xref: /dragonfly/crypto/libressl/ssl/tls13_server.c (revision 961e30ea7dc61d1112b778ea4981eac68129fb86)
1 /* $OpenBSD: tls13_server.c,v 1.103 2022/09/17 17:14:06 jsing Exp $ */
2 /*
3  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <openssl/x509v3.h>
20 
21 #include "ssl_locl.h"
22 #include "ssl_sigalgs.h"
23 #include "ssl_tlsext.h"
24 #include "tls13_handshake.h"
25 #include "tls13_internal.h"
26 
27 int
tls13_server_init(struct tls13_ctx * ctx)28 tls13_server_init(struct tls13_ctx *ctx)
29 {
30           SSL *s = ctx->ssl;
31 
32           if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
33               &ctx->hs->our_max_tls_version)) {
34                     SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
35                     return 0;
36           }
37           s->version = ctx->hs->our_max_tls_version;
38 
39           tls13_record_layer_set_retry_after_phh(ctx->rl,
40               (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
41 
42           if (!ssl_get_new_session(s, 0)) /* XXX */
43                     return 0;
44 
45           tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION);
46 
47           if (!tls1_transcript_init(s))
48                     return 0;
49 
50           arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
51 
52           return 1;
53 }
54 
55 int
tls13_server_accept(struct tls13_ctx * ctx)56 tls13_server_accept(struct tls13_ctx *ctx)
57 {
58           if (ctx->mode != TLS13_HS_SERVER)
59                     return TLS13_IO_FAILURE;
60 
61           return tls13_handshake_perform(ctx);
62 }
63 
64 static int
tls13_client_hello_is_legacy(CBS * cbs)65 tls13_client_hello_is_legacy(CBS *cbs)
66 {
67           CBS extensions_block, extensions, extension_data, versions;
68           uint16_t version, max_version = 0;
69           uint16_t type;
70 
71           CBS_dup(cbs, &extensions_block);
72 
73           if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
74                     return 1;
75 
76           while (CBS_len(&extensions) > 0) {
77                     if (!CBS_get_u16(&extensions, &type))
78                               return 1;
79                     if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
80                               return 1;
81 
82                     if (type != TLSEXT_TYPE_supported_versions)
83                               continue;
84                     if (!CBS_get_u8_length_prefixed(&extension_data, &versions))
85                               return 1;
86                     while (CBS_len(&versions) > 0) {
87                               if (!CBS_get_u16(&versions, &version))
88                                         return 1;
89                               if (version >= max_version)
90                                         max_version = version;
91                     }
92                     if (CBS_len(&extension_data) != 0)
93                               return 1;
94           }
95 
96           return (max_version < TLS1_3_VERSION);
97 }
98 
99 int
tls13_client_hello_required_extensions(struct tls13_ctx * ctx)100 tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
101 {
102           SSL *s = ctx->ssl;
103 
104           /*
105            * RFC 8446, section 9.2. If the ClientHello has supported_versions
106            * containing TLSv1.3, presence or absence of some extensions requires
107            * presence or absence of others.
108            */
109 
110           /*
111            * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we
112            * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies
113            * that we need both signature_algorithms and supported_groups.
114            */
115           if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
116                     if (!tlsext_extension_seen(s,
117                         TLSEXT_TYPE_psk_key_exchange_modes))
118                               return 0;
119           } else {
120                     if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms))
121                               return 0;
122                     if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups))
123                               return 0;
124           }
125 
126           /*
127            * supported_groups and key_share must either both be present or
128            * both be absent.
129            */
130           if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) !=
131               tlsext_extension_seen(s, TLSEXT_TYPE_key_share))
132                     return 0;
133 
134           /*
135            * XXX - Require server_name from client? If so, we SHOULD enforce
136            * this here - RFC 8446, 9.2.
