1 | /*
|
---|
2 | * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #include <stdlib.h>
|
---|
11 | #include "ssl_local.h"
|
---|
12 | #include "internal/cryptlib.h"
|
---|
13 | #include <openssl/evp.h>
|
---|
14 | #include <openssl/kdf.h>
|
---|
15 |
|
---|
16 | #define TLS13_MAX_LABEL_LEN 249
|
---|
17 |
|
---|
18 | /* Always filled with zeros */
|
---|
19 | static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
|
---|
20 |
|
---|
21 | /*
|
---|
22 | * Given a |secret|; a |label| of length |labellen|; and |data| of length
|
---|
23 | * |datalen| (e.g. typically a hash of the handshake messages), derive a new
|
---|
24 | * secret |outlen| bytes long and store it in the location pointed to be |out|.
|
---|
25 | * The |data| value may be zero length. Any errors will be treated as fatal if
|
---|
26 | * |fatal| is set. Returns 1 on success 0 on failure.
|
---|
27 | */
|
---|
28 | int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
|
---|
29 | const unsigned char *label, size_t labellen,
|
---|
30 | const unsigned char *data, size_t datalen,
|
---|
31 | unsigned char *out, size_t outlen, int fatal)
|
---|
32 | {
|
---|
33 | #ifdef CHARSET_EBCDIC
|
---|
34 | static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 };
|
---|
35 | #else
|
---|
36 | static const unsigned char label_prefix[] = "tls13 ";
|
---|
37 | #endif
|
---|
38 | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
|
---|
39 | int ret;
|
---|
40 | size_t hkdflabellen;
|
---|
41 | size_t hashlen;
|
---|
42 | /*
|
---|
43 | * 2 bytes for length of derived secret + 1 byte for length of combined
|
---|
44 | * prefix and label + bytes for the label itself + 1 byte length of hash
|
---|
45 | * + bytes for the hash itself
|
---|
46 | */
|
---|
47 | unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t)
|
---|
48 | + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN
|
---|
49 | + 1 + EVP_MAX_MD_SIZE];
|
---|
50 | WPACKET pkt;
|
---|
51 |
|
---|
52 | if (pctx == NULL)
|
---|
53 | return 0;
|
---|
54 |
|
---|
55 | if (labellen > TLS13_MAX_LABEL_LEN) {
|
---|
56 | if (fatal) {
|
---|
57 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
|
---|
58 | ERR_R_INTERNAL_ERROR);
|
---|
59 | } else {
|
---|
60 | /*
|
---|
61 | * Probably we have been called from SSL_export_keying_material(),
|
---|
62 | * or SSL_export_keying_material_early().
|
---|
63 | */
|
---|
64 | SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
|
---|
65 | }
|
---|
66 | EVP_PKEY_CTX_free(pctx);
|
---|
67 | return 0;
|
---|
68 | }
|
---|
69 |
|
---|
70 | hashlen = EVP_MD_size(md);
|
---|
71 |
|
---|
72 | if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
|
---|
73 | || !WPACKET_put_bytes_u16(&pkt, outlen)
|
---|
74 | || !WPACKET_start_sub_packet_u8(&pkt)
|
---|
75 | || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1)
|
---|
76 | || !WPACKET_memcpy(&pkt, label, labellen)
|
---|
77 | || !WPACKET_close(&pkt)
|
---|
78 | || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
|
---|
79 | || !WPACKET_get_total_written(&pkt, &hkdflabellen)
|
---|
80 | || !WPACKET_finish(&pkt)) {
|
---|
81 | EVP_PKEY_CTX_free(pctx);
|
---|
82 | WPACKET_cleanup(&pkt);
|
---|
83 | if (fatal)
|
---|
84 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
|
---|
85 | ERR_R_INTERNAL_ERROR);
|
---|
86 | else
|
---|
87 | SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
|
---|
88 | return 0;
|
---|
89 | }
|
---|
90 |
|
---|
91 | ret = EVP_PKEY_derive_init(pctx) <= 0
|
---|
92 | || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)
|
---|
93 | <= 0
|
---|
94 | || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0
|
---|
95 | || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0
|
---|
96 | || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0
|
---|
97 | || EVP_PKEY_derive(pctx, out, &outlen) <= 0;
|
---|
98 |
|
---|
99 | EVP_PKEY_CTX_free(pctx);
|
---|
100 |
|
---|
101 | if (ret != 0) {
|
---|
102 | if (fatal)
|
---|
103 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
|
---|
104 | ERR_R_INTERNAL_ERROR);
|
---|
105 | else
|
---|
106 | SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR);
|
---|
107 | }
|
---|
108 |
|
---|
109 | return ret == 0;
|
---|
110 | }
|
---|
111 |
|
---|
112 | /*
|
---|
113 | * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on
|
---|
114 | * success 0 on failure.
