1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 *
113 * Portions of the attached software ("Contribution") are developed by
114 * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115 *
116 * The Contribution is licensed pursuant to the OpenSSL open source
117 * license provided above.
118 *
119 * ECC cipher suite support in OpenSSL originally written by
120 * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121 *
122 */
123 /* ====================================================================
124 * Copyright 2005 Nokia. All rights reserved.
125 *
126 * The portions of the attached software ("Contribution") is developed by
127 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
128 * license.
129 *
130 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132 * support (see RFC 4279) to OpenSSL.
133 *
134 * No patent licenses or other rights except those expressly stated in
135 * the OpenSSL open source license shall be deemed granted or received
136 * expressly, by implication, estoppel, or otherwise.
137 *
138 * No assurances are provided by Nokia that the Contribution does not
139 * infringe the patent or other intellectual property rights of any third
140 * party or that the license provides you with all the necessary rights
141 * to make use of the Contribution.
142 *
143 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147 * OTHERWISE. */
148
149 #include <openssl/ssl.h>
150
151 #include <assert.h>
152 #include <string.h>
153
154 #include <openssl/bn.h>
155 #include <openssl/bytestring.h>
156 #include <openssl/cipher.h>
157 #include <openssl/ec.h>
158 #include <openssl/ecdsa.h>
159 #include <openssl/err.h>
160 #include <openssl/evp.h>
161 #include <openssl/hmac.h>
162 #include <openssl/md5.h>
163 #include <openssl/mem.h>
164 #include <openssl/nid.h>
165 #include <openssl/rand.h>
166 #include <openssl/x509.h>
167
168 #include "internal.h"
169 #include "../crypto/internal.h"
170
171
172 BSSL_NAMESPACE_BEGIN
173
ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO * client_hello,uint16_t id)174 bool ssl_client_cipher_list_contains_cipher(
175 const SSL_CLIENT_HELLO *client_hello, uint16_t id) {
176 CBS cipher_suites;
177 CBS_init(&cipher_suites, client_hello->cipher_suites,
178 client_hello->cipher_suites_len);
179
180 while (CBS_len(&cipher_suites) > 0) {
181 uint16_t got_id;
182 if (!CBS_get_u16(&cipher_suites, &got_id)) {
183 return false;
184 }
185
186 if (got_id == id) {
187 return true;
188 }
189 }
190
191 return false;
192 }
193
negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)194 static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
195 const SSL_CLIENT_HELLO *client_hello) {
196 SSL *const ssl = hs->ssl;
197 assert(!ssl->s3->have_version);
198 CBS supported_versions, versions;
199 if (ssl_client_hello_get_extension(client_hello, &supported_versions,
200 TLSEXT_TYPE_supported_versions)) {
201 if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) ||
202 CBS_len(&supported_versions) != 0 ||
203 CBS_len(&versions) == 0) {
204 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
205 *out_alert = SSL_AD_DECODE_ERROR;
206 return false;
207 }
208 } else {
209 // Convert the ClientHello version to an equivalent supported_versions
210 // extension.
211 static const uint8_t kTLSVersions[] = {
212 0x03, 0x03, // TLS 1.2
213 0x03, 0x02, // TLS 1.1
214 0x03, 0x01, // TLS 1
215 };
216
217 static const uint8_t kDTLSVersions[] = {
218 0xfe, 0xfd, // DTLS 1.2
219 0xfe, 0xff, // DTLS 1.0
220 };
221
222 size_t versions_len = 0;
223 if (SSL_is_dtls(ssl)) {
224 if (client_hello->version <= DTLS1_2_VERSION) {
225 versions_len = 4;
226 } else if (client_hello->version <= DTLS1_VERSION) {
227 versions_len = 2;
228 }
229 CBS_init(&versions, kDTLSVersions + sizeof(kDTLSVersions) - versions_len,
230 versions_len);
231 } else {
232 if (client_hello->version >= TLS1_2_VERSION) {
233 versions_len = 6;
234 } else if (client_hello->version >= TLS1_1_VERSION) {
235 versions_len = 4;
236 } else if (client_hello->version >= TLS1_VERSION) {
237 versions_len = 2;
238 }
239 CBS_init(&versions, kTLSVersions + sizeof(kTLSVersions) - versions_len,
240 versions_len);
241 }
242 }
243
244 if (!ssl_negotiate_version(hs, out_alert, &ssl->version, &versions)) {
245 return false;
246 }
247
248 // At this point, the connection's version is known and |ssl->version| is
249 // fixed. Begin enforcing the record-layer version.
250 ssl->s3->have_version = true;
251 ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
252
253 // Handle FALLBACK_SCSV.
254 if (ssl_client_cipher_list_contains_cipher(client_hello,
255 SSL3_CK_FALLBACK_SCSV & 0xffff) &&
256 ssl_protocol_version(ssl) < hs->max_version) {
257 OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
258 *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;
259 return false;
260 }
261
262 return true;
263 }
264
ssl_parse_client_cipher_list(const SSL_CLIENT_HELLO * client_hello)265 static UniquePtr<STACK_OF(SSL_CIPHER)> ssl_parse_client_cipher_list(
266 const SSL_CLIENT_HELLO *client_hello) {
267 CBS cipher_suites;
268 CBS_init(&cipher_suites, client_hello->cipher_suites,
269 client_hello->cipher_suites_len);
270
271 UniquePtr<STACK_OF(SSL_CIPHER)> sk(sk_SSL_CIPHER_new_null());
272 if (!sk) {
273 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
274 return nullptr;
275 }
276
277 while (CBS_len(&cipher_suites) > 0) {
278 uint16_t cipher_suite;
279
280 if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
281 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
282 return nullptr;
283 }
284
285 const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite);
286 if (c != NULL && !sk_SSL_CIPHER_push(sk.get(), c)) {
287 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
288 return nullptr;
289 }
290 }
291
292 return sk;
293 }
294
295 // ssl_get_compatible_server_ciphers determines the key exchange and
296 // authentication cipher suite masks compatible with the server configuration
297 // and current ClientHello parameters of |hs|. It sets |*out_mask_k| to the key
298 // exchange mask and |*out_mask_a| to the authentication mask.
ssl_get_compatible_server_ciphers(SSL_HANDSHAKE * hs,uint32_t * out_mask_k,uint32_t * out_mask_a)299 static void ssl_get_compatible_server_ciphers(SSL_HANDSHAKE *hs,
300 uint32_t *out_mask_k,
301 uint32_t *out_mask_a) {
302 uint32_t mask_k = 0;
303 uint32_t mask_a = 0;
304
305 if (ssl_has_certificate(hs)) {
306 mask_a |= ssl_cipher_auth_mask_for_key(hs->local_pubkey.get());
307 if (EVP_PKEY_id(hs->local_pubkey.get()) == EVP_PKEY_RSA) {
308 mask_k |= SSL_kRSA;
309 }
310 }
311
312 // Check for a shared group to consider ECDHE ciphers.
313 uint16_t unused;
314 if (tls1_get_shared_group(hs, &unused)) {
315 mask_k |= SSL_kECDHE;
316 }
317
318 // PSK requires a server callback.
