t1_enc.c revision 1.138 
1/* $OpenBSD: t1_enc.c,v 1.138 2021/04/19 17:26:39 jsing Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 *    notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 *    notice, this list of conditions and the following disclaimer in
70 *    the documentation and/or other materials provided with the
71 *    distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 *    software must display the following acknowledgment:
75 *    "This product includes software developed by the OpenSSL Project
76 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 *    endorse or promote products derived from this software without
80 *    prior written permission. For written permission, please contact
81 *    openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 *    nor may "OpenSSL" appear in their names without prior written
85 *    permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 *    acknowledgment:
89 *    "This product includes software developed by the OpenSSL Project
90 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com).  This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <limits.h>
139#include <stdio.h>
140
141#include "ssl_locl.h"
142
143#include <openssl/evp.h>
144#include <openssl/hmac.h>
145#include <openssl/md5.h>
146
147int tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
148    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
149    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
150    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len);
151
152void
153tls1_cleanup_key_block(SSL *s)
154{
155	freezero(S3I(s)->hs.tls12.key_block, S3I(s)->hs.tls12.key_block_len);
156	S3I(s)->hs.tls12.key_block = NULL;
157	S3I(s)->hs.tls12.key_block_len = 0;
158}
159
160/*
161 * TLS P_hash() data expansion function - see RFC 5246, section 5.
162 */
163static int
164tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
165    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
166    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
167    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
168{
169	unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
170	size_t A1_len, hmac_len;
171	EVP_MD_CTX ctx;
172	EVP_PKEY *mac_key;
173	int ret = 0;
174	int chunk;
175	size_t i;
176
177	chunk = EVP_MD_size(md);
178	OPENSSL_assert(chunk >= 0);
179
180	EVP_MD_CTX_init(&ctx);
181
182	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
183	if (!mac_key)
184		goto err;
185	if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
186		goto err;
187	if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
188		goto err;
189	if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
190		goto err;
191	if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
192		goto err;
193	if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
194		goto err;
195	if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
196		goto err;
197	if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
198		goto err;
199
200	for (;;) {
201		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
202			goto err;
203		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
204			goto err;
205		if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
206			goto err;
207		if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
208			goto err;
209		if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
210			goto err;
211		if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
212			goto err;
213		if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
214			goto err;
215		if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len))
216			goto err;
217
218		if (hmac_len > out_len)
219			hmac_len = out_len;
220
221		for (i = 0; i < hmac_len; i++)
222			out[i] ^= hmac[i];
223
224		out += hmac_len;
225		out_len -= hmac_len;
226
227		if (out_len == 0)
228			break;
229
230		if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
231			goto err;
232		if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
233			goto err;
234		if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
235			goto err;
236	}
237	ret = 1;
238
239 err:
240	EVP_PKEY_free(mac_key);
241	EVP_MD_CTX_cleanup(&ctx);
242
243	explicit_bzero(A1, sizeof(A1));
244	explicit_bzero(hmac, sizeof(hmac));
245
246	return ret;
247}
248
249int
250tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
251    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
252    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
253    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
254{
255	const EVP_MD *md;
256	size_t half_len;
257
258	memset(out, 0, out_len);
259
260	if (!ssl_get_handshake_evp_md(s, &md))
261		return (0);
262
263	if (md->type == NID_md5_sha1) {
264		/*
265		 * Partition secret between MD5 and SHA1, then XOR result.
266		 * If the secret length is odd, a one byte overlap is used.
