/src/libressl/ssl/tls13_lib.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: tls13_lib.c,v 1.70 2022/07/24 14:28:16 jsing Exp $ */ |
2 | | /* |
3 | | * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> |
4 | | * Copyright (c) 2019 Bob Beck <beck@openbsd.org> |
5 | | * |
6 | | * Permission to use, copy, modify, and distribute this software for any |
7 | | * purpose with or without fee is hereby granted, provided that the above |
8 | | * copyright notice and this permission notice appear in all copies. |
9 | | * |
10 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
11 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
12 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
13 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
14 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
15 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
16 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
17 | | */ |
18 | | |
19 | | #include <stddef.h> |
20 | | |
21 | | #include <openssl/evp.h> |
22 | | |
23 | | #include "ssl_locl.h" |
24 | | #include "ssl_tlsext.h" |
25 | | #include "tls13_internal.h" |
26 | | |
27 | | /* |
28 | | * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set |
29 | | * by the server in server random if it is willing to downgrade but supports |
30 | | * TLSv1.3 |
31 | | */ |
32 | | const uint8_t tls13_downgrade_12[8] = { |
33 | | 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01, |
34 | | }; |
35 | | const uint8_t tls13_downgrade_11[8] = { |
36 | | 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00, |
37 | | }; |
38 | | |
39 | | /* |
40 | | * HelloRetryRequest hash - RFC 8446 section 4.1.3. |
41 | | */ |
42 | | const uint8_t tls13_hello_retry_request_hash[32] = { |
43 | | 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, |
44 | | 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, |
45 | | 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, |
46 | | 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, |
47 | | }; |
48 | | |
49 | | /* |
50 | | * Certificate Verify padding - RFC 8446 section 4.4.3. |
51 | | */ |
52 | | const uint8_t tls13_cert_verify_pad[64] = { |
53 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
54 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
55 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
56 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
57 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
58 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
59 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
60 | | 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, |
61 | | }; |
62 | | |
63 | | const uint8_t tls13_cert_client_verify_context[] = |
64 | | "TLS 1.3, client CertificateVerify"; |
65 | | const uint8_t tls13_cert_server_verify_context[] = |
66 | | "TLS 1.3, server CertificateVerify"; |
67 | | |
68 | | const EVP_AEAD * |
69 | | tls13_cipher_aead(const SSL_CIPHER *cipher) |
70 | 86 | { |
71 | 86 | if (cipher == NULL) |
72 | 0 | return NULL; |
73 | 86 | if (cipher->algorithm_ssl != SSL_TLSV1_3) |
74 | 0 | return NULL; |
75 | | |
76 | 86 | switch (cipher->algorithm_enc) { |
77 | 11 | case SSL_AES128GCM: |
78 | 11 | return EVP_aead_aes_128_gcm(); |
79 | 20 | case SSL_AES256GCM: |
