	uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin	37af90f	2017-07-29 01:42:16 -0400	[diff] [blame]	379	UniquePtr<SSL_SESSION> session;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	380	switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew, msg,
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	381	&client_hello)) {
				382	case ssl_ticket_aead_ignore_ticket:
David Benjamin	37af90f	2017-07-29 01:42:16 -0400	[diff] [blame]	383	assert(!session);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	384	if (!ssl_get_new_session(hs, 1 /* server */)) {
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	385	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
David Benjamin	f01f42a	2016-11-16 19:05:33 +0900	[diff] [blame]	386	return ssl_hs_error;
				387	}
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	388	break;
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	389
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	390	case ssl_ticket_aead_success:
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	391	// Carry over authentication information from the previous handshake into
				392	// a fresh session.
David Benjamin	37af90f	2017-07-29 01:42:16 -0400	[diff] [blame]	393	hs->new_session =
				394	SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	395
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	396	if (ssl->enable_early_data &&
David Benjamin	8e7bbba	2017-10-13 17:18:35 -0400	[diff] [blame]	397	// Early data must be acceptable for this ticket.
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	398	session->ticket_max_early_data != 0 &&
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	399	// The client must have offered early data.
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	400	hs->early_data_offered &&
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	401	// Channel ID is incompatible with 0-RTT.
David Benjamin	4685376	2018-07-03 14:01:26 -0400	[diff] [blame]	402	!ssl->s3->channel_id_valid &&
Nick Harper	36fcc4c	2017-09-21 15:02:22 -0700	[diff] [blame]	403	// If Token Binding is negotiated, reject 0-RTT.
David Benjamin	9f0e7cb	2018-04-12 15:36:30 -0400	[diff] [blame]	404	!ssl->s3->token_binding_negotiated &&
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	405	// The negotiated ALPN must match the one in the ticket.
David Benjamin	bfdd1a9	2018-06-29 16:26:38 -0400	[diff] [blame]	406	MakeConstSpan(ssl->s3->alpn_selected) == session->early_alpn) {
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	407	ssl->s3->early_data_accepted = true;
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	408	}
				409
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	410	if (hs->new_session == NULL) {
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	411	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	412	return ssl_hs_error;
				413	}
				414
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	415	ssl->s3->session_reused = true;
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	416
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	417	// Resumption incorporates fresh key material, so refresh the timeout.
David Benjamin	98472cb	2018-05-02 16:05:36 -0400	[diff] [blame]	418	ssl_session_renew_timeout(ssl, hs->new_session.get(),
				419	ssl->session_ctx->session_psk_dhe_timeout);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	420	break;
				421
				422	case ssl_ticket_aead_error:
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	423	ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	424	return ssl_hs_error;
				425
				426	case ssl_ticket_aead_retry:
				427	hs->tls13_state = state_select_session;
				428	return ssl_hs_pending_ticket;
				429	}
				430
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	431	// Record connection properties in the new session.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	432	hs->new_session->cipher = hs->new_cipher;
				433
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	434	// Store the initial negotiated ALPN in the session.
David Benjamin	bfdd1a9	2018-06-29 16:26:38 -0400	[diff] [blame]	435	if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
				436	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
				437	return ssl_hs_error;
Steven Valdez	27a9e6a	2017-02-14 13:20:40 -0500	[diff] [blame]	438	}
				439
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	440	if (ssl->ctx->dos_protection_cb != NULL &&
				441	ssl->ctx->dos_protection_cb(&client_hello) == 0) {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	442	// Connection rejected for DOS reasons.
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	443	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	444	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	445	return ssl_hs_error;
				446	}
				447
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	448	size_t hash_len = EVP_MD_size(
				449	ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
				450
				451	// Set up the key schedule and incorporate the PSK into the running secret.
