1 /* 2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include "ssl_local.h" 13 #include "record/record_local.h" 14 #include "internal/ktls.h" 15 #include "internal/cryptlib.h" 16 #include <openssl/comp.h> 17 #include <openssl/evp.h> 18 #include <openssl/kdf.h> 19 #include <openssl/rand.h> 20 #include <openssl/obj_mac.h> 21 #include <openssl/core_names.h> 22 #include <openssl/trace.h> 23 24 /* seed1 through seed5 are concatenated */ 25 static int tls1_PRF(SSL *s, 26 const void *seed1, size_t seed1_len, 27 const void *seed2, size_t seed2_len, 28 const void *seed3, size_t seed3_len, 29 const void *seed4, size_t seed4_len, 30 const void *seed5, size_t seed5_len, 31 const unsigned char *sec, size_t slen, 32 unsigned char *out, size_t olen, int fatal) 33 { 34 const EVP_MD *md = ssl_prf_md(s); 35 EVP_KDF *kdf; 36 EVP_KDF_CTX *kctx = NULL; 37 OSSL_PARAM params[8], *p = params; 38 const char *mdname; 39 40 if (md == NULL) { 41 /* Should never happen */ 42 if (fatal) 43 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 44 else 45 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 46 return 0; 47 } 48 kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_PRF, s->ctx->propq); 49 if (kdf == NULL) 50 goto err; 51 kctx = EVP_KDF_CTX_new(kdf); 52 EVP_KDF_free(kdf); 53 if (kctx == NULL) 54 goto err; 55 mdname = EVP_MD_get0_name(md); 56 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 57 (char *)mdname, 0); 58 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, 59 (unsigned char *)sec, 60 (size_t)slen); 61 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 62 (void *)seed1, (size_t)seed1_len); 63 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 64 (void *)seed2, (size_t)seed2_len); 65 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 66 (void *)seed3, (size_t)seed3_len); 67 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 68 (void *)seed4, (size_t)seed4_len); 69 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 70 (void *)seed5, (size_t)seed5_len); 71 *p = OSSL_PARAM_construct_end(); 72 if (EVP_KDF_derive(kctx, out, olen, params)) { 73 EVP_KDF_CTX_free(kctx); 74 return 1; 75 } 76 77 err: 78 if (fatal) 79 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 80 else 81 ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 82 EVP_KDF_CTX_free(kctx); 83 return 0; 84 } 85 86 static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) 87 { 88 int ret; 89 90 /* Calls SSLfatal() as required */ 91 ret = tls1_PRF(s, 92 TLS_MD_KEY_EXPANSION_CONST, 93 TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3.server_random, 94 SSL3_RANDOM_SIZE, s->s3.client_random, SSL3_RANDOM_SIZE, 95 NULL, 0, NULL, 0, s->session->master_key, 96 s->session->master_key_length, km, num, 1); 97 98 return ret; 99 } 100 101 #ifndef OPENSSL_NO_KTLS 102 /* 103 * Count the number of records that were not processed yet from record boundary. 104 * 105 * This function assumes that there are only fully formed records read in the 106 * record layer. If read_ahead is enabled, then this might be false and this 107 * function will fail. 108 */ 109 # ifndef OPENSSL_NO_KTLS_RX 110 static int count_unprocessed_records(SSL *s) 111 { 112 SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); 113 PACKET pkt, subpkt; 114 int count = 0; 115 116 if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) 117 return -1; 118 119 while (PACKET_remaining(&pkt) > 0) { 120 /* Skip record type and version */ 121 if (!PACKET_forward(&pkt, 3)) 122 return -1; 123 124 /* Read until next record */ 125 if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) 126 return -1; 127 128 count += 1; 129 } 130 131 return count; 