Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in RFC8446 section 7.5. Issue reported by nmathewson on github. ok inoguchi@ tb@
author: jsing <> 2020-11-16 18:55:15 +0000
committer: jsing <> 2020-11-16 18:55:15 +0000
commit: 7edbb85fb63bc248e3633a6d70bd4e49c811e451 (patch)
tree: 23027db55bc9d45c4690d13e3be7302ff83c4055
parent: abffca736d5ed1aaca940a97ae97979bc46699f8 (diff)
download: openbsd-7edbb85fb63bc248e3633a6d70bd4e49c811e451.tar.gz
openbsd-7edbb85fb63bc248e3633a6d70bd4e49c811e451.tar.bz2
openbsd-7edbb85fb63bc248e3633a6d70bd4e49c811e451.zip
4 files changed, 121 insertions, 8 deletions
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index d92ccd8029..58b9dae910 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.237 2020/10/14 16:57:33 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.238 2020/11/16 18:55:15 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1716,8 +1716,17 @@ SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
    const char *label, size_t llen, const unsigned char *p, size_t plen,
    int use_context)
 {
-        return (tls1_export_keying_material(s, out, olen,
+        if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) {
-            label, llen, p, plen, use_context));
+                if (!use_context) {
+                        p = NULL;
+                        plen = 0;
+                }
+                return tls13_exporter(s->internal->tls13, label, llen, p, plen,
+                    out, olen);
+        }
+        return (tls1_export_keying_material(s, out, olen, label, llen, p, plen,
+            use_context));
 }
 static unsigned long
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h
index 03a1a6b4b1..ea5f9a1473 100644
--- a/src/lib/libssl/tls13_internal.h
+++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_internal.h,v 1.86 2020/07/30 16:23:17 tb Exp $ */
+/* $OpenBSD: tls13_internal.h,v 1.87 2020/11/16 18:55:15 jsing Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -148,6 +148,16 @@ void tls13_secrets_destroy(struct tls13_secrets *secrets);
 int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
    const struct tls13_secret *secret, const char *label,
    const struct tls13_secret *context);
+int tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context);
+int tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
+    const struct tls13_secret *secret, const char *label,   
+    const struct tls13_secret *context);
+int tls13_derive_secret_with_label_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context);
 int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk,
    size_t psk_len, const struct tls13_secret *context);
@@ -412,6 +422,10 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode,
        tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
            (fmt), __VA_ARGS__)
+int tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
+    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
+    size_t out_len);
 extern const uint8_t tls13_downgrade_12[8];
 extern const uint8_t tls13_downgrade_11[8];
 extern const uint8_t tls13_hello_retry_request_hash[32];
diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c
index 91f59e46f9..35180cfe5c 100644
--- a/src/lib/libssl/tls13_key_schedule.c
+++ b/src/lib/libssl/tls13_key_schedule.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_key_schedule.c,v 1.8 2019/11/17 21:01:08 beck Exp $ */
+/* $OpenBSD: tls13_key_schedule.c,v 1.9 2020/11/16 18:55:15 jsing Exp $ */
 /* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -174,6 +174,15 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
    const struct tls13_secret *secret, const char *label,
    const struct tls13_secret *context)
 {
+        return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
+            strlen(label), context);
+}
+int
+tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret,
+    const uint8_t *label, size_t label_len, const struct tls13_secret *context)
+{
        const char tls13_plabel[] = "tls13 ";
        uint8_t *hkdf_label;
        size_t hkdf_label_len;
@@ -188,7 +197,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
                goto err;
        if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
                goto err;
-        if (!CBB_add_bytes(&child, label, strlen(label)))
+        if (!CBB_add_bytes(&child, label, label_len))
                goto err;
        if (!CBB_add_u8_length_prefixed(&cbb, &child))
                goto err;
@@ -207,7 +216,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
        return(0);
 }
-static int
+int
 tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
    const struct tls13_secret *secret, const char *label,
    const struct tls13_secret *context)
@@ -216,6 +225,15 @@ tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
 }
 int
+tls13_derive_secret_with_label_length(struct tls13_secret *out,
+    const EVP_MD *digest, const struct tls13_secret *secret, const uint8_t *label,
+    size_t label_len, const struct tls13_secret *context)
+{
+        return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
+            label_len, context);
+}
+int
 tls13_derive_early_secrets(struct tls13_secrets *secrets,
    uint8_t *psk, size_t psk_len, const struct tls13_secret *context)
 {
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 590426ad8a..6b6ddce4d6 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.54 2020/09/11 15:03:36 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.55 2020/11/16 18:55:15 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -579,3 +579,75 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
        return 1;
 }
+int
+tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len,
+    const uint8_t *context_value, size_t context_value_len, uint8_t *out,
+    size_t out_len)
+{
+        struct tls13_secret context, export_out, export_secret;
+        struct tls13_secrets *secrets = ctx->hs->secrets;
+        EVP_MD_CTX *md_ctx = NULL;
+        unsigned int md_out_len;
+        int md_len;
+        int ret = 0;
+        /*
+         * RFC 8446 Section 7.5.
