1 /* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <tuple>
21
22 #include <openssl/aead.h>
23 #include <openssl/bytestring.h>
24 #include <openssl/digest.h>
25 #include <openssl/err.h>
26 #include <openssl/mem.h>
27 #include <openssl/rand.h>
28 #include <openssl/stack.h>
29
30 #include "../crypto/internal.h"
31 #include "internal.h"
32
33
34 BSSL_NAMESPACE_BEGIN
35
36 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
37
38 // Allow a minute of ticket age skew in either direction. This covers
39 // transmission delays in ClientHello and NewSessionTicket, as well as
40 // drift between client and server clock rate since the ticket was issued.
41 // See RFC 8446, section 8.3.
42 static const int32_t kMaxTicketAgeSkewSeconds = 60;
43
resolve_ecdhe_secret(SSL_HANDSHAKE * hs,bool * out_need_retry,SSL_CLIENT_HELLO * client_hello)44 static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,
45 SSL_CLIENT_HELLO *client_hello) {
46 SSL *const ssl = hs->ssl;
47 *out_need_retry = false;
48
49 // We only support connections that include an ECDHE key exchange.
50 CBS key_share;
51 if (!ssl_client_hello_get_extension(client_hello, &key_share,
52 TLSEXT_TYPE_key_share)) {
53 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
54 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
55 return 0;
56 }
57
58 bool found_key_share;
59 Array<uint8_t> dhe_secret;
60 uint8_t alert = SSL_AD_DECODE_ERROR;
61 if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
62 &alert, &key_share)) {
63 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
64 return 0;
65 }
66
67 if (!found_key_share) {
68 *out_need_retry = true;
69 return 0;
70 }
71
72 return tls13_advance_key_schedule(hs, dhe_secret);
73 }
74
ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE * hs,CBB * out)75 static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,
76 CBB *out) {
77 CBB contents;
78 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||
79 !CBB_add_u16_length_prefixed(out, &contents) ||
80 !CBB_add_u16(&contents, hs->ssl->version) ||
81 !CBB_flush(out)) {
82 return 0;
83 }
84
85 return 1;
86 }
87
choose_tls13_cipher(const SSL * ssl,const SSL_CLIENT_HELLO * client_hello,uint16_t group_id)88 static const SSL_CIPHER *choose_tls13_cipher(
89 const SSL *ssl, const SSL_CLIENT_HELLO *client_hello, uint16_t group_id) {
90 CBS cipher_suites;
91 CBS_init(&cipher_suites, client_hello->cipher_suites,
92 client_hello->cipher_suites_len);
93
94 const uint16_t version = ssl_protocol_version(ssl);
95
96 return ssl_choose_tls13_cipher(cipher_suites, version, group_id);
97 }
98
add_new_session_tickets(SSL_HANDSHAKE * hs,bool * out_sent_tickets)99 static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {
100 SSL *const ssl = hs->ssl;
101 if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a
102 // session ticket.
103 !hs->accept_psk_mode ||
104 // We only implement stateless resumption in TLS 1.3, so skip sending
105 // tickets if disabled.
106 (SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {
107 *out_sent_tickets = false;
108 return true;
109 }
110
111 // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case
112 // the client makes several connections before getting a renewal.
113 static const int kNumTickets = 2;
114
115 // Rebase the session timestamp so that it is measured from ticket
116 // issuance.
117 ssl_session_rebase_time(ssl, hs->new_session.get());
118
119 for (int i = 0; i < kNumTickets; i++) {
120 UniquePtr<SSL_SESSION> session(
121 SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));
122 if (!session) {
123 return false;
124 }
125
126 if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
127 return false;
128 }
129 session->ticket_age_add_valid = true;
130 bool enable_early_data =
131 ssl->enable_early_data &&
132 (!ssl->quic_method || !ssl->config->quic_early_data_context.empty());
133 if (enable_early_data) {
134 // QUIC does not use the max_early_data_size parameter and always sets it
135 // to a fixed value. See draft-ietf-quic-tls-22, section 4.5.
136 session->ticket_max_early_data =
137 ssl->quic_method != nullptr ? 0xffffffff : kMaxEarlyDataAccepted;
138 }
139
140 static_assert(kNumTickets < 256, "Too many tickets");
141 uint8_t nonce[] = {static_cast<uint8_t>(i)};
142
143 ScopedCBB cbb;
144 CBB body, nonce_cbb, ticket, extensions;
145 if (!ssl->method->init_message(ssl, cbb.get(), &body,
146 SSL3_MT_NEW_SESSION_TICKET) ||
147 !CBB_add_u32(&body, session->timeout) ||
148 !CBB_add_u32(&body, session->ticket_age_add) ||
149 !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||
150 !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||
151 !CBB_add_u16_length_prefixed(&body, &ticket) ||
152 !tls13_derive_session_psk(session.get(), nonce) ||
153 !ssl_encrypt_ticket(hs, &ticket, session.get()) ||
154 !CBB_add_u16_length_prefixed(&body, &extensions)) {
155 return false;
156 }
157
158 if (enable_early_data) {
159 CBB early_data;
160 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||
161 !CBB_add_u16_length_prefixed(&extensions, &early_data) ||
162 !CBB_add_u32(&early_data, session->ticket_max_early_data) ||
163 !CBB_flush(&extensions)) {
164 return false;
165 }
166 }
167
168 // Add a fake extension. See draft-davidben-tls-grease-01.
