/src/boringssl/ssl/tls13_server.cc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 2016 The BoringSSL Authors |
2 | | // |
3 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
4 | | // you may not use this file except in compliance with the License. |
5 | | // You may obtain a copy of the License at |
6 | | // |
7 | | // https://www.apache.org/licenses/LICENSE-2.0 |
8 | | // |
9 | | // Unless required by applicable law or agreed to in writing, software |
10 | | // distributed under the License is distributed on an "AS IS" BASIS, |
11 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
12 | | // See the License for the specific language governing permissions and |
13 | | // limitations under the License. |
14 | | |
15 | | #include <openssl/ssl.h> |
16 | | |
17 | | #include <assert.h> |
18 | | #include <string.h> |
19 | | |
20 | | #include <algorithm> |
21 | | #include <tuple> |
22 | | |
23 | | #include <openssl/aead.h> |
24 | | #include <openssl/bytestring.h> |
25 | | #include <openssl/digest.h> |
26 | | #include <openssl/err.h> |
27 | | #include <openssl/hpke.h> |
28 | | #include <openssl/mem.h> |
29 | | #include <openssl/rand.h> |
30 | | #include <openssl/stack.h> |
31 | | |
32 | | #include "../crypto/internal.h" |
33 | | #include "internal.h" |
34 | | |
35 | | |
36 | | BSSL_NAMESPACE_BEGIN |
37 | | |
38 | | static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0}; |
39 | | |
40 | | // Allow a minute of ticket age skew in either direction. This covers |
41 | | // transmission delays in ClientHello and NewSessionTicket, as well as |
42 | | // drift between client and server clock rate since the ticket was issued. |
43 | | // See RFC 8446, section 8.3. |
44 | | static const int32_t kMaxTicketAgeSkewSeconds = 60; |
45 | | |
46 | 0 | static bool resolve_pake_secret(SSL_HANDSHAKE *hs) { |
47 | 0 | uint8_t verifier_share[spake2plus::kShareSize]; |
48 | 0 | uint8_t verifier_confirm[spake2plus::kConfirmSize]; |
49 | 0 | uint8_t shared_secret[spake2plus::kSecretSize]; |
50 | 0 | if (!hs->pake_verifier->ProcessProverShare(verifier_share, verifier_confirm, |
51 | 0 | shared_secret, |
52 | 0 | hs->pake_share->pake_message)) { |
53 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
54 | 0 | ssl_send_alert(hs->ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
55 | 0 | return false; |
56 | 0 | } |
57 | | |
58 | 0 | bssl::ScopedCBB cbb; |
59 | 0 | if (!CBB_init(cbb.get(), sizeof(verifier_share) + sizeof(verifier_confirm)) || |
60 | 0 | !CBB_add_bytes(cbb.get(), verifier_share, sizeof(verifier_share)) || |
61 | 0 | !CBB_add_bytes(cbb.get(), verifier_confirm, sizeof(verifier_confirm)) || |
62 | 0 | !CBBFinishArray(cbb.get(), &hs->pake_share_bytes)) { |
63 | 0 | return false; |
64 | 0 | } |
65 | | |
66 | 0 | return tls13_advance_key_schedule( |
67 | 0 | hs, MakeConstSpan(shared_secret, sizeof(shared_secret))); |
68 | 0 | } |
69 | | |
70 | | static bool resolve_ecdhe_secret(SSL_HANDSHAKE *hs, |
71 | 0 | const SSL_CLIENT_HELLO *client_hello) { |
72 | 0 | SSL *const ssl = hs->ssl; |
73 | 0 | const uint16_t group_id = hs->new_session->group_id; |
74 | |
|
75 | 0 | bool found_key_share; |
76 | 0 | Span<const uint8_t> peer_key; |
77 | 0 | uint8_t alert = SSL_AD_DECODE_ERROR; |
78 | 0 | if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &peer_key, |
79 | 0 | &alert, client_hello)) { |
80 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
81 | 0 | return false; |
82 | 0 | } |
83 | | |
84 | 0 | if (!found_key_share) { |
85 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
86 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); |
87 | 0 | return false; |
88 | 0 | } |
89 | | |
90 | 0 | Array<uint8_t> secret; |
91 | 0 | SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); |
92 | 0 | if (hints && !hs->hints_requested && hints->key_share_group_id == group_id && |
93 | 0 | !hints->key_share_secret.empty()) { |
94 | | // Copy the key_share secret from hints. |
95 | 0 | if (!hs->key_share_ciphertext.CopyFrom(hints->key_share_ciphertext) || |
96 | 0 | !secret.CopyFrom(hints->key_share_secret)) { |
97 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
98 | 0 | return false; |
99 | 0 | } |
100 | 0 | } else { |
101 | 0 | ScopedCBB ciphertext; |
102 | 0 | UniquePtr<SSLKeyShare> key_share = SSLKeyShare::Create(group_id); |
103 | 0 | if (!key_share || // |
104 | 0 | !CBB_init(ciphertext.get(), 32) || |
105 | 0 | !key_share->Encap(ciphertext.get(), &secret, &alert, peer_key) || |
106 | 0 | !CBBFinishArray(ciphertext.get(), &hs->key_share_ciphertext)) { |
107 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
108 | 0 | return false; |
109 | 0 | } |
110 | 0 | if (hints && hs->hints_requested) { |
111 | 0 | hints->key_share_group_id = group_id; |
112 | 0 | if (!hints->key_share_ciphertext.CopyFrom(hs->key_share_ciphertext) || |
113 | 0 | !hints->key_share_secret.CopyFrom(secret)) { |
114 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
115 | 0 | return false; |
116 | 0 | } |
117 | 0 | } |
118 | 0 | } |
119 | | |
120 | 0 | return tls13_advance_key_schedule(hs, secret); |
121 | 0 | } |
122 | | |
123 | | static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs, |
124 | 0 | CBB *out) { |
125 | 0 | CBB contents; |
126 | 0 | if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || // |
127 | 0 | !CBB_add_u16_length_prefixed(out, &contents) || // |
128 | 0 | !CBB_add_u16(&contents, hs->ssl->s3->version) || // |
129 | 0 | !CBB_flush(out)) { |
130 | 0 | return 0; |
131 | 0 | } |
132 | | |
133 | 0 | return 1; |
134 | 0 | } |
135 | | |
136 | | static const SSL_CIPHER *choose_tls13_cipher( |
137 | 0 | const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) { |
138 | 0 | CBS cipher_suites; |
139 | 0 | CBS_init(&cipher_suites, client_hello->cipher_suites, |
140 | 0 | client_hello->cipher_suites_len); |
141 | |
|
142 | 0 | const uint16_t version = ssl_protocol_version(ssl); |
143 | |
|
144 | 0 | return ssl_choose_tls13_cipher(cipher_suites, |
145 | 0 | ssl->config->aes_hw_override |
146 | 0 | ? ssl->config->aes_hw_override_value |
147 | 0 | : EVP_has_aes_hardware(), |
148 | 0 | version, ssl->config->compliance_policy); |
149 | 0 | } |
150 | | |
151 | 0 | static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) { |
152 | 0 | SSL *const ssl = hs->ssl; |
153 | 0 | if ( // If the client doesn't accept resumption with PSK_DHE_KE, don't send a |
154 | | // session ticket. |
155 | 0 | !hs->accept_psk_mode || |
156 | | // We only implement stateless resumption in TLS 1.3, so skip sending |
157 | | // tickets if disabled. |
158 | 0 | (SSL_get_options(ssl) & SSL_OP_NO_TICKET) || |
159 | | // Don't send tickets for PAKE connections. We don't support resumption |
160 | | // with PAKEs. |
161 | 0 | hs->pake_verifier != nullptr) { |
162 | 0 | *out_sent_tickets = false; |
163 | 0 | return true; |
164 | 0 | } |
165 | | |
166 | | // Rebase the session timestamp so that it is measured from ticket |
167 | | // issuance. |
168 | 0 | ssl_session_rebase_time(ssl, hs->new_session.get()); |
169 | |
|
170 | 0 | assert(ssl->session_ctx->num_tickets <= kMaxTickets); |
171 | 0 | bool sent_tickets = false; |
172 | 0 | for (size_t i = 0; i < ssl->session_ctx->num_tickets; i++) { |
173 | 0 | UniquePtr<SSL_SESSION> session( |
174 | 0 | SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH)); |
175 | 0 | if (!session) { |
176 | 0 | return false; |
177 | 0 | } |
178 | | |
179 | 0 | if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) { |
180 | 0 | return false; |
181 | 0 | } |
182 | 0 | session->ticket_age_add_valid = true; |
183 | | // TODO(crbug.com/381113363): Remove the SSL_is_dtls check once we support |
184 | | // 0-RTT for DTLS 1.3. |
185 | 0 | bool enable_early_data = |
186 | 0 | ssl->enable_early_data && |
187 | 0 | (!SSL_is_quic(ssl) || !ssl->config->quic_early_data_context.empty()) && |
188 | 0 | !SSL_is_dtls(ssl); |
189 | 0 | if (enable_early_data) { |
190 | | // QUIC does not use the max_early_data_size parameter and always sets it |
191 | | // to a fixed value. See RFC 9001, section 4.6.1. |
192 | 0 | session->ticket_max_early_data = |
193 | 0 | SSL_is_quic(ssl) ? 0xffffffff : kMaxEarlyDataAccepted; |
