tls13_server.cc source code [dart_sdk/third_party/boringssl/src/ssl/tls13_server.cc]

1	/ Copyright (c) 2016, Google Inc.*
2	*
3	* Permission to use, copy, modify, and/or distribute this software for any
4	* purpose with or without fee is hereby granted, provided that the above
5	* copyright notice and this permission notice appear in all copies.
6	*
7	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15	#include <openssl/ssl.h>
16
17	#include <assert.h>
18	#include <string.h>
19
20	#include <tuple>
21
22	#include <openssl/aead.h>
23	#include <openssl/bytestring.h>
24	#include <openssl/digest.h>
25	#include <openssl/err.h>
26	#include <openssl/hpke.h>
27	#include <openssl/mem.h>
28	#include <openssl/rand.h>
29	#include <openssl/stack.h>
30
31	#include "../crypto/internal.h"
32	#include "internal.h"
33
34
35	BSSL_NAMESPACE_BEGIN
36
37	static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {`0`};
38
39	// Allow a minute of ticket age skew in either direction. This covers
40	// transmission delays in ClientHello and NewSessionTicket, as well as
41	// drift between client and server clock rate since the ticket was issued.
42	// See RFC 8446, section 8.3.
43	static const int32_t kMaxTicketAgeSkewSeconds = `60`;
44
45	static bool resolve_ecdhe_secret(SSL_HANDSHAKE *hs,
46	const SSL_CLIENT_HELLO *client_hello) {
47	SSL *const ssl = hs->ssl;
48	const uint16_t group_id = hs->new_session->group_id;
49
50	bool found_key_share;
51	Span<const uint8_t> peer_key;
52	uint8_t alert = SSL_AD_DECODE_ERROR;
53	if (!ssl_ext_key_share_parse_clienthello(hs, out_found: &found_key_share, out_peer_key: &peer_key,
54	out_alert: &alert, client_hello)) {
55	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
56	return false;
57	}
58
59	if (!found_key_share) {
60	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
61	OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
62	return false;
63	}
64
65	Array<uint8_t> secret;
66	SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
67	if (hints && !hs->hints_requested && hints->key_share_group_id == group_id &&
68	!hints->key_share_secret.empty()) {
69	// Copy the key_share secret from hints.
70	if (!hs->key_share_ciphertext.CopyFrom(hints->key_share_ciphertext) \|\|
71	!secret.CopyFrom(hints->key_share_secret)) {
72	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
73	return false;
74	}
75	} else {
76	ScopedCBB ciphertext;
77	UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
78	if (!key_share \|\| //
79	!CBB_init(cbb: ciphertext.get(), initial_capacity: `32`) \|\|
80	!key_share->Encap(ciphertext.get(), &secret, &alert, peer_key) \|\|
81	!CBBFinishArray(cbb: ciphertext.get(), out: &hs->key_share_ciphertext)) {
82	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
83	return false;
84	}
85	if (hints && hs->hints_requested) {
86	hints->key_share_group_id = group_id;
87	if (!hints->key_share_ciphertext.CopyFrom(hs->key_share_ciphertext) \|\|
88	!hints->key_share_secret.CopyFrom(secret)) {
89	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
90	return false;
91	}
92	}
93	}
94
95	return tls13_advance_key_schedule(hs, secret);
96	}
97
98	static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
99	CBB *out) {
100	CBB contents;
101	if (!CBB_add_u16(cbb: out, TLSEXT_TYPE_supported_versions) \|\|
102	!CBB_add_u16_length_prefixed(cbb: out, out_contents: &contents) \|\|
103	!CBB_add_u16(cbb: &contents, value: hs->ssl->version) \|\|
104	!CBB_flush(cbb: out)) {
105	return `0`;
106	}
107
108	return `1`;
109	}
110
111	static const SSL_CIPHER *choose_tls13_cipher(
112	const SSL ssl, const* SSL_CLIENT_HELLO *client_hello, uint16_t group_id) {
113	CBS cipher_suites;
114	CBS_init(cbs: &cipher_suites, data: client_hello->cipher_suites,
115	len: client_hello->cipher_suites_len);
116
117	const uint16_t version = ssl_protocol_version(ssl);
118
119	return ssl_choose_tls13_cipher(cipher_suites, version, group_id,
120	ssl->config->only_fips_cipher_suites_in_tls13);
121	}
122
123	static bool add_new_session_tickets(SSL_HANDSHAKE hs, bool* *out_sent_tickets) {
124	SSL *const ssl = hs->ssl;
125	if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
126	// session ticket.
127	!hs->accept_psk_mode \|\|
128	// We only implement stateless resumption in TLS 1.3, so skip sending
129	// tickets if disabled.
130	(SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {
131	out_sent_tickets = false*;
132	return true;
133	}
134
135	// Rebase the session timestamp so that it is measured from ticket
136	// issuance.
137	ssl_session_rebase_time(ssl, hs->new_session.get());
138
139	assert(ssl->session_ctx->num_tickets <= kMaxTickets);
140	for (size_t i = `0`; i < ssl->session_ctx->num_tickets; i++) {
141	UniquePtr<SSL_SESSION> session(
142	SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
143	if (!session) {
144	return false;
145	}
146
147	if (!RAND_bytes((uint8_t *)&session->ticket_age_add, `4`)) {
148	return false;
149	}
150	session->ticket_age_add_valid = true;
151	bool enable_early_data =
152	ssl->enable_early_data &&
153	(!ssl->quic_method \|\| !ssl->config->quic_early_data_context.empty());
154	if (enable_early_data) {
155	// QUIC does not use the max_early_data_size parameter and always sets it
156	// to a fixed value. See RFC 9001, section 4.6.1.
157	session->ticket_max_early_data =
158	ssl->quic_method != nullptr ? `0xffffffff` : kMaxEarlyDataAccepted;
159	}
160
161	static_assert(kMaxTickets < `256`, "Too many tickets");
162	assert(i < `256`);
163	uint8_t nonce[] = {static_cast<uint8_t>(i)};
164
165	ScopedCBB cbb;
166	CBB body, nonce_cbb, ticket, extensions;
167	if (!ssl->method->init_message(ssl, cbb.get(), &body,
168	SSL3_MT_NEW_SESSION_TICKET) \|\|
169	!CBB_add_u32(&body, session->timeout) \|\|
170	!CBB_add_u32(&body, session->ticket_age_add) \|\|
171	!CBB_add_u8_length_prefixed(&body, &nonce_cbb) \|\|
172	!CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) \|\|
173	!CBB_add_u16_length_prefixed(&body, &ticket) \|\|
174	!tls13_derive_session_psk(session.get(), nonce) \|\|
175	!ssl_encrypt_ticket(hs, &ticket, session.get()) \|\|
176	!CBB_add_u16_length_prefixed(&body, &extensions)) {
177	return false;
178	}
179
180	if (enable_early_data) {
181	CBB early_data;
182	if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) \|\|
183	!CBB_add_u16_length_prefixed(&extensions, &early_data) \|\|
184	!CBB_add_u32(&early_data, session->ticket_max_early_data) \|\|
185	!CBB_flush(&extensions)) {
186	return false;
187	}
188	}
189
190	// Add a fake extension. See RFC 8701.
