Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / dd42a613176ed39d12be02cf21aeae057d9ef6e6 / . / src / ssl / tls13_server.cc
blob: caaf0c7484cf21c60cc3addcdf9b120205193522 [file] [log] [blame]
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]20#include <tuple>
21
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]22#include <openssl/aead.h>
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]23#include <openssl/bytestring.h>
24#include <openssl/digest.h>
25#include <openssl/err.h>
26#include <openssl/mem.h>
27#include <openssl/rand.h>
28#include <openssl/stack.h>
29
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]30#include "../crypto/internal.h"
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]31#include "internal.h"
32
33
Robert Sloan726e9d12018-09-11 11:45:04 -0700[diff] [blame]34BSSL_NAMESPACE_BEGIN
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]35
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]36enum server_hs_state_t {
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]37 state_select_parameters = 0,
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]38 state_select_session,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]39 state_send_hello_retry_request,
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]40 state_read_second_client_hello,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]41 state_send_server_hello,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]42 state_send_server_certificate_verify,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]43 state_send_server_finished,
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]44 state_read_second_client_flight,
45 state_process_end_of_early_data,
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]46 state_read_client_certificate,
47 state_read_client_certificate_verify,
48 state_read_channel_id,
49 state_read_client_finished,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]50 state_send_new_session_ticket,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]51 state_done,
52};
53
54static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
55
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]56static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]57 SSL_CLIENT_HELLO *client_hello) {
58 SSL *const ssl = hs->ssl;
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]59 *out_need_retry = false;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]60
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]61 // We only support connections that include an ECDHE key exchange.
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]62 CBS key_share;
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]63 if (!ssl_client_hello_get_extension(client_hello, &key_share,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]64 TLSEXT_TYPE_key_share)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]65 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]66 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]67 return 0;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]68 }
69
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]70 bool found_key_share;
Robert Sloan4562e9d2017-10-02 10:26:51 -0700[diff] [blame]71 Array<uint8_t> dhe_secret;
David Benjamin7c0d06c2016-08-11 13:26:41 -0400[diff] [blame]72 uint8_t alert = SSL_AD_DECODE_ERROR;
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]73 if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
Robert Sloan4562e9d2017-10-02 10:26:51 -0700[diff] [blame]74 &alert, &key_share)) {
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]75 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]76 return 0;
77 }
78
79 if (!found_key_share) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]80 *out_need_retry = true;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]81 return 0;
82 }
83
Robert Sloan4562e9d2017-10-02 10:26:51 -0700[diff] [blame]84 return tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size());
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]85}
86
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]87static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
88 CBB *out) {
89 CBB contents;
90 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
91 !CBB_add_u16_length_prefixed(out, &contents) ||
92 !CBB_add_u16(&contents, hs->ssl->version) ||
93 !CBB_flush(out)) {
94 return 0;
95 }
96
97 return 1;
98}
99
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]100// CipherScorer produces a "score" for each possible cipher suite offered by
101// the client.
102class CipherScorer {
103 public:
104 CipherScorer(uint16_t group_id)
105 : aes_is_fine_(EVP_has_aes_hardware()),
106 security_128_is_fine_(group_id != SSL_CURVE_CECPQ2) {}
107
108 typedef std::tuple<bool, bool, bool> Score;
109
110 // MinScore returns a |Score| that will compare less than the score of all
111 // cipher suites.
112 Score MinScore() const {
113 return Score(false, false, false);
114 }
115
116 Score Evaluate(const SSL_CIPHER *a) const {
117 return Score(
118 // Something is always preferable to nothing.
119 true,
120 // Either 128-bit is fine, or 256-bit is preferred.
121 security_128_is_fine_ || a->algorithm_enc != SSL_AES128GCM,
122 // Either AES is fine, or else ChaCha20 is preferred.
123 aes_is_fine_ || a->algorithm_enc == SSL_CHACHA20POLY1305);
124 }
125
126 private:
127 const bool aes_is_fine_;
128 const bool security_128_is_fine_;
129};
130
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]131static const SSL_CIPHER *choose_tls13_cipher(
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]132 const SSL *ssl, const SSL_CLIENT_HELLO *client_hello, uint16_t group_id) {
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]133 if (client_hello->cipher_suites_len % 2 != 0) {
134 return nullptr;
135 }
136
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]137 CBS cipher_suites;
138 CBS_init(&cipher_suites, client_hello->cipher_suites,
139 client_hello->cipher_suites_len);
140
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]141 const uint16_t version = ssl_protocol_version(ssl);
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]142
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]143 const SSL_CIPHER *best = nullptr;
144 CipherScorer scorer(group_id);
145 CipherScorer::Score best_score = scorer.MinScore();
146
147 while (CBS_len(&cipher_suites) > 0) {
148 uint16_t cipher_suite;
149 if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
150 return nullptr;
151 }
152
153 // Limit to TLS 1.3 ciphers we know about.
