1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * 4e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 5e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 6e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 7e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 8e1051a39Sopenharmony_ci */ 9e1051a39Sopenharmony_ci 10e1051a39Sopenharmony_ci#include <stdlib.h> 11e1051a39Sopenharmony_ci#include "ssl_local.h" 12e1051a39Sopenharmony_ci#include "internal/ktls.h" 13e1051a39Sopenharmony_ci#include "record/record_local.h" 14e1051a39Sopenharmony_ci#include "internal/cryptlib.h" 15e1051a39Sopenharmony_ci#include <openssl/evp.h> 16e1051a39Sopenharmony_ci#include <openssl/kdf.h> 17e1051a39Sopenharmony_ci#include <openssl/core_names.h> 18e1051a39Sopenharmony_ci 19e1051a39Sopenharmony_ci#define TLS13_MAX_LABEL_LEN 249 20e1051a39Sopenharmony_ci 21e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 22e1051a39Sopenharmony_cistatic const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 }; 23e1051a39Sopenharmony_ci#else 24e1051a39Sopenharmony_cistatic const unsigned char label_prefix[] = "tls13 "; 25e1051a39Sopenharmony_ci#endif 26e1051a39Sopenharmony_ci 27e1051a39Sopenharmony_ci/* 28e1051a39Sopenharmony_ci * Given a |secret|; a |label| of length |labellen|; and |data| of length 29e1051a39Sopenharmony_ci * |datalen| (e.g. typically a hash of the handshake messages), derive a new 30e1051a39Sopenharmony_ci * secret |outlen| bytes long and store it in the location pointed to be |out|. 31e1051a39Sopenharmony_ci * The |data| value may be zero length. Any errors will be treated as fatal if 32e1051a39Sopenharmony_ci * |fatal| is set. Returns 1 on success 0 on failure. 33e1051a39Sopenharmony_ci */ 34e1051a39Sopenharmony_ciint tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, 35e1051a39Sopenharmony_ci const unsigned char *label, size_t labellen, 36e1051a39Sopenharmony_ci const unsigned char *data, size_t datalen, 37e1051a39Sopenharmony_ci unsigned char *out, size_t outlen, int fatal) 38e1051a39Sopenharmony_ci{ 39e1051a39Sopenharmony_ci EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, 40e1051a39Sopenharmony_ci s->ctx->propq); 41e1051a39Sopenharmony_ci EVP_KDF_CTX *kctx; 42e1051a39Sopenharmony_ci OSSL_PARAM params[7], *p = params; 43e1051a39Sopenharmony_ci int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; 44e1051a39Sopenharmony_ci const char *mdname = EVP_MD_get0_name(md); 45e1051a39Sopenharmony_ci int ret; 46e1051a39Sopenharmony_ci size_t hashlen; 47e1051a39Sopenharmony_ci 48e1051a39Sopenharmony_ci kctx = EVP_KDF_CTX_new(kdf); 49e1051a39Sopenharmony_ci EVP_KDF_free(kdf); 50e1051a39Sopenharmony_ci if (kctx == NULL) 51e1051a39Sopenharmony_ci return 0; 52e1051a39Sopenharmony_ci 53e1051a39Sopenharmony_ci if (labellen > TLS13_MAX_LABEL_LEN) { 54e1051a39Sopenharmony_ci if (fatal) { 55e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 56e1051a39Sopenharmony_ci } else { 57e1051a39Sopenharmony_ci /* 58e1051a39Sopenharmony_ci * Probably we have been called from SSL_export_keying_material(), 59e1051a39Sopenharmony_ci * or SSL_export_keying_material_early(). 60e1051a39Sopenharmony_ci */ 61e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 62e1051a39Sopenharmony_ci } 63e1051a39Sopenharmony_ci EVP_KDF_CTX_free(kctx); 64e1051a39Sopenharmony_ci return 0; 65e1051a39Sopenharmony_ci } 66e1051a39Sopenharmony_ci 67e1051a39Sopenharmony_ci if ((ret = EVP_MD_get_size(md)) <= 0) { 68e1051a39Sopenharmony_ci EVP_KDF_CTX_free(kctx); 69e1051a39Sopenharmony_ci if (fatal) 70e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 71e1051a39Sopenharmony_ci else 72e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 73e1051a39Sopenharmony_ci return 0; 74e1051a39Sopenharmony_ci } 75e1051a39Sopenharmony_ci hashlen = (size_t)ret; 76e1051a39Sopenharmony_ci 77e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); 78e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 79e1051a39Sopenharmony_ci (char *)mdname, 0); 80e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 81e1051a39Sopenharmony_ci (unsigned char *)secret, hashlen); 82e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, 83e1051a39Sopenharmony_ci (unsigned char *)label_prefix, 84e1051a39Sopenharmony_ci sizeof(label_prefix) - 1); 85e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, 86e1051a39Sopenharmony_ci (unsigned char *)label, labellen); 87e1051a39Sopenharmony_ci if (data != NULL) 88e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_DATA, 89e1051a39Sopenharmony_ci (unsigned char *)data, 90e1051a39Sopenharmony_ci datalen); 91e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_end(); 92e1051a39Sopenharmony_ci 93e1051a39Sopenharmony_ci ret = EVP_KDF_derive(kctx, out, outlen, params) <= 0; 94e1051a39Sopenharmony_ci EVP_KDF_CTX_free(kctx); 95e1051a39Sopenharmony_ci 96e1051a39Sopenharmony_ci if (ret != 0) { 97e1051a39Sopenharmony_ci if (fatal) 98e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 99e1051a39Sopenharmony_ci else 100e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 101e1051a39Sopenharmony_ci } 102e1051a39Sopenharmony_ci 103e1051a39Sopenharmony_ci return ret == 0; 104e1051a39Sopenharmony_ci} 105e1051a39Sopenharmony_ci 106e1051a39Sopenharmony_ci/* 107e1051a39Sopenharmony_ci * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on 108e1051a39Sopenharmony_ci * success 0 on failure. 109e1051a39Sopenharmony_ci */ 110e1051a39Sopenharmony_ciint tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, 111e1051a39Sopenharmony_ci unsigned char *key, size_t keylen) 112e1051a39Sopenharmony_ci{ 113e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 114e1051a39Sopenharmony_ci static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 }; 115e1051a39Sopenharmony_ci#else 116e1051a39Sopenharmony_ci static const unsigned char keylabel[] = "key"; 117e1051a39Sopenharmony_ci#endif 118e1051a39Sopenharmony_ci 119e1051a39Sopenharmony_ci return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, 120e1051a39Sopenharmony_ci NULL, 0, key, keylen, 1); 121e1051a39Sopenharmony_ci} 122e1051a39Sopenharmony_ci 123e1051a39Sopenharmony_ci/* 124e1051a39Sopenharmony_ci * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on 125e1051a39Sopenharmony_ci * success 0 on failure. 