kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
4340 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Struktur: 6fff386492
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „6fff386492“
${ noResults }
boringssl/ssl/tls13_server.c

841 Zeilen
27 KiB
Originalformat Blame Verlauf 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/aead.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/digest.h>

  23. #include <openssl/err.h>

  24. #include <openssl/mem.h>

  25. #include <openssl/rand.h>

  26. #include <openssl/stack.h>

  27. 

  28. #include "../crypto/internal.h"

  29. #include "internal.h"

  30. 

  31. 

  32. enum server_hs_state_t {

  33.   state_select_parameters = 0,

  34.   state_select_session,

  35.   state_send_hello_retry_request,

  36.   state_process_second_client_hello,

  37.   state_send_server_hello,

  38.   state_send_server_certificate_verify,

  39.   state_send_server_finished,

  40.   state_read_second_client_flight,

  41.   state_process_end_of_early_data,

  42.   state_process_client_certificate,

  43.   state_process_client_certificate_verify,

  44.   state_process_channel_id,

  45.   state_process_client_finished,

  46.   state_send_new_session_ticket,

  47.   state_done,

  48. };

  49. 

  50. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  51. 

  52. static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, int *out_need_retry,

  53.                                 SSL_CLIENT_HELLO *client_hello) {

  54.   SSL *const ssl = hs->ssl;

  55.   *out_need_retry = 0;

  56. 

  57.   /* We only support connections that include an ECDHE key exchange. */

  58.   CBS key_share;

  59.   if (!ssl_client_hello_get_extension(client_hello, &key_share,

  60.                                       TLSEXT_TYPE_key_share)) {

  61.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  62.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  63.     return 0;

  64.   }

  65. 

  66.   int found_key_share;

  67.   uint8_t *dhe_secret;

  68.   size_t dhe_secret_len;

  69.   uint8_t alert = SSL_AD_DECODE_ERROR;

  70.   if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,

  71.                                            &dhe_secret_len, &alert,

  72.                                            &key_share)) {

  73.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  74.     return 0;

  75.   }

  76. 

  77.   if (!found_key_share) {

  78.     *out_need_retry = 1;

  79.     return 0;

  80.   }

  81. 

  82.   int ok = tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len);

  83.   OPENSSL_free(dhe_secret);

  84.   return ok;

  85. }

  86. 

  87. static const SSL_CIPHER *choose_tls13_cipher(

  88.     const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {

  89.   if (client_hello->cipher_suites_len % 2 != 0) {

  90.     return NULL;

  91.   }

  92. 

  93.   CBS cipher_suites;

  94.   CBS_init(&cipher_suites, client_hello->cipher_suites,

  95.            client_hello->cipher_suites_len);

  96. 

  97.   const int aes_is_fine = EVP_has_aes_hardware();

  98.   const uint16_t version = ssl3_protocol_version(ssl);

  99. 

  100.   const SSL_CIPHER *best = NULL;

  101.   while (CBS_len(&cipher_suites) > 0) {

  102.     uint16_t cipher_suite;

  103.     if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {

  104.       return NULL;

  105.     }

  106. 

  107.     /* Limit to TLS 1.3 ciphers we know about. */

  108.     const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);

  109.     if (candidate == NULL ||

  110.         SSL_CIPHER_get_min_version(candidate) > version ||

  111.         SSL_CIPHER_get_max_version(candidate) < version) {

  112.       continue;

  113.     }

  114. 

  115.     /* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer

  116.      * ChaCha20 if we do not have AES hardware. */

  117.     if (aes_is_fine) {

  118.       return candidate;

  119.     }

  120. 

  121.     if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {

  122.       return candidate;

  123.     }

  124. 

  125.     if (best == NULL) {

  126.       best = candidate;

  127.     }

  128.   }

  129. 

  130.   return best;

  131. }

  132. 