194 | 0 | } |
195 | 0 | session->is_resumable_across_names = ssl->resumption_across_names_enabled; |
196 | |
|
197 | 0 | static_assert(kMaxTickets < 256, "Too many tickets"); |
198 | 0 | assert(i < 256); |
199 | 0 | uint8_t nonce[] = {static_cast<uint8_t>(i)}; |
200 | |
|
201 | 0 | ScopedCBB cbb; |
202 | 0 | CBB body, nonce_cbb, ticket, extensions; |
203 | 0 | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
204 | 0 | SSL3_MT_NEW_SESSION_TICKET) || |
205 | 0 | !CBB_add_u32(&body, session->timeout) || |
206 | 0 | !CBB_add_u32(&body, session->ticket_age_add) || |
207 | 0 | !CBB_add_u8_length_prefixed(&body, &nonce_cbb) || |
208 | 0 | !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) || |
209 | 0 | !tls13_derive_session_psk(session.get(), nonce, SSL_is_dtls(ssl)) || |
210 | 0 | !CBB_add_u16_length_prefixed(&body, &ticket) || |
211 | 0 | !ssl_encrypt_ticket(hs, &ticket, session.get())) { |
212 | 0 | return false; |
213 | 0 | } |
214 | | |
215 | 0 | if (CBB_len(&ticket) == 0) { |
216 | | // The caller decided not to encrypt a ticket. Skip the message. |
217 | 0 | continue; |
218 | 0 | } |
219 | | |
220 | 0 | if (!CBB_add_u16_length_prefixed(&body, &extensions)) { |
221 | 0 | return false; |
222 | 0 | } |
223 | | |
224 | 0 | if (enable_early_data) { |
225 | 0 | CBB early_data; |
226 | 0 | if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) || |
227 | 0 | !CBB_add_u16_length_prefixed(&extensions, &early_data) || |
228 | 0 | !CBB_add_u32(&early_data, session->ticket_max_early_data) || |
229 | 0 | !CBB_flush(&extensions)) { |
230 | 0 | return false; |
231 | 0 | } |
232 | 0 | } |
233 | | |
234 | 0 | SSLFlags flags = 0; |
235 | 0 | if (session->is_resumable_across_names) { |
236 | 0 | flags |= kSSLFlagResumptionAcrossNames; |
237 | 0 | } |
238 | 0 | if (!ssl_add_flags_extension(&extensions, flags)) { |
239 | 0 | return false; |
240 | 0 | } |
241 | | |
242 | | // Add a fake extension. See RFC 8701. |
243 | 0 | if (!CBB_add_u16(&extensions, |
244 | 0 | ssl_get_grease_value(hs, ssl_grease_ticket_extension)) || |
245 | 0 | !CBB_add_u16(&extensions, 0 /* empty */)) { |
246 | 0 | return false; |
247 | 0 | } |
248 | | |
249 | 0 | if (!ssl_add_message_cbb(ssl, cbb.get())) { |
250 | 0 | return false; |
251 | 0 | } |
252 | 0 | sent_tickets = true; |
253 | 0 | } |
254 | | |
255 | 0 | *out_sent_tickets = sent_tickets; |
256 | 0 | return true; |
257 | 0 | } |
258 | | |
259 | | bool ssl_check_tls13_credential_ignoring_issuer(SSL_HANDSHAKE *hs, |
260 | | const SSL_CREDENTIAL *cred, |
261 | 0 | uint16_t *out_sigalg) { |
262 | 0 | switch (cred->type) { |
263 | 0 | case SSLCredentialType::kX509: |
264 | 0 | break; |
265 | 0 | case SSLCredentialType::kDelegated: |
266 | | // Check that the peer supports the signature over the delegated |
267 | | // credential. |
268 | 0 | if (std::find(hs->peer_sigalgs.begin(), hs->peer_sigalgs.end(), |
269 | 0 | cred->dc_algorithm) == hs->peer_sigalgs.end()) { |
270 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_COMMON_SIGNATURE_ALGORITHMS); |
271 | 0 | return false; |
272 | 0 | } |
273 | 0 | break; |
274 | 0 | default: |
275 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE); |
276 | 0 | return false; |
277 | 0 | } |
278 | | |
279 | | // If we reach here then the credential requires a signature. If |cred| is a |
280 | | // delegated credential, this also checks that the peer supports delegated |
281 | | // credentials and matched |dc_cert_verify_algorithm|. |
282 | 0 | return tls1_choose_signature_algorithm(hs, cred, out_sigalg); |
283 | 0 | } |
284 | | |
285 | | static bool check_signature_credential(SSL_HANDSHAKE *hs, |
286 | | const SSL_CREDENTIAL *cred, |
287 | 0 | uint16_t *out_sigalg) { |
288 | 0 | return ssl_check_tls13_credential_ignoring_issuer(hs, cred, out_sigalg) && |
289 | | // Use this credential if it either matches a requested issuer, |
290 | | // or does not require issuer matching. |
291 | 0 | ssl_credential_matches_requested_issuers(hs, cred); |
292 | 0 | } |
293 | | |
294 | | static bool check_pake_credential(SSL_HANDSHAKE *hs, |
295 | 0 | const SSL_CREDENTIAL *cred) { |
296 | 0 | assert(cred->type == SSLCredentialType::kSPAKE2PlusV1Server); |
297 | | // Look for a client PAKE share that matches |cred|. |
298 | 0 | if (hs->pake_share == nullptr || |
299 | 0 | hs->pake_share->named_pake != SSL_PAKE_SPAKE2PLUSV1 || |
300 | 0 | hs->pake_share->client_identity != Span(cred->client_identity) || |
301 | 0 | hs->pake_share->server_identity != Span(cred->server_identity)) { |
302 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_PAKE_MISMATCH); |
303 | 0 | return false; |
304 | 0 | } |
305 | | |
306 | 0 | return true; |
307 | 0 | } |
308 | | |
309 | 0 | static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { |
310 | | // At this point, most ClientHello extensions have already been processed by |
311 | | // the common handshake logic. Resolve the remaining non-PSK parameters. |
312 | 0 | SSL *const ssl = hs->ssl; |
313 | 0 | SSLMessage msg; |
314 | 0 | SSL_CLIENT_HELLO client_hello; |
315 | 0 | if (!hs->GetClientHello(&msg, &client_hello)) { |
316 | 0 | return ssl_hs_error; |
317 | 0 | } |
318 | | |
319 | 0 | if (SSL_is_quic(ssl) && client_hello.session_id_len > 0) { |
320 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_COMPATIBILITY_MODE); |
321 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
322 | 0 | return ssl_hs_error; |
323 | 0 | } |
324 | | // DTLS 1.3 disables compatibility mode, and even if the client advertised a |
325 | | // session ID (for resumption in DTLS 1.2), the server "MUST NOT echo the |
326 | | // 'legacy_session_id' value from the client" (RFC 9147, section 5) as it |
327 | | // would in a TLS 1.3 handshake. |
328 | 0 | if (!SSL_is_dtls(ssl)) { |
329 | 0 | hs->session_id.CopyFrom( |
330 | 0 | Span(client_hello.session_id, client_hello.session_id_len)); |
331 | 0 | } |
332 | |
|
333 | 0 | Array<SSL_CREDENTIAL *> creds; |
334 | 0 | if (!ssl_get_full_credential_list(hs, &creds)) { |
335 | 0 | return ssl_hs_error; |
336 | 0 | } |
337 | 0 | if (creds.empty()) { |
338 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); |
339 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
340 | 0 | return ssl_hs_error; |
341 | 0 | } |
342 | | |
343 | | // Select the credential to use. |
344 | 0 | for (SSL_CREDENTIAL *cred : creds) { |
345 | 0 | ERR_clear_error(); |
346 | 0 | if (cred->type == SSLCredentialType::kSPAKE2PlusV1Server) { |
347 | 0 | if (check_pake_credential(hs, cred)) { |
348 | 0 | hs->credential = UpRef(cred); |
349 | 0 | hs->pake_verifier = MakeUnique<spake2plus::Verifier>(); |
350 | 0 | if (hs->pake_verifier == nullptr || |
351 | 0 | !hs->pake_verifier->Init(cred->pake_context, cred->client_identity, |
352 | 0 | cred->server_identity, |
353 | 0 | cred->password_verifier_w0, |
354 | 0 | cred->registration_record)) { |
355 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
356 | 0 | return ssl_hs_error; |
357 | 0 | } |
358 | 0 | break; |
359 | 0 | } |
360 | 0 | } else { |
361 | 0 | uint16_t sigalg; |
362 | 0 | if (check_signature_credential(hs, cred, &sigalg)) { |
363 | 0 | hs->credential = UpRef(cred); |
364 | 0 | hs->signature_algorithm = sigalg; |
365 | 0 | break; |
366 | 0 | } |
367 | 0 | } |
368 | 0 | } |
369 | 0 | if (hs->credential == nullptr) { |
370 | | // The error from the last attempt is in the error queue. |
371 | 0 | assert(ERR_peek_error() != 0); |
372 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
373 | 0 | return ssl_hs_error; |
374 | 0 | } |
375 | | |
376 | | // Negotiate the cipher suite. |
377 | 0 | hs->new_cipher = choose_tls13_cipher(ssl, &client_hello); |
378 | 0 | if (hs->new_cipher == NULL) { |
379 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); |
380 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
381 | 0 | return ssl_hs_error; |
382 | 0 | } |
383 | | |
384 | | // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was |
385 | | // deferred. Complete it now. |
386 | 0 | uint8_t alert = SSL_AD_DECODE_ERROR; |
387 | 0 | if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { |
