summaryrefslogtreecommitdiff
path: root/src/lib/libssl/tls13_server.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/tls13_server.c')
-rw-r--r--src/lib/libssl/tls13_server.c1110
1 files changed, 0 insertions, 1110 deletions
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
deleted file mode 100644
index d2c7abbf7c..0000000000
--- a/src/lib/libssl/tls13_server.c
+++ /dev/null
@@ -1,1110 +0,0 @@
1/* $OpenBSD: tls13_server.c,v 1.84 2021/07/01 17:53:39 jsing Exp $ */
2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
5 *
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <openssl/x509v3.h>
20
21#include "ssl_locl.h"
22#include "ssl_sigalgs.h"
23#include "ssl_tlsext.h"
24#include "tls13_handshake.h"
25#include "tls13_internal.h"
26
27int
28tls13_server_init(struct tls13_ctx *ctx)
29{
30 SSL *s = ctx->ssl;
31
32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
33 &ctx->hs->our_max_tls_version)) {
34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
35 return 0;
36 }
37 s->version = ctx->hs->our_max_tls_version;
38
39 tls13_record_layer_set_retry_after_phh(ctx->rl,
40 (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
41
42 if (!ssl_get_new_session(s, 0)) /* XXX */
43 return 0;
44
45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
46
47 if (!tls1_transcript_init(s))
48 return 0;
49
50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
51
52 return 1;
53}
54
55int
56tls13_server_accept(struct tls13_ctx *ctx)
57{
58 if (ctx->mode != TLS13_HS_SERVER)
59 return TLS13_IO_FAILURE;
60
61 return tls13_handshake_perform(ctx);
62}
63
64static int
65tls13_client_hello_is_legacy(CBS *cbs)
66{
67 CBS extensions_block, extensions, extension_data, versions;
68 uint16_t version, max_version = 0;
69 uint16_t type;
70
71 CBS_dup(cbs, &extensions_block);
72
73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
74 return 1;
75
76 while (CBS_len(&extensions) > 0) {
77 if (!CBS_get_u16(&extensions, &type))
78 return 1;
79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
80 return 1;
81
82 if (type != TLSEXT_TYPE_supported_versions)
83 continue;
84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions))
85 return 1;
86 while (CBS_len(&versions) > 0) {
87 if (!CBS_get_u16(&versions, &version))
88 return 1;
89 if (version >= max_version)
90 max_version = version;
91 }
92 if (CBS_len(&extension_data) != 0)
93 return 1;
94 }
95
96 return (max_version < TLS1_3_VERSION);
97}
98
99int
100tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
101{
102 SSL *s = ctx->ssl;
103
104 /*
105 * RFC 8446, section 9.2. If the ClientHello has supported_versions
106 * containing TLSv1.3, presence or absence of some extensions requires
107 * presence or absence of others.
108 */
109
110 /*
111 * If we got no pre_shared_key, then signature_algorithms and
112 * supported_groups must both be present.
113 */
114 if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
115 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms))
116 return 0;
117 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups))
118 return 0;
119 }
120
121 /*
122 * supported_groups and key_share must either both be present or
123 * both be absent.
124 */
125 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) !=
126 tlsext_extension_seen(s, TLSEXT_TYPE_key_share))
127 return 0;
128
129 /*
130 * XXX - Require server_name from client? If so, we SHOULD enforce
131 * this here - RFC 8446, 9.2.
