xref: /illumos-gate/usr/src/lib/pkcs11/pkcs11_softtoken/common/softSSL.c (revision 826ac02a0def83e0a41b29321470d299c7389aab)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <fcntl.h>
27 #include <strings.h>
28 #include <sys/stat.h>
29 #include <sys/types.h>
30 #include <sys/sha1.h>
31 #include <sys/md5.h>
32 #include <sys/sysmacros.h>
33 #include <security/cryptoki.h>
34 #include "softGlobal.h"
35 #include "softKeys.h"
36 #include "softKeystore.h"
37 #include "softMAC.h"
38 #include "softObject.h"
39 #include "softSession.h"
40 #include "softSSL.h"
41 
42 /*
43  * This files contains the implementation of the following PKCS#11
44  * mechanisms needed by SSL:
45  * CKM_SSL3_MASTER_KEY_DERIVE
46  * CKM_SSL3_MASTER_KEY_DERIVE_DH
47  * CKM_SSL3_KEY_AND_DERIVE
48  * CKM_TLS_MASTER_KEY_DERIVE
49  * CKM_TLS_MASTER_KEY_DERIVE_DH
50  * CKM_TLS_KEY_AND_DERIVE
51  *
52  * SSL refers to common functions between SSL v3.0 and SSL v3.1 (a.k.a TLS.)
53  */
54 
55 #define	MAX_KEYBLOCK	160	/* should be plenty for all known cipherspecs */
56 
57 #define	MAX_DEFAULT_ATTRS	10	/* Enough for major applicarions */
58 
59 static	char *ssl3_const_vals[] = {
60 	"A",
61 	"BB",
62 	"CCC",
63 	"DDDD",
64 	"EEEEE",
65 	"FFFFFF",
66 	"GGGGGGG",
67 	"HHHHHHHH",
68 	"IIIIIIIII",
69 	"JJJJJJJJJJ",
70 };
71 static	uint_t ssl3_const_lens[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
72 
73 static uchar_t TLS_MASTER_SECRET_LABEL[] = {"master secret"};
74 #define	TLS_MASTER_SECRET_LABEL_LEN	13
75 
76 static uchar_t TLS_KEY_EXPANSION_LABEL[] = {"key expansion"};
77 #define	TLS_KEY_EXPANSION_LABEL_LEN	13
78 
79 static uchar_t TLS_CLIENT_KEY_LABEL[] = {"client write key"};
80 #define	TLS_CLIENT_KEY_LABEL_LEN	16
81 
82 static uchar_t TLS_SERVER_KEY_LABEL[] = {"server write key"};
83 #define	TLS_SERVER_KEY_LABEL_LEN	16
84 
85 static uchar_t TLS_IV_BLOCK_LABEL[] = {"IV block"};
86 #define	TLS_IV_BLOCK_LABEL_LEN	8
87 
88 static void P_MD5(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
89     uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
90 static void P_SHA1(uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, uint_t,
91     uchar_t *, uint_t, uchar_t *, uint_t, boolean_t);
92 
93 static CK_RV soft_add_derived_key(CK_ATTRIBUTE_PTR, CK_ULONG,
94     CK_OBJECT_HANDLE_PTR, soft_session_t *, soft_object_t *);
95 static void soft_delete_derived_key(soft_session_t *, soft_object_t *);
96 static void soft_ssl_weaken_key(CK_MECHANISM_PTR, uchar_t *, uint_t,
97     uchar_t *, uint_t, uchar_t *, uint_t, uchar_t *, boolean_t);
98 
99 /*
100  * soft_ssl3_churn()
101  * Called for derivation of the master secret from the pre-master secret,
102  * and for the derivation of the key_block in an SSL3 handshake
103  * result is assumed to be larger than rounds * MD5_HASH_SIZE.
104  */
105 static void
106 soft_ssl3_churn(uchar_t *secret, uint_t secretlen, uchar_t *rand1,
107     uint_t rand1len, uchar_t *rand2, uint_t rand2len, int rounds,
108     uchar_t *result)
109 {
110 	SHA1_CTX sha1_ctx;
111 	MD5_CTX	md5_ctx;
112 	uchar_t sha1_digest[SHA1_HASH_SIZE];
113 	int i;
114 	uchar_t *ms = result;
115 	for (i = 0; i < rounds; i++) {
116 		SHA1Init(&sha1_ctx);
117 		SHA1Update(&sha1_ctx, (const uint8_t *)ssl3_const_vals[i],
118 		    ssl3_const_lens[i]);
119 		SHA1Update(&sha1_ctx, secret, secretlen);
120 		SHA1Update(&sha1_ctx, rand1, rand1len);
121 		SHA1Update(&sha1_ctx, rand2, rand2len);
122 		SHA1Final(sha1_digest, &sha1_ctx);
123 
124 		MD5Init(&md5_ctx);
125 		MD5Update(&md5_ctx, secret, secretlen);
126 		MD5Update(&md5_ctx, sha1_digest, SHA1_HASH_SIZE);
127 		MD5Final(ms, &md5_ctx);
128 		ms += MD5_HASH_SIZE;
129 	}
130 }
131 
132 /*
133  * This TLS generic Pseudo Random Function expands a triplet
134  * {secret, label, seed} into any arbitrary length string of pseudo
135  * random bytes.
