xref: /openbsd-src/lib/libssl/tls13_lib.c (revision 9c83d7109b1bc23a577588a4a59bd6ddbe44db56) 
1*9c83d710Sjsing /*	$OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
2389212baSjsing /*
3389212baSjsing  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
489458272Sbeck  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
5389212baSjsing  *
6389212baSjsing  * Permission to use, copy, modify, and distribute this software for any
7389212baSjsing  * purpose with or without fee is hereby granted, provided that the above
8389212baSjsing  * copyright notice and this permission notice appear in all copies.
9389212baSjsing  *
10389212baSjsing  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11389212baSjsing  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12389212baSjsing  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13389212baSjsing  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14389212baSjsing  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15389212baSjsing  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16389212baSjsing  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17389212baSjsing  */
18389212baSjsing 
19389212baSjsing #include <stddef.h>
20389212baSjsing 
21389212baSjsing #include <openssl/evp.h>
22389212baSjsing 
23c9675a23Stb #include "ssl_local.h"
2417fca910Sbeck #include "ssl_tlsext.h"
25389212baSjsing #include "tls13_internal.h"
26389212baSjsing 
27709e85ffSbeck /*
28cd23280fStb  * RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than
29cd23280fStb  * 7 days and clients must not cache tickets for longer than 7 days.
30cd23280fStb  */
31cd23280fStb 
32cd23280fStb #define TLS13_MAX_TICKET_LIFETIME	(7 * 24 * 3600)
33cd23280fStb 
34cd23280fStb /*
3541b6c22cSjsing  * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set
3641b6c22cSjsing  * by the server in server random if it is willing to downgrade but supports
3741b6c22cSjsing  * TLSv1.3
38709e85ffSbeck  */
3941b6c22cSjsing const uint8_t tls13_downgrade_12[8] = {
4041b6c22cSjsing 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01,
4141b6c22cSjsing };
4241b6c22cSjsing const uint8_t tls13_downgrade_11[8] = {
4341b6c22cSjsing 	0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00,
4441b6c22cSjsing };
4541b6c22cSjsing 
4641b6c22cSjsing /*
4741b6c22cSjsing  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
4841b6c22cSjsing  */
4941b6c22cSjsing const uint8_t tls13_hello_retry_request_hash[32] = {
5041b6c22cSjsing 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
5141b6c22cSjsing 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
5241b6c22cSjsing 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
5341b6c22cSjsing 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
5441b6c22cSjsing };
5541b6c22cSjsing 
5641b6c22cSjsing /*
5741b6c22cSjsing  * Certificate Verify padding - RFC 8446 section 4.4.3.
5841b6c22cSjsing  */
5941b6c22cSjsing const uint8_t tls13_cert_verify_pad[64] = {
6041b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6141b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6241b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6341b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6441b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6541b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6641b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6741b6c22cSjsing 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
6841b6c22cSjsing };
6941b6c22cSjsing 
7041b6c22cSjsing const uint8_t tls13_cert_client_verify_context[] =
7141b6c22cSjsing     "TLS 1.3, client CertificateVerify";
7241b6c22cSjsing const uint8_t tls13_cert_server_verify_context[] =
7341b6c22cSjsing     "TLS 1.3, server CertificateVerify";
74709e85ffSbeck 
75389212baSjsing const EVP_AEAD *
tls13_cipher_aead(const SSL_CIPHER * cipher)76389212baSjsing tls13_cipher_aead(const SSL_CIPHER *cipher)
77389212baSjsing {
78389212baSjsing 	if (cipher == NULL)
79389212baSjsing 		return NULL;
80389212baSjsing 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
81389212baSjsing 		return NULL;
82389212baSjsing 
83389212baSjsing 	switch (cipher->algorithm_enc) {
84389212baSjsing 	case SSL_AES128GCM:
85389212baSjsing 		return EVP_aead_aes_128_gcm();
86389212baSjsing 	case SSL_AES256GCM:
87389212baSjsing 		return EVP_aead_aes_256_gcm();
88389212baSjsing 	case SSL_CHACHA20POLY1305:
89389212baSjsing 		return EVP_aead_chacha20_poly1305();
90389212baSjsing 	}
91389212baSjsing 
92389212baSjsing 	return NULL;
93389212baSjsing }
94389212baSjsing 
95389212baSjsing const EVP_MD *
