Line | Source | Count |
1 | | - |
2 | | - |
3 | | - |
4 | | - |
5 | | - |
6 | | - |
7 | | - |
8 | | - |
9 | | - |
10 | #include <stdlib.h> | - |
11 | #include "ssl_locl.h" | - |
12 | #include "internal/cryptlib.h" | - |
13 | #include <openssl/evp.h> | - |
14 | #include <openssl/kdf.h> | - |
15 | | - |
/*
 * Space reserved for the caller-supplied label when tls13_hkdf_expand()
 * sizes its on-stack HkdfLabel buffer. The "tls13 " prefix is accounted for
 * separately in that size calculation.
 */
#define TLS13_MAX_LABEL_LEN 246

/*
 * Read-only block of EVP_MAX_MD_SIZE zero bytes. tls13_generate_secret()
 * substitutes it when the caller passes no input secret or no previous
 * secret. The initialiser only spells out the zero fill that static storage
 * already guarantees.
 */
static const unsigned char default_zeros[EVP_MAX_MD_SIZE] = { 0 };
20 | | - |
21 | | - |
22 | | - |
23 | | - |
24 | | - |
25 | | - |
26 | | - |
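/*
 * Run HKDF-Expand with digest |md| over |secret| and write |outlen| bytes of
 * output to |out|.
 *
 * The HKDF "info" input is serialised into a fixed on-stack buffer as:
 *   - a 16-bit output length (|outlen|),
 *   - an 8-bit length-prefixed label made of "tls13 " followed by |label|
 *     (|labellen| bytes, no NUL),
 *   - an 8-bit length-prefixed context taken from |data| (|datalen| bytes);
 *     a NULL |data| is encoded as an empty context.
 *
 * |secret| is always read as one digest-length of key material
 * (EVP_MD_size(md) bytes), so the caller's buffer must be at least that long.
 *
 * Returns 1 on success and 0 on failure. Every failure path in this function
 * reports through SSLfatal().
 *
 * NOTE(review): in the coverage run this listing was taken from (27761 calls
 * through libssl.so.1.1 and tls13secretstest) no failure branch of this
 * function was ever taken, so the error handling below is untested there.
 */
int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
                      const unsigned char *label, size_t labellen,
                      const unsigned char *data, size_t datalen,
                      unsigned char *out, size_t outlen)
{
    const unsigned char label_prefix[] = "tls13 ";
    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
    int ret;
    int hashleni;
    size_t hkdflabellen;
    size_t hashlen;
    /*
     * Scratch space for the serialised info block. All writes go through a
     * WPACKET initialised over exactly this buffer, so an over-long label or
     * context makes serialisation fail instead of writing past the end.
     */
    unsigned char hkdflabel[sizeof(uint16_t) + sizeof(uint8_t)
                            + sizeof(label_prefix) + TLS13_MAX_LABEL_LEN
                            + EVP_MAX_MD_SIZE];
    WPACKET pkt;

    if (pctx == NULL) {
        /*
         * Report allocation failure like every other failure path here;
         * callers in this file return without raising their own error.
         */
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /*
     * EVP_MD_size() returns an int; reject a negative result before it is
     * converted to size_t and used as the HKDF key length. This mirrors the
     * check done in tls13_generate_secret() and derive_secret_key_and_iv().
     */
    hashleni = EVP_MD_size(md);
    if (!ossl_assert(hashleni >= 0)) {
        EVP_PKEY_CTX_free(pctx);
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }
    hashlen = (size_t)hashleni;

    if (!WPACKET_init_static_len(&pkt, hkdflabel, sizeof(hkdflabel), 0)
            || !WPACKET_put_bytes_u16(&pkt, outlen)
            || !WPACKET_start_sub_packet_u8(&pkt)
            || !WPACKET_memcpy(&pkt, label_prefix, sizeof(label_prefix) - 1)
            || !WPACKET_memcpy(&pkt, label, labellen)
            || !WPACKET_close(&pkt)
            || !WPACKET_sub_memcpy_u8(&pkt, data, (data == NULL) ? 0 : datalen)
            || !WPACKET_get_total_written(&pkt, &hkdflabellen)
            || !WPACKET_finish(&pkt)) {
        EVP_PKEY_CTX_free(pctx);
        WPACKET_cleanup(&pkt);
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    /* ret ends up non-zero if any step of the derivation failed. */
    ret = EVP_PKEY_derive_init(pctx) <= 0
            || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY)
               <= 0
            || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0
            || EVP_PKEY_CTX_set1_hkdf_key(pctx, secret, hashlen) <= 0
            || EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdflabel, hkdflabellen) <= 0
            || EVP_PKEY_derive(pctx, out, &outlen) <= 0;

    EVP_PKEY_CTX_free(pctx);

    if (ret != 0)
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_HKDF_EXPAND,
                 ERR_R_INTERNAL_ERROR);

    return ret == 0;
}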
83 | | - |
84 | | - |
85 | | - |
86 | | - |
87 | | - |
/*
 * Expand |secret| into |keylen| bytes of key material in |key|, using the
 * label "key" and an empty context. The result is whatever
 * tls13_hkdf_expand() returns (1 on success, 0 on failure).
 */
int tls13_derive_key(SSL *s, const EVP_MD *md, const unsigned char *secret,
                     unsigned char *key, size_t keylen)
{
    static const unsigned char label_text[] = "key";
    /* The label is sent without its terminating NUL. */
    const size_t label_size = sizeof(label_text) - 1;

    return tls13_hkdf_expand(s, md, secret, label_text, label_size,
                             NULL, 0, key, keylen);
}
96 | | - |
97 | | - |
98 | | - |
99 | | - |
100 | | - |
/*
 * Expand |secret| into |ivlen| bytes of IV material in |iv|, using the label
 * "iv" and an empty context. The result is whatever tls13_hkdf_expand()
 * returns (1 on success, 0 on failure).
 */
int tls13_derive_iv(SSL *s, const EVP_MD *md, const unsigned char *secret,
                    unsigned char *iv, size_t ivlen)
{
    static const unsigned char label_text[] = "iv";
    /* The label is sent without its terminating NUL. */
    const size_t label_size = sizeof(label_text) - 1;

    return tls13_hkdf_expand(s, md, secret, label_text, label_size,
                             NULL, 0, iv, ivlen);
}
109 | | - |
/*
 * Expand |secret| into |finlen| bytes in |fin|, using the label "finished"
 * and an empty context. tls13_final_finish_mac() uses the output as an HMAC
 * key. The result is whatever tls13_hkdf_expand() returns (1 on success,
 * 0 on failure).
 */
int tls13_derive_finishedkey(SSL *s, const EVP_MD *md,
                             const unsigned char *secret,
                             unsigned char *fin, size_t finlen)
{
    static const unsigned char label_text[] = "finished";
    /* The label is sent without its terminating NUL. */
    const size_t label_size = sizeof(label_text) - 1;

    return tls13_hkdf_expand(s, md, secret, label_text, label_size,
                             NULL, 0, fin, finlen);
}
119 | | - |
120 | | - |
121 | | - |
122 | | - |
123 | | - |
124 | | - |
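/*
 * Derive the next secret in the chain with HKDF-Extract and store one
 * digest-length of output in |outsecret|.
 *
 *   - |insecret| / |insecretlen| is the HKDF input key material. A NULL
 *     |insecret| is replaced by a digest-length block of zeros.
 *   - |prevsecret| feeds the salt. When it is NULL the salt is empty.
 *     Otherwise the salt is first computed with tls13_hkdf_expand() over
 *     |prevsecret| using the label "derived" and the digest of the empty
 *     string as context.
 *
 * Returns 1 on success, 0 on failure.
 *
 * NOTE(review): in the coverage run this listing was taken from (4462 calls)
 * none of the failure branches below was ever taken.
 */
int tls13_generate_secret(SSL *s, const EVP_MD *md,
                          const unsigned char *prevsecret,
                          const unsigned char *insecret,
                          size_t insecretlen,
                          unsigned char *outsecret)
{
    size_t mdlen, prevsecretlen;
    int mdleni;
    int ret;
    EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
    static const char derived_secret_label[] = "derived";
    unsigned char preextractsec[EVP_MAX_MD_SIZE];

    if (pctx == NULL) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
                 ERR_R_INTERNAL_ERROR);
        return 0;
    }

    mdleni = EVP_MD_size(md);
    /* Make sure the conversion to size_t below is safe. */
    if (!ossl_assert(mdleni >= 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
                 ERR_R_INTERNAL_ERROR);
        /* pctx is already allocated at this point; do not leak it. */
        EVP_PKEY_CTX_free(pctx);
        return 0;
    }
    mdlen = (size_t)mdleni;

    if (insecret == NULL) {
        insecret = default_zeros;
        insecretlen = mdlen;
    }
    if (prevsecret == NULL) {
        prevsecret = default_zeros;
        prevsecretlen = 0;
    } else {
        EVP_MD_CTX *mctx = EVP_MD_CTX_new();
        unsigned char hash[EVP_MAX_MD_SIZE];

        /* No update call: this is the digest of the empty string. */
        if (mctx == NULL
                || EVP_DigestInit_ex(mctx, md, NULL) <= 0
                || EVP_DigestFinal_ex(mctx, hash, NULL) <= 0) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
                     ERR_R_INTERNAL_ERROR);
            EVP_MD_CTX_free(mctx);
            EVP_PKEY_CTX_free(pctx);
            return 0;
        }
        EVP_MD_CTX_free(mctx);

        /* Compute the salt for the extract step from the previous secret. */
        if (!tls13_hkdf_expand(s, md, prevsecret,
                               (const unsigned char *)derived_secret_label,
                               sizeof(derived_secret_label) - 1, hash, mdlen,
                               preextractsec, mdlen)) {
            /*
             * The helper is expected to have reported the failure. The
             * scratch buffer may hold partial output, so wipe it first.
             */
            OPENSSL_cleanse(preextractsec, sizeof(preextractsec));
            EVP_PKEY_CTX_free(pctx);
            return 0;
        }

        prevsecret = preextractsec;
        prevsecretlen = mdlen;
    }

    /* ret ends up non-zero if any step of the extraction failed. */
    ret = EVP_PKEY_derive_init(pctx) <= 0
            || EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY)
               <= 0
            || EVP_PKEY_CTX_set_hkdf_md(pctx, md) <= 0
            || EVP_PKEY_CTX_set1_hkdf_key(pctx, insecret, insecretlen) <= 0
            || EVP_PKEY_CTX_set1_hkdf_salt(pctx, prevsecret, prevsecretlen)
               <= 0
            || EVP_PKEY_derive(pctx, outsecret, &mdlen)
               <= 0;

    if (ret != 0)
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_GENERATE_SECRET,
                 ERR_R_INTERNAL_ERROR);

    EVP_PKEY_CTX_free(pctx);
    /*
     * Wipe the whole scratch buffer rather than |mdlen| bytes: the derive
     * call above receives &mdlen and may have rewritten it.
     */
    if (prevsecret == preextractsec)
        OPENSSL_cleanse(preextractsec, sizeof(preextractsec));
    return ret == 0;
}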
209 | | - |
210 | | - |
211 | | - |
212 | | - |
213 | | - |
214 | | - |
/*
 * Derive the handshake secret for |s| from its early secret and the supplied
 * input secret (|insecret|, |insecretlen|), storing the result in
 * s->handshake_secret. Uses the connection's handshake digest. Returns the
 * result of tls13_generate_secret() (1 on success, 0 on failure).
 */
int tls13_generate_handshake_secret(SSL *s, const unsigned char *insecret,
                                    size_t insecretlen)
{
    const EVP_MD *handshake_md = ssl_handshake_md(s);
    unsigned char *dest = (unsigned char *)&s->handshake_secret;

    return tls13_generate_secret(s, handshake_md, s->early_secret,
                                 insecret, insecretlen, dest);
}
223 | | - |
224 | | - |
225 | | - |
226 | | - |
227 | | - |
228 | | - |
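/*
 * Derive the master secret into |out| from the previous secret |prev|, with
 * no additional input secret, and report the secret length (the handshake
 * digest size) through |secret_size|.
 *
 * |prevlen| is not read by this function.
 *
 * Returns the result of tls13_generate_secret() (1 on success, 0 on failure).
 */
int tls13_generate_master_secret(SSL *s, unsigned char *out,
                                 unsigned char *prev, size_t prevlen,
                                 size_t *secret_size)
{
    const EVP_MD *md = ssl_handshake_md(s);
    int mdleni = EVP_MD_size(md);

    /*
     * EVP_MD_size() returns an int. A negative result is reported as length 0
     * rather than being converted to a huge size_t. tls13_generate_secret()
     * queries the digest size again and fails with SSLfatal() in that case,
     * so the error is still raised.
     */
    *secret_size = (mdleni < 0) ? 0 : (size_t)mdleni;

    return tls13_generate_secret(s, md, prev, NULL, 0, out);
}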
239 | | - |
240 | | - |
241 | | - |
242 | | - |
243 | | - |
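/*
 * Compute the Finished MAC for |s| into |out|: an HMAC, keyed with the
 * relevant finished secret, over the current handshake hash.
 *
 * Key selection:
 *   - |str| is the method's server_finished_label: server finished secret.
 *     This compares pointer identity, not string contents.
 *   - otherwise, during the first handshake: client finished secret.
 *   - otherwise: a finished key derived on the fly from the client
 *     application traffic secret.
 *
 * |slen| is not read by this function. |out| presumably has to hold at least
 * one digest-length of output; confirm against callers.
 *
 * Returns the MAC length on success and 0 on failure.
 *
 * NOTE(review): in the coverage run this listing was taken from (2614 calls)
 * none of the failure branches below was ever taken.
 */
size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
                             unsigned char *out)
{
    const EVP_MD *md = ssl_handshake_md(s);
    unsigned char hash[EVP_MAX_MD_SIZE];
    size_t hashlen, ret = 0;
    EVP_PKEY *key = NULL;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();

    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
        /* No SSLfatal() here: the callee is expected to report its error. */
        goto err;
    }

    if (str == s->method->ssl3_enc->server_finished_label) {
        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                           s->server_finished_secret, hashlen);
    } else if (SSL_IS_FIRST_HANDSHAKE(s)) {
        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
                                           s->client_finished_secret, hashlen);
    } else {
        unsigned char finsecret[EVP_MAX_MD_SIZE];
        int derived = tls13_derive_finishedkey(s, ssl_handshake_md(s),
                                               s->client_app_traffic_secret,
                                               finsecret, hashlen);

        if (derived)
            key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,
                                               hashlen);
        /*
         * Wipe the temporary key on both outcomes; a failed derivation may
         * still have left partial output in the buffer.
         */
        OPENSSL_cleanse(finsecret, sizeof(finsecret));
        if (!derived)
            goto err;
    }

    if (key == NULL
            || ctx == NULL
            || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0
            || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0
            || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC,
                 ERR_R_INTERNAL_ERROR);
        goto err;
    }

    ret = hashlen;
 err:
    EVP_PKEY_free(key);
    EVP_MD_CTX_free(ctx);
    return ret;
}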
293 | | - |
294 | | - |
295 | | - |
296 | | - |
297 | | - |
/*
 * Record the newly negotiated cipher on the session, resolve it to its
 * EVP cipher and digest, and stash both in s->s3->tmp for the later key
 * change. Returns 1 on success; on lookup failure raises SSLfatal() with
 * SSL_R_CIPHER_OR_HASH_UNAVAILABLE and returns 0.
 */
int tls13_setup_key_block(SSL *s)
{
    int mac_nid = NID_undef;
    const EVP_MD *digest;
    const EVP_CIPHER *enc;
    int found;

    /* The lookup below reads the cipher from the session, so set it first. */
    s->session->cipher = s->s3->tmp.new_cipher;

    found = ssl_cipher_get_evp(s->session, &enc, &digest, &mac_nid,
                               NULL, NULL, 0);
    if (found) {
        s->s3->tmp.new_sym_enc = enc;
        s->s3->tmp.new_hash = digest;
        return 1;
    }

    SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
             SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
    return 0;
}
317 | | - |
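/*
 * Derive a traffic secret and, from it, the cipher key and IV, then load the
 * key into |ciph_ctx|.
 *
 *   - |insecret|, |label| / |labellen| and |hash| (one digest-length of
 *     context) are expanded into |secret| (one digest-length of output).
 *   - |secret| is expanded into a key of the cipher's key length and an IV
 *     written to |iv|. For CCM ciphers the IV and tag lengths are the fixed
 *     TLS CCM values; otherwise the cipher's own IV length is used and no tag
 *     length is set.
 *   - |sending| is passed to EVP_CipherInit_ex() as the direction flag.
 *   - The IV is not loaded into |ciph_ctx| here; it is only returned through
 *     |iv|.
 *
 * Returns 1 on success, 0 on failure.
 *
 * The derived key lives in an on-stack buffer and is wiped before returning
 * on every path, including success.
 *
 * NOTE(review): in the coverage run this listing was taken from (5546 calls)
 * no failure branch was taken, the CCM8 tag-length branch never ran, and
 * s->s3->tmp.new_cipher was never NULL in the CCM path.
 */
static int derive_secret_key_and_iv(SSL *s, int sending, const EVP_MD *md,
                                    const EVP_CIPHER *ciph,
                                    const unsigned char *insecret,
                                    const unsigned char *hash,
                                    const unsigned char *label,
                                    size_t labellen, unsigned char *secret,
                                    unsigned char *iv, EVP_CIPHER_CTX *ciph_ctx)
{
    unsigned char key[EVP_MAX_KEY_LENGTH];
    size_t ivlen, keylen, taglen;
    int hashleni = EVP_MD_size(md);
    size_t hashlen;
    int ret = 0;

    /* Make sure the conversion to size_t below is safe. */
    if (!ossl_assert(hashleni >= 0)) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
                 ERR_R_EVP_LIB);
        goto err;
    }
    hashlen = (size_t)hashleni;

    if (!tls13_hkdf_expand(s, md, insecret, label, labellen, hash, hashlen,
                           secret, hashlen)) {
        /* No SSLfatal() here: the helper is expected to report its error. */
        goto err;
    }

    keylen = EVP_CIPHER_key_length(ciph);
    if (EVP_CIPHER_mode(ciph) == EVP_CIPH_CCM_MODE) {
        uint32_t algenc;

        ivlen = EVP_CCM_TLS_IV_LEN;
        if (s->s3->tmp.new_cipher == NULL) {
            /* No pending cipher: fall back to the session's cipher. */
            algenc = s->session->cipher->algorithm_enc;
        } else {
            algenc = s->s3->tmp.new_cipher->algorithm_enc;
        }
        if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
            taglen = EVP_CCM8_TLS_TAG_LEN;
        else
            taglen = EVP_CCM_TLS_TAG_LEN;
    } else {
        ivlen = EVP_CIPHER_iv_length(ciph);
        taglen = 0;
    }

    if (!tls13_derive_key(s, md, secret, key, keylen)
            || !tls13_derive_iv(s, md, secret, iv, ivlen)) {
        /* No SSLfatal() here: the helpers are expected to report errors. */
        goto err;
    }

    /*
     * Two-step init: select the cipher and direction, set the AEAD IV (and,
     * for CCM, tag) length, then install the key. The final -1 keeps the
     * direction chosen in the first call.
     */
    if (EVP_CipherInit_ex(ciph_ctx, ciph, NULL, NULL, NULL, sending) <= 0
        || !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
        || (taglen != 0 && !EVP_CIPHER_CTX_ctrl(ciph_ctx, EVP_CTRL_AEAD_SET_TAG,
                                                taglen, NULL))
        || EVP_CipherInit_ex(ciph_ctx, NULL, NULL, key, NULL, -1) <= 0) {
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
                 ERR_R_EVP_LIB);
        goto err;
    }

    ret = 1;
 err:
    /* Reached on success too, so the traffic key never lingers on the stack. */
    OPENSSL_cleanse(key, sizeof(key));
    return ret;
}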
387 | | - |
388 | int tls13_change_cipher_state(SSL *s, int which) | - |
389 | { | - |
390 | static const unsigned char client_early_traffic[] = "c e traffic"; | - |
391 | static const unsigned char client_handshake_traffic[] = "c hs traffic"; | - |
392 | static const unsigned char client_application_traffic[] = "c ap traffic"; | - |
393 | static const unsigned char server_handshake_traffic[] = "s hs traffic"; | - |
394 | static const unsigned char server_application_traffic[] = "s ap traffic"; | - |
395 | static const unsigned char exporter_master_secret[] = "exp master"; | - |
396 | static const unsigned char resumption_master_secret[] = "res master"; | - |
397 | static const unsigned char early_exporter_master_secret[] = "e exp master"; | - |
398 | unsigned char *iv; | - |
399 | unsigned char secret[EVP_MAX_MD_SIZE]; | - |
400 | unsigned char hashval[EVP_MAX_MD_SIZE]; | - |
401 | unsigned char *hash = hashval; | - |
402 | unsigned char *insecret; | - |
403 | unsigned char *finsecret = NULL; | - |
404 | const char *log_label = NULL; | - |
405 | EVP_CIPHER_CTX *ciph_ctx; | - |
406 | size_t finsecretlen = 0; | - |
407 | const unsigned char *label; | - |
408 | size_t labellen, hashlen = 0; | - |
409 | int ret = 0; | - |
410 | const EVP_MD *md = NULL; | - |
411 | const EVP_CIPHER *cipher = NULL; | - |
412 | | - |
413 | if (which & SSL3_CC_READ) {TRUE | evaluated 2627 times by 1 test | FALSE | evaluated 2904 times by 1 test |
| 2627-2904 |
414 | if (s->enc_read_ctx != NULL) {TRUE | evaluated 1156 times by 1 test | FALSE | evaluated 1471 times by 1 test |
| 1156-1471 |
415 | EVP_CIPHER_CTX_reset(s->enc_read_ctx); | - |
416 | } else {executed 1156 times by 1 test: end of block | 1156 |
417 | s->enc_read_ctx = EVP_CIPHER_CTX_new(); | - |
418 | if (s->enc_read_ctx == NULL) {TRUE | never evaluated | FALSE | evaluated 1471 times by 1 test |
| 0-1471 |
419 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
420 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); | - |
421 | goto err; never executed: goto err; | 0 |
422 | } | - |
423 | }executed 1471 times by 1 test: end of block | 1471 |
424 | ciph_ctx = s->enc_read_ctx; | - |
425 | iv = s->read_iv; | - |
426 | | - |
427 | RECORD_LAYER_reset_read_sequence(&s->rlayer); | - |
428 | } else {executed 2627 times by 1 test: end of block | 2627 |
429 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; | - |
430 | if (s->enc_write_ctx != NULL) {TRUE | evaluated 1443 times by 1 test | FALSE | evaluated 1461 times by 1 test |
| 1443-1461 |
431 | EVP_CIPHER_CTX_reset(s->enc_write_ctx); | - |
432 | } else {executed 1443 times by 1 test: end of block | 1443 |
433 | s->enc_write_ctx = EVP_CIPHER_CTX_new(); | - |
434 | if (s->enc_write_ctx == NULL) {TRUE | never evaluated | FALSE | evaluated 1461 times by 1 test |
| 0-1461 |
435 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
436 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); | - |
437 | goto err; never executed: goto err; | 0 |
438 | } | - |
439 | }executed 1461 times by 1 test: end of block | 1461 |
440 | ciph_ctx = s->enc_write_ctx; | - |
441 | iv = s->write_iv; | - |
442 | | - |
443 | RECORD_LAYER_reset_write_sequence(&s->rlayer); | - |
444 | }executed 2904 times by 1 test: end of block | 2904 |
445 | | - |
446 | if (((which & SSL3_CC_CLIENT) && (which & SSL3_CC_WRITE))TRUE | evaluated 2389 times by 1 test | FALSE | evaluated 3142 times by 1 test |
TRUE | evaluated 1197 times by 1 test | FALSE | evaluated 1192 times by 1 test |
| 1192-3142 |
447 | || ((which & SSL3_CC_SERVER) && (which & SSL3_CC_READ))) {TRUE | evaluated 3142 times by 1 test | FALSE | evaluated 1192 times by 1 test |
TRUE | evaluated 1435 times by 1 test | FALSE | evaluated 1707 times by 1 test |
| 1192-3142 |
448 | if (which & SSL3_CC_EARLY) {TRUE | evaluated 72 times by 1 test | FALSE | evaluated 2560 times by 1 test |
| 72-2560 |
449 | EVP_MD_CTX *mdctx = NULL; | - |
450 | long handlen; | - |
451 | void *hdata; | - |
452 | unsigned int hashlenui; | - |
453 | const SSL_CIPHER *sslcipher = SSL_SESSION_get0_cipher(s->session); | - |
454 | | - |
455 | insecret = s->early_secret; | - |
456 | label = client_early_traffic; | - |
457 | labellen = sizeof(client_early_traffic) - 1; | - |
458 | log_label = CLIENT_EARLY_LABEL; | - |
459 | | - |
460 | handlen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); | - |
461 | if (handlen <= 0) {TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
462 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
463 | SSL_F_TLS13_CHANGE_CIPHER_STATE, | - |
464 | SSL_R_BAD_HANDSHAKE_LENGTH); | - |
465 | goto err; never executed: goto err; | 0 |
466 | } | - |
467 | | - |
468 | if (s->early_data_state == SSL_EARLY_DATA_CONNECTINGTRUE | evaluated 50 times by 1 test | FALSE | evaluated 22 times by 1 test |
| 22-50 |
469 | && s->max_early_data > 0TRUE | evaluated 50 times by 1 test | FALSE | never evaluated |
| 0-50 |
470 | && s->session->ext.max_early_data == 0) {TRUE | evaluated 12 times by 1 test | FALSE | evaluated 38 times by 1 test |
| 12-38 |
471 | | - |
472 | | - |
473 | | - |
474 | | - |
475 | | - |
476 | if (!ossl_assert(s->psksession != NULLTRUE | never evaluated | FALSE | evaluated 12 times by 1 test |
TRUE | evaluated 12 times by 1 test | FALSE | never evaluated |
TRUE | evaluated 12 times by 1 test | FALSE | never evaluated |
| 0-12 |
477 | && s->max_early_data == | - |
478 | s->psksession->ext.max_early_data)) { | - |
479 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
480 | SSL_F_TLS13_CHANGE_CIPHER_STATE, | - |
481 | ERR_R_INTERNAL_ERROR); | - |
482 | goto err; never executed: goto err; | 0 |
483 | } | - |
484 | sslcipher = SSL_SESSION_get0_cipher(s->psksession); | - |
485 | }executed 12 times by 1 test: end of block | 12 |
486 | if (sslcipher == NULL) {TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
487 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
488 | SSL_F_TLS13_CHANGE_CIPHER_STATE, SSL_R_BAD_PSK); | - |
489 | goto err; never executed: goto err; | 0 |
490 | } | - |
491 | | - |
492 | | - |
493 | | - |
494 | | - |
495 | | - |
496 | | - |
497 | mdctx = EVP_MD_CTX_new(); | - |
498 | if (mdctx == NULL) {TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
499 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
500 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); | - |
501 | goto err; never executed: goto err; | 0 |
502 | } | - |
503 | cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher)); | - |
504 | md = ssl_md(sslcipher->algorithm2); | - |
505 | if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
506 | || !EVP_DigestUpdate(mdctx, hdata, handlen)TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
507 | || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) {TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
508 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
509 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); | - |
510 | EVP_MD_CTX_free(mdctx); | - |
511 | goto err; never executed: goto err; | 0 |
512 | } | - |
513 | hashlen = hashlenui; | - |
514 | EVP_MD_CTX_free(mdctx); | - |
515 | | - |
516 | if (!tls13_hkdf_expand(s, md, insecret,TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
517 | early_exporter_master_secret,TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
518 | sizeof(early_exporter_master_secret) - 1,TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
519 | hashval, hashlen,TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
520 | s->early_exporter_master_secret, hashlen)) {TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
521 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | - |
522 | SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); | - |
523 | goto err; never executed: goto err; | 0 |
524 | } | - |
525 | | - |
526 | if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL,TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
527 | s->early_exporter_master_secret, hashlen)) {TRUE | never evaluated | FALSE | evaluated 72 times by 1 test |
| 0-72 |
528 | | - |
529 | goto err; never executed: goto err; | 0 |
530 | } | - |
531 | } else if (which & SSL3_CC_HANDSHAKE) {executed 72 times by 1 test: end of block TRUE | evaluated 1422 times by 1 test | FALSE | evaluated 1138 times by 1 test |
| 72-1422 |
532 | insecret = s->handshake_secret; | - |
533 | finsecret = s->client_finished_secret; | - |
534 | finsecretlen = EVP_MD_size(ssl_handshake_md(s)); | - |
535 | label = client_handshake_traffic; | - |
536 | labellen = sizeof(client_handshake_traffic) - 1; | - |
537 | log_label = CLIENT_HANDSHAKE_LABEL; | - |
538 | | - |
539 | | - |
540 | | - |
541 | | - |
542 | | - |
543 | | - |
544 | | - |
545 | | - |
546 | | - |
547 | hash = s->handshake_traffic_hash; | - |
548 | } else {executed 1422 times by 1 test: end of block | 1422 |
549 | insecret = s->master_secret; | - |
550 | label = client_application_traffic; | - |
551 | labellen = sizeof(client_application_traffic) - 1; | - |
552 | log_label = CLIENT_APPLICATION_LABEL; | - |
553 | | - |
554 | | - |
555 | | - |
556 | | - |
557 | | - |
558 | | - |
559 | hash = s->server_finished_hash; | - |
560 | }executed 1138 times by 1 test: end of block | 1138 |
561 | } else { | - |
562 | | - |
563 | if (which & SSL3_CC_HANDSHAKE) {TRUE | evaluated 1471 times by 1 test | FALSE | evaluated 1428 times by 1 test |
| 1428-1471 |
564 | insecret = s->handshake_secret; | - |
565 | finsecret = s->server_finished_secret; | - |
566 | finsecretlen = EVP_MD_size(ssl_handshake_md(s)); | - |
567 | label = server_handshake_traffic; | - |
568 | labellen = sizeof(server_handshake_traffic) - 1; | - |
569 | log_label = SERVER_HANDSHAKE_LABEL; | - |
570 | } else {executed 1471 times by 1 test: end of block | 1471 |
571 | insecret = s->master_secret; | - |
572 | label = server_application_traffic; | - |
573 | labellen = sizeof(server_application_traffic) - 1; | - |
574 | log_label = SERVER_APPLICATION_LABEL; | - |
575 | }executed 1428 times by 1 test: end of block | 1428 |
576 | } | - |
577 | | - |
578 | if (!(which & SSL3_CC_EARLY)) {TRUE | evaluated 5459 times by 1 test | FALSE | evaluated 72 times by 1 test |
| 72-5459 |
579 | md = ssl_handshake_md(s); | - |
580 | cipher = s->s3->tmp.new_sym_enc; | - |
581 | if (!ssl3_digest_cached_records(s, 1)TRUE | never evaluated | FALSE | evaluated 5459 times by 1 test |
| 0-5459 |
582 | || !ssl_handshake_hash(s, hashval, sizeof(hashval), &hashlen)) {TRUE | never evaluated | FALSE | evaluated 5459 times by 1 test |
| 0-5459 |
583 | ; | - |
584 | goto err; never executed: goto err; | 0 |
585 | } | - |
586 | }executed 5459 times by 1 test: end of block | 5459 |
587 | | - |
588 | | - |
589 | | - |
590 | | - |
591 | | - |
592 | if (label == server_application_traffic)TRUE | evaluated 1428 times by 1 test | FALSE | evaluated 4103 times by 1 test |
| 1428-4103 |
593 | memcpy(s->server_finished_hash, hashval, hashlen);executed 1428 times by 1 test: memcpy(s->server_finished_hash, hashval, hashlen); | 1428 |
594 | | - |
595 | if (label == server_handshake_traffic)TRUE | evaluated 1471 times by 1 test | FALSE | evaluated 4060 times by 1 test |
| 1471-4060 |
596 | memcpy(s->handshake_traffic_hash, hashval, hashlen);executed 1471 times by 1 test: memcpy(s->handshake_traffic_hash, hashval, hashlen); | 1471 |
597 | | - |
598 | if (label == client_application_traffic) {TRUE | evaluated 1138 times by 1 test | FALSE | evaluated 4393 times by 1 test |
| 1138-4393 |
599 | | - |
600 | | - |
601 | | - |
602 | | - |
603 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,TRUE | never evaluated | FALSE | evaluated 1138 times by 1 test |
| 0-1138 |
604 | resumption_master_secret,TRUE | never evaluated | FALSE | evaluated 1138 times by 1 test |
| 0-1138 |
605 | sizeof(resumption_master_secret) - 1,TRUE | never evaluated | FALSE | evaluated 1138 times by 1 test |
| 0-1138 |
606 | hashval, hashlen, s->resumption_master_secret,TRUE | never evaluated | FALSE | evaluated 1138 times by 1 test |
| 0-1138 |
607 | hashlen)) {TRUE | never evaluated | FALSE | evaluated 1138 times by 1 test |
| 0-1138 |
608 | | - |
609 | goto err; never executed: goto err; | 0 |
610 | } | - |
611 | }executed 1138 times by 1 test: end of block | 1138 |
612 | | - |
613 | if (!derive_secret_key_and_iv(s, which & SSL3_CC_WRITE, md, cipher,TRUE | never evaluated | FALSE | evaluated 5531 times by 1 test |
| 0-5531 |
614 | insecret, hash, label, labellen, secret, iv,TRUE | never evaluated | FALSE | evaluated 5531 times by 1 test |
| 0-5531 |
615 | ciph_ctx)) {TRUE | never evaluated | FALSE | evaluated 5531 times by 1 test |
| 0-5531 |
616 | | - |
617 | goto err; never executed: goto err; | 0 |
618 | } | - |
619 | | - |
620 | if (label == server_application_traffic) {TRUE | evaluated 1428 times by 1 test | FALSE | evaluated 4103 times by 1 test |
| 1428-4103 |
621 | memcpy(s->server_app_traffic_secret, secret, hashlen); | - |
622 | | - |
623 | if (!tls13_hkdf_expand(s, ssl_handshake_md(s), insecret,TRUE | never evaluated | FALSE | evaluated 1428 times by 1 test |
| 0-1428 |
624 | exporter_master_secret,TRUE | never evaluated | FALSE | evaluated 1428 times by 1 test |
| 0-1428 |
625 | sizeof(exporter_master_secret) - 1,TRUE | never evaluated | FALSE | evaluated 1428 times by 1 test |
| 0-1428 |
626 | hash, hashlen, s->exporter_master_secret,TRUE | never evaluated | FALSE | evaluated 1428 times by 1 test |
| 0-1428 |
627 | hashlen)) {TRUE | never evaluated | FALSE | evaluated 1428 times by 1 test |
| 0-1428 |
628 | | - |
629 | goto err; never executed: goto err; | 0 |
630 | } | - |
631 | | - |
632 | if (!ssl_log_secret(s, EXPORTER_SECRET_LABEL, s->exporter_master_secret,TRUE | never evaluated | FALSE | evaluated 1428 times by 1 test |
| 0-1428 |
633 | hashlen)) {TRUE | never evaluated | FALSE | evaluated 1428 times by 1 test |
| 0-1428 |
634 | | - |
635 | goto err; never executed: goto err; | 0 |
636 | } | - |
637 | } else if (label == client_application_traffic)executed 1428 times by 1 test: end of block TRUE | evaluated 1138 times by 1 test | FALSE | evaluated 2965 times by 1 test |
| 1138-2965 |
638 | memcpy(s->client_app_traffic_secret, secret, hashlen);executed 1138 times by 1 test: memcpy(s->client_app_traffic_secret, secret, hashlen); | 1138 |
639 | | - |
640 | if (!ssl_log_secret(s, log_label, secret, hashlen)) {TRUE | never evaluated | FALSE | evaluated 5531 times by 1 test |
| 0-5531 |
641 | | - |
642 | goto err; never executed: goto err; | 0 |
643 | } | - |
644 | | - |
645 | if (finsecret != NULLTRUE | evaluated 2893 times by 1 test | FALSE | evaluated 2638 times by 1 test |
| 2638-2893 |
646 | && !tls13_derive_finishedkey(s, ssl_handshake_md(s), secret,TRUE | never evaluated | FALSE | evaluated 2893 times by 1 test |
| 0-2893 |
647 | finsecret, finsecretlen)) {TRUE | never evaluated | FALSE | evaluated 2893 times by 1 test |
| 0-2893 |
648 | | - |
649 | goto err; never executed: goto err; | 0 |
650 | } | - |
651 | | - |
652 | if (!s->server && label == client_early_traffic)TRUE | evaluated 2389 times by 1 test | FALSE | evaluated 3142 times by 1 test |
TRUE | evaluated 50 times by 1 test | FALSE | evaluated 2339 times by 1 test |
| 50-3142 |
653 | s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS;executed 50 times by 1 test: s->statem.enc_write_state = ENC_WRITE_STATE_WRITE_PLAIN_ALERTS; | 50 |
654 | else | - |
655 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID;executed 5481 times by 1 test: s->statem.enc_write_state = ENC_WRITE_STATE_VALID; | 5481 |
656 | ret = 1; | - |
657 | err:code before this statement executed 5531 times by 1 test: err: | 5531 |
658 | OPENSSL_cleanse(secret, sizeof(secret)); | - |
659 | return ret;executed 5531 times by 1 test: return ret; | 5531 |
660 | } | - |
661 | | - |
/*
 * Replace the application traffic secret, key and IV for one direction.
 *
 * |sending| non-zero updates the write side (s->write_iv, s->enc_write_ctx),
 * zero updates the read side (s->read_iv, s->enc_read_ctx). The secret that
 * is rolled forward is the server's when s->server == sending, otherwise the
 * client's. The new secret is produced by derive_secret_key_and_iv() with
 * the label "traffic upd" and is written back over the old one.
 *
 * Returns 1 on success and 0 if derive_secret_key_and_iv() fails; the
 * temporary copy of the new secret is cleansed on both paths.
 *
 * NOTE(review): EVP_MD_size() returns an int and its result is stored in a
 * size_t and used as the memcpy() length without a check here - confirm the
 * handshake digest is always valid when this function is reached.
 */
int tls13_update_key(SSL *s, int sending)
{
    static const unsigned char application_traffic[] = "traffic upd";
    const EVP_MD *md = ssl_handshake_md(s);
    size_t hashlen = EVP_MD_size(md);
    unsigned char next_secret[EVP_MAX_MD_SIZE];
    unsigned char *cur_secret;
    unsigned char *iv_out;
    EVP_CIPHER_CTX *cctx;
    int ok = 0;

    cur_secret = (s->server == sending) ? s->server_app_traffic_secret
                                        : s->client_app_traffic_secret;

    if (!sending) {
        iv_out = s->read_iv;
        cctx = s->enc_read_ctx;
        RECORD_LAYER_reset_read_sequence(&s->rlayer);
    } else {
        /* Mark the write state invalid while the sending key is replaced. */
        s->statem.enc_write_state = ENC_WRITE_STATE_INVALID;
        iv_out = s->write_iv;
        cctx = s->enc_write_ctx;
        RECORD_LAYER_reset_write_sequence(&s->rlayer);
    }

    if (derive_secret_key_and_iv(s, sending, ssl_handshake_md(s),
                                 s->s3->tmp.new_sym_enc, cur_secret, NULL,
                                 application_traffic,
                                 sizeof(application_traffic) - 1, next_secret,
                                 iv_out, cctx)) {
        /* Roll the stored traffic secret forward to the new generation. */
        memcpy(cur_secret, next_secret, hashlen);

        s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
        ok = 1;
    }

    /* The stack copy of the secret must not outlive this call. */
    OPENSSL_cleanse(next_secret, sizeof(next_secret));
    return ok;
}
705 | | - |
/*
 * Map an alert code for use with TLSv1.3.
 *
 * SSL_AD_MISSING_EXTENSION and SSL_AD_CERTIFICATE_REQUIRED are returned
 * unchanged; every other code is passed to tls1_alert_code() and its result
 * is returned.
 */
int tls13_alert_code(int code)
{
    switch (code) {
    case SSL_AD_MISSING_EXTENSION:
    case SSL_AD_CERTIFICATE_REQUIRED:
        return code;
    default:
        return tls1_alert_code(code);
    }
}
714 | | - |
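/*
 * Export keying material from the exporter master secret (the two-step
 * construction matches the TLS-Exporter definition in RFC 8446 section 7.5).
 *
 * |out|/|olen|         buffer that receives the exported material
 * |label|/|llen|       caller-supplied exporter label
 * |context|/|contextlen| optional context value; ignored (treated as empty)
 *                      when |use_context| is zero
 *
 * Steps performed:
 *   hash         = Hash(context)
 *   data         = Hash("")
 *   exportsecret = tls13_hkdf_expand(exporter_master_secret, label, data)
 *   out          = tls13_hkdf_expand(exportsecret, "exporter", hash)
 *
 * Returns 1 on success, 0 on any failure, including when
 * ossl_statem_export_allowed() refuses the export.
 */
int tls13_export_keying_material(SSL *s, unsigned char *out, size_t olen,
                                 const char *label, size_t llen,
                                 const unsigned char *context,
                                 size_t contextlen, int use_context)
{
    unsigned char exportsecret[EVP_MAX_MD_SIZE];
    static const unsigned char exporterlabel[] = "exporter";
    unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
    const EVP_MD *md = ssl_handshake_md(s);
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned int hashsize, datalen;
    int ret = 0;

    if (ctx == NULL || !ossl_statem_export_allowed(s))
        goto err;

    if (!use_context)
        contextlen = 0;

    if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
            || EVP_DigestUpdate(ctx, context, contextlen) <= 0
            || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
            /* Second digest has no update call: it hashes the empty input. */
            || EVP_DigestInit_ex(ctx, md, NULL) <= 0
            || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
            || !tls13_hkdf_expand(s, md, s->exporter_master_secret,
                                  (const unsigned char *)label, llen,
                                  data, datalen, exportsecret, hashsize)
            || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
                                  sizeof(exporterlabel) - 1, hash, hashsize,
                                  out, olen))
        goto err;

    ret = 1;
 err:
    /*
     * exportsecret is derived directly from the exporter master secret, so
     * wipe it before returning, as the key-derivation functions in this file
     * do for their temporary secrets. Cleansing a buffer that was never
     * filled (early failure) is harmless.
     */
    OPENSSL_cleanse(exportsecret, sizeof(exportsecret));
    EVP_MD_CTX_free(ctx);
    return ret;
}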
752 | | - |
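/*
 * Export keying material from the early exporter master secret.
 *
 * |out|/|olen|           buffer that receives the exported material
 * |label|/|llen|         caller-supplied exporter label
 * |context|/|contextlen| context value that is hashed into the output
 *
 * The digest is taken from the cipher of s->psksession when this is a client
 * with s->max_early_data > 0 whose s->session advertises no early data, and
 * from the cipher of s->session otherwise.
 * NOTE(review): presumably the first case covers a PSK supplied outside the
 * current session - confirm against the callers.
 *
 * Steps performed:
 *   hash         = Hash(context)
 *   data         = Hash("")
 *   exportsecret = tls13_hkdf_expand(early_exporter_master_secret, label, data)
 *   out          = tls13_hkdf_expand(exportsecret, "exporter", hash)
 *
 * Returns 1 on success, 0 on any failure, including when
 * ossl_statem_export_early_allowed() refuses the export or no usable
 * cipher/digest is available.
 */
int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
                                       const char *label, size_t llen,
                                       const unsigned char *context,
                                       size_t contextlen)
{
    static const unsigned char exporterlabel[] = "exporter";
    unsigned char exportsecret[EVP_MAX_MD_SIZE];
    unsigned char hash[EVP_MAX_MD_SIZE], data[EVP_MAX_MD_SIZE];
    const EVP_MD *md;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned int hashsize, datalen;
    int ret = 0;
    const SSL_CIPHER *sslcipher;

    if (ctx == NULL || !ossl_statem_export_early_allowed(s))
        goto err;

    if (!s->server && s->max_early_data > 0
            && s->session->ext.max_early_data == 0)
        sslcipher = SSL_SESSION_get0_cipher(s->psksession);
    else
        sslcipher = SSL_SESSION_get0_cipher(s->session);

    /* Fail cleanly instead of dereferencing a missing cipher. */
    if (sslcipher == NULL)
        goto err;

    md = ssl_md(sslcipher->algorithm2);
    /* ssl_md() can yield NULL; the early-secret path in this file checks too. */
    if (md == NULL)
        goto err;

    if (EVP_DigestInit_ex(ctx, md, NULL) <= 0
            || EVP_DigestUpdate(ctx, context, contextlen) <= 0
            || EVP_DigestFinal_ex(ctx, hash, &hashsize) <= 0
            /* Second digest has no update call: it hashes the empty input. */
            || EVP_DigestInit_ex(ctx, md, NULL) <= 0
            || EVP_DigestFinal_ex(ctx, data, &datalen) <= 0
            || !tls13_hkdf_expand(s, md, s->early_exporter_master_secret,
                                  (const unsigned char *)label, llen,
                                  data, datalen, exportsecret, hashsize)
            || !tls13_hkdf_expand(s, md, exportsecret, exporterlabel,
                                  sizeof(exporterlabel) - 1, hash, hashsize,
                                  out, olen))
        goto err;

    ret = 1;
 err:
    /*
     * exportsecret is derived directly from the early exporter master
     * secret, so wipe it before returning, as the key-derivation functions
     * in this file do for their temporary secrets. Cleansing a buffer that
     * was never filled (early failure) is harmless.
     */
    OPENSSL_cleanse(exportsecret, sizeof(exportsecret));
    EVP_MD_CTX_free(ctx);
    return ret;
}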
| | |