1 /* $OpenBSD: tls13_server.c,v 1.103 2022/09/17 17:14:06 jsing Exp $ */
2 /*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include <openssl/x509v3.h>
20
21 #include "ssl_locl.h"
22 #include "ssl_sigalgs.h"
23 #include "ssl_tlsext.h"
24 #include "tls13_handshake.h"
25 #include "tls13_internal.h"
26
27 int
tls13_server_init(struct tls13_ctx * ctx)28 tls13_server_init(struct tls13_ctx *ctx)
29 {
30 SSL *s = ctx->ssl;
31
32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
33 &ctx->hs->our_max_tls_version)) {
34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
35 return 0;
36 }
37 s->version = ctx->hs->our_max_tls_version;
38
39 tls13_record_layer_set_retry_after_phh(ctx->rl,
40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
41
42 if (!ssl_get_new_session(s, 0)) /* XXX */
43 return 0;
44
45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
46
47 if (!tls1_transcript_init(s))
48 return 0;
49
50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
51
52 return 1;
53 }
54
55 int
tls13_server_accept(struct tls13_ctx * ctx)56 tls13_server_accept(struct tls13_ctx *ctx)
57 {
58 if (ctx->mode != TLS13_HS_SERVER)
59 return TLS13_IO_FAILURE;
60
61 return tls13_handshake_perform(ctx);
62 }
63
64 static int
tls13_client_hello_is_legacy(CBS * cbs)65 tls13_client_hello_is_legacy(CBS *cbs)
66 {
67 CBS extensions_block, extensions, extension_data, versions;
68 uint16_t version, max_version = 0;
69 uint16_t type;
70
71 CBS_dup(cbs, &extensions_block);
72
73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
74 return 1;
75
76 while (CBS_len(&extensions) > 0) {
77 if (!CBS_get_u16(&extensions, &type))
78 return 1;
79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
80 return 1;
81
82 if (type != TLSEXT_TYPE_supported_versions)
83 continue;
84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions))
85 return 1;
86 while (CBS_len(&versions) > 0) {
87 if (!CBS_get_u16(&versions, &version))
88 return 1;
89 if (version >= max_version)
90 max_version = version;
91 }
92 if (CBS_len(&extension_data) != 0)
93 return 1;
94 }
95
96 return (max_version < TLS1_3_VERSION);
97 }
98
99 int
tls13_client_hello_required_extensions(struct tls13_ctx * ctx)100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
101 {
102 SSL *s = ctx->ssl;
103
104 /*
105 * RFC 8446, section 9.2. If the ClientHello has supported_versions
106 * containing TLSv1.3, presence or absence of some extensions requires
107 * presence or absence of others.
108 */
109
110 /*
111 * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we
112 * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies
113 * that we need both signature_algorithms and supported_groups.
114 */
115 if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
116 if (!tlsext_extension_seen(s,
117 TLSEXT_TYPE_psk_key_exchange_modes))
118 return 0;
119 } else {
120 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms))
121 return 0;
122 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups))
123 return 0;
124 }
125
126 /*
127 * supported_groups and key_share must either both be present or
128 * both be absent.
129 */
130 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) !=
131 tlsext_extension_seen(s, TLSEXT_TYPE_key_share))
132 return 0;
133
134 /*
135 * XXX - Require server_name from client? If so, we SHOULD enforce
136 * this here - RFC 8446, 9.2.
137 */
138
139 return 1;
140 }
141
142 static const uint8_t tls13_compression_null_only[] = { 0 };
143
144 static int
tls13_client_hello_process(struct tls13_ctx * ctx,CBS * cbs)145 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
146 {
147 CBS cipher_suites, client_random, compression_methods, session_id;
148 STACK_OF(SSL_CIPHER) *ciphers = NULL;
149 const SSL_CIPHER *cipher;
150 uint16_t legacy_version;
151 int alert_desc;
152 SSL *s = ctx->ssl;
153 int ret = 0;
154
155 if (!CBS_get_u16(cbs, &legacy_version))
156 goto err;
157 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
158 goto err;
159 if (!CBS_get_u8_length_prefixed(cbs, &session_id))
160 goto err;
161 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites))
162 goto err;
163 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
164 goto err;
165
166 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) {
167 if (!CBS_skip(cbs, CBS_len(cbs)))
168 goto err;
169 return tls13_use_legacy_server(ctx);
170 }
171 ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
172 ctx->hs->peer_legacy_version = legacy_version;
173
174 /* Ensure we send subsequent alerts with the correct record version. */
175 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
176
177 /*
178 * Ensure that the client has not requested middlebox compatibility mode
179 * if it is prohibited from doing so.
