kris
/
boringssl
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2985 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: feff406782
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'feff406782'
${ noResults }
boringssl/ssl/tls13_server.c

484 regels
15 KiB
Ruw Blame Geschiedenis 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/bytestring.h>

  21. #include <openssl/digest.h>

  22. #include <openssl/err.h>

  23. #include <openssl/mem.h>

  24. #include <openssl/rand.h>

  25. #include <openssl/stack.h>

  26. 

  27. #include "internal.h"

  28. 

  29. 

  30. enum server_hs_state_t {

  31.   state_process_client_hello = 0,

  32.   state_send_server_hello,

  33.   state_send_encrypted_extensions,

  34.   state_send_certificate_request,

  35.   state_send_server_certificate,

  36.   state_send_server_certificate_verify,

  37.   state_complete_server_certificate_verify,

  38.   state_send_server_finished,

  39.   state_flush,

  40.   state_read_client_second_flight,

  41.   state_process_client_certificate,

  42.   state_process_client_certificate_verify,

  43.   state_process_client_finished,

  44.   state_done,

  45. };

  46. 

  47. static enum ssl_hs_wait_t do_process_client_hello(SSL *ssl, SSL_HANDSHAKE *hs) {

  48.   if (!tls13_check_message_type(ssl, SSL3_MT_CLIENT_HELLO)) {

  49.     return ssl_hs_error;

  50.   }

  51. 

  52.   struct ssl_early_callback_ctx early_ctx;

  53.   uint16_t client_wire_version;

  54.   CBS client_random, session_id, cipher_suites, compression_methods;

  55. 

  56.   memset(&early_ctx, 0, sizeof(early_ctx));

  57.   early_ctx.ssl = ssl;

  58.   early_ctx.client_hello = ssl->init_msg;

  59.   early_ctx.client_hello_len = ssl->init_num;

  60.   if (!ssl_early_callback_init(&early_ctx)) {

  61.     OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED);

  62.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  63.     return ssl_hs_error;

  64.   }

  65. 

  66.   CBS cbs;

  67.   CBS_init(&cbs, ssl->init_msg, ssl->init_num);

  68.   if (!CBS_get_u16(&cbs, &client_wire_version) ||

  69.       !CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE) ||

  70.       !CBS_get_u8_length_prefixed(&cbs, &session_id) ||

  71.       CBS_len(&session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) {

  72.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  73.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  74.     return ssl_hs_error;

  75.   }

  76. 

  77.   uint16_t min_version, max_version;

  78.   if (!ssl_get_version_range(ssl, &min_version, &max_version)) {

  79.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  80.     return ssl_hs_error;

  81.   }

  82. 

  83.   assert(ssl->s3->have_version);

  84. 

  85.   /* Load the client random. */

  86.   memcpy(ssl->s3->client_random, CBS_data(&client_random), SSL3_RANDOM_SIZE);

  87. 

  88.   ssl->hit = 0;

  89.   if (!ssl_get_new_session(ssl, 1 /* server */)) {

  90.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  91.     return ssl_hs_error;

  92.   }

  93. 

  94.   if (ssl->ctx->dos_protection_cb != NULL &&

  95.       ssl->ctx->dos_protection_cb(&early_ctx) == 0) {

  96.     /* Connection rejected for DOS reasons. */

  97.     OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);

  98.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ACCESS_DENIED);

  99.     return ssl_hs_error;

  100.   }

  101. 

  102.   if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites) ||

  103.       CBS_len(&cipher_suites) == 0 ||

  104.       CBS_len(&cipher_suites) % 2 != 0 ||

  105.       !CBS_get_u8_length_prefixed(&cbs, &compression_methods) ||

  106.       CBS_len(&compression_methods) == 0) {

  107.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  108.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  109.     return ssl_hs_error;

  110.   }

  111. 

