1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the OpenSSL license (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include "ssl_local.h" 13 #include <openssl/comp.h> 14 #include <openssl/evp.h> 15 #include <openssl/kdf.h> 16 #include <openssl/rand.h> 17 18 /* seed1 through seed5 are concatenated */ 19 static int tls1_PRF(SSL *s, 20 const void *seed1, size_t seed1_len, 21 const void *seed2, size_t seed2_len, 22 const void *seed3, size_t seed3_len, 23 const void *seed4, size_t seed4_len, 24 const void *seed5, size_t seed5_len, 25 const unsigned char *sec, size_t slen, 26 unsigned char *out, size_t olen, int fatal) 27 { 28 const EVP_MD *md = ssl_prf_md(s); 29 EVP_PKEY_CTX *pctx = NULL; 30 int ret = 0; 31 32 if (md == NULL) { 33 /* Should never happen */ 34 if (fatal) 35 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_PRF, 36 ERR_R_INTERNAL_ERROR); 37 else 38 SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); 39 return 0; 40 } 41 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); 42 if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0 43 || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0 44 || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, (int)slen) <= 0 45 || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, (int)seed1_len) <= 0 46 || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, (int)seed2_len) <= 0 47 || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, (int)seed3_len) <= 0 48 || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, (int)seed4_len) <= 0 49 || EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, (int)seed5_len) <= 0 50 || EVP_PKEY_derive(pctx, out, &olen) <= 0) { 51 if (fatal) 52 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_PRF, 53 ERR_R_INTERNAL_ERROR); 54 else 55 SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); 56 goto err; 57 } 58 59 ret = 1; 60 61 err: 62 EVP_PKEY_CTX_free(pctx); 63 return ret; 64 } 65 66 static int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) 67 { 68 int ret; 69 70 /* Calls SSLfatal() as required */ 71 ret = tls1_PRF(s, 72 TLS_MD_KEY_EXPANSION_CONST, 73 TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random, 74 SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE, 75 NULL, 0, NULL, 0, s->session->master_key, 76 s->session->master_key_length, km, num, 1); 77 78 return ret; 79 } 80 81 int tls1_change_cipher_state(SSL *s, int which) 82 { 83 unsigned char *p, *mac_secret; 84 unsigned char *ms, *key, *iv; 85 EVP_CIPHER_CTX *dd; 86 const EVP_CIPHER *c; 87 #ifndef OPENSSL_NO_COMP 88 const SSL_COMP *comp; 89 #endif 90 const EVP_MD *m; 91 int mac_type; 92 size_t *mac_secret_size; 93 EVP_MD_CTX *mac_ctx; 94 EVP_PKEY *mac_key; 95 size_t n, i, j, k, cl; 96 int reuse_dd = 0; 97 98 c = s->s3->tmp.new_sym_enc; 99 m = s->s3->tmp.new_hash; 100 mac_type = s->s3->tmp.new_mac_pkey_type; 101 #ifndef OPENSSL_NO_COMP 102 comp = s->s3->tmp.new_compression; 103 #endif 104 105 if (which & SSL3_CC_READ) { 106 if (s->ext.use_etm) 107 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 108 else 109 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 110 111 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 112 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 113 else 114 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 115 116 if (s->enc_read_ctx != NULL) { 117 reuse_dd = 1; 118 } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { 119 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 120 ERR_R_MALLOC_FAILURE); 121 goto err; 122 } else { 123 /* 124 * make sure it's initialised in case we exit later with an error 125 */ 126 EVP_CIPHER_CTX_reset(s->enc_read_ctx); 127 } 128 dd = s->enc_read_ctx; 129 mac_ctx = ssl_replace_hash(&s->read_hash, NULL); 130 if (mac_ctx == NULL) 131 goto err; 132 #ifndef OPENSSL_NO_COMP 133 COMP_CTX_free(s->expand); 134 s->expand = NULL; 135 if (comp != NULL) { 136 s->expand = COMP_CTX_new(comp->method); 137 if (s->expand == NULL) { 138 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 139 