static int test_secret(SSL *s, unsigned char *prk, const unsigned char *label, size_t labellen, const unsigned char *ref_secret, const unsigned char *ref_key, const unsigned char *ref_iv) { size_t hashsize; unsigned char gensecret[EVP_MAX_MD_SIZE]; unsigned char hash[EVP_MAX_MD_SIZE]; unsigned char key[KEYLEN]; unsigned char iv[IVLEN]; const EVP_MD *md = ssl_handshake_md(s); if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) { fprintf(stderr, "Failed to get hash\n"); return 0; } if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, gensecret, hashsize)) { fprintf(stderr, "Secret generation failed\n"); return 0; } if (memcmp(gensecret, ref_secret, hashsize) != 0) { fprintf(stderr, "Generated secret does not match\n"); return 0; } if (!tls13_derive_key(s, gensecret, key, KEYLEN)) { fprintf(stderr, "Key generation failed\n"); return 0; } if (memcmp(key, ref_key, KEYLEN) != 0) { fprintf(stderr, "Generated key does not match\n"); return 0; } if (!tls13_derive_iv(s, gensecret, iv, IVLEN)) { fprintf(stderr, "IV generation failed\n"); return 0; } if (memcmp(iv, ref_iv, IVLEN) != 0) { fprintf(stderr, "Generated IV does not match\n"); return 0; } return 1; }
static int test_secret(SSL *s, unsigned char *prk, const unsigned char *label, size_t labellen, const unsigned char *ref_secret, const unsigned char *ref_key, const unsigned char *ref_iv) { size_t hashsize; unsigned char gensecret[EVP_MAX_MD_SIZE]; unsigned char hash[EVP_MAX_MD_SIZE]; unsigned char key[KEYLEN]; unsigned char iv[IVLEN]; const EVP_MD *md = ssl_handshake_md(s); if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashsize)) { TEST_error("Failed to get hash"); return 0; } if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize, gensecret, hashsize)) { TEST_error("Secret generation failed"); return 0; } if (!TEST_mem_eq(gensecret, hashsize, ref_secret, hashsize)) return 0; if (!tls13_derive_key(s, md, gensecret, key, KEYLEN)) { TEST_error("Key generation failed"); return 0; } if (!TEST_mem_eq(key, KEYLEN, ref_key, KEYLEN)) return 0; if (!tls13_derive_iv(s, md, gensecret, iv, IVLEN)) { TEST_error("IV generation failed"); return 0; } if (!TEST_mem_eq(iv, IVLEN, ref_iv, IVLEN)) return 0; return 1; }
static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, const EVP_CIPHER *ciph, const unsigned char *insecret, const unsigned char *hash, const unsigned char *label, size_t labellen, unsigned char *secret, unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx) { unsigned char key[EVP_MAX_KEY_LENGTH]; size_t ivlen, keylen, taglen; int hashleni = EVP_MD_size(md); size_t hashlen; /* Ensure cast to size_t is safe */ if (!ossl_assert(hashleni >= 0)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_EVP_LIB); goto err; } hashlen = (size_t)hashleni; if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, secret, hashlen, 1)) { /* SSLfatal() already called */ goto err; } /* TODO(size_t): convert me */ keylen = EVP_CIPHER_key_length(ciph); if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { uint32_t algenc; ivlen = EVP_CCM_TLS_IV_LEN; if (s->s3->tmp.new_cipher == NULL) { /* We've not selected a cipher yet - we must be doing early data */ algenc = s->session->cipher->algorithm_enc; } else { algenc = s->s3->tmp.new_cipher->algorithm_enc; } if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8)) taglen = EVP_CCM8_TLS_TAG_LEN; else taglen = EVP_CCM_TLS_TAG_LEN; } else { ivlen = EVP_CIPHER_iv_length(ciph); taglen = 0; } if (!tls13_derive_key(s, md, secret, key, keylen) || !tls13_derive_iv(s, md, secret, iv, ivlen)) { /* SSLfatal() already called */ goto err; } if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0 || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL) || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)) || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_EVP_LIB); goto err; } return 1; err: OPENSSL_cleanse(key, sizeof(key)); return 0; }
