1 /* Copyright (c) 2016, Google Inc. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 // Per C99, various stdint.h macros are unavailable in C++ unless some macros 16 // are defined. C++11 overruled this decision, but older Android NDKs still 17 // require it. 18 #if !defined(__STDC_LIMIT_MACROS) 19 #define __STDC_LIMIT_MACROS 20 #endif 21 22 #include <openssl/ssl.h> 23 24 #include <assert.h> 25 #include <string.h> 26 27 #include <openssl/aead.h> 28 #include <openssl/bytestring.h> 29 #include <openssl/digest.h> 30 #include <openssl/err.h> 31 #include <openssl/mem.h> 32 #include <openssl/rand.h> 33 #include <openssl/stack.h> 34 35 #include "../crypto/internal.h" 36 #include "internal.h" 37 38 39 namespace bssl { 40 41 enum server_hs_state_t { 42 state_select_parameters = 0, 43 state_select_session, 44 state_send_hello_retry_request, 45 state_read_second_client_hello, 46 state_send_server_hello, 47 state_send_server_certificate_verify, 48 state_send_server_finished, 49 state_read_second_client_flight, 50 state_process_end_of_early_data, 51 state_read_client_certificate, 52 state_read_client_certificate_verify, 53 state_read_channel_id, 54 state_read_client_finished, 55 state_send_new_session_ticket, 56 state_done, 57 }; 58 59 static const uint8_t kZeroes[EVP_MAX_MD_SIZE] = {0}; 60 61 static int resolve_ecdhe_secret(SSL_HANDSHAKE *hs, bool *out_need_retry, 62 SSL_CLIENT_HELLO *client_hello) { 63 SSL *const ssl = hs->ssl; 64 *out_need_retry = false; 65 66 // We only support connections that include an ECDHE key exchange. 67 CBS key_share; 68 if (!ssl_client_hello_get_extension(client_hello, &key_share, 69 TLSEXT_TYPE_key_share)) { 70 OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE); 71 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION); 72 return 0; 73 } 74 75 bool found_key_share; 76 Array<uint8_t> dhe_secret; 77 uint8_t alert = SSL_AD_DECODE_ERROR; 78 if (!ssl_ext_key_share_parse_clienthello(hs, &found_key_share, &dhe_secret, 79 &alert, &key_share)) { 80 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 81 return 0; 82 } 83 84 if (!found_key_share) { 85 *out_need_retry = true; 86 return 0; 87 } 88 89 return tls13_advance_key_schedule(hs, dhe_secret.data(), dhe_secret.size()); 90 } 91 92 static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs, 93 CBB *out) { 94 CBB contents; 95 if (!CBB_add_u16(out, TLSEXT_TYPE_supported_versions) || 96 !CBB_add_u16_length_prefixed(out, &contents) || 97 !CBB_add_u16(&contents, hs->ssl->version) || 98 !CBB_flush(out)) { 99 return 0; 100 } 101 102 return 1; 103 } 104 105 static const SSL_CIPHER *choose_tls13_cipher( 106 const SSL *ssl, const SSL_CLIENT_HELLO *client_hello) { 107 if (client_hello->cipher_suites_len % 2 != 0) { 108 return NULL; 109 } 110 111 CBS cipher_suites; 112 CBS_init(&cipher_suites, client_hello->cipher_suites, 113 client_hello->cipher_suites_len); 114 115 const int aes_is_fine = EVP_has_aes_hardware(); 116 const uint16_t version = ssl_protocol_version(ssl); 117 118 const SSL_CIPHER *best = NULL; 119 while (CBS_len(&cipher_suites) > 0) { 120 uint16_t cipher_suite; 121 if (!CBS_get_u16(&cipher_suites, &cipher_suite)) { 122 return NULL; 123 } 124 125 // Limit to TLS 1.3 ciphers we know about. 126 const SSL_CIPHER *candidate = SSL_get_cipher_by_value(cipher_suite); 127 if (candidate == NULL || 128 SSL_CIPHER_get_min_version(candidate) > version || 129 SSL_CIPHER_get_max_version(candidate) < version) { 130 continue; 131 } 132 133 // TLS 1.3 removes legacy ciphers, so honor the client order, but prefer 134 // ChaCha20 if we do not have AES hardware. 135 if (aes_is_fine) { 136 return candidate; 137 } 138 139 if (candidate->algorithm_enc == SSL_CHACHA20POLY1305) { 140 return candidate; 141 } 142 143 if (best == NULL) { 144 best = candidate; 145 } 146 } 147 148 return best; 149 } 150 151 static int add_new_session_tickets(SSL_HANDSHAKE *hs) { 152 SSL *const ssl = hs->ssl; 153 // TLS 1.3 recommends single-use tickets, so issue multiple tickets in case 154 // the client makes several connections before getting a renewal. 