1 /* $OpenBSD: tls13_client.c,v 1.73 2021/02/25 17:06:05 jsing Exp $ */ 2 /* 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 #include "ssl_locl.h" 19 20 #include <openssl/ssl3.h> 21 22 #include "bytestring.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_client_init(struct tls13_ctx *ctx) 29 { 30 const uint16_t *groups; 31 size_t groups_len; 32 SSL *s = ctx->ssl; 33 34 if (!ssl_supported_tls_version_range(s, &ctx->hs->min_version, 35 &ctx->hs->max_version)) { 36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 37 return 0; 38 } 39 s->client_version = s->version = ctx->hs->max_version; 40 41 tls13_record_layer_set_retry_after_phh(ctx->rl, 42 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 43 44 if (!ssl_get_new_session(s, 0)) /* XXX */ 45 return 0; 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 /* Generate a key share using our preferred group. */ 51 tls1_get_group_list(s, 0, &groups, &groups_len); 52 if (groups_len < 1) 53 return 0; 54 if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL) 55 return 0; 56 if (!tls13_key_share_generate(ctx->hs->key_share)) 57 return 0; 58 59 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); 60 61 /* 62 * The legacy session identifier should either be set to an 63 * unpredictable 32-byte value or zero length... a non-zero length 64 * legacy session identifier triggers compatibility mode (see RFC 8446 65 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. 66 */ 67 if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) { 68 arc4random_buf(ctx->hs->legacy_session_id, 69 sizeof(ctx->hs->legacy_session_id)); 70 ctx->hs->legacy_session_id_len = 71 sizeof(ctx->hs->legacy_session_id); 72 } 73 74 return 1; 75 } 76 77 int 78 tls13_client_connect(struct tls13_ctx *ctx) 79 { 80 if (ctx->mode != TLS13_HS_CLIENT) 81 return TLS13_IO_FAILURE; 82 83 return tls13_handshake_perform(ctx); 84 } 85 86 static int 87 tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) 88 { 89 CBB cipher_suites, compression_methods, session_id; 90 uint16_t client_version; 91 SSL *s = ctx->ssl; 92 93 /* Legacy client version is capped at TLS 1.2. */ 94 client_version = ctx->hs->max_version; 95 if (client_version > TLS1_2_VERSION) 96 client_version = TLS1_2_VERSION; 97 98 if (!CBB_add_u16(cbb, client_version)) 99 goto err; 100 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) 101 goto err; 102 103 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 104 goto err; 105 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 106 ctx->hs->legacy_session_id_len)) 107 goto err; 108 109 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) 110 goto err; 111 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { 112 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); 113 goto err; 114 } 115 116 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) 117 goto err; 118 if (!CBB_add_u8(&compression_methods, 0)) 119 goto err; 120 121 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb)) 122 goto err; 123 124 if (!CBB_flush(cbb)) 125 goto err; 126 127 return 1; 128 129 err: 130 return 0; 131 } 132 133 int 134 tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) 135 { 136 if (ctx->hs->min_version < TLS1_2_VERSION) 137 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 138 139 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ 140 tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); 141 142 if (!tls13_client_hello_build(ctx, cbb)) 143 return 0; 144 145 return 1; 146 } 147 148 int 149 tls13_client_hello_sent(struct tls13_ctx *ctx) 150 { 151 tls13_record_layer_allow_ccs(ctx->rl, 1); 152 153 tls1_transcript_freeze(ctx->ssl); 154 155 if (ctx->middlebox_compat) 156 ctx->send_dummy_ccs = 1; 157 158 return 1; 159 } 160 161 static int 162 tls13_server_hello_is_legacy(CBS *cbs) 163 { 164 CBS extensions_block, extensions, extension_data; 165 uint16_t selected_version = 0; 166 uint16_t type; 167 168 CBS_dup(cbs, &extensions_block); 169 170 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 171 return 1; 172 173 while (CBS_len(&extensions) > 