1*f4fe6251Sjsing /* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */ 220290792Sjsing /* 320290792Sjsing * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 420290792Sjsing * 520290792Sjsing * Permission to use, copy, modify, and distribute this software for any 620290792Sjsing * purpose with or without fee is hereby granted, provided that the above 720290792Sjsing * copyright notice and this permission notice appear in all copies. 820290792Sjsing * 920290792Sjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 1020290792Sjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 1120290792Sjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 1220290792Sjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 1320290792Sjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 1420290792Sjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 1520290792Sjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 1620290792Sjsing */ 1720290792Sjsing 1820290792Sjsing #include <openssl/ssl3.h> 1920290792Sjsing 2020290792Sjsing #include "bytestring.h" 21c9675a23Stb #include "ssl_local.h" 22eb42ff5bSjsing #include "ssl_sigalgs.h" 2320290792Sjsing #include "ssl_tlsext.h" 249b64ae44Sjsing #include "tls13_handshake.h" 2520290792Sjsing #include "tls13_internal.h" 2620290792Sjsing 278a834dadSjsing int 28313fa7fbSjsing tls13_client_init(struct tls13_ctx *ctx) 2920290792Sjsing { 30492b2019Sjsing const uint16_t *groups; 31492b2019Sjsing size_t groups_len; 32313fa7fbSjsing SSL *s = ctx->ssl; 33313fa7fbSjsing 34d4edc922Sjsing if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 35d4edc922Sjsing &ctx->hs->our_max_tls_version)) { 3620290792Sjsing SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 3720290792Sjsing return 0; 3820290792Sjsing } 3901f29c58Sjsing s->version = ctx->hs->our_max_tls_version; 4020290792Sjsing 4129323c26Sjsing tls13_record_layer_set_retry_after_phh(ctx->rl, 426f7f653bSjsing (s->mode & SSL_MODE_AUTO_RETRY) != 0); 4329323c26Sjsing 4420290792Sjsing if (!ssl_get_new_session(s, 0)) /* XXX */ 4520290792Sjsing return 0; 4620290792Sjsing 4720290792Sjsing if (!tls1_transcript_init(s)) 4820290792Sjsing return 0; 4920290792Sjsing 50492b2019Sjsing /* Generate a key share using our preferred group. */ 51492b2019Sjsing tls1_get_group_list(s, 0, &groups, &groups_len); 52492b2019Sjsing if (groups_len < 1) 53492b2019Sjsing return 0; 54b8e3503dSjsing if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL) 554673309bSjsing return 0; 56b8e3503dSjsing if (!tls_key_share_generate(ctx->hs->key_share)) 574673309bSjsing return 0; 584673309bSjsing 5920290792Sjsing arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 6020290792Sjsing 6115eef814Sjsing /* 6215eef814Sjsing * The legacy session identifier should either be set to an 6315eef814Sjsing * unpredictable 32-byte value or zero length... a non-zero length 6415eef814Sjsing * legacy session identifier triggers compatibility mode (see RFC 8446 6515eef814Sjsing * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. 6615eef814Sjsing */ 67c5e6469dSjsing if (ctx->middlebox_compat && 68d4edc922Sjsing ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { 69d4edc922Sjsing arc4random_buf(ctx->hs->tls13.legacy_session_id, 70d4edc922Sjsing sizeof(ctx->hs->tls13.legacy_session_id)); 71d4edc922Sjsing ctx->hs->tls13.legacy_session_id_len = 72d4edc922Sjsing sizeof(ctx->hs->tls13.legacy_session_id); 7315eef814Sjsing } 7415eef814Sjsing 7520290792Sjsing return 1; 7620290792Sjsing } 7720290792Sjsing 788a834dadSjsing int 798a834dadSjsing tls13_client_connect(struct tls13_ctx *ctx) 80d0445389Sjsing { 81d0445389Sjsing if (ctx->mode != TLS13_HS_CLIENT) 82d0445389Sjsing return TLS13_IO_FAILURE; 83d0445389Sjsing 84d0445389Sjsing return tls13_handshake_perform(ctx); 85d0445389Sjsing } 86d0445389Sjsing 8720290792Sjsing static int 880b837ea7Sjsing tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) 8920290792Sjsing { 9020290792Sjsing CBB cipher_suites, compression_methods, session_id; 910b837ea7Sjsing uint16_t client_version; 920b837ea7Sjsing SSL *s = ctx->ssl; 9320290792Sjsing 940b837ea7Sjsing /* Legacy client version is capped at TLS 1.2. */ 9501f29c58Sjsing if (!ssl_max_legacy_version(s, &client_version)) 9601f29c58Sjsing goto err; 970b837ea7Sjsing 980b837ea7Sjsing if (!CBB_add_u16(cbb, client_version)) 9920290792Sjsing goto err; 10020290792Sjsing if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) 10120290792Sjsing goto err; 10220290792Sjsing 10320290792Sjsing if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 10420290792Sjsing goto err; 105d4edc922Sjsing if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 106d4edc922Sjsing ctx->hs->tls13.legacy_session_id_len)) 10720290792Sjsing goto err; 10820290792Sjsing 10920290792Sjsing if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) 11020290792Sjsing goto err; 11120290792Sjsing if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { 11220290792Sjsing SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); 11320290792Sjsing goto err; 11420290792Sjsing } 11520290792Sjsing 11620290792Sjsing if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) 11720290792Sjsing goto err; 11820290792Sjsing if (!CBB_add_u8(&compression_methods, 0)) 11920290792Sjsing goto err; 12020290792Sjsing 1219b8a142fStb if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb)) 12220290792Sjsing goto err; 12320290792Sjsing 