1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 *
113 * Portions of the attached software ("Contribution") are developed by
114 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115 *
116 * The Contribution is licensed pursuant to the OpenSSL open source
117 * license provided above.
118 *
119 * ECC cipher suite support in OpenSSL originally written by
120 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121 *
122 */
123 /* ====================================================================
124 * Copyright 2005 Nokia. All rights reserved.
125 *
126 * The portions of the attached software ("Contribution") is developed by
127 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
128 * license.
129 *
130 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132 * support (see RFC 4279) to OpenSSL.
133 *
134 * No patent licenses or other rights except those expressly stated in
135 * the OpenSSL open source license shall be deemed granted or received
136 * expressly, by implication, estoppel, or otherwise.
137 *
138 * No assurances are provided by Nokia that the Contribution does not
139 * infringe the patent or other intellectual property rights of any third
140 * party or that the license provides you with all the necessary rights
141 * to make use of the Contribution.
142 *
143 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147 * OTHERWISE. */
148
149 #include <openssl/ssl.h>
150
151 #include <assert.h>
152 #include <string.h>
153
154 #include <openssl/bn.h>
155 #include <openssl/bytestring.h>
156 #include <openssl/cipher.h>
157 #include <openssl/curve25519.h>
158 #include <openssl/digest.h>
159 #include <openssl/ec.h>
160 #include <openssl/ecdsa.h>
161 #include <openssl/err.h>
162 #include <openssl/evp.h>
163 #include <openssl/hmac.h>
164 #include <openssl/md5.h>
165 #include <openssl/mem.h>
166 #include <openssl/nid.h>
167 #include <openssl/rand.h>
168 #include <openssl/x509.h>
169
170 #include "internal.h"
171 #include "../crypto/internal.h"
172
173
174 BSSL_NAMESPACE_BEGIN
175
176 bool ssl_client_cipher_list_contains_cipher(
177 const SSL_CLIENT_HELLO *client_hello, uint16_t id) {
178 CBS cipher_suites;
179 CBS_init(&cipher_suites, client_hello->cipher_suites,
180 client_hello->cipher_suites_len);
181
182 while (CBS_len(&cipher_suites) > 0) {
183 uint16_t got_id;
184 if (!CBS_get_u16(&cipher_suites, &got_id)) {
185 return false;
186 }
187
188 if (got_id == id) {
189 return true;
190 }
191 }
192
193 return false;
194 }
195
196 static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
197 const SSL_CLIENT_HELLO *client_hello) {
198 SSL *const ssl = hs->ssl;
199 assert(!ssl->s3->have_version);
200 CBS supported_versions, versions;
201 if (ssl_client_hello_get_extension(client_hello, &supported_versions,
202 TLSEXT_TYPE_supported_versions)) {
203 if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) ||
204 CBS_len(&supported_versions) != 0 ||
ssl_get_client_disabled(const SSL_HANDSHAKE * hs,uint32_t * out_mask_a,uint32_t * out_mask_k)205 CBS_len(&versions) == 0) {
206 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
207 *out_alert = SSL_AD_DECODE_ERROR;
208 return false;
209 }
210 } else {
211 // Convert the ClientHello version to an equivalent supported_versions
212 // extension.
213 static const uint8_t kTLSVersions[] = {
214 0x03, 0x03, // TLS 1.2
215 0x03, 0x02, // TLS 1.1
216 0x03, 0x01, // TLS 1
217 };
ssl_write_client_cipher_list(const SSL_HANDSHAKE * hs,CBB * out,ssl_client_hello_type_t type)218
219 static const uint8_t kDTLSVersions[] = {
220 0xfe, 0xfd, // DTLS 1.2
221 0xfe, 0xff, // DTLS 1.0
222 };
223
224 size_t versions_len = 0;
225 if (SSL_is_dtls(ssl)) {
226 if (client_hello->version <= DTLS1_2_VERSION) {
227 versions_len = 4;
228 } else if (client_hello->version <= DTLS1_VERSION) {
229 versions_len = 2;
230 }
231 CBS_init(&versions, kDTLSVersions + sizeof(kDTLSVersions) - versions_len,
232 versions_len);
233 } else {
234 if (client_hello->version >= TLS1_2_VERSION) {
235 versions_len = 6;
236 } else if (client_hello->version >= TLS1_1_VERSION) {
237 versions_len = 4;
238 } else if (client_hello->version >= TLS1_VERSION) {
239 versions_len = 2;
240 }
241 CBS_init(&versions, kTLSVersions + sizeof(kTLSVersions) - versions_len,
242 versions_len);
243 }
244 }
245
246 if (!ssl_negotiate_version(hs, out_alert, &ssl->version, &versions)) {
247 return false;
248 }
249
250 // At this point, the connection's version is known and |ssl->version| is
251 // fixed. Begin enforcing the record-layer version.
252 ssl->s3->have_version = true;
253 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
254
255 // Handle FALLBACK_SCSV.
256 if (ssl_client_cipher_list_contains_cipher(client_hello,
257 SSL3_CK_FALLBACK_SCSV & 0xffff) &&
258 ssl_protocol_version(ssl) < hs->max_version) {
259 OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
260 *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;
261 return false;
262 }
263
264 return true;
265 }
266
267 static UniquePtr<STACK_OF(SSL_CIPHER)> ssl_parse_client_cipher_list(
268 const SSL_CLIENT_HELLO *client_hello) {
269 CBS cipher_suites;
270 CBS_init(&cipher_suites, client_hello->cipher_suites,
271 client_hello->cipher_suites_len);
272
273 UniquePtr<STACK_OF(SSL_CIPHER)> sk(sk_SSL_CIPHER_new_null());
274 if (!sk) {
275 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
276 return nullptr;
277 }
278
279 while (CBS_len(&cipher_suites) > 0) {
280 uint16_t cipher_suite;
281
282 if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
283 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
284 return nullptr;
285 }
ssl_write_client_hello_without_extensions(const SSL_HANDSHAKE * hs,CBB * cbb,ssl_client_hello_type_t type,bool empty_session_id)286
287 const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite);
288 if (c != NULL && !sk_SSL_CIPHER_push(sk.get(), c)) {
289 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
290 return nullptr;
291 }
292 }
293
294 return sk;
295 }
296
297 // ssl_get_compatible_server_ciphers determines the key exchange and
298 // authentication cipher suite masks compatible with the server configuration
299 // and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
300 // exchange mask and |*out_mask_a| to the authentication mask.
301 static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs,
302 uint32_t *out_mask_k,
303 uint32_t *out_mask_a) {
304 uint32_t mask_k = 0;
305 uint32_t mask_a = 0;
306
307 if (ssl_has_certificate(hs)) {
308 mask_a |= ssl_cipher_auth_mask_for_key(hs->local_pubkey.get());
309 if (EVP_PKEY_id(hs->local_pubkey.get()) == EVP_PKEY_RSA) {
310 mask_k |= SSL_kRSA;
311 }
312 }
313
314 // Check for a shared group to consider ECDHE ciphers.
315 uint16_t unused;
316 if (tls1_get_shared_group(hs, &unused)) {
317 mask_k |= SSL_kECDHE;
318 }
319
320 // PSK requires a server callback.
321 if (hs->config->psk_server_callback != NULL) {
322 mask_k |= SSL_kPSK;
ssl_add_client_hello(SSL_HANDSHAKE * hs)323 mask_a |= SSL_aPSK;
324 }
325
326 *out_mask_k = mask_k;
327 *out_mask_a = mask_a;
328 }
329
330 static const SSL_CIPHER *choose_cipher(
331 SSL_HANDSHAKE *hs, const SSL_CLIENT_HELLO *client_hello,
332 const SSLCipherPreferenceList *server_pref) {
333 SSL *const ssl = hs->ssl;
334 const STACK_OF(SSL_CIPHER) *prio, *allow;
335 // in_group_flags will either be NULL, or will point to an array of bytes
336 // which indicate equal-preference groups in the |prio| stack. See the
337 // comment about |in_group_flags| in the |SSLCipherPreferenceList|
338 // struct.
