From 6484776f177b38dd668618a75bee58674ca42578 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 11 Nov 2016 00:20:19 +0000
Subject: [PATCH] Create the Finished message payload

The previous commit had a dummy payload for the Finished data. This commit
fills it in with a real value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
---
 ssl/ssl_locl.h  |  2 ++
 ssl/tls13_enc.c | 56 ++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 46 insertions(+), 12 deletions(-)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e9ba0f62c5..798a8f72e1 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -955,6 +955,8 @@ struct ssl_st {
      */
     unsigned char early_secret[EVP_MAX_MD_SIZE];
     unsigned char handshake_secret[EVP_MAX_MD_SIZE];
+    unsigned char client_finished_secret[EVP_MAX_MD_SIZE];
+    unsigned char server_finished_secret[EVP_MAX_MD_SIZE];
     EVP_CIPHER_CTX *enc_read_ctx; /* cryptographic state */
     EVP_MD_CTX *read_hash;      /* used for mac generation */
     COMP_CTX *compress;         /* compression */
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 65b5dee768..3ffb6153f8 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -19,6 +19,7 @@ static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
 
 static const unsigned char keylabel[] = "key";
 static const unsigned char ivlabel[] = "iv";
+static const unsigned char finishedlabel[] = "finished";
 
 /*
  * Given a |secret|; a |label| of length |labellen|; and a |hash| of the
@@ -126,6 +127,13 @@ int tls13_derive_iv(SSL *s, const unsigned char *secret, unsigned char *iv,
                              iv, ivlen);
 }
 
+static int tls13_derive_finishedkey(SSL *s, const unsigned char *secret,
+                                 unsigned char *fin, size_t finlen)
+{
+    return tls13_hkdf_expand(s, secret, finishedlabel,
+                             sizeof(finishedlabel) - 1, NULL, fin, finlen);
+}
+
 /*
  * Given the previous secret |prevsecret| and a new input secret |insecret| of
  * length |insecretlen|, generate a new secret and store it in the location
@@ -222,18 +230,34 @@ int tls13_generate_master_secret(SSL *s, unsigned char *out,
 size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
                              unsigned char *out)
 {
-    size_t hashlen;
-    const EVP_MD *md;
+    const EVP_MD *md = ssl_handshake_md(s);
+    unsigned char hash[EVP_MAX_MD_SIZE];
+    size_t hashlen, ret = 0;
+    EVP_PKEY *key = NULL;
+    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 
-    /*
-     * TODO(TLS1.3): This is a dummy implementation for now. We need to come
-     * back and fill this in.
-     */
-    md = ssl_handshake_md(s);
-    hashlen = EVP_MD_size(md);
-    memset(out, 0, hashlen);
+    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen))
+        goto err;
 
-    return hashlen;
+    if (str == s->method->ssl3_enc->server_finished_label)
+        key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
+                                   s->server_finished_secret, hashlen);
+    else
+        key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
+                                   s->client_finished_secret, hashlen);
+
+    if (key == NULL
+            || ctx == NULL
+            || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0
+            || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0
+            || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0)
+        goto err;
+
+    ret = hashlen;
+ err:
+    EVP_PKEY_free(key);
+    EVP_MD_CTX_free(ctx);
+    return ret;
 }
 
 /*
@@ -276,9 +300,10 @@ int tls13_change_cipher_state(SSL *s, int which)
     unsigned char iv[EVP_MAX_IV_LENGTH];
     unsigned char secret[EVP_MAX_MD_SIZE];
     unsigned char *insecret;
+    unsigned char *finsecret = NULL;
     EVP_CIPHER_CTX *ciph_ctx;
     const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;;
-    size_t ivlen, keylen;
+    size_t ivlen, keylen, finsecretlen;
     const unsigned char *label;
     size_t labellen;
 
@@ -314,6 +339,8 @@ int tls13_change_cipher_state(SSL *s, int which)
             || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
         if (which & SSL3_CC_HANDSHAKE) {
             insecret = s->handshake_secret;
+            finsecret = s->client_finished_secret;
+            finsecretlen = sizeof(s->client_finished_secret);
             label = client_handshake_traffic;
             labellen = sizeof(client_handshake_traffic) - 1;
         } else {
@@ -324,6 +351,8 @@ int tls13_change_cipher_state(SSL *s, int which)
     } else {
         if (which & SSL3_CC_HANDSHAKE) {
             insecret = s->handshake_secret;
+            finsecret = s->server_finished_secret;
+            finsecretlen = sizeof(s->server_finished_secret);
             label = server_handshake_traffic;
             labellen = sizeof(server_handshake_traffic) - 1;
         } else {
@@ -349,7 +378,10 @@ int tls13_change_cipher_state(SSL *s, int which)
         ivlen = EVP_CIPHER_iv_length(ciph);
 
     if (!tls13_derive_key(s, secret, key, keylen)
-            || !tls13_derive_iv(s, secret, iv, ivlen)) {
+            || !tls13_derive_iv(s, secret, iv, ivlen)
+            || (finsecret != NULL && !tls13_derive_finishedkey(s, secret,
+                                                               finsecret,
+                                                               finsecretlen))) {
         SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
         goto err;
     }
-- 
2.34.1