/src/openssl/ssl/tls13_enc.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdlib.h> |
11 | | #include "ssl_locl.h" |
12 | | #include "internal/cryptlib.h" |
13 | | #include <openssl/evp.h> |
14 | | #include <openssl/kdf.h> |
15 | | |
16 | | #define TLS13_MAX_LABEL_LEN 246 |
17 | | |
18 | | /* Always filled with zeros */ |
19 | | static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; |
20 | | |
21 | | /* |
22 | | * Given a |secret|; a |label| of length |labellen|; and |data| of length |
23 | | * |datalen| (e.g. typically a hash of the handshake messages), derive a new |
24 | | * secret |outlen| bytes long and store it in the location pointed to be |out|. |
25 | | * The |data| value may be zero length. Returns 1 on success 0 on failure. |
26 | | */ |
27 | | int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, |
28 | | const unsigned char *label, size_t labellen, |
29 | | const unsigned char *data, size_t datalen, |
30 | | unsigned char *out, size_t outlen) |
31 | 0 | { |
32 | 0 | const unsigned char label_prefix[] = "tls13 "; |
33 | 0 | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
34 | 0 | int ret; |
35 | 0 | size_t hkdflabellen; |
36 | 0 | size_t hashlen; |
37 | 0 | /* |
38 | 0 | * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined |
39 | 0 | * prefix and label + bytes for the label itself + bytes for the hash |
40 | 0 | */ |
41 | 0 | unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + |
42 | 0 | + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN |
43 | 0 | + EVP_MAX_MD_SIZE]; |
44 | 0 | WPACKET pkt; |
45 | 0 |
|
46 | 0 | if (pctx == NULL) |
47 | 0 | return 0; |
48 | 0 | |
49 | 0 | hashlen = EVP_MD_size(md); |
50 | 0 |
|
51 | 0 | if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) |
52 | 0 | || !WPACKET_put_bytes_u16(&pkt, outlen) |
53 | 0 | || !WPACKET_start_sub_packet_u8(&pkt) |
54 | 0 | || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1) |
55 | 0 | || !WPACKET_memcpy(&pkt, label, labellen) |
56 | 0 | || !WPACKET_close(&pkt) |
57 | 0 | || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) |
58 | 0 | || !WPACKET_get_total_written(&pkt, &hkdflabellen) |
59 | 0 | || !WPACKET_finish(&pkt)) { |
60 | 0 | EVP_PKEY_CTX_free(pctx); |
61 | 0 | WPACKET_cleanup(&pkt); |
62 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, |
63 | 0 | ERR_R_INTERNAL_ERROR); |
64 | 0 | return 0; |
65 | 0 | } |
66 | 0 |
|
67 | 0 | ret = EVP_PKEY_derive_init(pctx) <= 0 |
68 | 0 | || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) |
69 | 0 | <= 0 |
70 | 0 | || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 |
71 | 0 | || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0 |
72 | 0 | || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0 |
73 | 0 | || EVP_PKEY_derive(pctx, out, &outlen) <= 0; |
74 | 0 |
|
75 | 0 | EVP_PKEY_CTX_free(pctx); |
76 | 0 |
|
77 | 0 | if (ret != 0) |
78 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, |
79 | 0 | ERR_R_INTERNAL_ERROR); |
80 | 0 |
|
81 | 0 | return ret == 0; |
82 | 0 | } |
83 | | |
84 | | /* |
85 | | * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on |
86 | | * success 0 on failure. |
87 | | */ |
88 | | int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, |
89 | | unsigned char *key, size_t keylen) |
90 | 0 | { |
91 | 0 | static const unsigned char keylabel[] = "key"; |
92 | 0 |
|
93 | 0 | return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, |
94 | 0 | NULL, 0, key, keylen); |
95 | 0 | } |
96 | | |
97 | | /* |
98 | | * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on |
99 | | * success 0 on failure. |
100 | | */ |
101 | | int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, |
102 | | unsigned char *iv, size_t ivlen) |
103 | 0 | { |
104 | 0 | static const unsigned char ivlabel[] = "iv"; |
105 | 0 |
|
106 | 0 | return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, |
107 | 0 | NULL, 0, iv, ivlen); |
108 | 0 | } |
109 | | |
