kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4071 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6fdea2aba9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6fdea2aba9'
${ noResults }
boringssl/ssl/t1_enc.c

562 lines
20 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2005 Nokia. All rights reserved.

  112.  *

  113.  * The portions of the attached software ("Contribution") is developed by

  114.  * Nokia Corporation and is licensed pursuant to the OpenSSL open source

  115.  * license.

  116.  *

  117.  * The Contribution, originally written by Mika Kousa and Pasi Eronen of

  118.  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites

  119.  * support (see RFC 4279) to OpenSSL.

  120.  *

  121.  * No patent licenses or other rights except those expressly stated in

  122.  * the OpenSSL open source license shall be deemed granted or received

  123.  * expressly, by implication, estoppel, or otherwise.

  124.  *

  125.  * No assurances are provided by Nokia that the Contribution does not

  126.  * infringe the patent or other intellectual property rights of any third

  127.  * party or that the license provides you with all the necessary rights

  128.  * to make use of the Contribution.

  129.  *

  130.  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN

  131.  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA

  132.  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY

  133.  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR

  134.  * OTHERWISE. */

  135. 

  136. #include <openssl/ssl.h>

  137. 

  138. #include <assert.h>

  139. #include <string.h>

  140. 

  141. #include <openssl/err.h>

  142. #include <openssl/evp.h>

  143. #include <openssl/hmac.h>

  144. #include <openssl/md5.h>

  145. #include <openssl/mem.h>

  146. #include <openssl/nid.h>

  147. #include <openssl/rand.h>

  148. 

  149. #include "../crypto/internal.h"

  150. #include "internal.h"

  151. 

  152. 

  153. /* tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246,

  154.  * section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and

  155.  * |secret| as the secret. |seed1| through |seed3| are concatenated to form the

  156.  * seed parameter. It returns one on success and zero on failure. */

  157. static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md,

  158.                        const uint8_t *secret, size_t secret_len,

  159.                        const uint8_t *seed1, size_t seed1_len,

  160.                        const uint8_t *seed2, size_t seed2_len,

  161.                        const uint8_t *seed3, size_t seed3_len) {

  162.   HMAC_CTX ctx, ctx_tmp, ctx_init;

  163.   uint8_t A1[EVP_MAX_MD_SIZE];

  164.   unsigned A1_len;

  165.   int ret = 0;

  166. 

  167.   size_t chunk = EVP_MD_size(md);

  168. 

  169.   HMAC_CTX_init(&ctx);

  170.   HMAC_CTX_init(&ctx_tmp);

  171.   HMAC_CTX_init(&ctx_init);

  172.   if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) ||

  173.       !HMAC_CTX_copy_ex(&ctx, &ctx_init) ||

  174.       !HMAC_Update(&ctx, seed1, seed1_len) ||

  175.       !HMAC_Update(&ctx, seed2, seed2_len) ||

  176.       !HMAC_Update(&ctx, seed3, seed3_len) ||

  177.       !HMAC_Final(&ctx, A1, &A1_len)) {

  178.     goto err;

  179.   }

  180. 

  181.   for (;;) {

  182.     unsigned len;

  183.     uint8_t hmac[EVP_MAX_MD_SIZE];

  184.     if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) ||

  185.         !HMAC_Update(&ctx, A1, A1_len) ||

  186.         /* Save a copy of |ctx| to compute the next A1 value below. */

  187.         (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) ||

  188.         !HMAC_Update(&ctx, seed1, seed1_len) ||

  189.         !HMAC_Update(&ctx, seed2, seed2_len) ||

  190.         !HMAC_Update(&ctx, seed3, seed3_len) ||

  191.         !HMAC_Final(&ctx, hmac, &len)) {

  192.       goto err;

  193.     }

  194.     assert(len == chunk);

  195. 

  196.     /* XOR the result into |out|. */

  197.     if (len > out_len) {

  198.       len = out_len;

  199.     }

  200.     unsigned i;

  201.     for (i = 0; i < len; i++) {

  202.       out[i] ^= hmac[i];

  203.     }

  204.     out += len;

  205.     out_len -= len;

  206. 