180 */
181 if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) {
182 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
183 goto err;
184 }
185
186 /* Add decoded values to the current ClientHello hash */
187 if (!tls13_clienthello_hash_init(ctx)) {
188 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
189 goto err;
190 }
191 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version,
192 sizeof(legacy_version))) {
193 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
194 goto err;
195 }
196 if (!tls13_clienthello_hash_update(ctx, &client_random)) {
197 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
198 goto err;
199 }
200 if (!tls13_clienthello_hash_update(ctx, &session_id)) {
201 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
202 goto err;
203 }
204 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) {
205 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
206 goto err;
207 }
208 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) {
209 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
210 goto err;
211 }
212
213 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) {
214 ctx->alert = alert_desc;
215 goto err;
216 }
217
218 /* Finalize first ClientHello hash, or validate against it */
219 if (!ctx->hs->tls13.hrr) {
220 if (!tls13_clienthello_hash_finalize(ctx)) {
221 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
222 goto err;
223 }
224 } else {
225 if (!tls13_clienthello_hash_validate(ctx)) {
226 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
227 goto err;
228 }
229 tls13_clienthello_hash_clear(&ctx->hs->tls13);
230 }
231
232 if (!tls13_client_hello_required_extensions(ctx)) {
233 ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
234 goto err;
235 }
236
237 /*
238 * If we got this far we have a supported versions extension that offers
239 * TLS 1.3 or later. This requires the legacy version be set to 0x0303.
240 */
241 if (legacy_version != TLS1_2_VERSION) {
242 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
243 goto err;
244 }
245
246 /*
247 * The legacy session identifier must either be zero length or a 32 byte
248 * value (in which case the client is requesting middlebox compatibility
249 * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value
250 * so that we can echo it back to the client.
251 */
252 if (CBS_len(&session_id) != 0 &&
253 CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) {
254 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
255 goto err;
256 }
257 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
258 sizeof(ctx->hs->tls13.legacy_session_id),
259 &ctx->hs->tls13.legacy_session_id_len)) {
260 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
261 goto err;
262 }
263
264 /* Parse cipher suites list and select preferred cipher. */
265 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {
266 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
267 goto err;
268 }
269 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
270 if (cipher == NULL) {
271 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0,
272 "no shared cipher found", NULL);
273 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
274 goto err;
275 }
276 ctx->hs->cipher = cipher;
277
278 sk_SSL_CIPHER_free(s->session->ciphers);
279 s->session->ciphers = ciphers;
280 ciphers = NULL;
281
282 /* Ensure only the NULL compression method is advertised. */
283 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only,
284 sizeof(tls13_compression_null_only))) {
285 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
286 goto err;
287 }
288
289 ret = 1;
290
291 err:
292 sk_SSL_CIPHER_free(ciphers);
293
294 return ret;
295 }
296
297 int
tls13_client_hello_recv(struct tls13_ctx * ctx,CBS * cbs)298 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
299 {
300 SSL *s = ctx->ssl;
301
302 if (!tls13_client_hello_process(ctx, cbs))
303 goto err;
304
305 /* See if we switched back to the legacy client method. */
306 if (s->method->version < TLS1_3_VERSION)
307 return 1;
308
309 /*
310 * If a matching key share was provided, we do not need to send a
311 * HelloRetryRequest.
312 */
313 /*
314 * XXX - ideally NEGOTIATED would only be added after record protection
315 * has been enabled. This would probably mean using either an
316 * INITIAL | WITHOUT_HRR state, or another intermediate state.