int tls13_change_cipher_state(SSL *s, int which) { static const unsigned char client_handshake_traffic[] = "client handshake traffic secret"; static const unsigned char client_application_traffic[] = "client application traffic secret"; static const unsigned char server_handshake_traffic[] = "server handshake traffic secret"; static const unsigned char server_application_traffic[] = "server application traffic secret"; unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char secret[EVP_MAX_MD_SIZE]; unsigned char *insecret; unsigned char *finsecret = NULL; EVP_CIPHER_CTX *ciph_ctx; const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc; size_t ivlen, keylen, finsecretlen = 0; const unsigned char *label; size_t labellen; int ret = 0; if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) { EVP_CIPHER_CTX_reset(s->enc_read_ctx); } else { s->enc_read_ctx = EVP_CIPHER_CTX_new(); if (s->enc_read_ctx == NULL) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); goto err; } } ciph_ctx = s->enc_read_ctx; RECORD_LAYER_reset_read_sequence(&s->rlayer); } else { if (s->enc_write_ctx != NULL) { EVP_CIPHER_CTX_reset(s->enc_write_ctx); } else { s->enc_write_ctx = EVP_CIPHER_CTX_new(); if (s->enc_write_ctx == NULL) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); goto err; } } ciph_ctx = s->enc_write_ctx; RECORD_LAYER_reset_write_sequence(&s->rlayer); } if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->client_finished_secret; finsecretlen = sizeof(s->client_finished_secret); label = client_handshake_traffic; labellen = sizeof(client_handshake_traffic) - 1; } else { insecret = s->session->master_key; label = client_application_traffic; labellen = sizeof(client_application_traffic) - 1; } } else { if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->server_finished_secret; finsecretlen = sizeof(s->server_finished_secret); label = server_handshake_traffic; labellen = sizeof(server_handshake_traffic) - 1; } else { insecret = s->session->master_key; label = server_application_traffic; labellen = sizeof(server_application_traffic) - 1; } } if (!tls13_derive_secret(s, insecret, label, labellen, secret)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } /* TODO(size_t): convert me */ keylen = EVP_CIPHER_key_length(ciph); if (EVP_CIPHER_mode(ciph) == EVP_CIPH_GCM_MODE) ivlen = EVP_GCM_TLS_FIXED_IV_LEN; else if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) ivlen = EVP_CCM_TLS_FIXED_IV_LEN; else ivlen = EVP_CIPHER_iv_length(ciph); if (!tls13_derive_key(s, secret, key, keylen) || !tls13_derive_iv(s, secret, iv, ivlen) || (finsecret != NULL && !tls13_derive_finishedkey(s, secret, finsecret, finsecretlen))) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } if (EVP_CIPHER_mode(ciph) == EVP_CIPH_GCM_MODE) { if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL, (which & SSL3_CC_WRITE)) || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_GCM_SET_IV_FIXED, (int)ivlen, iv)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB); goto err; } } else if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) { int taglen; if (s->s3->tmp.new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) taglen = 8; else taglen = 16; if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_CCM_SET_IV_FIXED, (int)ivlen, iv) || !EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB); goto err; } } else { if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv, (which & SSL3_CC_WRITE))) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB); goto err; } } #ifdef OPENSSL_SSL_TRACE_CRYPTO if (s->msg_callback) { int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : 0; if (ciph->key_len) s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY, key, ciph->key_len, s, s->msg_callback_arg); if (ivlen) { if (EVP_CIPHER_mode(ciph) == EVP_CIPH_GCM_MODE) wh |= TLS1_RT_CRYPTO_FIXED_IV; else wh |= TLS1_RT_CRYPTO_IV; s->msg_callback(2, s->version, wh, iv, ivlen, s, s->msg_callback_arg); } } #endif ret = 1; err: OPENSSL_cleanse(secret, sizeof(secret)); OPENSSL_cleanse(key, sizeof(key)); OPENSSL_cleanse(iv, sizeof(iv)); return ret; }
