xref: /openbsd-src/lib/libssl/tls13_client.c (revision 7350f337b9e3eb4461d99580e625c7ef148d107c) 
1 /* $OpenBSD: tls13_client.c,v 1.16 2019/04/05 20:23:38 tb Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "ssl_locl.h"
19 
20 #include <openssl/curve25519.h>
21 #include <openssl/ssl3.h>
22 
23 #include "bytestring.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_handshake.h"
26 #include "tls13_internal.h"
27 
28 int
29 tls13_connect(struct tls13_ctx *ctx)
30 {
31 	if (ctx->mode != TLS13_HS_CLIENT)
32 		return TLS13_IO_FAILURE;
33 
34 	return tls13_handshake_perform(ctx);
35 }
36 
37 static int
38 tls13_client_init(struct tls13_ctx *ctx)
39 {
40 	SSL *s = ctx->ssl;
41 
42 	if (!ssl_supported_version_range(s, &ctx->hs->min_version,
43 	    &ctx->hs->max_version)) {
44 		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
45 		return 0;
46 	}
47 	s->client_version = s->version = ctx->hs->max_version;
48 
49 	if (!ssl_get_new_session(s, 0)) /* XXX */
50 		return 0;
51 
52 	if (!tls1_transcript_init(s))
53 		return 0;
54 
55 	arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
56 
57 	return 1;
58 }
59 
60 int
61 tls13_legacy_connect(SSL *ssl)
62 {
63 	struct tls13_ctx *ctx = ssl->internal->tls13;
64 	int ret;
65 
66 	if (ctx == NULL) {
67 		if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
68 			SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
69 			return -1;
70 		}
71 		ssl->internal->tls13 = ctx;
72 		ctx->ssl = ssl;
73 		ctx->hs = &S3I(ssl)->hs_tls13;
74 
75 		if (!tls13_client_init(ctx)) {
76 			if (ERR_peek_error() == 0)
77 				SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
78 			return -1;
79 		}
80 	}
81 
82 	S3I(ssl)->hs.state = SSL_ST_CONNECT;
83 
84 	ret = tls13_connect(ctx);
85 	if (ret == TLS13_IO_USE_LEGACY)
86 		return ssl->method->internal->ssl_connect(ssl);
87 	if (ret == TLS13_IO_SUCCESS)
88 		S3I(ssl)->hs.state = SSL_ST_OK;
89 
90 	return tls13_legacy_return_code(ssl, ret);
91 }
92 
93 int
94 tls13_use_legacy_client(struct tls13_ctx *ctx)
95 {
96 	SSL *s = ctx->ssl;
97 	CBS cbs;
98 
99 	s->method = tls_legacy_client_method();
100 	s->client_version = s->version = s->method->internal->max_version;
101 
102 	if (!ssl3_setup_init_buffer(s))
103 		goto err;
104 	if (!ssl3_setup_buffers(s))
105 		goto err;
106 	if (!ssl_init_wbio_buffer(s, 0))
107 		goto err;
108 
109 	if (s->bbio != s->wbio)
110 		s->wbio = BIO_push(s->bbio, s->wbio);
111 
112 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
113 		goto err;
114 
115 	if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs) + 4))
116 		goto err;
117 
118 	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data + 4,
119 	    s->internal->init_buf->length - 4, NULL))
120 		goto err;
121 
122 	S3I(s)->tmp.reuse_message = 1;
123 	S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
124 	S3I(s)->tmp.message_size = CBS_len(&cbs);
125 
126 	S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
127 
128 	return 1;
129 
130  err:
131 	return 0;
132 }
133 
134 static int
135 tls13_client_hello_build(SSL *s, CBB *cbb)
136 {
137 	CBB cipher_suites, compression_methods, session_id;
138 	uint8_t *sid;
139 
140 	if (!CBB_add_u16(cbb, TLS1_2_VERSION))
141 		goto err;
142 	if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
143 		goto err;
144 
145 	/* Either 32-random bytes or zero length... */
146 	/* XXX - session resumption for TLSv1.2? */
147 	if (!CBB_add_u8_length_prefixed(cbb, &session_id))
148 		goto err;
149 	if (!CBB_add_space(&session_id, &sid, 32))
150 		goto err;
151 	arc4random_buf(sid, 32);
152 
153 	if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
154 		goto err;
155 	if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) {
