This commit was manufactured by cvs2git to create tag 'tb_20210818'.tb_20210818

author: cvs2svn <admin@example.com> 2021-08-18 16:06:57 +0000
committer: cvs2svn <admin@example.com> 2021-08-18 16:06:57 +0000
commit: d56c8fa8260d226f98b26f017b45b9c2b135f38d (patch)
tree: 348178b41617813cc93787187984a734ef8379ca /src/lib/libssl/tls13_key_schedule.c
parent: 18b9c1bcab7c37d8c5bd05b8e0d14d0c59d96650 (diff)
download: openbsd-tb_20210818.tar.gz
openbsd-tb_20210818.tar.bz2
openbsd-tb_20210818.zip
1 files changed, 0 insertions, 383 deletions
diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c
deleted file mode 100644
index bb96cf3dd8..0000000000
--- a/src/lib/libssl/tls13_key_schedule.c
+++ /dev/null
@@ -1,383 +0,0 @@
-/* $OpenBSD: tls13_key_schedule.c,v 1.14 2021/01/05 18:36:22 tb Exp $ */
-/*
- * Copyright (c) 2018, Bob Beck <beck@openbsd.org>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <string.h>
-#include <stdlib.h>
-#include <openssl/hkdf.h>
-#include "bytestring.h"
-#include "tls13_internal.h"
-int
-tls13_secret_init(struct tls13_secret *secret, size_t len)
-{
-        if (secret->data != NULL)
-                return 0;
-        if ((secret->data = calloc(1, len)) == NULL)
-                return 0;
-        secret->len = len;
-        return 1;
-}
-void
-tls13_secret_cleanup(struct tls13_secret *secret)
-{
-        freezero(secret->data, secret->len);
-        secret->data = NULL;
-        secret->len = 0;
-}
-/*
- * Allocate a set of secrets for a key schedule using
- * a size of hash_length from RFC 8446 section 7.1.
- */
-struct tls13_secrets *
-tls13_secrets_create(const EVP_MD *digest, int resumption)
-{
-        struct tls13_secrets *secrets = NULL;
-        EVP_MD_CTX *mdctx = NULL;
-        unsigned int mdlen;
-        size_t hash_length;
-        hash_length = EVP_MD_size(digest);
-        if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL)
-                goto err;
-        if (!tls13_secret_init(&secrets->zeros, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->empty_hash, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->extracted_early, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->binder_key, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->client_early_traffic, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->early_exporter_master, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->derived_early, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->extracted_handshake, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->client_handshake_traffic, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->server_handshake_traffic, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->derived_handshake, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->extracted_master, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->client_application_traffic, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->server_application_traffic, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->exporter_master, hash_length))
-                goto err;
-        if (!tls13_secret_init(&secrets->resumption_master, hash_length))
-                goto err;
-        /*
-         * Calculate the hash of a zero-length string - this is needed during
-         * the "derived" step for key extraction.