+         */
+        memset(&context, 0, sizeof(context));
+        memset(&export_secret, 0, sizeof(export_secret));
+        export_out.data = out;
+        export_out.len = out_len;
+        if (!ctx->handshake_completed)
+                return 0;
+        md_len = EVP_MD_size(secrets->digest);
+        if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE)
+                goto err;
+        if ((export_secret.data = calloc(1, md_len)) == NULL)
+                goto err;
+        export_secret.len = md_len;
+        if ((context.data = calloc(1, md_len)) == NULL)
+                goto err;
+        context.len = md_len;
+        /* In TLSv1.3 no context is equivalent to an empty context. */
+        if (context_value == NULL) {
+                context_value = "";
+                context_value_len = 0;
+        }
+        if ((md_ctx = EVP_MD_CTX_new()) == NULL)
+                goto err;
+        if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
+                goto err;
+        if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
+                goto err;
+        if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
+                goto err;
+        if (md_len != md_out_len)
+                goto err;
+        if (!tls13_derive_secret_with_label_length(&export_secret,
+            secrets->digest, &secrets->exporter_master, label, label_len,
+            &secrets->empty_hash))
+                goto err;
+        if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
+            &export_secret, "exporter", &context))
+                goto err;
+        ret = 1;
+ err:
+        EVP_MD_CTX_free(md_ctx);
+        freezero(context.data, context.len);
+        freezero(export_secret.data, export_secret.len);
+        return ret;
+}
author	jsing <>	2020-11-16 18:55:15 +0000
committer	jsing <>	2020-11-16 18:55:15 +0000
commit	7edbb85fb63bc248e3633a6d70bd4e49c811e451 (patch)
tree	23027db55bc9d45c4690d13e3be7302ff83c4055
parent	abffca736d5ed1aaca940a97ae97979bc46699f8 (diff)
download	openbsd-7edbb85fb63bc248e3633a6d70bd4e49c811e451.tar.gz openbsd-7edbb85fb63bc248e3633a6d70bd4e49c811e451.tar.bz2 openbsd-7edbb85fb63bc248e3633a6d70bd4e49c811e451.zip

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index d92ccd8029..58b9dae910 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssl_lib.c,v 1.237 2020/10/14 16:57:33 jsing Exp $ */	1	/* $OpenBSD: ssl_lib.c,v 1.238 2020/11/16 18:55:15 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -1716,8 +1716,17 @@ SSL_export_keying_material(SSL s, unsigned char out, size_t olen,
1716	const char label, size_t llen, const unsigned char p, size_t plen,	1716	const char label, size_t llen, const unsigned char p, size_t plen,
1717	int use_context)	1717	int use_context)
1718	{	1718	{
1719	return (tls1_export_keying_material(s, out, olen,	1719	if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) {
1720	label, llen, p, plen, use_context));	1720	if (!use_context) {
		1721	p = NULL;
		1722	plen = 0;
		1723	}
		1724	return tls13_exporter(s->internal->tls13, label, llen, p, plen,
		1725	out, olen);
		1726	}
		1727
		1728	return (tls1_export_keying_material(s, out, olen, label, llen, p, plen,
		1729	use_context));
1721	}	1730	}
1722		1731
1723	static unsigned long	1732	static unsigned long


diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index 03a1a6b4b1..ea5f9a1473 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_internal.h,v 1.86 2020/07/30 16:23:17 tb Exp $ */	1	/* $OpenBSD: tls13_internal.h,v 1.87 2020/11/16 18:55:15 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2018 Bob Beck <beck@openbsd.org>
4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>	4	* Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
@@ -148,6 +148,16 @@ void tls13_secrets_destroy(struct tls13_secrets *secrets);