12420290792Sjsing if (!CBB_flush(cbb)) 12520290792Sjsing goto err; 12620290792Sjsing 12720290792Sjsing return 1; 12820290792Sjsing 12920290792Sjsing err: 13020290792Sjsing return 0; 13120290792Sjsing } 13220290792Sjsing 13320290792Sjsing int 134dc02d6edSjsing tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) 13520290792Sjsing { 136d4edc922Sjsing if (ctx->hs->our_min_tls_version < TLS1_2_VERSION) 13794ab85a5Stb tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 13894ab85a5Stb 139781d0746Sjsing /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ 140781d0746Sjsing tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); 141781d0746Sjsing 142dc02d6edSjsing if (!tls13_client_hello_build(ctx, cbb)) 14320290792Sjsing return 0; 14420290792Sjsing 14520290792Sjsing return 1; 14620290792Sjsing } 1479b64ae44Sjsing 14894ab85a5Stb int 14994ab85a5Stb tls13_client_hello_sent(struct tls13_ctx *ctx) 15094ab85a5Stb { 1519b437883Sjsing tls1_transcript_freeze(ctx->ssl); 1529b437883Sjsing 15352999e1fSjsing if (ctx->middlebox_compat) { 15452999e1fSjsing tls13_record_layer_allow_ccs(ctx->rl, 1); 155ef59065fSjsing ctx->send_dummy_ccs = 1; 15652999e1fSjsing } 157ef59065fSjsing 15894ab85a5Stb return 1; 15994ab85a5Stb } 16094ab85a5Stb 1619b64ae44Sjsing static int 1621fdae6bfSjsing tls13_server_hello_is_legacy(CBS *cbs) 1631fdae6bfSjsing { 1641fdae6bfSjsing CBS extensions_block, extensions, extension_data; 1651fdae6bfSjsing uint16_t selected_version = 0; 1661fdae6bfSjsing uint16_t type; 1671fdae6bfSjsing 1681fdae6bfSjsing CBS_dup(cbs, &extensions_block); 1691fdae6bfSjsing 1701fdae6bfSjsing if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 1711fdae6bfSjsing return 1; 1721fdae6bfSjsing 1731fdae6bfSjsing while (CBS_len(&extensions) > 0) { 1741fdae6bfSjsing if (!CBS_get_u16(&extensions, &type)) 1751fdae6bfSjsing return 1; 1761fdae6bfSjsing if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 1771fdae6bfSjsing return 1; 1781fdae6bfSjsing 1791fdae6bfSjsing if (type != TLSEXT_TYPE_supported_versions) 1801fdae6bfSjsing continue; 1811fdae6bfSjsing if (!CBS_get_u16(&extension_data, &selected_version)) 1821fdae6bfSjsing return 1; 1831fdae6bfSjsing if (CBS_len(&extension_data) != 0) 1841fdae6bfSjsing return 1; 1851fdae6bfSjsing } 1861fdae6bfSjsing 1871fdae6bfSjsing return (selected_version < TLS1_3_VERSION); 1881fdae6bfSjsing } 1891fdae6bfSjsing 1901fdae6bfSjsing static int 191bb4189d7Sjsing tls13_server_hello_is_retry(CBS *cbs) 192bb4189d7Sjsing { 193bb4189d7Sjsing CBS server_hello, server_random; 194bb4189d7Sjsing uint16_t legacy_version; 195bb4189d7Sjsing 196bb4189d7Sjsing CBS_dup(cbs, &server_hello); 197bb4189d7Sjsing 198bb4189d7Sjsing if (!CBS_get_u16(&server_hello, &legacy_version)) 199bb4189d7Sjsing return 0; 200bb4189d7Sjsing if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE)) 201bb4189d7Sjsing return 0; 202bb4189d7Sjsing 203bb4189d7Sjsing /* See if this is a HelloRetryRequest. */ 204bb4189d7Sjsing return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 205bb4189d7Sjsing sizeof(tls13_hello_retry_request_hash)); 206bb4189d7Sjsing } 207bb4189d7Sjsing 208bb4189d7Sjsing static int 2099b64ae44Sjsing tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) 2109b64ae44Sjsing { 2119b64ae44Sjsing CBS server_random, session_id; 2122d2ee2e9Sjsing uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 2139b64ae44Sjsing uint16_t cipher_suite, legacy_version; 2149b64ae44Sjsing uint8_t compression_method; 2159b64ae44Sjsing const SSL_CIPHER *cipher; 2162bd6a703Sbeck int alert_desc; 2179b64ae44Sjsing SSL *s = ctx->ssl; 2189b64ae44Sjsing 2199b64ae44Sjsing if (!CBS_get_u16(cbs, &legacy_version)) 2209b64ae44Sjsing goto err; 2219b64ae44Sjsing if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) 2229b64ae44Sjsing goto err; 2239b64ae44Sjsing if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 2249b64ae44Sjsing goto err; 2259b64ae44Sjsing if (!CBS_get_u16(cbs, &cipher_suite)) 2269b64ae44Sjsing goto err; 2279b64ae44Sjsing if (!CBS_get_u8(cbs, &compression_method)) 2289b64ae44Sjsing goto err; 2299b64ae44Sjsing 2300571c2d6Sjsing if (tls13_server_hello_is_legacy(cbs)) { 231d4edc922Sjsing if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { 232709e85ffSbeck /* 23366da90e6Stb * RFC 8446 section 4.1.3: we must not downgrade if 234709e85ffSbeck * the server random value contains the TLS 1.2 or 1.1 235709e85ffSbeck * magical value. 236709e85ffSbeck */ 237709e85ffSbeck if (!CBS_skip(&server_random, CBS_len(&server_random) - 238709e85ffSbeck sizeof(tls13_downgrade_12))) 239709e85ffSbeck goto err; 240709e85ffSbeck if (CBS_mem_equal(&server_random, tls13_downgrade_12, 241709e85ffSbeck sizeof(tls13_downgrade_12)) || 242709e85ffSbeck CBS_mem_equal(&server_random, tls13_downgrade_11, 243709e85ffSbeck sizeof(tls13_downgrade_11))) { 244c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 245709e85ffSbeck goto err; 246709e85ffSbeck } 2472a8e2a39Sjsing } 248709e85ffSbeck 2490571c2d6Sjsing if (!CBS_skip(cbs, CBS_len(cbs))) 2500571c2d6Sjsing goto err; 2512d2ee2e9Sjsing 252d4edc922Sjsing ctx->hs->tls13.use_legacy = 1; 2532d2ee2e9Sjsing return 1; 2540571c2d6Sjsing } 2551fdae6bfSjsing 256781d0746Sjsing /* From here on in we know we are doing TLSv1.3. */ 257853fbeebSjsing tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 258781d0746Sjsing tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); 259781d0746Sjsing 2602d2ee2e9Sjsing /* See if this is a HelloRetryRequest. */ 261bb4189d7Sjsing /* XXX - see if we can avoid doing this twice. */ 2622d2ee2e9Sjsing if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 2632d2ee2e9Sjsing sizeof(tls13_hello_retry_request_hash))) { 2642d2ee2e9Sjsing tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 265d4edc922Sjsing ctx->hs->tls13.hrr = 1; 2662d2ee2e9Sjsing } 2672d2ee2e9Sjsing 2689b8a142fStb if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { 2692bd6a703Sbeck ctx->alert = alert_desc; 2709b64ae44Sjsing goto err; 2712bd6a703Sbeck } 2729b64ae44Sjsing 2739b64ae44Sjsing /* 2742d0eb2a9Stb * The supported versions extension indicated 0x0304 or greater. 