jcs.org / openbsd-src
jcs's openbsd hax
openbsd
fork atom
openbsd-src / lib / libssl / tls13_server.c
at jcs 1089 lines 27 kB view raw
beck Add a MLKEM768_X25519 hybrid key share.
e8b75686
1/* $OpenBSD: tls13_server.c,v 1.112 2025/12/04 21:03:42 beck Exp $ */ 2/* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19#include <openssl/x509v3.h> 20 21#include "ssl_local.h" 22#include "ssl_sigalgs.h" 23#include "ssl_tlsext.h" 24#include "tls13_handshake.h" 25#include "tls13_internal.h" 26 27int 28tls13_server_init(struct tls13_ctx *ctx) 29{ 30 SSL *s = ctx->ssl; 31 32 if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, 33 &ctx->hs->our_max_tls_version)) { 34 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 35 return 0; 36 } 37 s->version = ctx->hs->our_max_tls_version; 38 39 tls13_record_layer_set_retry_after_phh(ctx->rl, 40 (s->mode & SSL_MODE_AUTO_RETRY) != 0); 41 42 if (!ssl_get_new_session(s, 0)) /* XXX */ 43 return 0; 44 45 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); 46 47 if (!tls1_transcript_init(s)) 48 return 0; 49 50 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 51 52 return 1; 53} 54 55int 56tls13_server_accept(struct tls13_ctx *ctx) 57{ 58 if (ctx->mode != TLS13_HS_SERVER) 59 return TLS13_IO_FAILURE; 60 61 return tls13_handshake_perform(ctx); 62} 63 64static int 65tls13_client_hello_is_legacy(CBS *cbs) 66{ 67 CBS extensions_block, extensions, extension_data, versions; 68 uint16_t version, max_version = 0; 69 uint16_t type; 70 71 CBS_dup(cbs, &extensions_block); 72 73 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 74 return 1; 75 76 while (CBS_len(&extensions) > 0) { 77 if (!CBS_get_u16(&extensions, &type)) 78 return 1; 79 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 80 return 1; 81 82 if (type != TLSEXT_TYPE_supported_versions) 83 continue; 84 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 85 return 1; 86 while (CBS_len(&versions) > 0) { 87 if (!CBS_get_u16(&versions, &version)) 88 return 1; 89 if (version >= max_version) 90 max_version = version; 91 } 92 if (CBS_len(&extension_data) != 0) 93 return 1; 94 } 95 96 return (max_version < TLS1_3_VERSION); 97} 98 99int 100tls13_client_hello_required_extensions(struct tls13_ctx *ctx) 101{ 102 SSL *s = ctx->ssl; 103 104 /* 105 * RFC 8446, section 9.2. If the ClientHello has supported_versions 106 * containing TLSv1.3, presence or absence of some extensions requires 107 * presence or absence of others. 108 */ 109 110 /* 111 * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we 112 * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies 113 * that we need both signature_algorithms and supported_groups. 114 */ 115 if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { 116 if (!tlsext_extension_seen(s, 117 TLSEXT_TYPE_psk_key_exchange_modes)) 118 return 0; 119 } else { 120 if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) 121 return 0; 122 if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) 123 return 0; 124 } 125 126 /* 127 * supported_groups and key_share must either both be present or 128 * both be absent. 129 */ 130 if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) != 131 tlsext_extension_seen(s, TLSEXT_TYPE_key_share)) 132 return 0; 133 134 /* 135 * XXX - Require server_name from client? If so, we SHOULD enforce 136 * this here - RFC 8446, 9.2. 137 */ 138 139 return 1; 140} 141 142static const uint8_t tls13_compression_null_only[] = { 0 }; 143 144static int 145tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 146{ 147 CBS cipher_suites, client_random, compression_methods, session_id; 148 STACK_OF(SSL_CIPHER) *ciphers = NULL; 149 const SSL_CIPHER *cipher; 150 uint16_t legacy_version; 151 int alert_desc; 152 SSL *s = ctx->ssl; 153 int ret = 0; 154 155 if (!CBS_get_u16(cbs, &legacy_version)) 156 goto err; 157 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 158 goto err; 159 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 160 goto err; 161 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 162 goto err; 163 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 164 goto err; 165 166 if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { 