/src/openssl111/ssl/tls13_enc.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdlib.h> |
11 | | #include "ssl_local.h" |
12 | | #include "internal/cryptlib.h" |
13 | | #include <openssl/evp.h> |
14 | | #include <openssl/kdf.h> |
15 | | |
16 | 7.34k | #define TLS13_MAX_LABEL_LEN 249 |
17 | | |
18 | | /* Always filled with zeros */ |
19 | | static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; |
20 | | |
21 | | /* |
22 | | * Given a |secret|; a |label| of length |labellen|; and |data| of length |
23 | | * |datalen| (e.g. typically a hash of the handshake messages), derive a new |
24 | | * secret |outlen| bytes long and store it in the location pointed to be |out|. |
25 | | * The |data| value may be zero length. Any errors will be treated as fatal if |
26 | | * |fatal| is set. Returns 1 on success 0 on failure. |
27 | | */ |
28 | | int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, |
29 | | const unsigned char *label, size_t labellen, |
30 | | const unsigned char *data, size_t datalen, |
31 | | unsigned char *out, size_t outlen, int fatal) |
32 | 7.34k | { |
33 | | #ifdef CHARSET_EBCDIC |
34 | | static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 }; |
35 | | #else |
36 | 7.34k | static const unsigned char label_prefix[] = "tls13 "; |
37 | 7.34k | #endif |
38 | 7.34k | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
39 | 7.34k | int ret; |
40 | 7.34k | size_t hkdflabellen; |
41 | 7.34k | size_t hashlen; |
42 | | /* |
43 | | * 2 bytes for length of derived secret + 1 byte for length of combined |
44 | | * prefix and label + bytes for the label itself + 1 byte length of hash |
45 | | * + bytes for the hash itself |
46 | | */ |
47 | 7.34k | unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) |
48 | 7.34k | + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN |
49 | 7.34k | + 1 + EVP_MAX_MD_SIZE]; |
50 | 7.34k | WPACKET pkt; |
51 | | |
52 | 7.34k | if (pctx == NULL) |
53 | 0 | return 0; |
54 | | |
55 | 7.34k | if (labellen > TLS13_MAX_LABEL_LEN) { |
56 | 0 | if (fatal) { |
57 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, |
58 | 0 | ERR_R_INTERNAL_ERROR); |
59 | 0 | } else { |
60 | | /* |
61 | | * Probably we have been called from SSL_export_keying_material(), |
62 | | * or SSL_export_keying_material_early(). |
63 | | */ |
64 | 0 | SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); |
65 | 0 | } |
66 | 0 | EVP_PKEY_CTX_free(pctx); |
67 | 0 | return 0; |
68 | 0 | } |
69 | | |
70 | 7.34k | hashlen = EVP_MD_size(md); |
71 | | |
72 | 7.34k | if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) |
73 | 7.34k | || !WPACKET_put_bytes_u16(&pkt, outlen) |
74 | 7.34k | || !WPACKET_start_sub_packet_u8(&pkt) |
75 | 7.34k | || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1) |
76 | 7.34k | || !WPACKET_memcpy(&pkt, label, labellen) |
77 | 7.34k | || !WPACKET_close(&pkt) |
78 | 7.34k | || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) |
79 | 7.34k | || !WPACKET_get_total_written(&pkt, &hkdflabellen) |
80 | 7.34k | || !WPACKET_finish(&pkt)) { |
81 | 0 | EVP_PKEY_CTX_free(pctx); |
82 | 0 | WPACKET_cleanup(&pkt); |
83 | 0 | if (fatal) |
84 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, |
85 | 0 | ERR_R_INTERNAL_ERROR); |
86 | 0 | else |
87 | 0 | SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); |
88 | 0 | return 0; |
89 | 0 | } |
90 | | |
91 | 7.34k | ret = EVP_PKEY_derive_init(pctx) <= 0 |
92 | 7.34k | || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) |
93 | 7.34k | <= 0 |
94 | 7.34k | || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 |
95 | 7.34k | || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0 |
96 | 7.34k | || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0 |
97 | 7.34k | || EVP_PKEY_derive(pctx, out, &outlen) <= 0; |
98 | | |
99 | 7.34k | EVP_PKEY_CTX_free(pctx); |
100 | | |
101 | 7.34k | if (ret != 0) { |
102 | 0 | if (fatal) |
103 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, |
104 | 0 | ERR_R_INTERNAL_ERROR); |
105 | 0 | else |
106 | 0 | SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); |
107 | 0 | } |
108 | | |
109 | 7.34k | return ret == 0; |
110 | 7.34k | } |
111 | | |
112 | | /* |
113 | | * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on |
114 | | * success 0 on failure. |
115 | | */ |
116 | | int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, |
117 | | unsigned char *key, size_t keylen) |
