1 /* $OpenBSD: tls13_server.c,v 1.26 2020/02/23 17:51:36 tb Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include "ssl_locl.h" 20 #include "ssl_tlsext.h" 21 22 #include "tls13_handshake.h" 23 #include "tls13_internal.h" 24 25 static int 26 tls13_accept(struct tls13_ctx *ctx) 27 { 28 if (ctx->mode != TLS13_HS_SERVER) 29 return TLS13_IO_FAILURE; 30 31 return tls13_handshake_perform(ctx); 32 } 33 34 static int 35 tls13_server_init(struct tls13_ctx *ctx) 36 { 37 SSL *s = ctx->ssl; 38 39 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 40 &ctx->hs->max_version)) { 41 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 42 return 0; 43 } 44 s->version = ctx->hs->max_version; 45 46 if (!tls1_transcript_init(s)) 47 return 0; 48 49 if ((s->session = SSL_SESSION_new()) == NULL) 50 return 0; 51 52 if ((ctx->hs->key_share = tls13_key_share_new(NID_X25519)) == NULL) 53 return 0; 54 if (!tls13_key_share_generate(ctx->hs->key_share)) 55 return 0; 56 57 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 58 59 return 1; 60 } 61 62 int 63 tls13_legacy_accept(SSL *ssl) 64 { 65 struct tls13_ctx *ctx = ssl->internal->tls13; 66 int ret; 67 68 if (ctx == NULL) { 69 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 70 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 71 return -1; 72 } 73 ssl->internal->tls13 = ctx; 74 ctx->ssl = ssl; 75 ctx->hs = &S3I(ssl)->hs_tls13; 76 77 if (!tls13_server_init(ctx)) { 78 if (ERR_peek_error() == 0) 79 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 80 return -1; 81 } 82 } 83 84 ERR_clear_error(); 85 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 86 87 ret = tls13_accept(ctx); 88 if (ret == TLS13_IO_USE_LEGACY) 89 return ssl->method->internal->ssl_accept(ssl); 90 if (ret == TLS13_IO_SUCCESS) 91 S3I(ssl)->hs.state = SSL_ST_OK; 92 93 return tls13_legacy_return_code(ssl, ret); 94 } 95 96 int 97 tls13_use_legacy_server(struct tls13_ctx *ctx) 98 { 99 SSL *s = ctx->ssl; 100 CBS cbs; 101 102 s->method = tls_legacy_server_method(); 103 s->internal->handshake_func = s->method->internal->ssl_accept; 104 s->client_version = s->version = s->method->internal->max_version; 105 s->server = 1; 106 107 if (!ssl3_setup_init_buffer(s)) 108 goto err; 109 if (!ssl3_setup_buffers(s)) 110 goto err; 111 if (!ssl_init_wbio_buffer(s, 0)) 112 goto err; 113 114 if (s->bbio != s->wbio) 115 s->wbio = BIO_push(s->bbio, s->wbio); 116 117 /* Stash any unprocessed data from the last record. */ 118 tls13_record_layer_rbuf(ctx->rl, &cbs); 119 if (CBS_len(&cbs) > 0) { 120 if (!CBS_write_bytes(&cbs, 121 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 122 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 123 goto err; 124 125 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 126 S3I(s)->rbuf.left = CBS_len(&cbs); 127 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 128 S3I(s)->rrec.length = CBS_len(&cbs); 129 s->internal->rstate = SSL_ST_READ_BODY; 130 s->internal->packet = S3I(s)->rbuf.buf; 131 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 132 s->internal->mac_packet = 1; 133 } 134 135 /* Stash the current handshake message. */ 136 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 137 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 138 s->internal->init_buf->length, NULL)) 139 goto err; 140 141 S3I(s)->tmp.reuse_message = 1; 142 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 143 S3I(s)->tmp.message_size = CBS_len(&cbs); 144 145 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 146 147 return 1; 148 149 err: 150 return 0; 151 } 152 153 static int 154 tls13_client_hello_is_legacy(CBS *cbs) 155 { 156 CBS extensions_block, extensions, extension_data, versions; 157 uint16_t version, max_version = 0; 158 uint16_t type; 159 160 CBS_dup(cbs, &extensions_block); 161 162 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 163 return 1; 164 165 while (CBS_len(&extensions) > 0) { 166 if (!CBS_get_u16(&extensions, &type)) 167 return 1; 168 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 169 return 1; 170 171 if (type != TLSEXT_TYPE_supported_versions) 172 continue; 173 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 174 return 1; 175 while (CBS_len(&versions) > 0) { 176 if (!CBS_get_u16(&versions, &version)) 177 return 1; 178 if (version >= max_version) 179 max_version = version; 180 } 181 if (CBS_len(&extension_data) != 0) 182 return 1; 183 } 184 185 return (max_version < TLS1_3_VERSION); 186 } 187 188 static int 189 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 190 { 191 CBS cipher_suites, client_random, compression_methods, session_id; 192 STACK_OF(SSL_CIPHER) *ciphers = NULL; 193 const