[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | /* ====================================================================
|
---|
| 11 | * Copyright 2005 Nokia. All rights reserved.
|
---|
| 12 | *
|
---|
| 13 | * The portions of the attached software ("Contribution") is developed by
|
---|
| 14 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source
|
---|
| 15 | * license.
|
---|
| 16 | *
|
---|
| 17 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of
|
---|
| 18 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
|
---|
| 19 | * support (see RFC 4279) to OpenSSL.
|
---|
| 20 | *
|
---|
| 21 | * No patent licenses or other rights except those expressly stated in
|
---|
| 22 | * the OpenSSL open source license shall be deemed granted or received
|
---|
| 23 | * expressly, by implication, estoppel, or otherwise.
|
---|
| 24 | *
|
---|
| 25 | * No assurances are provided by Nokia that the Contribution does not
|
---|
| 26 | * infringe the patent or other intellectual property rights of any third
|
---|
| 27 | * party or that the license provides you with all the necessary rights
|
---|
| 28 | * to make use of the Contribution.
|
---|
| 29 | *
|
---|
| 30 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
|
---|
| 31 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
|
---|
| 32 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
|
---|
| 33 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
|
---|
| 34 | * OTHERWISE.
|
---|
| 35 | */
|
---|
| 36 |
|
---|
| 37 | #include <stdio.h>
|
---|
| 38 | #include "ssl_locl.h"
|
---|
| 39 | #include <openssl/comp.h>
|
---|
| 40 | #include <openssl/evp.h>
|
---|
| 41 | #include <openssl/kdf.h>
|
---|
| 42 | #include <openssl/rand.h>
|
---|
| 43 |
|
---|
| 44 | /* seed1 through seed5 are concatenated */
|
---|
| 45 | static int tls1_PRF(SSL *s,
|
---|
| 46 | const void *seed1, int seed1_len,
|
---|
| 47 | const void *seed2, int seed2_len,
|
---|
| 48 | const void *seed3, int seed3_len,
|
---|
| 49 | const void *seed4, int seed4_len,
|
---|
| 50 | const void *seed5, int seed5_len,
|
---|
| 51 | const unsigned char *sec, int slen,
|
---|
| 52 | unsigned char *out, int olen)
|
---|
| 53 | {
|
---|
| 54 | const EVP_MD *md = ssl_prf_md(s);
|
---|
| 55 | EVP_PKEY_CTX *pctx = NULL;
|
---|
| 56 |
|
---|
| 57 | int ret = 0;
|
---|
| 58 | size_t outlen = olen;
|
---|
| 59 |
|
---|
| 60 | if (md == NULL) {
|
---|
| 61 | /* Should never happen */
|
---|
| 62 | SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR);
|
---|
| 63 | return 0;
|
---|
| 64 | }
|
---|
| 65 | pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
|
---|
| 66 | if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0
|
---|
| 67 | || EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0
|
---|
| 68 | || EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, slen) <= 0)
|
---|
| 69 | goto err;
|
---|
| 70 |
|
---|
| 71 | if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len) <= 0)
|
---|
| 72 | goto err;
|
---|
| 73 | if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len) <= 0)
|
---|
| 74 | goto err;
|
---|
| 75 | if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len) <= 0)
|
---|
| 76 | goto err;
|
---|
| 77 | if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, seed4_len) <= 0)
|
---|
| 78 | goto err;
|
---|
| 79 | if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, seed5_len) <= 0)
|
---|
| 80 | goto err;
|
---|
| 81 |
|
---|
| 82 | if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
|
---|
| 83 | goto err;
|
---|
| 84 | ret = 1;
|
---|
| 85 |
|
---|
| 86 | err:
|
---|
| 87 | EVP_PKEY_CTX_free(pctx);
|
---|
| 88 | return ret;
|
---|
| 89 | }
|
---|
| 90 |
|
---|
| 91 | static int tls1_generate_key_block(SSL *s, unsigned char *km, int num)
|
---|
| 92 | {
|
---|
| 93 | int ret;
|
---|
| 94 | ret = tls1_PRF(s,
|
---|
| 95 | TLS_MD_KEY_EXPANSION_CONST,
|
---|