388 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
389 | 0 | return ssl_hs_error; |
390 | 0 | } |
391 | | |
392 | | // The PRF hash is now known. |
393 | 0 | if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) { |
394 | 0 | return ssl_hs_error; |
395 | 0 | } |
396 | | |
397 | 0 | hs->tls13_state = state13_select_session; |
398 | 0 | return ssl_hs_ok; |
399 | 0 | } |
400 | | |
401 | | static enum ssl_ticket_aead_result_t select_session( |
402 | | SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session, |
403 | | int32_t *out_ticket_age_skew, bool *out_offered_ticket, |
404 | 0 | const SSLMessage &msg, const SSL_CLIENT_HELLO *client_hello) { |
405 | 0 | SSL *const ssl = hs->ssl; |
406 | 0 | *out_session = nullptr; |
407 | |
|
408 | 0 | CBS pre_shared_key; |
409 | 0 | *out_offered_ticket = ssl_client_hello_get_extension( |
410 | 0 | client_hello, &pre_shared_key, TLSEXT_TYPE_pre_shared_key); |
411 | 0 | if (!*out_offered_ticket) { |
412 | 0 | return ssl_ticket_aead_ignore_ticket; |
413 | 0 | } |
414 | | |
415 | | // Per RFC 8446, section 4.2.9, servers MUST abort the handshake if the client |
416 | | // sends pre_shared_key without psk_key_exchange_modes. |
417 | 0 | CBS unused; |
418 | 0 | if (!ssl_client_hello_get_extension(client_hello, &unused, |
419 | 0 | TLSEXT_TYPE_psk_key_exchange_modes)) { |
420 | 0 | *out_alert = SSL_AD_MISSING_EXTENSION; |
421 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); |
422 | 0 | return ssl_ticket_aead_error; |
423 | 0 | } |
424 | | |
425 | 0 | CBS ticket, binders; |
426 | 0 | uint32_t client_ticket_age; |
427 | 0 | if (!ssl_ext_pre_shared_key_parse_clienthello( |
428 | 0 | hs, &ticket, &binders, &client_ticket_age, out_alert, client_hello, |
429 | 0 | &pre_shared_key)) { |
430 | 0 | return ssl_ticket_aead_error; |
431 | 0 | } |
432 | | |
433 | | // If the peer did not offer psk_dhe, ignore the resumption. |
434 | 0 | if (!hs->accept_psk_mode) { |
435 | 0 | return ssl_ticket_aead_ignore_ticket; |
436 | 0 | } |
437 | | |
438 | | // We do not currently support resumption with PAKEs. |
439 | 0 | if (hs->credential != nullptr && |
440 | 0 | hs->credential->type == SSLCredentialType::kSPAKE2PlusV1Server) { |
441 | 0 | return ssl_ticket_aead_ignore_ticket; |
442 | 0 | } |
443 | | |
444 | | // TLS 1.3 session tickets are renewed separately as part of the |
445 | | // NewSessionTicket. |
446 | 0 | bool unused_renew; |
447 | 0 | UniquePtr<SSL_SESSION> session; |
448 | 0 | enum ssl_ticket_aead_result_t ret = |
449 | 0 | ssl_process_ticket(hs, &session, &unused_renew, ticket, {}); |
450 | 0 | switch (ret) { |
451 | 0 | case ssl_ticket_aead_success: |
452 | 0 | break; |
453 | 0 | case ssl_ticket_aead_error: |
454 | 0 | *out_alert = SSL_AD_INTERNAL_ERROR; |
455 | 0 | return ret; |
456 | 0 | default: |
457 | 0 | return ret; |
458 | 0 | } |
459 | | |
460 | 0 | if (!ssl_session_is_resumable(hs, session.get()) || |
461 | | // Historically, some TLS 1.3 tickets were missing ticket_age_add. |
462 | 0 | !session->ticket_age_add_valid) { |
463 | 0 | return ssl_ticket_aead_ignore_ticket; |
464 | 0 | } |
465 | | |
466 | | // Recover the client ticket age and convert to seconds. |
467 | 0 | client_ticket_age -= session->ticket_age_add; |
468 | 0 | client_ticket_age /= 1000; |
469 | |
|
470 | 0 | OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get()); |
471 | | |
472 | | // Compute the server ticket age in seconds. |
473 | 0 | assert(now.tv_sec >= session->time); |
474 | 0 | uint64_t server_ticket_age = now.tv_sec - session->time; |
475 | | |
476 | | // To avoid overflowing |hs->ticket_age_skew|, we will not resume |
477 | | // 68-year-old sessions. |
478 | 0 | if (server_ticket_age > INT32_MAX) { |
479 | 0 | return ssl_ticket_aead_ignore_ticket; |
480 | 0 | } |
481 | | |
482 | 0 | *out_ticket_age_skew = static_cast<int32_t>(client_ticket_age) - |
483 | 0 | static_cast<int32_t>(server_ticket_age); |
484 | | |
485 | | // Check the PSK binder. |
486 | 0 | if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) { |
487 | 0 | *out_alert = SSL_AD_DECRYPT_ERROR; |
488 | 0 | return ssl_ticket_aead_error; |
489 | 0 | } |
490 | | |
491 | 0 | *out_session = std::move(session); |
492 | 0 | return ssl_ticket_aead_success; |
493 | 0 | } |
494 | | |
495 | | static bool quic_ticket_compatible(const SSL_SESSION *session, |
496 | 0 | const SSL_CONFIG *config) { |
497 | 0 | if (!session->is_quic) { |
498 | 0 | return true; |
499 | 0 | } |
500 | | |
501 | 0 | if (session->quic_early_data_context.empty() || |
502 | 0 | config->quic_early_data_context.size() != |
503 | 0 | session->quic_early_data_context.size() || |
504 | 0 | CRYPTO_memcmp(config->quic_early_data_context.data(), |
505 | 0 | session->quic_early_data_context.data(), |
506 | 0 | session->quic_early_data_context.size()) != 0) { |
507 | 0 | return false; |
508 | 0 | } |
509 | 0 | return true; |
510 | 0 | } |
511 | | |
512 | 0 | static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { |
513 | 0 | SSL *const ssl = hs->ssl; |
514 | 0 | SSLMessage msg; |
515 | 0 | SSL_CLIENT_HELLO client_hello; |
516 | 0 | if (!hs->GetClientHello(&msg, &client_hello)) { |
517 | 0 | return ssl_hs_error; |
518 | 0 | } |
519 | | |
520 | 0 | uint8_t alert = SSL_AD_DECODE_ERROR; |
521 | 0 | UniquePtr<SSL_SESSION> session; |
522 | 0 | bool offered_ticket = false; |
523 | 0 | switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew, |
524 | 0 | &offered_ticket, msg, &client_hello)) { |
525 | 0 | case ssl_ticket_aead_ignore_ticket: |
526 | 0 | assert(!session); |
527 | 0 | if (!ssl_get_new_session(hs)) { |
528 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
529 | 0 | return ssl_hs_error; |
530 | 0 | } |
531 | 0 | break; |
532 | | |
533 | 0 | case ssl_ticket_aead_success: |
534 | | // Carry over authentication information from the previous handshake into |
535 | | // a fresh session. |
536 | 0 | hs->new_session = |
537 | 0 | SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY); |
538 | 0 | if (hs->new_session == nullptr) { |
539 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
540 | 0 | return ssl_hs_error; |
541 | 0 | } |
542 | | |
543 | 0 | ssl->s3->session_reused = true; |
544 | 0 | hs->can_release_private_key = true; |
545 | | |
546 | | // Resumption incorporates fresh key material, so refresh the timeout. |
547 | 0 | ssl_session_renew_timeout(ssl, hs->new_session.get(), |
548 | 0 | ssl->session_ctx->session_psk_dhe_timeout); |
549 | 0 | break; |
550 | | |
551 | 0 | case ssl_ticket_aead_error: |
552 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
553 | 0 | return ssl_hs_error; |
554 | | |
555 | 0 | case ssl_ticket_aead_retry: |
556 | 0 | hs->tls13_state = state13_select_session; |
557 | 0 | return ssl_hs_pending_ticket; |
558 | 0 | } |
559 | | |
560 | | // Negotiate ALPS now, after ALPN is negotiated and |hs->new_session| is |
561 | | // initialized. |
562 | 0 | if (!ssl_negotiate_alps(hs, &alert, &client_hello)) { |
563 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
564 | 0 | return ssl_hs_error; |
565 | 0 | } |
566 | | |
567 | | // Record connection properties in the new session. |
568 | 0 | hs->new_session->cipher = hs->new_cipher; |
569 | | |
570 | | // If using key shares, resolve the supported group and determine if we need |
571 | | // HelloRetryRequest. |
572 | 0 | bool need_hrr = false; |
573 | 0 | if (hs->pake_verifier == nullptr) { |
574 | 0 | if (!tls1_get_shared_group(hs, &hs->new_session->group_id)) { |
575 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_GROUP); |
576 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
577 | 0 | return ssl_hs_error; |
578 | 0 | } |
579 | 0 | bool found_key_share; |
580 | 0 | if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, |
581 | 0 | /*out_key_share=*/nullptr, &alert, |
582 | 0 | &client_hello)) { |
583 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
584 | 0 | return ssl_hs_error; |
585 | 0 | } |
586 | 0 | need_hrr = !found_key_share; |
587 | 0 | } |
588 | | |
589 | | // Determine if we're negotiating 0-RTT. |
590 | 0 | if (!ssl->enable_early_data) { |
591 | 0 | ssl->s3->early_data_reason = ssl_early_data_disabled; |
