tls13_enc.c 34 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920
  1. /*
  2. * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdlib.h>
  10. #include "ssl_local.h"
  11. #include "internal/ktls.h"
  12. #include "record/record_local.h"
  13. #include "internal/cryptlib.h"
  14. #include <openssl/evp.h>
  15. #include <openssl/kdf.h>
  16. #include <openssl/core_names.h>
  17. #define TLS13_MAX_LABEL_LEN 249
  18. #ifdef CHARSET_EBCDIC
  19. static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 };
  20. #else
  21. static const unsigned char label_prefix[] = "tls13 ";
  22. #endif
  23. /*
  24. * Given a |secret|; a |label| of length |labellen|; and |data| of length
  25. * |datalen| (e.g. typically a hash of the handshake messages), derive a new
  26. * secret |outlen| bytes long and store it in the location pointed to be |out|.
  27. * The |data| value may be zero length. Any errors will be treated as fatal if
  28. * |fatal| is set. Returns 1 on success 0 on failure.
  29. */
  30. int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
  31. const unsigned char *label, size_t labellen,
  32. const unsigned char *data, size_t datalen,
  33. unsigned char *out, size_t outlen, int fatal)
  34. {
  35. EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF,
  36. s->ctx->propq);
  37. EVP_KDF_CTX *kctx;
  38. OSSL_PARAM params[7], *p = params;
  39. int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
  40. const char *mdname = EVP_MD_get0_name(md);
  41. int ret;
  42. size_t hashlen;
  43. kctx = EVP_KDF_CTX_new(kdf);
  44. EVP_KDF_free(kdf);
  45. if (kctx == NULL)
  46. return 0;
  47. if (labellen > TLS13_MAX_LABEL_LEN) {
  48. if (fatal) {
  49. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  50. } else {
  51. /*
  52. * Probably we have been called from SSL_export_keying_material(),
  53. * or SSL_export_keying_material_early().
  54. */
  55. ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
  56. }
  57. EVP_KDF_CTX_free(kctx);
  58. return 0;
  59. }
  60. if ((ret = EVP_MD_get_size(md)) <= 0) {
  61. EVP_KDF_CTX_free(kctx);
  62. if (fatal)
  63. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  64. else
  65. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  66. return 0;
  67. }
  68. hashlen = (size_t)ret;
  69. *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
  70. *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
  71. (char *)mdname, 0);
  72. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
  73. (unsigned char *)secret, hashlen);
  74. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX,
  75. (unsigned char *)label_prefix,
  76. sizeof(label_prefix) - 1);
  77. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL,
  78. (unsigned char *)label, labellen);
  79. if (data != NULL)
  80. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_DATA,
  81. (unsigned char *)data,
  82. datalen);
  83. *p++ = OSSL_PARAM_construct_end();
  84. ret = EVP_KDF_derive(kctx, out, outlen, params) <= 0;
  85. EVP_KDF_CTX_free(kctx);
  86. if (ret != 0) {
  87. if (fatal)
  88. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  89. else
  90. ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR);
  91. }
  92. return ret == 0;
  93. }
  94. /*
  95. * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on
  96. * success 0 on failure.
  97. */
  98. int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
  99. unsigned char *key, size_t keylen)
  100. {
  101. #ifdef CHARSET_EBCDIC
  102. static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 };
  103. #else
  104. static const unsigned char keylabel[] = "key";
  105. #endif
  106. return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
  107. NULL, 0, key, keylen, 1);
  108. }
  109. /*
  110. * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on
  111. * success 0 on failure.
  112. */
  113. int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
  114. unsigned char *iv, size_t ivlen)
  115. {
  116. #ifdef CHARSET_EBCDIC
  117. static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 };
  118. #else
  119. static const unsigned char ivlabel[] = "iv";
  120. #endif
  121. return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
  122. NULL, 0, iv, ivlen, 1);
  123. }
  124. int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
  125. const unsigned char *secret,
  126. unsigned char *fin, size_t finlen)
  127. {
  128. #ifdef CHARSET_EBCDIC
  129. static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 };
  130. #else
  131. static const unsigned char finishedlabel[] = "finished";
  132. #endif
  133. return tls13_hkdf_expand(s, md, secret, finishedlabel,
  134. sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1);
  135. }
  136. /*
  137. * Given the previous secret |prevsecret| and a new input secret |insecret| of
  138. * length |insecretlen|, generate a new secret and store it in the location
  139. * pointed to by |outsecret|. Returns 1 on success 0 on failure.