155 static const int kNumTickets = 2; 156 157 // Rebase the session timestamp so that it is measured from ticket 158 // issuance. 159 ssl_session_rebase_time(ssl, hs->new_session.get()); 160 161 for (int i = 0; i < kNumTickets; i++) { 162 UniquePtr<SSL_SESSION> session( 163 SSL_SESSION_dup(hs->new_session.get(), SSL_SESSION_INCLUDE_NONAUTH)); 164 if (!session) { 165 return 0; 166 } 167 168 if (!RAND_bytes((uint8_t *)&session->ticket_age_add, 4)) { 169 return 0; 170 } 171 session->ticket_age_add_valid = 1; 172 if (ssl->cert->enable_early_data) { 173 session->ticket_max_early_data = kMaxEarlyDataAccepted; 174 } 175 176 static_assert(kNumTickets < 256, "Too many tickets"); 177 uint8_t nonce[] = {static_cast<uint8_t>(i)}; 178 179 ScopedCBB cbb; 180 CBB body, nonce_cbb, ticket, extensions; 181 if (!ssl->method->init_message(ssl, cbb.get(), &body, 182 SSL3_MT_NEW_SESSION_TICKET) || 183 !CBB_add_u32(&body, session->timeout) || 184 !CBB_add_u32(&body, session->ticket_age_add) || 185 !CBB_add_u8_length_prefixed(&body, &nonce_cbb) || 186 !CBB_add_bytes(&nonce_cbb, nonce, sizeof(nonce)) || 187 !CBB_add_u16_length_prefixed(&body, &ticket) || 188 !tls13_derive_session_psk(session.get(), nonce) || 189 !ssl_encrypt_ticket(ssl, &ticket, session.get()) || 190 !CBB_add_u16_length_prefixed(&body, &extensions)) { 191 return 0; 192 } 193 194 if (ssl->cert->enable_early_data) { 195 CBB early_data_info; 196 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_early_data) || 197 !CBB_add_u16_length_prefixed(&extensions, &early_data_info) || 198 !CBB_add_u32(&early_data_info, session->ticket_max_early_data) || 199 !CBB_flush(&extensions)) { 200 return 0; 201 } 202 } 203 204 // Add a fake extension. See draft-davidben-tls-grease-01. 205 if (!CBB_add_u16(&extensions, 206 ssl_get_grease_value(hs, ssl_grease_ticket_extension)) || 207 !CBB_add_u16(&extensions, 0 /* empty */)) { 208 return 0; 209 } 210 211 if (!ssl_add_message_cbb(ssl, cbb.get())) { 212 return 0; 213 } 214 } 215 216 return 1; 217 } 218 219 static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) { 220 // At this point, most ClientHello extensions have already been processed by 221 // the common handshake logic. Resolve the remaining non-PSK parameters. 222 SSL *const ssl = hs->ssl; 223 SSLMessage msg; 224 if (!ssl->method->get_message(ssl, &msg)) { 225 return ssl_hs_read_message; 226 } 227 SSL_CLIENT_HELLO client_hello; 228 if (!ssl_client_hello_init(ssl, &client_hello, msg)) { 229 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED); 230 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 231 return ssl_hs_error; 232 } 233 234 OPENSSL_memcpy(hs->session_id, client_hello.session_id, 235 client_hello.session_id_len); 236 hs->session_id_len = client_hello.session_id_len; 237 238 // Negotiate the cipher suite. 239 hs->new_cipher = choose_tls13_cipher(ssl, &client_hello); 240 if (hs->new_cipher == NULL) { 241 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER); 242 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); 243 return ssl_hs_error; 244 } 245 246 // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was 247 // deferred. Complete it now. 248 uint8_t alert = SSL_AD_DECODE_ERROR; 249 if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) { 250 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 251 return ssl_hs_error; 252 } 253 254 // The PRF hash is now known. Set up the key schedule and hash the 255 // ClientHello. 256 if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher)) { 257 return ssl_hs_error; 258 } 259 260 if (!ssl_hash_message(hs, msg)) { 261 return ssl_hs_error; 262 } 263 264 hs->tls13_state = state_select_session; 265 return ssl_hs_ok; 266 } 267 268 static enum ssl_ticket_aead_result_t select_session( 269 SSL_HANDSHAKE *hs, uint8_t *out_alert, UniquePtr<SSL_SESSION> *out_session, 270 int32_t *out_ticket_age_skew, const SSLMessage &msg, 271 const SSL_CLIENT_HELLO *client_hello) { 272 SSL *const ssl = hs->ssl; 273 *out_session = NULL; 274 275 // Decode the ticket if we agreed on a PSK key exchange mode. 276 CBS pre_shared_key; 277 if (!hs->accept_psk_mode || 278 !ssl_client_hello_get_extension(client_hello, &pre_shared_key, 279 TLSEXT_TYPE_pre_shared_key)) { 280 return ssl_ticket_aead_ignore_ticket; 281 } 282 283 // Verify that the pre_shared_key extension is the last extension in 284 // ClientHello. 