kris
/
boringssl
1
0
Fork 0
Código Incidencias 0 Pull Requests 0 Lanzamientos 0 Wiki Actividad
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.
3575 Commits
12 Ramas
38 MiB
 
 
 
 
 
 
Árbol: d515722d22
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde 'd515722d22'
${ noResults }
boringssl/ssl/tls13_enc.c

459 líneas
16 KiB
Original Blame Histórico 

  1. /* Copyright (c) 2016, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/ssl.h>

  16. 

  17. #include <assert.h>

  18. #include <string.h>

  19. 

  20. #include <openssl/aead.h>

  21. #include <openssl/bytestring.h>

  22. #include <openssl/digest.h>

  23. #include <openssl/hkdf.h>

  24. #include <openssl/hmac.h>

  25. #include <openssl/mem.h>

  26. 

  27. #include "internal.h"

  28. 

  29. 

  30. int tls13_init_key_schedule(SSL_HANDSHAKE *hs) {

  31.   SSL *const ssl = hs->ssl;

  32.   const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));

  33. 

  34.   hs->hash_len = EVP_MD_size(digest);

  35. 

  36.   /* Initialize the secret to the zero key. */

  37.   memset(hs->secret, 0, hs->hash_len);

  38. 

  39.   /* Initialize the rolling hashes and release the handshake buffer. */

  40.   if (!ssl3_init_handshake_hash(ssl)) {

  41.     return 0;

  42.   }

  43.   ssl3_free_handshake_buffer(ssl);

  44.   return 1;

  45. }

  46. 

  47. int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,

  48.                                size_t len) {

  49.   const EVP_MD *digest =

  50.       ssl_get_handshake_digest(ssl_get_algorithm_prf(hs->ssl));

  51. 

  52.   return HKDF_extract(hs->secret, &hs->hash_len, digest, in, len, hs->secret,

  53.                       hs->hash_len);

  54. }

  55. 

  56. static int hkdf_expand_label(uint8_t *out, const EVP_MD *digest,

  57.                              const uint8_t *secret, size_t secret_len,

  58.                              const uint8_t *label, size_t label_len,

  59.                              const uint8_t *hash, size_t hash_len, size_t len) {

  60.   static const char kTLS13LabelVersion[] = "TLS 1.3, ";

  61. 

  62.   CBB cbb, child;

  63.   uint8_t *hkdf_label;

  64.   size_t hkdf_label_len;

  65.   if (!CBB_init(&cbb, 2 + 1 + strlen(kTLS13LabelVersion) + label_len + 1 +

  66.                           hash_len) ||

  67.       !CBB_add_u16(&cbb, len) ||

  68.       !CBB_add_u8_length_prefixed(&cbb, &child) ||

  69.       !CBB_add_bytes(&child, (const uint8_t *)kTLS13LabelVersion,

  70.                      strlen(kTLS13LabelVersion)) ||

  71.       !CBB_add_bytes(&child, label, label_len) ||

  72.       !CBB_add_u8_length_prefixed(&cbb, &child) ||

  73.       !CBB_add_bytes(&child, hash, hash_len) ||

  74.       !CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) {

  75.     CBB_cleanup(&cbb);

  76.     return 0;

  77.   }

  78. 

  79.   int ret = HKDF_expand(out, len, digest, secret, secret_len, hkdf_label,

  80.                         hkdf_label_len);

  81.   OPENSSL_free(hkdf_label);

  82.   return ret;

  83. }

  84. 

  85. int tls13_get_context_hash(SSL *ssl, uint8_t *out, size_t *out_len) {

  86.   EVP_MD_CTX ctx;

  87.   EVP_MD_CTX_init(&ctx);

  88.   unsigned handshake_len = 0;

  89.   int ok = EVP_MD_CTX_copy_ex(&ctx, &ssl->s3->handshake_hash) &&

  90.            EVP_DigestFinal_ex(&ctx, out, &handshake_len);

  91.   EVP_MD_CTX_cleanup(&ctx);

  92.   if (ok) {

  93.     *out_len = handshake_len;

  94.   }

  95.   return ok;

  96. }

  97. 