126e1051a39Sopenharmony_ci */ 127e1051a39Sopenharmony_ciint tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, 128e1051a39Sopenharmony_ci unsigned char *iv, size_t ivlen) 129e1051a39Sopenharmony_ci{ 130e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 131e1051a39Sopenharmony_ci static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 }; 132e1051a39Sopenharmony_ci#else 133e1051a39Sopenharmony_ci static const unsigned char ivlabel[] = "iv"; 134e1051a39Sopenharmony_ci#endif 135e1051a39Sopenharmony_ci 136e1051a39Sopenharmony_ci return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, 137e1051a39Sopenharmony_ci NULL, 0, iv, ivlen, 1); 138e1051a39Sopenharmony_ci} 139e1051a39Sopenharmony_ci 140e1051a39Sopenharmony_ciint tls13_derive_finishedkey(SSL *s, const EVP_MD *md, 141e1051a39Sopenharmony_ci const unsigned char *secret, 142e1051a39Sopenharmony_ci unsigned char *fin, size_t finlen) 143e1051a39Sopenharmony_ci{ 144e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 145e1051a39Sopenharmony_ci static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 }; 146e1051a39Sopenharmony_ci#else 147e1051a39Sopenharmony_ci static const unsigned char finishedlabel[] = "finished"; 148e1051a39Sopenharmony_ci#endif 149e1051a39Sopenharmony_ci 150e1051a39Sopenharmony_ci return tls13_hkdf_expand(s, md, secret, finishedlabel, 151e1051a39Sopenharmony_ci sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); 152e1051a39Sopenharmony_ci} 153e1051a39Sopenharmony_ci 154e1051a39Sopenharmony_ci/* 155e1051a39Sopenharmony_ci * Given the previous secret |prevsecret| and a new input secret |insecret| of 156e1051a39Sopenharmony_ci * length |insecretlen|, generate a new secret and store it in the location 157e1051a39Sopenharmony_ci * pointed to by |outsecret|. Returns 1 on success 0 on failure. 158e1051a39Sopenharmony_ci */ 159e1051a39Sopenharmony_ciint tls13_generate_secret(SSL *s, const EVP_MD *md, 160e1051a39Sopenharmony_ci const unsigned char *prevsecret, 161e1051a39Sopenharmony_ci const unsigned char *insecret, 162e1051a39Sopenharmony_ci size_t insecretlen, 163e1051a39Sopenharmony_ci unsigned char *outsecret) 164e1051a39Sopenharmony_ci{ 165e1051a39Sopenharmony_ci size_t mdlen; 166e1051a39Sopenharmony_ci int mdleni; 167e1051a39Sopenharmony_ci int ret; 168e1051a39Sopenharmony_ci EVP_KDF *kdf; 169e1051a39Sopenharmony_ci EVP_KDF_CTX *kctx; 170e1051a39Sopenharmony_ci OSSL_PARAM params[7], *p = params; 171e1051a39Sopenharmony_ci int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; 172e1051a39Sopenharmony_ci const char *mdname = EVP_MD_get0_name(md); 173e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 174e1051a39Sopenharmony_ci static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 }; 175e1051a39Sopenharmony_ci#else 176e1051a39Sopenharmony_ci static const char derived_secret_label[] = "derived"; 177e1051a39Sopenharmony_ci#endif 178e1051a39Sopenharmony_ci 179e1051a39Sopenharmony_ci kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq); 180e1051a39Sopenharmony_ci kctx = EVP_KDF_CTX_new(kdf); 181e1051a39Sopenharmony_ci EVP_KDF_free(kdf); 182e1051a39Sopenharmony_ci if (kctx == NULL) { 183e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 184e1051a39Sopenharmony_ci return 0; 185e1051a39Sopenharmony_ci } 186e1051a39Sopenharmony_ci 187e1051a39Sopenharmony_ci mdleni = EVP_MD_get_size(md); 188e1051a39Sopenharmony_ci /* Ensure cast to size_t is safe */ 189e1051a39Sopenharmony_ci if (!ossl_assert(mdleni >= 0)) { 190e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 191e1051a39Sopenharmony_ci EVP_KDF_CTX_free(kctx); 192e1051a39Sopenharmony_ci return 0; 193e1051a39Sopenharmony_ci } 194e1051a39Sopenharmony_ci mdlen = (size_t)mdleni; 195e1051a39Sopenharmony_ci 196e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); 197e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 198e1051a39Sopenharmony_ci (char *)mdname, 0); 199e1051a39Sopenharmony_ci if (insecret != NULL) 200e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 201e1051a39Sopenharmony_ci (unsigned char *)insecret, 202e1051a39Sopenharmony_ci insecretlen); 203e1051a39Sopenharmony_ci if (prevsecret != NULL) 204e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, 205e1051a39Sopenharmony_ci (unsigned char *)prevsecret, mdlen); 206e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, 207e1051a39Sopenharmony_ci (unsigned char *)label_prefix, 208e1051a39Sopenharmony_ci sizeof(label_prefix) - 1); 209e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, 210e1051a39Sopenharmony_ci (unsigned char *)derived_secret_label, 211e1051a39Sopenharmony_ci sizeof(derived_secret_label) - 1); 212e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_end(); 213e1051a39Sopenharmony_ci 214e1051a39Sopenharmony_ci ret = EVP_KDF_derive(kctx, outsecret, mdlen, params) <= 0; 215e1051a39Sopenharmony_ci 216e1051a39Sopenharmony_ci if (ret != 0) 217e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 218e1051a39Sopenharmony_ci 219e1051a39Sopenharmony_ci EVP_KDF_CTX_free(kctx); 220e1051a39Sopenharmony_ci return ret == 0; 221e1051a39Sopenharmony_ci} 222e1051a39Sopenharmony_ci 223e1051a39Sopenharmony_ci/* 224e1051a39Sopenharmony_ci * Given an input secret |insecret| of length |insecretlen| generate the 225e1051a39Sopenharmony_ci * handshake secret. This requires the early secret to already have been 226e1051a39Sopenharmony_ci * generated. Returns 1 on success 0 on failure. 227e1051a39Sopenharmony_ci */ 228e1051a39Sopenharmony_ciint tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, 229e1051a39Sopenharmony_ci size_t insecretlen) 230e1051a39Sopenharmony_ci{ 231e1051a39Sopenharmony_ci /* Calls SSLfatal() if required */ 232e1051a39Sopenharmony_ci return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, 233e1051a39Sopenharmony_ci insecret, insecretlen, 234e1051a39Sopenharmony_ci (unsigned char *)&s->handshake_secret); 235e1051a39Sopenharmony_ci} 236e1051a39Sopenharmony_ci 237e1051a39Sopenharmony_ci/* 238e1051a39Sopenharmony_ci * Given the handshake secret |prev| of length |prevlen| generate the master 239e1051a39Sopenharmony_ci * secret and store its length in |*secret_size|. Returns 1 on success 0 on 240e1051a39Sopenharmony_ci * failure. 