tls13_cipher_hash(const SSL_CIPHER * cipher)96389212baSjsing tls13_cipher_hash(const SSL_CIPHER *cipher)
97389212baSjsing {
98389212baSjsing 	if (cipher == NULL)
99389212baSjsing 		return NULL;
100389212baSjsing 	if (cipher->algorithm_ssl != SSL_TLSV1_3)
101389212baSjsing 		return NULL;
102389212baSjsing 
103389212baSjsing 	switch (cipher->algorithm2) {
104389212baSjsing 	case SSL_HANDSHAKE_MAC_SHA256:
105389212baSjsing 		return EVP_sha256();
106389212baSjsing 	case SSL_HANDSHAKE_MAC_SHA384:
107389212baSjsing 		return EVP_sha384();
108389212baSjsing 	}
109389212baSjsing 
110389212baSjsing 	return NULL;
111389212baSjsing }
112389212baSjsing 
113*9c83d710Sjsing static void
tls13_legacy_alert_cb(int sent,uint8_t alert_level,uint8_t alert_desc,void * arg)114*9c83d710Sjsing tls13_legacy_alert_cb(int sent, uint8_t alert_level, uint8_t alert_desc,
115*9c83d710Sjsing     void *arg)
116*9c83d710Sjsing {
117*9c83d710Sjsing 	uint8_t alert[] = {alert_level, alert_desc};
118*9c83d710Sjsing 	struct tls13_ctx *ctx = arg;
119*9c83d710Sjsing 	SSL *s = ctx->ssl;
120*9c83d710Sjsing 	CBS cbs;
121*9c83d710Sjsing 
122*9c83d710Sjsing 	if (s->msg_callback == NULL)
123*9c83d710Sjsing 		return;
124*9c83d710Sjsing 
125*9c83d710Sjsing 	CBS_init(&cbs, alert, sizeof(alert));
126*9c83d710Sjsing 	ssl_msg_callback_cbs(s, sent, SSL3_RT_ALERT, &cbs);
127*9c83d710Sjsing }
128*9c83d710Sjsing 
129*9c83d710Sjsing static void
tls13_legacy_alert_recv_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)130*9c83d710Sjsing tls13_legacy_alert_recv_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
131*9c83d710Sjsing {
132*9c83d710Sjsing 	tls13_legacy_alert_cb(0, alert_level, alert_desc, arg);
133*9c83d710Sjsing }
134*9c83d710Sjsing 
135*9c83d710Sjsing static void
tls13_legacy_alert_sent_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)136*9c83d710Sjsing tls13_legacy_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
137*9c83d710Sjsing {
138*9c83d710Sjsing 	tls13_legacy_alert_cb(1, alert_level, alert_desc, arg);
139*9c83d710Sjsing }
140*9c83d710Sjsing 
141f7e8f89fSjsing void
tls13_alert_received_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)142*9c83d710Sjsing tls13_alert_received_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
143a6b06cf1Sjsing {
144a6b06cf1Sjsing 	struct tls13_ctx *ctx = arg;
145a6b06cf1Sjsing 
146*9c83d710Sjsing 	if (ctx->alert_recv_cb != NULL)
147*9c83d710Sjsing 		ctx->alert_recv_cb(alert_level, alert_desc, arg);
148*9c83d710Sjsing 
149c957d00cSjsing 	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
150828ae560Sjsing 		ctx->close_notify_recv = 1;
1516f7f653bSjsing 		ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN;
15202876cc3Sjsing 		ctx->ssl->s3->warn_alert = alert_desc;
153a6b06cf1Sjsing 		return;
154a6b06cf1Sjsing 	}
155a6b06cf1Sjsing 
156c957d00cSjsing 	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
157a6b06cf1Sjsing 		/*
158a6b06cf1Sjsing 		 * We treat this as advisory, since a close_notify alert
159a6b06cf1Sjsing 		 * SHOULD follow this alert (RFC 8446 section 6.1).
160a6b06cf1Sjsing 		 */
161a6b06cf1Sjsing 		return;
162a6b06cf1Sjsing 	}
163a6b06cf1Sjsing 
164a6b06cf1Sjsing 	/* All other alerts are treated as fatal in TLSv1.3. */
16502876cc3Sjsing 	ctx->ssl->s3->fatal_alert = alert_desc;
166a6b06cf1Sjsing 
167a6b06cf1Sjsing 	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
168a6b06cf1Sjsing 	ERR_asprintf_error_data("SSL alert number %d", alert_desc);
169a6b06cf1Sjsing 
1704af36d07Sjsing 	SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session);
1714af36d07Sjsing }
1724af36d07Sjsing 
173f7e8f89fSjsing void
tls13_alert_sent_cb(uint8_t alert_level,uint8_t alert_desc,void * arg)174*9c83d710Sjsing tls13_alert_sent_cb(uint8_t alert_level, uint8_t alert_desc, void *arg)
1754af36d07Sjsing {
1764af36d07Sjsing 	struct tls13_ctx *ctx = arg;
1774af36d07Sjsing 
178*9c83d710Sjsing 	if (ctx->alert_sent_cb != NULL)
179*9c83d710Sjsing 		ctx->alert_sent_cb(alert_level, alert_desc, arg);
180*9c83d710Sjsing 
1816b228a2cSjsing 	if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) {
1824af36d07Sjsing 		ctx->close_notify_sent = 1;
1834af36d07Sjsing 		return;
1844af36d07Sjsing 	}
1854af36d07Sjsing 
1866b228a2cSjsing 	if (alert_desc == TLS13_ALERT_USER_CANCELED) {
1874af36d07Sjsing 		return;
1884af36d07Sjsing 	}
1894af36d07Sjsing 
1904af36d07Sjsing 	/* All other alerts are treated as fatal in TLSv1.3. */
191caffe9b5Stb 	if (ctx->error.code == 0)
1924af36d07Sjsing 		SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
193a6b06cf1Sjsing }
194a6b06cf1Sjsing 
1956b92931aStb static void
