1 /* 2 * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdlib.h> 11 #include "ssl_locl.h" 12 #include "internal/cryptlib.h" 13 #include <openssl/evp.h> 14 #include <openssl/kdf.h> 15 16 #define TLS13_MAX_LABEL_LEN 246 17 18 /* Always filled with zeros */ 19 static const unsigned char default_zeros[EVP_MAX_MD_SIZE]; 20 21 /* 22 * Given a |secret|; a |label| of length |labellen|; and |data| of length 23 * |datalen| (e.g. typically a hash of the handshake messages), derive a new 24 * secret |outlen| bytes long and store it in the location pointed to be |out|. 25 * The |data| value may be zero length. Returns 1 on success 0 on failure. 26 */ 27 int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, 28 const unsigned char *label, size_t labellen, 29 const unsigned char *data, size_t datalen, 30 unsigned char *out, size_t outlen) 31 { 32 const unsigned char label_prefix[] = "tls13 "; 33 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); 34 int ret; 35 size_t hkdflabellen; 36 size_t hashlen; 37 /* 38 * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined 39 * prefix and label + bytes for the label itself + bytes for the hash 40 */ 41 unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + 42 + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN 43 + EVP_MAX_MD_SIZE]; 44 WPACKET pkt; 45 46 if (pctx == NULL) 47 return 0; 48 49 hashlen = EVP_MD_size(md); 50 51 if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) 52 || !WPACKET_put_bytes_u16(&pkt, outlen) 53 || !WPACKET_start_sub_packet_u8(&pkt) 54 || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1) 55 || !WPACKET_memcpy(&pkt, label, labellen) 56 || !WPACKET_close(&pkt) 57 || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) 58 || !WPACKET_get_total_written(&pkt, &hkdflabellen) 59 || !WPACKET_finish(&pkt)) { 60 EVP_PKEY_CTX_free(pctx); 61 WPACKET_cleanup(&pkt); 62 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, 63 ERR_R_INTERNAL_ERROR); 64 return 0; 65 } 66 67 ret = EVP_PKEY_derive_init(pctx) <= 0 68 || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) 69 <= 0 70 || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 71 || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0 72 || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0 73 || EVP_PKEY_derive(pctx, out, &outlen) <= 0; 74 75 EVP_PKEY_CTX_free(pctx); 76 77 if (ret != 0) 78 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, 79 ERR_R_INTERNAL_ERROR); 80 81 return ret == 0; 82 } 83 84 /* 85 * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on 86 * success 0 on failure. 87 */ 88 int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, 89 unsigned char *key, size_t keylen) 90 { 91 static const unsigned char keylabel[] = "key"; 92 93 return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, 94 NULL, 0, key, keylen); 95 } 96 97 /* 98 * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on 99 * success 0 on failure. 100 */ 101 int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, 102 unsigned char *iv, size_t ivlen) 103 { 104 static const unsigned char ivlabel[] = "iv"; 105 106 return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, 107 NULL, 0, iv, ivlen); 108 } 109 110 int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, 111 const unsigned char *secret, 112 unsigned char *fin, size_t finlen) 113 { 114 static const unsigned char finishedlabel[] = "finished"; 115 116 return tls13_hkdf_expand(s, md, secret, finishedlabel, 117 sizeof(finishedlabel) - 1, NULL, 0, fin, finlen); 118 } 119 120 /* 121 * Given the previous secret |prevsecret| and a new input secret |insecret| of 122 * length |insecretlen|, generate a new secret and store it in the location 123 * pointed to by |outsecret|. Returns 1 on success 0 on failure. 