/src/boringssl/ssl/handshake_server.cc
Line | Count | Source |
1 | | // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
2 | | // Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved. |
3 | | // Copyright 2005 Nokia. All rights reserved. |
4 | | // |
5 | | // Licensed under the Apache License, Version 2.0 (the "License"); |
6 | | // you may not use this file except in compliance with the License. |
7 | | // You may obtain a copy of the License at |
8 | | // |
9 | | // https://www.apache.org/licenses/LICENSE-2.0 |
10 | | // |
11 | | // Unless required by applicable law or agreed to in writing, software |
12 | | // distributed under the License is distributed on an "AS IS" BASIS, |
13 | | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14 | | // See the License for the specific language governing permissions and |
15 | | // limitations under the License. |
16 | | |
17 | | #include <openssl/ssl.h> |
18 | | |
19 | | #include <assert.h> |
20 | | #include <string.h> |
21 | | |
22 | | #include <openssl/bn.h> |
23 | | #include <openssl/bytestring.h> |
24 | | #include <openssl/cipher.h> |
25 | | #include <openssl/curve25519.h> |
26 | | #include <openssl/digest.h> |
27 | | #include <openssl/ec.h> |
28 | | #include <openssl/ecdsa.h> |
29 | | #include <openssl/err.h> |
30 | | #include <openssl/evp.h> |
31 | | #include <openssl/hmac.h> |
32 | | #include <openssl/md5.h> |
33 | | #include <openssl/mem.h> |
34 | | #include <openssl/nid.h> |
35 | | #include <openssl/rand.h> |
36 | | #include <openssl/x509.h> |
37 | | |
38 | | #include "../crypto/bytestring/internal.h" |
39 | | #include "../crypto/internal.h" |
40 | | #include "internal.h" |
41 | | |
42 | | |
43 | | BSSL_NAMESPACE_BEGIN |
44 | | |
45 | | bool ssl_client_cipher_list_contains_cipher( |
46 | 19.7k | const SSL_CLIENT_HELLO *client_hello, uint16_t id) { |
47 | 19.7k | CBS cipher_suites; |
48 | 19.7k | CBS_init(&cipher_suites, client_hello->cipher_suites, |
49 | 19.7k | client_hello->cipher_suites_len); |
50 | | |
51 | 286k | while (CBS_len(&cipher_suites) > 0) { |
52 | 267k | uint16_t got_id; |
53 | 267k | if (!CBS_get_u16(&cipher_suites, &got_id)) { |
54 | 0 | return false; |
55 | 0 | } |
56 | | |
57 | 267k | if (got_id == id) { |
58 | 395 | return true; |
59 | 395 | } |
60 | 267k | } |
61 | | |
62 | 19.3k | return false; |
63 | 19.7k | } |
64 | | |
65 | | static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
66 | 13.8k | const SSL_CLIENT_HELLO *client_hello) { |
67 | 13.8k | SSL *const ssl = hs->ssl; |
68 | 13.8k | assert(ssl->s3->version == 0); |
69 | 13.8k | CBS supported_versions, versions; |
70 | 13.8k | if (ssl_client_hello_get_extension(client_hello, &supported_versions, |
71 | 13.8k | TLSEXT_TYPE_supported_versions)) { |
72 | 4.84k | if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) || // |
73 | 4.83k | CBS_len(&supported_versions) != 0 || // |
74 | 4.83k | CBS_len(&versions) == 0) { |
75 | 17 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
76 | 17 | *out_alert = SSL_AD_DECODE_ERROR; |
77 | 17 | return false; |
78 | 17 | } |
79 | 9.01k | } else { |
80 | | // Convert the ClientHello version to an equivalent supported_versions |
81 | | // extension. |
82 | 9.01k | static const uint8_t kTLSVersions[] = { |
83 | 9.01k | 0x03, 0x03, // TLS 1.2 |
84 | 9.01k | 0x03, 0x02, // TLS 1.1 |
85 | 9.01k | 0x03, 0x01, // TLS 1 |
86 | 9.01k | }; |
87 | | |
88 | 9.01k | static const uint8_t kDTLSVersions[] = { |
89 | 9.01k | 0xfe, 0xfd, // DTLS 1.2 |
90 | 9.01k | 0xfe, 0xff, // DTLS 1.0 |
91 | 9.01k | }; |
92 | | |
93 | 9.01k | size_t versions_len = 0; |
94 | 9.01k | if (SSL_is_dtls(ssl)) { |
95 | 1.97k | if (client_hello->version <= DTLS1_2_VERSION) { |
96 | 1.36k | versions_len = 4; |
97 | 1.36k | } else if (client_hello->version <= DTLS1_VERSION) { |
98 | 611 | versions_len = 2; |
99 | 611 | } |
100 | 1.97k | versions = Span(kDTLSVersions).last(versions_len); |
101 | 7.04k | } else { |
102 | 7.04k | if (client_hello->version >= TLS1_2_VERSION) { |
103 | 4.61k | versions_len = 6; |
104 | 4.61k | } else if (client_hello->version >= TLS1_1_VERSION) { |
105 | 680 | versions_len = 4; |
106 | 1.74k | } else if (client_hello->version >= TLS1_VERSION) { |
107 | 1.72k | versions_len = 2; |
108 | 1.72k | } |
109 | 7.04k | versions = Span(kTLSVersions).last(versions_len); |
110 | 7.04k | } |
111 | 9.01k | } |
112 | | |
113 | 13.8k | if (!ssl_negotiate_version(hs, out_alert, &ssl->s3->version, &versions)) { |
114 | 51 | return false; |
115 | 51 | } |
116 | | |
117 | | // Handle FALLBACK_SCSV. |
118 | 13.7k | if (ssl_client_cipher_list_contains_cipher(client_hello, |
119 | 13.7k | SSL_CIPHER_FALLBACK_SCSV) && |
120 | 28 | ssl_protocol_version(ssl) < hs->max_version) { |
121 | 7 | OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK); |
122 | 7 | *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK; |
123 | 7 | return false; |
124 | 7 | } |
125 | | |
126 | 13.7k | return true; |
127 | 13.7k | } |
128 | | |
129 | | static UniquePtr<STACK_OF(SSL_CIPHER)> ssl_parse_client_cipher_list( |
130 | 7.96k | const SSL_CLIENT_HELLO *client_hello) { |
131 | 7.96k | CBS cipher_suites; |
132 | 7.96k | CBS_init(&cipher_suites, client_hello->cipher_suites, |
133 | 7.96k | client_hello->cipher_suites_len); |
134 | | |
135 | 7.96k | UniquePtr<STACK_OF(SSL_CIPHER)> sk(sk_SSL_CIPHER_new_null()); |
136 | 7.96k | if (!sk) { |
137 | 0 | return nullptr; |
138 | 0 | } |
139 | | |
140 | 103k | while (CBS_len(&cipher_suites) > 0) { |
141 | 95.1k | uint16_t cipher_suite; |
142 | | |
143 | 95.1k | if (!CBS_get_u16(&cipher_suites, &cipher_suite)) { |
144 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); |
145 | 0 | return nullptr; |
146 | 0 | } |
147 | | |
148 | 95.1k | const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite); |
149 | 95.1k | if (c != nullptr && !sk_SSL_CIPHER_push(sk.get(), c)) { |
150 | 0 | return nullptr; |
151 | 0 | } |
152 | 95.1k | } |
153 | | |
154 | 7.96k | return sk; |
155 | 7.96k | } |
156 | | |
157 | | static const SSL_CIPHER *choose_cipher(SSL_HANDSHAKE *hs, |
158 | | const STACK_OF(SSL_CIPHER) *client_pref, |
159 | 7.96k | uint32_t mask_k, uint32_t mask_a) { |
160 | 7.96k | SSL *const ssl = hs->ssl; |
161 | 7.96k | const STACK_OF(SSL_CIPHER) *prio, *allow; |
162 | | // in_group_flags will either be NULL, or will point to an array of bytes |
163 | | // which indicate equal-preference groups in the |prio| stack. See the |
164 | | // comment about |in_group_flags| in the |SSLCipherPreferenceList| |
165 | | // struct. |
166 | 7.96k | const bool *in_group_flags; |
167 | | // best_index contains the index of the best matching cipher suite found so |
168 | | // far, indexed into |allow|. If |best_index| is |SIZE_MAX|, no matching |
169 | | // cipher suite has been found yet. |
170 | 7.96k | size_t best_index = SIZE_MAX; |
171 | | |
172 | 7.96k | const SSLCipherPreferenceList *server_pref = |
173 | 7.96k | hs->config->cipher_list ? hs->config->cipher_list.get() |
174 | 7.96k | : ssl->ctx->cipher_list.get(); |
175 | 7.96k | if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) { |
176 | 0 | prio = server_pref->ciphers.get(); |
177 | 0 | in_group_flags = server_pref->in_group_flags; |
178 | 0 | allow = client_pref; |
179 | 7.96k | } else { |
180 | 7.96k | prio = client_pref; |
181 | 7.96k | in_group_flags = nullptr; |
182 | 7.96k | allow = server_pref->ciphers.get(); |
183 | 7.96k | } |
184 | | |
185 | 22.5k | for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) { |
186 | 22.0k | const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i); |
187 | 22.0k | const bool in_group = in_group_flags != nullptr && in_group_flags[i]; |
188 | | |
189 | 22.0k | size_t cipher_index; |
190 | 22.0k | if ( // Check if the cipher is supported for the current version. |
191 | 22.0k | SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) && // |
192 | 12.0k | ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) && // |
193 | | // Check the cipher is supported for the server configuration. |
194 | 12.0k | (c->algorithm_mkey & mask_k) && // |
195 | 10.1k | (c->algorithm_auth & mask_a) && // |
196 | | // Check the cipher is in the |allow| list. |
197 | 7.71k | sk_SSL_CIPHER_find(allow, &cipher_index, c)) { |
198 | | // Within a group, |allow|'s preference order applies. |
199 | 7.50k | if (best_index == SIZE_MAX || best_index > cipher_index) { |
200 | 7.50k | best_index = cipher_index; |
201 | 7.50k | } |
202 | 7.50k | } |
203 | | |
204 | | // We are about to leave a (possibly singleton) group, but we found a match |
205 | | // in it, so that's our answer. |
206 | 22.0k | if (!in_group && best_index != SIZE_MAX) { |
207 | 7.50k | return sk_SSL_CIPHER_value(allow, best_index); |
208 | 7.50k | } |
209 | 22.0k | } |
210 | | |
211 | | // The final cipher suite must end a group, so, if we found a match, we must |
212 | | // have returned early above. |
213 | 7.96k | assert(best_index == SIZE_MAX); |
214 | 456 | OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); |
215 | 456 | return nullptr; |
216 | 456 | } |
217 | | |
218 | | struct TLS12ServerParams { |
219 | 15.9k | bool ok() const { return cipher != nullptr; } |
220 | | |
221 | | const SSL_CIPHER *cipher = nullptr; |
222 | | uint16_t signature_algorithm = 0; |
223 | | }; |
224 | | |
225 | | static TLS12ServerParams choose_params(SSL_HANDSHAKE *hs, |
226 | | const SSL_CREDENTIAL *cred, |
227 | | const STACK_OF(SSL_CIPHER) *client_pref, |
228 | 7.96k | bool has_ecdhe_group) { |
229 | | // Determine the usable cipher suites. |
230 | 7.96k | uint32_t mask_k = 0, mask_a = 0; |
231 | 7.96k | if (has_ecdhe_group) { |
232 | 6.40k | mask_k |= SSL_kECDHE; |
233 | 6.40k | } |
234 | 7.96k | if (hs->config->psk_server_callback != nullptr) { |
235 | 0 | mask_k |= SSL_kPSK; |
236 | 0 | mask_a |= SSL_aPSK; |
237 | 0 | } |
238 | 7.96k | uint16_t sigalg = 0; |
239 | 7.96k | if (cred != nullptr && cred->type == SSLCredentialType::kX509) { |
240 | 7.96k | bool sign_ok = tls1_choose_signature_algorithm(hs, cred, &sigalg); |
241 | 7.96k | ERR_clear_error(); |
242 | | |
243 | | // ECDSA keys must additionally be checked against the peer's supported |
244 | | // curve list. |
