kris
/
boringssl
1
0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
2548 Revize
12 Větve
38 MiB
 
 
 
 
 
 
Strom: 3ed24f0502
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „3ed24f0502“
${ noResults }
boringssl/ssl/t1_enc.c

563 řádky
20 KiB
Surový Blame Historie 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2005 Nokia. All rights reserved.

  112.  *

  113.  * The portions of the attached software ("Contribution") is developed by

  114.  * Nokia Corporation and is licensed pursuant to the OpenSSL open source

  115.  * license.

  116.  *

  117.  * The Contribution, originally written by Mika Kousa and Pasi Eronen of

  118.  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites

  119.  * support (see RFC 4279) to OpenSSL.

  120.  *

  121.  * No patent licenses or other rights except those expressly stated in

  122.  * the OpenSSL open source license shall be deemed granted or received

  123.  * expressly, by implication, estoppel, or otherwise.

  124.  *

  125.  * No assurances are provided by Nokia that the Contribution does not

  126.  * infringe the patent or other intellectual property rights of any third

  127.  * party or that the license provides you with all the necessary rights

  128.  * to make use of the Contribution.

  129.  *

  130.  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN

  131.  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA

  132.  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY

  133.  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR

  134.  * OTHERWISE. */

  135. 

  136. #include <openssl/ssl.h>

  137. 

  138. #include <assert.h>

  139. #include <string.h>

  140. 

  141. #include <openssl/err.h>

  142. #include <openssl/evp.h>

  143. #include <openssl/hmac.h>

  144. #include <openssl/md5.h>

  145. #include <openssl/mem.h>

  146. #include <openssl/nid.h>

  147. #include <openssl/rand.h>

  148. 

  149. #include "internal.h"

  150. 

  151. 

  152. /* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,

  153.  * section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and

  154.  * |secret| as the secret. |seed1| through |seed3| are concatenated to form the

  155.  * seed parameter. It returns one on success and zero on failure. */

  156. static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,

  157.                        const uint8_t *secret, size_t secret_len,

  158.                        const uint8_t *seed1, size_t seed1_len,

  159.                        const uint8_t *seed2, size_t seed2_len,

  160.                        const uint8_t *seed3, size_t seed3_len) {

  161.   HMAC_CTX ctx, ctx_tmp, ctx_init;

  162.   uint8_t A1[EVP_MAX_MD_SIZE];

  163.   unsigned A1_len;

  164.   int ret = 0;

  165. 

  166.   size_t chunk = EVP_MD_size(md);

  167. 

  168.   HMAC_CTX_init(&ctx);

  169.   HMAC_CTX_init(&ctx_tmp);

  170.   HMAC_CTX_init(&ctx_init);

  171.   if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) ||

  172.       !HMAC_CTX_copy_ex(&ctx, &ctx_init) ||

  173.       !HMAC_Update(&ctx, seed1, seed1_len) ||

  174.       !HMAC_Update(&ctx, seed2, seed2_len) ||

  175.       !HMAC_Update(&ctx, seed3, seed3_len) ||

  176.       !HMAC_Final(&ctx, A1, &A1_len)) {

  177.     goto err;

  178.   }

  179. 

  180.   for (;;) {

  181.     unsigned len;

  182.     uint8_t hmac[EVP_MAX_MD_SIZE];

  183.     if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||

  184.         !HMAC_Update(&ctx, A1, A1_len) ||

  185.         /* Save a copy of |ctx| to compute the next A1 value below. */

  186.         (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) ||

  187.         !HMAC_Update(&ctx, seed1, seed1_len) ||

  188.         !HMAC_Update(&ctx, seed2, seed2_len) ||

  189.         !HMAC_Update(&ctx, seed3, seed3_len) ||

  190.         !HMAC_Final(&ctx, hmac, &len)) {

  191.       goto err;

  192.     }

  193.     assert(len == chunk);

  194. 