  112.   /* TLS 1.3 requires the peer only advertise the null compression. */

  113.   if (CBS_len(&compression_methods) != 1 ||

  114.       CBS_data(&compression_methods)[0] != 0) {

  115.     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);

  116.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);

  117.     return ssl_hs_error;

  118.   }

  119. 

  120.   /* TLS extensions. */

  121.   if (!ssl_parse_clienthello_tlsext(ssl, &cbs)) {

  122.     OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);

  123.     return ssl_hs_error;

  124.   }

  125. 

  126.   /* There should be nothing left over in the message. */

  127.   if (CBS_len(&cbs) != 0) {

  128.     OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_PACKET_LENGTH);

  129.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

  130.     return ssl_hs_error;

  131.   }

  132. 

  133.   /* Let cert callback update server certificates if required.

  134.    *

  135.    * TODO(davidben): Can this get run earlier? */

  136.   if (ssl->cert->cert_cb != NULL) {

  137.     int rv = ssl->cert->cert_cb(ssl, ssl->cert->cert_cb_arg);

  138.     if (rv == 0) {

  139.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);

  140.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);

  141.       return ssl_hs_error;

  142.     }

  143.     if (rv < 0) {

  144.       hs->state = state_process_client_hello;

  145.       return ssl_hs_x509_lookup;

  146.     }

  147.   }

  148. 

  149.   STACK_OF(SSL_CIPHER) *ciphers =

  150.       ssl_bytes_to_cipher_list(ssl, &cipher_suites, max_version);

  151.   if (ciphers == NULL) {

  152.     return ssl_hs_error;

  153.   }

  154. 

  155.   const SSL_CIPHER *cipher =

  156.       ssl3_choose_cipher(ssl, ciphers, ssl_get_cipher_preferences(ssl));

  157.   sk_SSL_CIPHER_free(ciphers);

  158.   if (cipher == NULL) {

  159.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);

  160.     ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);

  161.     return ssl_hs_error;

  162.   }

  163. 

  164.   ssl->session->cipher = cipher;

  165.   ssl->s3->tmp.new_cipher = cipher;

  166. 

  167.   /* The PRF hash is now known. Set up the key schedule and hash the

  168.    * ClientHello. */

  169.   static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  170.   size_t hash_len =

  171.       EVP_MD_size(ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl)));

  172.   if (!tls13_init_key_schedule(ssl, kZeroes, hash_len)) {

  173.     return ssl_hs_error;

  174.   }

  175. 

  176.   /* Resolve PSK and incorporate it into the secret. */

  177.   if (cipher->algorithm_auth == SSL_aPSK) {

  178.     /* TODO(davidben): Support PSK. */

  179.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  180.     return ssl_hs_error;

  181.   } else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {

  182.     return ssl_hs_error;

  183.   }

  184. 

  185.   /* Resolve ECDHE and incorporate it into the secret. */

  186.   if (cipher->algorithm_mkey == SSL_kECDHE) {

  187.     const uint8_t *key_share_buf = NULL;

  188.     size_t key_share_len = 0;

  189.     CBS key_share;

  190.     if (!SSL_early_callback_ctx_extension_get(&early_ctx, TLSEXT_TYPE_key_share,

  191.                                               &key_share_buf, &key_share_len)) {

  192.       OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);

  193.       ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);

  194.       return ssl_hs_error;

  195.     }

  196. 

  197.     CBS_init(&key_share, key_share_buf, key_share_len);

  198.     uint8_t *dhe_secret;

  199.     size_t dhe_secret_len;

  200.     uint8_t alert;

  201.     if (!ext_key_share_parse_clienthello(ssl, &dhe_secret, &dhe_secret_len,

  202.                                          &alert, &key_share)) {

  203.       ssl3_send_alert(ssl, SSL3_AL_FATAL, alert);

  204.       return ssl_hs_error;

  205.     }

  206. 

