tls13_enc.c revision 1.1.1.1
1 1.1 christos /* 2 1.1 christos * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3 1.1 christos * 4 1.1 christos * Licensed under the OpenSSL license (the "License"). You may not use 5 1.1 christos * this file except in compliance with the License. You can obtain a copy 6 1.1 christos * in the file LICENSE in the source distribution or at 7 1.1 christos * https://www.openssl.org/source/license.html 8 1.1 christos */ 9 1.1 christos 10 1.1 christos #include <stdlib.h> 11 1.1 christos #include "ssl_local.h" 12 1.1 christos #include "internal/cryptlib.h" 13 1.1 christos #include <openssl/evp.h> 14 1.1 christos #include <openssl/kdf.h> 15 1.1 christos 16 1.1 christos #define TLS13_MAX_LABEL_LEN 249 17 1.1 christos 18 1.1 christos /* Always filled with zeros */ 19 1.1 christos static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; 20 1.1 christos 21 1.1 christos /* 22 1.1 christos * Given a |secret|; a |label| of length |labellen|; and |data| of length 23 1.1 christos * |datalen| (e.g. typically a hash of the handshake messages), derive a new 24 1.1 christos * secret |outlen| bytes long and store it in the location pointed to be |out|. 25 1.1 christos * The |data| value may be zero length. Any errors will be treated as fatal if 26 1.1 christos * |fatal| is set. Returns 1 on success 0 on failure. 27 1.1 christos */ 28 1.1 christos int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, 29 1.1 christos const unsigned char *label, size_t labellen, 30 1.1 christos const unsigned char *data, size_t datalen, 31 1.1 christos unsigned char *out, size_t outlen, int fatal) 32 1.1 christos { 33 1.1 christos #ifdef CHARSET_EBCDIC 34 1.1 christos static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 }; 35 1.1 christos #else 36 1.1 christos static const unsigned char label_prefix[] = "tls13 "; 37 1.1 christos #endif 38 1.1 christos EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); 39 1.1 christos int ret; 40 1.1 christos size_t hkdflabellen; 41 1.1 christos size_t hashlen; 42 1.1 christos /* 43 1.1 christos * 2 bytes for length of derived secret + 1 byte for length of combined 44 1.1 christos * prefix and label + bytes for the label itself + 1 byte length of hash 45 1.1 christos * + bytes for the hash itself 46 1.1 christos */ 47 1.1 christos unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) 48 1.1 christos + (sizeof(label_prefix) - 1) + TLS13_MAX_LABEL_LEN 49 1.1 christos + 1 + EVP_MAX_MD_SIZE]; 50 1.1 christos WPACKET pkt; 51 1.1 christos 52 1.1 christos if (pctx == NULL) 53 1.1 christos return 0; 54 1.1 christos 55 1.1 christos if (labellen > TLS13_MAX_LABEL_LEN) { 56 1.1 christos if (fatal) { 57 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, 58 1.1 christos ERR_R_INTERNAL_ERROR); 59 1.1 christos } else { 60 1.1 christos /* 61 1.1 christos * Probably we have been called from SSL_export_keying_material(), 62 1.1 christos * or SSL_export_keying_material_early(). 63 1.1 christos */ 64 1.1 christos SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 65 1.1 christos } 66 1.1 christos EVP_PKEY_CTX_free(pctx); 67 1.1 christos return 0; 68 1.1 christos } 69 1.1 christos 70 1.1 christos hashlen = EVP_MD_size(md); 71 1.1 christos 72 1.1 christos if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) 73 1.1 christos || !WPACKET_put_bytes_u16(&pkt, outlen) 74 1.1 christos || !WPACKET_start_sub_packet_u8(&pkt) 75 1.1 christos || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1) 76 1.1 christos || !WPACKET_memcpy(&pkt, label, labellen) 77 1.1 christos || !WPACKET_close(&pkt) 78 1.1 christos || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) 79 1.1 christos || !WPACKET_get_total_written(&pkt, &hkdflabellen) 80 1.1 christos || !WPACKET_finish(&pkt)) { 81 1.1 christos EVP_PKEY_CTX_free(pctx); 82 1.1 christos WPACKET_cleanup(&pkt); 83 1.1 christos if (fatal) 84 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, 85 1.1 christos ERR_R_INTERNAL_ERROR); 86 1.1 christos else 87 1.1 christos SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); 88 1.1 christos return 0; 89 1.1 christos } 90 1.1 christos 91 1.1 christos ret = EVP_PKEY_derive_init(pctx) <= 0 92 1.1 christos || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) 93 1.1 christos <= 0 94 1.1 christos || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 95 1.1 christos || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0 96 1.1 christos || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0 97 1.1 christos || EVP_PKEY_derive(pctx, out, &outlen) <= 0; 98 1.1 christos 99 1.1 christos EVP_PKEY_CTX_free(pctx); 100 1.1 christos 101 1.1 christos if (ret != 0) { 102 1.1 christos if (fatal) 103 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, 104 1.1 christos ERR_R_INTERNAL_ERROR); 105 1.1 christos else 106 1.1 christos SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); 107 1.1 christos } 108 1.1 christos 109 1.1 christos return ret == 0; 110 1.1 christos } 111 1.1 christos 112 1.1 christos /* 113 1.1 christos * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on 114 1.1 christos * success 0 on failure. 