Google Git
Sign in
boringssl / boringssl.git / 47b1e39042bc3208771a8d947f1a1ed2fe5f3d8b / . / ssl / handoff.cc
blob: fdbac18da77758244b329b53ed553977f2d58f79 [file] [log] [blame]
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]1/* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15#include <openssl/ssl.h>
16
17#include <openssl/bytestring.h>
18
19#include "internal.h"
20
21
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]22BSSL_NAMESPACE_BEGIN
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]23
24constexpr int kHandoffVersion = 0;
25constexpr int kHandbackVersion = 0;
26
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]27// early_data_t represents the state of early data in a more compact way than
28// the 3 bits used by the implementation.
29enum early_data_t {
Adam Langleyfbea9de2020-02-06 10:05:55 -0800[diff] [blame]30 early_data_not_offered = 0,
31 early_data_accepted = 1,
32 early_data_rejected_hrr = 2,
33 early_data_skipped = 3,
34
35 early_data_max_value = early_data_skipped,
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]36};
37
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]38// serialize_features adds a description of features supported by this binary to
39// |out|. Returns true on success and false on error.
40static bool serialize_features(CBB *out) {
41 CBB ciphers;
42 if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
43 return false;
44 }
45 Span<const SSL_CIPHER> all_ciphers = AllCiphers();
46 for (const SSL_CIPHER& cipher : all_ciphers) {
47 if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
48 return false;
49 }
50 }
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]51 CBB curves;
52 if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
53 return false;
54 }
55 for (const NamedGroup& g : NamedGroups()) {
56 if (!CBB_add_u16(&curves, g.group_id)) {
57 return false;
58 }
59 }
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]60 return CBB_flush(out);
61}
62
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]63bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
64 SSL_CLIENT_HELLO *out_hello) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]65 const SSL3_STATE *const s3 = ssl->s3;
66 if (!ssl->server ||
67 s3->hs == nullptr ||
David Benjaminf4928302019-08-21 16:04:53 -0400[diff] [blame]68 s3->rwstate != SSL_ERROR_HANDOFF) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]69 return false;
70 }
71
72 CBB seq;
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]73 SSLMessage msg;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]74 Span<const uint8_t> transcript = s3->hs->transcript.buffer();
75 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
76 !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
77 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
78 !CBB_add_asn1_octet_string(&seq,
79 reinterpret_cast<uint8_t *>(s3->hs_buf->data),
80 s3->hs_buf->length) ||
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]81 !serialize_features(&seq) ||
Adam Langleyc9827e02019-04-12 14:46:50 -0700[diff] [blame]82 !CBB_flush(out) ||
83 !ssl->method->get_message(ssl, &msg) ||
84 !ssl_client_hello_init(ssl, out_hello, msg)) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]85 return false;
86 }
87
88 return true;
89}
90
91bool SSL_decline_handoff(SSL *ssl) {
92 const SSL3_STATE *const s3 = ssl->s3;
93 if (!ssl->server ||
94 s3->hs == nullptr ||
David Benjaminf4928302019-08-21 16:04:53 -0400[diff] [blame]95 s3->rwstate != SSL_ERROR_HANDOFF) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]96 return false;
97 }
98
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]99 s3->hs->config->handoff = false;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]100 return true;
101}
102
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]103// apply_remote_features reads a list of supported features from |in| and
104// (possibly) reconfigures |ssl| to disallow the negotation of features whose
105// support has not been indicated. (This prevents the the handshake from
106// committing to features that are not supported on the handoff/handback side.)