0) { 174 if (!CBS_get_u16(&extensions, &type)) 175 return 1; 176 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 177 return 1; 178 179 if (type != TLSEXT_TYPE_supported_versions) 180 continue; 181 if (!CBS_get_u16(&extension_data, &selected_version)) 182 return 1; 183 if (CBS_len(&extension_data) != 0) 184 return 1; 185 } 186 187 return (selected_version < TLS1_3_VERSION); 188 } 189 190 static int 191 tls13_server_hello_is_retry(CBS *cbs) 192 { 193 CBS server_hello, server_random; 194 uint16_t legacy_version; 195 196 CBS_dup(cbs, &server_hello); 197 198 if (!CBS_get_u16(&server_hello, &legacy_version)) 199 return 0; 200 if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE)) 201 return 0; 202 203 /* See if this is a HelloRetryRequest. */ 204 return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 205 sizeof(tls13_hello_retry_request_hash)); 206 } 207 208 static int 209 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) 210 { 211 CBS server_random, session_id; 212 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 213 uint16_t cipher_suite, legacy_version; 214 uint8_t compression_method; 215 const SSL_CIPHER *cipher; 216 int alert_desc; 217 SSL *s = ctx->ssl; 218 219 if (!CBS_get_u16(cbs, &legacy_version)) 220 goto err; 221 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) 222 goto err; 223 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 224 goto err; 225 if (!CBS_get_u16(cbs, &cipher_suite)) 226 goto err; 227 if (!CBS_get_u8(cbs, &compression_method)) 228 goto err; 229 230 if (tls13_server_hello_is_legacy(cbs)) { 231 if (ctx->hs->max_version >= TLS1_3_VERSION) { 232 /* 233 * RFC 8446 section 4.1.3: we must not downgrade if 234 * the server random value contains the TLS 1.2 or 1.1 235 * magical value. 236 */ 237 if (!CBS_skip(&server_random, CBS_len(&server_random) - 238 sizeof(tls13_downgrade_12))) 239 goto err; 240 if (CBS_mem_equal(&server_random, tls13_downgrade_12, 241 sizeof(tls13_downgrade_12)) || 242 CBS_mem_equal(&server_random, tls13_downgrade_11, 243 sizeof(tls13_downgrade_11))) { 244 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 245 goto err; 246 } 247 } 248 249 if (!CBS_skip(cbs, CBS_len(cbs))) 250 goto err; 251 252 ctx->hs->use_legacy = 1; 253 return 1; 254 } 255 256 /* From here on in we know we are doing TLSv1.3. */ 257 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 258 tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); 259 260 /* See if this is a HelloRetryRequest. */ 261 /* XXX - see if we can avoid doing this twice. */ 262 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, 263 sizeof(tls13_hello_retry_request_hash))) { 264 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 265 ctx->hs->hrr = 1; 266 } 267 268 if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { 269 ctx->alert = alert_desc; 270 goto err; 271 } 272 273 /* 274 * The supported versions extension indicated 0x0304 or greater. 275 * Ensure that it was 0x0304 and that legacy version is set to 0x0303 276 * (RFC 8446 section 4.2.1). 277 */ 278 if (ctx->hs->server_version != TLS1_3_VERSION || 279 legacy_version != TLS1_2_VERSION) { 280 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 281 goto err; 282 } 283 284 /* The session_id must match. */ 285 if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id, 286 ctx->hs->legacy_session_id_len)) { 287 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 288 goto err; 289 } 290 291 /* 292 * Ensure that the cipher suite is one that we offered in the client 293 * hello and that it is a TLSv1.3 cipher suite. 