1 /* $OpenBSD: tls13_server.c,v 1.34 2020/04/28 20:37:22 jsing Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include "ssl_locl.h" 20 #include "ssl_tlsext.h" 21 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 int 26 tls13_server_init(struct tls13_ctx *ctx) 27 { 28 SSL *s = ctx->ssl; 29 30 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 31 &ctx->hs->max_version)) { 32 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 33 return 0; 34 } 35 s->version = ctx->hs->max_version; 36 37 if (!tls1_transcript_init(s)) 38 return 0; 39 40 if ((s->session = SSL_SESSION_new()) == NULL) 41 return 0; 42 43 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 44 45 return 1; 46 } 47 48 int 49 tls13_server_accept(struct tls13_ctx *ctx) 50 { 51 if (ctx->mode != TLS13_HS_SERVER) 52 return TLS13_IO_FAILURE; 53 54 return tls13_handshake_perform(ctx); 55 } 56 57 static int 58 tls13_client_hello_is_legacy(CBS *cbs) 59 { 60 CBS extensions_block, extensions, extension_data, versions; 61 uint16_t version, max_version = 0; 62 uint16_t type; 63 64 CBS_dup(cbs, &extensions_block); 65 66 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 67 return 1; 68 69 while (CBS_len(&extensions) > 0) { 70 if (!CBS_get_u16(&extensions, &type)) 71 return 1; 72 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 73 return 1; 74 75 if (type != TLSEXT_TYPE_supported_versions) 76 continue; 77 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 78 return 1; 79 while (CBS_len(&versions) > 0) { 80 if (!CBS_get_u16(&versions, &version)) 81 return 1; 82 if (version >= max_version) 83 max_version = version; 84 } 85 if (CBS_len(&extension_data) != 0) 86 return 1; 87 } 88 89 return (max_version < TLS1_3_VERSION); 90 } 91 92 static int 93 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 94 { 95 CBS cipher_suites, client_random, compression_methods, session_id; 96 STACK_OF(SSL_CIPHER) *ciphers = NULL; 97 const SSL_CIPHER *cipher; 98 uint16_t legacy_version; 99 uint8_t compression_method; 100 int alert_desc, comp_null; 101 SSL *s = ctx->ssl; 102 int ret = 0; 103 104 if (!CBS_get_u16(cbs, &legacy_version)) 105 goto err; 106 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 107 goto err; 108 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 109 goto err; 110 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 111 goto err; 112 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 113 goto err; 114 115 if (tls13_client_hello_is_legacy(cbs)) { 116 if (!CBS_skip(cbs, CBS_len(cbs))) 117 goto err; 118 return tls13_use_legacy_server(ctx); 119 } 120 121 if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) { 122 ctx->alert = alert_desc; 123 goto err; 124 } 125 126 /* 127 * If we got this far we have a supported versions extension that offers 128 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 129 */ 130 if (legacy_version != TLS1_2_VERSION) { 131 ctx->alert = SSL_AD_PROTOCOL_VERSION; 132 goto err; 133 } 134 135 /* Store legacy session identifier so we can echo it. */ 136 if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 137 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 138 goto err; 139 } 140 if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 141 sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len)) 142 goto err; 143 144 /* Parse cipher suites list and select preferred cipher. */ 145 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 146 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 147 goto err; 148 } 149 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 150 if (cipher == NULL) { 151 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 152 "no shared cipher found", NULL); 153 ctx->alert = SSL_AD_HANDSHAKE_FAILURE; 154 goto err; 155 } 156 S3I(s)->hs.new_cipher = cipher; 157 158 /* Ensure they advertise the NULL compression method. */ 159 comp_null = 0; 160 while (CBS_len(&compression_methods) > 0) { 161 if (!CBS_get_u8(&compression_methods, &compression_method)) 162 goto err; 163 if (compression_method == 0) 164 comp_null = 1; 165 } 166 if (!comp_null) { 167 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 168 goto err; 169 } 170 171 ret = 1; 172 173 err: 174 sk_SSL_CIPHER_free(ciphers); 175 176 return ret; 177 } 178 179 int 180 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 181 { 182 SSL *s = ctx->ssl; 183 184 if (!tls13_client_hello_process(ctx, cbs)) 185 goto err; 186 187 /* See if we switched back to the legacy client method. */ 188 if (s->method->internal->version < TLS1_3_VERSION) 189 return 1; 190 191 /* 192 * If a matching key share was provided, we do not need to send a 193 * HelloRetryRequest. 