t1_enc.c 22.1 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 *
R
Rich Salz 已提交
4 5 6 7
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
8
 */
R
Rich Salz 已提交
9

10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
/* ====================================================================
 * Copyright 2005 Nokia. All rights reserved.
 *
 * The portions of the attached software ("Contribution") is developed by
 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
 * license.
 *
 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
 * support (see RFC 4279) to OpenSSL.
 *
 * No patent licenses or other rights except those expressly stated in
 * the OpenSSL open source license shall be deemed granted or received
 * expressly, by implication, estoppel, or otherwise.
 *
 * No assurances are provided by Nokia that the Contribution does not
 * infringe the patent or other intellectual property rights of any third
 * party or that the license provides you with all the necessary rights
 * to make use of the Contribution.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
 * OTHERWISE.
 */
36 37

#include <stdio.h>
38
#include "ssl_locl.h"
R
Rich Salz 已提交
39
#include <openssl/comp.h>
40
#include <openssl/evp.h>
D
Dr. Stephen Henson 已提交
41
#include <openssl/kdf.h>
42
#include <openssl/rand.h>
43

D
Dr. Stephen Henson 已提交
44
/* seed1 through seed5 are concatenated */
45
static int tls1_PRF(SSL *s,
46 47 48 49 50 51 52
                    const void *seed1, size_t seed1_len,
                    const void *seed2, size_t seed2_len,
                    const void *seed3, size_t seed3_len,
                    const void *seed4, size_t seed4_len,
                    const void *seed5, size_t seed5_len,
                    const unsigned char *sec, size_t slen,
                    unsigned char *out, size_t olen)
53
{
54
    const EVP_MD *md = ssl_prf_md(s);
D
Dr. Stephen Henson 已提交
55 56 57
    EVP_PKEY_CTX *pctx = NULL;

    int ret = 0;
58

59
    if (md == NULL) {
M
Matt Caswell 已提交
60 61
        /* Should never happen */
        SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR);
62
        return 0;
M
Matt Caswell 已提交
63
    }
D
Dr. Stephen Henson 已提交
64 65 66
    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
    if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0
        || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0
67
        || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0)
D
Dr. Stephen Henson 已提交
68
        goto err;
69

70
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0)
D
Dr. Stephen Henson 已提交
71
        goto err;
72
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0)
D
Dr. Stephen Henson 已提交
73
        goto err;
74
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0)
D
Dr. Stephen Henson 已提交
75
        goto err;
76
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0)
D
Dr. Stephen Henson 已提交
77
        goto err;
78
    if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0)
D
Dr. Stephen Henson 已提交
79 80
        goto err;

81
    if (EVP_PKEY_derive(pctx, out, &olen) <= 0)
D
Dr. Stephen Henson 已提交
82 83 84
        goto err;
    ret = 1;

E
Emilia Kasper 已提交
85
 err:
D
Dr. Stephen Henson 已提交
86 87
    EVP_PKEY_CTX_free(pctx);
    return ret;
88
}
89

90
static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
91 92
{
    int ret;
93
    ret = tls1_PRF(s,
94 95 96 97
                   TLS_MD_KEY_EXPANSION_CONST,
                   TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random,
                   SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE,
                   NULL, 0, NULL, 0, s->session->master_key,
D
Dr. Stephen Henson 已提交
98
                   s->session->master_key_length, km, num);
99

100 101
    return ret;
}
102

U
Ulf Möller 已提交
103
int tls1_change_cipher_state(SSL *s, int which)
104 105 106 107 108 109 110 111 112
{
    unsigned char *p, *mac_secret;
    unsigned char tmp1[EVP_MAX_KEY_LENGTH];
    unsigned char tmp2[EVP_MAX_KEY_LENGTH];
    unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
    unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
    unsigned char *ms, *key, *iv;
    EVP_CIPHER_CTX *dd;
    const EVP_CIPHER *c;
113
#ifndef OPENSSL_NO_COMP
114
    const SSL_COMP *comp;
115
#endif
116 117
    const EVP_MD *m;
    int mac_type;
118
    size_t *mac_secret_size;
119 120
    EVP_MD_CTX *mac_ctx;
    EVP_PKEY *mac_key;
121
    size_t n, i, j, k, cl;
122 123 124 125 126
    int reuse_dd = 0;

    c = s->s3->tmp.new_sym_enc;
    m = s->s3->tmp.new_hash;
    mac_type = s->s3->tmp.new_mac_pkey_type;
127
#ifndef OPENSSL_NO_COMP
128
    comp = s->s3->tmp.new_compression;
129
#endif
130