167 if (!CBS_skip(cbs, CBS_len(cbs))) 168 goto err; 169 return tls13_use_legacy_server(ctx); 170 } 171 ctx->hs->negotiated_tls_version = TLS1_3_VERSION; 172 ctx->hs->peer_legacy_version = legacy_version; 173 174 /* Ensure we send subsequent alerts with the correct record version. */ 175 tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); 176 177 /* 178 * Ensure that the client has not requested middlebox compatibility mode 179 * if it is prohibited from doing so. 180 */ 181 if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) { 182 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 183 goto err; 184 } 185 186 /* Add decoded values to the current ClientHello hash */ 187 if (!tls13_clienthello_hash_init(ctx)) { 188 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 189 goto err; 190 } 191 if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, 192 sizeof(legacy_version))) { 193 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 194 goto err; 195 } 196 if (!tls13_clienthello_hash_update(ctx, &client_random)) { 197 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 198 goto err; 199 } 200 if (!tls13_clienthello_hash_update(ctx, &session_id)) { 201 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 202 goto err; 203 } 204 if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { 205 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 206 goto err; 207 } 208 if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { 209 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 210 goto err; 211 } 212 213 if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { 214 ctx->alert = alert_desc; 215 goto err; 216 } 217 218 /* Finalize first ClientHello hash, or validate against it */ 219 if (!ctx->hs->tls13.hrr) { 220 if (!tls13_clienthello_hash_finalize(ctx)) { 221 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 222 goto err; 223 } 224 } else { 225 if (!tls13_clienthello_hash_validate(ctx)) { 226 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 227 goto err; 228 } 229 tls13_clienthello_hash_clear(&ctx->hs->tls13); 230 } 231 232 if (!tls13_client_hello_required_extensions(ctx)) { 233 ctx->alert = TLS13_ALERT_MISSING_EXTENSION; 234 goto err; 235 } 236 237 /* 238 * If we got this far we have a supported versions extension that offers 239 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 240 */ 241 if (legacy_version != TLS1_2_VERSION) { 242 ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 243 goto err; 244 } 245 246 /* 247 * The legacy session identifier must either be zero length or a 32 byte 248 * value (in which case the client is requesting middlebox compatibility 249 * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value 250 * so that we can echo it back to the client. 251 */ 252 if (CBS_len(&session_id) != 0 && 253 CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) { 254 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 255 goto err; 256 } 257 if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 258 sizeof(ctx->hs->tls13.legacy_session_id), 259 &ctx->hs->tls13.legacy_session_id_len)) { 260 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 261 goto err; 262 } 263 264 /* Parse cipher suites list and select preferred cipher. */ 265 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 266 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 267 goto err; 268 } 269 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 270 if (cipher == NULL) { 271 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 272 "no shared cipher found", NULL); 273 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 274 goto err; 275 } 276 ctx->hs->cipher = cipher; 277 278 sk_SSL_CIPHER_free(s->s3->hs.client_ciphers); 279 s->s3->hs.client_ciphers = ciphers; 280 ciphers = NULL; 281 282 /* Ensure only the NULL compression method is advertised. */ 283 if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 284 sizeof(tls13_compression_null_only))) { 285 ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 286 goto err; 287 } 288 289 ret = 1; 290 291 err: 292 sk_SSL_CIPHER_free(ciphers); 293 294 return ret; 295} 296 297int 298tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 299{ 300 SSL *s = ctx->ssl; 301 302 if (!tls13_client_hello_process(ctx, cbs)) 303 goto err; 304 305 /* See if we switched back to the legacy client method. */ 306 if (s->method->version < TLS1_3_VERSION) 307 return 1; 308 309 /* 310 * If a matching key share was provided, we do not need to send a 311 * HelloRetryRequest. 