194 */ 195 /* 196 * XXX - ideally NEGOTIATED would only be added after record protection 197 * has been enabled. This would probably mean using either an 198 * INITIAL | WITHOUT_HRR state, or another intermediate state. 199 */ 200 if (ctx->hs->key_share != NULL) 201 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 202 203 /* XXX - check this is the correct point */ 204 tls13_record_layer_allow_ccs(ctx->rl, 1); 205 206 return 1; 207 208 err: 209 return 0; 210 } 211 212 static int 213 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb) 214 { 215 CBB session_id; 216 SSL *s = ctx->ssl; 217 uint16_t cipher; 218 219 cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 220 221 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 222 goto err; 223 if (!CBB_add_bytes(cbb, s->s3->server_random, SSL3_RANDOM_SIZE)) 224 goto err; 225 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 226 goto err; 227 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 228 ctx->hs->legacy_session_id_len)) 229 goto err; 230 if (!CBB_add_u16(cbb, cipher)) 231 goto err; 232 if (!CBB_add_u8(cbb, 0)) 233 goto err; 234 if (!tlsext_server_build(s, cbb, SSL_TLSEXT_MSG_SH)) 235 goto err; 236 237 if (!CBB_flush(cbb)) 238 goto err; 239 240 return 1; 241 err: 242 return 0; 243 } 244 245 int 246 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 247 { 248 return 0; 249 } 250 251 int 252 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 253 { 254 return 0; 255 } 256 257 int 258 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 259 { 260 if (ctx->hs->key_share == NULL) 261 return 0; 262 263 if (!tls13_key_share_generate(ctx->hs->key_share)) 264 return 0; 265 266 if (!tls13_server_hello_build(ctx, cbb)) 267 return 0; 268 269 return 1; 270 } 271 272 int 273 tls13_server_hello_sent(struct tls13_ctx *ctx) 274 { 275 struct tls13_secrets *secrets; 276 struct tls13_secret context; 277 unsigned char buf[EVP_MAX_MD_SIZE]; 278 uint8_t *shared_key = NULL; 279 size_t shared_key_len = 0; 280 size_t hash_len; 281 SSL *s = ctx->ssl; 282 int ret = 0; 283 284 if (!tls13_key_share_derive(ctx->hs->key_share, 285 &shared_key, &shared_key_len)) 286 goto err; 287 288 s->session->cipher = S3I(s)->hs.new_cipher; 289 s->session->ssl_version = ctx->hs->server_version; 290 291 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 292 goto err; 293 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 294 goto err; 295 296 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 297 goto err; 298 ctx->hs->secrets = secrets; 299 300 /* XXX - pass in hash. */ 301 if (!tls1_transcript_hash_init(s)) 302 goto err; 303 tls1_transcript_free(s); 304 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 305 goto err; 306 context.data = buf; 307 context.len = hash_len; 308 309 /* Early secrets. */ 310 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 311 secrets->zeros.len, &context)) 312 goto err; 313 314 /* Handshake secrets. */ 315 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 316 shared_key_len, &context)) 317 goto err; 318 319 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 320 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 321 322 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 323 &secrets->client_handshake_traffic)) 324 goto err; 325 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 326 &secrets->server_handshake_traffic)) 327 goto err; 328 329 ctx->handshake_stage.hs_type |= NEGOTIATED; 330 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 331 ctx->handshake_stage.hs_type |= WITHOUT_CR; 332 333 ret = 1; 334 335 err: 336 freezero(shared_key, shared_key_len); 337 return