2016-07-11 18:19:03 +01:00
|
|
|
/* Copyright (c) 2016, Google Inc.
|
|
|
|
*
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
|
|
|
#include <assert.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
2016-10-31 23:20:42 +00:00
|
|
|
#include <openssl/aead.h>
|
2016-07-11 18:19:03 +01:00
|
|
|
#include <openssl/bytestring.h>
|
|
|
|
#include <openssl/digest.h>
|
|
|
|
#include <openssl/err.h>
|
|
|
|
#include <openssl/mem.h>
|
|
|
|
#include <openssl/rand.h>
|
|
|
|
#include <openssl/stack.h>
|
|
|
|
|
2016-12-13 06:07:13 +00:00
|
|
|
#include "../crypto/internal.h"
|
2016-07-11 18:19:03 +01:00
|
|
|
#include "internal.h"
|
|
|
|
|
|
|
|
|
2016-12-07 20:29:45 +00:00
|
|
|
/* kMaxEarlyDataAccepted is the advertised number of plaintext bytes of early
|
|
|
|
* data that will be accepted. This value should be slightly below
|
|
|
|
* kMaxEarlyDataSkipped in tls_record.c, which is measured in ciphertext. */
|
|
|
|
static const size_t kMaxEarlyDataAccepted = 14336;
|
|
|
|
|
2016-07-11 18:19:03 +01:00
|
|
|
enum server_hs_state_t {
|
2017-02-03 04:33:21 +00:00
|
|
|
state_select_parameters = 0,
|
2016-07-18 17:40:30 +01:00
|
|
|
state_send_hello_retry_request,
|
|
|
|
state_process_second_client_hello,
|
2016-07-11 18:19:03 +01:00
|
|
|
state_send_server_hello,
|
|
|
|
state_send_server_certificate_verify,
|
|
|
|
state_complete_server_certificate_verify,
|
|
|
|
state_send_server_finished,
|
|
|
|
state_process_client_certificate,
|
|
|
|
state_process_client_certificate_verify,
|
2016-09-24 00:25:11 +01:00
|
|
|
state_process_channel_id,
|
2016-07-11 18:19:03 +01:00
|
|
|
state_process_client_finished,
|
2016-07-27 16:10:52 +01:00
|
|
|
state_send_new_session_ticket,
|
2016-07-11 18:19:03 +01:00
|
|
|
state_done,
|
|
|
|
};
|
|
|
|
|
2016-07-18 17:40:30 +01:00
|
|
|
static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};
|
|
|
|
|
2016-11-17 07:43:08 +00:00
|
|
|
static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, int *out_need_retry,
|
2016-12-04 04:15:13 +00:00
|
|
|
SSL_CLIENT_HELLO *client_hello) {
|
2016-11-17 07:43:08 +00:00
|
|
|
SSL *const ssl = hs->ssl;
|
2016-07-18 17:40:30 +01:00
|
|
|
*out_need_retry = 0;
|
|
|
|
|
2016-09-06 19:13:43 +01:00
|
|
|
/* We only support connections that include an ECDHE key exchange. */
|
2016-07-18 17:40:30 +01:00
|
|
|
CBS key_share;
|
2016-12-04 04:15:13 +00:00
|
|
|
if (!ssl_client_hello_get_extension(client_hello, &key_share,
|
|
|
|
TLSEXT_TYPE_key_share)) {
|
2016-07-18 17:40:30 +01:00
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
|
2016-11-16 10:10:08 +00:00
|
|
|
return 0;
|
2016-07-18 17:40:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
int found_key_share;
|
|
|
|
uint8_t *dhe_secret;
|
|
|
|
size_t dhe_secret_len;
|
2016-09-21 00:24:40 +01:00
|
|
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
2016-11-17 08:11:16 +00:00
|
|
|
if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,
|
2016-08-02 21:55:05 +01:00
|
|
|
&dhe_secret_len, &alert,
|
|
|
|
&key_share)) {
|
2016-07-18 17:40:30 +01:00
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!found_key_share) {
|
|
|
|
*out_need_retry = 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-11-17 07:43:08 +00:00
|
|
|
int ok = tls13_advance_key_schedule(hs, dhe_secret, dhe_secret_len);
|
2016-07-18 17:40:30 +01:00
|
|
|
OPENSSL_free(dhe_secret);
|
|
|
|
return ok;
|
|
|
|
}
|
|
|
|
|
2016-11-16 10:07:53 +00:00
|
|
|
static const SSL_CIPHER *choose_tls13_cipher(
|
2016-12-04 04:15:13 +00:00
|
|
|
const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {
|
2016-11-16 10:07:53 +00:00
|
|
|
if (client_hello->cipher_suites_len % 2 != 0) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
CBS cipher_suites;
|
|
|
|
CBS_init(&cipher_suites, client_hello->cipher_suites,
|
|
|
|
client_hello->cipher_suites_len);
|
|
|
|
|
|
|
|
const int aes_is_fine = EVP_has_aes_hardware();
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
