/src/boringssl/ssl/handshake_server.cc
Line | Count | Source (jump to first uncovered line) |
1 | | // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved. |
3 | | // Copyright 2005 Nokia. All rights reserved. |
4 | | // |
5 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
6 | | // you may not use this file except in compliance with the License. |
7 | | // You may obtain a copy of the License at |
8 | | // |
9 | | // https://www.apache.org/licenses/LICENSE-2.0 |
10 | | // |
11 | | // Unless required by applicable law or agreed to in writing, software |
12 | | // distributed under the License is distributed on an "AS IS" BASIS, |
13 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14 | | // See the License for the specific language governing permissions and |
15 | | // limitations under the License. |
16 | | |
17 | | #include <openssl/ssl.h> |
18 | | |
19 | | #include <assert.h> |
20 | | #include <string.h> |
21 | | |
22 | | #include <openssl/bn.h> |
23 | | #include <openssl/bytestring.h> |
24 | | #include <openssl/cipher.h> |
25 | | #include <openssl/curve25519.h> |
26 | | #include <openssl/digest.h> |
27 | | #include <openssl/ec.h> |
28 | | #include <openssl/ecdsa.h> |
29 | | #include <openssl/err.h> |
30 | | #include <openssl/evp.h> |
31 | | #include <openssl/hmac.h> |
32 | | #include <openssl/md5.h> |
33 | | #include <openssl/mem.h> |
34 | | #include <openssl/nid.h> |
35 | | #include <openssl/rand.h> |
36 | | #include <openssl/x509.h> |
37 | | |
38 | | #include "../crypto/internal.h" |
39 | | #include "internal.h" |
40 | | |
41 | | |
42 | | BSSL_NAMESPACE_BEGIN |
43 | | |
44 | | bool ssl_client_cipher_list_contains_cipher( |
45 | 16.6k | const SSL_CLIENT_HELLO *client_hello, uint16_t id) { |
46 | 16.6k | CBS cipher_suites; |
47 | 16.6k | CBS_init(&cipher_suites, client_hello->cipher_suites, |
48 | 16.6k | client_hello->cipher_suites_len); |
49 | | |
50 | 257k | while (CBS_len(&cipher_suites) > 0) { |
51 | 241k | uint16_t got_id; |
52 | 241k | if (!CBS_get_u16(&cipher_suites, &got_id)) { |
53 | 0 | return false; |
54 | 0 | } |
55 | | |
56 | 241k | if (got_id == id) { |
57 | 376 | return true; |
58 | 376 | } |
59 | 241k | } |
60 | | |
61 | 16.2k | return false; |
62 | 16.6k | } |
63 | | |
64 | | static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
65 | 12.0k | const SSL_CLIENT_HELLO *client_hello) { |
66 | 12.0k | SSL *const ssl = hs->ssl; |
67 | 12.0k | assert(ssl->s3->version == 0); |
68 | 12.0k | CBS supported_versions, versions; |
69 | 12.0k | if (ssl_client_hello_get_extension(client_hello, &supported_versions, |
70 | 12.0k | TLSEXT_TYPE_supported_versions)) { |
71 | 4.33k | if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) || // |
72 | 4.33k | CBS_len(&supported_versions) != 0 || // |
73 | 4.33k | CBS_len(&versions) == 0) { |
74 | 17 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
75 | 17 | *out_alert = SSL_AD_DECODE_ERROR; |
76 | 17 | return false; |
77 | 17 | } |
78 | 7.72k | } else { |
79 | | // Convert the ClientHello version to an equivalent supported_versions |
80 | | // extension. |
81 | 7.72k | static const uint8_t kTLSVersions[] = { |
82 | 7.72k | 0x03, 0x03, // TLS 1.2 |
83 | 7.72k | 0x03, 0x02, // TLS 1.1 |
84 | 7.72k | 0x03, 0x01, // TLS 1 |
85 | 7.72k | }; |
86 | | |
87 | 7.72k | static const uint8_t kDTLSVersions[] = { |
88 | 7.72k | 0xfe, 0xfd, // DTLS 1.2 |
89 | 7.72k | 0xfe, 0xff, // DTLS 1.0 |
90 | 7.72k | }; |
91 | | |
92 | 7.72k | size_t versions_len = 0; |
93 | 7.72k | if (SSL_is_dtls(ssl)) { |
94 | 1.75k | if (client_hello->version <= DTLS1_2_VERSION) { |
95 | 1.18k | versions_len = 4; |
96 | 1.18k | } else if (client_hello->version <= DTLS1_VERSION) { |
97 | 568 | versions_len = 2; |
98 | 568 | } |
99 | 1.75k | versions = Span(kDTLSVersions).last(versions_len); |
100 | 5.97k | } else { |
101 | 5.97k | if (client_hello->version >= TLS1_2_VERSION) { |
102 | 3.93k | versions_len = 6; |
103 | 3.93k | } else if (client_hello->version >= TLS1_1_VERSION) { |
104 | 493 | versions_len = 4; |
105 | 1.54k | } else if (client_hello->version >= TLS1_VERSION) { |
106 | 1.51k | versions_len = 2; |
107 | 1.51k | } |
108 | 5.97k | versions = Span(kTLSVersions).last(versions_len); |
109 | 5.97k | } |
110 | 7.72k | } |
111 | | |
112 | 12.0k | if (!ssl_negotiate_version(hs, out_alert, &ssl->s3->version, &versions)) { |
113 | 56 | return false; |
114 | 56 | } |
115 | | |
116 | | // Handle FALLBACK_SCSV. |
117 | 11.9k | if (ssl_client_cipher_list_contains_cipher(client_hello, |
118 | 11.9k | SSL3_CK_FALLBACK_SCSV & 0xffff) && |
119 | 11.9k | ssl_protocol_version(ssl) < hs->max_version) { |
120 | 7 | OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK); |
121 | 7 | *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK; |
122 | 7 | return false; |
123 | 7 | } |
124 | | |
125 | 11.9k | return true; |
126 | 11.9k | } |
127 | | |
128 | | static UniquePtr<STACK_OF(SSL_CIPHER)> ssl_parse_client_cipher_list( |
129 | 6.89k | const SSL_CLIENT_HELLO *client_hello) { |
130 | 6.89k | CBS cipher_suites; |
131 | 6.89k | CBS_init(&cipher_suites, client_hello->cipher_suites, |
132 | 6.89k | client_hello->cipher_suites_len); |
133 | | |
134 | 6.89k | UniquePtr<STACK_OF(SSL_CIPHER)> sk(sk_SSL_CIPHER_new_null()); |
135 | 6.89k | if (!sk) { |
136 | 0 | return nullptr; |
137 | 0 | } |
138 | | |
139 | 100k | while (CBS_len(&cipher_suites) > 0) { |
140 | 93.8k | uint16_t cipher_suite; |
141 | | |
142 | 93.8k | if (!CBS_get_u16(&cipher_suites, &cipher_suite)) { |
143 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); |
144 | 0 | return nullptr; |
145 | 0 | } |
146 | | |
147 | 93.8k | const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite); |
148 | 93.8k | if (c != NULL && !sk_SSL_CIPHER_push(sk.get(), c)) { |
149 | 0 | return nullptr; |
150 | 0 | } |
151 | 93.8k | } |
152 | | |
153 | 6.89k | return sk; |
154 | 6.89k | } |
155 | | |
156 | | static const SSL_CIPHER *choose_cipher(SSL_HANDSHAKE *hs, |
157 | | const STACK_OF(SSL_CIPHER) *client_pref, |
158 | 6.89k | uint32_t mask_k, uint32_t mask_a) { |
159 | 6.89k | SSL *const ssl = hs->ssl; |
160 | 6.89k | const STACK_OF(SSL_CIPHER) *prio, *allow; |
161 | | // in_group_flags will either be NULL, or will point to an array of bytes |
162 | | // which indicate equal-preference groups in the |prio| stack. See the |
163 | | // comment about |in_group_flags| in the |SSLCipherPreferenceList| |
164 | | // struct. |
165 | 6.89k | const bool *in_group_flags; |
166 | | // best_index contains the index of the best matching cipher suite found so |
167 | | // far, indexed into |allow|. If |best_index| is |SIZE_MAX|, no matching |
168 | | // cipher suite has been found yet. |
169 | 6.89k | size_t best_index = SIZE_MAX; |
170 | | |
171 | 6.89k | const SSLCipherPreferenceList *server_pref = |
172 | 6.89k | hs->config->cipher_list ? hs->config->cipher_list.get() |
173 | 6.89k | : ssl->ctx->cipher_list.get(); |
174 | 6.89k | if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { |
175 | 0 | prio = server_pref->ciphers.get(); |
176 | 0 | in_group_flags = server_pref->in_group_flags; |
177 | 0 | allow = client_pref; |
178 | 6.89k | } else { |
179 | 6.89k | prio = client_pref; |
180 | 6.89k | in_group_flags = nullptr; |
181 | 6.89k | allow = server_pref->ciphers.get(); |
182 | 6.89k | } |
183 | | |
184 | 21.0k | for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) { |
185 | 20.6k | const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i); |
186 | 20.6k | const bool in_group = in_group_flags != nullptr && in_group_flags[i]; |
187 | | |
188 | 20.6k | size_t cipher_index; |
189 | 20.6k | if ( // Check if the cipher is supported for the current version. |
190 | 20.6k | SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) && // |
191 | 20.6k | ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && // |
192 | | // Check the cipher is supported for the server configuration. |
193 | 20.6k | (c->algorithm_mkey & mask_k) && // |
194 | 20.6k | (c->algorithm_auth & mask_a) && // |
195 | | // Check the cipher is in the |allow| list. |
196 | 20.6k | sk_SSL_CIPHER_find(allow, &cipher_index, c)) { |
197 | | // Within a group, |allow|'s preference order applies. |
198 | 6.53k | if (best_index == SIZE_MAX || best_index > cipher_index) { |
199 | 6.53k | best_index = cipher_index; |
200 | 6.53k | } |
201 | 6.53k | } |
202 | | |
203 | | // We are about to leave a (possibly singleton) group, but we found a match |
204 | | // in it, so that's our answer. |
205 | 20.6k | if (!in_group && best_index != SIZE_MAX) { |
206 | 6.53k | return sk_SSL_CIPHER_value(allow, best_index); |
207 | 6.53k | } |
208 | 20.6k | } |
209 | | |
210 | | // The final cipher suite must end a group, so, if we found a match, we must |
211 | | // have returned early above. |
212 | 352 | assert(best_index == SIZE_MAX); |
213 | 352 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); |
214 | 352 | return nullptr; |
215 | 352 | } |
216 | | |
217 | | struct TLS12ServerParams { |
218 | 13.7k | bool ok() const { return cipher != nullptr; } |
219 | | |
220 | | const SSL_CIPHER *cipher = nullptr; |
221 | | uint16_t signature_algorithm = 0; |
222 | | }; |
223 | | |
224 | | static TLS12ServerParams choose_params(SSL_HANDSHAKE *hs, |
225 | | const SSL_CREDENTIAL *cred, |
226 | | const STACK_OF(SSL_CIPHER) *client_pref, |
227 | 6.89k | bool has_ecdhe_group) { |
228 | | // Determine the usable cipher suites. |
229 | 6.89k | uint32_t mask_k = 0, mask_a = 0; |
230 | 6.89k | if (has_ecdhe_group) { |
231 | 5.56k | mask_k |= SSL_kECDHE; |
232 | 5.56k | } |
233 | 6.89k | if (hs->config->psk_server_callback != nullptr) { |
234 | 0 | mask_k |= SSL_kPSK; |
235 | 0 | mask_a |= SSL_aPSK; |
236 | 0 | } |
237 | 6.89k | uint16_t sigalg = 0; |
238 | 6.89k | if (cred != nullptr && cred->type == SSLCredentialType::kX509) { |
239 | 6.89k | bool sign_ok = tls1_choose_signature_algorithm(hs, cred, &sigalg); |
240 | 6.89k | ERR_clear_error(); |
241 | | |
242 | | // ECDSA keys must additionally be checked against the peer's supported |
243 | | // curve list. |
244 | 6.89k | int key_type = EVP_PKEY_id(cred->pubkey.get()); |
245 | 6.89k | if (key_type == EVP_PKEY_EC) { |
