1*f4fe6251Sjsing /* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */ 28630be86Sjsing /* 3aa78e754Sbeck * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4aa78e754Sbeck * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 58630be86Sjsing * 68630be86Sjsing * Permission to use, copy, modify, and distribute this software for any 78630be86Sjsing * purpose with or without fee is hereby granted, provided that the above 88630be86Sjsing * copyright notice and this permission notice appear in all copies. 98630be86Sjsing * 108630be86Sjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 118630be86Sjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 128630be86Sjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 138630be86Sjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 148630be86Sjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 158630be86Sjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 168630be86Sjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 178630be86Sjsing */ 188630be86Sjsing 1906121fa9Sjsing #include <openssl/x509v3.h> 2006121fa9Sjsing 21c9675a23Stb #include "ssl_local.h" 22eb42ff5bSjsing #include "ssl_sigalgs.h" 230dbd9f91Sjsing #include "ssl_tlsext.h" 248630be86Sjsing #include "tls13_handshake.h" 258630be86Sjsing #include "tls13_internal.h" 268630be86Sjsing 278a834dadSjsing int 288630be86Sjsing tls13_server_init(struct tls13_ctx *ctx) 298630be86Sjsing { 308630be86Sjsing SSL *s = ctx->ssl; 318630be86Sjsing 32d4edc922Sjsing if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 33d4edc922Sjsing &ctx->hs->our_max_tls_version)) { 348630be86Sjsing SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 358630be86Sjsing return 0; 368630be86Sjsing } 37d4edc922Sjsing s->version = ctx->hs->our_max_tls_version; 388630be86Sjsing 3929323c26Sjsing tls13_record_layer_set_retry_after_phh(ctx->rl, 406f7f653bSjsing (s->mode & SSL_MODE_AUTO_RETRY) != 0); 4129323c26Sjsing 4205c39422Sjsing if (!ssl_get_new_session(s, 0)) /* XXX */ 430dbd9f91Sjsing return 0; 448630be86Sjsing 45e095aa7eSjsing tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46e095aa7eSjsing 4705c39422Sjsing if (!tls1_transcript_init(s)) 48c43b2f19Sjsing return 0; 49c43b2f19Sjsing 509b4fd993Sbeck arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 519b4fd993Sbeck 528630be86Sjsing return 1; 538630be86Sjsing } 548630be86Sjsing 558a834dadSjsing int 568a834dadSjsing tls13_server_accept(struct tls13_ctx *ctx) 57d0445389Sjsing { 58d0445389Sjsing if (ctx->mode != TLS13_HS_SERVER) 59d0445389Sjsing return TLS13_IO_FAILURE; 60d0445389Sjsing 61d0445389Sjsing return tls13_handshake_perform(ctx); 62d0445389Sjsing } 63d0445389Sjsing 640dbd9f91Sjsing static int 650dbd9f91Sjsing tls13_client_hello_is_legacy(CBS *cbs) 660dbd9f91Sjsing { 67c43b2f19Sjsing CBS extensions_block, extensions, extension_data, versions; 68c43b2f19Sjsing uint16_t version, max_version = 0; 690dbd9f91Sjsing uint16_t type; 700dbd9f91Sjsing 710dbd9f91Sjsing CBS_dup(cbs, &extensions_block); 720dbd9f91Sjsing 730dbd9f91Sjsing if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 740dbd9f91Sjsing return 1; 750dbd9f91Sjsing 760dbd9f91Sjsing while (CBS_len(&extensions) > 0) { 770dbd9f91Sjsing if (!CBS_get_u16(&extensions, &type)) 780dbd9f91Sjsing return 1; 790dbd9f91Sjsing if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 800dbd9f91Sjsing return 1; 810dbd9f91Sjsing 820dbd9f91Sjsing if (type != TLSEXT_TYPE_supported_versions) 830dbd9f91Sjsing continue; 84c43b2f19Sjsing if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 850dbd9f91Sjsing return 1; 86c43b2f19Sjsing while (CBS_len(&versions) > 0) { 87c43b2f19Sjsing if (!CBS_get_u16(&versions, &version)) 88c43b2f19Sjsing return 1; 89c43b2f19Sjsing if (version >= max_version) 90c43b2f19Sjsing max_version = version; 91c43b2f19Sjsing } 920dbd9f91Sjsing if (CBS_len(&extension_data) != 0) 930dbd9f91Sjsing return 1; 940dbd9f91Sjsing } 950dbd9f91Sjsing 96c43b2f19Sjsing return (max_version < TLS1_3_VERSION); 970dbd9f91Sjsing } 980dbd9f91Sjsing 9956fdfbb6Stb int 10056fdfbb6Stb tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 10156fdfbb6Stb { 10209f16f60Stb SSL *s = ctx->ssl; 10356fdfbb6Stb 10456fdfbb6Stb /* 10556fdfbb6Stb * RFC 8446, section 9.2. If the ClientHello has supported_versions 10656fdfbb6Stb * containing TLSv1.3, presence or absence of some extensions requires 10756fdfbb6Stb * presence or absence of others. 10856fdfbb6Stb */ 10956fdfbb6Stb 11056fdfbb6Stb /* 1119b551600Stb * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we 1129b551600Stb * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies 1139b551600Stb * that we need both signature_algorithms and supported_groups. 11456fdfbb6Stb */ 115b3d6d0e7Stb if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 116b3d6d0e7Stb if (!tlsext_extension_seen(s, 117b3d6d0e7Stb TLSEXT_TYPE_psk_key_exchange_modes)) 118b3d6d0e7Stb return 0; 119b3d6d0e7Stb } else { 12009f16f60Stb if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 12156fdfbb6Stb return 0; 12209f16f60Stb if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 12356fdfbb6Stb return 0; 12456fdfbb6Stb } 12556fdfbb6Stb 12656fdfbb6Stb /* 1272c901073Stb * supported_groups and key_share must either both be present or 1282c901073Stb * both be absent. 1292c901073Stb */ 13009f16f60Stb if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 13109f16f60Stb tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 1322c901073Stb return 0; 1332c901073Stb 1342c901073Stb /* 13556fdfbb6Stb * XXX - Require server_name from client? If so, we SHOULD enforce 13656fdfbb6Stb * this here - RFC 8446, 9.2. 