1/* 2 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <stdlib.h> 11#include "ssl_local.h" 12#include "internal/ktls.h" 13#include "record/record_local.h" 14#include "internal/cryptlib.h" 15#include <openssl/evp.h> 16#include <openssl/kdf.h> 17#include <openssl/core_names.h> 18 19#define TLS13_MAX_LABEL_LEN 249 20 21#ifdef CHARSET_EBCDIC 22static const unsigned char label_prefix[] = { 0x74, 0x6C, 0x73, 0x31, 0x33, 0x20, 0x00 }; 23#else 24static const unsigned char label_prefix[] = "tls13 "; 25#endif 26 27/* 28 * Given a |secret|; a |label| of length |labellen|; and |data| of length 29 * |datalen| (e.g. typically a hash of the handshake messages), derive a new 30 * secret |outlen| bytes long and store it in the location pointed to be |out|. 31 * The |data| value may be zero length. Any errors will be treated as fatal if 32 * |fatal| is set. Returns 1 on success 0 on failure. 33 */ 34int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, 35 const unsigned char *label, size_t labellen, 36 const unsigned char *data, size_t datalen, 37 unsigned char *out, size_t outlen, int fatal) 38{ 39 EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, 40 s->ctx->propq); 41 EVP_KDF_CTX *kctx; 42 OSSL_PARAM params[7], *p = params; 43 int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; 44 const char *mdname = EVP_MD_get0_name(md); 45 int ret; 46 size_t hashlen; 47 48 kctx = EVP_KDF_CTX_new(kdf); 49 EVP_KDF_free(kdf); 50 if (kctx == NULL) 51 return 0; 52 53 if (labellen > TLS13_MAX_LABEL_LEN) { 54 if (fatal) { 55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 56 } else { 57 /* 58 * Probably we have been called from SSL_export_keying_material(), 59 * or SSL_export_keying_material_early(). 60 */ 61 ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 62 } 63 EVP_KDF_CTX_free(kctx); 64 return 0; 65 } 66 67 if ((ret = EVP_MD_get_size(md)) <= 0) { 68 EVP_KDF_CTX_free(kctx); 69 if (fatal) 70 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 71 else 72 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 73 return 0; 74 } 75 hashlen = (size_t)ret; 76 77 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); 78 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 79 (char *)mdname, 0); 80 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 81 (unsigned char *)secret, hashlen); 82 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, 83 (unsigned char *)label_prefix, 84 sizeof(label_prefix) - 1); 85 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, 86 (unsigned char *)label, labellen); 87 if (data != NULL) 88 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_DATA, 89 (unsigned char *)data, 90 datalen); 91 *p++ = OSSL_PARAM_construct_end(); 92 93 ret = EVP_KDF_derive(kctx, out, outlen, params) <= 0; 94 EVP_KDF_CTX_free(kctx); 95 96 if (ret != 0) { 97 if (fatal) 98 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 99 else 100 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 101 } 102 103 return ret == 0; 104} 105 106/* 107 * Given a |secret| generate a |key| of length |keylen| bytes. Returns 1 on 108 * success 0 on failure. 109 */ 110int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, 111 unsigned char *key, size_t keylen) 112{ 113#ifdef CHARSET_EBCDIC 114 static const unsigned char keylabel[] ={ 0x6B, 0x65, 0x79, 0x00 }; 115#else 116 static const unsigned char keylabel[] = "key"; 117#endif 118 119 return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, 120 NULL, 0, key, keylen, 1); 121} 122 123/* 124 * Given a |secret| generate an |iv| of length |ivlen| bytes. Returns 1 on 125 * success 0 on failure. 