1 /* $OpenBSD: tls13_server.c,v 1.16 2020/01/24 08:21:24 jsing Exp $ */ 2 /* 3 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <openssl/curve25519.h> 20 21 #include "ssl_locl.h" 22 #include "ssl_tlsext.h" 23 24 #include "tls13_handshake.h" 25 #include "tls13_internal.h" 26 27 static int 28 tls13_accept(struct tls13_ctx *ctx) 29 { 30 if (ctx->mode != TLS13_HS_SERVER) 31 return TLS13_IO_FAILURE; 32 33 return tls13_handshake_perform(ctx); 34 } 35 36 static int 37 tls13_server_init(struct tls13_ctx *ctx) 38 { 39 SSL *s = ctx->ssl; 40 41 if (!ssl_supported_version_range(s, &ctx->hs->min_version, 42 &ctx->hs->max_version)) { 43 SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 44 return 0; 45 } 46 s->version = ctx->hs->max_version; 47 48 if (!tls1_transcript_init(s)) 49 return 0; 50 51 if ((s->session = SSL_SESSION_new()) == NULL) 52 return 0; 53 54 arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 55 56 return 1; 57 } 58 59 int 60 tls13_legacy_accept(SSL *ssl) 61 { 62 struct tls13_ctx *ctx = ssl->internal->tls13; 63 int ret; 64 65 if (ctx == NULL) { 66 if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { 67 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 68 return -1; 69 } 70 ssl->internal->tls13 = ctx; 71 ctx->ssl = ssl; 72 ctx->hs = &S3I(ssl)->hs_tls13; 73 74 if (!tls13_server_init(ctx)) { 75 if (ERR_peek_error() == 0) 76 SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ 77 return -1; 78 } 79 } 80 81 S3I(ssl)->hs.state = SSL_ST_ACCEPT; 82 83 ret = tls13_accept(ctx); 84 if (ret == TLS13_IO_USE_LEGACY) 85 return ssl->method->internal->ssl_accept(ssl); 86 if (ret == TLS13_IO_SUCCESS) 87 S3I(ssl)->hs.state = SSL_ST_OK; 88 89 return tls13_legacy_return_code(ssl, ret); 90 } 91 92 int 93 tls13_use_legacy_server(struct tls13_ctx *ctx) 94 { 95 SSL *s = ctx->ssl; 96 CBS cbs; 97 98 s->method = tls_legacy_server_method(); 99 s->client_version = s->version = s->method->internal->max_version; 100 s->server = 1; 101 102 if (!ssl3_setup_init_buffer(s)) 103 goto err; 104 if (!ssl3_setup_buffers(s)) 105 goto err; 106 if (!ssl_init_wbio_buffer(s, 0)) 107 goto err; 108 109 if (s->bbio != s->wbio) 110 s->wbio = BIO_push(s->bbio, s->wbio); 111 112 /* Stash any unprocessed data from the last record. */ 113 tls13_record_layer_rbuf(ctx->rl, &cbs); 114 if (CBS_len(&cbs) > 0) { 115 if (!CBS_write_bytes(&cbs, 116 S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, 117 S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) 118 goto err; 119 120 S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; 121 S3I(s)->rbuf.left = CBS_len(&cbs); 122 S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; 123 S3I(s)->rrec.length = CBS_len(&cbs); 124 s->internal->rstate = SSL_ST_READ_BODY; 125 s->internal->packet = S3I(s)->rbuf.buf; 126 s->internal->packet_length = SSL3_RT_HEADER_LENGTH; 127 s->internal->mac_packet = 1; 128 } 129 130 /* Stash the current handshake message. */ 131 tls13_handshake_msg_data(ctx->hs_msg, &cbs); 132 if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, 133 s->internal->init_buf->length, NULL)) 134 goto err; 135 136 S3I(s)->tmp.reuse_message = 1; 137 S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); 138 S3I(s)->tmp.message_size = CBS_len(&cbs); 139 140 S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; 141 142 return 1; 143 144 err: 145 return 0; 146 } 147 148 static int 149 tls13_client_hello_is_legacy(CBS *cbs) 150 { 151 CBS extensions_block, extensions, extension_data, versions; 152 uint16_t version, max_version = 0; 153 uint16_t type; 154 155 CBS_dup(cbs, &extensions_block); 156 157 if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 158 return 1; 159 160 while (CBS_len(&extensions) > 0) { 161 if (!CBS_get_u16(&extensions, &type)) 162 return 1; 163 if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 164 return 1; 165 166 if (type != TLSEXT_TYPE_supported_versions) 167 continue; 168 if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 169 return 1; 170 while (CBS_len(&versions) > 0) { 