132 } 133 # endif 134 #endif 135 136 137 int tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, 138 const EVP_CIPHER *ciph, 139 const EVP_MD *md) 140 { 141 /* 142 * Provided cipher, the TLS padding/MAC removal is performed provider 143 * side so we need to tell the ctx about our TLS version and mac size 144 */ 145 OSSL_PARAM params[3], *pprm = params; 146 size_t macsize = 0; 147 int imacsize = -1; 148 149 if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 150 /* 151 * We look at s->ext.use_etm instead of SSL_READ_ETM() or 152 * SSL_WRITE_ETM() because this test applies to both reading 153 * and writing. 154 */ 155 && !s->ext.use_etm) 156 imacsize = EVP_MD_get_size(md); 157 if (imacsize >= 0) 158 macsize = (size_t)imacsize; 159 160 *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION, 161 &s->version); 162 *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, 163 &macsize); 164 *pprm = OSSL_PARAM_construct_end(); 165 166 if (!EVP_CIPHER_CTX_set_params(ctx, params)) { 167 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 168 return 0; 169 } 170 171 return 1; 172 } 173 174 175 static int tls_iv_length_within_key_block(const EVP_CIPHER *c) 176 { 177 /* If GCM/CCM mode only part of IV comes from PRF */ 178 if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) 179 return EVP_GCM_TLS_FIXED_IV_LEN; 180 else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) 181 return EVP_CCM_TLS_FIXED_IV_LEN; 182 else 183 return EVP_CIPHER_get_iv_length(c); 184 } 185 186 int tls1_change_cipher_state(SSL *s, int which) 187 { 188 unsigned char *p, *mac_secret; 189 unsigned char *ms, *key, *iv; 190 EVP_CIPHER_CTX *dd; 191 const EVP_CIPHER *c; 192 #ifndef OPENSSL_NO_COMP 193 const SSL_COMP *comp; 194 #endif 195 const EVP_MD *m; 196 int mac_type; 197 size_t *mac_secret_size; 198 EVP_MD_CTX *mac_ctx; 199 EVP_PKEY *mac_key; 200 size_t n, i, j, k, cl; 201 int reuse_dd = 0; 202 #ifndef OPENSSL_NO_KTLS 203 ktls_crypto_info_t crypto_info; 204 unsigned char *rec_seq; 205 void *rl_sequence; 206 # ifndef OPENSSL_NO_KTLS_RX 207 int count_unprocessed; 208 int bit; 209 # endif 210 BIO *bio; 211 #endif 212 213 c = s->s3.tmp.new_sym_enc; 214 m = s->s3.tmp.new_hash; 215 mac_type = s->s3.tmp.new_mac_pkey_type; 216 #ifndef OPENSSL_NO_COMP 217 comp = s->s3.tmp.new_compression; 218 #endif 219 220 if (which & SSL3_CC_READ) { 221 if (s->ext.use_etm) 222 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 223 else 224 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 225 226 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 227 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 228 else 229 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 230 231 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 232 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE; 233 else 234 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE; 235 236 if (s->enc_read_ctx != NULL) { 237 reuse_dd = 1; 238 } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { 239 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 240 goto err; 241 } else { 242 /* 243 * make sure it's initialised in case we exit later with an error 244 */ 245 EVP_CIPHER_CTX_reset(s->enc_read_ctx); 246 } 247 dd = s->enc_read_ctx; 248 mac_ctx = ssl_replace_hash(&s->read_hash, NULL); 249 if (mac_ctx == NULL) { 250 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 251 goto err; 252 } 253 #ifndef OPENSSL_NO_COMP 254 COMP_CTX_free(s->expand); 255 s->expand = NULL; 256 if (comp != NULL) { 257 s->expand = COMP_CTX_new(comp->method); 258 if (s->expand == NULL) { 259 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 260 