summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_server.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/tls13_server.c449
1 files changed, 221 insertions, 228 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 16c2e32dba..864e434fda 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_server.c,v 1.32 2020/04/25 18:06:28 jsing Exp $ */ 1/* $OpenBSD: tls13_server.c,v 1.33 2020/04/27 20:15:17 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -23,15 +23,6 @@
23#include "tls13_internal.h" 23#include "tls13_internal.h"
24 24
25static int 25static int
26tls13_accept(struct tls13_ctx *ctx)
27{
28 if (ctx->mode != TLS13_HS_SERVER)
29 return TLS13_IO_FAILURE;
30
31 return tls13_handshake_perform(ctx);
32}
33
34static int
35tls13_server_init(struct tls13_ctx *ctx) 26tls13_server_init(struct tls13_ctx *ctx)
36{ 27{
37 SSL *s = ctx->ssl; 28 SSL *s = ctx->ssl;
@@ -54,6 +45,15 @@ tls13_server_init(struct tls13_ctx *ctx)
54 return 1; 45 return 1;
55} 46}
56 47
48static int
49tls13_accept(struct tls13_ctx *ctx)
50{
51 if (ctx->mode != TLS13_HS_SERVER)
52 return TLS13_IO_FAILURE;
53
54 return tls13_handshake_perform(ctx);
55}
56
57int 57int
58tls13_legacy_accept(SSL *ssl) 58tls13_legacy_accept(SSL *ssl)
59{ 59{
@@ -300,202 +300,6 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
300 return 0; 300 return 0;
301} 301}
302 302
303int
304tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
305{
306 return 0;
307}
308
309int
310tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
311{
312 return 0;
313}
314
315int
316tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
317{
318 return 0;
319}
320
321int
322tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
323{
324 CBS cert_request_context, cert_list, cert_data, cert_exts;
325 struct stack_st_X509 *certs = NULL;
326 SSL *s = ctx->ssl;
327 X509 *cert = NULL;
328 EVP_PKEY *pkey;
329 const uint8_t *p;
330 int cert_idx;
331 int ret = 0;
332
333 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
334 goto err;
335 if (CBS_len(&cert_request_context) != 0)
336 goto err;
337 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
338 goto err;
339
340 if (CBS_len(&cert_list) == 0)
341 return 1;
342
343 if ((certs = sk_X509_new_null()) == NULL)
344 goto err;
345 while (CBS_len(&cert_list) > 0) {
346 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
347 goto err;
348 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
349 goto err;
350
351 p = CBS_data(&cert_data);
352 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
353 goto err;
354 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
355 goto err;
356
357 if (!sk_X509_push(certs, cert))
358 goto err;
359
360 cert = NULL;
361 }
362
363 /*
364 * At this stage we still have no proof of possession. As such, it would
365 * be preferable to keep the chain and verify once we have successfully
366 * processed the CertificateVerify message.
367 */
368 if (ssl_verify_cert_chain(s, certs) <= 0 &&
369 s->verify_mode != SSL_VERIFY_NONE) {
370 ctx->alert = ssl_verify_alarm_type(s->verify_result);
371 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
372 "failed to verify peer certificate", NULL);
373 goto err;
374 }
375 ERR_clear_error();
376
377 cert = sk_X509_value(certs, 0);
378 X509_up_ref(cert);
379
380 if ((pkey = X509_get0_pubkey(cert)) == NULL)
381 goto err;
382 if (EVP_PKEY_missing_parameters(pkey))
383 goto err;
384 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
385 goto err;
386
387 ssl_sess_cert_free(SSI(s)->sess_cert);
388 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
389 goto err;
390
391 SSI(s)->sess_cert->cert_chain = certs;
392 certs = NULL;
393
394 X509_up_ref(cert);
395 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
396 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
397
398 X509_free(s->session->peer);
399
400 X509_up_ref(cert);
401 s->session->peer = cert;
402 s->session->verify_result = s->verify_result;
403
404 ctx->handshake_stage.hs_type |= WITH_CCV;
405 ret = 1;
406
407 err:
408 sk_X509_pop_free(certs, X509_free);
409 X509_free(cert);
410
411 return ret;
412}
413
414int
415tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
416{
417 const struct ssl_sigalg *sigalg;
418 uint16_t signature_scheme;
419 uint8_t *sig_content = NULL;
420 size_t sig_content_len;
421 EVP_MD_CTX *mdctx = NULL;
422 EVP_PKEY_CTX *pctx;
423 EVP_PKEY *pkey;
424 X509 *cert;
425 CBS signature;
426 CBB cbb;
427 int ret = 0;
428
429 memset(&cbb, 0, sizeof(cbb));
430
431 if (!CBS_get_u16(cbs, &signature_scheme))
432 goto err;
433 if (!CBS_get_u16_length_prefixed(cbs, &signature))
434 goto err;
435
436 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
437 tls13_sigalgs_len)) == NULL)
438 goto err;
439
440 if (!CBB_init(&cbb, 0))
441 goto err;
442 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
443 sizeof(tls13_cert_verify_pad)))
444 goto err;
