Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 3ef7697ed30f28367395a5aafb57a12a19906d96 / . / ssl / tls13_server.c
blob: 25700694e96f38a2bdbdafb7b4d5ea7157864db5 [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/digest.h>
22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/rand.h>
25#include <openssl/stack.h>
26
27#include "internal.h"
28
29
30enum server_hs_state_t {
31 state_process_client_hello = 0,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]32 state_select_parameters,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]33 state_send_hello_retry_request,
34 state_flush_hello_retry_request,
35 state_process_second_client_hello,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]36 state_send_server_hello,
37 state_send_encrypted_extensions,
38 state_send_certificate_request,
39 state_send_server_certificate,
40 state_send_server_certificate_verify,
41 state_complete_server_certificate_verify,
42 state_send_server_finished,
43 state_flush,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]44 state_process_client_certificate,
45 state_process_client_certificate_verify,
46 state_process_client_finished,
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]47 state_send_new_session_ticket,
48 state_flush_new_session_ticket,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]49 state_done,
50};
51
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]52static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
53
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]54static int resolve_ecdhe_secret(SSL *ssl, int *out_need_retry,
55 struct ssl_early_callback_ctx *early_ctx) {
56 *out_need_retry = 0;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]57
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]58 /* We only support connections that include an ECDHE key exchange. */
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]59 CBS key_share;
David Benjamincec73442016-08-02 17:41:33 -0400[diff] [blame]60 if (!ssl_early_callback_get_extension(early_ctx, &key_share,
61 TLSEXT_TYPE_key_share)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]62 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
63 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
64 return ssl_hs_error;
65 }
66
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]67 int found_key_share;
68 uint8_t *dhe_secret;
69 size_t dhe_secret_len;
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]70 uint8_t alert = SSL_AD_DECODE_ERROR;
Steven Valdez7259f2f2016-08-02 16:55:05 -0400[diff] [blame]71 if (!ssl_ext_key_share_parse_clienthello(ssl, &found_key_share, &dhe_secret,
72 &dhe_secret_len, &alert,
73 &key_share)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]74 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
75 return 0;
76 }
77
78 if (!found_key_share) {
79 *out_need_retry = 1;
80 return 0;
81 }
82
83 int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);
84 OPENSSL_free(dhe_secret);
85 return ok;
86}
87
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]88static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
89 if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
90 return ssl_hs_error;
91 }
92
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]93 struct ssl_early_callback_ctx client_hello;
94 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
David Benjamind7573dc2016-07-20 19:05:22 +0200[diff] [blame]95 ssl->init_num)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]96 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
97 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
98 return ssl_hs_error;
99 }
100
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]101 assert(ssl->s3->have_version);
102
103 /* Load the client random. */
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]104 if (client_hello.random_len != SSL3_RANDOM_SIZE) {
105 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
106 return -1;
107 }
108 memcpy(ssl->s3->client_random, client_hello.random, client_hello.random_len);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]109
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]110 uint8_t alert = SSL_AD_DECODE_ERROR;
111 SSL_SESSION *session = NULL;
112 CBS pre_shared_key;
113 if (ssl_early_callback_get_extension(&client_hello, &pre_shared_key,
114 TLSEXT_TYPE_pre_shared_key) &&
115 !ssl_ext_pre_shared_key_parse_clienthello(ssl, &session, &alert,
116 &pre_shared_key)) {
117 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
118 return 0;
119 }
120
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]121 if (session != NULL &&
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]122 /* Only resume if the session's version matches. */
123 (session->ssl_version != ssl->version ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]124 !ssl_client_cipher_list_contains_cipher(
125 &client_hello, (uint16_t)SSL_CIPHER_get_id(session->cipher)))) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]126 SSL_SESSION_free(session);
127 session = NULL;
128 }
129
130 if (session == NULL) {
131 if (!ssl_get_new_session(ssl, 1 /* server */)) {
132 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
133 return ssl_hs_error;
134 }
135 } else {
136 /* Only authentication information carries over in TLS 1.3. */
137 ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
138 if (ssl->s3->new_session == NULL) {
139 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
140 return ssl_hs_error;
141 }
142 ssl->s3->session_reused = 1;