312 */ 313 /* 314 * XXX - ideally NEGOTIATED would only be added after record protection 315 * has been enabled. This would probably mean using either an 316 * INITIAL | WITHOUT_HRR state, or another intermediate state. 317 */ 318 if (ctx->hs->key_share != NULL) 319 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 320 321 tls13_record_layer_allow_ccs(ctx->rl, 1); 322 323 return 1; 324 325 err: 326 return 0; 327} 328 329static int 330tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb) 331{ 332 uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 333 const uint8_t *server_random; 334 CBB session_id; 335 SSL *s = ctx->ssl; 336 uint16_t cipher; 337 338 cipher = SSL_CIPHER_get_value(ctx->hs->cipher); 339 server_random = s->s3->server_random; 340 341 if (ctx->hs->tls13.hrr) { 342 server_random = tls13_hello_retry_request_hash; 343 tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 344 } 345 346 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 347 goto err; 348 if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 349 goto err; 350 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 351 goto err; 352 if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, 353 ctx->hs->tls13.legacy_session_id_len)) 354 goto err; 355 if (!CBB_add_u16(cbb, cipher)) 356 goto err; 357 if (!CBB_add_u8(cbb, 0)) 358 goto err; 359 if (!tlsext_server_build(s, tlsext_msg_type, cbb)) 360 goto err; 361 362 if (!CBB_flush(cbb)) 363 goto err; 364 365 return 1; 366 err: 367 return 0; 368} 369 370static int 371tls13_server_engage_record_protection(struct tls13_ctx *ctx) 372{ 373 struct tls13_secrets *secrets; 374 struct tls13_secret context; 375 unsigned char buf[EVP_MAX_MD_SIZE]; 376 uint8_t *shared_key = NULL; 377 size_t shared_key_len = 0; 378 size_t hash_len; 379 SSL *s = ctx->ssl; 380 int ret = 0; 381 382 if (!tls_key_share_derive(ctx->hs->key_share, &shared_key, 383 &shared_key_len)) 384 goto err; 385 386 s->session->cipher_value = ctx->hs->cipher->value; 387 388 if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) 389 goto err; 390 if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) 391 goto err; 392 393 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 394 goto err; 395 ctx->hs->tls13.secrets = secrets; 396 397 /* XXX - pass in hash. */ 398 if (!tls1_transcript_hash_init(s)) 399 goto err; 400 tls1_transcript_free(s); 401 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 402 goto err; 403 context.data = buf; 404 context.len = hash_len; 405 406 /* Early secrets. */ 407 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 408 secrets->zeros.len, &context)) 409 goto err; 410 411 /* Handshake secrets. */ 412 if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, 413 shared_key_len, &context)) 414 goto err; 415 416 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 417 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 418 419 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 420 &secrets->client_handshake_traffic, ssl_encryption_handshake)) 421 goto err; 422 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 423 &secrets->server_handshake_traffic, ssl_encryption_handshake)) 424 goto err; 425 426 ctx->handshake_stage.hs_type |= NEGOTIATED; 427 if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 428 ctx->handshake_stage.hs_type |= WITHOUT_CR; 429 430 ret = 1; 431 432 err: 433 freezero(shared_key, shared_key_len); 434 return ret; 435} 436 437int 438tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 439{ 440 ctx->hs->tls13.hrr = 1; 441 442 if (!tls13_synthetic_handshake_message(ctx)) 443 return 0; 444 445 if (ctx->hs->key_share != NULL) 446 return 0; 447 if (ctx->hs->tls13.server_group == 0) 448 return 0; 449 450 if (!tls13_server_hello_build(ctx, cbb)) 451 return 0; 452 453 return 1; 454} 455 456int 457tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) 458{ 459 /* 460 * If the client has requested middlebox compatibility mode, 461 * we MUST send a dummy CCS following our first handshake message. 