132 */
133
134 return 1;
135}
136
137static const uint8_t tls13_compression_null_only[] = { 0 };
138
139static int
140tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
141{
142 CBS cipher_suites, client_random, compression_methods, session_id;
143 STACK_OF(SSL_CIPHER) *ciphers = NULL;
144 const SSL_CIPHER *cipher;
145 uint16_t legacy_version;
146 int alert_desc;
147 SSL *s = ctx->ssl;
148 int ret = 0;
149
150 if (!CBS_get_u16(cbs, &legacy_version))
151 goto err;
152 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
153 goto err;
154 if (!CBS_get_u8_length_prefixed(cbs, &session_id))
155 goto err;
156 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites))
157 goto err;
158 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
159 goto err;
160
161 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) {
162 if (!CBS_skip(cbs, CBS_len(cbs)))
163 goto err;
164 return tls13_use_legacy_server(ctx);
165 }
166 ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
167
168 /* Ensure we send subsequent alerts with the correct record version. */
169 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
170
171 /* Add decoded values to the current ClientHello hash */
172 if (!tls13_clienthello_hash_init(ctx)) {
173 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
174 goto err;
175 }
176 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version,
177 sizeof(legacy_version))) {
178 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
179 goto err;
180 }
181 if (!tls13_clienthello_hash_update(ctx, &client_random)) {
182 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
183 goto err;
184 }
185 if (!tls13_clienthello_hash_update(ctx, &session_id)) {
186 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
187 goto err;
188 }
189 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) {
190 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
191 goto err;
192 }
193 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) {
194 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
195 goto err;
196 }
197
198 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) {
199 ctx->alert = alert_desc;
200 goto err;
201 }
202
203 /* Finalize first ClientHello hash, or validate against it */
204 if (!ctx->hs->tls13.hrr) {
205 if (!tls13_clienthello_hash_finalize(ctx)) {
206 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
207 goto err;
208 }
209 } else {
210 if (!tls13_clienthello_hash_validate(ctx)) {
211 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
212 goto err;
213 }
214 tls13_clienthello_hash_clear(&ctx->hs->tls13);
215 }
216
217 if (!tls13_client_hello_required_extensions(ctx)) {
218 ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
219 goto err;
220 }
221
222 /*
223 * If we got this far we have a supported versions extension that offers
224 * TLS 1.3 or later. This requires the legacy version be set to 0x0303.
225 */
226 if (legacy_version != TLS1_2_VERSION) {
227 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
228 goto err;
229 }
230
231 /* Store legacy session identifier so we can echo it. */
232 if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
233 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
234 goto err;
235 }
236 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
237 sizeof(ctx->hs->tls13.legacy_session_id),
238 &ctx->hs->tls13.legacy_session_id_len)) {
239 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
240 goto err;
241 }
242
243 /* Parse cipher suites list and select preferred cipher. */
244 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {
245 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
246 goto err;
247 }
248 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
249 if (cipher == NULL) {
250 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0,
251 "no shared cipher found", NULL);
252 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
253 goto err;
254 }
255 ctx->hs->cipher = cipher;
256
257 sk_SSL_CIPHER_free(s->session->ciphers);
258 s->session->ciphers = ciphers;
259 ciphers = NULL;
260
261 /* Ensure only the NULL compression method is advertised. */
262 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only,
263 sizeof(tls13_compression_null_only))) {
264 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
265 goto err;
266 }
267
268 ret = 1;
269
270 err:
271 sk_SSL_CIPHER_free(ciphers);
272
273 return ret;
274}
275
276int
277tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
278{
279 SSL *s = ctx->ssl;
280
281 if (!tls13_client_hello_process(ctx, cbs))
282 goto err;
283
284 /* See if we switched back to the legacy client method. */
285 if (s->method->version < TLS1_3_VERSION)
286 return 1;
287
288 /*
289 * If a matching key share was provided, we do not need to send a
290 * HelloRetryRequest.
291 */
292 /*
293 * XXX - ideally NEGOTIATED would only be added after record protection
294 * has been enabled. This would probably mean using either an
295 * INITIAL | WITHOUT_HRR state, or another intermediate state.