124 */ 125 int tls13_generate_secret(SSL *s, const EVP_MD *md, 126 const unsigned char *prevsecret, 127 const unsigned char *insecret, 128 size_t insecretlen, 129 unsigned char *outsecret) 130 { 131 size_t mdlen, prevsecretlen; 132 int mdleni; 133 int ret; 134 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); 135 static const char derived_secret_label[] = "derived"; 136 unsigned char preextractsec[EVP_MAX_MD_SIZE]; 137 138 if (pctx == NULL) { 139 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 140 ERR_R_INTERNAL_ERROR); 141 return 0; 142 } 143 144 mdleni = EVP_MD_size(md); 145 /* Ensure cast to size_t is safe */ 146 if (!ossl_assert(mdleni >= 0)) { 147 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 148 ERR_R_INTERNAL_ERROR); 149 return 0; 150 } 151 mdlen = (size_t)mdleni; 152 153 if (insecret == NULL) { 154 insecret = default_zeros; 155 insecretlen = mdlen; 156 } 157 if (prevsecret == NULL) { 158 prevsecret = default_zeros; 159 prevsecretlen = 0; 160 } else { 161 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 162 unsigned char hash[EVP_MAX_MD_SIZE]; 163 164 /* The pre-extract derive step uses a hash of no messages */ 165 if (mctx == NULL 166 || EVP_DigestInit_ex(mctx, md, NULL) <= 0 167 || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) { 168 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 169 ERR_R_INTERNAL_ERROR); 170 EVP_MD_CTX_free(mctx); 171 EVP_PKEY_CTX_free(pctx); 172 return 0; 173 } 174 EVP_MD_CTX_free(mctx); 175 176 /* Generate the pre-extract secret */ 177 if (!tls13_hkdf_expand(s, md, prevsecret, 178 (unsigned char *)derived_secret_label, 179 sizeof(derived_secret_label) - 1, hash, mdlen, 180 preextractsec, mdlen)) { 181 /* SSLfatal() already called */ 182 EVP_PKEY_CTX_free(pctx); 183 return 0; 184 } 185 186 prevsecret = preextractsec; 187 prevsecretlen = mdlen; 188 } 189 190 ret = EVP_PKEY_derive_init(pctx) <= 0 191 || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) 192 <= 0 193 || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 194 || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0 195 || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen) 196 <= 0 197 || EVP_PKEY_derive(pctx, outsecret, &mdlen) 198 <= 0; 199 200 if (ret != 0) 201 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET, 202 ERR_R_INTERNAL_ERROR); 203 204 EVP_PKEY_CTX_free(pctx); 205 if (prevsecret == preextractsec) 206 OPENSSL_cleanse(preextractsec, mdlen); 207 return ret == 0; 208 } 209 210 /* 211 * Given an input secret |insecret| of length |insecretlen| generate the 212 * handshake secret. This requires the early secret to already have been 213 * generated. Returns 1 on success 0 on failure. 214 */ 215 int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, 216 size_t insecretlen) 217 { 218 /* Calls SSLfatal() if required */ 219 return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, 220 insecret, insecretlen, 221 (unsigned char *)&s->handshake_secret); 222 } 223 224 /* 225 * Given the handshake secret |prev| of length |prevlen| generate the master 226 * secret and store its length in |*secret_size|. Returns 1 on success 0 on 227 * failure. 228 */ 229 int tls13_generate_master_secret(SSL *s, unsigned char *out, 230 unsigned char *prev, size_t prevlen, 231 size_t *secret_size) 232 { 233 const EVP_MD *md = ssl_handshake_md(s); 234 235 *secret_size = EVP_MD_size(md); 236 /* Calls SSLfatal() if required */ 237 return tls13_generate_secret(s, md, prev, NULL, 0, out); 238 } 239 240 /* 241 * Generates the mac for the Finished message. Returns the length of the MAC or 242 * 0 on error. 243 */ 244 size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, 245 unsigned char *out) 246 { 247 const EVP_MD *md = ssl_handshake_md(s); 248 unsigned char hash[EVP_MAX_MD_SIZE]; 249 size_t hashlen, ret = 0; 250 EVP_PKEY *key = NULL; 251 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 252 253 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 254 /* SSLfatal() already called */ 255 goto err; 256 } 257 258 if (str == s->method->ssl3_enc->server_finished_label) { 259 key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, 260 s->server_finished_secret, hashlen); 261 } else if (SSL_IS_FIRST_HANDSHAKE(s)) { 262 key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, 263 s->client_finished_secret, hashlen); 264 } else { 265 unsigned char finsecret[EVP_MAX_MD_SIZE]; 266 267 if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), 268 s->client_app_traffic_secret, 269 finsecret, hashlen)) 270 goto err; 271 272 key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret, 273 hashlen); 274 OPENSSL_cleanse(finsecret, sizeof(finsecret)); 275 } 276 277 if (key == NULL 278 || ctx == NULL 279 || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0 280 || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0 281 || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) { 282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC, 283 ERR_R_INTERNAL_ERROR); 284 goto err; 285 } 286 287 ret = hashlen; 288 err: 289 EVP_PKEY_free(key); 290 EVP_MD_CTX_free(ctx); 291 return ret; 292 } 293 294 /* 295 * There isn't really a key block in TLSv1.3, but we still need this function 296 * for initialising the cipher and hash. Returns 1 on success or 0 on failure. 