t1_enc.c 23.2 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
R
Rich Salz 已提交
9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
36 37

#include <stdio.h>
38
#include "ssl_locl.h"
R
Rich Salz 已提交
39
#include <openssl/comp.h>
40
#include <openssl/evp.h>
D
Dr. Stephen Henson 已提交
41
#include <openssl/kdf.h>
42
#include <openssl/rand.h>
43

D
Dr. Stephen Henson 已提交
44
/* seed1 through seed5 are concatenated */
45
static int tls1_PRF(SSL *s,
46 47 48 49 50 51 52
                    const void *seed1, size_t seed1_len,
                    const void *seed2, size_t seed2_len,
                    const void *seed3, size_t seed3_len,
                    const void *seed4, size_t seed4_len,
                    const void *seed5, size_t seed5_len,
                    const unsigned char *sec, size_t slen,
                    unsigned char *out, size_t olen)
53
{
54
    const EVP_MD *md = ssl_prf_md(s);
D
Dr. Stephen Henson 已提交
55 56 57
    EVP_PKEY_CTX *pctx = NULL;

    int ret = 0;
58

59
    if (md == NULL) {
M
Matt Caswell 已提交
60 61
        /* Should never happen */
        SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR);
62
        return 0;
M
Matt Caswell 已提交
63
    }
D
Dr. Stephen Henson 已提交
64 65 66
    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
    if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0
        || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0
67
        || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0)
D
Dr. Stephen Henson 已提交
68
        goto err;
69

70
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0)
D
Dr. Stephen Henson 已提交
71
        goto err;
72
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0)
D
Dr. Stephen Henson 已提交
73
        goto err;
74
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0)
D
Dr. Stephen Henson 已提交
75
        goto err;
76
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0)
D
Dr. Stephen Henson 已提交
77
        goto err;
78
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0)
D
Dr. Stephen Henson 已提交
79 80
        goto err;

81
    if (EVP_PKEY_derive(pctx, out, &olen) <= 0)
D
Dr. Stephen Henson 已提交
82 83 84
        goto err;
    ret = 1;

E
Emilia Kasper 已提交
85
 err:
D
Dr. Stephen Henson 已提交
86 87
    EVP_PKEY_CTX_free(pctx);
    return ret;
88
}
89

90
static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
91 92
{
    int ret;
93
    ret = tls1_PRF(s,
94 95 96 97
                   TLS_MD_KEY_EXPANSION_CONST,
                   TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random,
                   SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE,
                   NULL, 0, NULL, 0, s->session->master_key,
D
Dr. Stephen Henson 已提交
98
                   s->session->master_key_length, km, num);
99

100 101
    return ret;
}
102

U
Ulf Möller 已提交
103
int tls1_change_cipher_state(SSL *s, int which)
104 105 106 107 108 109 110 111 112
{
    unsigned char *p, *mac_secret;
    unsigned char tmp1[EVP_MAX_KEY_LENGTH];
    unsigned char tmp2[EVP_MAX_KEY_LENGTH];
    unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
    unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
    unsigned char *ms, *key, *iv;
    EVP_CIPHER_CTX *dd;
    const EVP_CIPHER *c;
113
#ifndef OPENSSL_NO_COMP
114
    const SSL_COMP *comp;
115
#endif
116 117
    const EVP_MD *m;
    int mac_type;
118
    size_t *mac_secret_size;
119 120
    EVP_MD_CTX *mac_ctx;
    EVP_PKEY *mac_key;
121
    size_t n, i, j, k, cl;
122 123 124 125 126
    int reuse_dd = 0;

    c = s->s3->tmp.new_sym_enc;
    m = s->s3->tmp.new_hash;
    mac_type = s->s3->tmp.new_mac_pkey_type;
127
#ifndef OPENSSL_NO_COMP
128
    comp = s->s3->tmp.new_compression;
129
#endif
130

