1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <openssl/bytestring.h>
18
19 #include "internal.h"
20
21
22 BSSL_NAMESPACE_BEGIN
23
24 constexpr int kHandoffVersion = 0;
25 constexpr int kHandbackVersion = 0;
26
27 // serialize_features adds a description of features supported by this binary to
28 // |out|. Returns true on success and false on error.
serialize_features(CBB * out)29 static bool serialize_features(CBB *out) {
30 CBB ciphers;
31 if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
32 return false;
33 }
34 Span<const SSL_CIPHER> all_ciphers = AllCiphers();
35 for (const SSL_CIPHER& cipher : all_ciphers) {
36 if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
37 return false;
38 }
39 }
40 CBB curves;
41 if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
42 return false;
43 }
44 for (const NamedGroup& g : NamedGroups()) {
45 if (!CBB_add_u16(&curves, g.group_id)) {
46 return false;
47 }
48 }
49 return CBB_flush(out);
50 }
51
SSL_serialize_handoff(const SSL * ssl,CBB * out,SSL_CLIENT_HELLO * out_hello)52 bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
53 SSL_CLIENT_HELLO *out_hello) {
54 const SSL3_STATE *const s3 = ssl->s3;
55 if (!ssl->server ||
56 s3->hs == nullptr ||
57 s3->rwstate != SSL_ERROR_HANDOFF) {
58 return false;
59 }
60
61 CBB seq;
62 SSLMessage msg;
63 Span<const uint8_t> transcript = s3->hs->transcript.buffer();
64 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
65 !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
66 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
67 !CBB_add_asn1_octet_string(&seq,
68 reinterpret_cast<uint8_t *>(s3->hs_buf->data),
69 s3->hs_buf->length) ||
70 !serialize_features(&seq) ||
71 !CBB_flush(out) ||
72 !ssl->method->get_message(ssl, &msg) ||
73 !ssl_client_hello_init(ssl, out_hello, msg)) {
74 return false;
75 }
76
77 return true;
78 }
79
SSL_decline_handoff(SSL * ssl)80 bool SSL_decline_handoff(SSL *ssl) {
81 const SSL3_STATE *const s3 = ssl->s3;
82 if (!ssl->server ||
83 s3->hs == nullptr ||
84 s3->rwstate != SSL_ERROR_HANDOFF) {
85 return false;
86 }
87
88 s3->hs->config->handoff = false;
89 return true;
90 }
91
92 // apply_remote_features reads a list of supported features from |in| and
93 // (possibly) reconfigures |ssl| to disallow the negotation of features whose
94 // support has not been indicated. (This prevents the the handshake from
95 // committing to features that are not supported on the handoff/handback side.)
apply_remote_features(SSL * ssl,CBS * in)96 static bool apply_remote_features(SSL *ssl, CBS *in) {
97 CBS ciphers;
98 if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
99 return false;
100 }
101 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
102 while (CBS_len(&ciphers)) {
103 uint16_t id;
104 if (!CBS_get_u16(&ciphers, &id)) {
105 return false;
106 }
107 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
108 if (!cipher) {
109 continue;
110 }
111 if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
112 return false;
113 }
114 }
115 STACK_OF(SSL_CIPHER) *configured =
116 ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
117 : ssl->ctx->cipher_list->ciphers.get();
118 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
119 for (const SSL_CIPHER *configured_cipher : configured) {
120 if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
121 continue;
122 }
123 if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
124 return false;
125 }
126 }
127 if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
128 ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
129 if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
130 return false;
131 }
132 }
133 for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
134 ssl->config->cipher_list->Remove(unsupported_cipher);
135 }
136 if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {
137 return false;
138 }
139
140 CBS curves;
141 if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
142 return false;
143 }
144 Array<uint16_t> supported_curves;
145 if (!supported_curves.Init(CBS_len(&curves) / 2)) {
146 return false;
147 }
148 size_t idx = 0;
149 while (CBS_len(&curves)) {
150 uint16_t curve;
151 if (!CBS_get_u16(&curves, &curve)) {
152 return false;
153 }
154 supported_curves[idx++] = curve;
155 }
156 Span<const uint16_t> configured_curves =
157 tls1_get_grouplist(ssl->s3->hs.get());
158 Array<uint16_t> new_configured_curves;
159 if (!new_configured_curves.Init(configured_curves.size())) {
160 return false;
161 }
162 idx = 0;
163 for (uint16_t configured_curve : configured_curves) {
164 bool ok = false;
165 for (uint16_t supported_curve : supported_curves) {
166 if (supported_curve == configured_curve) {
167 ok = true;
168 break;
169 }
170 }
171 if (ok) {
172 new_configured_curves[idx++] = configured_curve;
173 }
174 }
175 if (idx == 0) {
176 return false;
177 }
178 new_configured_curves.Shrink(idx);
179 ssl->config->supported_group_list = std::move(new_configured_curves);
180
181 return true;
182 }
183
SSL_apply_handoff(SSL * ssl,Span<const uint8_t> handoff)184 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
185 if (ssl->method->is_dtls) {
186 return false;
187 }
188
189 CBS seq, handoff_cbs(handoff);
190 uint64_t handoff_version;
191 if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
