hdkv/yuzu
1
Fork 0
Code Issues Pull Requests Releases 1 Activity

early-access version 2698

Browse Source
This commit is contained in:
pineappleEA
2022-04-24 22:29:35 +02:00
parent c96f949832
commit caa0c2911b
486 changed files with 37806 additions and 14362 deletions
Download Patch File Download Diff File Expand all files Collapse all files

229
externals/libressl/ssl/tls13_server.c vendored
View File

@@ -1,4 +1,4 @@
/* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */
/* $OpenBSD: tls13_server.c,v 1.96 2022/02/03 16:33:12 jsing Exp $ */
/*
* Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -19,8 +19,8 @@
#include <openssl/x509v3.h>
#include "ssl_locl.h"
#include "ssl_sigalgs.h"
#include "ssl_tlsext.h"
#include "tls13_handshake.h"
#include "tls13_internal.h"
@@ -29,12 +29,12 @@ tls13_server_init(struct tls13_ctx *ctx)
{
SSL *s = ctx->ssl;
if (!ssl_supported_version_range(s, &ctx->hs->min_version,
&ctx->hs->max_version)) {
if (!ssl_supported_tls_version_range(s, &ctx->hs->our_min_tls_version,
&ctx->hs->our_max_tls_version)) {
SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE);
return 0;
}
s->version = ctx->hs->max_version;
s->version = ctx->hs->our_max_tls_version;
tls13_record_layer_set_retry_after_phh(ctx->rl,
(s->internal->mode & SSL_MODE_AUTO_RETRY) != 0);
@@ -99,7 +99,7 @@ tls13_client_hello_is_legacy(CBS *cbs)
int
tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
{
SSL *ssl = ctx->ssl;
SSL *s = ctx->ssl;
/*
* RFC 8446, section 9.2. If the ClientHello has supported_versions
@@ -111,10 +111,10 @@ tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
* If we got no pre_shared_key, then signature_algorithms and
* supported_groups must both be present.
*/
if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) {
if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms))
if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms))
return 0;
if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups))
if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups))
return 0;
}
@@ -122,8 +122,8 @@ tls13_client_hello_required_extensions(struct tls13_ctx *ctx)
* supported_groups and key_share must either both be present or
* both be absent.
*/
if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) !=
tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share))
if (tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups) !=
tlsext_extension_seen(s, TLSEXT_TYPE_key_share))
return 0;
/*
@@ -163,6 +163,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
goto err;
return tls13_use_legacy_server(ctx);
}
ctx->hs->negotiated_tls_version = TLS1_3_VERSION;
ctx->hs->peer_legacy_version = legacy_version;
/* Ensure we send subsequent alerts with the correct record version. */
tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
/* Add decoded values to the current ClientHello hash */
if (!tls13_clienthello_hash_init(ctx)) {
@@ -197,7 +202,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
}
/* Finalize first ClientHello hash, or validate against it */
if (!ctx->hs->hrr) {
if (!ctx->hs->tls13.hrr) {
if (!tls13_clienthello_hash_finalize(ctx)) {
ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
goto err;
@@ -207,7 +212,7 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
tls13_clienthello_hash_clear(ctx->hs);
tls13_clienthello_hash_clear(&ctx->hs->tls13);
}
if (!tls13_client_hello_required_extensions(ctx)) {
@@ -225,13 +230,13 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
}
/* Store legacy session identifier so we can echo it. */
if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) {
if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) {
ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER;
goto err;
}
if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id,
sizeof(ctx->hs->legacy_session_id),
&ctx->hs->legacy_session_id_len)) {
if (!CBS_write_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
sizeof(ctx->hs->tls13.legacy_session_id),
&ctx->hs->tls13.legacy_session_id_len)) {
ctx->alert = TLS13_ALERT_INTERNAL_ERROR;
goto err;
}
@@ -248,7 +253,11 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs)
ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE;
goto err;
}
S3I(s)->hs.new_cipher = cipher;
ctx->hs->cipher = cipher;
sk_SSL_CIPHER_free(s->session->ciphers);
s->session->ciphers = ciphers;
ciphers = NULL;
/* Ensure only the NULL compression method is advertised. */
if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only,
@@ -274,11 +283,9 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
goto err;
/* See if we switched back to the legacy client method. */
if (s->method->internal->version < TLS1_3_VERSION)
if (s->method->version < TLS1_3_VERSION)
return 1;
tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION);
/*
* If a matching key share was provided, we do not need to send a
* HelloRetryRequest.
