1 /* $OpenBSD: tls13_server.c,v 1.77 2021/06/08 17:41:52 tb Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/x509v3.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_sigalgs.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_server_init(struct tls13_ctx *ctx) 29 { 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 33 &ctx->hs->our_max_tls_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->our_max_tls_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53 } 54 55 int 56 tls13_server_accept(struct tls13_ctx *ctx) 57 { 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62 } 63 64 static int 65 tls13_client_hello_is_legacy(CBS *cbs) 66 { 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97 } 98 99 int 100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101 { 102 SSL *s = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * If we got no pre_shared_key, then signature_algorithms and 112 * supported_groups must both be present. 113 */ 114 if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 115 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 116 return 0; 117 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 118 return 0; 119 } 120 121 /* 122 * supported_groups and key_share must either both be present or 123 * both be absent. 124 */ 125 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 126 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 127 return 0; 128 129 /* 130 * XXX - Require server_name from client? If so, we SHOULD enforce 131 * this here - RFC 8446, 9.2. 132 */ 133 134 return 1; 135 } 136 137 static const uint8_t tls13_compression_null_only[] = { 0 }; 138 139 static int 140 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 141 { 142 CBS cipher_suites, client_random, compression_methods, session_id; 143 STACK_OF(SSL_CIPHER) *ciphers = NULL; 144 const SSL_CIPHER *cipher; 145 uint16_t legacy_version; 146 int alert_desc; 147 SSL *s = ctx->ssl; 148 int ret = 0; 149 150 if (!CBS_get_u16(cbs, &legacy_version)) 151 goto err; 152 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 153 goto err; 154 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 155 goto err; 156 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 157 goto err; 158 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 159 goto err; 160 161 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 162 if (!CBS_skip(cbs, CBS_len(cbs))) 163 goto err; 164 return tls13_use_legacy_server(ctx); 165 } 166 ctx->hs->negotiated_tls_version = TLS1_3_VERSION; 167 168 /* Ensure we send subsequent alerts with the correct record version. */ 169 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 170 171 /* Add decoded values to the current ClientHello hash */ 172 if (!tls13_clienthello_hash_init(ctx)) { 173 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 174 goto err; 175 } 176 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 177 sizeof(legacy_version))) { 178 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 179 goto err; 180 } 181 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 182 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 183 goto err; 184 } 185 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 186 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 187 goto err; 188 } 189 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 190 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 191 goto err; 192 } 193 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 194 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 195 goto err; 196 } 197 198 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 199 ctx->alert = alert_desc; 200 goto err; 201 } 202 203 /* Finalize first ClientHello hash, or validate against it */ 204 if (!ctx->hs->tls13.hrr) { 205 if (!tls13_clienthello_hash_finalize(ctx)) { 206 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 207 goto err; 208 } 209 } else { 210 if (!tls13_clienthello_hash_validate(ctx)) { 211 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 212 goto err; 213 } 214 tls13_clienthello_hash_clear(&ctx->hs->tls13); 215 } 216 217 if (!tls13_client_hello_required_extensions(ctx)) { 218 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 219 goto err; 220 } 221 222 /* 223 * If we got this far we have a supported versions extension that offers 224 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 225 */ 226 if (legacy_version != TLS1_2_VERSION) { 227 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 228 goto err; 229 } 230 231 /* Store legacy session identifier so we can echo it. */ 232 if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { 233 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 234 goto err; 235 } 236 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 237 sizeof(ctx->hs->tls13.legacy_session_id), 238 &ctx->hs->tls13.legacy_session_id_len)) { 239 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 240 goto err; 241 } 242 243 /* Parse cipher suites list and select preferred cipher. */ 244 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 245 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 246 goto err; 247 } 248 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 249 if (cipher == NULL) { 250 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 251 "no shared cipher found", NULL); 252 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 253 goto err; 254 } 255 ctx->hs->cipher = cipher; 256 257 sk_SSL_CIPHER_free(s->session->ciphers); 258 s->session->ciphers = ciphers; 259 ciphers = NULL; 260 261 /* Ensure only the NULL compression method is advertised. */ 262 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 263 sizeof(tls13_compression_null_only))) { 264 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 265 goto err; 266 } 267 268 ret = 1; 269 270 err: 271 sk_SSL_CIPHER_free(ciphers); 272 273 return ret; 274 } 275 276 int 277 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 278 { 279 SSL *s = ctx->ssl; 280 281 if (!tls13_client_hello_process(ctx, cbs)) 282 goto err; 283 284 /* See if we switched back to the legacy client method. */ 285 if (s->method->internal->version < TLS1_3_VERSION) 286 return 1; 287 288 /* 289 * If a matching key share was provided, we do not need to send a 290 * HelloRetryRequest. 291 */ 292 /* 293 * XXX - ideally NEGOTIATED would only be added after record protection 294 * has been enabled. This would probably mean using either an 295 * INITIAL | WITHOUT_HRR state, or another intermediate state. 296 */ 297 if (ctx->hs->tls13.key_share != NULL) 298 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 299 300 /* XXX - check this is the correct point */ 301 tls13_record_layer_allow_ccs(ctx->rl, 1); 302 303 return 1; 304 305 err: 306 return 0; 307 } 308 309 static int 310 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 311 { 312 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 313 const uint8_t *server_random; 314 CBB session_id; 315 SSL *s = ctx->ssl; 316 uint16_t cipher; 317 318 cipher = SSL_CIPHER_get_value(ctx->hs->cipher); 319 server_random = s->s3->server_random; 320 321 if (hrr) { 322 server_random = tls13_hello_retry_request_hash; 323 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 324 } 325 326 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 327 goto err; 328 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 329 goto err; 330 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 331 goto err; 332 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 333 ctx->hs->tls13.legacy_session_id_len)) 334 goto err; 335 if (!CBB_add_u16(cbb, cipher)) 336 goto err; 337 if (!CBB_add_u8(cbb, 0)) 338 goto err; 339 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 340 goto err; 341 342 if (!CBB_flush(cbb)) 343 goto err; 344 345 return 1; 346 err: 347 return 0; 348 } 349 350 static int 351 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 352 { 353 struct tls13_secrets *secrets; 354 struct tls13_secret context; 355 unsigned char buf[EVP_MAX_MD_SIZE]; 356 uint8_t *shared_key = NULL; 357 size_t shared_key_len = 0; 358 size_t hash_len; 359 SSL *s = ctx->ssl; 360 int ret = 0; 361 362 if (!tls13_key_share_derive(ctx->hs->tls13.key_share, 363 &shared_key, &shared_key_len)) 364 goto err; 365 366 s->session->cipher = ctx->hs->cipher; 367 368 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 369 goto err; 370 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 371 goto err; 372 373 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 374 goto err; 375 ctx->hs->tls13.secrets = secrets; 376 377 /* XXX - pass in hash. */ 378 if (!tls1_transcript_hash_init(s)) 379 goto err; 380 tls1_transcript_free(s); 381 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 382 goto err; 383 context.data = buf; 384 context.len = hash_len; 385 386 /* Early secrets. */ 387 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 388 secrets->zeros.len, &context)) 389 goto err; 390 391 /* Handshake secrets. */ 392 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 393 shared_key_len, &context)) 394 goto err; 395 396 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 397 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 398 399 