118 | 1.56k | { |
119 | | #ifdef CHARSET_EBCDIC |
120 | | static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 }; |
121 | | #else |
122 | 1.56k | static const unsigned char keylabel[] = "key"; |
123 | 1.56k | #endif |
124 | | |
125 | 1.56k | return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, |
126 | 1.56k | NULL, 0, key, keylen, 1); |
127 | 1.56k | } |
128 | | |
129 | | /* |
130 | | * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on |
131 | | * success 0 on failure. |
132 | | */ |
133 | | int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, |
134 | | unsigned char *iv, size_t ivlen) |
135 | 1.56k | { |
136 | | #ifdef CHARSET_EBCDIC |
137 | | static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 }; |
138 | | #else |
139 | 1.56k | static const unsigned char ivlabel[] = "iv"; |
140 | 1.56k | #endif |
141 | | |
142 | 1.56k | return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, |
143 | 1.56k | NULL, 0, iv, ivlen, 1); |
144 | 1.56k | } |
145 | | |
146 | | int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, |
147 | | const unsigned char *secret, |
148 | | unsigned char *fin, size_t finlen) |
149 | 1.05k | { |
150 | | #ifdef CHARSET_EBCDIC |
151 | | static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 }; |
152 | | #else |
153 | 1.05k | static const unsigned char finishedlabel[] = "finished"; |
154 | 1.05k | #endif |
155 | | |
156 | 1.05k | return tls13_hkdf_expand(s, md, secret, finishedlabel, |
157 | 1.05k | sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); |
158 | 1.05k | } |
159 | | |
160 | | /* |
161 | | * Given the previous secret |prevsecret| and a new input secret |insecret| of |
162 | | * length |insecretlen|, generate a new secret and store it in the location |
163 | | * pointed to by |outsecret|. Returns 1 on success 0 on failure. |
164 | | */ |
165 | | int tls13_generate_secret(SSL *s, const EVP_MD *md, |
166 | | const unsigned char *prevsecret, |
167 | | const unsigned char *insecret, |
168 | | size_t insecretlen, |
169 | | unsigned char *outsecret) |
170 | 1.57k | { |
171 | 1.57k | size_t mdlen, prevsecretlen; |
172 | 1.57k | int mdleni; |
173 | 1.57k | int ret; |
174 | 1.57k | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
175 | | #ifdef CHARSET_EBCDIC |
176 | | static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 }; |
177 | | #else |
178 | 1.57k | static const char derived_secret_label[] = "derived"; |
179 | 1.57k | #endif |
180 | 1.57k | unsigned char preextractsec[EVP_MAX_MD_SIZE]; |
181 | | |
182 | 1.57k | if (pctx == NULL) { |
183 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
184 | 0 | ERR_R_INTERNAL_ERROR); |
185 | 0 | return 0; |
186 | 0 | } |
187 | | |
188 | 1.57k | mdleni = EVP_MD_size(md); |
189 | | /* Ensure cast to size_t is safe */ |
190 | 1.57k | if (!ossl_assert(mdleni >= 0)) { |
191 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
192 | 0 | ERR_R_INTERNAL_ERROR); |
193 | 0 | EVP_PKEY_CTX_free(pctx); |
194 | 0 | return 0; |
195 | 0 | } |
196 | 1.57k | mdlen = (size_t)mdleni; |
197 | | |
198 | 1.57k | if (insecret == NULL) { |
199 | 1.04k | insecret = default_zeros; |
200 | 1.04k | insecretlen = mdlen; |
201 | 1.04k | } |
202 | 1.57k | if (prevsecret == NULL) { |
203 | 533 | prevsecret = default_zeros; |
204 | 533 | prevsecretlen = 0; |
205 | 1.04k | } else { |
206 | 1.04k | EVP_MD_CTX *mctx = EVP_MD_CTX_new(); |
207 | 1.04k | unsigned char hash[EVP_MAX_MD_SIZE]; |
208 | | |
209 | | /* The pre-extract derive step uses a hash of no messages */ |
210 | 1.04k | if (mctx == NULL |
211 | 1.04k | || EVP_DigestInit_ex(mctx, md, NULL) <= 0 |
212 | 1.04k | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { |
213 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
214 | 0 | ERR_R_INTERNAL_ERROR); |
215 | 0 | EVP_MD_CTX_free(mctx); |
216 | 0 | EVP_PKEY_CTX_free(pctx); |
217 | 0 | return 0; |
218 | 0 | } |
219 | 1.04k | EVP_MD_CTX_free(mctx); |
220 | | |
221 | | /* Generate the pre-extract secret */ |
222 | 1.04k | if (!tls13_hkdf_expand(s, md, prevsecret, |
223 | 1.04k | (unsigned char *)derived_secret_label, |
224 | 1.04k | sizeof(derived_secret_label) - 1, hash, mdlen, |
225 | 1.04k | preextractsec, mdlen, 1)) { |
226 | | /* SSLfatal() already called */ |
227 | 0 | EVP_PKEY_CTX_free(pctx); |
228 | 0 | return 0; |
229 | 0 | } |
230 | | |
231 | 1.04k | prevsecret = preextractsec; |
232 | 1.04k | prevsecretlen = mdlen; |