131 132 133 134 135 136 137 138
    if (which & SSL3_CC_READ) {
        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
            s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
        else
            s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;

        if (s->enc_read_ctx != NULL)
            reuse_dd = 1;
139
        else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL)
140 141 142
            goto err;
        else
            /*
F
FdaSilvaYY 已提交
143
             * make sure it's initialised in case we exit later with an error
144
             */
145
            EVP_CIPHER_CTX_reset(s->enc_read_ctx);
146 147
        dd = s->enc_read_ctx;
        mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
148 149
        if (mac_ctx == NULL)
            goto err;
150
#ifndef OPENSSL_NO_COMP
R
Rich Salz 已提交
151 152
        COMP_CTX_free(s->expand);
        s->expand = NULL;
153 154 155 156 157 158 159 160
        if (comp != NULL) {
            s->expand = COMP_CTX_new(comp->method);
            if (s->expand == NULL) {
                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
        }
161
#endif
162
        /*
163
         * this is done by dtls1_reset_seq_numbers for DTLS
164
         */
165
        if (!SSL_IS_DTLS(s))
166
            RECORD_LAYER_reset_read_sequence(&s->rlayer);
167 168 169 170 171 172 173 174 175 176 177 178 179
        mac_secret = &(s->s3->read_mac_secret[0]);
        mac_secret_size = &(s->s3->read_mac_secret_size);
    } else {
        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
            s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
        else
            s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
        if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
            reuse_dd = 1;
        else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL)
            goto err;
        dd = s->enc_write_ctx;
        if (SSL_IS_DTLS(s)) {
180
            mac_ctx = EVP_MD_CTX_new();
181
            if (mac_ctx == NULL)
182 183
                goto err;
            s->write_hash = mac_ctx;
184
        } else {
185
            mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
186 187 188
            if (mac_ctx == NULL)
                goto err;
        }
189
#ifndef OPENSSL_NO_COMP
R
Rich Salz 已提交
190 191
        COMP_CTX_free(s->compress);
        s->compress = NULL;
192 193 194 195 196 197 198 199
        if (comp != NULL) {
            s->compress = COMP_CTX_new(comp->method);
            if (s->compress == NULL) {
                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
        }
200
#endif
201
        /*
202
         * this is done by dtls1_reset_seq_numbers for DTLS
203
         */
204
        if (!SSL_IS_DTLS(s))
205
            RECORD_LAYER_reset_write_sequence(&s->rlayer);
206 207 208 209 210
        mac_secret = &(s->s3->write_mac_secret[0]);
        mac_secret_size = &(s->s3->write_mac_secret_size);
    }

    if (reuse_dd)
211
        EVP_CIPHER_CTX_reset(dd);
212 213 214 215

    p = s->s3->tmp.key_block;
    i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;

216
    /* TODO(size_t): convert me */
217
    cl = EVP_CIPHER_key_length(c);
218
    j = cl;
219
    /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
D
Dr. Stephen Henson 已提交
220
    /* If GCM/CCM mode only part of IV comes from PRF */
221 222
    if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
        k = EVP_GCM_TLS_FIXED_IV_LEN;
D
Dr. Stephen Henson 已提交
223 224
    else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
        k = EVP_CCM_TLS_FIXED_IV_LEN;
225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252
    else
        k = EVP_CIPHER_iv_length(c);
    if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
        (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
        ms = &(p[0]);
        n = i + i;
        key = &(p[n]);
        n += j + j;
        iv = &(p[n]);
        n += k + k;
    } else {
        n = i;
        ms = &(p[n]);
        n += i + j;
        key = &(p[n]);
        n += j + k;
        iv = &(p[n]);
        n += k;
    }

    if (n > s->s3->tmp.key_block_length) {
        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }

    memcpy(mac_secret, ms, i);

    if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
253
        /* TODO(size_t): Convert this function */
254
        mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
255
                                       mac_secret, (int)*mac_secret_size);
256
        if (mac_key == NULL
E
Emilia Kasper 已提交
257
            || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
258 259 260 261
            EVP_PKEY_free(mac_key);
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
262 263
        EVP_PKEY_free(mac_key);
    }
R
Rich Salz 已提交
264
#ifdef SSL_DEBUG
265 266 267 268 269 270
    printf("which = %04X\nmac key=", which);
    {
        int z;
        for (z = 0; z < i; z++)
            printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n');
    }
271
#endif
272 273