317 */
318 if (ctx->hs->key_share != NULL)
319 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
320
321 tls13_record_layer_allow_ccs(ctx->rl, 1);
322
323 return 1;
324
325 err:
326 return 0;
327 }
328
329 static int
tls13_server_hello_build(struct tls13_ctx * ctx,CBB * cbb,int hrr)330 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
331 {
332 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
333 const uint8_t *server_random;
334 CBB session_id;
335 SSL *s = ctx->ssl;
336 uint16_t cipher;
337
338 cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
339 server_random = s->s3->server_random;
340
341 if (hrr) {
342 server_random = tls13_hello_retry_request_hash;
343 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
344 }
345
346 if (!CBB_add_u16(cbb, TLS1_2_VERSION))
347 goto err;
348 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE))
349 goto err;
350 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
351 goto err;
352 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
353 ctx->hs->tls13.legacy_session_id_len))
354 goto err;
355 if (!CBB_add_u16(cbb, cipher))
356 goto err;
357 if (!CBB_add_u8(cbb, 0))
358 goto err;
359 if (!tlsext_server_build(s, tlsext_msg_type, cbb))
360 goto err;
361
362 if (!CBB_flush(cbb))
363 goto err;
364
365 return 1;
366 err:
367 return 0;
368 }
369
370 static int
tls13_server_engage_record_protection(struct tls13_ctx * ctx)371 tls13_server_engage_record_protection(struct tls13_ctx *ctx)
372 {
373 struct tls13_secrets *secrets;
374 struct tls13_secret context;
375 unsigned char buf[EVP_MAX_MD_SIZE];
376 uint8_t *shared_key = NULL;
377 size_t shared_key_len = 0;
378 size_t hash_len;
379 SSL *s = ctx->ssl;
380 int ret = 0;
381
382 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
383 &shared_key_len))
384 goto err;
385
386 s->session->cipher = ctx->hs->cipher;
387
388 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
389 goto err;
390 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
391 goto err;
392
393 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
394 goto err;
395 ctx->hs->tls13.secrets = secrets;
396
397 /* XXX - pass in hash. */
398 if (!tls1_transcript_hash_init(s))
399 goto err;
400 tls1_transcript_free(s);
401 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
402 goto err;
403 context.data = buf;
404 context.len = hash_len;
405
406 /* Early secrets. */
407 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
408 secrets->zeros.len, &context))
409 goto err;
410
411 /* Handshake secrets. */
412 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
413 shared_key_len, &context))
414 goto err;
415
416 tls13_record_layer_set_aead(ctx->rl, ctx->aead);
417 tls13_record_layer_set_hash(ctx->rl, ctx->hash);
418
419 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
420 &secrets->client_handshake_traffic, ssl_encryption_handshake))
421 goto err;
422 if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
423 &secrets->server_handshake_traffic, ssl_encryption_handshake))
424 goto err;
425
426 ctx->handshake_stage.hs_type |= NEGOTIATED;
427 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER))
428 ctx->handshake_stage.hs_type |= WITHOUT_CR;
429
430 ret = 1;
431
432 err:
433 freezero(shared_key, shared_key_len);
434 return ret;
435 }
436
437 int
tls13_server_hello_retry_request_send(struct tls13_ctx * ctx,CBB * cbb)438 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
439 {
440 int nid;
441
442 ctx->hs->tls13.hrr = 1;
443
444 if (!tls13_synthetic_handshake_message(ctx))
445 return 0;
446
447 if (ctx->hs->key_share != NULL)
448 return 0;
449 if (!tls1_get_supported_group(ctx->ssl, &nid))
450 return 0;
451 if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
452 return 0;
453
454 if (!tls13_server_hello_build(ctx, cbb, 1))
455 return 0;
456
457 return 1;
458 }
459
460 int
tls13_server_hello_retry_request_sent(struct tls13_ctx * ctx)461 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
462 {
463 /*
464 * If the client has requested middlebox compatibility mode,
465 * we MUST send a dummy CCS following our first handshake message.
466 * See RFC 8446 Appendix D.4.