-         */
-        if ((mdctx = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        if (!EVP_DigestInit_ex(mdctx, digest, NULL))
-                goto err;
-        if (!EVP_DigestUpdate(mdctx, secrets->zeros.data, 0))
-                goto err;
-        if (!EVP_DigestFinal_ex(mdctx, secrets->empty_hash.data, &mdlen))
-                goto err;
-        EVP_MD_CTX_free(mdctx);
-        mdctx = NULL;
-        if (secrets->empty_hash.len != mdlen)
-                goto err;
-        secrets->digest = digest;
-        secrets->resumption = resumption;
-        secrets->init_done = 1;
-        return secrets;
- err:
-        tls13_secrets_destroy(secrets);
-        EVP_MD_CTX_free(mdctx);
-        return NULL;
-}
-void
-tls13_secrets_destroy(struct tls13_secrets *secrets)
-{
-        if (secrets == NULL)
-                return;
-        /* you can never be too sure :) */
-        tls13_secret_cleanup(&secrets->zeros);
-        tls13_secret_cleanup(&secrets->empty_hash);
-        tls13_secret_cleanup(&secrets->extracted_early);
-        tls13_secret_cleanup(&secrets->binder_key);
-        tls13_secret_cleanup(&secrets->client_early_traffic);
-        tls13_secret_cleanup(&secrets->early_exporter_master);
-        tls13_secret_cleanup(&secrets->derived_early);
-        tls13_secret_cleanup(&secrets->extracted_handshake);
-        tls13_secret_cleanup(&secrets->client_handshake_traffic);
-        tls13_secret_cleanup(&secrets->server_handshake_traffic);
-        tls13_secret_cleanup(&secrets->derived_handshake);
-        tls13_secret_cleanup(&secrets->extracted_master);
-        tls13_secret_cleanup(&secrets->client_application_traffic);
-        tls13_secret_cleanup(&secrets->server_application_traffic);
-        tls13_secret_cleanup(&secrets->exporter_master);
-        tls13_secret_cleanup(&secrets->resumption_master);
-        freezero(secrets, sizeof(struct tls13_secrets));
-}
-int
-tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest,
-    const struct tls13_secret *secret, const char *label,
-    const struct tls13_secret *context)
-{
-        return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
-            strlen(label), context);
-}
-int
-tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
-    const EVP_MD *digest, const struct tls13_secret *secret,
-    const uint8_t *label, size_t label_len, const struct tls13_secret *context)
-{
-        const char tls13_plabel[] = "tls13 ";
-        uint8_t *hkdf_label;
-        size_t hkdf_label_len;
-        CBB cbb, child;
-        int ret;
-        if (!CBB_init(&cbb, 256))
-                return 0;
-        if (!CBB_add_u16(&cbb, out->len))
-                goto err;
-        if (!CBB_add_u8_length_prefixed(&cbb, &child))
-                goto err;
-        if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
-                goto err;
-        if (!CBB_add_bytes(&child, label, label_len))
-                goto err;
-        if (!CBB_add_u8_length_prefixed(&cbb, &child))
-                goto err;
-        if (!CBB_add_bytes(&child, context->data, context->len))
-                goto err;
-        if (!CBB_finish(&cbb, &hkdf_label, &hkdf_label_len))
-                goto err;
-        ret = HKDF_expand(out->data, out->len, digest, secret->data,
-            secret->len, hkdf_label, hkdf_label_len);
-        free(hkdf_label);
-        return(ret);
- err:
-        CBB_cleanup(&cbb);
-        return(0);
-}
-int
-tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest,
-    const struct tls13_secret *secret, const char *label,
-    const struct tls13_secret *context)
-{
-        return tls13_hkdf_expand_label(out, digest, secret, label, context);
-}
-int
-tls13_derive_secret_with_label_length(struct tls13_secret *out,
-    const EVP_MD *digest, const struct tls13_secret *secret, const uint8_t *label,
-    size_t label_len, const struct tls13_secret *context)
-{
-        return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
