1 /* $OpenBSD: tls13_client.c,v 1.99 2022/09/11 14:33:07 jsing Exp $ */
2 /*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <openssl/ssl3.h>
19
20 #include "bytestring.h"
21 #include "ssl_locl.h"
22 #include "ssl_sigalgs.h"
23 #include "ssl_tlsext.h"
24 #include "tls13_handshake.h"
25 #include "tls13_internal.h"
26
27 int
tls13_client_init(struct tls13_ctx * ctx)28 tls13_client_init(struct tls13_ctx *ctx)
29 {
30 const uint16_t *groups;
31 size_t groups_len;
32 SSL *s = ctx->ssl;
33
34 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
35 &ctx->hs->our_max_tls_version)) {
36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
37 return 0;
38 }
39 s->version = ctx->hs->our_max_tls_version;
40
41 tls13_record_layer_set_retry_after_phh(ctx->rl,
42 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
43
44 if (!ssl_get_new_session(s, 0)) /* XXX */
45 return 0;
46
47 if (!tls1_transcript_init(s))
48 return 0;
49
50 /* Generate a key share using our preferred group. */
51 tls1_get_group_list(s, 0, &groups, &groups_len);
52 if (groups_len < 1)
53 return 0;
54 if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
55 return 0;
56 if (!tls_key_share_generate(ctx->hs->key_share))
57 return 0;
58
59 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
60
61 /*
62 * The legacy session identifier should either be set to an
63 * unpredictable 32-byte value or zero length... a non-zero length
64 * legacy session identifier triggers compatibility mode (see RFC 8446
65 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
66 */
67 if (ctx->middlebox_compat &&
68 ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
69 arc4random_buf(ctx->hs->tls13.legacy_session_id,
70 sizeof(ctx->hs->tls13.legacy_session_id));
71 ctx->hs->tls13.legacy_session_id_len =
72 sizeof(ctx->hs->tls13.legacy_session_id);
73 }
74
75 return 1;
76 }
77
78 int
tls13_client_connect(struct tls13_ctx * ctx)79 tls13_client_connect(struct tls13_ctx *ctx)
80 {
81 if (ctx->mode != TLS13_HS_CLIENT)
82 return TLS13_IO_FAILURE;
83
84 return tls13_handshake_perform(ctx);
85 }
86
87 static int
tls13_client_hello_build(struct tls13_ctx * ctx,CBB * cbb)88 tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
89 {
90 CBB cipher_suites, compression_methods, session_id;
91 uint16_t client_version;
92 SSL *s = ctx->ssl;
93
94 /* Legacy client version is capped at TLS 1.2. */
95 if (!ssl_max_legacy_version(s, &client_version))
96 goto err;
97
98 if (!CBB_add_u16(cbb, client_version))
99 goto err;
100 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
101 goto err;
102
103 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
104 goto err;
105 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
106 ctx->hs->tls13.legacy_session_id_len))
107 goto err;
108
109 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
110 goto err;
111 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) {
112 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
113 goto err;
114 }
115
116 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods))
117 goto err;
118 if (!CBB_add_u8(&compression_methods, 0))
119 goto err;
120
121 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb))
122 goto err;
123
124 if (!CBB_flush(cbb))
125 goto err;
126
127 return 1;
128
129 err:
130 return 0;
131 }
132
133 int
tls13_client_hello_send(struct tls13_ctx * ctx,CBB * cbb)134 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
135 {
136 if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
137 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
138
139 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
140 tls13_record_layer_allow_legacy_alerts(ctx->rl, 1);
141
142 if (!tls13_client_hello_build(ctx, cbb))
143 return 0;
144
145 return 1;
146 }
147
148 int
tls13_client_hello_sent(struct tls13_ctx * ctx)149 tls13_client_hello_sent(struct tls13_ctx *ctx)
150 {
151 tls1_transcript_freeze(ctx->ssl);
152
153 if (ctx->middlebox_compat) {
154 tls13_record_layer_allow_ccs(ctx->rl, 1);
155 ctx->send_dummy_ccs = 1;
156 }
157
158 return 1;
159 }
160
161 static int
tls13_server_hello_is_legacy(CBS * cbs)162 tls13_server_hello_is_legacy(CBS *cbs)
163 {
164 CBS extensions_block, extensions, extension_data;
165 uint16_t selected_version = 0;
166 uint16_t type;
167
168 CBS_dup(cbs, &extensions_block);
169
170 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