319 if (hs->config->psk_server_callback != NULL) {
320 mask_k |= SSL_kPSK;
321 mask_a |= SSL_aPSK;
322 }
323
324 *out_mask_k = mask_k;
325 *out_mask_a = mask_a;
326 }
327
choose_cipher(SSL_HANDSHAKE * hs,const SSL_CLIENT_HELLO * client_hello,const SSLCipherPreferenceList * server_pref)328 static const SSL_CIPHER *choose_cipher(
329 SSL_HANDSHAKE *hs, const SSL_CLIENT_HELLO *client_hello,
330 const SSLCipherPreferenceList *server_pref) {
331 SSL *const ssl = hs->ssl;
332 const STACK_OF(SSL_CIPHER) *prio, *allow;
333 // in_group_flags will either be NULL, or will point to an array of bytes
334 // which indicate equal-preference groups in the |prio| stack. See the
335 // comment about |in_group_flags| in the |SSLCipherPreferenceList|
336 // struct.
337 const bool *in_group_flags;
338 // group_min contains the minimal index so far found in a group, or -1 if no
339 // such value exists yet.
340 int group_min = -1;
341
342 UniquePtr<STACK_OF(SSL_CIPHER)> client_pref =
343 ssl_parse_client_cipher_list(client_hello);
344 if (!client_pref) {
345 return nullptr;
346 }
347
348 if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
349 prio = server_pref->ciphers.get();
350 in_group_flags = server_pref->in_group_flags;
351 allow = client_pref.get();
352 } else {
353 prio = client_pref.get();
354 in_group_flags = NULL;
355 allow = server_pref->ciphers.get();
356 }
357
358 uint32_t mask_k, mask_a;
359 ssl_get_compatible_server_ciphers(hs, &mask_k, &mask_a);
360
361 for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
362 const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);
363
364 size_t cipher_index;
365 if (// Check if the cipher is supported for the current version.
366 SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) &&
367 ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) &&
368 // Check the cipher is supported for the server configuration.
369 (c->algorithm_mkey & mask_k) &&
370 (c->algorithm_auth & mask_a) &&
371 // Check the cipher is in the |allow| list.
372 sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
373 if (in_group_flags != NULL && in_group_flags[i]) {
374 // This element of |prio| is in a group. Update the minimum index found
375 // so far and continue looking.
376 if (group_min == -1 || (size_t)group_min > cipher_index) {
377 group_min = cipher_index;
378 }
379 } else {
380 if (group_min != -1 && (size_t)group_min < cipher_index) {
381 cipher_index = group_min;
382 }
383 return sk_SSL_CIPHER_value(allow, cipher_index);
384 }
385 }
386
387 if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
388 // We are about to leave a group, but we found a match in it, so that's
389 // our answer.
390 return sk_SSL_CIPHER_value(allow, group_min);
391 }
392 }
393
394 return nullptr;
395 }
396
do_start_accept(SSL_HANDSHAKE * hs)397 static enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) {
398 ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1);
399 hs->state = state12_read_client_hello;
400 return ssl_hs_ok;
401 }
402
403 // is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent
404 // from a JDK 11 client with both TLS 1.3 and a prior version enabled.
is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO * client_hello)405 static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
406 // JDK 11 ClientHellos contain a number of unusual properties which should
407 // limit false positives.
408
409 // JDK 11 does not support ChaCha20-Poly1305. This is unusual: many modern
410 // clients implement ChaCha20-Poly1305.
411 if (ssl_client_cipher_list_contains_cipher(
412 client_hello, TLS1_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
413 return false;
414 }
415
416 // JDK 11 always sends extensions in a particular order.
417 constexpr uint16_t kMaxFragmentLength = 0x0001;
418 constexpr uint16_t kStatusRequestV2 = 0x0011;
419 static CONSTEXPR_ARRAY struct {
420 uint16_t id;
421 bool required;
422 } kJavaExtensions[] = {
423 {TLSEXT_TYPE_server_name, false},
424 {kMaxFragmentLength, false},
425 {TLSEXT_TYPE_status_request, false},
426 {TLSEXT_TYPE_supported_groups, true},
427 {TLSEXT_TYPE_ec_point_formats, false},
428 {TLSEXT_TYPE_signature_algorithms, true},
429 // Java always sends signature_algorithms_cert.
430 {TLSEXT_TYPE_signature_algorithms_cert, true},
431 {TLSEXT_TYPE_application_layer_protocol_negotiation, false},
432 {kStatusRequestV2, false},
433 {TLSEXT_TYPE_extended_master_secret, false},
434 {TLSEXT_TYPE_supported_versions, true},
435 {TLSEXT_TYPE_cookie, false},
436 {TLSEXT_TYPE_psk_key_exchange_modes, true},
437 {TLSEXT_TYPE_key_share, true},
438 {TLSEXT_TYPE_renegotiate, false},
439 {TLSEXT_TYPE_pre_shared_key, false},
440 };
441 Span<const uint8_t> sigalgs, sigalgs_cert;
442 bool has_status_request = false, has_status_request_v2 = false;
443 CBS extensions, supported_groups;
444 CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
445 for (const auto &java_extension : kJavaExtensions) {
446 CBS copy = extensions;
447 uint16_t id;
448 if (CBS_get_u16(©, &id) && id == java_extension.id) {
449 // The next extension is the one we expected.
450 extensions = copy;
451 CBS body;
452 if (!CBS_get_u16_length_prefixed(&extensions, &body)) {
453 return false;
454 }
455 switch (id) {
456 case TLSEXT_TYPE_status_request:
457 has_status_request = true;
458 break;
459 case kStatusRequestV2:
460 has_status_request_v2 = true;
461 break;
462 case TLSEXT_TYPE_signature_algorithms:
463 sigalgs = body;
464 break;
465 case TLSEXT_TYPE_signature_algorithms_cert:
466 sigalgs_cert = body;
467 break;
468 case TLSEXT_TYPE_supported_groups:
469 supported_groups = body;
470 break;
471 }
472 } else if (java_extension.required) {
473 return false;
474 }
475 }
476 if (CBS_len(&extensions) != 0) {
477 return false;
478 }
479
480 // JDK 11 never advertises X25519. It is not offered by default, and
481 // -Djdk.tls.namedGroups=x25519 does not work. This is unusual: many modern
482 // clients implement X25519.
483 while (CBS_len(&supported_groups) > 0) {
484 uint16_t group;
485 if (!CBS_get_u16(&supported_groups, &group) ||
486 group == SSL_CURVE_X25519) {
487 return false;
488 }
489 }
490
491 if (// JDK 11 always sends the same contents in signature_algorithms and
492 // signature_algorithms_cert. This is unusual: signature_algorithms_cert,
493 // if omitted, is treated as if it were signature_algorithms.
494 sigalgs != sigalgs_cert ||
495 // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it
496 // sends status_request. This is unusual: status_request_v2 is not widely
497 // implemented.
498 has_status_request != has_status_request_v2) {
499 return false;
500 }
501
502 return true;
503 }
504
extract_sni(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)505 static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
506 const SSL_CLIENT_HELLO *client_hello) {
507 SSL *const ssl = hs->ssl;
508 CBS sni;
509 if (!ssl_client_hello_get_extension(client_hello, &sni,
510 TLSEXT_TYPE_server_name)) {
511 // No SNI extension to parse.
512 return true;
513 }
514
515 CBS server_name_list, host_name;
516 uint8_t name_type;
517 if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) ||
518 !CBS_get_u8(&server_name_list, &name_type) ||
519 // Although the server_name extension was intended to be extensible to
520 // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
521 // different name types will cause an error. Further, RFC 4366 originally
522 // defined syntax inextensibly. RFC 6066 corrected this mistake, but
523 // adding new name types is no longer feasible.
