summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/tls13_client.c208
-rw-r--r--src/lib/libssl/tls13_server.c449
2 files changed, 328 insertions, 329 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index dffabf1753..70a33b7131 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_client.c,v 1.51 2020/04/22 17:05:07 jsing Exp $ */ 1/* $OpenBSD: tls13_client.c,v 1.52 2020/04/27 20:15:17 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -25,15 +25,6 @@
25#include "tls13_internal.h" 25#include "tls13_internal.h"
26 26
27static int 27static int
28tls13_connect(struct tls13_ctx *ctx)
29{
30 if (ctx->mode != TLS13_HS_CLIENT)
31 return TLS13_IO_FAILURE;
32
33 return tls13_handshake_perform(ctx);
34}
35
36static int
37tls13_client_init(struct tls13_ctx *ctx) 28tls13_client_init(struct tls13_ctx *ctx)
38{ 29{
39 const uint16_t *groups; 30 const uint16_t *groups;
@@ -80,6 +71,15 @@ tls13_client_init(struct tls13_ctx *ctx)
80 return 1; 71 return 1;
81} 72}
82 73
74static int
75tls13_connect(struct tls13_ctx *ctx)
76{
77 if (ctx->mode != TLS13_HS_CLIENT)
78 return TLS13_IO_FAILURE;
79
80 return tls13_handshake_perform(ctx);
81}
82
83int 83int
84tls13_legacy_connect(SSL *ssl) 84tls13_legacy_connect(SSL *ssl)
85{ 85{
@@ -570,6 +570,33 @@ tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs)
570} 570}
571 571
572int 572int
573tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
574{
575 /*
576 * Ensure that the server supported group is one that we listed in our
577 * supported groups and is not the same as the key share we previously
578 * offered.
579 */
580 if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
581 return 0; /* XXX alert */
582 if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
583 return 0; /* XXX alert */
584
585 /* Switch to new key share. */
586 tls13_key_share_free(ctx->hs->key_share);
587 if ((ctx->hs->key_share =
588 tls13_key_share_new(ctx->hs->server_group)) == NULL)
589 return 0;
590 if (!tls13_key_share_generate(ctx->hs->key_share))
591 return 0;
592
593 if (!tls13_client_hello_build(ctx, cbb))
594 return 0;
595
596 return 1;
597}
598
599int
573tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 600tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
574{ 601{
575 SSL *s = ctx->ssl; 602 SSL *s = ctx->ssl;
@@ -608,33 +635,6 @@ tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
608} 635}
609 636
610int 637int
611tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
612{
613 /*
614 * Ensure that the server supported group is one that we listed in our
615 * supported groups and is not the same as the key share we previously
616 * offered.
617 */
618 if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group))
619 return 0; /* XXX alert */
620 if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share))
621 return 0; /* XXX alert */
622
623 /* Switch to new key share. */
624 tls13_key_share_free(ctx->hs->key_share);
625 if ((ctx->hs->key_share =
626 tls13_key_share_new(ctx->hs->server_group)) == NULL)
627 return 0;
628 if (!tls13_key_share_generate(ctx->hs->key_share))
629 return 0;
630
631 if (!tls13_client_hello_build(ctx, cbb))
632 return 0;
633
634 return 1;
635}
636
637int
638tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) 638tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs)
639{ 639{
640 int alert_desc; 640 int alert_desc;
@@ -945,70 +945,6 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
945} 945}
946 946
947int 947int
948tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
949{
950 struct tls13_secrets *secrets = ctx->hs->secrets;
951 struct tls13_secret context = { .data = "", .len = 0 };
952 struct tls13_secret finished_key;
953 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
954 size_t transcript_hash_len;
955 uint8_t key[EVP_MAX_MD_SIZE];
956 uint8_t *verify_data;
957 size_t hmac_len;
958 unsigned int hlen;
959 HMAC_CTX *hmac_ctx = NULL;
960 int ret = 0;
961
962 finished_key.data = key;
963 finished_key.len = EVP_MD_size(ctx->hash);
964
965 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
966 &secrets->client_handshake_traffic, "finished",
967 &context))
968 goto err;
969
970 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
971 sizeof(transcript_hash), &transcript_hash_len))
972 goto err;
973
974 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
975 goto err;
976 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
977 ctx->hash, NULL))
978 goto err;
979 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
980 goto err;
981
982 hmac_len = HMAC_size(hmac_ctx);
983 if (!CBB_add_space(cbb, &verify_data, hmac_len))
984 goto err;
985 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
986 goto err;
987 if (hlen != hmac_len)
988 goto err;
989
990 ret = 1;
991
992 err:
993 HMAC_CTX_free(hmac_ctx);
994
995 return ret;
996}
997
998int
999tls13_client_finished_sent(struct tls13_ctx *ctx)
1000{
1001 struct tls13_secrets *secrets = ctx->hs->secrets;
1002
1003 /*
1004 * Any records following the client finished message must be encrypted
1005 * using the client application traffic keys.
