1 files changed, 0 insertions, 496 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
deleted file mode 100644
index 65e2063398..0000000000
--- a/src/lib/libssl/t1_enc.c
+++ /dev/null
@@ -1,496 +0,0 @@
-/* $OpenBSD: t1_enc.c,v 1.151 2021/07/01 17:53:39 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#include <limits.h>
-#include <stdio.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/opensslconf.h>
-#include "dtls_locl.h"
-#include "ssl_locl.h"
-void
-tls1_cleanup_key_block(SSL *s)
-{
-        tls12_key_block_free(S3I(s)->hs.tls12.key_block);
-        S3I(s)->hs.tls12.key_block = NULL;
-}
-/*
- * TLS P_hash() data expansion function - see RFC 5246, section 5.
- */
-static int
-tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
-    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
-    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
-    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
-{
-        unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
-        size_t A1_len, hmac_len;
-        EVP_MD_CTX ctx;
-        EVP_PKEY *mac_key;
-        int ret = 0;
-        int chunk;
-        size_t i;
-        chunk = EVP_MD_size(md);
-        OPENSSL_assert(chunk >= 0);
-        EVP_MD_CTX_init(&ctx);
-        mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
-        if (!mac_key)
-                goto err;
-        if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
-                goto err;
-        if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
-                goto err;
-        if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
-                goto err;
-        if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
-                goto err;
-        if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
-                goto err;
-        if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
-                goto err;
-        if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
-                goto err;
-        for (;;) {
-                if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
-                        goto err;
-                if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
-                        goto err;
-                if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
-                        goto err;
-                if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
-                        goto err;
-                if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
-                        goto err;
-                if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
-                        goto err;
-                if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
-                        goto err;
-                if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len))
-                        goto err;
-                if (hmac_len > out_len)
-                        hmac_len = out_len;
-                for (i = 0; i < hmac_len; i++)
-                        out[i] ^= hmac[i];
-                out += hmac_len;
-                out_len -= hmac_len;
-                if (out_len == 0)
-                        break;
-                if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
-                        goto err;
-                if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
-                        goto err;
-                if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
-                        goto err;
-        }
-        ret = 1;
- err:
-        EVP_PKEY_free(mac_key);
-        EVP_MD_CTX_cleanup(&ctx);
-        explicit_bzero(A1, sizeof(A1));
-        explicit_bzero(hmac, sizeof(hmac));
-        return ret;
-}
-int
-tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
-    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
-    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
-    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
-{
-        const EVP_MD *md;
-        size_t half_len;
-        memset(out, 0, out_len);
-        if (!ssl_get_handshake_evp_md(s, &md))
-                return (0);
-        if (md->type == NID_md5_sha1) {
-                /*
-                 * Partition secret between MD5 and SHA1, then XOR result.
-                 * If the secret length is odd, a one byte overlap is used.
