kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4929 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: b9f30bb6fe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b9f30bb6fe'
${ noResults }
boringssl/ssl/tls13_enc.cc

561 lines
21 KiB
Raw Blame History 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <utility>

  21. 

  22. #include <openssl/aead.h>

  23. #include <openssl/bytestring.h>

  24. #include <openssl/digest.h>

  25. #include <openssl/hkdf.h>

  26. #include <openssl/hmac.h>

  27. #include <openssl/mem.h>

  28. 

  29. #include "../crypto/internal.h"

  30. #include "internal.h"

  31. 

  32. 

  33. namespace bssl {

  34. 

  35. static int init_key_schedule(SSL_HANDSHAKE *hs, uint16_t version,

  36.                              const SSL_CIPHER *cipher) {

  37.   if (!hs->transcript.InitHash(version, cipher)) {

  38.     return 0;

  39.   }

  40. 

  41.   hs->hash_len = hs->transcript.DigestLen();

  42. 

  43.   // Initialize the secret to the zero key.

  44.   OPENSSL_memset(hs->secret, 0, hs->hash_len);

  45. 

  46.   return 1;

  47. }

  48. 

  49. int tls13_init_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,

  50.                             size_t psk_len) {

  51.   if (!init_key_schedule(hs, ssl_protocol_version(hs->ssl), hs->new_cipher)) {

  52.     return 0;

  53.   }

  54. 

  55.   hs->transcript.FreeBuffer();

  56.   return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,

  57.                       psk_len, hs->secret, hs->hash_len);

  58. }

  59. 

  60. int tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *psk,

  61.                                   size_t psk_len) {

  62.   SSL *const ssl = hs->ssl;

  63.   return init_key_schedule(hs, ssl_session_protocol_version(ssl->session),

  64.                            ssl->session->cipher) &&

  65.          HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), psk,

  66.                       psk_len, hs->secret, hs->hash_len);

  67. }

  68. 

  69. static int hkdf_expand_label(uint8_t *out, uint16_t version,

  70.                              const EVP_MD *digest, const uint8_t *secret,

  71.                              size_t secret_len, const char *label,

  72.                              size_t label_len, const uint8_t *hash,

  73.                              size_t hash_len, size_t len) {

  74.   const char *kTLS13LabelVersion =

  75.       ssl_is_draft22(version) ? "tls13 " : "TLS 1.3, ";

  76. 

  77.   ScopedCBB cbb;

  78.   CBB child;

  79.   uint8_t *hkdf_label;

  80.   size_t hkdf_label_len;

  81.   if (!CBB_init(cbb.get(), 2 + 1 + strlen(kTLS13LabelVersion) + label_len + 1 +

  82.                                hash_len) ||

  83.       !CBB_add_u16(cbb.get(), len) ||

  84.       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||

  85.       !CBB_add_bytes(&child, (const uint8_t *)kTLS13LabelVersion,

  86.                      strlen(kTLS13LabelVersion)) ||

  87.       !CBB_add_bytes(&child, (const uint8_t *)label, label_len) ||

  88.       !CBB_add_u8_length_prefixed(cbb.get(), &child) ||

  89.       !CBB_add_bytes(&child, hash, hash_len) ||

  90.       !CBB_finish(cbb.get(), &hkdf_label, &hkdf_label_len)) {

  91.     return 0;

  92.   }

  93. 

  94.   int ret = HKDF_expand(out, len, digest, secret, secret_len, hkdf_label,

  95.                         hkdf_label_len);

  96.   OPENSSL_free(hkdf_label);

  97.   return ret;

  98. }

  99. 

  100. static const char kTLS13LabelDerived[] = "derived";

  101. 

  102. int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,

  103.                                size_t len) {

  104.   SSL *const ssl = hs->ssl;

  105. 

  106.   // Draft 18 does not include the extra Derive-Secret step.

  107.   if (ssl_is_draft22(ssl->version)) {

  108.     uint8_t derive_context[EVP_MAX_MD_SIZE];

  109.     unsigned derive_context_len;

  110.     if (!EVP_Digest(nullptr, 0, derive_context, &derive_context_len,

  111.                     hs->transcript.Digest(), nullptr)) {

  112.       return 0;

  113.     }

  114. 