80 | 20 | return EVP_aead_aes_256_gcm(); |
81 | 55 | case SSL_CHACHA20POLY1305: |
82 | 55 | return EVP_aead_chacha20_poly1305(); |
83 | 86 | } |
84 | | |
85 | 0 | return NULL; |
86 | 86 | } |
87 | | |
88 | | const EVP_MD * |
89 | | tls13_cipher_hash(const SSL_CIPHER *cipher) |
90 | 86 | { |
91 | 86 | if (cipher == NULL) |
92 | 0 | return NULL; |
93 | 86 | if (cipher->algorithm_ssl != SSL_TLSV1_3) |
94 | 0 | return NULL; |
95 | | |
96 | 86 | switch (cipher->algorithm2) { |
97 | 66 | case SSL_HANDSHAKE_MAC_SHA256: |
98 | 66 | return EVP_sha256(); |
99 | 20 | case SSL_HANDSHAKE_MAC_SHA384: |
100 | 20 | return EVP_sha384(); |
101 | 86 | } |
102 | | |
103 | 0 | return NULL; |
104 | 86 | } |
105 | | |
106 | | void |
107 | | tls13_alert_received_cb(uint8_t alert_desc, void *arg) |
108 | 912 | { |
109 | 912 | struct tls13_ctx *ctx = arg; |
110 | | |
111 | 912 | if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { |
112 | 4 | ctx->close_notify_recv = 1; |
113 | 4 | ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; |
114 | 4 | ctx->ssl->s3->warn_alert = alert_desc; |
115 | 4 | return; |
116 | 4 | } |
117 | | |
118 | 908 | if (alert_desc == TLS13_ALERT_USER_CANCELED) { |
119 | | /* |
120 | | * We treat this as advisory, since a close_notify alert |
121 | | * SHOULD follow this alert (RFC 8446 section 6.1). |
122 | | */ |
123 | 882 | return; |
124 | 882 | } |
125 | | |
126 | | /* All other alerts are treated as fatal in TLSv1.3. */ |
127 | 26 | ctx->ssl->s3->fatal_alert = alert_desc; |
128 | | |
129 | 26 | SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); |
130 | 26 | ERR_asprintf_error_data("SSL alert number %d", alert_desc); |
131 | | |
132 | 26 | SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session); |
133 | 26 | } |
134 | | |
135 | | void |
136 | | tls13_alert_sent_cb(uint8_t alert_desc, void *arg) |
137 | 555 | { |
138 | 555 | struct tls13_ctx *ctx = arg; |
139 | | |
140 | 555 | if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { |
141 | 0 | ctx->close_notify_sent = 1; |
142 | 0 | return; |
143 | 0 | } |
144 | | |
145 | 555 | if (alert_desc == TLS13_ALERT_USER_CANCELED) { |
146 | 0 | return; |
147 | 0 | } |
148 | | |
149 | | /* All other alerts are treated as fatal in TLSv1.3. */ |
150 | 555 | if (ctx->error.code == 0) |
151 | 520 | SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); |
152 | 555 | } |
153 | | |
154 | | static void |
155 | | tls13_legacy_handshake_message_recv_cb(void *arg) |
156 | 12.1k | { |
157 | 12.1k | struct tls13_ctx *ctx = arg; |
158 | 12.1k | SSL *s = ctx->ssl; |
159 | 12.1k | CBS cbs; |
160 | | |
161 | 12.1k | if (s->internal->msg_callback == NULL) |
162 | 12.1k | return; |
163 | | |
164 | 0 | tls13_handshake_msg_data(ctx->hs_msg, &cbs); |
165 | 0 | ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs)); |
166 | 0 | } |
167 | | |
168 | | static void |
169 | | tls13_legacy_handshake_message_sent_cb(void *arg) |
170 | 7.19k | { |
171 | 7.19k | struct tls13_ctx *ctx = arg; |
172 | 7.19k | SSL *s = ctx->ssl; |
173 | 7.19k | CBS cbs; |
174 | | |
175 | 7.19k | if (s->internal->msg_callback == NULL) |
176 | 7.19k | return; |
177 | | |
178 | 0 | tls13_handshake_msg_data(ctx->hs_msg, &cbs); |
179 | 0 | ssl_msg_callback(s, 1, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs)); |