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]143 SSL_SESSION_free(session);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]144 }
145
146 if (ssl->ctx->dos_protection_cb != NULL &&
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]147 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]148 /* Connection rejected for DOS reasons. */
149 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]150 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]151 return ssl_hs_error;
152 }
153
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]154 /* TLS 1.3 requires the peer only advertise the null compression. */
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]155 if (client_hello.compression_methods_len != 1 ||
156 client_hello.compression_methods[0] != 0) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]157 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
158 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
159 return ssl_hs_error;
160 }
161
162 /* TLS extensions. */
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]163 if (!ssl_parse_clienthello_tlsext(ssl, &client_hello)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]164 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
165 return ssl_hs_error;
166 }
167
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]168 hs->state = state_select_parameters;
169 return ssl_hs_ok;
170}
171
172static enum ssl_hs_wait_t do_select_parameters(SSL *ssl, SSL_HANDSHAKE *hs) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]173 if (!ssl->s3->session_reused) {
174 /* Call |cert_cb| to update server certificates if required. */
175 if (ssl->cert->cert_cb != NULL) {
176 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
177 if (rv == 0) {
178 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
179 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
180 return ssl_hs_error;
181 }
182 if (rv < 0) {
183 hs->state = state_select_parameters;
184 return ssl_hs_x509_lookup;
185 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]186 }
187 }
188
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]189 struct ssl_early_callback_ctx client_hello;
190 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
191 ssl->init_num)) {
192 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
193 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
194 return ssl_hs_error;
195 }
196
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]197 if (!ssl->s3->session_reused) {
198 const SSL_CIPHER *cipher =
199 ssl3_choose_cipher(ssl, &client_hello, ssl_get_cipher_preferences(ssl));
200 if (cipher == NULL) {
201 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
202 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
203 return ssl_hs_error;
204 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]205
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]206 ssl->s3->new_session->cipher = cipher;
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]207 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]208
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]209 ssl->s3->tmp.new_cipher = ssl->s3->new_session->cipher;
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]210 ssl->method->received_flight(ssl);
211
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]212
213 /* The PRF hash is now known. */
214 size_t hash_len =
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]215 EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]216
217 /* Derive resumption material. */
218 uint8_t resumption_ctx[EVP_MAX_MD_SIZE] = {0};
219 uint8_t psk_secret[EVP_MAX_MD_SIZE] = {0};
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]220 if (ssl->s3->session_reused) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]221 if (!tls13_resumption_context(ssl, resumption_ctx, hash_len,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]222 ssl->s3->new_session) ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]223 !tls13_resumption_psk(ssl, psk_secret, hash_len,
224 ssl->s3->new_session)) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]225 return ssl_hs_error;
226 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]227 }
228
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]229 /* Set up the key schedule, hash in the ClientHello, and incorporate the PSK
230 * into the running secret. */
231 if (!tls13_init_key_schedule(ssl, resumption_ctx, hash_len) ||
232 !tls13_advance_key_schedule(ssl, psk_secret, hash_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]233 return ssl_hs_error;
234 }
235
236 /* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]237 int need_retry;
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]238 if (!resolve_ecdhe_secret(ssl, &need_retry, &client_hello)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]239 if (need_retry) {
240 hs->state = state_send_hello_retry_request;
241 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]242 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]243 return ssl_hs_error;
244 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]245
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]246 hs->state = state_send_server_hello;
247 return ssl_hs_ok;
248}
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]249
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]250static enum ssl_hs_wait_t do_send_hello_retry_request(SSL *ssl,
251 SSL_HANDSHAKE *hs) {
252 CBB cbb, body, extensions;
253 uint16_t group_id;