169 if (!CBB_add_u16(&extensions,
170 ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||
171 !CBB_add_u16(&extensions, 0 /* empty */)) {
172 return false;
173 }
174
175 if (!ssl_add_message_cbb(ssl, cbb.get())) {
176 return false;
177 }
178 }
179
180 *out_sent_tickets = true;
181 return true;
182 }
183
do_select_parameters(SSL_HANDSHAKE * hs)184 static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
185 // At this point, most ClientHello extensions have already been processed by
186 // the common handshake logic. Resolve the remaining non-PSK parameters.
187 SSL *const ssl = hs->ssl;
188 SSLMessage msg;
189 if (!ssl->method->get_message(ssl, &msg)) {
190 return ssl_hs_read_message;
191 }
192 SSL_CLIENT_HELLO client_hello;
193 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
194 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
195 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
196 return ssl_hs_error;
197 }
198
199 OPENSSL_memcpy(hs->session_id, client_hello.session_id,
200 client_hello.session_id_len);
201 hs->session_id_len = client_hello.session_id_len;
202
203 uint16_t group_id;
204 if (!tls1_get_shared_group(hs, &group_id)) {
205 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP);
206 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
207 return ssl_hs_error;
208 }
209
210 // Negotiate the cipher suite.
211 hs->new_cipher = choose_tls13_cipher(ssl, &client_hello, group_id);
212 if (hs->new_cipher == NULL) {
213 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
214 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
215 return ssl_hs_error;
216 }
217
218 // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
219 // deferred. Complete it now.
220 uint8_t alert = SSL_AD_DECODE_ERROR;
221 if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
222 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
223 return ssl_hs_error;
224 }
225
226 // The PRF hash is now known. Set up the key schedule and hash the
227 // ClientHello.
228 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {
229 return ssl_hs_error;
230 }
231
232 hs->tls13_state = state13_select_session;
233 return ssl_hs_ok;
234 }
235
select_session(SSL_HANDSHAKE * hs,uint8_t * out_alert,UniquePtr<SSL_SESSION> * out_session,int32_t * out_ticket_age_skew,bool * out_offered_ticket,const SSLMessage & msg,const SSL_CLIENT_HELLO * client_hello)236 static enum ssl_ticket_aead_result_t select_session(
237 SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,
238 int32_t *out_ticket_age_skew, bool *out_offered_ticket,
239 const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) {
240 SSL *const ssl = hs->ssl;
241 *out_session = nullptr;
242
243 CBS pre_shared_key;
244 *out_offered_ticket = ssl_client_hello_get_extension(
245 client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key);
246 if (!*out_offered_ticket) {
247 return ssl_ticket_aead_ignore_ticket;
248 }
249
250 CBS ticket, binders;
251 uint32_t client_ticket_age;
252 if (!ssl_ext_pre_shared_key_parse_clienthello(
253 hs, &ticket, &binders, &client_ticket_age, out_alert, client_hello,
254 &pre_shared_key)) {
255 return ssl_ticket_aead_error;
256 }
257
258 // If the peer did not offer psk_dhe, ignore the resumption.
259 if (!hs->accept_psk_mode) {
260 return ssl_ticket_aead_ignore_ticket;
261 }
262
263 // TLS 1.3 session tickets are renewed separately as part of the
264 // NewSessionTicket.
265 bool unused_renew;
266 UniquePtr<SSL_SESSION> session;
267 enum ssl_ticket_aead_result_t ret =
268 ssl_process_ticket(hs, &session, &unused_renew, ticket, {});
269 switch (ret) {
270 case ssl_ticket_aead_success:
271 break;
272 case ssl_ticket_aead_error:
273 *out_alert = SSL_AD_INTERNAL_ERROR;
274 return ret;
275 default:
276 return ret;
277 }
278
279 if (!ssl_session_is_resumable(hs, session.get()) ||
280 // Historically, some TLS 1.3 tickets were missing ticket_age_add.
281 !session->ticket_age_add_valid) {
282 return ssl_ticket_aead_ignore_ticket;
283 }
284
285 // Recover the client ticket age and convert to seconds.
286 client_ticket_age -= session->ticket_age_add;
287 client_ticket_age /= 1000;
288
289 struct OPENSSL_timeval now;
290 ssl_get_current_time(ssl, &now);
291
292 // Compute the server ticket age in seconds.