int tls13_change_cipher_state(SSL *s, int which) { static const unsigned char client_handshake_traffic[] = "client handshake traffic secret"; static const unsigned char client_application_traffic[] = "client application traffic secret"; static const unsigned char server_handshake_traffic[] = "server handshake traffic secret"; static const unsigned char server_application_traffic[] = "server application traffic secret"; static const unsigned char resumption_master_secret[] = "resumption master secret"; unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char *iv; unsigned char secret[EVP_MAX_MD_SIZE]; unsigned char hashval[EVP_MAX_MD_SIZE]; unsigned char *hash = hashval; unsigned char *insecret; unsigned char *finsecret = NULL; const char *log_label = NULL; EVP_CIPHER_CTX *ciph_ctx; const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc; size_t ivlen, keylen, finsecretlen = 0; const unsigned char *label; size_t labellen, hashlen = 0; int ret = 0; if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) { EVP_CIPHER_CTX_reset(s->enc_read_ctx); } else { s->enc_read_ctx = EVP_CIPHER_CTX_new(); if (s->enc_read_ctx == NULL) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); goto err; } } ciph_ctx = s->enc_read_ctx; iv = s->read_iv; RECORD_LAYER_reset_read_sequence(&s->rlayer); } else { if (s->enc_write_ctx != NULL) { EVP_CIPHER_CTX_reset(s->enc_write_ctx); } else { s->enc_write_ctx = EVP_CIPHER_CTX_new(); if (s->enc_write_ctx == NULL) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); goto err; } } ciph_ctx = s->enc_write_ctx; iv = s->write_iv; RECORD_LAYER_reset_write_sequence(&s->rlayer); } if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE)) || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) { if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->client_finished_secret; finsecretlen = EVP_MD_size(ssl_handshake_md(s)); label = client_handshake_traffic; labellen = sizeof(client_handshake_traffic) - 1; log_label = CLIENT_HANDSHAKE_LABEL; } else { insecret = s->master_secret; label = client_application_traffic; labellen = sizeof(client_application_traffic) - 1; log_label = CLIENT_APPLICATION_LABEL; /* * For this we only use the handshake hashes up until the server * Finished hash. We do not include the client's Finished, which is * what ssl_handshake_hash() would give us. Instead we use the * previously saved value. */ hash = s->server_finished_hash; } } else { if (which & SSL3_CC_HANDSHAKE) { insecret = s->handshake_secret; finsecret = s->server_finished_secret; finsecretlen = EVP_MD_size(ssl_handshake_md(s)); label = server_handshake_traffic; labellen = sizeof(server_handshake_traffic) - 1; log_label = SERVER_HANDSHAKE_LABEL; } else { insecret = s->master_secret; label = server_application_traffic; labellen = sizeof(server_application_traffic) - 1; log_label = SERVER_APPLICATION_LABEL; } } if (!ssl3_digest_cached_records(s, 1) || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } /* * Save the hash of handshakes up to now for use when we calculate the * client application traffic secret */ if (label == server_application_traffic) memcpy(s->server_finished_hash, hashval, hashlen); if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, label, labellen, hash, secret, hashlen)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } if (label == client_application_traffic) { /* * We also create the resumption master secret, but this time use the * hash for the whole handshake including the Client Finished */ if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, resumption_master_secret, sizeof(resumption_master_secret) - 1, hashval, s->session->master_key, hashlen)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } s->session->master_key_length = hashlen; } /* TODO(size_t): convert me */ keylen = EVP_CIPHER_key_length(ciph); ivlen = EVP_CIPHER_iv_length(ciph); if (!ssl_log_secret(s, log_label, secret, hashlen)) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } if (!tls13_derive_key(s, secret, key, keylen) || !tls13_derive_iv(s, secret, iv, ivlen) || (finsecret != NULL && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, finsecret, finsecretlen))) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; } if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL, (which & SSL3_CC_WRITE)) <= 0) { SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB); goto err; } #ifdef OPENSSL_SSL_TRACE_CRYPTO if (s->msg_callback) { int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : 0; if (ciph->key_len) s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY, key, ciph->key_len, s, s->msg_callback_arg); wh |= TLS1_RT_CRYPTO_IV; s->msg_callback(2, s->version, wh, iv, ivlen, s, s->msg_callback_arg); } #endif ret = 1; err: OPENSSL_cleanse(secret, sizeof(secret)); OPENSSL_cleanse(key, sizeof(key)); return ret; }