From e2496982472bdf233be95c5ea72d1c4dc6c91db3 Mon Sep 17 00:00:00 2001 From: cvs2svn Date: Sun, 23 Apr 2023 13:43:47 +0000 Subject: This commit was manufactured by cvs2git to create tag 'tb_20230422'. --- src/lib/libssl/tls13_server.c | 1101 ----------------------------------------- 1 file changed, 1101 deletions(-) delete mode 100644 src/lib/libssl/tls13_server.c (limited to 'src/lib/libssl/tls13_server.c') diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c deleted file mode 100644 index 75510a9085..0000000000 --- a/src/lib/libssl/tls13_server.c +++ /dev/null @@ -1,1101 +0,0 @@ -/* $OpenBSD: tls13_server.c,v 1.105 2022/11/26 16:08:56 tb Exp $ */ -/* - * Copyright (c) 2019, 2020 Joel Sing - * Copyright (c) 2020 Bob Beck - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include - -#include "ssl_local.h" -#include "ssl_sigalgs.h" -#include "ssl_tlsext.h" -#include "tls13_handshake.h" -#include "tls13_internal.h" - -int -tls13_server_init(struct tls13_ctx *ctx) -{ - SSL *s = ctx->ssl; - - if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, - &ctx->hs->our_max_tls_version)) { - SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); - return 0; - } - s->version = ctx->hs->our_max_tls_version; - - tls13_record_layer_set_retry_after_phh(ctx->rl, - (s->mode & SSL_MODE_AUTO_RETRY) != 0); - - if (!ssl_get_new_session(s, 0)) /* XXX */ - return 0; - - tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); - - if (!tls1_transcript_init(s)) - return 0; - - arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); - - return 1; -} - -int -tls13_server_accept(struct tls13_ctx *ctx) -{ - if (ctx->mode != TLS13_HS_SERVER) - return TLS13_IO_FAILURE; - - return tls13_handshake_perform(ctx); -} - -static int -tls13_client_hello_is_legacy(CBS *cbs) -{ - CBS extensions_block, extensions, extension_data, versions; - uint16_t version, max_version = 0; - uint16_t type; - - CBS_dup(cbs, &extensions_block); - - if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) - return 1; - - while (CBS_len(&extensions) > 0) { - if (!CBS_get_u16(&extensions, &type)) - return 1; - if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) - return 1; - - if (type != TLSEXT_TYPE_supported_versions) - continue; - if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) - return 1; - while (CBS_len(&versions) > 0) { - if (!CBS_get_u16(&versions, &version)) - return 1; - if (version >= max_version) - max_version = version; - } - if (CBS_len(&extension_data) != 0) - return 1; - } - - return (max_version < TLS1_3_VERSION); -} - -int -tls13_client_hello_required_extensions(struct tls13_ctx *ctx) -{ - SSL *s = ctx->ssl; - - /* - * RFC 8446, section 9.2. If the ClientHello has supported_versions - * containing TLSv1.3, presence or absence of some extensions requires - * presence or absence of others. - */ - - /* - * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we - * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies - * that we need both signature_algorithms and supported_groups. - */ - if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { - if (!tlsext_extension_seen(s, - TLSEXT_TYPE_psk_key_exchange_modes)) - return 0; - } else { - if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) - return 0; - if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) - return 0; - } - - /* - * supported_groups and key_share must either both be present or - * both be absent. - */ - if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != - tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) - return 0; - - /* - * XXX - Require server_name from client? If so, we SHOULD enforce - * this here - RFC 8446, 9.2. - */ - - return 1; -} - -static const uint8_t tls13_compression_null_only[] = { 0 }; - -static int -tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) -{ - CBS cipher_suites, client_random, compression_methods, session_id; - STACK_OF(SSL_CIPHER) *ciphers = NULL; - const SSL_CIPHER *cipher; - uint16_t legacy_version; - int alert_desc; - SSL *s = ctx->ssl; - int ret = 0; - - if (!CBS_get_u16(cbs, &legacy_version)) - goto err; - if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) - goto err; - if (!CBS_get_u8_length_prefixed(cbs, &session_id)) - goto err; - if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) - goto err; - if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) - goto err; - - if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { - if (!CBS_skip(cbs, CBS_len(cbs))) - goto err; - return