Handle finished messages in TLSv1.3 client.

This adds support for processing of the server finished message and generation of the client finished message. ok tb@
author: jsing <> 2019-02-13 16:28:28 +0000
committer: jsing <> 2019-02-13 16:28:28 +0000
commit: b28bcd3087cd32cc3213d71970d9cb335eef5b94 (patch)
tree: 965059bf3187665c85fd4348475732e88b489e34 /src
parent: 976e689fa21b88566fb9707a45c85dc8e85b2886 (diff)
download: openbsd-b28bcd3087cd32cc3213d71970d9cb335eef5b94.tar.gz
openbsd-b28bcd3087cd32cc3213d71970d9cb335eef5b94.tar.bz2
openbsd-b28bcd3087cd32cc3213d71970d9cb335eef5b94.zip
2 files changed, 131 insertions, 14 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index d15ab65105..b3209c063c 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.6 2019/02/11 17:48:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.7 2019/02/13 16:28:28 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -555,3 +555,132 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
        return ret;
 }
+int
+tls13_server_finished_recv(struct tls13_ctx *ctx)
+{
+        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secret context = { .data = "", .len = 0 };
+        struct tls13_secret finished_key;
+        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+        size_t transcript_hash_len;
+        uint8_t *verify_data = NULL;
+        size_t verify_data_len;
+        uint8_t key[EVP_MAX_MD_SIZE];
+        HMAC_CTX *hmac_ctx = NULL;
+        unsigned int hlen;
+        int ret = 0;
+        CBS cbs;
+        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
+                goto err;
+        /*
+         * Verify server finished.
+         */
+        finished_key.data = key;
+        finished_key.len = EVP_MD_size(ctx->hash);
+        if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
+            &secrets->server_handshake_traffic, "finished",
+            &context))
+                goto err;
+        if ((hmac_ctx = HMAC_CTX_new()) == NULL)
+                goto err;
+        if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
+            ctx->hash, NULL))
+                goto err;
+        if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
+            ctx->hs->transcript_hash_len))
+                goto err;
+        verify_data_len = HMAC_size(hmac_ctx);
+        if ((verify_data = calloc(1, verify_data_len)) == NULL)
+                goto err;
+        if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
+                goto err;
+        if (hlen != verify_data_len)
+                goto err;
+        if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
+                /* XXX - send alert. */
+                goto err;
+        }
+        /*
+         * Derive application traffic keys.
+         */
+        if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
+            sizeof(transcript_hash), &transcript_hash_len))
+                goto err;
+        context.data = transcript_hash;
+        context.len = transcript_hash_len;
+        if (!tls13_derive_application_secrets(secrets, &context))
+                return TLS13_IO_FAILURE;
+        ret = 1;
+ err:
+        HMAC_CTX_free(hmac_ctx);
+        free(verify_data);
+        return ret;
+}
+int
+tls13_client_finished_send(struct tls13_ctx *ctx)
+{
+        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secret context = { .data = "", .len = 0 };
+        struct tls13_secret finished_key;
+        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+        size_t transcript_hash_len;
+        uint8_t key[EVP_MAX_MD_SIZE];
+        uint8_t *verify_data;
+        size_t hmac_len;
+        unsigned int hlen;
+        HMAC_CTX *hmac_ctx = NULL;
+        int ret = 0;
+        CBB body;
+        finished_key.data = key;
+        finished_key.len = EVP_MD_size(ctx->hash);
+        if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
+            &secrets->client_handshake_traffic, "finished",
+            &context))
+                goto err;
+        if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
+            sizeof(transcript_hash), &transcript_hash_len))
+                goto err;
+        if ((hmac_ctx = HMAC_CTX_new()) == NULL)
+                goto err;
+        if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
+            ctx->hash, NULL))
+                goto err;
+        if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
+                goto err;
+        if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
+                goto err;
+        hmac_len = HMAC_size(hmac_ctx);
+        if (!CBB_add_space(&body, &verify_data, hmac_len))
+                goto err;
+        if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
+                goto err;
+        if (hlen != hmac_len)
+                goto err;
+        if (!tls13_handshake_msg_finish(ctx->hs_msg))
+                goto err;
+        ret = 1;
+ err:
+        HMAC_CTX_free(hmac_ctx);
+        return ret;
+}
diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c
index 3ebf1e9d73..630f81a8a8 100644
--- a/src/lib/libssl/tls13_handshake.c
+++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_handshake.c,v 1.26 2019/02/11 17:48:15 jsing Exp $      */
+/*      $OpenBSD: tls13_handshake.c,v 1.27 2019/02/13 16:28:28 jsing Exp $      */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -459,12 +459,6 @@ tls13_client_finished_recv(struct tls13_ctx *ctx)
 }
 int
-tls13_client_finished_send(struct tls13_ctx *ctx)
-{
-        return 0;
-}
-int
 tls13_client_key_update_send(struct tls13_ctx *ctx)
 {
        return 0;
@@ -509,12 +503,6 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx)
 }
 int
-tls13_server_finished_recv(struct tls13_ctx *ctx)
-{
-        return 0;
-}
-int
 tls13_server_finished_send(struct tls13_ctx *ctx)
 {
        return 0;
author	jsing <>	2019-02-13 16:28:28 +0000
committer	jsing <>	2019-02-13 16:28:28 +0000
commit	b28bcd3087cd32cc3213d71970d9cb335eef5b94 (patch)
tree	965059bf3187665c85fd4348475732e88b489e34 /src
parent	976e689fa21b88566fb9707a45c85dc8e85b2886 (diff)
download	openbsd-b28bcd3087cd32cc3213d71970d9cb335eef5b94.tar.gz openbsd-b28bcd3087cd32cc3213d71970d9cb335eef5b94.tar.bz2 openbsd-b28bcd3087cd32cc3213d71970d9cb335eef5b94.zip

