1 /* $OpenBSD: tls13_server.c,v 1.87 2021/10/25 10:01:46 jsing Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/x509v3.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_sigalgs.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_server_init(struct tls13_ctx *ctx) 29 { 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 33 &ctx->hs->our_max_tls_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->our_max_tls_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53 } 54 55 int 56 tls13_server_accept(struct tls13_ctx *ctx) 57 { 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62 } 63 64 static int 65 tls13_client_hello_is_legacy(CBS *cbs) 66 { 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97 } 98 99 int 100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101 { 102 SSL *s = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * If we got no pre_shared_key, then signature_algorithms and 112 * supported_groups must both be present. 113 */ 114 if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 115 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 116 return 0; 117 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 118 return 0; 119 } 120 121 /* 122 * supported_groups and key_share must either both be present or 123 * both be absent. 124 */ 125 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 126 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 127 return 0; 128 129 /* 130 * XXX - Require server_name from client? If so, we SHOULD enforce 131 * this here - RFC 8446, 9.2. 132 */ 133 134 return 1; 135 } 136 137 static const uint8_t tls13_compression_null_only[] = { 0 }; 138 139 static int 140 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 141 { 142 CBS cipher_suites, client_random, compression_methods, session_id; 143 STACK_OF(SSL_CIPHER) *ciphers = NULL; 144 const SSL_CIPHER *cipher; 145 uint16_t legacy_version; 146 int alert_desc; 147 SSL *s = ctx->ssl; 148 int ret = 0; 149 150 if (!CBS_get_u16(cbs, &legacy_version)) 151 goto err; 152 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 153 goto err; 154 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 155 goto err; 156 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 157 goto err; 158 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 159 goto err; 160 161 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 162 if (!CBS_skip(cbs, CBS_len(cbs))) 163 goto err; 164 return tls13_use_legacy_server(ctx); 165 } 166 ctx->hs->negotiated_tls_version = TLS1_3_VERSION; 167 ctx->hs->peer_legacy_version = legacy_version; 168 169 /* Ensure we send subsequent alerts with the correct record version. */ 170 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 171 172 /* Add decoded values to the current ClientHello hash */ 173 if (!tls13_clienthello_hash_init(ctx)) { 174 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 175 goto err; 176 } 177 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 178 sizeof(legacy_version))) { 179 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 180 goto err; 181 } 182 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 183 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 184 goto err; 185 } 186 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 187 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 188 goto err; 189 } 190 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 191 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 192 goto err; 193 } 194 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 195 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 196 goto err; 197 } 198 199 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 200 ctx->alert = alert_desc; 201 goto err; 202 } 203 204 /* Finalize first ClientHello hash, or validate against it */ 205 if (!ctx->hs->tls13.hrr) { 206 if (!tls13_clienthello_hash_finalize(ctx)) { 207 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 208 goto err; 209 } 210 } else { 211 if (!tls13_clienthello_hash_validate(ctx)) { 212 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 213 goto err; 214 } 215 tls13_clienthello_hash_clear(&ctx->hs->tls13); 216 } 217 218 if (!tls13_client_hello_required_extensions(ctx)) { 219 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 220 goto err; 221 } 222 223 /* 224 * If we got this far we have a supported versions extension that offers 225 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 226 */ 227 if (legacy_version != TLS1_2_VERSION) { 228 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 229 goto err; 230 } 231 232 /* Store legacy session identifier so we can