110 | | int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, |
111 | | const unsigned char *secret, |
112 | | unsigned char *fin, size_t finlen) |
113 | 0 | { |
114 | 0 | static const unsigned char finishedlabel[] = "finished"; |
115 | 0 |
|
116 | 0 | return tls13_hkdf_expand(s, md, secret, finishedlabel, |
117 | 0 | sizeof(finishedlabel) - 1, NULL, 0, fin, finlen); |
118 | 0 | } |
119 | | |
120 | | /* |
121 | | * Given the previous secret |prevsecret| and a new input secret |insecret| of |
122 | | * length |insecretlen|, generate a new secret and store it in the location |
123 | | * pointed to by |outsecret|. Returns 1 on success 0 on failure. |
124 | | */ |
125 | | int tls13_generate_secret(SSL *s, const EVP_MD *md, |
126 | | const unsigned char *prevsecret, |
127 | | const unsigned char *insecret, |
128 | | size_t insecretlen, |
129 | | unsigned char *outsecret) |
130 | 0 | { |
131 | 0 | size_t mdlen, prevsecretlen; |
132 | 0 | int mdleni; |
133 | 0 | int ret; |
134 | 0 | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); |
135 | 0 | static const char derived_secret_label[] = "derived"; |
136 | 0 | unsigned char preextractsec[EVP_MAX_MD_SIZE]; |
137 | 0 |
|
138 | 0 | if (pctx == NULL) { |
139 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
140 | 0 | ERR_R_INTERNAL_ERROR); |
141 | 0 | return 0; |
142 | 0 | } |
143 | 0 |
|
144 | 0 | mdleni = EVP_MD_size(md); |
145 | 0 | /* Ensure cast to size_t is safe */ |
146 | 0 | if (!ossl_assert(mdleni >= 0)) { |
147 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
148 | 0 | ERR_R_INTERNAL_ERROR); |
149 | 0 | return 0; |
150 | 0 | } |
151 | 0 | mdlen = (size_t)mdleni; |
152 | 0 |
|
153 | 0 | if (insecret == NULL) { |
154 | 0 | insecret = default_zeros; |
155 | 0 | insecretlen = mdlen; |
156 | 0 | } |
157 | 0 | if (prevsecret == NULL) { |
158 | 0 | prevsecret = default_zeros; |
159 | 0 | prevsecretlen = 0; |
160 | 0 | } else { |
161 | 0 | EVP_MD_CTX *mctx = EVP_MD_CTX_new(); |
162 | 0 | unsigned char hash[EVP_MAX_MD_SIZE]; |
163 | 0 |
|
164 | 0 | /* The pre-extract derive step uses a hash of no messages */ |
165 | 0 | if (mctx == NULL |
166 | 0 | || EVP_DigestInit_ex(mctx, md, NULL) <= 0 |
167 | 0 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { |
168 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
169 | 0 | ERR_R_INTERNAL_ERROR); |
170 | 0 | EVP_MD_CTX_free(mctx); |
171 | 0 | EVP_PKEY_CTX_free(pctx); |
172 | 0 | return 0; |
173 | 0 | } |
174 | 0 | EVP_MD_CTX_free(mctx); |
175 | 0 |
|
176 | 0 | /* Generate the pre-extract secret */ |
177 | 0 | if (!tls13_hkdf_expand(s, md, prevsecret, |
178 | 0 | (unsigned char *)derived_secret_label, |
179 | 0 | sizeof(derived_secret_label) - 1, hash, mdlen, |
180 | 0 | preextractsec, mdlen)) { |
181 | 0 | /* SSLfatal() already called */ |
182 | 0 | EVP_PKEY_CTX_free(pctx); |
183 | 0 | return 0; |
184 | 0 | } |
185 | 0 | |
186 | 0 | prevsecret = preextractsec; |
187 | 0 | prevsecretlen = mdlen; |
188 | 0 | } |
189 | 0 |
|
190 | 0 | ret = EVP_PKEY_derive_init(pctx) <= 0 |
191 | 0 | || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) |
192 | 0 | <= 0 |
193 | 0 | || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 |
194 | 0 | || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0 |
195 | 0 | || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen) |
196 | 0 | <= 0 |
197 | 0 | || EVP_PKEY_derive(pctx, outsecret, &mdlen) |
198 | 0 | <= 0; |
199 | 0 |
|
200 | 0 | if (ret != 0) |
201 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, |
202 | 0 | ERR_R_INTERNAL_ERROR); |
203 | 0 |
|
204 | 0 | EVP_PKEY_CTX_free(pctx); |
205 | 0 | if (prevsecret == preextractsec) |
206 | 0 | OPENSSL_cleanse(preextractsec, mdlen); |
207 | 0 | return ret == 0; |
208 | 0 | } |
209 | | |
210 | | /* |
211 | | * Given an input secret |insecret| of length |insecretlen| generate the |
212 | | * handshake secret. This requires the early secret to already have been |
213 | | * generated. Returns 1 on success 0 on failure. |
