Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / boringssl / f0c4a6c4bbde5229ceb86740703243fe5c436aad / . / src / ssl / tls13_server.c
blob: 48279a7957d2d8f3ef0edcaed759df2b6e54fca5 [file] [log] [blame]
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/digest.h>
22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/rand.h>
25#include <openssl/stack.h>
26
27#include "internal.h"
28
29
30enum server_hs_state_t {
31 state_process_client_hello = 0,
32 state_select_parameters,
33 state_send_hello_retry_request,
34 state_flush_hello_retry_request,
35 state_process_second_client_hello,
36 state_send_server_hello,
37 state_send_encrypted_extensions,
38 state_send_certificate_request,
39 state_send_server_certificate,
40 state_send_server_certificate_verify,
41 state_complete_server_certificate_verify,
42 state_send_server_finished,
43 state_flush,
44 state_process_client_certificate,
45 state_process_client_certificate_verify,
46 state_process_client_finished,
47 state_send_new_session_ticket,
48 state_flush_new_session_ticket,
49 state_done,
50};
51
52static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
53
54static int resolve_psk_secret(SSL *ssl) {
55 SSL_HANDSHAKE *hs = ssl->s3->hs;
56
57 if (ssl->s3->tmp.new_cipher->algorithm_auth != SSL_aPSK) {
58 return tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len);
59 }
60
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]61 uint8_t resumption_psk[EVP_MAX_MD_SIZE];
62 if (!tls13_resumption_psk(ssl, resumption_psk, hs->hash_len,
63 ssl->s3->new_session) ||
64 !tls13_advance_key_schedule(ssl, resumption_psk, hs->hash_len)) {
65 return 0;
66 }
67
68 return 1;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]69}
70
71static int resolve_ecdhe_secret(SSL *ssl, int *out_need_retry,
72 struct ssl_early_callback_ctx *early_ctx) {
73 *out_need_retry = 0;
74 SSL_HANDSHAKE *hs = ssl->s3->hs;
75
76 if (ssl->s3->tmp.new_cipher->algorithm_mkey != SSL_kECDHE) {
77 return tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len);
78 }
79
80 CBS key_share;
81 if (!ssl_early_callback_get_extension(early_ctx, &key_share,
82 TLSEXT_TYPE_key_share)) {
83 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
84 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
85 return ssl_hs_error;
86 }
87
88 int found_key_share;
89 uint8_t *dhe_secret;
90 size_t dhe_secret_len;
91 uint8_t alert;
92 if (!ssl_ext_key_share_parse_clienthello(ssl, &found_key_share, &dhe_secret,
93 &dhe_secret_len, &alert,
94 &key_share)) {
95 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
96 return 0;
97 }
98
99 if (!found_key_share) {
100 *out_need_retry = 1;
101 return 0;
102 }
103
104 int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);
105 OPENSSL_free(dhe_secret);
106 return ok;
107}
108
109static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
110 if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
111 return ssl_hs_error;
112 }
113
114 struct ssl_early_callback_ctx client_hello;
115 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
116 ssl->init_num)) {
117 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
118 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
119 return ssl_hs_error;
120 }
121
122 assert(ssl->s3->have_version);
123
124 /* Load the client random. */
125 if (client_hello.random_len != SSL3_RANDOM_SIZE) {
126 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
127 return -1;
128 }
129 memcpy(ssl->s3->client_random, client_hello.random, client_hello.random_len);
130
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]131 uint8_t alert = SSL_AD_DECODE_ERROR;
132 SSL_SESSION *session = NULL;
133 CBS pre_shared_key;
134 if (ssl_early_callback_get_extension(&client_hello, &pre_shared_key,
135 TLSEXT_TYPE_pre_shared_key) &&
136 !ssl_ext_pre_shared_key_parse_clienthello(ssl, &session, &alert,
137 &pre_shared_key)) {
138 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
139 return 0;
140 }
141
142 uint16_t resumption_cipher;
143 if (session != NULL &&
144 /* We currently only support ECDHE-PSK resumption. */
145 ((session->ticket_flags & SSL_TICKET_ALLOW_DHE_RESUMPTION) == 0 ||
146 /* Only resume if the session's version matches. */
147 session->ssl_version != ssl->version ||
148 !ssl_cipher_get_ecdhe_psk_cipher(session->cipher, &resumption_cipher) ||
149 !ssl_client_cipher_list_contains_cipher(&client_hello,
150 resumption_cipher))) {
