/src/openssl30/ssl/tls13_enc.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdlib.h> |
11 | | #include "ssl_local.h" |
12 | | #include "internal/ktls.h" |
13 | | #include "record/record_local.h" |
14 | | #include "internal/cryptlib.h" |
15 | | #include <openssl/evp.h> |
16 | | #include <openssl/kdf.h> |
17 | | #include <openssl/core_names.h> |
18 | | |
19 | 11.5k | #define TLS13_MAX_LABEL_LEN 249 |
20 | | |
21 | | #ifdef CHARSET_EBCDIC |
22 | | static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 }; |
23 | | #else |
24 | | static const unsigned char label_prefix[] = "tls13 "; |
25 | | #endif |
26 | | |
27 | | /* |
28 | | * Given a |secret|; a |label| of length |labellen|; and |data| of length |
29 | | * |datalen| (e.g. typically a hash of the handshake messages), derive a new |
30 | | * secret |outlen| bytes long and store it in the location pointed to be |out|. |
31 | | * The |data| value may be zero length. Any errors will be treated as fatal if |
32 | | * |fatal| is set. Returns 1 on success 0 on failure. |
33 | | */ |
34 | | int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, |
35 | | const unsigned char *label, size_t labellen, |
36 | | const unsigned char *data, size_t datalen, |
37 | | unsigned char *out, size_t outlen, int fatal) |
38 | 11.5k | { |
39 | 11.5k | EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, |
40 | 11.5k | s->ctx->propq); |
41 | 11.5k | EVP_KDF_CTX *kctx; |
42 | 11.5k | OSSL_PARAM params[7], *p = params; |
43 | 11.5k | int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; |
44 | 11.5k | const char *mdname = EVP_MD_get0_name(md); |
45 | 11.5k | int ret; |
46 | 11.5k | size_t hashlen; |
47 | | |
48 | 11.5k | kctx = EVP_KDF_CTX_new(kdf); |
49 | 11.5k | EVP_KDF_free(kdf); |
50 | 11.5k | if (kctx == NULL) |
51 | 0 | return 0; |
52 | | |
53 | 11.5k | if (labellen > TLS13_MAX_LABEL_LEN) { |
54 | 0 | if (fatal) { |
55 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
56 | 0 | } else { |
57 | | /* |
58 | | * Probably we have been called from SSL_export_keying_material(), |
59 | | * or SSL_export_keying_material_early(). |
60 | | */ |
61 | 0 | ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); |
62 | 0 | } |
63 | 0 | EVP_KDF_CTX_free(kctx); |
64 | 0 | return 0; |
65 | 0 | } |
66 | | |
67 | 11.5k | if ((ret = EVP_MD_get_size(md)) <= 0) { |
68 | 0 | EVP_KDF_CTX_free(kctx); |
69 | 0 | if (fatal) |
70 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
71 | 0 | else |
72 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
73 | 0 | return 0; |
74 | 0 | } |
75 | 11.5k | hashlen = (size_t)ret; |
76 | | |
77 | 11.5k | *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); |
78 | 11.5k | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, |
79 | 11.5k | (char *)mdname, 0); |
80 | 11.5k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, |
81 | 11.5k | (unsigned char *)secret, hashlen); |
82 | 11.5k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, |
83 | 11.5k | (unsigned char *)label_prefix, |
84 | 11.5k | sizeof(label_prefix) - 1); |
85 | 11.5k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, |
86 | 11.5k | (unsigned char *)label, labellen); |
87 | 11.5k | if (data != NULL) |
88 | 3.80k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_DATA, |
89 | 3.80k | (unsigned char *)data, |
90 | 3.80k | datalen); |
91 | 11.5k | *p++ = OSSL_PARAM_construct_end(); |
92 | | |
93 | 11.5k | ret = EVP_KDF_derive(kctx, out, outlen, params) <= 0; |
94 | 11.5k | EVP_KDF_CTX_free(kctx); |
95 | | |
96 | 11.5k | if (ret != 0) { |
97 | 0 | if (fatal) |
98 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
99 | 0 | else |
100 | 0 | ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); |
101 | 0 | } |
102 | | |
103 | 11.5k | return ret == 0; |
104 | 11.5k | } |
105 | | |
106 | | /* |
107 | | * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on |
108 | | * success 0 on failure. |
109 | | */ |
110 | | int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, |
111 | | unsigned char *key, size_t keylen) |
112 | 39.6k | { |
113 | | #ifdef CHARSET_EBCDIC |
114 | | static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 }; |
115 | | #else |
116 | 39.6k | static const unsigned char keylabel[] = "key"; |
117 | 39.6k | #endif |
118 | | |
119 | 39.6k | return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, |
120 | 39.6k | NULL, 0, key, keylen, 1); |
121 | 39.6k | } |
122 | | |
123 | | /* |
124 | | * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on |
125 | | * success 0 on failure. |
126 | | */ |
127 | | int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, |
