1 /* $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <stddef.h>
20
21 #include <openssl/evp.h>
22
23 #include "ssl_local.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_internal.h"
26
27 /*
28 * RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than
29 * 7 days and clients must not cache tickets for longer than 7 days.
30 */
31
32 #define TLS13_MAX_TICKET_LIFETIME (7 * 24 * 3600)
33
34 /*
35 * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
36 * by the server in server random if it is willing to downgrade but supports
37 * TLSv1.3
38 */
39 const uint8_t tls13_downgrade_12[8] = {
40 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
41 };
42 const uint8_t tls13_downgrade_11[8] = {
43 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
44 };
45
46 /*
47 * HelloRetryRequest hash - RFC 8446 section 4.1.3.
48 */
49 const uint8_t tls13_hello_retry_request_hash[32] = {
50 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
51 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
52 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
53 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
54 };
55
56 /*
57 * Certificate Verify padding - RFC 8446 section 4.4.3.
58 */
59 const uint8_t tls13_cert_verify_pad[64] = {
60 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
61 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
62 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
63 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
64 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
65 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
66 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
67 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
68 };
69
70 const uint8_t tls13_cert_client_verify_context[] =
71 "TLS 1.3, client CertificateVerify";
72 const uint8_t tls13_cert_server_verify_context[] =
73 "TLS 1.3, server CertificateVerify";
74
75 const EVP_AEAD *
tls13_cipher_aead(const SSL_CIPHER * cipher)76 tls13_cipher_aead(const SSL_CIPHER *cipher)
77 {
78 if (cipher == NULL)
79 return NULL;
80 if (cipher->algorithm_ssl != SSL_TLSV1_3)
81 return NULL;
82
83 switch (cipher->algorithm_enc) {
84 case SSL_AES128GCM:
85 return EVP_aead_aes_128_gcm();
86 case SSL_AES256GCM:
87 return EVP_aead_aes_256_gcm();
88 case SSL_CHACHA20POLY1305:
89 return EVP_aead_chacha20_poly1305();
90 }
91
92 return NULL;
93 }
94
95 const EVP_MD *
tls13_cipher_hash(const SSL_CIPHER * cipher)96 tls13_cipher_hash(const SSL_CIPHER *cipher)
97 {
98 if (cipher == NULL)
99 return NULL;
100 if (cipher->algorithm_ssl != SSL_TLSV1_3)
101 return NULL;
102
103 switch (cipher->algorithm2) {
104 case SSL_HANDSHAKE_MAC_SHA256:
105 return EVP_sha256();
106 case SSL_HANDSHAKE_MAC_SHA384:
107 return EVP_sha384();
108 }
109
110 return NULL;
111 }
112
113 static void
tls13_legacy_alert_cb(int sent,uint8_t alert_level,uint8_t alert_desc,void * arg)114 tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc,
115 void *arg)
116 {
117 uint8_t alert[] = {alert_level, alert_desc};
118 struct tls13_ctx *ctx = arg;
119 SSL *s = ctx->ssl;
120 CBS cbs;
121
122 if (s->msg_callback == NULL)
123 return;
124
125 CBS_init(&cbs, alert, sizeof(alert));
126 ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs);
127 }
128
129 static void
tls13_legacy_alert_recv_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)130 tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
131 {
132 tls13_legacy_alert_cb(0, alert_level, alert_desc, arg);
133 }
134
135 static void
tls13_legacy_alert_sent_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)136 tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
137 {
138 tls13_legacy_alert_cb(1, alert_level, alert_desc, arg);
139 }
140
141 void
tls13_alert_received_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)142 tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
143 {
144 struct tls13_ctx *ctx = arg;
145
146 if (ctx->alert_recv_cb != NULL)
147 ctx->alert_recv_cb(alert_level, alert_desc, arg);
148
149 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
150 ctx->close_notify_recv = 1;
151 ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
152 ctx->ssl->s3->warn_alert = alert_desc;
153 return;
154 }
155
156 if (alert_desc == TLS13_ALERT_USER_CANCELED) {
157 /*
158 * We treat this as advisory, since a close_notify alert
159 * SHOULD follow this alert (RFC 8446 section 6.1).