@@ -309,7 +316,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
SSL *s = ctx->ssl;
uint16_t cipher;
cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher);
cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
server_random = s->s3->server_random;
if (hrr) {
@@ -323,8 +330,8 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
goto err;
if (!CBB_add_u8_length_prefixed(cbb, &session_id))
goto err;
if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id,
ctx->hs->legacy_session_id_len))
if (!CBB_add_bytes(&session_id, ctx->hs->tls13.legacy_session_id,
ctx->hs->tls13.legacy_session_id_len))
goto err;
if (!CBB_add_u16(cbb, cipher))
goto err;
@@ -337,7 +344,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
goto err;
return 1;
err:
err:
return 0;
}
@@ -353,20 +360,20 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
SSL *s = ctx->ssl;
int ret = 0;
if (!tls13_key_share_derive(ctx->hs->key_share,
&shared_key, &shared_key_len))
if (!tls_key_share_derive(ctx->hs->key_share, &shared_key,
&shared_key_len))
goto err;
s->session->cipher = S3I(s)->hs.new_cipher;
s->session->cipher = ctx->hs->cipher;
if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL)
if ((ctx->aead = tls13_cipher_aead(ctx->hs->cipher)) == NULL)
goto err;
if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL)
if ((ctx->hash = tls13_cipher_hash(ctx->hs->cipher)) == NULL)
goto err;
if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL)
goto err;
ctx->hs->secrets = secrets;
ctx->hs->tls13.secrets = secrets;
/* XXX - pass in hash. */
if (!tls1_transcript_hash_init(s))
@@ -383,7 +390,7 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
goto err;
/* Handshake secrets. */
if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key,
if (!tls13_derive_handshake_secrets(ctx->hs->tls13.secrets, shared_key,
shared_key_len, &context))
goto err;
@@ -413,7 +420,7 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
{
int nid;
ctx->hs->hrr = 1;
ctx->hs->tls13.hrr = 1;
if (!tls13_synthetic_handshake_message(ctx))
return 0;
@@ -422,7 +429,7 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
return 0;
if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef)
return 0;
if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0)
if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0)
return 0;
if (!tls13_server_hello_build(ctx, cbb, 1))
@@ -439,7 +446,7 @@ tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx)
* we MUST send a dummy CCS following our first handshake message.
* See RFC 8446 Appendix D.4.
*/
if (ctx->hs->legacy_session_id_len > 0)
if (ctx->hs->tls13.legacy_session_id_len > 0)
ctx->send_dummy_ccs_after = 1;
return 1;
@@ -454,10 +461,10 @@ tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs)
return 0;
/* XXX - need further checks. */
if (s->method->internal->version < TLS1_3_VERSION)
if (s->method->version < TLS1_3_VERSION)
return 0;
ctx->hs->hrr = 0;
ctx->hs->tls13.hrr = 0;
return 1;
}
@@ -480,12 +487,12 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
{
if (ctx->hs->key_share == NULL)
return 0;
if (!tls13_key_share_generate(ctx->hs->key_share))
if (!tls_key_share_generate(ctx->hs->key_share))
return 0;
if (!tls13_servername_process(ctx))
return 0;
ctx->hs->server_group = 0;
ctx->hs->tls13.server_group = 0;
if (!tls13_server_hello_build(ctx, cbb, 0))
return 0;
@@ -502,7 +509,7 @@ tls13_server_hello_sent(struct tls13_ctx *ctx)
* See RFC 8446 Appendix D.4.
*/
if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) &&
ctx->hs->legacy_session_id_len > 0)
ctx->hs->tls13.legacy_session_id_len > 0)
ctx->send_dummy_ccs_after = 1;
return tls13_server_engage_record_protection(ctx);
@@ -538,7 +545,7 @@ tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb)
}
static int
tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
tls13_server_check_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY *cpk,
int *ok, const struct ssl_sigalg **out_sigalg)
{
const struct ssl_sigalg *sigalg;
@@ -550,15 +557,11 @@ tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
if (cpk->x509 == NULL || cpk->privatekey == NULL)
goto done;
if (!X509_check_purpose(cpk->x509, -1, 0))
return 0;
/*
* The digitalSignature bit MUST be set if the Key Usage extension is
* present as per RFC 8446 section 4.4.2.2.