246 | 0 | uint16_t group_id; |
247 | 0 | if (!ssl_nid_to_group_id(&group_id, |
248 | 0 | EVP_PKEY_get_ec_curve_nid(cred->pubkey.get())) || |
249 | 0 | std::find(hs->peer_supported_group_list.begin(), |
250 | 0 | hs->peer_supported_group_list.end(), |
251 | 0 | group_id) == hs->peer_supported_group_list.end()) { |
252 | 0 | sign_ok = false; |
253 | | |
254 | | // If this would make us unable to pick any cipher, return an error. |
255 | | // This is not strictly necessary, but it gives us a more specific |
256 | | // error to help the caller diagnose issues. |
257 | 0 | if (mask_a == 0) { |
258 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); |
259 | 0 | return TLS12ServerParams(); |
260 | 0 | } |
261 | 0 | } |
262 | 0 | } |
263 | | |
264 | 6.89k | mask_a |= ssl_cipher_auth_mask_for_key(cred->pubkey.get(), sign_ok); |
265 | 6.89k | if (key_type == EVP_PKEY_RSA) { |
266 | 6.89k | mask_k |= SSL_kRSA; |
267 | 6.89k | } |
268 | 6.89k | } |
269 | | |
270 | 6.89k | TLS12ServerParams params; |
271 | 6.89k | params.cipher = choose_cipher(hs, client_pref, mask_k, mask_a); |
272 | 6.89k | if (params.cipher == nullptr || |
273 | 6.89k | (cred != nullptr && |
274 | 6.53k | !ssl_credential_matches_requested_issuers(hs, cred))) { |
275 | 352 | return TLS12ServerParams(); |
276 | 352 | } |
277 | | // Only report the selected signature algorithm if it will be used. |
278 | 6.53k | if (ssl_cipher_requires_server_key_exchange(params.cipher) && |
279 | 6.53k | ssl_cipher_uses_certificate_auth(params.cipher)) { |
280 | 5.39k | params.signature_algorithm = sigalg; |
281 | 5.39k | } |
282 | 6.53k | return params; |
283 | 6.89k | } |
284 | | |
285 | 14.3k | static enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) { |
286 | 14.3k | ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1); |
287 | 14.3k | hs->state = state12_read_client_hello; |
288 | 14.3k | return ssl_hs_ok; |
289 | 14.3k | } |
290 | | |
291 | | // is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent |
292 | | // from a JDK 11 client with both TLS 1.3 and a prior version enabled. |
293 | 0 | static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) { |
294 | | // JDK 11 ClientHellos contain a number of unusual properties which should |
295 | | // limit false positives. |
296 | | |
297 | | // JDK 11 does not support ChaCha20-Poly1305. This is unusual: many modern |
298 | | // clients implement ChaCha20-Poly1305. |
299 | 0 | if (ssl_client_cipher_list_contains_cipher( |
300 | 0 | client_hello, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) { |
301 | 0 | return false; |
302 | 0 | } |
303 | | |
304 | | // JDK 11 always sends extensions in a particular order. |
305 | 0 | constexpr uint16_t kMaxFragmentLength = 0x0001; |
306 | 0 | constexpr uint16_t kStatusRequestV2 = 0x0011; |
307 | 0 | static constexpr struct { |
308 | 0 | uint16_t id; |
309 | 0 | bool required; |
310 | 0 | } kJavaExtensions[] = { |
311 | 0 | {TLSEXT_TYPE_server_name, false}, |
312 | 0 | {kMaxFragmentLength, false}, |
313 | 0 | {TLSEXT_TYPE_status_request, false}, |
314 | 0 | {TLSEXT_TYPE_supported_groups, true}, |
315 | 0 | {TLSEXT_TYPE_ec_point_formats, false}, |
316 | 0 | {TLSEXT_TYPE_signature_algorithms, true}, |
317 | | // Java always sends signature_algorithms_cert. |
318 | 0 | {TLSEXT_TYPE_signature_algorithms_cert, true}, |
319 | 0 | {TLSEXT_TYPE_application_layer_protocol_negotiation, false}, |
320 | 0 | {kStatusRequestV2, false}, |
321 | 0 | {TLSEXT_TYPE_extended_master_secret, false}, |
322 | 0 | {TLSEXT_TYPE_supported_versions, true}, |
323 | 0 | {TLSEXT_TYPE_cookie, false}, |
324 | 0 | {TLSEXT_TYPE_psk_key_exchange_modes, true}, |
325 | 0 | {TLSEXT_TYPE_key_share, true}, |
326 | 0 | {TLSEXT_TYPE_renegotiate, false}, |
327 | 0 | {TLSEXT_TYPE_pre_shared_key, false}, |
328 | 0 | }; |
329 | 0 | Span<const uint8_t> sigalgs, sigalgs_cert; |
330 | 0 | bool has_status_request = false, has_status_request_v2 = false; |
331 | 0 | CBS extensions, supported_groups; |
332 | 0 | CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len); |
333 | 0 | for (const auto &java_extension : kJavaExtensions) { |
334 | 0 | CBS copy = extensions; |
335 | 0 | uint16_t id; |
336 | 0 | if (CBS_get_u16(©, &id) && id == java_extension.id) { |
337 | | // The next extension is the one we expected. |
338 | 0 | extensions = copy; |
339 | 0 | CBS body; |
340 | 0 | if (!CBS_get_u16_length_prefixed(&extensions, &body)) { |
341 | 0 | return false; |
342 | 0 | } |
343 | 0 | switch (id) { |
344 | 0 | case TLSEXT_TYPE_status_request: |
345 | 0 | has_status_request = true; |
346 | 0 | break; |
347 | 0 | case kStatusRequestV2: |
348 | 0 | has_status_request_v2 = true; |
349 | 0 | break; |
350 | 0 | case TLSEXT_TYPE_signature_algorithms: |
351 | 0 | sigalgs = body; |
352 | 0 | break; |
353 | 0 | case TLSEXT_TYPE_signature_algorithms_cert: |
354 | 0 | sigalgs_cert = body; |
355 | 0 | break; |
356 | 0 | case TLSEXT_TYPE_supported_groups: |
357 | 0 | supported_groups = body; |
358 | 0 | break; |
359 | 0 | } |
360 | 0 | } else if (java_extension.required) { |
361 | 0 | return false; |
362 | 0 | } |
363 | 0 | } |
364 | 0 | if (CBS_len(&extensions) != 0) { |
365 | 0 | return false; |
366 | 0 | } |
367 | | |
368 | | // JDK 11 never advertises X25519. It is not offered by default, and |
369 | | // -Djdk.tls.namedGroups=x25519 does not work. This is unusual: many modern |
370 | | // clients implement X25519. |
371 | 0 | while (CBS_len(&supported_groups) > 0) { |
372 | 0 | uint16_t group; |
373 | 0 | if (!CBS_get_u16(&supported_groups, &group) || // |
374 | 0 | group == SSL_GROUP_X25519) { |
375 | 0 | return false; |
376 | 0 | } |
377 | 0 | } |
378 | | |
379 | 0 | if ( // JDK 11 always sends the same contents in signature_algorithms and |
380 | | // signature_algorithms_cert. This is unusual: |
381 | | // signature_algorithms_cert, if omitted, is treated as if it were |
382 | | // signature_algorithms. |
383 | 0 | sigalgs != sigalgs_cert || |
384 | | // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it |
385 | | // sends status_request. This is unusual: status_request_v2 is not widely |
386 | | // implemented. |
387 | 0 | has_status_request != has_status_request_v2) { |
388 | 0 | return false; |
389 | 0 | } |
390 | | |
391 | 0 | return true; |
392 | 0 | } |
393 | | |
394 | | static bool decrypt_ech(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
395 | 12.2k | const SSL_CLIENT_HELLO *client_hello) { |
396 | 12.2k | SSL *const ssl = hs->ssl; |
397 | 12.2k | CBS body; |
398 | 12.2k | if (!ssl_client_hello_get_extension(client_hello, &body, |
399 | 12.2k | TLSEXT_TYPE_encrypted_client_hello)) { |
400 | 11.7k | return true; |
401 | 11.7k | } |
402 | 546 | uint8_t type; |
403 | 546 | if (!CBS_get_u8(&body, &type)) { |
404 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
405 | 3 | *out_alert = SSL_AD_DECODE_ERROR; |
406 | 3 | return false; |
407 | 3 | } |
408 | 543 | if (type != ECH_CLIENT_OUTER) { |
409 | 118 | return true; |
410 | 118 | } |
411 | | // This is a ClientHelloOuter ECH extension. Attempt to decrypt it. |
412 | 425 | uint8_t config_id; |
413 | 425 | uint16_t kdf_id, aead_id; |
414 | 425 | CBS enc, payload; |
415 | 425 | if (!CBS_get_u16(&body, &kdf_id) || // |
416 | 425 | !CBS_get_u16(&body, &aead_id) || // |
417 | 425 | !CBS_get_u8(&body, &config_id) || |
418 | 425 | !CBS_get_u16_length_prefixed(&body, &enc) || |
419 | 425 | !CBS_get_u16_length_prefixed(&body, &payload) || // |
420 | 425 | CBS_len(&body) != 0) { |
421 | 30 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
422 | 30 | *out_alert = SSL_AD_DECODE_ERROR; |
423 | 30 | return false; |
424 | 30 | } |
425 | | |
426 | 395 | { |
427 | 395 | MutexReadLock lock(&ssl->ctx->lock); |
428 | 395 | hs->ech_keys = UpRef(ssl->ctx->ech_keys); |
429 | 395 | } |
430 | | |
431 | 395 | if (!hs->ech_keys) { |
432 | 0 | ssl->s3->ech_status = ssl_ech_rejected; |
433 | 0 | return true; |
434 | 0 | } |
435 | | |
436 | 395 | for (const auto &config : hs->ech_keys->configs) { |
437 | 395 | hs->ech_hpke_ctx.Reset(); |
438 | 395 | if (config_id != config->ech_config().config_id || |
439 | 395 | !config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id, enc)) { |
440 | | // Ignore the error and try another ECHConfig. |
441 | 94 | ERR_clear_error(); |
442 | 94 | continue; |
443 | 94 | } |
444 | 301 | bool is_decrypt_error; |
445 | 301 | if (!ssl_client_hello_decrypt(hs, out_alert, &is_decrypt_error, |
446 | 301 | &hs->ech_client_hello_buf, client_hello, |
447 | 301 | payload)) { |
448 | 174 | if (is_decrypt_error) { |
449 | | // Ignore the error and try another ECHConfig. |
450 | 38 | ERR_clear_error(); |
451 | | // The |out_alert| calling convention currently relies on a default of |
452 | | // |SSL_AD_DECODE_ERROR|. https://crbug.com/boringssl/373 tracks |
453 | | // switching to sum types, which avoids this. |
454 | 38 | *out_alert = SSL_AD_DECODE_ERROR; |
455 | 38 | continue; |
456 | 38 | } |
457 | 136 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); |
458 | 136 | return false; |
459 | 174 | } |
460 | 127 | hs->ech_config_id = config_id; |
461 | 127 | ssl->s3->ech_status = ssl_ech_accepted; |
462 | 127 | return true; |
463 | 301 | } |
464 | | |
465 | | // If we did not accept ECH, proceed with the ClientHelloOuter. Note this |
466 | | // could be key mismatch or ECH GREASE, so we must complete the handshake |
467 | | // as usual, except EncryptedExtensions will contain retry configs. |
468 | 132 | ssl->s3->ech_status = ssl_ech_rejected; |
469 | 132 | return true; |
470 | 395 | } |
471 | | |
472 | | static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
473 | 12.1k | const SSL_CLIENT_HELLO *client_hello) { |
474 | 12.1k | SSL *const ssl = hs->ssl; |
475 | 12.1k | CBS sni; |
476 | 12.1k | if (!ssl_client_hello_get_extension(client_hello, &sni, |
477 | 12.1k | TLSEXT_TYPE_server_name)) { |
478 | | // No SNI extension to parse. |
479 | | // |
480 | | // Clear state in case we previously extracted SNI from ClientHelloOuter. |
481 | 4.24k | ssl->s3->hostname.reset(); |
482 | 4.24k | return true; |
483 | 4.24k | } |
484 | | |
485 | 7.85k | CBS server_name_list, host_name; |