191	if (!CBB_add_u16(cbb: &extensions,
192	value: ssl_get_grease_value(hs, index: ssl_grease_ticket_extension)) \|\|
193	!CBB_add_u16(cbb: &extensions, value: `0` / empty /)) {
194	return false;
195	}
196
197	if (!ssl_add_message_cbb(ssl, cbb: cbb.get())) {
198	return false;
199	}
200	}
201
202	out_sent_tickets = true*;
203	return true;
204	}
205
206	static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
207	// At this point, most ClientHello extensions have already been processed by
208	// the common handshake logic. Resolve the remaining non-PSK parameters.
209	SSL *const ssl = hs->ssl;
210	SSLMessage msg;
211	SSL_CLIENT_HELLO client_hello;
212	if (!hs->GetClientHello(out_msg: &msg, out_client_hello: &client_hello)) {
213	return ssl_hs_error;
214	}
215
216	if (ssl->quic_method != nullptr && client_hello.session_id_len > `0`) {
217	OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_COMPATIBILITY_MODE);
218	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
219	return ssl_hs_error;
220	}
221	OPENSSL_memcpy(dst: hs->session_id, src: client_hello.session_id,
222	n: client_hello.session_id_len);
223	hs->session_id_len = client_hello.session_id_len;
224
225	uint16_t group_id;
226	if (!tls1_get_shared_group(hs, out_group_id: &group_id)) {
227	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
228	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
229	return ssl_hs_error;
230	}
231
232	// Negotiate the cipher suite.
233	hs->new_cipher = choose_tls13_cipher(ssl, client_hello: &client_hello, group_id);
234	if (hs->new_cipher == NULL) {
235	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
236	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
237	return ssl_hs_error;
238	}
239
240	// HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
241	// deferred. Complete it now.
242	uint8_t alert = SSL_AD_DECODE_ERROR;
243	if (!ssl_negotiate_alpn(hs, out_alert: &alert, client_hello: &client_hello)) {
244	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
245	return ssl_hs_error;
246	}
247
248	// The PRF hash is now known.
249	if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
250	return ssl_hs_error;
251	}
252
253	hs->tls13_state = state13_select_session;
254	return ssl_hs_ok;
255	}
256
257	static enum ssl_ticket_aead_result_t select_session(
258	SSL_HANDSHAKE hs, uint8_t out_alert, UniquePtr<SSL_SESSION> *out_session,
259	int32_t out_ticket_age_skew, bool* *out_offered_ticket,
260	const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) {
261	SSL *const ssl = hs->ssl;
262	out_session = nullptr*;
263
264	CBS pre_shared_key;
265	*out_offered_ticket = ssl_client_hello_get_extension(
266	client_hello, out: &pre_shared_key, TLSEXT_TYPE_pre_shared_key);
267	if (!*out_offered_ticket) {
268	return ssl_ticket_aead_ignore_ticket;
269	}
270
271	// Per RFC 8446, section 4.2.9, servers MUST abort the handshake if the client
272	// sends pre_shared_key without psk_key_exchange_modes.
273	CBS unused;
274	if (!ssl_client_hello_get_extension(client_hello, out: &unused,
275	TLSEXT_TYPE_psk_key_exchange_modes)) {
276	*out_alert = SSL_AD_MISSING_EXTENSION;
277	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
278	return ssl_ticket_aead_error;
279	}
280
281	CBS ticket, binders;
282	uint32_t client_ticket_age;
283	if (!ssl_ext_pre_shared_key_parse_clienthello(
284	hs, out_ticket: &ticket, out_binders: &binders, out_obfuscated_ticket_age: &client_ticket_age, out_alert, client_hello,
285	contents: &pre_shared_key)) {
286	return ssl_ticket_aead_error;
287	}
288
289	// If the peer did not offer psk_dhe, ignore the resumption.
290	if (!hs->accept_psk_mode) {
291	return ssl_ticket_aead_ignore_ticket;
292	}
293
294	// TLS 1.3 session tickets are renewed separately as part of the
295	// NewSessionTicket.
296	bool unused_renew;
297	UniquePtr<SSL_SESSION> session;
298	enum ssl_ticket_aead_result_t ret =
299	ssl_process_ticket(hs, &session, &unused_renew, ticket, {});
300	switch (ret) {
301	case ssl_ticket_aead_success:
302	break;
303	case ssl_ticket_aead_error:
304	*out_alert = SSL_AD_INTERNAL_ERROR;
305	return ret;
306	default:
307	return ret;
308	}
309
310	if (!ssl_session_is_resumable(hs, session.get()) \|\|
311	// Historically, some TLS 1.3 tickets were missing ticket_age_add.
312	!session->ticket_age_add_valid) {
313	return ssl_ticket_aead_ignore_ticket;
314	}
315
316	// Recover the client ticket age and convert to seconds.
317	client_ticket_age -= session->ticket_age_add;
318	client_ticket_age /= `1000`;
319
320	struct OPENSSL_timeval now;
321	ssl_get_current_time(ssl, out_clock: &now);
322
323	// Compute the server ticket age in seconds.
324	assert(now.tv_sec >= session->time);
325	uint64_t server_ticket_age = now.tv_sec - session->time;
326
327	// To avoid overflowing \|hs->ticket_age_skew\|, we will not resume
328	// 68-year-old sessions.
329	if (server_ticket_age > INT32_MAX) {
330	return ssl_ticket_aead_ignore_ticket;
331	}
332
333	out_ticket_age_skew = static_cast*<int32_t>(client_ticket_age) -
334	static_cast<int32_t>(server_ticket_age);
335
336	// Check the PSK binder.