  195.     /* XOR the result into |out|. */

  196.     if (len > out_len) {

  197.       len = out_len;

  198.     }

  199.     unsigned i;

  200.     for (i = 0; i < len; i++) {

  201.       out[i] ^= hmac[i];

  202.     }

  203.     out += len;

  204.     out_len -= len;

  205. 

  206.     if (out_len == 0) {

  207.       break;

  208.     }

  209. 

  210.     /* Calculate the next A1 value. */

  211.     if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) {

  212.       goto err;

  213.     }

  214.   }

  215. 

  216.   ret = 1;

  217. 

  218. err:

  219.   HMAC_CTX_cleanup(&ctx);

  220.   HMAC_CTX_cleanup(&ctx_tmp);

  221.   HMAC_CTX_cleanup(&ctx_init);

  222.   OPENSSL_cleanse(A1, sizeof(A1));

  223.   return ret;

  224. }

  225. 

  226. static int tls1_prf(const SSL *ssl, uint8_t *out, size_t out_len,

  227.                     const uint8_t *secret, size_t secret_len, const char *label,

  228.                     size_t label_len, const uint8_t *seed1, size_t seed1_len,

  229.                     const uint8_t *seed2, size_t seed2_len) {

  230.   if (out_len == 0) {

  231.     return 1;

  232.   }

  233. 

  234.   memset(out, 0, out_len);

  235. 

  236.   uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl);

  237.   if (algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT) {

  238.     /* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and

  239.      * MD5, MD5 first. */

  240.     size_t secret_half = secret_len - (secret_len / 2);

  241.     if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half,

  242.                      (const uint8_t *)label, label_len, seed1, seed1_len, seed2,

  243.                      seed2_len)) {

  244.       return 0;

  245.     }

  246. 

  247.     /* Note that, if |secret_len| is odd, the two halves share a byte. */

  248.     secret = secret + (secret_len - secret_half);

  249.     secret_len = secret_half;

  250.   }

  251. 

  252.   if (!tls1_P_hash(out, out_len, ssl_get_handshake_digest(algorithm_prf),

  253.                    secret, secret_len, (const uint8_t *)label, label_len,

  254.                    seed1, seed1_len, seed2, seed2_len)) {

  255.     return 0;

  256.   }

  257. 

  258.   return 1;

  259. }

  260. 

  261. int tls1_change_cipher_state(SSL *ssl, int which) {

  262.   /* Ensure the key block is set up. */

  263.   if (!tls1_setup_key_block(ssl)) {

  264.     return 0;

  265.   }

  266. 

  267.   /* is_read is true if we have just read a ChangeCipherSpec message - i.e. we

  268.    * need to update the read cipherspec. Otherwise we have just written one. */

  269.   const char is_read = (which & SSL3_CC_READ) != 0;

  270.   /* use_client_keys is true if we wish to use the keys for the "client write"

  271.    * direction. This is the case if we're a client sending a ChangeCipherSpec,

  272.    * or a server reading a client's ChangeCipherSpec. */

  273.   const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||

  274.                                which == SSL3_CHANGE_CIPHER_SERVER_READ;

  275. 

  276.   size_t mac_secret_len = ssl->s3->tmp.new_mac_secret_len;

  277.   size_t key_len = ssl->s3->tmp.new_key_len;

  278.   size_t iv_len = ssl->s3->tmp.new_fixed_iv_len;

  279.   assert((mac_secret_len + key_len + iv_len) * 2 ==

  280.          ssl->s3->tmp.key_block_length);

  281. 

  282.   const uint8_t *key_data = ssl->s3->tmp.key_block;

  283.   const uint8_t *client_write_mac_secret = key_data;

  284.   key_data += mac_secret_len;

  285.   const uint8_t *server_write_mac_secret = key_data;

  286.   key_data += mac_secret_len;

  287.   const uint8_t *client_write_key = key_data;

  288.   key_data += key_len;

  289.   const uint8_t *server_write_key = key_data;

  290.   key_data += key_len;

  291.   const uint8_t *client_write_iv = key_data;

  292.   key_data += iv_len;

  293.   const uint8_t *server_write_iv = key_data;

  294.   key_data += iv_len;

  295. 

