1 /* $OpenBSD: tls13_client.c,v 1.88 2021/10/25 10:01:46 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include <openssl/ssl3.h> 19 20 #include "bytestring.h" 21 #include "ssl_locl.h" 22 #include "ssl_sigalgs.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_client_init(struct tls13_ctx *ctx) 29 { 30 const uint16_t *groups; 31 size_t groups_len; 32 SSL *s = ctx->ssl; 33 34 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 35 &ctx->hs->our_max_tls_version)) { 36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 37 return 0; 38 } 39 s->version = ctx->hs->our_max_tls_version; 40 41 tls13_record_layer_set_retry_after_phh(ctx->rl, 42 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 43 44 if (!ssl_get_new_session(s, 0)) /* XXX */ 45 return 0; 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 /* Generate a key share using our preferred group. */ 51 tls1_get_group_list(s, 0, &groups, &groups_len); 52 if (groups_len < 1) 53 return 0; 54 if ((ctx->hs->tls13.key_share = tls13_key_share_new(groups[0])) == NULL) 55 return 0; 56 if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) 57 return 0; 58 59 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 60 61 /* 62 * The legacy session identifier should either be set to an 63 * unpredictable 32-byte value or zero length... a non-zero length 64 * legacy session identifier triggers compatibility mode (see RFC 8446 65 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. 66 */ 67 if (ctx->middlebox_compat && 68 ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { 69 arc4random_buf(ctx->hs->tls13.legacy_session_id, 70 sizeof(ctx->hs->tls13.legacy_session_id)); 71 ctx->hs->tls13.legacy_session_id_len = 72 sizeof(ctx->hs->tls13.legacy_session_id); 73 } 74 75 return 1; 76 } 77 78 int 79 tls13_client_connect(struct tls13_ctx *ctx) 80 { 81 if (ctx->mode != TLS13_HS_CLIENT) 82 return TLS13_IO_FAILURE; 83 84 return tls13_handshake_perform(ctx); 85 } 86 87 static int 88 tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) 89 { 90 CBB cipher_suites, compression_methods, session_id; 91 uint16_t client_version; 92 SSL *s = ctx->ssl; 93 94 /* Legacy client version is capped at TLS 1.2. */ 95 if (!ssl_max_legacy_version(s, &client_version)) 96 goto err; 97 98 if (!CBB_add_u16(cbb, client_version)) 99 goto err; 100 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) 101 goto err; 102 103 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 104 goto err; 105 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 106 ctx->hs->tls13.legacy_session_id_len)) 107 goto err; 108 109 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) 110 goto err; 111 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { 112 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); 113 goto err; 114 } 115 116 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) 117 goto err; 118 if (!CBB_add_u8(&compression_methods, 0)) 119 goto err; 120 121 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb)) 122 goto err; 123 124 if (!CBB_flush(cbb)) 125 goto err; 126 127 return 1; 128 129 err: 130 return 0; 131 } 132 133 int 134 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) 135 { 136 if (ctx->hs->our_min_tls_version < TLS1_2_VERSION) 137 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 138 139 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ 140 tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); 141 142 if (!tls13_client_hello_build(ctx, cbb)) 143 return 0; 144 145 return 1; 146 } 147 148 int 149 tls13_client_hello_sent(struct tls13_ctx *ctx) 150 { 151 tls13_record_layer_allow_ccs(ctx->rl, 1); 152 153 tls1_transcript_freeze(ctx->ssl); 154 155 if (ctx->middlebox_compat) 156 ctx->send_dummy_ccs = 1; 157 158 return 1; 159 } 160 161 static int 162 tls13_server_hello_is_legacy(CBS *cbs) 163 { 164 CBS extensions_block, extensions, extension_data; 165 uint16_t selected_version = 0; 166 uint16_t type; 167 168 CBS_dup(cbs, &extensions_block); 169 170 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 171 return 1; 172 173 while (CBS_len(&extensions) > 0) { 174 if (!CBS_get_u16(&extensions, &type)) 175 