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 400 &secrets->client_handshake_traffic)) 401 goto err; 402 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 403 &secrets->server_handshake_traffic)) 404 goto err; 405 406 ctx->handshake_stage.hs_type |= NEGOTIATED; 407 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 408 ctx->handshake_stage.hs_type |= WITHOUT_CR; 409 410 ret = 1; 411 412 err: 413 freezero(shared_key, shared_key_len); 414 return ret; 415 } 416 417 int 418 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 419 { 420 int nid; 421 422 ctx->hs->tls13.hrr = 1; 423 424 if (!tls13_synthetic_handshake_message(ctx)) 425 return 0; 426 427 if (ctx->hs->tls13.key_share != NULL) 428 return 0; 429 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 430 return 0; 431 if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) 432 return 0; 433 434 if (!tls13_server_hello_build(ctx, cbb, 1)) 435 return 0; 436 437 return 1; 438 } 439 440 int 441 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 442 { 443 /* 444 * If the client has requested middlebox compatibility mode, 445 * we MUST send a dummy CCS following our first handshake message. 446 * See RFC 8446 Appendix D.4. 447 */ 448 if (ctx->hs->tls13.legacy_session_id_len > 0) 449 ctx->send_dummy_ccs_after = 1; 450 451 return 1; 452 } 453 454 int 455 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 456 { 457 SSL *s = ctx->ssl; 458 459 if (!tls13_client_hello_process(ctx, cbs)) 460 return 0; 461 462 /* XXX - need further checks. */ 463 if (s->method->internal->version < TLS1_3_VERSION) 464 return 0; 465 466 ctx->hs->tls13.hrr = 0; 467 468 return 1; 469 } 470 471 static int 472 tls13_servername_process(struct tls13_ctx *ctx) 473 { 474 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 475 476 if (!tls13_legacy_servername_process(ctx, &alert)) { 477 ctx->alert = alert; 478 return 0; 479 } 480 481 return 1; 482 } 483 484 int 485 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 486 { 487 if (ctx->hs->tls13.key_share == NULL) 488 return 0; 489 if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) 490 return 0; 491 if (!tls13_servername_process(ctx)) 492 return 0; 493 494 ctx->hs->tls13.server_group = 0; 495 496 if (!tls13_server_hello_build(ctx, cbb, 0)) 497 return 0; 498 499 return 1; 500 } 501 502 int 503 tls13_server_hello_sent(struct tls13_ctx *ctx) 504 { 505 /* 506 * If the client has requested middlebox compatibility mode, 507 * we MUST send a dummy CCS following our first handshake message. 508 * See RFC 8446 Appendix D.4. 509 */ 510 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 511 ctx->hs->tls13.legacy_session_id_len > 0) 512 ctx->send_dummy_ccs_after = 1; 513 514 return tls13_server_engage_record_protection(ctx); 515 } 516 517 int 518 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 519 { 520 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 521 goto err; 522 523 return 1; 524 err: 525 return 0; 526 } 527 528 int 529 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 530 { 531 CBB certificate_request_context; 532 533 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 534 goto err; 535 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 536 goto err; 537 538 if (!CBB_flush(cbb)) 539 goto err; 540 541 return 1; 542 err: 543 return 0; 544 } 545 546 static int 547 tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, 548 int *ok, const struct ssl_sigalg **out_sigalg) 549 { 550 const struct ssl_sigalg *sigalg; 551 SSL *s = ctx->ssl; 552 553 *ok = 0; 554 *out_sigalg = NULL; 555 556 if (cpk->x509 == NULL || cpk->privatekey == NULL) 557 goto done; 558 559 if (!X509_check_purpose(cpk->x509, -1, 0)) 560 return 0; 561 562 /* 563 * The digitalSignature bit MUST be set if the Key Usage extension is 564 * present as per RFC 8446 section 4.4.2.2. 565 */ 566 if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && 567 !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) 568 goto done; 569 570 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 571 goto done; 572 573 *ok = 1; 574 *out_sigalg = sigalg; 575 576 done: 577 return 1; 578 } 579 580 static int 581 tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, 582 const struct ssl_sigalg **out_sigalg) 583 { 584 SSL *s = ctx->ssl; 585 const struct ssl_sigalg *sigalg; 586 CERT_PKEY *cpk; 587 int cert_ok; 588 589 *out_cpk = NULL; 590 *out_sigalg = NULL; 591 592 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 593 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 594 return 0; 595 if (cert_ok) 596 goto done; 597 598 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 