1 /* $OpenBSD: tls13_client.c,v 1.45 2020/02/23 17:51:36 tb Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include <openssl/ssl3.h> 21 22 #include "bytestring.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 static int 28 tls13_connect(struct tls13_ctx *ctx) 29 { 30 if (ctx->mode != TLS13_HS_CLIENT) 31 return TLS13_IO_FAILURE; 32 33 return tls13_handshake_perform(ctx); 34 } 35 36 static int 37 tls13_client_init(struct tls13_ctx *ctx) 38 { 39 SSL *s = ctx->ssl; 40 41 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 42 &ctx->hs->max_version)) { 43 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 44 return 0; 45 } 46 s->client_version = s->version = ctx->hs->max_version; 47 48 if (!ssl_get_new_session(s, 0)) /* XXX */ 49 return 0; 50 51 if (!tls1_transcript_init(s)) 52 return 0; 53 54 if ((ctx->hs->key_share = tls13_key_share_new(NID_X25519)) == NULL) 55 return 0; 56 if (!tls13_key_share_generate(ctx->hs->key_share)) 57 return 0; 58 59 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 60 61 return 1; 62 } 63 64 int 65 tls13_legacy_connect(SSL *ssl) 66 { 67 struct tls13_ctx *ctx = ssl->internal->tls13; 68 int ret; 69 70 #ifdef TLS13_USE_LEGACY_CLIENT_AUTH 71 /* XXX drop back to legacy for client auth for now */ 72 if (ssl->cert->key->privatekey != NULL) { 73 ssl->method = tls_legacy_client_method(); 74 return ssl->method->internal->ssl_connect(ssl); 75 } 76 #endif 77 78 if (ctx == NULL) { 79 if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { 80 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 81 return -1; 82 } 83 ssl->internal->tls13 = ctx; 84 ctx->ssl = ssl; 85 ctx->hs = &S3I(ssl)->hs_tls13; 86 87 if (!tls13_client_init(ctx)) { 88 if (ERR_peek_error() == 0) 89 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 90 return -1; 91 } 92 } 93 94 ERR_clear_error(); 95 S3I(ssl)->hs.state = SSL_ST_CONNECT; 96 97 ret = tls13_connect(ctx); 98 if (ret == TLS13_IO_USE_LEGACY) 99 return ssl->method->internal->ssl_connect(ssl); 100 if (ret == TLS13_IO_SUCCESS) 101 S3I(ssl)->hs.state = SSL_ST_OK; 102 103 return tls13_legacy_return_code(ssl, ret); 104 } 105 106 int 107 tls13_use_legacy_client(struct tls13_ctx *ctx) 108 { 109 SSL *s = ctx->ssl; 110 CBS cbs; 111 112 s->method = tls_legacy_client_method(); 113 s->internal->handshake_func = s->method->internal->ssl_connect; 114 s->client_version = s->version = s->method->internal->max_version; 115 116 if (!ssl3_setup_init_buffer(s)) 117 goto err; 118 if (!ssl3_setup_buffers(s)) 119 goto err; 120 if (!ssl_init_wbio_buffer(s, 0)) 121 goto err; 122 123 if (s->bbio != s->wbio) 124 s->wbio = BIO_push(s->bbio, s->wbio); 125 126 /* Stash any unprocessed data from the last record. */ 127 tls13_record_layer_rbuf(ctx->rl, &cbs); 128 if (CBS_len(&cbs) > 0) { 129 if (!CBS_write_bytes(&cbs, 130 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 131 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 132 goto err; 133 134 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 135 S3I(s)->rbuf.left = CBS_len(&cbs); 136 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 137 S3I(s)->rrec.length = CBS_len(&cbs); 138 s->internal->rstate = SSL_ST_READ_BODY; 139 s->internal->packet = S3I(s)->rbuf.buf; 140 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 141 s->internal->mac_packet = 1; 142 } 143 144 /* Stash the current handshake message. */ 145 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 146 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 147 s->internal->init_buf->length, NULL)) 148 goto err; 149 150 S3I(s)->tmp.reuse_message = 1; 151 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 152 S3I(s)->tmp.message_size = CBS_len(&cbs); 153 154 S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; 155 156 return 1; 157 158 err: 159 return 0; 160 } 161 162 static int 163 tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) 164 { 165 CBB cipher_suites, compression_methods, session_id; 166 uint16_t client_version; 167 SSL *s = ctx->ssl; 168 169 /* Legacy client version is capped at TLS 1.2. */ 170 client_version = ctx->hs->max_version; 171 if (client_version > TLS1_2_VERSION) 172 client_version = TLS1_2_VERSION; 173 174 if (!CBB_add_u16(cbb, client_version)) 175 goto err; 176 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) 177 goto err; 178 179 /* Either 32-random bytes or zero length... */ 180 arc4random_buf(ctx->hs->legacy_session_id, 181 sizeof(ctx->hs->legacy_session_id)); 182 ctx->hs->legacy_session_id_len = sizeof(ctx->hs->legacy_session_id); 183 184 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 185 goto err; 186 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 187 ctx->hs->legacy_session_id_len)) 188 goto err; 189 190 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) 191 goto err; 192 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { 193 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); 194 goto err; 195 } 196 197 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) 198 goto err; 199 if (!CBB_add_u8(&compression_methods, 0)) 200 goto err; 201 202 if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH)) 203 goto err; 204 205 if (!CBB_flush(cbb)) 206 goto err; 207 208 return 1; 209 210 err: 211 return 0; 212 } 213 214 int 215 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) 216 { 217 if (ctx->hs->min_version < TLS1_2_VERSION) 218 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 219 220 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ 221 tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); 222 223 if (!tls13_client_hello_build(ctx, cbb)) 224 return 0; 225 226 return 1; 227 } 228 229 int 230 tls13_client_hello_sent(struct tls13_ctx *ctx) 231 { 232 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 233 tls13_record_layer_allow_ccs(ctx->rl, 1); 234 235 tls1_transcript_freeze(ctx->ssl); 236 237 return 1; 238 } 239 240 /* 241 * HelloRetryRequest hash - RFC 8446 section 4.1.3. 242 */ 243 static const uint8_t tls13_hello_retry_request_hash[] = { 244 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, 245 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, 246 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, 247 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, 248 }; 249 250 static int 251 tls13_server_hello_is_legacy(CBS *cbs) 252 { 253 CBS extensions_block, extensions, extension_data; 254 uint16_t selected_version = 0; 255 uint16_t type; 256 257 CBS_dup(cbs, &extensions_block); 258 259 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 260 return 1; 261 262 while (CBS_len(&extensions) > 0) { 263 if (!CBS_get_u16(&extensions, &type)) 264 return 1; 265 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 266 return 1; 267 268 if (type != TLSEXT_TYPE_supported_versions) 269 continue; 270 if (!CBS_get_u16(&extension_data, &selected_version)) 271 return 1; 272 if (CBS_len(&extension_data) != 0) 273 return 1; 274 } 275 276 return (selected_version < TLS1_3_VERSION); 277 } 278 279 static int 280 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) 281 { 282 CBS server_random, session_id; 283 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 284 uint16_t cipher_suite, legacy_version; 285 uint8_t compression_method; 286 const SSL_CIPHER *cipher; 287 int alert_desc; 288 SSL *s = ctx->ssl; 289 290 if (!CBS_get_u16(cbs, &legacy_version)) 291 goto err; 292 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) 293 goto err; 294 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 295 goto err; 296 if (!CBS_get_u16(cbs, &cipher_suite)) 297 goto err; 298 if (!CBS_get_u8(cbs, &compression_method)) 299 goto err; 300 301 if (tls13_server_hello_is_legacy(cbs)) { 302 if (ctx->hs->max_version >= TLS1_3_VERSION) { 303 /* 304 * RFC 8446 section 4.1.3, We must not downgrade if 305 * the server random value contains the TLS 1.2 or 1.1 306 * magical value. 