ret; 338 } 339 340 int 341 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 342 { 343 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE)) 344 goto err; 345 346 return 1; 347 err: 348 return 0; 349 } 350 351 int 352 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 353 { 354 CBB certificate_request_context; 355 356 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 357 goto err; 358 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR)) 359 goto err; 360 361 if (!CBB_flush(cbb)) 362 goto err; 363 364 return 1; 365 err: 366 return 0; 367 } 368 369 int 370 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 371 { 372 SSL *s = ctx->ssl; 373 CBB cert_request_context, cert_list; 374 STACK_OF(X509) *chain; 375 CERT_PKEY *cpk; 376 X509 *cert; 377 int i, ret = 0; 378 379 /* XXX - Need to revisit certificate selection. */ 380 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 381 382 if ((chain = cpk->chain) == NULL) 383 chain = s->ctx->extra_certs; 384 385 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 386 goto err; 387 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 388 goto err; 389 390 if (cpk->x509 == NULL) 391 goto done; 392 393 if (!tls13_cert_add(&cert_list, cpk->x509)) 394 goto err; 395 396 for (i = 0; i < sk_X509_num(chain); i++) { 397 cert = sk_X509_value(chain, i); 398 if (!tls13_cert_add(&cert_list, cert)) 399 goto err; 400 } 401 402 done: 403 if (!CBB_flush(cbb)) 404 goto err; 405 406 ret = 1; 407 408 err: 409 return ret; 410 } 411 412 int 413 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 414 { 415 SSL *s = ctx->ssl; 416 const struct ssl_sigalg *sigalg = NULL; 417 uint8_t *sig = NULL, *sig_content = NULL; 418 size_t sig_len, sig_content_len; 419 EVP_MD_CTX *mdctx = NULL; 420 EVP_PKEY_CTX *pctx; 421 EVP_PKEY *pkey; 422 CERT_PKEY *cpk; 423 CBB sig_cbb; 424 int ret = 0; 425 426 memset(&sig_cbb, 0, sizeof(sig_cbb)); 427 428 /* XXX - Need to revisit certificate selection. */ 429 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 430 pkey = cpk->privatekey; 431 432 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 433 /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */ 434 goto err; 435 } 436 437 if (!CBB_init(&sig_cbb, 0)) 438 goto err; 439 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 440 sizeof(tls13_cert_verify_pad))) 441 goto err; 442 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 443 strlen(tls13_cert_server_verify_context))) 444 goto err; 445 if (!CBB_add_u8(&sig_cbb, 0)) 446 goto err; 447 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 448 ctx->hs->transcript_hash_len)) 449 goto err; 450 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 451 goto err; 452 453 if ((mdctx = EVP_MD_CTX_new()) == NULL) 454 goto err; 455 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 456 goto err; 457 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 458 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 459 goto err; 460 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 461 goto err; 462 } 463 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 464 goto err; 465 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 466 goto err; 467 if ((sig = calloc(1, sig_len)) == NULL) 468 goto err; 469 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 470 goto err; 471 472 if (!CBB_add_u16(cbb, sigalg->value)) 473 goto err; 474 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 475 goto err; 476 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 477 goto err; 478 479 if (!CBB_flush(cbb)) 480 goto err; 481 482 ret = 1; 483 484 err: 485 if (!ret && ctx->alert == 0) 486 ctx->alert = TLS1_AD_INTERNAL_ERROR; 487 488 CBB_cleanup(&sig_cbb); 489 EVP_MD_CTX_free(mdctx); 490 free(sig_content); 491 free(sig); 492 493 return ret; 494 } 495 496 int 497 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 498 { 499 struct tls13_secrets *secrets = ctx->hs->secrets; 500 struct tls13_secret context = { .data = "", .len = 0 }; 501 struct tls13_secret finished_key; 502 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 503 size_t transcript_hash_len; 504 uint8_t key[EVP_MAX_MD_SIZE]; 