SSL_R_COMPRESSION_LIBRARY_ERROR); 261 goto err; 262 } 263 } 264 #endif 265 /* 266 * this is done by dtls1_reset_seq_numbers for DTLS 267 */ 268 if (!SSL_IS_DTLS(s)) 269 RECORD_LAYER_reset_read_sequence(&s->rlayer); 270 mac_secret = &(s->s3.read_mac_secret[0]); 271 mac_secret_size = &(s->s3.read_mac_secret_size); 272 } else { 273 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 274 if (s->ext.use_etm) 275 s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 276 else 277 s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 278 279 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 280 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 281 else 282 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 283 284 if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 285 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 286 else 287 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 288 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) { 289 reuse_dd = 1; 290 } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { 291 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 292 goto err; 293 } 294 dd = s->enc_write_ctx; 295 if (SSL_IS_DTLS(s)) { 296 mac_ctx = EVP_MD_CTX_new(); 297 if (mac_ctx == NULL) { 298 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 299 goto err; 300 } 301 s->write_hash = mac_ctx; 302 } else { 303 mac_ctx = ssl_replace_hash(&s->write_hash, NULL); 304 if (mac_ctx == NULL) { 305 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 306 goto err; 307 } 308 } 309 #ifndef OPENSSL_NO_COMP 310 COMP_CTX_free(s->compress); 311 s->compress = NULL; 312 if (comp != NULL) { 313 s->compress = COMP_CTX_new(comp->method); 314 if (s->compress == NULL) { 315 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 316 SSL_R_COMPRESSION_LIBRARY_ERROR); 317 goto err; 318 } 319 } 320 #endif 321 /* 322 * this is done by dtls1_reset_seq_numbers for DTLS 323 */ 324 if (!SSL_IS_DTLS(s)) 325 RECORD_LAYER_reset_write_sequence(&s->rlayer); 326 mac_secret = &(s->s3.write_mac_secret[0]); 327 mac_secret_size = &(s->s3.write_mac_secret_size); 328 } 329 330 if (reuse_dd) 331 EVP_CIPHER_CTX_reset(dd); 332 333 p = s->s3.tmp.key_block; 334 i = *mac_secret_size = s->s3.tmp.new_mac_secret_size; 335 336 cl = EVP_CIPHER_get_key_length(c); 337 j = cl; 338 k = tls_iv_length_within_key_block(c); 339 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 340 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 341 ms = &(p[0]); 342 n = i + i; 343 key = &(p[n]); 344 n += j + j; 345 iv = &(p[n]); 346 n += k + k; 347 } else { 348 n = i; 349 ms = &(p[n]); 350 n += i + j; 351 key = &(p[n]); 352 n += j + k; 353 iv = &(p[n]); 354 n += k; 355 } 356 357 if (n > s->s3.tmp.key_block_length) { 358 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 359 goto err; 360 } 361 362 memcpy(mac_secret, ms, i); 363 364 if (!(EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { 365 if (mac_type == EVP_PKEY_HMAC) { 366 mac_key = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", 367 s->ctx->propq, mac_secret, 368 *mac_secret_size); 369 } else { 370 /* 371 * If its not HMAC then the only other types of MAC we support are 372 * the GOST MACs, so we need to use the old style way of creating 373 * a MAC key. 374 */ 375 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, 376 (int)*mac_secret_size); 377 } 378 if (mac_key == NULL 379 || EVP_DigestSignInit_ex(mac_ctx, NULL, EVP_MD_get0_name(m), 380 s->ctx->libctx, s->ctx->propq, mac_key, 381 NULL) <= 0) { 382 EVP_PKEY_free(mac_key); 383 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 384 goto err; 385 } 386 EVP_PKEY_free(mac_key); 387 } 388 389 