Lines Matching refs:s
34 int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, in tls13_hkdf_expand() argument
39 EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, in tls13_hkdf_expand()
40 s->ctx->propq); in tls13_hkdf_expand()
55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_hkdf_expand()
70 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_hkdf_expand()
98 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_hkdf_expand()
110 int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, in tls13_derive_key() argument
119 return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, in tls13_derive_key()
127 int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, in tls13_derive_iv() argument
136 return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, in tls13_derive_iv()
140 int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, in tls13_derive_finishedkey() argument
150 return tls13_hkdf_expand(s, md, secret, finishedlabel, in tls13_derive_finishedkey()
159 int tls13_generate_secret(SSL *s, const EVP_MD *md, in tls13_generate_secret() argument
179 kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq); in tls13_generate_secret()
183 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_generate_secret()
190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_generate_secret()
217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_generate_secret()
228 int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, in tls13_generate_handshake_secret() argument
232 return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, in tls13_generate_handshake_secret()
234 (unsigned char *)&s->handshake_secret); in tls13_generate_handshake_secret()
242 int tls13_generate_master_secret(SSL *s, unsigned char *out, in tls13_generate_master_secret() argument
246 const EVP_MD *md = ssl_handshake_md(s); in tls13_generate_master_secret()
250 return tls13_generate_secret(s, md, prev, NULL, 0, out); in tls13_generate_master_secret()
257 size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, in tls13_final_finish_mac() argument
260 const EVP_MD *md = ssl_handshake_md(s); in tls13_final_finish_mac()
272 if (s->ctx->propq != NULL) in tls13_final_finish_mac()
274 (char *)s->ctx->propq, in tls13_final_finish_mac()
278 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { in tls13_final_finish_mac()
283 if (str == s->method->ssl3_enc->server_finished_label) { in tls13_final_finish_mac()
284 key = s->server_finished_secret; in tls13_final_finish_mac()
285 } else if (SSL_IS_FIRST_HANDSHAKE(s)) { in tls13_final_finish_mac()
286 key = s->client_finished_secret; in tls13_final_finish_mac()
288 if (!tls13_derive_finishedkey(s, md, in tls13_final_finish_mac()
289 s->client_app_traffic_secret, in tls13_final_finish_mac()
295 if (!EVP_Q_mac(s->ctx->libctx, "HMAC", s->ctx->propq, mdname, in tls13_final_finish_mac()
299 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_final_finish_mac()
312 int tls13_setup_key_block(SSL *s) in tls13_setup_key_block() argument
317 s->session->cipher = s->s3.tmp.new_cipher; in tls13_setup_key_block()
318 if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL, in tls13_setup_key_block()
321 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls13_setup_key_block()
325 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); in tls13_setup_key_block()
326 s->s3.tmp.new_sym_enc = c; in tls13_setup_key_block()
327 ssl_evp_md_free(s->s3.tmp.new_hash); in tls13_setup_key_block()
328 s->s3.tmp.new_hash = hash; in tls13_setup_key_block()
333 static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, in derive_secret_key_and_iv() argument
348 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in derive_secret_key_and_iv()
353 if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, in derive_secret_key_and_iv()
364 if (s->s3.tmp.new_cipher != NULL) { in derive_secret_key_and_iv()
365 algenc = s->s3.tmp.new_cipher->algorithm_enc; in derive_secret_key_and_iv()
366 } else if (s->session->cipher != NULL) { in derive_secret_key_and_iv()
368 algenc = s->session->cipher->algorithm_enc; in derive_secret_key_and_iv()
369 } else if (s->psksession != NULL && s->psksession->cipher != NULL) { in derive_secret_key_and_iv()
371 algenc = s->psksession->cipher->algorithm_enc; in derive_secret_key_and_iv()
373 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in derive_secret_key_and_iv()
385 if (!tls13_derive_key(s, md, secret, key, keylen) in derive_secret_key_and_iv()