  133. static int add_new_session_tickets(SSL_HANDSHAKE *hs) {

  134.   SSL *const ssl = hs->ssl;

  135.   /* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case

  136.    * the client makes several connections before getting a renewal. */

  137.   static const int kNumTickets = 2;

  138. 

  139.   SSL_SESSION *session = hs->new_session;

  140.   CBB cbb;

  141.   CBB_zero(&cbb);

  142. 

  143.   /* Rebase the session timestamp so that it is measured from ticket

  144.    * issuance. */

  145.   ssl_session_rebase_time(ssl, session);

  146. 

  147.   for (int i = 0; i < kNumTickets; i++) {

  148.     if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {

  149.       goto err;

  150.     }

  151.     session->ticket_age_add_valid = 1;

  152. 

  153.     CBB body, ticket, extensions;

  154.     if (!ssl->method->init_message(ssl, &cbb, &body,

  155.                                    SSL3_MT_NEW_SESSION_TICKET) ||

  156.         !CBB_add_u32(&body, session->timeout) ||

  157.         !CBB_add_u32(&body, session->ticket_age_add) ||

  158.         !CBB_add_u16_length_prefixed(&body, &ticket) ||

  159.         !ssl_encrypt_ticket(ssl, &ticket, session) ||

  160.         !CBB_add_u16_length_prefixed(&body, &extensions)) {

  161.       goto err;

  162.     }

  163. 

  164.     if (ssl->cert->enable_early_data) {

  165.       session->ticket_max_early_data = kMaxEarlyDataAccepted;

  166. 

  167.       CBB early_data_info;

  168.       if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) ||

  169.           !CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||

  170.           !CBB_add_u32(&early_data_info, session->ticket_max_early_data) ||

  171.           !CBB_flush(&extensions)) {

  172.         goto err;

  173.       }

  174.     }

  175. 

  176.     /* Add a fake extension. See draft-davidben-tls-grease-01. */

  177.     if (!CBB_add_u16(&extensions,

  178.                      ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||

  179.         !CBB_add_u16(&extensions, 0 /* empty */)) {

  180.       goto err;

  181.     }

  182. 

  183.     if (!ssl_add_message_cbb(ssl, &cbb)) {

  184.       goto err;

  185.     }

  186.   }

  187. 

  188.   return 1;

  189. 

  190. err:

  191.   CBB_cleanup(&cbb);

  192.   return 0;

  193. }

  194. 

  195. static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {

  196.   /* At this point, most ClientHello extensions have already been processed by

  197.    * the common handshake logic. Resolve the remaining non-PSK parameters. */

  198.   SSL *const ssl = hs->ssl;

  199. 

  200.   SSL_CLIENT_HELLO client_hello;

  201.   if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,

  202.                              ssl->init_num)) {

  203.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  204.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  205.     return ssl_hs_error;

  206.   }

  207. 

  208.   /* Negotiate the cipher suite. */

  209.   hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);

  210.   if (hs->new_cipher == NULL) {

  211.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);

  212.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

  213.     return ssl_hs_error;

  214.   }

  215. 

  216.   /* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was

  217.    * deferred. Complete it now. */

  218.   uint8_t alert = SSL_AD_DECODE_ERROR;

  219.   if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {

  220.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  221.     return ssl_hs_error;

  222.   }

  223. 

  224.   /* The PRF hash is now known. Set up the key schedule and hash the

  225.    * ClientHello. */

  226.   if (!tls13_init_key_schedule(hs) ||

  227.       !ssl_hash_current_message(hs)) {

  228.     return ssl_hs_error;

  229.   }

  230. 

  231.   hs->tls13_state = state_select_session;

  232.   return ssl_hs_ok;

  233. }

  234. 

  235. static enum ssl_ticket_aead_result_t select_session(

  236.     SSL_HANDSHAKE *hs, uint8_t *out_alert, SSL_SESSION **out_session,

  237.     int32_t *out_ticket_age_skew, const SSL_CLIENT_HELLO *client_hello) {

  238.   SSL *const ssl = hs->ssl;

  239.   *out_session = NULL;

  240. 