  98. /* derive_secret derives a secret of length |len| and writes the result in |out|

  99.  * with the given label and the current base secret and most recently-saved

  100.  * handshake context. It returns one on success and zero on error. */

  101. static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,

  102.                          const uint8_t *label, size_t label_len) {

  103.   SSL *const ssl = hs->ssl;

  104.   const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));

  105. 

  106.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  107.   size_t context_hash_len;

  108.   if (!tls13_get_context_hash(ssl, context_hash, &context_hash_len)) {

  109.     return 0;

  110.   }

  111. 

  112.   return hkdf_expand_label(out, digest, hs->secret, hs->hash_len, label,

  113.                            label_len, context_hash, context_hash_len, len);

  114. }

  115. 

  116. int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,

  117.                           const uint8_t *traffic_secret,

  118.                           size_t traffic_secret_len) {

  119.   if (traffic_secret_len > 0xff) {

  120.     OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  121.     return 0;

  122.   }

  123. 

  124.   /* Look up cipher suite properties. */

  125.   const EVP_AEAD *aead;

  126.   const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));

  127.   size_t discard;

  128.   if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard,

  129.                                SSL_get_session(ssl)->cipher,

  130.                                ssl3_protocol_version(ssl))) {

  131.     return 0;

  132.   }

  133. 

  134.   /* Derive the key. */

  135.   size_t key_len = EVP_AEAD_key_length(aead);

  136.   uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];

  137.   if (!hkdf_expand_label(key, digest, traffic_secret, traffic_secret_len,

  138.                          (const uint8_t *)"key", 3, NULL, 0, key_len)) {

  139.     return 0;

  140.   }

  141. 

  142.   /* Derive the IV. */

  143.   size_t iv_len = EVP_AEAD_nonce_length(aead);

  144.   uint8_t iv[EVP_AEAD_MAX_NONCE_LENGTH];

  145.   if (!hkdf_expand_label(iv, digest, traffic_secret, traffic_secret_len,

  146.                          (const uint8_t *)"iv", 2, NULL, 0, iv_len)) {

  147.     return 0;

  148.   }

  149. 

  150.   SSL_AEAD_CTX *traffic_aead = SSL_AEAD_CTX_new(

  151.       direction, ssl3_protocol_version(ssl), SSL_get_session(ssl)->cipher, key,

  152.       key_len, NULL, 0, iv, iv_len);

  153.   if (traffic_aead == NULL) {

  154.     return 0;

  155.   }

  156. 

  157.   if (direction == evp_aead_open) {

  158.     if (!ssl->method->set_read_state(ssl, traffic_aead)) {

  159.       return 0;

  160.     }

  161.   } else {

  162.     if (!ssl->method->set_write_state(ssl, traffic_aead)) {

  163.       return 0;

  164.     }

  165.   }

  166. 

  167.   /* Save the traffic secret. */

  168.   if (direction == evp_aead_open) {

  169.     memmove(ssl->s3->read_traffic_secret, traffic_secret, traffic_secret_len);

  170.     ssl->s3->read_traffic_secret_len = traffic_secret_len;

  171.   } else {

  172.     memmove(ssl->s3->write_traffic_secret, traffic_secret, traffic_secret_len);

  173.     ssl->s3->write_traffic_secret_len = traffic_secret_len;

  174.   }

  175. 

  176.   return 1;

  177. }

  178. 

  179. static const char kTLS13LabelClientHandshakeTraffic[] =

  180.     "client handshake traffic secret";

  181. static const char kTLS13LabelServerHandshakeTraffic[] =

  182.     "server handshake traffic secret";

  183. static const char kTLS13LabelClientApplicationTraffic[] =

  184.     "client application traffic secret";

  185. static const char kTLS13LabelServerApplicationTraffic[] =

  186.     "server application traffic secret";

  187. 