107static bool apply_remote_features(SSL *ssl, CBS *in) {
108 CBS ciphers;
109 if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
110 return false;
111 }
112 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
113 while (CBS_len(&ciphers)) {
114 uint16_t id;
115 if (!CBS_get_u16(&ciphers, &id)) {
116 return false;
117 }
118 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
119 if (!cipher) {
120 continue;
121 }
122 if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
123 return false;
124 }
125 }
126 STACK_OF(SSL_CIPHER) *configured =
127 ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
128 : ssl->ctx->cipher_list->ciphers.get();
129 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
130 for (const SSL_CIPHER *configured_cipher : configured) {
131 if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
132 continue;
133 }
134 if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
135 return false;
136 }
137 }
138 if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
139 ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
140 if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
141 return false;
142 }
143 }
144 for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
145 ssl->config->cipher_list->Remove(unsupported_cipher);
146 }
Matthew Braithwaitec65eb2c2018-11-02 17:29:35 -0700[diff] [blame]147 if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {
148 return false;
149 }
150
151 CBS curves;
152 if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
153 return false;
154 }
155 Array<uint16_t> supported_curves;
156 if (!supported_curves.Init(CBS_len(&curves) / 2)) {
157 return false;
158 }
159 size_t idx = 0;
160 while (CBS_len(&curves)) {
161 uint16_t curve;
162 if (!CBS_get_u16(&curves, &curve)) {
163 return false;
164 }
165 supported_curves[idx++] = curve;
166 }
167 Span<const uint16_t> configured_curves =
168 tls1_get_grouplist(ssl->s3->hs.get());
169 Array<uint16_t> new_configured_curves;
170 if (!new_configured_curves.Init(configured_curves.size())) {
171 return false;
172 }
173 idx = 0;
174 for (uint16_t configured_curve : configured_curves) {
175 bool ok = false;
176 for (uint16_t supported_curve : supported_curves) {
177 if (supported_curve == configured_curve) {
178 ok = true;
179 break;
180 }
181 }
182 if (ok) {
183 new_configured_curves[idx++] = configured_curve;
184 }
185 }
186 if (idx == 0) {
187 return false;
188 }
189 new_configured_curves.Shrink(idx);
190 ssl->config->supported_group_list = std::move(new_configured_curves);
191
192 return true;
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]193}
194
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]195// uses_disallowed_feature returns true iff |ssl| enables a feature that
196// disqualifies it for split handshakes.
197static bool uses_disallowed_feature(const SSL *ssl) {
198 return ssl->method->is_dtls || (ssl->config->cert && ssl->config->cert->dc) ||
199 ssl->config->quic_transport_params.size() > 0;
200}
201
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]202bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]203 if (uses_disallowed_feature(ssl)) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]204 return false;
205 }
206
207 CBS seq, handoff_cbs(handoff);
208 uint64_t handoff_version;
209 if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
210 !CBS_get_asn1_uint64(&seq, &handoff_version) ||
211 handoff_version != kHandoffVersion) {
212 return false;
213 }
214
215 CBS transcript, hs_buf;
216 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
Matthew Braithwaited2ed3822018-07-10 16:27:22 -0700[diff] [blame]217 !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
218 !apply_remote_features(ssl, &seq)) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]219 return false;
220 }
221
222 SSL_set_accept_state(ssl);
223
224 SSL3_STATE *const s3 = ssl->s3;
225 s3->v2_hello_done = true;
226 s3->has_message = true;
227
228 s3->hs_buf.reset(BUF_MEM_new());
229 if (!s3->hs_buf ||
230 !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
231 return false;
232 }
233
234 if (CBS_len(&transcript) != 0) {
235 s3->hs->transcript.Update(transcript);
236 s3->is_v2_hello = true;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]237 }
Matthew Braithwaiteb7bc80a2018-04-13 15:51:30 -0700[diff] [blame]238 s3->hs->handback = true;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]239
240 return true;
241}
242
243bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]244 if (!ssl->server || uses_disallowed_feature(ssl)) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]245 return false;
246 }
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]247 const SSL3_STATE *const s3 = ssl->s3;
248 SSL_HANDSHAKE *const hs = s3->hs.get();
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]249 handback_t type;
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]250 switch (hs->state) {
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]251 case state12_read_change_cipher_spec:
252 type = handback_after_session_resumption;
253 break;
254 case state12_read_client_certificate:
255 type = handback_after_ecdhe;
256 break;
257 case state12_finish_server_handshake:
258 type = handback_after_handshake;
259 break;
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]260 case state12_tls13:
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]261 if (hs->tls13_state != state13_send_half_rtt_ticket) {
262 return false;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]263 }
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]264 type = handback_tls13;
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]265 break;
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]266 default:
267 return false;
268 }
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]269
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]270 size_t hostname_len = 0;
271 if (s3->hostname) {
272 hostname_len = strlen(s3->hostname.get());
273 }
274
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]275 Span<const uint8_t> transcript;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]276 if (type != handback_after_handshake) {
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]277 transcript = s3->hs->transcript.buffer();
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]278 }
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]279 size_t write_iv_len = 0;
280 const uint8_t *write_iv = nullptr;
281 if ((type == handback_after_session_resumption ||
282 type == handback_after_handshake) &&
283 ssl->version == TLS1_VERSION &&
284 SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
285 !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
286 return false;
287 }
288 size_t read_iv_len = 0;
289 const uint8_t *read_iv = nullptr;
290 if (type == handback_after_handshake &&
291 ssl->version == TLS1_VERSION &&
292 SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
293 !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
294 return false;
295 }
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]296
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]297 // TODO(mab): make sure everything is serialized.