|
---|
115 | */
|
---|
116 | int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
|
---|
117 | unsigned char *key, size_t keylen)
|
---|
118 | {
|
---|
119 | #ifdef CHARSET_EBCDIC
|
---|
120 | static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 };
|
---|
121 | #else
|
---|
122 | static const unsigned char keylabel[] = "key";
|
---|
123 | #endif
|
---|
124 |
|
---|
125 | return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
|
---|
126 | NULL, 0, key, keylen, 1);
|
---|
127 | }
|
---|
128 |
|
---|
129 | /*
|
---|
130 | * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on
|
---|
131 | * success 0 on failure.
|
---|
132 | */
|
---|
133 | int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
|
---|
134 | unsigned char *iv, size_t ivlen)
|
---|
135 | {
|
---|
136 | #ifdef CHARSET_EBCDIC
|
---|
137 | static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 };
|
---|
138 | #else
|
---|
139 | static const unsigned char ivlabel[] = "iv";
|
---|
140 | #endif
|
---|
141 |
|
---|
142 | return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
|
---|
143 | NULL, 0, iv, ivlen, 1);
|
---|
144 | }
|
---|
145 |
|
---|
146 | int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
|
---|
147 | const unsigned char *secret,
|
---|
148 | unsigned char *fin, size_t finlen)
|
---|
149 | {
|
---|
150 | #ifdef CHARSET_EBCDIC
|
---|
151 | static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 };
|
---|
152 | #else
|
---|
153 | static const unsigned char finishedlabel[] = "finished";
|
---|
154 | #endif
|
---|
155 |
|
---|
156 | return tls13_hkdf_expand(s, md, secret, finishedlabel,
|
---|
157 | sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
|
---|
158 | }
|
---|
159 |
|
---|
160 | /*
|
---|
161 | * Given the previous secret |prevsecret| and a new input secret |insecret| of
|
---|
162 | * length |insecretlen|, generate a new secret and store it in the location
|
---|
163 | * pointed to by |outsecret|. Returns 1 on success 0 on failure.
|
---|
164 | */
|
---|
165 | int tls13_generate_secret(SSL *s, const EVP_MD *md,
|
---|
166 | const unsigned char *prevsecret,
|
---|
167 | const unsigned char *insecret,
|
---|
168 | size_t insecretlen,
|
---|
169 | unsigned char *outsecret)
|
---|
170 | {
|
---|
171 | size_t mdlen, prevsecretlen;
|
---|
172 | int mdleni;
|
---|
173 | int ret;
|
---|
174 | EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
|
---|
175 | #ifdef CHARSET_EBCDIC
|
---|
176 | static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 };
|
---|
177 | #else
|
---|
178 | static const char derived_secret_label[] = "derived";
|
---|
179 | #endif
|
---|
180 | unsigned char preextractsec[EVP_MAX_MD_SIZE];
|
---|
181 |
|
---|
182 | if (pctx == NULL) {
|
---|
183 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
|
---|
184 | ERR_R_INTERNAL_ERROR);
|
---|
185 | return 0;
|
---|
186 | }
|
---|
187 |
|
---|
188 | mdleni = EVP_MD_size(md);
|
---|
189 | /* Ensure cast to size_t is safe */
|
---|
190 | if (!ossl_assert(mdleni >= 0)) {
|
---|
191 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
|
---|
192 | ERR_R_INTERNAL_ERROR);
|
---|
193 | return 0;
|
---|
194 | }
|
---|
195 | mdlen = (size_t)mdleni;
|
---|
196 |
|
---|
197 | if (insecret == NULL) {
|
---|
198 | insecret = default_zeros;
|
---|
199 | insecretlen = mdlen;
|
---|
200 | }
|
---|
201 | if (prevsecret == NULL) {
|
---|
202 | prevsecret = default_zeros;
|
---|
203 | prevsecretlen = 0;
|
---|
204 | } else {
|
---|
205 | EVP_MD_CTX *mctx = EVP_MD_CTX_new();
|
---|
206 | unsigned char hash[EVP_MAX_MD_SIZE];
|
---|
207 |
|
---|
208 | /* The pre-extract derive step uses a hash of no messages */
|
---|
209 | if (mctx == NULL
|
---|
210 | || EVP_DigestInit_ex(mctx, md, NULL) <= 0
|
---|
211 | || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
|
---|
212 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
|
---|
213 | ERR_R_INTERNAL_ERROR);
|
---|
214 | EVP_MD_CTX_free(mctx);
|
---|
215 | EVP_PKEY_CTX_free(pctx);
|
---|
216 | return 0;
|
---|
217 | }
|
---|
218 | EVP_MD_CTX_free(mctx);
|
---|
219 |
|
---|
220 | /* Generate the pre-extract secret */
|
---|
221 | if (!tls13_hkdf_expand(s, md, prevsecret,
|
---|
222 | (unsigned char *)derived_secret_label,
|
---|
223 | sizeof(derived_secret_label) - 1, hash, mdlen,
|
---|
224 | preextractsec, mdlen, 1)) {
|
---|
225 | /* SSLfatal() already called */
|
---|
226 | EVP_PKEY_CTX_free(pctx);
|
---|
227 | return 0;
|
---|
228 | }
|
---|
229 |
|
---|
230 | prevsecret = preextractsec;
|
---|
231 | prevsecretlen = mdlen;
|
---|
232 | }
|
---|
233 |
|
---|
234 | ret = EVP_PKEY_derive_init(pctx) <= 0
|
---|
235 | || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)
|
---|
236 | <= 0
|
---|
237 | || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0
|
---|
238 | || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0
|
---|
239 | || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen)
|
---|
240 | <= 0
|
---|
241 | || EVP_PKEY_derive(pctx, outsecret, &mdlen)
|
---|
242 | <= 0;
|
---|
243 |
|
---|
244 | if (ret != 0)
|
---|
245 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
|
---|
246 | ERR_R_INTERNAL_ERROR);
|
---|
247 |
|
---|
248 | EVP_PKEY_CTX_free(pctx);
|
---|
249 | if (prevsecret == preextractsec)
|
---|
250 | OPENSSL_cleanse(preextractsec, mdlen);
|
---|
251 | return ret == 0;
|
---|
252 | }
|
---|
253 |
|
---|
254 | /*
|
---|
255 | * Given an input secret |insecret| of length |insecretlen| generate the
|
---|
256 | * handshake secret. This requires the early secret to already have been
|
---|
257 | * generated. Returns 1 on success 0 on failure.