245 | 7.96k | int key_type = EVP_PKEY_id(cred->pubkey.get()); |
246 | 7.96k | if (key_type == EVP_PKEY_EC) { |
247 | 0 | uint16_t group_id; |
248 | 0 | if (!ssl_nid_to_group_id(&group_id, |
249 | 0 | EVP_PKEY_get_ec_curve_nid(cred->pubkey.get())) || |
250 | 0 | std::find(hs->peer_supported_group_list.begin(), |
251 | 0 | hs->peer_supported_group_list.end(), |
252 | 0 | group_id) == hs->peer_supported_group_list.end()) { |
253 | 0 | sign_ok = false; |
254 | | |
255 | | // If this would make us unable to pick any cipher, return an error. |
256 | | // This is not strictly necessary, but it gives us a more specific |
257 | | // error to help the caller diagnose issues. |
258 | 0 | if (mask_a == 0) { |
259 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); |
260 | 0 | return TLS12ServerParams(); |
261 | 0 | } |
262 | 0 | } |
263 | 0 | } |
264 | | |
265 | 7.96k | mask_a |= ssl_cipher_auth_mask_for_key(cred->pubkey.get(), sign_ok); |
266 | 7.96k | if (key_type == EVP_PKEY_RSA) { |
267 | 7.96k | mask_k |= SSL_kRSA; |
268 | 7.96k | } |
269 | 7.96k | } |
270 | | |
271 | 7.96k | TLS12ServerParams params; |
272 | 7.96k | params.cipher = choose_cipher(hs, client_pref, mask_k, mask_a); |
273 | 7.96k | if (params.cipher == nullptr || |
274 | 7.50k | (cred != nullptr && |
275 | 7.50k | !ssl_credential_matches_requested_issuers(hs, cred))) { |
276 | 456 | return TLS12ServerParams(); |
277 | 456 | } |
278 | | // Only report the selected signature algorithm if it will be used. |
279 | 7.50k | if (ssl_cipher_requires_server_key_exchange(params.cipher) && |
280 | 6.15k | ssl_cipher_uses_certificate_auth(params.cipher)) { |
281 | 6.15k | params.signature_algorithm = sigalg; |
282 | 6.15k | } |
283 | 7.50k | return params; |
284 | 7.96k | } |
285 | | |
286 | 16.2k | static enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) { |
287 | 16.2k | ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1); |
288 | 16.2k | hs->state = state12_read_client_hello; |
289 | 16.2k | return ssl_hs_ok; |
290 | 16.2k | } |
291 | | |
292 | | // is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent |
293 | | // from a JDK 11 client with both TLS 1.3 and a prior version enabled. |
294 | 0 | static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) { |
295 | | // JDK 11 ClientHellos contain a number of unusual properties which should |
296 | | // limit false positives. |
297 | | |
298 | | // JDK 11 does not support ChaCha20-Poly1305. This is unusual: many modern |
299 | | // clients implement ChaCha20-Poly1305. |
300 | 0 | if (ssl_client_cipher_list_contains_cipher( |
301 | 0 | client_hello, SSL_CIPHER_CHACHA20_POLY1305_SHA256)) { |
302 | 0 | return false; |
303 | 0 | } |
304 | | |
305 | | // JDK 11 always sends extensions in a particular order. |
306 | 0 | constexpr uint16_t kMaxFragmentLength = 0x0001; |
307 | 0 | constexpr uint16_t kStatusRequestV2 = 0x0011; |
308 | 0 | static constexpr struct { |
309 | 0 | uint16_t id; |
310 | 0 | bool required; |
311 | 0 | } kJavaExtensions[] = { |
312 | 0 | {TLSEXT_TYPE_server_name, false}, |
313 | 0 | {kMaxFragmentLength, false}, |
314 | 0 | {TLSEXT_TYPE_status_request, false}, |
315 | 0 | {TLSEXT_TYPE_supported_groups, true}, |
316 | 0 | {TLSEXT_TYPE_ec_point_formats, false}, |
317 | 0 | {TLSEXT_TYPE_signature_algorithms, true}, |
318 | | // Java always sends signature_algorithms_cert. |
319 | 0 | {TLSEXT_TYPE_signature_algorithms_cert, true}, |
320 | 0 | {TLSEXT_TYPE_application_layer_protocol_negotiation, false}, |
321 | 0 | {kStatusRequestV2, false}, |
322 | 0 | {TLSEXT_TYPE_extended_master_secret, false}, |
323 | 0 | {TLSEXT_TYPE_supported_versions, true}, |
324 | 0 | {TLSEXT_TYPE_cookie, false}, |
325 | 0 | {TLSEXT_TYPE_psk_key_exchange_modes, true}, |
326 | 0 | {TLSEXT_TYPE_key_share, true}, |
327 | 0 | {TLSEXT_TYPE_renegotiate, false}, |
328 | 0 | {TLSEXT_TYPE_pre_shared_key, false}, |
329 | 0 | }; |
330 | 0 | Span<const uint8_t> sigalgs, sigalgs_cert; |
331 | 0 | bool has_status_request = false, has_status_request_v2 = false; |
332 | 0 | CBS extensions, supported_groups; |
333 | 0 | CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len); |
334 | 0 | for (const auto &java_extension : kJavaExtensions) { |
335 | 0 | CBS copy = extensions; |
336 | 0 | uint16_t id; |
337 | 0 | if (CBS_get_u16(©, &id) && id == java_extension.id) { |
338 | | // The next extension is the one we expected. |
339 | 0 | extensions = copy; |
340 | 0 | CBS body; |
341 | 0 | if (!CBS_get_u16_length_prefixed(&extensions, &body)) { |
342 | 0 | return false; |
343 | 0 | } |
344 | 0 | switch (id) { |
345 | 0 | case TLSEXT_TYPE_status_request: |
346 | 0 | has_status_request = true; |
347 | 0 | break; |
348 | 0 | case kStatusRequestV2: |
349 | 0 | has_status_request_v2 = true; |
350 | 0 | break; |
351 | 0 | case TLSEXT_TYPE_signature_algorithms: |
352 | 0 | sigalgs = body; |
353 | 0 | break; |
354 | 0 | case TLSEXT_TYPE_signature_algorithms_cert: |
355 | 0 | sigalgs_cert = body; |
356 | 0 | break; |
357 | 0 | case TLSEXT_TYPE_supported_groups: |
358 | 0 | supported_groups = body; |
359 | 0 | break; |
360 | 0 | } |
361 | 0 | } else if (java_extension.required) { |
362 | 0 | return false; |
363 | 0 | } |
364 | 0 | } |
365 | 0 | if (CBS_len(&extensions) != 0) { |
366 | 0 | return false; |
367 | 0 | } |
368 | | |
369 | | // JDK 11 never advertises X25519. It is not offered by default, and |
370 | | // -Djdk.tls.namedGroups=x25519 does not work. This is unusual: many modern |
371 | | // clients implement X25519. |
372 | 0 | while (CBS_len(&supported_groups) > 0) { |
373 | 0 | uint16_t group; |
374 | 0 | if (!CBS_get_u16(&supported_groups, &group) || // |
375 | 0 | group == SSL_GROUP_X25519) { |
376 | 0 | return false; |
377 | 0 | } |
378 | 0 | } |
379 | | |
380 | 0 | if ( // JDK 11 always sends the same contents in signature_algorithms and |
381 | | // signature_algorithms_cert. This is unusual: |
382 | | // signature_algorithms_cert, if omitted, is treated as if it were |
383 | | // signature_algorithms. |
384 | 0 | sigalgs != sigalgs_cert || |
385 | | // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it |
386 | | // sends status_request. This is unusual: status_request_v2 is not widely |
387 | | // implemented. |
388 | 0 | has_status_request != has_status_request_v2) { |
389 | 0 | return false; |
390 | 0 | } |
391 | | |
392 | 0 | return true; |
393 | 0 | } |
394 | | |
395 | | static bool decrypt_ech(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
396 | 14.0k | const SSL_CLIENT_HELLO *client_hello) { |
397 | 14.0k | SSL *const ssl = hs->ssl; |
398 | 14.0k | CBS body; |
399 | 14.0k | if (!ssl_client_hello_get_extension(client_hello, &body, |
400 | 14.0k | TLSEXT_TYPE_encrypted_client_hello)) { |
401 | 13.4k | return true; |
402 | 13.4k | } |
403 | 649 | uint8_t type; |
404 | 649 | if (!CBS_get_u8(&body, &type)) { |
405 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
406 | 3 | *out_alert = SSL_AD_DECODE_ERROR; |
407 | 3 | return false; |
408 | 3 | } |
409 | 646 | if (type != ECH_CLIENT_OUTER) { |
410 | 184 | return true; |
411 | 184 | } |
412 | | // This is a ClientHelloOuter ECH extension. Attempt to decrypt it. |
413 | 462 | uint8_t config_id; |
414 | 462 | uint16_t kdf_id, aead_id; |
415 | 462 | CBS enc, payload; |
416 | 462 | if (!CBS_get_u16(&body, &kdf_id) || // |
417 | 459 | !CBS_get_u16(&body, &aead_id) || // |
418 | 456 | !CBS_get_u8(&body, &config_id) || |
419 | 453 | !CBS_get_u16_length_prefixed(&body, &enc) || |
420 | 449 | !CBS_get_u16_length_prefixed(&body, &payload) || // |
421 | 445 | CBS_len(&body) != 0) { |
422 | 20 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
423 | 20 | *out_alert = SSL_AD_DECODE_ERROR; |
424 | 20 | return false; |
425 | 20 | } |
426 | | |
427 | 442 | { |
428 | 442 | MutexReadLock lock(&ssl->ctx->lock); |
429 | 442 | hs->ech_keys = UpRef(ssl->ctx->ech_keys); |
430 | 442 | } |
431 | | |
432 | 442 | if (!hs->ech_keys) { |
433 | 0 | ssl->s3->ech_status = ssl_ech_rejected; |
434 | 0 | return true; |
435 | 0 | } |
436 | | |
437 | 442 | for (const auto &config : hs->ech_keys->configs) { |
438 | 442 | hs->ech_hpke_ctx.Reset(); |
439 | 442 | if (config_id != config->ech_config().config_id || |
440 | 413 | !config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id, enc)) { |
441 | | // Ignore the error and try another ECHConfig. |
442 | 120 | ERR_clear_error(); |
443 | 120 | continue; |
444 | 120 | } |
445 | 322 | bool is_decrypt_error; |
446 | 322 | if (!ssl_client_hello_decrypt(hs, out_alert, &is_decrypt_error, |
447 | 322 | &hs->ech_client_hello_buf, client_hello, |
448 | 322 | payload)) { |
449 | 188 | if (is_decrypt_error) { |
450 | | // Ignore the error and try another ECHConfig. |
451 | 47 | ERR_clear_error(); |
452 | | // The |out_alert| calling convention currently relies on a default of |
453 | | // |SSL_AD_DECODE_ERROR|. https://crbug.com/boringssl/373 tracks |
454 | | // switching to sum types, which avoids this. |
455 | 47 | *out_alert = SSL_AD_DECODE_ERROR; |
456 | 47 | continue; |
457 | 47 | } |
458 | 141 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); |
459 | 141 | return false; |
460 | 188 | } |
461 | 134 | hs->ech_config_id = config_id; |
462 | 134 | ssl->s3->ech_status = ssl_ech_accepted; |
463 | 134 | return true; |
464 | 322 | } |
465 | | |
466 | | // If we did not accept ECH, proceed with the ClientHelloOuter. Note this |
467 | | // could be key mismatch or ECH GREASE, so we must complete the handshake |
468 | | // as usual, except EncryptedExtensions will contain retry configs. |
469 | 167 | ssl->s3->ech_status = ssl_ech_rejected; |
470 | 167 | return true; |
471 | 442 | } |
472 | | |
473 | | static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert, |
474 | 13.9k | const SSL_CLIENT_HELLO *client_hello) { |
475 | 13.9k | SSL *const ssl = hs->ssl; |
476 | 13.9k | CBS sni; |
477 | 13.9k | if (!ssl_client_hello_get_extension(client_hello, &sni, |
478 | 13.9k | TLSEXT_TYPE_server_name)) { |
479 | | // No SNI extension to parse. |
480 | | // |
481 | | // Clear state in case we previously extracted SNI from ClientHelloOuter. |
482 | 5.48k | ssl->s3->hostname.reset(); |
483 | 5.48k | return true; |
484 | 5.48k | } |
485 | | |
