1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include "ssl_local.h" 13 #include "record/record_local.h" 14 #include "internal/ktls.h" 15 #include "internal/cryptlib.h" 16 #include <openssl/comp.h> 17 #include <openssl/evp.h> 18 #include <openssl/kdf.h> 19 #include <openssl/rand.h> 20 #include <openssl/obj_mac.h> 21 #include <openssl/core_names.h> 22 #include <openssl/trace.h> 23 24 /* seed1 through seed5 are concatenated */ 25 static int tls1_PRF(SSL *s, 26 const void *seed1, size_t seed1_len, 27 const void *seed2, size_t seed2_len, 28 const void *seed3, size_t seed3_len, 29 const void *seed4, size_t seed4_len, 30 const void *seed5, size_t seed5_len, 31 const unsigned char *sec, size_t slen, 32 unsigned char *out, size_t olen, int fatal) 33 { 34 const EVP_MD *md = ssl_prf_md(s); 35 EVP_KDF *kdf; 36 EVP_KDF_CTX *kctx = NULL; 37 OSSL_PARAM params[8], *p = params; 38 const char *mdname; 39 40 if (md == NULL) { 41 /* Should never happen */ 42 if (fatal) 43 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 44 else 45 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 46 return 0; 47 } 48 kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_PRF, s->ctx->propq); 49 if (kdf == NULL) 50 goto err; 51 kctx = EVP_KDF_CTX_new(kdf); 52 EVP_KDF_free(kdf); 53 if (kctx == NULL) 54 goto err; 55 mdname = EVP_MD_get0_name(md); 56 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 57 (char *)mdname, 0); 58 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, 59 (unsigned char *)sec, 60 (size_t)slen); 61 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 62 (void *)seed1, (size_t)seed1_len); 63 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 64 (void *)seed2, (size_t)seed2_len); 65 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 66 (void *)seed3, (size_t)seed3_len); 67 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 68 (void *)seed4, (size_t)seed4_len); 69 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 70 (void *)seed5, (size_t)seed5_len); 71 *p = OSSL_PARAM_construct_end(); 72 if (EVP_KDF_derive(kctx, out, olen, params)) { 73 EVP_KDF_CTX_free(kctx); 74 return 1; 75 } 76 77 err: 78 if (fatal) 79 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 80 else 81 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 82 EVP_KDF_CTX_free(kctx); 83 return 0; 84 } 85 86 static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) 87 { 88 int ret; 89 90 /* Calls SSLfatal() as required */ 91 ret = tls1_PRF(s, 92 TLS_MD_KEY_EXPANSION_CONST, 93 TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3.server_random, 94 SSL3_RANDOM_SIZE, s->s3.client_random, SSL3_RANDOM_SIZE, 95 NULL, 0, NULL, 0, s->session->master_key, 96 s->session->master_key_length, km, num, 1); 97 98 return ret; 99 } 100 101 int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, 102 const EVP_CIPHER *ciph, 103 const EVP_MD *md) 104 { 105 /* 106 * Provided cipher, the TLS padding/MAC removal is performed provider 107 * side so we need to tell the ctx about our TLS version and mac size 108 */ 109 OSSL_PARAM params[3], *pprm = params; 110 size_t macsize = 0; 111 int imacsize = -1; 112 113 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 114 /* 115 * We look at s->ext.use_etm instead of SSL_READ_ETM() or 116 * SSL_WRITE_ETM() because this test applies to both reading 117 * and writing. 118 */ 119 && !s->ext.use_etm) 120 imacsize = EVP_MD_get_size(md); 121 if (imacsize >= 0) 122 macsize = (size_t)imacsize; 123 124 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION, 125 &s->version); 126 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, 127 &macsize); 128 *pprm = OSSL_PARAM_construct_end(); 129 130 if (!EVP_CIPHER_CTX_set_params(ctx, params)) { 131 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 132 return 0; 133 } 134 135 return 1; 136 } 137 138 139 static int tls_iv_length_within_key_block(const EVP_CIPHER *c) 140 { 141 /* If GCM/CCM mode only part of IV comes from PRF */ 142 if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) 