#include <openssl/evp.h>
#include <openssl/kdf.h>
-#define TLS13_MAX_LABEL_LEN 246
+/*
+ * RFC 8446, 7.1 Key Schedule, says:
+ * Note: With common hash functions, any label longer than 12 characters
+ * requires an additional iteration of the hash function to compute.
+ * The labels in this specification have all been chosen to fit within
+ * this limit.
+ */
+#define TLS13_MAX_LABEL_LEN 12
/* Always filled with zeros */
static const unsigned char default_zeros[EVP_MAX_MD_SIZE];
const unsigned char *data, size_t datalen,
unsigned char *out, size_t outlen)
{
- const unsigned char label_prefix[] = "tls13 ";
+ static const unsigned char label_prefix[] = "tls13 ";
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
int ret;
size_t hkdflabellen;
size_t hashlen;
/*
- * 2 bytes for length of whole HkdfLabel + 1 byte for length of combined
- * prefix and label + bytes for the label itself + bytes for the hash
+ * 2 bytes for length of derived secret + 1 byte for length of combined
+ * prefix and label + bytes for the label itself + 1 byte length of hash
+ * + bytes for the hash itself
*/
unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t) +
+ sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
unsigned char *outsecret)
{
size_t mdlen, prevsecretlen;
+ int mdleni;
int ret;
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
static const char derived_secret_label[] = "derived";
return 0;
}
- mdlen = EVP_MD_size(md);
+ mdleni = EVP_MD_size(md);
+ /* Ensure cast to size_t is safe */
+ if (!ossl_assert(mdleni >= 0)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ mdlen = (size_t)mdleni;
if (insecret == NULL) {
insecret = default_zeros;
goto err;
}
- if (str == s->method->ssl3_enc->server_finished_label)
- key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
- s->server_finished_secret, hashlen);
- else
- key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
- s->client_finished_secret, hashlen);
+ if (str == s->method->ssl3_enc->server_finished_label) {
+ key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+ s->server_finished_secret, hashlen);
+ } else if (SSL_IS_FIRST_HANDSHAKE(s)) {
+ key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+ s->client_finished_secret, hashlen);
+ } else {
+ unsigned char finsecret[EVP_MAX_MD_SIZE];
+
+ if (!tls13_derive_finishedkey(s, ssl_handshake_md(s),
+ s->client_app_traffic_secret,
+ finsecret, hashlen))
+ goto err;
+
+ key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,
+ hashlen);
+ OPENSSL_cleanse(finsecret, sizeof(finsecret));
+ }
if (key == NULL
|| ctx == NULL
{
unsigned char key[EVP_MAX_KEY_LENGTH];
size_t ivlen, keylen, taglen;
- size_t hashlen = EVP_MD_size(md);
+ int hashleni = EVP_MD_size(md);
+ size_t hashlen;
+
+ /* Ensure cast to size_t is safe */
+ if (!ossl_assert(hashleni >= 0)) {
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
+ ERR_R_EVP_LIB);
+ goto err;
+ }
+ hashlen = (size_t)hashleni;
if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
secret, hashlen)) {
RECORD_LAYER_reset_read_sequence(&s->rlayer);
} else {
+ s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
if (s->enc_write_ctx != NULL) {
EVP_CIPHER_CTX_reset(s->enc_write_ctx);
} else {
SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
goto err;
}
+
+ if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL,
+ s->early_exporter_master_secret, hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
} else if (which & SSL3_CC_HANDSHAKE) {
insecret = s->handshake_secret;
finsecret = s->client_finished_secret;
if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,
resumption_master_secret,
sizeof(resumption_master_secret) - 1,
- hashval, hashlen, s->session->master_key,
+ hashval, hashlen, s->resumption_master_secret,
hashlen)) {
/* SSLfatal() already called */
goto err;
}
- s->session->master_key_length = hashlen;
}
if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,
/* SSLfatal() already called */
goto err;
}
+
+ if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret,
+ hashlen)) {
+ /* SSLfatal() already called */
+ goto err;
+ }
} else if (label == client_application_traffic)
memcpy(s->client_app_traffic_secret, secret, hashlen);
goto err;
}
+ if (!s->server && label == client_early_traffic)
+ s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS;
+ else
+ s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
ret = 1;
err:
OPENSSL_cleanse(secret, sizeof(secret));
insecret = s->client_app_traffic_secret;
if (sending) {
+ s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
iv = s->write_iv;
ciph_ctx = s->enc_write_ctx;
RECORD_LAYER_reset_write_sequence(&s->rlayer);
memcpy(insecret, secret, hashlen);
+ s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
ret = 1;
err:
OPENSSL_cleanse(secret, sizeof(secret));
int tls13_alert_code(int code)
{
- if (code == SSL_AD_MISSING_EXTENSION)
+ /* There are 2 additional alerts in TLSv1.3 compared to TLSv1.2 */
+ if (code == SSL_AD_MISSING_EXTENSION || code == SSL_AD_CERTIFICATE_REQUIRED)
return code;
return tls1_alert_code(code);