192 !CBS_get_asn1_uint64(&seq, &handoff_version) ||
193 handoff_version != kHandoffVersion) {
194 return false;
195 }
196
197 CBS transcript, hs_buf;
198 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
199 !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
200 !apply_remote_features(ssl, &seq)) {
201 return false;
202 }
203
204 SSL_set_accept_state(ssl);
205
206 SSL3_STATE *const s3 = ssl->s3;
207 s3->v2_hello_done = true;
208 s3->has_message = true;
209
210 s3->hs_buf.reset(BUF_MEM_new());
211 if (!s3->hs_buf ||
212 !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
213 return false;
214 }
215
216 if (CBS_len(&transcript) != 0) {
217 s3->hs->transcript.Update(transcript);
218 s3->is_v2_hello = true;
219 }
220 s3->hs->handback = true;
221
222 return true;
223 }
224
SSL_serialize_handback(const SSL * ssl,CBB * out)225 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
226 if (!ssl->server || ssl->method->is_dtls) {
227 return false;
228 }
229 handback_t type;
230 switch (ssl->s3->hs->state) {
231 case state12_read_change_cipher_spec:
232 type = handback_after_session_resumption;
233 break;
234 case state12_read_client_certificate:
235 type = handback_after_ecdhe;
236 break;
237 case state12_finish_server_handshake:
238 type = handback_after_handshake;
239 break;
240 default:
241 return false;
242 }
243
244 const SSL3_STATE *const s3 = ssl->s3;
245 size_t hostname_len = 0;
246 if (s3->hostname) {
247 hostname_len = strlen(s3->hostname.get());
248 }
249
250 Span<const uint8_t> transcript;
251 if (type == handback_after_ecdhe ||
252 type == handback_after_session_resumption) {
253 transcript = s3->hs->transcript.buffer();
254 }
255 size_t write_iv_len = 0;
256 const uint8_t *write_iv = nullptr;
257 if ((type == handback_after_session_resumption ||
258 type == handback_after_handshake) &&
259 ssl->version == TLS1_VERSION &&
260 SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
261 !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
262 return false;
263 }
264 size_t read_iv_len = 0;
265 const uint8_t *read_iv = nullptr;
266 if (type == handback_after_handshake &&
267 ssl->version == TLS1_VERSION &&
268 SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
269 !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
270 return false;
271 }
272
273 // TODO(mab): make sure everything is serialized.
274 CBB seq, key_share;
275 const SSL_SESSION *session =
276 s3->session_reused ? ssl->session.get() : s3->hs->new_session.get();
277 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
278 !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
279 !CBB_add_asn1_uint64(&seq, type) ||
280 !CBB_add_asn1_octet_string(&seq, s3->read_sequence,
281 sizeof(s3->read_sequence)) ||
282 !CBB_add_asn1_octet_string(&seq, s3->write_sequence,
283 sizeof(s3->write_sequence)) ||
284 !CBB_add_asn1_octet_string(&seq, s3->server_random,
285 sizeof(s3->server_random)) ||
286 !CBB_add_asn1_octet_string(&seq, s3->client_random,
287 sizeof(s3->client_random)) ||
288 !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
289 !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
290 !CBB_add_asn1_bool(&seq, s3->session_reused) ||
291 !CBB_add_asn1_bool(&seq, s3->channel_id_valid) ||
292 !ssl_session_serialize(session, &seq) ||
293 !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
294 s3->next_proto_negotiated.size()) ||
295 !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
296 s3->alpn_selected.size()) ||
297 !CBB_add_asn1_octet_string(
298 &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
299 hostname_len) ||
300 !CBB_add_asn1_octet_string(&seq, s3->channel_id,
301 sizeof(s3->channel_id)) ||
302 !CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||
303 !CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||
304 !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
305 !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
306 !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
307 !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
308 !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
309 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
310 !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
311 return false;
312 }
313 if (type == handback_after_ecdhe &&
314 !s3->hs->key_shares[0]->Serialize(&key_share)) {
315 return false;
316 }
317 return CBB_flush(out);
318 }
319
SSL_apply_handback(SSL * ssl,Span<const uint8_t> handback)320 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
321 if (ssl->do_handshake != nullptr ||
322 ssl->method->is_dtls) {
323 return false;
324 }
325
326 SSL3_STATE *const s3 = ssl->s3;
327 uint64_t handback_version, negotiated_token_binding_param, cipher, type;
328
329 CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
330 next_proto, alpn, hostname, channel_id, transcript, key_share;
331 int session_reused, channel_id_valid, cert_request, extended_master_secret,
332 ticket_expected, token_binding_negotiated, next_proto_neg_seen;
333 SSL_SESSION *session = nullptr;
334
335 CBS handback_cbs(handback);
336 if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
337 !CBS_get_asn1_uint64(&seq, &handback_version) ||
338 handback_version != kHandbackVersion ||
339 !CBS_get_asn1_uint64(&seq, &type)) {