  296.   const uint8_t *mac_secret, *key, *iv;

  297.   if (use_client_keys) {

  298.     mac_secret = client_write_mac_secret;

  299.     key = client_write_key;

  300.     iv = client_write_iv;

  301.   } else {

  302.     mac_secret = server_write_mac_secret;

  303.     key = server_write_key;

  304.     iv = server_write_iv;

  305.   }

  306. 

  307.   SSL_AEAD_CTX *aead_ctx =

  308.       SSL_AEAD_CTX_new(is_read ? evp_aead_open : evp_aead_seal,

  309.                        ssl3_protocol_version(ssl), ssl->s3->tmp.new_cipher, key,

  310.                        key_len, mac_secret, mac_secret_len, iv, iv_len);

  311.   if (aead_ctx == NULL) {

  312.     return 0;

  313.   }

  314. 

  315.   if (is_read) {

  316.     ssl_set_read_state(ssl, aead_ctx);

  317.   } else {

  318.     ssl_set_write_state(ssl, aead_ctx);

  319.   }

  320.   return 1;

  321. }

  322. 

  323. size_t SSL_get_key_block_len(const SSL *ssl) {

  324.   return 2 * ((size_t)ssl->s3->tmp.new_mac_secret_len +

  325.               (size_t)ssl->s3->tmp.new_key_len +

  326.               (size_t)ssl->s3->tmp.new_fixed_iv_len);

  327. }

  328. 

  329. int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {

  330.   return ssl->s3->enc_method->prf(

  331.       ssl, out, out_len, ssl->session->master_key,

  332.       ssl->session->master_key_length, TLS_MD_KEY_EXPANSION_CONST,

  333.       TLS_MD_KEY_EXPANSION_CONST_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE,

  334.       ssl->s3->client_random, SSL3_RANDOM_SIZE);

  335. }

  336. 

  337. int tls1_setup_key_block(SSL *ssl) {

  338.   if (ssl->s3->tmp.key_block_length != 0) {

  339.     return 1;

  340.   }

  341. 

  342.   const EVP_AEAD *aead = NULL;

  343.   size_t mac_secret_len, fixed_iv_len;

  344.   if (ssl->session->cipher == NULL ||

  345.       !ssl_cipher_get_evp_aead(&aead, &mac_secret_len, &fixed_iv_len,

  346.                                ssl->session->cipher,

  347.                                ssl3_protocol_version(ssl))) {

  348.     OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

  349.     return 0;

  350.   }

  351.   size_t key_len = EVP_AEAD_key_length(aead);

  352.   if (mac_secret_len > 0) {

  353.     /* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the

  354.      * key length reported by |EVP_AEAD_key_length| will include the MAC key

  355.      * bytes and initial implicit IV. */

  356.     if (key_len < mac_secret_len + fixed_iv_len) {

  357.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  358.       return 0;

  359.     }

  360.     key_len -= mac_secret_len + fixed_iv_len;

  361.   }

  362. 

  363.   assert(mac_secret_len < 256);

  364.   assert(key_len < 256);

  365.   assert(fixed_iv_len < 256);

  366. 

  367.   ssl->s3->tmp.new_mac_secret_len = (uint8_t)mac_secret_len;

  368.   ssl->s3->tmp.new_key_len = (uint8_t)key_len;

  369.   ssl->s3->tmp.new_fixed_iv_len = (uint8_t)fixed_iv_len;

  370. 

  371.   size_t key_block_len = SSL_get_key_block_len(ssl);

  372. 

  373.   ssl3_cleanup_key_block(ssl);

  374. 