  207.     if (out_len == 0) {

  208.       break;

  209.     }

  210. 

  211.     /* Calculate the next A1 value. */

  212.     if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) {

  213.       goto err;

  214.     }

  215.   }

  216. 

  217.   ret = 1;

  218. 

  219. err:

  220.   HMAC_CTX_cleanup(&ctx);

  221.   HMAC_CTX_cleanup(&ctx_tmp);

  222.   HMAC_CTX_cleanup(&ctx_init);

  223.   OPENSSL_cleanse(A1, sizeof(A1));

  224.   return ret;

  225. }

  226. 

  227. int tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len,

  228.              const uint8_t *secret, size_t secret_len, const char *label,

  229.              size_t label_len, const uint8_t *seed1, size_t seed1_len,

  230.              const uint8_t *seed2, size_t seed2_len) {

  231.   if (out_len == 0) {

  232.     return 1;

  233.   }

  234. 

  235.   OPENSSL_memset(out, 0, out_len);

  236. 

  237.   if (digest == EVP_md5_sha1()) {

  238.     /* If using the MD5/SHA1 PRF, |secret| is partitioned between SHA-1 and

  239.      * MD5, MD5 first. */

  240.     size_t secret_half = secret_len - (secret_len / 2);

  241.     if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half,

  242.                      (const uint8_t *)label, label_len, seed1, seed1_len, seed2,

  243.                      seed2_len)) {

  244.       return 0;

  245.     }

  246. 

  247.     /* Note that, if |secret_len| is odd, the two halves share a byte. */

  248.     secret = secret + (secret_len - secret_half);

  249.     secret_len = secret_half;

  250. 

  251.     digest = EVP_sha1();

  252.   }

  253. 

  254.   if (!tls1_P_hash(out, out_len, digest, secret, secret_len,

  255.                    (const uint8_t *)label, label_len, seed1, seed1_len, seed2,

  256.                    seed2_len)) {

  257.     return 0;

  258.   }

  259. 

  260.   return 1;

  261. }

  262. 

  263. static int ssl3_prf(uint8_t *out, size_t out_len, const uint8_t *secret,

  264.                     size_t secret_len, const char *label, size_t label_len,

  265.                     const uint8_t *seed1, size_t seed1_len,

  266.                     const uint8_t *seed2, size_t seed2_len) {

  267.   EVP_MD_CTX md5;

  268.   EVP_MD_CTX sha1;

  269.   uint8_t buf[16], smd[SHA_DIGEST_LENGTH];

  270.   uint8_t c = 'A';

  271.   size_t i, j, k;

  272. 

  273.   k = 0;

  274.   EVP_MD_CTX_init(&md5);

  275.   EVP_MD_CTX_init(&sha1);

  276.   for (i = 0; i < out_len; i += MD5_DIGEST_LENGTH) {

  277.     k++;

  278.     if (k > sizeof(buf)) {

  279.       /* bug: 'buf' is too small for this ciphersuite */

  280.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  281.       return 0;

  282.     }

  283. 

  284.     for (j = 0; j < k; j++) {

  285.       buf[j] = c;

  286.     }

  287.     c++;

  288.     if (!EVP_DigestInit_ex(&sha1, EVP_sha1(), NULL)) {

  289.       OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);

  290.       return 0;

  291.     }

  292.     EVP_DigestUpdate(&sha1, buf, k);

  293.     EVP_DigestUpdate(&sha1, secret, secret_len);

  294.     /* |label| is ignored for SSLv3. */

  295.     if (seed1_len) {

  296.       EVP_DigestUpdate(&sha1, seed1, seed1_len);

  297.     }

  298.     if (seed2_len) {

  299.       EVP_DigestUpdate(&sha1, seed2, seed2_len);

  300.     }

  301.     EVP_DigestFinal_ex(&sha1, smd, NULL);

  302. 