| 96 | TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random,
|
---|
| 97 | SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE,
|
---|
| 98 | NULL, 0, NULL, 0, s->session->master_key,
|
---|
| 99 | s->session->master_key_length, km, num);
|
---|
| 100 |
|
---|
| 101 | return ret;
|
---|
| 102 | }
|
---|
| 103 |
|
---|
| 104 | int tls1_change_cipher_state(SSL *s, int which)
|
---|
| 105 | {
|
---|
| 106 | unsigned char *p, *mac_secret;
|
---|
| 107 | unsigned char tmp1[EVP_MAX_KEY_LENGTH];
|
---|
| 108 | unsigned char tmp2[EVP_MAX_KEY_LENGTH];
|
---|
| 109 | unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
|
---|
| 110 | unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
|
---|
| 111 | unsigned char *ms, *key, *iv;
|
---|
| 112 | EVP_CIPHER_CTX *dd;
|
---|
| 113 | const EVP_CIPHER *c;
|
---|
| 114 | #ifndef OPENSSL_NO_COMP
|
---|
| 115 | const SSL_COMP *comp;
|
---|
| 116 | #endif
|
---|
| 117 | const EVP_MD *m;
|
---|
| 118 | int mac_type;
|
---|
| 119 | int *mac_secret_size;
|
---|
| 120 | EVP_MD_CTX *mac_ctx;
|
---|
| 121 | EVP_PKEY *mac_key;
|
---|
| 122 | int n, i, j, k, cl;
|
---|
| 123 | int reuse_dd = 0;
|
---|
| 124 |
|
---|
| 125 | c = s->s3->tmp.new_sym_enc;
|
---|
| 126 | m = s->s3->tmp.new_hash;
|
---|
| 127 | mac_type = s->s3->tmp.new_mac_pkey_type;
|
---|
| 128 | #ifndef OPENSSL_NO_COMP
|
---|
| 129 | comp = s->s3->tmp.new_compression;
|
---|
| 130 | #endif
|
---|
| 131 |
|
---|
| 132 | if (which & SSL3_CC_READ) {
|
---|
| 133 | if (s->tlsext_use_etm)
|
---|
| 134 | s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
|
---|
| 135 | else
|
---|
| 136 | s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
|
---|
| 137 |
|
---|
| 138 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
|
---|
| 139 | s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
|
---|
| 140 | else
|
---|
| 141 | s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
|
---|
| 142 |
|
---|
| 143 | if (s->enc_read_ctx != NULL)
|
---|
| 144 | reuse_dd = 1;
|
---|
| 145 | else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL)
|
---|
| 146 | goto err;
|
---|
| 147 | else
|
---|
| 148 | /*
|
---|
| 149 | * make sure it's initialised in case we exit later with an error
|
---|
| 150 | */
|
---|
| 151 | EVP_CIPHER_CTX_reset(s->enc_read_ctx);
|
---|
| 152 | dd = s->enc_read_ctx;
|
---|
| 153 | mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
|
---|
| 154 | if (mac_ctx == NULL)
|
---|
| 155 | goto err;
|
---|
| 156 | #ifndef OPENSSL_NO_COMP
|
---|
| 157 | COMP_CTX_free(s->expand);
|
---|
| 158 | s->expand = NULL;
|
---|
| 159 | if (comp != NULL) {
|
---|
| 160 | s->expand = COMP_CTX_new(comp->method);
|
---|
| 161 | if (s->expand == NULL) {
|
---|
| 162 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
|
---|
| 163 | SSL_R_COMPRESSION_LIBRARY_ERROR);
|
---|
| 164 | goto err2;
|
---|
| 165 | }
|
---|
| 166 | }
|
---|
| 167 | #endif
|
---|
| 168 | /*
|
---|
| 169 | * this is done by dtls1_reset_seq_numbers for DTLS
|
---|
| 170 | */
|
---|
| 171 | if (!SSL_IS_DTLS(s))
|
---|
| 172 | RECORD_LAYER_reset_read_sequence(&s->rlayer);
|
---|
| 173 | mac_secret = &(s->s3->read_mac_secret[0]);
|
---|
| 174 | mac_secret_size = &(s->s3->read_mac_secret_size);
|
---|
| 175 | } else {
|
---|
| 176 | if (s->tlsext_use_etm)
|
---|
| 177 | s->s3->flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
|
---|
| 178 | else
|
---|
| 179 | s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
|
---|
| 180 |
|
---|
| 181 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
|
---|
| 182 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
|
---|
| 183 | else
|
---|
| 184 | s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
|
---|
| 185 | if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
|
---|
| 186 | reuse_dd = 1;
|
---|
| 187 | else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL)
|
---|
| 188 | goto err;
|
---|