const uint16_t version = ssl3_protocol_version(ssl);
|
2016-11-16 10:07:53 +00:00
|
|
|
|
|
|
|
const SSL_CIPHER *best = NULL;
|
|
|
|
while (CBS_len(&cipher_suites) > 0) {
|
|
|
|
uint16_t cipher_suite;
|
|
|
|
if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
/* Limit to TLS 1.3 ciphers we know about. */
|
2016-11-16 10:07:53 +00:00
|
|
|
const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
if (candidate == NULL ||
|
|
|
|
SSL_CIPHER_get_min_version(candidate) > version ||
|
|
|
|
SSL_CIPHER_get_max_version(candidate) < version) {
|
2016-11-16 10:07:53 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* TLS 1.3 removes legacy ciphers, so honor the client order, but prefer
|
|
|
|
* ChaCha20 if we do not have AES hardware. */
|
|
|
|
if (aes_is_fine) {
|
|
|
|
return candidate;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {
|
|
|
|
return candidate;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (best == NULL) {
|
|
|
|
best = candidate;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return best;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2017-02-03 04:33:21 +00:00
|
|
|
/* The short record header extension is incompatible with early data. */
|
|
|
|
if (ssl->s3->skip_early_data && ssl->s3->short_header) {
|
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
|
2016-12-20 23:55:16 +00:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-12-04 04:15:13 +00:00
|
|
|
SSL_CLIENT_HELLO client_hello;
|
|
|
|
if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
|
|
|
|
ssl->init_num)) {
|
2016-11-16 10:07:53 +00:00
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
/* Negotiate the cipher suite. */
|
|
|
|
ssl->s3->tmp.new_cipher = choose_tls13_cipher(ssl, &client_hello);
|
|
|
|
if (ssl->s3->tmp.new_cipher == NULL) {
|
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Decode the ticket if we agree on a PSK key exchange mode. */
|
2016-11-16 08:08:23 +00:00
|
|
|
uint8_t alert = SSL_AD_DECODE_ERROR;
|
2016-11-01 17:39:36 +00:00
|
|
|
SSL_SESSION *session = NULL;
|
2016-11-16 08:08:23 +00:00
|
|
|
CBS pre_shared_key, binders;
|
|
|
|
if (hs->accept_psk_mode &&
|
2016-12-04 04:15:13 +00:00
|
|
|
ssl_client_hello_get_extension(&client_hello, &pre_shared_key,
|
|
|
|
TLSEXT_TYPE_pre_shared_key)) {
|
2016-11-16 08:08:23 +00:00
|
|
|
/* Verify that the pre_shared_key extension is the last extension in
|
|
|
|
* ClientHello. */
|
|
|
|
if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=
|
|
|
|
client_hello.extensions + client_hello.extensions_len) {
|
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
2016-11-01 17:39:36 +00:00
|
|
|
|
2016-11-17 08:11:16 +00:00
|
|
|
if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &session, &binders,
|
2016-11-16 08:08:23 +00:00
|
|
|
&alert, &pre_shared_key)) {
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
|
|
return ssl_hs_error;
|
2016-11-01 17:39:36 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-07-29 19:32:55 +01:00
|
|
|
if (session != NULL &&
|
2016-11-12 03:36:06 +00:00
|
|
|
!ssl_session_is_resumable(ssl, session)) {
|
2016-07-29 19:32:55 +01:00
|
|
|
SSL_SESSION_free(session);
|
|
|
|
session = NULL;
|
|
|
|
}
|
|
|
|
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
/* Set up the new session, either using the original one as a template or
|
|
|
|
* creating a fresh one. */
|
2016-07-29 19:32:55 +01:00
|
|
|
if (session == NULL) {
|
2016-11-17 08:20:47 +00:00
|
|
|
if (!ssl_get_new_session(hs, 1 /* server */)) {
|
2016-07-29 19:32:55 +01:00
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
|
|
|
|
ssl->s3->new_session->cipher = ssl->s3->tmp.new_cipher;
|
|
|
|
|
|
|
|
/* On new sessions, stash the SNI value in the session. */
|
2016-11-17 07:43:08 +00:00
|
|
|
if (hs->hostname != NULL) {
|
2017-02-06 17:06:01 +00:00
|
|
|
OPENSSL_free(ssl->s3->new_session->tlsext_hostname);
|
2016-11-17 07:43:08 +00:00
|
|
|