337	if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
338	*out_alert = SSL_AD_DECRYPT_ERROR;
339	return ssl_ticket_aead_error;
340	}
341
342	*out_session = std::move(session);
343	return ssl_ticket_aead_success;
344	}
345
346	static bool quic_ticket_compatible(const SSL_SESSION *session,
347	const SSL_CONFIG *config) {
348	if (!session->is_quic) {
349	return true;
350	}
351
352	if (session->quic_early_data_context.empty() \|\|
353	config->quic_early_data_context.size() !=
354	session->quic_early_data_context.size() \|\|
355	CRYPTO_memcmp(a: config->quic_early_data_context.data(),
356	b: session->quic_early_data_context.data(),
357	len: session->quic_early_data_context.size()) != `0`) {
358	return false;
359	}
360	return true;
361	}
362
363	static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
364	SSL *const ssl = hs->ssl;
365	SSLMessage msg;
366	SSL_CLIENT_HELLO client_hello;
367	if (!hs->GetClientHello(out_msg: &msg, out_client_hello: &client_hello)) {
368	return ssl_hs_error;
369	}
370
371	uint8_t alert = SSL_AD_DECODE_ERROR;
372	UniquePtr<SSL_SESSION> session;
373	bool offered_ticket = false;
374	switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,
375	&offered_ticket, msg, &client_hello)) {
376	case ssl_ticket_aead_ignore_ticket:
377	assert(!session);
378	if (!ssl_get_new_session(hs)) {
379	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
380	return ssl_hs_error;
381	}
382	break;
383
384	case ssl_ticket_aead_success:
385	// Carry over authentication information from the previous handshake into
386	// a fresh session.
387	hs->new_session =
388	SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
389	if (hs->new_session == nullptr) {
390	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
391	return ssl_hs_error;
392	}
393
394	ssl->s3->session_reused = true;
395	hs->can_release_private_key = true;
396
397	// Resumption incorporates fresh key material, so refresh the timeout.
398	ssl_session_renew_timeout(ssl, hs->new_session.get(),
399	ssl->session_ctx->session_psk_dhe_timeout);
400	break;
401
402	case ssl_ticket_aead_error:
403	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
404	return ssl_hs_error;
405
406	case ssl_ticket_aead_retry:
407	hs->tls13_state = state13_select_session;
408	return ssl_hs_pending_ticket;
409	}
410
411	// Negotiate ALPS now, after ALPN is negotiated and \|hs->new_session\| is
412	// initialized.
413	if (!ssl_negotiate_alps(hs, out_alert: &alert, client_hello: &client_hello)) {
414	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
415	return ssl_hs_error;
416	}
417
418	// Record connection properties in the new session.
419	hs->new_session->cipher = hs->new_cipher;
420	if (!tls1_get_shared_group(hs, &hs->new_session->group_id)) {
421	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
422	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
423	return ssl_hs_error;
424	}
425
426	// Determine if we need HelloRetryRequest.
427	bool found_key_share;
428	if (!ssl_ext_key_share_parse_clienthello(hs, out_found: &found_key_share,
429	/out_key_share=/out_peer_key: nullptr, out_alert: &alert,
430	client_hello: &client_hello)) {
431	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
432	return ssl_hs_error;
433	}
434
435	// Determine if we're negotiating 0-RTT.
436	if (!ssl->enable_early_data) {
437	ssl->s3->early_data_reason = ssl_early_data_disabled;
438	} else if (!offered_ticket) {
439	ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
440	} else if (!session) {
441	ssl->s3->early_data_reason = ssl_early_data_session_not_resumed;
442	} else if (session->ticket_max_early_data == `0`) {
443	ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
444	} else if (!hs->early_data_offered) {
445	ssl->s3->early_data_reason = ssl_early_data_peer_declined;
446	} else if (hs->channel_id_negotiated) {
447	// Channel ID is incompatible with 0-RTT.
448	ssl->s3->early_data_reason = ssl_early_data_channel_id;
449	} else if (MakeConstSpan(c: ssl->s3->alpn_selected) != session->early_alpn) {
450	// The negotiated ALPN must match the one in the ticket.
451	ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
452	} else if (hs->new_session->has_application_settings !=
453	session->has_application_settings \|\|
454	MakeConstSpan(hs->new_session->local_application_settings) !=
455	session->local_application_settings) {
456	ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;
457	} else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds \|\|
458	kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {
459	ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;
460	} else if (!quic_ticket_compatible(session.get(), hs->config)) {
461	ssl->s3->early_data_reason = ssl_early_data_quic_parameter_mismatch;
462	} else if (!found_key_share) {
463	ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
464	} else {
465	// \|ssl_session_is_resumable\| forbids cross-cipher resumptions even if the
466	// PRF hashes match.
467	assert(hs->new_cipher == session->cipher);
468
469	ssl->s3->early_data_reason = ssl_early_data_accepted;
470	ssl->s3->early_data_accepted = true;
471	}
472
473	// Store the ALPN and ALPS values in the session for 0-RTT. Note the peer
474	// applications settings are not generally known until client
475	// EncryptedExtensions.
476	if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
477	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
478	return ssl_hs_error;
479	}
480
481	// The peer applications settings are usually received later, in
482	// EncryptedExtensions. But, in 0-RTT handshakes, we carry over the
483	// values from \|session\|. Do this now, before \|session\| is discarded.
484	if (ssl->s3->early_data_accepted &&
485	hs->new_session->has_application_settings &&
486	!hs->new_session->peer_application_settings.CopyFrom(
487	session->peer_application_settings)) {
488	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
489	return ssl_hs_error;
490	}
491
492	// Copy the QUIC early data context to the session.
493	if (ssl->enable_early_data && ssl->quic_method) {
494	if (!hs->new_session->quic_early_data_context.CopyFrom(
495	hs->config->quic_early_data_context)) {
496	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
497	return ssl_hs_error;
498	}
499	}
500
501	if (ssl->ctx->dos_protection_cb != NULL &&
502	ssl->ctx->dos_protection_cb(&client_hello) == `0`) {
503	// Connection rejected for DOS reasons.
504	OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
505	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
506	return ssl_hs_error;
507	}
508
509	size_t hash_len = EVP_MD_size(
510	md: ssl_get_handshake_digest(version: ssl_protocol_version(ssl), cipher: hs->new_cipher));
511
512	// Set up the key schedule and incorporate the PSK into the running secret.