160 */
161 return;
162 }
163
164 /* All other alerts are treated as fatal in TLSv1.3. */
165 ctx->ssl->s3->fatal_alert = alert_desc;
166
167 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
168 ERR_asprintf_error_data("SSL alert number %d", alert_desc);
169
170 SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
171 }
172
173 void
tls13_alert_sent_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)174 tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
175 {
176 struct tls13_ctx *ctx = arg;
177
178 if (ctx->alert_sent_cb != NULL)
179 ctx->alert_sent_cb(alert_level, alert_desc, arg);
180
181 if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
182 ctx->close_notify_sent = 1;
183 return;
184 }
185
186 if (alert_desc == TLS13_ALERT_USER_CANCELED) {
187 return;
188 }
189
190 /* All other alerts are treated as fatal in TLSv1.3. */
191 if (ctx->error.code == 0)
192 SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
193 }
194
195 static void
tls13_legacy_handshake_message_recv_cb(void * arg)196 tls13_legacy_handshake_message_recv_cb(void *arg)
197 {
198 struct tls13_ctx *ctx = arg;
199 SSL *s = ctx->ssl;
200 CBS cbs;
201
202 if (s->msg_callback == NULL)
203 return;
204
205 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
206 ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
207 }
208
209 static void
tls13_legacy_handshake_message_sent_cb(void * arg)210 tls13_legacy_handshake_message_sent_cb(void *arg)
211 {
212 struct tls13_ctx *ctx = arg;
213 SSL *s = ctx->ssl;
214 CBS cbs;
215
216 if (s->msg_callback == NULL)
217 return;
218
219 tls13_handshake_msg_data(ctx->hs_msg, &cbs);
220 ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
221 }
222
223 static void
tls13_legacy_info_cb(void * arg,int state,int ret)224 tls13_legacy_info_cb(void *arg, int state, int ret)
225 {
226 struct tls13_ctx *ctx = arg;
227 SSL *s = ctx->ssl;
228
229 ssl_info_callback(s, state, ret);
230 }
231
232 static int
tls13_legacy_ocsp_status_recv_cb(void * arg)233 tls13_legacy_ocsp_status_recv_cb(void *arg)
234 {
235 struct tls13_ctx *ctx = arg;
236 SSL *s = ctx->ssl;
237 int ret;
238
239 if (s->ctx->tlsext_status_cb == NULL)
240 return 1;
241
242 ret = s->ctx->tlsext_status_cb(s,
243 s->ctx->tlsext_status_arg);
244 if (ret < 0) {
245 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
246 SSLerror(s, ERR_R_MALLOC_FAILURE);
247 return 0;
248 }
249 if (ret == 0) {
250 ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
251 SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
252 return 0;
253 }
254
255 return 1;
256 }
257
258 static int
tls13_phh_update_read_traffic_secret(struct tls13_ctx * ctx)259 tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
260 {
261 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
262 struct tls13_secret *secret;
263
264 if (ctx->mode == TLS13_HS_CLIENT) {
265 secret = &secrets->server_application_traffic;
266 if (!tls13_update_server_traffic_secret(secrets))
267 return 0;
268 } else {
269 secret = &secrets->client_application_traffic;
270 if (!tls13_update_client_traffic_secret(secrets))
271 return 0;
272 }
273
274 return tls13_record_layer_set_read_traffic_key(ctx->rl,
275 secret, ssl_encryption_application);
276 }
277
278 static int
tls13_phh_update_write_traffic_secret(struct tls13_ctx * ctx)279 tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
280 {
281 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
282 struct tls13_secret *secret;
283
284 if (ctx->mode == TLS13_HS_CLIENT) {
285 secret = &secrets->client_application_traffic;
286 if (!tls13_update_client_traffic_secret(secrets))
287 return 0;
288 } else {
289 secret = &secrets->server_application_traffic;
290 if (!tls13_update_server_traffic_secret(secrets))
291 return 0;
292 }
293
294 return tls13_record_layer_set_write_traffic_key(ctx->rl,
295 secret, ssl_encryption_application);
296 }
297
298 /*
299 * XXX arbitrarily chosen limit of 100 post handshake handshake
300 * messages in an hour - to avoid a hostile peer from constantly
301 * requesting certificates or key renegotiaitons, etc.
