kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2448 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6f7374b0ed
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6f7374b0ed'
${ noResults }
boringssl/ssl/t1_enc.c

564 lines
20 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2005 Nokia. All rights reserved.

  112.  *

  113.  * The portions of the attached software ("Contribution") is developed by

  114.  * Nokia Corporation and is licensed pursuant to the OpenSSL open source

  115.  * license.

  116.  *

  117.  * The Contribution, originally written by Mika Kousa and Pasi Eronen of

  118.  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites

  119.  * support (see RFC 4279) to OpenSSL.

  120.  *

  121.  * No patent licenses or other rights except those expressly stated in

  122.  * the OpenSSL open source license shall be deemed granted or received

  123.  * expressly, by implication, estoppel, or otherwise.

  124.  *

  125.  * No assurances are provided by Nokia that the Contribution does not

  126.  * infringe the patent or other intellectual property rights of any third

  127.  * party or that the license provides you with all the necessary rights

  128.  * to make use of the Contribution.

  129.  *

  130.  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN

  131.  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA

  132.  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY

  133.  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR

  134.  * OTHERWISE. */

  135. 

  136. #include <openssl/ssl.h>

  137. 

  138. #include <assert.h>

  139. #include <stdio.h>

  140. #include <string.h>

  141. 

  142. #include <openssl/err.h>

  143. #include <openssl/evp.h>

  144. #include <openssl/hmac.h>

  145. #include <openssl/md5.h>

  146. #include <openssl/mem.h>

  147. #include <openssl/obj.h>

  148. #include <openssl/rand.h>

  149. 

  150. #include "internal.h"

  151. 

  152. 

  153. /* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,

  154.  * section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and

  155.  * |secret| as the secret. |seed1| through |seed3| are concatenated to form the

  156.  * seed parameter. It returns one on success and zero on failure. */

  157. static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,

  158.                        const uint8_t *secret, size_t secret_len,

  159.                        const uint8_t *seed1, size_t seed1_len,

  160.                        const uint8_t *seed2, size_t seed2_len,

  161.                        const uint8_t *seed3, size_t seed3_len) {

  162.   HMAC_CTX ctx, ctx_tmp, ctx_init;

  163.   uint8_t A1[EVP_MAX_MD_SIZE];

  164.   unsigned A1_len;

  165.   int ret = 0;

  166. 

  167.   size_t chunk = EVP_MD_size(md);

  168. 

  169.   HMAC_CTX_init(&ctx);

  170.   HMAC_CTX_init(&ctx_tmp);

  171.   HMAC_CTX_init(&ctx_init);

  172.   if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) ||

  173.       !HMAC_CTX_copy_ex(&ctx, &ctx_init) ||

  174.       !HMAC_Update(&ctx, seed1, seed1_len) ||

  175.       !HMAC_Update(&ctx, seed2, seed2_len) ||

  176.       !HMAC_Update(&ctx, seed3, seed3_len) ||

  177.       !HMAC_Final(&ctx, A1, &A1_len)) {

  178.     goto err;

  179.   }

  180. 

  181.   for (;;) {

  182.     unsigned len;

  183.     uint8_t hmac[EVP_MAX_MD_SIZE];

  184.     if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||

  185.         !HMAC_Update(&ctx, A1, A1_len) ||

  186.         /* Save a copy of |ctx| to compute the next A1 value below. */

  187.         (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) ||

  188.         !HMAC_Update(&ctx, seed1, seed1_len) ||

  189.         !HMAC_Update(&ctx, seed2, seed2_len) ||

  190.         !HMAC_Update(&ctx, seed3, seed3_len) ||

  191.         !HMAC_Final(&ctx, hmac, &len)) {

  192.       goto err;

  193.     }

  194.     assert(len == chunk);

  195. 

  196.     /* XOR the result into |out|. */

  197.     if (len > out_len) {

  198.       len = out_len;

  199.     }

  200.     unsigned i;

  201.     for (i = 0; i < len; i++) {

  202.       out[i] ^= hmac[i];

  203.     }

  204.     out += len;

  205.     out_len -= len;

  206. 

