summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_client.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/tls13_client.c1090
1 files changed, 0 insertions, 1090 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
deleted file mode 100644
index 11eb880a6e..0000000000
--- a/src/lib/libssl/tls13_client.c
+++ /dev/null
@@ -1,1090 +0,0 @@
1/* $OpenBSD: tls13_client.c,v 1.94 2022/02/03 16:33:12 jsing Exp $ */
2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <openssl/ssl3.h>
19
20#include "bytestring.h"
21#include "ssl_locl.h"
22#include "ssl_sigalgs.h"
23#include "ssl_tlsext.h"
24#include "tls13_handshake.h"
25#include "tls13_internal.h"
26
27int
28tls13_client_init(struct tls13_ctx *ctx)
29{
30 const uint16_t *groups;
31 size_t groups_len;
32 SSL *s = ctx->ssl;
33
34 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
35 &ctx->hs->our_max_tls_version)) {
36 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
37 return 0;
38 }
39 s->version = ctx->hs->our_max_tls_version;
40
41 tls13_record_layer_set_retry_after_phh(ctx->rl,
42 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
43
44 if (!ssl_get_new_session(s, 0)) /* XXX */
45 return 0;
46
47 if (!tls1_transcript_init(s))
48 return 0;
49
50 /* Generate a key share using our preferred group. */
51 tls1_get_group_list(s, 0, &groups, &groups_len);
52 if (groups_len < 1)
53 return 0;
54 if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
55 return 0;
56 if (!tls_key_share_generate(ctx->hs->key_share))
57 return 0;
58
59 arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
60
61 /*
62 * The legacy session identifier should either be set to an
63 * unpredictable 32-byte value or zero length... a non-zero length
64 * legacy session identifier triggers compatibility mode (see RFC 8446
65 * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used.
66 */
67 if (ctx->middlebox_compat &&
68 ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
69 arc4random_buf(ctx->hs->tls13.legacy_session_id,
70 sizeof(ctx->hs->tls13.legacy_session_id));
71 ctx->hs->tls13.legacy_session_id_len =
72 sizeof(ctx->hs->tls13.legacy_session_id);
73 }
74
75 return 1;
76}
77
78int
79tls13_client_connect(struct tls13_ctx *ctx)
80{
81 if (ctx->mode != TLS13_HS_CLIENT)
82 return TLS13_IO_FAILURE;
83
84 return tls13_handshake_perform(ctx);
85}
86
87static int
88tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb)
89{
90 CBB cipher_suites, compression_methods, session_id;
91 uint16_t client_version;
92 SSL *s = ctx->ssl;
93
94 /* Legacy client version is capped at TLS 1.2. */
95 if (!ssl_max_legacy_version(s, &client_version))
96 goto err;
97
98 if (!CBB_add_u16(cbb, client_version))
99 goto err;
100 if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
101 goto err;
102
103 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
104 goto err;
105 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
106 ctx->hs->tls13.legacy_session_id_len))
107 goto err;
108
109 if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
110 goto err;
111 if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) {
112 SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
113 goto err;
114 }
115
116 if (!CBB_add_u8_length_prefixed(cbb, &compression_methods))
117 goto err;
118 if (!CBB_add_u8(&compression_methods, 0))
119 goto err;
120
121 if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb))
122 goto err;
123
124 if (!CBB_flush(cbb))
125 goto err;
126
127 return 1;
128
129 err:
130 return 0;
131}
132
133int
134tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb)
135{
136 if (ctx->hs->our_min_tls_version < TLS1_2_VERSION)
137 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
138
139 /* We may receive a pre-TLSv1.3 alert in response to the client hello. */
140 tls13_record_layer_allow_legacy_alerts(ctx->rl, 1);
141
142 if (!tls13_client_hello_build(ctx, cbb))
143 return 0;
144
145 return 1;
146}
147
148int
149tls13_client_hello_sent(struct tls13_ctx *ctx)
150{
151 tls13_record_layer_allow_ccs(ctx->rl, 1);
152
153 tls1_transcript_freeze(ctx->ssl);
154
155 if (ctx->middlebox_compat)