115 1.1 christos */ 116 1.1 christos int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, 117 1.1 christos unsigned char *key, size_t keylen) 118 1.1 christos { 119 1.1 christos #ifdef CHARSET_EBCDIC 120 1.1 christos static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 }; 121 1.1 christos #else 122 1.1 christos static const unsigned char keylabel[] = "key"; 123 1.1 christos #endif 124 1.1 christos 125 1.1 christos return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, 126 1.1 christos NULL, 0, key, keylen, 1); 127 1.1 christos } 128 1.1 christos 129 1.1 christos /* 130 1.1 christos * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on 131 1.1 christos * success 0 on failure. 132 1.1 christos */ 133 1.1 christos int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, 134 1.1 christos unsigned char *iv, size_t ivlen) 135 1.1 christos { 136 1.1 christos #ifdef CHARSET_EBCDIC 137 1.1 christos static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 }; 138 1.1 christos #else 139 1.1 christos static const unsigned char ivlabel[] = "iv"; 140 1.1 christos #endif 141 1.1 christos 142 1.1 christos return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, 143 1.1 christos NULL, 0, iv, ivlen, 1); 144 1.1 christos } 145 1.1 christos 146 1.1 christos int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, 147 1.1 christos const unsigned char *secret, 148 1.1 christos unsigned char *fin, size_t finlen) 149 1.1 christos { 150 1.1 christos #ifdef CHARSET_EBCDIC 151 1.1 christos static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 }; 152 1.1 christos #else 153 1.1 christos static const unsigned char finishedlabel[] = "finished"; 154 1.1 christos #endif 155 1.1 christos 156 1.1 christos return tls13_hkdf_expand(s, md, secret, finishedlabel, 157 1.1 christos sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); 158 1.1 christos } 159 1.1 christos 160 1.1 christos /* 161 1.1 christos * Given the previous secret |prevsecret| and a new input secret |insecret| of 162 1.1 christos * length |insecretlen|, generate a new secret and store it in the location 163 1.1 christos * pointed to by |outsecret|. Returns 1 on success 0 on failure. 164 1.1 christos */ 165 1.1 christos int tls13_generate_secret(SSL *s, const EVP_MD *md, 166 1.1 christos const unsigned char *prevsecret, 167 1.1 christos const unsigned char *insecret, 168 1.1 christos size_t insecretlen, 169 1.1 christos unsigned char *outsecret) 170 1.1 christos { 171 1.1 christos size_t mdlen, prevsecretlen; 172 1.1 christos int mdleni; 173 1.1 christos int ret; 174 1.1 christos EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); 175 1.1 christos #ifdef CHARSET_EBCDIC 176 1.1 christos static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 }; 177 1.1 christos #else 178 1.1 christos static const char derived_secret_label[] = "derived"; 179 1.1 christos #endif 180 1.1 christos unsigned char preextractsec[EVP_MAX_MD_SIZE]; 181 1.1 christos 182 1.1 christos if (pctx == NULL) { 183 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 184 1.1 christos ERR_R_INTERNAL_ERROR); 185 1.1 christos return 0; 186 1.1 christos } 187 1.1 christos 188 1.1 christos mdleni = EVP_MD_size(md); 189 1.1 christos /* Ensure cast to size_t is safe */ 190 1.1 christos if (!ossl_assert(mdleni >= 0)) { 191 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 192 1.1 christos ERR_R_INTERNAL_ERROR); 193 1.1 christos EVP_PKEY_CTX_free(pctx); 194 1.1 christos return 0; 195 1.1 christos } 196 1.1 christos mdlen = (size_t)mdleni; 197 1.1 christos 198 1.1 christos if (insecret == NULL) { 199 1.1 christos insecret = default_zeros; 200 1.1 christos insecretlen = mdlen; 201 1.1 christos } 202 1.1 christos if (prevsecret == NULL) { 203 1.1 christos prevsecret = default_zeros; 204 1.1 christos prevsecretlen = 0; 205 1.1 christos } else { 206 1.1 christos EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 207 1.1 christos unsigned char hash[EVP_MAX_MD_SIZE]; 208 1.1 christos 209 1.1 christos /* The pre-extract derive step uses a hash of no messages */ 210 1.1 christos if (mctx == NULL 211 1.1 christos || EVP_DigestInit_ex(mctx, md, NULL) <= 0 212 1.1 christos || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 213 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 214 1.1 christos ERR_R_INTERNAL_ERROR); 215 1.1 christos EVP_MD_CTX_free(mctx); 216 1.1 christos EVP_PKEY_CTX_free(pctx); 217 1.1 christos return 0; 218 1.1 christos } 219 1.1 christos EVP_MD_CTX_free(mctx); 220 1.1 christos 221 1.1 christos /* Generate the pre-extract secret */ 222 1.1 christos if (!tls13_hkdf_expand(s, md, prevsecret, 223 1.1 christos (unsigned char *)derived_secret_label, 224 1.1 christos sizeof(derived_secret_label) - 1, hash, mdlen, 225 1.1 christos preextractsec, mdlen, 1)) { 226 1.1 