t1_enc.c@ 69881

Last change on this file since 69881 was 69881, checked in by vboxsync, 7 years ago
Update OpenSSL to 1.1.0g. bugref:8070: src/libs maintenance
Property svn:eol-style set to `native`
File size: 21.8 KB

Line
1	/*
2	* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the OpenSSL license (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	/* ====================================================================
11	* Copyright 2005 Nokia. All rights reserved.
12	*
13	* The portions of the attached software ("Contribution") is developed by
14	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
15	* license.
16	*
17	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
18	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
19	* support (see RFC 4279) to OpenSSL.
20	*
21	* No patent licenses or other rights except those expressly stated in
22	* the OpenSSL open source license shall be deemed granted or received
23	* expressly, by implication, estoppel, or otherwise.
24	*
25	* No assurances are provided by Nokia that the Contribution does not
26	* infringe the patent or other intellectual property rights of any third
27	* party or that the license provides you with all the necessary rights
28	* to make use of the Contribution.
29	*
30	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
31	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
32	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
33	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
34	* OTHERWISE.
35	*/
36
37	#include <stdio.h>
38	#include "ssl_locl.h"
39	#include <openssl/comp.h>
40	#include <openssl/evp.h>
41	#include <openssl/kdf.h>
42	#include <openssl/rand.h>
43
44	/* seed1 through seed5 are concatenated */
45	static int tls1_PRF(SSL *s,
46	const void *seed1, int seed1_len,
47	const void *seed2, int seed2_len,
48	const void *seed3, int seed3_len,
49	const void *seed4, int seed4_len,
50	const void *seed5, int seed5_len,
51	const unsigned char *sec, int slen,
52	unsigned char *out, int olen)
53	{
54	const EVP_MD *md = ssl_prf_md(s);
55	EVP_PKEY_CTX *pctx = NULL;
56
57	int ret = 0;
58	size_t outlen = olen;
59
60	if (md == NULL) {
61	/* Should never happen */
62	SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR);
63	return 0;
64	}
65	pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
66	if (pctx == NULL \|\| EVP_PKEY_derive_init(pctx) <= 0
67	\|\| EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) <= 0
68	\|\| EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, sec, slen) <= 0)
69	goto err;
70
71	if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed1, seed1_len) <= 0)
72	goto err;
73	if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed2, seed2_len) <= 0)
74	goto err;
75	if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed3, seed3_len) <= 0)
76	goto err;
77	if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed4, seed4_len) <= 0)
78	goto err;
79	if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed5, seed5_len) <= 0)
80	goto err;
81
82	if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
83	goto err;
84	ret = 1;
85
86	err:
87	EVP_PKEY_CTX_free(pctx);
88	return ret;
89	}
90
91	static int tls1_generate_key_block(SSL s, unsigned char km, int num)
92	{
93	int ret;
94	ret = tls1_PRF(s,
95	TLS_MD_KEY_EXPANSION_CONST,
96	TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random,
97	SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE,
98	NULL, 0, NULL, 0, s->session->master_key,
99	s->session->master_key_length, km, num);
100
101	return ret;
102	}
103
104	int tls1_change_cipher_state(SSL *s, int which)
105	{
106	unsigned char p, mac_secret;
107	unsigned char tmp1[EVP_MAX_KEY_LENGTH];
108	unsigned char tmp2[EVP_MAX_KEY_LENGTH];
109	unsigned char iv1[EVP_MAX_IV_LENGTH * 2];
110	unsigned char iv2[EVP_MAX_IV_LENGTH * 2];
111	unsigned char ms, key, *iv;
112	EVP_CIPHER_CTX *dd;
113	const EVP_CIPHER *c;
114	#ifndef OPENSSL_NO_COMP
115	const SSL_COMP *comp;
116	#endif
117	const EVP_MD *m;
118	int mac_type;
119	int *mac_secret_size;
120	EVP_MD_CTX *mac_ctx;
121	EVP_PKEY *mac_key;
122	int n, i, j, k, cl;
123	int reuse_dd = 0;
124
125	c = s->s3->tmp.new_sym_enc;
126	m = s->s3->tmp.new_hash;
127	mac_type = s->s3->tmp.new_mac_pkey_type;
128	#ifndef OPENSSL_NO_COMP
129	comp = s->s3->tmp.new_compression;
130	#endif
131
132	if (which & SSL3_CC_READ) {
133	if (s->tlsext_use_etm)
134	s->s3->flags \|= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
135	else
136	s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ;
137