SSL_CIPHER *cipher; 194 uint16_t legacy_version; 195 uint8_t compression_method; 196 int alert_desc, comp_null; 197 SSL *s = ctx->ssl; 198 int ret = 0; 199 200 if (!CBS_get_u16(cbs, &legacy_version)) 201 goto err; 202 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 203 goto err; 204 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 205 goto err; 206 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 207 goto err; 208 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 209 goto err; 210 211 if (tls13_client_hello_is_legacy(cbs)) { 212 if (!CBS_skip(cbs, CBS_len(cbs))) 213 goto err; 214 return tls13_use_legacy_server(ctx); 215 } 216 217 if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) { 218 ctx->alert = alert_desc; 219 goto err; 220 } 221 222 /* 223 * If we got this far we have a supported versions extension that offers 224 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 225 */ 226 if (legacy_version != TLS1_2_VERSION) { 227 ctx->alert = SSL_AD_PROTOCOL_VERSION; 228 goto err; 229 } 230 231 /* Store legacy session identifier so we can echo it. */ 232 if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 233 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 234 goto err; 235 } 236 if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 237 sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len)) 238 goto err; 239 240 /* Parse cipher suites list and select preferred cipher. */ 241 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 242 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 243 goto err; 244 } 245 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 246 if (cipher == NULL) { 247 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 248 "no shared cipher found", NULL); 249 ctx->alert = SSL_AD_HANDSHAKE_FAILURE; 250 goto err; 251 } 252 S3I(s)->hs.new_cipher = cipher; 253 254 /* Ensure they advertise the NULL compression method. */ 255 comp_null = 0; 256 while (CBS_len(&compression_methods) > 0) { 257 if (!CBS_get_u8(&compression_methods, &compression_method)) 258 goto err; 259 if (compression_method == 0) 260 comp_null = 1; 261 } 262 if (!comp_null) { 263 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 264 goto err; 265 } 266 267 ret = 1; 268 269 err: 270 sk_SSL_CIPHER_free(ciphers); 271 272 return ret; 273 } 274 275 int 276 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 277 { 278 SSL *s = ctx->ssl; 279 280 if (!tls13_client_hello_process(ctx, cbs)) 281 goto err; 282 283 /* See if we switched back to the legacy client method. */ 284 if (s->method->internal->version < TLS1_3_VERSION) 285 return 1; 286 287 tls13_record_layer_allow_ccs(ctx->rl, 1); 288 289 return 1; 290 291 err: 292 return 0; 293 } 294 295 int 296 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 297 { 298 return 0; 299 } 300 301 int 302 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) 303 { 304 return 0; 305 } 306 307 int 308 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 309 { 310 return 0; 311 } 312 313 int 314 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 315 { 316 CBS cert_request_context, cert_list, cert_data, cert_exts; 317 struct stack_st_X509 *certs = NULL; 318 SSL *s = ctx->ssl; 319 X509 *cert = NULL; 320 EVP_PKEY *pkey; 321 const uint8_t *p; 322 int cert_idx; 323 int ret = 0; 324 325 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 326 goto err; 327 if (CBS_len(&cert_request_context) != 0) 328 goto err; 329 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 330 goto err; 331 332 if (CBS_len(&cert_list) == 0) 333 return 1; 334 335 if ((certs = sk_X509_new_null()) == NULL) 336 goto err; 337 while (CBS_len(&cert_list) > 0) { 338 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 339 goto err; 340 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 341 goto err; 342 343 p = CBS_data(&cert_data); 344 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 345 goto err; 346 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 347 goto err; 348 349 if (!sk_X509_push(certs, cert)) 350 goto err; 351 352 cert = NULL; 353 } 354 355 /* 356 * At this stage we still have no proof of possession. As such, it would 357 * be preferable to keep the chain and verify once we have successfully 358 * processed the CertificateVerify message. 