148	int tls13_hkdf_expand_label(struct tls13_secret out, const EVP_MD digest,	148	int tls13_hkdf_expand_label(struct tls13_secret out, const EVP_MD digest,
149	const struct tls13_secret secret, const char label,	149	const struct tls13_secret secret, const char label,
150	const struct tls13_secret *context);	150	const struct tls13_secret *context);
		151	int tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
		152	const EVP_MD digest, const struct tls13_secret secret,
		153	const uint8_t label, size_t label_len, const struct tls13_secret context);
		154
		155	int tls13_derive_secret(struct tls13_secret out, const EVP_MD digest,
		156	const struct tls13_secret secret, const char label,
		157	const struct tls13_secret *context);
		158	int tls13_derive_secret_with_label_length(struct tls13_secret *out,
		159	const EVP_MD digest, const struct tls13_secret secret,
		160	const uint8_t label, size_t label_len, const struct tls13_secret context);
151		161
152	int tls13_derive_early_secrets(struct tls13_secrets secrets, uint8_t psk,	162	int tls13_derive_early_secrets(struct tls13_secrets secrets, uint8_t psk,
153	size_t psk_len, const struct tls13_secret *context);	163	size_t psk_len, const struct tls13_secret *context);
@@ -412,6 +422,10 @@ int tls13_error_setx(struct tls13_error *error, int code, int subcode,
412	tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \	422	tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \
413	(fmt), __VA_ARGS__)	423	(fmt), __VA_ARGS__)
414		424
		425	int tls13_exporter(struct tls13_ctx ctx, const uint8_t label, size_t label_len,
		426	const uint8_t context_value, size_t context_value_len, uint8_t out,
		427	size_t out_len);
		428
415	extern const uint8_t tls13_downgrade_12[8];	429	extern const uint8_t tls13_downgrade_12[8];
416	extern const uint8_t tls13_downgrade_11[8];	430	extern const uint8_t tls13_downgrade_11[8];
417	extern const uint8_t tls13_hello_retry_request_hash[32];	431	extern const uint8_t tls13_hello_retry_request_hash[32];


diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c index 91f59e46f9..35180cfe5c 100644 --- a/src/lib/libssl/tls13_key_schedule.c +++ b/src/lib/libssl/tls13_key_schedule.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_key_schedule.c,v 1.8 2019/11/17 21:01:08 beck Exp $ */	1	/* $OpenBSD: tls13_key_schedule.c,v 1.9 2020/11/16 18:55:15 jsing Exp $ */
2	/* Copyright (c) 2018, Bob Beck <beck@openbsd.org>	2	/* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
3	*	3	*
4	* Permission to use, copy, modify, and/or distribute this software for any	4	* Permission to use, copy, modify, and/or distribute this software for any
@@ -174,6 +174,15 @@ tls13_hkdf_expand_label(struct tls13_secret out, const EVP_MD digest,
174	const struct tls13_secret secret, const char label,	174	const struct tls13_secret secret, const char label,
175	const struct tls13_secret *context)	175	const struct tls13_secret *context)
176	{	176	{
		177	return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
		178	strlen(label), context);
		179	}
		180
		181	int
		182	tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
		183	const EVP_MD digest, const struct tls13_secret secret,
		184	const uint8_t label, size_t label_len, const struct tls13_secret context)
		185	{
177	const char tls13_plabel[] = "tls13 ";	186	const char tls13_plabel[] = "tls13 ";
178	uint8_t *hkdf_label;	187	uint8_t *hkdf_label;
179	size_t hkdf_label_len;	188	size_t hkdf_label_len;
@@ -188,7 +197,7 @@ tls13_hkdf_expand_label(struct tls13_secret out, const EVP_MD digest,
188	goto err;	197	goto err;
189	if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))	198	if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
190	goto err;	199	goto err;
191	if (!CBB_add_bytes(&child, label, strlen(label)))	200	if (!CBB_add_bytes(&child, label, label_len))
192	goto err;	201	goto err;