  140. */
  141. int tls13_generate_secret(SSL *s, const EVP_MD *md,
  142. const unsigned char *prevsecret,
  143. const unsigned char *insecret,
  144. size_t insecretlen,
  145. unsigned char *outsecret)
  146. {
  147. size_t mdlen;
  148. int mdleni;
  149. int ret;
  150. EVP_KDF *kdf;
  151. EVP_KDF_CTX *kctx;
  152. OSSL_PARAM params[7], *p = params;
  153. int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY;
  154. const char *mdname = EVP_MD_get0_name(md);
  155. #ifdef CHARSET_EBCDIC
  156. static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 };
  157. #else
  158. static const char derived_secret_label[] = "derived";
  159. #endif
  160. kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq);
  161. kctx = EVP_KDF_CTX_new(kdf);
  162. EVP_KDF_free(kdf);
  163. if (kctx == NULL) {
  164. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  165. return 0;
  166. }
  167. mdleni = EVP_MD_get_size(md);
  168. /* Ensure cast to size_t is safe */
  169. if (!ossl_assert(mdleni >= 0)) {
  170. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  171. EVP_KDF_CTX_free(kctx);
  172. return 0;
  173. }
  174. mdlen = (size_t)mdleni;
  175. *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
  176. *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
  177. (char *)mdname, 0);
  178. if (insecret != NULL)
  179. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
  180. (unsigned char *)insecret,
  181. insecretlen);
  182. if (prevsecret != NULL)
  183. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT,
  184. (unsigned char *)prevsecret, mdlen);
  185. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX,
  186. (unsigned char *)label_prefix,
  187. sizeof(label_prefix) - 1);
  188. *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL,
  189. (unsigned char *)derived_secret_label,
  190. sizeof(derived_secret_label) - 1);
  191. *p++ = OSSL_PARAM_construct_end();
  192. ret = EVP_KDF_derive(kctx, outsecret, mdlen, params) <= 0;
  193. if (ret != 0)
  194. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  195. EVP_KDF_CTX_free(kctx);
  196. return ret == 0;
  197. }
  198. /*
  199. * Given an input secret |insecret| of length |insecretlen| generate the
  200. * handshake secret. This requires the early secret to already have been
  201. * generated. Returns 1 on success 0 on failure.
  202. */
  203. int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret,
  204. size_t insecretlen)
  205. {
  206. /* Calls SSLfatal() if required */
  207. return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret,
  208. insecret, insecretlen,
  209. (unsigned char *)&s->handshake_secret);
  210. }
  211. /*
  212. * Given the handshake secret |prev| of length |prevlen| generate the master
  213. * secret and store its length in |*secret_size|. Returns 1 on success 0 on
  214. * failure.
  215. */
  216. int tls13_generate_master_secret(SSL *s, unsigned char *out,
  217. unsigned char *prev, size_t prevlen,
  218. size_t *secret_size)
  219. {
  220. const EVP_MD *md = ssl_handshake_md(s);
  221. *secret_size = EVP_MD_get_size(md);
  222. /* Calls SSLfatal() if required */
  223. return tls13_generate_secret(s, md, prev, NULL, 0, out);
  224. }
  225. /*
  226. * Generates the mac for the Finished message. Returns the length of the MAC or
  227. * 0 on error.
  228. */
  229. size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
  230. unsigned char *out)
  231. {
  232. const EVP_MD *md = ssl_handshake_md(s);
  233. const char *mdname = EVP_MD_get0_name(md);
  234. unsigned char hash[EVP_MAX_MD_SIZE];
  235. unsigned char finsecret[EVP_MAX_MD_SIZE];
  236. unsigned char *key = NULL;
  237. size_t len = 0, hashlen;
  238. OSSL_PARAM params[2], *p = params;
  239. if (md == NULL)
  240. return 0;
  241. /* Safe to cast away const here since we're not "getting" any data */
  242. if (s->ctx->propq != NULL)
  243. *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES,
  244. (char *)s->ctx->propq,
  245. 0);
  246. *p = OSSL_PARAM_construct_end();
  247. if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
  248. /* SSLfatal() already called */
  249. goto err;
  250. }
  251. if (str == s->method->ssl3_enc->server_finished_label) {
  252. key = s->server_finished_secret;
  253. } else if (SSL_IS_FIRST_HANDSHAKE(s)) {
  254. key = s->client_finished_secret;
  255. } else {
  256. if (!tls13_derive_finishedkey(s, md,
  257. s->client_app_traffic_secret,
  258. finsecret, hashlen))
  259. goto err;
  260. key = finsecret;
  261. }
  262. if (!EVP_Q_mac(s->ctx->libctx, "HMAC", s->ctx->propq, mdname,
  263. params, key, hashlen, hash, hashlen,
  264. /* outsize as per sizeof(peer_finish_md) */
  265. out, EVP_MAX_MD_SIZE * 2, &len)) {
  266. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  267. goto err;
  268. }
  269. err:
  270. OPENSSL_cleanse(finsecret, sizeof(finsecret));
  271. return len;
  272. }
  273. /*
  274. * There isn't really a key block in TLSv1.3, but we still need this function
  275. * for initialising the cipher and hash. Returns 1 on success or 0 on failure.
