Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / feff406782b1299a8ceda60253a0879053b39805 / . / ssl / tls13_both.c
blob: 4e9feaa5ed3d4801bedfad3090c7bce0bb58d51c [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/err.h>
22#include <openssl/hkdf.h>
23#include <openssl/mem.h>
24#include <openssl/stack.h>
25#include <openssl/x509.h>
26#include <openssl/x509v3.h>
27
28#include "internal.h"
29
30
31SSL_HANDSHAKE *ssl_handshake_new(enum ssl_hs_wait_t (*do_handshake)(SSL *ssl)) {
32 SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));
33 if (hs == NULL) {
34 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
35 return NULL;
36 }
37 memset(hs, 0, sizeof(SSL_HANDSHAKE));
38 hs->do_handshake = do_handshake;
39 hs->wait = ssl_hs_ok;
40 return hs;
41}
42
43void ssl_handshake_free(SSL_HANDSHAKE *hs) {
44 if (hs == NULL) {
45 return;
46 }
47
48 OPENSSL_cleanse(hs->secret, sizeof(hs->secret));
49 OPENSSL_cleanse(hs->traffic_secret_0, sizeof(hs->traffic_secret_0));
50 if (hs->groups != NULL) {
51 for (size_t i = 0; i < hs->groups_len; i++) {
52 SSL_ECDH_CTX_cleanup(&hs->groups[i]);
53 }
54 OPENSSL_free(hs->groups);
55 }
56 OPENSSL_free(hs->public_key);
57 OPENSSL_free(hs->cert_context);
58 OPENSSL_free(hs);
59}
60
61int tls13_handshake(SSL *ssl) {
62 SSL_HANDSHAKE *hs = ssl->s3->hs;
63
64 for (;;) {
65 /* Resolve the operation the handshake was waiting on. */
66 switch (hs->wait) {
67 case ssl_hs_error:
68 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
69 return -1;
70
71 case ssl_hs_read_message: {
72 int ret = ssl->method->ssl_get_message(ssl, -1, ssl_dont_hash_message);
73 if (ret <= 0) {
74 return ret;
75 }
76 break;
77 }
78
79 case ssl_hs_write_message: {
80 int ret = ssl->method->write_message(ssl);
81 if (ret <= 0) {
82 return ret;
83 }
84 break;
85 }
86
87 case ssl_hs_flush: {
88 int ret = BIO_flush(ssl->wbio);
89 if (ret <= 0) {
90 ssl->rwstate = SSL_WRITING;
91 return ret;
92 }
93 break;
94 }
95
96 case ssl_hs_x509_lookup:
97 ssl->rwstate = SSL_X509_LOOKUP;
98 hs->wait = ssl_hs_ok;
99 return -1;
100
101 case ssl_hs_private_key_operation:
102 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
103 hs->wait = ssl_hs_ok;
104 return -1;
105
106 case ssl_hs_ok:
107 break;
108 }
109
110 /* Run the state machine again. */
111 hs->wait = hs->do_handshake(ssl);
112 if (hs->wait == ssl_hs_error) {
113 /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
114 * first time around. */
115 return -1;
116 }
117 if (hs->wait == ssl_hs_ok) {
118 /* The handshake has completed. */
119 return 1;
120 }
121
122 /* Otherwise, loop to the beginning and resolve what was blocking the
123 * handshake. */
124 }
125}
126
127static int tls13_get_cert_verify_signature_input(SSL *ssl, uint8_t **out,
128 size_t *out_len, int server) {
129 CBB cbb;
130 if (!CBB_init(&cbb, 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
131 goto err;
132 }
133
134 for (size_t i = 0; i < 64; i++) {
135 if (!CBB_add_u8(&cbb, 0x20)) {
136 goto err;
137 }
138 }
139
140 if (server) {
141 /* Include the NUL byte. */
142 static const char kContext[] = "TLS 1.3, server CertificateVerify";
143 if (!CBB_add_bytes(&cbb, (const uint8_t *)kContext, sizeof(kContext))) {
144 goto err;
145 }
146 } else {
147 static const char kContext[] = "TLS 1.3, client CertificateVerify";
148 if (!CBB_add_bytes(&cbb, (const uint8_t *)kContext, sizeof(kContext))) {
149 goto err;
150 }
151 }
152
153 uint8_t context_hashes[2 * EVP_MAX_MD_SIZE];
154 size_t context_hashes_len;
155 if (!tls13_get_context_hashes(ssl, context_hashes, &context_hashes_len) ||
156 !CBB_add_bytes(&cbb, context_hashes, context_hashes_len) ||
157 !CBB_finish(&cbb, out, out_len)) {
158 goto err;
159 }
160
161 return 1;
162
163err:
164 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
165 CBB_cleanup(&cbb);
166 return 0;
167}
168
169int tls13_process_certificate(SSL *ssl) {
