/* Copyright (c) 2016, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include <openssl/ssl.h> #include <assert.h> #include <string.h> #include <algorithm> #include <utility> #include <openssl/aead.h> #include <openssl/bytestring.h> #include <openssl/digest.h> #include <openssl/hkdf.h> #include <openssl/hmac.h> #include <openssl/mem.h> #include "../crypto/fipsmodule/tls/internal.h" #include "../crypto/internal.h" #include "internal.h" BSSL_NAMESPACE_BEGIN static bool init_key_schedule(SSL_HANDSHAKE *hs, SSLTranscript *transcript, uint16_t version, const SSL_CIPHER *cipher) { … } static bool hkdf_extract_to_secret(SSL_HANDSHAKE *hs, const SSLTranscript &transcript, Span<const uint8_t> in) { … } bool tls13_init_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> psk) { … } bool tls13_init_early_key_schedule(SSL_HANDSHAKE *hs, const SSL_SESSION *session) { … } static Span<const char> label_to_span(const char *label) { … } static bool hkdf_expand_label_with_prefix(Span<uint8_t> out, const EVP_MD *digest, Span<const uint8_t> secret, Span<const uint8_t> label_prefix, Span<const char> label, Span<const uint8_t> hash) { … } static bool hkdf_expand_label(Span<uint8_t> out, const EVP_MD *digest, Span<const uint8_t> secret, Span<const char> label, Span<const uint8_t> hash, bool is_dtls) { … } static const char kTLS13LabelDerived[] = …; bool tls13_advance_key_schedule(SSL_HANDSHAKE *hs, Span<const uint8_t> in) { … } // derive_secret_with_transcript derives a secret of length |out.size()| and // writes the result in |out| with the given label, the current base secret, and // the state of |transcript|. It returns true on success and false on error. static bool derive_secret_with_transcript(const SSL_HANDSHAKE *hs, Span<uint8_t> out, const SSLTranscript &transcript, Span<const char> label) { … } static bool derive_secret(SSL_HANDSHAKE *hs, Span<uint8_t> out, Span<const char> label) { … } bool tls13_set_traffic_key(SSL *ssl, enum ssl_encryption_level_t level, enum evp_aead_direction_t direction, const SSL_SESSION *session, Span<const uint8_t> traffic_secret) { … } static const char kTLS13LabelExporter[] = …; static const char kTLS13LabelClientEarlyTraffic[] = …; static const char kTLS13LabelClientHandshakeTraffic[] = …; static const char kTLS13LabelServerHandshakeTraffic[] = …; static const char kTLS13LabelClientApplicationTraffic[] = …; static const char kTLS13LabelServerApplicationTraffic[] = …; bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) { … } bool tls13_derive_handshake_secrets(SSL_HANDSHAKE *hs) { … } bool tls13_derive_application_secrets(SSL_HANDSHAKE *hs) { … } static const char kTLS13LabelApplicationTraffic[] = …; bool tls13_rotate_traffic_key(SSL *ssl, enum evp_aead_direction_t direction) { … } static const char kTLS13LabelResumption[] = …; bool tls13_derive_resumption_secret(SSL_HANDSHAKE *hs) { … } static const char kTLS13LabelFinished[] = …; // tls13_verify_data sets |out| to be the HMAC of |context| using a derived // Finished key for both Finished messages and the PSK binder. |out| must have // space available for |EVP_MAX_MD_SIZE| bytes. static bool tls13_verify_data(uint8_t *out, size_t *out_len, const EVP_MD *digest, uint16_t version, Span<const uint8_t> secret, Span<const uint8_t> context, bool is_dtls) { … } bool tls13_finished_mac(SSL_HANDSHAKE *hs, uint8_t *out, size_t *out_len, bool is_server) { … } static const char kTLS13LabelResumptionPSK[] = …; bool tls13_derive_session_psk(SSL_SESSION *session, Span<const uint8_t> nonce, bool is_dtls) { … } static const char kTLS13LabelExportKeying[] = …; bool tls13_export_keying_material(SSL *ssl, Span<uint8_t> out, Span<const uint8_t> secret, Span<const char> label, Span<const uint8_t> context) { … } static const char kTLS13LabelPSKBinder[] = …; static bool tls13_psk_binder(uint8_t *out, size_t *out_len, const SSL_SESSION *session, const SSLTranscript &transcript, Span<const uint8_t> client_hello, size_t binders_len, bool is_dtls) { … } bool tls13_write_psk_binder(const SSL_HANDSHAKE *hs, const SSLTranscript &transcript, Span<uint8_t> msg, size_t *out_binder_len) { … } bool tls13_verify_psk_binder(const SSL_HANDSHAKE *hs, const SSL_SESSION *session, const SSLMessage &msg, CBS *binders) { … } size_t ssl_ech_confirmation_signal_hello_offset(const SSL *ssl) { … } bool ssl_ech_accept_confirmation(const SSL_HANDSHAKE *hs, Span<uint8_t> out, Span<const uint8_t> client_random, const SSLTranscript &transcript, bool is_hrr, Span<const uint8_t> msg, size_t offset) { … } BSSL_NAMESPACE_END
Codebase Browser
chromium