kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
3004 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Struktur: d5d24fd14e
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „d5d24fd14e“
${ noResults }
boringssl/ssl/tls13_server.c

566 Zeilen
18 KiB
Originalformat Blame Verlauf 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bytestring.h>

  21. #include <openssl/digest.h>

  22. #include <openssl/err.h>

  23. #include <openssl/mem.h>

  24. #include <openssl/rand.h>

  25. #include <openssl/stack.h>

  26. 

  27. #include "internal.h"

  28. 

  29. 

  30. enum server_hs_state_t {

  31.   state_process_client_hello = 0,

  32.   state_send_hello_retry_request,

  33.   state_flush_hello_retry_request,

  34.   state_process_second_client_hello,

  35.   state_send_server_hello,

  36.   state_send_encrypted_extensions,

  37.   state_send_certificate_request,

  38.   state_send_server_certificate,

  39.   state_send_server_certificate_verify,

  40.   state_complete_server_certificate_verify,

  41.   state_send_server_finished,

  42.   state_flush,

  43.   state_process_client_certificate,

  44.   state_process_client_certificate_verify,

  45.   state_process_client_finished,

  46.   state_done,

  47. };

  48. 

  49. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  50. 

  51. static int resolve_psk_secret(SSL *ssl) {

  52.   SSL_HANDSHAKE *hs = ssl->s3->hs;

  53. 

  54.   if (ssl->s3->tmp.new_cipher->algorithm_auth != SSL_aPSK) {

  55.     return tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len);

  56.   }

  57. 

  58.   /* TODO(davidben): Support PSK. */

  59.   OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  60.   return 0;

  61. }

  62. 

  63. static int resolve_ecdhe_secret(SSL *ssl, int *out_need_retry,

  64.                                 struct ssl_early_callback_ctx *early_ctx) {

  65.   *out_need_retry = 0;

  66.   SSL_HANDSHAKE *hs = ssl->s3->hs;

  67. 

  68.   if (ssl->s3->tmp.new_cipher->algorithm_mkey != SSL_kECDHE) {

  69.     return tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len);

  70.   }

  71. 

  72.   const uint8_t *key_share_buf = NULL;

  73.   size_t key_share_len = 0;

  74.   CBS key_share;

  75.   if (!SSL_early_callback_ctx_extension_get(early_ctx, TLSEXT_TYPE_key_share,

  76.                                             &key_share_buf, &key_share_len)) {

  77.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  78.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  79.     return ssl_hs_error;

  80.   }

  81. 

  82.   CBS_init(&key_share, key_share_buf, key_share_len);

  83.   int found_key_share;

  84.   uint8_t *dhe_secret;

  85.   size_t dhe_secret_len;

  86.   uint8_t alert;

  87.   if (!ext_key_share_parse_clienthello(ssl, &found_key_share, &dhe_secret,

  88.                                        &dhe_secret_len, &alert, &key_share)) {

  89.     ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  90.     return 0;

  91.   }

  92. 

  93.   if (!found_key_share) {

  94.     *out_need_retry = 1;

  95.     return 0;

  96.   }

  97. 

  98.   int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);

  99.   OPENSSL_free(dhe_secret);

  100.   return ok;

  101. }

  102. 

  103. static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) {

  104.   if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {

  105.     return ssl_hs_error;

  106.   }

  107. 

  108.   struct ssl_early_callback_ctx early_ctx;

  109.   if (!ssl_early_callback_init(ssl, &early_ctx, ssl->init_msg,

  110.                                ssl->init_num)) {

  111.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  112.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  113.     return ssl_hs_error;

  114.   }

  115. 

  116.   CBS cbs, client_random, session_id, cipher_suites, compression_methods;

  117.   uint16_t client_wire_version;

  118.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  119.   if (!CBS_get_u16(&cbs, &client_wire_version) ||

  120.       !CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE) ||

  121.       !CBS_get_u8_length_prefixed(&cbs, &session_id) ||

  122.       CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {

  123.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  124.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  125.     return ssl_hs_error;

  126.   }

  127. 

