/src/openssl/ssl/tls13_enc.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdlib.h> |
11 | | #include "ssl_local.h" |
12 | | #include "internal/ktls.h" |
13 | | #include "record/record_local.h" |
14 | | #include "internal/cryptlib.h" |
15 | | #include <openssl/evp.h> |
16 | | #include <openssl/kdf.h> |
17 | | #include <openssl/core_names.h> |
18 | | |
19 | 5.51k | #define TLS13_MAX_LABEL_LEN 249 |
20 | | |
21 | | /* ASCII: "tls13 ", in hex for EBCDIC compatibility */ |
22 | | static const unsigned char label_prefix[] = "\x74\x6C\x73\x31\x33\x20"; |
23 | | |
24 | | /* |
25 | | * Given a |secret|; a |label| of length |labellen|; and |data| of length |
26 | | * |datalen| (e.g. typically a hash of the handshake messages), derive a new |
27 | | * secret |outlen| bytes long and store it in the location pointed to be |out|. |
28 | | * The |data| value may be zero length. Any errors will be treated as fatal if |
29 | | * |fatal| is set. Returns 1 on success 0 on failure. |
30 | | * If |raise_error| is set, ERR_raise is called on failure. |
31 | | */ |
32 | | int tls13_hkdf_expand_ex(OSSL_LIB_CTX *libctx, const char *propq, |
33 | | const EVP_MD *md, |
34 | | const unsigned char *secret, |
35 | | const unsigned char *label, size_t labellen, |
36 | | const unsigned char *data, size_t datalen, |
37 | | unsigned char *out, size_t outlen, int raise_error) |
38 | 5.51k | { |
39 | 5.51k | EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_TLS1_3_KDF, propq); |
40 | 5.51k | EVP_KDF_CTX *kctx; |
41 | 5.51k | OSSL_PARAM params[7], *p = params; |
42 | 5.51k | int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; |
43 | 5.51k | const char *mdname = EVP_MD_get0_name(md); |
44 | 5.51k | int ret; |
45 | 5.51k | size_t hashlen; |
46 | | |
47 | 5.51k | kctx = EVP_KDF_CTX_new(kdf); |
48 | 5.51k | EVP_KDF_free(kdf); |
49 | 5.51k | if (kctx == NULL) |
50 | 0 | return 0; |
51 | | |
52 | 5.51k | if (labellen > TLS13_MAX_LABEL_LEN) { |
53 | 0 | if (raise_error) |
54 | | /* |
55 | | * Probably we have been called from SSL_export_keying_material(), |
56 | | * or SSL_export_keying_material_early(). |
57 | | */ |
58 | 0 | ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); |
59 | |
|
60 | 0 | EVP_KDF_CTX_free(kctx); |
61 | 0 | return 0; |
62 | 0 | } |
63 | | |
64 | 5.51k | if ((ret = EVP_MD_get_size(md)) <= 0) { |
65 | 0 | EVP_KDF_CTX_free(kctx); |
66 | 0 | if (raise_error) |
67 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
68 | 0 | return 0; |
69 | 0 | } |
70 | 5.51k | hashlen = (size_t)ret; |
71 | | |
72 | 5.51k | *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); |
73 | 5.51k | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, |
74 | 5.51k | (char *)mdname, 0); |
75 | 5.51k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, |
76 | 5.51k | (unsigned char *)secret, hashlen); |
77 | 5.51k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, |
78 | 5.51k | (unsigned char *)label_prefix, |
79 | 5.51k | sizeof(label_prefix) - 1); |
80 | 5.51k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, |
81 | 5.51k | (unsigned char *)label, labellen); |
82 | 5.51k | if (data != NULL) |
83 | 1.84k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_DATA, |
84 | 1.84k | (unsigned char *)data, |
85 | 1.84k | datalen); |
86 | 5.51k | *p++ = OSSL_PARAM_construct_end(); |
87 | | |
88 | 5.51k | ret = EVP_KDF_derive(kctx, out, outlen, params) <= 0; |
89 | 5.51k | EVP_KDF_CTX_free(kctx); |
90 | | |
91 | 5.51k | if (ret != 0) { |
92 | 0 | if (raise_error) |
93 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
94 | 0 | } |
95 | | |
96 | 5.51k | return ret == 0; |
97 | 5.51k | } |
98 | | |
99 | | int tls13_hkdf_expand(SSL_CONNECTION *s, const EVP_MD *md, |
100 | | const unsigned char *secret, |
101 | | const unsigned char *label, size_t labellen, |
102 | | const unsigned char *data, size_t datalen, |
103 | | unsigned char *out, size_t outlen, int fatal) |
104 | 5.51k | { |
105 | 5.51k | int ret; |
106 | 5.51k | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
107 | | |
108 | 5.51k | ret = tls13_hkdf_expand_ex(sctx->libctx, sctx->propq, md, |
109 | 5.51k | secret, label, labellen, data, datalen, |
110 | 5.51k | out, outlen, !fatal); |
111 | 5.51k | if (ret == 0 && fatal) |
112 | 5.51k | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
113 | | |
114 | 5.51k | return ret; |
115 | 5.51k | } |
116 | | |
117 | | /* |
118 | | * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on |
