1 /* $OpenBSD: tls13_client.c,v 1.54.4.1 2020/05/19 20:22:33 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include <openssl/ssl3.h> 21 22 #include "bytestring.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_client_init(struct tls13_ctx *ctx) 29 { 30 const uint16_t *groups; 31 size_t groups_len; 32 SSL *s = ctx->ssl; 33 34 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 35 &ctx->hs->max_version)) { 36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 37 return 0; 38 } 39 s->client_version = s->version = ctx->hs->max_version; 40 41 if (!ssl_get_new_session(s, 0)) /* XXX */ 42 return 0; 43 44 if (!tls1_transcript_init(s)) 45 return 0; 46 47 /* Generate a key share using our preferred group. */ 48 tls1_get_group_list(s, 0, &groups, &groups_len); 49 if (groups_len < 1) 50 return 0; 51 if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL) 52 return 0; 53 if (!tls13_key_share_generate(ctx->hs->key_share)) 54 return 0; 55 56 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 57 58 /* 59 * The legacy session identifier should either be set to an 60 * unpredictable 32-byte value or zero length... a non-zero length 61 * legacy session identifier triggers compatibility mode (see RFC 8446 62 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. 63 */ 64 if (ctx->hs->max_version >= TLS1_3_VERSION) { 65 arc4random_buf(ctx->hs->legacy_session_id, 66 sizeof(ctx->hs->legacy_session_id)); 67 ctx->hs->legacy_session_id_len = 68 sizeof(ctx->hs->legacy_session_id); 69 } 70 71 return 1; 72 } 73 74 int 75 tls13_client_connect(struct tls13_ctx *ctx) 76 { 77 if (ctx->mode != TLS13_HS_CLIENT) 78 return TLS13_IO_FAILURE; 79 80 return tls13_handshake_perform(ctx); 81 } 82 83 static int 84 tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) 85 { 86 CBB cipher_suites, compression_methods, session_id; 87 uint16_t client_version; 88 SSL *s = ctx->ssl; 89 90 /* Legacy client version is capped at TLS 1.2. */ 91 client_version = ctx->hs->max_version; 92 if (client_version > TLS1_2_VERSION) 93 client_version = TLS1_2_VERSION; 94 95 if (!CBB_add_u16(cbb, client_version)) 96 goto err; 97 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) 98 goto err; 99 100 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 101 goto err; 102 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 103 ctx->hs->legacy_session_id_len)) 104 goto err; 105 106 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) 107 goto err; 108 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { 109 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); 110 goto err; 111 } 112 113 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) 114 goto err; 115 if (!CBB_add_u8(&compression_methods, 0)) 116 goto err; 117 118 if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH)) 119 goto err; 120 121 if (!CBB_flush(cbb)) 122 goto err; 123 124 return 1; 125 126 err: 127 return 0; 128 } 129 130 int 131 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) 132 { 133 if (ctx->hs->min_version < TLS1_2_VERSION) 134 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 135 136 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ 137 tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); 138 139 if (!tls13_client_hello_build(ctx, cbb)) 140 return 0; 141 142 return 1; 143 } 144 145 int 146 tls13_client_hello_sent(struct tls13_ctx *ctx) 147 { 148 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 149 tls13_record_layer_allow_ccs(ctx->rl, 1); 150 151 tls1_transcript_freeze(ctx->ssl); 152 153 return 1; 154 } 155 156 static int 157 tls13_server_hello_is_legacy(CBS *cbs) 158 { 159 CBS extensions_block, extensions, extension_data; 160 uint16_t selected_version = 0; 161 uint16_t type; 162 163 CBS_dup(cbs, &extensions_block); 164 165 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 166 return 1; 167 168 while (CBS_len(&extensions) > 0) { 169 if (!CBS_get_u16(&extensions, &type)) 170 return 1; 171 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 172 return 1; 173 174 if (type != TLSEXT_TYPE_supported_versions) 175 continue; 176 if (!CBS_get_u16(&extension_data, &selected_version)) 177 return 1; 178 if (CBS_len(&extension_data) != 0) 179 return 1; 180 } 181 182 return (selected_version < TLS1_3_VERSION); 183 } 184 185 static int 186 tls13_server_hello_is_retry(CBS *cbs) 187 { 188 CBS server_hello, server_random; 189 uint16_t legacy_version; 190 191 