241e1051a39Sopenharmony_ci */ 242e1051a39Sopenharmony_ciint tls13_generate_master_secret(SSL *s, unsigned char *out, 243e1051a39Sopenharmony_ci unsigned char *prev, size_t prevlen, 244e1051a39Sopenharmony_ci size_t *secret_size) 245e1051a39Sopenharmony_ci{ 246e1051a39Sopenharmony_ci const EVP_MD *md = ssl_handshake_md(s); 247e1051a39Sopenharmony_ci 248e1051a39Sopenharmony_ci *secret_size = EVP_MD_get_size(md); 249e1051a39Sopenharmony_ci /* Calls SSLfatal() if required */ 250e1051a39Sopenharmony_ci return tls13_generate_secret(s, md, prev, NULL, 0, out); 251e1051a39Sopenharmony_ci} 252e1051a39Sopenharmony_ci 253e1051a39Sopenharmony_ci/* 254e1051a39Sopenharmony_ci * Generates the mac for the Finished message. Returns the length of the MAC or 255e1051a39Sopenharmony_ci * 0 on error. 256e1051a39Sopenharmony_ci */ 257e1051a39Sopenharmony_cisize_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, 258e1051a39Sopenharmony_ci unsigned char *out) 259e1051a39Sopenharmony_ci{ 260e1051a39Sopenharmony_ci const EVP_MD *md = ssl_handshake_md(s); 261e1051a39Sopenharmony_ci const char *mdname = EVP_MD_get0_name(md); 262e1051a39Sopenharmony_ci unsigned char hash[EVP_MAX_MD_SIZE]; 263e1051a39Sopenharmony_ci unsigned char finsecret[EVP_MAX_MD_SIZE]; 264e1051a39Sopenharmony_ci unsigned char *key = NULL; 265e1051a39Sopenharmony_ci size_t len = 0, hashlen; 266e1051a39Sopenharmony_ci OSSL_PARAM params[2], *p = params; 267e1051a39Sopenharmony_ci 268e1051a39Sopenharmony_ci if (md == NULL) 269e1051a39Sopenharmony_ci return 0; 270e1051a39Sopenharmony_ci 271e1051a39Sopenharmony_ci /* Safe to cast away const here since we're not "getting" any data */ 272e1051a39Sopenharmony_ci if (s->ctx->propq != NULL) 273e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES, 274e1051a39Sopenharmony_ci (char *)s->ctx->propq, 275e1051a39Sopenharmony_ci 0); 276e1051a39Sopenharmony_ci *p = OSSL_PARAM_construct_end(); 277e1051a39Sopenharmony_ci 278e1051a39Sopenharmony_ci if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 279e1051a39Sopenharmony_ci /* SSLfatal() already called */ 280e1051a39Sopenharmony_ci goto err; 281e1051a39Sopenharmony_ci } 282e1051a39Sopenharmony_ci 283e1051a39Sopenharmony_ci if (str == s->method->ssl3_enc->server_finished_label) { 284e1051a39Sopenharmony_ci key = s->server_finished_secret; 285e1051a39Sopenharmony_ci } else if (SSL_IS_FIRST_HANDSHAKE(s)) { 286e1051a39Sopenharmony_ci key = s->client_finished_secret; 287e1051a39Sopenharmony_ci } else { 288e1051a39Sopenharmony_ci if (!tls13_derive_finishedkey(s, md, 289e1051a39Sopenharmony_ci s->client_app_traffic_secret, 290e1051a39Sopenharmony_ci finsecret, hashlen)) 291e1051a39Sopenharmony_ci goto err; 292e1051a39Sopenharmony_ci key = finsecret; 293e1051a39Sopenharmony_ci } 294e1051a39Sopenharmony_ci 295e1051a39Sopenharmony_ci if (!EVP_Q_mac(s->ctx->libctx, "HMAC", s->ctx->propq, mdname, 296e1051a39Sopenharmony_ci params, key, hashlen, hash, hashlen, 297e1051a39Sopenharmony_ci /* outsize as per sizeof(peer_finish_md) */ 298e1051a39Sopenharmony_ci out, EVP_MAX_MD_SIZE * 2, &len)) { 299e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 300e1051a39Sopenharmony_ci goto err; 301e1051a39Sopenharmony_ci } 302e1051a39Sopenharmony_ci 303e1051a39Sopenharmony_ci err: 304e1051a39Sopenharmony_ci OPENSSL_cleanse(finsecret, sizeof(finsecret)); 305e1051a39Sopenharmony_ci return len; 306e1051a39Sopenharmony_ci} 307e1051a39Sopenharmony_ci 308e1051a39Sopenharmony_ci/* 309e1051a39Sopenharmony_ci * There isn't really a key block in TLSv1.3, but we still need this function 310e1051a39Sopenharmony_ci * for initialising the cipher and hash. Returns 1 on success or 0 on failure. 311e1051a39Sopenharmony_ci */ 312e1051a39Sopenharmony_ciint tls13_setup_key_block(SSL *s) 313e1051a39Sopenharmony_ci{ 314e1051a39Sopenharmony_ci const EVP_CIPHER *c; 315e1051a39Sopenharmony_ci const EVP_MD *hash; 316e1051a39Sopenharmony_ci 317e1051a39Sopenharmony_ci s->session->cipher = s->s3.tmp.new_cipher; 318e1051a39Sopenharmony_ci if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL, 319e1051a39Sopenharmony_ci 0)) { 320e1051a39Sopenharmony_ci /* Error is already recorded */ 321e1051a39Sopenharmony_ci SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 322e1051a39Sopenharmony_ci return 0; 323e1051a39Sopenharmony_ci } 324e1051a39Sopenharmony_ci 325e1051a39Sopenharmony_ci ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 326e1051a39Sopenharmony_ci s->s3.tmp.new_sym_enc = c; 327e1051a39Sopenharmony_ci ssl_evp_md_free(s->s3.tmp.new_hash); 328e1051a39Sopenharmony_ci s->s3.tmp.new_hash = hash; 329e1051a39Sopenharmony_ci 330e1051a39Sopenharmony_ci return 1; 331e1051a39Sopenharmony_ci} 332e1051a39Sopenharmony_ci 333e1051a39Sopenharmony_cistatic int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, 334e1051a39Sopenharmony_ci const EVP_CIPHER *ciph, 335e1051a39Sopenharmony_ci const unsigned char *insecret, 336e1051a39Sopenharmony_ci const unsigned char *hash, 337e1051a39Sopenharmony_ci const unsigned char *label, 338e1051a39Sopenharmony_ci size_t labellen, unsigned char *secret, 339e1051a39Sopenharmony_ci unsigned char *key, unsigned char *iv, 340e1051a39Sopenharmony_ci EVP_CIPHER_CTX *ciph_ctx) 341e1051a39Sopenharmony_ci{ 342e1051a39Sopenharmony_ci size_t ivlen, keylen, taglen; 343e1051a39Sopenharmony_ci int hashleni = EVP_MD_get_size(md); 344e1051a39Sopenharmony_ci size_t hashlen; 345e1051a39Sopenharmony_ci 346e1051a39Sopenharmony_ci /* Ensure cast to size_t is safe */ 347e1051a39Sopenharmony_ci if (!ossl_assert(hashleni >= 0)) { 348e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 349e1051a39Sopenharmony_ci return 0; 350e1051a39Sopenharmony_ci } 351e1051a39Sopenharmony_ci hashlen = (size_t)hashleni; 352e1051a39Sopenharmony_ci 353e1051a39Sopenharmony_ci if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, 354e1051a39Sopenharmony_ci secret, hashlen, 1)) { 355e1051a39Sopenharmony_ci /* SSLfatal() already called */ 356e1051a39Sopenharmony_ci return 0; 357e1051a39Sopenharmony_ci } 358e1051a39Sopenharmony_ci 359e1051a39Sopenharmony_ci keylen = EVP_CIPHER_get_key_length(ciph); 360e1051a39Sopenharmony_ci if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) { 361e1051a39Sopenharmony_ci