285 if (CBS_data(&pre_shared_key) + CBS_len(&pre_shared_key) != 286 client_hello->extensions + client_hello->extensions_len) { 287 OPENSSL_PUT_ERROR(SSL, SSL_R_PRE_SHARED_KEY_MUST_BE_LAST); 288 *out_alert = SSL_AD_ILLEGAL_PARAMETER; 289 return ssl_ticket_aead_error; 290 } 291 292 CBS ticket, binders; 293 uint32_t client_ticket_age; 294 if (!ssl_ext_pre_shared_key_parse_clienthello(hs, &ticket, &binders, 295 &client_ticket_age, out_alert, 296 &pre_shared_key)) { 297 return ssl_ticket_aead_error; 298 } 299 300 // TLS 1.3 session tickets are renewed separately as part of the 301 // NewSessionTicket. 302 bool unused_renew; 303 UniquePtr<SSL_SESSION> session; 304 enum ssl_ticket_aead_result_t ret = 305 ssl_process_ticket(ssl, &session, &unused_renew, CBS_data(&ticket), 306 CBS_len(&ticket), NULL, 0); 307 switch (ret) { 308 case ssl_ticket_aead_success: 309 break; 310 case ssl_ticket_aead_error: 311 *out_alert = SSL_AD_INTERNAL_ERROR; 312 return ret; 313 default: 314 return ret; 315 } 316 317 if (!ssl_session_is_resumable(hs, session.get()) || 318 // Historically, some TLS 1.3 tickets were missing ticket_age_add. 319 !session->ticket_age_add_valid) { 320 return ssl_ticket_aead_ignore_ticket; 321 } 322 323 // Recover the client ticket age and convert to seconds. 324 client_ticket_age -= session->ticket_age_add; 325 client_ticket_age /= 1000; 326 327 struct OPENSSL_timeval now; 328 ssl_get_current_time(ssl, &now); 329 330 // Compute the server ticket age in seconds. 331 assert(now.tv_sec >= session->time); 332 uint64_t server_ticket_age = now.tv_sec - session->time; 333 334 // To avoid overflowing |hs->ticket_age_skew|, we will not resume 335 // 68-year-old sessions. 336 if (server_ticket_age > INT32_MAX) { 337 return ssl_ticket_aead_ignore_ticket; 338 } 339 340 // TODO(davidben,svaldez): Measure this value to decide on tolerance. For 341 // now, accept all values. https://crbug.com/boringssl/113. 342 *out_ticket_age_skew = 343 (int32_t)client_ticket_age - (int32_t)server_ticket_age; 344 345 // Check the PSK binder. 346 if (!tls13_verify_psk_binder(hs, session.get(), msg, &binders)) { 347 *out_alert = SSL_AD_DECRYPT_ERROR; 348 return ssl_ticket_aead_error; 349 } 350 351 *out_session = std::move(session); 352 return ssl_ticket_aead_success; 353 } 354 355 static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { 356 SSL *const ssl = hs->ssl; 357 SSLMessage msg; 358 if (!ssl->method->get_message(ssl, &msg)) { 359 return ssl_hs_read_message; 360 } 361 SSL_CLIENT_HELLO client_hello; 362 if (!ssl_client_hello_init(ssl, &client_hello, msg)) { 363 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED); 364 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 365 return ssl_hs_error; 366 } 367 368 uint8_t alert = SSL_AD_DECODE_ERROR; 369 UniquePtr<SSL_SESSION> session; 370 switch (select_session(hs, &alert, &session, &ssl->s3->ticket_age_skew, msg, 371 &client_hello)) { 372 case ssl_ticket_aead_ignore_ticket: 373 assert(!session); 374 if (!ssl_get_new_session(hs, 1 /* server */)) { 375 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 376 return ssl_hs_error; 377 } 378 break; 379 380 case ssl_ticket_aead_success: 381 // Carry over authentication information from the previous handshake into 382 // a fresh session. 383 hs->new_session = 384 SSL_SESSION_dup(session.get(), SSL_SESSION_DUP_AUTH_ONLY); 385 386 if (ssl->cert->enable_early_data && 387 // Early data must be acceptable for this ticket. 388 session->ticket_max_early_data != 0 && 389 // The client must have offered early data. 390 hs->early_data_offered && 391 // Channel ID is incompatible with 0-RTT. 392 !ssl->s3->tlsext_channel_id_valid && 393 // If Token Binding is negotiated, reject 0-RTT. 394 !ssl->token_binding_negotiated && 395 // Custom extensions is incompatible with 0-RTT. 396 hs->custom_extensions.received == 0 && 397 // The negotiated ALPN must match the one in the ticket. 