summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_server.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/tls13_server.c1104
1 files changed, 0 insertions, 1104 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
deleted file mode 100644
index 4ac84a808c..0000000000
--- a/src/lib/libssl/tls13_server.c
+++ /dev/null
@@ -1,1104 +0,0 @@
1/* $OpenBSD: tls13_server.c,v 1.96 2022/02/03 16:33:12 jsing Exp $ */
2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <openssl/x509v3.h>
20
21#include "ssl_locl.h"
22#include "ssl_sigalgs.h"
23#include "ssl_tlsext.h"
24#include "tls13_handshake.h"
25#include "tls13_internal.h"
26
27int
28tls13_server_init(struct tls13_ctx *ctx)
29{
30 SSL *s = ctx->ssl;
31
32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
33 &ctx->hs->our_max_tls_version)) {
34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
35 return 0;
36 }
37 s->version = ctx->hs->our_max_tls_version;
38
39 tls13_record_layer_set_retry_after_phh(ctx->rl,
40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
41
42 if (!ssl_get_new_session(s, 0)) /* XXX */
43 return 0;
44
45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
46
47 if (!tls1_transcript_init(s))
48 return 0;
49
50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
51
52 return 1;
53}
54
55int
56tls13_server_accept(struct tls13_ctx *ctx)
57{
58 if (ctx->mode != TLS13_HS_SERVER)
59 return TLS13_IO_FAILURE;
60
61 return tls13_handshake_perform(ctx);
62}
63
64static int
65tls13_client_hello_is_legacy(CBS *cbs)
66{
67 CBS extensions_block, extensions, extension_data, versions;
68 uint16_t version, max_version = 0;
69 uint16_t type;
70
71 CBS_dup(cbs, &extensions_block);
72
73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
74 return 1;
75
76 while (CBS_len(&extensions) > 0) {
77 if (!CBS_get_u16(&extensions, &type))
78 return 1;
79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
80 return 1;
81
82 if (type != TLSEXT_TYPE_supported_versions)
83 continue;
84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions))
85 return 1;
86 while (CBS_len(&versions) > 0) {
87 if (!CBS_get_u16(&versions, &version))
88 return 1;
89 if (version >= max_version)
90 max_version = version;
91 }
92 if (CBS_len(&extension_data) != 0)
93 return 1;
94 }
95
96 return (max_version < TLS1_3_VERSION);
97}
98
99int
100tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
101{
102 SSL *s = ctx->ssl;
103
104 /*
105 * RFC 8446, section 9.2. If the ClientHello has supported_versions
106 * containing TLSv1.3, presence or absence of some extensions requires
107 * presence or absence of others.
108 */
109
110 /*
111 * If we got no pre_shared_key, then signature_algorithms and
112 * supported_groups must both be present.
113 */
114 if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
115 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms))
116 return 0;
117 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups))
118 return 0;
119 }
120
121 /*
122 * supported_groups and key_share must either both be present or
123 * both be absent.
124 */
125 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) !=
126 tlsext_extension_seen(s, TLSEXT_TYPE_key_share))
127 return 0;
128
129 /*
130 * XXX - Require server_name from client? If so, we SHOULD enforce
131 * this here - RFC 8446, 9.2.