293 assert(now.tv_sec >= session->time);
294 uint64_t server_ticket_age = now.tv_sec - session->time;
295
296 // To avoid overflowing |hs->ticket_age_skew|, we will not resume
297 // 68-year-old sessions.
298 if (server_ticket_age > INT32_MAX) {
299 return ssl_ticket_aead_ignore_ticket;
300 }
301
302 *out_ticket_age_skew = static_cast<int32_t>(client_ticket_age) -
303 static_cast<int32_t>(server_ticket_age);
304
305 // Check the PSK binder.
306 if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {
307 *out_alert = SSL_AD_DECRYPT_ERROR;
308 return ssl_ticket_aead_error;
309 }
310
311 *out_session = std::move(session);
312 return ssl_ticket_aead_success;
313 }
314
quic_ticket_compatible(const SSL_SESSION * session,const SSL_CONFIG * config)315 static bool quic_ticket_compatible(const SSL_SESSION *session,
316 const SSL_CONFIG *config) {
317 if (!session->is_quic) {
318 return true;
319 }
320
321 if (session->quic_early_data_context.empty() ||
322 config->quic_early_data_context.size() !=
323 session->quic_early_data_context.size() ||
324 CRYPTO_memcmp(config->quic_early_data_context.data(),
325 session->quic_early_data_context.data(),
326 session->quic_early_data_context.size()) != 0) {
327 return false;
328 }
329 return true;
330 }
331
do_select_session(SSL_HANDSHAKE * hs)332 static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {
333 SSL *const ssl = hs->ssl;
334 SSLMessage msg;
335 if (!ssl->method->get_message(ssl, &msg)) {
336 return ssl_hs_read_message;
337 }
338 SSL_CLIENT_HELLO client_hello;
339 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
340 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
341 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
342 return ssl_hs_error;
343 }
344
345 uint8_t alert = SSL_AD_DECODE_ERROR;
346 UniquePtr<SSL_SESSION> session;
347 bool offered_ticket = false;
348 switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew,
349 &offered_ticket, msg, &client_hello)) {
350 case ssl_ticket_aead_ignore_ticket:
351 assert(!session);
352 if (!ssl->enable_early_data) {
353 ssl->s3->early_data_reason = ssl_early_data_disabled;
354 } else if (!offered_ticket) {
355 ssl->s3->early_data_reason = ssl_early_data_no_session_offered;
356 } else {
357 ssl->s3->early_data_reason = ssl_early_data_session_not_resumed;
358 }
359 if (!ssl_get_new_session(hs, 1 /* server */)) {
360 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
361 return ssl_hs_error;
362 }
363 break;
364
365 case ssl_ticket_aead_success:
366 // Carry over authentication information from the previous handshake into
367 // a fresh session.
368 hs->new_session =
369 SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);
370 if (hs->new_session == nullptr) {
371 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
372 return ssl_hs_error;
373 }
374
375 // |ssl_session_is_resumable| forbids cross-cipher resumptions even if the
376 // PRF hashes match.
377 assert(hs->new_cipher == session->cipher);
378
379 if (!ssl->enable_early_data) {
380 ssl->s3->early_data_reason = ssl_early_data_disabled;
381 } else if (session->ticket_max_early_data == 0) {
382 ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session;
383 } else if (!hs->early_data_offered) {
384 ssl->s3->early_data_reason = ssl_early_data_peer_declined;
385 } else if (ssl->s3->channel_id_valid) {
386 // Channel ID is incompatible with 0-RTT.
387 ssl->s3->early_data_reason = ssl_early_data_channel_id;
388 } else if (ssl->s3->token_binding_negotiated) {
389 // Token Binding is incompatible with 0-RTT.
390 ssl->s3->early_data_reason = ssl_early_data_token_binding;
391 } else if (MakeConstSpan(ssl->s3->alpn_selected) != session->early_alpn) {
392 // The negotiated ALPN must match the one in the ticket.
393 ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch;
394 } else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds ||
395 kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) {
396 ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew;
397 } else if (!quic_ticket_compatible(session.get(), hs->config)) {
398 ssl->s3->early_data_reason = ssl_early_data_quic_parameter_mismatch;
399 } else {
400 ssl->s3->early_data_reason = ssl_early_data_accepted;
401 ssl->s3->early_data_accepted = true;
402 }
403
404 ssl->s3->session_reused = true;
405
406 // Resumption incorporates fresh key material, so refresh the timeout.
407 ssl_session_renew_timeout(ssl, hs->new_session.get(),
408 ssl->session_ctx->session_psk_dhe_timeout);
409 break;
410
411 case ssl_ticket_aead_error:
412 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
413 return ssl_hs_error;
414
415 case ssl_ticket_aead_retry:
416 hs->tls13_state = state13_select_session;
417 return ssl_hs_pending_ticket;
418 }
419
420 // Record connection properties in the new session.