445 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
446 strlen(tls13_cert_client_verify_context)))
447 goto err;
448 if (!CBB_add_u8(&cbb, 0))
449 goto err;
450 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
451 ctx->hs->transcript_hash_len))
452 goto err;
453 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
454 goto err;
455
456 if ((cert = ctx->ssl->session->peer) == NULL)
457 goto err;
458 if ((pkey = X509_get0_pubkey(cert)) == NULL)
459 goto err;
460 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
461 goto err;
462
463 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
464 goto err;
465
466 if ((mdctx = EVP_MD_CTX_new()) == NULL)
467 goto err;
468 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
469 goto err;
470 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
471 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
472 goto err;
473 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
474 goto err;
475 }
476 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
477 ctx->alert = TLS1_AD_DECRYPT_ERROR;
478 goto err;
479 }
480 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
481 CBS_len(&signature)) <= 0) {
482 ctx->alert = TLS1_AD_DECRYPT_ERROR;
483 goto err;
484 }
485
486 ret = 1;
487
488 err:
489 if (!ret && ctx->alert == 0) {
490 ctx->alert = TLS1_AD_DECODE_ERROR;
491 }
492 CBB_cleanup(&cbb);
493 EVP_MD_CTX_free(mdctx);
494 free(sig_content);
495
496 return ret;
497}
498
499static int 303static int
500tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb) 304tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb)
501{ 305{
@@ -530,6 +334,18 @@ err:
530} 334}
531 335
532int 336int
337tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
338{
339 return 0;
340}
341
342int
343tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
344{
345 return 0;
346}
347
348int
533tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 349tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
534{ 350{
535 if (ctx->hs->key_share == NULL) 351 if (ctx->hs->key_share == NULL)
@@ -613,15 +429,27 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
613} 429}
614 430
615int 431int
616tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 432tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
617{ 433{
434 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE))
435 goto err;
436
437 return 1;
438 err:
618 return 0; 439 return 0;
619} 440}
620 441
621int 442int
622tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 443tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
623{ 444{
624 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE)) 445 CBB certificate_request_context;
446
447 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
448 goto err;
449 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR))
450 goto err;
451
452 if (!CBB_flush(cbb))
625 goto err; 453 goto err;
626 454
627 return 1; 455 return 1;
@@ -672,25 +500,6 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
672 return ret; 500 return ret;
673} 501}
674 502
675/* XXX - move up. */
676int
677tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
678{
679 CBB certificate_request_context;
680
681 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
682 goto err;
683 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR))
684 goto err;
685
686 if (!CBB_flush(cbb))
687 goto err;
688
689 return 1;
690 err:
691 return 0;
692}
693
694int 503int
695tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 504tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
696{ 505{
@@ -850,6 +659,190 @@ tls13_server_finished_sent(struct tls13_ctx *ctx)
850} 659}
851 660
852int 661int
662tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
663{
664 CBS cert_request_context, cert_list, cert_data, cert_exts;
665 struct stack_st_X509 *certs = NULL;
666 SSL *s = ctx->ssl;
667 X509 *cert = NULL;
668 EVP_PKEY *pkey;
669 const uint8_t *p;
670 int cert_idx;
671 int ret = 0;
672
673 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
674 goto err;
675 if (CBS_len(&cert_request_context) != 0)
676 goto err;
677 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
678 goto err;
679
680 if (CBS_len(&cert_list) == 0)
681 return 1;
682
683 if ((certs = sk_X509_new_null()) == NULL)
684 goto err;
685 while (CBS_len(&cert_list) > 0) {
686 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
687 goto err;
688 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
689 goto err;
690
691 p = CBS_data(&cert_data);
692 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
693 goto err;
694 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
695 goto err;
696
697 if (!sk_X509_push(certs, cert))
698 goto err;
699
700 cert = NULL;
701 }
702
703 /*
704 * At this stage we still have no proof of possession. As such, it would
705 * be preferable to keep the chain and verify once we have successfully
706 * processed the CertificateVerify message.