138	if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
139	s->mac_flags \|= SSL_MAC_FLAG_READ_MAC_STREAM;
140	else
141	s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
142
143	if (s->enc_read_ctx != NULL)
144	reuse_dd = 1;
145	else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL)
146	goto err;
147	else
148	/*
149	* make sure it's initialised in case we exit later with an error
150	*/
151	EVP_CIPHER_CTX_reset(s->enc_read_ctx);
152	dd = s->enc_read_ctx;
153	mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
154	if (mac_ctx == NULL)
155	goto err;
156	#ifndef OPENSSL_NO_COMP
157	COMP_CTX_free(s->expand);
158	s->expand = NULL;
159	if (comp != NULL) {
160	s->expand = COMP_CTX_new(comp->method);
161	if (s->expand == NULL) {
162	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
163	SSL_R_COMPRESSION_LIBRARY_ERROR);
164	goto err2;
165	}
166	}
167	#endif
168	/*
169	* this is done by dtls1_reset_seq_numbers for DTLS
170	*/
171	if (!SSL_IS_DTLS(s))
172	RECORD_LAYER_reset_read_sequence(&s->rlayer);
173	mac_secret = &(s->s3->read_mac_secret[0]);
174	mac_secret_size = &(s->s3->read_mac_secret_size);
175	} else {
176	if (s->tlsext_use_etm)
177	s->s3->flags \|= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
178	else
179	s->s3->flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE;
180
181	if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
182	s->mac_flags \|= SSL_MAC_FLAG_WRITE_MAC_STREAM;
183	else
184	s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
185	if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
186	reuse_dd = 1;
187	else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL)
188	goto err;
189	dd = s->enc_write_ctx;
190	if (SSL_IS_DTLS(s)) {
191	mac_ctx = EVP_MD_CTX_new();
192	if (mac_ctx == NULL)
193	goto err;
194	s->write_hash = mac_ctx;
195	} else {
196	mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
197	if (mac_ctx == NULL)
198	goto err;
199	}
200	#ifndef OPENSSL_NO_COMP
201	COMP_CTX_free(s->compress);
202	s->compress = NULL;
203	if (comp != NULL) {
204	s->compress = COMP_CTX_new(comp->method);
205	if (s->compress == NULL) {
206	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,
207	SSL_R_COMPRESSION_LIBRARY_ERROR);
208	goto err2;
209	}
210	}
211	#endif
212	/*
213	* this is done by dtls1_reset_seq_numbers for DTLS
214	*/
215	if (!SSL_IS_DTLS(s))
216	RECORD_LAYER_reset_write_sequence(&s->rlayer);
217	mac_secret = &(s->s3->write_mac_secret[0]);
218	mac_secret_size = &(s->s3->write_mac_secret_size);
219	}
220
221	if (reuse_dd)
222	EVP_CIPHER_CTX_reset(dd);
223
224	p = s->s3->tmp.key_block;
225	i = *mac_secret_size = s->s3->tmp.new_mac_secret_size;
226
227	cl = EVP_CIPHER_key_length(c);
228	j = cl;
229	/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
230	/* If GCM/CCM mode only part of IV comes from PRF */
231	if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
232	k = EVP_GCM_TLS_FIXED_IV_LEN;
233	else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE)
234	k = EVP_CCM_TLS_FIXED_IV_LEN;
235	else
236	k = EVP_CIPHER_iv_length(c);
237	if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) \|\|
238	(which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
239	ms = &(p[0]);
240	n = i + i;
241	key = &(p[n]);
242	n += j + j;
243	iv = &(p[n]);
244	n += k + k;
245	} else {
246	n = i;
247	ms = &(p[n]);
248	n += i + j;
249	key = &(p[n]);
250	n += j + k;
251	iv = &(p[n]);
252	n += k;
253	}
254
255	if (n > s->s3->tmp.key_block_length) {
256	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
257	goto err2;
258	}
259
260	memcpy(mac_secret, ms, i);
261
262	if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
263	mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
264	mac_secret, *mac_secret_size);
265	if (mac_key == NULL
266	\|\| EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
267	EVP_PKEY_free(mac_key);
268	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
269	goto err2;
270	}
271	EVP_PKEY_free(mac_key);
272	}
273	#ifdef SSL_DEBUG
274	printf("which = %04X\nmac key=", which);
275	{
276	int z;
277	for (z = 0; z < i; z++)
278	printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n');
279	}
280	#endif
281
282	if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) {
283	if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE))
284	\|\| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv)) {
285	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
286	goto err2;
287	}
288	} else if (EVP_CIPHER_mode(c) == EVP_CIPH_CCM_MODE) {
289	int taglen;
290	if (s->s3->tmp.