return 1; 176 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 177 return 1; 178 179 if (type != TLSEXT_TYPE_supported_versions) 180 continue; 181 if (!CBS_get_u16(&extension_data, &selected_version)) 182 return 1; 183 if (CBS_len(&extension_data) != 0) 184 return 1; 185 } 186 187 return (selected_version < TLS1_3_VERSION); 188 } 189 190 static int 191 tls13_server_hello_is_retry(CBS *cbs) 192 { 193 CBS server_hello, server_random; 194 uint16_t legacy_version; 195 196 CBS_dup(cbs, &server_hello); 197 198 if (!CBS_get_u16(&server_hello, &legacy_version)) 199 return 0; 200 if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE)) 201 return 0; 202 203 /* See if this is a HelloRetryRequest. */ 204 return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 205 sizeof(tls13_hello_retry_request_hash)); 206 } 207 208 static int 209 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) 210 { 211 CBS server_random, session_id; 212 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 213 uint16_t cipher_suite, legacy_version; 214 uint8_t compression_method; 215 const SSL_CIPHER *cipher; 216 int alert_desc; 217 SSL *s = ctx->ssl; 218 219 if (!CBS_get_u16(cbs, &legacy_version)) 220 goto err; 221 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) 222 goto err; 223 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 224 goto err; 225 if (!CBS_get_u16(cbs, &cipher_suite)) 226 goto err; 227 if (!CBS_get_u8(cbs, &compression_method)) 228 goto err; 229 230 if (tls13_server_hello_is_legacy(cbs)) { 231 if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { 232 /* 233 * RFC 8446 section 4.1.3: we must not downgrade if 234 * the server random value contains the TLS 1.2 or 1.1 235 * magical value. 236 */ 237 if (!CBS_skip(&server_random, CBS_len(&server_random) - 238 sizeof(tls13_downgrade_12))) 239 goto err; 240 if (CBS_mem_equal(&server_random, tls13_downgrade_12, 241 sizeof(tls13_downgrade_12)) || 242 CBS_mem_equal(&server_random, tls13_downgrade_11, 243 sizeof(tls13_downgrade_11))) { 244 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 245 goto err; 246 } 247 } 248 249 if (!CBS_skip(cbs, CBS_len(cbs))) 250 goto err; 251 252 ctx->hs->tls13.use_legacy = 1; 253 return 1; 254 } 255 256 /* From here on in we know we are doing TLSv1.3. */ 257 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 258 tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); 259 260 /* See if this is a HelloRetryRequest. */ 261 /* XXX - see if we can avoid doing this twice. */ 262 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 263 sizeof(tls13_hello_retry_request_hash))) { 264 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 265 ctx->hs->tls13.hrr = 1; 266 } 267 268 if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { 269 ctx->alert = alert_desc; 270 goto err; 271 } 272 273 /* 274 * The supported versions extension indicated 0x0304 or greater. 275 * Ensure that it was 0x0304 and that legacy version is set to 0x0303 276 * (RFC 8446 section 4.2.1). 277 */ 278 if (ctx->hs->tls13.server_version != TLS1_3_VERSION || 279 legacy_version != TLS1_2_VERSION) { 280 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 281 goto err; 282 } 283 ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version; 284 ctx->hs->peer_legacy_version = legacy_version; 285 286 /* The session_id must match. */ 287 if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id, 288 ctx->hs->tls13.legacy_session_id_len)) { 289 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 290 goto err; 291 } 292 293 /* 294 * Ensure that the cipher suite is one that we offered in the client 295 * hello and that it is a TLSv1.3 cipher suite. 296 */ 297 cipher = ssl3_get_cipher_by_value(cipher_suite); 298 if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { 299 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 300 goto err; 301 } 302 if (cipher->algorithm_ssl != SSL_TLSV1_3) { 303 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 304 goto err; 305 } 306 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) { 307 /* 308 * A ServerHello following a HelloRetryRequest MUST use the same 309 * cipher suite (RFC 8446 section 4.1.4). 