xref: /openbsd-src/lib/libssl/tls13_server.c (revision 18f4ffe1b0f679b6a32b4368fae791b51edff664)
1 /* $OpenBSD: tls13_server.c,v 1.16 2020/01/24 08:21:24 jsing Exp $ */
2 /*
3  * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
4  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include <openssl/curve25519.h>
20 
21 #include "ssl_locl.h"
22 #include "ssl_tlsext.h"
23 
24 #include "tls13_handshake.h"
25 #include "tls13_internal.h"
26 
27 static int
28 tls13_accept(struct tls13_ctx *ctx)
29 {
30 	if (ctx->mode != TLS13_HS_SERVER)
31 		return TLS13_IO_FAILURE;
32 
33 	return tls13_handshake_perform(ctx);
34 }
35 
36 static int
37 tls13_server_init(struct tls13_ctx *ctx)
38 {
39 	SSL *s = ctx->ssl;
40 
41 	if (!ssl_supported_version_range(s, &ctx->hs->min_version,
42 	    &ctx->hs->max_version)) {
43 		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
44 		return 0;
45 	}
46 	s->version = ctx->hs->max_version;
47 
48 	if (!tls1_transcript_init(s))
49 		return 0;
50 
51 	if ((s->session = SSL_SESSION_new()) == NULL)
52 		return 0;
53 
54 	arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE);
55 
56 	return 1;
57 }
58 
59 int
60 tls13_legacy_accept(SSL *ssl)
61 {
62 	struct tls13_ctx *ctx = ssl->internal->tls13;
63 	int ret;
64 
65 	if (ctx == NULL) {
66 		if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) {
67 			SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
68 			return -1;
69 		}
70 		ssl->internal->tls13 = ctx;
71 		ctx->ssl = ssl;
72 		ctx->hs = &S3I(ssl)->hs_tls13;
73 
74 		if (!tls13_server_init(ctx)) {
75 			if (ERR_peek_error() == 0)
76 				SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
77 			return -1;
78 		}
79 	}
80 
81 	S3I(ssl)->hs.state = SSL_ST_ACCEPT;
82 
83 	ret = tls13_accept(ctx);
84 	if (ret == TLS13_IO_USE_LEGACY)
85 		return ssl->method->internal->ssl_accept(ssl);
86 	if (ret == TLS13_IO_SUCCESS)
87 		S3I(ssl)->hs.state = SSL_ST_OK;
88 
89 	return tls13_legacy_return_code(ssl, ret);
90 }
91 
92 int
93 tls13_use_legacy_server(struct tls13_ctx *ctx)
94 {
95 	SSL *s = ctx->ssl;
96 	CBS cbs;
97 
98 	s->method = tls_legacy_server_method();
99 	s->client_version = s->version = s->method->internal->max_version;
100 	s->server = 1;
101 
102 	if (!ssl3_setup_init_buffer(s))
103 		goto err;
104 	if (!ssl3_setup_buffers(s))
105 		goto err;
106 	if (!ssl_init_wbio_buffer(s, 0))
107 		goto err;
108 
109 	if (s->bbio != s->wbio)
110 		s->wbio = BIO_push(s->bbio, s->wbio);
111 
112 	/* Stash any unprocessed data from the last record. */
113 	tls13_record_layer_rbuf(ctx->rl, &cbs);
114 	if (CBS_len(&cbs) > 0) {
115 		if (!CBS_write_bytes(&cbs,
116 		    S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH,
117 		    S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL))
118 			goto err;
119 
120 		S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH;
121 		S3I(s)->rbuf.left = CBS_len(&cbs);
122 		S3I(s)->rrec.type = SSL3_RT_HANDSHAKE;
123 		S3I(s)->rrec.length = CBS_len(&cbs);
124 		s->internal->rstate = SSL_ST_READ_BODY;
125 		s->internal->packet = S3I(s)->rbuf.buf;
126 		s->internal->packet_length = SSL3_RT_HEADER_LENGTH;
127 		s->internal->mac_packet = 1;
128 	}
129 
130 	/* Stash the current handshake message. */
131 	tls13_handshake_msg_data(ctx->hs_msg, &cbs);
132 	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data,
133 	    s->internal->init_buf->length, NULL))
134 		goto err;
135 
136 	S3I(s)->tmp.reuse_message = 1;
137 	S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
138 	S3I(s)->tmp.message_size = CBS_len(&cbs);
139 
140 	S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A;
141 
142 	return 1;
143 
144  err:
145 	return 0;
146 }
147 
148 static int
149 tls13_client_hello_is_legacy(CBS *cbs)
150 {
151 	CBS extensions_block, extensions, extension_data, versions;
152 	uint16_t version, max_version = 0;
153 	uint16_t type;
154 
155 	CBS_dup(cbs, &extensions_block);
156 
157 	if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
158 		return 1;
159 
160 	while (CBS_len(&extensions) > 0) {
161 		if (!CBS_get_u16(&extensions, &type))
162 			return 1;
163 		if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
164 			return 1;
165 
166 		if (type != TLSEXT_TYPE_supported_versions)
