xref: /openbsd-src/lib/libssl/tls13_client.c (revision b46d8ef224b95de1dddcd1f01c1ab482f0ab3778) 
1 /* $OpenBSD: tls13_client.c,v 1.19 2019/11/17 06:30:12 jsing Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "ssl_locl.h"
19 
20 #include <openssl/curve25519.h>
21 #include <openssl/ssl3.h>
22 
23 #include "bytestring.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_handshake.h"
26 #include "tls13_internal.h"
27 
28 static int
29 tls13_connect(struct tls13_ctx *ctx)
30 {
31 	if (ctx->mode != TLS13_HS_CLIENT)
32 		return TLS13_IO_FAILURE;
33 
34 	return tls13_handshake_perform(ctx);
35 }
36 
37 static int
38 tls13_client_init(struct tls13_ctx *ctx)
39 {
40 	SSL *s = ctx->ssl;
41 
42 	if (!ssl_supported_version_range(s, &ctx->hs->min_version,
43 	    &ctx->hs->max_version)) {
44 		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
45 		return 0;
46 	}
47 	s->client_version = s->version = ctx->hs->max_version;
48 
49 	if (!ssl_get_new_session(s, 0)) /* XXX */
50 		return 0;
51 
52 	if (!tls1_transcript_init(s))
53 		return 0;
54 
55 	arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
56 
57 	return 1;
58 }
59 
60 int
61 tls13_legacy_connect(SSL *ssl)
62 {
63 	struct tls13_ctx *ctx = ssl->internal->tls13;
64 	int ret;
65 
66 	/* XXX drop back to legacy for client auth for now */
67 	if (ssl->cert->key->privatekey != NULL) {
68 		ssl->method = tls_legacy_client_method();
69 		return ssl->method->internal->ssl_connect(ssl);
70 	}
71 
72 	if (ctx == NULL) {
73 		if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
74 			SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
75 			return -1;
76 		}
77 		ssl->internal->tls13 = ctx;
78 		ctx->ssl = ssl;
79 		ctx->hs = &S3I(ssl)->hs_tls13;
80 
81 		if (!tls13_client_init(ctx)) {
82 			if (ERR_peek_error() == 0)
83 				SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
84 			return -1;
85 		}
86 	}
87 
88 	S3I(ssl)->hs.state = SSL_ST_CONNECT;
89 
90 	ret = tls13_connect(ctx);
91 	if (ret == TLS13_IO_USE_LEGACY)
92 		return ssl->method->internal->ssl_connect(ssl);
93 	if (ret == TLS13_IO_SUCCESS)
94 		S3I(ssl)->hs.state = SSL_ST_OK;
95 
96 	return tls13_legacy_return_code(ssl, ret);
97 }
98 
99 int
100 tls13_use_legacy_client(struct tls13_ctx *ctx)
101 {
102 	SSL *s = ctx->ssl;
103 	CBS cbs;
104 
105 	s->method = tls_legacy_client_method();
106 	s->client_version = s->version = s->method->internal->max_version;
107 
108 	if (!ssl3_setup_init_buffer(s))
109 		goto err;
110 	if (!ssl3_setup_buffers(s))
111 		goto err;
112 	if (!ssl_init_wbio_buffer(s, 0))
113 		goto err;
114 
115 	if (s->bbio != s->wbio)
116 		s->wbio = BIO_push(s->bbio, s->wbio);
117 
118 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
119 		goto err;
120 
121 	if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs) + 4))
122 		goto err;
123 
124 	if (!CBS_write_bytes(&cbs, s->internal->init_buf->data + 4,
125 	    s->internal->init_buf->length - 4, NULL))
126 		goto err;
127 
128 	S3I(s)->tmp.reuse_message = 1;
129 	S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg);
130 	S3I(s)->tmp.message_size = CBS_len(&cbs);
131 
132 	S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A;
133 
134 	return 1;
135 
136  err:
137 	return 0;
138 }
139 
140 static int
141 tls13_client_hello_build(SSL *s, CBB *cbb)
142 {
143 	CBB cipher_suites, compression_methods, session_id;
144 	uint8_t *sid;
145 
146 	if (!CBB_add_u16(cbb, TLS1_2_VERSION))
147 		goto err;
148 	if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
149 		goto err;
150 
151 	/* Either 32-random bytes or zero length... */
152 	/* XXX - session resumption for TLSv1.2? */
153 	if (!CBB_add_u8_length_prefixed(cbb, &session_id))
154 		goto err;
155 	if (!CBB_add_space(&session_id, &sid, 32))
156 		goto err;
157 	arc4random_buf(sid, 32);
158 