136  * Here, it is called for the derivation of the master secret from the
137  * pre-master secret, and for the derivation of the key_block in a TLS
138  * handshake
139  */
140 static void
141 soft_tls_prf(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
142     uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
143     uchar_t *result, uint_t resultlen)
144 {
145 	uchar_t *S1, *S2;
146 	uchar_t md5_digested_key[MD5_HASH_SIZE];
147 	uchar_t sha1_digested_key[SHA1_HASH_SIZE];
148 	uint_t L_S, L_S1, L_S2;
149 
150 	/* secret is NULL for IV's in exportable ciphersuites */
151 	if (secret == NULL) {
152 		L_S = 0;
153 		L_S2 = L_S1 = 0;
154 		S1 = NULL;
155 		S2 = NULL;
156 		goto do_P_HASH;
157 	}
158 
159 	L_S = roundup(secretlen, 2) / 2;
160 	L_S1 = L_S;
161 	L_S2 = L_S;
162 	S1 = secret;
163 	S2 = secret + (secretlen / 2);	/* Possible overlap of S1 and S2. */
164 
165 	/* Reduce the half secrets if bigger than the HASH's block size */
166 	if (L_S > MD5_HMAC_BLOCK_SIZE) {
167 		MD5_CTX	md5_ctx;
168 		SHA1_CTX sha1_ctx;
169 
170 		MD5Init(&md5_ctx);
171 		MD5Update(&md5_ctx, S1, L_S);
172 		MD5Final(md5_digested_key, &md5_ctx);
173 		S1 = md5_digested_key;
174 		L_S1 = MD5_HASH_SIZE;
175 
176 		SHA1Init(&sha1_ctx);
177 		SHA1Update(&sha1_ctx, S2, L_S);
178 		SHA1Final(sha1_digested_key, &sha1_ctx);
179 		S2 = sha1_digested_key;
180 		L_S2 = SHA1_HASH_SIZE;
181 	}
182 
183 	/*
184 	 * PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
185 	 *				P_SHA-1(S2, label + seed);
186 	 * the 'seed' here is rand1 + rand2
187 	 */
188 do_P_HASH:
189 	/* The first one writes directly to the result */
190 	P_MD5(S1, L_S1, label, labellen, rand1, rand1len, rand2, rand2len,
191 	    result, resultlen, B_FALSE);
192 
193 	/* The second one XOR's with the result. */
194 	P_SHA1(S2, L_S2, label, labellen, rand1, rand1len, rand2, rand2len,
195 	    result, resultlen, B_TRUE);
196 }
197 
198 /*
199  * These two expansion routines are very similar. (they can merge one day).
200  * They implement the P_HASH() function for MD5 and for SHA1, as defined in
201  * RFC2246:
202  *
203  *	P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
204  *				HMAC_hash(secret, A(2) + seed) +
205  *				HMAC_hash(secret, A(3) + seed) + ...
206  * Where + indicates concatenation.
207  * A() is defined as:
208  *	A(0) = seed
209  *	A(i) = HMAC_hash(secret, A(i-1))
210  *
211  * The seed is the concatenation of 'babel', 'rand1', and 'rand2'.
212  */
213 static void
214 P_MD5(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
215     uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
216     uchar_t *result, uint_t resultlen, boolean_t xor_it)
217 {
218 	uint32_t md5_ipad[MD5_HMAC_INTS_PER_BLOCK];
219 	uint32_t md5_opad[MD5_HMAC_INTS_PER_BLOCK];
220 	uchar_t	md5_hmac[MD5_HASH_SIZE];
221 	uchar_t	A[MD5_HASH_SIZE];
222 	md5_hc_ctx_t md5_hmac_ctx;
223 	uchar_t *res, *cur;
224 	uint_t left = resultlen;
225 	int i;
226 
227 	/* good compilers will leverage the aligment */
228 	bzero(md5_ipad, MD5_HMAC_BLOCK_SIZE);
229 	bzero(md5_opad, MD5_HMAC_BLOCK_SIZE);
230 
231 	if (secretlen > 0) {
232 		bcopy(secret, md5_ipad, secretlen);
233 		bcopy(secret, md5_opad, secretlen);
234 	}
235 
236 	/* A(1) = HMAC_MD5(secret, rand1 + rand2) */
237 	md5_hmac_ctx_init(&md5_hmac_ctx, md5_ipad, md5_opad);
238 	SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
239 	SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
240 	SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
241 	SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
242 
243 	if (xor_it) {
244 		res = md5_hmac;
245 		cur = result;
246 	} else {
247 		res = result;
248 	}
249 
250 	while (left > 0) {
251 		/*
252 		 * Compute HMAC_MD5(secret, A(i) + seed);
253 		 * The secret is already expanded in the ictx and octx, so
254 		 * we can call the SOFT_MAC_INIT_CTX() directly.
255 		 */
256 		SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
257 		    MD5_HMAC_BLOCK_SIZE);
258 		SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
259 		SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, label, labellen);
260 		SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand1, rand1len);
261 		SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, rand2, rand2len);
262 
263 		if (left > MD5_HASH_SIZE) {
264 			SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, res);
265 			if (xor_it) {
266 				for (i = 0; i < MD5_HASH_SIZE; i++) {
267 					*cur ^= res[i];
268 					cur++;
269 				}
270 			} else {
271 				res += MD5_HASH_SIZE;
272 			}
273 			left -= MD5_HASH_SIZE;
274 		} else {
275 			SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, md5_hmac);
276 			if (xor_it) {
277 				for (i = 0; i < left; i++) {
278 					*cur ^= md5_hmac[i];
279 					cur++;
280 				}
281 			} else {
282 				bcopy(md5_hmac, res, left);
283 			}
284 			break;
285 		}
286 		/* A(i) = HMAC_MD5(secret, A(i-1) */
287 		SOFT_MAC_INIT_CTX(MD5, &md5_hmac_ctx, md5_ipad, md5_opad,
288 		    MD5_HMAC_BLOCK_SIZE);
289 		SOFT_MAC_UPDATE(MD5, &md5_hmac_ctx, A, MD5_HASH_SIZE);
290 		SOFT_MAC_FINAL(MD5, &md5_hmac_ctx, A);
291 	}
292 }
293 static void
294 P_SHA1(uchar_t *secret, uint_t secretlen, uchar_t *label, uint_t labellen,
295     uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
296     uchar_t *result, uint_t resultlen, boolean_t xor_it)
297 {
298 	uint32_t sha1_ipad[SHA1_HMAC_INTS_PER_BLOCK];
299 	uint32_t sha1_opad[SHA1_HMAC_INTS_PER_BLOCK];
300 	uchar_t	sha1_hmac[SHA1_HASH_SIZE];
301 	uchar_t	A[SHA1_HASH_SIZE];
302 	sha1_hc_ctx_t sha1_hmac_ctx;
303 	uchar_t *res, *cur;
304 	uint_t left = resultlen;
305 	int i;
306 
307 	/* good compilers will leverage the aligment */
308 	bzero(sha1_ipad, SHA1_HMAC_BLOCK_SIZE);
309 	bzero(sha1_opad, SHA1_HMAC_BLOCK_SIZE);
310 
311 	if (secretlen > 0) {
312 		bcopy(secret, sha1_ipad, secretlen);
313 		bcopy(secret, sha1_opad, secretlen);
314 	}
315 
316 	/* A(1) = HMAC_SHA1(secret, rand1 + rand2) */
317 	sha1_hmac_ctx_init(&sha1_hmac_ctx, sha1_ipad, sha1_opad);
318 	SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
319 	SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
320 	SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
321 	SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
322 
323 	if (xor_it) {
324 		res = sha1_hmac;
325 		cur = result;
326 	} else {
327 		res = result;
328 	}
329 
330 	while (left > 0) {
331 		/*
332 		 * Compute HMAC_SHA1(secret, A(i) + seed);
333 		 * The secret is already expanded in the ictx and octx, so
334 		 * we can call the SOFT_MAC_INIT_CTX() directly.