296 */
297 if (ctx->hs->tls13.key_share != NULL)
298 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
299
300 /* XXX - check this is the correct point */
301 tls13_record_layer_allow_ccs(ctx->rl, 1);
302
303 return 1;
304
305 err:
306 return 0;
307}
308
309static int
310tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
311{
312 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
313 const uint8_t *server_random;
314 CBB session_id;
315 SSL *s = ctx->ssl;
316 uint16_t cipher;
317
318 cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
319 server_random = s->s3->server_random;
320
321 if (hrr) {
322 server_random = tls13_hello_retry_request_hash;
323 tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
324 }
325
326 if (!CBB_add_u16(cbb, TLS1_2_VERSION))
327 goto err;
328 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE))
329 goto err;
330 if (!CBB_add_u8_length_prefixed(cbb, &session_id))
331 goto err;
332 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
333 ctx->hs->tls13.legacy_session_id_len))
334 goto err;
335 if (!CBB_add_u16(cbb, cipher))
336 goto err;
337 if (!CBB_add_u8(cbb, 0))
338 goto err;
339 if (!tlsext_server_build(s, tlsext_msg_type, cbb))
340 goto err;
341
342 if (!CBB_flush(cbb))
343 goto err;
344
345 return 1;
346 err:
347 return 0;
348}
349
350static int
351tls13_server_engage_record_protection(struct tls13_ctx *ctx)
352{
353 struct tls13_secrets *secrets;
354 struct tls13_secret context;
355 unsigned char buf[EVP_MAX_MD_SIZE];
356 uint8_t *shared_key = NULL;
357 size_t shared_key_len = 0;
358 size_t hash_len;
359 SSL *s = ctx->ssl;
360 int ret = 0;
361
362 if (!tls13_key_share_derive(ctx->hs->tls13.key_share,
363 &shared_key, &shared_key_len))
364 goto err;
365
366 s->session->cipher = ctx->hs->cipher;
367
368 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
369 goto err;
370 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
371 goto err;
372
373 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
374 goto err;
375 ctx->hs->tls13.secrets = secrets;
376
377 /* XXX - pass in hash. */
378 if (!tls1_transcript_hash_init(s))
379 goto err;
380 tls1_transcript_free(s);
381 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
382 goto err;
383 context.data = buf;
384 context.len = hash_len;
385
386 /* Early secrets. */
387 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
388 secrets->zeros.len, &context))
389 goto err;
390
391 /* Handshake secrets. */
392 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
393 shared_key_len, &context))
394 goto err;
395
396 tls13_record_layer_set_aead(ctx->rl, ctx->aead);
397 tls13_record_layer_set_hash(ctx->rl, ctx->hash);
398
399 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
400 &secrets->client_handshake_traffic))
401 goto err;
402 if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
403 &secrets->server_handshake_traffic))
404 goto err;
405
406 ctx->handshake_stage.hs_type |= NEGOTIATED;
407 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER))
408 ctx->handshake_stage.hs_type |= WITHOUT_CR;
409
410 ret = 1;
411
412 err:
413 freezero(shared_key, shared_key_len);
414 return ret;
415}
416
417int
418tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
419{
420 int nid;
421
422 ctx->hs->tls13.hrr = 1;
423
424 if (!tls13_synthetic_handshake_message(ctx))
425 return 0;
426
427 if (ctx->hs->tls13.key_share != NULL)
428 return 0;
429 if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
430 return 0;
431 if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
432 return 0;
433
434 if (!tls13_server_hello_build(ctx, cbb, 1))
435 return 0;
436
437 return 1;
438}
439
440int
441tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
442{
443 /*
444 * If the client has requested middlebox compatibility mode,
445 * we MUST send a dummy CCS following our first handshake message.
446 * See RFC 8446 Appendix D.4.
