kris
/
boringssl
1
0
派生 0
代码 工单 0 合并请求 0 版本发布 0 百科 动态
您最多选择25个主题 主题必须以字母或数字开头,可以包含连字符 (-),并且长度不得超过35个字符
5157 提交
12 分支
38 MiB
 
 
 
 
 
 
目录树: 6ae7ddb755
分支列表 标签列表
${ item.name }
创建分支 ${ searchTerm }
从 '6ae7ddb755'
${ noResults }
boringssl/ssl/tls13_server.cc

1035 行
34 KiB
原始文件 Blame 文件历史 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. // Per C99, various stdint.h macros are unavailable in C++ unless some macros

  16. // are defined. C++11 overruled this decision, but older Android NDKs still

  17. // require it.

  18. #if !defined(__STDC_LIMIT_MACROS)

  19. #define __STDC_LIMIT_MACROS

  20. #endif

  21. 

  22. #include <openssl/ssl.h>

  23. 

  24. #include <assert.h>

  25. #include <string.h>

  26. 

  27. #include <openssl/aead.h>

  28. #include <openssl/bytestring.h>

  29. #include <openssl/digest.h>

  30. #include <openssl/err.h>

  31. #include <openssl/mem.h>

  32. #include <openssl/rand.h>

  33. #include <openssl/stack.h>

  34. 

  35. #include "../crypto/internal.h"

  36. #include "internal.h"

  37. 

  38. 

  39. namespace bssl {

  40. 

  41. enum server_hs_state_t {

  42.   state_select_parameters = 0,

  43.   state_select_session,

  44.   state_send_hello_retry_request,

  45.   state_read_second_client_hello,

  46.   state_send_server_hello,

  47.   state_send_server_certificate_verify,

  48.   state_send_server_finished,

  49.   state_read_second_client_flight,

  50.   state_process_end_of_early_data,

  51.   state_read_client_certificate,

  52.   state_read_client_certificate_verify,

  53.   state_read_channel_id,

  54.   state_read_client_finished,

  55.   state_send_new_session_ticket,

  56.   state_done,

  57. };

  58. 

  59. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  60. 

  61. static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,

  62.                                 SSL_CLIENT_HELLO *client_hello) {

  63.   SSL *const ssl = hs->ssl;

  64.   *out_need_retry = false;

  65. 

  66.   // We only support connections that include an ECDHE key exchange.

  67.   CBS key_share;

  68.   if (!ssl_client_hello_get_extension(client_hello, &key_share,

  69.                                       TLSEXT_TYPE_key_share)) {

  70.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  71.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  72.     return 0;

  73.   }

  74. 

  75.   bool found_key_share;

  76.   Array<uint8_t> dhe_secret;

  77.   uint8_t alert = SSL_AD_DECODE_ERROR;

  78.   if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,

  79.                                            &alert, &key_share)) {

  80.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  81.     return 0;

  82.   }

  83. 

  84.   if (!found_key_share) {

  85.     *out_need_retry = true;

  86.     return 0;

  87.   }

  88. 

  89.   return tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size());

  90. }

  91. 

  92. static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,

  93.                                                       CBB *out) {

  94.   CBB contents;

  95.   if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||

  96.       !CBB_add_u16_length_prefixed(out, &contents) ||

  97.       !CBB_add_u16(&contents, hs->ssl->version) ||

  98.       !CBB_flush(out)) {

  99.     return 0;

  100.   }

  101. 

  102.   return 1;

  103. }

  104. 

  105. static const SSL_CIPHER *choose_tls13_cipher(

  106.     const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {

  107.   if (client_hello->cipher_suites_len % 2 != 0) {

  108.     return NULL;

  109.   }

  110. 

  111.   CBS cipher_suites;

  112.   CBS_init(&cipher_suites, client_hello->cipher_suites,

  113.            client_hello->cipher_suites_len);

  114. 

  115.   const int aes_is_fine = EVP_has_aes_hardware();

  116.   const uint16_t version = ssl_protocol_version(ssl);

  117. 

  118.   const SSL_CIPHER *best = NULL;

  119.   while (CBS_len(&cipher_suites) > 0) {

  120.     uint16_t cipher_suite;

  121.     if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {

  122.       return NULL;

  123.     }

  124. 

  125.     // Limit to TLS 1.3 ciphers we know about.

  126.     const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);

  127.     if (candidate == NULL ||

  128.         SSL_CIPHER_get_min_version(candidate) > version ||

  129.         SSL_CIPHER_get_max_version(candidate) < version) {

  130.       continue;

  131.     }

  132. 

  133.     // TLS 1.3 removes legacy ciphers, so honor the client order, but prefer

  134.     // ChaCha20 if we do not have AES hardware.

  135.     if (aes_is_fine) {

  136.       return candidate;

  137.     }

  138. 

  139.     if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {

  140.       return candidate;

  141.     }

  142. 

