Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / f2401eb42b65e9f8835a8f84d266cad082516665 / . / ssl / tls13_both.c
blob: 023dc0da08315c7c8d69b2b855420c349b406362 [file] [log] [blame]
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1/* Copyright (c) 2016, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <assert.h>
18#include <string.h>
19
20#include <openssl/bytestring.h>
21#include <openssl/err.h>
22#include <openssl/hkdf.h>
23#include <openssl/mem.h>
24#include <openssl/stack.h>
25#include <openssl/x509.h>
26#include <openssl/x509v3.h>
27
28#include "internal.h"
29
30
31SSL_HANDSHAKE *ssl_handshake_new(enum ssl_hs_wait_t (*do_handshake)(SSL *ssl)) {
32 SSL_HANDSHAKE *hs = OPENSSL_malloc(sizeof(SSL_HANDSHAKE));
33 if (hs == NULL) {
34 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
35 return NULL;
36 }
37 memset(hs, 0, sizeof(SSL_HANDSHAKE));
38 hs->do_handshake = do_handshake;
39 hs->wait = ssl_hs_ok;
40 return hs;
41}
42
43void ssl_handshake_free(SSL_HANDSHAKE *hs) {
44 if (hs == NULL) {
45 return;
46 }
47
48 OPENSSL_cleanse(hs->secret, sizeof(hs->secret));
49 OPENSSL_cleanse(hs->traffic_secret_0, sizeof(hs->traffic_secret_0));
50 if (hs->groups != NULL) {
51 for (size_t i = 0; i < hs->groups_len; i++) {
52 SSL_ECDH_CTX_cleanup(&hs->groups[i]);
53 }
54 OPENSSL_free(hs->groups);
55 }
56 OPENSSL_free(hs->public_key);
57 OPENSSL_free(hs->cert_context);
58 OPENSSL_free(hs);
59}
60
61int tls13_handshake(SSL *ssl) {
62 SSL_HANDSHAKE *hs = ssl->s3->hs;
63
64 for (;;) {
65 /* Resolve the operation the handshake was waiting on. */
66 switch (hs->wait) {
67 case ssl_hs_error:
68 OPENSSL_PUT_ERROR(SSL, SSL_R_SSL_HANDSHAKE_FAILURE);
69 return -1;
70
David Benjaminf2401eb2016-07-18 22:25:05 +0200[diff] [blame^]71 case ssl_hs_flush:
72 case ssl_hs_flush_and_read_message: {
73 int ret = BIO_flush(ssl->wbio);
74 if (ret <= 0) {
75 ssl->rwstate = SSL_WRITING;
76 return ret;
77 }
78 if (hs->wait != ssl_hs_flush_and_read_message) {
79 break;
80 }
81 hs->wait = ssl_hs_read_message;
82 /* Fall-through. */
83 }
84
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]85 case ssl_hs_read_message: {
86 int ret = ssl->method->ssl_get_message(ssl, -1, ssl_dont_hash_message);
87 if (ret <= 0) {
88 return ret;
89 }
90 break;
91 }
92
93 case ssl_hs_write_message: {
94 int ret = ssl->method->write_message(ssl);
95 if (ret <= 0) {
96 return ret;
97 }
98 break;
99 }
100
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]101 case ssl_hs_x509_lookup:
102 ssl->rwstate = SSL_X509_LOOKUP;
103 hs->wait = ssl_hs_ok;
104 return -1;
105
106 case ssl_hs_private_key_operation:
107 ssl->rwstate = SSL_PRIVATE_KEY_OPERATION;
108 hs->wait = ssl_hs_ok;
109 return -1;
110
111 case ssl_hs_ok:
112 break;
113 }
114
115 /* Run the state machine again. */
116 hs->wait = hs->do_handshake(ssl);
117 if (hs->wait == ssl_hs_error) {
118 /* Don't loop around to avoid a stray |SSL_R_SSL_HANDSHAKE_FAILURE| the
119 * first time around. */
120 return -1;
121 }
122 if (hs->wait == ssl_hs_ok) {
123 /* The handshake has completed. */
124 return 1;
125 }
126
127 /* Otherwise, loop to the beginning and resolve what was blocking the
128 * handshake. */
129 }
130}
131
132static int tls13_get_cert_verify_signature_input(SSL *ssl, uint8_t **out,
133 size_t *out_len, int server) {
134 CBB cbb;
135 if (!CBB_init(&cbb, 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
136 goto err;
137 }
138
139 for (size_t i = 0; i < 64; i++) {
140 if (!CBB_add_u8(&cbb, 0x20)) {
141 goto err;
142 }
143 }
144
145 if (server) {
146 /* Include the NUL byte. */
147 static const char kContext[] = "TLS 1.3, server CertificateVerify";
148 if (!CBB_add_bytes(&cbb, (const uint8_t *)kContext, sizeof(kContext))) {
149 goto err;
150 }
151 } else {
152 static const char kContext[] = "TLS 1.3, client CertificateVerify";
153 if (!CBB_add_bytes(&cbb, (const uint8_t *)kContext, sizeof(kContext))) {
154 goto err;
155 }
156 }
157
158 uint8_t context_hashes[2 * EVP_MAX_MD_SIZE];
159 size_t context_hashes_len;
160 if (!tls13_get_context_hashes(ssl, context_hashes, &context_hashes_len) ||
161 !CBB_add_bytes(&cbb, context_hashes, context_hashes_len) ||