310 */ 311 if (ctx->hs->cipher != cipher) { 312 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 313 goto err; 314 } 315 } 316 ctx->hs->cipher = cipher; 317 318 if (compression_method != 0) { 319 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 320 goto err; 321 } 322 323 return 1; 324 325 err: 326 if (ctx->alert == 0) 327 ctx->alert = TLS13_ALERT_DECODE_ERROR; 328 329 return 0; 330 } 331 332 static int 333 tls13_client_engage_record_protection(struct tls13_ctx *ctx) 334 { 335 struct tls13_secrets *secrets; 336 struct tls13_secret context; 337 unsigned char buf[EVP_MAX_MD_SIZE]; 338 uint8_t *shared_key = NULL; 339 size_t shared_key_len = 0; 340 size_t hash_len; 341 SSL *s = ctx->ssl; 342 int ret = 0; 343 344 /* Derive the shared key and engage record protection. */ 345 346 if (!tls13_key_share_derive(ctx->hs->tls13.key_share, &shared_key, 347 &shared_key_len)) 348 goto err; 349 350 s->session->cipher = ctx->hs->cipher; 351 s->session->ssl_version = ctx->hs->tls13.server_version; 352 353 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 354 goto err; 355 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 356 goto err; 357 358 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 359 goto err; 360 ctx->hs->tls13.secrets = secrets; 361 362 /* XXX - pass in hash. */ 363 if (!tls1_transcript_hash_init(s)) 364 goto err; 365 tls1_transcript_free(s); 366 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 367 goto err; 368 context.data = buf; 369 context.len = hash_len; 370 371 /* Early secrets. */ 372 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 373 secrets->zeros.len, &context)) 374 goto err; 375 376 /* Handshake secrets. */ 377 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 378 shared_key_len, &context)) 379 goto err; 380 381 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 382 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 383 384 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 385 &secrets->server_handshake_traffic)) 386 goto err; 387 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 388 &secrets->client_handshake_traffic)) 389 goto err; 390 391 ret = 1; 392 393 err: 394 freezero(shared_key, shared_key_len); 395 396 return ret; 397 } 398 399 int 400 tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) 401 { 402 /* 403 * The state machine has no way of knowing if we're going to receive a 404 * HelloRetryRequest or a ServerHello. As such, we have to handle 405 * this case here and hand off to the appropriate function. 406 */ 407 if (!tls13_server_hello_is_retry(cbs)) { 408 ctx->handshake_stage.hs_type |= WITHOUT_HRR; 409 return tls13_server_hello_recv(ctx, cbs); 410 } 411 412 if (!tls13_server_hello_process(ctx, cbs)) 413 return 0; 414 415 /* 416 * This may have been a TLSv1.2 or earlier ServerHello that just 417 * happened to have matching server random... 418 */ 419 if (ctx->hs->tls13.use_legacy) 420 return tls13_use_legacy_client(ctx); 421 422 if (!ctx->hs->tls13.hrr) 423 return 0; 424 425 if (!tls13_synthetic_handshake_message(ctx)) 426 return 0; 427 if (!tls13_handshake_msg_record(ctx)) 428 return 0; 429 430 ctx->hs->tls13.hrr = 0; 431 432 return 1; 433 } 434 435 int 436 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 437 { 438 /* 439 * Ensure that the server supported group is one that we listed in our 440 * supported groups and is not the same as the key share we previously 441 * offered. 442 */ 443 if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group)) 444 return 0; /* XXX alert */ 445 if (ctx->hs->tls13.server_group == tls13_key_share_group(ctx->hs->tls13.key_share)) 446 return 0; /* XXX alert */ 447 448 /* Switch to new key share. */ 449 tls13_key_share_free(ctx->hs->tls13.key_share); 450 if ((ctx->hs->tls13.key_share = 451 tls13_key_share_new(ctx->hs->tls13.server_group)) == NULL) 452 return 0; 453 if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) 454 return 0; 455 456 if (!tls13_client_hello_build(ctx, cbb)) 457 return 0; 458 459 return 1; 460 } 461 462 int 463 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 464 { 465 SSL *s = ctx->ssl; 466 467 /* 468 * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3 469 * ServerHello. HelloRetryRequests have already been handled. 