christos /* SSLfatal() already called */ 227 1.1 christos EVP_PKEY_CTX_free(pctx); 228 1.1 christos return 0; 229 1.1 christos } 230 1.1 christos 231 1.1 christos prevsecret = preextractsec; 232 1.1 christos prevsecretlen = mdlen; 233 1.1 christos } 234 1.1 christos 235 1.1 christos ret = EVP_PKEY_derive_init(pctx) <= 0 236 1.1 christos || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) 237 1.1 christos <= 0 238 1.1 christos || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 239 1.1 christos || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0 240 1.1 christos || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen) 241 1.1 christos <= 0 242 1.1 christos || EVP_PKEY_derive(pctx, outsecret, &mdlen) 243 1.1 christos <= 0; 244 1.1 christos 245 1.1 christos if (ret != 0) 246 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 247 1.1 christos ERR_R_INTERNAL_ERROR); 248 1.1 christos 249 1.1 christos EVP_PKEY_CTX_free(pctx); 250 1.1 christos if (prevsecret == preextractsec) 251 1.1 christos OPENSSL_cleanse(preextractsec, mdlen); 252 1.1 christos return ret == 0; 253 1.1 christos } 254 1.1 christos 255 1.1 christos /* 256 1.1 christos * Given an input secret |insecret| of length |insecretlen| generate the 257 1.1 christos * handshake secret. This requires the early secret to already have been 258 1.1 christos * generated. Returns 1 on success 0 on failure. 259 1.1 christos */ 260 1.1 christos int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, 261 1.1 christos size_t insecretlen) 262 1.1 christos { 263 1.1 christos /* Calls SSLfatal() if required */ 264 1.1 christos return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, 265 1.1 christos insecret, insecretlen, 266 1.1 christos (unsigned char *)&s->handshake_secret); 267 1.1 christos } 268 1.1 christos 269 1.1 christos /* 270 1.1 christos * Given the handshake secret |prev| of length |prevlen| generate the master 271 1.1 christos * secret and store its length in |*secret_size|. Returns 1 on success 0 on 272 1.1 christos * failure. 273 1.1 christos */ 274 1.1 christos int tls13_generate_master_secret(SSL *s, unsigned char *out, 275 1.1 christos unsigned char *prev, size_t prevlen, 276 1.1 christos size_t *secret_size) 277 1.1 christos { 278 1.1 christos const EVP_MD *md = ssl_handshake_md(s); 279 1.1 christos 280 1.1 christos *secret_size = EVP_MD_size(md); 281 1.1 christos /* Calls SSLfatal() if required */ 282 1.1 christos return tls13_generate_secret(s, md, prev, NULL, 0, out); 283 1.1 christos } 284 1.1 christos 285 1.1 christos /* 286 1.1 christos * Generates the mac for the Finished message. Returns the length of the MAC or 287 1.1 christos * 0 on error. 288 1.1 christos */ 289 1.1 christos size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, 290 1.1 christos unsigned char *out) 291 1.1 christos { 292 1.1 christos const EVP_MD *md = ssl_handshake_md(s); 293 1.1 christos unsigned char hash[EVP_MAX_MD_SIZE]; 294 1.1 christos size_t hashlen, ret = 0; 295 1.1 christos EVP_PKEY *key = NULL; 296 1.1 christos EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 297 1.1 christos 298 1.1 christos if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 299 1.1 christos /* SSLfatal() already called */ 300 1.1 christos goto err; 301 1.1 christos } 302 1.1 christos 303 1.1 christos if (str == s->method->ssl3_enc->server_finished_label) { 304 1.1 christos key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, 305 1.1 christos s->server_finished_secret, hashlen); 306 1.1 christos } else if (SSL_IS_FIRST_HANDSHAKE(s)) { 307 1.1 christos key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, 308 1.1 christos s->client_finished_secret, hashlen); 309 1.1 christos } else { 310 1.1 christos unsigned char finsecret[EVP_MAX_MD_SIZE]; 311 1.1 christos 312 1.1 christos if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), 313 1.1 christos s->client_app_traffic_secret, 314 1.1 christos finsecret, hashlen)) 315 1.1 christos goto err; 316 1.1 christos 317 1.1 christos key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret, 318 1.1 christos hashlen); 319 1.1 christos OPENSSL_cleanse(finsecret, sizeof(finsecret)); 320 1.1 christos } 321 1.1 christos 322 1.1 christos if (key == NULL 323 1.1 christos || ctx == NULL 324 1.1 christos || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0 325 1.1 christos || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0 326 1.1 christos || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) { 327 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC, 328 1.1 christos ERR_R_INTERNAL_ERROR); 329 1.1 christos goto err; 330 1.1 christos } 331 1.1 christos 332 1.1 christos ret = hashlen; 333 1.1 christos err: 334 1.1 christos EVP_PKEY_free(key); 335 1.1 christos EVP_MD_CTX_free(ctx); 336 1.1 christos return ret; 337 1.1 christos } 338 1.1 christos 339 1.1 christos /* 340 1.1 christos * There isn't really a key block in TLSv1.3, but we still need this function 341 1.1 christos * for initialising the cipher and hash. Returns 1 on success or 0 on failure. 