1 /* $OpenBSD: tls13_server.c,v 1.99 2022/07/02 16:00:12 tb Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/x509v3.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_sigalgs.h" 23 #include "ssl_tlsext.h" 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 int 28 tls13_server_init(struct tls13_ctx *ctx) 29 { 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 33 &ctx->hs->our_max_tls_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->our_max_tls_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53 } 54 55 int 56 tls13_server_accept(struct tls13_ctx *ctx) 57 { 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62 } 63 64 static int 65 tls13_client_hello_is_legacy(CBS *cbs) 66 { 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97 } 98 99 int 100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101 { 102 SSL *s = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we 112 * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies 113 * that we need both signature_algorithms and supported_groups. 114 */ 115 if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 116 if (!tlsext_extension_seen(s, 117 TLSEXT_TYPE_psk_key_exchange_modes)) 118 return 0; 119 } else { 120 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 121 return 0; 122 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 123 return 0; 124 } 125 126 /* 127 * supported_groups and key_share must either both be present or 128 * both be absent. 129 */ 130 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 131 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 132 return 0; 133 134 /* 135 * XXX - Require server_name from client? If so, we SHOULD enforce 136 * this here - RFC 8446, 9.2. 137 */ 138 139 return 1; 140 } 141 142 static const uint8_t tls13_compression_null_only[] = { 0 }; 143 144 static int 145 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 146 { 147 CBS cipher_suites, client_random, compression_methods, session_id; 148 STACK_OF(SSL_CIPHER) *ciphers = NULL; 149 const SSL_CIPHER *cipher; 150 uint16_t legacy_version; 151 int alert_desc; 152 SSL *s = ctx->ssl; 153 int ret = 0; 154 155 if (!CBS_get_u16(cbs, &legacy_version)) 156 goto err; 157 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 158 goto err; 159 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 160 goto err; 161 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 162 goto err; 163 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 164 goto err; 165 166 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 167 if (!CBS_skip(cbs, CBS_len(cbs))) 168 goto err; 169 return tls13_use_legacy_server(ctx); 170 } 171 ctx->hs->negotiated_tls_version = TLS1_3_VERSION; 172 ctx->hs->peer_legacy_version = legacy_version; 173 174 /* Ensure we send subsequent alerts with the correct record version. */ 175 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 176 177 /* Add decoded values to the current ClientHello hash */ 178 if (!tls13_clienthello_hash_init(ctx)) { 179 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 180 goto err; 181 } 182 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 183 sizeof(legacy_version))) { 184 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 185 goto err; 186 } 187 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 188 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 189 goto err; 190 } 191 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 192 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 193 goto err; 194 } 195 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 196 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 197 goto err; 198 } 199 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 200 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 201 goto err; 202 } 203 204 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 205 ctx->alert = alert_desc; 206 goto err; 207 } 208 209 /* Finalize first ClientHello hash, or validate against it */ 210 if (!ctx->hs->tls13.hrr) { 211 if (!tls13_clienthello_hash_finalize(ctx)) { 212 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 213 goto err; 214 } 215 } else { 216 if (!tls13_clienthello_hash_validate(ctx)) { 217 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 218 goto err; 219 } 220 tls13_clienthello_hash_clear(&ctx->hs->tls13); 221 } 222 223 if (!tls13_client_hello_required_extensions(ctx)) { 224 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 225 goto err; 226 } 227 228 /* 229 * If we got this far we have a supported versions extension that offers 230 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 231 */ 