xref: /openbsd-src/lib/libssl/tls13_client.c (revision dd7183d711827caf3ffa441a8d52da6bdd7ae879) 
1 /* $OpenBSD: tls13_client.c,v 1.12 2019/02/25 16:46:17 jsing Exp $ */
2 /*
3  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "ssl_locl.h"
19 
20 #include <openssl/curve25519.h>
21 #include <openssl/ssl3.h>
22 
23 #include "bytestring.h"
24 #include "ssl_tlsext.h"
25 #include "tls13_handshake.h"
26 #include "tls13_internal.h"
27 
28 int
29 tls13_connect(struct tls13_ctx *ctx)
30 {
31 	if (ctx->mode != TLS13_HS_CLIENT)
32 		return TLS13_IO_FAILURE;
33 
34 	return tls13_handshake_perform(ctx);
35 }
36 
37 static int
38 tls13_client_init(struct tls13_ctx *ctx)
39 {
40 	SSL *s = ctx->ssl;
41 
42 	if (!ssl_supported_version_range(s, &ctx->hs->min_version,
43 	    &ctx->hs->max_version)) {
44 		SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
45 		return 0;
46 	}
47 	s->client_version = s->version = ctx->hs->max_version;
48 
49 	if (!ssl_get_new_session(s, 0)) /* XXX */
50 		return 0;
51 
52 	if (!tls1_transcript_init(s))
53 		return 0;
54 
55 	arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
56 
57 	return 1;
58 }
59 
60 int
61 tls13_legacy_connect(SSL *ssl)
62 {
63 	struct tls13_ctx *ctx = ssl->internal->tls13;
64 	int ret;
65 
66 	if (ctx == NULL) {
67 		if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) {
68 			SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
69 			return -1;
70 		}
71 		ssl->internal->tls13 = ctx;
72 		ctx->ssl = ssl;
73 		ctx->hs = &S3I(ssl)->hs_tls13;
74 
75 		if (!tls13_client_init(ctx)) {
76 			if (ERR_peek_error() == 0)
77 				SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */
78 			return -1;
79 		}
80 	}
81 
82 	ret = tls13_connect(ctx);
83 
84 	return tls13_legacy_return_code(ssl, ret);
85 }
86 
87 static int
88 tls13_client_hello_build(SSL *s, CBB *cbb)
89 {
90 	CBB cipher_suites, compression_methods, session_id;
91 	uint8_t *sid;
92 
93 	if (!CBB_add_u16(cbb, TLS1_2_VERSION))
94 		goto err;
95 	if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
96 		goto err;
97 
98 	/* Either 32-random bytes or zero length... */
99 	/* XXX - session resumption for TLSv1.2? */
100 	if (!CBB_add_u8_length_prefixed(cbb, &session_id))
101 		goto err;
102 	if (!CBB_add_space(&session_id, &sid, 32))
103 		goto err;
104 	arc4random_buf(sid, 32);
105 
106 	if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites))
107 		goto err;
108 	if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) {
109 		SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE);
110 		goto err;
111 	}
112 
113 	if (!CBB_add_u8_length_prefixed(cbb, &compression_methods))
114 		goto err;
115 	if (!CBB_add_u8(&compression_methods, 0))
116 		goto err;
117 
118 	if (!tlsext_client_build(s, cbb, SSL_TLSEXT_MSG_CH))
119 		goto err;
120 
121 	if (!CBB_flush(cbb))
122 		goto err;
123 
124 	return 1;
125 
126  err:
127 	return 0;
128 }
129 
130 int
131 tls13_client_hello_send(struct tls13_ctx *ctx)
132 {
133 	CBB body;
134 
135 	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_CLIENT_HELLO))
136 		return 0;
137 	if (!tls13_client_hello_build(ctx->ssl, &body))
138 		return 0;
139 	if (!tls13_handshake_msg_finish(ctx->hs_msg))
140 		return 0;
141 
142 	return 1;
143 }
144 
145 /*
146  * HelloRetryRequest hash - RFC 8446 section 4.1.3.