171 if (!CBS_get_u16(&versions, &version)) 172 return 1; 173 if (version >= max_version) 174 max_version = version; 175 } 176 if (CBS_len(&extension_data) != 0) 177 return 1; 178 } 179 180 return (max_version < TLS1_3_VERSION); 181 } 182 183 static int 184 tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 185 { 186 CBS cipher_suites, client_random, compression_methods, session_id; 187 STACK_OF(SSL_CIPHER) *ciphers = NULL; 188 const SSL_CIPHER *cipher; 189 uint16_t legacy_version; 190 uint8_t compression_method; 191 int alert_desc, comp_null; 192 SSL *s = ctx->ssl; 193 int ret = 0; 194 195 if (!CBS_get_u16(cbs, &legacy_version)) 196 goto err; 197 if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 198 goto err; 199 if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 200 goto err; 201 if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 202 goto err; 203 if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 204 goto err; 205 206 if (tls13_client_hello_is_legacy(cbs)) { 207 if (!CBS_skip(cbs, CBS_len(cbs))) 208 goto err; 209 return tls13_use_legacy_server(ctx); 210 } 211 212 if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) { 213 ctx->alert = alert_desc; 214 goto err; 215 } 216 217 /* 218 * If we got this far we have a supported versions extension that offers 219 * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 220 */ 221 if (legacy_version != TLS1_2_VERSION) { 222 ctx->alert = SSL_AD_PROTOCOL_VERSION; 223 goto err; 224 } 225 226 /* Store legacy session identifier so we can echo it. */ 227 if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 228 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 229 goto err; 230 } 231 if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 232 sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len)) 233 goto err; 234 235 /* Parse cipher suites list and select preferred cipher. */ 236 if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 237 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 238 goto err; 239 } 240 cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 241 if (cipher == NULL) { 242 tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 243 "no shared cipher found", NULL); 244 ctx->alert = SSL_AD_HANDSHAKE_FAILURE; 245 goto err; 246 } 247 S3I(s)->hs.new_cipher = cipher; 248 249 /* Ensure they advertise the NULL compression method. */ 250 comp_null = 0; 251 while (CBS_len(&compression_methods) > 0) { 252 if (!CBS_get_u8(&compression_methods, &compression_method)) 253 goto err; 254 if (compression_method == 0) 255 comp_null = 1; 256 } 257 if (!comp_null) { 258 ctx->alert = SSL_AD_ILLEGAL_PARAMETER; 259 goto err; 260 } 261 262 ret = 1; 263 264 err: 265 sk_SSL_CIPHER_free(ciphers); 266 267 return ret; 268 } 269 270 int 271 tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 272 { 273 SSL *s = ctx->ssl; 274 275 if (!tls13_client_hello_process(ctx, cbs)) 276 goto err; 277 278 /* See if we switched back to the legacy client method. */ 279 if (s->method->internal->version < TLS1_3_VERSION) 280 return 1; 281 282 tls13_record_layer_allow_ccs(ctx->rl, 1); 283 284 return 1; 285 286 err: 287 return 0; 288 } 289 290 int 291 tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 292 { 293 return 0; 294 } 295 296 int 297 tls13_server_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 298 { 299 return 0; 300 } 301 302 int 303 tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) 304 { 305 return 0; 306 } 307 308 int 309 tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 310 { 311 return 0; 312 } 313 314 int 315 tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 316 { 317 return 0; 318 } 319 320 int 321 tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 322 { 323 return 0; 324 } 325 326 int 327 tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 328 { 329 return 0; 330 } 331 332 int 333 tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 334 { 335 return 0; 336 } 337 338 int 339 tls13_client_key_update_send(struct tls13_ctx *ctx, CBB *cbb) 340 { 341 return 0; 342 } 343 344 int 345 tls13_client_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) 346 { 347 return 0; 348 } 349 350 static int 351 tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb) 352 { 353 CBB session_id; 354 SSL *s = ctx->ssl; 355 uint16_t cipher; 356 357 cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 358 359 if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 360 goto err; 361 if (!CBB_add_bytes(cbb, s->s3->server_random, SSL3_RANDOM_SIZE)) 362 goto err; 363 if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 364 goto err; 365 if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 366 ctx->hs->legacy_session_id_len)) 367 goto err; 368 if (!CBB_add_u16(cbb, cipher)) 369 goto err; 370 if (!CBB_add_u8(cbb, 0)) 371 goto err; 372 if (!tlsext_server_build(s, cbb, SSL_TLSEXT_MSG_SH)) 373 goto err; 374 375 if (!CBB_flush(cbb)) 376 goto err; 377 378 return 1; 379 err: 380 return 0; 381 } 382 383 int 384 tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 385 { 386 if (!tls13_server_hello_build(ctx, cbb)) 387 return 0; 388 389 return 1; 390 } 391 392 int 393 tls13_server_hello_sent(struct tls13_ctx *ctx) 394 { 395 struct tls13_secrets *secrets; 396 struct tls13_secret context; 397 unsigned char buf[EVP_MAX_MD_SIZE]; 398 uint8_t *shared_key = NULL; 399 size_t hash_len; 400 SSL *s = ctx->ssl; 401 int ret = 0; 402 403 /* XXX - handle other key share types. */ 404 if (ctx->hs->x25519_peer_public == NULL) { 405 /* XXX - alert. */ 406 goto err; 407 } 408 if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL) 409 goto err; 410 if (!X25519(shared_key, ctx->hs->x25519_private, 411 ctx->hs->x25519_peer_public)) 412 goto err; 413 414 s->session->cipher = S3I(s)->hs.new_cipher; 415 s->session->ssl_version = ctx->hs->server_version; 416 417 if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 418 goto err; 419 if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 420 goto err; 421 422 if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 423 goto err; 424 S3I(ctx->ssl)->hs_tls13.secrets = secrets; 425 426 /* XXX - pass in hash. */ 427 if (!tls1_transcript_hash_init(s)) 428 goto err; 429 if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 430 goto err; 431 context.data = buf; 432 context.len = hash_len; 433 434 /* Early secrets. */ 435 if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 436 secrets->zeros.len, &context)) 437 goto err; 438 439 /* Handshake secrets. */ 440 if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 441 X25519_KEY_LENGTH, &context)) 442 goto err; 443 444 tls13_record_layer_set_aead(ctx->rl, ctx->aead); 445 tls13_record_layer_set_hash(ctx->rl, ctx->hash); 446 447 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 448 &secrets->client_handshake_traffic)) 449 goto err; 450 if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 451 &secrets->server_handshake_traffic)) 452 goto err; 453 454 ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_CR; 455 ret = 1; 456 457 err: 458 freezero(shared_key, X25519_KEY_LENGTH); 459 return ret; 460 } 461 462 int 463 tls13_server_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) 464 { 465 return 0; 466 } 467 468 int 469 tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 470 { 471 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE)) 472 goto err; 473 474 return 1; 475 err: 476 return 0; 477 } 478 479 static int 480 tls13_cert_add(CBB *cbb, X509 *cert) 481 { 482 CBB cert_data, cert_exts; 483 uint8_t *data; 484 int cert_len; 485 486 if ((cert_len = i2d_X509(cert, NULL)) < 0) 487 return 0; 488 489 if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) 490 return 0; 491 if (!CBB_add_space(&cert_data, &data, cert_len)) 492 return 0; 493 if (i2d_X509(cert, &data) != cert_len) 494 return 0; 495 496 if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) 497 return 0; 498 499 if (!CBB_flush(cbb)) 500 return 0; 501 502 return 1; 503 } 504 505 int 506 tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 