126 */ 127int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, 128 unsigned char *iv, size_t ivlen) 129{ 130#ifdef CHARSET_EBCDIC 131 static const unsigned char ivlabel[] = { 0x69, 0x76, 0x00 }; 132#else 133 static const unsigned char ivlabel[] = "iv"; 134#endif 135 136 return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, 137 NULL, 0, iv, ivlen, 1); 138} 139 140int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, 141 const unsigned char *secret, 142 unsigned char *fin, size_t finlen) 143{ 144#ifdef CHARSET_EBCDIC 145 static const unsigned char finishedlabel[] = { 0x66, 0x69, 0x6E, 0x69, 0x73, 0x68, 0x65, 0x64, 0x00 }; 146#else 147 static const unsigned char finishedlabel[] = "finished"; 148#endif 149 150 return tls13_hkdf_expand(s, md, secret, finishedlabel, 151 sizeof(finishedlabel) - 1, NULL, 0, fin, finlen, 1); 152} 153 154/* 155 * Given the previous secret |prevsecret| and a new input secret |insecret| of 156 * length |insecretlen|, generate a new secret and store it in the location 157 * pointed to by |outsecret|. Returns 1 on success 0 on failure. 158 */ 159int tls13_generate_secret(SSL *s, const EVP_MD *md, 160 const unsigned char *prevsecret, 161 const unsigned char *insecret, 162 size_t insecretlen, 163 unsigned char *outsecret) 164{ 165 size_t mdlen; 166 int mdleni; 167 int ret; 168 EVP_KDF *kdf; 169 EVP_KDF_CTX *kctx; 170 OSSL_PARAM params[7], *p = params; 171 int mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; 172 const char *mdname = EVP_MD_get0_name(md); 173#ifdef CHARSET_EBCDIC 174 static const char derived_secret_label[] = { 0x64, 0x65, 0x72, 0x69, 0x76, 0x65, 0x64, 0x00 }; 175#else 176 static const char derived_secret_label[] = "derived"; 177#endif 178 179 kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq); 180 kctx = EVP_KDF_CTX_new(kdf); 181 EVP_KDF_free(kdf); 182 if (kctx == NULL) { 183 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 184 return 0; 185 } 186 187 mdleni = EVP_MD_get_size(md); 188 /* Ensure cast to size_t is safe */ 189 if (!ossl_assert(mdleni >= 0)) { 190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 191 EVP_KDF_CTX_free(kctx); 192 return 0; 193 } 194 mdlen = (size_t)mdleni; 195 196 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode); 197 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 198 (char *)mdname, 0); 199 if (insecret != NULL) 200 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, 201 (unsigned char *)insecret, 202 insecretlen); 203 if (prevsecret != NULL) 204 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SALT, 205 (unsigned char *)prevsecret, mdlen); 206 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, 207 (unsigned char *)label_prefix, 208 sizeof(label_prefix) - 1); 209 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, 210 (unsigned char *)derived_secret_label, 211 sizeof(derived_secret_label) - 1); 212 *p++ = OSSL_PARAM_construct_end(); 213 214 ret = EVP_KDF_derive(kctx, outsecret, mdlen, params) <= 0; 215 216 if (ret != 0) 217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 218 219 EVP_KDF_CTX_free(kctx); 220 return ret == 0; 221} 222 223/* 224 * Given an input secret |insecret| of length |insecretlen| generate the 225 * handshake secret. This requires the early secret to already have been 226 * generated. Returns 1 on success 0 on failure. 227 */ 228int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, 229 size_t insecretlen) 230{ 231 /* Calls SSLfatal() if required */ 232 return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, 233 insecret, insecretlen, 234 (unsigned char *)&s->handshake_secret); 235} 236 237/* 238 * Given the handshake secret |prev| of length |prevlen| generate the master 239 * secret and store its length in |*secret_size|. Returns 1 on success 0 on 240 * failure. 