1 /* 2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* ==================================================================== 11 * Copyright 2005 Nokia. All rights reserved. 12 * 13 * The portions of the attached software ("Contribution") is developed by 14 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 15 * license. 16 * 17 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 18 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 19 * support (see RFC 4279) to OpenSSL. 20 * 21 * No patent licenses or other rights except those expressly stated in 22 * the OpenSSL open source license shall be deemed granted or received 23 * expressly, by implication, estoppel, or otherwise. 24 * 25 * No assurances are provided by Nokia that the Contribution does not 26 * infringe the patent or other intellectual property rights of any third 27 * party or that the license provides you with all the necessary rights 28 * to make use of the Contribution. 29 * 30 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 31 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 32 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 33 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 34 * OTHERWISE. 35 */ 36 37 #include <stdio.h> 38 #include "ssl_locl.h" 39 #include <openssl/comp.h> 40 #include <openssl/evp.h> 41 #include <openssl/kdf.h> 42 #include <openssl/rand.h> 43 44 /* seed1 through seed5 are concatenated */ 45 static int tls1_PRF(SSL *s, 46 const void *seed1, int seed1_len, 47 const void *seed2, int seed2_len, 48 const void *seed3, int seed3_len, 49 const void *seed4, int seed4_len, 50 const void *seed5, int seed5_len, 51 const unsigned char *sec, int slen, 52 unsigned char *out, int olen) 53 { 54 const EVP_MD *md = ssl_prf_md(s); 55 EVP_PKEY_CTX *pctx = NULL; 56 57 int ret = 0; 58 size_t outlen = olen; 59 60 if (md == NULL) { 61 /* Should never happen */ 62 SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); 63 return 0; 64 } 65 pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); 66 if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0 67 || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0 68 || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, slen) <= 0) 69 goto err; 70 71 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len) <= 0) 72 goto err; 73 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len) <= 0) 74 goto err; 75 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len) <= 0) 76 goto err; 77 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, seed4_len) <= 0) 78 goto err; 79 if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, seed5_len) <= 0) 80 goto err; 81 82 if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) 83 goto err; 84 ret = 1; 85 86 err: 87 EVP_PKEY_CTX_free(pctx); 88 return ret; 89 } 90 91 static int tls1_generate_key_block(SSL *s, unsigned char *km, int num) 92 { 93 int ret; 94 ret = tls1_PRF(s, 95 TLS_MD_KEY_EXPANSION_CONST, 96 TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random, 97 SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE, 98 NULL, 0, NULL, 0, s->session->master_key, 99 s->session->master_key_length, km, num); 100 101 return ret; 102 } 103 104 int tls1_change_cipher_state(SSL *s, int which) 105 { 106 unsigned char *p, *mac_secret; 107 unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 108 unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 109 unsigned char iv1[EVP_MAX_IV_LENGTH * 2]; 110 unsigned char iv2[EVP_MAX_IV_LENGTH * 2]; 111 unsigned char *ms, *key, *iv; 112 EVP_CIPHER_CTX *dd; 113 const EVP_CIPHER *c; 114 #ifndef OPENSSL_NO_COMP 115 const SSL_COMP *comp; 116 #endif 117 const EVP_MD *m; 118 int mac_type; 119 int *mac_secret_size; 120 EVP_MD_CTX *mac_ctx; 121 EVP_PKEY *mac_key; 122 int n, i, j, k, cl; 123 int reuse_dd = 0; 124 125 c = s->s3->tmp.new_sym_enc; 126 m = s->s3->tmp.new_hash; 127 mac_type = s->s3->tmp.new_mac_pkey_type; 128 #ifndef OPENSSL_NO_COMP 129 comp = s->s3->tmp.new_compression; 130 #endif 131 132 if (which & SSL3_CC_READ) { 133 if (s->tlsext_use_etm) 134 