156 ctx->send_dummy_ccs = 1;
157
158 return 1;
159}
160
161static int
162tls13_server_hello_is_legacy(CBS *cbs)
163{
164 CBS extensions_block, extensions, extension_data;
165 uint16_t selected_version = 0;
166 uint16_t type;
167
168 CBS_dup(cbs, &extensions_block);
169
170 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
171 return 1;
172
173 while (CBS_len(&extensions) > 0) {
174 if (!CBS_get_u16(&extensions, &type))
175 return 1;
176 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
177 return 1;
178
179 if (type != TLSEXT_TYPE_supported_versions)
180 continue;
181 if (!CBS_get_u16(&extension_data, &selected_version))
182 return 1;
183 if (CBS_len(&extension_data) != 0)
184 return 1;
185 }
186
187 return (selected_version < TLS1_3_VERSION);
188}
189
190static int
191tls13_server_hello_is_retry(CBS *cbs)
192{
193 CBS server_hello, server_random;
194 uint16_t legacy_version;
195
196 CBS_dup(cbs, &server_hello);
197
198 if (!CBS_get_u16(&server_hello, &legacy_version))
199 return 0;
200 if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE))
201 return 0;
202
203 /* See if this is a HelloRetryRequest. */
204 return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
205 sizeof(tls13_hello_retry_request_hash));
206}
207
208static int
209tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
210{
211 CBS server_random, session_id;
212 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
213 uint16_t cipher_suite, legacy_version;
214 uint8_t compression_method;
215 const SSL_CIPHER *cipher;
216 int alert_desc;
217 SSL *s = ctx->ssl;
218
219 if (!CBS_get_u16(cbs, &legacy_version))
220 goto err;
221 if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
222 goto err;
223 if (!CBS_get_u8_length_prefixed(cbs, &session_id))
224 goto err;
225 if (!CBS_get_u16(cbs, &cipher_suite))
226 goto err;
227 if (!CBS_get_u8(cbs, &compression_method))
228 goto err;
229
230 if (tls13_server_hello_is_legacy(cbs)) {
231 if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) {
232 /*
233 * RFC 8446 section 4.1.3: we must not downgrade if
234 * the server random value contains the TLS 1.2 or 1.1
235 * magical value.
236 */
237 if (!CBS_skip(&server_random, CBS_len(&server_random) -
238 sizeof(tls13_downgrade_12)))
239 goto err;
240 if (CBS_mem_equal(&server_random, tls13_downgrade_12,
241 sizeof(tls13_downgrade_12)) ||
242 CBS_mem_equal(&server_random, tls13_downgrade_11,
243 sizeof(tls13_downgrade_11))) {
244 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
245 goto err;
246 }
247 }
248
249 if (!CBS_skip(cbs, CBS_len(cbs)))
250 goto err;
251
252 ctx->hs->tls13.use_legacy = 1;
253 return 1;
254 }
255
256 /* From here on in we know we are doing TLSv1.3. */
257 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
258 tls13_record_layer_allow_legacy_alerts(ctx->rl, 0);
259
260 /* See if this is a HelloRetryRequest. */
261 /* XXX - see if we can avoid doing this twice. */
262 if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
263 sizeof(tls13_hello_retry_request_hash))) {
264 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
265 ctx->hs->tls13.hrr = 1;
266 }
267
268 if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) {
269 ctx->alert = alert_desc;
270 goto err;
271 }
272
273 /*
274 * The supported versions extension indicated 0x0304 or greater.
275 * Ensure that it was 0x0304 and that legacy version is set to 0x0303
276 * (RFC 8446 section 4.2.1).
277 */
278 if (ctx->hs->tls13.server_version != TLS1_3_VERSION ||
279 legacy_version != TLS1_2_VERSION) {
280 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
281 goto err;
282 }
283 ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version;
284 ctx->hs->peer_legacy_version = legacy_version;
285
286 /* The session_id must match. */
287 if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id,
288 ctx->hs->tls13.legacy_session_id_len)) {
289 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
290 goto err;
291 }
292
293 /*
294 * Ensure that the cipher suite is one that we offered in the client
295 * hello and that it is a TLSv1.3 cipher suite.