335 		 */
336 		SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
337 		    (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
338 		    SHA1_HMAC_BLOCK_SIZE);
339 		SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
340 		SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, label, labellen);
341 		SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand1, rand1len);
342 		SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, rand2, rand2len);
343 
344 		if (left > SHA1_HASH_SIZE) {
345 			SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, res);
346 			if (xor_it) {
347 				for (i = 0; i < SHA1_HASH_SIZE; i++) {
348 					*cur ^= res[i];
349 					cur++;
350 				}
351 			} else {
352 				res += SHA1_HASH_SIZE;
353 			}
354 			left -= SHA1_HASH_SIZE;
355 		} else {
356 			SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, sha1_hmac);
357 			if (xor_it) {
358 				for (i = 0; i < left; i++) {
359 					*cur ^= sha1_hmac[i];
360 					cur++;
361 				}
362 			} else {
363 				bcopy(sha1_hmac, res, left);
364 			}
365 			break;
366 		}
367 		/* A(i) = HMAC_SHA1(secret, A(i-1) */
368 		SOFT_MAC_INIT_CTX(SHA1, &sha1_hmac_ctx,
369 		    (const uchar_t *)sha1_ipad, (const uchar_t *)sha1_opad,
370 		    SHA1_HMAC_BLOCK_SIZE);
371 		SOFT_MAC_UPDATE(SHA1, &sha1_hmac_ctx, A, SHA1_HASH_SIZE);
372 		SOFT_MAC_FINAL(SHA1, &sha1_hmac_ctx, A);
373 	}
374 }
375 
376 /* This function handles the call from C_DeriveKey for CKM_TLS_PRF */
377 CK_RV
378 derive_tls_prf(CK_TLS_PRF_PARAMS_PTR param, soft_object_t *basekey_p)
379 {
380 
381 	if (param->pOutput == NULL || param->pulOutputLen == 0)
382 		return (CKR_BUFFER_TOO_SMALL);
383 
384 	(void) soft_tls_prf(OBJ_SEC_VALUE(basekey_p),
385 	    OBJ_SEC_VALUE_LEN(basekey_p), param->pLabel, param->ulLabelLen,
386 	    param->pSeed, param->ulSeedLen, NULL, 0, param->pOutput,
387 	    *param->pulOutputLen);
388 
389 	return (CKR_OK);
390 }
391 
392 
393 /*
394  * soft_ssl_master_key_derive()
395  *
396  * Arguments:
397  * . session_p
398  * . mech_p:	key derivation mechanism. the mechanism parameter carries the
399  *		client and master random from the Hello handshake messages.
400  * . basekey_p: The pre-master secret key.
401  * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
402  *		created.
403  * . phKey:	store for handle to the derived key.
404  *
405  * Description:
406  *	Derive the SSL master secret from the pre-master secret, the client
407  *	and server random.