267		 */
268		half_len = secret_len - (secret_len / 2);
269		if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
270		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
271		    seed5, seed5_len, out, out_len))
272			return (0);
273
274		secret += secret_len - half_len;
275		if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
276		    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
277		    seed5, seed5_len, out, out_len))
278			return (0);
279
280		return (1);
281	}
282
283	if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
284	    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
285	    seed5, seed5_len, out, out_len))
286		return (0);
287
288	return (1);
289}
290
291static int
292tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
293{
294	return tls1_PRF(s,
295	    s->session->master_key, s->session->master_key_length,
296	    TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
297	    s->s3->server_random, SSL3_RANDOM_SIZE,
298	    s->s3->client_random, SSL3_RANDOM_SIZE,
299	    NULL, 0, NULL, 0, key_block, key_block_len);
300}
301
302int
303tls1_change_cipher_state(SSL *s, int which)
304{
305	const unsigned char *client_write_mac_secret, *server_write_mac_secret;
306	const unsigned char *client_write_key, *server_write_key;
307	const unsigned char *client_write_iv, *server_write_iv;
308	const unsigned char *mac_secret, *key, *iv;
309	int mac_secret_size, key_len, iv_len;
310	unsigned char *key_block;
311	const EVP_CIPHER *cipher;
312	const EVP_AEAD *aead;
313	char is_read, use_client_keys;
314
315	aead = tls12_record_layer_aead(s->internal->rl);
316	cipher = tls12_record_layer_cipher(s->internal->rl);
317
318	/*
319	 * is_read is true if we have just read a ChangeCipherSpec message,
320	 * that is we need to update the read cipherspec. Otherwise we have
321	 * just written one.
322	 */
323	is_read = (which & SSL3_CC_READ) != 0;
324
325	/*
326	 * use_client_keys is true if we wish to use the keys for the "client
327	 * write" direction. This is the case if we're a client sending a
328	 * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec.
329	 */
330	use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
331	    (which == SSL3_CHANGE_CIPHER_SERVER_READ));
332
333	if (aead != NULL) {
334		key_len = EVP_AEAD_key_length(aead);
335		iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(S3I(s)->hs.cipher);
336	} else {
337		key_len = EVP_CIPHER_key_length(cipher);
338		iv_len = EVP_CIPHER_iv_length(cipher);
339	}
340
341	mac_secret_size = S3I(s)->hs.tls12.mac_secret_size;
342
343	key_block = S3I(s)->hs.tls12.key_block;
344	client_write_mac_secret = key_block;
345	key_block += mac_secret_size;
346	server_write_mac_secret = key_block;
347	key_block += mac_secret_size;
348	client_write_key = key_block;
349	key_block += key_len;
350	server_write_key = key_block;
351	key_block += key_len;
352	client_write_iv = key_block;
353	key_block += iv_len;
354	server_write_iv = key_block;
355	key_block += iv_len;
356
357	if (use_client_keys) {
358		mac_secret = client_write_mac_secret;
359		key = client_write_key;
360		iv = client_write_iv;
361	} else {
362		mac_secret = server_write_mac_secret;
363		key = server_write_key;
364		iv = server_write_iv;
365	}
366
367	if (key_block - S3I(s)->hs.tls12.key_block !=
368	    S3I(s)->hs.tls12.key_block_len) {
369		SSLerror(s, ERR_R_INTERNAL_ERROR);
370		goto err;
371	}
372
373	if (is_read) {
374		if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
375		    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
376			goto err;
377		tls12_record_layer_read_cipher_hash(s->internal->rl,
378		    &s->enc_read_ctx, &s->read_hash);
379	} else {
380		if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
381		    mac_secret, mac_secret_size, key, key_len, iv, iv_len))
382			goto err;
383	}
384	return (1);
385
386 err:
387	return (0);
388}
389
390int
391tls1_setup_key_block(SSL *s)
392{