CBS_dup(cbs, &server_hello); 192 193 if (!CBS_get_u16(&server_hello, &legacy_version)) 194 return 0; 195 if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE)) 196 return 0; 197 198 /* See if this is a HelloRetryRequest. */ 199 return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 200 sizeof(tls13_hello_retry_request_hash)); 201 } 202 203 static int 204 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) 205 { 206 CBS server_random, session_id; 207 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 208 uint16_t cipher_suite, legacy_version; 209 uint8_t compression_method; 210 const SSL_CIPHER *cipher; 211 int alert_desc; 212 SSL *s = ctx->ssl; 213 214 if (!CBS_get_u16(cbs, &legacy_version)) 215 goto err; 216 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) 217 goto err; 218 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 219 goto err; 220 if (!CBS_get_u16(cbs, &cipher_suite)) 221 goto err; 222 if (!CBS_get_u8(cbs, &compression_method)) 223 goto err; 224 225 if (tls13_server_hello_is_legacy(cbs)) { 226 if (ctx->hs->max_version >= TLS1_3_VERSION) { 227 /* 228 * RFC 8446 section 4.1.3, We must not downgrade if 229 * the server random value contains the TLS 1.2 or 1.1 230 * magical value. 231 */ 232 if (!CBS_skip(&server_random, CBS_len(&server_random) - 233 sizeof(tls13_downgrade_12))) 234 goto err; 235 if (CBS_mem_equal(&server_random, tls13_downgrade_12, 236 sizeof(tls13_downgrade_12)) || 237 CBS_mem_equal(&server_random, tls13_downgrade_11, 238 sizeof(tls13_downgrade_11))) { 239 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 240 goto err; 241 } 242 } 243 244 if (!CBS_skip(cbs, CBS_len(cbs))) 245 goto err; 246 247 ctx->hs->use_legacy = 1; 248 return 1; 249 } 250 251 /* From here on in we know we are doing TLSv1.3. */ 252 tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); 253 254 /* See if this is a HelloRetryRequest. */ 255 /* XXX - see if we can avoid doing this twice. */ 256 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 257 sizeof(tls13_hello_retry_request_hash))) { 258 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 259 ctx->hs->hrr = 1; 260 } 261 262 if (!tlsext_client_parse(s, cbs, &alert_desc, tlsext_msg_type)) { 263 ctx->alert = alert_desc; 264 goto err; 265 } 266 267 /* 268 * See if a supported versions extension was returned. If it was then 269 * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3). 270 * Otherwise, fallback to the legacy version, ensuring that it is both 271 * within range and not TLS 1.3 or greater (which must use the 272 * supported version extension. 273 */ 274 if (ctx->hs->server_version != 0) { 275 if (legacy_version != TLS1_2_VERSION) { 276 ctx->alert = SSL_AD_PROTOCOL_VERSION; 277 goto err; 278 } 279 } else { 280 if (legacy_version < ctx->hs->min_version || 281 legacy_version > ctx->hs->max_version || 282 legacy_version > TLS1_2_VERSION) { 283 ctx->alert = SSL_AD_PROTOCOL_VERSION; 284 goto err; 285 } 286 ctx->hs->server_version = legacy_version; 287 } 288 289 /* The session_id must match. */ 290 if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id, 291 ctx->hs->legacy_session_id_len)) { 292 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 293 goto err; 294 } 295 296 /* 297 * Ensure that the cipher suite is one that we offered in the client 298 * hello and that it matches the TLS version selected. 299 */ 300 cipher = ssl3_get_cipher_by_value(cipher_suite); 301 if (cipher == NULL || 302 sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) { 303 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 304 goto err; 305 } 306 if (ctx->hs->server_version == TLS1_3_VERSION && 307 cipher->algorithm_ssl != SSL_TLSV1_3) { 308 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 309 goto err; 310 } 311 /* XXX - move this to hs_tls13? */ 312 S3I(s)->hs.new_cipher = cipher; 313 314 if (compression_method != 0) { 315 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 316 goto err; 317 } 318 319 return 1; 320 321 err: 322 if (ctx->alert == 0) 323 ctx->alert = TLS1_AD_DECODE_ERROR; 324 325 return 0; 326 } 327 328 static int 329 tls13_client_engage_record_protection(struct tls13_ctx *ctx) 330 { 331 struct tls13_secrets *secrets; 332 struct tls13_secret context; 333 unsigned char buf[EVP_MAX_MD_SIZE]; 334 uint8_t *shared_key = NULL; 335 size_t shared_key_len = 0; 336 size_t hash_len; 337 SSL *s = ctx->ssl; 338 int ret = 0; 339 340 /* Derive the shared key and engage record protection. */ 341 342 if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, 343 &shared_key_len)) 344 goto err; 345 346 s->session->cipher = S3I(s)->hs.new_cipher; 347 s->session->ssl_version = ctx->hs->server_version; 348 349 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 350 goto err; 351 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 352 goto err; 353 354 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 355 goto err; 356 ctx->hs->secrets = secrets; 357 358 /* XXX - pass in hash. */ 359 if (!tls1_transcript_hash_init(s)) 360 goto err; 361 tls1_transcript_free(s); 362 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 363 goto err; 364 context.data = buf; 365 context.len = hash_len; 366 367 /* Early secrets. */ 368 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 369 secrets->zeros.len, &context)) 370 goto err; 371 372 /* Handshake secrets. */ 373 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 374 shared_key_len, &context)) 375 goto err; 376 377 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 378 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 379 380 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 381 &secrets->server_handshake_traffic)) 382 goto err; 383 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 384 &secrets->client_handshake_traffic)) 385 goto err; 386 387 ret = 1; 388 389 err: 390 freezero(shared_key, shared_key_len); 391 392 return ret; 393 } 394 395 int 396 tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) 397 { 398 /* 399 * The state machine has no way of knowing if we're going to receive a 400 * HelloRetryRequest or a ServerHello. As such, we have to handle 401 * this case here and hand off to the appropriate function. 402 */ 403 if (!tls13_server_hello_is_retry(cbs)) { 404 ctx->handshake_stage.hs_type |= WITHOUT_HRR; 405 return tls13_server_hello_recv(ctx, cbs); 406 } 407 408 if (!tls13_server_hello_process(ctx, cbs)) 409 return 0; 410 411 /* 412 * This may have been a TLSv1.2 or earlier ServerHello that just happened 413 * to have matching server random... 414 */ 415 if (ctx->hs->use_legacy) 416 return tls13_use_legacy_client(ctx); 417 418 if (!ctx->hs->hrr) 419 return 0; 420 421 if (!tls13_synthetic_handshake_message(ctx)) 422 return 0; 423 if (!tls13_handshake_msg_record(ctx)) 424 return 0; 425 426 ctx->hs->hrr = 0; 427 428 return 1; 429 } 430 431 int 432 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 433 { 434 /* 435 * Ensure that the server supported group is one that we listed in our 436 * supported groups and is not the same as the key share we previously 437 * offered. 438 */ 439 if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group)) 440 return 0; /* XXX alert */ 441 if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) 442 return 0; /* XXX alert */ 443 444 /* Switch to new key share. */ 445 tls13_key_share_free(ctx->hs->key_share); 446 if ((ctx->hs->key_share = 447 tls13_key_share_new(ctx->hs->server_group)) == NULL) 448 return 0; 449 if (!tls13_key_share_generate(ctx->hs->key_share)) 450 return 0; 451 452 if (!tls13_client_hello_build(ctx, cbb)) 453 return 0; 454 455 return 1; 456 } 457 458 int 459 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 460 { 461 SSL *s = ctx->ssl; 462 463 /* 464 * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3 465 * ServerHello. HelloRetryRequests have already been handled. 466 */ 467 if (!tls13_server_hello_process(ctx, cbs)) 468 return 0; 469 470 if (ctx->handshake_stage.hs_type & WITHOUT_HRR) { 471 tls1_transcript_unfreeze(s); 472 if (!tls13_handshake_msg_record(ctx)) 473 return 0; 474 } 475 476 if (ctx->hs->use_legacy) { 477 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) 478 return 0; 479 return tls13_use_legacy_client(ctx); 480 } 481 482 if (ctx->hs->hrr) { 483 /* The server has sent two HelloRetryRequests. */ 484 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 485 return 0; 486 } 487 488 if (!tls13_client_engage_record_protection(ctx)) 489 return 0; 490 491 ctx->handshake_stage.hs_type |= NEGOTIATED; 492 493 return 1; 494 } 495 496 int 497 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) 498 { 499 int alert_desc; 500 501 if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_EE)) { 502 ctx->alert = alert_desc; 503 goto err; 504 } 505 506 return 1; 507 508 err: 509 if (ctx->alert == 0) 510 ctx->alert = TLS1_AD_DECODE_ERROR; 511 512 return 0; 513 } 514 515 int 516 tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) 517 { 518 CBS cert_request_context; 519 int alert_desc; 520 521 /* 522 * Thanks to poor state design in the RFC, this function can be called 523 * when we actually have a certificate message instead of a certificate 524 * request... in that case we call the certificate handler after 525 * switching state, to avoid advancing state. 