diff options
| author | cvs2svn <admin@example.com> | 2021-08-18 16:06:57 +0000 |
|---|---|---|
| committer | cvs2svn <admin@example.com> | 2021-08-18 16:06:57 +0000 |
| commit | d56c8fa8260d226f98b26f017b45b9c2b135f38d (patch) | |
| tree | 348178b41617813cc93787187984a734ef8379ca /src/lib/libssl/t1_enc.c | |
| parent | 18b9c1bcab7c37d8c5bd05b8e0d14d0c59d96650 (diff) | |
| download | openbsd-tb_20210818.tar.gz openbsd-tb_20210818.tar.bz2 openbsd-tb_20210818.zip | |
This commit was manufactured by cvs2git to create tag 'tb_20210818'.tb_20210818
Diffstat (limited to 'src/lib/libssl/t1_enc.c')
| -rw-r--r-- | src/lib/libssl/t1_enc.c | 496 |
1 files changed, 0 insertions, 496 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c deleted file mode 100644 index 65e2063398..0000000000 --- a/src/lib/libssl/t1_enc.c +++ /dev/null | |||
| @@ -1,496 +0,0 @@ | |||
| 1 | /* $OpenBSD: t1_enc.c,v 1.151 2021/07/01 17:53:39 jsing Exp $ */ | ||
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | ||
| 3 | * All rights reserved. | ||
| 4 | * | ||
| 5 | * This package is an SSL implementation written | ||
| 6 | * by Eric Young (eay@cryptsoft.com). | ||
| 7 | * The implementation was written so as to conform with Netscapes SSL. | ||
| 8 | * | ||
| 9 | * This library is free for commercial and non-commercial use as long as | ||
| 10 | * the following conditions are aheared to. The following conditions | ||
| 11 | * apply to all code found in this distribution, be it the RC4, RSA, | ||
| 12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | ||
| 13 | * included with this distribution is covered by the same copyright terms | ||
| 14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | ||
| 15 | * | ||
| 16 | * Copyright remains Eric Young's, and as such any Copyright notices in | ||
| 17 | * the code are not to be removed. | ||
| 18 | * If this package is used in a product, Eric Young should be given attribution | ||
| 19 | * as the author of the parts of the library used. | ||
| 20 | * This can be in the form of a textual message at program startup or | ||
| 21 | * in documentation (online or textual) provided with the package. | ||
| 22 | * | ||
| 23 | * Redistribution and use in source and binary forms, with or without | ||
| 24 | * modification, are permitted provided that the following conditions | ||
| 25 | * are met: | ||
| 26 | * 1. Redistributions of source code must retain the copyright | ||
| 27 | * notice, this list of conditions and the following disclaimer. | ||
| 28 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 29 | * notice, this list of conditions and the following disclaimer in the | ||
| 30 | * documentation and/or other materials provided with the distribution. | ||
| 31 | * 3. All advertising materials mentioning features or use of this software | ||
| 32 | * must display the following acknowledgement: | ||
| 33 | * "This product includes cryptographic software written by | ||
| 34 | * Eric Young (eay@cryptsoft.com)" | ||
| 35 | * The word 'cryptographic' can be left out if the rouines from the library | ||
| 36 | * being used are not cryptographic related :-). | ||
| 37 | * 4. If you include any Windows specific code (or a derivative thereof) from | ||
| 38 | * the apps directory (application code) you must include an acknowledgement: | ||
| 39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | ||
| 40 | * | ||
| 41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | ||
| 42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
| 44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
| 45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
| 46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
| 47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
| 49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
| 50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
| 51 | * SUCH DAMAGE. | ||
| 52 | * | ||
| 53 | * The licence and distribution terms for any publically available version or | ||
| 54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | ||
| 55 | * copied and put under another distribution licence | ||
| 56 | * [including the GNU Public Licence.] | ||
| 57 | */ | ||
| 58 | /* ==================================================================== | ||
| 59 | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. | ||
| 60 | * | ||
| 61 | * Redistribution and use in source and binary forms, with or without | ||