  375.   uint8_t *keyblock = OPENSSL_malloc(key_block_len);

  376.   if (keyblock == NULL) {

  377.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  378.     return 0;

  379.   }

  380. 

  381.   if (!SSL_generate_key_block(ssl, keyblock, key_block_len)) {

  382.     OPENSSL_free(keyblock);

  383.     return 0;

  384.   }

  385. 

  386.   assert(key_block_len < 256);

  387.   ssl->s3->tmp.key_block_length = (uint8_t)key_block_len;

  388.   ssl->s3->tmp.key_block = keyblock;

  389.   return 1;

  390. }

  391. 

  392. static int tls1_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *out) {

  393.   const EVP_MD_CTX *ctx_template;

  394.   if (md_nid == NID_md5) {

  395.     ctx_template = &ssl->s3->handshake_md5;

  396.   } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {

  397.     ctx_template = &ssl->s3->handshake_hash;

  398.   } else {

  399.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);

  400.     return 0;

  401.   }

  402. 

  403.   EVP_MD_CTX ctx;

  404.   EVP_MD_CTX_init(&ctx);

  405.   if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {

  406.     EVP_MD_CTX_cleanup(&ctx);

  407.     return 0;

  408.   }

  409.   unsigned ret;

  410.   EVP_DigestFinal_ex(&ctx, out, &ret);

  411.   EVP_MD_CTX_cleanup(&ctx);

  412.   return ret;

  413. }

  414. 

  415. static int append_digest(const EVP_MD_CTX *ctx, uint8_t *out, size_t *out_len,

  416.                          size_t max_out) {

  417.   int ret = 0;

  418.   EVP_MD_CTX ctx_copy;

  419.   EVP_MD_CTX_init(&ctx_copy);

  420. 

  421.   if (EVP_MD_CTX_size(ctx) > max_out) {

  422.     OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);

  423.     goto err;

  424.   }

  425.   unsigned len;

  426.   if (!EVP_MD_CTX_copy_ex(&ctx_copy, ctx) ||

  427.       !EVP_DigestFinal_ex(&ctx_copy, out, &len)) {

  428.     goto err;

  429.   }

  430.   assert(len == EVP_MD_CTX_size(ctx));

  431. 

  432.   *out_len = len;

  433.   ret = 1;

  434. 

  435. err:

  436.   EVP_MD_CTX_cleanup(&ctx_copy);

  437.   return ret;

  438. }

  439. 

  440. /* tls1_handshake_digest calculates the current handshake hash and writes it to

  441.  * |out|, which has space for |out_len| bytes. It returns the number of bytes

  442.  * written or -1 in the event of an error. This function works on a copy of the

  443.  * underlying digests so can be called multiple times and prior to the final

  444.  * update etc. */

  445. int tls1_handshake_digest(SSL *ssl, uint8_t *out, size_t out_len) {

  446.   size_t md5_len = 0;

  447.   if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL &&

  448.       !append_digest(&ssl->s3->handshake_md5, out, &md5_len, out_len)) {

  449.     return -1;

  450.   }

  451. 

  452.   size_t len;

  453.   if (!append_digest(&ssl->s3->handshake_hash, out + md5_len, &len,

  454.                      out_len - md5_len)) {

  455.     return -1;

  456.   }

  457. 

  458.   return (int)(md5_len + len);

  459. }

  460. 

  461. static int tls1_final_finish_mac(SSL *ssl, int from_server, uint8_t *out) {

  462.   /* At this point, the handshake should have released the handshake buffer on

  463.    * its own. */

  464.   assert(ssl->s3->handshake_buffer == NULL);

  465. 

  466.   const char *label = TLS_MD_CLIENT_FINISH_CONST;

  467.   size_t label_len = TLS_MD_SERVER_FINISH_CONST_SIZE;

  468.   if (from_server) {

  469.     label = TLS_MD_SERVER_FINISH_CONST;

  470.     label_len = TLS_MD_SERVER_FINISH_CONST_SIZE;

  471.   }

  472. 