-            label_len, context);
-}
-int
-tls13_derive_early_secrets(struct tls13_secrets *secrets,
-    uint8_t *psk, size_t psk_len, const struct tls13_secret *context)
-{
-        if (!secrets->init_done || secrets->early_done)
-                return 0;
-        if (!HKDF_extract(secrets->extracted_early.data,
-            &secrets->extracted_early.len, secrets->digest, psk, psk_len,
-            secrets->zeros.data, secrets->zeros.len))
-                return 0;
-        if (secrets->extracted_early.len != secrets->zeros.len)
-                return 0;
-        if (!tls13_derive_secret(&secrets->binder_key, secrets->digest,
-            &secrets->extracted_early,
-            secrets->resumption ? "res binder" : "ext binder",
-            &secrets->empty_hash))
-                return 0;
-        if (!tls13_derive_secret(&secrets->client_early_traffic,
-            secrets->digest, &secrets->extracted_early, "c e traffic",
-            context))
-                return 0;
-        if (!tls13_derive_secret(&secrets->early_exporter_master,
-            secrets->digest, &secrets->extracted_early, "e exp master",
-            context))
-                return 0;
-        if (!tls13_derive_secret(&secrets->derived_early,
-            secrets->digest, &secrets->extracted_early, "derived",
-            &secrets->empty_hash))
-                return 0;
-        /* RFC 8446 recommends */
-        if (!secrets->insecure)
-                explicit_bzero(secrets->extracted_early.data,
-                    secrets->extracted_early.len);
-        secrets->early_done = 1;
-        return 1;
-}
-int
-tls13_derive_handshake_secrets(struct tls13_secrets *secrets,
-    const uint8_t *ecdhe, size_t ecdhe_len,
-    const struct tls13_secret *context)
-{
-        if (!secrets->init_done || !secrets->early_done ||
-            secrets->handshake_done)
-                return 0;
-        if (!HKDF_extract(secrets->extracted_handshake.data,
-            &secrets->extracted_handshake.len, secrets->digest,
-            ecdhe, ecdhe_len, secrets->derived_early.data,
-            secrets->derived_early.len))
-                return 0;
-        if (secrets->extracted_handshake.len != secrets->zeros.len)
-                return 0;
-        /* XXX */
-        if (!secrets->insecure)
-                explicit_bzero(secrets->derived_early.data,
-                    secrets->derived_early.len);
-        if (!tls13_derive_secret(&secrets->client_handshake_traffic,
-            secrets->digest, &secrets->extracted_handshake, "c hs traffic",
-            context))
-                return 0;
-        if (!tls13_derive_secret(&secrets->server_handshake_traffic,
-            secrets->digest, &secrets->extracted_handshake, "s hs traffic",
-            context))
-                return 0;
-        if (!tls13_derive_secret(&secrets->derived_handshake,
-            secrets->digest, &secrets->extracted_handshake, "derived",
-            &secrets->empty_hash))
-                return 0;
-        /* RFC 8446 recommends */
-        if (!secrets->insecure)
-                explicit_bzero(secrets->extracted_handshake.data,
-                    secrets->extracted_handshake.len);
-        secrets->handshake_done = 1;
-        return 1;
-}
-int
-tls13_derive_application_secrets(struct tls13_secrets *secrets,
-    const struct tls13_secret *context)
-{
-        if (!secrets->init_done || !secrets->early_done ||
-            !secrets->handshake_done || secrets->schedule_done)
-                return 0;
-        if (!HKDF_extract(secrets->extracted_master.data,
-            &secrets->extracted_master.len, secrets->digest,
-            secrets->zeros.data, secrets->zeros.len,
-            secrets->derived_handshake.data, secrets->derived_handshake.len))
-                return 0;
-        if (secrets->extracted_master.len != secrets->zeros.len)
-                return 0;
-        /* XXX */