    if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
274
        if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))
275 276
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k,
                                    iv)) {
277 278 279
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
D
Dr. Stephen Henson 已提交
280
    } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
D
Dr. Stephen Henson 已提交
281
        int taglen;
E
Emilia Kasper 已提交
282 283
        if (s->s3->tmp.
            new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
D
Dr. Stephen Henson 已提交
284 285 286
            taglen = 8;
        else
            taglen = 16;
D
Dr. Stephen Henson 已提交
287 288 289
        if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
290
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv)
D
Dr. Stephen Henson 已提交
291 292 293 294
            || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
295 296 297 298 299 300
    } else {
        if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
    }
301
    /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
302 303
    if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
        && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
304
                                (int)*mac_secret_size, mac_secret)) {
305 306 307
        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }
308
#ifdef OPENSSL_SSL_TRACE_CRYPTO
309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325
    if (s->msg_callback) {
        int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : 0;
        if (*mac_secret_size)
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
                            mac_secret, *mac_secret_size,
                            s, s->msg_callback_arg);
        if (c->key_len)
            s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
                            key, c->key_len, s, s->msg_callback_arg);
        if (k) {
            if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
                wh |= TLS1_RT_CRYPTO_FIXED_IV;
            else
                wh |= TLS1_RT_CRYPTO_IV;
            s->msg_callback(2, s->version, wh, iv, k, s, s->msg_callback_arg);
        }
    }
326 327
#endif

R
Rich Salz 已提交
328
#ifdef SSL_DEBUG
329 330 331 332 333 334 335 336 337 338 339 340 341
    printf("which = %04X\nkey=", which);
    {
        int z;
        for (z = 0; z < EVP_CIPHER_key_length(c); z++)
            printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("\niv=");
    {
        int z;
        for (z = 0; z < k; z++)
            printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("\n");
342 343
#endif

344 345 346 347 348 349 350 351
    OPENSSL_cleanse(tmp1, sizeof(tmp1));
    OPENSSL_cleanse(tmp2, sizeof(tmp1));
    OPENSSL_cleanse(iv1, sizeof(iv1));
    OPENSSL_cleanse(iv2, sizeof(iv2));
    return (1);
 err:
    SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
 err2:
R
Rich Salz 已提交
352 353 354 355
    OPENSSL_cleanse(tmp1, sizeof(tmp1));
    OPENSSL_cleanse(tmp2, sizeof(tmp1));
    OPENSSL_cleanse(iv1, sizeof(iv1));
    OPENSSL_cleanse(iv2, sizeof(iv2));
356 357
    return (0);
}
358

U
Ulf Möller 已提交
359
int tls1_setup_key_block(SSL *s)
360
{
D
Dr. Stephen Henson 已提交
361
    unsigned char *p;
362 363 364
    const EVP_CIPHER *c;
    const EVP_MD *hash;
    SSL_COMP *comp;
365 366
    int mac_type = NID_undef;
    size_t num, mac_secret_size = 0;
367
    int ret = 0;
368

369 370 371 372 373 374 375 376 377 378 379 380 381 382
    if (s->s3->tmp.key_block_length != 0)
        return (1);

    if (!ssl_cipher_get_evp
        (s->session, &c, &hash, &mac_type, &mac_secret_size, &comp,
         SSL_USE_ETM(s))) {
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
        return (0);
    }

    s->s3->tmp.new_sym_enc = c;
    s->s3->tmp.new_hash = hash;
    s->s3->tmp.new_mac_pkey_type = mac_type;
    s->s3->tmp.new_mac_secret_size = mac_secret_size;
E
Emilia Kasper 已提交
383
    num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
384 385 386 387
    num *= 2;

    ssl3_cleanup_key_block(s);

