diff options
| -rw-r--r-- | src/lib/libssl/tls13_internal.h | 24 | ||||
| -rw-r--r-- | src/lib/libssl/tls13_key_schedule.c | 137 |
2 files changed, 95 insertions, 66 deletions
diff --git a/src/lib/libssl/tls13_internal.h b/src/lib/libssl/tls13_internal.h index cad769a1bf..83f9988140 100644 --- a/src/lib/libssl/tls13_internal.h +++ b/src/lib/libssl/tls13_internal.h | |||
| @@ -1,7 +1,7 @@ | |||
| 1 | /* $OpenBSD: tls13_internal.h,v 1.4 2018/11/09 03:07:26 jsing Exp $ */ | 1 | /* $OpenBSD: tls13_internal.h,v 1.5 2018/11/09 23:56:20 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2018, Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2018 Bob Beck <beck@openbsd.org> |
| 4 | * Copyright (c) 2018, Theo Buehler <tb@openbsd.org> | 4 | * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> |
| 5 | * | 5 | * |
| 6 | * Permission to use, copy, modify, and/or distribute this software for any | 6 | * Permission to use, copy, modify, and/or distribute this software for any |
| 7 | * purpose with or without fee is hereby granted, provided that the above | 7 | * purpose with or without fee is hereby granted, provided that the above |
| @@ -30,6 +30,7 @@ struct tls13_secret { | |||
| 30 | 30 | ||
| 31 | /* RFC 8446 Section 7.1 Page 92 */ | 31 | /* RFC 8446 Section 7.1 Page 92 */ |
| 32 | struct tls13_secrets { | 32 | struct tls13_secrets { |
| 33 | const EVP_MD *digest; | ||
| 33 | int resumption; | 34 | int resumption; |
| 34 | int init_done; | 35 | int init_done; |
| 35 | int early_done; | 36 | int early_done; |
| @@ -37,6 +38,7 @@ struct tls13_secrets { | |||
| 37 | int schedule_done; | 38 | int schedule_done; |
| 38 | int insecure; /* Set by tests */ | 39 | int insecure; /* Set by tests */ |
| 39 | struct tls13_secret zeros; | 40 | struct tls13_secret zeros; |
| 41 | struct tls13_secret empty_hash; | ||
| 40 | struct tls13_secret extracted_early; | 42 | struct tls13_secret extracted_early; |
| 41 | struct tls13_secret binder_key; | 43 | struct tls13_secret binder_key; |
| 42 | struct tls13_secret client_early_traffic; | 44 | struct tls13_secret client_early_traffic; |
| @@ -53,18 +55,20 @@ struct tls13_secrets { | |||
| 53 | struct tls13_secret resumption_master; | 55 | struct tls13_secret resumption_master; |
| 54 | }; | 56 | }; |
| 55 | 57 | ||
| 56 | struct tls13_secrets *tls13_secrets_new(size_t hash_length); | 58 | struct tls13_secrets *tls13_secrets_create(const EVP_MD *digest, |
| 57 | void tls13_secrets_init(struct tls13_secrets *secrets, int resumption); | 59 | int resumption); |
| 58 | void tls13_secrets_destroy(struct tls13_secrets *secrets); | 60 | void tls13_secrets_destroy(struct tls13_secrets *secrets); |
| 59 | 61 | ||
| 60 | int tls13_derive_early_secrets(struct tls13_secrets *secrets, | 62 | int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, |
| 61 | const EVP_MD *digest,uint8_t *psk, size_t psk_len, | 63 | const struct tls13_secret *secret, const char *label, |
| 62 | const struct tls13_secret *context); | 64 | const struct tls13_secret *context); |
| 65 | |||
| 66 | int tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, | ||
| 67 | size_t psk_len, const struct tls13_secret *context); | ||
| 63 | int tls13_derive_handshake_secrets(struct tls13_secrets *secrets, | 68 | int tls13_derive_handshake_secrets(struct tls13_secrets *secrets, |
| 64 | const EVP_MD *digest, const uint8_t *ecdhe, size_t ecdhe_len, | 69 | const uint8_t *ecdhe, size_t ecdhe_len, const struct tls13_secret *context); |
| 65 | const struct tls13_secret *context); | ||