167 			continue;
168 		if (!CBS_get_u8_length_prefixed(&extension_data, &versions))
169 			return 1;
170 		while (CBS_len(&versions) > 0) {
171 			if (!CBS_get_u16(&versions, &version))
172 				return 1;
173 			if (version >= max_version)
174 				max_version = version;
175 		}
176 		if (CBS_len(&extension_data) != 0)
177 			return 1;
178 	}
179 
180 	return (max_version < TLS1_3_VERSION);
181 }
182 
183 static int
184 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
185 {
186 	CBS cipher_suites, client_random, compression_methods, session_id;
187 	STACK_OF(SSL_CIPHER) *ciphers = NULL;
188 	const SSL_CIPHER *cipher;
189 	uint16_t legacy_version;
190 	uint8_t compression_method;
191 	int alert_desc, comp_null;
192 	SSL *s = ctx->ssl;
193 	int ret = 0;
194 
195 	if (!CBS_get_u16(cbs, &legacy_version))
196 		goto err;
197 	if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE))
198 		goto err;
199 	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
200 		goto err;
201 	if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites))
202 		goto err;
203 	if (!CBS_get_u8_length_prefixed(cbs, &compression_methods))
204 		goto err;
205 
206 	if (tls13_client_hello_is_legacy(cbs)) {
207 		if (!CBS_skip(cbs, CBS_len(cbs)))
208 			goto err;
209 		return tls13_use_legacy_server(ctx);
210 	}
211 
212 	if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) {
213 		ctx->alert = alert_desc;
214 		goto err;
215 	}
216 
217 	/*
218 	 * If we got this far we have a supported versions extension that offers
219 	 * TLS 1.3 or later. This requires the legacy version be set to 0x0303.
220 	 */
221 	if (legacy_version != TLS1_2_VERSION) {
222 		ctx->alert = SSL_AD_PROTOCOL_VERSION;
223 		goto err;
224 	}
225 
226 	/* Store legacy session identifier so we can echo it. */
227 	if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) {
228 		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
229 		goto err;
230 	}
231 	if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
232 	    sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len))
233 		goto err;
234 
235 	/* Parse cipher suites list and select preferred cipher. */
236 	if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) {
237 		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
238 		goto err;
239 	}
240 	cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s));
241 	if (cipher == NULL) {
242 		tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0,
243 		    "no shared cipher found", NULL);
244 		ctx->alert = SSL_AD_HANDSHAKE_FAILURE;
245 		goto err;
246 	}
247 	S3I(s)->hs.new_cipher = cipher;
248 
249 	/* Ensure they advertise the NULL compression method. */
250 	comp_null = 0;
251 	while (CBS_len(&compression_methods) > 0) {
252 		if (!CBS_get_u8(&compression_methods, &compression_method))
253 			goto err;
254 		if (compression_method == 0)
255 			comp_null = 1;
256 	}
257 	if (!comp_null) {
258 		ctx->alert = SSL_AD_ILLEGAL_PARAMETER;
259 		goto err;
260 	}
261 
262 	ret = 1;
263 
264  err:
265 	sk_SSL_CIPHER_free(ciphers);
266 
267 	return ret;
268 }
269 
270 int
271 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
272 {
273 	SSL *s = ctx->ssl;
274 
275 	if (!tls13_client_hello_process(ctx, cbs))
276 		goto err;
277 
278 	/* See if we switched back to the legacy client method. */
279 	if (s->method->internal->version < TLS1_3_VERSION)
280 		return 1;
281 
282 	tls13_record_layer_allow_ccs(ctx->rl, 1);
283 
284 	return 1;
285 
286  err:
287 	return 0;
288 }
289 
290 int
291 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
292 {
293 	return 0;
294 }
295 
296 int
297 tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
298 {
299 	return 0;
300 }
301 
302 int
303 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb)
304 {
305 	return 0;
306 }
307 
308 int
309 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
310 {
311 	return 0;
312 }
313 
314 int
315 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
316 {
317 	return 0;
318 }
319 
320 int
321 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
322 {
323 	return 0;
324 }
325 
326 int
327 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
328 {
329 	return 0;
330 }
331 
332 int
