tls13_enc.c 28 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766
  1. /*
  2. * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include "ssl_locl.h"
  11. #include "internal/cryptlib.h"
  12. #include <openssl/evp.h>
  13. #include <openssl/kdf.h>
  14. #define TLS13_MAX_LABEL_LEN 246
  15. /* Always filled with zeros */
  16. static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
  17. /*
  18. * Given a |secret|; a |label| of length |labellen|; and |data| of length
  19. * |datalen| (e.g. typically a hash of the handshake messages), derive a new
  20. * secret |outlen| bytes long and store it in the location pointed to be |out|.
  21. * The |data| value may be zero length. Returns 1 on success 0 on failure.
  22. */
  23. int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
  24. const unsigned char *label, size_t labellen,
  25. const unsigned char *data, size_t datalen,
  26. unsigned char *out, size_t outlen)
  27. {
  28. const unsigned char label_prefix[] = "tls13 ";
  29. EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
  30. int ret;
  31. size_t hkdflabellen;
  32. size_t hashlen;
  33. /*
  34. * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
  35. * prefix and label + bytes for the label itself + bytes for the hash
  36. */
  37. unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
  38. + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
  39. + EVP_MAX_MD_SIZE];
  40. WPACKET pkt;
  41. if (pctx == NULL)
  42. return 0;
  43. hashlen = EVP_MD_size(md);
  44. if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
  45. || !WPACKET_put_bytes_u16(&pkt, outlen)
  46. || !WPACKET_start_sub_packet_u8(&pkt)
  47. || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1)
  48. || !WPACKET_memcpy(&pkt, label, labellen)
  49. || !WPACKET_close(&pkt)
  50. || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
  51. || !WPACKET_get_total_written(&pkt, &hkdflabellen)
  52. || !WPACKET_finish(&pkt)) {
  53. EVP_PKEY_CTX_free(pctx);
  54. WPACKET_cleanup(&pkt);
  55. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
  56. ERR_R_INTERNAL_ERROR);
  57. return 0;
  58. }
  59. ret = EVP_PKEY_derive_init(pctx) <= 0
  60. || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)
  61. <= 0
  62. || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0
  63. || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0
  64. || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0
  65. || EVP_PKEY_derive(pctx, out, &outlen) <= 0;
  66. EVP_PKEY_CTX_free(pctx);
  67. if (ret != 0)
  68. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
  69. ERR_R_INTERNAL_ERROR);
  70. return ret == 0;
  71. }
  72. /*
  73. * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on
  74. * success 0 on failure.
  75. */
  76. int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
  77. unsigned char *key, size_t keylen)
  78. {
  79. static const unsigned char keylabel[] = "key";
  80. return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
  81. NULL, 0, key, keylen);
  82. }
  83. /*
  84. * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on
  85. * success 0 on failure.
  86. */
  87. int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
  88. unsigned char *iv, size_t ivlen)
  89. {
  90. static const unsigned char ivlabel[] = "iv";
  91. return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
  92. NULL, 0, iv, ivlen);
  93. }
  94. int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
  95. const unsigned char *secret,
  96. unsigned char *fin, size_t finlen)
  97. {
  98. static const unsigned char finishedlabel[] = "finished";
  99. return tls13_hkdf_expand(s, md, secret, finishedlabel,
  100. sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
  101. }
  102. /*
  103. * Given the previous secret |prevsecret| and a new input secret |insecret| of
  104. * length |insecretlen|, generate a new secret and store it in the location
  105. * pointed to by |outsecret|. Returns 1 on success 0 on failure.