171 return 1;
172
173 while (CBS_len(&extensions) > 0) {
174 if (!CBS_get_u16(&extensions, &type))
175 return 1;
176 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
177 return 1;
178
179 if (type != TLSEXT_TYPE_supported_versions)
180 continue;
181 if (!CBS_get_u16(&extension_data, &selected_version))
182 return 1;
183 if (CBS_len(&extension_data) != 0)
184 return 1;
185 }
186
187 return (selected_version < TLS1_3_VERSION);
188 }
189
190 static int
tls13_server_hello_is_retry(CBS * cbs)191 tls13_server_hello_is_retry(CBS *cbs)
192 {
193 CBS server_hello, server_random;
194 uint16_t legacy_version;
195
196 CBS_dup(cbs, &server_hello);
197
198 if (!CBS_get_u16(&server_hello, &legacy_version))
199 return 0;
200 if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE))
201 return 0;
202
203 /* See if this is a HelloRetryRequest. */
204 return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
205 sizeof(tls13_hello_retry_request_hash));
206 }
207
208 static int
tls13_server_hello_process(struct tls13_ctx * ctx,CBS * cbs)209 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
210 {
211 CBS server_random, session_id;
212 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
213 uint16_t cipher_suite, legacy_version;
214 uint8_t compression_method;
215 const SSL_CIPHER *cipher;
216 int alert_desc;
217 SSL *s = ctx->ssl;
218
219 if (!CBS_get_u16(cbs, &legacy_version))
220 goto err;
221 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
222 goto err;
223 if (!CBS_get_u8_length_prefixed(cbs, &session_id))
224 goto err;
225 if (!CBS_get_u16(cbs, &cipher_suite))
226 goto err;
227 if (!CBS_get_u8(cbs, &compression_method))
228 goto err;
229
230 if (tls13_server_hello_is_legacy(cbs)) {
231 if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
232 /*
233 * RFC 8446 section 4.1.3: we must not downgrade if
234 * the server random value contains the TLS 1.2 or 1.1
235 * magical value.
236 */
237 if (!CBS_skip(&server_random, CBS_len(&server_random) -
238 sizeof(tls13_downgrade_12)))
239 goto err;
240 if (CBS_mem_equal(&server_random, tls13_downgrade_12,
241 sizeof(tls13_downgrade_12)) ||
242 CBS_mem_equal(&server_random, tls13_downgrade_11,
243 sizeof(tls13_downgrade_11))) {
244 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
245 goto err;
246 }
247 }
248
249 if (!CBS_skip(cbs, CBS_len(cbs)))
250 goto err;
251
252 ctx->hs->tls13.use_legacy = 1;
253 return 1;
254 }
255
256 /* From here on in we know we are doing TLSv1.3. */
257 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
258 tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
259
260 /* See if this is a HelloRetryRequest. */
261 /* XXX - see if we can avoid doing this twice. */
262 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
263 sizeof(tls13_hello_retry_request_hash))) {
264 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
265 ctx->hs->tls13.hrr = 1;
266 }
267
268 if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
269 ctx->alert = alert_desc;
270 goto err;
271 }
272
273 /*
274 * The supported versions extension indicated 0x0304 or greater.
275 * Ensure that it was 0x0304 and that legacy version is set to 0x0303
276 * (RFC 8446 section 4.2.1).
277 */
278 if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
279 legacy_version != TLS1_2_VERSION) {
280 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
281 goto err;
282 }
283 ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
284 ctx->hs->peer_legacy_version = legacy_version;
285
286 /* The session_id must match. */
287 if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
288 ctx->hs->tls13.legacy_session_id_len)) {
289 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
290 goto err;
291 }
292
293 /*
294 * Ensure that the cipher suite is one that we offered in the client
295 * hello and that it is a TLSv1.3 cipher suite.
296 */
297 cipher = ssl3_get_cipher_by_value(cipher_suite);
298 if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
299 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
300 goto err;
301 }
302 if (cipher->algorithm_ssl != SSL_TLSV1_3) {
303 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
304 goto err;
305 }
306 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) {
307 /*
308 * A ServerHello following a HelloRetryRequest MUST use the same
309 * cipher suite (RFC 8446 section 4.1.4).