486 | 8.44k | CBS server_name_list, host_name; |
487 | 8.44k | uint8_t name_type; |
488 | 8.44k | if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) || // |
489 | 8.42k | !CBS_get_u8(&server_name_list, &name_type) || // |
490 | | // Although the server_name extension was intended to be extensible to |
491 | | // new name types and multiple names, OpenSSL 1.0.x had a bug which meant |
492 | | // different name types will cause an error. Further, RFC 4366 originally |
493 | | // defined syntax inextensibly. RFC 6066 corrected this mistake, but |
494 | | // adding new name types is no longer feasible. |
495 | | // |
496 | | // Act as if the extensibility does not exist to simplify parsing. |
497 | 8.41k | !CBS_get_u16_length_prefixed(&server_name_list, &host_name) || // |
498 | 8.41k | CBS_len(&server_name_list) != 0 || // |
499 | 8.41k | CBS_len(&sni) != 0) { |
500 | 35 | *out_alert = SSL_AD_DECODE_ERROR; |
501 | 35 | return false; |
502 | 35 | } |
503 | | |
504 | 8.40k | if (name_type != TLSEXT_NAMETYPE_host_name || // |
505 | 8.38k | CBS_len(&host_name) == 0 || // |
506 | 8.38k | CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || // |
507 | 8.38k | CBS_contains_zero_byte(&host_name)) { |
508 | 25 | *out_alert = SSL_AD_UNRECOGNIZED_NAME; |
509 | 25 | return false; |
510 | 25 | } |
511 | | |
512 | | // Copy the hostname as a string. |
513 | 8.38k | char *raw = nullptr; |
514 | 8.38k | if (!CBS_strdup(&host_name, &raw)) { |
515 | 0 | *out_alert = SSL_AD_INTERNAL_ERROR; |
516 | 0 | return false; |
517 | 0 | } |
518 | 8.38k | ssl->s3->hostname.reset(raw); |
519 | 8.38k | return true; |
520 | 8.38k | } |
521 | | |
522 | 87.4k | static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) { |
523 | 87.4k | SSL *const ssl = hs->ssl; |
524 | | |
525 | 87.4k | SSLMessage msg; |
526 | 87.4k | if (!ssl->method->get_message(ssl, &msg)) { |
527 | 73.1k | return ssl_hs_read_message; |
528 | 73.1k | } |
529 | | |
530 | 14.3k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) { |
531 | 31 | return ssl_hs_error; |
532 | 31 | } |
533 | | |
534 | 14.3k | SSL_CLIENT_HELLO client_hello; |
535 | 14.3k | if (!SSL_parse_client_hello(ssl, &client_hello, CBS_data(&msg.body), |
536 | 14.3k | CBS_len(&msg.body))) { |
537 | 196 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
538 | 196 | return ssl_hs_error; |
539 | 196 | } |
540 | | |
541 | | // ClientHello should be the end of the flight. We check this early to cover |
542 | | // all protocol versions. |
543 | 14.1k | if (ssl->method->has_unprocessed_handshake_data(ssl)) { |
544 | 14 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); |
545 | 14 | OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA); |
546 | 14 | return ssl_hs_error; |
547 | 14 | } |
548 | | |
549 | 14.0k | if (hs->config->handoff) { |
550 | 6 | return ssl_hs_handoff; |
551 | 6 | } |
552 | | |
553 | 14.0k | uint8_t alert = SSL_AD_DECODE_ERROR; |
554 | | // We check for rejection status in case we've rewound the state machine after |
555 | | // determining `ClientHelloInner` is invalid. |
556 | 14.0k | if (ssl->s3->ech_status != ssl_ech_rejected && |
557 | 14.0k | !decrypt_ech(hs, &alert, &client_hello)) { |
558 | 164 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
559 | 164 | return ssl_hs_error; |
560 | 164 | } |
561 | | |
562 | | // ECH may have changed which ClientHello we process. Update |msg| and |
563 | | // |client_hello| in case. |
564 | 13.9k | if (!hs->GetClientHello(&msg, &client_hello)) { |
565 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
566 | 0 | return ssl_hs_error; |
567 | 0 | } |
568 | | |
569 | 13.9k | if (!extract_sni(hs, &alert, &client_hello)) { |
570 | 60 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
571 | 60 | return ssl_hs_error; |
572 | 60 | } |
573 | | |
574 | 13.8k | hs->state = state12_read_client_hello_after_ech; |
575 | 13.8k | return ssl_hs_ok; |
576 | 13.9k | } |
577 | | |
578 | 13.8k | static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) { |
579 | 13.8k | SSL *const ssl = hs->ssl; |
580 | | |
581 | 13.8k | SSLMessage msg_unused; |
582 | 13.8k | SSL_CLIENT_HELLO client_hello; |
583 | 13.8k | if (!hs->GetClientHello(&msg_unused, &client_hello)) { |
584 | 0 | return ssl_hs_error; |
585 | 0 | } |
586 | | |
587 | | // Run the early callback. |
588 | 13.8k | if (ssl->ctx->select_certificate_cb != nullptr) { |
589 | 0 | switch (ssl->ctx->select_certificate_cb(&client_hello)) { |
590 | 0 | case ssl_select_cert_retry: |
591 | 0 | return ssl_hs_certificate_selection_pending; |
592 | | |
593 | 0 | case ssl_select_cert_disable_ech: |
594 | 0 | hs->ech_client_hello_buf.Reset(); |
595 | 0 | hs->ech_keys = nullptr; |
596 | 0 | hs->state = state12_read_client_hello; |
597 | 0 | ssl->s3->ech_status = ssl_ech_rejected; |
598 | 0 | return ssl_hs_ok; |
599 | | |
600 | 0 | case ssl_select_cert_error: |
601 | | // Connection rejected. |
602 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); |
603 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
604 | 0 | return ssl_hs_error; |
605 | | |
606 | 0 | default: |
607 | 0 | /* fallthrough */; |
608 | 0 | } |
609 | 0 | } |
610 | | |
611 | | // Freeze the version range after the early callback. |
612 | 13.8k | if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) { |
613 | 0 | return ssl_hs_error; |
614 | 0 | } |
615 | | |
616 | 13.8k | if (hs->config->jdk11_workaround && |
617 | 0 | is_probably_jdk11_with_tls13(&client_hello)) { |
618 | 0 | hs->apply_jdk11_workaround = true; |
619 | 0 | } |
620 | | |
621 | 13.8k | uint8_t alert = SSL_AD_DECODE_ERROR; |
622 | 13.8k | if (!negotiate_version(hs, &alert, &client_hello)) { |
623 | 75 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
624 | 75 | return ssl_hs_error; |
625 | 75 | } |
626 | | |
627 | 13.7k | hs->client_version = client_hello.version; |
628 | 13.7k | if (client_hello.random_len != SSL3_RANDOM_SIZE) { |
629 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
630 | 0 | return ssl_hs_error; |
631 | 0 | } |
632 | 13.7k | OPENSSL_memcpy(ssl->s3->client_random, client_hello.random, |
633 | 13.7k | client_hello.random_len); |
634 | | |
635 | | // Only null compression is supported. TLS 1.3 further requires the peer |
636 | | // advertise no other compression. |
637 | 13.7k | if (OPENSSL_memchr(client_hello.compression_methods, 0, |
638 | 13.7k | client_hello.compression_methods_len) == nullptr || |
639 | 13.7k | (ssl_protocol_version(ssl) >= TLS1_3_VERSION && |
640 | 4.75k | client_hello.compression_methods_len != 1)) { |
641 | 30 | OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST); |
642 | 30 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
643 | 30 | return ssl_hs_error; |
644 | 30 | } |
645 | | |
646 | | // TLS extensions. |
647 | 13.7k | if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) { |
648 | 1.12k | OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT); |
649 | 1.12k | return ssl_hs_error; |
650 | 1.12k | } |
651 | | |
652 | 12.6k | hs->state = state12_cert_callback; |
653 | 12.6k | return ssl_hs_ok; |
654 | 13.7k | } |
655 | | |
656 | 12.6k | static enum ssl_hs_wait_t do_cert_callback(SSL_HANDSHAKE *hs) { |
657 | 12.6k | SSL *const ssl = hs->ssl; |
658 | | |
659 | | // Call |cert_cb| to update server certificates if required. |
660 | 12.6k | if (hs->config->cert->cert_cb != nullptr) { |
661 | 0 | int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg); |
662 | 0 | if (rv == 0) { |
663 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR); |
664 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
665 | 0 | return ssl_hs_error; |
666 | 0 | } |
667 | 0 | if (rv < 0) { |
668 | 0 | return ssl_hs_x509_lookup; |
669 | 0 | } |
670 | 0 | } |
671 | | |
672 | 12.6k | if (hs->ocsp_stapling_requested && |
673 | 5.99k | ssl->ctx->legacy_ocsp_callback != nullptr) { |
674 | 0 | switch (ssl->ctx->legacy_ocsp_callback( |
675 | 0 | ssl, ssl->ctx->legacy_ocsp_callback_arg)) { |
676 | 0 | case SSL_TLSEXT_ERR_OK: |
677 | 0 | break; |
678 | 0 | case SSL_TLSEXT_ERR_NOACK: |
679 | 0 | hs->ocsp_stapling_requested = false; |
680 | 0 | break; |
681 | 0 | default: |
682 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR); |
683 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
684 | 0 | return ssl_hs_error; |
685 | 0 | } |
686 | 0 | } |
687 | | |
688 | 12.6k | if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) { |
689 | | // Jump to the TLS 1.3 state machine. |
690 | 4.67k | hs->state = state12_tls13; |
691 | 4.67k | return ssl_hs_ok; |
692 | 4.67k | } |
693 | | |
694 | | // It should not be possible to negotiate TLS 1.2 with ECH. The |
695 | | // ClientHelloInner decoding function rejects ClientHellos which offer TLS 1.2 |
696 | | // or below. |
697 | 12.6k | assert(ssl->s3->ech_status != ssl_ech_accepted); |
698 | | |
699 | 7.96k | ssl->s3->early_data_reason = ssl_early_data_protocol_version; |
700 | | |
701 | 7.96k | hs->state = state12_select_parameters; |
702 | 7.96k | return ssl_hs_ok; |
703 | 7.96k | } |
704 | | |
705 | 43.5k | static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) { |
706 | 43.5k | enum ssl_hs_wait_t wait = tls13_server_handshake(hs); |
707 | 43.5k | if (wait == ssl_hs_ok) { |
708 | 2.57k | hs->state = state12_finish_server_handshake; |
709 | 2.57k | return ssl_hs_ok; |
710 | 2.57k | } |
711 | | |
712 | 40.9k | return wait; |
713 | 43.5k | } |
714 | | |
715 | 7.96k | static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { |
716 | 7.96k | SSL *const ssl = hs->ssl; |
717 | 7.96k | SSLMessage msg; |
718 | 7.96k | SSL_CLIENT_HELLO client_hello; |
719 | 7.96k | if (!hs->GetClientHello(&msg, &client_hello)) { |
720 | 0 | return ssl_hs_error; |
721 | 0 | } |
722 | | |
723 | | // Determine the ECDHE group to use, if we are to use ECDHE. |
724 | 7.96k | uint16_t group_id = 0; |
725 | 7.96k | bool has_ecdhe_group = tls1_get_shared_group(hs, &group_id); |
726 | | |
727 | | // Select the credential and cipher suite. This must be done after |cert_cb| |
728 | | // runs, so the final credential list is known. |
729 | | // |
730 | | // TODO(davidben): In the course of picking these, we also pick the ECDHE |
731 | | // group and signature algorithm. It would be tidier if we saved that decision |