  106. */
  107. int tls13_generate_secret(SSL *s, const EVP_MD *md,
  108. const unsigned char *prevsecret,
  109. const unsigned char *insecret,
  110. size_t insecretlen,
  111. unsigned char *outsecret)
  112. {
  113. size_t mdlen, prevsecretlen;
  114. int ret;
  115. EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
  116. static const char derived_secret_label[] = "derived";
  117. unsigned char preextractsec[EVP_MAX_MD_SIZE];
  118. if (pctx == NULL) {
  119. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
  120. ERR_R_INTERNAL_ERROR);
  121. return 0;
  122. }
  123. mdlen = EVP_MD_size(md);
  124. if (insecret == NULL) {
  125. insecret = default_zeros;
  126. insecretlen = mdlen;
  127. }
  128. if (prevsecret == NULL) {
  129. prevsecret = default_zeros;
  130. prevsecretlen = 0;
  131. } else {
  132. EVP_MD_CTX *mctx = EVP_MD_CTX_new();
  133. unsigned char hash[EVP_MAX_MD_SIZE];
  134. /* The pre-extract derive step uses a hash of no messages */
  135. if (mctx == NULL
  136. || EVP_DigestInit_ex(mctx, md, NULL) <= 0
  137. || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
  138. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
  139. ERR_R_INTERNAL_ERROR);
  140. EVP_MD_CTX_free(mctx);
  141. EVP_PKEY_CTX_free(pctx);
  142. return 0;
  143. }
  144. EVP_MD_CTX_free(mctx);
  145. /* Generate the pre-extract secret */
  146. if (!tls13_hkdf_expand(s, md, prevsecret,
  147. (unsigned char *)derived_secret_label,
  148. sizeof(derived_secret_label) - 1, hash, mdlen,
  149. preextractsec, mdlen)) {
  150. /* SSLfatal() already called */
  151. EVP_PKEY_CTX_free(pctx);
  152. return 0;
  153. }
  154. prevsecret = preextractsec;
  155. prevsecretlen = mdlen;
  156. }
  157. ret = EVP_PKEY_derive_init(pctx) <= 0
  158. || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)
  159. <= 0
  160. || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0
  161. || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0
  162. || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen)
  163. <= 0
  164. || EVP_PKEY_derive(pctx, outsecret, &mdlen)
  165. <= 0;
  166. if (ret != 0)
  167. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
  168. ERR_R_INTERNAL_ERROR);
  169. EVP_PKEY_CTX_free(pctx);
  170. if (prevsecret == preextractsec)
  171. OPENSSL_cleanse(preextractsec, mdlen);
  172. return ret == 0;
  173. }
  174. /*
  175. * Given an input secret |insecret| of length |insecretlen| generate the
  176. * handshake secret. This requires the early secret to already have been
  177. * generated. Returns 1 on success 0 on failure.
  178. */
  179. int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret,
  180. size_t insecretlen)
  181. {
  182. /* Calls SSLfatal() if required */
  183. return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret,
  184. insecret, insecretlen,
  185. (unsigned char *)&s->handshake_secret);
  186. }
  187. /*
  188. * Given the handshake secret |prev| of length |prevlen| generate the master
  189. * secret and store its length in |*secret_size|. Returns 1 on success 0 on
  190. * failure.
  191. */
  192. int tls13_generate_master_secret(SSL *s, unsigned char *out,
  193. unsigned char *prev, size_t prevlen,
  194. size_t *secret_size)
  195. {
  196. const EVP_MD *md = ssl_handshake_md(s);
  197. *secret_size = EVP_MD_size(md);
  198. /* Calls SSLfatal() if required */
  199. return tls13_generate_secret(s, md, prev, NULL, 0, out);
  200. }
  201. /*
  202. * Generates the mac for the Finished message. Returns the length of the MAC or
  203. * 0 on error.
  204. */
  205. size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
  206. unsigned char *out)
  207. {
  208. const EVP_MD *md = ssl_handshake_md(s);
  209. unsigned char hash[EVP_MAX_MD_SIZE];
  210. size_t hashlen, ret = 0;
  211. EVP_PKEY *key = NULL;
  212. EVP_MD_CTX *ctx = EVP_MD_CTX_new();
  213. if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
  214. /* SSLfatal() already called */
  215. goto err;
  216. }
  217. if (str == s->method->ssl3_enc->server_finished_label)
  218. key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
  219. s->server_finished_secret, hashlen);
  220. else
  221. key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
  222. s->client_finished_secret, hashlen);
  223. if (key == NULL
  224. || ctx == NULL
  225. || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0
  226. || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0
  227. || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) {
  228. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC,
  229. ERR_R_INTERNAL_ERROR);
  230. goto err;
  231. }
  232. ret = hashlen;
  233. err:
  234. EVP_PKEY_free(key);
  235. EVP_MD_CTX_free(ctx);
  236. return ret;
  237. }
  238. /*
  239. * There isn't really a key block in TLSv1.3, but we still need this function
  240. * for initialising the cipher and hash. Returns 1 on success or 0 on failure.