D
Dr. Stephen Henson 已提交
388
    if ((p = OPENSSL_malloc(num)) == NULL) {
389 390 391 392 393
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    s->s3->tmp.key_block_length = num;
D
Dr. Stephen Henson 已提交
394
    s->s3->tmp.key_block = p;
395

R
Rich Salz 已提交
396
#ifdef SSL_DEBUG
397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412
    printf("client random\n");
    {
        int z;
        for (z = 0; z < SSL3_RANDOM_SIZE; z++)
            printf("%02X%c", s->s3->client_random[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("server random\n");
    {
        int z;
        for (z = 0; z < SSL3_RANDOM_SIZE; z++)
            printf("%02X%c", s->s3->server_random[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("master key\n");
    {
413
        size_t z;
414 415 416 417
        for (z = 0; z < s->session->master_key_length; z++)
            printf("%02X%c", s->session->master_key[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
418
#endif
D
Dr. Stephen Henson 已提交
419
    if (!tls1_generate_key_block(s, p, num))
420
        goto err;
R
Rich Salz 已提交
421
#ifdef SSL_DEBUG
422 423
    printf("\nkey block\n");
    {
424
        size_t z;
425
        for (z = 0; z < num; z++)
R
Rich Salz 已提交
426
            printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n');
427
    }
428 429
#endif

430 431 432 433 434 435 436 437 438 439 440 441
    if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
        && s->method->version <= TLS1_VERSION) {
        /*
         * enable vulnerability countermeasure for CBC ciphers with known-IV
         * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
         */
        s->s3->need_empty_fragments = 1;

        if (s->session->cipher != NULL) {
            if (s->session->cipher->algorithm_enc == SSL_eNULL)
                s->s3->need_empty_fragments = 0;

442
#ifndef OPENSSL_NO_RC4
443 444
            if (s->session->cipher->algorithm_enc == SSL_RC4)
                s->s3->need_empty_fragments = 0;
445
#endif
446 447 448 449 450 451 452
        }
    }

    ret = 1;
 err:
    return (ret);
}
453

454 455
size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
                             unsigned char *out)
456
{
457
    size_t hashlen;
458
    unsigned char hash[EVP_MAX_MD_SIZE];
459

460 461
    if (!ssl3_digest_cached_records(s, 0))
        return 0;
462

463
    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen))
464
        return 0;
465

D
Dr. Stephen Henson 已提交
466
    if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
467
                  s->session->master_key, s->session->master_key_length,
D
Dr. Stephen Henson 已提交
468
                  out, TLS1_FINISH_MAC_LENGTH))
469
        return 0;
M
Matt Caswell 已提交
470
    OPENSSL_cleanse(hash, hashlen);
D
Dr. Stephen Henson 已提交
471
    return TLS1_FINISH_MAC_LENGTH;
472
}
473

U
Ulf Möller 已提交
474
int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
475
                                size_t len, size_t *secret_size)
476
{
477 478
    if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
        unsigned char hash[EVP_MAX_MD_SIZE * 2];
479
        size_t hashlen;
E
Emilia Kasper 已提交
480 481 482 483
        /*
         * Digest cached records keeping record buffer (if present): this wont
         * affect client auth because we're freezing the buffer at the same
         * point (after client key exchange and before certificate verify)
484 485
         */
        if (!ssl3_digest_cached_records(s, 1))
486 487 488
            return 0;
        if(!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen))
            return 0;
489 490 491 492
#ifdef SSL_DEBUG
        fprintf(stderr, "Handshake hashes:\n");
        BIO_dump_fp(stderr, (char *)hash, hashlen);
#endif
493
        tls1_PRF(s,
494 495 496 497
                 TLS_MD_EXTENDED_MASTER_SECRET_CONST,
                 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,
                 hash, hashlen,
                 NULL, 0,
D
Dr. Stephen Henson 已提交
498
                 NULL, 0,
D
Dr. Stephen Henson 已提交
499 500
                 NULL, 0, p, len, s->session->master_key,
                 SSL3_MASTER_SECRET_SIZE);
501 502
        OPENSSL_cleanse(hash, hashlen);
    } else {
503
        tls1_PRF(s,
504 505 506
                 TLS_MD_MASTER_SECRET_CONST,
                 TLS_MD_MASTER_SECRET_CONST_SIZE,
                 s->s3->client_random, SSL3_RANDOM_SIZE,
D
Dr. Stephen Henson 已提交
507
                 NULL, 0,
508
                 s->s3->server_random, SSL3_RANDOM_SIZE,
D
Dr. Stephen Henson 已提交
509 510
                 NULL, 0, p, len, s->session->master_key,
                 SSL3_MASTER_SECRET_SIZE);
511
    }
512
#ifdef SSL_DEBUG
513 514 515 516 517 518 519 520 521
    fprintf(stderr, "Premaster Secret:\n");
    BIO_dump_fp(stderr, (char *)p, len);
    fprintf(stderr, "Client Random:\n");
    BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE);
    fprintf(stderr, "Server Random:\n");
    BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE);
    fprintf(stderr, "Master Secret:\n");
    BIO_dump_fp(stderr, (char *)s->session->master_key,
                SSL3_MASTER_SECRET_SIZE);
522
#endif
523