128 | | unsigned char *iv, size_t ivlen) |
129 | 39.6k | { |
130 | | #ifdef CHARSET_EBCDIC |
131 | | static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 }; |
132 | | #else |
133 | 39.6k | static const unsigned char ivlabel[] = "iv"; |
134 | 39.6k | #endif |
135 | | |
136 | 39.6k | return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, |
137 | 39.6k | NULL, 0, iv, ivlen, 1); |
138 | 39.6k | } |
139 | | |
140 | | int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, |
141 | | const unsigned char *secret, |
142 | | unsigned char *fin, size_t finlen) |
143 | 26.1k | { |
144 | | #ifdef CHARSET_EBCDIC |
145 | | static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 }; |
146 | | #else |
147 | 26.1k | static const unsigned char finishedlabel[] = "finished"; |
148 | 26.1k | #endif |
149 | | |
150 | 26.1k | return tls13_hkdf_expand(s, md, secret, finishedlabel, |
151 | 26.1k | sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); |
152 | 26.1k | } |
153 | | |
154 | | /* |
155 | | * Given the previous secret |prevsecret| and a new input secret |insecret| of |
156 | | * length |insecretlen|, generate a new secret and store it in the location |
157 | | * pointed to by |outsecret|. Returns 1 on success 0 on failure. |
158 | | */ |
159 | | int tls13_generate_secret(SSL *s, const EVP_MD *md, |
160 | | const unsigned char *prevsecret, |
161 | | const unsigned char *insecret, |
162 | | size_t insecretlen, |
163 | | unsigned char *outsecret) |
164 | 18.7k | { |
165 | 18.7k | size_t mdlen; |
166 | 18.7k | int mdleni; |
167 | 18.7k | int ret; |
168 | 18.7k | EVP_KDF *kdf; |
169 | 18.7k | EVP_KDF_CTX *kctx; |
170 | 18.7k | OSSL_PARAM params[7], *p = params; |
171 | 18.7k | int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; |
172 | 18.7k | const char *mdname = EVP_MD_get0_name(md); |
173 | | #ifdef CHARSET_EBCDIC |
174 | | static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 }; |
175 | | #else |
176 | 18.7k | static const char derived_secret_label[] = "derived"; |
177 | 18.7k | #endif |
178 | | |
179 | 18.7k | kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq); |
180 | 18.7k | kctx = EVP_KDF_CTX_new(kdf); |
181 | 18.7k | EVP_KDF_free(kdf); |
182 | 18.7k | if (kctx == NULL) { |
183 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
184 | 0 | return 0; |
185 | 0 | } |
186 | | |
187 | 18.7k | mdleni = EVP_MD_get_size(md); |
188 | | /* Ensure cast to size_t is safe */ |
189 | 18.7k | if (!ossl_assert(mdleni >= 0)) { |
190 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
191 | 0 | EVP_KDF_CTX_free(kctx); |
192 | 0 | return 0; |
193 | 0 | } |
194 | 18.7k | mdlen = (size_t)mdleni; |
195 | | |
196 | 18.7k | *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); |
197 | 18.7k | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, |
198 | 18.7k | (char *)mdname, 0); |
199 | 18.7k | if (insecret != NULL) |
200 | 7.19k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, |
201 | 7.19k | (unsigned char *)insecret, |
202 | 7.19k | insecretlen); |
203 | 18.7k | if (prevsecret != NULL) |
204 | 11.5k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, |
205 | 11.5k | (unsigned char *)prevsecret, mdlen); |
206 | 18.7k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, |
207 | 18.7k | (unsigned char *)label_prefix, |
208 | 18.7k | sizeof(label_prefix) - 1); |
209 | 18.7k | *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, |
210 | 18.7k | (unsigned char *)derived_secret_label, |
211 | 18.7k | sizeof(derived_secret_label) - 1); |
212 | 18.7k | *p++ = OSSL_PARAM_construct_end(); |
213 | | |
214 | 18.7k | ret = EVP_KDF_derive(kctx, outsecret, mdlen, params) <= 0; |
215 | | |
216 | 18.7k | if (ret != 0) |
217 | 18.7k | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
218 | | |
219 | 18.7k | EVP_KDF_CTX_free(kctx); |
220 | 18.7k | return ret == 0; |
221 | 18.7k | } |
222 | | |
223 | | /* |
224 | | * Given an input secret |insecret| of length |insecretlen| generate the |
225 | | * handshake secret. This requires the early secret to already have been |
226 | | * generated. Returns 1 on success 0 on failure. |
227 | | */ |
228 | | int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, |
229 | | size_t insecretlen) |
230 | 13.2k | { |
231 | | /* Calls SSLfatal() if required */ |
232 | 13.2k | return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, |
233 | 13.2k | insecret, insecretlen, |
234 | 13.2k | (unsigned char *)&s->handshake_secret); |
235 | 13.2k | } |
236 | | |
237 | | /* |
238 | | * Given the handshake secret |prev| of length |prevlen| generate the master |