154 const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
155 if (candidate == nullptr ||
156 SSL_CIPHER_get_min_version(candidate) > version ||
157 SSL_CIPHER_get_max_version(candidate) < version) {
158 continue;
159 }
160
161 const CipherScorer::Score candidate_score = scorer.Evaluate(candidate);
162 // |candidate_score| must be larger to displace the current choice. That way
163 // the client's order controls between ciphers with an equal score.
164 if (candidate_score > best_score) {
165 best = candidate;
166 best_score = candidate_score;
167 }
168 }
169
170 return best;
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]171}
172
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]173static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]174 SSL *const ssl = hs->ssl;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]175 if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
176 // session ticket.
177 !hs->accept_psk_mode ||
178 // We only implement stateless resumption in TLS 1.3, so skip sending
179 // tickets if disabled.
180 (SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {
181 *out_sent_tickets = false;
182 return true;
183 }
184
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]185 // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
186 // the client makes several connections before getting a renewal.
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]187 static const int kNumTickets = 2;
188
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]189 // Rebase the session timestamp so that it is measured from ticket
190 // issuance.
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]191 ssl_session_rebase_time(ssl, hs->new_session.get());
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]192
193 for (int i = 0; i < kNumTickets; i++) {
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]194 UniquePtr<SSL_SESSION> session(
195 SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
196 if (!session) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]197 return false;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]198 }
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]199
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]200 if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]201 return false;
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]202 }
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]203 session->ticket_age_add_valid = true;
204 if (ssl->enable_early_data) {
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]205 session->ticket_max_early_data = kMaxEarlyDataAccepted;
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]206 }
207
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]208 static_assert(kNumTickets < 256, "Too many tickets");
209 uint8_t nonce[] = {static_cast<uint8_t>(i)};
210
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]211 ScopedCBB cbb;
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]212 CBB body, nonce_cbb, ticket, extensions;
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]213 if (!ssl->method->init_message(ssl, cbb.get(), &body,
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]214 SSL3_MT_NEW_SESSION_TICKET) ||
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]215 !CBB_add_u32(&body, session->timeout) ||
216 !CBB_add_u32(&body, session->ticket_age_add) ||
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]217 !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||
218 !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]219 !CBB_add_u16_length_prefixed(&body, &ticket) ||
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]220 !tls13_derive_session_psk(session.get(), nonce) ||
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]221 !ssl_encrypt_ticket(hs, &ticket, session.get()) ||
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]222 !CBB_add_u16_length_prefixed(&body, &extensions)) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]223 return false;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]224 }
225
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]226 if (ssl->enable_early_data) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]227 CBB early_data_info;
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]228 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]229 !CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]230 !CBB_add_u32(&early_data_info, session->ticket_max_early_data) ||
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]231 !CBB_flush(&extensions)) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]232 return false;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]233 }
234 }
235
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]236 // Add a fake extension. See draft-davidben-tls-grease-01.
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]237 if (!CBB_add_u16(&extensions,
Robert Sloan309a31e2018-01-29 10:22:47 -0800[diff] [blame]238 ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]239 !CBB_add_u16(&extensions, 0 /* empty */)) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]240 return false;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]241 }
242
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]243 if (!ssl_add_message_cbb(ssl, cbb.get())) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]244 return false;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]245 }
246 }
247
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]248 *out_sent_tickets = true;
249 return true;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]250}
251
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]252static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]253 // At this point, most ClientHello extensions have already been processed by
254 // the common handshake logic. Resolve the remaining non-PSK parameters.
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]255 SSL *const ssl = hs->ssl;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]256 SSLMessage msg;
257 if (!ssl->method->get_message(ssl, &msg)) {
258 return ssl_hs_read_message;
259 }
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]260 SSL_CLIENT_HELLO client_hello;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]261 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]262 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]263 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]264 return ssl_hs_error;
265 }
266
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]267 OPENSSL_memcpy(hs->session_id, client_hello.session_id,
268 client_hello.session_id_len);
269 hs->session_id_len = client_hello.session_id_len;
270
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]271 uint16_t group_id;
272 if (!tls1_get_shared_group(hs, &group_id)) {
273 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
274 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
275 return ssl_hs_error;
276 }
277
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]278 // Negotiate the cipher suite.
Robert Sloan11c28bd2018-12-17 12:09:20 -0800[diff] [blame]279 hs->new_cipher = choose_tls13_cipher(ssl, &client_hello, group_id);
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]280 if (hs->new_cipher == NULL) {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]281 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]282 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]283 return ssl_hs_error;
284 }
285
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]286 // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
287 // deferred. Complete it now.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]288 uint8_t alert = SSL_AD_DECODE_ERROR;
289 if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]290 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]291 return ssl_hs_error;
292 }
293
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]294 // The PRF hash is now known. Set up the key schedule and hash the
295 // ClientHello.