310 */
311 if (ctx->hs->cipher != cipher) {
312 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
313 goto err;
314 }
315 }
316 ctx->hs->cipher = cipher;
317
318 if (compression_method != 0) {
319 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
320 goto err;
321 }
322
323 return 1;
324
325 err:
326 if (ctx->alert == 0)
327 ctx->alert = TLS13_ALERT_DECODE_ERROR;
328
329 return 0;
330 }
331
332 static int
tls13_client_engage_record_protection(struct tls13_ctx * ctx)333 tls13_client_engage_record_protection(struct tls13_ctx *ctx)
334 {
335 struct tls13_secrets *secrets;
336 struct tls13_secret context;
337 unsigned char buf[EVP_MAX_MD_SIZE];
338 uint8_t *shared_key = NULL;
339 size_t shared_key_len = 0;
340 size_t hash_len;
341 SSL *s = ctx->ssl;
342 int ret = 0;
343
344 /* Derive the shared key and engage record protection. */
345
346 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
347 &shared_key_len))
348 goto err;
349
350 s->session->cipher = ctx->hs->cipher;
351 s->session->ssl_version = ctx->hs->tls13.server_version;
352
353 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
354 goto err;
355 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
356 goto err;
357
358 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
359 goto err;
360 ctx->hs->tls13.secrets = secrets;
361
362 /* XXX - pass in hash. */
363 if (!tls1_transcript_hash_init(s))
364 goto err;
365 tls1_transcript_free(s);
366 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
367 goto err;
368 context.data = buf;
369 context.len = hash_len;
370
371 /* Early secrets. */
372 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
373 secrets->zeros.len, &context))
374 goto err;
375
376 /* Handshake secrets. */
377 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
378 shared_key_len, &context))
379 goto err;
380
381 tls13_record_layer_set_aead(ctx->rl, ctx->aead);
382 tls13_record_layer_set_hash(ctx->rl, ctx->hash);
383
384 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
385 &secrets->server_handshake_traffic, ssl_encryption_handshake))
386 goto err;
387 if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
388 &secrets->client_handshake_traffic, ssl_encryption_handshake))
389 goto err;
390
391 ret = 1;
392
393 err:
394 freezero(shared_key, shared_key_len);
395
396 return ret;
397 }
398
399 int
tls13_server_hello_retry_request_recv(struct tls13_ctx * ctx,CBS * cbs)400 tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
401 {
402 /*
403 * The state machine has no way of knowing if we're going to receive a
404 * HelloRetryRequest or a ServerHello. As such, we have to handle
405 * this case here and hand off to the appropriate function.
406 */
407 if (!tls13_server_hello_is_retry(cbs)) {
408 ctx->handshake_stage.hs_type |= WITHOUT_HRR;
409 return tls13_server_hello_recv(ctx, cbs);
410 }
411
412 if (!tls13_server_hello_process(ctx, cbs))
413 return 0;
414
415 /*
416 * This may have been a TLSv1.2 or earlier ServerHello that just
417 * happened to have matching server random...
418 */
419 if (ctx->hs->tls13.use_legacy)
420 return tls13_use_legacy_client(ctx);
421
422 if (!ctx->hs->tls13.hrr)
423 return 0;
424
425 if (!tls13_synthetic_handshake_message(ctx))
426 return 0;
427 if (!tls13_handshake_msg_record(ctx))
428 return 0;
429
430 ctx->hs->tls13.hrr = 0;
431
432 return 1;
433 }
434
435 int
tls13_client_hello_retry_send(struct tls13_ctx * ctx,CBB * cbb)436 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
437 {
438 /*
439 * Ensure that the server supported group is one that we listed in our
440 * supported groups and is not the same as the key share we previously
441 * offered.