159 	if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
160 		goto err;
161 	if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) {
162 		SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
163 		goto err;
164 	}
165 
166 	if (!CBB_add_u8_length_prefixed(cbb, &compression_methods))
167 		goto err;
168 	if (!CBB_add_u8(&compression_methods, 0))
169 		goto err;
170 
171 	if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH))
172 		goto err;
173 
174 	if (!CBB_flush(cbb))
175 		goto err;
176 
177 	return 1;
178 
179  err:
180 	return 0;
181 }
182 
183 int
184 tls13_client_hello_send(struct tls13_ctx *ctx)
185 {
186 	CBB body;
187 
188 	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_CLIENT_HELLO))
189 		return 0;
190 	if (!tls13_client_hello_build(ctx->ssl, &body))
191 		return 0;
192 	if (!tls13_handshake_msg_finish(ctx->hs_msg))
193 		return 0;
194 
195 	return 1;
196 }
197 
198 /*
199  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
200  */
201 static const uint8_t tls13_hello_retry_request_hash[] = {
202 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
203 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
204 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
205 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
206 };
207 
208 static int
209 tls13_server_hello_is_legacy(CBS *cbs)
210 {
211 	CBS extensions_block, extensions, extension_data;
212 	uint16_t selected_version = 0;
213 	uint16_t type;
214 
215 	CBS_dup(cbs, &extensions_block);
216 
217 	if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions))
218 		return 1;
219 
220 	while (CBS_len(&extensions) > 0) {
221 		if (!CBS_get_u16(&extensions, &type))
222 			return 1;
223 		if (!CBS_get_u16_length_prefixed(&extensions, &extension_data))
224 			return 1;
225 
226 		if (type != TLSEXT_TYPE_supported_versions)
227 			continue;
228 		if (!CBS_get_u16(&extension_data, &selected_version))
229 			return 1;
230 		if (CBS_len(&extension_data) != 0)
231 			return 1;
232 	}
233 
234 	return (selected_version < TLS1_3_VERSION);
235 }
236 
237 static int
238 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
239 {
240 	CBS server_random, session_id;
241 	uint16_t cipher_suite, legacy_version;
242 	uint8_t compression_method;
243 	const SSL_CIPHER *cipher;
244 	SSL *s = ctx->ssl;
245 	int alert;
246 
247 	if (!CBS_get_u16(cbs, &legacy_version))
248 		goto err;
249 	if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
250 		goto err;
251 	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
252 		goto err;
253 	if (!CBS_get_u16(cbs, &cipher_suite))
254 		goto err;
255 	if (!CBS_get_u8(cbs, &compression_method))
256 		goto err;
257 
258 	if (tls13_server_hello_is_legacy(cbs))
259 		return tls13_use_legacy_client(ctx);
260 
261 	if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH))
262 		goto err;
263 
264 	if (CBS_len(cbs) != 0)
265 		goto err;
266 
267 	/*
268 	 * See if a supported versions extension was returned. If it was then
269 	 * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3).
270 	 * Otherwise, fallback to the legacy version, ensuring that it is both
271 	 * within range and not TLS 1.3 or greater (which must use the
272 	 * supported version extension.
273 	 */
274 	if (ctx->hs->server_version != 0) {
275 		if (legacy_version != TLS1_2_VERSION) {
276 			/* XXX - alert. */
277 			goto err;
278 		}
279 	} else {
280 		if (legacy_version < ctx->hs->min_version ||
281 		    legacy_version > ctx->hs->max_version ||
282 		    legacy_version > TLS1_2_VERSION) {
283 			/* XXX - alert. */
284 			goto err;
285 		}
286 		ctx->hs->server_version = legacy_version;
287 	}
288 
289 	/* XXX - session_id must match. */
290 
291 	/*
292 	 * Ensure that the cipher suite is one that we offered in the client
293 	 * hello and that it matches the TLS version selected.