156 		SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
157 		goto err;
158 	}
159 
160 	if (!CBB_add_u8_length_prefixed(cbb, &compression_methods))
161 		goto err;
162 	if (!CBB_add_u8(&compression_methods, 0))
163 		goto err;
164 
165 	if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH))
166 		goto err;
167 
168 	if (!CBB_flush(cbb))
169 		goto err;
170 
171 	return 1;
172 
173  err:
174 	return 0;
175 }
176 
177 int
178 tls13_client_hello_send(struct tls13_ctx *ctx)
179 {
180 	CBB body;
181 
182 	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_CLIENT_HELLO))
183 		return 0;
184 	if (!tls13_client_hello_build(ctx->ssl, &body))
185 		return 0;
186 	if (!tls13_handshake_msg_finish(ctx->hs_msg))
187 		return 0;
188 
189 	return 1;
190 }
191 
192 /*
193  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
194  */
195 static const uint8_t tls13_hello_retry_request_hash[] = {
196 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
197 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
198 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
199 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
200 };
201 
202 static int
203 tls13_server_hello_is_legacy(CBS *cbs)
204 {
205 	CBS extensions_block, extensions, extension_data;
206 	uint16_t selected_version = 0;
207 	uint16_t type;
208 
209 	CBS_dup(cbs, &extensions_block);
210 
211 	if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
212 		return 1;
213 
214 	while (CBS_len(&extensions) > 0) {
215 		if (!CBS_get_u16(&extensions, &type))
216 			return 1;
217 		if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
218 			return 1;
219 
220 		if (type != TLSEXT_TYPE_supported_versions)
221 			continue;
222 		if (!CBS_get_u16(&extension_data, &selected_version))
223 			return 1;
224 		if (CBS_len(&extension_data) != 0)
225 			return 1;
226 	}
227 
228 	return (selected_version < TLS1_3_VERSION);
229 }
230 
231 static int
232 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
233 {
234 	CBS server_random, session_id;
235 	uint16_t cipher_suite, legacy_version;
236 	uint8_t compression_method;
237 	const SSL_CIPHER *cipher;
238 	SSL *s = ctx->ssl;
239 	int alert;
240 
241 	if (!CBS_get_u16(cbs, &legacy_version))
242 		goto err;
243 	if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
244 		goto err;
245 	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
246 		goto err;
247 	if (!CBS_get_u16(cbs, &cipher_suite))
248 		goto err;
249 	if (!CBS_get_u8(cbs, &compression_method))
250 		goto err;
251 
252 	if (tls13_server_hello_is_legacy(cbs))
253 		return tls13_use_legacy_client(ctx);
254 
255 	if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH))
256 		goto err;
257 
258 	if (CBS_len(cbs) != 0)
259 		goto err;
260 
261 	/*
262 	 * See if a supported versions extension was returned. If it was then
263 	 * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3).
264 	 * Otherwise, fallback to the legacy version, ensuring that it is both
265 	 * within range and not TLS 1.3 or greater (which must use the
266 	 * supported version extension.
267 	 */
268 	if (ctx->hs->server_version != 0) {
269 		if (legacy_version != TLS1_2_VERSION) {
270 			/* XXX - alert. */
271 			goto err;
272 		}
273 	} else {
274 		if (legacy_version < ctx->hs->min_version ||
275 		    legacy_version > ctx->hs->max_version ||
276 		    legacy_version > TLS1_2_VERSION) {
277 			/* XXX - alert. */
278 			goto err;
279 		}
280 		ctx->hs->server_version = legacy_version;
281 	}
282 
283 	/* XXX - session_id must match. */
284 
285 	/*
286 	 * Ensure that the cipher suite is one that we offered in the client
287 	 * hello and that it matches the TLS version selected.
