Coverage Report

Created: 2025-03-06 06:58

/src/gnutls/lib/tls13/finished.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright (C) 2017 Red Hat, Inc.
3
 *
4
 * Author: Nikos Mavrogiannopoulos
5
 *
6
 * This file is part of GnuTLS.
7
 *
8
 * The GnuTLS is free software; you can redistribute it and/or
9
 * modify it under the terms of the GNU Lesser General Public License
10
 * as published by the Free Software Foundation; either version 2.1 of
11
 * the License, or (at your option) any later version.
12
 *
13
 * This library is distributed in the hope that it will be useful, but
14
 * WITHOUT ANY WARRANTY; without even the implied warranty of
15
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16
 * Lesser General Public License for more details.
17
 *
18
 * You should have received a copy of the GNU Lesser General Public License
19
 * along with this program.  If not, see <https://www.gnu.org/licenses/>
20
 *
21
 */
22
23
#include "gnutls_int.h"
24
#include "errors.h"
25
#include "handshake.h"
26
#include "tls13/finished.h"
27
#include "mem.h"
28
#include "mbuffers.h"
29
#include "secrets.h"
30
31
int _gnutls13_compute_finished(const mac_entry_st *prf, const uint8_t *base_key,
32
             gnutls_buffer_st *handshake_hash_buffer,
33
             void *out)
34
0
{
35
0
  int ret;
36
0
  uint8_t fkey[MAX_HASH_SIZE];
37
0
  uint8_t ts_hash[MAX_HASH_SIZE];
38
39
0
  ret = _tls13_expand_secret2(prf, "finished", 8, NULL, 0, base_key,
40
0
            prf->output_size, fkey);
41
0
  if (ret < 0)
42
0
    return gnutls_assert_val(ret);
43
44
0
  ret = gnutls_hash_fast(MAC_TO_DIG(prf->id), handshake_hash_buffer->data,
45
0
             handshake_hash_buffer->length, ts_hash);
46
0
  if (ret < 0)
47
0
    return gnutls_assert_val(ret);
48
49
0
  ret = gnutls_hmac_fast(prf->id, fkey, prf->output_size, ts_hash,
50
0
             prf->output_size, out);
51
0
  if (ret < 0)
52
0
    return gnutls_assert_val(ret);
53
54
0
  return 0;
55
0
}
56
57
int _gnutls13_recv_finished(gnutls_session_t session)
58
0
{
59
0
  int ret;
60
0
  gnutls_buffer_st buf;
61
0
  uint8_t verifier[MAX_HASH_SIZE];
62
0
  const uint8_t *base_key;
63
0
  unsigned hash_size;
64
65
0
  if (unlikely(session->security_parameters.prf == NULL))
66
0
    return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
67
68
0
  hash_size = session->security_parameters.prf->output_size;
69
70
0
  if (!session->internals.initial_negotiation_completed) {
71
0
    if (session->security_parameters.entity == GNUTLS_CLIENT)
72
0
      base_key = session->key.proto.tls13.hs_skey;
73
0
    else
74
0
      base_key = session->key.proto.tls13.hs_ckey;
75
0
  } else {
76
0
    if (session->security_parameters.entity == GNUTLS_CLIENT)
77
0
      base_key = session->key.proto.tls13.ap_skey;
78
0
    else
79
0
      base_key = session->key.proto.tls13.ap_ckey;
80
0
  }
81
82
0
  ret = _gnutls13_compute_finished(
83
0
    session->security_parameters.prf, base_key,
84
0
    &session->internals.handshake_hash_buffer, verifier);
85
0
  if (ret < 0)
86
0
    return gnutls_assert_val(ret);
87
88
0
  ret = _gnutls_recv_handshake(session, GNUTLS_HANDSHAKE_FINISHED, 0,
89
0
             &buf);
90
0
  if (ret < 0)
91
0
    return gnutls_assert_val(ret);
92
93
0
  _gnutls_handshake_log("HSK[%p]: parsing finished\n", session);
94
95
0
  if (buf.length != hash_size) {
96
0
    gnutls_assert();
97
0
    ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
98
0
    goto cleanup;
99
0
  }
100
#if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
101
#warning This is unsafe for production builds
102
#else
103
0
  if (gnutls_memcmp(verifier, buf.data, buf.length) != 0) {
104
0
    gnutls_assert();
105
0
    ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
106
0
    goto cleanup;
107
0
  }
108
0
#endif
109
110
0
  ret = 0;
111
0
cleanup:
112
113
0
  _gnutls_buffer_clear(&buf);
114
0
  return ret;
115
0
}
116
117
int _gnutls13_send_finished(gnutls_session_t session, unsigned again)
118
0
{
119
0
  int ret;
120
0
  uint8_t verifier[MAX_HASH_SIZE];
121
0
  mbuffer_st *bufel = NULL;
122
0
  const uint8_t *base_key;
123
0
  unsigned hash_size;
124
125
0
  if (again == 0) {
126
0
    if (unlikely(session->security_parameters.prf == NULL))
127
0
      return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
128
129
0
    hash_size = session->security_parameters.prf->output_size;
130
131
0
    if (!session->internals.initial_negotiation_completed) {
132
0
      if (session->security_parameters.entity ==
133
0
          GNUTLS_CLIENT)
134
0
        base_key = session->key.proto.tls13.hs_ckey;
135
0
      else
136
0
        base_key = session->key.proto.tls13.hs_skey;
137
0
    } else {
138
0
      if (session->security_parameters.entity ==
139
0
          GNUTLS_CLIENT)
140
0
        base_key = session->key.proto.tls13.ap_ckey;
141
0
      else
142
0
        base_key = session->key.proto.tls13.ap_skey;
143
0
    }
144
145
0
    ret = _gnutls13_compute_finished(
146
0
      session->security_parameters.prf, base_key,
147
0
      &session->internals.handshake_hash_buffer, verifier);
148
0
    if (ret < 0) {
149
0
      gnutls_assert();
150
0
      goto cleanup;
151
0
    }
152
153
0
    _gnutls_handshake_log("HSK[%p]: sending finished\n", session);
154
155
0
    bufel = _gnutls_handshake_alloc(session, hash_size);
156
0
    if (bufel == NULL)
157
0
      return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
158
159
0
    _mbuffer_set_udata_size(bufel, 0);
160
0
    ret = _mbuffer_append_data(bufel, verifier, hash_size);
161
0
    if (ret < 0) {
162
0
      gnutls_assert();
163
0
      goto cleanup;
164
0
    }
165
0
  }
166
167
0
  return _gnutls_send_handshake(session, bufel,
168
0
              GNUTLS_HANDSHAKE_FINISHED);
169
170
0
cleanup:
171
0
  _mbuffer_xfree(&bufel);
172
0
  return ret;
173
0
}