294 */ 295 cipher = ssl3_get_cipher_by_value(cipher_suite); 296 if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { 297 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 298 goto err; 299 } 300 if (cipher->algorithm_ssl != SSL_TLSV1_3) { 301 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 302 goto err; 303 } 304 /* XXX - move this to hs_tls13? */ 305 S3I(s)->hs.new_cipher = cipher; 306 307 if (compression_method != 0) { 308 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 309 goto err; 310 } 311 312 return 1; 313 314 err: 315 if (ctx->alert == 0) 316 ctx->alert = TLS13_ALERT_DECODE_ERROR; 317 318 return 0; 319 } 320 321 static int 322 tls13_client_engage_record_protection(struct tls13_ctx *ctx) 323 { 324 struct tls13_secrets *secrets; 325 struct tls13_secret context; 326 unsigned char buf[EVP_MAX_MD_SIZE]; 327 uint8_t *shared_key = NULL; 328 size_t shared_key_len = 0; 329 size_t hash_len; 330 SSL *s = ctx->ssl; 331 int ret = 0; 332 333 /* Derive the shared key and engage record protection. */ 334 335 if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, 336 &shared_key_len)) 337 goto err; 338 339 s->session->cipher = S3I(s)->hs.new_cipher; 340 s->session->ssl_version = ctx->hs->server_version; 341 342 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 343 goto err; 344 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 345 goto err; 346 347 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 348 goto err; 349 ctx->hs->secrets = secrets; 350 351 /* XXX - pass in hash. */ 352 if (!tls1_transcript_hash_init(s)) 353 goto err; 354 tls1_transcript_free(s); 355 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 356 goto err; 357 context.data = buf; 358 context.len = hash_len; 359 360 /* Early secrets. */ 361 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 362 secrets->zeros.len, &context)) 363 goto err; 364 365 /* Handshake secrets. */ 366 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 367 shared_key_len, &context)) 368 goto err; 369 370 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 371 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 372 373 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 374 &secrets->server_handshake_traffic)) 375 goto err; 376 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 377 &secrets->client_handshake_traffic)) 378 goto err; 379 380 ret = 1; 381 382 err: 383 freezero(shared_key, shared_key_len); 384 385 return ret; 386 } 387 388 int 389 tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) 390 { 391 /* 392 * The state machine has no way of knowing if we're going to receive a 393 * HelloRetryRequest or a ServerHello. As such, we have to handle 394 * this case here and hand off to the appropriate function. 395 */ 396 if (!tls13_server_hello_is_retry(cbs)) { 397 ctx->handshake_stage.hs_type |= WITHOUT_HRR; 398 return tls13_server_hello_recv(ctx, cbs); 399 } 400 401 if (!tls13_server_hello_process(ctx, cbs)) 402 return 0; 403 404 /* 405 * This may have been a TLSv1.2 or earlier ServerHello that just happened 406 * to have matching server random... 407 */ 408 if (ctx->hs->use_legacy) 409 return tls13_use_legacy_client(ctx); 410 411 if (!ctx->hs->hrr) 412 return 0; 413 414 if (!tls13_synthetic_handshake_message(ctx)) 415 return 0; 416 if (!tls13_handshake_msg_record(ctx)) 417 return 0; 418 419 ctx->hs->hrr = 0; 420 421 return 1; 422 } 423 424 int 425 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 426 { 427 /* 428 * Ensure that the server supported group is one that we listed in our 429 * supported groups and is not the same as the key share we previously 430 * offered. 431 */ 432 if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group)) 433 return 0; /* XXX alert */ 434 if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) 435 return 0; /* XXX alert */ 436 437 /* Switch to new key share. */ 438 tls13_key_share_free(ctx->hs->key_share); 439 if ((ctx->hs->key_share = 440 tls13_key_share_new(ctx->hs->server_group)) == NULL) 441 return 0; 442 if (!tls13_key_share_generate(ctx->hs->key_share)) 443 return 0; 444 445 if (!tls13_client_hello_build(ctx, cbb)) 446 return 0; 447 448 return 1; 449 } 450 451 int 452 tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 453 { 454 SSL *s = ctx->ssl; 455 456 /* 457 * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3 458 * ServerHello. HelloRetryRequests have already been handled. 