339 const bool *in_group_flags;
340 // group_min contains the minimal index so far found in a group, or -1 if no
341 // such value exists yet.
342 int group_min = -1;
343
344 UniquePtr<STACK_OF(SSL_CIPHER)> client_pref =
345 ssl_parse_client_cipher_list(client_hello);
346 if (!client_pref) {
347 return nullptr;
348 }
349
350 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
351 prio = server_pref->ciphers.get();
352 in_group_flags = server_pref->in_group_flags;
353 allow = client_pref.get();
354 } else {
355 prio = client_pref.get();
parse_server_version(const SSL_HANDSHAKE * hs,uint16_t * out_version,uint8_t * out_alert,const ParsedServerHello & server_hello)356 in_group_flags = NULL;
357 allow = server_pref->ciphers.get();
358 }
359
360 uint32_t mask_k, mask_a;
361 ssl_get_compatible_server_ciphers(hs, &mask_k, &mask_a);
362
363 for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
364 const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);
365
366 size_t cipher_index;
367 if (// Check if the cipher is supported for the current version.
368 SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) &&
369 ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) &&
370 // Check the cipher is supported for the server configuration.
371 (c->algorithm_mkey & mask_k) &&
372 (c->algorithm_auth & mask_a) &&
373 // Check the cipher is in the |allow| list.
374 sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
375 if (in_group_flags != NULL && in_group_flags[i]) {
376 // This element of |prio| is in a group. Update the minimum index found
377 // so far and continue looking.
378 if (group_min == -1 || (size_t)group_min > cipher_index) {
379 group_min = cipher_index;
380 }
381 } else {
382 if (group_min != -1 && (size_t)group_min < cipher_index) {
383 cipher_index = group_min;
384 }
385 return sk_SSL_CIPHER_value(allow, cipher_index);
386 }
387 }
388
should_offer_early_data(const SSL_HANDSHAKE * hs)389 if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
390 // We are about to leave a group, but we found a match in it, so that's
391 // our answer.
392 return sk_SSL_CIPHER_value(allow, group_min);
393 }
394 }
395
396 return nullptr;
397 }
398
399 static enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) {
400 ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1);
401 hs->state = state12_read_client_hello;
402 return ssl_hs_ok;
403 }
404
405 // is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent
406 // from a JDK 11 client with both TLS 1.3 and a prior version enabled.
407 static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
408 // JDK 11 ClientHellos contain a number of unusual properties which should
409 // limit false positives.
410
411 // JDK 11 does not support ChaCha20-Poly1305. This is unusual: many modern
412 // clients implement ChaCha20-Poly1305.
413 if (ssl_client_cipher_list_contains_cipher(
414 client_hello, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
415 return false;
416 }
417
418 // JDK 11 always sends extensions in a particular order.
419 constexpr uint16_t kMaxFragmentLength = 0x0001;
420 constexpr uint16_t kStatusRequestV2 = 0x0011;
421 static CONSTEXPR_ARRAY struct {
422 uint16_t id;
423 bool required;
424 } kJavaExtensions[] = {
425 {TLSEXT_TYPE_server_name, false},
426 {kMaxFragmentLength, false},
427 {TLSEXT_TYPE_status_request, false},
428 {TLSEXT_TYPE_supported_groups, true},
429 {TLSEXT_TYPE_ec_point_formats, false},
430 {TLSEXT_TYPE_signature_algorithms, true},
431 // Java always sends signature_algorithms_cert.
432 {TLSEXT_TYPE_signature_algorithms_cert, true},
433 {TLSEXT_TYPE_application_layer_protocol_negotiation, false},
434 {kStatusRequestV2, false},
ssl_done_writing_client_hello(SSL_HANDSHAKE * hs)435 {TLSEXT_TYPE_extended_master_secret, false},
436 {TLSEXT_TYPE_supported_versions, true},
437 {TLSEXT_TYPE_cookie, false},
438 {TLSEXT_TYPE_psk_key_exchange_modes, true},
439 {TLSEXT_TYPE_key_share, true},
440 {TLSEXT_TYPE_renegotiate, false},
do_start_connect(SSL_HANDSHAKE * hs)441 {TLSEXT_TYPE_pre_shared_key, false},
442 };
443 Span<const uint8_t> sigalgs, sigalgs_cert;
444 bool has_status_request = false, has_status_request_v2 = false;
445 CBS extensions, supported_groups;
446 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
447 for (const auto &java_extension : kJavaExtensions) {
448 CBS copy = extensions;
449 uint16_t id;
450 if (CBS_get_u16(©, &id) && id == java_extension.id) {
451 // The next extension is the one we expected.
452 extensions = copy;
453 CBS body;
454 if (!CBS_get_u16_length_prefixed(&extensions, &body)) {
455 return false;
456 }
457 switch (id) {
458 case TLSEXT_TYPE_status_request:
459 has_status_request = true;
460 break;
461 case kStatusRequestV2:
462 has_status_request_v2 = true;
463 break;
464 case TLSEXT_TYPE_signature_algorithms:
465 sigalgs = body;
466 break;
467 case TLSEXT_TYPE_signature_algorithms_cert:
468 sigalgs_cert = body;
469 break;
470 case TLSEXT_TYPE_supported_groups:
471 supported_groups = body;
472 break;
473 }
474 } else if (java_extension.required) {
475 return false;
476 }
477 }
478 if (CBS_len(&extensions) != 0) {
479 return false;
480 }
481
482 // JDK 11 never advertises X25519. It is not offered by default, and
483 // -Djdk.tls.namedGroups=x25519 does not work. This is unusual: many modern
484 // clients implement X25519.
485 while (CBS_len(&supported_groups) > 0) {
486 uint16_t group;
487 if (!CBS_get_u16(&supported_groups, &group) ||
488 group == SSL_CURVE_X25519) {
489 return false;
490 }
491 }
492
493 if (// JDK 11 always sends the same contents in signature_algorithms and
494 // signature_algorithms_cert. This is unusual: signature_algorithms_cert,
495 // if omitted, is treated as if it were signature_algorithms.
496 sigalgs != sigalgs_cert ||
497 // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it
498 // sends status_request. This is unusual: status_request_v2 is not widely
499 // implemented.
500 has_status_request != has_status_request_v2) {
501 return false;
502 }
503
504 return true;
505 }
506
507 static bool decrypt_ech(SSL_HANDSHAKE *hs, uint8_t *out_alert,
508 const SSL_CLIENT_HELLO *client_hello) {
509 SSL *const ssl = hs->ssl;
510 CBS body;
511 if (!ssl_client_hello_get_extension(client_hello, &body,
512 TLSEXT_TYPE_encrypted_client_hello)) {
513 return true;
514 }
515 uint8_t type;
516 if (!CBS_get_u8(&body, &type)) {
517 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
518 *out_alert = SSL_AD_DECODE_ERROR;
519 return false;
520 }
521 if (type != ECH_CLIENT_OUTER) {
522 return true;
523 }
524 // This is a ClientHelloOuter ECH extension. Attempt to decrypt it.
525 uint8_t config_id;
526 uint16_t kdf_id, aead_id;
527 CBS enc, payload;
528 if (!CBS_get_u16(&body, &kdf_id) || //
529 !CBS_get_u16(&body, &aead_id) || //
530 !CBS_get_u8(&body, &config_id) ||
531 !CBS_get_u16_length_prefixed(&body, &enc) ||
532 !CBS_get_u16_length_prefixed(&body, &payload) || //
533 CBS_len(&body) != 0) {
534 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
535 *out_alert = SSL_AD_DECODE_ERROR;
do_enter_early_data(SSL_HANDSHAKE * hs)536 return false;
537 }
538
539 {
540 MutexReadLock lock(&ssl->ctx->lock);
541 hs->ech_keys = UpRef(ssl->ctx->ech_keys);
542 }
543
544 if (!hs->ech_keys) {
545 ssl->s3->ech_status = ssl_ech_rejected;
546 return true;
547 }
548
549 for (const auto &config : hs->ech_keys->configs) {
550 hs->ech_hpke_ctx.Reset();
551 if (config_id != config->ech_config().config_id ||
552 !config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id, enc)) {
553 // Ignore the error and try another ECHConfig.