408  *	In SSL 3.0, master_secret =
409  *	    MD5(pre_master_secret + SHA('A' + pre_master_secret +
410  *	        ClientHello.random + ServerHello.random)) +
411  *	    MD5(pre_master_secret + SHA('BB' + pre_master_secret +
412  *	        ClientHello.random + ServerHello.random)) +
413  *	    MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
414  *	        ClientHello.random + ServerHello.random));
415  *
416  *	In TLS 1.0 (a.k.a. SSL 3.1), master_secret =
417  *	    PRF(pre_master_secret, "master secret",
418  *		ClientHello.random + ServerHello.random)
419  */
420 CK_RV
421 soft_ssl_master_key_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
422     soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
423     CK_ULONG ulAttributeCount, CK_OBJECT_HANDLE_PTR phKey)
424 {
425 	uchar_t	*pmsecret = OBJ_SEC_VALUE(basekey_p);
426 #ifdef	__sparcv9
427 	/* LINTED */
428 	uint_t pmlen = (uint_t)OBJ_SEC_VALUE_LEN(basekey_p);
429 #else	/* __sparcv9 */
430 	uint_t pmlen = OBJ_SEC_VALUE_LEN(basekey_p);
431 #endif	/* __sparcv9 */
432 	CK_SSL3_MASTER_KEY_DERIVE_PARAMS *mkd_params;
433 	CK_SSL3_RANDOM_DATA *random_data;
434 	CK_VERSION_PTR	pVersion;
435 	uchar_t	ssl_master_secret[48];
436 	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
437 	CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
438 	CK_BBOOL true = TRUE;
439 	CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
440 	CK_ATTRIBUTE_PTR new_tmpl;
441 	CK_ULONG newattrcount;
442 	boolean_t new_tmpl_allocated = B_FALSE, is_tls = B_FALSE;
443 	ulong_t i;
444 	CK_RV rv = CKR_OK;
445 	uint_t ClientRandomLen, ServerRandomLen;
446 
447 	/* Check the validity of the mechanism's parameter */
448 
449 	mkd_params = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS *)mech->pParameter;
450 
451 	if (mkd_params == NULL ||
452 	    mech->ulParameterLen != sizeof (CK_SSL3_MASTER_KEY_DERIVE_PARAMS))
453 		return (CKR_MECHANISM_PARAM_INVALID);
454 
455 	pVersion = mkd_params->pVersion;
456 
457 	switch (mech->mechanism) {
458 	case CKM_TLS_MASTER_KEY_DERIVE:
459 		is_tls = B_TRUE;
460 	/* FALLTHRU */
461 	case CKM_SSL3_MASTER_KEY_DERIVE:
462 		/* Invalid pre-master key length. What else to return? */
463 		if (pmlen != 48)
464 			return (CKR_ARGUMENTS_BAD);
465 
466 		/* Get the SSL version number from the premaster secret */
467 		if (pVersion == NULL_PTR)
468 			return (CKR_MECHANISM_PARAM_INVALID);
469 
470 		bcopy(pmsecret, pVersion, sizeof (CK_VERSION));
471 
472 		break;
473 	case CKM_TLS_MASTER_KEY_DERIVE_DH:
474 		is_tls = B_TRUE;
475 	/* FALLTHRU */
476 	case CKM_SSL3_MASTER_KEY_DERIVE_DH:
477 		if (pVersion != NULL_PTR)
478 			return (CKR_MECHANISM_PARAM_INVALID);
479 	}
480 
481 	random_data = &mkd_params->RandomInfo;
482 #ifdef	__sparcv9
483 	/* LINTED */
484 	ClientRandomLen = (uint_t)random_data->ulClientRandomLen;
485 	/* LINTED */
486 	ServerRandomLen = (uint_t)random_data->ulServerRandomLen;
487 #else	/* __sparcv9 */
488 	ClientRandomLen = random_data->ulClientRandomLen;
489 	ServerRandomLen = random_data->ulServerRandomLen;
490 #endif	/* __sparcv9 */
491 
492 	if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
493 	    random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
494 		return (CKR_MECHANISM_PARAM_INVALID);
495 	}
496 
497 	/* Now the actual secret derivation */
498 	if (!is_tls) {
499 		soft_ssl3_churn(pmsecret, pmlen, random_data->pClientRandom,
500 		    ClientRandomLen, random_data->pServerRandom,
501 		    ServerRandomLen, 3, ssl_master_secret);
502 	} else {
503 		soft_tls_prf(pmsecret, pmlen, TLS_MASTER_SECRET_LABEL,
504 		    TLS_MASTER_SECRET_LABEL_LEN, random_data->pClientRandom,
505 		    ClientRandomLen, random_data->pServerRandom,
506 		    ServerRandomLen, ssl_master_secret, 48);
507 	}
508 
509 	/*
510 	 * The object creation attributes need to be in one contiguous
511 	 * array. In addition to the attrs from the application supplied
512 	 * pTemplates, We need to add the class, type, value, valuelen and
513 	 * CKA_DERIVE.
514 	 * In the most likely case, the application passes between zero and
515 	 * handful of attributes, We optimize for that case by allocating
516 	 * the new template on the stack. Oherwise we malloc() it.
517 	 */
518 
519 	newattrcount = ulAttributeCount + 4;
520 	if (newattrcount > MAX_DEFAULT_ATTRS) {
521 		new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
522 
523 		if (new_tmpl == NULL)
524 			return (CKR_HOST_MEMORY);
525 
526 		new_tmpl_allocated = B_TRUE;
527 	} else
528 		new_tmpl = obj_tmpl;
529 
530 	/*
531 	 * Fill in the new template.
532 	 * We put the attributes contributed by the mechanism first
533 	 * so that they override the application supplied ones.
534 	 */
535 	new_tmpl[0].type = CKA_CLASS;
536 	new_tmpl[0].pValue = &class;
537 	new_tmpl[0].ulValueLen = sizeof (class);
538 	new_tmpl[1].type = CKA_KEY_TYPE;
539 	new_tmpl[1].pValue = &keyType;
540 	new_tmpl[1].ulValueLen = sizeof (keyType);
541 	new_tmpl[2].type = CKA_DERIVE;
542 	new_tmpl[2].pValue = &true;
543 	new_tmpl[2].ulValueLen = sizeof (true);
544 	new_tmpl[3].type = CKA_VALUE;
545 	new_tmpl[3].pValue = ssl_master_secret;
546 	new_tmpl[3].ulValueLen = 48;
547 
548 	/* Any attributes left? */
549 	if (ulAttributeCount > 0) {
550 
551 		/* Validate the default class and type attributes */
552 		for (i = 0; i < ulAttributeCount; i++) {
553 			/* The caller is responsible for proper alignment */
554 			if ((pTemplate[i].type == CKA_CLASS) &&
555 			    (*((CK_OBJECT_CLASS *)pTemplate[i].pValue) !=
556 			    CKO_SECRET_KEY)) {
557 				rv = CKR_TEMPLATE_INCONSISTENT;
558 				goto out;
559 			}
560 			if ((pTemplate[i].type == CKA_KEY_TYPE) &&
561 			    (*((CK_KEY_TYPE *)pTemplate[i].pValue) !=
562 			    CKK_GENERIC_SECRET)) {
563 				rv = CKR_TEMPLATE_INCONSISTENT;
564 				goto out;
565 			}
566 		}
567 		bcopy(pTemplate, &new_tmpl[4],
568 		    ulAttributeCount * sizeof (CK_ATTRIBUTE));
569 	}
570 
571 	rv = soft_add_derived_key(new_tmpl, newattrcount, phKey, sp, basekey_p);
572 out:
573 	if (new_tmpl_allocated)
574 		free(new_tmpl);
575 
576 	return (rv);
577 }
578 
579 /*
580  * soft_ssl3_key_and_mac_derive()
581  *
582  * Arguments:
583  * . session_p
584  * . mech_p:	key derivation mechanism. the mechanism parameter carries the
585  *		client and mastter random from the Hello handshake messages,
586  *		the specification of the key and IV sizes, and the location
587  * 		for the resulting keys and IVs.