359 */ 360 if (ssl_verify_cert_chain(s, certs) <= 0 && 361 s->verify_mode != SSL_VERIFY_NONE) { 362 ctx->alert = ssl_verify_alarm_type(s->verify_result); 363 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 364 "failed to verify peer certificate", NULL); 365 goto err; 366 } 367 ERR_clear_error(); 368 369 cert = sk_X509_value(certs, 0); 370 X509_up_ref(cert); 371 372 if ((pkey = X509_get0_pubkey(cert)) == NULL) 373 goto err; 374 if (EVP_PKEY_missing_parameters(pkey)) 375 goto err; 376 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 377 goto err; 378 379 ssl_sess_cert_free(SSI(s)->sess_cert); 380 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 381 goto err; 382 383 SSI(s)->sess_cert->cert_chain = certs; 384 certs = NULL; 385 386 X509_up_ref(cert); 387 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 388 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 389 390 X509_free(s->session->peer); 391 392 X509_up_ref(cert); 393 s->session->peer = cert; 394 s->session->verify_result = s->verify_result; 395 396 ctx->handshake_stage.hs_type |= WITH_CCV; 397 ret = 1; 398 399 err: 400 sk_X509_pop_free(certs, X509_free); 401 X509_free(cert); 402 403 return ret; 404 } 405 406 int 407 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 408 { 409 const struct ssl_sigalg *sigalg; 410 uint16_t signature_scheme; 411 uint8_t *sig_content = NULL; 412 size_t sig_content_len; 413 EVP_MD_CTX *mdctx = NULL; 414 EVP_PKEY_CTX *pctx; 415 EVP_PKEY *pkey; 416 X509 *cert; 417 CBS signature; 418 CBB cbb; 419 int ret = 0; 420 421 memset(&cbb, 0, sizeof(cbb)); 422 423 if (!CBS_get_u16(cbs, &signature_scheme)) 424 goto err; 425 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 426 goto err; 427 428 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 429 tls13_sigalgs_len)) == NULL) 430 goto err; 431 432 if (!CBB_init(&cbb, 0)) 433 goto err; 434 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 435 sizeof(tls13_cert_verify_pad))) 436 goto err; 437 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 438 strlen(tls13_cert_client_verify_context))) 439 goto err; 440 if (!CBB_add_u8(&cbb, 0)) 441 goto err; 442 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 443 ctx->hs->transcript_hash_len)) 444 goto err; 445 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 446 goto err; 447 448 if ((cert = ctx->ssl->session->peer) == NULL) 449 goto err; 450 if ((pkey = X509_get0_pubkey(cert)) == NULL) 451 goto err; 452 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 453 goto err; 454 455 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 456 goto err; 457 458 if ((mdctx = EVP_MD_CTX_new()) == NULL) 459 goto err; 460 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 461 goto err; 462 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 463 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 464 goto err; 465 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 466 goto err; 467 } 468 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 469 ctx->alert = TLS1_AD_DECRYPT_ERROR; 470 goto err; 471 } 472 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 473 CBS_len(&signature)) <= 0) { 474 ctx->alert = TLS1_AD_DECRYPT_ERROR; 475 goto err; 476 } 477 478 ret = 1; 479 480 err: 481 if (!ret && ctx->alert == 0) { 482 ctx->alert = TLS1_AD_DECODE_ERROR; 483 } 484 CBB_cleanup(&cbb); 485 EVP_MD_CTX_free(mdctx); 486 free(sig_content); 487 488 return ret; 489 } 490 491 int 492 tls13_client_key_update_send(struct tls13_ctx *ctx, CBB *cbb) 493 { 494 return 0; 495 } 496 497 int 498 tls13_client_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) 499 { 500 return 0; 501 } 502 503 static int 504 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb) 505 { 506 CBB session_id; 507 SSL *s = ctx->ssl; 508 uint16_t cipher; 509 510 cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 511 512 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 513 goto err; 514 if (!CBB_add_bytes(cbb, s->s3->server_random, SSL3_RANDOM_SIZE)) 515 goto err; 516 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 517 goto err; 518 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 519 ctx->hs->legacy_session_id_len)) 520 goto err; 521 if (!CBB_add_u16(cbb, cipher)) 522 goto err; 523 if (!CBB_add_u8(cbb, 0)) 524 goto err; 525 if (!tlsext_server_build(s, cbb, SSL_TLSEXT_MSG_SH)) 526 goto err; 527 528 if (!CBB_flush(cbb)) 529 goto err; 530 531 return 1; 532 err: 533 return 0; 534 } 535 536 int 537 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 538 { 539 if (!tls13_server_hello_build(ctx, cbb)) 540 return 0; 541 542 return 1; 543 } 544 545 int 546 tls13_server_hello_sent(struct tls13_ctx *ctx) 547 { 548 struct tls13_secrets *secrets; 549 struct tls13_secret context; 550 unsigned char buf[EVP_MAX_MD_SIZE]; 551 uint8_t *shared_key = NULL; 552 size_t shared_key_len = 0; 553 size_t hash_len; 554 SSL *s = ctx->ssl; 555 int ret = 0; 556 557 /* XXX - handle other key share types. */ 558 if (ctx->hs->key_share == NULL) { 559 /* XXX - alert. */ 560 goto err; 