162 !CBB_finish(&cbb, out, out_len)) {
163 goto err;
164 }
165
166 return 1;
167
168err:
169 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
170 CBB_cleanup(&cbb);
171 return 0;
172}
173
174int tls13_process_certificate(SSL *ssl) {
175 CBS cbs, context;
176 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
177 if (!CBS_get_u8_length_prefixed(&cbs, &context) ||
178 CBS_len(&context) != 0) {
179 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
180 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
181 return 0;
182 }
183
184 int ret = 0;
185 uint8_t alert;
186 STACK_OF(X509) *chain = ssl_parse_cert_chain(
187 ssl, &alert,
188 ssl->ctx->retain_only_sha256_of_client_certs ? ssl->session->peer_sha256
189 : NULL,
190 &cbs);
191 if (chain == NULL) {
192 ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
193 goto err;
194 }
195
196 if (CBS_len(&cbs) != 0) {
197 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
198 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
199 goto err;
200 }
201
202 if (sk_X509_num(chain) == 0) {
203 /* Clients must receive a certificate from the server. */
204 if (!ssl->server) {
205 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
206 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
207 goto err;
208 }
209
210 /* Servers may be configured to accept anonymous clients. */
211 if ((ssl->verify_mode & SSL_VERIFY_PEER) &&
212 (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
213 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
214 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
215 goto err;
216 }
217
218 /* No certificate, so nothing more to do. */
219 ret = 1;
220 goto err;
221 }
222
223 if (ssl->server && ssl->ctx->retain_only_sha256_of_client_certs) {
224 /* The hash was filled in by |ssl_parse_cert_chain|. */
225 ssl->session->peer_sha256_valid = 1;
226 }
227
228 X509 *leaf = sk_X509_value(chain, 0);
229 if (!ssl->server && !ssl_check_leaf_certificate(ssl, leaf)) {
230 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
231 goto err;
232 }
233
234 int verify_ret = ssl_verify_cert_chain(ssl, chain);
235 /* If |SSL_VERIFY_NONE|, the error is non-fatal, but we keep the result. */
236 if (ssl->verify_mode != SSL_VERIFY_NONE && verify_ret <= 0) {
237 int al = ssl_verify_alarm_type(ssl->verify_result);
238 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
239 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_VERIFY_FAILED);
240 goto err;
241 }
242 ERR_clear_error();
243
244 ssl->session->verify_result = ssl->verify_result;
245
246 X509_free(ssl->session->peer);
247 /* For historical reasons, the client and server differ on whether the chain
248 * includes the leaf. */
249 if (ssl->server) {
250 ssl->session->peer = sk_X509_shift(chain);
251 } else {
252 ssl->session->peer = X509_up_ref(leaf);
253 }
254
255 sk_X509_pop_free(ssl->session->cert_chain, X509_free);
256 ssl->session->cert_chain = chain;
257 chain = NULL;
258
259 ret = 1;
260
261err:
262 sk_X509_pop_free(chain, X509_free);
263 return ret;
264}
265
266int tls13_process_certificate_verify(SSL *ssl) {
267 int ret = 0;
268 X509 *peer = ssl->session->peer;
269 EVP_PKEY *pkey = NULL;
270 uint8_t *msg = NULL;
271 size_t msg_len;
272
273 /* Filter out unsupported certificate types. */
274 pkey = X509_get_pubkey(peer);
275 if (pkey == NULL) {
276 goto err;
277 }
278
279 CBS cbs, signature;
280 uint16_t signature_algorithm;
281 CBS_init(&cbs, ssl->init_msg, ssl->init_num);
282 if (!CBS_get_u16(&cbs, &signature_algorithm) ||
283 !CBS_get_u16_length_prefixed(&cbs, &signature) ||
284 CBS_len(&cbs) != 0) {
285 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
286 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
287 goto err;
288 }
289
290 int al;
291 if (!tls12_check_peer_sigalg(ssl, &al, signature_algorithm)) {
292 ssl3_send_alert(ssl, SSL3_AL_FATAL, al);
293 goto err;
294 }
295 ssl->s3->tmp.peer_signature_algorithm = signature_algorithm;
296
297 if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
298 !ssl->server)) {
299 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
300 goto err;