  143.     if (best == NULL) {

  144.       best = candidate;

  145.     }

  146.   }

  147. 

  148.   return best;

  149. }

  150. 

  151. static int add_new_session_tickets(SSL_HANDSHAKE *hs) {

  152.   SSL *const ssl = hs->ssl;

  153.   // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case

  154.   // the client makes several connections before getting a renewal.

  155.   static const int kNumTickets = 2;

  156. 

  157.   // Rebase the session timestamp so that it is measured from ticket

  158.   // issuance.

  159.   ssl_session_rebase_time(ssl, hs->new_session.get());

  160. 

  161.   for (int i = 0; i < kNumTickets; i++) {

  162.     UniquePtr<SSL_SESSION> session(

  163.         SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));

  164.     if (!session) {

  165.       return 0;

  166.     }

  167. 

  168.     if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {

  169.       return 0;

  170.     }

  171.     session->ticket_age_add_valid = 1;

  172.     if (ssl->cert->enable_early_data) {

  173.       session->ticket_max_early_data = kMaxEarlyDataAccepted;

  174.     }

  175. 

  176.     static_assert(kNumTickets < 256, "Too many tickets");

  177.     uint8_t nonce[] = {static_cast<uint8_t>(i)};

  178. 

  179.     ScopedCBB cbb;

  180.     CBB body, nonce_cbb, ticket, extensions;

  181.     if (!ssl->method->init_message(ssl, cbb.get(), &body,

  182.                                    SSL3_MT_NEW_SESSION_TICKET) ||

  183.         !CBB_add_u32(&body, session->timeout) ||

  184.         !CBB_add_u32(&body, session->ticket_age_add) ||

  185.         !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||

  186.         !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||

  187.         !CBB_add_u16_length_prefixed(&body, &ticket) ||

  188.         !tls13_derive_session_psk(session.get(), nonce) ||

  189.         !ssl_encrypt_ticket(ssl, &ticket, session.get()) ||

  190.         !CBB_add_u16_length_prefixed(&body, &extensions)) {

  191.       return 0;

  192.     }

  193. 

  194.     if (ssl->cert->enable_early_data) {

  195.       CBB early_data_info;

  196.       if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||

  197.           !CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||

  198.           !CBB_add_u32(&early_data_info, session->ticket_max_early_data) ||

  199.           !CBB_flush(&extensions)) {

  200.         return 0;

  201.       }

  202.     }

  203. 

  204.     // Add a fake extension. See draft-davidben-tls-grease-01.

  205.     if (!CBB_add_u16(&extensions,

  206.                      ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||

  207.         !CBB_add_u16(&extensions, 0 /* empty */)) {

  208.       return 0;

  209.     }

  210. 

  211.     if (!ssl_add_message_cbb(ssl, cbb.get())) {

  212.       return 0;

  213.     }

  214.   }

  215. 

  216.   return 1;

  217. }

  218. 

  219. static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {

  220.   // At this point, most ClientHello extensions have already been processed by

  221.   // the common handshake logic. Resolve the remaining non-PSK parameters.

  222.   SSL *const ssl = hs->ssl;

  223.   SSLMessage msg;

  224.   if (!ssl->method->get_message(ssl, &msg)) {

  225.     return ssl_hs_read_message;

  226.   }

  227.   SSL_CLIENT_HELLO client_hello;

  228.   if (!ssl_client_hello_init(ssl, &client_hello, msg)) {

  229.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  230.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  231.     return ssl_hs_error;

  232.   }

  233. 

  234.   OPENSSL_memcpy(hs->session_id, client_hello.session_id,

  235.                  client_hello.session_id_len);

  236.   hs->session_id_len = client_hello.session_id_len;

  237. 

  238.   // Negotiate the cipher suite.

  239.   hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);

  240.   if (hs->new_cipher == NULL) {

  241.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);

  242.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

  243.     return ssl_hs_error;

  244.   }

  245. 

  246.   // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was

  247.   // deferred. Complete it now.

  248.   uint8_t alert = SSL_AD_DECODE_ERROR;

  249.   if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {

  250.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  251.     return ssl_hs_error;

  252.   }

  253. 

  254.   // The PRF hash is now known. Set up the key schedule and hash the

  255.   // ClientHello.

  256.   if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {

  257.     return ssl_hs_error;

  258.   }

  259. 

  260.   if (!ssl_hash_message(hs, msg)) {

  261.     return ssl_hs_error;

  262.   }

  263. 

  264.   hs->tls13_state = state_select_session;

  265.   return ssl_hs_ok;

  266. }

  267. 

  268. static enum ssl_ticket_aead_result_t select_session(

  269.     SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,

  270.     int32_t *out_ticket_age_skew, const SSLMessage &msg,

  271.     const SSL_CLIENT_HELLO *client_hello) {

  272.   SSL *const ssl = hs->ssl;

  273.   *out_session = NULL;

  274. 