393	unsigned char *key_block;
394	int mac_type = NID_undef, mac_secret_size = 0;
395	size_t key_block_len;
396	int key_len, iv_len;
397	const EVP_CIPHER *cipher = NULL;
398	const EVP_AEAD *aead = NULL;
399	const EVP_MD *handshake_hash = NULL;
400	const EVP_MD *mac_hash = NULL;
401	int ret = 0;
402
403	if (S3I(s)->hs.tls12.key_block_len != 0)
404		return (1);
405
406	if (s->session->cipher &&
407	    (s->session->cipher->algorithm_mac & SSL_AEAD)) {
408		if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
409			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
410			return (0);
411		}
412		key_len = EVP_AEAD_key_length(aead);
413		iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
414	} else {
415		if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
416		    &mac_type, &mac_secret_size)) {
417			SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
418			return (0);
419		}
420		key_len = EVP_CIPHER_key_length(cipher);
421		iv_len = EVP_CIPHER_iv_length(cipher);
422	}
423
424	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
425		return (0);
426
427	S3I(s)->hs.tls12.mac_secret_size = mac_secret_size;
428
429	tls12_record_layer_set_aead(s->internal->rl, aead);
430	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
431	    handshake_hash, mac_hash);
432
433	tls1_cleanup_key_block(s);
434
435	if ((key_block = reallocarray(NULL, mac_secret_size + key_len + iv_len,
436	    2)) == NULL) {
437		SSLerror(s, ERR_R_MALLOC_FAILURE);
438		goto err;
439	}
440	key_block_len = (mac_secret_size + key_len + iv_len) * 2;
441
442	S3I(s)->hs.tls12.key_block_len = key_block_len;
443	S3I(s)->hs.tls12.key_block = key_block;
444
445	if (!tls1_generate_key_block(s, key_block, key_block_len))
446		goto err;
447
448	if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
449	    s->method->internal->version <= TLS1_VERSION) {
450		/*
451		 * Enable vulnerability countermeasure for CBC ciphers with
452		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
453		 */
454		S3I(s)->need_empty_fragments = 1;
455
456		if (s->session->cipher != NULL) {
457			if (s->session->cipher->algorithm_enc == SSL_eNULL)
458				S3I(s)->need_empty_fragments = 0;
459
460#ifndef OPENSSL_NO_RC4
461			if (s->session->cipher->algorithm_enc == SSL_RC4)
462				S3I(s)->need_empty_fragments = 0;
463#endif
464		}
465	}
466
467	ret = 1;
468
469 err:
470	return (ret);
471}
472
473int
474tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
475{
476	unsigned char buf[EVP_MAX_MD_SIZE];
477	size_t hash_len;
478
479	if (str_len < 0)
480		return 0;
481
482	if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len))
483		return 0;
484
485	if (!tls1_PRF(s, s->session->master_key, s->session->master_key_length,
486	    str, str_len, buf, hash_len, NULL, 0, NULL, 0, NULL, 0,
487	    out, TLS1_FINISH_MAC_LENGTH))
488		return 0;
489
490	return TLS1_FINISH_MAC_LENGTH;
491}
492
493int
494tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
495    int len)
496{
497	if (len < 0)
498		return 0;
499
500	if (!tls1_PRF(s, p, len,
501	    TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE,
502	    s->s3->client_random, SSL3_RANDOM_SIZE, NULL, 0,
503	    s->s3->server_random, SSL3_RANDOM_SIZE, NULL, 0,
504	    s->session->master_key, SSL_MAX_MASTER_KEY_LENGTH))
505		return 0;
506
507	return (SSL_MAX_MASTER_KEY_LENGTH);
508}
509
510int
511tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
512    const char *label, size_t llen, const unsigned char *context,
513    size_t contextlen, int use_context)
514{
515	unsigned char *val = NULL;
516	size_t vallen, currentvalpos;
517	int rv;
518
519	if (!SSL_is_init_finished(s)) {
520		SSLerror(s, SSL_R_BAD_STATE);
521		return 0;
522	}
523
524	/* construct PRF arguments
525	 * we construct the PRF argument ourself rather than passing separate
526	 * values into the TLS PRF to ensure that the concatenation of values
527	 * does not create a prohibited label.
