/src/libressl/ssl/tls13_client.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: tls13_client.c,v 1.97 2022/07/24 14:16:29 jsing Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
4 | | * |
5 | | * Permission to use, copy, modify, and distribute this software for any |
6 | | * purpose with or without fee is hereby granted, provided that the above |
7 | | * copyright notice and this permission notice appear in all copies. |
8 | | * |
9 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
10 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
11 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
12 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
13 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
14 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
15 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
16 | | */ |
17 | | |
18 | | #include <openssl/ssl3.h> |
19 | | |
20 | | #include "bytestring.h" |
21 | | #include "ssl_locl.h" |
22 | | #include "ssl_sigalgs.h" |
23 | | #include "ssl_tlsext.h" |
24 | | #include "tls13_handshake.h" |
25 | | #include "tls13_internal.h" |
26 | | |
27 | | int |
28 | | tls13_client_init(struct tls13_ctx *ctx) |
29 | 6.76k | { |
30 | 6.76k | const uint16_t *groups; |
31 | 6.76k | size_t groups_len; |
32 | 6.76k | SSL *s = ctx->ssl; |
33 | | |
34 | 6.76k | if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version, |
35 | 6.76k | &ctx->hs->our_max_tls_version)) { |
36 | 0 | SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); |
37 | 0 | return 0; |
38 | 0 | } |
39 | 6.76k | s->version = ctx->hs->our_max_tls_version; |
40 | | |
41 | 6.76k | tls13_record_layer_set_retry_after_phh(ctx->rl, |
42 | 6.76k | (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); |
43 | | |
44 | 6.76k | if (!ssl_get_new_session(s, 0)) /* XXX */ |
45 | 0 | return 0; |
46 | | |
47 | 6.76k | if (!tls1_transcript_init(s)) |
48 | 0 | return 0; |
49 | | |
50 | | /* Generate a key share using our preferred group. */ |
51 | 6.76k | tls1_get_group_list(s, 0, &groups, &groups_len); |
52 | 6.76k | if (groups_len < 1) |
53 | 0 | return 0; |
54 | 6.76k | if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL) |
55 | 0 | return 0; |
56 | 6.76k | if (!tls_key_share_generate(ctx->hs->key_share)) |
57 | 0 | return 0; |
58 | | |
59 | 6.76k | arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); |
60 | | |
61 | | /* |
62 | | * The legacy session identifier should either be set to an |
63 | | * unpredictable 32-byte value or zero length... a non-zero length |
64 | | * legacy session identifier triggers compatibility mode (see RFC 8446 |
65 | | * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. |
66 | | */ |
67 | 6.76k | if (ctx->middlebox_compat && |
68 | 6.76k | ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { |
69 | 6.76k | arc4random_buf(ctx->hs->tls13.legacy_session_id, |
70 | 6.76k | sizeof(ctx->hs->tls13.legacy_session_id)); |
71 | 6.76k | ctx->hs->tls13.legacy_session_id_len = |
72 | 6.76k | sizeof(ctx->hs->tls13.legacy_session_id); |
73 | 6.76k | } |
74 | | |
75 | 6.76k | return 1; |
76 | 6.76k | } |
77 | | |
78 | | int |
79 | | tls13_client_connect(struct tls13_ctx *ctx) |
80 | 6.76k | { |
81 | 6.76k | if (ctx->mode != TLS13_HS_CLIENT) |
82 | 0 | return TLS13_IO_FAILURE; |
83 | | |
84 | 6.76k | return tls13_handshake_perform(ctx); |
85 | 6.76k | } |
86 | | |
87 | | static int |
88 | | tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) |
89 | 6.76k | { |
90 | 6.76k | CBB cipher_suites, compression_methods, session_id; |
91 | 6.76k | uint16_t client_version; |
92 | 6.76k | SSL *s = ctx->ssl; |
93 | | |
94 | | /* Legacy client version is capped at TLS 1.2. */ |
95 | 6.76k | if (!ssl_max_legacy_version(s, &client_version)) |
96 | 0 | goto err; |
97 | | |
98 | 6.76k | if (!CBB_add_u16(cbb, client_version)) |
99 | 0 | goto err; |
100 | 6.76k | if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) |
101 | 0 | goto err; |
102 | | |
103 | 6.76k | if (!CBB_add_u8_length_prefixed(cbb, &session_id)) |
104 | 0 | goto err; |
105 | 6.76k | if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id, |
106 | 6.76k | ctx->hs->tls13.legacy_session_id_len)) |
107 | 0 | goto err; |
108 | | |
109 | 6.76k | if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) |
110 | 0 | goto err; |
111 | 6.76k | if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { |
112 | 0 | SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); |
113 | 0 | goto err; |
114 | 0 | } |
115 | | |
116 | 6.76k | if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) |
117 | 0 | goto err; |
118 | 6.76k | if (!CBB_add_u8(&compression_methods, 0)) |
119 | 0 | goto err; |
120 | | |
121 | 6.76k | if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb)) |