  188. int tls13_set_handshake_traffic(SSL_HANDSHAKE *hs) {

  189.   SSL *const ssl = hs->ssl;

  190.   uint8_t client_traffic_secret[EVP_MAX_MD_SIZE];

  191.   uint8_t server_traffic_secret[EVP_MAX_MD_SIZE];

  192.   if (!derive_secret(hs, client_traffic_secret, hs->hash_len,

  193.                      (const uint8_t *)kTLS13LabelClientHandshakeTraffic,

  194.                      strlen(kTLS13LabelClientHandshakeTraffic)) ||

  195.       !ssl_log_secret(ssl, "CLIENT_HANDSHAKE_TRAFFIC_SECRET",

  196.                       client_traffic_secret, hs->hash_len) ||

  197.       !derive_secret(hs, server_traffic_secret, hs->hash_len,

  198.                      (const uint8_t *)kTLS13LabelServerHandshakeTraffic,

  199.                      strlen(kTLS13LabelServerHandshakeTraffic)) ||

  200.       !ssl_log_secret(ssl, "SERVER_HANDSHAKE_TRAFFIC_SECRET",

  201.                       server_traffic_secret, hs->hash_len)) {

  202.     return 0;

  203.   }

  204. 

  205.   if (ssl->server) {

  206.     if (!tls13_set_traffic_key(ssl, evp_aead_open, client_traffic_secret,

  207.                                hs->hash_len) ||

  208.         !tls13_set_traffic_key(ssl, evp_aead_seal, server_traffic_secret,

  209.                                hs->hash_len)) {

  210.       return 0;

  211.     }

  212.   } else {

  213.     if (!tls13_set_traffic_key(ssl, evp_aead_open, server_traffic_secret,

  214.                                hs->hash_len) ||

  215.         !tls13_set_traffic_key(ssl, evp_aead_seal, client_traffic_secret,

  216.                                hs->hash_len)) {

  217.       return 0;

  218.     }

  219.   }

  220.   return 1;

  221. }

  222. 

  223. static const char kTLS13LabelExporter[] = "exporter master secret";

  224. 

  225. int tls13_derive_application_secrets(SSL_HANDSHAKE *hs) {

  226.   SSL *const ssl = hs->ssl;

  227.   ssl->s3->exporter_secret_len = hs->hash_len;

  228.   return derive_secret(hs, hs->client_traffic_secret_0, hs->hash_len,

  229.                        (const uint8_t *)kTLS13LabelClientApplicationTraffic,

  230.                        strlen(kTLS13LabelClientApplicationTraffic)) &&

  231.          ssl_log_secret(ssl, "CLIENT_TRAFFIC_SECRET_0",

  232.                         hs->client_traffic_secret_0, hs->hash_len) &&

  233.          derive_secret(hs, hs->server_traffic_secret_0, hs->hash_len,

  234.                        (const uint8_t *)kTLS13LabelServerApplicationTraffic,

  235.                        strlen(kTLS13LabelServerApplicationTraffic)) &&

  236.          ssl_log_secret(ssl, "SERVER_TRAFFIC_SECRET_0",

  237.                         hs->server_traffic_secret_0, hs->hash_len) &&

  238.          derive_secret(hs, ssl->s3->exporter_secret, hs->hash_len,

  239.                        (const uint8_t *)kTLS13LabelExporter,

  240.                        strlen(kTLS13LabelExporter));

  241. }

  242. 

  243. static const char kTLS13LabelApplicationTraffic[] =

  244.     "application traffic secret";

  245. 

  246. int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {

  247.   const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));

  248. 

  249.   uint8_t *secret;

  250.   size_t secret_len;

  251.   if (direction == evp_aead_open) {

  252.     secret = ssl->s3->read_traffic_secret;

  253.     secret_len = ssl->s3->read_traffic_secret_len;

  254.   } else {

  255.     secret = ssl->s3->write_traffic_secret;

  256.     secret_len = ssl->s3->write_traffic_secret_len;

  257.   }

  258. 

  259.   if (!hkdf_expand_label(secret, digest, secret, secret_len,

  260.                          (const uint8_t *)kTLS13LabelApplicationTraffic,

  261.                          strlen(kTLS13LabelApplicationTraffic), NULL, 0,

  262.                          secret_len)) {

  263.     return 0;

  264.   }

  265. 

  266.   return tls13_set_traffic_key(ssl, direction, secret, secret_len);

  267. }

  268. 

  269. static const char kTLS13LabelResumption[] = "resumption master secret";

  270. 

