1 /* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <openssl/ssl3.h>
19
20 #include "bytestring.h"
21 #include "ssl_local.h"
22 #include "ssl_sigalgs.h"
23 #include "ssl_tlsext.h"
24 #include "tls13_handshake.h"
25 #include "tls13_internal.h"
26
27 int
tls13_client_init(struct tls13_ctx * ctx)28 tls13_client_init(struct tls13_ctx *ctx)
29 {
30 const uint16_t *groups;
31 size_t groups_len;
32 SSL *s = ctx->ssl;
33
34 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
35 &ctx->hs->our_max_tls_version)) {
36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
37 return 0;
38 }
39 s->version = ctx->hs->our_max_tls_version;
40
41 tls13_record_layer_set_retry_after_phh(ctx->rl,
42 (s->mode & SSL_MODE_AUTO_RETRY) != 0);
43
44 if (!ssl_get_new_session(s, 0)) /* XXX */
45 return 0;
46
47 if (!tls1_transcript_init(s))
48 return 0;
49
50 /* Generate a key share using our preferred group. */
51 tls1_get_group_list(s, 0, &groups, &groups_len);
52 if (groups_len < 1)
53 return 0;
54 if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
55 return 0;
56 if (!tls_key_share_generate(ctx->hs->key_share))
57 return 0;
58
59 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
60
61 /*
62 * The legacy session identifier should either be set to an
63 * unpredictable 32-byte value or zero length... a non-zero length
64 * legacy session identifier triggers compatibility mode (see RFC 8446
65 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
66 */
67 if (ctx->middlebox_compat &&
68 ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
69 arc4random_buf(ctx->hs->tls13.legacy_session_id,
70 sizeof(ctx->hs->tls13.legacy_session_id));
71 ctx->hs->tls13.legacy_session_id_len =
72 sizeof(ctx->hs->tls13.legacy_session_id);
73 }
74
75 return 1;
76 }
77
78 int
tls13_client_connect(struct tls13_ctx * ctx)79 tls13_client_connect(struct tls13_ctx *ctx)
80 {
81 if (ctx->mode != TLS13_HS_CLIENT)
82 return TLS13_IO_FAILURE;
83
84 return tls13_handshake_perform(ctx);
85 }
86
87 static int
tls13_client_hello_build(struct tls13_ctx * ctx,CBB * cbb)88 tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
89 {
90 CBB cipher_suites, compression_methods, session_id;
91 uint16_t client_version;
92 SSL *s = ctx->ssl;
93
94 /* Legacy client version is capped at TLS 1.2. */
95 if (!ssl_max_legacy_version(s, &client_version))
96 goto err;
97
98 if (!CBB_add_u16(cbb, client_version))
99 goto err;
100 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
101 goto err;
102
103 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
104 goto err;
105 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
106 ctx->hs->tls13.legacy_session_id_len))
107 goto err;
108
109 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
110 goto err;
111 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) {
112 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
113 goto err;
114 }
115
116 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods))
117 goto err;
118 if (!CBB_add_u8(&compression_methods, 0))
119 goto err;
120
121 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb))
122 goto err;
123
124 if (!CBB_flush(cbb))
125 goto err;
126
127 return 1;
128
129 err:
130 return 0;
131 }
132
133 int
tls13_client_hello_send(struct tls13_ctx * ctx,CBB * cbb)134 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
135 {
136 if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
137 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
138
139 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
140 tls13_record_layer_allow_legacy_alerts(ctx->rl, 1);
141
142 if (!tls13_client_hello_build(ctx, cbb))
143 return 0;
144
145 return 1;
146 }
147
148 int
tls13_client_hello_sent(struct tls13_ctx * ctx)149 tls13_client_hello_sent(struct tls13_ctx *ctx)
150 {
151 tls1_transcript_freeze(ctx->ssl);
152
153 if (ctx->middlebox_compat) {
154 tls13_record_layer_allow_ccs(ctx->rl, 1);
155 ctx->send_dummy_ccs = 1;
156 }
157
158 return 1;
159 }
160
161 static int
tls13_server_hello_is_legacy(CBS * cbs)162 tls13_server_hello_is_legacy(CBS *cbs)
163 {
164 CBS extensions_block, extensions, extension_data;
165 uint16_t selected_version = 0;
166 uint16_t type;
167
168 CBS_dup(cbs, &extensions_block);
169
170 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
171 return 1;
172
173 while (CBS_len(&extensions) > 0) {