119 | | * success 0 on failure. |
120 | | */ |
121 | | int tls13_derive_key(SSL_CONNECTION *s, const EVP_MD *md, |
122 | | const unsigned char *secret, |
123 | | unsigned char *key, size_t keylen) |
124 | 1.37k | { |
125 | | /* ASCII: "key", in hex for EBCDIC compatibility */ |
126 | 1.37k | static const unsigned char keylabel[] = "\x6B\x65\x79"; |
127 | | |
128 | 1.37k | return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, |
129 | 1.37k | NULL, 0, key, keylen, 1); |
130 | 1.37k | } |
131 | | |
132 | | /* |
133 | | * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on |
134 | | * success 0 on failure. |
135 | | */ |
136 | | int tls13_derive_iv(SSL_CONNECTION *s, const EVP_MD *md, |
137 | | const unsigned char *secret, |
138 | | unsigned char *iv, size_t ivlen) |
139 | 1.37k | { |
140 | | /* ASCII: "iv", in hex for EBCDIC compatibility */ |
141 | 1.37k | static const unsigned char ivlabel[] = "\x69\x76"; |
142 | | |
143 | 1.37k | return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, |
144 | 1.37k | NULL, 0, iv, ivlen, 1); |
145 | 1.37k | } |
146 | | |
147 | | int tls13_derive_finishedkey(SSL_CONNECTION *s, const EVP_MD *md, |
148 | | const unsigned char *secret, |
149 | | unsigned char *fin, size_t finlen) |
150 | 926 | { |
151 | | /* ASCII: "finished", in hex for EBCDIC compatibility */ |
152 | 926 | static const unsigned char finishedlabel[] = "\x66\x69\x6E\x69\x73\x68\x65\x64"; |
153 | | |
154 | 926 | return tls13_hkdf_expand(s, md, secret, finishedlabel, |
155 | 926 | sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); |
156 | 926 | } |
157 | | |
158 | | /* |
159 | | * Given the previous secret |prevsecret| and a new input secret |insecret| of |
160 | | * length |insecretlen|, generate a new secret and store it in the location |
161 | | * pointed to by |outsecret|. Returns 1 on success 0 on failure. |
162 | | */ |
163 | | int tls13_generate_secret(SSL_CONNECTION *s, const EVP_MD *md, |
164 | | const unsigned char *prevsecret, |
165 | | const unsigned char *insecret, |
166 | | size_t insecretlen, |
167 | | unsigned char *outsecret) |
168 | 1.38k | { |
169 | 1.38k | size_t mdlen; |
170 | 1.38k | int mdleni; |
171 | 1.38k | int ret; |
172 | 1.38k | EVP_KDF *kdf; |
173 | 1.38k | EVP_KDF_CTX *kctx; |
174 | 1.38k | OSSL_PARAM params[7], *p = params; |
175 | 1.38k | int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; |
176 | 1.38k | const char *mdname = EVP_MD_get0_name(md); |
177 | | /* ASCII: "derived", in hex for EBCDIC compatibility */ |
178 | 1.38k | static const char derived_secret_label[] = "\x64\x65\x72\x69\x76\x65\x64"; |
179 | 1.38k | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
180 | | |
181 | 1.38k | kdf = EVP_KDF_fetch(sctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, sctx->propq); |
182 | 1.38k | kctx = EVP_KDF_CTX_new(kdf); |
183 | 1.38k | EVP_KDF_free(kdf); |
184 | 1.38k | if (kctx == NULL) { |
185 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
186 | 0 | return 0; |
187 | 0 | } |
188 | | |
189 | 1.38k | mdleni = EVP_MD_get_size(md); |
190 | | /* Ensure cast to size_t is safe */ |
191 | 1.38k | if (!ossl_assert(mdleni >= 0)) { |
192 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
193 | 0 | EVP_KDF_CTX_free(kctx); |
194 | 0 | return 0; |
195 | 0 | } |
196 | 1.38k | mdlen = (size_t)mdleni; |
197 | | |
198 | 1.38k | *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); |
199 | 1.38k | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, |
200 | 1.38k | (char *)mdname, 0); |
201 | 1.38k | if (insecret != NULL) |
202 | 468 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, |
203 | 468 | (unsigned char *)insecret, |
204 | 468 | insecretlen); |
205 | 1.38k | if (prevsecret != NULL) |
206 | 916 | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, |
207 | 916 | (unsigned char *)prevsecret, mdlen); |
208 | 1.38k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, |
209 | 1.38k | (unsigned char *)label_prefix, |
210 | 1.38k | sizeof(label_prefix) - 1); |
211 | 1.38k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, |
212 | 1.38k | (unsigned char *)derived_secret_label, |
213 | 1.38k | sizeof(derived_secret_label) - 1); |
214 | 1.38k | *p++ = OSSL_PARAM_construct_end(); |
215 | | |
216 | 1.38k | ret = EVP_KDF_derive(kctx, outsecret, mdlen, params) <= 0; |
217 | | |
218 | 1.38k | if (ret != 0) |
219 | 1.38k | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
220 | | |
221 | 1.38k | EVP_KDF_CTX_free(kctx); |
