kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
5480 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Struktur: 1eff9482ca
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „1eff9482ca“
${ noResults }
boringssl/ssl/tls13_server.cc

1032 Zeilen
34 KiB
Originalformat Blame Verlauf 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. // Per C99, various stdint.h macros are unavailable in C++ unless some macros

  16. // are defined. C++11 overruled this decision, but older Android NDKs still

  17. // require it.

  18. #if !defined(__STDC_LIMIT_MACROS)

  19. #define __STDC_LIMIT_MACROS

  20. #endif

  21. 

  22. #include <openssl/ssl.h>

  23. 

  24. #include <assert.h>

  25. #include <string.h>

  26. 

  27. #include <openssl/aead.h>

  28. #include <openssl/bytestring.h>

  29. #include <openssl/digest.h>

  30. #include <openssl/err.h>

  31. #include <openssl/mem.h>

  32. #include <openssl/rand.h>

  33. #include <openssl/stack.h>

  34. 

  35. #include "../crypto/internal.h"

  36. #include "internal.h"

  37. 

  38. 

  39. BSSL_NAMESPACE_BEGIN

  40. 

  41. enum server_hs_state_t {

  42.   state_select_parameters = 0,

  43.   state_select_session,

  44.   state_send_hello_retry_request,

  45.   state_read_second_client_hello,

  46.   state_send_server_hello,

  47.   state_send_server_certificate_verify,

  48.   state_send_server_finished,

  49.   state_read_second_client_flight,

  50.   state_process_end_of_early_data,

  51.   state_read_client_certificate,

  52.   state_read_client_certificate_verify,

  53.   state_read_channel_id,

  54.   state_read_client_finished,

  55.   state_send_new_session_ticket,

  56.   state_done,

  57. };

  58. 

  59. static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  60. 

  61. static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry,

  62.                                 SSL_CLIENT_HELLO *client_hello) {

  63.   SSL *const ssl = hs->ssl;

  64.   *out_need_retry = false;

  65. 

  66.   // We only support connections that include an ECDHE key exchange.

  67.   CBS key_share;

  68.   if (!ssl_client_hello_get_extension(client_hello, &key_share,

  69.                                       TLSEXT_TYPE_key_share)) {

  70.     OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  71.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  72.     return 0;

  73.   }

  74. 

  75.   bool found_key_share;

  76.   Array<uint8_t> dhe_secret;

  77.   uint8_t alert = SSL_AD_DECODE_ERROR;

  78.   if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret,

  79.                                            &alert, &key_share)) {

  80.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  81.     return 0;

  82.   }

  83. 

  84.   if (!found_key_share) {

  85.     *out_need_retry = true;

  86.     return 0;

  87.   }

  88. 

  89.   return tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size());

  90. }

  91. 

  92. static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,

  93.                                                       CBB *out) {

  94.   CBB contents;

  95.   if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) ||

  96.       !CBB_add_u16_length_prefixed(out, &contents) ||

  97.       !CBB_add_u16(&contents, hs->ssl->version) ||

  98.       !CBB_flush(out)) {

  99.     return 0;

  100.   }

  101. 

  102.   return 1;

  103. }

  104. 

  105. static const SSL_CIPHER *choose_tls13_cipher(

  106.     const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) {

  107.   if (client_hello->cipher_suites_len % 2 != 0) {

  108.     return NULL;

  109.   }

  110. 

  111.   CBS cipher_suites;

  112.   CBS_init(&cipher_suites, client_hello->cipher_suites,

  113.            client_hello->cipher_suites_len);

  114. 

  115.   const int aes_is_fine = EVP_has_aes_hardware();

  116.   const uint16_t version = ssl_protocol_version(ssl);

  117. 

  118.   const SSL_CIPHER *best = NULL;

  119.   while (CBS_len(&cipher_suites) > 0) {

  120.     uint16_t cipher_suite;

  121.     if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {

  122.       return NULL;

  123.     }

  124. 

  125.     // Limit to TLS 1.3 ciphers we know about.

  126.     const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite);

  127.     if (candidate == NULL ||

  128.         SSL_CIPHER_get_min_version(candidate) > version ||

  129.         SSL_CIPHER_get_max_version(candidate) < version) {

  130.       continue;

  131.     }

  132. 

  133.     // TLS 1.3 removes legacy ciphers, so honor the client order, but prefer

  134.     // ChaCha20 if we do not have AES hardware.

  135.     if (aes_is_fine) {

  136.       return candidate;

  137.     }

  138. 

  139.     if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) {

  140.       return candidate;

  141.     }

  142. 

  143.     if (best == NULL) {

  144.       best = candidate;

  145.     }

  146.   }

  147. 

  148.   return best;

  149. }

  150. 

  151. static bool add_new_session_tickets(SSL_HANDSHAKE *hs, bool *out_sent_tickets) {

  152.   SSL *const ssl = hs->ssl;

  153.   if (// If the client doesn't accept resumption with PSK_DHE_KE, don't send a

  154.       // session ticket.