707 */
708 if (ssl_verify_cert_chain(s, certs) <= 0 &&
709 s->verify_mode != SSL_VERIFY_NONE) {
710 ctx->alert = ssl_verify_alarm_type(s->verify_result);
711 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
712 "failed to verify peer certificate", NULL);
713 goto err;
714 }
715 ERR_clear_error();
716
717 cert = sk_X509_value(certs, 0);
718 X509_up_ref(cert);
719
720 if ((pkey = X509_get0_pubkey(cert)) == NULL)
721 goto err;
722 if (EVP_PKEY_missing_parameters(pkey))
723 goto err;
724 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
725 goto err;
726
727 ssl_sess_cert_free(SSI(s)->sess_cert);
728 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
729 goto err;
730
731 SSI(s)->sess_cert->cert_chain = certs;
732 certs = NULL;
733
734 X509_up_ref(cert);
735 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
736 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
737
738 X509_free(s->session->peer);
739
740 X509_up_ref(cert);
741 s->session->peer = cert;
742 s->session->verify_result = s->verify_result;
743
744 ctx->handshake_stage.hs_type |= WITH_CCV;
745 ret = 1;
746
747 err:
748 sk_X509_pop_free(certs, X509_free);
749 X509_free(cert);
750
751 return ret;
752}
753
754int
755tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
756{
757 const struct ssl_sigalg *sigalg;
758 uint16_t signature_scheme;
759 uint8_t *sig_content = NULL;
760 size_t sig_content_len;
761 EVP_MD_CTX *mdctx = NULL;
762 EVP_PKEY_CTX *pctx;
763 EVP_PKEY *pkey;
764 X509 *cert;
765 CBS signature;
766 CBB cbb;
767 int ret = 0;
768
769 memset(&cbb, 0, sizeof(cbb));
770
771 if (!CBS_get_u16(cbs, &signature_scheme))
772 goto err;
773 if (!CBS_get_u16_length_prefixed(cbs, &signature))
774 goto err;
775
776 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
777 tls13_sigalgs_len)) == NULL)
778 goto err;
779
780 if (!CBB_init(&cbb, 0))
781 goto err;
782 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
783 sizeof(tls13_cert_verify_pad)))
784 goto err;
785 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
786 strlen(tls13_cert_client_verify_context)))
787 goto err;
788 if (!CBB_add_u8(&cbb, 0))
789 goto err;
790 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
791 ctx->hs->transcript_hash_len))
792 goto err;
793 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
794 goto err;
795
796 if ((cert = ctx->ssl->session->peer) == NULL)
797 goto err;
798 if ((pkey = X509_get0_pubkey(cert)) == NULL)
799 goto err;
800 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
801 goto err;
802
803 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
804 goto err;
805
806 if ((mdctx = EVP_MD_CTX_new()) == NULL)
807 goto err;
808 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
809 goto err;
810 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
811 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
812 goto err;
813 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
814 goto err;
815 }
816 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
817 ctx->alert = TLS1_AD_DECRYPT_ERROR;
818 goto err;
819 }
820 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
821 CBS_len(&signature)) <= 0) {
822 ctx->alert = TLS1_AD_DECRYPT_ERROR;
823 goto err;
824 }
825
826 ret = 1;
827
828 err:
829 if (!ret && ctx->alert == 0) {
830 ctx->alert = TLS1_AD_DECODE_ERROR;
831 }
832 CBB_cleanup(&cbb);
833 EVP_MD_CTX_free(mdctx);
834 free(sig_content);
835
836 return ret;
837}
838
839int
840tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
841{
842 return 0;
843}
844
845int
853tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 846tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
854{ 847{
855 struct tls13_secrets *secrets = ctx->hs->secrets; 848 struct tls13_secrets *secrets = ctx->hs->secrets;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-14 11:09:11 +0000