| 66 | int tls13_derive_application_secrets(struct tls13_secrets *secrets, | 70 | int tls13_derive_application_secrets(struct tls13_secrets *secrets, |
| 67 | const EVP_MD *digest, const struct tls13_secret *context); | 71 | const struct tls13_secret *context); |
| 68 | 72 | ||
| 69 | struct tls13_ctx; | 73 | struct tls13_ctx; |
| 70 | 74 | ||
diff --git a/src/lib/libssl/tls13_key_schedule.c b/src/lib/libssl/tls13_key_schedule.c index 6984d20730..f20e9b741b 100644 --- a/src/lib/libssl/tls13_key_schedule.c +++ b/src/lib/libssl/tls13_key_schedule.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls13_key_schedule.c,v 1.3 2018/11/08 23:50:54 beck Exp $ */ | 1 | /* $OpenBSD: tls13_key_schedule.c,v 1.4 2018/11/09 23:56:20 jsing Exp $ */ |
| 2 | /* Copyright (c) 2018, Bob Beck <beck@openbsd.org> | 2 | /* Copyright (c) 2018, Bob Beck <beck@openbsd.org> |
| 3 | * | 3 | * |
| 4 | * Permission to use, copy, modify, and/or distribute this software for any | 4 | * Permission to use, copy, modify, and/or distribute this software for any |
| @@ -30,6 +30,7 @@ tls13_secrets_destroy(struct tls13_secrets *secrets) | |||
| 30 | 30 | ||
| 31 | /* you can never be too sure :) */ | 31 | /* you can never be too sure :) */ |
| 32 | freezero(secrets->zeros.data, secrets->zeros.len); | 32 | freezero(secrets->zeros.data, secrets->zeros.len); |
| 33 | freezero(secrets->empty_hash.data, secrets->empty_hash.len); | ||
| 33 | 34 | ||
| 34 | freezero(secrets->extracted_early.data, | 35 | freezero(secrets->extracted_early.data, |
| 35 | secrets->extracted_early.len); | 36 | secrets->extracted_early.len); |
| @@ -65,12 +66,17 @@ tls13_secrets_destroy(struct tls13_secrets *secrets) | |||
| 65 | 66 | ||
| 66 | /* | 67 | /* |
| 67 | * Allocate a set of secrets for a key schedule using | 68 | * Allocate a set of secrets for a key schedule using |
| 68 | * a size of hash_length from RFC 8446 section 7.1 | 69 | * a size of hash_length from RFC 8446 section 7.1. |
| 69 | */ | 70 | */ |
| 70 | struct tls13_secrets * | 71 | struct tls13_secrets * |
| 71 | tls13_secrets_new(size_t hash_length) | 72 | tls13_secrets_create(const EVP_MD *digest, int resumption) |
| 72 | { | 73 | { |
| 73 | struct tls13_secrets *secrets = NULL; | 74 | struct tls13_secrets *secrets = NULL; |
| 75 | EVP_MD_CTX *mdctx = NULL; | ||
| 76 | unsigned int mdlen; | ||
| 77 | size_t hash_length; | ||
| 78 | |||
| 79 | hash_length = EVP_MD_size(digest); | ||
| 74 | 80 | ||
| 75 | if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL) | 81 | if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL) |
| 76 | goto err; | 82 | goto err; |
| @@ -79,6 +85,10 @@ tls13_secrets_new(size_t hash_length) | |||
| 79 | goto err; | 85 | goto err; |
| 80 | secrets->zeros.len = hash_length; | 86 | secrets->zeros.len = hash_length; |
| 81 | 87 | ||
| 88 | if ((secrets->empty_hash.data = malloc(hash_length)) == NULL) | ||
| 89 | goto err; | ||
| 90 | secrets->empty_hash.len = hash_length; | ||
| 91 | |||
| 82 | if ((secrets->extracted_early.data = malloc(hash_length)) == NULL) | 92 | if ((secrets->extracted_early.data = malloc(hash_length)) == NULL) |
| 83 | goto err; | 93 | goto err; |
| 84 | secrets->extracted_early.len = hash_length; | 94 | secrets->extracted_early.len = hash_length; |
| @@ -130,20 +140,37 @@ tls13_secrets_new(size_t hash_length) | |||
| 130 | goto err; | 140 | goto err; |
| 131 | secrets->resumption_master.len = hash_length; | 141 | secrets->resumption_master.len = hash_length; |
| 132 | 142 | ||
| 143 | /* | ||
| 144 | * Calculate the hash of a zero-length string - this is needed during | ||
