/* * Given a |secret|; a |label| of length |labellen|; and a |hash| of the * handshake messages, derive a new secret |outlen| bytes long and store it in * the location pointed to be |out|. The |hash| value may be NULL. Returns 1 on * success 0 on failure. */ static int tls13_hkdf_expand(SSL *s, const unsigned char *secret, const unsigned char *label, size_t labellen, const unsigned char *hash, unsigned char *out, size_t outlen) { const unsigned char label_prefix[] = "TLS 1.3, "; const EVP_MD *md = ssl_handshake_md(s); EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); int ret; size_t hkdflabellen; size_t hashlen; /* * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined * prefix and label + bytes for the label itself + bytes for the hash */ unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN + EVP_MAX_MD_SIZE]; WPACKET pkt; if (pctx == NULL) return 0; hashlen = EVP_MD_size(md); if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) || !WPACKET_put_bytes_u16(&pkt, outlen) || !WPACKET_start_sub_packet_u8(&pkt) || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1) || !WPACKET_memcpy(&pkt, label, labellen) || !WPACKET_close(&pkt) || !WPACKET_sub_memcpy_u8(&pkt, hash, (hash == NULL) ? 0 : hashlen) || !WPACKET_get_total_written(&pkt, &hkdflabellen) || !WPACKET_finish(&pkt)) { WPACKET_cleanup(&pkt); return 0; } ret = EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0 || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0 || EVP_PKEY_derive(pctx, out, &outlen) <= 0; EVP_PKEY_CTX_free(pctx); return ret == 0; }
static int test_kdf_hkdf(void) { int ret = 0; EVP_PKEY_CTX *pctx; unsigned char out[10]; size_t outlen = sizeof(out); if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) { TEST_error("EVP_PKEY_HKDF"); goto err; } if (EVP_PKEY_derive_init(pctx) <= 0) { TEST_error("EVP_PKEY_derive_init"); goto err; } if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) { TEST_error("EVP_PKEY_CTX_set_hkdf_md"); goto err; } if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0) { TEST_error("EVP_PKEY_CTX_set1_hkdf_salt"); goto err; } if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0) { TEST_error("EVP_PKEY_CTX_set1_hkdf_key"); goto err; } if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0) { TEST_error("EVP_PKEY_CTX_set1_hkdf_info"); goto err; } if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { TEST_error("EVP_PKEY_derive"); goto err; } { const unsigned char expected[sizeof(out)] = { 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 }; if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { goto err; } } ret = 1; err: EVP_PKEY_CTX_free(pctx); return ret; }
static int test_HKDF(void) { EVP_PKEY_CTX *pctx; unsigned char out[20]; size_t outlen; int i, ret = 0; unsigned char salt[] = "0123456789"; unsigned char key[] = "012345678901234567890123456789"; unsigned char info[] = "infostring"; const unsigned char expected[] = { 0xe5, 0x07, 0x70, 0x7f, 0xc6, 0x78, 0xd6, 0x54, 0x32, 0x5f, 0x7e, 0xc5, 0x7b, 0x59, 0x3e, 0xd8, 0x03, 0x6b, 0xed, 0xca }; size_t expectedlen = sizeof(expected); if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL))) goto done; /* We do this twice to test reuse of the EVP_PKEY_CTX */ for (i = 0; i < 2; i++) { outlen = sizeof(out); memset(out, 0, outlen); if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0) || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0) || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, sizeof(salt) - 1), 0) || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key, sizeof(key) - 1), 0) || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, sizeof(info) - 1), 0) || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0) || !TEST_mem_eq(out, outlen, expected, expectedlen)) goto done; } ret = 1; done: EVP_PKEY_CTX_free(pctx); return ret; }
/* * Given a |secret|; a |label| of length |labellen|; and |data| of length * |datalen| (e.g. typically a hash of the handshake messages), derive a new * secret |outlen| bytes long and store it in the location pointed to be |out|. * The |data| value may be zero length. Any errors will be treated as fatal if * |fatal| is set. Returns 1 on success 0 on failure. */ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, const unsigned char *label, size_t labellen, const unsigned char *data, size_t datalen, unsigned char *out, size_t outlen, int fatal) { static const unsigned char label_prefix[] = "tls13 "; EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); int ret; size_t hkdflabellen; size_t hashlen; /* * 2 bytes for length of derived secret + 1 byte for length of combined * prefix and label + bytes for the label itself + 1 byte length of hash * + bytes for the hash itself */ unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) + + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN + 1 + EVP_MAX_MD_SIZE]; WPACKET pkt; if (pctx == NULL) return 0; if (labellen > TLS13_MAX_LABEL_LEN) { if (fatal) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); } else { /* * Probably we have been called from SSL_export_keying_material(), * or SSL_export_keying_material_early(). */ SSLerr(SSL_F_TLS13_HKDF_EXPAND, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); } EVP_PKEY_CTX_free(pctx); return 0; } hashlen = EVP_MD_size(md); if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0) || !WPACKET_put_bytes_u16(&pkt, outlen) || !WPACKET_start_sub_packet_u8(&pkt) || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1) || !WPACKET_memcpy(&pkt, label, labellen) || !WPACKET_close(&pkt) || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen) || !WPACKET_get_total_written(&pkt, &hkdflabellen) || !WPACKET_finish(&pkt)) { EVP_PKEY_CTX_free(pctx); WPACKET_cleanup(&pkt); if (fatal) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); else SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); return 0; } ret = EVP_PKEY_derive_init(pctx) <= 0 || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0 || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0 || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0 || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0 || EVP_PKEY_derive(pctx, out, &outlen) <= 0; EVP_PKEY_CTX_free(pctx); if (ret != 0) { if (fatal) SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); else SSLerr(SSL_F_TLS13_HKDF_EXPAND, ERR_R_INTERNAL_ERROR); } return ret == 0; }