232 if (legacy_version != TLS1_2_VERSION) { 233 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 234 goto err; 235 } 236 237 /* Store legacy session identifier so we can echo it. */ 238 if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { 239 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 240 goto err; 241 } 242 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 243 sizeof(ctx->hs->tls13.legacy_session_id), 244 &ctx->hs->tls13.legacy_session_id_len)) { 245 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 246 goto err; 247 } 248 249 /* Parse cipher suites list and select preferred cipher. */ 250 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 251 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 252 goto err; 253 } 254 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 255 if (cipher == NULL) { 256 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 257 "no shared cipher found", NULL); 258 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 259 goto err; 260 } 261 ctx->hs->cipher = cipher; 262 263 sk_SSL_CIPHER_free(s->session->ciphers); 264 s->session->ciphers = ciphers; 265 ciphers = NULL; 266 267 /* Ensure only the NULL compression method is advertised. */ 268 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 269 sizeof(tls13_compression_null_only))) { 270 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 271 goto err; 272 } 273 274 ret = 1; 275 276 err: 277 sk_SSL_CIPHER_free(ciphers); 278 279 return ret; 280 } 281 282 int 283 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 284 { 285 SSL *s = ctx->ssl; 286 287 if (!tls13_client_hello_process(ctx, cbs)) 288 goto err; 289 290 /* See if we switched back to the legacy client method. */ 291 if (s->method->version < TLS1_3_VERSION) 292 return 1; 293 294 /* 295 * If a matching key share was provided, we do not need to send a 296 * HelloRetryRequest. 297 */ 298 /* 299 * XXX - ideally NEGOTIATED would only be added after record protection 300 * has been enabled. This would probably mean using either an 301 * INITIAL | WITHOUT_HRR state, or another intermediate state. 302 */ 303 if (ctx->hs->key_share != NULL) 304 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 305 306 /* XXX - check this is the correct point */ 307 tls13_record_layer_allow_ccs(ctx->rl, 1); 308 309 return 1; 310 311 err: 312 return 0; 313 } 314 315 static int 316 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 317 { 318 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 319 const uint8_t *server_random; 320 CBB session_id; 321 SSL *s = ctx->ssl; 322 uint16_t cipher; 323 324 cipher = SSL_CIPHER_get_value(ctx->hs->cipher); 325 server_random = s->s3->server_random; 326 327 if (hrr) { 328 server_random = tls13_hello_retry_request_hash; 329 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 330 } 331 332 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 333 goto err; 334 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 335 goto err; 336 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 337 goto err; 338 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 339 ctx->hs->tls13.legacy_session_id_len)) 340 goto err; 341 if (!CBB_add_u16(cbb, cipher)) 342 goto err; 343 if (!CBB_add_u8(cbb, 0)) 344 goto err; 345 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 346 goto err; 347 348 if (!CBB_flush(cbb)) 349 goto err; 350 351 return 1; 352 err: 353 return 0; 354 } 355 356 static int 357 tls13_server_engage_record_protection(struct tls13_ctx *ctx) 358 { 359 struct tls13_secrets *secrets; 360 struct tls13_secret context; 361 unsigned char buf[EVP_MAX_MD_SIZE]; 362 uint8_t *shared_key = NULL; 363 size_t shared_key_len = 0; 364 size_t hash_len; 365 SSL *s = ctx->ssl; 366 int ret = 0; 367 368 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key, 369 &shared_key_len)) 370 goto err; 371 372 s->session->cipher = ctx->hs->cipher; 373 374 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 375 goto err; 376 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 377 goto err; 378 379 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 380 goto err; 381 ctx->hs->tls13.secrets = secrets; 382 383 /* XXX - pass in hash. */ 384 if (!tls1_transcript_hash_init(s)) 385 goto err; 386 tls1_transcript_free(s); 387 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 388 goto err; 389 context.data = buf; 390 context.len = hash_len; 391 392 /* Early secrets. */ 393 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 394 secrets->zeros.len, &context)) 395 goto err; 396 397 /* Handshake secrets. */ 398 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 