| 62 | * modification, are permitted provided that the following conditions | ||
| 63 | * are met: | ||
| 64 | * | ||
| 65 | * 1. Redistributions of source code must retain the above copyright | ||
| 66 | * notice, this list of conditions and the following disclaimer. | ||
| 67 | * | ||
| 68 | * 2. Redistributions in binary form must reproduce the above copyright | ||
| 69 | * notice, this list of conditions and the following disclaimer in | ||
| 70 | * the documentation and/or other materials provided with the | ||
| 71 | * distribution. | ||
| 72 | * | ||
| 73 | * 3. All advertising materials mentioning features or use of this | ||
| 74 | * software must display the following acknowledgment: | ||
| 75 | * "This product includes software developed by the OpenSSL Project | ||
| 76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | ||
| 77 | * | ||
| 78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | ||
| 79 | * endorse or promote products derived from this software without | ||
| 80 | * prior written permission. For written permission, please contact | ||
| 81 | * openssl-core@openssl.org. | ||
| 82 | * | ||
| 83 | * 5. Products derived from this software may not be called "OpenSSL" | ||
| 84 | * nor may "OpenSSL" appear in their names without prior written | ||
| 85 | * permission of the OpenSSL Project. | ||
| 86 | * | ||
| 87 | * 6. Redistributions of any form whatsoever must retain the following | ||
| 88 | * acknowledgment: | ||
| 89 | * "This product includes software developed by the OpenSSL Project | ||
| 90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | ||
| 91 | * | ||
| 92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | ||
| 93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
| 94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | ||
| 95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | ||
| 96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
| 97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | ||
| 98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | ||
| 99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
| 100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | ||
| 101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
| 102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | ||
| 103 | * OF THE POSSIBILITY OF SUCH DAMAGE. | ||
| 104 | * ==================================================================== | ||
| 105 | * | ||
| 106 | * This product includes cryptographic software written by Eric Young | ||
| 107 | * (eay@cryptsoft.com). This product includes software written by Tim | ||
| 108 | * Hudson (tjh@cryptsoft.com). | ||
| 109 | * | ||
| 110 | */ | ||
| 111 | /* ==================================================================== | ||
| 112 | * Copyright 2005 Nokia. All rights reserved. | ||
| 113 | * | ||
| 114 | * The portions of the attached software ("Contribution") is developed by | ||
| 115 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source | ||
| 116 | * license. | ||
| 117 | * | ||
| 118 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of | ||
| 119 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites | ||
| 120 | * support (see RFC 4279) to OpenSSL. | ||
| 121 | * | ||
| 122 | * No patent licenses or other rights except those expressly stated in | ||
| 123 | * the OpenSSL open source license shall be deemed granted or received | ||
| 124 | * expressly, by implication, estoppel, or otherwise. | ||
| 125 | * | ||
| 126 | * No assurances are provided by Nokia that the Contribution does not | ||
| 127 | * infringe the patent or other intellectual property rights of any third | ||
| 128 | * party or that the license provides you with all the necessary rights | ||
| 129 | * to make use of the Contribution. | ||
| 130 | * | ||
| 131 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN | ||
| 132 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA | ||
| 133 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY | ||
| 134 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR | ||
| 135 | * OTHERWISE. | ||
| 136 | */ | ||
| 137 | |||
| 138 | #include <limits.h> | ||
| 139 | #include <stdio.h> | ||
| 140 | |||
| 141 | #include <openssl/evp.h> | ||
| 142 | #include <openssl/hmac.h> | ||
| 143 | #include <openssl/md5.h> | ||
| 144 | #include <openssl/opensslconf.h> | ||