  241.   /* Decode the ticket if we agreed on a PSK key exchange mode. */

  242.   CBS pre_shared_key;

  243.   if (!hs->accept_psk_mode ||

  244.       !ssl_client_hello_get_extension(client_hello, &pre_shared_key,

  245.                                       TLSEXT_TYPE_pre_shared_key)) {

  246.     return ssl_ticket_aead_ignore_ticket;

  247.   }

  248. 

  249.   /* Verify that the pre_shared_key extension is the last extension in

  250.    * ClientHello. */

  251.   if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=

  252.       client_hello->extensions + client_hello->extensions_len) {

  253.     OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);

  254.     *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  255.     return ssl_ticket_aead_error;

  256.   }

  257. 

  258.   CBS ticket, binders;

  259.   uint32_t client_ticket_age;

  260.   if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &ticket, &binders,

  261.                                                 &client_ticket_age, out_alert,

  262.                                                 &pre_shared_key)) {

  263.     return ssl_ticket_aead_error;

  264.   }

  265. 

  266.   /* TLS 1.3 session tickets are renewed separately as part of the

  267.    * NewSessionTicket. */

  268.   int unused_renew;

  269.   SSL_SESSION *session = NULL;

  270.   enum ssl_ticket_aead_result_t ret =

  271.       ssl_process_ticket(ssl, &session, &unused_renew, CBS_data(&ticket),

  272.                          CBS_len(&ticket), NULL, 0);

  273.   switch (ret) {

  274.     case ssl_ticket_aead_success:

  275.       break;

  276.     case ssl_ticket_aead_error:

  277.       *out_alert = SSL_AD_INTERNAL_ERROR;

  278.       return ret;

  279.     default:

  280.       return ret;

  281.   }

  282. 

  283.   if (!ssl_session_is_resumable(hs, session) ||

  284.       /* Historically, some TLS 1.3 tickets were missing ticket_age_add. */

  285.       !session->ticket_age_add_valid) {

  286.     SSL_SESSION_free(session);

  287.     return ssl_ticket_aead_ignore_ticket;

  288.   }

  289. 

  290.   /* Recover the client ticket age and convert to seconds. */

  291.   client_ticket_age -= session->ticket_age_add;

  292.   client_ticket_age /= 1000;

  293. 

  294.   struct OPENSSL_timeval now;

  295.   ssl_get_current_time(ssl, &now);

  296. 

  297.   /* Compute the server ticket age in seconds. */

  298.   assert(now.tv_sec >= session->time);

  299.   uint64_t server_ticket_age = now.tv_sec - session->time;

  300. 

  301.   /* To avoid overflowing |hs->ticket_age_skew|, we will not resume

  302.    * 68-year-old sessions. */

  303.   if (server_ticket_age > INT32_MAX) {

  304.     SSL_SESSION_free(session);

  305.     return ssl_ticket_aead_ignore_ticket;

  306.   }

  307. 

  308.   /* TODO(davidben,svaldez): Measure this value to decide on tolerance. For

  309.    * now, accept all values. https://crbug.com/boringssl/113. */

  310.   *out_ticket_age_skew =

  311.       (int32_t)client_ticket_age - (int32_t)server_ticket_age;

  312. 

  313.   /* Check the PSK binder. */

  314.   if (!tls13_verify_psk_binder(hs, session, &binders)) {

  315.     SSL_SESSION_free(session);

  316.     *out_alert = SSL_AD_DECRYPT_ERROR;

  317.     return ssl_ticket_aead_error;

  318.   }

  319. 

  320.   *out_session = session;

  321.   return ssl_ticket_aead_success;

  322. }

  323. 