echo it. */ 233 if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { 234 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 235 goto err; 236 } 237 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 238 sizeof(ctx->hs->tls13.legacy_session_id), 239 &ctx->hs->tls13.legacy_session_id_len)) { 240 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 241 goto err; 242 } 243 244 /* Parse cipher suites list and select preferred cipher. */ 245 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 246 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 247 goto err; 248 } 249 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 250 if (cipher == NULL) { 251 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 252 "no shared cipher found", NULL); 253 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 254 goto err; 255 } 256 ctx->hs->cipher = cipher; 257 258 sk_SSL_CIPHER_free(s->session->ciphers); 259 s->session->ciphers = ciphers; 260 ciphers = NULL; 261 262 /* Ensure only the NULL compression method is advertised. */ 263 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 264 sizeof(tls13_compression_null_only))) { 265 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 266 goto err; 267 } 268 269 ret = 1; 270 271 err: 272 sk_SSL_CIPHER_free(ciphers); 273 274 return ret; 275 } 276 277 int 278 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 279 { 280 SSL *s = ctx->ssl; 281 282 if (!tls13_client_hello_process(ctx, cbs)) 283 goto err; 284 285 /* See if we switched back to the legacy client method. */ 286 if (s->method->version < TLS1_3_VERSION) 287 return 1; 288 289 /* 290 * If a matching key share was provided, we do not need to send a 291 * HelloRetryRequest. 292 */ 293 /* 294 * XXX - ideally NEGOTIATED would only be added after record protection 295 * has been enabled. This would probably mean using either an 296 * INITIAL | WITHOUT_HRR state, or another intermediate state. 297 */ 298 if (ctx->hs->tls13.key_share != NULL) 299 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 300 301 /* XXX - check this is the correct point */ 302 tls13_record_layer_allow_ccs(ctx->rl, 1); 303 304 return 1; 305 306 err: 307 return 0; 308 } 309 310 static int 311 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 312 { 313 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 314 const uint8_t *server_random; 315 CBB session_id; 316 SSL *s = ctx->ssl; 317 uint16_t cipher; 318 319 cipher = SSL_CIPHER_get_value(ctx->hs->cipher); 320 server_random = s->s3->server_random; 321 322 if (hrr) { 323 server_random = tls13_hello_retry_request_hash; 324 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 325 } 326 327 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 328 goto err; 329 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 330 goto err; 331 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 332 goto err; 333 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 334 ctx->hs->tls13.legacy_session_id_len)) 335 goto err; 336 if (!CBB_add_u16(cbb, cipher)) 337 goto err; 338 if (!CBB_add_u8(cbb, 0)) 339 goto err; 340 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 341 goto err; 342 343 if (!CBB_flush(cbb)) 344 goto err; 345 346 return 1; 347 err: 348 return 0; 349 } 350 351 static int 352 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 353 { 354 struct tls13_secrets *secrets; 355 struct tls13_secret context; 356 unsigned char buf[EVP_MAX_MD_SIZE]; 357 uint8_t *shared_key = NULL; 358 size_t shared_key_len = 0; 359 size_t hash_len; 360 SSL *s = ctx->ssl; 361 int ret = 0; 362 363 if (!tls13_key_share_derive(ctx->hs->tls13.key_share, 364 &shared_key, &shared_key_len)) 365 goto err; 366 367 s->session->cipher = ctx->hs->cipher; 368 369 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 370 goto err; 371 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 372 goto err; 373 374 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 375 goto err; 376 ctx->hs->tls13.secrets = secrets; 377 378 /* XXX - pass in hash. */ 379 if (!tls1_transcript_hash_init(s)) 380 goto err; 381 tls1_transcript_free(s); 382 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 383 goto err; 384 context.data = buf; 385 context.len = hash_len; 386 387 /* Early secrets. */ 388 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 389 secrets->zeros.len, &context)) 390 goto err; 391 392 /* Handshake secrets. */ 393 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 394 shared_key_len, &context)) 395 goto err; 396 397 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 398 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 