239 | | * secret and store its length in |*secret_size|. Returns 1 on success 0 on |
240 | | * failure. |
241 | | */ |
242 | | int tls13_generate_master_secret(SSL *s, unsigned char *out, |
243 | | unsigned char *prev, size_t prevlen, |
244 | | size_t *secret_size) |
245 | 4.35k | { |
246 | 4.35k | const EVP_MD *md = ssl_handshake_md(s); |
247 | | |
248 | 4.35k | *secret_size = EVP_MD_get_size(md); |
249 | | /* Calls SSLfatal() if required */ |
250 | 4.35k | return tls13_generate_secret(s, md, prev, NULL, 0, out); |
251 | 4.35k | } |
252 | | |
253 | | /* |
254 | | * Generates the mac for the Finished message. Returns the length of the MAC or |
255 | | * 0 on error. |
256 | | */ |
257 | | size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, |
258 | | unsigned char *out) |
259 | 13.5k | { |
260 | 13.5k | const EVP_MD *md = ssl_handshake_md(s); |
261 | 13.5k | const char *mdname = EVP_MD_get0_name(md); |
262 | 13.5k | unsigned char hash[EVP_MAX_MD_SIZE]; |
263 | 13.5k | unsigned char finsecret[EVP_MAX_MD_SIZE]; |
264 | 13.5k | unsigned char *key = NULL; |
265 | 13.5k | size_t len = 0, hashlen; |
266 | 13.5k | OSSL_PARAM params[2], *p = params; |
267 | | |
268 | 13.5k | if (md == NULL) |
269 | 0 | return 0; |
270 | | |
271 | | /* Safe to cast away const here since we're not "getting" any data */ |
272 | 13.5k | if (s->ctx->propq != NULL) |
273 | 0 | *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES, |
274 | 0 | (char *)s->ctx->propq, |
275 | 0 | 0); |
276 | 13.5k | *p = OSSL_PARAM_construct_end(); |
277 | | |
278 | 13.5k | if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { |
279 | | /* SSLfatal() already called */ |
280 | 0 | goto err; |
281 | 0 | } |
282 | | |
283 | 13.5k | if (str == s->method->ssl3_enc->server_finished_label) { |
284 | 7.76k | key = s->server_finished_secret; |
285 | 7.76k | } else if (SSL_IS_FIRST_HANDSHAKE(s)) { |
286 | 5.77k | key = s->client_finished_secret; |
287 | 5.77k | } else { |
288 | 0 | if (!tls13_derive_finishedkey(s, md, |
289 | 0 | s->client_app_traffic_secret, |
290 | 0 | finsecret, hashlen)) |
291 | 0 | goto err; |
292 | 0 | key = finsecret; |
293 | 0 | } |
294 | | |
295 | 13.5k | if (!EVP_Q_mac(s->ctx->libctx, "HMAC", s->ctx->propq, mdname, |
296 | 13.5k | params, key, hashlen, hash, hashlen, |
297 | | /* outsize as per sizeof(peer_finish_md) */ |
298 | 13.5k | out, EVP_MAX_MD_SIZE * 2, &len)) { |
299 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
300 | 0 | goto err; |
301 | 0 | } |
302 | | |
303 | 13.5k | err: |
304 | 13.5k | OPENSSL_cleanse(finsecret, sizeof(finsecret)); |
305 | 13.5k | return len; |
306 | 13.5k | } |
307 | | |
308 | | /* |
309 | | * There isn't really a key block in TLSv1.3, but we still need this function |
310 | | * for initialising the cipher and hash. Returns 1 on success or 0 on failure. |
311 | | */ |
312 | | int tls13_setup_key_block(SSL *s) |
313 | 13.2k | { |
314 | 13.2k | const EVP_CIPHER *c; |
315 | 13.2k | const EVP_MD *hash; |
316 | | |
317 | 13.2k | s->session->cipher = s->s3.tmp.new_cipher; |
318 | 13.2k | if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL, |
319 | 13.2k | 0)) { |
320 | | /* Error is already recorded */ |
321 | 0 | SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); |
322 | 0 | return 0; |
323 | 0 | } |
324 | | |
325 | 13.2k | ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); |
326 | 13.2k | s->s3.tmp.new_sym_enc = c; |
327 | 13.2k | ssl_evp_md_free(s->s3.tmp.new_hash); |
328 | 13.2k | s->s3.tmp.new_hash = hash; |
329 | | |
330 | 13.2k | return 1; |
331 | 13.2k | } |
332 | | |
333 | | static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, |
334 | | const EVP_CIPHER *ciph, |
335 | | const unsigned char *insecret, |
336 | | const unsigned char *hash, |
337 | | const unsigned char *label, |
338 | | size_t labellen, unsigned char *secret, |
339 | | unsigned char *key, unsigned char *iv, |
340 | | EVP_CIPHER_CTX *ciph_ctx) |
341 | 2.88k | { |
342 | 2.88k | size_t ivlen, keylen, taglen; |
343 | 2.88k | int hashleni = EVP_MD_get_size(md); |
344 | 2.88k | size_t hashlen; |
345 | | |
346 | | /* Ensure cast to size_t is safe */ |
347 | 2.88k | if (!ossl_assert(hashleni >= 0)) { |
348 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
349 | 0 | return 0; |
350 | 0 | } |
351 | 2.88k | hashlen = (size_t)hashleni; |
352 | | |
353 | 2.88k | if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, |
354 | 2.88k | secret, hashlen, 1)) { |
355 | | /* SSLfatal() already called */ |
356 | 0 | return 0; |
357 | 0 | } |
358 | | |