147  */
148 static const uint8_t tls13_hello_retry_request_hash[] = {
149 	0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11,
150 	0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91,
151 	0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e,
152 	0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c,
153 };
154 
155 static int
156 tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs)
157 {
158 	CBS server_random, session_id;
159 	uint16_t cipher_suite, legacy_version;
160 	uint8_t compression_method;
161 	const SSL_CIPHER *cipher;
162 	SSL *s = ctx->ssl;
163 	int alert;
164 
165 	if (!CBS_get_u16(cbs, &legacy_version))
166 		goto err;
167 	if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE))
168 		goto err;
169 	if (!CBS_get_u8_length_prefixed(cbs, &session_id))
170 		goto err;
171 	if (!CBS_get_u16(cbs, &cipher_suite))
172 		goto err;
173 	if (!CBS_get_u8(cbs, &compression_method))
174 		goto err;
175 
176 	if (!tlsext_client_parse(s, cbs, &alert, SSL_TLSEXT_MSG_SH))
177 		goto err;
178 
179 	if (CBS_len(cbs) != 0)
180 		goto err;
181 
182 	/*
183 	 * See if a supported versions extension was returned. If it was then
184 	 * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3).
185 	 * Otherwise, fallback to the legacy version, ensuring that it is both
186 	 * within range and not TLS 1.3 or greater (which must use the
187 	 * supported version extension.
188 	 */
189 	if (ctx->hs->server_version != 0) {
190 		if (legacy_version != TLS1_2_VERSION) {
191 			/* XXX - alert. */
192 			goto err;
193 		}
194 	} else {
195 		if (legacy_version < ctx->hs->min_version ||
196 		    legacy_version > ctx->hs->max_version ||
197 		    legacy_version > TLS1_2_VERSION) {
198 			/* XXX - alert. */
199 			goto err;
200 		}
201 		ctx->hs->server_version = legacy_version;
202 	}
203 
204 	/* XXX - session_id must match. */
205 
206 	/*
207 	 * Ensure that the cipher suite is one that we offered in the client
208 	 * hello and that it matches the TLS version selected.
209 	 */
210 	cipher = ssl3_get_cipher_by_value(cipher_suite);
211 	if (cipher == NULL ||
212 	    sk_SSL_CIPHER_find(ssl_get_ciphers_by_id(s), cipher) < 0) {
213 		/* XXX - alert. */
214 		goto err;
215 	}
216 	if (ctx->hs->server_version == TLS1_3_VERSION &&
217 	    cipher->algorithm_ssl != SSL_TLSV1_3) {
218 		/* XXX - alert. */
219 		goto err;
220 	}
221 	/* XXX - move this to hs_tls13? */
222 	S3I(s)->hs.new_cipher = cipher;
223 
224 	if (compression_method != 0) {
225 		/* XXX - alert. */
226 		goto err;
227 	}
228 
229 	if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash,
230 	    sizeof(tls13_hello_retry_request_hash)))
231 		ctx->handshake_stage.hs_type |= WITH_HRR;
232 
233 	return 1;
234 
235  err:
236 	/* XXX - send alert. */
237 
238 	return 0;
239 }
240 
241 int
242 tls13_server_hello_recv(struct tls13_ctx *ctx)
243 {
244 	struct tls13_secrets *secrets;
245 	struct tls13_secret context;
246 	unsigned char buf[EVP_MAX_MD_SIZE];
247 	uint8_t *shared_key = NULL;
248 	size_t hash_len;
249 	SSL *s = ctx->ssl;
250 	int ret = 0;
251 	CBS cbs;
252 
253 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
254 		goto err;
255 
256 	if (!tls13_server_hello_process(ctx, &cbs))
257 		goto err;
258 
259 	if (ctx->hs->server_version < TLS1_3_VERSION) {
260 		/* XXX - switch back to legacy client. */
261 		goto err;
262 	}
263 
264 	if (ctx->handshake_stage.hs_type & WITH_HRR)
265 		return 1;
266 
267 	/* XXX - handle other key share types. */
268 	if (ctx->hs->x25519_peer_public == NULL) {
269 		/* XXX - alert. */
270 		goto err;
271 	}
272 	if ((shared_key = malloc(X25519_KEY_LENGTH)) == NULL)
273 		goto err;
274 	if (!X25519(shared_key, ctx->hs->x25519_private,
275 	    ctx->hs->x25519_peer_public))
276 		goto err;
277 
278 	s->session->cipher = S3I(s)->hs.new_cipher;