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	452	if (ssl->s3->session_reused) {
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	453	if (!tls13_init_key_schedule(hs, hs->new_session->master_key,
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	454	hs->new_session->master_key_length)) {
David Benjamin	8f820b4	2016-11-30 11:24:40 -0500	[diff] [blame]	455	return ssl_hs_error;
				456	}
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	457	} else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	458	return ssl_hs_error;
				459	}
				460
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	461	if (ssl->s3->early_data_accepted) {
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	462	if (!tls13_derive_early_secrets(hs)) {
				463	return ssl_hs_error;
				464	}
				465	} else if (hs->early_data_offered) {
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	466	ssl->s3->skip_early_data = true;
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	467	}
				468
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	469	// Resolve ECDHE and incorporate it into the secret.
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	470	bool need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	471	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	472	if (need_retry) {
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	473	ssl->s3->early_data_accepted = false;
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	474	ssl->s3->skip_early_data = true;
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	475	ssl->method->next_message(ssl);
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	476	if (!hs->transcript.UpdateForHelloRetryRequest()) {
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	477	return ssl_hs_error;
				478	}
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	479	hs->tls13_state = state_send_hello_retry_request;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	480	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	481	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	482	return ssl_hs_error;
				483	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	484
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	485	ssl->method->next_message(ssl);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	486	hs->tls13_state = state_send_server_hello;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	487	return ssl_hs_ok;
				488	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	489
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	490	static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
				491	SSL *const ssl = hs->ssl;
Steven Valdez	964b237	2017-11-07 17:09:52 -0500	[diff] [blame]	492
				493
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	494	ScopedCBB cbb;
				495	CBB body, session_id, extensions;
				496	uint16_t group_id;
				497	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) \|\|
				498	!CBB_add_u16(&body, TLS1_2_VERSION) \|\|
				499	!CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) \|\|
				500	!CBB_add_u8_length_prefixed(&body, &session_id) \|\|
				501	!CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) \|\|
				502	!CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) \|\|
				503	!CBB_add_u8(&body, 0 /* no compression */) \|\|
				504	!tls1_get_shared_group(hs, &group_id) \|\|
				505	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
				506	!CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) \|\|
				507	!CBB_add_u16(&extensions, 2 /* length */) \|\|
				508	!CBB_add_u16(&extensions, ssl->version) \|\|
				509	!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) \|\|
				510	!CBB_add_u16(&extensions, 2 /* length */) \|\|
				511	!CBB_add_u16(&extensions, group_id) \|\|
				512	!ssl_add_message_cbb(ssl, cbb.get())) {
				513	return ssl_hs_error;
				514	}
Steven Valdez	964b237	2017-11-07 17:09:52 -0500	[diff] [blame]	515
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	516	if (!ssl->method->add_change_cipher_spec(ssl)) {
				517	return ssl_hs_error;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	518	}
				519
Steven Valdez	964b237	2017-11-07 17:09:52 -0500	[diff] [blame]	520	hs->sent_hello_retry_request = true;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	521	hs->tls13_state = state_read_second_client_hello;
				522	return ssl_hs_flush;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	523	}
				524
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	525	static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	526	SSL *const ssl = hs->ssl;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	527	SSLMessage msg;
				528	if (!ssl->method->get_message(ssl, &msg)) {
				529	return ssl_hs_read_message;
				530	}
				531	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	532	return ssl_hs_error;
				533	}
David Benjamin	731058e	2016-12-03 23:15:13 -0500	[diff] [blame]	534	SSL_CLIENT_HELLO client_hello;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	535	if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	536	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	537	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	538	return ssl_hs_error;
				539	}
				540
David Benjamin	046bc1f	2017-08-31 15:06:42 -0400	[diff] [blame]	541	bool need_retry;
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	542	if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	543	if (need_retry) {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	544	// Only send one HelloRetryRequest.