333 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
334 {
335 	return 0;
336 }
337 
338 int
339 tls13_client_key_update_send(struct tls13_ctx *ctx, CBB *cbb)
340 {
341 	return 0;
342 }
343 
344 int
345 tls13_client_key_update_recv(struct tls13_ctx *ctx, CBS *cbs)
346 {
347 	return 0;
348 }
349 
350 static int
351 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb)
352 {
353 	CBB session_id;
354 	SSL *s = ctx->ssl;
355 	uint16_t cipher;
356 
357 	cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher);
358 
359 	if (!CBB_add_u16(cbb, TLS1_2_VERSION))
360 		goto err;
361 	if (!CBB_add_bytes(cbb, s->s3->server_random, SSL3_RANDOM_SIZE))
362 		goto err;
363 	if (!CBB_add_u8_length_prefixed(cbb, &session_id))
364 		goto err;
365 	if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
366 	    ctx->hs->legacy_session_id_len))
367 		goto err;
368 	if (!CBB_add_u16(cbb, cipher))
369 		goto err;
370 	if (!CBB_add_u8(cbb, 0))
371 		goto err;
372 	if (!tlsext_server_build(s, cbb, SSL_TLSEXT_MSG_SH))
373 		goto err;
374 
375 	if (!CBB_flush(cbb))
376 		goto err;
377 
378 	return 1;
379 err:
380 	return 0;
381 }
382 
383 int
384 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
385 {
386 	if (!tls13_server_hello_build(ctx, cbb))
387 		return 0;
388 
389 	return 1;
390 }
391 
392 int
393 tls13_server_hello_sent(struct tls13_ctx *ctx)
394 {
395 	struct tls13_secrets *secrets;
396 	struct tls13_secret context;
397 	unsigned char buf[EVP_MAX_MD_SIZE];
398 	uint8_t *shared_key = NULL;
399 	size_t hash_len;
400 	SSL *s = ctx->ssl;
401 	int ret = 0;
402 
403 	/* XXX - handle other key share types. */
404 	if (ctx->hs->x25519_peer_public == NULL) {
405 		/* XXX - alert. */
406 		goto err;
407 	}
408 	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
409 		goto err;
410 	if (!X25519(shared_key, ctx->hs->x25519_private,
411 	    ctx->hs->x25519_peer_public))
412 		goto err;
413 
414 	s->session->cipher = S3I(s)->hs.new_cipher;
415 	s->session->ssl_version = ctx->hs->server_version;
416 
417 	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
418 		goto err;
419 	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
420 		goto err;
421 
422 	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
423 		goto err;
424 	S3I(ctx->ssl)->hs_tls13.secrets = secrets;
425 
426 	/* XXX - pass in hash. */
427 	if (!tls1_transcript_hash_init(s))
428 		goto err;
429 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
430 		goto err;
431 	context.data = buf;
432 	context.len = hash_len;
433 
434 	/* Early secrets. */
435 	if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
436 	    secrets->zeros.len, &context))
437 		goto err;
438 
439 	/* Handshake secrets. */
440 	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
441 	    X25519_KEY_LENGTH, &context))
442 		goto err;
443 
444 	tls13_record_layer_set_aead(ctx->rl, ctx->aead);
445 	tls13_record_layer_set_hash(ctx->rl, ctx->hash);
446 
447 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
448 	    &secrets->client_handshake_traffic))
449 		goto err;
450 	if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
451 	    &secrets->server_handshake_traffic))
452 		goto err;
453 
454  	ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_CR;
455 	ret = 1;
456 
457  err:
458 	freezero(shared_key, X25519_KEY_LENGTH);
459 	return ret;
460 }
461 
462 int
463 tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
464 {
465 	return 0;
466 }
467 
468 int
469 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb)
470 {
471 	if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE))
472 		goto err;
473 
474 	return 1;
475  err:
476 	return 0;
477 }
478 
479 static int
480 tls13_cert_add(CBB *cbb, X509 *cert)
481 {
482 	CBB cert_data, cert_exts;
483 	uint8_t *data;
484 	int cert_len;
485 
486 	if ((cert_len = i2d_X509(cert, NULL)) < 0)
487 		return 0;
488 
489 	if (!CBB_add_u24_length_prefixed(cbb, &cert_data))
490 		return 0;
491 	if (!CBB_add_space(&cert_data, &data, cert_len))
492 		return 0;
493 	if (i2d_X509(cert, &data) != cert_len)
494 		return 0;
495 
496 	if (!CBB_add_u16_length_prefixed(cbb, &cert_exts))
497 		return 0;
498 
499 	if (!CBB_flush(cbb))
500 		return 0;
501 
502 	return 1;
503 }
504 
505 int
