1 /* $OpenBSD: tls13_server.c,v 1.103 2022/09/17 17:14:06 jsing Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/x509v3.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_sigalgs.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_server_init(struct tls13_ctx *ctx) 29 { 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 33 &ctx->hs->our_max_tls_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->our_max_tls_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53 } 54 55 int 56 tls13_server_accept(struct tls13_ctx *ctx) 57 { 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62 } 63 64 static int 65 tls13_client_hello_is_legacy(CBS *cbs) 66 { 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97 } 98 99 int 100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101 { 102 SSL *s = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we 112 * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies 113 * that we need both signature_algorithms and supported_groups. 114 */ 115 if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 116 if (!tlsext_extension_seen(s, 117 TLSEXT_TYPE_psk_key_exchange_modes)) 118 return 0; 119 } else { 120 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 121 return 0; 122 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 123 return 0; 124 } 125 126 /* 127 * supported_groups and key_share must either both be present or 128 * both be absent. 129 */ 130 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 131 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 132 return 0; 133 134 /* 135 * XXX - Require server_name from client? If so, we SHOULD enforce 136 * this here - RFC 8446, 9.2. 137 */ 138 139 return 1; 140 } 141 142 static const uint8_t tls13_compression_null_only[] = { 0 }; 143 144 static int 145 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 146 { 147 CBS cipher_suites, client_random, compression_methods, session_id; 148 STACK_OF(SSL_CIPHER) *ciphers = NULL; 149 const SSL_CIPHER *cipher; 150 uint16_t legacy_version; 151 int alert_desc; 152 SSL *s = ctx->ssl; 153 int ret = 0; 154 155 if (!CBS_get_u16(cbs, &legacy_version)) 156 goto err; 157 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 158 goto err; 159 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 160 goto err; 161 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 162 goto err; 163 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 164 goto err; 165 166 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 167 if (!CBS_skip(cbs, CBS_len(cbs))) 168 goto err; 169 return tls13_use_legacy_server(ctx); 170 } 171 ctx->hs->negotiated_tls_version = TLS1_3_VERSION; 172 ctx->hs->peer_legacy_version = legacy_version; 173 174 /* Ensure we send subsequent alerts with the correct record version. */ 175 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 176 177 /* 178 * Ensure that the client has not requested middlebox compatibility mode 179 * if it is prohibited from doing so. 180 */ 181 if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) { 182 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 183 goto err; 184 } 185 186 /* Add decoded values to the current ClientHello hash */ 187 if (!tls13_clienthello_hash_init(ctx)) { 188 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 189 goto err; 190 } 191 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 192 sizeof(legacy_version))) { 193 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 194 goto err; 195 } 196 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 197 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 198 goto err; 199 } 200 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 201 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 202 goto err; 203 } 204 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 205 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 206 goto err; 207 } 208 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 209 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 210 goto err; 211 } 212 213 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 214 ctx->alert = alert_desc; 215 goto err; 216 } 217 218 /* Finalize first ClientHello hash, or validate against it */ 219 if (!ctx->hs->tls13.hrr) { 220 if (!tls13_clienthello_hash_finalize(ctx)) { 221 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 222 goto err; 223 } 224 } else { 225 if (!tls13_clienthello_hash_validate(ctx)) { 226 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 227 goto err; 228 } 229 tls13_clienthello_hash_clear(&ctx->hs->tls13); 230 } 231 232 if (!tls13_client_hello_required_extensions(ctx)) { 233 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 234 goto err; 235 } 236 237 /* 238 * If we got this far we have a supported versions extension that offers 239 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 240 */ 241 if (legacy_version != TLS1_2_VERSION) { 242 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 243 goto err; 244 } 245 246 /* 247 * The legacy session identifier must either be zero length or a 32 byte 248 * value (in which case the client is requesting middlebox compatibility 249 * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value 250 * so that we can echo it back to the client. 