kris
/
boringssl
1
0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
5524 İşleme
12 Dallar
38 MiB
 
 
 
 
 
 
Ağaç: 2745ef9082
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'2745ef9082'den
${ noResults }
boringssl/ssl/tls13_enc.cc

588 satır
22 KiB
Ham Suçlama Geçmiş 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <utility>

  21. 

  22. #include <openssl/aead.h>

  23. #include <openssl/bytestring.h>

  24. #include <openssl/digest.h>

  25. #include <openssl/hkdf.h>

  26. #include <openssl/hmac.h>

  27. #include <openssl/mem.h>

  28. 

  29. #include "../crypto/internal.h"

  30. #include "internal.h"

  31. 

  32. 

  33. BSSL_NAMESPACE_BEGIN

  34. 

  35. static bool init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,

  36.                              const SSL_CIPHER *cipher) {

  37.   if (!hs->transcript.InitHash(version, cipher)) {

  38.     return false;

  39.   }

  40. 

  41.   hs->hash_len = hs->transcript.DigestLen();

  42. 

  43.   // Initialize the secret to the zero key.

  44.   OPENSSL_memset(hs->secret, 0, hs->hash_len);

  45. 

  46.   return true;

  47. }

  48. 

  49. bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,

  50.                              size_t psk_len) {

  51.   if (!init_key_schedule(hs, ssl_protocol_version(hs->ssl), hs->new_cipher)) {

  52.     return false;

  53.   }

  54. 

  55.   hs->transcript.FreeBuffer();

  56.   return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,

  57.                       psk_len, hs->secret, hs->hash_len);

  58. }

  59. 

  60. bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,

  61.                                    size_t psk_len) {

  62.   SSL *const ssl = hs->ssl;

  63.   return init_key_schedule(hs, ssl_session_protocol_version(ssl->session.get()),

  64.                            ssl->session->cipher) &&

  65.          HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,

  66.                       psk_len, hs->secret, hs->hash_len);

  67. }

  68. 

  69. static bool hkdf_expand_label(uint8_t *out, const EVP_MD *digest,

  70.                               const uint8_t *secret, size_t secret_len,

  71.                               const char *label, size_t label_len,

  72.                               const uint8_t *hash, size_t hash_len, size_t len,

  73.                               bool use_quic_label) {

  74.   static const char kTLS13ProtocolLabel[] = "tls13 ";

  75.   static const char kQUICProtocolLabel[] = "quic ";

  76. 

  77.   const char *protocol_label;

  78.   if (use_quic_label) {

  79.     protocol_label = kQUICProtocolLabel;

  80.   } else {

  81.     protocol_label = kTLS13ProtocolLabel;

  82.   }

  83. 

  84.   ScopedCBB cbb;

  85.   CBB child;

  86.   Array<uint8_t> hkdf_label;

  87.   if (!CBB_init(cbb.get(),

  88.                 2 + 1 + strlen(protocol_label) + label_len + 1 + hash_len) ||

  89.       !CBB_add_u16(cbb.get(), len) ||

  90.       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||

  91.       !CBB_add_bytes(&child, (const uint8_t *)protocol_label,

  92.                      strlen(protocol_label)) ||

  93.       !CBB_add_bytes(&child, (const uint8_t *)label, label_len) ||

  94.       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||

  95.       !CBB_add_bytes(&child, hash, hash_len) ||

  96.       !CBBFinishArray(cbb.get(), &hkdf_label)) {

  97.     return false;

  98.   }

  99. 

  100.   return HKDF_expand(out, len, digest, secret, secret_len, hkdf_label.data(),

  101.                      hkdf_label.size());

  102. }

  103. 

  104. static const char kTLS13LabelDerived[] = "derived";

  105. 

  106. bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,

  107.                                 size_t len) {

  108.   uint8_t derive_context[EVP_MAX_MD_SIZE];

  109.   unsigned derive_context_len;

  110.   if (!EVP_Digest(nullptr, 0, derive_context, &derive_context_len,

  111.                   hs->transcript.Digest(), nullptr)) {

  112.     return false;

  113.   }

  114. 