467 */
468 if (ctx->hs->tls13.legacy_session_id_len > 0)
469 ctx->send_dummy_ccs_after = 1;
470
471 return 1;
472 }
473
474 int
tls13_client_hello_retry_recv(struct tls13_ctx * ctx,CBS * cbs)475 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
476 {
477 SSL *s = ctx->ssl;
478
479 if (!tls13_client_hello_process(ctx, cbs))
480 return 0;
481
482 /* XXX - need further checks. */
483 if (s->method->version < TLS1_3_VERSION)
484 return 0;
485
486 ctx->hs->tls13.hrr = 0;
487
488 return 1;
489 }
490
491 static int
tls13_servername_process(struct tls13_ctx * ctx)492 tls13_servername_process(struct tls13_ctx *ctx)
493 {
494 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
495
496 if (!tls13_legacy_servername_process(ctx, &alert)) {
497 ctx->alert = alert;
498 return 0;
499 }
500
501 return 1;
502 }
503
504 int
tls13_server_hello_send(struct tls13_ctx * ctx,CBB * cbb)505 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
506 {
507 if (ctx->hs->key_share == NULL)
508 return 0;
509 if (!tls_key_share_generate(ctx->hs->key_share))
510 return 0;
511 if (!tls13_servername_process(ctx))
512 return 0;
513
514 ctx->hs->tls13.server_group = 0;
515
516 if (!tls13_server_hello_build(ctx, cbb, 0))
517 return 0;
518
519 return 1;
520 }
521
522 int
tls13_server_hello_sent(struct tls13_ctx * ctx)523 tls13_server_hello_sent(struct tls13_ctx *ctx)
524 {
525 /*
526 * If the client has requested middlebox compatibility mode,
527 * we MUST send a dummy CCS following our first handshake message.
528 * See RFC 8446 Appendix D.4.
529 */
530 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
531 ctx->hs->tls13.legacy_session_id_len > 0)
532 ctx->send_dummy_ccs_after = 1;
533
534 return tls13_server_engage_record_protection(ctx);
535 }
536
537 int
tls13_server_encrypted_extensions_send(struct tls13_ctx * ctx,CBB * cbb)538 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
539 {
540 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb))
541 goto err;
542
543 return 1;
544 err:
545 return 0;
546 }
547
548 int
tls13_server_certificate_request_send(struct tls13_ctx * ctx,CBB * cbb)549 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
550 {
551 CBB certificate_request_context;
552
553 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
554 goto err;
555 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb))
556 goto err;
557
558 if (!CBB_flush(cbb))
559 goto err;
560
561 return 1;
562 err:
563 return 0;
564 }
565
566 static int
tls13_server_check_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY * cpk,int * ok,const struct ssl_sigalg ** out_sigalg)567 tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
568 int *ok, const struct ssl_sigalg **out_sigalg)
569 {
570 const struct ssl_sigalg *sigalg;
571 SSL *s = ctx->ssl;
572
573 *ok = 0;
574 *out_sigalg = NULL;
575
576 if (cpk->x509 == NULL || cpk->privatekey == NULL)
577 goto done;
578
579 /*
580 * The digitalSignature bit MUST be set if the Key Usage extension is
581 * present as per RFC 8446 section 4.4.2.2.
582 */
583 if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE))
584 goto done;
585
586 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
587 goto done;
588
589 *ok = 1;
590 *out_sigalg = sigalg;
591
592 done:
593 return 1;
594 }
595
596 static int
tls13_server_select_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY ** out_cpk,const struct ssl_sigalg ** out_sigalg)597 tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
598 const struct ssl_sigalg **out_sigalg)
599 {
600 SSL *s = ctx->ssl;
601 const struct ssl_sigalg *sigalg;
602 SSL_CERT_PKEY *cpk;
603 int cert_ok;
604
605 *out_cpk = NULL;
606 *out_sigalg = NULL;
607
608 cpk = &s->cert->pkeys[SSL_PKEY_ECC];
609 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
610 return 0;
611 if (cert_ok)
612 goto done;
613
614 cpk = &s->cert->pkeys[SSL_PKEY_RSA];
615 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
616 return 0;
617 if (cert_ok)
618 goto done;
619
620 cpk = NULL;
621 sigalg = NULL;
622
623 done:
624 *out_cpk = cpk;
625 *out_sigalg = sigalg;
626
627 return 1;
628 }
629
630 int
tls13_server_certificate_send(struct tls13_ctx * ctx,CBB * cbb)631 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
632 {
633 SSL *s = ctx->ssl;
634 CBB cert_request_context, cert_list;
635 const struct ssl_sigalg *sigalg;
636 X509_STORE_CTX *xsc = NULL;
637 STACK_OF(X509) *chain;
638 SSL_CERT_PKEY *cpk;
639 X509 *cert;
640 int i, ret = 0;
641
642 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg))
643 goto err;
644
645 if (cpk == NULL) {
646 /* A server must always provide a certificate. */
647 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
648 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0,
649 "no server certificate", NULL);
650 goto err;
651 }
652
653 ctx->hs->tls13.cpk = cpk;
654 ctx->hs->our_sigalg = sigalg;
655
656 if ((chain = cpk->chain) == NULL)
657 chain = s->ctx->extra_certs;
658
659 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
660 if ((xsc = X509_STORE_CTX_new()) == NULL)
661 goto err;
662 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
663 goto err;
664 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
665 X509_V_FLAG_LEGACY_VERIFY);
666 X509_verify_cert(xsc);
667 ERR_clear_error();
668 chain = X509_STORE_CTX_get0_chain(xsc);
669 }
670
671 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
672 goto err;
673 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
674 goto err;
675
676 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build))
677 goto err;
678
679 for (i = 0; i < sk_X509_num(chain); i++) {
680 cert = sk_X509_value(chain, i);
681
682 /*
683 * In the case of auto chain, the leaf certificate will be at
684 * the top of the chain - skip over it as we've already added
685 * it earlier.