122 | 0 | goto err; |
123 | | |
124 | 6.76k | if (!CBB_flush(cbb)) |
125 | 0 | goto err; |
126 | | |
127 | 6.76k | return 1; |
128 | | |
129 | 0 | err: |
130 | 0 | return 0; |
131 | 6.76k | } |
132 | | |
133 | | int |
134 | | tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) |
135 | 6.76k | { |
136 | 6.76k | if (ctx->hs->our_min_tls_version < TLS1_2_VERSION) |
137 | 6.76k | tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); |
138 | | |
139 | | /* We may receive a pre-TLSv1.3 alert in response to the client hello. */ |
140 | 6.76k | tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); |
141 | | |
142 | 6.76k | if (!tls13_client_hello_build(ctx, cbb)) |
143 | 0 | return 0; |
144 | | |
145 | 6.76k | return 1; |
146 | 6.76k | } |
147 | | |
148 | | int |
149 | | tls13_client_hello_sent(struct tls13_ctx *ctx) |
150 | 6.76k | { |
151 | 6.76k | tls13_record_layer_allow_ccs(ctx->rl, 1); |
152 | | |
153 | 6.76k | tls1_transcript_freeze(ctx->ssl); |
154 | | |
155 | 6.76k | if (ctx->middlebox_compat) |
156 | 6.76k | ctx->send_dummy_ccs = 1; |
157 | | |
158 | 6.76k | return 1; |
159 | 6.76k | } |
160 | | |
161 | | static int |
162 | | tls13_server_hello_is_legacy(CBS *cbs) |
163 | 6.35k | { |
164 | 6.35k | CBS extensions_block, extensions, extension_data; |
165 | 6.35k | uint16_t selected_version = 0; |
166 | 6.35k | uint16_t type; |
167 | | |
168 | 6.35k | CBS_dup(cbs, &extensions_block); |
169 | | |
170 | 6.35k | if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) |
171 | 3.38k | return 1; |
172 | | |
173 | 10.5k | while (CBS_len(&extensions) > 0) { |
174 | 7.74k | if (!CBS_get_u16(&extensions, &type)) |
175 | 16 | return 1; |
176 | 7.72k | if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) |
177 | 130 | return 1; |
178 | | |
179 | 7.59k | if (type != TLSEXT_TYPE_supported_versions) |
180 | 7.13k | continue; |
181 | 462 | if (!CBS_get_u16(&extension_data, &selected_version)) |
182 | 2 | return 1; |
183 | 460 | if (CBS_len(&extension_data) != 0) |
184 | 17 | return 1; |
185 | 460 | } |
186 | | |
187 | 2.80k | return (selected_version < TLS1_3_VERSION); |
188 | 2.96k | } |
189 | | |
190 | | static int |
191 | | tls13_server_hello_is_retry(CBS *cbs) |
192 | 6.37k | { |
193 | 6.37k | CBS server_hello, server_random; |
194 | 6.37k | uint16_t legacy_version; |
195 | | |
196 | 6.37k | CBS_dup(cbs, &server_hello); |
197 | | |
198 | 6.37k | if (!CBS_get_u16(&server_hello, &legacy_version)) |
199 | 2 | return 0; |
200 | 6.37k | if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE)) |
201 | 4 | return 0; |
202 | | |
203 | | /* See if this is a HelloRetryRequest. */ |
204 | 6.36k | return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, |
205 | 6.36k | sizeof(tls13_hello_retry_request_hash)); |
206 | 6.37k | } |
207 | | |
208 | | static int |
209 | | tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) |
210 | 6.37k | { |
211 | 6.37k | CBS server_random, session_id; |
212 | 6.37k | uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; |
213 | 6.37k | uint16_t cipher_suite, legacy_version; |
214 | 6.37k | uint8_t compression_method; |
215 | 6.37k | const SSL_CIPHER *cipher; |
216 | 6.37k | int alert_desc; |
217 | 6.37k | SSL *s = ctx->ssl; |
218 | | |
219 | 6.37k | if (!CBS_get_u16(cbs, &legacy_version)) |
220 | 2 | goto err; |
221 | 6.37k | if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) |
222 | 4 | goto err; |
223 | 6.36k | if (!CBS_get_u8_length_prefixed(cbs, &session_id)) |
224 | 12 | goto err; |
225 | 6.35k | if (!CBS_get_u16(cbs, &cipher_suite)) |
226 | 1 | goto err; |
227 | 6.35k | if (!CBS_get_u8(cbs, &compression_method)) |
228 | 2 | goto err; |
229 | | |
230 | 6.35k | if (tls13_server_hello_is_legacy(cbs)) { |
231 | 6.30k | if (ctx->hs->our_max_tls_version >= TLS1_3_VERSION) { |
232 | | /* |
233 | | * RFC 8446 section 4.1.3: we must not downgrade if |
234 | | * the server random value contains the TLS 1.2 or 1.1 |
235 | | * magical value. |
236 | | */ |
237 | 6.30k | if (!CBS_skip(&server_random, CBS_len(&server_random) - |
238 | 6.30k | sizeof(tls13_downgrade_12))) |
239 | 0 | goto err; |
240 | 6.30k | if (CBS_mem_equal(&server_random, tls13_downgrade_12, |
241 | 6.30k | sizeof(tls13_downgrade_12)) || |
242 | 6.30k | CBS_mem_equal(&server_random, tls13_downgrade_11, |
243 | 6.30k | sizeof(tls13_downgrade_11))) { |
244 | 2 | ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
245 | 2 | goto err; |
246 | 2 | } |
247 | 6.30k | } |
248 | | |
249 | 6.30k | if (!CBS_skip(cbs, CBS_len(cbs))) |
250 | 0 | goto err; |
251 | | |
252 | 6.30k | ctx->hs->tls13.use_legacy = 1; |
253 | 6.30k | return 1; |
254 | 6.30k | } |
255 | | |
256 | | /* From here on in we know we are doing TLSv1.3. */ |
257 | 45 | tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); |