592 | 0 | } else if (!offered_ticket) { |
593 | 0 | ssl->s3->early_data_reason = ssl_early_data_no_session_offered; |
594 | 0 | } else if (!session) { |
595 | 0 | ssl->s3->early_data_reason = ssl_early_data_session_not_resumed; |
596 | 0 | } else if (session->ticket_max_early_data == 0) { |
597 | 0 | ssl->s3->early_data_reason = ssl_early_data_unsupported_for_session; |
598 | 0 | } else if (!hs->early_data_offered) { |
599 | 0 | ssl->s3->early_data_reason = ssl_early_data_peer_declined; |
600 | 0 | } else if (hs->channel_id_negotiated) { |
601 | | // Channel ID is incompatible with 0-RTT. |
602 | 0 | ssl->s3->early_data_reason = ssl_early_data_channel_id; |
603 | 0 | } else if (Span(ssl->s3->alpn_selected) != session->early_alpn) { |
604 | | // The negotiated ALPN must match the one in the ticket. |
605 | 0 | ssl->s3->early_data_reason = ssl_early_data_alpn_mismatch; |
606 | 0 | } else if (hs->new_session->has_application_settings != |
607 | 0 | session->has_application_settings || |
608 | 0 | Span(hs->new_session->local_application_settings) != |
609 | 0 | session->local_application_settings) { |
610 | 0 | ssl->s3->early_data_reason = ssl_early_data_alps_mismatch; |
611 | 0 | } else if (ssl->s3->ticket_age_skew < -kMaxTicketAgeSkewSeconds || |
612 | 0 | kMaxTicketAgeSkewSeconds < ssl->s3->ticket_age_skew) { |
613 | 0 | ssl->s3->early_data_reason = ssl_early_data_ticket_age_skew; |
614 | 0 | } else if (!quic_ticket_compatible(session.get(), hs->config)) { |
615 | 0 | ssl->s3->early_data_reason = ssl_early_data_quic_parameter_mismatch; |
616 | 0 | } else if (need_hrr) { |
617 | 0 | ssl->s3->early_data_reason = ssl_early_data_hello_retry_request; |
618 | 0 | } else { |
619 | | // |ssl_session_is_resumable| forbids cross-cipher resumptions even if the |
620 | | // PRF hashes match. |
621 | 0 | assert(hs->new_cipher == session->cipher); |
622 | | |
623 | 0 | ssl->s3->early_data_reason = ssl_early_data_accepted; |
624 | 0 | ssl->s3->early_data_accepted = true; |
625 | 0 | } |
626 | | |
627 | | // Store the ALPN and ALPS values in the session for 0-RTT. Note the peer |
628 | | // applications settings are not generally known until client |
629 | | // EncryptedExtensions. |
630 | 0 | if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) { |
631 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
632 | 0 | return ssl_hs_error; |
633 | 0 | } |
634 | | |
635 | | // The peer applications settings are usually received later, in |
636 | | // EncryptedExtensions. But, in 0-RTT handshakes, we carry over the |
637 | | // values from |session|. Do this now, before |session| is discarded. |
638 | 0 | if (ssl->s3->early_data_accepted && |
639 | 0 | hs->new_session->has_application_settings && |
640 | 0 | !hs->new_session->peer_application_settings.CopyFrom( |
641 | 0 | session->peer_application_settings)) { |
642 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
643 | 0 | return ssl_hs_error; |
644 | 0 | } |
645 | | |
646 | | // Copy the QUIC early data context to the session. |
647 | 0 | if (ssl->enable_early_data && SSL_is_quic(ssl)) { |
648 | 0 | if (!hs->new_session->quic_early_data_context.CopyFrom( |
649 | 0 | hs->config->quic_early_data_context)) { |
650 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
651 | 0 | return ssl_hs_error; |
652 | 0 | } |
653 | 0 | } |
654 | | |
655 | 0 | if (ssl->ctx->dos_protection_cb != NULL && |
656 | 0 | ssl->ctx->dos_protection_cb(&client_hello) == 0) { |
657 | | // Connection rejected for DOS reasons. |
658 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); |
659 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
660 | 0 | return ssl_hs_error; |
661 | 0 | } |
662 | | |
663 | 0 | size_t hash_len = EVP_MD_size( |
664 | 0 | ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher)); |
665 | | |
666 | | // Set up the key schedule and incorporate the PSK into the running secret. |
667 | 0 | if (!tls13_init_key_schedule(hs, ssl->s3->session_reused |
668 | 0 | ? Span(hs->new_session->secret) |
669 | 0 | : Span(kZeroes, hash_len)) || |
670 | 0 | !ssl_hash_message(hs, msg)) { |
671 | 0 | return ssl_hs_error; |
672 | 0 | } |
673 | | |
674 | 0 | if (ssl->s3->early_data_accepted) { |
675 | 0 | if (!tls13_derive_early_secret(hs)) { |
676 | 0 | return ssl_hs_error; |
677 | 0 | } |
678 | 0 | } else if (hs->early_data_offered) { |
679 | 0 | ssl->s3->skip_early_data = true; |
680 | 0 | } |
681 | | |
682 | 0 | if (need_hrr) { |
683 | 0 | ssl->method->next_message(ssl); |
684 | 0 | if (!hs->transcript.UpdateForHelloRetryRequest()) { |
685 | 0 | return ssl_hs_error; |
686 | 0 | } |
687 | 0 | hs->tls13_state = state13_send_hello_retry_request; |
688 | 0 | return ssl_hs_ok; |
689 | 0 | } |
690 | | |
691 | 0 | if (hs->pake_verifier) { |
692 | 0 | assert(!ssl->s3->session_reused); |
693 | | // Revealing the PAKE share (notably confirmV) allows the client to confirm |
694 | | // one PAKE guess, so we must deduct from the brute force limit. |
695 | 0 | if (!hs->credential->ClaimPAKEAttempt()) { |
696 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_PAKE_EXHAUSTED); |
697 | 0 | ssl_send_alert(hs->ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
698 | 0 | return ssl_hs_error; |
699 | 0 | } |
700 | 0 | if (!resolve_pake_secret(hs)) { |
701 | 0 | return ssl_hs_error; |
702 | 0 | } |
703 | 0 | } else { |
704 | 0 | if (!resolve_ecdhe_secret(hs, &client_hello)) { |
705 | 0 | return ssl_hs_error; |
706 | 0 | } |
707 | 0 | } |
708 | | |
709 | 0 | ssl->method->next_message(ssl); |
710 | 0 | hs->ech_client_hello_buf.Reset(); |
711 | 0 | hs->tls13_state = state13_send_server_hello; |
712 | 0 | return ssl_hs_ok; |
713 | 0 | } |
714 | | |
715 | 0 | static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { |
716 | 0 | SSL *const ssl = hs->ssl; |
717 | 0 | if (hs->hints_requested) { |
718 | 0 | return ssl_hs_hints_ready; |
719 | 0 | } |
720 | | |
721 | | // Although a server could HelloRetryRequest with PAKEs to request a cookie, |
722 | | // we never do so. |
723 | 0 | assert(hs->pake_verifier == nullptr); |
724 | 0 | ScopedCBB cbb; |
725 | 0 | CBB body, session_id, extensions; |
726 | 0 | if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || |
727 | 0 | !CBB_add_u16(&body, |
728 | 0 | SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION) || |
729 | 0 | !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) || |
730 | 0 | !CBB_add_u8_length_prefixed(&body, &session_id) || |
731 | 0 | !CBB_add_bytes(&session_id, hs->session_id.data(), |
732 | 0 | hs->session_id.size()) || |
733 | 0 | !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) || |
734 | 0 | !CBB_add_u8(&body, 0 /* no compression */) || |
735 | 0 | !CBB_add_u16_length_prefixed(&body, &extensions) || |
736 | 0 | !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) || |
737 | 0 | !CBB_add_u16(&extensions, 2 /* length */) || |
738 | 0 | !CBB_add_u16(&extensions, ssl->s3->version) || |
739 | 0 | !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) || |
740 | 0 | !CBB_add_u16(&extensions, 2 /* length */) || |
741 | 0 | !CBB_add_u16(&extensions, hs->new_session->group_id)) { |
742 | 0 | return ssl_hs_error; |
743 | 0 | } |
744 | 0 | if (hs->ech_is_inner) { |
745 | | // Fill a placeholder for the ECH confirmation value. |
746 | 0 | if (!CBB_add_u16(&extensions, TLSEXT_TYPE_encrypted_client_hello) || |
747 | 0 | !CBB_add_u16(&extensions, ECH_CONFIRMATION_SIGNAL_LEN) || |
748 | 0 | !CBB_add_zeros(&extensions, ECH_CONFIRMATION_SIGNAL_LEN)) { |
749 | 0 | return ssl_hs_error; |
750 | 0 | } |
751 | 0 | } |
752 | 0 | Array<uint8_t> hrr; |
753 | 0 | if (!ssl->method->finish_message(ssl, cbb.get(), &hrr)) { |
754 | 0 | return ssl_hs_error; |
755 | 0 | } |
756 | 0 | if (hs->ech_is_inner) { |
757 | | // Now that the message is encoded, fill in the whole value. |
758 | 0 | size_t offset = hrr.size() - ECH_CONFIRMATION_SIGNAL_LEN; |
759 | 0 | if (!ssl_ech_accept_confirmation( |
760 | 0 | hs, Span(hrr).last(ECH_CONFIRMATION_SIGNAL_LEN), |
761 | 0 | ssl->s3->client_random, hs->transcript, /*is_hrr=*/true, hrr, |
762 | 0 | offset)) { |
763 | 0 | return ssl_hs_error; |
764 | 0 | } |