ssl->s3->new_session->tlsext_hostname = BUF_strdup(hs->hostname);
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
if (ssl->s3->new_session->tlsext_hostname == NULL) {
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
}
|
2016-07-29 19:32:55 +01:00
|
|
|
} else {
|
2016-11-01 17:39:36 +00:00
|
|
|
/* Check the PSK binder. */
|
|
|
|
if (!tls13_verify_psk_binder(ssl, session, &binders)) {
|
|
|
|
SSL_SESSION_free(session);
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-07-29 19:32:55 +01:00
|
|
|
/* Only authentication information carries over in TLS 1.3. */
|
|
|
|
ssl->s3->new_session = SSL_SESSION_dup(session, SSL_SESSION_DUP_AUTH_ONLY);
|
|
|
|
if (ssl->s3->new_session == NULL) {
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
ssl->s3->session_reused = 1;
|
|
|
|
SSL_SESSION_free(session);
|
2017-01-28 19:00:32 +00:00
|
|
|
|
|
|
|
/* Resumption incorporates fresh key material, so refresh the timeout. */
|
|
|
|
ssl_session_renew_timeout(ssl, ssl->s3->new_session,
|
|
|
|
ssl->session_psk_dhe_timeout);
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if (ssl->ctx->dos_protection_cb != NULL &&
|
2016-08-09 21:21:24 +01:00
|
|
|
ssl->ctx->dos_protection_cb(&client_hello) == 0) {
|
2016-07-11 18:19:03 +01:00
|
|
|
/* Connection rejected for DOS reasons. */
|
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
|
2016-09-16 20:58:00 +01:00
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
/* HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
|
|
|
|
* deferred. Complete it now. */
|
2016-11-17 08:20:47 +00:00
|
|
|
if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
|
2016-10-31 22:01:13 +00:00
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
2016-09-06 19:13:43 +01:00
|
|
|
|
2017-01-21 19:49:39 +00:00
|
|
|
/* The PRF hash is now known. Set up the key schedule and hash the
|
|
|
|
* ClientHello. */
|
2016-09-06 19:13:43 +01:00
|
|
|
size_t hash_len =
|
2016-07-11 18:19:03 +01:00
|
|
|
EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));
|
2017-01-21 19:49:39 +00:00
|
|
|
if (!tls13_init_key_schedule(hs) ||
|
|
|
|
!ssl_hash_current_message(ssl)) {
|
2016-11-30 16:24:40 +00:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
2016-09-06 19:13:43 +01:00
|
|
|
|
2016-11-30 16:24:40 +00:00
|
|
|
/* Incorporate the PSK into the running secret. */
|
2016-07-29 19:32:55 +01:00
|
|
|
if (ssl->s3->session_reused) {
|
2016-11-17 07:43:08 +00:00
|
|
|
if (!tls13_advance_key_schedule(hs, ssl->s3->new_session->master_key,
|
2016-11-30 16:24:40 +00:00
|
|
|
ssl->s3->new_session->master_key_length)) {
|
2016-07-29 19:32:55 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
2016-11-17 07:43:08 +00:00
|
|
|
} else if (!tls13_advance_key_schedule(hs, kZeroes, hash_len)) {
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
Negotiate ciphers before resumption.
This changes our resumption strategy. Before, we would negotiate ciphers
only on fresh handshakes. On resumption, we would blindly use whatever
was in the session.
Instead, evaluate cipher suite preferences on every handshake.
Resumption requires that the saved cipher suite match the one that would
have been negotiated anyway. If client or server preferences changed
sufficiently, we decline the session.
This is much easier to reason about (we always pick the best cipher
suite), simpler, and avoids getting stuck under old preferences if
tickets are continuously renewed. Notably, although TLS 1.2 ticket
renewal does not work in practice, TLS 1.3 will renew tickets like
there's no tomorrow.
It also means we don't need dedicated code to avoid resuming a cipher
which has since been disabled. (That dedicated code was a little odd
anyway since the mask_k, etc., checks didn't occur. When cert_cb was
skipped on resumption, one could resume without ever configuring a
certificate! So we couldn't know whether to mask off RSA or ECDSA cipher
suites.)
Add tests which assert on this new arrangement.