258 | 45 | tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); |
259 | | |
260 | | /* See if this is a HelloRetryRequest. */ |
261 | | /* XXX - see if we can avoid doing this twice. */ |
262 | 45 | if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, |
263 | 45 | sizeof(tls13_hello_retry_request_hash))) { |
264 | 1 | tlsext_msg_type = SSL_TLSEXT_MSG_HRR; |
265 | 1 | ctx->hs->tls13.hrr = 1; |
266 | 1 | } |
267 | | |
268 | 45 | if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { |
269 | 9 | ctx->alert = alert_desc; |
270 | 9 | goto err; |
271 | 9 | } |
272 | | |
273 | | /* |
274 | | * The supported versions extension indicated 0x0304 or greater. |
275 | | * Ensure that it was 0x0304 and that legacy version is set to 0x0303 |
276 | | * (RFC 8446 section 4.2.1). |
277 | | */ |
278 | 36 | if (ctx->hs->tls13.server_version != TLS1_3_VERSION || |
279 | 36 | legacy_version != TLS1_2_VERSION) { |
280 | 34 | ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; |
281 | 34 | goto err; |
282 | 34 | } |
283 | 2 | ctx->hs->negotiated_tls_version = ctx->hs->tls13.server_version; |
284 | 2 | ctx->hs->peer_legacy_version = legacy_version; |
285 | | |
286 | | /* The session_id must match. */ |
287 | 2 | if (!CBS_mem_equal(&session_id, ctx->hs->tls13.legacy_session_id, |
288 | 2 | ctx->hs->tls13.legacy_session_id_len)) { |
289 | 2 | ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
290 | 2 | goto err; |
291 | 2 | } |
292 | | |
293 | | /* |
294 | | * Ensure that the cipher suite is one that we offered in the client |
295 | | * hello and that it is a TLSv1.3 cipher suite. |
296 | | */ |
297 | 0 | cipher = ssl3_get_cipher_by_value(cipher_suite); |
298 | 0 | if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { |
299 | 0 | ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
300 | 0 | goto err; |
301 | 0 | } |
302 | 0 | if (cipher->algorithm_ssl != SSL_TLSV1_3) { |
303 | 0 | ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
304 | 0 | goto err; |
305 | 0 | } |
306 | 0 | if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR) && !ctx->hs->tls13.hrr) { |
307 | | /* |
308 | | * A ServerHello following a HelloRetryRequest MUST use the same |
309 | | * cipher suite (RFC 8446 section 4.1.4). |
310 | | */ |
311 | 0 | if (ctx->hs->cipher != cipher) { |
312 | 0 | ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
313 | 0 | goto err; |
314 | 0 | } |
315 | 0 | } |
316 | 0 | ctx->hs->cipher = cipher; |
317 | |
|
318 | 0 | if (compression_method != 0) { |
319 | 0 | ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
320 | 0 | goto err; |
321 | 0 | } |
322 | | |
323 | 0 | return 1; |
324 | | |
325 | 68 | err: |
326 | 68 | if (ctx->alert == 0) |
327 | 21 | ctx->alert = TLS13_ALERT_DECODE_ERROR; |
328 | | |
329 | 68 | return 0; |
330 | 0 | } |
331 | | |
332 | | static int |
333 | | tls13_client_engage_record_protection(struct tls13_ctx *ctx) |
334 | 0 | { |
335 | 0 | struct tls13_secrets *secrets; |
336 | 0 | struct tls13_secret context; |
337 | 0 | unsigned char buf[EVP_MAX_MD_SIZE]; |
338 | 0 | uint8_t *shared_key = NULL; |
339 | 0 | size_t shared_key_len = 0; |
340 | 0 | size_t hash_len; |
341 | 0 | SSL *s = ctx->ssl; |
342 | 0 | int ret = 0; |
343 | | |
344 | | /* Derive the shared key and engage record protection. */ |
345 | |
|
346 | 0 | if (!tls_key_share_derive(ctx->hs->key_share, &shared_key, |
347 | 0 | &shared_key_len)) |
348 | 0 | goto err; |
349 | | |
350 | 0 | s->session->cipher = ctx->hs->cipher; |
351 | 0 | s->session->ssl_version = ctx->hs->tls13.server_version; |
352 | |
|
353 | 0 | if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL) |
354 | 0 | goto err; |
355 | 0 | if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL) |
356 | 0 | goto err; |
357 | | |
358 | 0 | if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) |
359 | 0 | goto err; |
360 | 0 | ctx->hs->tls13.secrets = secrets; |
361 | | |
362 | | /* XXX - pass in hash. */ |
363 | 0 | if (!tls1_transcript_hash_init(s)) |
364 | 0 | goto err; |
365 | 0 | tls1_transcript_free(s); |
366 | 0 | if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) |
367 | 0 | goto err; |
368 | 0 | context.data = buf; |
369 | 0 | context.len = hash_len; |
370 | | |
371 | | /* Early secrets. */ |
372 | 0 | if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, |
373 | 0 | secrets->zeros.len, &context)) |
374 | 0 | goto err; |
375 | | |
376 | | /* Handshake secrets. */ |
377 | 0 | if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key, |
378 | 0 | shared_key_len, &context)) |
379 | 0 | goto err; |
380 | | |
381 | 0 | tls13_record_layer_set_aead(ctx->rl, ctx->aead); |
382 | 0 | tls13_record_layer_set_hash(ctx->rl, ctx->hash); |
383 | |
|