OSSL_TRACE_BEGIN(TLS) { 390 BIO_printf(trc_out, "which = %04X, mac key:\n", which); 391 BIO_dump_indent(trc_out, ms, i, 4); 392 } OSSL_TRACE_END(TLS); 393 394 if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { 395 if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) 396 || EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, 397 iv) <= 0) { 398 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 399 goto err; 400 } 401 } else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) { 402 int taglen; 403 if (s->s3.tmp. 404 new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 405 taglen = EVP_CCM8_TLS_TAG_LEN; 406 else 407 taglen = EVP_CCM_TLS_TAG_LEN; 408 if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) 409 || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) <= 0) 410 || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) <= 0) 411 || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv) <= 0) 412 || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { 413 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 414 goto err; 415 } 416 } else { 417 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { 418 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 419 goto err; 420 } 421 } 422 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 423 if ((EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) 424 && *mac_secret_size 425 && EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, 426 (int)*mac_secret_size, mac_secret) <= 0) { 427 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 428 goto err; 429 } 430 if (EVP_CIPHER_get0_provider(c) != NULL 431 && !tls_provider_set_tls_params(s, dd, c, m)) { 432 /* SSLfatal already called */ 433 goto err; 434 } 435 436 #ifndef OPENSSL_NO_KTLS 437 if (s->compress || (s->options & SSL_OP_ENABLE_KTLS) == 0) 438 goto skip_ktls; 439 440 /* ktls supports only the maximum fragment size */ 441 if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) 442 goto skip_ktls; 443 444 /* check that cipher is supported */ 445 if (!ktls_check_supported_cipher(s, c, dd)) 446 goto skip_ktls; 447 448 if (which & SSL3_CC_WRITE) 449 bio = s->wbio; 450 else 451 bio = s->rbio; 452 453 if (!ossl_assert(bio != NULL)) { 454 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 455 goto err; 456 } 457 458 /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ 459 if (which & SSL3_CC_WRITE) { 460 if (BIO_flush(bio) <= 0) 461 goto skip_ktls; 462 } 463 464 /* ktls doesn't support renegotiation */ 465 if ((BIO_get_ktls_send(s->wbio) && (which & SSL3_CC_WRITE)) || 466 (BIO_get_ktls_recv(s->rbio) && (which & SSL3_CC_READ))) { 467 SSLfatal(s, SSL_AD_NO_RENEGOTIATION, ERR_R_INTERNAL_ERROR); 468 goto err; 469 } 470 471 if (which & SSL3_CC_WRITE) 472 rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); 473 else 474 rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); 475 476 if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, 477 iv, key, ms, *mac_secret_size)) 478 goto skip_ktls; 479 480 if (which & SSL3_CC_READ) { 481 # ifndef OPENSSL_NO_KTLS_RX 482 count_unprocessed = count_unprocessed_records(s); 483 if (count_unprocessed < 0) 484 goto skip_ktls; 485 486 /* increment the crypto_info record sequence */ 487 while (count_unprocessed) { 488 for (bit = 7; bit >= 0; bit--) { /* increment */ 489 ++rec_seq[bit]; 490 if (rec_seq[bit] != 0) 491 break; 492 } 493 count_unprocessed--; 494 } 495 # else 496 goto skip_ktls; 497 # endif 498 } 499 500 /* ktls works with user provided buffers directly */ 501 if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { 502 if (which & SSL3_CC_WRITE) 503 ssl3_release_write_buffer(s); 504 