137            */
138 
139           return 1;
140 }
141 
142 static const uint8_t tls13_compression_null_only[] = { 0 };
143 
144 static int
tls13_client_hello_process(struct tls13_ctx * ctx,CBS * cbs)145 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
146 {
147           CBS cipher_suites, client_random, compression_methods, session_id;
148           STACK_OF(SSL_CIPHER) *ciphers = NULL;
149           const SSL_CIPHER *cipher;
150           uint16_t legacy_version;
151           int alert_desc;
152           SSL *s = ctx->ssl;
153           int ret = 0;
154 
155           if (!CBS_get_u16(cbs, &legacy_version))
156                     goto err;
157           if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
158                     goto err;
159           if (!CBS_get_u8_length_prefixed(cbs, &session_id))
160                     goto err;
161           if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites))
162                     goto err;
163           if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
164                     goto err;
165 
166           if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) {
167                     if (!CBS_skip(cbs, CBS_len(cbs)))
168                               goto err;
169                     return tls13_use_legacy_server(ctx);
170           }
171           ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
172           ctx->hs->peer_legacy_version = legacy_version;
173 
174           /* Ensure we send subsequent alerts with the correct record version. */
175           tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
176 
177           /*
178            * Ensure that the client has not requested middlebox compatibility mode
179            * if it is prohibited from doing so.
180            */
181           if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) {
182                     ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
183                     goto err;
184           }
185 
186           /* Add decoded values to the current ClientHello hash */
187           if (!tls13_clienthello_hash_init(ctx)) {
188                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
189                     goto err;
190           }
191           if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version,
192               sizeof(legacy_version))) {
193                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
194                     goto err;
195           }
196           if (!tls13_clienthello_hash_update(ctx, &client_random)) {
197                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
198                     goto err;
199           }
200           if (!tls13_clienthello_hash_update(ctx, &session_id)) {
201                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
202                     goto err;
203           }
204           if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) {
205                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
206                     goto err;
207           }
208           if (!tls13_clienthello_hash_update(ctx, &compression_methods)) {
209                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
210                     goto err;
211           }
212 
213           if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) {
214                     ctx->alert = alert_desc;
215                     goto err;
216           }
217 
218           /* Finalize first ClientHello hash, or validate against it */
219           if (!ctx->hs->tls13.hrr) {
220                     if (!tls13_clienthello_hash_finalize(ctx)) {
221                               ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
222                               goto err;
223                     }
224           } else {
225                     if (!tls13_clienthello_hash_validate(ctx)) {
226                               ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
227                               goto err;
228                     }
229                     tls13_clienthello_hash_clear(&ctx->hs->tls13);
230           }
231 
232           if (!tls13_client_hello_required_extensions(ctx)) {
233                     ctx->alert = TLS13_ALERT_MISSING_EXTENSION;
234                     goto err;
235           }
236 
237           /*
238            * If we got this far we have a supported versions extension that offers
239            * TLS 1.3 or later. This requires the legacy version be set to 0x0303.
240            */
241           if (legacy_version != TLS1_2_VERSION) {
242                     ctx->alert = TLS13_ALERT_PROTOCOL_VERSION;
243                     goto err;
244           }
245 
246           /*
247            * The legacy session identifier must either be zero length or a 32 byte
248            * value (in which case the client is requesting middlebox compatibility
249            * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value
250            * so that we can echo it back to the client.
251            */
252           if (CBS_len(&session_id) != 0 &&
253               CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) {
254                     ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
255                     goto err;
256           }
257           if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
258               sizeof(ctx->hs->tls13.legacy_session_id),
259               &ctx->hs->tls13.legacy_session_id_len)) {
260                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
261                     goto err;
262           }
263 
264           /* Parse cipher suites list and select preferred cipher. */
265           if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {
266                     ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
267                     goto err;
268           }
269           cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
270           if (cipher == NULL) {
271                     tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0,
272                         "no shared cipher found", NULL);
273                     ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
274                     goto err;
275           }
276           ctx->hs->cipher = cipher;
277 
278           sk_SSL_CIPHER_free(s->session->ciphers);
279           s->session->ciphers = ciphers;
280           ciphers = NULL;
281 
282           /* Ensure only the NULL compression method is advertised. */
283           if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only,
284               sizeof(tls13_compression_null_only))) {
285                     ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
286                     goto err;
287           }
288 
289           ret = 1;
290 
291  err:
292           sk_SSL_CIPHER_free(ciphers);
293 
294           return ret;
295 }
296 
297 int
tls13_client_hello_recv(struct tls13_ctx * ctx,CBS * cbs)298 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
299 {
300           SSL *s = ctx->ssl;
301 
302           if (!tls13_client_hello_process(ctx, cbs))
303                     goto err;
304 
305           /* See if we switched back to the legacy client method. */
306           if (s->method->version < TLS1_3_VERSION)
307                     return 1;
308 
309           /*
310            * If a matching key share was provided, we do not need to send a
311            * HelloRetryRequest.