222 | 1.38k | return ret == 0; |
223 | 1.38k | } |
224 | | |
225 | | /* |
226 | | * Given an input secret |insecret| of length |insecretlen| generate the |
227 | | * handshake secret. This requires the early secret to already have been |
228 | | * generated. Returns 1 on success 0 on failure. |
229 | | */ |
230 | | int tls13_generate_handshake_secret(SSL_CONNECTION *s, |
231 | | const unsigned char *insecret, |
232 | | size_t insecretlen) |
233 | 458 | { |
234 | | /* Calls SSLfatal() if required */ |
235 | 458 | return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, |
236 | 458 | insecret, insecretlen, |
237 | 458 | (unsigned char *)&s->handshake_secret); |
238 | 458 | } |
239 | | |
240 | | /* |
241 | | * Given the handshake secret |prev| of length |prevlen| generate the master |
242 | | * secret and store its length in |*secret_size|. Returns 1 on success 0 on |
243 | | * failure. |
244 | | */ |
245 | | int tls13_generate_master_secret(SSL_CONNECTION *s, unsigned char *out, |
246 | | unsigned char *prev, size_t prevlen, |
247 | | size_t *secret_size) |
248 | 458 | { |
249 | 458 | const EVP_MD *md = ssl_handshake_md(s); |
250 | | |
251 | 458 | *secret_size = EVP_MD_get_size(md); |
252 | | /* Calls SSLfatal() if required */ |
253 | 458 | return tls13_generate_secret(s, md, prev, NULL, 0, out); |
254 | 458 | } |
255 | | |
256 | | /* |
257 | | * Generates the mac for the Finished message. Returns the length of the MAC or |
258 | | * 0 on error. |
259 | | */ |
260 | | size_t tls13_final_finish_mac(SSL_CONNECTION *s, const char *str, size_t slen, |
261 | | unsigned char *out) |
262 | 458 | { |
263 | 458 | const EVP_MD *md = ssl_handshake_md(s); |
264 | 458 | const char *mdname = EVP_MD_get0_name(md); |
265 | 458 | unsigned char hash[EVP_MAX_MD_SIZE]; |
266 | 458 | unsigned char finsecret[EVP_MAX_MD_SIZE]; |
267 | 458 | unsigned char *key = NULL; |
268 | 458 | size_t len = 0, hashlen; |
269 | 458 | OSSL_PARAM params[2], *p = params; |
270 | 458 | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
271 | | |
272 | 458 | if (md == NULL) |
273 | 0 | return 0; |
274 | | |
275 | | /* Safe to cast away const here since we're not "getting" any data */ |
276 | 458 | if (sctx->propq != NULL) |
277 | 0 | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES, |
278 | 0 | (char *)sctx->propq, |
279 | 0 | 0); |
280 | 458 | *p = OSSL_PARAM_construct_end(); |
281 | | |
282 | 458 | if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { |
283 | | /* SSLfatal() already called */ |
284 | 0 | goto err; |
285 | 0 | } |
286 | | |
287 | 458 | if (str == SSL_CONNECTION_GET_SSL(s)->method->ssl3_enc->server_finished_label) { |
288 | 458 | key = s->server_finished_secret; |
289 | 458 | } else if (SSL_IS_FIRST_HANDSHAKE(s)) { |
290 | 0 | key = s->client_finished_secret; |
291 | 0 | } else { |
292 | 0 | if (!tls13_derive_finishedkey(s, md, |
293 | 0 | s->client_app_traffic_secret, |
294 | 0 | finsecret, hashlen)) |
295 | 0 | goto err; |
296 | 0 | key = finsecret; |
297 | 0 | } |
298 | | |
299 | 458 | if (!EVP_Q_mac(sctx->libctx, "HMAC", sctx->propq, mdname, |
300 | 458 | params, key, hashlen, hash, hashlen, |
301 | | /* outsize as per sizeof(peer_finish_md) */ |
302 | 458 | out, EVP_MAX_MD_SIZE * 2, &len)) { |
303 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
304 | 0 | goto err; |
305 | 0 | } |
306 | | |
307 | 458 | err: |
308 | 458 | OPENSSL_cleanse(finsecret, sizeof(finsecret)); |
309 | 458 | return len; |
310 | 458 | } |
311 | | |
312 | | /* |
313 | | * There isn't really a key block in TLSv1.3, but we still need this function |
314 | | * for initialising the cipher and hash. Returns 1 on success or 0 on failure. |
315 | | */ |
316 | | int tls13_setup_key_block(SSL_CONNECTION *s) |
317 | 458 | { |
318 | 458 | const EVP_CIPHER *c; |
319 | 458 | const EVP_MD *hash; |
320 | | |
321 | 458 | s->session->cipher = s->s3.tmp.new_cipher; |
322 | 458 | if (!ssl_cipher_get_evp(SSL_CONNECTION_GET_CTX(s), s->session, &c, &hash, |
323 | 458 | NULL, NULL, NULL, 0)) { |
324 | | /* Error is already recorded */ |
325 | 0 | SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); |
326 | 0 | return 0; |
327 | 0 | } |
328 | | |
329 | 458 | ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); |
330 | 458 | s->s3.tmp.new_sym_enc = c; |
331 | 458 | ssl_evp_md_free(s->s3.tmp.new_hash); |
332 | 458 | s->s3.tmp.new_hash = hash; |
333 | | |
334 | 458 | return 1; |
335 | 458 | } |
336 | | |