2752d0eb2a9Stb * Ensure that it was 0x0304 and that legacy version is set to 0x0303 2762d0eb2a9Stb * (RFC 8446 section 4.2.1). 2779b64ae44Sjsing */ 278d4edc922Sjsing if (ctx->hs->tls13.server_version != TLS1_3_VERSION || 2792d0eb2a9Stb legacy_version != TLS1_2_VERSION) { 280c957d00cSjsing ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 2819b64ae44Sjsing goto err; 2829b64ae44Sjsing } 283d4edc922Sjsing ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version; 28401f29c58Sjsing ctx->hs->peer_legacy_version = legacy_version; 2859b64ae44Sjsing 28687b47fe3Sbeck /* The session_id must match. */ 287d4edc922Sjsing if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id, 288d4edc922Sjsing ctx->hs->tls13.legacy_session_id_len)) { 289c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 29087b47fe3Sbeck goto err; 29187b47fe3Sbeck } 2929b64ae44Sjsing 2939b64ae44Sjsing /* 2949b64ae44Sjsing * Ensure that the cipher suite is one that we offered in the client 2952d0eb2a9Stb * hello and that it is a TLSv1.3 cipher suite. 2969b64ae44Sjsing */ 2979b64ae44Sjsing cipher = ssl3_get_cipher_by_value(cipher_suite); 2988b316ce8Sjsing if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { 299c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 3009b64ae44Sjsing goto err; 3019b64ae44Sjsing } 3022d0eb2a9Stb if (cipher->algorithm_ssl != SSL_TLSV1_3) { 303c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 3049b64ae44Sjsing goto err; 3059b64ae44Sjsing } 306ded62235Sjsing if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) { 307ded62235Sjsing /* 308ded62235Sjsing * A ServerHello following a HelloRetryRequest MUST use the same 309ded62235Sjsing * cipher suite (RFC 8446 section 4.1.4). 310ded62235Sjsing */ 311ded62235Sjsing if (ctx->hs->cipher != cipher) { 312ded62235Sjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 313ded62235Sjsing goto err; 314ded62235Sjsing } 315ded62235Sjsing } 316661440b7Sjsing ctx->hs->cipher = cipher; 3179b64ae44Sjsing 3189b64ae44Sjsing if (compression_method != 0) { 319c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 3209b64ae44Sjsing goto err; 3219b64ae44Sjsing } 3229b64ae44Sjsing 3239b64ae44Sjsing return 1; 3249b64ae44Sjsing 3259b64ae44Sjsing err: 3262bd6a703Sbeck if (ctx->alert == 0) 327c957d00cSjsing ctx->alert = TLS13_ALERT_DECODE_ERROR; 3282d2ee2e9Sjsing 3299b64ae44Sjsing return 0; 3309b64ae44Sjsing } 3319b64ae44Sjsing 3322d2ee2e9Sjsing static int 3332d2ee2e9Sjsing tls13_client_engage_record_protection(struct tls13_ctx *ctx) 3349b64ae44Sjsing { 3359b64ae44Sjsing struct tls13_secrets *secrets; 3369b64ae44Sjsing struct tls13_secret context; 3379b64ae44Sjsing unsigned char buf[EVP_MAX_MD_SIZE]; 3389b64ae44Sjsing uint8_t *shared_key = NULL; 3394673309bSjsing size_t shared_key_len = 0; 3409b64ae44Sjsing size_t hash_len; 3419b64ae44Sjsing SSL *s = ctx->ssl; 3429b64ae44Sjsing int ret = 0; 3439b64ae44Sjsing 3442d2ee2e9Sjsing /* Derive the shared key and engage record protection. */ 3459b64ae44Sjsing 346b8e3503dSjsing if (!tls_key_share_derive(ctx->hs->key_share, &shared_key, 3474673309bSjsing &shared_key_len)) 3489b64ae44Sjsing goto err; 3499b64ae44Sjsing 350*f4fe6251Sjsing s->session->cipher_value = ctx->hs->cipher->value; 351d4edc922Sjsing s->session->ssl_version = ctx->hs->tls13.server_version; 3529b64ae44Sjsing 353661440b7Sjsing if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 3549b64ae44Sjsing goto err; 355661440b7Sjsing if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 3569b64ae44Sjsing goto err; 3579b64ae44Sjsing 3589b64ae44Sjsing if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 3599b64ae44Sjsing goto err; 360d4edc922Sjsing ctx->hs->tls13.secrets = secrets; 3619b64ae44Sjsing 3629b64ae44Sjsing /* XXX - pass in hash. */ 363df40b63bSjsing if (!tls1_transcript_hash_init(s)) 3649b64ae44Sjsing goto err; 365daaa2dc5Sjsing tls1_transcript_free(s); 366df40b63bSjsing if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 3679b64ae44Sjsing goto err; 3689b64ae44Sjsing context.data = buf; 3699b64ae44Sjsing context.len = hash_len; 3709b64ae44Sjsing 3719b64ae44Sjsing /* Early secrets. */ 3729b64ae44Sjsing if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 3739b64ae44Sjsing secrets->zeros.len, &context)) 3749b64ae44Sjsing goto err; 3759b64ae44Sjsing 3769b64ae44Sjsing /* Handshake secrets. */ 377d4edc922Sjsing if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 3784673309bSjsing shared_key_len, &context)) 3799b64ae44Sjsing goto err; 3809b64ae44Sjsing 3819b64ae44Sjsing tls13_record_layer_set_aead(ctx->rl, ctx->aead); 3829b64ae44Sjsing tls13_record_layer_set_hash(ctx->rl, ctx->hash); 3839b64ae44Sjsing 38446f83330Sjsing