447 */
448 if (ctx->hs->tls13.legacy_session_id_len > 0)
449 ctx->send_dummy_ccs_after = 1;
450
451 return 1;
452}
453
454int
455tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
456{
457 SSL *s = ctx->ssl;
458
459 if (!tls13_client_hello_process(ctx, cbs))
460 return 0;
461
462 /* XXX - need further checks. */
463 if (s->method->version < TLS1_3_VERSION)
464 return 0;
465
466 ctx->hs->tls13.hrr = 0;
467
468 return 1;
469}
470
471static int
472tls13_servername_process(struct tls13_ctx *ctx)
473{
474 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
475
476 if (!tls13_legacy_servername_process(ctx, &alert)) {
477 ctx->alert = alert;
478 return 0;
479 }
480
481 return 1;
482}
483
484int
485tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
486{
487 if (ctx->hs->tls13.key_share == NULL)
488 return 0;
489 if (!tls13_key_share_generate(ctx->hs->tls13.key_share))
490 return 0;
491 if (!tls13_servername_process(ctx))
492 return 0;
493
494 ctx->hs->tls13.server_group = 0;
495
496 if (!tls13_server_hello_build(ctx, cbb, 0))
497 return 0;
498
499 return 1;
500}
501
502int
503tls13_server_hello_sent(struct tls13_ctx *ctx)
504{
505 /*
506 * If the client has requested middlebox compatibility mode,
507 * we MUST send a dummy CCS following our first handshake message.
508 * See RFC 8446 Appendix D.4.
509 */
510 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
511 ctx->hs->tls13.legacy_session_id_len > 0)
512 ctx->send_dummy_ccs_after = 1;
513
514 return tls13_server_engage_record_protection(ctx);
515}
516
517int
518tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
519{
520 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb))
521 goto err;
522
523 return 1;
524 err:
525 return 0;
526}
527
528int
529tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
530{
531 CBB certificate_request_context;
532
533 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
534 goto err;
535 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb))
536 goto err;
537
538 if (!CBB_flush(cbb))
539 goto err;
540
541 return 1;
542 err:
543 return 0;
544}
545
546static int
547tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
548 int *ok, const struct ssl_sigalg **out_sigalg)
549{
550 const struct ssl_sigalg *sigalg;
551 SSL *s = ctx->ssl;
552
553 *ok = 0;
554 *out_sigalg = NULL;
555
556 if (cpk->x509 == NULL || cpk->privatekey == NULL)
557 goto done;
558
559 if (!X509_check_purpose(cpk->x509, -1, 0))
560 return 0;
561
562 /*
563 * The digitalSignature bit MUST be set if the Key Usage extension is
564 * present as per RFC 8446 section 4.4.2.2.
565 */
566 if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) &&
567 !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
568 goto done;
569
570 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
571 goto done;
572
573 *ok = 1;
574 *out_sigalg = sigalg;
575
576 done:
577 return 1;
578}
579
580static int
581tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk,
582 const struct ssl_sigalg **out_sigalg)
583{
584 SSL *s = ctx->ssl;
585 const struct ssl_sigalg *sigalg;
586 CERT_PKEY *cpk;
587 int cert_ok;
588
589 *out_cpk = NULL;
590 *out_sigalg = NULL;
591
592 cpk = &s->cert->pkeys[SSL_PKEY_ECC];
593 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
594 return 0;
595 if (cert_ok)
596 goto done;
597
598 cpk = &s->cert->pkeys[SSL_PKEY_RSA];
599 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
600 return 0;
601 if (cert_ok)
602 goto done;
603
604 cpk = NULL;
605 sigalg = NULL;
606
607 done:
608 *out_cpk = cpk;
609 *out_sigalg = sigalg;
610
611 return 1;
612}
613
614int
615tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
616{
617 SSL *s = ctx->ssl;
618 CBB cert_request_context, cert_list;
619 const struct ssl_sigalg *sigalg;
620 X509_STORE_CTX *xsc = NULL;
621 STACK_OF(X509) *chain;
622 CERT_PKEY *cpk;
623 X509 *cert;
624 int i, ret = 0;
625
626 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg))
627 goto err;
628
629 if (cpk == NULL) {
630 /* A server must always provide a certificate. */
631 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
632 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0,
633 "no server certificate", NULL);
634 goto err;
635 }
636
637 ctx->hs->tls13.cpk = cpk;
638 ctx->hs->our_sigalg = sigalg;
639
640 if ((chain = cpk->chain) == NULL)
641 chain = s->ctx->extra_certs;
642
643 if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
644 if ((xsc = X509_STORE_CTX_new()) == NULL)
645 goto err;
646 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
647 goto err;
648 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
649 X509_V_FLAG_LEGACY_VERIFY);
650 X509_verify_cert(xsc);
651 ERR_clear_error();
652 chain = xsc->chain;
653 }
654
655 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
656 goto err;
657 if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
658 goto err;
659
660 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build))
661 goto err;
662
663 for (i = 0; i < sk_X509_num(chain); i++) {
664 cert = sk_X509_value(chain, i);
665
666 /*
667 * In the case of auto chain, the leaf certificate will be at
668 * the top of the chain - skip over it as we've already added
669 * it earlier.
