t1_enc.c revision 1.105
1/* $OpenBSD: t1_enc.c,v 1.105 2017/03/18 13:04:30 jsing Exp $ */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138#include <limits.h> 139#include <stdio.h> 140 141#include "ssl_locl.h" 142 143#include <openssl/evp.h> 144#include <openssl/hmac.h> 145#include <openssl/md5.h> 146 147int tls1_PRF(SSL *s, const void *seed1, int seed1_len, const void *seed2, 148 int seed2_len, const void *seed3, int seed3_len, const void *seed4, 149 int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec, 150 int slen, unsigned char *out, int olen); 151 152void 153tls1_cleanup_key_block(SSL *s) 154{ 155 if (S3I(s)->tmp.key_block != NULL) { 156 explicit_bzero(S3I(s)->tmp.key_block, 157 S3I(s)->tmp.key_block_length); 158 free(S3I(s)->tmp.key_block); 159 S3I(s)->tmp.key_block = NULL; 160 } 161 S3I(s)->tmp.key_block_length = 0; 162} 163 164int 165tls1_init_finished_mac(SSL *s) 166{ 167 BIO_free(S3I(s)->handshake_buffer); 168 169 S3I(s)->handshake_buffer = BIO_new(BIO_s_mem()); 170 if (S3I(s)->handshake_buffer == NULL) 171 return (0); 172 173 (void)BIO_set_close(S3I(s)->handshake_buffer, BIO_CLOSE); 174 175 return (1); 176} 177 178int 179tls1_finish_mac(SSL *s, const unsigned char *buf, int len) 180{ 181 if (len < 0) 182 return 0; 183 184 if (!tls1_handshake_hash_update(s, buf, len)) 185 return 0; 186 187 if (S3I(s)->handshake_buffer && 188 !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 189 BIO_write(S3I(s)->handshake_buffer, (void *)buf, len); 190 return 1; 191 } 192 193 return 1; 194} 195 196int 197tls1_digest_cached_records(SSL *s) 198{ 199 long hdatalen; 200 void *hdata; 201 202 hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); 203 if (hdatalen <= 0) { 204 SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH); 205 goto err; 206 } 207 208 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 209 BIO_free(S3I(s)->handshake_buffer); 210 S3I(s)->handshake_buffer = NULL; 211 } 212 213 return 1; 214 215 err: 216 return 0; 217} 218 219void 220tls1_record_sequence_increment(unsigned char *seq) 221{ 222 int i; 223 224 for (i = SSL3_SEQUENCE_SIZE - 1; i >= 0; i--) { 225 if (++seq[i] != 0) 226 break; 227 } 228} 229 230/* 231 * TLS P_hash() data expansion function - see RFC 5246, section 5. 232 */ 233static int 234tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, 235 const void *seed1, int seed1_len, const void *seed2, int seed2_len, 236 const void *seed3, int seed3_len, const void *seed4, int seed4_len, 237 const void *seed5, int seed5_len, unsigned char *out, int olen) 238{ 239 unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE]; 240 size_t A1_len, hmac_len; 241 EVP_MD_CTX ctx; 242 EVP_PKEY *mac_key; 243 int ret = 0; 244 int chunk; 245 size_t i; 246 247 chunk = EVP_MD_size(md); 248 OPENSSL_assert(chunk >= 0); 249 250 EVP_MD_CTX_init(&ctx); 251 252 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); 253 if (!mac_key) 254 goto err; 255 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) 256 goto err; 257 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) 258 goto err; 259 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) 260 goto err; 261 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) 262 goto err; 263 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) 264 goto err; 265 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) 266 goto err; 267 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) 268 goto err; 269 270 for (;;) { 271 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) 272 goto err; 273 if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) 274 goto err; 275 if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) 276 goto err; 277 if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) 278 goto err; 279 if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) 280 goto err; 281 if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) 282 goto err; 283 if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) 284 goto err; 285 if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len)) 286 goto err; 287 288 if (hmac_len > olen) 289 hmac_len = olen; 290 291 for (i = 0; i < hmac_len; i++) 292 out[i] ^= hmac[i]; 293 294 out += hmac_len; 295 olen -= hmac_len; 296 297 if (olen == 0) 298 break; 299 300 