tls13_server.cc
Go to the documentation of this file.
1 /* Copyright (c) 2016, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #include <openssl/ssl.h>
16 
17 #include <assert.h>
18 #include <string.h>
19 
20 #include <tuple>
21 
22 #include <openssl/aead.h>
23 #include <openssl/bytestring.h>
24 #include <openssl/digest.h>
25 #include <openssl/err.h>
26 #include <openssl/hpke.h>
27 #include <openssl/mem.h>
28 #include <openssl/rand.h>
29 #include <openssl/stack.h>
30 
31 #include "../crypto/internal.h"
32 #include "internal.h"
33 
34 
35 BSSL_NAMESPACE_BEGIN
36 
37 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
38 
39 // Allow a minute of ticket age skew in either direction. This covers
40 // transmission delays in ClientHello and NewSessionTicket, as well as
41 // drift between client and server clock rate since the ticket was issued.
42 // See RFC 8446, section 8.3.
43 static const int32_t kMaxTicketAgeSkewSeconds = 60;
44 
45 static bool resolve_ecdhe_secret(SSL_HANDSHAKE *hs,
46  const SSL_CLIENT_HELLO *client_hello) {
47  SSL *const ssl = hs->ssl;
48  const uint16_t group_id = hs->new_session->group_id;
49 
50  bool found_key_share;
51  Span<const uint8_t> peer_key;
52  uint8_t alert = SSL_AD_DECODE_ERROR;
53  if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &peer_key,
54  &alert, client_hello)) {
55  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
56  return false;
57  }
58 
59  if (!found_key_share) {
60  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
61  OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
62  return false;
63  }
64 
65  Array<uint8_t> secret;
66  SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
67  if (hints && !hs->hints_requested && hints->key_share_group_id == group_id &&
68  !hints->key_share_secret.empty()) {
69  // Copy DH secret from hints.
70  if (!hs->ecdh_public_key.CopyFrom(hints->key_share_public_key) ||
71  !secret.CopyFrom(hints->key_share_secret)) {
72  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
73  return false;
74  }
75  } else {
76  ScopedCBB public_key;
77  UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id);
78  if (!key_share || //
79  !CBB_init(public_key.get(), 32) ||
80  !key_share->Accept(public_key.get(), &secret, &alert, peer_key) ||
81  !CBBFinishArray(public_key.get(), &hs->ecdh_public_key)) {
82  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
83  return false;
84  }
85  if (hints && hs->hints_requested) {
86  hints->key_share_group_id = group_id;
87  if (!hints->key_share_public_key.CopyFrom(hs->ecdh_public_key) ||
88  !hints->key_share_secret.CopyFrom(secret)) {
89  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
90  return false;
91  }
92  }
93  }
94 
95  return tls13_advance_key_schedule(hs, secret);
96 }
97 
98 static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
99  CBB *out) {
100  CBB contents;
101  if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
102  !CBB_add_u16_length_prefixed(out, &contents) ||
103  !CBB_add_u16(&contents, hs->ssl->version) ||
104  !CBB_flush(out)) {
105  return 0;
106  }
107 
108  return 1;
109 }
110 
111 static const SSL_CIPHER *choose_tls13_cipher(
112  const SSL *ssl, const SSL_CLIENT_HELLO *client_hello, uint16_t group_id) {
113  CBS cipher_suites;
114  CBS_init(&cipher_suites, client_hello->cipher_suites,
115  client_hello->cipher_suites_len);
116 
117  const uint16_t version = ssl_protocol_version(ssl);
118 
119  return ssl_choose_tls13_cipher(cipher_suites, version, group_id);
120 }
121 
122 static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
123  SSL *const ssl = hs->ssl;
124  if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
125  // session ticket.
126  !hs->accept_psk_mode ||
127  // We only implement stateless resumption in TLS 1.3, so skip sending
128  // tickets if disabled.
129  (SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {
130  *out_sent_tickets = false;
131  return true;
132  }
133 
134  // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
135  // the client makes several connections before getting a renewal.
136  static const int kNumTickets = 2;
137 
138  // Rebase the session timestamp so that it is measured from ticket
139  // issuance.
140  ssl_session_rebase_time(ssl, hs->new_session.get());
141 
142  for (int i = 0; i < kNumTickets; i++) {
143  UniquePtr<SSL_SESSION> session(
144  SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
145  if (!session) {
146  return false;
147  }
148 
149  if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
150  return false;
151  }
152  session->ticket_age_add_valid = true;
153  bool enable_early_data =
154  ssl->enable_early_data &&
155  (!ssl->quic_method || !ssl->config->quic_early_data_context.empty());
156  if (enable_early_data) {
157  // QUIC does not use the max_early_data_size parameter and always sets it
158  // to a fixed value. See RFC 9001, section 4.6.1.
159  session->ticket_max_early_data =
160  ssl->quic_method != nullptr ? 0xffffffff : kMaxEarlyDataAccepted;
161  }
162 
163  static_assert(kNumTickets < 256, "Too many tickets");
164  uint8_t nonce[] = {static_cast<uint8_t>(i)};
165 
166  ScopedCBB cbb;
167  CBB body, nonce_cbb, ticket, extensions;
168  if (!ssl->method->init_message(ssl, cbb.get(), &body,
169  SSL3_MT_NEW_SESSION_TICKET) ||
170  !CBB_add_u32(&body, session->timeout) ||
171  !CBB_add_u32(&body, session->ticket_age_add) ||
172  !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||
173  !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||
174  !CBB_add_u16_length_prefixed(&body, &ticket) ||
175  !tls13_derive_session_psk(session.get(), nonce) ||
176  !ssl_encrypt_ticket(hs, &ticket, session.get()) ||
177  !CBB_add_u16_length_prefixed(&body, &extensions)) {
178  return false;
179  }
180 
181  if (enable_early_data) {
182  CBB early_data;
183  if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||
184  !CBB_add_u16_length_prefixed(&extensions, &early_data) ||
185  !CBB_add_u32(&early_data, session->ticket_max_early_data) ||
186  !CBB_flush(&extensions)) {
187  return false;
188  }
189  }
190 
191  // Add a fake extension. See RFC 8701.
192  if (!CBB_add_u16(&extensions,
193  ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||
194  !CBB_add_u16(&extensions, 0 /* empty */)) {
195  return false;
196  }
197 
198  if (!ssl_add_message_cbb(ssl, cbb.get())) {
199  return false;
200  }
201  }
202 
203  *out_sent_tickets = true;
204  return true;
205 }
206 
207 static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
208  // At this point, most ClientHello extensions have already been processed by
209  // the common handshake logic. Resolve the remaining non-PSK parameters.
210  SSL *const ssl = hs->ssl;
211  SSLMessage msg;
212  SSL_CLIENT_HELLO client_hello;
213  if (!hs->GetClientHello(&msg, &client_hello)) {
214  return ssl_hs_error;
215  }
216 
217  if (ssl->quic_method != nullptr && client_hello.session_id_len > 0) {
218  OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_COMPATIBILITY_MODE);
219  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
220  return ssl_hs_error;
221  }
222  OPENSSL_memcpy(hs->session_id, client_hello.session_id,
223  client_hello.session_id_len);
224  hs->session_id_len = client_hello.session_id_len;
225 
226  uint16_t group_id;
227  if (!tls1_get_shared_group(hs, &group_id)) {
228  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
229  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
230  return ssl_hs_error;
231  }
232 
233  // Negotiate the cipher suite.
234  hs->new_cipher = choose_tls13_cipher(ssl, &client_hello, group_id);
235  if (hs->new_cipher == NULL) {
236  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
237  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
238  return ssl_hs_error;
239  }
240 
241  // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
242  // deferred. Complete it now.
243  uint8_t alert = SSL_AD_DECODE_ERROR;
244  if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
245  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
246  return ssl_hs_error;
247  }
248 
249  // The PRF hash is now known.
250  if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
251  return ssl_hs_error;
252  }
253 
254  hs->tls13_state = state13_select_session;
255  return ssl_hs_ok;
256 }
257 
258 static enum ssl_ticket_aead_result_t select_session(
259  SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,
260  int32_t *out_ticket_age_skew, bool *out_offered_ticket,
261  const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) {
262  SSL *const ssl = hs->ssl;
263  *out_session = nullptr;
264 
265  CBS pre_shared_key;
266  *out_offered_ticket = ssl_client_hello_get_extension(
267  client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key);
268  if (!*out_offered_ticket) {
269  return ssl_ticket_aead_ignore_ticket;
270  }
271 
272  // Per RFC 8446, section 4.2.9, servers MUST abort the handshake if the client
273  // sends pre_shared_key without psk_key_exchange_modes.
274  CBS unused;
275  if (!ssl_client_hello_get_extension(client_hello, &unused,
276  TLSEXT_TYPE_psk_key_exchange_modes)) {
277  *out_alert = SSL_AD_MISSING_EXTENSION;
278  OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
279  return ssl_ticket_aead_error;
280  }
281 
282  CBS ticket, binders;
283  uint32_t client_ticket_age;
284  if (!ssl_ext_pre_shared_key_parse_clienthello(
285  hs, &ticket, &binders, &client_ticket_age, out_alert, client_hello,
286  &pre_shared_key)) {
287  return ssl_ticket_aead_error;
288  }
289 
290  // If the peer did not offer psk_dhe, ignore the resumption.
291  if (!hs->accept_psk_mode) {
292  return ssl_ticket_aead_ignore_ticket;
293  }
294 
295  // TLS 1.3 session tickets are renewed separately as part of the
296  // NewSessionTicket.
297  bool unused_renew;
298  UniquePtr<SSL_SESSION> session;
299  enum ssl_ticket_aead_result_t ret =
300  ssl_process_ticket(hs, &session, &unused_renew, ticket, {});
301  switch (ret) {
302  case ssl_ticket_aead_success:
303  break;
304  case ssl_ticket_aead_error:
305  *out_alert = SSL_AD_INTERNAL_ERROR;
306  return ret;
307  default:
308  return ret;
309  }
310 
311  if (!ssl_session_is_resumable(hs, session.get()) ||
312  // Historically, some TLS 1.3 tickets were missing ticket_age_add.
313  !session->ticket_age_add_valid) {
314  return ssl_ticket_aead_ignore_ticket;
315  }
316 
317  // Recover the client ticket age and convert to seconds.