174 if (!CBS_get_u16(&extensions, &type))
175 return 1;
176 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
177 return 1;
178
179 if (type != TLSEXT_TYPE_supported_versions)
180 continue;
181 if (!CBS_get_u16(&extension_data, &selected_version))
182 return 1;
183 if (CBS_len(&extension_data) != 0)
184 return 1;
185 }
186
187 return (selected_version < TLS1_3_VERSION);
188 }
189
190 static int
tls13_server_hello_is_retry(CBS * cbs)191 tls13_server_hello_is_retry(CBS *cbs)
192 {
193 CBS server_hello, server_random;
194 uint16_t legacy_version;
195
196 CBS_dup(cbs, &server_hello);
197
198 if (!CBS_get_u16(&server_hello, &legacy_version))
199 return 0;
200 if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE))
201 return 0;
202
203 /* See if this is a HelloRetryRequest. */
204 return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
205 sizeof(tls13_hello_retry_request_hash));
206 }
207
208 static int
tls13_server_hello_process(struct tls13_ctx * ctx,CBS * cbs)209 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
210 {
211 CBS server_random, session_id;
212 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
213 uint16_t cipher_suite, legacy_version;
214 uint8_t compression_method;
215 const SSL_CIPHER *cipher;
216 int alert_desc;
217 SSL *s = ctx->ssl;
218
219 if (!CBS_get_u16(cbs, &legacy_version))
220 goto err;
221 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
222 goto err;
223 if (!CBS_get_u8_length_prefixed(cbs, &session_id))
224 goto err;
225 if (!CBS_get_u16(cbs, &cipher_suite))
226 goto err;
227 if (!CBS_get_u8(cbs, &compression_method))
228 goto err;
229
230 if (tls13_server_hello_is_legacy(cbs)) {
231 if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
232 /*
233 * RFC 8446 section 4.1.3: we must not downgrade if
234 * the server random value contains the TLS 1.2 or 1.1
235 * magical value.
236 */
237 if (!CBS_skip(&server_random, CBS_len(&server_random) -
238 sizeof(tls13_downgrade_12)))
239 goto err;
240 if (CBS_mem_equal(&server_random, tls13_downgrade_12,
241 sizeof(tls13_downgrade_12)) ||
242 CBS_mem_equal(&server_random, tls13_downgrade_11,
243 sizeof(tls13_downgrade_11))) {
244 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
245 goto err;
246 }
247 }
248
249 if (!CBS_skip(cbs, CBS_len(cbs)))
250 goto err;
251
252 ctx->hs->tls13.use_legacy = 1;
253 return 1;
254 }
255
256 /* From here on in we know we are doing TLSv1.3. */
257 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
258 tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
259
260 /* See if this is a HelloRetryRequest. */
261 /* XXX - see if we can avoid doing this twice. */
262 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
263 sizeof(tls13_hello_retry_request_hash))) {
264 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
265 ctx->hs->tls13.hrr = 1;
266 }
267
268 if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
269 ctx->alert = alert_desc;
270 goto err;
271 }
272
273 /*
274 * The supported versions extension indicated 0x0304 or greater.
275 * Ensure that it was 0x0304 and that legacy version is set to 0x0303
276 * (RFC 8446 section 4.2.1).
277 */
278 if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
279 legacy_version != TLS1_2_VERSION) {
280 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
281 goto err;
282 }
283 ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
284 ctx->hs->peer_legacy_version = legacy_version;
285
286 /* The session_id must match. */
287 if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
288 ctx->hs->tls13.legacy_session_id_len)) {
289 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
290 goto err;
291 }
292
293 /*
294 * Ensure that the cipher suite is one that we offered in the client
295 * hello and that it is a TLSv1.3 cipher suite.
296 */
297 cipher = ssl3_get_cipher_by_value(cipher_suite);
298 if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
299 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
300 goto err;
301 }
302 if (cipher->algorithm_ssl != SSL_TLSV1_3) {
303 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
304 goto err;
305 }
306 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) {
307 /*
308 * A ServerHello following a HelloRetryRequest MUST use the same
309 * cipher suite (RFC 8446 section 4.1.4).