tls13_legacy_handshake_message_recv_cb(void * arg)196753de96bStb tls13_legacy_handshake_message_recv_cb(void *arg)
1976b92931aStb {
1986b92931aStb 	struct tls13_ctx *ctx = arg;
1996b92931aStb 	SSL *s = ctx->ssl;
200753de96bStb 	CBS cbs;
2016b92931aStb 
2026f7f653bSjsing 	if (s->msg_callback == NULL)
203753de96bStb 		return;
204753de96bStb 
205753de96bStb 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
206d16eb93aSjsing 	ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs);
2076b92931aStb }
2086b92931aStb 
2096b92931aStb static void
tls13_legacy_handshake_message_sent_cb(void * arg)210753de96bStb tls13_legacy_handshake_message_sent_cb(void *arg)
2116b92931aStb {
2126b92931aStb 	struct tls13_ctx *ctx = arg;
2136b92931aStb 	SSL *s = ctx->ssl;
214753de96bStb 	CBS cbs;
2156b92931aStb 
2166f7f653bSjsing 	if (s->msg_callback == NULL)
217753de96bStb 		return;
218753de96bStb 
219753de96bStb 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
220d16eb93aSjsing 	ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs);
2216b92931aStb }
2226b92931aStb 
22308d6ed5eStb static void
tls13_legacy_info_cb(void * arg,int state,int ret)22408d6ed5eStb tls13_legacy_info_cb(void *arg, int state, int ret)
22508d6ed5eStb {
22608d6ed5eStb 	struct tls13_ctx *ctx = arg;
22708d6ed5eStb 	SSL *s = ctx->ssl;
22808d6ed5eStb 
229545b2b63Sjsing 	ssl_info_callback(s, state, ret);
23008d6ed5eStb }
23108d6ed5eStb 
23289458272Sbeck static int
tls13_legacy_ocsp_status_recv_cb(void * arg)2334770065fSbeck tls13_legacy_ocsp_status_recv_cb(void *arg)
2344770065fSbeck {
2354770065fSbeck 	struct tls13_ctx *ctx = arg;
2364770065fSbeck 	SSL *s = ctx->ssl;
2374770065fSbeck 	int ret;
2384770065fSbeck 
2396f7f653bSjsing 	if (s->ctx->tlsext_status_cb == NULL)
2404770065fSbeck 		return 1;
2414770065fSbeck 
2426f7f653bSjsing 	ret = s->ctx->tlsext_status_cb(s,
2436f7f653bSjsing 	    s->ctx->tlsext_status_arg);
2444770065fSbeck 	if (ret < 0) {
245c957d00cSjsing 		ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
2464770065fSbeck 		SSLerror(s, ERR_R_MALLOC_FAILURE);
2474770065fSbeck 		return 0;
2484770065fSbeck 	}
2494770065fSbeck 	if (ret == 0) {
250c957d00cSjsing 		ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE;
2514770065fSbeck 		SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE);
2524770065fSbeck 		return 0;
2534770065fSbeck 	}
2544770065fSbeck 
2554770065fSbeck 	return 1;
2564770065fSbeck }
2574770065fSbeck 
2584770065fSbeck static int
tls13_phh_update_read_traffic_secret(struct tls13_ctx * ctx)259622f173fSjsing tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx)
26089458272Sbeck {
261d4edc922Sjsing 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
262622f173fSjsing 	struct tls13_secret *secret;
26389458272Sbeck 
264622f173fSjsing 	if (ctx->mode == TLS13_HS_CLIENT) {
265622f173fSjsing 		secret = &secrets->server_application_traffic;
266622f173fSjsing 		if (!tls13_update_server_traffic_secret(secrets))
267622f173fSjsing 			return 0;
268622f173fSjsing 	} else {
269622f173fSjsing 		secret = &secrets->client_application_traffic;
270622f173fSjsing 		if (!tls13_update_client_traffic_secret(secrets))
271622f173fSjsing 			return 0;
272622f173fSjsing 	}
273622f173fSjsing 
2746ea83a9dSjsing 	return tls13_record_layer_set_read_traffic_key(ctx->rl,
2756ea83a9dSjsing 	    secret, ssl_encryption_application);
27689458272Sbeck }
27789458272Sbeck 
27889458272Sbeck static int
tls13_phh_update_write_traffic_secret(struct tls13_ctx * ctx)279622f173fSjsing tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx)
28089458272Sbeck {
281d4edc922Sjsing 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
282622f173fSjsing 	struct tls13_secret *secret;
28389458272Sbeck 
284622f173fSjsing 	if (ctx->mode == TLS13_HS_CLIENT) {
285622f173fSjsing 		secret = &secrets->client_application_traffic;
286622f173fSjsing 		if (!tls13_update_client_traffic_secret(secrets))
287622f173fSjsing 			return 0;
288622f173fSjsing 	} else {
289622f173fSjsing 		secret = &secrets->server_application_traffic;
290622f173fSjsing 		if (!tls13_update_server_traffic_secret(secrets))
291622f173fSjsing 			return 0;
292622f173fSjsing 	}
293622f173fSjsing 
2946ea83a9dSjsing 	return tls13_record_layer_set_write_traffic_key(ctx->rl,
2956ea83a9dSjsing 	    secret, ssl_encryption_application);
29689458272Sbeck }
29789458272Sbeck 
29889458272Sbeck /*
29989458272Sbeck  * XXX arbitrarily chosen limit of 100 post handshake handshake
30089458272Sbeck  * messages in an hour - to avoid a hostile peer from constantly
30189458272Sbeck  * requesting certificates or key renegotiaitons, etc.