318  client_ticket_age -= session->ticket_age_add;
319  client_ticket_age /= 1000;
320 
321  struct OPENSSL_timeval now;
322  ssl_get_current_time(ssl, &now);
323 
324  // Compute the server ticket age in seconds.
325  assert(now.tv_sec >= session->time);
326  uint64_t server_ticket_age = now.tv_sec - session->time;
327 
328  // To avoid overflowing |hs->ticket_age_skew|, we will not resume
329  // 68-year-old sessions.
330  if (server_ticket_age > INT32_MAX) {
331  return ssl_ticket_aead_ignore_ticket;
332  }
333 
334  *out_ticket_age_skew = static_cast<int32_t>(client_ticket_age) -
335  static_cast<int32_t>(server_ticket_age);
336 
337  // Check the PSK binder.
338  if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
339  *out_alert = SSL_AD_DECRYPT_ERROR;
340  return ssl_ticket_aead_error;
341  }
342 
343  *out_session = std::move(session);
344  return ssl_ticket_aead_success;
345 }
346 
347 static bool quic_ticket_compatible(const SSL_SESSION *session,
348  const SSL_CONFIG *config) {
349  if (!session->is_quic) {
350  return true;
351  }
352 
353  if (session->quic_early_data_context.empty() ||
354  config->quic_early_data_context.size() !=
355  session->quic_early_data_context.size() ||
356  CRYPTO_memcmp(config->quic_early_data_context.data(),
357  session->quic_early_data_context.data(),
358  session->quic_early_data_context.size()) != 0) {
359  return false;
360  }
361  return true;
362 }
363 
364 static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
365  SSL *const ssl = hs->ssl;
366  SSLMessage msg;
367  SSL_CLIENT_HELLO client_hello;
368  if (!hs->GetClientHello(&msg, &client_hello)) {
369  return ssl_hs_error;
370  }
371 
372  uint8_t alert = SSL_AD_DECODE_ERROR;
373  UniquePtr<SSL_SESSION> session;
374  bool offered_ticket = false;
375  switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,
376  &offered_ticket, msg, &client_hello)) {
377  case ssl_ticket_aead_ignore_ticket:
378  assert(!session);
379  if (!ssl_get_new_session(hs)) {
380  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
381  return ssl_hs_error;
382  }
383  break;
384 
385  case ssl_ticket_aead_success:
386  // Carry over authentication information from the previous handshake into
387  // a fresh session.
388  hs->new_session =
389  SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
390  if (hs->new_session == nullptr) {
391  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
392  return ssl_hs_error;
393  }
394 
395  ssl->s3->session_reused = true;
396  hs->can_release_private_key = true;
397 
398  // Resumption incorporates fresh key material, so refresh the timeout.
399  ssl_session_renew_timeout(ssl, hs->new_session.get(),
400  ssl->session_ctx->session_psk_dhe_timeout);
401  break;
402 
403  case ssl_ticket_aead_error:
404  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
405  return ssl_hs_error;
406 
407  case ssl_ticket_aead_retry:
408  hs->tls13_state = state13_select_session;
409  return ssl_hs_pending_ticket;
410  }
411 
412  // Negotiate ALPS now, after ALPN is negotiated and |hs->new_session| is
413  // initialized.
414  if (!ssl_negotiate_alps(hs, &alert, &client_hello)) {
415  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
416  return ssl_hs_error;
417  }
418 
419  // Record connection properties in the new session.
420  hs->new_session->cipher = hs->new_cipher;
421  if (!tls1_get_shared_group(hs, &hs->new_session->group_id)) {
422  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
423  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
424  return ssl_hs_error;
425  }
426 
427  // Determine if we need HelloRetryRequest.
428  bool found_key_share;
429  if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share,
430  /*out_key_share=*/nullptr, &alert,
431  &client_hello)) {
432  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
433  return ssl_hs_error;
434  }
435 
436  // Determine if we're negotiating 0-RTT.
437  if (!ssl->enable_early_data) {
438  ssl->s3->early_data_reason = ssl_early_data_disabled;
439  } else if (!offered_ticket) {
440  ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
441  } else if (!session) {
442  ssl->s3->early_data_reason = ssl_early_data_session_not_resumed;
443  } else if (session->ticket_max_early_data == 0) {
444  ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
445  } else if (!hs->early_data_offered) {
446  ssl->s3->early_data_reason = ssl_early_data_peer_declined;
447  } else if (hs->channel_id_negotiated) {
448  // Channel ID is incompatible with 0-RTT.
449  ssl->s3->early_data_reason = ssl_early_data_channel_id;
450  } else if (MakeConstSpan(ssl->s3->alpn_selected) != session->early_alpn) {
451  // The negotiated ALPN must match the one in the ticket.
452  ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
453  } else if (hs->new_session->has_application_settings !=
454  session->has_application_settings ||
455  MakeConstSpan(hs->new_session->local_application_settings) !=
456  session->local_application_settings) {
457  ssl->s3->early_data_reason = ssl_early_data_alps_mismatch;
458  } else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds ||
459  kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {
460  ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;
461  } else if (!quic_ticket_compatible(session.get(), hs->config)) {
462  ssl->s3->early_data_reason = ssl_early_data_quic_parameter_mismatch;
463  } else if (!found_key_share) {
464  ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
465  } else {
466  // |ssl_session_is_resumable| forbids cross-cipher resumptions even if the
467  // PRF hashes match.
468  assert(hs->new_cipher == session->cipher);
469 
470  ssl->s3->early_data_reason = ssl_early_data_accepted;
471  ssl->s3->early_data_accepted = true;
472  }
473 
474  // Store the ALPN and ALPS values in the session for 0-RTT. Note the peer
475  // applications settings are not generally known until client
476  // EncryptedExtensions.
477  if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
478  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
479  return ssl_hs_error;
480  }
481 
482  // The peer applications settings are usually received later, in
483  // EncryptedExtensions. But, in 0-RTT handshakes, we carry over the
484  // values from |session|. Do this now, before |session| is discarded.
485  if (ssl->s3->early_data_accepted &&
486  hs->new_session->has_application_settings &&
487  !hs->new_session->peer_application_settings.CopyFrom(
488  session->peer_application_settings)) {
489  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
490  return ssl_hs_error;
491  }
492 
493  // Copy the QUIC early data context to the session.
494  if (ssl->enable_early_data && ssl->quic_method) {
495  if (!hs->new_session->quic_early_data_context.CopyFrom(
496  hs->config->quic_early_data_context)) {
497  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
498  return ssl_hs_error;
499  }
500  }
501 
502  if (ssl->ctx->dos_protection_cb != NULL &&
503  ssl->ctx->dos_protection_cb(&client_hello) == 0) {
504  // Connection rejected for DOS reasons.
505  OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
506  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
507  return ssl_hs_error;
508  }
509 
510  size_t hash_len = EVP_MD_size(
511  ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
512 
513  // Set up the key schedule and incorporate the PSK into the running secret.
514  if (!tls13_init_key_schedule(
515  hs, ssl->s3->session_reused
516  ? MakeConstSpan(hs->new_session->secret,
517  hs->new_session->secret_length)
518  : MakeConstSpan(kZeroes, hash_len)) ||
519  !ssl_hash_message(hs, msg)) {
520  return ssl_hs_error;
521  }
522 
523  if (ssl->s3->early_data_accepted) {
524  if (!tls13_derive_early_secret(hs)) {
525  return ssl_hs_error;
526  }
527  } else if (hs->early_data_offered) {
528  ssl->s3->skip_early_data = true;
529  }
530 
531  if (!found_key_share) {
532  ssl->method->next_message(ssl);
533  if (!hs->transcript.UpdateForHelloRetryRequest()) {
534  return ssl_hs_error;
535  }
536  hs->tls13_state = state13_send_hello_retry_request;
537  return ssl_hs_ok;
538  }
539 
540  if (!resolve_ecdhe_secret(hs, &client_hello)) {
541  return ssl_hs_error;
542  }
543 
544  ssl->method->next_message(ssl);
545  hs->ech_client_hello_buf.Reset();
546  hs->tls13_state = state13_send_server_hello;
547  return ssl_hs_ok;
548 }
549 
550 static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
551  SSL *const ssl = hs->ssl;
552  if (hs->hints_requested) {
553  return ssl_hs_hints_ready;
554  }
555 
556  ScopedCBB cbb;
557  CBB body, session_id, extensions;
558  uint16_t group_id;
559  if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
560  !CBB_add_u16(&body, TLS1_2_VERSION) ||
561  !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||
562  !CBB_add_u8_length_prefixed(&body, &session_id) ||
563  !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
564  !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
565  !CBB_add_u8(&body, 0 /* no compression */) ||
566  !tls1_get_shared_group(hs, &group_id) ||
567  !CBB_add_u16_length_prefixed(&body, &extensions) ||
568  !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) ||
569  !CBB_add_u16(&extensions, 2 /* length */) ||
570  !CBB_add_u16(&extensions, ssl->version) ||
571  !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
572  !CBB_add_u16(&extensions, 2 /* length */) ||
573  !CBB_add_u16(&extensions, group_id)) {
574  return ssl_hs_error;
575  }
576  if (hs->ech_is_inner) {
577  // Fill a placeholder for the ECH confirmation value.
578  if (!CBB_add_u16(&extensions, TLSEXT_TYPE_encrypted_client_hello) ||
579  !CBB_add_u16(&extensions, ECH_CONFIRMATION_SIGNAL_LEN) ||
580  !CBB_add_zeros(&extensions, ECH_CONFIRMATION_SIGNAL_LEN)) {
581  return ssl_hs_error;
582  }
583  }
584  Array<uint8_t> hrr;
585  if (!ssl->method->finish_message(ssl, cbb.get(), &hrr)) {
586  return ssl_hs_error;
587  }
588  if (hs->ech_is_inner) {
589  // Now that the message is encoded, fill in the whole value.
