1 /* $OpenBSD: tls13_server.c,v 1.50 2020/05/21 18:34:34 jsing Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include "ssl_locl.h" 20 #include "ssl_tlsext.h" 21 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 int 26 tls13_server_init(struct tls13_ctx *ctx) 27 { 28 SSL *s = ctx->ssl; 29 30 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 31 &ctx->hs->max_version)) { 32 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 33 return 0; 34 } 35 s->version = ctx->hs->max_version; 36 37 if (!ssl_get_new_session(s, 0)) /* XXX */ 38 return 0; 39 40 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 41 42 if (!tls1_transcript_init(s)) 43 return 0; 44 45 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 46 47 return 1; 48 } 49 50 int 51 tls13_server_accept(struct tls13_ctx *ctx) 52 { 53 if (ctx->mode != TLS13_HS_SERVER) 54 return TLS13_IO_FAILURE; 55 56 return tls13_handshake_perform(ctx); 57 } 58 59 static int 60 tls13_client_hello_is_legacy(CBS *cbs) 61 { 62 CBS extensions_block, extensions, extension_data, versions; 63 uint16_t version, max_version = 0; 64 uint16_t type; 65 66 CBS_dup(cbs, &extensions_block); 67 68 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 69 return 1; 70 71 while (CBS_len(&extensions) > 0) { 72 if (!CBS_get_u16(&extensions, &type)) 73 return 1; 74 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 75 return 1; 76 77 if (type != TLSEXT_TYPE_supported_versions) 78 continue; 79 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 80 return 1; 81 while (CBS_len(&versions) > 0) { 82 if (!CBS_get_u16(&versions, &version)) 83 return 1; 84 if (version >= max_version) 85 max_version = version; 86 } 87 if (CBS_len(&extension_data) != 0) 88 return 1; 89 } 90 91 return (max_version < TLS1_3_VERSION); 92 } 93 94 static const uint8_t tls13_compression_null_only[] = { 0 }; 95 96 static int 97 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 98 { 99 CBS cipher_suites, client_random, compression_methods, session_id; 100 STACK_OF(SSL_CIPHER) *ciphers = NULL; 101 const SSL_CIPHER *cipher; 102 uint16_t legacy_version; 103 int alert_desc; 104 SSL *s = ctx->ssl; 105 int ret = 0; 106 107 if (!CBS_get_u16(cbs, &legacy_version)) 108 goto err; 109 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 110 goto err; 111 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 112 goto err; 113 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 114 goto err; 115 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 116 goto err; 117 118 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 119 if (!CBS_skip(cbs, CBS_len(cbs))) 120 goto err; 121 return tls13_use_legacy_server(ctx); 122 } 123 124 if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) { 125 ctx->alert = alert_desc; 126 goto err; 127 } 128 129 /* 130 * If we got this far we have a supported versions extension that offers 131 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 132 */ 133 if (legacy_version != TLS1_2_VERSION) { 134 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 135 goto err; 136 } 137 138 /* Store legacy session identifier so we can echo it. */ 139 if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 140 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 141 goto err; 142 } 143 if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 144 sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len)) 145 goto err; 146 147 /* Parse cipher suites list and select preferred cipher. */ 148 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 149 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 150 goto err; 151 } 152 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 153 if (cipher == NULL) { 154 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 155 "no shared cipher found", NULL); 156 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 157 goto err; 158 } 159 S3I(s)->hs.new_cipher = cipher; 160 161 /* Ensure only the NULL compression method is advertised. */ 162 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 163 sizeof(tls13_compression_null_only))) { 164 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 165 goto err; 166 } 167 168 ret = 1; 169 170 err: 171 sk_SSL_CIPHER_free(ciphers); 172 173 return ret; 174 } 175 176 int 177 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 178 { 179 SSL *s = ctx->ssl; 180 181 if (!tls13_client_hello_process(ctx, cbs)) 182 goto err; 183 184 /* See if we switched back to the legacy client method. */ 185 if (s->method->internal->version < TLS1_3_VERSION) 186 return 1; 187 188 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 189 190 /* 191 * If a matching key share was provided, we do not need to send a 192 * HelloRetryRequest. 