  155.       !hs->accept_psk_mode ||

  156.       // We only implement stateless resumption in TLS 1.3, so skip sending

  157.       // tickets if disabled.

  158.       (SSL_get_options(ssl) & SSL_OP_NO_TICKET)) {

  159.     *out_sent_tickets = false;

  160.     return true;

  161.   }

  162. 

  163.   // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case

  164.   // the client makes several connections before getting a renewal.

  165.   static const int kNumTickets = 2;

  166. 

  167.   // Rebase the session timestamp so that it is measured from ticket

  168.   // issuance.

  169.   ssl_session_rebase_time(ssl, hs->new_session.get());

  170. 

  171.   for (int i = 0; i < kNumTickets; i++) {

  172.     UniquePtr<SSL_SESSION> session(

  173.         SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH));

  174.     if (!session) {

  175.       return false;

  176.     }

  177. 

  178.     if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) {

  179.       return false;

  180.     }

  181.     session->ticket_age_add_valid = true;

  182.     if (ssl->enable_early_data) {

  183.       session->ticket_max_early_data = kMaxEarlyDataAccepted;

  184.     }

  185. 

  186.     static_assert(kNumTickets < 256, "Too many tickets");

  187.     uint8_t nonce[] = {static_cast<uint8_t>(i)};

  188. 

  189.     ScopedCBB cbb;

  190.     CBB body, nonce_cbb, ticket, extensions;

  191.     if (!ssl->method->init_message(ssl, cbb.get(), &body,

  192.                                    SSL3_MT_NEW_SESSION_TICKET) ||

  193.         !CBB_add_u32(&body, session->timeout) ||

  194.         !CBB_add_u32(&body, session->ticket_age_add) ||

  195.         !CBB_add_u8_length_prefixed(&body, &nonce_cbb) ||

  196.         !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) ||

  197.         !CBB_add_u16_length_prefixed(&body, &ticket) ||

  198.         !tls13_derive_session_psk(session.get(), nonce) ||

  199.         !ssl_encrypt_ticket(hs, &ticket, session.get()) ||

  200.         !CBB_add_u16_length_prefixed(&body, &extensions)) {

  201.       return false;

  202.     }

  203. 

  204.     if (ssl->enable_early_data) {

  205.       CBB early_data_info;

  206.       if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) ||

  207.           !CBB_add_u16_length_prefixed(&extensions, &early_data_info) ||

  208.           !CBB_add_u32(&early_data_info, session->ticket_max_early_data) ||

  209.           !CBB_flush(&extensions)) {

  210.         return false;

  211.       }

  212.     }

  213. 

  214.     // Add a fake extension. See draft-davidben-tls-grease-01.

  215.     if (!CBB_add_u16(&extensions,

  216.                      ssl_get_grease_value(hs, ssl_grease_ticket_extension)) ||

  217.         !CBB_add_u16(&extensions, 0 /* empty */)) {

  218.       return false;

  219.     }

  220. 

  221.     if (!ssl_add_message_cbb(ssl, cbb.get())) {

  222.       return false;

  223.     }

  224.   }

  225. 

  226.   *out_sent_tickets = true;

  227.   return true;

  228. }

  229. 

  230. static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {

  231.   // At this point, most ClientHello extensions have already been processed by

  232.   // the common handshake logic. Resolve the remaining non-PSK parameters.

  233.   SSL *const ssl = hs->ssl;

  234.   SSLMessage msg;

  235.   if (!ssl->method->get_message(ssl, &msg)) {

  236.     return ssl_hs_read_message;

  237.   }

  238.   SSL_CLIENT_HELLO client_hello;

  239.   if (!ssl_client_hello_init(ssl, &client_hello, msg)) {

  240.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  241.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  242.     return ssl_hs_error;

  243.   }

  244. 

  245.   OPENSSL_memcpy(hs->session_id, client_hello.session_id,

  246.                  client_hello.session_id_len);

  247.   hs->session_id_len = client_hello.session_id_len;

  248. 

  249.   // Negotiate the cipher suite.

  250.   hs->new_cipher = choose_tls13_cipher(ssl, &client_hello);

  251.   if (hs->new_cipher == NULL) {

  252.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);

  253.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

  254.     return ssl_hs_error;

  255.   }

  256. 

  257.   // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was

  258.   // deferred. Complete it now.

  259.   uint8_t alert = SSL_AD_DECODE_ERROR;

  260.   if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {

  261.     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  262.     return ssl_hs_error;

  263.   }

  264. 

  265.   // The PRF hash is now known. Set up the key schedule and hash the

  266.   // ClientHello.

  267.   if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) {

  268.     return ssl_hs_error;

  269.   }

  270. 

  271.   if (!ssl_hash_message(hs, msg)) {

  272.     return ssl_hs_error;

  273.   }

  274. 