590  size_t offset = hrr.size() - ECH_CONFIRMATION_SIGNAL_LEN;
591  if (!ssl_ech_accept_confirmation(
592  hs, MakeSpan(hrr).last(ECH_CONFIRMATION_SIGNAL_LEN),
593  ssl->s3->client_random, hs->transcript, /*is_hrr=*/true, hrr,
594  offset)) {
595  return ssl_hs_error;
596  }
597  }
598 
599  if (!ssl->method->add_message(ssl, std::move(hrr)) ||
600  !ssl->method->add_change_cipher_spec(ssl)) {
601  return ssl_hs_error;
602  }
603 
604  ssl->s3->used_hello_retry_request = true;
605  hs->tls13_state = state13_read_second_client_hello;
606  return ssl_hs_flush;
607 }
608 
609 static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
610  SSL *const ssl = hs->ssl;
611  SSLMessage msg;
612  if (!ssl->method->get_message(ssl, &msg)) {
613  return ssl_hs_read_message;
614  }
615  if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
616  return ssl_hs_error;
617  }
618  SSL_CLIENT_HELLO client_hello;
619  if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {
620  OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
621  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
622  return ssl_hs_error;
623  }
624 
625  if (ssl->s3->ech_status == ssl_ech_accepted) {
626  // If we previously accepted the ClientHelloInner, the second ClientHello
627  // must contain an outer encrypted_client_hello extension.
628  CBS ech_body;
629  if (!ssl_client_hello_get_extension(&client_hello, &ech_body,
630  TLSEXT_TYPE_encrypted_client_hello)) {
631  OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
632  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
633  return ssl_hs_error;
634  }
635  uint16_t kdf_id, aead_id;
636  uint8_t type, config_id;
637  CBS enc, payload;
638  if (!CBS_get_u8(&ech_body, &type) || //
639  type != ECH_CLIENT_OUTER || //
640  !CBS_get_u16(&ech_body, &kdf_id) || //
641  !CBS_get_u16(&ech_body, &aead_id) ||
642  !CBS_get_u8(&ech_body, &config_id) ||
643  !CBS_get_u16_length_prefixed(&ech_body, &enc) ||
644  !CBS_get_u16_length_prefixed(&ech_body, &payload) ||
645  CBS_len(&ech_body) != 0) {
646  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
647  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
648  return ssl_hs_error;
649  }
650 
651  if (kdf_id != EVP_HPKE_KDF_id(EVP_HPKE_CTX_kdf(hs->ech_hpke_ctx.get())) ||
652  aead_id !=
653  EVP_HPKE_AEAD_id(EVP_HPKE_CTX_aead(hs->ech_hpke_ctx.get())) ||
654  config_id != hs->ech_config_id || CBS_len(&enc) > 0) {
655  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
656  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
657  return ssl_hs_error;
658  }
659 
660  // Decrypt the payload with the HPKE context from the first ClientHello.
661  Array<uint8_t> encoded_client_hello_inner;
662  bool unused;
663  if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
664  &encoded_client_hello_inner, &unused,
665  &client_hello, payload)) {
666  // Decryption failure is fatal in the second ClientHello.
667  OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
668  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
669  return ssl_hs_error;
670  }
671 
672  // Recover the ClientHelloInner from the EncodedClientHelloInner.
673  uint8_t alert = SSL_AD_DECODE_ERROR;
674  bssl::Array<uint8_t> client_hello_inner;
675  if (!ssl_decode_client_hello_inner(ssl, &alert, &client_hello_inner,
676  encoded_client_hello_inner,
677  &client_hello)) {
678  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
679  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
680  return ssl_hs_error;
681  }
682  hs->ech_client_hello_buf = std::move(client_hello_inner);
683 
684  // Reparse |client_hello| from the buffer owned by |hs|.
685  if (!hs->GetClientHello(&msg, &client_hello)) {
686  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
687  return ssl_hs_error;
688  }
689  }
690 
691  // We perform all our negotiation based on the first ClientHello (for
692  // consistency with what |select_certificate_cb| observed), which is in the
693  // transcript, so we can ignore most of this second one.
694  //
695  // We do, however, check the second PSK binder. This covers the client key
696  // share, in case we ever send half-RTT data (we currently do not). It is also
697  // a tricky computation, so we enforce the peer handled it correctly.
698  if (ssl->s3->session_reused) {
699  CBS pre_shared_key;
700  if (!ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
701  TLSEXT_TYPE_pre_shared_key)) {
702  OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_CLIENT_HELLO);
703  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
704  return ssl_hs_error;
705  }
706 
707  CBS ticket, binders;
708  uint32_t client_ticket_age;
709  uint8_t alert = SSL_AD_DECODE_ERROR;
710  if (!ssl_ext_pre_shared_key_parse_clienthello(
711  hs, &ticket, &binders, &client_ticket_age, &alert, &client_hello,
712  &pre_shared_key)) {
713  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
714  return ssl_hs_error;
715  }
716 
717  // Note it is important that we do not obtain a new |SSL_SESSION| from
718  // |ticket|. We have already selected parameters based on the first
719  // ClientHello (in the transcript) and must not switch partway through.
720  if (!tls13_verify_psk_binder(hs, hs->new_session.get(), msg, &binders)) {
721  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
722  return ssl_hs_error;
723  }
724  }
725 
726  if (!resolve_ecdhe_secret(hs, &client_hello)) {
727  return ssl_hs_error;
728  }
729 
730  if (!ssl_hash_message(hs, msg)) {
731  return ssl_hs_error;
732  }
733 
734  // ClientHello should be the end of the flight.
735  if (ssl->method->has_unprocessed_handshake_data(ssl)) {
736  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
737  OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
738  return ssl_hs_error;
739  }
740 
741  ssl->method->next_message(ssl);
742  hs->ech_client_hello_buf.Reset();
743  hs->tls13_state = state13_send_server_hello;
744  return ssl_hs_ok;
745 }
746 
747 static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
748  SSL *const ssl = hs->ssl;
749 
750  Span<uint8_t> random(ssl->s3->server_random);
751 
752  SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
753  if (hints && !hs->hints_requested &&
754  hints->server_random.size() == random.size()) {
755  OPENSSL_memcpy(random.data(), hints->server_random.data(), random.size());
756  } else {
757  RAND_bytes(random.data(), random.size());
758  if (hints && hs->hints_requested &&
759  !hints->server_random.CopyFrom(random)) {
760  return ssl_hs_error;
761  }
762  }
763 
764  Array<uint8_t> server_hello;
765  ScopedCBB cbb;
766  CBB body, extensions, session_id;
767  if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
768  !CBB_add_u16(&body, TLS1_2_VERSION) ||
769  !CBB_add_bytes(&body, ssl->s3->server_random,
770  sizeof(ssl->s3->server_random)) ||
771  !CBB_add_u8_length_prefixed(&body, &session_id) ||
772  !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
773  !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
774  !CBB_add_u8(&body, 0) ||
775  !CBB_add_u16_length_prefixed(&body, &extensions) ||
776  !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
777  !ssl_ext_key_share_add_serverhello(hs, &extensions) ||
778  !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||
779  !ssl->method->finish_message(ssl, cbb.get(), &server_hello)) {
780  return ssl_hs_error;
781  }
782 
783  assert(ssl->s3->ech_status != ssl_ech_accepted || hs->ech_is_inner);
784  if (hs->ech_is_inner) {
785  // Fill in the ECH confirmation signal.
786  const size_t offset = ssl_ech_confirmation_signal_hello_offset(ssl);
787  Span<uint8_t> random_suffix = random.last(ECH_CONFIRMATION_SIGNAL_LEN);
788  if (!ssl_ech_accept_confirmation(hs, random_suffix, ssl->s3->client_random,
789  hs->transcript,
790  /*is_hrr=*/false, server_hello, offset)) {
791  return ssl_hs_error;
792  }
793 
794  // Update |server_hello|.
795  Span<uint8_t> server_hello_out =
796  MakeSpan(server_hello).subspan(offset, ECH_CONFIRMATION_SIGNAL_LEN);
797  OPENSSL_memcpy(server_hello_out.data(), random_suffix.data(),
798  ECH_CONFIRMATION_SIGNAL_LEN);
799  }
800 
801  if (!ssl->method->add_message(ssl, std::move(server_hello))) {
802  return ssl_hs_error;
803  }
804 
805  hs->ecdh_public_key.Reset(); // No longer needed.
806  if (!ssl->s3->used_hello_retry_request &&
807  !ssl->method->add_change_cipher_spec(ssl)) {
808  return ssl_hs_error;
809  }
810 
811  // Derive and enable the handshake traffic secrets.
812  if (!tls13_derive_handshake_secrets(hs) ||
813  !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
814  hs->new_session.get(),
815  hs->server_handshake_secret())) {
816  return ssl_hs_error;
817  }
818 
819  // Send EncryptedExtensions.
820  if (!ssl->method->init_message(ssl, cbb.get(), &body,
821  SSL3_MT_ENCRYPTED_EXTENSIONS) ||
822  !ssl_add_serverhello_tlsext(hs, &body) ||
823  !ssl_add_message_cbb(ssl, cbb.get())) {
824  return ssl_hs_error;
825  }
826 
827  if (!ssl->s3->session_reused) {
828  // Determine whether to request a client certificate.
829  hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
830  // Only request a certificate if Channel ID isn't negotiated.
831  if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
832  hs->channel_id_negotiated) {
833  hs->cert_request = false;
834  }
835  }
836 
837  // Send a CertificateRequest, if necessary.
838  if (hs->cert_request) {
839  CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;
840  if (!ssl->method->init_message(ssl, cbb.get(), &body,
841  SSL3_MT_CERTIFICATE_REQUEST) ||
842  !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||
843  !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) ||
844  !CBB_add_u16(&cert_request_extensions,
845  TLSEXT_TYPE_signature_algorithms) ||
846  !CBB_add_u16_length_prefixed(&cert_request_extensions,
847  &sigalg_contents) ||
848  !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
849  !tls12_add_verify_sigalgs(hs, &sigalgs_cbb)) {
850  return ssl_hs_error;
851  }
852 
853  if (ssl_has_client_CAs(hs->config)) {
854  CBB ca_contents;
855  if (!CBB_add_u16(&cert_request_extensions,
856  TLSEXT_TYPE_certificate_authorities) ||
857  !CBB_add_u16_length_prefixed(&cert_request_extensions,
858  &ca_contents) ||
859  !ssl_add_client_CA_list(hs, &ca_contents) ||
860  !CBB_flush(&cert_request_extensions)) {
861  return ssl_hs_error;
862  }
863  }
864 
865  if (!ssl_add_message_cbb(ssl, cbb.get())) {
866  return ssl_hs_error;
867  }
868  }
869 
870  // Send the server Certificate message, if necessary.