  276. */
  277. int tls13_setup_key_block(SSL *s)
  278. {
  279. const EVP_CIPHER *c;
  280. const EVP_MD *hash;
  281. s->session->cipher = s->s3.tmp.new_cipher;
  282. if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL,
  283. 0)) {
  284. /* Error is already recorded */
  285. SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
  286. return 0;
  287. }
  288. ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);
  289. s->s3.tmp.new_sym_enc = c;
  290. ssl_evp_md_free(s->s3.tmp.new_hash);
  291. s->s3.tmp.new_hash = hash;
  292. return 1;
  293. }
  294. static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
  295. const EVP_CIPHER *ciph,
  296. const unsigned char *insecret,
  297. const unsigned char *hash,
  298. const unsigned char *label,
  299. size_t labellen, unsigned char *secret,
  300. unsigned char *key, unsigned char *iv,
  301. EVP_CIPHER_CTX *ciph_ctx)
  302. {
  303. size_t ivlen, keylen, taglen;
  304. int hashleni = EVP_MD_get_size(md);
  305. size_t hashlen;
  306. /* Ensure cast to size_t is safe */
  307. if (!ossl_assert(hashleni >= 0)) {
  308. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  309. return 0;
  310. }
  311. hashlen = (size_t)hashleni;
  312. if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
  313. secret, hashlen, 1)) {
  314. /* SSLfatal() already called */
  315. return 0;
  316. }
  317. keylen = EVP_CIPHER_get_key_length(ciph);
  318. if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) {
  319. uint32_t algenc;
  320. ivlen = EVP_CCM_TLS_IV_LEN;
  321. if (s->s3.tmp.new_cipher != NULL) {
  322. algenc = s->s3.tmp.new_cipher->algorithm_enc;
  323. } else if (s->session->cipher != NULL) {
  324. /* We've not selected a cipher yet - we must be doing early data */
  325. algenc = s->session->cipher->algorithm_enc;
  326. } else if (s->psksession != NULL && s->psksession->cipher != NULL) {
  327. /* We must be doing early data with out-of-band PSK */
  328. algenc = s->psksession->cipher->algorithm_enc;
  329. } else {
  330. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  331. return 0;
  332. }
  333. if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
  334. taglen = EVP_CCM8_TLS_TAG_LEN;
  335. else
  336. taglen = EVP_CCM_TLS_TAG_LEN;
  337. } else {
  338. ivlen = EVP_CIPHER_get_iv_length(ciph);
  339. taglen = 0;
  340. }
  341. if (!tls13_derive_key(s, md, secret, key, keylen)
  342. || !tls13_derive_iv(s, md, secret, iv, ivlen)) {
  343. /* SSLfatal() already called */
  344. return 0;
  345. }
  346. if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0
  347. || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) <= 0
  348. || (taglen != 0 && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
  349. taglen, NULL) <= 0)
  350. || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {
  351. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB);
  352. return 0;
  353. }
  354. return 1;
  355. }
  356. int tls13_change_cipher_state(SSL *s, int which)
  357. {
  358. #ifdef CHARSET_EBCDIC
  359. static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
  360. static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
  361. static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
  362. static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
  363. static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00};
  364. static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
  365. static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
  366. static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00};
  367. #else
  368. static const unsigned char client_early_traffic[] = "c e traffic";
  369. static const unsigned char client_handshake_traffic[] = "c hs traffic";