384 | 0 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, |
385 | 0 | &secrets->server_handshake_traffic, ssl_encryption_handshake)) |
386 | 0 | goto err; |
387 | 0 | if (!tls13_record_layer_set_write_traffic_key(ctx->rl, |
388 | 0 | &secrets->client_handshake_traffic, ssl_encryption_handshake)) |
389 | 0 | goto err; |
390 | | |
391 | 0 | ret = 1; |
392 | |
|
393 | 0 | err: |
394 | 0 | freezero(shared_key, shared_key_len); |
395 | |
|
396 | 0 | return ret; |
397 | 0 | } |
398 | | |
399 | | int |
400 | | tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) |
401 | 6.37k | { |
402 | | /* |
403 | | * The state machine has no way of knowing if we're going to receive a |
404 | | * HelloRetryRequest or a ServerHello. As such, we have to handle |
405 | | * this case here and hand off to the appropriate function. |
406 | | */ |
407 | 6.37k | if (!tls13_server_hello_is_retry(cbs)) { |
408 | 6.36k | ctx->handshake_stage.hs_type |= WITHOUT_HRR; |
409 | 6.36k | return tls13_server_hello_recv(ctx, cbs); |
410 | 6.36k | } |
411 | | |
412 | 14 | if (!tls13_server_hello_process(ctx, cbs)) |
413 | 2 | return 0; |
414 | | |
415 | | /* |
416 | | * This may have been a TLSv1.2 or earlier ServerHello that just |
417 | | * happened to have matching server random... |
418 | | */ |
419 | 12 | if (ctx->hs->tls13.use_legacy) |
420 | 12 | return tls13_use_legacy_client(ctx); |
421 | | |
422 | 0 | if (!ctx->hs->tls13.hrr) |
423 | 0 | return 0; |
424 | | |
425 | 0 | if (!tls13_synthetic_handshake_message(ctx)) |
426 | 0 | return 0; |
427 | 0 | if (!tls13_handshake_msg_record(ctx)) |
428 | 0 | return 0; |
429 | | |
430 | 0 | ctx->hs->tls13.hrr = 0; |
431 | |
|
432 | 0 | return 1; |
433 | 0 | } |
434 | | |
435 | | int |
436 | | tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) |
437 | 0 | { |
438 | | /* |
439 | | * Ensure that the server supported group is one that we listed in our |
440 | | * supported groups and is not the same as the key share we previously |
441 | | * offered. |
442 | | */ |
443 | 0 | if (!tls1_check_group(ctx->ssl, ctx->hs->tls13.server_group)) |
444 | 0 | return 0; /* XXX alert */ |
445 | 0 | if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share)) |
446 | 0 | return 0; /* XXX alert */ |
447 | | |
448 | | /* Switch to new key share. */ |
449 | 0 | tls_key_share_free(ctx->hs->key_share); |
450 | 0 | if ((ctx->hs->key_share = |
451 | 0 | tls_key_share_new(ctx->hs->tls13.server_group)) == NULL) |
452 | 0 | return 0; |
453 | 0 | if (!tls_key_share_generate(ctx->hs->key_share)) |
454 | 0 | return 0; |
455 | | |
456 | 0 | if (!tls13_client_hello_build(ctx, cbb)) |
457 | 0 | return 0; |
458 | | |
459 | 0 | return 1; |
460 | 0 | } |
461 | | |
462 | | int |
463 | | tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) |
464 | 6.36k | { |
465 | 6.36k | SSL *s = ctx->ssl; |
466 | | |
467 | | /* |
468 | | * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3 |
469 | | * ServerHello. HelloRetryRequests have already been handled. |
470 | | */ |
471 | 6.36k | if (!tls13_server_hello_process(ctx, cbs)) |
472 | 66 | return 0; |
473 | | |
474 | 6.29k | if (ctx->handshake_stage.hs_type & WITHOUT_HRR) { |
475 | 6.29k | tls1_transcript_unfreeze(s); |
476 | 6.29k | if (!tls13_handshake_msg_record(ctx)) |
477 | 0 | return 0; |
478 | 6.29k | } |
479 | | |
480 | 6.29k | if (ctx->hs->tls13.use_legacy) { |
481 | 6.29k | if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) |
482 | 0 | return 0; |
483 | 6.29k | return tls13_use_legacy_client(ctx); |
484 | 6.29k | } |
485 | | |
486 | 0 | if (ctx->hs->tls13.hrr) { |
487 | | /* The server has sent two HelloRetryRequests. */ |
488 | 0 | ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
489 | 0 | return 0; |
490 | 0 | } |
491 | | |
492 | 0 | if (!tls13_client_engage_record_protection(ctx)) |
493 | 0 | return 0; |
494 | | |
495 | 0 | ctx->handshake_stage.hs_type |= NEGOTIATED; |
496 | |
|
497 | 0 | return 1; |
498 | 0 | } |
499 | | |
500 | | int |
501 | | tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) |
502 | 0 | { |
503 | 0 | int alert_desc; |
504 | |
|
505 | 0 | if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) { |
506 | 0 | ctx->alert = alert_desc; |
507 | 0 | return 0; |
508 | 0 | } |
509 | | |
510 | 0 | return 1; |
511 | 0 | } |
512 | | |
513 | | int |
514 | | tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) |
515 | 0 | { |
516 | 0 | CBS cert_request_context; |
517 | 0 | int alert_desc; |
518 | | |
519 | | /* |
520 | | * Thanks to poor state design in the RFC, this function can be called |
521 | | * when we actually have a certificate message instead of a certificate |
522 | | * request... in that case we call the certificate handler after |
523 | | * switching state, to avoid advancing state. |
524 | | */ |