SSL_set_options(s, SSL_OP_NO_RENEGOTIATION); 505 } 506 507 skip_ktls: 508 #endif /* OPENSSL_NO_KTLS */ 509 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 510 511 OSSL_TRACE_BEGIN(TLS) { 512 BIO_printf(trc_out, "which = %04X, key:\n", which); 513 BIO_dump_indent(trc_out, key, EVP_CIPHER_get_key_length(c), 4); 514 BIO_printf(trc_out, "iv:\n"); 515 BIO_dump_indent(trc_out, iv, k, 4); 516 } OSSL_TRACE_END(TLS); 517 518 return 1; 519 err: 520 return 0; 521 } 522 523 int tls1_setup_key_block(SSL *s) 524 { 525 unsigned char *p; 526 const EVP_CIPHER *c; 527 const EVP_MD *hash; 528 SSL_COMP *comp; 529 int mac_type = NID_undef; 530 size_t num, mac_secret_size = 0; 531 int ret = 0; 532 533 if (s->s3.tmp.key_block_length != 0) 534 return 1; 535 536 if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, &mac_type, 537 &mac_secret_size, &comp, s->ext.use_etm)) { 538 /* Error is already recorded */ 539 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 540 return 0; 541 } 542 543 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 544 s->s3.tmp.new_sym_enc = c; 545 ssl_evp_md_free(s->s3.tmp.new_hash); 546 s->s3.tmp.new_hash = hash; 547 s->s3.tmp.new_mac_pkey_type = mac_type; 548 s->s3.tmp.new_mac_secret_size = mac_secret_size; 549 num = mac_secret_size + EVP_CIPHER_get_key_length(c) 550 + tls_iv_length_within_key_block(c); 551 num *= 2; 552 553 ssl3_cleanup_key_block(s); 554 555 if ((p = OPENSSL_malloc(num)) == NULL) { 556 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 557 goto err; 558 } 559 560 s->s3.tmp.key_block_length = num; 561 s->s3.tmp.key_block = p; 562 563 OSSL_TRACE_BEGIN(TLS) { 564 BIO_printf(trc_out, "key block length: %zu\n", num); 565 BIO_printf(trc_out, "client random\n"); 566 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 567 BIO_printf(trc_out, "server random\n"); 568 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 569 BIO_printf(trc_out, "master key\n"); 570 BIO_dump_indent(trc_out, 571 s->session->master_key, 572 s->session->master_key_length, 4); 573 } OSSL_TRACE_END(TLS); 574 575 if (!tls1_generate_key_block(s, p, num)) { 576 /* SSLfatal() already called */ 577 goto err; 578 } 579 580 OSSL_TRACE_BEGIN(TLS) { 581 BIO_printf(trc_out, "key block\n"); 582 BIO_dump_indent(trc_out, p, num, 4); 583 } OSSL_TRACE_END(TLS); 584 585 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 586 && s->method->version <= TLS1_VERSION) { 587 /* 588 * enable vulnerability countermeasure for CBC ciphers with known-IV 589 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 590 */ 591 s->s3.need_empty_fragments = 1; 592 593 if (s->session->cipher != NULL) { 594 if (s->session->cipher->algorithm_enc == SSL_eNULL) 595 s->s3.need_empty_fragments = 0; 596 597 if (s->session->cipher->algorithm_enc == SSL_RC4) 598 s->s3.need_empty_fragments = 0; 599 } 600 } 601 602 ret = 1; 603 err: 604 return ret; 605 } 606 607 size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen, 608 unsigned char *out) 609 { 610 size_t hashlen; 611 unsigned char hash[EVP_MAX_MD_SIZE]; 612 size_t finished_size = TLS1_FINISH_MAC_LENGTH; 613 614 if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kGOST18) 615 finished_size = 32; 616 617 if (!ssl3_digest_cached_records(s, 0)) { 618 /* SSLfatal() already called */ 619 return 0; 620 } 621 622 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 623 /* SSLfatal() already called */ 624 return 0; 625 } 626 627 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, 628 s->session->master_key, s->session->master_key_length, 629 out, finished_size, 1)) { 630 /* SSLfatal() already called */ 631 return 0; 632 } 633 OPENSSL_cleanse(hash, hashlen); 634 return