1*8fb009dcSAndroid Build Coastguard Worker /* Copyright (C) 1995-1998 Eric Young ([email protected])
2*8fb009dcSAndroid Build Coastguard Worker * All rights reserved.
3*8fb009dcSAndroid Build Coastguard Worker *
4*8fb009dcSAndroid Build Coastguard Worker * This package is an SSL implementation written
5*8fb009dcSAndroid Build Coastguard Worker * by Eric Young ([email protected]).
6*8fb009dcSAndroid Build Coastguard Worker * The implementation was written so as to conform with Netscapes SSL.
7*8fb009dcSAndroid Build Coastguard Worker *
8*8fb009dcSAndroid Build Coastguard Worker * This library is free for commercial and non-commercial use as long as
9*8fb009dcSAndroid Build Coastguard Worker * the following conditions are aheared to. The following conditions
10*8fb009dcSAndroid Build Coastguard Worker * apply to all code found in this distribution, be it the RC4, RSA,
11*8fb009dcSAndroid Build Coastguard Worker * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12*8fb009dcSAndroid Build Coastguard Worker * included with this distribution is covered by the same copyright terms
13*8fb009dcSAndroid Build Coastguard Worker * except that the holder is Tim Hudson ([email protected]).
14*8fb009dcSAndroid Build Coastguard Worker *
15*8fb009dcSAndroid Build Coastguard Worker * Copyright remains Eric Young's, and as such any Copyright notices in
16*8fb009dcSAndroid Build Coastguard Worker * the code are not to be removed.
17*8fb009dcSAndroid Build Coastguard Worker * If this package is used in a product, Eric Young should be given attribution
18*8fb009dcSAndroid Build Coastguard Worker * as the author of the parts of the library used.
19*8fb009dcSAndroid Build Coastguard Worker * This can be in the form of a textual message at program startup or
20*8fb009dcSAndroid Build Coastguard Worker * in documentation (online or textual) provided with the package.
21*8fb009dcSAndroid Build Coastguard Worker *
22*8fb009dcSAndroid Build Coastguard Worker * Redistribution and use in source and binary forms, with or without
23*8fb009dcSAndroid Build Coastguard Worker * modification, are permitted provided that the following conditions
24*8fb009dcSAndroid Build Coastguard Worker * are met:
25*8fb009dcSAndroid Build Coastguard Worker * 1. Redistributions of source code must retain the copyright
26*8fb009dcSAndroid Build Coastguard Worker * notice, this list of conditions and the following disclaimer.
27*8fb009dcSAndroid Build Coastguard Worker * 2. Redistributions in binary form must reproduce the above copyright
28*8fb009dcSAndroid Build Coastguard Worker * notice, this list of conditions and the following disclaimer in the
29*8fb009dcSAndroid Build Coastguard Worker * documentation and/or other materials provided with the distribution.
30*8fb009dcSAndroid Build Coastguard Worker * 3. All advertising materials mentioning features or use of this software
31*8fb009dcSAndroid Build Coastguard Worker * must display the following acknowledgement:
32*8fb009dcSAndroid Build Coastguard Worker * "This product includes cryptographic software written by
33*8fb009dcSAndroid Build Coastguard Worker * Eric Young ([email protected])"
34*8fb009dcSAndroid Build Coastguard Worker * The word 'cryptographic' can be left out if the rouines from the library
35*8fb009dcSAndroid Build Coastguard Worker * being used are not cryptographic related :-).
36*8fb009dcSAndroid Build Coastguard Worker * 4. If you include any Windows specific code (or a derivative thereof) from
37*8fb009dcSAndroid Build Coastguard Worker * the apps directory (application code) you must include an acknowledgement:
38*8fb009dcSAndroid Build Coastguard Worker * "This product includes software written by Tim Hudson ([email protected])"
39*8fb009dcSAndroid Build Coastguard Worker *
40*8fb009dcSAndroid Build Coastguard Worker * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41*8fb009dcSAndroid Build Coastguard Worker * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42*8fb009dcSAndroid Build Coastguard Worker * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43*8fb009dcSAndroid Build Coastguard Worker * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44*8fb009dcSAndroid Build Coastguard Worker * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45*8fb009dcSAndroid Build Coastguard Worker * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46*8fb009dcSAndroid Build Coastguard Worker * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47*8fb009dcSAndroid Build Coastguard Worker * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48*8fb009dcSAndroid Build Coastguard Worker * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49*8fb009dcSAndroid Build Coastguard Worker * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50*8fb009dcSAndroid Build Coastguard Worker * SUCH DAMAGE.
51*8fb009dcSAndroid Build Coastguard Worker *
52*8fb009dcSAndroid Build Coastguard Worker * The licence and distribution terms for any publically available version or
53*8fb009dcSAndroid Build Coastguard Worker * derivative of this code cannot be changed. i.e. this code cannot simply be
54*8fb009dcSAndroid Build Coastguard Worker * copied and put under another distribution licence
55*8fb009dcSAndroid Build Coastguard Worker * [including the GNU Public Licence.]
56*8fb009dcSAndroid Build Coastguard Worker */
57*8fb009dcSAndroid Build Coastguard Worker /* ====================================================================
58*8fb009dcSAndroid Build Coastguard Worker * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59*8fb009dcSAndroid Build Coastguard Worker *
60*8fb009dcSAndroid Build Coastguard Worker * Redistribution and use in source and binary forms, with or without
61*8fb009dcSAndroid Build Coastguard Worker * modification, are permitted provided that the following conditions
62*8fb009dcSAndroid Build Coastguard Worker * are met:
63*8fb009dcSAndroid Build Coastguard Worker *
64*8fb009dcSAndroid Build Coastguard Worker * 1. Redistributions of source code must retain the above copyright
65*8fb009dcSAndroid Build Coastguard Worker * notice, this list of conditions and the following disclaimer.
66*8fb009dcSAndroid Build Coastguard Worker *
67*8fb009dcSAndroid Build Coastguard Worker * 2. Redistributions in binary form must reproduce the above copyright
68*8fb009dcSAndroid Build Coastguard Worker * notice, this list of conditions and the following disclaimer in
69*8fb009dcSAndroid Build Coastguard Worker * the documentation and/or other materials provided with the
70*8fb009dcSAndroid Build Coastguard Worker * distribution.
71*8fb009dcSAndroid Build Coastguard Worker *
72*8fb009dcSAndroid Build Coastguard Worker * 3. All advertising materials mentioning features or use of this
73*8fb009dcSAndroid Build Coastguard Worker * software must display the following acknowledgment:
74*8fb009dcSAndroid Build Coastguard Worker * "This product includes software developed by the OpenSSL Project
75*8fb009dcSAndroid Build Coastguard Worker * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76*8fb009dcSAndroid Build Coastguard Worker *
77*8fb009dcSAndroid Build Coastguard Worker * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78*8fb009dcSAndroid Build Coastguard Worker * endorse or promote products derived from this software without
79*8fb009dcSAndroid Build Coastguard Worker * prior written permission. For written permission, please contact
80*8fb009dcSAndroid Build Coastguard Worker * [email protected].
81*8fb009dcSAndroid Build Coastguard Worker *
82*8fb009dcSAndroid Build Coastguard Worker * 5. Products derived from this software may not be called "OpenSSL"
83*8fb009dcSAndroid Build Coastguard Worker * nor may "OpenSSL" appear in their names without prior written
84*8fb009dcSAndroid Build Coastguard Worker * permission of the OpenSSL Project.
85*8fb009dcSAndroid Build Coastguard Worker *
86*8fb009dcSAndroid Build Coastguard Worker * 6. Redistributions of any form whatsoever must retain the following
87*8fb009dcSAndroid Build Coastguard Worker * acknowledgment:
88*8fb009dcSAndroid Build Coastguard Worker * "This product includes software developed by the OpenSSL Project
89*8fb009dcSAndroid Build Coastguard Worker * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90*8fb009dcSAndroid Build Coastguard Worker *
91*8fb009dcSAndroid Build Coastguard Worker * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92*8fb009dcSAndroid Build Coastguard Worker * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93*8fb009dcSAndroid Build Coastguard Worker * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94*8fb009dcSAndroid Build Coastguard Worker * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95*8fb009dcSAndroid Build Coastguard Worker * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96*8fb009dcSAndroid Build Coastguard Worker * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97*8fb009dcSAndroid Build Coastguard Worker * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98*8fb009dcSAndroid Build Coastguard Worker * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99*8fb009dcSAndroid Build Coastguard Worker * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100*8fb009dcSAndroid Build Coastguard Worker * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101*8fb009dcSAndroid Build Coastguard Worker * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102*8fb009dcSAndroid Build Coastguard Worker * OF THE POSSIBILITY OF SUCH DAMAGE.
103*8fb009dcSAndroid Build Coastguard Worker * ====================================================================
104*8fb009dcSAndroid Build Coastguard Worker *
105*8fb009dcSAndroid Build Coastguard Worker * This product includes cryptographic software written by Eric Young
106*8fb009dcSAndroid Build Coastguard Worker * ([email protected]). This product includes software written by Tim
107*8fb009dcSAndroid Build Coastguard Worker * Hudson ([email protected]).
108*8fb009dcSAndroid Build Coastguard Worker *
109*8fb009dcSAndroid Build Coastguard Worker */
110*8fb009dcSAndroid Build Coastguard Worker /* ====================================================================
111*8fb009dcSAndroid Build Coastguard Worker * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112*8fb009dcSAndroid Build Coastguard Worker *
113*8fb009dcSAndroid Build Coastguard Worker * Portions of the attached software ("Contribution") are developed by
114*8fb009dcSAndroid Build Coastguard Worker * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
115*8fb009dcSAndroid Build Coastguard Worker *
116*8fb009dcSAndroid Build Coastguard Worker * The Contribution is licensed pursuant to the OpenSSL open source
117*8fb009dcSAndroid Build Coastguard Worker * license provided above.
118*8fb009dcSAndroid Build Coastguard Worker *
119*8fb009dcSAndroid Build Coastguard Worker * ECC cipher suite support in OpenSSL originally written by
120*8fb009dcSAndroid Build Coastguard Worker * Vipul Gupta and Sumit Gupta of Sun Microsystems Laboratories.
121*8fb009dcSAndroid Build Coastguard Worker *
122*8fb009dcSAndroid Build Coastguard Worker */
123*8fb009dcSAndroid Build Coastguard Worker /* ====================================================================
124*8fb009dcSAndroid Build Coastguard Worker * Copyright 2005 Nokia. All rights reserved.
125*8fb009dcSAndroid Build Coastguard Worker *
126*8fb009dcSAndroid Build Coastguard Worker * The portions of the attached software ("Contribution") is developed by
127*8fb009dcSAndroid Build Coastguard Worker * Nokia Corporation and is licensed pursuant to the OpenSSL open source
128*8fb009dcSAndroid Build Coastguard Worker * license.
129*8fb009dcSAndroid Build Coastguard Worker *
130*8fb009dcSAndroid Build Coastguard Worker * The Contribution, originally written by Mika Kousa and Pasi Eronen of
131*8fb009dcSAndroid Build Coastguard Worker * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
132*8fb009dcSAndroid Build Coastguard Worker * support (see RFC 4279) to OpenSSL.
133*8fb009dcSAndroid Build Coastguard Worker *
134*8fb009dcSAndroid Build Coastguard Worker * No patent licenses or other rights except those expressly stated in
135*8fb009dcSAndroid Build Coastguard Worker * the OpenSSL open source license shall be deemed granted or received
136*8fb009dcSAndroid Build Coastguard Worker * expressly, by implication, estoppel, or otherwise.
137*8fb009dcSAndroid Build Coastguard Worker *
138*8fb009dcSAndroid Build Coastguard Worker * No assurances are provided by Nokia that the Contribution does not
139*8fb009dcSAndroid Build Coastguard Worker * infringe the patent or other intellectual property rights of any third
140*8fb009dcSAndroid Build Coastguard Worker * party or that the license provides you with all the necessary rights
141*8fb009dcSAndroid Build Coastguard Worker * to make use of the Contribution.
142*8fb009dcSAndroid Build Coastguard Worker *
143*8fb009dcSAndroid Build Coastguard Worker * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
144*8fb009dcSAndroid Build Coastguard Worker * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
145*8fb009dcSAndroid Build Coastguard Worker * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
146*8fb009dcSAndroid Build Coastguard Worker * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
147*8fb009dcSAndroid Build Coastguard Worker * OTHERWISE. */
148*8fb009dcSAndroid Build Coastguard Worker
149*8fb009dcSAndroid Build Coastguard Worker #include <openssl/ssl.h>
150*8fb009dcSAndroid Build Coastguard Worker
151*8fb009dcSAndroid Build Coastguard Worker #include <assert.h>
152*8fb009dcSAndroid Build Coastguard Worker #include <string.h>
153*8fb009dcSAndroid Build Coastguard Worker
154*8fb009dcSAndroid Build Coastguard Worker #include <openssl/bn.h>
155*8fb009dcSAndroid Build Coastguard Worker #include <openssl/bytestring.h>
156*8fb009dcSAndroid Build Coastguard Worker #include <openssl/cipher.h>
157*8fb009dcSAndroid Build Coastguard Worker #include <openssl/curve25519.h>
158*8fb009dcSAndroid Build Coastguard Worker #include <openssl/digest.h>
159*8fb009dcSAndroid Build Coastguard Worker #include <openssl/ec.h>
160*8fb009dcSAndroid Build Coastguard Worker #include <openssl/ecdsa.h>
161*8fb009dcSAndroid Build Coastguard Worker #include <openssl/err.h>
162*8fb009dcSAndroid Build Coastguard Worker #include <openssl/evp.h>
163*8fb009dcSAndroid Build Coastguard Worker #include <openssl/hmac.h>
164*8fb009dcSAndroid Build Coastguard Worker #include <openssl/md5.h>
165*8fb009dcSAndroid Build Coastguard Worker #include <openssl/mem.h>
166*8fb009dcSAndroid Build Coastguard Worker #include <openssl/nid.h>
167*8fb009dcSAndroid Build Coastguard Worker #include <openssl/rand.h>
168*8fb009dcSAndroid Build Coastguard Worker #include <openssl/x509.h>
169*8fb009dcSAndroid Build Coastguard Worker
170*8fb009dcSAndroid Build Coastguard Worker #include "internal.h"
171*8fb009dcSAndroid Build Coastguard Worker #include "../crypto/internal.h"
172*8fb009dcSAndroid Build Coastguard Worker
173*8fb009dcSAndroid Build Coastguard Worker
174*8fb009dcSAndroid Build Coastguard Worker BSSL_NAMESPACE_BEGIN
175*8fb009dcSAndroid Build Coastguard Worker
ssl_client_cipher_list_contains_cipher(const SSL_CLIENT_HELLO * client_hello,uint16_t id)176*8fb009dcSAndroid Build Coastguard Worker bool ssl_client_cipher_list_contains_cipher(
177*8fb009dcSAndroid Build Coastguard Worker const SSL_CLIENT_HELLO *client_hello, uint16_t id) {
178*8fb009dcSAndroid Build Coastguard Worker CBS cipher_suites;
179*8fb009dcSAndroid Build Coastguard Worker CBS_init(&cipher_suites, client_hello->cipher_suites,
180*8fb009dcSAndroid Build Coastguard Worker client_hello->cipher_suites_len);
181*8fb009dcSAndroid Build Coastguard Worker
182*8fb009dcSAndroid Build Coastguard Worker while (CBS_len(&cipher_suites) > 0) {
183*8fb009dcSAndroid Build Coastguard Worker uint16_t got_id;
184*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16(&cipher_suites, &got_id)) {
185*8fb009dcSAndroid Build Coastguard Worker return false;
186*8fb009dcSAndroid Build Coastguard Worker }
187*8fb009dcSAndroid Build Coastguard Worker
188*8fb009dcSAndroid Build Coastguard Worker if (got_id == id) {
189*8fb009dcSAndroid Build Coastguard Worker return true;
190*8fb009dcSAndroid Build Coastguard Worker }
191*8fb009dcSAndroid Build Coastguard Worker }
192*8fb009dcSAndroid Build Coastguard Worker
193*8fb009dcSAndroid Build Coastguard Worker return false;
194*8fb009dcSAndroid Build Coastguard Worker }
195*8fb009dcSAndroid Build Coastguard Worker
negotiate_version(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)196*8fb009dcSAndroid Build Coastguard Worker static bool negotiate_version(SSL_HANDSHAKE *hs, uint8_t *out_alert,
197*8fb009dcSAndroid Build Coastguard Worker const SSL_CLIENT_HELLO *client_hello) {
198*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
199*8fb009dcSAndroid Build Coastguard Worker assert(!ssl->s3->have_version);
200*8fb009dcSAndroid Build Coastguard Worker CBS supported_versions, versions;
201*8fb009dcSAndroid Build Coastguard Worker if (ssl_client_hello_get_extension(client_hello, &supported_versions,
202*8fb009dcSAndroid Build Coastguard Worker TLSEXT_TYPE_supported_versions)) {
203*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u8_length_prefixed(&supported_versions, &versions) ||
204*8fb009dcSAndroid Build Coastguard Worker CBS_len(&supported_versions) != 0 ||
205*8fb009dcSAndroid Build Coastguard Worker CBS_len(&versions) == 0) {
206*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
207*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL_AD_DECODE_ERROR;
208*8fb009dcSAndroid Build Coastguard Worker return false;
209*8fb009dcSAndroid Build Coastguard Worker }
210*8fb009dcSAndroid Build Coastguard Worker } else {
211*8fb009dcSAndroid Build Coastguard Worker // Convert the ClientHello version to an equivalent supported_versions
212*8fb009dcSAndroid Build Coastguard Worker // extension.
213*8fb009dcSAndroid Build Coastguard Worker static const uint8_t kTLSVersions[] = {
214*8fb009dcSAndroid Build Coastguard Worker 0x03, 0x03, // TLS 1.2
215*8fb009dcSAndroid Build Coastguard Worker 0x03, 0x02, // TLS 1.1
216*8fb009dcSAndroid Build Coastguard Worker 0x03, 0x01, // TLS 1
217*8fb009dcSAndroid Build Coastguard Worker };
218*8fb009dcSAndroid Build Coastguard Worker
219*8fb009dcSAndroid Build Coastguard Worker static const uint8_t kDTLSVersions[] = {
220*8fb009dcSAndroid Build Coastguard Worker 0xfe, 0xfd, // DTLS 1.2
221*8fb009dcSAndroid Build Coastguard Worker 0xfe, 0xff, // DTLS 1.0
222*8fb009dcSAndroid Build Coastguard Worker };
223*8fb009dcSAndroid Build Coastguard Worker
224*8fb009dcSAndroid Build Coastguard Worker size_t versions_len = 0;
225*8fb009dcSAndroid Build Coastguard Worker if (SSL_is_dtls(ssl)) {
226*8fb009dcSAndroid Build Coastguard Worker if (client_hello->version <= DTLS1_2_VERSION) {
227*8fb009dcSAndroid Build Coastguard Worker versions_len = 4;
228*8fb009dcSAndroid Build Coastguard Worker } else if (client_hello->version <= DTLS1_VERSION) {
229*8fb009dcSAndroid Build Coastguard Worker versions_len = 2;
230*8fb009dcSAndroid Build Coastguard Worker }
231*8fb009dcSAndroid Build Coastguard Worker versions = MakeConstSpan(kDTLSVersions).last(versions_len);
232*8fb009dcSAndroid Build Coastguard Worker } else {
233*8fb009dcSAndroid Build Coastguard Worker if (client_hello->version >= TLS1_2_VERSION) {
234*8fb009dcSAndroid Build Coastguard Worker versions_len = 6;
235*8fb009dcSAndroid Build Coastguard Worker } else if (client_hello->version >= TLS1_1_VERSION) {
236*8fb009dcSAndroid Build Coastguard Worker versions_len = 4;
237*8fb009dcSAndroid Build Coastguard Worker } else if (client_hello->version >= TLS1_VERSION) {
238*8fb009dcSAndroid Build Coastguard Worker versions_len = 2;
239*8fb009dcSAndroid Build Coastguard Worker }
240*8fb009dcSAndroid Build Coastguard Worker versions = MakeConstSpan(kTLSVersions).last(versions_len);
241*8fb009dcSAndroid Build Coastguard Worker }
242*8fb009dcSAndroid Build Coastguard Worker }
243*8fb009dcSAndroid Build Coastguard Worker
244*8fb009dcSAndroid Build Coastguard Worker if (!ssl_negotiate_version(hs, out_alert, &ssl->version, &versions)) {
245*8fb009dcSAndroid Build Coastguard Worker return false;
246*8fb009dcSAndroid Build Coastguard Worker }
247*8fb009dcSAndroid Build Coastguard Worker
248*8fb009dcSAndroid Build Coastguard Worker // At this point, the connection's version is known and |ssl->version| is
249*8fb009dcSAndroid Build Coastguard Worker // fixed. Begin enforcing the record-layer version.