298 CBB seq, key_share;
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]299 const SSL_SESSION *session;
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]300 if (type == handback_tls13) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]301 session = hs->new_session.get();
302 } else {
303 session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
304 }
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]305 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
306 !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]307 !CBB_add_asn1_uint64(&seq, type) ||
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]308 !CBB_add_asn1_octet_string(&seq, s3->read_sequence,
309 sizeof(s3->read_sequence)) ||
310 !CBB_add_asn1_octet_string(&seq, s3->write_sequence,
311 sizeof(s3->write_sequence)) ||
312 !CBB_add_asn1_octet_string(&seq, s3->server_random,
313 sizeof(s3->server_random)) ||
314 !CBB_add_asn1_octet_string(&seq, s3->client_random,
315 sizeof(s3->client_random)) ||
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]316 !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
317 !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]318 !CBB_add_asn1_bool(&seq, s3->session_reused) ||
David Benjamin46853762018-07-03 14:01:26 -0400[diff] [blame]319 !CBB_add_asn1_bool(&seq, s3->channel_id_valid) ||
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]320 !ssl_session_serialize(session, &seq) ||
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]321 !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
322 s3->next_proto_negotiated.size()) ||
323 !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
324 s3->alpn_selected.size()) ||
325 !CBB_add_asn1_octet_string(
326 &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
327 hostname_len) ||
David Benjamin46853762018-07-03 14:01:26 -0400[diff] [blame]328 !CBB_add_asn1_octet_string(&seq, s3->channel_id,
329 sizeof(s3->channel_id)) ||
David Benjamin9f0e7cb2018-04-12 15:36:30 -0400[diff] [blame]330 !CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||
331 !CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]332 !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
333 !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
334 !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
335 !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
336 !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
337 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
338 !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]339 return false;
340 }
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]341 if (type == handback_after_ecdhe &&
Adam Langley7b935932018-11-12 13:53:42 -0800[diff] [blame]342 !s3->hs->key_shares[0]->Serialize(&key_share)) {
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]343 return false;
344 }
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]345 if (type == handback_tls13) {
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]346 early_data_t early_data;
347 // Check early data invariants.