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]296 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
297 return ssl_hs_error;
298 }
299
300 if (!ssl_hash_message(hs, msg)) {
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]301 return ssl_hs_error;
302 }
303
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]304 hs->tls13_state = state_select_session;
305 return ssl_hs_ok;
306}
Robert Sloan5d625782017-02-13 09:55:39 -0800[diff] [blame]307
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]308static enum ssl_ticket_aead_result_t select_session(
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]309 SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]310 int32_t *out_ticket_age_skew, const SSLMessage &msg,
311 const SSL_CLIENT_HELLO *client_hello) {
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]312 SSL *const ssl = hs->ssl;
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]313 *out_session = NULL;
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]314
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]315 // Decode the ticket if we agreed on a PSK key exchange mode.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]316 CBS pre_shared_key;
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]317 if (!hs->accept_psk_mode ||
318 !ssl_client_hello_get_extension(client_hello, &pre_shared_key,
319 TLSEXT_TYPE_pre_shared_key)) {
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]320 return ssl_ticket_aead_ignore_ticket;
321 }
322
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]323 // Verify that the pre_shared_key extension is the last extension in
324 // ClientHello.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]325 if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
326 client_hello->extensions + client_hello->extensions_len) {
327 OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
328 *out_alert = SSL_AD_ILLEGAL_PARAMETER;
329 return ssl_ticket_aead_error;
330 }
331
332 CBS ticket, binders;
333 uint32_t client_ticket_age;
334 if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &ticket, &binders,
335 &client_ticket_age, out_alert,
336 &pre_shared_key)) {
337 return ssl_ticket_aead_error;
338 }
339
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]340 // TLS 1.3 session tickets are renewed separately as part of the
341 // NewSessionTicket.
342 bool unused_renew;
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]343 UniquePtr<SSL_SESSION> session;
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]344 enum ssl_ticket_aead_result_t ret =
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]345 ssl_process_ticket(hs, &session, &unused_renew, ticket, {});
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]346 switch (ret) {
347 case ssl_ticket_aead_success:
348 break;
349 case ssl_ticket_aead_error:
350 *out_alert = SSL_AD_INTERNAL_ERROR;
351 return ret;
352 default:
353 return ret;
354 }
355
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]356 if (!ssl_session_is_resumable(hs, session.get()) ||
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]357 // Historically, some TLS 1.3 tickets were missing ticket_age_add.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]358 !session->ticket_age_add_valid) {
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]359 return ssl_ticket_aead_ignore_ticket;
360 }
361
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]362 // Recover the client ticket age and convert to seconds.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]363 client_ticket_age -= session->ticket_age_add;
364 client_ticket_age /= 1000;
365
366 struct OPENSSL_timeval now;
367 ssl_get_current_time(ssl, &now);
368
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]369 // Compute the server ticket age in seconds.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]370 assert(now.tv_sec >= session->time);
371 uint64_t server_ticket_age = now.tv_sec - session->time;
372
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]373 // To avoid overflowing |hs->ticket_age_skew|, we will not resume
374 // 68-year-old sessions.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]375 if (server_ticket_age > INT32_MAX) {
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]376 return ssl_ticket_aead_ignore_ticket;
377 }
378
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]379 // TODO(davidben,svaldez): Measure this value to decide on tolerance. For
380 // now, accept all values. https://crbug.com/boringssl/113.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]381 *out_ticket_age_skew =
382 (int32_t)client_ticket_age - (int32_t)server_ticket_age;
383
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]384 // Check the PSK binder.
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]385 if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]386 *out_alert = SSL_AD_DECRYPT_ERROR;
387 return ssl_ticket_aead_error;
388 }
389
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]390 *out_session = std::move(session);
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]391 return ssl_ticket_aead_success;
392}
393
394static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
395 SSL *const ssl = hs->ssl;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]396 SSLMessage msg;
397 if (!ssl->method->get_message(ssl, &msg)) {
398 return ssl_hs_read_message;
399 }
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]400 SSL_CLIENT_HELLO client_hello;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]401 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]402 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]403 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]404 return ssl_hs_error;
405 }
406
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]407 uint8_t alert = SSL_AD_DECODE_ERROR;
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]408 UniquePtr<SSL_SESSION> session;
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]409 switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew, msg,
410 &client_hello)) {
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]411 case ssl_ticket_aead_ignore_ticket:
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]412 assert(!session);
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]413 if (!ssl_get_new_session(hs, 1 /* server */)) {
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]414 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]415 return ssl_hs_error;
416 }
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]417 break;
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]418
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]419 case ssl_ticket_aead_success:
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]420 // Carry over authentication information from the previous handshake into
421 // a fresh session.
Robert Sloanfe7cd212017-08-07 09:03:39 -0700[diff] [blame]422 hs->new_session =
423 SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]424
425 if (ssl->enable_early_data &&
426 // Early data must be acceptable for this ticket.
427 session->ticket_max_early_data != 0 &&
428 // The client must have offered early data.
429 hs->early_data_offered &&
430 // Channel ID is incompatible with 0-RTT.