561 } 562 if (!tls13_key_share_derive(ctx->hs->key_share, 563 &shared_key, &shared_key_len)) 564 goto err; 565 566 s->session->cipher = S3I(s)->hs.new_cipher; 567 s->session->ssl_version = ctx->hs->server_version; 568 569 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 570 goto err; 571 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 572 goto err; 573 574 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 575 goto err; 576 S3I(ctx->ssl)->hs_tls13.secrets = secrets; 577 578 /* XXX - pass in hash. */ 579 if (!tls1_transcript_hash_init(s)) 580 goto err; 581 tls1_transcript_free(s); 582 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 583 goto err; 584 context.data = buf; 585 context.len = hash_len; 586 587 /* Early secrets. */ 588 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 589 secrets->zeros.len, &context)) 590 goto err; 591 592 /* Handshake secrets. */ 593 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 594 shared_key_len, &context)) 595 goto err; 596 597 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 598 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 599 600 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 601 &secrets->client_handshake_traffic)) 602 goto err; 603 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 604 &secrets->server_handshake_traffic)) 605 goto err; 606 607 ctx->handshake_stage.hs_type |= NEGOTIATED; 608 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 609 ctx->handshake_stage.hs_type |= WITHOUT_CR; 610 611 ret = 1; 612 613 err: 614 freezero(shared_key, shared_key_len); 615 return ret; 616 } 617 618 int 619 tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 620 { 621 return 0; 622 } 623 624 int 625 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 626 { 627 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE)) 628 goto err; 629 630 return 1; 631 err: 632 return 0; 633 } 634 635 int 636 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 637 { 638 SSL *s = ctx->ssl; 639 CBB cert_request_context, cert_list; 640 STACK_OF(X509) *chain; 641 CERT_PKEY *cpk; 642 X509 *cert; 643 int i, ret = 0; 644 645 /* XXX - Need to revisit certificate selection. */ 646 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 647 648 if ((chain = cpk->chain) == NULL) 649 chain = s->ctx->extra_certs; 650 651 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 652 goto err; 653 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 654 goto err; 655 656 if (cpk->x509 == NULL) 657 goto done; 658 659 if (!tls13_cert_add(&cert_list, cpk->x509)) 660 goto err; 661 662 for (i = 0; i < sk_X509_num(chain); i++) { 663 cert = sk_X509_value(chain, i); 664 if (!tls13_cert_add(&cert_list, cert)) 665 goto err; 666 } 667 668 done: 669 if (!CBB_flush(cbb)) 670 goto err; 671 672 ret = 1; 673 674 err: 675 return ret; 676 } 677 678 /* XXX - move up. */ 679 int 680 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 681 { 682 CBB certificate_request_context; 683 684 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 685 goto err; 686 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR)) 687 goto err; 688 689 if (!CBB_flush(cbb)) 690 goto err; 691 692 return 1; 693 err: 694 return 0; 695 } 696 697 int 698 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 699 { 700 SSL *s = ctx->ssl; 701 const struct ssl_sigalg *sigalg = NULL; 702 uint8_t *sig = NULL, *sig_content = NULL; 703 size_t sig_len, sig_content_len; 704 EVP_MD_CTX *mdctx = NULL; 705 EVP_PKEY_CTX *pctx; 706 EVP_PKEY *pkey; 707 CERT_PKEY *cpk; 708 CBB sig_cbb; 709 int ret = 0; 710 711 memset(&sig_cbb, 0, sizeof(sig_cbb)); 712 713 /* XXX - Need to revisit certificate selection. */ 714 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 715 pkey = cpk->privatekey; 716 717 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 718 /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */ 719 goto err; 720 } 721 722 if (!CBB_init(&sig_cbb, 0)) 723 goto err; 724 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 725 sizeof(tls13_cert_verify_pad))) 726 goto err; 727 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 728 strlen(tls13_cert_server_verify_context))) 729 goto err; 730 if (!CBB_add_u8(&sig_cbb, 0)) 731 goto err; 732 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 733 ctx->hs->transcript_hash_len)) 734 goto err; 735 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 736 goto err; 737 738 if ((mdctx = EVP_MD_CTX_new()) == NULL) 739 goto err; 740 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 741 goto err; 742 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 743 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 