BUG=116
Change-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6
Reviewed-on: https://boringssl-review.googlesource.com/11847
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-11-16 10:05:33 +00:00
|
|
|
ssl->method->received_flight(ssl);
|
|
|
|
|
2016-07-11 18:19:03 +01:00
|
|
|
/* Resolve ECDHE and incorporate it into the secret. */
|
2016-07-18 17:40:30 +01:00
|
|
|
int need_retry;
|
2016-11-17 07:43:08 +00:00
|
|
|
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
|
2016-07-18 17:40:30 +01:00
|
|
|
if (need_retry) {
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_send_hello_retry_request;
|
2016-07-18 17:40:30 +01:00
|
|
|
return ssl_hs_ok;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
2016-07-18 17:40:30 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
2016-07-11 18:19:03 +01:00
|
|
|
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_send_server_hello;
|
2016-07-18 17:40:30 +01:00
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|
2016-07-11 18:19:03 +01:00
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2016-07-18 17:40:30 +01:00
|
|
|
CBB cbb, body, extensions;
|
|
|
|
uint16_t group_id;
|
|
|
|
if (!ssl->method->init_message(ssl, &cbb, &body,
|
|
|
|
SSL3_MT_HELLO_RETRY_REQUEST) ||
|
|
|
|
!CBB_add_u16(&body, ssl->version) ||
|
2016-11-17 08:20:47 +00:00
|
|
|
!tls1_get_shared_group(hs, &group_id) ||
|
2016-07-18 17:40:30 +01:00
|
|
|
!CBB_add_u16_length_prefixed(&body, &extensions) ||
|
2016-10-08 02:10:38 +01:00
|
|
|
!CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||
|
|
|
|
!CBB_add_u16(&extensions, 2 /* length */) ||
|
|
|
|
!CBB_add_u16(&extensions, group_id) ||
|
Don't use the buffer BIO in TLS.
On the TLS side, we introduce a running buffer of ciphertext. Queuing up
pending data consists of encrypting the record into the buffer. This
effectively reimplements what the buffer BIO was doing previously, but
this resizes to fit the whole flight.
As part of this, rename all the functions to add to the pending flight
to be more uniform. This CL proposes "add_foo" to add to the pending
flight and "flush_flight" to drain it.
We add an add_alert hook for alerts but, for now, only the SSL 3.0
warning alert (sent mid-handshake) uses this mechanism. Later work will
push this down to the rest of the write path so closure alerts use it
too, as in DTLS. The intended end state is that all the ssl_buffer.c and
wpend_ret logic will only be used for application data and eventually
optionally replaced by the in-place API, while all "incidental" data
will be handled internally.
For now, the two buffers are mutually exclusive. Moving closure alerts
to "incidentals" will change this, but flushing application data early
is tricky due to wpend_ret. (If we call ssl_write_buffer_flush,
do_ssl3_write doesn't realize it still has a wpend_ret to replay.) That
too is all left alone in this change.
To keep the diff down, write_message is retained for now and will be
removed from the state machines in a follow-up change.
BUG=72
Change-Id: Ibce882f5f7196880648f25d5005322ca4055c71d
Reviewed-on: https://boringssl-review.googlesource.com/13224
Reviewed-by: Adam Langley <agl@google.com>
2017-01-03 23:37:41 +00:00
|
|
|
!ssl_add_message_cbb(ssl, &cbb)) {
|
2016-07-18 17:40:30 +01:00
|
|
|
CBB_cleanup(&cbb);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_second_client_hello;
|
2016-07-18 17:40:30 +01:00
|
|
|
return ssl_hs_flush_and_read_message;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_process_second_client_hello(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2017-01-21 19:13:39 +00:00
|
|
|
if (!ssl_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {
|
2016-07-18 17:40:30 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-12-04 04:15:13 +00:00
|
|
|
SSL_CLIENT_HELLO client_hello;
|
|
|
|
if (!ssl_client_hello_init(ssl, &client_hello, ssl->init_msg,
|
|
|
|
ssl->init_num)) {
|
2016-07-18 17:40:30 +01:00
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
|
|
|
int need_retry;
|
2016-11-17 07:43:08 +00:00
|
|
|
if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {
|
2016-07-18 17:40:30 +01:00
|
|
|
if (need_retry) {
|
|
|
|
/* Only send one HelloRetryRequest. */
|
|
|
|
ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
|
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
2016-07-18 17:40:30 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-11-14 08:12:11 +00:00
|
|
|
if (!ssl_hash_current_message(ssl)) {
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-07-22 16:39:29 +01:00
|
|
|
ssl->method->received_flight(ssl);
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_send_server_hello;
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2017-01-13 00:44:57 +00:00
|
|
|
|
|
|
|
/* Send a ServerHello. */
|
2016-07-11 18:19:03 +01:00
|
|
|
CBB cbb, body, extensions;
|
|
|
|
if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||
|
|
|
|
!CBB_add_u16(&body, ssl->version) ||
|
|
|
|
!RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||
|
|
|
|
!CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
|
|
|
|
!CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||
|
|
|
|
!CBB_add_u16_length_prefixed(&body, &extensions) ||
|
2016-11-17 08:11:16 +00:00
|
|
|
!ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||
|
2016-12-21 21:06:54 +00:00
|
|
|
!ssl_ext_key_share_add_serverhello(hs, &extensions)) {
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ssl->s3->short_header) {
|
|
|
|
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_short_header) ||
|
|
|
|
!CBB_add_u16(&extensions, 0 /* empty extension */)) {
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
Don't use the buffer BIO in TLS.