| 145 | * the "derived" step for key extraction. | ||
| 146 | */ | ||
| 147 | if ((mdctx = EVP_MD_CTX_new()) == NULL) | ||
| 148 | goto err; | ||
| 149 | if (!EVP_DigestInit_ex(mdctx, digest, NULL)) | ||
| 150 | goto err; | ||
| 151 | if (!EVP_DigestUpdate(mdctx, secrets->zeros.data, 0)) | ||
| 152 | goto err; | ||
| 153 | if (!EVP_DigestFinal_ex(mdctx, secrets->empty_hash.data, &mdlen)) | ||
| 154 | goto err; | ||
| 155 | EVP_MD_CTX_free(mdctx); | ||
| 156 | |||
| 157 | if (secrets->empty_hash.len != mdlen) | ||
| 158 | goto err; | ||
| 159 | |||
| 160 | secrets->digest = digest; | ||
| 161 | secrets->resumption = resumption; | ||
| 162 | secrets->init_done = 1; | ||
| 163 | |||
| 133 | return secrets; | 164 | return secrets; |
| 165 | |||
| 134 | err: | 166 | err: |
| 135 | tls13_secrets_destroy(secrets); | 167 | tls13_secrets_destroy(secrets); |
| 136 | return NULL; | 168 | EVP_MD_CTX_free(mdctx); |
| 137 | } | ||
| 138 | 169 | ||
| 139 | void | 170 | return NULL; |
| 140 | tls13_secrets_init(struct tls13_secrets *secrets, int resumption) | ||
| 141 | { | ||
| 142 | secrets->resumption = resumption; | ||
| 143 | secrets->init_done = 1; | ||
| 144 | } | 171 | } |
| 145 | 172 | ||
| 146 | static int | 173 | int |
| 147 | tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, | 174 | tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, |
| 148 | const struct tls13_secret *secret, const char *label, | 175 | const struct tls13_secret *secret, const char *label, |
| 149 | const struct tls13_secret *context) | 176 | const struct tls13_secret *context) |
| @@ -173,6 +200,7 @@ tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, | |||
| 173 | 200 | ||
| 174 | ret = HKDF_expand(out->data, out->len, digest, secret->data, | 201 | ret = HKDF_expand(out->data, out->len, digest, secret->data, |
| 175 | secret->len, hkdf_label, hkdf_label_len); | 202 | secret->len, hkdf_label, hkdf_label_len); |
| 203 | |||
| 176 | free(hkdf_label); | 204 | free(hkdf_label); |
| 177 | return(ret); | 205 | return(ret); |
| 178 | err: | 206 | err: |
| @@ -188,9 +216,8 @@ tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, | |||
| 188 | return tls13_hkdf_expand_label(out, digest, secret, label, context); | 216 | return tls13_hkdf_expand_label(out, digest, secret, label, context); |
| 189 | } | 217 | } |
| 190 | 218 | ||
| 191 | |||
| 192 | int | 219 | int |
| 193 | tls13_derive_early_secrets(struct tls13_secrets *secrets, const EVP_MD *digest, | 220 | tls13_derive_early_secrets(struct tls13_secrets *secrets, |
| 194 | uint8_t *psk, size_t psk_len, const struct tls13_secret *context) | 221 | uint8_t *psk, size_t psk_len, const struct tls13_secret *context) |
| 195 | { | 222 | { |
| 196 | struct tls13_secret binder_context; | 223 | struct tls13_secret binder_context; |
| @@ -204,7 +231,7 @@ tls13_derive_early_secrets(struct tls13_secrets *secrets, const EVP_MD *digest, | |||
| 204 | if ((mdctx = EVP_MD_CTX_new()) == NULL) | 231 | if ((mdctx = EVP_MD_CTX_new()) == NULL) |
| 205 | return 0; | 232 | return 0; |
| 206 | 233 | ||
| 207 | if (!EVP_DigestInit_ex(mdctx, digest, NULL) || | 234 | if (!EVP_DigestInit_ex(mdctx, secrets->digest, NULL) || |
| 208 | !EVP_DigestUpdate(mdctx, secrets->zeros.data, secrets->zeros.len) || | 235 | !EVP_DigestUpdate(mdctx, secrets->zeros.data, secrets->zeros.len) || |
| 209 | !EVP_DigestFinal_ex(mdctx, binder_context_data, | 236 | !EVP_DigestFinal_ex(mdctx, binder_context_data, |
| 210 | &binder_context_len)) { | 237 | &binder_context_len)) { |