-        if (!secrets->insecure)
-                explicit_bzero(secrets->derived_handshake.data,
-                    secrets->derived_handshake.len);
-        if (!tls13_derive_secret(&secrets->client_application_traffic,
-            secrets->digest, &secrets->extracted_master, "c ap traffic",
-            context))
-                return 0;
-        if (!tls13_derive_secret(&secrets->server_application_traffic,
-            secrets->digest, &secrets->extracted_master, "s ap traffic",
-            context))
-                return 0;
-        if (!tls13_derive_secret(&secrets->exporter_master,
-            secrets->digest, &secrets->extracted_master, "exp master",
-            context))
-                return 0;
-        if (!tls13_derive_secret(&secrets->resumption_master,
-            secrets->digest, &secrets->extracted_master, "res master",
-            context))
-                return 0;
-        /* RFC 8446 recommends */
-        if (!secrets->insecure)
-                explicit_bzero(secrets->extracted_master.data,
-                    secrets->extracted_master.len);
-        secrets->schedule_done = 1;
-        return 1;
-}
-int
-tls13_update_client_traffic_secret(struct tls13_secrets *secrets)
-{
-        struct tls13_secret context = { .data = "", .len = 0 };
-        if (!secrets->init_done || !secrets->early_done ||
-            !secrets->handshake_done || !secrets->schedule_done)
-                return 0;
-        return tls13_hkdf_expand_label(&secrets->client_application_traffic,
-            secrets->digest, &secrets->client_application_traffic,
-            "traffic upd", &context);
-}
-int
-tls13_update_server_traffic_secret(struct tls13_secrets *secrets)
-{
-        struct tls13_secret context = { .data = "", .len = 0 };
-        if (!secrets->init_done || !secrets->early_done ||
-            !secrets->handshake_done || !secrets->schedule_done)
-                return 0;
-        return tls13_hkdf_expand_label(&secrets->server_application_traffic,
-            secrets->digest, &secrets->server_application_traffic,
-            "traffic upd", &context);
-}
author	cvs2svn <admin@example.com>	2021-08-18 16:06:57 +0000
committer	cvs2svn <admin@example.com>	2021-08-18 16:06:57 +0000
commit	d56c8fa8260d226f98b26f017b45b9c2b135f38d (patch)
tree	348178b41617813cc93787187984a734ef8379ca /src/lib/libssl/tls13_key_schedule.c
parent	18b9c1bcab7c37d8c5bd05b8e0d14d0c59d96650 (diff)
download	openbsd-tb_20210818.tar.gz openbsd-tb_20210818.tar.bz2 openbsd-tb_20210818.zip

diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c deleted file mode 100644 index bb96cf3dd8..0000000000 --- a/src/lib/libssl/tls13_key_schedule.c +++ /dev/null
@@ -1,383 +0,0 @@
1	/* $OpenBSD: tls13_key_schedule.c,v 1.14 2021/01/05 18:36:22 tb Exp $ */
2	/*
3	* Copyright (c) 2018, Bob Beck <beck@openbsd.org>
4	*
5	* Permission to use, copy, modify, and/or distribute this software for any
6	* purpose with or without fee is hereby granted, provided that the above
7	* copyright notice and this permission notice appear in all copies.
8	*
9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
12	* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
14	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
15	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	*/
17
18	#include <string.h>
19	#include <stdlib.h>
20
21	#include <openssl/hkdf.h>
22
23	#include "bytestring.h"
24	#include "tls13_internal.h"
25
26	int
27	tls13_secret_init(struct tls13_secret *secret, size_t len)
28	{
29	if (secret->data != NULL)
30	return 0;
31
32	if ((secret->data = calloc(1, len)) == NULL)
33	return 0;
34	secret->len = len;
35
36	return 1;
37	}
38
39	void
40	tls13_secret_cleanup(struct tls13_secret *secret)
41	{
42	freezero(secret->data, secret->len);
43	secret->data = NULL;
44	secret->len = 0;
45	}
46
47	/*
48	* Allocate a set of secrets for a key schedule using
49	* a size of hash_length from RFC 8446 section 7.1.
