Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 803c77a681ea5f0bed2bcacc0d71f26f48e1a596 / . / ssl / tls13_server.c
blob: 984cc5cacf08734dc23e334b190073ffd6bc4c25 [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/digest.h>
22#include <openssl/err.h>
23#include <openssl/mem.h>
24#include <openssl/rand.h>
25#include <openssl/stack.h>
26
27#include "internal.h"
28
29
30enum server_hs_state_t {
31 state_process_client_hello = 0,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]32 state_select_parameters,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]33 state_send_hello_retry_request,
34 state_flush_hello_retry_request,
35 state_process_second_client_hello,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]36 state_send_server_hello,
37 state_send_encrypted_extensions,
38 state_send_certificate_request,
39 state_send_server_certificate,
40 state_send_server_certificate_verify,
41 state_complete_server_certificate_verify,
42 state_send_server_finished,
43 state_flush,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]44 state_process_client_certificate,
45 state_process_client_certificate_verify,
46 state_process_client_finished,
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]47 state_send_new_session_ticket,
48 state_flush_new_session_ticket,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]49 state_done,
50};
51
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]52static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
53
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]54static int resolve_ecdhe_secret(SSL *ssl, int *out_need_retry,
55 struct ssl_early_callback_ctx *early_ctx) {
56 *out_need_retry = 0;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]57
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]58 /* We only support connections that include an ECDHE key exchange. */
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]59 CBS key_share;
David Benjamincec73442016-08-02 17:41:33 -0400[diff] [blame]60 if (!ssl_early_callback_get_extension(early_ctx, &key_share,
61 TLSEXT_TYPE_key_share)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]62 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
63 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
64 return ssl_hs_error;
65 }
66
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]67 int found_key_share;
68 uint8_t *dhe_secret;
69 size_t dhe_secret_len;
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]70 uint8_t alert = SSL_AD_DECODE_ERROR;
Steven Valdez7259f2f2016-08-02 16:55:05 -0400[diff] [blame]71 if (!ssl_ext_key_share_parse_clienthello(ssl, &found_key_share, &dhe_secret,
72 &dhe_secret_len, &alert,
73 &key_share)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]74 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
75 return 0;
76 }
77
78 if (!found_key_share) {
79 *out_need_retry = 1;
80 return 0;
81 }
82
83 int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);
84 OPENSSL_free(dhe_secret);
85 return ok;
86}
87
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]88static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
89 if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
90 return ssl_hs_error;
91 }
92
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]93 struct ssl_early_callback_ctx client_hello;
94 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
David Benjamind7573dc2016-07-20 19:05:22 +0200[diff] [blame]95 ssl->init_num)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]96 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
97 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
98 return ssl_hs_error;
99 }
100
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]101 assert(ssl->s3->have_version);
102
103 /* Load the client random. */
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]104 if (client_hello.random_len != SSL3_RANDOM_SIZE) {
105 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
106 return -1;
107 }
108 memcpy(ssl->s3->client_random, client_hello.random, client_hello.random_len);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]109
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]110 uint8_t alert = SSL_AD_DECODE_ERROR;
111 SSL_SESSION *session = NULL;
112 CBS pre_shared_key;
113 if (ssl_early_callback_get_extension(&client_hello, &pre_shared_key,
114 TLSEXT_TYPE_pre_shared_key) &&
115 !ssl_ext_pre_shared_key_parse_clienthello(ssl, &session, &alert,
116 &pre_shared_key)) {
117 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
118 return 0;
119 }
120
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]121 if (session != NULL &&
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]122 /* Only resume if the session's version matches. */
123 (session->ssl_version != ssl->version ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]124 !ssl_client_cipher_list_contains_cipher(
125 &client_hello, (uint16_t)SSL_CIPHER_get_id(session->cipher)))) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]126 SSL_SESSION_free(session);
127 session = NULL;
128 }
129
130 if (session == NULL) {
131 if (!ssl_get_new_session(ssl, 1 /* server */)) {
132 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
133 return ssl_hs_error;
134 }
135 } else {
136 /* Only authentication information carries over in TLS 1.3. */