302 */
303 static int
tls13_phh_limit_check(struct tls13_ctx * ctx)304 tls13_phh_limit_check(struct tls13_ctx *ctx)
305 {
306 time_t now = time(NULL);
307
308 if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
309 if (ctx->phh_count > TLS13_PHH_LIMIT)
310 return 0;
311 } else
312 ctx->phh_count = 0;
313 ctx->phh_count++;
314 ctx->phh_last_seen = now;
315 return 1;
316 }
317
318 static ssize_t
tls13_key_update_recv(struct tls13_ctx * ctx,CBS * cbs)319 tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
320 {
321 struct tls13_handshake_msg *hs_msg = NULL;
322 CBB cbb_hs;
323 CBS cbs_hs;
324 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
325 uint8_t key_update_request;
326 ssize_t ret;
327
328 if (!CBS_get_u8(cbs, &key_update_request)) {
329 alert = TLS13_ALERT_DECODE_ERROR;
330 goto err;
331 }
332 if (CBS_len(cbs) != 0) {
333 alert = TLS13_ALERT_DECODE_ERROR;
334 goto err;
335 }
336 if (key_update_request > 1) {
337 alert = TLS13_ALERT_ILLEGAL_PARAMETER;
338 goto err;
339 }
340
341 if (!tls13_phh_update_read_traffic_secret(ctx))
342 goto err;
343
344 if (key_update_request == 0)
345 return TLS13_IO_SUCCESS;
346
347 /* Our peer requested that we update our write traffic keys. */
348 if ((hs_msg = tls13_handshake_msg_new()) == NULL)
349 goto err;
350 if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
351 goto err;
352 if (!CBB_add_u8(&cbb_hs, 0))
353 goto err;
354 if (!tls13_handshake_msg_finish(hs_msg))
355 goto err;
356
357 ctx->key_update_request = 1;
358 tls13_handshake_msg_data(hs_msg, &cbs_hs);
359 ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
360
361 tls13_handshake_msg_free(hs_msg);
362 hs_msg = NULL;
363
364 return ret;
365
366 err:
367 tls13_handshake_msg_free(hs_msg);
368
369 return tls13_send_alert(ctx->rl, alert);
370 }
371
372 /* RFC 8446 section 4.6.1 */
373 static ssize_t
tls13_new_session_ticket_recv(struct tls13_ctx * ctx,CBS * cbs)374 tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs)
375 {
376 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
377 struct tls13_secret nonce;
378 uint32_t ticket_lifetime, ticket_age_add;
379 CBS ticket_nonce, ticket;
380 SSL_SESSION *sess = NULL;
381 int alert, session_id_length;
382 ssize_t ret = 0;
383
384 memset(&nonce, 0, sizeof(nonce));
385
386 if (ctx->mode != TLS13_HS_CLIENT) {
387 alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
388 goto err;
389 }
390
391 alert = TLS13_ALERT_DECODE_ERROR;
392
393 if (!CBS_get_u32(cbs, &ticket_lifetime))
394 goto err;
395 if (!CBS_get_u32(cbs, &ticket_age_add))
396 goto err;
397 if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce))
398 goto err;
399 if (!CBS_get_u16_length_prefixed(cbs, &ticket))
400 goto err;
401 /* Extensions can only contain early_data, which we currently ignore. */
402 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert))
403 goto err;
404
405 if (CBS_len(cbs) != 0)
406 goto err;
407
408 /* Zero indicates that the ticket should be discarded immediately. */
409 if (ticket_lifetime == 0) {
410 ret = TLS13_IO_SUCCESS;
411 goto done;
412 }
413
414 /* Servers MUST NOT use any value larger than 7 days. */
415 if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) {
416 alert = TLS13_ALERT_ILLEGAL_PARAMETER;
417 goto err;
418 }
419
420 alert = TLS13_ALERT_INTERNAL_ERROR;
421
422 /*
423 * Create new session instead of modifying the current session.
424 * The current session could already be in the session cache.