233 | 1.04k | } |
234 | | |
235 | 1.57k | ret = EVP_PKEY_derive_init(pctx) <= 0 |
236 | 1.57k | || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) |
237 | 1.57k | <= 0 |
238 | 1.57k | || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 |
239 | 1.57k | || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0 |
240 | 1.57k | || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen) |
241 | 1.57k | <= 0 |
242 | 1.57k | || EVP_PKEY_derive(pctx, outsecret, &mdlen) |
243 | 1.57k | <= 0; |
244 | | |
245 | 1.57k | if (ret != 0) |
246 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
247 | 1.57k | ERR_R_INTERNAL_ERROR); |
248 | | |
249 | 1.57k | EVP_PKEY_CTX_free(pctx); |
250 | 1.57k | if (prevsecret == preextractsec) |
251 | 1.04k | OPENSSL_cleanse(preextractsec, mdlen); |
252 | 1.57k | return ret == 0; |
253 | 1.57k | } |
254 | | |
255 | | /* |
256 | | * Given an input secret |insecret| of length |insecretlen| generate the |
257 | | * handshake secret. This requires the early secret to already have been |
258 | | * generated. Returns 1 on success 0 on failure. |
259 | | */ |
260 | | int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, |
261 | | size_t insecretlen) |
262 | 523 | { |
263 | | /* Calls SSLfatal() if required */ |
264 | 523 | return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, |
265 | 523 | insecret, insecretlen, |
266 | 523 | (unsigned char *)&s->handshake_secret); |
267 | 523 | } |
268 | | |
269 | | /* |
270 | | * Given the handshake secret |prev| of length |prevlen| generate the master |
271 | | * secret and store its length in |*secret_size|. Returns 1 on success 0 on |
272 | | * failure. |
273 | | */ |
274 | | int tls13_generate_master_secret(SSL *s, unsigned char *out, |
275 | | unsigned char *prev, size_t prevlen, |
276 | | size_t *secret_size) |
277 | 523 | { |
278 | 523 | const EVP_MD *md = ssl_handshake_md(s); |
279 | | |
280 | 523 | *secret_size = EVP_MD_size(md); |
281 | | /* Calls SSLfatal() if required */ |
282 | 523 | return tls13_generate_secret(s, md, prev, NULL, 0, out); |
283 | 523 | } |
284 | | |
285 | | /* |
286 | | * Generates the mac for the Finished message. Returns the length of the MAC or |
287 | | * 0 on error. |
288 | | */ |
289 | | size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, |
290 | | unsigned char *out) |
291 | 523 | { |
292 | 523 | const EVP_MD *md = ssl_handshake_md(s); |
293 | 523 | unsigned char hash[EVP_MAX_MD_SIZE]; |
294 | 523 | size_t hashlen, ret = 0; |
295 | 523 | EVP_PKEY *key = NULL; |
296 | 523 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
297 | | |
298 | 523 | if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { |
299 | | /* SSLfatal() already called */ |
300 | 0 | goto err; |
301 | 0 | } |
302 | | |
303 | 523 | if (str == s->method->ssl3_enc->server_finished_label) { |
304 | 523 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, |
305 | 523 | s->server_finished_secret, hashlen); |
306 | 523 | } else if (SSL_IS_FIRST_HANDSHAKE(s)) { |
307 | 0 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, |
308 | 0 | s->client_finished_secret, hashlen); |
309 | 0 | } else { |
310 | 0 | unsigned char finsecret[EVP_MAX_MD_SIZE]; |
311 | |
|
312 | 0 | if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), |
313 | 0 | s->client_app_traffic_secret, |
314 | 0 | finsecret, hashlen)) |
315 | 0 | goto err; |
316 | | |
317 | 0 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret, |
318 | 0 | hashlen); |
319 | 0 | OPENSSL_cleanse(finsecret, sizeof(finsecret)); |
320 | 0 | } |
321 | | |
322 | 523 | if (key == NULL |
323 | 523 | || ctx == NULL |
324 | 523 | || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0 |
325 | 523 | || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0 |
326 | 523 | || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) { |
327 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC, |
328 | 0 | ERR_R_INTERNAL_ERROR); |
329 | 0 | goto err; |
330 | 0 | } |
331 | | |
332 | 523 | ret = hashlen; |
333 | 523 | err: |
334 | 523 | EVP_PKEY_free(key); |
335 | 523 | EVP_MD_CTX_free(ctx); |
336 | 523 | return ret; |
337 | 523 | } |
338 | | |
339 | | /* |
340 | | * There isn't really a key block in TLSv1.3, but we still need this function |
341 | | * for initialising the cipher and hash. Returns 1 on success or 0 on failure. |
342 | | */ |
343 | | int tls13_setup_key_block(SSL *s) |
344 | 523 | { |