342 1.1 christos */ 343 1.1 christos int tls13_setup_key_block(SSL *s) 344 1.1 christos { 345 1.1 christos const EVP_CIPHER *c; 346 1.1 christos const EVP_MD *hash; 347 1.1 christos 348 1.1 christos s->session->cipher = s->s3->tmp.new_cipher; 349 1.1 christos if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, NULL, 0)) { 350 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, 351 1.1 christos SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 352 1.1 christos return 0; 353 1.1 christos } 354 1.1 christos 355 1.1 christos s->s3->tmp.new_sym_enc = c; 356 1.1 christos s->s3->tmp.new_hash = hash; 357 1.1 christos 358 1.1 christos return 1; 359 1.1 christos } 360 1.1 christos 361 1.1 christos static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, 362 1.1 christos const EVP_CIPHER *ciph, 363 1.1 christos const unsigned char *insecret, 364 1.1 christos const unsigned char *hash, 365 1.1 christos const unsigned char *label, 366 1.1 christos size_t labellen, unsigned char *secret, 367 1.1 christos unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx) 368 1.1 christos { 369 1.1 christos unsigned char key[EVP_MAX_KEY_LENGTH]; 370 1.1 christos size_t ivlen, keylen, taglen; 371 1.1 christos int hashleni = EVP_MD_size(md); 372 1.1 christos size_t hashlen; 373 1.1 christos 374 1.1 christos /* Ensure cast to size_t is safe */ 375 1.1 christos if (!ossl_assert(hashleni >= 0)) { 376 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, 377 1.1 christos ERR_R_EVP_LIB); 378 1.1 christos goto err; 379 1.1 christos } 380 1.1 christos hashlen = (size_t)hashleni; 381 1.1 christos 382 1.1 christos if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, 383 1.1 christos secret, hashlen, 1)) { 384 1.1 christos /* SSLfatal() already called */ 385 1.1 christos goto err; 386 1.1 christos } 387 1.1 christos 388 1.1 christos /* TODO(size_t): convert me */ 389 1.1 christos keylen = EVP_CIPHER_key_length(ciph); 390 1.1 christos if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { 391 1.1 christos uint32_t algenc; 392 1.1 christos 393 1.1 christos ivlen = EVP_CCM_TLS_IV_LEN; 394 1.1 christos if (s->s3->tmp.new_cipher != NULL) { 395 1.1 christos algenc = s->s3->tmp.new_cipher->algorithm_enc; 396 1.1 christos } else if (s->session->cipher != NULL) { 397 1.1 christos /* We've not selected a cipher yet - we must be doing early data */ 398 1.1 christos algenc = s->session->cipher->algorithm_enc; 399 1.1 christos } else if (s->psksession != NULL && s->psksession->cipher != NULL) { 400 1.1 christos /* We must be doing early data with out-of-band PSK */ 401 1.1 christos algenc = s->psksession->cipher->algorithm_enc; 402 1.1 christos } else { 403 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, 404 1.1 christos ERR_R_EVP_LIB); 405 1.1 christos goto err; 406 1.1 christos } 407 1.1 christos if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 408 1.1 christos taglen = EVP_CCM8_TLS_TAG_LEN; 409 1.1 christos else 410 1.1 christos taglen = EVP_CCM_TLS_TAG_LEN; 411 1.1 christos } else { 412 1.1 christos ivlen = EVP_CIPHER_iv_length(ciph); 413 1.1 christos taglen = 0; 414 1.1 christos } 415 1.1 christos 416 1.1 christos if (!tls13_derive_key(s, md, secret, key, keylen) 417 1.1 christos || !tls13_derive_iv(s, md, secret, iv, ivlen)) { 418 1.1 christos /* SSLfatal() already called */ 419 1.1 christos goto err; 420 1.1 christos } 421 1.1 christos 422 1.1 christos if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 423 1.1 christos || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) 424 1.1 christos || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, 425 1.1 christos taglen, NULL)) 426 1.1 christos || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { 427 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, 428 1.1 christos ERR_R_EVP_LIB); 429 1.1 christos goto err; 430 1.1 christos } 431 1.1 christos 432 1.1 christos return 1; 433 1.1 christos err: 434 1.1 christos OPENSSL_cleanse(key, sizeof(key)); 435 1.1 christos return 0; 436 1.1 christos } 437 1.1 christos 438 1.1 christos int tls13_change_cipher_state(SSL *s, int which) 439 1.1 christos { 440 1.1 christos #ifdef CHARSET_EBCDIC 441 1.1 christos static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 442 1.1 christos static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 443 1.1 christos static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 444 1.1 christos static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 445 1.1 christos static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 446 1.1 christos static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 447 1.1 christos static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 448 1.1 christos static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 449 1.1 christos #else 450 1.1 christos static const unsigned char client_early_traffic[] = "c e