513	if (!tls13_init_key_schedule(
514	hs, ssl->s3->session_reused
515	? MakeConstSpan(hs->new_session->secret,
516	hs->new_session->secret_length)
517	: MakeConstSpan(ptr: kZeroes, size: hash_len)) \|\|
518	!ssl_hash_message(hs, msg)) {
519	return ssl_hs_error;
520	}
521
522	if (ssl->s3->early_data_accepted) {
523	if (!tls13_derive_early_secret(hs)) {
524	return ssl_hs_error;
525	}
526	} else if (hs->early_data_offered) {
527	ssl->s3->skip_early_data = true;
528	}
529
530	if (!found_key_share) {
531	ssl->method->next_message(ssl);
532	if (!hs->transcript.UpdateForHelloRetryRequest()) {
533	return ssl_hs_error;
534	}
535	hs->tls13_state = state13_send_hello_retry_request;
536	return ssl_hs_ok;
537	}
538
539	if (!resolve_ecdhe_secret(hs, client_hello: &client_hello)) {
540	return ssl_hs_error;
541	}
542
543	ssl->method->next_message(ssl);
544	hs->ech_client_hello_buf.Reset();
545	hs->tls13_state = state13_send_server_hello;
546	return ssl_hs_ok;
547	}
548
549	static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
550	SSL *const ssl = hs->ssl;
551	if (hs->hints_requested) {
552	return ssl_hs_hints_ready;
553	}
554
555	ScopedCBB cbb;
556	CBB body, session_id, extensions;
557	uint16_t group_id;
558	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) \|\|
559	!CBB_add_u16(cbb: &body, TLS1_2_VERSION) \|\|
560	!CBB_add_bytes(cbb: &body, data: kHelloRetryRequest, SSL3_RANDOM_SIZE) \|\|
561	!CBB_add_u8_length_prefixed(cbb: &body, out_contents: &session_id) \|\|
562	!CBB_add_bytes(cbb: &session_id, data: hs->session_id, len: hs->session_id_len) \|\|
563	!CBB_add_u16(cbb: &body, value: SSL_CIPHER_get_protocol_id(cipher: hs->new_cipher)) \|\|
564	!CBB_add_u8(cbb: &body, value: `0` / no compression /) \|\|
565	!tls1_get_shared_group(hs, out_group_id: &group_id) \|\|
566	!CBB_add_u16_length_prefixed(cbb: &body, out_contents: &extensions) \|\|
567	!CBB_add_u16(cbb: &extensions, TLSEXT_TYPE_supported_versions) \|\|
568	!CBB_add_u16(cbb: &extensions, value: `2` / length /) \|\|
569	!CBB_add_u16(cbb: &extensions, value: ssl->version) \|\|
570	!CBB_add_u16(cbb: &extensions, TLSEXT_TYPE_key_share) \|\|
571	!CBB_add_u16(cbb: &extensions, value: `2` / length /) \|\|
572	!CBB_add_u16(cbb: &extensions, value: group_id)) {
573	return ssl_hs_error;
574	}
575	if (hs->ech_is_inner) {
576	// Fill a placeholder for the ECH confirmation value.
577	if (!CBB_add_u16(cbb: &extensions, TLSEXT_TYPE_encrypted_client_hello) \|\|
578	!CBB_add_u16(cbb: &extensions, ECH_CONFIRMATION_SIGNAL_LEN) \|\|
579	!CBB_add_zeros(cbb: &extensions, ECH_CONFIRMATION_SIGNAL_LEN)) {
580	return ssl_hs_error;
581	}
582	}
583	Array<uint8_t> hrr;
584	if (!ssl->method->finish_message(ssl, cbb.get(), &hrr)) {
585	return ssl_hs_error;
586	}
587	if (hs->ech_is_inner) {
588	// Now that the message is encoded, fill in the whole value.
589	size_t offset = hrr.size() - ECH_CONFIRMATION_SIGNAL_LEN;
590	if (!ssl_ech_accept_confirmation(
591	hs, MakeSpan(c&: hrr).last(ECH_CONFIRMATION_SIGNAL_LEN),
592	ssl->s3->client_random, hs->transcript, /is_hrr=/true, hrr,
593	offset)) {
594	return ssl_hs_error;
595	}
596	}
597
598	if (!ssl->method->add_message(ssl, std::move(hrr)) \|\|
599	!ssl->method->add_change_cipher_spec(ssl)) {
600	return ssl_hs_error;
601	}
602
603	ssl->s3->used_hello_retry_request = true;
604	hs->tls13_state = state13_read_second_client_hello;
605	return ssl_hs_flush;
606	}
607
608	static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
609	SSL *const ssl = hs->ssl;
610	SSLMessage msg;
611	if (!ssl->method->get_message(ssl, &msg)) {
612	return ssl_hs_read_message;
613	}
614	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
615	return ssl_hs_error;
616	}
617	SSL_CLIENT_HELLO client_hello;
618	if (!ssl_client_hello_init(ssl, out: &client_hello, body: msg.body)) {
619	OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
620	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
621	return ssl_hs_error;
622	}
623
624	if (ssl->s3->ech_status == ssl_ech_accepted) {
625	// If we previously accepted the ClientHelloInner, the second ClientHello
626	// must contain an outer encrypted_client_hello extension.
627	CBS ech_body;
628	if (!ssl_client_hello_get_extension(client_hello: &client_hello, out: &ech_body,
629	TLSEXT_TYPE_encrypted_client_hello)) {
630	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
631	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
632	return ssl_hs_error;
633	}
634	uint16_t kdf_id, aead_id;
635	uint8_t type, config_id;
636	CBS enc, payload;
637	if (!CBS_get_u8(cbs: &ech_body, out: &type) \|\| //
638	type != ECH_CLIENT_OUTER \|\| //
639	!CBS_get_u16(cbs: &ech_body, out: &kdf_id) \|\| //
640	!CBS_get_u16(cbs: &ech_body, out: &aead_id) \|\|
641	!CBS_get_u8(cbs: &ech_body, out: &config_id) \|\|
642	!CBS_get_u16_length_prefixed(cbs: &ech_body, out: &enc) \|\|
643	!CBS_get_u16_length_prefixed(cbs: &ech_body, out: &payload) \|\|
644	CBS_len(cbs: &ech_body) != `0`) {
645	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
646	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
647	return ssl_hs_error;
648	}
649
650	if (kdf_id != EVP_HPKE_KDF_id(kdf: EVP_HPKE_CTX_kdf(ctx: hs->ech_hpke_ctx.get())) \|\|
651	aead_id !=
652	EVP_HPKE_AEAD_id(aead: EVP_HPKE_CTX_aead(ctx: hs->ech_hpke_ctx.get())) \|\|
653	config_id != hs->ech_config_id \|\| CBS_len(cbs: &enc) > `0`) {
654	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
655	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
656	return ssl_hs_error;
657	}
658
659	// Decrypt the payload with the HPKE context from the first ClientHello.