  207.     if (out_len == 0) {

  208.       break;

  209.     }

  210. 

  211.     /* Calculate the next A1 value. */

  212.     if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) {

  213.       goto err;

  214.     }

  215.   }

  216. 

  217.   ret = 1;

  218. 

  219. err:

  220.   HMAC_CTX_cleanup(&ctx);

  221.   HMAC_CTX_cleanup(&ctx_tmp);

  222.   HMAC_CTX_cleanup(&ctx_init);

  223.   OPENSSL_cleanse(A1, sizeof(A1));

  224.   return ret;

  225. }

  226. 

  227. static int tls1_prf(const SSL *ssl, uint8_t *out, size_t out_len,

  228.                     const uint8_t *secret, size_t secret_len, const char *label,

  229.                     size_t label_len, const uint8_t *seed1, size_t seed1_len,

  230.                     const uint8_t *seed2, size_t seed2_len) {

  231.   if (out_len == 0) {

  232.     return 1;

  233.   }

  234. 

  235.   memset(out, 0, out_len);

  236. 

  237.   uint32_t algorithm_prf = ssl_get_algorithm_prf(ssl);

  238.   if (algorithm_prf == SSL_HANDSHAKE_MAC_DEFAULT) {

  239.     /* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and

  240.      * MD5, MD5 first. */

  241.     size_t secret_half = secret_len - (secret_len / 2);

  242.     if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half,

  243.                      (const uint8_t *)label, label_len, seed1, seed1_len, seed2,

  244.                      seed2_len)) {

  245.       return 0;

  246.     }

  247. 

  248.     /* Note that, if |secret_len| is odd, the two halves share a byte. */

  249.     secret = secret + (secret_len - secret_half);

  250.     secret_len = secret_half;

  251.   }

  252. 

  253.   if (!tls1_P_hash(out, out_len, ssl_get_handshake_digest(algorithm_prf),

  254.                    secret, secret_len, (const uint8_t *)label, label_len,

  255.                    seed1, seed1_len, seed2, seed2_len)) {

  256.     return 0;

  257.   }

  258. 

  259.   return 1;

  260. }

  261. 

  262. int tls1_change_cipher_state(SSL *ssl, int which) {

  263.   /* Ensure the key block is set up. */

  264.   if (!tls1_setup_key_block(ssl)) {

  265.     return 0;

  266.   }

  267. 

  268.   /* is_read is true if we have just read a ChangeCipherSpec message - i.e. we

  269.    * need to update the read cipherspec. Otherwise we have just written one. */

  270.   const char is_read = (which & SSL3_CC_READ) != 0;

  271.   /* use_client_keys is true if we wish to use the keys for the "client write"

  272.    * direction. This is the case if we're a client sending a ChangeCipherSpec,

  273.    * or a server reading a client's ChangeCipherSpec. */

  274.   const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||

  275.                                which == SSL3_CHANGE_CIPHER_SERVER_READ;

  276. 

  277.   size_t mac_secret_len = ssl->s3->tmp.new_mac_secret_len;

  278.   size_t key_len = ssl->s3->tmp.new_key_len;

  279.   size_t iv_len = ssl->s3->tmp.new_fixed_iv_len;

  280.   assert((mac_secret_len + key_len + iv_len) * 2 ==

  281.          ssl->s3->tmp.key_block_length);

  282. 

  283.   const uint8_t *key_data = ssl->s3->tmp.key_block;

  284.   const uint8_t *client_write_mac_secret = key_data;

  285.   key_data += mac_secret_len;

  286.   const uint8_t *server_write_mac_secret = key_data;

  287.   key_data += mac_secret_len;

  288.   const uint8_t *client_write_key = key_data;

  289.   key_data += key_len;

  290.   const uint8_t *server_write_key = key_data;

  291.   key_data += key_len;

  292.   const uint8_t *client_write_iv = key_data;

  293.   key_data += iv_len;

  294.   const uint8_t *server_write_iv = key_data;

  295.   key_data += iv_len;

  296. 