470 */ 471 if (!tls13_server_hello_process(ctx, cbs)) 472 return 0; 473 474 if (ctx->handshake_stage.hs_type & WITHOUT_HRR) { 475 tls1_transcript_unfreeze(s); 476 if (!tls13_handshake_msg_record(ctx)) 477 return 0; 478 } 479 480 if (ctx->hs->tls13.use_legacy) { 481 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) 482 return 0; 483 return tls13_use_legacy_client(ctx); 484 } 485 486 if (ctx->hs->tls13.hrr) { 487 /* The server has sent two HelloRetryRequests. */ 488 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 489 return 0; 490 } 491 492 if (!tls13_client_engage_record_protection(ctx)) 493 return 0; 494 495 ctx->handshake_stage.hs_type |= NEGOTIATED; 496 497 return 1; 498 } 499 500 int 501 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) 502 { 503 int alert_desc; 504 505 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) { 506 ctx->alert = alert_desc; 507 goto err; 508 } 509 510 return 1; 511 512 err: 513 if (ctx->alert == 0) 514 ctx->alert = TLS13_ALERT_DECODE_ERROR; 515 516 return 0; 517 } 518 519 int 520 tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) 521 { 522 CBS cert_request_context; 523 int alert_desc; 524 525 /* 526 * Thanks to poor state design in the RFC, this function can be called 527 * when we actually have a certificate message instead of a certificate 528 * request... in that case we call the certificate handler after 529 * switching state, to avoid advancing state. 530 */ 531 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { 532 ctx->handshake_stage.hs_type |= WITHOUT_CR; 533 return tls13_server_certificate_recv(ctx, cbs); 534 } 535 536 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 537 goto err; 538 if (CBS_len(&cert_request_context) != 0) 539 goto err; 540 541 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) { 542 ctx->alert = alert_desc; 543 goto err; 544 } 545 546 return 1; 547 548 err: 549 if (ctx->alert == 0) 550 ctx->alert = TLS13_ALERT_DECODE_ERROR; 551 552 return 0; 553 } 554 555 int 556 tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 557 { 558 CBS cert_request_context, cert_list, cert_data; 559 struct stack_st_X509 *certs = NULL; 560 SSL *s = ctx->ssl; 561 X509 *cert = NULL; 562 EVP_PKEY *pkey; 563 const uint8_t *p; 564 int cert_idx, alert_desc; 565 int ret = 0; 566 567 if ((certs = sk_X509_new_null()) == NULL) 568 goto err; 569 570 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 571 goto err; 572 if (CBS_len(&cert_request_context) != 0) 573 goto err; 574 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 575 goto err; 576 577 while (CBS_len(&cert_list) > 0) { 578 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 579 goto err; 580 581 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT, 582 &cert_list, &alert_desc)) { 583 ctx->alert = alert_desc; 584 goto err; 585 } 586 587 p = CBS_data(&cert_data); 588 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 589 goto err; 590 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 591 goto err; 592 593 if (!sk_X509_push(certs, cert)) 594 goto err; 595 596 cert = NULL; 597 } 598 599 /* A server must always provide a non-empty certificate list. */ 600 if (sk_X509_num(certs) < 1) { 601 ctx->alert = TLS13_ALERT_DECODE_ERROR; 602 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 603 "peer failed to provide a certificate", NULL); 604 goto err; 605 } 606 607 /* 608 * At this stage we still have no proof of possession. As such, it would 609 * be preferable to keep the chain and verify once we have successfully 610 * processed the CertificateVerify message. 