170 CBS cbs, context;
171 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
172 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
173 CBS_len(&context) != 0) {
174 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
175 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
176 return 0;
177 }
178
179 int ret = 0;
180 uint8_t alert;
181 STACK_OF(X509) *chain = ssl_parse_cert_chain(
182 ssl, &alert,
183 ssl->ctx->retain_only_sha256_of_client_certs ? ssl->session->peer_sha256
184 : NULL,
185 &cbs);
186 if (chain == NULL) {
187 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
188 goto err;
189 }
190
191 if (CBS_len(&cbs) != 0) {
192 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
193 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
194 goto err;
195 }
196
197 if (sk_X509_num(chain) == 0) {
198 /* Clients must receive a certificate from the server. */
199 if (!ssl->server) {
200 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
201 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
202 goto err;
203 }
204
205 /* Servers may be configured to accept anonymous clients. */
206 if ((ssl->verify_mode & SSL_VERIFY_PEER) &&
207 (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
208 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
209 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
210 goto err;
211 }
212
213 /* No certificate, so nothing more to do. */
214 ret = 1;
215 goto err;
216 }
217
218 if (ssl->server && ssl->ctx->retain_only_sha256_of_client_certs) {
219 /* The hash was filled in by |ssl_parse_cert_chain|. */
220 ssl->session->peer_sha256_valid = 1;
221 }
222
223 X509 *leaf = sk_X509_value(chain, 0);
224 if (!ssl->server && !ssl_check_leaf_certificate(ssl, leaf)) {
225 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
226 goto err;
227 }
228
229 int verify_ret = ssl_verify_cert_chain(ssl, chain);
230 /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
231 if (ssl->verify_mode != SSL_VERIFY_NONE && verify_ret <= 0) {
232 int al = ssl_verify_alarm_type(ssl->verify_result);
233 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
234 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
235 goto err;
236 }
237 ERR_clear_error();
238
239 ssl->session->verify_result = ssl->verify_result;
240
241 X509_free(ssl->session->peer);
242 /* For historical reasons, the client and server differ on whether the chain
243 * includes the leaf. */
244 if (ssl->server) {
245 ssl->session->peer = sk_X509_shift(chain);
246 } else {
247 ssl->session->peer = X509_up_ref(leaf);
248 }
249
250 sk_X509_pop_free(ssl->session->cert_chain, X509_free);
251 ssl->session->cert_chain = chain;
252 chain = NULL;
253
254 ret = 1;
255
256err:
257 sk_X509_pop_free(chain, X509_free);
258 return ret;
259}
260
261int tls13_process_certificate_verify(SSL *ssl) {
262 int ret = 0;
263 X509 *peer = ssl->session->peer;
264 EVP_PKEY *pkey = NULL;
265 uint8_t *msg = NULL;
266 size_t msg_len;
267
268 /* Filter out unsupported certificate types. */
269 pkey = X509_get_pubkey(peer);
270 if (pkey == NULL) {
271 goto err;
272 }
273
274 CBS cbs, signature;
275 uint16_t signature_algorithm;
276 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
277 if (!CBS_get_u16(&cbs, &signature_algorithm) ||
278 !CBS_get_u16_length_prefixed(&cbs, &signature) ||
279 CBS_len(&cbs) != 0) {
280 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
281 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
282 goto err;
283 }
284
285 int al;
286 if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
287 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
288 goto err;
289 }
290 ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;
291
292 if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
293 !ssl->server)) {
294 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