399 400 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 401 &secrets->client_handshake_traffic)) 402 goto err; 403 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 404 &secrets->server_handshake_traffic)) 405 goto err; 406 407 ctx->handshake_stage.hs_type |= NEGOTIATED; 408 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 409 ctx->handshake_stage.hs_type |= WITHOUT_CR; 410 411 ret = 1; 412 413 err: 414 freezero(shared_key, shared_key_len); 415 return ret; 416 } 417 418 int 419 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 420 { 421 int nid; 422 423 ctx->hs->tls13.hrr = 1; 424 425 if (!tls13_synthetic_handshake_message(ctx)) 426 return 0; 427 428 if (ctx->hs->tls13.key_share != NULL) 429 return 0; 430 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 431 return 0; 432 if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) 433 return 0; 434 435 if (!tls13_server_hello_build(ctx, cbb, 1)) 436 return 0; 437 438 return 1; 439 } 440 441 int 442 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 443 { 444 /* 445 * If the client has requested middlebox compatibility mode, 446 * we MUST send a dummy CCS following our first handshake message. 447 * See RFC 8446 Appendix D.4. 448 */ 449 if (ctx->hs->tls13.legacy_session_id_len > 0) 450 ctx->send_dummy_ccs_after = 1; 451 452 return 1; 453 } 454 455 int 456 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 457 { 458 SSL *s = ctx->ssl; 459 460 if (!tls13_client_hello_process(ctx, cbs)) 461 return 0; 462 463 /* XXX - need further checks. */ 464 if (s->method->version < TLS1_3_VERSION) 465 return 0; 466 467 ctx->hs->tls13.hrr = 0; 468 469 return 1; 470 } 471 472 static int 473 tls13_servername_process(struct tls13_ctx *ctx) 474 { 475 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 476 477 if (!tls13_legacy_servername_process(ctx, &alert)) { 478 ctx->alert = alert; 479 return 0; 480 } 481 482 return 1; 483 } 484 485 int 486 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 487 { 488 if (ctx->hs->tls13.key_share == NULL) 489 return 0; 490 if (!tls13_key_share_generate(ctx->hs->tls13.key_share)) 491 return 0; 492 if (!tls13_servername_process(ctx)) 493 return 0; 494 495 ctx->hs->tls13.server_group = 0; 496 497 if (!tls13_server_hello_build(ctx, cbb, 0)) 498 return 0; 499 500 return 1; 501 } 502 503 int 504 tls13_server_hello_sent(struct tls13_ctx *ctx) 505 { 506 /* 507 * If the client has requested middlebox compatibility mode, 508 * we MUST send a dummy CCS following our first handshake message. 509 * See RFC 8446 Appendix D.4. 510 */ 511 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 512 ctx->hs->tls13.legacy_session_id_len > 0) 513 ctx->send_dummy_ccs_after = 1; 514 515 return tls13_server_engage_record_protection(ctx); 516 } 517 518 int 519 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 520 { 521 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 522 goto err; 523 524 return 1; 525 err: 526 return 0; 527 } 528 529 int 530 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 531 { 532 CBB certificate_request_context; 533 534 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 535 goto err; 536 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 537 goto err; 538 539 if (!CBB_flush(cbb)) 540 goto err; 541 542 return 1; 543 err: 544 return 0; 545 } 546 547 static int 548 tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, 549 int *ok, const struct ssl_sigalg **out_sigalg) 550 { 551 const struct ssl_sigalg *sigalg; 552 SSL *s = ctx->ssl; 553 554 *ok = 0; 555 *out_sigalg = NULL; 556 557 if (cpk->x509 == NULL || cpk->privatekey == NULL) 558 goto done; 559 560 if (!X509_check_purpose(cpk->x509, -1, 0)) 561 return 0; 562 563 /* 564 * The digitalSignature bit MUST be set if the Key Usage extension is 565 * present as per RFC 8446 section 4.4.2.2. 566 */ 567 if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && 568 !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) 569 goto done; 570 571 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 572 goto done; 573 574 *ok = 1; 575 *out_sigalg = sigalg; 576 577 done: 578 return 1; 579 } 580 581 static int 582 tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, 583 const struct ssl_sigalg **out_sigalg) 584 { 585 SSL *s = ctx->ssl; 586 const struct ssl_sigalg *sigalg; 587 CERT_PKEY *cpk; 588 int cert_ok; 589 590 *out_cpk = NULL; 591 *out_sigalg = NULL; 592 593 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 594 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 595 return 0; 596 if (cert_ok) 597 goto done; 598 599 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 