traffic"; 451 1.1 christos static const unsigned char client_handshake_traffic[] = "c hs traffic"; 452 1.1 christos static const unsigned char client_application_traffic[] = "c ap traffic"; 453 1.1 christos static const unsigned char server_handshake_traffic[] = "s hs traffic"; 454 1.1 christos static const unsigned char server_application_traffic[] = "s ap traffic"; 455 1.1 christos static const unsigned char exporter_master_secret[] = "exp master"; 456 1.1 christos static const unsigned char resumption_master_secret[] = "res master"; 457 1.1 christos static const unsigned char early_exporter_master_secret[] = "e exp master"; 458 1.1 christos #endif 459 1.1 christos unsigned char *iv; 460 1.1 christos unsigned char secret[EVP_MAX_MD_SIZE]; 461 1.1 christos unsigned char hashval[EVP_MAX_MD_SIZE]; 462 1.1 christos unsigned char *hash = hashval; 463 1.1 christos unsigned char *insecret; 464 1.1 christos unsigned char *finsecret = NULL; 465 1.1 christos const char *log_label = NULL; 466 1.1 christos EVP_CIPHER_CTX *ciph_ctx; 467 1.1 christos size_t finsecretlen = 0; 468 1.1 christos const unsigned char *label; 469 1.1 christos size_t labellen, hashlen = 0; 470 1.1 christos int ret = 0; 471 1.1 christos const EVP_MD *md = NULL; 472 1.1 christos const EVP_CIPHER *cipher = NULL; 473 1.1 christos 474 1.1 christos if (which & SSL3_CC_READ) { 475 1.1 christos if (s->enc_read_ctx != NULL) { 476 1.1 christos EVP_CIPHER_CTX_reset(s->enc_read_ctx); 477 1.1 christos } else { 478 1.1 christos s->enc_read_ctx = EVP_CIPHER_CTX_new(); 479 1.1 christos if (s->enc_read_ctx == NULL) { 480 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 481 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 482 1.1 christos goto err; 483 1.1 christos } 484 1.1 christos } 485 1.1 christos ciph_ctx = s->enc_read_ctx; 486 1.1 christos iv = s->read_iv; 487 1.1 christos 488 1.1 christos RECORD_LAYER_reset_read_sequence(&s->rlayer); 489 1.1 christos } else { 490 1.1 christos s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 491 1.1 christos if (s->enc_write_ctx != NULL) { 492 1.1 christos EVP_CIPHER_CTX_reset(s->enc_write_ctx); 493 1.1 christos } else { 494 1.1 christos s->enc_write_ctx = EVP_CIPHER_CTX_new(); 495 1.1 christos if (s->enc_write_ctx == NULL) { 496 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 497 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 498 1.1 christos goto err; 499 1.1 christos } 500 1.1 christos } 501 1.1 christos ciph_ctx = s->enc_write_ctx; 502 1.1 christos iv = s->write_iv; 503 1.1 christos 504 1.1 christos RECORD_LAYER_reset_write_sequence(&s->rlayer); 505 1.1 christos } 506 1.1 christos 507 1.1 christos if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) 508 1.1 christos || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { 509 1.1 christos if (which & SSL3_CC_EARLY) { 510 1.1 christos EVP_MD_CTX *mdctx = NULL; 511 1.1 christos long handlen; 512 1.1 christos void *hdata; 513 1.1 christos unsigned int hashlenui; 514 1.1 christos const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); 515 1.1 christos 516 1.1 christos insecret = s->early_secret; 517 1.1 christos label = client_early_traffic; 518 1.1 christos labellen = sizeof(client_early_traffic) - 1; 519 1.1 christos log_label = CLIENT_EARLY_LABEL; 520 1.1 christos 521 1.1 christos handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 522 1.1 christos if (handlen <= 0) { 523 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 524 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, 525 1.1 christos SSL_R_BAD_HANDSHAKE_LENGTH); 526 1.1 christos goto err; 527 1.1 christos } 528 1.1 christos 529 1.1 christos if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 530 1.1 christos && s->max_early_data > 0 531 1.1 christos && s->session->ext.max_early_data == 0) { 532 1.1 christos /* 533 1.1 christos * If we are attempting to send early data, and we've decided to 534 1.1 christos * actually do it but max_early_data in s->session is 0 then we 535 1.1 christos * must be using an external PSK. 536 1.1 christos */ 537 1.1 christos if (!ossl_assert(s->psksession != NULL 538 1.1 christos && s->max_early_data == 539 1.1 christos s->psksession->ext.max_early_data)) { 540 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 541 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, 542 1.1 christos ERR_R_INTERNAL_ERROR); 543 1.1 christos goto err; 544 1.1 christos } 545 1.1 christos sslcipher = SSL_SESSION_get0_cipher(s->psksession); 546 1.1 christos } 547 1.1 christos if (sslcipher == NULL) { 548 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 549 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK); 550 1.1 christos goto err; 551 1.1 christos } 552 1.1 christos 553 1.1 christos /* 554 1.1 christos * We need to calculate the handshake digest using the digest from 555 1.1 christos * the session. We haven't yet selected our ciphersuite so we can't 556 1.1 christos * use ssl_handshake_md(). 