1 // Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include <openssl/ssl.h>
16
17 #include <assert.h>
18 #include <string.h>
19
20 #include <openssl/err.h>
21
22 #include "../crypto/internal.h"
23 #include "internal.h"
24
25
26 BSSL_NAMESPACE_BEGIN
27
tls_on_handshake_complete(SSL * ssl)28 static void tls_on_handshake_complete(SSL *ssl) {
29 // The handshake should have released its final message.
30 assert(!ssl->s3->has_message);
31
32 // During the handshake, |hs_buf| is retained. Release if it there is no
33 // excess in it. There should not be any excess because the handshake logic
34 // rejects unprocessed data after each Finished message. Note this means we do
35 // not allow a TLS 1.2 HelloRequest to be packed into the same record as
36 // Finished. (Schannel also rejects this.)
37 assert(!ssl->s3->hs_buf || ssl->s3->hs_buf->length == 0);
38 if (ssl->s3->hs_buf && ssl->s3->hs_buf->length == 0) {
39 ssl->s3->hs_buf.reset();
40 }
41 }
42
tls_set_read_state(SSL * ssl,ssl_encryption_level_t level,UniquePtr<SSLAEADContext> aead_ctx,Span<const uint8_t> traffic_secret)43 static bool tls_set_read_state(SSL *ssl, ssl_encryption_level_t level,
44 UniquePtr<SSLAEADContext> aead_ctx,
45 Span<const uint8_t> traffic_secret) {
46 // Cipher changes are forbidden if the current epoch has leftover data.
47 if (tls_has_unprocessed_handshake_data(ssl)) {
48 OPENSSL_PUT_ERROR(SSL, SSL_R_EXCESS_HANDSHAKE_DATA);
49 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
50 return false;
51 }
52
53 if (SSL_is_quic(ssl)) {
54 if ((ssl->s3->hs == nullptr || !ssl->s3->hs->hints_requested) &&
55 !ssl->quic_method->set_read_secret(ssl, level, aead_ctx->cipher(),
56 traffic_secret.data(),
57 traffic_secret.size())) {
58 return false;
59 }
60
61 // QUIC only uses |ssl| for handshake messages, which never use early data
62 // keys, so we return without installing anything. This avoids needing to
63 // have two secrets active at once in 0-RTT.
64 if (level == ssl_encryption_early_data) {
65 return true;
66 }
67 ssl->s3->quic_read_level = level;
68 }
69
70 ssl->s3->read_sequence = 0;
71 ssl->s3->aead_read_ctx = std::move(aead_ctx);
72 return true;
73 }
74
tls_set_write_state(SSL * ssl,ssl_encryption_level_t level,UniquePtr<SSLAEADContext> aead_ctx,Span<const uint8_t> traffic_secret)75 static bool tls_set_write_state(SSL *ssl, ssl_encryption_level_t level,
76 UniquePtr<SSLAEADContext> aead_ctx,
77 Span<const uint8_t> traffic_secret) {
78 if (!tls_flush_pending_hs_data(ssl)) {
79 return false;
80 }
81
82 if (SSL_is_quic(ssl)) {
83 if ((ssl->s3->hs == nullptr || !ssl->s3->hs->hints_requested) &&
84 !ssl->quic_method->set_write_secret(ssl, level, aead_ctx->cipher(),
85 traffic_secret.data(),
86 traffic_secret.size())) {
87 return false;
88 }
89
90 // QUIC only uses |ssl| for handshake messages, which never use early data
91 // keys, so we return without installing anything. This avoids needing to
92 // have two secrets active at once in 0-RTT.
93 if (level == ssl_encryption_early_data) {
94 return true;
95 }
96 ssl->s3->quic_write_level = level;
97 }
98
99 ssl->s3->write_sequence = 0;
100 ssl->s3->aead_write_ctx = std::move(aead_ctx);
101 return true;
102 }
103
tls_finish_flight(SSL * ssl)104 static void tls_finish_flight(SSL *ssl) {
105 // We don't track whether a flight is complete in TLS and instead always flush
106 // every queued message in |tls_flush|, whether the flight is complete or not.
