author | 2019-02-13 16:28:28 +0000 | |
---|---|---|
committer | 2019-02-13 16:28:28 +0000 | |
commit | 61d658999aa7e583d5032e13db1924f28acef89c (patch) | |
tree | 8ac8f6905c77d7a36db84ac68e2f90f2fce53dd3 /lib/libssl | |
parent | Also remove tbl files from CLEANFILES now they are not generated. (diff) | |
download | wireguard-openbsd-61d658999aa7e583d5032e13db1924f28acef89c.tar.xz wireguard-openbsd-61d658999aa7e583d5032e13db1924f28acef89c.zip |
Handle finished messages in TLSv1.3 client.
This adds support for processing of the server finished message and
generation of the client finished message.
ok tb@
Diffstat (limited to 'lib/libssl')
-rw-r--r-- | lib/libssl/tls13_client.c | 131 | ||||
-rw-r--r-- | lib/libssl/tls13_handshake.c | 14 |
2 files changed, 131 insertions, 14 deletions
diff --git a/lib/libssl/tls13_client.c b/lib/libssl/tls13_client.c
index d15ab65105e..b3209c063cb 100644
--- a/lib/libssl/tls13_client.c
+++ b/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.6 2019/02/11 17:48:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.7 2019/02/13 16:28:28 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -555,3 +555,132 @@ tls13_server_certificate_verify_recv(struct tls13_ctx *ctx)
 return ret;
 }
+
+int
+tls13_server_finished_recv(struct tls13_ctx *ctx)
+{
+ struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secret context = { .data = "", .len = 0 };
+ struct tls13_secret finished_key;
+ uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+ size_t transcript_hash_len;
+ uint8_t *verify_data = NULL;
+ size_t verify_data_len;
+ uint8_t key[EVP_MAX_MD_SIZE];
+ HMAC_CTX *hmac_ctx = NULL;
+ unsigned int hlen;
+ int ret = 0;
+ CBS cbs;
+
+ if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs))
+ goto err;
+
+ /*
+ * Verify server finished.
+ */
+ finished_key.data = key;
+ finished_key.len = EVP_MD_size(ctx->hash);
+
+ if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
+ &secrets->server_handshake_traffic, "finished",
+ &context))
+ goto err;
+
+ if ((hmac_ctx = HMAC_CTX_new()) == NULL)
+ goto err;
+ if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
+ ctx->hash, NULL))
+ goto err;
+ if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
+ ctx->hs->transcript_hash_len))
+ goto err;
+ verify_data_len = HMAC_size(hmac_ctx);
+ if ((verify_data = calloc(1, verify_data_len)) == NULL)
+ goto err;
+ if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
+ goto err;
+ if (hlen != verify_data_len)
+ goto err;
+
+ if (!CBS_mem_equal(&cbs, verify_data, verify_data_len)) {
+ /* XXX - send alert. */
+ goto err;
+ }
+
+ /*
+ * Derive application traffic keys.
+ */
+ if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
+ sizeof(transcript_hash), &transcript_hash_len))
+ goto err;
+
+ context.data = transcript_hash;
+ context.len = transcript_hash_len;
+
+ if (!tls13_derive_application_secrets(secrets, &context))
+ return TLS13_IO_FAILURE;
+
+ ret = 1;
+
+ err:
+ HMAC_CTX_free(hmac_ctx);
+ free(verify_data);
+
+ return ret;
+}
+
+int
+tls13_client_finished_send(struct tls13_ctx *ctx)
+{
+ struct tls13_secrets *secrets = ctx->hs->secrets;
+ struct tls13_secret context = { .data = "", .len = 0 };
+ struct tls13_secret finished_key;
+ uint8_t transcript_hash[EVP_MAX_MD_SIZE];
+ size_t transcript_hash_len;
+ uint8_t key[EVP_MAX_MD_SIZE];
+ uint8_t *verify_data;
+ size_t hmac_len;
+ unsigned int hlen;
+ HMAC_CTX *hmac_ctx = NULL;
+ int ret = 0;
+ CBB body;
+
+ finished_key.data = key;
+ finished_key.len = EVP_MD_size(ctx->hash);
+
+ if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
+ &secrets->client_handshake_traffic, "finished",
+ &context))
+ goto err;
+
+ if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash,
+ sizeof(transcript_hash), &transcript_hash_len))
+ goto err;
+
+ if ((hmac_ctx = HMAC_CTX_new()) == NULL)
+ goto err;
+ if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
+ ctx->hash, NULL))
+ goto err;
+ if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
+ goto err;
+
+ if (!tls13_handshake_msg_start(ctx->hs_msg, &body, TLS13_MT_FINISHED))
+ goto err;
+ hmac_len = HMAC_size(hmac_ctx);
+ if (!CBB_add_space(&body, &verify_data, hmac_len))
+ goto err;
+ if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
+ goto err;
+ if (hlen != hmac_len)
+ goto err;
+ if (!tls13_handshake_msg_finish(ctx->hs_msg))
+ goto err;
+
+ ret = 1;
+
+ err:
+ HMAC_CTX_free(hmac_ctx);
+
+ return ret;
+}
diff --git a/lib/libssl/tls13_handshake.c b/lib/libssl/tls13_handshake.c
index 3ebf1e9d737..630f81a8a83 100644
--- a/lib/libssl/tls13_handshake.c
+++ b/lib/libssl/tls13_handshake.c
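Review bot: In tls13_server_finished_recv the failure of tls13_derive_application_secrets() exits with `return TLS13_IO_FAILURE;`, which skips the `err:` label, so hmac_ctx and verify_data are leaked on that path, and it is the only failure in the function that does not return through `ret`. Replacing that line with `goto err;` keeps the cleanup and the return convention uniform. Separately, both new functions leave the derived finished key in the stack buffer `key[]` when they return, and the recv path frees the expected MAC with plain `free()`. Clearing them at `err:` with `explicit_bzero(key, sizeof(key));` and `freezero(verify_data, verify_data_len);` would be cheap hardening, provided `verify_data_len` is initialised to 0 so the early-error paths stay well defined.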
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_handshake.c,v 1.26 2019/02/11 17:48:15 jsing Exp $ */
+/* $OpenBSD: tls13_handshake.c,v 1.27 2019/02/13 16:28:28 jsing Exp $ */
 /*
 * Copyright (c) 2018-2019 Theo Buehler <tb@openbsd.org>
 * Copyright (c) 2019 Joel Sing <jsing@openbsd.org>
@@ -459,12 +459,6 @@ tls13_client_finished_recv(struct tls13_ctx *ctx)
 }
 int
-tls13_client_finished_send(struct tls13_ctx *ctx)
-{
- return 0;
-}
-
-int
 tls13_client_key_update_send(struct tls13_ctx *ctx)
 {
 return 0;
@@ -509,12 +503,6 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx)
 }
 int
-tls13_server_finished_recv(struct tls13_ctx *ctx)
-{
- return 0;
-}
-
-int
 tls13_server_finished_send(struct tls13_ctx *ctx)
 {
 return 0; |