554 ERR_clear_error();
555 continue;
556 }
557 Array<uint8_t> encoded_client_hello_inner;
558 bool is_decrypt_error;
559 if (!ssl_client_hello_decrypt(hs->ech_hpke_ctx.get(),
560 &encoded_client_hello_inner,
561 &is_decrypt_error, client_hello, payload)) {
562 if (is_decrypt_error) {
563 // Ignore the error and try another ECHConfig.
564 ERR_clear_error();
565 continue;
do_early_reverify_server_certificate(SSL_HANDSHAKE * hs)566 }
567 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
568 return false;
569 }
570
571 // Recover the ClientHelloInner from the EncodedClientHelloInner.
572 bssl::Array<uint8_t> client_hello_inner;
573 if (!ssl_decode_client_hello_inner(ssl, out_alert, &client_hello_inner,
574 encoded_client_hello_inner,
575 client_hello)) {
576 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
577 return false;
578 }
579 hs->ech_client_hello_buf = std::move(client_hello_inner);
580 hs->ech_config_id = config_id;
581 ssl->s3->ech_status = ssl_ech_accepted;
582 return true;
583 }
584
585 // If we did not accept ECH, proceed with the ClientHelloOuter. Note this
586 // could be key mismatch or ECH GREASE, so we must complete the handshake
587 // as usual, except EncryptedExtensions will contain retry configs.
588 ssl->s3->ech_status = ssl_ech_rejected;
589 return true;
590 }
591
592 static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
593 const SSL_CLIENT_HELLO *client_hello) {
594 SSL *const ssl = hs->ssl;
595 CBS sni;
596 if (!ssl_client_hello_get_extension(client_hello, &sni,
597 TLSEXT_TYPE_server_name)) {
598 // No SNI extension to parse.
599 return true;
do_read_hello_verify_request(SSL_HANDSHAKE * hs)600 }
601
602 CBS server_name_list, host_name;
603 uint8_t name_type;
604 if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) ||
605 !CBS_get_u8(&server_name_list, &name_type) ||
606 // Although the server_name extension was intended to be extensible to
607 // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
608 // different name types will cause an error. Further, RFC 4366 originally
609 // defined syntax inextensibly. RFC 6066 corrected this mistake, but
610 // adding new name types is no longer feasible.
611 //
612 // Act as if the extensibility does not exist to simplify parsing.
613 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
614 CBS_len(&server_name_list) != 0 ||
615 CBS_len(&sni) != 0) {
616 *out_alert = SSL_AD_DECODE_ERROR;
617 return false;
618 }
619
620 if (name_type != TLSEXT_NAMETYPE_host_name ||
621 CBS_len(&host_name) == 0 ||
622 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
623 CBS_contains_zero_byte(&host_name)) {
624 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
625 return false;
626 }
627
628 // Copy the hostname as a string.
629 char *raw = nullptr;
630 if (!CBS_strdup(&host_name, &raw)) {
631 *out_alert = SSL_AD_INTERNAL_ERROR;
632 return false;
633 }
634 ssl->s3->hostname.reset(raw);
635
636 hs->should_ack_sni = true;
637 return true;
638 }
639
640 static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
641 SSL *const ssl = hs->ssl;
642
643 SSLMessage msg;
644 if (!ssl->method->get_message(ssl, &msg)) {
645 return ssl_hs_read_message;
646 }
647
ssl_parse_server_hello(ParsedServerHello * out,uint8_t * out_alert,const SSLMessage & msg)648 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
649 return ssl_hs_error;
650 }
651
652 SSL_CLIENT_HELLO client_hello;
653 if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {
654 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
655 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
656 return ssl_hs_error;
657 }
658
659 // ClientHello should be the end of the flight. We check this early to cover
660 // all protocol versions.
661 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
662 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
663 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
664 return ssl_hs_error;
665 }
666
667 if (hs->config->handoff) {
668 return ssl_hs_handoff;
669 }
670
671 uint8_t alert = SSL_AD_DECODE_ERROR;
672 if (!decrypt_ech(hs, &alert, &client_hello)) {
673 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
674 return ssl_hs_error;
675 }
676
677 // ECH may have changed which ClientHello we process. Update |msg| and
678 // |client_hello| in case.
679 if (!hs->GetClientHello(&msg, &client_hello)) {
do_read_server_hello(SSL_HANDSHAKE * hs)680 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
681 return ssl_hs_error;
682 }
683
684 if (!extract_sni(hs, &alert, &client_hello)) {
685 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
686 return ssl_hs_error;
687 }
688
689 hs->state = state12_read_client_hello_after_ech;
690 return ssl_hs_ok;
691 }
692
693 static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) {
694 SSL *const ssl = hs->ssl;
695
696 SSLMessage msg_unused;
697 SSL_CLIENT_HELLO client_hello;
698 if (!hs->GetClientHello(&msg_unused, &client_hello)) {
699 return ssl_hs_error;
700 }
701
702 // Run the early callback.
703 if (ssl->ctx->select_certificate_cb != NULL) {
704 switch (ssl->ctx->select_certificate_cb(&client_hello)) {
705 case ssl_select_cert_retry:
706 return ssl_hs_certificate_selection_pending;
707
708 case ssl_select_cert_error:
709 // Connection rejected.
710 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
711 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
712 return ssl_hs_error;
713
714 default:
715 /* fallthrough */;
716 }
717 }
718
719 // Freeze the version range after the early callback.
720 if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) {
721 return ssl_hs_error;
722 }
723
724 if (hs->config->jdk11_workaround &&
725 is_probably_jdk11_with_tls13(&client_hello)) {
726 hs->apply_jdk11_workaround = true;
727 }
728
729 uint8_t alert = SSL_AD_DECODE_ERROR;
730 if (!negotiate_version(hs, &alert, &client_hello)) {
731 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
732 return ssl_hs_error;
733 }
734
735 hs->client_version = client_hello.version;
736 if (client_hello.random_len != SSL3_RANDOM_SIZE) {
737 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
738 return ssl_hs_error;
739 }
740 OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
741 client_hello.random_len);
742
743 // Only null compression is supported. TLS 1.3 further requires the peer
744 // advertise no other compression.
745 if (OPENSSL_memchr(client_hello.compression_methods, 0,
746 client_hello.compression_methods_len) == NULL ||
747 (ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
748 client_hello.compression_methods_len != 1)) {
749 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
750 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
751 return ssl_hs_error;
752 }
753
754 // TLS extensions.
755 if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {
756 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
757 return ssl_hs_error;
758 }
759
760 hs->state = state12_select_certificate;
761 return ssl_hs_ok;
762 }
763
764 static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
765 SSL *const ssl = hs->ssl;
766
767 // Call |cert_cb| to update server certificates if required.
768 if (hs->config->cert->cert_cb != NULL) {
769 int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
770 if (rv == 0) {
771 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
772 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
773 return ssl_hs_error;
774 }
775 if (rv < 0) {
776 return ssl_hs_x509_lookup;
777 }
778 }
779
780 if (!ssl_on_certificate_selected(hs)) {
781 return ssl_hs_error;
782 }
783
784 if (hs->ocsp_stapling_requested &&
785 ssl->ctx->legacy_ocsp_callback != nullptr) {
786 switch (ssl->ctx->legacy_ocsp_callback(
787 ssl, ssl->ctx->legacy_ocsp_callback_arg)) {
788 case SSL_TLSEXT_ERR_OK:
789 break;
790 case SSL_TLSEXT_ERR_NOACK:
791 hs->ocsp_stapling_requested = false;
792 break;
793 default:
794 OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR);
795 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
796 return ssl_hs_error;
797 }
798 }
799
800 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
801 // Jump to the TLS 1.3 state machine.
802 hs->state = state12_tls13;
803 return ssl_hs_ok;
804 }
805
806 // It should not be possible to negotiate TLS 1.2 with ECH. The
807 // ClientHelloInner decoding function rejects ClientHellos which offer TLS 1.2
808 // or below.
809 assert(ssl->s3->ech_status != ssl_ech_accepted);
810
811 // TODO(davidben): Also compute hints for TLS 1.2. When doing so, update the
812 // check in bssl_shim.cc to test this.
