1 /* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/x509v3.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_tlsext.h" 23 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_server_init(struct tls13_ctx *ctx) 29 { 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 33 &ctx->hs->max_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->max_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53 } 54 55 int 56 tls13_server_accept(struct tls13_ctx *ctx) 57 { 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62 } 63 64 static int 65 tls13_client_hello_is_legacy(CBS *cbs) 66 { 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97 } 98 99 int 100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101 { 102 SSL *ssl = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * If we got no pre_shared_key, then signature_algorithms and 112 * supported_groups must both be present. 113 */ 114 if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) { 115 if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms)) 116 return 0; 117 if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups)) 118 return 0; 119 } 120 121 /* 122 * supported_groups and key_share must either both be present or 123 * both be absent. 124 */ 125 if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) != 126 tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share)) 127 return 0; 128 129 /* 130 * XXX - Require server_name from client? If so, we SHOULD enforce 131 * this here - RFC 8446, 9.2. 132 */ 133 134 return 1; 135 } 136 137 static const uint8_t tls13_compression_null_only[] = { 0 }; 138 139 static int 140 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 141 { 142 CBS cipher_suites, client_random, compression_methods, session_id; 143 STACK_OF(SSL_CIPHER) *ciphers = NULL; 144 const SSL_CIPHER *cipher; 145 uint16_t legacy_version; 146 int alert_desc; 147 SSL *s = ctx->ssl; 148 int ret = 0; 149 150 if (!CBS_get_u16(cbs, &legacy_version)) 151 goto err; 152 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 153 goto err; 154 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 155 goto err; 156 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 157 goto err; 158 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 159 goto err; 160 161 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 162 if (!CBS_skip(cbs, CBS_len(cbs))) 163 goto err; 164 return tls13_use_legacy_server(ctx); 165 } 166 167 /* Add decoded values to the current ClientHello hash */ 168 if (!tls13_clienthello_hash_init(ctx)) { 169 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 170 goto err; 171 } 172 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 173 sizeof(legacy_version))) { 174 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 175 goto err; 176 } 177 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 178 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 179 goto err; 180 } 181 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 182 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 183 goto err; 184 } 185 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 186 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 187 goto err; 188 } 189 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 190 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 191 goto err; 192 } 193 194 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 195 ctx->alert = alert_desc; 196 goto err; 197 } 198 199 /* Finalize first ClientHello hash, or validate against it */ 200 if (!ctx->hs->hrr) { 201 if (!tls13_clienthello_hash_finalize(ctx)) { 202 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 203 goto err; 204 } 205 } else { 206 if (!tls13_clienthello_hash_validate(ctx)) { 207 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 208 goto err; 209 } 210 tls13_clienthello_hash_clear(ctx->hs); 211 } 212 213 if (!tls13_client_hello_required_extensions(ctx)) { 214 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 215 goto err; 216 } 217 218 /* 219 * If we got this far we have a supported versions extension that offers 220 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 221 */ 222 if (legacy_version != TLS1_2_VERSION) { 223 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 224 goto err; 225 } 226 227 /* Store legacy session identifier so we can echo it. */ 228 