| @@ -220,29 +247,29 @@ tls13_derive_early_secrets(struct tls13_secrets *secrets, const EVP_MD *digest, | |||
| 220 | return 0; | 247 | return 0; |
| 221 | 248 | ||
| 222 | if (!HKDF_extract(secrets->extracted_early.data, | 249 | if (!HKDF_extract(secrets->extracted_early.data, |
| 223 | &secrets->extracted_early.len, digest, psk, psk_len, | 250 | &secrets->extracted_early.len, secrets->digest, psk, psk_len, |
| 224 | secrets->zeros.data, secrets->zeros.len)) | 251 | secrets->zeros.data, secrets->zeros.len)) |
| 225 | return 0; | 252 | return 0; |
| 226 | 253 | ||
| 227 | if (secrets->extracted_early.len != secrets->zeros.len) | 254 | if (secrets->extracted_early.len != secrets->zeros.len) |
| 228 | return 0; | 255 | return 0; |
| 229 | 256 | ||
| 230 | if (!tls13_derive_secret(&secrets->binder_key, | 257 | if (!tls13_derive_secret(&secrets->binder_key, secrets->digest, |
| 231 | digest, &secrets->extracted_early, | 258 | &secrets->extracted_early, |
| 232 | secrets->resumption ? "res binder" : "ext binder", | 259 | secrets->resumption ? "res binder" : "ext binder", |
| 233 | &binder_context)) | 260 | &binder_context)) |
| 234 | return 0; | 261 | return 0; |
| 235 | |||
| 236 | if (!tls13_derive_secret(&secrets->client_early_traffic, | 262 | if (!tls13_derive_secret(&secrets->client_early_traffic, |
| 237 | digest, &secrets->extracted_early, "c e traffic", context)) | 263 | secrets->digest, &secrets->extracted_early, "c e traffic", |
| 264 | context)) | ||
| 238 | return 0; | 265 | return 0; |
| 239 | |||
| 240 | if (!tls13_derive_secret(&secrets->early_exporter_master, | 266 | if (!tls13_derive_secret(&secrets->early_exporter_master, |
| 241 | digest, &secrets->extracted_early, "e exp master", context)) | 267 | secrets->digest, &secrets->extracted_early, "e exp master", |
| 268 | context)) | ||
| 242 | return 0; | 269 | return 0; |
| 243 | |||
| 244 | if (!tls13_derive_secret(&secrets->derived_early, | 270 | if (!tls13_derive_secret(&secrets->derived_early, |
| 245 | digest, &secrets->extracted_early, "derived", context)) | 271 | secrets->digest, &secrets->extracted_early, "derived", |
| 272 | &secrets->empty_hash)) | ||
| 246 | return 0; | 273 | return 0; |
| 247 | 274 | ||
| 248 | /* RFC 8446 recommends */ | 275 | /* RFC 8446 recommends */ |
| @@ -255,7 +282,7 @@ tls13_derive_early_secrets(struct tls13_secrets *secrets, const EVP_MD *digest, | |||
| 255 | 282 | ||
| 256 | int | 283 | int |
| 257 | tls13_derive_handshake_secrets(struct tls13_secrets *secrets, | 284 | tls13_derive_handshake_secrets(struct tls13_secrets *secrets, |
| 258 | const EVP_MD *digest, const uint8_t *ecdhe, size_t ecdhe_len, | 285 | const uint8_t *ecdhe, size_t ecdhe_len, |
| 259 | const struct tls13_secret *context) | 286 | const struct tls13_secret *context) |
| 260 | { | 287 | { |
| 261 | if (!secrets->init_done || !secrets->early_done || | 288 | if (!secrets->init_done || !secrets->early_done || |
| @@ -263,8 +290,8 @@ tls13_derive_handshake_secrets(struct tls13_secrets *secrets, | |||
| 263 | return 0; | 290 | return 0; |
| 264 | 291 | ||
| 265 | if (!HKDF_extract(secrets->extracted_handshake.data, | 292 | if (!HKDF_extract(secrets->extracted_handshake.data, |
| 266 | &secrets->extracted_handshake.len, | 293 | &secrets->extracted_handshake.len, secrets->digest, |
| 267 | digest, ecdhe, ecdhe_len, secrets->derived_early.data, | 294 | ecdhe, ecdhe_len, secrets->derived_early.data, |
| 268 | secrets->derived_early.len)) | 295 | secrets->derived_early.len)) |
| 269 | return 0; | 296 | return 0; |
| 270 | 297 | ||
| @@ -277,36 +304,40 @@ tls13_derive_handshake_secrets(struct tls13_secrets *secrets, | |||