David Benjamin	d1e3ce1	2017-10-06 18:31:15 -0400	[diff] [blame]	545	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	546	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	547	}
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	548	return ssl_hs_error;
				549	}
				550
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	551	if (!ssl_hash_message(hs, msg)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	552	return ssl_hs_error;
				553	}
				554
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	555	ssl->method->next_message(ssl);
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	556	hs->tls13_state = state_send_server_hello;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	557	return ssl_hs_ok;
				558	}
				559
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	560	static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
				561	SSL *const ssl = hs->ssl;
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	562
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	563	// Send a ServerHello.
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	564	ScopedCBB cbb;
				565	CBB body, extensions, session_id;
				566	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) \|\|
Steven Valdez	64cc121	2017-12-04 11:15:37 -0500	[diff] [blame]	567	!CBB_add_u16(&body, TLS1_2_VERSION) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	568	!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) \|\|
				569	!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) \|\|
Steven Valdez	64cc121	2017-12-04 11:15:37 -0500	[diff] [blame]	570	!CBB_add_u8_length_prefixed(&body, &session_id) \|\|
				571	!CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) \|\|
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	572	!CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) \|\|
Steven Valdez	64cc121	2017-12-04 11:15:37 -0500	[diff] [blame]	573	!CBB_add_u8(&body, 0) \|\|
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	574	!CBB_add_u16_length_prefixed(&body, &extensions) \|\|
David Benjamin	8baf963	2016-11-17 17:11:16 +0900	[diff] [blame]	575	!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) \|\|
Steven Valdez	924a352	2017-03-02 16:05:03 -0500	[diff] [blame]	576	!ssl_ext_key_share_add_serverhello(hs, &extensions) \|\|
Steven Valdez	64cc121	2017-12-04 11:15:37 -0500	[diff] [blame]	577	!ssl_ext_supported_versions_add_serverhello(hs, &extensions) \|\|
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	578	!ssl_add_message_cbb(ssl, cbb.get())) {
				579	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	580	}
				581
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	582	if (!hs->sent_hello_retry_request &&
David Benjamin	666d16e	2017-10-06 18:45:16 -0400	[diff] [blame]	583	!ssl->method->add_change_cipher_spec(ssl)) {
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	584	return ssl_hs_error;
Steven Valdez	520e122	2017-06-13 12:45:25 -0400	[diff] [blame]	585	}
				586
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	587	// Derive and enable the handshake traffic secrets.
Steven Valdez	4cb8494	2016-12-16 11:29:28 -0500	[diff] [blame]	588	if (!tls13_derive_handshake_secrets(hs) \|\|
Steven Valdez	4cb8494	2016-12-16 11:29:28 -0500	[diff] [blame]	589	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
				590	hs->hash_len)) {
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	591	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	592	}
				593
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	594	// Send EncryptedExtensions.
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	595	if (!ssl->method->init_message(ssl, cbb.get(), &body,
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	596	SSL3_MT_ENCRYPTED_EXTENSIONS) \|\|
David Benjamin	8c880a2	2016-12-03 02:20:34 -0500	[diff] [blame]	597	!ssl_add_serverhello_tlsext(hs, &body) \|\|
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	598	!ssl_add_message_cbb(ssl, cbb.get())) {
				599	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	600	}
				601
David Benjamin	c3648fa	2017-07-01 10:50:56 -0400	[diff] [blame]	602	if (!ssl->s3->session_reused) {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	603	// Determine whether to request a client certificate.
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	604	hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	605	// Only request a certificate if Channel ID isn't negotiated.
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	606	if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
David Benjamin	4685376	2018-07-03 14:01:26 -0400	[diff] [blame]	607	ssl->s3->channel_id_valid) {
David Benjamin	fd45ee7	2017-08-31 14:49:09 -0400	[diff] [blame]	608	hs->cert_request = false;
David Benjamin	c3648fa	2017-07-01 10:50:56 -0400	[diff] [blame]	609	}
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	610	}
				611
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	612	// Send a CertificateRequest, if necessary.