670 */
671 if (i == 0 && cert == cpk->x509)
672 continue;
673
674 /*
675 * XXX we don't send extensions with chain certs to avoid sending
676 * a leaf ocsp staple with the chain certs. This needs to get
677 * fixed.
678 */
679 if (!tls13_cert_add(ctx, &cert_list, cert, NULL))
680 goto err;
681 }
682
683 if (!CBB_flush(cbb))
684 goto err;
685
686 ret = 1;
687
688 err:
689 X509_STORE_CTX_free(xsc);
690
691 return ret;
692}
693
694int
695tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
696{
697 const struct ssl_sigalg *sigalg;
698 uint8_t *sig = NULL, *sig_content = NULL;
699 size_t sig_len, sig_content_len;
700 EVP_MD_CTX *mdctx = NULL;
701 EVP_PKEY_CTX *pctx;
702 EVP_PKEY *pkey;
703 const CERT_PKEY *cpk;
704 CBB sig_cbb;
705 int ret = 0;
706
707 memset(&sig_cbb, 0, sizeof(sig_cbb));
708
709 if ((cpk = ctx->hs->tls13.cpk) == NULL)
710 goto err;
711 if ((sigalg = ctx->hs->our_sigalg) == NULL)
712 goto err;
713 pkey = cpk->privatekey;
714
715 if (!CBB_init(&sig_cbb, 0))
716 goto err;
717 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
718 sizeof(tls13_cert_verify_pad)))
719 goto err;
720 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context,
721 strlen(tls13_cert_server_verify_context)))
722 goto err;
723 if (!CBB_add_u8(&sig_cbb, 0))
724 goto err;
725 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
726 ctx->hs->tls13.transcript_hash_len))
727 goto err;
728 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
729 goto err;
730
731 if ((mdctx = EVP_MD_CTX_new()) == NULL)
732 goto err;
733 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
734 goto err;
735 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
736 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
737 goto err;
738 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
739 goto err;
740 }
741 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
742 goto err;
743 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
744 goto err;
745 if ((sig = calloc(1, sig_len)) == NULL)
746 goto err;
747 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
748 goto err;
749
750 if (!CBB_add_u16(cbb, sigalg->value))
751 goto err;
752 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
753 goto err;
754 if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
755 goto err;
756
757 if (!CBB_flush(cbb))
758 goto err;
759
760 ret = 1;
761
762 err:
763 if (!ret && ctx->alert == 0)
764 ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
765
766 CBB_cleanup(&sig_cbb);
767 EVP_MD_CTX_free(mdctx);
768 free(sig_content);
769 free(sig);
770
771 return ret;
772}
773
774int
775tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
776{
777 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
778 struct tls13_secret context = { .data = "", .len = 0 };
779 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
780 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
781 size_t transcript_hash_len;
782 uint8_t *verify_data;
783 size_t verify_data_len;
784 unsigned int hlen;
785 HMAC_CTX *hmac_ctx = NULL;
786 CBS cbs;
787 int ret = 0;
788
789 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
790 goto err;
791
792 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
793 &secrets->server_handshake_traffic, "finished",
794 &context))
795 goto err;
796
797 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
798 sizeof(transcript_hash), &transcript_hash_len))
799 goto err;
800
801 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
802 goto err;
803 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
804 ctx->hash, NULL))
805 goto err;
806 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
807 goto err;
808
809 verify_data_len = HMAC_size(hmac_ctx);
810 if (!CBB_add_space(cbb, &verify_data, verify_data_len))
811 goto err;
812 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
813 goto err;
814 if (hlen != verify_data_len)
815 goto err;
816
817 CBS_init(&cbs, verify_data, verify_data_len);
818 if (!CBS_write_bytes(&cbs, ctx->hs->finished,
819 sizeof(ctx->hs->finished), &ctx->hs->finished_len))
820 goto err;
821
822 ret = 1;
823
824 err:
825 tls13_secret_cleanup(&finished_key);
826 HMAC_CTX_free(hmac_ctx);
827
828 return ret;
829}
830
831int
832tls13_server_finished_sent(struct tls13_ctx *ctx)
833{
834 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
835 struct tls13_secret context = { .data = "", .len = 0 };
836
837 /*
838 * Derive application traffic keys.
