1 /* $OpenBSD: tls13_server.c,v 1.69 2021/01/09 10:41:48 tb Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/x509v3.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_tlsext.h" 23 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_server_init(struct tls13_ctx *ctx) 29 { 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 33 &ctx->hs->max_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->max_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53 } 54 55 int 56 tls13_server_accept(struct tls13_ctx *ctx) 57 { 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62 } 63 64 static int 65 tls13_client_hello_is_legacy(CBS *cbs) 66 { 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97 } 98 99 int 100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101 { 102 SSL *s = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * If we got no pre_shared_key, then signature_algorithms and 112 * supported_groups must both be present. 113 */ 114 if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 115 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 116 return 0; 117 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 118 return 0; 119 } 120 121 /* 122 * supported_groups and key_share must either both be present or 123 * both be absent. 124 */ 125 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 126 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 127 return 0; 128 129 /* 130 * XXX - Require server_name from client? If so, we SHOULD enforce 131 * this here - RFC 8446, 9.2. 132 */ 133 134 return 1; 135 } 136 137 static const uint8_t tls13_compression_null_only[] = { 0 }; 138 139 static int 140 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 141 { 142 CBS cipher_suites, client_random, compression_methods, session_id; 143 STACK_OF(SSL_CIPHER) *ciphers = NULL; 144 const SSL_CIPHER *cipher; 145 uint16_t legacy_version; 146 int alert_desc; 147 SSL *s = ctx->ssl; 148 int ret = 0; 149 150 if (!CBS_get_u16(cbs, &legacy_version)) 151 goto err; 152 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 153 goto err; 154 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 155 goto err; 156 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 157 goto err; 158 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 159 goto err; 160 161 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 162 if (!CBS_skip(cbs, CBS_len(cbs))) 163 goto err; 164 return tls13_use_legacy_server(ctx); 165 } 166 167 /* Add decoded values to the current ClientHello hash */ 168 if (!tls13_clienthello_hash_init(ctx)) { 169 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 170 goto err; 171 } 172 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 173 sizeof(legacy_version))) { 174 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 175 goto err; 176 } 177 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 178 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 179 goto err; 180 } 181 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 182 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 183 goto err; 184 } 185 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 186 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 187 goto err; 188 } 189 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 190 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 191 goto err; 192 } 193 194 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 195 ctx->alert = alert_desc; 196 goto err; 197 } 198 199 /* Finalize first ClientHello hash, or validate against it */ 200 if (!ctx->hs->hrr) { 201 if (!tls13_clienthello_hash_finalize(ctx)) { 202 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 203 goto err; 204 } 205 } else { 206 if (!tls13_clienthello_hash_validate(ctx)) { 207 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 208 goto err; 209 } 210 tls13_clienthello_hash_clear(ctx->hs); 211 } 212 213 if (!tls13_client_hello_required_extensions(ctx)) { 214 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 215 goto err; 216 } 217 218 /* 219 * If we got this far we have a supported versions extension that offers 220 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 221 */ 222 if (legacy_version != TLS1_2_VERSION) { 223 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 224 goto err; 225 } 226 227 /* Store legacy session identifier so we can echo it. */ 228 if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 229 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 230 goto err; 231 } 232 if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 233 