611 */ 612 if (ssl_verify_cert_chain(s, certs) <= 0 && 613 s->verify_mode != SSL_VERIFY_NONE) { 614 ctx->alert = ssl_verify_alarm_type(s->verify_result); 615 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 616 "failed to verify peer certificate", NULL); 617 goto err; 618 } 619 ERR_clear_error(); 620 621 cert = sk_X509_value(certs, 0); 622 X509_up_ref(cert); 623 624 if ((pkey = X509_get0_pubkey(cert)) == NULL) 625 goto err; 626 if (EVP_PKEY_missing_parameters(pkey)) 627 goto err; 628 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 629 goto err; 630 631 ssl_sess_cert_free(s->session->sess_cert); 632 if ((s->session->sess_cert = ssl_sess_cert_new()) == NULL) 633 goto err; 634 635 s->session->sess_cert->cert_chain = certs; 636 certs = NULL; 637 638 X509_up_ref(cert); 639 s->session->sess_cert->peer_pkeys[cert_idx].x509 = cert; 640 s->session->sess_cert->peer_key = &(s->session->sess_cert->peer_pkeys[cert_idx]); 641 642 X509_free(s->session->peer); 643 644 X509_up_ref(cert); 645 s->session->peer = cert; 646 s->session->verify_result = s->verify_result; 647 648 if (ctx->ocsp_status_recv_cb != NULL && 649 !ctx->ocsp_status_recv_cb(ctx)) 650 goto err; 651 652 ret = 1; 653 654 err: 655 sk_X509_pop_free(certs, X509_free); 656 X509_free(cert); 657 658 return ret; 659 } 660 661 int 662 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 663 { 664 const struct ssl_sigalg *sigalg; 665 uint16_t signature_scheme; 666 uint8_t *sig_content = NULL; 667 size_t sig_content_len; 668 EVP_MD_CTX *mdctx = NULL; 669 EVP_PKEY_CTX *pctx; 670 EVP_PKEY *pkey; 671 X509 *cert; 672 CBS signature; 673 CBB cbb; 674 int ret = 0; 675 676 memset(&cbb, 0, sizeof(cbb)); 677 678 if (!CBS_get_u16(cbs, &signature_scheme)) 679 goto err; 680 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 681 goto err; 682 683 if (!CBB_init(&cbb, 0)) 684 goto err; 685 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 686 sizeof(tls13_cert_verify_pad))) 687 goto err; 688 if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, 689 strlen(tls13_cert_server_verify_context))) 690 goto err; 691 if (!CBB_add_u8(&cbb, 0)) 692 goto err; 693 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 694 ctx->hs->tls13.transcript_hash_len)) 695 goto err; 696 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 697 goto err; 698 699 if ((cert = ctx->ssl->session->peer) == NULL) 700 goto err; 701 if ((pkey = X509_get0_pubkey(cert)) == NULL) 702 goto err; 703 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, 704 signature_scheme)) == NULL) 705 goto err; 706 ctx->hs->peer_sigalg = sigalg; 707 708 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 709 goto err; 710 711 if ((mdctx = EVP_MD_CTX_new()) == NULL) 712 goto err; 713 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 714 goto err; 715 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 716 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 717 goto err; 718 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 719 goto err; 720 } 721 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 722 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 723 goto err; 724 } 725 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 726 CBS_len(&signature)) <= 0) { 727 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 728 goto err; 729 } 730 731 ret = 1; 732 733 err: 734 if (!ret && ctx->alert == 0) 735 ctx->alert = TLS13_ALERT_DECODE_ERROR; 736 CBB_cleanup(&cbb); 737 EVP_MD_CTX_free(mdctx); 738 free(sig_content); 739 740 return ret; 741 } 742 743 int 744 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 745 { 746 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 747 struct tls13_secret context = { .data = "", .len = 0 }; 748 struct tls13_secret finished_key; 749 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 750 size_t transcript_hash_len; 751 uint8_t *verify_data = NULL; 752 size_t verify_data_len; 753 uint8_t key[EVP_MAX_MD_SIZE]; 754 HMAC_CTX *hmac_ctx = NULL; 755 unsigned int hlen; 756 int ret = 0; 757 758 /* 759 * Verify server finished. 