340 return false;
341 }
342
343 if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
344 CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
345 !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
346 CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
347 !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
348 CBS_len(&server_rand) != sizeof(s3->server_random) ||
349 !CBS_copy_bytes(&server_rand, s3->server_random,
350 sizeof(s3->server_random)) ||
351 !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
352 CBS_len(&client_rand) != sizeof(s3->client_random) ||
353 !CBS_copy_bytes(&client_rand, s3->client_random,
354 sizeof(s3->client_random)) ||
355 !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
356 !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
357 !CBS_get_asn1_bool(&seq, &session_reused) ||
358 !CBS_get_asn1_bool(&seq, &channel_id_valid)) {
359 return false;
360 }
361
362 s3->hs = ssl_handshake_new(ssl);
363 if (session_reused) {
364 ssl->session =
365 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
366 session = ssl->session.get();
367 } else {
368 s3->hs->new_session =
369 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
370 session = s3->hs->new_session.get();
371 }
372
373 if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
374 !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
375 !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
376 !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||
377 CBS_len(&channel_id) != sizeof(s3->channel_id) ||
378 !CBS_copy_bytes(&channel_id, s3->channel_id,
379 sizeof(s3->channel_id)) ||
380 !CBS_get_asn1_bool(&seq, &token_binding_negotiated) ||
381 !CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) ||
382 !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
383 !CBS_get_asn1_bool(&seq, &cert_request) ||
384 !CBS_get_asn1_bool(&seq, &extended_master_secret) ||
385 !CBS_get_asn1_bool(&seq, &ticket_expected) ||
386 !CBS_get_asn1_uint64(&seq, &cipher)) {
387 return false;
388 }
389 if ((s3->hs->new_cipher =
390 SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
391 return false;
392 }
393 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
394 !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
395 return false;
396 }
397
398 ssl->version = session->ssl_version;
399 s3->have_version = true;
400 if (!ssl_method_supports_version(ssl->method, ssl->version) ||
401 session->cipher != s3->hs->new_cipher ||
402 ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
403 SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
404 return false;
405 }
406 ssl->do_handshake = ssl_server_handshake;
407 ssl->server = true;
408 switch (type) {
409 case handback_after_session_resumption:
410 ssl->s3->hs->state = state12_read_change_cipher_spec;
411 if (!session_reused) {
412 return false;
413 }
414 break;
415 case handback_after_ecdhe:
416 ssl->s3->hs->state = state12_read_client_certificate;
417 if (session_reused) {
418 return false;
419 }
420 break;
421 case handback_after_handshake:
422 ssl->s3->hs->state = state12_finish_server_handshake;
423 break;
424 default:
425 return false;
426 }
427 s3->session_reused = session_reused;
428 s3->channel_id_valid = channel_id_valid;
429 s3->next_proto_negotiated.CopyFrom(next_proto);
430 s3->alpn_selected.CopyFrom(alpn);
431
432 const size_t hostname_len = CBS_len(&hostname);
433 if (hostname_len == 0) {
434 s3->hostname.reset();
435 } else {
436 char *hostname_str = nullptr;
437 if (!CBS_strdup(&hostname, &hostname_str)) {
438 return false;
439 }
440 s3->hostname.reset(hostname_str);
441 }
442
443 s3->token_binding_negotiated = token_binding_negotiated;
444 s3->negotiated_token_binding_param =
445 static_cast<uint8_t>(negotiated_token_binding_param);
446 s3->hs->next_proto_neg_seen = next_proto_neg_seen;
447 s3->hs->wait = ssl_hs_flush;
448 s3->hs->extended_master_secret = extended_master_secret;
449 s3->hs->ticket_expected = ticket_expected;
450 s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
451 s3->hs->cert_request = cert_request;
452
453 // TODO(davidben): When handoff for TLS 1.3 is added, serialize
454 // |early_data_reason| and stabilize the constants.
455 s3->early_data_reason = ssl_early_data_protocol_version;
456
457 Array<uint8_t> key_block;
458 if ((type == handback_after_session_resumption ||
459 type == handback_after_handshake) &&
460 (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
461 write_iv) ||
462 !CBS_copy_bytes(&write_seq, s3->write_sequence,
463 sizeof(s3->write_sequence)))) {
464 return false;
465 }
466 if (type == handback_after_handshake &&
467 (!tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,
468 read_iv) ||
469 !CBS_copy_bytes(&read_seq, s3->read_sequence,
470 sizeof(s3->read_sequence)))) {
471 return false;
472 }
473 if ((type == handback_after_ecdhe ||
474 type == handback_after_session_resumption) &&
475 (!s3->hs->transcript.Init() ||
476 !s3->hs->transcript.InitHash(ssl_protocol_version(ssl),
477 s3->hs->new_cipher) ||
478 !s3->hs->transcript.Update(transcript))) {
479 return false;
480 }
481 if (type == handback_after_ecdhe &&
482 (s3->hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
483 return false;
484 }
485
486 return CBS_len(&seq) == 0;
487 }
488
489 BSSL_NAMESPACE_END
490