431 !ssl->s3->channel_id_valid &&
432 // If Token Binding is negotiated, reject 0-RTT.
433 !ssl->s3->token_binding_negotiated &&
434 // The negotiated ALPN must match the one in the ticket.
435 MakeConstSpan(ssl->s3->alpn_selected) == session->early_alpn) {
436 ssl->s3->early_data_accepted = true;
Pete Bentleyf8d8b732019-08-08 12:52:37 +0100[diff] [blame]437 }
438
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]439 if (hs->new_session == NULL) {
440 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
441 return ssl_hs_error;
Pete Bentleya5c947b2019-08-09 14:24:27 +0000[diff] [blame]442 }
443
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]444 ssl->s3->session_reused = true;
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]445
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]446 // Resumption incorporates fresh key material, so refresh the timeout.
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]447 ssl_session_renew_timeout(ssl, hs->new_session.get(),
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]448 ssl->session_ctx->session_psk_dhe_timeout);
449 break;
450
451 case ssl_ticket_aead_error:
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]452 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]453 return ssl_hs_error;
454
455 case ssl_ticket_aead_retry:
456 hs->tls13_state = state_select_session;
457 return ssl_hs_pending_ticket;
458 }
459
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]460 // Record connection properties in the new session.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]461 hs->new_session->cipher = hs->new_cipher;
462
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]463 // Store the initial negotiated ALPN in the session.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]464 if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
465 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
466 return ssl_hs_error;
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]467 }
468
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]469 if (ssl->ctx->dos_protection_cb != NULL &&
470 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]471 // Connection rejected for DOS reasons.
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]472 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]473 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]474 return ssl_hs_error;
475 }
476
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]477 size_t hash_len = EVP_MD_size(
478 ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
479
480 // Set up the key schedule and incorporate the PSK into the running secret.
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]481 if (ssl->s3->session_reused) {
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]482 if (!tls13_init_key_schedule(hs, hs->new_session->master_key,
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]483 hs->new_session->master_key_length)) {
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]484 return ssl_hs_error;
485 }
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]486 } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]487 return ssl_hs_error;
488 }
489
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]490 if (ssl->s3->early_data_accepted) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]491 if (!tls13_derive_early_secrets(hs)) {
492 return ssl_hs_error;
493 }
494 } else if (hs->early_data_offered) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]495 ssl->s3->skip_early_data = true;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]496 }
497
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]498 // Resolve ECDHE and incorporate it into the secret.
499 bool need_retry;
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]500 if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]501 if (need_retry) {
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]502 ssl->s3->early_data_accepted = false;
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]503 ssl->s3->skip_early_data = true;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]504 ssl->method->next_message(ssl);
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]505 if (!hs->transcript.UpdateForHelloRetryRequest()) {
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]506 return ssl_hs_error;
507 }
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]508 hs->tls13_state = state_send_hello_retry_request;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]509 return ssl_hs_ok;
510 }
511 return ssl_hs_error;
512 }
513
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]514 ssl->method->next_message(ssl);
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]515 hs->tls13_state = state_send_server_hello;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]516 return ssl_hs_ok;
517}
518
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]519static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
520 SSL *const ssl = hs->ssl;
Robert Sloand5c22152017-11-13 09:22:12 -0800[diff] [blame]521
522
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]523 ScopedCBB cbb;
524 CBB body, session_id, extensions;
525 uint16_t group_id;
526 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
527 !CBB_add_u16(&body, TLS1_2_VERSION) ||
528 !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||
529 !CBB_add_u8_length_prefixed(&body, &session_id) ||
530 !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
531 !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
532 !CBB_add_u8(&body, 0 /* no compression */) ||
533 !tls1_get_shared_group(hs, &group_id) ||
534 !CBB_add_u16_length_prefixed(&body, &extensions) ||
535 !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) ||
536 !CBB_add_u16(&extensions, 2 /* length */) ||
537 !CBB_add_u16(&extensions, ssl->version) ||
538 !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
539 !CBB_add_u16(&extensions, 2 /* length */) ||
540 !CBB_add_u16(&extensions, group_id) ||
541 !ssl_add_message_cbb(ssl, cbb.get())) {
542 return ssl_hs_error;
543 }
Robert Sloand5c22152017-11-13 09:22:12 -0800[diff] [blame]544
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]545 if (!ssl->method->add_change_cipher_spec(ssl)) {
546 return ssl_hs_error;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]547 }
548
Robert Sloand5c22152017-11-13 09:22:12 -0800[diff] [blame]549 hs->sent_hello_retry_request = true;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]550 hs->tls13_state = state_read_second_client_hello;
551 return ssl_hs_flush;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]552}
553
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]554static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]555 SSL *const ssl = hs->ssl;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]556 SSLMessage msg;
557 if (!ssl->method->get_message(ssl, &msg)) {
558 return ssl_hs_read_message;
559 }
560 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]561 return ssl_hs_error;
562 }
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]563 SSL_CLIENT_HELLO client_hello;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]564 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]565 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]566 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]567 return ssl_hs_error;
568 }
569
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]570 bool need_retry;
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]571 if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]572 if (need_retry) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]573 // Only send one HelloRetryRequest.