337 | | static int derive_secret_key_and_iv(SSL_CONNECTION *s, int sending, |
338 | | const EVP_MD *md, |
339 | | const EVP_CIPHER *ciph, |
340 | | const unsigned char *insecret, |
341 | | const unsigned char *hash, |
342 | | const unsigned char *label, |
343 | | size_t labellen, unsigned char *secret, |
344 | | unsigned char *key, size_t *keylen, |
345 | | unsigned char *iv, size_t *ivlen, |
346 | | size_t *taglen) |
347 | 1.37k | { |
348 | 1.37k | int hashleni = EVP_MD_get_size(md); |
349 | 1.37k | size_t hashlen; |
350 | 1.37k | int mode; |
351 | | |
352 | | /* Ensure cast to size_t is safe */ |
353 | 1.37k | if (!ossl_assert(hashleni >= 0)) { |
354 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
355 | 0 | return 0; |
356 | 0 | } |
357 | 1.37k | hashlen = (size_t)hashleni; |
358 | | |
359 | 1.37k | if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, |
360 | 1.37k | secret, hashlen, 1)) { |
361 | | /* SSLfatal() already called */ |
362 | 0 | return 0; |
363 | 0 | } |
364 | | |
365 | 1.37k | *keylen = EVP_CIPHER_get_key_length(ciph); |
366 | | |
367 | 1.37k | mode = EVP_CIPHER_get_mode(ciph); |
368 | 1.37k | if (mode == EVP_CIPH_CCM_MODE) { |
369 | 0 | uint32_t algenc; |
370 | |
|
371 | 0 | *ivlen = EVP_CCM_TLS_IV_LEN; |
372 | 0 | if (s->s3.tmp.new_cipher != NULL) { |
373 | 0 | algenc = s->s3.tmp.new_cipher->algorithm_enc; |
374 | 0 | } else if (s->session->cipher != NULL) { |
375 | | /* We've not selected a cipher yet - we must be doing early data */ |
376 | 0 | algenc = s->session->cipher->algorithm_enc; |
377 | 0 | } else if (s->psksession != NULL && s->psksession->cipher != NULL) { |
378 | | /* We must be doing early data with out-of-band PSK */ |
379 | 0 | algenc = s->psksession->cipher->algorithm_enc; |
380 | 0 | } else { |
381 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
382 | 0 | return 0; |
383 | 0 | } |
384 | 0 | if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) |
385 | 0 | *taglen = EVP_CCM8_TLS_TAG_LEN; |
386 | 0 | else |
387 | 0 | *taglen = EVP_CCM_TLS_TAG_LEN; |
388 | 1.37k | } else { |
389 | 1.37k | int iivlen; |
390 | | |
391 | 1.37k | if (mode == EVP_CIPH_GCM_MODE) { |
392 | 765 | *taglen = EVP_GCM_TLS_TAG_LEN; |
393 | 765 | } else { |
394 | | /* CHACHA20P-POLY1305 */ |
395 | 609 | *taglen = EVP_CHACHAPOLY_TLS_TAG_LEN; |
396 | 609 | } |
397 | 1.37k | iivlen = EVP_CIPHER_get_iv_length(ciph); |
398 | 1.37k | if (iivlen < 0) { |
399 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
400 | 0 | return 0; |
401 | 0 | } |
402 | 1.37k | *ivlen = iivlen; |
403 | 1.37k | } |
404 | | |
405 | 1.37k | if (!tls13_derive_key(s, md, secret, key, *keylen) |
406 | 1.37k | || !tls13_derive_iv(s, md, secret, iv, *ivlen)) { |
407 | | /* SSLfatal() already called */ |
408 | 0 | return 0; |
409 | 0 | } |
410 | | |
411 | 1.37k | return 1; |
412 | 1.37k | } |
413 | | |
414 | | int tls13_change_cipher_state(SSL_CONNECTION *s, int which) |
415 | 1.37k | { |
416 | | /* ASCII: "c e traffic", in hex for EBCDIC compatibility */ |
417 | 1.37k | static const unsigned char client_early_traffic[] = "\x63\x20\x65\x20\x74\x72\x61\x66\x66\x69\x63"; |
418 | | /* ASCII: "c hs traffic", in hex for EBCDIC compatibility */ |
419 | 1.37k | static const unsigned char client_handshake_traffic[] = "\x63\x20\x68\x73\x20\x74\x72\x61\x66\x66\x69\x63"; |
420 | | /* ASCII: "c ap traffic", in hex for EBCDIC compatibility */ |
421 | 1.37k | static const unsigned char client_application_traffic[] = "\x63\x20\x61\x70\x20\x74\x72\x61\x66\x66\x69\x63"; |
422 | | /* ASCII: "s hs traffic", in hex for EBCDIC compatibility */ |
423 | 1.37k | static const unsigned char server_handshake_traffic[] = "\x73\x20\x68\x73\x20\x74\x72\x61\x66\x66\x69\x63"; |
424 | | /* ASCII: "s ap traffic", in hex for EBCDIC compatibility */ |
425 | 1.37k | static const unsigned char server_application_traffic[] = "\x73\x20\x61\x70\x20\x74\x72\x61\x66\x66\x69\x63"; |
426 | | /* ASCII: "exp master", in hex for EBCDIC compatibility */ |
427 | 1.37k | static const unsigned char exporter_master_secret[] = "\x65\x78\x70\x20\x6D\x61\x73\x74\x65\x72"; |
428 | | /* ASCII: "res master", in hex for EBCDIC compatibility */ |
429 | 1.37k | static const unsigned char resumption_master_secret[] = "\x72\x65\x73\x20\x6D\x61\x73\x74\x65\x72"; |
430 | | /* ASCII: "e exp master", in hex for EBCDIC compatibility */ |
431 | 1.37k | static const unsigned char early_exporter_master_secret[] = "\x65\x20\x65\x78\x70\x20\x6D\x61\x73\x74\x65\x72"; |