|
---|
258 | */
|
---|
259 | int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret,
|
---|
260 | size_t insecretlen)
|
---|
261 | {
|
---|
262 | /* Calls SSLfatal() if required */
|
---|
263 | return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret,
|
---|
264 | insecret, insecretlen,
|
---|
265 | (unsigned char *)&s->handshake_secret);
|
---|
266 | }
|
---|
267 |
|
---|
268 | /*
|
---|
269 | * Given the handshake secret |prev| of length |prevlen| generate the master
|
---|
270 | * secret and store its length in |*secret_size|. Returns 1 on success 0 on
|
---|
271 | * failure.
|
---|
272 | */
|
---|
273 | int tls13_generate_master_secret(SSL *s, unsigned char *out,
|
---|
274 | unsigned char *prev, size_t prevlen,
|
---|
275 | size_t *secret_size)
|
---|
276 | {
|
---|
277 | const EVP_MD *md = ssl_handshake_md(s);
|
---|
278 |
|
---|
279 | *secret_size = EVP_MD_size(md);
|
---|
280 | /* Calls SSLfatal() if required */
|
---|
281 | return tls13_generate_secret(s, md, prev, NULL, 0, out);
|
---|
282 | }
|
---|
283 |
|
---|
284 | /*
|
---|
285 | * Generates the mac for the Finished message. Returns the length of the MAC or
|
---|
286 | * 0 on error.
|
---|
287 | */
|
---|
288 | size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
|
---|
289 | unsigned char *out)
|
---|
290 | {
|
---|
291 | const EVP_MD *md = ssl_handshake_md(s);
|
---|
292 | unsigned char hash[EVP_MAX_MD_SIZE];
|
---|
293 | size_t hashlen, ret = 0;
|
---|
294 | EVP_PKEY *key = NULL;
|
---|
295 | EVP_MD_CTX *ctx = EVP_MD_CTX_new();
|
---|
296 |
|
---|
297 | if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
|
---|
298 | /* SSLfatal() already called */
|
---|
299 | goto err;
|
---|
300 | }
|
---|
301 |
|
---|
302 | if (str == s->method->ssl3_enc->server_finished_label) {
|
---|
303 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
|
---|
304 | s->server_finished_secret, hashlen);
|
---|
305 | } else if (SSL_IS_FIRST_HANDSHAKE(s)) {
|
---|
306 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
|
---|
307 | s->client_finished_secret, hashlen);
|
---|
308 | } else {
|
---|
309 | unsigned char finsecret[EVP_MAX_MD_SIZE];
|
---|
310 |
|
---|
311 | if (!tls13_derive_finishedkey(s, ssl_handshake_md(s),
|
---|
312 | s->client_app_traffic_secret,
|
---|
313 | finsecret, hashlen))
|
---|
314 | goto err;
|
---|
315 |
|
---|
316 | key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,
|
---|
317 | hashlen);
|
---|
318 | OPENSSL_cleanse(finsecret, sizeof(finsecret));
|
---|
319 | }
|
---|
320 |
|
---|
321 | if (key == NULL
|
---|
322 | || ctx == NULL
|
---|
323 | || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0
|
---|
324 | || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0
|
---|
325 | || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) {
|
---|
326 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC,
|
---|
327 | ERR_R_INTERNAL_ERROR);
|
---|
328 | goto err;
|
---|
329 | }
|
---|
330 |
|
---|
331 | ret = hashlen;
|
---|
332 | err:
|
---|
333 | EVP_PKEY_free(key);
|
---|
334 | EVP_MD_CTX_free(ctx);
|
---|
335 | return ret;
|
---|
336 | }
|
---|
337 |
|
---|
338 | /*
|
---|
339 | * There isn't really a key block in TLSv1.3, but we still need this function
|
---|
340 | * for initialising the cipher and hash. Returns 1 on success or 0 on failure.