359 | 2.88k | keylen = EVP_CIPHER_get_key_length(ciph); |
360 | 2.88k | if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) { |
361 | 0 | uint32_t algenc; |
362 | |
|
363 | 0 | ivlen = EVP_CCM_TLS_IV_LEN; |
364 | 0 | if (s->s3.tmp.new_cipher != NULL) { |
365 | 0 | algenc = s->s3.tmp.new_cipher->algorithm_enc; |
366 | 0 | } else if (s->session->cipher != NULL) { |
367 | | /* We've not selected a cipher yet - we must be doing early data */ |
368 | 0 | algenc = s->session->cipher->algorithm_enc; |
369 | 0 | } else if (s->psksession != NULL && s->psksession->cipher != NULL) { |
370 | | /* We must be doing early data with out-of-band PSK */ |
371 | 0 | algenc = s->psksession->cipher->algorithm_enc; |
372 | 0 | } else { |
373 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
374 | 0 | return 0; |
375 | 0 | } |
376 | 0 | if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) |
377 | 0 | taglen = EVP_CCM8_TLS_TAG_LEN; |
378 | 0 | else |
379 | 0 | taglen = EVP_CCM_TLS_TAG_LEN; |
380 | 2.88k | } else { |
381 | 2.88k | ivlen = EVP_CIPHER_get_iv_length(ciph); |
382 | 2.88k | taglen = 0; |
383 | 2.88k | } |
384 | | |
385 | 2.88k | if (!tls13_derive_key(s, md, secret, key, keylen) |
386 | 2.88k | || !tls13_derive_iv(s, md, secret, iv, ivlen)) { |
387 | | /* SSLfatal() already called */ |
388 | 0 | return 0; |
389 | 0 | } |
390 | | |
391 | 2.88k | if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 |
392 | 2.88k | || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) <= 0 |
393 | 2.88k | || (taglen != 0 && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, |
394 | 0 | taglen, NULL) <= 0) |
395 | 2.88k | || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { |
396 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); |
397 | 0 | return 0; |
398 | 0 | } |
399 | | |
400 | 2.88k | return 1; |
401 | 2.88k | } |
402 | | |
403 | | int tls13_change_cipher_state(SSL *s, int which) |
404 | 2.88k | { |
405 | | #ifdef CHARSET_EBCDIC |
406 | | static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
407 | | static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
408 | | static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
409 | | static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
410 | | static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; |
411 | | static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; |
412 | | static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; |
413 | | static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; |
414 | | #else |
415 | 2.88k | static const unsigned char client_early_traffic[] = "c e traffic"; |
416 | 2.88k | static const unsigned char client_handshake_traffic[] = "c hs traffic"; |
417 | 2.88k | static const unsigned char client_application_traffic[] = "c ap traffic"; |
418 | 2.88k | static const unsigned char server_handshake_traffic[] = "s hs traffic"; |
419 | 2.88k | static const unsigned char server_application_traffic[] = "s ap traffic"; |
420 | 2.88k | static const unsigned char exporter_master_secret[] = "exp master"; |
421 | 2.88k | static const unsigned char resumption_master_secret[] = "res master"; |
422 | 2.88k | static const unsigned char early_exporter_master_secret[] = "e exp master"; |
423 | 2.88k | #endif |
424 | 2.88k | unsigned char *iv; |
425 | 2.88k | unsigned char key[EVP_MAX_KEY_LENGTH]; |
426 | 2.88k | unsigned char secret[EVP_MAX_MD_SIZE]; |
427 | 2.88k | unsigned char hashval[EVP_MAX_MD_SIZE]; |
428 | 2.88k | unsigned char *hash = hashval; |
429 | 2.88k | unsigned char *insecret; |
430 | 2.88k | unsigned char *finsecret = NULL; |
431 | 2.88k | const char *log_label = NULL; |
432 | 2.88k | EVP_CIPHER_CTX *ciph_ctx; |
433 | 2.88k | size_t finsecretlen = 0; |
434 | 2.88k | const unsigned char *label; |
435 | 2.88k | size_t labellen, hashlen = 0; |
436 | 2.88k | int ret = 0; |
437 | 2.88k | const EVP_MD *md = NULL; |
438 | 2.88k | const EVP_CIPHER *cipher = NULL; |
439 | | #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) |
440 | | ktls_crypto_info_t crypto_info; |
441 | | BIO *bio; |
442 | | #endif |
443 | | |
444 | 2.88k | if (which & SSL3_CC_READ) { |
445 | 1.09k | if (s->enc_read_ctx != NULL) { |
446 | 0 | EVP_CIPHER_CTX_reset(s->enc_read_ctx); |
447 | 1.09k | } else { |
448 | 1.09k | s->enc_read_ctx = EVP_CIPHER_CTX_new(); |
449 | 1.09k | if (s->enc_read_ctx == NULL) { |
450 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); |
451 | 0 | goto err; |
452 | 0 | } |
453 | 1.09k | } |
454 | 1.09k | ciph_ctx = s->enc_read_ctx; |
455 | 1.09k | iv = s->read_iv; |
456 | | |