399 shared_key_len, &context)) 400 goto err; 401 402 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 403 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 404 405 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 406 &secrets->client_handshake_traffic)) 407 goto err; 408 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 409 &secrets->server_handshake_traffic)) 410 goto err; 411 412 ctx->handshake_stage.hs_type |= NEGOTIATED; 413 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 414 ctx->handshake_stage.hs_type |= WITHOUT_CR; 415 416 ret = 1; 417 418 err: 419 freezero(shared_key, shared_key_len); 420 return ret; 421 } 422 423 int 424 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 425 { 426 int nid; 427 428 ctx->hs->tls13.hrr = 1; 429 430 if (!tls13_synthetic_handshake_message(ctx)) 431 return 0; 432 433 if (ctx->hs->key_share != NULL) 434 return 0; 435 if (!tls1_get_supported_group(ctx->ssl, &nid)) 436 return 0; 437 if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group)) 438 return 0; 439 440 if (!tls13_server_hello_build(ctx, cbb, 1)) 441 return 0; 442 443 return 1; 444 } 445 446 int 447 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 448 { 449 /* 450 * If the client has requested middlebox compatibility mode, 451 * we MUST send a dummy CCS following our first handshake message. 452 * See RFC 8446 Appendix D.4. 453 */ 454 if (ctx->hs->tls13.legacy_session_id_len > 0) 455 ctx->send_dummy_ccs_after = 1; 456 457 return 1; 458 } 459 460 int 461 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 462 { 463 SSL *s = ctx->ssl; 464 465 if (!tls13_client_hello_process(ctx, cbs)) 466 return 0; 467 468 /* XXX - need further checks. */ 469 if (s->method->version < TLS1_3_VERSION) 470 return 0; 471 472 ctx->hs->tls13.hrr = 0; 473 474 return 1; 475 } 476 477 static int 478 tls13_servername_process(struct tls13_ctx *ctx) 479 { 480 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 481 482 if (!tls13_legacy_servername_process(ctx, &alert)) { 483 ctx->alert = alert; 484 return 0; 485 } 486 487 return 1; 488 } 489 490 int 491 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 492 { 493 if (ctx->hs->key_share == NULL) 494 return 0; 495 if (!tls_key_share_generate(ctx->hs->key_share)) 496 return 0; 497 if (!tls13_servername_process(ctx)) 498 return 0; 499 500 ctx->hs->tls13.server_group = 0; 501 502 if (!tls13_server_hello_build(ctx, cbb, 0)) 503 return 0; 504 505 return 1; 506 } 507 508 int 509 tls13_server_hello_sent(struct tls13_ctx *ctx) 510 { 511 /* 512 * If the client has requested middlebox compatibility mode, 513 * we MUST send a dummy CCS following our first handshake message. 514 * See RFC 8446 Appendix D.4. 515 */ 516 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 517 ctx->hs->tls13.legacy_session_id_len > 0) 518 ctx->send_dummy_ccs_after = 1; 519 520 return tls13_server_engage_record_protection(ctx); 521 } 522 523 int 524 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 525 { 526 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 527 goto err; 528 529 return 1; 530 err: 531 return 0; 532 } 533 534 int 535 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 536 { 537 CBB certificate_request_context; 538 539 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 540 goto err; 541 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 542 goto err; 543 544 if (!CBB_flush(cbb)) 545 goto err; 546 547 return 1; 548 err: 549 return 0; 550 } 551 552 static int 553 tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk, 554 int *ok, const struct ssl_sigalg **out_sigalg) 555 { 556 const struct ssl_sigalg *sigalg; 557 SSL *s = ctx->ssl; 558 559 *ok = 0; 560 *out_sigalg = NULL; 561 562 if (cpk->x509 == NULL || cpk->privatekey == NULL) 563 goto done; 564 565 /* 566 * The digitalSignature bit MUST be set if the Key Usage extension is 567 * present as per RFC 8446 section 4.4.2.2. 