486 | 7.85k | uint8_t name_type; |
487 | 7.85k | if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) || // |
488 | 7.85k | !CBS_get_u8(&server_name_list, &name_type) || // |
489 | | // Although the server_name extension was intended to be extensible to |
490 | | // new name types and multiple names, OpenSSL 1.0.x had a bug which meant |
491 | | // different name types will cause an error. Further, RFC 4366 originally |
492 | | // defined syntax inextensibly. RFC 6066 corrected this mistake, but |
493 | | // adding new name types is no longer feasible. |
494 | | // |
495 | | // Act as if the extensibility does not exist to simplify parsing. |
496 | 7.85k | !CBS_get_u16_length_prefixed(&server_name_list, &host_name) || // |
497 | 7.85k | CBS_len(&server_name_list) != 0 || // |
498 | 7.85k | CBS_len(&sni) != 0) { |
499 | 30 | *out_alert = SSL_AD_DECODE_ERROR; |
500 | 30 | return false; |
501 | 30 | } |
502 | | |
503 | 7.82k | if (name_type != TLSEXT_NAMETYPE_host_name || // |
504 | 7.82k | CBS_len(&host_name) == 0 || // |
505 | 7.82k | CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || // |
506 | 7.82k | CBS_contains_zero_byte(&host_name)) { |
507 | 17 | *out_alert = SSL_AD_UNRECOGNIZED_NAME; |
508 | 17 | return false; |
509 | 17 | } |
510 | | |
511 | | // Copy the hostname as a string. |
512 | 7.81k | char *raw = nullptr; |
513 | 7.81k | if (!CBS_strdup(&host_name, &raw)) { |
514 | 0 | *out_alert = SSL_AD_INTERNAL_ERROR; |
515 | 0 | return false; |
516 | 0 | } |
517 | 7.81k | ssl->s3->hostname.reset(raw); |
518 | 7.81k | return true; |
519 | 7.81k | } |
520 | | |
521 | 71.5k | static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { |
522 | 71.5k | SSL *const ssl = hs->ssl; |
523 | | |
524 | 71.5k | SSLMessage msg; |
525 | 71.5k | if (!ssl->method->get_message(ssl, &msg)) { |
526 | 58.9k | return ssl_hs_read_message; |
527 | 58.9k | } |
528 | | |
529 | 12.5k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) { |
530 | 40 | return ssl_hs_error; |
531 | 40 | } |
532 | | |
533 | 12.5k | SSL_CLIENT_HELLO client_hello; |
534 | 12.5k | if (!SSL_parse_client_hello(ssl, &client_hello, CBS_data(&msg.body), |
535 | 12.5k | CBS_len(&msg.body))) { |
536 | 206 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
537 | 206 | return ssl_hs_error; |
538 | 206 | } |
539 | | |
540 | | // ClientHello should be the end of the flight. We check this early to cover |
541 | | // all protocol versions. |
542 | 12.2k | if (ssl->method->has_unprocessed_handshake_data(ssl)) { |
543 | 13 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); |
544 | 13 | OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA); |
545 | 13 | return ssl_hs_error; |
546 | 13 | } |
547 | | |
548 | 12.2k | if (hs->config->handoff) { |
549 | 9 | return ssl_hs_handoff; |
550 | 9 | } |
551 | | |
552 | 12.2k | uint8_t alert = SSL_AD_DECODE_ERROR; |
553 | | // We check for rejection status in case we've rewound the state machine after |
554 | | // determining `ClientHelloInner` is invalid. |
555 | 12.2k | if (ssl->s3->ech_status != ssl_ech_rejected && |
556 | 12.2k | !decrypt_ech(hs, &alert, &client_hello)) { |
557 | 169 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
558 | 169 | return ssl_hs_error; |
559 | 169 | } |
560 | | |
561 | | // ECH may have changed which ClientHello we process. Update |msg| and |
562 | | // |client_hello| in case. |
563 | 12.1k | if (!hs->GetClientHello(&msg, &client_hello)) { |
564 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
565 | 0 | return ssl_hs_error; |
566 | 0 | } |
567 | | |
568 | 12.1k | if (!extract_sni(hs, &alert, &client_hello)) { |
569 | 47 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
570 | 47 | return ssl_hs_error; |
571 | 47 | } |
572 | | |
573 | 12.0k | hs->state = state12_read_client_hello_after_ech; |
574 | 12.0k | return ssl_hs_ok; |
575 | 12.1k | } |
576 | | |
577 | 12.0k | static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) { |
578 | 12.0k | SSL *const ssl = hs->ssl; |
579 | | |
580 | 12.0k | SSLMessage msg_unused; |
581 | 12.0k | SSL_CLIENT_HELLO client_hello; |
582 | 12.0k | if (!hs->GetClientHello(&msg_unused, &client_hello)) { |
583 | 0 | return ssl_hs_error; |
584 | 0 | } |
585 | | |
586 | | // Run the early callback. |
587 | 12.0k | if (ssl->ctx->select_certificate_cb != NULL) { |
588 | 0 | switch (ssl->ctx->select_certificate_cb(&client_hello)) { |
589 | 0 | case ssl_select_cert_retry: |
590 | 0 | return ssl_hs_certificate_selection_pending; |
591 | | |
592 | 0 | case ssl_select_cert_disable_ech: |
593 | 0 | hs->ech_client_hello_buf.Reset(); |
594 | 0 | hs->ech_keys = nullptr; |
595 | 0 | hs->state = state12_read_client_hello; |
596 | 0 | ssl->s3->ech_status = ssl_ech_rejected; |
597 | 0 | return ssl_hs_ok; |
598 | | |
599 | 0 | case ssl_select_cert_error: |
600 | | // Connection rejected. |
601 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); |
602 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
603 | 0 | return ssl_hs_error; |
604 | | |
605 | 0 | default: |
606 | 0 | /* fallthrough */; |
607 | 0 | } |
608 | 0 | } |
609 | | |
610 | | // Freeze the version range after the early callback. |
611 | 12.0k | if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) { |
612 | 0 | return ssl_hs_error; |
613 | 0 | } |
614 | | |
615 | 12.0k | if (hs->config->jdk11_workaround && |
616 | 12.0k | is_probably_jdk11_with_tls13(&client_hello)) { |
617 | 0 | hs->apply_jdk11_workaround = true; |
618 | 0 | } |
619 | | |
620 | 12.0k | uint8_t alert = SSL_AD_DECODE_ERROR; |
621 | 12.0k | if (!negotiate_version(hs, &alert, &client_hello)) { |
622 | 80 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
623 | 80 | return ssl_hs_error; |
624 | 80 | } |
625 | | |
626 | 11.9k | hs->client_version = client_hello.version; |
627 | 11.9k | if (client_hello.random_len != SSL3_RANDOM_SIZE) { |
628 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
629 | 0 | return ssl_hs_error; |
630 | 0 | } |
631 | 11.9k | OPENSSL_memcpy(ssl->s3->client_random, client_hello.random, |
632 | 11.9k | client_hello.random_len); |
633 | | |
634 | | // Only null compression is supported. TLS 1.3 further requires the peer |
635 | | // advertise no other compression. |
636 | 11.9k | if (OPENSSL_memchr(client_hello.compression_methods, 0, |
637 | 11.9k | client_hello.compression_methods_len) == NULL || |
638 | 11.9k | (ssl_protocol_version(ssl) >= TLS1_3_VERSION && |
639 | 11.9k | client_hello.compression_methods_len != 1)) { |
640 | 33 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST); |
641 | 33 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
642 | 33 | return ssl_hs_error; |
643 | 33 | } |
644 | | |
645 | | // TLS extensions. |
646 | 11.9k | if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) { |
647 | 895 | OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); |
648 | 895 | return ssl_hs_error; |
649 | 895 | } |
650 | | |
651 | 11.0k | hs->state = state12_cert_callback; |
652 | 11.0k | return ssl_hs_ok; |
653 | 11.9k | } |
654 | | |
655 | 11.0k | static enum ssl_hs_wait_t do_cert_callback(SSL_HANDSHAKE *hs) { |
656 | 11.0k | SSL *const ssl = hs->ssl; |
657 | | |
658 | | // Call |cert_cb| to update server certificates if required. |
659 | 11.0k | if (hs->config->cert->cert_cb != NULL) { |
660 | 0 | int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg); |
661 | 0 | if (rv == 0) { |
662 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR); |
663 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
664 | 0 | return ssl_hs_error; |
665 | 0 | } |
666 | 0 | if (rv < 0) { |
667 | 0 | return ssl_hs_x509_lookup; |
668 | 0 | } |
669 | 0 | } |
670 | | |
671 | 11.0k | if (hs->ocsp_stapling_requested && |
672 | 11.0k | ssl->ctx->legacy_ocsp_callback != nullptr) { |
673 | 0 | switch (ssl->ctx->legacy_ocsp_callback( |
674 | 0 | ssl, ssl->ctx->legacy_ocsp_callback_arg)) { |
675 | 0 | case SSL_TLSEXT_ERR_OK: |
676 | 0 | break; |
677 | 0 | case SSL_TLSEXT_ERR_NOACK: |
678 | 0 | hs->ocsp_stapling_requested = false; |
679 | 0 | break; |
680 | 0 | default: |
681 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR); |
682 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
683 | 0 | return ssl_hs_error; |
684 | 0 | } |
685 | 0 | } |
686 | | |
687 | 11.0k | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
688 | | // Jump to the TLS 1.3 state machine. |
689 | 4.16k | hs->state = state12_tls13; |
690 | 4.16k | return ssl_hs_ok; |
691 | 4.16k | } |
692 | | |
693 | | // It should not be possible to negotiate TLS 1.2 with ECH. The |
694 | | // ClientHelloInner decoding function rejects ClientHellos which offer TLS 1.2 |
695 | | // or below. |
696 | 6.89k | assert(ssl->s3->ech_status != ssl_ech_accepted); |
697 | | |
698 | 6.89k | ssl->s3->early_data_reason = ssl_early_data_protocol_version; |
699 | | |
700 | 6.89k | hs->state = state12_select_parameters; |
701 | 6.89k | return ssl_hs_ok; |
702 | 6.89k | } |
703 | | |
704 | 37.6k | static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) { |
705 | 37.6k | enum ssl_hs_wait_t wait = tls13_server_handshake(hs); |
706 | 37.6k | if (wait == ssl_hs_ok) { |
707 | 2.31k | hs->state = state12_finish_server_handshake; |
708 | 2.31k | return ssl_hs_ok; |
709 | 2.31k | } |
710 | | |
711 | 35.2k | return wait; |
712 | 37.6k | } |
713 | | |
714 | 6.89k | static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { |
715 | 6.89k | SSL *const ssl = hs->ssl; |
716 | 6.89k | SSLMessage msg; |
717 | 6.89k | SSL_CLIENT_HELLO client_hello; |
718 | 6.89k | if (!hs->GetClientHello(&msg, &client_hello)) { |
719 | 0 | return ssl_hs_error; |
720 | 0 | } |
721 | | |
722 | | // Determine the ECDHE group to use, if we are to use ECDHE. |
723 | 6.89k | uint16_t group_id = 0; |
724 | 6.89k | bool has_ecdhe_group = tls1_get_shared_group(hs, &group_id); |
725 | | |
726 | | // Select the credential and cipher suite. This must be done after |cert_cb| |
727 | | // runs, so the final credential list is known. |
728 | | // |
729 | | // TODO(davidben): In the course of picking these, we also pick the ECDHE |
730 | | // group and signature algorithm. It would be tidier if we saved that decision |