-                 */
-                half_len = secret_len - (secret_len / 2);
-                if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
-                    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
-                    seed5, seed5_len, out, out_len))
-                        return (0);
-                secret += secret_len - half_len;
-                if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
-                    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
-                    seed5, seed5_len, out, out_len))
-                        return (0);
-                return (1);
-        }
-        if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
-            seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
-            seed5, seed5_len, out, out_len))
-                return (0);
-        return (1);
-}
-int
-tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
-{
-        return tls1_PRF(s,
-            s->session->master_key, s->session->master_key_length,
-            TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
-            s->s3->server_random, SSL3_RANDOM_SIZE,
-            s->s3->client_random, SSL3_RANDOM_SIZE,
-            NULL, 0, NULL, 0, key_block, key_block_len);
-}
-static int
-tls1_change_cipher_state(SSL *s, int is_write)
-{
-        CBS mac_key, key, iv;
-        /* Use client write keys on client write and server read. */
-        if ((!s->server && is_write) || (s->server && !is_write)) {
-                tls12_key_block_client_write(S3I(s)->hs.tls12.key_block,
-                    &mac_key, &key, &iv);
-        } else {
-                tls12_key_block_server_write(S3I(s)->hs.tls12.key_block,
-                    &mac_key, &key, &iv);
-        }
-        if (!is_write) {
-                if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
-                    &mac_key, &key, &iv))
-                        goto err;
-                if (SSL_is_dtls(s))
-                        dtls1_reset_read_seq_numbers(s);
-                tls12_record_layer_read_cipher_hash(s->internal->rl,
-                    &s->enc_read_ctx, &s->read_hash);
-        } else {
-                if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
-                    &mac_key, &key, &iv))
-                        goto err;
-        }
-        return (1);
- err:
-        return (0);
-}
-int
-tls1_change_read_cipher_state(SSL *s)
-{
-        return tls1_change_cipher_state(s, 0);
-}
-int
-tls1_change_write_cipher_state(SSL *s)
-{
-        return tls1_change_cipher_state(s, 1);
-}
-int
-tls1_setup_key_block(SSL *s)
-{
-        struct tls12_key_block *key_block;
-        int mac_type = NID_undef, mac_secret_size = 0;
-        const EVP_CIPHER *cipher = NULL;
-        const EVP_AEAD *aead = NULL;
-        const EVP_MD *handshake_hash = NULL;
-        const EVP_MD *mac_hash = NULL;
-        int ret = 0;
-        /*
-         * XXX - callers should be changed so that they only call this
-         * function once.
-         */
-        if (S3I(s)->hs.tls12.key_block != NULL)
-                return (1);
-        if (s->session->cipher &&
-            (s->session->cipher->algorithm_mac & SSL_AEAD)) {
-                if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
-                        SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
-                        return (0);
-                }
-        } else {
-                /* XXX - mac_type and mac_secret_size are now unused. */
-                if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
-                    &mac_type, &mac_secret_size)) {
-                        SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
-                        return (0);
-                }
-        }
-        if (!ssl_get_handshake_evp_md(s, &handshake_hash))
-                return (0);
-        tls12_record_layer_set_aead(s->internal->rl, aead);
-        tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
-            handshake_hash, mac_hash);
-        if ((key_block = tls12_key_block_new()) == NULL)
-                goto err;
-        if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
-                goto err;
-        S3I(s)->hs.tls12.key_block = key_block;
-        key_block = NULL;
-        if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
-            s->method->version <= TLS1_VERSION) {
-                /*
-                 * Enable vulnerability countermeasure for CBC ciphers with
-                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
-                 */
-                S3I(s)->need_empty_fragments = 1;
-                if (s->session->cipher != NULL) {
-                        if (s->session->cipher->algorithm_enc == SSL_eNULL)
-                                S3I(s)->need_empty_fragments = 0;
-#ifndef OPENSSL_NO_RC4
-                        if (s->session->cipher->algorithm_enc == SSL_RC4)
-                                S3I(s)->need_empty_fragments = 0;
-#endif
-                }
-        }
-        ret = 1;
- err:
-        tls12_key_block_free(key_block);
-        return (ret);
-}
-int
-tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-    const char *label, size_t llen, const unsigned char *context,
-    size_t contextlen, int use_context)
-{
-        unsigned char *val = NULL;
-        size_t vallen, currentvalpos;
-        int rv;
-        if (!SSL_is_init_finished(s)) {
-                SSLerror(s, SSL_R_BAD_STATE);
-                return 0;
-        }
-        /* construct PRF arguments
-         * we construct the PRF argument ourself rather than passing separate
-         * values into the TLS PRF to ensure that the concatenation of values
-         * does not create a prohibited label.