760 */ 761 finished_key.data = key; 762 finished_key.len = EVP_MD_size(ctx->hash); 763 764 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 765 &secrets->server_handshake_traffic, "finished", 766 &context)) 767 goto err; 768 769 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 770 goto err; 771 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 772 ctx->hash, NULL)) 773 goto err; 774 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 775 ctx->hs->tls13.transcript_hash_len)) 776 goto err; 777 verify_data_len = HMAC_size(hmac_ctx); 778 if ((verify_data = calloc(1, verify_data_len)) == NULL) 779 goto err; 780 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 781 goto err; 782 if (hlen != verify_data_len) 783 goto err; 784 785 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 786 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 787 goto err; 788 } 789 790 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 791 sizeof(ctx->hs->peer_finished), 792 &ctx->hs->peer_finished_len)) 793 goto err; 794 795 if (!CBS_skip(cbs, verify_data_len)) 796 goto err; 797 798 /* 799 * Derive application traffic keys. 800 */ 801 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 802 sizeof(transcript_hash), &transcript_hash_len)) 803 goto err; 804 805 context.data = transcript_hash; 806 context.len = transcript_hash_len; 807 808 if (!tls13_derive_application_secrets(secrets, &context)) 809 goto err; 810 811 /* 812 * Any records following the server finished message must be encrypted 813 * using the server application traffic keys. 814 */ 815 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 816 &secrets->server_application_traffic)) 817 goto err; 818 819 tls13_record_layer_allow_ccs(ctx->rl, 0); 820 821 ret = 1; 822 823 err: 824 HMAC_CTX_free(hmac_ctx); 825 free(verify_data); 826 827 return ret; 828 } 829 830 static int 831 tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, 832 int *ok, const struct ssl_sigalg **out_sigalg) 833 { 834 const struct ssl_sigalg *sigalg; 835 SSL *s = ctx->ssl; 836 837 *ok = 0; 838 *out_sigalg = NULL; 839 840 if (cpk->x509 == NULL || cpk->privatekey == NULL) 841 goto done; 842 843 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 844 goto done; 845 846 *ok = 1; 847 *out_sigalg = sigalg; 848 849 done: 850 return 1; 851 } 852 853 static int 854 tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, 855 const struct ssl_sigalg **out_sigalg) 856 { 857 SSL *s = ctx->ssl; 858 const struct ssl_sigalg *sigalg; 859 CERT_PKEY *cpk; 860 int cert_ok; 861 862 *out_cpk = NULL; 863 *out_sigalg = NULL; 864 865 /* 866 * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences 867 * with the certificate_authorities (4.2.4) and oid_filters (4.2.5) 868 * extensions. We should honor the former and must apply the latter. 869 */ 870 871 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 872 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 873 return 0; 874 if (cert_ok) 875 goto done; 876 877 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 878 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 879 return 0; 880 if (cert_ok) 881 goto done; 882 883 cpk = NULL; 884 sigalg = NULL; 885 886 done: 887 *out_cpk = cpk; 888 *out_sigalg = sigalg; 889 890 return 1; 891 } 892 893 int 894 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 895 { 896 SSL *s = ctx->ssl; 897 CBB cert_request_context, cert_list; 898 const struct ssl_sigalg *sigalg; 899 STACK_OF(X509) *chain; 900 CERT_PKEY *cpk; 901 X509 *cert; 902 int i, ret = 0; 903 904 if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) 905 goto err; 906 907 ctx->hs->tls13.cpk = cpk; 908 ctx->hs->our_sigalg = sigalg; 909 910 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 911 goto err; 912 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 913 goto err; 914 915 /* No certificate selected. */ 916 if (cpk == NULL) 917 goto done; 918 919 if ((chain = cpk->chain) == NULL) 920 chain = s->ctx->extra_certs; 921 922 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build)) 923 goto err; 924 925 for (i = 0; i < sk_X509_num(chain); i++) { 926 cert = sk_X509_value(chain, i); 927 if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build)) 928 goto err; 929 } 930 931 ctx->handshake_stage.hs_type |= WITH_CCV; 932 done: 933 if (!CBB_flush(cbb)) 934 goto err; 935 936 ret = 1; 937 938 err: 939 return ret; 940 } 941 942 int 943 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 944 { 945 const struct ssl_sigalg *sigalg; 946 uint8_t *sig = NULL, *sig_content = NULL; 947 size_t sig_len, sig_content_len; 948 EVP_MD_CTX *mdctx = NULL; 949 EVP_PKEY_CTX *pctx; 950 EVP_PKEY *pkey; 951 const CERT_PKEY *cpk; 952 CBB sig_cbb; 953 int ret = 0; 954 955 memset(&sig_cbb, 0, sizeof(sig_cbb)); 956 957 if ((cpk = ctx->hs->tls13.cpk) == NULL) 958 goto err; 959 if ((sigalg = ctx->hs->our_sigalg) == NULL) 960 goto err; 961 pkey = cpk->privatekey; 962 963 if (!CBB_init(&sig_cbb, 0)) 964 goto err; 965 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 966 sizeof(tls13_cert_verify_pad))) 967 goto err; 968 if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, 969 strlen(tls13_cert_client_verify_context))) 970 goto err; 971 if (!CBB_add_u8(&sig_cbb, 0)) 972 goto err; 973 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 974 ctx->hs->tls13.transcript_hash_len)) 975 goto err; 976 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 977 goto err; 978 979 if ((mdctx = EVP_MD_CTX_new()) == NULL) 980 goto err; 981 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 982 goto err; 983 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 984 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 985 goto err; 986 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 987 goto err; 988 } 989 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 990 goto err; 991 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 992 goto err; 993 if ((sig = calloc(1, sig_len)) == NULL) 994 goto err; 995 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 996 goto err; 997 998 if (!CBB_add_u16(cbb, sigalg->value)) 999 goto err; 1000 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 1001 goto err; 1002 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 1003 goto err; 1004 1005 if (!CBB_flush(cbb)) 1006 goto err; 1007 1008 ret = 1; 1009 1010 err: 1011 if (!ret && ctx->alert == 0) 1012 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 1013 1014 CBB_cleanup(&sig_cbb); 1015 EVP_MD_CTX_free(mdctx); 1016 free(sig_content); 1017 free(sig); 1018 1019 return ret; 1020 } 1021 1022 int 1023 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) 1024 { 1025 return 0; 1026 } 1027 1028 int 1029 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) 1030 { 1031 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1032 struct tls13_secret context = { .data = "", .len = 0 }; 1033 struct tls13_secret finished_key = { .data = NULL, .len = 0 }; 1034 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 1035 size_t transcript_hash_len; 1036 uint8_t *verify_data; 1037 size_t verify_data_len; 1038 unsigned int hlen; 1039 HMAC_CTX *hmac_ctx = NULL; 1040 CBS cbs; 1041 int ret = 0; 1042 1043 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 1044 goto err; 1045 1046 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1047 &secrets->client_handshake_traffic, "finished", 1048 &context)) 1049 goto err; 1050 1051 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 1052 sizeof(transcript_hash), &transcript_hash_len)) 1053 goto err; 1054 1055 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1056 goto err; 1057 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1058 ctx->hash, NULL)) 1059 goto err; 1060 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 1061 goto err; 1062 1063 verify_data_len = HMAC_size(hmac_ctx); 1064 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 1065 goto err; 1066 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1067 goto err; 1068 if (hlen != verify_data_len) 1069 goto err; 1070 1071 CBS_init(&cbs, verify_data, verify_data_len); 1072 if (!CBS_write_bytes(&cbs, ctx->hs->finished, 1073 sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 1074 goto err; 1075 1076 ret = 1; 1077 1078 err: 1079 tls13_secret_cleanup(&finished_key); 1080 HMAC_CTX_free(hmac_ctx); 1081 1082 return ret; 1083 } 1084 1085 int 1086 tls13_client_finished_sent(struct tls13_ctx *ctx) 1087 { 1088 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1089 1090 /* 1091 * Any records following the client finished message must be encrypted 1092 * using the client application traffic keys. 1093 */ 1094 return tls13_record_layer_set_write_traffic_key(ctx->rl, 1095 &secrets->client_application_traffic); 1096 } 1097