294 	 */
295 	cipher = ssl3_get_cipher_by_value(cipher_suite);
296 	if (cipher == NULL ||
297 	    sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) {
298 		/* XXX - alert. */
299 		goto err;
300 	}
301 	if (ctx->hs->server_version == TLS1_3_VERSION &&
302 	    cipher->algorithm_ssl != SSL_TLSV1_3) {
303 		/* XXX - alert. */
304 		goto err;
305 	}
306 	/* XXX - move this to hs_tls13? */
307 	S3I(s)->hs.new_cipher = cipher;
308 
309 	if (compression_method != 0) {
310 		/* XXX - alert. */
311 		goto err;
312 	}
313 
314 	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
315 	    sizeof(tls13_hello_retry_request_hash)))
316 		ctx->handshake_stage.hs_type |= WITH_HRR;
317 
318 	return 1;
319 
320  err:
321 	/* XXX - send alert. */
322 
323 	return 0;
324 }
325 
326 int
327 tls13_server_hello_recv(struct tls13_ctx *ctx)
328 {
329 	struct tls13_secrets *secrets;
330 	struct tls13_secret context;
331 	unsigned char buf[EVP_MAX_MD_SIZE];
332 	uint8_t *shared_key = NULL;
333 	size_t hash_len;
334 	SSL *s = ctx->ssl;
335 	int ret = 0;
336 	CBS cbs;
337 
338 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
339 		goto err;
340 
341 	if (!tls13_server_hello_process(ctx, &cbs))
342 		goto err;
343 
344 	/* See if we switched back to the legacy client method. */
345 	if (s->method->internal->version < TLS1_3_VERSION)
346 		return 1;
347 
348 	/* XXX - handle other key share types. */
349 	if (ctx->hs->x25519_peer_public == NULL) {
350 		/* XXX - alert. */
351 		goto err;
352 	}
353 	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
354 		goto err;
355 	if (!X25519(shared_key, ctx->hs->x25519_private,
356 	    ctx->hs->x25519_peer_public))
357 		goto err;
358 
359 	s->session->cipher = S3I(s)->hs.new_cipher;
360 	s->session->ssl_version = ctx->hs->server_version;
361 
362 	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
363 		goto err;
364 	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
365 		goto err;
366 
367 	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
368 		goto err;
369 	S3I(ctx->ssl)->hs_tls13.secrets = secrets;
370 
371 	/* XXX - pass in hash. */
372 	if (!tls1_transcript_hash_init(s))
373 		goto err;
374 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
375 		goto err;
376 	context.data = buf;
377 	context.len = hash_len;
378 
379 	/* Early secrets. */
380 	if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
381 	    secrets->zeros.len, &context))
382 		goto err;
383 
384 	/* Handshake secrets. */
385 	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
386 	    X25519_KEY_LENGTH, &context))
387 		goto err;
388 
389 	tls13_record_layer_set_aead(ctx->rl, ctx->aead);
390 	tls13_record_layer_set_hash(ctx->rl, ctx->hash);
391 
392 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
393 	    &secrets->server_handshake_traffic))
394 		goto err;
395 	if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
396 	    &secrets->client_handshake_traffic))
397 		goto err;
398 
399 	ctx->handshake_stage.hs_type |= NEGOTIATED;
400 	ret = 1;
401 
402  err:
403 	freezero(shared_key, X25519_KEY_LENGTH);
404 	return ret;
405 }
406 
407 int
408 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
409 {
410 	int alert;
411 	CBS cbs;
412 
413 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
414 		goto err;
415 
416 	if (!tlsext_client_parse(ctx->ssl, &cbs, &alert, SSL_TLSEXT_MSG_EE))
417 		goto err;
418 
419 	if (CBS_len(&cbs) != 0)
420 		goto err;
421 
422 	return 1;
423 
424  err:
425 	/* XXX - send alert. */
426 
427 	return 0;
428 }
429 
430 int
431 tls13_server_certificate_request_recv(struct tls13_ctx *ctx)
432 {
433 	/*
434 	 * Thanks to poor state design in the RFC, this function can be called
435 	 * when we actually have a certificate message instead of a certificate
436 	 * request... in that case we call the certificate handler after
437 	 * switching state, to avoid advancing state.
438 	 */
439 	if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) {
440 		ctx->handshake_stage.hs_type |= WITHOUT_CR;
441 		return tls13_server_certificate_recv(ctx);
442 	}
443 
444 	/* XXX - unimplemented. */
445 
446 	return 0;
447 }
448 
449 int
450 tls13_server_certificate_recv(struct tls13_ctx *ctx)
451 {
452 	CBS cbs, cert_request_context, cert_list, cert_data, cert_exts;
453 	struct stack_st_X509 *certs = NULL;
454 	SSL *s = ctx->ssl;
455 	X509 *cert = NULL;
456 	EVP_PKEY *pkey;
457 	const uint8_t *p;
458 	int cert_idx;
459 	int ret = 0;
460 
461 	if ((certs = sk_X509_new_null()) == NULL)
462 		goto err;
463 
464 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
465 		goto err;
466 
467 	if (!CBS_get_u8_length_prefixed(&cbs, &cert_request_context))
468 		goto err;
469 	if (CBS_len(&cert_request_context) != 0)
470 		goto err;
471 	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
472 		goto err;
473 	if (CBS_len(&cbs) != 0)
474 		goto err;
475 
476 	while (CBS_len(&cert_list) > 0) {
477 		if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
478 			goto err;
479 		if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
480 			goto err;
481 
482 		p = CBS_data(&cert_data);
483 		if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
484 			goto err;
485 		if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
486 			goto err;
487 
488 		if (!sk_X509_push(certs, cert))
489 			goto err;
490 
491 		cert = NULL;
492 	}
493 
494 	/*
495 	 * At this stage we still have no proof of possession. As such, it would
496 	 * be preferable to keep the chain and verify once we have successfully
497 	 * processed the CertificateVerify message.
