kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
e907ed4c4b
boringssl/ssl/handoff.cc
Matthew Braithwaite d2ed382e64 Serialize SSL configuration in handoff and check it on application. 
A split SSL handshake may involve 2 binaries, potentially built at
different versions: call them the "handoff/handback" binary and the
"handshake" binary.  We would like to guarantee that the
handoff/handback binary does not make any promises that the handshake
binary cannot keep.

As a start, this commit serializes |kCiphers| to the handoff message.
When the handoff message is applied to an |SSL|, any configured
ciphers not listed in the handoff message will be removed, in order to
prevent them from being negotiated.

Subsequent commits will apply the same approach to other lists of features.

Change-Id: Idf6dbeadb750c076ab0509c09b9d3f22eb162b9c
Reviewed-on: https://boringssl-review.googlesource.com/c/29264
Reviewed-by: Matt Braithwaite <mab@google.com>
2018-11-02 19:45:42 +00:00

428 lines
15 KiB
C++
Raw Blame History

/* Copyright (c) 2018, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/ssl.h>
#include <openssl/bytestring.h>
#include "internal.h"
BSSL_NAMESPACE_BEGIN
constexpr int kHandoffVersion = 0;
constexpr int kHandbackVersion = 0;
// serialize_features adds a description of features supported by this binary to
// |out|. Returns true on success and false on error.
static bool serialize_features(CBB *out) {
CBB ciphers;
if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
return false;
}
Span<const SSL_CIPHER> all_ciphers = AllCiphers();
for (const SSL_CIPHER& cipher : all_ciphers) {
if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
return false;
}
}
return CBB_flush(out);
}
bool SSL_serialize_handoff(const SSL *ssl, CBB *out) {
const SSL3_STATE *const s3 = ssl->s3;
if (!ssl->server ||
s3->hs == nullptr ||
s3->rwstate != SSL_HANDOFF) {
return false;
}
CBB seq;
Span<const uint8_t> transcript = s3->hs->transcript.buffer();
if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
!CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
!CBB_add_asn1_octet_string(&seq,
reinterpret_cast<uint8_t *>(s3->hs_buf->data),
s3->hs_buf->length) ||
!serialize_features(&seq) ||
!CBB_flush(out)) {
return false;
}
return true;
}
bool SSL_decline_handoff(SSL *ssl) {
const SSL3_STATE *const s3 = ssl->s3;
if (!ssl->server ||
s3->hs == nullptr ||
s3->rwstate != SSL_HANDOFF) {
return false;
}
s3->hs->config->handoff = false;
return true;
}
// apply_remote_features reads a list of supported features from |in| and
// (possibly) reconfigures |ssl| to disallow the negotation of features whose
// support has not been indicated. (This prevents the the handshake from
// committing to features that are not supported on the handoff/handback side.)
static bool apply_remote_features(SSL *ssl, CBS *in) {
CBS ciphers;
if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
return false;
}
bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
while (CBS_len(&ciphers)) {
uint16_t id;
if (!CBS_get_u16(&ciphers, &id)) {
return false;
}
const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
if (!cipher) {
continue;
}
if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
return false;
}
}
STACK_OF(SSL_CIPHER) *configured =
ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
: ssl->ctx->cipher_list->ciphers.get();
bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
for (const SSL_CIPHER *configured_cipher : configured) {
if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
continue;
}
if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
return false;
}
}
if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
return false;
}
}
for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
ssl->config->cipher_list->Remove(unsupported_cipher);
}
return sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) > 0;
}
bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
if (ssl->method->is_dtls) {
return false;
}
CBS seq, handoff_cbs(handoff);
uint64_t handoff_version;
if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1_uint64(&seq, &handoff_version) ||
handoff_version != kHandoffVersion) {
return false;
}
CBS transcript, hs_buf;
if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