459 */ 460 if (!tls13_server_hello_process(ctx, cbs)) 461 return 0; 462 463 if (ctx->handshake_stage.hs_type & WITHOUT_HRR) { 464 tls1_transcript_unfreeze(s); 465 if (!tls13_handshake_msg_record(ctx)) 466 return 0; 467 } 468 469 if (ctx->hs->use_legacy) { 470 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) 471 return 0; 472 return tls13_use_legacy_client(ctx); 473 } 474 475 if (ctx->hs->hrr) { 476 /* The server has sent two HelloRetryRequests. */ 477 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 478 return 0; 479 } 480 481 if (!tls13_client_engage_record_protection(ctx)) 482 return 0; 483 484 ctx->handshake_stage.hs_type |= NEGOTIATED; 485 486 return 1; 487 } 488 489 int 490 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) 491 { 492 int alert_desc; 493 494 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) { 495 ctx->alert = alert_desc; 496 goto err; 497 } 498 499 return 1; 500 501 err: 502 if (ctx->alert == 0) 503 ctx->alert = TLS13_ALERT_DECODE_ERROR; 504 505 return 0; 506 } 507 508 int 509 tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) 510 { 511 CBS cert_request_context; 512 int alert_desc; 513 514 /* 515 * Thanks to poor state design in the RFC, this function can be called 516 * when we actually have a certificate message instead of a certificate 517 * request... in that case we call the certificate handler after 518 * switching state, to avoid advancing state. 519 */ 520 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { 521 ctx->handshake_stage.hs_type |= WITHOUT_CR; 522 return tls13_server_certificate_recv(ctx, cbs); 523 } 524 525 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 526 goto err; 527 if (CBS_len(&cert_request_context) != 0) 528 goto err; 529 530 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) { 531 ctx->alert = alert_desc; 532 goto err; 533 } 534 535 return 1; 536 537 err: 538 if (ctx->alert == 0) 539 ctx->alert = TLS13_ALERT_DECODE_ERROR; 540 541 return 0; 542 } 543 544 int 545 tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 546 { 547 CBS cert_request_context, cert_list, cert_data; 548 struct stack_st_X509 *certs = NULL; 549 SSL *s = ctx->ssl; 550 X509 *cert = NULL; 551 EVP_PKEY *pkey; 552 const uint8_t *p; 553 int cert_idx, alert_desc; 554 int ret = 0; 555 556 if ((certs = sk_X509_new_null()) == NULL) 557 goto err; 558 559 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 560 goto err; 561 if (CBS_len(&cert_request_context) != 0) 562 goto err; 563 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 564 goto err; 565 566 while (CBS_len(&cert_list) > 0) { 567 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 568 goto err; 569 570 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT, 571 &cert_list, &alert_desc)) { 572 ctx->alert = alert_desc; 573 goto err; 574 } 575 576 p = CBS_data(&cert_data); 577 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 578 goto err; 579 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 580 goto err; 581 582 if (!sk_X509_push(certs, cert)) 583 goto err; 584 585 cert = NULL; 586 } 587 588 /* A server must always provide a non-empty certificate list. */ 589 if (sk_X509_num(certs) < 1) { 590 ctx->alert = TLS13_ALERT_DECODE_ERROR; 591 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 592 "peer failed to provide a certificate", NULL); 593 goto err; 594 } 595 596 /* 597 * At this stage we still have no proof of possession. As such, it would 598 * be preferable to keep the chain and verify once we have successfully 599 * processed the CertificateVerify message. 600 */ 601 if (ssl_verify_cert_chain(s, certs) <= 0 && 602 s->verify_mode != SSL_VERIFY_NONE) { 603 ctx->alert = ssl_verify_alarm_type(s->verify_result); 604 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 605 "failed to verify peer certificate", NULL); 606 goto err; 607 } 608 ERR_clear_error(); 609 610 cert = sk_X509_value(certs, 0); 611 X509_up_ref(cert); 612 613 if ((pkey = X509_get0_pubkey(cert)) == NULL) 614 goto err; 615 if (EVP_PKEY_missing_parameters(pkey)) 616 goto err; 617 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 618 goto err; 619 620 ssl_sess_cert_free(SSI(s)->sess_cert); 621 