Moving transcript and PRF functions to SSL_TRANSCRIPT.
Change-Id: I98903df561bbf8c5739f892d2ad5e89ac0eb8e6f
Reviewed-on: https://boringssl-review.googlesource.com/13369
Reviewed-by: Steven Valdez <svaldez@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index ea9dce8..4d140e3 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -29,28 +29,25 @@
int tls13_init_key_schedule(SSL_HANDSHAKE *hs) {
- SSL *const ssl = hs->ssl;
- const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));
+ if (!SSL_TRANSCRIPT_init_hash(&hs->transcript, ssl3_protocol_version(hs->ssl),
+ hs->ssl->s3->tmp.new_cipher->algorithm_prf)) {
+ return 0;
+ }
- hs->hash_len = EVP_MD_size(digest);
+
+ hs->hash_len = SSL_TRANSCRIPT_digest_len(&hs->transcript);
/* Initialize the secret to the zero key. */
OPENSSL_memset(hs->secret, 0, hs->hash_len);
- /* Initialize the rolling hashes and release the handshake buffer. */
- if (!ssl3_init_handshake_hash(ssl)) {
- return 0;
- }
- ssl3_free_handshake_buffer(ssl);
+ SSL_TRANSCRIPT_free_buffer(&hs->transcript);
return 1;
}
int tls13_advance_key_schedule(SSL_HANDSHAKE *hs, const uint8_t *in,
size_t len) {
- const EVP_MD *digest =
- ssl_get_handshake_digest(ssl_get_algorithm_prf(hs->ssl));
-
- return HKDF_extract(hs->secret, &hs->hash_len, digest, in, len, hs->secret,
+ return HKDF_extract(hs->secret, &hs->hash_len,
+ SSL_TRANSCRIPT_md(&hs->transcript), in, len, hs->secret,
hs->hash_len);
}
@@ -83,35 +80,21 @@
return ret;
}
-int tls13_get_context_hash(SSL *ssl, uint8_t *out, size_t *out_len) {
- EVP_MD_CTX ctx;
- EVP_MD_CTX_init(&ctx);
- unsigned handshake_len = 0;
- int ok = EVP_MD_CTX_copy_ex(&ctx, &ssl->s3->handshake_hash) &&
- EVP_DigestFinal_ex(&ctx, out, &handshake_len);
- EVP_MD_CTX_cleanup(&ctx);
- if (ok) {
- *out_len = handshake_len;
- }
- return ok;
-}
-
/* derive_secret derives a secret of length |len| and writes the result in |out|
* with the given label and the current base secret and most recently-saved
* handshake context. It returns one on success and zero on error. */
static int derive_secret(SSL_HANDSHAKE *hs, uint8_t *out, size_t len,
const uint8_t *label, size_t label_len) {
- SSL *const ssl = hs->ssl;
- const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));
-
uint8_t context_hash[EVP_MAX_MD_SIZE];
size_t context_hash_len;
- if (!tls13_get_context_hash(ssl, context_hash, &context_hash_len)) {
+ if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, context_hash,
+ &context_hash_len)) {
return 0;
}
- return hkdf_expand_label(out, digest, hs->secret, hs->hash_len, label,
- label_len, context_hash, context_hash_len, len);
+ return hkdf_expand_label(out, SSL_TRANSCRIPT_md(&hs->transcript), hs->secret,
+ hs->hash_len, label, label_len, context_hash,
+ context_hash_len, len);
}
int tls13_set_traffic_key(SSL *ssl, enum evp_aead_direction_t direction,
@@ -124,7 +107,6 @@
/* Look up cipher suite properties. */
const EVP_AEAD *aead;
- const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));
size_t discard;
if (!ssl_cipher_get_evp_aead(&aead, &discard, &discard,
SSL_get_session(ssl)->cipher,
@@ -132,6 +114,9 @@
return 0;
}
+ const EVP_MD *digest = ssl_get_handshake_digest(
+ SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));
+
/* Derive the key. */
size_t key_len = EVP_AEAD_key_length(aead);
uint8_t key[EVP_AEAD_MAX_KEY_LENGTH];
@@ -226,7 +211,8 @@
"application traffic secret";
int tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) {
- const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));
+ const EVP_MD *digest = ssl_get_handshake_digest(
+ SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));
uint8_t *secret;
size_t secret_len;
@@ -287,7 +273,6 @@
int tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len,
int is_server) {
SSL *const ssl = hs->ssl;
- const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));
const uint8_t *traffic_secret;
if (is_server == ssl->server) {
@@ -298,9 +283,11 @@
uint8_t context_hash[EVP_MAX_MD_SIZE];
size_t context_hash_len;
- if (!tls13_get_context_hash(ssl, context_hash, &context_hash_len) ||
- !tls13_verify_data(digest, out, out_len, traffic_secret, hs->hash_len,
- context_hash, context_hash_len)) {