| 189 | dd = s->enc_write_ctx;
|
---|
| 190 | if (SSL_IS_DTLS(s)) {
|
---|
| 191 | mac_ctx = EVP_MD_CTX_new();
|
---|
| 192 | if (mac_ctx == NULL)
|
---|
| 193 | goto err;
|
---|
| 194 | s->write_hash = mac_ctx;
|
---|
| 195 | } else {
|
---|
| 196 | mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
|
---|
| 197 | if (mac_ctx == NULL)
|
---|
| 198 | goto err;
|
---|
| 199 | }
|
---|
| 200 | #ifndef OPENSSL_NO_COMP
|
---|
| 201 | COMP_CTX_free(s->compress);
|
---|
| 202 | s->compress = NULL;
|
---|
| 203 | if (comp != NULL) {
|
---|
| 204 | s->compress = COMP_CTX_new(comp->method);
|
---|
| 205 | if (s->compress == NULL) {
|
---|
| 206 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
|
---|
| 207 | SSL_R_COMPRESSION_LIBRARY_ERROR);
|
---|
| 208 | goto err2;
|
---|
| 209 | }
|
---|
| 210 | }
|
---|
| 211 | #endif
|
---|
| 212 | /*
|
---|
| 213 | * this is done by dtls1_reset_seq_numbers for DTLS
|
---|
| 214 | */
|
---|
| 215 | if (!SSL_IS_DTLS(s))
|
---|
| 216 | RECORD_LAYER_reset_write_sequence(&s->rlayer);
|
---|
| 217 | mac_secret = &(s->s3->write_mac_secret[0]);
|
---|
| 218 | mac_secret_size = &(s->s3->write_mac_secret_size);
|
---|
| 219 | }
|
---|
| 220 |
|
---|
| 221 | if (reuse_dd)
|
---|
| 222 | EVP_CIPHER_CTX_reset(dd);
|
---|
| 223 |
|
---|
| 224 | p = s->s3->tmp.key_block;
|
---|
| 225 | i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;
|
---|
| 226 |
|
---|
| 227 | cl = EVP_CIPHER_key_length(c);
|
---|
| 228 | j = cl;
|
---|
| 229 | /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
|
---|
| 230 | /* If GCM/CCM mode only part of IV comes from PRF */
|
---|
| 231 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
|
---|
| 232 | k = EVP_GCM_TLS_FIXED_IV_LEN;
|
---|
| 233 | else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
|
---|
| 234 | k = EVP_CCM_TLS_FIXED_IV_LEN;
|
---|
| 235 | else
|
---|
| 236 | k = EVP_CIPHER_iv_length(c);
|
---|
| 237 | if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
|
---|
| 238 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
|
---|
| 239 | ms = &(p[0]);
|
---|
| 240 | n = i + i;
|
---|
| 241 | key = &(p[n]);
|
---|
| 242 | n += j + j;
|
---|
| 243 | iv = &(p[n]);
|
---|
| 244 | n += k + k;
|
---|
| 245 | } else {
|
---|
| 246 | n = i;
|
---|
| 247 | ms = &(p[n]);
|
---|
| 248 | n += i + j;
|
---|
| 249 | key = &(p[n]);
|
---|
| 250 | n += j + k;
|
---|
| 251 | iv = &(p[n]);
|
---|
| 252 | n += k;
|
---|
| 253 | }
|
---|
| 254 |
|
---|
| 255 | if (n > s->s3->tmp.key_block_length) {
|
---|
| 256 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
| 257 | goto err2;
|
---|
| 258 | }
|
---|
| 259 |
|
---|
| 260 | memcpy(mac_secret, ms, i);
|
---|
| 261 |
|
---|
| 262 | if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
|
---|
| 263 | mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
|
---|
| 264 | mac_secret, *mac_secret_size);
|
---|
| 265 | if (mac_key == NULL
|
---|
| 266 | || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
|
---|
| 267 | EVP_PKEY_free(mac_key);
|
---|
| 268 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
| 269 | goto err2;
|
---|
| 270 | }
|
---|
| 271 | EVP_PKEY_free(mac_key);
|
---|
| 272 | }
|
---|
| 273 | #ifdef SSL_DEBUG
|
---|
| 274 | printf("which = %04X\nmac key=", which);
|
---|
| 275 | {
|
---|
| 276 | int z;
|
---|
| 277 | for (z = 0; z < i; z++)
|
---|
| 278 | printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 279 | }
|
---|
| 280 | #endif
|
---|
| 281 |
|
---|
| 282 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
|
---|
| 283 | if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))
|
---|
| 284 | || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv)) {
|
---|
| 285 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
| 286 | goto err2;
|
---|
| 287 | }
|
---|
| 288 | } else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
|
---|
| 289 | int taglen;
|
---|
| 290 | if (s->s3->tmp.