250*8fb009dcSAndroid Build Coastguard Worker ssl->s3->have_version = true;
251*8fb009dcSAndroid Build Coastguard Worker ssl->s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
252*8fb009dcSAndroid Build Coastguard Worker
253*8fb009dcSAndroid Build Coastguard Worker // Handle FALLBACK_SCSV.
254*8fb009dcSAndroid Build Coastguard Worker if (ssl_client_cipher_list_contains_cipher(client_hello,
255*8fb009dcSAndroid Build Coastguard Worker SSL3_CK_FALLBACK_SCSV & 0xffff) &&
256*8fb009dcSAndroid Build Coastguard Worker ssl_protocol_version(ssl) < hs->max_version) {
257*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_INAPPROPRIATE_FALLBACK);
258*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL3_AD_INAPPROPRIATE_FALLBACK;
259*8fb009dcSAndroid Build Coastguard Worker return false;
260*8fb009dcSAndroid Build Coastguard Worker }
261*8fb009dcSAndroid Build Coastguard Worker
262*8fb009dcSAndroid Build Coastguard Worker return true;
263*8fb009dcSAndroid Build Coastguard Worker }
264*8fb009dcSAndroid Build Coastguard Worker
ssl_parse_client_cipher_list(const SSL_CLIENT_HELLO * client_hello)265*8fb009dcSAndroid Build Coastguard Worker static UniquePtr<STACK_OF(SSL_CIPHER)> ssl_parse_client_cipher_list(
266*8fb009dcSAndroid Build Coastguard Worker const SSL_CLIENT_HELLO *client_hello) {
267*8fb009dcSAndroid Build Coastguard Worker CBS cipher_suites;
268*8fb009dcSAndroid Build Coastguard Worker CBS_init(&cipher_suites, client_hello->cipher_suites,
269*8fb009dcSAndroid Build Coastguard Worker client_hello->cipher_suites_len);
270*8fb009dcSAndroid Build Coastguard Worker
271*8fb009dcSAndroid Build Coastguard Worker UniquePtr<STACK_OF(SSL_CIPHER)> sk(sk_SSL_CIPHER_new_null());
272*8fb009dcSAndroid Build Coastguard Worker if (!sk) {
273*8fb009dcSAndroid Build Coastguard Worker return nullptr;
274*8fb009dcSAndroid Build Coastguard Worker }
275*8fb009dcSAndroid Build Coastguard Worker
276*8fb009dcSAndroid Build Coastguard Worker while (CBS_len(&cipher_suites) > 0) {
277*8fb009dcSAndroid Build Coastguard Worker uint16_t cipher_suite;
278*8fb009dcSAndroid Build Coastguard Worker
279*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16(&cipher_suites, &cipher_suite)) {
280*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
281*8fb009dcSAndroid Build Coastguard Worker return nullptr;
282*8fb009dcSAndroid Build Coastguard Worker }
283*8fb009dcSAndroid Build Coastguard Worker
284*8fb009dcSAndroid Build Coastguard Worker const SSL_CIPHER *c = SSL_get_cipher_by_value(cipher_suite);
285*8fb009dcSAndroid Build Coastguard Worker if (c != NULL && !sk_SSL_CIPHER_push(sk.get(), c)) {
286*8fb009dcSAndroid Build Coastguard Worker return nullptr;
287*8fb009dcSAndroid Build Coastguard Worker }
288*8fb009dcSAndroid Build Coastguard Worker }
289*8fb009dcSAndroid Build Coastguard Worker
290*8fb009dcSAndroid Build Coastguard Worker return sk;
291*8fb009dcSAndroid Build Coastguard Worker }
292*8fb009dcSAndroid Build Coastguard Worker
choose_cipher(SSL_HANDSHAKE * hs,const STACK_OF (SSL_CIPHER)* client_pref,uint32_t mask_k,uint32_t mask_a)293*8fb009dcSAndroid Build Coastguard Worker static const SSL_CIPHER *choose_cipher(SSL_HANDSHAKE *hs,
294*8fb009dcSAndroid Build Coastguard Worker const STACK_OF(SSL_CIPHER) *client_pref,
295*8fb009dcSAndroid Build Coastguard Worker uint32_t mask_k, uint32_t mask_a) {
296*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
297*8fb009dcSAndroid Build Coastguard Worker const STACK_OF(SSL_CIPHER) *prio, *allow;
298*8fb009dcSAndroid Build Coastguard Worker // in_group_flags will either be NULL, or will point to an array of bytes
299*8fb009dcSAndroid Build Coastguard Worker // which indicate equal-preference groups in the |prio| stack. See the
300*8fb009dcSAndroid Build Coastguard Worker // comment about |in_group_flags| in the |SSLCipherPreferenceList|
301*8fb009dcSAndroid Build Coastguard Worker // struct.
302*8fb009dcSAndroid Build Coastguard Worker const bool *in_group_flags;
303*8fb009dcSAndroid Build Coastguard Worker // group_min contains the minimal index so far found in a group, or -1 if no
304*8fb009dcSAndroid Build Coastguard Worker // such value exists yet.
305*8fb009dcSAndroid Build Coastguard Worker int group_min = -1;
306*8fb009dcSAndroid Build Coastguard Worker
307*8fb009dcSAndroid Build Coastguard Worker const SSLCipherPreferenceList *server_pref =
308*8fb009dcSAndroid Build Coastguard Worker hs->config->cipher_list ? hs->config->cipher_list.get()
309*8fb009dcSAndroid Build Coastguard Worker : ssl->ctx->cipher_list.get();
310*8fb009dcSAndroid Build Coastguard Worker if (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
311*8fb009dcSAndroid Build Coastguard Worker prio = server_pref->ciphers.get();
312*8fb009dcSAndroid Build Coastguard Worker in_group_flags = server_pref->in_group_flags;
313*8fb009dcSAndroid Build Coastguard Worker allow = client_pref;
314*8fb009dcSAndroid Build Coastguard Worker } else {
315*8fb009dcSAndroid Build Coastguard Worker prio = client_pref;
316*8fb009dcSAndroid Build Coastguard Worker in_group_flags = NULL;
317*8fb009dcSAndroid Build Coastguard Worker allow = server_pref->ciphers.get();
318*8fb009dcSAndroid Build Coastguard Worker }
319*8fb009dcSAndroid Build Coastguard Worker
320*8fb009dcSAndroid Build Coastguard Worker for (size_t i = 0; i < sk_SSL_CIPHER_num(prio); i++) {
321*8fb009dcSAndroid Build Coastguard Worker const SSL_CIPHER *c = sk_SSL_CIPHER_value(prio, i);
322*8fb009dcSAndroid Build Coastguard Worker
323*8fb009dcSAndroid Build Coastguard Worker size_t cipher_index;
324*8fb009dcSAndroid Build Coastguard Worker if (// Check if the cipher is supported for the current version.
325*8fb009dcSAndroid Build Coastguard Worker SSL_CIPHER_get_min_version(c) <= ssl_protocol_version(ssl) &&
326*8fb009dcSAndroid Build Coastguard Worker ssl_protocol_version(ssl) <= SSL_CIPHER_get_max_version(c) &&
327*8fb009dcSAndroid Build Coastguard Worker // Check the cipher is supported for the server configuration.
328*8fb009dcSAndroid Build Coastguard Worker (c->algorithm_mkey & mask_k) &&
329*8fb009dcSAndroid Build Coastguard Worker (c->algorithm_auth & mask_a) &&
330*8fb009dcSAndroid Build Coastguard Worker // Check the cipher is in the |allow| list.
331*8fb009dcSAndroid Build Coastguard Worker sk_SSL_CIPHER_find(allow, &cipher_index, c)) {
332*8fb009dcSAndroid Build Coastguard Worker if (in_group_flags != NULL && in_group_flags[i]) {
333*8fb009dcSAndroid Build Coastguard Worker // This element of |prio| is in a group. Update the minimum index found
334*8fb009dcSAndroid Build Coastguard Worker // so far and continue looking.
335*8fb009dcSAndroid Build Coastguard Worker if (group_min == -1 || (size_t)group_min > cipher_index) {
336*8fb009dcSAndroid Build Coastguard Worker group_min = cipher_index;
337*8fb009dcSAndroid Build Coastguard Worker }
338*8fb009dcSAndroid Build Coastguard Worker } else {
339*8fb009dcSAndroid Build Coastguard Worker if (group_min != -1 && (size_t)group_min < cipher_index) {
340*8fb009dcSAndroid Build Coastguard Worker cipher_index = group_min;
341*8fb009dcSAndroid Build Coastguard Worker }
342*8fb009dcSAndroid Build Coastguard Worker return sk_SSL_CIPHER_value(allow, cipher_index);
343*8fb009dcSAndroid Build Coastguard Worker }
344*8fb009dcSAndroid Build Coastguard Worker }
345*8fb009dcSAndroid Build Coastguard Worker
346*8fb009dcSAndroid Build Coastguard Worker if (in_group_flags != NULL && !in_group_flags[i] && group_min != -1) {
347*8fb009dcSAndroid Build Coastguard Worker // We are about to leave a group, but we found a match in it, so that's
348*8fb009dcSAndroid Build Coastguard Worker // our answer.
349*8fb009dcSAndroid Build Coastguard Worker return sk_SSL_CIPHER_value(allow, group_min);
350*8fb009dcSAndroid Build Coastguard Worker }
351*8fb009dcSAndroid Build Coastguard Worker }
352*8fb009dcSAndroid Build Coastguard Worker
353*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
354*8fb009dcSAndroid Build Coastguard Worker return nullptr;
355*8fb009dcSAndroid Build Coastguard Worker }
356*8fb009dcSAndroid Build Coastguard Worker
357*8fb009dcSAndroid Build Coastguard Worker struct TLS12ServerParams {
okTLS12ServerParams358*8fb009dcSAndroid Build Coastguard Worker bool ok() const { return cipher != nullptr; }
359*8fb009dcSAndroid Build Coastguard Worker
360*8fb009dcSAndroid Build Coastguard Worker const SSL_CIPHER *cipher = nullptr;
361*8fb009dcSAndroid Build Coastguard Worker uint16_t signature_algorithm = 0;
362*8fb009dcSAndroid Build Coastguard Worker };
363*8fb009dcSAndroid Build Coastguard Worker
choose_params(SSL_HANDSHAKE * hs,const SSL_CREDENTIAL * cred,const STACK_OF (SSL_CIPHER)* client_pref,bool has_ecdhe_group)364*8fb009dcSAndroid Build Coastguard Worker static TLS12ServerParams choose_params(SSL_HANDSHAKE *hs,
365*8fb009dcSAndroid Build Coastguard Worker const SSL_CREDENTIAL *cred,
366*8fb009dcSAndroid Build Coastguard Worker const STACK_OF(SSL_CIPHER) *client_pref,
367*8fb009dcSAndroid Build Coastguard Worker bool has_ecdhe_group) {
368*8fb009dcSAndroid Build Coastguard Worker // Determine the usable cipher suites.
369*8fb009dcSAndroid Build Coastguard Worker uint32_t mask_k = 0, mask_a = 0;
370*8fb009dcSAndroid Build Coastguard Worker if (has_ecdhe_group) {
371*8fb009dcSAndroid Build Coastguard Worker mask_k |= SSL_kECDHE;
372*8fb009dcSAndroid Build Coastguard Worker }
373*8fb009dcSAndroid Build Coastguard Worker if (hs->config->psk_server_callback != nullptr) {
374*8fb009dcSAndroid Build Coastguard Worker mask_k |= SSL_kPSK;
375*8fb009dcSAndroid Build Coastguard Worker mask_a |= SSL_aPSK;
376*8fb009dcSAndroid Build Coastguard Worker }
377*8fb009dcSAndroid Build Coastguard Worker uint16_t sigalg = 0;
378*8fb009dcSAndroid Build Coastguard Worker if (cred != nullptr && cred->type == SSLCredentialType::kX509) {
379*8fb009dcSAndroid Build Coastguard Worker bool sign_ok = tls1_choose_signature_algorithm(hs, cred, &sigalg);
380*8fb009dcSAndroid Build Coastguard Worker ERR_clear_error();
381*8fb009dcSAndroid Build Coastguard Worker
382*8fb009dcSAndroid Build Coastguard Worker // ECDSA keys must additionally be checked against the peer's supported
383*8fb009dcSAndroid Build Coastguard Worker // curve list.
384*8fb009dcSAndroid Build Coastguard Worker int key_type = EVP_PKEY_id(cred->pubkey.get());
385*8fb009dcSAndroid Build Coastguard Worker if (hs->config->check_ecdsa_curve && key_type == EVP_PKEY_EC) {
386*8fb009dcSAndroid Build Coastguard Worker EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(cred->pubkey.get());
387*8fb009dcSAndroid Build Coastguard Worker uint16_t group_id;
388*8fb009dcSAndroid Build Coastguard Worker if (!ssl_nid_to_group_id(
389*8fb009dcSAndroid Build Coastguard Worker &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||
390*8fb009dcSAndroid Build Coastguard Worker std::find(hs->peer_supported_group_list.begin(),
391*8fb009dcSAndroid Build Coastguard Worker hs->peer_supported_group_list.end(),
392*8fb009dcSAndroid Build Coastguard Worker group_id) == hs->peer_supported_group_list.end()) {
393*8fb009dcSAndroid Build Coastguard Worker sign_ok = false;
394*8fb009dcSAndroid Build Coastguard Worker
395*8fb009dcSAndroid Build Coastguard Worker // If this would make us unable to pick any cipher, return an error.
396*8fb009dcSAndroid Build Coastguard Worker // This is not strictly necessary, but it gives us a more specific
397*8fb009dcSAndroid Build Coastguard Worker // error to help the caller diagnose issues.
398*8fb009dcSAndroid Build Coastguard Worker if (mask_a == 0) {
399*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CURVE);
400*8fb009dcSAndroid Build Coastguard Worker return TLS12ServerParams();
401*8fb009dcSAndroid Build Coastguard Worker }
402*8fb009dcSAndroid Build Coastguard Worker }
403*8fb009dcSAndroid Build Coastguard Worker }
404*8fb009dcSAndroid Build Coastguard Worker
405*8fb009dcSAndroid Build Coastguard Worker mask_a |= ssl_cipher_auth_mask_for_key(cred->pubkey.get(), sign_ok);
406*8fb009dcSAndroid Build Coastguard Worker if (key_type == EVP_PKEY_RSA) {
407*8fb009dcSAndroid Build Coastguard Worker mask_k |= SSL_kRSA;
408*8fb009dcSAndroid Build Coastguard Worker }
409*8fb009dcSAndroid Build Coastguard Worker }
410*8fb009dcSAndroid Build Coastguard Worker
411*8fb009dcSAndroid Build Coastguard Worker TLS12ServerParams params;
412*8fb009dcSAndroid Build Coastguard Worker params.cipher = choose_cipher(hs, client_pref, mask_k, mask_a);
413*8fb009dcSAndroid Build Coastguard Worker if (params.cipher == nullptr) {
414*8fb009dcSAndroid Build Coastguard Worker return TLS12ServerParams();
415*8fb009dcSAndroid Build Coastguard Worker }
416*8fb009dcSAndroid Build Coastguard Worker if (ssl_cipher_requires_server_key_exchange(params.cipher) &&
417*8fb009dcSAndroid Build Coastguard Worker ssl_cipher_uses_certificate_auth(params.cipher)) {
418*8fb009dcSAndroid Build Coastguard Worker params.signature_algorithm = sigalg;
419*8fb009dcSAndroid Build Coastguard Worker }
420*8fb009dcSAndroid Build Coastguard Worker return params;
421*8fb009dcSAndroid Build Coastguard Worker }
422*8fb009dcSAndroid Build Coastguard Worker
do_start_accept(SSL_HANDSHAKE * hs)423*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_start_accept(SSL_HANDSHAKE *hs) {
424*8fb009dcSAndroid Build Coastguard Worker ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_START, 1);
425*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_hello;
426*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
427*8fb009dcSAndroid Build Coastguard Worker }
428*8fb009dcSAndroid Build Coastguard Worker
429*8fb009dcSAndroid Build Coastguard Worker // is_probably_jdk11_with_tls13 returns whether |client_hello| was probably sent
430*8fb009dcSAndroid Build Coastguard Worker // from a JDK 11 client with both TLS 1.3 and a prior version enabled.
is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO * client_hello)431*8fb009dcSAndroid Build Coastguard Worker static bool is_probably_jdk11_with_tls13(const SSL_CLIENT_HELLO *client_hello) {
432*8fb009dcSAndroid Build Coastguard Worker // JDK 11 ClientHellos contain a number of unusual properties which should
433*8fb009dcSAndroid Build Coastguard Worker // limit false positives.
434*8fb009dcSAndroid Build Coastguard Worker
435*8fb009dcSAndroid Build Coastguard Worker // JDK 11 does not support ChaCha20-Poly1305. This is unusual: many modern
436*8fb009dcSAndroid Build Coastguard Worker // clients implement ChaCha20-Poly1305.
437*8fb009dcSAndroid Build Coastguard Worker if (ssl_client_cipher_list_contains_cipher(
438*8fb009dcSAndroid Build Coastguard Worker client_hello, TLS1_3_CK_CHACHA20_POLY1305_SHA256 & 0xffff)) {
439*8fb009dcSAndroid Build Coastguard Worker return false;
440*8fb009dcSAndroid Build Coastguard Worker }
441*8fb009dcSAndroid Build Coastguard Worker
442*8fb009dcSAndroid Build Coastguard Worker // JDK 11 always sends extensions in a particular order.
443*8fb009dcSAndroid Build Coastguard Worker constexpr uint16_t kMaxFragmentLength = 0x0001;
444*8fb009dcSAndroid Build Coastguard Worker constexpr uint16_t kStatusRequestV2 = 0x0011;
445*8fb009dcSAndroid Build Coastguard Worker static constexpr struct {
446*8fb009dcSAndroid Build Coastguard Worker uint16_t id;
447*8fb009dcSAndroid Build Coastguard Worker bool required;
448*8fb009dcSAndroid Build Coastguard Worker } kJavaExtensions[] = {
449*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_server_name, false},
450*8fb009dcSAndroid Build Coastguard Worker {kMaxFragmentLength, false},
451*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_status_request, false},
452*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_supported_groups, true},
453*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_ec_point_formats, false},
454*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_signature_algorithms, true},
455*8fb009dcSAndroid Build Coastguard Worker // Java always sends signature_algorithms_cert.