296 */
297 cipher = ssl3_get_cipher_by_value(cipher_suite);
298 if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) {
299 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
300 goto err;
301 }
302 if (cipher->algorithm_ssl != SSL_TLSV1_3) {
303 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
304 goto err;
305 }
306 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) {
307 /*
308 * A ServerHello following a HelloRetryRequest MUST use the same
309 * cipher suite (RFC 8446 section 4.1.4).
310 */
311 if (ctx->hs->cipher != cipher) {
312 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
313 goto err;
314 }
315 }
316 ctx->hs->cipher = cipher;
317
318 if (compression_method != 0) {
319 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
320 goto err;
321 }
322
323 return 1;
324
325 err:
326 if (ctx->alert == 0)
327 ctx->alert = TLS13_ALERT_DECODE_ERROR;
328
329 return 0;
330}
331
332static int
333tls13_client_engage_record_protection(struct tls13_ctx *ctx)
334{
335 struct tls13_secrets *secrets;
336 struct tls13_secret context;
337 unsigned char buf[EVP_MAX_MD_SIZE];
338 uint8_t *shared_key = NULL;
339 size_t shared_key_len = 0;
340 size_t hash_len;
341 SSL *s = ctx->ssl;
342 int ret = 0;
343
344 /* Derive the shared key and engage record protection. */
345
346 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
347 &shared_key_len))
348 goto err;
349
350 s->session->cipher = ctx->hs->cipher;
351 s->session->ssl_version = ctx->hs->tls13.server_version;
352
353 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
354 goto err;
355 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
356 goto err;
357
358 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
359 goto err;
360 ctx->hs->tls13.secrets = secrets;
361
362 /* XXX - pass in hash. */
363 if (!tls1_transcript_hash_init(s))
364 goto err;
365 tls1_transcript_free(s);
366 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
367 goto err;
368 context.data = buf;
369 context.len = hash_len;
370
371 /* Early secrets. */
372 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
373 secrets->zeros.len, &context))
374 goto err;
375
376 /* Handshake secrets. */
377 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
378 shared_key_len, &context))
379 goto err;
380
381 tls13_record_layer_set_aead(ctx->rl, ctx->aead);
382 tls13_record_layer_set_hash(ctx->rl, ctx->hash);
383
384 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
385 &secrets->server_handshake_traffic))
386 goto err;
387 if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
388 &secrets->client_handshake_traffic))
389 goto err;
390
391 ret = 1;
392
393 err:
394 freezero(shared_key, shared_key_len);
395
396 return ret;
397}
398
399int
400tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
401{
402 /*
403 * The state machine has no way of knowing if we're going to receive a
404 * HelloRetryRequest or a ServerHello. As such, we have to handle
405 * this case here and hand off to the appropriate function.
406 */
407 if (!tls13_server_hello_is_retry(cbs)) {
408 ctx->handshake_stage.hs_type |= WITHOUT_HRR;
409 return tls13_server_hello_recv(ctx, cbs);
410 }
411
412 if (!tls13_server_hello_process(ctx, cbs))
413 return 0;
414
415 /*
416 * This may have been a TLSv1.2 or earlier ServerHello that just
417 * happened to have matching server random...
418 */
419 if (ctx->hs->tls13.use_legacy)
420 return tls13_use_legacy_client(ctx);
421
422 if (!ctx->hs->tls13.hrr)
423 return 0;
424
425 if (!tls13_synthetic_handshake_message(ctx))
426 return 0;
427 if (!tls13_handshake_msg_record(ctx))
428 return 0;
429
430 ctx->hs->tls13.hrr = 0;
431
432 return 1;
433}
434
435int
436tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
437{
438 /*
439 * Ensure that the server supported group is one that we listed in our
440 * supported groups and is not the same as the key share we previously
441 * offered.