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]574 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]575 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
576 }
577 return ssl_hs_error;
578 }
579
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]580 if (!ssl_hash_message(hs, msg)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]581 return ssl_hs_error;
582 }
583
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]584 ssl->method->next_message(ssl);
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]585 hs->tls13_state = state_send_server_hello;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]586 return ssl_hs_ok;
587}
588
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]589static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
590 SSL *const ssl = hs->ssl;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]591
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]592 // Send a ServerHello.
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]593 ScopedCBB cbb;
594 CBB body, extensions, session_id;
595 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]596 !CBB_add_u16(&body, TLS1_2_VERSION) ||
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]597 !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
598 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]599 !CBB_add_u8_length_prefixed(&body, &session_id) ||
600 !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]601 !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]602 !CBB_add_u8(&body, 0) ||
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]603 !CBB_add_u16_length_prefixed(&body, &extensions) ||
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]604 !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
Robert Sloan7d422bc2017-03-06 10:04:29 -0800[diff] [blame]605 !ssl_ext_key_share_add_serverhello(hs, &extensions) ||
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]606 !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]607 !ssl_add_message_cbb(ssl, cbb.get())) {
608 return ssl_hs_error;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]609 }
610
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]611 if (!hs->sent_hello_retry_request &&
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]612 !ssl->method->add_change_cipher_spec(ssl)) {
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]613 return ssl_hs_error;
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]614 }
615
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]616 // Derive and enable the handshake traffic secrets.
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]617 if (!tls13_derive_handshake_secrets(hs) ||
Robert Sloancbf5ea62018-11-05 11:56:34 -0800[diff] [blame]618 !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
619 hs->server_handshake_secret, hs->hash_len)) {
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]620 return ssl_hs_error;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]621 }
622
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]623 // Send EncryptedExtensions.
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]624 if (!ssl->method->init_message(ssl, cbb.get(), &body,
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]625 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]626 !ssl_add_serverhello_tlsext(hs, &body) ||
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]627 !ssl_add_message_cbb(ssl, cbb.get())) {
628 return ssl_hs_error;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]629 }
630
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]631 if (!ssl->s3->session_reused) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]632 // Determine whether to request a client certificate.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]633 hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]634 // Only request a certificate if Channel ID isn't negotiated.
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]635 if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
636 ssl->s3->channel_id_valid) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]637 hs->cert_request = false;
Robert Sloanf6200e72017-07-10 08:09:18 -0700[diff] [blame]638 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]639 }
640
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]641 // Send a CertificateRequest, if necessary.
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]642 if (hs->cert_request) {
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]643 CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;
644 if (!ssl->method->init_message(ssl, cbb.get(), &body,
645 SSL3_MT_CERTIFICATE_REQUEST) ||
646 !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||
647 !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) ||
648 !CBB_add_u16(&cert_request_extensions,
649 TLSEXT_TYPE_signature_algorithms) ||
650 !CBB_add_u16_length_prefixed(&cert_request_extensions,
651 &sigalg_contents) ||
652 !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
Robert Sloan5cbb5c82018-04-24 11:35:46 -0700[diff] [blame]653 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb,
654 false /* online signature */)) {
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]655 return ssl_hs_error;
656 }
657
Robert Sloan5cbb5c82018-04-24 11:35:46 -0700[diff] [blame]658 if (tls12_has_different_verify_sigalgs_for_certs(ssl)) {
659 if (!CBB_add_u16(&cert_request_extensions,
660 TLSEXT_TYPE_signature_algorithms_cert) ||
661 !CBB_add_u16_length_prefixed(&cert_request_extensions,
662 &sigalg_contents) ||
663 !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
664 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */)) {
665 return ssl_hs_error;
666 }
667 }
668
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]669 if (ssl_has_client_CAs(hs->config)) {
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]670 CBB ca_contents;
671 if (!CBB_add_u16(&cert_request_extensions,
672 TLSEXT_TYPE_certificate_authorities) ||
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]673 !CBB_add_u16_length_prefixed(&cert_request_extensions,
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]674 &ca_contents) ||
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]675 !ssl_add_client_CA_list(hs, &ca_contents) ||
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]676 !CBB_flush(&cert_request_extensions)) {
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]677 return ssl_hs_error;
678 }
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]679 }
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]680
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]681 if (!ssl_add_message_cbb(ssl, cbb.get())) {
682 return ssl_hs_error;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]683 }
684 }
685
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]686 // Send the server Certificate message, if necessary.