456*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_signature_algorithms_cert, true},
457*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_application_layer_protocol_negotiation, false},
458*8fb009dcSAndroid Build Coastguard Worker {kStatusRequestV2, false},
459*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_extended_master_secret, false},
460*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_supported_versions, true},
461*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_cookie, false},
462*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_psk_key_exchange_modes, true},
463*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_key_share, true},
464*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_renegotiate, false},
465*8fb009dcSAndroid Build Coastguard Worker {TLSEXT_TYPE_pre_shared_key, false},
466*8fb009dcSAndroid Build Coastguard Worker };
467*8fb009dcSAndroid Build Coastguard Worker Span<const uint8_t> sigalgs, sigalgs_cert;
468*8fb009dcSAndroid Build Coastguard Worker bool has_status_request = false, has_status_request_v2 = false;
469*8fb009dcSAndroid Build Coastguard Worker CBS extensions, supported_groups;
470*8fb009dcSAndroid Build Coastguard Worker CBS_init(&extensions, client_hello->extensions, client_hello->extensions_len);
471*8fb009dcSAndroid Build Coastguard Worker for (const auto &java_extension : kJavaExtensions) {
472*8fb009dcSAndroid Build Coastguard Worker CBS copy = extensions;
473*8fb009dcSAndroid Build Coastguard Worker uint16_t id;
474*8fb009dcSAndroid Build Coastguard Worker if (CBS_get_u16(©, &id) && id == java_extension.id) {
475*8fb009dcSAndroid Build Coastguard Worker // The next extension is the one we expected.
476*8fb009dcSAndroid Build Coastguard Worker extensions = copy;
477*8fb009dcSAndroid Build Coastguard Worker CBS body;
478*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16_length_prefixed(&extensions, &body)) {
479*8fb009dcSAndroid Build Coastguard Worker return false;
480*8fb009dcSAndroid Build Coastguard Worker }
481*8fb009dcSAndroid Build Coastguard Worker switch (id) {
482*8fb009dcSAndroid Build Coastguard Worker case TLSEXT_TYPE_status_request:
483*8fb009dcSAndroid Build Coastguard Worker has_status_request = true;
484*8fb009dcSAndroid Build Coastguard Worker break;
485*8fb009dcSAndroid Build Coastguard Worker case kStatusRequestV2:
486*8fb009dcSAndroid Build Coastguard Worker has_status_request_v2 = true;
487*8fb009dcSAndroid Build Coastguard Worker break;
488*8fb009dcSAndroid Build Coastguard Worker case TLSEXT_TYPE_signature_algorithms:
489*8fb009dcSAndroid Build Coastguard Worker sigalgs = body;
490*8fb009dcSAndroid Build Coastguard Worker break;
491*8fb009dcSAndroid Build Coastguard Worker case TLSEXT_TYPE_signature_algorithms_cert:
492*8fb009dcSAndroid Build Coastguard Worker sigalgs_cert = body;
493*8fb009dcSAndroid Build Coastguard Worker break;
494*8fb009dcSAndroid Build Coastguard Worker case TLSEXT_TYPE_supported_groups:
495*8fb009dcSAndroid Build Coastguard Worker supported_groups = body;
496*8fb009dcSAndroid Build Coastguard Worker break;
497*8fb009dcSAndroid Build Coastguard Worker }
498*8fb009dcSAndroid Build Coastguard Worker } else if (java_extension.required) {
499*8fb009dcSAndroid Build Coastguard Worker return false;
500*8fb009dcSAndroid Build Coastguard Worker }
501*8fb009dcSAndroid Build Coastguard Worker }
502*8fb009dcSAndroid Build Coastguard Worker if (CBS_len(&extensions) != 0) {
503*8fb009dcSAndroid Build Coastguard Worker return false;
504*8fb009dcSAndroid Build Coastguard Worker }
505*8fb009dcSAndroid Build Coastguard Worker
506*8fb009dcSAndroid Build Coastguard Worker // JDK 11 never advertises X25519. It is not offered by default, and
507*8fb009dcSAndroid Build Coastguard Worker // -Djdk.tls.namedGroups=x25519 does not work. This is unusual: many modern
508*8fb009dcSAndroid Build Coastguard Worker // clients implement X25519.
509*8fb009dcSAndroid Build Coastguard Worker while (CBS_len(&supported_groups) > 0) {
510*8fb009dcSAndroid Build Coastguard Worker uint16_t group;
511*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16(&supported_groups, &group) ||
512*8fb009dcSAndroid Build Coastguard Worker group == SSL_GROUP_X25519) {
513*8fb009dcSAndroid Build Coastguard Worker return false;
514*8fb009dcSAndroid Build Coastguard Worker }
515*8fb009dcSAndroid Build Coastguard Worker }
516*8fb009dcSAndroid Build Coastguard Worker
517*8fb009dcSAndroid Build Coastguard Worker if (// JDK 11 always sends the same contents in signature_algorithms and
518*8fb009dcSAndroid Build Coastguard Worker // signature_algorithms_cert. This is unusual: signature_algorithms_cert,
519*8fb009dcSAndroid Build Coastguard Worker // if omitted, is treated as if it were signature_algorithms.
520*8fb009dcSAndroid Build Coastguard Worker sigalgs != sigalgs_cert ||
521*8fb009dcSAndroid Build Coastguard Worker // When TLS 1.2 or below is enabled, JDK 11 sends status_request_v2 iff it
522*8fb009dcSAndroid Build Coastguard Worker // sends status_request. This is unusual: status_request_v2 is not widely
523*8fb009dcSAndroid Build Coastguard Worker // implemented.
524*8fb009dcSAndroid Build Coastguard Worker has_status_request != has_status_request_v2) {
525*8fb009dcSAndroid Build Coastguard Worker return false;
526*8fb009dcSAndroid Build Coastguard Worker }
527*8fb009dcSAndroid Build Coastguard Worker
528*8fb009dcSAndroid Build Coastguard Worker return true;
529*8fb009dcSAndroid Build Coastguard Worker }
530*8fb009dcSAndroid Build Coastguard Worker
decrypt_ech(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)531*8fb009dcSAndroid Build Coastguard Worker static bool decrypt_ech(SSL_HANDSHAKE *hs, uint8_t *out_alert,
532*8fb009dcSAndroid Build Coastguard Worker const SSL_CLIENT_HELLO *client_hello) {
533*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
534*8fb009dcSAndroid Build Coastguard Worker CBS body;
535*8fb009dcSAndroid Build Coastguard Worker if (!ssl_client_hello_get_extension(client_hello, &body,
536*8fb009dcSAndroid Build Coastguard Worker TLSEXT_TYPE_encrypted_client_hello)) {
537*8fb009dcSAndroid Build Coastguard Worker return true;
538*8fb009dcSAndroid Build Coastguard Worker }
539*8fb009dcSAndroid Build Coastguard Worker uint8_t type;
540*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u8(&body, &type)) {
541*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
542*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL_AD_DECODE_ERROR;
543*8fb009dcSAndroid Build Coastguard Worker return false;
544*8fb009dcSAndroid Build Coastguard Worker }
545*8fb009dcSAndroid Build Coastguard Worker if (type != ECH_CLIENT_OUTER) {
546*8fb009dcSAndroid Build Coastguard Worker return true;
547*8fb009dcSAndroid Build Coastguard Worker }
548*8fb009dcSAndroid Build Coastguard Worker // This is a ClientHelloOuter ECH extension. Attempt to decrypt it.
549*8fb009dcSAndroid Build Coastguard Worker uint8_t config_id;
550*8fb009dcSAndroid Build Coastguard Worker uint16_t kdf_id, aead_id;
551*8fb009dcSAndroid Build Coastguard Worker CBS enc, payload;
552*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16(&body, &kdf_id) || //
553*8fb009dcSAndroid Build Coastguard Worker !CBS_get_u16(&body, &aead_id) || //
554*8fb009dcSAndroid Build Coastguard Worker !CBS_get_u8(&body, &config_id) ||
555*8fb009dcSAndroid Build Coastguard Worker !CBS_get_u16_length_prefixed(&body, &enc) ||
556*8fb009dcSAndroid Build Coastguard Worker !CBS_get_u16_length_prefixed(&body, &payload) || //
557*8fb009dcSAndroid Build Coastguard Worker CBS_len(&body) != 0) {
558*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
559*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL_AD_DECODE_ERROR;
560*8fb009dcSAndroid Build Coastguard Worker return false;
561*8fb009dcSAndroid Build Coastguard Worker }
562*8fb009dcSAndroid Build Coastguard Worker
563*8fb009dcSAndroid Build Coastguard Worker {
564*8fb009dcSAndroid Build Coastguard Worker MutexReadLock lock(&ssl->ctx->lock);
565*8fb009dcSAndroid Build Coastguard Worker hs->ech_keys = UpRef(ssl->ctx->ech_keys);
566*8fb009dcSAndroid Build Coastguard Worker }
567*8fb009dcSAndroid Build Coastguard Worker
568*8fb009dcSAndroid Build Coastguard Worker if (!hs->ech_keys) {
569*8fb009dcSAndroid Build Coastguard Worker ssl->s3->ech_status = ssl_ech_rejected;
570*8fb009dcSAndroid Build Coastguard Worker return true;
571*8fb009dcSAndroid Build Coastguard Worker }
572*8fb009dcSAndroid Build Coastguard Worker
573*8fb009dcSAndroid Build Coastguard Worker for (const auto &config : hs->ech_keys->configs) {
574*8fb009dcSAndroid Build Coastguard Worker hs->ech_hpke_ctx.Reset();
575*8fb009dcSAndroid Build Coastguard Worker if (config_id != config->ech_config().config_id ||
576*8fb009dcSAndroid Build Coastguard Worker !config->SetupContext(hs->ech_hpke_ctx.get(), kdf_id, aead_id, enc)) {
577*8fb009dcSAndroid Build Coastguard Worker // Ignore the error and try another ECHConfig.
578*8fb009dcSAndroid Build Coastguard Worker ERR_clear_error();
579*8fb009dcSAndroid Build Coastguard Worker continue;
580*8fb009dcSAndroid Build Coastguard Worker }
581*8fb009dcSAndroid Build Coastguard Worker bool is_decrypt_error;
582*8fb009dcSAndroid Build Coastguard Worker if (!ssl_client_hello_decrypt(hs, out_alert, &is_decrypt_error,
583*8fb009dcSAndroid Build Coastguard Worker &hs->ech_client_hello_buf, client_hello,
584*8fb009dcSAndroid Build Coastguard Worker payload)) {
585*8fb009dcSAndroid Build Coastguard Worker if (is_decrypt_error) {
586*8fb009dcSAndroid Build Coastguard Worker // Ignore the error and try another ECHConfig.
587*8fb009dcSAndroid Build Coastguard Worker ERR_clear_error();
588*8fb009dcSAndroid Build Coastguard Worker // The |out_alert| calling convention currently relies on a default of
589*8fb009dcSAndroid Build Coastguard Worker // |SSL_AD_DECODE_ERROR|. https://crbug.com/boringssl/373 tracks
590*8fb009dcSAndroid Build Coastguard Worker // switching to sum types, which avoids this.
591*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL_AD_DECODE_ERROR;
592*8fb009dcSAndroid Build Coastguard Worker continue;
593*8fb009dcSAndroid Build Coastguard Worker }
594*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
595*8fb009dcSAndroid Build Coastguard Worker return false;
596*8fb009dcSAndroid Build Coastguard Worker }
597*8fb009dcSAndroid Build Coastguard Worker hs->ech_config_id = config_id;
598*8fb009dcSAndroid Build Coastguard Worker ssl->s3->ech_status = ssl_ech_accepted;
599*8fb009dcSAndroid Build Coastguard Worker return true;
600*8fb009dcSAndroid Build Coastguard Worker }
601*8fb009dcSAndroid Build Coastguard Worker
602*8fb009dcSAndroid Build Coastguard Worker // If we did not accept ECH, proceed with the ClientHelloOuter. Note this
603*8fb009dcSAndroid Build Coastguard Worker // could be key mismatch or ECH GREASE, so we must complete the handshake
604*8fb009dcSAndroid Build Coastguard Worker // as usual, except EncryptedExtensions will contain retry configs.
605*8fb009dcSAndroid Build Coastguard Worker ssl->s3->ech_status = ssl_ech_rejected;
606*8fb009dcSAndroid Build Coastguard Worker return true;
607*8fb009dcSAndroid Build Coastguard Worker }
608*8fb009dcSAndroid Build Coastguard Worker
extract_sni(SSL_HANDSHAKE * hs,uint8_t * out_alert,const SSL_CLIENT_HELLO * client_hello)609*8fb009dcSAndroid Build Coastguard Worker static bool extract_sni(SSL_HANDSHAKE *hs, uint8_t *out_alert,
610*8fb009dcSAndroid Build Coastguard Worker const SSL_CLIENT_HELLO *client_hello) {
611*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
612*8fb009dcSAndroid Build Coastguard Worker CBS sni;
613*8fb009dcSAndroid Build Coastguard Worker if (!ssl_client_hello_get_extension(client_hello, &sni,
614*8fb009dcSAndroid Build Coastguard Worker TLSEXT_TYPE_server_name)) {
615*8fb009dcSAndroid Build Coastguard Worker // No SNI extension to parse.
616*8fb009dcSAndroid Build Coastguard Worker //
617*8fb009dcSAndroid Build Coastguard Worker // Clear state in case we previously extracted SNI from ClientHelloOuter.
618*8fb009dcSAndroid Build Coastguard Worker ssl->s3->hostname.reset();
619*8fb009dcSAndroid Build Coastguard Worker return true;
620*8fb009dcSAndroid Build Coastguard Worker }
621*8fb009dcSAndroid Build Coastguard Worker
622*8fb009dcSAndroid Build Coastguard Worker CBS server_name_list, host_name;
623*8fb009dcSAndroid Build Coastguard Worker uint8_t name_type;
624*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16_length_prefixed(&sni, &server_name_list) ||
625*8fb009dcSAndroid Build Coastguard Worker !CBS_get_u8(&server_name_list, &name_type) ||
626*8fb009dcSAndroid Build Coastguard Worker // Although the server_name extension was intended to be extensible to
627*8fb009dcSAndroid Build Coastguard Worker // new name types and multiple names, OpenSSL 1.0.x had a bug which meant
628*8fb009dcSAndroid Build Coastguard Worker // different name types will cause an error. Further, RFC 4366 originally
629*8fb009dcSAndroid Build Coastguard Worker // defined syntax inextensibly. RFC 6066 corrected this mistake, but
630*8fb009dcSAndroid Build Coastguard Worker // adding new name types is no longer feasible.
631*8fb009dcSAndroid Build Coastguard Worker //
632*8fb009dcSAndroid Build Coastguard Worker // Act as if the extensibility does not exist to simplify parsing.
633*8fb009dcSAndroid Build Coastguard Worker !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||
634*8fb009dcSAndroid Build Coastguard Worker CBS_len(&server_name_list) != 0 ||
635*8fb009dcSAndroid Build Coastguard Worker CBS_len(&sni) != 0) {
636*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL_AD_DECODE_ERROR;
637*8fb009dcSAndroid Build Coastguard Worker return false;
638*8fb009dcSAndroid Build Coastguard Worker }
639*8fb009dcSAndroid Build Coastguard Worker
640*8fb009dcSAndroid Build Coastguard Worker if (name_type != TLSEXT_NAMETYPE_host_name ||
641*8fb009dcSAndroid Build Coastguard Worker CBS_len(&host_name) == 0 ||
642*8fb009dcSAndroid Build Coastguard Worker CBS_len(&host_name) > TLSEXT_MAXLEN_host_name ||
643*8fb009dcSAndroid Build Coastguard Worker CBS_contains_zero_byte(&host_name)) {
644*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL_AD_UNRECOGNIZED_NAME;
645*8fb009dcSAndroid Build Coastguard Worker return false;
646*8fb009dcSAndroid Build Coastguard Worker }
647*8fb009dcSAndroid Build Coastguard Worker
648*8fb009dcSAndroid Build Coastguard Worker // Copy the hostname as a string.
649*8fb009dcSAndroid Build Coastguard Worker char *raw = nullptr;
650*8fb009dcSAndroid Build Coastguard Worker if (!CBS_strdup(&host_name, &raw)) {
651*8fb009dcSAndroid Build Coastguard Worker *out_alert = SSL_AD_INTERNAL_ERROR;
652*8fb009dcSAndroid Build Coastguard Worker return false;
653*8fb009dcSAndroid Build Coastguard Worker }
654*8fb009dcSAndroid Build Coastguard Worker ssl->s3->hostname.reset(raw);
655*8fb009dcSAndroid Build Coastguard Worker return true;
656*8fb009dcSAndroid Build Coastguard Worker }
657*8fb009dcSAndroid Build Coastguard Worker
do_read_client_hello(SSL_HANDSHAKE * hs)658*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_client_hello(SSL_HANDSHAKE *hs) {
659*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
660*8fb009dcSAndroid Build Coastguard Worker
661*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg;
662*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->get_message(ssl, &msg)) {
663*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_read_message;
664*8fb009dcSAndroid Build Coastguard Worker }
665*8fb009dcSAndroid Build Coastguard Worker
666*8fb009dcSAndroid Build Coastguard Worker if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_HELLO)) {
667*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
668*8fb009dcSAndroid Build Coastguard Worker }
669*8fb009dcSAndroid Build Coastguard Worker
670*8fb009dcSAndroid Build Coastguard Worker SSL_CLIENT_HELLO client_hello;
671*8fb009dcSAndroid Build Coastguard Worker if (!ssl_client_hello_init(ssl, &client_hello, msg.body)) {
672*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
673*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
674*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
675*8fb009dcSAndroid Build Coastguard Worker }
676*8fb009dcSAndroid Build Coastguard Worker
677*8fb009dcSAndroid Build Coastguard Worker // ClientHello should be the end of the flight. We check this early to cover
678*8fb009dcSAndroid Build Coastguard Worker // all protocol versions.
679*8fb009dcSAndroid Build Coastguard Worker if (ssl->method->has_unprocessed_handshake_data(ssl)) {
680*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
681*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
682*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
683*8fb009dcSAndroid Build Coastguard Worker }
684*8fb009dcSAndroid Build Coastguard Worker
685*8fb009dcSAndroid Build Coastguard Worker if (hs->config->handoff) {
686*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_handoff;
687*8fb009dcSAndroid Build Coastguard Worker }
688*8fb009dcSAndroid Build Coastguard Worker
689*8fb009dcSAndroid Build Coastguard Worker uint8_t alert = SSL_AD_DECODE_ERROR;
690*8fb009dcSAndroid Build Coastguard Worker // We check for rejection status in case we've rewound the state machine after
691*8fb009dcSAndroid Build Coastguard Worker // determining `ClientHelloInner` is invalid.
692*8fb009dcSAndroid Build Coastguard Worker if (ssl->s3->ech_status != ssl_ech_rejected &&
693*8fb009dcSAndroid Build Coastguard Worker !decrypt_ech(hs, &alert, &client_hello)) {
694*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
695*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
696*8fb009dcSAndroid Build Coastguard Worker }
697*8fb009dcSAndroid Build Coastguard Worker
698*8fb009dcSAndroid Build Coastguard Worker // ECH may have changed which ClientHello we process. Update |msg| and
699*8fb009dcSAndroid Build Coastguard Worker // |client_hello| in case.
700*8fb009dcSAndroid Build Coastguard Worker if (!hs->GetClientHello(&msg, &client_hello)) {
701*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
702*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
703*8fb009dcSAndroid Build Coastguard Worker }
704*8fb009dcSAndroid Build Coastguard Worker
705*8fb009dcSAndroid Build Coastguard Worker if (!extract_sni(hs, &alert, &client_hello)) {
706*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
707*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
708*8fb009dcSAndroid Build Coastguard Worker }
709*8fb009dcSAndroid Build Coastguard Worker
710*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_hello_after_ech;
711*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
712*8fb009dcSAndroid Build Coastguard Worker }
713*8fb009dcSAndroid Build Coastguard Worker
do_read_client_hello_after_ech(SSL_HANDSHAKE * hs)714*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_client_hello_after_ech(SSL_HANDSHAKE *hs) {
715*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
716*8fb009dcSAndroid Build Coastguard Worker
717*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg_unused;
718*8fb009dcSAndroid Build Coastguard Worker SSL_CLIENT_HELLO client_hello;
719*8fb009dcSAndroid Build Coastguard Worker if (!hs->GetClientHello(&msg_unused, &client_hello)) {
720*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
721*8fb009dcSAndroid Build Coastguard Worker }
722*8fb009dcSAndroid Build Coastguard Worker
723*8fb009dcSAndroid Build Coastguard Worker // Run the early callback.