131
    if (which & SSL3_CC_READ) {
132 133 134 135 136
        if (s->ext.use_etm)
            s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
        else
            s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;

137 138 139 140 141 142 143
        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
            s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
        else
            s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;

        if (s->enc_read_ctx != NULL)
            reuse_dd = 1;
144
        else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL)
145 146 147
            goto err;
        else
            /*
F
FdaSilvaYY 已提交
148
             * make sure it's initialised in case we exit later with an error
149
             */
150
            EVP_CIPHER_CTX_reset(s->enc_read_ctx);
151 152
        dd = s->enc_read_ctx;
        mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
153 154
        if (mac_ctx == NULL)
            goto err;
155
#ifndef OPENSSL_NO_COMP
R
Rich Salz 已提交
156 157
        COMP_CTX_free(s->expand);
        s->expand = NULL;
158 159 160 161 162 163 164 165
        if (comp != NULL) {
            s->expand = COMP_CTX_new(comp->method);
            if (s->expand == NULL) {
                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
        }
166
#endif
167
        /*
168
         * this is done by dtls1_reset_seq_numbers for DTLS
169
         */
170
        if (!SSL_IS_DTLS(s))
171
            RECORD_LAYER_reset_read_sequence(&s->rlayer);
172 173 174
        mac_secret = &(s->s3->read_mac_secret[0]);
        mac_secret_size = &(s->s3->read_mac_secret_size);
    } else {
175 176 177 178 179
        if (s->ext.use_etm)
            s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
        else
            s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;

180 181 182 183 184 185 186 187 188 189
        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
            s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
        else
            s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
        if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
            reuse_dd = 1;
        else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL)
            goto err;
        dd = s->enc_write_ctx;
        if (SSL_IS_DTLS(s)) {
190
            mac_ctx = EVP_MD_CTX_new();
191
            if (mac_ctx == NULL)
192 193
                goto err;
            s->write_hash = mac_ctx;
194
        } else {
195
            mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
196 197 198
            if (mac_ctx == NULL)
                goto err;
        }
199
#ifndef OPENSSL_NO_COMP
R
Rich Salz 已提交
200 201
        COMP_CTX_free(s->compress);
        s->compress = NULL;
202 203 204 205 206 207 208 209
        if (comp != NULL) {
            s->compress = COMP_CTX_new(comp->method);
            if (s->compress == NULL) {
                SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
                       SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err2;
            }
        }
210
#endif
211
        /*
212
         * this is done by dtls1_reset_seq_numbers for DTLS
213
         */
214
        if (!SSL_IS_DTLS(s))
215
            RECORD_LAYER_reset_write_sequence(&s->rlayer);
216 217 218 219 220
        mac_secret = &(s->s3->write_mac_secret[0]);
        mac_secret_size = &(s->s3->write_mac_secret_size);
    }

    if (reuse_dd)
221
        EVP_CIPHER_CTX_reset(dd);
222 223 224 225

    p = s->s3->tmp.key_block;
    i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;