-         */
-        vallen = llen + SSL3_RANDOM_SIZE * 2;
-        if (use_context) {
-                vallen += 2 + contextlen;
-        }
-        val = malloc(vallen);
-        if (val == NULL)
-                goto err2;
-        currentvalpos = 0;
-        memcpy(val + currentvalpos, (unsigned char *) label, llen);
-        currentvalpos += llen;
-        memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
-        currentvalpos += SSL3_RANDOM_SIZE;
-        memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
-        currentvalpos += SSL3_RANDOM_SIZE;
-        if (use_context) {
-                val[currentvalpos] = (contextlen >> 8) & 0xff;
-                currentvalpos++;
-                val[currentvalpos] = contextlen & 0xff;
-                currentvalpos++;
-                if ((contextlen > 0) || (context != NULL)) {
-                        memcpy(val + currentvalpos, context, contextlen);
-                }
-        }
-        /* disallow prohibited labels
-         * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
-         * 15, so size of val > max(prohibited label len) = 15 and the
-         * comparisons won't have buffer overflow
-         */
-        if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
-            TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
-                goto err1;
-        if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
-            TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
-                goto err1;
-        if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
-            TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
-                goto err1;
-        if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
-            TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
-                goto err1;
-        rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length,
-            val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen);
-        goto ret;
- err1:
-        SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
-        rv = 0;
-        goto ret;
- err2:
-        SSLerror(s, ERR_R_MALLOC_FAILURE);
-        rv = 0;
- ret:
-        free(val);
-        return (rv);
-}

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c deleted file mode 100644 index 65e2063398..0000000000 --- a/src/lib/libssl/t1_enc.c +++ /dev/null
@@ -1,496 +0,0 @@
1	/* $OpenBSD: t1_enc.c,v 1.151 2021/07/01 17:53:39 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.
4	*
5	* This package is an SSL implementation written
6	* by Eric Young (eay@cryptsoft.com).
7	* The implementation was written so as to conform with Netscapes SSL.
8	*
9	* This library is free for commercial and non-commercial use as long as
10	* the following conditions are aheared to. The following conditions
11	* apply to all code found in this distribution, be it the RC4, RSA,
12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13	* included with this distribution is covered by the same copyright terms
14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15	*
16	* Copyright remains Eric Young's, and as such any Copyright notices in
17	* the code are not to be removed.
18	* If this package is used in a product, Eric Young should be given attribution
19	* as the author of the parts of the library used.
20	* This can be in the form of a textual message at program startup or
21	* in documentation (online or textual) provided with the package.
22	*
23	* Redistribution and use in source and binary forms, with or without
24	* modification, are permitted provided that the following conditions
25	* are met:
26	* 1. Redistributions of source code must retain the copyright
27	* notice, this list of conditions and the following disclaimer.
28	* 2. Redistributions in binary form must reproduce the above copyright
29	* notice, this list of conditions and the following disclaimer in the
30	* documentation and/or other materials provided with the distribution.
31	* 3. All advertising materials mentioning features or use of this software
32	* must display the following acknowledgement:
33	* "This product includes cryptographic software written by
34	* Eric Young (eay@cryptsoft.com)"
35	* The word 'cryptographic' can be left out if the rouines from the library
36	* being used are not cryptographic related :-).
37	* 4. If you include any Windows specific code (or a derivative thereof) from
38	* the apps directory (application code) you must include an acknowledgement:
39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51	* SUCH DAMAGE.
52	*
53	* The licence and distribution terms for any publically available version or
54	* derivative of this code cannot be changed. i.e. this code cannot simply be
55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]
57	*/
58	/* ====================================================================
59	* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60	*
61	* Redistribution and use in source and binary forms, with or without
62	* modification, are permitted provided that the following conditions
63	* are met:
64	*
65	* 1. Redistributions of source code must retain the above copyright
66	* notice, this list of conditions and the following disclaimer.
67	*
68	* 2. Redistributions in binary form must reproduce the above copyright
69	* notice, this list of conditions and the following disclaimer in
70	* the documentation and/or other materials provided with the
71	* distribution.
72	*
73	* 3. All advertising materials mentioning features or use of this
74	* software must display the following acknowledgment:
75	* "This product includes software developed by the OpenSSL Project
76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77	*
78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79	* endorse or promote products derived from this software without
80	* prior written permission. For written permission, please contact
81	* openssl-core@openssl.org.