1006 */
1007 return tls13_record_layer_set_write_traffic_key(ctx->rl,
1008 &secrets->client_application_traffic);
1009}
1010
1011int
1012tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 948tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
1013{ 949{
1014 SSL *s = ctx->ssl; 950 SSL *s = ctx->ssl;
@@ -1135,3 +1071,73 @@ tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
1135 1071
1136 return ret; 1072 return ret;
1137} 1073}
1074
1075int
1076tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
1077{
1078 return 0;
1079}
1080
1081int
1082tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb)
1083{
1084 struct tls13_secrets *secrets = ctx->hs->secrets;
1085 struct tls13_secret context = { .data = "", .len = 0 };
1086 struct tls13_secret finished_key;
1087 uint8_t transcript_hash[EVP_MAX_MD_SIZE];
1088 size_t transcript_hash_len;
1089 uint8_t key[EVP_MAX_MD_SIZE];
1090 uint8_t *verify_data;
1091 size_t hmac_len;
1092 unsigned int hlen;
1093 HMAC_CTX *hmac_ctx = NULL;
1094 int ret = 0;
1095
1096 finished_key.data = key;
1097 finished_key.len = EVP_MD_size(ctx->hash);
1098
1099 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1100 &secrets->client_handshake_traffic, "finished",
1101 &context))
1102 goto err;
1103
1104 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
1105 sizeof(transcript_hash), &transcript_hash_len))
1106 goto err;
1107
1108 if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1109 goto err;
1110 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1111 ctx->hash, NULL))
1112 goto err;
1113 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
1114 goto err;
1115
1116 hmac_len = HMAC_size(hmac_ctx);
1117 if (!CBB_add_space(cbb, &verify_data, hmac_len))
1118 goto err;
1119 if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1120 goto err;
1121 if (hlen != hmac_len)
1122 goto err;
1123
1124 ret = 1;
1125
1126 err:
1127 HMAC_CTX_free(hmac_ctx);
1128
1129 return ret;
1130}
1131
1132int
1133tls13_client_finished_sent(struct tls13_ctx *ctx)
1134{
1135 struct tls13_secrets *secrets = ctx->hs->secrets;
1136
1137 /*
1138 * Any records following the client finished message must be encrypted
1139 * using the client application traffic keys.