  370. static const unsigned char client_application_traffic[] = "c ap traffic";
  371. static const unsigned char server_handshake_traffic[] = "s hs traffic";
  372. static const unsigned char server_application_traffic[] = "s ap traffic";
  373. static const unsigned char exporter_master_secret[] = "exp master";
  374. static const unsigned char resumption_master_secret[] = "res master";
  375. static const unsigned char early_exporter_master_secret[] = "e exp master";
  376. #endif
  377. unsigned char *iv;
  378. unsigned char key[EVP_MAX_KEY_LENGTH];
  379. unsigned char secret[EVP_MAX_MD_SIZE];
  380. unsigned char hashval[EVP_MAX_MD_SIZE];
  381. unsigned char *hash = hashval;
  382. unsigned char *insecret;
  383. unsigned char *finsecret = NULL;
  384. const char *log_label = NULL;
  385. EVP_CIPHER_CTX *ciph_ctx;
  386. size_t finsecretlen = 0;
  387. const unsigned char *label;
  388. size_t labellen, hashlen = 0;
  389. int ret = 0;
  390. const EVP_MD *md = NULL;
  391. const EVP_CIPHER *cipher = NULL;
  392. #if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13)
  393. ktls_crypto_info_t crypto_info;
  394. void *rl_sequence;
  395. BIO *bio;
  396. #endif
  397. if (which & SSL3_CC_READ) {
  398. if (s->enc_read_ctx != NULL) {
  399. EVP_CIPHER_CTX_reset(s->enc_read_ctx);
  400. } else {
  401. s->enc_read_ctx = EVP_CIPHER_CTX_new();
  402. if (s->enc_read_ctx == NULL) {
  403. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  404. goto err;
  405. }
  406. }
  407. ciph_ctx = s->enc_read_ctx;
  408. iv = s->read_iv;
  409. RECORD_LAYER_reset_read_sequence(&s->rlayer);
  410. } else {
  411. s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
  412. if (s->enc_write_ctx != NULL) {
  413. EVP_CIPHER_CTX_reset(s->enc_write_ctx);
  414. } else {
  415. s->enc_write_ctx = EVP_CIPHER_CTX_new();
  416. if (s->enc_write_ctx == NULL) {
  417. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  418. goto err;
  419. }
  420. }
  421. ciph_ctx = s->enc_write_ctx;
  422. iv = s->write_iv;
  423. RECORD_LAYER_reset_write_sequence(&s->rlayer);
  424. }
  425. if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
  426. || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
  427. if (which & SSL3_CC_EARLY) {
  428. EVP_MD_CTX *mdctx = NULL;
  429. long handlen;
  430. void *hdata;
  431. unsigned int hashlenui;
  432. const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session);
  433. insecret = s->early_secret;
  434. label = client_early_traffic;
  435. labellen = sizeof(client_early_traffic) - 1;
  436. log_label = CLIENT_EARLY_LABEL;
  437. handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata);
  438. if (handlen <= 0) {
  439. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH);
  440. goto err;
  441. }
  442. if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
  443. && s->max_early_data > 0
  444. && s->session->ext.max_early_data == 0) {
  445. /*
  446. * If we are attempting to send early data, and we've decided to
  447. * actually do it but max_early_data in s->session is 0 then we
  448. * must be using an external PSK.
  449. */
  450. if (!ossl_assert(s->psksession != NULL
  451. && s->max_early_data ==
  452. s->psksession->ext.max_early_data)) {
  453. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  454. goto err;
  455. }
  456. sslcipher = SSL_SESSION_get0_cipher(s->psksession);
  457. }
  458. if (sslcipher == NULL) {
  459. SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK);
  460. goto err;
  461. }
  462. /*
  463. * We need to calculate the handshake digest using the digest from
  464. * the session. We haven't yet selected our ciphersuite so we can't
  465. * use ssl_handshake_md().