498 	 */
499 	if (ssl_verify_cert_chain(s, certs) <= 0 &&
500 	    s->verify_mode != SSL_VERIFY_NONE) {
501 		/* XXX send alert */
502 		goto err;
503 	}
504 	ERR_clear_error();
505 
506 	cert = sk_X509_value(certs, 0);
507 	X509_up_ref(cert);
508 
509 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
510 		goto err;
511 	if (EVP_PKEY_missing_parameters(pkey))
512 		goto err;
513 	if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
514 		goto err;
515 
516 	ssl_sess_cert_free(SSI(s)->sess_cert);
517 	if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
518 		goto err;
519 
520 	SSI(s)->sess_cert->cert_chain = certs;
521 	certs = NULL;
522 
523 	X509_up_ref(cert);
524 	SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
525 	SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
526 
527 	X509_free(s->session->peer);
528 
529 	X509_up_ref(cert);
530 	s->session->peer = cert;
531 	s->session->verify_result = s->verify_result;
532 
533 	ret = 1;
534 
535  err:
536 	sk_X509_pop_free(certs, X509_free);
537 	X509_free(cert);
538 
539 	return ret;
540 }
541 
542 /*
543  * Certificate Verify padding - RFC 8446 section 4.4.3.
544  */
545 static uint8_t cert_verify_pad[64] = {
546 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
547 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
548 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
549 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
550 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
551 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
552 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
553 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
554 };
555 
556 static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify";
557 
558 int
559 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
560 {
561 	const struct ssl_sigalg *sigalg;
562 	uint16_t signature_scheme;
563 	uint8_t *sig_content = NULL;
564 	size_t sig_content_len;
565 	EVP_MD_CTX *mdctx = NULL;
566 	EVP_PKEY_CTX *pctx;
567 	EVP_PKEY *pkey;
568 	X509 *cert;
569 	CBS cbs, signature;
570 	CBB cbb;
571 	int ret = 0;
572 
573 	memset(&cbb, 0, sizeof(cbb));
574 
575 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
576 		goto err;
577 
578 	if (!CBS_get_u16(&cbs, &signature_scheme))
579 		goto err;
580 	if (!CBS_get_u16_length_prefixed(&cbs, &signature))
581 		goto err;
582 	if (CBS_len(&cbs) != 0)
583 		goto err;
584 
585 	if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
586 	    tls13_sigalgs_len)) == NULL)
587 		goto err;
588 
589 	if (!CBB_init(&cbb, 0))
590 		goto err;
591 	if (!CBB_add_bytes(&cbb, cert_verify_pad, sizeof(cert_verify_pad)))
592 		goto err;
593 	if (!CBB_add_bytes(&cbb, server_cert_verify_context,
594 	    strlen(server_cert_verify_context)))
595 		goto err;
596 	if (!CBB_add_u8(&cbb, 0))
597 		goto err;
598 	if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
599 	    ctx->hs->transcript_hash_len))
600 		goto err;
601 	if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
602 		goto err;
603 
604 	if ((cert = ctx->ssl->session->peer) == NULL)
605 		goto err;
606 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
607 		goto err;
608 	if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
609 		goto err;
610 
611 	if (CBS_len(&signature) > EVP_PKEY_size(pkey))
612 		goto err;
613 
614 	if ((mdctx = EVP_MD_CTX_new()) == NULL)
615 		goto err;
616 	if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
617 		goto err;
618 	if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
619 		if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
620 			goto err;
621 		if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
622 			goto err;
623 	}
624 	if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len))
625 		goto err;
626 	if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
627 	    CBS_len(&signature)) <= 0) {
628 		/* XXX - send alert. */
629 		goto err;
630 	}
631 
632 	ret = 1;
633 
634  err:
635 	CBB_cleanup(&cbb);
636 	EVP_MD_CTX_free(mdctx);
637 	free(sig_content);
638 
639 	return ret;
640 }
641 
642 int
643 tls13_server_finished_recv(struct tls13_ctx *ctx)
644 {
645 	struct tls13_secrets *secrets = ctx->hs->secrets;
646 	struct tls13_secret context = { .data = "", .len = 0 };
647 	struct tls13_secret finished_key;
648 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
649 	size_t transcript_hash_len;
650 	uint8_t *verify_data = NULL;
651 	size_t verify_data_len;
652 	uint8_t key[EVP_MAX_MD_SIZE];
653 	HMAC_CTX *hmac_ctx = NULL;
654 	unsigned int hlen;
655 	int ret = 0;
656 	CBS cbs;
657 
658 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
659 		goto err;
660 
661 	/*
662 	 * Verify server finished.