732 | | // and avoided redoing it later. |
733 | 7.96k | UniquePtr<STACK_OF(SSL_CIPHER)> client_pref = |
734 | 7.96k | ssl_parse_client_cipher_list(&client_hello); |
735 | 7.96k | if (client_pref == nullptr) { |
736 | 0 | return ssl_hs_error; |
737 | 0 | } |
738 | 7.96k | Array<SSL_CREDENTIAL *> creds; |
739 | 7.96k | if (!ssl_get_full_credential_list(hs, &creds)) { |
740 | 0 | return ssl_hs_error; |
741 | 0 | } |
742 | 7.96k | TLS12ServerParams params; |
743 | 7.96k | if (creds.empty()) { |
744 | | // The caller may have configured no credentials, but set a PSK callback. |
745 | 0 | params = |
746 | 0 | choose_params(hs, /*cred=*/nullptr, client_pref.get(), has_ecdhe_group); |
747 | 7.96k | } else { |
748 | | // Select the first credential which works. |
749 | 7.96k | for (SSL_CREDENTIAL *cred : creds) { |
750 | 7.96k | ERR_clear_error(); |
751 | 7.96k | params = choose_params(hs, cred, client_pref.get(), has_ecdhe_group); |
752 | 7.96k | if (params.ok()) { |
753 | 7.50k | hs->credential = UpRef(cred); |
754 | 7.50k | break; |
755 | 7.50k | } |
756 | 7.96k | } |
757 | 7.96k | } |
758 | 7.96k | if (!params.ok()) { |
759 | | // The error from the last attempt is in the error queue. |
760 | 456 | assert(ERR_peek_error() != 0); |
761 | 456 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
762 | 456 | return ssl_hs_error; |
763 | 456 | } |
764 | 7.50k | hs->new_cipher = params.cipher; |
765 | 7.50k | hs->signature_algorithm = params.signature_algorithm; |
766 | | |
767 | | // |SSL_parse_client_hello| checks that |client_hello.session_id| is not too |
768 | | // large. |
769 | 7.50k | hs->session_id.CopyFrom( |
770 | 7.50k | Span(client_hello.session_id, client_hello.session_id_len)); |
771 | | |
772 | | // Determine whether we are doing session resumption. |
773 | 7.50k | UniquePtr<SSL_SESSION> session; |
774 | 7.50k | bool tickets_supported = false, renew_ticket = false; |
775 | 7.50k | enum ssl_hs_wait_t wait = ssl_get_prev_session( |
776 | 7.50k | hs, &session, &tickets_supported, &renew_ticket, &client_hello); |
777 | 7.50k | if (wait != ssl_hs_ok) { |
778 | 0 | return wait; |
779 | 0 | } |
780 | | |
781 | 7.50k | if (session) { |
782 | 613 | if (session->extended_master_secret && !hs->extended_master_secret) { |
783 | | // A ClientHello without EMS that attempts to resume a session with EMS |
784 | | // is fatal to the connection. |
785 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION); |
786 | 3 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
787 | 3 | return ssl_hs_error; |
788 | 3 | } |
789 | | |
790 | 610 | if (!ssl_session_is_resumable(hs, session.get()) || |
791 | | // If the client offers the EMS extension, but the previous session |
792 | | // didn't use it, then negotiate a new session. |
793 | 525 | hs->extended_master_secret != session->extended_master_secret) { |
794 | 88 | session.reset(); |
795 | 88 | } |
796 | 610 | } |
797 | | |
798 | 7.50k | if (session) { |
799 | | // Use the old session. |
800 | 522 | hs->ticket_expected = renew_ticket; |
801 | 522 | ssl->session = std::move(session); |
802 | 522 | ssl->s3->session_reused = true; |
803 | 522 | hs->can_release_private_key = true; |
804 | 6.98k | } else { |
805 | 6.98k | hs->ticket_expected = tickets_supported; |
806 | 6.98k | ssl_set_session(ssl, nullptr); |
807 | 6.98k | if (!ssl_get_new_session(hs)) { |
808 | 0 | return ssl_hs_error; |
809 | 0 | } |
810 | | |
811 | | // Assign a session ID if not using session tickets. |
812 | 6.98k | if (!hs->ticket_expected && |
813 | 4.34k | (ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) { |
814 | 4.34k | hs->new_session->session_id.ResizeForOverwrite( |
815 | 4.34k | SSL3_SSL_SESSION_ID_LENGTH); |
816 | 4.34k | RAND_bytes(hs->new_session->session_id.data(), |
817 | 4.34k | hs->new_session->session_id.size()); |
818 | 4.34k | } |
819 | 6.98k | } |
820 | | |
821 | 7.50k | if (ssl->ctx->dos_protection_cb != nullptr && |
822 | 0 | ssl->ctx->dos_protection_cb(&client_hello) == 0) { |
823 | | // Connection rejected for DOS reasons. |
824 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); |
825 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
826 | 0 | return ssl_hs_error; |
827 | 0 | } |
828 | | |
829 | 7.50k | if (ssl->session == nullptr) { |
830 | 6.98k | hs->new_session->cipher = hs->new_cipher; |
831 | 6.98k | if (hs->new_session->cipher->algorithm_mkey & SSL_kECDHE) { |
832 | 5.87k | assert(has_ecdhe_group); |
833 | 5.87k | hs->new_session->group_id = group_id; |
834 | 5.87k | } |
835 | | |
836 | | // Determine whether to request a client certificate. CertificateRequest may |
837 | | // only be sent in certificate-based ciphers. |
838 | 6.98k | hs->cert_request = (hs->config->verify_mode & SSL_VERIFY_PEER) && |
839 | 3.93k | ssl_cipher_uses_certificate_auth(hs->new_cipher); |
840 | 6.98k | if (!hs->cert_request) { |
841 | | // OpenSSL returns X509_V_OK when no certificates are requested. This is |
842 | | // classed by them as a bug, but it's assumed by at least NGINX. |
843 | 3.05k | hs->new_session->verify_result = X509_V_OK; |
844 | 3.05k | } |
845 | 6.98k | } |
846 | | |
847 | | // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was |
848 | | // deferred. Complete it now. |
849 | 7.50k | uint8_t alert = SSL_AD_DECODE_ERROR; |
850 | 7.50k | if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { |
851 | 55 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
852 | 55 | return ssl_hs_error; |
853 | 55 | } |
854 | | |
855 | | // Now that all parameters are known, initialize the handshake hash and hash |
856 | | // the ClientHello. |
857 | 7.44k | if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) { |
858 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
859 | 0 | return ssl_hs_error; |
860 | 0 | } |
861 | | |
862 | | // Handback includes the whole handshake transcript, so we cannot free the |
863 | | // transcript buffer in the handback case. |
864 | 7.44k | if (!hs->cert_request && !hs->handback) { |
865 | 3.51k | hs->transcript.FreeBuffer(); |
866 | 3.51k | } |
867 | | |
868 | 7.44k | if (!ssl_hash_message(hs, msg)) { |
869 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
870 | 0 | return ssl_hs_error; |
871 | 0 | } |
872 | | |
873 | 7.44k | ssl->method->next_message(ssl); |
874 | | |
875 | 7.44k | hs->state = state12_send_server_hello; |
876 | 7.44k | return ssl_hs_ok; |
877 | 7.44k | } |
878 | | |
879 | 7.44k | static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) { |
880 | 7.44k | out = out.last(in.size()); |
881 | 7.44k | OPENSSL_memcpy(out.data(), in.data(), in.size()); |
882 | 7.44k | } |
883 | | |
884 | 7.44k | static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { |
885 | 7.44k | SSL *const ssl = hs->ssl; |
886 | | |
887 | | // We only accept ChannelIDs on connections with ECDHE in order to avoid a |
888 | | // known attack while we fix ChannelID itself. |
889 | 7.44k | if (hs->channel_id_negotiated && |
890 | 342 | (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) { |
891 | 3 | hs->channel_id_negotiated = false; |
892 | 3 | } |
893 | | |
894 | | // If this is a resumption and the original handshake didn't support |
895 | | // ChannelID then we didn't record the original handshake hashes in the |
896 | | // session and so cannot resume with ChannelIDs. |
897 | 7.44k | if (ssl->session != nullptr && |
898 | 522 | ssl->session->original_handshake_hash.empty()) { |
899 | 403 | hs->channel_id_negotiated = false; |
900 | 403 | } |
901 | | |
902 | 7.44k | SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); |
903 | 7.44k | if (hints && !hs->hints_requested && |
904 | 1.23k | hints->server_random_tls12.size() == SSL3_RANDOM_SIZE) { |
905 | 896 | OPENSSL_memcpy(ssl->s3->server_random, hints->server_random_tls12.data(), |
906 | 896 | SSL3_RANDOM_SIZE); |
907 | 6.55k | } else { |
908 | 6.55k | OPENSSL_timeval now = ssl_ctx_get_current_time(ssl->ctx.get()); |
909 | 6.55k | CRYPTO_store_u32_be(ssl->s3->server_random, |
910 | 6.55k | static_cast<uint32_t>(now.tv_sec)); |
911 | 6.55k | if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) { |
912 | 0 | return ssl_hs_error; |
913 | 0 | } |
914 | 6.55k | if (hints && hs->hints_requested && |
915 | 0 | !hints->server_random_tls12.CopyFrom(ssl->s3->server_random)) { |
916 | 0 | return ssl_hs_error; |
917 | 0 | } |
918 | 6.55k | } |
919 | | |
920 | | // Implement the TLS 1.3 anti-downgrade feature. |
921 | 7.44k | if (hs->max_version >= TLS1_3_VERSION) { |
922 | 7.44k | if (ssl_protocol_version(ssl) == TLS1_2_VERSION) { |
923 | 4.98k | if (hs->apply_jdk11_workaround) { |
924 | | // JDK 11 implements the TLS 1.3 downgrade signal, so we cannot send it |
925 | | // here. However, the signal is only effective if all TLS 1.2 |
926 | | // ServerHellos produced by the server are marked. Thus we send a |
927 | | // different non-standard signal for the time being, until JDK 11.0.2 is |
928 | | // released and clients have updated. |
929 | 0 | copy_suffix(ssl->s3->server_random, kJDK11DowngradeRandom); |
930 | 4.98k | } else { |
931 | 4.98k | copy_suffix(ssl->s3->server_random, kTLS13DowngradeRandom); |
932 | 4.98k | } |
933 | 4.98k | } else { |
934 | 2.46k | copy_suffix(ssl->s3->server_random, kTLS12DowngradeRandom); |
935 | 2.46k | } |
936 | 7.44k | } |
937 | | |
938 | 7.44k | Span<const uint8_t> session_id; |
939 | 7.44k | if (ssl->session != nullptr) { |
940 | | // Echo the session ID from the ClientHello to indicate resumption. |
941 | 522 | session_id = hs->session_id; |
942 | 6.92k | } else { |
943 | 6.92k | session_id = hs->new_session->session_id; |
944 | 6.92k | } |
945 | | |
946 | 7.44k | ScopedCBB cbb; |
947 | 7.44k | CBB body, session_id_bytes; |
948 | 7.44k | if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || |
949 | 7.44k | !CBB_add_u16(&body, ssl->s3->version) || |
950 | 7.44k | !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || |
951 | 7.44k | !CBB_add_u8_length_prefixed(&body, &session_id_bytes) || |
952 | 7.44k | !CBB_add_bytes(&session_id_bytes, session_id.data(), session_id.size()) || |
953 | 7.44k | !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) || |