if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 229 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 230 goto err; 231 } 232 if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 233 sizeof(ctx->hs->legacy_session_id), 234 &ctx->hs->legacy_session_id_len)) { 235 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 236 goto err; 237 } 238 239 /* Parse cipher suites list and select preferred cipher. */ 240 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 241 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 242 goto err; 243 } 244 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 245 if (cipher == NULL) { 246 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 247 "no shared cipher found", NULL); 248 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 249 goto err; 250 } 251 S3I(s)->hs.new_cipher = cipher; 252 253 /* Ensure only the NULL compression method is advertised. */ 254 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 255 sizeof(tls13_compression_null_only))) { 256 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 257 goto err; 258 } 259 260 ret = 1; 261 262 err: 263 sk_SSL_CIPHER_free(ciphers); 264 265 return ret; 266 } 267 268 int 269 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 270 { 271 SSL *s = ctx->ssl; 272 273 if (!tls13_client_hello_process(ctx, cbs)) 274 goto err; 275 276 /* See if we switched back to the legacy client method. */ 277 if (s->method->internal->version < TLS1_3_VERSION) 278 return 1; 279 280 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 281 282 /* 283 * If a matching key share was provided, we do not need to send a 284 * HelloRetryRequest. 285 */ 286 /* 287 * XXX - ideally NEGOTIATED would only be added after record protection 288 * has been enabled. This would probably mean using either an 289 * INITIAL | WITHOUT_HRR state, or another intermediate state. 290 */ 291 if (ctx->hs->key_share != NULL) 292 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 293 294 /* XXX - check this is the correct point */ 295 tls13_record_layer_allow_ccs(ctx->rl, 1); 296 297 return 1; 298 299 err: 300 return 0; 301 } 302 303 static int 304 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 305 { 306 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 307 const uint8_t *server_random; 308 CBB session_id; 309 SSL *s = ctx->ssl; 310 uint16_t cipher; 311 312 cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 313 server_random = s->s3->server_random; 314 315 if (hrr) { 316 server_random = tls13_hello_retry_request_hash; 317 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 318 } 319 320 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 321 goto err; 322 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 323 goto err; 324 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 325 goto err; 326 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 327 ctx->hs->legacy_session_id_len)) 328 goto err; 329 if (!CBB_add_u16(cbb, cipher)) 330 goto err; 331 if (!CBB_add_u8(cbb, 0)) 332 goto err; 333 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 334 goto err; 335 336 if (!CBB_flush(cbb)) 337 goto err; 338 339 return 1; 340 err: 341 return 0; 342 } 343 344 static int 345 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 346 { 347 struct tls13_secrets *secrets; 348 struct tls13_secret context; 349 unsigned char buf[EVP_MAX_MD_SIZE]; 350 uint8_t *shared_key = NULL; 351 size_t shared_key_len = 0; 352 size_t hash_len; 353 SSL *s = ctx->ssl; 354 int ret = 0; 355 356 if (!tls13_key_share_derive(ctx->hs->key_share, 357 &shared_key, &shared_key_len)) 358 goto err; 359 360 s->session->cipher = S3I(s)->hs.new_cipher; 361 362 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 363 goto err; 364 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 365 goto err; 366 367 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 368 goto err; 369 ctx->hs->secrets = secrets; 370 371 /* XXX - pass in hash. */ 372 if (!tls1_transcript_hash_init(s)) 373 goto err; 374 tls1_transcript_free(s); 375 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 376 goto err; 377 context.data = buf; 378 context.len = hash_len; 379 380 /* Early secrets. */ 381 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 382 secrets->zeros.len, &context)) 383 goto err; 384 385 /* Handshake secrets. */ 386 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 