241 */ 242int tls13_generate_master_secret(SSL *s, unsigned char *out, 243 unsigned char *prev, size_t prevlen, 244 size_t *secret_size) 245{ 246 const EVP_MD *md = ssl_handshake_md(s); 247 248 *secret_size = EVP_MD_get_size(md); 249 /* Calls SSLfatal() if required */ 250 return tls13_generate_secret(s, md, prev, NULL, 0, out); 251} 252 253/* 254 * Generates the mac for the Finished message. Returns the length of the MAC or 255 * 0 on error. 256 */ 257size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, 258 unsigned char *out) 259{ 260 const EVP_MD *md = ssl_handshake_md(s); 261 const char *mdname = EVP_MD_get0_name(md); 262 unsigned char hash[EVP_MAX_MD_SIZE]; 263 unsigned char finsecret[EVP_MAX_MD_SIZE]; 264 unsigned char *key = NULL; 265 size_t len = 0, hashlen; 266 OSSL_PARAM params[2], *p = params; 267 268 if (md == NULL) 269 return 0; 270 271 /* Safe to cast away const here since we're not "getting" any data */ 272 if (s->ctx->propq != NULL) 273 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES, 274 (char *)s->ctx->propq, 275 0); 276 *p = OSSL_PARAM_construct_end(); 277 278 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 279 /* SSLfatal() already called */ 280 goto err; 281 } 282 283 if (str == s->method->ssl3_enc->server_finished_label) { 284 key = s->server_finished_secret; 285 } else if (SSL_IS_FIRST_HANDSHAKE(s)) { 286 key = s->client_finished_secret; 287 } else { 288 if (!tls13_derive_finishedkey(s, md, 289 s->client_app_traffic_secret, 290 finsecret, hashlen)) 291 goto err; 292 key = finsecret; 293 } 294 295 if (!EVP_Q_mac(s->ctx->libctx, "HMAC", s->ctx->propq, mdname, 296 params, key, hashlen, hash, hashlen, 297 /* outsize as per sizeof(peer_finish_md) */ 298 out, EVP_MAX_MD_SIZE * 2, &len)) { 299 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 300 goto err; 301 } 302 303 err: 304 OPENSSL_cleanse(finsecret, sizeof(finsecret)); 305 return len; 306} 307 308/* 309 * There isn't really a key block in TLSv1.3, but we still need this function 310 * for initialising the cipher and hash. Returns 1 on success or 0 on failure. 311 */ 312int tls13_setup_key_block(SSL *s) 313{ 314 const EVP_CIPHER *c; 315 const EVP_MD *hash; 316 317 s->session->cipher = s->s3.tmp.new_cipher; 318 if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL, 319 0)) { 320 /* Error is already recorded */ 321 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 322 return 0; 323 } 324 325 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 326 s->s3.tmp.new_sym_enc = c; 327 ssl_evp_md_free(s->s3.tmp.new_hash); 328 s->s3.tmp.new_hash = hash; 329 330 return 1; 331} 332 333static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, 334 const EVP_CIPHER *ciph, 335 const unsigned char *insecret, 336 const unsigned char *hash, 337 const unsigned char *label, 338 size_t labellen, unsigned char *secret, 339 unsigned char *key, unsigned char *iv, 340 EVP_CIPHER_CTX *ciph_ctx) 341{ 342 size_t ivlen, keylen, taglen; 343 int hashleni = EVP_MD_get_size(md); 344 size_t hashlen; 345 346 /* Ensure cast to size_t is safe */ 347 if (!ossl_assert(hashleni >= 0)) { 348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 349 return 0; 350 } 351 hashlen = (size_t)hashleni; 352 353 if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, 354 secret, hashlen, 1)) { 355 /* SSLfatal() already called */ 356 return 0; 357 } 358 359 keylen = EVP_CIPHER_get_key_length(ciph); 360 if (EVP_CIPHER_get_mode(ciph) == EVP_CIPH_CCM_MODE) { 361 uint32_t algenc; 362 363 ivlen = EVP_CCM_TLS_IV_LEN; 364 if (s->s3.tmp.new_cipher != NULL) { 365 algenc = s->s3.tmp.new_cipher->algorithm_enc; 366 } else if (s->session->cipher != NULL) { 367 /* We've not selected a cipher yet - we must be doing early data */ 368 algenc = s->session->cipher->algorithm_enc; 369 } else if (s->psksession != NULL && s->psksession->cipher != NULL) { 370 /* We must be doing early data with out-of-band PSK */ 371 algenc = s->psksession->cipher->algorithm_enc; 372 } else { 373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 374 return 0; 375 } 376 if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 377 taglen = EVP_CCM8_TLS_TAG_LEN; 378 else 379 taglen = EVP_CCM_TLS_TAG_LEN; 380 } else { 381 ivlen = EVP_CIPHER_get_iv_length(ciph); 382 taglen = 0; 383 } 384 385 if (!tls13_derive_key(s, md, secret, key, keylen) 386 || !tls13_derive_iv(s, md, secret, iv, ivlen)) { 387 /* SSLfatal() already called */ 388 return 0; 389 } 390 391 if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 392 || EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) <= 0 393 || (taglen != 0 && EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, 394 taglen, NULL) <= 0) 395 || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { 396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 397 return 0; 398 } 399 400 return 1; 401} 402 403int tls13_change_cipher_state(SSL *s, int which) 404{ 405#ifdef CHARSET_EBCDIC 406 static const unsigned char client_early_traffic[] = {0x63, 0x20, 0x65, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 407 static const unsigned char client_handshake_traffic[] = {0x63, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 408 static const unsigned char client_application_traffic[] = {0x63, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 409 static const unsigned char server_handshake_traffic[] = {0x73, 0x20, 0x68, 0x73, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 410 static const unsigned char server_application_traffic[] = {0x73, 0x20, 0x61, 0x70, 0x20, /*traffic*/0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x00}; 411 static const unsigned char exporter_master_secret[] = {0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 412 static const unsigned char resumption_master_secret[] = {0x72, 0x65, 0x73, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 413 static const unsigned char early_exporter_master_secret[] = {0x65, 0x20, 0x65, 0x78, 0x70, 0x20, /* master*/ 0x6D, 0x61, 0x73, 0x74, 0x65, 0x72, 0x00}; 414#else 415 static const unsigned char client_early_traffic[] = "c e traffic"; 416 static const unsigned char client_handshake_traffic[] = "c hs traffic"; 417 static const unsigned char client_application_traffic[] = "c ap traffic"; 418 static const unsigned char server_handshake_traffic[] = "s hs traffic"; 419 static const unsigned char server_application_traffic[] = "s ap traffic"; 420 static const unsigned char exporter_master_secret[] = "exp master"; 421 static const unsigned char resumption_master_secret[] = "res master"; 422 static const unsigned char early_exporter_master_secret[] = "e exp master"; 423#endif 424 unsigned char *iv; 425 unsigned char key[EVP_MAX_KEY_LENGTH]; 426 unsigned char secret[EVP_MAX_MD_SIZE]; 427 unsigned char hashval[EVP_MAX_MD_SIZE]; 428 unsigned char *hash = hashval; 429 unsigned char *insecret; 430 unsigned char *finsecret = NULL; 431 const char *log_label = NULL; 432 EVP_CIPHER_CTX *ciph_ctx; 433 size_t finsecretlen = 0; 434 const unsigned char *label; 435 size_t labellen, hashlen = 0; 436 int ret = 0; 437 const EVP_MD *md = NULL; 438 const EVP_CIPHER *cipher = NULL; 439#if !defined(OPENSSL_NO_KTLS) && defined(OPENSSL_KTLS_TLS13) 440 ktls_crypto_info_t crypto_info; 441 BIO *bio; 442#endif 443 444 if (which & SSL3_CC_READ) { 445 if (s->enc_read_ctx != NULL) { 446 EVP_CIPHER_CTX_reset(s->enc_read_ctx); 447 } else { 448 s->enc_read_ctx = EVP_CIPHER_CTX_new(); 449 if (s->enc_read_ctx == NULL) { 450 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 451 goto err; 452 } 453 } 454 ciph_ctx = s->enc_read_ctx; 455 iv = s->read_iv; 456 457 RECORD_LAYER_reset_read_sequence(&s->rlayer); 458 } else { 459 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 460 if (s->enc_write_ctx != NULL) { 461 EVP_CIPHER_CTX_reset(s->enc_write_ctx); 462 } else { 463 s->enc_write_ctx = EVP_CIPHER_CTX_new(); 464 if (s->enc_write_ctx == NULL) { 465 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 466 goto err; 467 } 468 } 469 ciph_ctx = s->enc_write_ctx; 470 iv = s->write_iv; 471 472 RECORD_LAYER_reset_write_sequence(&s->rlayer); 473 } 474 475 if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) 476 || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { 477 if (which & SSL3_CC_EARLY) { 478 EVP_MD_CTX *mdctx = NULL; 479 long handlen; 480 void *hdata; 481 unsigned int hashlenui; 482 const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); 483 484 insecret = s->early_secret; 485 label = client_early_traffic; 486 labellen = sizeof(client_early_traffic) - 1; 487 log_label = CLIENT_EARLY_LABEL; 488 489 handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); 490 if (handlen <= 0) { 491 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); 492 goto err; 493 } 494 495 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING 496 && s->max_early_data > 0 497 && s->session->ext.max_early_data == 0) { 498 /* 499 * If we are attempting to send early data, and we've decided to 500 * actually do it but max_early_data in s->session is 0 then we 501 * must be using an external PSK. 502 */ 503 if (!ossl_assert(s->psksession != NULL 504 && s->max_early_data == 505 s->psksession->ext.max_early_data)) { 506 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 507 goto err; 508 } 509 sslcipher = SSL_SESSION_get0_cipher(s->psksession); 510 } 511 if (sslcipher == NULL) { 512 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); 513 goto err; 514 } 515 516 /* 517 * We need to calculate the handshake digest using the digest from 518 * the session. We haven't yet selected our ciphersuite so we can't 519 * use ssl_handshake_md(). 520 */ 521 mdctx = EVP_MD_CTX_new(); 522 if (mdctx == NULL) { 523 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 524 goto err; 525 } 526 527 /* 528 * This ups the ref count on cipher so we better make sure we free 529 * it again 530 */ 531 if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) { 532 /* Error is already recorded */ 533 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 534 EVP_MD_CTX_free(mdctx); 535 goto err; 536 } 537 538 md = ssl_md(s->ctx, sslcipher->algorithm2); 539 if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL) 540 || !EVP_DigestUpdate(mdctx, hdata, handlen) 541 || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) { 542 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 543 EVP_MD_CTX_free(mdctx); 544 goto err; 545 } 546 hashlen = hashlenui; 547 EVP_MD_CTX_free(mdctx); 548 549 if (!tls13_hkdf_expand(s, md, insecret, 550 early_exporter_master_secret, 551 sizeof(early_exporter_master_secret) - 1, 552 hashval, hashlen, 553 s->early_exporter_master_secret, hashlen, 554 1)) { 555 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 556 goto err; 557 } 558 559 if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, 560 s->early_exporter_master_secret, hashlen)) { 561 /* SSLfatal() already called */ 562 goto err; 563 } 564 } else if (which & SSL3_CC_HANDSHAKE) { 565 insecret = s->handshake_secret; 566 finsecret = s->client_finished_secret; 567 finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); 568 label = client_handshake_traffic; 569 labellen = sizeof(client_handshake_traffic) - 1; 570 log_label = CLIENT_HANDSHAKE_LABEL; 571 /* 572 * The handshake hash used for the server read/client write handshake 573 * traffic secret is the same as the hash for the server 574 * write/client read handshake traffic secret. However, if we 575 * processed early data then we delay changing the server 576 * read/client write cipher state until later, and the handshake 577 * hashes have moved on. Therefore we use the value saved earlier 578 * when we did the server write/client read change cipher state. 