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	613	if (hs->cert_request) {
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	614	CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;
				615	if (!ssl->method->init_message(ssl, cbb.get(), &body,
				616	SSL3_MT_CERTIFICATE_REQUEST) \|\|
				617	!CBB_add_u8(&body, 0 /* no certificate_request_context. */) \|\|
				618	!CBB_add_u16_length_prefixed(&body, &cert_request_extensions) \|\|
				619	!CBB_add_u16(&cert_request_extensions,
				620	TLSEXT_TYPE_signature_algorithms) \|\|
				621	!CBB_add_u16_length_prefixed(&cert_request_extensions,
				622	&sigalg_contents) \|\|
				623	!CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) \|\|
David Benjamin	e28552d	2018-04-08 13:59:25 -0400	[diff] [blame]	624	!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb,
				625	false /* online signature */)) {
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	626	return ssl_hs_error;
				627	}
				628
David Benjamin	e28552d	2018-04-08 13:59:25 -0400	[diff] [blame]	629	if (tls12_has_different_verify_sigalgs_for_certs(ssl)) {
				630	if (!CBB_add_u16(&cert_request_extensions,
				631	TLSEXT_TYPE_signature_algorithms_cert) \|\|
				632	!CBB_add_u16_length_prefixed(&cert_request_extensions,
				633	&sigalg_contents) \|\|
				634	!CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) \|\|
				635	!tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */)) {
				636	return ssl_hs_error;
				637	}
				638	}
				639
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	640	if (ssl_has_client_CAs(hs->config)) {
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	641	CBB ca_contents;
				642	if (!CBB_add_u16(&cert_request_extensions,
				643	TLSEXT_TYPE_certificate_authorities) \|\|
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	644	!CBB_add_u16_length_prefixed(&cert_request_extensions,
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	645	&ca_contents) \|\|
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	646	!ssl_add_client_CA_list(hs, &ca_contents) \|\|
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	647	!CBB_flush(&cert_request_extensions)) {
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	648	return ssl_hs_error;
				649	}
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	650	}
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	651
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	652	if (!ssl_add_message_cbb(ssl, cbb.get())) {
				653	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	654	}
				655	}
				656
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	657	// Send the server Certificate message, if necessary.
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	658	if (!ssl->s3->session_reused) {
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	659	if (!ssl_has_certificate(hs->config)) {
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	660	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	661	return ssl_hs_error;
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	662	}
				663
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	664	if (!tls13_add_certificate(hs)) {
David Benjamin	1386aad	2017-07-19 23:57:40 -0400	[diff] [blame]	665	return ssl_hs_error;
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	666	}
				667
				668	hs->tls13_state = state_send_server_certificate_verify;
				669	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	670	}
				671
David Benjamin	81b7bc3	2017-01-12 19:44:57 -0500	[diff] [blame]	672	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	673	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	674	}
				675
David Benjamin	4414874	2017-06-17 13:20:59 -0400	[diff] [blame]	676	static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
				677	switch (tls13_add_certificate_verify(hs)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	678	case ssl_private_key_success:
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	679	hs->tls13_state = state_send_server_finished;
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	680	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	681
				682	case ssl_private_key_retry:
David Benjamin	4414874	2017-06-17 13:20:59 -0400	[diff] [blame]	683	hs->tls13_state = state_send_server_certificate_verify;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	684	return ssl_hs_private_key_operation;
				685
				686	case ssl_private_key_failure:
				687	return ssl_hs_error;
				688	}
				689
				690	assert(0);
				691	return ssl_hs_error;
				692	}
				693
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	694	static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	695	SSL *const ssl = hs->ssl;
David Benjamin	0f24bed	2017-01-12 19:46:50 -0500	[diff] [blame]	696	if (!tls13_add_finished(hs) \|\|
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	697	// Update the secret to the master secret and derive traffic keys.