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]687 if (!ssl->s3->session_reused) {
Robert Sloan4c22c5f2019-03-01 15:53:37 -0800[diff] [blame]688 if (!ssl_has_certificate(hs)) {
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]689 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]690 return ssl_hs_error;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]691 }
692
693 if (!tls13_add_certificate(hs)) {
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]694 return ssl_hs_error;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]695 }
696
697 hs->tls13_state = state_send_server_certificate_verify;
698 return ssl_hs_ok;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]699 }
700
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]701 hs->tls13_state = state_send_server_finished;
702 return ssl_hs_ok;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]703}
704
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]705static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
706 switch (tls13_add_certificate_verify(hs)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]707 case ssl_private_key_success:
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]708 hs->tls13_state = state_send_server_finished;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]709 return ssl_hs_ok;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]710
711 case ssl_private_key_retry:
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]712 hs->tls13_state = state_send_server_certificate_verify;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]713 return ssl_hs_private_key_operation;
714
715 case ssl_private_key_failure:
716 return ssl_hs_error;
717 }
718
719 assert(0);
720 return ssl_hs_error;
721}
722
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]723static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]724 SSL *const ssl = hs->ssl;
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]725 if (!tls13_add_finished(hs) ||
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]726 // Update the secret to the master secret and derive traffic keys.
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]727 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]728 !tls13_derive_application_secrets(hs) ||
Robert Sloancbf5ea62018-11-05 11:56:34 -0800[diff] [blame]729 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
730 hs->server_traffic_secret_0, hs->hash_len)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]731 return ssl_hs_error;
732 }
733
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]734 if (ssl->s3->early_data_accepted) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]735 // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
736 // the wire sooner and also avoids triggering a write on |SSL_read| when
737 // processing the client Finished. This requires computing the client
Robert Sloand9e572d2018-08-27 12:27:00 -0700[diff] [blame]738 // Finished early. See RFC 8446, section 4.6.1.
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]739 static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
740 0, 0};
741 if (!hs->transcript.Update(kEndOfEarlyData)) {
742 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
743 return ssl_hs_error;
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]744 }
745
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]746 size_t finished_len;
747 if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,
Robert Sloan726e9d12018-09-11 11:45:04 -0700[diff] [blame]748 false /* client */)) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]749 return ssl_hs_error;
750 }
751
752 if (finished_len != hs->hash_len) {
753 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
754 return ssl_hs_error;
755 }
756
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]757 // Feed the predicted Finished into the transcript. This allows us to derive
758 // the resumption secret early and send half-RTT tickets.
759 //
760 // TODO(davidben): This will need to be updated for DTLS 1.3.
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]761 assert(!SSL_is_dtls(hs->ssl));
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]762 assert(hs->hash_len <= 0xff);
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]763 uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0,
764 static_cast<uint8_t>(hs->hash_len)};
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]765 bool unused_sent_tickets;
Robert Sloan921ef2c2017-10-17 09:02:20 -0700[diff] [blame]766 if (!hs->transcript.Update(header) ||
767 !hs->transcript.Update(
768 MakeConstSpan(hs->expected_client_finished, hs->hash_len)) ||
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]769 !tls13_derive_resumption_secret(hs) ||
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]770 !add_new_session_tickets(hs, &unused_sent_tickets)) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]771 return ssl_hs_error;
772 }
773 }
774
775 hs->tls13_state = state_read_second_client_flight;
776 return ssl_hs_flush;
777}
778
779static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
780 SSL *const ssl = hs->ssl;
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]781 if (ssl->s3->early_data_accepted) {
Robert Sloancbf5ea62018-11-05 11:56:34 -0800[diff] [blame]782 if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
783 hs->early_traffic_secret, hs->hash_len)) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]784 return ssl_hs_error;
785 }
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]786 hs->can_early_write = true;
787 hs->can_early_read = true;
788 hs->in_early_data = true;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]789 }
790 hs->tls13_state = state_process_end_of_early_data;
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]791 return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
792 : ssl_hs_ok;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]793}
794
795static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]796 SSL *const ssl = hs->ssl;
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]797 if (hs->early_data_offered) {
798 // If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec
799 // message will be in the discarded early data.
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]800 if (hs->ssl->s3->early_data_accepted) {
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]801 SSLMessage msg;
802 if (!ssl->method->get_message(ssl, &msg)) {
803 return ssl_hs_read_message;
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]804 }
Robert Sloan8542c082018-02-05 09:07:34 -0800[diff] [blame]805
806 if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
807 return ssl_hs_error;
808 }
809 if (CBS_len(&msg.body) != 0) {
810 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
811 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
812 return ssl_hs_error;
813 }
814 ssl->method->next_message(ssl);
Robert Sloanb1b54b82017-11-06 13:50:02 -0800[diff] [blame]815 }
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]816 }
Robert Sloancbf5ea62018-11-05 11:56:34 -0800[diff] [blame]817 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
818 hs->client_handshake_secret, hs->hash_len)) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]819 return ssl_hs_error;
820 }
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]821 hs->tls13_state = ssl->s3->early_data_accepted
822 ? state_read_client_finished
823 : state_read_client_certificate;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]824 return ssl_hs_ok;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]825}
826
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]827static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]828 SSL *const ssl = hs->ssl;
829 if (!hs->cert_request) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]830 // OpenSSL returns X509_V_OK when no certificates are requested. This is
831 // classed by them as a bug, but it's assumed by at least NGINX.