724*8fb009dcSAndroid Build Coastguard Worker if (ssl->ctx->select_certificate_cb != NULL) {
725*8fb009dcSAndroid Build Coastguard Worker switch (ssl->ctx->select_certificate_cb(&client_hello)) {
726*8fb009dcSAndroid Build Coastguard Worker case ssl_select_cert_retry:
727*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_certificate_selection_pending;
728*8fb009dcSAndroid Build Coastguard Worker
729*8fb009dcSAndroid Build Coastguard Worker case ssl_select_cert_disable_ech:
730*8fb009dcSAndroid Build Coastguard Worker hs->ech_client_hello_buf.Reset();
731*8fb009dcSAndroid Build Coastguard Worker hs->ech_keys = nullptr;
732*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_hello;
733*8fb009dcSAndroid Build Coastguard Worker ssl->s3->ech_status = ssl_ech_rejected;
734*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
735*8fb009dcSAndroid Build Coastguard Worker
736*8fb009dcSAndroid Build Coastguard Worker case ssl_select_cert_error:
737*8fb009dcSAndroid Build Coastguard Worker // Connection rejected.
738*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
739*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
740*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
741*8fb009dcSAndroid Build Coastguard Worker
742*8fb009dcSAndroid Build Coastguard Worker default:
743*8fb009dcSAndroid Build Coastguard Worker /* fallthrough */;
744*8fb009dcSAndroid Build Coastguard Worker }
745*8fb009dcSAndroid Build Coastguard Worker }
746*8fb009dcSAndroid Build Coastguard Worker
747*8fb009dcSAndroid Build Coastguard Worker // Freeze the version range after the early callback.
748*8fb009dcSAndroid Build Coastguard Worker if (!ssl_get_version_range(hs, &hs->min_version, &hs->max_version)) {
749*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
750*8fb009dcSAndroid Build Coastguard Worker }
751*8fb009dcSAndroid Build Coastguard Worker
752*8fb009dcSAndroid Build Coastguard Worker if (hs->config->jdk11_workaround &&
753*8fb009dcSAndroid Build Coastguard Worker is_probably_jdk11_with_tls13(&client_hello)) {
754*8fb009dcSAndroid Build Coastguard Worker hs->apply_jdk11_workaround = true;
755*8fb009dcSAndroid Build Coastguard Worker }
756*8fb009dcSAndroid Build Coastguard Worker
757*8fb009dcSAndroid Build Coastguard Worker uint8_t alert = SSL_AD_DECODE_ERROR;
758*8fb009dcSAndroid Build Coastguard Worker if (!negotiate_version(hs, &alert, &client_hello)) {
759*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
760*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
761*8fb009dcSAndroid Build Coastguard Worker }
762*8fb009dcSAndroid Build Coastguard Worker
763*8fb009dcSAndroid Build Coastguard Worker hs->client_version = client_hello.version;
764*8fb009dcSAndroid Build Coastguard Worker if (client_hello.random_len != SSL3_RANDOM_SIZE) {
765*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
766*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
767*8fb009dcSAndroid Build Coastguard Worker }
768*8fb009dcSAndroid Build Coastguard Worker OPENSSL_memcpy(ssl->s3->client_random, client_hello.random,
769*8fb009dcSAndroid Build Coastguard Worker client_hello.random_len);
770*8fb009dcSAndroid Build Coastguard Worker
771*8fb009dcSAndroid Build Coastguard Worker // Only null compression is supported. TLS 1.3 further requires the peer
772*8fb009dcSAndroid Build Coastguard Worker // advertise no other compression.
773*8fb009dcSAndroid Build Coastguard Worker if (OPENSSL_memchr(client_hello.compression_methods, 0,
774*8fb009dcSAndroid Build Coastguard Worker client_hello.compression_methods_len) == NULL ||
775*8fb009dcSAndroid Build Coastguard Worker (ssl_protocol_version(ssl) >= TLS1_3_VERSION &&
776*8fb009dcSAndroid Build Coastguard Worker client_hello.compression_methods_len != 1)) {
777*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMPRESSION_LIST);
778*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
779*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
780*8fb009dcSAndroid Build Coastguard Worker }
781*8fb009dcSAndroid Build Coastguard Worker
782*8fb009dcSAndroid Build Coastguard Worker // TLS extensions.
783*8fb009dcSAndroid Build Coastguard Worker if (!ssl_parse_clienthello_tlsext(hs, &client_hello)) {
784*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
785*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
786*8fb009dcSAndroid Build Coastguard Worker }
787*8fb009dcSAndroid Build Coastguard Worker
788*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_cert_callback;
789*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
790*8fb009dcSAndroid Build Coastguard Worker }
791*8fb009dcSAndroid Build Coastguard Worker
do_cert_callback(SSL_HANDSHAKE * hs)792*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_cert_callback(SSL_HANDSHAKE *hs) {
793*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
794*8fb009dcSAndroid Build Coastguard Worker
795*8fb009dcSAndroid Build Coastguard Worker // Call |cert_cb| to update server certificates if required.
796*8fb009dcSAndroid Build Coastguard Worker if (hs->config->cert->cert_cb != NULL) {
797*8fb009dcSAndroid Build Coastguard Worker int rv = hs->config->cert->cert_cb(ssl, hs->config->cert->cert_cb_arg);
798*8fb009dcSAndroid Build Coastguard Worker if (rv == 0) {
799*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_CB_ERROR);
800*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
801*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
802*8fb009dcSAndroid Build Coastguard Worker }
803*8fb009dcSAndroid Build Coastguard Worker if (rv < 0) {
804*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_x509_lookup;
805*8fb009dcSAndroid Build Coastguard Worker }
806*8fb009dcSAndroid Build Coastguard Worker }
807*8fb009dcSAndroid Build Coastguard Worker
808*8fb009dcSAndroid Build Coastguard Worker if (hs->ocsp_stapling_requested &&
809*8fb009dcSAndroid Build Coastguard Worker ssl->ctx->legacy_ocsp_callback != nullptr) {
810*8fb009dcSAndroid Build Coastguard Worker switch (ssl->ctx->legacy_ocsp_callback(
811*8fb009dcSAndroid Build Coastguard Worker ssl, ssl->ctx->legacy_ocsp_callback_arg)) {
812*8fb009dcSAndroid Build Coastguard Worker case SSL_TLSEXT_ERR_OK:
813*8fb009dcSAndroid Build Coastguard Worker break;
814*8fb009dcSAndroid Build Coastguard Worker case SSL_TLSEXT_ERR_NOACK:
815*8fb009dcSAndroid Build Coastguard Worker hs->ocsp_stapling_requested = false;
816*8fb009dcSAndroid Build Coastguard Worker break;
817*8fb009dcSAndroid Build Coastguard Worker default:
818*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_OCSP_CB_ERROR);
819*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
820*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
821*8fb009dcSAndroid Build Coastguard Worker }
822*8fb009dcSAndroid Build Coastguard Worker }
823*8fb009dcSAndroid Build Coastguard Worker
824*8fb009dcSAndroid Build Coastguard Worker if (ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
825*8fb009dcSAndroid Build Coastguard Worker // Jump to the TLS 1.3 state machine.
826*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_tls13;
827*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
828*8fb009dcSAndroid Build Coastguard Worker }
829*8fb009dcSAndroid Build Coastguard Worker
830*8fb009dcSAndroid Build Coastguard Worker // It should not be possible to negotiate TLS 1.2 with ECH. The
831*8fb009dcSAndroid Build Coastguard Worker // ClientHelloInner decoding function rejects ClientHellos which offer TLS 1.2
832*8fb009dcSAndroid Build Coastguard Worker // or below.
833*8fb009dcSAndroid Build Coastguard Worker assert(ssl->s3->ech_status != ssl_ech_accepted);
834*8fb009dcSAndroid Build Coastguard Worker
835*8fb009dcSAndroid Build Coastguard Worker ssl->s3->early_data_reason = ssl_early_data_protocol_version;
836*8fb009dcSAndroid Build Coastguard Worker
837*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_select_parameters;
838*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
839*8fb009dcSAndroid Build Coastguard Worker }
840*8fb009dcSAndroid Build Coastguard Worker
do_tls13(SSL_HANDSHAKE * hs)841*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_tls13(SSL_HANDSHAKE *hs) {
842*8fb009dcSAndroid Build Coastguard Worker enum ssl_hs_wait_t wait = tls13_server_handshake(hs);
843*8fb009dcSAndroid Build Coastguard Worker if (wait == ssl_hs_ok) {
844*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_finish_server_handshake;
845*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
846*8fb009dcSAndroid Build Coastguard Worker }
847*8fb009dcSAndroid Build Coastguard Worker
848*8fb009dcSAndroid Build Coastguard Worker return wait;
849*8fb009dcSAndroid Build Coastguard Worker }
850*8fb009dcSAndroid Build Coastguard Worker
do_select_parameters(SSL_HANDSHAKE * hs)851*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_select_parameters(SSL_HANDSHAKE *hs) {
852*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
853*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg;
854*8fb009dcSAndroid Build Coastguard Worker SSL_CLIENT_HELLO client_hello;
855*8fb009dcSAndroid Build Coastguard Worker if (!hs->GetClientHello(&msg, &client_hello)) {
856*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
857*8fb009dcSAndroid Build Coastguard Worker }
858*8fb009dcSAndroid Build Coastguard Worker
859*8fb009dcSAndroid Build Coastguard Worker // Determine the ECDHE group to use, if we are to use ECDHE.
860*8fb009dcSAndroid Build Coastguard Worker uint16_t group_id = 0;
861*8fb009dcSAndroid Build Coastguard Worker bool has_ecdhe_group = tls1_get_shared_group(hs, &group_id);
862*8fb009dcSAndroid Build Coastguard Worker
863*8fb009dcSAndroid Build Coastguard Worker // Select the credential and cipher suite. This must be done after |cert_cb|
864*8fb009dcSAndroid Build Coastguard Worker // runs, so the final credential list is known.
865*8fb009dcSAndroid Build Coastguard Worker //
866*8fb009dcSAndroid Build Coastguard Worker // TODO(davidben): In the course of picking these, we also pick the ECDHE
867*8fb009dcSAndroid Build Coastguard Worker // group and signature algorithm. It would be tidier if we saved that decision
868*8fb009dcSAndroid Build Coastguard Worker // and avoided redoing it later.
869*8fb009dcSAndroid Build Coastguard Worker UniquePtr<STACK_OF(SSL_CIPHER)> client_pref =
870*8fb009dcSAndroid Build Coastguard Worker ssl_parse_client_cipher_list(&client_hello);
871*8fb009dcSAndroid Build Coastguard Worker if (client_pref == nullptr) {
872*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
873*8fb009dcSAndroid Build Coastguard Worker }
874*8fb009dcSAndroid Build Coastguard Worker Array<SSL_CREDENTIAL *> creds;
875*8fb009dcSAndroid Build Coastguard Worker if (!ssl_get_credential_list(hs, &creds)) {
876*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
877*8fb009dcSAndroid Build Coastguard Worker }
878*8fb009dcSAndroid Build Coastguard Worker TLS12ServerParams params;
879*8fb009dcSAndroid Build Coastguard Worker if (creds.empty()) {
880*8fb009dcSAndroid Build Coastguard Worker // The caller may have configured no credentials, but set a PSK callback.
881*8fb009dcSAndroid Build Coastguard Worker params =
882*8fb009dcSAndroid Build Coastguard Worker choose_params(hs, /*cred=*/nullptr, client_pref.get(), has_ecdhe_group);
883*8fb009dcSAndroid Build Coastguard Worker } else {
884*8fb009dcSAndroid Build Coastguard Worker // Select the first credential which works.
885*8fb009dcSAndroid Build Coastguard Worker for (SSL_CREDENTIAL *cred : creds) {
886*8fb009dcSAndroid Build Coastguard Worker ERR_clear_error();
887*8fb009dcSAndroid Build Coastguard Worker params = choose_params(hs, cred, client_pref.get(), has_ecdhe_group);
888*8fb009dcSAndroid Build Coastguard Worker if (params.ok()) {
889*8fb009dcSAndroid Build Coastguard Worker hs->credential = UpRef(cred);
890*8fb009dcSAndroid Build Coastguard Worker break;
891*8fb009dcSAndroid Build Coastguard Worker }
892*8fb009dcSAndroid Build Coastguard Worker }
893*8fb009dcSAndroid Build Coastguard Worker }
894*8fb009dcSAndroid Build Coastguard Worker if (!params.ok()) {
895*8fb009dcSAndroid Build Coastguard Worker // The error from the last attempt is in the error queue.
896*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
897*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
898*8fb009dcSAndroid Build Coastguard Worker }
899*8fb009dcSAndroid Build Coastguard Worker hs->new_cipher = params.cipher;
900*8fb009dcSAndroid Build Coastguard Worker hs->signature_algorithm = params.signature_algorithm;
901*8fb009dcSAndroid Build Coastguard Worker
902*8fb009dcSAndroid Build Coastguard Worker hs->session_id_len = client_hello.session_id_len;
903*8fb009dcSAndroid Build Coastguard Worker // This is checked in |ssl_client_hello_init|.
904*8fb009dcSAndroid Build Coastguard Worker assert(hs->session_id_len <= sizeof(hs->session_id));
905*8fb009dcSAndroid Build Coastguard Worker OPENSSL_memcpy(hs->session_id, client_hello.session_id, hs->session_id_len);
906*8fb009dcSAndroid Build Coastguard Worker
907*8fb009dcSAndroid Build Coastguard Worker // Determine whether we are doing session resumption.
908*8fb009dcSAndroid Build Coastguard Worker UniquePtr<SSL_SESSION> session;
909*8fb009dcSAndroid Build Coastguard Worker bool tickets_supported = false, renew_ticket = false;
910*8fb009dcSAndroid Build Coastguard Worker enum ssl_hs_wait_t wait = ssl_get_prev_session(
911*8fb009dcSAndroid Build Coastguard Worker hs, &session, &tickets_supported, &renew_ticket, &client_hello);
912*8fb009dcSAndroid Build Coastguard Worker if (wait != ssl_hs_ok) {
913*8fb009dcSAndroid Build Coastguard Worker return wait;
914*8fb009dcSAndroid Build Coastguard Worker }
915*8fb009dcSAndroid Build Coastguard Worker
916*8fb009dcSAndroid Build Coastguard Worker if (session) {
917*8fb009dcSAndroid Build Coastguard Worker if (session->extended_master_secret && !hs->extended_master_secret) {
918*8fb009dcSAndroid Build Coastguard Worker // A ClientHello without EMS that attempts to resume a session with EMS
919*8fb009dcSAndroid Build Coastguard Worker // is fatal to the connection.
920*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION);
921*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
922*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
923*8fb009dcSAndroid Build Coastguard Worker }
924*8fb009dcSAndroid Build Coastguard Worker
925*8fb009dcSAndroid Build Coastguard Worker if (!ssl_session_is_resumable(hs, session.get()) ||
926*8fb009dcSAndroid Build Coastguard Worker // If the client offers the EMS extension, but the previous session
927*8fb009dcSAndroid Build Coastguard Worker // didn't use it, then negotiate a new session.
928*8fb009dcSAndroid Build Coastguard Worker hs->extended_master_secret != session->extended_master_secret) {
929*8fb009dcSAndroid Build Coastguard Worker session.reset();
930*8fb009dcSAndroid Build Coastguard Worker }
931*8fb009dcSAndroid Build Coastguard Worker }
932*8fb009dcSAndroid Build Coastguard Worker
933*8fb009dcSAndroid Build Coastguard Worker if (session) {
934*8fb009dcSAndroid Build Coastguard Worker // Use the old session.
935*8fb009dcSAndroid Build Coastguard Worker hs->ticket_expected = renew_ticket;
936*8fb009dcSAndroid Build Coastguard Worker ssl->session = std::move(session);
937*8fb009dcSAndroid Build Coastguard Worker ssl->s3->session_reused = true;
938*8fb009dcSAndroid Build Coastguard Worker hs->can_release_private_key = true;
939*8fb009dcSAndroid Build Coastguard Worker } else {
940*8fb009dcSAndroid Build Coastguard Worker hs->ticket_expected = tickets_supported;
941*8fb009dcSAndroid Build Coastguard Worker ssl_set_session(ssl, nullptr);
942*8fb009dcSAndroid Build Coastguard Worker if (!ssl_get_new_session(hs)) {
943*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
944*8fb009dcSAndroid Build Coastguard Worker }
945*8fb009dcSAndroid Build Coastguard Worker
946*8fb009dcSAndroid Build Coastguard Worker // Assign a session ID if not using session tickets.
947*8fb009dcSAndroid Build Coastguard Worker if (!hs->ticket_expected &&
948*8fb009dcSAndroid Build Coastguard Worker (ssl->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)) {
949*8fb009dcSAndroid Build Coastguard Worker hs->new_session->session_id_length = SSL3_SSL_SESSION_ID_LENGTH;
950*8fb009dcSAndroid Build Coastguard Worker RAND_bytes(hs->new_session->session_id,
951*8fb009dcSAndroid Build Coastguard Worker hs->new_session->session_id_length);
952*8fb009dcSAndroid Build Coastguard Worker }
953*8fb009dcSAndroid Build Coastguard Worker }
954*8fb009dcSAndroid Build Coastguard Worker
955*8fb009dcSAndroid Build Coastguard Worker if (ssl->ctx->dos_protection_cb != NULL &&
956*8fb009dcSAndroid Build Coastguard Worker ssl->ctx->dos_protection_cb(&client_hello) == 0) {
957*8fb009dcSAndroid Build Coastguard Worker // Connection rejected for DOS reasons.
958*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_REJECTED);
959*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
960*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
961*8fb009dcSAndroid Build Coastguard Worker }
962*8fb009dcSAndroid Build Coastguard Worker
963*8fb009dcSAndroid Build Coastguard Worker if (ssl->session == NULL) {
964*8fb009dcSAndroid Build Coastguard Worker hs->new_session->cipher = hs->new_cipher;
965*8fb009dcSAndroid Build Coastguard Worker if (hs->new_session->cipher->algorithm_mkey & SSL_kECDHE) {
966*8fb009dcSAndroid Build Coastguard Worker assert(has_ecdhe_group);
967*8fb009dcSAndroid Build Coastguard Worker hs->new_session->group_id = group_id;
968*8fb009dcSAndroid Build Coastguard Worker }
969*8fb009dcSAndroid Build Coastguard Worker
970*8fb009dcSAndroid Build Coastguard Worker // Determine whether to request a client certificate.
971*8fb009dcSAndroid Build Coastguard Worker hs->cert_request = !!(hs->config->verify_mode & SSL_VERIFY_PEER);
972*8fb009dcSAndroid Build Coastguard Worker // Only request a certificate if Channel ID isn't negotiated.
973*8fb009dcSAndroid Build Coastguard Worker if ((hs->config->verify_mode & SSL_VERIFY_PEER_IF_NO_OBC) &&
974*8fb009dcSAndroid Build Coastguard Worker hs->channel_id_negotiated) {
975*8fb009dcSAndroid Build Coastguard Worker hs->cert_request = false;
976*8fb009dcSAndroid Build Coastguard Worker }
977*8fb009dcSAndroid Build Coastguard Worker // CertificateRequest may only be sent in certificate-based ciphers.