  303.     if (!EVP_DigestInit_ex(&md5, EVP_md5(), NULL)) {

  304.       OPENSSL_PUT_ERROR(SSL, ERR_LIB_EVP);

  305.       return 0;

  306.     }

  307.     EVP_DigestUpdate(&md5, secret, secret_len);

  308.     EVP_DigestUpdate(&md5, smd, SHA_DIGEST_LENGTH);

  309.     if (i + MD5_DIGEST_LENGTH > out_len) {

  310.       EVP_DigestFinal_ex(&md5, smd, NULL);

  311.       OPENSSL_memcpy(out, smd, out_len - i);

  312.     } else {

  313.       EVP_DigestFinal_ex(&md5, out, NULL);

  314.     }

  315. 

  316.     out += MD5_DIGEST_LENGTH;

  317.   }

  318. 

  319.   OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);

  320.   EVP_MD_CTX_cleanup(&md5);

  321.   EVP_MD_CTX_cleanup(&sha1);

  322. 

  323.   return 1;

  324. }

  325. 

  326. static int tls1_setup_key_block(SSL_HANDSHAKE *hs) {

  327.   SSL *const ssl = hs->ssl;

  328.   if (hs->key_block_len != 0) {

  329.     return 1;

  330.   }

  331. 

  332.   SSL_SESSION *session = ssl->session;

  333.   if (hs->new_session != NULL) {

  334.     session = hs->new_session;

  335.   }

  336. 

  337.   const EVP_AEAD *aead = NULL;

  338.   size_t mac_secret_len, fixed_iv_len;

  339.   if (session->cipher == NULL ||

  340.       !ssl_cipher_get_evp_aead(&aead, &mac_secret_len, &fixed_iv_len,

  341.                                session->cipher, ssl3_protocol_version(ssl))) {

  342.     OPENSSL_PUT_ERROR(SSL, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

  343.     return 0;

  344.   }

  345.   size_t key_len = EVP_AEAD_key_length(aead);

  346.   if (mac_secret_len > 0) {

  347.     /* For "stateful" AEADs (i.e. compatibility with pre-AEAD cipher suites) the

  348.      * key length reported by |EVP_AEAD_key_length| will include the MAC key

  349.      * bytes and initial implicit IV. */

  350.     if (key_len < mac_secret_len + fixed_iv_len) {

  351.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  352.       return 0;

  353.     }

  354.     key_len -= mac_secret_len + fixed_iv_len;

  355.   }

  356. 

  357.   assert(mac_secret_len < 256);

  358.   assert(key_len < 256);

  359.   assert(fixed_iv_len < 256);

  360. 

  361.   ssl->s3->tmp.new_mac_secret_len = (uint8_t)mac_secret_len;

  362.   ssl->s3->tmp.new_key_len = (uint8_t)key_len;

  363.   ssl->s3->tmp.new_fixed_iv_len = (uint8_t)fixed_iv_len;

  364. 

  365.   size_t key_block_len = SSL_get_key_block_len(ssl);

  366. 

  367.   uint8_t *keyblock = OPENSSL_malloc(key_block_len);

  368.   if (keyblock == NULL) {

  369.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  370.     return 0;

  371.   }

  372. 

  373.   if (!SSL_generate_key_block(ssl, keyblock, key_block_len)) {

  374.     OPENSSL_free(keyblock);

  375.     return 0;

  376.   }

  377. 

  378.   assert(key_block_len < 256);

  379.   hs->key_block_len = (uint8_t)key_block_len;

  380.   hs->key_block = keyblock;

  381.   return 1;

  382. }

  383. 

  384. int tls1_change_cipher_state(SSL_HANDSHAKE *hs, int which) {

  385.   SSL *const ssl = hs->ssl;

  386.   /* Ensure the key block is set up. */

  387.   if (!tls1_setup_key_block(hs)) {

  388.     return 0;

  389.   }

  390. 