251 */ 252 if (CBS_len(&session_id) != 0 && 253 CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) { 254 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 255 goto err; 256 } 257 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 258 sizeof(ctx->hs->tls13.legacy_session_id), 259 &ctx->hs->tls13.legacy_session_id_len)) { 260 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 261 goto err; 262 } 263 264 /* Parse cipher suites list and select preferred cipher. */ 265 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 266 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 267 goto err; 268 } 269 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 270 if (cipher == NULL) { 271 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 272 "no shared cipher found", NULL); 273 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 274 goto err; 275 } 276 ctx->hs->cipher = cipher; 277 278 sk_SSL_CIPHER_free(s->session->ciphers); 279 s->session->ciphers = ciphers; 280 ciphers = NULL; 281 282 /* Ensure only the NULL compression method is advertised. */ 283 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 284 sizeof(tls13_compression_null_only))) { 285 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 286 goto err; 287 } 288 289 ret = 1; 290 291 err: 292 sk_SSL_CIPHER_free(ciphers); 293 294 return ret; 295 } 296 297 int 298 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 299 { 300 SSL *s = ctx->ssl; 301 302 if (!tls13_client_hello_process(ctx, cbs)) 303 goto err; 304 305 /* See if we switched back to the legacy client method. */ 306 if (s->method->version < TLS1_3_VERSION) 307 return 1; 308 309 /* 310 * If a matching key share was provided, we do not need to send a 311 * HelloRetryRequest. 312 */ 313 /* 314 * XXX - ideally NEGOTIATED would only be added after record protection 315 * has been enabled. This would probably mean using either an 316 * INITIAL | WITHOUT_HRR state, or another intermediate state. 317 */ 318 if (ctx->hs->key_share != NULL) 319 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 320 321 tls13_record_layer_allow_ccs(ctx->rl, 1); 322 323 return 1; 324 325 err: 326 return 0; 327 } 328 329 static int 330 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 331 { 332 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 333 const uint8_t *server_random; 334 CBB session_id; 335 SSL *s = ctx->ssl; 336 uint16_t cipher; 337 338 cipher = SSL_CIPHER_get_value(ctx->hs->cipher); 339 server_random = s->s3->server_random; 340 341 if (hrr) { 342 server_random = tls13_hello_retry_request_hash; 343 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 344 } 345 346 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 347 goto err; 348 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 349 goto err; 350 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 351 goto err; 352 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 353 ctx->hs->tls13.legacy_session_id_len)) 354 goto err; 355 if (!CBB_add_u16(cbb, cipher)) 356 goto err; 357 if (!CBB_add_u8(cbb, 0)) 358 goto err; 359 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 360 goto err; 361 362 if (!CBB_flush(cbb)) 363 goto err; 364 365 return 1; 366 err: 367 return 0; 368 } 369 370 static int 371 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 372 { 373 struct tls13_secrets *secrets; 374 struct tls13_secret context; 375 unsigned char buf[EVP_MAX_MD_SIZE]; 376 uint8_t *shared_key = NULL; 377 size_t shared_key_len = 0; 378 size_t hash_len; 379 SSL *s = ctx->ssl; 380 int ret = 0; 381 382 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key, 383 &shared_key_len)) 384 goto err; 385 386 s->session->cipher = ctx->hs->cipher; 387 388 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 389 goto err; 390 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 391 goto err; 392 393 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 394 goto err; 395 ctx->hs->tls13.secrets = secrets; 396 397 /* XXX - pass in hash. */ 398 if (!tls1_transcript_hash_init(s)) 399 goto err; 400 tls1_transcript_free(s); 401 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 402 goto err; 403 context.data = buf; 404 context.len = hash_len; 405 406 /* Early secrets. */ 407 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 408 secrets->zeros.len, &context)) 409 goto err; 410 411 /* Handshake secrets. */ 412 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 413 shared_key_len, &context)) 414 goto err; 415 416 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 417 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 418 419 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 420 &secrets->client_handshake_traffic, ssl_encryption_handshake)) 421 goto err; 422 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 423 &secrets->server_handshake_traffic, ssl_encryption_handshake)) 424 goto err; 425 426 ctx->handshake_stage.hs_type |= NEGOTIATED; 427 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 428 ctx->handshake_stage.hs_type |= WITHOUT_CR; 429 430 ret = 1; 431 432 err: 433 freezero(shared_key, shared_key_len); 434 return ret; 435 } 436 437 int 438 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 439 { 440 int nid; 441 442 ctx->hs->tls13.hrr = 1; 443 444 if (!tls13_synthetic_handshake_message(ctx)) 445 return 0; 446 447 if (ctx->hs->key_share != NULL) 448 return 0; 449 if (!tls1_get_supported_group(ctx->ssl, &nid)) 450 return 0; 451 if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group)) 452 return 0; 453 454 if (!tls13_server_hello_build(ctx, cbb, 1)) 455 return 0; 456 457 return 1; 458 } 459 460 int 461 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 462 { 463 /* 464 * If the client has requested middlebox compatibility mode, 465 * we MUST send a dummy CCS following our first handshake message. 466 * See RFC 8446 Appendix D.4. 467 */ 468 if (ctx->hs->tls13.legacy_session_id_len > 0) 469 ctx->send_dummy_ccs_after = 1; 470 471 return 1; 472 } 473 474 int 475 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 476 { 477 SSL *s = ctx->ssl; 478 479 if (!tls13_client_hello_process(ctx, cbs)) 480 return 0; 481 482 /* XXX - need further checks. */ 483 if (s->method->version < TLS1_3_VERSION) 484 return 0; 485 486 ctx->hs->tls13.hrr = 0; 487 488 return 1; 489 } 490 491 static int 492 tls13_servername_process(struct tls13_ctx *ctx) 493 { 494 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 495 496 if (!tls13_legacy_servername_process(ctx, &alert)) { 497 ctx->alert = alert; 498 return 0; 499 } 500 501 return 1; 502 } 503 504 int 505 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 506 { 507 if (ctx->hs->key_share == NULL) 508 return 0; 509 if (!tls_key_share_generate(ctx->hs->key_share)) 510 return 0; 511 if (!tls13_servername_process(ctx)) 512 return 0; 513 514 ctx->hs->tls13.server_group = 0; 515 516 if (!tls13_server_hello_build(ctx, cbb, 0)) 517 return 0; 518 519 return 1; 520 } 521 522 int 523 tls13_server_hello_sent(struct tls13_ctx *ctx) 524 { 525 /* 526 * If the client has requested middlebox compatibility mode, 527 * we MUST send a dummy CCS following our first handshake message. 528 * See RFC 8446 Appendix D.4. 529 */ 530 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 531 ctx->hs->tls13.legacy_session_id_len > 0) 532 ctx->send_dummy_ccs_after = 1; 533 534 return tls13_server_engage_record_protection(ctx); 535 } 536 537 int 538 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 539 { 540 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 541 goto err; 542 543 return 1; 544 err: 545 return 0; 546 } 547 548 int 549 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 550 { 551 CBB certificate_request_context; 552 553 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 554 goto err; 555 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 556 goto err; 557 558 if (!CBB_flush(cbb)) 559 goto err; 560 561 return 1; 562 err: 563 return 0; 564 } 565 566 static int 567 tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk, 568 int *ok, const struct ssl_sigalg **out_sigalg) 569 { 570 const struct ssl_sigalg *sigalg; 571 SSL *s = ctx->ssl; 572 573 *ok = 0; 574 *out_sigalg = NULL; 575 576 if (cpk->x509 == NULL || cpk->privatekey == NULL) 577 goto done; 578 579 /* 580 * The digitalSignature bit MUST be set if the Key Usage extension is 581 * present as per RFC 8446 section 4.4.2.2. 