  115.     if (!hkdf_expand_label(hs->secret, ssl->version, hs->transcript.Digest(),

  116.                            hs->secret, hs->hash_len, kTLS13LabelDerived,

  117.                            strlen(kTLS13LabelDerived), derive_context,

  118.                            derive_context_len, hs->hash_len)) {

  119.       return 0;

  120.     }

  121.   }

  122. 

  123.   return HKDF_extract(hs->secret, &hs->hash_len, hs->transcript.Digest(), in,

  124.                       len, hs->secret, hs->hash_len);

  125. }

  126. 

  127. // derive_secret derives a secret of length |len| and writes the result in |out|

  128. // with the given label and the current base secret and most recently-saved

  129. // handshake context. It returns one on success and zero on error.

  130. static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,

  131.                          const char *label, size_t label_len) {

  132.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  133.   size_t context_hash_len;

  134.   if (!hs->transcript.GetHash(context_hash, &context_hash_len)) {

  135.     return 0;

  136.   }

  137. 

  138.   return hkdf_expand_label(out, SSL_get_session(hs->ssl)->ssl_version,

  139.                            hs->transcript.Digest(), hs->secret, hs->hash_len,

  140.                            label, label_len, context_hash, context_hash_len,

  141.                            len);

  142. }

  143. 

  144. int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,

  145.                           const uint8_t *traffic_secret,

  146.                           size_t traffic_secret_len) {

  147.   const SSL_SESSION *session = SSL_get_session(ssl);

  148.   uint16_t version = ssl_session_protocol_version(session);

  149. 

  150.   if (traffic_secret_len > 0xff) {

  151.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  152.     return 0;

  153.   }

  154. 

  155.   // Look up cipher suite properties.

  156.   const EVP_AEAD *aead;

  157.   size_t discard;

  158.   if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard, session->cipher,

  159.                                version, SSL_is_dtls(ssl))) {

  160.     return 0;

  161.   }

  162. 

  163.   const EVP_MD *digest = ssl_session_get_digest(session);

  164. 

  165.   // Derive the key.

  166.   size_t key_len = EVP_AEAD_key_length(aead);

  167.   uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];

  168.   if (!hkdf_expand_label(key, session->ssl_version, digest, traffic_secret,

  169.                          traffic_secret_len, "key", 3, NULL, 0, key_len)) {

  170.     return 0;

  171.   }

  172. 

  173.   // Derive the IV.

  174.   size_t iv_len = EVP_AEAD_nonce_length(aead);

  175.   uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];

  176.   if (!hkdf_expand_label(iv, session->ssl_version, digest, traffic_secret,

  177.                          traffic_secret_len, "iv", 2, NULL, 0, iv_len)) {

  178.     return 0;

  179.   }

  180. 

  181.   UniquePtr<SSLAEADContext> traffic_aead =

  182.       SSLAEADContext::Create(direction, session->ssl_version, SSL_is_dtls(ssl),

  183.                              session->cipher, MakeConstSpan(key, key_len),

  184.                              Span<const uint8_t>(), MakeConstSpan(iv, iv_len));

  185.   if (!traffic_aead) {

  186.     return 0;

  187.   }

  188. 

  189.   if (direction == evp_aead_open) {

  190.     if (!ssl->method->set_read_state(ssl, std::move(traffic_aead))) {

  191.       return 0;

  192.     }

  193.   } else {

  194.     if (!ssl->method->set_write_state(ssl, std::move(traffic_aead))) {

  195.       return 0;

  196.     }

  197.   }

  198. 

  199.   // Save the traffic secret.

  200.   if (direction == evp_aead_open) {

  201.     OPENSSL_memmove(ssl->s3->read_traffic_secret, traffic_secret,

  202.                     traffic_secret_len);

  203.     ssl->s3->read_traffic_secret_len = traffic_secret_len;

  204.   } else {

  205.     OPENSSL_memmove(ssl->s3->write_traffic_secret, traffic_secret,

  206.                     traffic_secret_len);

  207.     ssl->s3->write_traffic_secret_len = traffic_secret_len;

  208.   }

  209. 