312            */
313           /*
314            * XXX - ideally NEGOTIATED would only be added after record protection
315            * has been enabled. This would probably mean using either an
316            * INITIAL | WITHOUT_HRR state, or another intermediate state.
317            */
318           if (ctx->hs->key_share != NULL)
319                     ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR;
320 
321           tls13_record_layer_allow_ccs(ctx->rl, 1);
322 
323           return 1;
324 
325  err:
326           return 0;
327 }
328 
329 static int
tls13_server_hello_build(struct tls13_ctx * ctx,CBB * cbb,int hrr)330 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
331 {
332           uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
333           const uint8_t *server_random;
334           CBB session_id;
335           SSL *s = ctx->ssl;
336           uint16_t cipher;
337 
338           cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
339           server_random = s->s3->server_random;
340 
341           if (hrr) {
342                     server_random = tls13_hello_retry_request_hash;
343                     tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
344           }
345 
346           if (!CBB_add_u16(cbb, TLS1_2_VERSION))
347                     goto err;
348           if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE))
349                     goto err;
350           if (!CBB_add_u8_length_prefixed(cbb, &session_id))
351                     goto err;
352           if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
353               ctx->hs->tls13.legacy_session_id_len))
354                     goto err;
355           if (!CBB_add_u16(cbb, cipher))
356                     goto err;
357           if (!CBB_add_u8(cbb, 0))
358                     goto err;
359           if (!tlsext_server_build(s, tlsext_msg_type, cbb))
360                     goto err;
361 
362           if (!CBB_flush(cbb))
363                     goto err;
364 
365           return 1;
366  err:
367           return 0;
368 }
369 
370 static int
tls13_server_engage_record_protection(struct tls13_ctx * ctx)371 tls13_server_engage_record_protection(struct tls13_ctx *ctx)
372 {
373           struct tls13_secrets *secrets;
374           struct tls13_secret context;
375           unsigned char buf[EVP_MAX_MD_SIZE];
376           uint8_t *shared_key = NULL;
377           size_t shared_key_len = 0;
378           size_t hash_len;
379           SSL *s = ctx->ssl;
380           int ret = 0;
381 
382           if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
383               &shared_key_len))
384                     goto err;
385 
386           s->session->cipher = ctx->hs->cipher;
387 
388           if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
389                     goto err;
390           if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
391                     goto err;
392 
393           if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
394                     goto err;
395           ctx->hs->tls13.secrets = secrets;
396 
397           /* XXX - pass in hash. */
398           if (!tls1_transcript_hash_init(s))
399                     goto err;
400           tls1_transcript_free(s);
401           if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
402                     goto err;
403           context.data = buf;
404           context.len = hash_len;
405 
406           /* Early secrets. */
407           if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
408               secrets->zeros.len, &context))
409                     goto err;
410 
411           /* Handshake secrets. */
412           if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
413               shared_key_len, &context))
414                     goto err;
415 
416           tls13_record_layer_set_aead(ctx->rl, ctx->aead);
417           tls13_record_layer_set_hash(ctx->rl, ctx->hash);
418 
419           if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
420               &secrets->client_handshake_traffic, ssl_encryption_handshake))
421                     goto err;
422           if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
423               &secrets->server_handshake_traffic, ssl_encryption_handshake))
424                     goto err;
425 
426           ctx->handshake_stage.hs_type |= NEGOTIATED;
427           if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER))
428                     ctx->handshake_stage.hs_type |= WITHOUT_CR;
429 
430           ret = 1;
431 
432  err:
433           freezero(shared_key, shared_key_len);
434           return ret;
435 }
436 
437 int
tls13_server_hello_retry_request_send(struct tls13_ctx * ctx,CBB * cbb)438 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
439 {
440           int nid;
441 
442           ctx->hs->tls13.hrr = 1;
443 
444           if (!tls13_synthetic_handshake_message(ctx))
445                     return 0;
446 
447           if (ctx->hs->key_share != NULL)
448                     return 0;
449           if (!tls1_get_supported_group(ctx->ssl, &nid))
450                     return 0;
451           if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
452                     return 0;
453 
454           if (!tls13_server_hello_build(ctx, cbb, 1))
455                     return 0;
456 
457           return 1;
458 }
459 
460 int
tls13_server_hello_retry_request_sent(struct tls13_ctx * ctx)461 tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
462 {
463           /*
464            * If the client has requested middlebox compatibility mode,
465            * we MUST send a dummy CCS following our first handshake message.