151 SSL_SESSION_free(session);
152 session = NULL;
153 }
154
155 if (session == NULL) {
156 if (!ssl_get_new_session(ssl, 1 /* server */)) {
157 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
158 return ssl_hs_error;
159 }
160 } else {
161 /* Only authentication information carries over in TLS 1.3. */
162 ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
163 if (ssl->s3->new_session == NULL) {
164 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
165 return ssl_hs_error;
166 }
167 ssl->s3->session_reused = 1;
168 SSL_SESSION_free(session);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]169 }
170
171 if (ssl->ctx->dos_protection_cb != NULL &&
172 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
173 /* Connection rejected for DOS reasons. */
174 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
175 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ACCESS_DENIED);
176 return ssl_hs_error;
177 }
178
179 /* TLS 1.3 requires the peer only advertise the null compression. */
180 if (client_hello.compression_methods_len != 1 ||
181 client_hello.compression_methods[0] != 0) {
182 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
183 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
184 return ssl_hs_error;
185 }
186
187 /* TLS extensions. */
188 if (!ssl_parse_clienthello_tlsext(ssl, &client_hello)) {
189 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
190 return ssl_hs_error;
191 }
192
193 hs->state = state_select_parameters;
194 return ssl_hs_ok;
195}
196
197static enum ssl_hs_wait_t do_select_parameters(SSL *ssl, SSL_HANDSHAKE *hs) {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]198 if (!ssl->s3->session_reused) {
199 /* Call |cert_cb| to update server certificates if required. */
200 if (ssl->cert->cert_cb != NULL) {
201 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
202 if (rv == 0) {
203 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
204 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
205 return ssl_hs_error;
206 }
207 if (rv < 0) {
208 hs->state = state_select_parameters;
209 return ssl_hs_x509_lookup;
210 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]211 }
212 }
213
214 struct ssl_early_callback_ctx client_hello;
215 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
216 ssl->init_num)) {
217 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
218 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
219 return ssl_hs_error;
220 }
221
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]222 if (!ssl->s3->session_reused) {
223 const SSL_CIPHER *cipher =
224 ssl3_choose_cipher(ssl, &client_hello, ssl_get_cipher_preferences(ssl));
225 if (cipher == NULL) {
226 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
227 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
228 return ssl_hs_error;
229 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]230
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]231 ssl->s3->new_session->cipher = cipher;
232 ssl->s3->tmp.new_cipher = cipher;
233 } else {
234 uint16_t resumption_cipher;
235 if (!ssl_cipher_get_ecdhe_psk_cipher(ssl->s3->new_session->cipher,
236 &resumption_cipher)) {
237 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
238 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
239 return ssl_hs_error;
240 }
241 ssl->s3->tmp.new_cipher = SSL_get_cipher_by_value(resumption_cipher);
242 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]243
244 ssl->method->received_flight(ssl);
245
246 /* The PRF hash is now known. Set up the key schedule and hash the
247 * ClientHello. */
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]248 size_t resumption_ctx_len =
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]249 EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]250 if (ssl->s3->session_reused) {
251 uint8_t resumption_ctx[EVP_MAX_MD_SIZE];
252 if (!tls13_resumption_context(ssl, resumption_ctx, resumption_ctx_len,
253 ssl->s3->new_session) ||
254 !tls13_init_key_schedule(ssl, resumption_ctx, resumption_ctx_len)) {
255 return ssl_hs_error;
256 }
257 } else {
258 if (!tls13_init_key_schedule(ssl, kZeroes, resumption_ctx_len)) {
259 return ssl_hs_error;
260 }
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]261 }
262
263 /* Resolve PSK and incorporate it into the secret. */
264 if (!resolve_psk_secret(ssl)) {
265 return ssl_hs_error;