SSL_F_TLS1_CHANGE_CIPHER_STATE, 140 SSL_R_COMPRESSION_LIBRARY_ERROR); 141 goto err; 142 } 143 } 144 #endif 145 /* 146 * this is done by dtls1_reset_seq_numbers for DTLS 147 */ 148 if (!SSL_IS_DTLS(s)) 149 RECORD_LAYER_reset_read_sequence(&s->rlayer); 150 mac_secret = &(s->s3->read_mac_secret[0]); 151 mac_secret_size = &(s->s3->read_mac_secret_size); 152 } else { 153 s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 154 if (s->ext.use_etm) 155 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 156 else 157 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 158 159 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 160 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 161 else 162 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 163 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) { 164 reuse_dd = 1; 165 } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { 166 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 167 ERR_R_MALLOC_FAILURE); 168 goto err; 169 } 170 dd = s->enc_write_ctx; 171 if (SSL_IS_DTLS(s)) { 172 mac_ctx = EVP_MD_CTX_new(); 173 if (mac_ctx == NULL) { 174 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 175 SSL_F_TLS1_CHANGE_CIPHER_STATE, 176 ERR_R_MALLOC_FAILURE); 177 goto err; 178 } 179 s->write_hash = mac_ctx; 180 } else { 181 mac_ctx = ssl_replace_hash(&s->write_hash, NULL); 182 if (mac_ctx == NULL) { 183 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 184 SSL_F_TLS1_CHANGE_CIPHER_STATE, 185 ERR_R_MALLOC_FAILURE); 186 goto err; 187 } 188 } 189 #ifndef OPENSSL_NO_COMP 190 COMP_CTX_free(s->compress); 191 s->compress = NULL; 192 if (comp != NULL) { 193 s->compress = COMP_CTX_new(comp->method); 194 if (s->compress == NULL) { 195 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 196 SSL_F_TLS1_CHANGE_CIPHER_STATE, 197 SSL_R_COMPRESSION_LIBRARY_ERROR); 198 goto err; 199 } 200 } 201 #endif 202 /* 203 * this is done by dtls1_reset_seq_numbers for DTLS 204 */ 205 if (!SSL_IS_DTLS(s)) 206 RECORD_LAYER_reset_write_sequence(&s->rlayer); 207 mac_secret = &(s->s3->write_mac_secret[0]); 208 mac_secret_size = &(s->s3->write_mac_secret_size); 209 } 210 211 if (reuse_dd) 212 EVP_CIPHER_CTX_reset(dd); 213 214 p = s->s3->tmp.key_block; 215 i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; 216 217 /* TODO(size_t): convert me */ 218 cl = EVP_CIPHER_key_length(c); 219 j = cl; 220 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 221 /* If GCM/CCM mode only part of IV comes from PRF */ 222 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 223 k = EVP_GCM_TLS_FIXED_IV_LEN; 224 else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) 225 k = EVP_CCM_TLS_FIXED_IV_LEN; 226 else 227 k = EVP_CIPHER_iv_length(c); 228 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 229 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 230 ms = &(p[0]); 231 n = i + i; 232 key = &(p[n]); 233 n += j + j; 234 iv = &(p[n]); 235 n += k + k; 236 } else { 237 n = i; 238 ms = &(p[n]); 239 n += i + j; 240 key = &(p[n]); 241 n += j + k; 242 iv = &(p[n]); 243 n += k; 244 } 245 246 if (n > s->s3->tmp.key_block_length) { 247 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 248 ERR_R_INTERNAL_ERROR); 249 goto err; 250 } 251 252 memcpy(mac_secret, ms, i); 253 254 if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { 255 /* TODO(size_t): Convert this function */ 256 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, 257 (int)*mac_secret_size); 258 if (mac_key == NULL 259 || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) { 260 EVP_PKEY_free(mac_key); 261 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 262 ERR_R_INTERNAL_ERROR); 263 goto err; 264 } 265 EVP_PKEY_free(mac_key); 266 } 267 #ifdef SSL_DEBUG 268 printf("which = %04X\nmac key=", which); 269 { 270 size_t z; 271 for (z = 0; z < i; z++) 272 printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n'); 273 } 274 #endif 275 276 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { 277 if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) 278 