398 ssl->s3->alpn_selected == 399 MakeConstSpan(session->early_alpn, session->early_alpn_len)) { 400 ssl->s3->early_data_accepted = true; 401 } 402 403 if (hs->new_session == NULL) { 404 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 405 return ssl_hs_error; 406 } 407 408 ssl->s3->session_reused = true; 409 410 // Resumption incorporates fresh key material, so refresh the timeout. 411 ssl_session_renew_timeout(ssl, hs->new_session.get(), 412 ssl->session_ctx->session_psk_dhe_timeout); 413 break; 414 415 case ssl_ticket_aead_error: 416 ssl_send_alert(ssl, SSL3_AL_FATAL, alert); 417 return ssl_hs_error; 418 419 case ssl_ticket_aead_retry: 420 hs->tls13_state = state_select_session; 421 return ssl_hs_pending_ticket; 422 } 423 424 // Record connection properties in the new session. 425 hs->new_session->cipher = hs->new_cipher; 426 427 // Store the initial negotiated ALPN in the session. 428 if (!ssl->s3->alpn_selected.empty()) { 429 hs->new_session->early_alpn = (uint8_t *)BUF_memdup( 430 ssl->s3->alpn_selected.data(), ssl->s3->alpn_selected.size()); 431 if (hs->new_session->early_alpn == NULL) { 432 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 433 return ssl_hs_error; 434 } 435 hs->new_session->early_alpn_len = ssl->s3->alpn_selected.size(); 436 } 437 438 if (ssl->ctx->dos_protection_cb != NULL && 439 ssl->ctx->dos_protection_cb(&client_hello) == 0) { 440 // Connection rejected for DOS reasons. 441 OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED); 442 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); 443 return ssl_hs_error; 444 } 445 446 size_t hash_len = EVP_MD_size( 447 ssl_get_handshake_digest(ssl_protocol_version(ssl), hs->new_cipher)); 448 449 // Set up the key schedule and incorporate the PSK into the running secret. 450 if (ssl->s3->session_reused) { 451 if (!tls13_init_key_schedule(hs, hs->new_session->master_key, 452 hs->new_session->master_key_length)) { 453 return ssl_hs_error; 454 } 455 } else if (!tls13_init_key_schedule(hs, kZeroes, hash_len)) { 456 return ssl_hs_error; 457 } 458 459 if (ssl->s3->early_data_accepted) { 460 if (!tls13_derive_early_secrets(hs)) { 461 return ssl_hs_error; 462 } 463 } else if (hs->early_data_offered) { 464 ssl->s3->skip_early_data = true; 465 } 466 467 // Resolve ECDHE and incorporate it into the secret. 468 bool need_retry; 469 if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) { 470 if (need_retry) { 471 ssl->s3->early_data_accepted = false; 472 ssl->s3->skip_early_data = true; 473 ssl->method->next_message(ssl); 474 if (!hs->transcript.UpdateForHelloRetryRequest()) { 475 return ssl_hs_error; 476 } 477 hs->tls13_state = state_send_hello_retry_request; 478 return ssl_hs_ok; 479 } 480 return ssl_hs_error; 481 } 482 483 ssl->method->next_message(ssl); 484 hs->tls13_state = state_send_server_hello; 485 return ssl_hs_ok; 486 } 487 488 static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) { 489 SSL *const ssl = hs->ssl; 490 491 492 ScopedCBB cbb; 493 CBB body, session_id, extensions; 494 uint16_t group_id; 495 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || 496 !CBB_add_u16(&body, TLS1_2_VERSION) || 497 !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) || 498 !CBB_add_u8_length_prefixed(&body, &session_id) || 499 !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) || 500 !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) || 501 !CBB_add_u8(&body, 0 /* no compression */) || 502 !tls1_get_shared_group(hs, &group_id) || 503 !CBB_add_u16_length_prefixed(&body, &extensions) || 504 !CBB_add_u16(&extensions, TLSEXT_TYPE_supported_versions) || 505 !CBB_add_u16(&extensions, 2 /* length */) || 506 !CBB_add_u16(&extensions, ssl->version) || 507 !CBB_add_u16(&extensions, TLSEXT_TYPE_key_share) || 508 !CBB_add_u16(&extensions, 2 /* length */) || 509 !CBB_add_u16(&extensions, group_id) || 510 !ssl_add_message_cbb(ssl, cbb.get())) { 511 return ssl_hs_error; 512 } 513 514 if (!ssl->method->add_change_cipher_spec(ssl)) { 515 return