1 // Copyright 2016 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <utility>
21
22 #include <openssl/bytestring.h>
23 #include <openssl/err.h>
24 #include <openssl/hkdf.h>
25 #include <openssl/mem.h>
26 #include <openssl/stack.h>
27 #include <openssl/x509.h>
28
29 #include "../crypto/internal.h"
30 #include "internal.h"
31
32
33 BSSL_NAMESPACE_BEGIN
34
35 // kMaxKeyUpdates is the number of consecutive KeyUpdates that will be
36 // processed. Without this limit an attacker could force unbounded processing
37 // without being able to return application data.
38 static const uint8_t kMaxKeyUpdates = 32;
39
40 const uint8_t kHelloRetryRequest[SSL3_RANDOM_SIZE] = {
41 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 0xbe, 0x1d, 0x8c,
42 0x02, 0x1e, 0x65, 0xb8, 0x91, 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb,
43 0x8c, 0x5e, 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
44 };
45
46 // See RFC 8446, section 4.1.3.
47 const uint8_t kTLS12DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e,
48 0x47, 0x52, 0x44, 0x00};
49 const uint8_t kTLS13DowngradeRandom[8] = {0x44, 0x4f, 0x57, 0x4e,
50 0x47, 0x52, 0x44, 0x01};
51
52 // This is a non-standard randomly-generated value.
53 const uint8_t kJDK11DowngradeRandom[8] = {0xed, 0xbf, 0xb4, 0xa8,
54 0xc2, 0x47, 0x10, 0xff};
55
tls13_get_cert_verify_signature_input(SSL_HANDSHAKE * hs,Array<uint8_t> * out,enum ssl_cert_verify_context_t cert_verify_context)56 bool tls13_get_cert_verify_signature_input(
57 SSL_HANDSHAKE *hs, Array<uint8_t> *out,
58 enum ssl_cert_verify_context_t cert_verify_context) {
59 ScopedCBB cbb;
60 if (!CBB_init(cbb.get(), 64 + 33 + 1 + 2 * EVP_MAX_MD_SIZE)) {
61 return false;
62 }
63
64 for (size_t i = 0; i < 64; i++) {
65 if (!CBB_add_u8(cbb.get(), 0x20)) {
66 return false;
67 }
68 }
69
70 Span<const char> context;
71 if (cert_verify_context == ssl_cert_verify_server) {
72 static const char kContext[] = "TLS 1.3, server CertificateVerify";
73 context = kContext;
74 } else if (cert_verify_context == ssl_cert_verify_client) {
75 static const char kContext[] = "TLS 1.3, client CertificateVerify";
76 context = kContext;
77 } else if (cert_verify_context == ssl_cert_verify_channel_id) {
78 static const char kContext[] = "TLS 1.3, Channel ID";
79 context = kContext;
80 } else {
81 return false;
82 }
83
84 // Note |context| includes the NUL byte separator.
85 if (!CBB_add_bytes(cbb.get(),
86 reinterpret_cast<const uint8_t *>(context.data()),
87 context.size())) {
88 return false;
89 }
90
91 uint8_t context_hash[EVP_MAX_MD_SIZE];
92 size_t context_hash_len;
93 if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||
94 !CBB_add_bytes(cbb.get(), context_hash, context_hash_len) ||
95 !CBBFinishArray(cbb.get(), out)) {
96 return false;
97 }
98
99 return true;
100 }
101
tls13_process_certificate(SSL_HANDSHAKE * hs,const SSLMessage & msg,bool allow_anonymous)102 bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
103 bool allow_anonymous) {
104 SSL *const ssl = hs->ssl;
105 CBS body = msg.body;
106 bssl::UniquePtr<CRYPTO_BUFFER> decompressed;
107
108 if (msg.type == SSL3_MT_COMPRESSED_CERTIFICATE) {
109 CBS compressed;
110 uint16_t alg_id;
111 uint32_t uncompressed_len;
112
113 if (!CBS_get_u16(&body, &alg_id) ||
114 !CBS_get_u24(&body, &uncompressed_len) ||
115 !CBS_get_u24_length_prefixed(&body, &compressed) ||
116 CBS_len(&body) != 0) {
117 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
118 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
119 return false;
120 }
121
122 if (uncompressed_len > ssl->max_cert_list) {
123 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
124 OPENSSL_PUT_ERROR(SSL, SSL_R_UNCOMPRESSED_CERT_TOO_LARGE);
125 ERR_add_error_dataf("requested=%u",
126 static_cast<unsigned>(uncompressed_len));
127 return false;
128 }
129
130 ssl_cert_decompression_func_t decompress = nullptr;
131 for (const auto &alg : ssl->ctx->cert_compression_algs) {
132 if (alg.alg_id == alg_id) {
133 decompress = alg.decompress;
134 break;
135 }
136 }
137
138 if (decompress == nullptr) {