+ if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, context_hash,
+ &context_hash_len) ||
+ !tls13_verify_data(SSL_TRANSCRIPT_md(&hs->transcript), out, out_len,
+ traffic_secret, hs->hash_len, context_hash,
+ context_hash_len)) {
return 0;
}
return 1;
@@ -310,7 +297,8 @@
const char *label, size_t label_len,
const uint8_t *context, size_t context_len,
int use_context) {
- const EVP_MD *digest = ssl_get_handshake_digest(ssl_get_algorithm_prf(ssl));
+ const EVP_MD *digest = ssl_get_handshake_digest(
+ SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));
const uint8_t *hash = NULL;
size_t hash_len = 0;
@@ -325,8 +313,8 @@
static const char kTLS13LabelPSKBinder[] = "resumption psk binder key";
-static int tls13_psk_binder(SSL *ssl, uint8_t *out, const EVP_MD *digest,
- uint8_t *psk, size_t psk_len, uint8_t *context,
+static int tls13_psk_binder(uint8_t *out, const EVP_MD *digest, uint8_t *psk,
+ size_t psk_len, uint8_t *context,
size_t context_len, size_t hash_len) {
uint8_t binder_context[EVP_MAX_MD_SIZE];
unsigned binder_context_len;
@@ -355,9 +343,13 @@
return 1;
}
-int tls13_write_psk_binder(SSL *ssl, uint8_t *msg, size_t len) {
- const EVP_MD *digest =
- ssl_get_handshake_digest(ssl->session->cipher->algorithm_prf);
+int tls13_write_psk_binder(SSL_HANDSHAKE *hs, uint8_t *msg, size_t len) {
+ SSL *const ssl = hs->ssl;
+ const EVP_MD *digest = SSL_SESSION_get_digest(ssl->session, ssl);
+ if (digest == NULL) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
size_t hash_len = EVP_MD_size(digest);
if (len < hash_len + 3) {
@@ -370,8 +362,8 @@
uint8_t context[EVP_MAX_MD_SIZE];
unsigned context_len;
if (!EVP_DigestInit_ex(&ctx, digest, NULL) ||
- !EVP_DigestUpdate(&ctx, ssl->s3->handshake_buffer->data,
- ssl->s3->handshake_buffer->length) ||
+ !EVP_DigestUpdate(&ctx, hs->transcript.buffer->data,
+ hs->transcript.buffer->length) ||
!EVP_DigestUpdate(&ctx, msg, len - hash_len - 3) ||
!EVP_DigestFinal_ex(&ctx, context, &context_len)) {
EVP_MD_CTX_cleanup(&ctx);
@@ -381,9 +373,9 @@
EVP_MD_CTX_cleanup(&ctx);
uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};
- if (!tls13_psk_binder(ssl, verify_data, digest, ssl->session->master_key,
- ssl->session->master_key_length, context,
- context_len, hash_len)) {
+ if (!tls13_psk_binder(verify_data, digest, ssl->session->master_key,
+ ssl->session->master_key_length, context, context_len,
+ hash_len)) {
return 0;
}
@@ -391,16 +383,14 @@
return 1;
}
-int tls13_verify_psk_binder(SSL *ssl, SSL_SESSION *session,
+int tls13_verify_psk_binder(SSL_HANDSHAKE *hs, SSL_SESSION *session,
CBS *binders) {
- const EVP_MD *digest =
- ssl_get_handshake_digest(session->cipher->algorithm_prf);
- size_t hash_len = EVP_MD_size(digest);
+ size_t hash_len = SSL_TRANSCRIPT_digest_len(&hs->transcript);
/* Get the full ClientHello, including message header. It must be large enough
* to exclude the binders. */
CBS message;
- ssl->method->get_current_message(ssl, &message);
+ hs->ssl->method->get_current_message(hs->ssl, &message);
if (CBS_len(&message) < CBS_len(binders) + 2) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
@@ -411,23 +401,25 @@
uint8_t context[EVP_MAX_MD_SIZE];
unsigned context_len;
if (!EVP_Digest(CBS_data(&message), CBS_len(&message) - CBS_len(binders) - 2,
- context, &context_len, digest, NULL)) {
+ context, &context_len, SSL_TRANSCRIPT_md(&hs->transcript),
+ NULL)) {
return 0;
}
uint8_t verify_data[EVP_MAX_MD_SIZE] = {0};
CBS binder;
- if (!tls13_psk_binder(ssl, verify_data, digest, session->master_key,
- session->master_key_length, context, context_len,
- hash_len) ||
+ if (!tls13_psk_binder(verify_data, SSL_TRANSCRIPT_md(&hs->transcript),
+ session->master_key, session->master_key_length,
+ context, context_len, hash_len) ||
/* We only consider the first PSK, so compare against the first binder. */
!CBS_get_u8_length_prefixed(binders, &binder)) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
- int binder_ok = CBS_len(&binder) == hash_len &&
- CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;
+ int binder_ok =
+ CBS_len(&binder) == hash_len &&
+ CRYPTO_memcmp(CBS_data(&binder), verify_data, hash_len) == 0;
#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
binder_ok = 1;
#endif