sizeof(ctx->hs->legacy_session_id), 234 &ctx->hs->legacy_session_id_len)) { 235 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 236 goto err; 237 } 238 239 /* Parse cipher suites list and select preferred cipher. */ 240 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 241 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 242 goto err; 243 } 244 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 245 if (cipher == NULL) { 246 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 247 "no shared cipher found", NULL); 248 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 249 goto err; 250 } 251 S3I(s)->hs.new_cipher = cipher; 252 253 sk_SSL_CIPHER_free(s->session->ciphers); 254 s->session->ciphers = ciphers; 255 ciphers = NULL; 256 257 /* Ensure only the NULL compression method is advertised. */ 258 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 259 sizeof(tls13_compression_null_only))) { 260 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 261 goto err; 262 } 263 264 ret = 1; 265 266 err: 267 sk_SSL_CIPHER_free(ciphers); 268 269 return ret; 270 } 271 272 int 273 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 274 { 275 SSL *s = ctx->ssl; 276 277 if (!tls13_client_hello_process(ctx, cbs)) 278 goto err; 279 280 /* See if we switched back to the legacy client method. */ 281 if (s->method->internal->version < TLS1_3_VERSION) 282 return 1; 283 284 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 285 286 /* 287 * If a matching key share was provided, we do not need to send a 288 * HelloRetryRequest. 289 */ 290 /* 291 * XXX - ideally NEGOTIATED would only be added after record protection 292 * has been enabled. This would probably mean using either an 293 * INITIAL | WITHOUT_HRR state, or another intermediate state. 294 */ 295 if (ctx->hs->key_share != NULL) 296 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 297 298 /* XXX - check this is the correct point */ 299 tls13_record_layer_allow_ccs(ctx->rl, 1); 300 301 return 1; 302 303 err: 304 return 0; 305 } 306 307 static int 308 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 309 { 310 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 311 const uint8_t *server_random; 312 CBB session_id; 313 SSL *s = ctx->ssl; 314 uint16_t cipher; 315 316 cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 317 server_random = s->s3->server_random; 318 319 if (hrr) { 320 server_random = tls13_hello_retry_request_hash; 321 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 322 } 323 324 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 325 goto err; 326 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 327 goto err; 328 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 329 goto err; 330 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 331 ctx->hs->legacy_session_id_len)) 332 goto err; 333 if (!CBB_add_u16(cbb, cipher)) 334 goto err; 335 if (!CBB_add_u8(cbb, 0)) 336 goto err; 337 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 338 goto err; 339 340 if (!CBB_flush(cbb)) 341 goto err; 342 343 return 1; 344 err: 345 return 0; 346 } 347 348 static int 349 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 350 { 351 struct tls13_secrets *secrets; 352 struct tls13_secret context; 353 unsigned char buf[EVP_MAX_MD_SIZE]; 354 uint8_t *shared_key = NULL; 355 size_t shared_key_len = 0; 356 size_t hash_len; 357 SSL *s = ctx->ssl; 358 int ret = 0; 359 360 if (!tls13_key_share_derive(ctx->hs->key_share, 361 &shared_key, &shared_key_len)) 362 goto err; 363 364 s->session->cipher = S3I(s)->hs.new_cipher; 365 366 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 367 goto err; 368 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 369 goto err; 370 371 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 372 goto err; 373 ctx->hs->secrets = secrets; 374 375 /* XXX - pass in hash. */ 376 if (!tls1_transcript_hash_init(s)) 377 goto err; 378 tls1_transcript_free(s); 379 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 380 goto err; 381 context.data = buf; 382 context.len = hash_len; 383 384 /* Early secrets. */ 385 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 386 secrets->zeros.len, &context)) 387 goto err; 388 389 /* Handshake secrets. */ 390 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 391 shared_key_len, &context)) 392 goto err; 393 394 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 395 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 396 397 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 398 &secrets->client_handshake_traffic)) 399 goto err; 