| 145 | |||
| 146 | #include "dtls_locl.h" | ||
| 147 | #include "ssl_locl.h" | ||
| 148 | |||
| 149 | void | ||
| 150 | tls1_cleanup_key_block(SSL *s) | ||
| 151 | { | ||
| 152 | tls12_key_block_free(S3I(s)->hs.tls12.key_block); | ||
| 153 | S3I(s)->hs.tls12.key_block = NULL; | ||
| 154 | } | ||
| 155 | |||
| 156 | /* | ||
| 157 | * TLS P_hash() data expansion function - see RFC 5246, section 5. | ||
| 158 | */ | ||
| 159 | static int | ||
| 160 | tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len, | ||
| 161 | const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len, | ||
| 162 | const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len, | ||
| 163 | const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len) | ||
| 164 | { | ||
| 165 | unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE]; | ||
| 166 | size_t A1_len, hmac_len; | ||
| 167 | EVP_MD_CTX ctx; | ||
| 168 | EVP_PKEY *mac_key; | ||
| 169 | int ret = 0; | ||
| 170 | int chunk; | ||
| 171 | size_t i; | ||
| 172 | |||
| 173 | chunk = EVP_MD_size(md); | ||
| 174 | OPENSSL_assert(chunk >= 0); | ||
| 175 | |||
| 176 | EVP_MD_CTX_init(&ctx); | ||
| 177 | |||
| 178 | mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len); | ||
| 179 | if (!mac_key) | ||
| 180 | goto err; | ||
| 181 | if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) | ||
| 182 | goto err; | ||
| 183 | if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) | ||
| 184 | goto err; | ||
| 185 | if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) | ||
| 186 | goto err; | ||
| 187 | if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) | ||
| 188 | goto err; | ||
| 189 | if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) | ||
| 190 | goto err; | ||
| 191 | if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) | ||
| 192 | goto err; | ||
| 193 | if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) | ||
| 194 | goto err; | ||
| 195 | |||
| 196 | for (;;) { | ||
| 197 | if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) | ||
| 198 | goto err; | ||
| 199 | if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) | ||
| 200 | goto err; | ||
| 201 | if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) | ||
| 202 | goto err; | ||
| 203 | if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) | ||
| 204 | goto err; | ||
| 205 | if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) | ||
| 206 | goto err; | ||
| 207 | if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) | ||
| 208 | goto err; | ||
| 209 | if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) | ||
| 210 | goto err; | ||
| 211 | if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len)) | ||
| 212 | goto err; | ||
| 213 | |||
| 214 | if (hmac_len > out_len) | ||
| 215 | hmac_len = out_len; | ||
| 216 | |||
| 217 | for (i = 0; i < hmac_len; i++) | ||
| 218 | out[i] ^= hmac[i]; | ||
| 219 | |||
| 220 | out += hmac_len; | ||
| 221 | out_len -= hmac_len; | ||
| 222 | |||
| 223 | if (out_len == 0) | ||
| 224 | break; | ||
| 225 | |||
| 226 | if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key)) | ||
| 227 | goto err; | ||
| 228 | if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) | ||
| 229 | goto err; | ||
| 230 | if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) | ||
| 231 | goto err; | ||
| 232 | } | ||
| 233 | ret = 1; | ||
| 234 | |||
| 235 | err: | ||
| 236 | EVP_PKEY_free(mac_key); | ||
| 237 | EVP_MD_CTX_cleanup(&ctx); | ||
| 238 | |||
| 239 | explicit_bzero(A1, sizeof(A1)); | ||
| 240 | explicit_bzero(hmac, sizeof(hmac)); | ||
| 241 | |||
| 242 | return ret; | ||
| 243 | } | ||
| 244 | |||
| 245 | int | ||
| 246 | tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len, | ||
| 247 | const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len, | ||
| 248 | const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len, | ||
| 249 | const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len) | ||
| 250 | { | ||
| 251 | const EVP_MD *md; | ||
| 252 | size_t half_len; | ||
| 253 | |||
| 254 | memset(out, 0, out_len); | ||
| 255 | |||
| 256 | if (!ssl_get_handshake_evp_md(s, &md)) | ||
| 257 | return (0); | ||
| 258 | |||
| 259 | if (md->type == NID_md5_sha1) { | ||
| 260 | /* | ||
| 261 | * Partition secret between MD5 and SHA1, then XOR result. | ||
| 262 | * If the secret length is odd, a one byte overlap is used. | ||
