t1_enc.c 22.7 KB
Newer Older
R
Rich Salz 已提交
1 2
/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3
 * Copyright 2005 Nokia. All rights reserved.
4
 *
R
Rich Salz 已提交
5 6 7 8
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
9
 */
R
Rich Salz 已提交
10

11
#include <stdio.h>
12
#include "ssl_locl.h"
R
Rich Salz 已提交
13
#include <openssl/comp.h>
14
#include <openssl/evp.h>
D
Dr. Stephen Henson 已提交
15
#include <openssl/kdf.h>
16
#include <openssl/rand.h>
17

D
Dr. Stephen Henson 已提交
18
/* seed1 through seed5 are concatenated */
19
static int tls1_PRF(SSL *s,
20 21 22 23 24 25
                    const void *seed1, size_t seed1_len,
                    const void *seed2, size_t seed2_len,
                    const void *seed3, size_t seed3_len,
                    const void *seed4, size_t seed4_len,
                    const void *seed5, size_t seed5_len,
                    const unsigned char *sec, size_t slen,
26
                    unsigned char *out, size_t olen, int fatal)
27
{
28
    const EVP_MD *md = ssl_prf_md(s);
D
Dr. Stephen Henson 已提交
29 30
    EVP_PKEY_CTX *pctx = NULL;
    int ret = 0;
31

32
    if (md == NULL) {
M
Matt Caswell 已提交
33
        /* Should never happen */
34 35 36 37 38
        if (fatal)
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_PRF,
                     ERR_R_INTERNAL_ERROR);
        else
            SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR);
39
        return 0;
M
Matt Caswell 已提交
40
    }
D
Dr. Stephen Henson 已提交
41 42 43
    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
    if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0
        || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0
44 45 46 47 48 49 50 51 52 53 54 55
        || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0
        || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0
        || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0
        || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0
        || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0
        || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0
        || EVP_PKEY_derive(pctx, out, &olen) <= 0) {
        if (fatal)
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_PRF,
                     ERR_R_INTERNAL_ERROR);
        else
            SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR);
D
Dr. Stephen Henson 已提交
56
        goto err;
57
    }
D
Dr. Stephen Henson 已提交
58 59 60

    ret = 1;

E
Emilia Kasper 已提交
61
 err:
D
Dr. Stephen Henson 已提交
62 63
    EVP_PKEY_CTX_free(pctx);
    return ret;
64
}
65

66
static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num)
67 68
{
    int ret;
69 70

    /* Calls SSLfatal() as required */
71
    ret = tls1_PRF(s,
72 73 74 75
                   TLS_MD_KEY_EXPANSION_CONST,
                   TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random,
                   SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE,
                   NULL, 0, NULL, 0, s->session->master_key,
76
                   s->session->master_key_length, km, num, 1);
77

78 79
    return ret;
}
80

U
Ulf Möller 已提交
81
int tls1_change_cipher_state(SSL *s, int which)
82 83 84 85 86 87 88 89 90
{
    unsigned char *p, *mac_secret;
    unsigned char tmp1[EVP_MAX_KEY_LENGTH];
    unsigned char tmp2[EVP_MAX_KEY_LENGTH];
    unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
    unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
    unsigned char *ms, *key, *iv;
    EVP_CIPHER_CTX *dd;
    const EVP_CIPHER *c;
91
#ifndef OPENSSL_NO_COMP
92
    const SSL_COMP *comp;
93
#endif
94 95
    const EVP_MD *m;
    int mac_type;
96
    size_t *mac_secret_size;
97 98
    EVP_MD_CTX *mac_ctx;
    EVP_PKEY *mac_key;
99
    size_t n, i, j, k, cl;
100 101 102 103 104
    int reuse_dd = 0;

    c = s->s3->tmp.new_sym_enc;
    m = s->s3->tmp.new_hash;
    mac_type = s->s3->tmp.new_mac_pkey_type;
105
#ifndef OPENSSL_NO_COMP
106
    comp = s->s3->tmp.new_compression;
107
#endif
108

109
    if (which & SSL3_CC_READ) {
110 111 112 113 114
        if (s->ext.use_etm)
            s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
        else
            s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;

115 116 117 118 119
        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
            s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
        else
            s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;