400 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 401 &secrets->server_handshake_traffic)) 402 goto err; 403 404 ctx->handshake_stage.hs_type |= NEGOTIATED; 405 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 406 ctx->handshake_stage.hs_type |= WITHOUT_CR; 407 408 ret = 1; 409 410 err: 411 freezero(shared_key, shared_key_len); 412 return ret; 413 } 414 415 int 416 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 417 { 418 int nid; 419 420 ctx->hs->hrr = 1; 421 422 if (!tls13_synthetic_handshake_message(ctx)) 423 return 0; 424 425 if (ctx->hs->key_share != NULL) 426 return 0; 427 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 428 return 0; 429 if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) 430 return 0; 431 432 if (!tls13_server_hello_build(ctx, cbb, 1)) 433 return 0; 434 435 return 1; 436 } 437 438 int 439 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 440 { 441 /* 442 * If the client has requested middlebox compatibility mode, 443 * we MUST send a dummy CCS following our first handshake message. 444 * See RFC 8446 Appendix D.4. 445 */ 446 if (ctx->hs->legacy_session_id_len > 0) 447 ctx->send_dummy_ccs_after = 1; 448 449 return 1; 450 } 451 452 int 453 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 454 { 455 SSL *s = ctx->ssl; 456 457 if (!tls13_client_hello_process(ctx, cbs)) 458 return 0; 459 460 /* XXX - need further checks. */ 461 if (s->method->internal->version < TLS1_3_VERSION) 462 return 0; 463 464 ctx->hs->hrr = 0; 465 466 return 1; 467 } 468 469 static int 470 tls13_servername_process(struct tls13_ctx *ctx) 471 { 472 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 473 474 if (!tls13_legacy_servername_process(ctx, &alert)) { 475 ctx->alert = alert; 476 return 0; 477 } 478 479 return 1; 480 } 481 482 int 483 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 484 { 485 if (ctx->hs->key_share == NULL) 486 return 0; 487 if (!tls13_key_share_generate(ctx->hs->key_share)) 488 return 0; 489 if (!tls13_servername_process(ctx)) 490 return 0; 491 492 ctx->hs->server_group = 0; 493 494 if (!tls13_server_hello_build(ctx, cbb, 0)) 495 return 0; 496 497 return 1; 498 } 499 500 int 501 tls13_server_hello_sent(struct tls13_ctx *ctx) 502 { 503 /* 504 * If the client has requested middlebox compatibility mode, 505 * we MUST send a dummy CCS following our first handshake message. 506 * See RFC 8446 Appendix D.4. 507 */ 508 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 509 ctx->hs->legacy_session_id_len > 0) 510 ctx->send_dummy_ccs_after = 1; 511 512 return tls13_server_engage_record_protection(ctx); 513 } 514 515 int 516 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 517 { 518 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 519 goto err; 520 521 return 1; 522 err: 523 return 0; 524 } 525 526 int 527 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 528 { 529 CBB certificate_request_context; 530 531 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 532 goto err; 533 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 534 goto err; 535 536 if (!CBB_flush(cbb)) 537 goto err; 538 539 return 1; 540 err: 541 return 0; 542 } 543 544 static int 545 tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, 546 int *ok, const struct ssl_sigalg **out_sigalg) 547 { 548 const struct ssl_sigalg *sigalg; 549 SSL *s = ctx->ssl; 550 551 *ok = 0; 552 *out_sigalg = NULL; 553 554 if (cpk->x509 == NULL || cpk->privatekey == NULL) 555 goto done; 556 557 if (!X509_check_purpose(cpk->x509, -1, 0)) 558 return 0; 559 560 /* 561 * The digitalSignature bit MUST be set if the Key Usage extension is 562 * present as per RFC 8446 section 4.4.2.2. 563 */ 564 if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && 565 !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) 566 goto done; 567 568 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 569 goto done; 570 571 *ok = 1; 572 *out_sigalg = sigalg; 573 574 done: 575 return 1; 576 } 577 578 static int 579 tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, 580 const struct ssl_sigalg **out_sigalg) 581 { 582 SSL *s = ctx->ssl; 583 const struct ssl_sigalg *sigalg; 584 CERT_PKEY *cpk; 585 int cert_ok; 586 587 *out_cpk = NULL; 588 *out_sigalg = NULL; 589 590 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 591 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 592 return 0; 593 if (cert_ok) 594 goto done; 595 596 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 597 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 598 return 0; 599 if (cert_ok) 600 goto