*/
if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) &&
!(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE))
if (!(X509_get_key_usage(cpk->x509) & X509v3_KU_DIGITAL_SIGNATURE))
goto done;
if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL)
@@ -572,12 +575,12 @@ tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk,
}
static int
tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk,
tls13_server_select_certificate(struct tls13_ctx *ctx, SSL_CERT_PKEY **out_cpk,
const struct ssl_sigalg **out_sigalg)
{
SSL *s = ctx->ssl;
const struct ssl_sigalg *sigalg;
CERT_PKEY *cpk;
SSL_CERT_PKEY *cpk;
int cert_ok;
*out_cpk = NULL;
@@ -611,8 +614,9 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
SSL *s = ctx->ssl;
CBB cert_request_context, cert_list;
const struct ssl_sigalg *sigalg;
X509_STORE_CTX *xsc = NULL;
STACK_OF(X509) *chain;
CERT_PKEY *cpk;
SSL_CERT_PKEY *cpk;
X509 *cert;
int i, ret = 0;
@@ -627,12 +631,24 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
goto err;
}
ctx->hs->cpk = cpk;
ctx->hs->sigalg = sigalg;
ctx->hs->tls13.cpk = cpk;
ctx->hs->our_sigalg = sigalg;
if ((chain = cpk->chain) == NULL)
chain = s->ctx->extra_certs;
if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) {
if ((xsc = X509_STORE_CTX_new()) == NULL)
goto err;
if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL))
goto err;
X509_VERIFY_PARAM_set_flags(X509_STORE_CTX_get0_param(xsc),
X509_V_FLAG_LEGACY_VERIFY);
X509_verify_cert(xsc);
ERR_clear_error();
chain = X509_STORE_CTX_get0_chain(xsc);
}
if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context))
goto err;
if (!CBB_add_u24_length_prefixed(cbb, &cert_list))
@@ -643,10 +659,19 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
for (i = 0; i < sk_X509_num(chain); i++) {
cert = sk_X509_value(chain, i);
/*
* In the case of auto chain, the leaf certificate will be at
* the top of the chain - skip over it as we've already added
* it earlier.
*/
if (i == 0 && cert == cpk->x509)
continue;
/*
* XXX we don't send extensions with chain certs to avoid sending
* a leaf ocsp stape with the chain certs. This needs to get
* fixed
* a leaf ocsp staple with the chain certs. This needs to get
* fixed.
*/
if (!tls13_cert_add(ctx, &cert_list, cert, NULL))
goto err;
@@ -658,6 +683,8 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb)
ret = 1;
err:
X509_STORE_CTX_free(xsc);
return ret;
}
@@ -670,15 +697,15 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
EVP_MD_CTX *mdctx = NULL;
EVP_PKEY_CTX *pctx;
EVP_PKEY *pkey;
const CERT_PKEY *cpk;
const SSL_CERT_PKEY *cpk;
CBB sig_cbb;
int ret = 0;
memset(&sig_cbb, 0, sizeof(sig_cbb));
if ((cpk = ctx->hs->cpk) == NULL)
if ((cpk = ctx->hs->tls13.cpk) == NULL)
goto err;
if ((sigalg = ctx->hs->sigalg) == NULL)
if ((sigalg = ctx->hs->our_sigalg) == NULL)
goto err;
pkey = cpk->privatekey;
@@ -692,8 +719,8 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
goto err;
if (!CBB_add_u8(&sig_cbb, 0))
goto err;
if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash,
ctx->hs->transcript_hash_len))
if (!CBB_add_bytes(&sig_cbb, ctx->hs->tls13.transcript_hash,
ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len))
goto err;
@@ -744,20 +771,20 @@ tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb)
int
tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
{
struct tls13_secrets *secrets = ctx->hs->secrets;
struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key;
struct tls13_secret finished_key = { .data = NULL, .len = 0 } ;
uint8_t transcript_hash[EVP_MAX_MD_SIZE];
size_t transcript_hash_len;
uint8_t key[EVP_MAX_MD_SIZE];
uint8_t *verify_data;
size_t hmac_len;
size_t verify_data_len;
unsigned int hlen;
HMAC_CTX *hmac_ctx = NULL;
CBS cbs;
int ret = 0;
finished_key.data = key;
finished_key.len = EVP_MD_size(ctx->hash);
if (!tls13_secret_init(&finished_key, EVP_MD_size(ctx->hash)))
goto err;
if (!tls13_hkdf_expand_label(&finished_key, ctx->hash,
&secrets->server_handshake_traffic, "finished",
@@ -776,17 +803,23 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len))
goto err;
hmac_len = HMAC_size(hmac_ctx);
if (!CBB_add_space(cbb, &verify_data, hmac_len))
verify_data_len = HMAC_size(hmac_ctx);
if (!CBB_add_space(cbb, &verify_data, verify_data_len))
goto err;
if (!HMAC_Final(hmac_ctx, verify_data, &hlen))
goto err;
if (hlen != hmac_len)
if (hlen != verify_data_len)
goto err;
CBS_init(&cbs, verify_data, verify_data_len);
if (!CBS_write_bytes(&cbs, ctx->hs->finished,
sizeof(ctx->hs->finished), &ctx->hs->finished_len))
goto err;
ret = 1;
err:
tls13_secret_cleanup(&finished_key);
HMAC_CTX_free(hmac_ctx);
return ret;
@@ -795,14 +828,14 @@ tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb)
int
tls13_server_finished_sent(struct tls13_ctx *ctx)
{
struct tls13_secrets *secrets = ctx->hs->secrets;
struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
/*
* Derive application traffic keys.