| 263 | */ | ||
| 264 | half_len = secret_len - (secret_len / 2); | ||
| 265 | if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len, | ||
| 266 | seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, | ||
| 267 | seed5, seed5_len, out, out_len)) | ||
| 268 | return (0); | ||
| 269 | |||
| 270 | secret += secret_len - half_len; | ||
| 271 | if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len, | ||
| 272 | seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, | ||
| 273 | seed5, seed5_len, out, out_len)) | ||
| 274 | return (0); | ||
| 275 | |||
| 276 | return (1); | ||
| 277 | } | ||
| 278 | |||
| 279 | if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len, | ||
| 280 | seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, | ||
| 281 | seed5, seed5_len, out, out_len)) | ||
| 282 | return (0); | ||
| 283 | |||
| 284 | return (1); | ||
| 285 | } | ||
| 286 | |||
| 287 | int | ||
| 288 | tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len) | ||
| 289 | { | ||
| 290 | return tls1_PRF(s, | ||
| 291 | s->session->master_key, s->session->master_key_length, | ||
| 292 | TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, | ||
| 293 | s->s3->server_random, SSL3_RANDOM_SIZE, | ||
| 294 | s->s3->client_random, SSL3_RANDOM_SIZE, | ||
| 295 | NULL, 0, NULL, 0, key_block, key_block_len); | ||
| 296 | } | ||
| 297 | |||
| 298 | static int | ||
| 299 | tls1_change_cipher_state(SSL *s, int is_write) | ||
| 300 | { | ||
| 301 | CBS mac_key, key, iv; | ||
| 302 | |||
| 303 | /* Use client write keys on client write and server read. */ | ||
| 304 | if ((!s->server && is_write) || (s->server && !is_write)) { | ||
| 305 | tls12_key_block_client_write(S3I(s)->hs.tls12.key_block, | ||
| 306 | &mac_key, &key, &iv); | ||
| 307 | } else { | ||
| 308 | tls12_key_block_server_write(S3I(s)->hs.tls12.key_block, | ||
| 309 | &mac_key, &key, &iv); | ||
| 310 | } | ||
| 311 | |||
| 312 | if (!is_write) { | ||
| 313 | if (!tls12_record_layer_change_read_cipher_state(s->internal->rl, | ||
| 314 | &mac_key, &key, &iv)) | ||
| 315 | goto err; | ||
| 316 | if (SSL_is_dtls(s)) | ||
| 317 | dtls1_reset_read_seq_numbers(s); | ||
| 318 | tls12_record_layer_read_cipher_hash(s->internal->rl, | ||
| 319 | &s->enc_read_ctx, &s->read_hash); | ||
| 320 | } else { | ||
| 321 | if (!tls12_record_layer_change_write_cipher_state(s->internal->rl, | ||
| 322 | &mac_key, &key, &iv)) | ||
| 323 | goto err; | ||
| 324 | } | ||
| 325 | return (1); | ||
| 326 | |||
| 327 | err: | ||
| 328 | return (0); | ||
| 329 | } | ||
| 330 | |||
| 331 | int | ||
| 332 | tls1_change_read_cipher_state(SSL *s) | ||
| 333 | { | ||
| 334 | return tls1_change_cipher_state(s, 0); | ||
| 335 | } | ||
| 336 | |||
| 337 | int | ||
| 338 | tls1_change_write_cipher_state(SSL *s) | ||
| 339 | { | ||
| 340 | return tls1_change_cipher_state(s, 1); | ||
| 341 | } | ||
| 342 | |||
| 343 | int | ||
| 344 | tls1_setup_key_block(SSL *s) | ||
| 345 | { | ||
| 346 | struct tls12_key_block *key_block; | ||
| 347 | int mac_type = NID_undef, mac_secret_size = 0; | ||
| 348 | const EVP_CIPHER *cipher = NULL; | ||
| 349 | const EVP_AEAD *aead = NULL; | ||
| 350 | const EVP_MD *handshake_hash = NULL; | ||
| 351 | const EVP_MD *mac_hash = NULL; | ||
| 352 | int ret = 0; | ||
| 353 | |||
| 354 | /* | ||
| 355 | * XXX - callers should be changed so that they only call this | ||
| 356 | * function once. | ||
| 357 | */ | ||
| 358 | if (S3I(s)->hs.tls12.key_block != NULL) | ||
| 359 | return (1); | ||
| 360 | |||
| 361 | if (s->session->cipher && | ||
| 362 | (s->session->cipher->algorithm_mac & SSL_AEAD)) { | ||
| 363 | if (!ssl_cipher_get_evp_aead(s->session, &aead)) { | ||
| 364 | SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | ||
| 365 | return (0); | ||
| 366 | } | ||
| 367 | } else { | ||
| 368 | /* XXX - mac_type and mac_secret_size are now unused. */ | ||
| 369 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash, | ||
| 370 | &mac_type, &mac_secret_size)) { | ||
| 371 | SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | ||
| 372 | return (0); | ||
| 373 | } | ||
| 374 | } | ||
| 375 | |||
| 376 | if (!ssl_get_handshake_evp_md(s, &handshake_hash)) | ||
| 377 | return (0); | ||
| 378 | |||
| 379 | tls12_record_layer_set_aead(s->internal->rl, aead); | ||
| 380 | tls12_record_layer_set_cipher_hash(s->internal->rl, cipher, | ||
| 381 | handshake_hash, mac_hash); | ||