386 || !tls13_derive_iv(s, md, secret, iv, ivlen)) { in derive_secret_key_and_iv()
396 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in derive_secret_key_and_iv()
403 int tls13_change_cipher_state(SSL *s, int which) in tls13_change_cipher_state() argument
446 if (s->enc_read_ctx != NULL) { in tls13_change_cipher_state()
447 EVP_CIPHER_CTX_reset(s->enc_read_ctx); in tls13_change_cipher_state()
449 s->enc_read_ctx = EVP_CIPHER_CTX_new(); in tls13_change_cipher_state()
450 if (s->enc_read_ctx == NULL) { in tls13_change_cipher_state()
451 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls13_change_cipher_state()
455 ciph_ctx = s->enc_read_ctx; in tls13_change_cipher_state()
456 iv = s->read_iv; in tls13_change_cipher_state()
458 RECORD_LAYER_reset_read_sequence(&s->rlayer); in tls13_change_cipher_state()
460 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; in tls13_change_cipher_state()
461 if (s->enc_write_ctx != NULL) { in tls13_change_cipher_state()
462 EVP_CIPHER_CTX_reset(s->enc_write_ctx); in tls13_change_cipher_state()
464 s->enc_write_ctx = EVP_CIPHER_CTX_new(); in tls13_change_cipher_state()
465 if (s->enc_write_ctx == NULL) { in tls13_change_cipher_state()
466 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls13_change_cipher_state()
470 ciph_ctx = s->enc_write_ctx; in tls13_change_cipher_state()
471 iv = s->write_iv; in tls13_change_cipher_state()
473 RECORD_LAYER_reset_write_sequence(&s->rlayer); in tls13_change_cipher_state()
483 const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); in tls13_change_cipher_state()
485 insecret = s->early_secret; in tls13_change_cipher_state()
490 handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); in tls13_change_cipher_state()
492 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); in tls13_change_cipher_state()
496 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in tls13_change_cipher_state()
497 && s->max_early_data > 0 in tls13_change_cipher_state()
498 && s->session->ext.max_early_data == 0) { in tls13_change_cipher_state()
504 if (!ossl_assert(s->psksession != NULL in tls13_change_cipher_state()
505 && s->max_early_data == in tls13_change_cipher_state()
506 s->psksession->ext.max_early_data)) { in tls13_change_cipher_state()
507 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
510 sslcipher = SSL_SESSION_get0_cipher(s->psksession); in tls13_change_cipher_state()
513 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); in tls13_change_cipher_state()
524 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls13_change_cipher_state()
532 if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) { in tls13_change_cipher_state()
534 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls13_change_cipher_state()
539 md = ssl_md(s->ctx, sslcipher->algorithm2); in tls13_change_cipher_state()
543 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
550 if (!tls13_hkdf_expand(s, md, insecret, in tls13_change_cipher_state()
554 s->early_exporter_master_secret, hashlen, in tls13_change_cipher_state()
556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
560 if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, in tls13_change_cipher_state()
561 s->early_exporter_master_secret, hashlen)) { in tls13_change_cipher_state()
566 insecret = s->handshake_secret; in tls13_change_cipher_state()
567 finsecret = s->client_finished_secret; in tls13_change_cipher_state()
568 finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); in tls13_change_cipher_state()
581 hash = s->handshake_traffic_hash; in tls13_change_cipher_state()
583 insecret = s->master_secret; in tls13_change_cipher_state()
593 hash = s->server_finished_hash; in tls13_change_cipher_state()
598 insecret = s->handshake_secret; in tls13_change_cipher_state()
599 finsecret = s->server_finished_secret; in tls13_change_cipher_state()
600 finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); in tls13_change_cipher_state()
605 insecret = s->master_secret; in tls13_change_cipher_state()
613 md = ssl_handshake_md(s); in tls13_change_cipher_state()
614 cipher = s->s3.tmp.new_sym_enc; in tls13_change_cipher_state()
615 if (!ssl3_digest_cached_records(s, 1) in tls13_change_cipher_state()
616 || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { in tls13_change_cipher_state()
627 memcpy(s->server_finished_hash, hashval, hashlen); in tls13_change_cipher_state()
630 memcpy(s->handshake_traffic_hash, hashval, hashlen); in tls13_change_cipher_state()
637 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, in tls13_change_cipher_state()