if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) 301 goto err; 302 if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) 303 goto err; 304 if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) 305 goto err; 306 } 307 ret = 1; 308 309 err: 310 EVP_PKEY_free(mac_key); 311 EVP_MD_CTX_cleanup(&ctx); 312 313 explicit_bzero(A1, sizeof(A1)); 314 explicit_bzero(hmac, sizeof(hmac)); 315 316 return ret; 317} 318 319/* seed1 through seed5 are virtually concatenated */ 320int 321tls1_PRF(SSL *s, const void *seed1, int seed1_len, const void *seed2, 322 int seed2_len, const void *seed3, int seed3_len, const void *seed4, 323 int seed4_len, const void *seed5, int seed5_len, const unsigned char *sec, 324 int slen, unsigned char *out, int olen) 325{ 326 const EVP_MD *md; 327 size_t hlen; 328 329 memset(out, 0, olen); 330 331 if (!ssl_get_handshake_evp_md(s, &md)) 332 return (0); 333 334 if (md->type == NID_md5_sha1) { 335 /* 336 * Partition secret between MD5 and SHA1, then XOR result. 337 * If the secret length is odd, a one byte overlap is used. 338 */ 339 hlen = slen - (slen / 2); 340 if (!tls1_P_hash(EVP_md5(), sec, hlen, seed1, seed1_len, seed2, 341 seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, 342 seed5_len, out, olen)) 343 return (0); 344 345 sec += slen - hlen; 346 if (!tls1_P_hash(EVP_sha1(), sec, hlen, seed1, seed1_len, seed2, 347 seed2_len, seed3, seed3_len, seed4, seed4_len, seed5, 348 seed5_len, out, olen)) 349 return (0); 350 351 return (1); 352 } 353 354 if (!tls1_P_hash(md, sec, slen, seed1, seed1_len, seed2, seed2_len, 355 seed3, seed3_len, seed4, seed4_len, seed5, seed5_len, out, olen)) 356 return (0); 357 358 return (1); 359} 360 361static int 362tls1_generate_key_block(SSL *s, unsigned char *km, int num) 363{ 364 return tls1_PRF(s, 365 TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, 366 s->s3->server_random, SSL3_RANDOM_SIZE, 367 s->s3->client_random, SSL3_RANDOM_SIZE, 368 NULL, 0, NULL, 0, 369 s->session->master_key, s->session->master_key_length, 370 km, num); 371} 372 373/* 374 * tls1_aead_ctx_init allocates aead_ctx, if needed. It returns 1 on success 375 * and 0 on failure. 376 */ 377static int 378tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) 379{ 380 if (*aead_ctx != NULL) { 381 EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); 382 return (1); 383 } 384 385 *aead_ctx = malloc(sizeof(SSL_AEAD_CTX)); 386 if (*aead_ctx == NULL) { 387 SSLerrorx(ERR_R_MALLOC_FAILURE); 388 return (0); 389 } 390 391 return (1); 392} 393 394static int 395tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, 396 unsigned key_len, const unsigned char *iv, unsigned iv_len) 397{ 398 const EVP_AEAD *aead = S3I(s)->tmp.new_aead; 399 SSL_AEAD_CTX *aead_ctx; 400 401 if (is_read) { 402 if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx)) 403 return 0; 404 aead_ctx = s->internal->aead_read_ctx; 405 } else { 406 if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx)) 407 return 0; 408 aead_ctx = s->internal->aead_write_ctx; 409 } 410 411 if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, 412 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) 413 return (0); 414 if (iv_len > sizeof(aead_ctx->fixed_nonce)) { 415 SSLerrorx(ERR_R_INTERNAL_ERROR); 416 return (0); 417 } 418 memcpy(aead_ctx->fixed_nonce, iv, iv_len); 419 aead_ctx->fixed_nonce_len = iv_len; 420 aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ 421 aead_ctx->variable_nonce_in_record = 422 (S3I(s)->tmp.new_cipher->algorithm2 & 423 SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD) != 0; 424 aead_ctx->xor_fixed_nonce = 425 S3I(s)->tmp.new_cipher->algorithm_enc == SSL_CHACHA20POLY1305; 426 aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); 427 428 if (aead_ctx->xor_fixed_nonce) { 429 if (aead_ctx->fixed_nonce_len != EVP_AEAD_nonce_length(aead) || 430 aead_ctx->variable_nonce_len > EVP_AEAD_nonce_length(aead)) { 431 SSLerrorx(ERR_R_INTERNAL_ERROR); 432 return (0); 433 } 434 } else { 435 if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != 436 EVP_AEAD_nonce_length(aead)) { 437 SSLerrorx(ERR_R_INTERNAL_ERROR); 438 return (0); 439 } 440 } 441 442 return (1); 443} 444 445/* 446 * tls1_change_cipher_state_cipher performs the work needed to switch cipher 447 * states when using EVP_CIPHER. The argument is_read is true iff this function 448 * is being called due to reading, as opposed to writing, a ChangeCipherSpec 449 * message. In order to support export ciphersuites, use_client_keys indicates 450 * whether the key material provided is in the "client write" direction. 