954 | 7.44k | !CBB_add_u8(&body, 0 /* no compression */) || |
955 | 7.44k | !ssl_add_serverhello_tlsext(hs, &body) || |
956 | 7.44k | !ssl_add_message_cbb(ssl, cbb.get())) { |
957 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
958 | 0 | return ssl_hs_error; |
959 | 0 | } |
960 | | |
961 | 7.44k | if (ssl->session != nullptr) { |
962 | | // No additional hints to generate in resumption. |
963 | 522 | if (hs->hints_requested) { |
964 | 0 | return ssl_hs_hints_ready; |
965 | 0 | } |
966 | 522 | hs->state = state12_send_server_finished; |
967 | 6.92k | } else { |
968 | 6.92k | hs->state = state12_send_server_certificate; |
969 | 6.92k | } |
970 | 7.44k | return ssl_hs_ok; |
971 | 7.44k | } |
972 | | |
973 | 6.92k | static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) { |
974 | 6.92k | SSL *const ssl = hs->ssl; |
975 | 6.92k | ScopedCBB cbb; |
976 | | |
977 | 6.92k | if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { |
978 | 6.92k | assert(hs->credential != nullptr); |
979 | 6.92k | if (!ssl_send_tls12_certificate(hs)) { |
980 | 0 | return ssl_hs_error; |
981 | 0 | } |
982 | | |
983 | 6.92k | if (hs->certificate_status_expected) { |
984 | 2.49k | CBB body, ocsp_response; |
985 | 2.49k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
986 | 2.49k | SSL3_MT_CERTIFICATE_STATUS) || |
987 | 2.49k | !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) || |
988 | 2.49k | !CBB_add_u24_length_prefixed(&body, &ocsp_response) || |
989 | 2.49k | !CBB_add_bytes( |
990 | 2.49k | &ocsp_response, |
991 | 2.49k | CRYPTO_BUFFER_data(hs->credential->ocsp_response.get()), |
992 | 2.49k | CRYPTO_BUFFER_len(hs->credential->ocsp_response.get())) || |
993 | 2.49k | !ssl_add_message_cbb(ssl, cbb.get())) { |
994 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
995 | 0 | return ssl_hs_error; |
996 | 0 | } |
997 | 2.49k | } |
998 | 6.92k | } |
999 | | |
1000 | | // Assemble ServerKeyExchange parameters if needed. |
1001 | 6.92k | uint32_t alg_k = hs->new_cipher->algorithm_mkey; |
1002 | 6.92k | uint32_t alg_a = hs->new_cipher->algorithm_auth; |
1003 | 6.92k | if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) || |
1004 | 5.85k | ((alg_a & SSL_aPSK) && hs->config->psk_identity_hint)) { |
1005 | | // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend |
1006 | | // the client and server randoms for the signing transcript. |
1007 | 5.85k | CBB child; |
1008 | 5.85k | if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) || |
1009 | 5.85k | !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) || |
1010 | 5.85k | !CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) { |
1011 | 0 | return ssl_hs_error; |
1012 | 0 | } |
1013 | | |
1014 | | // PSK ciphers begin with an identity hint. |
1015 | 5.85k | if (alg_a & SSL_aPSK) { |
1016 | 0 | size_t len = hs->config->psk_identity_hint == nullptr |
1017 | 0 | ? 0 |
1018 | 0 | : strlen(hs->config->psk_identity_hint.get()); |
1019 | 0 | if (!CBB_add_u16_length_prefixed(cbb.get(), &child) || |
1020 | 0 | !CBB_add_bytes(&child, |
1021 | 0 | (const uint8_t *)hs->config->psk_identity_hint.get(), |
1022 | 0 | len)) { |
1023 | 0 | return ssl_hs_error; |
1024 | 0 | } |
1025 | 0 | } |
1026 | | |
1027 | 5.85k | if (alg_k & SSL_kECDHE) { |
1028 | 5.85k | assert(hs->new_session->group_id != 0); |
1029 | 5.85k | UniquePtr<SSLKeyShare> ssl_key_share = |
1030 | 5.85k | SSLKeyShare::Create(hs->new_session->group_id); |
1031 | 5.85k | if (ssl_key_share == nullptr || // |
1032 | 5.85k | !hs->key_shares.TryPushBack(std::move(ssl_key_share)) || // |
1033 | 5.85k | !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) || // |
1034 | 5.85k | !CBB_add_u16(cbb.get(), hs->new_session->group_id) || // |
1035 | 5.85k | !CBB_add_u8_length_prefixed(cbb.get(), &child)) { |
1036 | 0 | return ssl_hs_error; |
1037 | 0 | } |
1038 | | |
1039 | 5.85k | SSL_HANDSHAKE_HINTS *const hints = hs->hints.get(); |
1040 | 5.85k | bool hint_ok = false; |
1041 | 5.85k | if (hints && !hs->hints_requested && |
1042 | 895 | hints->ecdhe_group_id == hs->new_session->group_id && |
1043 | 731 | !hints->ecdhe_public_key.empty() && |
1044 | 728 | !hints->ecdhe_private_key.empty()) { |
1045 | 724 | CBS cbs = CBS(hints->ecdhe_private_key); |
1046 | 724 | hint_ok = hs->key_shares[0]->DeserializePrivateKey(&cbs); |
1047 | 724 | } |
1048 | 5.85k | if (hint_ok) { |
1049 | | // Reuse the ECDH key from handshake hints. |
1050 | 712 | if (!CBB_add_bytes(&child, hints->ecdhe_public_key.data(), |
1051 | 712 | hints->ecdhe_public_key.size())) { |
1052 | 0 | return ssl_hs_error; |
1053 | 0 | } |
1054 | 5.14k | } else { |
1055 | | // Generate a key, and emit the public half. |
1056 | 5.14k | if (!hs->key_shares[0]->Generate(&child)) { |
1057 | 0 | return ssl_hs_error; |
1058 | 0 | } |
1059 | | // If generating hints, save the ECDHE key. |
1060 | 5.14k | if (hints && hs->hints_requested) { |
1061 | 0 | bssl::ScopedCBB private_key_cbb; |
1062 | 0 | if (!hints->ecdhe_public_key.CopyFrom(CBBAsSpan(&child)) || |
1063 | 0 | !CBB_init(private_key_cbb.get(), 32) || |
1064 | 0 | !hs->key_shares[0]->SerializePrivateKey(private_key_cbb.get()) || |
1065 | 0 | !CBBFinishArray(private_key_cbb.get(), |
1066 | 0 | &hints->ecdhe_private_key)) { |
1067 | 0 | return ssl_hs_error; |
1068 | 0 | } |
1069 | 0 | hints->ecdhe_group_id = hs->new_session->group_id; |
1070 | 0 | } |
1071 | 5.14k | } |
1072 | 5.85k | } else { |
1073 | 0 | assert(alg_k & SSL_kPSK); |
1074 | 0 | } |
1075 | | |
1076 | 5.85k | if (!CBBFinishArray(cbb.get(), &hs->server_params)) { |
1077 | 0 | return ssl_hs_error; |
1078 | 0 | } |
1079 | 5.85k | } |
1080 | | |
1081 | 6.92k | hs->state = state12_send_server_key_exchange; |
1082 | 6.92k | return ssl_hs_ok; |
1083 | 6.92k | } |
1084 | | |
1085 | 6.92k | static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) { |
1086 | 6.92k | SSL *const ssl = hs->ssl; |
1087 | | |
1088 | 6.92k | if (hs->server_params.size() == 0) { |
1089 | 1.07k | hs->state = state12_send_server_hello_done; |
1090 | 1.07k | return ssl_hs_ok; |
1091 | 1.07k | } |
1092 | | |
1093 | 5.85k | ScopedCBB cbb; |
1094 | 5.85k | CBB body, child; |
1095 | 5.85k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1096 | 5.85k | SSL3_MT_SERVER_KEY_EXCHANGE) || |
1097 | | // |hs->server_params| contains a prefix for signing. |
1098 | 5.85k | hs->server_params.size() < 2 * SSL3_RANDOM_SIZE || |
1099 | 5.85k | !CBB_add_bytes(&body, hs->server_params.data() + 2 * SSL3_RANDOM_SIZE, |
1100 | 5.85k | hs->server_params.size() - 2 * SSL3_RANDOM_SIZE)) { |
1101 | 0 | return ssl_hs_error; |
1102 | 0 | } |
1103 | | |
1104 | | // Add a signature. |
1105 | 5.85k | if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) { |
1106 | | // Determine the signature algorithm. |
1107 | 5.85k | uint16_t signature_algorithm; |
1108 | 5.85k | if (!tls1_choose_signature_algorithm(hs, hs->credential.get(), |
1109 | 5.85k | &signature_algorithm)) { |
1110 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
1111 | 0 | return ssl_hs_error; |
1112 | 0 | } |
1113 | 5.85k | if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) { |
1114 | 3.90k | if (!CBB_add_u16(&body, signature_algorithm)) { |
1115 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1116 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1117 | 0 | return ssl_hs_error; |
1118 | 0 | } |
1119 | 3.90k | } |
1120 | | |
1121 | | // Add space for the signature. |
1122 | 5.85k | const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get()); |
1123 | 5.85k | uint8_t *ptr; |
1124 | 5.85k | if (!CBB_add_u16_length_prefixed(&body, &child) || |
1125 | 5.85k | !CBB_reserve(&child, &ptr, max_sig_len)) { |
1126 | 0 | return ssl_hs_error; |
1127 | 0 | } |
1128 | | |
1129 | 5.85k | size_t sig_len; |
1130 | 5.85k | switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len, |
1131 | 5.85k | signature_algorithm, hs->server_params)) { |
1132 | 5.85k | case ssl_private_key_success: |
1133 | 5.85k | if (!CBB_did_write(&child, sig_len)) { |
1134 | 0 | return ssl_hs_error; |
1135 | 0 | } |
1136 | 5.85k | break; |
1137 | 5.85k | case ssl_private_key_failure: |
1138 | 0 | return ssl_hs_error; |
1139 | 0 | case ssl_private_key_retry: |
1140 | 0 | return ssl_hs_private_key_operation; |
1141 | 5.85k | } |
1142 | 5.85k | } |
1143 | | |
1144 | 5.85k | hs->can_release_private_key = true; |
1145 | 5.85k | if (!ssl_add_message_cbb(ssl, cbb.get())) { |
1146 | 0 | return ssl_hs_error; |
1147 | 0 | } |
1148 | | |
1149 | 5.85k | hs->server_params.Reset(); |
1150 | | |
1151 | 5.85k | hs->state = state12_send_server_hello_done; |
1152 | 5.85k | return ssl_hs_ok; |
1153 | 5.85k | } |
1154 | | |
1155 | 6.92k | static enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) { |
1156 | 6.92k | SSL *const ssl = hs->ssl; |
1157 | 6.92k | if (hs->hints_requested) { |
1158 | 0 | return ssl_hs_hints_ready; |
1159 | 0 | } |
1160 | | |
1161 | 6.92k | ScopedCBB cbb; |
1162 | 6.92k | CBB body; |
1163 | | |
1164 | 6.92k | if (hs->cert_request) { |
1165 | 3.92k | CBB cert_types, sigalgs_cbb; |
1166 | 3.92k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1167 | 3.92k | SSL3_MT_CERTIFICATE_REQUEST) || |
1168 | 3.92k | !CBB_add_u8_length_prefixed(&body, &cert_types) || |
1169 | 3.92k | !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) || |
1170 | 3.92k | !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN) || |
1171 | 3.92k | (ssl_protocol_version(ssl) >= TLS1_2_VERSION && |
1172 | 2.59k | (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) || |
1173 | 2.59k | !tls12_add_verify_sigalgs(hs, &sigalgs_cbb))) || |
1174 | 3.92k | !ssl_add_client_CA_list(hs, &body) || |
1175 | 3.92k | !ssl_add_message_cbb(ssl, cbb.get())) { |
1176 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1177 | 0 | return ssl_hs_error; |
1178 | 0 | } |
1179 | 3.92k | } |
1180 | | |
1181 | 6.92k | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1182 | 6.92k | SSL3_MT_SERVER_HELLO_DONE) || |
1183 | 6.92k | !ssl_add_message_cbb(ssl, cbb.get())) { |
1184 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1185 | 0 | return ssl_hs_error; |
1186 | 0 | } |
1187 | | |
1188 | 6.92k | hs->state = state12_read_client_certificate; |
1189 | 6.92k | return ssl_hs_flush; |
1190 | 6.92k | } |