if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 3856ea83a9dSjsing &secrets->server_handshake_traffic, ssl_encryption_handshake)) 38646f83330Sjsing goto err; 38746f83330Sjsing if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 3886ea83a9dSjsing &secrets->client_handshake_traffic, ssl_encryption_handshake)) 3899b64ae44Sjsing goto err; 3909b64ae44Sjsing 3919b64ae44Sjsing ret = 1; 3929b64ae44Sjsing 3939b64ae44Sjsing err: 3944673309bSjsing freezero(shared_key, shared_key_len); 3954673309bSjsing 3969b64ae44Sjsing return ret; 3979b64ae44Sjsing } 3983fd04f17Sjsing 3993fd04f17Sjsing int 400bb4189d7Sjsing tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) 401bb4189d7Sjsing { 402bb4189d7Sjsing /* 403bb4189d7Sjsing * The state machine has no way of knowing if we're going to receive a 404bb4189d7Sjsing * HelloRetryRequest or a ServerHello. As such, we have to handle 405bb4189d7Sjsing * this case here and hand off to the appropriate function. 406bb4189d7Sjsing */ 407bb4189d7Sjsing if (!tls13_server_hello_is_retry(cbs)) { 408bb4189d7Sjsing ctx->handshake_stage.hs_type |= WITHOUT_HRR; 409bb4189d7Sjsing return tls13_server_hello_recv(ctx, cbs); 410bb4189d7Sjsing } 411bb4189d7Sjsing 412bb4189d7Sjsing if (!tls13_server_hello_process(ctx, cbs)) 413bb4189d7Sjsing return 0; 414bb4189d7Sjsing 415bb4189d7Sjsing /* 416b6141e29Stb * This may have been a TLSv1.2 or earlier ServerHello that just 417b6141e29Stb * happened to have matching server random... 418bb4189d7Sjsing */ 419d4edc922Sjsing if (ctx->hs->tls13.use_legacy) 420bb4189d7Sjsing return tls13_use_legacy_client(ctx); 421bb4189d7Sjsing 422d4edc922Sjsing if (!ctx->hs->tls13.hrr) 423bb4189d7Sjsing return 0; 424bb4189d7Sjsing 42570bdc49bSjsing if (!tls13_synthetic_handshake_message(ctx)) 426bb4189d7Sjsing return 0; 427bb4189d7Sjsing if (!tls13_handshake_msg_record(ctx)) 428bb4189d7Sjsing return 0; 429bb4189d7Sjsing 430d4edc922Sjsing ctx->hs->tls13.hrr = 0; 431bb4189d7Sjsing 432bb4189d7Sjsing return 1; 433bb4189d7Sjsing } 434bb4189d7Sjsing 435bb4189d7Sjsing int 436d0445389Sjsing tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 437d0445389Sjsing { 438d0445389Sjsing /* 439d0445389Sjsing * Ensure that the server supported group is one that we listed in our 440d0445389Sjsing * supported groups and is not the same as the key share we previously 441d0445389Sjsing * offered. 442d0445389Sjsing */ 443c5270c5dStb if (!tls1_check_group(ctx->ssl, ctx->hs->tls13.server_group)) 444d0445389Sjsing return 0; /* XXX alert */ 445b8e3503dSjsing if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share)) 446d0445389Sjsing return 0; /* XXX alert */ 447d0445389Sjsing 448d0445389Sjsing /* Switch to new key share. */ 449b8e3503dSjsing tls_key_share_free(ctx->hs->key_share); 450b8e3503dSjsing if ((ctx->hs->key_share = 451b8e3503dSjsing tls_key_share_new(ctx->hs->tls13.server_group)) == NULL) 452d0445389Sjsing return 0; 453b8e3503dSjsing if (!tls_key_share_generate(ctx->hs->key_share)) 454d0445389Sjsing return 0; 455d0445389Sjsing 456d0445389Sjsing if (!tls13_client_hello_build(ctx, cbb)) 457d0445389Sjsing return 0; 458d0445389Sjsing 459d0445389Sjsing return 1; 460d0445389Sjsing } 461d0445389Sjsing 462d0445389Sjsing int 4632d2ee2e9Sjsing tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 4642d2ee2e9Sjsing { 4659b437883Sjsing SSL *s = ctx->ssl; 4669b437883Sjsing 4672d2ee2e9Sjsing /* 468bb4189d7Sjsing * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3 469bb4189d7Sjsing * ServerHello. HelloRetryRequests have already been handled. 4702d2ee2e9Sjsing */ 4712d2ee2e9Sjsing if (!tls13_server_hello_process(ctx, cbs)) 4722d2ee2e9Sjsing return 0; 4732d2ee2e9Sjsing 474bb4189d7Sjsing if (ctx->handshake_stage.hs_type & WITHOUT_HRR) { 4759b437883Sjsing tls1_transcript_unfreeze(s); 4769b437883Sjsing if (!tls13_handshake_msg_record(ctx)) 4779b437883Sjsing return 0; 478bb4189d7Sjsing } 4799b437883Sjsing 480d4edc922Sjsing if (ctx->hs->tls13.use_legacy) { 481bb4189d7Sjsing if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) 482bb4189d7Sjsing return 0; 4832d2ee2e9Sjsing return tls13_use_legacy_client(ctx); 484bb4189d7Sjsing } 4852d2ee2e9Sjsing 486d4edc922Sjsing if (ctx->hs->tls13.hrr) { 487bb4189d7Sjsing /* The server has sent two HelloRetryRequests. */ 488c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 4892d2ee2e9Sjsing return 0; 4909b437883Sjsing } 4912d2ee2e9Sjsing 492bb4189d7Sjsing if (!tls13_client_engage_record_protection(ctx)) 493bb4189d7Sjsing return 0; 4942d2ee2e9Sjsing 495bb4189d7Sjsing ctx->handshake_stage.hs_type |= NEGOTIATED; 4962d2ee2e9Sjsing 4972d2ee2e9Sjsing return 1; 4982d2ee2e9Sjsing } 4992d2ee2e9Sjsing 5002d2ee2e9Sjsing int 5010571c2d6Sjsing tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) 5023fd04f17Sjsing { 5032bd6a703Sbeck int alert_desc; 5043fd04f17Sjsing 5059b8a142fStb if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) { 5062bd6a703Sbeck ctx->alert = alert_desc; 5074d7879d4Stb return 0; 5082bd6a703Sbeck } 5093fd04f17Sjsing 5103fd04f17Sjsing return 1; 5113fd04f17Sjsing } 5121d05a235Sjsing 5131d05a235Sjsing int 5140571c2d6Sjsing tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) 5151d05a235Sjsing { 51640ef3650Sbeck CBS cert_request_context; 51740ef3650Sbeck int alert_desc; 51840ef3650Sbeck 5191d05a235Sjsing /* 5201d05a235Sjsing * Thanks to poor state design in the RFC, this function can be called 5211d05a235Sjsing * when we actually have a certificate message instead of a certificate 5221d05a235Sjsing * request... in that case we call the certificate handler after 5231d05a235Sjsing * switching state, to avoid advancing state. 