  275.   // Decode the ticket if we agreed on a PSK key exchange mode.

  276.   CBS pre_shared_key;

  277.   if (!hs->accept_psk_mode ||

  278.       !ssl_client_hello_get_extension(client_hello, &pre_shared_key,

  279.                                       TLSEXT_TYPE_pre_shared_key)) {

  280.     return ssl_ticket_aead_ignore_ticket;

  281.   }

  282. 

  283.   // Verify that the pre_shared_key extension is the last extension in

  284.   // ClientHello.

  285.   if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=

  286.       client_hello->extensions + client_hello->extensions_len) {

  287.     OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);

  288.     *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  289.     return ssl_ticket_aead_error;

  290.   }

  291. 

  292.   CBS ticket, binders;

  293.   uint32_t client_ticket_age;

  294.   if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &ticket, &binders,

  295.                                                 &client_ticket_age, out_alert,

  296.                                                 &pre_shared_key)) {

  297.     return ssl_ticket_aead_error;

  298.   }

  299. 

  300.   // TLS 1.3 session tickets are renewed separately as part of the

  301.   // NewSessionTicket.

  302.   bool unused_renew;

  303.   UniquePtr<SSL_SESSION> session;

  304.   enum ssl_ticket_aead_result_t ret =

  305.       ssl_process_ticket(ssl, &session, &unused_renew, CBS_data(&ticket),

  306.                          CBS_len(&ticket), NULL, 0);

  307.   switch (ret) {

  308.     case ssl_ticket_aead_success:

  309.       break;

  310.     case ssl_ticket_aead_error:

  311.       *out_alert = SSL_AD_INTERNAL_ERROR;

  312.       return ret;

  313.     default:

  314.       return ret;

  315.   }

  316. 

  317.   if (!ssl_session_is_resumable(hs, session.get()) ||

  318.       // Historically, some TLS 1.3 tickets were missing ticket_age_add.

  319.       !session->ticket_age_add_valid) {

  320.     return ssl_ticket_aead_ignore_ticket;

  321.   }

  322. 

  323.   // Recover the client ticket age and convert to seconds.

  324.   client_ticket_age -= session->ticket_age_add;

  325.   client_ticket_age /= 1000;

  326. 

  327.   struct OPENSSL_timeval now;

  328.   ssl_get_current_time(ssl, &now);

  329. 

  330.   // Compute the server ticket age in seconds.

  331.   assert(now.tv_sec >= session->time);

  332.   uint64_t server_ticket_age = now.tv_sec - session->time;

  333. 

  334.   // To avoid overflowing |hs->ticket_age_skew|, we will not resume

  335.   // 68-year-old sessions.

  336.   if (server_ticket_age > INT32_MAX) {

  337.     return ssl_ticket_aead_ignore_ticket;

  338.   }

  339. 

  340.   // TODO(davidben,svaldez): Measure this value to decide on tolerance. For

  341.   // now, accept all values. https://crbug.com/boringssl/113.

  342.   *out_ticket_age_skew =

  343.       (int32_t)client_ticket_age - (int32_t)server_ticket_age;

  344. 

  345.   // Check the PSK binder.

  346.   if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {

  347.     *out_alert = SSL_AD_DECRYPT_ERROR;

  348.     return ssl_ticket_aead_error;

  349.   }

  350. 

  351.   *out_session = std::move(session);

  352.   return ssl_ticket_aead_success;

  353. }

  354. 

  355. static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {

  356.   SSL *const ssl = hs->ssl;

  357.   SSLMessage msg;

  358.   if (!ssl->method->get_message(ssl, &msg)) {

  359.     return ssl_hs_read_message;

  360.   }

  361.   SSL_CLIENT_HELLO client_hello;

  362.   if (!ssl_client_hello_init(ssl, &client_hello, msg)) {

  363.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  364.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  365.     return ssl_hs_error;

  366.   }

  367. 

  368.   uint8_t alert = SSL_AD_DECODE_ERROR;

  369.   UniquePtr<SSL_SESSION> session;

  370.   switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew, msg,

  371.                          &client_hello)) {

  372.     case ssl_ticket_aead_ignore_ticket:

  373.       assert(!session);

  374.       if (!ssl_get_new_session(hs, 1 /* server */)) {

  375.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  376.         return ssl_hs_error;

  377.       }

  378.       break;

  379. 

  380.     case ssl_ticket_aead_success:

  381.       // Carry over authentication information from the previous handshake into

  382.       // a fresh session.

  383.       hs->new_session =

  384.           SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);

  385. 

  386.       if (ssl->cert->enable_early_data &&

  387.           // Early data must be acceptable for this ticket.

  388.           session->ticket_max_early_data != 0 &&

  389.           // The client must have offered early data.

  390.           hs->early_data_offered &&

  391.           // Channel ID is incompatible with 0-RTT.

