1*94ac48a6Sjsing /* $OpenBSD: tls13_server.c,v 1.42 2020/05/10 16:59:51 jsing Exp $ */ 28630be86Sjsing /* 3aa78e754Sbeck * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org> 4aa78e754Sbeck * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 58630be86Sjsing * 68630be86Sjsing * Permission to use, copy, modify, and distribute this software for any 78630be86Sjsing * purpose with or without fee is hereby granted, provided that the above 88630be86Sjsing * copyright notice and this permission notice appear in all copies. 98630be86Sjsing * 108630be86Sjsing * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 118630be86Sjsing * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 128630be86Sjsing * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 138630be86Sjsing * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 148630be86Sjsing * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 158630be86Sjsing * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 168630be86Sjsing * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 178630be86Sjsing */ 188630be86Sjsing 198630be86Sjsing #include "ssl_locl.h" 200dbd9f91Sjsing #include "ssl_tlsext.h" 218630be86Sjsing 228630be86Sjsing #include "tls13_handshake.h" 238630be86Sjsing #include "tls13_internal.h" 248630be86Sjsing 258a834dadSjsing int 268630be86Sjsing tls13_server_init(struct tls13_ctx *ctx) 278630be86Sjsing { 288630be86Sjsing SSL *s = ctx->ssl; 298630be86Sjsing 308630be86Sjsing if (!ssl_supported_version_range(s, &ctx->hs->min_version, 318630be86Sjsing &ctx->hs->max_version)) { 328630be86Sjsing SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); 338630be86Sjsing return 0; 348630be86Sjsing } 35be8ffa84Sjsing s->version = ctx->hs->max_version; 368630be86Sjsing 370dbd9f91Sjsing if (!tls1_transcript_init(s)) 380dbd9f91Sjsing return 0; 398630be86Sjsing 40c43b2f19Sjsing if ((s->session = SSL_SESSION_new()) == NULL) 41c43b2f19Sjsing return 0; 42c43b2f19Sjsing 439b4fd993Sbeck arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); 449b4fd993Sbeck 458630be86Sjsing return 1; 468630be86Sjsing } 478630be86Sjsing 488a834dadSjsing int 498a834dadSjsing tls13_server_accept(struct tls13_ctx *ctx) 50d0445389Sjsing { 51d0445389Sjsing if (ctx->mode != TLS13_HS_SERVER) 52d0445389Sjsing return TLS13_IO_FAILURE; 53d0445389Sjsing 54d0445389Sjsing return tls13_handshake_perform(ctx); 55d0445389Sjsing } 56d0445389Sjsing 570dbd9f91Sjsing static int 580dbd9f91Sjsing tls13_client_hello_is_legacy(CBS *cbs) 590dbd9f91Sjsing { 60c43b2f19Sjsing CBS extensions_block, extensions, extension_data, versions; 61c43b2f19Sjsing uint16_t version, max_version = 0; 620dbd9f91Sjsing uint16_t type; 630dbd9f91Sjsing 640dbd9f91Sjsing CBS_dup(cbs, &extensions_block); 650dbd9f91Sjsing 660dbd9f91Sjsing if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) 670dbd9f91Sjsing return 1; 680dbd9f91Sjsing 690dbd9f91Sjsing while (CBS_len(&extensions) > 0) { 700dbd9f91Sjsing if (!CBS_get_u16(&extensions, &type)) 710dbd9f91Sjsing return 1; 720dbd9f91Sjsing if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) 730dbd9f91Sjsing return 1; 740dbd9f91Sjsing 750dbd9f91Sjsing if (type != TLSEXT_TYPE_supported_versions) 760dbd9f91Sjsing continue; 77c43b2f19Sjsing if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) 780dbd9f91Sjsing return 1; 79c43b2f19Sjsing while (CBS_len(&versions) > 0) { 80c43b2f19Sjsing if (!CBS_get_u16(&versions, &version)) 81c43b2f19Sjsing return 1; 82c43b2f19Sjsing if (version >= max_version) 83c43b2f19Sjsing max_version = version; 84c43b2f19Sjsing } 850dbd9f91Sjsing if (CBS_len(&extension_data) != 0) 860dbd9f91Sjsing return 1; 870dbd9f91Sjsing } 880dbd9f91Sjsing 89c43b2f19Sjsing return (max_version < TLS1_3_VERSION); 900dbd9f91Sjsing } 910dbd9f91Sjsing 92cccb618bStb static const uint8_t tls13_compression_null_only[] = { 0 }; 93cccb618bStb 940dbd9f91Sjsing static int 950dbd9f91Sjsing tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) 960dbd9f91Sjsing { 970dbd9f91Sjsing CBS cipher_suites, client_random, compression_methods, session_id; 9810361718Sjsing STACK_OF(SSL_CIPHER) *ciphers = NULL; 9910361718Sjsing const SSL_CIPHER *cipher; 1000dbd9f91Sjsing uint16_t legacy_version; 101cccb618bStb int alert_desc; 1020dbd9f91Sjsing SSL *s = ctx->ssl; 10310361718Sjsing int ret = 0; 1040dbd9f91Sjsing 1050dbd9f91Sjsing