588  * . basekey_p: The master secret key.
589  * . pTemplate & ulAttributeCount: Any extra attributes for the key to be
590  *		created.
591  *
592  * Description:
593  *	Derive the SSL key material (Client and server MAC secrets, symmetric
594  *	keys and IVs), from the master secret and the client
595  *	and server random.
596  *	First a keyblock is generated usining the following formula:
597  *	key_block =
598  *      	MD5(master_secret + SHA(`A' + master_secret +
599  *					ServerHello.random +
600  *					ClientHello.random)) +
601  *      	MD5(master_secret + SHA(`BB' + master_secret +
602  *					ServerHello.random +
603  *					ClientHello.random)) +
604  *      	MD5(master_secret + SHA(`CCC' + master_secret +
605  *					ServerHello.random +
606  *					ClientHello.random)) + [...];
607  *
608  *	In TLS 1.0 (a.k.a. SSL 3.1), key_block =
609  *	    PRF(master_secret, "key expansion",
610  *		ServerHello.random + ClientHello.random)
611  *
612  *	Then the keys materials are taken from the keyblock.
613  */
614 
615 CK_RV
616 soft_ssl_key_and_mac_derive(soft_session_t *sp, CK_MECHANISM_PTR mech,
617     soft_object_t *basekey_p, CK_ATTRIBUTE_PTR pTemplate,
618     CK_ULONG ulAttributeCount)
619 {
620 	uchar_t	*msecret = OBJ_SEC_VALUE(basekey_p);
621 #ifdef	__sparcv9
622 	/* LINTED */
623 	uint_t mslen = (uint_t)OBJ_SEC_VALUE_LEN(basekey_p);
624 #else	/* __sparcv9 */
625 	uint_t mslen = OBJ_SEC_VALUE_LEN(basekey_p);
626 #endif	/* __sparcv9 */
627 	CK_SSL3_KEY_MAT_PARAMS *km_params;
628 	CK_SSL3_RANDOM_DATA *random_data;
629 	CK_SSL3_KEY_MAT_OUT *kmo;
630 	uchar_t key_block[MAX_KEYBLOCK], *kb, *export_keys = NULL;
631 	CK_OBJECT_CLASS class = CKO_SECRET_KEY;
632 	CK_KEY_TYPE keyType = CKK_GENERIC_SECRET;
633 	CK_BBOOL true = TRUE;
634 	CK_ATTRIBUTE obj_tmpl[MAX_DEFAULT_ATTRS];
635 	CK_ATTRIBUTE_PTR new_tmpl;
636 	ulong_t newattrcount, mac_key_bytes, secret_key_bytes, iv_bytes;
637 	ulong_t extra_attr_count;
638 	uint_t size;
639 	int rounds, n = 0;
640 	boolean_t new_tmpl_allocated = B_FALSE, isExport;
641 	CK_RV rv = CKR_OK;
642 	uint_t ClientRandomLen, ServerRandomLen;
643 
644 	/* Check the validity of the mechanism's parameter */
645 
646 	km_params = (CK_SSL3_KEY_MAT_PARAMS *)mech->pParameter;
647 
648 	if (km_params == NULL ||
649 	    mech->ulParameterLen != sizeof (CK_SSL3_KEY_MAT_PARAMS) ||
650 	    (kmo = km_params->pReturnedKeyMaterial) == NULL)
651 		return (CKR_MECHANISM_PARAM_INVALID);
652 
653 	isExport = (km_params->bIsExport == TRUE);
654 
655 	random_data = &km_params->RandomInfo;
656 #ifdef	__sparcv9
657 	/* LINTED */
658 	ClientRandomLen = (uint_t)random_data->ulClientRandomLen;
659 	/* LINTED */
660 	ServerRandomLen = (uint_t)random_data->ulServerRandomLen;
661 #else	/* __sparcv9 */
662 	ClientRandomLen = random_data->ulClientRandomLen;
663 	ServerRandomLen = random_data->ulServerRandomLen;
664 #endif	/* __sparcv9 */
665 
666 	if (random_data->pClientRandom == NULL_PTR || ClientRandomLen == 0 ||
667 	    random_data->pServerRandom == NULL_PTR || ServerRandomLen == 0) {
668 		return (CKR_MECHANISM_PARAM_INVALID);
669 	}
670 
671 	mac_key_bytes = km_params->ulMacSizeInBits / 8;
672 	secret_key_bytes = km_params->ulKeySizeInBits / 8;
673 	iv_bytes = km_params->ulIVSizeInBits / 8;
674 
675 	if ((iv_bytes > 0) &&
676 	    ((kmo->pIVClient == NULL) || (kmo->pIVServer == NULL)))
677 		return (CKR_MECHANISM_PARAM_INVALID);
678 
679 	/*
680 	 * For exportable ciphersuites, the IV's aren't taken from the
681 	 * key block. They are directly derived from the client and
682 	 * server random data.