451 */ 452static int 453tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys, 454 const unsigned char *mac_secret, unsigned int mac_secret_size, 455 const unsigned char *key, unsigned int key_len, const unsigned char *iv, 456 unsigned int iv_len) 457{ 458 EVP_CIPHER_CTX *cipher_ctx; 459 const EVP_CIPHER *cipher; 460 EVP_MD_CTX *mac_ctx; 461 const EVP_MD *mac; 462 int mac_type; 463 464 cipher = S3I(s)->tmp.new_sym_enc; 465 mac = S3I(s)->tmp.new_hash; 466 mac_type = S3I(s)->tmp.new_mac_pkey_type; 467 468 if (is_read) { 469 if (S3I(s)->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 470 s->internal->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 471 else 472 s->internal->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 473 474 EVP_CIPHER_CTX_free(s->enc_read_ctx); 475 s->enc_read_ctx = NULL; 476 EVP_MD_CTX_destroy(s->read_hash); 477 s->read_hash = NULL; 478 479 if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 480 goto err; 481 s->enc_read_ctx = cipher_ctx; 482 if ((mac_ctx = EVP_MD_CTX_create()) == NULL) 483 goto err; 484 s->read_hash = mac_ctx; 485 } else { 486 if (S3I(s)->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 487 s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 488 else 489 s->internal->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 490 491 /* 492 * DTLS fragments retain a pointer to the compression, cipher 493 * and hash contexts, so that it can restore state in order 494 * to perform retransmissions. As such, we cannot free write 495 * contexts that are used for DTLS - these are instead freed 496 * by DTLS when its frees a ChangeCipherSpec fragment. 497 */ 498 if (!SSL_IS_DTLS(s)) { 499 EVP_CIPHER_CTX_free(s->internal->enc_write_ctx); 500 s->internal->enc_write_ctx = NULL; 501 EVP_MD_CTX_destroy(s->internal->write_hash); 502 s->internal->write_hash = NULL; 503 } 504 if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) 505 goto err; 506 s->internal->enc_write_ctx = cipher_ctx; 507 if ((mac_ctx = EVP_MD_CTX_create()) == NULL) 508 goto err; 509 s->internal->write_hash = mac_ctx; 510 } 511 512 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) { 513 EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, NULL, 514 !is_read); 515 EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, 516 iv_len, (unsigned char *)iv); 517 } else 518 EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); 519 520 if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { 521 EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 522 mac_secret, mac_secret_size); 523 if (mac_key == NULL) 524 goto err; 525 EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key); 526 EVP_PKEY_free(mac_key); 527 } else if (mac_secret_size > 0) { 528 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 529 EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, 530 mac_secret_size, (unsigned char *)mac_secret); 531 } 532 533 if (S3I(s)->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) { 534 int nid; 535 if (S3I(s)->tmp.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) 536 nid = NID_id_Gost28147_89_CryptoPro_A_ParamSet; 537 else 538 nid = NID_id_tc26_gost_28147_param_Z; 539 540 EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GOST_SET_SBOX, nid, 0); 541 if (S3I(s)->tmp.new_cipher->algorithm_mac == SSL_GOST89MAC) 542 EVP_MD_CTX_ctrl(mac_ctx, EVP_MD_CTRL_GOST_SET_SBOX, nid, 0); 543 } 544 545 return (1); 546 547err: 548 SSLerrorx(ERR_R_MALLOC_FAILURE); 549 return (0); 550} 551 552int 553tls1_change_cipher_state(SSL *s, int which) 554{ 555 const unsigned char *client_write_mac_secret, *server_write_mac_secret; 556 const unsigned char *client_write_key, *server_write_key; 557 const unsigned char *client_write_iv, *server_write_iv; 558 const unsigned char *mac_secret, *key, *iv; 559 int mac_secret_size, key_len, iv_len; 560 unsigned char *key_block, *seq; 561 const EVP_CIPHER *cipher; 562 const EVP_AEAD *aead; 563 char is_read, use_client_keys; 564 565 566 cipher = S3I(s)->tmp.new_sym_enc; 567 aead = S3I(s)->tmp.new_aead; 568 569 /* 570 * is_read is true if we have just read a ChangeCipherSpec message, 571 * that is we need to update the read cipherspec. Otherwise we have 572 * just written one. 573 */ 574 is_read = (which & SSL3_CC_READ) != 0; 575 576 /* 577 * use_client_keys is true if we wish to use the keys for the "client 578 * write" direction. This is the case if we're a client sending a 579 * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. 