226
    /* TODO(size_t): convert me */
227
    cl = EVP_CIPHER_key_length(c);
228
    j = cl;
229
    /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
D
Dr. Stephen Henson 已提交
230
    /* If GCM/CCM mode only part of IV comes from PRF */
231 232
    if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
        k = EVP_GCM_TLS_FIXED_IV_LEN;
D
Dr. Stephen Henson 已提交
233 234
    else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
        k = EVP_CCM_TLS_FIXED_IV_LEN;
235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262
    else
        k = EVP_CIPHER_iv_length(c);
    if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
        (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
        ms = &(p[0]);
        n = i + i;
        key = &(p[n]);
        n += j + j;
        iv = &(p[n]);
        n += k + k;
    } else {
        n = i;
        ms = &(p[n]);
        n += i + j;
        key = &(p[n]);
        n += j + k;
        iv = &(p[n]);
        n += k;
    }

    if (n > s->s3->tmp.key_block_length) {
        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }

    memcpy(mac_secret, ms, i);

    if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
263
        /* TODO(size_t): Convert this function */
264
        mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
265
                                       mac_secret, (int)*mac_secret_size);
266
        if (mac_key == NULL
E
Emilia Kasper 已提交
267
            || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
268 269 270 271
            EVP_PKEY_free(mac_key);
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
272 273
        EVP_PKEY_free(mac_key);
    }
R
Rich Salz 已提交
274
#ifdef SSL_DEBUG
275 276
    printf("which = %04X\nmac key=", which);
    {
277
        size_t z;
278 279 280
        for (z = 0; z < i; z++)
            printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n');
    }
281
#endif
282 283

    if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
284
        if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))
285 286
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k,
                                    iv)) {
287 288 289
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
D
Dr. Stephen Henson 已提交
290
    } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
D
Dr. Stephen Henson 已提交
291
        int taglen;
E
Emilia Kasper 已提交
292 293
        if (s->s3->tmp.
            new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
294
            taglen = EVP_CCM8_TLS_TAG_LEN;
D
Dr. Stephen Henson 已提交
295
        else
296
            taglen = EVP_CCM_TLS_TAG_LEN;
D
Dr. Stephen Henson 已提交
297 298 299
        if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
300
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv)
D
Dr. Stephen Henson 已提交
301 302 303 304
            || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
305 306 307 308 309 310
    } else {
        if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
            SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
            goto err2;
        }
    }
311
    /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
312 313
    if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
        && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
314
                                (int)*mac_secret_size, mac_secret)) {
315 316 317
        SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
        goto err2;
    }
318

R
Rich Salz 已提交
319
#ifdef SSL_DEBUG
320 321 322 323 324 325 326 327
    printf("which = %04X\nkey=", which);
    {
        int z;
        for (z = 0; z < EVP_CIPHER_key_length(c); z++)
            printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("\niv=");
    {
328
        size_t z;
329 330 331 332
        for (z = 0; z < k; z++)
            printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("\n");
333 334
#endif

335 336 337 338 339 340 341 342
    OPENSSL_cleanse(tmp1, sizeof(tmp1));
    OPENSSL_cleanse(tmp2, sizeof(tmp1));
    OPENSSL_cleanse(iv1, sizeof(iv1));
    OPENSSL_cleanse(iv2, sizeof(iv2));
    return (1);
 err:
    SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
 err2:
R
Rich Salz 已提交
343 344 345 346
    OPENSSL_cleanse(tmp1, sizeof(tmp1));
    OPENSSL_cleanse(tmp2, sizeof(tmp1));
    OPENSSL_cleanse(iv1, sizeof(iv1));
    OPENSSL_cleanse(iv2, sizeof(iv2));
347 348
    return (0);
}
349

U
Ulf Möller 已提交
350
int tls1_setup_key_block(SSL *s)
351
{
D
Dr. Stephen Henson 已提交
352
    unsigned char *p;
353 354 355
    const EVP_CIPHER *c;
    const EVP_MD *hash;
    SSL_COMP *comp;
356 357
    int mac_type = NID_undef;
    size_t num, mac_secret_size = 0;
358
    int ret = 0;
359

360 361 362
    if (s->s3->tmp.key_block_length != 0)
        return (1);

