Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 5440fe0cd10aab3c106eadf9873bb6d61344e29f / . / ssl / tls13_both.c
blob: 3cebdd395f48cbd7e6381773b4d7fe73737982ef [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/err.h>
22#include <openssl/hkdf.h>
23#include <openssl/mem.h>
24#include <openssl/stack.h>
25#include <openssl/x509.h>
26#include <openssl/x509v3.h>
27
28#include "internal.h"
29
30
31SSL_HANDSHAKE *ssl_handshake_new(enum ssl_hs_wait_t (*do_handshake)(SSL *ssl)) {
32 SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));
33 if (hs == NULL) {
34 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
35 return NULL;
36 }
37 memset(hs, 0, sizeof(SSL_HANDSHAKE));
38 hs->do_handshake = do_handshake;
39 hs->wait = ssl_hs_ok;
40 return hs;
41}
42
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]43void ssl_handshake_clear_groups(SSL_HANDSHAKE *hs) {
44 if (hs->groups == NULL) {
45 return;
46 }
47
48 for (size_t i = 0; i < hs->groups_len; i++) {
49 SSL_ECDH_CTX_cleanup(&hs->groups[i]);
50 }
51 OPENSSL_free(hs->groups);
52 hs->groups = NULL;
53 hs->groups_len = 0;
54}
55
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]56void ssl_handshake_free(SSL_HANDSHAKE *hs) {
57 if (hs == NULL) {
58 return;
59 }
60
61 OPENSSL_cleanse(hs->secret, sizeof(hs->secret));
62 OPENSSL_cleanse(hs->traffic_secret_0, sizeof(hs->traffic_secret_0));
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]63 ssl_handshake_clear_groups(hs);
64 OPENSSL_free(hs->key_share_bytes);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]65 OPENSSL_free(hs->public_key);
66 OPENSSL_free(hs->cert_context);
67 OPENSSL_free(hs);
68}
69
70int tls13_handshake(SSL *ssl) {
71 SSL_HANDSHAKE *hs = ssl->s3->hs;
72
73 for (;;) {
74 /* Resolve the operation the handshake was waiting on. */
75 switch (hs->wait) {
76 case ssl_hs_error:
77 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
78 return -1;
79
David Benjaminf2401eb2016-07-18 22:25:05 +0200[diff] [blame]80 case ssl_hs_flush:
81 case ssl_hs_flush_and_read_message: {
82 int ret = BIO_flush(ssl->wbio);
83 if (ret <= 0) {
84 ssl->rwstate = SSL_WRITING;
85 return ret;
86 }
87 if (hs->wait != ssl_hs_flush_and_read_message) {
88 break;
89 }
90 hs->wait = ssl_hs_read_message;
91 /* Fall-through. */
92 }
93
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]94 case ssl_hs_read_message: {
95 int ret = ssl->method->ssl_get_message(ssl, -1, ssl_dont_hash_message);
96 if (ret <= 0) {
97 return ret;
98 }
99 break;
100 }
101
102 case ssl_hs_write_message: {
103 int ret = ssl->method->write_message(ssl);
104 if (ret <= 0) {
105 return ret;
106 }
107 break;
108 }
109
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]110 case ssl_hs_x509_lookup:
111 ssl->rwstate = SSL_X509_LOOKUP;
112 hs->wait = ssl_hs_ok;
113 return -1;
114
115 case ssl_hs_private_key_operation:
116 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
117 hs->wait = ssl_hs_ok;
118 return -1;
119
120 case ssl_hs_ok:
121 break;
122 }
123
124 /* Run the state machine again. */
125 hs->wait = hs->do_handshake(ssl);
126 if (hs->wait == ssl_hs_error) {
127 /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
128 * first time around. */
129 return -1;
130 }
131 if (hs->wait == ssl_hs_ok) {
132 /* The handshake has completed. */
133 return 1;
134 }
135
136 /* Otherwise, loop to the beginning and resolve what was blocking the
137 * handshake. */
138 }
139}
140
141static int tls13_get_cert_verify_signature_input(SSL *ssl, uint8_t **out,
142 size_t *out_len, int server) {
143 CBB cbb;
144 if (!CBB_init(&cbb, 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
145 goto err;
146 }
147
148 for (size_t i = 0; i < 64; i++) {
149 if (!CBB_add_u8(&cbb, 0x20)) {
150 goto err;
151 }
152 }
153
154 if (server) {
155 /* Include the NUL byte. */
156 static const char kContext[] = "TLS 1.3, server CertificateVerify";
157 if (!CBB_add_bytes(&cbb, (const uint8_t *)kContext, sizeof(kContext))) {
158 goto err;
159 }
160 } else {
161 static const char kContext[] = "TLS 1.3, client CertificateVerify";
162 if (!CBB_add_bytes(&cbb, (const uint8_t *)kContext, sizeof(kContext))) {
163 goto err;
164 }
165 }
166