442 */
443 if (!tls1_check_group(ctx->ssl, ctx->hs->tls13.server_group))
444 return 0; /* XXX alert */
445 if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share))
446 return 0; /* XXX alert */
447
448 /* Switch to new key share. */
449 tls_key_share_free(ctx->hs->key_share);
450 if ((ctx->hs->key_share =
451 tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
452 return 0;
453 if (!tls_key_share_generate(ctx->hs->key_share))
454 return 0;
455
456 if (!tls13_client_hello_build(ctx, cbb))
457 return 0;
458
459 return 1;
460 }
461
462 int
tls13_server_hello_recv(struct tls13_ctx * ctx,CBS * cbs)463 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
464 {
465 SSL *s = ctx->ssl;
466
467 /*
468 * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3
469 * ServerHello. HelloRetryRequests have already been handled.
470 */
471 if (!tls13_server_hello_process(ctx, cbs))
472 return 0;
473
474 if (ctx->handshake_stage.hs_type & WITHOUT_HRR) {
475 tls1_transcript_unfreeze(s);
476 if (!tls13_handshake_msg_record(ctx))
477 return 0;
478 }
479
480 if (ctx->hs->tls13.use_legacy) {
481 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
482 return 0;
483 return tls13_use_legacy_client(ctx);
484 }
485
486 if (ctx->hs->tls13.hrr) {
487 /* The server has sent two HelloRetryRequests. */
488 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
489 return 0;
490 }
491
492 if (!tls13_client_engage_record_protection(ctx))
493 return 0;
494
495 ctx->handshake_stage.hs_type |= NEGOTIATED;
496
497 return 1;
498 }
499
500 int
tls13_server_encrypted_extensions_recv(struct tls13_ctx * ctx,CBS * cbs)501 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs)
502 {
503 int alert_desc;
504
505 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) {
506 ctx->alert = alert_desc;
507 return 0;
508 }
509
510 return 1;
511 }
512
513 int
tls13_server_certificate_request_recv(struct tls13_ctx * ctx,CBS * cbs)514 tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs)
515 {
516 CBS cert_request_context;
517 int alert_desc;
518
519 /*
520 * Thanks to poor state design in the RFC, this function can be called
521 * when we actually have a certificate message instead of a certificate
522 * request... in that case we call the certificate handler after
523 * switching state, to avoid advancing state.
524 */
525 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) {
526 ctx->handshake_stage.hs_type |= WITHOUT_CR;
527 return tls13_server_certificate_recv(ctx, cbs);
528 }
529
530 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
531 goto err;
532 if (CBS_len(&cert_request_context) != 0)
533 goto err;
534
535 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) {
536 ctx->alert = alert_desc;
537 goto err;
538 }
539
540 return 1;
541
542 err:
543 if (ctx->alert == 0)
544 ctx->alert = TLS13_ALERT_DECODE_ERROR;
545
546 return 0;
547 }
548
549 int
tls13_server_certificate_recv(struct tls13_ctx * ctx,CBS * cbs)550 tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
551 {
552 CBS cert_request_context, cert_list, cert_data;
553 struct stack_st_X509 *certs = NULL;
554 SSL *s = ctx->ssl;
555 X509 *cert = NULL;
556 const uint8_t *p;
557 int alert_desc;
558 int ret = 0;
559
560 if ((certs = sk_X509_new_null()) == NULL)
561 goto err;
562
563 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
564 goto err;
565 if (CBS_len(&cert_request_context) != 0)
566 goto err;
567 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
568 goto err;
569
570 while (CBS_len(&cert_list) > 0) {
571 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
572 goto err;
573
574 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT,
575 &cert_list, &alert_desc)) {
576 ctx->alert = alert_desc;
577 goto err;
578 }
579
580 p = CBS_data(&cert_data);
581 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
582 goto err;
583 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
584 goto err;
585
586 if (!sk_X509_push(certs, cert))
587 goto err;
588
589 cert = NULL;
590 }
591
592 /* A server must always provide a non-empty certificate list. */
593 if (sk_X509_num(certs) < 1) {
594 ctx->alert = TLS13_ALERT_DECODE_ERROR;
595 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
596 "peer failed to provide a certificate", NULL);
597 goto err;
598 }
599
600 /*
601 * At this stage we still have no proof of possession. As such, it would
602 * be preferable to keep the chain and verify once we have successfully
603 * processed the CertificateVerify message.