683 	 * For SSL3.0:
684 	 *	client_write_IV = MD5(ClientHello.random + ServerHello.random);
685 	 *	server_write_IV = MD5(ServerHello.random + ClientHello.random);
686 	 * For TLS1.0:
687 	 *	iv_block = PRF("", "IV block", client_random +
688 	 *			server_random)[0..15]
689 	 *	client_write_IV = iv_block[0..7]
690 	 *	server_write_IV = iv_block[8..15]
691 	 */
692 	if ((isExport) && (iv_bytes > 0)) {
693 
694 		if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
695 			MD5_CTX	exp_md5_ctx;
696 
697 			if (iv_bytes > MD5_HASH_SIZE)
698 				return (CKR_MECHANISM_PARAM_INVALID);
699 
700 			MD5Init(&exp_md5_ctx);
701 			MD5Update(&exp_md5_ctx, random_data->pClientRandom,
702 			    ClientRandomLen);
703 			MD5Update(&exp_md5_ctx, random_data->pServerRandom,
704 			    ServerRandomLen);
705 
706 			/* there's room in key_block. use it */
707 			MD5Final(key_block, &exp_md5_ctx);
708 			bcopy(key_block, kmo->pIVClient, iv_bytes);
709 
710 			MD5Init(&exp_md5_ctx);
711 			MD5Update(&exp_md5_ctx, random_data->pServerRandom,
712 			    ServerRandomLen);
713 			MD5Update(&exp_md5_ctx, random_data->pClientRandom,
714 			    ClientRandomLen);
715 			MD5Final(key_block, &exp_md5_ctx);
716 			bcopy(key_block, kmo->pIVServer, iv_bytes);
717 		} else {
718 			uchar_t	iv_block[16];
719 
720 			if (iv_bytes != 8)
721 				return (CKR_MECHANISM_PARAM_INVALID);
722 
723 			soft_tls_prf(NULL, 0, TLS_IV_BLOCK_LABEL,
724 			    TLS_IV_BLOCK_LABEL_LEN,
725 			    random_data->pClientRandom, ClientRandomLen,
726 			    random_data->pServerRandom, ServerRandomLen,
727 			    iv_block, 16);
728 			bcopy(iv_block, kmo->pIVClient, 8);
729 			bcopy(iv_block + 8, kmo->pIVServer, 8);
730 		}
731 		/* so we won't allocate a key_block bigger than needed */
732 		iv_bytes = 0;
733 	}
734 
735 	/* Now the actual secret derivation */
736 
737 #ifdef	__sparcv9
738 	/* LINTED */
739 	size = (uint_t)((mac_key_bytes + secret_key_bytes + iv_bytes) * 2);
740 #else	/* __sparcv9 */
741 	size = (mac_key_bytes + secret_key_bytes + iv_bytes) * 2;
742 #endif	/* __sparcv9 */
743 
744 	/* Need to handle this better */
745 	if (size > MAX_KEYBLOCK)
746 		return (CKR_MECHANISM_PARAM_INVALID);
747 
748 	rounds = howmany(size, MD5_HASH_SIZE);
749 
750 	kb = key_block;
751 
752 	if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
753 		soft_ssl3_churn(msecret, mslen, random_data->pServerRandom,
754 		    ServerRandomLen, random_data->pClientRandom,
755 		    ClientRandomLen, rounds, kb);
756 	} else {
757 		soft_tls_prf(msecret, mslen, TLS_KEY_EXPANSION_LABEL,
758 		    TLS_KEY_EXPANSION_LABEL_LEN,
759 		    random_data->pServerRandom, ServerRandomLen,
760 		    random_data->pClientRandom, ClientRandomLen,
761 		    kb, size);
762 	}
763 
764 	/* Now create the objects */
765 
766 	kmo->hClientMacSecret = CK_INVALID_HANDLE;
767 	kmo->hServerMacSecret = CK_INVALID_HANDLE;
768 	kmo->hClientKey = CK_INVALID_HANDLE;
769 	kmo->hServerKey = CK_INVALID_HANDLE;
770 
771 	/* First the MAC secrets */
772 	if (mac_key_bytes > 0) {
773 		obj_tmpl[0].type = CKA_CLASS;
774 		obj_tmpl[0].pValue = &class;	/* CKO_SECRET_KEY */
775 		obj_tmpl[0].ulValueLen = sizeof (class);
776 		obj_tmpl[1].type = CKA_KEY_TYPE;
777 		obj_tmpl[1].pValue = &keyType;	/* CKK_GENERIC_SECRET */
778 		obj_tmpl[1].ulValueLen = sizeof (keyType);
779 		obj_tmpl[2].type = CKA_DERIVE;
780 		obj_tmpl[2].pValue = &true;
781 		obj_tmpl[2].ulValueLen = sizeof (true);
782 		obj_tmpl[3].type = CKA_SIGN;
783 		obj_tmpl[3].pValue = &true;
784 		obj_tmpl[3].ulValueLen = sizeof (true);
785 		obj_tmpl[4].type = CKA_VERIFY;
786 		obj_tmpl[4].pValue = &true;
787 		obj_tmpl[4].ulValueLen = sizeof (true);
788 		obj_tmpl[5].type = CKA_VALUE;
789 		obj_tmpl[5].pValue = kb;
790 		obj_tmpl[5].ulValueLen = mac_key_bytes;
791 
792 		rv = soft_add_derived_key(obj_tmpl, 6,
793 		    &(kmo->hClientMacSecret), sp, basekey_p);
794 
795 		if (rv != CKR_OK)
796 			goto out_err;
797 
798 		kb += mac_key_bytes;
799 
800 		obj_tmpl[5].pValue = kb;
801 		rv = soft_add_derived_key(obj_tmpl, 6,
802 		    &(kmo->hServerMacSecret), sp, basekey_p);
803 
804 		if (rv != CKR_OK)
805 			goto out_err;
806 
807 		kb += mac_key_bytes;
808 	}
809 
810 	/* Then the symmetric ciphers keys */
811 
812 	extra_attr_count = (secret_key_bytes == 0) ? 6 : 5;
813 	newattrcount = ulAttributeCount + extra_attr_count;
814 	if (newattrcount > MAX_DEFAULT_ATTRS) {
815 		new_tmpl = malloc(sizeof (CK_ATTRIBUTE) * newattrcount);
816 
817 		if (new_tmpl == NULL)
818 			return (CKR_HOST_MEMORY);
819 
820 		new_tmpl_allocated = B_TRUE;
821 	} else
822 		new_tmpl = obj_tmpl;
823 
824 	new_tmpl[n].type = CKA_CLASS;
825 	new_tmpl[n].pValue = &class;	/* CKO_SECRET_KEY */
826 	new_tmpl[n].ulValueLen = sizeof (class);
827 	++n;
828 	/*
829 	 * The keyType comes from the application's template, and depends
830 	 * on the ciphersuite. The only exception is authentication only
831 	 * ciphersuites which do not use cipher keys.