if (!CBS_get_u16(cbs, &legacy_version)) 1060dbd9f91Sjsing goto err; 1070dbd9f91Sjsing if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) 1080dbd9f91Sjsing goto err; 1090dbd9f91Sjsing if (!CBS_get_u8_length_prefixed(cbs, &session_id)) 1100dbd9f91Sjsing goto err; 111c43b2f19Sjsing if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) 1120dbd9f91Sjsing goto err; 1130dbd9f91Sjsing if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) 1140dbd9f91Sjsing goto err; 1150dbd9f91Sjsing 1160dbd9f91Sjsing if (tls13_client_hello_is_legacy(cbs)) { 1170dbd9f91Sjsing if (!CBS_skip(cbs, CBS_len(cbs))) 1180dbd9f91Sjsing goto err; 1190dbd9f91Sjsing return tls13_use_legacy_server(ctx); 1200dbd9f91Sjsing } 1210dbd9f91Sjsing 12210361718Sjsing if (!tlsext_server_parse(s, cbs, &alert_desc, SSL_TLSEXT_MSG_CH)) { 12310361718Sjsing ctx->alert = alert_desc; 1240dbd9f91Sjsing goto err; 12510361718Sjsing } 1260dbd9f91Sjsing 12710361718Sjsing /* 12810361718Sjsing * If we got this far we have a supported versions extension that offers 12910361718Sjsing * TLS 1.3 or later. This requires the legacy version be set to 0x0303. 13010361718Sjsing */ 13110361718Sjsing if (legacy_version != TLS1_2_VERSION) { 132c957d00cSjsing ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; 13310361718Sjsing goto err; 13410361718Sjsing } 13510361718Sjsing 1363365064dSjsing /* Store legacy session identifier so we can echo it. */ 1373365064dSjsing if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { 138c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 1393365064dSjsing goto err; 1403365064dSjsing } 1413365064dSjsing if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, 1423365064dSjsing sizeof(ctx->hs->legacy_session_id), &ctx->hs->legacy_session_id_len)) 1433365064dSjsing goto err; 1443365064dSjsing 14510361718Sjsing /* Parse cipher suites list and select preferred cipher. */ 14610361718Sjsing if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { 147c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 14810361718Sjsing goto err; 14910361718Sjsing } 15010361718Sjsing cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); 15110361718Sjsing if (cipher == NULL) { 15210361718Sjsing tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, 15310361718Sjsing "no shared cipher found", NULL); 154c957d00cSjsing ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; 15510361718Sjsing goto err; 15610361718Sjsing } 15710361718Sjsing S3I(s)->hs.new_cipher = cipher; 15810361718Sjsing 159cccb618bStb /* Ensure only the NULL compression method is advertised. */ 160cccb618bStb if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, 161cccb618bStb sizeof(tls13_compression_null_only))) { 162c957d00cSjsing ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; 16310361718Sjsing goto err; 16410361718Sjsing } 16510361718Sjsing 16610361718Sjsing ret = 1; 1670dbd9f91Sjsing 1680dbd9f91Sjsing err: 16910361718Sjsing sk_SSL_CIPHER_free(ciphers); 17010361718Sjsing 17110361718Sjsing return ret; 1720dbd9f91Sjsing } 1730dbd9f91Sjsing 1740dbd9f91Sjsing int 1750571c2d6Sjsing tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) 176eb818a3eSjsing { 1770dbd9f91Sjsing SSL *s = ctx->ssl; 1780dbd9f91Sjsing 1790dbd9f91Sjsing if (!tls13_client_hello_process(ctx, cbs)) 1800dbd9f91Sjsing goto err; 1810dbd9f91Sjsing 1820dbd9f91Sjsing /* See if we switched back to the legacy client method. */ 1830dbd9f91Sjsing if (s->method->internal->version < TLS1_3_VERSION) 1840dbd9f91Sjsing return 1; 1850dbd9f91Sjsing 1865c60a123Sjsing /* 187f113bc44Sjsing * If a matching key share was provided, we do not need to send a 188f113bc44Sjsing * HelloRetryRequest. 189f113bc44Sjsing */ 190f113bc44Sjsing /* 191f113bc44Sjsing * XXX - ideally NEGOTIATED would only be added after record protection 192f113bc44Sjsing * has been enabled. This would probably mean using either an 193f113bc44Sjsing * INITIAL | WITHOUT_HRR state, or another intermediate state. 