813 if (hs->hints_requested) {
814 return ssl_hs_hints_ready;
815 }
816
817 ssl->s3->early_data_reason = ssl_early_data_protocol_version;
818
819 SSLMessage msg_unused;
820 SSL_CLIENT_HELLO client_hello;
821 if (!hs->GetClientHello(&msg_unused, &client_hello)) {
822 return ssl_hs_error;
823 }
824
825 // Negotiate the cipher suite. This must be done after |cert_cb| so the
826 // certificate is finalized.
827 SSLCipherPreferenceList *prefs = hs->config->cipher_list
828 ? hs->config->cipher_list.get()
829 : ssl->ctx->cipher_list.get();
830 hs->new_cipher = choose_cipher(hs, &client_hello, prefs);
831 if (hs->new_cipher == NULL) {
832 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
833 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
834 return ssl_hs_error;
835 }
836
837 hs->state = state12_select_parameters;
838 return ssl_hs_ok;
839 }
840
841 static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {
842 enum ssl_hs_wait_t wait = tls13_server_handshake(hs);
843 if (wait == ssl_hs_ok) {
844 hs->state = state12_finish_server_handshake;
845 return ssl_hs_ok;
846 }
847
848 return wait;
849 }
850
851 static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
852 SSL *const ssl = hs->ssl;
853
854 SSLMessage msg;
855 if (!ssl->method->get_message(ssl, &msg)) {
856 return ssl_hs_read_message;
857 }
858
859 SSL_CLIENT_HELLO client_hello;
860 if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {
861 return ssl_hs_error;
862 }
863
864 hs->session_id_len = client_hello.session_id_len;
865 // This is checked in |ssl_client_hello_init|.
866 assert(hs->session_id_len <= sizeof(hs->session_id));
867 OPENSSL_memcpy(hs->session_id, client_hello.session_id, hs->session_id_len);
868
869 // Determine whether we are doing session resumption.
870 UniquePtr<SSL_SESSION> session;
871 bool tickets_supported = false, renew_ticket = false;
872 enum ssl_hs_wait_t wait = ssl_get_prev_session(
873 hs, &session, &tickets_supported, &renew_ticket, &client_hello);
874 if (wait != ssl_hs_ok) {
875 return wait;
876 }
877
878 if (session) {
879 if (session->extended_master_secret && !hs->extended_master_secret) {
880 // A ClientHello without EMS that attempts to resume a session with EMS
881 // is fatal to the connection.
882 OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
883 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
884 return ssl_hs_error;
885 }
886
887 if (!ssl_session_is_resumable(hs, session.get()) ||
888 // If the client offers the EMS extension, but the previous session
889 // didn't use it, then negotiate a new session.
890 hs->extended_master_secret != session->extended_master_secret) {
do_tls13(SSL_HANDSHAKE * hs)891 session.reset();
892 }
893 }
894
895 if (session) {
896 // Use the old session.
897 hs->ticket_expected = renew_ticket;
898 ssl->session = std::move(session);
899 ssl->s3->session_reused = true;
900 hs->can_release_private_key = true;
do_read_server_certificate(SSL_HANDSHAKE * hs)901 } else {
902 hs->ticket_expected = tickets_supported;
903 ssl_set_session(ssl, nullptr);
904 if (!ssl_get_new_session(hs)) {
905 return ssl_hs_error;
906 }
907
908 // Assign a session ID if not using session tickets.
909 if (!hs->ticket_expected &&
910 (ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
911 hs->new_session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
912 RAND_bytes(hs->new_session->session_id,
913 hs->new_session->session_id_length);
914 }
915 }
916
917 if (ssl->ctx->dos_protection_cb != NULL &&
918 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
919 // Connection rejected for DOS reasons.
920 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
921 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
922 return ssl_hs_error;
923 }
924
925 if (ssl->session == NULL) {
926 hs->new_session->cipher = hs->new_cipher;
927
928 // Determine whether to request a client certificate.
929 hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
930 // Only request a certificate if Channel ID isn't negotiated.
931 if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
932 hs->channel_id_negotiated) {
933 hs->cert_request = false;
934 }
935 // CertificateRequest may only be sent in certificate-based ciphers.
936 if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
937 hs->cert_request = false;
938 }
939
940 if (!hs->cert_request) {
941 // OpenSSL returns X509_V_OK when no certificates are requested. This is
942 // classed by them as a bug, but it's assumed by at least NGINX.
943 hs->new_session->verify_result = X509_V_OK;
944 }
945 }
946
947 // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
do_read_certificate_status(SSL_HANDSHAKE * hs)948 // deferred. Complete it now.
949 uint8_t alert = SSL_AD_DECODE_ERROR;
950 if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
951 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
952 return ssl_hs_error;
953 }
954
955 // Now that all parameters are known, initialize the handshake hash and hash
956 // the ClientHello.
957 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
958 !ssl_hash_message(hs, msg)) {
959 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
960 return ssl_hs_error;
961 }
962
963 // Handback includes the whole handshake transcript, so we cannot free the
964 // transcript buffer in the handback case.
965 if (!hs->cert_request && !hs->handback) {
966 hs->transcript.FreeBuffer();
967 }
968
969 ssl->method->next_message(ssl);
970
971 hs->state = state12_send_server_hello;
972 return ssl_hs_ok;
973 }
974
975 static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) {
976 out = out.last(in.size());
977 OPENSSL_memcpy(out.data(), in.data(), in.size());
978 }
979
980 static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
981 SSL *const ssl = hs->ssl;
982
983 // We only accept ChannelIDs on connections with ECDHE in order to avoid a
984 // known attack while we fix ChannelID itself.
985 if (hs->channel_id_negotiated &&
986 (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
987 hs->channel_id_negotiated = false;
988 }
989
990 // If this is a resumption and the original handshake didn't support
991 // ChannelID then we didn't record the original handshake hashes in the
992 // session and so cannot resume with ChannelIDs.
993 if (ssl->session != NULL &&
994 ssl->session->original_handshake_hash_len == 0) {
995 hs->channel_id_negotiated = false;
996 }
do_verify_server_certificate(SSL_HANDSHAKE * hs)997
998 struct OPENSSL_timeval now;
999 ssl_get_current_time(ssl, &now);
1000 ssl->s3->server_random[0] = now.tv_sec >> 24;
1001 ssl->s3->server_random[1] = now.tv_sec >> 16;
1002 ssl->s3->server_random[2] = now.tv_sec >> 8;
1003 ssl->s3->server_random[3] = now.tv_sec;
1004 if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) {
1005 return ssl_hs_error;
1006 }
1007
1008 // Implement the TLS 1.3 anti-downgrade feature.
1009 if (ssl_supports_version(hs, TLS1_3_VERSION)) {
1010 if (ssl_protocol_version(ssl) == TLS1_2_VERSION) {
1011 if (hs->apply_jdk11_workaround) {
1012 // JDK 11 implements the TLS 1.3 downgrade signal, so we cannot send it
1013 // here. However, the signal is only effective if all TLS 1.2
1014 // ServerHellos produced by the server are marked. Thus we send a
1015 // different non-standard signal for the time being, until JDK 11.0.2 is
1016 // released and clients have updated.
do_reverify_server_certificate(SSL_HANDSHAKE * hs)1017 copy_suffix(ssl->s3->server_random, kJDK11DowngradeRandom);
1018 } else {
1019 copy_suffix(ssl->s3->server_random, kTLS13DowngradeRandom);
1020 }
1021 } else {
1022 copy_suffix(ssl->s3->server_random, kTLS12DowngradeRandom);
1023 }
1024 }
1025
1026 Span<const uint8_t> session_id;
1027 if (ssl->session != nullptr) {
1028 // Echo the session ID from the ClientHello to indicate resumption.