832 	 */
833 	if (secret_key_bytes == 0) {
834 		new_tmpl[n].type = CKA_KEY_TYPE;
835 		new_tmpl[n].pValue = &keyType;	/* CKK_GENERIC_SECRET */
836 		new_tmpl[n].ulValueLen = sizeof (keyType);
837 		n++;
838 	}
839 	new_tmpl[n].type = CKA_DERIVE;
840 	new_tmpl[n].pValue = &true;
841 	new_tmpl[n].ulValueLen = sizeof (true);
842 	n++;
843 	new_tmpl[n].type = CKA_ENCRYPT;
844 	new_tmpl[n].pValue = &true;
845 	new_tmpl[n].ulValueLen = sizeof (true);
846 	n++;
847 	new_tmpl[n].type = CKA_DECRYPT;
848 	new_tmpl[n].pValue = &true;
849 	new_tmpl[n].ulValueLen = sizeof (true);
850 	n++;
851 	new_tmpl[n].type = CKA_VALUE;
852 	new_tmpl[n].pValue = NULL;
853 	new_tmpl[n].ulValueLen = 0;
854 
855 	if (secret_key_bytes > 0) {
856 		if (isExport) {
857 			if (secret_key_bytes > MD5_HASH_SIZE) {
858 				rv = CKR_MECHANISM_PARAM_INVALID;
859 				goto out_err;
860 			}
861 			if ((export_keys = malloc(2 * MD5_HASH_SIZE)) == NULL) {
862 				rv = CKR_HOST_MEMORY;
863 				goto out_err;
864 			}
865 #ifdef	__sparcv9
866 			/* LINTED */
867 			soft_ssl_weaken_key(mech, kb, (uint_t)secret_key_bytes,
868 #else	/* __sparcv9 */
869 			soft_ssl_weaken_key(mech, kb, secret_key_bytes,
870 #endif	/* __sparcv9 */
871 			    random_data->pClientRandom, ClientRandomLen,
872 			    random_data->pServerRandom, ServerRandomLen,
873 			    export_keys, B_TRUE);
874 			new_tmpl[n].pValue = export_keys;
875 			new_tmpl[n].ulValueLen = MD5_HASH_SIZE;
876 		} else {
877 			new_tmpl[n].pValue = kb;
878 			new_tmpl[n].ulValueLen = secret_key_bytes;
879 		}
880 	}
881 
882 	if (ulAttributeCount > 0)
883 		bcopy(pTemplate, &new_tmpl[extra_attr_count],
884 		    ulAttributeCount * sizeof (CK_ATTRIBUTE));
885 
886 	rv = soft_add_derived_key(new_tmpl, newattrcount,
887 	    &(kmo->hClientKey), sp, basekey_p);
888 
889 	if (rv != CKR_OK)
890 		goto out_err;
891 
892 	kb += secret_key_bytes;
893 
894 	if (secret_key_bytes > 0) {
895 		if (isExport) {
896 #ifdef	__sparcv9
897 			/* LINTED */
898 			soft_ssl_weaken_key(mech, kb, (uint_t)secret_key_bytes,
899 #else	/* __sparcv9 */
900 			soft_ssl_weaken_key(mech, kb, secret_key_bytes,
901 #endif	/* __sparcv9 */
902 			    random_data->pServerRandom, ServerRandomLen,
903 			    random_data->pClientRandom, ClientRandomLen,
904 			    export_keys + MD5_HASH_SIZE, B_FALSE);
905 			new_tmpl[n].pValue = export_keys + MD5_HASH_SIZE;
906 		} else
907 			new_tmpl[n].pValue = kb;
908 	}
909 
910 	rv = soft_add_derived_key(new_tmpl, newattrcount,
911 	    &(kmo->hServerKey), sp, basekey_p);
912 
913 	if (rv != CKR_OK)
914 		goto out_err;
915 
916 	kb += secret_key_bytes;
917 
918 	/* Finally, the IVs */
919 	if (iv_bytes > 0) {
920 		bcopy(kb, kmo->pIVClient, iv_bytes);
921 		kb += iv_bytes;
922 		bcopy(kb, kmo->pIVServer, iv_bytes);
923 	}
924 
925 	if (new_tmpl_allocated)
926 		free(new_tmpl);
927 
928 	if (export_keys != NULL)
929 		free(export_keys);
930 
931 	return (rv);
932 
933 out_err:
934 	if (kmo->hClientMacSecret != CK_INVALID_HANDLE) {
935 		(void) soft_delete_derived_key(sp,
936 		    (soft_object_t *)(kmo->hClientMacSecret));
937 		kmo->hClientMacSecret = CK_INVALID_HANDLE;
938 	}
939 	if (kmo->hServerMacSecret != CK_INVALID_HANDLE) {
940 		(void) soft_delete_derived_key(sp,
941 		    (soft_object_t *)(kmo->hServerMacSecret));
942 		kmo->hServerMacSecret = CK_INVALID_HANDLE;
943 	}
944 	if (kmo->hClientKey != CK_INVALID_HANDLE) {
945 		(void) soft_delete_derived_key(sp,
946 		    (soft_object_t *)(kmo->hClientKey));
947 		kmo->hClientKey = CK_INVALID_HANDLE;
948 	}
949 	if (kmo->hServerKey != CK_INVALID_HANDLE) {
950 		(void) soft_delete_derived_key(sp,
951 		    (soft_object_t *)(kmo->hServerKey));
952 		kmo->hServerKey = CK_INVALID_HANDLE;
953 	}
954 
955 	if (new_tmpl_allocated)
956 		free(new_tmpl);
957 
958 	if (export_keys != NULL)
959 		free(export_keys);
960 
961 	return (rv);
962 }
963 
964 /*
965  * Add the derived key to the session, and, if it's a token object,
966  * write it to the token.