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index d15ab65105..b3209c063c 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.6 2019/02/11 17:48:15 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.7 2019/02/13 16:28:28 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -555,3 +555,132 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
555		555
556	return ret;	556	return ret;
557	}	557	}
		558
		559	int
		560	tls13_server_finished_recv(struct tls13_ctx *ctx)
		561	{
		562	struct tls13_secrets *secrets = ctx->hs->secrets;
		563	struct tls13_secret context = { .data = "", .len = 0 };
		564	struct tls13_secret finished_key;
		565	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
		566	size_t transcript_hash_len;
		567	uint8_t *verify_data = NULL;
		568	size_t verify_data_len;
		569	uint8_t key[EVP_MAX_MD_SIZE];
		570	HMAC_CTX *hmac_ctx = NULL;
		571	unsigned int hlen;
		572	int ret = 0;
		573	CBS cbs;
		574
		575	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
		576	goto err;
		577
		578	/*
		579	* Verify server finished.
		580	*/
		581	finished_key.data = key;
		582	finished_key.len = EVP_MD_size(ctx->hash);
		583
		584	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
		585	&secrets->server_handshake_traffic, "finished",
		586	&context))
		587	goto err;
		588
		589	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
		590	goto err;
		591	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
		592	ctx->hash, NULL))
		593	goto err;
		594	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
		595	ctx->hs->transcript_hash_len))
		596	goto err;
		597	verify_data_len = HMAC_size(hmac_ctx);
		598	if ((verify_data = calloc(1, verify_data_len)) == NULL)
		599	goto err;
		600	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
		601	goto err;
		602	if (hlen != verify_data_len)
		603	goto err;
		604
		605	if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
		606	/* XXX - send alert. */
		607	goto err;
		608	}
		609
		610	/*
		611	* Derive application traffic keys.
		612	*/
		613	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
		614	sizeof(transcript_hash), &transcript_hash_len))
		615	goto err;
		616
		617	context.data = transcript_hash;
		618	context.len = transcript_hash_len;
		619
		620	if (!tls13_derive_application_secrets(secrets, &context))
		621	return TLS13_IO_FAILURE;
		622
		623	ret = 1;
		624
		625	err:
		626	HMAC_CTX_free(hmac_ctx);
		627	free(verify_data);
		628
		629	return ret;
		630	}
		631
		632	int
		633	tls13_client_finished_send(struct tls13_ctx *ctx)
		634	{
		635	struct tls13_secrets *secrets = ctx->hs->secrets;
		636	struct tls13_secret context = { .data = "", .len = 0 };
		637	struct tls13_secret finished_key;
		638	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
		639	size_t transcript_hash_len;
		640	uint8_t key[EVP_MAX_MD_SIZE];
		641	uint8_t *verify_data;
		642	size_t hmac_len;
		643	unsigned int hlen;
		644	HMAC_CTX *hmac_ctx = NULL;
		645	int ret = 0;
		646	CBB body;
		647
		648	finished_key.data = key;
		649	finished_key.len = EVP_MD_size(ctx->hash);
		650
		651	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
		652	&secrets->client_handshake_traffic, "finished",
		653	&context))
		654	goto err;
		655
		656	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
		657	sizeof(transcript_hash), &transcript_hash_len))
		658	goto err;
		659
		660	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
		661	goto err;
		662	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
		663	ctx->hash, NULL))
		664	goto err;
		665	if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
		666	goto err;
		667
		668	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
		669	goto err;
		670	hmac_len = HMAC_size(hmac_ctx);
		671	if (!CBB_add_space(&body, &verify_data, hmac_len))
		672	goto err;
		673	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
		674	goto err;
		675	if (hlen != hmac_len)
		676	goto err;
		677	if (!tls13_handshake_msg_finish(ctx->hs_msg))
		678	goto err;
		679
		680	ret = 1;
		681
		682	err:
		683	HMAC_CTX_free(hmac_ctx);
		684
		685	return ret;
		686	}


diff --git a/src/lib/libssl/tls13_handshake.c b/src/lib/libssl/tls13_handshake.c index 3ebf1e9d73..630f81a8a8 100644 --- a/src/lib/libssl/tls13_handshake.c +++ b/src/lib/libssl/tls13_handshake.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_handshake.c,v 1.26 2019/02/11 17:48:15 jsing Exp $ */	1	/* $OpenBSD: tls13_handshake.c,v 1.27 2019/02/13 16:28:28 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>	3	* Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -459,12 +459,6 @@ tls13_client_finished_recv(struct tls13_ctx *ctx)
459	}	459	}
460		460
461	int	461	int
462	tls13_client_finished_send(struct tls13_ctx *ctx)
463	{
464	return 0;
465	}
466
467	int
468	tls13_client_key_update_send(struct tls13_ctx *ctx)	462	tls13_client_key_update_send(struct tls13_ctx *ctx)
469	{	463	{
470	return 0;	464	return 0;
@@ -509,12 +503,6 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx)
509	}	503	}
510		504
511	int	505	int
512	tls13_server_finished_recv(struct tls13_ctx *ctx)
513	{
514	return 0;
515	}
516
517	int
518	tls13_server_finished_send(struct tls13_ctx *ctx)	506	tls13_server_finished_send(struct tls13_ctx *ctx)
519	{	507	{
520	return 0;	508	return 0;