  207.     int ok = tls13_advance_key_schedule(ssl, dhe_secret, dhe_secret_len);

  208.     OPENSSL_free(dhe_secret);

  209.     if (!ok) {

  210.       return ssl_hs_error;

  211.     }

  212.   } else if (!tls13_advance_key_schedule(ssl, kZeroes, hash_len)) {

  213.     return ssl_hs_error;

  214.   }

  215. 

  216.   hs->state = state_send_server_hello;

  217.   return ssl_hs_ok;

  218. }

  219. 

  220. static enum ssl_hs_wait_t do_send_server_hello(SSL *ssl, SSL_HANDSHAKE *hs) {

  221.   CBB cbb, body, extensions;

  222.   if (!ssl->method->init_message(ssl, &cbb, &body, SSL3_MT_SERVER_HELLO) ||

  223.       !CBB_add_u16(&body, ssl->version) ||

  224.       !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) ||

  225.       !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||

  226.       !CBB_add_u16(&body, ssl_cipher_get_value(ssl->s3->tmp.new_cipher)) ||

  227.       !CBB_add_u16_length_prefixed(&body, &extensions) ||

  228.       !ext_key_share_add_serverhello(ssl, &extensions) ||

  229.       !ssl->method->finish_message(ssl, &cbb)) {

  230.     CBB_cleanup(&cbb);

  231.     return ssl_hs_error;

  232.   }

  233. 

  234.   hs->state = state_send_encrypted_extensions;

  235.   return ssl_hs_write_message;

  236. }

  237. 

  238. static enum ssl_hs_wait_t do_send_encrypted_extensions(SSL *ssl,

  239.                                                        SSL_HANDSHAKE *hs) {

  240.   if (!tls13_set_handshake_traffic(ssl)) {

  241.     return ssl_hs_error;

  242.   }

  243. 

  244.   CBB cbb, body;

  245.   if (!ssl->method->init_message(ssl, &cbb, &body,

  246.                                  SSL3_MT_ENCRYPTED_EXTENSIONS) ||

  247.       !ssl_add_serverhello_tlsext(ssl, &body) ||

  248.       !ssl->method->finish_message(ssl, &cbb)) {

  249.     CBB_cleanup(&cbb);

  250.     return ssl_hs_error;

  251.   }

  252. 

  253.   hs->state = state_send_certificate_request;

  254.   return ssl_hs_write_message;

  255. }

  256. 

  257. static enum ssl_hs_wait_t do_send_certificate_request(SSL *ssl,

  258.                                                       SSL_HANDSHAKE *hs) {

  259.   /* Determine whether to request a client certificate. */

  260.   ssl->s3->tmp.cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER);

  261.   /* CertificateRequest may only be sent in certificate-based ciphers. */

  262.   if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {

  263.     ssl->s3->tmp.cert_request = 0;

  264.   }

  265. 

  266.   if (!ssl->s3->tmp.cert_request) {

  267.     /* Skip this state. */

  268.     hs->state = state_send_server_certificate;

  269.     return ssl_hs_ok;

  270.   }

  271. 

  272.   CBB cbb, body, sigalgs_cbb;

  273.   if (!ssl->method->init_message(ssl, &cbb, &body,

  274.                                  SSL3_MT_CERTIFICATE_REQUEST) ||

  275.       !CBB_add_u8(&body, 0 /* no certificate_request_context. */)) {

  276.     goto err;

  277.   }

  278. 

  279.   const uint16_t *sigalgs;

  280.   size_t sigalgs_len = tls12_get_psigalgs(ssl, &sigalgs);

  281.   if (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb)) {

  282.     goto err;

  283.   }

  284. 

  285.   for (size_t i = 0; i < sigalgs_len; i++) {

  286.     if (!CBB_add_u16(&sigalgs_cbb, sigalgs[i])) {

  287.       goto err;

  288.     }

  289.   }

  290. 