193 */ 194 /* 195 * XXX - ideally NEGOTIATED would only be added after record protection 196 * has been enabled. This would probably mean using either an 197 * INITIAL | WITHOUT_HRR state, or another intermediate state. 198 */ 199 if (ctx->hs->key_share != NULL) 200 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 201 202 /* XXX - check this is the correct point */ 203 tls13_record_layer_allow_ccs(ctx->rl, 1); 204 205 return 1; 206 207 err: 208 return 0; 209 } 210 211 static int 212 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 213 { 214 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 215 const uint8_t *server_random; 216 CBB session_id; 217 SSL *s = ctx->ssl; 218 uint16_t cipher; 219 220 cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 221 server_random = s->s3->server_random; 222 223 if (hrr) { 224 server_random = tls13_hello_retry_request_hash; 225 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 226 } 227 228 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 229 goto err; 230 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 231 goto err; 232 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 233 goto err; 234 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 235 ctx->hs->legacy_session_id_len)) 236 goto err; 237 if (!CBB_add_u16(cbb, cipher)) 238 goto err; 239 if (!CBB_add_u8(cbb, 0)) 240 goto err; 241 if (!tlsext_server_build(s, cbb, tlsext_msg_type)) 242 goto err; 243 244 if (!CBB_flush(cbb)) 245 goto err; 246 247 return 1; 248 err: 249 return 0; 250 } 251 252 static int 253 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 254 { 255 struct tls13_secrets *secrets; 256 struct tls13_secret context; 257 unsigned char buf[EVP_MAX_MD_SIZE]; 258 uint8_t *shared_key = NULL; 259 size_t shared_key_len = 0; 260 size_t hash_len; 261 SSL *s = ctx->ssl; 262 int ret = 0; 263 264 if (!tls13_key_share_derive(ctx->hs->key_share, 265 &shared_key, &shared_key_len)) 266 goto err; 267 268 s->session->cipher = S3I(s)->hs.new_cipher; 269 270 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 271 goto err; 272 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 273 goto err; 274 275 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 276 goto err; 277 ctx->hs->secrets = secrets; 278 279 /* XXX - pass in hash. */ 280 if (!tls1_transcript_hash_init(s)) 281 goto err; 282 tls1_transcript_free(s); 283 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 284 goto err; 285 context.data = buf; 286 context.len = hash_len; 287 288 /* Early secrets. */ 289 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 290 secrets->zeros.len, &context)) 291 goto err; 292 293 /* Handshake secrets. */ 294 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 295 shared_key_len, &context)) 296 goto err; 297 298 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 299 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 300 301 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 302 &secrets->client_handshake_traffic)) 303 goto err; 304 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 305 &secrets->server_handshake_traffic)) 306 goto err; 307 308 ctx->handshake_stage.hs_type |= NEGOTIATED; 309 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 310 ctx->handshake_stage.hs_type |= WITHOUT_CR; 311 312 ret = 1; 313 314 err: 315 freezero(shared_key, shared_key_len); 316 return ret; 317 } 318 319 int 320 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 321 { 322 int nid; 323 324 ctx->hs->hrr = 1; 325 326 if (!tls13_synthetic_handshake_message(ctx)) 327 return 0; 328 329 if (ctx->hs->key_share != NULL) 330 return 0; 331 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 332 return 0; 333 if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) 334 return 0; 335 336 if (!tls13_server_hello_build(ctx, cbb, 1)) 337 return 0; 338 339 return 1; 340 } 341 342 int 343 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 344 { 345 /* 346 * If the client has requested middlebox compatibility mode, 347 * we MUST send a dummy CCS following our first handshake message. 348 * See RFC 8446 Appendix D.4. 