214 | | */ |
215 | | int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, |
216 | | size_t insecretlen) |
217 | 0 | { |
218 | 0 | /* Calls SSLfatal() if required */ |
219 | 0 | return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, |
220 | 0 | insecret, insecretlen, |
221 | 0 | (unsigned char *)&s->handshake_secret); |
222 | 0 | } |
223 | | |
224 | | /* |
225 | | * Given the handshake secret |prev| of length |prevlen| generate the master |
226 | | * secret and store its length in |*secret_size|. Returns 1 on success 0 on |
227 | | * failure. |
228 | | */ |
229 | | int tls13_generate_master_secret(SSL *s, unsigned char *out, |
230 | | unsigned char *prev, size_t prevlen, |
231 | | size_t *secret_size) |
232 | 0 | { |
233 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
234 | 0 |
|
235 | 0 | *secret_size = EVP_MD_size(md); |
236 | 0 | /* Calls SSLfatal() if required */ |
237 | 0 | return tls13_generate_secret(s, md, prev, NULL, 0, out); |
238 | 0 | } |
239 | | |
240 | | /* |
241 | | * Generates the mac for the Finished message. Returns the length of the MAC or |
242 | | * 0 on error. |
243 | | */ |
244 | | size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, |
245 | | unsigned char *out) |
246 | 0 | { |
247 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
248 | 0 | unsigned char hash[EVP_MAX_MD_SIZE]; |
249 | 0 | size_t hashlen, ret = 0; |
250 | 0 | EVP_PKEY *key = NULL; |
251 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
252 | 0 |
|
253 | 0 | if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { |
254 | 0 | /* SSLfatal() already called */ |
255 | 0 | goto err; |
256 | 0 | } |
257 | 0 | |
258 | 0 | if (str == s->method->ssl3_enc->server_finished_label) { |
259 | 0 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, |
260 | 0 | s->server_finished_secret, hashlen); |
261 | 0 | } else if (SSL_IS_FIRST_HANDSHAKE(s)) { |
262 | 0 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, |
263 | 0 | s->client_finished_secret, hashlen); |
264 | 0 | } else { |
265 | 0 | unsigned char finsecret[EVP_MAX_MD_SIZE]; |
266 | 0 |
|
267 | 0 | if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), |
268 | 0 | s->client_app_traffic_secret, |
269 | 0 | finsecret, hashlen)) |
270 | 0 | goto err; |
271 | 0 | |
272 | 0 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret, |
273 | 0 | hashlen); |
274 | 0 | } |
275 | 0 |
|
276 | 0 | if (key == NULL |
277 | 0 | || ctx == NULL |
278 | 0 | || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0 |
279 | 0 | || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0 |
280 | 0 | || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) { |
281 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC, |
282 | 0 | ERR_R_INTERNAL_ERROR); |
283 | 0 | goto err; |
284 | 0 | } |
285 | 0 |
|
286 | 0 | ret = hashlen; |
287 | 0 | err: |
288 | 0 | EVP_PKEY_free(key); |
289 | 0 | EVP_MD_CTX_free(ctx); |
290 | 0 | return ret; |
291 | 0 | } |
292 | | |
293 | | /* |
294 | | * There isn't really a key block in TLSv1.3, but we still need this function |
295 | | * for initialising the cipher and hash. Returns 1 on success or 0 on failure. |
296 | | */ |
297 | | int tls13_setup_key_block(SSL *s) |
298 | 0 | { |
299 | 0 | const EVP_CIPHER *c; |
300 | 0 | const EVP_MD *hash; |
301 | 0 | int mac_type = NID_undef; |
302 | 0 |
|
303 | 0 | s->session->cipher = s->s3->tmp.new_cipher; |
304 | 0 | if (!ssl_cipher_get_evp |
305 | 0 | (s->session, &c, &hash, &mac_type, NULL, NULL, 0)) { |
306 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, |
307 | 0 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
308 | 0 | return 0; |
309 | 0 | } |
310 | 0 |
|
311 | 0 | s->s3->tmp.new_sym_enc = c; |
312 | 0 | s->s3->tmp.new_hash = hash; |
313 | 0 |
|
314 | 0 | return 1; |
315 | 0 | } |
316 | | |
317 | | static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, |
318 | | const EVP_CIPHER *ciph, |
319 | | const unsigned char *insecret, |