580 */ 581 use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 582 (which == SSL3_CHANGE_CIPHER_SERVER_READ)); 583 584 585 /* 586 * Reset sequence number to zero - for DTLS this is handled in 587 * dtls1_reset_seq_numbers(). 588 */ 589 if (!SSL_IS_DTLS(s)) { 590 seq = is_read ? S3I(s)->read_sequence : S3I(s)->write_sequence; 591 memset(seq, 0, SSL3_SEQUENCE_SIZE); 592 } 593 594 if (aead != NULL) { 595 key_len = EVP_AEAD_key_length(aead); 596 iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->tmp.new_cipher); 597 } else { 598 key_len = EVP_CIPHER_key_length(cipher); 599 iv_len = EVP_CIPHER_iv_length(cipher); 600 601 /* If GCM mode only part of IV comes from PRF. */ 602 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) 603 iv_len = EVP_GCM_TLS_FIXED_IV_LEN; 604 } 605 606 mac_secret_size = s->s3->tmp.new_mac_secret_size; 607 608 key_block = S3I(s)->tmp.key_block; 609 client_write_mac_secret = key_block; 610 key_block += mac_secret_size; 611 server_write_mac_secret = key_block; 612 key_block += mac_secret_size; 613 client_write_key = key_block; 614 key_block += key_len; 615 server_write_key = key_block; 616 key_block += key_len; 617 client_write_iv = key_block; 618 key_block += iv_len; 619 server_write_iv = key_block; 620 key_block += iv_len; 621 622 if (use_client_keys) { 623 mac_secret = client_write_mac_secret; 624 key = client_write_key; 625 iv = client_write_iv; 626 } else { 627 mac_secret = server_write_mac_secret; 628 key = server_write_key; 629 iv = server_write_iv; 630 } 631 632 if (key_block - S3I(s)->tmp.key_block != S3I(s)->tmp.key_block_length) { 633 SSLerror(s, ERR_R_INTERNAL_ERROR); 634 goto err2; 635 } 636 637 if (is_read) { 638 memcpy(S3I(s)->read_mac_secret, mac_secret, mac_secret_size); 639 S3I(s)->read_mac_secret_size = mac_secret_size; 640 } else { 641 memcpy(S3I(s)->write_mac_secret, mac_secret, mac_secret_size); 642 S3I(s)->write_mac_secret_size = mac_secret_size; 643 } 644 645 if (aead != NULL) { 646 return tls1_change_cipher_state_aead(s, is_read, key, key_len, 647 iv, iv_len); 648 } 649 650 return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, 651 mac_secret, mac_secret_size, key, key_len, iv, iv_len); 652 653err2: 654 return (0); 655} 656 657int 658tls1_setup_key_block(SSL *s) 659{ 660 unsigned char *key_block; 661 int mac_type = NID_undef, mac_secret_size = 0; 662 int key_block_len, key_len, iv_len; 663 const EVP_CIPHER *cipher = NULL; 664 const EVP_AEAD *aead = NULL; 665 const EVP_MD *mac = NULL; 666 int ret = 0; 667 668 if (S3I(s)->tmp.key_block_length != 0) 669 return (1); 670 671 if (s->session->cipher && 672 (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { 673 if (!ssl_cipher_get_evp_aead(s->session, &aead)) { 674 SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 675 return (0); 676 } 677 key_len = EVP_AEAD_key_length(aead); 678 iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); 679 } else { 680 if (!ssl_cipher_get_evp(s->session, &cipher, &mac, &mac_type, 681 &mac_secret_size)) { 682 SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 683 return (0); 684 } 685 key_len = EVP_CIPHER_key_length(cipher); 686 iv_len = EVP_CIPHER_iv_length(cipher); 687 688 /* If GCM mode only part of IV comes from PRF. */ 689 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) 690 iv_len = EVP_GCM_TLS_FIXED_IV_LEN; 691 } 692 693 S3I(s)->tmp.new_aead = aead; 694 S3I(s)->tmp.new_sym_enc = cipher; 695 S3I(s)->tmp.new_hash = mac; 696 S3I(s)->tmp.new_mac_pkey_type = mac_type; 697 s->s3->tmp.new_mac_secret_size = mac_secret_size; 698 699 tls1_cleanup_key_block(s); 700 701 if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len, 702 2)) == NULL) { 703 SSLerror(s, ERR_R_MALLOC_FAILURE); 704 goto err; 705 } 706 key_block_len = (mac_secret_size + key_len + iv_len) * 2; 707 708 S3I(s)->tmp.key_block_length = key_block_len; 709 S3I(s)->tmp.key_block = key_block; 710 711 if (!tls1_generate_key_block(s, key_block, key_block_len)) 712 goto err; 713 714 if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && 715 s->method->internal->version <= TLS1_VERSION) { 716 /* 717 * Enable vulnerability countermeasure for CBC ciphers with 718 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 719 */ 720 S3I(s)->need_empty_fragments = 1; 721 722 if (s->session->cipher != NULL) { 723 if (s->session->cipher->algorithm_enc == SSL_eNULL) 724 S3I(s)->need_empty_fragments = 0; 725 726#ifndef OPENSSL_NO_RC4 727 if (s->session->cipher->algorithm_enc == SSL_RC4) 728 S3I(s)->need_empty_fragments = 0; 729#endif 730 } 731 } 732 733 ret = 1; 734 735 err: 736 return (ret); 737} 738 739/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 740 * 741 * Returns: 742 * 0: (in non-constant time) if the record is publically invalid (i.e. too 743 * short etc). 744 * 1: if the record's padding is valid / the encryption was successful. 745 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, 746 * an internal error occured. 747 */ 748int 749tls1_enc(SSL *s, int send) 750{ 751 const SSL_AEAD_CTX *aead; 752 const EVP_CIPHER *enc; 753 EVP_CIPHER_CTX *ds; 754 SSL3_RECORD *rec; 755 unsigned char *seq; 756 unsigned long l; 757 int bs, i, j, k, pad = 0, ret, mac_size = 0; 758 759 if (send) { 760 aead = s->internal->aead_write_ctx; 761 rec = &S3I(s)->wrec; 762 seq = S3I(s)->write_sequence; 763 } else { 764 aead = s->internal->aead_read_ctx; 765 rec = &S3I(s)->rrec; 766 seq = S3I(s)->read_sequence; 767 } 768 769 if (aead) { 770 unsigned char ad[13], *in, *out, nonce[16]; 771 size_t out_len, pad_len = 0; 772 unsigned int nonce_used; 773 774 if (SSL_IS_DTLS(s)) { 775 dtls1_build_sequence_number(ad, seq, 776 send ? D1I(s)->w_epoch : D1I(s)->r_epoch); 777 } else { 778 memcpy(ad, seq, SSL3_SEQUENCE_SIZE); 779 tls1_record_sequence_increment(seq); 780 } 781 782 ad[8] = rec->type; 783 ad[9] = (unsigned char)(s->version >> 8); 784 ad[10] = (unsigned char)(s->version); 785 786 if (aead->variable_nonce_len > 8 || 787 aead->variable_nonce_len > sizeof(nonce)) 788 return -1; 789 790 if (aead->xor_fixed_nonce) { 791 if (aead->fixed_nonce_len > sizeof(nonce) || 792 aead->variable_nonce_len > aead->fixed_nonce_len) 793 return -1; /* Should never happen. */ 794 pad_len = aead->fixed_nonce_len - aead->variable_nonce_len; 795 } else { 796 if (aead->fixed_nonce_len + 797 aead->variable_nonce_len > sizeof(nonce)) 798 return -1; /* Should never happen. */ 799 } 800 801 if (send) { 802 size_t len = rec->length; 803 size_t eivlen = 0; 804 in = rec->input; 805 out = rec->data; 806 807 if (aead->xor_fixed_nonce) { 808 /* 809 * The sequence number is left zero 810 * padded, then xored with the fixed 811 * nonce. 812 */ 813 memset(nonce, 0, pad_len); 814 memcpy(nonce + pad_len, ad, 815 aead->variable_nonce_len); 816 for (i = 0; i < aead->fixed_nonce_len; i++) 817 nonce[i] ^= aead->fixed_nonce[i]; 818 nonce_used = aead->fixed_nonce_len; 819 } else { 820 /* 821 * When sending we use the sequence number as 822 * the variable part of the nonce. 823 */ 824 memcpy(nonce, aead->fixed_nonce, 825 aead->fixed_nonce_len); 826 nonce_used = aead->fixed_nonce_len; 827 memcpy(nonce + nonce_used, ad, 828 aead->variable_nonce_len); 829 nonce_used += aead->variable_nonce_len; 830 } 831 832 /* 833 * In do_ssl3_write, rec->input is moved forward by 834 * variable_nonce_len in order to leave space for the 835 * variable nonce. Thus we can copy the sequence number 836 * bytes into place without overwriting any of the 837 * plaintext. 838 */ 839 if (aead->variable_nonce_in_record) { 840 memcpy(out, ad, aead->variable_nonce_len); 841 len -= aead->variable_nonce_len; 842 eivlen = aead->variable_nonce_len; 843 } 844 845 ad[11] = len >> 8; 846 ad[12] = len & 0xff; 847 848 if (!EVP_AEAD_CTX_seal(&aead->ctx, 849 out + eivlen, &out_len, len + aead->tag_len, nonce, 850 nonce_used, in + eivlen, len, ad, sizeof(ad))) 851 return -1; 852 if (aead->variable_nonce_in_record) 853 out_len += aead->variable_nonce_len; 854 } else { 855 /* receive */ 856 size_t len = rec->length; 857 858 if (rec->data != rec->input) 859 return -1; /* internal error - should never happen. */ 860 out = in = rec->input; 861 862 if (len < aead->variable_nonce_len) 863 return 0; 864 865 if (aead->xor_fixed_nonce) { 866 /* 867 * The sequence number is left zero 868 * padded, then xored with the fixed 869 * nonce. 