1e1051a39Sopenharmony_ci/* 2e1051a39Sopenharmony_ci * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3e1051a39Sopenharmony_ci * Copyright 2005 Nokia. All rights reserved. 4e1051a39Sopenharmony_ci * 5e1051a39Sopenharmony_ci * Licensed under the Apache License 2.0 (the "License"). You may not use 6e1051a39Sopenharmony_ci * this file except in compliance with the License. You can obtain a copy 7e1051a39Sopenharmony_ci * in the file LICENSE in the source distribution or at 8e1051a39Sopenharmony_ci * https://www.openssl.org/source/license.html 9e1051a39Sopenharmony_ci */ 10e1051a39Sopenharmony_ci 11e1051a39Sopenharmony_ci#include <stdio.h> 12e1051a39Sopenharmony_ci#include "ssl_local.h" 13e1051a39Sopenharmony_ci#include "record/record_local.h" 14e1051a39Sopenharmony_ci#include "internal/ktls.h" 15e1051a39Sopenharmony_ci#include "internal/cryptlib.h" 16e1051a39Sopenharmony_ci#include <openssl/comp.h> 17e1051a39Sopenharmony_ci#include <openssl/evp.h> 18e1051a39Sopenharmony_ci#include <openssl/kdf.h> 19e1051a39Sopenharmony_ci#include <openssl/rand.h> 20e1051a39Sopenharmony_ci#include <openssl/obj_mac.h> 21e1051a39Sopenharmony_ci#include <openssl/core_names.h> 22e1051a39Sopenharmony_ci#include <openssl/trace.h> 23e1051a39Sopenharmony_ci 24e1051a39Sopenharmony_ci/* seed1 through seed5 are concatenated */ 25e1051a39Sopenharmony_cistatic int tls1_PRF(SSL *s, 26e1051a39Sopenharmony_ci const void *seed1, size_t seed1_len, 27e1051a39Sopenharmony_ci const void *seed2, size_t seed2_len, 28e1051a39Sopenharmony_ci const void *seed3, size_t seed3_len, 29e1051a39Sopenharmony_ci const void *seed4, size_t seed4_len, 30e1051a39Sopenharmony_ci const void *seed5, size_t seed5_len, 31e1051a39Sopenharmony_ci const unsigned char *sec, size_t slen, 32e1051a39Sopenharmony_ci unsigned char *out, size_t olen, int fatal) 33e1051a39Sopenharmony_ci{ 34e1051a39Sopenharmony_ci const EVP_MD *md = ssl_prf_md(s); 35e1051a39Sopenharmony_ci EVP_KDF *kdf; 36e1051a39Sopenharmony_ci EVP_KDF_CTX *kctx = NULL; 37e1051a39Sopenharmony_ci OSSL_PARAM params[8], *p = params; 38e1051a39Sopenharmony_ci const char *mdname; 39e1051a39Sopenharmony_ci 40e1051a39Sopenharmony_ci if (md == NULL) { 41e1051a39Sopenharmony_ci /* Should never happen */ 42e1051a39Sopenharmony_ci if (fatal) 43e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 44e1051a39Sopenharmony_ci else 45e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 46e1051a39Sopenharmony_ci return 0; 47e1051a39Sopenharmony_ci } 48e1051a39Sopenharmony_ci kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_TLS1_PRF, s->ctx->propq); 49e1051a39Sopenharmony_ci if (kdf == NULL) 50e1051a39Sopenharmony_ci goto err; 51e1051a39Sopenharmony_ci kctx = EVP_KDF_CTX_new(kdf); 52e1051a39Sopenharmony_ci EVP_KDF_free(kdf); 53e1051a39Sopenharmony_ci if (kctx == NULL) 54e1051a39Sopenharmony_ci goto err; 55e1051a39Sopenharmony_ci mdname = EVP_MD_get0_name(md); 56e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, 57e1051a39Sopenharmony_ci (char *)mdname, 0); 58e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, 59e1051a39Sopenharmony_ci (unsigned char *)sec, 60e1051a39Sopenharmony_ci (size_t)slen); 61e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 62e1051a39Sopenharmony_ci (void *)seed1, (size_t)seed1_len); 63e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 