  324. static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {

  325.   SSL *const ssl = hs->ssl;

  326.   SSL_CLIENT_HELLO client_hello;

  327.   if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,

  328.                              ssl->init_num)) {

  329.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  330.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  331.     return ssl_hs_error;

  332.   }

  333. 

  334.   uint8_t alert = SSL_AD_DECODE_ERROR;

  335.   SSL_SESSION *session = NULL;

  336.   switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,

  337.                          &client_hello)) {

  338.     case ssl_ticket_aead_ignore_ticket:

  339.       assert(session == NULL);

  340.       if (!ssl_get_new_session(hs, 1 /* server */)) {

  341.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  342.         return ssl_hs_error;

  343.       }

  344.       break;

  345. 

  346.     case ssl_ticket_aead_success:

  347.       /* Carry over authentication information from the previous handshake into

  348.        * a fresh session. */

  349.       hs->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);

  350. 

  351.       if (/* Early data must be acceptable for this ticket. */

  352.           ssl->cert->enable_early_data &&

  353.           session->ticket_max_early_data != 0 &&

  354.           /* The client must have offered early data. */

  355.           hs->early_data_offered &&

  356.           /* Channel ID is incompatible with 0-RTT. */

  357.           !ssl->s3->tlsext_channel_id_valid &&

  358.           /* The negotiated ALPN must match the one in the ticket. */

  359.           ssl->s3->alpn_selected_len == session->early_alpn_len &&

  360.           OPENSSL_memcmp(ssl->s3->alpn_selected, session->early_alpn,

  361.                          ssl->s3->alpn_selected_len) == 0) {

  362.         ssl->early_data_accepted = 1;

  363.       }

  364. 

  365.       SSL_SESSION_free(session);

  366.       if (hs->new_session == NULL) {

  367.         ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  368.         return ssl_hs_error;

  369.       }

  370. 

  371.       ssl->s3->session_reused = 1;

  372. 

  373.       /* Resumption incorporates fresh key material, so refresh the timeout. */

  374.       ssl_session_renew_timeout(ssl, hs->new_session,

  375.                                 ssl->session_ctx->session_psk_dhe_timeout);

  376.       break;

  377. 

  378.     case ssl_ticket_aead_error:

  379.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  380.       return ssl_hs_error;

  381. 

  382.     case ssl_ticket_aead_retry:

  383.       hs->tls13_state = state_select_session;

  384.       return ssl_hs_pending_ticket;

  385.   }

  386. 

  387.   /* Record connection properties in the new session. */

  388.   hs->new_session->cipher = hs->new_cipher;

  389. 

  390.   if (hs->hostname != NULL) {

  391.     OPENSSL_free(hs->new_session->tlsext_hostname);

  392.     hs->new_session->tlsext_hostname = BUF_strdup(hs->hostname);

  393.     if (hs->new_session->tlsext_hostname == NULL) {

  394.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  395.       return ssl_hs_error;

  396.     }

  397.   }

  398. 

  399.   /* Store the initial negotiated ALPN in the session. */

  400.   if (ssl->s3->alpn_selected != NULL) {

  401.     hs->new_session->early_alpn =

  402.         BUF_memdup(ssl->s3->alpn_selected, ssl->s3->alpn_selected_len);

  403.     if (hs->new_session->early_alpn == NULL) {

  404.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  405.       return ssl_hs_error;

  406.     }

  407.     hs->new_session->early_alpn_len = ssl->s3->alpn_selected_len;

  408.   }

  409. 

  410.   if (ssl->ctx->dos_protection_cb != NULL &&

  411.       ssl->ctx->dos_protection_cb(&client_hello) == 0) {

  412.     /* Connection rejected for DOS reasons. */

  413.     OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);

  414.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  415.     return ssl_hs_error;

  416.   }

  417. 