1191 | | |
1192 | 14.6k | static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { |
1193 | 14.6k | SSL *const ssl = hs->ssl; |
1194 | | |
1195 | 14.6k | if (hs->handback && hs->new_cipher->algorithm_mkey == SSL_kECDHE) { |
1196 | 0 | return ssl_hs_handback; |
1197 | 0 | } |
1198 | 14.6k | if (!hs->cert_request) { |
1199 | 2.99k | hs->state = state12_verify_client_certificate; |
1200 | 2.99k | return ssl_hs_ok; |
1201 | 2.99k | } |
1202 | | |
1203 | 11.6k | SSLMessage msg; |
1204 | 11.6k | if (!ssl->method->get_message(ssl, &msg)) { |
1205 | 7.95k | return ssl_hs_read_message; |
1206 | 7.95k | } |
1207 | | |
1208 | 3.68k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) { |
1209 | 10 | return ssl_hs_error; |
1210 | 10 | } |
1211 | | |
1212 | 3.67k | if (!ssl_hash_message(hs, msg)) { |
1213 | 0 | return ssl_hs_error; |
1214 | 0 | } |
1215 | | |
1216 | 3.67k | CBS certificate_msg = msg.body; |
1217 | 3.67k | uint8_t alert = SSL_AD_DECODE_ERROR; |
1218 | 3.67k | if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey, |
1219 | 3.67k | hs->config->retain_only_sha256_of_client_certs |
1220 | 3.67k | ? hs->new_session->peer_sha256 |
1221 | 3.67k | : nullptr, |
1222 | 3.67k | &certificate_msg, ssl->ctx->pool)) { |
1223 | 699 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
1224 | 699 | return ssl_hs_error; |
1225 | 699 | } |
1226 | | |
1227 | 2.97k | if (CBS_len(&certificate_msg) != 0 || |
1228 | 2.95k | !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) { |
1229 | 804 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1230 | 804 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1231 | 804 | return ssl_hs_error; |
1232 | 804 | } |
1233 | | |
1234 | 2.16k | if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) { |
1235 | | // No client certificate so the handshake buffer may be discarded. |
1236 | 30 | hs->transcript.FreeBuffer(); |
1237 | | |
1238 | 30 | if (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { |
1239 | | // Fail for TLS only if we required a certificate |
1240 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); |
1241 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
1242 | 0 | return ssl_hs_error; |
1243 | 0 | } |
1244 | | |
1245 | | // OpenSSL returns X509_V_OK when no certificates are received. This is |
1246 | | // classed by them as a bug, but it's assumed by at least NGINX. |
1247 | 30 | hs->new_session->verify_result = X509_V_OK; |
1248 | 2.13k | } else if (hs->config->retain_only_sha256_of_client_certs) { |
1249 | | // The hash will have been filled in. |
1250 | 0 | hs->new_session->peer_sha256_valid = true; |
1251 | 0 | } |
1252 | | |
1253 | 2.16k | ssl->method->next_message(ssl); |
1254 | 2.16k | hs->state = state12_verify_client_certificate; |
1255 | 2.16k | return ssl_hs_ok; |
1256 | 2.16k | } |
1257 | | |
1258 | 5.16k | static enum ssl_hs_wait_t do_verify_client_certificate(SSL_HANDSHAKE *hs) { |
1259 | 5.16k | if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) > 0) { |
1260 | 2.13k | switch (ssl_verify_peer_cert(hs)) { |
1261 | 2.13k | case ssl_verify_ok: |
1262 | 2.13k | break; |
1263 | 0 | case ssl_verify_invalid: |
1264 | 0 | return ssl_hs_error; |
1265 | 0 | case ssl_verify_retry: |
1266 | 0 | return ssl_hs_certificate_verify; |
1267 | 2.13k | } |
1268 | 2.13k | } |
1269 | | |
1270 | 5.16k | hs->state = state12_read_client_key_exchange; |
1271 | 5.16k | return ssl_hs_ok; |
1272 | 5.16k | } |
1273 | | |
1274 | 10.9k | static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) { |
1275 | 10.9k | SSL *const ssl = hs->ssl; |
1276 | 10.9k | SSLMessage msg; |
1277 | 10.9k | if (!ssl->method->get_message(ssl, &msg)) { |
1278 | 7.17k | return ssl_hs_read_message; |
1279 | 7.17k | } |
1280 | | |
1281 | 3.73k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_KEY_EXCHANGE)) { |
1282 | 10 | return ssl_hs_error; |
1283 | 10 | } |
1284 | | |
1285 | 3.72k | CBS client_key_exchange = msg.body; |
1286 | 3.72k | uint32_t alg_k = hs->new_cipher->algorithm_mkey; |
1287 | 3.72k | uint32_t alg_a = hs->new_cipher->algorithm_auth; |
1288 | | |
1289 | | // If using a PSK key exchange, parse the PSK identity. |
1290 | 3.72k | if (alg_a & SSL_aPSK) { |
1291 | 0 | CBS psk_identity; |
1292 | | |
1293 | | // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK, |
1294 | | // then this is the only field in the message. |
1295 | 0 | if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) || |
1296 | 0 | ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) { |
1297 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1298 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1299 | 0 | return ssl_hs_error; |
1300 | 0 | } |
1301 | | |
1302 | 0 | if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN || |
1303 | 0 | CBS_contains_zero_byte(&psk_identity)) { |
1304 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG); |
1305 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); |
1306 | 0 | return ssl_hs_error; |
1307 | 0 | } |
1308 | 0 | char *raw = nullptr; |
1309 | 0 | if (!CBS_strdup(&psk_identity, &raw)) { |
1310 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1311 | 0 | return ssl_hs_error; |
1312 | 0 | } |
1313 | 0 | hs->new_session->psk_identity.reset(raw); |
1314 | 0 | } |
1315 | | |
1316 | | // Depending on the key exchange method, compute |premaster_secret|. |
1317 | 3.72k | Array<uint8_t> premaster_secret; |
1318 | 3.72k | if (alg_k & SSL_kRSA) { |
1319 | 127 | CBS encrypted_premaster_secret; |
1320 | 127 | if (!CBS_get_u16_length_prefixed(&client_key_exchange, |
1321 | 127 | &encrypted_premaster_secret) || |
1322 | 116 | CBS_len(&client_key_exchange) != 0) { |
1323 | 31 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1324 | 31 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1325 | 31 | return ssl_hs_error; |
1326 | 31 | } |
1327 | | |
1328 | | // Allocate a buffer large enough for an RSA decryption. |
1329 | 96 | Array<uint8_t> decrypt_buf; |
1330 | 96 | if (!decrypt_buf.InitForOverwrite( |
1331 | 96 | EVP_PKEY_size(hs->credential->pubkey.get()))) { |
1332 | 0 | return ssl_hs_error; |
1333 | 0 | } |
1334 | | |
1335 | | // Decrypt with no padding. PKCS#1 padding will be removed as part of the |
1336 | | // timing-sensitive code below. |
1337 | 96 | size_t decrypt_len; |
1338 | 96 | switch (ssl_private_key_decrypt(hs, decrypt_buf.data(), &decrypt_len, |
1339 | 96 | decrypt_buf.size(), |
1340 | 96 | encrypted_premaster_secret)) { |
1341 | 87 | case ssl_private_key_success: |
1342 | 87 | break; |
1343 | 9 | case ssl_private_key_failure: |
1344 | 9 | return ssl_hs_error; |
1345 | 0 | case ssl_private_key_retry: |
1346 | 0 | return ssl_hs_private_key_operation; |
1347 | 96 | } |
1348 | | |
1349 | 87 | if (decrypt_len != decrypt_buf.size()) { |
1350 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); |
1351 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
1352 | 0 | return ssl_hs_error; |
1353 | 0 | } |
1354 | | |
1355 | 87 | CONSTTIME_SECRET(decrypt_buf.data(), decrypt_len); |
1356 | | |
1357 | | // Prepare a random premaster, to be used on invalid padding. See RFC 5246, |
1358 | | // section 7.4.7.1. |
1359 | 87 | if (!premaster_secret.InitForOverwrite(SSL_MAX_MASTER_KEY_LENGTH) || |
1360 | 87 | !RAND_bytes(premaster_secret.data(), premaster_secret.size())) { |
1361 | 0 | return ssl_hs_error; |
1362 | 0 | } |
1363 | | |
1364 | | // The smallest padded premaster is 11 bytes of overhead. Small keys are |
1365 | | // publicly invalid. |
1366 | 87 | if (decrypt_len < 11 + premaster_secret.size()) { |
1367 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED); |
1368 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
1369 | 0 | return ssl_hs_error; |
1370 | 0 | } |
1371 | | |
1372 | | // Check the padding. See RFC 8017, section 7.2.2. |
1373 | 87 | size_t padding_len = decrypt_len - premaster_secret.size(); |
1374 | 87 | uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) & |
1375 | 87 | constant_time_eq_int_8(decrypt_buf[1], 2); |
1376 | 17.9k | for (size_t i = 2; i < padding_len - 1; i++) { |
1377 | 17.8k | good &= ~constant_time_is_zero_8(decrypt_buf[i]); |
1378 | 17.8k | } |
1379 | 87 | good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]); |
1380 | | |
1381 | | // The premaster secret must begin with |client_version|. This too must be |
1382 | | // checked in constant time (http://eprint.iacr.org/2003/052/). |
1383 | 87 | good &= constant_time_eq_8(decrypt_buf[padding_len], |
1384 | 87 | (unsigned)(hs->client_version >> 8)); |
1385 | 87 | good &= constant_time_eq_8(decrypt_buf[padding_len + 1], |
1386 | 87 | (unsigned)(hs->client_version & 0xff)); |
1387 | | |
1388 | | // Select, in constant time, either the decrypted premaster or the random |
1389 | | // premaster based on |good|. |
1390 | 4.26k | for (size_t i = 0; i < premaster_secret.size(); i++) { |
1391 | 4.17k | premaster_secret[i] = constant_time_select_8( |
1392 | 4.17k | good, decrypt_buf[padding_len + i], premaster_secret[i]); |
1393 | 4.17k | } |
1394 | 3.59k | } else if (alg_k & SSL_kECDHE) { |
1395 | | // Parse the ClientKeyExchange. |
1396 | 3.59k | CBS ciphertext; |
1397 | 3.59k | if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ciphertext) || |
1398 | 3.59k | CBS_len(&client_key_exchange) != 0) { |
1399 | 11 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1400 | 11 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1401 | 11 | return ssl_hs_error; |
1402 | 11 | } |
1403 | | |
1404 | | // Decapsulate the premaster secret. |
1405 | 3.58k | uint8_t alert = SSL_AD_DECODE_ERROR; |
1406 | 3.58k | if (!hs->key_shares[0]->Decap(&premaster_secret, &alert, ciphertext)) { |
1407 | 191 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
1408 | 191 | return ssl_hs_error; |
1409 | 191 | } |
1410 | | |
1411 | | // The key exchange state may now be discarded. |
1412 | 3.39k | hs->key_shares.clear(); |
1413 | 3.39k | } else if (!(alg_k & SSL_kPSK)) { |
1414 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1415 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); |
1416 | 0 | return ssl_hs_error; |
1417 | 0 | } |
1418 | | |
1419 | | // For a PSK cipher suite, the actual pre-master secret is combined with the |