387 shared_key_len, &context)) 388 goto err; 389 390 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 391 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 392 393 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 394 &secrets->client_handshake_traffic)) 395 goto err; 396 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 397 &secrets->server_handshake_traffic)) 398 goto err; 399 400 ctx->handshake_stage.hs_type |= NEGOTIATED; 401 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 402 ctx->handshake_stage.hs_type |= WITHOUT_CR; 403 404 ret = 1; 405 406 err: 407 freezero(shared_key, shared_key_len); 408 return ret; 409 } 410 411 int 412 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 413 { 414 int nid; 415 416 ctx->hs->hrr = 1; 417 418 if (!tls13_synthetic_handshake_message(ctx)) 419 return 0; 420 421 if (ctx->hs->key_share != NULL) 422 return 0; 423 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 424 return 0; 425 if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) 426 return 0; 427 428 if (!tls13_server_hello_build(ctx, cbb, 1)) 429 return 0; 430 431 return 1; 432 } 433 434 int 435 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 436 { 437 /* 438 * If the client has requested middlebox compatibility mode, 439 * we MUST send a dummy CCS following our first handshake message. 440 * See RFC 8446 Appendix D.4. 441 */ 442 if (ctx->hs->legacy_session_id_len > 0) 443 ctx->send_dummy_ccs_after = 1; 444 445 return 1; 446 } 447 448 int 449 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 450 { 451 SSL *s = ctx->ssl; 452 453 if (!tls13_client_hello_process(ctx, cbs)) 454 return 0; 455 456 /* XXX - need further checks. */ 457 if (s->method->internal->version < TLS1_3_VERSION) 458 return 0; 459 460 ctx->hs->hrr = 0; 461 462 return 1; 463 } 464 465 static int 466 tls13_servername_process(struct tls13_ctx *ctx) 467 { 468 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 469 470 if (!tls13_legacy_servername_process(ctx, &alert)) { 471 ctx->alert = alert; 472 return 0; 473 } 474 475 return 1; 476 } 477 478 int 479 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 480 { 481 if (ctx->hs->key_share == NULL) 482 return 0; 483 if (!tls13_key_share_generate(ctx->hs->key_share)) 484 return 0; 485 if (!tls13_servername_process(ctx)) 486 return 0; 487 488 ctx->hs->server_group = 0; 489 490 if (!tls13_server_hello_build(ctx, cbb, 0)) 491 return 0; 492 493 return 1; 494 } 495 496 int 497 tls13_server_hello_sent(struct tls13_ctx *ctx) 498 { 499 /* 500 * If the client has requested middlebox compatibility mode, 501 * we MUST send a dummy CCS following our first handshake message. 502 * See RFC 8446 Appendix D.4. 503 */ 504 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 505 ctx->hs->legacy_session_id_len > 0) 506 ctx->send_dummy_ccs_after = 1; 507 508 return tls13_server_engage_record_protection(ctx); 509 } 510 511 int 512 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 513 { 514 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 515 goto err; 516 517 return 1; 518 err: 519 return 0; 520 } 521 522 int 523 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 524 { 525 CBB certificate_request_context; 526 527 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 528 goto err; 529 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 530 goto err; 531 532 if (!CBB_flush(cbb)) 533 goto err; 534 535 return 1; 536 err: 537 return 0; 538 } 539 540 static int 541 tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, 542 int *ok, const struct ssl_sigalg **out_sigalg) 543 { 544 const struct ssl_sigalg *sigalg; 545 SSL *s = ctx->ssl; 546 547 *ok = 0; 548 *out_sigalg = NULL; 549 550 if (cpk->x509 == NULL || cpk->privatekey == NULL) 551 goto done; 552 553 if (!X509_check_purpose(cpk->x509, -1, 0)) 554 return 0; 555 556 /* 557 * The digitalSignature bit MUST be set if the Key Usage extension is 558 * present as per RFC 8446 section 4.4.2.2. 559 */ 560 if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && 561 !