1029 session_id = MakeConstSpan(hs->session_id, hs->session_id_len);
1030 } else {
1031 session_id = MakeConstSpan(hs->new_session->session_id,
1032 hs->new_session->session_id_length);
1033 }
do_read_server_key_exchange(SSL_HANDSHAKE * hs)1034
1035 ScopedCBB cbb;
1036 CBB body, session_id_bytes;
1037 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
1038 !CBB_add_u16(&body, ssl->version) ||
1039 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
1040 !CBB_add_u8_length_prefixed(&body, &session_id_bytes) ||
1041 !CBB_add_bytes(&session_id_bytes, session_id.data(), session_id.size()) ||
1042 !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
1043 !CBB_add_u8(&body, 0 /* no compression */) ||
1044 !ssl_add_serverhello_tlsext(hs, &body) ||
1045 !ssl_add_message_cbb(ssl, cbb.get())) {
1046 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1047 return ssl_hs_error;
1048 }
1049
1050 if (ssl->session != NULL) {
1051 hs->state = state12_send_server_finished;
1052 } else {
1053 hs->state = state12_send_server_certificate;
1054 }
1055 return ssl_hs_ok;
1056 }
1057
1058 static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
1059 SSL *const ssl = hs->ssl;
1060 ScopedCBB cbb;
1061
1062 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1063 if (!ssl_has_certificate(hs)) {
1064 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
1065 return ssl_hs_error;
1066 }
1067
1068 if (!ssl_output_cert_chain(hs)) {
1069 return ssl_hs_error;
1070 }
1071
1072 if (hs->certificate_status_expected) {
1073 CBB body, ocsp_response;
1074 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1075 SSL3_MT_CERTIFICATE_STATUS) ||
1076 !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) ||
1077 !CBB_add_u24_length_prefixed(&body, &ocsp_response) ||
1078 !CBB_add_bytes(
1079 &ocsp_response,
1080 CRYPTO_BUFFER_data(hs->config->cert->ocsp_response.get()),
1081 CRYPTO_BUFFER_len(hs->config->cert->ocsp_response.get())) ||
1082 !ssl_add_message_cbb(ssl, cbb.get())) {
1083 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1084 return ssl_hs_error;
1085 }
1086 }
1087 }
1088
1089 // Assemble ServerKeyExchange parameters if needed.
1090 uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1091 uint32_t alg_a = hs->new_cipher->algorithm_auth;
1092 if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) ||
1093 ((alg_a & SSL_aPSK) && hs->config->psk_identity_hint)) {
1094 // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
1095 // the client and server randoms for the signing transcript.
1096 CBB child;
1097 if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) ||
1098 !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
1099 !CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) {
1100 return ssl_hs_error;
1101 }
1102
1103 // PSK ciphers begin with an identity hint.
1104 if (alg_a & SSL_aPSK) {
1105 size_t len = hs->config->psk_identity_hint == nullptr
1106 ? 0
1107 : strlen(hs->config->psk_identity_hint.get());
1108 if (!CBB_add_u16_length_prefixed(cbb.get(), &child) ||
1109 !CBB_add_bytes(&child,
1110 (const uint8_t *)hs->config->psk_identity_hint.get(),
1111 len)) {
1112 return ssl_hs_error;
1113 }
1114 }
1115
1116 if (alg_k & SSL_kECDHE) {
1117 // Determine the group to use.
1118 uint16_t group_id;
1119 if (!tls1_get_shared_group(hs, &group_id)) {
1120 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1121 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1122 return ssl_hs_error;
1123 }
1124 hs->new_session->group_id = group_id;
1125
1126 // Set up ECDH, generate a key, and emit the public half.
1127 hs->key_shares[0] = SSLKeyShare::Create(group_id);
1128 if (!hs->key_shares[0] ||
1129 !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
1130 !CBB_add_u16(cbb.get(), group_id) ||
1131 !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
1132 !hs->key_shares[0]->Offer(&child)) {
1133 return ssl_hs_error;
1134 }
1135 } else {
1136 assert(alg_k & SSL_kPSK);
1137 }
1138
1139 if (!CBBFinishArray(cbb.get(), &hs->server_params)) {
1140 return ssl_hs_error;
1141 }
1142 }
1143
1144 hs->state = state12_send_server_key_exchange;
1145 return ssl_hs_ok;
1146 }
1147
1148 static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) {
1149 SSL *const ssl = hs->ssl;
1150
1151 if (hs->server_params.size() == 0) {
1152 hs->state = state12_send_server_hello_done;
1153 return ssl_hs_ok;
1154 }
1155
1156 ScopedCBB cbb;
1157 CBB body, child;
1158 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1159 SSL3_MT_SERVER_KEY_EXCHANGE) ||
1160 // |hs->server_params| contains a prefix for signing.
1161 hs->server_params.size() < 2 * SSL3_RANDOM_SIZE ||
1162 !CBB_add_bytes(&body, hs->server_params.data() + 2 * SSL3_RANDOM_SIZE,
1163 hs->server_params.size() - 2 * SSL3_RANDOM_SIZE)) {
1164 return ssl_hs_error;
1165 }
1166
1167 // Add a signature.
1168 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1169 if (!ssl_has_private_key(hs)) {
1170 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1171 return ssl_hs_error;
1172 }
1173
1174 // Determine the signature algorithm.
1175 uint16_t signature_algorithm;
1176 if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
1177 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1178 return ssl_hs_error;
1179 }
1180 if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1181 if (!CBB_add_u16(&body, signature_algorithm)) {
1182 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1183 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1184 return ssl_hs_error;
1185 }
1186 }
1187
1188 // Add space for the signature.
1189 const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
1190 uint8_t *ptr;
1191 if (!CBB_add_u16_length_prefixed(&body, &child) ||
1192 !CBB_reserve(&child, &ptr, max_sig_len)) {
1193 return ssl_hs_error;
1194 }
1195
1196 size_t sig_len;
1197 switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len,
1198 signature_algorithm, hs->server_params)) {
1199 case ssl_private_key_success:
1200 if (!CBB_did_write(&child, sig_len)) {
1201 return ssl_hs_error;
1202 }
1203 break;
1204 case ssl_private_key_failure:
1205 return ssl_hs_error;
1206 case ssl_private_key_retry:
1207 return ssl_hs_private_key_operation;
1208 }
1209 }
1210
do_read_certificate_request(SSL_HANDSHAKE * hs)1211 hs->can_release_private_key = true;
1212 if (!ssl_add_message_cbb(ssl, cbb.get())) {
1213 return ssl_hs_error;
1214 }
1215
1216 hs->server_params.Reset();
1217
1218 hs->state = state12_send_server_hello_done;
1219 return ssl_hs_ok;
1220 }
1221
1222 static enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) {
1223 SSL *const ssl = hs->ssl;
1224
1225 ScopedCBB cbb;
1226 CBB body;
1227
1228 if (hs->cert_request) {
1229 CBB cert_types, sigalgs_cbb;
1230 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1231 SSL3_MT_CERTIFICATE_REQUEST) ||
1232 !CBB_add_u8_length_prefixed(&body, &cert_types) ||
1233 !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) ||
1234 !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN) ||
1235 (ssl_protocol_version(ssl) >= TLS1_2_VERSION &&
1236 (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) ||
1237 !tls12_add_verify_sigalgs(hs, &sigalgs_cbb))) ||
1238 !ssl_add_client_CA_list(hs, &body) ||
1239 !ssl_add_message_cbb(ssl, cbb.get())) {
1240 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1241 return ssl_hs_error;
1242 }
1243 }
1244
1245 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1246 SSL3_MT_SERVER_HELLO_DONE) ||
1247 !ssl_add_message_cbb(ssl, cbb.get())) {
1248 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1249 return ssl_hs_error;
1250 }
1251
1252 hs->state = state12_read_client_certificate;
1253 return ssl_hs_flush;
1254 }
1255
1256 static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
1257 SSL *const ssl = hs->ssl;
1258
1259 if (hs->handback && hs->new_cipher->algorithm_mkey == SSL_kECDHE) {
1260 return ssl_hs_handback;
1261 }
1262 if (!hs->cert_request) {
1263 hs->state = state12_verify_client_certificate;
1264 return ssl_hs_ok;
1265 }
1266
1267 SSLMessage msg;
1268 if (!ssl->method->get_message(ssl, &msg)) {
1269 return ssl_hs_read_message;
1270 }
1271
1272 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
1273 return ssl_hs_error;
1274 }
1275
1276 if (!ssl_hash_message(hs, msg)) {
1277 return ssl_hs_error;
1278 }
1279
1280 CBS certificate_msg = msg.body;
1281 uint8_t alert = SSL_AD_DECODE_ERROR;
1282 if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey,
do_read_server_hello_done(SSL_HANDSHAKE * hs)1283 hs->config->retain_only_sha256_of_client_certs
1284 ? hs->new_session->peer_sha256
1285 : nullptr,
1286 &certificate_msg, ssl->ctx->pool)) {
1287 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1288 return ssl_hs_error;
1289 }
1290
1291 if (CBS_len(&certificate_msg) != 0 ||
1292 !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
1293 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1294 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1295 return ssl_hs_error;
1296 }
1297
1298 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
1299 // No client certificate so the handshake buffer may be discarded.