!apply_remote_features(ssl, &seq)) {
return false;
}
SSL_set_accept_state(ssl);
SSL3_STATE *const s3 = ssl->s3;
s3->v2_hello_done = true;
s3->has_message = true;
s3->hs_buf.reset(BUF_MEM_new());
if (!s3->hs_buf ||
!BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
return false;
}
if (CBS_len(&transcript) != 0) {
s3->hs->transcript.Update(transcript);
s3->is_v2_hello = true;
}
s3->hs->handback = true;
return true;
}
bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
if (!ssl->server || ssl->method->is_dtls) {
return false;
}
handback_t type;
switch (ssl->s3->hs->state) {
case state12_read_change_cipher_spec:
type = handback_after_session_resumption;
break;
case state12_read_client_certificate:
type = handback_after_ecdhe;
break;
case state12_finish_server_handshake:
type = handback_after_handshake;
break;
default:
return false;
}
const SSL3_STATE *const s3 = ssl->s3;
size_t hostname_len = 0;
if (s3->hostname) {
hostname_len = strlen(s3->hostname.get());
}
Span<const uint8_t> transcript;
if (type == handback_after_ecdhe ||
type == handback_after_session_resumption) {
transcript = s3->hs->transcript.buffer();
}
size_t write_iv_len = 0;
const uint8_t *write_iv = nullptr;
if ((type == handback_after_session_resumption ||
type == handback_after_handshake) &&
ssl->version == TLS1_VERSION &&
SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
!s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
return false;
}
size_t read_iv_len = 0;
const uint8_t *read_iv = nullptr;
if (type == handback_after_handshake &&
ssl->version == TLS1_VERSION &&
SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
!s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
return false;
}
// TODO(mab): make sure everything is serialized.
CBB seq, key_share;
const SSL_SESSION *session =
s3->session_reused ? ssl->session.get() : s3->hs->new_session.get();
if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
!CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
!CBB_add_asn1_uint64(&seq, type) ||
!CBB_add_asn1_octet_string(&seq, s3->read_sequence,
sizeof(s3->read_sequence)) ||
!CBB_add_asn1_octet_string(&seq, s3->write_sequence,
sizeof(s3->write_sequence)) ||
!CBB_add_asn1_octet_string(&seq, s3->server_random,
sizeof(s3->server_random)) ||
!CBB_add_asn1_octet_string(&seq, s3->client_random,
sizeof(s3->client_random)) ||
!CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
!CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
!CBB_add_asn1_bool(&seq, s3->session_reused) ||
!CBB_add_asn1_bool(&seq, s3->channel_id_valid) ||
!ssl_session_serialize(session, &seq) ||
!CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
s3->next_proto_negotiated.size()) ||
!CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
s3->alpn_selected.size()) ||
!CBB_add_asn1_octet_string(
&seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
hostname_len) ||
!CBB_add_asn1_octet_string(&seq, s3->channel_id,
sizeof(s3->channel_id)) ||
!CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||
!CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||
!CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
!CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
!CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
!CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
!CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
!CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
!CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
return false;
}
if (type == handback_after_ecdhe &&
!s3->hs->key_share->Serialize(&key_share)) {
return false;
}
return CBB_flush(out);
}
bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
if (ssl->do_handshake != nullptr ||
ssl->method->is_dtls) {
return false;
}
SSL3_STATE *const s3 = ssl->s3;
uint64_t handback_version, negotiated_token_binding_param, cipher, type;
CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
next_proto, alpn, hostname, channel_id, transcript, key_share;
int session_reused, channel_id_valid, cert_request, extended_master_secret,
ticket_expected, token_binding_negotiated, next_proto_neg_seen;
SSL_SESSION *session = nullptr;
CBS handback_cbs(handback);
if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
!CBS_get_asn1_uint64(&seq, &handback_version) ||