871  if (!ssl->s3->session_reused) {
872  if (!ssl_has_certificate(hs)) {
873  OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
874  return ssl_hs_error;
875  }
876 
877  if (!tls13_add_certificate(hs)) {
878  return ssl_hs_error;
879  }
880 
881  hs->tls13_state = state13_send_server_certificate_verify;
882  return ssl_hs_ok;
883  }
884 
885  hs->tls13_state = state13_send_server_finished;
886  return ssl_hs_ok;
887 }
888 
889 static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
890  switch (tls13_add_certificate_verify(hs)) {
891  case ssl_private_key_success:
892  hs->tls13_state = state13_send_server_finished;
893  return ssl_hs_ok;
894 
895  case ssl_private_key_retry:
896  hs->tls13_state = state13_send_server_certificate_verify;
897  return ssl_hs_private_key_operation;
898 
899  case ssl_private_key_failure:
900  return ssl_hs_error;
901  }
902 
903  assert(0);
904  return ssl_hs_error;
905 }
906 
907 static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
908  SSL *const ssl = hs->ssl;
909  if (hs->hints_requested) {
910  return ssl_hs_hints_ready;
911  }
912 
913  hs->can_release_private_key = true;
914  if (!tls13_add_finished(hs) ||
915  // Update the secret to the master secret and derive traffic keys.
916  !tls13_advance_key_schedule(
917  hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
918  !tls13_derive_application_secrets(hs) ||
919  !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
920  hs->new_session.get(),
921  hs->server_traffic_secret_0())) {
922  return ssl_hs_error;
923  }
924 
925  hs->tls13_state = state13_send_half_rtt_ticket;
926  return hs->handback ? ssl_hs_handback : ssl_hs_ok;
927 }
928 
929 static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) {
930  SSL *const ssl = hs->ssl;
931 
932  if (ssl->s3->early_data_accepted) {
933  // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
934  // the wire sooner and also avoids triggering a write on |SSL_read| when
935  // processing the client Finished. This requires computing the client
936  // Finished early. See RFC 8446, section 4.6.1.
937  static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
938  0, 0};
939  if (ssl->quic_method == nullptr &&
940  !hs->transcript.Update(kEndOfEarlyData)) {
941  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
942  return ssl_hs_error;
943  }
944 
945  size_t finished_len;
946  if (!tls13_finished_mac(hs, hs->expected_client_finished().data(),
947  &finished_len, false /* client */)) {
948  return ssl_hs_error;
949  }
950 
951  if (finished_len != hs->expected_client_finished().size()) {
952  OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
953  return ssl_hs_error;
954  }
955 
956  // Feed the predicted Finished into the transcript. This allows us to derive
957  // the resumption secret early and send half-RTT tickets.
958  //
959  // TODO(davidben): This will need to be updated for DTLS 1.3.
960  assert(!SSL_is_dtls(hs->ssl));
961  assert(hs->expected_client_finished().size() <= 0xff);
962  uint8_t header[4] = {
963  SSL3_MT_FINISHED, 0, 0,
964  static_cast<uint8_t>(hs->expected_client_finished().size())};
965  bool unused_sent_tickets;
966  if (!hs->transcript.Update(header) ||
967  !hs->transcript.Update(hs->expected_client_finished()) ||
968  !tls13_derive_resumption_secret(hs) ||
969  !add_new_session_tickets(hs, &unused_sent_tickets)) {
970  return ssl_hs_error;
971  }
972  }
973 
974  hs->tls13_state = state13_read_second_client_flight;
975  return ssl_hs_flush;
976 }
977 
978 static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
979  SSL *const ssl = hs->ssl;
980  if (ssl->s3->early_data_accepted) {
981  if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
982  hs->new_session.get(),
983  hs->early_traffic_secret())) {
984  return ssl_hs_error;
985  }
986  hs->can_early_write = true;
987  hs->can_early_read = true;
988  hs->in_early_data = true;
989  }
990 
991  // QUIC doesn't use an EndOfEarlyData message (RFC 9001, section 8.3), so we
992  // switch to client_handshake_secret before the early return.
993  if (ssl->quic_method != nullptr) {
994  if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
995  hs->new_session.get(),
996  hs->client_handshake_secret())) {
997  return ssl_hs_error;
998  }
999  hs->tls13_state = state13_process_end_of_early_data;
1000  return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;
1001  }
1002 
1003  hs->tls13_state = state13_process_end_of_early_data;
1004  return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
1005  : ssl_hs_ok;
1006 }
1007 
1008 static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
1009  SSL *const ssl = hs->ssl;
1010  // In protocols that use EndOfEarlyData, we must consume the extra message and
1011  // switch to client_handshake_secret after the early return.
1012  if (ssl->quic_method == nullptr) {
1013  // If early data was not accepted, the EndOfEarlyData will be in the
1014  // discarded early data.
1015  if (hs->ssl->s3->early_data_accepted) {
1016  SSLMessage msg;
1017  if (!ssl->method->get_message(ssl, &msg)) {
1018  return ssl_hs_read_message;
1019  }
1020  if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
1021  return ssl_hs_error;
1022  }
1023  if (CBS_len(&msg.body) != 0) {
1024  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1025  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1026  return ssl_hs_error;
1027  }
1028  ssl->method->next_message(ssl);
1029  }
1030  if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
1031  hs->new_session.get(),
1032  hs->client_handshake_secret())) {
1033  return ssl_hs_error;
1034  }
1035  }
1036  hs->tls13_state = state13_read_client_encrypted_extensions;
1037  return ssl_hs_ok;
1038 }
1039 
1040 static enum ssl_hs_wait_t do_read_client_encrypted_extensions(
1041  SSL_HANDSHAKE *hs) {
1042  SSL *const ssl = hs->ssl;
1043  // For now, only one extension uses client EncryptedExtensions. This function
1044  // may be generalized if others use it in the future.
1045  if (hs->new_session->has_application_settings &&
1046  !ssl->s3->early_data_accepted) {
1047  SSLMessage msg;
1048  if (!ssl->method->get_message(ssl, &msg)) {
1049  return ssl_hs_read_message;
1050  }
1051  if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
1052  return ssl_hs_error;
1053  }
1054 
1055  CBS body = msg.body, extensions;
1056  if (!CBS_get_u16_length_prefixed(&body, &extensions) ||
1057  CBS_len(&body) != 0) {
1058  OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1059  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1060  return ssl_hs_error;
1061  }
1062 
1063  SSLExtension application_settings(TLSEXT_TYPE_application_settings);
1064  uint8_t alert = SSL_AD_DECODE_ERROR;
1065  if (!ssl_parse_extensions(&extensions, &alert, {&application_settings},
1066  /*ignore_unknown=*/false)) {
1067  ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1068  return ssl_hs_error;
1069  }
1070 
1071  if (!application_settings.present) {
1072  OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION);
1073  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
1074  return ssl_hs_error;
1075  }
1076 
1077  // Note that, if 0-RTT was accepted, these values will already have been
1078  // initialized earlier.
1079  if (!hs->new_session->peer_application_settings.CopyFrom(
1080  application_settings.data) ||
1081  !ssl_hash_message(hs, msg)) {
1082  ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1083  return ssl_hs_error;
1084  }
1085 
1086  ssl->method->next_message(ssl);
1087  }
1088 
1089  hs->tls13_state = state13_read_client_certificate;
1090  return ssl_hs_ok;
1091 }
1092 
1093 static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
1094  SSL *const ssl = hs->ssl;
1095  if (!hs->cert_request) {
1096  if (!ssl->s3->session_reused) {
1097  // OpenSSL returns X509_V_OK when no certificates are requested. This is
1098  // classed by them as a bug, but it's assumed by at least NGINX. (Only do
1099  // this in full handshakes as resumptions should carry over the previous
1100  // |verify_result|, though this is a no-op because servers do not
1101  // implement the client's odd soft-fail mode.)
1102  hs->new_session->verify_result = X509_V_OK;
1103  }
1104 
1105  // Skip this state.
1106  hs->tls13_state = state13_read_channel_id;
1107  return ssl_hs_ok;
1108  }
1109 
1110  const bool allow_anonymous =
1111  (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
1112  SSLMessage msg;
1113  if (!ssl->method->get_message(ssl, &msg)) {
1114  return ssl_hs_read_message;
1115  }
1116  if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
1117  !tls13_process_certificate(hs, msg, allow_anonymous) ||
1118  !ssl_hash_message(hs, msg)) {
1119  return ssl_hs_error;
1120  }
1121 
1122  ssl->method->next_message(ssl);
1123  hs->tls13_state = state13_read_client_certificate_verify;
1124  return ssl_hs_ok;
1125 }
1126 
1127 static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
1128  SSL *const ssl = hs->ssl;
1129  if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
1130  // Skip this state.
1131  hs->tls13_state = state13_read_channel_id;
1132  return ssl_hs_ok;
1133  }
1134 
1135  SSLMessage msg;
1136  if (!ssl->method->get_message(ssl, &msg)) {
1137  return ssl_hs_read_message;
1138  }
1139 
1140  switch (ssl_verify_peer_cert(hs)) {
1141  case ssl_verify_ok:
1142  break;
1143  case ssl_verify_invalid:
1144  return ssl_hs_error;
1145  case ssl_verify_retry:
1146  hs->tls13_state = state13_read_client_certificate_verify;
1147  return ssl_hs_certificate_verify;
1148  }
1149 
1150  if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
1151  !tls13_process_certificate_verify(hs, msg) ||
1152  !ssl_hash_message(hs, msg)) {
1153  return ssl_hs_error;
1154  }
1155 
1156  ssl->method->next_message(ssl);
1157  hs->tls13_state = state13_read_channel_id;
1158  return ssl_hs_ok;
1159 }
1160 
1161 static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
1162  SSL *const ssl = hs->ssl;
1163  if (!hs->channel_id_negotiated) {
1164  hs->tls13_state = state13_read_client_finished;
1165  return ssl_hs_ok;
1166  }
1167 
1168  SSLMessage msg;
1169  if (!ssl->method->get_message(ssl, &msg)) {
1170  return ssl_hs_read_message;
1171  }
1172  if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
1173  !tls1_verify_channel_id(hs, msg) ||
1174  !ssl_hash_message(hs, msg)) {
1175  return ssl_hs_error;
1176  }
1177 
1178  ssl->method->next_message(ssl);
1179  hs->tls13_state = state13_read_client_finished;
1180  return ssl_hs_ok;
1181 }
1182 
1183 static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
1184  SSL *const ssl = hs->ssl;
1185  SSLMessage msg;
1186  if (!ssl->method->get_message(ssl, &msg)) {
1187  return ssl_hs_read_message;
1188  }
1189  if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
1190  // If early data was accepted, we've already computed the client Finished
1191  // and derived the resumption secret.