  210.   return 1;

  211. }

  212. 

  213. static const char kTLS13LabelExporter[] = "exporter master secret";

  214. static const char kTLS13LabelEarlyExporter[] = "early exporter master secret";

  215. 

  216. static const char kTLS13LabelClientEarlyTraffic[] =

  217.     "client early traffic secret";

  218. static const char kTLS13LabelClientHandshakeTraffic[] =

  219.     "client handshake traffic secret";

  220. static const char kTLS13LabelServerHandshakeTraffic[] =

  221.     "server handshake traffic secret";

  222. static const char kTLS13LabelClientApplicationTraffic[] =

  223.     "client application traffic secret";

  224. static const char kTLS13LabelServerApplicationTraffic[] =

  225.     "server application traffic secret";

  226. 

  227. static const char kTLS13Draft22LabelExporter[] = "exp master";

  228. static const char kTLS13Draft22LabelEarlyExporter[] = "e exp master";

  229. 

  230. static const char kTLS13Draft22LabelClientEarlyTraffic[] = "c e traffic";

  231. static const char kTLS13Draft22LabelClientHandshakeTraffic[] = "c hs traffic";

  232. static const char kTLS13Draft22LabelServerHandshakeTraffic[] = "s hs traffic";

  233. static const char kTLS13Draft22LabelClientApplicationTraffic[] = "c ap traffic";

  234. static const char kTLS13Draft22LabelServerApplicationTraffic[] = "s ap traffic";

  235. 

  236. int tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {

  237.   SSL *const ssl = hs->ssl;

  238.   uint16_t version = SSL_get_session(ssl)->ssl_version;

  239. 

  240.   const char *early_traffic_label = ssl_is_draft22(version)

  241.                                         ? kTLS13Draft22LabelClientEarlyTraffic

  242.                                         : kTLS13LabelClientEarlyTraffic;

  243.   const char *early_exporter_label = ssl_is_draft22(version)

  244.                                          ? kTLS13Draft22LabelEarlyExporter

  245.                                          : kTLS13LabelEarlyExporter;

  246.   if (!derive_secret(hs, hs->early_traffic_secret, hs->hash_len,

  247.                      early_traffic_label, strlen(early_traffic_label)) ||

  248.       !ssl_log_secret(ssl, "CLIENT_EARLY_TRAFFIC_SECRET",

  249.                       hs->early_traffic_secret, hs->hash_len) ||

  250.       !derive_secret(hs, ssl->s3->early_exporter_secret, hs->hash_len,

  251.                      early_exporter_label, strlen(early_exporter_label))) {

  252.     return 0;

  253.   }

  254.   ssl->s3->early_exporter_secret_len = hs->hash_len;

  255.   return 1;

  256. }

  257. 

  258. int tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) {

  259.   SSL *const ssl = hs->ssl;

  260.   const char *client_label = ssl_is_draft22(ssl->version)

  261.                                  ? kTLS13Draft22LabelClientHandshakeTraffic

  262.                                  : kTLS13LabelClientHandshakeTraffic;

  263.   const char *server_label = ssl_is_draft22(ssl->version)

  264.                                  ? kTLS13Draft22LabelServerHandshakeTraffic

  265.                                  : kTLS13LabelServerHandshakeTraffic;

  266.   return derive_secret(hs, hs->client_handshake_secret, hs->hash_len,

  267.                        client_label, strlen(client_label)) &&

  268.          ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",

  269.                         hs->client_handshake_secret, hs->hash_len) &&

  270.          derive_secret(hs, hs->server_handshake_secret, hs->hash_len,

  271.                        server_label, strlen(server_label)) &&

  272.          ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",

  273.                         hs->server_handshake_secret, hs->hash_len);

  274. }

  275. 