193	if (!CBB_add_u8_length_prefixed(&cbb, &child))	202	if (!CBB_add_u8_length_prefixed(&cbb, &child))
194	goto err;	203	goto err;
@@ -207,7 +216,7 @@ tls13_hkdf_expand_label(struct tls13_secret out, const EVP_MD digest,
207	return(0);	216	return(0);
208	}	217	}
209		218
210	static int	219	int
211	tls13_derive_secret(struct tls13_secret out, const EVP_MD digest,	220	tls13_derive_secret(struct tls13_secret out, const EVP_MD digest,
212	const struct tls13_secret secret, const char label,	221	const struct tls13_secret secret, const char label,
213	const struct tls13_secret *context)	222	const struct tls13_secret *context)
@@ -216,6 +225,15 @@ tls13_derive_secret(struct tls13_secret out, const EVP_MD digest,
216	}	225	}
217		226
218	int	227	int
		228	tls13_derive_secret_with_label_length(struct tls13_secret *out,
		229	const EVP_MD digest, const struct tls13_secret secret, const uint8_t *label,
		230	size_t label_len, const struct tls13_secret *context)
		231	{
		232	return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
		233	label_len, context);
		234	}
		235
		236	int
219	tls13_derive_early_secrets(struct tls13_secrets *secrets,	237	tls13_derive_early_secrets(struct tls13_secrets *secrets,
220	uint8_t psk, size_t psk_len, const struct tls13_secret context)	238	uint8_t psk, size_t psk_len, const struct tls13_secret context)
221	{	239	{


diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 590426ad8a..6b6ddce4d6 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.54 2020/09/11 15:03:36 jsing Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.55 2020/11/16 18:55:15 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -579,3 +579,75 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx)
579	return 1;	579	return 1;
580	}	580	}
581		581
		582	int
		583	tls13_exporter(struct tls13_ctx ctx, const uint8_t label, size_t label_len,
		584	const uint8_t context_value, size_t context_value_len, uint8_t out,
		585	size_t out_len)
		586	{
		587	struct tls13_secret context, export_out, export_secret;
		588	struct tls13_secrets *secrets = ctx->hs->secrets;
		589	EVP_MD_CTX *md_ctx = NULL;
		590	unsigned int md_out_len;
		591	int md_len;
		592	int ret = 0;
		593
		594	/*
		595	* RFC 8446 Section 7.5.
		596	*/
		597
		598	memset(&context, 0, sizeof(context));
		599	memset(&export_secret, 0, sizeof(export_secret));
		600
		601	export_out.data = out;
		602	export_out.len = out_len;
		603
		604	if (!ctx->handshake_completed)
		605	return 0;
		606
		607	md_len = EVP_MD_size(secrets->digest);
		608	if (md_len <= 0 \|\| md_len > EVP_MAX_MD_SIZE)
		609	goto err;
		610
		611	if ((export_secret.data = calloc(1, md_len)) == NULL)
		612	goto err;
		613	export_secret.len = md_len;
		614
		615	if ((context.data = calloc(1, md_len)) == NULL)
		616	goto err;
		617	context.len = md_len;
		618
		619	/* In TLSv1.3 no context is equivalent to an empty context. */
		620	if (context_value == NULL) {
		621	context_value = "";
		622	context_value_len = 0;
		623	}
		624
		625	if ((md_ctx = EVP_MD_CTX_new()) == NULL)
		626	goto err;
		627	if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL))
		628	goto err;
		629	if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len))
		630	goto err;
		631	if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len))
		632	goto err;
		633	if (md_len != md_out_len)
		634	goto err;
		635
		636	if (!tls13_derive_secret_with_label_length(&export_secret,
		637	secrets->digest, &secrets->exporter_master, label, label_len,
		638	&secrets->empty_hash))
		639	goto err;
		640
		641	if (!tls13_hkdf_expand_label(&export_out, secrets->digest,
		642	&export_secret, "exporter", &context))
		643	goto err;
		644
		645	ret = 1;
		646
		647	err:
		648	EVP_MD_CTX_free(md_ctx);
		649	freezero(context.data, context.len);
		650	freezero(export_secret.data, export_secret.len);
		651
		652	return ret;
		653	}