30289458272Sbeck  */
30389458272Sbeck static int
tls13_phh_limit_check(struct tls13_ctx * ctx)30489458272Sbeck tls13_phh_limit_check(struct tls13_ctx *ctx)
30589458272Sbeck {
30689458272Sbeck 	time_t now = time(NULL);
30789458272Sbeck 
30889458272Sbeck 	if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) {
30989458272Sbeck 		if (ctx->phh_count > TLS13_PHH_LIMIT)
31089458272Sbeck 			return 0;
31189458272Sbeck 	} else
31289458272Sbeck 		ctx->phh_count = 0;
31389458272Sbeck 	ctx->phh_count++;
31489458272Sbeck 	ctx->phh_last_seen = now;
31589458272Sbeck 	return 1;
31689458272Sbeck }
31789458272Sbeck 
31889458272Sbeck static ssize_t
tls13_key_update_recv(struct tls13_ctx * ctx,CBS * cbs)31989458272Sbeck tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
32089458272Sbeck {
32183aac8c8Stb 	struct tls13_handshake_msg *hs_msg = NULL;
322fa57fcd6Stb 	CBB cbb_hs;
323fa57fcd6Stb 	CBS cbs_hs;
324799f07abSbeck 	uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
325799f07abSbeck 	uint8_t key_update_request;
326799f07abSbeck 	ssize_t ret;
32789458272Sbeck 
328799f07abSbeck 	if (!CBS_get_u8(cbs, &key_update_request)) {
329799f07abSbeck 		alert = TLS13_ALERT_DECODE_ERROR;
33089458272Sbeck 		goto err;
331799f07abSbeck 	}
332799f07abSbeck 	if (CBS_len(cbs) != 0) {
333799f07abSbeck 		alert = TLS13_ALERT_DECODE_ERROR;
33489458272Sbeck 		goto err;
335799f07abSbeck 	}
336799f07abSbeck 	if (key_update_request > 1) {
337799f07abSbeck 		alert = TLS13_ALERT_ILLEGAL_PARAMETER;
338799f07abSbeck 		goto err;
339799f07abSbeck 	}
34089458272Sbeck 
341622f173fSjsing 	if (!tls13_phh_update_read_traffic_secret(ctx))
34289458272Sbeck 		goto err;
34389458272Sbeck 
34417b56951Stb 	if (key_update_request == 0)
34517b56951Stb 		return TLS13_IO_SUCCESS;
34617b56951Stb 
347622f173fSjsing 	/* Our peer requested that we update our write traffic keys. */
34883aac8c8Stb 	if ((hs_msg = tls13_handshake_msg_new()) == NULL)
34983aac8c8Stb 		goto err;
35017b56951Stb 	if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE))
35189458272Sbeck 		goto err;
352fa57fcd6Stb 	if (!CBB_add_u8(&cbb_hs, 0))
35389458272Sbeck 		goto err;
35483aac8c8Stb 	if (!tls13_handshake_msg_finish(hs_msg))
35589458272Sbeck 		goto err;
356799f07abSbeck 
35783aac8c8Stb 	ctx->key_update_request = 1;
358fa57fcd6Stb 	tls13_handshake_msg_data(hs_msg, &cbs_hs);
359fa57fcd6Stb 	ret = tls13_record_layer_phh(ctx->rl, &cbs_hs);
36089458272Sbeck 
36183aac8c8Stb 	tls13_handshake_msg_free(hs_msg);
36283aac8c8Stb 	hs_msg = NULL;
36389458272Sbeck 
36489458272Sbeck 	return ret;
36583aac8c8Stb 
36689458272Sbeck  err:
36783aac8c8Stb 	tls13_handshake_msg_free(hs_msg);
36883aac8c8Stb 
369799f07abSbeck 	return tls13_send_alert(ctx->rl, alert);
37089458272Sbeck }
37189458272Sbeck 
372ede6d6deStb /* RFC 8446 section 4.6.1 */
373ede6d6deStb static ssize_t
tls13_new_session_ticket_recv(struct tls13_ctx * ctx,CBS * cbs)374ede6d6deStb tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs)
375ede6d6deStb {
376ede6d6deStb 	struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
377ede6d6deStb 	struct tls13_secret nonce;
378ede6d6deStb 	uint32_t ticket_lifetime, ticket_age_add;
379ede6d6deStb 	CBS ticket_nonce, ticket;
380ede6d6deStb 	SSL_SESSION *sess = NULL;
381ede6d6deStb 	int alert, session_id_length;
382ede6d6deStb 	ssize_t ret = 0;
383ede6d6deStb 
384ede6d6deStb 	memset(&nonce, 0, sizeof(nonce));