  115.   if (!hkdf_expand_label(hs->secret, hs->transcript.Digest(), hs->secret,

  116.                          hs->hash_len, kTLS13LabelDerived,

  117.                          strlen(kTLS13LabelDerived), derive_context,

  118.                          derive_context_len, hs->hash_len,

  119.                          hs->ssl->ctx->quic_method != nullptr)) {

  120.     return false;

  121.   }

  122. 

  123.   return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), in,

  124.                       len, hs->secret, hs->hash_len);

  125. }

  126. 

  127. // derive_secret derives a secret of length |len| and writes the result in |out|

  128. // with the given label and the current base secret and most recently-saved

  129. // handshake context. It returns true on success and false on error.

  130. static bool derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,

  131.                           const char *label, size_t label_len) {

  132.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  133.   size_t context_hash_len;

  134.   if (!hs->transcript.GetHash(context_hash, &context_hash_len)) {

  135.     return false;

  136.   }

  137. 

  138.   return hkdf_expand_label(out, hs->transcript.Digest(), hs->secret,

  139.                            hs->hash_len, label, label_len, context_hash,

  140.                            context_hash_len, len,

  141.                            hs->ssl->ctx->quic_method != nullptr);

  142. }

  143. 

  144. bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level,

  145.                            enum evp_aead_direction_t direction,

  146.                            const uint8_t *traffic_secret,

  147.                            size_t traffic_secret_len) {

  148.   const SSL_SESSION *session = SSL_get_session(ssl);

  149.   uint16_t version = ssl_session_protocol_version(session);

  150. 

  151.   if (traffic_secret_len > 0xff) {

  152.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  153.     return false;

  154.   }

  155. 

  156.   UniquePtr<SSLAEADContext> traffic_aead;

  157.   if (ssl->ctx->quic_method == nullptr) {

  158.     // Look up cipher suite properties.

  159.     const EVP_AEAD *aead;

  160.     size_t discard;

  161.     if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,

  162.                                  version, SSL_is_dtls(ssl))) {

  163.       return false;

  164.     }

  165. 

  166.     const EVP_MD *digest = ssl_session_get_digest(session);

  167. 

  168.     // Derive the key.

  169.     size_t key_len = EVP_AEAD_key_length(aead);

  170.     uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];

  171.     if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,

  172.                            "key", 3, NULL, 0, key_len,

  173.                            ssl->ctx->quic_method != nullptr)) {

  174.       return false;

  175.     }

  176. 

  177.     // Derive the IV.

  178.     size_t iv_len = EVP_AEAD_nonce_length(aead);

  179.     uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];

  180.     if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len, "iv",

  181.                            2, NULL, 0, iv_len,

  182.                            ssl->ctx->quic_method != nullptr)) {

  183.       return false;

  184.     }

  185. 

  186. 

  187.     traffic_aead = SSLAEADContext::Create(

  188.         direction, session->ssl_version, SSL_is_dtls(ssl), session->cipher,

  189.         MakeConstSpan(key, key_len), Span<const uint8_t>(),

  190.         MakeConstSpan(iv, iv_len));

  191.   } else {

  192.     // Install a placeholder SSLAEADContext so that SSL accessors work. The

  193.     // encryption itself will be handled by the SSL_QUIC_METHOD.

  194.     traffic_aead =

  195.         SSLAEADContext::CreatePlaceholderForQUIC(version, session->cipher);

  196.   }

  197. 

  198.   if (!traffic_aead) {

  199.     return false;

  200.   }

  201. 

  202.   if (direction == evp_aead_open) {

  203.     if (!ssl->method->set_read_state(ssl, std::move(traffic_aead))) {

  204.       return false;

  205.     }

  206.   } else {

  207.     if (!ssl->method->set_write_state(ssl, std::move(traffic_aead))) {

  208.       return false;

  209.     }

  210.   }

  211. 