  297.   const uint8_t *mac_secret, *key, *iv;

  298.   if (use_client_keys) {

  299.     mac_secret = client_write_mac_secret;

  300.     key = client_write_key;

  301.     iv = client_write_iv;

  302.   } else {

  303.     mac_secret = server_write_mac_secret;

  304.     key = server_write_key;

  305.     iv = server_write_iv;

  306.   }

  307. 

  308.   SSL_AEAD_CTX *aead_ctx =

  309.       SSL_AEAD_CTX_new(is_read ? evp_aead_open : evp_aead_seal,

  310.                        ssl3_protocol_version(ssl), ssl->s3->tmp.new_cipher, key,

  311.                        key_len, mac_secret, mac_secret_len, iv, iv_len);

  312.   if (aead_ctx == NULL) {

  313.     return 0;

  314.   }

  315. 

  316.   if (is_read) {

  317.     ssl_set_read_state(ssl, aead_ctx);

  318.   } else {

  319.     ssl_set_write_state(ssl, aead_ctx);

  320.   }

  321.   return 1;

  322. }

  323. 

  324. size_t SSL_get_key_block_len(const SSL *ssl) {

  325.   return 2 * ((size_t)ssl->s3->tmp.new_mac_secret_len +

  326.               (size_t)ssl->s3->tmp.new_key_len +

  327.               (size_t)ssl->s3->tmp.new_fixed_iv_len);

  328. }

  329. 

  330. int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {

  331.   return ssl->s3->enc_method->prf(

  332.       ssl, out, out_len, ssl->session->master_key,

  333.       ssl->session->master_key_length, TLS_MD_KEY_EXPANSION_CONST,

  334.       TLS_MD_KEY_EXPANSION_CONST_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE,

  335.       ssl->s3->client_random, SSL3_RANDOM_SIZE);

  336. }

  337. 

  338. int tls1_setup_key_block(SSL *ssl) {

  339.   if (ssl->s3->tmp.key_block_length != 0) {

  340.     return 1;

  341.   }

  342. 

  343.   const EVP_AEAD *aead = NULL;

  344.   size_t mac_secret_len, fixed_iv_len;

  345.   if (ssl->session->cipher == NULL ||

  346.       !ssl_cipher_get_evp_aead(&aead, &mac_secret_len, &fixed_iv_len,

  347.                                ssl->session->cipher,

  348.                                ssl3_protocol_version(ssl))) {

  349.     OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

  350.     return 0;

  351.   }

  352.   size_t key_len = EVP_AEAD_key_length(aead);

  353.   if (mac_secret_len > 0) {

  354.     /* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the

  355.      * key length reported by |EVP_AEAD_key_length| will include the MAC key

  356.      * bytes and initial implicit IV. */

  357.     if (key_len < mac_secret_len + fixed_iv_len) {

  358.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  359.       return 0;

  360.     }

  361.     key_len -= mac_secret_len + fixed_iv_len;

  362.   }

  363. 

  364.   assert(mac_secret_len < 256);

  365.   assert(key_len < 256);

  366.   assert(fixed_iv_len < 256);

  367. 

  368.   ssl->s3->tmp.new_mac_secret_len = (uint8_t)mac_secret_len;

  369.   ssl->s3->tmp.new_key_len = (uint8_t)key_len;

  370.   ssl->s3->tmp.new_fixed_iv_len = (uint8_t)fixed_iv_len;

  371. 

  372.   size_t key_block_len = SSL_get_key_block_len(ssl);

  373. 

  374.   ssl3_cleanup_key_block(ssl);

  375. 

  376.   uint8_t *keyblock = OPENSSL_malloc(key_block_len);

  377.   if (keyblock == NULL) {

  378.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  379.     return 0;

  380.   }

  381. 