363 364
    if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
                            &comp, s->ext.use_etm)) {
365 366 367 368 369 370 371 372
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
        return (0);
    }

    s->s3->tmp.new_sym_enc = c;
    s->s3->tmp.new_hash = hash;
    s->s3->tmp.new_mac_pkey_type = mac_type;
    s->s3->tmp.new_mac_secret_size = mac_secret_size;
E
Emilia Kasper 已提交
373
    num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
374 375 376 377
    num *= 2;

    ssl3_cleanup_key_block(s);

D
Dr. Stephen Henson 已提交
378
    if ((p = OPENSSL_malloc(num)) == NULL) {
379 380 381 382 383
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    s->s3->tmp.key_block_length = num;
D
Dr. Stephen Henson 已提交
384
    s->s3->tmp.key_block = p;
385

R
Rich Salz 已提交
386
#ifdef SSL_DEBUG
387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402
    printf("client random\n");
    {
        int z;
        for (z = 0; z < SSL3_RANDOM_SIZE; z++)
            printf("%02X%c", s->s3->client_random[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("server random\n");
    {
        int z;
        for (z = 0; z < SSL3_RANDOM_SIZE; z++)
            printf("%02X%c", s->s3->server_random[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("master key\n");
    {
403
        size_t z;
404 405 406 407
        for (z = 0; z < s->session->master_key_length; z++)
            printf("%02X%c", s->session->master_key[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
408
#endif
D
Dr. Stephen Henson 已提交
409
    if (!tls1_generate_key_block(s, p, num))
410
        goto err;
R
Rich Salz 已提交
411
#ifdef SSL_DEBUG
412 413
    printf("\nkey block\n");
    {
414
        size_t z;
415
        for (z = 0; z < num; z++)
R
Rich Salz 已提交
416
            printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n');
417
    }
418 419
#endif

420 421 422 423 424 425 426 427 428 429 430 431
    if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
        && s->method->version <= TLS1_VERSION) {
        /*
         * enable vulnerability countermeasure for CBC ciphers with known-IV
         * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
         */
        s->s3->need_empty_fragments = 1;

        if (s->session->cipher != NULL) {
            if (s->session->cipher->algorithm_enc == SSL_eNULL)
                s->s3->need_empty_fragments = 0;

432
#ifndef OPENSSL_NO_RC4
433 434
            if (s->session->cipher->algorithm_enc == SSL_RC4)
                s->s3->need_empty_fragments = 0;
435
#endif
436 437 438 439 440 441 442
        }
    }

    ret = 1;
 err:
    return (ret);
}
443

444 445
size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
                             unsigned char *out)
446
{
447
    size_t hashlen;
448
    unsigned char hash[EVP_MAX_MD_SIZE];
449

450 451
    if (!ssl3_digest_cached_records(s, 0))
        return 0;
452

453
    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen))
454
        return 0;
455

D
Dr. Stephen Henson 已提交
456
    if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
457
                  s->session->master_key, s->session->master_key_length,
D
Dr. Stephen Henson 已提交
458
                  out, TLS1_FINISH_MAC_LENGTH))
459
        return 0;
M
Matt Caswell 已提交
460
    OPENSSL_cleanse(hash, hashlen);
D
Dr. Stephen Henson 已提交
461
    return TLS1_FINISH_MAC_LENGTH;
462
}
463