82	*
83	* 5. Products derived from this software may not be called "OpenSSL"
84	* nor may "OpenSSL" appear in their names without prior written
85	* permission of the OpenSSL Project.
86	*
87	* 6. Redistributions of any form whatsoever must retain the following
88	* acknowledgment:
89	* "This product includes software developed by the OpenSSL Project
90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91	*
92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103	* OF THE POSSIBILITY OF SUCH DAMAGE.
104	* ====================================================================
105	*
106	* This product includes cryptographic software written by Eric Young
107	* (eay@cryptsoft.com). This product includes software written by Tim
108	* Hudson (tjh@cryptsoft.com).
109	*
110	*/
111	/* ====================================================================
112	* Copyright 2005 Nokia. All rights reserved.
113	*
114	* The portions of the attached software ("Contribution") is developed by
115	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
116	* license.
117	*
118	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
119	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120	* support (see RFC 4279) to OpenSSL.
121	*
122	* No patent licenses or other rights except those expressly stated in
123	* the OpenSSL open source license shall be deemed granted or received
124	* expressly, by implication, estoppel, or otherwise.
125	*
126	* No assurances are provided by Nokia that the Contribution does not
127	* infringe the patent or other intellectual property rights of any third
128	* party or that the license provides you with all the necessary rights
129	* to make use of the Contribution.
130	*
131	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135	* OTHERWISE.
136	*/
137
138	#include <limits.h>
139	#include <stdio.h>
140
141	#include <openssl/evp.h>
142	#include <openssl/hmac.h>
143	#include <openssl/md5.h>
144	#include <openssl/opensslconf.h>
145
146	#include "dtls_locl.h"
147	#include "ssl_locl.h"
148
149	void
150	tls1_cleanup_key_block(SSL *s)
151	{
152	tls12_key_block_free(S3I(s)->hs.tls12.key_block);
153	S3I(s)->hs.tls12.key_block = NULL;
154	}
155
156	/*
157	* TLS P_hash() data expansion function - see RFC 5246, section 5.
158	*/
159	static int
160	tls1_P_hash(const EVP_MD md, const unsigned char secret, size_t secret_len,
161	const void seed1, size_t seed1_len, const void seed2, size_t seed2_len,
162	const void seed3, size_t seed3_len, const void seed4, size_t seed4_len,
163	const void seed5, size_t seed5_len, unsigned char out, size_t out_len)
164	{
165	unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
166	size_t A1_len, hmac_len;
167	EVP_MD_CTX ctx;
168	EVP_PKEY *mac_key;
169	int ret = 0;
170	int chunk;
171	size_t i;
172
173	chunk = EVP_MD_size(md);
174	OPENSSL_assert(chunk >= 0);
175
176	EVP_MD_CTX_init(&ctx);
177
178	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
179	if (!mac_key)
180	goto err;
181	if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
182	goto err;
183	if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
184	goto err;
185	if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
186	goto err;
187	if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
188	goto err;
189	if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
190	goto err;
191	if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
192	goto err;
193	if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
194	goto err;
195
196	for (;;) {
197	if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
198	goto err;
199	if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
200	goto err;
201	if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len))
202	goto err;
203	if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len))
204	goto err;
205	if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len))
206	goto err;
207	if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len))
208	goto err;
209	if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len))
210	goto err;
211	if (!EVP_DigestSignFinal(&ctx, hmac, &hmac_len))
212	goto err;
213
214	if (hmac_len > out_len)
215	hmac_len = out_len;
216
217	for (i = 0; i < hmac_len; i++)
218	out[i] ^= hmac[i];
219
220	out += hmac_len;
221	out_len -= hmac_len;
222
223	if (out_len == 0)
224	break;
225
226	if (!EVP_DigestSignInit(&ctx, NULL, md, NULL, mac_key))
227	goto err;
228	if (!EVP_DigestSignUpdate(&ctx, A1, A1_len))
229	goto err;
230	if (!EVP_DigestSignFinal(&ctx, A1, &A1_len))
231	goto err;
232	}
233	ret = 1;
234
235	err:
236	EVP_PKEY_free(mac_key);
237	EVP_MD_CTX_cleanup(&ctx);
238
239	explicit_bzero(A1, sizeof(A1));
240	explicit_bzero(hmac, sizeof(hmac));
241
242	return ret;
243	}
244
245	int
246	tls1_PRF(SSL s, const unsigned char secret, size_t secret_len,
247	const void seed1, size_t seed1_len, const void seed2, size_t seed2_len,
248	const void seed3, size_t seed3_len, const void seed4, size_t seed4_len,
249	const void seed5, size_t seed5_len, unsigned char out, size_t out_len)
250	{
251	const EVP_MD *md;
252	size_t half_len;
253
254	memset(out, 0, out_len);
255
256	if (!ssl_get_handshake_evp_md(s, &md))
257	return (0);
258
259	if (md->type == NID_md5_sha1) {
260	/*
261	* Partition secret between MD5 and SHA1, then XOR result.