180 | 0 | } |
181 | | |
182 | | static void |
183 | | tls13_legacy_info_cb(void *arg, int state, int ret) |
184 | 21.1k | { |
185 | 21.1k | struct tls13_ctx *ctx = arg; |
186 | 21.1k | SSL *s = ctx->ssl; |
187 | | |
188 | 21.1k | ssl_info_callback(s, state, ret); |
189 | 21.1k | } |
190 | | |
191 | | static int |
192 | | tls13_legacy_ocsp_status_recv_cb(void *arg) |
193 | 0 | { |
194 | 0 | struct tls13_ctx *ctx = arg; |
195 | 0 | SSL *s = ctx->ssl; |
196 | 0 | int ret; |
197 | |
|
198 | 0 | if (s->ctx->internal->tlsext_status_cb == NULL) |
199 | 0 | return 1; |
200 | | |
201 | 0 | ret = s->ctx->internal->tlsext_status_cb(s, |
202 | 0 | s->ctx->internal->tlsext_status_arg); |
203 | 0 | if (ret < 0) { |
204 | 0 | ctx->alert = TLS13_ALERT_INTERNAL_ERROR; |
205 | 0 | SSLerror(s, ERR_R_MALLOC_FAILURE); |
206 | 0 | return 0; |
207 | 0 | } |
208 | 0 | if (ret == 0) { |
209 | 0 | ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE; |
210 | 0 | SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); |
211 | 0 | return 0; |
212 | 0 | } |
213 | | |
214 | 0 | return 1; |
215 | 0 | } |
216 | | |
217 | | static int |
218 | | tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx) |
219 | 0 | { |
220 | 0 | struct tls13_secrets *secrets = ctx->hs->tls13.secrets; |
221 | 0 | struct tls13_secret *secret; |
222 | |
|
223 | 0 | if (ctx->mode == TLS13_HS_CLIENT) { |
224 | 0 | secret = &secrets->server_application_traffic; |
225 | 0 | if (!tls13_update_server_traffic_secret(secrets)) |
226 | 0 | return 0; |
227 | 0 | } else { |
228 | 0 | secret = &secrets->client_application_traffic; |
229 | 0 | if (!tls13_update_client_traffic_secret(secrets)) |
230 | 0 | return 0; |
231 | 0 | } |
232 | | |
233 | 0 | return tls13_record_layer_set_read_traffic_key(ctx->rl, |
234 | 0 | secret, ssl_encryption_application); |
235 | 0 | } |
236 | | |
237 | | static int |
238 | | tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx) |
239 | 0 | { |
240 | 0 | struct tls13_secrets *secrets = ctx->hs->tls13.secrets; |
241 | 0 | struct tls13_secret *secret; |
242 | |
|
243 | 0 | if (ctx->mode == TLS13_HS_CLIENT) { |
244 | 0 | secret = &secrets->client_application_traffic; |
245 | 0 | if (!tls13_update_client_traffic_secret(secrets)) |
246 | 0 | return 0; |
247 | 0 | } else { |
248 | 0 | secret = &secrets->server_application_traffic; |
249 | 0 | if (!tls13_update_server_traffic_secret(secrets)) |
250 | 0 | return 0; |
251 | 0 | } |
252 | | |
253 | 0 | return tls13_record_layer_set_write_traffic_key(ctx->rl, |
254 | 0 | secret, ssl_encryption_application); |
255 | 0 | } |
256 | | |
257 | | /* |
258 | | * XXX arbitrarily chosen limit of 100 post handshake handshake |
259 | | * messages in an hour - to avoid a hostile peer from constantly |
260 | | * requesting certificates or key renegotiaitons, etc. |
261 | | */ |
262 | | static int |
263 | | tls13_phh_limit_check(struct tls13_ctx *ctx) |
264 | 0 | { |
265 | 0 | time_t now = time(NULL); |
266 | |
|
267 | 0 | if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) { |
268 | 0 | if (ctx->phh_count > TLS13_PHH_LIMIT) |
269 | 0 | return 0; |
270 | 0 | } else |
271 | 0 | ctx->phh_count = 0; |
272 | 0 | ctx->phh_count++; |
273 | 0 | ctx->phh_last_seen = now; |