568 */ 569 if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)) 570 goto done; 571 572 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 573 goto done; 574 575 *ok = 1; 576 *out_sigalg = sigalg; 577 578 done: 579 return 1; 580 } 581 582 static int 583 tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk, 584 const struct ssl_sigalg **out_sigalg) 585 { 586 SSL *s = ctx->ssl; 587 const struct ssl_sigalg *sigalg; 588 SSL_CERT_PKEY *cpk; 589 int cert_ok; 590 591 *out_cpk = NULL; 592 *out_sigalg = NULL; 593 594 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 595 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 596 return 0; 597 if (cert_ok) 598 goto done; 599 600 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 601 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 602 return 0; 603 if (cert_ok) 604 goto done; 605 606 cpk = NULL; 607 sigalg = NULL; 608 609 done: 610 *out_cpk = cpk; 611 *out_sigalg = sigalg; 612 613 return 1; 614 } 615 616 int 617 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 618 { 619 SSL *s = ctx->ssl; 620 CBB cert_request_context, cert_list; 621 const struct ssl_sigalg *sigalg; 622 X509_STORE_CTX *xsc = NULL; 623 STACK_OF(X509) *chain; 624 SSL_CERT_PKEY *cpk; 625 X509 *cert; 626 int i, ret = 0; 627 628 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 629 goto err; 630 631 if (cpk == NULL) { 632 /* A server must always provide a certificate. */ 633 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 634 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 635 "no server certificate", NULL); 636 goto err; 637 } 638 639 ctx->hs->tls13.cpk = cpk; 640 ctx->hs->our_sigalg = sigalg; 641 642 if ((chain = cpk->chain) == NULL) 643 chain = s->ctx->extra_certs; 644 645 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { 646 if ((xsc = X509_STORE_CTX_new()) == NULL) 647 goto err; 648 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 649 goto err; 650 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 651 X509_V_FLAG_LEGACY_VERIFY); 652 X509_verify_cert(xsc); 653 ERR_clear_error(); 654 chain = X509_STORE_CTX_get0_chain(xsc); 655 } 656 657 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 658 goto err; 659 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 660 goto err; 661 662 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 663 goto err; 664 665 for (i = 0; i < sk_X509_num(chain); i++) { 666 cert = sk_X509_value(chain, i); 667 668 /* 669 * In the case of auto chain, the leaf certificate will be at 670 * the top of the chain - skip over it as we've already added 671 * it earlier. 672 */ 673 if (i == 0 && cert == cpk->x509) 674 continue; 675 676 /* 677 * XXX we don't send extensions with chain certs to avoid sending 678 * a leaf ocsp staple with the chain certs. This needs to get 679 * fixed. 680 */ 681 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 682 goto err; 683 } 684 685 if (!CBB_flush(cbb)) 686 goto err; 687 688 ret = 1; 689 690 err: 691 X509_STORE_CTX_free(xsc); 692 693 return ret; 694 } 695 696 int 697 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 698 { 699 const struct ssl_sigalg *sigalg; 700 uint8_t *sig = NULL, *sig_content = NULL; 701 size_t sig_len, sig_content_len; 702 EVP_MD_CTX *mdctx = NULL; 703 EVP_PKEY_CTX *pctx; 704 EVP_PKEY *pkey; 705 const SSL_CERT_PKEY *cpk; 706 CBB sig_cbb; 707 int ret = 0; 708 709 memset(&sig_cbb, 0, sizeof(sig_cbb)); 710 711 if ((cpk = ctx->hs->tls13.cpk) == NULL) 712 goto err; 713 if ((sigalg = ctx->hs->our_sigalg) == NULL) 714 goto err; 715 pkey = cpk->privatekey; 716 717 if (!CBB_init(&sig_cbb, 0)) 718 goto err; 719 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 720 sizeof(tls13_cert_verify_pad))) 721 goto err; 722 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 723 strlen(tls13_cert_server_verify_context))) 724 goto err; 725 if (!CBB_add_u8(&sig_cbb, 0)) 726 goto err; 727 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 728 ctx->hs->tls13.transcript_hash_len)) 729 goto err; 730 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 731 goto err; 732 733 if ((mdctx = EVP_MD_CTX_new()) == NULL) 734 goto err; 735 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 736 goto err; 737 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 738 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 739 goto err; 740 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 741 goto err; 742 } 743 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 744 goto err; 745 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 746 goto err; 747 if ((sig = calloc(1, sig_len)) == NULL) 748 goto err; 749 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 750 goto err; 751 752 if (!CBB_add_u16(cbb, sigalg->value)) 753 goto err; 754 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 755 goto err; 756 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 757 goto err; 758 759 if (!CBB_flush(cbb)) 760 goto err; 761 762 ret = 1; 763 764 err: 765 if (!ret && ctx->alert == 0) 766 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 767 768 CBB_cleanup(&sig_cbb); 769 EVP_MD_CTX_free(mdctx); 770 free(sig_content); 771 free(sig); 772 773 return ret; 774 } 775 776 int 777 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 778 { 779 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 