295 goto err;
296 }
297
298 int sig_ok =
299 ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
300 signature_algorithm, pkey, msg, msg_len);
301 if (!sig_ok) {
302 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
303 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
304 goto err;
305 }
306
307 ret = 1;
308
309err:
310 EVP_PKEY_free(pkey);
311 OPENSSL_free(msg);
312 return ret;
313}
314
315int tls13_check_message_type(SSL *ssl, int type) {
316 if (ssl->s3->tmp.message_type != type) {
317 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
318 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
319 return 0;
320 }
321
322 return 1;
323}
324
325int tls13_process_finished(SSL *ssl) {
326 uint8_t verify_data[EVP_MAX_MD_SIZE];
327 size_t verify_data_len;
328 if (!tls13_finished_mac(ssl, verify_data, &verify_data_len, !ssl->server)) {
329 return 0;
330 }
331
332 if (ssl->init_num != verify_data_len ||
333 CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) != 0) {
334 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
335 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
336 return 0;
337 }
338
339 return 1;
340}
341
342int tls13_prepare_certificate(SSL *ssl) {
343 CBB cbb, body, context;
344 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||
345 !CBB_add_u8_length_prefixed(&body, &context) ||
346 !CBB_add_bytes(&context, ssl->s3->hs->cert_context,
347 ssl->s3->hs->cert_context_len) ||
348 !ssl_add_cert_chain(ssl, &body) ||
349 !ssl->method->finish_message(ssl, &cbb)) {
350 CBB_cleanup(&cbb);
351 return 0;
352 }
353
354 return 1;
355}
356
357enum ssl_private_key_result_t tls13_prepare_certificate_verify(
358 SSL *ssl, int is_first_run) {
359 enum ssl_private_key_result_t ret = ssl_private_key_failure;
360 uint8_t *msg = NULL;
361 size_t msg_len;
362 CBB cbb, body;
363 CBB_zero(&cbb);
364
365 uint16_t signature_algorithm;
366 if (!tls1_choose_signature_algorithm(ssl, &signature_algorithm)) {
367 goto err;
368 }
369 if (!ssl->method->init_message(ssl, &cbb, &body,
370 SSL3_MT_CERTIFICATE_VERIFY) ||
371 !CBB_add_u16(&body, signature_algorithm)) {
372 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
373 goto err;
374 }
375
376 /* Sign the digest. */
377 CBB child;
378 const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
379 uint8_t *sig;
380 size_t sig_len;
381 if (!CBB_add_u16_length_prefixed(&body, &child) ||
382 !CBB_reserve(&child, &sig, max_sig_len)) {
383 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
384 goto err;
385 }
386
387 enum ssl_private_key_result_t sign_result;
388 if (is_first_run) {
389 if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
390 ssl->server)) {
391 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
392 goto err;
393 }
394 sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len,
395 signature_algorithm, msg, msg_len);
396 } else {
397 sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len);
398 }
399
400 if (sign_result != ssl_private_key_success) {
401 ret = sign_result;
402 goto err;
403 }
404
405 if (!CBB_did_write(&child, sig_len) ||
406 !ssl->method->finish_message(ssl, &cbb)) {
407 goto err;
408 }
409
410 ret = ssl_private_key_success;
411
412err:
413 CBB_cleanup(&cbb);
414 OPENSSL_free(msg);
415 return ret;
416}
417
418int tls13_prepare_finished(SSL *ssl) {
419 size_t verify_data_len;
420 uint8_t verify_data[EVP_MAX_MD_SIZE];
421
422 if (!tls13_finished_mac(ssl, verify_data, &verify_data_len, ssl->server)) {
423 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
424 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
425 return 0;
426 }
427
428 CBB cbb, body;
429 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||
430 !CBB_add_bytes(&body, verify_data, verify_data_len) ||
431 !ssl->method->finish_message(ssl, &cbb)) {
432 CBB_cleanup(&cbb);
433 return 0;
434 }
435
436 return 1;
437}