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	698	!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) \|\|
David Benjamin	6e4fc33	2016-11-17 16:43:08 +0900	[diff] [blame]	699	!tls13_derive_application_secrets(hs) \|\|
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	700	!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
				701	hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	702	return ssl_hs_error;
				703	}
				704
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	705	if (ssl->s3->early_data_accepted) {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	706	// If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
				707	// the wire sooner and also avoids triggering a write on \|SSL_read\| when
				708	// processing the client Finished. This requires computing the client
				709	// Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	710	static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
				711	0, 0};
				712	if (!hs->transcript.Update(kEndOfEarlyData)) {
				713	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
				714	return ssl_hs_error;
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	715	}
				716
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	717	size_t finished_len;
				718	if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,
				719	0 /* client */)) {
				720	return ssl_hs_error;
				721	}
				722
				723	if (finished_len != hs->hash_len) {
				724	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
				725	return ssl_hs_error;
				726	}
				727
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	728	// Feed the predicted Finished into the transcript. This allows us to derive
				729	// the resumption secret early and send half-RTT tickets.
				730	//
				731	// TODO(davidben): This will need to be updated for DTLS 1.3.
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	732	assert(!SSL_is_dtls(hs->ssl));
David Benjamin	d304a2f	2017-07-12 23:00:28 -0400	[diff] [blame]	733	assert(hs->hash_len <= 0xff);
David Benjamin	6dc8bf6	2017-07-19 16:38:21 -0400	[diff] [blame]	734	uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0,
				735	static_cast<uint8_t>(hs->hash_len)};
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	736	bool unused_sent_tickets;
David Benjamin	75a1f23	2017-10-11 17:19:19 -0400	[diff] [blame]	737	if (!hs->transcript.Update(header) \|\|
				738	!hs->transcript.Update(
				739	MakeConstSpan(hs->expected_client_finished, hs->hash_len)) \|\|
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	740	!tls13_derive_resumption_secret(hs) \|\|
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	741	!add_new_session_tickets(hs, &unused_sent_tickets)) {
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	742	return ssl_hs_error;
				743	}
				744	}
				745
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	746	hs->tls13_state = state_read_second_client_flight;
				747	return ssl_hs_flush;
				748	}
				749
				750	static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
				751	SSL *const ssl = hs->ssl;
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	752	if (ssl->s3->early_data_accepted) {
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	753	if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->early_traffic_secret,
				754	hs->hash_len)) {
				755	return ssl_hs_error;
				756	}
David Benjamin	fd45ee7	2017-08-31 14:49:09 -0400	[diff] [blame]	757	hs->can_early_write = true;
				758	hs->can_early_read = true;
				759	hs->in_early_data = true;
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	760	}
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	761	hs->tls13_state = state_process_end_of_early_data;
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	762	return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
				763	: ssl_hs_ok;
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	764	}
				765
				766	static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	767	SSL *const ssl = hs->ssl;
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	768	if (hs->early_data_offered) {
				769	// If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec
				770	// message will be in the discarded early data.
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	771	if (hs->ssl->s3->early_data_accepted) {
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	772	SSLMessage msg;
				773	if (!ssl->method->get_message(ssl, &msg)) {
				774	return ssl_hs_read_message;
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	775	}
Steven Valdez	7e5dd25	2018-01-22 15:20:31 -0500	[diff] [blame]	776
				777	if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
				778	return ssl_hs_error;
				779	}
				780	if (CBS_len(&msg.body) != 0) {
				781	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
				782	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
				783	return ssl_hs_error;
				784	}
				785	ssl->method->next_message(ssl);
Steven Valdez	cd8470f	2017-10-11 12:29:36 -0400	[diff] [blame]	786	}
Steven Valdez	520e122	2017-06-13 12:45:25 -0400	[diff] [blame]	787	}
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	788	if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
				789	hs->hash_len)) {
				790	return ssl_hs_error;
				791	}
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	792	hs->tls13_state = ssl->s3->early_data_accepted
				793	? state_read_client_finished
				794	: state_read_client_certificate;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	795	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	796	}
				797
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	798	static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	799	SSL *const ssl = hs->ssl;
				800	if (!hs->cert_request) {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	801	// OpenSSL returns X509_V_OK when no certificates are requested. This is
				802	// classed by them as a bug, but it's assumed by at least NGINX.