|
---|
| 291 | new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8))
|
---|
| 292 | taglen = 8;
|
---|
| 293 | else
|
---|
| 294 | taglen = 16;
|
---|
| 295 | if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
|
---|
| 296 | || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
|
---|
| 297 | || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
|
---|
| 298 | || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, k, iv)
|
---|
| 299 | || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
|
---|
| 300 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
| 301 | goto err2;
|
---|
| 302 | }
|
---|
| 303 | } else {
|
---|
| 304 | if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
|
---|
| 305 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
| 306 | goto err2;
|
---|
| 307 | }
|
---|
| 308 | }
|
---|
| 309 | /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
|
---|
| 310 | if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
|
---|
| 311 | && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
|
---|
| 312 | *mac_secret_size, mac_secret)) {
|
---|
| 313 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
|
---|
| 314 | goto err2;
|
---|
| 315 | }
|
---|
| 316 | #ifdef OPENSSL_SSL_TRACE_CRYPTO
|
---|
| 317 | if (s->msg_callback) {
|
---|
| 318 | int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : 0;
|
---|
| 319 | if (*mac_secret_size)
|
---|
| 320 | s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
|
---|
| 321 | mac_secret, *mac_secret_size,
|
---|
| 322 | s, s->msg_callback_arg);
|
---|
| 323 | if (c->key_len)
|
---|
| 324 | s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
|
---|
| 325 | key, c->key_len, s, s->msg_callback_arg);
|
---|
| 326 | if (k) {
|
---|
| 327 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
|
---|
| 328 | wh |= TLS1_RT_CRYPTO_FIXED_IV;
|
---|
| 329 | else
|
---|
| 330 | wh |= TLS1_RT_CRYPTO_IV;
|
---|
| 331 | s->msg_callback(2, s->version, wh, iv, k, s, s->msg_callback_arg);
|
---|
| 332 | }
|
---|
| 333 | }
|
---|
| 334 | #endif
|
---|
| 335 |
|
---|
| 336 | #ifdef SSL_DEBUG
|
---|
| 337 | printf("which = %04X\nkey=", which);
|
---|
| 338 | {
|
---|
| 339 | int z;
|
---|
| 340 | for (z = 0; z < EVP_CIPHER_key_length(c); z++)
|
---|
| 341 | printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 342 | }
|
---|
| 343 | printf("\niv=");
|
---|
| 344 | {
|
---|
| 345 | int z;
|
---|
| 346 | for (z = 0; z < k; z++)
|
---|
| 347 | printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 348 | }
|
---|
| 349 | printf("\n");
|
---|
| 350 | #endif
|
---|
| 351 |
|
---|
| 352 | OPENSSL_cleanse(tmp1, sizeof(tmp1));
|
---|
| 353 | OPENSSL_cleanse(tmp2, sizeof(tmp1));
|
---|
| 354 | OPENSSL_cleanse(iv1, sizeof(iv1));
|
---|
| 355 | OPENSSL_cleanse(iv2, sizeof(iv2));
|
---|
| 356 | return (1);
|
---|
| 357 | err:
|
---|
| 358 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
|
---|
| 359 | err2:
|
---|
| 360 | OPENSSL_cleanse(tmp1, sizeof(tmp1));
|
---|
| 361 | OPENSSL_cleanse(tmp2, sizeof(tmp1));
|
---|
| 362 | OPENSSL_cleanse(iv1, sizeof(iv1));
|
---|
| 363 | OPENSSL_cleanse(iv2, sizeof(iv2));
|
---|
| 364 | return (0);
|
---|
| 365 | }
|
---|
| 366 |
|
---|
| 367 | int tls1_setup_key_block(SSL *s)
|
---|
| 368 | {
|
---|
| 369 | unsigned char *p;
|
---|
| 370 | const EVP_CIPHER *c;
|
---|
| 371 | const EVP_MD *hash;
|
---|
| 372 | int num;
|
---|
| 373 | SSL_COMP *comp;
|
---|
| 374 | int mac_type = NID_undef, mac_secret_size = 0;
|
---|
| 375 | int ret = 0;
|
---|
| 376 |
|
---|
| 377 | if (s->s3->tmp.key_block_length != 0)
|
---|
| 378 | return (1);
|
---|
| 379 |
|
---|
| 380 | if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
|
---|