462 * See RFC 8446 Appendix D.4. 463 */ 464 if (ctx->hs->tls13.legacy_session_id_len > 0) 465 ctx->send_dummy_ccs_after = 1; 466 467 return 1; 468} 469 470int 471tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 472{ 473 SSL *s = ctx->ssl; 474 475 if (!tls13_client_hello_process(ctx, cbs)) 476 return 0; 477 478 /* XXX - need further checks. */ 479 if (s->method->version < TLS1_3_VERSION) 480 return 0; 481 482 ctx->hs->tls13.hrr = 0; 483 484 return 1; 485} 486 487static int 488tls13_servername_process(struct tls13_ctx *ctx) 489{ 490 uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; 491 492 if (!tls13_legacy_servername_process(ctx, &alert)) { 493 ctx->alert = alert; 494 return 0; 495 } 496 497 return 1; 498} 499 500int 501tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 502{ 503 if (ctx->hs->key_share == NULL) 504 return 0; 505 if (!tls_key_share_server_generate(ctx->hs->key_share)) 506 return 0; 507 if (!tls13_servername_process(ctx)) 508 return 0; 509 510 if (!tls13_server_hello_build(ctx, cbb)) 511 return 0; 512 513 return 1; 514} 515 516int 517tls13_server_hello_sent(struct tls13_ctx *ctx) 518{ 519 /* 520 * If the client has requested middlebox compatibility mode, 521 * we MUST send a dummy CCS following our first handshake message. 522 * See RFC 8446 Appendix D.4. 523 */ 524 if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && 525 ctx->hs->tls13.legacy_session_id_len > 0) 526 ctx->send_dummy_ccs_after = 1; 527 528 return tls13_server_engage_record_protection(ctx); 529} 530 531int 532tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 533{ 534 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) 535 goto err; 536 537 return 1; 538 err: 539 return 0; 540} 541 542int 543tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 544{ 545 CBB certificate_request_context; 546 547 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 548 goto err; 549 if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) 550 goto err; 551 552 if (!CBB_flush(cbb)) 553 goto err; 554 555 return 1; 556 err: 557 return 0; 558} 559 560static int 561tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk, 562 int *ok, const struct ssl_sigalg **out_sigalg) 563{ 564 const struct ssl_sigalg *sigalg; 565 SSL *s = ctx->ssl; 566 567 *ok = 0; 568 *out_sigalg = NULL; 569 570 if (cpk->x509 == NULL || cpk->privatekey == NULL) 571 goto done; 572 573 /* 574 * The digitalSignature bit MUST be set if the Key Usage extension is 575 * present as per RFC 8446 section 4.4.2.2. 576 */ 577 if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE)) 578 goto done; 579 580 if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) 581 goto done; 582 583 *ok = 1; 584 *out_sigalg = sigalg; 585 586 done: 587 return 1; 588} 589 590static int 591tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk, 592 const struct ssl_sigalg **out_sigalg) 593{ 594 SSL *s = ctx->ssl; 595 const struct ssl_sigalg *sigalg; 596 SSL_CERT_PKEY *cpk; 597 int cert_ok; 598 599 *out_cpk = NULL; 600 *out_sigalg = NULL; 601 602 cpk = &s->cert->pkeys[SSL_PKEY_ECC]; 603 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 604 return 0; 605 if (cert_ok) 606 goto done; 607 608 cpk = &s->cert->pkeys[SSL_PKEY_RSA]; 609 if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) 610 return 0; 611 if (cert_ok) 612 goto done; 613 614 cpk = NULL; 615 sigalg = NULL; 616 617 done: 618 *out_cpk = cpk; 619 *out_sigalg = sigalg; 620 621 return 1; 622} 623 624int 625tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 626{ 627 SSL *s = ctx->ssl; 628 CBB cert_request_context, cert_list; 629 const struct ssl_sigalg *sigalg; 630 X509_STORE_CTX *xsc = NULL; 631 STACK_OF(X509) *chain; 632 SSL_CERT_PKEY *cpk; 633 X509 *cert; 634 int i, ret = 0; 635 636 if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) 637 goto err; 638 639 if (cpk == NULL) { 640 /* A server must always provide a certificate. */ 641 ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 642 tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, 643 "no server certificate", NULL); 644 goto err; 645 } 646 647 ctx->hs->tls13.cpk = cpk; 648 ctx->hs->our_sigalg = sigalg; 649 650 if ((chain = cpk->chain) == NULL) 651 chain = s->ctx->extra_certs; 652 653 if (chain == NULL && !