425 */
426 if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL)
427 goto err;
428
429 sess->time = time(NULL);
430
431 sess->tlsext_tick_lifetime_hint = ticket_lifetime;
432 sess->tlsext_tick_age_add = ticket_age_add;
433
434 if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen))
435 goto err;
436
437 /* XXX - ensure this doesn't overflow session_id if hash is changed. */
438 if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
439 sess->session_id, &session_id_length, EVP_sha256(), NULL))
440 goto err;
441 sess->session_id_length = session_id_length;
442
443 if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len))
444 goto err;
445
446 if (!tls13_secret_init(&sess->resumption_master_secret, 256))
447 goto err;
448
449 if (!tls13_derive_secret(&sess->resumption_master_secret,
450 secrets->digest, &secrets->resumption_master, "resumption",
451 &nonce))
452 goto err;
453
454 SSL_SESSION_free(ctx->ssl->session);
455 ctx->ssl->session = sess;
456 sess = NULL;
457
458 ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT);
459
460 ret = TLS13_IO_SUCCESS;
461 goto done;
462
463 err:
464 ret = tls13_send_alert(ctx->rl, alert);
465
466 done:
467 tls13_secret_cleanup(&nonce);
468 SSL_SESSION_free(sess);
469
470 return ret;
471 }
472
473 ssize_t
tls13_phh_received_cb(void * cb_arg)474 tls13_phh_received_cb(void *cb_arg)
475 {
476 ssize_t ret = TLS13_IO_FAILURE;
477 struct tls13_ctx *ctx = cb_arg;
478 CBS cbs;
479
480 if (!tls13_phh_limit_check(ctx))
481 return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
482
483 if ((ctx->hs_msg == NULL) &&
484 ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
485 return TLS13_IO_FAILURE;
486
487 if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
488 TLS13_IO_SUCCESS)
489 return ret;
490
491 if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
492 return TLS13_IO_FAILURE;
493
494 switch(tls13_handshake_msg_type(ctx->hs_msg)) {
495 case TLS13_MT_KEY_UPDATE:
496 ret = tls13_key_update_recv(ctx, &cbs);
497 break;
498 case TLS13_MT_NEW_SESSION_TICKET:
499 ret = tls13_new_session_ticket_recv(ctx, &cbs);
500 break;
501 case TLS13_MT_CERTIFICATE_REQUEST:
502 /* XXX add support if we choose to advertise this */
503 /* FALLTHROUGH */
504 default:
505 ret = TLS13_IO_FAILURE; /* XXX send alert */
506 break;
507 }
508
509 tls13_handshake_msg_free(ctx->hs_msg);
510 ctx->hs_msg = NULL;
511 return ret;
512 }
513
514 void
tls13_phh_done_cb(void * cb_arg)515 tls13_phh_done_cb(void *cb_arg)
516 {
517 struct tls13_ctx *ctx = cb_arg;
518
519 if (ctx->key_update_request) {
520 tls13_phh_update_write_traffic_secret(ctx);
521 ctx->key_update_request = 0;
522 }
523 }
524
525 static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
526 .wire_read = tls13_legacy_wire_read_cb,
527 .wire_write = tls13_legacy_wire_write_cb,
528 .wire_flush = tls13_legacy_wire_flush_cb,
529
530 .alert_recv = tls13_alert_received_cb,
531 .alert_sent = tls13_alert_sent_cb,
532 .phh_recv = tls13_phh_received_cb,
533 .phh_sent = tls13_phh_done_cb,
534 };
535
536 struct tls13_ctx *
tls13_ctx_new(int mode,SSL * ssl)537 tls13_ctx_new(int mode, SSL *ssl)
538 {
539 struct tls13_ctx *ctx = NULL;
540
541 if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
542 goto err;
543
544 ctx->hs = &ssl->s3->hs;
545 ctx->mode = mode;
546 ctx->ssl = ssl;
547
548 if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
549 goto err;
550
551 ctx->alert_sent_cb = tls13_legacy_alert_sent_cb;
552 ctx->alert_recv_cb = tls13_legacy_alert_recv_cb;
553 ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
554 ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
555 ctx->info_cb = tls13_legacy_info_cb;
556 ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
557
558 ctx->middlebox_compat = 1;
559
560 ssl->tls13 = ctx;
561
562 if (SSL_is_quic(ssl)) {
563 if (!tls13_quic_init(ctx))
564 goto err;
565 }
566
567 return ctx;
568
569 err:
570 tls13_ctx_free(ctx);
571
572 return NULL;
573 }
574
575 void
tls13_ctx_free(struct tls13_ctx * ctx)576 tls13_ctx_free(struct tls13_ctx *ctx)
577 {
578 if (ctx == NULL)
579 return;
580
581 tls13_error_clear(&ctx->error);
582 tls13_record_layer_free(ctx->rl);
583 tls13_handshake_msg_free(ctx->hs_msg);
584
585 freezero(ctx, sizeof(struct tls13_ctx));
586 }
587
588 int