64e1051a39Sopenharmony_ci (void *)seed2, (size_t)seed2_len); 65e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 66e1051a39Sopenharmony_ci (void *)seed3, (size_t)seed3_len); 67e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 68e1051a39Sopenharmony_ci (void *)seed4, (size_t)seed4_len); 69e1051a39Sopenharmony_ci *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, 70e1051a39Sopenharmony_ci (void *)seed5, (size_t)seed5_len); 71e1051a39Sopenharmony_ci *p = OSSL_PARAM_construct_end(); 72e1051a39Sopenharmony_ci if (EVP_KDF_derive(kctx, out, olen, params)) { 73e1051a39Sopenharmony_ci EVP_KDF_CTX_free(kctx); 74e1051a39Sopenharmony_ci return 1; 75e1051a39Sopenharmony_ci } 76e1051a39Sopenharmony_ci 77e1051a39Sopenharmony_ci err: 78e1051a39Sopenharmony_ci if (fatal) 79e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 80e1051a39Sopenharmony_ci else 81e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); 82e1051a39Sopenharmony_ci EVP_KDF_CTX_free(kctx); 83e1051a39Sopenharmony_ci return 0; 84e1051a39Sopenharmony_ci} 85e1051a39Sopenharmony_ci 86e1051a39Sopenharmony_cistatic int tls1_generate_key_block(SSL *s, unsigned char *km, size_t num) 87e1051a39Sopenharmony_ci{ 88e1051a39Sopenharmony_ci int ret; 89e1051a39Sopenharmony_ci 90e1051a39Sopenharmony_ci /* Calls SSLfatal() as required */ 91e1051a39Sopenharmony_ci ret = tls1_PRF(s, 92e1051a39Sopenharmony_ci TLS_MD_KEY_EXPANSION_CONST, 93e1051a39Sopenharmony_ci TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3.server_random, 94e1051a39Sopenharmony_ci SSL3_RANDOM_SIZE, s->s3.client_random, SSL3_RANDOM_SIZE, 95e1051a39Sopenharmony_ci NULL, 0, NULL, 0, s->session->master_key, 96e1051a39Sopenharmony_ci s->session->master_key_length, km, num, 1); 97e1051a39Sopenharmony_ci 98e1051a39Sopenharmony_ci return ret; 99e1051a39Sopenharmony_ci} 100e1051a39Sopenharmony_ci 101e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_KTLS 102e1051a39Sopenharmony_ci /* 103e1051a39Sopenharmony_ci * Count the number of records that were not processed yet from record boundary. 104e1051a39Sopenharmony_ci * 105e1051a39Sopenharmony_ci * This function assumes that there are only fully formed records read in the 106e1051a39Sopenharmony_ci * record layer. If read_ahead is enabled, then this might be false and this 107e1051a39Sopenharmony_ci * function will fail. 108e1051a39Sopenharmony_ci */ 109e1051a39Sopenharmony_ci# ifndef OPENSSL_NO_KTLS_RX 110e1051a39Sopenharmony_cistatic int count_unprocessed_records(SSL *s) 111e1051a39Sopenharmony_ci{ 112e1051a39Sopenharmony_ci SSL3_BUFFER *rbuf = RECORD_LAYER_get_rbuf(&s->rlayer); 113e1051a39Sopenharmony_ci PACKET pkt, subpkt; 114e1051a39Sopenharmony_ci int count = 0; 115e1051a39Sopenharmony_ci 116e1051a39Sopenharmony_ci if (!PACKET_buf_init(&pkt, rbuf->buf + rbuf->offset, rbuf->left)) 117e1051a39Sopenharmony_ci return -1; 118e1051a39Sopenharmony_ci 119e1051a39Sopenharmony_ci while (PACKET_remaining(&pkt) > 0) { 120e1051a39Sopenharmony_ci /* Skip record type and version */ 121e1051a39Sopenharmony_ci if (!PACKET_forward(&pkt, 3)) 122e1051a39Sopenharmony_ci return -1; 123e1051a39Sopenharmony_ci 124e1051a39Sopenharmony_ci /* Read until next record */ 125e1051a39Sopenharmony_ci if (!PACKET_get_length_prefixed_2(&pkt, &subpkt)) 126e1051a39Sopenharmony_ci return -1; 127e1051a39Sopenharmony_ci 128e1051a39Sopenharmony_ci