604 */
605 if (ssl_verify_cert_chain(s, certs) <= 0 &&
606 s->verify_mode != SSL_VERIFY_NONE) {
607 ctx->alert = ssl_verify_alarm_type(s->verify_result);
608 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
609 "failed to verify peer certificate", NULL);
610 goto err;
611 }
612 s->session->verify_result = s->verify_result;
613 ERR_clear_error();
614
615 if (!tls_process_peer_certs(s, certs))
616 goto err;
617
618 if (ctx->ocsp_status_recv_cb != NULL &&
619 !ctx->ocsp_status_recv_cb(ctx))
620 goto err;
621
622 ret = 1;
623
624 err:
625 sk_X509_pop_free(certs, X509_free);
626 X509_free(cert);
627
628 return ret;
629 }
630
631 int
tls13_server_certificate_verify_recv(struct tls13_ctx * ctx,CBS * cbs)632 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
633 {
634 const struct ssl_sigalg *sigalg;
635 uint16_t signature_scheme;
636 uint8_t *sig_content = NULL;
637 size_t sig_content_len;
638 EVP_MD_CTX *mdctx = NULL;
639 EVP_PKEY_CTX *pctx;
640 EVP_PKEY *pkey;
641 X509 *cert;
642 CBS signature;
643 CBB cbb;
644 int ret = 0;
645
646 memset(&cbb, 0, sizeof(cbb));
647
648 if (!CBS_get_u16(cbs, &signature_scheme))
649 goto err;
650 if (!CBS_get_u16_length_prefixed(cbs, &signature))
651 goto err;
652
653 if (!CBB_init(&cbb, 0))
654 goto err;
655 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
656 sizeof(tls13_cert_verify_pad)))
657 goto err;
658 if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context,
659 strlen(tls13_cert_server_verify_context)))
660 goto err;
661 if (!CBB_add_u8(&cbb, 0))
662 goto err;
663 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
664 ctx->hs->tls13.transcript_hash_len))
665 goto err;
666 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
667 goto err;
668
669 if ((cert = ctx->ssl->session->peer_cert) == NULL)
670 goto err;
671 if ((pkey = X509_get0_pubkey(cert)) == NULL)
672 goto err;
673 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
674 signature_scheme)) == NULL)
675 goto err;
676 ctx->hs->peer_sigalg = sigalg;
677
678 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
679 goto err;
680
681 if ((mdctx = EVP_MD_CTX_new()) == NULL)
682 goto err;
683 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
684 goto err;
685 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
686 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
687 goto err;
688 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
689 goto err;
690 }
691 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
692 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
693 goto err;
694 }
695 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
696 CBS_len(&signature)) <= 0) {
697 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
698 goto err;
699 }
700
701 ret = 1;
702
703 err:
704 if (!ret && ctx->alert == 0)
705 ctx->alert = TLS13_ALERT_DECODE_ERROR;
706 CBB_cleanup(&cbb);
707 EVP_MD_CTX_free(mdctx);
708 free(sig_content);
709
710 return ret;
711 }
712
713 int
tls13_server_finished_recv(struct tls13_ctx * ctx,CBS * cbs)714 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
715 {
716 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
717 struct tls13_secret context = { .data = "", .len = 0 };
718 struct tls13_secret finished_key;
719 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
720 size_t transcript_hash_len;
721 uint8_t *verify_data = NULL;
722 size_t verify_data_len;
723 uint8_t key[EVP_MAX_MD_SIZE];
724 HMAC_CTX *hmac_ctx = NULL;
725 unsigned int hlen;
726 int ret = 0;
727
728 /*
729 * Verify server finished.
730 */
731 finished_key.data = key;
732 finished_key.len = EVP_MD_size(ctx->hash);
733
734 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
735 &secrets->server_handshake_traffic, "finished",
736 &context))
737 goto err;
738
739 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
740 goto err;
741 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
742 ctx->hash, NULL))
743 goto err;
744 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
745 ctx->hs->tls13.transcript_hash_len))
746 goto err;
747 verify_data_len = HMAC_size(hmac_ctx);
748 if ((verify_data = calloc(1, verify_data_len)) == NULL)
749 goto err;
750 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
751 goto err;
752 if (hlen != verify_data_len)
753 goto err;
754
755 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
756 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
757 goto err;
758 }
759
760 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
761 sizeof(ctx->hs->peer_finished),
762 &ctx->hs->peer_finished_len))
763 goto err;
764
765 if (!CBS_skip(cbs, verify_data_len))
766 goto err;
767
768 /*
769 * Derive application traffic keys.