385ede6d6deStb 
386ede6d6deStb 	if (ctx->mode != TLS13_HS_CLIENT) {
387ede6d6deStb 		alert = TLS13_ALERT_UNEXPECTED_MESSAGE;
388ede6d6deStb 		goto err;
389ede6d6deStb 	}
390ede6d6deStb 
391ede6d6deStb 	alert = TLS13_ALERT_DECODE_ERROR;
392ede6d6deStb 
393ede6d6deStb 	if (!CBS_get_u32(cbs, &ticket_lifetime))
394ede6d6deStb 		goto err;
395ede6d6deStb 	if (!CBS_get_u32(cbs, &ticket_age_add))
396ede6d6deStb 		goto err;
397ede6d6deStb 	if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce))
398ede6d6deStb 		goto err;
399ede6d6deStb 	if (!CBS_get_u16_length_prefixed(cbs, &ticket))
400ede6d6deStb 		goto err;
401ede6d6deStb 	/* Extensions can only contain early_data, which we currently ignore. */
402ede6d6deStb 	if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert))
403ede6d6deStb 		goto err;
404ede6d6deStb 
405ede6d6deStb 	if (CBS_len(cbs) != 0)
406ede6d6deStb 		goto err;
407ede6d6deStb 
408ede6d6deStb 	/* Zero indicates that the ticket should be discarded immediately. */
409ede6d6deStb 	if (ticket_lifetime == 0) {
410ede6d6deStb 		ret = TLS13_IO_SUCCESS;
411ede6d6deStb 		goto done;
412ede6d6deStb 	}
413ede6d6deStb 
414ede6d6deStb 	/* Servers MUST NOT use any value larger than 7 days. */
415ede6d6deStb 	if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) {
416ede6d6deStb 		alert = TLS13_ALERT_ILLEGAL_PARAMETER;
417ede6d6deStb 		goto err;
418ede6d6deStb 	}
419ede6d6deStb 
420ede6d6deStb 	alert = TLS13_ALERT_INTERNAL_ERROR;
421ede6d6deStb 
422ede6d6deStb 	/*
423ede6d6deStb 	 * Create new session instead of modifying the current session.
424ede6d6deStb 	 * The current session could already be in the session cache.
425ede6d6deStb 	 */
426ede6d6deStb 	if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL)
427ede6d6deStb 		goto err;
428ede6d6deStb 
429ede6d6deStb 	sess->time = time(NULL);
430ede6d6deStb 
431ede6d6deStb 	sess->tlsext_tick_lifetime_hint = ticket_lifetime;
432ede6d6deStb 	sess->tlsext_tick_age_add = ticket_age_add;
433ede6d6deStb 
434ede6d6deStb 	if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen))
435ede6d6deStb 		goto err;
436ede6d6deStb 
437ede6d6deStb 	/* XXX - ensure this doesn't overflow session_id if hash is changed. */
438ede6d6deStb 	if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket),
439ede6d6deStb 	    sess->session_id, &session_id_length, EVP_sha256(), NULL))
440ede6d6deStb 		goto err;
441ede6d6deStb 	sess->session_id_length = session_id_length;
442ede6d6deStb 
443ede6d6deStb 	if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len))
444ede6d6deStb 		goto err;
445ede6d6deStb 
446ede6d6deStb 	if (!tls13_secret_init(&sess->resumption_master_secret, 256))
447ede6d6deStb 		goto err;
448ede6d6deStb 
449ede6d6deStb 	if (!tls13_derive_secret(&sess->resumption_master_secret,
450ede6d6deStb 	    secrets->digest, &secrets->resumption_master, "resumption",
451ede6d6deStb 	    &nonce))
452ede6d6deStb 		goto err;
453ede6d6deStb 
454ede6d6deStb 	SSL_SESSION_free(ctx->ssl->session);
455ede6d6deStb 	ctx->ssl->session = sess;
456ede6d6deStb 	sess = NULL;
457ede6d6deStb 
458ede6d6deStb 	ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT);
459ede6d6deStb 
460ede6d6deStb 	ret = TLS13_IO_SUCCESS;
461ede6d6deStb 	goto done;
462ede6d6deStb 
463ede6d6deStb  err:
464ede6d6deStb 	ret = tls13_send_alert(ctx->rl, alert);
465ede6d6deStb 
466ede6d6deStb  done:
467ede6d6deStb 	tls13_secret_cleanup(&nonce);