967  */
968 static CK_RV
969 soft_add_derived_key(CK_ATTRIBUTE_PTR tmpl, CK_ULONG attrcount,
970     CK_OBJECT_HANDLE_PTR phKey, soft_session_t *sp, soft_object_t *basekey_p)
971 {
972 	CK_RV rv;
973 	soft_object_t *secret_key;
974 
975 	if ((secret_key = calloc(1, sizeof (soft_object_t))) == NULL) {
976 		return (CKR_HOST_MEMORY);
977 	}
978 
979 	if (((rv = soft_build_secret_key_object(tmpl, attrcount, secret_key,
980 	    SOFT_CREATE_OBJ_INT, 0, (CK_KEY_TYPE)~0UL)) != CKR_OK) ||
981 	    ((rv = soft_pin_expired_check(secret_key)) != CKR_OK) ||
982 	    ((rv = soft_object_write_access_check(sp, secret_key)) != CKR_OK)) {
983 
984 		free(secret_key);
985 		return (rv);
986 	}
987 
988 	/* Set the sensitivity and extractability attributes as a needed */
989 	soft_derive_enforce_flags(basekey_p, secret_key);
990 
991 	/* Initialize the rest of stuffs in soft_object_t. */
992 	(void) pthread_mutex_init(&secret_key->object_mutex, NULL);
993 	secret_key->magic_marker = SOFTTOKEN_OBJECT_MAGIC;
994 
995 	/* ... and, if it needs to persist, write on the token */
996 	if (IS_TOKEN_OBJECT(secret_key)) {
997 		secret_key->session_handle = (CK_SESSION_HANDLE)NULL;
998 		soft_add_token_object_to_slot(secret_key);
999 		rv = soft_put_object_to_keystore(secret_key);
1000 		if (rv != CKR_OK) {
1001 			soft_delete_token_object(secret_key, B_FALSE, B_FALSE);
1002 			return (rv);
1003 		}
1004 		*phKey = (CK_OBJECT_HANDLE)secret_key;
1005 
1006 		return (CKR_OK);
1007 	}
1008 
1009 	/* Add the new object to the session's object list. */
1010 	soft_add_object_to_session(secret_key, sp);
1011 	secret_key->session_handle = (CK_SESSION_HANDLE)sp;
1012 
1013 	*phKey = (CK_OBJECT_HANDLE)secret_key;
1014 
1015 	return (rv);
1016 }
1017 
1018 /*
1019  * Delete the derived key from the session, and, if it's a token object,
1020  * remove it from the token.
1021  */
1022 static void
1023 soft_delete_derived_key(soft_session_t *sp, soft_object_t *key)
1024 {
1025 	/* session_handle is the creating session. It's NULL for token objs */
1026 
1027 	if (IS_TOKEN_OBJECT(key))
1028 		soft_delete_token_object(key, B_FALSE, B_FALSE);
1029 	else
1030 		soft_delete_object(sp, key, B_FALSE, B_FALSE);
1031 }
1032 
1033 /*
1034  * soft_ssl_weaken_key()
1035  * Reduce the key length to an exportable size.
1036  * For SSL3.0:
1037  *	final_client_write_key = MD5(client_write_key +
1038  *                                ClientHello.random +
1039  *                                ServerHello.random);
1040  *	final_server_write_key = MD5(server_write_key +
1041  *                                ServerHello.random +
1042  *                                ClientHello.random);
1043  * For TLS1.0:
1044  *	final_client_write_key = PRF(SecurityParameters.client_write_key,
1045  *				    "client write key",
1046  *				    SecurityParameters.client_random +
1047  *				    SecurityParameters.server_random)[0..15];
1048  *	final_server_write_key = PRF(SecurityParameters.server_write_key,
1049  *				    "server write key",
1050  *				    SecurityParameters.client_random +
1051  *				    SecurityParameters.server_random)[0..15];
1052  */
1053 static void
1054 soft_ssl_weaken_key(CK_MECHANISM_PTR mech, uchar_t *secret, uint_t secretlen,
1055     uchar_t *rand1, uint_t rand1len, uchar_t *rand2, uint_t rand2len,
1056     uchar_t *result, boolean_t isclient)
1057 {
1058 	MD5_CTX exp_md5_ctx;
1059 	uchar_t *label;
1060 	uint_t labellen;
1061 
1062 	if (mech->mechanism == CKM_SSL3_KEY_AND_MAC_DERIVE) {
1063 		MD5Init(&exp_md5_ctx);
1064 		MD5Update(&exp_md5_ctx, secret, secretlen);
1065 		MD5Update(&exp_md5_ctx, rand1, rand1len);
1066 		MD5Update(&exp_md5_ctx, rand2, rand2len);
1067 		MD5Final(result, &exp_md5_ctx);
1068 	} else {
1069 		if (isclient) {
1070 			label = TLS_CLIENT_KEY_LABEL;
1071 			labellen = TLS_CLIENT_KEY_LABEL_LEN;
1072 			soft_tls_prf(secret, secretlen, label, labellen,
1073 			    rand1, rand1len, rand2, rand2len, result, 16);
1074 		} else {
1075 			label = TLS_SERVER_KEY_LABEL;
1076 			labellen = TLS_SERVER_KEY_LABEL_LEN;
1077 			soft_tls_prf(secret, secretlen, label, labellen,
1078 			    rand2, rand2len, rand1, rand1len, result, 16);
1079 		}
1080 	}
1081 }
1082