310 */
311 if (ctx->hs->cipher != cipher) {
312 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
313 goto err;
314 }
315 }
316 ctx->hs->cipher = cipher;
317
318 if (compression_method != 0) {
319 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
320 goto err;
321 }
322
323 return 1;
324
325 err:
326 if (ctx->alert == 0)
327 ctx->alert = TLS13_ALERT_DECODE_ERROR;
328
329 return 0;
330 }
331
332 static int
tls13_client_engage_record_protection(struct tls13_ctx * ctx)333 tls13_client_engage_record_protection(struct tls13_ctx *ctx)
334 {
335 struct tls13_secrets *secrets;
336 struct tls13_secret context;
337 unsigned char buf[EVP_MAX_MD_SIZE];
338 uint8_t *shared_key = NULL;
339 size_t shared_key_len = 0;
340 size_t hash_len;
341 SSL *s = ctx->ssl;
342 int ret = 0;
343
344 /* Derive the shared key and engage record protection. */
345
346 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
347 &shared_key_len))
348 goto err;
349
350 s->session->cipher_value = ctx->hs->cipher->value;
351 s->session->ssl_version = ctx->hs->tls13.server_version;
352
353 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
354 goto err;
355 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
356 goto err;
357
358 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
359 goto err;
360 ctx->hs->tls13.secrets = secrets;
361
362 /* XXX - pass in hash. */
363 if (!tls1_transcript_hash_init(s))
364 goto err;
365 tls1_transcript_free(s);
366 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
367 goto err;
368 context.data = buf;
369 context.len = hash_len;
370
371 /* Early secrets. */
372 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
373 secrets->zeros.len, &context))
374 goto err;
375
376 /* Handshake secrets. */
377 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
378 shared_key_len, &context))
379 goto err;
380
381 tls13_record_layer_set_aead(ctx->rl, ctx->aead);
382 tls13_record_layer_set_hash(ctx->rl, ctx->hash);
383
384 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
385 &secrets->server_handshake_traffic, ssl_encryption_handshake))
386 goto err;
387 if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
388 &secrets->client_handshake_traffic, ssl_encryption_handshake))
389 goto err;
390
391 ret = 1;
392
393 err:
394 freezero(shared_key, shared_key_len);
395
396 return ret;
397 }
398
399 int
tls13_server_hello_retry_request_recv(struct tls13_ctx * ctx,CBS * cbs)400 tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
401 {
402 /*
403 * The state machine has no way of knowing if we're going to receive a
404 * HelloRetryRequest or a ServerHello. As such, we have to handle
405 * this case here and hand off to the appropriate function.
406 */
407 if (!tls13_server_hello_is_retry(cbs)) {
408 ctx->handshake_stage.hs_type |= WITHOUT_HRR;
409 return tls13_server_hello_recv(ctx, cbs);
410 }
411
412 if (!tls13_server_hello_process(ctx, cbs))
413 return 0;
414
415 /*
416 * This may have been a TLSv1.2 or earlier ServerHello that just
417 * happened to have matching server random...
418 */
419 if (ctx->hs->tls13.use_legacy)
420 return tls13_use_legacy_client(ctx);
421
422 if (!ctx->hs->tls13.hrr)
423 return 0;
424
425 if (!tls13_synthetic_handshake_message(ctx))
426 return 0;
427 if (!tls13_handshake_msg_record(ctx))
428 return 0;
429
430 ctx->hs->tls13.hrr = 0;
431
432 return 1;
433 }
434
435 int
tls13_client_hello_retry_send(struct tls13_ctx * ctx,CBB * cbb)436 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
437 {
438 /*
439 * Ensure that the server supported group is one that we listed in our
440 * supported groups and is not the same as the key share we previously
441 * offered.