505 uint8_t *verify_data; 506 size_t hmac_len; 507 unsigned int hlen; 508 HMAC_CTX *hmac_ctx = NULL; 509 int ret = 0; 510 511 finished_key.data = key; 512 finished_key.len = EVP_MD_size(ctx->hash); 513 514 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 515 &secrets->server_handshake_traffic, "finished", 516 &context)) 517 goto err; 518 519 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 520 sizeof(transcript_hash), &transcript_hash_len)) 521 goto err; 522 523 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 524 goto err; 525 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 526 ctx->hash, NULL)) 527 goto err; 528 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 529 goto err; 530 531 hmac_len = HMAC_size(hmac_ctx); 532 if (!CBB_add_space(cbb, &verify_data, hmac_len)) 533 goto err; 534 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 535 goto err; 536 if (hlen != hmac_len) 537 goto err; 538 539 ret = 1; 540 541 err: 542 HMAC_CTX_free(hmac_ctx); 543 544 return ret; 545 } 546 547 int 548 tls13_server_finished_sent(struct tls13_ctx *ctx) 549 { 550 struct tls13_secrets *secrets = ctx->hs->secrets; 551 struct tls13_secret context = { .data = "", .len = 0 }; 552 553 /* 554 * Derive application traffic keys. 555 */ 556 context.data = ctx->hs->transcript_hash; 557 context.len = ctx->hs->transcript_hash_len; 558 559 if (!tls13_derive_application_secrets(secrets, &context)) 560 return 0; 561 562 /* 563 * Any records following the server finished message must be encrypted 564 * using the server application traffic keys. 565 */ 566 return tls13_record_layer_set_write_traffic_key(ctx->rl, 567 &secrets->server_application_traffic); 568 } 569 570 int 571 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 572 { 573 CBS cert_request_context, cert_list, cert_data, cert_exts; 574 struct stack_st_X509 *certs = NULL; 575 SSL *s = ctx->ssl; 576 X509 *cert = NULL; 577 EVP_PKEY *pkey; 578 const uint8_t *p; 579 int cert_idx; 580 int ret = 0; 581 582 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 583 goto err; 584 if (CBS_len(&cert_request_context) != 0) 585 goto err; 586 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 587 goto err; 588 589 if (CBS_len(&cert_list) == 0) 590 return 1; 591 592 if ((certs = sk_X509_new_null()) == NULL) 593 goto err; 594 while (CBS_len(&cert_list) > 0) { 595 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 596 goto err; 597 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 598 goto err; 599 600 p = CBS_data(&cert_data); 601 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 602 goto err; 603 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 604 goto err; 605 606 if (!sk_X509_push(certs, cert)) 607 goto err; 608 609 cert = NULL; 610 } 611 612 /* 613 * At this stage we still have no proof of possession. As such, it would 614 * be preferable to keep the chain and verify once we have successfully 615 * processed the CertificateVerify message. 616 */ 617 if (ssl_verify_cert_chain(s, certs) <= 0 && 618 s->verify_mode != SSL_VERIFY_NONE) { 619 ctx->alert = ssl_verify_alarm_type(s->verify_result); 620 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 621 "failed to verify peer certificate", NULL); 622 goto err; 623 } 624 ERR_clear_error(); 625 626 cert = sk_X509_value(certs, 0); 627 X509_up_ref(cert); 628 629 if ((pkey = X509_get0_pubkey(cert)) == NULL) 630 goto err; 631 if (EVP_PKEY_missing_parameters(pkey)) 632 goto err; 633 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 634 goto err; 635 636 ssl_sess_cert_free(SSI(s)->sess_cert); 637 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 638 goto err; 639 640 SSI(s)->sess_cert->cert_chain = certs; 641 certs = NULL; 642 643 X509_up_ref(cert); 644 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 645 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 646 647 X509_free(s->session->peer); 648 649 X509_up_ref(cert); 650 s->session->peer = cert; 651 s->session->verify_result = s->verify_result; 652 653 ctx->handshake_stage.hs_type |= WITH_CCV; 654 ret = 1; 655 656 err: 657 sk_X509_pop_free(certs, X509_free); 658 X509_free(cert); 