524 //
525 // Act as if the extensibility does not exist to simplify parsing.
526 !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
527 CBS_len(&server_name_list) != 0 ||
528 CBS_len(&sni) != 0) {
529 *out_alert = SSL_AD_DECODE_ERROR;
530 return false;
531 }
532
533 if (name_type != TLSEXT_NAMETYPE_host_name ||
534 CBS_len(&host_name) == 0 ||
535 CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
536 CBS_contains_zero_byte(&host_name)) {
537 *out_alert = SSL_AD_UNRECOGNIZED_NAME;
538 return false;
539 }
540
541 // Copy the hostname as a string.
542 char *raw = nullptr;
543 if (!CBS_strdup(&host_name, &raw)) {
544 *out_alert = SSL_AD_INTERNAL_ERROR;
545 return false;
546 }
547 ssl->s3->hostname.reset(raw);
548
549 hs->should_ack_sni = true;
550 return true;
551 }
552
do_read_client_hello(SSL_HANDSHAKE * hs)553 static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
554 SSL *const ssl = hs->ssl;
555
556 SSLMessage msg;
557 if (!ssl->method->get_message(ssl, &msg)) {
558 return ssl_hs_read_message;
559 }
560
561 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
562 return ssl_hs_error;
563 }
564
565 SSL_CLIENT_HELLO client_hello;
566 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
567 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
568 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
569 return ssl_hs_error;
570 }
571
572 // ClientHello should be the end of the flight. We check this early to cover
573 // all protocol versions.
574 if (ssl->method->has_unprocessed_handshake_data(ssl)) {
575 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
576 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
577 return ssl_hs_error;
578 }
579
580 if (hs->config->handoff) {
581 return ssl_hs_handoff;
582 }
583
584 uint8_t alert = SSL_AD_DECODE_ERROR;
585 if (!extract_sni(hs, &alert, &client_hello)) {
586 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
587 return ssl_hs_error;
588 }
589
590 // Run the early callback.
591 if (ssl->ctx->select_certificate_cb != NULL) {
592 switch (ssl->ctx->select_certificate_cb(&client_hello)) {
593 case ssl_select_cert_retry:
594 return ssl_hs_certificate_selection_pending;
595
596 case ssl_select_cert_error:
597 // Connection rejected.
598 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
599 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
600 return ssl_hs_error;
601
602 default:
603 /* fallthrough */;
604 }
605 }
606
607 // Freeze the version range after the early callback.
608 if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) {
609 return ssl_hs_error;
610 }
611
612 if (hs->config->jdk11_workaround &&
613 is_probably_jdk11_with_tls13(&client_hello)) {
614 hs->apply_jdk11_workaround = true;
615 }
616
617 if (!negotiate_version(hs, &alert, &client_hello)) {
618 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
619 return ssl_hs_error;
620 }
621
622 hs->client_version = client_hello.version;
623 if (client_hello.random_len != SSL3_RANDOM_SIZE) {
624 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
625 return ssl_hs_error;
626 }
627 OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
628 client_hello.random_len);
629
630 // Only null compression is supported. TLS 1.3 further requires the peer
631 // advertise no other compression.
632 if (OPENSSL_memchr(client_hello.compression_methods, 0,
633 client_hello.compression_methods_len) == NULL ||
634 (ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
635 client_hello.compression_methods_len != 1)) {
636 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
637 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
638 return ssl_hs_error;
639 }
640
641 // TLS extensions.
642 if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {
643 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
644 return ssl_hs_error;
645 }
646
647 hs->state = state12_select_certificate;
648 return ssl_hs_ok;
649 }
650
do_select_certificate(SSL_HANDSHAKE * hs)651 static enum ssl_hs_wait_t do_select_certificate(SSL_HANDSHAKE *hs) {
652 SSL *const ssl = hs->ssl;
653
654 SSLMessage msg;
655 if (!ssl->method->get_message(ssl, &msg)) {
656 return ssl_hs_read_message;
657 }
658
659 // Call |cert_cb| to update server certificates if required.
660 if (hs->config->cert->cert_cb != NULL) {
661 int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
662 if (rv == 0) {
663 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
664 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
665 return ssl_hs_error;
666 }
667 if (rv < 0) {
668 return ssl_hs_x509_lookup;
669 }
670 }
671
672 if (!ssl_on_certificate_selected(hs)) {
673 return ssl_hs_error;
674 }
675
676 if (hs->ocsp_stapling_requested &&
677 ssl->ctx->legacy_ocsp_callback != nullptr) {
678 switch (ssl->ctx->legacy_ocsp_callback(
679 ssl, ssl->ctx->legacy_ocsp_callback_arg)) {
680 case SSL_TLSEXT_ERR_OK:
681 break;
682 case SSL_TLSEXT_ERR_NOACK:
683 hs->ocsp_stapling_requested = false;
684 break;
685 default:
686 OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR);
687 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
688 return ssl_hs_error;
689 }
690 }
691
692 if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
693 // Jump to the TLS 1.3 state machine.
694 hs->state = state12_tls13;
695 return ssl_hs_ok;
696 }
697
698 ssl->s3->early_data_reason = ssl_early_data_protocol_version;
699
700 SSL_CLIENT_HELLO client_hello;
701 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
702 return ssl_hs_error;
703 }
704
705 // Negotiate the cipher suite. This must be done after |cert_cb| so the
706 // certificate is finalized.
707 SSLCipherPreferenceList *prefs = hs->config->cipher_list
708 ? hs->config->cipher_list.get()
709 : ssl->ctx->cipher_list.get();
710 hs->new_cipher = choose_cipher(hs, &client_hello, prefs);
711 if (hs->new_cipher == NULL) {
712 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
713 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
714 return ssl_hs_error;
715 }
716
717 hs->state = state12_select_parameters;
718 return ssl_hs_ok;
719 }
720
do_tls13(SSL_HANDSHAKE * hs)721 static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {
722 enum ssl_hs_wait_t wait = tls13_server_handshake(hs);
723 if (wait == ssl_hs_ok) {
724 hs->state = state12_finish_server_handshake;
725 return ssl_hs_ok;
726 }
727
728 return wait;
729 }
730
do_select_parameters(SSL_HANDSHAKE * hs)731 static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
732 SSL *const ssl = hs->ssl;
733
734 SSLMessage msg;
735 if (!ssl->method->get_message(ssl, &msg)) {
736 return ssl_hs_read_message;
737 }
738
739 SSL_CLIENT_HELLO client_hello;
740 if (!ssl_client_hello_init(ssl, &client_hello, msg)) {
741 return ssl_hs_error;
742 }
743
744 // Determine whether we are doing session resumption.
745 UniquePtr<SSL_SESSION> session;
746 bool tickets_supported = false, renew_ticket = false;
747 enum ssl_hs_wait_t wait = ssl_get_prev_session(
748 hs, &session, &tickets_supported, &renew_ticket, &client_hello);
749 if (wait != ssl_hs_ok) {
750 return wait;
751 }
752
753 if (session) {
754 if (session->extended_master_secret && !hs->extended_master_secret) {
755 // A ClientHello without EMS that attempts to resume a session with EMS
756 // is fatal to the connection.
757 OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
758 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
759 return ssl_hs_error;
760 }
761
762 if (!ssl_session_is_resumable(hs, session.get()) ||
763 // If the client offers the EMS extension, but the previous session
764 // didn't use it, then negotiate a new session.
765 hs->extended_master_secret != session->extended_master_secret) {
766 session.reset();
767 }
768 }
769
770 if (session) {
771 // Use the old session.