On the TLS side, we introduce a running buffer of ciphertext. Queuing up
pending data consists of encrypting the record into the buffer. This
effectively reimplements what the buffer BIO was doing previously, but
this resizes to fit the whole flight.
As part of this, rename all the functions to add to the pending flight
to be more uniform. This CL proposes "add_foo" to add to the pending
flight and "flush_flight" to drain it.
We add an add_alert hook for alerts but, for now, only the SSL 3.0
warning alert (sent mid-handshake) uses this mechanism. Later work will
push this down to the rest of the write path so closure alerts use it
too, as in DTLS. The intended end state is that all the ssl_buffer.c and
wpend_ret logic will only be used for application data and eventually
optionally replaced by the in-place API, while all "incidental" data
will be handled internally.
For now, the two buffers are mutually exclusive. Moving closure alerts
to "incidentals" will change this, but flushing application data early
is tricky due to wpend_ret. (If we call ssl_write_buffer_flush,
do_ssl3_write doesn't realize it still has a wpend_ret to replay.) That
too is all left alone in this change.
To keep the diff down, write_message is retained for now and will be
removed from the state machines in a follow-up change.
BUG=72
Change-Id: Ibce882f5f7196880648f25d5005322ca4055c71d
Reviewed-on: https://boringssl-review.googlesource.com/13224
Reviewed-by: Adam Langley <agl@google.com>
2017-01-03 23:37:41 +00:00
|
|
|
if (!ssl_add_message_cbb(ssl, &cbb)) {
|
2016-09-06 19:13:43 +01:00
|
|
|
goto err;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
/* Derive and enable the handshake traffic secrets. */
|
2016-12-16 16:29:28 +00:00
|
|
|
if (!tls13_derive_handshake_secrets(hs) ||
|
|
|
|
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,
|
|
|
|
hs->hash_len) ||
|
|
|
|
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,
|
|
|
|
hs->hash_len)) {
|
2017-01-13 00:44:57 +00:00
|
|
|
goto err;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
/* Send EncryptedExtensions. */
|
2016-07-11 18:19:03 +01:00
|
|
|
if (!ssl->method->init_message(ssl, &cbb, &body,
|
|
|
|
SSL3_MT_ENCRYPTED_EXTENSIONS) ||
|
2016-12-03 07:20:34 +00:00
|
|
|
!ssl_add_serverhello_tlsext(hs, &body) ||
|
Don't use the buffer BIO in TLS.
On the TLS side, we introduce a running buffer of ciphertext. Queuing up
pending data consists of encrypting the record into the buffer. This
effectively reimplements what the buffer BIO was doing previously, but
this resizes to fit the whole flight.
As part of this, rename all the functions to add to the pending flight
to be more uniform. This CL proposes "add_foo" to add to the pending
flight and "flush_flight" to drain it.
We add an add_alert hook for alerts but, for now, only the SSL 3.0
warning alert (sent mid-handshake) uses this mechanism. Later work will
push this down to the rest of the write path so closure alerts use it
too, as in DTLS. The intended end state is that all the ssl_buffer.c and
wpend_ret logic will only be used for application data and eventually
optionally replaced by the in-place API, while all "incidental" data
will be handled internally.
For now, the two buffers are mutually exclusive. Moving closure alerts
to "incidentals" will change this, but flushing application data early
is tricky due to wpend_ret. (If we call ssl_write_buffer_flush,
do_ssl3_write doesn't realize it still has a wpend_ret to replay.) That
too is all left alone in this change.
To keep the diff down, write_message is retained for now and will be
removed from the state machines in a follow-up change.