Robert Sloana94fe052017-02-21 08:49:28 -0800[diff] [blame]832 hs->new_session->verify_result = X509_V_OK;
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame]833
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]834 // Skip this state.
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]835 hs->tls13_state = state_read_channel_id;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]836 return ssl_hs_ok;
837 }
838
Robert Sloan726e9d12018-09-11 11:45:04 -0700[diff] [blame]839 const bool allow_anonymous =
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]840 (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]841 SSLMessage msg;
842 if (!ssl->method->get_message(ssl, &msg)) {
843 return ssl_hs_read_message;
844 }
845 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
846 !tls13_process_certificate(hs, msg, allow_anonymous) ||
847 !ssl_hash_message(hs, msg)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]848 return ssl_hs_error;
849 }
850
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]851 ssl->method->next_message(ssl);
852 hs->tls13_state = state_read_client_certificate_verify;
853 return ssl_hs_ok;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]854}
855
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]856static enum ssl_hs_wait_t do_read_client_certificate_verify(
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]857 SSL_HANDSHAKE *hs) {
858 SSL *const ssl = hs->ssl;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]859 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]860 // Skip this state.
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]861 hs->tls13_state = state_read_channel_id;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]862 return ssl_hs_ok;
863 }
864
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]865 SSLMessage msg;
866 if (!ssl->method->get_message(ssl, &msg)) {
867 return ssl_hs_read_message;
868 }
869
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]870 switch (ssl_verify_peer_cert(hs)) {
871 case ssl_verify_ok:
872 break;
873 case ssl_verify_invalid:
874 return ssl_hs_error;
875 case ssl_verify_retry:
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]876 hs->tls13_state = state_read_client_certificate_verify;
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]877 return ssl_hs_certificate_verify;
878 }
879
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]880 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
881 !tls13_process_certificate_verify(hs, msg) ||
882 !ssl_hash_message(hs, msg)) {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]883 return ssl_hs_error;
884 }
885
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]886 ssl->method->next_message(ssl);
887 hs->tls13_state = state_read_channel_id;
888 return ssl_hs_ok;
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]889}
890
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]891static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
892 SSL *const ssl = hs->ssl;
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]893 if (!ssl->s3->channel_id_valid) {
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]894 hs->tls13_state = state_read_client_finished;
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]895 return ssl_hs_ok;
896 }
897
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]898 SSLMessage msg;
899 if (!ssl->method->get_message(ssl, &msg)) {
900 return ssl_hs_read_message;
901 }
902 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
903 !tls1_verify_channel_id(hs, msg) ||
904 !ssl_hash_message(hs, msg)) {
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]905 return ssl_hs_error;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]906 }
907
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]908 ssl->method->next_message(ssl);
909 hs->tls13_state = state_read_client_finished;
910 return ssl_hs_ok;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]911}
912
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]913static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]914 SSL *const ssl = hs->ssl;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]915 SSLMessage msg;
916 if (!ssl->method->get_message(ssl, &msg)) {
917 return ssl_hs_read_message;
918 }
919 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]920 // If early data was accepted, we've already computed the client Finished
921 // and derived the resumption secret.
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]922 !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]923 // evp_aead_seal keys have already been switched.
Robert Sloancbf5ea62018-11-05 11:56:34 -0800[diff] [blame]924 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
925 hs->client_traffic_secret_0, hs->hash_len)) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]926 return ssl_hs_error;
927 }
928
Robert Sloan0da43952018-01-03 15:13:14 -0800[diff] [blame]929 if (!ssl->s3->early_data_accepted) {
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]930 if (!ssl_hash_message(hs, msg) ||
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]931 !tls13_derive_resumption_secret(hs)) {
932 return ssl_hs_error;
933 }
934
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]935 // We send post-handshake tickets as part of the handshake in 1-RTT.
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]936 hs->tls13_state = state_send_new_session_ticket;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]937 } else {
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]938 // We already sent half-RTT tickets.