*/
context.data = ctx->hs->transcript_hash;
context.len = ctx->hs->transcript_hash_len;
context.data = ctx->hs->tls13.transcript_hash;
context.len = ctx->hs->tls13.transcript_hash_len;
if (!tls13_derive_application_secrets(secrets, &context))
return 0;
@@ -824,7 +857,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
X509 *cert = NULL;
EVP_PKEY *pkey;
const uint8_t *p;
int cert_idx;
int cert_type;
int ret = 0;
if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context))
@@ -875,33 +908,30 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs)
}
ERR_clear_error();
cert = sk_X509_value(certs, 0);
X509_up_ref(cert);
/*
* Achtung! Due to API inconsistency, a client includes the peer's leaf
* certificate in the stored certificate chain, while a server does not.
*/
cert = sk_X509_shift(certs);
if ((pkey = X509_get0_pubkey(cert)) == NULL)
goto err;
if (EVP_PKEY_missing_parameters(pkey))
goto err;
if ((cert_idx = ssl_cert_type(cert, pkey)) < 0)
if ((cert_type = ssl_cert_type(pkey)) < 0)
goto err;
ssl_sess_cert_free(SSI(s)->sess_cert);
if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL)
goto err;
SSI(s)->sess_cert->cert_chain = certs;
certs = NULL;
X509_up_ref(cert);
SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert;
SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]);
X509_free(s->session->peer_cert);
s->session->peer_cert = cert;
s->session->peer_cert_type = cert_type;
X509_free(s->session->peer);
X509_up_ref(cert);
s->session->peer = cert;
s->session->verify_result = s->verify_result;
sk_X509_pop_free(s->session->cert_chain, X509_free);
s->session->cert_chain = certs;
certs = NULL;
ctx->handshake_stage.hs_type |= WITH_CCV;
ret = 1;
@@ -934,10 +964,6 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!CBS_get_u16_length_prefixed(cbs, &signature))
goto err;
if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs,
tls13_sigalgs_len)) == NULL)
goto err;
if (!CBB_init(&cbb, 0))
goto err;
if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad,
@@ -948,18 +974,20 @@ tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs)
goto err;
if (!CBB_add_u8(&cbb, 0))
goto err;
if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash,
ctx->hs->transcript_hash_len))
if (!CBB_add_bytes(&cbb, ctx->hs->tls13.transcript_hash,
ctx->hs->tls13.transcript_hash_len))
goto err;
if (!CBB_finish(&cbb, &sig_content, &sig_content_len))
goto err;
if ((cert = ctx->ssl->session->peer) == NULL)
if ((cert = ctx->ssl->session->peer_cert) == NULL)
goto err;
if ((pkey = X509_get0_pubkey(cert)) == NULL)
goto err;
if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1))
if ((sigalg = ssl_sigalg_for_peer(ctx->ssl, pkey,
signature_scheme)) == NULL)
goto err;
ctx->hs->peer_sigalg = sigalg;
if (CBS_len(&signature) > EVP_PKEY_size(pkey))
goto err;
@@ -1006,7 +1034,7 @@ tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs)
int
tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
{
struct tls13_secrets *secrets = ctx->hs->secrets;
struct tls13_secrets *secrets = ctx->hs->tls13.secrets;
struct tls13_secret context = { .data = "", .len = 0 };
struct tls13_secret finished_key;
uint8_t *verify_data = NULL;
@@ -1032,8 +1060,8 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len,
ctx->hash, NULL))
goto err;
if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash,
ctx->hs->transcript_hash_len))
if (!HMAC_Update(hmac_ctx, ctx->hs->tls13.transcript_hash,
ctx->hs->tls13.transcript_hash_len))
goto err;
verify_data_len = HMAC_size(hmac_ctx);
if ((verify_data = calloc(1, verify_data_len)) == NULL)
@@ -1048,6 +1076,11 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs)
goto err;
}
if (!CBS_write_bytes(cbs, ctx->hs->peer_finished,
sizeof(ctx->hs->peer_finished),
&ctx->hs->peer_finished_len))
goto err;
if (!CBS_skip(cbs, verify_data_len))
goto err;