  212.   // Save the traffic secret.

  213.   if (direction == evp_aead_open) {

  214.     OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,

  215.                     traffic_secret_len);

  216.     ssl->s3->read_traffic_secret_len = traffic_secret_len;

  217.     ssl->s3->read_level = level;

  218.   } else {

  219.     OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret,

  220.                     traffic_secret_len);

  221.     ssl->s3->write_traffic_secret_len = traffic_secret_len;

  222.     ssl->s3->write_level = level;

  223.   }

  224. 

  225.   return true;

  226. }

  227. 

  228. 

  229. static const char kTLS13LabelExporter[] = "exp master";

  230. static const char kTLS13LabelEarlyExporter[] = "e exp master";

  231. 

  232. static const char kTLS13LabelClientEarlyTraffic[] = "c e traffic";

  233. static const char kTLS13LabelClientHandshakeTraffic[] = "c hs traffic";

  234. static const char kTLS13LabelServerHandshakeTraffic[] = "s hs traffic";

  235. static const char kTLS13LabelClientApplicationTraffic[] = "c ap traffic";

  236. static const char kTLS13LabelServerApplicationTraffic[] = "s ap traffic";

  237. 

  238. bool tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {

  239.   SSL *const ssl = hs->ssl;

  240.   if (!derive_secret(hs, hs->early_traffic_secret, hs->hash_len,

  241.                      kTLS13LabelClientEarlyTraffic,

  242.                      strlen(kTLS13LabelClientEarlyTraffic)) ||

  243.       !ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",

  244.                       hs->early_traffic_secret, hs->hash_len) ||

  245.       !derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len,

  246.                      kTLS13LabelEarlyExporter,

  247.                      strlen(kTLS13LabelEarlyExporter))) {

  248.     return false;

  249.   }

  250.   ssl->s3->early_exporter_secret_len = hs->hash_len;

  251. 

  252.   if (ssl->ctx->quic_method != nullptr) {

  253.     if (ssl->server) {

  254.       if (!ssl->ctx->quic_method->set_encryption_secrets(

  255.               ssl, ssl_encryption_early_data, nullptr, hs->early_traffic_secret,

  256.               hs->hash_len)) {

  257.         OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  258.         return false;

  259.       }

  260.     } else {

  261.       if (!ssl->ctx->quic_method->set_encryption_secrets(

  262.               ssl, ssl_encryption_early_data, hs->early_traffic_secret, nullptr,

  263.               hs->hash_len)) {

  264.         OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  265.         return false;

  266.       }

  267.     }

  268.   }

  269. 

  270.   return true;

  271. }

  272. 

  273. bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {

  274.   SSL *const ssl = hs->ssl;

  275.   if (!derive_secret(hs, hs->client_handshake_secret, hs->hash_len,

  276.                      kTLS13LabelClientHandshakeTraffic,

  277.                      strlen(kTLS13LabelClientHandshakeTraffic)) ||

  278.       !ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",

  279.                       hs->client_handshake_secret, hs->hash_len) ||

  280.       !derive_secret(hs, hs->server_handshake_secret, hs->hash_len,

  281.                      kTLS13LabelServerHandshakeTraffic,

  282.                      strlen(kTLS13LabelServerHandshakeTraffic)) ||

  283.       !ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",

  284.                       hs->server_handshake_secret, hs->hash_len)) {

  285.     return false;

  286.   }

  287. 

  288.   if (ssl->ctx->quic_method != nullptr) {

  289.     if (ssl->server) {

  290.       if (!ssl->ctx->quic_method->set_encryption_secrets(

  291.               ssl, ssl_encryption_handshake, hs->client_handshake_secret,

  292.               hs->server_handshake_secret, hs->hash_len)) {

  293.         OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  294.         return false;

  295.       }

  296.     } else {

  297.       if (!ssl->ctx->quic_method->set_encryption_secrets(

  298.               ssl, ssl_encryption_handshake, hs->server_handshake_secret,

  299.               hs->client_handshake_secret, hs->hash_len)) {

  300.         OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  301.         return false;

  302.       }

  303.     }

  304.   }

  305. 