handback_version != kHandbackVersion ||
!CBS_get_asn1_uint64(&seq, &type)) {
return false;
}
if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
!CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
!CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
CBS_len(&server_rand) != sizeof(s3->server_random) ||
!CBS_copy_bytes(&server_rand, s3->server_random,
sizeof(s3->server_random)) ||
!CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
CBS_len(&client_rand) != sizeof(s3->client_random) ||
!CBS_copy_bytes(&client_rand, s3->client_random,
sizeof(s3->client_random)) ||
!CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1_bool(&seq, &session_reused) ||
!CBS_get_asn1_bool(&seq, &channel_id_valid)) {
return false;
}
s3->hs = ssl_handshake_new(ssl);
if (session_reused) {
ssl->session =
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
session = ssl->session.get();
} else {
s3->hs->new_session =
SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
session = s3->hs->new_session.get();
}
if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||
CBS_len(&channel_id) != sizeof(s3->channel_id) ||
!CBS_copy_bytes(&channel_id, s3->channel_id,
sizeof(s3->channel_id)) ||
!CBS_get_asn1_bool(&seq, &token_binding_negotiated) ||
!CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) ||
!CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
!CBS_get_asn1_bool(&seq, &cert_request) ||
!CBS_get_asn1_bool(&seq, &extended_master_secret) ||
!CBS_get_asn1_bool(&seq, &ticket_expected) ||
!CBS_get_asn1_uint64(&seq, &cipher)) {
return false;
}
if ((s3->hs->new_cipher =
SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
return false;
}
if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
!CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
return false;
}
ssl->version = session->ssl_version;
s3->have_version = true;
if (!ssl_method_supports_version(ssl->method, ssl->version) ||
session->cipher != s3->hs->new_cipher ||
ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
return false;
}
ssl->do_handshake = ssl_server_handshake;
ssl->server = true;
switch (type) {
case handback_after_session_resumption:
ssl->s3->hs->state = state12_read_change_cipher_spec;
if (!session_reused) {
return false;
}
break;
case handback_after_ecdhe:
ssl->s3->hs->state = state12_read_client_certificate;
if (session_reused) {
return false;
}
break;
case handback_after_handshake:
ssl->s3->hs->state = state12_finish_server_handshake;
break;
default:
return false;
}
s3->session_reused = session_reused;
s3->channel_id_valid = channel_id_valid;
s3->next_proto_negotiated.CopyFrom(next_proto);
s3->alpn_selected.CopyFrom(alpn);
const size_t hostname_len = CBS_len(&hostname);
if (hostname_len == 0) {
s3->hostname.reset();
} else {
char *hostname_str = nullptr;
if (!CBS_strdup(&hostname, &hostname_str)) {
return false;
}
s3->hostname.reset(hostname_str);
}
s3->token_binding_negotiated = token_binding_negotiated;
s3->negotiated_token_binding_param =
static_cast<uint8_t>(negotiated_token_binding_param);
s3->hs->next_proto_neg_seen = next_proto_neg_seen;
s3->hs->wait = ssl_hs_flush;
s3->hs->extended_master_secret = extended_master_secret;
s3->hs->ticket_expected = ticket_expected;
s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
s3->hs->cert_request = cert_request;
Array<uint8_t> key_block;
if ((type == handback_after_session_resumption ||
type == handback_after_handshake) &&
(!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
write_iv) ||
!CBS_copy_bytes(&write_seq, s3->write_sequence,
sizeof(s3->write_sequence)))) {
return false;
}
if (type == handback_after_handshake &&
(!tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,
read_iv) ||
!CBS_copy_bytes(&read_seq, s3->read_sequence,
sizeof(s3->read_sequence)))) {
return false;
}
if ((type == handback_after_ecdhe ||
type == handback_after_session_resumption) &&
(!s3->hs->transcript.Init() ||
!s3->hs->transcript.InitHash(ssl_protocol_version(ssl),
s3->hs->new_cipher) ||
!s3->hs->transcript.Update(transcript))) {
return false;
}
if (type == handback_after_ecdhe &&
(s3->hs->key_share = SSLKeyShare::Create(&key_share)) == nullptr) {
return false;
}
return CBS_len(&seq) == 0;
}
BSSL_NAMESPACE_END
Reference in New Issue View Git Blame Copy Permalink