count += 1; 129e1051a39Sopenharmony_ci } 130e1051a39Sopenharmony_ci 131e1051a39Sopenharmony_ci return count; 132e1051a39Sopenharmony_ci} 133e1051a39Sopenharmony_ci# endif 134e1051a39Sopenharmony_ci#endif 135e1051a39Sopenharmony_ci 136e1051a39Sopenharmony_ci 137e1051a39Sopenharmony_ciint tls_provider_set_tls_params(SSL *s, EVP_CIPHER_CTX *ctx, 138e1051a39Sopenharmony_ci const EVP_CIPHER *ciph, 139e1051a39Sopenharmony_ci const EVP_MD *md) 140e1051a39Sopenharmony_ci{ 141e1051a39Sopenharmony_ci /* 142e1051a39Sopenharmony_ci * Provided cipher, the TLS padding/MAC removal is performed provider 143e1051a39Sopenharmony_ci * side so we need to tell the ctx about our TLS version and mac size 144e1051a39Sopenharmony_ci */ 145e1051a39Sopenharmony_ci OSSL_PARAM params[3], *pprm = params; 146e1051a39Sopenharmony_ci size_t macsize = 0; 147e1051a39Sopenharmony_ci int imacsize = -1; 148e1051a39Sopenharmony_ci 149e1051a39Sopenharmony_ci if ((EVP_CIPHER_get_flags(ciph) & EVP_CIPH_FLAG_AEAD_CIPHER) == 0 150e1051a39Sopenharmony_ci /* 151e1051a39Sopenharmony_ci * We look at s->ext.use_etm instead of SSL_READ_ETM() or 152e1051a39Sopenharmony_ci * SSL_WRITE_ETM() because this test applies to both reading 153e1051a39Sopenharmony_ci * and writing. 154e1051a39Sopenharmony_ci */ 155e1051a39Sopenharmony_ci && !s->ext.use_etm) 156e1051a39Sopenharmony_ci imacsize = EVP_MD_get_size(md); 157e1051a39Sopenharmony_ci if (imacsize >= 0) 158e1051a39Sopenharmony_ci macsize = (size_t)imacsize; 159e1051a39Sopenharmony_ci 160e1051a39Sopenharmony_ci *pprm++ = OSSL_PARAM_construct_int(OSSL_CIPHER_PARAM_TLS_VERSION, 161e1051a39Sopenharmony_ci &s->version); 162e1051a39Sopenharmony_ci *pprm++ = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_TLS_MAC_SIZE, 163e1051a39Sopenharmony_ci &macsize); 164e1051a39Sopenharmony_ci *pprm = OSSL_PARAM_construct_end(); 165e1051a39Sopenharmony_ci 166e1051a39Sopenharmony_ci if (!EVP_CIPHER_CTX_set_params(ctx, params)) { 167e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 168e1051a39Sopenharmony_ci return 0; 169e1051a39Sopenharmony_ci } 170e1051a39Sopenharmony_ci 171e1051a39Sopenharmony_ci return 1; 172e1051a39Sopenharmony_ci} 173e1051a39Sopenharmony_ci 174e1051a39Sopenharmony_ci 175e1051a39Sopenharmony_cistatic int tls_iv_length_within_key_block(const EVP_CIPHER *c) 176e1051a39Sopenharmony_ci{ 177e1051a39Sopenharmony_ci /* If GCM/CCM mode only part of IV comes from PRF */ 178e1051a39Sopenharmony_ci if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) 179e1051a39Sopenharmony_ci return EVP_GCM_TLS_FIXED_IV_LEN; 180e1051a39Sopenharmony_ci else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) 181e1051a39Sopenharmony_ci return EVP_CCM_TLS_FIXED_IV_LEN; 182e1051a39Sopenharmony_ci else 183e1051a39Sopenharmony_ci return EVP_CIPHER_get_iv_length(c); 184e1051a39Sopenharmony_ci} 185e1051a39Sopenharmony_ci 186e1051a39Sopenharmony_ciint tls1_change_cipher_state(SSL *s, int which) 187e1051a39Sopenharmony_ci{ 188e1051a39Sopenharmony_ci unsigned char *p, *mac_secret; 189e1051a39Sopenharmony_ci unsigned char *ms, *key, *iv; 190e1051a39Sopenharmony_ci EVP_CIPHER_CTX *dd; 191e1051a39Sopenharmony_ci const EVP_CIPHER *c; 192e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_COMP 193e1051a39Sopenharmony_ci const SSL_COMP *comp; 194e1051a39Sopenharmony_ci#endif 195e1051a39Sopenharmony_ci