13756fdfbb6Stb */ 13856fdfbb6Stb 13956fdfbb6Stb return 1; 14056fdfbb6Stb } 14156fdfbb6Stb 142cccb618bStb static const uint8_t tls13_compression_null_only[] = { 0 }; 143cccb618bStb 1440dbd9f91Sjsing static int 1450dbd9f91Sjsing tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 1460dbd9f91Sjsing { 1470dbd9f91Sjsing CBS cipher_suites, client_random, compression_methods, session_id; 14810361718Sjsing STACK_OF(SSL_CIPHER) *ciphers = NULL; 14910361718Sjsing const SSL_CIPHER *cipher; 1500dbd9f91Sjsing uint16_t legacy_version; 151cccb618bStb int alert_desc; 1520dbd9f91Sjsing SSL *s = ctx->ssl; 15310361718Sjsing int ret = 0; 1540dbd9f91Sjsing 1550dbd9f91Sjsing if (!CBS_get_u16(cbs, &legacy_version)) 1560dbd9f91Sjsing goto err; 1570dbd9f91Sjsing if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 1580dbd9f91Sjsing goto err; 1590dbd9f91Sjsing if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 1600dbd9f91Sjsing goto err; 161c43b2f19Sjsing if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 1620dbd9f91Sjsing goto err; 1630dbd9f91Sjsing if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 1640dbd9f91Sjsing goto err; 1650dbd9f91Sjsing 16635a46db7Sjsing if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 1670dbd9f91Sjsing if (!CBS_skip(cbs, CBS_len(cbs))) 1680dbd9f91Sjsing goto err; 1690dbd9f91Sjsing return tls13_use_legacy_server(ctx); 1700dbd9f91Sjsing } 171d4edc922Sjsing ctx->hs->negotiated_tls_version = TLS1_3_VERSION; 17201f29c58Sjsing ctx->hs->peer_legacy_version = legacy_version; 1730dbd9f91Sjsing 1746f6f3cb9Stb /* Ensure we send subsequent alerts with the correct record version. */ 1756f6f3cb9Stb tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 1766f6f3cb9Stb 177a096b0faSjsing /* 178a096b0faSjsing * Ensure that the client has not requested middlebox compatibility mode 179a096b0faSjsing * if it is prohibited from doing so. 180a096b0faSjsing */ 181a096b0faSjsing if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) { 182a096b0faSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 183a096b0faSjsing goto err; 184a096b0faSjsing } 185a096b0faSjsing 186095832a3Sbeck /* Add decoded values to the current ClientHello hash */ 187095832a3Sbeck if (!tls13_clienthello_hash_init(ctx)) { 188095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 189095832a3Sbeck goto err; 190095832a3Sbeck } 191095832a3Sbeck if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 192095832a3Sbeck sizeof(legacy_version))) { 193095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 194095832a3Sbeck goto err; 195095832a3Sbeck } 196095832a3Sbeck if (!tls13_clienthello_hash_update(ctx, &client_random)) { 197095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 198095832a3Sbeck goto err; 199095832a3Sbeck } 200095832a3Sbeck if (!tls13_clienthello_hash_update(ctx, &session_id)) { 201095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 202095832a3Sbeck goto err; 203095832a3Sbeck } 204095832a3Sbeck if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 205095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 206095832a3Sbeck goto err; 207095832a3Sbeck } 208095832a3Sbeck if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 209095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 210095832a3Sbeck goto err; 211095832a3Sbeck } 212095832a3Sbeck 2139b8a142fStb if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 21410361718Sjsing ctx->alert = alert_desc; 2150dbd9f91Sjsing goto err; 21610361718Sjsing } 2170dbd9f91Sjsing 218095832a3Sbeck /* Finalize first ClientHello hash, or validate against it */ 219d4edc922Sjsing if (!ctx->hs->tls13.hrr) { 220095832a3Sbeck if (!tls13_clienthello_hash_finalize(ctx)) { 221095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 222095832a3Sbeck goto err; 223095832a3Sbeck } 224095832a3Sbeck } else { 225095832a3Sbeck if (!tls13_clienthello_hash_validate(ctx)) { 226095832a3Sbeck ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 227095832a3Sbeck goto err; 228095832a3Sbeck } 229d4edc922Sjsing tls13_clienthello_hash_clear(&ctx->hs->tls13); 230095832a3Sbeck } 231095832a3Sbeck 23256fdfbb6Stb if (!tls13_client_hello_required_extensions(ctx)) { 23356fdfbb6Stb ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 23456fdfbb6Stb goto err; 23556fdfbb6Stb } 23656fdfbb6Stb 23710361718Sjsing /* 23810361718Sjsing * If we got this far we have a supported versions extension that offers 23910361718Sjsing * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 24010361718Sjsing */ 24110361718Sjsing if (legacy_version != TLS1_2_VERSION) { 242c957d00cSjsing ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 24310361718Sjsing goto err; 24410361718Sjsing } 24510361718Sjsing 246a096b0faSjsing /* 247a096b0faSjsing * The legacy session identifier must either be zero length or a 32 byte 248a096b0faSjsing * value (in which case the client is requesting middlebox compatibility 249a096b0faSjsing * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value 250a096b0faSjsing * so that we can echo it back to the client. 