262	* If the secret length is odd, a one byte overlap is used.
263	*/
264	half_len = secret_len - (secret_len / 2);
265	if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
266	seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
267	seed5, seed5_len, out, out_len))
268	return (0);
269
270	secret += secret_len - half_len;
271	if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
272	seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
273	seed5, seed5_len, out, out_len))
274	return (0);
275
276	return (1);
277	}
278
279	if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
280	seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
281	seed5, seed5_len, out, out_len))
282	return (0);
283
284	return (1);
285	}
286
287	int
288	tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)
289	{
290	return tls1_PRF(s,
291	s->session->master_key, s->session->master_key_length,
292	TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
293	s->s3->server_random, SSL3_RANDOM_SIZE,
294	s->s3->client_random, SSL3_RANDOM_SIZE,
295	NULL, 0, NULL, 0, key_block, key_block_len);
296	}
297
298	static int
299	tls1_change_cipher_state(SSL *s, int is_write)
300	{
301	CBS mac_key, key, iv;
302
303	/* Use client write keys on client write and server read. */
304	if ((!s->server && is_write) \|\| (s->server && !is_write)) {
305	tls12_key_block_client_write(S3I(s)->hs.tls12.key_block,
306	&mac_key, &key, &iv);
307	} else {
308	tls12_key_block_server_write(S3I(s)->hs.tls12.key_block,
309	&mac_key, &key, &iv);
310	}
311
312	if (!is_write) {
313	if (!tls12_record_layer_change_read_cipher_state(s->internal->rl,
314	&mac_key, &key, &iv))
315	goto err;
316	if (SSL_is_dtls(s))
317	dtls1_reset_read_seq_numbers(s);
318	tls12_record_layer_read_cipher_hash(s->internal->rl,
319	&s->enc_read_ctx, &s->read_hash);
320	} else {
321	if (!tls12_record_layer_change_write_cipher_state(s->internal->rl,
322	&mac_key, &key, &iv))
323	goto err;
324	}
325	return (1);
326
327	err:
328	return (0);
329	}
330
331	int
332	tls1_change_read_cipher_state(SSL *s)
333	{
334	return tls1_change_cipher_state(s, 0);
335	}
336
337	int
338	tls1_change_write_cipher_state(SSL *s)
339	{
340	return tls1_change_cipher_state(s, 1);
341	}
342
343	int
344	tls1_setup_key_block(SSL *s)
345	{
346	struct tls12_key_block *key_block;
347	int mac_type = NID_undef, mac_secret_size = 0;
348	const EVP_CIPHER *cipher = NULL;
349	const EVP_AEAD *aead = NULL;
350	const EVP_MD *handshake_hash = NULL;
351	const EVP_MD *mac_hash = NULL;
352	int ret = 0;
353
354	/*
355	* XXX - callers should be changed so that they only call this
356	* function once.