uint32_t algenc; 362e1051a39Sopenharmony_ci 363e1051a39Sopenharmony_ci ivlen = EVP_CCM_TLS_IV_LEN; 364e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher != NULL) { 365e1051a39Sopenharmony_ci algenc = s->s3.tmp.new_cipher->algorithm_enc; 366e1051a39Sopenharmony_ci } else if (s->session->cipher != NULL) { 367e1051a39Sopenharmony_ci /* We've not selected a cipher yet - we must be doing early data */ 368e1051a39Sopenharmony_ci algenc = s->session->cipher->algorithm_enc; 369e1051a39Sopenharmony_ci } else if (s->psksession != NULL && s->psksession->cipher != NULL) { 370e1051a39Sopenharmony_ci /* We must be doing early data with out-of-band PSK */ 371e1051a39Sopenharmony_ci algenc = s->psksession->cipher->algorithm_enc; 372e1051a39Sopenharmony_ci } else { 373e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 374e1051a39Sopenharmony_ci return 0; 375e1051a39Sopenharmony_ci } 376e1051a39Sopenharmony_ci if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 377e1051a39Sopenharmony_ci taglen = EVP_CCM8_TLS_TAG_LEN; 378e1051a39Sopenharmony_ci else 379e1051a39Sopenharmony_ci taglen = EVP_CCM_TLS_TAG_LEN; 380e1051a39Sopenharmony_ci } else { 381e1051a39Sopenharmony_ci ivlen = EVP_CIPHER_get_iv_length(ciph); 382e1051a39Sopenharmony_ci taglen = 0; 383e1051a39Sopenharmony_ci } 384e1051a39Sopenharmony_ci 385e1051a39Sopenharmony_ci if (!tls13_derive_key(s, md, secret, key, keylen) 386e1051a39Sopenharmony_ci || !tls13_derive_iv(s, md, secret, iv, ivlen)) { 387e1051a39Sopenharmony_ci /* SSLfatal() already called */ 388e1051a39Sopenharmony_ci return 0; 389e1051a39Sopenharmony_ci } 390e1051a39Sopenharmony_ci 391e1051a39Sopenharmony_ci if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 392e1051a39Sopenharmony_ci || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) <= 0 393e1051a39Sopenharmony_ci || (taglen != 0 && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, 394e1051a39Sopenharmony_ci taglen, NULL) <= 0) 395e1051a39Sopenharmony_ci || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { 396e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 397e1051a39Sopenharmony_ci return 0; 398e1051a39Sopenharmony_ci } 399e1051a39Sopenharmony_ci 400e1051a39Sopenharmony_ci return 1; 401e1051a39Sopenharmony_ci} 402e1051a39Sopenharmony_ci 403e1051a39Sopenharmony_ciint tls13_change_cipher_state(SSL *s, int which) 404e1051a39Sopenharmony_ci{ 405e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 406e1051a39Sopenharmony_ci static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 407e1051a39Sopenharmony_ci static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 408e1051a39Sopenharmony_ci static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 409e1051a39Sopenharmony_ci static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 410e1051a39Sopenharmony_ci static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 411e1051a39Sopenharmony_ci static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 412e1051a39Sopenharmony_ci static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 413e1051a39Sopenharmony_ci static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 414e1051a39Sopenharmony_ci#else 415e1051a39Sopenharmony_ci static const unsigned char client_early_traffic[] = "c e traffic"; 416e1051a39Sopenharmony_ci static const unsigned char client_handshake_traffic[] = "c hs traffic"; 417e1051a39Sopenharmony_ci static const unsigned char client_application_traffic[] = "c ap traffic"; 418e1051a39Sopenharmony_ci static const unsigned char server_handshake_traffic[] = "s hs traffic"; 419e1051a39Sopenharmony_ci static const unsigned char server_application_traffic[] = "s ap traffic"; 420e1051a39Sopenharmony_ci static const unsigned char exporter_master_secret[] = "exp master"; 421e1051a39Sopenharmony_ci static const unsigned char resumption_master_secret[] = "res master"; 422e1051a39Sopenharmony_ci static const unsigned char early_exporter_master_secret[] = "e exp master"; 423e1051a39Sopenharmony_ci#endif 424e1051a39Sopenharmony_ci unsigned char *iv; 425e1051a39Sopenharmony_ci unsigned char key[EVP_MAX_KEY_LENGTH]; 426e1051a39Sopenharmony_ci unsigned char secret[EVP_MAX_MD_SIZE]; 427e1051a39Sopenharmony_ci unsigned char hashval[EVP_MAX_MD_SIZE]; 428e1051a39Sopenharmony_ci unsigned char *hash = hashval; 429e1051a39Sopenharmony_ci unsigned char *insecret; 430e1051a39Sopenharmony_ci unsigned char *finsecret = NULL; 431e1051a39Sopenharmony_ci const char *log_label = NULL; 432e1051a39Sopenharmony_ci EVP_CIPHER_CTX *ciph_ctx; 433e1051a39Sopenharmony_ci size_t finsecretlen = 0; 434e1051a39Sopenharmony_ci const unsigned char *label; 435e1051a39Sopenharmony_ci size_t labellen, hashlen = 0; 436e1051a39Sopenharmony_ci int ret = 0; 437e1051a39Sopenharmony_ci const EVP_MD *md = NULL; 438e1051a39Sopenharmony_ci const EVP_CIPHER *cipher = NULL; 439e1051a39Sopenharmony_ci#if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) 440e1051a39Sopenharmony_ci ktls_crypto_info_t crypto_info; 441e1051a39Sopenharmony_ci BIO *bio; 442e1051a39Sopenharmony_ci#endif 443e1051a39Sopenharmony_ci 444e1051a39Sopenharmony_ci if (which & SSL3_CC_READ) { 445e1051a39Sopenharmony_ci if (s->enc_read_ctx != NULL) { 446e1051a39Sopenharmony_ci EVP_CIPHER_CTX_reset(s->enc_read_ctx); 447e1051a39Sopenharmony_ci } else { 448e1051a39Sopenharmony_ci s->enc_read_ctx = EVP_CIPHER_CTX_new(); 449e1051a39Sopenharmony_ci if (s->enc_read_ctx == NULL) { 450e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 451e1051a39Sopenharmony_ci goto err; 452e1051a39Sopenharmony_ci } 453e1051a39Sopenharmony_ci } 454e1051a39Sopenharmony_ci ciph_ctx = s->enc_read_ctx; 455e1051a39Sopenharmony_ci iv = s->read_iv; 456e1051a39Sopenharmony_ci 457e1051a39Sopenharmony_ci RECORD_LAYER_reset_read_sequence(&s->rlayer); 458e1051a39Sopenharmony_ci } else { 459e1051a39Sopenharmony_ci s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 460e1051a39Sopenharmony_ci if (s->enc_write_ctx != NULL) { 461e1051a39Sopenharmony_ci EVP_CIPHER_CTX_reset(s->enc_write_ctx); 462e1051a39Sopenharmony_ci } else { 463e1051a39Sopenharmony_ci s->enc_write_ctx = EVP_CIPHER_CTX_new(); 464e1051a39Sopenharmony_ci if (s->enc_write_ctx == NULL) { 465e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 