251a096b0faSjsing */ 252a096b0faSjsing if (CBS_len(&session_id) != 0 && 253a096b0faSjsing CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) { 254c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 2553365064dSjsing goto err; 2563365064dSjsing } 257d4edc922Sjsing if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 258d4edc922Sjsing sizeof(ctx->hs->tls13.legacy_session_id), 259d4edc922Sjsing &ctx->hs->tls13.legacy_session_id_len)) { 260095832a3Sbeck ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 2613365064dSjsing goto err; 262095832a3Sbeck } 2633365064dSjsing 26410361718Sjsing /* Parse cipher suites list and select preferred cipher. */ 26510361718Sjsing if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 266c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 26710361718Sjsing goto err; 26810361718Sjsing } 26910361718Sjsing cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 27010361718Sjsing if (cipher == NULL) { 27110361718Sjsing tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 27210361718Sjsing "no shared cipher found", NULL); 273c957d00cSjsing ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 27410361718Sjsing goto err; 27510361718Sjsing } 276661440b7Sjsing ctx->hs->cipher = cipher; 27710361718Sjsing 2781a5be6e3Sjsing sk_SSL_CIPHER_free(s->s3->hs.client_ciphers); 2791a5be6e3Sjsing s->s3->hs.client_ciphers = ciphers; 2805fd104f8Stb ciphers = NULL; 2815fd104f8Stb 282cccb618bStb /* Ensure only the NULL compression method is advertised. */ 283cccb618bStb if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 284cccb618bStb sizeof(tls13_compression_null_only))) { 285c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 28610361718Sjsing goto err; 28710361718Sjsing } 28810361718Sjsing 28910361718Sjsing ret = 1; 2900dbd9f91Sjsing 2910dbd9f91Sjsing err: 29210361718Sjsing sk_SSL_CIPHER_free(ciphers); 29310361718Sjsing 29410361718Sjsing return ret; 2950dbd9f91Sjsing } 2960dbd9f91Sjsing 2970dbd9f91Sjsing int 2980571c2d6Sjsing tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 299eb818a3eSjsing { 3000dbd9f91Sjsing SSL *s = ctx->ssl; 3010dbd9f91Sjsing 3020dbd9f91Sjsing if (!tls13_client_hello_process(ctx, cbs)) 3030dbd9f91Sjsing goto err; 3040dbd9f91Sjsing 3050dbd9f91Sjsing /* See if we switched back to the legacy client method. */ 3066ba40c14Sjsing if (s->method->version < TLS1_3_VERSION) 3070dbd9f91Sjsing return 1; 3080dbd9f91Sjsing 3095c60a123Sjsing /* 310f113bc44Sjsing * If a matching key share was provided, we do not need to send a 311f113bc44Sjsing * HelloRetryRequest. 312f113bc44Sjsing */ 313f113bc44Sjsing /* 314f113bc44Sjsing * XXX - ideally NEGOTIATED would only be added after record protection 315f113bc44Sjsing * has been enabled. This would probably mean using either an 316f113bc44Sjsing * INITIAL | WITHOUT_HRR state, or another intermediate state. 3175c60a123Sjsing */ 318b8e3503dSjsing if (ctx->hs->key_share != NULL) 319f113bc44Sjsing ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 3205c60a123Sjsing 321138e3c44Stb tls13_record_layer_allow_ccs(ctx->rl, 1); 322138e3c44Stb 3230dbd9f91Sjsing return 1; 3240dbd9f91Sjsing 3250dbd9f91Sjsing err: 326eb818a3eSjsing return 0; 327eb818a3eSjsing } 328eb818a3eSjsing 329d0445389Sjsing static int 330f62c22f4Sjsing tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 331d0445389Sjsing { 332f62c22f4Sjsing uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 333f62c22f4Sjsing const uint8_t *server_random; 334d0445389Sjsing CBB session_id; 335d0445389Sjsing SSL *s = ctx->ssl; 336d0445389Sjsing uint16_t cipher; 337d0445389Sjsing 338661440b7Sjsing cipher = SSL_CIPHER_get_value(ctx->hs->cipher); 339f62c22f4Sjsing server_random = s->s3->server_random; 340f62c22f4Sjsing 341f62c22f4Sjsing if (hrr) { 342f62c22f4Sjsing server_random = tls13_hello_retry_request_hash; 343f62c22f4Sjsing tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 344f62c22f4Sjsing } 345d0445389Sjsing 346d0445389Sjsing if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 347d0445389Sjsing goto err; 348f62c22f4Sjsing if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 349d0445389Sjsing goto err; 350d0445389Sjsing if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 351d0445389Sjsing goto err; 352d4edc922Sjsing if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 353d4edc922Sjsing ctx->hs->tls13.legacy_session_id_len)) 354d0445389Sjsing goto err; 355d0445389Sjsing if (!CBB_add_u16(cbb, cipher)) 356d0445389Sjsing goto err; 357d0445389Sjsing if (!CBB_add_u8(cbb, 0)) 358d0445389Sjsing goto err; 3599b8a142fStb if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 360d0445389Sjsing goto err; 361d0445389Sjsing 362d0445389Sjsing if (!CBB_flush(cbb)) 363d0445389Sjsing goto err; 364d0445389Sjsing 365d0445389Sjsing return 1; 366d0445389Sjsing err: 367d0445389Sjsing return 0; 368d0445389Sjsing } 369d0445389Sjsing 3707752f9fdSjsing static int 3717752f9fdSjsing tls13_server_engage_record_protection(struct tls13_ctx *ctx) 372d0445389Sjsing { 373d0445389Sjsing struct tls13_secrets *secrets; 374d0445389Sjsing struct tls13_secret context; 375d0445389Sjsing unsigned char buf[EVP_MAX_MD_SIZE]; 376d0445389Sjsing uint8_t *shared_key = NULL; 377d0445389Sjsing size_t shared_key_len = 0; 378d0445389Sjsing size_t hash_len; 379d0445389Sjsing SSL *s = ctx->ssl; 380d0445389Sjsing int ret = 0; 381d0445389Sjsing 382aebe2672Sjsing if (!tls_key_share_derive(ctx->hs->key_share, &shared_key, 383aebe2672Sjsing &shared_key_len)) 384d0445389Sjsing goto err; 385d0445389Sjsing 386*f4fe6251Sjsing s->session->cipher_value = ctx->hs->cipher->value; 387d0445389Sjsing 388661440b7Sjsing if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 389d0445389Sjsing goto err; 390661440b7Sjsing if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 391d0445389Sjsing goto err; 392d0445389Sjsing 393d0445389Sjsing if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 394d0445389Sjsing goto err; 395d4edc922Sjsing ctx->hs->tls13.secrets = secrets; 396d0445389Sjsing 397d0445389Sjsing /* XXX - pass in hash. */ 398d0445389Sjsing if (!tls1_transcript_hash_init(s)) 399d0445389Sjsing goto err; 400d0445389Sjsing tls1_transcript_free(s); 401d0445389Sjsing if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 402d0445389Sjsing goto err; 403d0445389Sjsing context.data = buf; 404d0445389Sjsing context.len = hash_len; 405d0445389Sjsing 406d0445389Sjsing /* Early secrets. */ 407d0445389Sjsing if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 408d0445389Sjsing secrets->zeros.len, &context)) 409d0445389Sjsing goto err; 410d0445389Sjsing 411d0445389Sjsing /* Handshake secrets. */ 412d4edc922Sjsing if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 413d0445389Sjsing shared_key_len, &context)) 414d0445389Sjsing goto err; 415d0445389Sjsing 416d0445389Sjsing tls13_record_layer_set_aead(ctx->rl, ctx->aead); 417d0445389Sjsing tls13_record_layer_set_hash(ctx->rl, ctx->hash); 418d0445389Sjsing 419d0445389Sjsing if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 4206ea83a9dSjsing &secrets->client_handshake_traffic, ssl_encryption_handshake)) 421d0445389Sjsing goto err; 422d0445389Sjsing if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 4236ea83a9dSjsing &secrets->server_handshake_traffic, ssl_encryption_handshake)) 424d0445389Sjsing goto err; 425d0445389Sjsing 426d0445389Sjsing ctx->handshake_stage.hs_type |= NEGOTIATED; 427d0445389Sjsing if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 428d0445389Sjsing ctx->handshake_stage.hs_type |= WITHOUT_CR; 429d0445389Sjsing 430d0445389Sjsing ret = 1; 431d0445389Sjsing 432d0445389Sjsing err: 433d0445389Sjsing freezero(shared_key, shared_key_len); 434d0445389Sjsing return ret; 435d0445389Sjsing } 436d0445389Sjsing 437d0445389Sjsing int 4387752f9fdSjsing tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 4397752f9fdSjsing { 440f62c22f4Sjsing int nid; 441f62c22f4Sjsing 442d4edc922Sjsing ctx->hs->tls13.hrr = 1; 443e87fcc94Sjsing 444f62c22f4Sjsing if (!tls13_synthetic_handshake_message(ctx)) 4457752f9fdSjsing return 0; 446f62c22f4Sjsing 447b8e3503dSjsing if (ctx->hs->key_share != NULL) 448f62c22f4Sjsing return 0; 449c5270c5dStb if (!tls1_get_supported_group(ctx->ssl, &nid)) 450f62c22f4Sjsing return 0; 451c5270c5dStb if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group)) 452f62c22f4Sjsing return 0; 453f62c22f4Sjsing 454f62c22f4Sjsing if (!tls13_server_hello_build(ctx, cbb, 1)) 455f62c22f4Sjsing return 0; 456f62c22f4Sjsing 457f62c22f4Sjsing return 1; 4587752f9fdSjsing } 4597752f9fdSjsing 4607752f9fdSjsing int 461e0a52b2dStb tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 462e0a52b2dStb { 463e0a52b2dStb /* 464e0a52b2dStb * If the client has requested middlebox compatibility mode, 465e0a52b2dStb * we MUST send a dummy CCS following our first handshake message. 466e0a52b2dStb * See RFC 8446 Appendix D.4. 467e0a52b2dStb */ 468d4edc922Sjsing if (ctx->hs->tls13.legacy_session_id_len > 0) 469e0a52b2dStb ctx->send_dummy_ccs_after = 1; 470e0a52b2dStb 471e0a52b2dStb return 1; 472e0a52b2dStb } 473e0a52b2dStb 474e0a52b2dStb int 4757752f9fdSjsing tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 4767752f9fdSjsing { 477f62c22f4Sjsing SSL *s = ctx->ssl; 478f62c22f4Sjsing 479f62c22f4Sjsing if (!tls13_client_hello_process(ctx, cbs)) 4807752f9fdSjsing return 0; 481f62c22f4Sjsing 482f62c22f4Sjsing /* XXX - need further checks. */ 4836ba40c14Sjsing if (s->method->version < TLS1_3_VERSION) 484f62c22f4Sjsing return 0; 485f62c22f4Sjsing 486d4edc922Sjsing ctx->hs->tls13.hrr = 0; 487ec90fc19Stb 488f62c22f4Sjsing return 1; 4897752f9fdSjsing } 4907752f9fdSjsing 491e4de2a75Sjsing static int 492e4de2a75Sjsing tls13_servername_process(struct tls13_ctx *ctx) 493e4de2a75Sjsing { 494e4de2a75Sjsing uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 495e4de2a75Sjsing 496e4de2a75Sjsing if (!tls13_legacy_servername_process(ctx, &alert)) { 497e4de2a75Sjsing ctx->alert = alert; 498e4de2a75Sjsing return 0; 499e4de2a75Sjsing } 500e4de2a75Sjsing 501e4de2a75Sjsing return 1; 502e4de2a75Sjsing } 503e4de2a75Sjsing 5047752f9fdSjsing int 5057752f9fdSjsing tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 5067752f9fdSjsing { 507b8e3503dSjsing if (ctx->hs->key_share == NULL) 5087752f9fdSjsing return 0; 509b8e3503dSjsing if (!tls_key_share_generate(ctx->hs->key_share)) 5107752f9fdSjsing return 0; 511e4de2a75Sjsing if (!tls13_servername_process(ctx)) 512e4de2a75Sjsing return 0; 5137752f9fdSjsing 514d4edc922Sjsing ctx->hs->tls13.server_group = 0; 515f62c22f4Sjsing 516f62c22f4Sjsing if (!tls13_server_hello_build(ctx, cbb, 0)) 5177752f9fdSjsing return 0; 5187752f9fdSjsing 5197752f9fdSjsing return 1; 5207752f9fdSjsing } 5217752f9fdSjsing 5227752f9fdSjsing int 5237752f9fdSjsing tls13_server_hello_sent(struct tls13_ctx *ctx) 5247752f9fdSjsing { 525e0a52b2dStb /* 526e0a52b2dStb * If the client has requested middlebox compatibility mode, 527e0a52b2dStb * we MUST send a dummy CCS following our first handshake message. 528e0a52b2dStb * See RFC 8446 Appendix D.4. 