  276. int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {

  277.   SSL *const ssl = hs->ssl;

  278.   ssl->s3->exporter_secret_len = hs->hash_len;

  279.   const char *client_label = ssl_is_draft22(ssl->version)

  280.                                  ? kTLS13Draft22LabelClientApplicationTraffic

  281.                                  : kTLS13LabelClientApplicationTraffic;

  282.   const char *server_label = ssl_is_draft22(ssl->version)

  283.                                  ? kTLS13Draft22LabelServerApplicationTraffic

  284.                                  : kTLS13LabelServerApplicationTraffic;

  285.   const char *exporter_label = ssl_is_draft22(ssl->version)

  286.                                    ? kTLS13Draft22LabelExporter

  287.                                    : kTLS13LabelExporter;

  288.   return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,

  289.                        client_label, strlen(client_label)) &&

  290.          ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",

  291.                         hs->client_traffic_secret_0, hs->hash_len) &&

  292.          derive_secret(hs, hs->server_traffic_secret_0, hs->hash_len,

  293.                        server_label, strlen(server_label)) &&

  294.          ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",

  295.                         hs->server_traffic_secret_0, hs->hash_len) &&

  296.          derive_secret(hs, ssl->s3->exporter_secret, hs->hash_len,

  297.                        exporter_label, strlen(exporter_label)) &&

  298.          ssl_log_secret(ssl, "EXPORTER_SECRET", ssl->s3->exporter_secret,

  299.                         hs->hash_len);

  300. }

  301. 

  302. static const char kTLS13LabelApplicationTraffic[] =

  303.     "application traffic secret";

  304. static const char kTLS13Draft22LabelApplicationTraffic[] = "traffic upd";

  305. 

  306. int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {

  307.   uint8_t *secret;

  308.   size_t secret_len;

  309.   if (direction == evp_aead_open) {

  310.     secret = ssl->s3->read_traffic_secret;

  311.     secret_len = ssl->s3->read_traffic_secret_len;

  312.   } else {

  313.     secret = ssl->s3->write_traffic_secret;

  314.     secret_len = ssl->s3->write_traffic_secret_len;

  315.   }

  316. 

  317.   const char *traffic_label = ssl_is_draft22(ssl->version)

  318.                                   ? kTLS13Draft22LabelApplicationTraffic

  319.                                   : kTLS13LabelApplicationTraffic;

  320. 

  321.   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));

  322.   if (!hkdf_expand_label(secret, ssl->version, digest, secret, secret_len,

  323.                          traffic_label, strlen(traffic_label), NULL, 0,

  324.                          secret_len)) {

  325.     return 0;

  326.   }

  327. 

  328.   return tls13_set_traffic_key(ssl, direction, secret, secret_len);

  329. }

  330. 

  331. static const char kTLS13LabelResumption[] = "resumption master secret";

  332. static const char kTLS13Draft22LabelResumption[] = "res master";

  333. 

  334. int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {

  335.   if (hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {

  336.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  337.     return 0;

  338.   }

  339.   const char *resumption_label = ssl_is_draft22(hs->ssl->version)

  340.                                      ? kTLS13Draft22LabelResumption

  341.                                      : kTLS13LabelResumption;

  342.   hs->new_session->master_key_length = hs->hash_len;

  343.   return derive_secret(hs, hs->new_session->master_key,

  344.                        hs->new_session->master_key_length, resumption_label,

  345.                        strlen(resumption_label));

  346. }

  347. 

  348. static const char kTLS13LabelFinished[] = "finished";

  349. 

  350. // tls13_verify_data sets |out| to be the HMAC of |context| using a derived

  351. // Finished key for both Finished messages and the PSK binder.

  352. static int tls13_verify_data(const EVP_MD *digest, uint16_t version,

  353.                              uint8_t *out, size_t *out_len,

  354.                              const uint8_t *secret, size_t hash_len,

  355.                              uint8_t *context, size_t context_len) {

  356.   uint8_t key[EVP_MAX_MD_SIZE];

  357.   unsigned len;

  358.   if (!hkdf_expand_label(key, version, digest, secret, hash_len,

  359.                          kTLS13LabelFinished, strlen(kTLS13LabelFinished), NULL,

  360.                          0, hash_len) ||

  361.       HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {

  362.     return 0;

  363.   }

  364.   *out_len = len;

  365.   return 1;

  366. }

  367. 