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 135 else 136 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 137 138 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 139 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 140 else 141 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 142 143 if (s->enc_read_ctx != NULL) 144 reuse_dd = 1; 145 else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) 146 goto err; 147 else 148 /* 149 * make sure it's initialised in case we exit later with an error 150 */ 151 EVP_CIPHER_CTX_reset(s->enc_read_ctx); 152 dd = s->enc_read_ctx; 153 mac_ctx = ssl_replace_hash(&s->read_hash, NULL); 154 if (mac_ctx == NULL) 155 goto err; 156 #ifndef OPENSSL_NO_COMP 157 COMP_CTX_free(s->expand); 158 s->expand = NULL; 159 if (comp != NULL) { 160 s->expand = COMP_CTX_new(comp->method); 161 if (s->expand == NULL) { 162 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, 163 SSL_R_COMPRESSION_LIBRARY_ERROR); 164 goto err2; 165 } 166 } 167 #endif 168 /* 169 * this is done by dtls1_reset_seq_numbers for DTLS 170 */ 171 if (!SSL_IS_DTLS(s)) 172 RECORD_LAYER_reset_read_sequence(&s->rlayer); 173 mac_secret = &(s->s3->read_mac_secret[0]); 174 mac_secret_size = &(s->s3->read_mac_secret_size); 175 } else { 176 if (s->tlsext_use_etm) 177 s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 178 else 179 s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 180 181 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 182 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 183 else 184 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 185 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) 186 reuse_dd = 1; 187 else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) 188 goto err; 189 dd = s->enc_write_ctx; 190 if (SSL_IS_DTLS(s)) { 191 mac_ctx = EVP_MD_CTX_new(); 192 if (mac_ctx == NULL) 193 goto err; 194 s->write_hash = mac_ctx; 195 } else { 196 mac_ctx = ssl_replace_hash(&s->write_hash, NULL); 197 if (mac_ctx == NULL) 198 goto err; 199 } 200 #ifndef OPENSSL_NO_COMP 201 COMP_CTX_free(s->compress); 202 s->compress = NULL; 203 if (comp != NULL) { 204 s->compress = COMP_CTX_new(comp->method); 205 if (s->compress == NULL) { 206 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, 207 SSL_R_COMPRESSION_LIBRARY_ERROR); 208 goto err2; 209 } 210 } 211 #endif 212 /* 213 * this is done by dtls1_reset_seq_numbers for DTLS 214 */ 215 if (!SSL_IS_DTLS(s)) 216 RECORD_LAYER_reset_write_sequence(&s->rlayer); 217 mac_secret = &(s->s3->write_mac_secret[0]); 218 mac_secret_size = &(s->s3->write_mac_secret_size); 219 } 220 221 if (reuse_dd) 222 EVP_CIPHER_CTX_reset(dd); 223 224 p = s->s3->tmp.key_block; 225 i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; 226 227 cl = EVP_CIPHER_key_length(c); 228 j = cl; 229 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 230 /* If GCM/CCM mode only part of IV comes from PRF */ 231 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 232 k = EVP_GCM_TLS_FIXED_IV_LEN; 233 else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) 234 k = EVP_CCM_TLS_FIXED_IV_LEN; 235 else 236 k = EVP_CIPHER_iv_length(c); 237 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 238 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 239 ms = &(p[0]); 240 n = i + i; 241 key = &(p[n]); 242 n += j + j; 243 iv = &(p[n]); 244 n += k + k; 245 } else { 246 n = i; 247 ms = &(p[n]); 248 n += i + j; 249 key = &(p[n]); 250 n += j + k; 251 iv = &(p[n]); 252 n += k; 253 } 254 255 if (n > s->s3->tmp.key_block_length) { 256 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 257 goto err2; 258 } 259 260 memcpy(mac_secret, ms, i); 261 262 if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { 263 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 264 mac_secret, *mac_secret_size); 265 if (mac_key == NULL 266 || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) { 267 EVP_PKEY_free(mac_key); 268 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 269 goto err2; 270 } 271 EVP_PKEY_free(mac_key); 272 } 273 #ifdef SSL_DEBUG 