599 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 600 return 0; 601 if (cert_ok) 602 goto done; 603 604 cpk = NULL; 605 sigalg = NULL; 606 607 done: 608 *out_cpk = cpk; 609 *out_sigalg = sigalg; 610 611 return 1; 612 } 613 614 int 615 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 616 { 617 SSL *s = ctx->ssl; 618 CBB cert_request_context, cert_list; 619 const struct ssl_sigalg *sigalg; 620 X509_STORE_CTX *xsc = NULL; 621 STACK_OF(X509) *chain; 622 CERT_PKEY *cpk; 623 X509 *cert; 624 int i, ret = 0; 625 626 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 627 goto err; 628 629 if (cpk == NULL) { 630 /* A server must always provide a certificate. */ 631 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 632 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 633 "no server certificate", NULL); 634 goto err; 635 } 636 637 ctx->hs->tls13.cpk = cpk; 638 ctx->hs->tls13.sigalg = sigalg; 639 640 if ((chain = cpk->chain) == NULL) 641 chain = s->ctx->extra_certs; 642 643 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { 644 if ((xsc = X509_STORE_CTX_new()) == NULL) 645 goto err; 646 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 647 goto err; 648 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 649 X509_V_FLAG_LEGACY_VERIFY); 650 X509_verify_cert(xsc); 651 ERR_clear_error(); 652 chain = xsc->chain; 653 } 654 655 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 656 goto err; 657 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 658 goto err; 659 660 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 661 goto err; 662 663 for (i = 0; i < sk_X509_num(chain); i++) { 664 cert = sk_X509_value(chain, i); 665 666 /* 667 * In the case of auto chain, the leaf certificate will be at 668 * the top of the chain - skip over it as we've already added 669 * it earlier. 670 */ 671 if (i == 0 && cert == cpk->x509) 672 continue; 673 674 /* 675 * XXX we don't send extensions with chain certs to avoid sending 676 * a leaf ocsp staple with the chain certs. This needs to get 677 * fixed. 678 */ 679 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 680 goto err; 681 } 682 683 if (!CBB_flush(cbb)) 684 goto err; 685 686 ret = 1; 687 688 err: 689 X509_STORE_CTX_free(xsc); 690 691 return ret; 692 } 693 694 int 695 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 696 { 697 const struct ssl_sigalg *sigalg; 698 uint8_t *sig = NULL, *sig_content = NULL; 699 size_t sig_len, sig_content_len; 700 EVP_MD_CTX *mdctx = NULL; 701 EVP_PKEY_CTX *pctx; 702 EVP_PKEY *pkey; 703 const CERT_PKEY *cpk; 704 CBB sig_cbb; 705 int ret = 0; 706 707 memset(&sig_cbb, 0, sizeof(sig_cbb)); 708 709 if ((cpk = ctx->hs->tls13.cpk) == NULL) 710 goto err; 711 if ((sigalg = ctx->hs->tls13.sigalg) == NULL) 712 goto err; 713 pkey = cpk->privatekey; 714 715 if (!CBB_init(&sig_cbb, 0)) 716 goto err; 717 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 718 sizeof(tls13_cert_verify_pad))) 719 goto err; 720 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 721 strlen(tls13_cert_server_verify_context))) 722 goto err; 723 if (!CBB_add_u8(&sig_cbb, 0)) 724 goto err; 725 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 726 ctx->hs->tls13.transcript_hash_len)) 727 goto err; 728 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 729 goto err; 730 731 if ((mdctx = EVP_MD_CTX_new()) == NULL) 732 goto err; 733 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 734 goto err; 735 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 736 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 737 goto err; 738 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 739 goto err; 740 } 741 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 742 goto err; 743 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 744 goto err; 745 if ((sig = calloc(1, sig_len)) == NULL) 746 goto err; 747 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 748 goto err; 749 750 if (!CBB_add_u16(cbb, sigalg->value)) 751 goto err; 752 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 753 goto err; 754 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 755 goto err; 756 757 if (!CBB_flush(cbb)) 758 goto err; 759 760 ret = 1; 761 762 err: 763 if (!ret && ctx->alert == 0) 764 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 765 766 CBB_cleanup(&sig_cbb); 767 EVP_MD_CTX_free(mdctx); 768 free(sig_content); 769 free(sig); 770 771 return ret; 772 } 773 774 int 775 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 776 { 777 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 778 struct tls13_secret context = { .data = "", .len = 0 }; 779 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 780 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 781 size_t transcript_hash_len; 782 uint8_t *verify_data; 783 size_t verify_data_len; 784 unsigned int hlen; 785 HMAC_CTX *hmac_ctx = NULL; 786 CBS cbs; 787 int ret = 0; 788 789 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 790 goto err; 791 792 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 793 &secrets->server_handshake_traffic, "finished", 794 &context)) 795 goto err; 796 797 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 798 sizeof(transcript_hash), &transcript_hash_len)) 799 goto err; 800 801 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 802 goto err; 803 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 804 ctx->hash, NULL)) 805 goto err; 806 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 807 goto err; 808 809 verify_data_len = HMAC_size(hmac_ctx); 810 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 811 goto err; 812 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 813 goto err; 814 if (hlen != verify_data_len) 815 goto err; 816 817 CBS_init(&cbs, verify_data, verify_data_len); 818 if (!CBS_write_bytes(&cbs, ctx->hs->finished, 819 sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 820 goto err; 821 822 ret = 1; 823 824 err: 825 tls13_secret_cleanup(&finished_key); 826 HMAC_CTX_free(hmac_ctx); 827 828 return ret; 829 } 830 831 int 832 tls13_server_finished_sent(struct tls13_ctx *ctx) 833 { 834 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 835 struct tls13_secret context = { .data = "", .len = 0 }; 836 837 /* 838 * Derive application traffic keys. 839 */ 840 context.data = ctx->hs->tls13.transcript_hash; 841 context.len = ctx->hs->tls13.transcript_hash_len; 842 843 if (!tls13_derive_application_secrets(secrets, &context)) 844 return 0; 845 846 /* 847 * Any records following the server finished message must be encrypted 848 * using the server application traffic keys. 849 */ 850 return tls13_record_layer_set_write_traffic_key(ctx->rl, 851 &secrets->server_application_traffic); 852 } 853 854 int 855 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 856 { 857 CBS cert_request_context, cert_list, cert_data, cert_exts; 858 struct stack_st_X509 *certs = NULL; 859 SSL *s = ctx->ssl; 860 X509 *cert = NULL; 861 EVP_PKEY *pkey; 862 const uint8_t *p; 863 int cert_idx; 864 int ret = 0; 865 866 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 867 goto err; 868 if (CBS_len(&cert_request_context) != 0) 869 goto err; 870 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 871 goto err; 872 if (CBS_len(&cert_list) == 0) { 873 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 874 return 1; 875 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 876 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 877 "peer did not provide a certificate", NULL); 878 goto err; 879 } 880 881 if ((certs = sk_X509_new_null()) == NULL) 882 goto err; 883 while (CBS_len(&cert_list) > 0) { 884 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 885 goto err; 886 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 887 goto err; 888 889 p = CBS_data(&cert_data); 890 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 891 goto err; 892 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 893 goto err; 894 895 if (!sk_X509_push(certs, cert)) 896 goto err; 897 898 cert = NULL; 899 } 900 901 /* 902 * At this stage we still have no proof of possession. As such, it would 903 * be preferable to keep the chain and verify once we have successfully 904 * processed the CertificateVerify message. 905 */ 906 if (ssl_verify_cert_chain(s, certs) <= 0) { 907 ctx->alert = ssl_verify_alarm_type(s->verify_result); 908 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 909 "failed to verify peer certificate", NULL); 910 goto err; 911 } 912 ERR_clear_error(); 913 914 cert = sk_X509_value(certs, 0); 915 X509_up_ref(cert); 916 917 if ((pkey = X509_get0_pubkey(cert)) == NULL) 918 goto err; 919 if (EVP_PKEY_missing_parameters(pkey)) 920 goto err; 921 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 922 goto err; 923 924 ssl_sess_cert_free(SSI(s)->sess_cert); 925 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 926 goto err; 927 928 SSI(s)->sess_cert->cert_chain = certs; 929 certs = NULL; 930 931 X509_up_ref(cert); 932 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 933 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 934 935 X509_free(s->session->peer); 936 937 X509_up_ref(cert); 938 s->session->peer = cert; 939 s->session->verify_result = s->verify_result; 940 941 ctx->handshake_stage.hs_type |= WITH_CCV; 942 ret = 1; 943 944 err: 945 sk_X509_pop_free(certs, X509_free); 946 X509_free(cert); 947 948 return ret; 949 } 950 951 int 952 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 953 { 954 const struct ssl_sigalg *sigalg; 955 uint16_t signature_scheme; 956 uint8_t *sig_content = NULL; 957 size_t sig_content_len; 958 EVP_MD_CTX *mdctx = NULL; 959 EVP_PKEY_CTX *pctx; 960 EVP_PKEY *pkey; 961 X509 *cert; 962 CBS signature; 963 CBB cbb; 964 int ret = 0; 965 966 memset(&cbb, 0, sizeof(cbb)); 967 968 if (!CBS_get_u16(cbs, &signature_scheme)) 969 goto err; 970 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 971 goto err; 972 973 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 974 tls13_sigalgs_len)) == NULL) 975 goto err; 976 977 if (!CBB_init(&cbb, 0)) 978 goto err; 979 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 980 sizeof(tls13_cert_verify_pad))) 981 goto err; 982 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 983 strlen(tls13_cert_client_verify_context))) 984 goto err; 985 if (!CBB_add_u8(&cbb, 0)) 986 goto err; 987 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 988 ctx->hs->tls13.transcript_hash_len)) 989 goto err; 990 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 991 goto err; 992 993 if ((cert = ctx->ssl->session->peer) == NULL) 994 goto err; 995 if ((pkey = X509_get0_pubkey(cert)) == NULL) 996 goto err; 997 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 998 goto err; 999 1000 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 1001 goto err; 1002 1003 if ((mdctx = EVP_MD_CTX_new()) == NULL) 1004 goto err; 1005 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 1006 goto err; 1007 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 1008 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 1009 goto err; 1010 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 1011 goto err; 1012 } 1013 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 1014 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1015 goto err; 1016 } 1017 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 1018 CBS_len(&signature)) <= 0) { 1019 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1020 goto err; 1021 } 1022 1023 ret = 1; 1024 1025 err: 1026 if (!ret && ctx->alert == 0) 1027 ctx->alert = TLS13_ALERT_DECODE_ERROR; 1028 1029 CBB_cleanup(&cbb); 1030 EVP_MD_CTX_free(mdctx); 1031 free(sig_content); 1032 1033 return ret; 1034 } 1035 1036 int 1037 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1038 { 1039 return 0; 1040 } 1041 1042 int 1043 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1044 { 1045 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1046 struct tls13_secret context = { .data = "", .len = 0 }; 1047 struct tls13_secret finished_key; 1048 uint8_t *verify_data = NULL; 1049 size_t verify_data_len; 1050 uint8_t key[EVP_MAX_MD_SIZE]; 1051 HMAC_CTX *hmac_ctx = NULL; 1052 unsigned int hlen; 1053 int ret = 0; 1054 1055 /* 1056 * Verify client finished. 1057 */ 1058 finished_key.data = key; 1059 finished_key.len = EVP_MD_size(ctx->hash); 1060 1061 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1062 &secrets->client_handshake_traffic, "finished", 1063 &context)) 1064 goto err; 1065 1066 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1067 goto err; 1068 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1069 ctx->hash, NULL)) 1070 goto err; 1071 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 1072 ctx->hs->tls13.transcript_hash_len)) 1073 goto err; 1074 verify_data_len = HMAC_size(hmac_ctx); 1075 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1076 goto err; 1077 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1078 goto err; 1079 if (hlen != verify_data_len) 1080 goto err; 1081 1082 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1083 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1084 goto err; 1085 } 1086 1087 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 1088 sizeof(ctx->hs->peer_finished), 1089 &ctx->hs->peer_finished_len)) 1090 goto err; 1091 1092 if (!CBS_skip(cbs, verify_data_len)) 1093 goto err; 1094 1095 /* 1096 * Any records following the client finished message must be encrypted 1097 * using the client application traffic keys. 1098 */ 1099 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1100 &secrets->client_application_traffic)) 1101 goto err; 1102 1103 tls13_record_layer_allow_ccs(ctx->rl, 0); 1104 1105 ret = 1; 1106 1107 err: 1108 HMAC_CTX_free(hmac_ctx); 1109 free(verify_data); 1110 1111 return ret; 1112 } 1113