320 | | const unsigned char *hash, |
321 | | const unsigned char *label, |
322 | | size_t labellen, unsigned char *secret, |
323 | | unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx) |
324 | 0 | { |
325 | 0 | unsigned char key[EVP_MAX_KEY_LENGTH]; |
326 | 0 | size_t ivlen, keylen, taglen; |
327 | 0 | int hashleni = EVP_MD_size(md); |
328 | 0 | size_t hashlen; |
329 | 0 |
|
330 | 0 | /* Ensure cast to size_t is safe */ |
331 | 0 | if (!ossl_assert(hashleni >= 0)) { |
332 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, |
333 | 0 | ERR_R_EVP_LIB); |
334 | 0 | goto err; |
335 | 0 | } |
336 | 0 | hashlen = (size_t)hashleni; |
337 | 0 |
|
338 | 0 | if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, |
339 | 0 | secret, hashlen)) { |
340 | 0 | /* SSLfatal() already called */ |
341 | 0 | goto err; |
342 | 0 | } |
343 | 0 | |
344 | 0 | /* TODO(size_t): convert me */ |
345 | 0 | keylen = EVP_CIPHER_key_length(ciph); |
346 | 0 | if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { |
347 | 0 | uint32_t algenc; |
348 | 0 |
|
349 | 0 | ivlen = EVP_CCM_TLS_IV_LEN; |
350 | 0 | if (s->s3->tmp.new_cipher == NULL) { |
351 | 0 | /* We've not selected a cipher yet - we must be doing early data */ |
352 | 0 | algenc = s->session->cipher->algorithm_enc; |
353 | 0 | } else { |
354 | 0 | algenc = s->s3->tmp.new_cipher->algorithm_enc; |
355 | 0 | } |
356 | 0 | if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) |
357 | 0 | taglen = EVP_CCM8_TLS_TAG_LEN; |
358 | 0 | else |
359 | 0 | taglen = EVP_CCM_TLS_TAG_LEN; |
360 | 0 | } else { |
361 | 0 | ivlen = EVP_CIPHER_iv_length(ciph); |
362 | 0 | taglen = 0; |
363 | 0 | } |
364 | 0 |
|
365 | 0 | if (!tls13_derive_key(s, md, secret, key, keylen) |
366 | 0 | || !tls13_derive_iv(s, md, secret, iv, ivlen)) { |
367 | 0 | /* SSLfatal() already called */ |
368 | 0 | goto err; |
369 | 0 | } |
370 | 0 | |
371 | 0 | if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 |
372 | 0 | || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) |
373 | 0 | || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, |
374 | 0 | taglen, NULL)) |
375 | 0 | || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { |
376 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, |
377 | 0 | ERR_R_EVP_LIB); |
378 | 0 | goto err; |
379 | 0 | } |
380 | 0 |
|
381 | 0 | return 1; |
382 | 0 | err: |
383 | 0 | OPENSSL_cleanse(key, sizeof(key)); |
384 | 0 | return 0; |
385 | 0 | } |
386 | | |
387 | | int tls13_change_cipher_state(SSL *s, int which) |
388 | 0 | { |
389 | 0 | static const unsigned char client_early_traffic[] = "c e traffic"; |
390 | 0 | static const unsigned char client_handshake_traffic[] = "c hs traffic"; |
391 | 0 | static const unsigned char client_application_traffic[] = "c ap traffic"; |
392 | 0 | static const unsigned char server_handshake_traffic[] = "s hs traffic"; |
393 | 0 | static const unsigned char server_application_traffic[] = "s ap traffic"; |
394 | 0 | static const unsigned char exporter_master_secret[] = "exp master"; |
395 | 0 | static const unsigned char resumption_master_secret[] = "res master"; |
396 | 0 | static const unsigned char early_exporter_master_secret[] = "e exp master"; |
397 | 0 | unsigned char *iv; |
398 | 0 | unsigned char secret[EVP_MAX_MD_SIZE]; |
399 | 0 | unsigned char hashval[EVP_MAX_MD_SIZE]; |
400 | 0 | unsigned char *hash = hashval; |
401 | 0 | unsigned char *insecret; |
402 | 0 | unsigned char *finsecret = NULL; |
403 | 0 | const char *log_label = NULL; |
404 | 0 | EVP_CIPHER_CTX *ciph_ctx; |
405 | 0 | size_t finsecretlen = 0; |
406 | 0 | const unsigned char *label; |
407 | 0 | size_t labellen, hashlen = 0; |
408 | 0 | int ret = 0; |
409 | 0 | const EVP_MD *md = NULL; |
410 | 0 | const EVP_CIPHER *cipher = NULL; |
411 | 0 |
|
412 | 0 | if (which & SSL3_CC_READ) { |
413 | 0 | if (s->enc_read_ctx != NULL) { |
414 | 0 | EVP_CIPHER_CTX_reset(s->enc_read_ctx); |
415 | 0 | } else { |