279 	s->session->ssl_version = ctx->hs->server_version;
280 
281 	if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
282 		goto err;
283 	if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
284 		goto err;
285 
286 	if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
287 		goto err;
288 	S3I(ctx->ssl)->hs_tls13.secrets = secrets;
289 
290 	/* XXX - pass in hash. */
291 	if (!tls1_transcript_hash_init(s))
292 		goto err;
293 	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
294 		goto err;
295 	context.data = buf;
296 	context.len = hash_len;
297 
298 	/* Early secrets. */
299 	if (!tls13_derive_early_secrets(secrets, secrets->zeros.data,
300 	    secrets->zeros.len, &context))
301 		goto err;
302 
303 	/* Handshake secrets. */
304 	if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
305 	    X25519_KEY_LENGTH, &context))
306 		goto err;
307 
308 	tls13_record_layer_set_aead(ctx->rl, ctx->aead);
309 	tls13_record_layer_set_hash(ctx->rl, ctx->hash);
310 
311 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
312 	    &secrets->server_handshake_traffic))
313 		goto err;
314 	if (!tls13_record_layer_set_write_traffic_key(ctx->rl,
315 	    &secrets->client_handshake_traffic))
316 		goto err;
317 
318 	ctx->handshake_stage.hs_type |= NEGOTIATED;
319 	ret = 1;
320 
321  err:
322 	freezero(shared_key, X25519_KEY_LENGTH);
323 	return ret;
324 }
325 
326 int
327 tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx)
328 {
329 	int alert;
330 	CBS cbs;
331 
332 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
333 		goto err;
334 
335 	if (!tlsext_client_parse(ctx->ssl, &cbs, &alert, SSL_TLSEXT_MSG_EE))
336 		goto err;
337 
338 	if (CBS_len(&cbs) != 0)
339 		goto err;
340 
341 	return 1;
342 
343  err:
344 	/* XXX - send alert. */
345 
346 	return 0;
347 }
348 
349 int
350 tls13_server_certificate_request_recv(struct tls13_ctx *ctx)
351 {
352 	/*
353 	 * Thanks to poor state design in the RFC, this function can be called
354 	 * when we actually have a certificate message instead of a certificate
355 	 * request... in that case we call the certificate handler after
356 	 * switching state, to avoid advancing state.
357 	 */
358 	if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) {
359 		ctx->handshake_stage.hs_type |= WITHOUT_CR;
360 		return tls13_server_certificate_recv(ctx);
361 	}
362 
363 	/* XXX - unimplemented. */
364 
365 	return 0;
366 }
367 
368 int
369 tls13_server_certificate_recv(struct tls13_ctx *ctx)
370 {
371 	CBS cbs, cert_request_context, cert_list, cert_data, cert_exts;
372 	struct stack_st_X509 *certs = NULL;
373 	SSL *s = ctx->ssl;
374 	X509 *cert = NULL;
375 	EVP_PKEY *pkey;
376 	const uint8_t *p;
377 	int cert_idx;
378 	int ret = 0;
379 
380 	if ((certs = sk_X509_new_null()) == NULL)
381 		goto err;
382 
383 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
384 		goto err;
385 
386 	if (!CBS_get_u8_length_prefixed(&cbs, &cert_request_context))
387 		goto err;
388 	if (CBS_len(&cert_request_context) != 0)
389 		goto err;
390 	if (!CBS_get_u24_length_prefixed(&cbs, &cert_list))
391 		goto err;
392 	if (CBS_len(&cbs) != 0)
393 		goto err;
394 
395 	while (CBS_len(&cert_list) > 0) {
396 		if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data))
397 			goto err;
398 		if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts))
399 			goto err;
400 
401 		p = CBS_data(&cert_data);
402 		if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL)
403 			goto err;
404 		if (p != CBS_data(&cert_data) + CBS_len(&cert_data))
405 			goto err;
406 
407 		if (!sk_X509_push(certs, cert))
408 			goto err;
409 
410 		cert = NULL;
411 	}
412 
413 	/*
414 	 * At this stage we still have no proof of possession. As such, it would
415 	 * be preferable to keep the chain and verify once we have successfully
416 	 * processed the CertificateVerify message.