780 struct tls13_secret context = { .data = "", .len = 0 }; 781 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 782 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 783 size_t transcript_hash_len; 784 uint8_t *verify_data; 785 size_t verify_data_len; 786 unsigned int hlen; 787 HMAC_CTX *hmac_ctx = NULL; 788 CBS cbs; 789 int ret = 0; 790 791 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 792 goto err; 793 794 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 795 &secrets->server_handshake_traffic, "finished", 796 &context)) 797 goto err; 798 799 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 800 sizeof(transcript_hash), &transcript_hash_len)) 801 goto err; 802 803 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 804 goto err; 805 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 806 ctx->hash, NULL)) 807 goto err; 808 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 809 goto err; 810 811 verify_data_len = HMAC_size(hmac_ctx); 812 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 813 goto err; 814 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 815 goto err; 816 if (hlen != verify_data_len) 817 goto err; 818 819 CBS_init(&cbs, verify_data, verify_data_len); 820 if (!CBS_write_bytes(&cbs, ctx->hs->finished, 821 sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 822 goto err; 823 824 ret = 1; 825 826 err: 827 tls13_secret_cleanup(&finished_key); 828 HMAC_CTX_free(hmac_ctx); 829 830 return ret; 831 } 832 833 int 834 tls13_server_finished_sent(struct tls13_ctx *ctx) 835 { 836 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 837 struct tls13_secret context = { .data = "", .len = 0 }; 838 839 /* 840 * Derive application traffic keys. 841 */ 842 context.data = ctx->hs->tls13.transcript_hash; 843 context.len = ctx->hs->tls13.transcript_hash_len; 844 845 if (!tls13_derive_application_secrets(secrets, &context)) 846 return 0; 847 848 /* 849 * Any records following the server finished message must be encrypted 850 * using the server application traffic keys. 851 */ 852 return tls13_record_layer_set_write_traffic_key(ctx->rl, 853 &secrets->server_application_traffic); 854 } 855 856 int 857 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 858 { 859 CBS cert_request_context, cert_list, cert_data, cert_exts; 860 struct stack_st_X509 *certs = NULL; 861 SSL *s = ctx->ssl; 862 X509 *cert = NULL; 863 EVP_PKEY *pkey; 864 const uint8_t *p; 865 int cert_type; 866 int ret = 0; 867 868 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 869 goto err; 870 if (CBS_len(&cert_request_context) != 0) 871 goto err; 872 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 873 goto err; 874 if (CBS_len(&cert_list) == 0) { 875 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 876 return 1; 877 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 878 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 879 "peer did not provide a certificate", NULL); 880 goto err; 881 } 882 883 if ((certs = sk_X509_new_null()) == NULL) 884 goto err; 885 while (CBS_len(&cert_list) > 0) { 886 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 887 goto err; 888 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 889 goto err; 890 891 p = CBS_data(&cert_data); 892 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 893 goto err; 894 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 895 goto err; 896 897 if (!sk_X509_push(certs, cert)) 898 goto err; 899 900 cert = NULL; 901 } 902 903 /* 904 * At this stage we still have no proof of possession. As such, it would 905 * be preferable to keep the chain and verify once we have successfully 906 * processed the CertificateVerify message. 907 */ 908 if (ssl_verify_cert_chain(s, certs) <= 0) { 909 ctx->alert = ssl_verify_alarm_type(s->verify_result); 910 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 911 "failed to verify peer certificate", NULL); 912 goto err; 913 } 914 ERR_clear_error(); 915 916 /* 917 * Achtung! Due to API inconsistency, a client includes the peer's leaf 918 * certificate in the stored certificate chain, while a server does not. 919 */ 920 cert = sk_X509_shift(certs); 921 922 if ((pkey = X509_get0_pubkey(cert)) == NULL) 923 goto err; 924 if (EVP_PKEY_missing_parameters(pkey)) 925 goto err; 926 if ((cert_type = ssl_cert_type(pkey)) < 0) 927 goto err; 928 929 X509_up_ref(cert); 930 X509_free(s->session->peer_cert); 931 s->session->peer_cert = cert; 932 s->session->peer_cert_type = cert_type; 933 934 s->session->verify_result = s->verify_result; 935 936 sk_X509_pop_free(s->session->cert_chain, X509_free); 