1945c60a123Sjsing */ 195bb4189d7Sjsing if (ctx->hs->key_share != NULL) 196f113bc44Sjsing ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; 1975c60a123Sjsing 1985c60a123Sjsing /* XXX - check this is the correct point */ 199138e3c44Stb tls13_record_layer_allow_ccs(ctx->rl, 1); 200138e3c44Stb 2010dbd9f91Sjsing return 1; 2020dbd9f91Sjsing 2030dbd9f91Sjsing err: 204eb818a3eSjsing return 0; 205eb818a3eSjsing } 206eb818a3eSjsing 207d0445389Sjsing static int 208f62c22f4Sjsing tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) 209d0445389Sjsing { 210f62c22f4Sjsing uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; 211f62c22f4Sjsing const uint8_t *server_random; 212d0445389Sjsing CBB session_id; 213d0445389Sjsing SSL *s = ctx->ssl; 214d0445389Sjsing uint16_t cipher; 215d0445389Sjsing 216d0445389Sjsing cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); 217f62c22f4Sjsing server_random = s->s3->server_random; 218f62c22f4Sjsing 219f62c22f4Sjsing if (hrr) { 220f62c22f4Sjsing server_random = tls13_hello_retry_request_hash; 221f62c22f4Sjsing tlsext_msg_type = SSL_TLSEXT_MSG_HRR; 222f62c22f4Sjsing } 223d0445389Sjsing 224d0445389Sjsing if (!CBB_add_u16(cbb, TLS1_2_VERSION)) 225d0445389Sjsing goto err; 226f62c22f4Sjsing if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) 227d0445389Sjsing goto err; 228d0445389Sjsing if (!CBB_add_u8_length_prefixed(cbb, &session_id)) 229d0445389Sjsing goto err; 230d0445389Sjsing if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, 231d0445389Sjsing ctx->hs->legacy_session_id_len)) 232d0445389Sjsing goto err; 233d0445389Sjsing if (!CBB_add_u16(cbb, cipher)) 234d0445389Sjsing goto err; 235d0445389Sjsing if (!CBB_add_u8(cbb, 0)) 236d0445389Sjsing goto err; 237f62c22f4Sjsing if (!tlsext_server_build(s, cbb, tlsext_msg_type)) 238d0445389Sjsing goto err; 239d0445389Sjsing 240d0445389Sjsing if (!CBB_flush(cbb)) 241d0445389Sjsing goto err; 242d0445389Sjsing 243d0445389Sjsing return 1; 244d0445389Sjsing err: 245d0445389Sjsing return 0; 246d0445389Sjsing } 247d0445389Sjsing 2487752f9fdSjsing static int 2497752f9fdSjsing tls13_server_engage_record_protection(struct tls13_ctx *ctx) 250d0445389Sjsing { 251d0445389Sjsing struct tls13_secrets *secrets; 252d0445389Sjsing struct tls13_secret context; 253d0445389Sjsing unsigned char buf[EVP_MAX_MD_SIZE]; 254d0445389Sjsing uint8_t *shared_key = NULL; 255d0445389Sjsing size_t shared_key_len = 0; 256d0445389Sjsing size_t hash_len; 257d0445389Sjsing SSL *s = ctx->ssl; 258d0445389Sjsing int ret = 0; 259d0445389Sjsing 260d0445389Sjsing if (!tls13_key_share_derive(ctx->hs->key_share, 261d0445389Sjsing &shared_key, &shared_key_len)) 262d0445389Sjsing goto err; 263d0445389Sjsing 264d0445389Sjsing s->session->cipher = S3I(s)->hs.new_cipher; 265d0445389Sjsing s->session->ssl_version = ctx->hs->server_version; 266d0445389Sjsing 267d0445389Sjsing if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) 268d0445389Sjsing goto err; 269d0445389Sjsing if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) 270d0445389Sjsing goto err; 271d0445389Sjsing 272d0445389Sjsing if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) 273d0445389Sjsing goto err; 274d0445389Sjsing ctx->hs->secrets = secrets; 275d0445389Sjsing 276d0445389Sjsing /* XXX - pass in hash. */ 277d0445389Sjsing if (!tls1_transcript_hash_init(s)) 278d0445389Sjsing goto err; 279d0445389Sjsing tls1_transcript_free(s); 280d0445389Sjsing if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) 281d0445389Sjsing goto err; 282d0445389Sjsing context.data = buf; 283d0445389Sjsing context.len = hash_len; 284d0445389Sjsing 285d0445389Sjsing /* Early secrets. */ 286d0445389Sjsing if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, 287d0445389Sjsing secrets->zeros.len, &context)) 288d0445389Sjsing goto err; 289d0445389Sjsing 290d0445389Sjsing /* Handshake secrets. */ 291d0445389Sjsing if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, 292d0445389Sjsing shared_key_len, &context)) 293d0445389Sjsing goto err; 294d0445389Sjsing 295d0445389Sjsing tls13_record_layer_set_aead(ctx->rl, ctx->aead); 296d0445389Sjsing tls13_record_layer_set_hash(ctx->rl, ctx->hash); 297d0445389Sjsing 298d0445389Sjsing if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 299d0445389Sjsing &secrets->client_handshake_traffic)) 300d0445389Sjsing goto err; 301d0445389Sjsing if (!tls13_record_layer_set_write_traffic_key(ctx->rl, 302d0445389Sjsing &secrets->server_handshake_traffic)) 303d0445389Sjsing goto err; 304d0445389Sjsing 305d0445389Sjsing ctx->handshake_stage.hs_type |= NEGOTIATED; 306d0445389Sjsing if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) 307d0445389Sjsing ctx->handshake_stage.hs_type |= WITHOUT_CR; 308d0445389Sjsing 309d0445389Sjsing ret = 1; 310d0445389Sjsing 311d0445389Sjsing err: 312d0445389Sjsing freezero(shared_key, shared_key_len); 313d0445389Sjsing return ret; 314d0445389Sjsing } 315d0445389Sjsing 316d0445389Sjsing int 3177752f9fdSjsing tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) 3187752f9fdSjsing { 319f62c22f4Sjsing int nid; 320f62c22f4Sjsing 321f62c22f4Sjsing if (!tls13_synthetic_handshake_message(ctx)) 3227752f9fdSjsing return 0; 323f62c22f4Sjsing 324f62c22f4Sjsing if (ctx->hs->key_share != NULL) 325f62c22f4Sjsing return 0; 326f62c22f4Sjsing if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) 327f62c22f4Sjsing return 0; 328f62c22f4Sjsing if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) 329f62c22f4Sjsing return 0; 330f62c22f4Sjsing 331f62c22f4Sjsing if (!tls13_server_hello_build(ctx, cbb, 1)) 332f62c22f4Sjsing return 0; 333f62c22f4Sjsing 334f62c22f4Sjsing return 1; 3357752f9fdSjsing } 3367752f9fdSjsing 3377752f9fdSjsing int 3387752f9fdSjsing tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) 3397752f9fdSjsing { 340f62c22f4Sjsing SSL *s = ctx->ssl; 341f62c22f4Sjsing 342f62c22f4Sjsing if (!tls13_client_hello_process(ctx, cbs)) 3437752f9fdSjsing return 0; 344f62c22f4Sjsing 345f62c22f4Sjsing /* XXX - need further checks. */ 346f62c22f4Sjsing if (s->method->internal->version < TLS1_3_VERSION) 347f62c22f4Sjsing return 0; 348f62c22f4Sjsing 349f62c22f4Sjsing return 1; 3507752f9fdSjsing } 3517752f9fdSjsing 3527752f9fdSjsing int 3537752f9fdSjsing tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) 3547752f9fdSjsing { 3557752f9fdSjsing if (ctx->hs->key_share == NULL) 3567752f9fdSjsing return 0; 3577752f9fdSjsing if (!tls13_key_share_generate(ctx->hs->key_share)) 3587752f9fdSjsing return 0; 3597752f9fdSjsing 360f62c22f4Sjsing ctx->hs->server_group = 0; 361f62c22f4Sjsing 362f62c22f4Sjsing if (!tls13_server_hello_build(ctx, cbb, 0)) 3637752f9fdSjsing return 0; 3647752f9fdSjsing 3657752f9fdSjsing return 1; 3667752f9fdSjsing } 3677752f9fdSjsing 3687752f9fdSjsing int 3697752f9fdSjsing tls13_server_hello_sent(struct tls13_ctx *ctx) 3707752f9fdSjsing { 3717752f9fdSjsing return tls13_server_engage_record_protection(ctx); 3727752f9fdSjsing } 3737752f9fdSjsing 3747752f9fdSjsing int 375d0445389Sjsing tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) 376d0445389Sjsing { 377d0445389Sjsing if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_EE)) 378d0445389Sjsing goto err; 379d0445389Sjsing 380d0445389Sjsing return 1; 381d0445389Sjsing err: 382eb818a3eSjsing return 0; 383eb818a3eSjsing } 384eb818a3eSjsing 385eb818a3eSjsing int 386d0445389Sjsing tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) 387eb818a3eSjsing { 388d0445389Sjsing CBB certificate_request_context; 389d0445389Sjsing 390d0445389Sjsing if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) 391d0445389Sjsing goto err; 392d0445389Sjsing if (!tlsext_server_build(ctx->ssl, cbb, SSL_TLSEXT_MSG_CR)) 393d0445389Sjsing goto err; 394d0445389Sjsing 395d0445389Sjsing if (!CBB_flush(cbb)) 396d0445389Sjsing goto err; 397d0445389Sjsing 398d0445389Sjsing return 1; 399d0445389Sjsing err: 400eb818a3eSjsing return 0; 401eb818a3eSjsing } 402eb818a3eSjsing 403eb818a3eSjsing int 404d0445389Sjsing tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) 405d0445389Sjsing { 406d0445389Sjsing SSL *s = ctx->ssl; 407d0445389Sjsing CBB cert_request_context, cert_list; 408d0445389Sjsing STACK_OF(X509) *chain; 409d0445389Sjsing CERT_PKEY *cpk; 410d0445389Sjsing X509 *cert; 411d0445389Sjsing int i, ret = 0; 412d0445389Sjsing 413d0445389Sjsing /* XXX - Need to revisit certificate selection. */ 414d0445389Sjsing cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 415d0445389Sjsing 416d0445389Sjsing if ((chain = cpk->chain) == NULL) 417d0445389Sjsing chain = s->ctx->extra_certs; 418d0445389Sjsing 419d0445389Sjsing if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) 420d0445389Sjsing goto err; 421d0445389Sjsing if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) 422d0445389Sjsing goto err; 423d0445389Sjsing 424d0445389Sjsing if (cpk->x509 == NULL) 425d0445389Sjsing goto done; 426d0445389Sjsing 427d0445389Sjsing if (!tls13_cert_add(&cert_list, cpk->x509)) 428d0445389Sjsing goto err; 429d0445389Sjsing 430d0445389Sjsing for (i = 0; i < sk_X509_num(chain); i++) { 431d0445389Sjsing cert = sk_X509_value(chain, i); 432d0445389Sjsing if (!tls13_cert_add(&cert_list, cert)) 433d0445389Sjsing goto err; 434d0445389Sjsing } 435d0445389Sjsing 436d0445389Sjsing done: 437d0445389Sjsing if (!CBB_flush(cbb)) 438d0445389Sjsing goto err; 439d0445389Sjsing 440d0445389Sjsing ret = 1; 441d0445389Sjsing 442d0445389Sjsing err: 443d0445389Sjsing return ret; 444d0445389Sjsing } 445d0445389Sjsing 446d0445389Sjsing int 447d0445389Sjsing tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) 448d0445389Sjsing { 449d0445389Sjsing SSL *s = ctx->ssl; 450d0445389Sjsing const struct ssl_sigalg *sigalg = NULL; 451d0445389Sjsing uint8_t *sig = NULL, *sig_content = NULL; 452d0445389Sjsing size_t sig_len, sig_content_len; 453d0445389Sjsing EVP_MD_CTX *mdctx = NULL; 454d0445389Sjsing EVP_PKEY_CTX *pctx; 455d0445389Sjsing EVP_PKEY *pkey; 456d0445389Sjsing CERT_PKEY *cpk; 457d0445389Sjsing CBB sig_cbb; 458d0445389Sjsing int ret = 0; 459d0445389Sjsing 460d0445389Sjsing memset(&sig_cbb, 0, sizeof(sig_cbb)); 461d0445389Sjsing 462d0445389Sjsing /* XXX - Need to revisit certificate selection. */ 463d0445389Sjsing cpk = &s->cert->pkeys[SSL_PKEY_RSA_ENC]; 464d0445389Sjsing pkey = cpk->privatekey; 465d0445389Sjsing 466d0445389Sjsing if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { 467d0445389Sjsing /* XXX - SSL_R_SIGNATURE_ALGORITHMS_ERROR */ 468d0445389Sjsing goto err; 469d0445389Sjsing } 470d0445389Sjsing 471d0445389Sjsing if (!CBB_init(&sig_cbb, 0)) 472d0445389Sjsing goto err; 473d0445389Sjsing if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, 474d0445389Sjsing sizeof(tls13_cert_verify_pad))) 475d0445389Sjsing goto err; 476d0445389Sjsing if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, 477d0445389Sjsing strlen(tls13_cert_server_verify_context))) 478d0445389Sjsing goto err; 479d0445389Sjsing if (!CBB_add_u8(&sig_cbb, 0)) 480d0445389Sjsing goto err; 481d0445389Sjsing if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, 482d0445389Sjsing ctx->hs->transcript_hash_len)) 483d0445389Sjsing goto err; 484d0445389Sjsing if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) 485d0445389Sjsing goto err; 486d0445389Sjsing 487d0445389Sjsing if ((mdctx = EVP_MD_CTX_new()) == NULL) 488d0445389Sjsing goto err; 489d0445389Sjsing if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 490d0445389Sjsing goto err; 491d0445389Sjsing if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 492d0445389Sjsing if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 493d0445389Sjsing goto err; 494d0445389Sjsing if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 495d0445389Sjsing goto err; 496d0445389Sjsing } 497d0445389Sjsing if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) 498d0445389Sjsing goto err; 499d0445389Sjsing if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) 500d0445389Sjsing goto err; 501d0445389Sjsing if ((sig = calloc(1, sig_len)) == NULL) 502d0445389Sjsing goto err; 503d0445389Sjsing if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) 504d0445389Sjsing goto err; 505d0445389Sjsing 506d0445389Sjsing if (!CBB_add_u16(cbb, sigalg->value)) 507d0445389Sjsing goto err; 508d0445389Sjsing if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) 509d0445389Sjsing goto err; 510d0445389Sjsing if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) 511d0445389Sjsing goto err; 512d0445389Sjsing 513d0445389Sjsing if (!CBB_flush(cbb)) 514d0445389Sjsing goto err; 515d0445389Sjsing 516d0445389Sjsing ret = 1; 517d0445389Sjsing 518d0445389Sjsing err: 519d0445389Sjsing if (!ret && ctx->alert == 0) 520c957d00cSjsing ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 521d0445389Sjsing 522d0445389Sjsing CBB_cleanup(&sig_cbb); 523d0445389Sjsing EVP_MD_CTX_free(mdctx); 524d0445389Sjsing free(sig_content); 525d0445389Sjsing free(sig); 526d0445389Sjsing 527d0445389Sjsing return ret; 528d0445389Sjsing } 529d0445389Sjsing 530d0445389Sjsing int 531d0445389Sjsing tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) 532d0445389Sjsing { 533d0445389Sjsing struct tls13_secrets *secrets = ctx->hs->secrets; 534d0445389Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 535d0445389Sjsing struct tls13_secret finished_key; 536d0445389Sjsing uint8_t transcript_hash[EVP_MAX_MD_SIZE]; 537d0445389Sjsing