139 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
140 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERT_COMPRESSION_ALG);
141 ERR_add_error_dataf("alg=%d", static_cast<int>(alg_id));
142 return false;
143 }
144
145 CRYPTO_BUFFER *decompressed_ptr = nullptr;
146 if (!decompress(ssl, &decompressed_ptr, uncompressed_len,
147 CBS_data(&compressed), CBS_len(&compressed))) {
148 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
149 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_DECOMPRESSION_FAILED);
150 ERR_add_error_dataf("alg=%d", static_cast<int>(alg_id));
151 return false;
152 }
153 decompressed.reset(decompressed_ptr);
154
155 if (CRYPTO_BUFFER_len(decompressed_ptr) != uncompressed_len) {
156 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
157 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_DECOMPRESSION_FAILED);
158 ERR_add_error_dataf(
159 "alg=%d got=%u expected=%u", static_cast<int>(alg_id),
160 static_cast<unsigned>(CRYPTO_BUFFER_len(decompressed_ptr)),
161 static_cast<unsigned>(uncompressed_len));
162 return false;
163 }
164
165 CBS_init(&body, CRYPTO_BUFFER_data(decompressed_ptr),
166 CRYPTO_BUFFER_len(decompressed_ptr));
167 } else {
168 assert(msg.type == SSL3_MT_CERTIFICATE);
169 }
170
171 CBS context, certificate_list;
172 if (!CBS_get_u8_length_prefixed(&body, &context) || //
173 CBS_len(&context) != 0 || //
174 !CBS_get_u24_length_prefixed(&body, &certificate_list) || //
175 CBS_len(&body) != 0) {
176 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
177 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
178 return false;
179 }
180
181 UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs(sk_CRYPTO_BUFFER_new_null());
182 if (!certs) {
183 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
184 return false;
185 }
186
187 const bool retain_sha256 =
188 ssl->server && hs->config->retain_only_sha256_of_client_certs;
189 UniquePtr<EVP_PKEY> pkey;
190 while (CBS_len(&certificate_list) > 0) {
191 CBS certificate, extensions;
192 if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||
193 !CBS_get_u16_length_prefixed(&certificate_list, &extensions) ||
194 CBS_len(&certificate) == 0) {
195 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
196 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
197 return false;
198 }
199
200 const bool is_leaf = sk_CRYPTO_BUFFER_num(certs.get()) == 0;
201 if (is_leaf) {
202 pkey = ssl_cert_parse_pubkey(&certificate);
203 if (!pkey) {
204 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
205 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
206 return false;
207 }
208 // TLS 1.3 always uses certificate keys for signing thus the correct
209 // keyUsage is enforced.
210 if (!ssl_cert_check_key_usage(&certificate,
211 key_usage_digital_signature)) {
212 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
213 return false;
214 }
215
216 if (retain_sha256) {
217 // Retain the hash of the leaf certificate if requested.
218 SHA256(CBS_data(&certificate), CBS_len(&certificate),
219 hs->new_session->peer_sha256);
220 }
221 }
222
223 UniquePtr<CRYPTO_BUFFER> buf(
224 CRYPTO_BUFFER_new_from_CBS(&certificate, ssl->ctx->pool));
225 if (!buf || //
226 !PushToStack(certs.get(), std::move(buf))) {
227 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
228 return false;
229 }
230
231 // Parse out the extensions.
232 SSLExtension status_request(
233 TLSEXT_TYPE_status_request,
234 !ssl->server && hs->config->ocsp_stapling_enabled);
235 SSLExtension sct(
236 TLSEXT_TYPE_certificate_timestamp,
237 !ssl->server && hs->config->signed_cert_timestamps_enabled);
238 SSLExtension trust_anchors(
239 TLSEXT_TYPE_trust_anchors,
240 !ssl->server && is_leaf &&
241 hs->config->requested_trust_anchors.has_value());
242 uint8_t alert = SSL_AD_DECODE_ERROR;
243 if (!ssl_parse_extensions(&extensions, &alert,
244 {&status_request, &sct, &trust_anchors},
245 /*ignore_unknown=*/false)) {
246 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
247 return false;
248 }
249
250 // All Certificate extensions are parsed, but only the leaf extensions are
251 // stored.
