Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 143e8b3fd9b96a4599d303e7800c4043904ff55f / . / ssl / tls13_server.c
blob: ce65abfb33dd7b8cace8b428e1904c49632d4aaa [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame^]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/digest.h>
22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/rand.h>
25#include <openssl/stack.h>
26
27#include "internal.h"
28
29
30enum server_hs_state_t {
31 state_process_client_hello = 0,
32 state_send_server_hello,
33 state_send_encrypted_extensions,
34 state_send_certificate_request,
35 state_send_server_certificate,
36 state_send_server_certificate_verify,
37 state_complete_server_certificate_verify,
38 state_send_server_finished,
39 state_flush,
40 state_read_client_second_flight,
41 state_process_client_certificate,
42 state_process_client_certificate_verify,
43 state_process_client_finished,
44 state_done,
45};
46
47static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
48 if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
49 return ssl_hs_error;
50 }
51
52 struct ssl_early_callback_ctx early_ctx;
53 uint16_t client_wire_version;
54 CBS client_random, session_id, cipher_suites, compression_methods;
55
56 memset(&early_ctx, 0, sizeof(early_ctx));
57 early_ctx.ssl = ssl;
58 early_ctx.client_hello = ssl->init_msg;
59 early_ctx.client_hello_len = ssl->init_num;
60 if (!ssl_early_callback_init(&early_ctx)) {
61 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
62 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
63 return ssl_hs_error;
64 }
65
66 CBS cbs;
67 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
68 if (!CBS_get_u16(&cbs, &client_wire_version) ||
69 !CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE) ||
70 !CBS_get_u8_length_prefixed(&cbs, &session_id) ||
71 CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {
72 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
73 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
74 return ssl_hs_error;
75 }
76
77 uint16_t min_version, max_version;
78 if (!ssl_get_version_range(ssl, &min_version, &max_version)) {
79 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
80 return ssl_hs_error;
81 }
82
83 assert(ssl->s3->have_version);
84
85 /* Load the client random. */
86 memcpy(ssl->s3->client_random, CBS_data(&client_random), SSL3_RANDOM_SIZE);
87
88 ssl->hit = 0;
89 if (!ssl_get_new_session(ssl, 1 /* server */)) {
90 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
91 return ssl_hs_error;
92 }
93
94 if (ssl->ctx->dos_protection_cb != NULL &&
95 ssl->ctx->dos_protection_cb(&early_ctx) == 0) {
96 /* Connection rejected for DOS reasons. */
97 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
98 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ACCESS_DENIED);
99 return ssl_hs_error;
100 }
101
102 if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites) ||
103 CBS_len(&cipher_suites) == 0 ||
104 CBS_len(&cipher_suites) % 2 != 0 ||
105 !CBS_get_u8_length_prefixed(&cbs, &compression_methods) ||
106 CBS_len(&compression_methods) == 0) {
107 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
108 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
109 return ssl_hs_error;
110 }
111
112 /* TLS 1.3 requires the peer only advertise the null compression. */
113 if (CBS_len(&compression_methods) != 1 ||
114 CBS_data(&compression_methods)[0] != 0) {
115 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
116 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
117 return ssl_hs_error;
118 }
119
120 /* TLS extensions. */
121 if (!ssl_parse_clienthello_tlsext(ssl, &cbs)) {
122 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
123 return ssl_hs_error;
124 }
125
126 /* There should be nothing left over in the message. */
127 if (CBS_len(&cbs) != 0) {
128 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);
129 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
130 return ssl_hs_error;
131 }
132
133 /* Let cert callback update server certificates if required.