526 */ 527 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { 528 ctx->handshake_stage.hs_type |= WITHOUT_CR; 529 return tls13_server_certificate_recv(ctx, cbs); 530 } 531 532 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 533 goto err; 534 if (CBS_len(&cert_request_context) != 0) 535 goto err; 536 537 if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_CR)) { 538 ctx->alert = alert_desc; 539 goto err; 540 } 541 542 return 1; 543 544 err: 545 if (ctx->alert == 0) 546 ctx->alert = TLS1_AD_DECODE_ERROR; 547 return 0; 548 } 549 550 int 551 tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 552 { 553 CBS cert_request_context, cert_list, cert_data, cert_exts; 554 struct stack_st_X509 *certs = NULL; 555 SSL *s = ctx->ssl; 556 X509 *cert = NULL; 557 EVP_PKEY *pkey; 558 const uint8_t *p; 559 int cert_idx; 560 int ret = 0; 561 562 if ((certs = sk_X509_new_null()) == NULL) 563 goto err; 564 565 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 566 goto err; 567 if (CBS_len(&cert_request_context) != 0) 568 goto err; 569 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 570 goto err; 571 572 while (CBS_len(&cert_list) > 0) { 573 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 574 goto err; 575 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 576 goto err; 577 578 p = CBS_data(&cert_data); 579 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 580 goto err; 581 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 582 goto err; 583 584 if (!sk_X509_push(certs, cert)) 585 goto err; 586 587 cert = NULL; 588 } 589 590 /* A server must always provide a non-empty certificate list. */ 591 if (sk_X509_num(certs) < 1) { 592 ctx->alert = SSL_AD_DECODE_ERROR; 593 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 594 "peer failed to provide a certificate", NULL); 595 goto err; 596 } 597 598 /* 599 * At this stage we still have no proof of possession. As such, it would 600 * be preferable to keep the chain and verify once we have successfully 601 * processed the CertificateVerify message. 602 */ 603 if (ssl_verify_cert_chain(s, certs) <= 0 && 604 s->verify_mode != SSL_VERIFY_NONE) { 605 ctx->alert = ssl_verify_alarm_type(s->verify_result); 606 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 607 "failed to verify peer certificate", NULL); 608 goto err; 609 } 610 ERR_clear_error(); 611 612 cert = sk_X509_value(certs, 0); 613 X509_up_ref(cert); 614 615 if ((pkey = X509_get0_pubkey(cert)) == NULL) 616 goto err; 617 if (EVP_PKEY_missing_parameters(pkey)) 618 goto err; 619 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 620 goto err; 621 622 ssl_sess_cert_free(SSI(s)->sess_cert); 623 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 624 goto err; 625 626 SSI(s)->sess_cert->cert_chain = certs; 627 certs = NULL; 628 629 X509_up_ref(cert); 630 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 631 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 632 633 X509_free(s->session->peer); 634 635 X509_up_ref(cert); 636 s->session->peer = cert; 637 s->session->verify_result = s->verify_result; 638 639 ret = 1; 640 641 err: 642 sk_X509_pop_free(certs, X509_free); 643 X509_free(cert); 644 645 return ret; 646 } 647 648 int 649 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 650 { 651 const struct ssl_sigalg *sigalg; 652 uint16_t signature_scheme; 653 uint8_t *sig_content = NULL; 654 size_t sig_content_len; 655 EVP_MD_CTX *mdctx = NULL; 656 EVP_PKEY_CTX *pctx; 657 EVP_PKEY *pkey; 658 X509 *cert; 659 CBS signature; 660 CBB cbb; 661 int ret = 0; 662 663 memset(&cbb, 0, sizeof(cbb)); 664 665 if (!CBS_get_u16(cbs, &signature_scheme)) 666 goto err; 667 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 668 goto err; 669 670 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 671 tls13_sigalgs_len)) == NULL) 672 goto err; 673 674 if (!CBB_init(&cbb, 0)) 675 goto err; 676 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 677 