274 printf("which = %04X\nmac key=", which); 275 { 276 int z; 277 for (z = 0; z < i; z++) 278 printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n'); 279 } 280 #endif 281 282 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { 283 if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) 284 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv)) { 285 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 286 goto err2; 287 } 288 } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) { 289 int taglen; 290 if (s->s3->tmp. 291 new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 292 taglen = 8; 293 else 294 taglen = 16; 295 if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) 296 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) 297 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) 298 || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, k, iv) 299 || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { 300 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 301 goto err2; 302 } 303 } else { 304 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { 305 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 306 goto err2; 307 } 308 } 309 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 310 if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size 311 && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, 312 *mac_secret_size, mac_secret)) { 313 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 314 goto err2; 315 } 316 317 #ifdef SSL_DEBUG 318 printf("which = %04X\nkey=", which); 319 { 320 int z; 321 for (z = 0; z < EVP_CIPHER_key_length(c); z++) 322 printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n'); 323 } 324 printf("\niv="); 325 { 326 int z; 327 for (z = 0; z < k; z++) 328 printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n'); 329 } 330 printf("\n"); 331 #endif 332 333 OPENSSL_cleanse(tmp1, sizeof(tmp1)); 334 OPENSSL_cleanse(tmp2, sizeof(tmp1)); 335 OPENSSL_cleanse(iv1, sizeof(iv1)); 336 OPENSSL_cleanse(iv2, sizeof(iv2)); 337 return (1); 338 err: 339 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 340 err2: 341 OPENSSL_cleanse(tmp1, sizeof(tmp1)); 342 OPENSSL_cleanse(tmp2, sizeof(tmp1)); 343 OPENSSL_cleanse(iv1, sizeof(iv1)); 344 OPENSSL_cleanse(iv2, sizeof(iv2)); 345 return (0); 346 } 347 348 int tls1_setup_key_block(SSL *s) 349 { 350 unsigned char *p; 351 const EVP_CIPHER *c; 352 const EVP_MD *hash; 353 int num; 354 SSL_COMP *comp; 355 int mac_type = NID_undef, mac_secret_size = 0; 356 int ret = 0; 357 358 if (s->s3->tmp.key_block_length != 0) 359 return (1); 360 361 if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size, 362 &comp, s->tlsext_use_etm)) { 363 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 364 return (0); 365 } 366 367 s->s3->tmp.new_sym_enc = c; 368 s->s3->tmp.new_hash = hash; 369 s->s3->tmp.new_mac_pkey_type = mac_type; 370 s->s3->tmp.new_mac_secret_size = mac_secret_size; 371 num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); 372 num *= 2; 373 374 ssl3_cleanup_key_block(s); 375 376 if ((p = OPENSSL_malloc(num)) == NULL) { 377 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 378 goto err; 379 } 380 381 s->s3->tmp.key_block_length = num; 382 s->s3->tmp.key_block = p; 383 384 #ifdef SSL_DEBUG 385 printf("client random\n"); 386 { 387 int z; 388 for (z = 0; z < SSL3_RANDOM_SIZE; z++) 389 printf("%02X%c", s->s3->client_random[z], 390 ((z + 1) % 16) ? ' ' : '\n'); 391 } 392 printf("server random\n"); 393 { 394 int z; 395 for (z = 0; z < SSL3_RANDOM_SIZE; z++) 396 printf("%02X%c", s->s3->server_random[z], 397 ((z + 1) % 16) ? ' ' : '\n'); 398 } 399 printf("master key\n"); 400 { 401 int z; 402 for (z = 0; z < s->session->master_key_length; z++) 403 printf("%02X%c", s->session->master_key[z], 404 ((z + 1) % 16) ? ' ' : '\n'); 405 } 406 #endif 407 if (!tls1_generate_key_block(s, p, num)) 408 goto err; 409 #ifdef SSL_DEBUG 410 printf("\nkey block\n"); 411 { 412 int z; 413 for (z = 0; z < num; z++) 414 printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n'); 415 } 