870 */ 871 memset(nonce, 0, pad_len); 872 memcpy(nonce + pad_len, ad, 873 aead->variable_nonce_len); 874 for (i = 0; i < aead->fixed_nonce_len; i++) 875 nonce[i] ^= aead->fixed_nonce[i]; 876 nonce_used = aead->fixed_nonce_len; 877 } else { 878 memcpy(nonce, aead->fixed_nonce, 879 aead->fixed_nonce_len); 880 nonce_used = aead->fixed_nonce_len; 881 882 memcpy(nonce + nonce_used, 883 aead->variable_nonce_in_record ? in : ad, 884 aead->variable_nonce_len); 885 nonce_used += aead->variable_nonce_len; 886 } 887 888 if (aead->variable_nonce_in_record) { 889 in += aead->variable_nonce_len; 890 len -= aead->variable_nonce_len; 891 out += aead->variable_nonce_len; 892 } 893 894 if (len < aead->tag_len) 895 return 0; 896 len -= aead->tag_len; 897 898 ad[11] = len >> 8; 899 ad[12] = len & 0xff; 900 901 if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len, 902 nonce, nonce_used, in, len + aead->tag_len, ad, 903 sizeof(ad))) 904 return -1; 905 906 rec->data = rec->input = out; 907 } 908 909 rec->length = out_len; 910 911 return 1; 912 } 913 914 if (send) { 915 if (EVP_MD_CTX_md(s->internal->write_hash)) { 916 int n = EVP_MD_CTX_size(s->internal->write_hash); 917 OPENSSL_assert(n >= 0); 918 } 919 ds = s->internal->enc_write_ctx; 920 if (s->internal->enc_write_ctx == NULL) 921 enc = NULL; 922 else { 923 int ivlen = 0; 924 enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx); 925 if (SSL_USE_EXPLICIT_IV(s) && 926 EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) 927 ivlen = EVP_CIPHER_iv_length(enc); 928 if (ivlen > 1) { 929 if (rec->data != rec->input) { 930#ifdef DEBUG 931 /* we can't write into the input stream: 932 * Can this ever happen?? (steve) 933 */ 934 fprintf(stderr, 935 "%s:%d: rec->data != rec->input\n", 936 __FILE__, __LINE__); 937#endif 938 } else 939 arc4random_buf(rec->input, ivlen); 940 } 941 } 942 } else { 943 if (EVP_MD_CTX_md(s->read_hash)) { 944 int n = EVP_MD_CTX_size(s->read_hash); 945 OPENSSL_assert(n >= 0); 946 } 947 ds = s->enc_read_ctx; 948 if (s->enc_read_ctx == NULL) 949 enc = NULL; 950 else 951 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 952 } 953 954 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 955 memmove(rec->data, rec->input, rec->length); 956 rec->input = rec->data; 957 ret = 1; 958 } else { 959 l = rec->length; 960 bs = EVP_CIPHER_block_size(ds->cipher); 961 962 if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { 963 unsigned char buf[13]; 964 965 if (SSL_IS_DTLS(s)) { 966 dtls1_build_sequence_number(buf, seq, 967 send ? D1I(s)->w_epoch : D1I(s)->r_epoch); 968 } else { 969 memcpy(buf, seq, SSL3_SEQUENCE_SIZE); 970 tls1_record_sequence_increment(seq); 971 } 972 973 buf[8] = rec->type; 974 buf[9] = (unsigned char)(s->version >> 8); 975 buf[10] = (unsigned char)(s->version); 976 buf[11] = rec->length >> 8; 977 buf[12] = rec->length & 0xff; 978 pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); 979 if (send) { 980 l += pad; 981 rec->length += pad; 982 } 983 } else if ((bs != 1) && send) { 984 i = bs - ((int)l % bs); 985 986 /* Add weird padding of upto 256 bytes */ 987 988 /* we need to add 'i' padding bytes of value j */ 989 j = i - 1; 990 for (k = (int)l; k < (int)(l + i); k++) 991 rec->input[k] = j; 992 l += i; 993 rec->length += i; 994 } 995 996 if (!send) { 997 if (l == 0 || l % bs != 0) 998 return 0; 999 } 1000 1001 i = EVP_Cipher(ds, rec->data, rec->input, l); 1002 if ((EVP_CIPHER_flags(ds->cipher) & 1003 EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0)) 1004 return -1; /* AEAD can fail to verify MAC */ 1005 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { 1006 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1007 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; 1008 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; 1009 } 1010 1011 ret = 1; 1012 if (EVP_MD_CTX_md(s->read_hash) != NULL) 1013 mac_size = EVP_MD_CTX_size(s->read_hash); 1014 if ((bs != 1) && !send) 1015 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); 1016 if (pad && !send) 1017 rec->length -= pad; 1018 } 1019 return ret; 1020} 1021 