345 | 523 | const EVP_CIPHER *c; |
346 | 523 | const EVP_MD *hash; |
347 | | |
348 | 523 | s->session->cipher = s->s3->tmp.new_cipher; |
349 | 523 | if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, NULL, 0)) { |
350 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, |
351 | 0 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
352 | 0 | return 0; |
353 | 0 | } |
354 | | |
355 | 523 | s->s3->tmp.new_sym_enc = c; |
356 | 523 | s->s3->tmp.new_hash = hash; |
357 | | |
358 | 523 | return 1; |
359 | 523 | } |
360 | | |
361 | | static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, |
362 | | const EVP_CIPHER *ciph, |
363 | | const unsigned char *insecret, |
364 | | const unsigned char *hash, |
365 | | const unsigned char *label, |
366 | | size_t labellen, unsigned char *secret, |
367 | | unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx) |
368 | 1.56k | { |
369 | 1.56k | unsigned char key[EVP_MAX_KEY_LENGTH]; |
370 | 1.56k | size_t ivlen, keylen, taglen; |
371 | 1.56k | int hashleni = EVP_MD_size(md); |
372 | 1.56k | size_t hashlen; |
373 | | |
374 | | /* Ensure cast to size_t is safe */ |
375 | 1.56k | if (!ossl_assert(hashleni >= 0)) { |
376 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, |
377 | 0 | ERR_R_EVP_LIB); |
378 | 0 | goto err; |
379 | 0 | } |
380 | 1.56k | hashlen = (size_t)hashleni; |
381 | | |
382 | 1.56k | if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, |
383 | 1.56k | secret, hashlen, 1)) { |
384 | | /* SSLfatal() already called */ |
385 | 0 | goto err; |
386 | 0 | } |
387 | | |
388 | | /* TODO(size_t): convert me */ |
389 | 1.56k | keylen = EVP_CIPHER_key_length(ciph); |
390 | 1.56k | if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { |
391 | 0 | uint32_t algenc; |
392 | |
|
393 | 0 | ivlen = EVP_CCM_TLS_IV_LEN; |
394 | 0 | if (s->s3->tmp.new_cipher != NULL) { |
395 | 0 | algenc = s->s3->tmp.new_cipher->algorithm_enc; |
396 | 0 | } else if (s->session->cipher != NULL) { |
397 | | /* We've not selected a cipher yet - we must be doing early data */ |
398 | 0 | algenc = s->session->cipher->algorithm_enc; |
399 | 0 | } else if (s->psksession != NULL && s->psksession->cipher != NULL) { |
400 | | /* We must be doing early data with out-of-band PSK */ |
401 | 0 | algenc = s->psksession->cipher->algorithm_enc; |
402 | 0 | } else { |
403 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, |
404 | 0 | ERR_R_EVP_LIB); |
405 | 0 | goto err; |
406 | 0 | } |
407 | 0 | if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) |
408 | 0 | taglen = EVP_CCM8_TLS_TAG_LEN; |
409 | 0 | else |
410 | 0 | taglen = EVP_CCM_TLS_TAG_LEN; |
411 | 1.56k | } else { |
412 | 1.56k | ivlen = EVP_CIPHER_iv_length(ciph); |
413 | 1.56k | taglen = 0; |
414 | 1.56k | } |
415 | | |
416 | 1.56k | if (!tls13_derive_key(s, md, secret, key, keylen) |
417 | 1.56k | || !tls13_derive_iv(s, md, secret, iv, ivlen)) { |
418 | | /* SSLfatal() already called */ |
419 | 0 | goto err; |
420 | 0 | } |
421 | | |
422 | 1.56k | if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 |
423 | 1.56k | || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) |
424 | 1.56k | || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, |
425 | 0 | taglen, NULL)) |
426 | 1.56k | || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { |
427 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, |
428 | 0 | ERR_R_EVP_LIB); |
429 | 0 | goto err; |
430 | 0 | } |
431 | | |
432 | 1.56k | return 1; |
433 | 0 | err: |
434 | 0 | OPENSSL_cleanse(key, sizeof(key)); |
435 | 0 | return 0; |
436 | 1.56k | } |
437 | | |
438 | | int tls13_change_cipher_state(SSL *s, int which) |
439 | 1.56k | { |
440 | | #ifdef CHARSET_EBCDIC |
441 | | static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
442 | | static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
443 | | static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
444 | | static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
445 | | static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
446 | | static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; |
447 | | static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; |
448 | | static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; |
449 | | #else |
450 | 1.56k | static const unsigned char client_early_traffic[] = "c e traffic"; |
451 | 1.56k | static const unsigned char client_handshake_traffic[] = "c hs traffic"; |