978*8fb009dcSAndroid Build Coastguard Worker if (!ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
979*8fb009dcSAndroid Build Coastguard Worker hs->cert_request = false;
980*8fb009dcSAndroid Build Coastguard Worker }
981*8fb009dcSAndroid Build Coastguard Worker
982*8fb009dcSAndroid Build Coastguard Worker if (!hs->cert_request) {
983*8fb009dcSAndroid Build Coastguard Worker // OpenSSL returns X509_V_OK when no certificates are requested. This is
984*8fb009dcSAndroid Build Coastguard Worker // classed by them as a bug, but it's assumed by at least NGINX.
985*8fb009dcSAndroid Build Coastguard Worker hs->new_session->verify_result = X509_V_OK;
986*8fb009dcSAndroid Build Coastguard Worker }
987*8fb009dcSAndroid Build Coastguard Worker }
988*8fb009dcSAndroid Build Coastguard Worker
989*8fb009dcSAndroid Build Coastguard Worker // HTTP/2 negotiation depends on the cipher suite, so ALPN negotiation was
990*8fb009dcSAndroid Build Coastguard Worker // deferred. Complete it now.
991*8fb009dcSAndroid Build Coastguard Worker uint8_t alert = SSL_AD_DECODE_ERROR;
992*8fb009dcSAndroid Build Coastguard Worker if (!ssl_negotiate_alpn(hs, &alert, &client_hello)) {
993*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
994*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
995*8fb009dcSAndroid Build Coastguard Worker }
996*8fb009dcSAndroid Build Coastguard Worker
997*8fb009dcSAndroid Build Coastguard Worker // Now that all parameters are known, initialize the handshake hash and hash
998*8fb009dcSAndroid Build Coastguard Worker // the ClientHello.
999*8fb009dcSAndroid Build Coastguard Worker if (!hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
1000*8fb009dcSAndroid Build Coastguard Worker !ssl_hash_message(hs, msg)) {
1001*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1002*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1003*8fb009dcSAndroid Build Coastguard Worker }
1004*8fb009dcSAndroid Build Coastguard Worker
1005*8fb009dcSAndroid Build Coastguard Worker // Handback includes the whole handshake transcript, so we cannot free the
1006*8fb009dcSAndroid Build Coastguard Worker // transcript buffer in the handback case.
1007*8fb009dcSAndroid Build Coastguard Worker if (!hs->cert_request && !hs->handback) {
1008*8fb009dcSAndroid Build Coastguard Worker hs->transcript.FreeBuffer();
1009*8fb009dcSAndroid Build Coastguard Worker }
1010*8fb009dcSAndroid Build Coastguard Worker
1011*8fb009dcSAndroid Build Coastguard Worker ssl->method->next_message(ssl);
1012*8fb009dcSAndroid Build Coastguard Worker
1013*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_send_server_hello;
1014*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1015*8fb009dcSAndroid Build Coastguard Worker }
1016*8fb009dcSAndroid Build Coastguard Worker
copy_suffix(Span<uint8_t> out,Span<const uint8_t> in)1017*8fb009dcSAndroid Build Coastguard Worker static void copy_suffix(Span<uint8_t> out, Span<const uint8_t> in) {
1018*8fb009dcSAndroid Build Coastguard Worker out = out.last(in.size());
1019*8fb009dcSAndroid Build Coastguard Worker OPENSSL_memcpy(out.data(), in.data(), in.size());
1020*8fb009dcSAndroid Build Coastguard Worker }
1021*8fb009dcSAndroid Build Coastguard Worker
do_send_server_hello(SSL_HANDSHAKE * hs)1022*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
1023*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1024*8fb009dcSAndroid Build Coastguard Worker
1025*8fb009dcSAndroid Build Coastguard Worker // We only accept ChannelIDs on connections with ECDHE in order to avoid a
1026*8fb009dcSAndroid Build Coastguard Worker // known attack while we fix ChannelID itself.
1027*8fb009dcSAndroid Build Coastguard Worker if (hs->channel_id_negotiated &&
1028*8fb009dcSAndroid Build Coastguard Worker (hs->new_cipher->algorithm_mkey & SSL_kECDHE) == 0) {
1029*8fb009dcSAndroid Build Coastguard Worker hs->channel_id_negotiated = false;
1030*8fb009dcSAndroid Build Coastguard Worker }
1031*8fb009dcSAndroid Build Coastguard Worker
1032*8fb009dcSAndroid Build Coastguard Worker // If this is a resumption and the original handshake didn't support
1033*8fb009dcSAndroid Build Coastguard Worker // ChannelID then we didn't record the original handshake hashes in the
1034*8fb009dcSAndroid Build Coastguard Worker // session and so cannot resume with ChannelIDs.
1035*8fb009dcSAndroid Build Coastguard Worker if (ssl->session != NULL &&
1036*8fb009dcSAndroid Build Coastguard Worker ssl->session->original_handshake_hash_len == 0) {
1037*8fb009dcSAndroid Build Coastguard Worker hs->channel_id_negotiated = false;
1038*8fb009dcSAndroid Build Coastguard Worker }
1039*8fb009dcSAndroid Build Coastguard Worker
1040*8fb009dcSAndroid Build Coastguard Worker SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
1041*8fb009dcSAndroid Build Coastguard Worker if (hints && !hs->hints_requested &&
1042*8fb009dcSAndroid Build Coastguard Worker hints->server_random_tls12.size() == SSL3_RANDOM_SIZE) {
1043*8fb009dcSAndroid Build Coastguard Worker OPENSSL_memcpy(ssl->s3->server_random, hints->server_random_tls12.data(),
1044*8fb009dcSAndroid Build Coastguard Worker SSL3_RANDOM_SIZE);
1045*8fb009dcSAndroid Build Coastguard Worker } else {
1046*8fb009dcSAndroid Build Coastguard Worker struct OPENSSL_timeval now;
1047*8fb009dcSAndroid Build Coastguard Worker ssl_get_current_time(ssl, &now);
1048*8fb009dcSAndroid Build Coastguard Worker CRYPTO_store_u32_be(ssl->s3->server_random,
1049*8fb009dcSAndroid Build Coastguard Worker static_cast<uint32_t>(now.tv_sec));
1050*8fb009dcSAndroid Build Coastguard Worker if (!RAND_bytes(ssl->s3->server_random + 4, SSL3_RANDOM_SIZE - 4)) {
1051*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1052*8fb009dcSAndroid Build Coastguard Worker }
1053*8fb009dcSAndroid Build Coastguard Worker if (hints && hs->hints_requested &&
1054*8fb009dcSAndroid Build Coastguard Worker !hints->server_random_tls12.CopyFrom(ssl->s3->server_random)) {
1055*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1056*8fb009dcSAndroid Build Coastguard Worker }
1057*8fb009dcSAndroid Build Coastguard Worker }
1058*8fb009dcSAndroid Build Coastguard Worker
1059*8fb009dcSAndroid Build Coastguard Worker // Implement the TLS 1.3 anti-downgrade feature.
1060*8fb009dcSAndroid Build Coastguard Worker if (ssl_supports_version(hs, TLS1_3_VERSION)) {
1061*8fb009dcSAndroid Build Coastguard Worker if (ssl_protocol_version(ssl) == TLS1_2_VERSION) {
1062*8fb009dcSAndroid Build Coastguard Worker if (hs->apply_jdk11_workaround) {
1063*8fb009dcSAndroid Build Coastguard Worker // JDK 11 implements the TLS 1.3 downgrade signal, so we cannot send it
1064*8fb009dcSAndroid Build Coastguard Worker // here. However, the signal is only effective if all TLS 1.2
1065*8fb009dcSAndroid Build Coastguard Worker // ServerHellos produced by the server are marked. Thus we send a
1066*8fb009dcSAndroid Build Coastguard Worker // different non-standard signal for the time being, until JDK 11.0.2 is
1067*8fb009dcSAndroid Build Coastguard Worker // released and clients have updated.
1068*8fb009dcSAndroid Build Coastguard Worker copy_suffix(ssl->s3->server_random, kJDK11DowngradeRandom);
1069*8fb009dcSAndroid Build Coastguard Worker } else {
1070*8fb009dcSAndroid Build Coastguard Worker copy_suffix(ssl->s3->server_random, kTLS13DowngradeRandom);
1071*8fb009dcSAndroid Build Coastguard Worker }
1072*8fb009dcSAndroid Build Coastguard Worker } else {
1073*8fb009dcSAndroid Build Coastguard Worker copy_suffix(ssl->s3->server_random, kTLS12DowngradeRandom);
1074*8fb009dcSAndroid Build Coastguard Worker }
1075*8fb009dcSAndroid Build Coastguard Worker }
1076*8fb009dcSAndroid Build Coastguard Worker
1077*8fb009dcSAndroid Build Coastguard Worker Span<const uint8_t> session_id;
1078*8fb009dcSAndroid Build Coastguard Worker if (ssl->session != nullptr) {
1079*8fb009dcSAndroid Build Coastguard Worker // Echo the session ID from the ClientHello to indicate resumption.
1080*8fb009dcSAndroid Build Coastguard Worker session_id = MakeConstSpan(hs->session_id, hs->session_id_len);
1081*8fb009dcSAndroid Build Coastguard Worker } else {
1082*8fb009dcSAndroid Build Coastguard Worker session_id = MakeConstSpan(hs->new_session->session_id,
1083*8fb009dcSAndroid Build Coastguard Worker hs->new_session->session_id_length);
1084*8fb009dcSAndroid Build Coastguard Worker }
1085*8fb009dcSAndroid Build Coastguard Worker
1086*8fb009dcSAndroid Build Coastguard Worker ScopedCBB cbb;
1087*8fb009dcSAndroid Build Coastguard Worker CBB body, session_id_bytes;
1088*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_SERVER_HELLO) ||
1089*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u16(&body, ssl->version) ||
1090*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
1091*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8_length_prefixed(&body, &session_id_bytes) ||
1092*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(&session_id_bytes, session_id.data(), session_id.size()) ||
1093*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
1094*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8(&body, 0 /* no compression */) ||
1095*8fb009dcSAndroid Build Coastguard Worker !ssl_add_serverhello_tlsext(hs, &body) ||
1096*8fb009dcSAndroid Build Coastguard Worker !ssl_add_message_cbb(ssl, cbb.get())) {
1097*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1098*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1099*8fb009dcSAndroid Build Coastguard Worker }
1100*8fb009dcSAndroid Build Coastguard Worker
1101*8fb009dcSAndroid Build Coastguard Worker if (ssl->session != nullptr) {
1102*8fb009dcSAndroid Build Coastguard Worker // No additional hints to generate in resumption.
1103*8fb009dcSAndroid Build Coastguard Worker if (hs->hints_requested) {
1104*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_hints_ready;
1105*8fb009dcSAndroid Build Coastguard Worker }
1106*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_send_server_finished;
1107*8fb009dcSAndroid Build Coastguard Worker } else {
1108*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_send_server_certificate;
1109*8fb009dcSAndroid Build Coastguard Worker }
1110*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1111*8fb009dcSAndroid Build Coastguard Worker }
1112*8fb009dcSAndroid Build Coastguard Worker
do_send_server_certificate(SSL_HANDSHAKE * hs)1113*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_send_server_certificate(SSL_HANDSHAKE *hs) {
1114*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1115*8fb009dcSAndroid Build Coastguard Worker ScopedCBB cbb;
1116*8fb009dcSAndroid Build Coastguard Worker
1117*8fb009dcSAndroid Build Coastguard Worker if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1118*8fb009dcSAndroid Build Coastguard Worker assert(hs->credential != nullptr);
1119*8fb009dcSAndroid Build Coastguard Worker if (!ssl_send_tls12_certificate(hs)) {
1120*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1121*8fb009dcSAndroid Build Coastguard Worker }
1122*8fb009dcSAndroid Build Coastguard Worker
1123*8fb009dcSAndroid Build Coastguard Worker if (hs->certificate_status_expected) {
1124*8fb009dcSAndroid Build Coastguard Worker CBB body, ocsp_response;
1125*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->init_message(ssl, cbb.get(), &body,
1126*8fb009dcSAndroid Build Coastguard Worker SSL3_MT_CERTIFICATE_STATUS) ||
1127*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8(&body, TLSEXT_STATUSTYPE_ocsp) ||
1128*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u24_length_prefixed(&body, &ocsp_response) ||
1129*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(
1130*8fb009dcSAndroid Build Coastguard Worker &ocsp_response,
1131*8fb009dcSAndroid Build Coastguard Worker CRYPTO_BUFFER_data(hs->credential->ocsp_response.get()),
1132*8fb009dcSAndroid Build Coastguard Worker CRYPTO_BUFFER_len(hs->credential->ocsp_response.get())) ||
1133*8fb009dcSAndroid Build Coastguard Worker !ssl_add_message_cbb(ssl, cbb.get())) {
1134*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1135*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1136*8fb009dcSAndroid Build Coastguard Worker }
1137*8fb009dcSAndroid Build Coastguard Worker }
1138*8fb009dcSAndroid Build Coastguard Worker }
1139*8fb009dcSAndroid Build Coastguard Worker
1140*8fb009dcSAndroid Build Coastguard Worker // Assemble ServerKeyExchange parameters if needed.
1141*8fb009dcSAndroid Build Coastguard Worker uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1142*8fb009dcSAndroid Build Coastguard Worker uint32_t alg_a = hs->new_cipher->algorithm_auth;
1143*8fb009dcSAndroid Build Coastguard Worker if (ssl_cipher_requires_server_key_exchange(hs->new_cipher) ||
1144*8fb009dcSAndroid Build Coastguard Worker ((alg_a & SSL_aPSK) && hs->config->psk_identity_hint)) {
1145*8fb009dcSAndroid Build Coastguard Worker // Pre-allocate enough room to comfortably fit an ECDHE public key. Prepend
1146*8fb009dcSAndroid Build Coastguard Worker // the client and server randoms for the signing transcript.
1147*8fb009dcSAndroid Build Coastguard Worker CBB child;
1148*8fb009dcSAndroid Build Coastguard Worker if (!CBB_init(cbb.get(), SSL3_RANDOM_SIZE * 2 + 128) ||
1149*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(cbb.get(), ssl->s3->client_random, SSL3_RANDOM_SIZE) ||
1150*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(cbb.get(), ssl->s3->server_random, SSL3_RANDOM_SIZE)) {
1151*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1152*8fb009dcSAndroid Build Coastguard Worker }
1153*8fb009dcSAndroid Build Coastguard Worker
1154*8fb009dcSAndroid Build Coastguard Worker // PSK ciphers begin with an identity hint.
1155*8fb009dcSAndroid Build Coastguard Worker if (alg_a & SSL_aPSK) {
1156*8fb009dcSAndroid Build Coastguard Worker size_t len = hs->config->psk_identity_hint == nullptr
1157*8fb009dcSAndroid Build Coastguard Worker ? 0
1158*8fb009dcSAndroid Build Coastguard Worker : strlen(hs->config->psk_identity_hint.get());
1159*8fb009dcSAndroid Build Coastguard Worker if (!CBB_add_u16_length_prefixed(cbb.get(), &child) ||
1160*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(&child,
1161*8fb009dcSAndroid Build Coastguard Worker (const uint8_t *)hs->config->psk_identity_hint.get(),
1162*8fb009dcSAndroid Build Coastguard Worker len)) {
1163*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1164*8fb009dcSAndroid Build Coastguard Worker }
1165*8fb009dcSAndroid Build Coastguard Worker }
1166*8fb009dcSAndroid Build Coastguard Worker
1167*8fb009dcSAndroid Build Coastguard Worker if (alg_k & SSL_kECDHE) {
1168*8fb009dcSAndroid Build Coastguard Worker assert(hs->new_session->group_id != 0);
1169*8fb009dcSAndroid Build Coastguard Worker hs->key_shares[0] = SSLKeyShare::Create(hs->new_session->group_id);
1170*8fb009dcSAndroid Build Coastguard Worker if (!hs->key_shares[0] ||
1171*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8(cbb.get(), NAMED_CURVE_TYPE) ||
1172*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u16(cbb.get(), hs->new_session->group_id) ||
1173*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8_length_prefixed(cbb.get(), &child)) {
1174*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1175*8fb009dcSAndroid Build Coastguard Worker }
1176*8fb009dcSAndroid Build Coastguard Worker
1177*8fb009dcSAndroid Build Coastguard Worker SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
1178*8fb009dcSAndroid Build Coastguard Worker bool hint_ok = false;
1179*8fb009dcSAndroid Build Coastguard Worker if (hints && !hs->hints_requested &&
1180*8fb009dcSAndroid Build Coastguard Worker hints->ecdhe_group_id == hs->new_session->group_id &&
1181*8fb009dcSAndroid Build Coastguard Worker !hints->ecdhe_public_key.empty() &&
1182*8fb009dcSAndroid Build Coastguard Worker !hints->ecdhe_private_key.empty()) {
1183*8fb009dcSAndroid Build Coastguard Worker CBS cbs = MakeConstSpan(hints->ecdhe_private_key);
1184*8fb009dcSAndroid Build Coastguard Worker hint_ok = hs->key_shares[0]->DeserializePrivateKey(&cbs);
1185*8fb009dcSAndroid Build Coastguard Worker }
1186*8fb009dcSAndroid Build Coastguard Worker if (hint_ok) {
1187*8fb009dcSAndroid Build Coastguard Worker // Reuse the ECDH key from handshake hints.
1188*8fb009dcSAndroid Build Coastguard Worker if (!CBB_add_bytes(&child, hints->ecdhe_public_key.data(),
1189*8fb009dcSAndroid Build Coastguard Worker hints->ecdhe_public_key.size())) {
1190*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1191*8fb009dcSAndroid Build Coastguard Worker }
1192*8fb009dcSAndroid Build Coastguard Worker } else {
1193*8fb009dcSAndroid Build Coastguard Worker // Generate a key, and emit the public half.
1194*8fb009dcSAndroid Build Coastguard Worker if (!hs->key_shares[0]->Generate(&child)) {
1195*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1196*8fb009dcSAndroid Build Coastguard Worker }
1197*8fb009dcSAndroid Build Coastguard Worker // If generating hints, save the ECDHE key.
1198*8fb009dcSAndroid Build Coastguard Worker if (hints && hs->hints_requested) {
1199*8fb009dcSAndroid Build Coastguard Worker bssl::ScopedCBB private_key_cbb;
1200*8fb009dcSAndroid Build Coastguard Worker if (!hints->ecdhe_public_key.CopyFrom(
1201*8fb009dcSAndroid Build Coastguard Worker MakeConstSpan(CBB_data(&child), CBB_len(&child))) ||
1202*8fb009dcSAndroid Build Coastguard Worker !CBB_init(private_key_cbb.get(), 32) ||
1203*8fb009dcSAndroid Build Coastguard Worker !hs->key_shares[0]->SerializePrivateKey(private_key_cbb.get()) ||
1204*8fb009dcSAndroid Build Coastguard Worker !CBBFinishArray(private_key_cbb.get(),
1205*8fb009dcSAndroid Build Coastguard Worker &hints->ecdhe_private_key)) {
1206*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1207*8fb009dcSAndroid Build Coastguard Worker }
1208*8fb009dcSAndroid Build Coastguard Worker hints->ecdhe_group_id = hs->new_session->group_id;
1209*8fb009dcSAndroid Build Coastguard Worker }
1210*8fb009dcSAndroid Build Coastguard Worker }
1211*8fb009dcSAndroid Build Coastguard Worker } else {
1212*8fb009dcSAndroid Build Coastguard Worker assert(alg_k & SSL_kPSK);
1213*8fb009dcSAndroid Build Coastguard Worker }
1214*8fb009dcSAndroid Build Coastguard Worker
1215*8fb009dcSAndroid Build Coastguard Worker if (!CBBFinishArray(cbb.get(), &hs->server_params)) {
1216*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1217*8fb009dcSAndroid Build Coastguard Worker }
1218*8fb009dcSAndroid Build Coastguard Worker }
1219*8fb009dcSAndroid Build Coastguard Worker
1220*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_send_server_key_exchange;
1221*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1222*8fb009dcSAndroid Build Coastguard Worker }
1223*8fb009dcSAndroid Build Coastguard Worker
do_send_server_key_exchange(SSL_HANDSHAKE * hs)1224*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_send_server_key_exchange(SSL_HANDSHAKE *hs) {
1225*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1226*8fb009dcSAndroid Build Coastguard Worker
1227*8fb009dcSAndroid Build Coastguard Worker if (hs->server_params.size() == 0) {
1228*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_send_server_hello_done;
1229*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1230*8fb009dcSAndroid Build Coastguard Worker }
1231*8fb009dcSAndroid Build Coastguard Worker
1232*8fb009dcSAndroid Build Coastguard Worker ScopedCBB cbb;
1233*8fb009dcSAndroid Build Coastguard Worker CBB body, child;
1234*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->init_message(ssl, cbb.get(), &body,
1235*8fb009dcSAndroid Build Coastguard Worker SSL3_MT_SERVER_KEY_EXCHANGE) ||
1236*8fb009dcSAndroid Build Coastguard Worker // |hs->server_params| contains a prefix for signing.