| 381 | &comp, s->tlsext_use_etm)) {
|
---|
| 382 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
|
---|
| 383 | return (0);
|
---|
| 384 | }
|
---|
| 385 |
|
---|
| 386 | s->s3->tmp.new_sym_enc = c;
|
---|
| 387 | s->s3->tmp.new_hash = hash;
|
---|
| 388 | s->s3->tmp.new_mac_pkey_type = mac_type;
|
---|
| 389 | s->s3->tmp.new_mac_secret_size = mac_secret_size;
|
---|
| 390 | num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
|
---|
| 391 | num *= 2;
|
---|
| 392 |
|
---|
| 393 | ssl3_cleanup_key_block(s);
|
---|
| 394 |
|
---|
| 395 | if ((p = OPENSSL_malloc(num)) == NULL) {
|
---|
| 396 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
|
---|
| 397 | goto err;
|
---|
| 398 | }
|
---|
| 399 |
|
---|
| 400 | s->s3->tmp.key_block_length = num;
|
---|
| 401 | s->s3->tmp.key_block = p;
|
---|
| 402 |
|
---|
| 403 | #ifdef SSL_DEBUG
|
---|
| 404 | printf("client random\n");
|
---|
| 405 | {
|
---|
| 406 | int z;
|
---|
| 407 | for (z = 0; z < SSL3_RANDOM_SIZE; z++)
|
---|
| 408 | printf("%02X%c", s->s3->client_random[z],
|
---|
| 409 | ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 410 | }
|
---|
| 411 | printf("server random\n");
|
---|
| 412 | {
|
---|
| 413 | int z;
|
---|
| 414 | for (z = 0; z < SSL3_RANDOM_SIZE; z++)
|
---|
| 415 | printf("%02X%c", s->s3->server_random[z],
|
---|
| 416 | ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 417 | }
|
---|
| 418 | printf("master key\n");
|
---|
| 419 | {
|
---|
| 420 | int z;
|
---|
| 421 | for (z = 0; z < s->session->master_key_length; z++)
|
---|
| 422 | printf("%02X%c", s->session->master_key[z],
|
---|
| 423 | ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 424 | }
|
---|
| 425 | #endif
|
---|
| 426 | if (!tls1_generate_key_block(s, p, num))
|
---|
| 427 | goto err;
|
---|
| 428 | #ifdef SSL_DEBUG
|
---|
| 429 | printf("\nkey block\n");
|
---|
| 430 | {
|
---|
| 431 | int z;
|
---|
| 432 | for (z = 0; z < num; z++)
|
---|
| 433 | printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n');
|
---|
| 434 | }
|
---|
| 435 | #endif
|
---|
| 436 |
|
---|
| 437 | if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
|
---|
| 438 | && s->method->version <= TLS1_VERSION) {
|
---|
| 439 | /*
|
---|
| 440 | * enable vulnerability countermeasure for CBC ciphers with known-IV
|
---|
| 441 | * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
|
---|
| 442 | */
|
---|
| 443 | s->s3->need_empty_fragments = 1;
|
---|
| 444 |
|
---|
| 445 | if (s->session->cipher != NULL) {
|
---|
| 446 | if (s->session->cipher->algorithm_enc == SSL_eNULL)
|
---|
| 447 | s->s3->need_empty_fragments = 0;
|
---|
| 448 |
|
---|
| 449 | #ifndef OPENSSL_NO_RC4
|
---|
| 450 | if (s->session->cipher->algorithm_enc == SSL_RC4)
|
---|
| 451 | s->s3->need_empty_fragments = 0;
|
---|
| 452 | #endif
|
---|
| 453 | }
|
---|
| 454 | }
|
---|
| 455 |
|
---|
| 456 | ret = 1;
|
---|
| 457 | err:
|
---|
| 458 | return (ret);
|
---|
| 459 | }
|
---|
| 460 |
|
---|
| 461 | int tls1_final_finish_mac(SSL *s, const char *str, int slen, unsigned char *out)
|
---|
| 462 | {
|
---|
| 463 | int hashlen;
|
---|
| 464 | unsigned char hash[EVP_MAX_MD_SIZE];
|
---|
| 465 |
|
---|
| 466 | if (!ssl3_digest_cached_records(s, 0))
|
---|
| 467 | return 0;
|
---|
| 468 |
|
---|
| 469 | hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
|
---|
| 470 |
|
---|
| 471 | if (hashlen == 0)
|
---|
| 472 | return 0;
|
---|
| 473 |
|
---|
| 474 | if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
|
---|
| 475 | s->session->master_key, s->session->master_key_length,
|
---|
| 476 | out, TLS1_FINISH_MAC_LENGTH))
|
---|
| 477 | return 0;
|
---|
| 478 | OPENSSL_cleanse(hash, hashlen);
|
---|
| 479 | return TLS1_FINISH_MAC_LENGTH;
|