ssl_hs_error; 516 } 517 518 hs->sent_hello_retry_request = true; 519 hs->tls13_state = state_read_second_client_hello; 520 return ssl_hs_flush; 521 } 522 523 static enum ssl_hs_wait_t do_read_second_client_hello(SSL_HANDSHAKE *hs) { 524 SSL *const ssl = hs->ssl; 525 SSLMessage msg; 526 if (!ssl->method->get_message(ssl, &msg)) { 527 return ssl_hs_read_message; 528 } 529 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) { 530 return ssl_hs_error; 531 } 532 SSL_CLIENT_HELLO client_hello; 533 if (!ssl_client_hello_init(ssl, &client_hello, msg)) { 534 OPENSSL_PUT_ERROR(SSL, SSL_R_CLIENTHELLO_PARSE_FAILED); 535 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 536 return ssl_hs_error; 537 } 538 539 bool need_retry; 540 if (!resolve_ecdhe_secret(hs, &need_retry, &client_hello)) { 541 if (need_retry) { 542 // Only send one HelloRetryRequest. 543 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); 544 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE); 545 } 546 return ssl_hs_error; 547 } 548 549 if (!ssl_hash_message(hs, msg)) { 550 return ssl_hs_error; 551 } 552 553 ssl->method->next_message(ssl); 554 hs->tls13_state = state_send_server_hello; 555 return ssl_hs_ok; 556 } 557 558 static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) { 559 SSL *const ssl = hs->ssl; 560 561 // Send a ServerHello. 562 ScopedCBB cbb; 563 CBB body, extensions, session_id; 564 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) || 565 !CBB_add_u16(&body, TLS1_2_VERSION) || 566 !RAND_bytes(ssl->s3->server_random, sizeof(ssl->s3->server_random)) || 567 !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) || 568 !CBB_add_u8_length_prefixed(&body, &session_id) || 569 !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) || 570 !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) || 571 !CBB_add_u8(&body, 0) || 572 !CBB_add_u16_length_prefixed(&body, &extensions) || 573 !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) || 574 !ssl_ext_key_share_add_serverhello(hs, &extensions) || 575 !ssl_ext_supported_versions_add_serverhello(hs, &extensions) || 576 !ssl_add_message_cbb(ssl, cbb.get())) { 577 return ssl_hs_error; 578 } 579 580 if (!hs->sent_hello_retry_request && 581 !ssl->method->add_change_cipher_spec(ssl)) { 582 return ssl_hs_error; 583 } 584 585 // Derive and enable the handshake traffic secrets. 586 if (!tls13_derive_handshake_secrets(hs) || 587 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_handshake_secret, 588 hs->hash_len)) { 589 return ssl_hs_error; 590 } 591 592 // Send EncryptedExtensions. 593 if (!ssl->method->init_message(ssl, cbb.get(), &body, 594 SSL3_MT_ENCRYPTED_EXTENSIONS) || 595 !ssl_add_serverhello_tlsext(hs, &body) || 596 !ssl_add_message_cbb(ssl, cbb.get())) { 597 return ssl_hs_error; 598 } 599 600 if (!ssl->s3->session_reused) { 601 // Determine whether to request a client certificate. 602 hs->cert_request = !!(ssl->verify_mode & SSL_VERIFY_PEER); 603 // Only request a certificate if Channel ID isn't negotiated. 604 if ((ssl->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) && 605 ssl->s3->tlsext_channel_id_valid) { 606 hs->cert_request = false; 607 } 608 } 609 610 // Send a CertificateRequest, if necessary. 611 if (hs->cert_request) { 612 CBB cert_request_extensions, sigalg_contents, sigalgs_cbb; 613 if (!ssl->method->init_message(ssl, cbb.get(), &body, 614 SSL3_MT_CERTIFICATE_REQUEST) || 615 !CBB_add_u8(&body, 0 /* no certificate_request_context. */) || 616 !CBB_add_u16_length_prefixed(&body, &cert_request_extensions) || 617 !CBB_add_u16(&cert_request_extensions, 618 TLSEXT_TYPE_signature_algorithms) || 619 !CBB_add_u16_length_prefixed(&cert_request_extensions, 620 &sigalg_contents) || 621 !CBB_add_u16_length_prefixed(&sigalg_contents, &sigalgs_cbb) || 622 !tls12_add_verify_sigalgs(ssl, &sigalgs_cbb)) { 623 return ssl_hs_error; 624 } 625 626 if (ssl_has_client_CAs(ssl)) { 627 CBB ca_contents; 628 if (!CBB_add_u16(&cert_request_extensions, 629 TLSEXT_TYPE_certificate_authorities) || 630 !CBB_add_u16_length_prefixed(&cert_request_extensions, 631 &ca_contents) || 632 !ssl_add_client_CA_list(ssl, &ca_contents) || 633 !CBB_flush(&cert_request_extensions)) { 634 return ssl_hs_error; 635 } 636 } 637 638 if (!ssl_add_message_cbb(ssl, cbb.get())) { 639 return ssl_hs_error; 640 } 641 } 642 643 // Send the server Certificate message, if necessary. 