525 | 0 | if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { |
526 | 0 | ctx->handshake_stage.hs_type |= WITHOUT_CR; |
527 | 0 | return tls13_server_certificate_recv(ctx, cbs); |
528 | 0 | } |
529 | | |
530 | 0 | if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) |
531 | 0 | goto err; |
532 | 0 | if (CBS_len(&cert_request_context) != 0) |
533 | 0 | goto err; |
534 | | |
535 | 0 | if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) { |
536 | 0 | ctx->alert = alert_desc; |
537 | 0 | goto err; |
538 | 0 | } |
539 | | |
540 | 0 | return 1; |
541 | | |
542 | 0 | err: |
543 | 0 | if (ctx->alert == 0) |
544 | 0 | ctx->alert = TLS13_ALERT_DECODE_ERROR; |
545 | |
|
546 | 0 | return 0; |
547 | 0 | } |
548 | | |
549 | | int |
550 | | tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) |
551 | 0 | { |
552 | 0 | CBS cert_request_context, cert_list, cert_data; |
553 | 0 | struct stack_st_X509 *certs = NULL; |
554 | 0 | SSL *s = ctx->ssl; |
555 | 0 | X509 *cert = NULL; |
556 | 0 | EVP_PKEY *pkey; |
557 | 0 | const uint8_t *p; |
558 | 0 | int alert_desc, cert_type; |
559 | 0 | int ret = 0; |
560 | |
|
561 | 0 | if ((certs = sk_X509_new_null()) == NULL) |
562 | 0 | goto err; |
563 | | |
564 | 0 | if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) |
565 | 0 | goto err; |
566 | 0 | if (CBS_len(&cert_request_context) != 0) |
567 | 0 | goto err; |
568 | 0 | if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) |
569 | 0 | goto err; |
570 | | |
571 | 0 | while (CBS_len(&cert_list) > 0) { |
572 | 0 | if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) |
573 | 0 | goto err; |
574 | | |
575 | 0 | if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT, |
576 | 0 | &cert_list, &alert_desc)) { |
577 | 0 | ctx->alert = alert_desc; |
578 | 0 | goto err; |
579 | 0 | } |
580 | | |
581 | 0 | p = CBS_data(&cert_data); |
582 | 0 | if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) |
583 | 0 | goto err; |
584 | 0 | if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) |
585 | 0 | goto err; |
586 | | |
587 | 0 | if (!sk_X509_push(certs, cert)) |
588 | 0 | goto err; |
589 | | |
590 | 0 | cert = NULL; |
591 | 0 | } |
592 | | |
593 | | /* A server must always provide a non-empty certificate list. */ |
594 | 0 | if (sk_X509_num(certs) < 1) { |
595 | 0 | ctx->alert = TLS13_ALERT_DECODE_ERROR; |
596 | 0 | tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, |
597 | 0 | "peer failed to provide a certificate", NULL); |
598 | 0 | goto err; |
599 | 0 | } |
600 | | |
601 | | /* |
602 | | * At this stage we still have no proof of possession. As such, it would |
603 | | * be preferable to keep the chain and verify once we have successfully |
604 | | * processed the CertificateVerify message. |
605 | | */ |
606 | 0 | if (ssl_verify_cert_chain(s, certs) <= 0 && |
607 | 0 | s->verify_mode != SSL_VERIFY_NONE) { |
608 | 0 | ctx->alert = ssl_verify_alarm_type(s->verify_result); |
609 | 0 | tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, |
610 | 0 | "failed to verify peer certificate", NULL); |
611 | 0 | goto err; |
612 | 0 | } |
613 | 0 | ERR_clear_error(); |
614 | |
|
615 | 0 | cert = sk_X509_value(certs, 0); |
616 | 0 | X509_up_ref(cert); |
617 | |
|
618 | 0 | if ((pkey = X509_get0_pubkey(cert)) == NULL) |
619 | 0 | goto err; |
620 | 0 | if (EVP_PKEY_missing_parameters(pkey)) |
621 | 0 | goto err; |
622 | 0 | if ((cert_type = ssl_cert_type(pkey)) < 0) |
623 | 0 | goto err; |
624 | | |
625 | 0 | X509_up_ref(cert); |
626 | 0 | X509_free(s->session->peer_cert); |
627 | 0 | s->session->peer_cert = cert; |
628 | 0 | s->session->peer_cert_type = cert_type; |
629 | |
|
630 | 0 | s->session->verify_result = s->verify_result; |
631 | |
|
632 | 0 | sk_X509_pop_free(s->session->cert_chain, X509_free); |
633 | 0 | s->session->cert_chain = certs; |
634 | 0 | certs = NULL; |
635 | |
|
636 | 0 | if (ctx->ocsp_status_recv_cb != NULL && |
637 | 0 | !ctx->ocsp_status_recv_cb(ctx)) |
638 | 0 | goto err; |
639 | | |
640 | 0 | ret = 1; |
641 | |
|
642 | 0 | err: |
643 | 0 | sk_X509_pop_free(certs, X509_free); |
644 | 0 | X509_free(cert); |
645 | |
|
646 | 0 | return ret; |
647 | 0 | } |
648 | | |
649 | | int |
650 | | tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) |
651 | 0 | { |
652 | 0 | const struct ssl_sigalg *sigalg; |
653 | 0 | uint16_t signature_scheme; |
654 | 0 | uint8_t *sig_content = NULL; |
655 | 0 | size_t sig_content_len; |
656 | 0 | EVP_MD_CTX *mdctx = NULL; |
657 | 0 | EVP_PKEY_CTX *pctx; |
658 | 0 | EVP_PKEY *pkey; |
659 | 0 | X509 *cert; |
660 | 0 | CBS signature; |
661 | 0 | CBB cbb; |
662 | 0 | int ret = 0; |
663 | |
|
664 | 0 | memset(&cbb, 0, sizeof(cbb)); |
665 | |
|
666 | 0 | if (!CBS_get_u16(cbs, &signature_scheme)) |
667 | 0 | goto err; |