120
        if (s->enc_read_ctx != NULL) {
121
            reuse_dd = 1;
122 123 124
        } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                     ERR_R_MALLOC_FAILURE);
125
            goto err;
126
        } else {
127
            /*
F
FdaSilvaYY 已提交
128
             * make sure it's initialised in case we exit later with an error
129
             */
130
            EVP_CIPHER_CTX_reset(s->enc_read_ctx);
131
        }
132 133
        dd = s->enc_read_ctx;
        mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
134 135
        if (mac_ctx == NULL)
            goto err;
136
#ifndef OPENSSL_NO_COMP
R
Rich Salz 已提交
137 138
        COMP_CTX_free(s->expand);
        s->expand = NULL;
139 140 141
        if (comp != NULL) {
            s->expand = COMP_CTX_new(comp->method);
            if (s->expand == NULL) {
142 143 144 145
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS1_CHANGE_CIPHER_STATE,
                         SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err;
146 147
            }
        }
148
#endif
149
        /*
150
         * this is done by dtls1_reset_seq_numbers for DTLS
151
         */
152
        if (!SSL_IS_DTLS(s))
153
            RECORD_LAYER_reset_read_sequence(&s->rlayer);
154 155 156
        mac_secret = &(s->s3->read_mac_secret[0]);
        mac_secret_size = &(s->s3->read_mac_secret_size);
    } else {
157 158 159 160 161
        if (s->ext.use_etm)
            s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
        else
            s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;

162 163 164 165
        if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
            s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
        else
            s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
166
        if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) {
167
            reuse_dd = 1;
168 169 170
        } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) {
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                     ERR_R_MALLOC_FAILURE);
171
            goto err;
172
        }
173
        EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, EVP_CTRL_SET_DRBG, 0, s->drbg);
174 175
        dd = s->enc_write_ctx;
        if (SSL_IS_DTLS(s)) {
176
            mac_ctx = EVP_MD_CTX_new();
177 178 179 180
            if (mac_ctx == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS1_CHANGE_CIPHER_STATE,
                         ERR_R_MALLOC_FAILURE);
181
                goto err;
182
            }
183
            s->write_hash = mac_ctx;
184
        } else {
185
            mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
186 187 188 189
            if (mac_ctx == NULL) {
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS1_CHANGE_CIPHER_STATE,
                         ERR_R_MALLOC_FAILURE);
190
                goto err;
191
            }
192
        }
193
#ifndef OPENSSL_NO_COMP
R
Rich Salz 已提交
194 195
        COMP_CTX_free(s->compress);
        s->compress = NULL;
196 197 198
        if (comp != NULL) {
            s->compress = COMP_CTX_new(comp->method);
            if (s->compress == NULL) {
199 200 201 202
                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                         SSL_F_TLS1_CHANGE_CIPHER_STATE,
                        SSL_R_COMPRESSION_LIBRARY_ERROR);
                goto err;
203 204
            }
        }
205
#endif
206
        /*
207
         * this is done by dtls1_reset_seq_numbers for DTLS
208
         */
209
        if (!SSL_IS_DTLS(s))
210
            RECORD_LAYER_reset_write_sequence(&s->rlayer);
211 212 213 214 215
        mac_secret = &(s->s3->write_mac_secret[0]);
        mac_secret_size = &(s->s3->write_mac_secret_size);
    }

    if (reuse_dd)
216
        EVP_CIPHER_CTX_reset(dd);
217 218 219 220

    p = s->s3->tmp.key_block;
    i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;

221
    /* TODO(size_t): convert me */
222
    cl = EVP_CIPHER_key_length(c);
223
    j = cl;
224
    /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
D
Dr. Stephen Henson 已提交
225
    /* If GCM/CCM mode only part of IV comes from PRF */
226 227
    if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
        k = EVP_GCM_TLS_FIXED_IV_LEN;
D
Dr. Stephen Henson 已提交
228 229
    else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
        k = EVP_CCM_TLS_FIXED_IV_LEN;
230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250
    else
        k = EVP_CIPHER_iv_length(c);
    if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
        (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
        ms = &(p[0]);
        n = i + i;
        key = &(p[n]);
        n += j + j;
        iv = &(p[n]);
        n += k + k;
    } else {
        n = i;
        ms = &(p[n]);
        n += i + j;
        key = &(p[n]);
        n += j + k;
        iv = &(p[n]);
        n += k;
    }

    if (n > s->s3->tmp.key_block_length) {
251 252 253
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                 ERR_R_INTERNAL_ERROR);
        goto err;
254 255 256 257 258
    }