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]939 hs->tls13_state = state_done;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]940 }
941
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]942 ssl->method->next_message(ssl);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]943 return ssl_hs_ok;
944}
945
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]946static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
Adam Vartanianbfcf3a72018-08-10 14:55:24 +0100[diff] [blame]947 bool sent_tickets;
948 if (!add_new_session_tickets(hs, &sent_tickets)) {
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]949 return ssl_hs_error;
Robert Sloan69939df2017-01-09 10:53:07 -0800[diff] [blame]950 }
951
Robert Sloan4d1ac502017-02-06 08:36:14 -0800[diff] [blame]952 hs->tls13_state = state_done;
Srinivas Paladugudd42a612019-08-09 19:30:39 +0000[diff] [blame^]953 return sent_tickets ? ssl_hs_flush : ssl_hs_ok;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]954}
955
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]956enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
Steven Valdeze7531f02016-12-14 13:29:57 -0500[diff] [blame]957 while (hs->tls13_state != state_done) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]958 enum ssl_hs_wait_t ret = ssl_hs_error;
Robert Sloana12bf462017-07-17 07:08:26 -0700[diff] [blame]959 enum server_hs_state_t state =
960 static_cast<enum server_hs_state_t>(hs->tls13_state);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]961 switch (state) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]962 case state_select_parameters:
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]963 ret = do_select_parameters(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]964 break;
Robert Sloan1c9db532017-03-13 08:03:59 -0700[diff] [blame]965 case state_select_session:
966 ret = do_select_session(hs);
967 break;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]968 case state_send_hello_retry_request:
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]969 ret = do_send_hello_retry_request(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]970 break;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]971 case state_read_second_client_hello:
972 ret = do_read_second_client_hello(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]973 break;
974 case state_send_server_hello:
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]975 ret = do_send_server_hello(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]976 break;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]977 case state_send_server_certificate_verify:
Robert Sloane56da3e2017-06-26 08:26:42 -0700[diff] [blame]978 ret = do_send_server_certificate_verify(hs);
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]979 break;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]980 case state_send_server_finished:
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]981 ret = do_send_server_finished(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]982 break;
Robert Sloan6d0d00e2017-03-27 07:13:07 -0700[diff] [blame]983 case state_read_second_client_flight:
984 ret = do_read_second_client_flight(hs);
985 break;
986 case state_process_end_of_early_data:
987 ret = do_process_end_of_early_data(hs);
988 break;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]989 case state_read_client_certificate:
990 ret = do_read_client_certificate(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]991 break;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]992 case state_read_client_certificate_verify:
993 ret = do_read_client_certificate_verify(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]994 break;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]995 case state_read_channel_id:
996 ret = do_read_channel_id(hs);
Steven Valdez909b19f2016-11-21 15:35:44 -0500[diff] [blame]997 break;
Robert Sloan84377092017-08-14 09:33:19 -0700[diff] [blame]998 case state_read_client_finished:
999 ret = do_read_client_finished(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1000 break;
1001 case state_send_new_session_ticket:
David Benjamin1b249672016-12-06 18:25:50 -0500[diff] [blame]1002 ret = do_send_new_session_ticket(hs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1003 break;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1004 case state_done:
1005 ret = ssl_hs_ok;
1006 break;
1007 }
1008
Robert Sloana27a6a42017-09-05 08:39:28 -0700[diff] [blame]1009 if (hs->tls13_state != state) {
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]1010 ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
1011 }
1012
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1013 if (ret != ssl_hs_ok) {
1014 return ret;
1015 }
1016 }
1017
1018 return ssl_hs_ok;
1019}
Robert Sloanb6d070c2017-07-24 08:40:01 -0700[diff] [blame]1020
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]1021const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
1022 enum server_hs_state_t state =
1023 static_cast<enum server_hs_state_t>(hs->tls13_state);
1024 switch (state) {
1025 case state_select_parameters:
1026 return "TLS 1.3 server select_parameters";
1027 case state_select_session:
1028 return "TLS 1.3 server select_session";
1029 case state_send_hello_retry_request:
1030 return "TLS 1.3 server send_hello_retry_request";
1031 case state_read_second_client_hello:
1032 return "TLS 1.3 server read_second_client_hello";
1033 case state_send_server_hello:
1034 return "TLS 1.3 server send_server_hello";
1035 case state_send_server_certificate_verify:
1036 return "TLS 1.3 server send_server_certificate_verify";
1037 case state_send_server_finished:
1038 return "TLS 1.3 server send_server_finished";
1039 case state_read_second_client_flight:
1040 return "TLS 1.3 server read_second_client_flight";
Robert Sloan8f860b12017-08-28 07:37:06 -0700[diff] [blame]1041 case state_process_end_of_early_data:
1042 return "TLS 1.3 server process_end_of_early_data";
1043 case state_read_client_certificate:
1044 return "TLS 1.3 server read_client_certificate";
1045 case state_read_client_certificate_verify:
1046 return "TLS 1.3 server read_client_certificate_verify";
1047 case state_read_channel_id:
1048 return "TLS 1.3 server read_channel_id";
1049 case state_read_client_finished:
1050 return "TLS 1.3 server read_client_finished";
1051 case state_send_new_session_ticket:
1052 return "TLS 1.3 server send_new_session_ticket";
1053 case state_done:
1054 return "TLS 1.3 server done";
1055 }
1056
1057 return "TLS 1.3 server unknown";
1058}
1059
Robert Sloan726e9d12018-09-11 11:45:04 -0700[diff] [blame]1060BSSL_NAMESPACE_END