1420 | | // pre-shared key. |
1421 | 3.48k | if (alg_a & SSL_aPSK) { |
1422 | 0 | if (hs->config->psk_server_callback == nullptr) { |
1423 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1424 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1425 | 0 | return ssl_hs_error; |
1426 | 0 | } |
1427 | | |
1428 | | // Look up the key for the identity. |
1429 | 0 | uint8_t psk[PSK_MAX_PSK_LEN]; |
1430 | 0 | unsigned psk_len = hs->config->psk_server_callback( |
1431 | 0 | ssl, hs->new_session->psk_identity.get(), psk, sizeof(psk)); |
1432 | 0 | if (psk_len > PSK_MAX_PSK_LEN) { |
1433 | 0 | OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); |
1434 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); |
1435 | 0 | return ssl_hs_error; |
1436 | 0 | } else if (psk_len == 0) { |
1437 | | // PSK related to the given identity not found. |
1438 | 0 | OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); |
1439 | 0 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY); |
1440 | 0 | return ssl_hs_error; |
1441 | 0 | } |
1442 | | |
1443 | 0 | if (alg_k & SSL_kPSK) { |
1444 | | // In plain PSK, other_secret is a block of 0s with the same length as the |
1445 | | // pre-shared key. |
1446 | 0 | if (!premaster_secret.Init(psk_len)) { |
1447 | 0 | return ssl_hs_error; |
1448 | 0 | } |
1449 | 0 | } |
1450 | | |
1451 | 0 | ScopedCBB new_premaster; |
1452 | 0 | CBB child; |
1453 | 0 | if (!CBB_init(new_premaster.get(), |
1454 | 0 | 2 + psk_len + 2 + premaster_secret.size()) || |
1455 | 0 | !CBB_add_u16_length_prefixed(new_premaster.get(), &child) || |
1456 | 0 | !CBB_add_bytes(&child, premaster_secret.data(), |
1457 | 0 | premaster_secret.size()) || |
1458 | 0 | !CBB_add_u16_length_prefixed(new_premaster.get(), &child) || |
1459 | 0 | !CBB_add_bytes(&child, psk, psk_len) || |
1460 | 0 | !CBBFinishArray(new_premaster.get(), &premaster_secret)) { |
1461 | 0 | return ssl_hs_error; |
1462 | 0 | } |
1463 | 0 | } |
1464 | | |
1465 | 3.48k | if (!ssl_hash_message(hs, msg)) { |
1466 | 0 | return ssl_hs_error; |
1467 | 0 | } |
1468 | | |
1469 | | // Compute the master secret. |
1470 | 3.48k | hs->new_session->secret.ResizeForOverwrite(SSL3_MASTER_SECRET_SIZE); |
1471 | 3.48k | if (!tls1_generate_master_secret(hs, Span(hs->new_session->secret), |
1472 | 3.48k | premaster_secret)) { |
1473 | 0 | return ssl_hs_error; |
1474 | 0 | } |
1475 | 3.48k | hs->new_session->extended_master_secret = hs->extended_master_secret; |
1476 | | // Declassify the secret to undo the RSA decryption validation above. We are |
1477 | | // not currently running most of the TLS library with constant-time |
1478 | | // validation. |
1479 | | // TODO(crbug.com/42290551): Remove this and cover the TLS library too. |
1480 | 3.48k | CONSTTIME_DECLASSIFY(hs->new_session->secret.data(), |
1481 | 3.48k | hs->new_session->secret.size()); |
1482 | 3.48k | hs->can_release_private_key = true; |
1483 | | |
1484 | 3.48k | ssl->method->next_message(ssl); |
1485 | 3.48k | hs->state = state12_read_client_certificate_verify; |
1486 | 3.48k | return ssl_hs_ok; |
1487 | 3.48k | } |
1488 | | |
1489 | 6.20k | static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) { |
1490 | 6.20k | SSL *const ssl = hs->ssl; |
1491 | | |
1492 | | // Only RSA and ECDSA client certificates are supported, so a |
1493 | | // CertificateVerify is required if and only if there's a client certificate. |
1494 | 6.20k | if (!hs->peer_pubkey) { |
1495 | 1.41k | hs->transcript.FreeBuffer(); |
1496 | 1.41k | hs->state = state12_read_change_cipher_spec; |
1497 | 1.41k | return ssl_hs_ok; |
1498 | 1.41k | } |
1499 | | |
1500 | 4.78k | SSLMessage msg; |
1501 | 4.78k | if (!ssl->method->get_message(ssl, &msg)) { |
1502 | 2.75k | return ssl_hs_read_message; |
1503 | 2.75k | } |
1504 | | |
1505 | 2.02k | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY)) { |
1506 | 4 | return ssl_hs_error; |
1507 | 4 | } |
1508 | | |
1509 | | // The peer certificate must be valid for signing. |
1510 | 2.02k | const CRYPTO_BUFFER *leaf = |
1511 | 2.02k | sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0); |
1512 | 2.02k | CBS leaf_cbs; |
1513 | 2.02k | CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs); |
1514 | 2.02k | if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) { |
1515 | 25 | return ssl_hs_error; |
1516 | 25 | } |
1517 | | |
1518 | 1.99k | CBS certificate_verify = msg.body, signature; |
1519 | | |
1520 | | // Determine the signature algorithm. |
1521 | 1.99k | uint16_t signature_algorithm = 0; |
1522 | 1.99k | if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) { |
1523 | 1.33k | if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) { |
1524 | 5 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1525 | 5 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1526 | 5 | return ssl_hs_error; |
1527 | 5 | } |
1528 | 1.33k | uint8_t alert = SSL_AD_DECODE_ERROR; |
1529 | 1.33k | if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm, |
1530 | 1.33k | hs->peer_pubkey.get())) { |
1531 | 33 | ssl_send_alert(ssl, SSL3_AL_FATAL, alert); |
1532 | 33 | return ssl_hs_error; |
1533 | 33 | } |
1534 | 1.30k | hs->new_session->peer_signature_algorithm = signature_algorithm; |
1535 | 1.30k | } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm, |
1536 | 660 | hs->peer_pubkey.get())) { |
1537 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE); |
1538 | 3 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE); |
1539 | 3 | return ssl_hs_error; |
1540 | 3 | } |
1541 | | |
1542 | | // Parse and verify the signature. |
1543 | 1.95k | if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) || |
1544 | 1.94k | CBS_len(&certificate_verify) != 0) { |
1545 | 17 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1546 | 17 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1547 | 17 | return ssl_hs_error; |
1548 | 17 | } |
1549 | | |
1550 | 1.94k | if (!ssl_public_key_verify(ssl, signature, signature_algorithm, |
1551 | 1.94k | hs->peer_pubkey.get(), hs->transcript.buffer())) { |
1552 | 860 | OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE); |
1553 | 860 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR); |
1554 | 860 | return ssl_hs_error; |
1555 | 860 | } |
1556 | | |
1557 | | // The handshake buffer is no longer necessary, and we may hash the current |
1558 | | // message. |
1559 | 1.08k | hs->transcript.FreeBuffer(); |
1560 | 1.08k | if (!ssl_hash_message(hs, msg)) { |
1561 | 0 | return ssl_hs_error; |
1562 | 0 | } |
1563 | | |
1564 | 1.08k | ssl->method->next_message(ssl); |
1565 | 1.08k | hs->state = state12_read_change_cipher_spec; |
1566 | 1.08k | return ssl_hs_ok; |
1567 | 1.08k | } |
1568 | | |
1569 | 3.02k | static enum ssl_hs_wait_t do_read_change_cipher_spec(SSL_HANDSHAKE *hs) { |
1570 | 3.02k | if (hs->handback && hs->ssl->session != nullptr) { |
1571 | 0 | return ssl_hs_handback; |
1572 | 0 | } |
1573 | 3.02k | hs->state = state12_process_change_cipher_spec; |
1574 | 3.02k | return ssl_hs_read_change_cipher_spec; |
1575 | 3.02k | } |
1576 | | |
1577 | 969 | static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) { |
1578 | 969 | if (!tls1_change_cipher_state(hs, evp_aead_open)) { |
1579 | 3 | return ssl_hs_error; |
1580 | 3 | } |
1581 | | |
1582 | 966 | hs->state = state12_read_next_proto; |
1583 | 966 | return ssl_hs_ok; |
1584 | 969 | } |
1585 | | |
1586 | 1.22k | static enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) { |
1587 | 1.22k | SSL *const ssl = hs->ssl; |
1588 | | |
1589 | 1.22k | if (!hs->next_proto_neg_seen) { |
1590 | 942 | hs->state = state12_read_channel_id; |
1591 | 942 | return ssl_hs_ok; |
1592 | 942 | } |
1593 | | |
1594 | 282 | SSLMessage msg; |
1595 | 282 | if (!ssl->method->get_message(ssl, &msg)) { |
1596 | 275 | return ssl_hs_read_message; |
1597 | 275 | } |
1598 | | |
1599 | 7 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEXT_PROTO) || |
1600 | 5 | !ssl_hash_message(hs, msg)) { |
1601 | 2 | return ssl_hs_error; |
1602 | 2 | } |
1603 | | |
1604 | 5 | CBS next_protocol = msg.body, selected_protocol, padding; |
1605 | 5 | if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) || |
1606 | 4 | !CBS_get_u8_length_prefixed(&next_protocol, &padding) || |
1607 | 3 | CBS_len(&next_protocol) != 0) { |
1608 | 3 | OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); |
1609 | 3 | ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); |
1610 | 3 | return ssl_hs_error; |
1611 | 3 | } |
1612 | | |
1613 | 2 | if (!ssl->s3->next_proto_negotiated.CopyFrom(selected_protocol)) { |
1614 | 0 | return ssl_hs_error; |
1615 | 0 | } |
1616 | | |
1617 | 2 | ssl->method->next_message(ssl); |
1618 | 2 | hs->state = state12_read_channel_id; |
1619 | 2 | return ssl_hs_ok; |
1620 | 2 | } |
1621 | | |
1622 | 4.36k | static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) { |
1623 | 4.36k | SSL *const ssl = hs->ssl; |
1624 | | |
1625 | 4.36k | if (!hs->channel_id_negotiated) { |
1626 | 639 | hs->state = state12_read_client_finished; |
1627 | 639 | return ssl_hs_ok; |
1628 | 639 | } |
1629 | | |
1630 | 3.72k | SSLMessage msg; |
1631 | 3.72k | if (!ssl->method->get_message(ssl, &msg)) { |
1632 | 3.48k | return ssl_hs_read_message; |
1633 | 3.48k | } |
1634 | | |
1635 | 244 | if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || |
1636 | 241 | !tls1_verify_channel_id(hs, msg) || // |
1637 | 206 | !ssl_hash_message(hs, msg)) { |
1638 | 38 | return ssl_hs_error; |
1639 | 38 | } |
1640 | | |
1641 | 206 | ssl->method->next_message(ssl); |
1642 | 206 | hs->state = state12_read_client_finished; |
1643 | 206 | return ssl_hs_ok; |
1644 | 244 | } |
1645 | | |
1646 | 3.11k | static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { |
1647 | 3.11k | SSL *const ssl = hs->ssl; |
1648 | 3.11k | enum ssl_hs_wait_t wait = ssl_get_finished(hs); |
1649 | 3.11k | if (wait != ssl_hs_ok) { |
1650 | 2.80k | return wait; |
1651 | 2.80k | } |
1652 | | |
1653 | 316 | if (ssl->session != nullptr) { |
1654 | 42 | hs->state = state12_finish_server_handshake; |
1655 | 274 | } else { |
1656 | 274 | hs->state = state12_send_server_finished; |
1657 | 274 | } |
1658 | | |
1659 | | // If this is a full handshake with ChannelID then record the handshake |