finished_size; 635 } 636 637 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 638 size_t len, size_t *secret_size) 639 { 640 if (s->session->flags & SSL_SESS_FLAG_EXTMS) { 641 unsigned char hash[EVP_MAX_MD_SIZE * 2]; 642 size_t hashlen; 643 /* 644 * Digest cached records keeping record buffer (if present): this won't 645 * affect client auth because we're freezing the buffer at the same 646 * point (after client key exchange and before certificate verify) 647 */ 648 if (!ssl3_digest_cached_records(s, 1) 649 || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 650 /* SSLfatal() already called */ 651 return 0; 652 } 653 OSSL_TRACE_BEGIN(TLS) { 654 BIO_printf(trc_out, "Handshake hashes:\n"); 655 BIO_dump(trc_out, (char *)hash, hashlen); 656 } OSSL_TRACE_END(TLS); 657 if (!tls1_PRF(s, 658 TLS_MD_EXTENDED_MASTER_SECRET_CONST, 659 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, 660 hash, hashlen, 661 NULL, 0, 662 NULL, 0, 663 NULL, 0, p, len, out, 664 SSL3_MASTER_SECRET_SIZE, 1)) { 665 /* SSLfatal() already called */ 666 return 0; 667 } 668 OPENSSL_cleanse(hash, hashlen); 669 } else { 670 if (!tls1_PRF(s, 671 TLS_MD_MASTER_SECRET_CONST, 672 TLS_MD_MASTER_SECRET_CONST_SIZE, 673 s->s3.client_random, SSL3_RANDOM_SIZE, 674 NULL, 0, 675 s->s3.server_random, SSL3_RANDOM_SIZE, 676 NULL, 0, p, len, out, 677 SSL3_MASTER_SECRET_SIZE, 1)) { 678 /* SSLfatal() already called */ 679 return 0; 680 } 681 } 682 683 OSSL_TRACE_BEGIN(TLS) { 684 BIO_printf(trc_out, "Premaster Secret:\n"); 685 BIO_dump_indent(trc_out, p, len, 4); 686 BIO_printf(trc_out, "Client Random:\n"); 687 BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 688 BIO_printf(trc_out, "Server Random:\n"); 689 BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 690 BIO_printf(trc_out, "Master Secret:\n"); 691 BIO_dump_indent(trc_out, 692 s->session->master_key, 693 SSL3_MASTER_SECRET_SIZE, 4); 694 } OSSL_TRACE_END(TLS); 695 696 *secret_size = SSL3_MASTER_SECRET_SIZE; 697 return 1; 698 } 699 700 int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 701 const char *label, size_t llen, 702 const unsigned char *context, 703 size_t contextlen, int use_context) 704 { 705 unsigned char *val = NULL; 706 size_t vallen = 0, currentvalpos; 707 int rv; 708 709 /* 710 * construct PRF arguments we construct the PRF argument ourself rather 711 * than passing separate values into the TLS PRF to ensure that the 712 * concatenation of values does not create a prohibited label. 713 */ 714 vallen = llen + SSL3_RANDOM_SIZE * 2; 715 if (use_context) { 716 vallen += 2 + contextlen; 717 } 718 719 val = OPENSSL_malloc(vallen); 720 if (val == NULL) 721 goto err2; 722 currentvalpos = 0; 723 memcpy(val + currentvalpos, (unsigned char *)label, llen); 724 currentvalpos += llen; 725 memcpy(val + currentvalpos, s->s3.client_random, SSL3_RANDOM_SIZE); 726 currentvalpos += SSL3_RANDOM_SIZE; 727 memcpy(val + currentvalpos, s->s3.server_random, SSL3_RANDOM_SIZE); 728 currentvalpos += SSL3_RANDOM_SIZE; 729 730 if (use_context) { 731 val[currentvalpos] = (contextlen >> 8) & 0xff; 732 currentvalpos++; 733 val[currentvalpos] = contextlen & 0xff; 734 currentvalpos++; 735 if ((contextlen > 0) || (context != NULL)) { 736 memcpy(val + currentvalpos, context, contextlen); 737 } 738 } 739 740 /* 741 * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited 742 * label len) = 15, so size of val > max(prohibited label len) = 15 and 743 * the comparisons won't have buffer overflow 744 */ 745 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 746 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 747 goto err1; 748 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 