442 */
443 if (!tls1_check_group(ctx->ssl, ctx->hs->tls13.server_group))
444 return 0; /* XXX alert */
445 if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share))
446 return 0; /* XXX alert */
447
448 /* Switch to new key share. */
449 tls_key_share_free(ctx->hs->key_share);
450 if ((ctx->hs->key_share =
451 tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
452 return 0;
453 if (!tls_key_share_generate(ctx->hs->key_share))
454 return 0;
455
456 if (!tls13_client_hello_build(ctx, cbb))
457 return 0;
458
459 return 1;
460 }
461
462 int
tls13_server_hello_recv(struct tls13_ctx * ctx,CBS * cbs)463 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
464 {
465 SSL *s = ctx->ssl;
466
467 /*
468 * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3
469 * ServerHello. HelloRetryRequests have already been handled.
470 */
471 if (!tls13_server_hello_process(ctx, cbs))
472 return 0;
473
474 if (ctx->handshake_stage.hs_type & WITHOUT_HRR) {
475 tls1_transcript_unfreeze(s);
476 if (!tls13_handshake_msg_record(ctx))
477 return 0;
478 }
479
480 if (ctx->hs->tls13.use_legacy) {
481 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
482 return 0;
483 return tls13_use_legacy_client(ctx);
484 }
485
486 if (ctx->hs->tls13.hrr) {
487 /* The server has sent two HelloRetryRequests. */
488 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
489 return 0;
490 }
491
492 if (!tls13_client_engage_record_protection(ctx))
493 return 0;
494
495 ctx->handshake_stage.hs_type |= NEGOTIATED;
496
497 return 1;
498 }
499
500 int
tls13_server_encrypted_extensions_recv(struct tls13_ctx * ctx,CBS * cbs)501 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs)
502 {
503 int alert_desc;
504
505 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) {
506 ctx->alert = alert_desc;
507 return 0;
508 }
509
510 return 1;
511 }
512
513 int
tls13_server_certificate_request_recv(struct tls13_ctx * ctx,CBS * cbs)514 tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs)
515 {
516 CBS cert_request_context;
517 int alert_desc;
518
519 /*
520 * Thanks to poor state design in the RFC, this function can be called
521 * when we actually have a certificate message instead of a certificate
522 * request... in that case we call the certificate handler after
523 * switching state, to avoid advancing state.
524 */
525 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) {
526 ctx->handshake_stage.hs_type |= WITHOUT_CR;
527 return tls13_server_certificate_recv(ctx, cbs);
528 }
529
530 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
531 goto err;
532 if (CBS_len(&cert_request_context) != 0)
533 goto err;
534
535 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) {
536 ctx->alert = alert_desc;
537 goto err;
538 }
539
540 return 1;
541
542 err:
543 if (ctx->alert == 0)
544 ctx->alert = TLS13_ALERT_DECODE_ERROR;
545
546 return 0;
547 }
548
549 int
tls13_server_certificate_recv(struct tls13_ctx * ctx,CBS * cbs)550 tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
551 {
552 CBS cert_request_context, cert_list, cert_data;
553 struct stack_st_X509 *certs = NULL;
554 SSL *s = ctx->ssl;
555 X509 *cert = NULL;
556 const uint8_t *p;
557 int alert_desc;
558 int ret = 0;
559
560 if ((certs = sk_X509_new_null()) == NULL)
561 goto err;
562
563 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
564 goto err;
565 if (CBS_len(&cert_request_context) != 0)
566 goto err;
567 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
568 goto err;
569
570 while (CBS_len(&cert_list) > 0) {
571 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
572 goto err;
573
574 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT,
575 &cert_list, &alert_desc)) {
576 ctx->alert = alert_desc;
577 goto err;
578 }
579
580 p = CBS_data(&cert_data);
581 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
582 goto err;
583 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
584 goto err;
585
586 if (!sk_X509_push(certs, cert))
587 goto err;
588
589 cert = NULL;
590 }
591
592 /* A server must always provide a non-empty certificate list. */
593 if (sk_X509_num(certs) < 1) {
594 ctx->alert = TLS13_ALERT_DECODE_ERROR;
595 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
596 "peer failed to provide a certificate", NULL);
597 goto err;
598 }
599
600 /*
601 * At this stage we still have no proof of possession. As such, it would
602 * be preferable to keep the chain and verify once we have successfully
603 * processed the CertificateVerify message.