432 | 1.37k | unsigned char iv[EVP_MAX_IV_LENGTH]; |
433 | 1.37k | unsigned char key[EVP_MAX_KEY_LENGTH]; |
434 | 1.37k | unsigned char secret[EVP_MAX_MD_SIZE]; |
435 | 1.37k | unsigned char hashval[EVP_MAX_MD_SIZE]; |
436 | 1.37k | unsigned char *hash = hashval; |
437 | 1.37k | unsigned char *insecret; |
438 | 1.37k | unsigned char *finsecret = NULL; |
439 | 1.37k | const char *log_label = NULL; |
440 | 1.37k | size_t finsecretlen = 0; |
441 | 1.37k | const unsigned char *label; |
442 | 1.37k | size_t labellen, hashlen = 0; |
443 | 1.37k | int ret = 0; |
444 | 1.37k | const EVP_MD *md = NULL; |
445 | 1.37k | const EVP_CIPHER *cipher = NULL; |
446 | 1.37k | SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); |
447 | 1.37k | size_t keylen, ivlen, taglen; |
448 | 1.37k | int level; |
449 | 1.37k | int direction = (which & SSL3_CC_READ) != 0 ? OSSL_RECORD_DIRECTION_READ |
450 | 1.37k | : OSSL_RECORD_DIRECTION_WRITE; |
451 | | |
452 | 1.37k | if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) |
453 | 1.37k | || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { |
454 | 458 | if (which & SSL3_CC_EARLY) { |
455 | 0 | EVP_MD_CTX *mdctx = NULL; |
456 | 0 | long handlen; |
457 | 0 | void *hdata; |
458 | 0 | unsigned int hashlenui; |
459 | 0 | const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); |
460 | |
|
461 | 0 | insecret = s->early_secret; |
462 | 0 | label = client_early_traffic; |
463 | 0 | labellen = sizeof(client_early_traffic) - 1; |
464 | 0 | log_label = CLIENT_EARLY_LABEL; |
465 | |
|
466 | 0 | handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); |
467 | 0 | if (handlen <= 0) { |
468 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); |
469 | 0 | goto err; |
470 | 0 | } |
471 | | |
472 | 0 | if (s->early_data_state == SSL_EARLY_DATA_CONNECTING |
473 | 0 | && s->max_early_data > 0 |
474 | 0 | && s->session->ext.max_early_data == 0) { |
475 | | /* |
476 | | * If we are attempting to send early data, and we've decided to |
477 | | * actually do it but max_early_data in s->session is 0 then we |
478 | | * must be using an external PSK. |
479 | | */ |
480 | 0 | if (!ossl_assert(s->psksession != NULL |
481 | 0 | && s->max_early_data == |
482 | 0 | s->psksession->ext.max_early_data)) { |
483 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
484 | 0 | goto err; |
485 | 0 | } |
486 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
487 | 0 | } |
488 | 0 | if (sslcipher == NULL) { |
489 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); |
490 | 0 | goto err; |
491 | 0 | } |
492 | | |
493 | | /* |
494 | | * We need to calculate the handshake digest using the digest from |
495 | | * the session. We haven't yet selected our ciphersuite so we can't |
496 | | * use ssl_handshake_md(). |
497 | | */ |
498 | 0 | mdctx = EVP_MD_CTX_new(); |
499 | 0 | if (mdctx == NULL) { |
500 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
501 | 0 | goto err; |
502 | 0 | } |
503 | | |
504 | | /* |
505 | | * This ups the ref count on cipher so we better make sure we free |
506 | | * it again |
507 | | */ |
508 | 0 | if (!ssl_cipher_get_evp_cipher(sctx, sslcipher, &cipher)) { |
509 | | /* Error is already recorded */ |
510 | 0 | SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); |
511 | 0 | EVP_MD_CTX_free(mdctx); |
512 | 0 | goto err; |
513 | 0 | } |
514 | | |
515 | 0 | md = ssl_md(sctx, sslcipher->algorithm2); |
516 | 0 | if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) |
517 | 0 | || !EVP_DigestUpdate(mdctx, hdata, handlen) |
518 | 0 | || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { |
519 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
520 | 0 | EVP_MD_CTX_free(mdctx); |
521 | 0 | goto err; |
522 | 0 | } |
523 | 0 | hashlen = hashlenui; |
524 | 0 | EVP_MD_CTX_free(mdctx); |
525 | |
|
526 | 0 | if (!tls13_hkdf_expand(s, md, insecret, |
527 | 0 | early_exporter_master_secret, |
528 | 0 | sizeof(early_exporter_master_secret) - 1, |
529 | 0 | hashval, hashlen, |
530 | 0 | s->early_exporter_master_secret, hashlen, |
531 | 0 | 1)) { |
532 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
533 | 0 | goto err; |
534 | 0 | } |
535 | | |
536 | 0 | if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, |
537 | 0 | s->early_exporter_master_secret, hashlen)) { |
538 | | /* SSLfatal() already called */ |
539 | 0 | goto err; |
540 | 0 | } |
541 | 458 | } else if (which & SSL3_CC_HANDSHAKE) { |
542 | 458 | insecret = s->handshake_secret; |