    memcpy(mac_secret, ms, i);

    if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
259
        /* TODO(size_t): Convert this function */
260
        mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
261
                                       mac_secret, (int)*mac_secret_size);
262
        if (mac_key == NULL
E
Emilia Kasper 已提交
263
            || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
264
            EVP_PKEY_free(mac_key);
265 266 267
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
268
        }
269 270
        EVP_PKEY_free(mac_key);
    }
R
Rich Salz 已提交
271
#ifdef SSL_DEBUG
272 273
    printf("which = %04X\nmac key=", which);
    {
274
        size_t z;
275 276 277
        for (z = 0; z < i; z++)
            printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n');
    }
278
#endif
279 280

    if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
281
        if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))
282 283
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k,
                                    iv)) {
284 285 286
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
287
        }
D
Dr. Stephen Henson 已提交
288
    } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
D
Dr. Stephen Henson 已提交
289
        int taglen;
E
Emilia Kasper 已提交
290 291
        if (s->s3->tmp.
            new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
292
            taglen = EVP_CCM8_TLS_TAG_LEN;
D
Dr. Stephen Henson 已提交
293
        else
294
            taglen = EVP_CCM_TLS_TAG_LEN;
D
Dr. Stephen Henson 已提交
295 296 297
        if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
298
            || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv)
D
Dr. Stephen Henson 已提交
299
            || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
300 301 302
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
D
Dr. Stephen Henson 已提交
303
        }
304 305
    } else {
        if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
306 307 308
            SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                     ERR_R_INTERNAL_ERROR);
            goto err;
309 310
        }
    }
311
    /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
312 313
    if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
        && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
314
                                (int)*mac_secret_size, mac_secret)) {
315 316 317
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE,
                 ERR_R_INTERNAL_ERROR);
        goto err;
318
    }
319

R
Rich Salz 已提交
320
#ifdef SSL_DEBUG
321 322 323 324 325 326 327 328
    printf("which = %04X\nkey=", which);
    {
        int z;
        for (z = 0; z < EVP_CIPHER_key_length(c); z++)
            printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("\niv=");
    {
329
        size_t z;
330 331 332 333
        for (z = 0; z < k; z++)
            printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("\n");
334 335
#endif

336 337 338 339
    OPENSSL_cleanse(tmp1, sizeof(tmp1));
    OPENSSL_cleanse(tmp2, sizeof(tmp1));
    OPENSSL_cleanse(iv1, sizeof(iv1));
    OPENSSL_cleanse(iv2, sizeof(iv2));
340
    return 1;
341
 err:
R
Rich Salz 已提交
342 343 344 345
    OPENSSL_cleanse(tmp1, sizeof(tmp1));
    OPENSSL_cleanse(tmp2, sizeof(tmp1));
    OPENSSL_cleanse(iv1, sizeof(iv1));
    OPENSSL_cleanse(iv2, sizeof(iv2));
K
KaoruToda 已提交
346
    return 0;
347
}
348

U
Ulf Möller 已提交
349
int tls1_setup_key_block(SSL *s)
350
{
D
Dr. Stephen Henson 已提交
351
    unsigned char *p;
352 353 354
    const EVP_CIPHER *c;
    const EVP_MD *hash;
    SSL_COMP *comp;
355 356
    int mac_type = NID_undef;
    size_t num, mac_secret_size = 0;
357
    int ret = 0;
358

359
    if (s->s3->tmp.key_block_length != 0)
360
        return 1;
361

362 363
    if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
                            &comp, s->ext.use_etm)) {
364 365
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK,
                 SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
K
KaoruToda 已提交
366
        return 0;
367 368 369 370 371 372
    }

    s->s3->tmp.new_sym_enc = c;
    s->s3->tmp.new_hash = hash;
    s->s3->tmp.new_mac_pkey_type = mac_type;
    s->s3->tmp.new_mac_secret_size = mac_secret_size;
E
Emilia Kasper 已提交
373
    num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
374 375 376 377
    num *= 2;

    ssl3_cleanup_key_block(s);

D
Dr. Stephen Henson 已提交
378
    if ((p = OPENSSL_malloc(num)) == NULL) {
379 380
        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK,
                 ERR_R_MALLOC_FAILURE);
381 382 383 384
        goto err;
    }

    s->s3->tmp.key_block_length = num;
D
Dr. Stephen Henson 已提交
385
    s->s3->tmp.key_block = p;
386