660	uint8_t alert = SSL_AD_DECODE_ERROR;
661	bool unused;
662	if (!ssl_client_hello_decrypt(hs, out_alert: &alert, out_is_decrypt_error: &unused,
663	out: &hs->ech_client_hello_buf, client_hello_outer: &client_hello,
664	payload)) {
665	// Decryption failure is fatal in the second ClientHello.
666	OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
667	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
668	return ssl_hs_error;
669	}
670
671	// Reparse \|client_hello\| from the buffer owned by \|hs\|.
672	if (!hs->GetClientHello(out_msg: &msg, out_client_hello: &client_hello)) {
673	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
674	return ssl_hs_error;
675	}
676	}
677
678	// We perform all our negotiation based on the first ClientHello (for
679	// consistency with what \|select_certificate_cb\| observed), which is in the
680	// transcript, so we can ignore most of this second one.
681	//
682	// We do, however, check the second PSK binder. This covers the client key
683	// share, in case we ever send half-RTT data (we currently do not). It is also
684	// a tricky computation, so we enforce the peer handled it correctly.
685	if (ssl->s3->session_reused) {
686	CBS pre_shared_key;
687	if (!ssl_client_hello_get_extension(client_hello: &client_hello, out: &pre_shared_key,
688	TLSEXT_TYPE_pre_shared_key)) {
689	OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_CLIENT_HELLO);
690	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
691	return ssl_hs_error;
692	}
693
694	CBS ticket, binders;
695	uint32_t client_ticket_age;
696	uint8_t alert = SSL_AD_DECODE_ERROR;
697	if (!ssl_ext_pre_shared_key_parse_clienthello(
698	hs, out_ticket: &ticket, out_binders: &binders, out_obfuscated_ticket_age: &client_ticket_age, out_alert: &alert, client_hello: &client_hello,
699	contents: &pre_shared_key)) {
700	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
701	return ssl_hs_error;
702	}
703
704	// Note it is important that we do not obtain a new \|SSL_SESSION\| from
705	// \|ticket\|. We have already selected parameters based on the first
706	// ClientHello (in the transcript) and must not switch partway through.
707	if (!tls13_verify_psk_binder(hs, hs->new_session.get(), msg, &binders)) {
708	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
709	return ssl_hs_error;
710	}
711	}
712
713	if (!resolve_ecdhe_secret(hs, client_hello: &client_hello)) {
714	return ssl_hs_error;
715	}
716
717	if (!ssl_hash_message(hs, msg)) {
718	return ssl_hs_error;
719	}
720
721	// ClientHello should be the end of the flight.
722	if (ssl->method->has_unprocessed_handshake_data(ssl)) {
723	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
724	OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
725	return ssl_hs_error;
726	}
727
728	ssl->method->next_message(ssl);
729	hs->ech_client_hello_buf.Reset();
730	hs->tls13_state = state13_send_server_hello;
731	return ssl_hs_ok;
732	}
733
734	static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
735	SSL *const ssl = hs->ssl;
736
737	Span<uint8_t> random(ssl->s3->server_random);
738
739	SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
740	if (hints && !hs->hints_requested &&
741	hints->server_random_tls13.size() == random.size()) {
742	OPENSSL_memcpy(random.data(), hints->server_random_tls13.data(),
743	random.size());
744	} else {
745	RAND_bytes(random.data(), random.size());
746	if (hints && hs->hints_requested &&
747	!hints->server_random_tls13.CopyFrom(random)) {
748	return ssl_hs_error;
749	}
750	}
751
752	Array<uint8_t> server_hello;
753	ScopedCBB cbb;
754	CBB body, extensions, session_id;
755	if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) \|\|
756	!CBB_add_u16(cbb: &body, TLS1_2_VERSION) \|\|
757	!CBB_add_bytes(cbb: &body, data: ssl->s3->server_random,
758	len: sizeof(ssl->s3->server_random)) \|\|
759	!CBB_add_u8_length_prefixed(cbb: &body, out_contents: &session_id) \|\|
760	!CBB_add_bytes(cbb: &session_id, data: hs->session_id, len: hs->session_id_len) \|\|
761	!CBB_add_u16(cbb: &body, value: SSL_CIPHER_get_protocol_id(cipher: hs->new_cipher)) \|\|
762	!CBB_add_u8(cbb: &body, value: `0`) \|\|
763	!CBB_add_u16_length_prefixed(cbb: &body, out_contents: &extensions) \|\|
764	!ssl_ext_pre_shared_key_add_serverhello(hs, out: &extensions) \|\|
765	!ssl_ext_key_share_add_serverhello(hs, out: &extensions) \|\|
766	!ssl_ext_supported_versions_add_serverhello(hs, out: &extensions) \|\|
767	!ssl->method->finish_message(ssl, cbb.get(), &server_hello)) {
768	return ssl_hs_error;
769	}
770
771	assert(ssl->s3->ech_status != ssl_ech_accepted \|\| hs->ech_is_inner);
772	if (hs->ech_is_inner) {
773	// Fill in the ECH confirmation signal.
774	const size_t offset = ssl_ech_confirmation_signal_hello_offset(ssl);
775	Span<uint8_t> random_suffix = random.last(ECH_CONFIRMATION_SIGNAL_LEN);
776	if (!ssl_ech_accept_confirmation(hs, random_suffix, ssl->s3->client_random,
777	hs->transcript,
778	/is_hrr=/false, server_hello, offset)) {
779	return ssl_hs_error;
780	}
781
782	// Update \|server_hello\|.
783	Span<uint8_t> server_hello_out =
784	MakeSpan(c&: server_hello).subspan(offset, ECH_CONFIRMATION_SIGNAL_LEN);
785	OPENSSL_memcpy(server_hello_out.data(), random_suffix.data(),
786	ECH_CONFIRMATION_SIGNAL_LEN);
787	}
788
789	if (!ssl->method->add_message(ssl, std::move(server_hello))) {
790	return ssl_hs_error;
791	}
792
793	hs->key_share_ciphertext.Reset(); // No longer needed.
794	if (!ssl->s3->used_hello_retry_request &&
795	!ssl->method->add_change_cipher_spec(ssl)) {
796	return ssl_hs_error;
797	}
798
799	// Derive and enable the handshake traffic secrets.
800	if (!tls13_derive_handshake_secrets(hs) \|\|
801	!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
802	hs->new_session.get(),
803	hs->server_handshake_secret())) {
804	return ssl_hs_error;
805	}
806
807	// Send EncryptedExtensions.