524
#ifdef OPENSSL_SSL_TRACE_CRYPTO
525 526 527 528 529 530 531 532 533 534 535 536 537
    if (s->msg_callback) {
        s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
                        p, len, s, s->msg_callback_arg);
        s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
                        s->s3->client_random, SSL3_RANDOM_SIZE,
                        s, s->msg_callback_arg);
        s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
                        s->s3->server_random, SSL3_RANDOM_SIZE,
                        s, s->msg_callback_arg);
        s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
                        s->session->master_key,
                        SSL3_MASTER_SECRET_SIZE, s, s->msg_callback_arg);
    }
538 539
#endif

540 541
    *secret_size = SSL3_MASTER_SECRET_SIZE;
    return 1;
542
}
543

544
int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
545 546 547 548 549
                                const char *label, size_t llen,
                                const unsigned char *context,
                                size_t contextlen, int use_context)
{
    unsigned char *val = NULL;
550
    size_t vallen = 0, currentvalpos;
551
    int rv;
B
Ben Laurie 已提交
552

553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597
    /*
     * construct PRF arguments we construct the PRF argument ourself rather
     * than passing separate values into the TLS PRF to ensure that the
     * concatenation of values does not create a prohibited label.
     */
    vallen = llen + SSL3_RANDOM_SIZE * 2;
    if (use_context) {
        vallen += 2 + contextlen;
    }

    val = OPENSSL_malloc(vallen);
    if (val == NULL)
        goto err2;
    currentvalpos = 0;
    memcpy(val + currentvalpos, (unsigned char *)label, llen);
    currentvalpos += llen;
    memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
    currentvalpos += SSL3_RANDOM_SIZE;
    memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
    currentvalpos += SSL3_RANDOM_SIZE;

    if (use_context) {
        val[currentvalpos] = (contextlen >> 8) & 0xff;
        currentvalpos++;
        val[currentvalpos] = contextlen & 0xff;
        currentvalpos++;
        if ((contextlen > 0) || (context != NULL)) {
            memcpy(val + currentvalpos, context, contextlen);
        }
    }

    /*
     * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
     * label len) = 15, so size of val > max(prohibited label len) = 15 and
     * the comparisons won't have buffer overflow
     */
    if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
               TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
        goto err1;
    if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
               TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
        goto err1;
    if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
               TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
        goto err1;
598 599 600
    if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST,
               TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0)
        goto err1;
601 602 603 604
    if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
               TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
        goto err1;

605
    rv = tls1_PRF(s,
606 607 608 609 610 611
                  val, vallen,
                  NULL, 0,
                  NULL, 0,
                  NULL, 0,
                  NULL, 0,
                  s->session->master_key, s->session->master_key_length,
D
Dr. Stephen Henson 已提交
612
                  out, olen);
B
Ben Laurie 已提交
613