297 */ 298 int tls13_setup_key_block(SSL *s) 299 { 300 const EVP_CIPHER *c; 301 const EVP_MD *hash; 302 int mac_type = NID_undef; 303 304 s->session->cipher = s->s3->tmp.new_cipher; 305 if (!ssl_cipher_get_evp 306 (s->session, &c, &hash, &mac_type, NULL, NULL, 0)) { 307 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK, 308 SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 309 return 0; 310 } 311 312 s->s3->tmp.new_sym_enc = c; 313 s->s3->tmp.new_hash = hash; 314 315 return 1; 316 } 317 318 static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, 319 const EVP_CIPHER *ciph, 320 const unsigned char *insecret, 321 const unsigned char *hash, 322 const unsigned char *label, 323 size_t labellen, unsigned char *secret, 324 unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx) 325 { 326 unsigned char key[EVP_MAX_KEY_LENGTH]; 327 size_t ivlen, keylen, taglen; 328 int hashleni = EVP_MD_size(md); 329 size_t hashlen; 330 331 /* Ensure cast to size_t is safe */ 332 if (!ossl_assert(hashleni >= 0)) { 333 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, 334 ERR_R_EVP_LIB); 335 goto err; 336 } 337 hashlen = (size_t)hashleni; 338 339 if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, 340 secret, hashlen)) { 341 /* SSLfatal() already called */ 342 goto err; 343 } 344 345 /* TODO(size_t): convert me */ 346 keylen = EVP_CIPHER_key_length(ciph); 347 if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { 348 uint32_t algenc; 349 350 ivlen = EVP_CCM_TLS_IV_LEN; 351 if (s->s3->tmp.new_cipher == NULL) { 352 /* We've not selected a cipher yet - we must be doing early data */ 353 algenc = s->session->cipher->algorithm_enc; 354 } else { 355 algenc = s->s3->tmp.new_cipher->algorithm_enc; 356 } 357 if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 358 taglen = EVP_CCM8_TLS_TAG_LEN; 359 else 360 taglen = EVP_CCM_TLS_TAG_LEN; 361 } else { 362 ivlen = EVP_CIPHER_iv_length(ciph); 363 taglen = 0; 364 } 365 366 if (!tls13_derive_key(s, md, secret, key, keylen) 367 || !tls13_derive_iv(s, md, secret, iv, ivlen)) { 368 /* SSLfatal() already called */ 369 goto err; 370 } 371 372 if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 373 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) 374 || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, 375 taglen, NULL)) 376 || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { 377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, 378 ERR_R_EVP_LIB); 379 goto err; 380 } 381 382 return 1; 383 err: 384 OPENSSL_cleanse(key, sizeof(key)); 385 return 0; 386 } 387 388 int tls13_change_cipher_state(SSL *s, int which) 389 { 390 static const unsigned char client_early_traffic[] = "c e traffic"; 391 static const unsigned char client_handshake_traffic[] = "c hs traffic"; 392 static const unsigned char client_application_traffic[] = "c ap traffic"; 393 static const unsigned char server_handshake_traffic[] = "s hs traffic"; 394 static const unsigned char server_application_traffic[] = "s ap traffic"; 395 static const unsigned char exporter_master_secret[] = "exp master"; 396 static const unsigned char resumption_master_secret[] = "res master"; 397 static const unsigned char early_exporter_master_secret[] = "e exp master"; 398 unsigned char *iv; 399 unsigned char secret[EVP_MAX_MD_SIZE]; 400 unsigned char hashval[EVP_MAX_MD_SIZE]; 401 unsigned char *hash = hashval; 402 unsigned char *insecret; 403 unsigned char *finsecret = NULL; 404 const char *log_label = NULL; 405 EVP_CIPHER_CTX *ciph_ctx; 406 size_t finsecretlen = 0; 407 const unsigned char *label; 408 size_t labellen, hashlen = 0; 409 int ret = 0; 410 const EVP_MD *md = NULL; 411 const EVP_CIPHER *cipher = NULL; 412 413 if (which & SSL3_CC_READ) { 414 if (s->enc_read_ctx != NULL) { 415 EVP_CIPHER_CTX_reset(s->enc_read_ctx); 416 } else { 417 s->enc_read_ctx = EVP_CIPHER_CTX_new(); 418 if (s->enc_read_ctx == NULL) { 419 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 420 SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 421 goto err; 422 } 423 } 424 ciph_ctx = s->enc_read_ctx; 425 iv = s->read_iv; 426 427 RECORD_LAYER_reset_read_sequence(&s->rlayer); 428 } else { 429 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 430 if (s->enc_write_ctx != NULL) { 431 EVP_CIPHER_CTX_reset(s->enc_write_ctx); 432 } else { 433 s->enc_write_ctx = EVP_CIPHER_CTX_new(); 434 if (s->enc_write_ctx == NULL) { 435 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 436 SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 437 goto err; 438 } 439 } 440 ciph_ctx = s->enc_write_ctx; 441 iv = s->write_iv; 442 443 RECORD_LAYER_reset_write_sequence(&s->rlayer); 444 } 445 446 if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) 447 || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { 448 if (which & SSL3_CC_EARLY) { 449 EVP_MD_CTX *mdctx = NULL; 450 long handlen; 451 void *hdata; 452 unsigned int hashlenui; 453 const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); 454 455 insecret = s->early_secret; 456 label = client_early_traffic; 457 labellen = sizeof(client_early_traffic) - 1; 458 log_label = CLIENT_EARLY_LABEL; 459 460 handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 461 if (handlen <= 0) { 462 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 463 SSL_F_TLS13_CHANGE_CIPHER_STATE, 464 SSL_R_BAD_HANDSHAKE_LENGTH); 465 goto err; 466 } 467 468 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 469 && s->max_early_data > 0 470 && s->session->ext.max_early_data == 0) { 471 /* 472 * If we are attempting to send early data, and we've decided to 473 * actually do it but max_early_data in s->session is 0 then we 474 * must be using an external PSK. 475 */ 476 if (!ossl_assert(s->psksession != NULL 477 && s->max_early_data == 478 s->psksession->ext.max_early_data)) { 479 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 480 SSL_F_TLS13_CHANGE_CIPHER_STATE, 481 ERR_R_INTERNAL_ERROR); 482 goto err; 483 } 484 sslcipher = SSL_SESSION_get0_cipher(s->psksession); 485 } 486 if (sslcipher == NULL) { 487 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 488 SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK); 489 goto err; 490 } 491 492 /* 493 * We need to calculate the handshake digest using the digest from 494 * the session. We haven't yet selected our ciphersuite so we can't 495 * use ssl_handshake_md(). 496 */ 497 mdctx = EVP_MD_CTX_new(); 498 if (mdctx == NULL) { 499 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 500 SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 501 goto err; 502 } 503 cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher)); 504 md = ssl_md(sslcipher->algorithm2); 505 if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) 506 || !EVP_DigestUpdate(mdctx, hdata, handlen) 507 || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { 508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 509 SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 510 EVP_MD_CTX_free(mdctx); 511 goto err; 512 } 513 hashlen = hashlenui; 514 EVP_MD_CTX_free(mdctx); 515 516 if (!tls13_hkdf_expand(s, md, insecret, 517 early_exporter_master_secret, 518 sizeof(early_exporter_master_secret) - 1, 519 hashval, hashlen, 520 s->early_exporter_master_secret, hashlen)) { 521 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 522 SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 523 goto err; 524 } 525 526 if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, 527 s->early_exporter_master_secret, hashlen)) { 528 /* SSLfatal() already called */ 529 goto err; 530 } 531 } else if (which & SSL3_CC_HANDSHAKE) { 532 insecret = s->handshake_secret; 533 finsecret = s->client_finished_secret; 534 finsecretlen = EVP_MD_size(ssl_handshake_md(s)); 535 label = client_handshake_traffic; 536 labellen = sizeof(client_handshake_traffic) - 1; 537 log_label = CLIENT_HANDSHAKE_LABEL; 538 /* 539 * The handshake hash used for the server read/client write handshake 540 * traffic secret is the same as the hash for the server 541 * write/client read handshake traffic secret. However, if we 542 * processed early data then we delay changing the server 543 * read/client write cipher state until later, and the handshake 544 * hashes have moved on. Therefore we use the value saved earlier 545 * when we did the server write/client read change cipher state. 