457 | 1.09k | RECORD_LAYER_reset_read_sequence(&s->rlayer); |
458 | 1.79k | } else { |
459 | 1.79k | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; |
460 | 1.79k | if (s->enc_write_ctx != NULL) { |
461 | 896 | EVP_CIPHER_CTX_reset(s->enc_write_ctx); |
462 | 896 | } else { |
463 | 896 | s->enc_write_ctx = EVP_CIPHER_CTX_new(); |
464 | 896 | if (s->enc_write_ctx == NULL) { |
465 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); |
466 | 0 | goto err; |
467 | 0 | } |
468 | 896 | } |
469 | 1.79k | ciph_ctx = s->enc_write_ctx; |
470 | 1.79k | iv = s->write_iv; |
471 | | |
472 | 1.79k | RECORD_LAYER_reset_write_sequence(&s->rlayer); |
473 | 1.79k | } |
474 | | |
475 | 2.88k | if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) |
476 | 2.88k | || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { |
477 | 896 | if (which & SSL3_CC_EARLY) { |
478 | 0 | EVP_MD_CTX *mdctx = NULL; |
479 | 0 | long handlen; |
480 | 0 | void *hdata; |
481 | 0 | unsigned int hashlenui; |
482 | 0 | const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); |
483 | |
|
484 | 0 | insecret = s->early_secret; |
485 | 0 | label = client_early_traffic; |
486 | 0 | labellen = sizeof(client_early_traffic) - 1; |
487 | 0 | log_label = CLIENT_EARLY_LABEL; |
488 | |
|
489 | 0 | handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); |
490 | 0 | if (handlen <= 0) { |
491 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); |
492 | 0 | goto err; |
493 | 0 | } |
494 | | |
495 | 0 | if (s->early_data_state == SSL_EARLY_DATA_CONNECTING |
496 | 0 | && s->max_early_data > 0 |
497 | 0 | && s->session->ext.max_early_data == 0) { |
498 | | /* |
499 | | * If we are attempting to send early data, and we've decided to |
500 | | * actually do it but max_early_data in s->session is 0 then we |
501 | | * must be using an external PSK. |
502 | | */ |
503 | 0 | if (!ossl_assert(s->psksession != NULL |
504 | 0 | && s->max_early_data == |
505 | 0 | s->psksession->ext.max_early_data)) { |
506 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
507 | 0 | goto err; |
508 | 0 | } |
509 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
510 | 0 | } |
511 | 0 | if (sslcipher == NULL) { |
512 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); |
513 | 0 | goto err; |
514 | 0 | } |
515 | | |
516 | | /* |
517 | | * We need to calculate the handshake digest using the digest from |
518 | | * the session. We haven't yet selected our ciphersuite so we can't |
519 | | * use ssl_handshake_md(). |
520 | | */ |
521 | 0 | mdctx = EVP_MD_CTX_new(); |
522 | 0 | if (mdctx == NULL) { |
523 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); |
524 | 0 | goto err; |
525 | 0 | } |
526 | | |
527 | | /* |
528 | | * This ups the ref count on cipher so we better make sure we free |
529 | | * it again |
530 | | */ |
531 | 0 | if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) { |
532 | | /* Error is already recorded */ |
533 | 0 | SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); |
534 | 0 | EVP_MD_CTX_free(mdctx); |
535 | 0 | goto err; |
536 | 0 | } |
537 | | |
538 | 0 | md = ssl_md(s->ctx, sslcipher->algorithm2); |
539 | 0 | if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) |
540 | 0 | || !EVP_DigestUpdate(mdctx, hdata, handlen) |
541 | 0 | || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { |
542 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
543 | 0 | EVP_MD_CTX_free(mdctx); |
544 | 0 | goto err; |
545 | 0 | } |
546 | 0 | hashlen = hashlenui; |
547 | 0 | EVP_MD_CTX_free(mdctx); |
548 | |
|
549 | 0 | if (!tls13_hkdf_expand(s, md, insecret, |
550 | 0 | early_exporter_master_secret, |
551 | 0 | sizeof(early_exporter_master_secret) - 1, |
552 | 0 | hashval, hashlen, |
553 | 0 | s->early_exporter_master_secret, hashlen, |
554 | 0 | 1)) { |
555 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
556 | 0 | goto err; |
557 | 0 | } |
558 | | |
559 | 0 | if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, |
560 | 0 | s->early_exporter_master_secret, hashlen)) { |
561 | | /* SSLfatal() already called */ |
562 | 0 | goto err; |
563 | 0 | } |
564 | 896 | } else if (which & SSL3_CC_HANDSHAKE) { |
565 | 896 | insecret = s->handshake_secret; |
566 | 896 | finsecret = s->client_finished_secret; |
567 | 896 | finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); |
568 | 896 | label = client_handshake_traffic; |
569 | 896 | labellen = sizeof(client_handshake_traffic) - 1; |
570 | 896 | log_label = CLIENT_HANDSHAKE_LABEL; |
571 | | /* |
572 | | * The handshake hash used for the server read/client write handshake |
