Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 143e8b3fd9b96a4599d303e7800c4043904ff55f / . / ssl / tls13_client.c
blob: cf8b390e0f2f5cd2ba1ac44a3183be87ed244637 [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame^]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/digest.h>
22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/stack.h>
25#include <openssl/x509.h>
26
27#include "internal.h"
28
29
30enum client_hs_state_t {
31 state_process_server_hello = 0,
32 state_process_encrypted_extensions,
33 state_process_certificate_request,
34 state_process_server_certificate,
35 state_process_server_certificate_verify,
36 state_process_server_finished,
37 state_certificate_callback,
38 state_send_client_certificate,
39 state_send_client_certificate_verify,
40 state_complete_client_certificate_verify,
41 state_send_client_finished,
42 state_flush,
43 state_done,
44};
45
46static enum ssl_hs_wait_t do_process_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
47 if (!tls13_check_message_type(ssl, SSL3_MT_SERVER_HELLO)) {
48 return ssl_hs_error;
49 }
50
51 CBS cbs, server_random, extensions;
52 uint16_t server_wire_version;
53 uint16_t cipher_suite;
54 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
55 if (!CBS_get_u16(&cbs, &server_wire_version) ||
56 !CBS_get_bytes(&cbs, &server_random, SSL3_RANDOM_SIZE) ||
57 !CBS_get_u16(&cbs, &cipher_suite) ||
58 !CBS_get_u16_length_prefixed(&cbs, &extensions) ||
59 CBS_len(&cbs) != 0) {
60 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
61 return ssl_hs_error;
62 }
63
64 /* Parse out the extensions. */
65 int have_key_share = 0;
66 CBS key_share;
67 while (CBS_len(&extensions) != 0) {
68 uint16_t type;
69 CBS extension;
70 if (!CBS_get_u16(&extensions, &type) ||
71 !CBS_get_u16_length_prefixed(&extensions, &extension)) {
72 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
73 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
74 return ssl_hs_error;
75 }
76
77 switch (type) {
78 case TLSEXT_TYPE_key_share:
79 if (have_key_share) {
80 OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
81 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
82 return ssl_hs_error;
83 }
84 key_share = extension;
85 have_key_share = 1;
86 break;
87 default:
88 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
89 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
90 return ssl_hs_error;
91 }
92 }
93
94 assert(ssl->s3->have_version);
95 memcpy(ssl->s3->server_random, CBS_data(&server_random), SSL3_RANDOM_SIZE);
96
97 ssl->hit = 0;
98 if (!ssl_get_new_session(ssl, 0)) {
99 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
100 return ssl_hs_error;
101 }
102
103 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(cipher_suite);
104 if (cipher == NULL) {
105 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CIPHER_RETURNED);
106 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
107 return ssl_hs_error;
108 }
109
110 /* Check if the cipher is disabled. */
111 if ((cipher->algorithm_mkey & ssl->cert->mask_k) ||
112 (cipher->algorithm_auth & ssl->cert->mask_a) ||
113 SSL_CIPHER_get_min_version(cipher) > ssl3_protocol_version(ssl) ||
114 SSL_CIPHER_get_max_version(cipher) < ssl3_protocol_version(ssl) ||
115 !sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(ssl), NULL, cipher)) {
116 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CIPHER_RETURNED);
117 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
118 return ssl_hs_error;
119 }
120
121 ssl->session->cipher = cipher;
122 ssl->s3->tmp.new_cipher = cipher;
123
124 /* The PRF hash is now known. Set up the key schedule. */
125 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
126 size_t hash_len =
127 EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
128 if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) {
129 return ssl_hs_error;
130 }
131
132 /* Resolve PSK and incorporate it into the secret. */
133 if (cipher->algorithm_auth == SSL_aPSK) {
134 /* TODO(davidben): Support PSK. */
135 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
136 return ssl_hs_error;
137 } else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
138 return ssl_hs_error;
139 }
140
141 /* Resolve ECDHE and incorporate it into the secret. */
142 if (cipher->algorithm_mkey == SSL_kECDHE) {
143 if (!have_key_share) {
144 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
145 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
146 return ssl_hs_error;
147 }
148
149 uint8_t *dhe_secret;
150 size_t dhe_secret_len;
151 uint8_t alert = SSL_AD_DECODE_ERROR;
152 if (!ext_key_share_parse_serverhello(ssl, &dhe_secret, &dhe_secret_len,
153 &alert, &key_share)) {