Matthew Braithwaite9e233612020-02-04 10:14:06 -0800[diff] [blame]348 if (ssl->enable_early_data ==
349 (s3->early_data_reason == ssl_early_data_disabled)) {
350 return false;
351 }
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]352 if (hs->early_data_offered) {
353 if (s3->early_data_accepted && !s3->skip_early_data) {
354 early_data = early_data_accepted;
355 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
356 early_data = early_data_rejected_hrr;
357 } else if (!s3->early_data_accepted && s3->skip_early_data) {
358 early_data = early_data_skipped;
359 } else {
360 return false;
361 }
362 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
363 early_data = early_data_not_offered;
364 } else {
365 return false;
366 }
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]367 if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
368 hs->client_traffic_secret_0().size()) ||
369 !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
370 hs->server_traffic_secret_0().size()) ||
371 !CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
372 hs->client_handshake_secret().size()) ||
373 !CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
374 hs->server_handshake_secret().size()) ||
375 !CBB_add_asn1_octet_string(&seq, hs->secret().data(),
376 hs->secret().size()) ||
377 !CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
378 s3->exporter_secret_len) ||
379 !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
380 !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]381 !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
382 !CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||
383 !CBB_add_asn1_uint64(&seq, early_data)) {
384 return false;
385 }
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]386 if (early_data == early_data_accepted &&
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]387 !CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
388 hs->early_traffic_secret().size())) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]389 return false;
390 }
391 }
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]392 return CBB_flush(out);
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]393}
394
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]395static bool CopyExact(Span<uint8_t> out, const CBS *in) {
396 if (CBS_len(in) != out.size()) {
397 return false;
398 }
399 OPENSSL_memcpy(out.data(), CBS_data(in), out.size());
400 return true;
401}
402
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]403bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
404 if (ssl->do_handshake != nullptr ||
405 ssl->method->is_dtls) {
406 return false;
407 }
408
409 SSL3_STATE *const s3 = ssl->s3;
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]410 uint64_t handback_version, negotiated_token_binding_param, cipher, type_u64;
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]411
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]412 CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]413 next_proto, alpn, hostname, channel_id, transcript, key_share;
Matthew Braithwaitec5154f72018-04-11 17:00:54 -0700[diff] [blame]414 int session_reused, channel_id_valid, cert_request, extended_master_secret,
415 ticket_expected, token_binding_negotiated, next_proto_neg_seen;
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]416 SSL_SESSION *session = nullptr;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]417
418 CBS handback_cbs(handback);
419 if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
420 !CBS_get_asn1_uint64(&seq, &handback_version) ||
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]421 handback_version != kHandbackVersion ||
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]422 !CBS_get_asn1_uint64(&seq, &type_u64) ||
423 type_u64 > handback_max_value) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]424 return false;
425 }
426
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]427 handback_t type = static_cast<handback_t>(type_u64);
Matthew Braithwaitec5154f72018-04-11 17:00:54 -0700[diff] [blame]428 if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]429 CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
430 !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
431 CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
432 !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
433 CBS_len(&server_rand) != sizeof(s3->server_random) ||
434 !CBS_copy_bytes(&server_rand, s3->server_random,
435 sizeof(s3->server_random)) ||
436 !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
437 CBS_len(&client_rand) != sizeof(s3->client_random) ||
438 !CBS_copy_bytes(&client_rand, s3->client_random,
439 sizeof(s3->client_random)) ||
440 !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
441 !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
442 !CBS_get_asn1_bool(&seq, &session_reused) ||
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]443 !CBS_get_asn1_bool(&seq, &channel_id_valid)) {
444 return false;
445 }
446
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]447 s3->hs = ssl_handshake_new(ssl);
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]448 SSL_HANDSHAKE *const hs = s3->hs.get();
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]449 if (!session_reused || type == handback_tls13) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]450 hs->new_session =
451 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
452 session = hs->new_session.get();
453 } else {
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]454 ssl->session =
David Benjamin50596f82018-07-02 19:47:27 -0400[diff] [blame]455 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