416 | 0 | s->enc_read_ctx = EVP_CIPHER_CTX_new(); |
417 | 0 | if (s->enc_read_ctx == NULL) { |
418 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
419 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
420 | 0 | goto err; |
421 | 0 | } |
422 | 0 | } |
423 | 0 | ciph_ctx = s->enc_read_ctx; |
424 | 0 | iv = s->read_iv; |
425 | 0 |
|
426 | 0 | RECORD_LAYER_reset_read_sequence(&s->rlayer); |
427 | 0 | } else { |
428 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; |
429 | 0 | if (s->enc_write_ctx != NULL) { |
430 | 0 | EVP_CIPHER_CTX_reset(s->enc_write_ctx); |
431 | 0 | } else { |
432 | 0 | s->enc_write_ctx = EVP_CIPHER_CTX_new(); |
433 | 0 | if (s->enc_write_ctx == NULL) { |
434 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
435 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
436 | 0 | goto err; |
437 | 0 | } |
438 | 0 | } |
439 | 0 | ciph_ctx = s->enc_write_ctx; |
440 | 0 | iv = s->write_iv; |
441 | 0 |
|
442 | 0 | RECORD_LAYER_reset_write_sequence(&s->rlayer); |
443 | 0 | } |
444 | 0 |
|
445 | 0 | if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) |
446 | 0 | || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { |
447 | 0 | if (which & SSL3_CC_EARLY) { |
448 | 0 | EVP_MD_CTX *mdctx = NULL; |
449 | 0 | long handlen; |
450 | 0 | void *hdata; |
451 | 0 | unsigned int hashlenui; |
452 | 0 | const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); |
453 | 0 |
|
454 | 0 | insecret = s->early_secret; |
455 | 0 | label = client_early_traffic; |
456 | 0 | labellen = sizeof(client_early_traffic) - 1; |
457 | 0 | log_label = CLIENT_EARLY_LABEL; |
458 | 0 |
|
459 | 0 | handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); |
460 | 0 | if (handlen <= 0) { |
461 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
462 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, |
463 | 0 | SSL_R_BAD_HANDSHAKE_LENGTH); |
464 | 0 | goto err; |
465 | 0 | } |
466 | 0 |
|
467 | 0 | if (s->early_data_state == SSL_EARLY_DATA_CONNECTING |
468 | 0 | && s->max_early_data > 0 |
469 | 0 | && s->session->ext.max_early_data == 0) { |
470 | 0 | /* |
471 | 0 | * If we are attempting to send early data, and we've decided to |
472 | 0 | * actually do it but max_early_data in s->session is 0 then we |
473 | 0 | * must be using an external PSK. |
474 | 0 | */ |
475 | 0 | if (!ossl_assert(s->psksession != NULL |
476 | 0 | && s->max_early_data == |
477 | 0 | s->psksession->ext.max_early_data)) { |
478 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
479 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, |
480 | 0 | ERR_R_INTERNAL_ERROR); |
481 | 0 | goto err; |
482 | 0 | } |
483 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
484 | 0 | } |
485 | 0 | if (sslcipher == NULL) { |
486 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
487 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK); |
488 | 0 | goto err; |
489 | 0 | } |
490 | 0 |
|
491 | 0 | /* |
492 | 0 | * We need to calculate the handshake digest using the digest from |
493 | 0 | * the session. We haven't yet selected our ciphersuite so we can't |
494 | 0 | * use ssl_handshake_md(). |
495 | 0 | */ |
496 | 0 | mdctx = EVP_MD_CTX_new(); |
497 | 0 | if (mdctx == NULL) { |
498 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
499 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
500 | 0 | goto err; |
501 | 0 | } |
502 | 0 | cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher)); |
503 | 0 | md = ssl_md(sslcipher->algorithm2); |
504 | 0 | if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) |
505 | 0 | || !EVP_DigestUpdate(mdctx, hdata, handlen) |
506 | 0 | || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { |
507 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
508 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
509 | 0 | EVP_MD_CTX_free(mdctx); |
510 | 0 | goto err; |
511 | 0 | } |
512 | 0 | hashlen = hashlenui; |
513 | 0 | EVP_MD_CTX_free(mdctx); |
514 | 0 |
|