442 */
443 if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group))
444 return 0; /* XXX alert */
445 if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share))
446 return 0; /* XXX alert */
447
448 /* Switch to new key share. */
449 tls_key_share_free(ctx->hs->key_share);
450 if ((ctx->hs->key_share =
451 tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
452 return 0;
453 if (!tls_key_share_generate(ctx->hs->key_share))
454 return 0;
455
456 if (!tls13_client_hello_build(ctx, cbb))
457 return 0;
458
459 return 1;
460}
461
462int
463tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
464{
465 SSL *s = ctx->ssl;
466
467 /*
468 * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3
469 * ServerHello. HelloRetryRequests have already been handled.
470 */
471 if (!tls13_server_hello_process(ctx, cbs))
472 return 0;
473
474 if (ctx->handshake_stage.hs_type & WITHOUT_HRR) {
475 tls1_transcript_unfreeze(s);
476 if (!tls13_handshake_msg_record(ctx))
477 return 0;
478 }
479
480 if (ctx->hs->tls13.use_legacy) {
481 if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR))
482 return 0;
483 return tls13_use_legacy_client(ctx);
484 }
485
486 if (ctx->hs->tls13.hrr) {
487 /* The server has sent two HelloRetryRequests. */
488 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
489 return 0;
490 }
491
492 if (!tls13_client_engage_record_protection(ctx))
493 return 0;
494
495 ctx->handshake_stage.hs_type |= NEGOTIATED;
496
497 return 1;
498}
499
500int
501tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs)
502{
503 int alert_desc;
504
505 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) {
506 ctx->alert = alert_desc;
507 goto err;
508 }
509
510 return 1;
511
512 err:
513 if (ctx->alert == 0)
514 ctx->alert = TLS13_ALERT_DECODE_ERROR;
515
516 return 0;
517}
518
519int
520tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs)
521{
522 CBS cert_request_context;
523 int alert_desc;
524
525 /*
526 * Thanks to poor state design in the RFC, this function can be called
527 * when we actually have a certificate message instead of a certificate
528 * request... in that case we call the certificate handler after
529 * switching state, to avoid advancing state.
530 */
531 if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) {
532 ctx->handshake_stage.hs_type |= WITHOUT_CR;
533 return tls13_server_certificate_recv(ctx, cbs);
534 }
535
536 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
537 goto err;
538 if (CBS_len(&cert_request_context) != 0)
539 goto err;
540
541 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) {
542 ctx->alert = alert_desc;
543 goto err;
544 }
545
546 return 1;
547
548 err:
549 if (ctx->alert == 0)
550 ctx->alert = TLS13_ALERT_DECODE_ERROR;
551
552 return 0;
553}
554
555int
556tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
557{
558 CBS cert_request_context, cert_list, cert_data;
559 struct stack_st_X509 *certs = NULL;
560 SSL *s = ctx->ssl;
561 X509 *cert = NULL;
562 EVP_PKEY *pkey;
563 const uint8_t *p;
564 int alert_desc, cert_type;
565 int ret = 0;
566
567 if ((certs = sk_X509_new_null()) == NULL)
568 goto err;
569
570 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
571 goto err;
572 if (CBS_len(&cert_request_context) != 0)
573 goto err;
574 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
575 goto err;
576
577 while (CBS_len(&cert_list) > 0) {
578 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
579 goto err;
580
581 if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT,
582 &cert_list, &alert_desc)) {
583 ctx->alert = alert_desc;
584 goto err;
585 }
586
587 p = CBS_data(&cert_data);
588 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
589 goto err;
590 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
591 goto err;
592
593 if (!sk_X509_push(certs, cert))
594 goto err;
595
596 cert = NULL;
597 }
598
599 /* A server must always provide a non-empty certificate list. */
600 if (sk_X509_num(certs) < 1) {
601 ctx->alert = TLS13_ALERT_DECODE_ERROR;
602 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
603 "peer failed to provide a certificate", NULL);
604 goto err;
605 }
606
607 /*
608 * At this stage we still have no proof of possession. As such, it would
609 * be preferable to keep the chain and verify once we have successfully
610 * processed the CertificateVerify message.