579 */ 580 hash = s->handshake_traffic_hash; 581 } else { 582 insecret = s->master_secret; 583 label = client_application_traffic; 584 labellen = sizeof(client_application_traffic) - 1; 585 log_label = CLIENT_APPLICATION_LABEL; 586 /* 587 * For this we only use the handshake hashes up until the server 588 * Finished hash. We do not include the client's Finished, which is 589 * what ssl_handshake_hash() would give us. Instead we use the 590 * previously saved value. 591 */ 592 hash = s->server_finished_hash; 593 } 594 } else { 595 /* Early data never applies to client-read/server-write */ 596 if (which & SSL3_CC_HANDSHAKE) { 597 insecret = s->handshake_secret; 598 finsecret = s->server_finished_secret; 599 finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); 600 label = server_handshake_traffic; 601 labellen = sizeof(server_handshake_traffic) - 1; 602 log_label = SERVER_HANDSHAKE_LABEL; 603 } else { 604 insecret = s->master_secret; 605 label = server_application_traffic; 606 labellen = sizeof(server_application_traffic) - 1; 607 log_label = SERVER_APPLICATION_LABEL; 608 } 609 } 610 611 if (!(which & SSL3_CC_EARLY)) { 612 md = ssl_handshake_md(s); 613 cipher = s->s3.tmp.new_sym_enc; 614 if (!ssl3_digest_cached_records(s, 1) 615 || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { 616 /* SSLfatal() already called */; 617 goto err; 618 } 619 } 620 621 /* 622 * Save the hash of handshakes up to now for use when we calculate the 623 * client application traffic secret 624 */ 625 if (label == server_application_traffic) 626 memcpy(s->server_finished_hash, hashval, hashlen); 627 628 if (label == server_handshake_traffic) 629 memcpy(s->handshake_traffic_hash, hashval, hashlen); 630 631 if (label == client_application_traffic) { 632 /* 633 * We also create the resumption master secret, but this time use the 634 * hash for the whole handshake including the Client Finished 635 */ 636 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 637 resumption_master_secret, 638 sizeof(resumption_master_secret) - 1, 639 hashval, hashlen, s->resumption_master_secret, 640 hashlen, 1)) { 641 /* SSLfatal() already called */ 642 goto err; 643 } 644 } 645 646 /* check whether cipher is known */ 647 if(!ossl_assert(cipher != NULL)) 648 goto err; 649 650 if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, 651 insecret, hash, label, labellen, secret, key, 652 iv, ciph_ctx)) { 653 /* SSLfatal() already called */ 654 goto err; 655 } 656 657 if (label == server_application_traffic) { 658 memcpy(s->server_app_traffic_secret, secret, hashlen); 659 /* Now we create the exporter master secret */ 660 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, 661 exporter_master_secret, 662 sizeof(exporter_master_secret) - 1, 663 hash, hashlen, s->exporter_master_secret, 664 hashlen, 1)) { 665 /* SSLfatal() already called */ 666 goto err; 667 } 668 669 if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, 670 hashlen)) { 671 /* SSLfatal() already called */ 672 goto err; 673 } 674 } else if (label == client_application_traffic) 675 memcpy(s->client_app_traffic_secret, secret, hashlen); 676 677 if (!ssl_log_secret(s, log_label, secret, hashlen)) { 678 /* SSLfatal() already called */ 679 goto err; 680 } 681 682 if (finsecret != NULL 683 && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, 684 finsecret, finsecretlen)) { 685 /* SSLfatal() already called */ 686 goto err; 687 } 688 689 if (!s->server && label == client_early_traffic) 690 s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; 691 else 692 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 693#ifndef OPENSSL_NO_KTLS 694# if defined(OPENSSL_KTLS_TLS13) 695 if (!