421 hs->new_session->cipher = hs->new_cipher;
422
423 // Store the initial negotiated ALPN in the session.
424 if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {
425 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
426 return ssl_hs_error;
427 }
428
429 if (ssl->ctx->dos_protection_cb != NULL &&
430 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
431 // Connection rejected for DOS reasons.
432 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
433 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
434 return ssl_hs_error;
435 }
436
437 size_t hash_len = EVP_MD_size(
438 ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));
439
440 // Set up the key schedule and incorporate the PSK into the running secret.
441 if (ssl->s3->session_reused) {
442 if (!tls13_init_key_schedule(
443 hs, MakeConstSpan(hs->new_session->master_key,
444 hs->new_session->master_key_length))) {
445 return ssl_hs_error;
446 }
447 } else if (!tls13_init_key_schedule(hs, MakeConstSpan(kZeroes, hash_len))) {
448 return ssl_hs_error;
449 }
450
451 if (!ssl_hash_message(hs, msg)) {
452 return ssl_hs_error;
453 }
454
455 if (ssl->s3->early_data_accepted) {
456 if (!tls13_derive_early_secret(hs)) {
457 return ssl_hs_error;
458 }
459 } else if (hs->early_data_offered) {
460 ssl->s3->skip_early_data = true;
461 }
462
463 // Resolve ECDHE and incorporate it into the secret.
464 bool need_retry;
465 if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
466 if (need_retry) {
467 if (ssl->s3->early_data_accepted) {
468 ssl->s3->early_data_reason = ssl_early_data_hello_retry_request;
469 ssl->s3->early_data_accepted = false;
470 }
471 ssl->s3->skip_early_data = true;
472 ssl->method->next_message(ssl);
473 if (!hs->transcript.UpdateForHelloRetryRequest()) {
474 return ssl_hs_error;
475 }
476 hs->tls13_state = state13_send_hello_retry_request;
477 return ssl_hs_ok;
478 }
479 return ssl_hs_error;
480 }
481
482 ssl->method->next_message(ssl);
483 hs->tls13_state = state13_send_server_hello;
484 return ssl_hs_ok;
485 }
486
do_send_hello_retry_request(SSL_HANDSHAKE * hs)487 static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
488 SSL *const ssl = hs->ssl;
489
490
491 ScopedCBB cbb;
492 CBB body, session_id, extensions;
493 uint16_t group_id;
494 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
495 !CBB_add_u16(&body, TLS1_2_VERSION) ||
496 !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||
497 !CBB_add_u8_length_prefixed(&body, &session_id) ||
498 !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
499 !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
500 !CBB_add_u8(&body, 0 /* no compression */) ||
501 !tls1_get_shared_group(hs, &group_id) ||
502 !CBB_add_u16_length_prefixed(&body, &extensions) ||
503 !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) ||
504 !CBB_add_u16(&extensions, 2 /* length */) ||
505 !CBB_add_u16(&extensions, ssl->version) ||
506 !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
507 !CBB_add_u16(&extensions, 2 /* length */) ||
508 !CBB_add_u16(&extensions, group_id) ||
509 !ssl_add_message_cbb(ssl, cbb.get())) {
510 return ssl_hs_error;
511 }
512
513 if (!ssl->method->add_change_cipher_spec(ssl)) {
514 return ssl_hs_error;
515 }
516
517 ssl->s3->used_hello_retry_request = true;
518 hs->tls13_state = state13_read_second_client_hello;
519 return ssl_hs_flush;
520 }
521
do_read_second_client_hello(SSL_HANDSHAKE * hs)522 static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {
523 SSL *const ssl = hs->ssl;
524 SSLMessage msg;
525 if (!ssl->method->get_message(ssl, &msg)) {
526 return ssl_hs_read_message;
527 }
528 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
529 return ssl_hs_error;
530 }
531 SSL_CLIENT_HELLO client_hello;
532 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
533 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
534 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
535 return ssl_hs_error;
536 }
537
538 // We perform all our negotiation based on the first ClientHello (for
539 // consistency with what |select_certificate_cb| observed), which is in the
540 // transcript, so we can ignore most of this second one.
541 //
542 // We do, however, check the second PSK binder. This covers the client key
543 // share, in case we ever send half-RTT data (we currently do not). It is also
544 // a tricky computation, so we enforce the peer handled it correctly.