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) 562 goto done; 563 564 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 565 goto done; 566 567 *ok = 1; 568 *out_sigalg = sigalg; 569 570 done: 571 return 1; 572 } 573 574 static int 575 tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, 576 const struct ssl_sigalg **out_sigalg) 577 { 578 SSL *s = ctx->ssl; 579 const struct ssl_sigalg *sigalg; 580 CERT_PKEY *cpk; 581 int cert_ok; 582 583 *out_cpk = NULL; 584 *out_sigalg = NULL; 585 586 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 587 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 588 return 0; 589 if (cert_ok) 590 goto done; 591 592 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 593 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 594 return 0; 595 if (cert_ok) 596 goto done; 597 598 cpk = NULL; 599 sigalg = NULL; 600 601 done: 602 *out_cpk = cpk; 603 *out_sigalg = sigalg; 604 605 return 1; 606 } 607 608 int 609 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 610 { 611 SSL *s = ctx->ssl; 612 CBB cert_request_context, cert_list; 613 const struct ssl_sigalg *sigalg; 614 STACK_OF(X509) *chain; 615 CERT_PKEY *cpk; 616 X509 *cert; 617 int i, ret = 0; 618 619 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 620 goto err; 621 622 if (cpk == NULL) { 623 /* A server must always provide a certificate. */ 624 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 625 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 626 "no server certificate", NULL); 627 goto err; 628 } 629 630 ctx->hs->cpk = cpk; 631 ctx->hs->sigalg = sigalg; 632 633 if ((chain = cpk->chain) == NULL) 634 chain = s->ctx->extra_certs; 635 636 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 637 goto err; 638 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 639 goto err; 640 641 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 642 goto err; 643 644 for (i = 0; i < sk_X509_num(chain); i++) { 645 cert = sk_X509_value(chain, i); 646 /* 647 * XXX we don't send extensions with chain certs to avoid sending 648 * a leaf ocsp stape with the chain certs. This needs to get 649 * fixed 650 */ 651 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 652 goto err; 653 } 654 655 if (!CBB_flush(cbb)) 656 goto err; 657 658 ret = 1; 659 660 err: 661 return ret; 662 } 663 664 int 665 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 666 { 667 const struct ssl_sigalg *sigalg; 668 uint8_t *sig = NULL, *sig_content = NULL; 669 size_t sig_len, sig_content_len; 670 EVP_MD_CTX *mdctx = NULL; 671 EVP_PKEY_CTX *pctx; 672 EVP_PKEY *pkey; 673 const CERT_PKEY *cpk; 674 CBB sig_cbb; 675 int ret = 0; 676 677 memset(&sig_cbb, 0, sizeof(sig_cbb)); 678 679 if ((cpk = ctx->hs->cpk) == NULL) 680 goto err; 681 if ((sigalg = ctx->hs->sigalg) == NULL) 682 goto err; 683 pkey = cpk->privatekey; 684 685 if (!CBB_init(&sig_cbb, 0)) 686 goto err; 687 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 688 sizeof(tls13_cert_verify_pad))) 689 goto err; 690 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 691 strlen(tls13_cert_server_verify_context))) 692 goto err; 693 if (!CBB_add_u8(&sig_cbb, 0)) 694 goto err; 695 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 696 ctx->hs->transcript_hash_len)) 697 goto err; 698 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 699 goto err; 700 701 if ((mdctx = EVP_MD_CTX_new()) == NULL) 702 goto err; 703 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 704 goto err; 705 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 706 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 707 goto err; 708 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 709 goto err; 710 } 711 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 712 goto err; 713 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 714 goto err; 715 if ((sig = calloc(1, sig_len)) == NULL) 716 goto err; 717 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 718 goto err; 719 720 if (!CBB_add_u16(cbb, sigalg->value)) 721 goto err; 722 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 723 goto err; 724 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 725 goto err; 726 727 if (!CBB_flush(cbb)) 728 goto err; 729 730 ret = 1; 731 732 err: 733 if (!ret && ctx->alert == 0) 734 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 735 736 CBB_cleanup(&sig_cbb); 737 EVP_MD_CTX_free(mdctx); 738 free(sig_content); 739 free(sig); 740 741 return ret; 742 } 743 744 int 745 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 746 { 747 struct tls13_secrets *secrets = ctx->hs->secrets; 748 struct tls13_secret context = { .data = "", .len = 0 }; 749 struct tls13_secret