772 hs->ticket_expected = renew_ticket;
773 ssl->session = std::move(session);
774 ssl->s3->session_reused = true;
775 } else {
776 hs->ticket_expected = tickets_supported;
777 ssl_set_session(ssl, NULL);
778 if (!ssl_get_new_session(hs, 1 /* server */)) {
779 return ssl_hs_error;
780 }
781
782 // Clear the session ID if we want the session to be single-use.
783 if (!(ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
784 hs->new_session->session_id_length = 0;
785 }
786 }
787
788 if (ssl->ctx->dos_protection_cb != NULL &&
789 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
790 // Connection rejected for DOS reasons.
791 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
792 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
793 return ssl_hs_error;
794 }
795
796 if (ssl->session == NULL) {
797 hs->new_session->cipher = hs->new_cipher;
798
799 // Determine whether to request a client certificate.
800 hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
801 // Only request a certificate if Channel ID isn't negotiated.
802 if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
803 ssl->s3->channel_id_valid) {
804 hs->cert_request = false;
805 }
806 // CertificateRequest may only be sent in certificate-based ciphers.
807 if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
808 hs->cert_request = false;
809 }
810
811 if (!hs->cert_request) {
812 // OpenSSL returns X509_V_OK when no certificates are requested. This is
813 // classed by them as a bug, but it's assumed by at least NGINX.
814 hs->new_session->verify_result = X509_V_OK;
815 }
816 }
817
818 // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
819 // deferred. Complete it now.
820 uint8_t alert = SSL_AD_DECODE_ERROR;
821 if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
822 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
823 return ssl_hs_error;
824 }
825
826 // Now that all parameters are known, initialize the handshake hash and hash
827 // the ClientHello.
828 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
829 !ssl_hash_message(hs, msg)) {
830 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
831 return ssl_hs_error;
832 }
833
834 // Handback includes the whole handshake transcript, so we cannot free the
835 // transcript buffer in the handback case.
836 if (!hs->cert_request && !hs->handback) {
837 hs->transcript.FreeBuffer();
838 }
839
840 ssl->method->next_message(ssl);
841
842 hs->state = state12_send_server_hello;
843 return ssl_hs_ok;
844 }
845
copy_suffix(Span<uint8_t> out,Span<const uint8_t> in)846 static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) {
847 out = out.subspan(out.size() - in.size());
848 assert(out.size() == in.size());
849 OPENSSL_memcpy(out.data(), in.data(), in.size());
850 }
851
do_send_server_hello(SSL_HANDSHAKE * hs)852 static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
853 SSL *const ssl = hs->ssl;
854
855 // We only accept ChannelIDs on connections with ECDHE in order to avoid a
856 // known attack while we fix ChannelID itself.
857 if (ssl->s3->channel_id_valid &&
858 (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
859 ssl->s3->channel_id_valid = false;
860 }
861
862 // If this is a resumption and the original handshake didn't support
863 // ChannelID then we didn't record the original handshake hashes in the
864 // session and so cannot resume with ChannelIDs.
865 if (ssl->session != NULL &&
866 ssl->session->original_handshake_hash_len == 0) {
867 ssl->s3->channel_id_valid = false;
868 }
869
870 struct OPENSSL_timeval now;
871 ssl_get_current_time(ssl, &now);
872 ssl->s3->server_random[0] = now.tv_sec >> 24;
873 ssl->s3->server_random[1] = now.tv_sec >> 16;
874 ssl->s3->server_random[2] = now.tv_sec >> 8;
875 ssl->s3->server_random[3] = now.tv_sec;
876 if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) {
877 return ssl_hs_error;
878 }
879
880 // Implement the TLS 1.3 anti-downgrade feature.
881 if (ssl_supports_version(hs, TLS1_3_VERSION)) {
882 if (ssl_protocol_version(ssl) == TLS1_2_VERSION) {
883 if (hs->apply_jdk11_workaround) {
884 // JDK 11 implements the TLS 1.3 downgrade signal, so we cannot send it
885 // here. However, the signal is only effective if all TLS 1.2
886 // ServerHellos produced by the server are marked. Thus we send a
887 // different non-standard signal for the time being, until JDK 11.0.2 is
888 // released and clients have updated.
889 copy_suffix(ssl->s3->server_random, kJDK11DowngradeRandom);
890 } else {
891 copy_suffix(ssl->s3->server_random, kTLS13DowngradeRandom);
892 }
893 } else {
894 copy_suffix(ssl->s3->server_random, kTLS12DowngradeRandom);
895 }
896 }
897
898 const SSL_SESSION *session = hs->new_session.get();
899 if (ssl->session != nullptr) {
900 session = ssl->session.get();
901 }
902
903 ScopedCBB cbb;
904 CBB body, session_id;
905 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
906 !CBB_add_u16(&body, ssl->version) ||
907 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
908 !CBB_add_u8_length_prefixed(&body, &session_id) ||
909 !CBB_add_bytes(&session_id, session->session_id,
910 session->session_id_length) ||
911 !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
912 !CBB_add_u8(&body, 0 /* no compression */) ||
913 !ssl_add_serverhello_tlsext(hs, &body) ||
914 !ssl_add_message_cbb(ssl, cbb.get())) {
915 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
916 return ssl_hs_error;
917 }
918
919 if (ssl->session != NULL) {
920 hs->state = state12_send_server_finished;
921 } else {
922 hs->state = state12_send_server_certificate;
923 }
924 return ssl_hs_ok;
925 }
926
do_send_server_certificate(SSL_HANDSHAKE * hs)927 static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
928 SSL *const ssl = hs->ssl;
929 ScopedCBB cbb;
930
931 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
932 if (!ssl_has_certificate(hs)) {
933 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
934 return ssl_hs_error;
935 }
936
937 if (!ssl_output_cert_chain(hs)) {
938 return ssl_hs_error;
939 }
940
941 if (hs->certificate_status_expected) {
942 CBB body, ocsp_response;
943 if (!ssl->method->init_message(ssl, cbb.get(), &body,
944 SSL3_MT_CERTIFICATE_STATUS) ||
945 !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) ||
946 !CBB_add_u24_length_prefixed(&body, &ocsp_response) ||
947 !CBB_add_bytes(
948 &ocsp_response,
949 CRYPTO_BUFFER_data(hs->config->cert->ocsp_response.get()),
950 CRYPTO_BUFFER_len(hs->config->cert->ocsp_response.get())) ||
951 !ssl_add_message_cbb(ssl, cbb.get())) {
952 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
953 return ssl_hs_error;
954 }
955 }
956 }
957
958 // Assemble ServerKeyExchange parameters if needed.
959 uint32_t alg_k = hs->new_cipher->algorithm_mkey;
960 uint32_t alg_a = hs->new_cipher->algorithm_auth;
961 if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) ||
962 ((alg_a & SSL_aPSK) && hs->config->psk_identity_hint)) {
963 // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
964 // the client and server randoms for the signing transcript.
965 CBB child;
966 if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) ||
967 !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
968 !CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) {
969 return ssl_hs_error;
970 }
971
972 // PSK ciphers begin with an identity hint.
973 if (alg_a & SSL_aPSK) {
974 size_t len = hs->config->psk_identity_hint == nullptr
975 ? 0
976 : strlen(hs->config->psk_identity_hint.get());
977 if (!CBB_add_u16_length_prefixed(cbb.get(), &child) ||
978 !CBB_add_bytes(&child,
979 (const uint8_t *)hs->config->psk_identity_hint.get(),
980 len)) {
981 return ssl_hs_error;
982 }
983 }
984
985 if (alg_k & SSL_kECDHE) {
986 // Determine the group to use.