50	*/
51	struct tls13_secrets *
52	tls13_secrets_create(const EVP_MD *digest, int resumption)
53	{
54	struct tls13_secrets *secrets = NULL;
55	EVP_MD_CTX *mdctx = NULL;
56	unsigned int mdlen;
57	size_t hash_length;
58
59	hash_length = EVP_MD_size(digest);
60
61	if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL)
62	goto err;
63
64	if (!tls13_secret_init(&secrets->zeros, hash_length))
65	goto err;
66	if (!tls13_secret_init(&secrets->empty_hash, hash_length))
67	goto err;
68
69	if (!tls13_secret_init(&secrets->extracted_early, hash_length))
70	goto err;
71	if (!tls13_secret_init(&secrets->binder_key, hash_length))
72	goto err;
73	if (!tls13_secret_init(&secrets->client_early_traffic, hash_length))
74	goto err;
75	if (!tls13_secret_init(&secrets->early_exporter_master, hash_length))
76	goto err;
77	if (!tls13_secret_init(&secrets->derived_early, hash_length))
78	goto err;
79	if (!tls13_secret_init(&secrets->extracted_handshake, hash_length))
80	goto err;
81	if (!tls13_secret_init(&secrets->client_handshake_traffic, hash_length))
82	goto err;
83	if (!tls13_secret_init(&secrets->server_handshake_traffic, hash_length))
84	goto err;
85	if (!tls13_secret_init(&secrets->derived_handshake, hash_length))
86	goto err;
87	if (!tls13_secret_init(&secrets->extracted_master, hash_length))
88	goto err;
89	if (!tls13_secret_init(&secrets->client_application_traffic, hash_length))
90	goto err;
91	if (!tls13_secret_init(&secrets->server_application_traffic, hash_length))
92	goto err;
93	if (!tls13_secret_init(&secrets->exporter_master, hash_length))
94	goto err;
95	if (!tls13_secret_init(&secrets->resumption_master, hash_length))
96	goto err;
97
98	/*
99	* Calculate the hash of a zero-length string - this is needed during
100	* the "derived" step for key extraction.
101	*/
102	if ((mdctx = EVP_MD_CTX_new()) == NULL)
103	goto err;
104	if (!EVP_DigestInit_ex(mdctx, digest, NULL))
105	goto err;
106	if (!EVP_DigestUpdate(mdctx, secrets->zeros.data, 0))
107	goto err;
108	if (!EVP_DigestFinal_ex(mdctx, secrets->empty_hash.data, &mdlen))
109	goto err;
110	EVP_MD_CTX_free(mdctx);
111	mdctx = NULL;
112
113	if (secrets->empty_hash.len != mdlen)
114	goto err;
115
116	secrets->digest = digest;
117	secrets->resumption = resumption;
118	secrets->init_done = 1;
119
120	return secrets;
121
122	err:
123	tls13_secrets_destroy(secrets);
124	EVP_MD_CTX_free(mdctx);
125
126	return NULL;
127	}
128
129	void
130	tls13_secrets_destroy(struct tls13_secrets *secrets)
131	{
132	if (secrets == NULL)
133	return;
134
135	/* you can never be too sure :) */
136	tls13_secret_cleanup(&secrets->zeros);
137	tls13_secret_cleanup(&secrets->empty_hash);
138
139	tls13_secret_cleanup(&secrets->extracted_early);
140	tls13_secret_cleanup(&secrets->binder_key);
141	tls13_secret_cleanup(&secrets->client_early_traffic);
142	tls13_secret_cleanup(&secrets->early_exporter_master);
143	tls13_secret_cleanup(&secrets->derived_early);
144	tls13_secret_cleanup(&secrets->extracted_handshake);
145	tls13_secret_cleanup(&secrets->client_handshake_traffic);
146	tls13_secret_cleanup(&secrets->server_handshake_traffic);
147	tls13_secret_cleanup(&secrets->derived_handshake);
148	tls13_secret_cleanup(&secrets->extracted_master);
149	tls13_secret_cleanup(&secrets->client_application_traffic);
150	tls13_secret_cleanup(&secrets->server_application_traffic);
151	tls13_secret_cleanup(&secrets->exporter_master);
152	tls13_secret_cleanup(&secrets->resumption_master);
153
154	freezero(secrets, sizeof(struct tls13_secrets));
155	}
156
157	int