  368. int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,

  369.                        int is_server) {

  370.   const uint8_t *traffic_secret;

  371.   if (is_server) {

  372.     traffic_secret = hs->server_handshake_secret;

  373.   } else {

  374.     traffic_secret = hs->client_handshake_secret;

  375.   }

  376. 

  377.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  378.   size_t context_hash_len;

  379.   if (!hs->transcript.GetHash(context_hash, &context_hash_len) ||

  380.       !tls13_verify_data(hs->transcript.Digest(), hs->ssl->version, out,

  381.                          out_len, traffic_secret, hs->hash_len, context_hash,

  382.                          context_hash_len)) {

  383.     return 0;

  384.   }

  385.   return 1;

  386. }

  387. 

  388. static const char kTLS13LabelResumptionPSK[] = "resumption";

  389. 

  390. bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce) {

  391.   if (!ssl_is_draft22(session->ssl_version)) {

  392.     return true;

  393.   }

  394. 

  395.   const EVP_MD *digest = ssl_session_get_digest(session);

  396.   return hkdf_expand_label(session->master_key, session->ssl_version, digest,

  397.                            session->master_key, session->master_key_length,

  398.                            kTLS13LabelResumptionPSK,

  399.                            strlen(kTLS13LabelResumptionPSK), nonce.data(),

  400.                            nonce.size(), session->master_key_length);

  401. }

  402. 

  403. static const char kTLS13LabelExportKeying[] = "exporter";

  404. 

  405. int tls13_export_keying_material(SSL *ssl, Span<uint8_t> out,

  406.                                  Span<const uint8_t> secret,

  407.                                  Span<const char> label,

  408.                                  Span<const uint8_t> context) {

  409.   if (secret.empty()) {

  410.     assert(0);

  411.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  412.     return 0;

  413.   }

  414. 

  415.   uint16_t version = SSL_get_session(ssl)->ssl_version;

  416.   if (!ssl_is_draft22(version)) {

  417.     const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));

  418.     return hkdf_expand_label(out.data(), version, digest, secret.data(),

  419.                              secret.size(), label.data(), label.size(),

  420.                              context.data(), context.size(), out.size());

  421.   }

  422. 

  423.   const EVP_MD *digest = ssl_session_get_digest(SSL_get_session(ssl));

  424. 

  425.   uint8_t hash[EVP_MAX_MD_SIZE];

  426.   uint8_t export_context[EVP_MAX_MD_SIZE];

  427.   uint8_t derived_secret[EVP_MAX_MD_SIZE];

  428.   unsigned hash_len;

  429.   unsigned export_context_len;

  430.   unsigned derived_secret_len = EVP_MD_size(digest);

  431.   return EVP_Digest(context.data(), context.size(), hash, &hash_len, digest,

  432.                     nullptr) &&

  433.          EVP_Digest(nullptr, 0, export_context, &export_context_len, digest,

  434.                     nullptr) &&

  435.          hkdf_expand_label(derived_secret, version, digest, secret.data(),

  436.                            secret.size(), label.data(), label.size(),

  437.                            export_context, export_context_len,

  438.                            derived_secret_len) &&

  439.          hkdf_expand_label(out.data(), version, digest, derived_secret,

  440.                            derived_secret_len, kTLS13LabelExportKeying,

  441.                            strlen(kTLS13LabelExportKeying), hash, hash_len,

  442.                            out.size());

  443. }

  444. 

  445. static const char kTLS13LabelPSKBinder[] = "resumption psk binder key";

  446. static const char kTLS13Draft22LabelPSKBinder[] = "res binder";

  447. 

  448. static int tls13_psk_binder(uint8_t *out, uint16_t version,

  449.                             const EVP_MD *digest, uint8_t *psk, size_t psk_len,

  450.                             uint8_t *context, size_t context_len,

  451.                             size_t hash_len) {

  452.   uint8_t binder_context[EVP_MAX_MD_SIZE];

  453.   unsigned binder_context_len;

  454.   if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {

  455.     return 0;

  456.   }

  457. 