  466. */
  467. mdctx = EVP_MD_CTX_new();
  468. if (mdctx == NULL) {
  469. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE);
  470. goto err;
  471. }
  472. /*
  473. * This ups the ref count on cipher so we better make sure we free
  474. * it again
  475. */
  476. if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) {
  477. /* Error is already recorded */
  478. SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR);
  479. EVP_MD_CTX_free(mdctx);
  480. goto err;
  481. }
  482. md = ssl_md(s->ctx, sslcipher->algorithm2);
  483. if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)
  484. || !EVP_DigestUpdate(mdctx, hdata, handlen)
  485. || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) {
  486. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  487. EVP_MD_CTX_free(mdctx);
  488. goto err;
  489. }
  490. hashlen = hashlenui;
  491. EVP_MD_CTX_free(mdctx);
  492. if (!tls13_hkdf_expand(s, md, insecret,
  493. early_exporter_master_secret,
  494. sizeof(early_exporter_master_secret) - 1,
  495. hashval, hashlen,
  496. s->early_exporter_master_secret, hashlen,
  497. 1)) {
  498. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  499. goto err;
  500. }
  501. if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL,
  502. s->early_exporter_master_secret, hashlen)) {
  503. /* SSLfatal() already called */
  504. goto err;
  505. }
  506. } else if (which & SSL3_CC_HANDSHAKE) {
  507. insecret = s->handshake_secret;
  508. finsecret = s->client_finished_secret;
  509. finsecretlen = EVP_MD_get_size(ssl_handshake_md(s));
  510. label = client_handshake_traffic;
  511. labellen = sizeof(client_handshake_traffic) - 1;
  512. log_label = CLIENT_HANDSHAKE_LABEL;
  513. /*
  514. * The handshake hash used for the server read/client write handshake
  515. * traffic secret is the same as the hash for the server
  516. * write/client read handshake traffic secret. However, if we
  517. * processed early data then we delay changing the server
  518. * read/client write cipher state until later, and the handshake
  519. * hashes have moved on. Therefore we use the value saved earlier
  520. * when we did the server write/client read change cipher state.
  521. */
  522. hash = s->handshake_traffic_hash;
  523. } else {
  524. insecret = s->master_secret;
  525. label = client_application_traffic;
  526. labellen = sizeof(client_application_traffic) - 1;
  527. log_label = CLIENT_APPLICATION_LABEL;
  528. /*
  529. * For this we only use the handshake hashes up until the server
  530. * Finished hash. We do not include the client's Finished, which is
  531. * what ssl_handshake_hash() would give us. Instead we use the
  532. * previously saved value.
  533. */
  534. hash = s->server_finished_hash;
  535. }
  536. } else {
  537. /* Early data never applies to client-read/server-write */
  538. if (which & SSL3_CC_HANDSHAKE) {
  539. insecret = s->handshake_secret;
  540. finsecret = s->server_finished_secret;
  541. finsecretlen = EVP_MD_get_size(ssl_handshake_md(s));
  542. label = server_handshake_traffic;
  543. labellen = sizeof(server_handshake_traffic) - 1;
  544. log_label = SERVER_HANDSHAKE_LABEL;
  545. } else {
  546. insecret = s->master_secret;
  547. label = server_application_traffic;
  548. labellen = sizeof(server_application_traffic) - 1;
  549. log_label = SERVER_APPLICATION_LABEL;
  550. }
  551. }
  552. if (!(which & SSL3_CC_EARLY)) {
  553. md = ssl_handshake_md(s);
  554. cipher = s->s3.tmp.new_sym_enc;
  555. if (!ssl3_digest_cached_records(s, 1)
  556. || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {
  557. /* SSLfatal() already called */;
  558. goto err;
  559. }
  560. }
  561. /*
  562. * Save the hash of handshakes up to now for use when we calculate the
  563. * client application traffic secret
  564. */
  565. if (label == server_application_traffic)
  566. memcpy(s->server_finished_hash, hashval, hashlen);
  567. if (label == server_handshake_traffic)
  568. memcpy(s->handshake_traffic_hash, hashval, hashlen);
  569. if (label == client_application_traffic) {
  570. /*
  571. * We also create the resumption master secret, but this time use the
  572. * hash for the whole handshake including the Client Finished
  573. */
  574. if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
  575. resumption_master_secret,
  576. sizeof(resumption_master_secret) - 1,
  577. hashval, hashlen, s->resumption_master_secret,
  578. hashlen, 1)) {