614 615
    goto ret;
 err1:
E
Emilia Kasper 已提交
616
    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
617 618 619 620 621 622
    rv = 0;
    goto ret;
 err2:
    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
    rv = 0;
 ret:
623
    OPENSSL_clear_free(val, vallen);
624 625
    return (rv);
}
B
Ben Laurie 已提交
626

U
Ulf Möller 已提交
627
int tls1_alert_code(int code)
628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691
{
    switch (code) {
    case SSL_AD_CLOSE_NOTIFY:
        return (SSL3_AD_CLOSE_NOTIFY);
    case SSL_AD_UNEXPECTED_MESSAGE:
        return (SSL3_AD_UNEXPECTED_MESSAGE);
    case SSL_AD_BAD_RECORD_MAC:
        return (SSL3_AD_BAD_RECORD_MAC);
    case SSL_AD_DECRYPTION_FAILED:
        return (TLS1_AD_DECRYPTION_FAILED);
    case SSL_AD_RECORD_OVERFLOW:
        return (TLS1_AD_RECORD_OVERFLOW);
    case SSL_AD_DECOMPRESSION_FAILURE:
        return (SSL3_AD_DECOMPRESSION_FAILURE);
    case SSL_AD_HANDSHAKE_FAILURE:
        return (SSL3_AD_HANDSHAKE_FAILURE);
    case SSL_AD_NO_CERTIFICATE:
        return (-1);
    case SSL_AD_BAD_CERTIFICATE:
        return (SSL3_AD_BAD_CERTIFICATE);
    case SSL_AD_UNSUPPORTED_CERTIFICATE:
        return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
    case SSL_AD_CERTIFICATE_REVOKED:
        return (SSL3_AD_CERTIFICATE_REVOKED);
    case SSL_AD_CERTIFICATE_EXPIRED:
        return (SSL3_AD_CERTIFICATE_EXPIRED);
    case SSL_AD_CERTIFICATE_UNKNOWN:
        return (SSL3_AD_CERTIFICATE_UNKNOWN);
    case SSL_AD_ILLEGAL_PARAMETER:
        return (SSL3_AD_ILLEGAL_PARAMETER);
    case SSL_AD_UNKNOWN_CA:
        return (TLS1_AD_UNKNOWN_CA);
    case SSL_AD_ACCESS_DENIED:
        return (TLS1_AD_ACCESS_DENIED);
    case SSL_AD_DECODE_ERROR:
        return (TLS1_AD_DECODE_ERROR);
    case SSL_AD_DECRYPT_ERROR:
        return (TLS1_AD_DECRYPT_ERROR);
    case SSL_AD_EXPORT_RESTRICTION:
        return (TLS1_AD_EXPORT_RESTRICTION);
    case SSL_AD_PROTOCOL_VERSION:
        return (TLS1_AD_PROTOCOL_VERSION);
    case SSL_AD_INSUFFICIENT_SECURITY:
        return (TLS1_AD_INSUFFICIENT_SECURITY);
    case SSL_AD_INTERNAL_ERROR:
        return (TLS1_AD_INTERNAL_ERROR);
    case SSL_AD_USER_CANCELLED:
        return (TLS1_AD_USER_CANCELLED);
    case SSL_AD_NO_RENEGOTIATION:
        return (TLS1_AD_NO_RENEGOTIATION);
    case SSL_AD_UNSUPPORTED_EXTENSION:
        return (TLS1_AD_UNSUPPORTED_EXTENSION);
    case SSL_AD_CERTIFICATE_UNOBTAINABLE:
        return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
    case SSL_AD_UNRECOGNIZED_NAME:
        return (TLS1_AD_UNRECOGNIZED_NAME);
    case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
        return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
    case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
        return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
    case SSL_AD_UNKNOWN_PSK_IDENTITY:
        return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
    case SSL_AD_INAPPROPRIATE_FALLBACK:
        return (TLS1_AD_INAPPROPRIATE_FALLBACK);
692 693
    case SSL_AD_NO_APPLICATION_PROTOCOL:
        return (TLS1_AD_NO_APPLICATION_PROTOCOL);
694 695 696 697
    default:
        return (-1);
    }
}