668 | 0 | if (!CBS_get_u16_length_prefixed(cbs, &signature)) |
669 | 0 | goto err; |
670 | | |
671 | 0 | if (!CBB_init(&cbb, 0)) |
672 | 0 | goto err; |
673 | 0 | if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, |
674 | 0 | sizeof(tls13_cert_verify_pad))) |
675 | 0 | goto err; |
676 | 0 | if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, |
677 | 0 | strlen(tls13_cert_server_verify_context))) |
678 | 0 | goto err; |
679 | 0 | if (!CBB_add_u8(&cbb, 0)) |
680 | 0 | goto err; |
681 | 0 | if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash, |
682 | 0 | ctx->hs->tls13.transcript_hash_len)) |
683 | 0 | goto err; |
684 | 0 | if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) |
685 | 0 | goto err; |
686 | | |
687 | 0 | if ((cert = ctx->ssl->session->peer_cert) == NULL) |
688 | 0 | goto err; |
689 | 0 | if ((pkey = X509_get0_pubkey(cert)) == NULL) |
690 | 0 | goto err; |
691 | 0 | if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey, |
692 | 0 | signature_scheme)) == NULL) |
693 | 0 | goto err; |
694 | 0 | ctx->hs->peer_sigalg = sigalg; |
695 | |
|
696 | 0 | if (CBS_len(&signature) > EVP_PKEY_size(pkey)) |
697 | 0 | goto err; |
698 | | |
699 | 0 | if ((mdctx = EVP_MD_CTX_new()) == NULL) |
700 | 0 | goto err; |
701 | 0 | if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) |
702 | 0 | goto err; |
703 | 0 | if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { |
704 | 0 | if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) |
705 | 0 | goto err; |
706 | 0 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) |
707 | 0 | goto err; |
708 | 0 | } |
709 | 0 | if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { |
710 | 0 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; |
711 | 0 | goto err; |
712 | 0 | } |
713 | 0 | if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), |
714 | 0 | CBS_len(&signature)) <= 0) { |
715 | 0 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; |
716 | 0 | goto err; |
717 | 0 | } |
718 | | |
719 | 0 | ret = 1; |
720 | |
|
721 | 0 | err: |
722 | 0 | if (!ret && ctx->alert == 0) |
723 | 0 | ctx->alert = TLS13_ALERT_DECODE_ERROR; |
724 | 0 | CBB_cleanup(&cbb); |
725 | 0 | EVP_MD_CTX_free(mdctx); |
726 | 0 | free(sig_content); |
727 | |
|
728 | 0 | return ret; |
729 | 0 | } |
730 | | |
731 | | int |
732 | | tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) |
733 | 0 | { |
734 | 0 | struct tls13_secrets *secrets = ctx->hs->tls13.secrets; |
735 | 0 | struct tls13_secret context = { .data = "", .len = 0 }; |
736 | 0 | struct tls13_secret finished_key; |
737 | 0 | uint8_t transcript_hash[EVP_MAX_MD_SIZE]; |
738 | 0 | size_t transcript_hash_len; |
739 | 0 | uint8_t *verify_data = NULL; |
740 | 0 | size_t verify_data_len; |
741 | 0 | uint8_t key[EVP_MAX_MD_SIZE]; |
742 | 0 | HMAC_CTX *hmac_ctx = NULL; |
743 | 0 | unsigned int hlen; |
744 | 0 | int ret = 0; |
745 | | |
746 | | /* |
747 | | * Verify server finished. |
748 | | */ |
749 | 0 | finished_key.data = key; |
750 | 0 | finished_key.len = EVP_MD_size(ctx->hash); |
751 | |
|
752 | 0 | if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, |
753 | 0 | &secrets->server_handshake_traffic, "finished", |
754 | 0 | &context)) |
755 | 0 | goto err; |
756 | | |
757 | 0 | if ((hmac_ctx = HMAC_CTX_new()) == NULL) |
758 | 0 | goto err; |
759 | 0 | if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, |
760 | 0 | ctx->hash, NULL)) |
761 | 0 | goto err; |
762 | 0 | if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash, |
763 | 0 | ctx->hs->tls13.transcript_hash_len)) |
764 | 0 | goto err; |
765 | 0 | verify_data_len = HMAC_size(hmac_ctx); |
766 | 0 | if ((verify_data = calloc(1, verify_data_len)) == NULL) |
767 | 0 | goto err; |
768 | 0 | if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) |
769 | 0 | goto err; |
770 | 0 | if (hlen != verify_data_len) |
771 | 0 | goto err; |
772 | | |
773 | 0 | if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { |
774 | 0 | ctx->alert = TLS13_ALERT_DECRYPT_ERROR; |
775 | 0 | goto err; |
776 | 0 | } |
777 | | |
778 | 0 | if (!CBS_write_bytes(cbs, ctx->hs->peer_finished, |
779 | 0 | sizeof(ctx->hs->peer_finished), |
780 | 0 | &ctx->hs->peer_finished_len)) |
781 | 0 | goto err; |
782 | | |
783 | 0 | if (!CBS_skip(cbs, verify_data_len)) |
784 | 0 | goto err; |
785 | | |
786 | | /* |
787 | | * Derive application traffic keys. |
788 | | */ |
789 | 0 | if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, |
790 | 0 | sizeof(transcript_hash), &transcript_hash_len)) |
791 | 0 | goto err; |
792 | | |
793 | 0 | context.data = transcript_hash; |
794 | 0 | context.len = transcript_hash_len; |
795 | |
|
796 | 0 | if (!tls13_derive_application_secrets(secrets, &context)) |
797 | 0 | goto err; |
798 | | |
799 | | /* |