137 ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
138 if (ssl->s3->new_session == NULL) {
139 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
140 return ssl_hs_error;
141 }
142 ssl->s3->session_reused = 1;
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]143 SSL_SESSION_free(session);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]144 }
145
146 if (ssl->ctx->dos_protection_cb != NULL &&
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]147 ssl->ctx->dos_protection_cb(&client_hello) == 0) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]148 /* Connection rejected for DOS reasons. */
149 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]150 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]151 return ssl_hs_error;
152 }
153
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]154 /* TLS 1.3 requires the peer only advertise the null compression. */
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]155 if (client_hello.compression_methods_len != 1 ||
156 client_hello.compression_methods[0] != 0) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]157 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
158 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
159 return ssl_hs_error;
160 }
161
162 /* TLS extensions. */
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]163 if (!ssl_parse_clienthello_tlsext(ssl, &client_hello)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]164 OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
165 return ssl_hs_error;
166 }
167
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]168 hs->state = state_select_parameters;
169 return ssl_hs_ok;
170}
171
172static enum ssl_hs_wait_t do_select_parameters(SSL *ssl, SSL_HANDSHAKE *hs) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]173 if (!ssl->s3->session_reused) {
174 /* Call |cert_cb| to update server certificates if required. */
175 if (ssl->cert->cert_cb != NULL) {
176 int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);
177 if (rv == 0) {
178 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
179 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
180 return ssl_hs_error;
181 }
182 if (rv < 0) {
183 hs->state = state_select_parameters;
184 return ssl_hs_x509_lookup;
185 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]186 }
187 }
188
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]189 struct ssl_early_callback_ctx client_hello;
190 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
191 ssl->init_num)) {
192 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
193 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
194 return ssl_hs_error;
195 }
196
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]197 if (!ssl->s3->session_reused) {
198 const SSL_CIPHER *cipher =
199 ssl3_choose_cipher(ssl, &client_hello, ssl_get_cipher_preferences(ssl));
200 if (cipher == NULL) {
201 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
202 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
203 return ssl_hs_error;
204 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]205
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]206 ssl->s3->new_session->cipher = cipher;
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]207 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]208
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]209 ssl->s3->tmp.new_cipher = ssl->s3->new_session->cipher;
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]210 ssl->method->received_flight(ssl);
211
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]212
213 /* The PRF hash is now known. */
214 size_t hash_len =
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]215 EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]216
217 /* Derive resumption material. */
218 uint8_t resumption_ctx[EVP_MAX_MD_SIZE] = {0};
219 uint8_t psk_secret[EVP_MAX_MD_SIZE] = {0};
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]220 if (ssl->s3->session_reused) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]221 if (!tls13_resumption_context(ssl, resumption_ctx, hash_len,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]222 ssl->s3->new_session) ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]223 !tls13_resumption_psk(ssl, psk_secret, hash_len,
224 ssl->s3->new_session)) {
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]225 return ssl_hs_error;
226 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]227 }
228
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]229 /* Set up the key schedule, hash in the ClientHello, and incorporate the PSK
230 * into the running secret. */
231 if (!tls13_init_key_schedule(ssl, resumption_ctx, hash_len) ||
232 !tls13_advance_key_schedule(ssl, psk_secret, hash_len)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]233 return ssl_hs_error;
234 }
235
236 /* Resolve ECDHE and incorporate it into the secret. */
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]237 int need_retry;
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]238 if (!resolve_ecdhe_secret(ssl, &need_retry, &client_hello)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]239 if (need_retry) {
240 hs->state = state_send_hello_retry_request;
241 return ssl_hs_ok;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]242 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]243 return ssl_hs_error;