1660 | | // hashes in |hs->new_session| in case we need them to verify a |
1661 | | // ChannelID signature on a resumption of this session in the future. |
1662 | 316 | if (ssl->session == nullptr && ssl->s3->channel_id_valid && |
1663 | 4 | !tls1_record_handshake_hashes_for_channel_id(hs)) { |
1664 | 0 | return ssl_hs_error; |
1665 | 0 | } |
1666 | | |
1667 | 316 | return ssl_hs_ok; |
1668 | 316 | } |
1669 | | |
1670 | 796 | static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { |
1671 | 796 | SSL *const ssl = hs->ssl; |
1672 | | |
1673 | 796 | if (hs->ticket_expected) { |
1674 | 247 | const SSL_SESSION *session; |
1675 | 247 | UniquePtr<SSL_SESSION> session_copy; |
1676 | 247 | if (ssl->session == nullptr) { |
1677 | | // Fix the timeout to measure from the ticket issuance time. |
1678 | 134 | ssl_session_rebase_time(ssl, hs->new_session.get()); |
1679 | 134 | session = hs->new_session.get(); |
1680 | 134 | } else { |
1681 | | // We are renewing an existing session. Duplicate the session to adjust |
1682 | | // the timeout. |
1683 | 113 | session_copy = |
1684 | 113 | SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH); |
1685 | 113 | if (!session_copy) { |
1686 | 0 | return ssl_hs_error; |
1687 | 0 | } |
1688 | | |
1689 | 113 | ssl_session_rebase_time(ssl, session_copy.get()); |
1690 | 113 | session = session_copy.get(); |
1691 | 113 | } |
1692 | | |
1693 | 247 | ScopedCBB cbb; |
1694 | 247 | CBB body, ticket; |
1695 | 247 | if (!ssl->method->init_message(ssl, cbb.get(), &body, |
1696 | 247 | SSL3_MT_NEW_SESSION_TICKET) || |
1697 | 247 | !CBB_add_u32(&body, session->timeout) || |
1698 | 247 | !CBB_add_u16_length_prefixed(&body, &ticket) || |
1699 | 247 | !ssl_encrypt_ticket(hs, &ticket, session) || |
1700 | | // |ticket| may be empty to skip sending a ticket. In TLS 1.2, servers |
1701 | | // skip sending tickets by sending empty NewSessionTicket, so no special |
1702 | | // handling is needed. |
1703 | 247 | !ssl_add_message_cbb(ssl, cbb.get())) { |
1704 | 0 | return ssl_hs_error; |
1705 | 0 | } |
1706 | 247 | } |
1707 | | |
1708 | 796 | if (!ssl->method->add_change_cipher_spec(ssl) || // |
1709 | 796 | !tls1_change_cipher_state(hs, evp_aead_seal) || // |
1710 | 796 | !ssl_send_finished(hs)) { |
1711 | 0 | return ssl_hs_error; |
1712 | 0 | } |
1713 | | |
1714 | 796 | if (ssl->session != nullptr) { |
1715 | 522 | hs->state = state12_read_change_cipher_spec; |
1716 | 522 | } else { |
1717 | 274 | hs->state = state12_finish_server_handshake; |
1718 | 274 | } |
1719 | 796 | return ssl_hs_flush; |
1720 | 796 | } |
1721 | | |
1722 | 2.88k | static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) { |
1723 | 2.88k | SSL *const ssl = hs->ssl; |
1724 | | |
1725 | 2.88k | if (hs->handback) { |
1726 | 0 | return ssl_hs_handback; |
1727 | 0 | } |
1728 | | |
1729 | 2.88k | ssl->method->on_handshake_complete(ssl); |
1730 | | |
1731 | | // If we aren't retaining peer certificates then we can discard it now. |
1732 | 2.88k | if (hs->new_session != nullptr && |
1733 | 2.84k | hs->config->retain_only_sha256_of_client_certs) { |
1734 | 0 | hs->new_session->certs.reset(); |
1735 | 0 | ssl->ctx->x509_method->session_clear(hs->new_session.get()); |
1736 | 0 | } |
1737 | | |
1738 | 2.88k | bool has_new_session = hs->new_session != nullptr; |
1739 | 2.88k | if (has_new_session) { |
1740 | 2.84k | assert(ssl->session == nullptr); |
1741 | 2.84k | ssl->s3->established_session = std::move(hs->new_session); |
1742 | 2.84k | ssl->s3->established_session->not_resumable = false; |
1743 | 2.84k | } else { |
1744 | 42 | assert(ssl->session != nullptr); |
1745 | 42 | ssl->s3->established_session = UpRef(ssl->session); |
1746 | 42 | } |
1747 | | |
1748 | 2.88k | hs->handshake_finalized = true; |
1749 | 2.88k | ssl->s3->initial_handshake_complete = true; |
1750 | 2.88k | if (has_new_session) { |
1751 | 2.84k | ssl_update_cache(ssl); |
1752 | 2.84k | } |
1753 | | |
1754 | 2.88k | hs->state = state12_done; |
1755 | 2.88k | return ssl_hs_ok; |
1756 | 2.88k | } |
1757 | | |
1758 | 157k | enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) { |
1759 | 266k | while (hs->state != state12_done) { |
1760 | 263k | enum ssl_hs_wait_t ret = ssl_hs_error; |
1761 | 263k | enum tls12_server_hs_state_t state = |
1762 | 263k | static_cast<enum tls12_server_hs_state_t>(hs->state); |
1763 | 263k | switch (state) { |
1764 | 16.2k | case state12_start_accept: |
1765 | 16.2k | ret = do_start_accept(hs); |
1766 | 16.2k | break; |
1767 | 87.4k | case state12_read_client_hello: |
1768 | 87.4k | ret = do_read_client_hello(hs); |
1769 | 87.4k | break; |
1770 | 13.8k | case state12_read_client_hello_after_ech: |
1771 | 13.8k | ret = do_read_client_hello_after_ech(hs); |
1772 | 13.8k | break; |
1773 | 12.6k | case state12_cert_callback: |
1774 | 12.6k | ret = do_cert_callback(hs); |
1775 | 12.6k | break; |
1776 | 43.5k | case state12_tls13: |
1777 | 43.5k | ret = do_tls13(hs); |
1778 | 43.5k | break; |
1779 | 7.96k | case state12_select_parameters: |
1780 | 7.96k | ret = do_select_parameters(hs); |
1781 | 7.96k | break; |
1782 | 7.44k | case state12_send_server_hello: |
1783 | 7.44k | ret = do_send_server_hello(hs); |
1784 | 7.44k | break; |
1785 | 6.92k | case state12_send_server_certificate: |
1786 | 6.92k | ret = do_send_server_certificate(hs); |
1787 | 6.92k | break; |
1788 | 6.92k | case state12_send_server_key_exchange: |
1789 | 6.92k | ret = do_send_server_key_exchange(hs); |
1790 | 6.92k | break; |
1791 | 6.92k | case state12_send_server_hello_done: |
1792 | 6.92k | ret = do_send_server_hello_done(hs); |
1793 | 6.92k | break; |
1794 | 14.6k | case state12_read_client_certificate: |
1795 | 14.6k | ret = do_read_client_certificate(hs); |
1796 | 14.6k | break; |
1797 | 5.16k | case state12_verify_client_certificate: |
1798 | 5.16k | ret = do_verify_client_certificate(hs); |
1799 | 5.16k | break; |
1800 | 10.9k | case state12_read_client_key_exchange: |
1801 | 10.9k | ret = do_read_client_key_exchange(hs); |
1802 | 10.9k | break; |
1803 | 6.20k | case state12_read_client_certificate_verify: |
1804 | 6.20k | ret = do_read_client_certificate_verify(hs); |
1805 | 6.20k | break; |
1806 | 3.02k | case state12_read_change_cipher_spec: |
1807 | 3.02k | ret = do_read_change_cipher_spec(hs); |
1808 | 3.02k | break; |
1809 | 969 | case state12_process_change_cipher_spec: |
1810 | 969 | ret = do_process_change_cipher_spec(hs); |
1811 | 969 | break; |
1812 | 1.22k | case state12_read_next_proto: |
1813 | 1.22k | ret = do_read_next_proto(hs); |
1814 | 1.22k | break; |
1815 | 4.36k | case state12_read_channel_id: |
1816 | 4.36k | ret = do_read_channel_id(hs); |
1817 | 4.36k | break; |
1818 | 3.11k | case state12_read_client_finished: |
1819 | 3.11k | ret = do_read_client_finished(hs); |
1820 | 3.11k | break; |
1821 | 796 | case state12_send_server_finished: |
1822 | 796 | ret = do_send_server_finished(hs); |
1823 | 796 | break; |
1824 | 2.88k | case state12_finish_server_handshake: |
1825 | 2.88k | ret = do_finish_server_handshake(hs); |
1826 | 2.88k | break; |
1827 | 0 | case state12_done: |
1828 | 0 | ret = ssl_hs_ok; |
1829 | 0 | break; |
1830 | 263k | } |
1831 | | |
1832 | 263k | if (hs->state != state) { |
1833 | 119k | ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1); |
1834 | 119k | } |
1835 | | |
1836 | 263k | if (ret != ssl_hs_ok) { |
1837 | 154k | return ret; |
1838 | 154k | } |
1839 | 263k | } |
1840 | | |
1841 | 2.88k | ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1); |
1842 | 2.88k | return ssl_hs_ok; |
1843 | 157k | } |
1844 | | |
1845 | 0 | const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) { |
1846 | 0 | enum tls12_server_hs_state_t state = |
1847 | 0 | static_cast<enum tls12_server_hs_state_t>(hs->state); |
1848 | 0 | switch (state) { |
1849 | 0 | case state12_start_accept: |
1850 | 0 | return "TLS server start_accept"; |
1851 | 0 | case state12_read_client_hello: |
1852 | 0 | return "TLS server read_client_hello"; |
1853 | 0 | case state12_read_client_hello_after_ech: |
1854 | 0 | return "TLS server read_client_hello_after_ech"; |
1855 | 0 | case state12_cert_callback: |
1856 | 0 | return "TLS server cert_callback"; |
1857 | 0 | case state12_tls13: |
1858 | 0 | return tls13_server_handshake_state(hs); |
1859 | 0 | case state12_select_parameters: |
1860 | 0 | return "TLS server select_parameters"; |
1861 | 0 | case state12_send_server_hello: |
1862 | 0 | return "TLS server send_server_hello"; |
1863 | 0 | case state12_send_server_certificate: |
1864 | 0 | return "TLS server send_server_certificate"; |
1865 | 0 | case state12_send_server_key_exchange: |
1866 | 0 | return "TLS server send_server_key_exchange"; |
1867 | 0 | case state12_send_server_hello_done: |
1868 | 0 | return "TLS server send_server_hello_done"; |
1869 | 0 | case state12_read_client_certificate: |
1870 | 0 | return "TLS server read_client_certificate"; |
1871 | 0 | case state12_verify_client_certificate: |
1872 | 0 | return "TLS server verify_client_certificate"; |
1873 | 0 | case state12_read_client_key_exchange: |
1874 | 0 | return "TLS server read_client_key_exchange"; |
1875 | 0 | case state12_read_client_certificate_verify: |
1876 | 0 | return "TLS server read_client_certificate_verify"; |
1877 | 0 | case state12_read_change_cipher_spec: |
1878 | 0 | return "TLS server read_change_cipher_spec"; |
1879 | 0 | case state12_process_change_cipher_spec: |
1880 | 0 | return "TLS server process_change_cipher_spec"; |
1881 | 0 | case state12_read_next_proto: |
1882 | 0 | return "TLS server read_next_proto"; |
1883 | 0 | case state12_read_channel_id: |
1884 | 0 | return "TLS server read_channel_id"; |
1885 | 0 | case state12_read_client_finished: |
1886 | 0 | return "TLS server read_client_finished"; |
1887 | 0 | case state12_send_server_finished: |
1888 | 0 | return "TLS server send_server_finished"; |
1889 | 0 | case state12_finish_server_handshake: |
1890 | 0 | return "TLS server finish_server_handshake"; |
1891 | 0 | case state12_done: |
1892 | 0 | return "TLS server done"; |
1893 | 0 | } |
1894 | | |
1895 | 0 | return "TLS server unknown"; |
1896 | 0 | } |
1897 | | |
1898 | | BSSL_NAMESPACE_END |