5241d05a235Sjsing */ 5251d05a235Sjsing if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { 5261d05a235Sjsing ctx->handshake_stage.hs_type |= WITHOUT_CR; 5270571c2d6Sjsing return tls13_server_certificate_recv(ctx, cbs); 5281d05a235Sjsing } 5291d05a235Sjsing 53040ef3650Sbeck if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 53140ef3650Sbeck goto err; 53240ef3650Sbeck if (CBS_len(&cert_request_context) != 0) 53340ef3650Sbeck goto err; 5341d05a235Sjsing 5359b8a142fStb if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) { 53640ef3650Sbeck ctx->alert = alert_desc; 53740ef3650Sbeck goto err; 53840ef3650Sbeck } 53940ef3650Sbeck 54040ef3650Sbeck return 1; 54140ef3650Sbeck 54240ef3650Sbeck err: 54340ef3650Sbeck if (ctx->alert == 0) 544c957d00cSjsing ctx->alert = TLS13_ALERT_DECODE_ERROR; 545ef59065fSjsing 5461d05a235Sjsing return 0; 5471d05a235Sjsing } 5481d05a235Sjsing 5491d05a235Sjsing int 5500571c2d6Sjsing tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 5511d05a235Sjsing { 5524770065fSbeck CBS cert_request_context, cert_list, cert_data; 5531d05a235Sjsing struct stack_st_X509 *certs = NULL; 5541d05a235Sjsing SSL *s = ctx->ssl; 5551d05a235Sjsing X509 *cert = NULL; 5561d05a235Sjsing const uint8_t *p; 557ad618767Sjsing int alert_desc; 5581d05a235Sjsing int ret = 0; 5591d05a235Sjsing 5601d05a235Sjsing if ((certs = sk_X509_new_null()) == NULL) 5611d05a235Sjsing goto err; 5621d05a235Sjsing 5630571c2d6Sjsing if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 5641d05a235Sjsing goto err; 5651d05a235Sjsing if (CBS_len(&cert_request_context) != 0) 5661d05a235Sjsing goto err; 5670571c2d6Sjsing if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 5681d05a235Sjsing goto err; 5691d05a235Sjsing 5701d05a235Sjsing while (CBS_len(&cert_list) > 0) { 5711d05a235Sjsing if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 5721d05a235Sjsing goto err; 5734770065fSbeck 5749b8a142fStb if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT, 5759b8a142fStb &cert_list, &alert_desc)) { 5764770065fSbeck ctx->alert = alert_desc; 5771d05a235Sjsing goto err; 5784770065fSbeck } 5791d05a235Sjsing 5801d05a235Sjsing p = CBS_data(&cert_data); 5811d05a235Sjsing if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 5821d05a235Sjsing goto err; 5831d05a235Sjsing if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 5841d05a235Sjsing goto err; 5851d05a235Sjsing 5861d05a235Sjsing if (!sk_X509_push(certs, cert)) 5871d05a235Sjsing goto err; 5881d05a235Sjsing 5891d05a235Sjsing cert = NULL; 5901d05a235Sjsing } 5911d05a235Sjsing 592e480694fSjsing /* A server must always provide a non-empty certificate list. */ 593e480694fSjsing if (sk_X509_num(certs) < 1) { 594a1c5a4deSjsing ctx->alert = TLS13_ALERT_DECODE_ERROR; 595e480694fSjsing tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 596e480694fSjsing "peer failed to provide a certificate", NULL); 597e480694fSjsing goto err; 598e480694fSjsing } 599e480694fSjsing 6001d05a235Sjsing /* 6011d05a235Sjsing * At this stage we still have no proof of possession. As such, it would 6021d05a235Sjsing * be preferable to keep the chain and verify once we have successfully 6031d05a235Sjsing * processed the CertificateVerify message. 6041d05a235Sjsing */ 6051d05a235Sjsing if (ssl_verify_cert_chain(s, certs) <= 0 && 6061d05a235Sjsing s->verify_mode != SSL_VERIFY_NONE) { 6072f00a6aeSbeck ctx->alert = ssl_verify_alarm_type(s->verify_result); 608c9989395Sjsing tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 609c9989395Sjsing "failed to verify peer certificate", NULL); 6101d05a235Sjsing goto err; 6111d05a235Sjsing } 612ad618767Sjsing s->session->verify_result = s->verify_result; 6131d05a235Sjsing ERR_clear_error(); 6141d05a235Sjsing 615ad618767Sjsing if (!tls_process_peer_certs(s, certs)) 6161d05a235Sjsing goto err; 61715b5e1ecSjsing 6184770065fSbeck if (ctx->ocsp_status_recv_cb != NULL && 6194770065fSbeck !ctx->ocsp_status_recv_cb(ctx)) 6204770065fSbeck goto err; 6214770065fSbeck 6221d05a235Sjsing ret = 1; 6231d05a235Sjsing 6241d05a235Sjsing err: 6251d05a235Sjsing sk_X509_pop_free(certs, X509_free); 6261d05a235Sjsing X509_free(cert); 6271d05a235Sjsing 6281d05a235Sjsing return ret; 6291d05a235Sjsing } 6301d05a235Sjsing 6311d05a235Sjsing int 6320571c2d6Sjsing tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 6331d05a235Sjsing { 6341d05a235Sjsing const struct ssl_sigalg *sigalg; 6351d05a235Sjsing uint16_t signature_scheme; 6361d05a235Sjsing uint8_t *sig_content = NULL; 6371d05a235Sjsing size_t sig_content_len; 6381d05a235Sjsing EVP_MD_CTX *mdctx = NULL; 6391d05a235Sjsing EVP_PKEY_CTX *pctx; 6401d05a235Sjsing EVP_PKEY *pkey; 6411d05a235Sjsing X509 *cert; 6420571c2d6Sjsing CBS signature; 6431d05a235Sjsing CBB cbb; 6441d05a235Sjsing int ret = 0; 6451d05a235Sjsing 6461d05a235Sjsing memset(&cbb, 0, sizeof(cbb)); 6471d05a235Sjsing 6480571c2d6Sjsing if (!CBS_get_u16(cbs, &signature_scheme)) 6491d05a235Sjsing goto err; 6500571c2d6Sjsing if (!CBS_get_u16_length_prefixed(cbs, &signature)) 6511d05a235Sjsing goto err; 6521d05a235Sjsing 6531d05a235Sjsing if (!CBB_init(&cbb, 0)) 6541d05a235Sjsing goto err; 6552a0f8bf3Sbeck if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 