kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5480 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 1eff9482ca
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1eff9482ca'
${ noResults }
boringssl/ssl/handoff.cc

363 lines
13 KiB
Raw Blame History 

  1. /* Copyright (c) 2018, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <openssl/bytestring.h>

  18. 

  19. #include "internal.h"

  20. 

  21. 

  22. BSSL_NAMESPACE_BEGIN

  23. 

  24. constexpr int kHandoffVersion = 0;

  25. constexpr int kHandbackVersion = 0;

  26. 

  27. bool SSL_serialize_handoff(const SSL *ssl, CBB *out) {

  28.   const SSL3_STATE *const s3 = ssl->s3;

  29.   if (!ssl->server ||

  30.       s3->hs == nullptr ||

  31.       s3->rwstate != SSL_HANDOFF) {

  32.     return false;

  33.   }

  34. 

  35.   CBB seq;

  36.   Span<const uint8_t> transcript = s3->hs->transcript.buffer();

  37.   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||

  38.       !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||

  39.       !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||

  40.       !CBB_add_asn1_octet_string(&seq,

  41.                                  reinterpret_cast<uint8_t *>(s3->hs_buf->data),

  42.                                  s3->hs_buf->length) ||

  43.       !CBB_flush(out)) {

  44.     return false;

  45.   }

  46. 

  47.   return true;

  48. }

  49. 

  50. bool SSL_decline_handoff(SSL *ssl) {

  51.   const SSL3_STATE *const s3 = ssl->s3;

  52.   if (!ssl->server ||

  53.       s3->hs == nullptr ||

  54.       s3->rwstate != SSL_HANDOFF) {

  55.     return false;

  56.   }

  57. 

  58.   s3->hs->config->handoff = false;

  59.   return true;

  60. }

  61. 

  62. bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {

  63.   if (ssl->method->is_dtls) {

  64.     return false;

  65.   }

  66. 

  67.   CBS seq, handoff_cbs(handoff);

  68.   uint64_t handoff_version;

  69.   if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||

  70.       !CBS_get_asn1_uint64(&seq, &handoff_version) ||

  71.       handoff_version != kHandoffVersion) {

  72.     return false;

  73.   }

  74. 

  75.   CBS transcript, hs_buf;

  76.   if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||

  77.       !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING)) {

  78.     return false;

  79.   }

  80. 

  81.   SSL_set_accept_state(ssl);

  82. 

  83.   SSL3_STATE *const s3 = ssl->s3;

  84.   s3->v2_hello_done = true;

  85.   s3->has_message = true;

  86. 

  87.   s3->hs_buf.reset(BUF_MEM_new());

  88.   if (!s3->hs_buf ||

  89.       !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {

  90.     return false;

  91.   }

  92. 

  93.   if (CBS_len(&transcript) != 0) {

  94.     s3->hs->transcript.Update(transcript);

  95.     s3->is_v2_hello = true;

  96.   }

  97.   s3->hs->handback = true;

  98. 

  99.   return true;

  100. }

  101. 

  102. bool SSL_serialize_handback(const SSL *ssl, CBB *out) {

  103.   if (!ssl->server || ssl->method->is_dtls) {

  104.     return false;

  105.   }

  106.   handback_t type;

  107.   switch (ssl->s3->hs->state) {

  108.     case state12_read_change_cipher_spec:

  109.       type = handback_after_session_resumption;

  110.       break;

  111.     case state12_read_client_certificate:

  112.       type = handback_after_ecdhe;

  113.       break;

  114.     case state12_finish_server_handshake:

  115.       type = handback_after_handshake;

  116.       break;

  117.     default:

  118.       return false;

  119.   }

  120. 

  121.   const SSL3_STATE *const s3 = ssl->s3;

  122.   size_t hostname_len = 0;

  123.   if (s3->hostname) {

  124.     hostname_len = strlen(s3->hostname.get());

  125.   }

  126. 

  127.   Span<const uint8_t> transcript;

  128.   if (type == handback_after_ecdhe ||

  129.       type == handback_after_session_resumption) {

  130.     transcript = s3->hs->transcript.buffer();

  131.   }

  132.   size_t write_iv_len = 0;

  133.   const uint8_t *write_iv = nullptr;

  134.   if ((type == handback_after_session_resumption ||

  135.        type == handback_after_handshake) &&

  136.       ssl->version == TLS1_VERSION &&

  137.       SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&

  138.       !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {

  139.     return false;

  140.   }

  141.   size_t read_iv_len = 0;

  142.   const uint8_t *read_iv = nullptr;

  143.   if (type == handback_after_handshake &&

  144.       ssl->version == TLS1_VERSION &&

  145.       SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&

  146.       !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {

  147.       return false;

  148.   }

  149. 