466e1051a39Sopenharmony_ci goto err; 467e1051a39Sopenharmony_ci } 468e1051a39Sopenharmony_ci } 469e1051a39Sopenharmony_ci ciph_ctx = s->enc_write_ctx; 470e1051a39Sopenharmony_ci iv = s->write_iv; 471e1051a39Sopenharmony_ci 472e1051a39Sopenharmony_ci RECORD_LAYER_reset_write_sequence(&s->rlayer); 473e1051a39Sopenharmony_ci } 474e1051a39Sopenharmony_ci 475e1051a39Sopenharmony_ci if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) 476e1051a39Sopenharmony_ci || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { 477e1051a39Sopenharmony_ci if (which & SSL3_CC_EARLY) { 478e1051a39Sopenharmony_ci EVP_MD_CTX *mdctx = NULL; 479e1051a39Sopenharmony_ci long handlen; 480e1051a39Sopenharmony_ci void *hdata; 481e1051a39Sopenharmony_ci unsigned int hashlenui; 482e1051a39Sopenharmony_ci const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); 483e1051a39Sopenharmony_ci 484e1051a39Sopenharmony_ci insecret = s->early_secret; 485e1051a39Sopenharmony_ci label = client_early_traffic; 486e1051a39Sopenharmony_ci labellen = sizeof(client_early_traffic) - 1; 487e1051a39Sopenharmony_ci log_label = CLIENT_EARLY_LABEL; 488e1051a39Sopenharmony_ci 489e1051a39Sopenharmony_ci handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); 490e1051a39Sopenharmony_ci if (handlen <= 0) { 491e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); 492e1051a39Sopenharmony_ci goto err; 493e1051a39Sopenharmony_ci } 494e1051a39Sopenharmony_ci 495e1051a39Sopenharmony_ci if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 496e1051a39Sopenharmony_ci && s->max_early_data > 0 497e1051a39Sopenharmony_ci && s->session->ext.max_early_data == 0) { 498e1051a39Sopenharmony_ci /* 499e1051a39Sopenharmony_ci * If we are attempting to send early data, and we've decided to 500e1051a39Sopenharmony_ci * actually do it but max_early_data in s->session is 0 then we 501e1051a39Sopenharmony_ci * must be using an external PSK. 502e1051a39Sopenharmony_ci */ 503e1051a39Sopenharmony_ci if (!ossl_assert(s->psksession != NULL 504e1051a39Sopenharmony_ci && s->max_early_data == 505e1051a39Sopenharmony_ci s->psksession->ext.max_early_data)) { 506e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 507e1051a39Sopenharmony_ci goto err; 508e1051a39Sopenharmony_ci } 509e1051a39Sopenharmony_ci sslcipher = SSL_SESSION_get0_cipher(s->psksession); 510e1051a39Sopenharmony_ci } 511e1051a39Sopenharmony_ci if (sslcipher == NULL) { 512e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 513e1051a39Sopenharmony_ci goto err; 514e1051a39Sopenharmony_ci } 515e1051a39Sopenharmony_ci 516e1051a39Sopenharmony_ci /* 517e1051a39Sopenharmony_ci * We need to calculate the handshake digest using the digest from 518e1051a39Sopenharmony_ci * the session. We haven't yet selected our ciphersuite so we can't 519e1051a39Sopenharmony_ci * use ssl_handshake_md(). 520e1051a39Sopenharmony_ci */ 521e1051a39Sopenharmony_ci mdctx = EVP_MD_CTX_new(); 522e1051a39Sopenharmony_ci if (mdctx == NULL) { 523e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 524e1051a39Sopenharmony_ci goto err; 525e1051a39Sopenharmony_ci } 526e1051a39Sopenharmony_ci 527e1051a39Sopenharmony_ci /* 528e1051a39Sopenharmony_ci * This ups the ref count on cipher so we better make sure we free 529e1051a39Sopenharmony_ci * it again 530e1051a39Sopenharmony_ci */ 531e1051a39Sopenharmony_ci if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) { 532e1051a39Sopenharmony_ci /* Error is already recorded */ 533e1051a39Sopenharmony_ci SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 534e1051a39Sopenharmony_ci EVP_MD_CTX_free(mdctx); 535e1051a39Sopenharmony_ci goto err; 536e1051a39Sopenharmony_ci } 537e1051a39Sopenharmony_ci 538e1051a39Sopenharmony_ci md = ssl_md(s->ctx, sslcipher->algorithm2); 539e1051a39Sopenharmony_ci if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) 540e1051a39Sopenharmony_ci || !EVP_DigestUpdate(mdctx, hdata, handlen) 541e1051a39Sopenharmony_ci || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { 542e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 543e1051a39Sopenharmony_ci EVP_MD_CTX_free(mdctx); 544e1051a39Sopenharmony_ci goto err; 545e1051a39Sopenharmony_ci } 546e1051a39Sopenharmony_ci hashlen = hashlenui; 547e1051a39Sopenharmony_ci EVP_MD_CTX_free(mdctx); 548e1051a39Sopenharmony_ci 549e1051a39Sopenharmony_ci if (!tls13_hkdf_expand(s, md, insecret, 550e1051a39Sopenharmony_ci early_exporter_master_secret, 551e1051a39Sopenharmony_ci sizeof(early_exporter_master_secret) - 1, 552e1051a39Sopenharmony_ci hashval, hashlen, 553e1051a39Sopenharmony_ci s->early_exporter_master_secret, hashlen, 554e1051a39Sopenharmony_ci 1)) { 555e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 556e1051a39Sopenharmony_ci goto err; 557e1051a39Sopenharmony_ci } 558e1051a39Sopenharmony_ci 559e1051a39Sopenharmony_ci if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, 560e1051a39Sopenharmony_ci s->early_exporter_master_secret, hashlen)) { 561e1051a39Sopenharmony_ci /* SSLfatal() already called */ 562e1051a39Sopenharmony_ci goto err; 563e1051a39Sopenharmony_ci } 564e1051a39Sopenharmony_ci } else if (which & SSL3_CC_HANDSHAKE) { 565e1051a39Sopenharmony_ci insecret = s->handshake_secret; 566e1051a39Sopenharmony_ci finsecret = s->client_finished_secret; 567e1051a39Sopenharmony_ci finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); 568e1051a39Sopenharmony_ci label = client_handshake_traffic; 569e1051a39Sopenharmony_ci labellen = sizeof(client_handshake_traffic) - 1; 570e1051a39Sopenharmony_ci log_label = CLIENT_HANDSHAKE_LABEL; 571e1051a39Sopenharmony_ci /* 572e1051a39Sopenharmony_ci * The handshake hash used for the server read/client write handshake 573e1051a39Sopenharmony_ci * traffic secret is the same as the hash for the server 574e1051a39Sopenharmony_ci * write/client read handshake traffic secret. However, if we 575e1051a39Sopenharmony_ci * processed early data then we delay changing the server 576e1051a39Sopenharmony_ci * read/client write cipher state until later, and the handshake 577e1051a39Sopenharmony_ci * hashes have moved on. Therefore we use the value saved earlier 578e1051a39Sopenharmony_ci * when we did the server write/client read change cipher state. 