1140 */
1141 return tls13_record_layer_set_write_traffic_key(ctx->rl,
1142 &secrets->client_application_traffic);
1143}
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 16c2e32dba..864e434fda 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_server.c,v 1.32 2020/04/25 18:06:28 jsing Exp $ */ 1/* $OpenBSD: tls13_server.c,v 1.33 2020/04/27 20:15:17 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -23,15 +23,6 @@
23#include "tls13_internal.h" 23#include "tls13_internal.h"
24 24
25static int 25static int
26tls13_accept(struct tls13_ctx *ctx)
27{
28 if (ctx->mode != TLS13_HS_SERVER)
29 return TLS13_IO_FAILURE;
30
31 return tls13_handshake_perform(ctx);
32}
33
34static int
35tls13_server_init(struct tls13_ctx *ctx) 26tls13_server_init(struct tls13_ctx *ctx)
36{ 27{
37 SSL *s = ctx->ssl; 28 SSL *s = ctx->ssl;
@@ -54,6 +45,15 @@ tls13_server_init(struct tls13_ctx *ctx)
54 return 1; 45 return 1;
55} 46}
56 47
48static int
49tls13_accept(struct tls13_ctx *ctx)
50{
51 if (ctx->mode != TLS13_HS_SERVER)
52 return TLS13_IO_FAILURE;
53
54 return tls13_handshake_perform(ctx);
55}
56
57int 57int
58tls13_legacy_accept(SSL *ssl) 58tls13_legacy_accept(SSL *ssl)
59{ 59{
@@ -300,202 +300,6 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
300 return 0; 300 return 0;
301} 301}
302 302
303int
304tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
305{
306 return 0;
307}
308
309int
310tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
311{
312 return 0;
313}
314
315int
316tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
317{
318 return 0;
319}
320
321int
322tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
323{
324 CBS cert_request_context, cert_list, cert_data, cert_exts;
325 struct stack_st_X509 *certs = NULL;
326 SSL *s = ctx->ssl;
327 X509 *cert = NULL;
328 EVP_PKEY *pkey;
329 const uint8_t *p;
330 int cert_idx;
331 int ret = 0;
332
333 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
334 goto err;
335 if (CBS_len(&cert_request_context) != 0)
336 goto err;
337 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
338 goto err;
339
340 if (CBS_len(&cert_list) == 0)
341 return 1;
342
343 if ((certs = sk_X509_new_null()) == NULL)
344 goto err;
345 while (CBS_len(&cert_list) > 0) {
346 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
347 goto err;
348 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
349 goto err;
350
351 p = CBS_data(&cert_data);
352 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
353 goto err;
354 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
355 goto err;
356
357 if (!sk_X509_push(certs, cert))
358 goto err;
359
360 cert = NULL;
361 }
362
363 /*
364 * At this stage we still have no proof of possession. As such, it would
365 * be preferable to keep the chain and verify once we have successfully
366 * processed the CertificateVerify message.
367 */
368 if (ssl_verify_cert_chain(s, certs) <= 0 &&
369 s->verify_mode != SSL_VERIFY_NONE) {
370 ctx->alert = ssl_verify_alarm_type(s->verify_result);
371 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
372 "failed to verify peer certificate", NULL);
373 goto err;
374 }
375 ERR_clear_error();
376
377 cert = sk_X509_value(certs, 0);
378 X509_up_ref(cert);
379
380 if ((pkey = X509_get0_pubkey(cert)) == NULL)
381 goto err;
382 if (EVP_PKEY_missing_parameters(pkey))
383 goto err;
384 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
385 goto err;
386
387 ssl_sess_cert_free(SSI(s)->sess_cert);
388 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
389 goto err;
390
391 SSI(s)->sess_cert->cert_chain = certs;
392 certs = NULL;
393
394 X509_up_ref(cert);
395 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
396 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
397
398 X509_free(s->session->peer);
399
400 X509_up_ref(cert);
401 s->session->peer = cert;
402 s->session->verify_result = s->verify_result;
403
404 ctx->handshake_stage.hs_type |= WITH_CCV;
405 ret = 1;
406
407 err:
408 sk_X509_pop_free(certs, X509_free);
409 X509_free(cert);
410
411 return ret;
412}
413
414int
415tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
416{
417 const struct ssl_sigalg *sigalg;
418 uint16_t signature_scheme;
419 uint8_t *sig_content = NULL;
420 size_t sig_content_len;
421 EVP_MD_CTX *mdctx = NULL;
422 EVP_PKEY_CTX *pctx;
423 EVP_PKEY *pkey;
424 X509 *cert;
425 CBS signature;
426 CBB cbb;
427 int ret = 0;
428
429 memset(&cbb, 0, sizeof(cbb));
430
431 if (!CBS_get_u16(cbs, &signature_scheme))
432 goto err;
433 if (!CBS_get_u16_length_prefixed(cbs, &signature))
434 goto err;
435
436 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
437 tls13_sigalgs_len)) == NULL)
438 goto err;
439
440 if (!CBB_init(&cbb, 0))
441 goto err;
442 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
443 sizeof(tls13_cert_verify_pad)))
444 goto err;
445 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