800 | | * Any records following the server finished message must be encrypted |
801 | | * using the server application traffic keys. |
802 | | */ |
803 | 0 | if (!tls13_record_layer_set_read_traffic_key(ctx->rl, |
804 | 0 | &secrets->server_application_traffic, ssl_encryption_application)) |
805 | 0 | goto err; |
806 | | |
807 | 0 | tls13_record_layer_allow_ccs(ctx->rl, 0); |
808 | |
|
809 | 0 | ret = 1; |
810 | |
|
811 | 0 | err: |
812 | 0 | HMAC_CTX_free(hmac_ctx); |
813 | 0 | free(verify_data); |
814 | |
|
815 | 0 | return ret; |
816 | 0 | } |
817 | | |
818 | | static int |
819 | | tls13_client_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk, |
820 | | int *ok, const struct ssl_sigalg **out_sigalg) |
821 | 0 | { |
822 | 0 | const struct ssl_sigalg *sigalg; |
823 | 0 | SSL *s = ctx->ssl; |
824 | |
|
825 | 0 | *ok = 0; |
826 | 0 | *out_sigalg = NULL; |
827 | |
|
828 | 0 | if (cpk->x509 == NULL || cpk->privatekey == NULL) |
829 | 0 | goto done; |
830 | | |
831 | 0 | if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) |
832 | 0 | goto done; |
833 | | |
834 | 0 | *ok = 1; |
835 | 0 | *out_sigalg = sigalg; |
836 | |
|
837 | 0 | done: |
838 | 0 | return 1; |
839 | 0 | } |
840 | | |
841 | | static int |
842 | | tls13_client_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk, |
843 | | const struct ssl_sigalg **out_sigalg) |
844 | 0 | { |
845 | 0 | SSL *s = ctx->ssl; |
846 | 0 | const struct ssl_sigalg *sigalg; |
847 | 0 | SSL_CERT_PKEY *cpk; |
848 | 0 | int cert_ok; |
849 | |
|
850 | 0 | *out_cpk = NULL; |
851 | 0 | *out_sigalg = NULL; |
852 | | |
853 | | /* |
854 | | * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences |
855 | | * with the certificate_authorities (4.2.4) and oid_filters (4.2.5) |
856 | | * extensions. We should honor the former and must apply the latter. |
857 | | */ |
858 | |
|
859 | 0 | cpk = &s->cert->pkeys[SSL_PKEY_ECC]; |
860 | 0 | if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) |
861 | 0 | return 0; |
862 | 0 | if (cert_ok) |
863 | 0 | goto done; |
864 | | |
865 | 0 | cpk = &s->cert->pkeys[SSL_PKEY_RSA]; |
866 | 0 | if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) |
867 | 0 | return 0; |
868 | 0 | if (cert_ok) |
869 | 0 | goto done; |
870 | | |
871 | 0 | cpk = NULL; |
872 | 0 | sigalg = NULL; |
873 | |
|
874 | 0 | done: |
875 | 0 | *out_cpk = cpk; |
876 | 0 | *out_sigalg = sigalg; |
877 | |
|
878 | 0 | return 1; |
879 | 0 | } |
880 | | |
881 | | int |
882 | | tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) |
883 | 0 | { |
884 | 0 | SSL *s = ctx->ssl; |
885 | 0 | CBB cert_request_context, cert_list; |
886 | 0 | const struct ssl_sigalg *sigalg; |
887 | 0 | STACK_OF(X509) *chain; |
888 | 0 | SSL_CERT_PKEY *cpk; |
889 | 0 | X509 *cert; |
890 | 0 | int i, ret = 0; |
891 | |
|
892 | 0 | if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) |
893 | 0 | goto err; |
894 | | |
895 | 0 | ctx->hs->tls13.cpk = cpk; |
896 | 0 | ctx->hs->our_sigalg = sigalg; |
897 | |
|
898 | 0 | if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) |
899 | 0 | goto err; |
900 | 0 | if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) |
901 | 0 | goto err; |
902 | | |
903 | | /* No certificate selected. */ |
904 | 0 | if (cpk == NULL) |
905 | 0 | goto done; |
906 | | |
907 | 0 | if ((chain = cpk->chain) == NULL) |
908 | 0 | chain = s->ctx->extra_certs; |
909 | |
|
910 | 0 | if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build)) |
911 | 0 | goto err; |
912 | | |
913 | 0 | for (i = 0; i < sk_X509_num(chain); i++) { |
914 | 0 | cert = sk_X509_value(chain, i); |
915 | 0 | if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build)) |
916 | 0 | goto err; |
917 | 0 | } |
918 | | |
919 | 0 | ctx->handshake_stage.hs_type |= WITH_CCV; |
920 | 0 | done: |
921 | 0 | if (!CBB_flush(cbb)) |
922 | 0 | goto err; |
923 | | |
924 | 0 | ret = 1; |
925 | |
|
926 | 0 | err: |
927 | 0 | return ret; |
928 | 0 | } |
929 | | |
930 | | int |
931 | | tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) |
932 | 0 | { |
933 | 0 | const struct ssl_sigalg *sigalg; |
934 | 0 | uint8_t *sig = NULL, *sig_content = NULL; |
935 | 0 | size_t sig_len, sig_content_len; |
936 | 0 | EVP_MD_CTX *mdctx = NULL; |
937 | 0 | EVP_PKEY_CTX *pctx; |
938 | 0 | EVP_PKEY *pkey; |
939 | 0 | const SSL_CERT_PKEY *cpk; |
940 | 0 | CBB sig_cbb; |
941 | 0 | int ret = 0; |
942 | |
|
943 | 0 | memset(&sig_cbb, 0, sizeof(sig_cbb)); |
944 | |
|
945 | 0 | if ((cpk = ctx->hs->tls13.cpk) == NULL) |
946 | 0 | goto err; |
947 | 0 | if ((sigalg = ctx->hs->our_sigalg) == NULL) |
948 | 0 | goto err; |
949 | 0 | pkey = cpk->privatekey; |
950 | |
|
951 | 0 | if (!CBB_init(&sig_cbb, 0)) |
952 | 0 | goto err; |
953 | 0 | if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, |