579e1051a39Sopenharmony_ci */ 580e1051a39Sopenharmony_ci hash = s->handshake_traffic_hash; 581e1051a39Sopenharmony_ci } else { 582e1051a39Sopenharmony_ci insecret = s->master_secret; 583e1051a39Sopenharmony_ci label = client_application_traffic; 584e1051a39Sopenharmony_ci labellen = sizeof(client_application_traffic) - 1; 585e1051a39Sopenharmony_ci log_label = CLIENT_APPLICATION_LABEL; 586e1051a39Sopenharmony_ci /* 587e1051a39Sopenharmony_ci * For this we only use the handshake hashes up until the server 588e1051a39Sopenharmony_ci * Finished hash. We do not include the client's Finished, which is 589e1051a39Sopenharmony_ci * what ssl_handshake_hash() would give us. Instead we use the 590e1051a39Sopenharmony_ci * previously saved value. 591e1051a39Sopenharmony_ci */ 592e1051a39Sopenharmony_ci hash = s->server_finished_hash; 593e1051a39Sopenharmony_ci } 594e1051a39Sopenharmony_ci } else { 595e1051a39Sopenharmony_ci /* Early data never applies to client-read/server-write */ 596e1051a39Sopenharmony_ci if (which & SSL3_CC_HANDSHAKE) { 597e1051a39Sopenharmony_ci insecret = s->handshake_secret; 598e1051a39Sopenharmony_ci finsecret = s->server_finished_secret; 599e1051a39Sopenharmony_ci finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); 600e1051a39Sopenharmony_ci label = server_handshake_traffic; 601e1051a39Sopenharmony_ci labellen = sizeof(server_handshake_traffic) - 1; 602e1051a39Sopenharmony_ci log_label = SERVER_HANDSHAKE_LABEL; 603e1051a39Sopenharmony_ci } else { 604e1051a39Sopenharmony_ci insecret = s->master_secret; 605e1051a39Sopenharmony_ci label = server_application_traffic; 606e1051a39Sopenharmony_ci labellen = sizeof(server_application_traffic) - 1; 607e1051a39Sopenharmony_ci log_label = SERVER_APPLICATION_LABEL; 608e1051a39Sopenharmony_ci } 609e1051a39Sopenharmony_ci } 610e1051a39Sopenharmony_ci 611e1051a39Sopenharmony_ci if (!(which & SSL3_CC_EARLY)) { 612e1051a39Sopenharmony_ci md = ssl_handshake_md(s); 613e1051a39Sopenharmony_ci cipher = s->s3.tmp.new_sym_enc; 614e1051a39Sopenharmony_ci if (!ssl3_digest_cached_records(s, 1) 615e1051a39Sopenharmony_ci || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { 616e1051a39Sopenharmony_ci /* SSLfatal() already called */; 617e1051a39Sopenharmony_ci goto err; 618e1051a39Sopenharmony_ci } 619e1051a39Sopenharmony_ci } 620e1051a39Sopenharmony_ci 621e1051a39Sopenharmony_ci /* 622e1051a39Sopenharmony_ci * Save the hash of handshakes up to now for use when we calculate the 623e1051a39Sopenharmony_ci * client application traffic secret 624e1051a39Sopenharmony_ci */ 625e1051a39Sopenharmony_ci if (label == server_application_traffic) 626e1051a39Sopenharmony_ci memcpy(s->server_finished_hash, hashval, hashlen); 627e1051a39Sopenharmony_ci 628e1051a39Sopenharmony_ci if (label == server_handshake_traffic) 629e1051a39Sopenharmony_ci memcpy(s->handshake_traffic_hash, hashval, hashlen); 630e1051a39Sopenharmony_ci 631e1051a39Sopenharmony_ci if (label == client_application_traffic) { 632e1051a39Sopenharmony_ci /* 633e1051a39Sopenharmony_ci * We also create the resumption master secret, but this time use the 634e1051a39Sopenharmony_ci * hash for the whole handshake including the Client Finished 635e1051a39Sopenharmony_ci */ 636e1051a39Sopenharmony_ci if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 637e1051a39Sopenharmony_ci resumption_master_secret, 638e1051a39Sopenharmony_ci sizeof(resumption_master_secret) - 1, 639e1051a39Sopenharmony_ci hashval, hashlen, s->resumption_master_secret, 640e1051a39Sopenharmony_ci hashlen, 1)) { 641e1051a39Sopenharmony_ci /* SSLfatal() already called */ 642e1051a39Sopenharmony_ci goto err; 643e1051a39Sopenharmony_ci } 644e1051a39Sopenharmony_ci } 645e1051a39Sopenharmony_ci 646e1051a39Sopenharmony_ci /* check whether cipher is known */ 647e1051a39Sopenharmony_ci if(!ossl_assert(cipher != NULL)) 648e1051a39Sopenharmony_ci goto err; 649e1051a39Sopenharmony_ci 650e1051a39Sopenharmony_ci if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, 651e1051a39Sopenharmony_ci insecret, hash, label, labellen, secret, key, 652e1051a39Sopenharmony_ci iv, ciph_ctx)) { 653e1051a39Sopenharmony_ci /* SSLfatal() already called */ 654e1051a39Sopenharmony_ci goto err; 655e1051a39Sopenharmony_ci } 656e1051a39Sopenharmony_ci 657e1051a39Sopenharmony_ci if (label == server_application_traffic) { 658e1051a39Sopenharmony_ci memcpy(s->server_app_traffic_secret, secret, hashlen); 659e1051a39Sopenharmony_ci /* Now we create the exporter master secret */ 660e1051a39Sopenharmony_ci if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 661e1051a39Sopenharmony_ci exporter_master_secret, 662e1051a39Sopenharmony_ci sizeof(exporter_master_secret) - 1, 663e1051a39Sopenharmony_ci hash, hashlen, s->exporter_master_secret, 664e1051a39Sopenharmony_ci hashlen, 1)) { 665e1051a39Sopenharmony_ci /* SSLfatal() already called */ 666e1051a39Sopenharmony_ci goto err; 667e1051a39Sopenharmony_ci } 668e1051a39Sopenharmony_ci 669e1051a39Sopenharmony_ci if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, 670e1051a39Sopenharmony_ci hashlen)) { 671e1051a39Sopenharmony_ci /* SSLfatal() already called */ 672e1051a39Sopenharmony_ci goto err; 673e1051a39Sopenharmony_ci } 674e1051a39Sopenharmony_ci } else if (label == client_application_traffic) 675e1051a39Sopenharmony_ci memcpy(s->client_app_traffic_secret, secret, hashlen); 676e1051a39Sopenharmony_ci 677e1051a39Sopenharmony_ci if (!ssl_log_secret(s, log_label, secret, hashlen)) { 678e1051a39Sopenharmony_ci /* SSLfatal() already called */ 679e1051a39Sopenharmony_ci goto err; 680e1051a39Sopenharmony_ci } 681e1051a39Sopenharmony_ci 682e1051a39Sopenharmony_ci if (finsecret != NULL 683e1051a39Sopenharmony_ci && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, 684e1051a39Sopenharmony_ci finsecret, finsecretlen)) { 685e1051a39Sopenharmony_ci /* SSLfatal() already called */ 686e1051a39Sopenharmony_ci goto err; 687e1051a39Sopenharmony_ci } 688e1051a39Sopenharmony_ci 689e1051a39Sopenharmony_ci if (!s->server && label == client_early_traffic) 690e1051a39Sopenharmony_ci s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; 691e1051a39Sopenharmony_ci else 692e1051a39Sopenharmony_ci s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 693e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_KTLS 694e1051a39Sopenharmony_ci# if defined(OPENSSL_KTLS_TLS13) 695e1051a39Sopenharmony_ci if (!(which & SSL3_CC_WRITE) 696e1051a39Sopenharmony_ci || !(which & SSL3_CC_APPLICATION) 697e1051a39Sopenharmony_ci || (s->options & SSL_OP_ENABLE_KTLS) == 0) 698e1051a39Sopenharmony_ci goto skip_ktls; 699e1051a39Sopenharmony_ci 700e1051a39Sopenharmony_ci /* ktls supports only the maximum fragment size */ 701e1051a39Sopenharmony_ci if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) 702e1051a39Sopenharmony_ci goto skip_ktls; 703e1051a39Sopenharmony_ci 704e1051a39Sopenharmony_ci /* ktls does not support record padding */ 705e1051a39Sopenharmony_ci if (s->record_padding_cb != NULL) 706e1051a39Sopenharmony_ci goto skip_ktls; 707e1051a39Sopenharmony_ci 708e1051a39Sopenharmony_ci /* check that cipher is supported */ 709e1051a39Sopenharmony_ci if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) 710e1051a39Sopenharmony_ci goto skip_ktls; 711e1051a39Sopenharmony_ci 712e1051a39Sopenharmony_ci bio = s->wbio; 713e1051a39Sopenharmony_ci 714e1051a39Sopenharmony_ci if (!ossl_assert(bio != NULL)) { 715e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 716e1051a39Sopenharmony_ci goto err; 717e1051a39Sopenharmony_ci } 718e1051a39Sopenharmony_ci 719e1051a39Sopenharmony_ci /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ 720e1051a39Sopenharmony_ci if (BIO_flush(bio) <= 0) 721e1051a39Sopenharmony_ci goto skip_ktls; 722e1051a39Sopenharmony_ci 723e1051a39Sopenharmony_ci /* configure kernel crypto structure */ 724e1051a39Sopenharmony_ci if (!ktls_configure_crypto(s, cipher, ciph_ctx, 725e1051a39Sopenharmony_ci RECORD_LAYER_get_write_sequence(&s->rlayer), 726e1051a39Sopenharmony_ci &crypto_info, NULL, iv, key, NULL, 0)) 727e1051a39Sopenharmony_ci goto skip_ktls; 728e1051a39Sopenharmony_ci 729e1051a39Sopenharmony_ci /* ktls works with user provided buffers directly */ 730e1051a39Sopenharmony_ci if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) 731e1051a39Sopenharmony_ci ssl3_release_write_buffer(s); 732e1051a39Sopenharmony_ciskip_ktls: 733e1051a39Sopenharmony_ci# endif 734e1051a39Sopenharmony_ci#endif 735e1051a39Sopenharmony_ci ret = 1; 736e1051a39Sopenharmony_ci err: 737e1051a39Sopenharmony_ci if ((which & SSL3_CC_EARLY) != 0) { 738e1051a39Sopenharmony_ci /* We up-refed this so now we need to down ref */ 739e1051a39Sopenharmony_ci ssl_evp_cipher_free(cipher); 740e1051a39Sopenharmony_ci } 741e1051a39Sopenharmony_ci OPENSSL_cleanse(key, sizeof(key)); 742e1051a39Sopenharmony_ci OPENSSL_cleanse(secret, sizeof(secret)); 743e1051a39Sopenharmony_ci return ret; 744e1051a39Sopenharmony_ci} 745e1051a39Sopenharmony_ci 746e1051a39Sopenharmony_ciint tls13_update_key(SSL *s, int sending) 747e1051a39Sopenharmony_ci{ 748e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 749e1051a39Sopenharmony_ci static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00}; 750e1051a39Sopenharmony_ci#else 751e1051a39Sopenharmony_ci static const unsigned char application_traffic[] = "traffic upd"; 752e1051a39Sopenharmony_ci#endif 753e1051a39Sopenharmony_ci const EVP_MD *md = ssl_handshake_md(s); 754e1051a39Sopenharmony_ci size_t hashlen; 755e1051a39Sopenharmony_ci unsigned char key[EVP_MAX_KEY_LENGTH]; 756e1051a39Sopenharmony_ci unsigned char *insecret, *iv; 757e1051a39Sopenharmony_ci unsigned char secret[EVP_MAX_MD_SIZE]; 758e1051a39Sopenharmony_ci char *log_label; 759e1051a39Sopenharmony_ci EVP_CIPHER_CTX *ciph_ctx; 760e1051a39Sopenharmony_ci int ret = 0, l; 761e1051a39Sopenharmony_ci 762e1051a39Sopenharmony_ci if ((l = EVP_MD_get_size(md)) <= 0) { 763e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 764e1051a39Sopenharmony_ci return 0; 765e1051a39Sopenharmony_ci } 766e1051a39Sopenharmony_ci hashlen = (size_t)l; 767e1051a39Sopenharmony_ci 768e1051a39Sopenharmony_ci if (s->server == sending) 769e1051a39Sopenharmony_ci insecret = s->server_app_traffic_secret; 770e1051a39Sopenharmony_ci else 771e1051a39Sopenharmony_ci insecret = s->client_app_traffic_secret; 772e1051a39Sopenharmony_ci 773e1051a39Sopenharmony_ci if (sending) { 774e1051a39Sopenharmony_ci s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 775e1051a39Sopenharmony_ci iv = s->write_iv; 776e1051a39Sopenharmony_ci ciph_ctx = s->enc_write_ctx; 777e1051a39Sopenharmony_ci RECORD_LAYER_reset_write_sequence(&s->rlayer); 778e1051a39Sopenharmony_ci } else { 779e1051a39Sopenharmony_ci iv = s->read_iv; 780e1051a39Sopenharmony_ci ciph_ctx = s->enc_read_ctx; 781e1051a39Sopenharmony_ci RECORD_LAYER_reset_read_sequence(&s->rlayer); 782e1051a39Sopenharmony_ci } 783e1051a39Sopenharmony_ci 784e1051a39Sopenharmony_ci if (!derive_secret_key_and_iv(s, sending, md, 785e1051a39Sopenharmony_ci s->s3.tmp.new_sym_enc, insecret, NULL, 786e1051a39Sopenharmony_ci application_traffic, 787e1051a39Sopenharmony_ci sizeof(application_traffic) - 1, secret, key, 788e1051a39Sopenharmony_ci iv, ciph_ctx)) { 789e1051a39Sopenharmony_ci /* SSLfatal() already called */ 790e1051a39Sopenharmony_ci goto err; 791e1051a39Sopenharmony_ci } 792e1051a39Sopenharmony_ci 793e1051a39Sopenharmony_ci memcpy(insecret, secret, hashlen); 794e1051a39Sopenharmony_ci 795e1051a39Sopenharmony_ci /* Call Key log on successful traffic secret update */ 796e1051a39Sopenharmony_ci log_label = s->server == sending ? SERVER_APPLICATION_N_LABEL : CLIENT_APPLICATION_N_LABEL; 797e1051a39Sopenharmony_ci if (!ssl_log_secret(s, log_label, secret, hashlen)) { 798e1051a39Sopenharmony_ci /* SSLfatal() already called */ 799e1051a39Sopenharmony_ci goto err; 800e1051a39Sopenharmony_ci } 801e1051a39Sopenharmony_ci 802e1051a39Sopenharmony_ci s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 803e1051a39Sopenharmony_ci ret = 1; 804e1051a39Sopenharmony_ci err: 805e1051a39Sopenharmony_ci OPENSSL_cleanse(key, sizeof(key)); 806e1051a39Sopenharmony_ci OPENSSL_cleanse(secret, sizeof(secret)); 807e1051a39Sopenharmony_ci return ret; 808e1051a39Sopenharmony_ci} 809e1051a39Sopenharmony_ci 810e1051a39Sopenharmony_ciint tls13_alert_code(int code) 811e1051a39Sopenharmony_ci{ 812e1051a39Sopenharmony_ci /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ 813e1051a39Sopenharmony_ci