1237*8fb009dcSAndroid Build Coastguard Worker hs->server_params.size() < 2 * SSL3_RANDOM_SIZE ||
1238*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(&body, hs->server_params.data() + 2 * SSL3_RANDOM_SIZE,
1239*8fb009dcSAndroid Build Coastguard Worker hs->server_params.size() - 2 * SSL3_RANDOM_SIZE)) {
1240*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1241*8fb009dcSAndroid Build Coastguard Worker }
1242*8fb009dcSAndroid Build Coastguard Worker
1243*8fb009dcSAndroid Build Coastguard Worker // Add a signature.
1244*8fb009dcSAndroid Build Coastguard Worker if (ssl_cipher_uses_certificate_auth(hs->new_cipher)) {
1245*8fb009dcSAndroid Build Coastguard Worker // Determine the signature algorithm.
1246*8fb009dcSAndroid Build Coastguard Worker uint16_t signature_algorithm;
1247*8fb009dcSAndroid Build Coastguard Worker if (!tls1_choose_signature_algorithm(hs, hs->credential.get(),
1248*8fb009dcSAndroid Build Coastguard Worker &signature_algorithm)) {
1249*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1250*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1251*8fb009dcSAndroid Build Coastguard Worker }
1252*8fb009dcSAndroid Build Coastguard Worker if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1253*8fb009dcSAndroid Build Coastguard Worker if (!CBB_add_u16(&body, signature_algorithm)) {
1254*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1255*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1256*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1257*8fb009dcSAndroid Build Coastguard Worker }
1258*8fb009dcSAndroid Build Coastguard Worker }
1259*8fb009dcSAndroid Build Coastguard Worker
1260*8fb009dcSAndroid Build Coastguard Worker // Add space for the signature.
1261*8fb009dcSAndroid Build Coastguard Worker const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get());
1262*8fb009dcSAndroid Build Coastguard Worker uint8_t *ptr;
1263*8fb009dcSAndroid Build Coastguard Worker if (!CBB_add_u16_length_prefixed(&body, &child) ||
1264*8fb009dcSAndroid Build Coastguard Worker !CBB_reserve(&child, &ptr, max_sig_len)) {
1265*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1266*8fb009dcSAndroid Build Coastguard Worker }
1267*8fb009dcSAndroid Build Coastguard Worker
1268*8fb009dcSAndroid Build Coastguard Worker size_t sig_len;
1269*8fb009dcSAndroid Build Coastguard Worker switch (ssl_private_key_sign(hs, ptr, &sig_len, max_sig_len,
1270*8fb009dcSAndroid Build Coastguard Worker signature_algorithm, hs->server_params)) {
1271*8fb009dcSAndroid Build Coastguard Worker case ssl_private_key_success:
1272*8fb009dcSAndroid Build Coastguard Worker if (!CBB_did_write(&child, sig_len)) {
1273*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1274*8fb009dcSAndroid Build Coastguard Worker }
1275*8fb009dcSAndroid Build Coastguard Worker break;
1276*8fb009dcSAndroid Build Coastguard Worker case ssl_private_key_failure:
1277*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1278*8fb009dcSAndroid Build Coastguard Worker case ssl_private_key_retry:
1279*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_private_key_operation;
1280*8fb009dcSAndroid Build Coastguard Worker }
1281*8fb009dcSAndroid Build Coastguard Worker }
1282*8fb009dcSAndroid Build Coastguard Worker
1283*8fb009dcSAndroid Build Coastguard Worker hs->can_release_private_key = true;
1284*8fb009dcSAndroid Build Coastguard Worker if (!ssl_add_message_cbb(ssl, cbb.get())) {
1285*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1286*8fb009dcSAndroid Build Coastguard Worker }
1287*8fb009dcSAndroid Build Coastguard Worker
1288*8fb009dcSAndroid Build Coastguard Worker hs->server_params.Reset();
1289*8fb009dcSAndroid Build Coastguard Worker
1290*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_send_server_hello_done;
1291*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1292*8fb009dcSAndroid Build Coastguard Worker }
1293*8fb009dcSAndroid Build Coastguard Worker
do_send_server_hello_done(SSL_HANDSHAKE * hs)1294*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_send_server_hello_done(SSL_HANDSHAKE *hs) {
1295*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1296*8fb009dcSAndroid Build Coastguard Worker if (hs->hints_requested) {
1297*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_hints_ready;
1298*8fb009dcSAndroid Build Coastguard Worker }
1299*8fb009dcSAndroid Build Coastguard Worker
1300*8fb009dcSAndroid Build Coastguard Worker ScopedCBB cbb;
1301*8fb009dcSAndroid Build Coastguard Worker CBB body;
1302*8fb009dcSAndroid Build Coastguard Worker
1303*8fb009dcSAndroid Build Coastguard Worker if (hs->cert_request) {
1304*8fb009dcSAndroid Build Coastguard Worker CBB cert_types, sigalgs_cbb;
1305*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->init_message(ssl, cbb.get(), &body,
1306*8fb009dcSAndroid Build Coastguard Worker SSL3_MT_CERTIFICATE_REQUEST) ||
1307*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8_length_prefixed(&body, &cert_types) ||
1308*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8(&cert_types, SSL3_CT_RSA_SIGN) ||
1309*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u8(&cert_types, TLS_CT_ECDSA_SIGN) ||
1310*8fb009dcSAndroid Build Coastguard Worker (ssl_protocol_version(ssl) >= TLS1_2_VERSION &&
1311*8fb009dcSAndroid Build Coastguard Worker (!CBB_add_u16_length_prefixed(&body, &sigalgs_cbb) ||
1312*8fb009dcSAndroid Build Coastguard Worker !tls12_add_verify_sigalgs(hs, &sigalgs_cbb))) ||
1313*8fb009dcSAndroid Build Coastguard Worker !ssl_add_client_CA_list(hs, &body) ||
1314*8fb009dcSAndroid Build Coastguard Worker !ssl_add_message_cbb(ssl, cbb.get())) {
1315*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1316*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1317*8fb009dcSAndroid Build Coastguard Worker }
1318*8fb009dcSAndroid Build Coastguard Worker }
1319*8fb009dcSAndroid Build Coastguard Worker
1320*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->init_message(ssl, cbb.get(), &body,
1321*8fb009dcSAndroid Build Coastguard Worker SSL3_MT_SERVER_HELLO_DONE) ||
1322*8fb009dcSAndroid Build Coastguard Worker !ssl_add_message_cbb(ssl, cbb.get())) {
1323*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1324*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1325*8fb009dcSAndroid Build Coastguard Worker }
1326*8fb009dcSAndroid Build Coastguard Worker
1327*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_certificate;
1328*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_flush;
1329*8fb009dcSAndroid Build Coastguard Worker }
1330*8fb009dcSAndroid Build Coastguard Worker
do_read_client_certificate(SSL_HANDSHAKE * hs)1331*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_client_certificate(SSL_HANDSHAKE *hs) {
1332*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1333*8fb009dcSAndroid Build Coastguard Worker
1334*8fb009dcSAndroid Build Coastguard Worker if (hs->handback && hs->new_cipher->algorithm_mkey == SSL_kECDHE) {
1335*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_handback;
1336*8fb009dcSAndroid Build Coastguard Worker }
1337*8fb009dcSAndroid Build Coastguard Worker if (!hs->cert_request) {
1338*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_verify_client_certificate;
1339*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1340*8fb009dcSAndroid Build Coastguard Worker }
1341*8fb009dcSAndroid Build Coastguard Worker
1342*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg;
1343*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->get_message(ssl, &msg)) {
1344*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_read_message;
1345*8fb009dcSAndroid Build Coastguard Worker }
1346*8fb009dcSAndroid Build Coastguard Worker
1347*8fb009dcSAndroid Build Coastguard Worker if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE)) {
1348*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1349*8fb009dcSAndroid Build Coastguard Worker }
1350*8fb009dcSAndroid Build Coastguard Worker
1351*8fb009dcSAndroid Build Coastguard Worker if (!ssl_hash_message(hs, msg)) {
1352*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1353*8fb009dcSAndroid Build Coastguard Worker }
1354*8fb009dcSAndroid Build Coastguard Worker
1355*8fb009dcSAndroid Build Coastguard Worker CBS certificate_msg = msg.body;
1356*8fb009dcSAndroid Build Coastguard Worker uint8_t alert = SSL_AD_DECODE_ERROR;
1357*8fb009dcSAndroid Build Coastguard Worker if (!ssl_parse_cert_chain(&alert, &hs->new_session->certs, &hs->peer_pubkey,
1358*8fb009dcSAndroid Build Coastguard Worker hs->config->retain_only_sha256_of_client_certs
1359*8fb009dcSAndroid Build Coastguard Worker ? hs->new_session->peer_sha256
1360*8fb009dcSAndroid Build Coastguard Worker : nullptr,
1361*8fb009dcSAndroid Build Coastguard Worker &certificate_msg, ssl->ctx->pool)) {
1362*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1363*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1364*8fb009dcSAndroid Build Coastguard Worker }
1365*8fb009dcSAndroid Build Coastguard Worker
1366*8fb009dcSAndroid Build Coastguard Worker if (CBS_len(&certificate_msg) != 0 ||
1367*8fb009dcSAndroid Build Coastguard Worker !ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
1368*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1369*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1370*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1371*8fb009dcSAndroid Build Coastguard Worker }
1372*8fb009dcSAndroid Build Coastguard Worker
1373*8fb009dcSAndroid Build Coastguard Worker if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
1374*8fb009dcSAndroid Build Coastguard Worker // No client certificate so the handshake buffer may be discarded.
1375*8fb009dcSAndroid Build Coastguard Worker hs->transcript.FreeBuffer();
1376*8fb009dcSAndroid Build Coastguard Worker
1377*8fb009dcSAndroid Build Coastguard Worker if (hs->config->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
1378*8fb009dcSAndroid Build Coastguard Worker // Fail for TLS only if we required a certificate
1379*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
1380*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1381*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1382*8fb009dcSAndroid Build Coastguard Worker }
1383*8fb009dcSAndroid Build Coastguard Worker
1384*8fb009dcSAndroid Build Coastguard Worker // OpenSSL returns X509_V_OK when no certificates are received. This is
1385*8fb009dcSAndroid Build Coastguard Worker // classed by them as a bug, but it's assumed by at least NGINX.
1386*8fb009dcSAndroid Build Coastguard Worker hs->new_session->verify_result = X509_V_OK;
1387*8fb009dcSAndroid Build Coastguard Worker } else if (hs->config->retain_only_sha256_of_client_certs) {
1388*8fb009dcSAndroid Build Coastguard Worker // The hash will have been filled in.
1389*8fb009dcSAndroid Build Coastguard Worker hs->new_session->peer_sha256_valid = true;
1390*8fb009dcSAndroid Build Coastguard Worker }
1391*8fb009dcSAndroid Build Coastguard Worker
1392*8fb009dcSAndroid Build Coastguard Worker ssl->method->next_message(ssl);
1393*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_verify_client_certificate;
1394*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1395*8fb009dcSAndroid Build Coastguard Worker }
1396*8fb009dcSAndroid Build Coastguard Worker
do_verify_client_certificate(SSL_HANDSHAKE * hs)1397*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_verify_client_certificate(SSL_HANDSHAKE *hs) {
1398*8fb009dcSAndroid Build Coastguard Worker if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) > 0) {
1399*8fb009dcSAndroid Build Coastguard Worker switch (ssl_verify_peer_cert(hs)) {
1400*8fb009dcSAndroid Build Coastguard Worker case ssl_verify_ok:
1401*8fb009dcSAndroid Build Coastguard Worker break;
1402*8fb009dcSAndroid Build Coastguard Worker case ssl_verify_invalid:
1403*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1404*8fb009dcSAndroid Build Coastguard Worker case ssl_verify_retry:
1405*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_certificate_verify;
1406*8fb009dcSAndroid Build Coastguard Worker }
1407*8fb009dcSAndroid Build Coastguard Worker }
1408*8fb009dcSAndroid Build Coastguard Worker
1409*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_key_exchange;
1410*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1411*8fb009dcSAndroid Build Coastguard Worker }
1412*8fb009dcSAndroid Build Coastguard Worker
do_read_client_key_exchange(SSL_HANDSHAKE * hs)1413*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_client_key_exchange(SSL_HANDSHAKE *hs) {
1414*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1415*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg;
1416*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->get_message(ssl, &msg)) {
1417*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_read_message;
1418*8fb009dcSAndroid Build Coastguard Worker }
1419*8fb009dcSAndroid Build Coastguard Worker
1420*8fb009dcSAndroid Build Coastguard Worker if (!ssl_check_message_type(ssl, msg, SSL3_MT_CLIENT_KEY_EXCHANGE)) {
1421*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1422*8fb009dcSAndroid Build Coastguard Worker }
1423*8fb009dcSAndroid Build Coastguard Worker
1424*8fb009dcSAndroid Build Coastguard Worker CBS client_key_exchange = msg.body;
1425*8fb009dcSAndroid Build Coastguard Worker uint32_t alg_k = hs->new_cipher->algorithm_mkey;
1426*8fb009dcSAndroid Build Coastguard Worker uint32_t alg_a = hs->new_cipher->algorithm_auth;
1427*8fb009dcSAndroid Build Coastguard Worker
1428*8fb009dcSAndroid Build Coastguard Worker // If using a PSK key exchange, parse the PSK identity.
1429*8fb009dcSAndroid Build Coastguard Worker if (alg_a & SSL_aPSK) {
1430*8fb009dcSAndroid Build Coastguard Worker CBS psk_identity;
1431*8fb009dcSAndroid Build Coastguard Worker
1432*8fb009dcSAndroid Build Coastguard Worker // If using PSK, the ClientKeyExchange contains a psk_identity. If PSK,
1433*8fb009dcSAndroid Build Coastguard Worker // then this is the only field in the message.
1434*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16_length_prefixed(&client_key_exchange, &psk_identity) ||
1435*8fb009dcSAndroid Build Coastguard Worker ((alg_k & SSL_kPSK) && CBS_len(&client_key_exchange) != 0)) {
1436*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1437*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1438*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1439*8fb009dcSAndroid Build Coastguard Worker }
1440*8fb009dcSAndroid Build Coastguard Worker
1441*8fb009dcSAndroid Build Coastguard Worker if (CBS_len(&psk_identity) > PSK_MAX_IDENTITY_LEN ||
1442*8fb009dcSAndroid Build Coastguard Worker CBS_contains_zero_byte(&psk_identity)) {
1443*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DATA_LENGTH_TOO_LONG);
1444*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
1445*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1446*8fb009dcSAndroid Build Coastguard Worker }
1447*8fb009dcSAndroid Build Coastguard Worker char *raw = nullptr;
1448*8fb009dcSAndroid Build Coastguard Worker if (!CBS_strdup(&psk_identity, &raw)) {
1449*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1450*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1451*8fb009dcSAndroid Build Coastguard Worker }
1452*8fb009dcSAndroid Build Coastguard Worker hs->new_session->psk_identity.reset(raw);
1453*8fb009dcSAndroid Build Coastguard Worker }
1454*8fb009dcSAndroid Build Coastguard Worker
1455*8fb009dcSAndroid Build Coastguard Worker // Depending on the key exchange method, compute |premaster_secret|.
1456*8fb009dcSAndroid Build Coastguard Worker Array<uint8_t> premaster_secret;
1457*8fb009dcSAndroid Build Coastguard Worker if (alg_k & SSL_kRSA) {
1458*8fb009dcSAndroid Build Coastguard Worker CBS encrypted_premaster_secret;
1459*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16_length_prefixed(&client_key_exchange,
1460*8fb009dcSAndroid Build Coastguard Worker &encrypted_premaster_secret) ||
1461*8fb009dcSAndroid Build Coastguard Worker CBS_len(&client_key_exchange) != 0) {
1462*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1463*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1464*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1465*8fb009dcSAndroid Build Coastguard Worker }
1466*8fb009dcSAndroid Build Coastguard Worker
1467*8fb009dcSAndroid Build Coastguard Worker // Allocate a buffer large enough for an RSA decryption.
1468*8fb009dcSAndroid Build Coastguard Worker Array<uint8_t> decrypt_buf;
1469*8fb009dcSAndroid Build Coastguard Worker if (!decrypt_buf.Init(EVP_PKEY_size(hs->credential->pubkey.get()))) {
1470*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1471*8fb009dcSAndroid Build Coastguard Worker }
1472*8fb009dcSAndroid Build Coastguard Worker
1473*8fb009dcSAndroid Build Coastguard Worker // Decrypt with no padding. PKCS#1 padding will be removed as part of the
1474*8fb009dcSAndroid Build Coastguard Worker // timing-sensitive code below.
1475*8fb009dcSAndroid Build Coastguard Worker size_t decrypt_len;
1476*8fb009dcSAndroid Build Coastguard Worker switch (ssl_private_key_decrypt(hs, decrypt_buf.data(), &decrypt_len,
1477*8fb009dcSAndroid Build Coastguard Worker decrypt_buf.size(),
1478*8fb009dcSAndroid Build Coastguard Worker encrypted_premaster_secret)) {
1479*8fb009dcSAndroid Build Coastguard Worker case ssl_private_key_success:
1480*8fb009dcSAndroid Build Coastguard Worker break;
1481*8fb009dcSAndroid Build Coastguard Worker case ssl_private_key_failure:
1482*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1483*8fb009dcSAndroid Build Coastguard Worker case ssl_private_key_retry:
1484*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_private_key_operation;
1485*8fb009dcSAndroid Build Coastguard Worker }
1486*8fb009dcSAndroid Build Coastguard Worker
1487*8fb009dcSAndroid Build Coastguard Worker if (decrypt_len != decrypt_buf.size()) {
1488*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1489*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1490*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1491*8fb009dcSAndroid Build Coastguard Worker }
1492*8fb009dcSAndroid Build Coastguard Worker
1493*8fb009dcSAndroid Build Coastguard Worker CONSTTIME_SECRET(decrypt_buf.data(), decrypt_len);
1494*8fb009dcSAndroid Build Coastguard Worker
1495*8fb009dcSAndroid Build Coastguard Worker // Prepare a random premaster, to be used on invalid padding. See RFC 5246,
1496*8fb009dcSAndroid Build Coastguard Worker // section 7.4.7.1.