244 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]245
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]246 hs->state = state_send_server_hello;
247 return ssl_hs_ok;
248}
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]249
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]250static enum ssl_hs_wait_t do_send_hello_retry_request(SSL *ssl,
251 SSL_HANDSHAKE *hs) {
252 CBB cbb, body, extensions;
253 uint16_t group_id;
254 if (!ssl->method->init_message(ssl, &cbb, &body,
255 SSL3_MT_HELLO_RETRY_REQUEST) ||
256 !CBB_add_u16(&body, ssl->version) ||
257 !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
258 !tls1_get_shared_group(ssl, &group_id) ||
259 !CBB_add_u16(&body, group_id) ||
260 !CBB_add_u16_length_prefixed(&body, &extensions) ||
261 !ssl->method->finish_message(ssl, &cbb)) {
262 CBB_cleanup(&cbb);
263 return ssl_hs_error;
264 }
265
266 hs->state = state_flush_hello_retry_request;
267 return ssl_hs_write_message;
268}
269
270static enum ssl_hs_wait_t do_flush_hello_retry_request(SSL *ssl,
271 SSL_HANDSHAKE *hs) {
272 hs->state = state_process_second_client_hello;
273 return ssl_hs_flush_and_read_message;
274}
275
276static enum ssl_hs_wait_t do_process_second_client_hello(SSL *ssl,
277 SSL_HANDSHAKE *hs) {
278 if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
279 return ssl_hs_error;
280 }
281
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]282 struct ssl_early_callback_ctx client_hello;
283 if (!ssl_early_callback_init(ssl, &client_hello, ssl->init_msg,
David Benjamind7573dc2016-07-20 19:05:22 +0200[diff] [blame]284 ssl->init_num)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]285 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
286 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
287 return ssl_hs_error;
288 }
289
290 int need_retry;
David Benjamine14ff062016-08-09 16:21:24 -0400[diff] [blame]291 if (!resolve_ecdhe_secret(ssl, &need_retry, &client_hello)) {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]292 if (need_retry) {
293 /* Only send one HelloRetryRequest. */
294 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
295 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]296 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]297 return ssl_hs_error;
298 }
299
300 if (!ssl->method->hash_current_message(ssl)) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]301 return ssl_hs_error;
302 }
303
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]304 ssl->method->received_flight(ssl);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]305 hs->state = state_send_server_hello;
306 return ssl_hs_ok;
307}
308
309static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {
310 CBB cbb, body, extensions;
311 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
312 !CBB_add_u16(&body, ssl->version) ||
313 !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
314 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
315 !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
316 !CBB_add_u16_length_prefixed(&body, &extensions) ||
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]317 !ssl_ext_pre_shared_key_add_serverhello(ssl, &extensions) ||
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]318 !ssl_ext_key_share_add_serverhello(ssl, &extensions)) {
319 goto err;
320 }
321
322 if (!ssl->s3->session_reused) {
323 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_signature_algorithms) ||
324 !CBB_add_u16(&extensions, 0)) {
325 goto err;
326 }
327 }
328
329 if (!ssl->method->finish_message(ssl, &cbb)) {
330 goto err;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]331 }
332
333 hs->state = state_send_encrypted_extensions;
334 return ssl_hs_write_message;
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]335
336err:
337 CBB_cleanup(&cbb);
338 return ssl_hs_error;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]339}
340
341static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL *ssl,
342 SSL_HANDSHAKE *hs) {
343 if (!tls13_set_handshake_traffic(ssl)) {
344 return ssl_hs_error;
345 }
346
347 CBB cbb, body;
348 if (!ssl->method->init_message(ssl, &cbb, &body,
349 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
350 !ssl_add_serverhello_tlsext(ssl, &body) ||
351 !ssl->method->finish_message(ssl, &cbb)) {
352 CBB_cleanup(&cbb);
353 return ssl_hs_error;
354 }
355
356 hs->state = state_send_certificate_request;
357 return ssl_hs_write_message;
358}
359
360static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl,
361 SSL_HANDSHAKE *hs) {
362 /* Determine whether to request a client certificate. */
363 ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]364 /* CertificateRequest may only be sent in non-resumption handshakes. */
365 if (ssl->s3->session_reused) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]366 ssl->s3->tmp.cert_request = 0;
367 }
368
369 if (!ssl->s3->tmp.cert_request) {
370 /* Skip this state. */
371 hs->state = state_send_server_certificate;
372 return ssl_hs_ok;
373 }
374
375 CBB cbb, body, sigalgs_cbb;
376 if (!ssl->method->init_message(ssl, &cbb, &body,
377 SSL3_MT_CERTIFICATE_REQUEST) ||
378 !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
379 goto err;
380 }
381
382 const uint16_t *sigalgs;