  392.           !ssl->s3->tlsext_channel_id_valid &&

  393.           // If Token Binding is negotiated, reject 0-RTT.

  394.           !ssl->s3->token_binding_negotiated &&

  395.           // Custom extensions is incompatible with 0-RTT.

  396.           hs->custom_extensions.received == 0 &&

  397.           // The negotiated ALPN must match the one in the ticket.

  398.           ssl->s3->alpn_selected ==

  399.               MakeConstSpan(session->early_alpn, session->early_alpn_len)) {

  400.         ssl->s3->early_data_accepted = true;

  401.       }

  402. 

  403.       if (hs->new_session == NULL) {

  404.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  405.         return ssl_hs_error;

  406.       }

  407. 

  408.       ssl->s3->session_reused = true;

  409. 

  410.       // Resumption incorporates fresh key material, so refresh the timeout.

  411.       ssl_session_renew_timeout(ssl, hs->new_session.get(),

  412.                                 ssl->session_ctx->session_psk_dhe_timeout);

  413.       break;

  414. 

  415.     case ssl_ticket_aead_error:

  416.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  417.       return ssl_hs_error;

  418. 

  419.     case ssl_ticket_aead_retry:

  420.       hs->tls13_state = state_select_session;

  421.       return ssl_hs_pending_ticket;

  422.   }

  423. 

  424.   // Record connection properties in the new session.

  425.   hs->new_session->cipher = hs->new_cipher;

  426. 

  427.   // Store the initial negotiated ALPN in the session.

  428.   if (!ssl->s3->alpn_selected.empty()) {

  429.     hs->new_session->early_alpn = (uint8_t *)BUF_memdup(

  430.         ssl->s3->alpn_selected.data(), ssl->s3->alpn_selected.size());

  431.     if (hs->new_session->early_alpn == NULL) {

  432.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  433.       return ssl_hs_error;

  434.     }

  435.     hs->new_session->early_alpn_len = ssl->s3->alpn_selected.size();

  436.   }

  437. 

  438.   if (ssl->ctx->dos_protection_cb != NULL &&

  439.       ssl->ctx->dos_protection_cb(&client_hello) == 0) {

  440.     // Connection rejected for DOS reasons.

  441.     OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);

  442.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  443.     return ssl_hs_error;

  444.   }

  445. 

  446.   size_t hash_len = EVP_MD_size(

  447.       ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));

  448. 

  449.   // Set up the key schedule and incorporate the PSK into the running secret.

  450.   if (ssl->s3->session_reused) {

  451.     if (!tls13_init_key_schedule(hs, hs->new_session->master_key,

  452.                                     hs->new_session->master_key_length)) {

  453.       return ssl_hs_error;

  454.     }

  455.   } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {

  456.     return ssl_hs_error;

  457.   }

  458. 

  459.   if (ssl->s3->early_data_accepted) {

  460.     if (!tls13_derive_early_secrets(hs)) {

  461.       return ssl_hs_error;

  462.     }

  463.   } else if (hs->early_data_offered) {

  464.     ssl->s3->skip_early_data = true;

  465.   }

  466. 

  467.   // Resolve ECDHE and incorporate it into the secret.

  468.   bool need_retry;

  469.   if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {

  470.     if (need_retry) {

  471.       ssl->s3->early_data_accepted = false;

  472.       ssl->s3->skip_early_data = true;

  473.       ssl->method->next_message(ssl);

  474.       if (!hs->transcript.UpdateForHelloRetryRequest()) {

  475.         return ssl_hs_error;

  476.       }

  477.       hs->tls13_state = state_send_hello_retry_request;

  478.       return ssl_hs_ok;

  479.     }

  480.     return ssl_hs_error;

  481.   }

  482. 

  483.   ssl->method->next_message(ssl);

  484.   hs->tls13_state = state_send_server_hello;

  485.   return ssl_hs_ok;

  486. }

  487. 

  488. static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {

  489.   SSL *const ssl = hs->ssl;

  490. 

  491. 

  492.   ScopedCBB cbb;

  493.   CBB body, session_id, extensions;

  494.   uint16_t group_id;

  495.   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||

  496.       !CBB_add_u16(&body, TLS1_2_VERSION) ||

  497.       !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||

  498.       !CBB_add_u8_length_prefixed(&body, &session_id) ||

  499.       !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||

  500.       !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||

  501.       !CBB_add_u8(&body, 0 /* no compression */) ||

  502.       !tls1_get_shared_group(hs, &group_id) ||

  503.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  504.       !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) ||

  505.       !CBB_add_u16(&extensions, 2 /* length */) ||

  506.       !CBB_add_u16(&extensions, ssl->version) ||

  507.       !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||

  508.       !CBB_add_u16(&extensions, 2 /* length */) ||

  509.       !CBB_add_u16(&extensions, group_id) ||

  510.       !ssl_add_message_cbb(ssl, cbb.get())) {

  511.     return ssl_hs_error;

  512.   }

  513. 