557 1.1 christos */ 558 1.1 christos mdctx = EVP_MD_CTX_new(); 559 1.1 christos if (mdctx == NULL) { 560 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 561 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 562 1.1 christos goto err; 563 1.1 christos } 564 1.1 christos cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher)); 565 1.1 christos md = ssl_md(sslcipher->algorithm2); 566 1.1 christos if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) 567 1.1 christos || !EVP_DigestUpdate(mdctx, hdata, handlen) 568 1.1 christos || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { 569 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 570 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 571 1.1 christos EVP_MD_CTX_free(mdctx); 572 1.1 christos goto err; 573 1.1 christos } 574 1.1 christos hashlen = hashlenui; 575 1.1 christos EVP_MD_CTX_free(mdctx); 576 1.1 christos 577 1.1 christos if (!tls13_hkdf_expand(s, md, insecret, 578 1.1 christos early_exporter_master_secret, 579 1.1 christos sizeof(early_exporter_master_secret) - 1, 580 1.1 christos hashval, hashlen, 581 1.1 christos s->early_exporter_master_secret, hashlen, 582 1.1 christos 1)) { 583 1.1 christos SSLfatal(s, SSL_AD_INTERNAL_ERROR, 584 1.1 christos SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 585 1.1 christos goto err; 586 1.1 christos } 587 1.1 christos 588 1.1 christos if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, 589 1.1 christos s->early_exporter_master_secret, hashlen)) { 590 1.1 christos /* SSLfatal() already called */ 591 1.1 christos goto err; 592 1.1 christos } 593 1.1 christos } else if (which & SSL3_CC_HANDSHAKE) { 594 1.1 christos insecret = s->handshake_secret; 595 1.1 christos finsecret = s->client_finished_secret; 596 1.1 christos finsecretlen = EVP_MD_size(ssl_handshake_md(s)); 597 1.1 christos label = client_handshake_traffic; 598 1.1 christos labellen = sizeof(client_handshake_traffic) - 1; 599 1.1 christos log_label = CLIENT_HANDSHAKE_LABEL; 600 1.1 christos /* 601 1.1 christos * The handshake hash used for the server read/client write handshake 602 1.1 christos * traffic secret is the same as the hash for the server 603 1.1 christos * write/client read handshake traffic secret. However, if we 604 1.1 christos * processed early data then we delay changing the server 605 1.1 christos * read/client write cipher state until later, and the handshake 606 1.1 christos * hashes have moved on. Therefore we use the value saved earlier 607 1.1 christos * when we did the server write/client read change cipher state. 608 1.1 christos */ 609 1.1 christos hash = s->handshake_traffic_hash; 610 1.1 christos } else { 611 1.1 christos insecret = s->master_secret; 612 1.1 christos label = client_application_traffic; 613 1.1 christos labellen = sizeof(client_application_traffic) - 1; 614 1.1 christos log_label = CLIENT_APPLICATION_LABEL; 615 1.1 christos /* 616 1.1 christos * For this we only use the handshake hashes up until the server 617 1.1 christos * Finished hash. We do not include the client's Finished, which is 618 1.1 christos * what ssl_handshake_hash() would give us. Instead we use the 619 1.1 christos * previously saved value. 620 1.1 christos */ 621 1.1 christos hash = s->server_finished_hash; 622 1.1 christos } 623 1.1 christos } else { 624 1.1 christos /* Early data never applies to client-read/server-write */ 625 1.1 christos if (which & SSL3_CC_HANDSHAKE) { 626 1.1 christos insecret = s->handshake_secret; 627 1.1 christos finsecret = s->server_finished_secret; 628 1.1 christos finsecretlen = EVP_MD_size(ssl_handshake_md(s)); 629 1.1 christos label = server_handshake_traffic; 630 1.1 christos labellen = sizeof(server_handshake_traffic) - 1; 631 1.1 christos log_label = SERVER_HANDSHAKE_LABEL; 632 1.1 christos } else { 633 1.1 christos insecret = s->master_secret; 634 1.1 christos label = server_application_traffic; 635 1.1 christos labellen = sizeof(server_application_traffic) - 1; 636 1.1 christos log_label = SERVER_APPLICATION_LABEL; 637 1.1 christos } 638 1.1 christos } 639 1.1 christos 640 1.1 christos if (!(which & SSL3_CC_EARLY)) { 641 1.1 christos md = ssl_handshake_md(s); 642 1.1 christos cipher = s->s3->tmp.new_sym_enc; 643 1.1 christos if (!ssl3_digest_cached_records(s, 1) 644 1.1 christos || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { 645 1.1 christos /* SSLfatal() already called */; 646 1.1 christos goto err; 647 1.1 christos } 648 1.1 christos } 649 1.1 christos 650 1.1 christos /* 651 1.1 christos * Save the hash of handshakes up to now for use when we calculate the 652 1.1 christos * client application traffic secret 653 1.1 christos */ 654 1.1 christos if (label == server_application_traffic) 655 1.1 christos memcpy(s->server_finished_hash, hashval, hashlen); 656 1.1 christos 657 1.1 christos if (label == server_handshake_traffic) 658 1.1 christos memcpy(s->handshake_traffic_hash, hashval, hashlen); 659 1.1 christos 660 1.1 christos