158	tls13_hkdf_expand_label(struct tls13_secret out, const EVP_MD digest,
159	const struct tls13_secret secret, const char label,
160	const struct tls13_secret *context)
161	{
162	return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
163	strlen(label), context);
164	}
165
166	int
167	tls13_hkdf_expand_label_with_length(struct tls13_secret *out,
168	const EVP_MD digest, const struct tls13_secret secret,
169	const uint8_t label, size_t label_len, const struct tls13_secret context)
170	{
171	const char tls13_plabel[] = "tls13 ";
172	uint8_t *hkdf_label;
173	size_t hkdf_label_len;
174	CBB cbb, child;
175	int ret;
176
177	if (!CBB_init(&cbb, 256))
178	return 0;
179	if (!CBB_add_u16(&cbb, out->len))
180	goto err;
181	if (!CBB_add_u8_length_prefixed(&cbb, &child))
182	goto err;
183	if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel)))
184	goto err;
185	if (!CBB_add_bytes(&child, label, label_len))
186	goto err;
187	if (!CBB_add_u8_length_prefixed(&cbb, &child))
188	goto err;
189	if (!CBB_add_bytes(&child, context->data, context->len))
190	goto err;
191	if (!CBB_finish(&cbb, &hkdf_label, &hkdf_label_len))
192	goto err;
193
194	ret = HKDF_expand(out->data, out->len, digest, secret->data,
195	secret->len, hkdf_label, hkdf_label_len);
196
197	free(hkdf_label);
198	return(ret);
199	err:
200	CBB_cleanup(&cbb);
201	return(0);
202	}
203
204	int
205	tls13_derive_secret(struct tls13_secret out, const EVP_MD digest,
206	const struct tls13_secret secret, const char label,
207	const struct tls13_secret *context)
208	{
209	return tls13_hkdf_expand_label(out, digest, secret, label, context);
210	}
211
212	int
213	tls13_derive_secret_with_label_length(struct tls13_secret *out,
214	const EVP_MD digest, const struct tls13_secret secret, const uint8_t *label,
215	size_t label_len, const struct tls13_secret *context)
216	{
217	return tls13_hkdf_expand_label_with_length(out, digest, secret, label,
218	label_len, context);
219	}
220
221	int
222	tls13_derive_early_secrets(struct tls13_secrets *secrets,
223	uint8_t psk, size_t psk_len, const struct tls13_secret context)
224	{
225	if (!secrets->init_done \|\| secrets->early_done)
226	return 0;
227
228	if (!HKDF_extract(secrets->extracted_early.data,
229	&secrets->extracted_early.len, secrets->digest, psk, psk_len,
230	secrets->zeros.data, secrets->zeros.len))
231	return 0;
232
233	if (secrets->extracted_early.len != secrets->zeros.len)
234	return 0;
235
236	if (!tls13_derive_secret(&secrets->binder_key, secrets->digest,
237	&secrets->extracted_early,
238	secrets->resumption ? "res binder" : "ext binder",
239	&secrets->empty_hash))
240	return 0;
241	if (!tls13_derive_secret(&secrets->client_early_traffic,
242	secrets->digest, &secrets->extracted_early, "c e traffic",
243	context))
244	return 0;
245	if (!tls13_derive_secret(&secrets->early_exporter_master,
246	secrets->digest, &secrets->extracted_early, "e exp master",
247	context))
248	return 0;
249	if (!tls13_derive_secret(&secrets->derived_early,
250	secrets->digest, &secrets->extracted_early, "derived",
251	&secrets->empty_hash))
252	return 0;
253
254	/* RFC 8446 recommends */
255	if (!secrets->insecure)
256	explicit_bzero(secrets->extracted_early.data,
257	secrets->extracted_early.len);
258	secrets->early_done = 1;
259	return 1;
260	}
261
262	int
263	tls13_derive_handshake_secrets(struct tls13_secrets *secrets,
264	const uint8_t *ecdhe, size_t ecdhe_len,
265	const struct tls13_secret *context)
266	{
267	if (!secrets->init_done \|\| !secrets->early_done \|\|
268	secrets->handshake_done)
269	return 0;
270