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 622 goto err; 623 624 SSI(s)->sess_cert->cert_chain = certs; 625 certs = NULL; 626 627 X509_up_ref(cert); 628 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 629 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 630 631 X509_free(s->session->peer); 632 633 X509_up_ref(cert); 634 s->session->peer = cert; 635 s->session->verify_result = s->verify_result; 636 637 if (ctx->ocsp_status_recv_cb != NULL && 638 !ctx->ocsp_status_recv_cb(ctx)) 639 goto err; 640 641 ret = 1; 642 643 err: 644 sk_X509_pop_free(certs, X509_free); 645 X509_free(cert); 646 647 return ret; 648 } 649 650 int 651 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 652 { 653 const struct ssl_sigalg *sigalg; 654 uint16_t signature_scheme; 655 uint8_t *sig_content = NULL; 656 size_t sig_content_len; 657 EVP_MD_CTX *mdctx = NULL; 658 EVP_PKEY_CTX *pctx; 659 EVP_PKEY *pkey; 660 X509 *cert; 661 CBS signature; 662 CBB cbb; 663 int ret = 0; 664 665 memset(&cbb, 0, sizeof(cbb)); 666 667 if (!CBS_get_u16(cbs, &signature_scheme)) 668 goto err; 669 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 670 goto err; 671 672 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 673 tls13_sigalgs_len)) == NULL) 674 goto err; 675 676 if (!CBB_init(&cbb, 0)) 677 goto err; 678 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 679 sizeof(tls13_cert_verify_pad))) 680 goto err; 681 if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, 682 strlen(tls13_cert_server_verify_context))) 683 goto err; 684 if (!CBB_add_u8(&cbb, 0)) 685 goto err; 686 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 687 ctx->hs->transcript_hash_len)) 688 goto err; 689 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 690 goto err; 691 692 if ((cert = ctx->ssl->session->peer) == NULL) 693 goto err; 694 if ((pkey = X509_get0_pubkey(cert)) == NULL) 695 goto err; 696 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 697 goto err; 698 699 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 700 goto err; 701 702 if ((mdctx = EVP_MD_CTX_new()) == NULL) 703 goto err; 704 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 705 goto err; 706 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 707 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 708 goto err; 709 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 710 goto err; 711 } 712 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 713 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 714 goto err; 715 } 716 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 717 CBS_len(&signature)) <= 0) { 718 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 719 goto err; 720 } 721 722 ret = 1; 723 724 err: 725 if (!ret && ctx->alert == 0) 726 ctx->alert = TLS13_ALERT_DECODE_ERROR; 727 CBB_cleanup(&cbb); 728 EVP_MD_CTX_free(mdctx); 729 free(sig_content); 730 731 return ret; 732 } 733 734 int 735 tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 736 { 737 struct tls13_secrets *secrets = ctx->hs->secrets; 738 struct tls13_secret context = { .data = "", .len = 0 }; 739 struct tls13_secret finished_key; 740 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 741 size_t transcript_hash_len; 742 uint8_t *verify_data = NULL; 743 size_t verify_data_len; 744 uint8_t key[EVP_MAX_MD_SIZE]; 745 HMAC_CTX *hmac_ctx = NULL; 746 unsigned int hlen; 747 SSL *s = ctx->ssl; 748 int ret = 0; 749 750 /* 751 * Verify server finished. 752 */ 753 finished_key.data = key; 754 finished_key.len = EVP_MD_size(ctx->hash); 755 756 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 757 &secrets->server_handshake_traffic, "finished", 758 &context)) 759 goto err; 760 761 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 762 goto err; 763 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 764 ctx->hash, NULL)) 765 goto err; 766 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 767 ctx->hs->transcript_hash_len)) 768 goto err; 769 verify_data_len = HMAC_size(hmac_ctx); 770 if ((verify_data = calloc(1, verify_data_len)) == NULL) 771 goto err; 