  514.   if (!ssl->method->add_change_cipher_spec(ssl)) {

  515.     return ssl_hs_error;

  516.   }

  517. 

  518.   hs->sent_hello_retry_request = true;

  519.   hs->tls13_state = state_read_second_client_hello;

  520.   return ssl_hs_flush;

  521. }

  522. 

  523. static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {

  524.   SSL *const ssl = hs->ssl;

  525.   SSLMessage msg;

  526.   if (!ssl->method->get_message(ssl, &msg)) {

  527.     return ssl_hs_read_message;

  528.   }

  529.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {

  530.     return ssl_hs_error;

  531.   }

  532.   SSL_CLIENT_HELLO client_hello;

  533.   if (!ssl_client_hello_init(ssl, &client_hello, msg)) {

  534.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  535.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  536.     return ssl_hs_error;

  537.   }

  538. 

  539.   bool need_retry;

  540.   if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {

  541.     if (need_retry) {

  542.       // Only send one HelloRetryRequest.

  543.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  544.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  545.     }

  546.     return ssl_hs_error;

  547.   }

  548. 

  549.   if (!ssl_hash_message(hs, msg)) {

  550.     return ssl_hs_error;

  551.   }

  552. 

  553.   ssl->method->next_message(ssl);

  554.   hs->tls13_state = state_send_server_hello;

  555.   return ssl_hs_ok;

  556. }

  557. 

  558. static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {

  559.   SSL *const ssl = hs->ssl;

  560. 

  561.   // Send a ServerHello.

  562.   ScopedCBB cbb;

  563.   CBB body, extensions, session_id;

  564.   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||

  565.       !CBB_add_u16(&body, TLS1_2_VERSION) ||

  566.       !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||

  567.       !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||

  568.       !CBB_add_u8_length_prefixed(&body, &session_id) ||

  569.       !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||

  570.       !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||

  571.       !CBB_add_u8(&body, 0) ||

  572.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  573.       !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||

  574.       !ssl_ext_key_share_add_serverhello(hs, &extensions) ||

  575.       !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||

  576.       !ssl_add_message_cbb(ssl, cbb.get())) {

  577.     return ssl_hs_error;

  578.   }

  579. 

  580.   if (!hs->sent_hello_retry_request &&

  581.       !ssl->method->add_change_cipher_spec(ssl)) {

  582.     return ssl_hs_error;

  583.   }

  584. 

  585.   // Derive and enable the handshake traffic secrets.

  586.   if (!tls13_derive_handshake_secrets(hs) ||

  587.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,

  588.                              hs->hash_len)) {

  589.     return ssl_hs_error;

  590.   }

  591. 

  592.   // Send EncryptedExtensions.

  593.   if (!ssl->method->init_message(ssl, cbb.get(), &body,

  594.                                  SSL3_MT_ENCRYPTED_EXTENSIONS) ||

  595.       !ssl_add_serverhello_tlsext(hs, &body) ||

  596.       !ssl_add_message_cbb(ssl, cbb.get())) {

  597.     return ssl_hs_error;

  598.   }

  599. 

  600.   if (!ssl->s3->session_reused) {

  601.     // Determine whether to request a client certificate.

  602.     hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);

  603.     // Only request a certificate if Channel ID isn't negotiated.

  604.     if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&

  605.         ssl->s3->tlsext_channel_id_valid) {

  606.       hs->cert_request = false;

  607.     }

  608.   }

  609. 

  610.   // Send a CertificateRequest, if necessary.

  611.   if (hs->cert_request) {

  612.     CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;

  613.     if (!ssl->method->init_message(ssl, cbb.get(), &body,

  614.                                    SSL3_MT_CERTIFICATE_REQUEST) ||

  615.         !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||

  616.         !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) ||

  617.         !CBB_add_u16(&cert_request_extensions,

  618.                      TLSEXT_TYPE_signature_algorithms) ||

  619.         !CBB_add_u16_length_prefixed(&cert_request_extensions,

  620.                                      &sigalg_contents) ||

  621.         !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||

  622.         !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb,

  623.                                   false /* online signature */)) {

  624.       return ssl_hs_error;

  625.     }

  626. 

  627.     if (tls12_has_different_verify_sigalgs_for_certs(ssl)) {

  628.       if (!CBB_add_u16(&cert_request_extensions,

  629.                        TLSEXT_TYPE_signature_algorithms_cert) ||

  630.           !CBB_add_u16_length_prefixed(&cert_request_extensions,

  631.                                        &sigalg_contents) ||

  632.           !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||

  633.           !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */)) {

  634.         return ssl_hs_error;

  635.       }

  636.     }

  637. 