252 if (status_request.present) {
253 uint8_t status_type;
254 CBS ocsp_response;
255 if (!CBS_get_u8(&status_request.data, &status_type) ||
256 status_type != TLSEXT_STATUSTYPE_ocsp ||
257 !CBS_get_u24_length_prefixed(&status_request.data, &ocsp_response) ||
258 CBS_len(&ocsp_response) == 0 || CBS_len(&status_request.data) != 0) {
259 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
260 return false;
261 }
262
263 if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
264 hs->new_session->ocsp_response.reset(
265 CRYPTO_BUFFER_new_from_CBS(&ocsp_response, ssl->ctx->pool));
266 if (hs->new_session->ocsp_response == nullptr) {
267 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
268 return false;
269 }
270 }
271 }
272
273 if (sct.present) {
274 if (!ssl_is_sct_list_valid(&sct.data)) {
275 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
276 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
277 return false;
278 }
279
280 if (sk_CRYPTO_BUFFER_num(certs.get()) == 1) {
281 hs->new_session->signed_cert_timestamp_list.reset(
282 CRYPTO_BUFFER_new_from_CBS(&sct.data, ssl->ctx->pool));
283 if (hs->new_session->signed_cert_timestamp_list == nullptr) {
284 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
285 return false;
286 }
287 }
288 }
289
290 if (trust_anchors.present) {
291 if (CBS_len(&trust_anchors.data) != 0) {
292 OPENSSL_PUT_ERROR(SSL, SSL_R_ERROR_PARSING_EXTENSION);
293 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
294 return false;
295 }
296 hs->peer_matched_trust_anchor = true;
297 }
298 }
299
300 // Store a null certificate list rather than an empty one if the peer didn't
301 // send certificates.
302 if (sk_CRYPTO_BUFFER_num(certs.get()) == 0) {
303 certs.reset();
304 }
305
306 hs->peer_pubkey = std::move(pkey);
307 hs->new_session->certs = std::move(certs);
308
309 if (!ssl->ctx->x509_method->session_cache_objects(hs->new_session.get())) {
310 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
311 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
312 return false;
313 }
314
315 if (sk_CRYPTO_BUFFER_num(hs->new_session->certs.get()) == 0) {
316 if (!allow_anonymous) {
317 OPENSSL_PUT_ERROR(SSL, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
318 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_CERTIFICATE_REQUIRED);
319 return false;
320 }
321
322 // OpenSSL returns X509_V_OK when no certificates are requested. This is
323 // classed by them as a bug, but it's assumed by at least NGINX.
324 hs->new_session->verify_result = X509_V_OK;
325
326 // No certificate, so nothing more to do.
327 return true;
328 }
329
330 hs->new_session->peer_sha256_valid = retain_sha256;
331 return true;
332 }
333
tls13_process_certificate_verify(SSL_HANDSHAKE * hs,const SSLMessage & msg)334 bool tls13_process_certificate_verify(SSL_HANDSHAKE *hs,
335 const SSLMessage &msg) {
336 SSL *const ssl = hs->ssl;
337 if (hs->peer_pubkey == NULL) {
338 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
339 return false;
340 }
341
342 CBS body = msg.body, signature;
343 uint16_t signature_algorithm;
344 if (!CBS_get_u16(&body, &signature_algorithm) || //
345 !CBS_get_u16_length_prefixed(&body, &signature) || //
346 CBS_len(&body) != 0) {
347 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
348 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
349 return false;
350 }
351
352 uint8_t alert = SSL_AD_DECODE_ERROR;
353 if (!tls12_check_peer_sigalg(hs, &alert, signature_algorithm,
354 hs->peer_pubkey.get())) {
355 ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
356 return false;
357 }
358 hs->new_session->peer_signature_algorithm = signature_algorithm;
359
360 Array<uint8_t> input;
361 if (!tls13_get_cert_verify_signature_input(
362 hs, &input,
363 ssl->server ? ssl_cert_verify_client : ssl_cert_verify_server)) {
364 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
365 return false;
366 }
367
368 if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
369 hs->peer_pubkey.get(), input)) {
370 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