301 }
302
303 int sig_ok =
304 ssl_public_key_verify(ssl, CBS_data(&signature), CBS_len(&signature),
305 signature_algorithm, pkey, msg, msg_len);
306 if (!sig_ok) {
307 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
308 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
309 goto err;
310 }
311
312 ret = 1;
313
314err:
315 EVP_PKEY_free(pkey);
316 OPENSSL_free(msg);
317 return ret;
318}
319
320int tls13_check_message_type(SSL *ssl, int type) {
321 if (ssl->s3->tmp.message_type != type) {
322 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
323 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
David Benjaminf2401eb2016-07-18 22:25:05 +0200[diff] [blame^]324 ERR_add_error_dataf("got type %d, wanted type %d",
325 ssl->s3->tmp.message_type, type);
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]326 return 0;
327 }
328
329 return 1;
330}
331
332int tls13_process_finished(SSL *ssl) {
333 uint8_t verify_data[EVP_MAX_MD_SIZE];
334 size_t verify_data_len;
335 if (!tls13_finished_mac(ssl, verify_data, &verify_data_len, !ssl->server)) {
336 return 0;
337 }
338
339 if (ssl->init_num != verify_data_len ||
340 CRYPTO_memcmp(verify_data, ssl->init_msg, verify_data_len) != 0) {
341 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
342 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
343 return 0;
344 }
345
346 return 1;
347}
348
349int tls13_prepare_certificate(SSL *ssl) {
350 CBB cbb, body, context;
351 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_CERTIFICATE) ||
352 !CBB_add_u8_length_prefixed(&body, &context) ||
353 !CBB_add_bytes(&context, ssl->s3->hs->cert_context,
354 ssl->s3->hs->cert_context_len) ||
355 !ssl_add_cert_chain(ssl, &body) ||
356 !ssl->method->finish_message(ssl, &cbb)) {
357 CBB_cleanup(&cbb);
358 return 0;
359 }
360
361 return 1;
362}
363
364enum ssl_private_key_result_t tls13_prepare_certificate_verify(
365 SSL *ssl, int is_first_run) {
366 enum ssl_private_key_result_t ret = ssl_private_key_failure;
367 uint8_t *msg = NULL;
368 size_t msg_len;
369 CBB cbb, body;
370 CBB_zero(&cbb);
371
372 uint16_t signature_algorithm;
373 if (!tls1_choose_signature_algorithm(ssl, &signature_algorithm)) {
374 goto err;
375 }
376 if (!ssl->method->init_message(ssl, &cbb, &body,
377 SSL3_MT_CERTIFICATE_VERIFY) ||
378 !CBB_add_u16(&body, signature_algorithm)) {
379 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
380 goto err;
381 }
382
383 /* Sign the digest. */
384 CBB child;
385 const size_t max_sig_len = ssl_private_key_max_signature_len(ssl);
386 uint8_t *sig;
387 size_t sig_len;
388 if (!CBB_add_u16_length_prefixed(&body, &child) ||
389 !CBB_reserve(&child, &sig, max_sig_len)) {
390 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
391 goto err;
392 }
393
394 enum ssl_private_key_result_t sign_result;
395 if (is_first_run) {
396 if (!tls13_get_cert_verify_signature_input(ssl, &msg, &msg_len,
397 ssl->server)) {
398 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
399 goto err;
400 }
401 sign_result = ssl_private_key_sign(ssl, sig, &sig_len, max_sig_len,
402 signature_algorithm, msg, msg_len);
403 } else {
404 sign_result = ssl_private_key_complete(ssl, sig, &sig_len, max_sig_len);
405 }
406
407 if (sign_result != ssl_private_key_success) {
408 ret = sign_result;
409 goto err;
410 }
411
412 if (!CBB_did_write(&child, sig_len) ||
413 !ssl->method->finish_message(ssl, &cbb)) {
414 goto err;
415 }
416
417 ret = ssl_private_key_success;
418
419err:
420 CBB_cleanup(&cbb);
421 OPENSSL_free(msg);
422 return ret;
423}
424
425int tls13_prepare_finished(SSL *ssl) {
426 size_t verify_data_len;
427 uint8_t verify_data[EVP_MAX_MD_SIZE];
428
429 if (!tls13_finished_mac(ssl, verify_data, &verify_data_len, ssl->server)) {
430 ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
431 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
432 return 0;
433 }
434
435 CBB cbb, body;
436 if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_FINISHED) ||
437 !CBB_add_bytes(&body, verify_data, verify_data_len) ||
438 !ssl->method->finish_message(ssl, &cbb)) {
439 CBB_cleanup(&cbb);
440 return 0;
441 }
442
443 return 1;
444}