545 if (ssl->s3->session_reused) {
546 CBS pre_shared_key;
547 if (!ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
548 TLSEXT_TYPE_pre_shared_key)) {
549 OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_CLIENT_HELLO);
550 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
551 return ssl_hs_error;
552 }
553
554 CBS ticket, binders;
555 uint32_t client_ticket_age;
556 uint8_t alert = SSL_AD_DECODE_ERROR;
557 if (!ssl_ext_pre_shared_key_parse_clienthello(
558 hs, &ticket, &binders, &client_ticket_age, &alert, &client_hello,
559 &pre_shared_key)) {
560 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
561 return ssl_hs_error;
562 }
563
564 // Note it is important that we do not obtain a new |SSL_SESSION| from
565 // |ticket|. We have already selected parameters based on the first
566 // ClientHello (in the transcript) and must not switch partway through.
567 if (!tls13_verify_psk_binder(hs, hs->new_session.get(), msg, &binders)) {
568 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
569 return ssl_hs_error;
570 }
571 }
572
573 bool need_retry;
574 if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
575 if (need_retry) {
576 // Only send one HelloRetryRequest.
577 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
578 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
579 }
580 return ssl_hs_error;
581 }
582
583 if (!ssl_hash_message(hs, msg)) {
584 return ssl_hs_error;
585 }
586
587 // ClientHello should be the end of the flight.
588 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
589 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
590 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
591 return ssl_hs_error;
592 }
593
594 ssl->method->next_message(ssl);
595 hs->tls13_state = state13_send_server_hello;
596 return ssl_hs_ok;
597 }
598
do_send_server_hello(SSL_HANDSHAKE * hs)599 static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
600 SSL *const ssl = hs->ssl;
601
602 // Send a ServerHello.
603 ScopedCBB cbb;
604 CBB body, extensions, session_id;
605 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
606 !CBB_add_u16(&body, TLS1_2_VERSION) ||
607 !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
608 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
609 !CBB_add_u8_length_prefixed(&body, &session_id) ||
610 !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
611 !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
612 !CBB_add_u8(&body, 0) ||
613 !CBB_add_u16_length_prefixed(&body, &extensions) ||
614 !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
615 !ssl_ext_key_share_add_serverhello(hs, &extensions) ||
616 !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||
617 !ssl_add_message_cbb(ssl, cbb.get())) {
618 return ssl_hs_error;
619 }
620
621 if (!ssl->s3->used_hello_retry_request &&
622 !ssl->method->add_change_cipher_spec(ssl)) {
623 return ssl_hs_error;
624 }
625
626 // Derive and enable the handshake traffic secrets.
627 if (!tls13_derive_handshake_secrets(hs) ||
628 !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal,
629 hs->new_session.get(),
630 hs->server_handshake_secret())) {
631 return ssl_hs_error;
632 }
633
634 // Send EncryptedExtensions.
635 if (!ssl->method->init_message(ssl, cbb.get(), &body,
636 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
637 !ssl_add_serverhello_tlsext(hs, &body) ||
638 !ssl_add_message_cbb(ssl, cbb.get())) {
639 return ssl_hs_error;
640 }
641
642 if (!ssl->s3->session_reused) {
643 // Determine whether to request a client certificate.
644 hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
645 // Only request a certificate if Channel ID isn't negotiated.
646 if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
647 ssl->s3->channel_id_valid) {
648 hs->cert_request = false;
649 }
650 }
651
652 // Send a CertificateRequest, if necessary.
653 if (hs->cert_request) {
654 CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;
655 if (!ssl->method->init_message(ssl, cbb.get(), &body,
656 SSL3_MT_CERTIFICATE_REQUEST) ||
657 !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||
658 !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) ||
659 !CBB_add_u16(&cert_request_extensions,
660 TLSEXT_TYPE_signature_algorithms) ||
661 !CBB_add_u16_length_prefixed(&cert_request_extensions,
662 &sigalg_contents) ||
663 !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||
664 !tls12_add_verify_sigalgs(hs, &sigalgs_cbb)) {
665 return ssl_hs_error;
666 }
667
668 if (ssl_has_client_CAs(hs->config)) {
669 CBB ca_contents;
670 if (!CBB_add_u16(&cert_request_extensions,
671 TLSEXT_TYPE_certificate_authorities) ||
672 !CBB_add_u16_length_prefixed(&cert_request_extensions,
673 &ca_contents) ||
674 !ssl_add_client_CA_list(hs, &ca_contents) ||
675 !CBB_flush(&cert_request_extensions)) {
676 return ssl_hs_error;
677 }
678 }
679
680 if (!ssl_add_message_cbb(ssl, cbb.get())) {
681 return ssl_hs_error;
682 }
683 }
684
685 // Send the server Certificate message, if necessary.