  306.   return true;

  307. }

  308. 

  309. bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {

  310.   SSL *const ssl = hs->ssl;

  311.   ssl->s3->exporter_secret_len = hs->hash_len;

  312.   if (!derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,

  313.                      kTLS13LabelClientApplicationTraffic,

  314.                      strlen(kTLS13LabelClientApplicationTraffic)) ||

  315.       !ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",

  316.                       hs->client_traffic_secret_0, hs->hash_len) ||

  317.       !derive_secret(hs, hs->server_traffic_secret_0, hs->hash_len,

  318.                      kTLS13LabelServerApplicationTraffic,

  319.                      strlen(kTLS13LabelServerApplicationTraffic)) ||

  320.       !ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",

  321.                       hs->server_traffic_secret_0, hs->hash_len) ||

  322.       !derive_secret(hs, ssl->s3->exporter_secret, hs->hash_len,

  323.                      kTLS13LabelExporter, strlen(kTLS13LabelExporter)) ||

  324.       !ssl_log_secret(ssl, "EXPORTER_SECRET", ssl->s3->exporter_secret,

  325.                       hs->hash_len)) {

  326.     return false;

  327.   }

  328. 

  329.   if (ssl->ctx->quic_method != nullptr) {

  330.     if (ssl->server) {

  331.       if (!ssl->ctx->quic_method->set_encryption_secrets(

  332.               ssl, ssl_encryption_application, hs->client_traffic_secret_0,

  333.               hs->server_traffic_secret_0, hs->hash_len)) {

  334.         OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  335.         return false;

  336.       }

  337.     } else {

  338.       if (!ssl->ctx->quic_method->set_encryption_secrets(

  339.               ssl, ssl_encryption_application, hs->server_traffic_secret_0,

  340.               hs->client_traffic_secret_0, hs->hash_len)) {

  341.         OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);

  342.         return false;

  343.       }

  344.     }

  345.   }

  346. 

  347.   return true;

  348. }

  349. 

  350. static const char kTLS13LabelApplicationTraffic[] = "traffic upd";

  351. 

  352. bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {

  353.   uint8_t *secret;

  354.   size_t secret_len;

  355.   if (direction == evp_aead_open) {

  356.     secret = ssl->s3->read_traffic_secret;

  357.     secret_len = ssl->s3->read_traffic_secret_len;

  358.   } else {

  359.     secret = ssl->s3->write_traffic_secret;

  360.     secret_len = ssl->s3->write_traffic_secret_len;

  361.   }

  362. 

  363.   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));

  364.   if (!hkdf_expand_label(secret, digest, secret, secret_len,

  365.                          kTLS13LabelApplicationTraffic,

  366.                          strlen(kTLS13LabelApplicationTraffic), NULL, 0,

  367.                          secret_len, ssl->ctx->quic_method != nullptr)) {

  368.     return false;

  369.   }

  370. 

  371.   return tls13_set_traffic_key(ssl, ssl_encryption_application, direction,

  372.                                secret, secret_len);

  373. }

  374. 

  375. static const char kTLS13LabelResumption[] = "res master";

  376. 

  377. bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {

  378.   if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {

  379.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  380.     return false;

  381.   }

  382.   hs->new_session->master_key_length = hs->hash_len;

  383.   return derive_secret(hs, hs->new_session->master_key,

  384.                        hs->new_session->master_key_length,

  385.                        kTLS13LabelResumption, strlen(kTLS13LabelResumption));

  386. }

  387. 

  388. static const char kTLS13LabelFinished[] = "finished";

  389. 

  390. // tls13_verify_data sets |out| to be the HMAC of |context| using a derived

  391. // Finished key for both Finished messages and the PSK binder.

  392. static bool tls13_verify_data(const EVP_MD *digest, uint16_t version,

  393.                               uint8_t *out, size_t *out_len,

  394.                               const uint8_t *secret, size_t hash_len,

  395.                               uint8_t *context, size_t context_len,

  396.                               bool use_quic) {

  397.   uint8_t key[EVP_MAX_MD_SIZE];

  398.   unsigned len;

  399.   if (!hkdf_expand_label(key, digest, secret, hash_len, kTLS13LabelFinished,

  400.                          strlen(kTLS13LabelFinished), NULL, 0, hash_len,

  401.                          use_quic) ||

  402.       HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {

  403.     return false;

  404.   }

  405.   *out_len = len;

  406.   return true;

  407. }

  408. 

  409. bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,

  410.                         bool is_server) {

  411.   const uint8_t *traffic_secret;

  412.   if (is_server) {

  413.     traffic_secret = hs->server_handshake_secret;

  414.   } else {

  415.     traffic_secret = hs->client_handshake_secret;

  416.   }

  417. 

  418.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  419.   size_t context_hash_len;

  420.   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||

  421.       !tls13_verify_data(hs->transcript.Digest(), hs->ssl->version, out,

  422.                          out_len, traffic_secret, hs->hash_len, context_hash,

  423.                          context_hash_len,

  424.                          hs->ssl->ctx->quic_method != nullptr)) {

  425.     return 0;

  426.   }

  427.   return 1;

  428. }

  429. 

  430. static const char kTLS13LabelResumptionPSK[] = "resumption";

  431. 

  432. bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce,

  433.                               bool use_quic) {

  434.   const EVP_MD *digest = ssl_session_get_digest(session);

  435.   return hkdf_expand_label(session->master_key, digest, session->master_key,

  436.                            session->master_key_length, kTLS13LabelResumptionPSK,

  437.                            strlen(kTLS13LabelResumptionPSK), nonce.data(),

  438.                            nonce.size(), session->master_key_length, use_quic);

  439. }

  440. 

  441. static const char kTLS13LabelExportKeying[] = "exporter";

  442. 

  443. bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,

  444.                                   Span<const uint8_t> secret,

  445.                                   Span<const char> label,

  446.                                   Span<const uint8_t> context) {

  447.   if (secret.empty()) {

  448.     assert(0);

  449.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  450.     return false;

  451.   }

  452. 

  453.   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));

  454. 

  455.   uint8_t hash[EVP_MAX_MD_SIZE];

  456.   uint8_t export_context[EVP_MAX_MD_SIZE];

  457.   uint8_t derived_secret[EVP_MAX_MD_SIZE];

  458.   unsigned hash_len;

  459.   unsigned export_context_len;

  460.   unsigned derived_secret_len = EVP_MD_size(digest);

  461.   return EVP_Digest(context.data(), context.size(), hash, &hash_len, digest,

  462.                     nullptr) &&

  463.          EVP_Digest(nullptr, 0, export_context, &export_context_len, digest,

  464.                     nullptr) &&

  465.          hkdf_expand_label(derived_secret, digest, secret.data(), secret.size(),

  466.                            label.data(), label.size(), export_context,

  467.                            export_context_len, derived_secret_len,

  468.                            ssl->ctx->quic_method != nullptr) &&

  469.          hkdf_expand_label(out.data(), digest, derived_secret,

  470.                            derived_secret_len, kTLS13LabelExportKeying,

  471.                            strlen(kTLS13LabelExportKeying), hash, hash_len,

  472.                            out.size(), ssl->ctx->quic_method != nullptr);

  473. }

  474. 

  475. static const char kTLS13LabelPSKBinder[] = "res binder";

  476. 

  477. static bool tls13_psk_binder(uint8_t *out, uint16_t version,

  478.                              const EVP_MD *digest, uint8_t *psk, size_t psk_len,

  479.                              uint8_t *context, size_t context_len,

  480.                              size_t hash_len, bool use_quic) {

  481.   uint8_t binder_context[EVP_MAX_MD_SIZE];

  482.   unsigned binder_context_len;

  483.   if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {

  484.     return false;

  485.   }

  486. 