David Benjamin	45738dd	2017-02-09 20:01:26 -0500	[diff] [blame]	803	hs->new_session->verify_result = X509_V_OK;
Adam Langley	3764683	2016-08-01 16:16:46 -0700	[diff] [blame]	804
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	805	// Skip this state.
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	806	hs->tls13_state = state_read_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	807	return ssl_hs_ok;
				808	}
				809
David Benjamin	4087df9	2016-08-01 20:16:31 -0400	[diff] [blame]	810	const int allow_anonymous =
Matthew Braithwaite	b7bc80a	2018-04-13 15:51:30 -0700	[diff] [blame]	811	(hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	812	SSLMessage msg;
				813	if (!ssl->method->get_message(ssl, &msg)) {
				814	return ssl_hs_read_message;
				815	}
				816	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) \|\|
				817	!tls13_process_certificate(hs, msg, allow_anonymous) \|\|
				818	!ssl_hash_message(hs, msg)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	819	return ssl_hs_error;
				820	}
				821
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	822	ssl->method->next_message(ssl);
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	823	hs->tls13_state = state_read_client_certificate_verify;
				824	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	825	}
				826
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	827	static enum ssl_hs_wait_t do_read_client_certificate_verify(
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	828	SSL_HANDSHAKE *hs) {
				829	SSL *const ssl = hs->ssl;
David Benjamin	bfdd1a9	2018-06-29 16:26:38 -0400	[diff] [blame]	830	if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	831	// Skip this state.
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	832	hs->tls13_state = state_read_channel_id;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	833	return ssl_hs_ok;
				834	}
				835
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	836	SSLMessage msg;
				837	if (!ssl->method->get_message(ssl, &msg)) {
				838	return ssl_hs_read_message;
				839	}
				840
David Benjamin	3a1dd46	2017-07-11 16:13:10 -0400	[diff] [blame]	841	switch (ssl_verify_peer_cert(hs)) {
				842	case ssl_verify_ok:
				843	break;
				844	case ssl_verify_invalid:
				845	return ssl_hs_error;
				846	case ssl_verify_retry:
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	847	hs->tls13_state = state_read_client_certificate_verify;
David Benjamin	3a1dd46	2017-07-11 16:13:10 -0400	[diff] [blame]	848	return ssl_hs_certificate_verify;
				849	}
				850
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	851	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) \|\|
				852	!tls13_process_certificate_verify(hs, msg) \|\|
				853	!ssl_hash_message(hs, msg)) {
David Benjamin	6929f27	2016-11-16 19:10:08 +0900	[diff] [blame]	854	return ssl_hs_error;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	855	}
				856
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	857	ssl->method->next_message(ssl);
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	858	hs->tls13_state = state_read_channel_id;
				859	return ssl_hs_ok;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	860	}
				861
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	862	static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	863	SSL *const ssl = hs->ssl;
David Benjamin	4685376	2018-07-03 14:01:26 -0400	[diff] [blame]	864	if (!ssl->s3->channel_id_valid) {
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	865	hs->tls13_state = state_read_client_finished;
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	866	return ssl_hs_ok;
				867	}
				868
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	869	SSLMessage msg;
				870	if (!ssl->method->get_message(ssl, &msg)) {
				871	return ssl_hs_read_message;
				872	}
				873	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) \|\|
				874	!tls1_verify_channel_id(hs, msg) \|\|
				875	!ssl_hash_message(hs, msg)) {
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	876	return ssl_hs_error;
				877	}
				878
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	879	ssl->method->next_message(ssl);
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	880	hs->tls13_state = state_read_client_finished;
				881	return ssl_hs_ok;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	882	}
				883
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	884	static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	885	SSL *const ssl = hs->ssl;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	886	SSLMessage msg;
				887	if (!ssl->method->get_message(ssl, &msg)) {
				888	return ssl_hs_read_message;
				889	}
				890	if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) \|\|
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	891	// If early data was accepted, we've already computed the client Finished
				892	// and derived the resumption secret.