529e0a52b2dStb */ 530e0a52b2dStb if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 531d4edc922Sjsing ctx->hs->tls13.legacy_session_id_len > 0) 532e0a52b2dStb ctx->send_dummy_ccs_after = 1; 533e0a52b2dStb 5347752f9fdSjsing return tls13_server_engage_record_protection(ctx); 5357752f9fdSjsing } 5367752f9fdSjsing 5377752f9fdSjsing int 538d0445389Sjsing tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 539d0445389Sjsing { 5409b8a142fStb if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 541d0445389Sjsing goto err; 542d0445389Sjsing 543d0445389Sjsing return 1; 544d0445389Sjsing err: 545eb818a3eSjsing return 0; 546eb818a3eSjsing } 547eb818a3eSjsing 548eb818a3eSjsing int 549d0445389Sjsing tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 550eb818a3eSjsing { 551d0445389Sjsing CBB certificate_request_context; 552d0445389Sjsing 553d0445389Sjsing if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 554d0445389Sjsing goto err; 5559b8a142fStb if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 556d0445389Sjsing goto err; 557d0445389Sjsing 558d0445389Sjsing if (!CBB_flush(cbb)) 559d0445389Sjsing goto err; 560d0445389Sjsing 561d0445389Sjsing return 1; 562d0445389Sjsing err: 563eb818a3eSjsing return 0; 564eb818a3eSjsing } 565eb818a3eSjsing 56606121fa9Sjsing static int 567ef36d1f9Sjsing tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk, 56806121fa9Sjsing int *ok, const struct ssl_sigalg **out_sigalg) 56906121fa9Sjsing { 57006121fa9Sjsing const struct ssl_sigalg *sigalg; 57106121fa9Sjsing SSL *s = ctx->ssl; 57206121fa9Sjsing 57306121fa9Sjsing *ok = 0; 57406121fa9Sjsing *out_sigalg = NULL; 57506121fa9Sjsing 57606121fa9Sjsing if (cpk->x509 == NULL || cpk->privatekey == NULL) 57706121fa9Sjsing goto done; 57806121fa9Sjsing 57906121fa9Sjsing /* 58006121fa9Sjsing * The digitalSignature bit MUST be set if the Key Usage extension is 58106121fa9Sjsing * present as per RFC 8446 section 4.4.2.2. 58206121fa9Sjsing */ 583ad70d475Stb if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)) 58406121fa9Sjsing goto done; 58506121fa9Sjsing 58606121fa9Sjsing if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 58706121fa9Sjsing goto done; 58806121fa9Sjsing 58906121fa9Sjsing *ok = 1; 59006121fa9Sjsing *out_sigalg = sigalg; 59106121fa9Sjsing 59206121fa9Sjsing done: 59306121fa9Sjsing return 1; 59406121fa9Sjsing } 59506121fa9Sjsing 59606121fa9Sjsing static int 597ef36d1f9Sjsing tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk, 59806121fa9Sjsing const struct ssl_sigalg **out_sigalg) 59906121fa9Sjsing { 60006121fa9Sjsing SSL *s = ctx->ssl; 60106121fa9Sjsing const struct ssl_sigalg *sigalg; 602ef36d1f9Sjsing SSL_CERT_PKEY *cpk; 60306121fa9Sjsing int cert_ok; 60406121fa9Sjsing 60506121fa9Sjsing *out_cpk = NULL; 60606121fa9Sjsing *out_sigalg = NULL; 60706121fa9Sjsing 60806121fa9Sjsing cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 60906121fa9Sjsing if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 61006121fa9Sjsing return 0; 61106121fa9Sjsing if (cert_ok) 61206121fa9Sjsing goto done; 61306121fa9Sjsing 61406121fa9Sjsing cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 61506121fa9Sjsing if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 61606121fa9Sjsing return 0; 61706121fa9Sjsing if (cert_ok) 61806121fa9Sjsing goto done; 61906121fa9Sjsing 6208121cb11Stb cpk = NULL; 6218121cb11Stb sigalg = NULL; 62206121fa9Sjsing 62306121fa9Sjsing done: 62406121fa9Sjsing *out_cpk = cpk; 62506121fa9Sjsing *out_sigalg = sigalg; 62606121fa9Sjsing 62706121fa9Sjsing return 1; 62806121fa9Sjsing } 62906121fa9Sjsing 630eb818a3eSjsing int 631d0445389Sjsing tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 632d0445389Sjsing { 633d0445389Sjsing SSL *s = ctx->ssl; 634d0445389Sjsing CBB cert_request_context, cert_list; 63506121fa9Sjsing const struct ssl_sigalg *sigalg; 6366db356aeSjsing X509_STORE_CTX *xsc = NULL; 637d0445389Sjsing STACK_OF(X509) *chain; 638ef36d1f9Sjsing SSL_CERT_PKEY *cpk; 639d0445389Sjsing X509 *cert; 640d0445389Sjsing int i, ret = 0; 641d0445389Sjsing 6428121cb11Stb if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 6438121cb11Stb goto err; 6448121cb11Stb 6458121cb11Stb if (cpk == NULL) { 646004f5acbSjsing /* A server must always provide a certificate. */ 647004f5acbSjsing ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 648004f5acbSjsing tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 649004f5acbSjsing "no server certificate", NULL); 650004f5acbSjsing goto err; 651004f5acbSjsing } 652d0445389Sjsing 653d4edc922Sjsing ctx->hs->tls13.cpk = cpk; 654adff4236Sjsing ctx->hs->our_sigalg = sigalg; 65506121fa9Sjsing 656d0445389Sjsing if ((chain = cpk->chain) == NULL) 657d0445389Sjsing chain = s->ctx->extra_certs; 658d0445389Sjsing 6596f7f653bSjsing if (chain == NULL && !(s->mode & SSL_MODE_NO_AUTO_CHAIN)) { 6606db356aeSjsing if ((xsc = X509_STORE_CTX_new()) == NULL) 6616db356aeSjsing goto err; 6626db356aeSjsing if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 6636db356aeSjsing goto err; 664fda9215fSjsing X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 665fda9215fSjsing X509_V_FLAG_LEGACY_VERIFY); 6666db356aeSjsing X509_verify_cert(xsc); 6676db356aeSjsing ERR_clear_error(); 668d3771e01Stb chain = X509_STORE_CTX_get0_chain(xsc); 6696db356aeSjsing } 6706db356aeSjsing 671d0445389Sjsing if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 672d0445389Sjsing goto err; 673d0445389Sjsing if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 674d0445389Sjsing goto err; 675d0445389Sjsing 67617fca910Sbeck if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 677d0445389Sjsing goto err; 678d0445389Sjsing 679d0445389Sjsing for (i = 0; i < sk_X509_num(chain); i++) { 680d0445389Sjsing cert = sk_X509_value(chain, i); 6816db356aeSjsing 6826db356aeSjsing /* 6836db356aeSjsing * In the case of auto chain, the leaf certificate will be at 6846db356aeSjsing * the top of the chain - skip over it as we've already added 6856db356aeSjsing * it earlier. 