663 	 */
664 	finished_key.data = key;
665 	finished_key.len = EVP_MD_size(ctx->hash);
666 
667 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
668 	    &secrets->server_handshake_traffic, "finished",
669 	    &context))
670 		goto err;
671 
672 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
673 		goto err;
674 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
675 	    ctx->hash, NULL))
676 		goto err;
677 	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
678 	    ctx->hs->transcript_hash_len))
679 		goto err;
680 	verify_data_len = HMAC_size(hmac_ctx);
681 	if ((verify_data = calloc(1, verify_data_len)) == NULL)
682 		goto err;
683 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
684 		goto err;
685 	if (hlen != verify_data_len)
686 		goto err;
687 
688 	if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
689 		/* XXX - send alert. */
690 		goto err;
691 	}
692 
693 	/*
694 	 * Derive application traffic keys.
695 	 */
696 	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
697 	    sizeof(transcript_hash), &transcript_hash_len))
698 		goto err;
699 
700 	context.data = transcript_hash;
701 	context.len = transcript_hash_len;
702 
703 	if (!tls13_derive_application_secrets(secrets, &context))
704 		goto err;
705 
706 	/*
707 	 * Any records following the server finished message must be encrypted
708 	 * using the server application traffic keys.
709 	 */
710 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
711 	    &secrets->server_application_traffic))
712 		goto err;
713 
714 	ret = 1;
715 
716  err:
717 	HMAC_CTX_free(hmac_ctx);
718 	free(verify_data);
719 
720 	return ret;
721 }
722 
723 int
724 tls13_client_finished_send(struct tls13_ctx *ctx)
725 {
726 	struct tls13_secrets *secrets = ctx->hs->secrets;
727 	struct tls13_secret context = { .data = "", .len = 0 };
728 	struct tls13_secret finished_key;
729 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
730 	size_t transcript_hash_len;
731 	uint8_t key[EVP_MAX_MD_SIZE];
732 	uint8_t *verify_data;
733 	size_t hmac_len;
734 	unsigned int hlen;
735 	HMAC_CTX *hmac_ctx = NULL;
736 	int ret = 0;
737 	CBB body;
738 
739 	finished_key.data = key;
740 	finished_key.len = EVP_MD_size(ctx->hash);
741 
742 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
743 	    &secrets->client_handshake_traffic, "finished",
744 	    &context))
745 		goto err;
746 
747 	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
748 	    sizeof(transcript_hash), &transcript_hash_len))
749 		goto err;
750 
751 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
752 		goto err;
753 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
754 	    ctx->hash, NULL))
755 		goto err;
756 	if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
757 		goto err;
758 
759 	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
760 		goto err;
761 	hmac_len = HMAC_size(hmac_ctx);
762 	if (!CBB_add_space(&body, &verify_data, hmac_len))
763 		goto err;
764 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
765 		goto err;
766 	if (hlen != hmac_len)
767 		goto err;
768 	if (!tls13_handshake_msg_finish(ctx->hs_msg))
769 		goto err;
770 
771 	ret = 1;
772 
773  err:
774 	HMAC_CTX_free(hmac_ctx);
775 
776 	return ret;
777 }
778 
779 int
780 tls13_client_finished_sent(struct tls13_ctx *ctx)
781 {
782 	struct tls13_secrets *secrets = ctx->hs->secrets;
783 
784 	/*
785 	 * Any records following the client finished message must be encrypted
786 	 * using the client application traffic keys.
787 	 */
788 	return tls13_record_layer_set_write_traffic_key(ctx->rl,
789 	    &secrets->client_application_traffic);
790 }
791