456 session = ssl->session.get();
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]457 }
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]458
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]459 if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]460 !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
461 !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
462 !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||
David Benjamin46853762018-07-03 14:01:26 -0400[diff] [blame]463 CBS_len(&channel_id) != sizeof(s3->channel_id) ||
464 !CBS_copy_bytes(&channel_id, s3->channel_id,
465 sizeof(s3->channel_id)) ||
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]466 !CBS_get_asn1_bool(&seq, &token_binding_negotiated) ||
467 !CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) ||
468 !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
469 !CBS_get_asn1_bool(&seq, &cert_request) ||
470 !CBS_get_asn1_bool(&seq, &extended_master_secret) ||
471 !CBS_get_asn1_bool(&seq, &ticket_expected) ||
472 !CBS_get_asn1_uint64(&seq, &cipher)) {
473 return false;
474 }
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]475 if ((hs->new_cipher =
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]476 SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
477 return false;
478 }
479 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
480 !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]481 return false;
482 }
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]483 CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]484 server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]485 if (type == handback_tls13) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]486 int used_hello_retry_request, accept_psk_mode;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]487 uint64_t early_data, early_data_reason;
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]488 int64_t ticket_age_skew;
489 if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
490 !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
491 !CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||
492 !CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||
493 !CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||
494 !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
495 !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
496 !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]497 !CBS_get_asn1_int64(&seq, &ticket_age_skew) ||
498 !CBS_get_asn1_uint64(&seq, &early_data_reason) ||
Adam Langleyfbea9de2020-02-06 10:05:55 -0800[diff] [blame]499 early_data_reason > ssl_early_data_reason_max_value ||
500 !CBS_get_asn1_uint64(&seq, &early_data) ||
501 early_data > early_data_max_value) {
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]502 return false;
503 }
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]504 early_data_t early_data_type = static_cast<early_data_t>(early_data);
505 if (early_data_type == early_data_accepted &&
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]506 !CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]507 return false;
508 }
509 if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
510 ticket_age_skew < std::numeric_limits<int32_t>::min()) {
511 return false;
512 }
513 s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
514 s3->used_hello_retry_request = used_hello_retry_request;
515 hs->accept_psk_mode = accept_psk_mode;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]516
517 s3->early_data_reason =
518 static_cast<ssl_early_data_reason_t>(early_data_reason);
Matthew Braithwaite9e233612020-02-04 10:14:06 -0800[diff] [blame]519 ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]520 s3->skip_early_data = false;
521 s3->early_data_accepted = false;
522 hs->early_data_offered = false;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]523 switch (early_data_type) {
524 case early_data_not_offered:
525 break;
526 case early_data_accepted:
527 s3->early_data_accepted = true;
528 hs->early_data_offered = true;
529 hs->can_early_write = true;
530 hs->can_early_read = true;
531 hs->in_early_data = true;
532 break;
533 case early_data_rejected_hrr:
534 hs->early_data_offered = true;
535 break;
536 case early_data_skipped:
537 s3->skip_early_data = true;
538 hs->early_data_offered = true;
539 break;
540 default:
541 return false;
542 }
543 } else {
544 s3->early_data_reason = ssl_early_data_protocol_version;
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]545 }
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]546
Matthew Braithwaitec5154f72018-04-11 17:00:54 -0700[diff] [blame]547 ssl->version = session->ssl_version;
Matthew Braithwaite0e9e0ba2018-04-10 15:40:12 -0700[diff] [blame]548 s3->have_version = true;
549 if (!ssl_method_supports_version(ssl->method, ssl->version) ||
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]550 session->cipher != hs->new_cipher ||
Matthew Braithwaite0e9e0ba2018-04-10 15:40:12 -0700[diff] [blame]551 ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
552 SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
553 return false;
554 }
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]555 ssl->do_handshake = ssl_server_handshake;
556 ssl->server = true;
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]557 switch (type) {
558 case handback_after_session_resumption:
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]559 hs->state = state12_read_change_cipher_spec;
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]560 if (!session_reused) {
561 return false;
562 }
563 break;
564 case handback_after_ecdhe:
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]565 hs->state = state12_read_client_certificate;