808	if (!ssl->method->init_message(ssl, cbb.get(), &body,
809	SSL3_MT_ENCRYPTED_EXTENSIONS) \|\|
810	!ssl_add_serverhello_tlsext(hs, out: &body) \|\|
811	!ssl_add_message_cbb(ssl, cbb: cbb.get())) {
812	return ssl_hs_error;
813	}
814
815	if (!ssl->s3->session_reused) {
816	// Determine whether to request a client certificate.
817	hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
818	// Only request a certificate if Channel ID isn't negotiated.
819	if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
820	hs->channel_id_negotiated) {
821	hs->cert_request = false;
822	}
823	}
824
825	// Send a CertificateRequest, if necessary.
826	if (hs->cert_request) {
827	CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;
828	if (!ssl->method->init_message(ssl, cbb.get(), &body,
829	SSL3_MT_CERTIFICATE_REQUEST) \|\|
830	!CBB_add_u8(cbb: &body, value: `0` / no certificate_request_context. /) \|\|
831	!CBB_add_u16_length_prefixed(cbb: &body, out_contents: &cert_request_extensions) \|\|
832	!CBB_add_u16(cbb: &cert_request_extensions,
833	TLSEXT_TYPE_signature_algorithms) \|\|
834	!CBB_add_u16_length_prefixed(cbb: &cert_request_extensions,
835	out_contents: &sigalg_contents) \|\|
836	!CBB_add_u16_length_prefixed(cbb: &sigalg_contents, out_contents: &sigalgs_cbb) \|\|
837	!tls12_add_verify_sigalgs(hs, out: &sigalgs_cbb)) {
838	return ssl_hs_error;
839	}
840
841	if (ssl_has_client_CAs(cfg: hs->config)) {
842	CBB ca_contents;
843	if (!CBB_add_u16(cbb: &cert_request_extensions,
844	TLSEXT_TYPE_certificate_authorities) \|\|
845	!CBB_add_u16_length_prefixed(cbb: &cert_request_extensions,
846	out_contents: &ca_contents) \|\|
847	!ssl_add_client_CA_list(hs, cbb: &ca_contents) \|\|
848	!CBB_flush(cbb: &cert_request_extensions)) {
849	return ssl_hs_error;
850	}
851	}
852
853	if (!ssl_add_message_cbb(ssl, cbb: cbb.get())) {
854	return ssl_hs_error;
855	}
856	}
857
858	// Send the server Certificate message, if necessary.
859	if (!ssl->s3->session_reused) {
860	if (!ssl_has_certificate(hs)) {
861	OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
862	return ssl_hs_error;
863	}
864
865	if (!tls13_add_certificate(hs)) {
866	return ssl_hs_error;
867	}
868
869	hs->tls13_state = state13_send_server_certificate_verify;
870	return ssl_hs_ok;
871	}
872
873	hs->tls13_state = state13_send_server_finished;
874	return ssl_hs_ok;
875	}
876
877	static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
878	switch (tls13_add_certificate_verify(hs)) {
879	case ssl_private_key_success:
880	hs->tls13_state = state13_send_server_finished;
881	return ssl_hs_ok;
882
883	case ssl_private_key_retry:
884	hs->tls13_state = state13_send_server_certificate_verify;
885	return ssl_hs_private_key_operation;
886
887	case ssl_private_key_failure:
888	return ssl_hs_error;
889	}
890
891	assert(`0`);
892	return ssl_hs_error;
893	}
894
895	static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
896	SSL *const ssl = hs->ssl;
897	if (hs->hints_requested) {
898	return ssl_hs_hints_ready;
899	}
900
901	hs->can_release_private_key = true;
902	if (!tls13_add_finished(hs) \|\|
903	// Update the secret to the master secret and derive traffic keys.
904	!tls13_advance_key_schedule(
905	hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) \|\|
906	!tls13_derive_application_secrets(hs) \|\|
907	!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
908	hs->new_session.get(),
909	hs->server_traffic_secret_0())) {
910	return ssl_hs_error;
911	}
912
913	hs->tls13_state = state13_send_half_rtt_ticket;
914	return hs->handback ? ssl_hs_handback : ssl_hs_ok;
915	}
916
917	static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) {
918	SSL *const ssl = hs->ssl;
919
920	if (ssl->s3->early_data_accepted) {
921	// If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
922	// the wire sooner and also avoids triggering a write on \|SSL_read\| when
923	// processing the client Finished. This requires computing the client
924	// Finished early. See RFC 8446, section 4.6.1.
925	static const uint8_t kEndOfEarlyData[`4`] = {SSL3_MT_END_OF_EARLY_DATA, `0`,
926	`0`, `0`};
927	if (ssl->quic_method == nullptr &&
928	!hs->transcript.Update(kEndOfEarlyData)) {
929	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
930	return ssl_hs_error;
931	}
932
933	size_t finished_len;
934	if (!tls13_finished_mac(hs, hs->expected_client_finished().data(),
935	&finished_len, false / client /)) {
936	return ssl_hs_error;
937	}
938
939	if (finished_len != hs->expected_client_finished().size()) {
940	OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
941	return ssl_hs_error;
942	}
943
944	// Feed the predicted Finished into the transcript. This allows us to derive
945	// the resumption secret early and send half-RTT tickets.
946	//
947	// TODO(davidben): This will need to be updated for DTLS 1.3.
948	assert(!SSL_is_dtls(ssl: hs->ssl));
949	assert(hs->expected_client_finished().size() <= `0xff`);
950	uint8_t header[`4`] = {
951	SSL3_MT_FINISHED, `0`, `0`,
952	static_cast<uint8_t>(hs->expected_client_finished().size())};
953	bool unused_sent_tickets;
954	if (!hs->transcript.Update(header) \|\|
955	!hs->transcript.Update(hs->expected_client_finished()) \|\|
956	!tls13_derive_resumption_secret(hs) \|\|
957	!add_new_session_tickets(hs, out_sent_tickets: &unused_sent_tickets)) {
958	return ssl_hs_error;
959	}
960	}
961
962	hs->tls13_state = state13_read_second_client_flight;
963	return ssl_hs_flush;
964	}
965
966	static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
967	SSL *const ssl = hs->ssl;
968	if (ssl->s3->early_data_accepted) {
969	if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
970	hs->new_session.get(),
971	hs->early_traffic_secret())) {
972	return ssl_hs_error;
973	}
974	hs->can_early_write = true;
975	hs->can_early_read = true;
976	hs->in_early_data = true;
977	}
978
979	// QUIC doesn't use an EndOfEarlyData message (RFC 9001, section 8.3), so we
980	// switch to client_handshake_secret before the early return.