143 return EVP_GCM_TLS_FIXED_IV_LEN; 144 else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) 145 return EVP_CCM_TLS_FIXED_IV_LEN; 146 else 147 return EVP_CIPHER_get_iv_length(c); 148 } 149 150 int tls1_change_cipher_state(SSL *s, int which) 151 { 152 unsigned char *p, *mac_secret; 153 unsigned char *ms, *key, *iv; 154 EVP_CIPHER_CTX *dd; 155 const EVP_CIPHER *c; 156 #ifndef OPENSSL_NO_COMP 157 const SSL_COMP *comp; 158 #endif 159 const EVP_MD *m; 160 int mac_type; 161 size_t *mac_secret_size; 162 EVP_MD_CTX *mac_ctx; 163 EVP_PKEY *mac_key; 164 size_t n, i, j, k, cl; 165 int reuse_dd = 0; 166 #ifndef OPENSSL_NO_KTLS 167 ktls_crypto_info_t crypto_info; 168 void *rl_sequence; 169 BIO *bio; 170 #endif 171 172 c = s->s3.tmp.new_sym_enc; 173 m = s->s3.tmp.new_hash; 174 mac_type = s->s3.tmp.new_mac_pkey_type; 175 #ifndef OPENSSL_NO_COMP 176 comp = s->s3.tmp.new_compression; 177 #endif 178 179 if (which & SSL3_CC_READ) { 180 if (s->ext.use_etm) 181 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 182 else 183 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 184 185 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 186 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 187 else 188 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 189 190 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 191 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE; 192 else 193 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE; 194 195 if (s->enc_read_ctx != NULL) { 196 reuse_dd = 1; 197 } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { 198 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 199 goto err; 200 } else { 201 /* 202 * make sure it's initialised in case we exit later with an error 203 */ 204 EVP_CIPHER_CTX_reset(s->enc_read_ctx); 205 } 206 dd = s->enc_read_ctx; 207 mac_ctx = ssl_replace_hash(&s->read_hash, NULL); 208 if (mac_ctx == NULL) { 209 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 210 goto err; 211 } 212 #ifndef OPENSSL_NO_COMP 213 COMP_CTX_free(s->expand); 214 s->expand = NULL; 215 if (comp != NULL) { 216 s->expand = COMP_CTX_new(comp->method); 217 if (s->expand == NULL) { 218 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 219 SSL_R_COMPRESSION_LIBRARY_ERROR); 220 goto err; 221 } 222 } 223 #endif 224 /* 225 * this is done by dtls1_reset_seq_numbers for DTLS 226 */ 227 if (!SSL_IS_DTLS(s)) 228 RECORD_LAYER_reset_read_sequence(&s->rlayer); 229 mac_secret = &(s->s3.read_mac_secret[0]); 230 mac_secret_size = &(s->s3.read_mac_secret_size); 231 } else { 232 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 233 if (s->ext.use_etm) 234 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 235 else 236 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 237 238 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 239 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 240 else 241 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 242 243 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 244 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 245 else 246 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 247 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) { 248 reuse_dd = 1; 249 } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { 250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 251 goto err; 252 } 253 dd = s->enc_write_ctx; 254 if (SSL_IS_DTLS(s)) { 255 mac_ctx = EVP_MD_CTX_new(); 256 if (mac_ctx == NULL) { 257 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 258 goto err; 259 } 260 s->write_hash = mac_ctx; 261 } else { 262 mac_ctx = ssl_replace_hash(&s->write_hash, NULL); 263 if (mac_ctx == NULL) { 264 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 265 goto err; 266 } 267 } 268 #ifndef OPENSSL_NO_COMP 269 COMP_CTX_free(s->compress); 270 s->compress = NULL; 271 if (comp != NULL) { 272 s->compress = COMP_CTX_new(comp->method); 273 if (s->compress == NULL) { 274 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 275 