R
Rich Salz 已提交
387
#ifdef SSL_DEBUG
388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403
    printf("client random\n");
    {
        int z;
        for (z = 0; z < SSL3_RANDOM_SIZE; z++)
            printf("%02X%c", s->s3->client_random[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("server random\n");
    {
        int z;
        for (z = 0; z < SSL3_RANDOM_SIZE; z++)
            printf("%02X%c", s->s3->server_random[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
    printf("master key\n");
    {
404
        size_t z;
405 406 407 408
        for (z = 0; z < s->session->master_key_length; z++)
            printf("%02X%c", s->session->master_key[z],
                   ((z + 1) % 16) ? ' ' : '\n');
    }
409
#endif
410 411
    if (!tls1_generate_key_block(s, p, num)) {
        /* SSLfatal() already called */
412
        goto err;
413
    }
R
Rich Salz 已提交
414
#ifdef SSL_DEBUG
415 416
    printf("\nkey block\n");
    {
417
        size_t z;
418
        for (z = 0; z < num; z++)
R
Rich Salz 已提交
419
            printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n');
420
    }
421 422
#endif

423 424 425 426 427 428 429 430 431 432 433 434
    if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
        && s->method->version <= TLS1_VERSION) {
        /*
         * enable vulnerability countermeasure for CBC ciphers with known-IV
         * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
         */
        s->s3->need_empty_fragments = 1;

        if (s->session->cipher != NULL) {
            if (s->session->cipher->algorithm_enc == SSL_eNULL)
                s->s3->need_empty_fragments = 0;

435
#ifndef OPENSSL_NO_RC4
436 437
            if (s->session->cipher->algorithm_enc == SSL_RC4)
                s->s3->need_empty_fragments = 0;
438
#endif
439 440 441 442 443
        }
    }

    ret = 1;
 err:
K
KaoruToda 已提交
444
    return ret;
445
}
446

447 448
size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen,
                             unsigned char *out)
449
{
450
    size_t hashlen;
451
    unsigned char hash[EVP_MAX_MD_SIZE];
452

453 454
    if (!ssl3_digest_cached_records(s, 0)) {
        /* SSLfatal() already called */
455
        return 0;
456
    }
457

458 459
    if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
        /* SSLfatal() already called */
460
        return 0;
461
    }
462

D
Dr. Stephen Henson 已提交
463
    if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
464
                  s->session->master_key, s->session->master_key_length,
465 466
                  out, TLS1_FINISH_MAC_LENGTH, 1)) {
        /* SSLfatal() already called */
467
        return 0;
468
    }
M
Matt Caswell 已提交
469
    OPENSSL_cleanse(hash, hashlen);
D
Dr. Stephen Henson 已提交
470
    return TLS1_FINISH_MAC_LENGTH;
471
}
472

U
Ulf Möller 已提交
473
int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
474
                                size_t len, size_t *secret_size)
475
{
476
    if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
477
        unsigned char hash[EVP_MAX_MD_SIZE * 2];
478
        size_t hashlen;
E
Emilia Kasper 已提交
479 480 481 482
        /*
         * Digest cached records keeping record buffer (if present): this wont
         * affect client auth because we're freezing the buffer at the same
         * point (after client key exchange and before certificate verify)
483
         */
484 485 486
        if (!ssl3_digest_cached_records(s, 1)
                || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
            /* SSLfatal() already called */
487
            return 0;
488
        }
489 490 491 492
#ifdef SSL_DEBUG
        fprintf(stderr, "Handshake hashes:\n");
        BIO_dump_fp(stderr, (char *)hash, hashlen);
#endif
493 494 495 496 497 498 499 500 501 502 503
        if (!tls1_PRF(s,
                      TLS_MD_EXTENDED_MASTER_SECRET_CONST,
                      TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,
                      hash, hashlen,
                      NULL, 0,
                      NULL, 0,
                      NULL, 0, p, len, out,
                      SSL3_MASTER_SECRET_SIZE, 1)) {
            /* SSLfatal() already called */
            return 0;
        }
504 505
        OPENSSL_cleanse(hash, hashlen);
    } else {
506 507 508 509 510 511 512 513 514 515 516
        if (!tls1_PRF(s,
                      TLS_MD_MASTER_SECRET_CONST,
                      TLS_MD_MASTER_SECRET_CONST_SIZE,
                      s->s3->client_random, SSL3_RANDOM_SIZE,
                      NULL, 0,
                      s->s3->server_random, SSL3_RANDOM_SIZE,
                      NULL, 0, p, len, out,
                      SSL3_MASTER_SECRET_SIZE, 1)) {
           /* SSLfatal() already called */
            return 0;
        }
517
    }
518
#ifdef SSL_DEBUG
519 520 521 522 523 524 525 526 527
    fprintf(stderr, "Premaster Secret:\n");
    BIO_dump_fp(stderr, (char *)p, len);
    fprintf(stderr, "Client Random:\n");
    BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE);
    fprintf(stderr, "Server Random:\n");
    BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE);
    fprintf(stderr, "Master Secret:\n");
    BIO_dump_fp(stderr, (char *)s->session->master_key,
                SSL3_MASTER_SECRET_SIZE);
528
#endif
529