|
---|
341 | */
|
---|
342 | int tls13_setup_key_block(SSL *s)
|
---|
343 | {
|
---|
344 | const EVP_CIPHER *c;
|
---|
345 | const EVP_MD *hash;
|
---|
346 |
|
---|
347 | s->session->cipher = s->s3->tmp.new_cipher;
|
---|
348 | if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, NULL, 0)) {
|
---|
349 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
|
---|
350 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
|
---|
351 | return 0;
|
---|
352 | }
|
---|
353 |
|
---|
354 | s->s3->tmp.new_sym_enc = c;
|
---|
355 | s->s3->tmp.new_hash = hash;
|
---|
356 |
|
---|
357 | return 1;
|
---|
358 | }
|
---|
359 |
|
---|
360 | static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
|
---|
361 | const EVP_CIPHER *ciph,
|
---|
362 | const unsigned char *insecret,
|
---|
363 | const unsigned char *hash,
|
---|
364 | const unsigned char *label,
|
---|
365 | size_t labellen, unsigned char *secret,
|
---|
366 | unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx)
|
---|
367 | {
|
---|
368 | unsigned char key[EVP_MAX_KEY_LENGTH];
|
---|
369 | size_t ivlen, keylen, taglen;
|
---|
370 | int hashleni = EVP_MD_size(md);
|
---|
371 | size_t hashlen;
|
---|
372 |
|
---|
373 | /* Ensure cast to size_t is safe */
|
---|
374 | if (!ossl_assert(hashleni >= 0)) {
|
---|
375 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
|
---|
376 | ERR_R_EVP_LIB);
|
---|
377 | goto err;
|
---|
378 | }
|
---|
379 | hashlen = (size_t)hashleni;
|
---|
380 |
|
---|
381 | if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
|
---|
382 | secret, hashlen, 1)) {
|
---|
383 | /* SSLfatal() already called */
|
---|
384 | goto err;
|
---|
385 | }
|
---|
386 |
|
---|
387 | /* TODO(size_t): convert me */
|
---|
388 | keylen = EVP_CIPHER_key_length(ciph);
|
---|
389 | if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) {
|
---|
390 | uint32_t algenc;
|
---|
391 |
|
---|
392 | ivlen = EVP_CCM_TLS_IV_LEN;
|
---|
393 | if (s->s3->tmp.new_cipher == NULL) {
|
---|
394 | /* We've not selected a cipher yet - we must be doing early data */
|
---|
395 | algenc = s->session->cipher->algorithm_enc;
|
---|
396 | } else {
|
---|
397 | algenc = s->s3->tmp.new_cipher->algorithm_enc;
|
---|
398 | }
|
---|
399 | if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
|
---|
400 | taglen = EVP_CCM8_TLS_TAG_LEN;
|
---|
401 | else
|
---|
402 | taglen = EVP_CCM_TLS_TAG_LEN;
|
---|
403 | } else {
|
---|
404 | ivlen = EVP_CIPHER_iv_length(ciph);
|
---|
405 | taglen = 0;
|
---|
406 | }
|
---|
407 |
|
---|
408 | if (!tls13_derive_key(s, md, secret, key, keylen)
|
---|
409 | || !tls13_derive_iv(s, md, secret, iv, ivlen)) {
|
---|
410 | /* SSLfatal() already called */
|
---|
411 | goto err;
|
---|
412 | }
|
---|
413 |
|
---|
414 | if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0
|
---|
415 | || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
|
---|
416 | || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
|
---|
417 | taglen, NULL))
|
---|
418 | || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {
|
---|
419 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
|
---|
420 | ERR_R_EVP_LIB);
|
---|
421 | goto err;
|
---|
422 | }
|
---|
423 |
|
---|
424 | return 1;
|
---|
425 | err:
|
---|
426 | OPENSSL_cleanse(key, sizeof(key));
|
---|
427 | return 0;
|
---|
428 | }
|
---|
429 |
|
---|
430 | int tls13_change_cipher_state(SSL *s, int which)
|
---|
431 | {
|
---|
432 | #ifdef CHARSET_EBCDIC
|
---|
433 | static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
|
---|
434 | static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
|
---|
435 | static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
|
---|
436 | static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
|
---|
437 | static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
|
---|
438 | static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
|
---|
439 | static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
|
---|
440 | static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
|
---|
441 | #else
|
---|
442 | static const unsigned char client_early_traffic[] = "c e traffic";
|
---|
443 | static const unsigned char client_handshake_traffic[] = "c hs traffic";
|
---|
444 | static const unsigned char client_application_traffic[] = "c ap traffic";
|
---|
445 | static const unsigned char server_handshake_traffic[] = "s hs traffic";