765 | 0 | } |
766 | | |
767 | 0 | if (!ssl->method->add_message(ssl, std::move(hrr)) || |
768 | 0 | !ssl->method->add_change_cipher_spec(ssl)) { |
769 | 0 | return ssl_hs_error; |
770 | 0 | } |
771 | | |
772 | 0 | ssl->s3->used_hello_retry_request = true; |
773 | 0 | hs->tls13_state = state13_read_second_client_hello; |
774 | 0 | return ssl_hs_flush; |
775 | 0 | } |
776 | | |
777 | 0 | static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) { |
778 | 0 | SSL *const ssl = hs->ssl; |
779 | 0 | SSLMessage msg; |
780 | 0 | if (!ssl->method->get_message(ssl, &msg)) { |
781 | 0 | return ssl_hs_read_message; |
782 | 0 | } |
783 | 0 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) { |
784 | 0 | return ssl_hs_error; |
785 | 0 | } |
786 | 0 | SSL_CLIENT_HELLO client_hello; |
787 | 0 | if (!SSL_parse_client_hello(ssl, &client_hello, CBS_data(&msg.body), |
788 | 0 | CBS_len(&msg.body))) { |
789 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
790 | 0 | return ssl_hs_error; |
791 | 0 | } |
792 | | |
793 | 0 | if (ssl->s3->ech_status == ssl_ech_accepted) { |
794 | | // If we previously accepted the ClientHelloInner, the second ClientHello |
795 | | // must contain an outer encrypted_client_hello extension. |
796 | 0 | CBS ech_body; |
797 | 0 | if (!ssl_client_hello_get_extension(&client_hello, &ech_body, |
798 | 0 | TLSEXT_TYPE_encrypted_client_hello)) { |
799 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); |
800 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); |
801 | 0 | return ssl_hs_error; |
802 | 0 | } |
803 | 0 | uint16_t kdf_id, aead_id; |
804 | 0 | uint8_t type, config_id; |
805 | 0 | CBS enc, payload; |
806 | 0 | if (!CBS_get_u8(&ech_body, &type) || // |
807 | 0 | type != ECH_CLIENT_OUTER || // |
808 | 0 | !CBS_get_u16(&ech_body, &kdf_id) || // |
809 | 0 | !CBS_get_u16(&ech_body, &aead_id) || |
810 | 0 | !CBS_get_u8(&ech_body, &config_id) || |
811 | 0 | !CBS_get_u16_length_prefixed(&ech_body, &enc) || |
812 | 0 | !CBS_get_u16_length_prefixed(&ech_body, &payload) || |
813 | 0 | CBS_len(&ech_body) != 0) { |
814 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
815 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
816 | 0 | return ssl_hs_error; |
817 | 0 | } |
818 | | |
819 | 0 | if (kdf_id != EVP_HPKE_KDF_id(EVP_HPKE_CTX_kdf(hs->ech_hpke_ctx.get())) || |
820 | 0 | aead_id != |
821 | 0 | EVP_HPKE_AEAD_id(EVP_HPKE_CTX_aead(hs->ech_hpke_ctx.get())) || |
822 | 0 | config_id != hs->ech_config_id || CBS_len(&enc) > 0) { |
823 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
824 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
825 | 0 | return ssl_hs_error; |
826 | 0 | } |
827 | | |
828 | | // Decrypt the payload with the HPKE context from the first ClientHello. |
829 | 0 | uint8_t alert = SSL_AD_DECODE_ERROR; |
830 | 0 | bool unused; |
831 | 0 | if (!ssl_client_hello_decrypt(hs, &alert, &unused, |
832 | 0 | &hs->ech_client_hello_buf, &client_hello, |
833 | 0 | payload)) { |
834 | | // Decryption failure is fatal in the second ClientHello. |
835 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); |
836 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
837 | 0 | return ssl_hs_error; |
838 | 0 | } |
839 | | |
840 | | // Reparse |client_hello| from the buffer owned by |hs|. |
841 | 0 | if (!hs->GetClientHello(&msg, &client_hello)) { |
842 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
843 | 0 | return ssl_hs_error; |
844 | 0 | } |
845 | 0 | } |
846 | | |
847 | | // We perform all our negotiation based on the first ClientHello (for |
848 | | // consistency with what |select_certificate_cb| observed), which is in the |
849 | | // transcript, so we can ignore most of this second one. |
850 | | // |
851 | | // We do, however, check the second PSK binder. This covers the client key |
852 | | // share, in case we ever send half-RTT data (we currently do not). It is also |
853 | | // a tricky computation, so we enforce the peer handled it correctly. |
854 | 0 | if (ssl->s3->session_reused) { |
855 | 0 | CBS pre_shared_key; |
856 | 0 | if (!ssl_client_hello_get_extension(&client_hello, &pre_shared_key, |
857 | 0 | TLSEXT_TYPE_pre_shared_key)) { |
858 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_INCONSISTENT_CLIENT_HELLO); |
859 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
860 | 0 | return ssl_hs_error; |
861 | 0 | } |
862 | | |
863 | 0 | CBS ticket, binders; |
864 | 0 | uint32_t client_ticket_age; |
865 | 0 | uint8_t alert = SSL_AD_DECODE_ERROR; |
866 | 0 | if (!ssl_ext_pre_shared_key_parse_clienthello( |
867 | 0 | hs, &ticket, &binders, &client_ticket_age, &alert, &client_hello, |
868 | 0 | &pre_shared_key)) { |
869 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
870 | 0 | return ssl_hs_error; |
871 | 0 | } |
872 | | |
873 | | // Note it is important that we do not obtain a new |SSL_SESSION| from |
874 | | // |ticket|. We have already selected parameters based on the first |
875 | | // ClientHello (in the transcript) and must not switch partway through. |
876 | 0 | if (!tls13_verify_psk_binder(hs, hs->new_session.get(), msg, &binders)) { |
877 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
878 | 0 | return ssl_hs_error; |
879 | 0 | } |
880 | 0 | } |
881 | | |
882 | | // Although a server could HelloRetryRequest with PAKEs to request a cookie, |
883 | | // we never do so. |
884 | 0 | assert(hs->pake_verifier == nullptr); |
885 | 0 | if (!resolve_ecdhe_secret(hs, &client_hello)) { |
886 | 0 | return ssl_hs_error; |
887 | 0 | } |
888 | | |
889 | 0 | if (!ssl_hash_message(hs, msg)) { |
890 | 0 | return ssl_hs_error; |
891 | 0 | } |
892 | | |
893 | | // ClientHello should be the end of the flight. |
894 | 0 | if (ssl->method->has_unprocessed_handshake_data(ssl)) { |
895 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); |
896 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA); |
897 | 0 | return ssl_hs_error; |
898 | 0 | } |
899 | | |
900 | 0 | ssl->method->next_message(ssl); |
901 | 0 | hs->ech_client_hello_buf.Reset(); |
902 | 0 | hs->tls13_state = state13_send_server_hello; |
903 | 0 | return ssl_hs_ok; |
904 | 0 | } |
905 | | |
906 | 0 | static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { |
907 | 0 | SSL *const ssl = hs->ssl; |
908 | |
|
909 | 0 | Span<uint8_t> random(ssl->s3->server_random); |
910 | |
|
911 | 0 | SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); |
912 | 0 | if (hints && !hs->hints_requested && |
913 | 0 | hints->server_random_tls13.size() == random.size()) { |
914 | 0 | OPENSSL_memcpy(random.data(), hints->server_random_tls13.data(), |
915 | 0 | random.size()); |
916 | 0 | } else { |
917 | 0 | RAND_bytes(random.data(), random.size()); |
918 | 0 | if (hints && hs->hints_requested && |
919 | 0 | !hints->server_random_tls13.CopyFrom(random)) { |
920 | 0 | return ssl_hs_error; |
921 | 0 | } |
922 | 0 | } |
923 | | |
924 | 0 | Array<uint8_t> server_hello; |
925 | 0 | ScopedCBB cbb; |
926 | 0 | CBB body, extensions, session_id; |
927 | 0 | if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || |
928 | 0 | !CBB_add_u16(&body, |
929 | 0 | SSL_is_dtls(ssl) ? DTLS1_2_VERSION : TLS1_2_VERSION) || |
930 | 0 | !CBB_add_bytes(&body, ssl->s3->server_random, |
931 | 0 | sizeof(ssl->s3->server_random)) || |
932 | 0 | !CBB_add_u8_length_prefixed(&body, &session_id) || |
933 | 0 | !CBB_add_bytes(&session_id, hs->session_id.data(), |
934 | 0 | hs->session_id.size()) || |
935 | 0 | !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) || |
936 | 0 | !CBB_add_u8(&body, 0) || |
937 | 0 | !CBB_add_u16_length_prefixed(&body, &extensions) || |
938 | 0 | !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) || |
939 | 0 | !ssl_ext_pake_add_serverhello(hs, &extensions) || |
940 | 0 | !ssl_ext_key_share_add_serverhello(hs, &extensions) || |
941 | 0 | !ssl_ext_supported_versions_add_serverhello(hs, &extensions) || |
942 | 0 | !ssl->method->finish_message(ssl, cbb.get(), &server_hello)) { |
943 | 0 | return ssl_hs_error; |
944 | 0 | } |
945 | | |
946 | 0 | assert(ssl->s3->ech_status != ssl_ech_accepted || hs->ech_is_inner); |
947 | 0 | if (hs->ech_is_inner) { |