466            * See RFC 8446 Appendix D.4.
467            */
468           if (ctx->hs->tls13.legacy_session_id_len > 0)
469                     ctx->send_dummy_ccs_after = 1;
470 
471           return 1;
472 }
473 
474 int
tls13_client_hello_retry_recv(struct tls13_ctx * ctx,CBS * cbs)475 tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
476 {
477           SSL *s = ctx->ssl;
478 
479           if (!tls13_client_hello_process(ctx, cbs))
480                     return 0;
481 
482           /* XXX - need further checks. */
483           if (s->method->version < TLS1_3_VERSION)
484                     return 0;
485 
486           ctx->hs->tls13.hrr = 0;
487 
488           return 1;
489 }
490 
491 static int
tls13_servername_process(struct tls13_ctx * ctx)492 tls13_servername_process(struct tls13_ctx *ctx)
493 {
494           uint8_t alert = TLS13_ALERT_INTERNAL_ERROR;
495 
496           if (!tls13_legacy_servername_process(ctx, &alert)) {
497                     ctx->alert = alert;
498                     return 0;
499           }
500 
501           return 1;
502 }
503 
504 int
tls13_server_hello_send(struct tls13_ctx * ctx,CBB * cbb)505 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
506 {
507           if (ctx->hs->key_share == NULL)
508                     return 0;
509           if (!tls_key_share_generate(ctx->hs->key_share))
510                     return 0;
511           if (!tls13_servername_process(ctx))
512                     return 0;
513 
514           ctx->hs->tls13.server_group = 0;
515 
516           if (!tls13_server_hello_build(ctx, cbb, 0))
517                     return 0;
518 
519           return 1;
520 }
521 
522 int
tls13_server_hello_sent(struct tls13_ctx * ctx)523 tls13_server_hello_sent(struct tls13_ctx *ctx)
524 {
525           /*
526            * If the client has requested middlebox compatibility mode,
527            * we MUST send a dummy CCS following our first handshake message.
528            * See RFC 8446 Appendix D.4.
529            */
530           if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
531               ctx->hs->tls13.legacy_session_id_len > 0)
532                     ctx->send_dummy_ccs_after = 1;
533 
534           return tls13_server_engage_record_protection(ctx);
535 }
536 
537 int
tls13_server_encrypted_extensions_send(struct tls13_ctx * ctx,CBB * cbb)538 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
539 {
540           if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb))
541                     goto err;
542 
543           return 1;
544  err:
545           return 0;
546 }
547 
548 int
tls13_server_certificate_request_send(struct tls13_ctx * ctx,CBB * cbb)549 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
550 {
551           CBB certificate_request_context;
552 
553           if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
554                     goto err;
555           if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb))
556                     goto err;
557 
558           if (!CBB_flush(cbb))
559                     goto err;
560 
561           return 1;
562  err:
563           return 0;
564 }
565 
566 static int
tls13_server_check_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY * cpk,int * ok,const struct ssl_sigalg ** out_sigalg)567 tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
568     int *ok, const struct ssl_sigalg **out_sigalg)
569 {
570           const struct ssl_sigalg *sigalg;
571           SSL *s = ctx->ssl;
572 
573           *ok = 0;
574           *out_sigalg = NULL;
575 
576           if (cpk->x509 == NULL || cpk->privatekey == NULL)
577                     goto done;
578 
579           /*
580            * The digitalSignature bit MUST be set if the Key Usage extension is
581            * present as per RFC 8446 section 4.4.2.2.