349 */ 350 if (ctx->hs->legacy_session_id_len > 0) 351 ctx->send_dummy_ccs_after = 1; 352 353 return 1; 354 } 355 356 int 357 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 358 { 359 SSL *s = ctx->ssl; 360 361 if (!tls13_client_hello_process(ctx, cbs)) 362 return 0; 363 364 /* XXX - need further checks. */ 365 if (s->method->internal->version < TLS1_3_VERSION) 366 return 0; 367 368 return 1; 369 } 370 371 int 372 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 373 { 374 if (ctx->hs->key_share == NULL) 375 return 0; 376 if (!tls13_key_share_generate(ctx->hs->key_share)) 377 return 0; 378 379 ctx->hs->server_group = 0; 380 381 if (!tls13_server_hello_build(ctx, cbb, 0)) 382 return 0; 383 384 return 1; 385 } 386 387 int 388 tls13_server_hello_sent(struct tls13_ctx *ctx) 389 { 390 /* 391 * If the client has requested middlebox compatibility mode, 392 * we MUST send a dummy CCS following our first handshake message. 393 * See RFC 8446 Appendix D.4. 394 */ 395 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 396 ctx->hs->legacy_session_id_len > 0) 397 ctx->send_dummy_ccs_after = 1; 398 399 return tls13_server_engage_record_protection(ctx); 400 } 401 402 int 403 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 404 { 405 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE)) 406 goto err; 407 408 return 1; 409 err: 410 return 0; 411 } 412 413 int 414 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 415 { 416 CBB certificate_request_context; 417 418 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 419 goto err; 420 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR)) 421 goto err; 422 423 if (!CBB_flush(cbb)) 424 goto err; 425 426 return 1; 427 err: 428 return 0; 429 } 430 431 int 432 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 433 { 434 SSL *s = ctx->ssl; 435 CBB cert_request_context, cert_list; 436 STACK_OF(X509) *chain; 437 CERT_PKEY *cpk; 438 X509 *cert; 439 int i, ret = 0; 440 441 /* XXX - Need to revisit certificate selection. */ 442 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 443 if (cpk->x509 == NULL) { 444 /* A server must always provide a certificate. */ 445 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 446 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 447 "no server certificate", NULL); 448 goto err; 449 } 450 451 if ((chain = cpk->chain) == NULL) 452 chain = s->ctx->extra_certs; 453 454 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 455 goto err; 456 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 457 goto err; 458 459 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 460 goto err; 461 462 for (i = 0; i < sk_X509_num(chain); i++) { 463 cert = sk_X509_value(chain, i); 464 if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_server_build)) 465 goto err; 466 } 467 468 if (!CBB_flush(cbb)) 469 goto err; 470 471 ret = 1; 472 473 err: 474 return ret; 475 } 476 477 int 478 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 479 { 480 SSL *s = ctx->ssl; 481 const struct ssl_sigalg *sigalg = NULL; 482 uint8_t *sig = NULL, *sig_content = NULL; 483 size_t sig_len, sig_content_len; 484 EVP_MD_CTX *mdctx = NULL; 485 EVP_PKEY_CTX *pctx; 486 EVP_PKEY *pkey; 487 CERT_PKEY *cpk; 488 CBB sig_cbb; 489 int ret = 0; 490 491 memset(&sig_cbb, 0, sizeof(sig_cbb)); 492 493 /* XXX - Need to revisit certificate selection. */ 494 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 495 pkey = cpk->privatekey; 496 497 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 498 /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */ 499 goto err; 500 } 501 502 if (!CBB_init(&sig_cbb, 0)) 503 goto err; 504 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 505 sizeof(tls13_cert_verify_pad))) 506 goto err; 507 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 508 strlen(tls13_cert_server_verify_context))) 509 goto err; 510 if (!CBB_add_u8(&sig_cbb, 0)) 511 goto err; 512 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 513 ctx->hs->transcript_hash_len)) 514 goto err; 515 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 516 goto err; 517 518 if ((mdctx = EVP_MD_CTX_new()) == NULL) 519 goto err; 520 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 521 goto err; 522 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 523 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 524 goto err; 525 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 526 goto err; 527 } 528 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 529 goto err; 530 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 531 goto err; 532 if ((sig = calloc(1, sig_len)) == NULL) 533 goto err; 534 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 535 goto err; 536 537 if (!CBB_add_u16(cbb, sigalg->value)) 538 goto err; 539 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 540 goto err; 541 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 542 goto err; 543 