772 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 773 goto err; 774 if (hlen != verify_data_len) 775 goto err; 776 777 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 778 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 779 goto err; 780 } 781 782 if (!CBS_write_bytes(cbs, S3I(s)->tmp.peer_finish_md, 783 sizeof(S3I(s)->tmp.peer_finish_md), 784 &S3I(s)->tmp.peer_finish_md_len)) 785 goto err; 786 787 if (!CBS_skip(cbs, verify_data_len)) 788 goto err; 789 790 /* 791 * Derive application traffic keys. 792 */ 793 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 794 sizeof(transcript_hash), &transcript_hash_len)) 795 goto err; 796 797 context.data = transcript_hash; 798 context.len = transcript_hash_len; 799 800 if (!tls13_derive_application_secrets(secrets, &context)) 801 goto err; 802 803 /* 804 * Any records following the server finished message must be encrypted 805 * using the server application traffic keys. 806 */ 807 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 808 &secrets->server_application_traffic)) 809 goto err; 810 811 tls13_record_layer_allow_ccs(ctx->rl, 0); 812 813 ret = 1; 814 815 err: 816 HMAC_CTX_free(hmac_ctx); 817 free(verify_data); 818 819 return ret; 820 } 821 822 static int 823 tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, 824 int *ok, const struct ssl_sigalg **out_sigalg) 825 { 826 const struct ssl_sigalg *sigalg; 827 SSL *s = ctx->ssl; 828 829 *ok = 0; 830 *out_sigalg = NULL; 831 832 if (cpk->x509 == NULL || cpk->privatekey == NULL) 833 goto done; 834 835 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 836 goto done; 837 838 *ok = 1; 839 *out_sigalg = sigalg; 840 841 done: 842 return 1; 843 } 844 845 static int 846 tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, 847 const struct ssl_sigalg **out_sigalg) 848 { 849 SSL *s = ctx->ssl; 850 const struct ssl_sigalg *sigalg; 851 CERT_PKEY *cpk; 852 int cert_ok; 853 854 *out_cpk = NULL; 855 *out_sigalg = NULL; 856 857 /* 858 * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences 859 * with the certificate_authorities (4.2.4) and oid_filters (4.2.5) 860 * extensions. We should honor the former and must apply the latter. 861 */ 862 863 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 864 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 865 return 0; 866 if (cert_ok) 867 goto done; 868 869 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 870 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 871 return 0; 872 if (cert_ok) 873 goto done; 874 875 cpk = NULL; 876 sigalg = NULL; 877 878 done: 879 *out_cpk = cpk; 880 *out_sigalg = sigalg; 881 882 return 1; 883 } 884 885 int 886 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 887 { 888 SSL *s = ctx->ssl; 889 CBB cert_request_context, cert_list; 890 const struct ssl_sigalg *sigalg; 891 STACK_OF(X509) *chain; 892 CERT_PKEY *cpk; 893 X509 *cert; 894 int i, ret = 0; 895 896 if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) 897 goto err; 898 899 ctx->hs->cpk = cpk; 900 ctx->hs->sigalg = sigalg; 901 902 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 903 goto err; 904 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 905 goto err; 906 907 /* No certificate selected. */ 908 if (cpk == NULL) 909 goto done; 910 911 if ((chain = cpk->chain) == NULL) 912 chain = s->ctx->extra_certs; 913 914 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build)) 915 goto err; 916 917 for (i = 0; i < sk_X509_num(chain); i++) { 918 cert = sk_X509_value(chain, i); 919 if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build)) 920 goto err; 921 } 922 923 ctx->handshake_stage.hs_type |= WITH_CCV; 924 done: 925 if (!CBB_flush(cbb)) 926 goto err; 927 928 ret = 1; 929 930 err: 931 return ret; 932 } 933 934 int 935 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 936 { 937 const struct ssl_sigalg *sigalg; 938 uint8_t *sig = NULL, *sig_content = NULL; 939 size_t sig_len, sig_content_len; 940 EVP_MD_CTX *mdctx = NULL; 941 EVP_PKEY_CTX *pctx; 942 EVP_PKEY *pkey; 943 const CERT_PKEY *cpk; 944 