  418.   /* Incorporate the PSK into the running secret. */

  419.   if (ssl->s3->session_reused) {

  420.     if (!tls13_advance_key_schedule(hs, hs->new_session->master_key,

  421.                                     hs->new_session->master_key_length)) {

  422.       return ssl_hs_error;

  423.     }

  424.   } else if (!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len)) {

  425.     return ssl_hs_error;

  426.   }

  427. 

  428.   if (ssl->early_data_accepted) {

  429.     if (!tls13_derive_early_secrets(hs)) {

  430.       return ssl_hs_error;

  431.     }

  432.   } else if (hs->early_data_offered) {

  433.     ssl->s3->skip_early_data = 1;

  434.   }

  435. 

  436.   ssl->method->received_flight(ssl);

  437. 

  438.   /* Resolve ECDHE and incorporate it into the secret. */

  439.   int need_retry;

  440.   if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {

  441.     if (need_retry) {

  442.       ssl->early_data_accepted = 0;

  443.       ssl->s3->skip_early_data = 1;

  444.       hs->tls13_state = state_send_hello_retry_request;

  445.       return ssl_hs_ok;

  446.     }

  447.     return ssl_hs_error;

  448.   }

  449. 

  450.   hs->tls13_state = state_send_server_hello;

  451.   return ssl_hs_ok;

  452. }

  453. 

  454. static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {

  455.   SSL *const ssl = hs->ssl;

  456.   CBB cbb, body, extensions;

  457.   uint16_t group_id;

  458.   if (!ssl->method->init_message(ssl, &cbb, &body,

  459.                                  SSL3_MT_HELLO_RETRY_REQUEST) ||

  460.       !CBB_add_u16(&body, ssl->version) ||

  461.       !tls1_get_shared_group(hs, &group_id) ||

  462.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  463.       !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||

  464.       !CBB_add_u16(&extensions, 2 /* length */) ||

  465.       !CBB_add_u16(&extensions, group_id) ||

  466.       !ssl_add_message_cbb(ssl, &cbb)) {

  467.     CBB_cleanup(&cbb);

  468.     return ssl_hs_error;

  469.   }

  470. 

  471.   hs->tls13_state = state_process_second_client_hello;

  472.   return ssl_hs_flush_and_read_message;

  473. }

  474. 

  475. static enum ssl_hs_wait_t do_process_second_client_hello(SSL_HANDSHAKE *hs) {

  476.   SSL *const ssl = hs->ssl;

  477.   if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {

  478.     return ssl_hs_error;

  479.   }

  480. 

  481.   SSL_CLIENT_HELLO client_hello;

  482.   if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,

  483.                              ssl->init_num)) {

  484.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  485.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  486.     return ssl_hs_error;

  487.   }

  488. 

  489.   int need_retry;

  490.   if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {

  491.     if (need_retry) {

  492.       /* Only send one HelloRetryRequest. */

  493.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  494.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  495.     }

  496.     return ssl_hs_error;

  497.   }

  498. 

  499.   if (!ssl_hash_current_message(hs)) {

  500.     return ssl_hs_error;

  501.   }

  502. 

  503.   ssl->method->received_flight(ssl);

  504.   hs->tls13_state = state_send_server_hello;

  505.   return ssl_hs_ok;

  506. }

  507. 

  508. static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {

  509.   SSL *const ssl = hs->ssl;

  510. 

  511.   /* Send a ServerHello. */

  512.   CBB cbb, body, extensions;

  513.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||

  514.       !CBB_add_u16(&body, ssl->version) ||

  515.       !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||

  516.       !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||

  517.       !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||

  518.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  519.       !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||

  520.       !ssl_ext_key_share_add_serverhello(hs, &extensions) ||

  521.       !ssl_add_message_cbb(ssl, &cbb)) {

  522.     goto err;

  523.   }

  524. 

  525.   /* Derive and enable the handshake traffic secrets. */

  526.   if (!tls13_derive_handshake_secrets(hs) ||

  527.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,

  528.                              hs->hash_len)) {

  529.     goto err;

  530.   }

  531. 