468ede6d6deStb 	SSL_SESSION_free(sess);
469ede6d6deStb 
470ede6d6deStb 	return ret;
471ede6d6deStb }
472ede6d6deStb 
473f7e8f89fSjsing ssize_t
tls13_phh_received_cb(void * cb_arg)474fc718d1dSjsing tls13_phh_received_cb(void *cb_arg)
47589458272Sbeck {
47689458272Sbeck 	ssize_t ret = TLS13_IO_FAILURE;
47789458272Sbeck 	struct tls13_ctx *ctx = cb_arg;
478fc718d1dSjsing 	CBS cbs;
47989458272Sbeck 
48089458272Sbeck 	if (!tls13_phh_limit_check(ctx))
481c957d00cSjsing 		return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);
48289458272Sbeck 
48389458272Sbeck 	if ((ctx->hs_msg == NULL) &&
48489458272Sbeck 	    ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL))
48589458272Sbeck 		return TLS13_IO_FAILURE;
48689458272Sbeck 
487fc718d1dSjsing 	if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) !=
488fc718d1dSjsing 	    TLS13_IO_SUCCESS)
48989458272Sbeck 		return ret;
49089458272Sbeck 
491fc718d1dSjsing 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
49289458272Sbeck 		return TLS13_IO_FAILURE;
49389458272Sbeck 
49489458272Sbeck 	switch(tls13_handshake_msg_type(ctx->hs_msg)) {
49589458272Sbeck 	case TLS13_MT_KEY_UPDATE:
496fc718d1dSjsing 		ret = tls13_key_update_recv(ctx, &cbs);
49789458272Sbeck 		break;
49889458272Sbeck 	case TLS13_MT_NEW_SESSION_TICKET:
499ede6d6deStb 		ret = tls13_new_session_ticket_recv(ctx, &cbs);
50089458272Sbeck 		break;
50189458272Sbeck 	case TLS13_MT_CERTIFICATE_REQUEST:
50289458272Sbeck 		/* XXX add support if we choose to advertise this */
50389458272Sbeck 		/* FALLTHROUGH */
50489458272Sbeck 	default:
50589458272Sbeck 		ret = TLS13_IO_FAILURE; /* XXX send alert */
50689458272Sbeck 		break;
50789458272Sbeck 	}
50889458272Sbeck 
50989458272Sbeck 	tls13_handshake_msg_free(ctx->hs_msg);
51089458272Sbeck 	ctx->hs_msg = NULL;
51189458272Sbeck 	return ret;
51289458272Sbeck }
51389458272Sbeck 
514f7e8f89fSjsing void
tls13_phh_done_cb(void * cb_arg)5154430b9a0Sjsing tls13_phh_done_cb(void *cb_arg)
5164430b9a0Sjsing {
5174430b9a0Sjsing 	struct tls13_ctx *ctx = cb_arg;
5184430b9a0Sjsing 
5194430b9a0Sjsing 	if (ctx->key_update_request) {
5204430b9a0Sjsing 		tls13_phh_update_write_traffic_secret(ctx);
5214430b9a0Sjsing 		ctx->key_update_request = 0;
5224430b9a0Sjsing 	}
5234430b9a0Sjsing }
5244430b9a0Sjsing 
525f7e8f89fSjsing static const struct tls13_record_layer_callbacks tls13_rl_callbacks = {
526a234fc1eSjsing 	.wire_read = tls13_legacy_wire_read_cb,
527a234fc1eSjsing 	.wire_write = tls13_legacy_wire_write_cb,
5281e0f72feSjsing 	.wire_flush = tls13_legacy_wire_flush_cb,
529f7e8f89fSjsing 
530a234fc1eSjsing 	.alert_recv = tls13_alert_received_cb,
5314af36d07Sjsing 	.alert_sent = tls13_alert_sent_cb,
532a234fc1eSjsing 	.phh_recv = tls13_phh_received_cb,
533a234fc1eSjsing 	.phh_sent = tls13_phh_done_cb,
534a234fc1eSjsing };
535a234fc1eSjsing 
53620290792Sjsing struct tls13_ctx *
tls13_ctx_new(int mode,SSL * ssl)5376a3d21eeSjsing tls13_ctx_new(int mode, SSL *ssl)
53820290792Sjsing {
53920290792Sjsing 	struct tls13_ctx *ctx = NULL;
54020290792Sjsing 
54120290792Sjsing 	if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
54220290792Sjsing 		goto err;
54320290792Sjsing 
5446a3d21eeSjsing 	ctx->hs = &ssl->s3->hs;
54520290792Sjsing 	ctx->mode = mode;
5466a3d21eeSjsing 	ctx->ssl = ssl;
54720290792Sjsing 
548f7e8f89fSjsing 	if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL)