544 if (!CBB_flush(cbb)) 545 goto err; 546 547 ret = 1; 548 549 err: 550 if (!ret && ctx->alert == 0) 551 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 552 553 CBB_cleanup(&sig_cbb); 554 EVP_MD_CTX_free(mdctx); 555 free(sig_content); 556 free(sig); 557 558 return ret; 559 } 560 561 int 562 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 563 { 564 struct tls13_secrets *secrets = ctx->hs->secrets; 565 struct tls13_secret context = { .data = "", .len = 0 }; 566 struct tls13_secret finished_key; 567 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 568 size_t transcript_hash_len; 569 uint8_t key[EVP_MAX_MD_SIZE]; 570 uint8_t *verify_data; 571 size_t hmac_len; 572 unsigned int hlen; 573 HMAC_CTX *hmac_ctx = NULL; 574 int ret = 0; 575 576 finished_key.data = key; 577 finished_key.len = EVP_MD_size(ctx->hash); 578 579 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 580 &secrets->server_handshake_traffic, "finished", 581 &context)) 582 goto err; 583 584 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 585 sizeof(transcript_hash), &transcript_hash_len)) 586 goto err; 587 588 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 589 goto err; 590 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 591 ctx->hash, NULL)) 592 goto err; 593 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 594 goto err; 595 596 hmac_len = HMAC_size(hmac_ctx); 597 if (!CBB_add_space(cbb, &verify_data, hmac_len)) 598 goto err; 599 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 600 goto err; 601 if (hlen != hmac_len) 602 goto err; 603 604 ret = 1; 605 606 err: 607 HMAC_CTX_free(hmac_ctx); 608 609 return ret; 610 } 611 612 int 613 tls13_server_finished_sent(struct tls13_ctx *ctx) 614 { 615 struct tls13_secrets *secrets = ctx->hs->secrets; 616 struct tls13_secret context = { .data = "", .len = 0 }; 617 618 /* 619 * Derive application traffic keys. 620 */ 621 context.data = ctx->hs->transcript_hash; 622 context.len = ctx->hs->transcript_hash_len; 623 624 if (!tls13_derive_application_secrets(secrets, &context)) 625 return 0; 626 627 /* 628 * Any records following the server finished message must be encrypted 629 * using the server application traffic keys. 630 */ 631 return tls13_record_layer_set_write_traffic_key(ctx->rl, 632 &secrets->server_application_traffic); 633 } 634 635 int 636 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 637 { 638 CBS cert_request_context, cert_list, cert_data, cert_exts; 639 struct stack_st_X509 *certs = NULL; 640 SSL *s = ctx->ssl; 641 X509 *cert = NULL; 642 EVP_PKEY *pkey; 643 const uint8_t *p; 644 int cert_idx; 645 int ret = 0; 646 647 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 648 goto err; 649 if (CBS_len(&cert_request_context) != 0) 650 goto err; 651 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 652 goto err; 653 if (CBS_len(&cert_list) == 0) { 654 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 655 return 1; 656 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 657 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 658 "peer did not provide a certificate", NULL); 659 goto err; 660 } 661 662 if ((certs = sk_X509_new_null()) == NULL) 663 goto err; 664 while (CBS_len(&cert_list) > 0) { 665 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 666 goto err; 667 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 668 goto err; 669 670 p = CBS_data(&cert_data); 671 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 672 goto err; 673 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 674 goto err; 675 676 if (!sk_X509_push(certs, cert)) 677 goto err; 678 679 cert = NULL; 680 } 681 682 /* 683 * At this stage we still have no proof of possession. As such, it would 684 * be preferable to keep the chain and verify once we have successfully 685 * processed the CertificateVerify message. 686 */ 687 if (ssl_verify_cert_chain(s, certs) <= 0) { 688 ctx->alert = ssl_verify_alarm_type(s->verify_result); 689 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 690 "failed to verify peer certificate", NULL); 691 goto err; 692 } 693 ERR_clear_error(); 694 695 cert = sk_X509_value(certs, 0); 696 X509_up_ref(cert); 697 698 if ((pkey = X509_get0_pubkey(cert)) == NULL) 699 goto err; 700 if (EVP_PKEY_missing_parameters(pkey)) 701 goto err; 702 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 703 goto err; 704 705 ssl_sess_cert_free(SSI(s)->sess_cert); 706 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 707 goto err; 708 709 SSI(s)->sess_cert->cert_chain = certs; 710 certs = NULL; 711 712 X509_up_ref(cert); 713 