600 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 601 return 0; 602 if (cert_ok) 603 goto done; 604 605 cpk = NULL; 606 sigalg = NULL; 607 608 done: 609 *out_cpk = cpk; 610 *out_sigalg = sigalg; 611 612 return 1; 613 } 614 615 int 616 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 617 { 618 SSL *s = ctx->ssl; 619 CBB cert_request_context, cert_list; 620 const struct ssl_sigalg *sigalg; 621 X509_STORE_CTX *xsc = NULL; 622 STACK_OF(X509) *chain; 623 CERT_PKEY *cpk; 624 X509 *cert; 625 int i, ret = 0; 626 627 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 628 goto err; 629 630 if (cpk == NULL) { 631 /* A server must always provide a certificate. */ 632 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 633 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 634 "no server certificate", NULL); 635 goto err; 636 } 637 638 ctx->hs->tls13.cpk = cpk; 639 ctx->hs->our_sigalg = sigalg; 640 641 if ((chain = cpk->chain) == NULL) 642 chain = s->ctx->extra_certs; 643 644 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { 645 if ((xsc = X509_STORE_CTX_new()) == NULL) 646 goto err; 647 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 648 goto err; 649 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 650 X509_V_FLAG_LEGACY_VERIFY); 651 X509_verify_cert(xsc); 652 ERR_clear_error(); 653 chain = X509_STORE_CTX_get0_chain(xsc); 654 } 655 656 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 657 goto err; 658 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 659 goto err; 660 661 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 662 goto err; 663 664 for (i = 0; i < sk_X509_num(chain); i++) { 665 cert = sk_X509_value(chain, i); 666 667 /* 668 * In the case of auto chain, the leaf certificate will be at 669 * the top of the chain - skip over it as we've already added 670 * it earlier. 671 */ 672 if (i == 0 && cert == cpk->x509) 673 continue; 674 675 /* 676 * XXX we don't send extensions with chain certs to avoid sending 677 * a leaf ocsp staple with the chain certs. This needs to get 678 * fixed. 679 */ 680 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 681 goto err; 682 } 683 684 if (!CBB_flush(cbb)) 685 goto err; 686 687 ret = 1; 688 689 err: 690 X509_STORE_CTX_free(xsc); 691 692 return ret; 693 } 694 695 int 696 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 697 { 698 const struct ssl_sigalg *sigalg; 699 uint8_t *sig = NULL, *sig_content = NULL; 700 size_t sig_len, sig_content_len; 701 EVP_MD_CTX *mdctx = NULL; 702 EVP_PKEY_CTX *pctx; 703 EVP_PKEY *pkey; 704 const CERT_PKEY *cpk; 705 CBB sig_cbb; 706 int ret = 0; 707 708 memset(&sig_cbb, 0, sizeof(sig_cbb)); 709 710 if ((cpk = ctx->hs->tls13.cpk) == NULL) 711 goto err; 712 if ((sigalg = ctx->hs->our_sigalg) == NULL) 713 goto err; 714 pkey = cpk->privatekey; 715 716 if (!CBB_init(&sig_cbb, 0)) 717 goto err; 718 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 719 sizeof(tls13_cert_verify_pad))) 720 goto err; 721 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 722 strlen(tls13_cert_server_verify_context))) 723 goto err; 724 if (!CBB_add_u8(&sig_cbb, 0)) 725 goto err; 726 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 727 ctx->hs->tls13.transcript_hash_len)) 728 goto err; 729 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 730 goto err; 731 732 if ((mdctx = EVP_MD_CTX_new()) == NULL) 733 goto err; 734 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 735 goto err; 736 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 737 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 738 goto err; 739 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 740 goto err; 741 } 742 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 743 goto err; 744 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 745 goto err; 746 if ((sig = calloc(1, sig_len)) == NULL) 747 goto err; 748 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 749 goto err; 750 751 if (!CBB_add_u16(cbb, sigalg->value)) 752 goto err; 753 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 754 goto err; 755 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 756 goto err; 757 758 if (!CBB_flush(cbb)) 759 goto err; 760 761 ret = 1; 762 763 err: 764 if (!ret && ctx->alert == 0) 765 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 766 767 CBB_cleanup(&sig_cbb); 768 EVP_MD_CTX_free(mdctx); 769 free(sig_content); 770 free(sig); 771 772 return ret; 773 } 774 775 int 776 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 777 { 778 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 779 struct tls13_secret context = { .data = "", .len = 0 }; 780 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 781 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 782 size_t transcript_hash_len; 783 uint8_t *verify_data; 784 size_t verify_data_len; 785 unsigned int hlen; 786 HMAC_CTX *hmac_ctx = NULL; 787 CBS cbs; 788 int ret = 0; 789 790 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 791 goto err; 792 793 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 794 &secrets->server_handshake_traffic, "finished", 795 &context)) 796 goto err; 797 798 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 799 sizeof(transcript_hash), &transcript_hash_len)) 800 goto err; 801 802 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 803 goto err; 804 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 805 ctx->hash, NULL)) 806 goto err; 807 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 808 goto err; 809 810 verify_data_len = HMAC_size(hmac_ctx); 811 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 812 goto err; 813 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 814 goto err; 815 if (hlen != verify_data_len) 816 goto err; 817 818 CBS_init(&cbs, verify_data, verify_data_len); 819 if (!CBS_write_bytes(&cbs, ctx->hs->finished, 820 sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 821 goto err; 822 823 ret = 1; 824 825 err: 826 tls13_secret_cleanup(&finished_key); 827 HMAC_CTX_free(hmac_ctx); 828 829 return ret; 830 } 831 832 int 833 tls13_server_finished_sent(struct tls13_ctx *ctx) 834 { 835 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 836 struct tls13_secret context = { .data = "", .len = 0 }; 837 838 /* 839 * Derive application traffic keys. 840 */ 841 context.data = ctx->hs->tls13.transcript_hash; 842 context.len = ctx->hs->tls13.transcript_hash_len; 843 844 if (!tls13_derive_application_secrets(secrets, &context)) 845 return 0; 846 847 /* 848 * Any records following the server finished message must be encrypted 849 * using the server application traffic keys. 850 */ 851 return tls13_record_layer_set_write_traffic_key(ctx->rl, 852 &secrets->server_application_traffic); 853 } 854 855 int 856 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 857 { 858 CBS cert_request_context, cert_list, cert_data, cert_exts; 859 struct stack_st_X509 *certs = NULL; 860 SSL *s = ctx->ssl; 861 X509 *cert = NULL; 862 EVP_PKEY *pkey; 863 const uint8_t *p; 864 int cert_idx; 865 int ret = 0; 866 867 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 868 goto err; 869 if (CBS_len(&cert_request_context) != 0) 870 goto err; 871 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 872 goto err; 873 if (CBS_len(&cert_list) == 0) { 874 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 875 return 1; 876 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 877 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 878 "peer did not provide a certificate", NULL); 879 goto err; 880 } 881 882 if ((certs = sk_X509_new_null()) == NULL) 883 goto err; 884 while (CBS_len(&cert_list) > 0) { 885 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 886 goto err; 887 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 888 goto err; 889 890 p = CBS_data(&cert_data); 891 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 892 goto err; 893 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 894 goto err; 895 896 if (!sk_X509_push(certs, cert)) 897 goto err; 898 899 cert = NULL; 900 } 901 902 /* 903 * At this stage we still have no proof of possession. As such, it would 904 * be preferable to keep the chain and verify once we have successfully 905 * processed the CertificateVerify message. 906 */ 907 if (ssl_verify_cert_chain(s, certs) <= 0) { 908 ctx->alert = ssl_verify_alarm_type(s->verify_result); 909 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 910 "failed to verify peer certificate", NULL); 911 goto err; 912 } 913 ERR_clear_error(); 914 915 cert = sk_X509_value(certs, 0); 916 X509_up_ref(cert); 917 918 if ((pkey = X509_get0_pubkey(cert)) == NULL) 919 goto err; 920 if (EVP_PKEY_missing_parameters(pkey)) 921 goto err; 922 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 923 goto err; 924 925 ssl_sess_cert_free(s->session->sess_cert); 926 if ((s->session->sess_cert = ssl_sess_cert_new()) == NULL) 927 goto err; 928 929 s->session->sess_cert->cert_chain = certs; 930 certs = NULL; 931 932 X509_up_ref(cert); 933 s->session->sess_cert->peer_pkeys[cert_idx].x509 = cert; 934 s->session->sess_cert->peer_key = &(s->session->sess_cert->peer_pkeys[cert_idx]); 935 936 X509_free(s->session->peer); 937 938 X509_up_ref(cert); 939 