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	893	!tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) \|\|
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	894	// evp_aead_seal keys have already been switched.
Steven Valdez	a833c35	2016-11-01 13:39:36 -0400	[diff] [blame]	895	!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	896	hs->hash_len)) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	897	return ssl_hs_error;
				898	}
				899
David Benjamin	02e6256	2017-12-18 18:04:01 -0500	[diff] [blame]	900	if (!ssl->s3->early_data_accepted) {
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	901	if (!ssl_hash_message(hs, msg) \|\|
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	902	!tls13_derive_resumption_secret(hs)) {
				903	return ssl_hs_error;
				904	}
				905
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	906	// We send post-handshake tickets as part of the handshake in 1-RTT.
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	907	hs->tls13_state = state_send_new_session_ticket;
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	908	} else {
David Benjamin	c11ea942	2017-08-29 16:33:21 -0400	[diff] [blame]	909	// We already sent half-RTT tickets.
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	910	hs->tls13_state = state_done;
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	911	}
				912
David Benjamin	8f94c31	2017-08-01 17:35:55 -0400	[diff] [blame]	913	ssl->method->next_message(ssl);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	914	return ssl_hs_ok;
				915	}
				916
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	917	static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	918	bool sent_tickets;
				919	if (!add_new_session_tickets(hs, &sent_tickets)) {
David Benjamin	794cc59	2017-03-25 22:24:23 -0500	[diff] [blame]	920	return ssl_hs_error;
Steven Valdez	08b65f4	2016-12-07 15:29:45 -0500	[diff] [blame]	921	}
				922
David Benjamin	25ac251	2017-01-12 19:31:28 -0500	[diff] [blame]	923	hs->tls13_state = state_done;
David Benjamin	0cbb1af	2018-07-17 21:26:05 -0400	[diff] [blame]	924	return sent_tickets ? ssl_hs_flush : ssl_hs_ok;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	925	}
				926
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	927	enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
David Benjamin	3977f30	2016-12-11 13:30:41 -0500	[diff] [blame]	928	while (hs->tls13_state != state_done) {
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	929	enum ssl_hs_wait_t ret = ssl_hs_error;
David Benjamin	d304a2f	2017-07-12 23:00:28 -0400	[diff] [blame]	930	enum server_hs_state_t state =
				931	static_cast<enum server_hs_state_t>(hs->tls13_state);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	932	switch (state) {
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	933	case state_select_parameters:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	934	ret = do_select_parameters(hs);
David Benjamin	25fe85b	2016-08-09 20:00:32 -0400	[diff] [blame]	935	break;
David Benjamin	707af29	2017-03-10 17:47:18 -0500	[diff] [blame]	936	case state_select_session:
				937	ret = do_select_session(hs);
				938	break;
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	939	case state_send_hello_retry_request:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	940	ret = do_send_hello_retry_request(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	941	break;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	942	case state_read_second_client_hello:
				943	ret = do_read_second_client_hello(hs);
Steven Valdez	5440fe0	2016-07-18 12:40:30 -0400	[diff] [blame]	944	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	945	case state_send_server_hello:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	946	ret = do_send_server_hello(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	947	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	948	case state_send_server_certificate_verify:
David Benjamin	4414874	2017-06-17 13:20:59 -0400	[diff] [blame]	949	ret = do_send_server_certificate_verify(hs);