987 uint16_t group_id;
988 if (!tls1_get_shared_group(hs, &group_id)) {
989 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
990 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
991 return ssl_hs_error;
992 }
993 hs->new_session->group_id = group_id;
994
995 // Set up ECDH, generate a key, and emit the public half.
996 hs->key_shares[0] = SSLKeyShare::Create(group_id);
997 if (!hs->key_shares[0] ||
998 !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
999 !CBB_add_u16(cbb.get(), group_id) ||
1000 !CBB_add_u8_length_prefixed(cbb.get(), &child) ||
1001 !hs->key_shares[0]->Offer(&child)) {
1002 return ssl_hs_error;
1003 }
1004 } else {
1005 assert(alg_k & SSL_kPSK);
1006 }
1007
1008 if (!CBBFinishArray(cbb.get(), &hs->server_params)) {
1009 return ssl_hs_error;
1010 }
1011 }
1012
1013 hs->state = state12_send_server_key_exchange;
1014 return ssl_hs_ok;
1015 }
1016
do_send_server_key_exchange(SSL_HANDSHAKE * hs)1017 static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) {
1018 SSL *const ssl = hs->ssl;
1019
1020 if (hs->server_params.size() == 0) {
1021 hs->state = state12_send_server_hello_done;
1022 return ssl_hs_ok;
1023 }
1024
1025 ScopedCBB cbb;
1026 CBB body, child;
1027 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1028 SSL3_MT_SERVER_KEY_EXCHANGE) ||
1029 // |hs->server_params| contains a prefix for signing.
1030 hs->server_params.size() < 2 * SSL3_RANDOM_SIZE ||
1031 !CBB_add_bytes(&body, hs->server_params.data() + 2 * SSL3_RANDOM_SIZE,
1032 hs->server_params.size() - 2 * SSL3_RANDOM_SIZE)) {
1033 return ssl_hs_error;
1034 }
1035
1036 // Add a signature.
1037 if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1038 if (!ssl_has_private_key(hs)) {
1039 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1040 return ssl_hs_error;
1041 }
1042
1043 // Determine the signature algorithm.
1044 uint16_t signature_algorithm;
1045 if (!tls1_choose_signature_algorithm(hs, &signature_algorithm)) {
1046 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1047 return ssl_hs_error;
1048 }
1049 if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1050 if (!CBB_add_u16(&body, signature_algorithm)) {
1051 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1052 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1053 return ssl_hs_error;
1054 }
1055 }
1056
1057 // Add space for the signature.
1058 const size_t max_sig_len = EVP_PKEY_size(hs->local_pubkey.get());
1059 uint8_t *ptr;
1060 if (!CBB_add_u16_length_prefixed(&body, &child) ||
1061 !CBB_reserve(&child, &ptr, max_sig_len)) {
1062 return ssl_hs_error;
1063 }
1064
1065 size_t sig_len;
1066 switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len,
1067 signature_algorithm, hs->server_params)) {
1068 case ssl_private_key_success:
1069 if (!CBB_did_write(&child, sig_len)) {
1070 return ssl_hs_error;
1071 }
1072 break;
1073 case ssl_private_key_failure:
1074 return ssl_hs_error;
1075 case ssl_private_key_retry:
1076 return ssl_hs_private_key_operation;
1077 }
1078 }
1079
1080 if (!ssl_add_message_cbb(ssl, cbb.get())) {
1081 return ssl_hs_error;
1082 }
1083
1084 hs->server_params.Reset();
1085
1086 hs->state = state12_send_server_hello_done;
1087 return ssl_hs_ok;
1088 }
1089
do_send_server_hello_done(SSL_HANDSHAKE * hs)1090 static enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) {
1091 SSL *const ssl = hs->ssl;
1092
1093 ScopedCBB cbb;
1094 CBB body;
1095
1096 if (hs->cert_request) {
1097 CBB cert_types, sigalgs_cbb;
1098 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1099 SSL3_MT_CERTIFICATE_REQUEST) ||
1100 !CBB_add_u8_length_prefixed(&body, &cert_types) ||
1101 !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) ||
1102 !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN) ||
1103 (ssl_protocol_version(ssl) >= TLS1_2_VERSION &&
1104 (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) ||
1105 !tls12_add_verify_sigalgs(hs, &sigalgs_cbb))) ||
1106 !ssl_add_client_CA_list(hs, &body) ||
1107 !ssl_add_message_cbb(ssl, cbb.get())) {
1108 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1109 return ssl_hs_error;
1110 }
1111 }
1112
1113 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1114 SSL3_MT_SERVER_HELLO_DONE) ||
1115 !ssl_add_message_cbb(ssl, cbb.get())) {
1116 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1117 return ssl_hs_error;
1118 }
1119
1120 hs->state = state12_read_client_certificate;
1121 return ssl_hs_flush;
1122 }
1123
do_read_client_certificate(SSL_HANDSHAKE * hs)1124 static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
1125 SSL *const ssl = hs->ssl;
1126
1127 if (hs->handback && hs->new_cipher->algorithm_mkey == SSL_kECDHE) {
1128 return ssl_hs_handback;
1129 }
1130 if (!hs->cert_request) {
1131 hs->state = state12_verify_client_certificate;
1132 return ssl_hs_ok;
1133 }
1134
1135 SSLMessage msg;
1136 if (!ssl->method->get_message(ssl, &msg)) {
1137 return ssl_hs_read_message;
1138 }
1139
1140 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
1141 return ssl_hs_error;
1142 }
1143
1144 if (!ssl_hash_message(hs, msg)) {
1145 return ssl_hs_error;
1146 }
1147
1148 CBS certificate_msg = msg.body;
1149 uint8_t alert = SSL_AD_DECODE_ERROR;
1150 if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey,
1151 hs->config->retain_only_sha256_of_client_certs
1152 ? hs->new_session->peer_sha256
1153 : nullptr,
1154 &certificate_msg, ssl->ctx->pool)) {
1155 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1156 return ssl_hs_error;
1157 }
1158
1159 if (CBS_len(&certificate_msg) != 0 ||
1160 !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
1161 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1162 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1163 return ssl_hs_error;
1164 }
1165
1166 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
1167 // No client certificate so the handshake buffer may be discarded.
1168 hs->transcript.FreeBuffer();
1169
1170 if (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
1171 // Fail for TLS only if we required a certificate
1172 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1173 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1174 return ssl_hs_error;
1175 }
1176
1177 // OpenSSL returns X509_V_OK when no certificates are received. This is
1178 // classed by them as a bug, but it's assumed by at least NGINX.
1179 hs->new_session->verify_result = X509_V_OK;
1180 } else if (hs->config->retain_only_sha256_of_client_certs) {
1181 // The hash will have been filled in.