sizeof(tls13_cert_verify_pad))) 678 goto err; 679 if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, 680 strlen(tls13_cert_server_verify_context))) 681 goto err; 682 if (!CBB_add_u8(&cbb, 0)) 683 goto err; 684 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 685 ctx->hs->transcript_hash_len)) 686 goto err; 687 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 688 goto err; 689 690 if ((cert = ctx->ssl->session->peer) == NULL) 691 goto err; 692 if ((pkey = X509_get0_pubkey(cert)) == NULL) 693 goto err; 694 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 695 goto err; 696 697 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 698 goto err; 699 700 if ((mdctx = EVP_MD_CTX_new()) == NULL) 701 goto err; 702 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 703 goto err; 704 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 705 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 706 goto err; 707 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 708 goto err; 709 } 710 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 711 ctx->alert = TLS1_AD_DECRYPT_ERROR; 712 goto err; 713 } 714 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 715 CBS_len(&signature)) <= 0) { 716 ctx->alert = TLS1_AD_DECRYPT_ERROR; 717 goto err; 718 } 719 720 ret = 1; 721 722 err: 723 if (!ret && ctx->alert == 0) 724 ctx->alert = TLS1_AD_DECODE_ERROR; 725 CBB_cleanup(&cbb); 726 EVP_MD_CTX_free(mdctx); 727 free(sig_content); 728 729 return ret; 730 } 731 732 int 733 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 734 { 735 struct tls13_secrets *secrets = ctx->hs->secrets; 736 struct tls13_secret context = { .data = "", .len = 0 }; 737 struct tls13_secret finished_key; 738 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 739 size_t transcript_hash_len; 740 uint8_t *verify_data = NULL; 741 size_t verify_data_len; 742 uint8_t key[EVP_MAX_MD_SIZE]; 743 HMAC_CTX *hmac_ctx = NULL; 744 unsigned int hlen; 745 int ret = 0; 746 747 /* 748 * Verify server finished. 749 */ 750 finished_key.data = key; 751 finished_key.len = EVP_MD_size(ctx->hash); 752 753 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 754 &secrets->server_handshake_traffic, "finished", 755 &context)) 756 goto err; 757 758 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 759 goto err; 760 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 761 ctx->hash, NULL)) 762 goto err; 763 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 764 ctx->hs->transcript_hash_len)) 765 goto err; 766 verify_data_len = HMAC_size(hmac_ctx); 767 if ((verify_data = calloc(1, verify_data_len)) == NULL) 768 goto err; 769 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 770 goto err; 771 if (hlen != verify_data_len) 772 goto err; 773 774 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 775 ctx->alert = TLS1_AD_DECRYPT_ERROR; 776 goto err; 777 } 778 779 if (!CBS_skip(cbs, verify_data_len)) 780 goto err; 781 782 /* 783 * Derive application traffic keys. 784 */ 785 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 786 sizeof(transcript_hash), &transcript_hash_len)) 787 goto err; 788 789 context.data = transcript_hash; 790 context.len = transcript_hash_len; 791 792 if (!tls13_derive_application_secrets(secrets, &context)) 793 goto err; 794 795 /* 796 * Any records following the server finished message must be encrypted 797 * using the server application traffic keys. 798 */ 799 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 800 &secrets->server_application_traffic)) 801 goto err; 802 803 tls13_record_layer_allow_ccs(ctx->rl, 0); 804 805 ret = 1; 806 807 err: 808 HMAC_CTX_free(hmac_ctx); 809 free(verify_data); 810 811 return ret; 812 } 813 814 int 815 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 816 { 817 SSL *s = ctx->ssl; 818 CBB cert_request_context, cert_list; 819 STACK_OF(X509) *chain; 820 CERT_PKEY *cpk; 821 X509 *cert; 822 int i, ret = 0; 823 824 /* XXX - Need to revisit certificate selection. */ 825 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 826 827 if ((chain = cpk->chain) == NULL) 828 chain = s->ctx->extra_certs; 829 830 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 831 goto err; 832 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 833 goto err; 834 835 if (cpk->x509 == NULL) 836 goto done; 837 838 if (!tls13_cert_add(&cert_list, cpk->x509)) 839 goto err; 840 841 for (i = 0; i < sk_X509_num(chain); i++) { 