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	950	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	951	case state_send_server_finished:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	952	ret = do_send_server_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	953	break;
Steven Valdez	2d85062	2017-01-11 11:34:52 -0500	[diff] [blame]	954	case state_read_second_client_flight:
				955	ret = do_read_second_client_flight(hs);
				956	break;
				957	case state_process_end_of_early_data:
				958	ret = do_process_end_of_early_data(hs);
				959	break;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	960	case state_read_client_certificate:
				961	ret = do_read_client_certificate(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	962	break;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	963	case state_read_client_certificate_verify:
				964	ret = do_read_client_certificate_verify(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	965	break;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	966	case state_read_channel_id:
				967	ret = do_read_channel_id(hs);
Nick Harper	60a85cb	2016-09-23 16:25:11 -0700	[diff] [blame]	968	break;
David Benjamin	7934f08	2017-08-01 16:32:25 -0400	[diff] [blame]	969	case state_read_client_finished:
				970	ret = do_read_client_finished(hs);
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	971	break;
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	972	case state_send_new_session_ticket:
David Benjamin	c3c8882	2016-11-14 10:32:04 +0900	[diff] [blame]	973	ret = do_send_new_session_ticket(hs);
Steven Valdez	1e6f11a	2016-07-27 11:10:52 -0400	[diff] [blame]	974	break;
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	975	case state_done:
				976	ret = ssl_hs_ok;
				977	break;
				978	}
				979
Steven Valdez	4d71a9a	2017-08-14 15:08:34 -0400	[diff] [blame]	980	if (hs->tls13_state != state) {
David Benjamin	f60bcfb	2017-08-18 15:23:44 -0400	[diff] [blame]	981	ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
				982	}
				983
Steven Valdez	143e8b3	2016-07-11 13:19:03 -0400	[diff] [blame]	984	if (ret != ssl_hs_ok) {
				985	return ret;
				986	}
				987	}
				988
				989	return ssl_hs_ok;
				990	}
David Benjamin	86e95b8	2017-07-18 16:34:25 -0400	[diff] [blame]	991
David Benjamin	f60bcfb	2017-08-18 15:23:44 -0400	[diff] [blame]	992	const char tls13_server_handshake_state(SSL_HANDSHAKE hs) {
				993	enum server_hs_state_t state =
				994	static_cast<enum server_hs_state_t>(hs->tls13_state);
				995	switch (state) {
				996	case state_select_parameters:
				997	return "TLS 1.3 server select_parameters";
				998	case state_select_session:
				999	return "TLS 1.3 server select_session";
				1000	case state_send_hello_retry_request:
				1001	return "TLS 1.3 server send_hello_retry_request";
				1002	case state_read_second_client_hello:
				1003	return "TLS 1.3 server read_second_client_hello";
				1004	case state_send_server_hello:
				1005	return "TLS 1.3 server send_server_hello";
				1006	case state_send_server_certificate_verify:
				1007	return "TLS 1.3 server send_server_certificate_verify";
				1008	case state_send_server_finished:
				1009	return "TLS 1.3 server send_server_finished";
				1010	case state_read_second_client_flight:
				1011	return "TLS 1.3 server read_second_client_flight";
David Benjamin	f60bcfb	2017-08-18 15:23:44 -0400	[diff] [blame]	1012	case state_process_end_of_early_data:
				1013	return "TLS 1.3 server process_end_of_early_data";
				1014	case state_read_client_certificate:
				1015	return "TLS 1.3 server read_client_certificate";
				1016	case state_read_client_certificate_verify:
				1017	return "TLS 1.3 server read_client_certificate_verify";
				1018	case state_read_channel_id:
				1019	return "TLS 1.3 server read_channel_id";
				1020	case state_read_client_finished:
				1021	return "TLS 1.3 server read_client_finished";
				1022	case state_send_new_session_ticket:
				1023	return "TLS 1.3 server send_new_session_ticket";
				1024	case state_done:
				1025	return "TLS 1.3 server done";
				1026	}
				1027
				1028	return "TLS 1.3 server unknown";
				1029	}
				1030
David Benjamin	86e95b8	2017-07-18 16:34:25 -0400	[diff] [blame]	1031	} // namespace bssl