611 */
612 if (ssl_verify_cert_chain(s, certs) <= 0 &&
613 s->verify_mode != SSL_VERIFY_NONE) {
614 ctx->alert = ssl_verify_alarm_type(s->verify_result);
615 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
616 "failed to verify peer certificate", NULL);
617 goto err;
618 }
619 ERR_clear_error();
620
621 cert = sk_X509_value(certs, 0);
622 X509_up_ref(cert);
623
624 if ((pkey = X509_get0_pubkey(cert)) == NULL)
625 goto err;
626 if (EVP_PKEY_missing_parameters(pkey))
627 goto err;
628 if ((cert_type = ssl_cert_type(pkey)) < 0)
629 goto err;
630
631 X509_up_ref(cert);
632 X509_free(s->session->peer_cert);
633 s->session->peer_cert = cert;
634 s->session->peer_cert_type = cert_type;
635
636 s->session->verify_result = s->verify_result;
637
638 sk_X509_pop_free(s->session->cert_chain, X509_free);
639 s->session->cert_chain = certs;
640 certs = NULL;
641
642 if (ctx->ocsp_status_recv_cb != NULL &&
643 !ctx->ocsp_status_recv_cb(ctx))
644 goto err;
645
646 ret = 1;
647
648 err:
649 sk_X509_pop_free(certs, X509_free);
650 X509_free(cert);
651
652 return ret;
653}
654
655int
656tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
657{
658 const struct ssl_sigalg *sigalg;
659 uint16_t signature_scheme;
660 uint8_t *sig_content = NULL;
661 size_t sig_content_len;
662 EVP_MD_CTX *mdctx = NULL;
663 EVP_PKEY_CTX *pctx;
664 EVP_PKEY *pkey;
665 X509 *cert;
666 CBS signature;
667 CBB cbb;
668 int ret = 0;
669
670 memset(&cbb, 0, sizeof(cbb));
671
672 if (!CBS_get_u16(cbs, &signature_scheme))
673 goto err;
674 if (!CBS_get_u16_length_prefixed(cbs, &signature))
675 goto err;
676
677 if (!CBB_init(&cbb, 0))
678 goto err;
679 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
680 sizeof(tls13_cert_verify_pad)))
681 goto err;
682 if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context,
683 strlen(tls13_cert_server_verify_context)))
684 goto err;
685 if (!CBB_add_u8(&cbb, 0))
686 goto err;
687 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
688 ctx->hs->tls13.transcript_hash_len))
689 goto err;
690 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
691 goto err;
692
693 if ((cert = ctx->ssl->session->peer_cert) == NULL)
694 goto err;
695 if ((pkey = X509_get0_pubkey(cert)) == NULL)
696 goto err;
697 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
698 signature_scheme)) == NULL)
699 goto err;
700 ctx->hs->peer_sigalg = sigalg;
701
702 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
703 goto err;
704
705 if ((mdctx = EVP_MD_CTX_new()) == NULL)
706 goto err;
707 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
708 goto err;
709 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
710 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
711 goto err;
712 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
713 goto err;
714 }
715 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
716 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
717 goto err;
718 }
719 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
720 CBS_len(&signature)) <= 0) {
721 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
722 goto err;
723 }
724
725 ret = 1;
726
727 err:
728 if (!ret && ctx->alert == 0)
729 ctx->alert = TLS13_ALERT_DECODE_ERROR;
730 CBB_cleanup(&cbb);
731 EVP_MD_CTX_free(mdctx);
732 free(sig_content);
733
734 return ret;
735}
736
737int
738tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
739{
740 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
741 struct tls13_secret context = { .data = "", .len = 0 };
742 struct tls13_secret finished_key;
743 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
744 size_t transcript_hash_len;
745 uint8_t *verify_data = NULL;
746 size_t verify_data_len;
747 uint8_t key[EVP_MAX_MD_SIZE];
748 HMAC_CTX *hmac_ctx = NULL;
749 unsigned int hlen;
750 int ret = 0;
751
752 /*
753 * Verify server finished.