  241. */
  242. int tls13_setup_key_block(SSL *s)
  243. {
  244. const EVP_CIPHER *c;
  245. const EVP_MD *hash;
  246. int mac_type = NID_undef;
  247. s->session->cipher = s->s3->tmp.new_cipher;
  248. if (!ssl_cipher_get_evp
  249. (s->session, &c, &hash, &mac_type, NULL, NULL, 0)) {
  250. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
  251. SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
  252. return 0;
  253. }
  254. s->s3->tmp.new_sym_enc = c;
  255. s->s3->tmp.new_hash = hash;
  256. return 1;
  257. }
  258. static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
  259. const EVP_CIPHER *ciph,
  260. const unsigned char *insecret,
  261. const unsigned char *hash,
  262. const unsigned char *label,
  263. size_t labellen, unsigned char *secret,
  264. unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx)
  265. {
  266. unsigned char key[EVP_MAX_KEY_LENGTH];
  267. size_t ivlen, keylen, taglen;
  268. size_t hashlen = EVP_MD_size(md);
  269. if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
  270. secret, hashlen)) {
  271. /* SSLfatal() already called */
  272. goto err;
  273. }
  274. /* TODO(size_t): convert me */
  275. keylen = EVP_CIPHER_key_length(ciph);
  276. if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) {
  277. uint32_t algenc;
  278. ivlen = EVP_CCM_TLS_IV_LEN;
  279. if (s->s3->tmp.new_cipher == NULL) {
  280. /* We've not selected a cipher yet - we must be doing early data */
  281. algenc = s->session->cipher->algorithm_enc;
  282. } else {
  283. algenc = s->s3->tmp.new_cipher->algorithm_enc;
  284. }
  285. if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
  286. taglen = EVP_CCM8_TLS_TAG_LEN;
  287. else
  288. taglen = EVP_CCM_TLS_TAG_LEN;
  289. } else {
  290. ivlen = EVP_CIPHER_iv_length(ciph);
  291. taglen = 0;
  292. }
  293. if (!tls13_derive_key(s, md, secret, key, keylen)
  294. || !tls13_derive_iv(s, md, secret, iv, ivlen)) {
  295. /* SSLfatal() already called */
  296. goto err;
  297. }
  298. if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0
  299. || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
  300. || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
  301. taglen, NULL))
  302. || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {
  303. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
  304. ERR_R_EVP_LIB);
  305. goto err;
  306. }
  307. return 1;
  308. err:
  309. OPENSSL_cleanse(key, sizeof(key));
  310. return 0;
  311. }
  312. int tls13_change_cipher_state(SSL *s, int which)
  313. {
  314. static const unsigned char client_early_traffic[] = "c e traffic";
  315. static const unsigned char client_handshake_traffic[] = "c hs traffic";
  316. static const unsigned char client_application_traffic[] = "c ap traffic";
  317. static const unsigned char server_handshake_traffic[] = "s hs traffic";
  318. static const unsigned char server_application_traffic[] = "s ap traffic";
  319. static const unsigned char exporter_master_secret[] = "exp master";
  320. static const unsigned char resumption_master_secret[] = "res master";
  321. static const unsigned char early_exporter_master_secret[] = "e exp master";
  322. unsigned char *iv;
  323. unsigned char secret[EVP_MAX_MD_SIZE];
  324. unsigned char hashval[EVP_MAX_MD_SIZE];
  325. unsigned char *hash = hashval;
  326. unsigned char *insecret;
  327. unsigned char *finsecret = NULL;
  328. const char *log_label = NULL;
  329. EVP_CIPHER_CTX *ciph_ctx;
  330. size_t finsecretlen = 0;
  331. const unsigned char *label;
  332. size_t labellen, hashlen = 0;
  333. int ret = 0;
  334. const EVP_MD *md = NULL;
  335. const EVP_CIPHER *cipher = NULL;
  336. if (which & SSL3_CC_READ) {
  337. if (s->enc_read_ctx != NULL) {
  338. EVP_CIPHER_CTX_reset(s->enc_read_ctx);
  339. } else {
  340. s->enc_read_ctx = EVP_CIPHER_CTX_new();
  341. if (s->enc_read_ctx == NULL) {
  342. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  343. SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
  344. goto err;
  345. }
  346. }
  347. ciph_ctx = s->enc_read_ctx;
  348. iv = s->read_iv;
  349. RECORD_LAYER_reset_read_sequence(&s->rlayer);
  350. } else {
  351. s->statem.invalid_enc_write_ctx = 1;
  352. if (s->enc_write_ctx != NULL) {
  353. EVP_CIPHER_CTX_reset(s->enc_write_ctx);
  354. } else {
  355. s->enc_write_ctx = EVP_CIPHER_CTX_new();
  356. if (s->enc_write_ctx == NULL) {