if (label == client_application_traffic) { 661 1.1 christos /* 662 1.1 christos * We also create the resumption master secret, but this time use the 663 1.1 christos * hash for the whole handshake including the Client Finished 664 1.1 christos */ 665 1.1 christos if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 666 1.1 christos resumption_master_secret, 667 1.1 christos sizeof(resumption_master_secret) - 1, 668 1.1 christos hashval, hashlen, s->resumption_master_secret, 669 1.1 christos hashlen, 1)) { 670 1.1 christos /* SSLfatal() already called */ 671 1.1 christos goto err; 672 1.1 christos } 673 1.1 christos } 674 1.1 christos 675 1.1 christos if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, 676 1.1 christos insecret, hash, label, labellen, secret, iv, 677 1.1 christos ciph_ctx)) { 678 1.1 christos /* SSLfatal() already called */ 679 1.1 christos goto err; 680 1.1 christos } 681 1.1 christos 682 1.1 christos if (label == server_application_traffic) { 683 1.1 christos memcpy(s->server_app_traffic_secret, secret, hashlen); 684 1.1 christos /* Now we create the exporter master secret */ 685 1.1 christos if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 686 1.1 christos exporter_master_secret, 687 1.1 christos sizeof(exporter_master_secret) - 1, 688 1.1 christos hash, hashlen, s->exporter_master_secret, 689 1.1 christos hashlen, 1)) { 690 1.1 christos /* SSLfatal() already called */ 691 1.1 christos goto err; 692 1.1 christos } 693 1.1 christos 694 1.1 christos if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, 695 1.1 christos hashlen)) { 696 1.1 christos /* SSLfatal() already called */ 697 1.1 christos goto err; 698 1.1 christos } 699 1.1 christos } else if (label == client_application_traffic) 700 1.1 christos memcpy(s->client_app_traffic_secret, secret, hashlen); 701 1.1 christos 702 1.1 christos if (!ssl_log_secret(s, log_label, secret, hashlen)) { 703 1.1 christos /* SSLfatal() already called */ 704 1.1 christos goto err; 705 1.1 christos } 706 1.1 christos 707 1.1 christos if (finsecret != NULL 708 1.1 christos && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, 709 1.1 christos finsecret, finsecretlen)) { 710 1.1 christos /* SSLfatal() already called */ 711 1.1 christos goto err; 712 1.1 christos } 713 1.1 christos 714 1.1 christos if (!s->server && label == client_early_traffic) 715 1.1 christos s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; 716 1.1 christos else 717 1.1 christos s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 718 1.1 christos ret = 1; 719 1.1 christos err: 720 1.1 christos OPENSSL_cleanse(secret, sizeof(secret)); 721 1.1 christos return ret; 722 1.1 christos } 723 1.1 christos 724 1.1 christos int tls13_update_key(SSL *s, int sending) 725 1.1 christos { 726 1.1 christos #ifdef CHARSET_EBCDIC 727 1.1 christos static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00}; 728 1.1 christos #else 729 1.1 christos static const unsigned char application_traffic[] = "traffic upd"; 730 1.1 christos #endif 731 1.1 christos const EVP_MD *md = ssl_handshake_md(s); 732 1.1 christos size_t hashlen = EVP_MD_size(md); 733 1.1 christos unsigned char *insecret, *iv; 734 1.1 christos unsigned char secret[EVP_MAX_MD_SIZE]; 735 1.1 christos EVP_CIPHER_CTX *ciph_ctx; 736 1.1 christos int ret = 0; 737 1.1 christos 738 1.1 christos if (s->server == sending) 739 1.1 christos insecret = s->server_app_traffic_secret; 740 1.1 christos else 741 1.1 christos insecret = s->client_app_traffic_secret; 742 1.1 christos 743 1.1 christos if (sending) { 744 1.1 christos s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 745 1.1 christos iv = s->write_iv; 746 1.1 christos ciph_ctx = s->enc_write_ctx; 747 1.1 christos RECORD_LAYER_reset_write_sequence(&s->rlayer); 748 1.1 christos } else { 749 1.1 christos iv = s->read_iv; 750 1.1 christos ciph_ctx = s->enc_read_ctx; 751 1.1 christos RECORD_LAYER_reset_read_sequence(&s->rlayer); 752 1.1 christos } 753 1.1 christos 754 1.1 christos if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), 755 1.1 christos s->s3->tmp.new_sym_enc, insecret, NULL, 756 1.1 christos application_traffic, 757 1.1 christos sizeof(application_traffic) - 1, secret, iv, 758 1.1 christos ciph_ctx)) { 759 1.1 christos /* SSLfatal() already called */ 760 1.1 christos goto err; 761 1.1 christos } 762 1.1 christos 763 1.1 christos memcpy(insecret, secret, hashlen); 764 1.1 christos 765 1.1 christos s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 766 1.1 christos ret = 1; 767 1.1 christos err: 768 1.1 christos OPENSSL_cleanse(secret, sizeof(secret)); 769 1.1 christos return ret; 770 1.1 christos } 771 1.1 christos 772 1.1 christos int tls13_alert_code(int code) 773 1.1 christos { 774 1.1 christos /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ 775 1.1 christos if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) 776 1.1 christos return code; 777 1.1 christos 778 1.1 christos return tls1_alert_code(code); 