604 */
605 if (ssl_verify_cert_chain(s, certs) <= 0 &&
606 s->verify_mode != SSL_VERIFY_NONE) {
607 ctx->alert = ssl_verify_alarm_type(s->verify_result);
608 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
609 "failed to verify peer certificate", NULL);
610 goto err;
611 }
612 s->session->verify_result = s->verify_result;
613 ERR_clear_error();
614
615 if (!tls_process_peer_certs(s, certs))
616 goto err;
617
618 if (ctx->ocsp_status_recv_cb != NULL &&
619 !ctx->ocsp_status_recv_cb(ctx))
620 goto err;
621
622 ret = 1;
623
624 err:
625 sk_X509_pop_free(certs, X509_free);
626 X509_free(cert);
627
628 return ret;
629 }
630
631 int
tls13_server_certificate_verify_recv(struct tls13_ctx * ctx,CBS * cbs)632 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
633 {
634 const struct ssl_sigalg *sigalg;
635 uint16_t signature_scheme;
636 uint8_t *sig_content = NULL;
637 size_t sig_content_len;
638 EVP_MD_CTX *mdctx = NULL;
639 EVP_PKEY_CTX *pctx;
640 EVP_PKEY *pkey;
641 X509 *cert;
642 CBS signature;
643 CBB cbb;
644 int ret = 0;
645
646 memset(&cbb, 0, sizeof(cbb));
647
648 if (!CBS_get_u16(cbs, &signature_scheme))
649 goto err;
650 if (!CBS_get_u16_length_prefixed(cbs, &signature))
651 goto err;
652
653 if (!CBB_init(&cbb, 0))
654 goto err;
655 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
656 sizeof(tls13_cert_verify_pad)))
657 goto err;
658 if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context,
659 strlen(tls13_cert_server_verify_context)))
660 goto err;
661 if (!CBB_add_u8(&cbb, 0))
662 goto err;
663 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
664 ctx->hs->tls13.transcript_hash_len))
665 goto err;
666 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
667 goto err;
668
669 if ((cert = ctx->ssl->session->peer_cert) == NULL)
670 goto err;
671 if ((pkey = X509_get0_pubkey(cert)) == NULL)
672 goto err;
673 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
674 signature_scheme)) == NULL)
675 goto err;
676 ctx->hs->peer_sigalg = sigalg;
677
678 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
679 goto err;
680
681 if ((mdctx = EVP_MD_CTX_new()) == NULL)
682 goto err;
683 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
684 goto err;
685 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
686 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
687 goto err;
688 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
689 goto err;
690 }
691 if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature),
692 sig_content, sig_content_len) <= 0) {
693 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
694 goto err;
695 }
696
697 ret = 1;
698
699 err:
700 if (!ret && ctx->alert == 0)
701 ctx->alert = TLS13_ALERT_DECODE_ERROR;
702 CBB_cleanup(&cbb);
703 EVP_MD_CTX_free(mdctx);
704 free(sig_content);
705
706 return ret;
707 }
708
709 int
tls13_server_finished_recv(struct tls13_ctx * ctx,CBS * cbs)710 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
711 {
712 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
713 struct tls13_secret context = { .data = "", .len = 0 };
714 struct tls13_secret finished_key;
715 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
716 size_t transcript_hash_len;
717 uint8_t *verify_data = NULL;
718 size_t verify_data_len;
719 uint8_t key[EVP_MAX_MD_SIZE];
720 HMAC_CTX *hmac_ctx = NULL;
721 unsigned int hlen;
722 int ret = 0;
723
724 /*
725 * Verify server finished.
726 */
727 finished_key.data = key;
728 finished_key.len = EVP_MD_size(ctx->hash);
729
730 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
731 &secrets->server_handshake_traffic, "finished",
732 &context))
733 goto err;
734
735 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
736 goto err;
737 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
738 ctx->hash, NULL))
739 goto err;
740 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
741 ctx->hs->tls13.transcript_hash_len))
742 goto err;
743 verify_data_len = HMAC_size(hmac_ctx);
744 if ((verify_data = calloc(1, verify_data_len)) == NULL)
745 goto err;
746 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
747 goto err;
748 if (hlen != verify_data_len)
749 goto err;
750
751 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
752 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
753 goto err;
754 }
755
756 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
757 sizeof(ctx->hs->peer_finished),
758 &ctx->hs->peer_finished_len))
759 goto err;
760
761 if (!CBS_skip(cbs, verify_data_len))
762 goto err;
763
764 /*
765 * Derive application traffic keys.