  357. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  358. SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
  359. goto err;
  360. }
  361. }
  362. ciph_ctx = s->enc_write_ctx;
  363. iv = s->write_iv;
  364. RECORD_LAYER_reset_write_sequence(&s->rlayer);
  365. }
  366. if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
  367. || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
  368. if (which & SSL3_CC_EARLY) {
  369. EVP_MD_CTX *mdctx = NULL;
  370. long handlen;
  371. void *hdata;
  372. unsigned int hashlenui;
  373. const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session);
  374. insecret = s->early_secret;
  375. label = client_early_traffic;
  376. labellen = sizeof(client_early_traffic) - 1;
  377. log_label = CLIENT_EARLY_LABEL;
  378. handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
  379. if (handlen <= 0) {
  380. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  381. SSL_F_TLS13_CHANGE_CIPHER_STATE,
  382. SSL_R_BAD_HANDSHAKE_LENGTH);
  383. goto err;
  384. }
  385. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
  386. && s->max_early_data > 0
  387. && s->session->ext.max_early_data == 0) {
  388. /*
  389. * If we are attempting to send early data, and we've decided to
  390. * actually do it but max_early_data in s->session is 0 then we
  391. * must be using an external PSK.
  392. */
  393. if (!ossl_assert(s->psksession != NULL
  394. && s->max_early_data ==
  395. s->psksession->ext.max_early_data)) {
  396. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  397. SSL_F_TLS13_CHANGE_CIPHER_STATE,
  398. ERR_R_INTERNAL_ERROR);
  399. goto err;
  400. }
  401. sslcipher = SSL_SESSION_get0_cipher(s->psksession);
  402. }
  403. if (sslcipher == NULL) {
  404. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  405. SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK);
  406. goto err;
  407. }
  408. /*
  409. * We need to calculate the handshake digest using the digest from
  410. * the session. We haven't yet selected our ciphersuite so we can't
  411. * use ssl_handshake_md().
  412. */
  413. mdctx = EVP_MD_CTX_new();
  414. if (mdctx == NULL) {
  415. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  416. SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
  417. goto err;
  418. }
  419. cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher));
  420. md = ssl_md(sslcipher->algorithm2);
  421. if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)
  422. || !EVP_DigestUpdate(mdctx, hdata, handlen)
  423. || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) {
  424. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  425. SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
  426. EVP_MD_CTX_free(mdctx);
  427. goto err;
  428. }
  429. hashlen = hashlenui;
  430. EVP_MD_CTX_free(mdctx);
  431. if (!tls13_hkdf_expand(s, md, insecret,
  432. early_exporter_master_secret,
  433. sizeof(early_exporter_master_secret) - 1,
  434. hashval, hashlen,
  435. s->early_exporter_master_secret, hashlen)) {
  436. SSLfatal(s, SSL_AD_INTERNAL_ERROR,
  437. SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
  438. goto err;
  439. }
  440. } else if (which & SSL3_CC_HANDSHAKE) {
  441. insecret = s->handshake_secret;
  442. finsecret = s->client_finished_secret;
  443. finsecretlen = EVP_MD_size(ssl_handshake_md(s));
  444. label = client_handshake_traffic;
  445. labellen = sizeof(client_handshake_traffic) - 1;
  446. log_label = CLIENT_HANDSHAKE_LABEL;
  447. /*
  448. * The handshake hash used for the server read/client write handshake
  449. * traffic secret is the same as the hash for the server
  450. * write/client read handshake traffic secret. However, if we
  451. * processed early data then we delay changing the server
  452. * read/client write cipher state until later, and the handshake
  453. * hashes have moved on. Therefore we use the value saved earlier
  454. * when we did the server write/client read change cipher state.
  455. */
  456. hash = s->handshake_traffic_hash;
  457. } else {
  458. insecret = s->master_secret;
  459. label = client_application_traffic;
  460. labellen = sizeof(client_application_traffic) - 1;
  461. log_label = CLIENT_APPLICATION_LABEL;
  462. /*
  463. * For this we only use the handshake hashes up until the server
  464. * Finished hash. We do not include the client's Finished, which is
  465. * what ssl_handshake_hash() would give us. Instead we use the
  466. * previously saved value.