582            */
583           if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE))
584                     goto done;
585 
586           if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
587                     goto done;
588 
589           *ok = 1;
590           *out_sigalg = sigalg;
591 
592  done:
593           return 1;
594 }
595 
596 static int
tls13_server_select_certificate(struct tls13_ctx * ctx,SSL_CERT_PKEY ** out_cpk,const struct ssl_sigalg ** out_sigalg)597 tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
598     const struct ssl_sigalg **out_sigalg)
599 {
600           SSL *s = ctx->ssl;
601           const struct ssl_sigalg *sigalg;
602           SSL_CERT_PKEY *cpk;
603           int cert_ok;
604 
605           *out_cpk = NULL;
606           *out_sigalg = NULL;
607 
608           cpk = &s->cert->pkeys[SSL_PKEY_ECC];
609           if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
610                     return 0;
611           if (cert_ok)
612                     goto done;
613 
614           cpk = &s->cert->pkeys[SSL_PKEY_RSA];
615           if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg))
616                     return 0;
617           if (cert_ok)
618                     goto done;
619 
620           cpk = NULL;
621           sigalg = NULL;
622 
623  done:
624           *out_cpk = cpk;
625           *out_sigalg = sigalg;
626 
627           return 1;
628 }
629 
630 int
tls13_server_certificate_send(struct tls13_ctx * ctx,CBB * cbb)631 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
632 {
633           SSL *s = ctx->ssl;
634           CBB cert_request_context, cert_list;
635           const struct ssl_sigalg *sigalg;
636           X509_STORE_CTX *xsc = NULL;
637           STACK_OF(X509) *chain;
638           SSL_CERT_PKEY *cpk;
639           X509 *cert;
640           int i, ret = 0;
641 
642           if (!tls13_server_select_certificate(ctx, &cpk, &sigalg))
643                     goto err;
644 
645           if (cpk == NULL) {
646                     /* A server must always provide a certificate. */
647                     ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
648                     tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0,
649                         "no server certificate", NULL);
650                     goto err;
651           }
652 
653           ctx->hs->tls13.cpk = cpk;
654           ctx->hs->our_sigalg = sigalg;
655 
656           if ((chain = cpk->chain) == NULL)
657                     chain = s->ctx->extra_certs;
658 
659           if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
660                     if ((xsc = X509_STORE_CTX_new()) == NULL)
661                               goto err;
662                     if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
663                               goto err;
664                     X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
665                         X509_V_FLAG_LEGACY_VERIFY);
666                     X509_verify_cert(xsc);
667                     ERR_clear_error();
668                     chain = X509_STORE_CTX_get0_chain(xsc);
669           }
670 
671           if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
672                     goto err;
673           if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
674                     goto err;
675 
676           if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build))
677                     goto err;
678 
679           for (i = 0; i < sk_X509_num(chain); i++) {
680                     cert = sk_X509_value(chain, i);
681 
682                     /*
683                      * In the case of auto chain, the leaf certificate will be at
684                      * the top of the chain - skip over it as we've already added
685                      * it earlier.
686                      */
687                     if (i == 0 && cert == cpk->x509)
688                               continue;
689 
690                     /*
691                      * XXX we don't send extensions with chain certs to avoid sending
692                      * a leaf ocsp staple with the chain certs.  This needs to get
693                      * fixed.