  128.   uint16_t min_version, max_version;

  129.   if (!ssl_get_version_range(ssl, &min_version, &max_version)) {

  130.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  131.     return ssl_hs_error;

  132.   }

  133. 

  134.   assert(ssl->s3->have_version);

  135. 

  136.   /* Load the client random. */

  137.   memcpy(ssl->s3->client_random, CBS_data(&client_random), SSL3_RANDOM_SIZE);

  138. 

  139.   ssl->hit = 0;

  140.   if (!ssl_get_new_session(ssl, 1 /* server */)) {

  141.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  142.     return ssl_hs_error;

  143.   }

  144. 

  145.   if (ssl->ctx->dos_protection_cb != NULL &&

  146.       ssl->ctx->dos_protection_cb(&early_ctx) == 0) {

  147.     /* Connection rejected for DOS reasons. */

  148.     OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);

  149.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ACCESS_DENIED);

  150.     return ssl_hs_error;

  151.   }

  152. 

  153.   if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites) ||

  154.       CBS_len(&cipher_suites) == 0 ||

  155.       CBS_len(&cipher_suites) % 2 != 0 ||

  156.       !CBS_get_u8_length_prefixed(&cbs, &compression_methods) ||

  157.       CBS_len(&compression_methods) == 0) {

  158.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  159.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  160.     return ssl_hs_error;

  161.   }

  162. 

  163.   /* TLS 1.3 requires the peer only advertise the null compression. */

  164.   if (CBS_len(&compression_methods) != 1 ||

  165.       CBS_data(&compression_methods)[0] != 0) {

  166.     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);

  167.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  168.     return ssl_hs_error;

  169.   }

  170. 

  171.   /* TLS extensions. */

  172.   if (!ssl_parse_clienthello_tlsext(ssl, &cbs)) {

  173.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  174.     return ssl_hs_error;

  175.   }

  176. 

  177.   /* There should be nothing left over in the message. */

  178.   if (CBS_len(&cbs) != 0) {

  179.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);

  180.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  181.     return ssl_hs_error;

  182.   }

  183. 

  184.   /* Let cert callback update server certificates if required.

  185.    *

  186.    * TODO(davidben): Can this get run earlier? */

  187.   if (ssl->cert->cert_cb != NULL) {

  188.     int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);

  189.     if (rv == 0) {

  190.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  191.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  192.       return ssl_hs_error;

  193.     }

  194.     if (rv < 0) {

  195.       hs->state = state_process_client_hello;

  196.       return ssl_hs_x509_lookup;

  197.     }

  198.   }

  199. 

  200.   STACK_OF(SSL_CIPHER) *ciphers =

  201.       ssl_bytes_to_cipher_list(ssl, &cipher_suites, max_version);

  202.   if (ciphers == NULL) {

  203.     return ssl_hs_error;

  204.   }

  205. 

  206.   const SSL_CIPHER *cipher =

  207.       ssl3_choose_cipher(ssl, ciphers, ssl_get_cipher_preferences(ssl));

  208.   sk_SSL_CIPHER_free(ciphers);

  209.   if (cipher == NULL) {

  210.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);

  211.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

  212.     return ssl_hs_error;

  213.   }

  214. 

  215.   ssl->session->cipher = cipher;

  216.   ssl->s3->tmp.new_cipher = cipher;

  217. 

  218.   /* The PRF hash is now known. Set up the key schedule and hash the

  219.    * ClientHello. */

  220.   size_t hash_len =

  221.       EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));

  222.   if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) {

  223.     return ssl_hs_error;

  224.   }

  225. 

  226.   /* Resolve PSK and incorporate it into the secret. */

  227.   if (!resolve_psk_secret(ssl)) {

  228.     return ssl_hs_error;

  229.   }

  230. 

  231.   /* Resolve ECDHE and incorporate it into the secret. */

  232.   int need_retry;

  233.   if (!resolve_ecdhe_secret(ssl, &need_retry, &early_ctx)) {

  234.     if (need_retry) {

  235.       hs->state = state_send_hello_retry_request;

  236.       return ssl_hs_ok;

  237.     }

  238.     return ssl_hs_error;

  239.   }

  240. 