371 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
372 return false;
373 }
374
375 return true;
376 }
377
tls13_process_finished(SSL_HANDSHAKE * hs,const SSLMessage & msg,bool use_saved_value)378 bool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
379 bool use_saved_value) {
380 SSL *const ssl = hs->ssl;
381 uint8_t verify_data_buf[EVP_MAX_MD_SIZE];
382 Span<const uint8_t> verify_data;
383 if (use_saved_value) {
384 assert(ssl->server);
385 verify_data = hs->expected_client_finished;
386 } else {
387 size_t len;
388 if (!tls13_finished_mac(hs, verify_data_buf, &len, !ssl->server)) {
389 return false;
390 }
391 verify_data = Span(verify_data_buf, len);
392 }
393
394 bool finished_ok =
395 CBS_mem_equal(&msg.body, verify_data.data(), verify_data.size());
396 if (CRYPTO_fuzzer_mode_enabled()) {
397 finished_ok = true;
398 }
399 if (!finished_ok) {
400 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
401 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
402 return false;
403 }
404
405 return true;
406 }
407
tls13_add_certificate(SSL_HANDSHAKE * hs)408 bool tls13_add_certificate(SSL_HANDSHAKE *hs) {
409 SSL *const ssl = hs->ssl;
410 const SSL_CREDENTIAL *cred = hs->credential.get();
411
412 ScopedCBB cbb;
413 CBB *body, body_storage, certificate_list;
414
415 if (hs->cert_compression_negotiated) {
416 if (!CBB_init(cbb.get(), 1024)) {
417 return false;
418 }
419 body = cbb.get();
420 } else {
421 body = &body_storage;
422 if (!ssl->method->init_message(ssl, cbb.get(), body, SSL3_MT_CERTIFICATE)) {
423 return false;
424 }
425 }
426
427 if ( // The request context is always empty in the handshake.
428 !CBB_add_u8(body, 0) ||
429 !CBB_add_u24_length_prefixed(body, &certificate_list)) {
430 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
431 return false;
432 }
433
434 if (hs->credential == nullptr) {
435 return ssl_add_message_cbb(ssl, cbb.get());
436 }
437
438 assert(hs->credential->UsesX509());
439 CRYPTO_BUFFER *leaf_buf = sk_CRYPTO_BUFFER_value(cred->chain.get(), 0);
440 CBB leaf, extensions;
441 if (!CBB_add_u24_length_prefixed(&certificate_list, &leaf) ||
442 !CBB_add_bytes(&leaf, CRYPTO_BUFFER_data(leaf_buf),
443 CRYPTO_BUFFER_len(leaf_buf)) ||
444 !CBB_add_u16_length_prefixed(&certificate_list, &extensions)) {
445 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
446 return false;
447 }
448
449 if (hs->scts_requested && cred->signed_cert_timestamp_list != nullptr) {
450 CBB contents;
451 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_certificate_timestamp) ||
452 !CBB_add_u16_length_prefixed(&extensions, &contents) ||
453 !CBB_add_bytes(
454 &contents,
455 CRYPTO_BUFFER_data(cred->signed_cert_timestamp_list.get()),
456 CRYPTO_BUFFER_len(cred->signed_cert_timestamp_list.get())) ||
457 !CBB_flush(&extensions)) {
458 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
459 return false;
460 }
461 }
462
463 if (hs->ocsp_stapling_requested && cred->ocsp_response != NULL) {
464 CBB contents, ocsp_response;
465 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_status_request) ||
466 !CBB_add_u16_length_prefixed(&extensions, &contents) ||
467 !CBB_add_u8(&contents, TLSEXT_STATUSTYPE_ocsp) ||
468 !CBB_add_u24_length_prefixed(&contents, &ocsp_response) ||
469 !CBB_add_bytes(&ocsp_response,
470 CRYPTO_BUFFER_data(cred->ocsp_response.get()),
471 CRYPTO_BUFFER_len(cred->ocsp_response.get())) ||
472 !CBB_flush(&extensions)) {
473 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
474 return false;
475 }
476 }
477
478 if (cred->type == SSLCredentialType::kDelegated) {
479 CBB child;
480 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_delegated_credential) ||
481 !CBB_add_u16_length_prefixed(&extensions, &child) ||
482 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cred->dc.get()),
483 CRYPTO_BUFFER_len(cred->dc.get())) ||
484 !CBB_flush(&extensions)) {
485 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
486 return false;
487 }
488 }
489
490 if (hs->matched_peer_trust_anchor) {
491 // Let the peer know we matched a requested trust anchor.