694                      */
695                     if (!tls13_cert_add(ctx, &cert_list, cert, NULL))
696                               goto err;
697           }
698 
699           if (!CBB_flush(cbb))
700                     goto err;
701 
702           ret = 1;
703 
704  err:
705           X509_STORE_CTX_free(xsc);
706 
707           return ret;
708 }
709 
710 int
tls13_server_certificate_verify_send(struct tls13_ctx * ctx,CBB * cbb)711 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
712 {
713           const struct ssl_sigalg *sigalg;
714           uint8_t *sig = NULL, *sig_content = NULL;
715           size_t sig_len, sig_content_len;
716           EVP_MD_CTX *mdctx = NULL;
717           EVP_PKEY_CTX *pctx;
718           EVP_PKEY *pkey;
719           const SSL_CERT_PKEY *cpk;
720           CBB sig_cbb;
721           int ret = 0;
722 
723           memset(&sig_cbb, 0, sizeof(sig_cbb));
724 
725           if ((cpk = ctx->hs->tls13.cpk) == NULL)
726                     goto err;
727           if ((sigalg = ctx->hs->our_sigalg) == NULL)
728                     goto err;
729           pkey = cpk->privatekey;
730 
731           if (!CBB_init(&sig_cbb, 0))
732                     goto err;
733           if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad,
734               sizeof(tls13_cert_verify_pad)))
735                     goto err;
736           if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context,
737               strlen(tls13_cert_server_verify_context)))
738                     goto err;
739           if (!CBB_add_u8(&sig_cbb, 0))
740                     goto err;
741           if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
742               ctx->hs->tls13.transcript_hash_len))
743                     goto err;
744           if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
745                     goto err;
746 
747           if ((mdctx = EVP_MD_CTX_new()) == NULL)
748                     goto err;
749           if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
750                     goto err;
751           if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
752                     if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
753                               goto err;
754                     if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
755                               goto err;
756           }
757           if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
758                     goto err;
759           if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
760                     goto err;
761           if ((sig = calloc(1, sig_len)) == NULL)
762                     goto err;
763           if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
764                     goto err;
765 
766           if (!CBB_add_u16(cbb, sigalg->value))
767                     goto err;
768           if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
769                     goto err;
770           if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
771                     goto err;
772 
773           if (!CBB_flush(cbb))
774                     goto err;
775 
776           ret = 1;
777 
778  err:
779           if (!ret && ctx->alert == 0)
780                     ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
781 
782           CBB_cleanup(&sig_cbb);
783           EVP_MD_CTX_free(mdctx);
784           free(sig_content);
785           free(sig);
786 
787           return ret;
788 }
789 
790 int
tls13_server_finished_send(struct tls13_ctx * ctx,CBB * cbb)791 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
792 {
793           struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
794           struct tls13_secret context = { .data = "", .len = 0 };
795           struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
796           uint8_t transcript_hash[EVP_MAX_MD_SIZE];
797           size_t transcript_hash_len;
798           uint8_t *verify_data;
799           size_t verify_data_len;
800           unsigned int hlen;
801           HMAC_CTX *hmac_ctx = NULL;
802           CBS cbs;
803           int ret = 0;
804 
805           if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
806                     goto err;
807 
808           if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
809               &secrets->server_handshake_traffic, "finished",
810               &context))
811                     goto err;
812 
813           if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
814               sizeof(transcript_hash), &transcript_hash_len))
815                     goto err;
816 
817           if ((hmac_ctx = HMAC_CTX_new()) == NULL)
818                     goto err;
819           if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
820               ctx->hash, NULL))
821                     goto err;
822           if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
823                     goto err;
824 
825           verify_data_len = HMAC_size(hmac_ctx);
826           if (!CBB_add_space(cbb, &verify_data, verify_data_len))
827                     goto err;
828           if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
829                     goto err;
830           if (hlen != verify_data_len)
831                     goto err;
832 
833           CBS_init(&cbs, verify_data, verify_data_len);
834           if (!CBS_write_bytes(&cbs, ctx->hs->finished,
835               sizeof(ctx->hs->finished), &ctx->hs->finished_len))
836                     goto err;
837 
838           ret = 1;
839 
840  err:
841           tls13_secret_cleanup(&finished_key);
842           HMAC_CTX_free(hmac_ctx);
843 
844           return ret;
845 }
846 
847 int
tls13_server_finished_sent(struct tls13_ctx * ctx)848 tls13_server_finished_sent(struct tls13_ctx *ctx)
849 {
850           struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
851           struct tls13_secret context = { .data = "", .len = 0 };
852 
853           /*
854            * Derive application traffic keys.