515 | 0 | if (!tls13_hkdf_expand(s, md, insecret, |
516 | 0 | early_exporter_master_secret, |
517 | 0 | sizeof(early_exporter_master_secret) - 1, |
518 | 0 | hashval, hashlen, |
519 | 0 | s->early_exporter_master_secret, hashlen)) { |
520 | 0 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
521 | 0 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
522 | 0 | goto err; |
523 | 0 | } |
524 | 0 |
|
525 | 0 | if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, |
526 | 0 | s->early_exporter_master_secret, hashlen)) { |
527 | 0 | /* SSLfatal() already called */ |
528 | 0 | goto err; |
529 | 0 | } |
530 | 0 | } else if (which & SSL3_CC_HANDSHAKE) { |
531 | 0 | insecret = s->handshake_secret; |
532 | 0 | finsecret = s->client_finished_secret; |
533 | 0 | finsecretlen = EVP_MD_size(ssl_handshake_md(s)); |
534 | 0 | label = client_handshake_traffic; |
535 | 0 | labellen = sizeof(client_handshake_traffic) - 1; |
536 | 0 | log_label = CLIENT_HANDSHAKE_LABEL; |
537 | 0 | /* |
538 | 0 | * The handshake hash used for the server read/client write handshake |
539 | 0 | * traffic secret is the same as the hash for the server |
540 | 0 | * write/client read handshake traffic secret. However, if we |
541 | 0 | * processed early data then we delay changing the server |
542 | 0 | * read/client write cipher state until later, and the handshake |
543 | 0 | * hashes have moved on. Therefore we use the value saved earlier |
544 | 0 | * when we did the server write/client read change cipher state. |
545 | 0 | */ |
546 | 0 | hash = s->handshake_traffic_hash; |
547 | 0 | } else { |
548 | 0 | insecret = s->master_secret; |
549 | 0 | label = client_application_traffic; |
550 | 0 | labellen = sizeof(client_application_traffic) - 1; |
551 | 0 | log_label = CLIENT_APPLICATION_LABEL; |
552 | 0 | /* |
553 | 0 | * For this we only use the handshake hashes up until the server |
554 | 0 | * Finished hash. We do not include the client's Finished, which is |
555 | 0 | * what ssl_handshake_hash() would give us. Instead we use the |
556 | 0 | * previously saved value. |
557 | 0 | */ |
558 | 0 | hash = s->server_finished_hash; |
559 | 0 | } |
560 | 0 | } else { |
561 | 0 | /* Early data never applies to client-read/server-write */ |
562 | 0 | if (which & SSL3_CC_HANDSHAKE) { |
563 | 0 | insecret = s->handshake_secret; |
564 | 0 | finsecret = s->server_finished_secret; |
565 | 0 | finsecretlen = EVP_MD_size(ssl_handshake_md(s)); |
566 | 0 | label = server_handshake_traffic; |
567 | 0 | labellen = sizeof(server_handshake_traffic) - 1; |
568 | 0 | log_label = SERVER_HANDSHAKE_LABEL; |
569 | 0 | } else { |
570 | 0 | insecret = s->master_secret; |
571 | 0 | label = server_application_traffic; |
572 | 0 | labellen = sizeof(server_application_traffic) - 1; |
573 | 0 | log_label = SERVER_APPLICATION_LABEL; |
574 | 0 | } |
575 | 0 | } |
576 | 0 |
|
577 | 0 | if (!(which & SSL3_CC_EARLY)) { |
578 | 0 | md = ssl_handshake_md(s); |
579 | 0 | cipher = s->s3->tmp.new_sym_enc; |
580 | 0 | if (!ssl3_digest_cached_records(s, 1) |
581 | 0 | || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { |
582 | 0 | /* SSLfatal() already called */; |
583 | 0 | goto err; |
584 | 0 | } |
585 | 0 | } |
586 | 0 | |
587 | 0 | /* |
588 | 0 | * Save the hash of handshakes up to now for use when we calculate the |
589 | 0 | * client application traffic secret |
590 | 0 | */ |
591 | 0 | if (label == server_application_traffic) |
592 | 0 | memcpy(s->server_finished_hash, hashval, hashlen); |
593 | 0 |
|
594 | 0 | if (label == server_handshake_traffic) |
595 | 0 | memcpy(s->handshake_traffic_hash, hashval, hashlen); |
596 | 0 |
|
597 | 0 | if (label == client_application_traffic) { |
598 | 0 | /* |
599 | 0 | * We also create the resumption master secret, but this time use the |
600 | 0 | * hash for the whole handshake including the Client Finished |
601 | 0 | */ |
602 | 0 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