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]383 size_t num_sigalgs = tls12_get_psigalgs(ssl, &sigalgs);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]384 if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
385 goto err;
386 }
387
David Benjamin0fc37ef2016-08-17 15:29:46 -0400[diff] [blame]388 for (size_t i = 0; i < num_sigalgs; i++) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]389 if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
390 goto err;
391 }
392 }
393
394 if (!ssl_add_client_CA_list(ssl, &body) ||
395 !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||
396 !ssl->method->finish_message(ssl, &cbb)) {
397 goto err;
398 }
399
400 hs->state = state_send_server_certificate;
401 return ssl_hs_write_message;
402
403err:
404 CBB_cleanup(&cbb);
405 return ssl_hs_error;
406}
407
408static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl,
409 SSL_HANDSHAKE *hs) {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame^]410 if (ssl->s3->session_reused) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]411 hs->state = state_send_server_finished;
412 return ssl_hs_ok;
413 }
414
415 if (!ssl_has_certificate(ssl)) {
416 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
417 return ssl_hs_error;
418 }
419
420 if (!tls13_prepare_certificate(ssl)) {
421 return ssl_hs_error;
422 }
423
424 hs->state = state_send_server_certificate_verify;
425 return ssl_hs_write_message;
426}
427
428static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL *ssl,
429 SSL_HANDSHAKE *hs,
430 int is_first_run) {
431 switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {
432 case ssl_private_key_success:
433 hs->state = state_send_server_finished;
434 return ssl_hs_write_message;
435
436 case ssl_private_key_retry:
437 hs->state = state_complete_server_certificate_verify;
438 return ssl_hs_private_key_operation;
439
440 case ssl_private_key_failure:
441 return ssl_hs_error;
442 }
443
444 assert(0);
445 return ssl_hs_error;
446}
447
448static enum ssl_hs_wait_t do_send_server_finished(SSL *ssl, SSL_HANDSHAKE *hs) {
449 if (!tls13_prepare_finished(ssl)) {
450 return ssl_hs_error;
451 }
452
453 hs->state = state_flush;
454 return ssl_hs_write_message;
455}
456
457static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]458 /* Update the secret to the master secret and derive traffic keys. */
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]459 if (!tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||
460 !tls13_derive_traffic_secret_0(ssl) ||
461 !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,
462 hs->traffic_secret_0, hs->hash_len)) {
463 return ssl_hs_error;
464 }
465
466 hs->state = state_process_client_certificate;
David Benjaminf2401eb2016-07-18 22:25:05 +0200[diff] [blame]467 return ssl_hs_flush_and_read_message;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]468}
469
470static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,
471 SSL_HANDSHAKE *hs) {
472 if (!ssl->s3->tmp.cert_request) {
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]473 /* OpenSSL returns X509_V_OK when no certificates are requested. This is
David Benjamindd634eb2016-08-18 16:40:28 -0400[diff] [blame]474 * classed by them as a bug, but it's assumed by at least NGINX. */
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]475 ssl->s3->new_session->verify_result = X509_V_OK;
476
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]477 /* Skip this state. */
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]478 hs->state = state_process_client_finished;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]479 return ssl_hs_ok;
480 }
481
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]482 const int allow_anonymous =
483 (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
484
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]485 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]486 !tls13_process_certificate(ssl, allow_anonymous) ||
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]487 !ssl->method->hash_current_message(ssl)) {
488 return ssl_hs_error;
489 }
490
David Benjamin3ce43892016-08-01 19:41:34 -0400[diff] [blame]491 /* For historical reasons, the server's copy of the chain does not include the
492 * leaf while the client's does. */
493 if (sk_X509_num(ssl->s3->new_session->cert_chain) > 0) {
494 X509_free(sk_X509_shift(ssl->s3->new_session->cert_chain));
495 }
496
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]497 hs->state = state_process_client_certificate_verify;
498 return ssl_hs_read_message;
499}
500
501static enum ssl_hs_wait_t do_process_client_certificate_verify(
502 SSL *ssl, SSL_HANDSHAKE *hs) {
Steven Valdez87eab492016-06-27 16:34:59 -0400[diff] [blame]503 if (ssl->s3->new_session->peer == NULL) {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]504 /* Skip this state. */
505 hs->state = state_process_client_finished;
506 return ssl_hs_ok;
507 }
508
509 if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
510 !tls13_process_certificate_verify(ssl) ||
511 !ssl->method->hash_current_message(ssl)) {
512 return 0;
513 }
514
515 hs->state = state_process_client_finished;
516 return ssl_hs_read_message;
517}
518
519static enum ssl_hs_wait_t do_process_client_finished(SSL *ssl,
520 SSL_HANDSHAKE *hs) {