---|
| 480 | }
|
---|
| 481 |
|
---|
| 482 | int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
|
---|
| 483 | int len)
|
---|
| 484 | {
|
---|
| 485 | if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
|
---|
| 486 | unsigned char hash[EVP_MAX_MD_SIZE * 2];
|
---|
| 487 | int hashlen;
|
---|
| 488 | /*
|
---|
| 489 | * Digest cached records keeping record buffer (if present): this wont
|
---|
| 490 | * affect client auth because we're freezing the buffer at the same
|
---|
| 491 | * point (after client key exchange and before certificate verify)
|
---|
| 492 | */
|
---|
| 493 | if (!ssl3_digest_cached_records(s, 1))
|
---|
| 494 | return -1;
|
---|
| 495 | hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
|
---|
| 496 | #ifdef SSL_DEBUG
|
---|
| 497 | fprintf(stderr, "Handshake hashes:\n");
|
---|
| 498 | BIO_dump_fp(stderr, (char *)hash, hashlen);
|
---|
| 499 | #endif
|
---|
| 500 | tls1_PRF(s,
|
---|
| 501 | TLS_MD_EXTENDED_MASTER_SECRET_CONST,
|
---|
| 502 | TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,
|
---|
| 503 | hash, hashlen,
|
---|
| 504 | NULL, 0,
|
---|
| 505 | NULL, 0,
|
---|
| 506 | NULL, 0, p, len, s->session->master_key,
|
---|
| 507 | SSL3_MASTER_SECRET_SIZE);
|
---|
| 508 | OPENSSL_cleanse(hash, hashlen);
|
---|
| 509 | } else {
|
---|
| 510 | tls1_PRF(s,
|
---|
| 511 | TLS_MD_MASTER_SECRET_CONST,
|
---|
| 512 | TLS_MD_MASTER_SECRET_CONST_SIZE,
|
---|
| 513 | s->s3->client_random, SSL3_RANDOM_SIZE,
|
---|
| 514 | NULL, 0,
|
---|
| 515 | s->s3->server_random, SSL3_RANDOM_SIZE,
|
---|
| 516 | NULL, 0, p, len, s->session->master_key,
|
---|
| 517 | SSL3_MASTER_SECRET_SIZE);
|
---|
| 518 | }
|
---|
| 519 | #ifdef SSL_DEBUG
|
---|
| 520 | fprintf(stderr, "Premaster Secret:\n");
|
---|
| 521 | BIO_dump_fp(stderr, (char *)p, len);
|
---|
| 522 | fprintf(stderr, "Client Random:\n");
|
---|
| 523 | BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE);
|
---|
| 524 | fprintf(stderr, "Server Random:\n");
|
---|
| 525 | BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE);
|
---|
| 526 | fprintf(stderr, "Master Secret:\n");
|
---|
| 527 | BIO_dump_fp(stderr, (char *)s->session->master_key,
|
---|
| 528 | SSL3_MASTER_SECRET_SIZE);
|
---|
| 529 | #endif
|
---|
| 530 |
|
---|
| 531 | #ifdef OPENSSL_SSL_TRACE_CRYPTO
|
---|
| 532 | if (s->msg_callback) {
|
---|
| 533 | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
|
---|
| 534 | p, len, s, s->msg_callback_arg);
|
---|
| 535 | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
|
---|
| 536 | s->s3->client_random, SSL3_RANDOM_SIZE,
|
---|
| 537 | s, s->msg_callback_arg);
|
---|
| 538 | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
|
---|
| 539 | s->s3->server_random, SSL3_RANDOM_SIZE,
|
---|
| 540 | s, s->msg_callback_arg);
|
---|
| 541 | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
|
---|
| 542 | s->session->master_key,
|
---|
| 543 | SSL3_MASTER_SECRET_SIZE, s, s->msg_callback_arg);
|
---|
| 544 | }
|
---|
| 545 | #endif
|
---|
| 546 |
|
---|
| 547 | return (SSL3_MASTER_SECRET_SIZE);
|
---|
| 548 | }
|
---|
| 549 |
|
---|
| 550 | int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
|
---|
| 551 | const char *label, size_t llen,
|
---|
| 552 | const unsigned char *context,
|
---|
| 553 | size_t contextlen, int use_context)
|
---|
| 554 | {
|
---|
| 555 | unsigned char *val = NULL;
|
---|
| 556 | size_t vallen = 0, currentvalpos;
|
---|
| 557 | int rv;
|
---|
| 558 |
|
---|
| 559 | /*
|
---|
| 560 | * construct PRF arguments we construct the PRF argument ourself rather
|
---|
| 561 | * than passing separate values into the TLS PRF to ensure that the
|
---|
| 562 | * concatenation of values does not create a prohibited label.