tls13_use_legacy_server(ctx); - } - ctx->hs->negotiated_tls_version = TLS1_3_VERSION; - ctx->hs->peer_legacy_version = legacy_version; - - /* Ensure we send subsequent alerts with the correct record version. */ - tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); - - /* - * Ensure that the client has not requested middlebox compatibility mode - * if it is prohibited from doing so. - */ - if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) { - ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; - goto err; - } - - /* Add decoded values to the current ClientHello hash */ - if (!tls13_clienthello_hash_init(ctx)) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, - sizeof(legacy_version))) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - if (!tls13_clienthello_hash_update(ctx, &client_random)) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - if (!tls13_clienthello_hash_update(ctx, &session_id)) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - - if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { - ctx->alert = alert_desc; - goto err; - } - - /* Finalize first ClientHello hash, or validate against it */ - if (!ctx->hs->tls13.hrr) { - if (!tls13_clienthello_hash_finalize(ctx)) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - } else { - if (!tls13_clienthello_hash_validate(ctx)) { - ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; - goto err; - } - tls13_clienthello_hash_clear(&ctx->hs->tls13); - } - - if (!tls13_client_hello_required_extensions(ctx)) { - ctx->alert = TLS13_ALERT_MISSING_EXTENSION; - goto err; - } - - /* - * If we got this far we have a supported versions extension that offers - * TLS 1.3 or later. This requires the legacy version be set to 0x0303. - */ - if (legacy_version != TLS1_2_VERSION) { - ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; - goto err; - } - - /* - * The legacy session identifier must either be zero length or a 32 byte - * value (in which case the client is requesting middlebox compatibility - * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value - * so that we can echo it back to the client. - */ - if (CBS_len(&session_id) != 0 && - CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) { - ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; - goto err; - } - if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, - sizeof(ctx->hs->tls13.legacy_session_id), - &ctx->hs->tls13.legacy_session_id_len)) { - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - goto err; - } - - /* Parse cipher suites list and select preferred cipher. */ - if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { - ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; - goto err; - } - cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); - if (cipher == NULL) { - tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, - "no shared cipher found", NULL); - ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; - goto err; - } - ctx->hs->cipher = cipher; - - sk_SSL_CIPHER_free(s->session->ciphers); - s->session->ciphers = ciphers; - ciphers = NULL; - - /* Ensure only the NULL compression method is advertised. */ - if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, - sizeof(tls13_compression_null_only))) { - ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; - goto err; - } - - ret = 1; - - err: - sk_SSL_CIPHER_free(ciphers); - - return ret; -} - -int -tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) -{ - SSL *s = ctx->ssl; - - if (!tls13_client_hello_process(ctx, cbs)) - goto err; - - /* See if we switched back to the legacy client method. */ - if (s->method->version < TLS1_3_VERSION) - return 1; - - /* - * If a matching key share was provided, we do not need to send a - * HelloRetryRequest. - */ - /* - * XXX - ideally NEGOTIATED would only be added after record protection - * has been enabled. This would probably mean using either an - * INITIAL | WITHOUT_HRR state, or another intermediate state. - */ - if (ctx->hs->key_share != NULL) - ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; - - tls13_record_layer_allow_ccs(ctx->rl, 1); - - return 1; - - err: - return 0; -} - -static int -tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) -{ - uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; - const uint8_t *server_random; - CBB session_id; - SSL *s = ctx->ssl; - uint16_t cipher; - - cipher = SSL_CIPHER_get_value(ctx->hs->cipher); - server_random = s->s3->server_random; - - if (hrr) { - server_random = tls13_hello_retry_request_hash; - tlsext_msg_type = SSL_TLSEXT_MSG_HRR; - } - - if (!CBB_add_u16(cbb, TLS1_2_VERSION)) - goto err; - if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) - goto err; - if (!CBB_add_u8_length_prefixed(cbb, &session_id)) - goto err; - if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, - ctx->hs->tls13.legacy_session_id_len)) - goto err; - if (!CBB_add_u16(cbb, cipher)) - goto err; - if (!CBB_add_u8(cbb, 0)) - goto err; - if (!tlsext_server_build(s, tlsext_msg_type, cbb)) - goto err; - - if (!CBB_flush(cbb)) - goto err; - - return 1; - err: - return 0; -} - -static int -tls13_server_engage_record_protection(struct tls13_ctx *ctx) -{ - struct tls13_secrets *secrets; - struct tls13_secret context; - unsigned char buf[EVP_MAX_MD_SIZE]; - uint8_t *shared_key = NULL; - size_t shared_key_len = 0; - size_t hash_len; - SSL *s = ctx->ssl; - int ret = 0; - - if (!tls_key_share_derive(ctx->hs->key_share, &shared_key, - &shared_key_len)) - goto err; - - s->session->cipher = ctx->hs->cipher; - - if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) - goto err; - if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) - goto err; - - if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) - goto err; - ctx->hs->tls13.secrets = secrets; - - /* XXX - pass in hash. */ - if (!tls1_transcript_hash_init(s)) - goto err; - tls1_transcript_free(s); - if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) - goto err; - context.data = buf; - context.len = hash_len; - - /* Early secrets. */ - if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, - secrets->zeros.len, &context)) - goto err; - - /* Handshake secrets. */ - if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, - shared_key_len, &context)) - goto err; - - tls13_record_layer_set_aead(ctx->rl, ctx->aead); - tls13_record_layer_set_hash(ctx->rl, ctx->hash); - - if (!tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->client_handshake_traffic, ssl_encryption_handshake)) - goto err; - if (!tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->server_handshake_traffic, ssl_encryption_handshake)) - goto err; - - ctx->handshake_stage.hs_type |= NEGOTIATED; - if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) - ctx->handshake_stage.hs_type |= WITHOUT_CR; - - ret = 1; - - err: - freezero(shared_key, shared_key_len); - return ret; -} - -int -tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) -{ - int nid; - - ctx->hs->tls13.hrr = 1; - - if (!tls13_synthetic_handshake_message(ctx)) - return 0; - - if (ctx->hs->key_share != NULL) - return 0; - if (!tls1_get_supported_group(ctx->ssl, &nid)) - return 0; - if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group)) - return 0; - - if (!tls13_server_hello_build(ctx, cbb, 1)) - return 0; - - return 1; -} - -int -tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) -{ - /* - * If the client has requested middlebox compatibility mode, - * we MUST send a dummy CCS following our first handshake message. - * See RFC 8446 Appendix D.4. - */ - if (ctx->hs->tls13.legacy_session_id_len > 0) - ctx->send_dummy_ccs_after = 1; - - return 1; -} - -int -tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) -{ - SSL *s = ctx->ssl; - - if (!tls13_client_hello_process(ctx, cbs)) - return 0; - - /* XXX - need further checks. */ - if (s->method->version < TLS1_3_VERSION) - return 0; - - ctx->hs->tls13.hrr = 0; - - return 1; -} - -static int -tls13_servername_process(struct tls13_ctx *ctx) -{ - uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; - - if (!tls13_legacy_servername_process(ctx, &alert)) { - ctx->alert = alert; - return 0; - } - - return 1; -} - -int -tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) -{ - if (ctx->hs->key_share == NULL) - return 0; - if (!tls_key_share_generate(ctx->hs->key_share)) - return 0; - if (!tls13_servername_process(ctx)) - return 0; - - ctx->hs->tls13.server_group = 0; - - if (!tls13_server_hello_build(ctx, cbb, 0)) - return 0; - - return 1; -} - -int -tls13_server_hello_sent(struct tls13_ctx *ctx) -{ - /* - * If the client has requested middlebox compatibility mode, - * we MUST send a dummy CCS following our first handshake message. - * See RFC 8446 Appendix D.4. - */ - if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && - ctx->hs->tls13.legacy_session_id_len > 0) - ctx->send_dummy_ccs_after = 1; - - return tls13_server_engage_record_protection(ctx); -} - -int -tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) -{ - if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) - goto err; - - return 1; - err: - return 0; -} - -int -tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) -{ - CBB certificate_request_context; - - if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) - goto err; - if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) - goto err; - - if (!CBB_flush(cbb)) - goto err; - - return 1; - err: - return 0; -} - -static int -tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk, - int *ok, const struct ssl_sigalg **out_sigalg) -{ - const struct ssl_sigalg *sigalg; - SSL *s = ctx->ssl; - - *ok = 0; - *out_sigalg = NULL; - - if (cpk->x509 == NULL || cpk->privatekey == NULL) - goto done; - - /* - * The digitalSignature bit MUST be set if the Key Usage extension is - * present as per RFC 8446 section 4.4.2.2. - */ - if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)) - goto done; - - if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) - goto done; - - *ok = 1; - *out_sigalg = sigalg; - - done: - return 1; -} - -static int -tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk, - const struct ssl_sigalg **out_sigalg) -{ - SSL *s = ctx->ssl; - const struct ssl_sigalg *sigalg; - SSL_CERT_PKEY *cpk; - int cert_ok; - - *out_cpk = NULL; - *out_sigalg = NULL; - - cpk = &s->cert->pkeys[SSL_PKEY_ECC]; - if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) - return 0; - if (cert_ok) - goto done; - - cpk = &s->cert->pkeys[SSL_PKEY_RSA]; - if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) - return 0; - if (cert_ok) - goto done; - - cpk = NULL; - sigalg = NULL; - - done: - *out_cpk = cpk; - *out_sigalg = sigalg; - - return 1; -} - -int -tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) -{ - SSL *s = ctx->ssl; - CBB cert_request_context, cert_list; - const struct ssl_sigalg *sigalg; - X509_STORE_CTX *xsc = NULL; - STACK_OF(X509) *chain; - SSL_CERT_PKEY *cpk; - X509 *cert; - int i, ret = 0; - - if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) - goto err; - - if (cpk == NULL) { - /* A server must always provide a certificate. */ - ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; - tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, - "no server certificate", NULL); - goto err; - } - - ctx->hs->tls13.cpk = cpk; - ctx->hs->our_sigalg = sigalg; - - if ((chain = cpk->chain) == NULL) - chain = s->ctx->extra_certs; - - if (chain == NULL && !(s->mode & SSL_MODE_NO_AUTO_CHAIN)) { - if ((xsc = X509_STORE_CTX_new()) == NULL) - goto err; - if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) - goto err; - X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), - X509_V_FLAG_LEGACY_VERIFY); - X509_verify_cert(xsc); - ERR_clear_error(); - chain = X509_STORE_CTX_get0_chain(xsc); - } - - if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) - goto err; - if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) - goto err; - - if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) - goto err; - - for (i = 0; i < sk_X509_num(chain); i++) { - cert = sk_X509_value(chain, i); - - /* - * In the case of auto chain, the leaf certificate will be at - * the top of the chain - skip over it as we've already added - * it earlier. - */ - if (i == 0 && cert == cpk->x509) - continue; - - /* - * XXX we don't send extensions with chain certs to avoid sending - * a leaf ocsp staple with the chain certs. This needs to get - * fixed. - */ - if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) - goto err; - } - - if (!CBB_flush(cbb)) - goto err; - - ret = 1; - - err: - X509_STORE_CTX_free(xsc); - - return ret; -} - -int -tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) -{ - const struct ssl_sigalg *sigalg; - uint8_t *sig = NULL, *sig_content = NULL; - size_t sig_len, sig_content_len; - EVP_MD_CTX *mdctx = NULL; - EVP_PKEY_CTX *pctx; - EVP_PKEY *pkey; - const SSL_CERT_PKEY *cpk; - CBB sig_cbb; - int ret = 0; - - memset(&sig_cbb, 0, sizeof(sig_cbb)); - - if ((cpk = ctx->hs->tls13.cpk) == NULL) - goto err; - if ((sigalg = ctx->hs->our_sigalg) == NULL) - goto err; - pkey = cpk->privatekey; - - if (!CBB_init(&sig_cbb, 0)) - goto err; - if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, - sizeof(tls13_cert_verify_pad))) - goto err; - if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, - strlen(tls13_cert_server_verify_context))) - goto err; - if (!CBB_add_u8(&sig_cbb, 0)) - goto err; - if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, - ctx->hs->tls13.transcript_hash_len)) - goto err; - if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) - goto err; - - if ((mdctx = EVP_MD_CTX_new()) == NULL) - goto err; - if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) - goto err; - if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { - if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) - goto err; - if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) - goto err; - } - if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) - goto err; - if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) - goto err; - if ((sig = calloc(1, sig_len)) == NULL) - goto err; - if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) - goto err; - - if (!CBB_add_u16(cbb, sigalg->value)) - goto err; - if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) - goto err; - if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) - goto err; - - if (!CBB_flush(cbb)) - goto err; - - ret = 1; - - err: - if (!ret && ctx->alert == 0) - ctx->alert = TLS13_ALERT_INTERNAL_ERROR; - - CBB_cleanup(&sig_cbb); - EVP_MD_CTX_free(mdctx); - free(sig_content); - free(sig); - - return ret; -} - -int -tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) -{ - struct tls13_secrets *secrets = ctx->hs->tls13.secrets; - struct tls13_secret context = { .data = "", .len = 0 }; - struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; - uint8_t transcript_hash[EVP_MAX_MD_SIZE]; - size_t transcript_hash_len; - uint8_t *verify_data; - size_t verify_data_len; - unsigned int hlen; - HMAC_CTX *hmac_ctx = NULL; - CBS cbs; - int ret = 0; - - if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) - goto err; - - if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, - &secrets->server_handshake_traffic, "finished", - &context)) - goto err; - - if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, - sizeof(transcript_hash), &transcript_hash_len)) - goto err; - - if ((hmac_ctx = HMAC_CTX_new()) == NULL) - goto err; - if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, - ctx->hash, NULL)) - goto err; - if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) - goto err; - - verify_data_len = HMAC_size(hmac_ctx); - if (!CBB_add_space(cbb, &verify_data, verify_data_len)) - goto err; - if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) - goto err; - if (hlen != verify_data_len) - goto err; - - CBS_init(&cbs, verify_data, verify_data_len); - if (!CBS_write_bytes(&cbs, ctx->hs->finished, - sizeof(ctx->hs->finished), &ctx->hs->finished_len)) - goto err; - - ret = 1; - - err: - tls13_secret_cleanup(&finished_key); - HMAC_CTX_free(hmac_ctx); - - return ret; -} - -int -tls13_server_finished_sent(struct tls13_ctx *ctx) -{ - struct tls13_secrets *secrets = ctx->hs->tls13.secrets; - struct tls13_secret context = { .data = "", .len = 0 }; - - /* - * Derive application traffic keys. - */ - context.data = ctx->hs->tls13.transcript_hash; - context.len = ctx->hs->tls13.transcript_hash_len; - - if (!tls13_derive_application_secrets(secrets, &context)) - return 0; - - /* - * Any records following the server finished message must be encrypted - * using the server application traffic keys. - */ - return tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->server_application_traffic, ssl_encryption_application); -} - -int -tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) -{ - CBS cert_request_context, cert_list, cert_data, cert_exts; - struct stack_st_X509 *certs = NULL; - SSL *s = ctx->ssl; - X509 *cert = NULL; - const uint8_t *p; - int ret = 0; - - if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) - goto err; - if (CBS_len(&cert_request_context) != 0) - goto err; - if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) - goto err; - if (CBS_len(&cert_list) == 0) { - if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) - return 1; - ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; - tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, - "peer did not provide a certificate", NULL); - goto err; - } - - if ((certs = sk_X509_new_null()) == NULL) - goto err; - while (CBS_len(&cert_list) > 0) { - if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) - goto err; - if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) - goto err; - - p = CBS_data(&cert_data); - if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) - goto err; - if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) - goto err; - - if (!sk_X509_push(certs, cert)) - goto err; - - cert = NULL; - } - - /* - * At this stage we still have no proof of possession. As such, it would - * be preferable to keep the chain and verify once we have successfully - * processed the CertificateVerify message. - */ - if (ssl_verify_cert_chain(s, certs) <= 0) { - ctx->alert = ssl_verify_alarm_type(s->verify_result); - tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, - "failed to verify peer certificate", NULL); - goto err; - } - s->session->verify_result = s->verify_result; - ERR_clear_error(); - - if (!tls_process_peer_certs(s, certs)) - goto err; - - ctx->handshake_stage.hs_type |= WITH_CCV; - ret = 1; - - err: - sk_X509_pop_free(certs, X509_free); - X509_free(cert); - - return ret; -} - -int -tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) -{ - const struct ssl_sigalg *sigalg; - uint16_t signature_scheme; - uint8_t *sig_content = NULL; - size_t sig_content_len; - EVP_MD_CTX *mdctx = NULL; - EVP_PKEY_CTX *pctx; - EVP_PKEY *pkey; - X509 *cert; - CBS signature; - CBB cbb; - int ret = 0; - - memset(&cbb, 0, sizeof(cbb)); - - if (!CBS_get_u16(cbs, &signature_scheme)) - goto err; - if (!CBS_get_u16_length_prefixed(cbs, &signature)) - goto err; - - if (!CBB_init(&cbb, 0)) - goto err; - if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, - sizeof(tls13_cert_verify_pad))) - goto err; - if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, - strlen(tls13_cert_client_verify_context))) - goto err; - if (!CBB_add_u8(&cbb, 0)) - goto err; - if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, - ctx->hs->tls13.transcript_hash_len)) - goto err; - if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) - goto err; - - if ((cert = ctx->ssl->session->peer_cert) == NULL) - goto err; - if ((pkey = X509_get0_pubkey(cert)) == NULL) - goto err; - if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, - signature_scheme)) == NULL) - goto err; - ctx->hs->peer_sigalg = sigalg; - - if (CBS_len(&signature) > EVP_PKEY_size(pkey)) - goto err; - - if ((mdctx = EVP_MD_CTX_new()) == NULL) - goto err; - if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) - goto err; - if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { - if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) - goto err; - if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) - goto err; - } - if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { - ctx->alert = TLS13_ALERT_DECRYPT_ERROR; - goto err; - } - if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), - CBS_len(&signature)) <= 0) { - ctx->alert = TLS13_ALERT_DECRYPT_ERROR; - goto err; - } - - ret = 1; - - err: - if (!ret && ctx->alert == 0) - ctx->alert = TLS13_ALERT_DECODE_ERROR; - - CBB_cleanup(&cbb); - EVP_MD_CTX_free(mdctx); - free(sig_content); - - return ret; -} - -int -tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) -{ - return 0; -} - -int -tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) -{ - struct tls13_secrets *secrets = ctx->hs->tls13.secrets; - struct tls13_secret context = { .data = "", .len = 0 }; - struct tls13_secret finished_key; - uint8_t *verify_data = NULL; - size_t verify_data_len; - uint8_t key[EVP_MAX_MD_SIZE]; - HMAC_CTX *hmac_ctx = NULL; - unsigned int hlen; - int ret = 0; - - /* - * Verify client finished. - */ - finished_key.data = key; - finished_key.len = EVP_MD_size(ctx->hash); - - if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, - &secrets->client_handshake_traffic, "finished", - &context)) - goto err; - - if ((hmac_ctx = HMAC_CTX_new()) == NULL) - goto err; - if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, - ctx->hash, NULL)) - goto err; - if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, - ctx->hs->tls13.transcript_hash_len)) - goto err; - verify_data_len = HMAC_size(hmac_ctx); - if ((verify_data = calloc(1, verify_data_len)) == NULL) - goto err; - if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) - goto err; - if (hlen != verify_data_len) - goto err; - - if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { - ctx->alert = TLS13_ALERT_DECRYPT_ERROR; - goto err; - } - - if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, - sizeof(ctx->hs->peer_finished), - &ctx->hs->peer_finished_len)) - goto err; - - if (!CBS_skip(cbs, verify_data_len)) - goto err; - - /* - * Any records following the client finished message must be encrypted - * using the client application traffic keys. - */ - if (!tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->client_application_traffic, ssl_encryption_application)) - goto err; - - tls13_record_layer_allow_ccs(ctx->rl, 0); - - ret = 1; - - err: - HMAC_CTX_free(hmac_ctx); - free(verify_data); - - return ret; -} -- cgit v1.2.3-55-g6feb