  532.   /* Send EncryptedExtensions. */

  533.   if (!ssl->method->init_message(ssl, &cbb, &body,

  534.                                  SSL3_MT_ENCRYPTED_EXTENSIONS) ||

  535.       !ssl_add_serverhello_tlsext(hs, &body) ||

  536.       !ssl_add_message_cbb(ssl, &cbb)) {

  537.     goto err;

  538.   }

  539. 

  540.   /* Determine whether to request a client certificate. */

  541.   hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);

  542.   /* CertificateRequest may only be sent in non-resumption handshakes. */

  543.   if (ssl->s3->session_reused) {

  544.     hs->cert_request = 0;

  545.   }

  546. 

  547.   /* Send a CertificateRequest, if necessary. */

  548.   if (hs->cert_request) {

  549.     CBB sigalgs_cbb;

  550.     if (!ssl->method->init_message(ssl, &cbb, &body,

  551.                                    SSL3_MT_CERTIFICATE_REQUEST) ||

  552.         !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||

  553.         !CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) ||

  554.         !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb) ||

  555.         !ssl_add_client_CA_list(ssl, &body) ||

  556.         !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||

  557.         !ssl_add_message_cbb(ssl, &cbb)) {

  558.       goto err;

  559.     }

  560.   }

  561. 

  562.   /* Send the server Certificate message, if necessary. */

  563.   if (!ssl->s3->session_reused) {

  564.     if (!ssl_has_certificate(ssl)) {

  565.       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);

  566.       goto err;

  567.     }

  568. 

  569.     if (!tls13_add_certificate(hs)) {

  570.       goto err;

  571.     }

  572. 

  573.     hs->tls13_state = state_send_server_certificate_verify;

  574.     return ssl_hs_ok;

  575.   }

  576. 

  577.   hs->tls13_state = state_send_server_finished;

  578.   return ssl_hs_ok;

  579. 

  580. err:

  581.   CBB_cleanup(&cbb);

  582.   return ssl_hs_error;

  583. }

  584. 

  585. static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {

  586.   switch (tls13_add_certificate_verify(hs)) {

  587.     case ssl_private_key_success:

  588.       hs->tls13_state = state_send_server_finished;

  589.       return ssl_hs_ok;

  590. 

  591.     case ssl_private_key_retry:

  592.       hs->tls13_state = state_send_server_certificate_verify;

  593.       return ssl_hs_private_key_operation;

  594. 

  595.     case ssl_private_key_failure:

  596.       return ssl_hs_error;

  597.   }

  598. 

  599.   assert(0);

  600.   return ssl_hs_error;

  601. }

  602. 

  603. static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {

  604.   SSL *const ssl = hs->ssl;

  605.   if (!tls13_add_finished(hs) ||

  606.       /* Update the secret to the master secret and derive traffic keys. */

  607.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  608.       !tls13_derive_application_secrets(hs) ||

  609.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,

  610.                              hs->hash_len)) {

  611.     return ssl_hs_error;

  612.   }

  613. 

  614.   if (ssl->early_data_accepted) {

  615.     /* If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on

  616.      * the wire sooner and also avoids triggering a write on |SSL_read| when

  617.      * processing the client Finished. This requires computing the client

  618.      * Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. */

  619.     size_t finished_len;

  620.     if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,

  621.                             0 /* client */)) {

  622.       return ssl_hs_error;

  623.     }

  624. 

  625.     if (finished_len != hs->hash_len) {

  626.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  627.       return ssl_hs_error;

  628.     }

  629. 

  630.     /* Feed the predicted Finished into the transcript. This allows us to derive

  631.      * the resumption secret early and send half-RTT tickets.