1192  !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||
1193  // evp_aead_seal keys have already been switched.
1194  !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
1195  hs->new_session.get(),
1196  hs->client_traffic_secret_0())) {
1197  return ssl_hs_error;
1198  }
1199 
1200  if (!ssl->s3->early_data_accepted) {
1201  if (!ssl_hash_message(hs, msg) ||
1202  !tls13_derive_resumption_secret(hs)) {
1203  return ssl_hs_error;
1204  }
1205 
1206  // We send post-handshake tickets as part of the handshake in 1-RTT.
1207  hs->tls13_state = state13_send_new_session_ticket;
1208  } else {
1209  // We already sent half-RTT tickets.
1210  hs->tls13_state = state13_done;
1211  }
1212 
1213  ssl->method->next_message(ssl);
1214  return ssl_hs_ok;
1215 }
1216 
1217 static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
1218  bool sent_tickets;
1219  if (!add_new_session_tickets(hs, &sent_tickets)) {
1220  return ssl_hs_error;
1221  }
1222 
1223  hs->tls13_state = state13_done;
1224  // In TLS 1.3, the NewSessionTicket isn't flushed until the server performs a
1225  // write, to prevent a non-reading client from causing the server to hang in
1226  // the case of a small server write buffer. Consumers which don't write data
1227  // to the client will need to do a zero-byte write if they wish to flush the
1228  // tickets.
1229  if (hs->ssl->quic_method != nullptr && sent_tickets) {
1230  return ssl_hs_flush;
1231  }
1232  return ssl_hs_ok;
1233 }
1234 
1235 enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
1236  while (hs->tls13_state != state13_done) {
1237  enum ssl_hs_wait_t ret = ssl_hs_error;
1238  enum tls13_server_hs_state_t state =
1239  static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
1240  switch (state) {
1241  case state13_select_parameters:
1242  ret = do_select_parameters(hs);
1243  break;
1244  case state13_select_session:
1245  ret = do_select_session(hs);
1246  break;
1247  case state13_send_hello_retry_request:
1248  ret = do_send_hello_retry_request(hs);
1249  break;
1250  case state13_read_second_client_hello:
1251  ret = do_read_second_client_hello(hs);
1252  break;
1253  case state13_send_server_hello:
1254  ret = do_send_server_hello(hs);
1255  break;
1256  case state13_send_server_certificate_verify:
1257  ret = do_send_server_certificate_verify(hs);
1258  break;
1259  case state13_send_server_finished:
1260  ret = do_send_server_finished(hs);
1261  break;
1262  case state13_send_half_rtt_ticket:
1263  ret = do_send_half_rtt_ticket(hs);
1264  break;
1265  case state13_read_second_client_flight:
1266  ret = do_read_second_client_flight(hs);
1267  break;
1268  case state13_process_end_of_early_data:
1269  ret = do_process_end_of_early_data(hs);
1270  break;
1271  case state13_read_client_encrypted_extensions:
1272  ret = do_read_client_encrypted_extensions(hs);
1273  break;
1274  case state13_read_client_certificate:
1275  ret = do_read_client_certificate(hs);
1276  break;
1277  case state13_read_client_certificate_verify:
1278  ret = do_read_client_certificate_verify(hs);
1279  break;
1280  case state13_read_channel_id:
1281  ret = do_read_channel_id(hs);
1282  break;
1283  case state13_read_client_finished:
1284  ret = do_read_client_finished(hs);
1285  break;
1286  case state13_send_new_session_ticket:
1287  ret = do_send_new_session_ticket(hs);
1288  break;
1289  case state13_done:
1290  ret = ssl_hs_ok;
1291  break;
1292  }
1293 
1294  if (hs->tls13_state != state) {
1295  ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
1296  }
1297 
1298  if (ret != ssl_hs_ok) {
1299  return ret;
1300  }
1301  }
1302 
1303  return ssl_hs_ok;
1304 }
1305 
1306 const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
1307  enum tls13_server_hs_state_t state =
1308  static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
1309  switch (state) {
1310  case state13_select_parameters:
1311  return "TLS 1.3 server select_parameters";
1312  case state13_select_session:
1313  return "TLS 1.3 server select_session";
1314  case state13_send_hello_retry_request:
1315  return "TLS 1.3 server send_hello_retry_request";
1316  case state13_read_second_client_hello:
1317  return "TLS 1.3 server read_second_client_hello";
1318  case state13_send_server_hello:
1319  return "TLS 1.3 server send_server_hello";
1320  case state13_send_server_certificate_verify:
1321  return "TLS 1.3 server send_server_certificate_verify";
1322  case state13_send_half_rtt_ticket:
1323  return "TLS 1.3 server send_half_rtt_ticket";
1324  case state13_send_server_finished:
1325  return "TLS 1.3 server send_server_finished";
1326  case state13_read_second_client_flight:
1327  return "TLS 1.3 server read_second_client_flight";
1328  case state13_process_end_of_early_data:
1329  return "TLS 1.3 server process_end_of_early_data";
1330  case state13_read_client_encrypted_extensions:
1331  return "TLS 1.3 server read_client_encrypted_extensions";
1332  case state13_read_client_certificate:
1333  return "TLS 1.3 server read_client_certificate";
1334  case state13_read_client_certificate_verify:
1335  return "TLS 1.3 server read_client_certificate_verify";
1336  case state13_read_channel_id:
1337  return "TLS 1.3 server read_channel_id";
1338  case state13_read_client_finished:
1339  return "TLS 1.3 server read_client_finished";
1340  case state13_send_new_session_ticket:
1341  return "TLS 1.3 server send_new_session_ticket";
1342  case state13_done:
1343  return "TLS 1.3 server done";
1344  }
1345 
1346  return "TLS 1.3 server unknown";
1347 }
1348 
1349 BSSL_NAMESPACE_END
tls13_add_finished
bool tls13_add_finished(SSL_HANDSHAKE *hs)
Definition: tls13_both.cc:642
ssl_send_alert
void ssl_send_alert(SSL *ssl, int level, int desc)
Definition: s3_pkt.cc:379
SSL_HANDSHAKE::hints_requested
bool hints_requested
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2026
tls13_server_handshake
enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1235
ssl_ext_key_share_add_serverhello
bool ssl_ext_key_share_add_serverhello(SSL_HANDSHAKE *hs, CBB *out)
Definition: extensions.cc:2437
ssl_st::enable_early_data
bool enable_early_data
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3784
ssl_early_callback_ctx::cipher_suites
const uint8_t * cipher_suites
Definition: ssl.h:4195
ssl_hs_hints_ready
@ ssl_hs_hints_ready
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1627
ssl_cipher_st
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:520
do_send_half_rtt_ticket
static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:929
do_select_parameters
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:207
ssl_has_certificate
bool ssl_has_certificate(const SSL_HANDSHAKE *hs)
Definition: ssl_cert.cc:340
SSL_AD_UNEXPECTED_MESSAGE
#define SSL_AD_UNEXPECTED_MESSAGE
Definition: ssl.h:3795
state13_send_server_hello
@ state13_send_server_hello
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1671
SSLTranscript::UpdateForHelloRetryRequest
bool UpdateForHelloRetryRequest()
Definition: ssl_transcript.cc:183
CBB_flush
#define CBB_flush
Definition: boringssl_prefix_symbols.h:1045
SSL3_MT_FINISHED
#define SSL3_MT_FINISHED
Definition: ssl3.h:310
state13_process_end_of_early_data
@ state13_process_end_of_early_data
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1676
ssl_early_data_ticket_age_skew
ssl_early_data_ticket_age_skew
Definition: ssl.h:3578
public_key
Definition: hrss.c:1881
CBB_init
#define CBB_init
Definition: boringssl_prefix_symbols.h:1047
gen_build_yaml.out
dictionary out
Definition: src/benchmark/gen_build_yaml.py:24
RAND_bytes
#define RAND_bytes
Definition: boringssl_prefix_symbols.h:2060
ssl_session_st::is_quic
bool is_quic
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3925
now
static double now(void)
Definition: test/core/fling/client.cc:130
CBS_get_u16
#define CBS_get_u16
Definition: boringssl_prefix_symbols.h:1073
tls13_derive_session_psk
bool tls13_derive_session_psk(SSL_SESSION *session, Span< const uint8_t > nonce)
Definition: tls13_enc.cc:374
Span::size
size_t size() const
Definition: boringssl-with-bazel/src/include/openssl/span.h:133
SSLTranscript::InitHash
bool InitHash(uint16_t version, const SSL_CIPHER *cipher)
Definition: ssl_transcript.cc:161
SSL_HANDSHAKE::hints
UniquePtr< SSL_HANDSHAKE_HINTS > hints
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1943
Span::last
Span last(size_t len)
Definition: boringssl-with-bazel/src/include/openssl/span.h:181
cbs_st
Definition: bytestring.h:39
SSL3_MT_SERVER_HELLO
#define SSL3_MT_SERVER_HELLO
Definition: ssl3.h:300
state13_done
@ state13_done
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1683
state13_send_server_finished
@ state13_send_server_finished
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1673
ssl_session_st::quic_early_data_context
bssl::Array< uint8_t > quic_early_data_context
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3933
SSL_HANDSHAKE::ech_client_hello_buf
Array< uint8_t > ech_client_hello_buf
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1845
SSL_R_MISSING_EXTENSION
#define SSL_R_MISSING_EXTENSION
Definition: ssl.h:5431
Array::data
const T * data() const
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:274
SSL_R_NO_SHARED_GROUP
#define SSL_R_NO_SHARED_GROUP
Definition: ssl.h:5533
SSL_HANDSHAKE::session_id_len
uint8_t session_id_len
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2059
ssl_verify_ok
ssl_verify_ok
Definition: ssl.h:2412
do_send_server_finished
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:907
do_read_channel_id
static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1161
uint16_t
unsigned short uint16_t
Definition: stdint-msvc2008.h:79
SSL_HANDSHAKE::ech_config_id
uint8_t ech_config_id