(s->mode & SSL_MODE_NO_AUTO_CHAIN)) { 654 if ((xsc = X509_STORE_CTX_new()) == NULL) 655 goto err; 656 if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) 657 goto err; 658 X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc), 659 X509_V_FLAG_LEGACY_VERIFY); 660 X509_verify_cert(xsc); 661 ERR_clear_error(); 662 chain = X509_STORE_CTX_get0_chain(xsc); 663 } 664 665 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 666 goto err; 667 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 668 goto err; 669 670 if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) 671 goto err; 672 673 for (i = 0; i < sk_X509_num(chain); i++) { 674 cert = sk_X509_value(chain, i); 675 676 /* 677 * In the case of auto chain, the leaf certificate will be at 678 * the top of the chain - skip over it as we've already added 679 * it earlier. 680 */ 681 if (i == 0 && cert == cpk->x509) 682 continue; 683 684 /* 685 * XXX we don't send extensions with chain certs to avoid sending 686 * a leaf ocsp staple with the chain certs. This needs to get 687 * fixed. 688 */ 689 if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) 690 goto err; 691 } 692 693 if (!CBB_flush(cbb)) 694 goto err; 695 696 ret = 1; 697 698 err: 699 X509_STORE_CTX_free(xsc); 700 701 return ret; 702} 703 704int 705tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 706{ 707 const struct ssl_sigalg *sigalg; 708 uint8_t *sig = NULL, *sig_content = NULL; 709 size_t sig_len, sig_content_len; 710 EVP_MD_CTX *mdctx = NULL; 711 EVP_PKEY_CTX *pctx; 712 EVP_PKEY *pkey; 713 const SSL_CERT_PKEY *cpk; 714 CBB sig_cbb; 715 int ret = 0; 716 717 memset(&sig_cbb, 0, sizeof(sig_cbb)); 718 719 if ((cpk = ctx->hs->tls13.cpk) == NULL) 720 goto err; 721 if ((sigalg = ctx->hs->our_sigalg) == NULL) 722 goto err; 723 pkey = cpk->privatekey; 724 725 if (!CBB_init(&sig_cbb, 0)) 726 goto err; 727 if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 728 sizeof(tls13_cert_verify_pad))) 729 goto err; 730 if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 731 strlen(tls13_cert_server_verify_context))) 732 goto err; 733 if (!CBB_add_u8(&sig_cbb, 0)) 734 goto err; 735 if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, 736 ctx->hs->tls13.transcript_hash_len)) 737 goto err; 738 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 739 goto err; 740 741 if ((mdctx = EVP_MD_CTX_new()) == NULL) 742 goto err; 743 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 744 goto err; 745 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 746 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 747 goto err; 748 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 749 goto err; 750 } 751 if (!EVP_DigestSign(mdctx, NULL, &sig_len, sig_content, sig_content_len)) 752 goto err; 753 if ((sig = calloc(1, sig_len)) == NULL) 754 goto err; 755 if (!EVP_DigestSign(mdctx, sig, &sig_len, sig_content, sig_content_len)) 756 goto err; 757 758 if (!CBB_add_u16(cbb, sigalg->value)) 759 goto err; 760 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 761 goto err; 762 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 763 goto err; 764 765 if (!CBB_flush(cbb)) 766 goto err; 767 768 ret = 1; 769 770 err: 771 if (!ret && ctx->alert == 0) 772 ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 773 774 CBB_cleanup(&sig_cbb); 775 EVP_MD_CTX_free(mdctx); 776 free(sig_content); 777 free(sig); 778 779 return ret; 780} 781 782int 783tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 784{ 785 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 786 struct tls13_secret context = { .data = "", .len = 0 }; 787 struct tls13_secret finished_key = { .data = NULL, .len = 0 } ; 788 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 789 size_t transcript_hash_len; 790 uint8_t *verify_data; 