546 */ 547 hash = s->handshake_traffic_hash; 548 } else { 549 insecret = s->master_secret; 550 label = client_application_traffic; 551 labellen = sizeof(client_application_traffic) - 1; 552 log_label = CLIENT_APPLICATION_LABEL; 553 /* 554 * For this we only use the handshake hashes up until the server 555 * Finished hash. We do not include the client's Finished, which is 556 * what ssl_handshake_hash() would give us. Instead we use the 557 * previously saved value. 558 */ 559 hash = s->server_finished_hash; 560 } 561 } else { 562 /* Early data never applies to client-read/server-write */ 563 if (which & SSL3_CC_HANDSHAKE) { 564 insecret = s->handshake_secret; 565 finsecret = s->server_finished_secret; 566 finsecretlen = EVP_MD_size(ssl_handshake_md(s)); 567 label = server_handshake_traffic; 568 labellen = sizeof(server_handshake_traffic) - 1; 569 log_label = SERVER_HANDSHAKE_LABEL; 570 } else { 571 insecret = s->master_secret; 572 label = server_application_traffic; 573 labellen = sizeof(server_application_traffic) - 1; 574 log_label = SERVER_APPLICATION_LABEL; 575 } 576 } 577 578 if (!(which & SSL3_CC_EARLY)) { 579 md = ssl_handshake_md(s); 580 cipher = s->s3->tmp.new_sym_enc; 581 if (!ssl3_digest_cached_records(s, 1) 582 || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { 583 /* SSLfatal() already called */; 584 goto err; 585 } 586 } 587 588 /* 589 * Save the hash of handshakes up to now for use when we calculate the 590 * client application traffic secret 591 */ 592 if (label == server_application_traffic) 593 memcpy(s->server_finished_hash, hashval, hashlen); 594 595 if (label == server_handshake_traffic) 596 memcpy(s->handshake_traffic_hash, hashval, hashlen); 597 598 if (label == client_application_traffic) { 599 /* 600 * We also create the resumption master secret, but this time use the 601 * hash for the whole handshake including the Client Finished 602 */ 603 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 604 resumption_master_secret, 605 sizeof(resumption_master_secret) - 1, 606 hashval, hashlen, s->resumption_master_secret, 607 hashlen)) { 608 /* SSLfatal() already called */ 609 goto err; 610 } 611 } 612 613 if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, 614 insecret, hash, label, labellen, secret, iv, 615 ciph_ctx)) { 616 /* SSLfatal() already called */ 617 goto err; 618 } 619 620 if (label == server_application_traffic) { 621 memcpy(s->server_app_traffic_secret, secret, hashlen); 622 /* Now we create the exporter master secret */ 623 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 624 exporter_master_secret, 625 sizeof(exporter_master_secret) - 1, 626 hash, hashlen, s->exporter_master_secret, 627 hashlen)) { 628 /* SSLfatal() already called */ 629 goto err; 630 } 631 632 if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, 633 hashlen)) { 634 /* SSLfatal() already called */ 635 goto err; 636 } 637 } else if (label == client_application_traffic) 638 memcpy(s->client_app_traffic_secret, secret, hashlen); 639 640 if (!ssl_log_secret(s, log_label, secret, hashlen)) { 641 /* SSLfatal() already called */ 642 goto err; 643 } 644 645 if (finsecret != NULL 646 && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, 647 finsecret, finsecretlen)) { 648 /* SSLfatal() already called */ 649 goto err; 650 } 651 652 if (!s->server && label == client_early_traffic) 653 s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; 654 else 655 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 656 ret = 1; 657 err: 658 OPENSSL_cleanse(secret, sizeof(secret)); 659 return ret; 660 } 661 662 int tls13_update_key(SSL *s, int sending) 663 { 664 static const unsigned char application_traffic[] = "traffic upd"; 665 const EVP_MD *md = ssl_handshake_md(s); 666 size_t hashlen = EVP_MD_size(md); 667 unsigned char *insecret, *iv; 668 unsigned char secret[EVP_MAX_MD_SIZE]; 669 EVP_CIPHER_CTX *ciph_ctx; 670 int ret = 0; 671 672 if (s->server == sending) 673 insecret = s->server_app_traffic_secret; 674 else 675 insecret = s->client_app_traffic_secret; 