54920290792Sjsing 		goto err;
55020290792Sjsing 
551*9c83d710Sjsing 	ctx->alert_sent_cb = tls13_legacy_alert_sent_cb;
552*9c83d710Sjsing 	ctx->alert_recv_cb = tls13_legacy_alert_recv_cb;
5536b92931aStb 	ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb;
5546b92931aStb 	ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb;
55508d6ed5eStb 	ctx->info_cb = tls13_legacy_info_cb;
5564770065fSbeck 	ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb;
5576b92931aStb 
5580e548c8fSjsing 	ctx->middlebox_compat = 1;
5590e548c8fSjsing 
5606f7f653bSjsing 	ssl->tls13 = ctx;
5616a3d21eeSjsing 
562f7e8f89fSjsing 	if (SSL_is_quic(ssl)) {
563f7e8f89fSjsing 		if (!tls13_quic_init(ctx))
564f7e8f89fSjsing 			goto err;
565f7e8f89fSjsing 	}
566f7e8f89fSjsing 
56720290792Sjsing 	return ctx;
56820290792Sjsing 
56920290792Sjsing  err:
57020290792Sjsing 	tls13_ctx_free(ctx);
57120290792Sjsing 
57220290792Sjsing 	return NULL;
57320290792Sjsing }
57420290792Sjsing 
57520290792Sjsing void
tls13_ctx_free(struct tls13_ctx * ctx)57620290792Sjsing tls13_ctx_free(struct tls13_ctx *ctx)
57720290792Sjsing {
57820290792Sjsing 	if (ctx == NULL)
57920290792Sjsing 		return;
58020290792Sjsing 
581c9989395Sjsing 	tls13_error_clear(&ctx->error);
58220290792Sjsing 	tls13_record_layer_free(ctx->rl);
583070fefd4Stb 	tls13_handshake_msg_free(ctx->hs_msg);
58420290792Sjsing 
58520290792Sjsing 	freezero(ctx, sizeof(struct tls13_ctx));
58620290792Sjsing }
58720290792Sjsing 
5882a0f8bf3Sbeck int
tls13_cert_add(struct tls13_ctx * ctx,CBB * cbb,X509 * cert,int (* build_extensions)(SSL * s,uint16_t msg_type,CBB * cbb))58917fca910Sbeck tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert,
5909b8a142fStb     int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb))
5912a0f8bf3Sbeck {
592c2daf09fSjsing 	CBB cert_data, cert_exts;
5932a0f8bf3Sbeck 	uint8_t *data;
5942a0f8bf3Sbeck 	int cert_len;
5952a0f8bf3Sbeck 
5962a0f8bf3Sbeck 	if ((cert_len = i2d_X509(cert, NULL)) < 0)
5972a0f8bf3Sbeck 		return 0;
5982a0f8bf3Sbeck 
5992a0f8bf3Sbeck 	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
6002a0f8bf3Sbeck 		return 0;
6012a0f8bf3Sbeck 	if (!CBB_add_space(&cert_data, &data, cert_len))
6022a0f8bf3Sbeck 		return 0;
6032a0f8bf3Sbeck 	if (i2d_X509(cert, &data) != cert_len)
6042a0f8bf3Sbeck 		return 0;
60592931873Sbeck 	if (build_extensions != NULL) {
6069b8a142fStb 		if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb))
6072a0f8bf3Sbeck 			return 0;
60892931873Sbeck 	} else {
60992931873Sbeck 		if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
61092931873Sbeck 			return 0;
61192931873Sbeck 	}
6122a0f8bf3Sbeck 	if (!CBB_flush(cbb))
6132a0f8bf3Sbeck 		return 0;
6142a0f8bf3Sbeck 
6152a0f8bf3Sbeck 	return 1;
6162a0f8bf3Sbeck }
61770bdc49bSjsing 
61870bdc49bSjsing int
tls13_synthetic_handshake_message(struct tls13_ctx * ctx)61970bdc49bSjsing tls13_synthetic_handshake_message(struct tls13_ctx *ctx)
62070bdc49bSjsing {
62170bdc49bSjsing 	struct tls13_handshake_msg *hm = NULL;
62270bdc49bSjsing 	unsigned char buf[EVP_MAX_MD_SIZE];
62370bdc49bSjsing 	size_t hash_len;
62470bdc49bSjsing 	CBB cbb;
62570bdc49bSjsing 	CBS cbs;
62670bdc49bSjsing 	SSL *s = ctx->ssl;
62770bdc49bSjsing 	int ret = 0;
62870bdc49bSjsing 
62970bdc49bSjsing 	/*
63070bdc49bSjsing 	 * Replace ClientHello with synthetic handshake message - see
63170bdc49bSjsing 	 * RFC 8446 section 4.4.1.