582 */ 583 if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)) 584 goto done; 585 586 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 587 goto done; 588 589 *ok = 1; 590 *out_sigalg = sigalg; 591 592 done: 593 return 1; 594 } 595 596 static int 597 tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk, 598 const struct ssl_sigalg **out_sigalg) 599 { 600 SSL *s = ctx->ssl; 601 const struct ssl_sigalg *sigalg; 602 SSL_CERT_PKEY *cpk; 603 int cert_ok; 604 605 *out_cpk = NULL; 606 *out_sigalg = NULL; 607 608 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 609 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 610 return 0; 611 if (cert_ok) 612 goto done; 613 614 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 615 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 616 return 0; 617 if (cert_ok) 618 goto done; 619 620 cpk = NULL; 621 sigalg = NULL; 622 623 done: 624 *out_cpk = cpk; 625 *out_sigalg = sigalg; 626 627 return 1; 628 } 629 630 int 631 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 632 { 633 SSL *s = ctx->ssl; 634 CBB cert_request_context, cert_list; 635 const struct ssl_sigalg *sigalg; 636 X509_STORE_CTX *xsc = NULL; 637 STACK_OF(X509) *chain; 638 SSL_CERT_PKEY *cpk; 639 X509 *cert; 640 int i, ret = 0; 641 642 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 643 goto err; 644 645 if (cpk == NULL) { 646 /* A server must always provide a certificate. */ 647 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 648 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 649 "no server certificate", NULL); 650 goto err; 651 } 652 653 ctx->hs->tls13.cpk = cpk; 654 ctx->hs->our_sigalg = sigalg; 655 656 if ((chain = cpk->chain) == NULL) 657 chain = s->ctx->extra_certs; 658 659 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { 660 if ((xsc = X509_STORE_CTX_new()) == NULL) 661 goto err; 662 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 663 goto err; 664 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 665 X509_V_FLAG_LEGACY_VERIFY); 666 X509_verify_cert(xsc); 667 ERR_clear_error(); 668 chain = X509_STORE_CTX_get0_chain(xsc); 669 } 670 671 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 672 goto err; 673 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 674 goto err; 675 676 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 677 goto err; 678 679 for (i = 0; i < sk_X509_num(chain); i++) { 680 cert = sk_X509_value(chain, i); 681 682 /* 683 * In the case of auto chain, the leaf certificate will be at 684 * the top of the chain - skip over it as we've already added 685 * it earlier. 686 */ 687 if (i == 0 && cert == cpk->x509) 688 continue; 689 690 /* 691 * XXX we don't send extensions with chain certs to avoid sending 692 * a leaf ocsp staple with the chain certs. This needs to get 693 * fixed. 694 */ 695 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 696 goto err; 697 } 698 699 if (!CBB_flush(cbb)) 700 goto err; 701 702 ret = 1; 703 704 err: 705 X509_STORE_CTX_free(xsc); 706 707 return ret; 708 } 709 710 int 711 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 712 { 713 const struct ssl_sigalg *sigalg; 714 uint8_t *sig = NULL, *sig_content = NULL; 715 size_t sig_len, sig_content_len; 716 EVP_MD_CTX *mdctx = NULL; 717 EVP_PKEY_CTX *pctx; 718 EVP_PKEY *pkey; 719 const SSL_CERT_PKEY *cpk; 720 CBB sig_cbb; 721 int ret = 0; 722 723 memset(&sig_cbb, 0, sizeof(sig_cbb)); 724 725 if ((cpk = ctx->hs->tls13.cpk) == NULL) 726 goto err; 727 if ((sigalg = ctx->hs->our_sigalg) == NULL) 728 goto err; 729 pkey = cpk->privatekey; 730 731 if (!CBB_init(&sig_cbb, 0)) 732 goto err; 733 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 734 sizeof(tls13_cert_verify_pad))) 735 goto err; 736 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 737 strlen(tls13_cert_server_verify_context))) 738 goto err; 739 if (!CBB_add_u8(&sig_cbb, 0)) 740 goto err; 741 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 742 ctx->hs->tls13.transcript_hash_len)) 743 goto err; 744 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 745 goto err; 746 747 if ((mdctx = EVP_MD_CTX_new()) == NULL) 748 goto err; 749 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 750 goto err; 751 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 752 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 753 goto err; 754 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 755 goto err; 756 } 757 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 758 goto err; 759 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 760 goto err; 761 if ((sig = calloc(1, sig_len)) == NULL) 762 goto err; 763 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 764 goto err; 765 766 if (!CBB_add_u16(cbb, sigalg->value)) 767 