506 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
507 {
508 	SSL *s = ctx->ssl;
509 	CBB cert_request_context, cert_list;
510 	STACK_OF(X509) *chain;
511 	CERT_PKEY *cpk;
512 	X509 *cert;
513 	int i, ret = 0;
514 
515 	/* XXX - Need to revisit certificate selection. */
516 	cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
517 
518 	if ((chain = cpk->chain) == NULL)
519 		chain = s->ctx->extra_certs;
520 
521 	if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
522 		goto err;
523 	if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
524 		goto err;
525 
526 	if (cpk->x509 == NULL)
527 		goto done;
528 
529 	if (!tls13_cert_add(&cert_list, cpk->x509))
530 		goto err;
531 
532 	for (i = 0; i < sk_X509_num(chain); i++) {
533 		cert = sk_X509_value(chain, i);
534 		if (!tls13_cert_add(&cert_list, cert))
535 			goto err;
536 	}
537 
538  done:
539 	if (!CBB_flush(cbb))
540 		goto err;
541 
542 	ret = 1;
543 
544  err:
545 	return ret;
546 }
547 
548 /* XXX - move up. */
549 int
550 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
551 {
552 	CBB certificate_request_context;
553 
554 	if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context))
555 		goto err;
556 	if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR))
557 		goto err;
558 
559 	if (!CBB_flush(cbb))
560 		goto err;
561 
562 	return 1;
563  err:
564 	return 0;
565 }
566 
567 /*
568  * Certificate Verify padding - RFC 8446 section 4.4.3.
569  */
570 static uint8_t cert_verify_pad[64] = {
571 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
572 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
573 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
574 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
575 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
576 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
577 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
578 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
579 };
580 
581 static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify";
582 
583 int
584 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
585 {
586 	SSL *s = ctx->ssl;
587 	const struct ssl_sigalg *sigalg = NULL;
588 	uint8_t *sig = NULL, *sig_content = NULL;
589 	size_t sig_len, sig_content_len;
590 	EVP_MD_CTX *mdctx = NULL;
591 	EVP_PKEY_CTX *pctx;
592 	EVP_PKEY *pkey;
593 	CERT_PKEY *cpk;
594 	CBB sig_cbb;
595 	int ret = 0;
596 
597 	memset(&sig_cbb, 0, sizeof(sig_cbb));
598 
599 	/* XXX - Need to revisit certificate selection. */
600 	cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC];
601 	pkey = cpk->privatekey;
602 
603 	if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) {
604 		/* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */
605 		goto err;
606 	}
607 
608 	if (!CBB_init(&sig_cbb, 0))
609 		goto err;
610 	if (!CBB_add_bytes(&sig_cbb, cert_verify_pad, sizeof(cert_verify_pad)))
611 		goto err;
612 	if (!CBB_add_bytes(&sig_cbb, server_cert_verify_context,
613 	    strlen(server_cert_verify_context)))
614 		goto err;
615 	if (!CBB_add_u8(&sig_cbb, 0))
616 		goto err;
617 	if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
618 	    ctx->hs->transcript_hash_len))
619 		goto err;
620 	if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
621 		goto err;
622 
623 	if ((mdctx = EVP_MD_CTX_new()) == NULL)
624 		goto err;
625 	if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
626 		goto err;
627 	if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
628 		if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
629 			goto err;
630 		if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
631 			goto err;
632 	}
633 	if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len))
634 		goto err;
635 	if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0)
636 		goto err;
637 	if ((sig = calloc(1, sig_len)) == NULL)
638 		goto err;
639 	if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0)
640 		goto err;
641 
642 	if (!CBB_add_u16(cbb, sigalg->value))
643 		goto err;
644 	if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb))
645 		goto err;
646 	if (!CBB_add_bytes(&sig_cbb, sig, sig_len))
647 		goto err;
648 
649 	if (!CBB_flush(cbb))
650 		goto err;
651 
652 	ret = 1;
653 