288 	 */
289 	cipher = ssl3_get_cipher_by_value(cipher_suite);
290 	if (cipher == NULL ||
291 	    sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) {
292 		/* XXX - alert. */
293 		goto err;
294 	}
295 	if (ctx->hs->server_version == TLS1_3_VERSION &&
296 	    cipher->algorithm_ssl != SSL_TLSV1_3) {
297 		/* XXX - alert. */
298 		goto err;
299 	}
300 	/* XXX - move this to hs_tls13? */
301 	S3I(s)->hs.new_cipher = cipher;
302 
303 	if (compression_method != 0) {
304 		/* XXX - alert. */
305 		goto err;
306 	}
307 
308 	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
309 	    sizeof(tls13_hello_retry_request_hash)))
310 		ctx->handshake_stage.hs_type |= WITH_HRR;
311 
312 	return 1;
313 
314  err:
315 	/* XXX - send alert. */
316 
317 	return 0;
318 }
319 
320 int
321 tls13_server_hello_recv(struct tls13_ctx *ctx)
322 {
323 	struct tls13_secrets *secrets;
324 	struct tls13_secret context;
325 	unsigned char buf[EVP_MAX_MD_SIZE];
326 	uint8_t *shared_key = NULL;
327 	size_t hash_len;
328 	SSL *s = ctx->ssl;
329 	int ret = 0;
330 	CBS cbs;
331 
332 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
333 		goto err;
334 
335 	if (!tls13_server_hello_process(ctx, &cbs))
336 		goto err;
337 
338 	/* See if we switched back to the legacy client method. */
339 	if (s->method->internal->version < TLS1_3_VERSION)
340 		return 1;
341 
342 	/* XXX - handle other key share types. */
343 	if (ctx->hs->x25519_peer_public == NULL) {
344 		/* XXX - alert. */
345 		goto err;
346 	}
347 	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
348 		goto err;
349 	if (!X25519(shared_key, ctx->hs->x25519_private,
350 	    ctx->hs->x25519_peer_public))
351 		goto err;
352 
353 	s->session->cipher = S3I(s)->hs.new_cipher;
354 	s->session->ssl_version = ctx->hs->server_version;
355 
356 	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
357 		goto err;
358 	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
359 		goto err;
360 
361 	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
362 		goto err;
363 	S3I(ctx->ssl)->hs_tls13.secrets = secrets;
364 
365 	/* XXX - pass in hash. */
366 	if (!tls1_transcript_hash_init(s))
367 		goto err;
368 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
369 		goto err;
370 	context.data = buf;
371 	context.len = hash_len;
372 
373 	/* Early secrets. */
374 	if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
375 	    secrets->zeros.len, &context))
376 		goto err;
377 
378 	/* Handshake secrets. */
379 	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
380 	    X25519_KEY_LENGTH, &context))
381 		goto err;
382 
383 	tls13_record_layer_set_aead(ctx->rl, ctx->aead);
384 	tls13_record_layer_set_hash(ctx->rl, ctx->hash);
385 
386 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
387 	    &secrets->server_handshake_traffic))
388 		goto err;
389 	if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
390 	    &secrets->client_handshake_traffic))
391 		goto err;
392 
393 	ctx->handshake_stage.hs_type |= NEGOTIATED;
394 	ret = 1;
395 
396  err:
397 	freezero(shared_key, X25519_KEY_LENGTH);
398 	return ret;
399 }
400 
401 int
402 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
403 {
404 	int alert;
405 	CBS cbs;
406 
407 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
408 		goto err;
409 
410 	if (!tlsext_client_parse(ctx->ssl, &cbs, &alert, SSL_TLSEXT_MSG_EE))
411 		goto err;
412 
413 	if (CBS_len(&cbs) != 0)
414 		goto err;
415 
416 	return 1;
417 
418  err:
419 	/* XXX - send alert. */
420 
421 	return 0;
422 }
423 
424 int
425 tls13_server_certificate_request_recv(struct tls13_ctx *ctx)
426 {
427 	/*
428 	 * Thanks to poor state design in the RFC, this function can be called
429 	 * when we actually have a certificate message instead of a certificate
430 	 * request... in that case we call the certificate handler after
431 	 * switching state, to avoid advancing state.
432 	 */
433 	if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) {
434 		ctx->handshake_stage.hs_type |= WITHOUT_CR;
435 		return tls13_server_certificate_recv(ctx);
436 	}
437 
438 	/* XXX - unimplemented. */
439 
440 	return 0;
441 }
442 
443 int
444 tls13_server_certificate_recv(struct tls13_ctx *ctx)
445 {
446 	CBS cbs, cert_request_context, cert_list, cert_data, cert_exts;
447 	struct stack_st_X509 *certs = NULL;
448 	SSL *s = ctx->ssl;
449 	X509 *cert = NULL;
450 	EVP_PKEY *pkey;
451 	const uint8_t *p;
452 	int cert_idx;
453 	int ret = 0;
454 
455 	if ((certs = sk_X509_new_null()) == NULL)
456 		goto err;
457 
458 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
459 		goto err;
460 
461 	if (!CBS_get_u8_length_prefixed(&cbs, &cert_request_context))
462 		goto err;
463 	if (CBS_len(&cert_request_context) != 0)
464 		goto err;
465 	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
466 		goto err;
467 	if (CBS_len(&cbs) != 0)
468 		goto err;
469 
470 	while (CBS_len(&cert_list) > 0) {
471 		if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
472 			goto err;
473 		if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
474 			goto err;
475 
476 		p = CBS_data(&cert_data);
477 		if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
478 			goto err;
479 		if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
480 			goto err;
481 
482 		if (!sk_X509_push(certs, cert))
483 			goto err;
484 
485 		cert = NULL;
486 	}
487 
488 	/*
489 	 * At this stage we still have no proof of possession. As such, it would
490 	 * be preferable to keep the chain and verify once we have successfully
491 	 * processed the CertificateVerify message.