731 | | // and avoided redoing it later. |
732 | 6.89k | UniquePtr<STACK_OF(SSL_CIPHER)> client_pref = |
733 | 6.89k | ssl_parse_client_cipher_list(&client_hello); |
734 | 6.89k | if (client_pref == nullptr) { |
735 | 0 | return ssl_hs_error; |
736 | 0 | } |
737 | 6.89k | Array<SSL_CREDENTIAL *> creds; |
738 | 6.89k | if (!ssl_get_full_credential_list(hs, &creds)) { |
739 | 0 | return ssl_hs_error; |
740 | 0 | } |
741 | 6.89k | TLS12ServerParams params; |
742 | 6.89k | if (creds.empty()) { |
743 | | // The caller may have configured no credentials, but set a PSK callback. |
744 | 0 | params = |
745 | 0 | choose_params(hs, /*cred=*/nullptr, client_pref.get(), has_ecdhe_group); |
746 | 6.89k | } else { |
747 | | // Select the first credential which works. |
748 | 6.89k | for (SSL_CREDENTIAL *cred : creds) { |
749 | 6.89k | ERR_clear_error(); |
750 | 6.89k | params = choose_params(hs, cred, client_pref.get(), has_ecdhe_group); |
751 | 6.89k | if (params.ok()) { |
752 | 6.53k | hs->credential = UpRef(cred); |
753 | 6.53k | break; |
754 | 6.53k | } |
755 | 6.89k | } |
756 | 6.89k | } |
757 | 6.89k | if (!params.ok()) { |
758 | | // The error from the last attempt is in the error queue. |
759 | 352 | assert(ERR_peek_error() != 0); |
760 | 352 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
761 | 352 | return ssl_hs_error; |
762 | 352 | } |
763 | 6.53k | hs->new_cipher = params.cipher; |
764 | 6.53k | hs->signature_algorithm = params.signature_algorithm; |
765 | | |
766 | | // |SSL_parse_client_hello| checks that |client_hello.session_id| is not too |
767 | | // large. |
768 | 6.53k | hs->session_id.CopyFrom( |
769 | 6.53k | Span(client_hello.session_id, client_hello.session_id_len)); |
770 | | |
771 | | // Determine whether we are doing session resumption. |
772 | 6.53k | UniquePtr<SSL_SESSION> session; |
773 | 6.53k | bool tickets_supported = false, renew_ticket = false; |
774 | 6.53k | enum ssl_hs_wait_t wait = ssl_get_prev_session( |
775 | 6.53k | hs, &session, &tickets_supported, &renew_ticket, &client_hello); |
776 | 6.53k | if (wait != ssl_hs_ok) { |
777 | 0 | return wait; |
778 | 0 | } |
779 | | |
780 | 6.53k | if (session) { |
781 | 473 | if (session->extended_master_secret && !hs->extended_master_secret) { |
782 | | // A ClientHello without EMS that attempts to resume a session with EMS |
783 | | // is fatal to the connection. |
784 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION); |
785 | 3 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
786 | 3 | return ssl_hs_error; |
787 | 3 | } |
788 | | |
789 | 470 | if (!ssl_session_is_resumable(hs, session.get()) || |
790 | | // If the client offers the EMS extension, but the previous session |
791 | | // didn't use it, then negotiate a new session. |
792 | 470 | hs->extended_master_secret != session->extended_master_secret) { |
793 | 100 | session.reset(); |
794 | 100 | } |
795 | 470 | } |
796 | | |
797 | 6.53k | if (session) { |
798 | | // Use the old session. |
799 | 370 | hs->ticket_expected = renew_ticket; |
800 | 370 | ssl->session = std::move(session); |
801 | 370 | ssl->s3->session_reused = true; |
802 | 370 | hs->can_release_private_key = true; |
803 | 6.16k | } else { |
804 | 6.16k | hs->ticket_expected = tickets_supported; |
805 | 6.16k | ssl_set_session(ssl, nullptr); |
806 | 6.16k | if (!ssl_get_new_session(hs)) { |
807 | 0 | return ssl_hs_error; |
808 | 0 | } |
809 | | |
810 | | // Assign a session ID if not using session tickets. |
811 | 6.16k | if (!hs->ticket_expected && |
812 | 6.16k | (ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) { |
813 | 3.44k | hs->new_session->session_id.ResizeForOverwrite( |
814 | 3.44k | SSL3_SSL_SESSION_ID_LENGTH); |
815 | 3.44k | RAND_bytes(hs->new_session->session_id.data(), |
816 | 3.44k | hs->new_session->session_id.size()); |
817 | 3.44k | } |
818 | 6.16k | } |
819 | | |
820 | 6.53k | if (ssl->ctx->dos_protection_cb != NULL && |
821 | 6.53k | ssl->ctx->dos_protection_cb(&client_hello) == 0) { |
822 | | // Connection rejected for DOS reasons. |
823 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); |
824 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
825 | 0 | return ssl_hs_error; |
826 | 0 | } |
827 | | |
828 | 6.53k | if (ssl->session == NULL) { |
829 | 6.16k | hs->new_session->cipher = hs->new_cipher; |
830 | 6.16k | if (hs->new_session->cipher->algorithm_mkey & SSL_kECDHE) { |
831 | 5.14k | assert(has_ecdhe_group); |
832 | 5.14k | hs->new_session->group_id = group_id; |
833 | 5.14k | } |
834 | | |
835 | | // Determine whether to request a client certificate. CertificateRequest may |
836 | | // only be sent in certificate-based ciphers. |
837 | 6.16k | hs->cert_request = (hs->config->verify_mode & SSL_VERIFY_PEER) && |
838 | 6.16k | ssl_cipher_uses_certificate_auth(hs->new_cipher); |
839 | 6.16k | if (!hs->cert_request) { |
840 | | // OpenSSL returns X509_V_OK when no certificates are requested. This is |
841 | | // classed by them as a bug, but it's assumed by at least NGINX. |
842 | 2.66k | hs->new_session->verify_result = X509_V_OK; |
843 | 2.66k | } |
844 | 6.16k | } |
845 | | |
846 | | // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was |
847 | | // deferred. Complete it now. |
848 | 6.53k | uint8_t alert = SSL_AD_DECODE_ERROR; |
849 | 6.53k | if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { |
850 | 39 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
851 | 39 | return ssl_hs_error; |
852 | 39 | } |
853 | | |
854 | | // Now that all parameters are known, initialize the handshake hash and hash |
855 | | // the ClientHello. |
856 | 6.49k | if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) { |
857 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
858 | 0 | return ssl_hs_error; |
859 | 0 | } |
860 | | |
861 | | // Handback includes the whole handshake transcript, so we cannot free the |
862 | | // transcript buffer in the handback case. |
863 | 6.49k | if (!hs->cert_request && !hs->handback) { |
864 | 2.99k | hs->transcript.FreeBuffer(); |
865 | 2.99k | } |
866 | | |
867 | 6.49k | if (!ssl_hash_message(hs, msg)) { |
868 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
869 | 0 | return ssl_hs_error; |
870 | 0 | } |
871 | | |
872 | 6.49k | ssl->method->next_message(ssl); |
873 | | |
874 | 6.49k | hs->state = state12_send_server_hello; |
875 | 6.49k | return ssl_hs_ok; |
876 | 6.49k | } |
877 | | |
878 | 6.49k | static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) { |
879 | 6.49k | out = out.last(in.size()); |
880 | 6.49k | OPENSSL_memcpy(out.data(), in.data(), in.size()); |
881 | 6.49k | } |
882 | | |
883 | 6.49k | static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { |
884 | 6.49k | SSL *const ssl = hs->ssl; |
885 | | |
886 | | // We only accept ChannelIDs on connections with ECDHE in order to avoid a |
887 | | // known attack while we fix ChannelID itself. |
888 | 6.49k | if (hs->channel_id_negotiated && |
889 | 6.49k | (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) { |
890 | 4 | hs->channel_id_negotiated = false; |
891 | 4 | } |
892 | | |
893 | | // If this is a resumption and the original handshake didn't support |
894 | | // ChannelID then we didn't record the original handshake hashes in the |
895 | | // session and so cannot resume with ChannelIDs. |
896 | 6.49k | if (ssl->session != nullptr && |
897 | 6.49k | ssl->session->original_handshake_hash.empty()) { |
898 | 264 | hs->channel_id_negotiated = false; |
899 | 264 | } |
900 | | |
901 | 6.49k | SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); |
902 | 6.49k | if (hints && !hs->hints_requested && |
903 | 6.49k | hints->server_random_tls12.size() == SSL3_RANDOM_SIZE) { |
904 | 726 | OPENSSL_memcpy(ssl->s3->server_random, hints->server_random_tls12.data(), |
905 | 726 | SSL3_RANDOM_SIZE); |
906 | 5.77k | } else { |
907 | 5.77k | OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get()); |
908 | 5.77k | CRYPTO_store_u32_be(ssl->s3->server_random, |
909 | 5.77k | static_cast<uint32_t>(now.tv_sec)); |
910 | 5.77k | if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) { |
911 | 0 | return ssl_hs_error; |
912 | 0 | } |
913 | 5.77k | if (hints && hs->hints_requested && |
914 | 5.77k | !hints->server_random_tls12.CopyFrom(ssl->s3->server_random)) { |
915 | 0 | return ssl_hs_error; |
916 | 0 | } |
917 | 5.77k | } |
918 | | |
919 | | // Implement the TLS 1.3 anti-downgrade feature. |
920 | 6.49k | if (hs->max_version >= TLS1_3_VERSION) { |
921 | 6.49k | if (ssl_protocol_version(ssl) == TLS1_2_VERSION) { |
922 | 4.38k | if (hs->apply_jdk11_workaround) { |
923 | | // JDK 11 implements the TLS 1.3 downgrade signal, so we cannot send it |
924 | | // here. However, the signal is only effective if all TLS 1.2 |
925 | | // ServerHellos produced by the server are marked. Thus we send a |
926 | | // different non-standard signal for the time being, until JDK 11.0.2 is |
927 | | // released and clients have updated. |
928 | 0 | copy_suffix(ssl->s3->server_random, kJDK11DowngradeRandom); |
929 | 4.38k | } else { |
930 | 4.38k | copy_suffix(ssl->s3->server_random, kTLS13DowngradeRandom); |
931 | 4.38k | } |
932 | 4.38k | } else { |
933 | 2.10k | copy_suffix(ssl->s3->server_random, kTLS12DowngradeRandom); |
934 | 2.10k | } |
935 | 6.49k | } |
936 | | |
937 | 6.49k | Span<const uint8_t> session_id; |
938 | 6.49k | if (ssl->session != nullptr) { |
939 | | // Echo the session ID from the ClientHello to indicate resumption. |
940 | 370 | session_id = hs->session_id; |
941 | 6.12k | } else { |
942 | 6.12k | session_id = hs->new_session->session_id; |
943 | 6.12k | } |
944 | | |
945 | 6.49k | ScopedCBB cbb; |
946 | 6.49k | CBB body, session_id_bytes; |
947 | 6.49k | if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || |
948 | 6.49k | !CBB_add_u16(&body, ssl->s3->version) || |
949 | 6.49k | !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || |
950 | 6.49k | !CBB_add_u8_length_prefixed(&body, &session_id_bytes) || |
951 | 6.49k | !CBB_add_bytes(&session_id_bytes, session_id.data(), session_id.size()) || |
952 | 6.49k | !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) || |