1182 hs->new_session->peer_sha256_valid = 1;
1183 }
1184
1185 ssl->method->next_message(ssl);
1186 hs->state = state12_verify_client_certificate;
1187 return ssl_hs_ok;
1188 }
1189
do_verify_client_certificate(SSL_HANDSHAKE * hs)1190 static enum ssl_hs_wait_t do_verify_client_certificate(SSL_HANDSHAKE *hs) {
1191 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) > 0) {
1192 switch (ssl_verify_peer_cert(hs)) {
1193 case ssl_verify_ok:
1194 break;
1195 case ssl_verify_invalid:
1196 return ssl_hs_error;
1197 case ssl_verify_retry:
1198 return ssl_hs_certificate_verify;
1199 }
1200 }
1201
1202 hs->state = state12_read_client_key_exchange;
1203 return ssl_hs_ok;
1204 }
1205
do_read_client_key_exchange(SSL_HANDSHAKE * hs)1206 static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
1207 SSL *const ssl = hs->ssl;
1208 SSLMessage msg;
1209 if (!ssl->method->get_message(ssl, &msg)) {
1210 return ssl_hs_read_message;
1211 }
1212
1213 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_KEY_EXCHANGE)) {
1214 return ssl_hs_error;
1215 }
1216
1217 CBS client_key_exchange = msg.body;
1218 uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1219 uint32_t alg_a = hs->new_cipher->algorithm_auth;
1220
1221 // If using a PSK key exchange, parse the PSK identity.
1222 if (alg_a & SSL_aPSK) {
1223 CBS psk_identity;
1224
1225 // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
1226 // then this is the only field in the message.
1227 if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
1228 ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
1229 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1230 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1231 return ssl_hs_error;
1232 }
1233
1234 if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN ||
1235 CBS_contains_zero_byte(&psk_identity)) {
1236 OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
1237 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1238 return ssl_hs_error;
1239 }
1240 char *raw = nullptr;
1241 if (!CBS_strdup(&psk_identity, &raw)) {
1242 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1243 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1244 return ssl_hs_error;
1245 }
1246 hs->new_session->psk_identity.reset(raw);
1247 }
1248
1249 // Depending on the key exchange method, compute |premaster_secret|.
1250 Array<uint8_t> premaster_secret;
1251 if (alg_k & SSL_kRSA) {
1252 CBS encrypted_premaster_secret;
1253 if (!CBS_get_u16_length_prefixed(&client_key_exchange,
1254 &encrypted_premaster_secret) ||
1255 CBS_len(&client_key_exchange) != 0) {
1256 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1257 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1258 return ssl_hs_error;
1259 }
1260
1261 // Allocate a buffer large enough for an RSA decryption.
1262 Array<uint8_t> decrypt_buf;
1263 if (!decrypt_buf.Init(EVP_PKEY_size(hs->local_pubkey.get()))) {
1264 return ssl_hs_error;
1265 }
1266
1267 // Decrypt with no padding. PKCS#1 padding will be removed as part of the
1268 // timing-sensitive code below.
1269 size_t decrypt_len;
1270 switch (ssl_private_key_decrypt(hs, decrypt_buf.data(), &decrypt_len,
1271 decrypt_buf.size(),
1272 encrypted_premaster_secret)) {
1273 case ssl_private_key_success:
1274 break;
1275 case ssl_private_key_failure:
1276 return ssl_hs_error;
1277 case ssl_private_key_retry:
1278 return ssl_hs_private_key_operation;
1279 }
1280
1281 if (decrypt_len != decrypt_buf.size()) {
1282 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1283 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1284 return ssl_hs_error;
1285 }
1286
1287 CONSTTIME_SECRET(decrypt_buf.data(), decrypt_len);
1288
1289 // Prepare a random premaster, to be used on invalid padding. See RFC 5246,
1290 // section 7.4.7.1.
1291 if (!premaster_secret.Init(SSL_MAX_MASTER_KEY_LENGTH) ||
1292 !RAND_bytes(premaster_secret.data(), premaster_secret.size())) {
1293 return ssl_hs_error;
1294 }
1295
1296 // The smallest padded premaster is 11 bytes of overhead. Small keys are
1297 // publicly invalid.
1298 if (decrypt_len < 11 + premaster_secret.size()) {
1299 OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1300 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1301 return ssl_hs_error;
1302 }
1303
1304 // Check the padding. See RFC 3447, section 7.2.2.
1305 size_t padding_len = decrypt_len - premaster_secret.size();
1306 uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
1307 constant_time_eq_int_8(decrypt_buf[1], 2);
1308 for (size_t i = 2; i < padding_len - 1; i++) {
1309 good &= ~constant_time_is_zero_8(decrypt_buf[i]);
1310 }
1311 good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);
1312
1313 // The premaster secret must begin with |client_version|. This too must be
1314 // checked in constant time (http://eprint.iacr.org/2003/052/).
1315 good &= constant_time_eq_8(decrypt_buf[padding_len],
1316 (unsigned)(hs->client_version >> 8));
1317 good &= constant_time_eq_8(decrypt_buf[padding_len + 1],
1318 (unsigned)(hs->client_version & 0xff));
1319
1320 // Select, in constant time, either the decrypted premaster or the random
1321 // premaster based on |good|.
1322 for (size_t i = 0; i < premaster_secret.size(); i++) {
1323 premaster_secret[i] = constant_time_select_8(
1324 good, decrypt_buf[padding_len + i], premaster_secret[i]);
1325 }
1326 } else if (alg_k & SSL_kECDHE) {
1327 // Parse the ClientKeyExchange.
1328 CBS peer_key;
1329 if (!CBS_get_u8_length_prefixed(&client_key_exchange, &peer_key) ||
1330 CBS_len(&client_key_exchange) != 0) {
1331 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1332 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1333 return ssl_hs_error;
1334 }
1335
1336 // Compute the premaster.
1337 uint8_t alert = SSL_AD_DECODE_ERROR;
1338 if (!hs->key_shares[0]->Finish(&premaster_secret, &alert, peer_key)) {
1339 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1340 return ssl_hs_error;
1341 }
1342
1343 // The key exchange state may now be discarded.
1344 hs->key_shares[0].reset();
1345 hs->key_shares[1].reset();
1346 } else if (!(alg_k & SSL_kPSK)) {
1347 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1348 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1349 return ssl_hs_error;
1350 }
1351
1352 // For a PSK cipher suite, the actual pre-master secret is combined with the
1353 // pre-shared key.
1354 if (alg_a & SSL_aPSK) {
1355 if (hs->config->psk_server_callback == NULL) {
1356 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1357 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1358 return ssl_hs_error;
1359 }
1360
1361 // Look up the key for the identity.
1362 uint8_t psk[PSK_MAX_PSK_LEN];
1363 unsigned psk_len = hs->config->psk_server_callback(
1364 ssl, hs->new_session->psk_identity.get(), psk, sizeof(psk));
1365 if (psk_len > PSK_MAX_PSK_LEN) {
1366 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1367 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1368 return ssl_hs_error;
1369 } else if (psk_len == 0) {
1370 // PSK related to the given identity not found.
1371 OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1372 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY);
1373 return ssl_hs_error;
1374 }
1375
1376 if (alg_k & SSL_kPSK) {
1377 // In plain PSK, other_secret is a block of 0s with the same length as the
1378 // pre-shared key.
1379 if (!premaster_secret.Init(psk_len)) {
1380 return ssl_hs_error;
1381 }
1382 OPENSSL_memset(premaster_secret.data(), 0, premaster_secret.size());
1383 }
1384
1385 ScopedCBB new_premaster;
1386 CBB child;
1387 if (!CBB_init(new_premaster.get(),
1388 2 + psk_len + 2 + premaster_secret.size()) ||
1389 !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||
1390 !CBB_add_bytes(&child, premaster_secret.data(),
1391 premaster_secret.size()) ||
1392 !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||
1393 !CBB_add_bytes(&child, psk, psk_len) ||
1394 !CBBFinishArray(new_premaster.get(), &premaster_secret)) {
1395 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
1396 return ssl_hs_error;
1397 }
1398 }
1399
1400 if (!ssl_hash_message(hs, msg)) {
1401 return ssl_hs_error;
1402 }
1403
1404 // Compute the master secret.