  275.   hs->tls13_state = state_select_session;

  276.   return ssl_hs_ok;

  277. }

  278. 

  279. static enum ssl_ticket_aead_result_t select_session(

  280.     SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session,

  281.     int32_t *out_ticket_age_skew, const SSLMessage &msg,

  282.     const SSL_CLIENT_HELLO *client_hello) {

  283.   SSL *const ssl = hs->ssl;

  284.   *out_session = NULL;

  285. 

  286.   // Decode the ticket if we agreed on a PSK key exchange mode.

  287.   CBS pre_shared_key;

  288.   if (!hs->accept_psk_mode ||

  289.       !ssl_client_hello_get_extension(client_hello, &pre_shared_key,

  290.                                       TLSEXT_TYPE_pre_shared_key)) {

  291.     return ssl_ticket_aead_ignore_ticket;

  292.   }

  293. 

  294.   // Verify that the pre_shared_key extension is the last extension in

  295.   // ClientHello.

  296.   if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) !=

  297.       client_hello->extensions + client_hello->extensions_len) {

  298.     OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST);

  299.     *out_alert = SSL_AD_ILLEGAL_PARAMETER;

  300.     return ssl_ticket_aead_error;

  301.   }

  302. 

  303.   CBS ticket, binders;

  304.   uint32_t client_ticket_age;

  305.   if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &ticket, &binders,

  306.                                                 &client_ticket_age, out_alert,

  307.                                                 &pre_shared_key)) {

  308.     return ssl_ticket_aead_error;

  309.   }

  310. 

  311.   // TLS 1.3 session tickets are renewed separately as part of the

  312.   // NewSessionTicket.

  313.   bool unused_renew;

  314.   UniquePtr<SSL_SESSION> session;

  315.   enum ssl_ticket_aead_result_t ret =

  316.       ssl_process_ticket(hs, &session, &unused_renew, ticket, {});

  317.   switch (ret) {

  318.     case ssl_ticket_aead_success:

  319.       break;

  320.     case ssl_ticket_aead_error:

  321.       *out_alert = SSL_AD_INTERNAL_ERROR;

  322.       return ret;

  323.     default:

  324.       return ret;

  325.   }

  326. 

  327.   if (!ssl_session_is_resumable(hs, session.get()) ||

  328.       // Historically, some TLS 1.3 tickets were missing ticket_age_add.

  329.       !session->ticket_age_add_valid) {

  330.     return ssl_ticket_aead_ignore_ticket;

  331.   }

  332. 

  333.   // Recover the client ticket age and convert to seconds.

  334.   client_ticket_age -= session->ticket_age_add;

  335.   client_ticket_age /= 1000;

  336. 

  337.   struct OPENSSL_timeval now;

  338.   ssl_get_current_time(ssl, &now);

  339. 

  340.   // Compute the server ticket age in seconds.

  341.   assert(now.tv_sec >= session->time);

  342.   uint64_t server_ticket_age = now.tv_sec - session->time;

  343. 

  344.   // To avoid overflowing |hs->ticket_age_skew|, we will not resume

  345.   // 68-year-old sessions.

  346.   if (server_ticket_age > INT32_MAX) {

  347.     return ssl_ticket_aead_ignore_ticket;

  348.   }

  349. 

  350.   // TODO(davidben,svaldez): Measure this value to decide on tolerance. For

  351.   // now, accept all values. https://crbug.com/boringssl/113.

  352.   *out_ticket_age_skew =

  353.       (int32_t)client_ticket_age - (int32_t)server_ticket_age;

  354. 

  355.   // Check the PSK binder.

  356.   if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) {

  357.     *out_alert = SSL_AD_DECRYPT_ERROR;

  358.     return ssl_ticket_aead_error;

  359.   }

  360. 

  361.   *out_session = std::move(session);

  362.   return ssl_ticket_aead_success;

  363. }

  364. 

  365. static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) {

  366.   SSL *const ssl = hs->ssl;

  367.   SSLMessage msg;

  368.   if (!ssl->method->get_message(ssl, &msg)) {

  369.     return ssl_hs_read_message;

  370.   }

  371.   SSL_CLIENT_HELLO client_hello;

  372.   if (!ssl_client_hello_init(ssl, &client_hello, msg)) {

  373.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  374.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  375.     return ssl_hs_error;

  376.   }

  377. 

  378.   uint8_t alert = SSL_AD_DECODE_ERROR;

  379.   UniquePtr<SSL_SESSION> session;

  380.   switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew, msg,

  381.                          &client_hello)) {

  382.     case ssl_ticket_aead_ignore_ticket:

  383.       assert(!session);

  384.       if (!ssl_get_new_session(hs, 1 /* server */)) {

  385.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  386.         return ssl_hs_error;

  387.       }

  388.       break;

  389. 

  390.     case ssl_ticket_aead_success:

  391.       // Carry over authentication information from the previous handshake into

  392.       // a fresh session.