1497*8fb009dcSAndroid Build Coastguard Worker if (!premaster_secret.Init(SSL_MAX_MASTER_KEY_LENGTH) ||
1498*8fb009dcSAndroid Build Coastguard Worker !RAND_bytes(premaster_secret.data(), premaster_secret.size())) {
1499*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1500*8fb009dcSAndroid Build Coastguard Worker }
1501*8fb009dcSAndroid Build Coastguard Worker
1502*8fb009dcSAndroid Build Coastguard Worker // The smallest padded premaster is 11 bytes of overhead. Small keys are
1503*8fb009dcSAndroid Build Coastguard Worker // publicly invalid.
1504*8fb009dcSAndroid Build Coastguard Worker if (decrypt_len < 11 + premaster_secret.size()) {
1505*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECRYPTION_FAILED);
1506*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1507*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1508*8fb009dcSAndroid Build Coastguard Worker }
1509*8fb009dcSAndroid Build Coastguard Worker
1510*8fb009dcSAndroid Build Coastguard Worker // Check the padding. See RFC 3447, section 7.2.2.
1511*8fb009dcSAndroid Build Coastguard Worker size_t padding_len = decrypt_len - premaster_secret.size();
1512*8fb009dcSAndroid Build Coastguard Worker uint8_t good = constant_time_eq_int_8(decrypt_buf[0], 0) &
1513*8fb009dcSAndroid Build Coastguard Worker constant_time_eq_int_8(decrypt_buf[1], 2);
1514*8fb009dcSAndroid Build Coastguard Worker for (size_t i = 2; i < padding_len - 1; i++) {
1515*8fb009dcSAndroid Build Coastguard Worker good &= ~constant_time_is_zero_8(decrypt_buf[i]);
1516*8fb009dcSAndroid Build Coastguard Worker }
1517*8fb009dcSAndroid Build Coastguard Worker good &= constant_time_is_zero_8(decrypt_buf[padding_len - 1]);
1518*8fb009dcSAndroid Build Coastguard Worker
1519*8fb009dcSAndroid Build Coastguard Worker // The premaster secret must begin with |client_version|. This too must be
1520*8fb009dcSAndroid Build Coastguard Worker // checked in constant time (http://eprint.iacr.org/2003/052/).
1521*8fb009dcSAndroid Build Coastguard Worker good &= constant_time_eq_8(decrypt_buf[padding_len],
1522*8fb009dcSAndroid Build Coastguard Worker (unsigned)(hs->client_version >> 8));
1523*8fb009dcSAndroid Build Coastguard Worker good &= constant_time_eq_8(decrypt_buf[padding_len + 1],
1524*8fb009dcSAndroid Build Coastguard Worker (unsigned)(hs->client_version & 0xff));
1525*8fb009dcSAndroid Build Coastguard Worker
1526*8fb009dcSAndroid Build Coastguard Worker // Select, in constant time, either the decrypted premaster or the random
1527*8fb009dcSAndroid Build Coastguard Worker // premaster based on |good|.
1528*8fb009dcSAndroid Build Coastguard Worker for (size_t i = 0; i < premaster_secret.size(); i++) {
1529*8fb009dcSAndroid Build Coastguard Worker premaster_secret[i] = constant_time_select_8(
1530*8fb009dcSAndroid Build Coastguard Worker good, decrypt_buf[padding_len + i], premaster_secret[i]);
1531*8fb009dcSAndroid Build Coastguard Worker }
1532*8fb009dcSAndroid Build Coastguard Worker } else if (alg_k & SSL_kECDHE) {
1533*8fb009dcSAndroid Build Coastguard Worker // Parse the ClientKeyExchange.
1534*8fb009dcSAndroid Build Coastguard Worker CBS ciphertext;
1535*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u8_length_prefixed(&client_key_exchange, &ciphertext) ||
1536*8fb009dcSAndroid Build Coastguard Worker CBS_len(&client_key_exchange) != 0) {
1537*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1538*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1539*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1540*8fb009dcSAndroid Build Coastguard Worker }
1541*8fb009dcSAndroid Build Coastguard Worker
1542*8fb009dcSAndroid Build Coastguard Worker // Decapsulate the premaster secret.
1543*8fb009dcSAndroid Build Coastguard Worker uint8_t alert = SSL_AD_DECODE_ERROR;
1544*8fb009dcSAndroid Build Coastguard Worker if (!hs->key_shares[0]->Decap(&premaster_secret, &alert, ciphertext)) {
1545*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1546*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1547*8fb009dcSAndroid Build Coastguard Worker }
1548*8fb009dcSAndroid Build Coastguard Worker
1549*8fb009dcSAndroid Build Coastguard Worker // The key exchange state may now be discarded.
1550*8fb009dcSAndroid Build Coastguard Worker hs->key_shares[0].reset();
1551*8fb009dcSAndroid Build Coastguard Worker hs->key_shares[1].reset();
1552*8fb009dcSAndroid Build Coastguard Worker } else if (!(alg_k & SSL_kPSK)) {
1553*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1554*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
1555*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1556*8fb009dcSAndroid Build Coastguard Worker }
1557*8fb009dcSAndroid Build Coastguard Worker
1558*8fb009dcSAndroid Build Coastguard Worker // For a PSK cipher suite, the actual pre-master secret is combined with the
1559*8fb009dcSAndroid Build Coastguard Worker // pre-shared key.
1560*8fb009dcSAndroid Build Coastguard Worker if (alg_a & SSL_aPSK) {
1561*8fb009dcSAndroid Build Coastguard Worker if (hs->config->psk_server_callback == NULL) {
1562*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1563*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1564*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1565*8fb009dcSAndroid Build Coastguard Worker }
1566*8fb009dcSAndroid Build Coastguard Worker
1567*8fb009dcSAndroid Build Coastguard Worker // Look up the key for the identity.
1568*8fb009dcSAndroid Build Coastguard Worker uint8_t psk[PSK_MAX_PSK_LEN];
1569*8fb009dcSAndroid Build Coastguard Worker unsigned psk_len = hs->config->psk_server_callback(
1570*8fb009dcSAndroid Build Coastguard Worker ssl, hs->new_session->psk_identity.get(), psk, sizeof(psk));
1571*8fb009dcSAndroid Build Coastguard Worker if (psk_len > PSK_MAX_PSK_LEN) {
1572*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
1573*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
1574*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1575*8fb009dcSAndroid Build Coastguard Worker } else if (psk_len == 0) {
1576*8fb009dcSAndroid Build Coastguard Worker // PSK related to the given identity not found.
1577*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND);
1578*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNKNOWN_PSK_IDENTITY);
1579*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1580*8fb009dcSAndroid Build Coastguard Worker }
1581*8fb009dcSAndroid Build Coastguard Worker
1582*8fb009dcSAndroid Build Coastguard Worker if (alg_k & SSL_kPSK) {
1583*8fb009dcSAndroid Build Coastguard Worker // In plain PSK, other_secret is a block of 0s with the same length as the
1584*8fb009dcSAndroid Build Coastguard Worker // pre-shared key.
1585*8fb009dcSAndroid Build Coastguard Worker if (!premaster_secret.Init(psk_len)) {
1586*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1587*8fb009dcSAndroid Build Coastguard Worker }
1588*8fb009dcSAndroid Build Coastguard Worker OPENSSL_memset(premaster_secret.data(), 0, premaster_secret.size());
1589*8fb009dcSAndroid Build Coastguard Worker }
1590*8fb009dcSAndroid Build Coastguard Worker
1591*8fb009dcSAndroid Build Coastguard Worker ScopedCBB new_premaster;
1592*8fb009dcSAndroid Build Coastguard Worker CBB child;
1593*8fb009dcSAndroid Build Coastguard Worker if (!CBB_init(new_premaster.get(),
1594*8fb009dcSAndroid Build Coastguard Worker 2 + psk_len + 2 + premaster_secret.size()) ||
1595*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||
1596*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(&child, premaster_secret.data(),
1597*8fb009dcSAndroid Build Coastguard Worker premaster_secret.size()) ||
1598*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u16_length_prefixed(new_premaster.get(), &child) ||
1599*8fb009dcSAndroid Build Coastguard Worker !CBB_add_bytes(&child, psk, psk_len) ||
1600*8fb009dcSAndroid Build Coastguard Worker !CBBFinishArray(new_premaster.get(), &premaster_secret)) {
1601*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1602*8fb009dcSAndroid Build Coastguard Worker }
1603*8fb009dcSAndroid Build Coastguard Worker }
1604*8fb009dcSAndroid Build Coastguard Worker
1605*8fb009dcSAndroid Build Coastguard Worker if (!ssl_hash_message(hs, msg)) {
1606*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1607*8fb009dcSAndroid Build Coastguard Worker }
1608*8fb009dcSAndroid Build Coastguard Worker
1609*8fb009dcSAndroid Build Coastguard Worker // Compute the master secret.
1610*8fb009dcSAndroid Build Coastguard Worker hs->new_session->secret_length = tls1_generate_master_secret(
1611*8fb009dcSAndroid Build Coastguard Worker hs, hs->new_session->secret, premaster_secret);
1612*8fb009dcSAndroid Build Coastguard Worker if (hs->new_session->secret_length == 0) {
1613*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1614*8fb009dcSAndroid Build Coastguard Worker }
1615*8fb009dcSAndroid Build Coastguard Worker hs->new_session->extended_master_secret = hs->extended_master_secret;
1616*8fb009dcSAndroid Build Coastguard Worker CONSTTIME_DECLASSIFY(hs->new_session->secret, hs->new_session->secret_length);
1617*8fb009dcSAndroid Build Coastguard Worker hs->can_release_private_key = true;
1618*8fb009dcSAndroid Build Coastguard Worker
1619*8fb009dcSAndroid Build Coastguard Worker ssl->method->next_message(ssl);
1620*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_certificate_verify;
1621*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1622*8fb009dcSAndroid Build Coastguard Worker }
1623*8fb009dcSAndroid Build Coastguard Worker
do_read_client_certificate_verify(SSL_HANDSHAKE * hs)1624*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_client_certificate_verify(SSL_HANDSHAKE *hs) {
1625*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1626*8fb009dcSAndroid Build Coastguard Worker
1627*8fb009dcSAndroid Build Coastguard Worker // Only RSA and ECDSA client certificates are supported, so a
1628*8fb009dcSAndroid Build Coastguard Worker // CertificateVerify is required if and only if there's a client certificate.
1629*8fb009dcSAndroid Build Coastguard Worker if (!hs->peer_pubkey) {
1630*8fb009dcSAndroid Build Coastguard Worker hs->transcript.FreeBuffer();
1631*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_change_cipher_spec;
1632*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1633*8fb009dcSAndroid Build Coastguard Worker }
1634*8fb009dcSAndroid Build Coastguard Worker
1635*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg;
1636*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->get_message(ssl, &msg)) {
1637*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_read_message;
1638*8fb009dcSAndroid Build Coastguard Worker }
1639*8fb009dcSAndroid Build Coastguard Worker
1640*8fb009dcSAndroid Build Coastguard Worker if (!ssl_check_message_type(ssl, msg, SSL3_MT_CERTIFICATE_VERIFY)) {
1641*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1642*8fb009dcSAndroid Build Coastguard Worker }
1643*8fb009dcSAndroid Build Coastguard Worker
1644*8fb009dcSAndroid Build Coastguard Worker // The peer certificate must be valid for signing.
1645*8fb009dcSAndroid Build Coastguard Worker const CRYPTO_BUFFER *leaf =
1646*8fb009dcSAndroid Build Coastguard Worker sk_CRYPTO_BUFFER_value(hs->new_session->certs.get(), 0);
1647*8fb009dcSAndroid Build Coastguard Worker CBS leaf_cbs;
1648*8fb009dcSAndroid Build Coastguard Worker CRYPTO_BUFFER_init_CBS(leaf, &leaf_cbs);
1649*8fb009dcSAndroid Build Coastguard Worker if (!ssl_cert_check_key_usage(&leaf_cbs, key_usage_digital_signature)) {
1650*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1651*8fb009dcSAndroid Build Coastguard Worker }
1652*8fb009dcSAndroid Build Coastguard Worker
1653*8fb009dcSAndroid Build Coastguard Worker CBS certificate_verify = msg.body, signature;
1654*8fb009dcSAndroid Build Coastguard Worker
1655*8fb009dcSAndroid Build Coastguard Worker // Determine the signature algorithm.
1656*8fb009dcSAndroid Build Coastguard Worker uint16_t signature_algorithm = 0;
1657*8fb009dcSAndroid Build Coastguard Worker if (ssl_protocol_version(ssl) >= TLS1_2_VERSION) {
1658*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16(&certificate_verify, &signature_algorithm)) {
1659*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1660*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1661*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1662*8fb009dcSAndroid Build Coastguard Worker }
1663*8fb009dcSAndroid Build Coastguard Worker uint8_t alert = SSL_AD_DECODE_ERROR;
1664*8fb009dcSAndroid Build Coastguard Worker if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
1665*8fb009dcSAndroid Build Coastguard Worker hs->peer_pubkey.get())) {
1666*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
1667*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1668*8fb009dcSAndroid Build Coastguard Worker }
1669*8fb009dcSAndroid Build Coastguard Worker hs->new_session->peer_signature_algorithm = signature_algorithm;
1670*8fb009dcSAndroid Build Coastguard Worker } else if (!tls1_get_legacy_signature_algorithm(&signature_algorithm,
1671*8fb009dcSAndroid Build Coastguard Worker hs->peer_pubkey.get())) {
1672*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_ERROR_UNSUPPORTED_CERTIFICATE_TYPE);
1673*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNSUPPORTED_CERTIFICATE);
1674*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1675*8fb009dcSAndroid Build Coastguard Worker }
1676*8fb009dcSAndroid Build Coastguard Worker
1677*8fb009dcSAndroid Build Coastguard Worker // Parse and verify the signature.
1678*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u16_length_prefixed(&certificate_verify, &signature) ||
1679*8fb009dcSAndroid Build Coastguard Worker CBS_len(&certificate_verify) != 0) {
1680*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1681*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1682*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1683*8fb009dcSAndroid Build Coastguard Worker }
1684*8fb009dcSAndroid Build Coastguard Worker
1685*8fb009dcSAndroid Build Coastguard Worker if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
1686*8fb009dcSAndroid Build Coastguard Worker hs->peer_pubkey.get(), hs->transcript.buffer())) {
1687*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
1688*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
1689*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1690*8fb009dcSAndroid Build Coastguard Worker }
1691*8fb009dcSAndroid Build Coastguard Worker
1692*8fb009dcSAndroid Build Coastguard Worker // The handshake buffer is no longer necessary, and we may hash the current
1693*8fb009dcSAndroid Build Coastguard Worker // message.
1694*8fb009dcSAndroid Build Coastguard Worker hs->transcript.FreeBuffer();
1695*8fb009dcSAndroid Build Coastguard Worker if (!ssl_hash_message(hs, msg)) {
1696*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1697*8fb009dcSAndroid Build Coastguard Worker }
1698*8fb009dcSAndroid Build Coastguard Worker
1699*8fb009dcSAndroid Build Coastguard Worker ssl->method->next_message(ssl);
1700*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_change_cipher_spec;
1701*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1702*8fb009dcSAndroid Build Coastguard Worker }
1703*8fb009dcSAndroid Build Coastguard Worker
do_read_change_cipher_spec(SSL_HANDSHAKE * hs)1704*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_change_cipher_spec(SSL_HANDSHAKE *hs) {
1705*8fb009dcSAndroid Build Coastguard Worker if (hs->handback && hs->ssl->session != NULL) {
1706*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_handback;
1707*8fb009dcSAndroid Build Coastguard Worker }
1708*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_process_change_cipher_spec;
1709*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_read_change_cipher_spec;
1710*8fb009dcSAndroid Build Coastguard Worker }
1711*8fb009dcSAndroid Build Coastguard Worker
do_process_change_cipher_spec(SSL_HANDSHAKE * hs)1712*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_process_change_cipher_spec(SSL_HANDSHAKE *hs) {
1713*8fb009dcSAndroid Build Coastguard Worker if (!tls1_change_cipher_state(hs, evp_aead_open)) {
1714*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1715*8fb009dcSAndroid Build Coastguard Worker }
1716*8fb009dcSAndroid Build Coastguard Worker
1717*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_next_proto;
1718*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1719*8fb009dcSAndroid Build Coastguard Worker }
1720*8fb009dcSAndroid Build Coastguard Worker
do_read_next_proto(SSL_HANDSHAKE * hs)1721*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_next_proto(SSL_HANDSHAKE *hs) {
1722*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1723*8fb009dcSAndroid Build Coastguard Worker
1724*8fb009dcSAndroid Build Coastguard Worker if (!hs->next_proto_neg_seen) {
1725*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_channel_id;
1726*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1727*8fb009dcSAndroid Build Coastguard Worker }
1728*8fb009dcSAndroid Build Coastguard Worker
1729*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg;
1730*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->get_message(ssl, &msg)) {
1731*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_read_message;
1732*8fb009dcSAndroid Build Coastguard Worker }
1733*8fb009dcSAndroid Build Coastguard Worker
1734*8fb009dcSAndroid Build Coastguard Worker if (!ssl_check_message_type(ssl, msg, SSL3_MT_NEXT_PROTO) ||
1735*8fb009dcSAndroid Build Coastguard Worker !ssl_hash_message(hs, msg)) {
1736*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1737*8fb009dcSAndroid Build Coastguard Worker }
1738*8fb009dcSAndroid Build Coastguard Worker
1739*8fb009dcSAndroid Build Coastguard Worker CBS next_protocol = msg.body, selected_protocol, padding;
1740*8fb009dcSAndroid Build Coastguard Worker if (!CBS_get_u8_length_prefixed(&next_protocol, &selected_protocol) ||
1741*8fb009dcSAndroid Build Coastguard Worker !CBS_get_u8_length_prefixed(&next_protocol, &padding) ||
1742*8fb009dcSAndroid Build Coastguard Worker CBS_len(&next_protocol) != 0) {
1743*8fb009dcSAndroid Build Coastguard Worker OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
1744*8fb009dcSAndroid Build Coastguard Worker ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
1745*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1746*8fb009dcSAndroid Build Coastguard Worker }
1747*8fb009dcSAndroid Build Coastguard Worker
1748*8fb009dcSAndroid Build Coastguard Worker if (!ssl->s3->next_proto_negotiated.CopyFrom(selected_protocol)) {
1749*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1750*8fb009dcSAndroid Build Coastguard Worker }
1751*8fb009dcSAndroid Build Coastguard Worker
1752*8fb009dcSAndroid Build Coastguard Worker ssl->method->next_message(ssl);
1753*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_channel_id;
1754*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1755*8fb009dcSAndroid Build Coastguard Worker }
1756*8fb009dcSAndroid Build Coastguard Worker
do_read_channel_id(SSL_HANDSHAKE * hs)1757*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_channel_id(SSL_HANDSHAKE *hs) {
1758*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1759*8fb009dcSAndroid Build Coastguard Worker
1760*8fb009dcSAndroid Build Coastguard Worker if (!hs->channel_id_negotiated) {
1761*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_finished;
1762*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1763*8fb009dcSAndroid Build Coastguard Worker }
1764*8fb009dcSAndroid Build Coastguard Worker
1765*8fb009dcSAndroid Build Coastguard Worker SSLMessage msg;
1766*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->get_message(ssl, &msg)) {
1767*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_read_message;
1768*8fb009dcSAndroid Build Coastguard Worker }
1769*8fb009dcSAndroid Build Coastguard Worker
1770*8fb009dcSAndroid Build Coastguard Worker if (!ssl_check_message_type(ssl, msg, SSL3_MT_CHANNEL_ID) ||
1771*8fb009dcSAndroid Build Coastguard Worker !tls1_verify_channel_id(hs, msg) ||
1772*8fb009dcSAndroid Build Coastguard Worker !ssl_hash_message(hs, msg)) {
1773*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1774*8fb009dcSAndroid Build Coastguard Worker }
1775*8fb009dcSAndroid Build Coastguard Worker
1776*8fb009dcSAndroid Build Coastguard Worker ssl->method->next_message(ssl);
1777*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_client_finished;
1778*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1779*8fb009dcSAndroid Build Coastguard Worker }
1780*8fb009dcSAndroid Build Coastguard Worker
do_read_client_finished(SSL_HANDSHAKE * hs)1781*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_read_client_finished(SSL_HANDSHAKE *hs) {
1782*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1783*8fb009dcSAndroid Build Coastguard Worker enum ssl_hs_wait_t wait = ssl_get_finished(hs);
1784*8fb009dcSAndroid Build Coastguard Worker if (wait != ssl_hs_ok) {
1785*8fb009dcSAndroid Build Coastguard Worker return wait;
1786*8fb009dcSAndroid Build Coastguard Worker }
1787*8fb009dcSAndroid Build Coastguard Worker
1788*8fb009dcSAndroid Build Coastguard Worker if (ssl->session != NULL) {
1789*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_finish_server_handshake;
1790*8fb009dcSAndroid Build Coastguard Worker } else {
1791*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_send_server_finished;
1792*8fb009dcSAndroid Build Coastguard Worker }
1793*8fb009dcSAndroid Build Coastguard Worker
1794*8fb009dcSAndroid Build Coastguard Worker // If this is a full handshake with ChannelID then record the handshake
1795*8fb009dcSAndroid Build Coastguard Worker // hashes in |hs->new_session| in case we need them to verify a
1796*8fb009dcSAndroid Build Coastguard Worker // ChannelID signature on a resumption of this session in the future.