  391.   /* is_read is true if we have just read a ChangeCipherSpec message - i.e. we

  392.    * need to update the read cipherspec. Otherwise we have just written one. */

  393.   const char is_read = (which & SSL3_CC_READ) != 0;

  394.   /* use_client_keys is true if we wish to use the keys for the "client write"

  395.    * direction. This is the case if we're a client sending a ChangeCipherSpec,

  396.    * or a server reading a client's ChangeCipherSpec. */

  397.   const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||

  398.                                which == SSL3_CHANGE_CIPHER_SERVER_READ;

  399. 

  400.   size_t mac_secret_len = ssl->s3->tmp.new_mac_secret_len;

  401.   size_t key_len = ssl->s3->tmp.new_key_len;

  402.   size_t iv_len = ssl->s3->tmp.new_fixed_iv_len;

  403.   assert((mac_secret_len + key_len + iv_len) * 2 == hs->key_block_len);

  404. 

  405.   const uint8_t *key_data = hs->key_block;

  406.   const uint8_t *client_write_mac_secret = key_data;

  407.   key_data += mac_secret_len;

  408.   const uint8_t *server_write_mac_secret = key_data;

  409.   key_data += mac_secret_len;

  410.   const uint8_t *client_write_key = key_data;

  411.   key_data += key_len;

  412.   const uint8_t *server_write_key = key_data;

  413.   key_data += key_len;

  414.   const uint8_t *client_write_iv = key_data;

  415.   key_data += iv_len;

  416.   const uint8_t *server_write_iv = key_data;

  417.   key_data += iv_len;

  418. 

  419.   const uint8_t *mac_secret, *key, *iv;

  420.   if (use_client_keys) {

  421.     mac_secret = client_write_mac_secret;

  422.     key = client_write_key;

  423.     iv = client_write_iv;

  424.   } else {

  425.     mac_secret = server_write_mac_secret;

  426.     key = server_write_key;

  427.     iv = server_write_iv;

  428.   }

  429. 

  430.   SSL_AEAD_CTX *aead_ctx = SSL_AEAD_CTX_new(

  431.       is_read ? evp_aead_open : evp_aead_seal, ssl3_protocol_version(ssl),

  432.       hs->new_cipher, key, key_len, mac_secret, mac_secret_len, iv, iv_len);

  433.   if (aead_ctx == NULL) {

  434.     return 0;

  435.   }

  436. 

  437.   if (is_read) {

  438.     return ssl->method->set_read_state(ssl, aead_ctx);

  439.   }

  440. 

  441.   return ssl->method->set_write_state(ssl, aead_ctx);

  442. }

  443. 

  444. size_t SSL_get_key_block_len(const SSL *ssl) {

  445.   return 2 * ((size_t)ssl->s3->tmp.new_mac_secret_len +

  446.               (size_t)ssl->s3->tmp.new_key_len +

  447.               (size_t)ssl->s3->tmp.new_fixed_iv_len);

  448. }

  449. 

  450. int SSL_generate_key_block(const SSL *ssl, uint8_t *out, size_t out_len) {

  451.   if (ssl3_protocol_version(ssl) == SSL3_VERSION) {

  452.     return ssl3_prf(out, out_len, SSL_get_session(ssl)->master_key,

  453.                     SSL_get_session(ssl)->master_key_length,

  454.                     TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,

  455.                     ssl->s3->server_random, SSL3_RANDOM_SIZE,

  456.                     ssl->s3->client_random, SSL3_RANDOM_SIZE);

  457.   }

  458. 

  459.   const EVP_MD *digest = ssl_get_handshake_digest(

  460.       SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));

  461.   if (digest == NULL) {

  462.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  463.     return 0;

  464.   }

  465.   return tls1_prf(digest, out, out_len, SSL_get_session(ssl)->master_key,

  466.                   SSL_get_session(ssl)->master_key_length,

  467.                   TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,

  468.                   ssl->s3->server_random, SSL3_RANDOM_SIZE,

  469.                   ssl->s3->client_random, SSL3_RANDOM_SIZE);

  470. }

  471. 