644 if (!ssl->s3->session_reused) { 645 if (!ssl_has_certificate(ssl)) { 646 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_SET); 647 return ssl_hs_error; 648 } 649 650 if (!tls13_add_certificate(hs)) { 651 return ssl_hs_error; 652 } 653 654 hs->tls13_state = state_send_server_certificate_verify; 655 return ssl_hs_ok; 656 } 657 658 hs->tls13_state = state_send_server_finished; 659 return ssl_hs_ok; 660 } 661 662 static enum ssl_hs_wait_t do_send_server_certificate_verify(SSL_HANDSHAKE *hs) { 663 switch (tls13_add_certificate_verify(hs)) { 664 case ssl_private_key_success: 665 hs->tls13_state = state_send_server_finished; 666 return ssl_hs_ok; 667 668 case ssl_private_key_retry: 669 hs->tls13_state = state_send_server_certificate_verify; 670 return ssl_hs_private_key_operation; 671 672 case ssl_private_key_failure: 673 return ssl_hs_error; 674 } 675 676 assert(0); 677 return ssl_hs_error; 678 } 679 680 static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) { 681 SSL *const ssl = hs->ssl; 682 if (!tls13_add_finished(hs) || 683 // Update the secret to the master secret and derive traffic keys. 684 !tls13_advance_key_schedule(hs, kZeroes, hs->hash_len) || 685 !tls13_derive_application_secrets(hs) || 686 !tls13_set_traffic_key(ssl, evp_aead_seal, hs->server_traffic_secret_0, 687 hs->hash_len)) { 688 return ssl_hs_error; 689 } 690 691 if (ssl->s3->early_data_accepted) { 692 // If accepting 0-RTT, we send tickets half-RTT. This gets the tickets on 693 // the wire sooner and also avoids triggering a write on |SSL_read| when 694 // processing the client Finished. This requires computing the client 695 // Finished early. See draft-ietf-tls-tls13-18, section 4.5.1. 696 static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0, 697 0, 0}; 698 if (!hs->transcript.Update(kEndOfEarlyData)) { 699 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 700 return ssl_hs_error; 701 } 702 703 size_t finished_len; 704 if (!tls13_finished_mac(hs, hs->expected_client_finished, &finished_len, 705 0 /* client */)) { 706 return ssl_hs_error; 707 } 708 709 if (finished_len != hs->hash_len) { 710 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR); 711 return ssl_hs_error; 712 } 713 714 // Feed the predicted Finished into the transcript. This allows us to derive 715 // the resumption secret early and send half-RTT tickets. 716 // 717 // TODO(davidben): This will need to be updated for DTLS 1.3. 718 assert(!SSL_is_dtls(hs->ssl)); 719 assert(hs->hash_len <= 0xff); 720 uint8_t header[4] = {SSL3_MT_FINISHED, 0, 0, 721 static_cast<uint8_t>(hs->hash_len)}; 722 if (!hs->transcript.Update(header) || 723 !hs->transcript.Update( 724 MakeConstSpan(hs->expected_client_finished, hs->hash_len)) || 725 !tls13_derive_resumption_secret(hs) || 726 !add_new_session_tickets(hs)) { 727 return ssl_hs_error; 728 } 729 } 730 731 hs->tls13_state = state_read_second_client_flight; 732 return ssl_hs_flush; 733 } 734 735 static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) { 736 SSL *const ssl = hs->ssl; 737 if (ssl->s3->early_data_accepted) { 738 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->early_traffic_secret, 739 hs->hash_len)) { 740 return ssl_hs_error; 741 } 742 hs->can_early_write = true; 743 hs->can_early_read = true; 744 hs->in_early_data = true; 745 } 746 hs->tls13_state = state_process_end_of_early_data; 747 return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data 748 : ssl_hs_ok; 749 } 750 751 static enum ssl_hs_wait_t do_process_end_of_early_data(SSL_HANDSHAKE *hs) { 752 SSL *const ssl = hs->ssl; 753 if (hs->early_data_offered) { 754 // If early data was not accepted, the EndOfEarlyData and ChangeCipherSpec 755 // message will be in the discarded early data. 756 if (hs->ssl->s3->early_data_accepted) { 757 SSLMessage msg; 758 if (!ssl->method->get_message(ssl, &msg)) { 759 return ssl_hs_read_message; 760 } 761 762 if (!ssl_check_message_type(ssl, msg, SSL3_MT_END_OF_EARLY_DATA)) { 763 return ssl_hs_error; 764 } 765 if (CBS_len(&msg.body) != 0) { 766 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); 767 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR); 768 return ssl_hs_error; 769 } 770 ssl->method->next_message(ssl); 771 } 772 } 773 if (!tls13_set_traffic_key(ssl, evp_aead_open, hs->client_handshake_secret, 774 hs->hash_len)) { 775 return ssl_hs_error; 776 } 777 hs->tls13_state = ssl->s3->early_data_accepted 778 ? state_read_client_finished 779 : state_read_client_certificate; 780 return ssl_hs_ok; 781 } 782 783 static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) { 784 SSL *const ssl = hs->ssl; 785 if (!hs->cert_request) { 786 // OpenSSL returns X509_V_OK when no certificates are requested. This is 787 // classed by them as a bug, but it's assumed by at least NGINX. 788 hs->new_session->verify_result = X509_V_OK; 789 790 // Skip this state. 791 hs->tls13_state = state_read_channel_id; 792 return ssl_hs_ok; 793 } 794 795 const int allow_anonymous = 796 (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) == 0; 797 SSLMessage msg; 798 if (!ssl->method->get_message(ssl, &msg)) { 799 return ssl_hs_read_message; 800 } 801 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE) || 802 !tls13_process_certificate(hs, msg, allow_anonymous) || 803 !ssl_hash_message(hs, msg)) { 804 return ssl_hs_error; 805 } 806 807 ssl->method->next_message(ssl); 808 hs->tls13_state = state_read_client_certificate_verify; 809 return ssl_hs_ok; 810 } 811 812 static enum ssl_hs_wait_t do_read_client_certificate_verify( 813 SSL_HANDSHAKE *hs) { 814 SSL *const ssl = hs->ssl; 815 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs) == 0) { 816 // Skip this state. 817 hs->tls13_state = state_read_channel_id; 818 return ssl_hs_ok; 819 } 820 821 SSLMessage msg; 822 if (!ssl->method->get_message(ssl, &msg)) { 823 return ssl_hs_read_message; 824 } 825 826 switch (ssl_verify_peer_cert(hs)) { 827 case ssl_verify_ok: 828 break; 829 case ssl_verify_invalid: 830 return ssl_hs_error; 831 case ssl_verify_retry: 832 hs->tls13_state = state_read_client_certificate_verify; 833 return ssl_hs_certificate_verify; 834 } 835 836 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY) || 837 !tls13_process_certificate_verify(hs, msg) || 838 !ssl_hash_message(hs, msg)) { 839 return ssl_hs_error; 840 } 841 842 ssl->method->next_message(ssl); 843 hs->tls13_state = state_read_channel_id; 844 return ssl_hs_ok; 845 } 846 847 static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) { 848 SSL *const ssl = hs->ssl; 849 if (!ssl->s3->tlsext_channel_id_valid) { 850 hs->tls13_state = state_read_client_finished; 851 return ssl_hs_ok; 852 } 853 854 SSLMessage msg; 855 if (!ssl->method->get_message(ssl, &msg)) { 856 return ssl_hs_read_message; 857 } 858 if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) || 859 !tls1_verify_channel_id(hs, msg) || 860 !ssl_hash_message(hs, msg)) { 861 return ssl_hs_error; 862 } 863 864 ssl->method->next_message(ssl); 865 hs->tls13_state = state_read_client_finished; 866 return ssl_hs_ok; 867 } 868 869 static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) { 870 SSL *const ssl = hs->ssl; 871 SSLMessage msg; 872 if (!ssl->method->get_message(ssl, &msg)) { 873 return ssl_hs_read_message; 874 } 875 if (!ssl_check_message_type(ssl, msg, SSL3_MT_FINISHED) || 876 // If early data was accepted, we've already computed the client Finished 877 // and derived the resumption secret. 878 !tls13_process_finished(hs, msg, ssl->s3->early_data_accepted) || 879 // evp_aead_seal keys have already been switched. 880 !tls13_set_traffic_key(ssl, evp_aead_open, hs->client_traffic_secret_0, 881 hs->hash_len)) { 882 return ssl_hs_error; 883 } 884 885 if (!ssl->s3->early_data_accepted) { 886 if (!ssl_hash_message(hs, msg) || 887 !tls13_derive_resumption_secret(hs)) { 888 return ssl_hs_error; 889 } 890 891 // We send post-handshake tickets as part of the handshake in 1-RTT. 892 hs->tls13_state = state_send_new_session_ticket; 893 } else { 894 // We already sent half-RTT tickets. 