134 *
135 * TODO(davidben): Can this get run earlier? */
136 if (ssl->cert->cert_cb != NULL) {
137 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
138 if (rv == 0) {
139 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
140 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
141 return ssl_hs_error;
142 }
143 if (rv < 0) {
144 hs->state = state_process_client_hello;
145 return ssl_hs_x509_lookup;
146 }
147 }
148
149 STACK_OF(SSL_CIPHER) *ciphers =
150 ssl_bytes_to_cipher_list(ssl, &cipher_suites, max_version);
151 if (ciphers == NULL) {
152 return ssl_hs_error;
153 }
154
155 const SSL_CIPHER *cipher =
156 ssl3_choose_cipher(ssl, ciphers, ssl_get_cipher_preferences(ssl));
157 sk_SSL_CIPHER_free(ciphers);
158 if (cipher == NULL) {
159 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
160 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
161 return ssl_hs_error;
162 }
163
164 ssl->session->cipher = cipher;
165 ssl->s3->tmp.new_cipher = cipher;
166
167 /* The PRF hash is now known. Set up the key schedule and hash the
168 * ClientHello. */
169 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
170 size_t hash_len =
171 EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
172 if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) {
173 return ssl_hs_error;
174 }
175
176 /* Resolve PSK and incorporate it into the secret. */
177 if (cipher->algorithm_auth == SSL_aPSK) {
178 /* TODO(davidben): Support PSK. */
179 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
180 return ssl_hs_error;
181 } else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
182 return ssl_hs_error;
183 }
184
185 /* Resolve ECDHE and incorporate it into the secret. */
186 if (cipher->algorithm_mkey == SSL_kECDHE) {
187 const uint8_t *key_share_buf = NULL;
188 size_t key_share_len = 0;
189 CBS key_share;
190 if (!SSL_early_callback_ctx_extension_get(&early_ctx, TLSEXT_TYPE_key_share,
191 &key_share_buf, &key_share_len)) {
192 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
193 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
194 return ssl_hs_error;
195 }
196
197 CBS_init(&key_share, key_share_buf, key_share_len);
198 uint8_t *dhe_secret;
199 size_t dhe_secret_len;
200 uint8_t alert;
201 if (!ext_key_share_parse_clienthello(ssl, &dhe_secret, &dhe_secret_len,
202 &alert, &key_share)) {
203 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
204 return ssl_hs_error;
205 }
206
207 int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);
208 OPENSSL_free(dhe_secret);
209 if (!ok) {
210 return ssl_hs_error;
211 }
212 } else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {
213 return ssl_hs_error;
214 }
215
216 hs->state = state_send_server_hello;
217 return ssl_hs_ok;
218}
219
220static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
221 CBB cbb, body, extensions;
222 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
223 !CBB_add_u16(&body, ssl->version) ||
224 !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
225 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
226 !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
227 !CBB_add_u16_length_prefixed(&body, &extensions) ||
228 !ext_key_share_add_serverhello(ssl, &extensions) ||
229 !ssl->method->finish_message(ssl, &cbb)) {
230 CBB_cleanup(&cbb);
231 return ssl_hs_error;
232 }
233
234 hs->state = state_send_encrypted_extensions;
235 return ssl_hs_write_message;
236}
237
238static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL *ssl,
239 SSL_HANDSHAKE *hs) {
240 if (!tls13_set_handshake_traffic(ssl)) {
241 return ssl_hs_error;
242 }
243
244 CBB cbb, body;
245 if (!ssl->method->init_message(ssl, &cbb, &body,
246 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
247 !ssl_add_serverhello_tlsext(ssl, &body) ||
248 !ssl->method->finish_message(ssl, &cbb)) {
249 CBB_cleanup(&cbb);
250 return ssl_hs_error;
251 }
252
253 hs->state = state_send_certificate_request;
254 return ssl_hs_write_message;
255}
256
257static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl,
258 SSL_HANDSHAKE *hs) {
259 /* Determine whether to request a client certificate. */
260 ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
261 /* CertificateRequest may only be sent in certificate-based ciphers. */
262 if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
263 ssl->s3->tmp.cert_request = 0;
264 }
265
266 if (!ssl->s3->tmp.cert_request) {
267 /* Skip this state. */
268 hs->state = state_send_server_certificate;
269 return ssl_hs_ok;
270 }
271
272 CBB cbb, body, sigalgs_cbb;
273 if (!ssl->method->init_message(ssl, &cbb, &body,
274 SSL3_MT_CERTIFICATE_REQUEST) ||
275 !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
276 goto err;
277 }
278
279 const uint16_t *sigalgs;
280 size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs);
281 if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
282 goto err;
283 }
284
285 for (size_t i = 0; i < sigalgs_len; i++) {
286 if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
287 goto err;
288 }
289 }
290
291 if (!ssl_add_client_CA_list(ssl, &body) ||
292 !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||
293 !ssl->method->finish_message(ssl, &cbb)) {
294 goto err;
295 }
296
297 hs->state = state_send_server_certificate;
298 return ssl_hs_write_message;
299
300err:
301 CBB_cleanup(&cbb);