492 	 */
493 	if (ssl_verify_cert_chain(s, certs) <= 0 &&
494 	    s->verify_mode != SSL_VERIFY_NONE) {
495 		/* XXX send alert */
496 		goto err;
497 	}
498 	ERR_clear_error();
499 
500 	cert = sk_X509_value(certs, 0);
501 	X509_up_ref(cert);
502 
503 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
504 		goto err;
505 	if (EVP_PKEY_missing_parameters(pkey))
506 		goto err;
507 	if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
508 		goto err;
509 
510 	ssl_sess_cert_free(SSI(s)->sess_cert);
511 	if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
512 		goto err;
513 
514 	SSI(s)->sess_cert->cert_chain = certs;
515 	certs = NULL;
516 
517 	X509_up_ref(cert);
518 	SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
519 	SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
520 
521 	X509_free(s->session->peer);
522 
523 	X509_up_ref(cert);
524 	s->session->peer = cert;
525 	s->session->verify_result = s->verify_result;
526 
527 	ret = 1;
528 
529  err:
530 	sk_X509_pop_free(certs, X509_free);
531 	X509_free(cert);
532 
533 	return ret;
534 }
535 
536 /*
537  * Certificate Verify padding - RFC 8446 section 4.4.3.
538  */
539 static uint8_t cert_verify_pad[64] = {
540 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
541 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
542 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
543 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
544 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
545 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
546 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
547 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
548 };
549 
550 static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify";
551 
552 int
553 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
554 {
555 	const struct ssl_sigalg *sigalg;
556 	uint16_t signature_scheme;
557 	uint8_t *sig_content = NULL;
558 	size_t sig_content_len;
559 	EVP_MD_CTX *mdctx = NULL;
560 	EVP_PKEY_CTX *pctx;
561 	EVP_PKEY *pkey;
562 	X509 *cert;
563 	CBS cbs, signature;
564 	CBB cbb;
565 	int ret = 0;
566 
567 	memset(&cbb, 0, sizeof(cbb));
568 
569 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
570 		goto err;
571 
572 	if (!CBS_get_u16(&cbs, &signature_scheme))
573 		goto err;
574 	if (!CBS_get_u16_length_prefixed(&cbs, &signature))
575 		goto err;
576 	if (CBS_len(&cbs) != 0)
577 		goto err;
578 
579 	if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
580 	    tls13_sigalgs_len)) == NULL)
581 		goto err;
582 
583 	if (!CBB_init(&cbb, 0))
584 		goto err;
585 	if (!CBB_add_bytes(&cbb, cert_verify_pad, sizeof(cert_verify_pad)))
586 		goto err;
587 	if (!CBB_add_bytes(&cbb, server_cert_verify_context,
588 	    strlen(server_cert_verify_context)))
589 		goto err;
590 	if (!CBB_add_u8(&cbb, 0))
591 		goto err;
592 	if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
593 	    ctx->hs->transcript_hash_len))
594 		goto err;
595 	if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
596 		goto err;
597 
598 	if ((cert = ctx->ssl->session->peer) == NULL)
599 		goto err;
600 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
601 		goto err;
602 	if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
603 		goto err;
604 
605 	if (CBS_len(&signature) > EVP_PKEY_size(pkey))
606 		goto err;
607 
608 	if ((mdctx = EVP_MD_CTX_new()) == NULL)
609 		goto err;
610 	if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
611 		goto err;
612 	if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
613 		if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
614 			goto err;
615 		if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
616 			goto err;
617 	}
618 	if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len))
619 		goto err;
620 	if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
621 	    CBS_len(&signature)) <= 0) {
622 		/* XXX - send alert. */
623 		goto err;
624 	}
625 
626 	ret = 1;
627 
628  err:
629 	CBB_cleanup(&cbb);
630 	EVP_MD_CTX_free(mdctx);
631 	free(sig_content);
632 
633 	return ret;
634 }
635 
636 int
637 tls13_server_finished_recv(struct tls13_ctx *ctx)
638 {
639 	struct tls13_secrets *secrets = ctx->hs->secrets;
640 	struct tls13_secret context = { .data = "", .len = 0 };
641 	struct tls13_secret finished_key;
642 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
643 	size_t transcript_hash_len;
644 	uint8_t *verify_data = NULL;
645 	size_t verify_data_len;
646 	uint8_t key[EVP_MAX_MD_SIZE];
647 	HMAC_CTX *hmac_ctx = NULL;
648 	unsigned int hlen;
649 	int ret = 0;
650 	CBS cbs;
651 
652 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
653 		goto err;
654 
655 	/*
656 	 * Verify server finished.