done; 601 602 cpk = NULL; 603 sigalg = NULL; 604 605 done: 606 *out_cpk = cpk; 607 *out_sigalg = sigalg; 608 609 return 1; 610 } 611 612 int 613 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 614 { 615 SSL *s = ctx->ssl; 616 CBB cert_request_context, cert_list; 617 const struct ssl_sigalg *sigalg; 618 X509_STORE_CTX *xsc = NULL; 619 STACK_OF(X509) *chain; 620 CERT_PKEY *cpk; 621 X509 *cert; 622 int i, ret = 0; 623 624 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 625 goto err; 626 627 if (cpk == NULL) { 628 /* A server must always provide a certificate. */ 629 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 630 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 631 "no server certificate", NULL); 632 goto err; 633 } 634 635 ctx->hs->cpk = cpk; 636 ctx->hs->sigalg = sigalg; 637 638 if ((chain = cpk->chain) == NULL) 639 chain = s->ctx->extra_certs; 640 641 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { 642 if ((xsc = X509_STORE_CTX_new()) == NULL) 643 goto err; 644 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 645 goto err; 646 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 647 X509_V_FLAG_LEGACY_VERIFY); 648 X509_verify_cert(xsc); 649 ERR_clear_error(); 650 chain = xsc->chain; 651 } 652 653 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 654 goto err; 655 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 656 goto err; 657 658 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 659 goto err; 660 661 for (i = 0; i < sk_X509_num(chain); i++) { 662 cert = sk_X509_value(chain, i); 663 664 /* 665 * In the case of auto chain, the leaf certificate will be at 666 * the top of the chain - skip over it as we've already added 667 * it earlier. 668 */ 669 if (i == 0 && cert == cpk->x509) 670 continue; 671 672 /* 673 * XXX we don't send extensions with chain certs to avoid sending 674 * a leaf ocsp staple with the chain certs. This needs to get 675 * fixed. 676 */ 677 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 678 goto err; 679 } 680 681 if (!CBB_flush(cbb)) 682 goto err; 683 684 ret = 1; 685 686 err: 687 X509_STORE_CTX_free(xsc); 688 689 return ret; 690 } 691 692 int 693 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 694 { 695 const struct ssl_sigalg *sigalg; 696 uint8_t *sig = NULL, *sig_content = NULL; 697 size_t sig_len, sig_content_len; 698 EVP_MD_CTX *mdctx = NULL; 699 EVP_PKEY_CTX *pctx; 700 EVP_PKEY *pkey; 701 const CERT_PKEY *cpk; 702 CBB sig_cbb; 703 int ret = 0; 704 705 memset(&sig_cbb, 0, sizeof(sig_cbb)); 706 707 if ((cpk = ctx->hs->cpk) == NULL) 708 goto err; 709 if ((sigalg = ctx->hs->sigalg) == NULL) 710 goto err; 711 pkey = cpk->privatekey; 712 713 if (!CBB_init(&sig_cbb, 0)) 714 goto err; 715 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 716 sizeof(tls13_cert_verify_pad))) 717 goto err; 718 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 719 strlen(tls13_cert_server_verify_context))) 720 goto err; 721 if (!CBB_add_u8(&sig_cbb, 0)) 722 goto err; 723 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 724 ctx->hs->transcript_hash_len)) 725 goto err; 726 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 727 goto err; 728 729 if ((mdctx = EVP_MD_CTX_new()) == NULL) 730 goto err; 731 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 732 goto err; 733 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 734 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 735 goto err; 736 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 737 goto err; 738 } 739 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 740 goto err; 741 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 742 goto err; 743 if ((sig = calloc(1, sig_len)) == NULL) 744 goto err; 745 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 746 goto err; 747 748 if (!CBB_add_u16(cbb, sigalg->value)) 749 goto err; 750 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 751 goto err; 752 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 753 goto err; 754 755 if (!CBB_flush(cbb)) 756 goto err; 757 758 ret = 1; 759 760 err: 761 if (!ret && ctx->alert == 0) 762 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 763 764 CBB_cleanup(&sig_cbb); 765 EVP_MD_CTX_free(mdctx); 766 free(sig_content); 767 free(sig); 768 769 return ret; 770 } 771 772 int 773 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 774 { 775 struct tls13_secrets *secrets = ctx->hs->secrets; 776 struct tls13_secret context = { .data = "", .len = 0 }; 777 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 778 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 