  393.       hs->new_session =

  394.           SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY);

  395. 

  396.       if (ssl->enable_early_data &&

  397.           // Early data must be acceptable for this ticket.

  398.           session->ticket_max_early_data != 0 &&

  399.           // The client must have offered early data.

  400.           hs->early_data_offered &&

  401.           // Channel ID is incompatible with 0-RTT.

  402.           !ssl->s3->channel_id_valid &&

  403.           // If Token Binding is negotiated, reject 0-RTT.

  404.           !ssl->s3->token_binding_negotiated &&

  405.           // The negotiated ALPN must match the one in the ticket.

  406.           MakeConstSpan(ssl->s3->alpn_selected) == session->early_alpn) {

  407.         ssl->s3->early_data_accepted = true;

  408.       }

  409. 

  410.       if (hs->new_session == NULL) {

  411.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  412.         return ssl_hs_error;

  413.       }

  414. 

  415.       ssl->s3->session_reused = true;

  416. 

  417.       // Resumption incorporates fresh key material, so refresh the timeout.

  418.       ssl_session_renew_timeout(ssl, hs->new_session.get(),

  419.                                 ssl->session_ctx->session_psk_dhe_timeout);

  420.       break;

  421. 

  422.     case ssl_ticket_aead_error:

  423.       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);

  424.       return ssl_hs_error;

  425. 

  426.     case ssl_ticket_aead_retry:

  427.       hs->tls13_state = state_select_session;

  428.       return ssl_hs_pending_ticket;

  429.   }

  430. 

  431.   // Record connection properties in the new session.

  432.   hs->new_session->cipher = hs->new_cipher;

  433. 

  434.   // Store the initial negotiated ALPN in the session.

  435.   if (!hs->new_session->early_alpn.CopyFrom(ssl->s3->alpn_selected)) {

  436.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  437.     return ssl_hs_error;

  438.   }

  439. 

  440.   if (ssl->ctx->dos_protection_cb != NULL &&

  441.       ssl->ctx->dos_protection_cb(&client_hello) == 0) {

  442.     // Connection rejected for DOS reasons.

  443.     OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);

  444.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  445.     return ssl_hs_error;

  446.   }

  447. 

  448.   size_t hash_len = EVP_MD_size(

  449.       ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher));

  450. 

  451.   // Set up the key schedule and incorporate the PSK into the running secret.

  452.   if (ssl->s3->session_reused) {

  453.     if (!tls13_init_key_schedule(hs, hs->new_session->master_key,

  454.                                     hs->new_session->master_key_length)) {

  455.       return ssl_hs_error;

  456.     }

  457.   } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) {

  458.     return ssl_hs_error;

  459.   }

  460. 

  461.   if (ssl->s3->early_data_accepted) {

  462.     if (!tls13_derive_early_secrets(hs)) {

  463.       return ssl_hs_error;

  464.     }

  465.   } else if (hs->early_data_offered) {

  466.     ssl->s3->skip_early_data = true;

  467.   }

  468. 

  469.   // Resolve ECDHE and incorporate it into the secret.

  470.   bool need_retry;

  471.   if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {

  472.     if (need_retry) {

  473.       ssl->s3->early_data_accepted = false;

  474.       ssl->s3->skip_early_data = true;

  475.       ssl->method->next_message(ssl);

  476.       if (!hs->transcript.UpdateForHelloRetryRequest()) {

  477.         return ssl_hs_error;

  478.       }

  479.       hs->tls13_state = state_send_hello_retry_request;

  480.       return ssl_hs_ok;

  481.     }

  482.     return ssl_hs_error;

  483.   }

  484. 

  485.   ssl->method->next_message(ssl);

  486.   hs->tls13_state = state_send_server_hello;

  487.   return ssl_hs_ok;

  488. }

  489. 

  490. static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {

  491.   SSL *const ssl = hs->ssl;

  492. 

  493. 

  494.   ScopedCBB cbb;

  495.   CBB body, session_id, extensions;

  496.   uint16_t group_id;

  497.   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||

  498.       !CBB_add_u16(&body, TLS1_2_VERSION) ||

  499.       !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||

  500.       !CBB_add_u8_length_prefixed(&body, &session_id) ||

  501.       !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||

  502.       !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||

  503.       !CBB_add_u8(&body, 0 /* no compression */) ||

  504.       !tls1_get_shared_group(hs, &group_id) ||

  505.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  506.       !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) ||

  507.       !CBB_add_u16(&extensions, 2 /* length */) ||

  508.       !CBB_add_u16(&extensions, ssl->version) ||

  509.       !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) ||

  510.       !CBB_add_u16(&extensions, 2 /* length */) ||

  511.       !CBB_add_u16(&extensions, group_id) ||

  512.       !ssl_add_message_cbb(ssl, cbb.get())) {

  513.     return ssl_hs_error;

  514.   }

  515. 