686 if (!ssl->s3->session_reused) {
687 if (!ssl_has_certificate(hs)) {
688 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
689 return ssl_hs_error;
690 }
691
692 if (!tls13_add_certificate(hs)) {
693 return ssl_hs_error;
694 }
695
696 hs->tls13_state = state13_send_server_certificate_verify;
697 return ssl_hs_ok;
698 }
699
700 hs->tls13_state = state13_send_server_finished;
701 return ssl_hs_ok;
702 }
703
do_send_server_certificate_verify(SSL_HANDSHAKE * hs)704 static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {
705 switch (tls13_add_certificate_verify(hs)) {
706 case ssl_private_key_success:
707 hs->tls13_state = state13_send_server_finished;
708 return ssl_hs_ok;
709
710 case ssl_private_key_retry:
711 hs->tls13_state = state13_send_server_certificate_verify;
712 return ssl_hs_private_key_operation;
713
714 case ssl_private_key_failure:
715 return ssl_hs_error;
716 }
717
718 assert(0);
719 return ssl_hs_error;
720 }
721
do_send_server_finished(SSL_HANDSHAKE * hs)722 static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
723 SSL *const ssl = hs->ssl;
724 if (!tls13_add_finished(hs) ||
725 // Update the secret to the master secret and derive traffic keys.
726 !tls13_advance_key_schedule(
727 hs, MakeConstSpan(kZeroes, hs->transcript.DigestLen())) ||
728 !tls13_derive_application_secrets(hs) ||
729 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
730 hs->new_session.get(),
731 hs->server_traffic_secret_0())) {
732 return ssl_hs_error;
733 }
734
735 hs->tls13_state = state13_send_half_rtt_ticket;
736 return hs->handback ? ssl_hs_handback : ssl_hs_ok;
737 }
738
do_send_half_rtt_ticket(SSL_HANDSHAKE * hs)739 static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) {
740 SSL *const ssl = hs->ssl;
741
742 if (ssl->s3->early_data_accepted) {
743 // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on
744 // the wire sooner and also avoids triggering a write on |SSL_read| when
745 // processing the client Finished. This requires computing the client
746 // Finished early. See RFC 8446, section 4.6.1.
747 static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
748 0, 0};
749 if (ssl->quic_method == nullptr &&
750 !hs->transcript.Update(kEndOfEarlyData)) {
751 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
752 return ssl_hs_error;
753 }
754
755 size_t finished_len;
756 if (!tls13_finished_mac(hs, hs->expected_client_finished().data(),
757 &finished_len, false /* client */)) {
758 return ssl_hs_error;
759 }
760
761 if (finished_len != hs->expected_client_finished().size()) {
762 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
763 return ssl_hs_error;
764 }
765
766 // Feed the predicted Finished into the transcript. This allows us to derive
767 // the resumption secret early and send half-RTT tickets.
768 //
769 // TODO(davidben): This will need to be updated for DTLS 1.3.
770 assert(!SSL_is_dtls(hs->ssl));
771 assert(hs->expected_client_finished().size() <= 0xff);
772 uint8_t header[4] = {
773 SSL3_MT_FINISHED, 0, 0,
774 static_cast<uint8_t>(hs->expected_client_finished().size())};
775 bool unused_sent_tickets;
776 if (!hs->transcript.Update(header) ||
777 !hs->transcript.Update(hs->expected_client_finished()) ||
778 !tls13_derive_resumption_secret(hs) ||
779 !add_new_session_tickets(hs, &unused_sent_tickets)) {
780 return ssl_hs_error;
781 }
782 }
783
784 hs->tls13_state = state13_read_second_client_flight;
785 return ssl_hs_flush;
786 }
787
do_read_second_client_flight(SSL_HANDSHAKE * hs)788 static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
789 SSL *const ssl = hs->ssl;
790 if (ssl->s3->early_data_accepted) {
791 if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
792 hs->new_session.get(),
793 hs->early_traffic_secret())) {
794 return ssl_hs_error;
795 }
796 hs->can_early_write = true;
797 hs->can_early_read = true;
798 hs->in_early_data = true;
799 }
800
801 // QUIC doesn't use an EndOfEarlyData message (draft-ietf-quic-tls-22,
802 // section 8.3), so we switch to client_handshake_secret before the early
803 // return.
804 if (ssl->quic_method != nullptr) {
805 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
806 hs->new_session.get(),
807 hs->client_handshake_secret())) {
808 return ssl_hs_error;
809 }
810 hs->tls13_state = state13_read_client_certificate;
811 return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;
812 }
813
814 hs->tls13_state = state13_process_end_of_early_data;
815 return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
816 : ssl_hs_ok;
817 }
818
do_process_end_of_early_data(SSL_HANDSHAKE * hs)819 static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {
820 SSL *const ssl = hs->ssl;
821 // If early data was not accepted, the EndOfEarlyData will be in the discarded
822 // early data.