603 | 0 | resumption_master_secret, |
604 | 0 | sizeof(resumption_master_secret) - 1, |
605 | 0 | hashval, hashlen, s->resumption_master_secret, |
606 | 0 | hashlen)) { |
607 | 0 | /* SSLfatal() already called */ |
608 | 0 | goto err; |
609 | 0 | } |
610 | 0 | } |
611 | 0 | |
612 | 0 | if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, |
613 | 0 | insecret, hash, label, labellen, secret, iv, |
614 | 0 | ciph_ctx)) { |
615 | 0 | /* SSLfatal() already called */ |
616 | 0 | goto err; |
617 | 0 | } |
618 | 0 | |
619 | 0 | if (label == server_application_traffic) { |
620 | 0 | memcpy(s->server_app_traffic_secret, secret, hashlen); |
621 | 0 | /* Now we create the exporter master secret */ |
622 | 0 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, |
623 | 0 | exporter_master_secret, |
624 | 0 | sizeof(exporter_master_secret) - 1, |
625 | 0 | hash, hashlen, s->exporter_master_secret, |
626 | 0 | hashlen)) { |
627 | 0 | /* SSLfatal() already called */ |
628 | 0 | goto err; |
629 | 0 | } |
630 | 0 | |
631 | 0 | if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, |
632 | 0 | hashlen)) { |
633 | 0 | /* SSLfatal() already called */ |
634 | 0 | goto err; |
635 | 0 | } |
636 | 0 | } else if (label == client_application_traffic) |
637 | 0 | memcpy(s->client_app_traffic_secret, secret, hashlen); |
638 | 0 |
|
639 | 0 | if (!ssl_log_secret(s, log_label, secret, hashlen)) { |
640 | 0 | /* SSLfatal() already called */ |
641 | 0 | goto err; |
642 | 0 | } |
643 | 0 | |
644 | 0 | if (finsecret != NULL |
645 | 0 | && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, |
646 | 0 | finsecret, finsecretlen)) { |
647 | 0 | /* SSLfatal() already called */ |
648 | 0 | goto err; |
649 | 0 | } |
650 | 0 | |
651 | 0 | if (!s->server && label == client_early_traffic) |
652 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; |
653 | 0 | else |
654 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; |
655 | 0 | ret = 1; |
656 | 0 | err: |
657 | 0 | OPENSSL_cleanse(secret, sizeof(secret)); |
658 | 0 | return ret; |
659 | 0 | } |
660 | | |
661 | | int tls13_update_key(SSL *s, int sending) |
662 | 0 | { |
663 | 0 | static const unsigned char application_traffic[] = "traffic upd"; |
664 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
665 | 0 | size_t hashlen = EVP_MD_size(md); |
666 | 0 | unsigned char *insecret, *iv; |
667 | 0 | unsigned char secret[EVP_MAX_MD_SIZE]; |
668 | 0 | EVP_CIPHER_CTX *ciph_ctx; |
669 | 0 | int ret = 0; |
670 | 0 |
|
671 | 0 | if (s->server == sending) |
672 | 0 | insecret = s->server_app_traffic_secret; |
673 | 0 | else |
674 | 0 | insecret = s->client_app_traffic_secret; |
675 | 0 |
|
676 | 0 | if (sending) { |
677 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; |
678 | 0 | iv = s->write_iv; |
679 | 0 | ciph_ctx = s->enc_write_ctx; |
680 | 0 | RECORD_LAYER_reset_write_sequence(&s->rlayer); |
681 | 0 | } else { |
682 | 0 | iv = s->read_iv; |
683 | 0 | ciph_ctx = s->enc_read_ctx; |
684 | 0 | RECORD_LAYER_reset_read_sequence(&s->rlayer); |
685 | 0 | } |
686 | 0 |
|
687 | 0 | if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), |
688 | 0 | s->s3->tmp.new_sym_enc, insecret, NULL, |
689 | 0 | application_traffic, |
690 | 0 | sizeof(application_traffic) - 1, secret, iv, |
691 | 0 | ciph_ctx)) { |
692 | 0 | /* SSLfatal() already called */ |
693 | 0 | goto err; |
694 | 0 | } |
695 | 0 | |
696 | 0 | memcpy(insecret, secret, hashlen); |
697 | 0 |
|
698 | 0 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; |
699 | 0 | ret = 1; |
700 | 0 | err: |
701 | 0 | OPENSSL_cleanse(secret, sizeof(secret)); |
702 | 0 | return ret; |
703 | 0 | } |
704 | | |
705 | | int tls13_alert_code(int code) |
706 | 0 | { |
707 | 0 | /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ |
708 | 0 | if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) |
709 | 0 | return code; |
710 | 0 | |
711 | 0 | return tls1_alert_code(code); |
712 | 0 | } |
713 | | |