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]566 if (session_reused) {
567 return false;
568 }
569 break;
570 case handback_after_handshake:
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]571 hs->state = state12_finish_server_handshake;
572 break;
573 case handback_tls13:
574 hs->state = state12_tls13;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]575 hs->tls13_state = state13_send_half_rtt_ticket;
576 break;
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]577 default:
578 return false;
Matthew Braithwaite9fdf7cb2018-05-04 09:28:50 -0700[diff] [blame]579 }
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]580 s3->session_reused = session_reused;
David Benjamin46853762018-07-03 14:01:26 -0400[diff] [blame]581 s3->channel_id_valid = channel_id_valid;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]582 s3->next_proto_negotiated.CopyFrom(next_proto);
583 s3->alpn_selected.CopyFrom(alpn);
584
585 const size_t hostname_len = CBS_len(&hostname);
586 if (hostname_len == 0) {
587 s3->hostname.reset();
588 } else {
589 char *hostname_str = nullptr;
590 if (!CBS_strdup(&hostname, &hostname_str)) {
591 return false;
592 }
593 s3->hostname.reset(hostname_str);
594 }
595
David Benjamin9f0e7cb2018-04-12 15:36:30 -0400[diff] [blame]596 s3->token_binding_negotiated = token_binding_negotiated;
597 s3->negotiated_token_binding_param =
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]598 static_cast<uint8_t>(negotiated_token_binding_param);
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]599 hs->next_proto_neg_seen = next_proto_neg_seen;
600 hs->wait = ssl_hs_flush;
601 hs->extended_master_secret = extended_master_secret;
602 hs->ticket_expected = ticket_expected;
Matthew Braithwaite56986f92018-03-22 11:48:33 -0700[diff] [blame]603 s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]604 hs->cert_request = cert_request;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]605
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]606 if (type != handback_after_handshake &&
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]607 (!hs->transcript.Init() ||
608 !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
609 !hs->transcript.Update(transcript))) {
610 return false;
611 }
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]612 if (type == handback_tls13) {
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]613 hs->ResizeSecrets(hs->transcript.DigestLen());
614 if (!CopyExact(hs->client_traffic_secret_0(), &client_traffic_secret_0) ||
615 !CopyExact(hs->server_traffic_secret_0(), &server_traffic_secret_0) ||
616 !CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
617 !CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
618 !CopyExact(hs->secret(), &secret) ||
619 !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
620 &exporter_secret)) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]621 return false;
622 }
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]623 s3->exporter_secret_len = CBS_len(&exporter_secret);
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]624
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]625 if (s3->early_data_accepted &&
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]626 !CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]627 return false;
628 }
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]629 }
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]630 Array<uint8_t> key_block;
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]631 switch (type) {
632 case handback_after_session_resumption:
633 // The write keys are installed after server Finished, but the client
634 // keys must wait for ChangeCipherSpec.
635 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
636 write_iv)) {
637 return false;
638 }
639 break;
640 case handback_after_ecdhe:
641 // The premaster secret is not yet computed, so install no keys.
642 break;
643 case handback_after_handshake:
644 // The handshake is complete, so both keys are installed.
645 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session->cipher,
646 write_iv) ||
647 !tls1_configure_aead(ssl, evp_aead_open, &key_block, session->cipher,
648 read_iv)) {
649 return false;
650 }
651 break;
652 case handback_tls13:
653 // After server Finished, the application write keys are installed, but
654 // none of the read keys. The read keys are installed in the state machine
655 // immediately after processing handback.
656 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
David Benjamin754d4c92020-02-11 16:27:21 -0500[diff] [blame]657 hs->new_session.get(),
David Benjamin0c306492020-02-09 16:28:52 -0500[diff] [blame]658 hs->server_traffic_secret_0())) {
659 return false;
660 }
661 break;
Matthew Braithwaitef3c98ce2020-01-08 16:55:45 -0800[diff] [blame]662 }
663 if (!CopyExact({s3->read_sequence, sizeof(s3->read_sequence)}, &read_seq) ||
664 !CopyExact({s3->write_sequence, sizeof(s3->write_sequence)},
665 &write_seq)) {
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]666 return false;
667 }
668 if (type == handback_after_ecdhe &&
Matthew Braithwaitecc0c2862019-11-26 18:00:21 -0800[diff] [blame]669 (hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
Matthew Braithwaite3e2b3ee2018-05-10 15:46:42 -0700[diff] [blame]670 return false;
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]671 }
Matthew Braithwaite8f299d52020-02-10 16:15:37 -0800[diff] [blame]672 return true; // Trailing data allowed for extensibility.
Adam Langley3fe8fa72018-01-26 09:14:30 -0800[diff] [blame]673}
674
Joshua Liebow-Feeser8c7c6352018-08-26 18:53:36 -0700[diff] [blame]675BSSL_NAMESPACE_END