6562a0f8bf3Sbeck sizeof(tls13_cert_verify_pad))) 6571d05a235Sjsing goto err; 6582a0f8bf3Sbeck if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, 6592a0f8bf3Sbeck strlen(tls13_cert_server_verify_context))) 6601d05a235Sjsing goto err; 6611d05a235Sjsing if (!CBB_add_u8(&cbb, 0)) 6621d05a235Sjsing goto err; 663d4edc922Sjsing if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 664d4edc922Sjsing ctx->hs->tls13.transcript_hash_len)) 6651d05a235Sjsing goto err; 6661d05a235Sjsing if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 6671d05a235Sjsing goto err; 6681d05a235Sjsing 669666c9986Sjsing if ((cert = ctx->ssl->session->peer_cert) == NULL) 6701d05a235Sjsing goto err; 6711d05a235Sjsing if ((pkey = X509_get0_pubkey(cert)) == NULL) 6721d05a235Sjsing goto err; 67321424b10Sjsing if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, 67421424b10Sjsing signature_scheme)) == NULL) 6751d05a235Sjsing goto err; 676adff4236Sjsing ctx->hs->peer_sigalg = sigalg; 6771d05a235Sjsing 6781d05a235Sjsing if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 6791d05a235Sjsing goto err; 6801d05a235Sjsing 6811d05a235Sjsing if ((mdctx = EVP_MD_CTX_new()) == NULL) 6821d05a235Sjsing goto err; 6831d05a235Sjsing if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 6841d05a235Sjsing goto err; 6851d05a235Sjsing if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 6861d05a235Sjsing if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 6871d05a235Sjsing goto err; 6881d05a235Sjsing if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 6891d05a235Sjsing goto err; 6901d05a235Sjsing } 69172ed2a14Stb if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature), 69272ed2a14Stb sig_content, sig_content_len) <= 0) { 693c957d00cSjsing ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 6941d05a235Sjsing goto err; 6951d05a235Sjsing } 6961d05a235Sjsing 6971d05a235Sjsing ret = 1; 6981d05a235Sjsing 6991d05a235Sjsing err: 700b183e949Sbeck if (!ret && ctx->alert == 0) 701c957d00cSjsing ctx->alert = TLS13_ALERT_DECODE_ERROR; 7021d05a235Sjsing CBB_cleanup(&cbb); 7031d05a235Sjsing EVP_MD_CTX_free(mdctx); 7041d05a235Sjsing free(sig_content); 7051d05a235Sjsing 7061d05a235Sjsing return ret; 7071d05a235Sjsing } 70861d65899Sjsing 70961d65899Sjsing int 7100571c2d6Sjsing tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 71161d65899Sjsing { 712d4edc922Sjsing struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 71361d65899Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 71461d65899Sjsing struct tls13_secret finished_key; 71561d65899Sjsing uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 71661d65899Sjsing size_t transcript_hash_len; 71761d65899Sjsing uint8_t *verify_data = NULL; 71861d65899Sjsing size_t verify_data_len; 71961d65899Sjsing uint8_t key[EVP_MAX_MD_SIZE]; 72061d65899Sjsing HMAC_CTX *hmac_ctx = NULL; 72161d65899Sjsing unsigned int hlen; 72261d65899Sjsing int ret = 0; 72361d65899Sjsing 72461d65899Sjsing /* 72561d65899Sjsing * Verify server finished. 72661d65899Sjsing */ 72761d65899Sjsing finished_key.data = key; 72861d65899Sjsing finished_key.len = EVP_MD_size(ctx->hash); 72961d65899Sjsing 73061d65899Sjsing if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 73161d65899Sjsing &secrets->server_handshake_traffic, "finished", 73261d65899Sjsing &context)) 73361d65899Sjsing goto err; 73461d65899Sjsing 73561d65899Sjsing if ((hmac_ctx = HMAC_CTX_new()) == NULL) 73661d65899Sjsing goto err; 73761d65899Sjsing if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 73861d65899Sjsing ctx->hash, NULL)) 73961d65899Sjsing goto err; 740d4edc922Sjsing if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 741d4edc922Sjsing ctx->hs->tls13.transcript_hash_len)) 74261d65899Sjsing goto err; 74361d65899Sjsing verify_data_len = HMAC_size(hmac_ctx); 74461d65899Sjsing if ((verify_data = calloc(1, verify_data_len)) == NULL) 74561d65899Sjsing goto err; 74661d65899Sjsing if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 74761d65899Sjsing goto err; 74861d65899Sjsing if (hlen != verify_data_len) 74961d65899Sjsing goto err; 75061d65899Sjsing 7510571c2d6Sjsing if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 752c957d00cSjsing ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 75361d65899Sjsing goto err; 75461d65899Sjsing } 75561d65899Sjsing 756268dad53Sjsing if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 757268dad53Sjsing sizeof(ctx->hs->peer_finished), 758268dad53Sjsing &ctx->hs->peer_finished_len)) 7590008d085Stb goto err; 7600008d085Stb 7610571c2d6Sjsing if (!CBS_skip(cbs, verify_data_len)) 7620571c2d6Sjsing goto err; 7630571c2d6Sjsing 76461d65899Sjsing /* 76561d65899Sjsing * Derive application traffic keys. 76661d65899Sjsing */ 76761d65899Sjsing if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 76861d65899Sjsing sizeof(transcript_hash), &transcript_hash_len)) 76961d65899Sjsing goto err; 77061d65899Sjsing 77161d65899Sjsing context.data = transcript_hash; 77261d65899Sjsing context.len = transcript_hash_len; 77361d65899Sjsing 77461d65899Sjsing if (!tls13_derive_application_secrets(secrets, &context)) 775112a688bSjsing goto err; 77661d65899Sjsing 777abba3324Sjsing /* 778abba3324Sjsing * Any records following the server finished message must be encrypted 779abba3324Sjsing * using the server application traffic keys. 780abba3324Sjsing */ 781abba3324Sjsing