271	if (!HKDF_extract(secrets->extracted_handshake.data,
272	&secrets->extracted_handshake.len, secrets->digest,
273	ecdhe, ecdhe_len, secrets->derived_early.data,
274	secrets->derived_early.len))
275	return 0;
276
277	if (secrets->extracted_handshake.len != secrets->zeros.len)
278	return 0;
279
280	/* XXX */
281	if (!secrets->insecure)
282	explicit_bzero(secrets->derived_early.data,
283	secrets->derived_early.len);
284
285	if (!tls13_derive_secret(&secrets->client_handshake_traffic,
286	secrets->digest, &secrets->extracted_handshake, "c hs traffic",
287	context))
288	return 0;
289	if (!tls13_derive_secret(&secrets->server_handshake_traffic,
290	secrets->digest, &secrets->extracted_handshake, "s hs traffic",
291	context))
292	return 0;
293	if (!tls13_derive_secret(&secrets->derived_handshake,
294	secrets->digest, &secrets->extracted_handshake, "derived",
295	&secrets->empty_hash))
296	return 0;
297
298	/* RFC 8446 recommends */
299	if (!secrets->insecure)
300	explicit_bzero(secrets->extracted_handshake.data,
301	secrets->extracted_handshake.len);
302
303	secrets->handshake_done = 1;
304
305	return 1;
306	}
307
308	int
309	tls13_derive_application_secrets(struct tls13_secrets *secrets,
310	const struct tls13_secret *context)
311	{
312	if (!secrets->init_done \|\| !secrets->early_done \|\|
313	!secrets->handshake_done \|\| secrets->schedule_done)
314	return 0;
315
316	if (!HKDF_extract(secrets->extracted_master.data,
317	&secrets->extracted_master.len, secrets->digest,
318	secrets->zeros.data, secrets->zeros.len,
319	secrets->derived_handshake.data, secrets->derived_handshake.len))
320	return 0;
321
322	if (secrets->extracted_master.len != secrets->zeros.len)
323	return 0;
324
325	/* XXX */
326	if (!secrets->insecure)
327	explicit_bzero(secrets->derived_handshake.data,
328	secrets->derived_handshake.len);
329
330	if (!tls13_derive_secret(&secrets->client_application_traffic,
331	secrets->digest, &secrets->extracted_master, "c ap traffic",
332	context))
333	return 0;
334	if (!tls13_derive_secret(&secrets->server_application_traffic,
335	secrets->digest, &secrets->extracted_master, "s ap traffic",
336	context))
337	return 0;
338	if (!tls13_derive_secret(&secrets->exporter_master,
339	secrets->digest, &secrets->extracted_master, "exp master",
340	context))
341	return 0;
342	if (!tls13_derive_secret(&secrets->resumption_master,
343	secrets->digest, &secrets->extracted_master, "res master",
344	context))
345	return 0;
346
347	/* RFC 8446 recommends */
348	if (!secrets->insecure)
349	explicit_bzero(secrets->extracted_master.data,
350	secrets->extracted_master.len);
351
352	secrets->schedule_done = 1;
353
354	return 1;
355	}
356
357	int
358	tls13_update_client_traffic_secret(struct tls13_secrets *secrets)
359	{
360	struct tls13_secret context = { .data = "", .len = 0 };
361
362	if (!secrets->init_done \|\| !secrets->early_done \|\|
363	!secrets->handshake_done \|\| !secrets->schedule_done)
364	return 0;
365
366	return tls13_hkdf_expand_label(&secrets->client_application_traffic,
367	secrets->digest, &secrets->client_application_traffic,
368	"traffic upd", &context);
369	}
370
371	int
372	tls13_update_server_traffic_secret(struct tls13_secrets *secrets)
373	{
374	struct tls13_secret context = { .data = "", .len = 0 };
375
376	if (!secrets->init_done \|\| !secrets->early_done \|\|
377	!secrets->handshake_done \|\| !secrets->schedule_done)
378	return 0;
379
380	return tls13_hkdf_expand_label(&secrets->server_application_traffic,
381	secrets->digest, &secrets->server_application_traffic,
382	"traffic upd", &context);
383	}