SSL_R_COMPRESSION_LIBRARY_ERROR); 276 goto err; 277 } 278 } 279 #endif 280 /* 281 * this is done by dtls1_reset_seq_numbers for DTLS 282 */ 283 if (!SSL_IS_DTLS(s)) 284 RECORD_LAYER_reset_write_sequence(&s->rlayer); 285 mac_secret = &(s->s3.write_mac_secret[0]); 286 mac_secret_size = &(s->s3.write_mac_secret_size); 287 } 288 289 if (reuse_dd) 290 EVP_CIPHER_CTX_reset(dd); 291 292 p = s->s3.tmp.key_block; 293 i = *mac_secret_size = s->s3.tmp.new_mac_secret_size; 294 295 cl = EVP_CIPHER_get_key_length(c); 296 j = cl; 297 k = tls_iv_length_within_key_block(c); 298 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 299 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 300 ms = &(p[0]); 301 n = i + i; 302 key = &(p[n]); 303 n += j + j; 304 iv = &(p[n]); 305 n += k + k; 306 } else { 307 n = i; 308 ms = &(p[n]); 309 n += i + j; 310 key = &(p[n]); 311 n += j + k; 312 iv = &(p[n]); 313 n += k; 314 } 315 316 if (n > s->s3.tmp.key_block_length) { 317 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 318 goto err; 319 } 320 321 memcpy(mac_secret, ms, i); 322 323 if (!(EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { 324 if (mac_type == EVP_PKEY_HMAC) { 325 mac_key = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", 326 s->ctx->propq, mac_secret, 327 *mac_secret_size); 328 } else { 329 /* 330 * If its not HMAC then the only other types of MAC we support are 331 * the GOST MACs, so we need to use the old style way of creating 332 * a MAC key. 333 */ 334 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, 335 (int)*mac_secret_size); 336 } 337 if (mac_key == NULL 338 || EVP_DigestSignInit_ex(mac_ctx, NULL, EVP_MD_get0_name(m), 339 s->ctx->libctx, s->ctx->propq, mac_key, 340 NULL) <= 0) { 341 EVP_PKEY_free(mac_key); 342 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 343 goto err; 344 } 345 EVP_PKEY_free(mac_key); 346 } 347 348 OSSL_TRACE_BEGIN(TLS) { 349 BIO_printf(trc_out, "which = %04X, mac key:\n", which); 350 BIO_dump_indent(trc_out, ms, i, 4); 351 } OSSL_TRACE_END(TLS); 352 353 if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { 354 if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) 355 || EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, 356 iv) <= 0) { 357 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 358 goto err; 359 } 360 } else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) { 361 int taglen; 362 if (s->s3.tmp. 363 new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 364 taglen = EVP_CCM8_TLS_TAG_LEN; 365 else 366 taglen = EVP_CCM_TLS_TAG_LEN; 367 if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) 368 || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) <= 0) 369 || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) <= 0) 370 || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv) <= 0) 371 || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { 372 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 373 goto err; 374 } 375 } else { 376 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { 377 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 378 goto err; 379 } 380 } 381 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 382 if ((EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) 383 && *mac_secret_size 384 && EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, 385 (int)*mac_secret_size, mac_secret) <= 0) { 386 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 387 goto err; 388 } 389 if (EVP_CIPHER_get0_provider(c) != NULL 390 && !tls_provider_set_tls_params(s, dd, c, m)) { 391 /* SSLfatal already called */ 392 goto err; 393 } 394 395 #ifndef OPENSSL_NO_KTLS 396 if (s->compress || (s->options & SSL_OP_ENABLE_KTLS) == 0) 397 goto skip_ktls; 398 399 /* ktls supports only the maximum fragment size */ 400 if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) 401 goto skip_ktls; 402 403 /* check that cipher is supported */ 404 if (!ktls_check_supported_cipher(s, c, dd)) 405 goto skip_ktls; 406 407 if (which & SSL3_CC_WRITE) 408 bio = s->wbio; 