/*
 * Perform a TLS 1.3 KeyUpdate for one direction: derive the next-generation
 * application traffic secret from the current one, re-key the matching
 * record-layer cipher context/IV, reset that direction's record sequence
 * number, and store the new secret back into the SSL object so that the
 * following update chains from it.
 *
 * |sending| non-zero selects the write direction, zero the read direction.
 * Returns 1 on success, 0 on failure; on failure derive_secret_key_and_iv()
 * has already called SSLfatal(). The stack copy of the new secret is
 * cleansed on both paths.
 */
int tls13_update_key(SSL *s, int sending)
{
    static const unsigned char application_traffic[] = "traffic upd";
    const EVP_MD *md = ssl_handshake_md(s);
    size_t hashlen = EVP_MD_size(md);
    unsigned char newsecret[EVP_MAX_MD_SIZE];
    unsigned char *cursecret;
    unsigned char *ivbuf;
    EVP_CIPHER_CTX *cctx;
    int ok = 0;

    /*
     * The secret being rolled is the server one exactly when we are the
     * server and sending, or the client and receiving.
     */
    cursecret = (s->server == sending) ? s->server_app_traffic_secret
                                       : s->client_app_traffic_secret;

    if (sending) {
        /* Nothing may be written until the new key has been installed. */
        s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
        ivbuf = s->write_iv;
        cctx = s->enc_write_ctx;
        RECORD_LAYER_reset_write_sequence(&s->rlayer);
    } else {
        ivbuf = s->read_iv;
        cctx = s->enc_read_ctx;
        RECORD_LAYER_reset_read_sequence(&s->rlayer);
    }

    /* No transcript hash is involved in a key update (NULL hash argument). */
    if (derive_secret_key_and_iv(s, sending, md, s->s3->tmp.new_sym_enc,
                                 cursecret, NULL, application_traffic,
                                 sizeof(application_traffic) - 1, newsecret,
                                 ivbuf, cctx)) {
        /* Chain: the derived secret is the input to the next update. */
        memcpy(cursecret, newsecret, hashlen);
        s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
        ok = 1;
    }
    /* else: SSLfatal() already called by derive_secret_key_and_iv() */

    OPENSSL_cleanse(newsecret, sizeof(newsecret));
    return ok;
}
/*
 * Install a new TLS 1.3 traffic key in one direction.
 *
 * |which| is a bitmask: SSL3_CC_READ/SSL3_CC_WRITE select the record-layer
 * direction, SSL3_CC_CLIENT/SSL3_CC_SERVER the peer whose traffic secret is
 * wanted, and SSL3_CC_EARLY/SSL3_CC_HANDSHAKE the key-schedule stage (neither
 * set means application traffic). The function picks the input secret, the
 * HKDF label and the transcript hash for that stage, derives the traffic
 * secret plus key/IV via derive_secret_key_and_iv(), and additionally
 * derives the exporter / resumption master secrets at the stages where the
 * required transcript hash is available.
 *
 * Returns 1 on success, 0 on failure. SSLfatal() has been called on every
 * failure path (here or in the callee, as the in-line comments record), so
 * callers must not report again. The stack copy of the derived secret is
 * cleansed on every exit.
 */
int tls13_change_cipher_state(SSL *s, int which)
{
    /* HKDF-Expand-Label label strings for each key-schedule stage. */
    static const unsigned char client_early_traffic[] = "c e traffic";
    static const unsigned char client_handshake_traffic[] = "c hs traffic";
    static const unsigned char client_application_traffic[] = "c ap traffic";
    static const unsigned char server_handshake_traffic[] = "s hs traffic";
    static const unsigned char server_application_traffic[] = "s ap traffic";
    static const unsigned char exporter_master_secret[] = "exp master";
    static const unsigned char resumption_master_secret[] = "res master";
    static const unsigned char early_exporter_master_secret[] = "e exp master";
    unsigned char *iv;
    unsigned char secret[EVP_MAX_MD_SIZE];
    unsigned char hashval[EVP_MAX_MD_SIZE];
    /* Transcript hash fed to the traffic-secret derivation; defaults to the
     * freshly computed hashval but some stages substitute a saved hash. */
    unsigned char *hash = hashval;
    unsigned char *insecret;
    /* Finished-key output buffer; stays NULL for stages without one. */
    unsigned char *finsecret = NULL;
    const char *log_label = NULL;
    EVP_CIPHER_CTX *ciph_ctx;
    size_t finsecretlen = 0;
    const unsigned char *label;
    size_t labellen, hashlen = 0;
    int ret = 0;
    const EVP_MD *md = NULL;
    const EVP_CIPHER *cipher = NULL;

    /* Select (and lazily allocate / reset) the cipher context and IV buffer
     * for the requested direction, and restart its sequence number. */
    if (which & SSL3_CC_READ) {
        if (s->enc_read_ctx != NULL) {
            EVP_CIPHER_CTX_reset(s->enc_read_ctx);
        } else {
            s->enc_read_ctx = EVP_CIPHER_CTX_new();
            if (s->enc_read_ctx == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE,
                         ERR_R_MALLOC_FAILURE);
                goto err;
            }
        }
        ciph_ctx = s->enc_read_ctx;
        iv = s->read_iv;
        RECORD_LAYER_reset_read_sequence(&s->rlayer);
    } else {
        /* Block writes until the new key is fully installed. */
        s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
        if (s->enc_write_ctx != NULL) {
            EVP_CIPHER_CTX_reset(s->enc_write_ctx);
        } else {
            s->enc_write_ctx = EVP_CIPHER_CTX_new();
            if (s->enc_write_ctx == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE,
                         ERR_R_MALLOC_FAILURE);
                goto err;
            }
        }
        ciph_ctx = s->enc_write_ctx;
        iv = s->write_iv;
        RECORD_LAYER_reset_write_sequence(&s->rlayer);
    }

    /* Client-write / server-read: the client's traffic secrets. */
    if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
        || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
        if (which & SSL3_CC_EARLY) {
            EVP_MD_CTX *mdctx = NULL;
            long handlen;
            void *hdata;
            unsigned int hashlenui;
            const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session);

            insecret = s->early_secret;
            label = client_early_traffic;
            labellen = sizeof(client_early_traffic) - 1;
            log_label = CLIENT_EARLY_LABEL;
            /* Raw handshake transcript collected so far (ClientHello). */
            handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
            if (handlen <= 0) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE,
                         SSL_R_BAD_HANDSHAKE_LENGTH);
                goto err;
            }
            if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
                && s->max_early_data > 0
                && s->session->ext.max_early_data == 0) {
                /*
                 * If we are attempting to send early data, and we've decided
                 * to actually do it but max_early_data in s->session is 0,
                 * then we must be using an external PSK: take the cipher from
                 * the PSK session instead.
                 */
                if (!ossl_assert(s->psksession != NULL
                                 && s->max_early_data ==
                                    s->psksession->ext.max_early_data)) {
                    SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                             SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
                    goto err;
                }
                sslcipher = SSL_SESSION_get0_cipher(s->psksession);
            }
            if (sslcipher == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE,
                         SSL_R_BAD_PSK);
                goto err;
            }
            /*
             * We need to calculate the handshake digest using the digest from
             * the session. We haven't yet selected our ciphersuite so we can't
             * use ssl_handshake_md().
             */
            mdctx = EVP_MD_CTX_new();
            if (mdctx == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE,
                         ERR_R_MALLOC_FAILURE);
                goto err;
            }
            cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher));
            md = ssl_md(sslcipher->algorithm2);
            if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)
                || !EVP_DigestUpdate(mdctx, hdata, handlen)
                || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE,
                         ERR_R_INTERNAL_ERROR);
                EVP_MD_CTX_free(mdctx);
                goto err;
            }
            hashlen = hashlenui;
            EVP_MD_CTX_free(mdctx);
            /* The early exporter master secret uses the same ClientHello hash. */
            if (!tls13_hkdf_expand(s, md, insecret, early_exporter_master_secret,
                                   sizeof(early_exporter_master_secret) - 1,
                                   hashval, hashlen,
                                   s->early_exporter_master_secret, hashlen, 1)) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_CHANGE_CIPHER_STATE,
                         ERR_R_INTERNAL_ERROR);
                goto err;
            }
            if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL,
                                s->early_exporter_master_secret, hashlen)) {
                /* SSLfatal() already called */
                goto err;
            }
        } else if (which & SSL3_CC_HANDSHAKE) {
            insecret = s->handshake_secret;
            finsecret = s->client_finished_secret;
            finsecretlen = EVP_MD_size(ssl_handshake_md(s));
            label = client_handshake_traffic;
            labellen = sizeof(client_handshake_traffic) - 1;
            log_label = CLIENT_HANDSHAKE_LABEL;
            /*
             * The handshake hash used for the server read/client write
             * handshake traffic secret is the same as the hash for the server
             * write/client read handshake traffic secret. However, if we
             * processed early data then we delay changing the server
             * read/client write cipher state until later, and the handshake
             * hashes have moved on. Therefore we use the value saved earlier
             * when we did the server write/client read change cipher state.
             */
            hash = s->handshake_traffic_hash;
        } else {
            insecret = s->master_secret;
            label = client_application_traffic;
            labellen = sizeof(client_application_traffic) - 1;
            log_label = CLIENT_APPLICATION_LABEL;
            /*
             * For this we only use the handshake hashes up until the server
             * Finished hash. We do not include the client's Finished, which is
             * what ssl_handshake_hash() would give us. Instead we use the
             * previously saved value.
             */
            hash = s->server_finished_hash;
        }
    } else {
        /* Early data never applies to client-read/server-write */
        if (which & SSL3_CC_HANDSHAKE) {
            insecret = s->handshake_secret;
            finsecret = s->server_finished_secret;
            finsecretlen = EVP_MD_size(ssl_handshake_md(s));
            label = server_handshake_traffic;
            labellen = sizeof(server_handshake_traffic) - 1;
            log_label = SERVER_HANDSHAKE_LABEL;
        } else {
            insecret = s->master_secret;
            label = server_application_traffic;
            labellen = sizeof(server_application_traffic) - 1;
            log_label = SERVER_APPLICATION_LABEL;
        }
    }

    /* Outside the early-data stage the negotiated digest/cipher are known and
     * the live transcript hash is computed into hashval. */
    if (!(which & SSL3_CC_EARLY)) {
        md = ssl_handshake_md(s);
        cipher = s->s3->tmp.new_sym_enc;
        if (!ssl3_digest_cached_records(s, 1)
            || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {
            /* SSLfatal() already called */;
            goto err;
        }
    }

    /*
     * Save the hash of handshakes up to now for use when we calculate the
     * client application traffic secret (and, for the handshake stage, the
     * delayed client handshake traffic secret).
     */
    if (label == server_application_traffic)
        memcpy(s->server_finished_hash, hashval, hashlen);
    if (label == server_handshake_traffic)
        memcpy(s->handshake_traffic_hash, hashval, hashlen);

    if (label == client_application_traffic) {
        /*
         * We also create the resumption master secret, but this time use the
         * hash for the whole handshake including the Client Finished
         */
        if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
                               resumption_master_secret,
                               sizeof(resumption_master_secret) - 1,
                               hashval, hashlen, s->resumption_master_secret,
                               hashlen, 1)) {
            /* SSLfatal() already called */
            goto err;
        }
    }

    /* Derive the traffic secret and install key/IV into ciph_ctx/iv; the
     * second argument is the "sending" flag. */
    if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,
                                  insecret, hash, label, labellen, secret, iv,
                                  ciph_ctx)) {
        /* SSLfatal() already called */
        goto err;
    }

    /* Retain the application traffic secrets: tls13_update_key() chains
     * subsequent KeyUpdates from them. */
    if (label == server_application_traffic) {
        memcpy(s->server_app_traffic_secret, secret, hashlen);
        /* Now we create the exporter master secret */
        if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
                               exporter_master_secret,
                               sizeof(exporter_master_secret) - 1,
                               hash, hashlen, s->exporter_master_secret, hashlen,
                               1)) {
            /* SSLfatal() already called */
            goto err;
        }
        if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret,
                            hashlen)) {
            /* SSLfatal() already called */
            goto err;
        }
    } else if (label == client_application_traffic)
        memcpy(s->client_app_traffic_secret, secret, hashlen);

    /* Key-log (SSLKEYLOGFILE-style) hook; no-op unless a callback is set. */
    if (!ssl_log_secret(s, log_label, secret, hashlen)) {
        /* SSLfatal() already called */
        goto err;
    }

    /* Handshake stages also yield the Finished key for this peer. */
    if (finsecret != NULL
        && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, finsecret,
                                     finsecretlen)) {
        /* SSLfatal() already called */
        goto err;
    }

    /* A client that has just installed its early traffic key may still need
     * to send alerts in plaintext; every other case is fully keyed. */
    if (!s->server && label == client_early_traffic)
        s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS;
    else
        s->statem.enc_write_state = ENC_WRITE_STATE_VALID;

    ret = 1;
 err:
    OPENSSL_cleanse(secret, sizeof(secret));
    return ret;
}
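/*
 * SSL 3.0 change-cipher-state: slice the MAC secret, key and IV for the
 * direction given by |which| out of the precomputed key block, install the
 * MAC digest (and compression context when enabled) and initialise the
 * cipher context. For export ciphersuites the final key and IV are derived
 * from the key-block material with MD5 over the client/server randoms
 * (SSL 3.0 export key derivation).
 *
 * Returns 1 on success, 0 on failure with an SSLerr() reason queued.
 * Export-key scratch buffers are cleansed and the digest context released
 * on every exit path.
 *
 * Changes from the previous revision: the MD5 digest calls and
 * EVP_CipherInit_ex() are now checked (a failed cipher init previously
 * returned success with an uninitialised context), and the digest context
 * is initialised up front so that the error path can always clean it up.
 */
int ssl3_change_cipher_state(SSL *s, int which)
{
    unsigned char *p, *mac_secret;
    unsigned char exp_key[EVP_MAX_KEY_LENGTH];
    unsigned char exp_iv[EVP_MAX_IV_LENGTH];
    unsigned char *ms, *key, *iv, *er1, *er2;
    EVP_CIPHER_CTX *dd;
    const EVP_CIPHER *c;
#ifndef OPENSSL_NO_COMP
    COMP_METHOD *comp;
#endif
    const EVP_MD *m;
    EVP_MD_CTX md;
    int is_exp, n, i, j, k, cl;
    int reuse_dd = 0;

    is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
    c = s->s3->tmp.new_sym_enc;
    m = s->s3->tmp.new_hash;
    /* m == NULL will lead to a crash later */
    OPENSSL_assert(m);
    /*
     * Initialise the digest context before any goto so that err2 can
     * unconditionally clean it up; cleanup of an unused context is a no-op.
     */
    EVP_MD_CTX_init(&md);
#ifndef OPENSSL_NO_COMP
    if (s->s3->tmp.new_compression == NULL)
        comp = NULL;
    else
        comp = s->s3->tmp.new_compression->method;
#endif

    if (which & SSL3_CC_READ) {
        if (s->enc_read_ctx != NULL)
            reuse_dd = 1;
        else if ((s->enc_read_ctx =
                  OPENSSL_malloc(sizeof(*s->enc_read_ctx))) == NULL)
            goto err;
        else
            /* make sure it's initialised in case we exit later with an error */
            EVP_CIPHER_CTX_init(s->enc_read_ctx);
        dd = s->enc_read_ctx;
        if (ssl_replace_hash(&s->read_hash, m) == NULL) {
            SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
#ifndef OPENSSL_NO_COMP
        /* COMPRESS */
        COMP_CTX_free(s->expand);
        s->expand = NULL;
        if (comp != NULL) {
            s->expand = COMP_CTX_new(comp);
            if (s->expand == NULL) {
                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
            if (!RECORD_LAYER_setup_comp_buffer(&s->rlayer))
                goto err;
        }
#endif
        RECORD_LAYER_reset_read_sequence(&s->rlayer);
        mac_secret = &(s->s3->read_mac_secret[0]);
    } else {
        if (s->enc_write_ctx != NULL)
            reuse_dd = 1;
        else if ((s->enc_write_ctx =
                  OPENSSL_malloc(sizeof(*s->enc_write_ctx))) == NULL)
            goto err;
        else
            /* make sure it's initialised in case we exit later with an error */
            EVP_CIPHER_CTX_init(s->enc_write_ctx);
        dd = s->enc_write_ctx;
        if (ssl_replace_hash(&s->write_hash, m) == NULL) {
            SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
#ifndef OPENSSL_NO_COMP
        /* COMPRESS */
        COMP_CTX_free(s->compress);
        s->compress = NULL;
        if (comp != NULL) {
            s->compress = COMP_CTX_new(comp);
            if (s->compress == NULL) {
                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
        }
#endif
        RECORD_LAYER_reset_write_sequence(&s->rlayer);
        mac_secret = &(s->s3->write_mac_secret[0]);
    }

    /* A context left over from a previous key must be wiped before reuse. */
    if (reuse_dd)
        EVP_CIPHER_CTX_cleanup(dd);

    p = s->s3->tmp.key_block;
    i = EVP_MD_size(m);            /* MAC secret length */
    if (i < 0) {
        SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }
    cl = EVP_CIPHER_key_length(c);
    /* Export suites are capped at the suite's export key length. */
    j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
                  cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
    k = EVP_CIPHER_iv_length(c);   /* IV length */

    /*
     * Key block layout: client MAC | server MAC | client key | server key |
     * client IV | server IV. The client-write/server-read side takes the
     * first slot of each pair, the other side the second. |n| tracks the
     * offset consumed so it can be bounds-checked against the block.
     */
    if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE)
        || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
        ms = &(p[0]);
        n = i + i;
        key = &(p[n]);
        n += j + j;
        iv = &(p[n]);
        n += k + k;
        er1 = &(s->s3->client_random[0]);
        er2 = &(s->s3->server_random[0]);
    } else {
        n = i;
        ms = &(p[n]);
        n += i + j;
        key = &(p[n]);
        n += j + k;
        iv = &(p[n]);
        n += k;
        er1 = &(s->s3->server_random[0]);
        er2 = &(s->s3->client_random[0]);
    }

    if (n > s->s3->tmp.key_block_length) {
        SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }

    memcpy(mac_secret, ms, i);

    if (is_exp) {
        /*
         * Export suites: final key = MD5(key-block key || er1 || er2) and,
         * when the cipher has an IV, final IV = MD5(er1 || er2). Both the
         * read and write scratch buffers are computed the same way; only
         * the one for this direction is used.
         */
        if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL)
            || !EVP_DigestUpdate(&md, key, j)
            || !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE)
            || !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE)
            || !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
            SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
        key = &(exp_key[0]);

        if (k > 0) {
            if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL)
                || !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE)
                || !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE)
                || !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
                goto err2;
            }
            iv = &(exp_iv[0]);
        }
    }

    /* The final argument selects encrypt (write) vs decrypt (read). */
    if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
        SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }

#ifdef OPENSSL_SSL_TRACE_CRYPTO
    if (s->msg_callback) {
        int wh = which & SSL3_CC_WRITE ?
            TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
        s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
                        mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
        if (c->key_len)
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
                            key, c->key_len, s, s->msg_callback_arg);
        if (k) {
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
                            iv, k, s, s->msg_callback_arg);
        }
    }
#endif

    OPENSSL_cleanse(exp_key, sizeof(exp_key));
    OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
    EVP_MD_CTX_cleanup(&md);
    return (1);
 err:
    SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
 err2:
    OPENSSL_cleanse(exp_key, sizeof(exp_key));
    OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
    EVP_MD_CTX_cleanup(&md);
    return (0);
}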
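/*
 * SSL 3.0 change-cipher-state (non-export revision): slice the MAC secret,
 * key and IV for the direction given by |which| out of the precomputed key
 * block, install the MAC digest (and compression context when enabled) and
 * initialise the cipher context.
 *
 * Returns 1 on success, 0 on failure with an SSLerr() reason queued.
 *
 * Changes from the previous revision: EVP_CipherInit_ex() is now checked
 * (a failed cipher init previously returned success with an uninitialised
 * context), a negative digest size queues an error instead of failing
 * silently, and the unused export-key scratch buffers left over from the
 * export-cipher era are gone.
 */
int ssl3_change_cipher_state(SSL *s, int which)
{
    unsigned char *p, *mac_secret;
    unsigned char *ms, *key, *iv;
    EVP_CIPHER_CTX *dd;
    const EVP_CIPHER *c;
#ifndef OPENSSL_NO_COMP
    COMP_METHOD *comp;
#endif
    const EVP_MD *m;
    int n, i, j, k;
    int reuse_dd = 0;

    c = s->s3->tmp.new_sym_enc;
    m = s->s3->tmp.new_hash;
    /* m == NULL will lead to a crash later */
    OPENSSL_assert(m);
#ifndef OPENSSL_NO_COMP
    if (s->s3->tmp.new_compression == NULL)
        comp = NULL;
    else
        comp = s->s3->tmp.new_compression->method;
#endif

    if (which & SSL3_CC_READ) {
        if (s->enc_read_ctx != NULL)
            reuse_dd = 1;
        else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL)
            goto err;
        else
            /* make sure it's initialised in case we exit later with an error */
            EVP_CIPHER_CTX_reset(s->enc_read_ctx);
        dd = s->enc_read_ctx;
        if (ssl_replace_hash(&s->read_hash, m) == NULL) {
            SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
#ifndef OPENSSL_NO_COMP
        /* COMPRESS */
        COMP_CTX_free(s->expand);
        s->expand = NULL;
        if (comp != NULL) {
            s->expand = COMP_CTX_new(comp);
            if (s->expand == NULL) {
                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
        }
#endif
        RECORD_LAYER_reset_read_sequence(&s->rlayer);
        mac_secret = &(s->s3->read_mac_secret[0]);
    } else {
        if (s->enc_write_ctx != NULL)
            reuse_dd = 1;
        else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL)
            goto err;
        else
            /* make sure it's initialised in case we exit later with an error */
            EVP_CIPHER_CTX_reset(s->enc_write_ctx);
        dd = s->enc_write_ctx;
        if (ssl_replace_hash(&s->write_hash, m) == NULL) {
            SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
#ifndef OPENSSL_NO_COMP
        /* COMPRESS */
        COMP_CTX_free(s->compress);
        s->compress = NULL;
        if (comp != NULL) {
            s->compress = COMP_CTX_new(comp);
            if (s->compress == NULL) {
                SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
        }
#endif
        RECORD_LAYER_reset_write_sequence(&s->rlayer);
        mac_secret = &(s->s3->write_mac_secret[0]);
    }

    /* A context left over from a previous key must be wiped before reuse. */
    if (reuse_dd)
        EVP_CIPHER_CTX_reset(dd);

    p = s->s3->tmp.key_block;
    i = EVP_MD_size(m);            /* MAC secret length */
    if (i < 0) {
        SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }
    j = EVP_CIPHER_key_length(c);  /* key length */
    k = EVP_CIPHER_iv_length(c);   /* IV length */

    /*
     * Key block layout: client MAC | server MAC | client key | server key |
     * client IV | server IV. The client-write/server-read side takes the
     * first slot of each pair, the other side the second. |n| tracks the
     * offset consumed so it can be bounds-checked against the block.
     */
    if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE)
        || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
        ms = &(p[0]);
        n = i + i;
        key = &(p[n]);
        n += j + j;
        iv = &(p[n]);
        n += k + k;
    } else {
        n = i;
        ms = &(p[n]);
        n += i + j;
        key = &(p[n]);
        n += j + k;
        iv = &(p[n]);
        n += k;
    }

    if (n > s->s3->tmp.key_block_length) {
        SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }

    memcpy(mac_secret, ms, i);

    /* The final argument selects encrypt (write) vs decrypt (read). */
    if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
        SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }

#ifdef OPENSSL_SSL_TRACE_CRYPTO
    if (s->msg_callback) {
        int wh = which & SSL3_CC_WRITE ?
            TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
        s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
                        mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
        if (c->key_len)
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
                            key, c->key_len, s, s->msg_callback_arg);
        if (k) {
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
                            iv, k, s, s->msg_callback_arg);
        }
    }
#endif

    return (1);
 err:
    SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
 err2:
    return (0);
}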
/*
 * Early TLS 1.3 draft revision of change-cipher-state.
 *
 * |which| is a bitmask: SSL3_CC_READ/SSL3_CC_WRITE select the record-layer
 * direction, SSL3_CC_CLIENT/SSL3_CC_SERVER the peer whose traffic secret is
 * wanted, and SSL3_CC_HANDSHAKE the handshake stage (unset means application
 * traffic). The traffic secret is derived with tls13_derive_secret(), which
 * in this revision takes no transcript hash, then expanded into key and IV
 * (and a Finished key for handshake stages) and installed into the cipher
 * context with mode-specific handling for GCM and CCM.
 *
 * Returns 1 on success, 0 on failure with an SSLerr() reason queued. The
 * secret, key and IV stack buffers are cleansed on every exit path.
 */
int tls13_change_cipher_state(SSL *s, int which)
{
    /* Long-form labels used by the early drafts of the key schedule. */
    static const unsigned char client_handshake_traffic[] = "client handshake traffic secret";
    static const unsigned char client_application_traffic[] = "client application traffic secret";
    static const unsigned char server_handshake_traffic[] = "server handshake traffic secret";
    static const unsigned char server_application_traffic[] = "server application traffic secret";
    unsigned char key[EVP_MAX_KEY_LENGTH];
    unsigned char iv[EVP_MAX_IV_LENGTH];
    unsigned char secret[EVP_MAX_MD_SIZE];
    unsigned char *insecret;
    /* Finished-key output buffer; stays NULL for application traffic. */
    unsigned char *finsecret = NULL;
    EVP_CIPHER_CTX *ciph_ctx;
    const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;
    size_t ivlen, keylen, finsecretlen = 0;
    const unsigned char *label;
    size_t labellen;
    int ret = 0;

    /* Select (and lazily allocate / reset) the cipher context for the
     * requested direction, and restart its sequence number. */
    if (which & SSL3_CC_READ) {
        if (s->enc_read_ctx != NULL) {
            EVP_CIPHER_CTX_reset(s->enc_read_ctx);
        } else {
            s->enc_read_ctx = EVP_CIPHER_CTX_new();
            if (s->enc_read_ctx == NULL) {
                SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
                goto err;
            }
        }
        ciph_ctx = s->enc_read_ctx;
        RECORD_LAYER_reset_read_sequence(&s->rlayer);
    } else {
        if (s->enc_write_ctx != NULL) {
            EVP_CIPHER_CTX_reset(s->enc_write_ctx);
        } else {
            s->enc_write_ctx = EVP_CIPHER_CTX_new();
            if (s->enc_write_ctx == NULL) {
                SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
                goto err;
            }
        }
        ciph_ctx = s->enc_write_ctx;
        RECORD_LAYER_reset_write_sequence(&s->rlayer);
    }

    /* Client-write / server-read: the client's traffic secrets. */
    if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
        || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
        if (which & SSL3_CC_HANDSHAKE) {
            insecret = s->handshake_secret;
            finsecret = s->client_finished_secret;
            /*
             * NOTE(review): this passes the whole buffer size rather than the
             * digest length; the later revision in this file uses
             * EVP_MD_size(ssl_handshake_md(s)) here. Confirm which length the
             * Finished-key derivation of this revision expects.
             */
            finsecretlen = sizeof(s->client_finished_secret);
            label = client_handshake_traffic;
            labellen = sizeof(client_handshake_traffic) - 1;
        } else {
            /* Application traffic derives from the session master key here. */
            insecret = s->session->master_key;
            label = client_application_traffic;
            labellen = sizeof(client_application_traffic) - 1;
        }
    } else {
        if (which & SSL3_CC_HANDSHAKE) {
            insecret = s->handshake_secret;
            finsecret = s->server_finished_secret;
            /* NOTE(review): same buffer-size-vs-digest-length question as above. */
            finsecretlen = sizeof(s->server_finished_secret);
            label = server_handshake_traffic;
            labellen = sizeof(server_handshake_traffic) - 1;
        } else {
            insecret = s->session->master_key;
            label = server_application_traffic;
            labellen = sizeof(server_application_traffic) - 1;
        }
    }

    if (!tls13_derive_secret(s, insecret, label, labellen, secret)) {
        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* TODO(size_t): convert me */
    keylen = EVP_CIPHER_key_length(ciph);
    /* AEAD modes only derive the fixed (implicit) part of the nonce. */
    if (EVP_CIPHER_mode(ciph) == EVP_CIPH_GCM_MODE)
        ivlen = EVP_GCM_TLS_FIXED_IV_LEN;
    else if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE)
        ivlen = EVP_CCM_TLS_FIXED_IV_LEN;
    else
        ivlen = EVP_CIPHER_iv_length(ciph);

    if (!tls13_derive_key(s, secret, key, keylen)
        || !tls13_derive_iv(s, secret, iv, ivlen)
        || (finsecret != NULL
            && !tls13_derive_finishedkey(s, secret, finsecret, finsecretlen))) {
        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* The last EVP_CipherInit_ex() argument selects encrypt (write) vs
     * decrypt (read). */
    if (EVP_CIPHER_mode(ciph) == EVP_CIPH_GCM_MODE) {
        /* GCM: key now, fixed IV via ctrl; the explicit part is per record. */
        if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL,
                               (which & SSL3_CC_WRITE))
            || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_GCM_SET_IV_FIXED,
                                    (int)ivlen, iv)) {
            SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);
            goto err;
        }
    } else if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) {
        int taglen;

        /* The CCM8 suites use an 8-byte authentication tag, the rest 16. */
        if (s->s3->tmp.new_cipher->algorithm_enc
            & (SSL_AES128CCM8 | SSL_AES256CCM8))
            taglen = 8;
        else
            taglen = 16;
        /*
         * CCM must learn nonce length (12 bytes, as the AES-CCM AEADs in
         * RFC 5116 require) and tag length before the key is set, hence the
         * two-step init.
         */
        if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL,
                               (which & SSL3_CC_WRITE))
            || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
            || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
            || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_CCM_SET_IV_FIXED,
                                    (int)ivlen, iv)
            || !EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1)) {
            SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);
            goto err;
        }
    } else {
        if (!EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, iv,
                               (which & SSL3_CC_WRITE))) {
            SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);
            goto err;
        }
    }

#ifdef OPENSSL_SSL_TRACE_CRYPTO
    if (s->msg_callback) {
        int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : 0;

        if (ciph->key_len)
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
                            key, ciph->key_len, s, s->msg_callback_arg);
        if (ivlen) {
            if (EVP_CIPHER_mode(ciph) == EVP_CIPH_GCM_MODE)
                wh |= TLS1_RT_CRYPTO_FIXED_IV;
            else
                wh |= TLS1_RT_CRYPTO_IV;
            s->msg_callback(2, s->version, wh, iv, ivlen,
                            s, s->msg_callback_arg);
        }
    }
#endif

    ret = 1;
 err:
    OPENSSL_cleanse(secret, sizeof(secret));
    OPENSSL_cleanse(key, sizeof(key));
    OPENSSL_cleanse(iv, sizeof(iv));
    return ret;
}
/*
 * Intermediate TLS 1.3 draft revision of change-cipher-state.
 *
 * |which| is a bitmask: SSL3_CC_READ/SSL3_CC_WRITE select the record-layer
 * direction, SSL3_CC_CLIENT/SSL3_CC_SERVER the peer whose traffic secret is
 * wanted, and SSL3_CC_HANDSHAKE the handshake stage (unset means application
 * traffic). Unlike the earlier revision, the traffic secret is expanded from
 * the input secret together with a transcript hash, and the client
 * application stage also produces the resumption master secret. The IV is
 * written into the SSL object's per-direction IV buffer rather than a local.
 *
 * Returns 1 on success, 0 on failure with an SSLerr() reason queued. The
 * secret and key stack buffers are cleansed on every exit path.
 */
int tls13_change_cipher_state(SSL *s, int which)
{
    /* Long-form labels used by the drafts of the key schedule. */
    static const unsigned char client_handshake_traffic[] = "client handshake traffic secret";
    static const unsigned char client_application_traffic[] = "client application traffic secret";
    static const unsigned char server_handshake_traffic[] = "server handshake traffic secret";
    static const unsigned char server_application_traffic[] = "server application traffic secret";
    static const unsigned char resumption_master_secret[] = "resumption master secret";
    unsigned char key[EVP_MAX_KEY_LENGTH];
    /* Points at s->read_iv or s->write_iv; not a local, so not cleansed here. */
    unsigned char *iv;
    unsigned char secret[EVP_MAX_MD_SIZE];
    unsigned char hashval[EVP_MAX_MD_SIZE];
    /* Transcript hash fed to the traffic-secret expansion; defaults to the
     * freshly computed hashval, the client application stage substitutes a
     * saved hash. */
    unsigned char *hash = hashval;
    unsigned char *insecret;
    /* Finished-key output buffer; stays NULL for application traffic. */
    unsigned char *finsecret = NULL;
    const char *log_label = NULL;
    EVP_CIPHER_CTX *ciph_ctx;
    const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;
    size_t ivlen, keylen, finsecretlen = 0;
    const unsigned char *label;
    size_t labellen, hashlen = 0;
    int ret = 0;

    /* Select (and lazily allocate / reset) the cipher context and IV buffer
     * for the requested direction, and restart its sequence number. */
    if (which & SSL3_CC_READ) {
        if (s->enc_read_ctx != NULL) {
            EVP_CIPHER_CTX_reset(s->enc_read_ctx);
        } else {
            s->enc_read_ctx = EVP_CIPHER_CTX_new();
            if (s->enc_read_ctx == NULL) {
                SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
                goto err;
            }
        }
        ciph_ctx = s->enc_read_ctx;
        iv = s->read_iv;
        RECORD_LAYER_reset_read_sequence(&s->rlayer);
    } else {
        if (s->enc_write_ctx != NULL) {
            EVP_CIPHER_CTX_reset(s->enc_write_ctx);
        } else {
            s->enc_write_ctx = EVP_CIPHER_CTX_new();
            if (s->enc_write_ctx == NULL) {
                SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
                goto err;
            }
        }
        ciph_ctx = s->enc_write_ctx;
        iv = s->write_iv;
        RECORD_LAYER_reset_write_sequence(&s->rlayer);
    }

    /* Client-write / server-read: the client's traffic secrets. */
    if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))
        || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {
        if (which & SSL3_CC_HANDSHAKE) {
            insecret = s->handshake_secret;
            finsecret = s->client_finished_secret;
            finsecretlen = EVP_MD_size(ssl_handshake_md(s));
            label = client_handshake_traffic;
            labellen = sizeof(client_handshake_traffic) - 1;
            log_label = CLIENT_HANDSHAKE_LABEL;
        } else {
            insecret = s->master_secret;
            label = client_application_traffic;
            labellen = sizeof(client_application_traffic) - 1;
            log_label = CLIENT_APPLICATION_LABEL;
            /*
             * For this we only use the handshake hashes up until the server
             * Finished hash. We do not include the client's Finished, which is
             * what ssl_handshake_hash() would give us. Instead we use the
             * previously saved value.
             */
            hash = s->server_finished_hash;
        }
    } else {
        if (which & SSL3_CC_HANDSHAKE) {
            insecret = s->handshake_secret;
            finsecret = s->server_finished_secret;
            finsecretlen = EVP_MD_size(ssl_handshake_md(s));
            label = server_handshake_traffic;
            labellen = sizeof(server_handshake_traffic) - 1;
            log_label = SERVER_HANDSHAKE_LABEL;
        } else {
            insecret = s->master_secret;
            label = server_application_traffic;
            labellen = sizeof(server_application_traffic) - 1;
            log_label = SERVER_APPLICATION_LABEL;
        }
    }

    /* Flush buffered handshake records into the digest and read the current
     * transcript hash (and its length) into hashval. */
    if (!ssl3_digest_cached_records(s, 1)
        || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {
        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /*
     * Save the hash of handshakes up to now for use when we calculate the
     * client application traffic secret
     */
    if (label == server_application_traffic)
        memcpy(s->server_finished_hash, hashval, hashlen);

    if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, label, labellen,
                           hash, secret, hashlen)) {
        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    if (label == client_application_traffic) {
        /*
         * We also create the resumption master secret, but this time use the
         * hash for the whole handshake including the Client Finished
         */
        if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
                               resumption_master_secret,
                               sizeof(resumption_master_secret) - 1, hashval,
                               s->session->master_key, hashlen)) {
            SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err;
        }
        /* The resumption secret is stored in the session as its master key. */
        s->session->master_key_length = hashlen;
    }

    /* TODO(size_t): convert me */
    keylen = EVP_CIPHER_key_length(ciph);
    ivlen = EVP_CIPHER_iv_length(ciph);

    /* Key-log (SSLKEYLOGFILE-style) hook; no-op unless a callback is set. */
    if (!ssl_log_secret(s, log_label, secret, hashlen)) {
        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Expand the traffic secret into key, IV and (handshake only) the
     * Finished key. */
    if (!tls13_derive_key(s, secret, key, keylen)
        || !tls13_derive_iv(s, secret, iv, ivlen)
        || (finsecret != NULL
            && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret,
                                         finsecret, finsecretlen))) {
        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err;
    }

    /* Only the key is set here (IV NULL); the last argument selects encrypt
     * (write) vs decrypt (read). The per-record nonce is presumably formed
     * from s->read_iv / s->write_iv by the record layer — confirm. */
    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, key, NULL,
                          (which & SSL3_CC_WRITE)) <= 0) {
        SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_EVP_LIB);
        goto err;
    }

#ifdef OPENSSL_SSL_TRACE_CRYPTO
    if (s->msg_callback) {
        int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : 0;

        if (ciph->key_len)
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
                            key, ciph->key_len, s, s->msg_callback_arg);
        wh |= TLS1_RT_CRYPTO_IV;
        s->msg_callback(2, s->version, wh, iv, ivlen, s, s->msg_callback_arg);
    }
#endif

    ret = 1;
 err:
    OPENSSL_cleanse(secret, sizeof(secret));
    OPENSSL_cleanse(key, sizeof(key));
    return ret;
}