  241.   hs->state = state_send_server_hello;

  242.   return ssl_hs_ok;

  243. }

  244. 

  245. static enum ssl_hs_wait_t do_send_hello_retry_request(SSL *ssl,

  246.                                                       SSL_HANDSHAKE *hs) {

  247.   CBB cbb, body, extensions;

  248.   uint16_t group_id;

  249.   if (!ssl->method->init_message(ssl, &cbb, &body,

  250.                                  SSL3_MT_HELLO_RETRY_REQUEST) ||

  251.       !CBB_add_u16(&body, ssl->version) ||

  252.       !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||

  253.       !tls1_get_shared_group(ssl, &group_id) ||

  254.       !CBB_add_u16(&body, group_id) ||

  255.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  256.       !ssl->method->finish_message(ssl, &cbb)) {

  257.     CBB_cleanup(&cbb);

  258.     return ssl_hs_error;

  259.   }

  260. 

  261.   hs->state = state_flush_hello_retry_request;

  262.   return ssl_hs_write_message;

  263. }

  264. 

  265. static enum ssl_hs_wait_t do_flush_hello_retry_request(SSL *ssl,

  266.                                                        SSL_HANDSHAKE *hs) {

  267.   hs->state = state_process_second_client_hello;

  268.   return ssl_hs_flush_and_read_message;

  269. }

  270. 

  271. static enum ssl_hs_wait_t do_process_second_client_hello(SSL *ssl,

  272.                                                       SSL_HANDSHAKE *hs) {

  273.   if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {

  274.     return ssl_hs_error;

  275.   }

  276. 

  277.   struct ssl_early_callback_ctx early_ctx;

  278.   if (!ssl_early_callback_init(ssl, &early_ctx, ssl->init_msg,

  279.                                ssl->init_num)) {

  280.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  281.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  282.     return ssl_hs_error;

  283.   }

  284. 

  285.   int need_retry;

  286.   if (!resolve_ecdhe_secret(ssl, &need_retry, &early_ctx)) {

  287.     if (need_retry) {

  288.       /* Only send one HelloRetryRequest. */

  289.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  290.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  291.     }

  292.     return ssl_hs_error;

  293.   }

  294. 

  295.   if (!ssl->method->hash_current_message(ssl)) {

  296.     return ssl_hs_error;

  297.   }

  298. 

  299.   hs->state = state_send_server_hello;

  300.   return ssl_hs_ok;

  301. }

  302. 

  303. static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {

  304.   CBB cbb, body, extensions;

  305.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||

  306.       !CBB_add_u16(&body, ssl->version) ||

  307.       !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||

  308.       !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||

  309.       !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||

  310.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  311.       !ext_key_share_add_serverhello(ssl, &extensions) ||

  312.       !ssl->method->finish_message(ssl, &cbb)) {

  313.     CBB_cleanup(&cbb);

  314.     return ssl_hs_error;

  315.   }

  316. 

  317.   hs->state = state_send_encrypted_extensions;

  318.   return ssl_hs_write_message;

  319. }

  320. 

  321. static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL *ssl,

  322.                                                        SSL_HANDSHAKE *hs) {

  323.   if (!tls13_set_handshake_traffic(ssl)) {

  324.     return ssl_hs_error;

  325.   }

  326. 

  327.   CBB cbb, body;

  328.   if (!ssl->method->init_message(ssl, &cbb, &body,

  329.                                  SSL3_MT_ENCRYPTED_EXTENSIONS) ||

  330.       !ssl_add_serverhello_tlsext(ssl, &body) ||

  331.       !ssl->method->finish_message(ssl, &cbb)) {

  332.     CBB_cleanup(&cbb);

  333.     return ssl_hs_error;

  334.   }

  335. 

  336.   hs->state = state_send_certificate_request;

  337.   return ssl_hs_write_message;

  338. }

  339. 