1405 hs->new_session->master_key_length = tls1_generate_master_secret(
1406 hs, hs->new_session->master_key, premaster_secret);
1407 if (hs->new_session->master_key_length == 0) {
1408 return ssl_hs_error;
1409 }
1410 hs->new_session->extended_master_secret = hs->extended_master_secret;
1411 CONSTTIME_DECLASSIFY(hs->new_session->master_key,
1412 hs->new_session->master_key_length);
1413
1414 ssl->method->next_message(ssl);
1415 hs->state = state12_read_client_certificate_verify;
1416 return ssl_hs_ok;
1417 }
1418
do_read_client_certificate_verify(SSL_HANDSHAKE * hs)1419 static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
1420 SSL *const ssl = hs->ssl;
1421
1422 // Only RSA and ECDSA client certificates are supported, so a
1423 // CertificateVerify is required if and only if there's a client certificate.
1424 if (!hs->peer_pubkey) {
1425 hs->transcript.FreeBuffer();
1426 hs->state = state12_read_change_cipher_spec;
1427 return ssl_hs_ok;
1428 }
1429
1430 SSLMessage msg;
1431 if (!ssl->method->get_message(ssl, &msg)) {
1432 return ssl_hs_read_message;
1433 }
1434
1435 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY)) {
1436 return ssl_hs_error;
1437 }
1438
1439 // The peer certificate must be valid for signing.
1440 const CRYPTO_BUFFER *leaf =
1441 sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
1442 CBS leaf_cbs;
1443 CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
1444 if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) {
1445 return ssl_hs_error;
1446 }
1447
1448 CBS certificate_verify = msg.body, signature;
1449
1450 // Determine the signature algorithm.
1451 uint16_t signature_algorithm = 0;
1452 if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1453 if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
1454 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1455 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1456 return ssl_hs_error;
1457 }
1458 uint8_t alert = SSL_AD_DECODE_ERROR;
1459 if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm)) {
1460 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1461 return ssl_hs_error;
1462 }
1463 hs->new_session->peer_signature_algorithm = signature_algorithm;
1464 } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
1465 hs->peer_pubkey.get())) {
1466 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
1467 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);
1468 return ssl_hs_error;
1469 }
1470
1471 // Parse and verify the signature.
1472 if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
1473 CBS_len(&certificate_verify) != 0) {
1474 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1475 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1476 return ssl_hs_error;
1477 }
1478
1479 if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
1480 hs->peer_pubkey.get(), hs->transcript.buffer())) {
1481 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
1482 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1483 return ssl_hs_error;
1484 }
1485
1486 // The handshake buffer is no longer necessary, and we may hash the current
1487 // message.
1488 hs->transcript.FreeBuffer();
1489 if (!ssl_hash_message(hs, msg)) {
1490 return ssl_hs_error;
1491 }
1492
1493 ssl->method->next_message(ssl);
1494 hs->state = state12_read_change_cipher_spec;
1495 return ssl_hs_ok;
1496 }
1497
do_read_change_cipher_spec(SSL_HANDSHAKE * hs)1498 static enum ssl_hs_wait_t do_read_change_cipher_spec(SSL_HANDSHAKE *hs) {
1499 if (hs->handback && hs->ssl->session != NULL) {
1500 return ssl_hs_handback;
1501 }
1502 hs->state = state12_process_change_cipher_spec;
1503 return ssl_hs_read_change_cipher_spec;
1504 }
1505
do_process_change_cipher_spec(SSL_HANDSHAKE * hs)1506 static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
1507 if (!tls1_change_cipher_state(hs, evp_aead_open)) {
1508 return ssl_hs_error;
1509 }
1510
1511 hs->state = state12_read_next_proto;
1512 return ssl_hs_ok;
1513 }
1514
do_read_next_proto(SSL_HANDSHAKE * hs)1515 static enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) {
1516 SSL *const ssl = hs->ssl;
1517
1518 if (!hs->next_proto_neg_seen) {
1519 hs->state = state12_read_channel_id;
1520 return ssl_hs_ok;
1521 }
1522
1523 SSLMessage msg;
1524 if (!ssl->method->get_message(ssl, &msg)) {
1525 return ssl_hs_read_message;
1526 }
1527
1528 if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEXT_PROTO) ||
1529 !ssl_hash_message(hs, msg)) {
1530 return ssl_hs_error;
1531 }
1532
1533 CBS next_protocol = msg.body, selected_protocol, padding;
1534 if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
1535 !CBS_get_u8_length_prefixed(&next_protocol, &padding) ||
1536 CBS_len(&next_protocol) != 0) {
1537 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1538 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1539 return ssl_hs_error;
1540 }
1541
1542 if (!ssl->s3->next_proto_negotiated.CopyFrom(selected_protocol)) {
1543 return ssl_hs_error;
1544 }
1545
1546 ssl->method->next_message(ssl);
1547 hs->state = state12_read_channel_id;
1548 return ssl_hs_ok;
1549 }
1550
do_read_channel_id(SSL_HANDSHAKE * hs)1551 static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
1552 SSL *const ssl = hs->ssl;
1553
1554 if (!ssl->s3->channel_id_valid) {
1555 hs->state = state12_read_client_finished;
1556 return ssl_hs_ok;
1557 }
1558
1559 SSLMessage msg;
1560 if (!ssl->method->get_message(ssl, &msg)) {
1561 return ssl_hs_read_message;
1562 }
1563
1564 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
1565 !tls1_verify_channel_id(hs, msg) ||
1566 !ssl_hash_message(hs, msg)) {
1567 return ssl_hs_error;
1568 }
1569
1570 ssl->method->next_message(ssl);
1571 hs->state = state12_read_client_finished;
1572 return ssl_hs_ok;
1573 }
1574
do_read_client_finished(SSL_HANDSHAKE * hs)1575 static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
1576 SSL *const ssl = hs->ssl;
1577 enum ssl_hs_wait_t wait = ssl_get_finished(hs);
1578 if (wait != ssl_hs_ok) {
1579 return wait;
1580 }
1581
1582 if (ssl->session != NULL) {
1583 hs->state = state12_finish_server_handshake;
1584 } else {
1585 hs->state = state12_send_server_finished;
1586 }
1587
1588 // If this is a full handshake with ChannelID then record the handshake
1589 // hashes in |hs->new_session| in case we need them to verify a
1590 // ChannelID signature on a resumption of this session in the future.
1591 if (ssl->session == NULL && ssl->s3->channel_id_valid &&
1592 !tls1_record_handshake_hashes_for_channel_id(hs)) {
1593 return ssl_hs_error;
1594 }
1595
1596 return ssl_hs_ok;
1597 }
1598
do_send_server_finished(SSL_HANDSHAKE * hs)1599 static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
1600 SSL *const ssl = hs->ssl;
1601
1602 if (hs->ticket_expected) {
1603 const SSL_SESSION *session;
1604 UniquePtr<SSL_SESSION> session_copy;
1605 if (ssl->session == NULL) {
1606 // Fix the timeout to measure from the ticket issuance time.
1607 ssl_session_rebase_time(ssl, hs->new_session.get());
1608 session = hs->new_session.get();
1609 } else {
1610 // We are renewing an existing session. Duplicate the session to adjust
1611 // the timeout.