895 hs->tls13_state = state_done; 896 } 897 898 ssl->method->next_message(ssl); 899 return ssl_hs_ok; 900 } 901 902 static enum ssl_hs_wait_t do_send_new_session_ticket(SSL_HANDSHAKE *hs) { 903 // If the client doesn't accept resumption with PSK_DHE_KE, don't send a 904 // session ticket. 905 if (!hs->accept_psk_mode) { 906 hs->tls13_state = state_done; 907 return ssl_hs_ok; 908 } 909 910 if (!add_new_session_tickets(hs)) { 911 return ssl_hs_error; 912 } 913 914 hs->tls13_state = state_done; 915 return ssl_hs_flush; 916 } 917 918 enum ssl_hs_wait_t tls13_server_handshake(SSL_HANDSHAKE *hs) { 919 while (hs->tls13_state != state_done) { 920 enum ssl_hs_wait_t ret = ssl_hs_error; 921 enum server_hs_state_t state = 922 static_cast<enum server_hs_state_t>(hs->tls13_state); 923 switch (state) { 924 case state_select_parameters: 925 ret = do_select_parameters(hs); 926 break; 927 case state_select_session: 928 ret = do_select_session(hs); 929 break; 930 case state_send_hello_retry_request: 931 ret = do_send_hello_retry_request(hs); 932 break; 933 case state_read_second_client_hello: 934 ret = do_read_second_client_hello(hs); 935 break; 936 case state_send_server_hello: 937 ret = do_send_server_hello(hs); 938 break; 939 case state_send_server_certificate_verify: 940 ret = do_send_server_certificate_verify(hs); 941 break; 942 case state_send_server_finished: 943 ret = do_send_server_finished(hs); 944 break; 945 case state_read_second_client_flight: 946 ret = do_read_second_client_flight(hs); 947 break; 948 case state_process_end_of_early_data: 949 ret = do_process_end_of_early_data(hs); 950 break; 951 case state_read_client_certificate: 952 ret = do_read_client_certificate(hs); 953 break; 954 case state_read_client_certificate_verify: 955 ret = do_read_client_certificate_verify(hs); 956 break; 957 case state_read_channel_id: 958 ret = do_read_channel_id(hs); 959 break; 960 case state_read_client_finished: 961 ret = do_read_client_finished(hs); 962 break; 963 case state_send_new_session_ticket: 964 ret = do_send_new_session_ticket(hs); 965 break; 966 case state_done: 967 ret = ssl_hs_ok; 968 break; 969 } 970 971 if (hs->tls13_state != state) { 972 ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1); 973 } 974 975 if (ret != ssl_hs_ok) { 976 return ret; 977 } 978 } 979 980 return ssl_hs_ok; 981 } 982 983 const char *tls13_server_handshake_state(SSL_HANDSHAKE *hs) { 984 enum server_hs_state_t state = 985 static_cast<enum server_hs_state_t>(hs->tls13_state); 986 switch (state) { 987 case state_select_parameters: 988 return "TLS 1.3 server select_parameters"; 989 case state_select_session: 990 return "TLS 1.3 server select_session"; 991 case state_send_hello_retry_request: 992 return "TLS 1.3 server send_hello_retry_request"; 993 case state_read_second_client_hello: 994 return "TLS 1.3 server read_second_client_hello"; 995 case state_send_server_hello: 996 return "TLS 1.3 server send_server_hello"; 997 case state_send_server_certificate_verify: 998 return "TLS 1.3 server send_server_certificate_verify"; 999 case state_send_server_finished: 1000 return "TLS 1.3 server send_server_finished"; 1001 case state_read_second_client_flight: 1002 return "TLS 1.3 server read_second_client_flight"; 1003 case state_process_end_of_early_data: 1004 return "TLS 1.3 server process_end_of_early_data"; 1005 case state_read_client_certificate: 1006 return "TLS 1.3 server read_client_certificate"; 1007 case state_read_client_certificate_verify: 1008 return "TLS 1.3 server read_client_certificate_verify"; 1009 case state_read_channel_id: 1010 return "TLS 1.3 server read_channel_id"; 1011 case state_read_client_finished: 1012 return "TLS 1.3 server read_client_finished"; 1013 case state_send_new_session_ticket: 1014 return "TLS 1.3 server send_new_session_ticket"; 1015 case state_done: 1016 return "TLS 1.3 server done"; 1017 } 1018 1019 return "TLS 1.3 server unknown"; 1020 } 1021 1022 } // namespace bssl 1023