  340. static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl,

  341.                                                       SSL_HANDSHAKE *hs) {

  342.   /* Determine whether to request a client certificate. */

  343.   ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);

  344.   /* CertificateRequest may only be sent in certificate-based ciphers. */

  345.   if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {

  346.     ssl->s3->tmp.cert_request = 0;

  347.   }

  348. 

  349.   if (!ssl->s3->tmp.cert_request) {

  350.     /* Skip this state. */

  351.     hs->state = state_send_server_certificate;

  352.     return ssl_hs_ok;

  353.   }

  354. 

  355.   CBB cbb, body, sigalgs_cbb;

  356.   if (!ssl->method->init_message(ssl, &cbb, &body,

  357.                                  SSL3_MT_CERTIFICATE_REQUEST) ||

  358.       !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {

  359.     goto err;

  360.   }

  361. 

  362.   const uint16_t *sigalgs;

  363.   size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs);

  364.   if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {

  365.     goto err;

  366.   }

  367. 

  368.   for (size_t i = 0; i < sigalgs_len; i++) {

  369.     if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {

  370.       goto err;

  371.     }

  372.   }

  373. 

  374.   if (!ssl_add_client_CA_list(ssl, &body) ||

  375.       !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||

  376.       !ssl->method->finish_message(ssl, &cbb)) {

  377.     goto err;

  378.   }

  379. 

  380.   hs->state = state_send_server_certificate;

  381.   return ssl_hs_write_message;

  382. 

  383. err:

  384.   CBB_cleanup(&cbb);

  385.   return ssl_hs_error;

  386. }

  387. 

  388. static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl,

  389.                                                      SSL_HANDSHAKE *hs) {

  390.   if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {

  391.     hs->state = state_send_server_finished;

  392.     return ssl_hs_ok;

  393.   }

  394. 

  395.   if (!ssl_has_certificate(ssl)) {

  396.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);

  397.     return ssl_hs_error;

  398.   }

  399. 

  400.   if (!tls13_prepare_certificate(ssl)) {

  401.     return ssl_hs_error;

  402.   }

  403. 

  404.   hs->state = state_send_server_certificate_verify;

  405.   return ssl_hs_write_message;

  406. }

  407. 

  408. static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL *ssl,

  409.                                                             SSL_HANDSHAKE *hs,

  410.                                                             int is_first_run) {

  411.   switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {

  412.     case ssl_private_key_success:

  413.       hs->state = state_send_server_finished;

  414.       return ssl_hs_write_message;

  415. 

  416.     case ssl_private_key_retry:

  417.       hs->state = state_complete_server_certificate_verify;

  418.       return ssl_hs_private_key_operation;

  419. 

  420.     case ssl_private_key_failure:

  421.       return ssl_hs_error;

  422.   }

  423. 

  424.   assert(0);

  425.   return ssl_hs_error;

  426. }

  427. 

  428. static enum ssl_hs_wait_t do_send_server_finished(SSL *ssl, SSL_HANDSHAKE *hs) {

  429.   if (!tls13_prepare_finished(ssl)) {

  430.     return ssl_hs_error;

  431.   }

  432. 

  433.   hs->state = state_flush;

  434.   return ssl_hs_write_message;

  435. }

  436. 

  437. static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {

  438.   /* Update the secret to the master secret and derive traffic keys. */

  439.   if (!tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||

  440.       !tls13_derive_traffic_secret_0(ssl) ||

  441.       !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,

  442.                              hs->traffic_secret_0, hs->hash_len)) {

  443.     return ssl_hs_error;

  444.   }

  445. 

  446.   hs->state = state_process_client_certificate;

  447.   return ssl_hs_flush_and_read_message;

  448. }

  449. 

  450. static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,

  451.                                                         SSL_HANDSHAKE *hs) {

  452.   if (!ssl->s3->tmp.cert_request) {

  453.     /* Skip this state. */

  454.     hs->state = state_process_client_certificate_verify;

  455.     return ssl_hs_ok;

  456.   }

  457. 

  458.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  459.       !tls13_process_certificate(ssl) ||

  460.       !ssl->method->hash_current_message(ssl)) {

  461.     return ssl_hs_error;

  462.   }

  463. 