if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 7826ea83a9dSjsing &secrets->server_application_traffic, ssl_encryption_application)) 783112a688bSjsing goto err; 784abba3324Sjsing 785138e3c44Stb tls13_record_layer_allow_ccs(ctx->rl, 0); 786138e3c44Stb 78761d65899Sjsing ret = 1; 78861d65899Sjsing 78961d65899Sjsing err: 79061d65899Sjsing HMAC_CTX_free(hmac_ctx); 79161d65899Sjsing free(verify_data); 79261d65899Sjsing 79361d65899Sjsing return ret; 79461d65899Sjsing } 79561d65899Sjsing 7962414b9ecStb static int 797ef36d1f9Sjsing tls13_client_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk, 7982414b9ecStb int *ok, const struct ssl_sigalg **out_sigalg) 7992414b9ecStb { 8002414b9ecStb const struct ssl_sigalg *sigalg; 8012414b9ecStb SSL *s = ctx->ssl; 8022414b9ecStb 8032414b9ecStb *ok = 0; 8042414b9ecStb *out_sigalg = NULL; 8052414b9ecStb 8062414b9ecStb if (cpk->x509 == NULL || cpk->privatekey == NULL) 8072414b9ecStb goto done; 8082414b9ecStb 8092414b9ecStb if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 8102414b9ecStb goto done; 8112414b9ecStb 8122414b9ecStb *ok = 1; 8132414b9ecStb *out_sigalg = sigalg; 8142414b9ecStb 8152414b9ecStb done: 8162414b9ecStb return 1; 8172414b9ecStb } 8182414b9ecStb 8192414b9ecStb static int 820ef36d1f9Sjsing tls13_client_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk, 8212414b9ecStb const struct ssl_sigalg **out_sigalg) 8222414b9ecStb { 8232414b9ecStb SSL *s = ctx->ssl; 8242414b9ecStb const struct ssl_sigalg *sigalg; 825ef36d1f9Sjsing SSL_CERT_PKEY *cpk; 8262414b9ecStb int cert_ok; 8272414b9ecStb 8282414b9ecStb *out_cpk = NULL; 8292414b9ecStb *out_sigalg = NULL; 8302414b9ecStb 8312414b9ecStb /* 8322414b9ecStb * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences 8332414b9ecStb * with the certificate_authorities (4.2.4) and oid_filters (4.2.5) 8342414b9ecStb * extensions. We should honor the former and must apply the latter. 8352414b9ecStb */ 8362414b9ecStb 8372414b9ecStb cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 8382414b9ecStb if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 8392414b9ecStb return 0; 8402414b9ecStb if (cert_ok) 8412414b9ecStb goto done; 8422414b9ecStb 8432414b9ecStb cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 8442414b9ecStb if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 8452414b9ecStb return 0; 8462414b9ecStb if (cert_ok) 8472414b9ecStb goto done; 8482414b9ecStb 8492414b9ecStb cpk = NULL; 8502414b9ecStb sigalg = NULL; 8512414b9ecStb 8522414b9ecStb done: 8532414b9ecStb *out_cpk = cpk; 8542414b9ecStb *out_sigalg = sigalg; 8552414b9ecStb 8562414b9ecStb return 1; 8572414b9ecStb } 8582414b9ecStb 85961d65899Sjsing int 86040ef3650Sbeck tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 86140ef3650Sbeck { 86240ef3650Sbeck SSL *s = ctx->ssl; 86340ef3650Sbeck CBB cert_request_context, cert_list; 8642414b9ecStb const struct ssl_sigalg *sigalg; 86540ef3650Sbeck STACK_OF(X509) *chain; 866ef36d1f9Sjsing SSL_CERT_PKEY *cpk; 86740ef3650Sbeck X509 *cert; 86840ef3650Sbeck int i, ret = 0; 86940ef3650Sbeck 8702414b9ecStb if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) 8712414b9ecStb goto err; 87240ef3650Sbeck 873d4edc922Sjsing ctx->hs->tls13.cpk = cpk; 874adff4236Sjsing ctx->hs->our_sigalg = sigalg; 87540ef3650Sbeck 87640ef3650Sbeck if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 87740ef3650Sbeck goto err; 87840ef3650Sbeck if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 87940ef3650Sbeck goto err; 88040ef3650Sbeck 8812414b9ecStb /* No certificate selected. */ 8822414b9ecStb if (cpk == NULL) 88340ef3650Sbeck goto done; 88440ef3650Sbeck 8852414b9ecStb if ((chain = cpk->chain) == NULL) 8862414b9ecStb chain = s->ctx->extra_certs; 8872414b9ecStb 88817fca910Sbeck if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build)) 88940ef3650Sbeck goto err; 89040ef3650Sbeck 89140ef3650Sbeck for (i = 0; i < sk_X509_num(chain); i++) { 89240ef3650Sbeck cert = sk_X509_value(chain, i); 89317fca910Sbeck if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build)) 89440ef3650Sbeck goto err; 89540ef3650Sbeck } 89640ef3650Sbeck 89740ef3650Sbeck ctx->handshake_stage.hs_type |= WITH_CCV; 89840ef3650Sbeck done: 89940ef3650Sbeck if (!CBB_flush(cbb)) 90040ef3650Sbeck goto err; 90140ef3650Sbeck 90240ef3650Sbeck ret = 1; 90340ef3650Sbeck 90440ef3650Sbeck err: 90540ef3650Sbeck return ret; 90640ef3650Sbeck } 90740ef3650Sbeck 90840ef3650Sbeck int 90940ef3650Sbeck tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 91040ef3650Sbeck { 9112414b9ecStb const struct ssl_sigalg *sigalg; 91240ef3650Sbeck uint8_t *sig = NULL, *sig_content = NULL; 91340ef3650Sbeck size_t sig_len, sig_content_len; 91440ef3650Sbeck EVP_MD_CTX *mdctx = NULL; 91540ef3650Sbeck EVP_PKEY_CTX *pctx; 91640ef3650Sbeck EVP_PKEY *pkey; 917ef36d1f9Sjsing const SSL_CERT_PKEY *cpk; 91840ef3650Sbeck CBB sig_cbb; 91940ef3650Sbeck int ret = 0; 92040ef3650Sbeck 92140ef3650Sbeck memset(&sig_cbb, 0, sizeof(sig_cbb)); 92240ef3650Sbeck 923d4edc922Sjsing if ((cpk = ctx->hs->tls13.cpk) == NULL) 92440ef3650Sbeck goto err; 925adff4236Sjsing if ((sigalg = ctx->hs->our_sigalg) == NULL) 9262414b9ecStb goto err; 9272414b9ecStb pkey = cpk->privatekey; 92840ef3650Sbeck 92940ef3650Sbeck if (!CBB_init(&sig_cbb, 0)) 93040ef3650Sbeck goto err; 93140ef3650Sbeck if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 93240ef3650Sbeck