  271. int tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) {

  272.   SSL *const ssl = hs->ssl;

  273.   if (ssl->s3->hs->hash_len > SSL_MAX_MASTER_KEY_LENGTH) {

  274.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  275.     return 0;

  276.   }

  277. 

  278.   ssl->s3->new_session->master_key_length = hs->hash_len;

  279.   return derive_secret(hs, ssl->s3->new_session->master_key,

  280.                        ssl->s3->new_session->master_key_length,

  281.                        (const uint8_t *)kTLS13LabelResumption,

  282.                        strlen(kTLS13LabelResumption));

  283. }

  284. 

  285. static const char kTLS13LabelFinished[] = "finished";

  286. 

  287. /* tls13_verify_data sets |out| to be the HMAC of |context| using a derived

  288.  * Finished key for both Finished messages and the PSK binder. */

  289. static int tls13_verify_data(const EVP_MD *digest, uint8_t *out,

  290.                              size_t *out_len, const uint8_t *secret,

  291.                              size_t hash_len, uint8_t *context,

  292.                              size_t context_len) {

  293.   uint8_t key[EVP_MAX_MD_SIZE];

  294.   unsigned len;

  295.   if (!hkdf_expand_label(key, digest, secret, hash_len,

  296.                          (const uint8_t *)kTLS13LabelFinished,

  297.                          strlen(kTLS13LabelFinished), NULL, 0, hash_len) ||

  298.       HMAC(digest, key, hash_len, context, context_len, out, &len) == NULL) {

  299.     return 0;

  300.   }

  301.   *out_len = len;

  302.   return 1;

  303. }

  304. 

  305. int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,

  306.                        int is_server) {

  307.   SSL *const ssl = hs->ssl;

  308.   const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));

  309. 

  310.   const uint8_t *traffic_secret;

  311.   if (is_server == ssl->server) {

  312.     traffic_secret = ssl->s3->write_traffic_secret;

  313.   } else {

  314.     traffic_secret = ssl->s3->read_traffic_secret;

  315.   }

  316. 

  317.   uint8_t context_hash[EVP_MAX_MD_SIZE];

  318.   size_t context_hash_len;

  319.   if (!tls13_get_context_hash(ssl, context_hash, &context_hash_len) ||

  320.       !tls13_verify_data(digest, out, out_len, traffic_secret, hs->hash_len,

  321.                          context_hash, context_hash_len)) {

  322.     return 0;

  323.   }

  324.   return 1;

  325. }

  326. 

  327. int tls13_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,

  328.                                  const char *label, size_t label_len,

  329.                                  const uint8_t *context, size_t context_len,

  330.                                  int use_context) {

  331.   const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));

  332. 

  333.   const uint8_t *hash = NULL;

  334.   size_t hash_len = 0;

  335.   if (use_context) {

  336.     hash = context;

  337.     hash_len = context_len;

  338.   }

  339.   return hkdf_expand_label(out, digest, ssl->s3->exporter_secret,

  340.                            ssl->s3->exporter_secret_len, (const uint8_t *)label,

  341.                            label_len, hash, hash_len, out_len);

  342. }

  343. 

  344. static const char kTLS13LabelPSKBinder[] = "resumption psk binder key";

  345. 

  346. static int tls13_psk_binder(SSL *ssl, uint8_t *out, const EVP_MD *digest,

  347.                             uint8_t *psk, size_t psk_len, uint8_t *context,

  348.                             size_t context_len, size_t hash_len) {

  349.   uint8_t binder_context[EVP_MAX_MD_SIZE];

  350.   unsigned binder_context_len;

  351.   if (!EVP_Digest(NULL, 0, binder_context, &binder_context_len, digest, NULL)) {

  352.     return 0;

  353.   }

  354. 

  355.   uint8_t early_secret[EVP_MAX_MD_SIZE] = {0};

  356.   size_t early_secret_len;

  357.   if (!HKDF_extract(early_secret, &early_secret_len, digest, psk, hash_len,

  358.                     NULL, 0)) {

  359.     return 0;

  360.   }

  361. 