167 uint8_t context_hashes[2 * EVP_MAX_MD_SIZE];
168 size_t context_hashes_len;
169 if (!tls13_get_context_hashes(ssl, context_hashes, &context_hashes_len) ||
170 !CBB_add_bytes(&cbb, context_hashes, context_hashes_len) ||
171 !CBB_finish(&cbb, out, out_len)) {
172 goto err;
173 }
174
175 return 1;
176
177err:
178 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
179 CBB_cleanup(&cbb);
180 return 0;
181}
182
183int tls13_process_certificate(SSL *ssl) {
184 CBS cbs, context;
185 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
186 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
187 CBS_len(&context) != 0) {
188 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
189 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
190 return 0;
191 }
192
193 int ret = 0;
194 uint8_t alert;
195 STACK_OF(X509) *chain = ssl_parse_cert_chain(
196 ssl, &alert,
197 ssl->ctx->retain_only_sha256_of_client_certs ? ssl->session->peer_sha256
198 : NULL,
199 &cbs);
200 if (chain == NULL) {
201 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
202 goto err;
203 }
204
205 if (CBS_len(&cbs) != 0) {
206 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
207 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
208 goto err;
209 }
210
211 if (sk_X509_num(chain) == 0) {
212 /* Clients must receive a certificate from the server. */
213 if (!ssl->server) {
214 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
215 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
216 goto err;
217 }
218
219 /* Servers may be configured to accept anonymous clients. */
220 if ((ssl->verify_mode & SSL_VERIFY_PEER) &&
221 (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
222 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
223 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
224 goto err;
225 }
226
227 /* No certificate, so nothing more to do. */
228 ret = 1;
229 goto err;
230 }
231
232 if (ssl->server && ssl->ctx->retain_only_sha256_of_client_certs) {
233 /* The hash was filled in by |ssl_parse_cert_chain|. */
234 ssl->session->peer_sha256_valid = 1;
235 }
236
237 X509 *leaf = sk_X509_value(chain, 0);
238 if (!ssl->server && !ssl_check_leaf_certificate(ssl, leaf)) {
239 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
240 goto err;
241 }
242
243 int verify_ret = ssl_verify_cert_chain(ssl, chain);
244 /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
245 if (ssl->verify_mode != SSL_VERIFY_NONE && verify_ret <= 0) {
246 int al = ssl_verify_alarm_type(ssl->verify_result);
247 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
248 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
249 goto err;
250 }
251 ERR_clear_error();
252
253 ssl->session->verify_result = ssl->verify_result;
254
255 X509_free(ssl->session->peer);
256 /* For historical reasons, the client and server differ on whether the chain
257 * includes the leaf. */
258 if (ssl->server) {
259 ssl->session->peer = sk_X509_shift(chain);
260 } else {
261 ssl->session->peer = X509_up_ref(leaf);
262 }
263
264 sk_X509_pop_free(ssl->session->cert_chain, X509_free);
265 ssl->session->cert_chain = chain;
266 chain = NULL;
267
268 ret = 1;
269
270err:
271 sk_X509_pop_free(chain, X509_free);
272 return ret;
273}
274
275int tls13_process_certificate_verify(SSL *ssl) {
276 int ret = 0;
277 X509 *peer = ssl->session->peer;
278 EVP_PKEY *pkey = NULL;
279 uint8_t *msg = NULL;
280 size_t msg_len;
281
282 /* Filter out unsupported certificate types. */
283 pkey = X509_get_pubkey(peer);
284 if (pkey == NULL) {
285 goto err;
286 }
287
288 CBS cbs, signature;
289 uint16_t signature_algorithm;
290 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
291 if (!CBS_get_u16(&cbs, &signature_algorithm) ||
292 !CBS_get_u16_length_prefixed(&cbs, &signature) ||
293 CBS_len(&cbs) != 0) {
294 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
295 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
296 goto err;
297 }
298
299 int al;
300 if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
301 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
302 goto err;
303 }
304 ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;
305
306 if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