291	new_cipher->algorithm_enc & (SSL_AES128CCM8 \| SSL_AES256CCM8))
292	taglen = 8;
293	else
294	taglen = 16;
295	if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE))
296	\|\| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL)
297	\|\| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL)
298	\|\| !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, k, iv)
299	\|\| !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) {
300	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
301	goto err2;
302	}
303	} else {
304	if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) {
305	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
306	goto err2;
307	}
308	}
309	/* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
310	if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size
311	&& !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY,
312	*mac_secret_size, mac_secret)) {
313	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
314	goto err2;
315	}
316
317	#ifdef SSL_DEBUG
318	printf("which = %04X\nkey=", which);
319	{
320	int z;
321	for (z = 0; z < EVP_CIPHER_key_length(c); z++)
322	printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n');
323	}
324	printf("\niv=");
325	{
326	int z;
327	for (z = 0; z < k; z++)
328	printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n');
329	}
330	printf("\n");
331	#endif
332
333	OPENSSL_cleanse(tmp1, sizeof(tmp1));
334	OPENSSL_cleanse(tmp2, sizeof(tmp1));
335	OPENSSL_cleanse(iv1, sizeof(iv1));
336	OPENSSL_cleanse(iv2, sizeof(iv2));
337	return (1);
338	err:
339	SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
340	err2:
341	OPENSSL_cleanse(tmp1, sizeof(tmp1));
342	OPENSSL_cleanse(tmp2, sizeof(tmp1));
343	OPENSSL_cleanse(iv1, sizeof(iv1));
344	OPENSSL_cleanse(iv2, sizeof(iv2));
345	return (0);
346	}
347
348	int tls1_setup_key_block(SSL *s)
349	{
350	unsigned char *p;
351	const EVP_CIPHER *c;
352	const EVP_MD *hash;
353	int num;
354	SSL_COMP *comp;
355	int mac_type = NID_undef, mac_secret_size = 0;
356	int ret = 0;
357
358	if (s->s3->tmp.key_block_length != 0)
359	return (1);
360
361	if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
362	&comp, s->tlsext_use_etm)) {
363	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
364	return (0);
365	}
366
367	s->s3->tmp.new_sym_enc = c;
368	s->s3->tmp.new_hash = hash;
369	s->s3->tmp.new_mac_pkey_type = mac_type;
370	s->s3->tmp.new_mac_secret_size = mac_secret_size;
371	num = EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c);
372	num *= 2;
373
374	ssl3_cleanup_key_block(s);
375
376	if ((p = OPENSSL_malloc(num)) == NULL) {
377	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
378	goto err;
379	}
380
381	s->s3->tmp.key_block_length = num;
382	s->s3->tmp.key_block = p;
383
384	#ifdef SSL_DEBUG
385	printf("client random\n");
386	{
387	int z;
388	for (z = 0; z < SSL3_RANDOM_SIZE; z++)
389	printf("%02X%c", s->s3->client_random[z],
390	((z + 1) % 16) ? ' ' : '\n');
391	}
392	printf("server random\n");
393	{
394	int z;
395	for (z = 0; z < SSL3_RANDOM_SIZE; z++)
396	printf("%02X%c", s->s3->server_random[z],
397	((z + 1) % 16) ? ' ' : '\n');
398	}
399	printf("master key\n");
400	{
401	int z;
402	for (z = 0; z < s->session->master_key_length; z++)
403	printf("%02X%c", s->session->master_key[z],
404	((z + 1) % 16) ? ' ' : '\n');
405	}
406	#endif
407	if (!tls1_generate_key_block(s, p, num))
408	goto err;
409	#ifdef SSL_DEBUG
410	printf("\nkey block\n");
411	{
412	int z;
413	for (z = 0; z < num; z++)
414	printf("%02X%c", p[z], ((z + 1) % 16) ? ' ' : '\n');
415	}
416	#endif
417
418	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
419	&& s->method->version <= TLS1_VERSION) {
420	/*
421	* enable vulnerability countermeasure for CBC ciphers with known-IV
422	* problem (http://www.openssl.org/~bodo/tls-cbc.txt)
423	*/
424	s->s3->need_empty_fragments = 1;
425
426	if (s->session->cipher != NULL) {
427	if (s->session->cipher->algorithm_enc == SSL_eNULL)