  579. /* SSLfatal() already called */
  580. goto err;
  581. }
  582. }
  583. /* check whether cipher is known */
  584. if (!ossl_assert(cipher != NULL))
  585. goto err;
  586. if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,
  587. insecret, hash, label, labellen, secret, key,
  588. iv, ciph_ctx)) {
  589. /* SSLfatal() already called */
  590. goto err;
  591. }
  592. if (label == server_application_traffic) {
  593. memcpy(s->server_app_traffic_secret, secret, hashlen);
  594. /* Now we create the exporter master secret */
  595. if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
  596. exporter_master_secret,
  597. sizeof(exporter_master_secret) - 1,
  598. hash, hashlen, s->exporter_master_secret,
  599. hashlen, 1)) {
  600. /* SSLfatal() already called */
  601. goto err;
  602. }
  603. if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret,
  604. hashlen)) {
  605. /* SSLfatal() already called */
  606. goto err;
  607. }
  608. } else if (label == client_application_traffic)
  609. memcpy(s->client_app_traffic_secret, secret, hashlen);
  610. if (!ssl_log_secret(s, log_label, secret, hashlen)) {
  611. /* SSLfatal() already called */
  612. goto err;
  613. }
  614. if (finsecret != NULL
  615. && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret,
  616. finsecret, finsecretlen)) {
  617. /* SSLfatal() already called */
  618. goto err;
  619. }
  620. if (!s->server && label == client_early_traffic)
  621. s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS;
  622. else
  623. s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
  624. #ifndef OPENSSL_NO_KTLS
  625. # if defined(OPENSSL_KTLS_TLS13)
  626. if (!(which & SSL3_CC_APPLICATION)
  627. || (s->options & SSL_OP_ENABLE_KTLS) == 0)
  628. goto skip_ktls;
  629. /* ktls supports only the maximum fragment size */
  630. if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH)
  631. goto skip_ktls;
  632. /* ktls does not support record padding */
  633. if (s->record_padding_cb != NULL)
  634. goto skip_ktls;
  635. /* check that cipher is supported */
  636. if (!ktls_check_supported_cipher(s, cipher, ciph_ctx))
  637. goto skip_ktls;
  638. if (which & SSL3_CC_WRITE)
  639. bio = s->wbio;
  640. else
  641. bio = s->rbio;
  642. if (!ossl_assert(bio != NULL)) {
  643. SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
  644. goto err;
  645. }
  646. /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */
  647. if (which & SSL3_CC_WRITE) {
  648. if (BIO_flush(bio) <= 0)
  649. goto skip_ktls;
  650. }
  651. /* configure kernel crypto structure */
  652. if (which & SSL3_CC_WRITE)
  653. rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer);
  654. else
  655. rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer);
  656. if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info,
  657. which & SSL3_CC_WRITE, iv, key, NULL, 0))
  658. goto skip_ktls;
  659. /* ktls works with user provided buffers directly */
  660. if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) {
  661. if (which & SSL3_CC_WRITE)
  662. ssl3_release_write_buffer(s);
  663. }
  664. skip_ktls:
  665. # endif
  666. #endif
  667. ret = 1;
  668. err:
  669. if ((which & SSL3_CC_EARLY) != 0) {
  670. /* We up-refed this so now we need to down ref */
  671. ssl_evp_cipher_free(cipher);
  672. }
  673. OPENSSL_cleanse(key, sizeof(key));
  674. OPENSSL_cleanse(secret, sizeof(secret));
  675. return ret;
  676. }
  677. int tls13_update_key(SSL *s, int sending)
  678. {
  679. #ifdef CHARSET_EBCDIC
  680. static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00};
  681. #else
  682. static const unsigned char application_traffic[] = "traffic upd";
  683. #endif
  684. const EVP_MD *md = ssl_handshake_md(s);
  685. size_t hashlen = EVP_MD_get_size(md);
  686. unsigned char key[EVP_MAX_KEY_LENGTH];
  687. unsigned char *insecret, *iv;
  688. unsigned char secret[EVP_MAX_MD_SIZE];
  689. EVP_CIPHER_CTX *ciph_ctx;
  690. int ret = 0;
  691. if (s->server == sending)
  692. insecret = s->server_app_traffic_secret;
  693. else
  694. insecret = s->client_app_traffic_secret;
  695. if (sending) {
  696. s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
  697. iv = s->write_iv;
  698. ciph_ctx = s->enc_write_ctx;
  699. RECORD_LAYER_reset_write_sequence(&s->rlayer);
  700. } else {
  701. iv = s->read_iv;
  702. ciph_ctx = s->enc_read_ctx;
  703. RECORD_LAYER_reset_read_sequence(&s->rlayer);
  704. }