254 if (!ssl->method->init_message(ssl, &cbb, &body,
255 SSL3_MT_HELLO_RETRY_REQUEST) ||
256 !CBB_add_u16(&body, ssl->version) ||
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]257 !tls1_get_shared_group(ssl, &group_id) ||
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]258 !CBB_add_u16_length_prefixed(&body, &extensions) ||
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]259 !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
260 !CBB_add_u16(&extensions, 2 /* length */) ||
261 !CBB_add_u16(&extensions, group_id) ||
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]262 !ssl->method->finish_message(ssl, &cbb)) {
263 CBB_cleanup(&cbb);
264 return ssl_hs_error;
265 }
266
267 hs->state = state_flush_hello_retry_request;
268 return ssl_hs_write_message;
269}
270
271static enum ssl_hs_wait_t do_flush_hello_retry_request(SSL *ssl,
272 SSL_HANDSHAKE *hs) {
273 hs->state = state_process_second_client_hello;
274 return ssl_hs_flush_and_read_message;
275}
276
277static enum ssl_hs_wait_t do_process_second_client_hello(SSL *ssl,
278 SSL_HANDSHAKE *hs) {
279 if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
280 return ssl_hs_error;
281 }
282
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]283 struct ssl_early_callback_ctx client_hello;
284 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
David Benjamind7573dc2016-07-20 19:05:22 +0200[diff] [blame]285 ssl->init_num)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]286 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
287 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
288 return ssl_hs_error;
289 }
290
291 int need_retry;
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]292 if (!resolve_ecdhe_secret(ssl, &need_retry, &client_hello)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]293 if (need_retry) {
294 /* Only send one HelloRetryRequest. */
295 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
296 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]297 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]298 return ssl_hs_error;
299 }
300
301 if (!ssl->method->hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]302 return ssl_hs_error;
303 }
304
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]305 ssl->method->received_flight(ssl);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]306 hs->state = state_send_server_hello;
307 return ssl_hs_ok;
308}
309
310static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
311 CBB cbb, body, extensions;
312 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
313 !CBB_add_u16(&body, ssl->version) ||
314 !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
315 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
316 !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
317 !CBB_add_u16_length_prefixed(&body, &extensions) ||
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]318 !ssl_ext_pre_shared_key_add_serverhello(ssl, &extensions) ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]319 !ssl_ext_key_share_add_serverhello(ssl, &extensions)) {
320 goto err;
321 }
322
323 if (!ssl->s3->session_reused) {
324 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_signature_algorithms) ||
325 !CBB_add_u16(&extensions, 0)) {
326 goto err;
327 }
328 }
329
330 if (!ssl->method->finish_message(ssl, &cbb)) {
331 goto err;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]332 }
333
334 hs->state = state_send_encrypted_extensions;
335 return ssl_hs_write_message;
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]336
337err:
338 CBB_cleanup(&cbb);
339 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]340}
341
342static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL *ssl,
343 SSL_HANDSHAKE *hs) {
344 if (!tls13_set_handshake_traffic(ssl)) {
345 return ssl_hs_error;
346 }
347
348 CBB cbb, body;
349 if (!ssl->method->init_message(ssl, &cbb, &body,
350 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
351 !ssl_add_serverhello_tlsext(ssl, &body) ||
352 !ssl->method->finish_message(ssl, &cbb)) {
353 CBB_cleanup(&cbb);
354 return ssl_hs_error;
355 }
356
357 hs->state = state_send_certificate_request;
358 return ssl_hs_write_message;
359}
360
361static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl,
362 SSL_HANDSHAKE *hs) {
363 /* Determine whether to request a client certificate. */
David Benjamina0486782016-10-06 19:11:32 -0400[diff] [blame]364 ssl->s3->hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]365 /* CertificateRequest may only be sent in non-resumption handshakes. */
366 if (ssl->s3->session_reused) {
David Benjamina0486782016-10-06 19:11:32 -0400[diff] [blame]367 ssl->s3->hs->cert_request = 0;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]368 }
369
David Benjamina0486782016-10-06 19:11:32 -0400[diff] [blame]370 if (!ssl->s3->hs->cert_request) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]371 /* Skip this state. */
372 hs->state = state_send_server_certificate;
373 return ssl_hs_ok;
374 }
375
376 CBB cbb, body, sigalgs_cbb;
377 if (!ssl->method->init_message(ssl, &cbb, &body,
378 SSL3_MT_CERTIFICATE_REQUEST) ||
379 !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
380 goto err;
381 }
382
383 const uint16_t *sigalgs;
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame^]384 size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]385 if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
386 goto err;
387 }
388