1300 hs->transcript.FreeBuffer();
1301
1302 if (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
1303 // Fail for TLS only if we required a certificate
1304 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1305 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1306 return ssl_hs_error;
1307 }
1308
1309 // OpenSSL returns X509_V_OK when no certificates are received. This is
1310 // classed by them as a bug, but it's assumed by at least NGINX.
1311 hs->new_session->verify_result = X509_V_OK;
1312 } else if (hs->config->retain_only_sha256_of_client_certs) {
1313 // The hash will have been filled in.
do_send_client_certificate(SSL_HANDSHAKE * hs)1314 hs->new_session->peer_sha256_valid = 1;
1315 }
1316
1317 ssl->method->next_message(ssl);
1318 hs->state = state12_verify_client_certificate;
1319 return ssl_hs_ok;
1320 }
1321
1322 static enum ssl_hs_wait_t do_verify_client_certificate(SSL_HANDSHAKE *hs) {
1323 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) > 0) {
1324 switch (ssl_verify_peer_cert(hs)) {
1325 case ssl_verify_ok:
1326 break;
1327 case ssl_verify_invalid:
1328 return ssl_hs_error;
1329 case ssl_verify_retry:
1330 return ssl_hs_certificate_verify;
1331 }
1332 }
1333
1334 hs->state = state12_read_client_key_exchange;
1335 return ssl_hs_ok;
1336 }
1337
1338 static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
1339 SSL *const ssl = hs->ssl;
1340 SSLMessage msg;
1341 if (!ssl->method->get_message(ssl, &msg)) {
1342 return ssl_hs_read_message;
1343 }
1344
1345 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_KEY_EXCHANGE)) {
1346 return ssl_hs_error;
1347 }
1348
1349 CBS client_key_exchange = msg.body;
1350 uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1351 uint32_t alg_a = hs->new_cipher->algorithm_auth;
1352
1353 // If using a PSK key exchange, parse the PSK identity.
1354 if (alg_a & SSL_aPSK) {
1355 CBS psk_identity;
1356
1357 // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
1358 // then this is the only field in the message.
do_send_client_key_exchange(SSL_HANDSHAKE * hs)1359 if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
1360 ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
1361 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1362 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1363 return ssl_hs_error;
1364 }
1365
1366 if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN ||
1367 CBS_contains_zero_byte(&psk_identity)) {
1368 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
1369 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1370 return ssl_hs_error;
1371 }
1372 char *raw = nullptr;
1373 if (!CBS_strdup(&psk_identity, &raw)) {
1374 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1375 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1376 return ssl_hs_error;
1377 }
1378 hs->new_session->psk_identity.reset(raw);
1379 }
1380
1381 // Depending on the key exchange method, compute |premaster_secret|.
1382 Array<uint8_t> premaster_secret;
1383 if (alg_k & SSL_kRSA) {
1384 CBS encrypted_premaster_secret;
1385 if (!CBS_get_u16_length_prefixed(&client_key_exchange,
1386 &encrypted_premaster_secret) ||
1387 CBS_len(&client_key_exchange) != 0) {
1388 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1389 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1390 return ssl_hs_error;
1391 }
1392
1393 // Allocate a buffer large enough for an RSA decryption.
1394 Array<uint8_t> decrypt_buf;
1395 if (!decrypt_buf.Init(EVP_PKEY_size(hs->local_pubkey.get()))) {
1396 return ssl_hs_error;
1397 }
1398
1399 // Decrypt with no padding. PKCS#1 padding will be removed as part of the
1400 // timing-sensitive code below.
1401 size_t decrypt_len;
1402 switch (ssl_private_key_decrypt(hs, decrypt_buf.data(), &decrypt_len,
1403 decrypt_buf.size(),
1404 encrypted_premaster_secret)) {
1405 case ssl_private_key_success:
1406 break;
1407 case ssl_private_key_failure:
1408 return ssl_hs_error;
1409 case ssl_private_key_retry:
1410 return ssl_hs_private_key_operation;
1411 }
1412
1413 if (decrypt_len != decrypt_buf.size()) {
1414 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1415 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1416 return ssl_hs_error;
1417 }
1418
1419 CONSTTIME_SECRET(decrypt_buf.data(), decrypt_len);
1420
1421 // Prepare a random premaster, to be used on invalid padding. See RFC 5246,
1422 // section 7.4.7.1.
1423 if (!premaster_secret.Init(SSL_MAX_MASTER_KEY_LENGTH) ||
1424 !RAND_bytes(premaster_secret.data(), premaster_secret.size())) {
1425 return ssl_hs_error;
1426 }
1427
1428 // The smallest padded premaster is 11 bytes of overhead. Small keys are
1429 // publicly invalid.
1430 if (decrypt_len < 11 + premaster_secret.size()) {
1431 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1432 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1433 return ssl_hs_error;
1434 }
1435
1436 // Check the padding. See RFC 3447, section 7.2.2.
1437 size_t padding_len = decrypt_len - premaster_secret.size();
1438 uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
1439 constant_time_eq_int_8(decrypt_buf[1], 2);
1440 for (size_t i = 2; i < padding_len - 1; i++) {
1441 good &= ~constant_time_is_zero_8(decrypt_buf[i]);
1442 }
1443 good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);
1444
1445 // The premaster secret must begin with |client_version|. This too must be
1446 // checked in constant time (http://eprint.iacr.org/2003/052/).
1447 good &= constant_time_eq_8(decrypt_buf[padding_len],
1448 (unsigned)(hs->client_version >> 8));
1449 good &= constant_time_eq_8(decrypt_buf[padding_len + 1],
1450 (unsigned)(hs->client_version & 0xff));
1451
1452 // Select, in constant time, either the decrypted premaster or the random
1453 // premaster based on |good|.
1454 for (size_t i = 0; i < premaster_secret.size(); i++) {
1455 premaster_secret[i] = constant_time_select_8(
1456 good, decrypt_buf[padding_len + i], premaster_secret[i]);
1457 }
1458 } else if (alg_k & SSL_kECDHE) {
1459 // Parse the ClientKeyExchange.
1460 CBS peer_key;
1461 if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) ||
1462 CBS_len(&client_key_exchange) != 0) {
1463 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1464 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1465 return ssl_hs_error;
1466 }
1467
1468 // Compute the premaster.
1469 uint8_t alert = SSL_AD_DECODE_ERROR;
1470 if (!hs->key_shares[0]->Finish(&premaster_secret, &alert, peer_key)) {
1471 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1472 return ssl_hs_error;
1473 }
1474
1475 // The key exchange state may now be discarded.
1476 hs->key_shares[0].reset();
1477 hs->key_shares[1].reset();
1478 } else if (!(alg_k & SSL_kPSK)) {
1479 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1480 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1481 return ssl_hs_error;
1482 }
1483
1484 // For a PSK cipher suite, the actual pre-master secret is combined with the
1485 // pre-shared key.
1486 if (alg_a & SSL_aPSK) {
1487 if (hs->config->psk_server_callback == NULL) {
1488 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1489 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1490 return ssl_hs_error;
1491 }
1492
1493 // Look up the key for the identity.