  291.   if (!ssl_add_client_CA_list(ssl, &body) ||

  292.       !CBB_add_u16(&body, 0 /* empty certificate_extensions. */) ||

  293.       !ssl->method->finish_message(ssl, &cbb)) {

  294.     goto err;

  295.   }

  296. 

  297.   hs->state = state_send_server_certificate;

  298.   return ssl_hs_write_message;

  299. 

  300. err:

  301.   CBB_cleanup(&cbb);

  302.   return ssl_hs_error;

  303. }

  304. 

  305. static enum ssl_hs_wait_t do_send_server_certificate(SSL *ssl,

  306.                                                      SSL_HANDSHAKE *hs) {

  307.   if (!ssl_cipher_uses_certificate_auth(ssl->s3->tmp.new_cipher)) {

  308.     hs->state = state_send_server_finished;

  309.     return ssl_hs_ok;

  310.   }

  311. 

  312.   if (!ssl_has_certificate(ssl)) {

  313.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET);

  314.     return ssl_hs_error;

  315.   }

  316. 

  317.   if (!tls13_prepare_certificate(ssl)) {

  318.     return ssl_hs_error;

  319.   }

  320. 

  321.   hs->state = state_send_server_certificate_verify;

  322.   return ssl_hs_write_message;

  323. }

  324. 

  325. static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL *ssl,

  326.                                                             SSL_HANDSHAKE *hs,

  327.                                                             int is_first_run) {

  328.   switch (tls13_prepare_certificate_verify(ssl, is_first_run)) {

  329.     case ssl_private_key_success:

  330.       hs->state = state_send_server_finished;

  331.       return ssl_hs_write_message;

  332. 

  333.     case ssl_private_key_retry:

  334.       hs->state = state_complete_server_certificate_verify;

  335.       return ssl_hs_private_key_operation;

  336. 

  337.     case ssl_private_key_failure:

  338.       return ssl_hs_error;

  339.   }

  340. 

  341.   assert(0);

  342.   return ssl_hs_error;

  343. }

  344. 

  345. static enum ssl_hs_wait_t do_send_server_finished(SSL *ssl, SSL_HANDSHAKE *hs) {

  346.   if (!tls13_prepare_finished(ssl)) {

  347.     return ssl_hs_error;

  348.   }

  349. 

  350.   hs->state = state_flush;

  351.   return ssl_hs_write_message;

  352. }

  353. 

  354. static enum ssl_hs_wait_t do_flush(SSL *ssl, SSL_HANDSHAKE *hs) {

  355.   hs->state = state_read_client_second_flight;

  356.   return ssl_hs_flush;

  357. }

  358. 

  359. static enum ssl_hs_wait_t do_read_client_second_flight(SSL *ssl,

  360.                                                        SSL_HANDSHAKE *hs) {

  361.   /* Update the secret to the master secret and derive traffic keys. */

  362.   static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0};

  363.   if (!tls13_advance_key_schedule(ssl, kZeroes, hs->hash_len) ||

  364.       !tls13_derive_traffic_secret_0(ssl) ||

  365.       !tls13_set_traffic_key(ssl, type_data, evp_aead_seal,

  366.                              hs->traffic_secret_0, hs->hash_len)) {

  367.     return ssl_hs_error;

  368.   }

  369. 

  370.   hs->state = state_process_client_certificate;

  371.   return ssl_hs_read_message;

  372. }

  373. 

  374. static enum ssl_hs_wait_t do_process_client_certificate(SSL *ssl,

  375.                                                         SSL_HANDSHAKE *hs) {

  376.   if (!ssl->s3->tmp.cert_request) {

  377.     /* Skip this state. */

  378.     hs->state = state_process_client_certificate_verify;

  379.     return ssl_hs_ok;

  380.   }

  381. 

  382.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE) ||

  383.       !tls13_process_certificate(ssl) ||

  384.       !ssl->method->hash_current_message(ssl)) {

  385.     return ssl_hs_error;

  386.   }

  387. 