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]389 for (size_t i = 0; i < num_sigalgs; i++) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]390 if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
391 goto err;
392 }
393 }
394
395 if (!ssl_add_client_CA_list(ssl, &body) ||
396 !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||
397 !ssl->method->finish_message(ssl, &cbb)) {
398 goto err;
399 }
400
401 hs->state = state_send_server_certificate;
402 return ssl_hs_write_message;
403
404err:
405 CBB_cleanup(&cbb);
406 return ssl_hs_error;
407}
408
409static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl,
410 SSL_HANDSHAKE *hs) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]411 if (ssl->s3->session_reused) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]412 hs->state = state_send_server_finished;
413 return ssl_hs_ok;
414 }
415
416 if (!ssl_has_certificate(ssl)) {
417 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
418 return ssl_hs_error;
419 }
420
421 if (!tls13_prepare_certificate(ssl)) {
422 return ssl_hs_error;
423 }
424
425 hs->state = state_send_server_certificate_verify;
426 return ssl_hs_write_message;
427}
428
429static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL *ssl,
430 SSL_HANDSHAKE *hs,
431 int is_first_run) {
432 switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {
433 case ssl_private_key_success:
434 hs->state = state_send_server_finished;
435 return ssl_hs_write_message;
436
437 case ssl_private_key_retry:
438 hs->state = state_complete_server_certificate_verify;
439 return ssl_hs_private_key_operation;
440
441 case ssl_private_key_failure:
442 return ssl_hs_error;
443 }
444
445 assert(0);
446 return ssl_hs_error;
447}
448
449static enum ssl_hs_wait_t do_send_server_finished(SSL *ssl, SSL_HANDSHAKE *hs) {
450 if (!tls13_prepare_finished(ssl)) {
451 return ssl_hs_error;
452 }
453
454 hs->state = state_flush;
455 return ssl_hs_write_message;
456}
457
458static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]459 /* Update the secret to the master secret and derive traffic keys. */
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]460 if (!tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||
461 !tls13_derive_traffic_secret_0(ssl) ||
462 !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]463 hs->server_traffic_secret_0, hs->hash_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]464 return ssl_hs_error;
465 }
466
467 hs->state = state_process_client_certificate;
David Benjaminf2401eb2016-07-18 22:25:05 +0200[diff] [blame]468 return ssl_hs_flush_and_read_message;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]469}
470
471static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,
472 SSL_HANDSHAKE *hs) {
David Benjamina0486782016-10-06 19:11:32 -0400[diff] [blame]473 if (!ssl->s3->hs->cert_request) {
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]474 /* OpenSSL returns X509_V_OK when no certificates are requested. This is
David Benjamindd634eb2016-08-18 16:40:28 -0400[diff] [blame]475 * classed by them as a bug, but it's assumed by at least NGINX. */
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]476 ssl->s3->new_session->verify_result = X509_V_OK;
477
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]478 /* Skip this state. */
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]479 hs->state = state_process_client_finished;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]480 return ssl_hs_ok;
481 }
482
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]483 const int allow_anonymous =
484 (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
485
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]486 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]487 !tls13_process_certificate(ssl, allow_anonymous) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]488 !ssl->method->hash_current_message(ssl)) {
489 return ssl_hs_error;
490 }
491
David Benjamin3ce43892016-08-01 19:41:34 -0400[diff] [blame]492 /* For historical reasons, the server's copy of the chain does not include the
493 * leaf while the client's does. */
494 if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) {
495 X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain));
496 }
497
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]498 hs->state = state_process_client_certificate_verify;
499 return ssl_hs_read_message;
500}
501
502static enum ssl_hs_wait_t do_process_client_certificate_verify(
503 SSL *ssl, SSL_HANDSHAKE *hs) {
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]504 if (ssl->s3->new_session->peer == NULL) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]505 /* Skip this state. */
506 hs->state = state_process_client_finished;
507 return ssl_hs_ok;
508 }
509
510 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
511 !tls13_process_certificate_verify(ssl) ||
512 !ssl->method->hash_current_message(ssl)) {
513 return 0;
514 }
515
516 hs->state = state_process_client_finished;
517 return ssl_hs_read_message;
518}
519
520static enum ssl_hs_wait_t do_process_client_finished(SSL *ssl,
521 SSL_HANDSHAKE *hs) {
522 if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||
523 !tls13_process_finished(ssl) ||
524 !ssl->method->hash_current_message(ssl) ||
525 /* evp_aead_seal keys have already been switched. */
526 !tls13_set_traffic_key(ssl, type_data, evp_aead_open,
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]527 hs->client_traffic_secret_0, hs->hash_len) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]528 !tls13_finalize_keys(ssl)) {