823 if (hs->ssl->s3->early_data_accepted) {
824 SSLMessage msg;
825 if (!ssl->method->get_message(ssl, &msg)) {
826 return ssl_hs_read_message;
827 }
828 if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {
829 return ssl_hs_error;
830 }
831 if (CBS_len(&msg.body) != 0) {
832 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
833 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
834 return ssl_hs_error;
835 }
836 ssl->method->next_message(ssl);
837 }
838 if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
839 hs->new_session.get(),
840 hs->client_handshake_secret())) {
841 return ssl_hs_error;
842 }
843 hs->tls13_state = state13_read_client_certificate;
844 return ssl_hs_ok;
845 }
846
do_read_client_certificate(SSL_HANDSHAKE * hs)847 static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
848 SSL *const ssl = hs->ssl;
849 if (!hs->cert_request) {
850 if (!ssl->s3->session_reused) {
851 // OpenSSL returns X509_V_OK when no certificates are requested. This is
852 // classed by them as a bug, but it's assumed by at least NGINX. (Only do
853 // this in full handshakes as resumptions should carry over the previous
854 // |verify_result|, though this is a no-op because servers do not
855 // implement the client's odd soft-fail mode.)
856 hs->new_session->verify_result = X509_V_OK;
857 }
858
859 // Skip this state.
860 hs->tls13_state = state13_read_channel_id;
861 return ssl_hs_ok;
862 }
863
864 const bool allow_anonymous =
865 (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
866 SSLMessage msg;
867 if (!ssl->method->get_message(ssl, &msg)) {
868 return ssl_hs_read_message;
869 }
870 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||
871 !tls13_process_certificate(hs, msg, allow_anonymous) ||
872 !ssl_hash_message(hs, msg)) {
873 return ssl_hs_error;
874 }
875
876 ssl->method->next_message(ssl);
877 hs->tls13_state = state13_read_client_certificate_verify;
878 return ssl_hs_ok;
879 }
880
do_read_client_certificate_verify(SSL_HANDSHAKE * hs)881 static enum ssl_hs_wait_t do_read_client_certificate_verify(
882 SSL_HANDSHAKE *hs) {
883 SSL *const ssl = hs->ssl;
884 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
885 // Skip this state.
886 hs->tls13_state = state13_read_channel_id;
887 return ssl_hs_ok;
888 }
889
890 SSLMessage msg;
891 if (!ssl->method->get_message(ssl, &msg)) {
892 return ssl_hs_read_message;
893 }
894
895 switch (ssl_verify_peer_cert(hs)) {
896 case ssl_verify_ok:
897 break;
898 case ssl_verify_invalid:
899 return ssl_hs_error;
900 case ssl_verify_retry:
901 hs->tls13_state = state13_read_client_certificate_verify;
902 return ssl_hs_certificate_verify;
903 }
904
905 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||
906 !tls13_process_certificate_verify(hs, msg) ||
907 !ssl_hash_message(hs, msg)) {
908 return ssl_hs_error;
909 }
910
911 ssl->method->next_message(ssl);
912 hs->tls13_state = state13_read_channel_id;
913 return ssl_hs_ok;
914 }
915
do_read_channel_id(SSL_HANDSHAKE * hs)916 static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
917 SSL *const ssl = hs->ssl;
918 if (!ssl->s3->channel_id_valid) {
919 hs->tls13_state = state13_read_client_finished;
920 return ssl_hs_ok;
921 }
922
923 SSLMessage msg;
924 if (!ssl->method->get_message(ssl, &msg)) {
925 return ssl_hs_read_message;
926 }
927 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
928 !tls1_verify_channel_id(hs, msg) ||
929 !ssl_hash_message(hs, msg)) {
930 return ssl_hs_error;
931 }
932
933 ssl->method->next_message(ssl);
934 hs->tls13_state = state13_read_client_finished;
935 return ssl_hs_ok;
936 }
937
do_read_client_finished(SSL_HANDSHAKE * hs)938 static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
939 SSL *const ssl = hs->ssl;
940 SSLMessage msg;
941 if (!ssl->method->get_message(ssl, &msg)) {
942 return ssl_hs_read_message;
943 }
944 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||
945 // If early data was accepted, we've already computed the client Finished
946 // and derived the resumption secret.
947 !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||
948 // evp_aead_seal keys have already been switched.
949 !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open,
950 hs->new_session.get(),
951 hs->client_traffic_secret_0())) {
952 return ssl_hs_error;
953 }
954
955 if (!ssl->s3->early_data_accepted) {
956 if (!ssl_hash_message(hs, msg) ||
957 !tls13_derive_resumption_secret(hs)) {
958 return ssl_hs_error;
959 }
960
961 // We send post-handshake tickets as part of the handshake in 1-RTT.
962 hs->tls13_state = state13_send_new_session_ticket;
963 } else {
964 // We already sent half-RTT tickets.