543 | 458 | finsecret = s->client_finished_secret; |
544 | 458 | finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); |
545 | 458 | label = client_handshake_traffic; |
546 | 458 | labellen = sizeof(client_handshake_traffic) - 1; |
547 | 458 | log_label = CLIENT_HANDSHAKE_LABEL; |
548 | | /* |
549 | | * The handshake hash used for the server read/client write handshake |
550 | | * traffic secret is the same as the hash for the server |
551 | | * write/client read handshake traffic secret. However, if we |
552 | | * processed early data then we delay changing the server |
553 | | * read/client write cipher state until later, and the handshake |
554 | | * hashes have moved on. Therefore we use the value saved earlier |
555 | | * when we did the server write/client read change cipher state. |
556 | | */ |
557 | 458 | hash = s->handshake_traffic_hash; |
558 | 458 | } else { |
559 | 0 | insecret = s->master_secret; |
560 | 0 | label = client_application_traffic; |
561 | 0 | labellen = sizeof(client_application_traffic) - 1; |
562 | 0 | log_label = CLIENT_APPLICATION_LABEL; |
563 | | /* |
564 | | * For this we only use the handshake hashes up until the server |
565 | | * Finished hash. We do not include the client's Finished, which is |
566 | | * what ssl_handshake_hash() would give us. Instead we use the |
567 | | * previously saved value. |
568 | | */ |
569 | 0 | hash = s->server_finished_hash; |
570 | 0 | } |
571 | 916 | } else { |
572 | | /* Early data never applies to client-read/server-write */ |
573 | 916 | if (which & SSL3_CC_HANDSHAKE) { |
574 | 458 | insecret = s->handshake_secret; |
575 | 458 | finsecret = s->server_finished_secret; |
576 | 458 | finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); |
577 | 458 | label = server_handshake_traffic; |
578 | 458 | labellen = sizeof(server_handshake_traffic) - 1; |
579 | 458 | log_label = SERVER_HANDSHAKE_LABEL; |
580 | 458 | } else { |
581 | 458 | insecret = s->master_secret; |
582 | 458 | label = server_application_traffic; |
583 | 458 | labellen = sizeof(server_application_traffic) - 1; |
584 | 458 | log_label = SERVER_APPLICATION_LABEL; |
585 | 458 | } |
586 | 916 | } |
587 | | |
588 | 1.37k | if (!(which & SSL3_CC_EARLY)) { |
589 | 1.37k | md = ssl_handshake_md(s); |
590 | 1.37k | cipher = s->s3.tmp.new_sym_enc; |
591 | 1.37k | if (!ssl3_digest_cached_records(s, 1) |
592 | 1.37k | || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { |
593 | 0 | /* SSLfatal() already called */; |
594 | 0 | goto err; |
595 | 0 | } |
596 | 1.37k | } |
597 | | |
598 | | /* |
599 | | * Save the hash of handshakes up to now for use when we calculate the |
600 | | * client application traffic secret |
601 | | */ |
602 | 1.37k | if (label == server_application_traffic) |
603 | 458 | memcpy(s->server_finished_hash, hashval, hashlen); |
604 | | |
605 | 1.37k | if (label == server_handshake_traffic) |
606 | 458 | memcpy(s->handshake_traffic_hash, hashval, hashlen); |
607 | | |
608 | 1.37k | if (label == client_application_traffic) { |
609 | | /* |
610 | | * We also create the resumption master secret, but this time use the |
611 | | * hash for the whole handshake including the Client Finished |
612 | | */ |
613 | 0 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
614 | 0 | resumption_master_secret, |
615 | 0 | sizeof(resumption_master_secret) - 1, |
616 | 0 | hashval, hashlen, s->resumption_master_secret, |
617 | 0 | hashlen, 1)) { |
618 | | /* SSLfatal() already called */ |
619 | 0 | goto err; |
620 | 0 | } |
621 | 0 | } |
622 | | |
623 | | /* check whether cipher is known */ |
624 | 1.37k | if (!ossl_assert(cipher != NULL)) |
625 | 0 | goto err; |
626 | | |
627 | 1.37k | if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, |
628 | 1.37k | insecret, hash, label, labellen, secret, key, |
629 | 1.37k | &keylen, iv, &ivlen, &taglen)) { |
630 | | /* SSLfatal() already called */ |
631 | 0 | goto err; |
632 | 0 | } |
633 | | |
634 | 1.37k | if (label == server_application_traffic) { |
635 | 458 | memcpy(s->server_app_traffic_secret, secret, hashlen); |
636 | | /* Now we create the exporter master secret */ |
637 | 458 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
638 | 458 | exporter_master_secret, |
639 | 458 | sizeof(exporter_master_secret) - 1, |
640 | 458 | hash, hashlen, s->exporter_master_secret, |
641 | 458 | hashlen, 1)) { |
642 | | /* SSLfatal() already called */ |
643 | 0 | goto err; |
644 | 0 | } |
645 | | |