446 strlen(tls13_cert_client_verify_context)))
447 goto err;
448 if (!CBB_add_u8(&cbb, 0))
449 goto err;
450 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
451 ctx->hs->transcript_hash_len))
452 goto err;
453 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
454 goto err;
455
456 if ((cert = ctx->ssl->session->peer) == NULL)
457 goto err;
458 if ((pkey = X509_get0_pubkey(cert)) == NULL)
459 goto err;
460 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
461 goto err;
462
463 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
464 goto err;
465
466 if ((mdctx = EVP_MD_CTX_new()) == NULL)
467 goto err;
468 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
469 goto err;
470 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
471 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
472 goto err;
473 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
474 goto err;
475 }
476 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
477 ctx->alert = TLS1_AD_DECRYPT_ERROR;
478 goto err;
479 }
480 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
481 CBS_len(&signature)) <= 0) {
482 ctx->alert = TLS1_AD_DECRYPT_ERROR;
483 goto err;
484 }
485
486 ret = 1;
487
488 err:
489 if (!ret && ctx->alert == 0) {
490 ctx->alert = TLS1_AD_DECODE_ERROR;
491 }
492 CBB_cleanup(&cbb);
493 EVP_MD_CTX_free(mdctx);
494 free(sig_content);
495
496 return ret;
497}
498
499static int 303static int
500tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb) 304tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb)
501{ 305{
@@ -530,6 +334,18 @@ err:
530} 334}
531 335
532int 336int
337tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
338{
339 return 0;
340}
341
342int
343tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
344{
345 return 0;
346}
347
348int
533tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 349tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
534{ 350{
535 if (ctx->hs->key_share == NULL) 351 if (ctx->hs->key_share == NULL)
@@ -613,15 +429,27 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
613} 429}
614 430
615int 431int
616tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 432tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
617{ 433{
434 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE))
435 goto err;
436
437 return 1;
438 err:
618 return 0; 439 return 0;
619} 440}
620 441
621int 442int
622tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 443tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
623{ 444{
624 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE)) 445 CBB certificate_request_context;
446
447 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
448 goto err;
449 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR))
450 goto err;
451
452 if (!CBB_flush(cbb))
625 goto err; 453 goto err;
626 454
627 return 1; 455 return 1;
@@ -672,25 +500,6 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
672 return ret; 500 return ret;
673} 501}
674 502
675/* XXX - move up. */
676int
677tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
678{
679 CBB certificate_request_context;
680
681 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
682 goto err;
683 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR))
684 goto err;
685
686 if (!CBB_flush(cbb))
687 goto err;
688
689 return 1;
690 err:
691 return 0;
692}
693
694int 503int
695tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 504tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
696{ 505{
@@ -850,6 +659,190 @@ tls13_server_finished_sent(struct tls13_ctx *ctx)
850} 659}
851 660
852int 661int
662tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
663{
664 CBS cert_request_context, cert_list, cert_data, cert_exts;
665 struct stack_st_X509 *certs = NULL;
666 SSL *s = ctx->ssl;
667 X509 *cert = NULL;
668 EVP_PKEY *pkey;
669 const uint8_t *p;
670 int cert_idx;
671 int ret = 0;
672
673 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
674 goto err;
675 if (CBS_len(&cert_request_context) != 0)
676 goto err;
677 if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
678 goto err;
679
680 if (CBS_len(&cert_list) == 0)
681 return 1;
682
683 if ((certs = sk_X509_new_null()) == NULL)
684 goto err;
685 while (CBS_len(&cert_list) > 0) {
686 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
687 goto err;
688 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
689 goto err;
690
691 p = CBS_data(&cert_data);
692 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
693 goto err;
694 if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
695 goto err;
696
697 if (!sk_X509_push(certs, cert))
698 goto err;
699
700 cert = NULL;
701 }
702
703 /*
704 * At this stage we still have no proof of possession. As such, it would
705 * be preferable to keep the chain and verify once we have successfully
706 * processed the CertificateVerify message.