714 | | int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, |
715 | | const char *label, size_t llen, |
716 | | const unsigned char *context, |
717 | | size_t contextlen, int use_context) |
718 | 0 | { |
719 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
720 | 0 | static const unsigned char exporterlabel[] = "exporter"; |
721 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
722 | 0 | const EVP_MD *md = ssl_handshake_md(s); |
723 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
724 | 0 | unsigned int hashsize, datalen; |
725 | 0 | int ret = 0; |
726 | 0 |
|
727 | 0 | if (ctx == NULL || !ossl_statem_export_allowed(s)) |
728 | 0 | goto err; |
729 | 0 | |
730 | 0 | if (!use_context) |
731 | 0 | contextlen = 0; |
732 | 0 |
|
733 | 0 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
734 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
735 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
736 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
737 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
738 | 0 | || !tls13_hkdf_expand(s, md, s->exporter_master_secret, |
739 | 0 | (const unsigned char *)label, llen, |
740 | 0 | data, datalen, exportsecret, hashsize) |
741 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
742 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
743 | 0 | out, olen)) |
744 | 0 | goto err; |
745 | 0 | |
746 | 0 | ret = 1; |
747 | 0 | err: |
748 | 0 | EVP_MD_CTX_free(ctx); |
749 | 0 | return ret; |
750 | 0 | } |
751 | | |
752 | | int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, |
753 | | const char *label, size_t llen, |
754 | | const unsigned char *context, |
755 | | size_t contextlen) |
756 | 0 | { |
757 | 0 | static const unsigned char exporterlabel[] = "exporter"; |
758 | 0 | unsigned char exportsecret[EVP_MAX_MD_SIZE]; |
759 | 0 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; |
760 | 0 | const EVP_MD *md; |
761 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
762 | 0 | unsigned int hashsize, datalen; |
763 | 0 | int ret = 0; |
764 | 0 | const SSL_CIPHER *sslcipher; |
765 | 0 |
|
766 | 0 | if (ctx == NULL || !ossl_statem_export_early_allowed(s)) |
767 | 0 | goto err; |
768 | 0 | |
769 | 0 | if (!s->server && s->max_early_data > 0 |
770 | 0 | && s->session->ext.max_early_data == 0) |
771 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); |
772 | 0 | else |
773 | 0 | sslcipher = SSL_SESSION_get0_cipher(s->session); |
774 | 0 |
|
775 | 0 | md = ssl_md(sslcipher->algorithm2); |
776 | 0 |
|
777 | 0 | /* |
778 | 0 | * Calculate the hash value and store it in |data|. The reason why |
779 | 0 | * the empty string is used is that the definition of TLS-Exporter |
780 | 0 | * is like so: |
781 | 0 | * |
782 | 0 | * TLS-Exporter(label, context_value, key_length) = |
783 | 0 | * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), |
784 | 0 | * "exporter", Hash(context_value), key_length) |
785 | 0 | * |
786 | 0 | * Derive-Secret(Secret, Label, Messages) = |
787 | 0 | * HKDF-Expand-Label(Secret, Label, |
788 | 0 | * Transcript-Hash(Messages), Hash.length) |
789 | 0 | * |
790 | 0 | * Here Transcript-Hash is the cipher suite hash algorithm. |
791 | 0 | */ |
792 | 0 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
793 | 0 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0 |
794 | 0 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 |
795 | 0 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0 |
796 | 0 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 |
797 | 0 | || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, |
798 | 0 | (const unsigned char *)label, llen, |
799 | 0 | data, datalen, exportsecret, hashsize) |
800 | 0 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, |
801 | 0 | sizeof(exporterlabel) - 1, hash, hashsize, |
802 | 0 | out, olen)) |
803 | 0 | goto err; |
804 | 0 | |
805 | 0 | ret = 1; |
806 | 0 | err: |
807 | 0 | EVP_MD_CTX_free(ctx); |
808 | 0 | return ret; |
809 | 0 | } |