521 if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||
522 !tls13_process_finished(ssl) ||
523 !ssl->method->hash_current_message(ssl) ||
524 /* evp_aead_seal keys have already been switched. */
525 !tls13_set_traffic_key(ssl, type_data, evp_aead_open,
526 hs->traffic_secret_0, hs->hash_len) ||
527 !tls13_finalize_keys(ssl)) {
528 return ssl_hs_error;
529 }
530
David Benjamin613fe3b2016-07-22 17:39:29 +0200[diff] [blame]531 ssl->method->received_flight(ssl);
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]532 hs->state = state_send_new_session_ticket;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]533 return ssl_hs_ok;
534}
535
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]536static enum ssl_hs_wait_t do_send_new_session_ticket(SSL *ssl,
537 SSL_HANDSHAKE *hs) {
538 SSL_SESSION *session = ssl->s3->new_session;
Martin Kreichgauerbaafa4a2016-08-09 10:18:40 -0700[diff] [blame]539 session->tlsext_tick_lifetime_hint = session->timeout;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]540
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]541 /* TODO(svaldez): Add support for sending 0RTT through TicketEarlyDataInfo
542 * extension. */
543
544 CBB cbb, body, ke_modes, auth_modes, ticket;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]545 if (!ssl->method->init_message(ssl, &cbb, &body,
546 SSL3_MT_NEW_SESSION_TICKET) ||
Martin Kreichgauerbaafa4a2016-08-09 10:18:40 -0700[diff] [blame]547 !CBB_add_u32(&body, session->tlsext_tick_lifetime_hint) ||
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]548 !CBB_add_u8_length_prefixed(&body, &ke_modes) ||
549 !CBB_add_u8(&ke_modes, SSL_PSK_DHE_KE) ||
550 !CBB_add_u8_length_prefixed(&body, &auth_modes) ||
551 !CBB_add_u8(&auth_modes, SSL_PSK_AUTH) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]552 !CBB_add_u16_length_prefixed(&body, &ticket) ||
553 !ssl_encrypt_ticket(ssl, &ticket, session) ||
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]554 !CBB_add_u16(&body, 0 /* no ticket extensions */) ||
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]555 !ssl->method->finish_message(ssl, &cbb)) {
556 CBB_cleanup(&cbb);
557 return ssl_hs_error;
558 }
559
560 hs->session_tickets_sent++;
561
562 hs->state = state_flush_new_session_ticket;
563 return ssl_hs_write_message;
564}
565
566/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
567 * client makes several connections before getting a renewal. */
568static const int kNumTickets = 2;
569
570static enum ssl_hs_wait_t do_flush_new_session_ticket(SSL *ssl,
571 SSL_HANDSHAKE *hs) {
572 if (hs->session_tickets_sent >= kNumTickets) {
573 hs->state = state_done;
574 } else {
575 hs->state = state_send_new_session_ticket;
576 }
577 return ssl_hs_flush;
578}
579
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]580enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl) {
581 SSL_HANDSHAKE *hs = ssl->s3->hs;
582
583 while (hs->state != state_done) {
584 enum ssl_hs_wait_t ret = ssl_hs_error;
585 enum server_hs_state_t state = hs->state;
586 switch (state) {
587 case state_process_client_hello:
588 ret = do_process_client_hello(ssl, hs);
589 break;
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]590 case state_select_parameters:
591 ret = do_select_parameters(ssl, hs);
592 break;
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]593 case state_send_hello_retry_request:
594 ret = do_send_hello_retry_request(ssl, hs);
595 break;
596 case state_flush_hello_retry_request:
597 ret = do_flush_hello_retry_request(ssl, hs);
598 break;
599 case state_process_second_client_hello:
600 ret = do_process_second_client_hello(ssl, hs);
601 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]602 case state_send_server_hello:
603 ret = do_send_server_hello(ssl, hs);
604 break;
605 case state_send_encrypted_extensions:
606 ret = do_send_encrypted_extensions(ssl, hs);
607 break;
608 case state_send_certificate_request:
609 ret = do_send_certificate_request(ssl, hs);
610 break;
611 case state_send_server_certificate:
612 ret = do_send_server_certificate(ssl, hs);
613 break;
614 case state_send_server_certificate_verify:
615 ret = do_send_server_certificate_verify(ssl, hs, 1 /* first run */);
616 break;
617 case state_complete_server_certificate_verify:
618 ret = do_send_server_certificate_verify(ssl, hs, 0 /* complete */);
619 break;
620 case state_send_server_finished:
621 ret = do_send_server_finished(ssl, hs);
622 break;
623 case state_flush:
624 ret = do_flush(ssl, hs);
625 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]626 case state_process_client_certificate:
627 ret = do_process_client_certificate(ssl, hs);
628 break;
629 case state_process_client_certificate_verify:
630 ret = do_process_client_certificate_verify(ssl, hs);
631 break;
632 case state_process_client_finished:
633 ret = do_process_client_finished(ssl, hs);
634 break;
Steven Valdez1e6f11a2016-07-27 11:10:52 -0400[diff] [blame]635 case state_send_new_session_ticket:
636 ret = do_send_new_session_ticket(ssl, hs);
637 break;
638 case state_flush_new_session_ticket:
639 ret = do_flush_new_session_ticket(ssl, hs);
640 break;
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]641 case state_done:
642 ret = ssl_hs_ok;
643 break;
644 }
645
646 if (ret != ssl_hs_ok) {
647 return ret;
648 }
649 }
650
651 return ssl_hs_ok;
652}