274 | 0 | return 1; |
275 | 0 | } |
276 | | |
277 | | static ssize_t |
278 | | tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) |
279 | 0 | { |
280 | 0 | struct tls13_handshake_msg *hs_msg = NULL; |
281 | 0 | CBB cbb_hs; |
282 | 0 | CBS cbs_hs; |
283 | 0 | uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; |
284 | 0 | uint8_t key_update_request; |
285 | 0 | ssize_t ret; |
286 | |
|
287 | 0 | if (!CBS_get_u8(cbs, &key_update_request)) { |
288 | 0 | alert = TLS13_ALERT_DECODE_ERROR; |
289 | 0 | goto err; |
290 | 0 | } |
291 | 0 | if (CBS_len(cbs) != 0) { |
292 | 0 | alert = TLS13_ALERT_DECODE_ERROR; |
293 | 0 | goto err; |
294 | 0 | } |
295 | 0 | if (key_update_request > 1) { |
296 | 0 | alert = TLS13_ALERT_ILLEGAL_PARAMETER; |
297 | 0 | goto err; |
298 | 0 | } |
299 | | |
300 | 0 | if (!tls13_phh_update_read_traffic_secret(ctx)) |
301 | 0 | goto err; |
302 | | |
303 | 0 | if (key_update_request == 0) |
304 | 0 | return TLS13_IO_SUCCESS; |
305 | | |
306 | | /* Our peer requested that we update our write traffic keys. */ |
307 | 0 | if ((hs_msg = tls13_handshake_msg_new()) == NULL) |
308 | 0 | goto err; |
309 | 0 | if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE)) |
310 | 0 | goto err; |
311 | 0 | if (!CBB_add_u8(&cbb_hs, 0)) |
312 | 0 | goto err; |
313 | 0 | if (!tls13_handshake_msg_finish(hs_msg)) |
314 | 0 | goto err; |
315 | | |
316 | 0 | ctx->key_update_request = 1; |
317 | 0 | tls13_handshake_msg_data(hs_msg, &cbs_hs); |
318 | 0 | ret = tls13_record_layer_phh(ctx->rl, &cbs_hs); |
319 | |
|
320 | 0 | tls13_handshake_msg_free(hs_msg); |
321 | 0 | hs_msg = NULL; |
322 | |
|
323 | 0 | return ret; |
324 | | |
325 | 0 | err: |
326 | 0 | tls13_handshake_msg_free(hs_msg); |
327 | |
|
328 | 0 | return tls13_send_alert(ctx->rl, alert); |
329 | 0 | } |
330 | | |
331 | | ssize_t |
332 | | tls13_phh_received_cb(void *cb_arg) |
333 | 0 | { |
334 | 0 | ssize_t ret = TLS13_IO_FAILURE; |
335 | 0 | struct tls13_ctx *ctx = cb_arg; |
336 | 0 | CBS cbs; |
337 | |
|
338 | 0 | if (!tls13_phh_limit_check(ctx)) |
339 | 0 | return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); |
340 | | |
341 | 0 | if ((ctx->hs_msg == NULL) && |
342 | 0 | ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) |
343 | 0 | return TLS13_IO_FAILURE; |
344 | | |
345 | 0 | if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) != |
346 | 0 | TLS13_IO_SUCCESS) |
347 | 0 | return ret; |
348 | | |
349 | 0 | if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) |
350 | 0 | return TLS13_IO_FAILURE; |
351 | | |
352 | 0 | switch(tls13_handshake_msg_type(ctx->hs_msg)) { |
353 | 0 | case TLS13_MT_KEY_UPDATE: |
354 | 0 | ret = tls13_key_update_recv(ctx, &cbs); |
355 | 0 | break; |
356 | 0 | case TLS13_MT_NEW_SESSION_TICKET: |
357 | | /* XXX do nothing for now and ignore this */ |
358 | 0 | break; |
359 | 0 | case TLS13_MT_CERTIFICATE_REQUEST: |
360 | | /* XXX add support if we choose to advertise this */ |
361 | | /* FALLTHROUGH */ |
362 | 0 | default: |
363 | 0 | ret = TLS13_IO_FAILURE; /* XXX send alert */ |
364 | 0 | break; |
365 | 0 | } |
366 | | |
367 | 0 | tls13_handshake_msg_free(ctx->hs_msg); |
368 | 0 | ctx->hs_msg = NULL; |
369 | 0 | return ret; |
370 | 0 | } |
371 | | |
372 | | void |