1797*8fb009dcSAndroid Build Coastguard Worker if (ssl->session == NULL && ssl->s3->channel_id_valid &&
1798*8fb009dcSAndroid Build Coastguard Worker !tls1_record_handshake_hashes_for_channel_id(hs)) {
1799*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1800*8fb009dcSAndroid Build Coastguard Worker }
1801*8fb009dcSAndroid Build Coastguard Worker
1802*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1803*8fb009dcSAndroid Build Coastguard Worker }
1804*8fb009dcSAndroid Build Coastguard Worker
do_send_server_finished(SSL_HANDSHAKE * hs)1805*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_send_server_finished(SSL_HANDSHAKE *hs) {
1806*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1807*8fb009dcSAndroid Build Coastguard Worker
1808*8fb009dcSAndroid Build Coastguard Worker if (hs->ticket_expected) {
1809*8fb009dcSAndroid Build Coastguard Worker const SSL_SESSION *session;
1810*8fb009dcSAndroid Build Coastguard Worker UniquePtr<SSL_SESSION> session_copy;
1811*8fb009dcSAndroid Build Coastguard Worker if (ssl->session == NULL) {
1812*8fb009dcSAndroid Build Coastguard Worker // Fix the timeout to measure from the ticket issuance time.
1813*8fb009dcSAndroid Build Coastguard Worker ssl_session_rebase_time(ssl, hs->new_session.get());
1814*8fb009dcSAndroid Build Coastguard Worker session = hs->new_session.get();
1815*8fb009dcSAndroid Build Coastguard Worker } else {
1816*8fb009dcSAndroid Build Coastguard Worker // We are renewing an existing session. Duplicate the session to adjust
1817*8fb009dcSAndroid Build Coastguard Worker // the timeout.
1818*8fb009dcSAndroid Build Coastguard Worker session_copy =
1819*8fb009dcSAndroid Build Coastguard Worker SSL_SESSION_dup(ssl->session.get(), SSL_SESSION_INCLUDE_NONAUTH);
1820*8fb009dcSAndroid Build Coastguard Worker if (!session_copy) {
1821*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1822*8fb009dcSAndroid Build Coastguard Worker }
1823*8fb009dcSAndroid Build Coastguard Worker
1824*8fb009dcSAndroid Build Coastguard Worker ssl_session_rebase_time(ssl, session_copy.get());
1825*8fb009dcSAndroid Build Coastguard Worker session = session_copy.get();
1826*8fb009dcSAndroid Build Coastguard Worker }
1827*8fb009dcSAndroid Build Coastguard Worker
1828*8fb009dcSAndroid Build Coastguard Worker ScopedCBB cbb;
1829*8fb009dcSAndroid Build Coastguard Worker CBB body, ticket;
1830*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->init_message(ssl, cbb.get(), &body,
1831*8fb009dcSAndroid Build Coastguard Worker SSL3_MT_NEW_SESSION_TICKET) ||
1832*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u32(&body, session->timeout) ||
1833*8fb009dcSAndroid Build Coastguard Worker !CBB_add_u16_length_prefixed(&body, &ticket) ||
1834*8fb009dcSAndroid Build Coastguard Worker !ssl_encrypt_ticket(hs, &ticket, session) ||
1835*8fb009dcSAndroid Build Coastguard Worker !ssl_add_message_cbb(ssl, cbb.get())) {
1836*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1837*8fb009dcSAndroid Build Coastguard Worker }
1838*8fb009dcSAndroid Build Coastguard Worker }
1839*8fb009dcSAndroid Build Coastguard Worker
1840*8fb009dcSAndroid Build Coastguard Worker if (!ssl->method->add_change_cipher_spec(ssl) ||
1841*8fb009dcSAndroid Build Coastguard Worker !tls1_change_cipher_state(hs, evp_aead_seal) ||
1842*8fb009dcSAndroid Build Coastguard Worker !ssl_send_finished(hs)) {
1843*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_error;
1844*8fb009dcSAndroid Build Coastguard Worker }
1845*8fb009dcSAndroid Build Coastguard Worker
1846*8fb009dcSAndroid Build Coastguard Worker if (ssl->session != NULL) {
1847*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_read_change_cipher_spec;
1848*8fb009dcSAndroid Build Coastguard Worker } else {
1849*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_finish_server_handshake;
1850*8fb009dcSAndroid Build Coastguard Worker }
1851*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_flush;
1852*8fb009dcSAndroid Build Coastguard Worker }
1853*8fb009dcSAndroid Build Coastguard Worker
do_finish_server_handshake(SSL_HANDSHAKE * hs)1854*8fb009dcSAndroid Build Coastguard Worker static enum ssl_hs_wait_t do_finish_server_handshake(SSL_HANDSHAKE *hs) {
1855*8fb009dcSAndroid Build Coastguard Worker SSL *const ssl = hs->ssl;
1856*8fb009dcSAndroid Build Coastguard Worker
1857*8fb009dcSAndroid Build Coastguard Worker if (hs->handback) {
1858*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_handback;
1859*8fb009dcSAndroid Build Coastguard Worker }
1860*8fb009dcSAndroid Build Coastguard Worker
1861*8fb009dcSAndroid Build Coastguard Worker ssl->method->on_handshake_complete(ssl);
1862*8fb009dcSAndroid Build Coastguard Worker
1863*8fb009dcSAndroid Build Coastguard Worker // If we aren't retaining peer certificates then we can discard it now.
1864*8fb009dcSAndroid Build Coastguard Worker if (hs->new_session != NULL &&
1865*8fb009dcSAndroid Build Coastguard Worker hs->config->retain_only_sha256_of_client_certs) {
1866*8fb009dcSAndroid Build Coastguard Worker hs->new_session->certs.reset();
1867*8fb009dcSAndroid Build Coastguard Worker ssl->ctx->x509_method->session_clear(hs->new_session.get());
1868*8fb009dcSAndroid Build Coastguard Worker }
1869*8fb009dcSAndroid Build Coastguard Worker
1870*8fb009dcSAndroid Build Coastguard Worker bool has_new_session = hs->new_session != nullptr;
1871*8fb009dcSAndroid Build Coastguard Worker if (has_new_session) {
1872*8fb009dcSAndroid Build Coastguard Worker assert(ssl->session == nullptr);
1873*8fb009dcSAndroid Build Coastguard Worker ssl->s3->established_session = std::move(hs->new_session);
1874*8fb009dcSAndroid Build Coastguard Worker ssl->s3->established_session->not_resumable = false;
1875*8fb009dcSAndroid Build Coastguard Worker } else {
1876*8fb009dcSAndroid Build Coastguard Worker assert(ssl->session != nullptr);
1877*8fb009dcSAndroid Build Coastguard Worker ssl->s3->established_session = UpRef(ssl->session);
1878*8fb009dcSAndroid Build Coastguard Worker }
1879*8fb009dcSAndroid Build Coastguard Worker
1880*8fb009dcSAndroid Build Coastguard Worker hs->handshake_finalized = true;
1881*8fb009dcSAndroid Build Coastguard Worker ssl->s3->initial_handshake_complete = true;
1882*8fb009dcSAndroid Build Coastguard Worker if (has_new_session) {
1883*8fb009dcSAndroid Build Coastguard Worker ssl_update_cache(ssl);
1884*8fb009dcSAndroid Build Coastguard Worker }
1885*8fb009dcSAndroid Build Coastguard Worker
1886*8fb009dcSAndroid Build Coastguard Worker hs->state = state12_done;
1887*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1888*8fb009dcSAndroid Build Coastguard Worker }
1889*8fb009dcSAndroid Build Coastguard Worker
ssl_server_handshake(SSL_HANDSHAKE * hs)1890*8fb009dcSAndroid Build Coastguard Worker enum ssl_hs_wait_t ssl_server_handshake(SSL_HANDSHAKE *hs) {
1891*8fb009dcSAndroid Build Coastguard Worker while (hs->state != state12_done) {
1892*8fb009dcSAndroid Build Coastguard Worker enum ssl_hs_wait_t ret = ssl_hs_error;
1893*8fb009dcSAndroid Build Coastguard Worker enum tls12_server_hs_state_t state =
1894*8fb009dcSAndroid Build Coastguard Worker static_cast<enum tls12_server_hs_state_t>(hs->state);
1895*8fb009dcSAndroid Build Coastguard Worker switch (state) {
1896*8fb009dcSAndroid Build Coastguard Worker case state12_start_accept:
1897*8fb009dcSAndroid Build Coastguard Worker ret = do_start_accept(hs);
1898*8fb009dcSAndroid Build Coastguard Worker break;
1899*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_hello:
1900*8fb009dcSAndroid Build Coastguard Worker ret = do_read_client_hello(hs);
1901*8fb009dcSAndroid Build Coastguard Worker break;
1902*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_hello_after_ech:
1903*8fb009dcSAndroid Build Coastguard Worker ret = do_read_client_hello_after_ech(hs);
1904*8fb009dcSAndroid Build Coastguard Worker break;
1905*8fb009dcSAndroid Build Coastguard Worker case state12_cert_callback:
1906*8fb009dcSAndroid Build Coastguard Worker ret = do_cert_callback(hs);
1907*8fb009dcSAndroid Build Coastguard Worker break;
1908*8fb009dcSAndroid Build Coastguard Worker case state12_tls13:
1909*8fb009dcSAndroid Build Coastguard Worker ret = do_tls13(hs);
1910*8fb009dcSAndroid Build Coastguard Worker break;
1911*8fb009dcSAndroid Build Coastguard Worker case state12_select_parameters:
1912*8fb009dcSAndroid Build Coastguard Worker ret = do_select_parameters(hs);
1913*8fb009dcSAndroid Build Coastguard Worker break;
1914*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_hello:
1915*8fb009dcSAndroid Build Coastguard Worker ret = do_send_server_hello(hs);
1916*8fb009dcSAndroid Build Coastguard Worker break;
1917*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_certificate:
1918*8fb009dcSAndroid Build Coastguard Worker ret = do_send_server_certificate(hs);
1919*8fb009dcSAndroid Build Coastguard Worker break;
1920*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_key_exchange:
1921*8fb009dcSAndroid Build Coastguard Worker ret = do_send_server_key_exchange(hs);
1922*8fb009dcSAndroid Build Coastguard Worker break;
1923*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_hello_done:
1924*8fb009dcSAndroid Build Coastguard Worker ret = do_send_server_hello_done(hs);
1925*8fb009dcSAndroid Build Coastguard Worker break;
1926*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_certificate:
1927*8fb009dcSAndroid Build Coastguard Worker ret = do_read_client_certificate(hs);
1928*8fb009dcSAndroid Build Coastguard Worker break;
1929*8fb009dcSAndroid Build Coastguard Worker case state12_verify_client_certificate:
1930*8fb009dcSAndroid Build Coastguard Worker ret = do_verify_client_certificate(hs);
1931*8fb009dcSAndroid Build Coastguard Worker break;
1932*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_key_exchange:
1933*8fb009dcSAndroid Build Coastguard Worker ret = do_read_client_key_exchange(hs);
1934*8fb009dcSAndroid Build Coastguard Worker break;
1935*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_certificate_verify:
1936*8fb009dcSAndroid Build Coastguard Worker ret = do_read_client_certificate_verify(hs);
1937*8fb009dcSAndroid Build Coastguard Worker break;
1938*8fb009dcSAndroid Build Coastguard Worker case state12_read_change_cipher_spec:
1939*8fb009dcSAndroid Build Coastguard Worker ret = do_read_change_cipher_spec(hs);
1940*8fb009dcSAndroid Build Coastguard Worker break;
1941*8fb009dcSAndroid Build Coastguard Worker case state12_process_change_cipher_spec:
1942*8fb009dcSAndroid Build Coastguard Worker ret = do_process_change_cipher_spec(hs);
1943*8fb009dcSAndroid Build Coastguard Worker break;
1944*8fb009dcSAndroid Build Coastguard Worker case state12_read_next_proto:
1945*8fb009dcSAndroid Build Coastguard Worker ret = do_read_next_proto(hs);
1946*8fb009dcSAndroid Build Coastguard Worker break;
1947*8fb009dcSAndroid Build Coastguard Worker case state12_read_channel_id:
1948*8fb009dcSAndroid Build Coastguard Worker ret = do_read_channel_id(hs);
1949*8fb009dcSAndroid Build Coastguard Worker break;
1950*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_finished:
1951*8fb009dcSAndroid Build Coastguard Worker ret = do_read_client_finished(hs);
1952*8fb009dcSAndroid Build Coastguard Worker break;
1953*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_finished:
1954*8fb009dcSAndroid Build Coastguard Worker ret = do_send_server_finished(hs);
1955*8fb009dcSAndroid Build Coastguard Worker break;
1956*8fb009dcSAndroid Build Coastguard Worker case state12_finish_server_handshake:
1957*8fb009dcSAndroid Build Coastguard Worker ret = do_finish_server_handshake(hs);
1958*8fb009dcSAndroid Build Coastguard Worker break;
1959*8fb009dcSAndroid Build Coastguard Worker case state12_done:
1960*8fb009dcSAndroid Build Coastguard Worker ret = ssl_hs_ok;
1961*8fb009dcSAndroid Build Coastguard Worker break;
1962*8fb009dcSAndroid Build Coastguard Worker }
1963*8fb009dcSAndroid Build Coastguard Worker
1964*8fb009dcSAndroid Build Coastguard Worker if (hs->state != state) {
1965*8fb009dcSAndroid Build Coastguard Worker ssl_do_info_callback(hs->ssl, SSL_CB_ACCEPT_LOOP, 1);
1966*8fb009dcSAndroid Build Coastguard Worker }
1967*8fb009dcSAndroid Build Coastguard Worker
1968*8fb009dcSAndroid Build Coastguard Worker if (ret != ssl_hs_ok) {
1969*8fb009dcSAndroid Build Coastguard Worker return ret;
1970*8fb009dcSAndroid Build Coastguard Worker }
1971*8fb009dcSAndroid Build Coastguard Worker }
1972*8fb009dcSAndroid Build Coastguard Worker
1973*8fb009dcSAndroid Build Coastguard Worker ssl_do_info_callback(hs->ssl, SSL_CB_HANDSHAKE_DONE, 1);
1974*8fb009dcSAndroid Build Coastguard Worker return ssl_hs_ok;
1975*8fb009dcSAndroid Build Coastguard Worker }
1976*8fb009dcSAndroid Build Coastguard Worker
ssl_server_handshake_state(SSL_HANDSHAKE * hs)1977*8fb009dcSAndroid Build Coastguard Worker const char *ssl_server_handshake_state(SSL_HANDSHAKE *hs) {
1978*8fb009dcSAndroid Build Coastguard Worker enum tls12_server_hs_state_t state =
1979*8fb009dcSAndroid Build Coastguard Worker static_cast<enum tls12_server_hs_state_t>(hs->state);
1980*8fb009dcSAndroid Build Coastguard Worker switch (state) {
1981*8fb009dcSAndroid Build Coastguard Worker case state12_start_accept:
1982*8fb009dcSAndroid Build Coastguard Worker return "TLS server start_accept";
1983*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_hello:
1984*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_client_hello";
1985*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_hello_after_ech:
1986*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_client_hello_after_ech";
1987*8fb009dcSAndroid Build Coastguard Worker case state12_cert_callback:
1988*8fb009dcSAndroid Build Coastguard Worker return "TLS server cert_callback";
1989*8fb009dcSAndroid Build Coastguard Worker case state12_tls13:
1990*8fb009dcSAndroid Build Coastguard Worker return tls13_server_handshake_state(hs);
1991*8fb009dcSAndroid Build Coastguard Worker case state12_select_parameters:
1992*8fb009dcSAndroid Build Coastguard Worker return "TLS server select_parameters";
1993*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_hello:
1994*8fb009dcSAndroid Build Coastguard Worker return "TLS server send_server_hello";
1995*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_certificate:
1996*8fb009dcSAndroid Build Coastguard Worker return "TLS server send_server_certificate";
1997*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_key_exchange:
1998*8fb009dcSAndroid Build Coastguard Worker return "TLS server send_server_key_exchange";
1999*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_hello_done:
2000*8fb009dcSAndroid Build Coastguard Worker return "TLS server send_server_hello_done";
2001*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_certificate:
2002*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_client_certificate";
2003*8fb009dcSAndroid Build Coastguard Worker case state12_verify_client_certificate:
2004*8fb009dcSAndroid Build Coastguard Worker return "TLS server verify_client_certificate";
2005*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_key_exchange:
2006*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_client_key_exchange";
2007*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_certificate_verify:
2008*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_client_certificate_verify";
2009*8fb009dcSAndroid Build Coastguard Worker case state12_read_change_cipher_spec:
2010*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_change_cipher_spec";
2011*8fb009dcSAndroid Build Coastguard Worker case state12_process_change_cipher_spec:
2012*8fb009dcSAndroid Build Coastguard Worker return "TLS server process_change_cipher_spec";
2013*8fb009dcSAndroid Build Coastguard Worker case state12_read_next_proto:
2014*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_next_proto";
2015*8fb009dcSAndroid Build Coastguard Worker case state12_read_channel_id:
2016*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_channel_id";
2017*8fb009dcSAndroid Build Coastguard Worker case state12_read_client_finished:
2018*8fb009dcSAndroid Build Coastguard Worker return "TLS server read_client_finished";
2019*8fb009dcSAndroid Build Coastguard Worker case state12_send_server_finished:
2020*8fb009dcSAndroid Build Coastguard Worker return "TLS server send_server_finished";
2021*8fb009dcSAndroid Build Coastguard Worker case state12_finish_server_handshake:
2022*8fb009dcSAndroid Build Coastguard Worker return "TLS server finish_server_handshake";
2023*8fb009dcSAndroid Build Coastguard Worker case state12_done:
2024*8fb009dcSAndroid Build Coastguard Worker return "TLS server done";
2025*8fb009dcSAndroid Build Coastguard Worker }
2026*8fb009dcSAndroid Build Coastguard Worker
2027*8fb009dcSAndroid Build Coastguard Worker return "TLS server unknown";
2028*8fb009dcSAndroid Build Coastguard Worker }
2029*8fb009dcSAndroid Build Coastguard Worker
2030*8fb009dcSAndroid Build Coastguard Worker BSSL_NAMESPACE_END
2031