530 531
    *secret_size = SSL3_MASTER_SECRET_SIZE;
    return 1;
532
}
533

534
int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
535 536 537 538 539
                                const char *label, size_t llen,
                                const unsigned char *context,
                                size_t contextlen, int use_context)
{
    unsigned char *val = NULL;
540
    size_t vallen = 0, currentvalpos;
541
    int rv;
B
Ben Laurie 已提交
542

543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587
    /*
     * construct PRF arguments we construct the PRF argument ourself rather
     * than passing separate values into the TLS PRF to ensure that the
     * concatenation of values does not create a prohibited label.
     */
    vallen = llen + SSL3_RANDOM_SIZE * 2;
    if (use_context) {
        vallen += 2 + contextlen;
    }

    val = OPENSSL_malloc(vallen);
    if (val == NULL)
        goto err2;
    currentvalpos = 0;
    memcpy(val + currentvalpos, (unsigned char *)label, llen);
    currentvalpos += llen;
    memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
    currentvalpos += SSL3_RANDOM_SIZE;
    memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
    currentvalpos += SSL3_RANDOM_SIZE;

    if (use_context) {
        val[currentvalpos] = (contextlen >> 8) & 0xff;
        currentvalpos++;
        val[currentvalpos] = contextlen & 0xff;
        currentvalpos++;
        if ((contextlen > 0) || (context != NULL)) {
            memcpy(val + currentvalpos, context, contextlen);
        }
    }

    /*
     * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
     * label len) = 15, so size of val > max(prohibited label len) = 15 and
     * the comparisons won't have buffer overflow
     */
    if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
               TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
        goto err1;
    if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
               TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
        goto err1;
    if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
               TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
        goto err1;
588 589 590
    if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST,
               TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0)
        goto err1;
591 592 593 594
    if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
               TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
        goto err1;

595
    rv = tls1_PRF(s,
596 597 598 599 600 601
                  val, vallen,
                  NULL, 0,
                  NULL, 0,
                  NULL, 0,
                  NULL, 0,
                  s->session->master_key, s->session->master_key_length,
602
                  out, olen, 0);
B
Ben Laurie 已提交
603

604 605
    goto ret;
 err1:
E
Emilia Kasper 已提交
606
    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
607 608 609 610 611 612
    rv = 0;
    goto ret;
 err2:
    SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
    rv = 0;
 ret:
613
    OPENSSL_clear_free(val, vallen);
K
KaoruToda 已提交
614
    return rv;
615
}
B
Ben Laurie 已提交
616