107 }
108
tls_schedule_ack(SSL * ssl)109 static void tls_schedule_ack(SSL *ssl) {
110 // TLS does not use ACKs.
111 }
112
113 static const SSL_PROTOCOL_METHOD kTLSProtocolMethod = {
114 false /* is_dtls */,
115 tls_new,
116 tls_free,
117 tls_get_message,
118 tls_next_message,
119 tls_has_unprocessed_handshake_data,
120 tls_open_handshake,
121 tls_open_change_cipher_spec,
122 tls_open_app_data,
123 tls_write_app_data,
124 tls_dispatch_alert,
125 tls_init_message,
126 tls_finish_message,
127 tls_add_message,
128 tls_add_change_cipher_spec,
129 tls_finish_flight,
130 tls_schedule_ack,
131 tls_flush,
132 tls_on_handshake_complete,
133 tls_set_read_state,
134 tls_set_write_state,
135 };
136
ssl_noop_x509_check_client_CA_names(STACK_OF (CRYPTO_BUFFER)* names)137 static bool ssl_noop_x509_check_client_CA_names(
138 STACK_OF(CRYPTO_BUFFER) *names) {
139 return true;
140 }
141
ssl_noop_x509_clear(CERT * cert)142 static void ssl_noop_x509_clear(CERT *cert) {}
ssl_noop_x509_free(CERT * cert)143 static void ssl_noop_x509_free(CERT *cert) {}
ssl_noop_x509_dup(CERT * new_cert,const CERT * cert)144 static void ssl_noop_x509_dup(CERT *new_cert, const CERT *cert) {}
ssl_noop_x509_flush_cached_leaf(CERT * cert)145 static void ssl_noop_x509_flush_cached_leaf(CERT *cert) {}
ssl_noop_x509_flush_cached_chain(CERT * cert)146 static void ssl_noop_x509_flush_cached_chain(CERT *cert) {}
ssl_noop_x509_session_cache_objects(SSL_SESSION * sess)147 static bool ssl_noop_x509_session_cache_objects(SSL_SESSION *sess) {
148 return true;
149 }
ssl_noop_x509_session_dup(SSL_SESSION * new_session,const SSL_SESSION * session)150 static bool ssl_noop_x509_session_dup(SSL_SESSION *new_session,
151 const SSL_SESSION *session) {
152 return true;
153 }
ssl_noop_x509_session_clear(SSL_SESSION * session)154 static void ssl_noop_x509_session_clear(SSL_SESSION *session) {}
ssl_noop_x509_session_verify_cert_chain(SSL_SESSION * session,SSL_HANDSHAKE * hs,uint8_t * out_alert)155 static bool ssl_noop_x509_session_verify_cert_chain(SSL_SESSION *session,
156 SSL_HANDSHAKE *hs,
157 uint8_t *out_alert) {
158 return false;
159 }
160
ssl_noop_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE * hs)161 static void ssl_noop_x509_hs_flush_cached_ca_names(SSL_HANDSHAKE *hs) {}
ssl_noop_x509_ssl_new(SSL_HANDSHAKE * hs)162 static bool ssl_noop_x509_ssl_new(SSL_HANDSHAKE *hs) { return true; }
ssl_noop_x509_ssl_config_free(SSL_CONFIG * cfg)163 static void ssl_noop_x509_ssl_config_free(SSL_CONFIG *cfg) {}
ssl_noop_x509_ssl_flush_cached_client_CA(SSL_CONFIG * cfg)164 static void ssl_noop_x509_ssl_flush_cached_client_CA(SSL_CONFIG *cfg) {}
ssl_noop_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE * hs)165 static bool ssl_noop_x509_ssl_auto_chain_if_needed(SSL_HANDSHAKE *hs) {
166 return true;
167 }
ssl_noop_x509_ssl_ctx_new(SSL_CTX * ctx)168 static bool ssl_noop_x509_ssl_ctx_new(SSL_CTX *ctx) { return true; }
ssl_noop_x509_ssl_ctx_free(SSL_CTX * ctx)169 static void ssl_noop_x509_ssl_ctx_free(SSL_CTX *ctx) {}
ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX * ctx)170 static void ssl_noop_x509_ssl_ctx_flush_cached_client_CA(SSL_CTX *ctx) {}