452 | 1.56k | static const unsigned char client_application_traffic[] = "c ap traffic"; |
453 | 1.56k | static const unsigned char server_handshake_traffic[] = "s hs traffic"; |
454 | 1.56k | static const unsigned char server_application_traffic[] = "s ap traffic"; |
455 | 1.56k | static const unsigned char exporter_master_secret[] = "exp master"; |
456 | 1.56k | static const unsigned char resumption_master_secret[] = "res master"; |
457 | 1.56k | static const unsigned char early_exporter_master_secret[] = "e exp master"; |
458 | 1.56k | #endif |
459 | 1.56k | unsigned char *iv; |
460 | 1.56k | unsigned char secret[EVP_MAX_MD_SIZE]; |
461 | 1.56k | unsigned char hashval[EVP_MAX_MD_SIZE]; |
462 | 1.56k | unsigned char *hash = hashval; |
463 | 1.56k | unsigned char *insecret; |
464 | 1.56k | unsigned char *finsecret = NULL; |
465 | 1.56k | const char *log_label = NULL; |
466 | 1.56k | EVP_CIPHER_CTX *ciph_ctx; |
467 | 1.56k | size_t finsecretlen = 0; |
468 | 1.56k | const unsigned char *label; |
469 | 1.56k | size_t labellen, hashlen = 0; |
470 | 1.56k | int ret = 0; |
471 | 1.56k | const EVP_MD *md = NULL; |
472 | 1.56k | const EVP_CIPHER *cipher = NULL; |
473 | | |
474 | 1.56k | if (which & SSL3_CC_READ) { |
475 | 523 | if (s->enc_read_ctx != NULL) { |
476 | 0 | EVP_CIPHER_CTX_reset(s->enc_read_ctx); |
477 | 523 | } else { |
478 | 523 | s->enc_read_ctx = EVP_CIPHER_CTX_new(); |
479 | 523 | if (s->enc_read_ctx == NULL) { |
480 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
481 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
482 | 0 | goto err; |
483 | 0 | } |
484 | 523 | } |
485 | 523 | ciph_ctx = s->enc_read_ctx; |
486 | 523 | iv = s->read_iv; |
487 | | |
488 | 523 | RECORD_LAYER_reset_read_sequence(&s->rlayer); |
489 | 1.04k | } else { |
490 | 1.04k | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; |
491 | 1.04k | if (s->enc_write_ctx != NULL) { |
492 | 523 | EVP_CIPHER_CTX_reset(s->enc_write_ctx); |
493 | 523 | } else { |
494 | 523 | s->enc_write_ctx = EVP_CIPHER_CTX_new(); |
495 | 523 | if (s->enc_write_ctx == NULL) { |
496 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
497 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
498 | 0 | goto err; |
499 | 0 | } |
500 | 523 | } |
501 | 1.04k | ciph_ctx = s->enc_write_ctx; |
502 | 1.04k | iv = s->write_iv; |
503 | | |
504 | 1.04k | RECORD_LAYER_reset_write_sequence(&s->rlayer); |
505 | 1.04k | } |
506 | | |
507 | 1.56k | if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) |
508 | 1.56k | || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { |
509 | 523 | if (which & SSL3_CC_EARLY) { |
510 | 0 | EVP_MD_CTX *mdctx = NULL; |
511 | 0 | long handlen; |
512 | 0 | void *hdata; |
513 | 0 | unsigned int hashlenui; |
514 | 0 | const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); |
515 | |
|
516 | 0 | insecret = s->early_secret; |
517 | 0 | label = client_early_traffic; |
518 | 0 | labellen = sizeof(client_early_traffic) - 1; |
519 | 0 | log_label = CLIENT_EARLY_LABEL; |
520 | |
|
521 | 0 | handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); |
522 | 0 | if (handlen <= 0) { |
523 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
524 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, |
525 | 0 | SSL_R_BAD_HANDSHAKE_LENGTH); |
526 | 0 | goto err; |
527 | 0 | } |
528 | | |
529 | 0 | if (s->early_data_state == SSL_EARLY_DATA_CONNECTING |
530 | 0 | && s->max_early_data > 0 |
531 | 0 | && s->session->ext.max_early_data == 0) { |
532 | | /* |
533 | | * If we are attempting to send early data, and we've decided to |
534 | | * actually do it but max_early_data in s->session is 0 then we |
535 | | * must be using an external PSK. |
536 | | */ |
537 | 0 | if (!ossl_assert(s->psksession != NULL |
538 | 0 | && s->max_early_data == |
539 | 0 | s->psksession->ext.max_early_data)) { |
540 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
541 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, |
542 | 0 | ERR_R_INTERNAL_ERROR); |
543 | 0 | goto err; |
544 | 0 | } |
545 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
546 | 0 | } |
547 | 0 | if (sslcipher == NULL) { |
548 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
549 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK); |
550 | 0 | goto err; |
551 | 0 | } |
552 | | |
553 | | /* |
554 | | * We need to calculate the handshake digest using the digest from |