373 | | tls13_phh_done_cb(void *cb_arg) |
374 | 0 | { |
375 | 0 | struct tls13_ctx *ctx = cb_arg; |
376 | |
|
377 | 0 | if (ctx->key_update_request) { |
378 | 0 | tls13_phh_update_write_traffic_secret(ctx); |
379 | 0 | ctx->key_update_request = 0; |
380 | 0 | } |
381 | 0 | } |
382 | | |
383 | | static const struct tls13_record_layer_callbacks tls13_rl_callbacks = { |
384 | | .wire_read = tls13_legacy_wire_read_cb, |
385 | | .wire_write = tls13_legacy_wire_write_cb, |
386 | | .wire_flush = tls13_legacy_wire_flush_cb, |
387 | | |
388 | | .alert_recv = tls13_alert_received_cb, |
389 | | .alert_sent = tls13_alert_sent_cb, |
390 | | .phh_recv = tls13_phh_received_cb, |
391 | | .phh_sent = tls13_phh_done_cb, |
392 | | }; |
393 | | |
394 | | struct tls13_ctx * |
395 | | tls13_ctx_new(int mode, SSL *ssl) |
396 | 12.8k | { |
397 | 12.8k | struct tls13_ctx *ctx = NULL; |
398 | | |
399 | 12.8k | if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL) |
400 | 0 | goto err; |
401 | | |
402 | 12.8k | ctx->hs = &ssl->s3->hs; |
403 | 12.8k | ctx->mode = mode; |
404 | 12.8k | ctx->ssl = ssl; |
405 | | |
406 | 12.8k | if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL) |
407 | 0 | goto err; |
408 | | |
409 | 12.8k | ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; |
410 | 12.8k | ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; |
411 | 12.8k | ctx->info_cb = tls13_legacy_info_cb; |
412 | 12.8k | ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb; |
413 | | |
414 | 12.8k | ctx->middlebox_compat = 1; |
415 | | |
416 | 12.8k | ssl->internal->tls13 = ctx; |
417 | | |
418 | 12.8k | if (SSL_is_quic(ssl)) { |
419 | 0 | if (!tls13_quic_init(ctx)) |
420 | 0 | goto err; |
421 | 0 | } |
422 | | |
423 | 12.8k | return ctx; |
424 | | |
425 | 0 | err: |
426 | 0 | tls13_ctx_free(ctx); |
427 | |
|
428 | 0 | return NULL; |
429 | 12.8k | } |
430 | | |
431 | | void |
432 | | tls13_ctx_free(struct tls13_ctx *ctx) |
433 | 25.6k | { |
434 | 25.6k | if (ctx == NULL) |
435 | 12.8k | return; |
436 | | |
437 | 12.8k | tls13_error_clear(&ctx->error); |
438 | 12.8k | tls13_record_layer_free(ctx->rl); |
439 | 12.8k | tls13_handshake_msg_free(ctx->hs_msg); |
440 | | |
441 | 12.8k | freezero(ctx, sizeof(struct tls13_ctx)); |
442 | 12.8k | } |
443 | | |
444 | | int |
445 | | tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, |
446 | | int (*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)) |
447 | 63 | { |
448 | 63 | CBB cert_data, cert_exts; |
449 | 63 | uint8_t *data; |
450 | 63 | int cert_len; |
451 | | |
452 | 63 | if ((cert_len = i2d_X509(cert, NULL)) < 0) |
453 | 0 | return 0; |
454 | | |
455 | 63 | if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) |
456 | 0 | return 0; |
457 | 63 | if (!CBB_add_space(&cert_data, &data, cert_len)) |
458 | 0 | return 0; |
459 | 63 | if (i2d_X509(cert, &data) != cert_len) |
460 | 0 | return 0; |
461 | 63 | if (build_extensions != NULL) { |
462 | 63 | if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb)) |
463 | 0 | return 0; |
464 | 63 | } else { |
465 | 0 | if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) |
466 | 0 | return 0; |
467 | 0 | } |
468 | 63 | if (!CBB_flush(cbb)) |
469 | 0 | return 0; |
470 | | |
471 | 63 | return 1; |
472 | 63 | } |
473 | | |
474 | | int |