954 | 0 | sizeof(tls13_cert_verify_pad))) |
955 | 0 | goto err; |
956 | 0 | if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, |
957 | 0 | strlen(tls13_cert_client_verify_context))) |
958 | 0 | goto err; |
959 | 0 | if (!CBB_add_u8(&sig_cbb, 0)) |
960 | 0 | goto err; |
961 | 0 | if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash, |
962 | 0 | ctx->hs->tls13.transcript_hash_len)) |
963 | 0 | goto err; |
964 | 0 | if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) |
965 | 0 | goto err; |
966 | | |
967 | 0 | if ((mdctx = EVP_MD_CTX_new()) == NULL) |
968 | 0 | goto err; |
969 | 0 | if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) |
970 | 0 | goto err; |
971 | 0 | if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { |
972 | 0 | if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) |
973 | 0 | goto err; |
974 | 0 | if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) |
975 | 0 | goto err; |
976 | 0 | } |
977 | 0 | if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) |
978 | 0 | goto err; |
979 | 0 | if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) |
980 | 0 | goto err; |
981 | 0 | if ((sig = calloc(1, sig_len)) == NULL) |
982 | 0 | goto err; |
983 | 0 | if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) |
984 | 0 | goto err; |
985 | | |
986 | 0 | if (!CBB_add_u16(cbb, sigalg->value)) |
987 | 0 | goto err; |
988 | 0 | if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) |
989 | 0 | goto err; |
990 | 0 | if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) |
991 | 0 | goto err; |
992 | | |
993 | 0 | if (!CBB_flush(cbb)) |
994 | 0 | goto err; |
995 | | |
996 | 0 | ret = 1; |
997 | |
|
998 | 0 | err: |
999 | 0 | if (!ret && ctx->alert == 0) |
1000 | 0 | ctx->alert = TLS13_ALERT_INTERNAL_ERROR; |
1001 | |
|
1002 | 0 | CBB_cleanup(&sig_cbb); |
1003 | 0 | EVP_MD_CTX_free(mdctx); |
1004 | 0 | free(sig_content); |
1005 | 0 | free(sig); |
1006 | |
|
1007 | 0 | return ret; |
1008 | 0 | } |
1009 | | |
1010 | | int |
1011 | | tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) |
1012 | 0 | { |
1013 | 0 | return 0; |
1014 | 0 | } |
1015 | | |
1016 | | int |
1017 | | tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) |
1018 | 0 | { |
1019 | 0 | struct tls13_secrets *secrets = ctx->hs->tls13.secrets; |
1020 | 0 | struct tls13_secret context = { .data = "", .len = 0 }; |
1021 | 0 | struct tls13_secret finished_key = { .data = NULL, .len = 0 }; |
1022 | 0 | uint8_t transcript_hash[EVP_MAX_MD_SIZE]; |
1023 | 0 | size_t transcript_hash_len; |
1024 | 0 | uint8_t *verify_data; |
1025 | 0 | size_t verify_data_len; |
1026 | 0 | unsigned int hlen; |
1027 | 0 | HMAC_CTX *hmac_ctx = NULL; |
1028 | 0 | CBS cbs; |
1029 | 0 | int ret = 0; |
1030 | |
|
1031 | 0 | if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash))) |
1032 | 0 | goto err; |
1033 | | |
1034 | 0 | if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, |
1035 | 0 | &secrets->client_handshake_traffic, "finished", |
1036 | 0 | &context)) |
1037 | 0 | goto err; |
1038 | | |
1039 | 0 | if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, |
1040 | 0 | sizeof(transcript_hash), &transcript_hash_len)) |
1041 | 0 | goto err; |
1042 | | |
1043 | 0 | if ((hmac_ctx = HMAC_CTX_new()) == NULL) |
1044 | 0 | goto err; |
1045 | 0 | if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, |
1046 | 0 | ctx->hash, NULL)) |
1047 | 0 | goto err; |
1048 | 0 | if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) |
1049 | 0 | goto err; |
1050 | | |
1051 | 0 | verify_data_len = HMAC_size(hmac_ctx); |
1052 | 0 | if (!CBB_add_space(cbb, &verify_data, verify_data_len)) |
1053 | 0 | goto err; |
1054 | 0 | if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) |
1055 | 0 | goto err; |
1056 | 0 | if (hlen != verify_data_len) |
1057 | 0 | goto err; |
1058 | | |
1059 | 0 | CBS_init(&cbs, verify_data, verify_data_len); |
1060 | 0 | if (!CBS_write_bytes(&cbs, ctx->hs->finished, |
1061 | 0 | sizeof(ctx->hs->finished), &ctx->hs->finished_len)) |
1062 | 0 | goto err; |
1063 | | |
1064 | 0 | ret = 1; |
1065 | |
|
1066 | 0 | err: |
1067 | 0 | tls13_secret_cleanup(&finished_key); |
1068 | 0 | HMAC_CTX_free(hmac_ctx); |
1069 | |
|
1070 | 0 | return ret; |
1071 | 0 | } |
1072 | | |
1073 | | int |
1074 | | tls13_client_finished_sent(struct tls13_ctx *ctx) |
1075 | 0 | { |
1076 | 0 | struct tls13_secrets *secrets = ctx->hs->tls13.secrets; |
1077 | | |
1078 | | /* |
1079 | | * Any records following the client finished message must be encrypted |
1080 | | * using the client application traffic keys. |
1081 | | */ |
1082 | 0 | return tls13_record_layer_set_write_traffic_key(ctx->rl, |
1083 | 0 | &secrets->client_application_traffic, ssl_encryption_application); |
1084 | 0 | } |