132 */
133
134 return 1;
135}
136
137static const uint8_t tls13_compression_null_only[] = { 0 };
138
139static int
140tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
141{
142 CBS cipher_suites, client_random, compression_methods, session_id;
143 STACK_OF(SSL_CIPHER) *ciphers = NULL;
144 const SSL_CIPHER *cipher;
145 uint16_t legacy_version;
146 int alert_desc;
147 SSL *s = ctx->ssl;
148 int ret = 0;
149
150 if (!CBS_get_u16(cbs, &legacy_version))
151 goto err;
152 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
153 goto err;
154 if (!CBS_get_u8_length_prefixed(cbs, &session_id))
155 goto err;
156 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites))
157 goto err;
158 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
159 goto err;
160
161 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) {
162 if (!CBS_skip(cbs, CBS_len(cbs)))
163 goto err;
164 return tls13_use_legacy_server(ctx);
165 }
166 ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
167 ctx->hs->peer_legacy_version = legacy_version;
168
169 /* Ensure we send subsequent alerts with the correct record version. */
170 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
171
172 /* Add decoded values to the current ClientHello hash */
173 if (!tls13_clienthello_hash_init(ctx)) {
174 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
175 goto err;
176 }
177 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version,
178 sizeof(legacy_version))) {
179 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
180 goto err;
181 }
182 if (!tls13_clienthello_hash_update(ctx, &client_random)) {
183 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
184 goto err;
185 }
186 if (!tls13_clienthello_hash_update(ctx, &session_id)) {
187 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
188 goto err;
189 }
190 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) {
191 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
192 goto err;
193 }
194 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) {
195 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
196 goto err;
197 }
198
199 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) {
200 ctx->alert = alert_desc;
201 goto err;
202 }
203
204 /* Finalize first ClientHello hash, or validate against it */
205 if (!ctx->hs->tls13.hrr) {
206 if (!tls13_clienthello_hash_finalize(ctx)) {
207 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
208 goto err;
209 }
210 } else {
211 if (!tls13_clienthello_hash_validate(ctx)) {
212 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
213 goto err;
214 }
215 tls13_clienthello_hash_clear(&ctx->hs->tls13);
216 }
217
218 if (!tls13_client_hello_required_extensions(ctx)) {
219 ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
220 goto err;
221 }
222
223 /*
224 * If we got this far we have a supported versions extension that offers
225 * TLS 1.3 or later. This requires the legacy version be set to 0x0303.
226 */
227 if (legacy_version != TLS1_2_VERSION) {
228 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
229 goto err;
230 }
231
232 /* Store legacy session identifier so we can echo it. */
233 if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
234 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
235 goto err;
236 }
237 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
238 sizeof(ctx->hs->tls13.legacy_session_id),
239 &ctx->hs->tls13.legacy_session_id_len)) {
240 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
241 goto err;
242 }
243
244 /* Parse cipher suites list and select preferred cipher. */
245 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {
246 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
247 goto err;
248 }
249 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
250 if (cipher == NULL) {
251 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0,
252 "no shared cipher found", NULL);
253 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
254 goto err;
255 }
256 ctx->hs->cipher = cipher;
257
258 sk_SSL_CIPHER_free(s->session->ciphers);
259 s->session->ciphers = ciphers;
260 ciphers = NULL;
261
262 /* Ensure only the NULL compression method is advertised. */
263 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only,
264 sizeof(tls13_compression_null_only))) {
265 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
266 goto err;
267 }
268
269 ret = 1;
270
271 err:
272 sk_SSL_CIPHER_free(ciphers);
273
274 return ret;
275}
276
277int
278tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
279{
280 SSL *s = ctx->ssl;
281
282 if (!tls13_client_hello_process(ctx, cbs))
283 goto err;
284
285 /* See if we switched back to the legacy client method. */
286 if (s->method->version < TLS1_3_VERSION)
287 return 1;
288
289 /*
290 * If a matching key share was provided, we do not need to send a
291 * HelloRetryRequest.
292 */
293 /*
294 * XXX - ideally NEGOTIATED would only be added after record protection
295 * has been enabled. This would probably mean using either an
296 * INITIAL | WITHOUT_HRR state, or another intermediate state.