  472. int tls1_generate_master_secret(SSL_HANDSHAKE *hs, uint8_t *out,

  473.                                 const uint8_t *premaster,

  474.                                 size_t premaster_len) {

  475.   const SSL *ssl = hs->ssl;

  476.   if (hs->extended_master_secret) {

  477.     uint8_t digests[EVP_MAX_MD_SIZE];

  478.     size_t digests_len;

  479.     if (!SSL_TRANSCRIPT_get_hash(&hs->transcript, digests, &digests_len) ||

  480.         !tls1_prf(SSL_TRANSCRIPT_md(&hs->transcript), out,

  481.                   SSL3_MASTER_SECRET_SIZE, premaster, premaster_len,

  482.                   TLS_MD_EXTENDED_MASTER_SECRET_CONST,

  483.                   TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, digests,

  484.                   digests_len, NULL, 0)) {

  485.       return 0;

  486.     }

  487.   } else {

  488.     if (ssl3_protocol_version(ssl) == SSL3_VERSION) {

  489.       if (!ssl3_prf(out, SSL3_MASTER_SECRET_SIZE, premaster, premaster_len,

  490.                     TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE,

  491.                     ssl->s3->client_random, SSL3_RANDOM_SIZE,

  492.                     ssl->s3->server_random, SSL3_RANDOM_SIZE)) {

  493.         return 0;

  494.       }

  495.     } else {

  496.       if (!tls1_prf(SSL_TRANSCRIPT_md(&hs->transcript), out,

  497.                     SSL3_MASTER_SECRET_SIZE, premaster, premaster_len,

  498.                     TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE,

  499.                     ssl->s3->client_random, SSL3_RANDOM_SIZE,

  500.                     ssl->s3->server_random, SSL3_RANDOM_SIZE)) {

  501.         return 0;

  502.       }

  503.     }

  504.   }

  505. 

  506.   return SSL3_MASTER_SECRET_SIZE;

  507. }

  508. 

  509. int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,

  510.                                const char *label, size_t label_len,

  511.                                const uint8_t *context, size_t context_len,

  512.                                int use_context) {

  513.   if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) {

  514.     return 0;

  515.   }

  516. 

  517.   /* Exporters may not be used in the middle of a renegotiation. */

  518.   if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {

  519.     return 0;

  520.   }

  521. 

  522.   if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {

  523.     return tls13_export_keying_material(ssl, out, out_len, label, label_len,

  524.                                         context, context_len, use_context);

  525.   }

  526. 

  527.   size_t seed_len = 2 * SSL3_RANDOM_SIZE;

  528.   if (use_context) {

  529.     if (context_len >= 1u << 16) {

  530.       OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);

  531.       return 0;

  532.     }

  533.     seed_len += 2 + context_len;

  534.   }

  535.   uint8_t *seed = OPENSSL_malloc(seed_len);

  536.   if (seed == NULL) {

  537.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  538.     return 0;

  539.   }

  540. 

  541.   OPENSSL_memcpy(seed, ssl->s3->client_random, SSL3_RANDOM_SIZE);

  542.   OPENSSL_memcpy(seed + SSL3_RANDOM_SIZE, ssl->s3->server_random,

  543.                  SSL3_RANDOM_SIZE);

  544.   if (use_context) {

  545.     seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8);

  546.     seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len;

  547.     OPENSSL_memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);

  548.   }

  549. 

  550.   const EVP_MD *digest = ssl_get_handshake_digest(

  551.       SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));

  552.   if (digest == NULL) {

  553.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  554.     return 0;

  555.   }

  556.   int ret = tls1_prf(digest, out, out_len, SSL_get_session(ssl)->master_key,

  557.                      SSL_get_session(ssl)->master_key_length, label, label_len,

  558.                      seed, seed_len, NULL, 0);

  559.   OPENSSL_free(seed);

  560.   return ret;

  561. }