686 */
687 if (i == 0 && cert == cpk->x509)
688 continue;
689
690 /*
691 * XXX we don't send extensions with chain certs to avoid sending
692 * a leaf ocsp staple with the chain certs. This needs to get
693 * fixed.
694 */
695 if (!tls13_cert_add(ctx, &cert_list, cert, NULL))
696 goto err;
697 }
698
699 if (!CBB_flush(cbb))
700 goto err;
701
702 ret = 1;
703
704 err:
705 X509_STORE_CTX_free(xsc);
706
707 return ret;
708 }
709
710 int
tls13_server_certificate_verify_send(struct tls13_ctx * ctx,CBB * cbb)711 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
712 {
713 const struct ssl_sigalg *sigalg;
714 uint8_t *sig = NULL, *sig_content = NULL;
715 size_t sig_len, sig_content_len;
716 EVP_MD_CTX *mdctx = NULL;
717 EVP_PKEY_CTX *pctx;
718 EVP_PKEY *pkey;
719 const SSL_CERT_PKEY *cpk;
720 CBB sig_cbb;
721 int ret = 0;
722
723 memset(&sig_cbb, 0, sizeof(sig_cbb));
724
725 if ((cpk = ctx->hs->tls13.cpk) == NULL)
726 goto err;
727 if ((sigalg = ctx->hs->our_sigalg) == NULL)
728 goto err;
729 pkey = cpk->privatekey;
730
731 if (!CBB_init(&sig_cbb, 0))
732 goto err;
733 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
734 sizeof(tls13_cert_verify_pad)))
735 goto err;
736 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context,
737 strlen(tls13_cert_server_verify_context)))
738 goto err;
739 if (!CBB_add_u8(&sig_cbb, 0))
740 goto err;
741 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
742 ctx->hs->tls13.transcript_hash_len))
743 goto err;
744 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
745 goto err;
746
747 if ((mdctx = EVP_MD_CTX_new()) == NULL)
748 goto err;
749 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
750 goto err;
751 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
752 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
753 goto err;
754 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
755 goto err;
756 }
757 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
758 goto err;
759 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
760 goto err;
761 if ((sig = calloc(1, sig_len)) == NULL)
762 goto err;
763 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
764 goto err;
765
766 if (!CBB_add_u16(cbb, sigalg->value))
767 goto err;
768 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
769 goto err;
770 if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
771 goto err;
772
773 if (!CBB_flush(cbb))
774 goto err;
775
776 ret = 1;
777
778 err:
779 if (!ret && ctx->alert == 0)
780 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
781
782 CBB_cleanup(&sig_cbb);
783 EVP_MD_CTX_free(mdctx);
784 free(sig_content);
785 free(sig);
786
787 return ret;
788 }
789
790 int
tls13_server_finished_send(struct tls13_ctx * ctx,CBB * cbb)791 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
792 {
793 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
794 struct tls13_secret context = { .data = "", .len = 0 };
795 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
796 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
797 size_t transcript_hash_len;
798 uint8_t *verify_data;
799 size_t verify_data_len;
800 unsigned int hlen;
801 HMAC_CTX *hmac_ctx = NULL;
802 CBS cbs;
803 int ret = 0;
804
805 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
806 goto err;
807
808 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