416 #endif 417 418 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 419 && s->method->version <= TLS1_VERSION) { 420 /* 421 * enable vulnerability countermeasure for CBC ciphers with known-IV 422 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 423 */ 424 s->s3->need_empty_fragments = 1; 425 426 if (s->session->cipher != NULL) { 427 if (s->session->cipher->algorithm_enc == SSL_eNULL) 428 s->s3->need_empty_fragments = 0; 429 430 #ifndef OPENSSL_NO_RC4 431 if (s->session->cipher->algorithm_enc == SSL_RC4) 432 s->s3->need_empty_fragments = 0; 433 #endif 434 } 435 } 436 437 ret = 1; 438 err: 439 return (ret); 440 } 441 442 int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out) 443 { 444 int hashlen; 445 unsigned char hash[EVP_MAX_MD_SIZE]; 446 447 if (!ssl3_digest_cached_records(s, 0)) 448 return 0; 449 450 hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); 451 452 if (hashlen == 0) 453 return 0; 454 455 if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, 456 s->session->master_key, s->session->master_key_length, 457 out, TLS1_FINISH_MAC_LENGTH)) 458 return 0; 459 OPENSSL_cleanse(hash, hashlen); 460 return TLS1_FINISH_MAC_LENGTH; 461 } 462 463 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 464 int len) 465 { 466 if (s->session->flags & SSL_SESS_FLAG_EXTMS) { 467 unsigned char hash[EVP_MAX_MD_SIZE * 2]; 468 int hashlen; 469 /* 470 * Digest cached records keeping record buffer (if present): this wont 471 * affect client auth because we're freezing the buffer at the same 472 * point (after client key exchange and before certificate verify) 473 */ 474 if (!ssl3_digest_cached_records(s, 1)) 475 return -1; 476 hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); 477 #ifdef SSL_DEBUG 478 fprintf(stderr, "Handshake hashes:\n"); 479 BIO_dump_fp(stderr, (char *)hash, hashlen); 480 #endif 481 tls1_PRF(s, 482 TLS_MD_EXTENDED_MASTER_SECRET_CONST, 483 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, 484 hash, hashlen, 485 NULL, 0, 486 NULL, 0, 487 NULL, 0, p, len, s->session->master_key, 488 SSL3_MASTER_SECRET_SIZE); 489 OPENSSL_cleanse(hash, hashlen); 490 } else { 491 tls1_PRF(s, 492 TLS_MD_MASTER_SECRET_CONST, 493 TLS_MD_MASTER_SECRET_CONST_SIZE, 494 s->s3->client_random, SSL3_RANDOM_SIZE, 495 NULL, 0, 496 s->s3->server_random, SSL3_RANDOM_SIZE, 497 NULL, 0, p, len, s->session->master_key, 498 SSL3_MASTER_SECRET_SIZE); 499 } 500 #ifdef SSL_DEBUG 501 fprintf(stderr, "Premaster Secret:\n"); 502 BIO_dump_fp(stderr, (char *)p, len); 503 fprintf(stderr, "Client Random:\n"); 504 BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE); 505 fprintf(stderr, "Server Random:\n"); 506 BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE); 507 fprintf(stderr, "Master Secret:\n"); 508 BIO_dump_fp(stderr, (char *)s->session->master_key, 509 SSL3_MASTER_SECRET_SIZE); 510 #endif 511 512 return (SSL3_MASTER_SECRET_SIZE); 513 } 514 515 int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 516 const char *label, size_t llen, 517 const unsigned char *context, 518 size_t contextlen, int use_context) 519 { 520 unsigned char *val = NULL; 521 size_t vallen = 0, currentvalpos; 522 int rv; 523 524 /* 525 * construct PRF arguments we construct the PRF argument ourself rather 526 * than passing separate values into the TLS PRF to ensure that the 527 * concatenation of values does not create a prohibited label. 528 */ 529 vallen = llen + SSL3_RANDOM_SIZE * 2; 530 if (use_context) { 531 vallen += 2 + contextlen; 532 } 533 534 val = OPENSSL_malloc(vallen); 535 if (val == NULL) 536 goto err2; 537 currentvalpos = 0; 538 memcpy(val + currentvalpos, (unsigned char *)label, llen); 539 currentvalpos += llen; 540 memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); 541 currentvalpos += SSL3_RANDOM_SIZE; 542 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); 543 currentvalpos += SSL3_RANDOM_SIZE; 544 545 if (use_context) { 546 val[currentvalpos] = (contextlen >> 8) & 0xff; 547 currentvalpos++; 548 val[currentvalpos] = contextlen & 0xff; 549 currentvalpos++; 550 if ((contextlen > 0) || (context != NULL)) { 551 memcpy(val + currentvalpos, context, contextlen); 552 } 553 } 554 555 /* 556 * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited 557 * label len) = 15, so size of val > max(prohibited label len) = 15 and 558 * the comparisons won't have buffer overflow 559 */ 560 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 561 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 562 goto err1; 563 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 564 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 565 goto err1; 566 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 567 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 568 goto err1; 569 if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, 570 TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0) 571 goto err1; 572 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 573 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 574 goto err1; 575 576 rv = tls1_PRF(s, 577 val, vallen, 578 NULL, 0, 579 NULL, 0, 580 NULL, 0, 581 NULL, 0, 582 s->session->master_key, s->session->master_key_length, 583 out, olen); 584 585 goto ret; 586 err1: 587 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 588 rv = 0; 589 goto ret; 590 err2: 591 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); 592 rv = 0; 593 ret: 594 OPENSSL_clear_free(val, vallen); 595 return (rv); 596 } 597 598 int tls1_alert_code(int code) 599 { 600 switch (code) { 601 case SSL_AD_CLOSE_NOTIFY: 602 return (SSL3_AD_CLOSE_NOTIFY); 603 case SSL_AD_UNEXPECTED_MESSAGE: 604 return (SSL3_AD_UNEXPECTED_MESSAGE); 605 case SSL_AD_BAD_RECORD_MAC: 606 return (SSL3_AD_BAD_RECORD_MAC); 607 case SSL_AD_DECRYPTION_FAILED: 608 return (TLS1_AD_DECRYPTION_FAILED); 609 case SSL_AD_RECORD_OVERFLOW: 610 return (TLS1_AD_RECORD_OVERFLOW); 611 case SSL_AD_DECOMPRESSION_FAILURE: 612 return (SSL3_AD_DECOMPRESSION_FAILURE); 613 case SSL_AD_HANDSHAKE_FAILURE: 614 return (SSL3_AD_HANDSHAKE_FAILURE); 615 case SSL_AD_NO_CERTIFICATE: 616 return (-1); 617 case SSL_AD_BAD_CERTIFICATE: 618 return (SSL3_AD_BAD_CERTIFICATE); 619 case SSL_AD_UNSUPPORTED_CERTIFICATE: 620 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 621 case SSL_AD_CERTIFICATE_REVOKED: 622 return (SSL3_AD_CERTIFICATE_REVOKED); 623 case SSL_AD_CERTIFICATE_EXPIRED: 624 return (SSL3_AD_CERTIFICATE_EXPIRED); 625 case SSL_AD_CERTIFICATE_UNKNOWN: 626 return (SSL3_AD_CERTIFICATE_UNKNOWN); 627 case SSL_AD_ILLEGAL_PARAMETER: 628 return (SSL3_AD_ILLEGAL_PARAMETER); 629 case SSL_AD_UNKNOWN_CA: 630 return (TLS1_AD_UNKNOWN_CA); 631 case SSL_AD_ACCESS_DENIED: 632 return (TLS1_AD_ACCESS_DENIED); 633 case SSL_AD_DECODE_ERROR: 634 return (TLS1_AD_DECODE_ERROR); 635 case SSL_AD_DECRYPT_ERROR: 636 return (TLS1_AD_DECRYPT_ERROR); 637 case SSL_AD_EXPORT_RESTRICTION: 638 return (TLS1_AD_EXPORT_RESTRICTION); 639 case SSL_AD_PROTOCOL_VERSION: 640 return (TLS1_AD_PROTOCOL_VERSION); 641 case SSL_AD_INSUFFICIENT_SECURITY: 642 return (TLS1_AD_INSUFFICIENT_SECURITY); 643 case SSL_AD_INTERNAL_ERROR: 644 return (TLS1_AD_INTERNAL_ERROR); 645 case SSL_AD_USER_CANCELLED: 646 return (TLS1_AD_USER_CANCELLED); 647 case SSL_AD_NO_RENEGOTIATION: 648 return (TLS1_AD_NO_RENEGOTIATION); 649 case SSL_AD_UNSUPPORTED_EXTENSION: 650 return (TLS1_AD_UNSUPPORTED_EXTENSION); 651 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 652 return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); 653 case SSL_AD_UNRECOGNIZED_NAME: 654 return (TLS1_AD_UNRECOGNIZED_NAME); 655 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 656 return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); 657 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 658 return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); 659 case SSL_AD_UNKNOWN_PSK_IDENTITY: 660 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 661 case SSL_AD_INAPPROPRIATE_FALLBACK: 662 return (TLS1_AD_INAPPROPRIATE_FALLBACK); 663 case SSL_AD_NO_APPLICATION_PROTOCOL: 664 return (TLS1_AD_NO_APPLICATION_PROTOCOL); 665 default: 666 return (-1); 667 } 668 } 669