size_t transcript_hash_len; 538d0445389Sjsing uint8_t key[EVP_MAX_MD_SIZE]; 539d0445389Sjsing uint8_t *verify_data; 540d0445389Sjsing size_t hmac_len; 541d0445389Sjsing unsigned int hlen; 542d0445389Sjsing HMAC_CTX *hmac_ctx = NULL; 543d0445389Sjsing int ret = 0; 544d0445389Sjsing 545d0445389Sjsing finished_key.data = key; 546d0445389Sjsing finished_key.len = EVP_MD_size(ctx->hash); 547d0445389Sjsing 548d0445389Sjsing if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 549d0445389Sjsing &secrets->server_handshake_traffic, "finished", 550d0445389Sjsing &context)) 551d0445389Sjsing goto err; 552d0445389Sjsing 553d0445389Sjsing if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, 554d0445389Sjsing sizeof(transcript_hash), &transcript_hash_len)) 555d0445389Sjsing goto err; 556d0445389Sjsing 557d0445389Sjsing if ((hmac_ctx = HMAC_CTX_new()) == NULL) 558d0445389Sjsing goto err; 559d0445389Sjsing if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 560d0445389Sjsing ctx->hash, NULL)) 561d0445389Sjsing goto err; 562d0445389Sjsing if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) 563d0445389Sjsing goto err; 564d0445389Sjsing 565d0445389Sjsing hmac_len = HMAC_size(hmac_ctx); 566d0445389Sjsing if (!CBB_add_space(cbb, &verify_data, hmac_len)) 567d0445389Sjsing goto err; 568d0445389Sjsing if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 569d0445389Sjsing goto err; 570d0445389Sjsing if (hlen != hmac_len) 571d0445389Sjsing goto err; 572d0445389Sjsing 573d0445389Sjsing ret = 1; 574d0445389Sjsing 575d0445389Sjsing err: 576d0445389Sjsing HMAC_CTX_free(hmac_ctx); 577d0445389Sjsing 578d0445389Sjsing return ret; 579d0445389Sjsing } 580d0445389Sjsing 581d0445389Sjsing int 582d0445389Sjsing tls13_server_finished_sent(struct tls13_ctx *ctx) 583d0445389Sjsing { 584d0445389Sjsing struct tls13_secrets *secrets = ctx->hs->secrets; 585d0445389Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 586d0445389Sjsing 587d0445389Sjsing /* 588d0445389Sjsing * Derive application traffic keys. 589d0445389Sjsing */ 590d0445389Sjsing context.data = ctx->hs->transcript_hash; 591d0445389Sjsing context.len = ctx->hs->transcript_hash_len; 592d0445389Sjsing 593d0445389Sjsing if (!tls13_derive_application_secrets(secrets, &context)) 594d0445389Sjsing return 0; 595d0445389Sjsing 596d0445389Sjsing /* 597d0445389Sjsing * Any records following the server finished message must be encrypted 598d0445389Sjsing * using the server application traffic keys. 599d0445389Sjsing */ 600d0445389Sjsing return tls13_record_layer_set_write_traffic_key(ctx->rl, 601d0445389Sjsing &secrets->server_application_traffic); 602d0445389Sjsing } 603d0445389Sjsing 604d0445389Sjsing int 6050571c2d6Sjsing tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) 606eb818a3eSjsing { 607f25edc96Sbeck CBS cert_request_context, cert_list, cert_data, cert_exts; 608f25edc96Sbeck struct stack_st_X509 *certs = NULL; 609f25edc96Sbeck SSL *s = ctx->ssl; 610f25edc96Sbeck X509 *cert = NULL; 611f25edc96Sbeck EVP_PKEY *pkey; 612f25edc96Sbeck const uint8_t *p; 613f25edc96Sbeck int cert_idx; 614f25edc96Sbeck int ret = 0; 615f25edc96Sbeck 616f25edc96Sbeck if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) 617f25edc96Sbeck goto err; 618f25edc96Sbeck if (CBS_len(&cert_request_context) != 0) 619f25edc96Sbeck goto err; 620f25edc96Sbeck if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) 621f25edc96Sbeck goto err; 622*94ac48a6Sjsing if (CBS_len(&cert_list) == 0) { 623*94ac48a6Sjsing if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) 624f25edc96Sbeck return 1; 625*94ac48a6Sjsing ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; 626*94ac48a6Sjsing tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, 627*94ac48a6Sjsing "peer did not provide a certificate", NULL); 628*94ac48a6Sjsing goto err; 629*94ac48a6Sjsing } 630f25edc96Sbeck 631f25edc96Sbeck if ((certs = sk_X509_new_null()) == NULL) 632f25edc96Sbeck goto err; 633f25edc96Sbeck while (CBS_len(&cert_list) > 0) { 634f25edc96Sbeck if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) 635f25edc96Sbeck goto err; 636f25edc96Sbeck if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) 637f25edc96Sbeck goto err; 638f25edc96Sbeck 639f25edc96Sbeck p = CBS_data(&cert_data); 640f25edc96Sbeck if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) 641f25edc96Sbeck goto err; 642f25edc96Sbeck if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) 643f25edc96Sbeck goto err; 644f25edc96Sbeck 645f25edc96Sbeck if (!sk_X509_push(certs, cert)) 646f25edc96Sbeck goto err; 647f25edc96Sbeck 648f25edc96Sbeck cert = NULL; 649f25edc96Sbeck } 650f25edc96Sbeck 651f25edc96Sbeck /* 652f25edc96Sbeck * At this stage we still have no proof of possession. As such, it would 653f25edc96Sbeck * be preferable to keep the chain and verify once we have successfully 654f25edc96Sbeck * processed the CertificateVerify message. 