417 	 */
418 	if (ssl_verify_cert_chain(s, certs) <= 0 &&
419 	    s->verify_mode != SSL_VERIFY_NONE) {
420 		/* XXX send alert */
421 		goto err;
422 	}
423 	ERR_clear_error();
424 
425 	cert = sk_X509_value(certs, 0);
426 	X509_up_ref(cert);
427 
428 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
429 		goto err;
430 	if (EVP_PKEY_missing_parameters(pkey))
431 		goto err;
432 	if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
433 		goto err;
434 
435 	ssl_sess_cert_free(SSI(s)->sess_cert);
436 	if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
437 		goto err;
438 
439 	SSI(s)->sess_cert->cert_chain = certs;
440 	certs = NULL;
441 
442 	X509_up_ref(cert);
443 	SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
444 	SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
445 
446 	X509_free(s->session->peer);
447 
448 	X509_up_ref(cert);
449 	s->session->peer = cert;
450 	s->session->verify_result = s->verify_result;
451 
452 	ret = 1;
453 
454  err:
455 	sk_X509_pop_free(certs, X509_free);
456 	X509_free(cert);
457 
458 	return ret;
459 }
460 
461 /*
462  * Certificate Verify padding - RFC 8446 section 4.4.3.
463  */
464 static uint8_t cert_verify_pad[64] = {
465 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
466 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
467 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
468 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
469 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
470 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
471 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
472 	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
473 };
474 
475 static uint8_t server_cert_verify_context[] = "TLS 1.3, server CertificateVerify";
476 
477 int
478 tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
479 {
480 	const struct ssl_sigalg *sigalg;
481 	uint16_t signature_scheme;
482 	uint8_t *sig_content = NULL;
483 	size_t sig_content_len;
484 	EVP_MD_CTX *mdctx = NULL;
485 	EVP_PKEY_CTX *pctx;
486 	EVP_PKEY *pkey;
487 	X509 *cert;
488 	CBS cbs, signature;
489 	CBB cbb;
490 	int ret = 0;
491 
492 	memset(&cbb, 0, sizeof(cbb));
493 
494 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
495 		goto err;
496 
497 	if (!CBS_get_u16(&cbs, &signature_scheme))
498 		goto err;
499 	if (!CBS_get_u16_length_prefixed(&cbs, &signature))
500 		goto err;
501 	if (CBS_len(&cbs) != 0)
502 		goto err;
503 
504 	if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
505 	    tls13_sigalgs_len)) == NULL)
506 		goto err;
507 
508 	if (!CBB_init(&cbb, 0))
509 		goto err;
510 	if (!CBB_add_bytes(&cbb, cert_verify_pad, sizeof(cert_verify_pad)))
511 		goto err;
512 	if (!CBB_add_bytes(&cbb, server_cert_verify_context,
513 	    strlen(server_cert_verify_context)))
514 		goto err;
515 	if (!CBB_add_u8(&cbb, 0))
516 		goto err;
517 	if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
518 	    ctx->hs->transcript_hash_len))
519 		goto err;
520 	if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
521 		goto err;
522 
523 	if ((cert = ctx->ssl->session->peer) == NULL)
524 		goto err;
525 	if ((pkey = X509_get0_pubkey(cert)) == NULL)
526 		goto err;
527 	if (!ssl_sigalg_pkey_ok(sigalg, pkey))
528 		goto err;
529 
530 	if (CBS_len(&signature) > EVP_PKEY_size(pkey))
531 		goto err;
532 
533 	if ((mdctx = EVP_MD_CTX_new()) == NULL)
534 		goto err;
535 	if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey))
536 		goto err;
537 	if (sigalg->flags & SIGALG_FLAG_RSA_PSS) {
538 		if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING))
539 			goto err;
540 		if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))
541 			goto err;
542 	}
543 	if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len))
544 		goto err;
545 	if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature),
546 	    CBS_len(&signature)) <= 0) {
547 		/* XXX - send alert. */
548 		goto err;
549 	}
550 
551 	ret = 1;
552 
553  err:
554 	CBB_cleanup(&cbb);
555 	EVP_MD_CTX_free(mdctx);
556 	free(sig_content);
557 
558 	return ret;
559 }
560 
561 int
562 tls13_server_finished_recv(struct tls13_ctx *ctx)
563 {
564 	struct tls13_secrets *secrets = ctx->hs->secrets;
565 	struct tls13_secret context = { .data = "", .len = 0 };
566 	struct tls13_secret finished_key;
567 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
568 	size_t transcript_hash_len;
569 	uint8_t *verify_data = NULL;
570 	size_t verify_data_len;
571 	uint8_t key[EVP_MAX_MD_SIZE];
572 	HMAC_CTX *hmac_ctx = NULL;
573 	unsigned int hlen;
574 	int ret = 0;
575 	CBS cbs;
576 
577 	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
578 		goto err;
579 
580 	/*
581 	 * Verify server finished.