646 | 458 | if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, |
647 | 458 | hashlen)) { |
648 | | /* SSLfatal() already called */ |
649 | 0 | goto err; |
650 | 0 | } |
651 | 916 | } else if (label == client_application_traffic) |
652 | 0 | memcpy(s->client_app_traffic_secret, secret, hashlen); |
653 | | |
654 | 1.37k | if (!ssl_log_secret(s, log_label, secret, hashlen)) { |
655 | | /* SSLfatal() already called */ |
656 | 0 | goto err; |
657 | 0 | } |
658 | | |
659 | 1.37k | if (finsecret != NULL |
660 | 1.37k | && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, |
661 | 916 | finsecret, finsecretlen)) { |
662 | | /* SSLfatal() already called */ |
663 | 0 | goto err; |
664 | 0 | } |
665 | | |
666 | 1.37k | if ((which & SSL3_CC_WRITE) != 0) { |
667 | 916 | if (!s->server && label == client_early_traffic) |
668 | 0 | s->rlayer.wrlmethod->set_plain_alerts(s->rlayer.wrl, 1); |
669 | 916 | else |
670 | 916 | s->rlayer.wrlmethod->set_plain_alerts(s->rlayer.wrl, 0); |
671 | 916 | } |
672 | | |
673 | 1.37k | level = (which & SSL3_CC_EARLY) != 0 |
674 | 1.37k | ? OSSL_RECORD_PROTECTION_LEVEL_EARLY |
675 | 1.37k | : ((which &SSL3_CC_HANDSHAKE) != 0 |
676 | 1.37k | ? OSSL_RECORD_PROTECTION_LEVEL_HANDSHAKE |
677 | 1.37k | : OSSL_RECORD_PROTECTION_LEVEL_APPLICATION); |
678 | | |
679 | 1.37k | if (!ssl_set_new_record_layer(s, s->version, |
680 | 1.37k | direction, |
681 | 1.37k | level, secret, hashlen, key, keylen, iv, |
682 | 1.37k | ivlen, NULL, 0, cipher, taglen, NID_undef, |
683 | 1.37k | NULL, NULL, md)) { |
684 | | /* SSLfatal already called */ |
685 | 0 | goto err; |
686 | 0 | } |
687 | | |
688 | 1.37k | ret = 1; |
689 | 1.37k | err: |
690 | 1.37k | if ((which & SSL3_CC_EARLY) != 0) { |
691 | | /* We up-refed this so now we need to down ref */ |
692 | 0 | ssl_evp_cipher_free(cipher); |
693 | 0 | } |
694 | 1.37k | OPENSSL_cleanse(key, sizeof(key)); |
695 | 1.37k | OPENSSL_cleanse(secret, sizeof(secret)); |
696 | 1.37k | return ret; |
697 | 1.37k | } |
698 | | |
699 | | int tls13_update_key(SSL_CONNECTION *s, int sending) |
700 | 0 | { |
701 | | /* ASCII: "traffic upd", in hex for EBCDIC compatibility */ |
702 | 0 | static const unsigned char application_traffic[] = "\x74\x72\x61\x66\x66\x69\x63\x20\x75\x70\x64"; |
703 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
704 | 0 | size_t hashlen; |
705 | 0 | unsigned char key[EVP_MAX_KEY_LENGTH]; |
706 | 0 | unsigned char *insecret; |
707 | 0 | unsigned char secret[EVP_MAX_MD_SIZE]; |
708 | 0 | char *log_label; |
709 | 0 | size_t keylen, ivlen, taglen; |
710 | 0 | int ret = 0, l; |
711 | 0 | int direction = sending ? OSSL_RECORD_DIRECTION_WRITE |
712 | 0 | : OSSL_RECORD_DIRECTION_READ; |
713 | 0 | unsigned char iv[EVP_MAX_IV_LENGTH]; |
714 | |
|
715 | 0 | if ((l = EVP_MD_get_size(md)) <= 0) { |
716 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
717 | 0 | return 0; |
718 | 0 | } |
719 | 0 | hashlen = (size_t)l; |
720 | |
|
721 | 0 | if (s->server == sending) |
722 | 0 | insecret = s->server_app_traffic_secret; |
723 | 0 | else |
724 | 0 | insecret = s->client_app_traffic_secret; |
725 | |
|
726 | 0 | if (!derive_secret_key_and_iv(s, sending, md, |
727 | 0 | s->s3.tmp.new_sym_enc, insecret, NULL, |
728 | 0 | application_traffic, |
729 | 0 | sizeof(application_traffic) - 1, secret, key, |
730 | 0 | &keylen, iv, &ivlen, &taglen)) { |
731 | | /* SSLfatal() already called */ |
732 | 0 | goto err; |
733 | 0 | } |
734 | | |
735 | 0 | memcpy(insecret, secret, hashlen); |
736 | |
|
737 | 0 | if (!ssl_set_new_record_layer(s, s->version, |
738 | 0 | direction, |
739 | 0 | OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, |
740 | 0 | insecret, hashlen, key, keylen, iv, ivlen, NULL, 0, |
741 | 0 | s->s3.tmp.new_sym_enc, taglen, NID_undef, NULL, |
742 | 0 | NULL, md)) { |
743 | | /* SSLfatal already called */ |
744 | 0 | goto err; |
745 | 0 | } |
746 | | |
747 | | /* Call Key log on successful traffic secret update */ |
748 | 0 | log_label = s->server == sending ? SERVER_APPLICATION_N_LABEL : CLIENT_APPLICATION_N_LABEL; |
749 | 0 | if (!ssl_log_secret(s, log_label, secret, hashlen)) { |
750 | | /* SSLfatal() already called */ |
751 | 0 | goto err; |
752 | 0 | } |
753 | 0 | ret = 1; |
754 | 0 | err: |
755 | 0 | OPENSSL_cleanse(key, sizeof(key)); |
756 | 0 | OPENSSL_cleanse(secret, sizeof(secret)); |
757 | 0 | return ret; |
758 | 0 | } |
759 | | |
760 | | int tls13_alert_code(int code) |
761 | 649 | { |