| 277 | secrets->derived_early.len); | 304 | secrets->derived_early.len); |
| 278 | 305 | ||
| 279 | if (!tls13_derive_secret(&secrets->client_handshake_traffic, | 306 | if (!tls13_derive_secret(&secrets->client_handshake_traffic, |
| 280 | digest, &secrets->extracted_handshake, "c hs traffic", context)) | 307 | secrets->digest, &secrets->extracted_handshake, "c hs traffic", |
| 308 | context)) | ||
| 281 | return 0; | 309 | return 0; |
| 282 | if (!tls13_derive_secret(&secrets->server_handshake_traffic, | 310 | if (!tls13_derive_secret(&secrets->server_handshake_traffic, |
| 283 | digest, &secrets->extracted_handshake, "s hs traffic", context)) | 311 | secrets->digest, &secrets->extracted_handshake, "s hs traffic", |
| 312 | context)) | ||
| 284 | return 0; | 313 | return 0; |
| 285 | if (!tls13_derive_secret(&secrets->derived_handshake, | 314 | if (!tls13_derive_secret(&secrets->derived_handshake, |
| 286 | digest, &secrets->extracted_handshake, "derived", context)) | 315 | secrets->digest, &secrets->extracted_handshake, "derived", |
| 316 | context)) | ||
| 287 | return 0; | 317 | return 0; |
| 288 | 318 | ||
| 289 | /* RFC 8446 recommends */ | 319 | /* RFC 8446 recommends */ |
| 290 | if (!secrets->insecure) | 320 | if (!secrets->insecure) |
| 291 | explicit_bzero(secrets->extracted_handshake.data, | 321 | explicit_bzero(secrets->extracted_handshake.data, |
| 292 | secrets->extracted_handshake.len); | 322 | secrets->extracted_handshake.len); |
| 323 | |||
| 293 | secrets->handshake_done = 1; | 324 | secrets->handshake_done = 1; |
| 325 | |||
| 294 | return 1; | 326 | return 1; |
| 295 | } | 327 | } |
| 296 | 328 | ||
| 297 | int | 329 | int |
| 298 | tls13_derive_application_secrets(struct tls13_secrets *secrets, | 330 | tls13_derive_application_secrets(struct tls13_secrets *secrets, |
| 299 | const EVP_MD *digest, const struct tls13_secret *context) | 331 | const struct tls13_secret *context) |
| 300 | { | 332 | { |
| 301 | if (!secrets->init_done || !secrets->early_done || | 333 | if (!secrets->init_done || !secrets->early_done || |
| 302 | !secrets->handshake_done || secrets->schedule_done) | 334 | !secrets->handshake_done || secrets->schedule_done) |
| 303 | return 0; | 335 | return 0; |
| 304 | 336 | ||
| 305 | if (!HKDF_extract(secrets->extracted_master.data, | 337 | if (!HKDF_extract(secrets->extracted_master.data, |
| 306 | &secrets->extracted_master.len, | 338 | &secrets->extracted_master.len, secrets->digest, |
| 307 | digest, secrets->zeros.data, secrets->zeros.len, // XXX ? | 339 | secrets->zeros.data, secrets->zeros.len, |
| 308 | secrets->derived_handshake.data, | 340 | secrets->derived_handshake.data, secrets->derived_handshake.len)) |
| 309 | secrets->derived_handshake.len)) | ||
| 310 | return 0; | 341 | return 0; |
| 311 | 342 | ||
| 312 | if (secrets->extracted_master.len != secrets->zeros.len) | 343 | if (secrets->extracted_master.len != secrets->zeros.len) |
| @@ -318,58 +349,52 @@ tls13_derive_application_secrets(struct tls13_secrets *secrets, | |||
| 318 | secrets->derived_handshake.len); | 349 | secrets->derived_handshake.len); |
| 319 | 350 | ||
| 320 | if (!tls13_derive_secret(&secrets->client_application_traffic, | 351 | if (!tls13_derive_secret(&secrets->client_application_traffic, |
| 321 | digest, &secrets->extracted_master, "c ap traffic", context)) | 352 | secrets->digest, &secrets->extracted_master, "c ap traffic", |
| 353 | context)) | ||
| 322 | return 0; | 354 | return 0; |