|
---|
| 563 | */
|
---|
| 564 | vallen = llen + SSL3_RANDOM_SIZE * 2;
|
---|
| 565 | if (use_context) {
|
---|
| 566 | vallen += 2 + contextlen;
|
---|
| 567 | }
|
---|
| 568 |
|
---|
| 569 | val = OPENSSL_malloc(vallen);
|
---|
| 570 | if (val == NULL)
|
---|
| 571 | goto err2;
|
---|
| 572 | currentvalpos = 0;
|
---|
| 573 | memcpy(val + currentvalpos, (unsigned char *)label, llen);
|
---|
| 574 | currentvalpos += llen;
|
---|
| 575 | memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
|
---|
| 576 | currentvalpos += SSL3_RANDOM_SIZE;
|
---|
| 577 | memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
|
---|
| 578 | currentvalpos += SSL3_RANDOM_SIZE;
|
---|
| 579 |
|
---|
| 580 | if (use_context) {
|
---|
| 581 | val[currentvalpos] = (contextlen >> 8) & 0xff;
|
---|
| 582 | currentvalpos++;
|
---|
| 583 | val[currentvalpos] = contextlen & 0xff;
|
---|
| 584 | currentvalpos++;
|
---|
| 585 | if ((contextlen > 0) || (context != NULL)) {
|
---|
| 586 | memcpy(val + currentvalpos, context, contextlen);
|
---|
| 587 | }
|
---|
| 588 | }
|
---|
| 589 |
|
---|
| 590 | /*
|
---|
| 591 | * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
|
---|
| 592 | * label len) = 15, so size of val > max(prohibited label len) = 15 and
|
---|
| 593 | * the comparisons won't have buffer overflow
|
---|
| 594 | */
|
---|
| 595 | if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
|
---|
| 596 | TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
|
---|
| 597 | goto err1;
|
---|
| 598 | if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
|
---|
| 599 | TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
|
---|
| 600 | goto err1;
|
---|
| 601 | if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
|
---|
| 602 | TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
|
---|
| 603 | goto err1;
|
---|
| 604 | if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST,
|
---|
| 605 | TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0)
|
---|
| 606 | goto err1;
|
---|
| 607 | if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
|
---|
| 608 | TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
|
---|
| 609 | goto err1;
|
---|
| 610 |
|
---|
| 611 | rv = tls1_PRF(s,
|
---|
| 612 | val, vallen,
|
---|
| 613 | NULL, 0,
|
---|
| 614 | NULL, 0,
|
---|
| 615 | NULL, 0,
|
---|
| 616 | NULL, 0,
|
---|
| 617 | s->session->master_key, s->session->master_key_length,
|
---|
| 618 | out, olen);
|
---|
| 619 |
|
---|
| 620 | goto ret;
|
---|
| 621 | err1:
|
---|
| 622 | SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
|
---|
| 623 | rv = 0;
|
---|
| 624 | goto ret;
|
---|
| 625 | err2:
|
---|
| 626 | SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
|
---|
| 627 | rv = 0;
|
---|
| 628 | ret:
|
---|
| 629 | OPENSSL_clear_free(val, vallen);
|
---|
| 630 | return (rv);
|
---|
| 631 | }
|
---|
| 632 |
|
---|
| 633 | int tls1_alert_code(int code)
|
---|
| 634 | {
|
---|
| 635 | switch (code) {
|
---|
| 636 | case SSL_AD_CLOSE_NOTIFY:
|
---|
| 637 | return (SSL3_AD_CLOSE_NOTIFY);
|
---|
| 638 | case SSL_AD_UNEXPECTED_MESSAGE:
|
---|
| 639 | return (SSL3_AD_UNEXPECTED_MESSAGE);
|
---|