766 */
767 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
768 sizeof(transcript_hash), &transcript_hash_len))
769 goto err;
770
771 context.data = transcript_hash;
772 context.len = transcript_hash_len;
773
774 if (!tls13_derive_application_secrets(secrets, &context))
775 goto err;
776
777 /*
778 * Any records following the server finished message must be encrypted
779 * using the server application traffic keys.
780 */
781 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
782 &secrets->server_application_traffic, ssl_encryption_application))
783 goto err;
784
785 tls13_record_layer_allow_ccs(ctx->rl, 0);
786
787 ret = 1;
788
789 err:
790 HMAC_CTX_free(hmac_ctx);
791 free(verify_data);
792
793 return ret;
794 }
795
796 static int
tls13_client_check_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY * cpk,int * ok,const struct ssl_sigalg ** out_sigalg)797 tls13_client_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
798 int *ok, const struct ssl_sigalg **out_sigalg)
799 {
800 const struct ssl_sigalg *sigalg;
801 SSL *s = ctx->ssl;
802
803 *ok = 0;
804 *out_sigalg = NULL;
805
806 if (cpk->x509 == NULL || cpk->privatekey == NULL)
807 goto done;
808
809 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
810 goto done;
811
812 *ok = 1;
813 *out_sigalg = sigalg;
814
815 done:
816 return 1;
817 }
818
819 static int
tls13_client_select_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY ** out_cpk,const struct ssl_sigalg ** out_sigalg)820 tls13_client_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
821 const struct ssl_sigalg **out_sigalg)
822 {
823 SSL *s = ctx->ssl;
824 const struct ssl_sigalg *sigalg;
825 SSL_CERT_PKEY *cpk;
826 int cert_ok;
827
828 *out_cpk = NULL;
829 *out_sigalg = NULL;
830
831 /*
832 * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences
833 * with the certificate_authorities (4.2.4) and oid_filters (4.2.5)
834 * extensions. We should honor the former and must apply the latter.
835 */
836
837 cpk = &s->cert->pkeys[SSL_PKEY_ECC];
838 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
839 return 0;
840 if (cert_ok)
841 goto done;
842
843 cpk = &s->cert->pkeys[SSL_PKEY_RSA];
844 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
845 return 0;
846 if (cert_ok)
847 goto done;
848
849 cpk = NULL;
850 sigalg = NULL;
851
852 done:
853 *out_cpk = cpk;
854 *out_sigalg = sigalg;
855
856 return 1;
857 }
858
859 int
tls13_client_certificate_send(struct tls13_ctx * ctx,CBB * cbb)860 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
861 {
862 SSL *s = ctx->ssl;
863 CBB cert_request_context, cert_list;
864 const struct ssl_sigalg *sigalg;
865 STACK_OF(X509) *chain;
866 SSL_CERT_PKEY *cpk;
867 X509 *cert;
868 int i, ret = 0;
869
870 if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
871 goto err;
872
873 ctx->hs->tls13.cpk = cpk;
874 ctx->hs->our_sigalg = sigalg;
875
876 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
877 goto err;
878 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
879 goto err;
880
881 /* No certificate selected. */
882 if (cpk == NULL)
883 goto done;
884
885 if ((chain = cpk->chain) == NULL)
886 chain = s->ctx->extra_certs;
887
888 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build))
889 goto err;
890
891 for (i = 0; i < sk_X509_num(chain); i++) {
892 cert = sk_X509_value(chain, i);
893 if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build))
894 goto err;
895 }
896
897 ctx->handshake_stage.hs_type |= WITH_CCV;
898 done:
899 if (!CBB_flush(cbb))
900 goto err;
901
902 ret = 1;
903
904 err:
905 return ret;
906 }
907
908 int
tls13_client_certificate_verify_send(struct tls13_ctx * ctx,CBB * cbb)909 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
910 {
911 const struct ssl_sigalg *sigalg;
912 uint8_t *sig = NULL, *sig_content = NULL;
913 size_t sig_len, sig_content_len;
914 EVP_MD_CTX *mdctx = NULL;
915 EVP_PKEY_CTX *pctx;
916 EVP_PKEY *pkey;
917 const SSL_CERT_PKEY *cpk;
918 CBB sig_cbb;
919 int ret = 0;
920
921 memset(&sig_cbb, 0, sizeof(sig_cbb));
922
923 if ((cpk = ctx->hs->tls13.cpk) == NULL)