|
---|
446 | static const unsigned char server_application_traffic[] = "s ap traffic";
|
---|
447 | static const unsigned char exporter_master_secret[] = "exp master";
|
---|
448 | static const unsigned char resumption_master_secret[] = "res master";
|
---|
449 | static const unsigned char early_exporter_master_secret[] = "e exp master";
|
---|
450 | #endif
|
---|
451 | unsigned char *iv;
|
---|
452 | unsigned char secret[EVP_MAX_MD_SIZE];
|
---|
453 | unsigned char hashval[EVP_MAX_MD_SIZE];
|
---|
454 | unsigned char *hash = hashval;
|
---|
455 | unsigned char *insecret;
|
---|
456 | unsigned char *finsecret = NULL;
|
---|
457 | const char *log_label = NULL;
|
---|
458 | EVP_CIPHER_CTX *ciph_ctx;
|
---|
459 | size_t finsecretlen = 0;
|
---|
460 | const unsigned char *label;
|
---|
461 | size_t labellen, hashlen = 0;
|
---|
462 | int ret = 0;
|
---|
463 | const EVP_MD *md = NULL;
|
---|
464 | const EVP_CIPHER *cipher = NULL;
|
---|
465 |
|
---|
466 | if (which & SSL3_CC_READ) {
|
---|
467 | if (s->enc_read_ctx != NULL) {
|
---|
468 | EVP_CIPHER_CTX_reset(s->enc_read_ctx);
|
---|
469 | } else {
|
---|
470 | s->enc_read_ctx = EVP_CIPHER_CTX_new();
|
---|
471 | if (s->enc_read_ctx == NULL) {
|
---|
472 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
473 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
|
---|
474 | goto err;
|
---|
475 | }
|
---|
476 | }
|
---|
477 | ciph_ctx = s->enc_read_ctx;
|
---|
478 | iv = s->read_iv;
|
---|
479 |
|
---|
480 | RECORD_LAYER_reset_read_sequence(&s->rlayer);
|
---|
481 | } else {
|
---|
482 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
|
---|
483 | if (s->enc_write_ctx != NULL) {
|
---|
484 | EVP_CIPHER_CTX_reset(s->enc_write_ctx);
|
---|
485 | } else {
|
---|
486 | s->enc_write_ctx = EVP_CIPHER_CTX_new();
|
---|
487 | if (s->enc_write_ctx == NULL) {
|
---|
488 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
489 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
|
---|
490 | goto err;
|
---|
491 | }
|
---|
492 | }
|
---|
493 | ciph_ctx = s->enc_write_ctx;
|
---|
494 | iv = s->write_iv;
|
---|
495 |
|
---|
496 | RECORD_LAYER_reset_write_sequence(&s->rlayer);
|
---|
497 | }
|
---|
498 |
|
---|
499 | if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
|
---|
500 | || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
|
---|
501 | if (which & SSL3_CC_EARLY) {
|
---|
502 | EVP_MD_CTX *mdctx = NULL;
|
---|
503 | long handlen;
|
---|
504 | void *hdata;
|
---|
505 | unsigned int hashlenui;
|
---|
506 | const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session);
|
---|
507 |
|
---|
508 | insecret = s->early_secret;
|
---|
509 | label = client_early_traffic;
|
---|
510 | labellen = sizeof(client_early_traffic) - 1;
|
---|
511 | log_label = CLIENT_EARLY_LABEL;
|
---|
512 |
|
---|
513 | handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
|
---|
514 | if (handlen <= 0) {
|
---|
515 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
516 | SSL_F_TLS13_CHANGE_CIPHER_STATE,
|
---|
517 | SSL_R_BAD_HANDSHAKE_LENGTH);
|
---|
518 | goto err;
|
---|
519 | }
|
---|
520 |
|
---|
521 | if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
|
---|
522 | && s->max_early_data > 0
|
---|
523 | && s->session->ext.max_early_data == 0) {
|
---|
524 | /*
|
---|
525 | * If we are attempting to send early data, and we've decided to
|
---|
526 | * actually do it but max_early_data in s->session is 0 then we
|
---|
527 | * must be using an external PSK.
|
---|
528 | */
|
---|
529 | if (!ossl_assert(s->psksession != NULL
|
---|
530 | && s->max_early_data ==
|
---|
531 | s->psksession->ext.max_early_data)) {
|
---|
532 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
533 | SSL_F_TLS13_CHANGE_CIPHER_STATE,
|
---|
534 | ERR_R_INTERNAL_ERROR);
|
---|
535 | goto err;
|
---|
536 | }
|
---|
537 | sslcipher = SSL_SESSION_get0_cipher(s->psksession);
|
---|
538 | }
|
---|
539 | if (sslcipher == NULL) {
|
---|
540 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
541 | SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK);
|
---|
542 | goto err;
|
---|
543 | }
|
---|
544 |
|
---|
545 | /*
|
---|
546 | * We need to calculate the handshake digest using the digest from
|
---|
547 | * the session. We haven't yet selected our ciphersuite so we can't
|
---|
548 | * use ssl_handshake_md().