855            */
856           context.data = ctx->hs->tls13.transcript_hash;
857           context.len = ctx->hs->tls13.transcript_hash_len;
858 
859           if (!tls13_derive_application_secrets(secrets, &context))
860                     return 0;
861 
862           /*
863            * Any records following the server finished message must be encrypted
864            * using the server application traffic keys.
865            */
866           return tls13_record_layer_set_write_traffic_key(ctx->rl,
867               &secrets->server_application_traffic, ssl_encryption_application);
868 }
869 
870 int
tls13_client_certificate_recv(struct tls13_ctx * ctx,CBS * cbs)871 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
872 {
873           CBS cert_request_context, cert_list, cert_data, cert_exts;
874           struct stack_st_X509 *certs = NULL;
875           SSL *s = ctx->ssl;
876           X509 *cert = NULL;
877           const uint8_t *p;
878           int ret = 0;
879 
880           if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
881                     goto err;
882           if (CBS_len(&cert_request_context) != 0)
883                     goto err;
884           if (!CBS_get_u24_length_prefixed(cbs, &cert_list))
885                     goto err;
886           if (CBS_len(&cert_list) == 0) {
887                     if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
888                               return 1;
889                     ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED;
890                     tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0,
891                         "peer did not provide a certificate", NULL);
892                     goto err;
893           }
894 
895           if ((certs = sk_X509_new_null()) == NULL)
896                     goto err;
897           while (CBS_len(&cert_list) > 0) {
898                     if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
899                               goto err;
900                     if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
901                               goto err;
902 
903                     p = CBS_data(&cert_data);
904                     if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
905                               goto err;
906                     if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
907                               goto err;
908 
909                     if (!sk_X509_push(certs, cert))
910                               goto err;
911 
912                     cert = NULL;
913           }
914 
915           /*
916            * At this stage we still have no proof of possession. As such, it would
917            * be preferable to keep the chain and verify once we have successfully
918            * processed the CertificateVerify message.
919            */
920           if (ssl_verify_cert_chain(s, certs) <= 0) {
921                     ctx->alert = ssl_verify_alarm_type(s->verify_result);
922                     tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0,
923                         "failed to verify peer certificate", NULL);
924                     goto err;
925           }
926           s->session->verify_result = s->verify_result;
927           ERR_clear_error();
928 
929           if (!tls_process_peer_certs(s, certs))
930                     goto err;
931 
932           ctx->handshake_stage.hs_type |= WITH_CCV;
933           ret = 1;
934 
935  err:
936           sk_X509_pop_free(certs, X509_free);
937           X509_free(cert);
938 
939           return ret;
940 }
941 
942 int
tls13_client_certificate_verify_recv(struct tls13_ctx * ctx,CBS * cbs)943 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
944 {
945           const struct ssl_sigalg *sigalg;
946           uint16_t signature_scheme;
947           uint8_t *sig_content = NULL;
948           size_t sig_content_len;
949           EVP_MD_CTX *mdctx = NULL;
950           EVP_PKEY_CTX *pctx;
951           EVP_PKEY *pkey;
952           X509 *cert;
953           CBS signature;
954           CBB cbb;
955           int ret = 0;
956 
957           memset(&cbb, 0, sizeof(cbb));
958 
959           if (!CBS_get_u16(cbs, &signature_scheme))
960                     goto err;
961           if (!CBS_get_u16_length_prefixed(cbs, &signature))
962                     goto err;
963 
964           if (!CBB_init(&cbb, 0))
965                     goto err;
966           if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
967               sizeof(tls13_cert_verify_pad)))
968                     goto err;
969           if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context,
970               strlen(tls13_cert_client_verify_context)))
971                     goto err;
972           if (!CBB_add_u8(&cbb, 0))
973                     goto err;
974           if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
