Ejemplo n.º 1
0
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
  if (!tls13_add_finished(hs) ||
      /* Update the secret to the master secret and derive traffic keys. */
      !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
      !tls13_derive_application_secrets(hs) ||
      !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
                             hs->hash_len)) {
    return ssl_hs_error;
  }

  hs->tls13_state = state_process_client_certificate;
  return ssl_hs_flush_and_read_message;
}
Ejemplo n.º 2
0
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
  SSL *const ssl = hs->ssl;
  if (!tls13_add_finished(hs) ||
      /* Update the secret to the master secret and derive traffic keys. */
      !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
      !tls13_derive_application_secrets(hs) ||
      !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
                             hs->hash_len)) {
    return ssl_hs_error;
  }

  if (ssl->early_data_accepted) {
    /* If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
     * the wire sooner and also avoids triggering a write on |SSL_read| when
     * processing the client Finished. This requires computing the client
     * Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. */
    size_t finished_len;
    if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,
                            0 /* client */)) {
      return ssl_hs_error;
    }

    if (finished_len != hs->hash_len) {
      OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
      return ssl_hs_error;
    }

    /* Feed the predicted Finished into the transcript. This allows us to derive
     * the resumption secret early and send half-RTT tickets.
     *
     * TODO(davidben): This will need to be updated for DTLS 1.3. */
    assert(!SSL_is_dtls(hs->ssl));
    uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0, hs->hash_len};
    if (!SSL_TRANSCRIPT_update(&hs->transcript, header, sizeof(header)) ||
        !SSL_TRANSCRIPT_update(&hs->transcript, hs->expected_client_finished,
                               hs->hash_len) ||
        !tls13_derive_resumption_secret(hs) ||
        !add_new_session_tickets(hs)) {
      return ssl_hs_error;
    }
  }

  hs->tls13_state = state_read_second_client_flight;
  return ssl_hs_flush;
}