|
---|
549 | */
|
---|
550 | mdctx = EVP_MD_CTX_new();
|
---|
551 | if (mdctx == NULL) {
|
---|
552 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
553 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
|
---|
554 | goto err;
|
---|
555 | }
|
---|
556 | cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher));
|
---|
557 | md = ssl_md(sslcipher->algorithm2);
|
---|
558 | if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)
|
---|
559 | || !EVP_DigestUpdate(mdctx, hdata, handlen)
|
---|
560 | || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) {
|
---|
561 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
562 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
563 | EVP_MD_CTX_free(mdctx);
|
---|
564 | goto err;
|
---|
565 | }
|
---|
566 | hashlen = hashlenui;
|
---|
567 | EVP_MD_CTX_free(mdctx);
|
---|
568 |
|
---|
569 | if (!tls13_hkdf_expand(s, md, insecret,
|
---|
570 | early_exporter_master_secret,
|
---|
571 | sizeof(early_exporter_master_secret) - 1,
|
---|
572 | hashval, hashlen,
|
---|
573 | s->early_exporter_master_secret, hashlen,
|
---|
574 | 1)) {
|
---|
575 | SSLfatal(s, SSL_AD_INTERNAL_ERROR,
|
---|
576 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
577 | goto err;
|
---|
578 | }
|
---|
579 |
|
---|
580 | if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL,
|
---|
581 | s->early_exporter_master_secret, hashlen)) {
|
---|
582 | /* SSLfatal() already called */
|
---|
583 | goto err;
|
---|
584 | }
|
---|
585 | } else if (which & SSL3_CC_HANDSHAKE) {
|
---|
586 | insecret = s->handshake_secret;
|
---|
587 | finsecret = s->client_finished_secret;
|
---|
588 | finsecretlen = EVP_MD_size(ssl_handshake_md(s));
|
---|
589 | label = client_handshake_traffic;
|
---|
590 | labellen = sizeof(client_handshake_traffic) - 1;
|
---|
591 | log_label = CLIENT_HANDSHAKE_LABEL;
|
---|
592 | /*
|
---|
593 | * The handshake hash used for the server read/client write handshake
|
---|
594 | * traffic secret is the same as the hash for the server
|
---|
595 | * write/client read handshake traffic secret. However, if we
|
---|
596 | * processed early data then we delay changing the server
|
---|
597 | * read/client write cipher state until later, and the handshake
|
---|
598 | * hashes have moved on. Therefore we use the value saved earlier
|
---|
599 | * when we did the server write/client read change cipher state.
|
---|
600 | */
|
---|
601 | hash = s->handshake_traffic_hash;
|
---|
602 | } else {
|
---|
603 | insecret = s->master_secret;
|
---|
604 | label = client_application_traffic;
|
---|
605 | labellen = sizeof(client_application_traffic) - 1;
|
---|
606 | log_label = CLIENT_APPLICATION_LABEL;
|
---|
607 | /*
|
---|
608 | * For this we only use the handshake hashes up until the server
|
---|
609 | * Finished hash. We do not include the client's Finished, which is
|
---|
610 | * what ssl_handshake_hash() would give us. Instead we use the
|
---|
611 | * previously saved value.
|
---|
612 | */
|
---|
613 | hash = s->server_finished_hash;
|
---|
614 | }
|
---|
615 | } else {
|
---|
616 | /* Early data never applies to client-read/server-write */
|
---|
617 | if (which & SSL3_CC_HANDSHAKE) {
|
---|
618 | insecret = s->handshake_secret;
|
---|
619 | finsecret = s->server_finished_secret;
|
---|
620 | finsecretlen = EVP_MD_size(ssl_handshake_md(s));
|
---|
621 | label = server_handshake_traffic;
|
---|
622 | labellen = sizeof(server_handshake_traffic) - 1;
|
---|
623 | log_label = SERVER_HANDSHAKE_LABEL;
|
---|
624 | } else {
|
---|
625 | insecret = s->master_secret;
|
---|
626 | label = server_application_traffic;
|
---|
627 | labellen = sizeof(server_application_traffic) - 1;
|
---|
628 | log_label = SERVER_APPLICATION_LABEL;
|
---|
629 | }
|
---|
630 | }
|
---|
631 |
|
---|
632 | if (!(which & SSL3_CC_EARLY)) {
|
---|
633 | md = ssl_handshake_md(s);
|
---|
634 | cipher = s->s3->tmp.new_sym_enc;
|
---|
635 | if (!ssl3_digest_cached_records(s, 1)
|
---|
636 | || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {
|
---|
637 | /* SSLfatal() already called */;
|
---|
638 | goto err;
|
---|
639 | }
|
---|
640 | }
|
---|
641 |
|
---|
642 | /*
|
---|
643 | * Save the hash of handshakes up to now for use when we calculate the
|
---|
644 | * client application traffic secret
|
---|
645 | */
|
---|
646 | if (label == server_application_traffic)
|
---|
647 | memcpy(s->server_finished_hash, hashval, hashlen);
|
---|
648 |
|
---|
649 | if (label == server_handshake_traffic)
|
---|