839 */
840 context.data = ctx->hs->tls13.transcript_hash;
841 context.len = ctx->hs->tls13.transcript_hash_len;
842
843 if (!tls13_derive_application_secrets(secrets, &context))
844 return 0;
845
846 /*
847 * Any records following the server finished message must be encrypted
848 * using the server application traffic keys.
849 */
850 return tls13_record_layer_set_write_traffic_key(ctx->rl,
851 &secrets->server_application_traffic);
852}
853
854int
855tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
856{
857 CBS cert_request_context, cert_list, cert_data, cert_exts;
858 struct stack_st_X509 *certs = NULL;
859 SSL *s = ctx->ssl;
860 X509 *cert = NULL;
861 EVP_PKEY *pkey;
862 const uint8_t *p;
863 int cert_idx;
864 int ret = 0;
865
866 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
867 goto err;
868 if (CBS_len(&cert_request_context) != 0)
869 goto err;
870 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
871 goto err;
872 if (CBS_len(&cert_list) == 0) {
873 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
874 return 1;
875 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
876 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
877 "peer did not provide a certificate", NULL);
878 goto err;
879 }
880
881 if ((certs = sk_X509_new_null()) == NULL)
882 goto err;
883 while (CBS_len(&cert_list) > 0) {
884 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
885 goto err;
886 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
887 goto err;
888
889 p = CBS_data(&cert_data);
890 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
891 goto err;
892 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
893 goto err;
894
895 if (!sk_X509_push(certs, cert))
896 goto err;
897
898 cert = NULL;
899 }
900
901 /*
902 * At this stage we still have no proof of possession. As such, it would
903 * be preferable to keep the chain and verify once we have successfully
904 * processed the CertificateVerify message.
905 */
906 if (ssl_verify_cert_chain(s, certs) <= 0) {
907 ctx->alert = ssl_verify_alarm_type(s->verify_result);
908 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
909 "failed to verify peer certificate", NULL);
910 goto err;
911 }
912 ERR_clear_error();
913
914 cert = sk_X509_value(certs, 0);
915 X509_up_ref(cert);
916
917 if ((pkey = X509_get0_pubkey(cert)) == NULL)
918 goto err;
919 if (EVP_PKEY_missing_parameters(pkey))
920 goto err;
921 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
922 goto err;
923
924 ssl_sess_cert_free(SSI(s)->sess_cert);
925 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
926 goto err;
927
928 SSI(s)->sess_cert->cert_chain = certs;
929 certs = NULL;
930
931 X509_up_ref(cert);
932 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
933 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
934
935 X509_free(s->session->peer);
936
937 X509_up_ref(cert);
938 s->session->peer = cert;
939 s->session->verify_result = s->verify_result;
940
941 ctx->handshake_stage.hs_type |= WITH_CCV;
942 ret = 1;
943
944 err:
945 sk_X509_pop_free(certs, X509_free);
946 X509_free(cert);
947
948 return ret;
949}
950
951int
952tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
953{
954 const struct ssl_sigalg *sigalg;
955 uint16_t signature_scheme;
956 uint8_t *sig_content = NULL;
957 size_t sig_content_len;
958 EVP_MD_CTX *mdctx = NULL;
959 EVP_PKEY_CTX *pctx;
960 EVP_PKEY *pkey;
961 X509 *cert;
962 CBS signature;
963 CBB cbb;
964 int ret = 0;
965
966 memset(&cbb, 0, sizeof(cbb));
967
968 if (!CBS_get_u16(cbs, &signature_scheme))
969 goto err;
970 if (!CBS_get_u16_length_prefixed(cbs, &signature))
971 goto err;
972
973 if (!CBB_init(&cbb, 0))
974 goto err;
975 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
976 sizeof(tls13_cert_verify_pad)))
977 goto err;