1494 uint8_t psk[PSK_MAX_PSK_LEN];
1495 unsigned psk_len = hs->config->psk_server_callback(
1496 ssl, hs->new_session->psk_identity.get(), psk, sizeof(psk));
1497 if (psk_len > PSK_MAX_PSK_LEN) {
1498 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1499 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1500 return ssl_hs_error;
1501 } else if (psk_len == 0) {
1502 // PSK related to the given identity not found.
1503 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1504 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY);
1505 return ssl_hs_error;
1506 }
1507
1508 if (alg_k & SSL_kPSK) {
1509 // In plain PSK, other_secret is a block of 0s with the same length as the
1510 // pre-shared key.
1511 if (!premaster_secret.Init(psk_len)) {
1512 return ssl_hs_error;
1513 }
1514 OPENSSL_memset(premaster_secret.data(), 0, premaster_secret.size());
1515 }
1516
1517 ScopedCBB new_premaster;
1518 CBB child;
1519 if (!CBB_init(new_premaster.get(),
1520 2 + psk_len + 2 + premaster_secret.size()) ||
1521 !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||
1522 !CBB_add_bytes(&child, premaster_secret.data(),
1523 premaster_secret.size()) ||
1524 !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||
1525 !CBB_add_bytes(&child, psk, psk_len) ||
do_send_client_certificate_verify(SSL_HANDSHAKE * hs)1526 !CBBFinishArray(new_premaster.get(), &premaster_secret)) {
1527 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1528 return ssl_hs_error;
1529 }
1530 }
1531
1532 if (!ssl_hash_message(hs, msg)) {
1533 return ssl_hs_error;
1534 }
1535
1536 // Compute the master secret.
1537 hs->new_session->secret_length = tls1_generate_master_secret(
1538 hs, hs->new_session->secret, premaster_secret);
1539 if (hs->new_session->secret_length == 0) {
1540 return ssl_hs_error;
1541 }
1542 hs->new_session->extended_master_secret = hs->extended_master_secret;
1543 CONSTTIME_DECLASSIFY(hs->new_session->secret, hs->new_session->secret_length);
1544 hs->can_release_private_key = true;
1545
1546 ssl->method->next_message(ssl);
1547 hs->state = state12_read_client_certificate_verify;
1548 return ssl_hs_ok;
1549 }
1550
1551 static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
1552 SSL *const ssl = hs->ssl;
1553
1554 // Only RSA and ECDSA client certificates are supported, so a
1555 // CertificateVerify is required if and only if there's a client certificate.
1556 if (!hs->peer_pubkey) {
1557 hs->transcript.FreeBuffer();
1558 hs->state = state12_read_change_cipher_spec;
1559 return ssl_hs_ok;
1560 }
1561
1562 SSLMessage msg;
1563 if (!ssl->method->get_message(ssl, &msg)) {
1564 return ssl_hs_read_message;
1565 }
1566
1567 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY)) {
1568 return ssl_hs_error;
1569 }
1570
1571 // The peer certificate must be valid for signing.
1572 const CRYPTO_BUFFER *leaf =
1573 sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
1574 CBS leaf_cbs;
1575 CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
1576 if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) {
1577 return ssl_hs_error;
1578 }
1579
1580 CBS certificate_verify = msg.body, signature;
1581
1582 // Determine the signature algorithm.
1583 uint16_t signature_algorithm = 0;
1584 if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1585 if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
1586 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1587 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
do_send_client_finished(SSL_HANDSHAKE * hs)1588 return ssl_hs_error;
1589 }
1590 uint8_t alert = SSL_AD_DECODE_ERROR;
1591 if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) {
1592 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1593 return ssl_hs_error;
1594 }
1595 hs->new_session->peer_signature_algorithm = signature_algorithm;
1596 } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
1597 hs->peer_pubkey.get())) {
1598 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
1599 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);
1600 return ssl_hs_error;
1601 }
1602
1603 // Parse and verify the signature.
1604 if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
1605 CBS_len(&certificate_verify) != 0) {
1606 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1607 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1608 return ssl_hs_error;
1609 }
1610
1611 if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
1612 hs->peer_pubkey.get(), hs->transcript.buffer())) {
1613 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
1614 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1615 return ssl_hs_error;
1616 }
1617
1618 // The handshake buffer is no longer necessary, and we may hash the current
1619 // message.
1620 hs->transcript.FreeBuffer();
1621 if (!ssl_hash_message(hs, msg)) {
1622 return ssl_hs_error;
1623 }
1624
1625 ssl->method->next_message(ssl);
1626 hs->state = state12_read_change_cipher_spec;
1627 return ssl_hs_ok;
1628 }
1629
1630 static enum ssl_hs_wait_t do_read_change_cipher_spec(SSL_HANDSHAKE *hs) {
1631 if (hs->handback && hs->ssl->session != NULL) {
1632 return ssl_hs_handback;
1633 }
can_false_start(const SSL_HANDSHAKE * hs)1634 hs->state = state12_process_change_cipher_spec;
1635 return ssl_hs_read_change_cipher_spec;
1636 }
1637
1638 static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
1639 if (!tls1_change_cipher_state(hs, evp_aead_open)) {
1640 return ssl_hs_error;
1641 }
1642
1643 hs->state = state12_read_next_proto;
1644 return ssl_hs_ok;
1645 }
1646
1647 static enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) {
1648 SSL *const ssl = hs->ssl;
1649
1650 if (!hs->next_proto_neg_seen) {
1651 hs->state = state12_read_channel_id;
1652 return ssl_hs_ok;
1653 }
1654
1655 SSLMessage msg;
1656 if (!ssl->method->get_message(ssl, &msg)) {
1657 return ssl_hs_read_message;
1658 }
1659
1660 if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEXT_PROTO) ||
1661 !ssl_hash_message(hs, msg)) {
1662 return ssl_hs_error;
1663 }
1664
1665 CBS next_protocol = msg.body, selected_protocol, padding;
1666 if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
1667 !CBS_get_u8_length_prefixed(&next_protocol, &padding) ||
1668 CBS_len(&next_protocol) != 0) {
1669 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1670 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1671 return ssl_hs_error;
1672 }
do_finish_flight(SSL_HANDSHAKE * hs)1673
1674 if (!ssl->s3->next_proto_negotiated.CopyFrom(selected_protocol)) {
1675 return ssl_hs_error;
1676 }
1677
1678 ssl->method->next_message(ssl);
1679 hs->state = state12_read_channel_id;
1680 return ssl_hs_ok;
1681 }
1682
1683 static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
1684 SSL *const ssl = hs->ssl;
1685
1686 if (!hs->channel_id_negotiated) {
1687 hs->state = state12_read_client_finished;
1688 return ssl_hs_ok;
1689 }
1690
1691 SSLMessage msg;
1692 if (!ssl->method->get_message(ssl, &msg)) {
1693 return ssl_hs_read_message;
1694 }
1695
1696 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
1697 !tls1_verify_channel_id(hs, msg) ||
1698 !ssl_hash_message(hs, msg)) {
1699 return ssl_hs_error;
1700 }
do_read_session_ticket(SSL_HANDSHAKE * hs)1701
1702 ssl->method->next_message(ssl);
1703 hs->state = state12_read_client_finished;
1704 return ssl_hs_ok;
1705 }
1706
1707 static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
1708 SSL *const ssl = hs->ssl;
1709 enum ssl_hs_wait_t wait = ssl_get_finished(hs);
1710 if (wait != ssl_hs_ok) {
1711 return wait;
1712 }
1713
1714 if (ssl->session != NULL) {
1715 hs->state = state12_finish_server_handshake;
1716 } else {
1717 hs->state = state12_send_server_finished;
1718 }
1719
1720 // If this is a full handshake with ChannelID then record the handshake
1721 // hashes in |hs->new_session| in case we need them to verify a
1722 // ChannelID signature on a resumption of this session in the future.
1723 if (ssl->session == NULL && ssl->s3->channel_id_valid &&
1724 !tls1_record_handshake_hashes_for_channel_id(hs)) {
1725 return ssl_hs_error;
1726 }
1727
1728 return ssl_hs_ok;
1729 }
1730
1731 static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
1732 SSL *const ssl = hs->ssl;
1733
1734 if (hs->ticket_expected) {
1735 const SSL_SESSION *session;
1736 UniquePtr<SSL_SESSION> session_copy;
1737 if (ssl->session == NULL) {
1738 // Fix the timeout to measure from the ticket issuance time.