409 else 410 bio = s->rbio; 411 412 if (!ossl_assert(bio != NULL)) { 413 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 414 goto err; 415 } 416 417 /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ 418 if (which & SSL3_CC_WRITE) { 419 if (BIO_flush(bio) <= 0) 420 goto skip_ktls; 421 } 422 423 /* ktls doesn't support renegotiation */ 424 if ((BIO_get_ktls_send(s->wbio) && (which & SSL3_CC_WRITE)) || 425 (BIO_get_ktls_recv(s->rbio) && (which & SSL3_CC_READ))) { 426 SSLfatal(s, SSL_AD_NO_RENEGOTIATION, ERR_R_INTERNAL_ERROR); 427 goto err; 428 } 429 430 if (which & SSL3_CC_WRITE) 431 rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); 432 else 433 rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); 434 435 if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, 436 which & SSL3_CC_WRITE, iv, key, ms, 437 *mac_secret_size)) 438 goto skip_ktls; 439 440 /* ktls works with user provided buffers directly */ 441 if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { 442 if (which & SSL3_CC_WRITE) 443 ssl3_release_write_buffer(s); 444 SSL_set_options(s, SSL_OP_NO_RENEGOTIATION); 445 } 446 447 skip_ktls: 448 #endif /* OPENSSL_NO_KTLS */ 449 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 450 451 OSSL_TRACE_BEGIN(TLS) { 452 BIO_printf(trc_out, "which = %04X, key:\n", which); 453 BIO_dump_indent(trc_out, key, EVP_CIPHER_get_key_length(c), 4); 454 BIO_printf(trc_out, "iv:\n"); 455 BIO_dump_indent(trc_out, iv, k, 4); 456 } OSSL_TRACE_END(TLS); 457 458 return 1; 459 err: 460 return 0; 461 } 462 463 int tls1_setup_key_block(SSL *s) 464 { 465 unsigned char *p; 466 const EVP_CIPHER *c; 467 const EVP_MD *hash; 468 SSL_COMP *comp; 469 int mac_type = NID_undef; 470 size_t num, mac_secret_size = 0; 471 int ret = 0; 472 473 if (s->s3.tmp.key_block_length != 0) 474 return 1; 475 476 if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, &mac_type, 477 &mac_secret_size, &comp, s->ext.use_etm)) { 478 /* Error is already recorded */ 479 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 480 return 0; 481 } 482 483 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 484 s->s3.tmp.new_sym_enc = c; 485 ssl_evp_md_free(s->s3.tmp.new_hash); 486 s->s3.tmp.new_hash = hash; 487 s->s3.tmp.new_mac_pkey_type = mac_type; 488 s->s3.tmp.new_mac_secret_size = mac_secret_size; 489 num = mac_secret_size + EVP_CIPHER_get_key_length(c) 490 + tls_iv_length_within_key_block(c); 491 num *= 2; 492 493 ssl3_cleanup_key_block(s); 494 495 if ((p = OPENSSL_malloc(num)) == NULL) { 496 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 497 goto err; 498 } 499 500 s->s3.tmp.key_block_length = num; 501 s->s3.tmp.key_block = p; 502 503 OSSL_TRACE_BEGIN(TLS) { 504 BIO_printf(trc_out, "key block length: %zu\n", num); 505 BIO_printf(trc_out, "client random\n"); 506 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 507 BIO_printf(trc_out, "server random\n"); 508 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 509 BIO_printf(trc_out, "master key\n"); 510 BIO_dump_indent(trc_out, 511 s->session->master_key, 512 s->session->master_key_length, 4); 513 } OSSL_TRACE_END(TLS); 514 515 if (!tls1_generate_key_block(s, p, num)) { 516 /* SSLfatal() already called */ 517 goto err; 518 } 519 520 OSSL_TRACE_BEGIN(TLS) { 521 BIO_printf(trc_out, "key block\n"); 522 BIO_dump_indent(trc_out, p, num, 4); 523 } OSSL_TRACE_END(TLS); 524 525 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 526 && s->method->version <= TLS1_VERSION) { 527 /* 528 * enable vulnerability countermeasure for CBC ciphers with known-IV 529 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 530 */ 531 s->s3.need_empty_fragments = 1; 532 533 if (s->session->cipher != NULL) { 534 if (s->session->cipher->algorithm_enc == SSL_eNULL) 535 s->s3.need_empty_fragments = 0; 536 537 if (s->session->cipher->algorithm_enc == SSL_RC4) 538 s->s3.need_empty_fragments = 0; 539 } 540 } 541 542 ret = 1; 543 err: 544 return ret; 545 } 546 547 size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen, 