if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) 814e1051a39Sopenharmony_ci return code; 815e1051a39Sopenharmony_ci 816e1051a39Sopenharmony_ci return tls1_alert_code(code); 817e1051a39Sopenharmony_ci} 818e1051a39Sopenharmony_ci 819e1051a39Sopenharmony_ciint tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, 820e1051a39Sopenharmony_ci const char *label, size_t llen, 821e1051a39Sopenharmony_ci const unsigned char *context, 822e1051a39Sopenharmony_ci size_t contextlen, int use_context) 823e1051a39Sopenharmony_ci{ 824e1051a39Sopenharmony_ci unsigned char exportsecret[EVP_MAX_MD_SIZE]; 825e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 826e1051a39Sopenharmony_ci static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; 827e1051a39Sopenharmony_ci#else 828e1051a39Sopenharmony_ci static const unsigned char exporterlabel[] = "exporter"; 829e1051a39Sopenharmony_ci#endif 830e1051a39Sopenharmony_ci unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 831e1051a39Sopenharmony_ci const EVP_MD *md = ssl_handshake_md(s); 832e1051a39Sopenharmony_ci EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 833e1051a39Sopenharmony_ci unsigned int hashsize, datalen; 834e1051a39Sopenharmony_ci int ret = 0; 835e1051a39Sopenharmony_ci 836e1051a39Sopenharmony_ci if (ctx == NULL || md == NULL || !ossl_statem_export_allowed(s)) 837e1051a39Sopenharmony_ci goto err; 838e1051a39Sopenharmony_ci 839e1051a39Sopenharmony_ci if (!use_context) 840e1051a39Sopenharmony_ci contextlen = 0; 841e1051a39Sopenharmony_ci 842e1051a39Sopenharmony_ci if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 843e1051a39Sopenharmony_ci || EVP_DigestUpdate(ctx, context, contextlen) <= 0 844e1051a39Sopenharmony_ci || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 845e1051a39Sopenharmony_ci || EVP_DigestInit_ex(ctx, md, NULL) <= 0 846e1051a39Sopenharmony_ci || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 847e1051a39Sopenharmony_ci || !tls13_hkdf_expand(s, md, s->exporter_master_secret, 848e1051a39Sopenharmony_ci (const unsigned char *)label, llen, 849e1051a39Sopenharmony_ci data, datalen, exportsecret, hashsize, 0) 850e1051a39Sopenharmony_ci || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 851e1051a39Sopenharmony_ci sizeof(exporterlabel) - 1, hash, hashsize, 852e1051a39Sopenharmony_ci out, olen, 0)) 853e1051a39Sopenharmony_ci goto err; 854e1051a39Sopenharmony_ci 855e1051a39Sopenharmony_ci ret = 1; 856e1051a39Sopenharmony_ci err: 857e1051a39Sopenharmony_ci EVP_MD_CTX_free(ctx); 858e1051a39Sopenharmony_ci return ret; 859e1051a39Sopenharmony_ci} 860e1051a39Sopenharmony_ci 861e1051a39Sopenharmony_ciint tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, 862e1051a39Sopenharmony_ci const char *label, size_t llen, 863e1051a39Sopenharmony_ci const unsigned char *context, 864e1051a39Sopenharmony_ci size_t contextlen) 865e1051a39Sopenharmony_ci{ 866e1051a39Sopenharmony_ci#ifdef CHARSET_EBCDIC 867e1051a39Sopenharmony_ci static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; 868e1051a39Sopenharmony_ci#else 869e1051a39Sopenharmony_ci static const unsigned char exporterlabel[] = "exporter"; 870e1051a39Sopenharmony_ci#endif 871e1051a39Sopenharmony_ci unsigned char exportsecret[EVP_MAX_MD_SIZE]; 872e1051a39Sopenharmony_ci unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 873e1051a39Sopenharmony_ci const EVP_MD *md; 874e1051a39Sopenharmony_ci EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 875e1051a39Sopenharmony_ci unsigned int hashsize, datalen; 876e1051a39Sopenharmony_ci int ret = 0; 877e1051a39Sopenharmony_ci const SSL_CIPHER *sslcipher; 878e1051a39Sopenharmony_ci 879e1051a39Sopenharmony_ci if (ctx == NULL || !ossl_statem_export_early_allowed(s)) 880e1051a39Sopenharmony_ci goto err; 881e1051a39Sopenharmony_ci 882e1051a39Sopenharmony_ci if (!s->server && s->max_early_data > 0 883e1051a39Sopenharmony_ci && s->session->ext.max_early_data == 0) 884e1051a39Sopenharmony_ci sslcipher = SSL_SESSION_get0_cipher(s->psksession); 885e1051a39Sopenharmony_ci else 886e1051a39Sopenharmony_ci sslcipher = SSL_SESSION_get0_cipher(s->session); 887e1051a39Sopenharmony_ci 888e1051a39Sopenharmony_ci md = ssl_md(s->ctx, sslcipher->algorithm2); 889e1051a39Sopenharmony_ci 890e1051a39Sopenharmony_ci /* 891e1051a39Sopenharmony_ci * Calculate the hash value and store it in |data|. The reason why 892e1051a39Sopenharmony_ci * the empty string is used is that the definition of TLS-Exporter 893e1051a39Sopenharmony_ci * is like so: 894e1051a39Sopenharmony_ci * 895e1051a39Sopenharmony_ci * TLS-Exporter(label, context_value, key_length) = 896e1051a39Sopenharmony_ci * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), 897e1051a39Sopenharmony_ci * "exporter", Hash(context_value), key_length) 898e1051a39Sopenharmony_ci * 899e1051a39Sopenharmony_ci * Derive-Secret(Secret, Label, Messages) = 900e1051a39Sopenharmony_ci * HKDF-Expand-Label(Secret, Label, 901e1051a39Sopenharmony_ci * Transcript-Hash(Messages), Hash.length) 902e1051a39Sopenharmony_ci * 903e1051a39Sopenharmony_ci * Here Transcript-Hash is the cipher suite hash algorithm. 904e1051a39Sopenharmony_ci */ 905e1051a39Sopenharmony_ci if (md == NULL 906e1051a39Sopenharmony_ci || EVP_DigestInit_ex(ctx, md, NULL) <= 0 907e1051a39Sopenharmony_ci || EVP_DigestUpdate(ctx, context, contextlen) <= 0 908e1051a39Sopenharmony_ci || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 909e1051a39Sopenharmony_ci || EVP_DigestInit_ex(ctx, md, NULL) <= 0 910e1051a39Sopenharmony_ci || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 911e1051a39Sopenharmony_ci || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, 912e1051a39Sopenharmony_ci (const unsigned char *)label, llen, 913e1051a39Sopenharmony_ci data, datalen, exportsecret, hashsize, 0) 914e1051a39Sopenharmony_ci || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 915e1051a39Sopenharmony_ci sizeof(exporterlabel) - 1, hash, hashsize, 916e1051a39Sopenharmony_ci out, olen, 0)) 917e1051a39Sopenharmony_ci goto err; 918e1051a39Sopenharmony_ci 919e1051a39Sopenharmony_ci ret = 1; 920e1051a39Sopenharmony_ci err: 921e1051a39Sopenharmony_ci EVP_MD_CTX_free(ctx); 922e1051a39Sopenharmony_ci return ret; 923e1051a39Sopenharmony_ci} 924