307 !ssl->server)) {
308 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
309 goto err;
310 }
311
312 int sig_ok =
313 ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
314 signature_algorithm, pkey, msg, msg_len);
315 if (!sig_ok) {
316 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
317 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
318 goto err;
319 }
320
321 ret = 1;
322
323err:
324 EVP_PKEY_free(pkey);
325 OPENSSL_free(msg);
326 return ret;
327}
328
329int tls13_check_message_type(SSL *ssl, int type) {
330 if (ssl->s3->tmp.message_type != type) {
331 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
332 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
David Benjaminf2401eb2016-07-18 22:25:05 +0200[diff] [blame]333 ERR_add_error_dataf("got type %d, wanted type %d",
334 ssl->s3->tmp.message_type, type);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]335 return 0;
336 }
337
338 return 1;
339}
340
341int tls13_process_finished(SSL *ssl) {
342 uint8_t verify_data[EVP_MAX_MD_SIZE];
343 size_t verify_data_len;
344 if (!tls13_finished_mac(ssl, verify_data, &verify_data_len, !ssl->server)) {
345 return 0;
346 }
347
348 if (ssl->init_num != verify_data_len ||
349 CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) != 0) {
350 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
351 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
352 return 0;
353 }
354
355 return 1;
356}
357
358int tls13_prepare_certificate(SSL *ssl) {
359 CBB cbb, body, context;
360 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||
361 !CBB_add_u8_length_prefixed(&body, &context) ||
362 !CBB_add_bytes(&context, ssl->s3->hs->cert_context,
363 ssl->s3->hs->cert_context_len) ||
364 !ssl_add_cert_chain(ssl, &body) ||
365 !ssl->method->finish_message(ssl, &cbb)) {
366 CBB_cleanup(&cbb);
367 return 0;
368 }
369
370 return 1;
371}
372
373enum ssl_private_key_result_t tls13_prepare_certificate_verify(
374 SSL *ssl, int is_first_run) {
375 enum ssl_private_key_result_t ret = ssl_private_key_failure;
376 uint8_t *msg = NULL;
377 size_t msg_len;
378 CBB cbb, body;
379 CBB_zero(&cbb);
380
381 uint16_t signature_algorithm;
382 if (!tls1_choose_signature_algorithm(ssl, &signature_algorithm)) {
383 goto err;
384 }
385 if (!ssl->method->init_message(ssl, &cbb, &body,
386 SSL3_MT_CERTIFICATE_VERIFY) ||
387 !CBB_add_u16(&body, signature_algorithm)) {
388 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
389 goto err;
390 }
391
392 /* Sign the digest. */
393 CBB child;
394 const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
395 uint8_t *sig;
396 size_t sig_len;
397 if (!CBB_add_u16_length_prefixed(&body, &child) ||
398 !CBB_reserve(&child, &sig, max_sig_len)) {
399 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
400 goto err;
401 }
402
403 enum ssl_private_key_result_t sign_result;
404 if (is_first_run) {
405 if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
406 ssl->server)) {
407 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
408 goto err;
409 }
410 sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len,
411 signature_algorithm, msg, msg_len);
412 } else {
413 sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len);
414 }
415
416 if (sign_result != ssl_private_key_success) {
417 ret = sign_result;
418 goto err;
419 }
420
421 if (!CBB_did_write(&child, sig_len) ||
422 !ssl->method->finish_message(ssl, &cbb)) {
423 goto err;
424 }
425
426 ret = ssl_private_key_success;
427
428err:
429 CBB_cleanup(&cbb);
430 OPENSSL_free(msg);
431 return ret;
432}
433
434int tls13_prepare_finished(SSL *ssl) {
435 size_t verify_data_len;
436 uint8_t verify_data[EVP_MAX_MD_SIZE];
437
438 if (!tls13_finished_mac(ssl, verify_data, &verify_data_len, ssl->server)) {
439 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
440 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
441 return 0;
442 }
443
444 CBB cbb, body;
445 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||
446 !CBB_add_bytes(&body, verify_data, verify_data_len) ||
447 !ssl->method->finish_message(ssl, &cbb)) {
448 CBB_cleanup(&cbb);
449 return 0;
450 }
451
452 return 1;
453}