953 | 6.49k | !CBB_add_u8(&body, 0 /* no compression */) || |
954 | 6.49k | !ssl_add_serverhello_tlsext(hs, &body) || |
955 | 6.49k | !ssl_add_message_cbb(ssl, cbb.get())) { |
956 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
957 | 0 | return ssl_hs_error; |
958 | 0 | } |
959 | | |
960 | 6.49k | if (ssl->session != nullptr) { |
961 | | // No additional hints to generate in resumption. |
962 | 370 | if (hs->hints_requested) { |
963 | 0 | return ssl_hs_hints_ready; |
964 | 0 | } |
965 | 370 | hs->state = state12_send_server_finished; |
966 | 6.12k | } else { |
967 | 6.12k | hs->state = state12_send_server_certificate; |
968 | 6.12k | } |
969 | 6.49k | return ssl_hs_ok; |
970 | 6.49k | } |
971 | | |
972 | 6.12k | static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { |
973 | 6.12k | SSL *const ssl = hs->ssl; |
974 | 6.12k | ScopedCBB cbb; |
975 | | |
976 | 6.12k | if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { |
977 | 6.12k | assert(hs->credential != nullptr); |
978 | 6.12k | if (!ssl_send_tls12_certificate(hs)) { |
979 | 0 | return ssl_hs_error; |
980 | 0 | } |
981 | | |
982 | 6.12k | if (hs->certificate_status_expected) { |
983 | 2.28k | CBB body, ocsp_response; |
984 | 2.28k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
985 | 2.28k | SSL3_MT_CERTIFICATE_STATUS) || |
986 | 2.28k | !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) || |
987 | 2.28k | !CBB_add_u24_length_prefixed(&body, &ocsp_response) || |
988 | 2.28k | !CBB_add_bytes( |
989 | 2.28k | &ocsp_response, |
990 | 2.28k | CRYPTO_BUFFER_data(hs->credential->ocsp_response.get()), |
991 | 2.28k | CRYPTO_BUFFER_len(hs->credential->ocsp_response.get())) || |
992 | 2.28k | !ssl_add_message_cbb(ssl, cbb.get())) { |
993 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
994 | 0 | return ssl_hs_error; |
995 | 0 | } |
996 | 2.28k | } |
997 | 6.12k | } |
998 | | |
999 | | // Assemble ServerKeyExchange parameters if needed. |
1000 | 6.12k | uint32_t alg_k = hs->new_cipher->algorithm_mkey; |
1001 | 6.12k | uint32_t alg_a = hs->new_cipher->algorithm_auth; |
1002 | 6.12k | if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) || |
1003 | 6.12k | ((alg_a & SSL_aPSK) && hs->config->psk_identity_hint)) { |
1004 | | // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend |
1005 | | // the client and server randoms for the signing transcript. |
1006 | 5.12k | CBB child; |
1007 | 5.12k | if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) || |
1008 | 5.12k | !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) || |
1009 | 5.12k | !CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) { |
1010 | 0 | return ssl_hs_error; |
1011 | 0 | } |
1012 | | |
1013 | | // PSK ciphers begin with an identity hint. |
1014 | 5.12k | if (alg_a & SSL_aPSK) { |
1015 | 0 | size_t len = hs->config->psk_identity_hint == nullptr |
1016 | 0 | ? 0 |
1017 | 0 | : strlen(hs->config->psk_identity_hint.get()); |
1018 | 0 | if (!CBB_add_u16_length_prefixed(cbb.get(), &child) || |
1019 | 0 | !CBB_add_bytes(&child, |
1020 | 0 | (const uint8_t *)hs->config->psk_identity_hint.get(), |
1021 | 0 | len)) { |
1022 | 0 | return ssl_hs_error; |
1023 | 0 | } |
1024 | 0 | } |
1025 | | |
1026 | 5.12k | if (alg_k & SSL_kECDHE) { |
1027 | 5.12k | assert(hs->new_session->group_id != 0); |
1028 | 5.12k | hs->key_shares[0] = SSLKeyShare::Create(hs->new_session->group_id); |
1029 | 5.12k | if (!hs->key_shares[0] || // |
1030 | 5.12k | !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || // |
1031 | 5.12k | !CBB_add_u16(cbb.get(), hs->new_session->group_id) || // |
1032 | 5.12k | !CBB_add_u8_length_prefixed(cbb.get(), &child)) { |
1033 | 0 | return ssl_hs_error; |
1034 | 0 | } |
1035 | | |
1036 | 5.12k | SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); |
1037 | 5.12k | bool hint_ok = false; |
1038 | 5.12k | if (hints && !hs->hints_requested && |
1039 | 5.12k | hints->ecdhe_group_id == hs->new_session->group_id && |
1040 | 5.12k | !hints->ecdhe_public_key.empty() && |
1041 | 5.12k | !hints->ecdhe_private_key.empty()) { |
1042 | 584 | CBS cbs = CBS(hints->ecdhe_private_key); |
1043 | 584 | hint_ok = hs->key_shares[0]->DeserializePrivateKey(&cbs); |
1044 | 584 | } |
1045 | 5.12k | if (hint_ok) { |
1046 | | // Reuse the ECDH key from handshake hints. |
1047 | 569 | if (!CBB_add_bytes(&child, hints->ecdhe_public_key.data(), |
1048 | 569 | hints->ecdhe_public_key.size())) { |
1049 | 0 | return ssl_hs_error; |
1050 | 0 | } |
1051 | 4.55k | } else { |
1052 | | // Generate a key, and emit the public half. |
1053 | 4.55k | if (!hs->key_shares[0]->Generate(&child)) { |
1054 | 0 | return ssl_hs_error; |
1055 | 0 | } |
1056 | | // If generating hints, save the ECDHE key. |
1057 | 4.55k | if (hints && hs->hints_requested) { |
1058 | 0 | bssl::ScopedCBB private_key_cbb; |
1059 | 0 | if (!hints->ecdhe_public_key.CopyFrom( |
1060 | 0 | Span(CBB_data(&child), CBB_len(&child))) || |
1061 | 0 | !CBB_init(private_key_cbb.get(), 32) || |
1062 | 0 | !hs->key_shares[0]->SerializePrivateKey(private_key_cbb.get()) || |
1063 | 0 | !CBBFinishArray(private_key_cbb.get(), |
1064 | 0 | &hints->ecdhe_private_key)) { |
1065 | 0 | return ssl_hs_error; |
1066 | 0 | } |
1067 | 0 | hints->ecdhe_group_id = hs->new_session->group_id; |
1068 | 0 | } |
1069 | 4.55k | } |
1070 | 5.12k | } else { |
1071 | 0 | assert(alg_k & SSL_kPSK); |
1072 | 0 | } |
1073 | | |
1074 | 5.12k | if (!CBBFinishArray(cbb.get(), &hs->server_params)) { |
1075 | 0 | return ssl_hs_error; |
1076 | 0 | } |
1077 | 5.12k | } |
1078 | | |
1079 | 6.12k | hs->state = state12_send_server_key_exchange; |
1080 | 6.12k | return ssl_hs_ok; |
1081 | 6.12k | } |
1082 | | |
1083 | 6.12k | static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { |
1084 | 6.12k | SSL *const ssl = hs->ssl; |
1085 | | |
1086 | 6.12k | if (hs->server_params.size() == 0) { |
1087 | 999 | hs->state = state12_send_server_hello_done; |
1088 | 999 | return ssl_hs_ok; |
1089 | 999 | } |
1090 | | |
1091 | 5.12k | ScopedCBB cbb; |
1092 | 5.12k | CBB body, child; |
1093 | 5.12k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1094 | 5.12k | SSL3_MT_SERVER_KEY_EXCHANGE) || |
1095 | | // |hs->server_params| contains a prefix for signing. |
1096 | 5.12k | hs->server_params.size() < 2 * SSL3_RANDOM_SIZE || |
1097 | 5.12k | !CBB_add_bytes(&body, hs->server_params.data() + 2 * SSL3_RANDOM_SIZE, |
1098 | 5.12k | hs->server_params.size() - 2 * SSL3_RANDOM_SIZE)) { |
1099 | 0 | return ssl_hs_error; |
1100 | 0 | } |
1101 | | |
1102 | | // Add a signature. |
1103 | 5.12k | if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { |
1104 | | // Determine the signature algorithm. |
1105 | 5.12k | uint16_t signature_algorithm; |
1106 | 5.12k | if (!tls1_choose_signature_algorithm(hs, hs->credential.get(), |
1107 | 5.12k | &signature_algorithm)) { |
1108 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
1109 | 0 | return ssl_hs_error; |
1110 | 0 | } |
1111 | 5.12k | if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) { |
1112 | 3.44k | if (!CBB_add_u16(&body, signature_algorithm)) { |
1113 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1114 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1115 | 0 | return ssl_hs_error; |
1116 | 0 | } |
1117 | 3.44k | } |
1118 | | |
1119 | | // Add space for the signature. |
1120 | 5.12k | const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get()); |
1121 | 5.12k | uint8_t *ptr; |
1122 | 5.12k | if (!CBB_add_u16_length_prefixed(&body, &child) || |
1123 | 5.12k | !CBB_reserve(&child, &ptr, max_sig_len)) { |
1124 | 0 | return ssl_hs_error; |
1125 | 0 | } |
1126 | | |
1127 | 5.12k | size_t sig_len; |
1128 | 5.12k | switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len, |
1129 | 5.12k | signature_algorithm, hs->server_params)) { |
1130 | 5.12k | case ssl_private_key_success: |
1131 | 5.12k | if (!CBB_did_write(&child, sig_len)) { |
1132 | 0 | return ssl_hs_error; |
1133 | 0 | } |
1134 | 5.12k | break; |
1135 | 5.12k | case ssl_private_key_failure: |
1136 | 0 | return ssl_hs_error; |
1137 | 0 | case ssl_private_key_retry: |
1138 | 0 | return ssl_hs_private_key_operation; |
1139 | 5.12k | } |
1140 | 5.12k | } |
1141 | | |
1142 | 5.12k | hs->can_release_private_key = true; |
1143 | 5.12k | if (!ssl_add_message_cbb(ssl, cbb.get())) { |
1144 | 0 | return ssl_hs_error; |
1145 | 0 | } |
1146 | | |
1147 | 5.12k | hs->server_params.Reset(); |
1148 | | |
1149 | 5.12k | hs->state = state12_send_server_hello_done; |
1150 | 5.12k | return ssl_hs_ok; |
1151 | 5.12k | } |
1152 | | |
1153 | 6.12k | static enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) { |
1154 | 6.12k | SSL *const ssl = hs->ssl; |
1155 | 6.12k | if (hs->hints_requested) { |
1156 | 0 | return ssl_hs_hints_ready; |
1157 | 0 | } |
1158 | | |
1159 | 6.12k | ScopedCBB cbb; |
1160 | 6.12k | CBB body; |
1161 | | |
1162 | 6.12k | if (hs->cert_request) { |
1163 | 3.50k | CBB cert_types, sigalgs_cbb; |
1164 | 3.50k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1165 | 3.50k | SSL3_MT_CERTIFICATE_REQUEST) || |
1166 | 3.50k | !CBB_add_u8_length_prefixed(&body, &cert_types) || |
1167 | 3.50k | !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) || |
1168 | 3.50k | !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN) || |
1169 | 3.50k | (ssl_protocol_version(ssl) >= TLS1_2_VERSION && |
1170 | 3.50k | (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) || |
1171 | 2.34k | !tls12_add_verify_sigalgs(hs, &sigalgs_cbb))) || |
1172 | 3.50k | !ssl_add_client_CA_list(hs, &body) || |
1173 | 3.50k | !ssl_add_message_cbb(ssl, cbb.get())) { |
1174 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1175 | 0 | return ssl_hs_error; |
1176 | 0 | } |
1177 | 3.50k | } |
1178 | | |
1179 | 6.12k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1180 | 6.12k | SSL3_MT_SERVER_HELLO_DONE) || |
1181 | 6.12k | !ssl_add_message_cbb(ssl, cbb.get())) { |
1182 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1183 | 0 | return ssl_hs_error; |
1184 | 0 | } |
1185 | | |
1186 | 6.12k | hs->state = state12_read_client_certificate; |
1187 | 6.12k | return ssl_hs_flush; |
1188 | 6.12k | } |
1189 | | |