CBB sig_cbb; 945 int ret = 0; 946 947 memset(&sig_cbb, 0, sizeof(sig_cbb)); 948 949 if ((cpk = ctx->hs->cpk) == NULL) 950 goto err; 951 if ((sigalg = ctx->hs->sigalg) == NULL) 952 goto err; 953 pkey = cpk->privatekey; 954 955 if (!CBB_init(&sig_cbb, 0)) 956 goto err; 957 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 958 sizeof(tls13_cert_verify_pad))) 959 goto err; 960 if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, 961 strlen(tls13_cert_client_verify_context))) 962 goto err; 963 if (!CBB_add_u8(&sig_cbb, 0)) 964 goto err; 965 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 966 ctx->hs->transcript_hash_len)) 967 goto err; 968 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 969 goto err; 970 971 if ((mdctx = EVP_MD_CTX_new()) == NULL) 972 goto err; 973 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 974 goto err; 975 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 976 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 977 goto err; 978 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 979 goto err; 980 } 981 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 982 goto err; 983 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 984 goto err; 985 if ((sig = calloc(1, sig_len)) == NULL) 986 goto err; 987 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 988 goto err; 989 990 if (!CBB_add_u16(cbb, sigalg->value)) 991 goto err; 992 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 993 goto err; 994 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 995 goto err; 996 997 if (!CBB_flush(cbb)) 998 goto err; 999 1000 ret = 1; 1001 1002 err: 1003 if (!ret && ctx->alert == 0) 1004 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 1005 1006 CBB_cleanup(&sig_cbb); 1007 EVP_MD_CTX_free(mdctx); 1008 free(sig_content); 1009 free(sig); 1010 1011 return ret; 1012 } 1013 1014 int 1015 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) 1016 { 1017 return 0; 1018 } 1019 1020 int 1021 tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) 1022 { 1023 struct tls13_secrets *secrets = ctx->hs->secrets; 1024 struct tls13_secret context = { .data = "", .len = 0 }; 1025 struct tls13_secret finished_key = { .data = NULL, .len = 0 }; 1026 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 1027 size_t transcript_hash_len; 1028 uint8_t *verify_data; 1029 size_t verify_data_len; 1030 unsigned int hlen; 1031 HMAC_CTX *hmac_ctx = NULL; 1032 CBS cbs; 1033 SSL *s = ctx->ssl; 1034 int ret = 0; 1035 1036 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 1037 goto err; 1038 1039 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1040 &secrets->client_handshake_traffic, "finished", 1041 &context)) 1042 goto err; 1043 1044 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 1045 sizeof(transcript_hash), &transcript_hash_len)) 1046 goto err; 1047 1048 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1049 goto err; 1050 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1051 ctx->hash, NULL)) 1052 goto err; 1053 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 1054 goto err; 1055 1056 verify_data_len = HMAC_size(hmac_ctx); 1057 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 1058 goto err; 1059 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1060 goto err; 1061 if (hlen != verify_data_len) 1062 goto err; 1063 1064 CBS_init(&cbs, verify_data, verify_data_len); 1065 if (!CBS_write_bytes(&cbs, S3I(s)->tmp.finish_md, 1066 sizeof(S3I(s)->tmp.finish_md), &S3I(s)->tmp.finish_md_len)) 1067 goto err; 1068 1069 ret = 1; 1070 1071 err: 1072 tls13_secret_cleanup(&finished_key); 1073 HMAC_CTX_free(hmac_ctx); 1074 1075 return ret; 1076 } 1077 1078 int 1079 tls13_client_finished_sent(struct tls13_ctx *ctx) 1080 { 1081 struct tls13_secrets *secrets = ctx->hs->secrets; 1082 1083 /* 1084 * Any records following the client finished message must be encrypted 1085 * using the client application traffic keys. 1086 */ 1087 return tls13_record_layer_set_write_traffic_key(ctx->rl, 1088 &secrets->client_application_traffic); 1089 } 1090