948 | | // Fill in the ECH confirmation signal. |
949 | 0 | const size_t offset = ssl_ech_confirmation_signal_hello_offset(ssl); |
950 | 0 | Span<uint8_t> random_suffix = random.last(ECH_CONFIRMATION_SIGNAL_LEN); |
951 | 0 | if (!ssl_ech_accept_confirmation(hs, random_suffix, ssl->s3->client_random, |
952 | 0 | hs->transcript, |
953 | 0 | /*is_hrr=*/false, server_hello, offset)) { |
954 | 0 | return ssl_hs_error; |
955 | 0 | } |
956 | | |
957 | | // Update |server_hello|. |
958 | 0 | Span<uint8_t> server_hello_out = |
959 | 0 | Span(server_hello).subspan(offset, ECH_CONFIRMATION_SIGNAL_LEN); |
960 | 0 | OPENSSL_memcpy(server_hello_out.data(), random_suffix.data(), |
961 | 0 | ECH_CONFIRMATION_SIGNAL_LEN); |
962 | 0 | } |
963 | | |
964 | 0 | if (!ssl->method->add_message(ssl, std::move(server_hello))) { |
965 | 0 | return ssl_hs_error; |
966 | 0 | } |
967 | | |
968 | 0 | hs->key_share_ciphertext.Reset(); // No longer needed. |
969 | 0 | if (!ssl->s3->used_hello_retry_request && |
970 | 0 | !ssl->method->add_change_cipher_spec(ssl)) { |
971 | 0 | return ssl_hs_error; |
972 | 0 | } |
973 | | |
974 | | // Derive and enable the handshake traffic secrets. |
975 | 0 | if (!tls13_derive_handshake_secrets(hs) || |
976 | 0 | !tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_seal, |
977 | 0 | hs->new_session.get(), |
978 | 0 | hs->server_handshake_secret)) { |
979 | 0 | return ssl_hs_error; |
980 | 0 | } |
981 | | |
982 | | // Send EncryptedExtensions. |
983 | 0 | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
984 | 0 | SSL3_MT_ENCRYPTED_EXTENSIONS) || |
985 | 0 | !ssl_add_serverhello_tlsext(hs, &body) || |
986 | 0 | !ssl_add_message_cbb(ssl, cbb.get())) { |
987 | 0 | return ssl_hs_error; |
988 | 0 | } |
989 | | |
990 | 0 | if (!ssl->s3->session_reused && !hs->pake_verifier) { |
991 | | // Determine whether to request a client certificate. |
992 | 0 | hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER); |
993 | 0 | } |
994 | | |
995 | | // Send a CertificateRequest, if necessary. |
996 | 0 | if (hs->cert_request) { |
997 | 0 | CBB cert_request_extensions, sigalg_contents, sigalgs_cbb; |
998 | 0 | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
999 | 0 | SSL3_MT_CERTIFICATE_REQUEST) || |
1000 | 0 | !CBB_add_u8(&body, 0 /* no certificate_request_context. */) || |
1001 | 0 | !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) || |
1002 | 0 | !CBB_add_u16(&cert_request_extensions, |
1003 | 0 | TLSEXT_TYPE_signature_algorithms) || |
1004 | 0 | !CBB_add_u16_length_prefixed(&cert_request_extensions, |
1005 | 0 | &sigalg_contents) || |
1006 | 0 | !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) || |
1007 | 0 | !tls12_add_verify_sigalgs(hs, &sigalgs_cbb)) { |
1008 | 0 | return ssl_hs_error; |
1009 | 0 | } |
1010 | | |
1011 | 0 | if (ssl_has_client_CAs(hs->config)) { |
1012 | 0 | CBB ca_contents; |
1013 | 0 | if (!CBB_add_u16(&cert_request_extensions, |
1014 | 0 | TLSEXT_TYPE_certificate_authorities) || |
1015 | 0 | !CBB_add_u16_length_prefixed(&cert_request_extensions, |
1016 | 0 | &ca_contents) || |
1017 | 0 | !ssl_add_client_CA_list(hs, &ca_contents) || |
1018 | 0 | !CBB_flush(&cert_request_extensions)) { |
1019 | 0 | return ssl_hs_error; |
1020 | 0 | } |
1021 | 0 | } |
1022 | | |
1023 | 0 | if (!ssl_add_message_cbb(ssl, cbb.get())) { |
1024 | 0 | return ssl_hs_error; |
1025 | 0 | } |
1026 | 0 | } |
1027 | | |
1028 | | // Send the server Certificate message, if necessary. |
1029 | 0 | if (!ssl->s3->session_reused && !hs->pake_verifier) { |
1030 | 0 | if (!tls13_add_certificate(hs)) { |
1031 | 0 | return ssl_hs_error; |
1032 | 0 | } |
1033 | | |
1034 | 0 | hs->tls13_state = state13_send_server_certificate_verify; |
1035 | 0 | return ssl_hs_ok; |
1036 | 0 | } |
1037 | | |
1038 | 0 | hs->tls13_state = state13_send_server_finished; |
1039 | 0 | return ssl_hs_ok; |
1040 | 0 | } |
1041 | | |
1042 | 0 | static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) { |
1043 | 0 | switch (tls13_add_certificate_verify(hs)) { |
1044 | 0 | case ssl_private_key_success: |
1045 | 0 | hs->tls13_state = state13_send_server_finished; |
1046 | 0 | return ssl_hs_ok; |
1047 | | |
1048 | 0 | case ssl_private_key_retry: |
1049 | 0 | hs->tls13_state = state13_send_server_certificate_verify; |
1050 | 0 | return ssl_hs_private_key_operation; |
1051 | | |
1052 | 0 | case ssl_private_key_failure: |
1053 | 0 | return ssl_hs_error; |
1054 | 0 | } |
1055 | | |
1056 | 0 | assert(0); |
1057 | 0 | return ssl_hs_error; |
1058 | 0 | } |
1059 | | |
1060 | 0 | static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { |
1061 | 0 | SSL *const ssl = hs->ssl; |
1062 | 0 | if (hs->hints_requested) { |
1063 | 0 | return ssl_hs_hints_ready; |
1064 | 0 | } |
1065 | | |
1066 | 0 | hs->can_release_private_key = true; |
1067 | 0 | if (!tls13_add_finished(hs) || |
1068 | | // Update the secret to the master secret and derive traffic keys. |
1069 | 0 | !tls13_advance_key_schedule(hs, |
1070 | 0 | Span(kZeroes, hs->transcript.DigestLen())) || |
1071 | 0 | !tls13_derive_application_secrets(hs) || |
1072 | 0 | !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal, |
1073 | 0 | hs->new_session.get(), |
1074 | 0 | hs->server_traffic_secret_0)) { |
1075 | 0 | return ssl_hs_error; |
1076 | 0 | } |
1077 | | |
1078 | 0 | hs->tls13_state = state13_send_half_rtt_ticket; |
1079 | 0 | return hs->handback ? ssl_hs_handback : ssl_hs_ok; |
1080 | 0 | } |
1081 | | |
1082 | 0 | static enum ssl_hs_wait_t do_send_half_rtt_ticket(SSL_HANDSHAKE *hs) { |
1083 | 0 | SSL *const ssl = hs->ssl; |
1084 | |
|
1085 | 0 | if (ssl->s3->early_data_accepted) { |
1086 | | // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on |
1087 | | // the wire sooner and also avoids triggering a write on |SSL_read| when |
1088 | | // processing the client Finished. This requires computing the client |
1089 | | // Finished early. See RFC 8446, section 4.6.1. |
1090 | 0 | static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 0, |
1091 | 0 | 0}; |
1092 | 0 | if (!SSL_is_quic(ssl) && !hs->transcript.Update(kEndOfEarlyData)) { |
1093 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1094 | 0 | return ssl_hs_error; |
1095 | 0 | } |
1096 | | |
1097 | 0 | size_t finished_len; |
1098 | 0 | hs->expected_client_finished.Resize(hs->transcript.DigestLen()); |
1099 | 0 | if (!tls13_finished_mac(hs, hs->expected_client_finished.data(), |
1100 | 0 | &finished_len, false /* client */)) { |
1101 | 0 | return ssl_hs_error; |
1102 | 0 | } |
1103 | | |
1104 | 0 | if (finished_len != hs->expected_client_finished.size()) { |
1105 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1106 | 0 | return ssl_hs_error; |
1107 | 0 | } |
1108 | | |
1109 | | // Feed the predicted Finished into the transcript. This allows us to derive |
1110 | | // the resumption secret early and send half-RTT tickets. |
1111 | | // |
1112 | | // TODO(crbug.com/381113363): Don't use half-RTT tickets with DTLS 1.3. |
1113 | | // TODO(crbug.com/376939532): Perhaps don't use half-RTT tickets at all. |
1114 | 0 | assert(!SSL_is_dtls(hs->ssl)); |
1115 | 0 | assert(hs->expected_client_finished.size() <= 0xff); |
1116 | 0 | uint8_t header[4] = { |
1117 | 0 | SSL3_MT_FINISHED, 0, 0, |
1118 | 0 | static_cast<uint8_t>(hs->expected_client_finished.size())}; |
1119 | 0 | bool unused_sent_tickets; |
1120 | 0 | if (!hs->transcript.Update(header) || |
1121 | 0 | !hs->transcript.Update(hs->expected_client_finished) || |
1122 | 0 | !tls13_derive_resumption_secret(hs) || |
1123 | 0 | !add_new_session_tickets(hs, &unused_sent_tickets)) { |
1124 | 0 | return ssl_hs_error; |
1125 | 0 | } |
1126 | 0 | } |
1127 | | |
1128 | 0 | hs->tls13_state = state13_read_second_client_flight; |
1129 | 0 | return ssl_hs_flush; |
1130 | 0 | } |
1131 | | |
1132 | 0 | static bool uses_end_of_early_data(const SSL *ssl) { |
1133 | | // DTLS and QUIC omit the EndOfEarlyData message. See RFC 9001, section 8.3, |
1134 | | // and RFC 9147, section 5.6. |
1135 | 0 | return !SSL_is_quic(ssl) && !SSL_is_dtls(ssl); |
1136 | 0 | } |
1137 | | |
1138 | 0 | static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) { |