655f25edc96Sbeck */ 656*94ac48a6Sjsing if (ssl_verify_cert_chain(s, certs) <= 0) { 657f25edc96Sbeck ctx->alert = ssl_verify_alarm_type(s->verify_result); 658f25edc96Sbeck tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, 659f25edc96Sbeck "failed to verify peer certificate", NULL); 660f25edc96Sbeck goto err; 661f25edc96Sbeck } 662f25edc96Sbeck ERR_clear_error(); 663f25edc96Sbeck 664f25edc96Sbeck cert = sk_X509_value(certs, 0); 665f25edc96Sbeck X509_up_ref(cert); 666f25edc96Sbeck 667f25edc96Sbeck if ((pkey = X509_get0_pubkey(cert)) == NULL) 668f25edc96Sbeck goto err; 669f25edc96Sbeck if (EVP_PKEY_missing_parameters(pkey)) 670f25edc96Sbeck goto err; 671f25edc96Sbeck if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) 672f25edc96Sbeck goto err; 673f25edc96Sbeck 674f25edc96Sbeck ssl_sess_cert_free(SSI(s)->sess_cert); 675f25edc96Sbeck if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) 676f25edc96Sbeck goto err; 677f25edc96Sbeck 678f25edc96Sbeck SSI(s)->sess_cert->cert_chain = certs; 679f25edc96Sbeck certs = NULL; 680f25edc96Sbeck 681f25edc96Sbeck X509_up_ref(cert); 682f25edc96Sbeck SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; 683f25edc96Sbeck SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); 684f25edc96Sbeck 685f25edc96Sbeck X509_free(s->session->peer); 686f25edc96Sbeck 687f25edc96Sbeck X509_up_ref(cert); 688f25edc96Sbeck s->session->peer = cert; 689f25edc96Sbeck s->session->verify_result = s->verify_result; 690f25edc96Sbeck 691f25edc96Sbeck ctx->handshake_stage.hs_type |= WITH_CCV; 692f25edc96Sbeck ret = 1; 693f25edc96Sbeck 694f25edc96Sbeck err: 695f25edc96Sbeck sk_X509_pop_free(certs, X509_free); 696f25edc96Sbeck X509_free(cert); 697f25edc96Sbeck 698f25edc96Sbeck return ret; 699eb818a3eSjsing } 700eb818a3eSjsing 701eb818a3eSjsing int 7020571c2d6Sjsing tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) 703eb818a3eSjsing { 704f25edc96Sbeck const struct ssl_sigalg *sigalg; 705f25edc96Sbeck uint16_t signature_scheme; 706f25edc96Sbeck uint8_t *sig_content = NULL; 707f25edc96Sbeck size_t sig_content_len; 708f25edc96Sbeck EVP_MD_CTX *mdctx = NULL; 709f25edc96Sbeck EVP_PKEY_CTX *pctx; 710f25edc96Sbeck EVP_PKEY *pkey; 711f25edc96Sbeck X509 *cert; 712f25edc96Sbeck CBS signature; 713f25edc96Sbeck CBB cbb; 714f25edc96Sbeck int ret = 0; 715f25edc96Sbeck 716f25edc96Sbeck memset(&cbb, 0, sizeof(cbb)); 717f25edc96Sbeck 718f25edc96Sbeck if (!CBS_get_u16(cbs, &signature_scheme)) 719f25edc96Sbeck goto err; 720f25edc96Sbeck if (!CBS_get_u16_length_prefixed(cbs, &signature)) 721f25edc96Sbeck goto err; 722f25edc96Sbeck 723f25edc96Sbeck if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, 724f25edc96Sbeck tls13_sigalgs_len)) == NULL) 725f25edc96Sbeck goto err; 726f25edc96Sbeck 727f25edc96Sbeck if (!CBB_init(&cbb, 0)) 728f25edc96Sbeck goto err; 729f25edc96Sbeck if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, 730f25edc96Sbeck sizeof(tls13_cert_verify_pad))) 731f25edc96Sbeck goto err; 732f25edc96Sbeck if (!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, 733f25edc96Sbeck strlen(tls13_cert_client_verify_context))) 734f25edc96Sbeck goto err; 735f25edc96Sbeck if (!CBB_add_u8(&cbb, 0)) 736f25edc96Sbeck goto err; 737f25edc96Sbeck if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, 738f25edc96Sbeck ctx->hs->transcript_hash_len)) 739f25edc96Sbeck goto err; 740f25edc96Sbeck if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) 741f25edc96Sbeck goto err; 742f25edc96Sbeck 743f25edc96Sbeck if ((cert = ctx->ssl->session->peer) == NULL) 744f25edc96Sbeck goto err; 745f25edc96Sbeck if ((pkey = X509_get0_pubkey(cert)) == NULL) 746f25edc96Sbeck goto err; 747f25edc96Sbeck if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) 748f25edc96Sbeck goto err; 