573 | | * traffic secret is the same as the hash for the server |
574 | | * write/client read handshake traffic secret. However, if we |
575 | | * processed early data then we delay changing the server |
576 | | * read/client write cipher state until later, and the handshake |
577 | | * hashes have moved on. Therefore we use the value saved earlier |
578 | | * when we did the server write/client read change cipher state. |
579 | | */ |
580 | 896 | hash = s->handshake_traffic_hash; |
581 | 896 | } else { |
582 | 0 | insecret = s->master_secret; |
583 | 0 | label = client_application_traffic; |
584 | 0 | labellen = sizeof(client_application_traffic) - 1; |
585 | 0 | log_label = CLIENT_APPLICATION_LABEL; |
586 | | /* |
587 | | * For this we only use the handshake hashes up until the server |
588 | | * Finished hash. We do not include the client's Finished, which is |
589 | | * what ssl_handshake_hash() would give us. Instead we use the |
590 | | * previously saved value. |
591 | | */ |
592 | 0 | hash = s->server_finished_hash; |
593 | 0 | } |
594 | 1.98k | } else { |
595 | | /* Early data never applies to client-read/server-write */ |
596 | 1.98k | if (which & SSL3_CC_HANDSHAKE) { |
597 | 1.09k | insecret = s->handshake_secret; |
598 | 1.09k | finsecret = s->server_finished_secret; |
599 | 1.09k | finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); |
600 | 1.09k | label = server_handshake_traffic; |
601 | 1.09k | labellen = sizeof(server_handshake_traffic) - 1; |
602 | 1.09k | log_label = SERVER_HANDSHAKE_LABEL; |
603 | 1.09k | } else { |
604 | 896 | insecret = s->master_secret; |
605 | 896 | label = server_application_traffic; |
606 | 896 | labellen = sizeof(server_application_traffic) - 1; |
607 | 896 | log_label = SERVER_APPLICATION_LABEL; |
608 | 896 | } |
609 | 1.98k | } |
610 | | |
611 | 2.88k | if (!(which & SSL3_CC_EARLY)) { |
612 | 2.88k | md = ssl_handshake_md(s); |
613 | 2.88k | cipher = s->s3.tmp.new_sym_enc; |
614 | 2.88k | if (!ssl3_digest_cached_records(s, 1) |
615 | 2.88k | || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { |
616 | 0 | /* SSLfatal() already called */; |
617 | 0 | goto err; |
618 | 0 | } |
619 | 2.88k | } |
620 | | |
621 | | /* |
622 | | * Save the hash of handshakes up to now for use when we calculate the |
623 | | * client application traffic secret |
624 | | */ |
625 | 2.88k | if (label == server_application_traffic) |
626 | 896 | memcpy(s->server_finished_hash, hashval, hashlen); |
627 | | |
628 | 2.88k | if (label == server_handshake_traffic) |
629 | 1.09k | memcpy(s->handshake_traffic_hash, hashval, hashlen); |
630 | | |
631 | 2.88k | if (label == client_application_traffic) { |
632 | | /* |
633 | | * We also create the resumption master secret, but this time use the |
634 | | * hash for the whole handshake including the Client Finished |
635 | | */ |
636 | 0 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
637 | 0 | resumption_master_secret, |
638 | 0 | sizeof(resumption_master_secret) - 1, |
639 | 0 | hashval, hashlen, s->resumption_master_secret, |
640 | 0 | hashlen, 1)) { |
641 | | /* SSLfatal() already called */ |
642 | 0 | goto err; |
643 | 0 | } |
644 | 0 | } |
645 | | |
646 | | /* check whether cipher is known */ |
647 | 2.88k | if(!ossl_assert(cipher != NULL)) |
648 | 0 | goto err; |
649 | | |
650 | 2.88k | if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, |
651 | 2.88k | insecret, hash, label, labellen, secret, key, |
652 | 2.88k | iv, ciph_ctx)) { |
653 | | /* SSLfatal() already called */ |
654 | 0 | goto err; |
655 | 0 | } |
656 | | |
657 | 2.88k | if (label == server_application_traffic) { |
658 | 896 | memcpy(s->server_app_traffic_secret, secret, hashlen); |
659 | | /* Now we create the exporter master secret */ |
660 | 896 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
661 | 896 | exporter_master_secret, |
662 | 896 | sizeof(exporter_master_secret) - 1, |
663 | 896 | hash, hashlen, s->exporter_master_secret, |
664 | 896 | hashlen, 1)) { |
665 | | /* SSLfatal() already called */ |
666 | 0 | goto err; |
667 | 0 | } |
668 | | |
669 | 896 | if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, |
670 | 896 | hashlen)) { |
671 | | /* SSLfatal() already called */ |
672 | 0 | goto err; |
673 | 0 | } |
674 | 1.98k | } else if (label == client_application_traffic) |
675 | 0 | memcpy(s->client_app_traffic_secret, secret, hashlen); |
676 | | |
677 | 2.88k | if (!ssl_log_secret(s, log_label, secret, hashlen)) { |
678 | | /* SSLfatal() already called */ |
679 | 0 | goto err; |
680 | 0 | } |
681 | | |
682 | 2.88k | if (finsecret != NULL |