297 */
298 if (ctx->hs->key_share != NULL)
299 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
300
301 /* XXX - check this is the correct point */
302 tls13_record_layer_allow_ccs(ctx->rl, 1);
303
304 return 1;
305
306 err:
307 return 0;
308}
309
310static int
311tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
312{
313 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
314 const uint8_t *server_random;
315 CBB session_id;
316 SSL *s = ctx->ssl;
317 uint16_t cipher;
318
319 cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
320 server_random = s->s3->server_random;
321
322 if (hrr) {
323 server_random = tls13_hello_retry_request_hash;
324 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
325 }
326
327 if (!CBB_add_u16(cbb, TLS1_2_VERSION))
328 goto err;
329 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE))
330 goto err;
331 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
332 goto err;
333 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
334 ctx->hs->tls13.legacy_session_id_len))
335 goto err;
336 if (!CBB_add_u16(cbb, cipher))
337 goto err;
338 if (!CBB_add_u8(cbb, 0))
339 goto err;
340 if (!tlsext_server_build(s, tlsext_msg_type, cbb))
341 goto err;
342
343 if (!CBB_flush(cbb))
344 goto err;
345
346 return 1;
347 err:
348 return 0;
349}
350
351static int
352tls13_server_engage_record_protection(struct tls13_ctx *ctx)
353{
354 struct tls13_secrets *secrets;
355 struct tls13_secret context;
356 unsigned char buf[EVP_MAX_MD_SIZE];
357 uint8_t *shared_key = NULL;
358 size_t shared_key_len = 0;
359 size_t hash_len;
360 SSL *s = ctx->ssl;
361 int ret = 0;
362
363 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
364 &shared_key_len))
365 goto err;
366
367 s->session->cipher = ctx->hs->cipher;
368
369 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
370 goto err;
371 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
372 goto err;
373
374 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
375 goto err;
376 ctx->hs->tls13.secrets = secrets;
377
378 /* XXX - pass in hash. */
379 if (!tls1_transcript_hash_init(s))
380 goto err;
381 tls1_transcript_free(s);
382 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
383 goto err;
384 context.data = buf;
385 context.len = hash_len;
386
387 /* Early secrets. */
388 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
389 secrets->zeros.len, &context))
390 goto err;
391
392 /* Handshake secrets. */
393 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
394 shared_key_len, &context))
395 goto err;
396
397 tls13_record_layer_set_aead(ctx->rl, ctx->aead);
398 tls13_record_layer_set_hash(ctx->rl, ctx->hash);
399
400 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
401 &secrets->client_handshake_traffic))
402 goto err;
403 if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
404 &secrets->server_handshake_traffic))
405 goto err;
406
407 ctx->handshake_stage.hs_type |= NEGOTIATED;
408 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER))
409 ctx->handshake_stage.hs_type |= WITHOUT_CR;
410
411 ret = 1;
412
413 err:
414 freezero(shared_key, shared_key_len);
415 return ret;
416}
417
418int
419tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
420{
421 int nid;
422
423 ctx->hs->tls13.hrr = 1;
424
425 if (!tls13_synthetic_handshake_message(ctx))
426 return 0;
427
428 if (ctx->hs->key_share != NULL)
429 return 0;
430 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
431 return 0;
432 if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
433 return 0;
434
435 if (!tls13_server_hello_build(ctx, cbb, 1))
436 return 0;
437
438 return 1;
439}
440
441int
442tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
443{
444 /*
445 * If the client has requested middlebox compatibility mode,
446 * we MUST send a dummy CCS following our first handshake message.
447 * See RFC 8446 Appendix D.4.
448 */
449 if (ctx->hs->tls13.legacy_session_id_len > 0)
450 ctx->send_dummy_ccs_after = 1;
451
452 return 1;
453}
454
455int
456tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
457{
458 SSL *s = ctx->ssl;
459
460 if (!tls13_client_hello_process(ctx, cbs))
461 return 0;
462
463 /* XXX - need further checks. */
464 if (s->method->version < TLS1_3_VERSION)
465 return 0;
466
467 ctx->hs->tls13.hrr = 0;
468
469 return 1;
470}
471
472static int
473tls13_servername_process(struct tls13_ctx *ctx)
474{
475 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
476
477 if (!tls13_legacy_servername_process(ctx, &alert)) {
478 ctx->alert = alert;
479 return 0;
480 }
481
482 return 1;
483}
484
485int
486tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
487{
488 if (ctx->hs->key_share == NULL)
489 return 0;
490 if (!tls_key_share_generate(ctx->hs->key_share))
491 return 0;
492 if (!tls13_servername_process(ctx))
493 return 0;
494
495 ctx->hs->tls13.server_group = 0;
496
497 if (!tls13_server_hello_build(ctx, cbb, 0))
498 return 0;
499
500 return 1;
501}
502
503int
504tls13_server_hello_sent(struct tls13_ctx *ctx)
505{
506 /*
507 * If the client has requested middlebox compatibility mode,
508 * we MUST send a dummy CCS following our first handshake message.