307 */ 308 if (!CBS_skip(&server_random, CBS_len(&server_random) - 309 sizeof(tls13_downgrade_12))) 310 goto err; 311 if (CBS_mem_equal(&server_random, tls13_downgrade_12, 312 sizeof(tls13_downgrade_12)) || 313 CBS_mem_equal(&server_random, tls13_downgrade_11, 314 sizeof(tls13_downgrade_11))) { 315 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 316 goto err; 317 } 318 } 319 320 if (!CBS_skip(cbs, CBS_len(cbs))) 321 goto err; 322 323 ctx->hs->use_legacy = 1; 324 return 1; 325 } 326 327 /* From here on in we know we are doing TLSv1.3. */ 328 tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); 329 330 /* See if this is a Hello Retry Request. */ 331 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 332 sizeof(tls13_hello_retry_request_hash))) { 333 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 334 ctx->hs->hrr = 1; 335 } 336 337 if (!tlsext_client_parse(s, cbs, &alert_desc, tlsext_msg_type)) { 338 ctx->alert = alert_desc; 339 goto err; 340 } 341 342 /* 343 * See if a supported versions extension was returned. If it was then 344 * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3). 345 * Otherwise, fallback to the legacy version, ensuring that it is both 346 * within range and not TLS 1.3 or greater (which must use the 347 * supported version extension. 348 */ 349 if (ctx->hs->server_version != 0) { 350 if (legacy_version != TLS1_2_VERSION) { 351 ctx->alert = SSL_AD_PROTOCOL_VERSION; 352 goto err; 353 } 354 } else { 355 if (legacy_version < ctx->hs->min_version || 356 legacy_version > ctx->hs->max_version || 357 legacy_version > TLS1_2_VERSION) { 358 ctx->alert = SSL_AD_PROTOCOL_VERSION; 359 goto err; 360 } 361 ctx->hs->server_version = legacy_version; 362 } 363 364 /* The session_id must match. */ 365 if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id, 366 ctx->hs->legacy_session_id_len)) { 367 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 368 goto err; 369 } 370 371 /* 372 * Ensure that the cipher suite is one that we offered in the client 373 * hello and that it matches the TLS version selected. 374 */ 375 cipher = ssl3_get_cipher_by_value(cipher_suite); 376 if (cipher == NULL || 377 sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) { 378 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 379 goto err; 380 } 381 if (ctx->hs->server_version == TLS1_3_VERSION && 382 cipher->algorithm_ssl != SSL_TLSV1_3) { 383 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 384 goto err; 385 } 386 /* XXX - move this to hs_tls13? */ 387 S3I(s)->hs.new_cipher = cipher; 388 389 if (compression_method != 0) { 390 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 391 goto err; 392 } 393 394 return 1; 395 396 err: 397 if (ctx->alert == 0) 398 ctx->alert = TLS1_AD_DECODE_ERROR; 399 400 return 0; 401 } 402 403 static int 404 tls13_client_synthetic_handshake_message(struct tls13_ctx *ctx) 405 { 406 struct tls13_handshake_msg *hm = NULL; 407 unsigned char buf[EVP_MAX_MD_SIZE]; 408 size_t hash_len; 409 CBB cbb; 410 CBS cbs; 411 SSL *s = ctx->ssl; 412 int ret = 0; 413 414 /* 415 * Replace ClientHello with synthetic handshake message - see 416 * RFC 8446 section 4.4.1. 417 */ 418 if (!tls1_transcript_hash_init(s)) 419 goto err; 420 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 421 goto err; 422 423 if ((hm = tls13_handshake_msg_new()) == NULL) 424 goto err; 425 if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH)) 426 goto err; 427 if (!CBB_add_bytes(&cbb, buf, hash_len)) 428 goto err; 429 if (!tls13_handshake_msg_finish(hm)) 430 goto err; 431 432 tls13_handshake_msg_data(hm, &cbs); 433 434 tls1_transcript_reset(ctx->ssl); 435 if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) 436 goto err; 437 438 ret = 1; 439 440 err: 441 tls13_handshake_msg_free(hm); 442 443 return ret; 444 } 445 446 static int 447 tls13_client_engage_record_protection(struct tls13_ctx *ctx) 448 { 449 struct tls13_secrets *secrets; 450 struct tls13_secret context; 451 unsigned char buf[EVP_MAX_MD_SIZE]; 452 uint8_t *shared_key = NULL; 453 size_t shared_key_len = 0; 454 size_t hash_len; 455 SSL *s = ctx->ssl; 456 int ret = 0; 457 458 /* Derive the shared key and engage record protection. */ 459 460 if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, 461 &shared_key_len)) 462 goto err; 463 464 s->session->cipher = S3I(s)->hs.new_cipher; 465 s->session->ssl_version = ctx->hs->server_version; 466 467 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 468 goto err; 469 