707 */
708 if (ssl_verify_cert_chain(s, certs) <= 0 &&
709 s->verify_mode != SSL_VERIFY_NONE) {
710 ctx->alert = ssl_verify_alarm_type(s->verify_result);
711 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
712 "failed to verify peer certificate", NULL);
713 goto err;
714 }
715 ERR_clear_error();
716
717 cert = sk_X509_value(certs, 0);
718 X509_up_ref(cert);
719
720 if ((pkey = X509_get0_pubkey(cert)) == NULL)
721 goto err;
722 if (EVP_PKEY_missing_parameters(pkey))
723 goto err;
724 if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
725 goto err;
726
727 ssl_sess_cert_free(SSI(s)->sess_cert);
728 if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
729 goto err;
730
731 SSI(s)->sess_cert->cert_chain = certs;
732 certs = NULL;
733
734 X509_up_ref(cert);
735 SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
736 SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
737
738 X509_free(s->session->peer);
739
740 X509_up_ref(cert);
741 s->session->peer = cert;
742 s->session->verify_result = s->verify_result;
743
744 ctx->handshake_stage.hs_type |= WITH_CCV;
745 ret = 1;
746
747 err:
748 sk_X509_pop_free(certs, X509_free);
749 X509_free(cert);
750
751 return ret;
752}
753
754int
755tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
756{
757 const struct ssl_sigalg *sigalg;
758 uint16_t signature_scheme;
759 uint8_t *sig_content = NULL;
760 size_t sig_content_len;
761 EVP_MD_CTX *mdctx = NULL;
762 EVP_PKEY_CTX *pctx;
763 EVP_PKEY *pkey;
764 X509 *cert;
765 CBS signature;
766 CBB cbb;
767 int ret = 0;
768
769 memset(&cbb, 0, sizeof(cbb));
770
771 if (!CBS_get_u16(cbs, &signature_scheme))
772 goto err;
773 if (!CBS_get_u16_length_prefixed(cbs, &signature))
774 goto err;
775
776 if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
777 tls13_sigalgs_len)) == NULL)
778 goto err;
779
780 if (!CBB_init(&cbb, 0))
781 goto err;
782 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
783 sizeof(tls13_cert_verify_pad)))
784 goto err;
785 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
786 strlen(tls13_cert_client_verify_context)))
787 goto err;
788 if (!CBB_add_u8(&cbb, 0))
789 goto err;
790 if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
791 ctx->hs->transcript_hash_len))
792 goto err;
793 if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
794 goto err;
795
796 if ((cert = ctx->ssl->session->peer) == NULL)
797 goto err;
798 if ((pkey = X509_get0_pubkey(cert)) == NULL)
799 goto err;
800 if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
801 goto err;
802
803 if (CBS_len(&signature) > EVP_PKEY_size(pkey))
804 goto err;
805
806 if ((mdctx = EVP_MD_CTX_new()) == NULL)
807 goto err;
808 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
809 goto err;
810 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
811 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
812 goto err;
813 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
814 goto err;
815 }
816 if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
817 ctx->alert = TLS1_AD_DECRYPT_ERROR;
818 goto err;
819 }
820 if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
821 CBS_len(&signature)) <= 0) {
822 ctx->alert = TLS1_AD_DECRYPT_ERROR;
823 goto err;
824 }
825
826 ret = 1;
827
828 err:
829 if (!ret && ctx->alert == 0) {
830 ctx->alert = TLS1_AD_DECODE_ERROR;
831 }
832 CBB_cleanup(&cbb);
833 EVP_MD_CTX_free(mdctx);
834 free(sig_content);
835
836 return ret;
837}
838
839int
840tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
841{
842 return 0;
843}
844
845int
853tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 846tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
854{ 847{
855 struct tls13_secrets *secrets = ctx->hs->secrets; 848 struct tls13_secrets *secrets = ctx->hs->secrets;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-22 05:43:00 +0000