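Lines matching references to the symbol `s` (non-contiguous excerpt: each entry gives the source line number, the matching line, and the enclosing function)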
34 int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, in tls13_hkdf_expand() argument
39 EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, in tls13_hkdf_expand()
40 s->ctx->propq); in tls13_hkdf_expand()
55 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_hkdf_expand()
70 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_hkdf_expand()
98 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_hkdf_expand()
110 int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, in tls13_derive_key() argument
119 return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1, in tls13_derive_key()
127 int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, in tls13_derive_iv() argument
136 return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1, in tls13_derive_iv()
140 int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, in tls13_derive_finishedkey() argument
150 return tls13_hkdf_expand(s, md, secret, finishedlabel, in tls13_derive_finishedkey()
159 int tls13_generate_secret(SSL *s, const EVP_MD *md, in tls13_generate_secret() argument
179 kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_3_KDF, s->ctx->propq); in tls13_generate_secret()
183 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_generate_secret()
190 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_generate_secret()
217 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_generate_secret()
228 int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret, in tls13_generate_handshake_secret() argument
232 return tls13_generate_secret(s, ssl_handshake_md(s), s->early_secret, in tls13_generate_handshake_secret()
234 (unsigned char *)&s->handshake_secret); in tls13_generate_handshake_secret()
242 int tls13_generate_master_secret(SSL *s, unsigned char *out, in tls13_generate_master_secret() argument
246 const EVP_MD *md = ssl_handshake_md(s); in tls13_generate_master_secret()
250 return tls13_generate_secret(s, md, prev, NULL, 0, out); in tls13_generate_master_secret()
257 size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen, in tls13_final_finish_mac() argument
260 const char *mdname = EVP_MD_get0_name(ssl_handshake_md(s)); in tls13_final_finish_mac()
268 if (s->ctx->propq != NULL) in tls13_final_finish_mac()
270 (char *)s->ctx->propq, in tls13_final_finish_mac()
274 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { in tls13_final_finish_mac()
279 if (str == s->method->ssl3_enc->server_finished_label) { in tls13_final_finish_mac()
280 key = s->server_finished_secret; in tls13_final_finish_mac()
281 } else if (SSL_IS_FIRST_HANDSHAKE(s)) { in tls13_final_finish_mac()
282 key = s->client_finished_secret; in tls13_final_finish_mac()
284 if (!tls13_derive_finishedkey(s, ssl_handshake_md(s), in tls13_final_finish_mac()
285 s->client_app_traffic_secret, in tls13_final_finish_mac()
291 if (!EVP_Q_mac(s->ctx->libctx, "HMAC", s->ctx->propq, mdname, in tls13_final_finish_mac()
295 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_final_finish_mac()
308 int tls13_setup_key_block(SSL *s) in tls13_setup_key_block() argument
313 s->session->cipher = s->s3.tmp.new_cipher; in tls13_setup_key_block()
314 if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL, in tls13_setup_key_block()
317 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls13_setup_key_block()
321 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); in tls13_setup_key_block()
322 s->s3.tmp.new_sym_enc = c; in tls13_setup_key_block()
323 ssl_evp_md_free(s->s3.tmp.new_hash); in tls13_setup_key_block()
324 s->s3.tmp.new_hash = hash; in tls13_setup_key_block()
329 static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, in derive_secret_key_and_iv() argument
344 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in derive_secret_key_and_iv()
349 if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen, in derive_secret_key_and_iv()
360 if (s->s3.tmp.new_cipher != NULL) { in derive_secret_key_and_iv()
361 algenc = s->s3.tmp.new_cipher->algorithm_enc; in derive_secret_key_and_iv()
362 } else if (s->session->cipher != NULL) { in derive_secret_key_and_iv()
364 algenc = s->session->cipher->algorithm_enc; in derive_secret_key_and_iv()
365 } else if (s->psksession != NULL && s->psksession->cipher != NULL) { in derive_secret_key_and_iv()
367 algenc = s->psksession->cipher->algorithm_enc; in derive_secret_key_and_iv()
369 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in derive_secret_key_and_iv()
381 if (!tls13_derive_key(s, md, secret, key, keylen) in derive_secret_key_and_iv()
382 || !tls13_derive_iv(s, md, secret, iv, ivlen)) { in derive_secret_key_and_iv()
392 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); in derive_secret_key_and_iv()
399 int tls13_change_cipher_state(SSL *s, int which) in tls13_change_cipher_state() argument
441 if (s->enc_read_ctx != NULL) { in tls13_change_cipher_state()
442 EVP_CIPHER_CTX_reset(s->enc_read_ctx); in tls13_change_cipher_state()
444 s->enc_read_ctx = EVP_CIPHER_CTX_new(); in tls13_change_cipher_state()
445 if (s->enc_read_ctx == NULL) { in tls13_change_cipher_state()
446 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls13_change_cipher_state()
450 ciph_ctx = s->enc_read_ctx; in tls13_change_cipher_state()
451 iv = s->read_iv; in tls13_change_cipher_state()
453 RECORD_LAYER_reset_read_sequence(&s->rlayer); in tls13_change_cipher_state()
455 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; in tls13_change_cipher_state()
456 if (s->enc_write_ctx != NULL) { in tls13_change_cipher_state()
457 EVP_CIPHER_CTX_reset(s->enc_write_ctx); in tls13_change_cipher_state()
459 s->enc_write_ctx = EVP_CIPHER_CTX_new(); in tls13_change_cipher_state()
460 if (s->enc_write_ctx == NULL) { in tls13_change_cipher_state()
461 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls13_change_cipher_state()
465 ciph_ctx = s->enc_write_ctx; in tls13_change_cipher_state()
466 iv = s->write_iv; in tls13_change_cipher_state()
468 RECORD_LAYER_reset_write_sequence(&s->rlayer); in tls13_change_cipher_state()
478 const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); in tls13_change_cipher_state()
480 insecret = s->early_secret; in tls13_change_cipher_state()
485 handlen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); in tls13_change_cipher_state()
487 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); in tls13_change_cipher_state()
491 if (s->early_data_state == SSL_EARLY_DATA_CONNECTING in tls13_change_cipher_state()
492 && s->max_early_data > 0 in tls13_change_cipher_state()
493 && s->session->ext.max_early_data == 0) { in tls13_change_cipher_state()
499 if (!ossl_assert(s->psksession != NULL in tls13_change_cipher_state()
500 && s->max_early_data == in tls13_change_cipher_state()
501 s->psksession->ext.max_early_data)) { in tls13_change_cipher_state()
502 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
505 sslcipher = SSL_SESSION_get0_cipher(s->psksession); in tls13_change_cipher_state()
508 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_PSK); in tls13_change_cipher_state()
519 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); in tls13_change_cipher_state()
527 if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) { in tls13_change_cipher_state()
529 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); in tls13_change_cipher_state()
534 md = ssl_md(s->ctx, sslcipher->algorithm2); in tls13_change_cipher_state()
538 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
545 if (!tls13_hkdf_expand(s, md, insecret, in tls13_change_cipher_state()
549 s->early_exporter_master_secret, hashlen, in tls13_change_cipher_state()
551 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
555 if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, in tls13_change_cipher_state()
556 s->early_exporter_master_secret, hashlen)) { in tls13_change_cipher_state()
561 insecret = s->handshake_secret; in tls13_change_cipher_state()
562 finsecret = s->client_finished_secret; in tls13_change_cipher_state()
563 finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); in tls13_change_cipher_state()
576 hash = s->handshake_traffic_hash; in tls13_change_cipher_state()
578 insecret = s->master_secret; in tls13_change_cipher_state()
588 hash = s->server_finished_hash; in tls13_change_cipher_state()
593 insecret = s->handshake_secret; in tls13_change_cipher_state()
594 finsecret = s->server_finished_secret; in tls13_change_cipher_state()
595 finsecretlen = EVP_MD_get_size(ssl_handshake_md(s)); in tls13_change_cipher_state()
600 insecret = s->master_secret; in tls13_change_cipher_state()
608 md = ssl_handshake_md(s); in tls13_change_cipher_state()
609 cipher = s->s3.tmp.new_sym_enc; in tls13_change_cipher_state()
610 if (!ssl3_digest_cached_records(s, 1) in tls13_change_cipher_state()
611 || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) { in tls13_change_cipher_state()
622 memcpy(s->server_finished_hash, hashval, hashlen); in tls13_change_cipher_state()
625 memcpy(s->handshake_traffic_hash, hashval, hashlen); in tls13_change_cipher_state()
632 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, in tls13_change_cipher_state()
635 hashval, hashlen, s->resumption_master_secret, in tls13_change_cipher_state()
646 if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher, in tls13_change_cipher_state()
654 memcpy(s->server_app_traffic_secret, secret, hashlen); in tls13_change_cipher_state()
656 if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret, in tls13_change_cipher_state()
659 hash, hashlen, s->exporter_master_secret, in tls13_change_cipher_state()
665 if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret, in tls13_change_cipher_state()
671 memcpy(s->client_app_traffic_secret, secret, hashlen); in tls13_change_cipher_state()
673 if (!ssl_log_secret(s, log_label, secret, hashlen)) { in tls13_change_cipher_state()
679 && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret, in tls13_change_cipher_state()
685 if (!s->server && label == client_early_traffic) in tls13_change_cipher_state()
686 s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; in tls13_change_cipher_state()
688 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; in tls13_change_cipher_state()
693 || (s->options & SSL_OP_ENABLE_KTLS) == 0) in tls13_change_cipher_state()
697 if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) in tls13_change_cipher_state()
701 if (s->record_padding_cb != NULL) in tls13_change_cipher_state()
705 if (!ktls_check_supported_cipher(s, cipher, ciph_ctx)) in tls13_change_cipher_state()
708 bio = s->wbio; in tls13_change_cipher_state()
711 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); in tls13_change_cipher_state()
720 if (!ktls_configure_crypto(s, cipher, ciph_ctx, in tls13_change_cipher_state()
721 RECORD_LAYER_get_write_sequence(&s->rlayer), in tls13_change_cipher_state()
727 ssl3_release_write_buffer(s); in tls13_change_cipher_state()
742 int tls13_update_key(SSL *s, int sending) in tls13_update_key() argument
749 const EVP_MD *md = ssl_handshake_md(s); in tls13_update_key()
757 if (s->server == sending) in tls13_update_key()
758 insecret = s->server_app_traffic_secret; in tls13_update_key()
760 insecret = s->client_app_traffic_secret; in tls13_update_key()
763 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; in tls13_update_key()
764 iv = s->write_iv; in tls13_update_key()
765 ciph_ctx = s->enc_write_ctx; in tls13_update_key()
766 RECORD_LAYER_reset_write_sequence(&s->rlayer); in tls13_update_key()
768 iv = s->read_iv; in tls13_update_key()
769 ciph_ctx = s->enc_read_ctx; in tls13_update_key()
770 RECORD_LAYER_reset_read_sequence(&s->rlayer); in tls13_update_key()
773 if (!derive_secret_key_and_iv(s, sending, ssl_handshake_md(s), in tls13_update_key()
774 s->s3.tmp.new_sym_enc, insecret, NULL, in tls13_update_key()
784 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; in tls13_update_key()
801 int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, in tls13_export_keying_material() argument
813 const EVP_MD *md = ssl_handshake_md(s); in tls13_export_keying_material()
818 if (ctx == NULL || !ossl_statem_export_allowed(s)) in tls13_export_keying_material()
829 || !tls13_hkdf_expand(s, md, s->exporter_master_secret, in tls13_export_keying_material()
832 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, in tls13_export_keying_material()
843 int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, in tls13_export_keying_material_early() argument
861 if (ctx == NULL || !ossl_statem_export_early_allowed(s)) in tls13_export_keying_material_early()
864 if (!s->server && s->max_early_data > 0 in tls13_export_keying_material_early()
865 && s->session->ext.max_early_data == 0) in tls13_export_keying_material_early()
866 sslcipher = SSL_SESSION_get0_cipher(s->psksession); in tls13_export_keying_material_early()
868 sslcipher = SSL_SESSION_get0_cipher(s->session); in tls13_export_keying_material_early()
870 md = ssl_md(s->ctx, sslcipher->algorithm2); in tls13_export_keying_material_early()
892 || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret, in tls13_export_keying_material_early()
895 || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel, in tls13_export_keying_material_early()