  516.   if (!ssl->method->add_change_cipher_spec(ssl)) {

  517.     return ssl_hs_error;

  518.   }

  519. 

  520.   hs->sent_hello_retry_request = true;

  521.   hs->tls13_state = state_read_second_client_hello;

  522.   return ssl_hs_flush;

  523. }

  524. 

  525. static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) {

  526.   SSL *const ssl = hs->ssl;

  527.   SSLMessage msg;

  528.   if (!ssl->method->get_message(ssl, &msg)) {

  529.     return ssl_hs_read_message;

  530.   }

  531.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {

  532.     return ssl_hs_error;

  533.   }

  534.   SSL_CLIENT_HELLO client_hello;

  535.   if (!ssl_client_hello_init(ssl, &client_hello, msg)) {

  536.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  537.     ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  538.     return ssl_hs_error;

  539.   }

  540. 

  541.   bool need_retry;

  542.   if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) {

  543.     if (need_retry) {

  544.       // Only send one HelloRetryRequest.

  545.       ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  546.       OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);

  547.     }

  548.     return ssl_hs_error;

  549.   }

  550. 

  551.   if (!ssl_hash_message(hs, msg)) {

  552.     return ssl_hs_error;

  553.   }

  554. 

  555.   ssl->method->next_message(ssl);

  556.   hs->tls13_state = state_send_server_hello;

  557.   return ssl_hs_ok;

  558. }

  559. 

  560. static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {

  561.   SSL *const ssl = hs->ssl;

  562. 

  563.   // Send a ServerHello.

  564.   ScopedCBB cbb;

  565.   CBB body, extensions, session_id;

  566.   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||

  567.       !CBB_add_u16(&body, TLS1_2_VERSION) ||

  568.       !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||

  569.       !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||

  570.       !CBB_add_u8_length_prefixed(&body, &session_id) ||

  571.       !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||

  572.       !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||

  573.       !CBB_add_u8(&body, 0) ||

  574.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  575.       !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||

  576.       !ssl_ext_key_share_add_serverhello(hs, &extensions) ||

  577.       !ssl_ext_supported_versions_add_serverhello(hs, &extensions) ||

  578.       !ssl_add_message_cbb(ssl, cbb.get())) {

  579.     return ssl_hs_error;

  580.   }

  581. 

  582.   if (!hs->sent_hello_retry_request &&

  583.       !ssl->method->add_change_cipher_spec(ssl)) {

  584.     return ssl_hs_error;

  585.   }

  586. 

  587.   // Derive and enable the handshake traffic secrets.

  588.   if (!tls13_derive_handshake_secrets(hs) ||

  589.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret,

  590.                              hs->hash_len)) {

  591.     return ssl_hs_error;

  592.   }

  593. 

  594.   // Send EncryptedExtensions.

  595.   if (!ssl->method->init_message(ssl, cbb.get(), &body,

  596.                                  SSL3_MT_ENCRYPTED_EXTENSIONS) ||

  597.       !ssl_add_serverhello_tlsext(hs, &body) ||

  598.       !ssl_add_message_cbb(ssl, cbb.get())) {

  599.     return ssl_hs_error;

  600.   }

  601. 

  602.   if (!ssl->s3->session_reused) {

  603.     // Determine whether to request a client certificate.

  604.     hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);

  605.     // Only request a certificate if Channel ID isn't negotiated.

  606.     if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&

  607.         ssl->s3->channel_id_valid) {

  608.       hs->cert_request = false;

  609.     }

  610.   }

  611. 

  612.   // Send a CertificateRequest, if necessary.

  613.   if (hs->cert_request) {

  614.     CBB cert_request_extensions, sigalg_contents, sigalgs_cbb;

  615.     if (!ssl->method->init_message(ssl, cbb.get(), &body,

  616.                                    SSL3_MT_CERTIFICATE_REQUEST) ||

  617.         !CBB_add_u8(&body, 0 /* no certificate_request_context. */) ||

  618.         !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) ||

  619.         !CBB_add_u16(&cert_request_extensions,

  620.                      TLSEXT_TYPE_signature_algorithms) ||

  621.         !CBB_add_u16_length_prefixed(&cert_request_extensions,

  622.                                      &sigalg_contents) ||

  623.         !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||

  624.         !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb,

  625.                                   false /* online signature */)) {

  626.       return ssl_hs_error;

  627.     }

  628. 

  629.     if (tls12_has_different_verify_sigalgs_for_certs(ssl)) {

  630.       if (!CBB_add_u16(&cert_request_extensions,

  631.                        TLSEXT_TYPE_signature_algorithms_cert) ||

  632.           !CBB_add_u16_length_prefixed(&cert_request_extensions,

  633.                                        &sigalg_contents) ||

  634.           !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) ||

  635.           !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb, true /* certs */)) {

  636.         return ssl_hs_error;

  637.       }

  638.     }

  639. 