770 */
771 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
772 sizeof(transcript_hash), &transcript_hash_len))
773 goto err;
774
775 context.data = transcript_hash;
776 context.len = transcript_hash_len;
777
778 if (!tls13_derive_application_secrets(secrets, &context))
779 goto err;
780
781 /*
782 * Any records following the server finished message must be encrypted
783 * using the server application traffic keys.
784 */
785 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
786 &secrets->server_application_traffic, ssl_encryption_application))
787 goto err;
788
789 tls13_record_layer_allow_ccs(ctx->rl, 0);
790
791 ret = 1;
792
793 err:
794 HMAC_CTX_free(hmac_ctx);
795 free(verify_data);
796
797 return ret;
798 }
799
800 static int
tls13_client_check_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY * cpk,int * ok,const struct ssl_sigalg ** out_sigalg)801 tls13_client_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
802 int *ok, const struct ssl_sigalg **out_sigalg)
803 {
804 const struct ssl_sigalg *sigalg;
805 SSL *s = ctx->ssl;
806
807 *ok = 0;
808 *out_sigalg = NULL;
809
810 if (cpk->x509 == NULL || cpk->privatekey == NULL)
811 goto done;
812
813 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
814 goto done;
815
816 *ok = 1;
817 *out_sigalg = sigalg;
818
819 done:
820 return 1;
821 }
822
823 static int
tls13_client_select_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY ** out_cpk,const struct ssl_sigalg ** out_sigalg)824 tls13_client_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
825 const struct ssl_sigalg **out_sigalg)
826 {
827 SSL *s = ctx->ssl;
828 const struct ssl_sigalg *sigalg;
829 SSL_CERT_PKEY *cpk;
830 int cert_ok;
831
832 *out_cpk = NULL;
833 *out_sigalg = NULL;
834
835 /*
836 * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences
837 * with the certificate_authorities (4.2.4) and oid_filters (4.2.5)
838 * extensions. We should honor the former and must apply the latter.
839 */
840
841 cpk = &s->cert->pkeys[SSL_PKEY_ECC];
842 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
843 return 0;
844 if (cert_ok)
845 goto done;
846
847 cpk = &s->cert->pkeys[SSL_PKEY_RSA];
848 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
849 return 0;
850 if (cert_ok)
851 goto done;
852
853 cpk = NULL;
854 sigalg = NULL;
855
856 done:
857 *out_cpk = cpk;
858 *out_sigalg = sigalg;
859
860 return 1;
861 }
862
863 int
tls13_client_certificate_send(struct tls13_ctx * ctx,CBB * cbb)864 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
865 {
866 SSL *s = ctx->ssl;
867 CBB cert_request_context, cert_list;
868 const struct ssl_sigalg *sigalg;
869 STACK_OF(X509) *chain;
870 SSL_CERT_PKEY *cpk;
871 X509 *cert;
872 int i, ret = 0;
873
874 if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
875 goto err;
876
877 ctx->hs->tls13.cpk = cpk;
878 ctx->hs->our_sigalg = sigalg;
879
880 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
881 goto err;
882 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
883 goto err;
884
885 /* No certificate selected. */
886 if (cpk == NULL)
887 goto done;
888
889 if ((chain = cpk->chain) == NULL)
890 chain = s->ctx->extra_certs;
891
892 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build))
893 goto err;
894
895 for (i = 0; i < sk_X509_num(chain); i++) {
896 cert = sk_X509_value(chain, i);
897 if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build))
898 goto err;
899 }
900
901 ctx->handshake_stage.hs_type |= WITH_CCV;
902 done:
903 if (!CBB_flush(cbb))
904 goto err;
905
906 ret = 1;
907
908 err:
909 return ret;
910 }
911
912 int
tls13_client_certificate_verify_send(struct tls13_ctx * ctx,CBB * cbb)913 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
914 {
915 const struct ssl_sigalg *sigalg;
916 uint8_t *sig = NULL, *sig_content = NULL;
917 size_t sig_len, sig_content_len;
918 EVP_MD_CTX *mdctx = NULL;
919 EVP_PKEY_CTX *pctx;
920 EVP_PKEY *pkey;
921 const SSL_CERT_PKEY *cpk;
922 CBB sig_cbb;
923 int ret = 0;
924
925 memset(&sig_cbb, 0, sizeof(sig_cbb));
926
927 if ((cpk = ctx->hs->tls13.cpk) == NULL)
928 goto err;