749f25edc96Sbeck 750f25edc96Sbeck if (CBS_len(&signature) > EVP_PKEY_size(pkey)) 751f25edc96Sbeck goto err; 752f25edc96Sbeck 753f25edc96Sbeck if ((mdctx = EVP_MD_CTX_new()) == NULL) 754f25edc96Sbeck goto err; 755f25edc96Sbeck if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) 756f25edc96Sbeck goto err; 757f25edc96Sbeck if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { 758f25edc96Sbeck if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) 759f25edc96Sbeck goto err; 760f25edc96Sbeck if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) 761f25edc96Sbeck goto err; 762f25edc96Sbeck } 763f25edc96Sbeck if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { 764c957d00cSjsing ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 765f25edc96Sbeck goto err; 766f25edc96Sbeck } 767f25edc96Sbeck if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), 768f25edc96Sbeck CBS_len(&signature)) <= 0) { 769c957d00cSjsing ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 770f25edc96Sbeck goto err; 771f25edc96Sbeck } 772f25edc96Sbeck 773f25edc96Sbeck ret = 1; 774f25edc96Sbeck 775f25edc96Sbeck err: 776f25edc96Sbeck if (!ret && ctx->alert == 0) { 777c957d00cSjsing ctx->alert = TLS13_ALERT_DECODE_ERROR; 778f25edc96Sbeck } 779f25edc96Sbeck CBB_cleanup(&cbb); 780f25edc96Sbeck EVP_MD_CTX_free(mdctx); 781f25edc96Sbeck free(sig_content); 782f25edc96Sbeck 783f25edc96Sbeck return ret; 784eb818a3eSjsing } 785eb818a3eSjsing 786eb818a3eSjsing int 787d0445389Sjsing tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) 788eb818a3eSjsing { 789eb818a3eSjsing return 0; 790eb818a3eSjsing } 791eb818a3eSjsing 792eb818a3eSjsing int 79318f4ffe1Sjsing tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) 79418f4ffe1Sjsing { 79518f4ffe1Sjsing struct tls13_secrets *secrets = ctx->hs->secrets; 79618f4ffe1Sjsing struct tls13_secret context = { .data = "", .len = 0 }; 79718f4ffe1Sjsing struct tls13_secret finished_key; 79818f4ffe1Sjsing uint8_t *verify_data = NULL; 79918f4ffe1Sjsing size_t verify_data_len; 80018f4ffe1Sjsing uint8_t key[EVP_MAX_MD_SIZE]; 80118f4ffe1Sjsing HMAC_CTX *hmac_ctx = NULL; 80218f4ffe1Sjsing unsigned int hlen; 80318f4ffe1Sjsing int ret = 0; 80418f4ffe1Sjsing 80518f4ffe1Sjsing /* 80618f4ffe1Sjsing * Verify client finished. 80718f4ffe1Sjsing */ 80818f4ffe1Sjsing finished_key.data = key; 80918f4ffe1Sjsing finished_key.len = EVP_MD_size(ctx->hash); 81018f4ffe1Sjsing 81118f4ffe1Sjsing if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, 81218f4ffe1Sjsing &secrets->client_handshake_traffic, "finished", 81318f4ffe1Sjsing &context)) 81418f4ffe1Sjsing goto err; 81518f4ffe1Sjsing 81618f4ffe1Sjsing if ((hmac_ctx = HMAC_CTX_new()) == NULL) 81718f4ffe1Sjsing goto err; 81818f4ffe1Sjsing if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, 81918f4ffe1Sjsing ctx->hash, NULL)) 82018f4ffe1Sjsing goto err; 82118f4ffe1Sjsing if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, 82218f4ffe1Sjsing ctx->hs->transcript_hash_len)) 82318f4ffe1Sjsing goto err; 82418f4ffe1Sjsing verify_data_len = HMAC_size(hmac_ctx); 82518f4ffe1Sjsing if ((verify_data = calloc(1, verify_data_len)) == NULL) 82618f4ffe1Sjsing goto err; 82718f4ffe1Sjsing if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) 82818f4ffe1Sjsing goto err; 82918f4ffe1Sjsing if (hlen != verify_data_len) 83018f4ffe1Sjsing goto err; 83118f4ffe1Sjsing 83218f4ffe1Sjsing if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { 833c957d00cSjsing ctx->alert = TLS13_ALERT_DECRYPT_ERROR; 83418f4ffe1Sjsing goto err; 83518f4ffe1Sjsing } 83618f4ffe1Sjsing 83718f4ffe1Sjsing if (!CBS_skip(cbs, verify_data_len)) 83818f4ffe1Sjsing goto err; 83918f4ffe1Sjsing 84018f4ffe1Sjsing /* 84118f4ffe1Sjsing * Any records following the client finished message must be encrypted 84218f4ffe1Sjsing * using the client application traffic keys. 84318f4ffe1Sjsing */ 84418f4ffe1Sjsing if (!tls13_record_layer_set_read_traffic_key(ctx->rl, 84518f4ffe1Sjsing &secrets->client_application_traffic)) 84618f4ffe1Sjsing goto err; 84718f4ffe1Sjsing 84818f4ffe1Sjsing tls13_record_layer_allow_ccs(ctx->rl, 0); 84918f4ffe1Sjsing 85018f4ffe1Sjsing ret = 1; 85118f4ffe1Sjsing 85218f4ffe1Sjsing err: 85318f4ffe1Sjsing HMAC_CTX_free(hmac_ctx); 85418f4ffe1Sjsing free(verify_data); 85518f4ffe1Sjsing 85618f4ffe1Sjsing return ret; 857eb818a3eSjsing } 858