  467. */
  468. hash = s->server_finished_hash;
  469. }
  470. } else {
  471. /* Early data never applies to client-read/server-write */
  472. if (which & SSL3_CC_HANDSHAKE) {
  473. insecret = s->handshake_secret;
  474. finsecret = s->server_finished_secret;
  475. finsecretlen = EVP_MD_size(ssl_handshake_md(s));
  476. label = server_handshake_traffic;
  477. labellen = sizeof(server_handshake_traffic) - 1;
  478. log_label = SERVER_HANDSHAKE_LABEL;
  479. } else {
  480. insecret = s->master_secret;
  481. label = server_application_traffic;
  482. labellen = sizeof(server_application_traffic) - 1;
  483. log_label = SERVER_APPLICATION_LABEL;
  484. }
  485. }
  486. if (!(which & SSL3_CC_EARLY)) {
  487. md = ssl_handshake_md(s);
  488. cipher = s->s3->tmp.new_sym_enc;
  489. if (!ssl3_digest_cached_records(s, 1)
  490. || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {
  491. /* SSLfatal() already called */;
  492. goto err;
  493. }
  494. }
  495. /*
  496. * Save the hash of handshakes up to now for use when we calculate the
  497. * client application traffic secret
  498. */
  499. if (label == server_application_traffic)
  500. memcpy(s->server_finished_hash, hashval, hashlen);
  501. if (label == server_handshake_traffic)
  502. memcpy(s->handshake_traffic_hash, hashval, hashlen);
  503. if (label == client_application_traffic) {
  504. /*
  505. * We also create the resumption master secret, but this time use the
  506. * hash for the whole handshake including the Client Finished
  507. */
  508. if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
  509. resumption_master_secret,
  510. sizeof(resumption_master_secret) - 1,
  511. hashval, hashlen, s->session->master_key,
  512. hashlen)) {
  513. /* SSLfatal() already called */
  514. goto err;
  515. }
  516. s->session->master_key_length = hashlen;
  517. }
  518. if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,
  519. insecret, hash, label, labellen, secret, iv,
  520. ciph_ctx)) {
  521. /* SSLfatal() already called */
  522. goto err;
  523. }
  524. if (label == server_application_traffic) {
  525. memcpy(s->server_app_traffic_secret, secret, hashlen);
  526. /* Now we create the exporter master secret */
  527. if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
  528. exporter_master_secret,
  529. sizeof(exporter_master_secret) - 1,
  530. hash, hashlen, s->exporter_master_secret,
  531. hashlen)) {
  532. /* SSLfatal() already called */
  533. goto err;
  534. }
  535. } else if (label == client_application_traffic)
  536. memcpy(s->client_app_traffic_secret, secret, hashlen);
  537. if (!ssl_log_secret(s, log_label, secret, hashlen)) {
  538. /* SSLfatal() already called */
  539. goto err;
  540. }
  541. if (finsecret != NULL
  542. && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret,
  543. finsecret, finsecretlen)) {
  544. /* SSLfatal() already called */
  545. goto err;
  546. }
  547. s->statem.invalid_enc_write_ctx = 0;
  548. ret = 1;
  549. err:
  550. OPENSSL_cleanse(secret, sizeof(secret));
  551. return ret;
  552. }
  553. int tls13_update_key(SSL *s, int sending)
  554. {
  555. static const unsigned char application_traffic[] = "traffic upd";
  556. const EVP_MD *md = ssl_handshake_md(s);
  557. size_t hashlen = EVP_MD_size(md);
  558. unsigned char *insecret, *iv;
  559. unsigned char secret[EVP_MAX_MD_SIZE];
  560. EVP_CIPHER_CTX *ciph_ctx;
  561. int ret = 0;
  562. if (s->server == sending)
  563. insecret = s->server_app_traffic_secret;
  564. else
  565. insecret = s->client_app_traffic_secret;
  566. if (sending) {
  567. s->statem.invalid_enc_write_ctx = 1;
  568. iv = s->write_iv;
  569. ciph_ctx = s->enc_write_ctx;
  570. RECORD_LAYER_reset_write_sequence(&s->rlayer);
  571. } else {
  572. iv = s->read_iv;
  573. ciph_ctx = s->enc_read_ctx;
  574. RECORD_LAYER_reset_read_sequence(&s->rlayer);
  575. }
  576. if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s),
  577. s->s3->tmp.new_sym_enc, insecret, NULL,