U
Ulf Möller 已提交
617
int tls1_alert_code(int code)
618 619 620
{
    switch (code) {
    case SSL_AD_CLOSE_NOTIFY:
K
KaoruToda 已提交
621
        return SSL3_AD_CLOSE_NOTIFY;
622
    case SSL_AD_UNEXPECTED_MESSAGE:
K
KaoruToda 已提交
623
        return SSL3_AD_UNEXPECTED_MESSAGE;
624
    case SSL_AD_BAD_RECORD_MAC:
K
KaoruToda 已提交
625
        return SSL3_AD_BAD_RECORD_MAC;
626
    case SSL_AD_DECRYPTION_FAILED:
K
KaoruToda 已提交
627
        return TLS1_AD_DECRYPTION_FAILED;
628
    case SSL_AD_RECORD_OVERFLOW:
K
KaoruToda 已提交
629
        return TLS1_AD_RECORD_OVERFLOW;
630
    case SSL_AD_DECOMPRESSION_FAILURE:
K
KaoruToda 已提交
631
        return SSL3_AD_DECOMPRESSION_FAILURE;
632
    case SSL_AD_HANDSHAKE_FAILURE:
K
KaoruToda 已提交
633
        return SSL3_AD_HANDSHAKE_FAILURE;
634
    case SSL_AD_NO_CERTIFICATE:
K
KaoruToda 已提交
635
        return -1;
636
    case SSL_AD_BAD_CERTIFICATE:
K
KaoruToda 已提交
637
        return SSL3_AD_BAD_CERTIFICATE;
638
    case SSL_AD_UNSUPPORTED_CERTIFICATE:
K
KaoruToda 已提交
639
        return SSL3_AD_UNSUPPORTED_CERTIFICATE;
640
    case SSL_AD_CERTIFICATE_REVOKED:
K
KaoruToda 已提交
641
        return SSL3_AD_CERTIFICATE_REVOKED;
642
    case SSL_AD_CERTIFICATE_EXPIRED:
K
KaoruToda 已提交
643
        return SSL3_AD_CERTIFICATE_EXPIRED;
644
    case SSL_AD_CERTIFICATE_UNKNOWN:
K
KaoruToda 已提交
645
        return SSL3_AD_CERTIFICATE_UNKNOWN;
646
    case SSL_AD_ILLEGAL_PARAMETER:
K
KaoruToda 已提交
647
        return SSL3_AD_ILLEGAL_PARAMETER;
648
    case SSL_AD_UNKNOWN_CA:
K
KaoruToda 已提交
649
        return TLS1_AD_UNKNOWN_CA;
650
    case SSL_AD_ACCESS_DENIED:
K
KaoruToda 已提交
651
        return TLS1_AD_ACCESS_DENIED;
652
    case SSL_AD_DECODE_ERROR:
K
KaoruToda 已提交
653
        return TLS1_AD_DECODE_ERROR;
654
    case SSL_AD_DECRYPT_ERROR:
K
KaoruToda 已提交
655
        return TLS1_AD_DECRYPT_ERROR;
656
    case SSL_AD_EXPORT_RESTRICTION:
K
KaoruToda 已提交
657
        return TLS1_AD_EXPORT_RESTRICTION;
658
    case SSL_AD_PROTOCOL_VERSION:
K
KaoruToda 已提交
659
        return TLS1_AD_PROTOCOL_VERSION;
660
    case SSL_AD_INSUFFICIENT_SECURITY:
K
KaoruToda 已提交
661
        return TLS1_AD_INSUFFICIENT_SECURITY;
662
    case SSL_AD_INTERNAL_ERROR:
K
KaoruToda 已提交
663
        return TLS1_AD_INTERNAL_ERROR;
664
    case SSL_AD_USER_CANCELLED:
K
KaoruToda 已提交
665
        return TLS1_AD_USER_CANCELLED;
666
    case SSL_AD_NO_RENEGOTIATION:
K
KaoruToda 已提交
667
        return TLS1_AD_NO_RENEGOTIATION;
668
    case SSL_AD_UNSUPPORTED_EXTENSION:
K
KaoruToda 已提交
669
        return TLS1_AD_UNSUPPORTED_EXTENSION;
670
    case SSL_AD_CERTIFICATE_UNOBTAINABLE:
K
KaoruToda 已提交
671
        return TLS1_AD_CERTIFICATE_UNOBTAINABLE;
672
    case SSL_AD_UNRECOGNIZED_NAME:
K
KaoruToda 已提交
673
        return TLS1_AD_UNRECOGNIZED_NAME;
674
    case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
K
KaoruToda 已提交
675
        return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
676
    case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
K
KaoruToda 已提交
677
        return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE;
678
    case SSL_AD_UNKNOWN_PSK_IDENTITY:
K
KaoruToda 已提交
679
        return TLS1_AD_UNKNOWN_PSK_IDENTITY;
680
    case SSL_AD_INAPPROPRIATE_FALLBACK:
K
KaoruToda 已提交
681
        return TLS1_AD_INAPPROPRIATE_FALLBACK;
682
    case SSL_AD_NO_APPLICATION_PROTOCOL:
K
KaoruToda 已提交
683
        return TLS1_AD_NO_APPLICATION_PROTOCOL;
684 685
    case SSL_AD_CERTIFICATE_REQUIRED:
        return SSL_AD_HANDSHAKE_FAILURE;
686
    default:
K
KaoruToda 已提交
687
        return -1;
688 689
    }
}