goto err; 768 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 769 goto err; 770 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 771 goto err; 772 773 if (!CBB_flush(cbb)) 774 goto err; 775 776 ret = 1; 777 778 err: 779 if (!ret && ctx->alert == 0) 780 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 781 782 CBB_cleanup(&sig_cbb); 783 EVP_MD_CTX_free(mdctx); 784 free(sig_content); 785 free(sig); 786 787 return ret; 788 } 789 790 int 791 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 792 { 793 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 794 struct tls13_secret context = { .data = "", .len = 0 }; 795 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 796 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 797 size_t transcript_hash_len; 798 uint8_t *verify_data; 799 size_t verify_data_len; 800 unsigned int hlen; 801 HMAC_CTX *hmac_ctx = NULL; 802 CBS cbs; 803 int ret = 0; 804 805 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 806 goto err; 807 808 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 809 &secrets->server_handshake_traffic, "finished", 810 &context)) 811 goto err; 812 813 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 814 sizeof(transcript_hash), &transcript_hash_len)) 815 goto err; 816 817 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 818 goto err; 819 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 820 ctx->hash, NULL)) 821 goto err; 822 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 823 goto err; 824 825 verify_data_len = HMAC_size(hmac_ctx); 826 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 827 goto err; 828 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 829 goto err; 830 if (hlen != verify_data_len) 831 goto err; 832 833 CBS_init(&cbs, verify_data, verify_data_len); 834 if (!CBS_write_bytes(&cbs, ctx->hs->finished, 835 sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 836 goto err; 837 838 ret = 1; 839 840 err: 841 tls13_secret_cleanup(&finished_key); 842 HMAC_CTX_free(hmac_ctx); 843 844 return ret; 845 } 846 847 int 848 tls13_server_finished_sent(struct tls13_ctx *ctx) 849 { 850 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 851 struct tls13_secret context = { .data = "", .len = 0 }; 852 853 /* 854 * Derive application traffic keys. 855 */ 856 context.data = ctx->hs->tls13.transcript_hash; 857 context.len = ctx->hs->tls13.transcript_hash_len; 858 859 if (!tls13_derive_application_secrets(secrets, &context)) 860 return 0; 861 862 /* 863 * Any records following the server finished message must be encrypted 864 * using the server application traffic keys. 865 */ 866 return tls13_record_layer_set_write_traffic_key(ctx->rl, 867 &secrets->server_application_traffic, ssl_encryption_application); 868 } 869 870 int 871 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 872 { 873 CBS cert_request_context, cert_list, cert_data, cert_exts; 874 struct stack_st_X509 *certs = NULL; 875 SSL *s = ctx->ssl; 876 X509 *cert = NULL; 877 const uint8_t *p; 878 int ret = 0; 879 880 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 881 goto err; 882 if (CBS_len(&cert_request_context) != 0) 883 goto err; 884 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 885 goto err; 886 if (CBS_len(&cert_list) == 0) { 887 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 888 return 1; 889 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 890 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 891 "peer did not provide a certificate", NULL); 892 goto err; 893 } 894 895 if ((certs = sk_X509_new_null()) == NULL) 896 goto err; 897 while (CBS_len(&cert_list) > 0) { 898 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 899 goto err; 900 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 901 goto err; 902 903 p = CBS_data(&cert_data); 904 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 905 goto err; 906 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 907 goto err; 908 909 if (!sk_X509_push(certs, cert)) 910 goto err; 911 912 cert = NULL; 913 } 914 915 /* 916 * At this stage we still have no proof of possession. As such, it would 917 * be preferable to keep the chain and verify once we have successfully 918 * processed the CertificateVerify message. 