  473.   uint8_t buf[EVP_MAX_MD_SIZE];

  474.   int digests_len = tls1_handshake_digest(ssl, buf, sizeof(buf));

  475.   if (digests_len < 0) {

  476.     return 0;

  477.   }

  478. 

  479.   static const size_t kFinishedLen = 12;

  480.   if (!ssl->s3->enc_method->prf(ssl, out, kFinishedLen,

  481.                                 ssl->session->master_key,

  482.                                 ssl->session->master_key_length, label,

  483.                                 label_len, buf, digests_len, NULL, 0)) {

  484.     return 0;

  485.   }

  486. 

  487.   return (int)kFinishedLen;

  488. }

  489. 

  490. int tls1_generate_master_secret(SSL *ssl, uint8_t *out,

  491.                                 const uint8_t *premaster,

  492.                                 size_t premaster_len) {

  493.   if (ssl->s3->tmp.extended_master_secret) {

  494.     uint8_t digests[EVP_MAX_MD_SIZE];

  495.     int digests_len = tls1_handshake_digest(ssl, digests, sizeof(digests));

  496.     if (digests_len == -1) {

  497.       return 0;

  498.     }

  499. 

  500.     if (!ssl->s3->enc_method->prf(ssl, out, SSL3_MASTER_SECRET_SIZE, premaster,

  501.                                   premaster_len,

  502.                                   TLS_MD_EXTENDED_MASTER_SECRET_CONST,

  503.                                   TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,

  504.                                   digests, digests_len, NULL, 0)) {

  505.       return 0;

  506.     }

  507.   } else {

  508.     if (!ssl->s3->enc_method->prf(ssl, out, SSL3_MASTER_SECRET_SIZE, premaster,

  509.                                   premaster_len, TLS_MD_MASTER_SECRET_CONST,

  510.                                   TLS_MD_MASTER_SECRET_CONST_SIZE,

  511.                                   ssl->s3->client_random, SSL3_RANDOM_SIZE,

  512.                                   ssl->s3->server_random, SSL3_RANDOM_SIZE)) {

  513.       return 0;

  514.     }

  515.   }

  516. 

  517.   return SSL3_MASTER_SECRET_SIZE;

  518. }

  519. 

  520. int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,

  521.                                const char *label, size_t label_len,

  522.                                const uint8_t *context, size_t context_len,

  523.                                int use_context) {

  524.   if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) {

  525.     return 0;

  526.   }

  527. 

  528.   size_t seed_len = 2 * SSL3_RANDOM_SIZE;

  529.   if (use_context) {

  530.     if (context_len >= 1u << 16) {

  531.       OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  532.       return 0;

  533.     }

  534.     seed_len += 2 + context_len;

  535.   }

  536.   uint8_t *seed = OPENSSL_malloc(seed_len);

  537.   if (seed == NULL) {

  538.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  539.     return 0;

  540.   }

  541. 

  542.   memcpy(seed, ssl->s3->client_random, SSL3_RANDOM_SIZE);

  543.   memcpy(seed + SSL3_RANDOM_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE);

  544.   if (use_context) {

  545.     seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8);

  546.     seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len;

  547.     memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);

  548.   }

  549. 

  550.   int ret =

  551.       ssl->s3->enc_method->prf(ssl, out, out_len, ssl->session->master_key,

  552.                                ssl->session->master_key_length, label,

  553.                                label_len, seed, seed_len, NULL, 0);

  554.   OPENSSL_free(seed);

  555.   return ret;

  556. }

  557. 

  558. const SSL3_ENC_METHOD TLSv1_enc_data = {

  559.     tls1_prf,

  560.     tls1_final_finish_mac,

  561.     tls1_cert_verify_mac,

  562. };