finished_key; 750 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 751 size_t transcript_hash_len; 752 uint8_t key[EVP_MAX_MD_SIZE]; 753 uint8_t *verify_data; 754 size_t hmac_len; 755 unsigned int hlen; 756 HMAC_CTX *hmac_ctx = NULL; 757 int ret = 0; 758 759 finished_key.data = key; 760 finished_key.len = EVP_MD_size(ctx->hash); 761 762 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 763 &secrets->server_handshake_traffic, "finished", 764 &context)) 765 goto err; 766 767 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 768 sizeof(transcript_hash), &transcript_hash_len)) 769 goto err; 770 771 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 772 goto err; 773 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 774 ctx->hash, NULL)) 775 goto err; 776 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 777 goto err; 778 779 hmac_len = HMAC_size(hmac_ctx); 780 if (!CBB_add_space(cbb, &verify_data, hmac_len)) 781 goto err; 782 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 783 goto err; 784 if (hlen != hmac_len) 785 goto err; 786 787 ret = 1; 788 789 err: 790 HMAC_CTX_free(hmac_ctx); 791 792 return ret; 793 } 794 795 int 796 tls13_server_finished_sent(struct tls13_ctx *ctx) 797 { 798 struct tls13_secrets *secrets = ctx->hs->secrets; 799 struct tls13_secret context = { .data = "", .len = 0 }; 800 801 /* 802 * Derive application traffic keys. 803 */ 804 context.data = ctx->hs->transcript_hash; 805 context.len = ctx->hs->transcript_hash_len; 806 807 if (!tls13_derive_application_secrets(secrets, &context)) 808 return 0; 809 810 /* 811 * Any records following the server finished message must be encrypted 812 * using the server application traffic keys. 813 */ 814 return tls13_record_layer_set_write_traffic_key(ctx->rl, 815 &secrets->server_application_traffic); 816 } 817 818 int 819 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 820 { 821 CBS cert_request_context, cert_list, cert_data, cert_exts; 822 struct stack_st_X509 *certs = NULL; 823 SSL *s = ctx->ssl; 824 X509 *cert = NULL; 825 EVP_PKEY *pkey; 826 const uint8_t *p; 827 int cert_idx; 828 int ret = 0; 829 830 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 831 goto err; 832 if (CBS_len(&cert_request_context) != 0) 833 goto err; 834 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 835 goto err; 836 if (CBS_len(&cert_list) == 0) { 837 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 838 return 1; 839 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 840 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 841 "peer did not provide a certificate", NULL); 842 goto err; 843 } 844 845 if ((certs = sk_X509_new_null()) == NULL) 846 goto err; 847 while (CBS_len(&cert_list) > 0) { 848 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 849 goto err; 850 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 851 goto err; 852 853 p = CBS_data(&cert_data); 854 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 855 goto err; 856 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 857 goto err; 858 859 if (!sk_X509_push(certs, cert)) 860 goto err; 861 862 cert = NULL; 863 } 864 865 /* 866 * At this stage we still have no proof of possession. As such, it would 867 * be preferable to keep the chain and verify once we have successfully 868 * processed the CertificateVerify message. 869 */ 870 if (ssl_verify_cert_chain(s, certs) <= 0) { 871 ctx->alert = ssl_verify_alarm_type(s->verify_result); 872 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 873 "failed to verify peer certificate", NULL); 874 goto err; 875 } 876 ERR_clear_error(); 877 878 cert = sk_X509_value(certs, 0); 879 X509_up_ref(cert); 880 881 if ((pkey = X509_get0_pubkey(cert)) == NULL) 882 goto err; 883 if (EVP_PKEY_missing_parameters(pkey)) 884 goto err; 885 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 886 goto err; 887 888 ssl_sess_cert_free(SSI(s)->sess_cert); 889 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 890 goto err; 891 892 SSI(s)->sess_cert->cert_chain = certs; 893 certs = NULL; 894 895 X509_up_ref(cert); 896 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 897 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 898 899 X509_free(s->session->peer); 900 901 X509_up_ref(cert); 902 s->session->peer = cert; 903 s->session->verify_result = s->verify_result; 904 905 