  578. application_traffic,
  579. sizeof(application_traffic) - 1, secret, iv,
  580. ciph_ctx)) {
  581. /* SSLfatal() already called */
  582. goto err;
  583. }
  584. memcpy(insecret, secret, hashlen);
  585. s->statem.invalid_enc_write_ctx = 0;
  586. ret = 1;
  587. err:
  588. OPENSSL_cleanse(secret, sizeof(secret));
  589. return ret;
  590. }
  591. int tls13_alert_code(int code)
  592. {
  593. if (code == SSL_AD_MISSING_EXTENSION)
  594. return code;
  595. return tls1_alert_code(code);
  596. }
  597. int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
  598. const char *label, size_t llen,
  599. const unsigned char *context,
  600. size_t contextlen, int use_context)
  601. {
  602. unsigned char exportsecret[EVP_MAX_MD_SIZE];
  603. static const unsigned char exporterlabel[] = "exporter";
  604. unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
  605. const EVP_MD *md = ssl_handshake_md(s);
  606. EVP_MD_CTX *ctx = EVP_MD_CTX_new();
  607. unsigned int hashsize, datalen;
  608. int ret = 0;
  609. if (ctx == NULL || !ossl_statem_export_allowed(s))
  610. goto err;
  611. if (!use_context)
  612. contextlen = 0;
  613. if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
  614. || EVP_DigestUpdate(ctx, context, contextlen) <= 0
  615. || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
  616. || EVP_DigestInit_ex(ctx, md, NULL) <= 0
  617. || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
  618. || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
  619. (const unsigned char *)label, llen,
  620. data, datalen, exportsecret, hashsize)
  621. || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
  622. sizeof(exporterlabel) - 1, hash, hashsize,
  623. out, olen))
  624. goto err;
  625. ret = 1;
  626. err:
  627. EVP_MD_CTX_free(ctx);
  628. return ret;
  629. }
  630. int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
  631. const char *label, size_t llen,
  632. const unsigned char *context,
  633. size_t contextlen)
  634. {
  635. static const unsigned char exporterlabel[] = "exporter";
  636. unsigned char exportsecret[EVP_MAX_MD_SIZE];
  637. unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
  638. const EVP_MD *md;
  639. EVP_MD_CTX *ctx = EVP_MD_CTX_new();
  640. unsigned int hashsize, datalen;
  641. int ret = 0;
  642. const SSL_CIPHER *sslcipher;
  643. if (ctx == NULL || !ossl_statem_export_early_allowed(s))
  644. goto err;
  645. if (!s->server && s->max_early_data > 0
  646. && s->session->ext.max_early_data == 0)
  647. sslcipher = SSL_SESSION_get0_cipher(s->psksession);
  648. else
  649. sslcipher = SSL_SESSION_get0_cipher(s->session);
  650. md = ssl_md(sslcipher->algorithm2);
  651. /*
  652. * Calculate the hash value and store it in |data|. The reason why
  653. * the empty string is used is that the definition of TLS-Exporter
  654. * is like so:
  655. *
  656. * TLS-Exporter(label, context_value, key_length) =
  657. * HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
  658. * "exporter", Hash(context_value), key_length)
  659. *
  660. * Derive-Secret(Secret, Label, Messages) =
  661. * HKDF-Expand-Label(Secret, Label,
  662. * Transcript-Hash(Messages), Hash.length)
  663. *
  664. * Here Transcript-Hash is the cipher suite hash algorithm.
  665. */
  666. if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
  667. || EVP_DigestUpdate(ctx, context, contextlen) <= 0
  668. || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
  669. || EVP_DigestInit_ex(ctx, md, NULL) <= 0
  670. || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
  671. || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
  672. (const unsigned char *)label, llen,
  673. data, datalen, exportsecret, hashsize)
  674. || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
  675. sizeof(exporterlabel) - 1, hash, hashsize,
  676. out, olen))
  677. goto err;
  678. ret = 1;
  679. err:
  680. EVP_MD_CTX_free(ctx);
  681. return ret;
  682. }