1190 | 11.1k | static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { |
1191 | 11.1k | SSL *const ssl = hs->ssl; |
1192 | | |
1193 | 11.1k | if (hs->handback && hs->new_cipher->algorithm_mkey == SSL_kECDHE) { |
1194 | 0 | return ssl_hs_handback; |
1195 | 0 | } |
1196 | 11.1k | if (!hs->cert_request) { |
1197 | 2.62k | hs->state = state12_verify_client_certificate; |
1198 | 2.62k | return ssl_hs_ok; |
1199 | 2.62k | } |
1200 | | |
1201 | 8.55k | SSLMessage msg; |
1202 | 8.55k | if (!ssl->method->get_message(ssl, &msg)) { |
1203 | 5.28k | return ssl_hs_read_message; |
1204 | 5.28k | } |
1205 | | |
1206 | 3.26k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) { |
1207 | 5 | return ssl_hs_error; |
1208 | 5 | } |
1209 | | |
1210 | 3.26k | if (!ssl_hash_message(hs, msg)) { |
1211 | 0 | return ssl_hs_error; |
1212 | 0 | } |
1213 | | |
1214 | 3.26k | CBS certificate_msg = msg.body; |
1215 | 3.26k | uint8_t alert = SSL_AD_DECODE_ERROR; |
1216 | 3.26k | if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey, |
1217 | 3.26k | hs->config->retain_only_sha256_of_client_certs |
1218 | 3.26k | ? hs->new_session->peer_sha256 |
1219 | 3.26k | : nullptr, |
1220 | 3.26k | &certificate_msg, ssl->ctx->pool)) { |
1221 | 638 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
1222 | 638 | return ssl_hs_error; |
1223 | 638 | } |
1224 | | |
1225 | 2.62k | if (CBS_len(&certificate_msg) != 0 || |
1226 | 2.62k | !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) { |
1227 | 512 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1228 | 512 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1229 | 512 | return ssl_hs_error; |
1230 | 512 | } |
1231 | | |
1232 | 2.11k | if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) { |
1233 | | // No client certificate so the handshake buffer may be discarded. |
1234 | 31 | hs->transcript.FreeBuffer(); |
1235 | | |
1236 | 31 | if (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { |
1237 | | // Fail for TLS only if we required a certificate |
1238 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); |
1239 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
1240 | 0 | return ssl_hs_error; |
1241 | 0 | } |
1242 | | |
1243 | | // OpenSSL returns X509_V_OK when no certificates are received. This is |
1244 | | // classed by them as a bug, but it's assumed by at least NGINX. |
1245 | 31 | hs->new_session->verify_result = X509_V_OK; |
1246 | 2.08k | } else if (hs->config->retain_only_sha256_of_client_certs) { |
1247 | | // The hash will have been filled in. |
1248 | 0 | hs->new_session->peer_sha256_valid = true; |
1249 | 0 | } |
1250 | | |
1251 | 2.11k | ssl->method->next_message(ssl); |
1252 | 2.11k | hs->state = state12_verify_client_certificate; |
1253 | 2.11k | return ssl_hs_ok; |
1254 | 2.11k | } |
1255 | | |
1256 | 4.73k | static enum ssl_hs_wait_t do_verify_client_certificate(SSL_HANDSHAKE *hs) { |
1257 | 4.73k | if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) > 0) { |
1258 | 2.08k | switch (ssl_verify_peer_cert(hs)) { |
1259 | 2.08k | case ssl_verify_ok: |
1260 | 2.08k | break; |
1261 | 0 | case ssl_verify_invalid: |
1262 | 0 | return ssl_hs_error; |
1263 | 0 | case ssl_verify_retry: |
1264 | 0 | return ssl_hs_certificate_verify; |
1265 | 2.08k | } |
1266 | 2.08k | } |
1267 | | |
1268 | 4.73k | hs->state = state12_read_client_key_exchange; |
1269 | 4.73k | return ssl_hs_ok; |
1270 | 4.73k | } |
1271 | | |
1272 | 10.4k | static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { |
1273 | 10.4k | SSL *const ssl = hs->ssl; |
1274 | 10.4k | SSLMessage msg; |
1275 | 10.4k | if (!ssl->method->get_message(ssl, &msg)) { |
1276 | 7.02k | return ssl_hs_read_message; |
1277 | 7.02k | } |
1278 | | |
1279 | 3.39k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_KEY_EXCHANGE)) { |
1280 | 8 | return ssl_hs_error; |
1281 | 8 | } |
1282 | | |
1283 | 3.39k | CBS client_key_exchange = msg.body; |
1284 | 3.39k | uint32_t alg_k = hs->new_cipher->algorithm_mkey; |
1285 | 3.39k | uint32_t alg_a = hs->new_cipher->algorithm_auth; |
1286 | | |
1287 | | // If using a PSK key exchange, parse the PSK identity. |
1288 | 3.39k | if (alg_a & SSL_aPSK) { |
1289 | 0 | CBS psk_identity; |
1290 | | |
1291 | | // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK, |
1292 | | // then this is the only field in the message. |
1293 | 0 | if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) || |
1294 | 0 | ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) { |
1295 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1296 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1297 | 0 | return ssl_hs_error; |
1298 | 0 | } |
1299 | | |
1300 | 0 | if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN || |
1301 | 0 | CBS_contains_zero_byte(&psk_identity)) { |
1302 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); |
1303 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
1304 | 0 | return ssl_hs_error; |
1305 | 0 | } |
1306 | 0 | char *raw = nullptr; |
1307 | 0 | if (!CBS_strdup(&psk_identity, &raw)) { |
1308 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1309 | 0 | return ssl_hs_error; |
1310 | 0 | } |
1311 | 0 | hs->new_session->psk_identity.reset(raw); |
1312 | 0 | } |
1313 | | |
1314 | | // Depending on the key exchange method, compute |premaster_secret|. |
1315 | 3.39k | Array<uint8_t> premaster_secret; |
1316 | 3.39k | if (alg_k & SSL_kRSA) { |
1317 | 62 | CBS encrypted_premaster_secret; |
1318 | 62 | if (!CBS_get_u16_length_prefixed(&client_key_exchange, |
1319 | 62 | &encrypted_premaster_secret) || |
1320 | 62 | CBS_len(&client_key_exchange) != 0) { |
1321 | 16 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1322 | 16 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1323 | 16 | return ssl_hs_error; |
1324 | 16 | } |
1325 | | |
1326 | | // Allocate a buffer large enough for an RSA decryption. |
1327 | 46 | Array<uint8_t> decrypt_buf; |
1328 | 46 | if (!decrypt_buf.InitForOverwrite( |
1329 | 46 | EVP_PKEY_size(hs->credential->pubkey.get()))) { |
1330 | 0 | return ssl_hs_error; |
1331 | 0 | } |
1332 | | |
1333 | | // Decrypt with no padding. PKCS#1 padding will be removed as part of the |
1334 | | // timing-sensitive code below. |
1335 | 46 | size_t decrypt_len; |
1336 | 46 | switch (ssl_private_key_decrypt(hs, decrypt_buf.data(), &decrypt_len, |
1337 | 46 | decrypt_buf.size(), |
1338 | 46 | encrypted_premaster_secret)) { |
1339 | 33 | case ssl_private_key_success: |
1340 | 33 | break; |
1341 | 13 | case ssl_private_key_failure: |
1342 | 13 | return ssl_hs_error; |
1343 | 0 | case ssl_private_key_retry: |
1344 | 0 | return ssl_hs_private_key_operation; |
1345 | 46 | } |
1346 | | |
1347 | 33 | if (decrypt_len != decrypt_buf.size()) { |
1348 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); |
1349 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
1350 | 0 | return ssl_hs_error; |
1351 | 0 | } |
1352 | | |
1353 | 33 | CONSTTIME_SECRET(decrypt_buf.data(), decrypt_len); |
1354 | | |
1355 | | // Prepare a random premaster, to be used on invalid padding. See RFC 5246, |
1356 | | // section 7.4.7.1. |
1357 | 33 | if (!premaster_secret.InitForOverwrite(SSL_MAX_MASTER_KEY_LENGTH) || |
1358 | 33 | !RAND_bytes(premaster_secret.data(), premaster_secret.size())) { |
1359 | 0 | return ssl_hs_error; |
1360 | 0 | } |
1361 | | |
1362 | | // The smallest padded premaster is 11 bytes of overhead. Small keys are |
1363 | | // publicly invalid. |
1364 | 33 | if (decrypt_len < 11 + premaster_secret.size()) { |
1365 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); |
1366 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
1367 | 0 | return ssl_hs_error; |
1368 | 0 | } |
1369 | | |
1370 | | // Check the padding. See RFC 8017, section 7.2.2. |
1371 | 33 | size_t padding_len = decrypt_len - premaster_secret.size(); |
1372 | 33 | uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) & |
1373 | 33 | constant_time_eq_int_8(decrypt_buf[1], 2); |
1374 | 6.79k | for (size_t i = 2; i < padding_len - 1; i++) { |
1375 | 6.76k | good &= ~constant_time_is_zero_8(decrypt_buf[i]); |
1376 | 6.76k | } |
1377 | 33 | good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]); |
1378 | | |
1379 | | // The premaster secret must begin with |client_version|. This too must be |
1380 | | // checked in constant time (http://eprint.iacr.org/2003/052/). |
1381 | 33 | good &= constant_time_eq_8(decrypt_buf[padding_len], |
1382 | 33 | (unsigned)(hs->client_version >> 8)); |
1383 | 33 | good &= constant_time_eq_8(decrypt_buf[padding_len + 1], |
1384 | 33 | (unsigned)(hs->client_version & 0xff)); |
1385 | | |
1386 | | // Select, in constant time, either the decrypted premaster or the random |
1387 | | // premaster based on |good|. |
1388 | 1.61k | for (size_t i = 0; i < premaster_secret.size(); i++) { |
1389 | 1.58k | premaster_secret[i] = constant_time_select_8( |
1390 | 1.58k | good, decrypt_buf[padding_len + i], premaster_secret[i]); |
1391 | 1.58k | } |
1392 | 3.32k | } else if (alg_k & SSL_kECDHE) { |
1393 | | // Parse the ClientKeyExchange. |
1394 | 3.32k | CBS ciphertext; |
1395 | 3.32k | if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ciphertext) || |
1396 | 3.32k | CBS_len(&client_key_exchange) != 0) { |
1397 | 24 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1398 | 24 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1399 | 24 | return ssl_hs_error; |
1400 | 24 | } |
1401 | | |
1402 | | // Decapsulate the premaster secret. |
1403 | 3.30k | uint8_t alert = SSL_AD_DECODE_ERROR; |
1404 | 3.30k | if (!hs->key_shares[0]->Decap(&premaster_secret, &alert, ciphertext)) { |
1405 | 69 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
1406 | 69 | return ssl_hs_error; |
1407 | 69 | } |
1408 | | |
1409 | | // The key exchange state may now be discarded. |
1410 | 3.23k | hs->key_shares[0].reset(); |
1411 | 3.23k | hs->key_shares[1].reset(); |
1412 | 3.23k | } else if (!(alg_k & SSL_kPSK)) { |
1413 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1414 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
1415 | 0 | return ssl_hs_error; |
1416 | 0 | } |
1417 | | |
1418 | | // For a PSK cipher suite, the actual pre-master secret is combined with the |