509 * See RFC 8446 Appendix D.4.
510 */
511 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
512 ctx->hs->tls13.legacy_session_id_len > 0)
513 ctx->send_dummy_ccs_after = 1;
514
515 return tls13_server_engage_record_protection(ctx);
516}
517
518int
519tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
520{
521 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb))
522 goto err;
523
524 return 1;
525 err:
526 return 0;
527}
528
529int
530tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
531{
532 CBB certificate_request_context;
533
534 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
535 goto err;
536 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb))
537 goto err;
538
539 if (!CBB_flush(cbb))
540 goto err;
541
542 return 1;
543 err:
544 return 0;
545}
546
547static int
548tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
549 int *ok, const struct ssl_sigalg **out_sigalg)
550{
551 const struct ssl_sigalg *sigalg;
552 SSL *s = ctx->ssl;
553
554 *ok = 0;
555 *out_sigalg = NULL;
556
557 if (cpk->x509 == NULL || cpk->privatekey == NULL)
558 goto done;
559
560 /*
561 * The digitalSignature bit MUST be set if the Key Usage extension is
562 * present as per RFC 8446 section 4.4.2.2.
563 */
564 if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE))
565 goto done;
566
567 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
568 goto done;
569
570 *ok = 1;
571 *out_sigalg = sigalg;
572
573 done:
574 return 1;
575}
576
577static int
578tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
579 const struct ssl_sigalg **out_sigalg)
580{
581 SSL *s = ctx->ssl;
582 const struct ssl_sigalg *sigalg;
583 SSL_CERT_PKEY *cpk;
584 int cert_ok;
585
586 *out_cpk = NULL;
587 *out_sigalg = NULL;
588
589 cpk = &s->cert->pkeys[SSL_PKEY_ECC];
590 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
591 return 0;
592 if (cert_ok)
593 goto done;
594
595 cpk = &s->cert->pkeys[SSL_PKEY_RSA];
596 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
597 return 0;
598 if (cert_ok)
599 goto done;
600
601 cpk = NULL;
602 sigalg = NULL;
603
604 done:
605 *out_cpk = cpk;
606 *out_sigalg = sigalg;
607
608 return 1;
609}
610
611int
612tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
613{
614 SSL *s = ctx->ssl;
615 CBB cert_request_context, cert_list;
616 const struct ssl_sigalg *sigalg;
617 X509_STORE_CTX *xsc = NULL;
618 STACK_OF(X509) *chain;
619 SSL_CERT_PKEY *cpk;
620 X509 *cert;
621 int i, ret = 0;
622
623 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg))
624 goto err;
625
626 if (cpk == NULL) {
627 /* A server must always provide a certificate. */
628 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
629 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0,
630 "no server certificate", NULL);
631 goto err;
632 }
633
634 ctx->hs->tls13.cpk = cpk;
635 ctx->hs->our_sigalg = sigalg;
636
637 if ((chain = cpk->chain) == NULL)
638 chain = s->ctx->extra_certs;
639
640 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
641 if ((xsc = X509_STORE_CTX_new()) == NULL)
642 goto err;
643 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
644 goto err;
645 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
646 X509_V_FLAG_LEGACY_VERIFY);
647 X509_verify_cert(xsc);
648 ERR_clear_error();
649 chain = X509_STORE_CTX_get0_chain(xsc);
650 }
651
652 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
653 goto err;
654 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
655 goto err;
656
657 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build))
658 goto err;
659
660 for (i = 0; i < sk_X509_num(chain); i++) {
661 cert = sk_X509_value(chain, i);
662
663 /*
664 * In the case of auto chain, the leaf certificate will be at
665 * the top of the chain - skip over it as we've already added
666 * it earlier.