154 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
155 return ssl_hs_error;
156 }
157
158 int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);
159 OPENSSL_free(dhe_secret);
160 if (!ok) {
161 return ssl_hs_error;
162 }
163 } else {
164 if (have_key_share) {
165 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
166 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_EXTENSION);
167 return ssl_hs_error;
168 }
169 if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
170 return ssl_hs_error;
171 }
172 return ssl_hs_error;
173 }
174
175 if (!tls13_set_handshake_traffic(ssl)) {
176 return ssl_hs_error;
177 }
178
179 hs->state = state_process_encrypted_extensions;
180 return ssl_hs_read_message;
181}
182
183static enum ssl_hs_wait_t do_process_encrypted_extensions(SSL *ssl,
184 SSL_HANDSHAKE *hs) {
185 if (!tls13_check_message_type(ssl, SSL3_MT_ENCRYPTED_EXTENSIONS)) {
186 return ssl_hs_error;
187 }
188
189 CBS cbs;
190 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
191 if (!ssl_parse_serverhello_tlsext(ssl, &cbs)) {
192 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
193 return ssl_hs_error;
194 }
195 if (CBS_len(&cbs) != 0) {
196 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
197 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
198 return ssl_hs_error;
199 }
200
201 if (!ssl->method->hash_current_message(ssl)) {
202 return ssl_hs_error;
203 }
204
205 hs->state = state_process_certificate_request;
206 return ssl_hs_read_message;
207}
208
209static enum ssl_hs_wait_t do_process_certificate_request(SSL *ssl,
210 SSL_HANDSHAKE *hs) {
211 ssl->s3->tmp.cert_request = 0;
212
213 /* CertificateRequest may only be sent in certificate-based ciphers. */
214 if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
215 hs->state = state_process_server_finished;
216 return ssl_hs_ok;
217 }
218
219 /* CertificateRequest is optional. */
220 if (ssl->s3->tmp.message_type != SSL3_MT_CERTIFICATE_REQUEST) {
221 hs->state = state_process_server_certificate;
222 return ssl_hs_ok;
223 }
224
225 CBS cbs, context, supported_signature_algorithms;
226 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
227 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
228 !CBS_stow(&context, &ssl->s3->hs->cert_context,
229 &ssl->s3->hs->cert_context_len) ||
230 !CBS_get_u16_length_prefixed(&cbs, &supported_signature_algorithms) ||
231 !tls1_parse_peer_sigalgs(ssl, &supported_signature_algorithms)) {
232 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
233 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
234 return ssl_hs_error;
235 }
236
237 uint8_t alert;
238 STACK_OF(X509_NAME) *ca_sk = ssl_parse_client_CA_list(ssl, &alert, &cbs);
239 if (ca_sk == NULL) {
240 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
241 return ssl_hs_error;
242 }
243
244 /* Ignore extensions. */
245 CBS extensions;
246 if (!CBS_get_u16_length_prefixed(&cbs, &extensions) ||
247 CBS_len(&cbs) != 0) {
248 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
249 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
250 return ssl_hs_error;
251 }
252
253 ssl->s3->tmp.cert_request = 1;
254 sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free);
255 ssl->s3->tmp.ca_names = ca_sk;
256
257 if (!ssl->method->hash_current_message(ssl)) {
258 return ssl_hs_error;
259 }
260
261 hs->state = state_process_server_certificate;
262 return ssl_hs_read_message;
263}
264
265static enum ssl_hs_wait_t do_process_server_certificate(SSL *ssl,
266 SSL_HANDSHAKE *hs) {
267 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
268 !tls13_process_certificate(ssl) ||
269 !ssl->method->hash_current_message(ssl)) {
270 return ssl_hs_error;
271 }
272
273 hs->state = state_process_server_certificate_verify;
274 return ssl_hs_read_message;
275}
276
277static enum ssl_hs_wait_t do_process_server_certificate_verify(
278 SSL *ssl, SSL_HANDSHAKE *hs) {
279 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
280 !tls13_process_certificate_verify(ssl) ||
281 !ssl->method->hash_current_message(ssl)) {
282 return 0;
283 }
284
285 hs->state = state_process_server_finished;
286 return ssl_hs_read_message;
287}
288
289static enum ssl_hs_wait_t do_process_server_finished(SSL *ssl,
290 SSL_HANDSHAKE *hs) {
291 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
292
293 if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||
294 !tls13_process_finished(ssl) ||
295 !ssl->method->hash_current_message(ssl) ||
296 /* Update the secret to the master secret and derive traffic keys. */
297 !tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||
298 !tls13_derive_traffic_secret_0(ssl)) {
299 return ssl_hs_error;