1739 ssl_session_rebase_time(ssl, hs->new_session.get());
1740 session = hs->new_session.get();
1741 } else {
1742 // We are renewing an existing session. Duplicate the session to adjust
1743 // the timeout.
1744 session_copy =
1745 SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);
1746 if (!session_copy) {
1747 return ssl_hs_error;
1748 }
1749
1750 ssl_session_rebase_time(ssl, session_copy.get());
1751 session = session_copy.get();
1752 }
1753
1754 ScopedCBB cbb;
1755 CBB body, ticket;
1756 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1757 SSL3_MT_NEW_SESSION_TICKET) ||
1758 !CBB_add_u32(&body, session->timeout) ||
1759 !CBB_add_u16_length_prefixed(&body, &ticket) ||
1760 !ssl_encrypt_ticket(hs, &ticket, session) ||
1761 !ssl_add_message_cbb(ssl, cbb.get())) {
1762 return ssl_hs_error;
1763 }
1764 }
1765
1766 if (!ssl->method->add_change_cipher_spec(ssl) ||
1767 !tls1_change_cipher_state(hs, evp_aead_seal) ||
1768 !ssl_send_finished(hs)) {
do_process_change_cipher_spec(SSL_HANDSHAKE * hs)1769 return ssl_hs_error;
1770 }
1771
1772 if (ssl->session != NULL) {
1773 hs->state = state12_read_change_cipher_spec;
1774 } else {
1775 hs->state = state12_finish_server_handshake;
1776 }
1777 return ssl_hs_flush;
do_read_server_finished(SSL_HANDSHAKE * hs)1778 }
1779
1780 static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) {
1781 SSL *const ssl = hs->ssl;
1782
1783 if (hs->handback) {
1784 return ssl_hs_handback;
1785 }
1786
1787 ssl->method->on_handshake_complete(ssl);
1788
1789 // If we aren't retaining peer certificates then we can discard it now.
1790 if (hs->new_session != NULL &&
1791 hs->config->retain_only_sha256_of_client_certs) {
1792 hs->new_session->certs.reset();
1793 ssl->ctx->x509_method->session_clear(hs->new_session.get());
1794 }
1795
1796 bool has_new_session = hs->new_session != nullptr;
1797 if (has_new_session) {
1798 assert(ssl->session == nullptr);
1799 ssl->s3->established_session = std::move(hs->new_session);
1800 ssl->s3->established_session->not_resumable = false;
1801 } else {
1802 assert(ssl->session != nullptr);
1803 ssl->s3->established_session = UpRef(ssl->session);
1804 }
1805
1806 hs->handshake_finalized = true;
1807 ssl->s3->initial_handshake_complete = true;
1808 if (has_new_session) {
1809 ssl_update_cache(ssl);
1810 }
1811
1812 hs->state = state12_done;
1813 return ssl_hs_ok;
1814 }
1815
1816 enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) {
1817 while (hs->state != state12_done) {
1818 enum ssl_hs_wait_t ret = ssl_hs_error;
1819 enum tls12_server_hs_state_t state =
1820 static_cast<enum tls12_server_hs_state_t>(hs->state);
1821 switch (state) {
1822 case state12_start_accept:
1823 ret = do_start_accept(hs);
1824 break;
1825 case state12_read_client_hello:
1826 ret = do_read_client_hello(hs);
1827 break;
1828 case state12_read_client_hello_after_ech:
1829 ret = do_read_client_hello_after_ech(hs);
1830 break;
1831 case state12_select_certificate:
1832 ret = do_select_certificate(hs);
1833 break;
1834 case state12_tls13:
1835 ret = do_tls13(hs);
1836 break;
1837 case state12_select_parameters:
1838 ret = do_select_parameters(hs);
1839 break;
1840 case state12_send_server_hello:
ssl_client_handshake(SSL_HANDSHAKE * hs)1841 ret = do_send_server_hello(hs);
1842 break;
1843 case state12_send_server_certificate:
1844 ret = do_send_server_certificate(hs);
1845 break;
1846 case state12_send_server_key_exchange:
1847 ret = do_send_server_key_exchange(hs);
1848 break;
1849 case state12_send_server_hello_done:
1850 ret = do_send_server_hello_done(hs);
1851 break;
1852 case state12_read_client_certificate:
1853 ret = do_read_client_certificate(hs);
1854 break;
1855 case state12_verify_client_certificate:
1856 ret = do_verify_client_certificate(hs);
1857 break;
1858 case state12_read_client_key_exchange:
1859 ret = do_read_client_key_exchange(hs);
1860 break;
1861 case state12_read_client_certificate_verify:
1862 ret = do_read_client_certificate_verify(hs);
1863 break;
1864 case state12_read_change_cipher_spec:
1865 ret = do_read_change_cipher_spec(hs);
1866 break;
1867 case state12_process_change_cipher_spec:
1868 ret = do_process_change_cipher_spec(hs);
1869 break;
1870 case state12_read_next_proto:
1871 ret = do_read_next_proto(hs);
1872 break;
1873 case state12_read_channel_id:
1874 ret = do_read_channel_id(hs);
1875 break;
1876 case state12_read_client_finished:
1877 ret = do_read_client_finished(hs);
1878 break;
1879 case state12_send_server_finished:
1880 ret = do_send_server_finished(hs);
1881 break;
1882 case state12_finish_server_handshake:
1883 ret = do_finish_server_handshake(hs);
1884 break;
1885 case state12_done:
1886 ret = ssl_hs_ok;
1887 break;
1888 }
1889
1890 if (hs->state != state) {
1891 ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
1892 }
1893
1894 if (ret != ssl_hs_ok) {
1895 return ret;
1896 }
1897 }
1898
1899 ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);
1900 return ssl_hs_ok;
1901 }
1902
1903 const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) {
1904 enum tls12_server_hs_state_t state =
1905 static_cast<enum tls12_server_hs_state_t>(hs->state);
1906 switch (state) {
1907 case state12_start_accept:
1908 return "TLS server start_accept";
1909 case state12_read_client_hello:
1910 return "TLS server read_client_hello";
1911 case state12_read_client_hello_after_ech:
1912 return "TLS server read_client_hello_after_ech";
1913 case state12_select_certificate:
1914 return "TLS server select_certificate";
1915 case state12_tls13:
1916 return tls13_server_handshake_state(hs);
1917 case state12_select_parameters:
1918 return "TLS server select_parameters";
1919 case state12_send_server_hello:
1920 return "TLS server send_server_hello";
1921 case state12_send_server_certificate:
1922 return "TLS server send_server_certificate";
1923 case state12_send_server_key_exchange:
1924 return "TLS server send_server_key_exchange";
1925 case state12_send_server_hello_done:
1926 return "TLS server send_server_hello_done";
1927 case state12_read_client_certificate:
1928 return "TLS server read_client_certificate";
1929 case state12_verify_client_certificate:
1930 return "TLS server verify_client_certificate";
ssl_client_handshake_state(SSL_HANDSHAKE * hs)1931 case state12_read_client_key_exchange:
1932 return "TLS server read_client_key_exchange";
1933 case state12_read_client_certificate_verify:
1934 return "TLS server read_client_certificate_verify";
1935 case state12_read_change_cipher_spec:
1936 return "TLS server read_change_cipher_spec";
1937 case state12_process_change_cipher_spec:
1938 return "TLS server process_change_cipher_spec";
1939 case state12_read_next_proto:
1940 return "TLS server read_next_proto";
1941 case state12_read_channel_id:
1942 return "TLS server read_channel_id";
1943 case state12_read_client_finished:
1944 return "TLS server read_client_finished";
1945 case state12_send_server_finished:
1946 return "TLS server send_server_finished";
1947 case state12_finish_server_handshake:
1948 return "TLS server finish_server_handshake";
1949 case state12_done:
1950 return "TLS server done";
1951 }
1952
1953 return "TLS server unknown";
1954 }
1955
1956 BSSL_NAMESPACE_END
1957