  640.     if (ssl_has_client_CAs(hs->config)) {

  641.       CBB ca_contents;

  642.       if (!CBB_add_u16(&cert_request_extensions,

  643.                        TLSEXT_TYPE_certificate_authorities) ||

  644.           !CBB_add_u16_length_prefixed(&cert_request_extensions,

  645.                                        &ca_contents) ||

  646.           !ssl_add_client_CA_list(hs, &ca_contents) ||

  647.           !CBB_flush(&cert_request_extensions)) {

  648.         return ssl_hs_error;

  649.       }

  650.     }

  651. 

  652.     if (!ssl_add_message_cbb(ssl, cbb.get())) {

  653.       return ssl_hs_error;

  654.     }

  655.   }

  656. 

  657.   // Send the server Certificate message, if necessary.

  658.   if (!ssl->s3->session_reused) {

  659.     if (!ssl_has_certificate(hs->config)) {

  660.       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);

  661.       return ssl_hs_error;

  662.     }

  663. 

  664.     if (!tls13_add_certificate(hs)) {

  665.       return ssl_hs_error;

  666.     }

  667. 

  668.     hs->tls13_state = state_send_server_certificate_verify;

  669.     return ssl_hs_ok;

  670.   }

  671. 

  672.   hs->tls13_state = state_send_server_finished;

  673.   return ssl_hs_ok;

  674. }

  675. 

  676. static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) {

  677.   switch (tls13_add_certificate_verify(hs)) {

  678.     case ssl_private_key_success:

  679.       hs->tls13_state = state_send_server_finished;

  680.       return ssl_hs_ok;

  681. 

  682.     case ssl_private_key_retry:

  683.       hs->tls13_state = state_send_server_certificate_verify;

  684.       return ssl_hs_private_key_operation;

  685. 

  686.     case ssl_private_key_failure:

  687.       return ssl_hs_error;

  688.   }

  689. 

  690.   assert(0);

  691.   return ssl_hs_error;

  692. }

  693. 

  694. static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {

  695.   SSL *const ssl = hs->ssl;

  696.   if (!tls13_add_finished(hs) ||

  697.       // Update the secret to the master secret and derive traffic keys.

  698.       !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) ||

  699.       !tls13_derive_application_secrets(hs) ||

  700.       !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0,

  701.                              hs->hash_len)) {

  702.     return ssl_hs_error;

  703.   }

  704. 

  705.   if (ssl->s3->early_data_accepted) {

  706.     // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on

  707.     // the wire sooner and also avoids triggering a write on |SSL_read| when

  708.     // processing the client Finished. This requires computing the client

  709.     // Finished early. See RFC 8446, section 4.6.1.

  710.     static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,

  711.                                                0, 0};

  712.     if (!hs->transcript.Update(kEndOfEarlyData)) {

  713.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  714.       return ssl_hs_error;

  715.     }

  716. 

  717.     size_t finished_len;

  718.     if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len,

  719.                             false /* client */)) {

  720.       return ssl_hs_error;

  721.     }

  722. 

  723.     if (finished_len != hs->hash_len) {

  724.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  725.       return ssl_hs_error;

  726.     }

  727. 

  728.     // Feed the predicted Finished into the transcript. This allows us to derive

  729.     // the resumption secret early and send half-RTT tickets.

  730.     //

  731.     // TODO(davidben): This will need to be updated for DTLS 1.3.

  732.     assert(!SSL_is_dtls(hs->ssl));

  733.     assert(hs->hash_len <= 0xff);

  734.     uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0,

  735.                          static_cast<uint8_t>(hs->hash_len)};

  736.     bool unused_sent_tickets;

  737.     if (!hs->transcript.Update(header) ||

  738.         !hs->transcript.Update(

  739.             MakeConstSpan(hs->expected_client_finished, hs->hash_len)) ||

  740.         !tls13_derive_resumption_secret(hs) ||

  741.         !add_new_session_tickets(hs, &unused_sent_tickets)) {

  742.       return ssl_hs_error;

  743.     }

  744.   }

  745. 

  746.   hs->tls13_state = state_read_second_client_flight;

  747.   return ssl_hs_flush;

  748. }

  749. 

  750. static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {

  751.   SSL *const ssl = hs->ssl;

  752.   if (ssl->s3->early_data_accepted) {

  753.     if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->early_traffic_secret,

  754.                                hs->hash_len)) {

  755.       return ssl_hs_error;

  756.     }

  757.     hs->can_early_write = true;

  758.     hs->can_early_read = true;

  759.     hs->in_early_data = true;

  760.   }

  761.   hs->tls13_state = state_process_end_of_early_data;

  762.   return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data

  763.                                       : ssl_hs_ok;

  764. }

  765. 

  766. static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) {

  767.   SSL *const ssl = hs->ssl;

  768.   if (hs->early_data_offered) {

  769.     // If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec

  770.     // message will be in the discarded early data.