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, 279 iv)) { 280 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 281 ERR_R_INTERNAL_ERROR); 282 goto err; 283 } 284 } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) { 285 int taglen; 286 if (s->s3->tmp. 287 new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 288 taglen = EVP_CCM8_TLS_TAG_LEN; 289 else 290 taglen = EVP_CCM_TLS_TAG_LEN; 291 if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) 292 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) 293 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) 294 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv) 295 || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { 296 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 297 ERR_R_INTERNAL_ERROR); 298 goto err; 299 } 300 } else { 301 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { 302 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 303 ERR_R_INTERNAL_ERROR); 304 goto err; 305 } 306 } 307 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 308 if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size 309 && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, 310 (int)*mac_secret_size, mac_secret)) { 311 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_CHANGE_CIPHER_STATE, 312 ERR_R_INTERNAL_ERROR); 313 goto err; 314 } 315 s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 316 317 #ifdef SSL_DEBUG 318 printf("which = %04X\nkey=", which); 319 { 320 int z; 321 for (z = 0; z < EVP_CIPHER_key_length(c); z++) 322 printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n'); 323 } 324 printf("\niv="); 325 { 326 size_t z; 327 for (z = 0; z < k; z++) 328 printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n'); 329 } 330 printf("\n"); 331 #endif 332 333 return 1; 334 err: 335 return 0; 336 } 337 338 int tls1_setup_key_block(SSL *s) 339 { 340 unsigned char *p; 341 const EVP_CIPHER *c; 342 const EVP_MD *hash; 343 SSL_COMP *comp; 344 int mac_type = NID_undef; 345 size_t num, mac_secret_size = 0; 346 int ret = 0; 347 348 if (s->s3->tmp.key_block_length != 0) 349 return 1; 350 351 if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, 352 &comp, s->ext.use_etm)) { 353 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK, 354 SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 355 return 0; 356 } 357 358 s->s3->tmp.new_sym_enc = c; 359 s->s3->tmp.new_hash = hash; 360 s->s3->tmp.new_mac_pkey_type = mac_type; 361 s->s3->tmp.new_mac_secret_size = mac_secret_size; 362 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); 363 num *= 2; 364 365 ssl3_cleanup_key_block(s); 366 367 if ((p = OPENSSL_malloc(num)) == NULL) { 368 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK, 369 ERR_R_MALLOC_FAILURE); 370 goto err; 371 } 372 373 s->s3->tmp.key_block_length = num; 374 s->s3->tmp.key_block = p; 375 376 #ifdef SSL_DEBUG 377 printf("client random\n"); 378 { 379 int z; 380 for (z = 0; z < SSL3_RANDOM_SIZE; z++) 381 printf("%02X%c", s->s3->client_random[z], 382 ((z + 1) % 16) ? ' ' : '\n'); 383 } 384 printf("server random\n"); 385 { 386 int z; 387 for (z = 0; z < SSL3_RANDOM_SIZE; z++) 388 printf("%02X%c", s->s3->server_random[z], 389 ((z + 1) % 16) ? ' ' : '\n'); 390 } 391 printf("master key\n"); 392 { 393 size_t z; 394 for (z = 0; z < s->session->master_key_length; z++) 395 printf("%02X%c", s->session->master_key[z], 396 ((z + 1) % 16) ? ' ' : '\n'); 397 } 398 #endif 399 if (!tls1_generate_key_block(s, p, num)) { 400 /* SSLfatal() already called */ 401 goto err; 402 } 403 #ifdef SSL_DEBUG 404 printf("\nkey block\n"); 405 { 406 size_t z; 407 for (z = 0; z < num; z++) 408 printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n'); 409 } 410 #endif 411 412 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 413 && s->method->version <= TLS1_VERSION) { 414 /* 415 * enable vulnerability countermeasure for CBC ciphers with known-IV 416 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 417 */ 418 s->s3->need_empty_fragments = 1; 419 420 if (s->session->cipher != NULL) { 421 