357	*/
358	if (S3I(s)->hs.tls12.key_block != NULL)
359	return (1);
360
361	if (s->session->cipher &&
362	(s->session->cipher->algorithm_mac & SSL_AEAD)) {
363	if (!ssl_cipher_get_evp_aead(s->session, &aead)) {
364	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
365	return (0);
366	}
367	} else {
368	/* XXX - mac_type and mac_secret_size are now unused. */
369	if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash,
370	&mac_type, &mac_secret_size)) {
371	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
372	return (0);
373	}
374	}
375
376	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
377	return (0);
378
379	tls12_record_layer_set_aead(s->internal->rl, aead);
380	tls12_record_layer_set_cipher_hash(s->internal->rl, cipher,
381	handshake_hash, mac_hash);
382
383	if ((key_block = tls12_key_block_new()) == NULL)
384	goto err;
385	if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
386	goto err;
387
388	S3I(s)->hs.tls12.key_block = key_block;
389	key_block = NULL;
390
391	if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
392	s->method->version <= TLS1_VERSION) {
393	/*
394	* Enable vulnerability countermeasure for CBC ciphers with
395	* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
396	*/
397	S3I(s)->need_empty_fragments = 1;
398
399	if (s->session->cipher != NULL) {
400	if (s->session->cipher->algorithm_enc == SSL_eNULL)
401	S3I(s)->need_empty_fragments = 0;
402
403	#ifndef OPENSSL_NO_RC4
404	if (s->session->cipher->algorithm_enc == SSL_RC4)
405	S3I(s)->need_empty_fragments = 0;
406	#endif
407	}
408	}
409
410	ret = 1;
411
412	err:
413	tls12_key_block_free(key_block);
414
415	return (ret);
416	}
417
418	int
419	tls1_export_keying_material(SSL s, unsigned char out, size_t olen,
420	const char label, size_t llen, const unsigned char context,
421	size_t contextlen, int use_context)
422	{
423	unsigned char *val = NULL;
424	size_t vallen, currentvalpos;
425	int rv;
426
427	if (!SSL_is_init_finished(s)) {
428	SSLerror(s, SSL_R_BAD_STATE);
429	return 0;
430	}
431
432	/* construct PRF arguments
433	* we construct the PRF argument ourself rather than passing separate
434	* values into the TLS PRF to ensure that the concatenation of values
435	* does not create a prohibited label.
436	*/
437	vallen = llen + SSL3_RANDOM_SIZE * 2;
438	if (use_context) {
439	vallen += 2 + contextlen;
440	}
441
442	val = malloc(vallen);
443	if (val == NULL)
444	goto err2;
445	currentvalpos = 0;
446	memcpy(val + currentvalpos, (unsigned char *) label, llen);
447	currentvalpos += llen;
448	memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
449	currentvalpos += SSL3_RANDOM_SIZE;
450	memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
451	currentvalpos += SSL3_RANDOM_SIZE;
452
453	if (use_context) {
454	val[currentvalpos] = (contextlen >> 8) & 0xff;
455	currentvalpos++;
456	val[currentvalpos] = contextlen & 0xff;
457	currentvalpos++;
458	if ((contextlen > 0) \|\| (context != NULL)) {
459	memcpy(val + currentvalpos, context, contextlen);
460	}
461	}
462
463	/* disallow prohibited labels
464	* note that SSL3_RANDOM_SIZE > max(prohibited label len) =
465	* 15, so size of val > max(prohibited label len) = 15 and the
466	* comparisons won't have buffer overflow
467	*/
468	if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
469	TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
470	goto err1;
471	if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
472	TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
473	goto err1;
474	if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
475	TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
476	goto err1;
477	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
478	TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
479	goto err1;
480
481	rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length,
482	val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen);
483
484	goto ret;
485	err1:
486	SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
487	rv = 0;
488	goto ret;
489	err2:
490	SSLerror(s, ERR_R_MALLOC_FAILURE);
491	rv = 0;
492	ret:
493	free(val);
494
495	return (rv);
496	}