975               ctx->hs->tls13.transcript_hash_len))
976                     goto err;
977           if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
978                     goto err;
979 
980           if ((cert = ctx->ssl->session->peer_cert) == NULL)
981                     goto err;
982           if ((pkey = X509_get0_pubkey(cert)) == NULL)
983                     goto err;
984           if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
985               signature_scheme)) == NULL)
986                     goto err;
987           ctx->hs->peer_sigalg = sigalg;
988 
989           if (CBS_len(&signature) > EVP_PKEY_size(pkey))
990                     goto err;
991 
992           if ((mdctx = EVP_MD_CTX_new()) == NULL)
993                     goto err;
994           if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
995                     goto err;
996           if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
997                     if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
998                               goto err;
999                     if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
1000                               goto err;
1001           }
1002           if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) {
1003                     ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1004                     goto err;
1005           }
1006           if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
1007               CBS_len(&signature)) <= 0) {
1008                     ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1009                     goto err;
1010           }
1011 
1012           ret = 1;
1013 
1014  err:
1015           if (!ret && ctx->alert == 0)
1016                     ctx->alert = TLS13_ALERT_DECODE_ERROR;
1017 
1018           CBB_cleanup(&cbb);
1019           EVP_MD_CTX_free(mdctx);
1020           free(sig_content);
1021 
1022           return ret;
1023 }
1024 
1025 int
tls13_client_end_of_early_data_recv(struct tls13_ctx * ctx,CBS * cbs)1026 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
1027 {
1028           return 0;
1029 }
1030 
1031 int
tls13_client_finished_recv(struct tls13_ctx * ctx,CBS * cbs)1032 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
1033 {
1034           struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
1035           struct tls13_secret context = { .data = "", .len = 0 };
1036           struct tls13_secret finished_key;
1037           uint8_t *verify_data = NULL;
1038           size_t verify_data_len;
1039           uint8_t key[EVP_MAX_MD_SIZE];
1040           HMAC_CTX *hmac_ctx = NULL;
1041           unsigned int hlen;
1042           int ret = 0;
1043 
1044           /*
1045            * Verify client finished.
1046            */
1047           finished_key.data = key;
1048           finished_key.len = EVP_MD_size(ctx->hash);
1049 
1050           if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
1051               &secrets->client_handshake_traffic, "finished",
1052               &context))
1053                     goto err;
1054 
1055           if ((hmac_ctx = HMAC_CTX_new()) == NULL)
1056                     goto err;
1057           if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
1058               ctx->hash, NULL))
1059                     goto err;
1060           if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
1061               ctx->hs->tls13.transcript_hash_len))
1062                     goto err;
1063           verify_data_len = HMAC_size(hmac_ctx);
1064           if ((verify_data = calloc(1, verify_data_len)) == NULL)
1065                     goto err;
1066           if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
1067                     goto err;
1068           if (hlen != verify_data_len)
1069                     goto err;
1070 
1071           if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
1072                     ctx->alert = TLS13_ALERT_DECRYPT_ERROR;
1073                     goto err;
1074           }
1075 
1076           if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
1077               sizeof(ctx->hs->peer_finished),
1078               &ctx->hs->peer_finished_len))
1079                     goto err;
1080 
1081           if (!CBS_skip(cbs, verify_data_len))
1082                     goto err;
1083 
1084           /*
1085            * Any records following the client finished message must be encrypted
1086            * using the client application traffic keys.
1087            */
1088           if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
1089               &secrets->client_application_traffic, ssl_encryption_application))
1090                     goto err;
1091 
1092           tls13_record_layer_allow_ccs(ctx->rl, 0);
1093 
1094           ret = 1;
1095 
1096  err:
1097           HMAC_CTX_free(hmac_ctx);
1098           free(verify_data);
1099 
1100           return ret;
1101 }
1102