659 660 return ret; 661 } 662 663 int 664 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 665 { 666 const struct ssl_sigalg *sigalg; 667 uint16_t signature_scheme; 668 uint8_t *sig_content = NULL; 669 size_t sig_content_len; 670 EVP_MD_CTX *mdctx = NULL; 671 EVP_PKEY_CTX *pctx; 672 EVP_PKEY *pkey; 673 X509 *cert; 674 CBS signature; 675 CBB cbb; 676 int ret = 0; 677 678 memset(&cbb, 0, sizeof(cbb)); 679 680 if (!CBS_get_u16(cbs, &signature_scheme)) 681 goto err; 682 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 683 goto err; 684 685 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 686 tls13_sigalgs_len)) == NULL) 687 goto err; 688 689 if (!CBB_init(&cbb, 0)) 690 goto err; 691 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 692 sizeof(tls13_cert_verify_pad))) 693 goto err; 694 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 695 strlen(tls13_cert_client_verify_context))) 696 goto err; 697 if (!CBB_add_u8(&cbb, 0)) 698 goto err; 699 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 700 ctx->hs->transcript_hash_len)) 701 goto err; 702 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 703 goto err; 704 705 if ((cert = ctx->ssl->session->peer) == NULL) 706 goto err; 707 if ((pkey = X509_get0_pubkey(cert)) == NULL) 708 goto err; 709 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 710 goto err; 711 712 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 713 goto err; 714 715 if ((mdctx = EVP_MD_CTX_new()) == NULL) 716 goto err; 717 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 718 goto err; 719 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 720 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 721 goto err; 722 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 723 goto err; 724 } 725 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 726 ctx->alert = TLS1_AD_DECRYPT_ERROR; 727 goto err; 728 } 729 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 730 CBS_len(&signature)) <= 0) { 731 ctx->alert = TLS1_AD_DECRYPT_ERROR; 732 goto err; 733 } 734 735 ret = 1; 736 737 err: 738 if (!ret && ctx->alert == 0) { 739 ctx->alert = TLS1_AD_DECODE_ERROR; 740 } 741 CBB_cleanup(&cbb); 742 EVP_MD_CTX_free(mdctx); 743 free(sig_content); 744 745 return ret; 746 } 747 748 int 749 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 750 { 751 return 0; 752 } 753 754 int 755 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 756 { 757 struct tls13_secrets *secrets = ctx->hs->secrets; 758 struct tls13_secret context = { .data = "", .len = 0 }; 759 struct tls13_secret finished_key; 760 uint8_t *verify_data = NULL; 761 size_t verify_data_len; 762 uint8_t key[EVP_MAX_MD_SIZE]; 763 HMAC_CTX *hmac_ctx = NULL; 764 unsigned int hlen; 765 int ret = 0; 766 767 /* 768 * Verify client finished. 769 */ 770 finished_key.data = key; 771 finished_key.len = EVP_MD_size(ctx->hash); 772 773 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 774 &secrets->client_handshake_traffic, "finished", 775 &context)) 776 goto err; 777 778 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 779 goto err; 780 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 781 ctx->hash, NULL)) 782 goto err; 783 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 784 ctx->hs->transcript_hash_len)) 785 goto err; 786 verify_data_len = HMAC_size(hmac_ctx); 787 if ((verify_data = calloc(1, verify_data_len)) == NULL) 788 goto err; 789 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 790 goto err; 791 if (hlen != verify_data_len) 792 goto err; 793 794 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 795 ctx->alert = TLS1_AD_DECRYPT_ERROR; 796 goto err; 797 } 798 799 if (!CBS_skip(cbs, verify_data_len)) 800 goto err; 801 802 /* 803 * Any records following the client finished message must be encrypted 804 * using the client application traffic keys. 805 */ 806 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 807 &secrets->client_application_traffic)) 808 goto err; 809 810 tls13_record_layer_allow_ccs(ctx->rl, 0); 811 812 ret = 1; 813 814 err: 815 HMAC_CTX_free(hmac_ctx); 816 free(verify_data); 817 818 return ret; 819 } 820