266 }
267
268 /* Resolve ECDHE and incorporate it into the secret. */
269 int need_retry;
270 if (!resolve_ecdhe_secret(ssl, &need_retry, &client_hello)) {
271 if (need_retry) {
272 hs->state = state_send_hello_retry_request;
273 return ssl_hs_ok;
274 }
275 return ssl_hs_error;
276 }
277
278 hs->state = state_send_server_hello;
279 return ssl_hs_ok;
280}
281
282static enum ssl_hs_wait_t do_send_hello_retry_request(SSL *ssl,
283 SSL_HANDSHAKE *hs) {
284 CBB cbb, body, extensions;
285 uint16_t group_id;
286 if (!ssl->method->init_message(ssl, &cbb, &body,
287 SSL3_MT_HELLO_RETRY_REQUEST) ||
288 !CBB_add_u16(&body, ssl->version) ||
289 !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
290 !tls1_get_shared_group(ssl, &group_id) ||
291 !CBB_add_u16(&body, group_id) ||
292 !CBB_add_u16_length_prefixed(&body, &extensions) ||
293 !ssl->method->finish_message(ssl, &cbb)) {
294 CBB_cleanup(&cbb);
295 return ssl_hs_error;
296 }
297
298 hs->state = state_flush_hello_retry_request;
299 return ssl_hs_write_message;
300}
301
302static enum ssl_hs_wait_t do_flush_hello_retry_request(SSL *ssl,
303 SSL_HANDSHAKE *hs) {
304 hs->state = state_process_second_client_hello;
305 return ssl_hs_flush_and_read_message;
306}
307
308static enum ssl_hs_wait_t do_process_second_client_hello(SSL *ssl,
309 SSL_HANDSHAKE *hs) {
310 if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
311 return ssl_hs_error;
312 }
313
314 struct ssl_early_callback_ctx client_hello;
315 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
316 ssl->init_num)) {
317 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
318 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
319 return ssl_hs_error;
320 }
321
322 int need_retry;
323 if (!resolve_ecdhe_secret(ssl, &need_retry, &client_hello)) {
324 if (need_retry) {
325 /* Only send one HelloRetryRequest. */
326 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
327 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
328 }
329 return ssl_hs_error;
330 }
331
332 if (!ssl->method->hash_current_message(ssl)) {
333 return ssl_hs_error;
334 }
335
336 ssl->method->received_flight(ssl);
337 hs->state = state_send_server_hello;
338 return ssl_hs_ok;
339}
340
341static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
342 CBB cbb, body, extensions;
343 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
344 !CBB_add_u16(&body, ssl->version) ||
345 !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
346 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
347 !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
348 !CBB_add_u16_length_prefixed(&body, &extensions) ||
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]349 !ssl_ext_pre_shared_key_add_serverhello(ssl, &extensions) ||
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]350 !ssl_ext_key_share_add_serverhello(ssl, &extensions) ||
351 !ssl->method->finish_message(ssl, &cbb)) {
352 CBB_cleanup(&cbb);
353 return ssl_hs_error;
354 }
355
356 hs->state = state_send_encrypted_extensions;
357 return ssl_hs_write_message;
358}
359
360static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL *ssl,
361 SSL_HANDSHAKE *hs) {
362 if (!tls13_set_handshake_traffic(ssl)) {
363 return ssl_hs_error;
364 }
365
366 CBB cbb, body;
367 if (!ssl->method->init_message(ssl, &cbb, &body,
368 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
369 !ssl_add_serverhello_tlsext(ssl, &body) ||
370 !ssl->method->finish_message(ssl, &cbb)) {
371 CBB_cleanup(&cbb);
372 return ssl_hs_error;
373 }
374
375 hs->state = state_send_certificate_request;
376 return ssl_hs_write_message;
377}
378
379static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl,
380 SSL_HANDSHAKE *hs) {
381 /* Determine whether to request a client certificate. */
382 ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
383 /* CertificateRequest may only be sent in certificate-based ciphers. */
384 if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
385 ssl->s3->tmp.cert_request = 0;
386 }
387
388 if (!ssl->s3->tmp.cert_request) {
389 /* Skip this state. */
390 hs->state = state_send_server_certificate;
391 return ssl_hs_ok;
392 }
393
394 CBB cbb, body, sigalgs_cbb;
395 if (!ssl->method->init_message(ssl, &cbb, &body,
396 SSL3_MT_CERTIFICATE_REQUEST) ||
397 !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
398 goto err;
399 }
400
401 const uint16_t *sigalgs;