  150.   // TODO(mab): make sure everything is serialized.

  151.   CBB seq, key_share;

  152.   const SSL_SESSION *session =

  153.       s3->session_reused ? ssl->session.get() : s3->hs->new_session.get();

  154.   if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||

  155.       !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||

  156.       !CBB_add_asn1_uint64(&seq, type) ||

  157.       !CBB_add_asn1_octet_string(&seq, s3->read_sequence,

  158.                                  sizeof(s3->read_sequence)) ||

  159.       !CBB_add_asn1_octet_string(&seq, s3->write_sequence,

  160.                                  sizeof(s3->write_sequence)) ||

  161.       !CBB_add_asn1_octet_string(&seq, s3->server_random,

  162.                                  sizeof(s3->server_random)) ||

  163.       !CBB_add_asn1_octet_string(&seq, s3->client_random,

  164.                                  sizeof(s3->client_random)) ||

  165.       !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||

  166.       !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||

  167.       !CBB_add_asn1_bool(&seq, s3->session_reused) ||

  168.       !CBB_add_asn1_bool(&seq, s3->channel_id_valid) ||

  169.       !ssl_session_serialize(session, &seq) ||

  170.       !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),

  171.                                  s3->next_proto_negotiated.size()) ||

  172.       !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),

  173.                                  s3->alpn_selected.size()) ||

  174.       !CBB_add_asn1_octet_string(

  175.           &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),

  176.           hostname_len) ||

  177.       !CBB_add_asn1_octet_string(&seq, s3->channel_id,

  178.                                  sizeof(s3->channel_id)) ||

  179.       !CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||

  180.       !CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||

  181.       !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||

  182.       !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||

  183.       !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||

  184.       !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||

  185.       !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||

  186.       !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||

  187.       !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {

  188.     return false;

  189.   }

  190.   if (type == handback_after_ecdhe &&

  191.       !s3->hs->key_share->Serialize(&key_share)) {

  192.     return false;

  193.   }

  194.   return CBB_flush(out);

  195. }

  196. 

  197. bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {

  198.   if (ssl->do_handshake != nullptr ||

  199.       ssl->method->is_dtls) {

  200.     return false;

  201.   }

  202. 

  203.   SSL3_STATE *const s3 = ssl->s3;

  204.   uint64_t handback_version, negotiated_token_binding_param, cipher, type;

  205. 

  206.   CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,

  207.       next_proto, alpn, hostname, channel_id, transcript, key_share;

  208.   int session_reused, channel_id_valid, cert_request, extended_master_secret,

  209.       ticket_expected, token_binding_negotiated, next_proto_neg_seen;

  210.   SSL_SESSION *session = nullptr;

  211. 

  212.   CBS handback_cbs(handback);

  213.   if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||

  214.       !CBS_get_asn1_uint64(&seq, &handback_version) ||

  215.       handback_version != kHandbackVersion ||

  216.       !CBS_get_asn1_uint64(&seq, &type)) {

  217.     return false;

  218.   }

  219. 

  220.   if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||

  221.       CBS_len(&read_seq) != sizeof(s3->read_sequence) ||

  222.       !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||

  223.       CBS_len(&write_seq) != sizeof(s3->write_sequence) ||

  224.       !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||

  225.       CBS_len(&server_rand) != sizeof(s3->server_random) ||

  226.       !CBS_copy_bytes(&server_rand, s3->server_random,

  227.                       sizeof(s3->server_random)) ||

  228.       !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||

  229.       CBS_len(&client_rand) != sizeof(s3->client_random) ||

  230.       !CBS_copy_bytes(&client_rand, s3->client_random,

  231.                       sizeof(s3->client_random)) ||

  232.       !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||

  233.       !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||

  234.       !CBS_get_asn1_bool(&seq, &session_reused) ||

  235.       !CBS_get_asn1_bool(&seq, &channel_id_valid)) {

  236.     return false;

  237.   }

  238. 

  239.   s3->hs = ssl_handshake_new(ssl);

  240.   if (session_reused) {

  241.     ssl->session =

  242.         SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);

  243.     session = ssl->session.get();

  244.   } else {

  245.     s3->hs->new_session =

  246.         SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);

  247.     session = s3->hs->new_session.get();

  248.   }

  249. 