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2055
do_read_client_certificate
static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1093
SSL_HANDSHAKE::new_cipher
const SSL_CIPHER * new_cipher
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1933
ssl_early_data_no_session_offered
ssl_early_data_no_session_offered
Definition: ssl.h:3565
SSL_R_CLIENTHELLO_PARSE_FAILED
#define SSL_R_CLIENTHELLO_PARSE_FAILED
Definition: ssl.h:5399
ssl_hs_early_return
@ ssl_hs_early_return
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1622
SSL3_MT_CERTIFICATE_VERIFY
#define SSL3_MT_CERTIFICATE_VERIFY
Definition: ssl3.h:308
OPENSSL_PUT_ERROR
#define OPENSSL_PUT_ERROR(library, reason)
Definition: err.h:423
internal.h
ssl_private_key_failure
ssl_private_key_failure
Definition: ssl.h:1236
SSL_HANDSHAKE::early_traffic_secret
Span< uint8_t > early_traffic_secret()
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1779
string.h
TLSEXT_TYPE_early_data
#define TLSEXT_TYPE_early_data
Definition: tls1.h:231
CBB_add_u16_length_prefixed
#define CBB_add_u16_length_prefixed
Definition: boringssl_prefix_symbols.h:1028
CBB_add_u8
#define CBB_add_u8
Definition: boringssl_prefix_symbols.h:1036
ssl_st::config
bssl::UniquePtr< bssl::SSL_CONFIG > config
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3712
SSL_HANDSHAKE::ssl
SSL * ssl
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1726
state13_read_second_client_flight
@ state13_read_second_client_flight
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1675
hpke.h
SSL_AD_INTERNAL_ERROR
#define SSL_AD_INTERNAL_ERROR
Definition: ssl.h:3815
SSL_HANDSHAKE::server_handshake_secret
Span< uint8_t > server_handshake_secret()
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1785
SSL_R_EXCESS_HANDSHAKE_DATA
#define SSL_R_EXCESS_HANDSHAKE_DATA
Definition: ssl.h:5522
ssl_verify_retry
ssl_verify_retry
Definition: ssl.h:2414
ssl_early_data_alps_mismatch
ssl_early_data_alps_mismatch
Definition: ssl.h:3582
ssl_hs_ok
@ ssl_hs_ok
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1611
ECH_CONFIRMATION_SIGNAL_LEN
#define ECH_CONFIRMATION_SIGNAL_LEN
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1515
tls13_verify_psk_binder
bool tls13_verify_psk_binder(const SSL_HANDSHAKE *hs, const SSL_SESSION *session, const SSLMessage &msg, CBS *binders)
Definition: tls13_enc.cc:500
CBS_len
#define CBS_len
Definition: boringssl_prefix_symbols.h:1089
ssl_early_data_alpn_mismatch
ssl_early_data_alpn_mismatch
Definition: ssl.h:3573
ssl_early_data_disabled
ssl_early_data_disabled
Definition: ssl.h:3557
SSL_HANDSHAKE_HINTS::server_random
Array< uint8_t > server_random
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1701
SSL3_MT_CERTIFICATE
#define SSL3_MT_CERTIFICATE
Definition: ssl3.h:304
version
Definition: version.py:1
SSL3_MT_ENCRYPTED_EXTENSIONS
#define SSL3_MT_ENCRYPTED_EXTENSIONS
Definition: ssl3.h:303
state13_send_half_rtt_ticket
@ state13_send_half_rtt_ticket
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1674
ssl_ext_key_share_parse_clienthello
bool ssl_ext_key_share_parse_clienthello(SSL_HANDSHAKE *hs, bool *out_found, Span< const uint8_t > *out_peer_key, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello)
Definition: extensions.cc:2384
SSL_HANDSHAKE::accept_psk_mode
bool accept_psk_mode
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1962
cipher_suites
static const char * cipher_suites
Definition: ssl_utils.cc:78
SSL_AD_ILLEGAL_PARAMETER
#define SSL_AD_ILLEGAL_PARAMETER
Definition: ssl.h:3807
ssl_ech_accept_confirmation
bool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span< uint8_t > out, Span< const uint8_t > client_random, const SSLTranscript &transcript, bool is_hrr, Span< const uint8_t > msg, size_t offset)
Definition: tls13_enc.cc:540
ssl_negotiate_alpn
bool ssl_negotiate_alpn(SSL_HANDSHAKE *hs, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello)
Definition: extensions.cc:1538
ssl_ech_accepted
@ ssl_ech_accepted
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2614
SSL_HANDSHAKE::new_session
UniquePtr< SSL_SESSION > new_session
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1916
X509_V_OK
#define X509_V_OK
Definition: x509.h:1918
ssl_get_current_time
void ssl_get_current_time(const SSL *ssl, struct OPENSSL_timeval *out_clock)
Definition: ssl_lib.cc:354
SSL3_RANDOM_SIZE
#define SSL3_RANDOM_SIZE
Definition: ssl3.h:204
CBS_init
#define CBS_init
Definition: boringssl_prefix_symbols.h:1085
uint8_t
unsigned char uint8_t
Definition: stdint-msvc2008.h:78
tls13_add_certificate
bool tls13_add_certificate(SSL_HANDSHAKE *hs)
Definition: tls13_both.cc:399
SSL3_MT_CLIENT_HELLO
#define SSL3_MT_CLIENT_HELLO
Definition: ssl3.h:299
state13_read_second_client_hello
@ state13_read_second_client_hello
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1670
SSL_CB_ACCEPT_LOOP
#define SSL_CB_ACCEPT_LOOP
Definition: ssl.h:4287
Array::CopyFrom
bool CopyFrom(Span< const T > in)
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:338
ssl_st::quic_method
const SSL_QUIC_METHOD * quic_method
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3769
ssl_choose_tls13_cipher
const SSL_CIPHER * ssl_choose_tls13_cipher(CBS cipher_suites, uint16_t version, uint16_t group_id)
Definition: s3_both.cc:694
EVP_HPKE_CTX_aead
#define EVP_HPKE_CTX_aead
Definition: boringssl_prefix_symbols.h:1535
SSL_R_CONNECTION_REJECTED
#define SSL_R_CONNECTION_REJECTED
Definition: ssl.h:5401
state13_read_client_certificate
@ state13_read_client_certificate
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1678
SSLExtension
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2222
tls13_process_certificate
bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg, bool allow_anonymous)
Definition: tls13_both.cc:107
tls13_finished_mac
bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, bool is_server)
Definition: tls13_enc.cc:356
SSL3_MT_CHANNEL_ID
#define SSL3_MT_CHANNEL_ID
Definition: ssl3.h:316
choose_tls13_cipher
static const SSL_CIPHER * choose_tls13_cipher(const SSL *ssl, const SSL_CLIENT_HELLO *client_hello, uint16_t group_id)
Definition: tls13_server.cc:111
tls13_init_key_schedule
bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span< const uint8_t > psk)
Definition: tls13_enc.cc:61
ssl_early_data_peer_declined
ssl_early_data_peer_declined
Definition: ssl.h:3563
SSL_HANDSHAKE::ech_hpke_ctx
ScopedEVP_HPKE_CTX ech_hpke_ctx
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1884
SSL_HANDSHAKE::can_early_write
bool can_early_write
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2000
uint32_t
unsigned int uint32_t
Definition: stdint-msvc2008.h:80
SSL_HANDSHAKE_HINTS::key_share_group_id
uint16_t key_share_group_id
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1703
TLSEXT_TYPE_supported_versions
#define TLSEXT_TYPE_supported_versions
Definition: tls1.h:232
Array::empty
bool empty() const
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:277
state13_send_server_certificate_verify
@ state13_send_server_certificate_verify
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1672
bytestring.h
ssl_decode_client_hello_inner
bool ssl_decode_client_hello_inner(SSL *ssl, uint8_t *out_alert, Array< uint8_t > *out_client_hello_inner, Span< const uint8_t > encoded_client_hello_inner, const SSL_CLIENT_HELLO *client_hello_outer)
Definition: encrypted_client_hello.cc:125
do_read_client_finished
static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1183
SSL_HANDSHAKE::session_id
uint8_t session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2058
CBB_add_u16
#define CBB_add_u16
Definition: boringssl_prefix_symbols.h:1027
kHelloRetryRequest
const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE]
Definition: tls13_both.cc:40
SSL_HANDSHAKE
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1720
SSL_R_DECRYPTION_FAILED
#define SSL_R_DECRYPTION_FAILED
Definition: ssl.h:5406
absl::move
constexpr absl::remove_reference_t< T > && move(T &&t) noexcept
Definition: abseil-cpp/absl/utility/utility.h:221
Array< uint8_t >
ssl_hash_message
bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg)
Definition: handshake.cc:260
ssl_hs_read_end_of_early_data
@ ssl_hs_read_end_of_early_data
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1624
do_read_client_certificate_verify
static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1127
ssl_early_data_channel_id
ssl_early_data_channel_id
Definition: ssl.h:3575
Array::size
size_t size() const
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:276
SSL_HANDSHAKE::channel_id_negotiated
bool channel_id_negotiated
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2041
CBB_add_zeros
#define CBB_add_zeros
Definition: boringssl_prefix_symbols.h:1038
CBB_add_u8_length_prefixed
#define CBB_add_u8_length_prefixed
Definition: boringssl_prefix_symbols.h:1037
ssl_hs_certificate_verify
@ ssl_hs_certificate_verify
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1626
do_send_hello_retry_request
static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:550
ssl_st
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3698
SSLExtension::present
bool present
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2230
ssl_early_callback_ctx
Definition: ssl.h:4186
ssl_hs_wait_t
ssl_hs_wait_t
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1609
ssl_early_data_unsupported_for_session
ssl_early_data_unsupported_for_session
Definition: ssl.h:3569
state13_send_hello_retry_request
@ state13_send_hello_retry_request
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1669
EVP_MD_size
#define EVP_MD_size
Definition: boringssl_prefix_symbols.h:1579
SSL3_MT_NEW_SESSION_TICKET
#define SSL3_MT_NEW_SESSION_TICKET
Definition: ssl3.h:301
ssl_early_callback_ctx::cipher_suites_len
size_t cipher_suites_len
Definition: ssl.h:4196