548 unsigned char *out) 549 { 550 size_t hashlen; 551 unsigned char hash[EVP_MAX_MD_SIZE]; 552 size_t finished_size = TLS1_FINISH_MAC_LENGTH; 553 554 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kGOST18) 555 finished_size = 32; 556 557 if (!ssl3_digest_cached_records(s, 0)) { 558 /* SSLfatal() already called */ 559 return 0; 560 } 561 562 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 563 /* SSLfatal() already called */ 564 return 0; 565 } 566 567 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, 568 s->session->master_key, s->session->master_key_length, 569 out, finished_size, 1)) { 570 /* SSLfatal() already called */ 571 return 0; 572 } 573 OPENSSL_cleanse(hash, hashlen); 574 return finished_size; 575 } 576 577 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 578 size_t len, size_t *secret_size) 579 { 580 if (s->session->flags & SSL_SESS_FLAG_EXTMS) { 581 unsigned char hash[EVP_MAX_MD_SIZE * 2]; 582 size_t hashlen; 583 /* 584 * Digest cached records keeping record buffer (if present): this won't 585 * affect client auth because we're freezing the buffer at the same 586 * point (after client key exchange and before certificate verify) 587 */ 588 if (!ssl3_digest_cached_records(s, 1) 589 || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 590 /* SSLfatal() already called */ 591 return 0; 592 } 593 OSSL_TRACE_BEGIN(TLS) { 594 BIO_printf(trc_out, "Handshake hashes:\n"); 595 BIO_dump(trc_out, (char *)hash, hashlen); 596 } OSSL_TRACE_END(TLS); 597 if (!tls1_PRF(s, 598 TLS_MD_EXTENDED_MASTER_SECRET_CONST, 599 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, 600 hash, hashlen, 601 NULL, 0, 602 NULL, 0, 603 NULL, 0, p, len, out, 604 SSL3_MASTER_SECRET_SIZE, 1)) { 605 /* SSLfatal() already called */ 606 return 0; 607 } 608 OPENSSL_cleanse(hash, hashlen); 609 } else { 610 if (!tls1_PRF(s, 611 TLS_MD_MASTER_SECRET_CONST, 612 TLS_MD_MASTER_SECRET_CONST_SIZE, 613 s->s3.client_random, SSL3_RANDOM_SIZE, 614 NULL, 0, 615 s->s3.server_random, SSL3_RANDOM_SIZE, 616 NULL, 0, p, len, out, 617 SSL3_MASTER_SECRET_SIZE, 1)) { 618 /* SSLfatal() already called */ 619 return 0; 620 } 621 } 622 623 OSSL_TRACE_BEGIN(TLS) { 624 BIO_printf(trc_out, "Premaster Secret:\n"); 625 BIO_dump_indent(trc_out, p, len, 4); 626 BIO_printf(trc_out, "Client Random:\n"); 627 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 628 BIO_printf(trc_out, "Server Random:\n"); 629 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 630 BIO_printf(trc_out, "Master Secret:\n"); 631 BIO_dump_indent(trc_out, 632 s->session->master_key, 633 SSL3_MASTER_SECRET_SIZE, 4); 634 } OSSL_TRACE_END(TLS); 635 636 *secret_size = SSL3_MASTER_SECRET_SIZE; 637 return 1; 638 } 639 640 int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 641 const char *label, size_t llen, 642 const unsigned char *context, 643 size_t contextlen, int use_context) 644 { 645 unsigned char *val = NULL; 646 size_t vallen = 0, currentvalpos; 647 int rv; 648 649 /* 650 * construct PRF arguments we construct the PRF argument ourself rather 651 * than passing separate values into the TLS PRF to ensure that the 652 * concatenation of values does not create a prohibited label. 653 */ 654 vallen = llen + SSL3_RANDOM_SIZE * 2; 655 if (use_context) { 656 vallen += 2 + contextlen; 657 } 658 659 val = OPENSSL_malloc(vallen); 660 if (val == NULL) 661 goto err2; 662 currentvalpos = 0; 663 memcpy(val + currentvalpos, (unsigned char *)label, llen); 664 currentvalpos += llen; 665 memcpy(val + currentvalpos, s->s3.client_random, SSL3_RANDOM_SIZE); 666 currentvalpos += SSL3_RANDOM_SIZE; 667 memcpy(val + currentvalpos, s->s3.server_random, SSL3_RANDOM_SIZE); 668 currentvalpos += SSL3_RANDOM_SIZE; 669 670 if (use_context) { 671 val[currentvalpos] = (contextlen >> 8) & 0xff; 672 currentvalpos++; 673 val[currentvalpos] = contextlen & 0xff; 674 currentvalpos++; 675 if ((contextlen > 0) || (context != NULL)) { 676 memcpy(val + currentvalpos, context, contextlen); 677 } 678 } 679 680 /* 681 * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited 682 * label len) = 15, so size of val > max(prohibited label len) = 15 and 683 * the comparisons won't have buffer overflow 684 */ 685 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 686 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 687 goto err1; 688 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 689 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 690 goto err1; 691 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 692 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 693 goto err1; 694 if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, 695 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0) 696 goto err1; 697 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 698 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 699 goto err1; 700 701 rv = tls1_PRF(s, 702 val, vallen, 703 NULL, 0, 704 NULL, 0, 705 NULL, 0, 706 NULL, 0, 707 s->session->master_key, s->session->master_key_length, 708 out, olen, 0); 709 710 goto ret; 711 err1: 712 ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 713 rv = 0; 714 goto ret; 715 err2: 716 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 717 rv = 0; 718 ret: 719 OPENSSL_clear_free(val, vallen); 720 return rv; 721 } 722 723 int tls1_alert_code(int code) 724 { 725 switch (code) { 726 case SSL_AD_CLOSE_NOTIFY: 727 return SSL3_AD_CLOSE_NOTIFY; 728 case SSL_AD_UNEXPECTED_MESSAGE: 729 return SSL3_AD_UNEXPECTED_MESSAGE; 730 case SSL_AD_BAD_RECORD_MAC: 731 return SSL3_AD_BAD_RECORD_MAC; 732 case SSL_AD_DECRYPTION_FAILED: 733 return TLS1_AD_DECRYPTION_FAILED; 734 case SSL_AD_RECORD_OVERFLOW: 735 return TLS1_AD_RECORD_OVERFLOW; 736 case SSL_AD_DECOMPRESSION_FAILURE: 737 return SSL3_AD_DECOMPRESSION_FAILURE; 738 case SSL_AD_HANDSHAKE_FAILURE: 739 return SSL3_AD_HANDSHAKE_FAILURE; 740 case SSL_AD_NO_CERTIFICATE: 741 return -1; 742 case SSL_AD_BAD_CERTIFICATE: 743 return SSL3_AD_BAD_CERTIFICATE; 744 case SSL_AD_UNSUPPORTED_CERTIFICATE: 745 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 746 case SSL_AD_CERTIFICATE_REVOKED: 747 return SSL3_AD_CERTIFICATE_REVOKED; 748 case SSL_AD_CERTIFICATE_EXPIRED: 749 return SSL3_AD_CERTIFICATE_EXPIRED; 750 case SSL_AD_CERTIFICATE_UNKNOWN: 751 return SSL3_AD_CERTIFICATE_UNKNOWN; 752 case SSL_AD_ILLEGAL_PARAMETER: 753 return SSL3_AD_ILLEGAL_PARAMETER; 754 case SSL_AD_UNKNOWN_CA: 755 return TLS1_AD_UNKNOWN_CA; 756 case SSL_AD_ACCESS_DENIED: 757 return TLS1_AD_ACCESS_DENIED; 758 case SSL_AD_DECODE_ERROR: 759 return TLS1_AD_DECODE_ERROR; 760 case SSL_AD_DECRYPT_ERROR: 761 return TLS1_AD_DECRYPT_ERROR; 762 case SSL_AD_EXPORT_RESTRICTION: 763 return TLS1_AD_EXPORT_RESTRICTION; 764 case SSL_AD_PROTOCOL_VERSION: 765 return TLS1_AD_PROTOCOL_VERSION; 766 case SSL_AD_INSUFFICIENT_SECURITY: 767 return TLS1_AD_INSUFFICIENT_SECURITY; 768 case SSL_AD_INTERNAL_ERROR: 769 return TLS1_AD_INTERNAL_ERROR; 770 case SSL_AD_USER_CANCELLED: 771 return TLS1_AD_USER_CANCELLED; 772 case SSL_AD_NO_RENEGOTIATION: 773 return TLS1_AD_NO_RENEGOTIATION; 774 case SSL_AD_UNSUPPORTED_EXTENSION: 775 return TLS1_AD_UNSUPPORTED_EXTENSION; 776 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 777 return TLS1_AD_CERTIFICATE_UNOBTAINABLE; 778 case SSL_AD_UNRECOGNIZED_NAME: 779 return TLS1_AD_UNRECOGNIZED_NAME; 780 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 781 return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 782 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 783 return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE; 784 case SSL_AD_UNKNOWN_PSK_IDENTITY: 785 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 786 case SSL_AD_INAPPROPRIATE_FALLBACK: 787 return TLS1_AD_INAPPROPRIATE_FALLBACK; 788 case SSL_AD_NO_APPLICATION_PROTOCOL: 789 return TLS1_AD_NO_APPLICATION_PROTOCOL; 790 case SSL_AD_CERTIFICATE_REQUIRED: 791 return SSL_AD_HANDSHAKE_FAILURE; 792 case TLS13_AD_MISSING_EXTENSION: 793 return SSL_AD_HANDSHAKE_FAILURE; 794 default: 795 return -1; 796 } 797 } 798