  250.   if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||

  251.       !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||

  252.       !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||

  253.       !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||

  254.       CBS_len(&channel_id) != sizeof(s3->channel_id) ||

  255.       !CBS_copy_bytes(&channel_id, s3->channel_id,

  256.                       sizeof(s3->channel_id)) ||

  257.       !CBS_get_asn1_bool(&seq, &token_binding_negotiated) ||

  258.       !CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) ||

  259.       !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||

  260.       !CBS_get_asn1_bool(&seq, &cert_request) ||

  261.       !CBS_get_asn1_bool(&seq, &extended_master_secret) ||

  262.       !CBS_get_asn1_bool(&seq, &ticket_expected) ||

  263.       !CBS_get_asn1_uint64(&seq, &cipher)) {

  264.     return false;

  265.   }

  266.   if ((s3->hs->new_cipher =

  267.            SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {

  268.     return false;

  269.   }

  270.   if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||

  271.       !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {

  272.     return false;

  273.   }

  274. 

  275.   ssl->version = session->ssl_version;

  276.   s3->have_version = true;

  277.   if (!ssl_method_supports_version(ssl->method, ssl->version) ||

  278.       session->cipher != s3->hs->new_cipher ||

  279.       ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||

  280.       SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {

  281.     return false;

  282.   }

  283.   ssl->do_handshake = ssl_server_handshake;

  284.   ssl->server = true;

  285.   switch (type) {

  286.     case handback_after_session_resumption:

  287.       ssl->s3->hs->state = state12_read_change_cipher_spec;

  288.       if (!session_reused) {

  289.         return false;

  290.       }

  291.       break;

  292.     case handback_after_ecdhe:

  293.       ssl->s3->hs->state = state12_read_client_certificate;

  294.       if (session_reused) {

  295.         return false;

  296.       }

  297.       break;

  298.     case handback_after_handshake:

  299.       ssl->s3->hs->state = state12_finish_server_handshake;

  300.       break;

  301.     default:

  302.       return false;

  303.   }

  304.   s3->session_reused = session_reused;

  305.   s3->channel_id_valid = channel_id_valid;

  306.   s3->next_proto_negotiated.CopyFrom(next_proto);

  307.   s3->alpn_selected.CopyFrom(alpn);

  308. 

  309.   const size_t hostname_len = CBS_len(&hostname);

  310.   if (hostname_len == 0) {

  311.     s3->hostname.reset();

  312.   } else {

  313.     char *hostname_str = nullptr;

  314.     if (!CBS_strdup(&hostname, &hostname_str)) {

  315.       return false;

  316.     }

  317.     s3->hostname.reset(hostname_str);

  318.   }

  319. 

  320.   s3->token_binding_negotiated = token_binding_negotiated;

  321.   s3->negotiated_token_binding_param =

  322.       static_cast<uint8_t>(negotiated_token_binding_param);

  323.   s3->hs->next_proto_neg_seen = next_proto_neg_seen;

  324.   s3->hs->wait = ssl_hs_flush;

  325.   s3->hs->extended_master_secret = extended_master_secret;

  326.   s3->hs->ticket_expected = ticket_expected;

  327.   s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);

  328.   s3->hs->cert_request = cert_request;

  329. 

  330.   Array<uint8_t> key_block;

  331.   if ((type == handback_after_session_resumption ||

  332.        type == handback_after_handshake) &&

  333.       (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,

  334.                             write_iv) ||

  335.        !CBS_copy_bytes(&write_seq, s3->write_sequence,

  336.                        sizeof(s3->write_sequence)))) {

  337.     return false;

  338.   }

  339.   if (type == handback_after_handshake &&

  340.       (!tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,

  341.                             read_iv) ||

  342.        !CBS_copy_bytes(&read_seq, s3->read_sequence,

  343.                        sizeof(s3->read_sequence)))) {

  344.     return false;

  345.   }

  346.   if ((type == handback_after_ecdhe ||

  347.        type == handback_after_session_resumption) &&

  348.       (!s3->hs->transcript.Init() ||

  349.        !s3->hs->transcript.InitHash(ssl_protocol_version(ssl),

  350.                                     s3->hs->new_cipher) ||

  351.        !s3->hs->transcript.Update(transcript))) {

  352.     return false;

  353.   }

  354.   if (type == handback_after_ecdhe &&

  355.       (s3->hs->key_share = SSLKeyShare::Create(&key_share)) == nullptr) {

  356.     return false;

  357.   }

  358. 

  359.   return CBS_len(&seq) == 0;

  360. }

  361. 

  362. BSSL_NAMESPACE_END