  458.   uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};

  459.   size_t early_secret_len;

  460.   if (!HKDF_extract(early_secret, &early_secret_len, digest, psk, hash_len,

  461.                     NULL, 0)) {

  462.     return 0;

  463.   }

  464.   const char *binder_label = ssl_is_draft22(version)

  465.                                  ? kTLS13Draft22LabelPSKBinder

  466.                                  : kTLS13LabelPSKBinder;

  467. 

  468.   uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};

  469.   size_t len;

  470.   if (!hkdf_expand_label(binder_key, version, digest, early_secret, hash_len,

  471.                          binder_label, strlen(binder_label), binder_context,

  472.                          binder_context_len, hash_len) ||

  473.       !tls13_verify_data(digest, version, out, &len, binder_key, hash_len,

  474.                          context, context_len)) {

  475.     return 0;

  476.   }

  477. 

  478.   return 1;

  479. }

  480. 

  481. int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {

  482.   SSL *const ssl = hs->ssl;

  483.   const EVP_MD *digest = ssl_session_get_digest(ssl->session);

  484.   size_t hash_len = EVP_MD_size(digest);

  485. 

  486.   if (len < hash_len + 3) {

  487.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  488.     return 0;

  489.   }

  490. 

  491.   ScopedEVP_MD_CTX ctx;

  492.   uint8_t context[EVP_MAX_MD_SIZE];

  493.   unsigned context_len;

  494. 

  495.   if (!EVP_DigestInit_ex(ctx.get(), digest, NULL) ||

  496.       !EVP_DigestUpdate(ctx.get(), hs->transcript.buffer().data(),

  497.                         hs->transcript.buffer().size()) ||

  498.       !EVP_DigestUpdate(ctx.get(), msg, len - hash_len - 3) ||

  499.       !EVP_DigestFinal_ex(ctx.get(), context, &context_len)) {

  500.     return 0;

  501.   }

  502. 

  503.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  504.   if (!tls13_psk_binder(verify_data, ssl->session->ssl_version, digest,

  505.                         ssl->session->master_key,

  506.                         ssl->session->master_key_length, context, context_len,

  507.                         hash_len)) {

  508.     return 0;

  509.   }

  510. 

  511.   OPENSSL_memcpy(msg + len - hash_len, verify_data, hash_len);

  512.   return 1;

  513. }

  514. 

  515. int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,

  516.                             const SSLMessage &msg, CBS *binders) {

  517.   size_t hash_len = hs->transcript.DigestLen();

  518. 

  519.   // The message must be large enough to exclude the binders.

  520.   if (CBS_len(&msg.raw) < CBS_len(binders) + 2) {

  521.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  522.     return 0;

  523.   }

  524. 

  525.   // Hash a ClientHello prefix up to the binders. This includes the header. For

  526.   // now, this assumes we only ever verify PSK binders on initial

  527.   // ClientHellos.

  528.   uint8_t context[EVP_MAX_MD_SIZE];

  529.   unsigned context_len;

  530.   if (!EVP_Digest(CBS_data(&msg.raw), CBS_len(&msg.raw) - CBS_len(binders) - 2,

  531.                   context, &context_len, hs->transcript.Digest(), NULL)) {

  532.     return 0;

  533.   }

  534. 

  535.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  536.   CBS binder;

  537.   if (!tls13_psk_binder(verify_data, hs->ssl->version, hs->transcript.Digest(),

  538.                         session->master_key, session->master_key_length,

  539.                         context, context_len, hash_len) ||

  540.       // We only consider the first PSK, so compare against the first binder.

  541.       !CBS_get_u8_length_prefixed(binders, &binder)) {

  542.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  543.     return 0;

  544.   }

  545. 

  546.   int binder_ok =

  547.       CBS_len(&binder) == hash_len &&

  548.       CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;

  549. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  550.   binder_ok = 1;

  551. #endif

  552.   if (!binder_ok) {

  553.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  554.     return 0;

  555.   }

  556. 

  557.   return 1;

  558. }

  559. 

  560. }  // namespace bssl