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 714 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 715 716 X509_free(s->session->peer); 717 718 X509_up_ref(cert); 719 s->session->peer = cert; 720 s->session->verify_result = s->verify_result; 721 722 ctx->handshake_stage.hs_type |= WITH_CCV; 723 ret = 1; 724 725 err: 726 sk_X509_pop_free(certs, X509_free); 727 X509_free(cert); 728 729 return ret; 730 } 731 732 int 733 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 734 { 735 const struct ssl_sigalg *sigalg; 736 uint16_t signature_scheme; 737 uint8_t *sig_content = NULL; 738 size_t sig_content_len; 739 EVP_MD_CTX *mdctx = NULL; 740 EVP_PKEY_CTX *pctx; 741 EVP_PKEY *pkey; 742 X509 *cert; 743 CBS signature; 744 CBB cbb; 745 int ret = 0; 746 747 memset(&cbb, 0, sizeof(cbb)); 748 749 if (!CBS_get_u16(cbs, &signature_scheme)) 750 goto err; 751 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 752 goto err; 753 754 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 755 tls13_sigalgs_len)) == NULL) 756 goto err; 757 758 if (!CBB_init(&cbb, 0)) 759 goto err; 760 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 761 sizeof(tls13_cert_verify_pad))) 762 goto err; 763 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 764 strlen(tls13_cert_client_verify_context))) 765 goto err; 766 if (!CBB_add_u8(&cbb, 0)) 767 goto err; 768 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 769 ctx->hs->transcript_hash_len)) 770 goto err; 771 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 772 goto err; 773 774 if ((cert = ctx->ssl->session->peer) == NULL) 775 goto err; 776 if ((pkey = X509_get0_pubkey(cert)) == NULL) 777 goto err; 778 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 779 goto err; 780 781 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 782 goto err; 783 784 if ((mdctx = EVP_MD_CTX_new()) == NULL) 785 goto err; 786 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 787 goto err; 788 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 789 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 790 goto err; 791 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 792 goto err; 793 } 794 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 795 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 796 goto err; 797 } 798 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 799 CBS_len(&signature)) <= 0) { 800 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 801 goto err; 802 } 803 804 ret = 1; 805 806 err: 807 if (!ret && ctx->alert == 0) { 808 ctx->alert = TLS13_ALERT_DECODE_ERROR; 809 } 810 CBB_cleanup(&cbb); 811 EVP_MD_CTX_free(mdctx); 812 free(sig_content); 813 814 return ret; 815 } 816 817 int 818 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 819 { 820 return 0; 821 } 822 823 int 824 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 825 { 826 struct tls13_secrets *secrets = ctx->hs->secrets; 827 struct tls13_secret context = { .data = "", .len = 0 }; 828 struct tls13_secret finished_key; 829 uint8_t *verify_data = NULL; 830 size_t verify_data_len; 831 uint8_t key[EVP_MAX_MD_SIZE]; 832 HMAC_CTX *hmac_ctx = NULL; 833 unsigned int hlen; 834 int ret = 0; 835 836 /* 837 * Verify client finished. 838 */ 839 finished_key.data = key; 840 finished_key.len = EVP_MD_size(ctx->hash); 841 842 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 843 &secrets->client_handshake_traffic, "finished", 844 &context)) 845 goto err; 846 847 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 848 goto err; 849 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 850 ctx->hash, NULL)) 851 goto err; 852 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 853 ctx->hs->transcript_hash_len)) 854 goto err; 855 verify_data_len = HMAC_size(hmac_ctx); 856 if ((verify_data = calloc(1, verify_data_len)) == NULL) 857 goto err; 858 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 859 goto err; 860 if (hlen != verify_data_len) 861 goto err; 862 863 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 864 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 865 goto err; 866 } 867 868 if (!CBS_skip(cbs, verify_data_len)) 869 goto err; 870 871 /* 872 * Any records following the client finished message must be encrypted 873 * using the client application traffic keys. 874 */ 875 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 876 &secrets->client_application_traffic)) 877 goto err; 878 879 tls13_record_layer_allow_ccs(ctx->rl, 0); 880 881 ret = 1; 882 883 err: 884 HMAC_CTX_free(hmac_ctx); 885 free(verify_data); 886 887 return ret; 888 } 889