650 | memcpy(s->handshake_traffic_hash, hashval, hashlen);
|
---|
651 |
|
---|
652 | if (label == client_application_traffic) {
|
---|
653 | /*
|
---|
654 | * We also create the resumption master secret, but this time use the
|
---|
655 | * hash for the whole handshake including the Client Finished
|
---|
656 | */
|
---|
657 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
|
---|
658 | resumption_master_secret,
|
---|
659 | sizeof(resumption_master_secret) - 1,
|
---|
660 | hashval, hashlen, s->resumption_master_secret,
|
---|
661 | hashlen, 1)) {
|
---|
662 | /* SSLfatal() already called */
|
---|
663 | goto err;
|
---|
664 | }
|
---|
665 | }
|
---|
666 |
|
---|
667 | if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,
|
---|
668 | insecret, hash, label, labellen, secret, iv,
|
---|
669 | ciph_ctx)) {
|
---|
670 | /* SSLfatal() already called */
|
---|
671 | goto err;
|
---|
672 | }
|
---|
673 |
|
---|
674 | if (label == server_application_traffic) {
|
---|
675 | memcpy(s->server_app_traffic_secret, secret, hashlen);
|
---|
676 | /* Now we create the exporter master secret */
|
---|
677 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
|
---|
678 | exporter_master_secret,
|
---|
679 | sizeof(exporter_master_secret) - 1,
|
---|
680 | hash, hashlen, s->exporter_master_secret,
|
---|
681 | hashlen, 1)) {
|
---|
682 | /* SSLfatal() already called */
|
---|
683 | goto err;
|
---|
684 | }
|
---|
685 |
|
---|
686 | if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret,
|
---|
687 | hashlen)) {
|
---|
688 | /* SSLfatal() already called */
|
---|
689 | goto err;
|
---|
690 | }
|
---|
691 | } else if (label == client_application_traffic)
|
---|
692 | memcpy(s->client_app_traffic_secret, secret, hashlen);
|
---|
693 |
|
---|
694 | if (!ssl_log_secret(s, log_label, secret, hashlen)) {
|
---|
695 | /* SSLfatal() already called */
|
---|
696 | goto err;
|
---|
697 | }
|
---|
698 |
|
---|
699 | if (finsecret != NULL
|
---|
700 | && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret,
|
---|
701 | finsecret, finsecretlen)) {
|
---|
702 | /* SSLfatal() already called */
|
---|
703 | goto err;
|
---|
704 | }
|
---|
705 |
|
---|
706 | if (!s->server && label == client_early_traffic)
|
---|
707 | s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS;
|
---|
708 | else
|
---|
709 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
|
---|
710 | ret = 1;
|
---|
711 | err:
|
---|
712 | OPENSSL_cleanse(secret, sizeof(secret));
|
---|
713 | return ret;
|
---|
714 | }
|
---|
715 |
|
---|
716 | int tls13_update_key(SSL *s, int sending)
|
---|
717 | {
|
---|
718 | #ifdef CHARSET_EBCDIC
|
---|
719 | static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00};
|
---|
720 | #else
|
---|
721 | static const unsigned char application_traffic[] = "traffic upd";
|
---|
722 | #endif
|
---|
723 | const EVP_MD *md = ssl_handshake_md(s);
|
---|
724 | size_t hashlen = EVP_MD_size(md);
|
---|
725 | unsigned char *insecret, *iv;
|
---|
726 | unsigned char secret[EVP_MAX_MD_SIZE];
|
---|
727 | EVP_CIPHER_CTX *ciph_ctx;
|
---|
728 | int ret = 0;
|
---|
729 |
|
---|
730 | if (s->server == sending)
|
---|
731 | insecret = s->server_app_traffic_secret;
|
---|
732 | else
|
---|
733 | insecret = s->client_app_traffic_secret;
|
---|
734 |
|
---|
735 | if (sending) {
|
---|
736 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
|
---|
737 | iv = s->write_iv;
|
---|
738 | ciph_ctx = s->enc_write_ctx;
|
---|
739 | RECORD_LAYER_reset_write_sequence(&s->rlayer);
|
---|
740 | } else {
|
---|
741 | iv = s->read_iv;
|
---|
742 | ciph_ctx = s->enc_read_ctx;
|
---|
743 | RECORD_LAYER_reset_read_sequence(&s->rlayer);
|
---|
744 | }
|
---|
745 |
|
---|
746 | if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s),
|
---|
747 | s->s3->tmp.new_sym_enc, insecret, NULL,
|
---|
748 | application_traffic,
|
---|
749 | sizeof(application_traffic) - 1, secret, iv,
|
---|
750 | ciph_ctx)) {
|
---|
751 | /* SSLfatal() already called */
|
---|
752 | goto err;
|
---|
753 | }
|
---|
754 |
|
---|
755 | memcpy(insecret, secret, hashlen);
|
---|
756 |
|
---|
757 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
|
---|
758 | ret = 1;
|
---|
759 | err:
|
---|
760 | OPENSSL_cleanse(secret, sizeof(secret));
|
---|
761 | return ret;
|
---|
762 | }
|
---|
763 |
|
---|
764 | int tls13_alert_code(int code)
|
---|
765 | {
|
---|
766 | /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */
|
---|
767 | if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED)
|
---|
768 | return code;