(which & SSL3_CC_WRITE) 696 || !(which & SSL3_CC_APPLICATION) 697 || (s->options & SSL_OP_ENABLE_KTLS) == 0) 698 goto skip_ktls; 699 700 /* ktls supports only the maximum fragment size */ 701 if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) 702 goto skip_ktls; 703 704 /* ktls does not support record padding */ 705 if (s->record_padding_cb != NULL) 706 goto skip_ktls; 707 708 /* check that cipher is supported */ 709 if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) 710 goto skip_ktls; 711 712 bio = s->wbio; 713 714 if (!ossl_assert(bio != NULL)) { 715 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 716 goto err; 717 } 718 719 /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ 720 if (BIO_flush(bio) <= 0) 721 goto skip_ktls; 722 723 /* configure kernel crypto structure */ 724 if (!ktls_configure_crypto(s, cipher, ciph_ctx, 725 RECORD_LAYER_get_write_sequence(&s->rlayer), 726 &crypto_info, NULL, iv, key, NULL, 0)) 727 goto skip_ktls; 728 729 /* ktls works with user provided buffers directly */ 730 if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) 731 ssl3_release_write_buffer(s); 732skip_ktls: 733# endif 734#endif 735 ret = 1; 736 err: 737 if ((which & SSL3_CC_EARLY) != 0) { 738 /* We up-refed this so now we need to down ref */ 739 ssl_evp_cipher_free(cipher); 740 } 741 OPENSSL_cleanse(key, sizeof(key)); 742 OPENSSL_cleanse(secret, sizeof(secret)); 743 return ret; 744} 745 746int tls13_update_key(SSL *s, int sending) 747{ 748#ifdef CHARSET_EBCDIC 749 static const unsigned char application_traffic[] = { 0x74, 0x72 ,0x61 ,0x66 ,0x66 ,0x69 ,0x63 ,0x20 ,0x75 ,0x70 ,0x64, 0x00}; 750#else 751 static const unsigned char application_traffic[] = "traffic upd"; 752#endif 753 const EVP_MD *md = ssl_handshake_md(s); 754 size_t hashlen; 755 unsigned char key[EVP_MAX_KEY_LENGTH]; 756 unsigned char *insecret, *iv; 757 unsigned char secret[EVP_MAX_MD_SIZE]; 758 char *log_label; 759 EVP_CIPHER_CTX *ciph_ctx; 760 int ret = 0, l; 761 762 if ((l = EVP_MD_get_size(md)) <= 0) { 763 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 764 return 0; 765 } 766 hashlen = (size_t)l; 767 768 if (s->server == sending) 769 insecret = s->server_app_traffic_secret; 770 else 771 insecret = s->client_app_traffic_secret; 772 773 if (sending) { 774 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 775 iv = s->write_iv; 776 ciph_ctx = s->enc_write_ctx; 777 RECORD_LAYER_reset_write_sequence(&s->rlayer); 778 } else { 779 iv = s->read_iv; 780 ciph_ctx = s->enc_read_ctx; 781 RECORD_LAYER_reset_read_sequence(&s->rlayer); 782 } 783 784 if (!derive_secret_key_and_iv(s, sending, md, 785 s->s3.tmp.new_sym_enc, insecret, NULL, 786 application_traffic, 787 sizeof(application_traffic) - 1, secret, key, 788 iv, ciph_ctx)) { 789 /* SSLfatal() already called */ 790 goto err; 791 } 792 793 memcpy(insecret, secret, hashlen); 794 795 /* Call Key log on successful traffic secret update */ 796 log_label = s->server == sending ? SERVER_APPLICATION_N_LABEL : CLIENT_APPLICATION_N_LABEL; 797 if (!ssl_log_secret(s, log_label, secret, hashlen)) { 798 /* SSLfatal() already called */ 799 goto err; 800 } 801 802 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 803 ret = 1; 804 err: 805 OPENSSL_cleanse(key, sizeof(key)); 806 OPENSSL_cleanse(secret, sizeof(secret)); 807 return ret; 808} 809 810int tls13_alert_code(int code) 811{ 812 /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */ 813 if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED) 814 return code; 815 816 return tls1_alert_code(code); 817} 818 819int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, 820 const char *label, size_t llen, 821 const unsigned char *context, 822 size_t contextlen, int use_context) 823{ 824 unsigned char exportsecret[EVP_MAX_MD_SIZE]; 825#ifdef CHARSET_EBCDIC 826 static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; 827#else 828 static const unsigned char exporterlabel[] = "exporter"; 829#endif 830 unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 831 const EVP_MD *md = ssl_handshake_md(s); 832 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 833 unsigned int hashsize, datalen; 834 int ret = 0; 835 836 if (ctx == NULL || md == NULL || !ossl_statem_export_allowed(s)) 837 goto err; 838 839 if (!use_context) 840 contextlen = 0; 841 842 if (EVP_DigestInit_ex(ctx, md, NULL) <= 0 843 || EVP_DigestUpdate(ctx, context, contextlen) <= 0 844 || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 845 || EVP_DigestInit_ex(ctx, md, NULL) <= 0 846 || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 847 || !tls13_hkdf_expand(s, md, s->exporter_master_secret, 848 (const unsigned char *)label, llen, 849 data, datalen, exportsecret, hashsize, 0) 850 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 851 sizeof(exporterlabel) - 1, hash, hashsize, 852 out, olen, 0)) 853 goto err; 854 855 ret = 1; 856 err: 857 EVP_MD_CTX_free(ctx); 858 return ret; 859} 860 861int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, 862 const char *label, size_t llen, 863 const unsigned char *context, 864 size_t contextlen) 865{ 866#ifdef CHARSET_EBCDIC 867 static const unsigned char exporterlabel[] = {0x65, 0x78, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x72, 0x00}; 868#else 869 static const unsigned char exporterlabel[] = "exporter"; 870#endif 871 unsigned char exportsecret[EVP_MAX_MD_SIZE]; 872 unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE]; 873 const EVP_MD *md; 874 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 875 unsigned int hashsize, datalen; 876 int ret = 0; 877 const SSL_CIPHER *sslcipher; 878 879 if (ctx == NULL || !ossl_statem_export_early_allowed(s)) 880 goto err; 881 882 if (!s->server && s->max_early_data > 0 883 && s->session->ext.max_early_data == 0) 884 sslcipher = SSL_SESSION_get0_cipher(s->psksession); 885 else 886 sslcipher = SSL_SESSION_get0_cipher(s->session); 887 888 md = ssl_md(s->ctx, sslcipher->algorithm2); 889 890 /* 891 * Calculate the hash value and store it in |data|. The reason why 892 * the empty string is used is that the definition of TLS-Exporter 893 * is like so: 894 * 895 * TLS-Exporter(label, context_value, key_length) = 896 * HKDF-Expand-Label(Derive-Secret(Secret, label, ""), 897 * "exporter", Hash(context_value), key_length) 898 * 899 * Derive-Secret(Secret, Label, Messages) = 900 * HKDF-Expand-Label(Secret, Label, 901 * Transcript-Hash(Messages), Hash.length) 902 * 903 * Here Transcript-Hash is the cipher suite hash algorithm. 904 */ 905 if (md == NULL 906 || EVP_DigestInit_ex(ctx, md, NULL) <= 0 907 || EVP_DigestUpdate(ctx, context, contextlen) <= 0 908 || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0 909 || EVP_DigestInit_ex(ctx, md, NULL) <= 0 910 || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0 911 || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, 912 (const unsigned char *)label, llen, 913 data, datalen, exportsecret, hashsize, 0) 914 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, 915 sizeof(exporterlabel) - 1, hash, hashsize, 916 out, olen, 0)) 917 goto err; 918 919 ret = 1; 920 err: 921 EVP_MD_CTX_free(ctx); 922 return ret; 923} 924