ctx->handshake_stage.hs_type |= WITH_CCV; 906 ret = 1; 907 908 err: 909 sk_X509_pop_free(certs, X509_free); 910 X509_free(cert); 911 912 return ret; 913 } 914 915 int 916 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 917 { 918 const struct ssl_sigalg *sigalg; 919 uint16_t signature_scheme; 920 uint8_t *sig_content = NULL; 921 size_t sig_content_len; 922 EVP_MD_CTX *mdctx = NULL; 923 EVP_PKEY_CTX *pctx; 924 EVP_PKEY *pkey; 925 X509 *cert; 926 CBS signature; 927 CBB cbb; 928 int ret = 0; 929 930 memset(&cbb, 0, sizeof(cbb)); 931 932 if (!CBS_get_u16(cbs, &signature_scheme)) 933 goto err; 934 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 935 goto err; 936 937 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 938 tls13_sigalgs_len)) == NULL) 939 goto err; 940 941 if (!CBB_init(&cbb, 0)) 942 goto err; 943 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 944 sizeof(tls13_cert_verify_pad))) 945 goto err; 946 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 947 strlen(tls13_cert_client_verify_context))) 948 goto err; 949 if (!CBB_add_u8(&cbb, 0)) 950 goto err; 951 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 952 ctx->hs->transcript_hash_len)) 953 goto err; 954 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 955 goto err; 956 957 if ((cert = ctx->ssl->session->peer) == NULL) 958 goto err; 959 if ((pkey = X509_get0_pubkey(cert)) == NULL) 960 goto err; 961 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 962 goto err; 963 964 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 965 goto err; 966 967 if ((mdctx = EVP_MD_CTX_new()) == NULL) 968 goto err; 969 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 970 goto err; 971 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 972 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 973 goto err; 974 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 975 goto err; 976 } 977 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 978 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 979 goto err; 980 } 981 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 982 CBS_len(&signature)) <= 0) { 983 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 984 goto err; 985 } 986 987 ret = 1; 988 989 err: 990 if (!ret && ctx->alert == 0) 991 ctx->alert = TLS13_ALERT_DECODE_ERROR; 992 993 CBB_cleanup(&cbb); 994 EVP_MD_CTX_free(mdctx); 995 free(sig_content); 996 997 return ret; 998 } 999 1000 int 1001 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1002 { 1003 return 0; 1004 } 1005 1006 int 1007 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1008 { 1009 struct tls13_secrets *secrets = ctx->hs->secrets; 1010 struct tls13_secret context = { .data = "", .len = 0 }; 1011 struct tls13_secret finished_key; 1012 uint8_t *verify_data = NULL; 1013 size_t verify_data_len; 1014 uint8_t key[EVP_MAX_MD_SIZE]; 1015 HMAC_CTX *hmac_ctx = NULL; 1016 unsigned int hlen; 1017 int ret = 0; 1018 1019 /* 1020 * Verify client finished. 1021 */ 1022 finished_key.data = key; 1023 finished_key.len = EVP_MD_size(ctx->hash); 1024 1025 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1026 &secrets->client_handshake_traffic, "finished", 1027 &context)) 1028 goto err; 1029 1030 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1031 goto err; 1032 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1033 ctx->hash, NULL)) 1034 goto err; 1035 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 1036 ctx->hs->transcript_hash_len)) 1037 goto err; 1038 verify_data_len = HMAC_size(hmac_ctx); 1039 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1040 goto err; 1041 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1042 goto err; 1043 if (hlen != verify_data_len) 1044 goto err; 1045 1046 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1047 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1048 goto err; 1049 } 1050 1051 if (!CBS_skip(cbs, verify_data_len)) 1052 goto err; 1053 1054 /* 1055 * Any records following the client finished message must be encrypted 1056 * using the client application traffic keys. 1057 */ 1058 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1059 &secrets->client_application_traffic)) 1060 goto err; 1061 1062 tls13_record_layer_allow_ccs(ctx->rl, 0); 1063 1064 ret = 1; 1065 1066 err: 1067 HMAC_CTX_free(hmac_ctx); 1068 free(verify_data); 1069 1070 return ret; 1071 } 1072