  632.      *

  633.      * TODO(davidben): This will need to be updated for DTLS 1.3. */

  634.     assert(!SSL_is_dtls(hs->ssl));

  635.     uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0, hs->hash_len};

  636.     if (!SSL_TRANSCRIPT_update(&hs->transcript, header, sizeof(header)) ||

  637.         !SSL_TRANSCRIPT_update(&hs->transcript, hs->expected_client_finished,

  638.                                hs->hash_len) ||

  639.         !tls13_derive_resumption_secret(hs) ||

  640.         !add_new_session_tickets(hs)) {

  641.       return ssl_hs_error;

  642.     }

  643.   }

  644. 

  645.   hs->tls13_state = state_read_second_client_flight;

  646.   return ssl_hs_flush;

  647. }

  648. 

  649. static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {

  650.   SSL *const ssl = hs->ssl;

  651.   if (ssl->early_data_accepted) {

  652.     if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->early_traffic_secret,

  653.                                hs->hash_len)) {

  654.       return ssl_hs_error;

  655.     }

  656.     hs->can_early_write = 1;

  657.     hs->can_early_read = 1;

  658.     hs->in_early_data = 1;

  659.     hs->tls13_state = state_process_end_of_early_data;

  660.     return ssl_hs_read_end_of_early_data;

  661.   }

  662.   hs->tls13_state = state_process_end_of_early_data;

  663.   return ssl_hs_ok;

  664. }

  665. 

  666. static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {

  667.   SSL *const ssl = hs->ssl;

  668.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,

  669.                              hs->hash_len)) {

  670.     return ssl_hs_error;

  671.   }

  672.   hs->tls13_state = ssl->early_data_accepted ? state_process_client_finished

  673.                                              : state_process_client_certificate;

  674.   return ssl_hs_read_message;

  675. }

  676. 

  677. static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) {

  678.   SSL *const ssl = hs->ssl;

  679.   if (!hs->cert_request) {

  680.     /* OpenSSL returns X509_V_OK when no certificates are requested. This is

  681.      * classed by them as a bug, but it's assumed by at least NGINX. */

  682.     hs->new_session->verify_result = X509_V_OK;

  683. 

  684.     /* Skip this state. */

  685.     hs->tls13_state = state_process_channel_id;

  686.     return ssl_hs_ok;

  687.   }

  688. 

  689.   const int allow_anonymous =

  690.       (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;

  691. 

  692.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  693.       !tls13_process_certificate(hs, allow_anonymous) ||

  694.       !ssl_hash_current_message(hs)) {

  695.     return ssl_hs_error;

  696.   }

  697. 

  698.   hs->tls13_state = state_process_client_certificate_verify;

  699.   return ssl_hs_read_message;

  700. }

  701. 

  702. static enum ssl_hs_wait_t do_process_client_certificate_verify(

  703.     SSL_HANDSHAKE *hs) {

  704.   SSL *const ssl = hs->ssl;

  705.   if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) {

  706.     /* Skip this state. */

  707.     hs->tls13_state = state_process_channel_id;

  708.     return ssl_hs_ok;

  709.   }

  710. 

  711.   if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  712.       !tls13_process_certificate_verify(hs) ||

  713.       !ssl_hash_current_message(hs)) {

  714.     return ssl_hs_error;

  715.   }

  716. 

  717.   hs->tls13_state = state_process_channel_id;

  718.   return ssl_hs_read_message;

  719. }

  720. 

  721. static enum ssl_hs_wait_t do_process_channel_id(SSL_HANDSHAKE *hs) {

  722.   if (!hs->ssl->s3->tlsext_channel_id_valid) {

  723.     hs->tls13_state = state_process_client_finished;

  724.     return ssl_hs_ok;

  725.   }

  726. 

  727.   if (!ssl_check_message_type(hs->ssl, SSL3_MT_CHANNEL_ID) ||

  728.       !tls1_verify_channel_id(hs) ||

  729.       !ssl_hash_current_message(hs)) {

  730.     return ssl_hs_error;

  731.   }

  732. 

  733.   hs->tls13_state = state_process_client_finished;

  734.   return ssl_hs_read_message;

  735. }

  736. 