492 CBB empty_contents;
493 if (!CBB_add_u16(&extensions, TLSEXT_TYPE_trust_anchors) || //
494 !CBB_add_u16_length_prefixed(&extensions, &empty_contents) || //
495 !CBB_flush(&extensions)) {
496 return false;
497 }
498 }
499
500 for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cred->chain.get()); i++) {
501 CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cred->chain.get(), i);
502 CBB child;
503 if (!CBB_add_u24_length_prefixed(&certificate_list, &child) ||
504 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(cert_buf),
505 CRYPTO_BUFFER_len(cert_buf)) ||
506 !CBB_add_u16(&certificate_list, 0 /* no extensions */)) {
507 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
508 return false;
509 }
510 }
511
512 if (!hs->cert_compression_negotiated) {
513 return ssl_add_message_cbb(ssl, cbb.get());
514 }
515
516 Array<uint8_t> msg;
517 if (!CBBFinishArray(cbb.get(), &msg)) {
518 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
519 return false;
520 }
521
522 const CertCompressionAlg *alg = nullptr;
523 for (const auto &candidate : ssl->ctx->cert_compression_algs) {
524 if (candidate.alg_id == hs->cert_compression_alg_id) {
525 alg = &candidate;
526 break;
527 }
528 }
529
530 if (alg == nullptr || alg->compress == nullptr) {
531 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
532 return false;
533 }
534
535 CBB compressed;
536 body = &body_storage;
537 if (!ssl->method->init_message(ssl, cbb.get(), body,
538 SSL3_MT_COMPRESSED_CERTIFICATE) ||
539 !CBB_add_u16(body, hs->cert_compression_alg_id) ||
540 msg.size() > (1u << 24) - 1 || //
541 !CBB_add_u24(body, static_cast<uint32_t>(msg.size())) ||
542 !CBB_add_u24_length_prefixed(body, &compressed)) {
543 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
544 return false;
545 }
546
547 SSL_HANDSHAKE_HINTS *const hints = hs->hints.get();
548 if (hints && !hs->hints_requested &&
549 hints->cert_compression_alg_id == hs->cert_compression_alg_id &&
550 hints->cert_compression_input == Span(msg) &&
551 !hints->cert_compression_output.empty()) {
552 if (!CBB_add_bytes(&compressed, hints->cert_compression_output.data(),
553 hints->cert_compression_output.size())) {
554 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
555 return false;
556 }
557 } else {
558 if (!alg->compress(ssl, &compressed, msg.data(), msg.size())) {
559 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
560 return false;
561 }
562 if (hints && hs->hints_requested) {
563 hints->cert_compression_alg_id = hs->cert_compression_alg_id;
564 if (!hints->cert_compression_input.CopyFrom(msg) ||
565 !hints->cert_compression_output.CopyFrom(
566 Span(CBB_data(&compressed), CBB_len(&compressed)))) {
567 return false;
568 }
569 }
570 }
571
572 if (!ssl_add_message_cbb(ssl, cbb.get())) {
573 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
574 return false;
575 }
576
577 return true;
578 }
579
tls13_add_certificate_verify(SSL_HANDSHAKE * hs)580 enum ssl_private_key_result_t tls13_add_certificate_verify(SSL_HANDSHAKE *hs) {
581 SSL *const ssl = hs->ssl;
582 assert(hs->signature_algorithm != 0);
583 ScopedCBB cbb;
584 CBB body;
585 if (!ssl->method->init_message(ssl, cbb.get(), &body,
586 SSL3_MT_CERTIFICATE_VERIFY) ||
587 !CBB_add_u16(&body, hs->signature_algorithm)) {
588 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
589 return ssl_private_key_failure;
590 }
591
592 CBB child;
593 const size_t max_sig_len = EVP_PKEY_size(hs->credential->pubkey.get());
594 uint8_t *sig;
595 size_t sig_len;
596 if (!CBB_add_u16_length_prefixed(&body, &child) ||
597 !CBB_reserve(&child, &sig, max_sig_len)) {
598 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
599 return ssl_private_key_failure;
600 }
601
602 Array<uint8_t> msg;
603 if (!tls13_get_cert_verify_signature_input(
604 hs, &msg,
605 ssl->server ? ssl_cert_verify_server : ssl_cert_verify_client)) {
606 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
607 return ssl_private_key_failure;
608 }
609
610 enum ssl_private_key_result_t sign_result = ssl_private_key_sign(
611 hs, sig, &sig_len, max_sig_len, hs->signature_algorithm, msg);
612 if (sign_result != ssl_private_key_success) {
613 return sign_result;
614 }
615
616 if (!CBB_did_write(&child, sig_len) || //
617 !ssl_add_message_cbb(ssl, cbb.get())) {
618 return ssl_private_key_failure;
619 }
620
621 return ssl_private_key_success;
622 }
623
tls13_add_finished(SSL_HANDSHAKE * hs)624 bool tls13_add_finished(SSL_HANDSHAKE *hs) {
625 SSL *const ssl = hs->ssl;
626 size_t verify_data_len;
627 uint8_t verify_data[EVP_MAX_MD_SIZE];
628
629 if (!tls13_finished_mac(hs, verify_data, &verify_data_len, ssl->server)) {
630 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
631 OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);
632 return false;
633 }
634
635 ScopedCBB cbb;
636 CBB body;
637 if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||
638 !CBB_add_bytes(&body, verify_data, verify_data_len) ||
639 !ssl_add_message_cbb(ssl, cbb.get())) {
640 return false;
641 }
642
643 return true;
644 }
645
tls13_add_key_update(SSL * ssl,int request_type)646 bool tls13_add_key_update(SSL *ssl, int request_type) {
647 if (ssl->s3->key_update_pending) {
648 return true;
649 }
650
651 // We do not support multiple parallel outgoing flights. If there is an
652 // outgoing flight pending, queue the KeyUpdate for later.