BUG=72
Change-Id: Ibce882f5f7196880648f25d5005322ca4055c71d
Reviewed-on: https://boringssl-review.googlesource.com/13224
Reviewed-by: Adam Langley <agl@google.com>
2017-01-03 23:37:41 +00:00
|
|
|
!ssl_add_message_cbb(ssl, &cbb)) {
|
2017-01-13 00:44:57 +00:00
|
|
|
goto err;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Determine whether to request a client certificate. */
|
2016-11-14 01:32:04 +00:00
|
|
|
hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);
|
2016-09-06 19:13:43 +01:00
|
|
|
/* CertificateRequest may only be sent in non-resumption handshakes. */
|
|
|
|
if (ssl->s3->session_reused) {
|
2016-11-14 01:32:04 +00:00
|
|
|
hs->cert_request = 0;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
/* Send a CertificateRequest, if necessary. */
|
|
|
|
if (hs->cert_request) {
|
|
|
|
CBB sigalgs_cbb;
|
|
|
|
if (!ssl->method->init_message(ssl, &cbb, &body,
|
|
|
|
SSL3_MT_CERTIFICATE_REQUEST) ||
|
|
|
|
!CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {
|
|
|
|
goto err;
|
|
|
|
}
|
2016-07-11 18:19:03 +01:00
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
const uint16_t *sigalgs;
|
|
|
|
size_t num_sigalgs = tls12_get_verify_sigalgs(ssl, &sigalgs);
|
|
|
|
if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {
|
|
|
|
goto err;
|
|
|
|
}
|
2016-07-11 18:19:03 +01:00
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
for (size_t i = 0; i < num_sigalgs; i++) {
|
|
|
|
if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
}
|
2016-07-11 18:19:03 +01:00
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
if (!ssl_add_client_CA_list(ssl, &body) ||
|
|
|
|
!CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||
|
|
|
|
!ssl_add_message_cbb(ssl, &cbb)) {
|
2016-07-11 18:19:03 +01:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
/* Send the server Certificate message, if necessary. */
|
|
|
|
if (!ssl->s3->session_reused) {
|
|
|
|
if (!ssl_has_certificate(ssl)) {
|
|
|
|
OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
2017-01-13 00:46:50 +00:00
|
|
|
if (!tls13_add_certificate(hs)) {
|
2017-01-13 00:44:57 +00:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
hs->tls13_state = state_send_server_certificate_verify;
|
|
|
|
return ssl_hs_ok;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
2017-01-13 00:44:57 +00:00
|
|
|
hs->tls13_state = state_send_server_finished;
|
2017-01-13 00:31:28 +00:00
|
|
|
return ssl_hs_ok;
|
2016-07-11 18:19:03 +01:00
|
|
|
|
|
|
|
err:
|
|
|
|
CBB_cleanup(&cbb);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs,
|
2016-07-11 18:19:03 +01:00
|
|
|
int is_first_run) {
|
2017-01-13 00:46:50 +00:00
|
|
|
switch (tls13_add_certificate_verify(hs, is_first_run)) {
|
2016-07-11 18:19:03 +01:00
|
|
|
case ssl_private_key_success:
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_send_server_finished;
|
2017-01-13 00:31:28 +00:00
|
|
|
return ssl_hs_ok;
|
2016-07-11 18:19:03 +01:00
|
|
|
|
|
|
|
case ssl_private_key_retry:
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_complete_server_certificate_verify;
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_private_key_operation;
|
|
|
|
|
|
|
|
case ssl_private_key_failure:
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
|
|
|
assert(0);
|
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2017-01-13 00:46:50 +00:00
|
|
|
if (!tls13_add_finished(hs) ||
|
2017-01-13 00:31:28 +00:00
|
|
|
/* Update the secret to the master secret and derive traffic keys. */
|
|
|
|
!tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||
|
2016-11-17 07:43:08 +00:00
|
|
|
!tls13_derive_application_secrets(hs) ||
|
2016-11-01 17:39:36 +00:00
|
|
|
!tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,
|
|
|
|
hs->hash_len)) {
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_client_certificate;
|
2016-07-18 21:25:05 +01:00
|
|
|
return ssl_hs_flush_and_read_message;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_process_client_certificate(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
|
|
|
if (!hs->cert_request) {
|
2016-08-02 00:16:46 +01:00
|
|
|
/* OpenSSL returns X509_V_OK when no certificates are requested. This is
|
2016-08-18 21:40:28 +01:00
|
|
|
* classed by them as a bug, but it's assumed by at least NGINX. */
|
2016-08-02 00:16:46 +01:00
|
|
|
ssl->s3->new_session->verify_result = X509_V_OK;
|
|
|
|
|
2016-07-11 18:19:03 +01:00
|
|
|
/* Skip this state. */
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_channel_id;
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|
|
|
|
|