6866db356aeSjsing */ 6876db356aeSjsing if (i == 0 && cert == cpk->x509) 6886db356aeSjsing continue; 6896db356aeSjsing 69092931873Sbeck /* 69192931873Sbeck * XXX we don't send extensions with chain certs to avoid sending 692db2542aaStb * a leaf ocsp staple with the chain certs. This needs to get 693db2542aaStb * fixed. 69492931873Sbeck */ 69592931873Sbeck if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 696d0445389Sjsing goto err; 697d0445389Sjsing } 698d0445389Sjsing 699d0445389Sjsing if (!CBB_flush(cbb)) 700d0445389Sjsing goto err; 701d0445389Sjsing 702d0445389Sjsing ret = 1; 703d0445389Sjsing 704d0445389Sjsing err: 7056db356aeSjsing X509_STORE_CTX_free(xsc); 7066db356aeSjsing 707d0445389Sjsing return ret; 708d0445389Sjsing } 709d0445389Sjsing 710d0445389Sjsing int 711d0445389Sjsing tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 712d0445389Sjsing { 71306121fa9Sjsing const struct ssl_sigalg *sigalg; 714d0445389Sjsing uint8_t *sig = NULL, *sig_content = NULL; 715d0445389Sjsing size_t sig_len, sig_content_len; 716d0445389Sjsing EVP_MD_CTX *mdctx = NULL; 717d0445389Sjsing EVP_PKEY_CTX *pctx; 718d0445389Sjsing EVP_PKEY *pkey; 719ef36d1f9Sjsing const SSL_CERT_PKEY *cpk; 720d0445389Sjsing CBB sig_cbb; 721d0445389Sjsing int ret = 0; 722d0445389Sjsing 723d0445389Sjsing memset(&sig_cbb, 0, sizeof(sig_cbb)); 724d0445389Sjsing 725d4edc922Sjsing if ((cpk = ctx->hs->tls13.cpk) == NULL) 726d0445389Sjsing goto err; 727adff4236Sjsing if ((sigalg = ctx->hs->our_sigalg) == NULL) 72806121fa9Sjsing goto err; 72906121fa9Sjsing pkey = cpk->privatekey; 730d0445389Sjsing 731d0445389Sjsing if (!CBB_init(&sig_cbb, 0)) 732d0445389Sjsing goto err; 733d0445389Sjsing if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 734d0445389Sjsing sizeof(tls13_cert_verify_pad))) 735d0445389Sjsing goto err; 736d0445389Sjsing if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 737d0445389Sjsing strlen(tls13_cert_server_verify_context))) 738d0445389Sjsing goto err; 739d0445389Sjsing if (!CBB_add_u8(&sig_cbb, 0)) 740d0445389Sjsing goto err; 741d4edc922Sjsing if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 742d4edc922Sjsing ctx->hs->tls13.transcript_hash_len)) 743d0445389Sjsing goto err; 744d0445389Sjsing if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 745d0445389Sjsing goto err; 746d0445389Sjsing 747d0445389Sjsing if ((mdctx = EVP_MD_CTX_new()) == NULL) 748d0445389Sjsing goto err; 749d0445389Sjsing if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 750d0445389Sjsing goto err; 751d0445389Sjsing if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 752d0445389Sjsing if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 753d0445389Sjsing goto err; 754d0445389Sjsing if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 755d0445389Sjsing goto err; 756d0445389Sjsing } 75772ed2a14Stb if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len)) 758d0445389Sjsing goto err; 759d0445389Sjsing if ((sig = calloc(1, sig_len)) == NULL) 760d0445389Sjsing goto err; 76172ed2a14Stb if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len)) 762d0445389Sjsing goto err; 763d0445389Sjsing 764d0445389Sjsing if (!CBB_add_u16(cbb, sigalg->value)) 765d0445389Sjsing goto err; 766d0445389Sjsing if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 767d0445389Sjsing goto err; 768d0445389Sjsing if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 769d0445389Sjsing goto err; 770d0445389Sjsing 771d0445389Sjsing if (!CBB_flush(cbb)) 772d0445389Sjsing goto err; 773d0445389Sjsing 774d0445389Sjsing ret = 1; 775d0445389Sjsing 776d0445389Sjsing err: 777d0445389Sjsing if (!ret && ctx->alert == 0) 778c957d00cSjsing ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 779d0445389Sjsing 780d0445389Sjsing CBB_cleanup(&sig_cbb); 781d0445389Sjsing EVP_MD_CTX_free(mdctx); 782d0445389Sjsing free(sig_content); 783d0445389Sjsing free(sig); 784d0445389Sjsing 785d0445389Sjsing return ret; 786d0445389Sjsing } 787d0445389Sjsing 788d0445389Sjsing int 789d0445389Sjsing tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 790d0445389Sjsing { 791d4edc922Sjsing struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 792d0445389Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 793ab7db32bStb struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 794d0445389Sjsing uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 795d0445389Sjsing size_t transcript_hash_len; 796d0445389Sjsing uint8_t *verify_data; 7977f1ecec5Sjsing size_t verify_data_len; 798d0445389Sjsing unsigned int hlen; 799d0445389Sjsing HMAC_CTX *hmac_ctx = NULL; 8000008d085Stb CBS cbs; 801d0445389Sjsing int ret = 0; 802d0445389Sjsing 803ab7db32bStb if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 804ab7db32bStb goto err; 805d0445389Sjsing 806d0445389Sjsing if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 807d0445389Sjsing &secrets->server_handshake_traffic, "finished", 808d0445389Sjsing &context)) 809d0445389Sjsing goto err; 810d0445389Sjsing 811d0445389Sjsing if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 812d0445389Sjsing sizeof(transcript_hash), &transcript_hash_len)) 813d0445389Sjsing goto err; 814d0445389Sjsing 815d0445389Sjsing if ((hmac_ctx = HMAC_CTX_new()) == NULL) 816d0445389Sjsing goto err; 817d0445389Sjsing if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 818d0445389Sjsing ctx->hash, NULL)) 819d0445389Sjsing goto err; 820d0445389Sjsing if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 821d0445389Sjsing goto err; 822d0445389Sjsing 8237f1ecec5Sjsing verify_data_len = HMAC_size(hmac_ctx); 8247f1ecec5Sjsing if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 825d0445389Sjsing goto err; 