667 */
668 if (i == 0 && cert == cpk->x509)
669 continue;
670
671 /*
672 * XXX we don't send extensions with chain certs to avoid sending
673 * a leaf ocsp staple with the chain certs. This needs to get
674 * fixed.
675 */
676 if (!tls13_cert_add(ctx, &cert_list, cert, NULL))
677 goto err;
678 }
679
680 if (!CBB_flush(cbb))
681 goto err;
682
683 ret = 1;
684
685 err:
686 X509_STORE_CTX_free(xsc);
687
688 return ret;
689}
690
691int
692tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
693{
694 const struct ssl_sigalg *sigalg;
695 uint8_t *sig = NULL, *sig_content = NULL;
696 size_t sig_len, sig_content_len;
697 EVP_MD_CTX *mdctx = NULL;
698 EVP_PKEY_CTX *pctx;
699 EVP_PKEY *pkey;
700 const SSL_CERT_PKEY *cpk;
701 CBB sig_cbb;
702 int ret = 0;
703
704 memset(&sig_cbb, 0, sizeof(sig_cbb));
705
706 if ((cpk = ctx->hs->tls13.cpk) == NULL)
707 goto err;
708 if ((sigalg = ctx->hs->our_sigalg) == NULL)
709 goto err;
710 pkey = cpk->privatekey;
711
712 if (!CBB_init(&sig_cbb, 0))
713 goto err;
714 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
715 sizeof(tls13_cert_verify_pad)))
716 goto err;
717 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context,
718 strlen(tls13_cert_server_verify_context)))
719 goto err;
720 if (!CBB_add_u8(&sig_cbb, 0))
721 goto err;
722 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
723 ctx->hs->tls13.transcript_hash_len))
724 goto err;
725 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
726 goto err;
727
728 if ((mdctx = EVP_MD_CTX_new()) == NULL)
729 goto err;
730 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
731 goto err;
732 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
733 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
734 goto err;
735 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
736 goto err;
737 }
738 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
739 goto err;
740 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
741 goto err;
742 if ((sig = calloc(1, sig_len)) == NULL)
743 goto err;
744 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
745 goto err;
746
747 if (!CBB_add_u16(cbb, sigalg->value))
748 goto err;
749 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
750 goto err;
751 if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
752 goto err;
753
754 if (!CBB_flush(cbb))
755 goto err;
756
757 ret = 1;
758
759 err:
760 if (!ret && ctx->alert == 0)
761 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
762
763 CBB_cleanup(&sig_cbb);
764 EVP_MD_CTX_free(mdctx);
765 free(sig_content);
766 free(sig);
767
768 return ret;
769}
770
771int
772tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
773{
774 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
775 struct tls13_secret context = { .data = "", .len = 0 };
776 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
777 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
778 size_t transcript_hash_len;
779 uint8_t *verify_data;
780 size_t verify_data_len;
781 unsigned int hlen;
782 HMAC_CTX *hmac_ctx = NULL;
783 CBS cbs;
784 int ret = 0;
785
786 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
787 goto err;
788
789 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
790 &secrets->server_handshake_traffic, "finished",
791 &context))
792 goto err;
793
794 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
795 sizeof(transcript_hash), &transcript_hash_len))
796 goto err;
797
798 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
799 goto err;
800 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
801 ctx->hash, NULL))
802 goto err;
803 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
804 goto err;
805
806 verify_data_len = HMAC_size(hmac_ctx);
807 if (!CBB_add_space(cbb, &verify_data, verify_data_len))
808 goto err;
809 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
810 goto err;
811 if (hlen != verify_data_len)
812 goto err;
813
814 CBS_init(&cbs, verify_data, verify_data_len);
815 if (!CBS_write_bytes(&cbs, ctx->hs->finished,
816 sizeof(ctx->hs->finished), &ctx->hs->finished_len))
817 goto err;
818
819 ret = 1;
820
821 err:
822 tls13_secret_cleanup(&finished_key);
823 HMAC_CTX_free(hmac_ctx);
824
825 return ret;
826}
827
828int
829tls13_server_finished_sent(struct tls13_ctx *ctx)
830{
831 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
832 struct tls13_secret context = { .data = "", .len = 0 };
833
834 /*
835 * Derive application traffic keys.