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 470 goto err; 471 472 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 473 goto err; 474 S3I(ctx->ssl)->hs_tls13.secrets = secrets; 475 476 /* XXX - pass in hash. */ 477 if (!tls1_transcript_hash_init(s)) 478 goto err; 479 tls1_transcript_free(s); 480 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 481 goto err; 482 context.data = buf; 483 context.len = hash_len; 484 485 /* Early secrets. */ 486 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 487 secrets->zeros.len, &context)) 488 goto err; 489 490 /* Handshake secrets. */ 491 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 492 shared_key_len, &context)) 493 goto err; 494 495 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 496 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 497 498 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 499 &secrets->server_handshake_traffic)) 500 goto err; 501 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 502 &secrets->client_handshake_traffic)) 503 goto err; 504 505 ret = 1; 506 507 err: 508 freezero(shared_key, shared_key_len); 509 510 return ret; 511 } 512 513 int 514 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 515 { 516 SSL *s = ctx->ssl; 517 518 /* 519 * We may have received a legacy (pre-TLSv1.3) server hello, 520 * a TLSv1.3 server hello or a TLSv1.3 hello retry request. 521 */ 522 if (!tls13_server_hello_process(ctx, cbs)) 523 return 0; 524 525 tls1_transcript_unfreeze(s); 526 527 if (ctx->hs->hrr) { 528 if (!tls13_client_synthetic_handshake_message(ctx)) 529 return 0; 530 } 531 532 if (!tls13_handshake_msg_record(ctx)) 533 return 0; 534 535 if (ctx->hs->use_legacy) 536 return tls13_use_legacy_client(ctx); 537 538 if (!ctx->hs->hrr) { 539 if (!tls13_client_engage_record_protection(ctx)) 540 return 0; 541 } 542 543 ctx->handshake_stage.hs_type |= NEGOTIATED; 544 if (ctx->hs->hrr) 545 ctx->handshake_stage.hs_type |= WITH_HRR; 546 547 ctx->hs->hrr = 0; 548 549 return 1; 550 } 551 552 int 553 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 554 { 555 int nid; 556 557 /* 558 * Ensure that the server supported group is not the same 559 * as the one we previously offered and that it was one that 560 * we listed in our supported groups. 561 */ 562 if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) 563 return 0; /* XXX alert */ 564 if ((nid = tls1_ec_curve_id2nid(ctx->hs->server_group)) == 0) 565 return 0; 566 if (nid != NID_X25519 && nid != NID_X9_62_prime256v1 && nid != NID_secp384r1) 567 return 0; /* XXX alert */ 568 569 /* Switch to new key share. */ 570 tls13_key_share_free(ctx->hs->key_share); 571 if ((ctx->hs->key_share = tls13_key_share_new(nid)) == NULL) 572 return 0; 573 if (!tls13_key_share_generate(ctx->hs->key_share)) 574 return 0; 575 576 if (!tls13_client_hello_build(ctx, cbb)) 577 return 0; 578 579 return 1; 580 } 581 582 int 583 tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 584 { 585 if (!tls13_server_hello_process(ctx, cbs)) 586 return 0; 587 588 if (ctx->hs->use_legacy) 589 return 0; /* XXX alert */ 590 591 if (ctx->hs->hrr) 592 return 0; /* XXX alert */ 593 594 if (!tls13_client_engage_record_protection(ctx)) 595 return 0; 596 597 return 1; 598 } 599 600 int 601 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) 602 { 603 int alert_desc; 604 605 if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_EE)) { 606 ctx->alert = alert_desc; 607 goto err; 608 } 609 610 return 1; 611 612 err: 613 if (ctx->alert == 0) 614 ctx->alert = TLS1_AD_DECODE_ERROR; 615 616 return 0; 617 } 618 619 int 620 tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) 621 { 622 CBS cert_request_context; 623 int alert_desc; 624 625 /* 626 * Thanks to poor state design in the RFC, this function can be called 627 * when we actually have a certificate message instead of a certificate 628 * request... in that case we call the certificate handler after 629 * switching state, to avoid advancing state. 