779 1.1 christos } 780 1.1 christos 781 1.1 christos int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, 782 1.1 christos const char *label, size_t llen, 783 1.1 christos const unsigned char *context, 784 1.1 christos size_t contextlen, int use_context) 785 1.1 christos { 786 1.1 christos unsigned char exportsecret[EVP_MAX_MD_SIZE]; 787 1.1 christos #ifdef CHARSET_EBCDIC 788 1.1 christos static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; 789 1.1 christos #else 790 1.1 christos static const unsigned char exporterlabel[] = "exporter"; 791 1.1 christos #endif 792 1.1 christos unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 793 1.1 christos const EVP_MD *md = ssl_handshake_md(s); 794 1.1 christos EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 795 1.1 christos unsigned int hashsize, datalen; 796 1.1 christos int ret = 0; 797 1.1 christos 798 1.1 christos if (ctx == NULL || !ossl_statem_export_allowed(s)) 799 1.1 christos goto err; 800 1.1 christos 801 1.1 christos if (!use_context) 802 1.1 christos contextlen = 0; 803 1.1 christos 804 1.1 christos if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 805 1.1 christos || EVP_DigestUpdate(ctx, context, contextlen) <= 0 806 1.1 christos || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 807 1.1 christos || EVP_DigestInit_ex(ctx, md, NULL) <= 0 808 1.1 christos || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 809 1.1 christos || !tls13_hkdf_expand(s, md, s->exporter_master_secret, 810 1.1 christos (const unsigned char *)label, llen, 811 1.1 christos data, datalen, exportsecret, hashsize, 0) 812 1.1 christos || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 813 1.1 christos sizeof(exporterlabel) - 1, hash, hashsize, 814 1.1 christos out, olen, 0)) 815 1.1 christos goto err; 816 1.1 christos 817 1.1 christos ret = 1; 818 1.1 christos err: 819 1.1 christos EVP_MD_CTX_free(ctx); 820 1.1 christos return ret; 821 1.1 christos } 822 1.1 christos 823 1.1 christos int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, 824 1.1 christos const char *label, size_t llen, 825 1.1 christos const unsigned char *context, 826 1.1 christos size_t contextlen) 827 1.1 christos { 828 1.1 christos #ifdef CHARSET_EBCDIC 829 1.1 christos static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; 830 1.1 christos #else 831 1.1 christos static const unsigned char exporterlabel[] = "exporter"; 832 1.1 christos #endif 833 1.1 christos unsigned char exportsecret[EVP_MAX_MD_SIZE]; 834 1.1 christos unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 835 1.1 christos const EVP_MD *md; 836 1.1 christos EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 837 1.1 christos unsigned int hashsize, datalen; 838 1.1 christos int ret = 0; 839 1.1 christos const SSL_CIPHER *sslcipher; 840 1.1 christos 841 1.1 christos if (ctx == NULL || !ossl_statem_export_early_allowed(s)) 842 1.1 christos goto err; 843 1.1 christos 844 1.1 christos if (!s->server && s->max_early_data > 0 845 1.1 christos && s->session->ext.max_early_data == 0) 846 1.1 christos sslcipher = SSL_SESSION_get0_cipher(s->psksession); 847 1.1 christos else 848 1.1 christos sslcipher = SSL_SESSION_get0_cipher(s->session); 849 1.1 christos 850 1.1 christos md = ssl_md(sslcipher->algorithm2); 851 1.1 christos 852 1.1 christos /* 853 1.1 christos * Calculate the hash value and store it in |data|. The reason why 854 1.1 christos * the empty string is used is that the definition of TLS-Exporter 855 1.1 christos * is like so: 856 1.1 christos * 857 1.1 christos * TLS-Exporter(label, context_value, key_length) = 858 1.1 christos * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), 859 1.1 christos * "exporter", Hash(context_value), key_length) 860 1.1 christos * 861 1.1 christos * Derive-Secret(Secret, Label, Messages) = 862 1.1 christos * HKDF-Expand-Label(Secret, Label, 863 1.1 christos * Transcript-Hash(Messages), Hash.length) 864 1.1 christos * 865 1.1 christos * Here Transcript-Hash is the cipher suite hash algorithm. 866 1.1 christos */ 867 1.1 christos if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 868 1.1 christos || EVP_DigestUpdate(ctx, context, contextlen) <= 0 869 1.1 christos || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 870 1.1 christos || EVP_DigestInit_ex(ctx, md, NULL) <= 0 871 1.1 christos || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 872 1.1 christos || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, 873 1.1 christos (const unsigned char *)label, llen, 874 1.1 christos data, datalen, exportsecret, hashsize, 0) 875 1.1 christos || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 876 1.1 christos sizeof(exporterlabel) - 1, hash, hashsize, 877 1.1 christos out, olen, 0)) 878 1.1 christos goto err; 879 1.1 christos 880 1.1 christos ret = 1; 881 1.1 christos err: 882 1.1 christos EVP_MD_CTX_free(ctx); 883 1.1 christos return ret; 884 1.1 christos } 885
Indexes created Sun Jun 28 00:24:58 UTC 2026