1419 | | // pre-shared key. |
1420 | 3.26k | if (alg_a & SSL_aPSK) { |
1421 | 0 | if (hs->config->psk_server_callback == NULL) { |
1422 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1423 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1424 | 0 | return ssl_hs_error; |
1425 | 0 | } |
1426 | | |
1427 | | // Look up the key for the identity. |
1428 | 0 | uint8_t psk[PSK_MAX_PSK_LEN]; |
1429 | 0 | unsigned psk_len = hs->config->psk_server_callback( |
1430 | 0 | ssl, hs->new_session->psk_identity.get(), psk, sizeof(psk)); |
1431 | 0 | if (psk_len > PSK_MAX_PSK_LEN) { |
1432 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1433 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1434 | 0 | return ssl_hs_error; |
1435 | 0 | } else if (psk_len == 0) { |
1436 | | // PSK related to the given identity not found. |
1437 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); |
1438 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY); |
1439 | 0 | return ssl_hs_error; |
1440 | 0 | } |
1441 | | |
1442 | 0 | if (alg_k & SSL_kPSK) { |
1443 | | // In plain PSK, other_secret is a block of 0s with the same length as the |
1444 | | // pre-shared key. |
1445 | 0 | if (!premaster_secret.Init(psk_len)) { |
1446 | 0 | return ssl_hs_error; |
1447 | 0 | } |
1448 | 0 | } |
1449 | | |
1450 | 0 | ScopedCBB new_premaster; |
1451 | 0 | CBB child; |
1452 | 0 | if (!CBB_init(new_premaster.get(), |
1453 | 0 | 2 + psk_len + 2 + premaster_secret.size()) || |
1454 | 0 | !CBB_add_u16_length_prefixed(new_premaster.get(), &child) || |
1455 | 0 | !CBB_add_bytes(&child, premaster_secret.data(), |
1456 | 0 | premaster_secret.size()) || |
1457 | 0 | !CBB_add_u16_length_prefixed(new_premaster.get(), &child) || |
1458 | 0 | !CBB_add_bytes(&child, psk, psk_len) || |
1459 | 0 | !CBBFinishArray(new_premaster.get(), &premaster_secret)) { |
1460 | 0 | return ssl_hs_error; |
1461 | 0 | } |
1462 | 0 | } |
1463 | | |
1464 | 3.26k | if (!ssl_hash_message(hs, msg)) { |
1465 | 0 | return ssl_hs_error; |
1466 | 0 | } |
1467 | | |
1468 | | // Compute the master secret. |
1469 | 3.26k | hs->new_session->secret.ResizeForOverwrite(SSL3_MASTER_SECRET_SIZE); |
1470 | 3.26k | if (!tls1_generate_master_secret(hs, Span(hs->new_session->secret), |
1471 | 3.26k | premaster_secret)) { |
1472 | 0 | return ssl_hs_error; |
1473 | 0 | } |
1474 | 3.26k | hs->new_session->extended_master_secret = hs->extended_master_secret; |
1475 | | // Declassify the secret to undo the RSA decryption validation above. We are |
1476 | | // not currently running most of the TLS library with constant-time |
1477 | | // validation. |
1478 | | // TODO(crbug.com/42290551): Remove this and cover the TLS library too. |
1479 | 3.26k | CONSTTIME_DECLASSIFY(hs->new_session->secret.data(), |
1480 | 3.26k | hs->new_session->secret.size()); |
1481 | 3.26k | hs->can_release_private_key = true; |
1482 | | |
1483 | 3.26k | ssl->method->next_message(ssl); |
1484 | 3.26k | hs->state = state12_read_client_certificate_verify; |
1485 | 3.26k | return ssl_hs_ok; |
1486 | 3.26k | } |
1487 | | |
1488 | 5.77k | static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { |
1489 | 5.77k | SSL *const ssl = hs->ssl; |
1490 | | |
1491 | | // Only RSA and ECDSA client certificates are supported, so a |
1492 | | // CertificateVerify is required if and only if there's a client certificate. |
1493 | 5.77k | if (!hs->peer_pubkey) { |
1494 | 1.26k | hs->transcript.FreeBuffer(); |
1495 | 1.26k | hs->state = state12_read_change_cipher_spec; |
1496 | 1.26k | return ssl_hs_ok; |
1497 | 1.26k | } |
1498 | | |
1499 | 4.51k | SSLMessage msg; |
1500 | 4.51k | if (!ssl->method->get_message(ssl, &msg)) { |
1501 | 2.54k | return ssl_hs_read_message; |
1502 | 2.54k | } |
1503 | | |
1504 | 1.96k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY)) { |
1505 | 4 | return ssl_hs_error; |
1506 | 4 | } |
1507 | | |
1508 | | // The peer certificate must be valid for signing. |
1509 | 1.96k | const CRYPTO_BUFFER *leaf = |
1510 | 1.96k | sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0); |
1511 | 1.96k | CBS leaf_cbs; |
1512 | 1.96k | CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs); |
1513 | 1.96k | if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) { |
1514 | 29 | return ssl_hs_error; |
1515 | 29 | } |
1516 | | |
1517 | 1.93k | CBS certificate_verify = msg.body, signature; |
1518 | | |
1519 | | // Determine the signature algorithm. |
1520 | 1.93k | uint16_t signature_algorithm = 0; |
1521 | 1.93k | if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) { |
1522 | 1.27k | if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) { |
1523 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1524 | 3 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1525 | 3 | return ssl_hs_error; |
1526 | 3 | } |
1527 | 1.27k | uint8_t alert = SSL_AD_DECODE_ERROR; |
1528 | 1.27k | if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm, |
1529 | 1.27k | hs->peer_pubkey.get())) { |
1530 | 39 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
1531 | 39 | return ssl_hs_error; |
1532 | 39 | } |
1533 | 1.23k | hs->new_session->peer_signature_algorithm = signature_algorithm; |
1534 | 1.23k | } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm, |
1535 | 659 | hs->peer_pubkey.get())) { |
1536 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE); |
1537 | 3 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE); |
1538 | 3 | return ssl_hs_error; |
1539 | 3 | } |
1540 | | |
1541 | | // Parse and verify the signature. |
1542 | 1.89k | if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) || |
1543 | 1.89k | CBS_len(&certificate_verify) != 0) { |
1544 | 14 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1545 | 14 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1546 | 14 | return ssl_hs_error; |
1547 | 14 | } |
1548 | | |
1549 | 1.87k | if (!ssl_public_key_verify(ssl, signature, signature_algorithm, |
1550 | 1.87k | hs->peer_pubkey.get(), hs->transcript.buffer())) { |
1551 | 835 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); |
1552 | 835 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
1553 | 835 | return ssl_hs_error; |
1554 | 835 | } |
1555 | | |
1556 | | // The handshake buffer is no longer necessary, and we may hash the current |
1557 | | // message. |
1558 | 1.04k | hs->transcript.FreeBuffer(); |
1559 | 1.04k | if (!ssl_hash_message(hs, msg)) { |
1560 | 0 | return ssl_hs_error; |
1561 | 0 | } |
1562 | | |
1563 | 1.04k | ssl->method->next_message(ssl); |
1564 | 1.04k | hs->state = state12_read_change_cipher_spec; |
1565 | 1.04k | return ssl_hs_ok; |
1566 | 1.04k | } |
1567 | | |
1568 | 2.67k | static enum ssl_hs_wait_t do_read_change_cipher_spec(SSL_HANDSHAKE *hs) { |
1569 | 2.67k | if (hs->handback && hs->ssl->session != NULL) { |
1570 | 0 | return ssl_hs_handback; |
1571 | 0 | } |
1572 | 2.67k | hs->state = state12_process_change_cipher_spec; |
1573 | 2.67k | return ssl_hs_read_change_cipher_spec; |
1574 | 2.67k | } |
1575 | | |
1576 | 904 | static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) { |
1577 | 904 | if (!tls1_change_cipher_state(hs, evp_aead_open)) { |
1578 | 3 | return ssl_hs_error; |
1579 | 3 | } |
1580 | | |
1581 | 901 | hs->state = state12_read_next_proto; |
1582 | 901 | return ssl_hs_ok; |
1583 | 904 | } |
1584 | | |
1585 | 1.15k | static enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) { |
1586 | 1.15k | SSL *const ssl = hs->ssl; |
1587 | | |
1588 | 1.15k | if (!hs->next_proto_neg_seen) { |
1589 | 877 | hs->state = state12_read_channel_id; |
1590 | 877 | return ssl_hs_ok; |
1591 | 877 | } |
1592 | | |
1593 | 276 | SSLMessage msg; |
1594 | 276 | if (!ssl->method->get_message(ssl, &msg)) { |
1595 | 269 | return ssl_hs_read_message; |
1596 | 269 | } |
1597 | | |
1598 | 7 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEXT_PROTO) || |
1599 | 7 | !ssl_hash_message(hs, msg)) { |
1600 | 2 | return ssl_hs_error; |
1601 | 2 | } |
1602 | | |
1603 | 5 | CBS next_protocol = msg.body, selected_protocol, padding; |
1604 | 5 | if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) || |
1605 | 5 | !CBS_get_u8_length_prefixed(&next_protocol, &padding) || |
1606 | 5 | CBS_len(&next_protocol) != 0) { |
1607 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1608 | 3 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1609 | 3 | return ssl_hs_error; |
1610 | 3 | } |
1611 | | |
1612 | 2 | if (!ssl->s3->next_proto_negotiated.CopyFrom(selected_protocol)) { |
1613 | 0 | return ssl_hs_error; |
1614 | 0 | } |
1615 | | |
1616 | 2 | ssl->method->next_message(ssl); |
1617 | 2 | hs->state = state12_read_channel_id; |
1618 | 2 | return ssl_hs_ok; |
1619 | 2 | } |
1620 | | |
1621 | 4.28k | static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) { |
1622 | 4.28k | SSL *const ssl = hs->ssl; |
1623 | | |
1624 | 4.28k | if (!hs->channel_id_negotiated) { |
1625 | 599 | hs->state = state12_read_client_finished; |
1626 | 599 | return ssl_hs_ok; |
1627 | 599 | } |
1628 | | |
1629 | 3.68k | SSLMessage msg; |
1630 | 3.68k | if (!ssl->method->get_message(ssl, &msg)) { |
1631 | 3.48k | return ssl_hs_read_message; |
1632 | 3.48k | } |
1633 | | |
1634 | 200 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || |
1635 | 200 | !tls1_verify_channel_id(hs, msg) || // |
1636 | 200 | !ssl_hash_message(hs, msg)) { |
1637 | 42 | return ssl_hs_error; |
1638 | 42 | } |
1639 | | |
1640 | 158 | ssl->method->next_message(ssl); |
1641 | 158 | hs->state = state12_read_client_finished; |
1642 | 158 | return ssl_hs_ok; |
1643 | 200 | } |
1644 | | |
1645 | 2.59k | static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { |
1646 | 2.59k | SSL *const ssl = hs->ssl; |
1647 | 2.59k | enum ssl_hs_wait_t wait = ssl_get_finished(hs); |
1648 | 2.59k | if (wait != ssl_hs_ok) { |
1649 | 2.27k | return wait; |
1650 | 2.27k | } |
1651 | | |
1652 | 323 | if (ssl->session != NULL) { |
1653 | 40 | hs->state = state12_finish_server_handshake; |
1654 | 283 | } else { |
1655 | 283 | hs->state = state12_send_server_finished; |
1656 | 283 | } |
1657 | | |
1658 | | // If this is a full handshake with ChannelID then record the handshake |