555 | | * the session. We haven't yet selected our ciphersuite so we can't |
556 | | * use ssl_handshake_md(). |
557 | | */ |
558 | 0 | mdctx = EVP_MD_CTX_new(); |
559 | 0 | if (mdctx == NULL) { |
560 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
561 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
562 | 0 | goto err; |
563 | 0 | } |
564 | 0 | cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher)); |
565 | 0 | md = ssl_md(sslcipher->algorithm2); |
566 | 0 | if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) |
567 | 0 | || !EVP_DigestUpdate(mdctx, hdata, handlen) |
568 | 0 | || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { |
569 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
570 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
571 | 0 | EVP_MD_CTX_free(mdctx); |
572 | 0 | goto err; |
573 | 0 | } |
574 | 0 | hashlen = hashlenui; |
575 | 0 | EVP_MD_CTX_free(mdctx); |
576 | |
|
577 | 0 | if (!tls13_hkdf_expand(s, md, insecret, |
578 | 0 | early_exporter_master_secret, |
579 | 0 | sizeof(early_exporter_master_secret) - 1, |
580 | 0 | hashval, hashlen, |
581 | 0 | s->early_exporter_master_secret, hashlen, |
582 | 0 | 1)) { |
583 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
584 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
585 | 0 | goto err; |
586 | 0 | } |
587 | | |
588 | 0 | if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, |
589 | 0 | s->early_exporter_master_secret, hashlen)) { |
590 | | /* SSLfatal() already called */ |
591 | 0 | goto err; |
592 | 0 | } |
593 | 523 | } else if (which & SSL3_CC_HANDSHAKE) { |
594 | 523 | insecret = s->handshake_secret; |
595 | 523 | finsecret = s->client_finished_secret; |
596 | 523 | finsecretlen = EVP_MD_size(ssl_handshake_md(s)); |
597 | 523 | label = client_handshake_traffic; |
598 | 523 | labellen = sizeof(client_handshake_traffic) - 1; |
599 | 523 | log_label = CLIENT_HANDSHAKE_LABEL; |
600 | | /* |
601 | | * The handshake hash used for the server read/client write handshake |
602 | | * traffic secret is the same as the hash for the server |
603 | | * write/client read handshake traffic secret. However, if we |
604 | | * processed early data then we delay changing the server |
605 | | * read/client write cipher state until later, and the handshake |
606 | | * hashes have moved on. Therefore we use the value saved earlier |
607 | | * when we did the server write/client read change cipher state. |
608 | | */ |
609 | 523 | hash = s->handshake_traffic_hash; |
610 | 523 | } else { |
611 | 0 | insecret = s->master_secret; |
612 | 0 | label = client_application_traffic; |
613 | 0 | labellen = sizeof(client_application_traffic) - 1; |
614 | 0 | log_label = CLIENT_APPLICATION_LABEL; |
615 | | /* |
616 | | * For this we only use the handshake hashes up until the server |
617 | | * Finished hash. We do not include the client's Finished, which is |
618 | | * what ssl_handshake_hash() would give us. Instead we use the |
619 | | * previously saved value. |
620 | | */ |
621 | 0 | hash = s->server_finished_hash; |
622 | 0 | } |
623 | 1.04k | } else { |
624 | | /* Early data never applies to client-read/server-write */ |
625 | 1.04k | if (which & SSL3_CC_HANDSHAKE) { |
626 | 523 | insecret = s->handshake_secret; |
627 | 523 | finsecret = s->server_finished_secret; |
628 | 523 | finsecretlen = EVP_MD_size(ssl_handshake_md(s)); |
629 | 523 | label = server_handshake_traffic; |
630 | 523 | labellen = sizeof(server_handshake_traffic) - 1; |
631 | 523 | log_label = SERVER_HANDSHAKE_LABEL; |
632 | 523 | } else { |
633 | 523 | insecret = s->master_secret; |
634 | 523 | label = server_application_traffic; |
635 | 523 | labellen = sizeof(server_application_traffic) - 1; |
636 | 523 | log_label = SERVER_APPLICATION_LABEL; |
637 | 523 | } |
638 | 1.04k | } |
639 | | |
640 | 1.56k | if (!(which & SSL3_CC_EARLY)) { |
641 | 1.56k | md = ssl_handshake_md(s); |
642 | 1.56k | cipher = s->s3->tmp.new_sym_enc; |
643 | 1.56k | if (!ssl3_digest_cached_records(s, 1) |
644 | 1.56k | || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { |
645 | 0 | /* SSLfatal() already called */; |
646 | 0 | goto err; |
647 | 0 | } |
648 | 1.56k | } |
649 | | |
650 | | /* |
651 | | * Save the hash of handshakes up to now for use when we calculate the |
652 | | * client application traffic secret |
653 | | */ |
654 | 1.56k | if (label == server_application_traffic) |