683 | 2.88k | && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, |
684 | 1.98k | finsecret, finsecretlen)) { |
685 | | /* SSLfatal() already called */ |
686 | 0 | goto err; |
687 | 0 | } |
688 | | |
689 | 2.88k | if (!s->server && label == client_early_traffic) |
690 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; |
691 | 2.88k | else |
692 | 2.88k | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; |
693 | | #ifndef OPENSSL_NO_KTLS |
694 | | # if defined(OPENSSL_KTLS_TLS13) |
695 | | if (!(which & SSL3_CC_WRITE) |
696 | | || !(which & SSL3_CC_APPLICATION) |
697 | | || (s->options & SSL_OP_ENABLE_KTLS) == 0) |
698 | | goto skip_ktls; |
699 | | |
700 | | /* ktls supports only the maximum fragment size */ |
701 | | if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) |
702 | | goto skip_ktls; |
703 | | |
704 | | /* ktls does not support record padding */ |
705 | | if (s->record_padding_cb != NULL) |
706 | | goto skip_ktls; |
707 | | |
708 | | /* check that cipher is supported */ |
709 | | if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) |
710 | | goto skip_ktls; |
711 | | |
712 | | bio = s->wbio; |
713 | | |
714 | | if (!ossl_assert(bio != NULL)) { |
715 | | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
716 | | goto err; |
717 | | } |
718 | | |
719 | | /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ |
720 | | if (BIO_flush(bio) <= 0) |
721 | | goto skip_ktls; |
722 | | |
723 | | /* configure kernel crypto structure */ |
724 | | if (!ktls_configure_crypto(s, cipher, ciph_ctx, |
725 | | RECORD_LAYER_get_write_sequence(&s->rlayer), |
726 | | &crypto_info, NULL, iv, key, NULL, 0)) |
727 | | goto skip_ktls; |
728 | | |
729 | | /* ktls works with user provided buffers directly */ |
730 | | if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) |
731 | | ssl3_release_write_buffer(s); |
732 | | skip_ktls: |
733 | | # endif |
734 | | #endif |
735 | 2.88k | ret = 1; |
736 | 2.88k | err: |
737 | 2.88k | if ((which & SSL3_CC_EARLY) != 0) { |
738 | | /* We up-refed this so now we need to down ref */ |
739 | 0 | ssl_evp_cipher_free(cipher); |
740 | 0 | } |
741 | 2.88k | OPENSSL_cleanse(key, sizeof(key)); |
742 | 2.88k | OPENSSL_cleanse(secret, sizeof(secret)); |
743 | 2.88k | return ret; |
744 | 2.88k | } |
745 | | |
746 | | int tls13_update_key(SSL *s, int sending) |
747 | 0 | { |
748 | | #ifdef CHARSET_EBCDIC |
749 | | static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00}; |
750 | | #else |
751 | 0 | static const unsigned char application_traffic[] = "traffic upd"; |
752 | 0 | #endif |
753 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
754 | 0 | size_t hashlen; |
755 | 0 | unsigned char key[EVP_MAX_KEY_LENGTH]; |
756 | 0 | unsigned char *insecret, *iv; |
757 | 0 | unsigned char secret[EVP_MAX_MD_SIZE]; |
758 | 0 | char *log_label; |
759 | 0 | EVP_CIPHER_CTX *ciph_ctx; |
760 | 0 | int ret = 0, l; |
761 | |
|
762 | 0 | if ((l = EVP_MD_get_size(md)) <= 0) { |
763 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); |
764 | 0 | return 0; |
765 | 0 | } |
766 | 0 | hashlen = (size_t)l; |
767 | |
|
768 | 0 | if (s->server == sending) |
769 | 0 | insecret = s->server_app_traffic_secret; |
770 | 0 | else |
771 | 0 | insecret = s->client_app_traffic_secret; |
772 | |
|
773 | 0 | if (sending) { |
774 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; |
775 | 0 | iv = s->write_iv; |
776 | 0 | ciph_ctx = s->enc_write_ctx; |
777 | 0 | RECORD_LAYER_reset_write_sequence(&s->rlayer); |
778 | 0 | } else { |
779 | 0 | iv = s->read_iv; |
780 | 0 | ciph_ctx = s->enc_read_ctx; |
781 | 0 | RECORD_LAYER_reset_read_sequence(&s->rlayer); |
782 | 0 | } |
783 | |
|
784 | 0 | if (!derive_secret_key_and_iv(s, sending, md, |
785 | 0 | s->s3.tmp.new_sym_enc, insecret, NULL, |
786 | 0 | application_traffic, |
787 | 0 | sizeof(application_traffic) - 1, secret, key, |
788 | 0 | iv, ciph_ctx)) { |
789 | | /* SSLfatal() already called */ |
790 | 0 | goto err; |
791 | 0 | } |
792 | | |
793 | 0 | memcpy(insecret, secret, hashlen); |
794 | | |
795 | | /* Call Key log on successful traffic secret update */ |
796 | 0 | log_label = s->server == sending ? SERVER_APPLICATION_N_LABEL : CLIENT_APPLICATION_N_LABEL; |
797 | 0 | if (!ssl_log_secret(s, log_label, secret, hashlen)) { |
798 | | /* SSLfatal() already called */ |
799 | 0 | goto err; |
800 | 0 | } |
801 | | |
802 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; |
803 | 0 | ret = 1; |
804 | 0 | err: |
805 | 0 | OPENSSL_cleanse(key, sizeof(key)); |
806 | 0 | OPENSSL_cleanse(secret, sizeof(secret)); |