653 if (SSL_is_dtls(ssl) && !ssl->d1->outgoing_messages.empty()) {
654 ssl->d1->queued_key_update = request_type == SSL_KEY_UPDATE_REQUESTED
655 ? QueuedKeyUpdate::kUpdateRequested
656 : QueuedKeyUpdate::kUpdateNotRequested;
657 return true;
658 }
659
660 ScopedCBB cbb;
661 CBB body_cbb;
662 if (!ssl->method->init_message(ssl, cbb.get(), &body_cbb,
663 SSL3_MT_KEY_UPDATE) ||
664 !CBB_add_u8(&body_cbb, request_type) ||
665 !ssl_add_message_cbb(ssl, cbb.get())) {
666 return false;
667 }
668
669 // In DTLS, the actual key update is deferred until KeyUpdate is ACKed.
670 if (!SSL_is_dtls(ssl) && !tls13_rotate_traffic_key(ssl, evp_aead_seal)) {
671 return false;
672 }
673
674 // Suppress KeyUpdate acknowledgments until this change is written to the
675 // wire. This prevents us from accumulating write obligations when read and
676 // write progress at different rates. See RFC 8446, section 4.6.3.
677 ssl->s3->key_update_pending = true;
678 ssl->method->finish_flight(ssl);
679 return true;
680 }
681
tls13_receive_key_update(SSL * ssl,const SSLMessage & msg)682 static bool tls13_receive_key_update(SSL *ssl, const SSLMessage &msg) {
683 CBS body = msg.body;
684 uint8_t key_update_request;
685 if (!CBS_get_u8(&body, &key_update_request) || //
686 CBS_len(&body) != 0 || //
687 (key_update_request != SSL_KEY_UPDATE_NOT_REQUESTED && //
688 key_update_request != SSL_KEY_UPDATE_REQUESTED)) {
689 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
690 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
691 return false;
692 }
693
694 if (!tls13_rotate_traffic_key(ssl, evp_aead_open)) {
695 return false;
696 }
697
698 // Acknowledge the KeyUpdate
699 if (key_update_request == SSL_KEY_UPDATE_REQUESTED &&
700 !tls13_add_key_update(ssl, SSL_KEY_UPDATE_NOT_REQUESTED)) {
701 return false;
702 }
703
704 return true;
705 }
706
tls13_post_handshake(SSL * ssl,const SSLMessage & msg)707 bool tls13_post_handshake(SSL *ssl, const SSLMessage &msg) {
708 if (msg.type == SSL3_MT_NEW_SESSION_TICKET && !ssl->server) {
709 return tls13_process_new_session_ticket(ssl, msg);
710 }
711
712 if (msg.type == SSL3_MT_KEY_UPDATE) {
713 ssl->s3->key_update_count++;
714 if (SSL_is_quic(ssl) || ssl->s3->key_update_count > kMaxKeyUpdates) {
715 OPENSSL_PUT_ERROR(SSL, SSL_R_TOO_MANY_KEY_UPDATES);
716 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
717 return false;
718 }
719
720 return tls13_receive_key_update(ssl, msg);
721 }
722
723 ssl->s3->key_update_count = 0;
724
725 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
726 OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
727 return false;
728 }
729
730 BSSL_NAMESPACE_END
731