826d0445389Sjsing if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 827d0445389Sjsing goto err; 8287f1ecec5Sjsing if (hlen != verify_data_len) 829d0445389Sjsing goto err; 830d0445389Sjsing 8317f1ecec5Sjsing CBS_init(&cbs, verify_data, verify_data_len); 832268dad53Sjsing if (!CBS_write_bytes(&cbs, ctx->hs->finished, 833268dad53Sjsing sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 8340008d085Stb goto err; 8350008d085Stb 836d0445389Sjsing ret = 1; 837d0445389Sjsing 838d0445389Sjsing err: 839ab7db32bStb tls13_secret_cleanup(&finished_key); 840d0445389Sjsing HMAC_CTX_free(hmac_ctx); 841d0445389Sjsing 842d0445389Sjsing return ret; 843d0445389Sjsing } 844d0445389Sjsing 845d0445389Sjsing int 846d0445389Sjsing tls13_server_finished_sent(struct tls13_ctx *ctx) 847d0445389Sjsing { 848d4edc922Sjsing struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 849d0445389Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 850d0445389Sjsing 851d0445389Sjsing /* 852d0445389Sjsing * Derive application traffic keys. 853d0445389Sjsing */ 854d4edc922Sjsing context.data = ctx->hs->tls13.transcript_hash; 855d4edc922Sjsing context.len = ctx->hs->tls13.transcript_hash_len; 856d0445389Sjsing 857d0445389Sjsing if (!tls13_derive_application_secrets(secrets, &context)) 858d0445389Sjsing return 0; 859d0445389Sjsing 860d0445389Sjsing /* 861d0445389Sjsing * Any records following the server finished message must be encrypted 862d0445389Sjsing * using the server application traffic keys. 863d0445389Sjsing */ 864d0445389Sjsing return tls13_record_layer_set_write_traffic_key(ctx->rl, 8656ea83a9dSjsing &secrets->server_application_traffic, ssl_encryption_application); 866d0445389Sjsing } 867d0445389Sjsing 868d0445389Sjsing int 8690571c2d6Sjsing tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 870eb818a3eSjsing { 871f25edc96Sbeck CBS cert_request_context, cert_list, cert_data, cert_exts; 872f25edc96Sbeck struct stack_st_X509 *certs = NULL; 873f25edc96Sbeck SSL *s = ctx->ssl; 874f25edc96Sbeck X509 *cert = NULL; 875f25edc96Sbeck const uint8_t *p; 876f25edc96Sbeck int ret = 0; 877f25edc96Sbeck 878f25edc96Sbeck if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 879f25edc96Sbeck goto err; 880f25edc96Sbeck if (CBS_len(&cert_request_context) != 0) 881f25edc96Sbeck goto err; 882f25edc96Sbeck if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 883f25edc96Sbeck goto err; 88494ac48a6Sjsing if (CBS_len(&cert_list) == 0) { 88594ac48a6Sjsing if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 886f25edc96Sbeck return 1; 88794ac48a6Sjsing ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 88894ac48a6Sjsing tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 88994ac48a6Sjsing "peer did not provide a certificate", NULL); 89094ac48a6Sjsing goto err; 89194ac48a6Sjsing } 892f25edc96Sbeck 893f25edc96Sbeck if ((certs = sk_X509_new_null()) == NULL) 894f25edc96Sbeck goto err; 895f25edc96Sbeck while (CBS_len(&cert_list) > 0) { 896f25edc96Sbeck if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 897f25edc96Sbeck goto err; 898f25edc96Sbeck if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 899f25edc96Sbeck goto err; 900f25edc96Sbeck 901f25edc96Sbeck p = CBS_data(&cert_data); 902f25edc96Sbeck if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 903f25edc96Sbeck goto err; 904f25edc96Sbeck if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 905f25edc96Sbeck goto err; 906f25edc96Sbeck 907f25edc96Sbeck if (!sk_X509_push(certs, cert)) 908f25edc96Sbeck goto err; 909f25edc96Sbeck 910f25edc96Sbeck cert = NULL; 911f25edc96Sbeck } 912f25edc96Sbeck 913f25edc96Sbeck /* 914f25edc96Sbeck * At this stage we still have no proof of possession. As such, it would 915f25edc96Sbeck * be preferable to keep the chain and verify once we have successfully 916f25edc96Sbeck * processed the CertificateVerify message. 917f25edc96Sbeck */ 91894ac48a6Sjsing if (ssl_verify_cert_chain(s, certs) <= 0) { 919f25edc96Sbeck ctx->alert = ssl_verify_alarm_type(s->verify_result); 920f25edc96Sbeck tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 921f25edc96Sbeck "failed to verify peer certificate", NULL); 922f25edc96Sbeck goto err; 923f25edc96Sbeck } 924ad618767Sjsing s->session->verify_result = s->verify_result; 925f25edc96Sbeck ERR_clear_error(); 926f25edc96Sbeck 927ad618767Sjsing if (!tls_process_peer_certs(s, certs)) 928f25edc96Sbeck goto err; 92915b5e1ecSjsing 930f25edc96Sbeck ctx->handshake_stage.hs_type |= WITH_CCV; 931f25edc96Sbeck ret = 1; 932f25edc96Sbeck 933f25edc96Sbeck err: 934f25edc96Sbeck sk_X509_pop_free(certs, X509_free); 935f25edc96Sbeck X509_free(cert); 936f25edc96Sbeck 937f25edc96Sbeck return ret; 938eb818a3eSjsing } 939eb818a3eSjsing 940eb818a3eSjsing int 9410571c2d6Sjsing tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 942eb818a3eSjsing { 943f25edc96Sbeck const struct ssl_sigalg *sigalg; 944f25edc96Sbeck uint16_t signature_scheme; 945f25edc96Sbeck uint8_t *sig_content = NULL; 946f25edc96Sbeck size_t sig_content_len; 947f25edc96Sbeck EVP_MD_CTX *mdctx = NULL; 948f25edc96Sbeck EVP_PKEY_CTX *pctx; 949f25edc96Sbeck EVP_PKEY *pkey; 950f25edc96Sbeck X509 *cert; 951f25edc96Sbeck CBS signature; 952f25edc96Sbeck CBB cbb; 953f25edc96Sbeck int ret = 0; 954f25edc96Sbeck 955f25edc96Sbeck memset(&cbb, 0, sizeof(cbb)); 956f25edc96Sbeck 957f25edc96Sbeck if (!CBS_get_u16(cbs, &signature_scheme)) 958f25edc96Sbeck goto err; 959f25edc96Sbeck if (!CBS_get_u16_length_prefixed(cbs, &signature)) 960f25edc96Sbeck goto err; 961f25edc96Sbeck 962f25edc96Sbeck if (!CBB_init(&cbb, 0)) 