OPENSSL_timeval
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2873
ssl_client_hello_get_extension
bool ssl_client_hello_get_extension(const SSL_CLIENT_HELLO *client_hello, CBS *out, uint16_t extension_type)
Definition: extensions.cc:283
SSL_is_dtls
#define SSL_is_dtls
Definition: boringssl_prefix_symbols.h:402
ssl_get_grease_value
uint16_t ssl_get_grease_value(const SSL_HANDSHAKE *hs, enum ssl_grease_index_t index)
Definition: handshake.cc:454
uint64_t
unsigned __int64 uint64_t
Definition: stdint-msvc2008.h:90
TLSEXT_TYPE_signature_algorithms
#define TLSEXT_TYPE_signature_algorithms
Definition: tls1.h:192
OPENSSL_memcpy
static void * OPENSSL_memcpy(void *dst, const void *src, size_t n)
Definition: third_party/boringssl-with-bazel/src/crypto/internal.h:819
BSSL_NAMESPACE_END
#define BSSL_NAMESPACE_END
Definition: base.h:480
SSL_SESSION_DUP_AUTH_ONLY
#define SSL_SESSION_DUP_AUTH_ONLY
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3170
header
struct absl::base_internal::@2940::AllocList::Header header
SSL_HANDSHAKE::client_traffic_secret_0
Span< uint8_t > client_traffic_secret_0()
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1788
resolve_ecdhe_secret
static bool resolve_ecdhe_secret(SSL_HANDSHAKE *hs, const SSL_CLIENT_HELLO *client_hello)
Definition: tls13_server.cc:45
tls13_derive_early_secret
bool tls13_derive_early_secret(SSL_HANDSHAKE *hs)
Definition: tls13_enc.cc:245
ssl_negotiate_alps
bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello)
Definition: extensions.cc:3034
SSL_AD_MISSING_EXTENSION
#define SSL_AD_MISSING_EXTENSION
Definition: ssl.h:3819
CBS_get_u8
#define CBS_get_u8
Definition: boringssl_prefix_symbols.h:1082
ssl_verify_invalid
ssl_verify_invalid
Definition: ssl.h:2413
err.h
tls13_derive_application_secrets
bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs)
Definition: tls13_enc.cc:278
SSL_R_WRONG_CURVE
#define SSL_R_WRONG_CURVE
Definition: ssl.h:5510
ERR_R_INTERNAL_ERROR
#define ERR_R_INTERNAL_ERROR
Definition: err.h:374
ssl_protocol_version
uint16_t ssl_protocol_version(const SSL *ssl)
Definition: ssl_versions.cc:251
evp_aead_open
@ evp_aead_open
Definition: aead.h:430
TLSEXT_TYPE_key_share
#define TLSEXT_TYPE_key_share
Definition: tls1.h:237
evp_aead_seal
@ evp_aead_seal
Definition: aead.h:431
SSL_VERIFY_PEER
#define SSL_VERIFY_PEER
Definition: ssl.h:2379
do_send_new_session_ticket
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1217
SSL_HANDSHAKE::expected_client_finished
Span< uint8_t > expected_client_finished()
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1794
CBB_add_u32
#define CBB_add_u32
Definition: boringssl_prefix_symbols.h:1032
ssl_hs_pending_ticket
@ ssl_hs_pending_ticket
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1621
conf.extensions
list extensions
Definition: doc/python/sphinx/conf.py:54
SSL_SESSION_dup
OPENSSL_EXPORT UniquePtr< SSL_SESSION > SSL_SESSION_dup(SSL_SESSION *session, int dup_flags)
Definition: ssl_session.cc:191
ssl_ext_supported_versions_add_serverhello
static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs, CBB *out)
Definition: tls13_server.cc:98
tls13_server_hs_state_t
tls13_server_hs_state_t
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1666
EVP_HPKE_CTX_kdf
#define EVP_HPKE_CTX_kdf
Definition: boringssl_prefix_symbols.h:1539
aead.h
state13_read_client_certificate_verify
@ state13_read_client_certificate_verify
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1679
do_read_second_client_hello
static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:609
SSL_HANDSHAKE::server_traffic_secret_0
Span< uint8_t > server_traffic_secret_0()
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1791
Span< const uint8_t >
do_process_end_of_early_data
static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1008
ssl_early_data_quic_parameter_mismatch
ssl_early_data_quic_parameter_mismatch
Definition: ssl.h:3580
SSL_HANDSHAKE::can_release_private_key
bool can_release_private_key
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2037
SSL_HANDSHAKE::transcript
SSLTranscript transcript
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1821
ssl_hs_read_message
@ ssl_hs_read_message
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1613
ssl_early_data_accepted
ssl_early_data_accepted
Definition: ssl.h:3559
msg
std::string msg
Definition: client_interceptors_end2end_test.cc:372
SSL3_AL_FATAL
#define SSL3_AL_FATAL
Definition: ssl3.h:280
SSL_CONFIG::verify_mode
uint8_t verify_mode
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3044
ssl_hs_handback
@ ssl_hs_handback
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1617
SSL_HANDSHAKE::early_data_offered
bool early_data_offered
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1992
ssl_ticket_aead_success
ssl_ticket_aead_success
Definition: ssl.h:2226
ssl_client_hello_init
bool ssl_client_hello_init(const SSL *ssl, SSL_CLIENT_HELLO *out, Span< const uint8_t > body)
Definition: extensions.cc:211
ssl.h
SSL_R_INCONSISTENT_CLIENT_HELLO
#define SSL_R_INCONSISTENT_CLIENT_HELLO
Definition: ssl.h:5570
TLSEXT_TYPE_psk_key_exchange_modes
#define TLSEXT_TYPE_psk_key_exchange_modes
Definition: tls1.h:234
ssl_early_callback_ctx::session_id
const uint8_t * session_id
Definition: ssl.h:4193
kMaxEarlyDataAccepted
static const size_t kMaxEarlyDataAccepted
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3099
ECH_CLIENT_OUTER
#define ECH_CLIENT_OUTER
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1492
state13_select_session
@ state13_select_session
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1668
ssl_process_ticket
enum ssl_ticket_aead_result_t ssl_process_ticket(SSL_HANDSHAKE *hs, UniquePtr< SSL_SESSION > *out_session, bool *out_renew_ticket, Span< const uint8_t > ticket, Span< const uint8_t > session_id)
Definition: extensions.cc:3952
SSL_HANDSHAKE_HINTS::key_share_secret
Array< uint8_t > key_share_secret
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1705
SSL_HANDSHAKE::cert_request
bool cert_request
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1965
tls13_advance_key_schedule
bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span< const uint8_t > in)
Definition: tls13_enc.cc:123
SSL_HANDSHAKE::GetClientHello
bool GetClientHello(SSLMessage *out_msg, SSL_CLIENT_HELLO *out_client_hello)
Definition: handshake.cc:174
SSL_HANDSHAKE::can_early_read
bool can_early_read
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1996
SSLMessage
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1140
ssl_session_renew_timeout
void ssl_session_renew_timeout(SSL *ssl, SSL_SESSION *session, uint32_t timeout)
Definition: ssl_session.cc:319
ssl_session_st
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3787
tls13_process_certificate_verify
bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs, const SSLMessage &msg)
Definition: tls13_both.cc:327
ssl_early_callback_ctx::session_id_len
size_t session_id_len
Definition: ssl.h:4194
CBB_add_bytes
#define CBB_add_bytes
Definition: boringssl_prefix_symbols.h:1025
contents
string_view contents
Definition: elf.cc:597
TLS1_2_VERSION
#define TLS1_2_VERSION
Definition: ssl.h:652
CBBFinishArray
OPENSSL_EXPORT bool CBBFinishArray(CBB *cbb, Array< uint8_t > *out)
Definition: ssl_lib.cc:190
BSSL_NAMESPACE_BEGIN
Definition: trust_token_test.cc:45
ssl_st::s3
bssl::SSL3_STATE * s3
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3730
rand.h
SSLKeyShare::Create
static HAS_VIRTUAL_DESTRUCTOR UniquePtr< SSLKeyShare > Create(uint16_t group_id)
Definition: ssl_key_share.cc:308
digest.h
ssl_hs_flush
@ ssl_hs_flush
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1614
ssl_get_new_session
bool ssl_get_new_session(SSL_HANDSHAKE *hs)
Definition: ssl_session.cc:352
SSL_HANDSHAKE::config
SSL_CONFIG * config
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1729
do_read_client_encrypted_extensions
static enum ssl_hs_wait_t do_read_client_encrypted_extensions(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1040
SSL_R_NO_CERTIFICATE_SET
#define SSL_R_NO_CERTIFICATE_SET
Definition: ssl.h:5441
ssl_encryption_application
ssl_encryption_application
Definition: ssl.h:3285
EVP_HPKE_KDF_id
#define EVP_HPKE_KDF_id
Definition: boringssl_prefix_symbols.h:1548
SSL_R_UNEXPECTED_COMPATIBILITY_MODE
#define SSL_R_UNEXPECTED_COMPATIBILITY_MODE
Definition: ssl.h:5573
ssl_hs_private_key_operation
@ ssl_hs_private_key_operation
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1619
ssl_has_client_CAs
bool ssl_has_client_CAs(const SSL_CONFIG *cfg)
Definition: ssl_cert.cc:664
SSL_HANDSHAKE::ecdh_public_key
Array< uint8_t > ecdh_public_key
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1852
SSL_R_NO_SHARED_CIPHER
#define SSL_R_NO_SHARED_CIPHER
Definition: ssl.h:5451
SSLExtension::data
CBS data
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2231
SSL_AD_DECODE_ERROR
#define SSL_AD_DECODE_ERROR
Definition: ssl.h:3810
ssl_ech_confirmation_signal_hello_offset
size_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl)
Definition: tls13_enc.cc:531
ssl_add_client_CA_list
bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb)
Definition: ssl_cert.cc:675
ssl_private_key_success
ssl_private_key_success
Definition: ssl.h:1234
ret
UniquePtr< SSL_SESSION > ret
Definition: ssl_x509.cc:1029
SSL_HANDSHAKE::ech_is_inner
bool ech_is_inner
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1947
CBS_get_u16_length_prefixed
#define CBS_get_u16_length_prefixed
Definition: boringssl_prefix_symbols.h:1074
SSL_VERIFY_FAIL_IF_NO_PEER_CERT
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT
Definition: ssl.h:2384
ssl_early_data_hello_retry_request
ssl_early_data_hello_retry_request
Definition: ssl.h:3571
SSLTranscript::Update
bool Update(Span< const uint8_t > in)