582 	 */
583 	finished_key.data = key;
584 	finished_key.len = EVP_MD_size(ctx->hash);
585 
586 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
587 	    &secrets->server_handshake_traffic, "finished",
588 	    &context))
589 		goto err;
590 
591 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
592 		goto err;
593 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
594 	    ctx->hash, NULL))
595 		goto err;
596 	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
597 	    ctx->hs->transcript_hash_len))
598 		goto err;
599 	verify_data_len = HMAC_size(hmac_ctx);
600 	if ((verify_data = calloc(1, verify_data_len)) == NULL)
601 		goto err;
602 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
603 		goto err;
604 	if (hlen != verify_data_len)
605 		goto err;
606 
607 	if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
608 		/* XXX - send alert. */
609 		goto err;
610 	}
611 
612 	/*
613 	 * Derive application traffic keys.
614 	 */
615 	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
616 	    sizeof(transcript_hash), &transcript_hash_len))
617 		goto err;
618 
619 	context.data = transcript_hash;
620 	context.len = transcript_hash_len;
621 
622 	if (!tls13_derive_application_secrets(secrets, &context))
623 		goto err;
624 
625 	/*
626 	 * Any records following the server finished message must be encrypted
627 	 * using the server application traffic keys.
628 	 */
629 	if (!tls13_record_layer_set_read_traffic_key(ctx->rl,
630 	    &secrets->server_application_traffic))
631 		goto err;
632 
633 	ret = 1;
634 
635  err:
636 	HMAC_CTX_free(hmac_ctx);
637 	free(verify_data);
638 
639 	return ret;
640 }
641 
642 int
643 tls13_client_finished_send(struct tls13_ctx *ctx)
644 {
645 	struct tls13_secrets *secrets = ctx->hs->secrets;
646 	struct tls13_secret context = { .data = "", .len = 0 };
647 	struct tls13_secret finished_key;
648 	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
649 	size_t transcript_hash_len;
650 	uint8_t key[EVP_MAX_MD_SIZE];
651 	uint8_t *verify_data;
652 	size_t hmac_len;
653 	unsigned int hlen;
654 	HMAC_CTX *hmac_ctx = NULL;
655 	int ret = 0;
656 	CBB body;
657 
658 	finished_key.data = key;
659 	finished_key.len = EVP_MD_size(ctx->hash);
660 
661 	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
662 	    &secrets->client_handshake_traffic, "finished",
663 	    &context))
664 		goto err;
665 
666 	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
667 	    sizeof(transcript_hash), &transcript_hash_len))
668 		goto err;
669 
670 	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
671 		goto err;
672 	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
673 	    ctx->hash, NULL))
674 		goto err;
675 	if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
676 		goto err;
677 
678 	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
679 		goto err;
680 	hmac_len = HMAC_size(hmac_ctx);
681 	if (!CBB_add_space(&body, &verify_data, hmac_len))
682 		goto err;
683 	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
684 		goto err;
685 	if (hlen != hmac_len)
686 		goto err;
687 	if (!tls13_handshake_msg_finish(ctx->hs_msg))
688 		goto err;
689 
690 	ret = 1;
691 
692  err:
693 	HMAC_CTX_free(hmac_ctx);
694 
695 	return ret;
696 }
697 
698 int
699 tls13_client_finished_sent(struct tls13_ctx *ctx)
700 {
701 	struct tls13_secrets *secrets = ctx->hs->secrets;
702 
703 	/*
704 	 * Any records following the client finished message must be encrypted
705 	 * using the client application traffic keys.
706 	 */
707 	return tls13_record_layer_set_write_traffic_key(ctx->rl,
708 	    &secrets->client_application_traffic);
709 }
710