s->session->peer = cert; 940 s->session->verify_result = s->verify_result; 941 942 ctx->handshake_stage.hs_type |= WITH_CCV; 943 ret = 1; 944 945 err: 946 sk_X509_pop_free(certs, X509_free); 947 X509_free(cert); 948 949 return ret; 950 } 951 952 int 953 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 954 { 955 const struct ssl_sigalg *sigalg; 956 uint16_t signature_scheme; 957 uint8_t *sig_content = NULL; 958 size_t sig_content_len; 959 EVP_MD_CTX *mdctx = NULL; 960 EVP_PKEY_CTX *pctx; 961 EVP_PKEY *pkey; 962 X509 *cert; 963 CBS signature; 964 CBB cbb; 965 int ret = 0; 966 967 memset(&cbb, 0, sizeof(cbb)); 968 969 if (!CBS_get_u16(cbs, &signature_scheme)) 970 goto err; 971 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 972 goto err; 973 974 if (!CBB_init(&cbb, 0)) 975 goto err; 976 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 977 sizeof(tls13_cert_verify_pad))) 978 goto err; 979 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 980 strlen(tls13_cert_client_verify_context))) 981 goto err; 982 if (!CBB_add_u8(&cbb, 0)) 983 goto err; 984 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 985 ctx->hs->tls13.transcript_hash_len)) 986 goto err; 987 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 988 goto err; 989 990 if ((cert = ctx->ssl->session->peer) == NULL) 991 goto err; 992 if ((pkey = X509_get0_pubkey(cert)) == NULL) 993 goto err; 994 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, 995 signature_scheme)) == NULL) 996 goto err; 997 ctx->hs->peer_sigalg = sigalg; 998 999 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 1000 goto err; 1001 1002 if ((mdctx = EVP_MD_CTX_new()) == NULL) 1003 goto err; 1004 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 1005 goto err; 1006 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 1007 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 1008 goto err; 1009 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 1010 goto err; 1011 } 1012 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 1013 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1014 goto err; 1015 } 1016 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 1017 CBS_len(&signature)) <= 0) { 1018 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1019 goto err; 1020 } 1021 1022 ret = 1; 1023 1024 err: 1025 if (!ret && ctx->alert == 0) 1026 ctx->alert = TLS13_ALERT_DECODE_ERROR; 1027 1028 CBB_cleanup(&cbb); 1029 EVP_MD_CTX_free(mdctx); 1030 free(sig_content); 1031 1032 return ret; 1033 } 1034 1035 int 1036 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1037 { 1038 return 0; 1039 } 1040 1041 int 1042 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1043 { 1044 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1045 struct tls13_secret context = { .data = "", .len = 0 }; 1046 struct tls13_secret finished_key; 1047 uint8_t *verify_data = NULL; 1048 size_t verify_data_len; 1049 uint8_t key[EVP_MAX_MD_SIZE]; 1050 HMAC_CTX *hmac_ctx = NULL; 1051 unsigned int hlen; 1052 int ret = 0; 1053 1054 /* 1055 * Verify client finished. 1056 */ 1057 finished_key.data = key; 1058 finished_key.len = EVP_MD_size(ctx->hash); 1059 1060 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1061 &secrets->client_handshake_traffic, "finished", 1062 &context)) 1063 goto err; 1064 1065 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1066 goto err; 1067 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1068 ctx->hash, NULL)) 1069 goto err; 1070 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 1071 ctx->hs->tls13.transcript_hash_len)) 1072 goto err; 1073 verify_data_len = HMAC_size(hmac_ctx); 1074 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1075 goto err; 1076 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1077 goto err; 1078 if (hlen != verify_data_len) 1079 goto err; 1080 1081 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1082 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1083 goto err; 1084 } 1085 1086 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 1087 sizeof(ctx->hs->peer_finished), 1088 &ctx->hs->peer_finished_len)) 1089 goto err; 1090 1091 if (!CBS_skip(cbs, verify_data_len)) 1092 goto err; 1093 1094 /* 1095 * Any records following the client finished message must be encrypted 1096 * using the client application traffic keys. 1097 */ 1098 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1099 &secrets->client_application_traffic)) 1100 goto err; 1101 1102 tls13_record_layer_allow_ccs(ctx->rl, 0); 1103 1104 ret = 1; 1105 1106 err: 1107 HMAC_CTX_free(hmac_ctx); 1108 free(verify_data); 1109 1110 return ret; 1111 } 1112