428	s->s3->need_empty_fragments = 0;
429
430	#ifndef OPENSSL_NO_RC4
431	if (s->session->cipher->algorithm_enc == SSL_RC4)
432	s->s3->need_empty_fragments = 0;
433	#endif
434	}
435	}
436
437	ret = 1;
438	err:
439	return (ret);
440	}
441
442	int tls1_final_finish_mac(SSL s, const char str, int slen, unsigned char *out)
443	{
444	int hashlen;
445	unsigned char hash[EVP_MAX_MD_SIZE];
446
447	if (!ssl3_digest_cached_records(s, 0))
448	return 0;
449
450	hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
451
452	if (hashlen == 0)
453	return 0;
454
455	if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0,
456	s->session->master_key, s->session->master_key_length,
457	out, TLS1_FINISH_MAC_LENGTH))
458	return 0;
459	OPENSSL_cleanse(hash, hashlen);
460	return TLS1_FINISH_MAC_LENGTH;
461	}
462
463	int tls1_generate_master_secret(SSL s, unsigned char out, unsigned char *p,
464	int len)
465	{
466	if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
467	unsigned char hash[EVP_MAX_MD_SIZE * 2];
468	int hashlen;
469	/*
470	* Digest cached records keeping record buffer (if present): this wont
471	* affect client auth because we're freezing the buffer at the same
472	* point (after client key exchange and before certificate verify)
473	*/
474	if (!ssl3_digest_cached_records(s, 1))
475	return -1;
476	hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
477	#ifdef SSL_DEBUG
478	fprintf(stderr, "Handshake hashes:\n");
479	BIO_dump_fp(stderr, (char *)hash, hashlen);
480	#endif
481	tls1_PRF(s,
482	TLS_MD_EXTENDED_MASTER_SECRET_CONST,
483	TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE,
484	hash, hashlen,
485	NULL, 0,
486	NULL, 0,
487	NULL, 0, p, len, s->session->master_key,
488	SSL3_MASTER_SECRET_SIZE);
489	OPENSSL_cleanse(hash, hashlen);
490	} else {
491	tls1_PRF(s,
492	TLS_MD_MASTER_SECRET_CONST,
493	TLS_MD_MASTER_SECRET_CONST_SIZE,
494	s->s3->client_random, SSL3_RANDOM_SIZE,
495	NULL, 0,
496	s->s3->server_random, SSL3_RANDOM_SIZE,
497	NULL, 0, p, len, s->session->master_key,
498	SSL3_MASTER_SECRET_SIZE);
499	}
500	#ifdef SSL_DEBUG
501	fprintf(stderr, "Premaster Secret:\n");
502	BIO_dump_fp(stderr, (char *)p, len);
503	fprintf(stderr, "Client Random:\n");
504	BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE);
505	fprintf(stderr, "Server Random:\n");
506	BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE);
507	fprintf(stderr, "Master Secret:\n");
508	BIO_dump_fp(stderr, (char *)s->session->master_key,
509	SSL3_MASTER_SECRET_SIZE);
510	#endif
511
512	return (SSL3_MASTER_SECRET_SIZE);
513	}
514
515	int tls1_export_keying_material(SSL s, unsigned char out, size_t olen,
516	const char *label, size_t llen,
517	const unsigned char *context,
518	size_t contextlen, int use_context)
519	{
520	unsigned char *val = NULL;
521	size_t vallen = 0, currentvalpos;
522	int rv;
523
524	/*
525	* construct PRF arguments we construct the PRF argument ourself rather
526	* than passing separate values into the TLS PRF to ensure that the
527	* concatenation of values does not create a prohibited label.
528	*/
529	vallen = llen + SSL3_RANDOM_SIZE * 2;
530	if (use_context) {
531	vallen += 2 + contextlen;
532	}
533
534	val = OPENSSL_malloc(vallen);
535	if (val == NULL)
536	goto err2;
537	currentvalpos = 0;
538	memcpy(val + currentvalpos, (unsigned char *)label, llen);
539	currentvalpos += llen;
540	memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
541	currentvalpos += SSL3_RANDOM_SIZE;
542	memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
543	currentvalpos += SSL3_RANDOM_SIZE;
544
545	if (use_context) {
546	val[currentvalpos] = (contextlen >> 8) & 0xff;
547	currentvalpos++;
548	val[currentvalpos] = contextlen & 0xff;
549	currentvalpos++;
550	if ((contextlen > 0) \|\| (context != NULL)) {
551	memcpy(val + currentvalpos, context, contextlen);
552	}
553	}
554
555	/*
556	* disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited
557	* label len) = 15, so size of val > max(prohibited label len) = 15 and
558	* the comparisons won't have buffer overflow
559	*/
560	if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
561	TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0)
562	goto err1;
563	if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
564	TLS_MD_SERVER_FINISH_CONST_SIZE) == 0)
565	goto err1;
566	if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
567	TLS_MD_MASTER_SECRET_CONST_SIZE) == 0)
568	goto err1;
569	if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST,
570	TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0)
571	goto err1;
572	if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
573	TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0)
574	goto err1;
575
576	rv = tls1_PRF(s,
577	val, vallen,
578	NULL, 0,
579	NULL, 0,
580	NULL, 0,
581	NULL, 0,
582	s->session->master_key, s->session->master_key_length,
583	out, olen);
584
585	goto ret;
586	err1:
587	SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
588	rv = 0;
589	goto ret;
590	err2:
591	SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
592	rv = 0;
593	ret:
594	OPENSSL_clear_free(val, vallen);
595	return (rv);
596	}
597
598	int tls1_alert_code(int code)
599	{
600	switch (code) {
601	case SSL_AD_CLOSE_NOTIFY:
602	return (SSL3_AD_CLOSE_NOTIFY);
603	case SSL_AD_UNEXPECTED_MESSAGE:
604	return (SSL3_AD_UNEXPECTED_MESSAGE);
605	case SSL_AD_BAD_RECORD_MAC:
606	return (SSL3_AD_BAD_RECORD_MAC);
607	case SSL_AD_DECRYPTION_FAILED:
608	return (TLS1_AD_DECRYPTION_FAILED);
609	case SSL_AD_RECORD_OVERFLOW:
610	return (TLS1_AD_RECORD_OVERFLOW);
611	case SSL_AD_DECOMPRESSION_FAILURE:
612	return (SSL3_AD_DECOMPRESSION_FAILURE);
613	case SSL_AD_HANDSHAKE_FAILURE:
614	return (SSL3_AD_HANDSHAKE_FAILURE);
615	case SSL_AD_NO_CERTIFICATE:
616	return (-1);
617	case SSL_AD_BAD_CERTIFICATE:
618	return (SSL3_AD_BAD_CERTIFICATE);
619	case SSL_AD_UNSUPPORTED_CERTIFICATE:
620	return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
621	case SSL_AD_CERTIFICATE_REVOKED:
622	return (SSL3_AD_CERTIFICATE_REVOKED);
623	case SSL_AD_CERTIFICATE_EXPIRED:
624	return (SSL3_AD_CERTIFICATE_EXPIRED);
625	case SSL_AD_CERTIFICATE_UNKNOWN:
626	return (SSL3_AD_CERTIFICATE_UNKNOWN);
627	case SSL_AD_ILLEGAL_PARAMETER:
628	return (SSL3_AD_ILLEGAL_PARAMETER);
629	case SSL_AD_UNKNOWN_CA:
630	return (TLS1_AD_UNKNOWN_CA);
631	case SSL_AD_ACCESS_DENIED:
632	return (TLS1_AD_ACCESS_DENIED);
633	case SSL_AD_DECODE_ERROR:
634	return (TLS1_AD_DECODE_ERROR);
635	case SSL_AD_DECRYPT_ERROR:
636	return (TLS1_AD_DECRYPT_ERROR);
637	case SSL_AD_EXPORT_RESTRICTION:
638	return (TLS1_AD_EXPORT_RESTRICTION);
639	case SSL_AD_PROTOCOL_VERSION:
640	return (TLS1_AD_PROTOCOL_VERSION);
641	case SSL_AD_INSUFFICIENT_SECURITY:
642	return (TLS1_AD_INSUFFICIENT_SECURITY);
643	case SSL_AD_INTERNAL_ERROR:
644	return (TLS1_AD_INTERNAL_ERROR);
645	case SSL_AD_USER_CANCELLED:
646	return (TLS1_AD_USER_CANCELLED);
647	case SSL_AD_NO_RENEGOTIATION:
648	return (TLS1_AD_NO_RENEGOTIATION);
649	case SSL_AD_UNSUPPORTED_EXTENSION:
650	return (TLS1_AD_UNSUPPORTED_EXTENSION);
651	case SSL_AD_CERTIFICATE_UNOBTAINABLE:
652	return (TLS1_AD_CERTIFICATE_UNOBTAINABLE);
653	case SSL_AD_UNRECOGNIZED_NAME:
654	return (TLS1_AD_UNRECOGNIZED_NAME);
655	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
656	return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
657	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
658	return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
659	case SSL_AD_UNKNOWN_PSK_IDENTITY:
660	return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
661	case SSL_AD_INAPPROPRIATE_FALLBACK:
662	return (TLS1_AD_INAPPROPRIATE_FALLBACK);
663	case SSL_AD_NO_APPLICATION_PROTOCOL:
664	return (TLS1_AD_NO_APPLICATION_PROTOCOL);
665	default:
666	return (-1);
667	}
668	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-1.1.0g/ssl/t1_enc.c@ 69881

Download in other formats: