kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4071 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6fdea2aba9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6fdea2aba9'
${ noResults }
boringssl/ssl/tls13_enc.c

470 lines
17 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/aead.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/digest.h>

  23. #include <openssl/hkdf.h>

  24. #include <openssl/hmac.h>

  25. #include <openssl/mem.h>

  26. 

  27. #include "../crypto/internal.h"

  28. #include "internal.h"

  29. 

  30. 

  31. static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,

  32.                               int algorithm_prf) {

  33.   if (!SSL_TRANSCRIPT_init_hash(&hs->transcript, version, algorithm_prf)) {

  34.     return 0;

  35.   }

  36. 

  37.   hs->hash_len = SSL_TRANSCRIPT_digest_len(&hs->transcript);

  38. 

  39.   /* Initialize the secret to the zero key. */

  40.   OPENSSL_memset(hs->secret, 0, hs->hash_len);

  41. 

  42.   return 1;

  43. }

  44. 

  45. int tls13_init_key_schedule(SSL_HANDSHAKE *hs) {

  46.   if (!init_key_schedule(hs, ssl3_protocol_version(hs->ssl),

  47.                          hs->new_cipher->algorithm_prf)) {

  48.     return 0;

  49.   }

  50. 

  51.   SSL_TRANSCRIPT_free_buffer(&hs->transcript);

  52.   return 1;

  53. }

  54. 

  55. int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs) {

  56.   SSL *const ssl = hs->ssl;

  57.   uint16_t session_version;

  58.   if (!ssl->method->version_from_wire(&session_version,

  59.                                       ssl->session->ssl_version) ||

  60.       !init_key_schedule(hs, session_version,

  61.                          ssl->session->cipher->algorithm_prf)) {

  62.     return 0;

  63.   }

  64. 

  65.   return 1;

  66. }

  67. 

  68. int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,

  69.                                size_t len) {

  70.   return HKDF_extract(hs->secret, &hs->hash_len,

  71.                       SSL_TRANSCRIPT_md(&hs->transcript), in, len, hs->secret,

  72.                       hs->hash_len);

  73. }

  74. 

  75. static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest,

  76.                              const uint8_t *secret, size_t secret_len,

  77.                              const uint8_t *label, size_t label_len,

  78.                              const uint8_t *hash, size_t hash_len, size_t len) {

  79.   static const char kTLS13LabelVersion[] = "TLS 1.3, ";

  80. 

  81.   CBB cbb, child;

  82.   uint8_t *hkdf_label;

  83.   size_t hkdf_label_len;

  84.   if (!CBB_init(&cbb, 2 + 1 + strlen(kTLS13LabelVersion) + label_len + 1 +

  85.                           hash_len) ||

  86.       !CBB_add_u16(&cbb, len) ||

  87.       !CBB_add_u8_length_prefixed(&cbb, &child) ||

  88.       !CBB_add_bytes(&child, (const uint8_t *)kTLS13LabelVersion,

  89.                      strlen(kTLS13LabelVersion)) ||

  90.       !CBB_add_bytes(&child, label, label_len) ||

  91.       !CBB_add_u8_length_prefixed(&cbb, &child) ||

  92.       !CBB_add_bytes(&child, hash, hash_len) ||

  93.       !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) {

  94.     CBB_cleanup(&cbb);

  95.     return 0;

  96.   }

  97. 

  98.   int ret = HKDF_expand(out, len, digest, secret, secret_len, hkdf_label,

  99.                         hkdf_label_len);

  100.   OPENSSL_free(hkdf_label);

  101.   return ret;

  102. }

  103. 

  104. /* derive_secret derives a secret of length |len| and writes the result in |out|

  105.  * with the given label and the current base secret and most recently-saved

  106.  * handshake context. It returns one on success and zero on error. */

  107. static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,

  108.                          const uint8_t *label, size_t label_len) {

  109.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  110.   size_t context_hash_len;

  111.   if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, context_hash,

  112.                                &context_hash_len)) {

  113.     return 0;

  114.   }

  115. 

  116.   return hkdf_expand_label(out, SSL_TRANSCRIPT_md(&hs->transcript), hs->secret,

  117.                            hs->hash_len, label, label_len, context_hash,

  118.                            context_hash_len, len);

  119. }

  120. 

  121. int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,

  122.                           const uint8_t *traffic_secret,

  123.                           size_t traffic_secret_len) {

  124.   const SSL_SESSION *session = SSL_get_session(ssl);

  125.   uint16_t version;

  126.   if (!ssl->method->version_from_wire(&version, session->ssl_version)) {

  127.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  128.     return 0;

  129.   }

  130. 

  131.   if (traffic_secret_len > 0xff) {

  132.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  133.     return 0;

  134.   }

  135. 

  136.   /* Look up cipher suite properties. */

  137.   const EVP_AEAD *aead;

  138.   size_t discard;

  139.   if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,

  140.                                version)) {

  141.     return 0;

  142.   }

  143. 

  144.   const EVP_MD *digest = ssl_get_handshake_digest(

  145.       session->cipher->algorithm_prf, version);

  146. 

  147.   /* Derive the key. */

  148.   size_t key_len = EVP_AEAD_key_length(aead);

  149.   uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];

  150.   if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,

  151.                          (const uint8_t *)"key", 3, NULL, 0, key_len)) {

  152.     return 0;

  153.   }

  154. 

  155.   /* Derive the IV. */

  156.   size_t iv_len = EVP_AEAD_nonce_length(aead);

  157.   uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];

  158.   if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len,

  159.                          (const uint8_t *)"iv", 2, NULL, 0, iv_len)) {

  160.     return 0;

  161.   }

  162. 

  163.   SSL_AEAD_CTX *traffic_aead = SSL_AEAD_CTX_new(

  164.       direction, version, session->cipher, key, key_len, NULL, 0, iv, iv_len);

  165.   if (traffic_aead == NULL) {

  166.     return 0;

  167.   }

  168. 

  169.   if (direction == evp_aead_open) {

  170.     if (!ssl->method->set_read_state(ssl, traffic_aead)) {

  171.       return 0;

  172.     }

  173.   } else {

  174.     if (!ssl->method->set_write_state(ssl, traffic_aead)) {

  175.       return 0;

  176.     }

  177.   }

  178. 

  179.   /* Save the traffic secret. */

  180.   if (direction == evp_aead_open) {

  181.     OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,

  182.                     traffic_secret_len);

  183.     ssl->s3->read_traffic_secret_len = traffic_secret_len;

  184.   } else {

  185.     OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret,

  186.                     traffic_secret_len);

  187.     ssl->s3->write_traffic_secret_len = traffic_secret_len;

  188.   }

  189. 

  190.   return 1;

  191. }

  192. 

  193. static const char kTLS13LabelExporter[] = "exporter master secret";

  194. static const char kTLS13LabelEarlyExporter[] = "early exporter master secret";

  195. 

  196. static const char kTLS13LabelClientEarlyTraffic[] =

  197.     "client early traffic secret";

  198. static const char kTLS13LabelClientHandshakeTraffic[] =

  199.     "client handshake traffic secret";

  200. static const char kTLS13LabelServerHandshakeTraffic[] =

  201.     "server handshake traffic secret";

  202. static const char kTLS13LabelClientApplicationTraffic[] =

  203.     "client application traffic secret";

  204. static const char kTLS13LabelServerApplicationTraffic[] =

  205.     "server application traffic secret";

  206. 

  207. int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {

  208.   SSL *const ssl = hs->ssl;

  209.   return derive_secret(hs, hs->early_traffic_secret, hs->hash_len,

  210.                        (const uint8_t *)kTLS13LabelClientEarlyTraffic,

  211.                        strlen(kTLS13LabelClientEarlyTraffic)) &&

  212.          ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",

  213.                         hs->early_traffic_secret, hs->hash_len) &&

  214.          derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len,

  215.                        (const uint8_t *)kTLS13LabelEarlyExporter,

  216.                        strlen(kTLS13LabelEarlyExporter));

  217. }

  218. 

  219. int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {

  220.   SSL *const ssl = hs->ssl;

  221.   return derive_secret(hs, hs->client_handshake_secret, hs->hash_len,

  222.                        (const uint8_t *)kTLS13LabelClientHandshakeTraffic,

  223.                        strlen(kTLS13LabelClientHandshakeTraffic)) &&

  224.          ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",

  225.                         hs->client_handshake_secret, hs->hash_len) &&

  226.          derive_secret(hs, hs->server_handshake_secret, hs->hash_len,

  227.                        (const uint8_t *)kTLS13LabelServerHandshakeTraffic,

  228.                        strlen(kTLS13LabelServerHandshakeTraffic)) &&

  229.          ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",

  230.                         hs->server_handshake_secret, hs->hash_len);

  231. }

  232. 

  233. int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {

  234.   SSL *const ssl = hs->ssl;

  235.   ssl->s3->exporter_secret_len = hs->hash_len;

  236.   return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,

  237.                        (const uint8_t *)kTLS13LabelClientApplicationTraffic,

  238.                        strlen(kTLS13LabelClientApplicationTraffic)) &&

  239.          ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",

  240.                         hs->client_traffic_secret_0, hs->hash_len) &&

  241.          derive_secret(hs, hs->server_traffic_secret_0, hs->hash_len,

  242.                        (const uint8_t *)kTLS13LabelServerApplicationTraffic,

  243.                        strlen(kTLS13LabelServerApplicationTraffic)) &&

  244.          ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",

  245.                         hs->server_traffic_secret_0, hs->hash_len) &&

  246.          derive_secret(hs, ssl->s3->exporter_secret, hs->hash_len,

  247.                        (const uint8_t *)kTLS13LabelExporter,

  248.                        strlen(kTLS13LabelExporter));

  249. }

  250. 

  251. static const char kTLS13LabelApplicationTraffic[] =

  252.     "application traffic secret";

  253. 

  254. int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {

  255.   const EVP_MD *digest = ssl_get_handshake_digest(

  256.       SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));

  257. 

  258.   uint8_t *secret;

  259.   size_t secret_len;

  260.   if (direction == evp_aead_open) {

  261.     secret = ssl->s3->read_traffic_secret;

  262.     secret_len = ssl->s3->read_traffic_secret_len;

  263.   } else {

  264.     secret = ssl->s3->write_traffic_secret;

  265.     secret_len = ssl->s3->write_traffic_secret_len;

  266.   }

  267. 

  268.   if (!hkdf_expand_label(secret, digest, secret, secret_len,

  269.                          (const uint8_t *)kTLS13LabelApplicationTraffic,

  270.                          strlen(kTLS13LabelApplicationTraffic), NULL, 0,

  271.                          secret_len)) {

  272.     return 0;

  273.   }

  274. 

  275.   return tls13_set_traffic_key(ssl, direction, secret, secret_len);

  276. }

  277. 

  278. static const char kTLS13LabelResumption[] = "resumption master secret";

  279. 

  280. int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {

  281.   if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {

  282.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  283.     return 0;

  284.   }

  285. 

  286.   hs->new_session->master_key_length = hs->hash_len;

  287.   return derive_secret(

  288.       hs, hs->new_session->master_key, hs->new_session->master_key_length,

  289.       (const uint8_t *)kTLS13LabelResumption, strlen(kTLS13LabelResumption));

  290. }

  291. 

  292. static const char kTLS13LabelFinished[] = "finished";

  293. 

  294. /* tls13_verify_data sets |out| to be the HMAC of |context| using a derived

  295.  * Finished key for both Finished messages and the PSK binder. */

  296. static int tls13_verify_data(const EVP_MD *digest, uint8_t *out,

  297.                              size_t *out_len, const uint8_t *secret,

  298.                              size_t hash_len, uint8_t *context,

  299.                              size_t context_len) {

  300.   uint8_t key[EVP_MAX_MD_SIZE];

  301.   unsigned len;

  302.   if (!hkdf_expand_label(key, digest, secret, hash_len,

  303.                          (const uint8_t *)kTLS13LabelFinished,

  304.                          strlen(kTLS13LabelFinished), NULL, 0, hash_len) ||

  305.       HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {

  306.     return 0;

  307.   }

  308.   *out_len = len;

  309.   return 1;

  310. }

  311. 

  312. int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,

  313.                        int is_server) {

  314.   const uint8_t *traffic_secret;

  315.   if (is_server) {

  316.     traffic_secret = hs->server_handshake_secret;

  317.   } else {

  318.     traffic_secret = hs->client_handshake_secret;

  319.   }

  320. 

  321.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  322.   size_t context_hash_len;

  323.   if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, context_hash,

  324.                                &context_hash_len) ||

  325.       !tls13_verify_data(SSL_TRANSCRIPT_md(&hs->transcript), out, out_len,

  326.                          traffic_secret, hs->hash_len, context_hash,

  327.                          context_hash_len)) {

  328.     return 0;

  329.   }

  330.   return 1;

  331. }

  332. 

  333. int tls13_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,

  334.                                  const char *label, size_t label_len,

  335.                                  const uint8_t *context, size_t context_len,

  336.                                  int use_context) {

  337.   const EVP_MD *digest = ssl_get_handshake_digest(

  338.       SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));

  339. 

  340.   const uint8_t *hash = NULL;

  341.   size_t hash_len = 0;

  342.   if (use_context) {

  343.     hash = context;

  344.     hash_len = context_len;

  345.   }

  346.   return hkdf_expand_label(out, digest, ssl->s3->exporter_secret,

  347.                            ssl->s3->exporter_secret_len, (const uint8_t *)label,

  348.                            label_len, hash, hash_len, out_len);

  349. }

  350. 

  351. static const char kTLS13LabelPSKBinder[] = "resumption psk binder key";

  352. 

  353. static int tls13_psk_binder(uint8_t *out, const EVP_MD *digest, uint8_t *psk,

  354.                             size_t psk_len, uint8_t *context,

  355.                             size_t context_len, size_t hash_len) {

  356.   uint8_t binder_context[EVP_MAX_MD_SIZE];

  357.   unsigned binder_context_len;

  358.   if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {

  359.     return 0;

  360.   }

  361. 

  362.   uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};

  363.   size_t early_secret_len;

  364.   if (!HKDF_extract(early_secret, &early_secret_len, digest, psk, hash_len,

  365.                     NULL, 0)) {

  366.     return 0;

  367.   }

  368. 

  369.   uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};

  370.   size_t len;

  371.   if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len,

  372.                          (const uint8_t *)kTLS13LabelPSKBinder,

  373.                          strlen(kTLS13LabelPSKBinder), binder_context,

  374.                          binder_context_len, hash_len) ||

  375.       !tls13_verify_data(digest, out, &len, binder_key, hash_len, context,

  376.                          context_len)) {

  377.     return 0;

  378.   }

  379. 

  380.   return 1;

  381. }

  382. 

  383. int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {

  384.   SSL *const ssl = hs->ssl;

  385.   const EVP_MD *digest = SSL_SESSION_get_digest(ssl->session, ssl);

  386.   if (digest == NULL) {

  387.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  388.     return 0;

  389.   }

  390.   size_t hash_len = EVP_MD_size(digest);

  391. 

  392.   if (len < hash_len + 3) {

  393.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  394.     return 0;

  395.   }

  396. 

  397.   EVP_MD_CTX ctx;

  398.   EVP_MD_CTX_init(&ctx);

  399.   uint8_t context[EVP_MAX_MD_SIZE];

  400.   unsigned context_len;

  401.   if (!EVP_DigestInit_ex(&ctx, digest, NULL) ||

  402.       !EVP_DigestUpdate(&ctx, hs->transcript.buffer->data,

  403.                         hs->transcript.buffer->length) ||

  404.       !EVP_DigestUpdate(&ctx, msg, len - hash_len - 3) ||

  405.       !EVP_DigestFinal_ex(&ctx, context, &context_len)) {

  406.     EVP_MD_CTX_cleanup(&ctx);

  407.     return 0;

  408.   }

  409. 

  410.   EVP_MD_CTX_cleanup(&ctx);

  411. 

  412.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  413.   if (!tls13_psk_binder(verify_data, digest, ssl->session->master_key,

  414.                         ssl->session->master_key_length, context, context_len,

  415.                         hash_len)) {

  416.     return 0;

  417.   }

  418. 

  419.   OPENSSL_memcpy(msg + len - hash_len, verify_data, hash_len);

  420.   return 1;

  421. }

  422. 

  423. int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,

  424.                             CBS *binders) {

  425.   size_t hash_len = SSL_TRANSCRIPT_digest_len(&hs->transcript);

  426. 

  427.   /* Get the full ClientHello, including message header. It must be large enough

  428.    * to exclude the binders. */

  429.   CBS message;

  430.   hs->ssl->method->get_current_message(hs->ssl, &message);

  431.   if (CBS_len(&message) < CBS_len(binders) + 2) {

  432.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  433.     return 0;

  434.   }

  435. 

  436.   /* Hash a ClientHello prefix up to the binders. For now, this assumes we only

  437.    * ever verify PSK binders on initial ClientHellos. */

  438.   uint8_t context[EVP_MAX_MD_SIZE];

  439.   unsigned context_len;

  440.   if (!EVP_Digest(CBS_data(&message), CBS_len(&message) - CBS_len(binders) - 2,

  441.                   context, &context_len, SSL_TRANSCRIPT_md(&hs->transcript),

  442.                   NULL)) {

  443.     return 0;

  444.   }

  445. 

  446.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  447.   CBS binder;

  448.   if (!tls13_psk_binder(verify_data, SSL_TRANSCRIPT_md(&hs->transcript),

  449.                         session->master_key, session->master_key_length,

  450.                         context, context_len, hash_len) ||

  451.       /* We only consider the first PSK, so compare against the first binder. */

  452.       !CBS_get_u8_length_prefixed(binders, &binder)) {

  453.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  454.     return 0;

  455.   }

  456. 

  457.   int binder_ok =

  458.       CBS_len(&binder) == hash_len &&

  459.       CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;

  460. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  461.   binder_ok = 1;

  462. #endif

  463.   if (!binder_ok) {

  464.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  465.     return 0;

  466.   }

  467. 

  468.   return 1;

  469. }