| 323 | if (!tls13_derive_secret(&secrets->server_application_traffic, | 355 | if (!tls13_derive_secret(&secrets->server_application_traffic, |
| 324 | digest, &secrets->extracted_master, "s ap traffic", context)) | 356 | secrets->digest, &secrets->extracted_master, "s ap traffic", |
| 357 | context)) | ||
| 325 | return 0; | 358 | return 0; |
| 326 | if (!tls13_derive_secret(&secrets->exporter_master, | 359 | if (!tls13_derive_secret(&secrets->exporter_master, |
| 327 | digest, &secrets->extracted_master, "exp master", context)) | 360 | secrets->digest, &secrets->extracted_master, "exp master", |
| 361 | context)) | ||
| 328 | return 0; | 362 | return 0; |
| 329 | if (!tls13_derive_secret(&secrets->resumption_master, | 363 | if (!tls13_derive_secret(&secrets->resumption_master, |
| 330 | digest, &secrets->extracted_master, "res master", context)) | 364 | secrets->digest, &secrets->extracted_master, "res master", |
| 365 | context)) | ||
| 331 | return 0; | 366 | return 0; |
| 332 | 367 | ||
| 333 | /* RFC 8446 recommends */ | 368 | /* RFC 8446 recommends */ |
| 334 | if (!secrets->insecure) | 369 | if (!secrets->insecure) |
| 335 | explicit_bzero(secrets->extracted_master.data, | 370 | explicit_bzero(secrets->extracted_master.data, |
| 336 | secrets->extracted_master.len); | 371 | secrets->extracted_master.len); |
| 372 | |||
| 337 | secrets->schedule_done = 1; | 373 | secrets->schedule_done = 1; |
| 374 | |||
| 338 | return 1; | 375 | return 1; |
| 339 | } | 376 | } |
| 340 | 377 | ||
| 341 | int | 378 | int |
| 342 | tls13_update_client_traffic_secret(struct tls13_secrets *secrets, | 379 | tls13_update_client_traffic_secret(struct tls13_secrets *secrets) |
| 343 | const EVP_MD *digest) | ||
| 344 | { | 380 | { |
| 345 | const struct tls13_secret empty = { | ||
| 346 | .data = "", | ||
| 347 | .len = 0, | ||
| 348 | }; | ||
| 349 | |||
| 350 | if (!secrets->init_done || !secrets->early_done || | 381 | if (!secrets->init_done || !secrets->early_done || |
| 351 | !secrets->handshake_done || !secrets->schedule_done) | 382 | !secrets->handshake_done || !secrets->schedule_done) |
| 352 | return 0; | 383 | return 0; |
| 353 | 384 | ||
| 354 | return tls13_hkdf_expand_label(&secrets->client_application_traffic, | 385 | return tls13_hkdf_expand_label(&secrets->client_application_traffic, |
| 355 | digest, &secrets->client_application_traffic, "traffic upd", | 386 | secrets->digest, &secrets->client_application_traffic, |
| 356 | &empty); | 387 | "traffic upd", &secrets->empty_hash); |
| 357 | } | 388 | } |
| 358 | 389 | ||
| 359 | int | 390 | int |
| 360 | tls13_update_server_traffic_secret(struct tls13_secrets *secrets, | 391 | tls13_update_server_traffic_secret(struct tls13_secrets *secrets) |
| 361 | const EVP_MD *digest) | ||
| 362 | { | 392 | { |
| 363 | const struct tls13_secret empty = { | ||
| 364 | .data = "", | ||
| 365 | .len = 0, | ||
| 366 | }; | ||
| 367 | |||
| 368 | if (!secrets->init_done || !secrets->early_done || | 393 | if (!secrets->init_done || !secrets->early_done || |
| 369 | !secrets->handshake_done || !secrets->schedule_done) | 394 | !secrets->handshake_done || !secrets->schedule_done) |
| 370 | return 0; | 395 | return 0; |
| 371 | 396 | ||
| 372 | return tls13_hkdf_expand_label(&secrets->server_application_traffic, | 397 | return tls13_hkdf_expand_label(&secrets->server_application_traffic, |
| 373 | digest, &secrets->server_application_traffic, "traffic upd", | 398 | secrets->digest, &secrets->server_application_traffic, |
| 374 | &empty); | 399 | "traffic upd", &secrets->empty_hash); |
| 375 | } | 400 | } |