836 */
837 context.data = ctx->hs->tls13.transcript_hash;
838 context.len = ctx->hs->tls13.transcript_hash_len;
839
840 if (!tls13_derive_application_secrets(secrets, &context))
841 return 0;
842
843 /*
844 * Any records following the server finished message must be encrypted
845 * using the server application traffic keys.
846 */
847 return tls13_record_layer_set_write_traffic_key(ctx->rl,
848 &secrets->server_application_traffic);
849}
850
851int
852tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
853{
854 CBS cert_request_context, cert_list, cert_data, cert_exts;
855 struct stack_st_X509 *certs = NULL;
856 SSL *s = ctx->ssl;
857 X509 *cert = NULL;
858 EVP_PKEY *pkey;
859 const uint8_t *p;
860 int cert_type;
861 int ret = 0;
862
863 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
864 goto err;
865 if (CBS_len(&cert_request_context) != 0)
866 goto err;
867 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
868 goto err;
869 if (CBS_len(&cert_list) == 0) {
870 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
871 return 1;
872 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
873 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
874 "peer did not provide a certificate", NULL);
875 goto err;
876 }
877
878 if ((certs = sk_X509_new_null()) == NULL)
879 goto err;
880 while (CBS_len(&cert_list) > 0) {
881 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
882 goto err;
883 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
884 goto err;
885
886 p = CBS_data(&cert_data);
887 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
888 goto err;
889 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
890 goto err;
891
892 if (!sk_X509_push(certs, cert))
893 goto err;
894
895 cert = NULL;
896 }
897
898 /*
899 * At this stage we still have no proof of possession. As such, it would
900 * be preferable to keep the chain and verify once we have successfully
901 * processed the CertificateVerify message.
902 */
903 if (ssl_verify_cert_chain(s, certs) <= 0) {
904 ctx->alert = ssl_verify_alarm_type(s->verify_result);
905 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
906 "failed to verify peer certificate", NULL);
907 goto err;
908 }
909 ERR_clear_error();
910
911 /*
912 * Achtung! Due to API inconsistency, a client includes the peer's leaf
913 * certificate in the stored certificate chain, while a server does not.
914 */
915 cert = sk_X509_shift(certs);
916
917 if ((pkey = X509_get0_pubkey(cert)) == NULL)
918 goto err;
919 if (EVP_PKEY_missing_parameters(pkey))
920 goto err;
921 if ((cert_type = ssl_cert_type(pkey)) < 0)
922 goto err;
923
924 X509_up_ref(cert);
925 X509_free(s->session->peer_cert);
926 s->session->peer_cert = cert;
927 s->session->peer_cert_type = cert_type;
928
929 s->session->verify_result = s->verify_result;
930
931 sk_X509_pop_free(s->session->cert_chain, X509_free);
932 s->session->cert_chain = certs;
933 certs = NULL;
934
935 ctx->handshake_stage.hs_type |= WITH_CCV;
936 ret = 1;
937
938 err:
939 sk_X509_pop_free(certs, X509_free);
940 X509_free(cert);
941
942 return ret;
943}
944
945int
946tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
947{
948 const struct ssl_sigalg *sigalg;
949 uint16_t signature_scheme;
950 uint8_t *sig_content = NULL;
951 size_t sig_content_len;
952 EVP_MD_CTX *mdctx = NULL;
953 EVP_PKEY_CTX *pctx;
954 EVP_PKEY *pkey;
955 X509 *cert;
956 CBS signature;
957 CBB cbb;
958 int ret = 0;
959
960 memset(&cbb, 0, sizeof(cbb));
961
962 if (!CBS_get_u16(cbs, &signature_scheme))
963 goto err;
964 if (!CBS_get_u16_length_prefixed(cbs, &signature))
965 goto err;
966
967 if (!CBB_init(&cbb, 0))
968 goto err;
969 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
970 sizeof(tls13_cert_verify_pad)))
971 goto err;