528	 */
529	vallen = llen + SSL3_RANDOM_SIZE * 2;
530	if (use_context) {
531		vallen += 2 + contextlen;
532	}
533
534	val = malloc(vallen);
535	if (val == NULL)
536		goto err2;
537	currentvalpos = 0;
538	memcpy(val + currentvalpos, (unsigned char *) label, llen);
539	currentvalpos += llen;
540	memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
541	currentvalpos += SSL3_RANDOM_SIZE;
542	memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
543	currentvalpos += SSL3_RANDOM_SIZE;
544
545	if (use_context) {
546		val[currentvalpos] = (contextlen >> 8) & 0xff;
547		currentvalpos++;
548		val[currentvalpos] = contextlen & 0xff;
549		currentvalpos++;
550		if ((contextlen > 0) || (context != NULL)) {
551			memcpy(val + currentvalpos, context, contextlen);
552		}
553	}
554
555	/* disallow prohibited labels
556	 * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
557	 * 15, so size of val > max(prohibited label len) = 15 and the
558	 * comparisons won't have buffer overflow
559	 */
560	if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
561	    TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
562		goto err1;
563	if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
564	    TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
565		goto err1;
566	if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
567	    TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
568		goto err1;
569	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
570	    TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
571		goto err1;
572
573	rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length,
574	    val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen);
575
576	goto ret;
577err1:
578	SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
579	rv = 0;
580	goto ret;
581err2:
582	SSLerror(s, ERR_R_MALLOC_FAILURE);
583	rv = 0;
584ret:
585	free(val);
586
587	return (rv);
588}
589
590int
591tls1_alert_code(int code)
592{
593	switch (code) {
594	case SSL_AD_CLOSE_NOTIFY:
595		return (SSL3_AD_CLOSE_NOTIFY);
596	case SSL_AD_UNEXPECTED_MESSAGE:
597		return (SSL3_AD_UNEXPECTED_MESSAGE);
598	case SSL_AD_BAD_RECORD_MAC:
599		return (SSL3_AD_BAD_RECORD_MAC);
600	case SSL_AD_DECRYPTION_FAILED:
601		return (TLS1_AD_DECRYPTION_FAILED);
602	case SSL_AD_RECORD_OVERFLOW:
603		return (TLS1_AD_RECORD_OVERFLOW);
604	case SSL_AD_DECOMPRESSION_FAILURE:
605		return (SSL3_AD_DECOMPRESSION_FAILURE);
606	case SSL_AD_HANDSHAKE_FAILURE:
607		return (SSL3_AD_HANDSHAKE_FAILURE);
608	case SSL_AD_NO_CERTIFICATE:
609		return (-1);
610	case SSL_AD_BAD_CERTIFICATE:
611		return (SSL3_AD_BAD_CERTIFICATE);
612	case SSL_AD_UNSUPPORTED_CERTIFICATE:
613		return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
614	case SSL_AD_CERTIFICATE_REVOKED:
615		return (SSL3_AD_CERTIFICATE_REVOKED);
616	case SSL_AD_CERTIFICATE_EXPIRED:
617		return (SSL3_AD_CERTIFICATE_EXPIRED);
618	case SSL_AD_CERTIFICATE_UNKNOWN:
619		return (SSL3_AD_CERTIFICATE_UNKNOWN);
620	case SSL_AD_ILLEGAL_PARAMETER:
621		return (SSL3_AD_ILLEGAL_PARAMETER);
622	case SSL_AD_UNKNOWN_CA:
623		return (TLS1_AD_UNKNOWN_CA);
624	case SSL_AD_ACCESS_DENIED:
625		return (TLS1_AD_ACCESS_DENIED);
626	case SSL_AD_DECODE_ERROR:
627		return (TLS1_AD_DECODE_ERROR);
628	case SSL_AD_DECRYPT_ERROR:
629		return (TLS1_AD_DECRYPT_ERROR);
630	case SSL_AD_EXPORT_RESTRICTION:
631		return (TLS1_AD_EXPORT_RESTRICTION);
632	case SSL_AD_PROTOCOL_VERSION:
633		return (TLS1_AD_PROTOCOL_VERSION);
634	case SSL_AD_INSUFFICIENT_SECURITY:
635		return (TLS1_AD_INSUFFICIENT_SECURITY);
636	case SSL_AD_INTERNAL_ERROR:
637		return (TLS1_AD_INTERNAL_ERROR);
638	case SSL_AD_INAPPROPRIATE_FALLBACK:
639		return(TLS1_AD_INAPPROPRIATE_FALLBACK);
640	case SSL_AD_USER_CANCELLED:
641		return (TLS1_AD_USER_CANCELLED);
642	case SSL_AD_NO_RENEGOTIATION:
643		return (TLS1_AD_NO_RENEGOTIATION);
644	case SSL_AD_UNSUPPORTED_EXTENSION:
645		return (TLS1_AD_UNSUPPORTED_EXTENSION);
646	case SSL_AD_CERTIFICATE_UNOBTAINABLE:
647		return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
648	case SSL_AD_UNRECOGNIZED_NAME:
649		return (TLS1_AD_UNRECOGNIZED_NAME);
650	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
651		return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
652	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
653		return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
654	case SSL_AD_UNKNOWN_PSK_IDENTITY:
655		return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
656	default:
657		return (-1);
658	}
659}
660