475 | | tls13_synthetic_handshake_message(struct tls13_ctx *ctx) |
476 | 72 | { |
477 | 72 | struct tls13_handshake_msg *hm = NULL; |
478 | 72 | unsigned char buf[EVP_MAX_MD_SIZE]; |
479 | 72 | size_t hash_len; |
480 | 72 | CBB cbb; |
481 | 72 | CBS cbs; |
482 | 72 | SSL *s = ctx->ssl; |
483 | 72 | int ret = 0; |
484 | | |
485 | | /* |
486 | | * Replace ClientHello with synthetic handshake message - see |
487 | | * RFC 8446 section 4.4.1. |
488 | | */ |
489 | 72 | if (!tls1_transcript_hash_init(s)) |
490 | 0 | goto err; |
491 | 72 | if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) |
492 | 0 | goto err; |
493 | | |
494 | 72 | if ((hm = tls13_handshake_msg_new()) == NULL) |
495 | 0 | goto err; |
496 | 72 | if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH)) |
497 | 0 | goto err; |
498 | 72 | if (!CBB_add_bytes(&cbb, buf, hash_len)) |
499 | 0 | goto err; |
500 | 72 | if (!tls13_handshake_msg_finish(hm)) |
501 | 0 | goto err; |
502 | | |
503 | 72 | tls13_handshake_msg_data(hm, &cbs); |
504 | | |
505 | 72 | tls1_transcript_reset(ctx->ssl); |
506 | 72 | if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) |
507 | 0 | goto err; |
508 | | |
509 | 72 | ret = 1; |
510 | | |
511 | 72 | err: |
512 | 72 | tls13_handshake_msg_free(hm); |
513 | | |
514 | 72 | return ret; |
515 | 72 | } |
516 | | |
517 | | int |
518 | | tls13_clienthello_hash_init(struct tls13_ctx *ctx) |
519 | 274 | { |
520 | 274 | if (ctx->hs->tls13.clienthello_md_ctx != NULL) |
521 | 0 | return 0; |
522 | 274 | if ((ctx->hs->tls13.clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) |
523 | 0 | return 0; |
524 | 274 | if (!EVP_DigestInit_ex(ctx->hs->tls13.clienthello_md_ctx, |
525 | 274 | EVP_sha256(), NULL)) |
526 | 0 | return 0; |
527 | | |
528 | 274 | if ((ctx->hs->tls13.clienthello_hash == NULL) && |
529 | 274 | (ctx->hs->tls13.clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == |
530 | 242 | NULL) |
531 | 0 | return 0; |
532 | | |
533 | 274 | return 1; |
534 | 274 | } |
535 | | |
536 | | void |
537 | | tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) /* XXX */ |
538 | 51.3k | { |
539 | 51.3k | EVP_MD_CTX_free(hs->clienthello_md_ctx); |
540 | 51.3k | hs->clienthello_md_ctx = NULL; |
541 | 51.3k | freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE); |
542 | 51.3k | hs->clienthello_hash = NULL; |
543 | 51.3k | } |
544 | | |
545 | | int |
546 | | tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, |
547 | | size_t len) |
548 | 3.26k | { |
549 | 3.26k | return EVP_DigestUpdate(ctx->hs->tls13.clienthello_md_ctx, data, len); |
550 | 3.26k | } |
551 | | |
552 | | int |
553 | | tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs) |
554 | 1.92k | { |
555 | 1.92k | return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs), |
556 | 1.92k | CBS_len(cbs)); |
557 | 1.92k | } |
558 | | |
559 | | int |
560 | | tls13_clienthello_hash_finalize(struct tls13_ctx *ctx) |
561 | 196 | { |
562 | 196 | if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, |
563 | 196 | ctx->hs->tls13.clienthello_hash, |
564 | 196 | &ctx->hs->tls13.clienthello_hash_len)) |
565 | 0 | return 0; |
566 | 196 | EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); |
567 | 196 | ctx->hs->tls13.clienthello_md_ctx = NULL; |