657 	 */
658 	finished_key.data = key;
659 	finished_key.len = EVP_MD_size(ctx->hash);
660 
661 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
662 	    &secrets->server_handshake_traffic, "finished",
663 	    &context))
664 		goto err;
665 
666 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
667 		goto err;
668 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
669 	    ctx->hash, NULL))
670 		goto err;
671 	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
672 	    ctx->hs->transcript_hash_len))
673 		goto err;
674 	verify_data_len = HMAC_size(hmac_ctx);
675 	if ((verify_data = calloc(1, verify_data_len)) == NULL)
676 		goto err;
677 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
678 		goto err;
679 	if (hlen != verify_data_len)
680 		goto err;
681 
682 	if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
683 		/* XXX - send alert. */
684 		goto err;
685 	}
686 
687 	/*
688 	 * Derive application traffic keys.
689 	 */
690 	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
691 	    sizeof(transcript_hash), &transcript_hash_len))
692 		goto err;
693 
694 	context.data = transcript_hash;
695 	context.len = transcript_hash_len;
696 
697 	if (!tls13_derive_application_secrets(secrets, &context))
698 		goto err;
699 
700 	/*
701 	 * Any records following the server finished message must be encrypted
702 	 * using the server application traffic keys.
703 	 */
704 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
705 	    &secrets->server_application_traffic))
706 		goto err;
707 
708 	ret = 1;
709 
710  err:
711 	HMAC_CTX_free(hmac_ctx);
712 	free(verify_data);
713 
714 	return ret;
715 }
716 
717 int
718 tls13_client_finished_send(struct tls13_ctx *ctx)
719 {
720 	struct tls13_secrets *secrets = ctx->hs->secrets;
721 	struct tls13_secret context = { .data = "", .len = 0 };
722 	struct tls13_secret finished_key;
723 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
724 	size_t transcript_hash_len;
725 	uint8_t key[EVP_MAX_MD_SIZE];
726 	uint8_t *verify_data;
727 	size_t hmac_len;
728 	unsigned int hlen;
729 	HMAC_CTX *hmac_ctx = NULL;
730 	int ret = 0;
731 	CBB body;
732 
733 	finished_key.data = key;
734 	finished_key.len = EVP_MD_size(ctx->hash);
735 
736 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
737 	    &secrets->client_handshake_traffic, "finished",
738 	    &context))
739 		goto err;
740 
741 	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
742 	    sizeof(transcript_hash), &transcript_hash_len))
743 		goto err;
744 
745 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
746 		goto err;
747 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
748 	    ctx->hash, NULL))
749 		goto err;
750 	if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
751 		goto err;
752 
753 	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
754 		goto err;
755 	hmac_len = HMAC_size(hmac_ctx);
756 	if (!CBB_add_space(&body, &verify_data, hmac_len))
757 		goto err;
758 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
759 		goto err;
760 	if (hlen != hmac_len)
761 		goto err;
762 	if (!tls13_handshake_msg_finish(ctx->hs_msg))
763 		goto err;
764 
765 	ret = 1;
766 
767  err:
768 	HMAC_CTX_free(hmac_ctx);
769 
770 	return ret;
771 }
772 
773 int
774 tls13_client_finished_sent(struct tls13_ctx *ctx)
775 {
776 	struct tls13_secrets *secrets = ctx->hs->secrets;
777 
778 	/*
779 	 * Any records following the client finished message must be encrypted
780 	 * using the client application traffic keys.
781 	 */
782 	return tls13_record_layer_set_write_traffic_key(ctx->rl,
783 	    &secrets->client_application_traffic);
784 }
785