630 */ 631 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { 632 ctx->handshake_stage.hs_type |= WITHOUT_CR; 633 return tls13_server_certificate_recv(ctx, cbs); 634 } 635 636 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 637 goto err; 638 if (CBS_len(&cert_request_context) != 0) 639 goto err; 640 641 if (!tlsext_client_parse(ctx->ssl, cbs, &alert_desc, SSL_TLSEXT_MSG_CR)) { 642 ctx->alert = alert_desc; 643 goto err; 644 } 645 646 return 1; 647 648 err: 649 if (ctx->alert == 0) 650 ctx->alert = TLS1_AD_DECODE_ERROR; 651 return 0; 652 } 653 654 int 655 tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 656 { 657 CBS cert_request_context, cert_list, cert_data, cert_exts; 658 struct stack_st_X509 *certs = NULL; 659 SSL *s = ctx->ssl; 660 X509 *cert = NULL; 661 EVP_PKEY *pkey; 662 const uint8_t *p; 663 int cert_idx; 664 int ret = 0; 665 666 if ((certs = sk_X509_new_null()) == NULL) 667 goto err; 668 669 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 670 goto err; 671 if (CBS_len(&cert_request_context) != 0) 672 goto err; 673 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 674 goto err; 675 676 while (CBS_len(&cert_list) > 0) { 677 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 678 goto err; 679 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 680 goto err; 681 682 p = CBS_data(&cert_data); 683 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 684 goto err; 685 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 686 goto err; 687 688 if (!sk_X509_push(certs, cert)) 689 goto err; 690 691 cert = NULL; 692 } 693 694 /* 695 * At this stage we still have no proof of possession. As such, it would 696 * be preferable to keep the chain and verify once we have successfully 697 * processed the CertificateVerify message. 698 */ 699 if (ssl_verify_cert_chain(s, certs) <= 0 && 700 s->verify_mode != SSL_VERIFY_NONE) { 701 ctx->alert = ssl_verify_alarm_type(s->verify_result); 702 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 703 "failed to verify peer certificate", NULL); 704 goto err; 705 } 706 ERR_clear_error(); 707 708 cert = sk_X509_value(certs, 0); 709 X509_up_ref(cert); 710 711 if ((pkey = X509_get0_pubkey(cert)) == NULL) 712 goto err; 713 if (EVP_PKEY_missing_parameters(pkey)) 714 goto err; 715 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 716 goto err; 717 718 ssl_sess_cert_free(SSI(s)->sess_cert); 719 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 720 goto err; 721 722 SSI(s)->sess_cert->cert_chain = certs; 723 certs = NULL; 724 725 X509_up_ref(cert); 726 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 727 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 728 729 X509_free(s->session->peer); 730 731 X509_up_ref(cert); 732 s->session->peer = cert; 733 s->session->verify_result = s->verify_result; 734 735 ret = 1; 736 737 err: 738 sk_X509_pop_free(certs, X509_free); 739 X509_free(cert); 740 741 return ret; 742 } 743 744 int 745 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 746 { 747 const struct ssl_sigalg *sigalg; 748 uint16_t signature_scheme; 749 uint8_t *sig_content = NULL; 750 size_t sig_content_len; 751 EVP_MD_CTX *mdctx = NULL; 752 EVP_PKEY_CTX *pctx; 753 EVP_PKEY *pkey; 754 X509 *cert; 755 CBS signature; 756 CBB cbb; 757 int ret = 0; 758 759 memset(&cbb, 0, sizeof(cbb)); 760 761 if (!CBS_get_u16(cbs, &signature_scheme)) 762 goto err; 763 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 764 goto err; 765 766 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 767 tls13_sigalgs_len)) == NULL) 768 goto err; 769 770 if (!CBB_init(&cbb, 0)) 771 goto err; 772 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 773 sizeof(tls13_cert_verify_pad))) 774 goto err; 775 if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, 776 strlen(tls13_cert_server_verify_context))) 777 goto err; 778 if (!CBB_add_u8(&cbb, 0)) 779 goto err; 780 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 781 ctx->hs->transcript_hash_len)) 782 goto err; 783 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 784 goto err; 785 786 if ((cert = ctx->ssl->session->peer) == NULL) 787 goto err; 788 if ((pkey = X509_get0_pubkey(cert)) == NULL) 789 goto err; 790 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 