  737. static enum ssl_hs_wait_t do_process_client_finished(SSL_HANDSHAKE *hs) {

  738.   SSL *const ssl = hs->ssl;

  739.   if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) ||

  740.       /* If early data was accepted, we've already computed the client Finished

  741.        * and derived the resumption secret. */

  742.       !tls13_process_finished(hs, ssl->early_data_accepted) ||

  743.       /* evp_aead_seal keys have already been switched. */

  744.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,

  745.                              hs->hash_len)) {

  746.     return ssl_hs_error;

  747.   }

  748. 

  749.   ssl->method->received_flight(ssl);

  750. 

  751.   if (!ssl->early_data_accepted) {

  752.     if (!ssl_hash_current_message(hs) ||

  753.         !tls13_derive_resumption_secret(hs)) {

  754.       return ssl_hs_error;

  755.     }

  756. 

  757.     /* We send post-handshake tickets as part of the handshake in 1-RTT. */

  758.     hs->tls13_state = state_send_new_session_ticket;

  759.     return ssl_hs_ok;

  760.   }

  761. 

  762.   hs->tls13_state = state_done;

  763.   return ssl_hs_ok;

  764. }

  765. 

  766. static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {

  767.   /* If the client doesn't accept resumption with PSK_DHE_KE, don't send a

  768.    * session ticket. */

  769.   if (!hs->accept_psk_mode) {

  770.     hs->tls13_state = state_done;

  771.     return ssl_hs_ok;

  772.   }

  773. 

  774.   if (!add_new_session_tickets(hs)) {

  775.     return ssl_hs_error;

  776.   }

  777. 

  778.   hs->tls13_state = state_done;

  779.   return ssl_hs_flush;

  780. }

  781. 

  782. enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {

  783.   while (hs->tls13_state != state_done) {

  784.     enum ssl_hs_wait_t ret = ssl_hs_error;

  785.     enum server_hs_state_t state = hs->tls13_state;

  786.     switch (state) {

  787.       case state_select_parameters:

  788.         ret = do_select_parameters(hs);

  789.         break;

  790.       case state_select_session:

  791.         ret = do_select_session(hs);

  792.         break;

  793.       case state_send_hello_retry_request:

  794.         ret = do_send_hello_retry_request(hs);

  795.         break;

  796.       case state_process_second_client_hello:

  797.         ret = do_process_second_client_hello(hs);

  798.         break;

  799.       case state_send_server_hello:

  800.         ret = do_send_server_hello(hs);

  801.         break;

  802.       case state_send_server_certificate_verify:

  803.         ret = do_send_server_certificate_verify(hs);

  804.         break;

  805.       case state_send_server_finished:

  806.         ret = do_send_server_finished(hs);

  807.         break;

  808.       case state_read_second_client_flight:

  809.         ret = do_read_second_client_flight(hs);

  810.         break;

  811.       case state_process_end_of_early_data:

  812.         ret = do_process_end_of_early_data(hs);

  813.         break;

  814.       case state_process_client_certificate:

  815.         ret = do_process_client_certificate(hs);

  816.         break;

  817.       case state_process_client_certificate_verify:

  818.         ret = do_process_client_certificate_verify(hs);

  819.         break;

  820.       case state_process_channel_id:

  821.         ret = do_process_channel_id(hs);

  822.         break;

  823.       case state_process_client_finished:

  824.         ret = do_process_client_finished(hs);

  825.         break;

  826.       case state_send_new_session_ticket:

  827.         ret = do_send_new_session_ticket(hs);

  828.         break;

  829.       case state_done:

  830.         ret = ssl_hs_ok;

  831.         break;

  832.     }

  833. 

  834.     if (ret != ssl_hs_ok) {

  835.       return ret;

  836.     }

  837.   }

  838. 

  839.   return ssl_hs_ok;

  840. }