  388.   hs->state = state_process_client_certificate_verify;

  389.   return ssl_hs_read_message;

  390. }

  391. 

  392. static enum ssl_hs_wait_t do_process_client_certificate_verify(

  393.     SSL *ssl, SSL_HANDSHAKE *hs) {

  394.   if (ssl->session->peer == NULL) {

  395.     /* Skip this state. */

  396.     hs->state = state_process_client_finished;

  397.     return ssl_hs_ok;

  398.   }

  399. 

  400.   if (!tls13_check_message_type(ssl, SSL3_MT_CERTIFICATE_VERIFY) ||

  401.       !tls13_process_certificate_verify(ssl) ||

  402.       !ssl->method->hash_current_message(ssl)) {

  403.     return 0;

  404.   }

  405. 

  406.   hs->state = state_process_client_finished;

  407.   return ssl_hs_read_message;

  408. }

  409. 

  410. static enum ssl_hs_wait_t do_process_client_finished(SSL *ssl,

  411.                                                      SSL_HANDSHAKE *hs) {

  412.   if (!tls13_check_message_type(ssl, SSL3_MT_FINISHED) ||

  413.       !tls13_process_finished(ssl) ||

  414.       !ssl->method->hash_current_message(ssl) ||

  415.       /* evp_aead_seal keys have already been switched. */

  416.       !tls13_set_traffic_key(ssl, type_data, evp_aead_open,

  417.                              hs->traffic_secret_0, hs->hash_len) ||

  418.       !tls13_finalize_keys(ssl)) {

  419.     return ssl_hs_error;

  420.   }

  421. 

  422.   hs->state = state_done;

  423.   return ssl_hs_ok;

  424. }

  425. 

  426. enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl) {

  427.   SSL_HANDSHAKE *hs = ssl->s3->hs;

  428. 

  429.   while (hs->state != state_done) {

  430.     enum ssl_hs_wait_t ret = ssl_hs_error;

  431.     enum server_hs_state_t state = hs->state;

  432.     switch (state) {

  433.       case state_process_client_hello:

  434.         ret = do_process_client_hello(ssl, hs);

  435.         break;

  436.       case state_send_server_hello:

  437.         ret = do_send_server_hello(ssl, hs);

  438.         break;

  439.       case state_send_encrypted_extensions:

  440.         ret = do_send_encrypted_extensions(ssl, hs);

  441.         break;

  442.       case state_send_certificate_request:

  443.         ret = do_send_certificate_request(ssl, hs);

  444.         break;

  445.       case state_send_server_certificate:

  446.         ret = do_send_server_certificate(ssl, hs);

  447.         break;

  448.       case state_send_server_certificate_verify:

  449.         ret = do_send_server_certificate_verify(ssl, hs, 1 /* first run */);

  450.       break;

  451.       case state_complete_server_certificate_verify:

  452.         ret = do_send_server_certificate_verify(ssl, hs, 0 /* complete */);

  453.       break;

  454.       case state_send_server_finished:

  455.         ret = do_send_server_finished(ssl, hs);

  456.         break;

  457.       case state_flush:

  458.         ret = do_flush(ssl, hs);

  459.         break;

  460.       case state_read_client_second_flight:

  461.         ret = do_read_client_second_flight(ssl, hs);

  462.         break;

  463.       case state_process_client_certificate:

  464.         ret = do_process_client_certificate(ssl, hs);

  465.         break;

  466.       case state_process_client_certificate_verify:

  467.         ret = do_process_client_certificate_verify(ssl, hs);

  468.         break;

  469.       case state_process_client_finished:

  470.         ret = do_process_client_finished(ssl, hs);

  471.         break;

  472.       case state_done:

  473.         ret = ssl_hs_ok;

  474.         break;

  475.     }

  476. 

  477.     if (ret != ssl_hs_ok) {

  478.       return ret;

  479.     }

  480.   }

  481. 

  482.   return ssl_hs_ok;

  483. }