  382.   if (!SSL_generate_key_block(ssl, keyblock, key_block_len)) {

  383.     OPENSSL_free(keyblock);

  384.     return 0;

  385.   }

  386. 

  387.   assert(key_block_len < 256);

  388.   ssl->s3->tmp.key_block_length = (uint8_t)key_block_len;

  389.   ssl->s3->tmp.key_block = keyblock;

  390.   return 1;

  391. }

  392. 

  393. static int tls1_cert_verify_mac(SSL *ssl, int md_nid, uint8_t *out) {

  394.   const EVP_MD_CTX *ctx_template;

  395.   if (md_nid == NID_md5) {

  396.     ctx_template = &ssl->s3->handshake_md5;

  397.   } else if (md_nid == EVP_MD_CTX_type(&ssl->s3->handshake_hash)) {

  398.     ctx_template = &ssl->s3->handshake_hash;

  399.   } else {

  400.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_REQUIRED_DIGEST);

  401.     return 0;

  402.   }

  403. 

  404.   EVP_MD_CTX ctx;

  405.   EVP_MD_CTX_init(&ctx);

  406.   if (!EVP_MD_CTX_copy_ex(&ctx, ctx_template)) {

  407.     EVP_MD_CTX_cleanup(&ctx);

  408.     return 0;

  409.   }

  410.   unsigned ret;

  411.   EVP_DigestFinal_ex(&ctx, out, &ret);

  412.   EVP_MD_CTX_cleanup(&ctx);

  413.   return ret;

  414. }

  415. 

  416. static int append_digest(const EVP_MD_CTX *ctx, uint8_t *out, size_t *out_len,

  417.                          size_t max_out) {

  418.   int ret = 0;

  419.   EVP_MD_CTX ctx_copy;

  420.   EVP_MD_CTX_init(&ctx_copy);

  421. 

  422.   if (EVP_MD_CTX_size(ctx) > max_out) {

  423.     OPENSSL_PUT_ERROR(SSL, SSL_R_BUFFER_TOO_SMALL);

  424.     goto err;

  425.   }

  426.   unsigned len;

  427.   if (!EVP_MD_CTX_copy_ex(&ctx_copy, ctx) ||

  428.       !EVP_DigestFinal_ex(&ctx_copy, out, &len)) {

  429.     goto err;

  430.   }

  431.   assert(len == EVP_MD_CTX_size(ctx));

  432. 

  433.   *out_len = len;

  434.   ret = 1;

  435. 

  436. err:

  437.   EVP_MD_CTX_cleanup(&ctx_copy);

  438.   return ret;

  439. }

  440. 

  441. /* tls1_handshake_digest calculates the current handshake hash and writes it to

  442.  * |out|, which has space for |out_len| bytes. It returns the number of bytes

  443.  * written or -1 in the event of an error. This function works on a copy of the

  444.  * underlying digests so can be called multiple times and prior to the final

  445.  * update etc. */

  446. int tls1_handshake_digest(SSL *ssl, uint8_t *out, size_t out_len) {

  447.   size_t md5_len = 0;

  448.   if (EVP_MD_CTX_md(&ssl->s3->handshake_md5) != NULL &&

  449.       !append_digest(&ssl->s3->handshake_md5, out, &md5_len, out_len)) {

  450.     return -1;

  451.   }

  452. 

  453.   size_t len;

  454.   if (!append_digest(&ssl->s3->handshake_hash, out + md5_len, &len,

  455.                      out_len - md5_len)) {

  456.     return -1;

  457.   }

  458. 

  459.   return (int)(md5_len + len);

  460. }

  461. 

  462. static int tls1_final_finish_mac(SSL *ssl, int from_server, uint8_t *out) {

  463.   /* At this point, the handshake should have released the handshake buffer on

  464.    * its own. */

  465.   assert(ssl->s3->handshake_buffer == NULL);

  466. 