63270bdc49bSjsing 	 */
63370bdc49bSjsing 	if (!tls1_transcript_hash_init(s))
63470bdc49bSjsing 		goto err;
63570bdc49bSjsing 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
63670bdc49bSjsing 		goto err;
63770bdc49bSjsing 
63870bdc49bSjsing 	if ((hm = tls13_handshake_msg_new()) == NULL)
63970bdc49bSjsing 		goto err;
64070bdc49bSjsing 	if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH))
64170bdc49bSjsing 		goto err;
64270bdc49bSjsing 	if (!CBB_add_bytes(&cbb, buf, hash_len))
64370bdc49bSjsing 		goto err;
64470bdc49bSjsing 	if (!tls13_handshake_msg_finish(hm))
64570bdc49bSjsing 		goto err;
64670bdc49bSjsing 
64770bdc49bSjsing 	tls13_handshake_msg_data(hm, &cbs);
64870bdc49bSjsing 
64970bdc49bSjsing 	tls1_transcript_reset(ctx->ssl);
65070bdc49bSjsing 	if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)))
65170bdc49bSjsing 		goto err;
65270bdc49bSjsing 
65370bdc49bSjsing 	ret = 1;
65470bdc49bSjsing 
65570bdc49bSjsing  err:
65670bdc49bSjsing 	tls13_handshake_msg_free(hm);
65770bdc49bSjsing 
65870bdc49bSjsing 	return ret;
65970bdc49bSjsing }
660095832a3Sbeck 
661095832a3Sbeck int
tls13_clienthello_hash_init(struct tls13_ctx * ctx)662095832a3Sbeck tls13_clienthello_hash_init(struct tls13_ctx *ctx)
663095832a3Sbeck {
664d4edc922Sjsing 	if (ctx->hs->tls13.clienthello_md_ctx != NULL)
665095832a3Sbeck 		return 0;
666d4edc922Sjsing 	if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL)
667095832a3Sbeck 		return 0;
668d4edc922Sjsing 	if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx,
669095832a3Sbeck 	    EVP_sha256(), NULL))
670095832a3Sbeck 		return 0;
671095832a3Sbeck 
672d4edc922Sjsing 	if ((ctx->hs->tls13.clienthello_hash == NULL) &&
673d4edc922Sjsing 	    (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) ==
674095832a3Sbeck 	    NULL)
675095832a3Sbeck 		return 0;
676095832a3Sbeck 
677095832a3Sbeck 	return 1;
678095832a3Sbeck }
679095832a3Sbeck 
680095832a3Sbeck void
tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st * hs)681d4edc922Sjsing tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */
682095832a3Sbeck {
683095832a3Sbeck 	EVP_MD_CTX_free(hs->clienthello_md_ctx);
684095832a3Sbeck 	hs->clienthello_md_ctx = NULL;
685095832a3Sbeck 	freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE);
686095832a3Sbeck 	hs->clienthello_hash = NULL;
687095832a3Sbeck }
688095832a3Sbeck 
689095832a3Sbeck int
tls13_clienthello_hash_update_bytes(struct tls13_ctx * ctx,void * data,size_t len)690095832a3Sbeck tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data,
691095832a3Sbeck     size_t len)
692095832a3Sbeck {
693d4edc922Sjsing 	return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len);
694095832a3Sbeck }
695095832a3Sbeck 
696095832a3Sbeck int
tls13_clienthello_hash_update(struct tls13_ctx * ctx,CBS * cbs)697095832a3Sbeck tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs)
698095832a3Sbeck {
699095832a3Sbeck 	return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs),
700095832a3Sbeck 	    CBS_len(cbs));
701095832a3Sbeck }
702095832a3Sbeck 
703095832a3Sbeck int
tls13_clienthello_hash_finalize(struct tls13_ctx * ctx)704095832a3Sbeck tls13_clienthello_hash_finalize(struct tls13_ctx *ctx)
705095832a3Sbeck {
706d4edc922Sjsing 	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
707d4edc922Sjsing 	    ctx->hs->tls13.clienthello_hash,
708d4edc922Sjsing 	    &ctx->hs->tls13.clienthello_hash_len))
709095832a3Sbeck 		return 0;
710d4edc922Sjsing 	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
711d4edc922Sjsing 	ctx->hs->tls13.clienthello_md_ctx = NULL;
712095832a3Sbeck 	return 1;
713095832a3Sbeck }
714095832a3Sbeck 
715095832a3Sbeck int
tls13_clienthello_hash_validate(struct tls13_ctx * ctx)716095832a3Sbeck tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
717095832a3Sbeck {
718095832a3Sbeck 	unsigned char new_ch_hash[EVP_MAX_MD_SIZE];
719095832a3Sbeck 	unsigned int new_ch_hash_len;
720095832a3Sbeck 
721d4edc922Sjsing 	if (ctx->hs->tls13.clienthello_hash == NULL)
722095832a3Sbeck 		return 0;
723095832a3Sbeck 
724d4edc922Sjsing 	if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx,
725095832a3Sbeck 	    new_ch_hash, &new_ch_hash_len))
726095832a3Sbeck 		return 0;
727d4edc922Sjsing 	EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx);
728d4edc922Sjsing 	ctx->hs->tls13.clienthello_md_ctx = NULL;
729095832a3Sbeck 
730d4edc922Sjsing 	if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len)
731095832a3Sbeck 		return 0;
732d4edc922Sjsing 	if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash,
733095832a3Sbeck 	    new_ch_hash_len) != 0)
734095832a3Sbeck 		return 0;
735095832a3Sbeck 
736095832a3Sbeck 	return 1;
737095832a3Sbeck }
738