  638.     if (ssl_has_client_CAs(ssl)) {

  639.       CBB ca_contents;

  640.       if (!CBB_add_u16(&cert_request_extensions,

  641.                        TLSEXT_TYPE_certificate_authorities) ||

  642.           !CBB_add_u16_length_prefixed(&cert_request_extensions,

  643.                                        &ca_contents) ||

  644.           !ssl_add_client_CA_list(ssl, &ca_contents) ||

  645.           !CBB_flush(&cert_request_extensions)) {

  646.         return ssl_hs_error;

  647.       }

  648.     }

  649. 

  650.     if (!ssl_add_message_cbb(ssl, cbb.get())) {

  651.       return ssl_hs_error;

  652.     }

  653.   }

  654. 

  655.   // Send the server Certificate message, if necessary.

  656.   if (!ssl->s3->session_reused) {

  657.     if (!ssl_has_certificate(ssl)) {

  658.       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);

  659.       return ssl_hs_error;

  660.     }

  661. 

  662.     if (!tls13_add_certificate(hs)) {

  663.       return ssl_hs_error;

  664.     }

  665. 

  666.     hs->tls13_state = state_send_server_certificate_verify;

  667.     return ssl_hs_ok;

  668.   }

  669. 

  670.   hs->tls13_state = state_send_server_finished;

  671.   return ssl_hs_ok;

  672. }

  673. 

  674. static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {

  675.   switch (tls13_add_certificate_verify(hs)) {

  676.     case ssl_private_key_success:

  677.       hs->tls13_state = state_send_server_finished;

  678.       return ssl_hs_ok;

  679. 

  680.     case ssl_private_key_retry:

  681.       hs->tls13_state = state_send_server_certificate_verify;

  682.       return ssl_hs_private_key_operation;

  683. 

  684.     case ssl_private_key_failure:

  685.       return ssl_hs_error;

  686.   }

  687. 

  688.   assert(0);

  689.   return ssl_hs_error;

  690. }

  691. 

  692. static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {

  693.   SSL *const ssl = hs->ssl;

  694.   if (!tls13_add_finished(hs) ||

  695.       // Update the secret to the master secret and derive traffic keys.

  696.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  697.       !tls13_derive_application_secrets(hs) ||

  698.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,

  699.                              hs->hash_len)) {

  700.     return ssl_hs_error;

  701.   }

  702. 

  703.   if (ssl->s3->early_data_accepted) {

  704.     // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on

  705.     // the wire sooner and also avoids triggering a write on |SSL_read| when

  706.     // processing the client Finished. This requires computing the client

  707.     // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1.

  708.     static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,

  709.                                                0, 0};

  710.     if (!hs->transcript.Update(kEndOfEarlyData)) {

  711.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  712.       return ssl_hs_error;

  713.     }

  714. 

  715.     size_t finished_len;

  716.     if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,

  717.                             0 /* client */)) {

  718.       return ssl_hs_error;

  719.     }

  720. 

  721.     if (finished_len != hs->hash_len) {

  722.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  723.       return ssl_hs_error;

  724.     }

  725. 

  726.     // Feed the predicted Finished into the transcript. This allows us to derive

  727.     // the resumption secret early and send half-RTT tickets.

  728.     //

  729.     // TODO(davidben): This will need to be updated for DTLS 1.3.

  730.     assert(!SSL_is_dtls(hs->ssl));

  731.     assert(hs->hash_len <= 0xff);

  732.     uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0,

  733.                          static_cast<uint8_t>(hs->hash_len)};

  734.     if (!hs->transcript.Update(header) ||

  735.         !hs->transcript.Update(

  736.             MakeConstSpan(hs->expected_client_finished, hs->hash_len)) ||

  737.         !tls13_derive_resumption_secret(hs) ||

  738.         !add_new_session_tickets(hs)) {

  739.       return ssl_hs_error;

  740.     }

  741.   }

  742. 

  743.   hs->tls13_state = state_read_second_client_flight;

  744.   return ssl_hs_flush;

  745. }

  746. 

  747. static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {

  748.   SSL *const ssl = hs->ssl;

  749.   if (ssl->s3->early_data_accepted) {

  750.     if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->early_traffic_secret,

  751.                                hs->hash_len)) {

  752.       return ssl_hs_error;

  753.     }

  754.     hs->can_early_write = true;

  755.     hs->can_early_read = true;

  756.     hs->in_early_data = true;

  757.   }

  758.   hs->tls13_state = state_process_end_of_early_data;

  759.   return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data

  760.                                       : ssl_hs_ok;

  761. }

  762. 

  763. static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {

  764.   SSL *const ssl = hs->ssl;

  765.   if (hs->early_data_offered) {

  766.     // If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec

  767.     // message will be in the discarded early data.

  768.     if (hs->ssl->s3->early_data_accepted) {

  769.       SSLMessage msg;

  770.       if (!ssl->method->get_message(ssl, &msg)) {

  771.         return ssl_hs_read_message;

  772.       }

  773. 