| 382 | |||
| 383 | if ((key_block = tls12_key_block_new()) == NULL) | ||
| 384 | goto err; | ||
| 385 | if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash)) | ||
| 386 | goto err; | ||
| 387 | |||
| 388 | S3I(s)->hs.tls12.key_block = key_block; | ||
| 389 | key_block = NULL; | ||
| 390 | |||
| 391 | if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && | ||
| 392 | s->method->version <= TLS1_VERSION) { | ||
| 393 | /* | ||
| 394 | * Enable vulnerability countermeasure for CBC ciphers with | ||
| 395 | * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) | ||
| 396 | */ | ||
| 397 | S3I(s)->need_empty_fragments = 1; | ||
| 398 | |||
| 399 | if (s->session->cipher != NULL) { | ||
| 400 | if (s->session->cipher->algorithm_enc == SSL_eNULL) | ||
| 401 | S3I(s)->need_empty_fragments = 0; | ||
| 402 | |||
| 403 | #ifndef OPENSSL_NO_RC4 | ||
| 404 | if (s->session->cipher->algorithm_enc == SSL_RC4) | ||
| 405 | S3I(s)->need_empty_fragments = 0; | ||
| 406 | #endif | ||
| 407 | } | ||
| 408 | } | ||
| 409 | |||
| 410 | ret = 1; | ||
| 411 | |||
| 412 | err: | ||
| 413 | tls12_key_block_free(key_block); | ||
| 414 | |||
| 415 | return (ret); | ||
| 416 | } | ||
| 417 | |||
| 418 | int | ||
| 419 | tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, | ||
| 420 | const char *label, size_t llen, const unsigned char *context, | ||
| 421 | size_t contextlen, int use_context) | ||
| 422 | { | ||
| 423 | unsigned char *val = NULL; | ||
| 424 | size_t vallen, currentvalpos; | ||
| 425 | int rv; | ||
| 426 | |||
| 427 | if (!SSL_is_init_finished(s)) { | ||
| 428 | SSLerror(s, SSL_R_BAD_STATE); | ||
| 429 | return 0; | ||
| 430 | } | ||
| 431 | |||
| 432 | /* construct PRF arguments | ||
| 433 | * we construct the PRF argument ourself rather than passing separate | ||
| 434 | * values into the TLS PRF to ensure that the concatenation of values | ||
| 435 | * does not create a prohibited label. | ||
| 436 | */ | ||
| 437 | vallen = llen + SSL3_RANDOM_SIZE * 2; | ||
| 438 | if (use_context) { | ||
| 439 | vallen += 2 + contextlen; | ||
| 440 | } | ||
| 441 | |||
| 442 | val = malloc(vallen); | ||
| 443 | if (val == NULL) | ||
| 444 | goto err2; | ||
| 445 | currentvalpos = 0; | ||
| 446 | memcpy(val + currentvalpos, (unsigned char *) label, llen); | ||
| 447 | currentvalpos += llen; | ||
| 448 | memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); | ||
| 449 | currentvalpos += SSL3_RANDOM_SIZE; | ||
| 450 | memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); | ||
| 451 | currentvalpos += SSL3_RANDOM_SIZE; | ||
| 452 | |||
| 453 | if (use_context) { | ||
| 454 | val[currentvalpos] = (contextlen >> 8) & 0xff; | ||
| 455 | currentvalpos++; | ||
| 456 | val[currentvalpos] = contextlen & 0xff; | ||
| 457 | currentvalpos++; | ||
| 458 | if ((contextlen > 0) || (context != NULL)) { | ||
| 459 | memcpy(val + currentvalpos, context, contextlen); | ||
| 460 | } | ||
| 461 | } | ||
| 462 | |||
| 463 | /* disallow prohibited labels | ||
| 464 | * note that SSL3_RANDOM_SIZE > max(prohibited label len) = | ||
| 465 | * 15, so size of val > max(prohibited label len) = 15 and the | ||
| 466 | * comparisons won't have buffer overflow | ||
| 467 | */ | ||
| 468 | if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, | ||
| 469 | TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) | ||
| 470 | goto err1; | ||
| 471 | if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, | ||
| 472 | TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) | ||
| 473 | goto err1; | ||
| 474 | if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, | ||
| 475 | TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) | ||
| 476 | goto err1; | ||
| 477 | if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, | ||
| 478 | TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) | ||
| 479 | goto err1; | ||
| 480 | |||
| 481 | rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length, | ||
| 482 | val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen); | ||
| 483 | |||
| 484 | goto ret; | ||
| 485 | err1: | ||
| 486 | SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); | ||
| 487 | rv = 0; | ||
| 488 | goto ret; | ||
| 489 | err2: | ||
| 490 | SSLerror(s, ERR_R_MALLOC_FAILURE); | ||
| 491 | rv = 0; | ||
| 492 | ret: | ||
| 493 | free(val); | ||
| 494 | |||
| 495 | return (rv); | ||
| 496 | } | ||