655 | 523 | memcpy(s->server_finished_hash, hashval, hashlen); |
656 | | |
657 | 1.56k | if (label == server_handshake_traffic) |
658 | 523 | memcpy(s->handshake_traffic_hash, hashval, hashlen); |
659 | | |
660 | 1.56k | if (label == client_application_traffic) { |
661 | | /* |
662 | | * We also create the resumption master secret, but this time use the |
663 | | * hash for the whole handshake including the Client Finished |
664 | | */ |
665 | 0 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
666 | 0 | resumption_master_secret, |
667 | 0 | sizeof(resumption_master_secret) - 1, |
668 | 0 | hashval, hashlen, s->resumption_master_secret, |
669 | 0 | hashlen, 1)) { |
670 | | /* SSLfatal() already called */ |
671 | 0 | goto err; |
672 | 0 | } |
673 | 0 | } |
674 | | |
675 | 1.56k | if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, |
676 | 1.56k | insecret, hash, label, labellen, secret, iv, |
677 | 1.56k | ciph_ctx)) { |
678 | | /* SSLfatal() already called */ |
679 | 0 | goto err; |
680 | 0 | } |
681 | | |
682 | 1.56k | if (label == server_application_traffic) { |
683 | 523 | memcpy(s->server_app_traffic_secret, secret, hashlen); |
684 | | /* Now we create the exporter master secret */ |
685 | 523 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
686 | 523 | exporter_master_secret, |
687 | 523 | sizeof(exporter_master_secret) - 1, |
688 | 523 | hash, hashlen, s->exporter_master_secret, |
689 | 523 | hashlen, 1)) { |
690 | | /* SSLfatal() already called */ |
691 | 0 | goto err; |
692 | 0 | } |
693 | | |
694 | 523 | if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, |
695 | 523 | hashlen)) { |
696 | | /* SSLfatal() already called */ |
697 | 0 | goto err; |
698 | 0 | } |
699 | 1.04k | } else if (label == client_application_traffic) |
700 | 0 | memcpy(s->client_app_traffic_secret, secret, hashlen); |
701 | | |
702 | 1.56k | if (!ssl_log_secret(s, log_label, secret, hashlen)) { |
703 | | /* SSLfatal() already called */ |
704 | 0 | goto err; |
705 | 0 | } |
706 | | |
707 | 1.56k | if (finsecret != NULL |
708 | 1.56k | && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, |
709 | 1.04k | finsecret, finsecretlen)) { |
710 | | /* SSLfatal() already called */ |
711 | 0 | goto err; |
712 | 0 | } |
713 | | |
714 | 1.56k | if (!s->server && label == client_early_traffic) |
715 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; |
716 | 1.56k | else |
717 | 1.56k | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; |
718 | 1.56k | ret = 1; |
719 | 1.56k | err: |
720 | 1.56k | OPENSSL_cleanse(secret, sizeof(secret)); |
721 | 1.56k | return ret; |
722 | 1.56k | } |
723 | | |
724 | | int tls13_update_key(SSL *s, int sending) |
725 | 0 | { |
726 | | #ifdef CHARSET_EBCDIC |
727 | | static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00}; |
728 | | #else |
729 | 0 | static const unsigned char application_traffic[] = "traffic upd"; |
730 | 0 | #endif |
731 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
732 | 0 | size_t hashlen = EVP_MD_size(md); |
733 | 0 | unsigned char *insecret, *iv; |
734 | 0 | unsigned char secret[EVP_MAX_MD_SIZE]; |
735 | 0 | EVP_CIPHER_CTX *ciph_ctx; |
736 | 0 | int ret = 0; |
737 | |
|
738 | 0 | if (s->server == sending) |
739 | 0 | insecret = s->server_app_traffic_secret; |
740 | 0 | else |
741 | 0 | insecret = s->client_app_traffic_secret; |
742 | |
|
743 | 0 | if (sending) { |
744 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; |
745 | 0 | iv = s->write_iv; |
746 | 0 | ciph_ctx = s->enc_write_ctx; |
747 | 0 | RECORD_LAYER_reset_write_sequence(&s->rlayer); |
748 | 0 | } else { |
749 | 0 | iv = s->read_iv; |
750 | 0 | ciph_ctx = s->enc_read_ctx; |
751 | 0 | RECORD_LAYER_reset_read_sequence(&s->rlayer); |
752 | 0 | } |
753 | |
|
754 | 0 | if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), |
755 | 0 | s->s3->tmp.new_sym_enc, insecret, NULL, |
756 | 0 | application_traffic, |
757 | 0 | sizeof(application_traffic) - 1, secret, iv, |
758 | 0 | ciph_ctx)) { |
759 | | /* SSLfatal() already called */ |
760 | 0 | goto err; |
761 | 0 | } |
762 | | |
763 | 0 | memcpy(insecret, secret, hashlen); |
764 | |
|
765 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; |
766 | 0 | ret = 1; |
767 | 0 | err: |
768 | 0 | OPENSSL_cleanse(secret, sizeof(secret)); |
769 | 0 | return ret; |
770 | 0 | } |
771 | | |
772 | | int tls13_alert_code(int code) |
773 | 691 | { |