981	if (ssl->quic_method != nullptr) {
982	if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
983	hs->new_session.get(),
984	hs->client_handshake_secret())) {
985	return ssl_hs_error;
986	}
987	hs->tls13_state = state13_process_end_of_early_data;
988	return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;
989	}
990
991	hs->tls13_state = state13_process_end_of_early_data;
992	return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
993	: ssl_hs_ok;
994	}
995
996	static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
997	SSL *const ssl = hs->ssl;
998	// In protocols that use EndOfEarlyData, we must consume the extra message and
999	// switch to client_handshake_secret after the early return.
1000	if (ssl->quic_method == nullptr) {
1001	// If early data was not accepted, the EndOfEarlyData will be in the
1002	// discarded early data.
1003	if (hs->ssl->s3->early_data_accepted) {
1004	SSLMessage msg;
1005	if (!ssl->method->get_message(ssl, &msg)) {
1006	return ssl_hs_read_message;
1007	}
1008	if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
1009	return ssl_hs_error;
1010	}
1011	if (CBS_len(cbs: &msg.body) != `0`) {
1012	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1013	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1014	return ssl_hs_error;
1015	}
1016	ssl->method->next_message(ssl);
1017	}
1018	if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
1019	hs->new_session.get(),
1020	hs->client_handshake_secret())) {
1021	return ssl_hs_error;
1022	}
1023	}
1024	hs->tls13_state = state13_read_client_encrypted_extensions;
1025	return ssl_hs_ok;
1026	}
1027
1028	static enum ssl_hs_wait_t do_read_client_encrypted_extensions(
1029	SSL_HANDSHAKE *hs) {
1030	SSL *const ssl = hs->ssl;
1031	// For now, only one extension uses client EncryptedExtensions. This function
1032	// may be generalized if others use it in the future.
1033	if (hs->new_session->has_application_settings &&
1034	!ssl->s3->early_data_accepted) {
1035	SSLMessage msg;
1036	if (!ssl->method->get_message(ssl, &msg)) {
1037	return ssl_hs_read_message;
1038	}
1039	if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
1040	return ssl_hs_error;
1041	}
1042
1043	CBS body = msg.body, extensions;
1044	if (!CBS_get_u16_length_prefixed(cbs: &body, out: &extensions) \|\|
1045	CBS_len(cbs: &body) != `0`) {
1046	OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1047	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1048	return ssl_hs_error;
1049	}
1050
1051	SSLExtension application_settings(TLSEXT_TYPE_application_settings);
1052	uint8_t alert = SSL_AD_DECODE_ERROR;
1053	if (!ssl_parse_extensions(&extensions, &alert, {&application_settings},
1054	/ignore_unknown=/false)) {
1055	ssl_send_alert(ssl, SSL3_AL_FATAL, desc: alert);
1056	return ssl_hs_error;
1057	}
1058
1059	if (!application_settings.present) {
1060	OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
1061	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
1062	return ssl_hs_error;
1063	}
1064
1065	// Note that, if 0-RTT was accepted, these values will already have been
1066	// initialized earlier.
1067	if (!hs->new_session->peer_application_settings.CopyFrom(
1068	application_settings.data) \|\|
1069	!ssl_hash_message(hs, msg)) {
1070	ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1071	return ssl_hs_error;
1072	}
1073
1074	ssl->method->next_message(ssl);
1075	}
1076
1077	hs->tls13_state = state13_read_client_certificate;
1078	return ssl_hs_ok;
1079	}
1080
1081	static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
1082	SSL *const ssl = hs->ssl;
1083	if (!hs->cert_request) {
1084	if (!ssl->s3->session_reused) {
1085	// OpenSSL returns X509_V_OK when no certificates are requested. This is
1086	// classed by them as a bug, but it's assumed by at least NGINX. (Only do
1087	// this in full handshakes as resumptions should carry over the previous
1088	// \|verify_result\|, though this is a no-op because servers do not
1089	// implement the client's odd soft-fail mode.)
1090	hs->new_session->verify_result = X509_V_OK;
1091	}
1092
1093	// Skip this state.
1094	hs->tls13_state = state13_read_channel_id;
1095	return ssl_hs_ok;
1096	}
1097
1098	const bool allow_anonymous =
1099	(hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == `0`;
1100	SSLMessage msg;
1101	if (!ssl->method->get_message(ssl, &msg)) {
1102	return ssl_hs_read_message;
1103	}
1104	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) \|\|
1105	!tls13_process_certificate(hs, msg, allow_anonymous) \|\|
1106	!ssl_hash_message(hs, msg)) {
1107	return ssl_hs_error;
1108	}
1109
1110	ssl->method->next_message(ssl);
1111	hs->tls13_state = state13_read_client_certificate_verify;
1112	return ssl_hs_ok;
1113	}
1114
1115	static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
1116	SSL *const ssl = hs->ssl;
1117	if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == `0`) {
1118	// Skip this state.
1119	hs->tls13_state = state13_read_channel_id;
1120	return ssl_hs_ok;
1121	}
1122
1123	SSLMessage msg;
1124	if (!ssl->method->get_message(ssl, &msg)) {
1125	return ssl_hs_read_message;
1126	}
1127
1128	switch (ssl_verify_peer_cert(hs)) {
1129	case ssl_verify_ok:
1130	break;
1131	case ssl_verify_invalid:
1132	return ssl_hs_error;
1133	case ssl_verify_retry:
1134	hs->tls13_state = state13_read_client_certificate_verify;
1135	return ssl_hs_certificate_verify;
1136	}
1137
1138	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) \|\|
1139	!tls13_process_certificate_verify(hs, msg) \|\|
1140	!ssl_hash_message(hs, msg)) {
1141	return ssl_hs_error;
1142	}
1143
1144	ssl->method->next_message(ssl);
1145	hs->tls13_state = state13_read_channel_id;
1146	return ssl_hs_ok;
1147	}
1148
1149	static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
1150	SSL *const ssl = hs->ssl;
1151	if (!hs->channel_id_negotiated) {
1152	hs->tls13_state = state13_read_client_finished;
1153	return ssl_hs_ok;
1154	}
1155
1156	SSLMessage msg;
1157	if (!ssl->method->get_message(ssl, &msg)) {
1158	return ssl_hs_read_message;
1159	}
1160	if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) \|\|
1161	!tls1_verify_channel_id(hs, msg) \|\|
1162	!ssl_hash_message(hs, msg)) {
1163	return ssl_hs_error;
1164	}
1165
1166	ssl->method->next_message(ssl);
1167	hs->tls13_state = state13_read_client_finished;
1168	return ssl_hs_ok;
1169	}
1170
1171	static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
1172	SSL *const ssl = hs->ssl;
1173	SSLMessage msg;
1174	if (!ssl->method->get_message(ssl, &msg)) {
1175	return ssl_hs_read_message;
1176	}
1177	if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) \|\|
1178	// If early data was accepted, we've already computed the client Finished
1179	// and derived the resumption secret.