  774.       if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {

  775.         return ssl_hs_error;

  776.       }

  777.       if (CBS_len(&msg.body) != 0) {

  778.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  779.         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  780.         return ssl_hs_error;

  781.       }

  782.       ssl->method->next_message(ssl);

  783.     }

  784.   }

  785.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,

  786.                              hs->hash_len)) {

  787.     return ssl_hs_error;

  788.   }

  789.   hs->tls13_state = ssl->s3->early_data_accepted

  790.                         ? state_read_client_finished

  791.                         : state_read_client_certificate;

  792.   return ssl_hs_ok;

  793. }

  794. 

  795. static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {

  796.   SSL *const ssl = hs->ssl;

  797.   if (!hs->cert_request) {

  798.     // OpenSSL returns X509_V_OK when no certificates are requested. This is

  799.     // classed by them as a bug, but it's assumed by at least NGINX.

  800.     hs->new_session->verify_result = X509_V_OK;

  801. 

  802.     // Skip this state.

  803.     hs->tls13_state = state_read_channel_id;

  804.     return ssl_hs_ok;

  805.   }

  806. 

  807.   const int allow_anonymous =

  808.       (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;

  809.   SSLMessage msg;

  810.   if (!ssl->method->get_message(ssl, &msg)) {

  811.     return ssl_hs_read_message;

  812.   }

  813.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||

  814.       !tls13_process_certificate(hs, msg, allow_anonymous) ||

  815.       !ssl_hash_message(hs, msg)) {

  816.     return ssl_hs_error;

  817.   }

  818. 

  819.   ssl->method->next_message(ssl);

  820.   hs->tls13_state = state_read_client_certificate_verify;

  821.   return ssl_hs_ok;

  822. }

  823. 

  824. static enum ssl_hs_wait_t do_read_client_certificate_verify(

  825.     SSL_HANDSHAKE *hs) {

  826.   SSL *const ssl = hs->ssl;

  827.   if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {

  828.     // Skip this state.

  829.     hs->tls13_state = state_read_channel_id;

  830.     return ssl_hs_ok;

  831.   }

  832. 

  833.   SSLMessage msg;

  834.   if (!ssl->method->get_message(ssl, &msg)) {

  835.     return ssl_hs_read_message;

  836.   }

  837. 

  838.   switch (ssl_verify_peer_cert(hs)) {

  839.     case ssl_verify_ok:

  840.       break;

  841.     case ssl_verify_invalid:

  842.       return ssl_hs_error;

  843.     case ssl_verify_retry:

  844.       hs->tls13_state = state_read_client_certificate_verify;

  845.       return ssl_hs_certificate_verify;

  846.   }

  847. 

  848.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||

  849.       !tls13_process_certificate_verify(hs, msg) ||

  850.       !ssl_hash_message(hs, msg)) {

  851.     return ssl_hs_error;

  852.   }

  853. 

  854.   ssl->method->next_message(ssl);

  855.   hs->tls13_state = state_read_channel_id;

  856.   return ssl_hs_ok;

  857. }

  858. 

  859. static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {

  860.   SSL *const ssl = hs->ssl;

  861.   if (!ssl->s3->tlsext_channel_id_valid) {

  862.     hs->tls13_state = state_read_client_finished;

  863.     return ssl_hs_ok;

  864.   }

  865. 

  866.   SSLMessage msg;

  867.   if (!ssl->method->get_message(ssl, &msg)) {

  868.     return ssl_hs_read_message;

  869.   }

  870.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||

  871.       !tls1_verify_channel_id(hs, msg) ||

  872.       !ssl_hash_message(hs, msg)) {

  873.     return ssl_hs_error;

  874.   }

  875. 

  876.   ssl->method->next_message(ssl);

  877.   hs->tls13_state = state_read_client_finished;

  878.   return ssl_hs_ok;

  879. }

  880. 

  881. static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {

  882.   SSL *const ssl = hs->ssl;

  883.   SSLMessage msg;

  884.   if (!ssl->method->get_message(ssl, &msg)) {

  885.     return ssl_hs_read_message;

  886.   }

  887.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||

  888.       // If early data was accepted, we've already computed the client Finished

  889.       // and derived the resumption secret.

  890.       !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||

  891.       // evp_aead_seal keys have already been switched.

  892.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,

  893.                              hs->hash_len)) {

  894.     return ssl_hs_error;

  895.   }

  896. 

  897.   if (!ssl->s3->early_data_accepted) {

  898.     if (!ssl_hash_message(hs, msg) ||

  899.         !tls13_derive_resumption_secret(hs)) {

  900.       return ssl_hs_error;

  901.     }

  902. 

  903.     // We send post-handshake tickets as part of the handshake in 1-RTT.

  904.     hs->tls13_state = state_send_new_session_ticket;

  905.   } else {

  906.     // We already sent half-RTT tickets.