779 size_t transcript_hash_len; 780 uint8_t *verify_data; 781 size_t verify_data_len; 782 unsigned int hlen; 783 HMAC_CTX *hmac_ctx = NULL; 784 CBS cbs; 785 SSL *s = ctx->ssl; 786 int ret = 0; 787 788 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 789 goto err; 790 791 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 792 &secrets->server_handshake_traffic, "finished", 793 &context)) 794 goto err; 795 796 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 797 sizeof(transcript_hash), &transcript_hash_len)) 798 goto err; 799 800 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 801 goto err; 802 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 803 ctx->hash, NULL)) 804 goto err; 805 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 806 goto err; 807 808 verify_data_len = HMAC_size(hmac_ctx); 809 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 810 goto err; 811 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 812 goto err; 813 if (hlen != verify_data_len) 814 goto err; 815 816 CBS_init(&cbs, verify_data, verify_data_len); 817 if (!CBS_write_bytes(&cbs, S3I(s)->tmp.finish_md, 818 sizeof(S3I(s)->tmp.finish_md), &S3I(s)->tmp.finish_md_len)) 819 goto err; 820 821 ret = 1; 822 823 err: 824 tls13_secret_cleanup(&finished_key); 825 HMAC_CTX_free(hmac_ctx); 826 827 return ret; 828 } 829 830 int 831 tls13_server_finished_sent(struct tls13_ctx *ctx) 832 { 833 struct tls13_secrets *secrets = ctx->hs->secrets; 834 struct tls13_secret context = { .data = "", .len = 0 }; 835 836 /* 837 * Derive application traffic keys. 838 */ 839 context.data = ctx->hs->transcript_hash; 840 context.len = ctx->hs->transcript_hash_len; 841 842 if (!tls13_derive_application_secrets(secrets, &context)) 843 return 0; 844 845 /* 846 * Any records following the server finished message must be encrypted 847 * using the server application traffic keys. 848 */ 849 return tls13_record_layer_set_write_traffic_key(ctx->rl, 850 &secrets->server_application_traffic); 851 } 852 853 int 854 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 855 { 856 CBS cert_request_context, cert_list, cert_data, cert_exts; 857 struct stack_st_X509 *certs = NULL; 858 SSL *s = ctx->ssl; 859 X509 *cert = NULL; 860 EVP_PKEY *pkey; 861 const uint8_t *p; 862 int cert_idx; 863 int ret = 0; 864 865 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 866 goto err; 867 if (CBS_len(&cert_request_context) != 0) 868 goto err; 869 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 870 goto err; 871 if (CBS_len(&cert_list) == 0) { 872 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 873 return 1; 874 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 875 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 876 "peer did not provide a certificate", NULL); 877 goto err; 878 } 879 880 if ((certs = sk_X509_new_null()) == NULL) 881 goto err; 882 while (CBS_len(&cert_list) > 0) { 883 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 884 goto err; 885 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 886 goto err; 887 888 p = CBS_data(&cert_data); 889 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 890 goto err; 891 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 892 goto err; 893 894 if (!sk_X509_push(certs, cert)) 895 goto err; 896 897 cert = NULL; 898 } 899 900 /* 901 * At this stage we still have no proof of possession. As such, it would 902 * be preferable to keep the chain and verify once we have successfully 903 * processed the CertificateVerify message. 904 */ 905 if (ssl_verify_cert_chain(s, certs) <= 0) { 906 ctx->alert = ssl_verify_alarm_type(s->verify_result); 907 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 908 "failed to verify peer certificate", NULL); 909 goto err; 910 } 911 ERR_clear_error(); 912 913 cert = sk_X509_value(certs, 0); 914 X509_up_ref(cert); 915 916 if ((pkey = X509_get0_pubkey(cert)) == NULL) 917 goto err; 918 if (EVP_PKEY_missing_parameters(pkey)) 919 goto err; 920 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 921 goto err; 922 923 ssl_sess_cert_free(SSI(s)->sess_cert); 924 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 925 goto err; 926 927 SSI(s)->sess_cert->cert_chain = certs; 928 certs = NULL; 929 930 X509_up_ref(cert); 931 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 932 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 933 934 X509_free(s->session->peer); 935 936 X509_up_ref(cert); 937 s->session->peer = cert; 938 s->session->verify_result = s->verify_result; 939 940 ctx->handshake_stage.hs_type |= WITH_CCV; 941 ret = 1; 942 943 err: 944 sk_X509_pop_free(certs, X509_free); 945 X509_free(cert); 946 947 return ret; 948 } 949 950 int 951 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 952 { 953 const struct ssl_sigalg *sigalg; 954 uint16_t signature_scheme; 955 uint8_t *sig_content = NULL; 956 size_t sig_content_len; 957 EVP_MD_CTX *mdctx = NULL; 958 EVP_PKEY_CTX *pctx; 959 EVP_PKEY *pkey; 960 X509 *cert; 961 CBS signature; 962 CBB cbb; 963 int ret = 0; 964 965 memset(&cbb, 0, sizeof(cbb)); 966 967 if (!CBS_get_u16(cbs, &signature_scheme)) 968 goto err; 969 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 970 goto err; 971 972 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 973 tls13_sigalgs_len)) == NULL) 974 goto err; 975 976 if (!CBB_init(&cbb, 0)) 977 goto err; 978 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 979 sizeof(tls13_cert_verify_pad))) 980 goto err; 981 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 982 strlen(tls13_cert_client_verify_context))) 983 goto err; 984 if (!CBB_add_u8(&cbb, 0)) 985 goto err; 986 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 987 ctx->hs->transcript_hash_len)) 988 goto err; 989 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 990 goto err; 991 992 if ((cert = ctx->ssl->session->peer) == NULL) 993 goto err; 994 if ((pkey = X509_get0_pubkey(cert)) == NULL) 995 goto err; 996 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 997 goto err; 998 999 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 1000 goto err; 1001 1002 if ((mdctx = EVP_MD_CTX_new()) == NULL) 1003 goto err; 1004 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 1005 goto err; 1006 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 1007 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 1008 goto err; 1009 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 1010 goto err; 1011 } 1012 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 1013 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1014 goto err; 1015 } 1016 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 1017 CBS_len(&signature)) <= 0) { 1018 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1019 goto err; 1020 } 1021 1022 ret = 1; 1023 1024 err: 1025 if (!ret && ctx->alert == 0) 1026 ctx->alert = TLS13_ALERT_DECODE_ERROR; 1027 1028 CBB_cleanup(&cbb); 1029 EVP_MD_CTX_free(mdctx); 1030 free(sig_content); 1031 1032 return ret; 1033 } 1034 1035 int 1036 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1037 { 1038 return 0; 1039 } 1040 1041 int 1042 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1043 { 1044 struct tls13_secrets *secrets = ctx->hs->secrets; 1045 struct tls13_secret context = { .data = "", .len = 0 }; 1046 struct tls13_secret finished_key; 1047 uint8_t *verify_data = NULL; 1048 size_t verify_data_len; 1049 uint8_t key[EVP_MAX_MD_SIZE]; 1050 HMAC_CTX *hmac_ctx = NULL; 1051 unsigned int hlen; 1052 SSL *s = ctx->ssl; 1053 int ret = 0; 1054 1055 /* 1056 * Verify client finished. 1057 */ 1058 finished_key.data = key; 1059 finished_key.len = EVP_MD_size(ctx->hash); 1060 1061 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1062 &secrets->client_handshake_traffic, "finished", 1063 &context)) 1064 goto err; 1065 1066 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1067 goto err; 1068 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1069 ctx->hash, NULL)) 1070 goto err; 1071 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 1072 ctx->hs->transcript_hash_len)) 1073 goto err; 1074 verify_data_len = HMAC_size(hmac_ctx); 1075 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1076 goto err; 1077 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1078 goto err; 1079 if (hlen != verify_data_len) 1080 goto err; 1081 1082 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1083 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1084 goto err; 1085 } 1086 1087 if (!CBS_write_bytes(cbs, S3I(s)->tmp.peer_finish_md, 1088 sizeof(S3I(s)->tmp.peer_finish_md), 1089 &S3I(s)->tmp.peer_finish_md_len)) 1090 goto err; 1091 1092 if (!CBS_skip(cbs, verify_data_len)) 1093 goto err; 1094 1095 /* 1096 * Any records following the client finished message must be encrypted 1097 * using the client application traffic keys. 1098 */ 1099 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1100 &secrets->client_application_traffic)) 1101 goto err; 1102 1103 tls13_record_layer_allow_ccs(ctx->rl, 0); 1104 1105 ret = 1; 1106 1107 err: 1108 HMAC_CTX_free(hmac_ctx); 1109 free(verify_data); 1110 1111 return ret; 1112 } 1113