749 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 750 goto err1; 751 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 752 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 753 goto err1; 754 if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, 755 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0) 756 goto err1; 757 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 758 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 759 goto err1; 760 761 rv = tls1_PRF(s, 762 val, vallen, 763 NULL, 0, 764 NULL, 0, 765 NULL, 0, 766 NULL, 0, 767 s->session->master_key, s->session->master_key_length, 768 out, olen, 0); 769 770 goto ret; 771 err1: 772 ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 773 rv = 0; 774 goto ret; 775 err2: 776 ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 777 rv = 0; 778 ret: 779 OPENSSL_clear_free(val, vallen); 780 return rv; 781 } 782 783 int tls1_alert_code(int code) 784 { 785 switch (code) { 786 case SSL_AD_CLOSE_NOTIFY: 787 return SSL3_AD_CLOSE_NOTIFY; 788 case SSL_AD_UNEXPECTED_MESSAGE: 789 return SSL3_AD_UNEXPECTED_MESSAGE; 790 case SSL_AD_BAD_RECORD_MAC: 791 return SSL3_AD_BAD_RECORD_MAC; 792 case SSL_AD_DECRYPTION_FAILED: 793 return TLS1_AD_DECRYPTION_FAILED; 794 case SSL_AD_RECORD_OVERFLOW: 795 return TLS1_AD_RECORD_OVERFLOW; 796 case SSL_AD_DECOMPRESSION_FAILURE: 797 return SSL3_AD_DECOMPRESSION_FAILURE; 798 case SSL_AD_HANDSHAKE_FAILURE: 799 return SSL3_AD_HANDSHAKE_FAILURE; 800 case SSL_AD_NO_CERTIFICATE: 801 return -1; 802 case SSL_AD_BAD_CERTIFICATE: 803 return SSL3_AD_BAD_CERTIFICATE; 804 case SSL_AD_UNSUPPORTED_CERTIFICATE: 805 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 806 case SSL_AD_CERTIFICATE_REVOKED: 807 return SSL3_AD_CERTIFICATE_REVOKED; 808 case SSL_AD_CERTIFICATE_EXPIRED: 809 return SSL3_AD_CERTIFICATE_EXPIRED; 810 case SSL_AD_CERTIFICATE_UNKNOWN: 811 return SSL3_AD_CERTIFICATE_UNKNOWN; 812 case SSL_AD_ILLEGAL_PARAMETER: 813 return SSL3_AD_ILLEGAL_PARAMETER; 814 case SSL_AD_UNKNOWN_CA: 815 return TLS1_AD_UNKNOWN_CA; 816 case SSL_AD_ACCESS_DENIED: 817 return TLS1_AD_ACCESS_DENIED; 818 case SSL_AD_DECODE_ERROR: 819 return TLS1_AD_DECODE_ERROR; 820 case SSL_AD_DECRYPT_ERROR: 821 return TLS1_AD_DECRYPT_ERROR; 822 case SSL_AD_EXPORT_RESTRICTION: 823 return TLS1_AD_EXPORT_RESTRICTION; 824 case SSL_AD_PROTOCOL_VERSION: 825 return TLS1_AD_PROTOCOL_VERSION; 826 case SSL_AD_INSUFFICIENT_SECURITY: 827 return TLS1_AD_INSUFFICIENT_SECURITY; 828 case SSL_AD_INTERNAL_ERROR: 829 return TLS1_AD_INTERNAL_ERROR; 830 case SSL_AD_USER_CANCELLED: 831 return TLS1_AD_USER_CANCELLED; 832 case SSL_AD_NO_RENEGOTIATION: 833 return TLS1_AD_NO_RENEGOTIATION; 834 case SSL_AD_UNSUPPORTED_EXTENSION: 835 return TLS1_AD_UNSUPPORTED_EXTENSION; 836 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 837 return TLS1_AD_CERTIFICATE_UNOBTAINABLE; 838 case SSL_AD_UNRECOGNIZED_NAME: 839 return TLS1_AD_UNRECOGNIZED_NAME; 840 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 841 return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 842 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 843 return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE; 844 case SSL_AD_UNKNOWN_PSK_IDENTITY: 845 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 846 case SSL_AD_INAPPROPRIATE_FALLBACK: 847 return TLS1_AD_INAPPROPRIATE_FALLBACK; 848 case SSL_AD_NO_APPLICATION_PROTOCOL: 849 return TLS1_AD_NO_APPLICATION_PROTOCOL; 850 case SSL_AD_CERTIFICATE_REQUIRED: 851 return SSL_AD_HANDSHAKE_FAILURE; 852 case TLS13_AD_MISSING_EXTENSION: 853 return SSL_AD_HANDSHAKE_FAILURE; 854 default: 855 return -1; 856 } 857 } 858