809 &secrets->server_handshake_traffic, "finished",
810 &context))
811 goto err;
812
813 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
814 sizeof(transcript_hash), &transcript_hash_len))
815 goto err;
816
817 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
818 goto err;
819 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
820 ctx->hash, NULL))
821 goto err;
822 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
823 goto err;
824
825 verify_data_len = HMAC_size(hmac_ctx);
826 if (!CBB_add_space(cbb, &verify_data, verify_data_len))
827 goto err;
828 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
829 goto err;
830 if (hlen != verify_data_len)
831 goto err;
832
833 CBS_init(&cbs, verify_data, verify_data_len);
834 if (!CBS_write_bytes(&cbs, ctx->hs->finished,
835 sizeof(ctx->hs->finished), &ctx->hs->finished_len))
836 goto err;
837
838 ret = 1;
839
840 err:
841 tls13_secret_cleanup(&finished_key);
842 HMAC_CTX_free(hmac_ctx);
843
844 return ret;
845 }
846
847 int
tls13_server_finished_sent(struct tls13_ctx * ctx)848 tls13_server_finished_sent(struct tls13_ctx *ctx)
849 {
850 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
851 struct tls13_secret context = { .data = "", .len = 0 };
852
853 /*
854 * Derive application traffic keys.
855 */
856 context.data = ctx->hs->tls13.transcript_hash;
857 context.len = ctx->hs->tls13.transcript_hash_len;
858
859 if (!tls13_derive_application_secrets(secrets, &context))
860 return 0;
861
862 /*
863 * Any records following the server finished message must be encrypted
864 * using the server application traffic keys.
865 */
866 return tls13_record_layer_set_write_traffic_key(ctx->rl,
867 &secrets->server_application_traffic, ssl_encryption_application);
868 }
869
870 int
tls13_client_certificate_recv(struct tls13_ctx * ctx,CBS * cbs)871 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
872 {
873 CBS cert_request_context, cert_list, cert_data, cert_exts;
874 struct stack_st_X509 *certs = NULL;
875 SSL *s = ctx->ssl;
876 X509 *cert = NULL;
877 const uint8_t *p;
878 int ret = 0;
879
880 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
881 goto err;
882 if (CBS_len(&cert_request_context) != 0)
883 goto err;
884 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
885 goto err;
886 if (CBS_len(&cert_list) == 0) {
887 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
888 return 1;
889 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
890 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
891 "peer did not provide a certificate", NULL);
892 goto err;
893 }
894
895 if ((certs = sk_X509_new_null()) == NULL)
896 goto err;
897 while (CBS_len(&cert_list) > 0) {
898 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
899 goto err;
900 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
901 goto err;
902
903 p = CBS_data(&cert_data);
904 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
905 goto err;
906 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
907 goto err;
908
909 if (!sk_X509_push(certs, cert))
910 goto err;
911
912 cert = NULL;
913 }
914
915 /*
916 * At this stage we still have no proof of possession. As such, it would
917 * be preferable to keep the chain and verify once we have successfully
918 * processed the CertificateVerify message.