654  err:
655 	if (!ret && ctx->alert == 0)
656 		ctx->alert = TLS1_AD_INTERNAL_ERROR;
657 
658 	CBB_cleanup(&sig_cbb);
659 	EVP_MD_CTX_free(mdctx);
660 	free(sig_content);
661 	free(sig);
662 
663 	return ret;
664 }
665 
666 int
667 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
668 {
669 	struct tls13_secrets *secrets = ctx->hs->secrets;
670 	struct tls13_secret context = { .data = "", .len = 0 };
671 	struct tls13_secret finished_key;
672 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
673 	size_t transcript_hash_len;
674 	uint8_t key[EVP_MAX_MD_SIZE];
675 	uint8_t *verify_data;
676 	size_t hmac_len;
677 	unsigned int hlen;
678 	HMAC_CTX *hmac_ctx = NULL;
679 	int ret = 0;
680 
681 	finished_key.data = key;
682 	finished_key.len = EVP_MD_size(ctx->hash);
683 
684 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
685 	    &secrets->server_handshake_traffic, "finished",
686 	    &context))
687 		goto err;
688 
689 	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
690 	    sizeof(transcript_hash), &transcript_hash_len))
691 		goto err;
692 
693 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
694 		goto err;
695 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
696 	    ctx->hash, NULL))
697 		goto err;
698 	if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
699 		goto err;
700 
701 	hmac_len = HMAC_size(hmac_ctx);
702 	if (!CBB_add_space(cbb, &verify_data, hmac_len))
703 		goto err;
704 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
705 		goto err;
706 	if (hlen != hmac_len)
707 		goto err;
708 
709 	ret = 1;
710 
711  err:
712 	HMAC_CTX_free(hmac_ctx);
713 
714 	return ret;
715 }
716 
717 int
718 tls13_server_finished_sent(struct tls13_ctx *ctx)
719 {
720 	struct tls13_secrets *secrets = ctx->hs->secrets;
721 	struct tls13_secret context = { .data = "", .len = 0 };
722 
723 	/*
724 	 * Derive application traffic keys.
725 	 */
726 	context.data = ctx->hs->transcript_hash;
727 	context.len = ctx->hs->transcript_hash_len;
728 
729 	if (!tls13_derive_application_secrets(secrets, &context))
730 		return 0;
731 
732 	/*
733 	 * Any records following the server finished message must be encrypted
734 	 * using the server application traffic keys.
735 	 */
736 	return tls13_record_layer_set_write_traffic_key(ctx->rl,
737 	    &secrets->server_application_traffic);
738 }
739 
740 int
741 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
742 {
743 	struct tls13_secrets *secrets = ctx->hs->secrets;
744 	struct tls13_secret context = { .data = "", .len = 0 };
745 	struct tls13_secret finished_key;
746 	uint8_t *verify_data = NULL;
747 	size_t verify_data_len;
748 	uint8_t key[EVP_MAX_MD_SIZE];
749 	HMAC_CTX *hmac_ctx = NULL;
750 	unsigned int hlen;
751 	int ret = 0;
752 
753 	/*
754 	 * Verify client finished.
755 	 */
756 	finished_key.data = key;
757 	finished_key.len = EVP_MD_size(ctx->hash);
758 
759 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
760 	    &secrets->client_handshake_traffic, "finished",
761 	    &context))
762 		goto err;
763 
764 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
765 		goto err;
766 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
767 	    ctx->hash, NULL))
768 		goto err;
769 	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
770 	    ctx->hs->transcript_hash_len))
771 		goto err;
772 	verify_data_len = HMAC_size(hmac_ctx);
773 	if ((verify_data = calloc(1, verify_data_len)) == NULL)
774 		goto err;
775 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
776 		goto err;
777 	if (hlen != verify_data_len)
778 		goto err;
779 
780 	if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) {
781 		ctx->alert = TLS1_AD_DECRYPTION_FAILED;
782 		goto err;
783 	}
784 
785 	if (!CBS_skip(cbs, verify_data_len))
786 		goto err;
787 
788 	/*
789 	 * Any records following the client finished message must be encrypted
790 	 * using the client application traffic keys.
791 	 */
792 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
793 	    &secrets->client_application_traffic))
794 		goto err;
795 
796 	tls13_record_layer_allow_ccs(ctx->rl, 0);
797 
798 	ret = 1;
799 
800  err:
801 	HMAC_CTX_free(hmac_ctx);
802 	free(verify_data);
803 
804 	return ret;
805 }
806