if (s->session->cipher->algorithm_enc == SSL_eNULL) 422 s->s3->need_empty_fragments = 0; 423 424 #ifndef OPENSSL_NO_RC4 425 if (s->session->cipher->algorithm_enc == SSL_RC4) 426 s->s3->need_empty_fragments = 0; 427 #endif 428 } 429 } 430 431 ret = 1; 432 err: 433 return ret; 434 } 435 436 size_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen, 437 unsigned char *out) 438 { 439 size_t hashlen; 440 unsigned char hash[EVP_MAX_MD_SIZE]; 441 442 if (!ssl3_digest_cached_records(s, 0)) { 443 /* SSLfatal() already called */ 444 return 0; 445 } 446 447 if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 448 /* SSLfatal() already called */ 449 return 0; 450 } 451 452 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, 453 s->session->master_key, s->session->master_key_length, 454 out, TLS1_FINISH_MAC_LENGTH, 1)) { 455 /* SSLfatal() already called */ 456 return 0; 457 } 458 OPENSSL_cleanse(hash, hashlen); 459 return TLS1_FINISH_MAC_LENGTH; 460 } 461 462 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 463 size_t len, size_t *secret_size) 464 { 465 if (s->session->flags & SSL_SESS_FLAG_EXTMS) { 466 unsigned char hash[EVP_MAX_MD_SIZE * 2]; 467 size_t hashlen; 468 /* 469 * Digest cached records keeping record buffer (if present): this won't 470 * affect client auth because we're freezing the buffer at the same 471 * point (after client key exchange and before certificate verify) 472 */ 473 if (!ssl3_digest_cached_records(s, 1) 474 || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 475 /* SSLfatal() already called */ 476 return 0; 477 } 478 #ifdef SSL_DEBUG 479 fprintf(stderr, "Handshake hashes:\n"); 480 BIO_dump_fp(stderr, (char *)hash, hashlen); 481 #endif 482 if (!tls1_PRF(s, 483 TLS_MD_EXTENDED_MASTER_SECRET_CONST, 484 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, 485 hash, hashlen, 486 NULL, 0, 487 NULL, 0, 488 NULL, 0, p, len, out, 489 SSL3_MASTER_SECRET_SIZE, 1)) { 490 /* SSLfatal() already called */ 491 return 0; 492 } 493 OPENSSL_cleanse(hash, hashlen); 494 } else { 495 if (!tls1_PRF(s, 496 TLS_MD_MASTER_SECRET_CONST, 497 TLS_MD_MASTER_SECRET_CONST_SIZE, 498 s->s3->client_random, SSL3_RANDOM_SIZE, 499 NULL, 0, 500 s->s3->server_random, SSL3_RANDOM_SIZE, 501 NULL, 0, p, len, out, 502 SSL3_MASTER_SECRET_SIZE, 1)) { 503 /* SSLfatal() already called */ 504 return 0; 505 } 506 } 507 #ifdef SSL_DEBUG 508 fprintf(stderr, "Premaster Secret:\n"); 509 BIO_dump_fp(stderr, (char *)p, len); 510 fprintf(stderr, "Client Random:\n"); 511 BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE); 512 fprintf(stderr, "Server Random:\n"); 513 BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE); 514 fprintf(stderr, "Master Secret:\n"); 515 BIO_dump_fp(stderr, (char *)s->session->master_key, 516 SSL3_MASTER_SECRET_SIZE); 517 #endif 518 519 *secret_size = SSL3_MASTER_SECRET_SIZE; 520 return 1; 521 } 522 523 int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 524 const char *label, size_t llen, 525 const unsigned char *context, 526 size_t contextlen, int use_context) 527 { 528 unsigned char *val = NULL; 529 size_t vallen = 0, currentvalpos; 530 int rv; 531 532 /* 533 * construct PRF arguments we construct the PRF argument ourself rather 534 * than passing separate values into the TLS PRF to ensure that the 535 * concatenation of values does not create a prohibited label. 536 */ 537 vallen = llen + SSL3_RANDOM_SIZE * 2; 538 if (use_context) { 539 vallen += 2 + contextlen; 540 } 541 542 val = OPENSSL_malloc(vallen); 543 if (val == NULL) 544 goto err2; 545 currentvalpos = 0; 546 memcpy(val + currentvalpos, (unsigned char *)label, llen); 547 currentvalpos += llen; 548 memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); 549 currentvalpos += SSL3_RANDOM_SIZE; 550 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); 551 currentvalpos += SSL3_RANDOM_SIZE; 552 553 if (use_context) { 554 val[currentvalpos] = (contextlen >> 8) & 0xff; 555 currentvalpos++; 556 val[currentvalpos] = contextlen & 0xff; 557 currentvalpos++; 558 if ((contextlen > 0) || (context != NULL)) { 559 memcpy(val + currentvalpos, context, contextlen); 560 } 561 } 562 563 /* 564 * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited 565 * label len) = 15, so size of val > max(prohibited label len) = 15 and 566 * the comparisons won't have buffer overflow 567 */ 568 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 569 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 570 goto err1; 571 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 572 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 573 goto err1; 574 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 575 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 576 goto err1; 577 if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, 578 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0) 579 goto err1; 580 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 581 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 582 goto err1; 583 584 rv = tls1_PRF(s, 585 val, vallen, 586 NULL, 0, 587 NULL, 0, 588 NULL, 0, 589 NULL, 0, 590 s->session->master_key, s->session->master_key_length, 591 out, olen, 0); 592 593 goto ret; 594 err1: 595 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 596 rv = 0; 597 goto ret; 598 err2: 599 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); 600 rv = 0; 601 ret: 602 OPENSSL_clear_free(val, vallen); 603 return rv; 604 } 605 606 int tls1_alert_code(int code) 607 { 608 switch (code) { 609 case SSL_AD_CLOSE_NOTIFY: 610 return SSL3_AD_CLOSE_NOTIFY; 611 case SSL_AD_UNEXPECTED_MESSAGE: 612 return SSL3_AD_UNEXPECTED_MESSAGE; 613 case SSL_AD_BAD_RECORD_MAC: 614 return SSL3_AD_BAD_RECORD_MAC; 615 case SSL_AD_DECRYPTION_FAILED: 616 return TLS1_AD_DECRYPTION_FAILED; 617 case SSL_AD_RECORD_OVERFLOW: 618 return TLS1_AD_RECORD_OVERFLOW; 619 case SSL_AD_DECOMPRESSION_FAILURE: 620 return SSL3_AD_DECOMPRESSION_FAILURE; 621 case SSL_AD_HANDSHAKE_FAILURE: 622 return SSL3_AD_HANDSHAKE_FAILURE; 623 case SSL_AD_NO_CERTIFICATE: 624 return -1; 625 case SSL_AD_BAD_CERTIFICATE: 626 return SSL3_AD_BAD_CERTIFICATE; 627 case SSL_AD_UNSUPPORTED_CERTIFICATE: 628 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 629 case SSL_AD_CERTIFICATE_REVOKED: 630 return SSL3_AD_CERTIFICATE_REVOKED; 631 case SSL_AD_CERTIFICATE_EXPIRED: 632 return SSL3_AD_CERTIFICATE_EXPIRED; 633 case SSL_AD_CERTIFICATE_UNKNOWN: 634 return SSL3_AD_CERTIFICATE_UNKNOWN; 635 case SSL_AD_ILLEGAL_PARAMETER: 636 return SSL3_AD_ILLEGAL_PARAMETER; 637 case SSL_AD_UNKNOWN_CA: 638 return TLS1_AD_UNKNOWN_CA; 639 case SSL_AD_ACCESS_DENIED: 640 return TLS1_AD_ACCESS_DENIED; 641 case SSL_AD_DECODE_ERROR: 642 return TLS1_AD_DECODE_ERROR; 643 case SSL_AD_DECRYPT_ERROR: 644 return TLS1_AD_DECRYPT_ERROR; 645 case SSL_AD_EXPORT_RESTRICTION: 646 return TLS1_AD_EXPORT_RESTRICTION; 647 case SSL_AD_PROTOCOL_VERSION: 648 return TLS1_AD_PROTOCOL_VERSION; 649 case SSL_AD_INSUFFICIENT_SECURITY: 650 return TLS1_AD_INSUFFICIENT_SECURITY; 651 case SSL_AD_INTERNAL_ERROR: 652 return TLS1_AD_INTERNAL_ERROR; 653 case SSL_AD_USER_CANCELLED: 654 return TLS1_AD_USER_CANCELLED; 655 case SSL_AD_NO_RENEGOTIATION: 656 return TLS1_AD_NO_RENEGOTIATION; 657 case SSL_AD_UNSUPPORTED_EXTENSION: 658 return TLS1_AD_UNSUPPORTED_EXTENSION; 659 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 660 return TLS1_AD_CERTIFICATE_UNOBTAINABLE; 661 case SSL_AD_UNRECOGNIZED_NAME: 662 return TLS1_AD_UNRECOGNIZED_NAME; 663 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 664 return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 665 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 666 return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE; 667 case SSL_AD_UNKNOWN_PSK_IDENTITY: 668 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 669 case SSL_AD_INAPPROPRIATE_FALLBACK: 670 return TLS1_AD_INAPPROPRIATE_FALLBACK; 671 case SSL_AD_NO_APPLICATION_PROTOCOL: 672 return TLS1_AD_NO_APPLICATION_PROTOCOL; 673 case SSL_AD_CERTIFICATE_REQUIRED: 674 return SSL_AD_HANDSHAKE_FAILURE; 675 default: 676 return -1; 677 } 678 } 679