  487.   uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};

  488.   size_t early_secret_len;

  489.   if (!HKDF_extract(early_secret, &early_secret_len, digest, psk, hash_len,

  490.                     NULL, 0)) {

  491.     return false;

  492.   }

  493. 

  494.   uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};

  495.   size_t len;

  496.   if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len,

  497.                          kTLS13LabelPSKBinder, strlen(kTLS13LabelPSKBinder),

  498.                          binder_context, binder_context_len, hash_len,

  499.                          use_quic) ||

  500.       !tls13_verify_data(digest, version, out, &len, binder_key, hash_len,

  501.                          context, context_len, use_quic)) {

  502.     return false;

  503.   }

  504. 

  505.   return true;

  506. }

  507. 

  508. bool tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {

  509.   SSL *const ssl = hs->ssl;

  510.   const EVP_MD *digest = ssl_session_get_digest(ssl->session.get());

  511.   size_t hash_len = EVP_MD_size(digest);

  512. 

  513.   if (len < hash_len + 3) {

  514.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  515.     return false;

  516.   }

  517. 

  518.   ScopedEVP_MD_CTX ctx;

  519.   uint8_t context[EVP_MAX_MD_SIZE];

  520.   unsigned context_len;

  521. 

  522.   if (!EVP_DigestInit_ex(ctx.get(), digest, NULL) ||

  523.       !EVP_DigestUpdate(ctx.get(), hs->transcript.buffer().data(),

  524.                         hs->transcript.buffer().size()) ||

  525.       !EVP_DigestUpdate(ctx.get(), msg, len - hash_len - 3) ||

  526.       !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {

  527.     return false;

  528.   }

  529. 

  530.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  531.   if (!tls13_psk_binder(verify_data, ssl->session->ssl_version, digest,

  532.                         ssl->session->master_key,

  533.                         ssl->session->master_key_length, context, context_len,

  534.                         hash_len, ssl->ctx->quic_method != nullptr)) {

  535.     return false;

  536.   }

  537. 

  538.   OPENSSL_memcpy(msg + len - hash_len, verify_data, hash_len);

  539.   return true;

  540. }

  541. 

  542. bool tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,

  543.                              const SSLMessage &msg, CBS *binders) {

  544.   size_t hash_len = hs->transcript.DigestLen();

  545. 

  546.   // The message must be large enough to exclude the binders.

  547.   if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {

  548.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  549.     return false;

  550.   }

  551. 

  552.   // Hash a ClientHello prefix up to the binders. This includes the header. For

  553.   // now, this assumes we only ever verify PSK binders on initial

  554.   // ClientHellos.

  555.   uint8_t context[EVP_MAX_MD_SIZE];

  556.   unsigned context_len;

  557.   if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,

  558.                   context, &context_len, hs->transcript.Digest(), NULL)) {

  559.     return false;

  560.   }

  561. 

  562.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  563.   CBS binder;

  564.   if (!tls13_psk_binder(verify_data, hs->ssl->version, hs->transcript.Digest(),

  565.                         session->master_key, session->master_key_length,

  566.                         context, context_len, hash_len,

  567.                         hs->ssl->ctx->quic_method != nullptr) ||

  568.       // We only consider the first PSK, so compare against the first binder.

  569.       !CBS_get_u8_length_prefixed(binders, &binder)) {

  570.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  571.     return false;

  572.   }

  573. 

  574.   bool binder_ok = CBS_len(&binder) == hash_len &&

  575.                    CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;

  576. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  577.   binder_ok = true;

  578. #endif

  579.   if (!binder_ok) {

  580.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  581.     return false;

  582.   }

  583. 

  584.   return true;

  585. }

  586. 

  587. BSSL_NAMESPACE_END