tls13_cert_add(struct tls13_ctx * ctx,CBB * cbb,X509 * cert,int (* build_extensions)(SSL * s,uint16_t msg_type,CBB * cbb))589 tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
590 int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
591 {
592 CBB cert_data, cert_exts;
593 uint8_t *data;
594 int cert_len;
595
596 if ((cert_len = i2d_X509(cert, NULL)) < 0)
597 return 0;
598
599 if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
600 return 0;
601 if (!CBB_add_space(&cert_data, &data, cert_len))
602 return 0;
603 if (i2d_X509(cert, &data) != cert_len)
604 return 0;
605 if (build_extensions != NULL) {
606 if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
607 return 0;
608 } else {
609 if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
610 return 0;
611 }
612 if (!CBB_flush(cbb))
613 return 0;
614
615 return 1;
616 }
617
618 int
tls13_synthetic_handshake_message(struct tls13_ctx * ctx)619 tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
620 {
621 struct tls13_handshake_msg *hm = NULL;
622 unsigned char buf[EVP_MAX_MD_SIZE];
623 size_t hash_len;
624 CBB cbb;
625 CBS cbs;
626 SSL *s = ctx->ssl;
627 int ret = 0;
628
629 /*
630 * Replace ClientHello with synthetic handshake message - see
631 * RFC 8446 section 4.4.1.
632 */
633 if (!tls1_transcript_hash_init(s))
634 goto err;
635 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
636 goto err;
637
638 if ((hm = tls13_handshake_msg_new()) == NULL)
639 goto err;
640 if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
641 goto err;
642 if (!CBB_add_bytes(&cbb, buf, hash_len))
643 goto err;
644 if (!tls13_handshake_msg_finish(hm))
645 goto err;
646
647 tls13_handshake_msg_data(hm, &cbs);
648
649 tls1_transcript_reset(ctx->ssl);
650 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
651 goto err;
652
653 ret = 1;
654
655 err:
656 tls13_handshake_msg_free(hm);
657
658 return ret;
659 }
660
661 int
tls13_clienthello_hash_init(struct tls13_ctx * ctx)662 tls13_clienthello_hash_init(struct tls13_ctx *ctx)
663 {
664 if (ctx->hs->tls13.clienthello_md_ctx != NULL)
665 return 0;
666 if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
667 return 0;
668 if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
669 EVP_sha256(), NULL))
670 return 0;
671
672 if ((ctx->hs->tls13.clienthello_hash == NULL) &&
673 (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
674 NULL)
675 return 0;
676
677 return 1;
678 }
679
680 void
tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st * hs)681 tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
682 {
683 EVP_MD_CTX_free(hs->clienthello_md_ctx);
684 hs->clienthello_md_ctx = NULL;
685 freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
686 hs->clienthello_hash = NULL;
687 }
688
689 int
tls13_clienthello_hash_update_bytes(struct tls13_ctx * ctx,void * data,size_t len)690 tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
691 size_t len)
692 {
693 return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
694 }
695
696 int
tls13_clienthello_hash_update(struct tls13_ctx * ctx,CBS * cbs)697 tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
698 {
699 return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
700 CBS_len(cbs));
701 }
702
703 int
tls13_clienthello_hash_finalize(struct tls13_ctx * ctx)704 tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
705 {
706 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
707 ctx->hs->tls13.clienthello_hash,
708 &ctx->hs->tls13.clienthello_hash_len))
709 return 0;
710 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
711 ctx->hs->tls13.clienthello_md_ctx = NULL;
712 return 1;
713 }
714
715 int
tls13_clienthello_hash_validate(struct tls13_ctx * ctx)716 tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
717 {
718 unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
719 unsigned int new_ch_hash_len;
720
721 if (ctx->hs->tls13.clienthello_hash == NULL)
722 return 0;
723
724 if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
725 new_ch_hash, &new_ch_hash_len))
726 return 0;
727 EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
728 ctx->hs->tls13.clienthello_md_ctx = NULL;
729
730 if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
731 return 0;
732 if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
733 new_ch_hash_len) != 0)
734 return 0;
735
736 return 1;
737 }
738