2016-08-02 01:16:31 +01:00
|
|
|
const int allow_anonymous =
|
|
|
|
(ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;
|
|
|
|
|
2017-01-21 19:13:39 +00:00
|
|
|
if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||
|
2016-12-12 19:46:09 +00:00
|
|
|
!tls13_process_certificate(hs, allow_anonymous) ||
|
2016-11-14 08:12:11 +00:00
|
|
|
!ssl_hash_current_message(ssl)) {
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_client_certificate_verify;
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_read_message;
|
|
|
|
}
|
|
|
|
|
|
|
|
static enum ssl_hs_wait_t do_process_client_certificate_verify(
|
2016-11-14 01:32:04 +00:00
|
|
|
SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2016-11-07 20:02:35 +00:00
|
|
|
if (ssl->s3->new_session->x509_peer == NULL) {
|
2016-07-11 18:19:03 +01:00
|
|
|
/* Skip this state. */
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_channel_id;
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|
|
|
|
|
2017-01-21 19:13:39 +00:00
|
|
|
if (!ssl_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||
|
2016-12-12 19:46:09 +00:00
|
|
|
!tls13_process_certificate_verify(hs) ||
|
2016-11-14 08:12:11 +00:00
|
|
|
!ssl_hash_current_message(ssl)) {
|
2016-11-16 10:10:08 +00:00
|
|
|
return ssl_hs_error;
|
2016-07-11 18:19:03 +01:00
|
|
|
}
|
|
|
|
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_channel_id;
|
2016-09-24 00:25:11 +01:00
|
|
|
return ssl_hs_read_message;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_process_channel_id(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2016-09-24 00:25:11 +01:00
|
|
|
if (!ssl->s3->tlsext_channel_id_valid) {
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_client_finished;
|
2016-09-24 00:25:11 +01:00
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|
|
|
|
|
2017-01-21 19:13:39 +00:00
|
|
|
if (!ssl_check_message_type(ssl, SSL3_MT_CHANNEL_ID) ||
|
2016-09-24 00:25:11 +01:00
|
|
|
!tls1_verify_channel_id(ssl) ||
|
2016-11-14 08:12:11 +00:00
|
|
|
!ssl_hash_current_message(ssl)) {
|
2016-09-24 00:25:11 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_process_client_finished;
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_read_message;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_process_client_finished(SSL_HANDSHAKE *hs) {
|
|
|
|
SSL *const ssl = hs->ssl;
|
2017-01-21 19:13:39 +00:00
|
|
|
if (!ssl_check_message_type(ssl, SSL3_MT_FINISHED) ||
|
2016-11-17 07:43:08 +00:00
|
|
|
!tls13_process_finished(hs) ||
|
2016-11-14 08:12:11 +00:00
|
|
|
!ssl_hash_current_message(ssl) ||
|
2016-07-11 18:19:03 +01:00
|
|
|
/* evp_aead_seal keys have already been switched. */
|
2016-11-01 17:39:36 +00:00
|
|
|
!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,
|
|
|
|
hs->hash_len) ||
|
2016-11-17 07:43:08 +00:00
|
|
|
!tls13_derive_resumption_secret(hs)) {
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_error;
|
|
|
|
}
|
|
|
|
|
2016-07-22 16:39:29 +01:00
|
|
|
ssl->method->received_flight(ssl);
|
2016-11-03 20:59:25 +00:00
|
|
|
|
2017-01-28 19:00:32 +00:00
|
|
|
/* Rebase the session timestamp so that it is measured from ticket
|
2016-11-03 20:59:25 +00:00
|
|
|
* issuance. */
|
2017-01-28 19:00:32 +00:00
|
|
|
ssl_session_rebase_time(ssl, ssl->s3->new_session);
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_send_new_session_ticket;
|
2016-07-11 18:19:03 +01:00
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {
|
2017-01-13 00:31:28 +00:00
|
|
|
/* TLS 1.3 recommends single-use tickets, so issue multiple tickets in case the
|
|
|
|
* client makes several connections before getting a renewal. */
|
|
|
|
static const int kNumTickets = 2;
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
SSL *const ssl = hs->ssl;
|
2016-11-01 17:39:36 +00:00
|
|
|
/* If the client doesn't accept resumption with PSK_DHE_KE, don't send a
|
|
|
|
* session ticket. */
|
|
|
|
if (!hs->accept_psk_mode) {
|
2016-12-11 18:30:41 +00:00
|
|
|
hs->tls13_state = state_done;
|
2016-11-01 17:39:36 +00:00
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|
|
|
|
|
2016-07-27 16:10:52 +01:00
|
|
|
SSL_SESSION *session = ssl->s3->new_session;
|
2017-01-13 00:31:28 +00:00
|
|
|
CBB cbb;
|
|
|
|
CBB_zero(&cbb);
|
2016-10-07 20:19:18 +01:00
|
|
|
|
2017-01-13 00:31:28 +00:00
|
|
|
for (int i = 0; i < kNumTickets; i++) {
|
|
|
|
if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {
|
|
|
|
goto err;
|
|
|
|
}
|
2016-12-07 20:29:45 +00:00
|
|
|
|
2017-01-13 00:31:28 +00:00
|
|
|
CBB body, ticket, extensions;
|
|
|
|
if (!ssl->method->init_message(ssl, &cbb, &body,