  771.     if (hs->ssl->s3->early_data_accepted) {

  772.       SSLMessage msg;

  773.       if (!ssl->method->get_message(ssl, &msg)) {

  774.         return ssl_hs_read_message;

  775.       }

  776. 

  777.       if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) {

  778.         return ssl_hs_error;

  779.       }

  780.       if (CBS_len(&msg.body) != 0) {

  781.         ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  782.         OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  783.         return ssl_hs_error;

  784.       }

  785.       ssl->method->next_message(ssl);

  786.     }

  787.   }

  788.   if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret,

  789.                              hs->hash_len)) {

  790.     return ssl_hs_error;

  791.   }

  792.   hs->tls13_state = ssl->s3->early_data_accepted

  793.                         ? state_read_client_finished

  794.                         : state_read_client_certificate;

  795.   return ssl_hs_ok;

  796. }

  797. 

  798. static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {

  799.   SSL *const ssl = hs->ssl;

  800.   if (!hs->cert_request) {

  801.     // OpenSSL returns X509_V_OK when no certificates are requested. This is

  802.     // classed by them as a bug, but it's assumed by at least NGINX.

  803.     hs->new_session->verify_result = X509_V_OK;

  804. 

  805.     // Skip this state.

  806.     hs->tls13_state = state_read_channel_id;

  807.     return ssl_hs_ok;

  808.   }

  809. 

  810.   const bool allow_anonymous =

  811.       (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0;

  812.   SSLMessage msg;

  813.   if (!ssl->method->get_message(ssl, &msg)) {

  814.     return ssl_hs_read_message;

  815.   }

  816.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) ||

  817.       !tls13_process_certificate(hs, msg, allow_anonymous) ||

  818.       !ssl_hash_message(hs, msg)) {

  819.     return ssl_hs_error;

  820.   }

  821. 

  822.   ssl->method->next_message(ssl);

  823.   hs->tls13_state = state_read_client_certificate_verify;

  824.   return ssl_hs_ok;

  825. }

  826. 

  827. static enum ssl_hs_wait_t do_read_client_certificate_verify(

  828.     SSL_HANDSHAKE *hs) {

  829.   SSL *const ssl = hs->ssl;

  830.   if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {

  831.     // Skip this state.

  832.     hs->tls13_state = state_read_channel_id;

  833.     return ssl_hs_ok;

  834.   }

  835. 

  836.   SSLMessage msg;

  837.   if (!ssl->method->get_message(ssl, &msg)) {

  838.     return ssl_hs_read_message;

  839.   }

  840. 

  841.   switch (ssl_verify_peer_cert(hs)) {

  842.     case ssl_verify_ok:

  843.       break;

  844.     case ssl_verify_invalid:

  845.       return ssl_hs_error;

  846.     case ssl_verify_retry:

  847.       hs->tls13_state = state_read_client_certificate_verify;

  848.       return ssl_hs_certificate_verify;

  849.   }

  850. 

  851.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) ||

  852.       !tls13_process_certificate_verify(hs, msg) ||

  853.       !ssl_hash_message(hs, msg)) {

  854.     return ssl_hs_error;

  855.   }

  856. 

  857.   ssl->method->next_message(ssl);

  858.   hs->tls13_state = state_read_channel_id;

  859.   return ssl_hs_ok;

  860. }

  861. 

  862. static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {

  863.   SSL *const ssl = hs->ssl;

  864.   if (!ssl->s3->channel_id_valid) {

  865.     hs->tls13_state = state_read_client_finished;

  866.     return ssl_hs_ok;

  867.   }

  868. 

  869.   SSLMessage msg;

  870.   if (!ssl->method->get_message(ssl, &msg)) {

  871.     return ssl_hs_read_message;

  872.   }

  873.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||

  874.       !tls1_verify_channel_id(hs, msg) ||

  875.       !ssl_hash_message(hs, msg)) {

  876.     return ssl_hs_error;

  877.   }

  878. 

  879.   ssl->method->next_message(ssl);

  880.   hs->tls13_state = state_read_client_finished;

  881.   return ssl_hs_ok;

  882. }

  883. 

  884. static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {

  885.   SSL *const ssl = hs->ssl;

  886.   SSLMessage msg;

  887.   if (!ssl->method->get_message(ssl, &msg)) {

  888.     return ssl_hs_read_message;

  889.   }

  890.   if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) ||

  891.       // If early data was accepted, we've already computed the client Finished

  892.       // and derived the resumption secret.

  893.       !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) ||

  894.       // evp_aead_seal keys have already been switched.

  895.       !tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0,

  896.                              hs->hash_len)) {

  897.     return ssl_hs_error;

  898.   }

  899. 

  900.   if (!ssl->s3->early_data_accepted) {

  901.     if (!ssl_hash_message(hs, msg) ||

  902.         !tls13_derive_resumption_secret(hs)) {

  903.       return ssl_hs_error;

  904.     }

  905. 