  362.   uint8_t binder_key[EVP_MAX_MD_SIZE] = {0};

  363.   size_t len;

  364.   if (!hkdf_expand_label(binder_key, digest, early_secret, hash_len,

  365.                          (const uint8_t *)kTLS13LabelPSKBinder,

  366.                          strlen(kTLS13LabelPSKBinder), binder_context,

  367.                          binder_context_len, hash_len) ||

  368.       !tls13_verify_data(digest, out, &len, binder_key, hash_len, context,

  369.                          context_len)) {

  370.     return 0;

  371.   }

  372. 

  373.   return 1;

  374. }

  375. 

  376. int tls13_write_psk_binder(SSL *ssl, uint8_t *msg, size_t len) {

  377.   const EVP_MD *digest =

  378.       ssl_get_handshake_digest(ssl->session->cipher->algorithm_prf);

  379.   size_t hash_len = EVP_MD_size(digest);

  380. 

  381.   if (len < hash_len + 3) {

  382.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  383.     return 0;

  384.   }

  385. 

  386.   EVP_MD_CTX ctx;

  387.   EVP_MD_CTX_init(&ctx);

  388.   uint8_t context[EVP_MAX_MD_SIZE];

  389.   unsigned context_len;

  390.   if (!EVP_DigestInit_ex(&ctx, digest, NULL) ||

  391.       !EVP_DigestUpdate(&ctx, ssl->s3->handshake_buffer->data,

  392.                         ssl->s3->handshake_buffer->length) ||

  393.       !EVP_DigestUpdate(&ctx, msg, len - hash_len - 3) ||

  394.       !EVP_DigestFinal_ex(&ctx, context, &context_len)) {

  395.     EVP_MD_CTX_cleanup(&ctx);

  396.     return 0;

  397.   }

  398. 

  399.   EVP_MD_CTX_cleanup(&ctx);

  400. 

  401.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  402.   if (!tls13_psk_binder(ssl, verify_data, digest, ssl->session->master_key,

  403.                         ssl->session->master_key_length, context,

  404.                         context_len, hash_len)) {

  405.     return 0;

  406.   }

  407. 

  408.   memcpy(msg + len - hash_len, verify_data, hash_len);

  409.   return 1;

  410. }

  411. 

  412. int tls13_verify_psk_binder(SSL *ssl, SSL_SESSION *session,

  413.                             CBS *binders) {

  414.   const EVP_MD *digest =

  415.       ssl_get_handshake_digest(session->cipher->algorithm_prf);

  416.   size_t hash_len = EVP_MD_size(digest);

  417. 

  418.   /* Get the full ClientHello, including message header. It must be large enough

  419.    * to exclude the binders. */

  420.   CBS message;

  421.   ssl->method->get_current_message(ssl, &message);

  422.   if (CBS_len(&message) < CBS_len(binders) + 2) {

  423.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  424.     return 0;

  425.   }

  426. 

  427.   /* Hash a ClientHello prefix up to the binders. For now, this assumes we only

  428.    * ever verify PSK binders on initial ClientHellos. */

  429.   uint8_t context[EVP_MAX_MD_SIZE];

  430.   unsigned context_len;

  431.   if (!EVP_Digest(CBS_data(&message), CBS_len(&message) - CBS_len(binders) - 2,

  432.                   context, &context_len, digest, NULL)) {

  433.     return 0;

  434.   }

  435. 

  436.   uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};

  437.   CBS binder;

  438.   if (!tls13_psk_binder(ssl, verify_data, digest, session->master_key,

  439.                         session->master_key_length, context, context_len,

  440.                         hash_len) ||

  441.       /* We only consider the first PSK, so compare against the first binder. */

  442.       !CBS_get_u8_length_prefixed(binders, &binder)) {

  443.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  444.     return 0;

  445.   }

  446. 

  447.   int binder_ok = CBS_len(&binder) == hash_len &&

  448.                   CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;

  449. #if defined(BORINGSSL_UNSAFE_FUZZER_MODE)

  450.   binder_ok = 1;

  451. #endif

  452.   if (!binder_ok) {

  453.     OPENSSL_PUT_ERROR(SSL, SSL_R_DIGEST_CHECK_FAILED);

  454.     return 0;

  455.   }

  456. 

  457.   return 1;

  458. }