1022int 1023tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) 1024{ 1025 unsigned char buf1[EVP_MAX_MD_SIZE]; 1026 size_t hlen; 1027 1028 if (!tls1_handshake_hash_value(s, buf1, sizeof(buf1), &hlen)) 1029 return 0; 1030 1031 if (hlen > INT_MAX) 1032 return 0; 1033 1034 if (!tls1_PRF(s, str, slen, buf1, hlen, NULL, 0, NULL, 0, NULL, 0, 1035 s->session->master_key, s->session->master_key_length, 1036 out, TLS1_FINISH_MAC_LENGTH)) 1037 return 0; 1038 1039 return TLS1_FINISH_MAC_LENGTH; 1040} 1041 1042int 1043tls1_mac(SSL *ssl, unsigned char *md, int send) 1044{ 1045 SSL3_RECORD *rec; 1046 unsigned char *seq; 1047 EVP_MD_CTX *hash; 1048 size_t md_size, orig_len; 1049 EVP_MD_CTX hmac, *mac_ctx; 1050 unsigned char header[13]; 1051 int stream_mac = (send ? 1052 (ssl->internal->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) : 1053 (ssl->internal->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); 1054 int t; 1055 1056 if (send) { 1057 rec = &(ssl->s3->internal->wrec); 1058 seq = &(ssl->s3->internal->write_sequence[0]); 1059 hash = ssl->internal->write_hash; 1060 } else { 1061 rec = &(ssl->s3->internal->rrec); 1062 seq = &(ssl->s3->internal->read_sequence[0]); 1063 hash = ssl->read_hash; 1064 } 1065 1066 t = EVP_MD_CTX_size(hash); 1067 OPENSSL_assert(t >= 0); 1068 md_size = t; 1069 1070 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 1071 if (stream_mac) { 1072 mac_ctx = hash; 1073 } else { 1074 if (!EVP_MD_CTX_copy(&hmac, hash)) 1075 return -1; 1076 mac_ctx = &hmac; 1077 } 1078 1079 if (SSL_IS_DTLS(ssl)) 1080 dtls1_build_sequence_number(header, seq, 1081 send ? D1I(ssl)->w_epoch : D1I(ssl)->r_epoch); 1082 else 1083 memcpy(header, seq, SSL3_SEQUENCE_SIZE); 1084 1085 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ 1086 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); 1087 rec->type &= 0xff; 1088 1089 header[8] = rec->type; 1090 header[9] = (unsigned char)(ssl->version >> 8); 1091 header[10] = (unsigned char)(ssl->version); 1092 header[11] = (rec->length) >> 8; 1093 header[12] = (rec->length) & 0xff; 1094 1095 if (!send && 1096 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 1097 ssl3_cbc_record_digest_supported(mac_ctx)) { 1098 /* This is a CBC-encrypted record. We must avoid leaking any 1099 * timing-side channel information about how many blocks of 1100 * data we are hashing because that gives an attacker a 1101 * timing-oracle. */ 1102 if (!ssl3_cbc_digest_record(mac_ctx, 1103 md, &md_size, header, rec->input, 1104 rec->length + md_size, orig_len, 1105 ssl->s3->internal->read_mac_secret, 1106 ssl->s3->internal->read_mac_secret_size)) 1107 return -1; 1108 } else { 1109 EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)); 1110 EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length); 1111 t = EVP_DigestSignFinal(mac_ctx, md, &md_size); 1112 OPENSSL_assert(t > 0); 1113 } 1114 1115 if (!stream_mac) 1116 EVP_MD_CTX_cleanup(&hmac); 1117 1118 if (!SSL_IS_DTLS(ssl)) 1119 tls1_record_sequence_increment(seq); 1120 1121 return (md_size); 1122} 1123 1124int 1125tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 1126 int len) 1127{ 1128 /* XXX - check return value. */ 1129 tls1_PRF(s, 1130 TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, 1131 s->s3->client_random, SSL3_RANDOM_SIZE, NULL, 0, 1132 s->s3->server_random, SSL3_RANDOM_SIZE, NULL, 0, 1133 p, len, s->session->master_key, SSL_MAX_MASTER_KEY_LENGTH); 1134 1135 return (SSL_MAX_MASTER_KEY_LENGTH); 1136} 1137 1138int 1139tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 1140 const char *label, size_t llen, const unsigned char *context, 1141 size_t contextlen, int use_context) 1142{ 1143 unsigned char *val = NULL; 1144 size_t vallen, currentvalpos; 1145 int rv; 1146 1147 /* construct PRF arguments 1148 * we construct the PRF argument ourself rather than passing separate 1149 * values into the TLS PRF to ensure that the concatenation of values 1150 * does not create a prohibited label. 