568 | 196 | return 1; |
569 | 196 | } |
570 | | |
571 | | int |
572 | | tls13_clienthello_hash_validate(struct tls13_ctx *ctx) |
573 | 26 | { |
574 | 26 | unsigned char new_ch_hash[EVP_MAX_MD_SIZE]; |
575 | 26 | unsigned int new_ch_hash_len; |
576 | | |
577 | 26 | if (ctx->hs->tls13.clienthello_hash == NULL) |
578 | 0 | return 0; |
579 | | |
580 | 26 | if (!EVP_DigestFinal_ex(ctx->hs->tls13.clienthello_md_ctx, |
581 | 26 | new_ch_hash, &new_ch_hash_len)) |
582 | 0 | return 0; |
583 | 26 | EVP_MD_CTX_free(ctx->hs->tls13.clienthello_md_ctx); |
584 | 26 | ctx->hs->tls13.clienthello_md_ctx = NULL; |
585 | | |
586 | 26 | if (ctx->hs->tls13.clienthello_hash_len != new_ch_hash_len) |
587 | 0 | return 0; |
588 | 26 | if (memcmp(ctx->hs->tls13.clienthello_hash, new_ch_hash, |
589 | 26 | new_ch_hash_len) != 0) |
590 | 21 | return 0; |
591 | | |
592 | 5 | return 1; |
593 | 26 | } |
594 | | |
595 | | int |
596 | | tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, |
597 | | const uint8_t *context_value, size_t context_value_len, uint8_t *out, |
598 | | size_t out_len) |
599 | 0 | { |
600 | 0 | struct tls13_secret context, export_out, export_secret; |
601 | 0 | struct tls13_secrets *secrets = ctx->hs->tls13.secrets; |
602 | 0 | EVP_MD_CTX *md_ctx = NULL; |
603 | 0 | unsigned int md_out_len; |
604 | 0 | int md_len; |
605 | 0 | int ret = 0; |
606 | | |
607 | | /* |
608 | | * RFC 8446 Section 7.5. |
609 | | */ |
610 | |
|
611 | 0 | memset(&context, 0, sizeof(context)); |
612 | 0 | memset(&export_secret, 0, sizeof(export_secret)); |
613 | |
|
614 | 0 | export_out.data = out; |
615 | 0 | export_out.len = out_len; |
616 | |
|
617 | 0 | if (!ctx->handshake_completed) |
618 | 0 | return 0; |
619 | | |
620 | 0 | md_len = EVP_MD_size(secrets->digest); |
621 | 0 | if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE) |
622 | 0 | goto err; |
623 | | |
624 | 0 | if (!tls13_secret_init(&export_secret, md_len)) |
625 | 0 | goto err; |
626 | 0 | if (!tls13_secret_init(&context, md_len)) |
627 | 0 | goto err; |
628 | | |
629 | | /* In TLSv1.3 no context is equivalent to an empty context. */ |
630 | 0 | if (context_value == NULL) { |
631 | 0 | context_value = ""; |
632 | 0 | context_value_len = 0; |
633 | 0 | } |
634 | |
|
635 | 0 | if ((md_ctx = EVP_MD_CTX_new()) == NULL) |
636 | 0 | goto err; |
637 | 0 | if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL)) |
638 | 0 | goto err; |
639 | 0 | if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len)) |
640 | 0 | goto err; |
641 | 0 | if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len)) |
642 | 0 | goto err; |
643 | 0 | if (md_len != md_out_len) |
644 | 0 | goto err; |
645 | | |
646 | 0 | if (!tls13_derive_secret_with_label_length(&export_secret, |
647 | 0 | secrets->digest, &secrets->exporter_master, label, label_len, |
648 | 0 | &secrets->empty_hash)) |
649 | 0 | goto err; |
650 | | |
651 | 0 | if (!tls13_hkdf_expand_label(&export_out, secrets->digest, |
652 | 0 | &export_secret, "exporter", &context)) |
653 | 0 | goto err; |
654 | | |
655 | 0 | ret = 1; |
656 | |
|
657 | 0 | err: |
658 | 0 | EVP_MD_CTX_free(md_ctx); |
659 | 0 | tls13_secret_cleanup(&context); |
660 | 0 | tls13_secret_cleanup(&export_secret); |
661 | |
|
662 | 0 | return ret; |
663 | 0 | } |