762 | | /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ |
763 | 649 | if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) |
764 | 24 | return code; |
765 | | |
766 | 625 | return tls1_alert_code(code); |
767 | 649 | } |
768 | | |
769 | | int tls13_export_keying_material(SSL_CONNECTION *s, |
770 | | unsigned char *out, size_t olen, |
771 | | const char *label, size_t llen, |
772 | | const unsigned char *context, |
773 | | size_t contextlen, int use_context) |
774 | 0 | { |
775 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
776 | | /* ASCII: "exporter", in hex for EBCDIC compatibility */ |
777 | 0 | static const unsigned char exporterlabel[] = "\x65\x78\x70\x6F\x72\x74\x65\x72"; |
778 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
779 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
780 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
781 | 0 | unsigned int hashsize, datalen; |
782 | 0 | int ret = 0; |
783 | |
|
784 | 0 | if (ctx == NULL || md == NULL || !ossl_statem_export_allowed(s)) |
785 | 0 | goto err; |
786 | | |
787 | 0 | if (!use_context) |
788 | 0 | contextlen = 0; |
789 | |
|
790 | 0 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
791 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
792 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
793 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
794 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
795 | 0 | || !tls13_hkdf_expand(s, md, s->exporter_master_secret, |
796 | 0 | (const unsigned char *)label, llen, |
797 | 0 | data, datalen, exportsecret, hashsize, 0) |
798 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
799 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
800 | 0 | out, olen, 0)) |
801 | 0 | goto err; |
802 | | |
803 | 0 | ret = 1; |
804 | 0 | err: |
805 | 0 | EVP_MD_CTX_free(ctx); |
806 | 0 | return ret; |
807 | 0 | } |
808 | | |
809 | | int tls13_export_keying_material_early(SSL_CONNECTION *s, |
810 | | unsigned char *out, size_t olen, |
811 | | const char *label, size_t llen, |
812 | | const unsigned char *context, |
813 | | size_t contextlen) |
814 | 0 | { |
815 | | /* ASCII: "exporter", in hex for EBCDIC compatibility */ |
816 | 0 | static const unsigned char exporterlabel[] = "\x65\x78\x70\x6F\x72\x74\x65\x72"; |
817 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
818 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
819 | 0 | const EVP_MD *md; |
820 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
821 | 0 | unsigned int hashsize, datalen; |
822 | 0 | int ret = 0; |
823 | 0 | const SSL_CIPHER *sslcipher; |
824 | |
|
825 | 0 | if (ctx == NULL || !ossl_statem_export_early_allowed(s)) |
826 | 0 | goto err; |
827 | | |
828 | 0 | if (!s->server && s->max_early_data > 0 |
829 | 0 | && s->session->ext.max_early_data == 0) |
830 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
831 | 0 | else |
832 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->session); |
833 | |
|
834 | 0 | md = ssl_md(SSL_CONNECTION_GET_CTX(s), sslcipher->algorithm2); |
835 | | |
836 | | /* |
837 | | * Calculate the hash value and store it in |data|. The reason why |
838 | | * the empty string is used is that the definition of TLS-Exporter |
839 | | * is like so: |
840 | | * |
841 | | * TLS-Exporter(label, context_value, key_length) = |
842 | | * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), |
843 | | * "exporter", Hash(context_value), key_length) |
844 | | * |
845 | | * Derive-Secret(Secret, Label, Messages) = |
846 | | * HKDF-Expand-Label(Secret, Label, |
847 | | * Transcript-Hash(Messages), Hash.length) |
848 | | * |
849 | | * Here Transcript-Hash is the cipher suite hash algorithm. |
850 | | */ |
851 | 0 | if (md == NULL |
852 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
853 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
854 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
855 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
856 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
857 | 0 | || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, |
858 | 0 | (const unsigned char *)label, llen, |
859 | 0 | data, datalen, exportsecret, hashsize, 0) |
860 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
861 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
862 | 0 | out, olen, 0)) |
863 | 0 | goto err; |
864 | | |
865 | 0 | ret = 1; |
866 | 0 | err: |
867 | 0 | EVP_MD_CTX_free(ctx); |
868 | 0 | return ret; |
869 | 0 | } |