507 { 508 SSL *s = ctx->ssl; 509 CBB cert_request_context, cert_list; 510 STACK_OF(X509) *chain; 511 CERT_PKEY *cpk; 512 X509 *cert; 513 int i, ret = 0; 514 515 /* XXX - Need to revisit certificate selection. */ 516 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 517 518 if ((chain = cpk->chain) == NULL) 519 chain = s->ctx->extra_certs; 520 521 if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 522 goto err; 523 if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 524 goto err; 525 526 if (cpk->x509 == NULL) 527 goto done; 528 529 if (!tls13_cert_add(&cert_list, cpk->x509)) 530 goto err; 531 532 for (i = 0; i < sk_X509_num(chain); i++) { 533 cert = sk_X509_value(chain, i); 534 if (!tls13_cert_add(&cert_list, cert)) 535 goto err; 536 } 537 538 done: 539 if (!CBB_flush(cbb)) 540 goto err; 541 542 ret = 1; 543 544 err: 545 return ret; 546 } 547 548 /* XXX - move up. */ 549 int 550 tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 551 { 552 CBB certificate_request_context; 553 554 if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 555 goto err; 556 if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR)) 557 goto err; 558 559 if (!CBB_flush(cbb)) 560 goto err; 561 562 return 1; 563 err: 564 return 0; 565 } 566 567 /* 568 * Certificate Verify padding - RFC 8446 section 4.4.3. 569 */ 570 static uint8_t cert_verify_pad[64] = { 571 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 572 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 573 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 574 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 575 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 576 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 577 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 578 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 579 }; 580 581 static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify"; 582 583 int 584 tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 585 { 586 SSL *s = ctx->ssl; 587 const struct ssl_sigalg *sigalg = NULL; 588 uint8_t *sig = NULL, *sig_content = NULL; 589 size_t sig_len, sig_content_len; 590 EVP_MD_CTX *mdctx = NULL; 591 EVP_PKEY_CTX *pctx; 592 EVP_PKEY *pkey; 593 CERT_PKEY *cpk; 594 CBB sig_cbb; 595 int ret = 0; 596 597 memset(&sig_cbb, 0, sizeof(sig_cbb)); 598 599 /* XXX - Need to revisit certificate selection. */ 600 cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 601 pkey = cpk->privatekey; 602 603 if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 604 /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */ 605 goto err; 606 } 607 608 if (!CBB_init(&sig_cbb, 0)) 609 goto err; 610 if (!CBB_add_bytes(&sig_cbb, cert_verify_pad, sizeof(cert_verify_pad))) 611 goto err; 612 if (!CBB_add_bytes(&sig_cbb, server_cert_verify_context, 613 strlen(server_cert_verify_context))) 614 goto err; 615 if (!CBB_add_u8(&sig_cbb, 0)) 616 goto err; 617 if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 618 ctx->hs->transcript_hash_len)) 619 goto err; 620 if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 621 goto err; 622 623 if ((mdctx = EVP_MD_CTX_new()) == NULL) 624 goto err; 625 if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 626 goto err; 627 if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 628 if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 629 goto err; 630 if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 631 goto err; 632 } 633 if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 634 goto err; 635 if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 636 goto err; 637 if ((sig = calloc(1, sig_len)) == NULL) 638 goto err; 639 if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 640 goto err; 641 642 if (!CBB_add_u16(cbb, sigalg->value)) 643 goto err; 644 if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 645 goto err; 646 if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 647 goto err; 648 649 if (!CBB_flush(cbb)) 650 goto err; 651 652 ret = 1; 653 654 err: 655 if (!ret && ctx->alert == 0) 656 ctx->alert = TLS1_AD_INTERNAL_ERROR; 657 658 CBB_cleanup(&sig_cbb); 659 EVP_MD_CTX_free(mdctx); 660 free(sig_content); 661 free(sig); 662 663 return ret; 664 } 665 666 int 667 tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 668 { 669 struct tls13_secrets *secrets = ctx->hs->secrets; 670 struct tls13_secret context = { .data = "", .len = 0 }; 671 struct tls13_secret finished_key; 672 uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 673 size_t transcript_hash_len; 674 uint8_t key[EVP_MAX_MD_SIZE]; 675 uint8_t *verify_data; 676 size_t hmac_len; 677 unsigned int hlen; 678 HMAC_CTX *hmac_ctx = NULL; 679 int ret = 0; 680 681 finished_key.data = key; 682 finished_key.len = EVP_MD_size(ctx->hash); 683 684 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 685 &secrets->server_handshake_traffic, "finished", 686 &context)) 687 goto err; 688 689 if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 690 sizeof(transcript_hash), &transcript_hash_len)) 691 goto err; 692 693 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 694 goto err; 695 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 696 ctx->hash, NULL)) 697 goto err; 698 if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 699 goto err; 700 701 hmac_len = HMAC_size(hmac_ctx); 702 if (!CBB_add_space(cbb, &verify_data, hmac_len)) 703 goto err; 704 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 705 goto err; 706 if (hlen != hmac_len) 707 goto err; 708 709 ret = 1; 710 711 err: 712 HMAC_CTX_free(hmac_ctx); 713 714 return ret; 715 } 716 717 int 718 tls13_server_finished_sent(struct tls13_ctx *ctx) 719 { 720 struct tls13_secrets *secrets = ctx->hs->secrets; 721 struct tls13_secret context = { .data = "", .len = 0 }; 722 723 /* 724 * Derive application traffic keys. 725 */ 726 context.data = ctx->hs->transcript_hash; 727 context.len = ctx->hs->transcript_hash_len; 728 729 if (!tls13_derive_application_secrets(secrets, &context)) 730 return 0; 731 732 /* 733 * Any records following the server finished message must be encrypted 734 * using the server application traffic keys. 735 */ 736 return tls13_record_layer_set_write_traffic_key(ctx->rl, 737 &secrets->server_application_traffic); 738 } 739 740 int 741 tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 742 { 743 struct tls13_secrets *secrets = ctx->hs->secrets; 744 struct tls13_secret context = { .data = "", .len = 0 }; 745 struct tls13_secret finished_key; 746 uint8_t *verify_data = NULL; 747 size_t verify_data_len; 748 uint8_t key[EVP_MAX_MD_SIZE]; 749 HMAC_CTX *hmac_ctx = NULL; 750 unsigned int hlen; 751 int ret = 0; 752 753 /* 754 * Verify client finished. 755 */ 756 finished_key.data = key; 757 finished_key.len = EVP_MD_size(ctx->hash); 758 759 if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 760 &secrets->client_handshake_traffic, "finished", 761 &context)) 762 goto err; 763 764 if ((hmac_ctx = HMAC_CTX_new()) == NULL) 765 goto err; 766 if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 767 ctx->hash, NULL)) 768 goto err; 769 if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 770 ctx->hs->transcript_hash_len)) 771 goto err; 772 verify_data_len = HMAC_size(hmac_ctx); 773 if ((verify_data = calloc(1, verify_data_len)) == NULL) 774 goto err; 775 if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 776 goto err; 777 if (hlen != verify_data_len) 778 goto err; 779 780 if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 781 ctx->alert = TLS1_AD_DECRYPTION_FAILED; 782 goto err; 783 } 784 785 if (!CBS_skip(cbs, verify_data_len)) 786 goto err; 787 788 /* 789 * Any records following the client finished message must be encrypted 790 * using the client application traffic keys. 791 */ 792 if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 793 &secrets->client_application_traffic)) 794 goto err; 795 796 tls13_record_layer_allow_ccs(ctx->rl, 0); 797 798 ret = 1; 799 800 err: 801 HMAC_CTX_free(hmac_ctx); 802 free(verify_data); 803 804 return ret; 805 } 806