1 files changed, 130 insertions, 1 deletions
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index d15ab65105..b3209c063c 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.6 2019/02/11 17:48:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.7 2019/02/13 16:28:28 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -555,3 +555,132 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
        return ret;
 }
+int
+tls13_server_finished_recv(struct tls13_ctx *ctx)
+{
+        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secret context = { .data = "", .len = 0 };
+        struct tls13_secret finished_key;
+        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+        size_t transcript_hash_len;
+        uint8_t *verify_data = NULL;
+        size_t verify_data_len;
+        uint8_t key[EVP_MAX_MD_SIZE];
+        HMAC_CTX *hmac_ctx = NULL;
+        unsigned int hlen;
+        int ret = 0;
+        CBS cbs;
+        if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
+                goto err;
+        /*
+         * Verify server finished.
+         */
+        finished_key.data = key;
+        finished_key.len = EVP_MD_size(ctx->hash);
+        if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
+            &secrets->server_handshake_traffic, "finished",
+            &context))
+                goto err;
+        if ((hmac_ctx = HMAC_CTX_new()) == NULL)
+                goto err;
+        if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
+            ctx->hash, NULL))
+                goto err;
+        if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
+            ctx->hs->transcript_hash_len))
+                goto err;
+        verify_data_len = HMAC_size(hmac_ctx);
+        if ((verify_data = calloc(1, verify_data_len)) == NULL)
+                goto err;
+        if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
+                goto err;
+        if (hlen != verify_data_len)
+                goto err;
+        if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
+                /* XXX - send alert. */
+                goto err;
+        }
+        /*
+         * Derive application traffic keys.
+         */
+        if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
+            sizeof(transcript_hash), &transcript_hash_len))
+                goto err;
+        context.data = transcript_hash;
+        context.len = transcript_hash_len;
+        if (!tls13_derive_application_secrets(secrets, &context))
+                return TLS13_IO_FAILURE;
+        ret = 1;
+ err:
+        HMAC_CTX_free(hmac_ctx);
+        free(verify_data);
+        return ret;
+}
+int
+tls13_client_finished_send(struct tls13_ctx *ctx)
+{
+        struct tls13_secrets *secrets = ctx->hs->secrets;
+        struct tls13_secret context = { .data = "", .len = 0 };
+        struct tls13_secret finished_key;
+        uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+        size_t transcript_hash_len;
+        uint8_t key[EVP_MAX_MD_SIZE];
+        uint8_t *verify_data;
+        size_t hmac_len;
+        unsigned int hlen;
+        HMAC_CTX *hmac_ctx = NULL;
+        int ret = 0;
+        CBB body;
+        finished_key.data = key;
+        finished_key.len = EVP_MD_size(ctx->hash);
+        if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
+            &secrets->client_handshake_traffic, "finished",
+            &context))
+                goto err;
+        if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
+            sizeof(transcript_hash), &transcript_hash_len))
+                goto err;
+        if ((hmac_ctx = HMAC_CTX_new()) == NULL)
+                goto err;
+        if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
+            ctx->hash, NULL))
+                goto err;
+        if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
+                goto err;
+        if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
+                goto err;
+        hmac_len = HMAC_size(hmac_ctx);
+        if (!CBB_add_space(&body, &verify_data, hmac_len))
+                goto err;
+        if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
+                goto err;
+        if (hlen != hmac_len)
+                goto err;
+        if (!tls13_handshake_msg_finish(ctx->hs_msg))
+                goto err;
+        ret = 1;
+ err:
+        HMAC_CTX_free(hmac_ctx);
+        return ret;
+}

diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c index d15ab65105..b3209c063c 100644 --- a/src/lib/libssl/tls13_client.c +++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_client.c,v 1.6 2019/02/11 17:48:15 jsing Exp $ */	1	/* $OpenBSD: tls13_client.c,v 1.7 2019/02/13 16:28:28 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -555,3 +555,132 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
555		555
556	return ret;	556	return ret;
557	}	557	}
		558
		559	int
		560	tls13_server_finished_recv(struct tls13_ctx *ctx)
		561	{
		562	struct tls13_secrets *secrets = ctx->hs->secrets;
		563	struct tls13_secret context = { .data = "", .len = 0 };
		564	struct tls13_secret finished_key;
		565	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
		566	size_t transcript_hash_len;
		567	uint8_t *verify_data = NULL;
		568	size_t verify_data_len;
		569	uint8_t key[EVP_MAX_MD_SIZE];
		570	HMAC_CTX *hmac_ctx = NULL;
		571	unsigned int hlen;
		572	int ret = 0;
		573	CBS cbs;
		574
		575	if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
		576	goto err;
		577
		578	/*
		579	* Verify server finished.