|
---|
769 |
|
---|
770 | return tls1_alert_code(code);
|
---|
771 | }
|
---|
772 |
|
---|
773 | int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
|
---|
774 | const char *label, size_t llen,
|
---|
775 | const unsigned char *context,
|
---|
776 | size_t contextlen, int use_context)
|
---|
777 | {
|
---|
778 | unsigned char exportsecret[EVP_MAX_MD_SIZE];
|
---|
779 | #ifdef CHARSET_EBCDIC
|
---|
780 | static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
|
---|
781 | #else
|
---|
782 | static const unsigned char exporterlabel[] = "exporter";
|
---|
783 | #endif
|
---|
784 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
|
---|
785 | const EVP_MD *md = ssl_handshake_md(s);
|
---|
786 | EVP_MD_CTX *ctx = EVP_MD_CTX_new();
|
---|
787 | unsigned int hashsize, datalen;
|
---|
788 | int ret = 0;
|
---|
789 |
|
---|
790 | if (ctx == NULL || !ossl_statem_export_allowed(s))
|
---|
791 | goto err;
|
---|
792 |
|
---|
793 | if (!use_context)
|
---|
794 | contextlen = 0;
|
---|
795 |
|
---|
796 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
|
---|
797 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0
|
---|
798 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
|
---|
799 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0
|
---|
800 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
|
---|
801 | || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
|
---|
802 | (const unsigned char *)label, llen,
|
---|
803 | data, datalen, exportsecret, hashsize, 0)
|
---|
804 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
|
---|
805 | sizeof(exporterlabel) - 1, hash, hashsize,
|
---|
806 | out, olen, 0))
|
---|
807 | goto err;
|
---|
808 |
|
---|
809 | ret = 1;
|
---|
810 | err:
|
---|
811 | EVP_MD_CTX_free(ctx);
|
---|
812 | return ret;
|
---|
813 | }
|
---|
814 |
|
---|
815 | int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
|
---|
816 | const char *label, size_t llen,
|
---|
817 | const unsigned char *context,
|
---|
818 | size_t contextlen)
|
---|
819 | {
|
---|
820 | #ifdef CHARSET_EBCDIC
|
---|
821 | static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
|
---|
822 | #else
|
---|
823 | static const unsigned char exporterlabel[] = "exporter";
|
---|
824 | #endif
|
---|
825 | unsigned char exportsecret[EVP_MAX_MD_SIZE];
|
---|
826 | unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
|
---|
827 | const EVP_MD *md;
|
---|
828 | EVP_MD_CTX *ctx = EVP_MD_CTX_new();
|
---|
829 | unsigned int hashsize, datalen;
|
---|
830 | int ret = 0;
|
---|
831 | const SSL_CIPHER *sslcipher;
|
---|
832 |
|
---|
833 | if (ctx == NULL || !ossl_statem_export_early_allowed(s))
|
---|
834 | goto err;
|
---|
835 |
|
---|
836 | if (!s->server && s->max_early_data > 0
|
---|
837 | && s->session->ext.max_early_data == 0)
|
---|
838 | sslcipher = SSL_SESSION_get0_cipher(s->psksession);
|
---|
839 | else
|
---|
840 | sslcipher = SSL_SESSION_get0_cipher(s->session);
|
---|
841 |
|
---|
842 | md = ssl_md(sslcipher->algorithm2);
|
---|
843 |
|
---|
844 | /*
|
---|
845 | * Calculate the hash value and store it in |data|. The reason why
|
---|
846 | * the empty string is used is that the definition of TLS-Exporter
|
---|
847 | * is like so:
|
---|
848 | *
|
---|
849 | * TLS-Exporter(label, context_value, key_length) =
|
---|
850 | * HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
|
---|
851 | * "exporter", Hash(context_value), key_length)
|
---|
852 | *
|
---|
853 | * Derive-Secret(Secret, Label, Messages) =
|
---|
854 | * HKDF-Expand-Label(Secret, Label,
|
---|
855 | * Transcript-Hash(Messages), Hash.length)
|
---|
856 | *
|
---|
857 | * Here Transcript-Hash is the cipher suite hash algorithm.
|
---|
858 | */
|
---|
859 | if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
|
---|
860 | || EVP_DigestUpdate(ctx, context, contextlen) <= 0
|
---|
861 | || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
|
---|
862 | || EVP_DigestInit_ex(ctx, md, NULL) <= 0
|
---|
863 | || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
|
---|
864 | || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
|
---|
865 | (const unsigned char *)label, llen,
|
---|
866 | data, datalen, exportsecret, hashsize, 0)
|
---|
867 | || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
|
---|
868 | sizeof(exporterlabel) - 1, hash, hashsize,
|
---|
869 | out, olen, 0))
|
---|
870 | goto err;
|
---|
871 |
|
---|
872 | ret = 1;
|
---|
873 | err:
|
---|
874 | EVP_MD_CTX_free(ctx);
|
---|
875 | return ret;
|
---|
876 | }
|
---|