965 hs->tls13_state = state13_done;
966 }
967
968 ssl->method->next_message(ssl);
969 return ssl_hs_ok;
970 }
971
do_send_new_session_ticket(SSL_HANDSHAKE * hs)972 static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
973 bool sent_tickets;
974 if (!add_new_session_tickets(hs, &sent_tickets)) {
975 return ssl_hs_error;
976 }
977
978 hs->tls13_state = state13_done;
979 // In TLS 1.3, the NewSessionTicket isn't flushed until the server performs a
980 // write, to prevent a non-reading client from causing the server to hang in
981 // the case of a small server write buffer. Consumers which don't write data
982 // to the client will need to do a zero-byte write if they wish to flush the
983 // tickets.
984 if (hs->ssl->quic_method != nullptr && sent_tickets) {
985 return ssl_hs_flush;
986 }
987 return ssl_hs_ok;
988 }
989
tls13_server_handshake(SSL_HANDSHAKE * hs)990 enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
991 while (hs->tls13_state != state13_done) {
992 enum ssl_hs_wait_t ret = ssl_hs_error;
993 enum tls13_server_hs_state_t state =
994 static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
995 switch (state) {
996 case state13_select_parameters:
997 ret = do_select_parameters(hs);
998 break;
999 case state13_select_session:
1000 ret = do_select_session(hs);
1001 break;
1002 case state13_send_hello_retry_request:
1003 ret = do_send_hello_retry_request(hs);
1004 break;
1005 case state13_read_second_client_hello:
1006 ret = do_read_second_client_hello(hs);
1007 break;
1008 case state13_send_server_hello:
1009 ret = do_send_server_hello(hs);
1010 break;
1011 case state13_send_server_certificate_verify:
1012 ret = do_send_server_certificate_verify(hs);
1013 break;
1014 case state13_send_server_finished:
1015 ret = do_send_server_finished(hs);
1016 break;
1017 case state13_send_half_rtt_ticket:
1018 ret = do_send_half_rtt_ticket(hs);
1019 break;
1020 case state13_read_second_client_flight:
1021 ret = do_read_second_client_flight(hs);
1022 break;
1023 case state13_process_end_of_early_data:
1024 ret = do_process_end_of_early_data(hs);
1025 break;
1026 case state13_read_client_certificate:
1027 ret = do_read_client_certificate(hs);
1028 break;
1029 case state13_read_client_certificate_verify:
1030 ret = do_read_client_certificate_verify(hs);
1031 break;
1032 case state13_read_channel_id:
1033 ret = do_read_channel_id(hs);
1034 break;
1035 case state13_read_client_finished:
1036 ret = do_read_client_finished(hs);
1037 break;
1038 case state13_send_new_session_ticket:
1039 ret = do_send_new_session_ticket(hs);
1040 break;
1041 case state13_done:
1042 ret = ssl_hs_ok;
1043 break;
1044 }
1045
1046 if (hs->tls13_state != state) {
1047 ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
1048 }
1049
1050 if (ret != ssl_hs_ok) {
1051 return ret;
1052 }
1053 }
1054
1055 return ssl_hs_ok;
1056 }
1057
tls13_server_handshake_state(SSL_HANDSHAKE * hs)1058 const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {
1059 enum tls13_server_hs_state_t state =
1060 static_cast<enum tls13_server_hs_state_t>(hs->tls13_state);
1061 switch (state) {
1062 case state13_select_parameters:
1063 return "TLS 1.3 server select_parameters";
1064 case state13_select_session:
1065 return "TLS 1.3 server select_session";
1066 case state13_send_hello_retry_request:
1067 return "TLS 1.3 server send_hello_retry_request";
1068 case state13_read_second_client_hello:
1069 return "TLS 1.3 server read_second_client_hello";
1070 case state13_send_server_hello:
1071 return "TLS 1.3 server send_server_hello";
1072 case state13_send_server_certificate_verify:
1073 return "TLS 1.3 server send_server_certificate_verify";
1074 case state13_send_half_rtt_ticket:
1075 return "TLS 1.3 server send_half_rtt_ticket";
1076 case state13_send_server_finished:
1077 return "TLS 1.3 server send_server_finished";
1078 case state13_read_second_client_flight:
1079 return "TLS 1.3 server read_second_client_flight";
1080 case state13_process_end_of_early_data:
1081 return "TLS 1.3 server process_end_of_early_data";
1082 case state13_read_client_certificate:
1083 return "TLS 1.3 server read_client_certificate";
1084 case state13_read_client_certificate_verify:
1085 return "TLS 1.3 server read_client_certificate_verify";
1086 case state13_read_channel_id:
1087 return "TLS 1.3 server read_channel_id";
1088 case state13_read_client_finished:
1089 return "TLS 1.3 server read_client_finished";
1090 case state13_send_new_session_ticket:
1091 return "TLS 1.3 server send_new_session_ticket";
1092 case state13_done:
1093 return "TLS 1.3 server done";
1094 }
1095
1096 return "TLS 1.3 server unknown";
1097 }
1098
1099 BSSL_NAMESPACE_END
1100