  464.   hs->state = state_process_client_certificate_verify;

  465.   return ssl_hs_read_message;

  466. }

  467. 

  468. static enum ssl_hs_wait_t do_process_client_certificate_verify(

  469.     SSL *ssl, SSL_HANDSHAKE *hs) {

  470.   if (ssl->session->peer == NULL) {

  471.     /* Skip this state. */

  472.     hs->state = state_process_client_finished;

  473.     return ssl_hs_ok;

  474.   }

  475. 

  476.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  477.       !tls13_process_certificate_verify(ssl) ||

  478.       !ssl->method->hash_current_message(ssl)) {

  479.     return 0;

  480.   }

  481. 

  482.   hs->state = state_process_client_finished;

  483.   return ssl_hs_read_message;

  484. }

  485. 

  486. static enum ssl_hs_wait_t do_process_client_finished(SSL *ssl,

  487.                                                      SSL_HANDSHAKE *hs) {

  488.   if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||

  489.       !tls13_process_finished(ssl) ||

  490.       !ssl->method->hash_current_message(ssl) ||

  491.       /* evp_aead_seal keys have already been switched. */

  492.       !tls13_set_traffic_key(ssl, type_data, evp_aead_open,

  493.                              hs->traffic_secret_0, hs->hash_len) ||

  494.       !tls13_finalize_keys(ssl)) {

  495.     return ssl_hs_error;

  496.   }

  497. 

  498.   hs->state = state_done;

  499.   return ssl_hs_ok;

  500. }

  501. 

  502. enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl) {

  503.   SSL_HANDSHAKE *hs = ssl->s3->hs;

  504. 

  505.   while (hs->state != state_done) {

  506.     enum ssl_hs_wait_t ret = ssl_hs_error;

  507.     enum server_hs_state_t state = hs->state;

  508.     switch (state) {

  509.       case state_process_client_hello:

  510.         ret = do_process_client_hello(ssl, hs);

  511.         break;

  512.       case state_send_hello_retry_request:

  513.         ret = do_send_hello_retry_request(ssl, hs);

  514.         break;

  515.       case state_flush_hello_retry_request:

  516.         ret = do_flush_hello_retry_request(ssl, hs);

  517.         break;

  518.       case state_process_second_client_hello:

  519.         ret = do_process_second_client_hello(ssl, hs);

  520.         break;

  521.       case state_send_server_hello:

  522.         ret = do_send_server_hello(ssl, hs);

  523.         break;

  524.       case state_send_encrypted_extensions:

  525.         ret = do_send_encrypted_extensions(ssl, hs);

  526.         break;

  527.       case state_send_certificate_request:

  528.         ret = do_send_certificate_request(ssl, hs);

  529.         break;

  530.       case state_send_server_certificate:

  531.         ret = do_send_server_certificate(ssl, hs);

  532.         break;

  533.       case state_send_server_certificate_verify:

  534.         ret = do_send_server_certificate_verify(ssl, hs, 1 /* first run */);

  535.       break;

  536.       case state_complete_server_certificate_verify:

  537.         ret = do_send_server_certificate_verify(ssl, hs, 0 /* complete */);

  538.       break;

  539.       case state_send_server_finished:

  540.         ret = do_send_server_finished(ssl, hs);

  541.         break;

  542.       case state_flush:

  543.         ret = do_flush(ssl, hs);

  544.         break;

  545.       case state_process_client_certificate:

  546.         ret = do_process_client_certificate(ssl, hs);

  547.         break;

  548.       case state_process_client_certificate_verify:

  549.         ret = do_process_client_certificate_verify(ssl, hs);

  550.         break;

  551.       case state_process_client_finished:

  552.         ret = do_process_client_finished(ssl, hs);

  553.         break;

  554.       case state_done:

  555.         ret = ssl_hs_ok;

  556.         break;

  557.     }

  558. 

  559.     if (ret != ssl_hs_ok) {

  560.       return ret;

  561.     }

  562.   }

  563. 

  564.   return ssl_hs_ok;

  565. }