924 goto err;
925 if ((sigalg = ctx->hs->our_sigalg) == NULL)
926 goto err;
927 pkey = cpk->privatekey;
928
929 if (!CBB_init(&sig_cbb, 0))
930 goto err;
931 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
932 sizeof(tls13_cert_verify_pad)))
933 goto err;
934 if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context,
935 strlen(tls13_cert_client_verify_context)))
936 goto err;
937 if (!CBB_add_u8(&sig_cbb, 0))
938 goto err;
939 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
940 ctx->hs->tls13.transcript_hash_len))
941 goto err;
942 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
943 goto err;
944
945 if ((mdctx = EVP_MD_CTX_new()) == NULL)
946 goto err;
947 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
948 goto err;
949 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
950 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
951 goto err;
952 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
953 goto err;
954 }
955 if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len))
956 goto err;
957 if ((sig = calloc(1, sig_len)) == NULL)
958 goto err;
959 if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len))
960 goto err;
961
962 if (!CBB_add_u16(cbb, sigalg->value))
963 goto err;
964 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
965 goto err;
966 if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
967 goto err;
968
969 if (!CBB_flush(cbb))
970 goto err;
971
972 ret = 1;
973
974 err:
975 if (!ret && ctx->alert == 0)
976 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
977
978 CBB_cleanup(&sig_cbb);
979 EVP_MD_CTX_free(mdctx);
980 free(sig_content);
981 free(sig);
982
983 return ret;
984 }
985
986 int
tls13_client_end_of_early_data_send(struct tls13_ctx * ctx,CBB * cbb)987 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
988 {
989 return 0;
990 }
991
992 int
tls13_client_finished_send(struct tls13_ctx * ctx,CBB * cbb)993 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
994 {
995 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
996 struct tls13_secret context = { .data = "", .len = 0 };
997 struct tls13_secret finished_key = { .data = NULL, .len = 0 };
998 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
999 size_t transcript_hash_len;
1000 uint8_t *verify_data;
1001 size_t verify_data_len;
1002 unsigned int hlen;
1003 HMAC_CTX *hmac_ctx = NULL;
1004 CBS cbs;
1005 int ret = 0;
1006
1007 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
1008 goto err;
1009
1010 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1011 &secrets->client_handshake_traffic, "finished",
1012 &context))
1013 goto err;
1014
1015 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
1016 sizeof(transcript_hash), &transcript_hash_len))
1017 goto err;
1018
1019 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1020 goto err;
1021 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1022 ctx->hash, NULL))
1023 goto err;
1024 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
1025 goto err;
1026
1027 verify_data_len = HMAC_size(hmac_ctx);
1028 if (!CBB_add_space(cbb, &verify_data, verify_data_len))
1029 goto err;
1030 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1031 goto err;
1032 if (hlen != verify_data_len)
1033 goto err;
1034
1035 CBS_init(&cbs, verify_data, verify_data_len);
1036 if (!CBS_write_bytes(&cbs, ctx->hs->finished,
1037 sizeof(ctx->hs->finished), &ctx->hs->finished_len))
1038 goto err;
1039
1040 ret = 1;
1041
1042 err:
1043 tls13_secret_cleanup(&finished_key);
1044 HMAC_CTX_free(hmac_ctx);
1045
1046 return ret;
1047 }
1048
1049 int
tls13_client_finished_sent(struct tls13_ctx * ctx)1050 tls13_client_finished_sent(struct tls13_ctx *ctx)
1051 {
1052 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1053
1054 /*
1055 * Any records following the client finished message must be encrypted
1056 * using the client application traffic keys.
1057 */
1058 return tls13_record_layer_set_write_traffic_key(ctx->rl,
1059 &secrets->client_application_traffic, ssl_encryption_application);
1060 }
1061