929 if ((sigalg = ctx->hs->our_sigalg) == NULL)
930 goto err;
931 pkey = cpk->privatekey;
932
933 if (!CBB_init(&sig_cbb, 0))
934 goto err;
935 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
936 sizeof(tls13_cert_verify_pad)))
937 goto err;
938 if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context,
939 strlen(tls13_cert_client_verify_context)))
940 goto err;
941 if (!CBB_add_u8(&sig_cbb, 0))
942 goto err;
943 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
944 ctx->hs->tls13.transcript_hash_len))
945 goto err;
946 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
947 goto err;
948
949 if ((mdctx = EVP_MD_CTX_new()) == NULL)
950 goto err;
951 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
952 goto err;
953 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
954 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
955 goto err;
956 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
957 goto err;
958 }
959 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
960 goto err;
961 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
962 goto err;
963 if ((sig = calloc(1, sig_len)) == NULL)
964 goto err;
965 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
966 goto err;
967
968 if (!CBB_add_u16(cbb, sigalg->value))
969 goto err;
970 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
971 goto err;
972 if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
973 goto err;
974
975 if (!CBB_flush(cbb))
976 goto err;
977
978 ret = 1;
979
980 err:
981 if (!ret && ctx->alert == 0)
982 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
983
984 CBB_cleanup(&sig_cbb);
985 EVP_MD_CTX_free(mdctx);
986 free(sig_content);
987 free(sig);
988
989 return ret;
990 }
991
992 int
tls13_client_end_of_early_data_send(struct tls13_ctx * ctx,CBB * cbb)993 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
994 {
995 return 0;
996 }
997
998 int
tls13_client_finished_send(struct tls13_ctx * ctx,CBB * cbb)999 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
1000 {
1001 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1002 struct tls13_secret context = { .data = "", .len = 0 };
1003 struct tls13_secret finished_key = { .data = NULL, .len = 0 };
1004 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
1005 size_t transcript_hash_len;
1006 uint8_t *verify_data;
1007 size_t verify_data_len;
1008 unsigned int hlen;
1009 HMAC_CTX *hmac_ctx = NULL;
1010 CBS cbs;
1011 int ret = 0;
1012
1013 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
1014 goto err;
1015
1016 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1017 &secrets->client_handshake_traffic, "finished",
1018 &context))
1019 goto err;
1020
1021 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
1022 sizeof(transcript_hash), &transcript_hash_len))
1023 goto err;
1024
1025 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1026 goto err;
1027 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1028 ctx->hash, NULL))
1029 goto err;
1030 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
1031 goto err;
1032
1033 verify_data_len = HMAC_size(hmac_ctx);
1034 if (!CBB_add_space(cbb, &verify_data, verify_data_len))
1035 goto err;
1036 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1037 goto err;
1038 if (hlen != verify_data_len)
1039 goto err;
1040
1041 CBS_init(&cbs, verify_data, verify_data_len);
1042 if (!CBS_write_bytes(&cbs, ctx->hs->finished,
1043 sizeof(ctx->hs->finished), &ctx->hs->finished_len))
1044 goto err;
1045
1046 ret = 1;
1047
1048 err:
1049 tls13_secret_cleanup(&finished_key);
1050 HMAC_CTX_free(hmac_ctx);
1051
1052 return ret;
1053 }
1054
1055 int
tls13_client_finished_sent(struct tls13_ctx * ctx)1056 tls13_client_finished_sent(struct tls13_ctx *ctx)
1057 {
1058 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1059
1060 /*
1061 * Any records following the client finished message must be encrypted
1062 * using the client application traffic keys.
1063 */
1064 return tls13_record_layer_set_write_traffic_key(ctx->rl,
1065 &secrets->client_application_traffic, ssl_encryption_application);
1066 }
1067