1180	!tls13_process_finished(hs, msg, use_saved_value: ssl->s3->early_data_accepted) \|\|
1181	// evp_aead_seal keys have already been switched.
1182	!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
1183	hs->new_session.get(),
1184	hs->client_traffic_secret_0())) {
1185	return ssl_hs_error;
1186	}
1187
1188	if (!ssl->s3->early_data_accepted) {
1189	if (!ssl_hash_message(hs, msg) \|\|
1190	!tls13_derive_resumption_secret(hs)) {
1191	return ssl_hs_error;
1192	}
1193
1194	// We send post-handshake tickets as part of the handshake in 1-RTT.
1195	hs->tls13_state = state13_send_new_session_ticket;
1196	} else {
1197	// We already sent half-RTT tickets.
1198	hs->tls13_state = state13_done;
1199	}
1200
1201	ssl->method->next_message(ssl);
1202	return ssl_hs_ok;
1203	}
1204
1205	static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
1206	bool sent_tickets;
1207	if (!add_new_session_tickets(hs, out_sent_tickets: &sent_tickets)) {
1208	return ssl_hs_error;
1209	}
1210
1211	hs->tls13_state = state13_done;
1212	// In TLS 1.3, the NewSessionTicket isn't flushed until the server performs a
1213	// write, to prevent a non-reading client from causing the server to hang in
1214	// the case of a small server write buffer. Consumers which don't write data
1215	// to the client will need to do a zero-byte write if they wish to flush the
1216	// tickets.
1217	if (hs->ssl->quic_method != nullptr && sent_tickets) {
1218	return ssl_hs_flush;
1219	}
1220	return ssl_hs_ok;
1221	}
1222
1223	enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
1224	while (hs->tls13_state != state13_done) {
1225	enum ssl_hs_wait_t ret = ssl_hs_error;
1226	enum tls13_server_hs_state_t state =
1227	static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
1228	switch (state) {
1229	case state13_select_parameters:
1230	ret = do_select_parameters(hs);
1231	break;
1232	case state13_select_session:
1233	ret = do_select_session(hs);
1234	break;
1235	case state13_send_hello_retry_request:
1236	ret = do_send_hello_retry_request(hs);
1237	break;
1238	case state13_read_second_client_hello:
1239	ret = do_read_second_client_hello(hs);
1240	break;
1241	case state13_send_server_hello:
1242	ret = do_send_server_hello(hs);
1243	break;
1244	case state13_send_server_certificate_verify:
1245	ret = do_send_server_certificate_verify(hs);
1246	break;
1247	case state13_send_server_finished:
1248	ret = do_send_server_finished(hs);
1249	break;
1250	case state13_send_half_rtt_ticket:
1251	ret = do_send_half_rtt_ticket(hs);
1252	break;
1253	case state13_read_second_client_flight:
1254	ret = do_read_second_client_flight(hs);
1255	break;
1256	case state13_process_end_of_early_data:
1257	ret = do_process_end_of_early_data(hs);
1258	break;
1259	case state13_read_client_encrypted_extensions:
1260	ret = do_read_client_encrypted_extensions(hs);
1261	break;
1262	case state13_read_client_certificate:
1263	ret = do_read_client_certificate(hs);
1264	break;
1265	case state13_read_client_certificate_verify:
1266	ret = do_read_client_certificate_verify(hs);
1267	break;
1268	case state13_read_channel_id:
1269	ret = do_read_channel_id(hs);
1270	break;
1271	case state13_read_client_finished:
1272	ret = do_read_client_finished(hs);
1273	break;
1274	case state13_send_new_session_ticket:
1275	ret = do_send_new_session_ticket(hs);
1276	break;
1277	case state13_done:
1278	ret = ssl_hs_ok;
1279	break;
1280	}
1281
1282	if (hs->tls13_state != state) {
1283	ssl_do_info_callback(ssl: hs->ssl, SSL_CB_ACCEPT_LOOP, value: `1`);
1284	}
1285
1286	if (ret != ssl_hs_ok) {
1287	return ret;
1288	}
1289	}
1290
1291	return ssl_hs_ok;
1292	}
1293
1294	const char tls13_server_handshake_state(SSL_HANDSHAKE hs) {
1295	enum tls13_server_hs_state_t state =
1296	static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
1297	switch (state) {
1298	case state13_select_parameters:
1299	return "TLS 1.3 server select_parameters";
1300	case state13_select_session:
1301	return "TLS 1.3 server select_session";
1302	case state13_send_hello_retry_request:
1303	return "TLS 1.3 server send_hello_retry_request";
1304	case state13_read_second_client_hello:
1305	return "TLS 1.3 server read_second_client_hello";
1306	case state13_send_server_hello:
1307	return "TLS 1.3 server send_server_hello";
1308	case state13_send_server_certificate_verify:
1309	return "TLS 1.3 server send_server_certificate_verify";
1310	case state13_send_half_rtt_ticket:
1311	return "TLS 1.3 server send_half_rtt_ticket";
1312	case state13_send_server_finished:
1313	return "TLS 1.3 server send_server_finished";
1314	case state13_read_second_client_flight:
1315	return "TLS 1.3 server read_second_client_flight";
1316	case state13_process_end_of_early_data:
1317	return "TLS 1.3 server process_end_of_early_data";
1318	case state13_read_client_encrypted_extensions:
1319	return "TLS 1.3 server read_client_encrypted_extensions";
1320	case state13_read_client_certificate:
1321	return "TLS 1.3 server read_client_certificate";
1322	case state13_read_client_certificate_verify:
1323	return "TLS 1.3 server read_client_certificate_verify";
1324	case state13_read_channel_id:
1325	return "TLS 1.3 server read_channel_id";
1326	case state13_read_client_finished:
1327	return "TLS 1.3 server read_client_finished";
1328	case state13_send_new_session_ticket:
1329	return "TLS 1.3 server send_new_session_ticket";
1330	case state13_done:
1331	return "TLS 1.3 server done";
1332	}
1333
1334	return "TLS 1.3 server unknown";
1335	}
1336
1337	BSSL_NAMESPACE_END
1338

source code of dart_sdk/third_party/boringssl/src/ssl/tls13_server.cc