Commit a19ae67d authored by Matt Caswell's avatar Matt Caswell
Browse files

Update tls13_hkdf_expand() to take the length of the data 



In most scenarios the length of the input data is the hashsize, or 0 if
the data is NULL. However with the new ticket_nonce changes the length can
be different.

Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3852)
parent de2f409e

ssl/ssl_locl.h

+1 −1
Original line number Diff line number Diff line
@@ -2265,7 +2265,7 @@ __owur int tls13_update_key(SSL *s, int send); 
__owur int tls13_hkdf_expand(SSL *s, const EVP_MD *md,

                             const unsigned char *secret,

                             const unsigned char *label, size_t labellen,

                             const unsigned char *hash,

                             const unsigned char *data, size_t datalen,

                             unsigned char *out, size_t outlen);

__owur int tls13_derive_key(SSL *s, const EVP_MD *md,

                            const unsigned char *secret, unsigned char *key,

ssl/statem/extensions.c

+1 −1
Original line number Diff line number Diff line
@@ -1280,7 +1280,7 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart, 


    /* Generate the binder key */

    if (!tls13_hkdf_expand(s, md, early_secret, (unsigned char *)label,

                           labelsize, hash, binderkey, hashsize)) {

                           labelsize, hash, hashsize, binderkey, hashsize)) {

        SSLerr(SSL_F_TLS_PSK_DO_BINDER, ERR_R_INTERNAL_ERROR);

        goto err;

    }

ssl/tls13_enc.c

+19 −16
Original line number Diff line number Diff line
@@ -18,14 +18,14 @@ 
static const unsigned char default_zeros[EVP_MAX_MD_SIZE];



/*

 * Given a |secret|; a |label| of length |labellen|; and a |hash| of the

 * handshake messages, derive a new secret |outlen| bytes long and store it in

 * the location pointed to be |out|. The |hash| value may be NULL. Returns 1 on

 * success  0 on failure.

 * Given a |secret|; a |label| of length |labellen|; and |data| of length

 * |datalen| (e.g. typically a hash of the handshake messages), derive a new

 * secret |outlen| bytes long and store it in the location pointed to be |out|.

 * The |data| value may be zero length. Returns 1 on success  0 on failure.

 */

int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,

                             const unsigned char *label, size_t labellen,

                             const unsigned char *hash,

                             const unsigned char *data, size_t datalen,

                             unsigned char *out, size_t outlen)

{

    const unsigned char label_prefix[] = "tls13 ";
@@ -53,7 +53,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret, 
            || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1)

            || !WPACKET_memcpy(&pkt, label, labellen)

            || !WPACKET_close(&pkt)

            || !WPACKET_sub_memcpy_u8(&pkt, hash, (hash == NULL) ? 0 : hashlen)

            || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)

            || !WPACKET_get_total_written(&pkt, &hkdflabellen)

            || !WPACKET_finish(&pkt)) {

        EVP_PKEY_CTX_free(pctx);
@@ -84,7 +84,7 @@ int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret, 
    static const unsigned char keylabel[] = "key";



    return tls13_hkdf_expand(s, md, secret, keylabel, sizeof(keylabel) - 1,

                             NULL, key, keylen);

                             NULL, 0, key, keylen);

}



/*
@@ -97,7 +97,7 @@ int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret, 
    static const unsigned char ivlabel[] = "iv";



    return tls13_hkdf_expand(s, md, secret, ivlabel, sizeof(ivlabel) - 1,

                             NULL, iv, ivlen);

                             NULL, 0, iv, ivlen);

}



int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
@@ -107,7 +107,7 @@ int tls13_derive_finishedkey(SSL *s, const EVP_MD *md, 
    static const unsigned char finishedlabel[] = "finished";



    return tls13_hkdf_expand(s, md, secret, finishedlabel,

                             sizeof(finishedlabel) - 1, NULL, fin, finlen);

                             sizeof(finishedlabel) - 1, NULL, 0, fin, finlen);

}



/*
@@ -156,7 +156,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md, 
        /* Generate the pre-extract secret */

        if (!tls13_hkdf_expand(s, md, prevsecret,

                               (unsigned char *)derived_secret_label,

                               sizeof(derived_secret_label) - 1, hash,

                               sizeof(derived_secret_label) - 1, hash, mdlen,

                               preextractsec, mdlen)) {

            EVP_PKEY_CTX_free(pctx);

            return 0;
@@ -282,8 +282,8 @@ static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md, 
    size_t ivlen, keylen, taglen;

    size_t hashlen = EVP_MD_size(md);



    if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, secret,

                           hashlen)) {

    if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,

                           secret, hashlen)) {

        SSLerr(SSL_F_DERIVE_SECRET_KEY_AND_IV, ERR_R_INTERNAL_ERROR);

        goto err;

    }
@@ -505,7 +505,8 @@ int tls13_change_cipher_state(SSL *s, int which) 
        if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,

                               resumption_master_secret,

                               sizeof(resumption_master_secret) - 1,

                               hashval, s->session->master_key, hashlen)) {

                               hashval, hashlen, s->session->master_key,

                               hashlen)) {

            SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);

            goto err;

        }
@@ -515,7 +516,8 @@ int tls13_change_cipher_state(SSL *s, int which) 
        if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,

                               exporter_master_secret,

                               sizeof(exporter_master_secret) - 1,

                               hash, s->exporter_master_secret, hashlen)) {

                               hash, hashlen, s->exporter_master_secret,

                               hashlen)) {

            SSLerr(SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);

            goto err;

        }
@@ -621,10 +623,11 @@ int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen, 
            || EVP_DigestUpdate(ctx, context, contextlen) <= 0

            || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0

            || !tls13_hkdf_expand(s, md, s->exporter_master_secret,

                                  (const unsigned char *)label, llen, NULL,

                                  (const unsigned char *)label, llen, NULL, 0,

                                  exportsecret, hashsize)

            || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,

                                  sizeof(exporterlabel) - 1, hash, out, olen))

                                  sizeof(exporterlabel) - 1, hash, hashsize,

                                  out, olen))

        goto err;



    ret = 1;

test/tls13secretstest.c

+2 −2
Original line number Diff line number Diff line
@@ -226,8 +226,8 @@ static int test_secret(SSL *s, unsigned char *prk, 
        return 0;

    }



    if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, gensecret,

                           hashsize)) {

    if (!tls13_hkdf_expand(s, md, prk, label, labellen, hash, hashsize,

                           gensecret, hashsize)) {

        TEST_error("Secret generation failed");

        return 0;

    }