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]402 size_t num_sigalgs = tls12_get_psigalgs(ssl, &sigalgs);
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]403 if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
404 goto err;
405 }
406
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]407 for (size_t i = 0; i < num_sigalgs; i++) {
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]408 if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
409 goto err;
410 }
411 }
412
413 if (!ssl_add_client_CA_list(ssl, &body) ||
414 !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||
415 !ssl->method->finish_message(ssl, &cbb)) {
416 goto err;
417 }
418
419 hs->state = state_send_server_certificate;
420 return ssl_hs_write_message;
421
422err:
423 CBB_cleanup(&cbb);
424 return ssl_hs_error;
425}
426
427static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl,
428 SSL_HANDSHAKE *hs) {
429 if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
430 hs->state = state_send_server_finished;
431 return ssl_hs_ok;
432 }
433
434 if (!ssl_has_certificate(ssl)) {
435 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
436 return ssl_hs_error;
437 }
438
439 if (!tls13_prepare_certificate(ssl)) {
440 return ssl_hs_error;
441 }
442
443 hs->state = state_send_server_certificate_verify;
444 return ssl_hs_write_message;
445}
446
447static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL *ssl,
448 SSL_HANDSHAKE *hs,
449 int is_first_run) {
450 switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {
451 case ssl_private_key_success:
452 hs->state = state_send_server_finished;
453 return ssl_hs_write_message;
454
455 case ssl_private_key_retry:
456 hs->state = state_complete_server_certificate_verify;
457 return ssl_hs_private_key_operation;
458
459 case ssl_private_key_failure:
460 return ssl_hs_error;
461 }
462
463 assert(0);
464 return ssl_hs_error;
465}
466
467static enum ssl_hs_wait_t do_send_server_finished(SSL *ssl, SSL_HANDSHAKE *hs) {
468 if (!tls13_prepare_finished(ssl)) {
469 return ssl_hs_error;
470 }
471
472 hs->state = state_flush;
473 return ssl_hs_write_message;
474}
475
476static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {
477 /* Update the secret to the master secret and derive traffic keys. */
478 if (!tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||
479 !tls13_derive_traffic_secret_0(ssl) ||
480 !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,
481 hs->traffic_secret_0, hs->hash_len)) {
482 return ssl_hs_error;
483 }
484
485 hs->state = state_process_client_certificate;
486 return ssl_hs_flush_and_read_message;
487}
488
489static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,
490 SSL_HANDSHAKE *hs) {
491 if (!ssl->s3->tmp.cert_request) {
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]492 /* OpenSSL returns X509_V_OK when no certificates are requested. This is
493 * classed by them as a bug, but it's assumed by at least NGINX. */
494 ssl->s3->new_session->verify_result = X509_V_OK;
495
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]496 /* Skip this state. */
David Benjaminf0c4a6c2016-08-11 13:26:41 -0400[diff] [blame^]497 hs->state = state_process_client_finished;
David Benjaminc895d6b2016-08-11 13:26:41 -0400[diff] [blame]498 return ssl_hs_ok;
499 }
500
501 const int allow_anonymous =
502 (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
503
504 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
505 !tls13_process_certificate(ssl, allow_anonymous) ||
506 !ssl->method->hash_current_message(ssl)) {
507 return ssl_hs_error;
508 }
509
510 /* For historical reasons, the server's copy of the chain does not include the
511 * leaf while the client's does. */
512 if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) {
513 X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain));
514 }
515
516 hs->state = state_process_client_certificate_verify;
517 return ssl_hs_read_message;
518}
519
520static enum ssl_hs_wait_t do_process_client_certificate_verify(
521 SSL *ssl, SSL_HANDSHAKE *hs) {
522 if (ssl->s3->new_session->peer == NULL) {
523 /* Skip this state. */
524 hs->state = state_process_client_finished;
525 return ssl_hs_ok;
526 }
527
528 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
529 !tls13_process_certificate_verify(ssl) ||
530 !ssl->method->hash_current_message(ssl)) {
531 return 0;
532 }
533
534 hs->state = state_process_client_finished;