754 */
755 finished_key.data = key;
756 finished_key.len = EVP_MD_size(ctx->hash);
757
758 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
759 &secrets->server_handshake_traffic, "finished",
760 &context))
761 goto err;
762
763 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
764 goto err;
765 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
766 ctx->hash, NULL))
767 goto err;
768 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
769 ctx->hs->tls13.transcript_hash_len))
770 goto err;
771 verify_data_len = HMAC_size(hmac_ctx);
772 if ((verify_data = calloc(1, verify_data_len)) == NULL)
773 goto err;
774 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
775 goto err;
776 if (hlen != verify_data_len)
777 goto err;
778
779 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
780 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
781 goto err;
782 }
783
784 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
785 sizeof(ctx->hs->peer_finished),
786 &ctx->hs->peer_finished_len))
787 goto err;
788
789 if (!CBS_skip(cbs, verify_data_len))
790 goto err;
791
792 /*
793 * Derive application traffic keys.
794 */
795 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
796 sizeof(transcript_hash), &transcript_hash_len))
797 goto err;
798
799 context.data = transcript_hash;
800 context.len = transcript_hash_len;
801
802 if (!tls13_derive_application_secrets(secrets, &context))
803 goto err;
804
805 /*
806 * Any records following the server finished message must be encrypted
807 * using the server application traffic keys.
808 */
809 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
810 &secrets->server_application_traffic))
811 goto err;
812
813 tls13_record_layer_allow_ccs(ctx->rl, 0);
814
815 ret = 1;
816
817 err:
818 HMAC_CTX_free(hmac_ctx);
819 free(verify_data);
820
821 return ret;
822}
823
824static int
825tls13_client_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
826 int *ok, const struct ssl_sigalg **out_sigalg)
827{
828 const struct ssl_sigalg *sigalg;
829 SSL *s = ctx->ssl;
830
831 *ok = 0;
832 *out_sigalg = NULL;
833
834 if (cpk->x509 == NULL || cpk->privatekey == NULL)
835 goto done;
836
837 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
838 goto done;
839
840 *ok = 1;
841 *out_sigalg = sigalg;
842
843 done:
844 return 1;
845}
846
847static int
848tls13_client_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
849 const struct ssl_sigalg **out_sigalg)
850{
851 SSL *s = ctx->ssl;
852 const struct ssl_sigalg *sigalg;
853 SSL_CERT_PKEY *cpk;
854 int cert_ok;
855
856 *out_cpk = NULL;
857 *out_sigalg = NULL;
858
859 /*
860 * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences
861 * with the certificate_authorities (4.2.4) and oid_filters (4.2.5)
862 * extensions. We should honor the former and must apply the latter.
863 */
864
865 cpk = &s->cert->pkeys[SSL_PKEY_ECC];
866 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
867 return 0;
868 if (cert_ok)
869 goto done;
870
871 cpk = &s->cert->pkeys[SSL_PKEY_RSA];
872 if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg))
873 return 0;
874 if (cert_ok)
875 goto done;
876
877 cpk = NULL;
878 sigalg = NULL;
879
880 done:
881 *out_cpk = cpk;
882 *out_sigalg = sigalg;
883
884 return 1;
885}
886
887int
888tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
889{
890 SSL *s = ctx->ssl;
891 CBB cert_request_context, cert_list;
892 const struct ssl_sigalg *sigalg;
893 STACK_OF(X509) *chain;
894 SSL_CERT_PKEY *cpk;
895 X509 *cert;
896 int i, ret = 0;
897
898 if (!tls13_client_select_certificate(ctx, &cpk, &sigalg))
899 goto err;
900
901 ctx->hs->tls13.cpk = cpk;
902 ctx->hs->our_sigalg = sigalg;
903
904 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
905 goto err;
906 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
907 goto err;
908
909 /* No certificate selected. */
910 if (cpk == NULL)
911 goto done;
912
913 if ((chain = cpk->chain) == NULL)
914 chain = s->ctx->extra_certs;
915
916 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build))
917 goto err;
918
919 for (i = 0; i < sk_X509_num(chain); i++) {
920 cert = sk_X509_value(chain, i);
921 if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build))
922 goto err;
923 }
924
925 ctx->handshake_stage.hs_type |= WITH_CCV;
926 done:
927 if (!CBB_flush(cbb))
928 goto err;
929
930 ret = 1;
931
932 err:
933 return ret;
934}
935
936int
937tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
938{
939 const struct ssl_sigalg *sigalg;
940 uint8_t *sig = NULL, *sig_content = NULL;
941 size_t sig_len, sig_content_len;
942 EVP_MD_CTX *mdctx = NULL;
943 EVP_PKEY_CTX *pctx;
944 EVP_PKEY *pkey;
945 const SSL_CERT_PKEY *cpk;
946 CBB sig_cbb;
947 int ret = 0;
948
949 memset(&sig_cbb, 0, sizeof(sig_cbb));
950
951 if ((cpk = ctx->hs->tls13.cpk) == NULL)
952 goto err;
953 if ((sigalg = ctx->hs->our_sigalg) == NULL)
954 goto err;
955 pkey = cpk->privatekey;
956
957 if (!CBB_init(&sig_cbb, 0))
958 goto err;
959 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
960 sizeof(tls13_cert_verify_pad)))
961 goto err;
962 if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context,
963 strlen(tls13_cert_client_verify_context)))
964 goto err;
965 if (!CBB_add_u8(&sig_cbb, 0))
966 goto err;
967 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
968 ctx->hs->tls13.transcript_hash_len))
969 goto err;
970 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
971 goto err;
972
973 if ((mdctx = EVP_MD_CTX_new()) == NULL)
974 goto err;
975 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
976 goto err;
977 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
978 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
979 goto err;
980 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
981 goto err;
982 }
983 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
984 goto err;
985 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
986 goto err;
987 if ((sig = calloc(1, sig_len)) == NULL)
988 goto err;
989 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
990 goto err;
991
992 if (!CBB_add_u16(cbb, sigalg->value))
993 goto err;
994 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
995 goto err;
996 if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
997 goto err;
998
999 if (!CBB_flush(cbb))
1000 goto err;
1001
1002 ret = 1;
1003
1004 err:
1005 if (!ret && ctx->alert == 0)
1006 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
1007
1008 CBB_cleanup(&sig_cbb);
1009 EVP_MD_CTX_free(mdctx);
1010 free(sig_content);
1011 free(sig);
1012
1013 return ret;
1014}
1015
1016int
1017tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
1018{
1019 return 0;
1020}
1021
1022int
1023tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
1024{
1025 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1026 struct tls13_secret context = { .data = "", .len = 0 };
1027 struct tls13_secret finished_key = { .data = NULL, .len = 0 };
1028 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
1029 size_t transcript_hash_len;
1030 uint8_t *verify_data;
1031 size_t verify_data_len;
1032 unsigned int hlen;
1033 HMAC_CTX *hmac_ctx = NULL;
1034 CBS cbs;
1035 int ret = 0;
1036
1037 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
1038 goto err;
1039
1040 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1041 &secrets->client_handshake_traffic, "finished",
1042 &context))
1043 goto err;
1044
1045 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
1046 sizeof(transcript_hash), &transcript_hash_len))
1047 goto err;
1048
1049 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1050 goto err;
1051 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1052 ctx->hash, NULL))
1053 goto err;
1054 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
1055 goto err;
1056
1057 verify_data_len = HMAC_size(hmac_ctx);
1058 if (!CBB_add_space(cbb, &verify_data, verify_data_len))
1059 goto err;
1060 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1061 goto err;
1062 if (hlen != verify_data_len)
1063 goto err;
1064
1065 CBS_init(&cbs, verify_data, verify_data_len);
1066 if (!CBS_write_bytes(&cbs, ctx->hs->finished,
1067 sizeof(ctx->hs->finished), &ctx->hs->finished_len))
1068 goto err;
1069
1070 ret = 1;
1071
1072 err:
1073 tls13_secret_cleanup(&finished_key);
1074 HMAC_CTX_free(hmac_ctx);
1075
1076 return ret;
1077}
1078
1079int
1080tls13_client_finished_sent(struct tls13_ctx *ctx)
1081{
1082 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1083
1084 /*
1085 * Any records following the client finished message must be encrypted
1086 * using the client application traffic keys.
1087 */
1088 return tls13_record_layer_set_write_traffic_key(ctx->rl,
1089 &secrets->client_application_traffic);
1090}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-14 04:29:43 +0000