300 }
301
302 hs->state = state_certificate_callback;
303 return ssl_hs_ok;
304}
305
306static enum ssl_hs_wait_t do_certificate_callback(SSL *ssl, SSL_HANDSHAKE *hs) {
307 /* The peer didn't request a certificate. */
308 if (!ssl->s3->tmp.cert_request) {
309 hs->state = state_send_client_finished;
310 return ssl_hs_ok;
311 }
312
313 /* Call cert_cb to update the certificate. */
314 if (ssl->cert->cert_cb != NULL) {
315 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
316 if (rv == 0) {
317 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
318 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
319 return ssl_hs_error;
320 }
321 if (rv < 0) {
322 hs->state = state_certificate_callback;
323 return ssl_hs_x509_lookup;
324 }
325 }
326
327 hs->state = state_send_client_certificate;
328 return ssl_hs_ok;
329}
330
331static enum ssl_hs_wait_t do_send_client_certificate(SSL *ssl,
332 SSL_HANDSHAKE *hs) {
333 if (!ssl_has_certificate(ssl) && ssl->ctx->client_cert_cb != NULL) {
334 X509 *x509 = NULL;
335 EVP_PKEY *pkey = NULL;
336 int rv = ssl->ctx->client_cert_cb(ssl, &x509, &pkey);
337 if (rv < 0) {
338 hs->state = state_send_client_certificate;
339 return ssl_hs_x509_lookup;
340 }
341
342 int setup_error = rv == 1 && (!SSL_use_certificate(ssl, x509) ||
343 !SSL_use_PrivateKey(ssl, pkey));
344 X509_free(x509);
345 EVP_PKEY_free(pkey);
346 if (setup_error) {
347 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
348 return ssl_hs_error;
349 }
350 }
351
352 if (!tls13_prepare_certificate(ssl)) {
353 return ssl_hs_error;
354 }
355
356 hs->state = state_send_client_certificate_verify;
357 return ssl_hs_write_message;
358}
359
360static enum ssl_hs_wait_t do_send_client_certificate_verify(SSL *ssl,
361 SSL_HANDSHAKE *hs,
362 int is_first_run) {
363 /* Don't send CertificateVerify if there is no certificate. */
364 if (!ssl_has_certificate(ssl)) {
365 hs->state = state_send_client_finished;
366 return ssl_hs_ok;
367 }
368
369 switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {
370 case ssl_private_key_success:
371 hs->state = state_send_client_finished;
372 return ssl_hs_write_message;
373
374 case ssl_private_key_retry:
375 hs->state = state_complete_client_certificate_verify;
376 return ssl_hs_private_key_operation;
377
378 case ssl_private_key_failure:
379 return ssl_hs_error;
380 }
381
382 assert(0);
383 return ssl_hs_error;
384}
385
386static enum ssl_hs_wait_t do_send_client_finished(SSL *ssl, SSL_HANDSHAKE *hs) {
387 if (!tls13_prepare_finished(ssl)) {
388 return ssl_hs_error;
389 }
390
391 hs->state = state_flush;
392 return ssl_hs_write_message;
393}
394
395static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {
396 if (!tls13_set_traffic_key(ssl, type_data, evp_aead_open,
397 hs->traffic_secret_0, hs->hash_len) ||
398 !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,
399 hs->traffic_secret_0, hs->hash_len) ||
400 !tls13_finalize_keys(ssl)) {
401 return ssl_hs_error;
402 }
403
404 hs->state = state_done;
405 return ssl_hs_flush;
406}
407
408enum ssl_hs_wait_t tls13_client_handshake(SSL *ssl) {
409 SSL_HANDSHAKE *hs = ssl->s3->hs;
410
411 while (hs->state != state_done) {
412 enum ssl_hs_wait_t ret = ssl_hs_error;
413 enum client_hs_state_t state = hs->state;
414 switch (state) {
415 case state_process_server_hello:
416 ret = do_process_server_hello(ssl, hs);
417 break;
418 case state_process_encrypted_extensions:
419 ret = do_process_encrypted_extensions(ssl, hs);
420 break;
421 case state_process_certificate_request:
422 ret = do_process_certificate_request(ssl, hs);
423 break;
424 case state_process_server_certificate:
425 ret = do_process_server_certificate(ssl, hs);
426 break;
427 case state_process_server_certificate_verify:
428 ret = do_process_server_certificate_verify(ssl, hs);
429 break;
430 case state_process_server_finished:
431 ret = do_process_server_finished(ssl, hs);
432 break;
433 case state_certificate_callback:
434 ret = do_certificate_callback(ssl, hs);
435 break;
436 case state_send_client_certificate:
437 ret = do_send_client_certificate(ssl, hs);
438 break;
439 case state_send_client_certificate_verify:
440 ret = do_send_client_certificate_verify(ssl, hs, 1 /* first run */);
441 break;
442 case state_complete_client_certificate_verify:
443 ret = do_send_client_certificate_verify(ssl, hs, 0 /* complete */);
444 break;
445 case state_send_client_finished:
446 ret = do_send_client_finished(ssl, hs);
447 break;
448 case state_flush:
449 ret = do_flush(ssl, hs);
450 break;
451 case state_done:
452 ret = ssl_hs_ok;
453 break;
454 }
455
456 if (ret != ssl_hs_ok) {
457 return ret;
458 }
459 }
460
461 return ssl_hs_ok;
462}