744 goto err; 745 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 746 goto err; 747 } 748 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 749 goto err; 750 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 751 goto err; 752 if ((sig = calloc(1, sig_len)) == NULL) 753 goto err; 754 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 755 goto err; 756 757 if (!CBB_add_u16(cbb, sigalg->value)) 758 goto err; 759 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 760 goto err; 761 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 762 goto err; 763 764 if (!CBB_flush(cbb)) 765 goto err; 766 767 ret = 1; 768 769 err: 770 if (!ret && ctx->alert == 0) 771 ctx->alert = TLS1_AD_INTERNAL_ERROR; 772 773 CBB_cleanup(&sig_cbb); 774 EVP_MD_CTX_free(mdctx); 775 free(sig_content); 776 free(sig); 777 778 return ret; 779 } 780 781 int 782 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 783 { 784 struct tls13_secrets *secrets = ctx->hs->secrets; 785 struct tls13_secret context = { .data = "", .len = 0 }; 786 struct tls13_secret finished_key; 787 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 788 size_t transcript_hash_len; 789 uint8_t key[EVP_MAX_MD_SIZE]; 790 uint8_t *verify_data; 791 size_t hmac_len; 792 unsigned int hlen; 793 HMAC_CTX *hmac_ctx = NULL; 794 int ret = 0; 795 796 finished_key.data = key; 797 finished_key.len = EVP_MD_size(ctx->hash); 798 799 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 800 &secrets->server_handshake_traffic, "finished", 801 &context)) 802 goto err; 803 804 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 805 sizeof(transcript_hash), &transcript_hash_len)) 806 goto err; 807 808 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 809 goto err; 810 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 811 ctx->hash, NULL)) 812 goto err; 813 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 814 goto err; 815 816 hmac_len = HMAC_size(hmac_ctx); 817 if (!CBB_add_space(cbb, &verify_data, hmac_len)) 818 goto err; 819 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 820 goto err; 821 if (hlen != hmac_len) 822 goto err; 823 824 ret = 1; 825 826 err: 827 HMAC_CTX_free(hmac_ctx); 828 829 return ret; 830 } 831 832 int 833 tls13_server_finished_sent(struct tls13_ctx *ctx) 834 { 835 struct tls13_secrets *secrets = ctx->hs->secrets; 836 struct tls13_secret context = { .data = "", .len = 0 }; 837 838 /* 839 * Derive application traffic keys. 840 */ 841 context.data = ctx->hs->transcript_hash; 842 context.len = ctx->hs->transcript_hash_len; 843 844 if (!tls13_derive_application_secrets(secrets, &context)) 845 return 0; 846 847 /* 848 * Any records following the server finished message must be encrypted 849 * using the server application traffic keys. 850 */ 851 return tls13_record_layer_set_write_traffic_key(ctx->rl, 852 &secrets->server_application_traffic); 853 } 854 855 int 856 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 857 { 858 struct tls13_secrets *secrets = ctx->hs->secrets; 859 struct tls13_secret context = { .data = "", .len = 0 }; 860 struct tls13_secret finished_key; 861 uint8_t *verify_data = NULL; 862 size_t verify_data_len; 863 uint8_t key[EVP_MAX_MD_SIZE]; 864 HMAC_CTX *hmac_ctx = NULL; 865 unsigned int hlen; 866 int ret = 0; 867 868 /* 869 * Verify client finished. 870 */ 871 finished_key.data = key; 872 finished_key.len = EVP_MD_size(ctx->hash); 873 874 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 875 &secrets->client_handshake_traffic, "finished", 876 &context)) 877 goto err; 878 879 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 880 goto err; 881 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 882 ctx->hash, NULL)) 883 goto err; 884 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 885 ctx->hs->transcript_hash_len)) 886 goto err; 887 verify_data_len = HMAC_size(hmac_ctx); 888 if ((verify_data = calloc(1, verify_data_len)) == NULL) 889 goto err; 890 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 891 goto err; 892 if (hlen != verify_data_len) 893 goto err; 894 895 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 896 ctx->alert = TLS1_AD_DECRYPT_ERROR; 897 goto err; 898 } 899 900 if (!CBS_skip(cbs, verify_data_len)) 901 goto err; 902 903 /* 904 * Any records following the client finished message must be encrypted 905 * using the client application traffic keys. 906 */ 907 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 908 &secrets->client_application_traffic)) 909 goto err; 910 911 tls13_record_layer_allow_ccs(ctx->rl, 0); 912 913 ret = 1; 914 915 err: 916 HMAC_CTX_free(hmac_ctx); 917 free(verify_data); 918 919 return ret; 920 } 921