  906.     // We send post-handshake tickets as part of the handshake in 1-RTT.

  907.     hs->tls13_state = state_send_new_session_ticket;

  908.   } else {

  909.     // We already sent half-RTT tickets.

  910.     hs->tls13_state = state_done;

  911.   }

  912. 

  913.   ssl->method->next_message(ssl);

  914.   return ssl_hs_ok;

  915. }

  916. 

  917. static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) {

  918.   bool sent_tickets;

  919.   if (!add_new_session_tickets(hs, &sent_tickets)) {

  920.     return ssl_hs_error;

  921.   }

  922. 

  923.   hs->tls13_state = state_done;

  924.   return sent_tickets ? ssl_hs_flush : ssl_hs_ok;

  925. }

  926. 

  927. enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) {

  928.   while (hs->tls13_state != state_done) {

  929.     enum ssl_hs_wait_t ret = ssl_hs_error;

  930.     enum server_hs_state_t state =

  931.         static_cast<enum server_hs_state_t>(hs->tls13_state);

  932.     switch (state) {

  933.       case state_select_parameters:

  934.         ret = do_select_parameters(hs);

  935.         break;

  936.       case state_select_session:

  937.         ret = do_select_session(hs);

  938.         break;

  939.       case state_send_hello_retry_request:

  940.         ret = do_send_hello_retry_request(hs);

  941.         break;

  942.       case state_read_second_client_hello:

  943.         ret = do_read_second_client_hello(hs);

  944.         break;

  945.       case state_send_server_hello:

  946.         ret = do_send_server_hello(hs);

  947.         break;

  948.       case state_send_server_certificate_verify:

  949.         ret = do_send_server_certificate_verify(hs);

  950.         break;

  951.       case state_send_server_finished:

  952.         ret = do_send_server_finished(hs);

  953.         break;

  954.       case state_read_second_client_flight:

  955.         ret = do_read_second_client_flight(hs);

  956.         break;

  957.       case state_process_end_of_early_data:

  958.         ret = do_process_end_of_early_data(hs);

  959.         break;

  960.       case state_read_client_certificate:

  961.         ret = do_read_client_certificate(hs);

  962.         break;

  963.       case state_read_client_certificate_verify:

  964.         ret = do_read_client_certificate_verify(hs);

  965.         break;

  966.       case state_read_channel_id:

  967.         ret = do_read_channel_id(hs);

  968.         break;

  969.       case state_read_client_finished:

  970.         ret = do_read_client_finished(hs);

  971.         break;

  972.       case state_send_new_session_ticket:

  973.         ret = do_send_new_session_ticket(hs);

  974.         break;

  975.       case state_done:

  976.         ret = ssl_hs_ok;

  977.         break;

  978.     }

  979. 

  980.     if (hs->tls13_state != state) {

  981.       ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);

  982.     }

  983. 

  984.     if (ret != ssl_hs_ok) {

  985.       return ret;

  986.     }

  987.   }

  988. 

  989.   return ssl_hs_ok;

  990. }

  991. 

  992. const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) {

  993.   enum server_hs_state_t state =

  994.       static_cast<enum server_hs_state_t>(hs->tls13_state);

  995.   switch (state) {

  996.     case state_select_parameters:

  997.       return "TLS 1.3 server select_parameters";

  998.     case state_select_session:

  999.       return "TLS 1.3 server select_session";

  1000.     case state_send_hello_retry_request:

  1001.       return "TLS 1.3 server send_hello_retry_request";

  1002.     case state_read_second_client_hello:

  1003.       return "TLS 1.3 server read_second_client_hello";

  1004.     case state_send_server_hello:

  1005.       return "TLS 1.3 server send_server_hello";

  1006.     case state_send_server_certificate_verify:

  1007.       return "TLS 1.3 server send_server_certificate_verify";

  1008.     case state_send_server_finished:

  1009.       return "TLS 1.3 server send_server_finished";

  1010.     case state_read_second_client_flight:

  1011.       return "TLS 1.3 server read_second_client_flight";

  1012.     case state_process_end_of_early_data:

  1013.       return "TLS 1.3 server process_end_of_early_data";

  1014.     case state_read_client_certificate:

  1015.       return "TLS 1.3 server read_client_certificate";

  1016.     case state_read_client_certificate_verify:

  1017.       return "TLS 1.3 server read_client_certificate_verify";

  1018.     case state_read_channel_id:

  1019.       return "TLS 1.3 server read_channel_id";

  1020.     case state_read_client_finished:

  1021.       return "TLS 1.3 server read_client_finished";

  1022.     case state_send_new_session_ticket:

  1023.       return "TLS 1.3 server send_new_session_ticket";

  1024.     case state_done:

  1025.       return "TLS 1.3 server done";

  1026.   }

  1027. 

  1028.   return "TLS 1.3 server unknown";

  1029. }

  1030. 

  1031. BSSL_NAMESPACE_END