|
|
|
|
SSL3_MT_NEW_SESSION_TICKET) ||
|
|
|
|
!CBB_add_u32(&body, session->timeout) ||
|
|
|
|
!CBB_add_u32(&body, session->ticket_age_add) ||
|
|
|
|
!CBB_add_u16_length_prefixed(&body, &ticket) ||
|
|
|
|
!ssl_encrypt_ticket(ssl, &ticket, session) ||
|
|
|
|
!CBB_add_u16_length_prefixed(&body, &extensions)) {
|
2016-12-07 20:29:45 +00:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
2017-01-13 00:31:28 +00:00
|
|
|
if (ssl->ctx->enable_early_data) {
|
|
|
|
session->ticket_max_early_data = kMaxEarlyDataAccepted;
|
2016-10-07 20:19:18 +01:00
|
|
|
|
2017-01-13 00:31:28 +00:00
|
|
|
CBB early_data_info;
|
|
|
|
if (!CBB_add_u16(&extensions, TLSEXT_TYPE_ticket_early_data_info) ||
|
|
|
|
!CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||
|
|
|
|
!CBB_add_u32(&early_data_info, session->ticket_max_early_data) ||
|
|
|
|
!CBB_flush(&extensions)) {
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
}
|
2016-07-27 16:10:52 +01:00
|
|
|
|
2017-01-13 00:31:28 +00:00
|
|
|
/* Add a fake extension. See draft-davidben-tls-grease-01. */
|
|
|
|
if (!CBB_add_u16(&extensions,
|
|
|
|
ssl_get_grease_value(ssl, ssl_grease_ticket_extension)) ||
|
|
|
|
!CBB_add_u16(&extensions, 0 /* empty */)) {
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!ssl_add_message_cbb(ssl, &cbb)) {
|
|
|
|
goto err;
|
|
|
|
}
|
2016-11-03 21:19:16 +00:00
|
|
|
}
|
2016-07-27 16:10:52 +01:00
|
|
|
|
2017-01-13 00:31:28 +00:00
|
|
|
hs->session_tickets_sent++;
|
|
|
|
hs->tls13_state = state_done;
|
|
|
|
return ssl_hs_flush;
|
2016-10-07 20:19:18 +01:00
|
|
|
|
|
|
|
err:
|
|
|
|
CBB_cleanup(&cbb);
|
|
|
|
return ssl_hs_error;
|
2016-07-27 16:10:52 +01:00
|
|
|
}
|
|
|
|
|
2016-11-14 01:32:04 +00:00
|
|
|
enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {
|
2016-12-11 18:30:41 +00:00
|
|
|
while (hs->tls13_state != state_done) {
|
2016-07-11 18:19:03 +01:00
|
|
|
enum ssl_hs_wait_t ret = ssl_hs_error;
|
2016-12-11 18:30:41 +00:00
|
|
|
enum server_hs_state_t state = hs->tls13_state;
|
2016-07-11 18:19:03 +01:00
|
|
|
switch (state) {
|
2016-08-10 01:00:32 +01:00
|
|
|
case state_select_parameters:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_select_parameters(hs);
|
2016-08-10 01:00:32 +01:00
|
|
|
break;
|
2016-07-18 17:40:30 +01:00
|
|
|
case state_send_hello_retry_request:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_send_hello_retry_request(hs);
|
2016-07-18 17:40:30 +01:00
|
|
|
break;
|
|
|
|
case state_process_second_client_hello:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_process_second_client_hello(hs);
|
2016-07-18 17:40:30 +01:00
|
|
|
break;
|
2016-07-11 18:19:03 +01:00
|
|
|
case state_send_server_hello:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_send_server_hello(hs);
|
2016-07-11 18:19:03 +01:00
|
|
|
break;
|
|
|
|
case state_send_server_certificate_verify:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_send_server_certificate_verify(hs, 1 /* first run */);
|
2016-07-11 18:19:03 +01:00
|
|
|
break;
|
|
|
|
case state_complete_server_certificate_verify:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_send_server_certificate_verify(hs, 0 /* complete */);
|
2016-07-11 18:19:03 +01:00
|
|
|
break;
|
|
|
|
case state_send_server_finished:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_send_server_finished(hs);
|
2016-07-11 18:19:03 +01:00
|
|
|
break;
|
|
|
|
case state_process_client_certificate:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_process_client_certificate(hs);
|
2016-07-11 18:19:03 +01:00
|
|
|
break;
|
|
|
|
case state_process_client_certificate_verify:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_process_client_certificate_verify(hs);
|
2016-07-11 18:19:03 +01:00
|
|
|
break;
|
2016-09-24 00:25:11 +01:00
|
|
|
case state_process_channel_id:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_process_channel_id(hs);
|
2016-09-24 00:25:11 +01:00
|
|
|
break;
|
2016-07-11 18:19:03 +01:00
|
|
|
case state_process_client_finished:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_process_client_finished(hs);
|
2016-07-11 18:19:03 +01:00
|
|
|
break;
|
2016-07-27 16:10:52 +01:00
|
|
|
case state_send_new_session_ticket:
|
2016-11-14 01:32:04 +00:00
|
|
|
ret = do_send_new_session_ticket(hs);
|
2016-07-27 16:10:52 +01:00
|
|
|
break;
|
2016-07-11 18:19:03 +01:00
|
|
|
case state_done:
|
|
|
|
ret = ssl_hs_ok;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ret != ssl_hs_ok) {
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return ssl_hs_ok;
|
|
|
|
}
|