U
Ulf Möller 已提交
464
int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
465
                                size_t len, size_t *secret_size)
466
{
467
    if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
468
        unsigned char hash[EVP_MAX_MD_SIZE * 2];
469
        size_t hashlen;
E
Emilia Kasper 已提交
470 471 472 473
        /*
         * Digest cached records keeping record buffer (if present): this wont
         * affect client auth because we're freezing the buffer at the same
         * point (after client key exchange and before certificate verify)
474 475
         */
        if (!ssl3_digest_cached_records(s, 1))
476 477 478
            return 0;
        if(!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen))
            return 0;
479 480 481 482
#ifdef SSL_DEBUG
        fprintf(stderr, "Handshake hashes:\n");
        BIO_dump_fp(stderr, (char *)hash, hashlen);
#endif
483
        tls1_PRF(s,
484 485 486 487
                 TLS_MD_EXTENDED_MASTER_SECRET_CONST,
                 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,
                 hash, hashlen,
                 NULL, 0,
D
Dr. Stephen Henson 已提交
488
                 NULL, 0,
D
Dr. Stephen Henson 已提交
489 490
                 NULL, 0, p, len, s->session->master_key,
                 SSL3_MASTER_SECRET_SIZE);
491 492
        OPENSSL_cleanse(hash, hashlen);
    } else {
493
        tls1_PRF(s,
494 495 496
                 TLS_MD_MASTER_SECRET_CONST,
                 TLS_MD_MASTER_SECRET_CONST_SIZE,
                 s->s3->client_random, SSL3_RANDOM_SIZE,
D
Dr. Stephen Henson 已提交
497
                 NULL, 0,
498
                 s->s3->server_random, SSL3_RANDOM_SIZE,
D
Dr. Stephen Henson 已提交
499 500
                 NULL, 0, p, len, s->session->master_key,
                 SSL3_MASTER_SECRET_SIZE);
501
    }
502
#ifdef SSL_DEBUG
503 504 505 506 507 508 509 510 511
    fprintf(stderr, "Premaster Secret:\n");
    BIO_dump_fp(stderr, (char *)p, len);
    fprintf(stderr, "Client Random:\n");
    BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE);
    fprintf(stderr, "Server Random:\n");
    BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE);
    fprintf(stderr, "Master Secret:\n");
    BIO_dump_fp(stderr, (char *)s->session->master_key,
                SSL3_MASTER_SECRET_SIZE);
512
#endif
513

514 515
    *secret_size = SSL3_MASTER_SECRET_SIZE;
    return 1;
516
}
517

518
int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
519 520 521 522 523
                                const char *label, size_t llen,
                                const unsigned char *context,
                                size_t contextlen, int use_context)
{
    unsigned char *val = NULL;
524
    size_t vallen = 0, currentvalpos;
525
    int rv;
B
Ben Laurie 已提交
526

527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571
    /*
     * construct PRF arguments we construct the PRF argument ourself rather
     * than passing separate values into the TLS PRF to ensure that the
     * concatenation of values does not create a prohibited label.
     */
    vallen = llen + SSL3_RANDOM_SIZE * 2;
    if (use_context) {
        vallen += 2 + contextlen;
    }

    val = OPENSSL_malloc(vallen);
    if (val == NULL)
        goto err2;
    currentvalpos = 0;
    memcpy(val + currentvalpos, (unsigned char *)label, llen);
    currentvalpos += llen;
    memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
    currentvalpos += SSL3_RANDOM_SIZE;
    memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
    currentvalpos += SSL3_RANDOM_SIZE;

    if (use_context) {
        val[currentvalpos] = (contextlen >> 8) & 0xff;
        currentvalpos++;
        val[currentvalpos] = contextlen & 0xff;
        currentvalpos++;
        if ((contextlen > 0) || (context != NULL)) {
            memcpy(val + currentvalpos, context, contextlen);
        }
    }

    /*
     * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
     * label len) = 15, so size of val > max(prohibited label len) = 15 and
     * the comparisons won't have buffer overflow
     */
    if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
               TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
        goto err1;
    if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
               TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
        goto err1;
    if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
               TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
        goto err1;
572 573 574
    if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST,
               TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0)
        goto err1;
575 576 577 578
    if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
               TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
        goto err1;

579
    rv = tls1_PRF(s,
580 581 582 583 584 585
                  val, vallen,
                  NULL, 0,
                  NULL, 0,
                  NULL, 0,
                  NULL, 0,
                  s->session->master_key, s->session->master_key_length,
D
Dr. Stephen Henson 已提交
586
                  out, olen);
B
Ben Laurie 已提交
587

588 589
    goto ret;
 err1:
E
Emilia Kasper 已提交
590
    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
591 592 593 594 595 596
    rv = 0;
    goto ret;
 err2:
    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
    rv = 0;
 ret:
597
    OPENSSL_clear_free(val, vallen);
598 599
    return (rv);
}
B
Ben Laurie 已提交
600