791 goto err; 792 793 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 794 goto err; 795 796 if ((mdctx = EVP_MD_CTX_new()) == NULL) 797 goto err; 798 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 799 goto err; 800 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 801 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 802 goto err; 803 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 804 goto err; 805 } 806 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 807 ctx->alert = TLS1_AD_DECRYPT_ERROR; 808 goto err; 809 } 810 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 811 CBS_len(&signature)) <= 0) { 812 ctx->alert = TLS1_AD_DECRYPT_ERROR; 813 goto err; 814 } 815 816 ret = 1; 817 818 err: 819 if (!ret && ctx->alert == 0) 820 ctx->alert = TLS1_AD_DECODE_ERROR; 821 CBB_cleanup(&cbb); 822 EVP_MD_CTX_free(mdctx); 823 free(sig_content); 824 825 return ret; 826 } 827 828 int 829 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 830 { 831 struct tls13_secrets *secrets = ctx->hs->secrets; 832 struct tls13_secret context = { .data = "", .len = 0 }; 833 struct tls13_secret finished_key; 834 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 835 size_t transcript_hash_len; 836 uint8_t *verify_data = NULL; 837 size_t verify_data_len; 838 uint8_t key[EVP_MAX_MD_SIZE]; 839 HMAC_CTX *hmac_ctx = NULL; 840 unsigned int hlen; 841 int ret = 0; 842 843 /* 844 * Verify server finished. 845 */ 846 finished_key.data = key; 847 finished_key.len = EVP_MD_size(ctx->hash); 848 849 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 850 &secrets->server_handshake_traffic, "finished", 851 &context)) 852 goto err; 853 854 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 855 goto err; 856 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 857 ctx->hash, NULL)) 858 goto err; 859 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 860 ctx->hs->transcript_hash_len)) 861 goto err; 862 verify_data_len = HMAC_size(hmac_ctx); 863 if ((verify_data = calloc(1, verify_data_len)) == NULL) 864 goto err; 865 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 866 goto err; 867 if (hlen != verify_data_len) 868 goto err; 869 870 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 871 ctx->alert = TLS1_AD_DECRYPT_ERROR; 872 goto err; 873 } 874 875 if (!CBS_skip(cbs, verify_data_len)) 876 goto err; 877 878 /* 879 * Derive application traffic keys. 880 */ 881 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 882 sizeof(transcript_hash), &transcript_hash_len)) 883 goto err; 884 885 context.data = transcript_hash; 886 context.len = transcript_hash_len; 887 888 if (!tls13_derive_application_secrets(secrets, &context)) 889 goto err; 890 891 /* 892 * Any records following the server finished message must be encrypted 893 * using the server application traffic keys. 894 */ 895 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 896 &secrets->server_application_traffic)) 897 goto err; 898 899 tls13_record_layer_allow_ccs(ctx->rl, 0); 900 901 ret = 1; 902 903 err: 904 HMAC_CTX_free(hmac_ctx); 905 free(verify_data); 906 907 return ret; 908 } 909 910 int 911 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) 912 { 913 struct tls13_secrets *secrets = ctx->hs->secrets; 914 struct tls13_secret context = { .data = "", .len = 0 }; 915 struct tls13_secret finished_key; 916 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 917 size_t transcript_hash_len; 918 uint8_t key[EVP_MAX_MD_SIZE]; 919 uint8_t *verify_data; 920 size_t hmac_len; 921 unsigned int hlen; 922 HMAC_CTX *hmac_ctx = NULL; 923 int ret = 0; 924 925 finished_key.data = key; 926 finished_key.len = EVP_MD_size(ctx->hash); 927 928 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 929 &secrets->client_handshake_traffic, "finished", 930 &context)) 931 goto err; 932 933 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 934 sizeof(transcript_hash), &transcript_hash_len)) 935 goto err; 936 937 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 938 goto err; 939 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 940 ctx->hash, NULL)) 941 goto err; 942 