529 return ssl_hs_error;
530 }
531
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]532 ssl->method->received_flight(ssl);
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]533 hs->state = state_send_new_session_ticket;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]534 return ssl_hs_ok;
535}
536
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]537static enum ssl_hs_wait_t do_send_new_session_ticket(SSL *ssl,
538 SSL_HANDSHAKE *hs) {
539 SSL_SESSION *session = ssl->s3->new_session;
Martin Kreichgauerbaafa4a2016-08-09 10:18:40 -0700[diff] [blame]540 session->tlsext_tick_lifetime_hint = session->timeout;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]541
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]542 /* TODO(svaldez): Add support for sending 0RTT through TicketEarlyDataInfo
543 * extension. */
544
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]545 CBB cbb, body, ke_modes, auth_modes, ticket, extensions;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]546 if (!ssl->method->init_message(ssl, &cbb, &body,
547 SSL3_MT_NEW_SESSION_TICKET) ||
Martin Kreichgauerbaafa4a2016-08-09 10:18:40 -0700[diff] [blame]548 !CBB_add_u32(&body, session->tlsext_tick_lifetime_hint) ||
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]549 !CBB_add_u8_length_prefixed(&body, &ke_modes) ||
550 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE) ||
551 !CBB_add_u8_length_prefixed(&body, &auth_modes) ||
552 !CBB_add_u8(&auth_modes, SSL_PSK_AUTH) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]553 !CBB_add_u16_length_prefixed(&body, &ticket) ||
554 !ssl_encrypt_ticket(ssl, &ticket, session) ||
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]555 !CBB_add_u16_length_prefixed(&body, &extensions)) {
556 goto err;
557 }
558
559 /* Add a fake extension. See draft-davidben-tls-grease-01. */
560 if (ssl->ctx->grease_enabled) {
561 if (!CBB_add_u16(&extensions,
562 ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
563 !CBB_add_u16(&extensions, 0 /* empty */)) {
564 goto err;
565 }
566 }
567
568 if (!ssl->method->finish_message(ssl, &cbb)) {
569 goto err;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]570 }
571
572 hs->session_tickets_sent++;
573
574 hs->state = state_flush_new_session_ticket;
575 return ssl_hs_write_message;
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]576
577err:
578 CBB_cleanup(&cbb);
579 return ssl_hs_error;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]580}
581
582/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
583 * client makes several connections before getting a renewal. */
584static const int kNumTickets = 2;
585
586static enum ssl_hs_wait_t do_flush_new_session_ticket(SSL *ssl,
587 SSL_HANDSHAKE *hs) {
588 if (hs->session_tickets_sent >= kNumTickets) {
589 hs->state = state_done;
590 } else {
591 hs->state = state_send_new_session_ticket;
592 }
593 return ssl_hs_flush;
594}
595
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]596enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl) {
597 SSL_HANDSHAKE *hs = ssl->s3->hs;
598
599 while (hs->state != state_done) {
600 enum ssl_hs_wait_t ret = ssl_hs_error;
601 enum server_hs_state_t state = hs->state;
602 switch (state) {
603 case state_process_client_hello:
604 ret = do_process_client_hello(ssl, hs);
605 break;
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]606 case state_select_parameters:
607 ret = do_select_parameters(ssl, hs);
608 break;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]609 case state_send_hello_retry_request:
610 ret = do_send_hello_retry_request(ssl, hs);
611 break;
612 case state_flush_hello_retry_request:
613 ret = do_flush_hello_retry_request(ssl, hs);
614 break;
615 case state_process_second_client_hello:
616 ret = do_process_second_client_hello(ssl, hs);
617 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]618 case state_send_server_hello:
619 ret = do_send_server_hello(ssl, hs);
620 break;
621 case state_send_encrypted_extensions:
622 ret = do_send_encrypted_extensions(ssl, hs);
623 break;
624 case state_send_certificate_request:
625 ret = do_send_certificate_request(ssl, hs);
626 break;
627 case state_send_server_certificate:
628 ret = do_send_server_certificate(ssl, hs);
629 break;
630 case state_send_server_certificate_verify:
631 ret = do_send_server_certificate_verify(ssl, hs, 1 /* first run */);
632 break;
633 case state_complete_server_certificate_verify:
634 ret = do_send_server_certificate_verify(ssl, hs, 0 /* complete */);
635 break;
636 case state_send_server_finished:
637 ret = do_send_server_finished(ssl, hs);
638 break;
639 case state_flush:
640 ret = do_flush(ssl, hs);
641 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]642 case state_process_client_certificate:
643 ret = do_process_client_certificate(ssl, hs);
644 break;
645 case state_process_client_certificate_verify:
646 ret = do_process_client_certificate_verify(ssl, hs);
647 break;
648 case state_process_client_finished:
649 ret = do_process_client_finished(ssl, hs);
650 break;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]651 case state_send_new_session_ticket:
652 ret = do_send_new_session_ticket(ssl, hs);
653 break;
654 case state_flush_new_session_ticket:
655 ret = do_flush_new_session_ticket(ssl, hs);
656 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]657 case state_done:
658 ret = ssl_hs_ok;
659 break;
660 }
661
662 if (ret != ssl_hs_ok) {
663 return ret;
664 }
665 }
666
667 return ssl_hs_ok;
668}