842 cert = sk_X509_value(chain, i); 843 if (!tls13_cert_add(&cert_list, cert)) 844 goto err; 845 } 846 847 ctx->handshake_stage.hs_type |= WITH_CCV; 848 done: 849 if (!CBB_flush(cbb)) 850 goto err; 851 852 ret = 1; 853 854 err: 855 return ret; 856 } 857 858 int 859 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 860 { 861 SSL *s = ctx->ssl; 862 const struct ssl_sigalg *sigalg = NULL; 863 uint8_t *sig = NULL, *sig_content = NULL; 864 size_t sig_len, sig_content_len; 865 EVP_MD_CTX *mdctx = NULL; 866 EVP_PKEY_CTX *pctx; 867 EVP_PKEY *pkey; 868 CERT_PKEY *cpk; 869 CBB sig_cbb; 870 int ret = 0; 871 872 memset(&sig_cbb, 0, sizeof(sig_cbb)); 873 874 /* XXX - Need to revisit certificate selection. */ 875 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 876 pkey = cpk->privatekey; 877 878 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 879 /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */ 880 goto err; 881 } 882 883 if (!CBB_init(&sig_cbb, 0)) 884 goto err; 885 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 886 sizeof(tls13_cert_verify_pad))) 887 goto err; 888 if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, 889 strlen(tls13_cert_client_verify_context))) 890 goto err; 891 if (!CBB_add_u8(&sig_cbb, 0)) 892 goto err; 893 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 894 ctx->hs->transcript_hash_len)) 895 goto err; 896 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 897 goto err; 898 899 if ((mdctx = EVP_MD_CTX_new()) == NULL) 900 goto err; 901 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 902 goto err; 903 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 904 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 905 goto err; 906 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 907 goto err; 908 } 909 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 910 goto err; 911 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 912 goto err; 913 if ((sig = calloc(1, sig_len)) == NULL) 914 goto err; 915 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 916 goto err; 917 918 if (!CBB_add_u16(cbb, sigalg->value)) 919 goto err; 920 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 921 goto err; 922 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 923 goto err; 924 925 if (!CBB_flush(cbb)) 926 goto err; 927 928 ret = 1; 929 930 err: 931 if (!ret && ctx->alert == 0) 932 ctx->alert = TLS1_AD_INTERNAL_ERROR; 933 934 CBB_cleanup(&sig_cbb); 935 EVP_MD_CTX_free(mdctx); 936 free(sig_content); 937 free(sig); 938 939 return ret; 940 } 941 942 int 943 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) 944 { 945 return 0; 946 } 947 948 int 949 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) 950 { 951 struct tls13_secrets *secrets = ctx->hs->secrets; 952 struct tls13_secret context = { .data = "", .len = 0 }; 953 struct tls13_secret finished_key; 954 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 955 size_t transcript_hash_len; 956 uint8_t key[EVP_MAX_MD_SIZE]; 957 uint8_t *verify_data; 958 size_t hmac_len; 959 unsigned int hlen; 960 HMAC_CTX *hmac_ctx = NULL; 961 int ret = 0; 962 963 finished_key.data = key; 964 finished_key.len = EVP_MD_size(ctx->hash); 965 966 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 967 &secrets->client_handshake_traffic, "finished", 968 &context)) 969 goto err; 970 971 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 972 sizeof(transcript_hash), &transcript_hash_len)) 973 goto err; 974 975 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 976 goto err; 977 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 978 ctx->hash, NULL)) 979 goto err; 980 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 981 goto err; 982 983 hmac_len = HMAC_size(hmac_ctx); 984 if (!CBB_add_space(cbb, &verify_data, hmac_len)) 985 goto err; 986 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 987 goto err; 988 if (hlen != hmac_len) 989 goto err; 990 991 ret = 1; 992 993 err: 994 HMAC_CTX_free(hmac_ctx); 995 996 return ret; 997 } 998 999 int 1000 tls13_client_finished_sent(struct tls13_ctx *ctx) 1001 { 1002 struct tls13_secrets *secrets = ctx->hs->secrets; 1003 1004 /* 1005 * Any records following the client finished message must be encrypted 1006 * using the client application traffic keys. 1007 */ 1008 return tls13_record_layer_set_write_traffic_key(ctx->rl, 1009 &secrets->client_application_traffic); 1010 } 1011