640 hashval, hashlen, s->resumption_master_secret, in tls13_change_cipher_state()
651 if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, in tls13_change_cipher_state()
659 memcpy(s->server_app_traffic_secret, secret, hashlen); in tls13_change_cipher_state()
661 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, in tls13_change_cipher_state()
664 hash, hashlen, s->exporter_master_secret, in tls13_change_cipher_state()
670 if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, in tls13_change_cipher_state()
676 memcpy(s->client_app_traffic_secret, secret, hashlen); in tls13_change_cipher_state()
678 if (!ssl_log_secret(s, log_label, secret, hashlen)) { in tls13_change_cipher_state()
684 && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, in tls13_change_cipher_state()
690 if (!s->server && label == client_early_traffic) in tls13_change_cipher_state()
691 s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; in tls13_change_cipher_state()
693 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; in tls13_change_cipher_state()
697 || (s->options & SSL_OP_ENABLE_KTLS) == 0) in tls13_change_cipher_state()
701 if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) in tls13_change_cipher_state()
705 if (s->record_padding_cb != NULL) in tls13_change_cipher_state()
709 if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) in tls13_change_cipher_state()
713 bio = s->wbio; in tls13_change_cipher_state()
715 bio = s->rbio; in tls13_change_cipher_state()
718 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
730 rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); in tls13_change_cipher_state()
732 rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); in tls13_change_cipher_state()
734 if (!ktls_configure_crypto(s, cipher, ciph_ctx, rl_sequence, &crypto_info, in tls13_change_cipher_state()
741 ssl3_release_write_buffer(s); in tls13_change_cipher_state()
757 int tls13_update_key(SSL *s, int sending) in tls13_update_key() argument
764 const EVP_MD *md = ssl_handshake_md(s); in tls13_update_key()
774 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_update_key()
779 if (s->server == sending) in tls13_update_key()
780 insecret = s->server_app_traffic_secret; in tls13_update_key()
782 insecret = s->client_app_traffic_secret; in tls13_update_key()
785 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; in tls13_update_key()
786 iv = s->write_iv; in tls13_update_key()
787 ciph_ctx = s->enc_write_ctx; in tls13_update_key()
788 RECORD_LAYER_reset_write_sequence(&s->rlayer); in tls13_update_key()
790 iv = s->read_iv; in tls13_update_key()
791 ciph_ctx = s->enc_read_ctx; in tls13_update_key()
792 RECORD_LAYER_reset_read_sequence(&s->rlayer); in tls13_update_key()
795 if (!derive_secret_key_and_iv(s, sending, md, in tls13_update_key()
796 s->s3.tmp.new_sym_enc, insecret, NULL, in tls13_update_key()
807 log_label = s->server == sending ? SERVER_APPLICATION_N_LABEL : CLIENT_APPLICATION_N_LABEL; in tls13_update_key()
808 if (!ssl_log_secret(s, log_label, secret, hashlen)) { in tls13_update_key()
813 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; in tls13_update_key()
830 int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, in tls13_export_keying_material() argument
842 const EVP_MD *md = ssl_handshake_md(s); in tls13_export_keying_material()
847 if (ctx == NULL || md == NULL || !ossl_statem_export_allowed(s)) in tls13_export_keying_material()
858 || !tls13_hkdf_expand(s, md, s->exporter_master_secret, in tls13_export_keying_material()
861 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, in tls13_export_keying_material()
872 int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, in tls13_export_keying_material_early() argument
890 if (ctx == NULL || !ossl_statem_export_early_allowed(s)) in tls13_export_keying_material_early()
893 if (!s->server && s->max_early_data > 0 in tls13_export_keying_material_early()
894 && s->session->ext.max_early_data == 0) in tls13_export_keying_material_early()
895 sslcipher = SSL_SESSION_get0_cipher(s->psksession); in tls13_export_keying_material_early()
897 sslcipher = SSL_SESSION_get0_cipher(s->session); in tls13_export_keying_material_early()
899 md = ssl_md(s->ctx, sslcipher->algorithm2); in tls13_export_keying_material_early()
922 || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, in tls13_export_keying_material_early()
925 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, in tls13_export_keying_material_early()