#include <stdlib.h>
#include "ssl_locl.h"
+#include "internal/cryptlib.h"
#include <openssl/evp.h>
#include <openssl/kdf.h>
static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
/*
- * Given a |secret|; a |label| of length |labellen|; and a |hash| of the
- * handshake messages, derive a new secret |outlen| bytes long and store it in
- * the location pointed to be |out|. The |hash| value may be NULL. Returns 1 on
- * success 0 on failure.
+ * Given a |secret|; a |label| of length |labellen|; and |data| of length
+ * |datalen| (e.g. typically a hash of the handshake messages), derive a new
+ * secret |outlen| bytes long and store it in the location pointed to be |out|.
+ * The |data| value may be zero length. Returns 1 on success 0 on failure.
*/
int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
const unsigned char *label, size_t labellen,
- const unsigned char *hash,
+ const unsigned char *data, size_t datalen,
unsigned char *out, size_t outlen)
{
const unsigned char label_prefix[] = "tls13 ";
|| !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1)
|| !WPACKET_memcpy(&pkt, label, labellen)
|| !WPACKET_close(&pkt)
- || !WPACKET_sub_memcpy_u8(&pkt, hash, (hash == NULL) ? 0 : hashlen)
+ || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
|| !WPACKET_get_total_written(&pkt, &hkdflabellen)
|| !WPACKET_finish(&pkt)) {
EVP_PKEY_CTX_free(pctx);
static const unsigned char keylabel[] = "key";
return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,
- NULL, key, keylen);
+ NULL, 0, key, keylen);
}
/*
static const unsigned char ivlabel[] = "iv";
return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,
- NULL, iv, ivlen);
+ NULL, 0, iv, ivlen);
}
int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
static const unsigned char finishedlabel[] = "finished";
return tls13_hkdf_expand(s, md, secret, finishedlabel,
- sizeof(finishedlabel) - 1, NULL, fin, finlen);
+ sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);
}
/*
/* Generate the pre-extract secret */
if (!tls13_hkdf_expand(s, md, prevsecret,
(unsigned char *)derived_secret_label,
- sizeof(derived_secret_label) - 1, hash,
+ sizeof(derived_secret_label) - 1, hash, mdlen,
preextractsec, mdlen)) {
EVP_PKEY_CTX_free(pctx);
return 0;
size_t ivlen, keylen, taglen;
size_t hashlen = EVP_MD_size(md);
- if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, secret,
- hashlen)) {
+ if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
+ secret, hashlen)) {
SSLerr(SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_INTERNAL_ERROR);
goto err;
}
SSL_R_BAD_HANDSHAKE_LENGTH);
goto err;
}
+
+ if (s->early_data_state == SSL_EARLY_DATA_CONNECTING
+ && s->max_early_data > 0
+ && s->session->ext.max_early_data == 0) {
+ /*
+ * If we are attempting to send early data, and we've decided to
+ * actually do it but max_early_data in s->session is 0 then we
+ * must be using an external PSK.
+ */
+ if (!ossl_assert(s->psksession != NULL
+ && s->max_early_data ==
+ s->psksession->ext.max_early_data)) {
+ SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ sslcipher = SSL_SESSION_get0_cipher(s->psksession);
+ }
if (sslcipher == NULL) {
- SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK);
goto err;
}
if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
resumption_master_secret,
sizeof(resumption_master_secret) - 1,
- hashval, s->session->master_key, hashlen)) {
+ hashval, hashlen, s->session->master_key,
+ hashlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err;
}
if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
exporter_master_secret,
sizeof(exporter_master_secret) - 1,
- hash, s->exporter_master_secret, hashlen)) {
+ hash, hashlen, s->exporter_master_secret,
+ hashlen)) {
SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err;
}
{
unsigned char exportsecret[EVP_MAX_MD_SIZE];
static const unsigned char exporterlabel[] = "exporter";
- unsigned char hash[EVP_MAX_MD_SIZE];
+ unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
const EVP_MD *md = ssl_handshake_md(s);
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
- unsigned int hashsize;
+ unsigned int hashsize, datalen;
int ret = 0;
- if (ctx == NULL)
- goto err;
-
- if (!SSL_is_init_finished(s))
+ if (ctx == NULL || !SSL_is_init_finished(s))
goto err;
if (!use_context)
if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
|| EVP_DigestUpdate(ctx, context, contextlen) <= 0
|| EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
+ || EVP_DigestInit_ex(ctx, md, NULL) <= 0
+ || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
|| !tls13_hkdf_expand(s, md, s->exporter_master_secret,
- (const unsigned char *)label, llen, NULL,
- exportsecret, 0)
+ (const unsigned char *)label, llen,
+ data, datalen, exportsecret, hashsize)
|| !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
- sizeof(exporterlabel) - 1, hash, out, olen))
+ sizeof(exporterlabel) - 1, hash, hashsize,
+ out, olen))
goto err;
ret = 1;