  907.     hs->tls13_state = state_done;

  908.   }

  909. 

  910.   ssl->method->next_message(ssl);

  911.   return ssl_hs_ok;

  912. }

  913. 

  914. static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {

  915.   // If the client doesn't accept resumption with PSK_DHE_KE, don't send a

  916.   // session ticket.

  917.   if (!hs->accept_psk_mode) {

  918.     hs->tls13_state = state_done;

  919.     return ssl_hs_ok;

  920.   }

  921. 

  922.   if (!add_new_session_tickets(hs)) {

  923.     return ssl_hs_error;

  924.   }

  925. 

  926.   hs->tls13_state = state_done;

  927.   return ssl_hs_flush;

  928. }

  929. 

  930. enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {

  931.   while (hs->tls13_state != state_done) {

  932.     enum ssl_hs_wait_t ret = ssl_hs_error;

  933.     enum server_hs_state_t state =

  934.         static_cast<enum server_hs_state_t>(hs->tls13_state);

  935.     switch (state) {

  936.       case state_select_parameters:

  937.         ret = do_select_parameters(hs);

  938.         break;

  939.       case state_select_session:

  940.         ret = do_select_session(hs);

  941.         break;

  942.       case state_send_hello_retry_request:

  943.         ret = do_send_hello_retry_request(hs);

  944.         break;

  945.       case state_read_second_client_hello:

  946.         ret = do_read_second_client_hello(hs);

  947.         break;

  948.       case state_send_server_hello:

  949.         ret = do_send_server_hello(hs);

  950.         break;

  951.       case state_send_server_certificate_verify:

  952.         ret = do_send_server_certificate_verify(hs);

  953.         break;

  954.       case state_send_server_finished:

  955.         ret = do_send_server_finished(hs);

  956.         break;

  957.       case state_read_second_client_flight:

  958.         ret = do_read_second_client_flight(hs);

  959.         break;

  960.       case state_process_end_of_early_data:

  961.         ret = do_process_end_of_early_data(hs);

  962.         break;

  963.       case state_read_client_certificate:

  964.         ret = do_read_client_certificate(hs);

  965.         break;

  966.       case state_read_client_certificate_verify:

  967.         ret = do_read_client_certificate_verify(hs);

  968.         break;

  969.       case state_read_channel_id:

  970.         ret = do_read_channel_id(hs);

  971.         break;

  972.       case state_read_client_finished:

  973.         ret = do_read_client_finished(hs);

  974.         break;

  975.       case state_send_new_session_ticket:

  976.         ret = do_send_new_session_ticket(hs);

  977.         break;

  978.       case state_done:

  979.         ret = ssl_hs_ok;

  980.         break;

  981.     }

  982. 

  983.     if (hs->tls13_state != state) {

  984.       ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);

  985.     }

  986. 

  987.     if (ret != ssl_hs_ok) {

  988.       return ret;

  989.     }

  990.   }

  991. 

  992.   return ssl_hs_ok;

  993. }

  994. 

  995. const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {

  996.   enum server_hs_state_t state =

  997.       static_cast<enum server_hs_state_t>(hs->tls13_state);

  998.   switch (state) {

  999.     case state_select_parameters:

  1000.       return "TLS 1.3 server select_parameters";

  1001.     case state_select_session:

  1002.       return "TLS 1.3 server select_session";

  1003.     case state_send_hello_retry_request:

  1004.       return "TLS 1.3 server send_hello_retry_request";

  1005.     case state_read_second_client_hello:

  1006.       return "TLS 1.3 server read_second_client_hello";

  1007.     case state_send_server_hello:

  1008.       return "TLS 1.3 server send_server_hello";

  1009.     case state_send_server_certificate_verify:

  1010.       return "TLS 1.3 server send_server_certificate_verify";

  1011.     case state_send_server_finished:

  1012.       return "TLS 1.3 server send_server_finished";

  1013.     case state_read_second_client_flight:

  1014.       return "TLS 1.3 server read_second_client_flight";

  1015.     case state_process_end_of_early_data:

  1016.       return "TLS 1.3 server process_end_of_early_data";

  1017.     case state_read_client_certificate:

  1018.       return "TLS 1.3 server read_client_certificate";

  1019.     case state_read_client_certificate_verify:

  1020.       return "TLS 1.3 server read_client_certificate_verify";

  1021.     case state_read_channel_id:

  1022.       return "TLS 1.3 server read_channel_id";

  1023.     case state_read_client_finished:

  1024.       return "TLS 1.3 server read_client_finished";

  1025.     case state_send_new_session_ticket:

  1026.       return "TLS 1.3 server send_new_session_ticket";

  1027.     case state_done:

  1028.       return "TLS 1.3 server done";

  1029.   }

  1030. 

  1031.   return "TLS 1.3 server unknown";

  1032. }

  1033. 

  1034. }  // namespace bssl