937 s->session->cert_chain = certs; 938 certs = NULL; 939 940 ctx->handshake_stage.hs_type |= WITH_CCV; 941 ret = 1; 942 943 err: 944 sk_X509_pop_free(certs, X509_free); 945 X509_free(cert); 946 947 return ret; 948 } 949 950 int 951 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 952 { 953 const struct ssl_sigalg *sigalg; 954 uint16_t signature_scheme; 955 uint8_t *sig_content = NULL; 956 size_t sig_content_len; 957 EVP_MD_CTX *mdctx = NULL; 958 EVP_PKEY_CTX *pctx; 959 EVP_PKEY *pkey; 960 X509 *cert; 961 CBS signature; 962 CBB cbb; 963 int ret = 0; 964 965 memset(&cbb, 0, sizeof(cbb)); 966 967 if (!CBS_get_u16(cbs, &signature_scheme)) 968 goto err; 969 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 970 goto err; 971 972 if (!CBB_init(&cbb, 0)) 973 goto err; 974 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 975 sizeof(tls13_cert_verify_pad))) 976 goto err; 977 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 978 strlen(tls13_cert_client_verify_context))) 979 goto err; 980 if (!CBB_add_u8(&cbb, 0)) 981 goto err; 982 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 983 ctx->hs->tls13.transcript_hash_len)) 984 goto err; 985 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 986 goto err; 987 988 if ((cert = ctx->ssl->session->peer_cert) == NULL) 989 goto err; 990 if ((pkey = X509_get0_pubkey(cert)) == NULL) 991 goto err; 992 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, 993 signature_scheme)) == NULL) 994 goto err; 995 ctx->hs->peer_sigalg = sigalg; 996 997 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 998 goto err; 999 1000 if ((mdctx = EVP_MD_CTX_new()) == NULL) 1001 goto err; 1002 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 1003 goto err; 1004 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 1005 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 1006 goto err; 1007 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 1008 goto err; 1009 } 1010 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 1011 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1012 goto err; 1013 } 1014 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 1015 CBS_len(&signature)) <= 0) { 1016 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1017 goto err; 1018 } 1019 1020 ret = 1; 1021 1022 err: 1023 if (!ret && ctx->alert == 0) 1024 ctx->alert = TLS13_ALERT_DECODE_ERROR; 1025 1026 CBB_cleanup(&cbb); 1027 EVP_MD_CTX_free(mdctx); 1028 free(sig_content); 1029 1030 return ret; 1031 } 1032 1033 int 1034 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1035 { 1036 return 0; 1037 } 1038 1039 int 1040 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1041 { 1042 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1043 struct tls13_secret context = { .data = "", .len = 0 }; 1044 struct tls13_secret finished_key; 1045 uint8_t *verify_data = NULL; 1046 size_t verify_data_len; 1047 uint8_t key[EVP_MAX_MD_SIZE]; 1048 HMAC_CTX *hmac_ctx = NULL; 1049 unsigned int hlen; 1050 int ret = 0; 1051 1052 /* 1053 * Verify client finished. 1054 */ 1055 finished_key.data = key; 1056 finished_key.len = EVP_MD_size(ctx->hash); 1057 1058 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1059 &secrets->client_handshake_traffic, "finished", 1060 &context)) 1061 goto err; 1062 1063 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1064 goto err; 1065 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1066 ctx->hash, NULL)) 1067 goto err; 1068 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 1069 ctx->hs->tls13.transcript_hash_len)) 1070 goto err; 1071 verify_data_len = HMAC_size(hmac_ctx); 1072 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1073 goto err; 1074 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1075 goto err; 1076 if (hlen != verify_data_len) 1077 goto err; 1078 1079 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1080 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1081 goto err; 1082 } 1083 1084 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 1085 sizeof(ctx->hs->peer_finished), 1086 &ctx->hs->peer_finished_len)) 1087 goto err; 1088 1089 if (!CBS_skip(cbs, verify_data_len)) 1090 goto err; 1091 1092 /* 1093 * Any records following the client finished message must be encrypted 1094 * using the client application traffic keys. 1095 */ 1096 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1097 &secrets->client_application_traffic)) 1098 goto err; 1099 1100 tls13_record_layer_allow_ccs(ctx->rl, 0); 1101 1102 ret = 1; 1103 1104 err: 1105 HMAC_CTX_free(hmac_ctx); 1106 free(verify_data); 1107 1108 return ret; 1109 } 1110