791 size_t verify_data_len; 792 unsigned int hlen; 793 HMAC_CTX *hmac_ctx = NULL; 794 CBS cbs; 795 int ret = 0; 796 797 if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) 798 goto err; 799 800 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 801 &secrets->server_handshake_traffic, "finished", 802 &context)) 803 goto err; 804 805 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 806 sizeof(transcript_hash), &transcript_hash_len)) 807 goto err; 808 809 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 810 goto err; 811 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 812 ctx->hash, NULL)) 813 goto err; 814 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 815 goto err; 816 817 verify_data_len = HMAC_size(hmac_ctx); 818 if (!CBB_add_space(cbb, &verify_data, verify_data_len)) 819 goto err; 820 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 821 goto err; 822 if (hlen != verify_data_len) 823 goto err; 824 825 CBS_init(&cbs, verify_data, verify_data_len); 826 if (!CBS_write_bytes(&cbs, ctx->hs->finished, 827 sizeof(ctx->hs->finished), &ctx->hs->finished_len)) 828 goto err; 829 830 ret = 1; 831 832 err: 833 tls13_secret_cleanup(&finished_key); 834 HMAC_CTX_free(hmac_ctx); 835 836 return ret; 837} 838 839int 840tls13_server_finished_sent(struct tls13_ctx *ctx) 841{ 842 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 843 struct tls13_secret context = { .data = "", .len = 0 }; 844 845 /* 846 * Derive application traffic keys. 847 */ 848 context.data = ctx->hs->tls13.transcript_hash; 849 context.len = ctx->hs->tls13.transcript_hash_len; 850 851 if (!tls13_derive_application_secrets(secrets, &context)) 852 return 0; 853 854 /* 855 * Any records following the server finished message must be encrypted 856 * using the server application traffic keys. 857 */ 858 return tls13_record_layer_set_write_traffic_key(ctx->rl, 859 &secrets->server_application_traffic, ssl_encryption_application); 860} 861 862int 863tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 864{ 865 CBS cert_request_context, cert_list, cert_data, cert_exts; 866 struct stack_st_X509 *certs = NULL; 867 SSL *s = ctx->ssl; 868 X509 *cert = NULL; 869 const uint8_t *p; 870 int ret = 0; 871 872 if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 873 goto err; 874 if (CBS_len(&cert_request_context) != 0) 875 goto err; 876 if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 877 goto err; 878 if (CBS_len(&cert_list) == 0) { 879 if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 880 return 1; 881 ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 882 tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 883 "peer did not provide a certificate", NULL); 884 goto err; 885 } 886 887 if ((certs = sk_X509_new_null()) == NULL) 888 goto err; 889 while (CBS_len(&cert_list) > 0) { 890 if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 891 goto err; 892 if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 893 goto err; 894 895 p = CBS_data(&cert_data); 896 if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 897 goto err; 898 if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 899 goto err; 900 901 if (!sk_X509_push(certs, cert)) 902 goto err; 903 904 cert = NULL; 905 } 906 907 /* 908 * At this stage we still have no proof of possession. As such, it would 909 * be preferable to keep the chain and verify once we have successfully 910 * processed the CertificateVerify message. 911 */ 912 if (ssl_verify_cert_chain(s, certs) <= 0) { 913 ctx->alert = ssl_verify_alarm_type(s->verify_result); 914 tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 915 "failed to verify peer certificate", NULL); 916 goto err; 917 } 918 s->session->verify_result = s->verify_result; 919 ERR_clear_error(); 920 921 if (!tls_process_peer_certs(s, certs)) 922 goto err; 923 924 ctx->handshake_stage.hs_type |= WITH_CCV; 925 ret = 1; 926 927 err: 928 sk_X509_pop_free(certs, X509_free); 929 X509_free(cert); 930 931 return ret; 932} 933 934int 935tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 936{ 937 const struct ssl_sigalg *sigalg; 938 uint16_t signature_scheme; 939 uint8_t *sig_content = NULL; 940 size_t sig_content_len; 941 EVP_MD_CTX *mdctx = NULL; 942 EVP_PKEY_CTX *pctx; 943 EVP_PKEY *pkey; 944 X509 *cert; 945 CBS signature; 946 CBB cbb; 947 int ret = 0; 948 949 memset(&cbb, 0, sizeof(cbb)); 950 951 if (!CBS_get_u16(cbs, &signature_scheme)) 952 goto err; 953 if (!CBS_get_u16_length_prefixed(cbs, &signature)) 954 goto err; 955 956 if (!CBB_init(&cbb, 0)) 957 goto err; 958 if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 959 sizeof(tls13_cert_verify_pad))) 960 goto err; 961 if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 962 strlen(tls13_cert_client_verify_context))) 963 goto err; 964 if (!CBB_add_u8(&cbb, 0)) 965 goto err; 966 if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, 967 ctx->hs->tls13.transcript_hash_len)) 968 goto err; 969 if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 970 goto err; 971 972 if ((cert = ctx->ssl->session->peer_cert) == NULL) 973 goto err; 974 if ((pkey = X509_get0_pubkey(cert)) == NULL) 975 goto err; 976 if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, 977 signature_scheme)) == NULL) 978 goto err; 979 ctx->hs->peer_sigalg = sigalg; 980 981 if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 982 goto err; 983 984 if ((mdctx = EVP_MD_CTX_new()) == NULL) 985 goto err; 986 if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 987 goto err; 988 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 989 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 990 goto err; 991 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 992 goto err; 993 } 994 if (EVP_DigestVerify(mdctx, CBS_data(&signature), CBS_len(&signature), 995 sig_content, sig_content_len) <= 0) { 996 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 997 goto err; 998 } 999 1000 ret = 1; 1001 1002 err: 1003 if (!ret && ctx->alert == 0) 1004 ctx->alert = TLS13_ALERT_DECODE_ERROR; 1005 1006 CBB_cleanup(&cbb); 1007 EVP_MD_CTX_free(mdctx); 1008 free(sig_content); 1009 1010 return ret; 1011} 1012 1013int 1014tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 1015{ 1016 return 0; 1017} 1018 1019int 1020tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 1021{ 1022 struct tls13_secrets *secrets = ctx->hs->tls13.secrets; 1023 struct tls13_secret context = { .data = "", .len = 0 }; 1024 struct tls13_secret finished_key; 1025 uint8_t *verify_data = NULL; 1026 size_t verify_data_len; 1027 uint8_t key[EVP_MAX_MD_SIZE]; 1028 HMAC_CTX *hmac_ctx = NULL; 1029 unsigned int hlen; 1030 int ret = 0; 1031 1032 /* 1033 * Verify client finished. 1034 */ 1035 finished_key.data = key; 1036 finished_key.len = EVP_MD_size(ctx->hash); 1037 1038 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 1039 &secrets->client_handshake_traffic, "finished", 1040 &context)) 1041 goto err; 1042 1043 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 1044 goto err; 1045 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 1046 ctx->hash, NULL)) 1047 goto err; 1048 if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, 1049 ctx->hs->tls13.transcript_hash_len)) 1050 goto err; 1051 verify_data_len = HMAC_size(hmac_ctx); 1052 if ((verify_data = calloc(1, verify_data_len)) == NULL) 1053 goto err; 1054 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 1055 goto err; 1056 if (hlen != verify_data_len) 1057 goto err; 1058 1059 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 1060 ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 1061 goto err; 1062 } 1063 1064 if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, 1065 sizeof(ctx->hs->peer_finished), 1066 &ctx->hs->peer_finished_len)) 1067 goto err; 1068 1069 if (!CBS_skip(cbs, verify_data_len)) 1070 goto err; 1071 1072 /* 1073 * Any records following the client finished message must be encrypted 1074 * using the client application traffic keys. 1075 */ 1076 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 1077 &secrets->client_application_traffic, ssl_encryption_application)) 1078 goto err; 1079 1080 tls13_record_layer_allow_ccs(ctx->rl, 0); 1081 1082 ret = 1; 1083 1084 err: 1085 HMAC_CTX_free(hmac_ctx); 1086 free(verify_data); 1087 1088 return ret; 1089}