| 640 | case SSL_AD_BAD_RECORD_MAC:
|
---|
| 641 | return (SSL3_AD_BAD_RECORD_MAC);
|
---|
| 642 | case SSL_AD_DECRYPTION_FAILED:
|
---|
| 643 | return (TLS1_AD_DECRYPTION_FAILED);
|
---|
| 644 | case SSL_AD_RECORD_OVERFLOW:
|
---|
| 645 | return (TLS1_AD_RECORD_OVERFLOW);
|
---|
| 646 | case SSL_AD_DECOMPRESSION_FAILURE:
|
---|
| 647 | return (SSL3_AD_DECOMPRESSION_FAILURE);
|
---|
| 648 | case SSL_AD_HANDSHAKE_FAILURE:
|
---|
| 649 | return (SSL3_AD_HANDSHAKE_FAILURE);
|
---|
| 650 | case SSL_AD_NO_CERTIFICATE:
|
---|
| 651 | return (-1);
|
---|
| 652 | case SSL_AD_BAD_CERTIFICATE:
|
---|
| 653 | return (SSL3_AD_BAD_CERTIFICATE);
|
---|
| 654 | case SSL_AD_UNSUPPORTED_CERTIFICATE:
|
---|
| 655 | return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
|
---|
| 656 | case SSL_AD_CERTIFICATE_REVOKED:
|
---|
| 657 | return (SSL3_AD_CERTIFICATE_REVOKED);
|
---|
| 658 | case SSL_AD_CERTIFICATE_EXPIRED:
|
---|
| 659 | return (SSL3_AD_CERTIFICATE_EXPIRED);
|
---|
| 660 | case SSL_AD_CERTIFICATE_UNKNOWN:
|
---|
| 661 | return (SSL3_AD_CERTIFICATE_UNKNOWN);
|
---|
| 662 | case SSL_AD_ILLEGAL_PARAMETER:
|
---|
| 663 | return (SSL3_AD_ILLEGAL_PARAMETER);
|
---|
| 664 | case SSL_AD_UNKNOWN_CA:
|
---|
| 665 | return (TLS1_AD_UNKNOWN_CA);
|
---|
| 666 | case SSL_AD_ACCESS_DENIED:
|
---|
| 667 | return (TLS1_AD_ACCESS_DENIED);
|
---|
| 668 | case SSL_AD_DECODE_ERROR:
|
---|
| 669 | return (TLS1_AD_DECODE_ERROR);
|
---|
| 670 | case SSL_AD_DECRYPT_ERROR:
|
---|
| 671 | return (TLS1_AD_DECRYPT_ERROR);
|
---|
| 672 | case SSL_AD_EXPORT_RESTRICTION:
|
---|
| 673 | return (TLS1_AD_EXPORT_RESTRICTION);
|
---|
| 674 | case SSL_AD_PROTOCOL_VERSION:
|
---|
| 675 | return (TLS1_AD_PROTOCOL_VERSION);
|
---|
| 676 | case SSL_AD_INSUFFICIENT_SECURITY:
|
---|
| 677 | return (TLS1_AD_INSUFFICIENT_SECURITY);
|
---|
| 678 | case SSL_AD_INTERNAL_ERROR:
|
---|
| 679 | return (TLS1_AD_INTERNAL_ERROR);
|
---|
| 680 | case SSL_AD_USER_CANCELLED:
|
---|
| 681 | return (TLS1_AD_USER_CANCELLED);
|
---|
| 682 | case SSL_AD_NO_RENEGOTIATION:
|
---|
| 683 | return (TLS1_AD_NO_RENEGOTIATION);
|
---|
| 684 | case SSL_AD_UNSUPPORTED_EXTENSION:
|
---|
| 685 | return (TLS1_AD_UNSUPPORTED_EXTENSION);
|
---|
| 686 | case SSL_AD_CERTIFICATE_UNOBTAINABLE:
|
---|
| 687 | return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
|
---|
| 688 | case SSL_AD_UNRECOGNIZED_NAME:
|
---|
| 689 | return (TLS1_AD_UNRECOGNIZED_NAME);
|
---|
| 690 | case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
|
---|
| 691 | return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
|
---|
| 692 | case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
|
---|
| 693 | return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
|
---|
| 694 | case SSL_AD_UNKNOWN_PSK_IDENTITY:
|
---|
| 695 | return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
|
---|
| 696 | case SSL_AD_INAPPROPRIATE_FALLBACK:
|
---|
| 697 | return (TLS1_AD_INAPPROPRIATE_FALLBACK);
|
---|
| 698 | case SSL_AD_NO_APPLICATION_PROTOCOL:
|
---|
| 699 | return (TLS1_AD_NO_APPLICATION_PROTOCOL);
|
---|
| 700 | default:
|
---|
| 701 | return (-1);
|
---|
| 702 | }
|
---|
| 703 | }
|
---|