1612 session_copy =
1613 SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);
1614 if (!session_copy) {
1615 return ssl_hs_error;
1616 }
1617
1618 ssl_session_rebase_time(ssl, session_copy.get());
1619 session = session_copy.get();
1620 }
1621
1622 ScopedCBB cbb;
1623 CBB body, ticket;
1624 if (!ssl->method->init_message(ssl, cbb.get(), &body,
1625 SSL3_MT_NEW_SESSION_TICKET) ||
1626 !CBB_add_u32(&body, session->timeout) ||
1627 !CBB_add_u16_length_prefixed(&body, &ticket) ||
1628 !ssl_encrypt_ticket(hs, &ticket, session) ||
1629 !ssl_add_message_cbb(ssl, cbb.get())) {
1630 return ssl_hs_error;
1631 }
1632 }
1633
1634 if (!ssl->method->add_change_cipher_spec(ssl) ||
1635 !tls1_change_cipher_state(hs, evp_aead_seal) ||
1636 !ssl_send_finished(hs)) {
1637 return ssl_hs_error;
1638 }
1639
1640 if (ssl->session != NULL) {
1641 hs->state = state12_read_change_cipher_spec;
1642 } else {
1643 hs->state = state12_finish_server_handshake;
1644 }
1645 return ssl_hs_flush;
1646 }
1647
do_finish_server_handshake(SSL_HANDSHAKE * hs)1648 static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) {
1649 SSL *const ssl = hs->ssl;
1650
1651 if (hs->handback) {
1652 return ssl_hs_handback;
1653 }
1654
1655 ssl->method->on_handshake_complete(ssl);
1656
1657 // If we aren't retaining peer certificates then we can discard it now.
1658 if (hs->new_session != NULL &&
1659 hs->config->retain_only_sha256_of_client_certs) {
1660 hs->new_session->certs.reset();
1661 ssl->ctx->x509_method->session_clear(hs->new_session.get());
1662 }
1663
1664 if (ssl->session != NULL) {
1665 ssl->s3->established_session = UpRef(ssl->session);
1666 } else {
1667 ssl->s3->established_session = std::move(hs->new_session);
1668 ssl->s3->established_session->not_resumable = false;
1669 }
1670
1671 hs->handshake_finalized = true;
1672 ssl->s3->initial_handshake_complete = true;
1673 ssl_update_cache(hs, SSL_SESS_CACHE_SERVER);
1674
1675 hs->state = state12_done;
1676 return ssl_hs_ok;
1677 }
1678
ssl_server_handshake(SSL_HANDSHAKE * hs)1679 enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) {
1680 while (hs->state != state12_done) {
1681 enum ssl_hs_wait_t ret = ssl_hs_error;
1682 enum tls12_server_hs_state_t state =
1683 static_cast<enum tls12_server_hs_state_t>(hs->state);
1684 switch (state) {
1685 case state12_start_accept:
1686 ret = do_start_accept(hs);
1687 break;
1688 case state12_read_client_hello:
1689 ret = do_read_client_hello(hs);
1690 break;
1691 case state12_select_certificate:
1692 ret = do_select_certificate(hs);
1693 break;
1694 case state12_tls13:
1695 ret = do_tls13(hs);
1696 break;
1697 case state12_select_parameters:
1698 ret = do_select_parameters(hs);
1699 break;
1700 case state12_send_server_hello:
1701 ret = do_send_server_hello(hs);
1702 break;
1703 case state12_send_server_certificate:
1704 ret = do_send_server_certificate(hs);
1705 break;
1706 case state12_send_server_key_exchange:
1707 ret = do_send_server_key_exchange(hs);
1708 break;
1709 case state12_send_server_hello_done:
1710 ret = do_send_server_hello_done(hs);
1711 break;
1712 case state12_read_client_certificate:
1713 ret = do_read_client_certificate(hs);
1714 break;
1715 case state12_verify_client_certificate:
1716 ret = do_verify_client_certificate(hs);
1717 break;
1718 case state12_read_client_key_exchange:
1719 ret = do_read_client_key_exchange(hs);
1720 break;
1721 case state12_read_client_certificate_verify:
1722 ret = do_read_client_certificate_verify(hs);
1723 break;
1724 case state12_read_change_cipher_spec:
1725 ret = do_read_change_cipher_spec(hs);
1726 break;
1727 case state12_process_change_cipher_spec:
1728 ret = do_process_change_cipher_spec(hs);
1729 break;
1730 case state12_read_next_proto:
1731 ret = do_read_next_proto(hs);
1732 break;
1733 case state12_read_channel_id:
1734 ret = do_read_channel_id(hs);
1735 break;
1736 case state12_read_client_finished:
1737 ret = do_read_client_finished(hs);
1738 break;
1739 case state12_send_server_finished:
1740 ret = do_send_server_finished(hs);
1741 break;
1742 case state12_finish_server_handshake:
1743 ret = do_finish_server_handshake(hs);
1744 break;
1745 case state12_done:
1746 ret = ssl_hs_ok;
1747 break;
1748 }
1749
1750 if (hs->state != state) {
1751 ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
1752 }
1753
1754 if (ret != ssl_hs_ok) {
1755 return ret;
1756 }
1757 }
1758
1759 ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);
1760 return ssl_hs_ok;
1761 }
1762
ssl_server_handshake_state(SSL_HANDSHAKE * hs)1763 const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) {
1764 enum tls12_server_hs_state_t state =
1765 static_cast<enum tls12_server_hs_state_t>(hs->state);
1766 switch (state) {
1767 case state12_start_accept:
1768 return "TLS server start_accept";
1769 case state12_read_client_hello:
1770 return "TLS server read_client_hello";
1771 case state12_select_certificate:
1772 return "TLS server select_certificate";
1773 case state12_tls13:
1774 return tls13_server_handshake_state(hs);
1775 case state12_select_parameters:
1776 return "TLS server select_parameters";
1777 case state12_send_server_hello:
1778 return "TLS server send_server_hello";
1779 case state12_send_server_certificate:
1780 return "TLS server send_server_certificate";
1781 case state12_send_server_key_exchange:
1782 return "TLS server send_server_key_exchange";
1783 case state12_send_server_hello_done:
1784 return "TLS server send_server_hello_done";
1785 case state12_read_client_certificate:
1786 return "TLS server read_client_certificate";
1787 case state12_verify_client_certificate:
1788 return "TLS server verify_client_certificate";
1789 case state12_read_client_key_exchange:
1790 return "TLS server read_client_key_exchange";
1791 case state12_read_client_certificate_verify:
1792 return "TLS server read_client_certificate_verify";
1793 case state12_read_change_cipher_spec:
1794 return "TLS server read_change_cipher_spec";
1795 case state12_process_change_cipher_spec:
1796 return "TLS server process_change_cipher_spec";
1797 case state12_read_next_proto:
1798 return "TLS server read_next_proto";
1799 case state12_read_channel_id:
1800 return "TLS server read_channel_id";
1801 case state12_read_client_finished:
1802 return "TLS server read_client_finished";
1803 case state12_send_server_finished:
1804 return "TLS server send_server_finished";
1805 case state12_finish_server_handshake:
1806 return "TLS server finish_server_handshake";
1807 case state12_done:
1808 return "TLS server done";
1809 }
1810
1811 return "TLS server unknown";
1812 }
1813
1814 BSSL_NAMESPACE_END
1815