U
Ulf Möller 已提交
601
int tls1_alert_code(int code)
602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665
{
    switch (code) {
    case SSL_AD_CLOSE_NOTIFY:
        return (SSL3_AD_CLOSE_NOTIFY);
    case SSL_AD_UNEXPECTED_MESSAGE:
        return (SSL3_AD_UNEXPECTED_MESSAGE);
    case SSL_AD_BAD_RECORD_MAC:
        return (SSL3_AD_BAD_RECORD_MAC);
    case SSL_AD_DECRYPTION_FAILED:
        return (TLS1_AD_DECRYPTION_FAILED);
    case SSL_AD_RECORD_OVERFLOW:
        return (TLS1_AD_RECORD_OVERFLOW);
    case SSL_AD_DECOMPRESSION_FAILURE:
        return (SSL3_AD_DECOMPRESSION_FAILURE);
    case SSL_AD_HANDSHAKE_FAILURE:
        return (SSL3_AD_HANDSHAKE_FAILURE);
    case SSL_AD_NO_CERTIFICATE:
        return (-1);
    case SSL_AD_BAD_CERTIFICATE:
        return (SSL3_AD_BAD_CERTIFICATE);
    case SSL_AD_UNSUPPORTED_CERTIFICATE:
        return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
    case SSL_AD_CERTIFICATE_REVOKED:
        return (SSL3_AD_CERTIFICATE_REVOKED);
    case SSL_AD_CERTIFICATE_EXPIRED:
        return (SSL3_AD_CERTIFICATE_EXPIRED);
    case SSL_AD_CERTIFICATE_UNKNOWN:
        return (SSL3_AD_CERTIFICATE_UNKNOWN);
    case SSL_AD_ILLEGAL_PARAMETER:
        return (SSL3_AD_ILLEGAL_PARAMETER);
    case SSL_AD_UNKNOWN_CA:
        return (TLS1_AD_UNKNOWN_CA);
    case SSL_AD_ACCESS_DENIED:
        return (TLS1_AD_ACCESS_DENIED);
    case SSL_AD_DECODE_ERROR:
        return (TLS1_AD_DECODE_ERROR);
    case SSL_AD_DECRYPT_ERROR:
        return (TLS1_AD_DECRYPT_ERROR);
    case SSL_AD_EXPORT_RESTRICTION:
        return (TLS1_AD_EXPORT_RESTRICTION);
    case SSL_AD_PROTOCOL_VERSION:
        return (TLS1_AD_PROTOCOL_VERSION);
    case SSL_AD_INSUFFICIENT_SECURITY:
        return (TLS1_AD_INSUFFICIENT_SECURITY);
    case SSL_AD_INTERNAL_ERROR:
        return (TLS1_AD_INTERNAL_ERROR);
    case SSL_AD_USER_CANCELLED:
        return (TLS1_AD_USER_CANCELLED);
    case SSL_AD_NO_RENEGOTIATION:
        return (TLS1_AD_NO_RENEGOTIATION);
    case SSL_AD_UNSUPPORTED_EXTENSION:
        return (TLS1_AD_UNSUPPORTED_EXTENSION);
    case SSL_AD_CERTIFICATE_UNOBTAINABLE:
        return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
    case SSL_AD_UNRECOGNIZED_NAME:
        return (TLS1_AD_UNRECOGNIZED_NAME);
    case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
        return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
    case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
        return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
    case SSL_AD_UNKNOWN_PSK_IDENTITY:
        return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
    case SSL_AD_INAPPROPRIATE_FALLBACK:
        return (TLS1_AD_INAPPROPRIATE_FALLBACK);
666 667
    case SSL_AD_NO_APPLICATION_PROTOCOL:
        return (TLS1_AD_NO_APPLICATION_PROTOCOL);
668 669
    case SSL_AD_CERTIFICATE_REQUIRED:
        return SSL_AD_HANDSHAKE_FAILURE;
670 671 672 673
    default:
        return (-1);
    }
}