sizeof(tls13_cert_verify_pad))) 93340ef3650Sbeck goto err; 93440ef3650Sbeck if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, 93540ef3650Sbeck strlen(tls13_cert_client_verify_context))) 93640ef3650Sbeck goto err; 93740ef3650Sbeck if (!CBB_add_u8(&sig_cbb, 0)) 93840ef3650Sbeck goto err; 939d4edc922Sjsing if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 940d4edc922Sjsing ctx->hs->tls13.transcript_hash_len)) 94140ef3650Sbeck goto err; 94240ef3650Sbeck if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 94340ef3650Sbeck goto err; 94440ef3650Sbeck 94540ef3650Sbeck if ((mdctx = EVP_MD_CTX_new()) == NULL) 94640ef3650Sbeck goto err; 94740ef3650Sbeck if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 94840ef3650Sbeck goto err; 94940ef3650Sbeck if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 95040ef3650Sbeck if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 95140ef3650Sbeck goto err; 95240ef3650Sbeck if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 95340ef3650Sbeck goto err; 95440ef3650Sbeck } 95572ed2a14Stb if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len)) 95640ef3650Sbeck goto err; 95740ef3650Sbeck if ((sig = calloc(1, sig_len)) == NULL) 95840ef3650Sbeck goto err; 95972ed2a14Stb if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len)) 96040ef3650Sbeck goto err; 96140ef3650Sbeck 96240ef3650Sbeck if (!CBB_add_u16(cbb, sigalg->value)) 96340ef3650Sbeck goto err; 96440ef3650Sbeck if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 96540ef3650Sbeck goto err; 96640ef3650Sbeck if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 96740ef3650Sbeck goto err; 96840ef3650Sbeck 96940ef3650Sbeck if (!CBB_flush(cbb)) 97040ef3650Sbeck goto err; 97140ef3650Sbeck 97240ef3650Sbeck ret = 1; 97340ef3650Sbeck 97440ef3650Sbeck err: 97540ef3650Sbeck if (!ret && ctx->alert == 0) 976c957d00cSjsing ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 97740ef3650Sbeck 97840ef3650Sbeck CBB_cleanup(&sig_cbb); 97940ef3650Sbeck EVP_MD_CTX_free(mdctx); 98040ef3650Sbeck free(sig_content); 98140ef3650Sbeck free(sig); 98240ef3650Sbeck 98340ef3650Sbeck return ret; 98440ef3650Sbeck } 985d0445389Sjsing 986d0445389Sjsing int 987d0445389Sjsing tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) 988d0445389Sjsing { 989d0445389Sjsing return 0; 990d0445389Sjsing } 991d0445389Sjsing 992d0445389Sjsing int 993d0445389Sjsing tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) 994d0445389Sjsing { 995d4edc922Sjsing struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 996d0445389Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 997ab7db32bStb struct tls13_secret finished_key = { .data = NULL, .len = 0 }; 998d0445389Sjsing uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 999d0445389Sjsing size_t transcript_hash_len; 1000d0445389Sjsing uint8_t *verify_data; 10017f1ecec5Sjsing size_t verify_data_len; 1002d0445389Sjsing unsigned int hlen; 1003d0445389Sjsing HMAC_CTX *hmac_ctx = NULL; 10040008d085Stb CBS cbs; 1005d0445389Sjsing int ret = 0; 1006d0445389Sjsing 1007ab7db32bStb if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 1008ab7db32bStb goto err; 1009d0445389Sjsing 1010d0445389Sjsing if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1011d0445389Sjsing &secrets->client_handshake_traffic, "finished", 1012d0445389Sjsing &context)) 1013d0445389Sjsing goto err; 1014d0445389Sjsing 1015d0445389Sjsing if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 1016d0445389Sjsing sizeof(transcript_hash), &transcript_hash_len)) 1017d0445389Sjsing goto err; 1018d0445389Sjsing 1019d0445389Sjsing if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1020d0445389Sjsing goto err; 1021d0445389Sjsing if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1022d0445389Sjsing ctx->hash, NULL)) 1023d0445389Sjsing goto err; 1024d0445389Sjsing if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 1025d0445389Sjsing goto err; 1026d0445389Sjsing 10277f1ecec5Sjsing verify_data_len = HMAC_size(hmac_ctx); 10287f1ecec5Sjsing if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 1029d0445389Sjsing goto err; 1030d0445389Sjsing if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1031d0445389Sjsing goto err; 10327f1ecec5Sjsing if (hlen != verify_data_len) 1033d0445389Sjsing goto err; 1034d0445389Sjsing 10357f1ecec5Sjsing CBS_init(&cbs, verify_data, verify_data_len); 1036268dad53Sjsing if (!CBS_write_bytes(&cbs, ctx->hs->finished, 1037268dad53Sjsing sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 10380008d085Stb goto err; 10390008d085Stb 1040d0445389Sjsing ret = 1; 1041d0445389Sjsing 1042d0445389Sjsing err: 1043ab7db32bStb tls13_secret_cleanup(&finished_key); 1044d0445389Sjsing HMAC_CTX_free(hmac_ctx); 1045d0445389Sjsing 1046d0445389Sjsing return ret; 1047d0445389Sjsing } 1048d0445389Sjsing 1049d0445389Sjsing int 1050d0445389Sjsing tls13_client_finished_sent(struct tls13_ctx *ctx) 1051d0445389Sjsing { 1052d4edc922Sjsing struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1053d0445389Sjsing 1054d0445389Sjsing /* 1055d0445389Sjsing * Any records following the client finished message must be encrypted 1056d0445389Sjsing * using the client application traffic keys. 1057d0445389Sjsing */ 1058d0445389Sjsing return tls13_record_layer_set_write_traffic_key(ctx->rl, 10596ea83a9dSjsing &secrets->client_application_traffic, ssl_encryption_application); 1060d0445389Sjsing } 1061