Definition: ssl_transcript.cc:220
ssl_check_message_type
bool ssl_check_message_type(SSL *ssl, const SSLMessage &msg, int type)
Definition: handshake.cc:209
Array::Reset
void Reset()
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:287
EVP_MAX_MD_SIZE
#define EVP_MAX_MD_SIZE
Definition: digest.h:156
EVP_HPKE_AEAD_id
#define EVP_HPKE_AEAD_id
Definition: boringssl_prefix_symbols.h:1534
tls13_process_finished
bool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg, bool use_saved_value)
Definition: tls13_both.cc:369
quic_ticket_compatible
static bool quic_ticket_compatible(const SSL_SESSION *session, const SSL_CONFIG *config)
Definition: tls13_server.cc:347
SSL_HANDSHAKE_HINTS::key_share_public_key
Array< uint8_t > key_share_public_key
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1704
ssl_session_rebase_time
void ssl_session_rebase_time(SSL *ssl, SSL_SESSION *session)
Definition: ssl_session.cc:290
ssl_ext_pre_shared_key_parse_clienthello
bool ssl_ext_pre_shared_key_parse_clienthello(SSL_HANDSHAKE *hs, CBS *out_ticket, CBS *out_binders, uint32_t *out_obfuscated_ticket_age, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello, CBS *contents)
Definition: extensions.cc:2028
state13_read_channel_id
@ state13_read_channel_id
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1680
SSL_AD_HANDSHAKE_FAILURE
#define SSL_AD_HANDSHAKE_FAILURE
Definition: ssl.h:3800
SSL_VERIFY_PEER_IF_NO_OBC
#define SSL_VERIFY_PEER_IF_NO_OBC
Definition: ssl.h:2388
ssl_ticket_aead_ignore_ticket
ssl_ticket_aead_ignore_ticket
Definition: ssl.h:2233
ssl_client_hello_decrypt
bool ssl_client_hello_decrypt(EVP_HPKE_CTX *hpke_ctx, Array< uint8_t > *out, bool *out_is_decrypt_error, const SSL_CLIENT_HELLO *client_hello_outer, Span< const uint8_t > payload)
Definition: encrypted_client_hello.cc:255
ssl_add_message_cbb
bool ssl_add_message_cbb(SSL *ssl, CBB *cbb)
Definition: handshake.cc:220
do_select_session
static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:364
state
Definition: bloaty/third_party/zlib/contrib/blast/blast.c:41
ssl_ticket_aead_retry
ssl_ticket_aead_retry
Definition: ssl.h:2230
state13_select_parameters
@ state13_select_parameters
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1667
SSL_get_options
#define SSL_get_options
Definition: boringssl_prefix_symbols.h:354
ssl_st::method
const bssl::SSL_PROTOCOL_METHOD * method
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3706
config_s
Definition: bloaty/third_party/zlib/deflate.c:120
SSL_HANDSHAKE::client_handshake_secret
Span< uint8_t > client_handshake_secret()
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1782
ssl_encrypt_ticket
int ssl_encrypt_ticket(SSL_HANDSHAKE *hs, CBB *out, const SSL_SESSION *session)
Definition: ssl_session.cc:563
SSL3_MT_END_OF_EARLY_DATA
#define SSL3_MT_END_OF_EARLY_DATA
Definition: ssl3.h:302
ssl_parse_extensions
bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert, std::initializer_list< SSLExtension * > extensions, bool ignore_unknown)
Definition: handshake.cc:269
do_read_second_client_flight
static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:978
state13_read_client_encrypted_extensions
@ state13_read_client_encrypted_extensions
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1677
ssl_verify_peer_cert
enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs)
Definition: handshake.cc:323
SSL_CONFIG
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2960
ssl_encryption_early_data
ssl_encryption_early_data
Definition: ssl.h:3283
TLSEXT_TYPE_application_settings
#define TLSEXT_TYPE_application_settings
Definition: tls1.h:247
do_send_server_certificate_verify
static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:889
Span::data
T * data() const
Definition: boringssl-with-bazel/src/include/openssl/span.h:132
TLSEXT_TYPE_encrypted_client_hello
#define TLSEXT_TYPE_encrypted_client_hello
Definition: tls1.h:251
SSL_CONFIG::quic_early_data_context
Array< uint8_t > quic_early_data_context
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3029
tls13_server_handshake_state
const char * tls13_server_handshake_state(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:1306
do_send_server_hello
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs)
Definition: tls13_server.cc:747
SSL_R_DECODE_ERROR
#define SSL_R_DECODE_ERROR
Definition: ssl.h:5405
tls1_get_shared_group
bool tls1_get_shared_group(SSL_HANDSHAKE *hs, uint16_t *out_group_id)
Definition: extensions.cc:318
mem.h
tls13_derive_resumption_secret
bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs)
Definition: tls13_enc.cc:323
ssl_session_is_resumable
int ssl_session_is_resumable(const SSL_HANDSHAKE *hs, const SSL_SESSION *session)
Definition: ssl_session.cc:610
SSL_HANDSHAKE::tls13_state
int tls13_state
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1741
ssl_st::session_ctx
bssl::UniquePtr< SSL_CTX > session_ctx
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3758
ssl_do_info_callback
void ssl_do_info_callback(const SSL *ssl, int type, int value)
Definition: ssl_lib.cc:316
ssl_add_serverhello_tlsext
bool ssl_add_serverhello_tlsext(SSL_HANDSHAKE *hs, CBB *out)
Definition: extensions.cc:3552
asyncio_get_stats.type
type
Definition: asyncio_get_stats.py:37
kMaxTicketAgeSkewSeconds
static const int32_t kMaxTicketAgeSkewSeconds
Definition: tls13_server.cc:43
TLSEXT_TYPE_pre_shared_key
#define TLSEXT_TYPE_pre_shared_key
Definition: tls1.h:230
SSL_HANDSHAKE_HINTS
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1698
kZeroes
static const BSSL_NAMESPACE_BEGIN uint8_t kZeroes[EVP_MAX_MD_SIZE]
Definition: tls13_server.cc:37
INT32_MAX
#define INT32_MAX
Definition: stdint-msvc2008.h:137
ssl_hs_error
@ ssl_hs_error
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1610
tls1_verify_channel_id
bool tls1_verify_channel_id(SSL_HANDSHAKE *hs, const SSLMessage &msg)
Definition: extensions.cc:4111
int32_t
signed int int32_t
Definition: stdint-msvc2008.h:77
tls13_set_traffic_key
bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level, enum evp_aead_direction_t direction, const SSL_SESSION *session, Span< const uint8_t > traffic_secret)
Definition: tls13_enc.cc:156
select_session
static enum ssl_ticket_aead_result_t select_session(SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr< SSL_SESSION > *out_session, int32_t *out_ticket_age_skew, bool *out_offered_ticket, const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello)
Definition: tls13_server.cc:258
SSL_SESSION_INCLUDE_NONAUTH
#define SSL_SESSION_INCLUDE_NONAUTH
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3172
gen_server_registered_method_bad_client_test_body.payload
list payload
Definition: gen_server_registered_method_bad_client_test_body.py:40
SSL_OP_NO_TICKET
#define SSL_OP_NO_TICKET
Definition: ssl.h:709
ssl_encryption_handshake
ssl_encryption_handshake
Definition: ssl.h:3284
ssl_st::version
uint16_t version
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3715
SSL_CIPHER_get_protocol_id
#define SSL_CIPHER_get_protocol_id
Definition: boringssl_prefix_symbols.h:55
SSL_HANDSHAKE::handback
bool handback
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:2021
SSL_HANDSHAKE::in_early_data
bool in_early_data
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1989
ssl_st::ctx
bssl::UniquePtr< SSL_CTX > ctx
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:3754
state13_read_client_finished
@ state13_read_client_finished
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1681
SSL_AD_DECRYPT_ERROR
#define SSL_AD_DECRYPT_ERROR
Definition: ssl.h:3811
absl::MakeSpan
constexpr Span< T > MakeSpan(T *ptr, size_t size) noexcept
Definition: abseil-cpp/absl/types/span.h:661
ssl_early_data_session_not_resumed
ssl_early_data_session_not_resumed
Definition: ssl.h:3567
ssl_ticket_aead_error
ssl_ticket_aead_error
Definition: ssl.h:2236
sk_CRYPTO_BUFFER_num
#define sk_CRYPTO_BUFFER_num
Definition: boringssl_prefix_symbols.h:558
state13_send_new_session_ticket
@ state13_send_new_session_ticket
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1682
CRYPTO_memcmp
#define CRYPTO_memcmp
Definition: boringssl_prefix_symbols.h:1178
tls13_derive_handshake_secrets
bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs)
Definition: tls13_enc.cc:262
add_new_session_tickets
static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets)
Definition: tls13_server.cc:122
TLSEXT_TYPE_certificate_authorities
#define TLSEXT_TYPE_certificate_authorities
Definition: tls1.h:235
tls12_add_verify_sigalgs
bool tls12_add_verify_sigalgs(const SSL_HANDSHAKE *hs, CBB *out)
Definition: extensions.cc:481
i
uint64_t i
Definition: abseil-cpp/absl/container/btree_benchmark.cc:230
offset
voidpf uLong offset
Definition: bloaty/third_party/zlib/contrib/minizip/ioapi.h:142
tls13_add_certificate_verify
enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs)
Definition: tls13_both.cc:562
SSLTranscript::DigestLen
size_t DigestLen() const
Definition: ssl_transcript.cc:175
ssl_ext_pre_shared_key_add_serverhello
bool ssl_ext_pre_shared_key_add_serverhello(SSL_HANDSHAKE *hs, CBB *out)
Definition: extensions.cc:2094
stack.h
SSL3_MT_CERTIFICATE_REQUEST
#define SSL3_MT_CERTIFICATE_REQUEST
Definition: ssl3.h:306
ssl_get_handshake_digest
const EVP_MD * ssl_get_handshake_digest(uint16_t version, const SSL_CIPHER *cipher)
Definition: ssl_cipher.cc:637
ssl_private_key_retry
ssl_private_key_retry
Definition: ssl.h:1235
absl::MakeConstSpan
constexpr Span< const T > MakeConstSpan(T *ptr, size_t size) noexcept
Definition: abseil-cpp/absl/types/span.h:707
cbb_st
Definition: bytestring.h:375
ssl_grease_ticket_extension
@ ssl_grease_ticket_extension
Definition: third_party/boringssl-with-bazel/src/ssl/internal.h:1636

grpc
Author(s):
autogenerated on Thu Mar 13 2025 03:01:40