static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
/*
- * Given a |secret|; a |label| of length |labellen|; and a |hash| of the
- * handshake messages, derive a new secret |outlen| bytes long and store it in
- * the location pointed to be |out|. The |hash| value may be NULL. Returns 1 on
- * success 0 on failure.
+ * Given a |secret|; a |label| of length |labellen|; and |data| of length
+ * |datalen| (e.g. typically a hash of the handshake messages), derive a new
+ * secret |outlen| bytes long and store it in the location pointed to be |out|.
+ * The |data| value may be zero length. Returns 1 on success 0 on failure.
*/
int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
const unsigned char *label, size_t labellen,
- const unsigned char *hash,
+ const unsigned char *data, size_t datalen,
unsigned char *out, size_t outlen)
{
const unsigned char label_prefix[] = "tls13 ";
|| !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1)
|| !WPACKET_memcpy(&pkt, label, labellen)
|| !WPACKET_close(&pkt)
- || !WPACKET_sub_memcpy_u8(&pkt, hash, (hash == NULL) ? 0 : hashlen)
+ || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
|| !WPACKET_get_total_written(&pkt, &hkdflabellen)
|| !WPACKET_finish(&pkt)) {
EVP_PKEY_CTX_free(pctx);
static const unsigned char keylabel[] = "key";
return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
- NULL, key, keylen);
+ NULL, 0, key, keylen);
}
/*
static const unsigned char ivlabel[] = "iv";
return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
- NULL, iv, ivlen);
+ NULL, 0, iv, ivlen);
}
int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
static const unsigned char finishedlabel[] = "finished";
return tls13_hkdf_expand(s, md, secret, finishedlabel,
- sizeof(finishedlabel) - 1, NULL, fin, finlen);
+ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
}
/*
/* Generate the pre-extract secret */
if (!tls13_hkdf_expand(s, md, prevsecret,
(unsigned char *)derived_secret_label,
- sizeof(derived_secret_label) - 1, hash,
+ sizeof(derived_secret_label) - 1, hash, mdlen,
preextractsec, mdlen)) {
EVP_PKEY_CTX_free(pctx);
return 0;
size_t ivlen, keylen, taglen;
size_t hashlen = EVP_MD_size(md);
- if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, secret,
- hashlen)) {
+ if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
+ secret, hashlen)) {
SSLerr(SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_INTERNAL_ERROR);
goto err;
}
static const unsigned char client_application_traffic[] = "c ap traffic";
static const unsigned char server_handshake_traffic[] = "s hs traffic";
static const unsigned char server_application_traffic[] = "s ap traffic";
+ static const unsigned char exporter_master_secret[] = "exp master";
static const unsigned char resumption_master_secret[] = "res master";
unsigned char *iv;
unsigned char secret[EVP_MAX_MD_SIZE];
if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
resumption_master_secret,
sizeof(resumption_master_secret) - 1,
- hashval, s->session->master_key, hashlen)) {
+ hashval, hashlen, s->session->master_key,
+ hashlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err;
}
s->session->master_key_length = hashlen;
+
+ /* Now we create the exporter master secret */
+ if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
+ exporter_master_secret,
+ sizeof(exporter_master_secret) - 1,
+ hash, hashlen, s->exporter_master_secret,
+ hashlen)) {
+ SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
}
if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,
return tls1_alert_code(code);
}
+
+int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
+ const char *label, size_t llen,
+ const unsigned char *context,
+ size_t contextlen, int use_context)
+{
+ unsigned char exportsecret[EVP_MAX_MD_SIZE];
+ static const unsigned char exporterlabel[] = "exporter";
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ const EVP_MD *md = ssl_handshake_md(s);
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+ unsigned int hashsize;
+ int ret = 0;
+
+ if (ctx == NULL || !SSL_is_init_finished(s))
+ goto err;
+
+ if (!use_context)
+ contextlen = 0;
+
+ if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
+ || EVP_DigestUpdate(ctx, context, contextlen) <= 0
+ || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
+ || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
+ (const unsigned char *)label, llen, NULL, 0,
+ exportsecret, hashsize)
+ || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
+ sizeof(exporterlabel) - 1, hash, hashsize,
+ out, olen))
+ goto err;
+
+ ret = 1;
+ err:
+ EVP_MD_CTX_free(ctx);
+ return ret;
+}
projects / openssl.git / blobdiff