676 677 if (sending) { 678 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 679 iv = s->write_iv; 680 ciph_ctx = s->enc_write_ctx; 681 RECORD_LAYER_reset_write_sequence(&s->rlayer); 682 } else { 683 iv = s->read_iv; 684 ciph_ctx = s->enc_read_ctx; 685 RECORD_LAYER_reset_read_sequence(&s->rlayer); 686 } 687 688 if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), 689 s->s3->tmp.new_sym_enc, insecret, NULL, 690 application_traffic, 691 sizeof(application_traffic) - 1, secret, iv, 692 ciph_ctx)) { 693 /* SSLfatal() already called */ 694 goto err; 695 } 696 697 memcpy(insecret, secret, hashlen); 698 699 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 700 ret = 1; 701 err: 702 OPENSSL_cleanse(secret, sizeof(secret)); 703 return ret; 704 } 705 706 int tls13_alert_code(int code) 707 { 708 /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ 709 if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) 710 return code; 711 712 return tls1_alert_code(code); 713 } 714 715 int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, 716 const char *label, size_t llen, 717 const unsigned char *context, 718 size_t contextlen, int use_context) 719 { 720 unsigned char exportsecret[EVP_MAX_MD_SIZE]; 721 static const unsigned char exporterlabel[] = "exporter"; 722 unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 723 const EVP_MD *md = ssl_handshake_md(s); 724 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 725 unsigned int hashsize, datalen; 726 int ret = 0; 727 728 if (ctx == NULL || !ossl_statem_export_allowed(s)) 729 goto err; 730 731 if (!use_context) 732 contextlen = 0; 733 734 if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 735 || EVP_DigestUpdate(ctx, context, contextlen) <= 0 736 || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 737 || EVP_DigestInit_ex(ctx, md, NULL) <= 0 738 || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 739 || !tls13_hkdf_expand(s, md, s->exporter_master_secret, 740 (const unsigned char *)label, llen, 741 data, datalen, exportsecret, hashsize) 742 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 743 sizeof(exporterlabel) - 1, hash, hashsize, 744 out, olen)) 745 goto err; 746 747 ret = 1; 748 err: 749 EVP_MD_CTX_free(ctx); 750 return ret; 751 } 752 753 int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, 754 const char *label, size_t llen, 755 const unsigned char *context, 756 size_t contextlen) 757 { 758 static const unsigned char exporterlabel[] = "exporter"; 759 unsigned char exportsecret[EVP_MAX_MD_SIZE]; 760 unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 761 const EVP_MD *md; 762 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 763 unsigned int hashsize, datalen; 764 int ret = 0; 765 const SSL_CIPHER *sslcipher; 766 767 if (ctx == NULL || !ossl_statem_export_early_allowed(s)) 768 goto err; 769 770 if (!s->server && s->max_early_data > 0 771 && s->session->ext.max_early_data == 0) 772 sslcipher = SSL_SESSION_get0_cipher(s->psksession); 773 else 774 sslcipher = SSL_SESSION_get0_cipher(s->session); 775 776 md = ssl_md(sslcipher->algorithm2); 777 778 /* 779 * Calculate the hash value and store it in |data|. The reason why 780 * the empty string is used is that the definition of TLS-Exporter 781 * is like so: 782 * 783 * TLS-Exporter(label, context_value, key_length) = 784 * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), 785 * "exporter", Hash(context_value), key_length) 786 * 787 * Derive-Secret(Secret, Label, Messages) = 788 * HKDF-Expand-Label(Secret, Label, 789 * Transcript-Hash(Messages), Hash.length) 790 * 791 * Here Transcript-Hash is the cipher suite hash algorithm. 792 */ 793 if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 794 || EVP_DigestUpdate(ctx, context, contextlen) <= 0 795 || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 796 || EVP_DigestInit_ex(ctx, md, NULL) <= 0 797 || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 798 || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, 799 (const unsigned char *)label, llen, 800 data, datalen, exportsecret, hashsize) 801 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 802 sizeof(exporterlabel) - 1, hash, hashsize, 803 out, olen)) 804 goto err; 805 806 ret = 1; 807 err: 808 EVP_MD_CTX_free(ctx); 809 return ret; 810 } 811