774 | | /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ |
775 | 691 | if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) |
776 | 30 | return code; |
777 | | |
778 | 661 | return tls1_alert_code(code); |
779 | 691 | } |
780 | | |
781 | | int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, |
782 | | const char *label, size_t llen, |
783 | | const unsigned char *context, |
784 | | size_t contextlen, int use_context) |
785 | 0 | { |
786 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
787 | | #ifdef CHARSET_EBCDIC |
788 | | static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; |
789 | | #else |
790 | 0 | static const unsigned char exporterlabel[] = "exporter"; |
791 | 0 | #endif |
792 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
793 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
794 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
795 | 0 | unsigned int hashsize, datalen; |
796 | 0 | int ret = 0; |
797 | |
|
798 | 0 | if (ctx == NULL || !ossl_statem_export_allowed(s)) |
799 | 0 | goto err; |
800 | | |
801 | 0 | if (!use_context) |
802 | 0 | contextlen = 0; |
803 | |
|
804 | 0 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
805 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
806 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
807 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
808 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
809 | 0 | || !tls13_hkdf_expand(s, md, s->exporter_master_secret, |
810 | 0 | (const unsigned char *)label, llen, |
811 | 0 | data, datalen, exportsecret, hashsize, 0) |
812 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
813 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
814 | 0 | out, olen, 0)) |
815 | 0 | goto err; |
816 | | |
817 | 0 | ret = 1; |
818 | 0 | err: |
819 | 0 | EVP_MD_CTX_free(ctx); |
820 | 0 | return ret; |
821 | 0 | } |
822 | | |
823 | | int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, |
824 | | const char *label, size_t llen, |
825 | | const unsigned char *context, |
826 | | size_t contextlen) |
827 | 0 | { |
828 | | #ifdef CHARSET_EBCDIC |
829 | | static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; |
830 | | #else |
831 | 0 | static const unsigned char exporterlabel[] = "exporter"; |
832 | 0 | #endif |
833 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
834 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
835 | 0 | const EVP_MD *md; |
836 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
837 | 0 | unsigned int hashsize, datalen; |
838 | 0 | int ret = 0; |
839 | 0 | const SSL_CIPHER *sslcipher; |
840 | |
|
841 | 0 | if (ctx == NULL || !ossl_statem_export_early_allowed(s)) |
842 | 0 | goto err; |
843 | | |
844 | 0 | if (!s->server && s->max_early_data > 0 |
845 | 0 | && s->session->ext.max_early_data == 0) |
846 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
847 | 0 | else |
848 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->session); |
849 | |
|
850 | 0 | md = ssl_md(sslcipher->algorithm2); |
851 | | |
852 | | /* |
853 | | * Calculate the hash value and store it in |data|. The reason why |
854 | | * the empty string is used is that the definition of TLS-Exporter |
855 | | * is like so: |
856 | | * |
857 | | * TLS-Exporter(label, context_value, key_length) = |
858 | | * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), |
859 | | * "exporter", Hash(context_value), key_length) |
860 | | * |
861 | | * Derive-Secret(Secret, Label, Messages) = |
862 | | * HKDF-Expand-Label(Secret, Label, |
863 | | * Transcript-Hash(Messages), Hash.length) |
864 | | * |
865 | | * Here Transcript-Hash is the cipher suite hash algorithm. |
866 | | */ |
867 | 0 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
868 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
869 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
870 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
871 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
872 | 0 | || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, |
873 | 0 | (const unsigned char *)label, llen, |
874 | 0 | data, datalen, exportsecret, hashsize, 0) |
875 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
876 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
877 | 0 | out, olen, 0)) |
878 | 0 | goto err; |
879 | | |
880 | 0 | ret = 1; |
881 | 0 | err: |
882 | 0 | EVP_MD_CTX_free(ctx); |
883 | 0 | return ret; |
884 | 0 | } |