  467.   const char *label = TLS_MD_CLIENT_FINISH_CONST;

  468.   size_t label_len = TLS_MD_SERVER_FINISH_CONST_SIZE;

  469.   if (from_server) {

  470.     label = TLS_MD_SERVER_FINISH_CONST;

  471.     label_len = TLS_MD_SERVER_FINISH_CONST_SIZE;

  472.   }

  473. 

  474.   uint8_t buf[EVP_MAX_MD_SIZE];

  475.   int digests_len = tls1_handshake_digest(ssl, buf, sizeof(buf));

  476.   if (digests_len < 0) {

  477.     return 0;

  478.   }

  479. 

  480.   static const size_t kFinishedLen = 12;

  481.   if (!ssl->s3->enc_method->prf(ssl, out, kFinishedLen,

  482.                                 ssl->session->master_key,

  483.                                 ssl->session->master_key_length, label,

  484.                                 label_len, buf, digests_len, NULL, 0)) {

  485.     return 0;

  486.   }

  487. 

  488.   return (int)kFinishedLen;

  489. }

  490. 

  491. int tls1_generate_master_secret(SSL *ssl, uint8_t *out,

  492.                                 const uint8_t *premaster,

  493.                                 size_t premaster_len) {

  494.   if (ssl->s3->tmp.extended_master_secret) {

  495.     uint8_t digests[EVP_MAX_MD_SIZE];

  496.     int digests_len = tls1_handshake_digest(ssl, digests, sizeof(digests));

  497.     if (digests_len == -1) {

  498.       return 0;

  499.     }

  500. 

  501.     if (!ssl->s3->enc_method->prf(ssl, out, SSL3_MASTER_SECRET_SIZE, premaster,

  502.                                   premaster_len,

  503.                                   TLS_MD_EXTENDED_MASTER_SECRET_CONST,

  504.                                   TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,

  505.                                   digests, digests_len, NULL, 0)) {

  506.       return 0;

  507.     }

  508.   } else {

  509.     if (!ssl->s3->enc_method->prf(ssl, out, SSL3_MASTER_SECRET_SIZE, premaster,

  510.                                   premaster_len, TLS_MD_MASTER_SECRET_CONST,

  511.                                   TLS_MD_MASTER_SECRET_CONST_SIZE,

  512.                                   ssl->s3->client_random, SSL3_RANDOM_SIZE,

  513.                                   ssl->s3->server_random, SSL3_RANDOM_SIZE)) {

  514.       return 0;

  515.     }

  516.   }

  517. 

  518.   return SSL3_MASTER_SECRET_SIZE;

  519. }

  520. 

  521. int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,

  522.                                const char *label, size_t label_len,

  523.                                const uint8_t *context, size_t context_len,

  524.                                int use_context) {

  525.   if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) {

  526.     return 0;

  527.   }

  528. 

  529.   size_t seed_len = 2 * SSL3_RANDOM_SIZE;

  530.   if (use_context) {

  531.     if (context_len >= 1u << 16) {

  532.       OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  533.       return 0;

  534.     }

  535.     seed_len += 2 + context_len;

  536.   }

  537.   uint8_t *seed = OPENSSL_malloc(seed_len);

  538.   if (seed == NULL) {

  539.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  540.     return 0;

  541.   }

  542. 

  543.   memcpy(seed, ssl->s3->client_random, SSL3_RANDOM_SIZE);

  544.   memcpy(seed + SSL3_RANDOM_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE);

  545.   if (use_context) {

  546.     seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8);

  547.     seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len;

  548.     memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);

  549.   }

  550. 

  551.   int ret =

  552.       ssl->s3->enc_method->prf(ssl, out, out_len, ssl->session->master_key,

  553.                                ssl->session->master_key_length, label,

  554.                                label_len, seed, seed_len, NULL, 0);

  555.   OPENSSL_free(seed);

  556.   return ret;

  557. }

  558. 

  559. const SSL3_ENC_METHOD TLSv1_enc_data = {

  560.     tls1_prf,

  561.     tls1_final_finish_mac,

  562.     tls1_cert_verify_mac,

  563. };