1139 | 0 | SSL *const ssl = hs->ssl; |
1140 | 0 | if (ssl->s3->early_data_accepted) { |
1141 | 0 | if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open, |
1142 | 0 | hs->new_session.get(), |
1143 | 0 | hs->early_traffic_secret)) { |
1144 | 0 | return ssl_hs_error; |
1145 | 0 | } |
1146 | 0 | hs->can_early_write = true; |
1147 | 0 | hs->can_early_read = true; |
1148 | 0 | hs->in_early_data = true; |
1149 | 0 | } |
1150 | | |
1151 | | // If the EndOfEarlyData message is not used, switch to |
1152 | | // client_handshake_secret before the early return. |
1153 | 0 | if (!uses_end_of_early_data(ssl)) { |
1154 | 0 | if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open, |
1155 | 0 | hs->new_session.get(), |
1156 | 0 | hs->client_handshake_secret)) { |
1157 | 0 | return ssl_hs_error; |
1158 | 0 | } |
1159 | 0 | hs->tls13_state = state13_process_end_of_early_data; |
1160 | 0 | return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok; |
1161 | 0 | } |
1162 | | |
1163 | 0 | hs->tls13_state = state13_process_end_of_early_data; |
1164 | 0 | return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data |
1165 | 0 | : ssl_hs_ok; |
1166 | 0 | } |
1167 | | |
1168 | 0 | static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) { |
1169 | 0 | SSL *const ssl = hs->ssl; |
1170 | | // In protocols that use EndOfEarlyData, we must consume the extra message and |
1171 | | // switch to client_handshake_secret after the early return. |
1172 | 0 | if (uses_end_of_early_data(ssl)) { |
1173 | | // If early data was not accepted, the EndOfEarlyData will be in the |
1174 | | // discarded early data. |
1175 | 0 | if (hs->ssl->s3->early_data_accepted) { |
1176 | 0 | SSLMessage msg; |
1177 | 0 | if (!ssl->method->get_message(ssl, &msg)) { |
1178 | 0 | return ssl_hs_read_message; |
1179 | 0 | } |
1180 | 0 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) { |
1181 | 0 | return ssl_hs_error; |
1182 | 0 | } |
1183 | 0 | if (CBS_len(&msg.body) != 0) { |
1184 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1185 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1186 | 0 | return ssl_hs_error; |
1187 | 0 | } |
1188 | 0 | ssl->method->next_message(ssl); |
1189 | 0 | } |
1190 | 0 | if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open, |
1191 | 0 | hs->new_session.get(), |
1192 | 0 | hs->client_handshake_secret)) { |
1193 | 0 | return ssl_hs_error; |
1194 | 0 | } |
1195 | 0 | } |
1196 | 0 | hs->tls13_state = state13_read_client_encrypted_extensions; |
1197 | 0 | return ssl_hs_ok; |
1198 | 0 | } |
1199 | | |
1200 | | static enum ssl_hs_wait_t do_read_client_encrypted_extensions( |
1201 | 0 | SSL_HANDSHAKE *hs) { |
1202 | 0 | SSL *const ssl = hs->ssl; |
1203 | | // For now, only one extension uses client EncryptedExtensions. This function |
1204 | | // may be generalized if others use it in the future. |
1205 | 0 | if (hs->new_session->has_application_settings && |
1206 | 0 | !ssl->s3->early_data_accepted) { |
1207 | 0 | SSLMessage msg; |
1208 | 0 | if (!ssl->method->get_message(ssl, &msg)) { |
1209 | 0 | return ssl_hs_read_message; |
1210 | 0 | } |
1211 | 0 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_ENCRYPTED_EXTENSIONS)) { |
1212 | 0 | return ssl_hs_error; |
1213 | 0 | } |
1214 | | |
1215 | 0 | CBS body = msg.body, extensions; |
1216 | 0 | if (!CBS_get_u16_length_prefixed(&body, &extensions) || |
1217 | 0 | CBS_len(&body) != 0) { |
1218 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1219 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1220 | 0 | return ssl_hs_error; |
1221 | 0 | } |
1222 | | |
1223 | 0 | uint16_t extension_type = TLSEXT_TYPE_application_settings_old; |
1224 | 0 | if (hs->config->alps_use_new_codepoint) { |
1225 | 0 | extension_type = TLSEXT_TYPE_application_settings; |
1226 | 0 | } |
1227 | 0 | SSLExtension application_settings(extension_type); |
1228 | 0 | uint8_t alert = SSL_AD_DECODE_ERROR; |
1229 | 0 | if (!ssl_parse_extensions(&extensions, &alert, {&application_settings}, |
1230 | 0 | /*ignore_unknown=*/false)) { |
1231 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
1232 | 0 | return ssl_hs_error; |
1233 | 0 | } |
1234 | | |
1235 | 0 | if (!application_settings.present) { |
1236 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_EXTENSION); |
1237 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); |
1238 | 0 | return ssl_hs_error; |
1239 | 0 | } |
1240 | | |
1241 | | // Note that, if 0-RTT was accepted, these values will already have been |
1242 | | // initialized earlier. |
1243 | 0 | if (!hs->new_session->peer_application_settings.CopyFrom( |
1244 | 0 | application_settings.data) || |
1245 | 0 | !ssl_hash_message(hs, msg)) { |
1246 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1247 | 0 | return ssl_hs_error; |
1248 | 0 | } |
1249 | | |
1250 | 0 | ssl->method->next_message(ssl); |
1251 | 0 | } |
1252 | | |
1253 | 0 | hs->tls13_state = state13_read_client_certificate; |
1254 | 0 | return ssl_hs_ok; |
1255 | 0 | } |
1256 | | |
1257 | 0 | static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { |
1258 | 0 | SSL *const ssl = hs->ssl; |
1259 | 0 | if (!hs->cert_request) { |
1260 | 0 | if (!ssl->s3->session_reused) { |
1261 | | // OpenSSL returns X509_V_OK when no certificates are requested. This is |
1262 | | // classed by them as a bug, but it's assumed by at least NGINX. (Only do |
1263 | | // this in full handshakes as resumptions should carry over the previous |
1264 | | // |verify_result|, though this is a no-op because servers do not |
1265 | | // implement the client's odd soft-fail mode.) |
1266 | 0 | hs->new_session->verify_result = X509_V_OK; |
1267 | 0 | } |
1268 | | |
1269 | | // Skip this state. |
1270 | 0 | hs->tls13_state = state13_read_channel_id; |
1271 | 0 | return ssl_hs_ok; |
1272 | 0 | } |
1273 | | |
1274 | 0 | const bool allow_anonymous = |
1275 | 0 | (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0; |
1276 | 0 | SSLMessage msg; |
1277 | 0 | if (!ssl->method->get_message(ssl, &msg)) { |
1278 | 0 | return ssl_hs_read_message; |
1279 | 0 | } |
1280 | 0 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) || |
1281 | 0 | !tls13_process_certificate(hs, msg, allow_anonymous) || |
1282 | 0 | !ssl_hash_message(hs, msg)) { |
1283 | 0 | return ssl_hs_error; |
1284 | 0 | } |
1285 | | |
1286 | 0 | ssl->method->next_message(ssl); |
1287 | 0 | hs->tls13_state = state13_read_client_certificate_verify; |
1288 | 0 | return ssl_hs_ok; |
1289 | 0 | } |
1290 | | |
1291 | 0 | static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { |
1292 | 0 | SSL *const ssl = hs->ssl; |
1293 | 0 | if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) { |
1294 | | // Skip this state. |
1295 | 0 | hs->tls13_state = state13_read_channel_id; |
1296 | 0 | return ssl_hs_ok; |
1297 | 0 | } |
1298 | | |
1299 | 0 | SSLMessage msg; |
1300 | 0 | if (!ssl->method->get_message(ssl, &msg)) { |
1301 | 0 | return ssl_hs_read_message; |
1302 | 0 | } |
1303 | | |
1304 | 0 | switch (ssl_verify_peer_cert(hs)) { |
1305 | 0 | case ssl_verify_ok: |
1306 | 0 | break; |
1307 | 0 | case ssl_verify_invalid: |
1308 | 0 | return ssl_hs_error; |
1309 | 0 | case ssl_verify_retry: |
1310 | 0 | hs->tls13_state = state13_read_client_certificate_verify; |
1311 | 0 | return ssl_hs_certificate_verify; |
1312 | 0 | } |
1313 | | |
1314 | 0 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) || |
1315 | 0 | !tls13_process_certificate_verify(hs, msg) || |
1316 | 0 | !ssl_hash_message(hs, msg)) { |
1317 | 0 | return ssl_hs_error; |
1318 | 0 | } |
1319 | | |
1320 | 0 | ssl->method->next_message(ssl); |
1321 | 0 | hs->tls13_state = state13_read_channel_id; |
1322 | 0 | return ssl_hs_ok; |
1323 | 0 | } |
1324 | | |
1325 | 0 | static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) { |
1326 | 0 | SSL *const ssl = hs->ssl; |
1327 | 0 | if (!hs->channel_id_negotiated) { |
1328 | 0 | hs->tls13_state = state13_read_client_finished; |
1329 | 0 | return ssl_hs_ok; |
1330 | 0 | } |
1331 | | |
1332 | 0 | SSLMessage msg; |
1333 | 0 | if (!ssl->method->get_message(ssl, &msg)) { |
1334 | 0 | return ssl_hs_read_message; |
1335 | 0 | } |