1659 | | // hashes in |hs->new_session| in case we need them to verify a |
1660 | | // ChannelID signature on a resumption of this session in the future. |
1661 | 323 | if (ssl->session == NULL && ssl->s3->channel_id_valid && |
1662 | 323 | !tls1_record_handshake_hashes_for_channel_id(hs)) { |
1663 | 0 | return ssl_hs_error; |
1664 | 0 | } |
1665 | | |
1666 | 323 | return ssl_hs_ok; |
1667 | 323 | } |
1668 | | |
1669 | 653 | static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { |
1670 | 653 | SSL *const ssl = hs->ssl; |
1671 | | |
1672 | 653 | if (hs->ticket_expected) { |
1673 | 233 | const SSL_SESSION *session; |
1674 | 233 | UniquePtr<SSL_SESSION> session_copy; |
1675 | 233 | if (ssl->session == NULL) { |
1676 | | // Fix the timeout to measure from the ticket issuance time. |
1677 | 151 | ssl_session_rebase_time(ssl, hs->new_session.get()); |
1678 | 151 | session = hs->new_session.get(); |
1679 | 151 | } else { |
1680 | | // We are renewing an existing session. Duplicate the session to adjust |
1681 | | // the timeout. |
1682 | 82 | session_copy = |
1683 | 82 | SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH); |
1684 | 82 | if (!session_copy) { |
1685 | 0 | return ssl_hs_error; |
1686 | 0 | } |
1687 | | |
1688 | 82 | ssl_session_rebase_time(ssl, session_copy.get()); |
1689 | 82 | session = session_copy.get(); |
1690 | 82 | } |
1691 | | |
1692 | 233 | ScopedCBB cbb; |
1693 | 233 | CBB body, ticket; |
1694 | 233 | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1695 | 233 | SSL3_MT_NEW_SESSION_TICKET) || |
1696 | 233 | !CBB_add_u32(&body, session->timeout) || |
1697 | 233 | !CBB_add_u16_length_prefixed(&body, &ticket) || |
1698 | 233 | !ssl_encrypt_ticket(hs, &ticket, session) || |
1699 | | // |ticket| may be empty to skip sending a ticket. In TLS 1.2, servers |
1700 | | // skip sending tickets by sending empty NewSessionTicket, so no special |
1701 | | // handling is needed. |
1702 | 233 | !ssl_add_message_cbb(ssl, cbb.get())) { |
1703 | 0 | return ssl_hs_error; |
1704 | 0 | } |
1705 | 233 | } |
1706 | | |
1707 | 653 | if (!ssl->method->add_change_cipher_spec(ssl) || // |
1708 | 653 | !tls1_change_cipher_state(hs, evp_aead_seal) || // |
1709 | 653 | !ssl_send_finished(hs)) { |
1710 | 0 | return ssl_hs_error; |
1711 | 0 | } |
1712 | | |
1713 | 653 | if (ssl->session != NULL) { |
1714 | 370 | hs->state = state12_read_change_cipher_spec; |
1715 | 370 | } else { |
1716 | 283 | hs->state = state12_finish_server_handshake; |
1717 | 283 | } |
1718 | 653 | return ssl_hs_flush; |
1719 | 653 | } |
1720 | | |
1721 | 2.64k | static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) { |
1722 | 2.64k | SSL *const ssl = hs->ssl; |
1723 | | |
1724 | 2.64k | if (hs->handback) { |
1725 | 0 | return ssl_hs_handback; |
1726 | 0 | } |
1727 | | |
1728 | 2.64k | ssl->method->on_handshake_complete(ssl); |
1729 | | |
1730 | | // If we aren't retaining peer certificates then we can discard it now. |
1731 | 2.64k | if (hs->new_session != NULL && |
1732 | 2.64k | hs->config->retain_only_sha256_of_client_certs) { |
1733 | 0 | hs->new_session->certs.reset(); |
1734 | 0 | ssl->ctx->x509_method->session_clear(hs->new_session.get()); |
1735 | 0 | } |
1736 | | |
1737 | 2.64k | bool has_new_session = hs->new_session != nullptr; |
1738 | 2.64k | if (has_new_session) { |
1739 | 2.60k | assert(ssl->session == nullptr); |
1740 | 2.60k | ssl->s3->established_session = std::move(hs->new_session); |
1741 | 2.60k | ssl->s3->established_session->not_resumable = false; |
1742 | 2.60k | } else { |
1743 | 40 | assert(ssl->session != nullptr); |
1744 | 40 | ssl->s3->established_session = UpRef(ssl->session); |
1745 | 40 | } |
1746 | | |
1747 | 2.64k | hs->handshake_finalized = true; |
1748 | 2.64k | ssl->s3->initial_handshake_complete = true; |
1749 | 2.64k | if (has_new_session) { |
1750 | 2.60k | ssl_update_cache(ssl); |
1751 | 2.60k | } |
1752 | | |
1753 | 2.64k | hs->state = state12_done; |
1754 | 2.64k | return ssl_hs_ok; |
1755 | 2.64k | } |
1756 | | |
1757 | 131k | enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) { |
1758 | 228k | while (hs->state != state12_done) { |
1759 | 225k | enum ssl_hs_wait_t ret = ssl_hs_error; |
1760 | 225k | enum tls12_server_hs_state_t state = |
1761 | 225k | static_cast<enum tls12_server_hs_state_t>(hs->state); |
1762 | 225k | switch (state) { |
1763 | 14.3k | case state12_start_accept: |
1764 | 14.3k | ret = do_start_accept(hs); |
1765 | 14.3k | break; |
1766 | 71.5k | case state12_read_client_hello: |
1767 | 71.5k | ret = do_read_client_hello(hs); |
1768 | 71.5k | break; |
1769 | 12.0k | case state12_read_client_hello_after_ech: |
1770 | 12.0k | ret = do_read_client_hello_after_ech(hs); |
1771 | 12.0k | break; |
1772 | 11.0k | case state12_cert_callback: |
1773 | 11.0k | ret = do_cert_callback(hs); |
1774 | 11.0k | break; |
1775 | 37.6k | case state12_tls13: |
1776 | 37.6k | ret = do_tls13(hs); |
1777 | 37.6k | break; |
1778 | 6.89k | case state12_select_parameters: |
1779 | 6.89k | ret = do_select_parameters(hs); |
1780 | 6.89k | break; |
1781 | 6.49k | case state12_send_server_hello: |
1782 | 6.49k | ret = do_send_server_hello(hs); |
1783 | 6.49k | break; |
1784 | 6.12k | case state12_send_server_certificate: |
1785 | 6.12k | ret = do_send_server_certificate(hs); |
1786 | 6.12k | break; |
1787 | 6.12k | case state12_send_server_key_exchange: |
1788 | 6.12k | ret = do_send_server_key_exchange(hs); |
1789 | 6.12k | break; |
1790 | 6.12k | case state12_send_server_hello_done: |
1791 | 6.12k | ret = do_send_server_hello_done(hs); |
1792 | 6.12k | break; |
1793 | 11.1k | case state12_read_client_certificate: |
1794 | 11.1k | ret = do_read_client_certificate(hs); |
1795 | 11.1k | break; |
1796 | 4.73k | case state12_verify_client_certificate: |
1797 | 4.73k | ret = do_verify_client_certificate(hs); |
1798 | 4.73k | break; |
1799 | 10.4k | case state12_read_client_key_exchange: |
1800 | 10.4k | ret = do_read_client_key_exchange(hs); |
1801 | 10.4k | break; |
1802 | 5.77k | case state12_read_client_certificate_verify: |
1803 | 5.77k | ret = do_read_client_certificate_verify(hs); |
1804 | 5.77k | break; |
1805 | 2.67k | case state12_read_change_cipher_spec: |
1806 | 2.67k | ret = do_read_change_cipher_spec(hs); |
1807 | 2.67k | break; |
1808 | 904 | case state12_process_change_cipher_spec: |
1809 | 904 | ret = do_process_change_cipher_spec(hs); |
1810 | 904 | break; |
1811 | 1.15k | case state12_read_next_proto: |
1812 | 1.15k | ret = do_read_next_proto(hs); |
1813 | 1.15k | break; |
1814 | 4.28k | case state12_read_channel_id: |
1815 | 4.28k | ret = do_read_channel_id(hs); |
1816 | 4.28k | break; |
1817 | 2.59k | case state12_read_client_finished: |
1818 | 2.59k | ret = do_read_client_finished(hs); |
1819 | 2.59k | break; |
1820 | 653 | case state12_send_server_finished: |
1821 | 653 | ret = do_send_server_finished(hs); |
1822 | 653 | break; |
1823 | 2.64k | case state12_finish_server_handshake: |
1824 | 2.64k | ret = do_finish_server_handshake(hs); |
1825 | 2.64k | break; |
1826 | 0 | case state12_done: |
1827 | 0 | ret = ssl_hs_ok; |
1828 | 0 | break; |
1829 | 225k | } |
1830 | | |
1831 | 225k | if (hs->state != state) { |
1832 | 106k | ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1); |
1833 | 106k | } |
1834 | | |
1835 | 225k | if (ret != ssl_hs_ok) { |
1836 | 128k | return ret; |
1837 | 128k | } |
1838 | 225k | } |
1839 | | |
1840 | 2.64k | ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1); |
1841 | 2.64k | return ssl_hs_ok; |
1842 | 131k | } |
1843 | | |
1844 | 0 | const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) { |
1845 | 0 | enum tls12_server_hs_state_t state = |
1846 | 0 | static_cast<enum tls12_server_hs_state_t>(hs->state); |
1847 | 0 | switch (state) { |
1848 | 0 | case state12_start_accept: |
1849 | 0 | return "TLS server start_accept"; |
1850 | 0 | case state12_read_client_hello: |
1851 | 0 | return "TLS server read_client_hello"; |
1852 | 0 | case state12_read_client_hello_after_ech: |
1853 | 0 | return "TLS server read_client_hello_after_ech"; |
1854 | 0 | case state12_cert_callback: |
1855 | 0 | return "TLS server cert_callback"; |
1856 | 0 | case state12_tls13: |
1857 | 0 | return tls13_server_handshake_state(hs); |
1858 | 0 | case state12_select_parameters: |
1859 | 0 | return "TLS server select_parameters"; |
1860 | 0 | case state12_send_server_hello: |
1861 | 0 | return "TLS server send_server_hello"; |
1862 | 0 | case state12_send_server_certificate: |
1863 | 0 | return "TLS server send_server_certificate"; |
1864 | 0 | case state12_send_server_key_exchange: |
1865 | 0 | return "TLS server send_server_key_exchange"; |
1866 | 0 | case state12_send_server_hello_done: |
1867 | 0 | return "TLS server send_server_hello_done"; |
1868 | 0 | case state12_read_client_certificate: |
1869 | 0 | return "TLS server read_client_certificate"; |
1870 | 0 | case state12_verify_client_certificate: |
1871 | 0 | return "TLS server verify_client_certificate"; |
1872 | 0 | case state12_read_client_key_exchange: |
1873 | 0 | return "TLS server read_client_key_exchange"; |
1874 | 0 | case state12_read_client_certificate_verify: |
1875 | 0 | return "TLS server read_client_certificate_verify"; |
1876 | 0 | case state12_read_change_cipher_spec: |
1877 | 0 | return "TLS server read_change_cipher_spec"; |
1878 | 0 | case state12_process_change_cipher_spec: |
1879 | 0 | return "TLS server process_change_cipher_spec"; |
1880 | 0 | case state12_read_next_proto: |
1881 | 0 | return "TLS server read_next_proto"; |
1882 | 0 | case state12_read_channel_id: |
1883 | 0 | return "TLS server read_channel_id"; |
1884 | 0 | case state12_read_client_finished: |
1885 | 0 | return "TLS server read_client_finished"; |
1886 | 0 | case state12_send_server_finished: |
1887 | 0 | return "TLS server send_server_finished"; |
1888 | 0 | case state12_finish_server_handshake: |
1889 | 0 | return "TLS server finish_server_handshake"; |
1890 | 0 | case state12_done: |
1891 | 0 | return "TLS server done"; |
1892 | 0 | } |
1893 | | |
1894 | 0 | return "TLS server unknown"; |
1895 | 0 | } |
1896 | | |
1897 | | BSSL_NAMESPACE_END |