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 943 goto err; 944 945 hmac_len = HMAC_size(hmac_ctx); 946 if (!CBB_add_space(cbb, &verify_data, hmac_len)) 947 goto err; 948 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 949 goto err; 950 if (hlen != hmac_len) 951 goto err; 952 953 ret = 1; 954 955 err: 956 HMAC_CTX_free(hmac_ctx); 957 958 return ret; 959 } 960 961 int 962 tls13_client_finished_sent(struct tls13_ctx *ctx) 963 { 964 struct tls13_secrets *secrets = ctx->hs->secrets; 965 966 /* 967 * Any records following the client finished message must be encrypted 968 * using the client application traffic keys. 969 */ 970 return tls13_record_layer_set_write_traffic_key(ctx->rl, 971 &secrets->client_application_traffic); 972 } 973 974 int 975 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 976 { 977 SSL *s = ctx->ssl; 978 CBB cert_request_context, cert_list; 979 STACK_OF(X509) *chain; 980 CERT_PKEY *cpk; 981 X509 *cert; 982 int i, ret = 0; 983 984 /* XXX - Need to revisit certificate selection. */ 985 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 986 987 if ((chain = cpk->chain) == NULL) 988 chain = s->ctx->extra_certs; 989 990 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 991 goto err; 992 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 993 goto err; 994 995 if (cpk->x509 == NULL) 996 goto done; 997 998 if (!tls13_cert_add(&cert_list, cpk->x509)) 999 goto err; 1000 1001 for (i = 0; i < sk_X509_num(chain); i++) { 1002 cert = sk_X509_value(chain, i); 1003 if (!tls13_cert_add(&cert_list, cert)) 1004 goto err; 1005 } 1006 1007 ctx->handshake_stage.hs_type |= WITH_CCV; 1008 done: 1009 if (!CBB_flush(cbb)) 1010 goto err; 1011 1012 ret = 1; 1013 1014 err: 1015 return ret; 1016 } 1017 1018 int 1019 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 1020 { 1021 SSL *s = ctx->ssl; 1022 const struct ssl_sigalg *sigalg = NULL; 1023 uint8_t *sig = NULL, *sig_content = NULL; 1024 size_t sig_len, sig_content_len; 1025 EVP_MD_CTX *mdctx = NULL; 1026 EVP_PKEY_CTX *pctx; 1027 EVP_PKEY *pkey; 1028 CERT_PKEY *cpk; 1029 CBB sig_cbb; 1030 int ret = 0; 1031 1032 memset(&sig_cbb, 0, sizeof(sig_cbb)); 1033 1034 /* XXX - Need to revisit certificate selection. */ 1035 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 1036 pkey = cpk->privatekey; 1037 1038 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 1039 /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */ 1040 goto err; 1041 } 1042 1043 if (!CBB_init(&sig_cbb, 0)) 1044 goto err; 1045 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 1046 sizeof(tls13_cert_verify_pad))) 1047 goto err; 1048 if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, 1049 strlen(tls13_cert_client_verify_context))) 1050 goto err; 1051 if (!CBB_add_u8(&sig_cbb, 0)) 1052 goto err; 1053 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 1054 ctx->hs->transcript_hash_len)) 1055 goto err; 1056 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 1057 goto err; 1058 1059 if ((mdctx = EVP_MD_CTX_new()) == NULL) 1060 goto err; 1061 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 1062 goto err; 1063 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 1064 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 1065 goto err; 1066 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 1067 goto err; 1068 } 1069 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 1070 goto err; 1071 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 1072 goto err; 1073 if ((sig = calloc(1, sig_len)) == NULL) 1074 goto err; 1075 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 1076 goto err; 1077 1078 if (!CBB_add_u16(cbb, sigalg->value)) 1079 goto err; 1080 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 1081 goto err; 1082 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 1083 goto err; 1084 1085 if (!CBB_flush(cbb)) 1086 goto err; 1087 1088 ret = 1; 1089 1090 err: 1091 if (!ret && ctx->alert == 0) 1092 ctx->alert = TLS1_AD_INTERNAL_ERROR; 1093 1094 CBB_cleanup(&sig_cbb); 1095 EVP_MD_CTX_free(mdctx); 1096 free(sig_content); 1097 free(sig); 1098 1099 return ret; 1100 } 1101