963f25edc96Sbeck goto err; 964f25edc96Sbeck if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 965f25edc96Sbeck sizeof(tls13_cert_verify_pad))) 966f25edc96Sbeck goto err; 967f25edc96Sbeck if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 968f25edc96Sbeck strlen(tls13_cert_client_verify_context))) 969f25edc96Sbeck goto err; 970f25edc96Sbeck if (!CBB_add_u8(&cbb, 0)) 971f25edc96Sbeck goto err; 972d4edc922Sjsing if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 973d4edc922Sjsing ctx->hs->tls13.transcript_hash_len)) 974f25edc96Sbeck goto err; 975f25edc96Sbeck if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 976f25edc96Sbeck goto err; 977f25edc96Sbeck 978666c9986Sjsing if ((cert = ctx->ssl->session->peer_cert) == NULL) 979f25edc96Sbeck goto err; 980f25edc96Sbeck if ((pkey = X509_get0_pubkey(cert)) == NULL) 981f25edc96Sbeck goto err; 98221424b10Sjsing if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, 98321424b10Sjsing signature_scheme)) == NULL) 984f25edc96Sbeck goto err; 985adff4236Sjsing ctx->hs->peer_sigalg = sigalg; 986f25edc96Sbeck 987f25edc96Sbeck if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 988f25edc96Sbeck goto err; 989f25edc96Sbeck 990f25edc96Sbeck if ((mdctx = EVP_MD_CTX_new()) == NULL) 991f25edc96Sbeck goto err; 992f25edc96Sbeck if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 993f25edc96Sbeck goto err; 994f25edc96Sbeck if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 995f25edc96Sbeck if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 996f25edc96Sbeck goto err; 997f25edc96Sbeck if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 998f25edc96Sbeck goto err; 999f25edc96Sbeck } 100072ed2a14Stb if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature), 100172ed2a14Stb sig_content, sig_content_len) <= 0) { 1002c957d00cSjsing ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1003f25edc96Sbeck goto err; 1004f25edc96Sbeck } 1005f25edc96Sbeck 1006f25edc96Sbeck ret = 1; 1007f25edc96Sbeck 1008f25edc96Sbeck err: 100906121fa9Sjsing if (!ret && ctx->alert == 0) 1010c957d00cSjsing ctx->alert = TLS13_ALERT_DECODE_ERROR; 101106121fa9Sjsing 1012f25edc96Sbeck CBB_cleanup(&cbb); 1013f25edc96Sbeck EVP_MD_CTX_free(mdctx); 1014f25edc96Sbeck free(sig_content); 1015f25edc96Sbeck 1016f25edc96Sbeck return ret; 1017eb818a3eSjsing } 1018eb818a3eSjsing 1019eb818a3eSjsing int 1020d0445389Sjsing tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1021eb818a3eSjsing { 1022eb818a3eSjsing return 0; 1023eb818a3eSjsing } 1024eb818a3eSjsing 1025eb818a3eSjsing int 102618f4ffe1Sjsing tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 102718f4ffe1Sjsing { 1028d4edc922Sjsing struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 102918f4ffe1Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 103018f4ffe1Sjsing struct tls13_secret finished_key; 103118f4ffe1Sjsing uint8_t *verify_data = NULL; 103218f4ffe1Sjsing size_t verify_data_len; 103318f4ffe1Sjsing uint8_t key[EVP_MAX_MD_SIZE]; 103418f4ffe1Sjsing HMAC_CTX *hmac_ctx = NULL; 103518f4ffe1Sjsing unsigned int hlen; 103618f4ffe1Sjsing int ret = 0; 103718f4ffe1Sjsing 103818f4ffe1Sjsing /* 103918f4ffe1Sjsing * Verify client finished. 104018f4ffe1Sjsing */ 104118f4ffe1Sjsing finished_key.data = key; 104218f4ffe1Sjsing finished_key.len = EVP_MD_size(ctx->hash); 104318f4ffe1Sjsing 104418f4ffe1Sjsing if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 104518f4ffe1Sjsing &secrets->client_handshake_traffic, "finished", 104618f4ffe1Sjsing &context)) 104718f4ffe1Sjsing goto err; 104818f4ffe1Sjsing 104918f4ffe1Sjsing if ((hmac_ctx = HMAC_CTX_new()) == NULL) 105018f4ffe1Sjsing goto err; 105118f4ffe1Sjsing if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 105218f4ffe1Sjsing ctx->hash, NULL)) 105318f4ffe1Sjsing goto err; 1054d4edc922Sjsing if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 1055d4edc922Sjsing ctx->hs->tls13.transcript_hash_len)) 105618f4ffe1Sjsing goto err; 105718f4ffe1Sjsing verify_data_len = HMAC_size(hmac_ctx); 105818f4ffe1Sjsing if ((verify_data = calloc(1, verify_data_len)) == NULL) 105918f4ffe1Sjsing goto err; 106018f4ffe1Sjsing if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 106118f4ffe1Sjsing goto err; 106218f4ffe1Sjsing if (hlen != verify_data_len) 106318f4ffe1Sjsing goto err; 106418f4ffe1Sjsing 106518f4ffe1Sjsing if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1066c957d00cSjsing ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 106718f4ffe1Sjsing goto err; 106818f4ffe1Sjsing } 106918f4ffe1Sjsing 1070268dad53Sjsing if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 1071268dad53Sjsing sizeof(ctx->hs->peer_finished), 1072268dad53Sjsing &ctx->hs->peer_finished_len)) 10730008d085Stb goto err; 10740008d085Stb 107518f4ffe1Sjsing if (!CBS_skip(cbs, verify_data_len)) 107618f4ffe1Sjsing goto err; 107718f4ffe1Sjsing 107818f4ffe1Sjsing /* 107918f4ffe1Sjsing * Any records following the client finished message must be encrypted 108018f4ffe1Sjsing * using the client application traffic keys. 108118f4ffe1Sjsing */ 108218f4ffe1Sjsing if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 10836ea83a9dSjsing &secrets->client_application_traffic, ssl_encryption_application)) 108418f4ffe1Sjsing goto err; 108518f4ffe1Sjsing 108618f4ffe1Sjsing tls13_record_layer_allow_ccs(ctx->rl, 0); 108718f4ffe1Sjsing 108818f4ffe1Sjsing ret = 1; 108918f4ffe1Sjsing 109018f4ffe1Sjsing err: 109118f4ffe1Sjsing HMAC_CTX_free(hmac_ctx); 109218f4ffe1Sjsing free(verify_data); 109318f4ffe1Sjsing 109418f4ffe1Sjsing return ret; 1095eb818a3eSjsing } 1096