1336 | 0 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || // |
1337 | 0 | !tls1_verify_channel_id(hs, msg) || // |
1338 | 0 | !ssl_hash_message(hs, msg)) { |
1339 | 0 | return ssl_hs_error; |
1340 | 0 | } |
1341 | | |
1342 | 0 | ssl->method->next_message(ssl); |
1343 | 0 | hs->tls13_state = state13_read_client_finished; |
1344 | 0 | return ssl_hs_ok; |
1345 | 0 | } |
1346 | | |
1347 | 0 | static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { |
1348 | 0 | SSL *const ssl = hs->ssl; |
1349 | 0 | SSLMessage msg; |
1350 | 0 | if (!ssl->method->get_message(ssl, &msg)) { |
1351 | 0 | return ssl_hs_read_message; |
1352 | 0 | } |
1353 | 0 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) || |
1354 | | // If early data was accepted, we've already computed the client Finished |
1355 | | // and derived the resumption secret. |
1356 | 0 | !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) || |
1357 | | // evp_aead_seal keys have already been switched. |
1358 | 0 | !tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_open, |
1359 | 0 | hs->new_session.get(), |
1360 | 0 | hs->client_traffic_secret_0)) { |
1361 | 0 | return ssl_hs_error; |
1362 | 0 | } |
1363 | | |
1364 | 0 | if (!ssl->s3->early_data_accepted) { |
1365 | 0 | if (!ssl_hash_message(hs, msg) || // |
1366 | 0 | !tls13_derive_resumption_secret(hs)) { |
1367 | 0 | return ssl_hs_error; |
1368 | 0 | } |
1369 | | |
1370 | | // We send post-handshake tickets as part of the handshake in 1-RTT. |
1371 | 0 | hs->tls13_state = state13_send_new_session_ticket; |
1372 | 0 | } else { |
1373 | | // We already sent half-RTT tickets. |
1374 | 0 | hs->tls13_state = state13_done; |
1375 | 0 | } |
1376 | | |
1377 | 0 | if (hs->credential != nullptr && |
1378 | 0 | hs->credential->type == SSLCredentialType::kSPAKE2PlusV1Server) { |
1379 | | // The client has now confirmed that it does know the correct password, so |
1380 | | // this connection no longer counts towards the brute force limit. |
1381 | 0 | hs->credential->RestorePAKEAttempt(); |
1382 | 0 | } |
1383 | |
|
1384 | 0 | ssl->method->next_message(ssl); |
1385 | 0 | if (SSL_is_dtls(ssl)) { |
1386 | 0 | ssl->method->schedule_ack(ssl); |
1387 | 0 | return ssl_hs_flush; |
1388 | 0 | } |
1389 | 0 | return ssl_hs_ok; |
1390 | 0 | } |
1391 | | |
1392 | 0 | static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) { |
1393 | 0 | SSL *const ssl = hs->ssl; |
1394 | 0 | bool sent_tickets; |
1395 | 0 | if (!add_new_session_tickets(hs, &sent_tickets)) { |
1396 | 0 | return ssl_hs_error; |
1397 | 0 | } |
1398 | | |
1399 | 0 | hs->tls13_state = state13_done; |
1400 | | // In QUIC and DTLS, we can flush the ticket to the transport immediately. In |
1401 | | // TLS over TCP-like transports, we defer until the server performs a write. |
1402 | | // This prevents a non-reading client from causing the server to hang in the |
1403 | | // case of a small server write buffer. Consumers which don't write data to |
1404 | | // the client will need to do a zero-byte write if they wish to flush the |
1405 | | // tickets. |
1406 | 0 | bool should_flush = sent_tickets && (SSL_is_dtls(ssl) || SSL_is_quic(ssl)); |
1407 | 0 | return should_flush ? ssl_hs_flush : ssl_hs_ok; |
1408 | 0 | } |
1409 | | |
1410 | 0 | enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) { |
1411 | 0 | while (hs->tls13_state != state13_done) { |
1412 | 0 | enum ssl_hs_wait_t ret = ssl_hs_error; |
1413 | 0 | enum tls13_server_hs_state_t state = |
1414 | 0 | static_cast<enum tls13_server_hs_state_t>(hs->tls13_state); |
1415 | 0 | switch (state) { |
1416 | 0 | case state13_select_parameters: |
1417 | 0 | ret = do_select_parameters(hs); |
1418 | 0 | break; |
1419 | 0 | case state13_select_session: |
1420 | 0 | ret = do_select_session(hs); |
1421 | 0 | break; |
1422 | 0 | case state13_send_hello_retry_request: |
1423 | 0 | ret = do_send_hello_retry_request(hs); |
1424 | 0 | break; |
1425 | 0 | case state13_read_second_client_hello: |
1426 | 0 | ret = do_read_second_client_hello(hs); |
1427 | 0 | break; |
1428 | 0 | case state13_send_server_hello: |
1429 | 0 | ret = do_send_server_hello(hs); |
1430 | 0 | break; |
1431 | 0 | case state13_send_server_certificate_verify: |
1432 | 0 | ret = do_send_server_certificate_verify(hs); |
1433 | 0 | break; |
1434 | 0 | case state13_send_server_finished: |
1435 | 0 | ret = do_send_server_finished(hs); |
1436 | 0 | break; |
1437 | 0 | case state13_send_half_rtt_ticket: |
1438 | 0 | ret = do_send_half_rtt_ticket(hs); |
1439 | 0 | break; |
1440 | 0 | case state13_read_second_client_flight: |
1441 | 0 | ret = do_read_second_client_flight(hs); |
1442 | 0 | break; |
1443 | 0 | case state13_process_end_of_early_data: |
1444 | 0 | ret = do_process_end_of_early_data(hs); |
1445 | 0 | break; |
1446 | 0 | case state13_read_client_encrypted_extensions: |
1447 | 0 | ret = do_read_client_encrypted_extensions(hs); |
1448 | 0 | break; |
1449 | 0 | case state13_read_client_certificate: |
1450 | 0 | ret = do_read_client_certificate(hs); |
1451 | 0 | break; |
1452 | 0 | case state13_read_client_certificate_verify: |
1453 | 0 | ret = do_read_client_certificate_verify(hs); |
1454 | 0 | break; |
1455 | 0 | case state13_read_channel_id: |
1456 | 0 | ret = do_read_channel_id(hs); |
1457 | 0 | break; |
1458 | 0 | case state13_read_client_finished: |
1459 | 0 | ret = do_read_client_finished(hs); |
1460 | 0 | break; |
1461 | 0 | case state13_send_new_session_ticket: |
1462 | 0 | ret = do_send_new_session_ticket(hs); |
1463 | 0 | break; |
1464 | 0 | case state13_done: |
1465 | 0 | ret = ssl_hs_ok; |
1466 | 0 | break; |
1467 | 0 | } |
1468 | | |
1469 | 0 | if (hs->tls13_state != state) { |
1470 | 0 | ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1); |
1471 | 0 | } |
1472 | |
|
1473 | 0 | if (ret != ssl_hs_ok) { |
1474 | 0 | return ret; |
1475 | 0 | } |
1476 | 0 | } |
1477 | | |
1478 | 0 | return ssl_hs_ok; |
1479 | 0 | } |
1480 | | |
1481 | 0 | const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) { |
1482 | 0 | enum tls13_server_hs_state_t state = |
1483 | 0 | static_cast<enum tls13_server_hs_state_t>(hs->tls13_state); |
1484 | 0 | switch (state) { |
1485 | 0 | case state13_select_parameters: |
1486 | 0 | return "TLS 1.3 server select_parameters"; |
1487 | 0 | case state13_select_session: |
1488 | 0 | return "TLS 1.3 server select_session"; |
1489 | 0 | case state13_send_hello_retry_request: |
1490 | 0 | return "TLS 1.3 server send_hello_retry_request"; |
1491 | 0 | case state13_read_second_client_hello: |
1492 | 0 | return "TLS 1.3 server read_second_client_hello"; |
1493 | 0 | case state13_send_server_hello: |
1494 | 0 | return "TLS 1.3 server send_server_hello"; |
1495 | 0 | case state13_send_server_certificate_verify: |
1496 | 0 | return "TLS 1.3 server send_server_certificate_verify"; |
1497 | 0 | case state13_send_half_rtt_ticket: |
1498 | 0 | return "TLS 1.3 server send_half_rtt_ticket"; |
1499 | 0 | case state13_send_server_finished: |
1500 | 0 | return "TLS 1.3 server send_server_finished"; |
1501 | 0 | case state13_read_second_client_flight: |
1502 | 0 | return "TLS 1.3 server read_second_client_flight"; |
1503 | 0 | case state13_process_end_of_early_data: |
1504 | 0 | return "TLS 1.3 server process_end_of_early_data"; |
1505 | 0 | case state13_read_client_encrypted_extensions: |
1506 | 0 | return "TLS 1.3 server read_client_encrypted_extensions"; |
1507 | 0 | case state13_read_client_certificate: |
1508 | 0 | return "TLS 1.3 server read_client_certificate"; |
1509 | 0 | case state13_read_client_certificate_verify: |
1510 | 0 | return "TLS 1.3 server read_client_certificate_verify"; |
1511 | 0 | case state13_read_channel_id: |
1512 | 0 | return "TLS 1.3 server read_channel_id"; |
1513 | 0 | case state13_read_client_finished: |
1514 | 0 | return "TLS 1.3 server read_client_finished"; |
1515 | 0 | case state13_send_new_session_ticket: |
1516 | 0 | return "TLS 1.3 server send_new_session_ticket"; |
1517 | 0 | case state13_done: |
1518 | 0 | return "TLS 1.3 server done"; |
1519 | 0 | } |
1520 | | |
1521 | 0 | return "TLS 1.3 server unknown"; |
1522 | 0 | } |
1523 | | |
1524 | | BSSL_NAMESPACE_END |