		580	*/
		581	finished_key.data = key;
		582	finished_key.len = EVP_MD_size(ctx->hash);
		583
		584	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
		585	&secrets->server_handshake_traffic, "finished",
		586	&context))
		587	goto err;
		588
		589	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
		590	goto err;
		591	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
		592	ctx->hash, NULL))
		593	goto err;
		594	if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
		595	ctx->hs->transcript_hash_len))
		596	goto err;
		597	verify_data_len = HMAC_size(hmac_ctx);
		598	if ((verify_data = calloc(1, verify_data_len)) == NULL)
		599	goto err;
		600	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
		601	goto err;
		602	if (hlen != verify_data_len)
		603	goto err;
		604
		605	if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
		606	/* XXX - send alert. */
		607	goto err;
		608	}
		609
		610	/*
		611	* Derive application traffic keys.
		612	*/
		613	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
		614	sizeof(transcript_hash), &transcript_hash_len))
		615	goto err;
		616
		617	context.data = transcript_hash;
		618	context.len = transcript_hash_len;
		619
		620	if (!tls13_derive_application_secrets(secrets, &context))
		621	return TLS13_IO_FAILURE;
		622
		623	ret = 1;
		624
		625	err:
		626	HMAC_CTX_free(hmac_ctx);
		627	free(verify_data);
		628
		629	return ret;
		630	}
		631
		632	int
		633	tls13_client_finished_send(struct tls13_ctx *ctx)
		634	{
		635	struct tls13_secrets *secrets = ctx->hs->secrets;
		636	struct tls13_secret context = { .data = "", .len = 0 };
		637	struct tls13_secret finished_key;
		638	uint8_t transcript_hash[EVP_MAX_MD_SIZE];
		639	size_t transcript_hash_len;
		640	uint8_t key[EVP_MAX_MD_SIZE];
		641	uint8_t *verify_data;
		642	size_t hmac_len;
		643	unsigned int hlen;
		644	HMAC_CTX *hmac_ctx = NULL;
		645	int ret = 0;
		646	CBB body;
		647
		648	finished_key.data = key;
		649	finished_key.len = EVP_MD_size(ctx->hash);
		650
		651	if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
		652	&secrets->client_handshake_traffic, "finished",
		653	&context))
		654	goto err;
		655
		656	if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
		657	sizeof(transcript_hash), &transcript_hash_len))
		658	goto err;
		659
		660	if ((hmac_ctx = HMAC_CTX_new()) == NULL)
		661	goto err;
		662	if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
		663	ctx->hash, NULL))
		664	goto err;
		665	if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
		666	goto err;
		667
		668	if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
		669	goto err;
		670	hmac_len = HMAC_size(hmac_ctx);
		671	if (!CBB_add_space(&body, &verify_data, hmac_len))
		672	goto err;
		673	if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
		674	goto err;
		675	if (hlen != hmac_len)
		676	goto err;
		677	if (!tls13_handshake_msg_finish(ctx->hs_msg))
		678	goto err;
		679
		680	ret = 1;
		681
		682	err:
		683	HMAC_CTX_free(hmac_ctx);
		684
		685	return ret;
		686	}