919 */
920 if (ssl_verify_cert_chain(s, certs) <= 0) {
921 ctx->alert = ssl_verify_alarm_type(s->verify_result);
922 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
923 "failed to verify peer certificate", NULL);
924 goto err;
925 }
926 s->session->verify_result = s->verify_result;
927 ERR_clear_error();
928
929 if (!tls_process_peer_certs(s, certs))
930 goto err;
931
932 ctx->handshake_stage.hs_type |= WITH_CCV;
933 ret = 1;
934
935 err:
936 sk_X509_pop_free(certs, X509_free);
937 X509_free(cert);
938
939 return ret;
940 }
941
942 int
tls13_client_certificate_verify_recv(struct tls13_ctx * ctx,CBS * cbs)943 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
944 {
945 const struct ssl_sigalg *sigalg;
946 uint16_t signature_scheme;
947 uint8_t *sig_content = NULL;
948 size_t sig_content_len;
949 EVP_MD_CTX *mdctx = NULL;
950 EVP_PKEY_CTX *pctx;
951 EVP_PKEY *pkey;
952 X509 *cert;
953 CBS signature;
954 CBB cbb;
955 int ret = 0;
956
957 memset(&cbb, 0, sizeof(cbb));
958
959 if (!CBS_get_u16(cbs, &signature_scheme))
960 goto err;
961 if (!CBS_get_u16_length_prefixed(cbs, &signature))
962 goto err;
963
964 if (!CBB_init(&cbb, 0))
965 goto err;
966 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
967 sizeof(tls13_cert_verify_pad)))
968 goto err;
969 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
970 strlen(tls13_cert_client_verify_context)))
971 goto err;
972 if (!CBB_add_u8(&cbb, 0))
973 goto err;
974 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
975 ctx->hs->tls13.transcript_hash_len))
976 goto err;
977 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
978 goto err;
979
980 if ((cert = ctx->ssl->session->peer_cert) == NULL)
981 goto err;
982 if ((pkey = X509_get0_pubkey(cert)) == NULL)
983 goto err;
984 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
985 signature_scheme)) == NULL)
986 goto err;
987 ctx->hs->peer_sigalg = sigalg;
988
989 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
990 goto err;
991
992 if ((mdctx = EVP_MD_CTX_new()) == NULL)
993 goto err;
994 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
995 goto err;
996 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
997 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
998 goto err;
999 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
1000 goto err;
1001 }
1002 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
1003 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1004 goto err;
1005 }
1006 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
1007 CBS_len(&signature)) <= 0) {
1008 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1009 goto err;
1010 }
1011
1012 ret = 1;
1013
1014 err:
1015 if (!ret && ctx->alert == 0)
1016 ctx->alert = TLS13_ALERT_DECODE_ERROR;
1017
1018 CBB_cleanup(&cbb);
1019 EVP_MD_CTX_free(mdctx);
1020 free(sig_content);
1021
1022 return ret;
1023 }
1024
1025 int
tls13_client_end_of_early_data_recv(struct tls13_ctx * ctx,CBS * cbs)1026 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
1027 {
1028 return 0;
1029 }
1030
1031 int
tls13_client_finished_recv(struct tls13_ctx * ctx,CBS * cbs)1032 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
1033 {
1034 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1035 struct tls13_secret context = { .data = "", .len = 0 };
1036 struct tls13_secret finished_key;
1037 uint8_t *verify_data = NULL;
1038 size_t verify_data_len;
1039 uint8_t key[EVP_MAX_MD_SIZE];
1040 HMAC_CTX *hmac_ctx = NULL;
1041 unsigned int hlen;
1042 int ret = 0;
1043
1044 /*
1045 * Verify client finished.
1046 */
1047 finished_key.data = key;
1048 finished_key.len = EVP_MD_size(ctx->hash);
1049
1050 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1051 &secrets->client_handshake_traffic, "finished",
1052 &context))
1053 goto err;
1054
1055 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1056 goto err;
1057 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1058 ctx->hash, NULL))
1059 goto err;
1060 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
1061 ctx->hs->tls13.transcript_hash_len))
1062 goto err;
1063 verify_data_len = HMAC_size(hmac_ctx);
1064 if ((verify_data = calloc(1, verify_data_len)) == NULL)
1065 goto err;
1066 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1067 goto err;
1068 if (hlen != verify_data_len)
1069 goto err;
1070
1071 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
1072 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1073 goto err;
1074 }
1075
1076 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
1077 sizeof(ctx->hs->peer_finished),
1078 &ctx->hs->peer_finished_len))
1079 goto err;
1080
1081 if (!CBS_skip(cbs, verify_data_len))
1082 goto err;
1083
1084 /*
1085 * Any records following the client finished message must be encrypted
1086 * using the client application traffic keys.
1087 */
1088 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
1089 &secrets->client_application_traffic, ssl_encryption_application))
1090 goto err;
1091
1092 tls13_record_layer_allow_ccs(ctx->rl, 0);
1093
1094 ret = 1;
1095
1096 err:
1097 HMAC_CTX_free(hmac_ctx);
1098 free(verify_data);
1099
1100 return ret;
1101 }
1102