807 | 0 | return ret; |
808 | 0 | } |
809 | | |
810 | | int tls13_alert_code(int code) |
811 | 7.51k | { |
812 | | /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ |
813 | 7.51k | if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) |
814 | 121 | return code; |
815 | | |
816 | 7.39k | return tls1_alert_code(code); |
817 | 7.51k | } |
818 | | |
819 | | int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, |
820 | | const char *label, size_t llen, |
821 | | const unsigned char *context, |
822 | | size_t contextlen, int use_context) |
823 | 0 | { |
824 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
825 | | #ifdef CHARSET_EBCDIC |
826 | | static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; |
827 | | #else |
828 | 0 | static const unsigned char exporterlabel[] = "exporter"; |
829 | 0 | #endif |
830 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
831 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
832 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
833 | 0 | unsigned int hashsize, datalen; |
834 | 0 | int ret = 0; |
835 | |
|
836 | 0 | if (ctx == NULL || md == NULL || !ossl_statem_export_allowed(s)) |
837 | 0 | goto err; |
838 | | |
839 | 0 | if (!use_context) |
840 | 0 | contextlen = 0; |
841 | |
|
842 | 0 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
843 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
844 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
845 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
846 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
847 | 0 | || !tls13_hkdf_expand(s, md, s->exporter_master_secret, |
848 | 0 | (const unsigned char *)label, llen, |
849 | 0 | data, datalen, exportsecret, hashsize, 0) |
850 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
851 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
852 | 0 | out, olen, 0)) |
853 | 0 | goto err; |
854 | | |
855 | 0 | ret = 1; |
856 | 0 | err: |
857 | 0 | EVP_MD_CTX_free(ctx); |
858 | 0 | return ret; |
859 | 0 | } |
860 | | |
861 | | int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, |
862 | | const char *label, size_t llen, |
863 | | const unsigned char *context, |
864 | | size_t contextlen) |
865 | 0 | { |
866 | | #ifdef CHARSET_EBCDIC |
867 | | static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; |
868 | | #else |
869 | 0 | static const unsigned char exporterlabel[] = "exporter"; |
870 | 0 | #endif |
871 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
872 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
873 | 0 | const EVP_MD *md; |
874 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
875 | 0 | unsigned int hashsize, datalen; |
876 | 0 | int ret = 0; |
877 | 0 | const SSL_CIPHER *sslcipher; |
878 | |
|
879 | 0 | if (ctx == NULL || !ossl_statem_export_early_allowed(s)) |
880 | 0 | goto err; |
881 | | |
882 | 0 | if (!s->server && s->max_early_data > 0 |
883 | 0 | && s->session->ext.max_early_data == 0) |
884 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
885 | 0 | else |
886 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->session); |
887 | |
|
888 | 0 | md = ssl_md(s->ctx, sslcipher->algorithm2); |
889 | | |
890 | | /* |
891 | | * Calculate the hash value and store it in |data|. The reason why |
892 | | * the empty string is used is that the definition of TLS-Exporter |
893 | | * is like so: |
894 | | * |
895 | | * TLS-Exporter(label, context_value, key_length) = |
896 | | * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), |
897 | | * "exporter", Hash(context_value), key_length) |
898 | | * |
899 | | * Derive-Secret(Secret, Label, Messages) = |
900 | | * HKDF-Expand-Label(Secret, Label, |
901 | | * Transcript-Hash(Messages), Hash.length) |
902 | | * |
903 | | * Here Transcript-Hash is the cipher suite hash algorithm. |
904 | | */ |
905 | 0 | if (md == NULL |
906 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
907 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
908 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
909 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
910 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
911 | 0 | || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, |
912 | 0 | (const unsigned char *)label, llen, |
913 | 0 | data, datalen, exportsecret, hashsize, 0) |
914 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
915 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
916 | 0 | out, olen, 0)) |
917 | 0 | goto err; |
918 | | |
919 | 0 | ret = 1; |
920 | 0 | err: |
921 | 0 | EVP_MD_CTX_free(ctx); |
922 | 0 | return ret; |
923 | 0 | } |