535 return ssl_hs_read_message;
536}
537
538static enum ssl_hs_wait_t do_process_client_finished(SSL *ssl,
539 SSL_HANDSHAKE *hs) {
540 if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||
541 !tls13_process_finished(ssl) ||
542 !ssl->method->hash_current_message(ssl) ||
543 /* evp_aead_seal keys have already been switched. */
544 !tls13_set_traffic_key(ssl, type_data, evp_aead_open,
545 hs->traffic_secret_0, hs->hash_len) ||
546 !tls13_finalize_keys(ssl)) {
547 return ssl_hs_error;
548 }
549
550 ssl->method->received_flight(ssl);
551 hs->state = state_send_new_session_ticket;
552 return ssl_hs_ok;
553}
554
555static enum ssl_hs_wait_t do_send_new_session_ticket(SSL *ssl,
556 SSL_HANDSHAKE *hs) {
557 SSL_SESSION *session = ssl->s3->new_session;
558 session->tlsext_tick_lifetime_hint = session->timeout;
559 session->ticket_flags = SSL_TICKET_ALLOW_DHE_RESUMPTION;
560 if (!RAND_bytes((uint8_t *)&session->ticket_age_add,
561 sizeof(session->ticket_age_add))) {
562 return 0;
563 }
564 session->ticket_age_add_valid = 1;
565
566 CBB cbb, body, ticket;
567 if (!ssl->method->init_message(ssl, &cbb, &body,
568 SSL3_MT_NEW_SESSION_TICKET) ||
569 !CBB_add_u32(&body, session->tlsext_tick_lifetime_hint) ||
570 !CBB_add_u32(&body, session->ticket_flags) ||
571 !CBB_add_u32(&body, session->ticket_age_add) ||
572 !CBB_add_u16(&body, 0 /* no ticket extensions */) ||
573 !CBB_add_u16_length_prefixed(&body, &ticket) ||
574 !ssl_encrypt_ticket(ssl, &ticket, session) ||
575 !ssl->method->finish_message(ssl, &cbb)) {
576 CBB_cleanup(&cbb);
577 return ssl_hs_error;
578 }
579
580 hs->session_tickets_sent++;
581
582 hs->state = state_flush_new_session_ticket;
583 return ssl_hs_write_message;
584}
585
586/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
587 * client makes several connections before getting a renewal. */
588static const int kNumTickets = 2;
589
590static enum ssl_hs_wait_t do_flush_new_session_ticket(SSL *ssl,
591 SSL_HANDSHAKE *hs) {
592 if (hs->session_tickets_sent >= kNumTickets) {
593 hs->state = state_done;
594 } else {
595 hs->state = state_send_new_session_ticket;
596 }
597 return ssl_hs_flush;
598}
599
600enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl) {
601 SSL_HANDSHAKE *hs = ssl->s3->hs;
602
603 while (hs->state != state_done) {
604 enum ssl_hs_wait_t ret = ssl_hs_error;
605 enum server_hs_state_t state = hs->state;
606 switch (state) {
607 case state_process_client_hello:
608 ret = do_process_client_hello(ssl, hs);
609 break;
610 case state_select_parameters:
611 ret = do_select_parameters(ssl, hs);
612 break;
613 case state_send_hello_retry_request:
614 ret = do_send_hello_retry_request(ssl, hs);
615 break;
616 case state_flush_hello_retry_request:
617 ret = do_flush_hello_retry_request(ssl, hs);
618 break;
619 case state_process_second_client_hello:
620 ret = do_process_second_client_hello(ssl, hs);
621 break;
622 case state_send_server_hello:
623 ret = do_send_server_hello(ssl, hs);
624 break;
625 case state_send_encrypted_extensions:
626 ret = do_send_encrypted_extensions(ssl, hs);
627 break;
628 case state_send_certificate_request:
629 ret = do_send_certificate_request(ssl, hs);
630 break;
631 case state_send_server_certificate:
632 ret = do_send_server_certificate(ssl, hs);
633 break;
634 case state_send_server_certificate_verify:
635 ret = do_send_server_certificate_verify(ssl, hs, 1 /* first run */);
636 break;
637 case state_complete_server_certificate_verify:
638 ret = do_send_server_certificate_verify(ssl, hs, 0 /* complete */);
639 break;
640 case state_send_server_finished:
641 ret = do_send_server_finished(ssl, hs);
642 break;
643 case state_flush:
644 ret = do_flush(ssl, hs);
645 break;
646 case state_process_client_certificate:
647 ret = do_process_client_certificate(ssl, hs);
648 break;
649 case state_process_client_certificate_verify:
650 ret = do_process_client_certificate_verify(ssl, hs);
651 break;
652 case state_process_client_finished:
653 ret = do_process_client_finished(ssl, hs);
654 break;
655 case state_send_new_session_ticket:
656 ret = do_send_new_session_ticket(ssl, hs);
657 break;
658 case state_flush_new_session_ticket:
659 ret = do_flush_new_session_ticket(ssl, hs);
660 break;
661 case state_done:
662 ret = ssl_hs_ok;
663 break;
664 }
665
666 if (ret != ssl_hs_ok) {
667 return ret;
668 }
669 }
670
671 return ssl_hs_ok;
672}