302 return ssl_hs_error;
303}
304
305static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl,
306 SSL_HANDSHAKE *hs) {
307 if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {
308 hs->state = state_send_server_finished;
309 return ssl_hs_ok;
310 }
311
312 if (!ssl_has_certificate(ssl)) {
313 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
314 return ssl_hs_error;
315 }
316
317 if (!tls13_prepare_certificate(ssl)) {
318 return ssl_hs_error;
319 }
320
321 hs->state = state_send_server_certificate_verify;
322 return ssl_hs_write_message;
323}
324
325static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL *ssl,
326 SSL_HANDSHAKE *hs,
327 int is_first_run) {
328 switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {
329 case ssl_private_key_success:
330 hs->state = state_send_server_finished;
331 return ssl_hs_write_message;
332
333 case ssl_private_key_retry:
334 hs->state = state_complete_server_certificate_verify;
335 return ssl_hs_private_key_operation;
336
337 case ssl_private_key_failure:
338 return ssl_hs_error;
339 }
340
341 assert(0);
342 return ssl_hs_error;
343}
344
345static enum ssl_hs_wait_t do_send_server_finished(SSL *ssl, SSL_HANDSHAKE *hs) {
346 if (!tls13_prepare_finished(ssl)) {
347 return ssl_hs_error;
348 }
349
350 hs->state = state_flush;
351 return ssl_hs_write_message;
352}
353
354static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {
355 hs->state = state_read_client_second_flight;
356 return ssl_hs_flush;
357}
358
359static enum ssl_hs_wait_t do_read_client_second_flight(SSL *ssl,
360 SSL_HANDSHAKE *hs) {
361 /* Update the secret to the master secret and derive traffic keys. */
362 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
363 if (!tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||
364 !tls13_derive_traffic_secret_0(ssl) ||
365 !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,
366 hs->traffic_secret_0, hs->hash_len)) {
367 return ssl_hs_error;
368 }
369
370 hs->state = state_process_client_certificate;
371 return ssl_hs_read_message;
372}
373
374static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,
375 SSL_HANDSHAKE *hs) {
376 if (!ssl->s3->tmp.cert_request) {
377 /* Skip this state. */
378 hs->state = state_process_client_certificate_verify;
379 return ssl_hs_ok;
380 }
381
382 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
383 !tls13_process_certificate(ssl) ||
384 !ssl->method->hash_current_message(ssl)) {
385 return ssl_hs_error;
386 }
387
388 hs->state = state_process_client_certificate_verify;
389 return ssl_hs_read_message;
390}
391
392static enum ssl_hs_wait_t do_process_client_certificate_verify(
393 SSL *ssl, SSL_HANDSHAKE *hs) {
394 if (ssl->session->peer == NULL) {
395 /* Skip this state. */
396 hs->state = state_process_client_finished;
397 return ssl_hs_ok;
398 }
399
400 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
401 !tls13_process_certificate_verify(ssl) ||
402 !ssl->method->hash_current_message(ssl)) {
403 return 0;
404 }
405
406 hs->state = state_process_client_finished;
407 return ssl_hs_read_message;
408}
409
410static enum ssl_hs_wait_t do_process_client_finished(SSL *ssl,
411 SSL_HANDSHAKE *hs) {
412 if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||
413 !tls13_process_finished(ssl) ||
414 !ssl->method->hash_current_message(ssl) ||
415 /* evp_aead_seal keys have already been switched. */
416 !tls13_set_traffic_key(ssl, type_data, evp_aead_open,
417 hs->traffic_secret_0, hs->hash_len) ||
418 !tls13_finalize_keys(ssl)) {
419 return ssl_hs_error;
420 }
421
422 hs->state = state_done;
423 return ssl_hs_ok;
424}
425
426enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl) {
427 SSL_HANDSHAKE *hs = ssl->s3->hs;
428
429 while (hs->state != state_done) {
430 enum ssl_hs_wait_t ret = ssl_hs_error;
431 enum server_hs_state_t state = hs->state;
432 switch (state) {
433 case state_process_client_hello:
434 ret = do_process_client_hello(ssl, hs);
435 break;
436 case state_send_server_hello:
437 ret = do_send_server_hello(ssl, hs);
438 break;
439 case state_send_encrypted_extensions:
440 ret = do_send_encrypted_extensions(ssl, hs);
441 break;
442 case state_send_certificate_request:
443 ret = do_send_certificate_request(ssl, hs);
444 break;
445 case state_send_server_certificate:
446 ret = do_send_server_certificate(ssl, hs);
447 break;
448 case state_send_server_certificate_verify:
449 ret = do_send_server_certificate_verify(ssl, hs, 1 /* first run */);
450 break;
451 case state_complete_server_certificate_verify:
452 ret = do_send_server_certificate_verify(ssl, hs, 0 /* complete */);
453 break;
454 case state_send_server_finished:
455 ret = do_send_server_finished(ssl, hs);
456 break;
457 case state_flush:
458 ret = do_flush(ssl, hs);
459 break;
460 case state_read_client_second_flight:
461 ret = do_read_client_second_flight(ssl, hs);
462 break;
463 case state_process_client_certificate:
464 ret = do_process_client_certificate(ssl, hs);
465 break;
466 case state_process_client_certificate_verify:
467 ret = do_process_client_certificate_verify(ssl, hs);
468 break;
469 case state_process_client_finished:
470 ret = do_process_client_finished(ssl, hs);
471 break;
472 case state_done:
473 ret = ssl_hs_ok;
474 break;
475 }
476
477 if (ret != ssl_hs_ok) {
478 return ret;
479 }
480 }
481
482 return ssl_hs_ok;
483}