171
172 const SSL_X509_METHOD ssl_noop_x509_method = {
173 ssl_noop_x509_check_client_CA_names,
174 ssl_noop_x509_clear,
175 ssl_noop_x509_free,
176 ssl_noop_x509_dup,
177 ssl_noop_x509_flush_cached_chain,
178 ssl_noop_x509_flush_cached_leaf,
179 ssl_noop_x509_session_cache_objects,
180 ssl_noop_x509_session_dup,
181 ssl_noop_x509_session_clear,
182 ssl_noop_x509_session_verify_cert_chain,
183 ssl_noop_x509_hs_flush_cached_ca_names,
184 ssl_noop_x509_ssl_new,
185 ssl_noop_x509_ssl_config_free,
186 ssl_noop_x509_ssl_flush_cached_client_CA,
187 ssl_noop_x509_ssl_auto_chain_if_needed,
188 ssl_noop_x509_ssl_ctx_new,
189 ssl_noop_x509_ssl_ctx_free,
190 ssl_noop_x509_ssl_ctx_flush_cached_client_CA,
191 };
192
193 BSSL_NAMESPACE_END
194
195 using namespace bssl;
196
TLS_method(void)197 const SSL_METHOD *TLS_method(void) {
198 static const SSL_METHOD kMethod = {
199 0,
200 &kTLSProtocolMethod,
201 &ssl_crypto_x509_method,
202 };
203 return &kMethod;
204 }
205
SSLv23_method(void)206 const SSL_METHOD *SSLv23_method(void) { return TLS_method(); }
207
TLS_with_buffers_method(void)208 const SSL_METHOD *TLS_with_buffers_method(void) {
209 static const SSL_METHOD kMethod = {
210 0,
211 &kTLSProtocolMethod,
212 &ssl_noop_x509_method,
213 };
214 return &kMethod;
215 }
216
217 // Legacy version-locked methods.
218
TLSv1_2_method(void)219 const SSL_METHOD *TLSv1_2_method(void) {
220 static const SSL_METHOD kMethod = {
221 TLS1_2_VERSION,
222 &kTLSProtocolMethod,
223 &ssl_crypto_x509_method,
224 };
225 return &kMethod;
226 }
227
TLSv1_1_method(void)228 const SSL_METHOD *TLSv1_1_method(void) {
229 static const SSL_METHOD kMethod = {
230 TLS1_1_VERSION,
231 &kTLSProtocolMethod,
232 &ssl_crypto_x509_method,
233 };
234 return &kMethod;
235 }
236
TLSv1_method(void)237 const SSL_METHOD *TLSv1_method(void) {
238 static const SSL_METHOD kMethod = {
239 TLS1_VERSION,
240 &kTLSProtocolMethod,
241 &ssl_crypto_x509_method,
242 };
243 return &kMethod;
244 }
245
246 // Legacy side-specific methods.
247
TLSv1_2_server_method(void)248 const SSL_METHOD *TLSv1_2_server_method(void) { return TLSv1_2_method(); }
249
TLSv1_1_server_method(void)250 const SSL_METHOD *TLSv1_1_server_method(void) { return TLSv1_1_method(); }
251
TLSv1_server_method(void)252 const SSL_METHOD *TLSv1_server_method(void) { return TLSv1_method(); }
253
TLSv1_2_client_method(void)254 const SSL_METHOD *TLSv1_2_client_method(void) { return TLSv1_2_method(); }
255
TLSv1_1_client_method(void)256 const SSL_METHOD *TLSv1_1_client_method(void) { return TLSv1_1_method(); }
257
TLSv1_client_method(void)258 const SSL_METHOD *TLSv1_client_method(void) { return TLSv1_method(); }
259
SSLv23_server_method(void)260 const SSL_METHOD *SSLv23_server_method(void) { return SSLv23_method(); }
261
SSLv23_client_method(void)262 const SSL_METHOD *SSLv23_client_method(void) { return SSLv23_method(); }
263
TLS_server_method(void)264 const SSL_METHOD *TLS_server_method(void) { return TLS_method(); }
265
TLS_client_method(void)266 const SSL_METHOD *TLS_client_method(void) { return TLS_method(); }
267