  705. if (!derive_secret_key_and_iv(s, sending, md,
  706. s->s3.tmp.new_sym_enc, insecret, NULL,
  707. application_traffic,
  708. sizeof(application_traffic) - 1, secret, key,
  709. iv, ciph_ctx)) {
  710. /* SSLfatal() already called */
  711. goto err;
  712. }
  713. memcpy(insecret, secret, hashlen);
  714. s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
  715. ret = 1;
  716. err:
  717. OPENSSL_cleanse(key, sizeof(key));
  718. OPENSSL_cleanse(secret, sizeof(secret));
  719. return ret;
  720. }
  721. int tls13_alert_code(int code)
  722. {
  723. /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */
  724. if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED)
  725. return code;
  726. return tls1_alert_code(code);
  727. }
  728. int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
  729. const char *label, size_t llen,
  730. const unsigned char *context,
  731. size_t contextlen, int use_context)
  732. {
  733. unsigned char exportsecret[EVP_MAX_MD_SIZE];
  734. #ifdef CHARSET_EBCDIC
  735. static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
  736. #else
  737. static const unsigned char exporterlabel[] = "exporter";
  738. #endif
  739. unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
  740. const EVP_MD *md = ssl_handshake_md(s);
  741. EVP_MD_CTX *ctx = EVP_MD_CTX_new();
  742. unsigned int hashsize, datalen;
  743. int ret = 0;
  744. if (ctx == NULL || md == NULL || !ossl_statem_export_allowed(s))
  745. goto err;
  746. if (!use_context)
  747. contextlen = 0;
  748. if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
  749. || EVP_DigestUpdate(ctx, context, contextlen) <= 0
  750. || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
  751. || EVP_DigestInit_ex(ctx, md, NULL) <= 0
  752. || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
  753. || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
  754. (const unsigned char *)label, llen,
  755. data, datalen, exportsecret, hashsize, 0)
  756. || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
  757. sizeof(exporterlabel) - 1, hash, hashsize,
  758. out, olen, 0))
  759. goto err;
  760. ret = 1;
  761. err:
  762. EVP_MD_CTX_free(ctx);
  763. return ret;
  764. }
  765. int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
  766. const char *label, size_t llen,
  767. const unsigned char *context,
  768. size_t contextlen)
  769. {
  770. #ifdef CHARSET_EBCDIC
  771. static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00};
  772. #else
  773. static const unsigned char exporterlabel[] = "exporter";
  774. #endif
  775. unsigned char exportsecret[EVP_MAX_MD_SIZE];
  776. unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
  777. const EVP_MD *md;
  778. EVP_MD_CTX *ctx = EVP_MD_CTX_new();
  779. unsigned int hashsize, datalen;
  780. int ret = 0;
  781. const SSL_CIPHER *sslcipher;
  782. if (ctx == NULL || !ossl_statem_export_early_allowed(s))
  783. goto err;
  784. if (!s->server && s->max_early_data > 0
  785. && s->session->ext.max_early_data == 0)
  786. sslcipher = SSL_SESSION_get0_cipher(s->psksession);
  787. else
  788. sslcipher = SSL_SESSION_get0_cipher(s->session);
  789. md = ssl_md(s->ctx, sslcipher->algorithm2);
  790. /*
  791. * Calculate the hash value and store it in |data|. The reason why
  792. * the empty string is used is that the definition of TLS-Exporter
  793. * is like so:
  794. *
  795. * TLS-Exporter(label, context_value, key_length) =
  796. * HKDF-Expand-Label(Derive-Secret(Secret, label, ""),
  797. * "exporter", Hash(context_value), key_length)
  798. *
  799. * Derive-Secret(Secret, Label, Messages) =
  800. * HKDF-Expand-Label(Secret, Label,
  801. * Transcript-Hash(Messages), Hash.length)
  802. *
  803. * Here Transcript-Hash is the cipher suite hash algorithm.
  804. */
  805. if (md == NULL
  806. || EVP_DigestInit_ex(ctx, md, NULL) <= 0
  807. || EVP_DigestUpdate(ctx, context, contextlen) <= 0
  808. || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
  809. || EVP_DigestInit_ex(ctx, md, NULL) <= 0
  810. || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
  811. || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
  812. (const unsigned char *)label, llen,
  813. data, datalen, exportsecret, hashsize, 0)
  814. || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
  815. sizeof(exporterlabel) - 1, hash, hashsize,
  816. out, olen, 0))
  817. goto err;
  818. ret = 1;
  819. err:
  820. EVP_MD_CTX_free(ctx);
  821. return ret;
  822. }