978 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
979 strlen(tls13_cert_client_verify_context)))
980 goto err;
981 if (!CBB_add_u8(&cbb, 0))
982 goto err;
983 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
984 ctx->hs->tls13.transcript_hash_len))
985 goto err;
986 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
987 goto err;
988
989 if ((cert = ctx->ssl->session->peer) == NULL)
990 goto err;
991 if ((pkey = X509_get0_pubkey(cert)) == NULL)
992 goto err;
993 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
994 signature_scheme)) == NULL)
995 goto err;
996 ctx->hs->peer_sigalg = sigalg;
997
998 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
999 goto err;
1000
1001 if ((mdctx = EVP_MD_CTX_new()) == NULL)
1002 goto err;
1003 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
1004 goto err;
1005 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
1006 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
1007 goto err;
1008 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
1009 goto err;
1010 }
1011 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
1012 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1013 goto err;
1014 }
1015 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
1016 CBS_len(&signature)) <= 0) {
1017 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1018 goto err;
1019 }
1020
1021 ret = 1;
1022
1023 err:
1024 if (!ret && ctx->alert == 0)
1025 ctx->alert = TLS13_ALERT_DECODE_ERROR;
1026
1027 CBB_cleanup(&cbb);
1028 EVP_MD_CTX_free(mdctx);
1029 free(sig_content);
1030
1031 return ret;
1032}
1033
1034int
1035tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
1036{
1037 return 0;
1038}
1039
1040int
1041tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
1042{
1043 struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1044 struct tls13_secret context = { .data = "", .len = 0 };
1045 struct tls13_secret finished_key;
1046 uint8_t *verify_data = NULL;
1047 size_t verify_data_len;
1048 uint8_t key[EVP_MAX_MD_SIZE];
1049 HMAC_CTX *hmac_ctx = NULL;
1050 unsigned int hlen;
1051 int ret = 0;
1052
1053 /*
1054 * Verify client finished.
1055 */
1056 finished_key.data = key;
1057 finished_key.len = EVP_MD_size(ctx->hash);
1058
1059 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1060 &secrets->client_handshake_traffic, "finished",
1061 &context))
1062 goto err;
1063
1064 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1065 goto err;
1066 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1067 ctx->hash, NULL))
1068 goto err;
1069 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
1070 ctx->hs->tls13.transcript_hash_len))
1071 goto err;
1072 verify_data_len = HMAC_size(hmac_ctx);
1073 if ((verify_data = calloc(1, verify_data_len)) == NULL)
1074 goto err;
1075 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1076 goto err;
1077 if (hlen != verify_data_len)
1078 goto err;
1079
1080 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
1081 ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1082 goto err;
1083 }
1084
1085 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
1086 sizeof(ctx->hs->peer_finished),
1087 &ctx->hs->peer_finished_len))
1088 goto err;
1089
1090 if (!CBS_skip(cbs, verify_data_len))
1091 goto err;
1092
1093 /*
1094 * Any records following the client finished message must be encrypted
1095 * using the client application traffic keys.
1096 */
1097 if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
1098 &secrets->client_application_traffic))
1099 goto err;
1100
1101 tls13_record_layer_allow_ccs(ctx->rl, 0);
1102
1103 ret = 1;
1104
1105 err:
1106 HMAC_CTX_free(hmac_ctx);
1107 free(verify_data);
1108
1109 return ret;
1110}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-02-12 17:30:47 +0000