972 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
973 strlen(tls13_cert_client_verify_context)))
974 goto err;
975 if (!CBB_add_u8(&cbb, 0))
976 goto err;
977 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
978 ctx->hs->tls13.transcript_hash_len))
979 goto err;
980 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
981 goto err;
982
983 if ((cert = ctx->ssl->session->peer_cert) == NULL)
984 goto err;
985 if ((pkey = X509_get0_pubkey(cert)) == NULL)
986 goto err;
987 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
988 signature_scheme)) == NULL)
989 goto err;
990 ctx->hs->peer_sigalg = sigalg;
991
992 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
993 goto err;
994
995 if ((mdctx = EVP_MD_CTX_new()) == NULL)
996 goto err;
997 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
998 goto err;
999 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
1000 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
1001 goto err;
1002 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
1003 goto err;
1004 }
1005 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
1006 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1007 goto err;
1008 }
1009 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
1010 CBS_len(&signature)) <= 0) {
1011 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1012 goto err;
1013 }
1014
1015 ret = 1;
1016
1017 err:
1018 if (!ret && ctx->alert == 0)
1019 ctx->alert = TLS13_ALERT_DECODE_ERROR;
1020
1021 CBB_cleanup(&cbb);
1022 EVP_MD_CTX_free(mdctx);
1023 free(sig_content);
1024
1025 return ret;
1026}
1027
1028int
1029tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
1030{
1031 return 0;
1032}
1033
1034int
1035tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
1036{
1037 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1038 struct tls13_secret context = { .data = "", .len = 0 };
1039 struct tls13_secret finished_key;
1040 uint8_t *verify_data = NULL;
1041 size_t verify_data_len;
1042 uint8_t key[EVP_MAX_MD_SIZE];
1043 HMAC_CTX *hmac_ctx = NULL;
1044 unsigned int hlen;
1045 int ret = 0;
1046
1047 /*
1048 * Verify client finished.
1049 */
1050 finished_key.data = key;
1051 finished_key.len = EVP_MD_size(ctx->hash);
1052
1053 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1054 &secrets->client_handshake_traffic, "finished",
1055 &context))
1056 goto err;
1057
1058 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1059 goto err;
1060 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1061 ctx->hash, NULL))
1062 goto err;
1063 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
1064 ctx->hs->tls13.transcript_hash_len))
1065 goto err;
1066 verify_data_len = HMAC_size(hmac_ctx);
1067 if ((verify_data = calloc(1, verify_data_len)) == NULL)
1068 goto err;
1069 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1070 goto err;
1071 if (hlen != verify_data_len)
1072 goto err;
1073
1074 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
1075 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1076 goto err;
1077 }
1078
1079 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
1080 sizeof(ctx->hs->peer_finished),
1081 &ctx->hs->peer_finished_len))
1082 goto err;
1083
1084 if (!CBS_skip(cbs, verify_data_len))
1085 goto err;
1086
1087 /*
1088 * Any records following the client finished message must be encrypted
1089 * using the client application traffic keys.
1090 */
1091 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
1092 &secrets->client_application_traffic))
1093 goto err;
1094
1095 tls13_record_layer_allow_ccs(ctx->rl, 0);
1096
1097 ret = 1;
1098
1099 err:
1100 HMAC_CTX_free(hmac_ctx);
1101 free(verify_data);
1102
1103 return ret;
1104}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-14 04:23:10 +0000