1151 */ 1152 vallen = llen + SSL3_RANDOM_SIZE * 2; 1153 if (use_context) { 1154 vallen += 2 + contextlen; 1155 } 1156 1157 val = malloc(vallen); 1158 if (val == NULL) 1159 goto err2; 1160 currentvalpos = 0; 1161 memcpy(val + currentvalpos, (unsigned char *) label, llen); 1162 currentvalpos += llen; 1163 memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); 1164 currentvalpos += SSL3_RANDOM_SIZE; 1165 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); 1166 currentvalpos += SSL3_RANDOM_SIZE; 1167 1168 if (use_context) { 1169 val[currentvalpos] = (contextlen >> 8) & 0xff; 1170 currentvalpos++; 1171 val[currentvalpos] = contextlen & 0xff; 1172 currentvalpos++; 1173 if ((contextlen > 0) || (context != NULL)) { 1174 memcpy(val + currentvalpos, context, contextlen); 1175 } 1176 } 1177 1178 /* disallow prohibited labels 1179 * note that SSL3_RANDOM_SIZE > max(prohibited label len) = 1180 * 15, so size of val > max(prohibited label len) = 15 and the 1181 * comparisons won't have buffer overflow 1182 */ 1183 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 1184 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 1185 goto err1; 1186 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 1187 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 1188 goto err1; 1189 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 1190 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 1191 goto err1; 1192 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 1193 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 1194 goto err1; 1195 1196 rv = tls1_PRF(s, val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, 1197 s->session->master_key, s->session->master_key_length, 1198 out, olen); 1199 1200 goto ret; 1201err1: 1202 SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 1203 rv = 0; 1204 goto ret; 1205err2: 1206 SSLerror(s, ERR_R_MALLOC_FAILURE); 1207 rv = 0; 1208ret: 1209 free(val); 1210 1211 return (rv); 1212} 1213 1214int 1215tls1_alert_code(int code) 1216{ 1217 switch (code) { 1218 case SSL_AD_CLOSE_NOTIFY: 1219 return (SSL3_AD_CLOSE_NOTIFY); 1220 case SSL_AD_UNEXPECTED_MESSAGE: 1221 return (SSL3_AD_UNEXPECTED_MESSAGE); 1222 case SSL_AD_BAD_RECORD_MAC: 1223 return (SSL3_AD_BAD_RECORD_MAC); 1224 case SSL_AD_DECRYPTION_FAILED: 1225 return (TLS1_AD_DECRYPTION_FAILED); 1226 case SSL_AD_RECORD_OVERFLOW: 1227 return (TLS1_AD_RECORD_OVERFLOW); 1228 case SSL_AD_DECOMPRESSION_FAILURE: 1229 return (SSL3_AD_DECOMPRESSION_FAILURE); 1230 case SSL_AD_HANDSHAKE_FAILURE: 1231 return (SSL3_AD_HANDSHAKE_FAILURE); 1232 case SSL_AD_NO_CERTIFICATE: 1233 return (-1); 1234 case SSL_AD_BAD_CERTIFICATE: 1235 return (SSL3_AD_BAD_CERTIFICATE); 1236 case SSL_AD_UNSUPPORTED_CERTIFICATE: 1237 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 1238 case SSL_AD_CERTIFICATE_REVOKED: 1239 return (SSL3_AD_CERTIFICATE_REVOKED); 1240 case SSL_AD_CERTIFICATE_EXPIRED: 1241 return (SSL3_AD_CERTIFICATE_EXPIRED); 1242 case SSL_AD_CERTIFICATE_UNKNOWN: 1243 return (SSL3_AD_CERTIFICATE_UNKNOWN); 1244 case SSL_AD_ILLEGAL_PARAMETER: 1245 return (SSL3_AD_ILLEGAL_PARAMETER); 1246 case SSL_AD_UNKNOWN_CA: 1247 return (TLS1_AD_UNKNOWN_CA); 1248 case SSL_AD_ACCESS_DENIED: 1249 return (TLS1_AD_ACCESS_DENIED); 1250 case SSL_AD_DECODE_ERROR: 1251 return (TLS1_AD_DECODE_ERROR); 1252 case SSL_AD_DECRYPT_ERROR: 1253 return (TLS1_AD_DECRYPT_ERROR); 1254 case SSL_AD_EXPORT_RESTRICTION: 1255 return (TLS1_AD_EXPORT_RESTRICTION); 1256 case SSL_AD_PROTOCOL_VERSION: 1257 return (TLS1_AD_PROTOCOL_VERSION); 1258 case SSL_AD_INSUFFICIENT_SECURITY: 1259 return (TLS1_AD_INSUFFICIENT_SECURITY); 1260 case SSL_AD_INTERNAL_ERROR: 1261 return (TLS1_AD_INTERNAL_ERROR); 1262 case SSL_AD_INAPPROPRIATE_FALLBACK: 1263 return(TLS1_AD_INAPPROPRIATE_FALLBACK); 1264 case SSL_AD_USER_CANCELLED: 1265 return (TLS1_AD_USER_CANCELLED); 1266 case SSL_AD_NO_RENEGOTIATION: 1267 return (TLS1_AD_NO_RENEGOTIATION); 1268 case SSL_AD_UNSUPPORTED_EXTENSION: 1269 return (TLS1_AD_UNSUPPORTED_EXTENSION); 1270 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 1271 return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); 1272 case SSL_AD_UNRECOGNIZED_NAME: 1273 return (TLS1_AD_UNRECOGNIZED_NAME); 1274 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 1275 return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); 1276 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 1277 return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); 1278 case SSL_AD_UNKNOWN_PSK_IDENTITY: 1279 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 1280 default: 1281 return (-1); 1282 } 1283} 1284