919 */ 920 if (ssl_verify_cert_chain(s, certs) <= 0) { 921 ctx->alert = ssl_verify_alarm_type(s->verify_result); 922 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 923 "failed to verify peer certificate", NULL); 924 goto err; 925 } 926 s->session->verify_result = s->verify_result; 927 ERR_clear_error(); 928 929 if (!tls_process_peer_certs(s, certs)) 930 goto err; 931 932 ctx->handshake_stage.hs_type |= WITH_CCV; 933 ret = 1; 934 935 err: 936 sk_X509_pop_free(certs, X509_free); 937 X509_free(cert); 938 939 return ret; 940 } 941 942 int 943 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 944 { 945 const struct ssl_sigalg *sigalg; 946 uint16_t signature_scheme; 947 uint8_t *sig_content = NULL; 948 size_t sig_content_len; 949 EVP_MD_CTX *mdctx = NULL; 950 EVP_PKEY_CTX *pctx; 951 EVP_PKEY *pkey; 952 X509 *cert; 953 CBS signature; 954 CBB cbb; 955 int ret = 0; 956 957 memset(&cbb, 0, sizeof(cbb)); 958 959 if (!CBS_get_u16(cbs, &signature_scheme)) 960 goto err; 961 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 962 goto err; 963 964 if (!CBB_init(&cbb, 0)) 965 goto err; 966 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 967 sizeof(tls13_cert_verify_pad))) 968 goto err; 969 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 970 strlen(tls13_cert_client_verify_context))) 971 goto err; 972 if (!CBB_add_u8(&cbb, 0)) 973 goto err; 974 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 975 ctx->hs->tls13.transcript_hash_len)) 976 goto err; 977 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 978 goto err; 979 980 if ((cert = ctx->ssl->session->peer_cert) == NULL) 981 goto err; 982 if ((pkey = X509_get0_pubkey(cert)) == NULL) 983 goto err; 984 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, 985 signature_scheme)) == NULL) 986 goto err; 987 ctx->hs->peer_sigalg = sigalg; 988 989 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 990 goto err; 991 992 if ((mdctx = EVP_MD_CTX_new()) == NULL) 993 goto err; 994 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 995 goto err; 996 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 997 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 998 goto err; 999 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 1000 goto err; 1001 } 1002 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 1003 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1004 goto err; 1005 } 1006 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 1007 CBS_len(&signature)) <= 0) { 1008 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1009 goto err; 1010 } 1011 1012 ret = 1; 1013 1014 err: 1015 if (!ret && ctx->alert == 0) 1016 ctx->alert = TLS13_ALERT_DECODE_ERROR; 1017 1018 CBB_cleanup(&cbb); 1019 EVP_MD_CTX_free(mdctx); 1020 free(sig_content); 1021 1022 return ret; 1023 } 1024 1025 int 1026 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1027 { 1028 return 0; 1029 } 1030 1031 int 1032 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1033 { 1034 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1035 struct tls13_secret context = { .data = "", .len = 0 }; 1036 struct tls13_secret finished_key; 1037 uint8_t *verify_data = NULL; 1038 size_t verify_data_len; 1039 uint8_t key[EVP_MAX_MD_SIZE]; 1040 HMAC_CTX *hmac_ctx = NULL; 1041 unsigned int hlen; 1042 int ret = 0; 1043 1044 /* 1045 * Verify client finished. 1046 */ 1047 finished_key.data = key; 1048 finished_key.len = EVP_MD_size(ctx->hash); 1049 1050 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1051 &secrets->client_handshake_traffic, "finished", 1052 &context)) 1053 goto err; 1054 1055 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1056 goto err; 1057 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1058 ctx->hash, NULL)) 1059 goto err; 1060 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 1061 ctx->hs->tls13.transcript_hash_len)) 1062 goto err; 1063 verify_data_len = HMAC_size(hmac_ctx); 1064 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1065 goto err; 1066 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1067 goto err; 1068 if (hlen != verify_data_len) 1069 goto err; 1070 1071 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1072 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1073 goto err; 1074 } 1075 1076 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 1077 sizeof(ctx->hs->peer_finished), 1078 &ctx->hs->peer_finished_len)) 1079 goto err; 1080 1081 if (!CBS_skip(cbs, verify_data_len)) 1082 goto err; 1083 1084 /* 1085 * Any records following the client finished message must be encrypted 1086 * using the client application traffic keys. 1087 */ 1088 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1089 &secrets->client_application_traffic, ssl_encryption_application)) 1090 goto err; 1091 1092 tls13_record_layer_allow_ccs(ctx->rl, 0); 1093 1094 ret = 1; 1095 1096 err: 1097 HMAC_CTX_free(hmac_ctx); 1098 free(verify_data); 1099 1100 return ret; 1101 } 1102