From 3e0458fb12a9e663518cf99bad4d807adc8a0a28 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Wed, 8 Mar 2017 13:57:17 +0000
Subject: [PATCH] Update secret generation for draft-19 TLSv1.3 draft 19 introduces a new pre HKDF-extract Derive-Secret stage.
Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2895)
---
 ssl/tls13_enc.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index 9fdd61e8c7..cac4a424ef 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -124,6 +124,8 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
 size_t mdlen, prevsecretlen;
 int ret;
 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ const char *derived_secret_label = "derived secret";
+ unsigned char preextractsec[EVP_MAX_MD_SIZE];
 if (pctx == NULL)
 return 0;
@@ -138,6 +140,26 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
 prevsecret = default_zeros;
 prevsecretlen = 0;
 } else {
+ EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+ unsigned char hash[EVP_MAX_MD_SIZE];
+
+ /* The pre-extract derive step uses a hash of no messages */
+ if (mctx == NULL
+ || EVP_DigestInit_ex(mctx, md, NULL) <= 0
+ || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
+ EVP_MD_CTX_free(mctx);
+ return 0;
+ }
+ EVP_MD_CTX_free(mctx);
+
+ /* Generate the pre-extract secret */
+ if (!tls13_hkdf_expand(s, md, prevsecret,
+ (unsigned char *)derived_secret_label,
+ sizeof(derived_secret_label) - 1, hash,
+ preextractsec, mdlen))
+ return 0;
+
+ prevsecret = preextractsec;
 prevsecretlen = mdlen;
 }
@@ -152,6 +174,8 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
 <= 0;
 EVP_PKEY_CTX_free(pctx);
+ if (prevsecret == preextractsec)
+ OPENSSL_cleanse(preextractsec, mdlen);
 return ret == 0;
 }
--
2.34.1
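Review bot: `derived_secret_label` is declared as `const char *` in the `@@ -124,6 +124,8 @@` hunk, so the `sizeof(derived_secret_label) - 1` passed to tls13_hkdf_expand in the `@@ -138,6 +140,26 @@` hunk is the size of a pointer minus one (7 on an LP64 build, 3 on a 32-bit one), not the 14 bytes of "derived secret". The label length handed to the expand step is therefore truncated and platform-dependent, which would presumably make the pre-extract secret diverge from what a draft-19 peer computes. Declaring the label as an array fixes the length and removes the need for the cast at the call site: `static const unsigned char derived_secret_label[] = "derived secret";`. The body of tls13_generate_secret starts and ends outside this hunk.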
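Review bot: Both new `return 0;` statements in the else branch of the `@@ -138,6 +140,26 @@` hunk leak `pctx`, which the function allocates with EVP_PKEY_CTX_new_id() before this point and only frees on the final path shown in the last hunk. Add `EVP_PKEY_CTX_free(pctx);` before each of these returns, or send them through a single exit that frees it. The failed tls13_hkdf_expand return also bypasses the `OPENSSL_cleanse(preextractsec, mdlen);` added in the last hunk, so whatever was written into `preextractsec` stays on the stack; cleansing it on that path as well would keep the handling of key material consistent. The function body continues outside this hunk.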