const EVP_MD *m; 196e1051a39Sopenharmony_ci int mac_type; 197e1051a39Sopenharmony_ci size_t *mac_secret_size; 198e1051a39Sopenharmony_ci EVP_MD_CTX *mac_ctx; 199e1051a39Sopenharmony_ci EVP_PKEY *mac_key; 200e1051a39Sopenharmony_ci size_t n, i, j, k, cl; 201e1051a39Sopenharmony_ci int reuse_dd = 0; 202e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_KTLS 203e1051a39Sopenharmony_ci ktls_crypto_info_t crypto_info; 204e1051a39Sopenharmony_ci unsigned char *rec_seq; 205e1051a39Sopenharmony_ci void *rl_sequence; 206e1051a39Sopenharmony_ci# ifndef OPENSSL_NO_KTLS_RX 207e1051a39Sopenharmony_ci int count_unprocessed; 208e1051a39Sopenharmony_ci int bit; 209e1051a39Sopenharmony_ci# endif 210e1051a39Sopenharmony_ci BIO *bio; 211e1051a39Sopenharmony_ci#endif 212e1051a39Sopenharmony_ci 213e1051a39Sopenharmony_ci c = s->s3.tmp.new_sym_enc; 214e1051a39Sopenharmony_ci m = s->s3.tmp.new_hash; 215e1051a39Sopenharmony_ci mac_type = s->s3.tmp.new_mac_pkey_type; 216e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_COMP 217e1051a39Sopenharmony_ci comp = s->s3.tmp.new_compression; 218e1051a39Sopenharmony_ci#endif 219e1051a39Sopenharmony_ci 220e1051a39Sopenharmony_ci if (which & SSL3_CC_READ) { 221e1051a39Sopenharmony_ci if (s->ext.use_etm) 222e1051a39Sopenharmony_ci s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 223e1051a39Sopenharmony_ci else 224e1051a39Sopenharmony_ci s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_READ; 225e1051a39Sopenharmony_ci 226e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 227e1051a39Sopenharmony_ci s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 228e1051a39Sopenharmony_ci else 229e1051a39Sopenharmony_ci s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 230e1051a39Sopenharmony_ci 231e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 232e1051a39Sopenharmony_ci s->mac_flags |= SSL_MAC_FLAG_READ_MAC_TLSTREE; 233e1051a39Sopenharmony_ci else 234e1051a39Sopenharmony_ci s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_TLSTREE; 235e1051a39Sopenharmony_ci 236e1051a39Sopenharmony_ci if (s->enc_read_ctx != NULL) { 237e1051a39Sopenharmony_ci reuse_dd = 1; 238e1051a39Sopenharmony_ci } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { 239e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 240e1051a39Sopenharmony_ci goto err; 241e1051a39Sopenharmony_ci } else { 242e1051a39Sopenharmony_ci /* 243e1051a39Sopenharmony_ci * make sure it's initialised in case we exit later with an error 244e1051a39Sopenharmony_ci */ 245e1051a39Sopenharmony_ci EVP_CIPHER_CTX_reset(s->enc_read_ctx); 246e1051a39Sopenharmony_ci } 247e1051a39Sopenharmony_ci dd = s->enc_read_ctx; 248e1051a39Sopenharmony_ci mac_ctx = ssl_replace_hash(&s->read_hash, NULL); 249e1051a39Sopenharmony_ci if (mac_ctx == NULL) { 250e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 251e1051a39Sopenharmony_ci goto err; 252e1051a39Sopenharmony_ci } 253e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_COMP 254e1051a39Sopenharmony_ci COMP_CTX_free(s->expand); 255e1051a39Sopenharmony_ci s->expand = NULL; 256e1051a39Sopenharmony_ci if (comp != NULL) { 257e1051a39Sopenharmony_ci s->expand = COMP_CTX_new(comp->method); 258e1051a39Sopenharmony_ci if (s->expand == NULL) { 259e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 260e1051a39Sopenharmony_ci SSL_R_COMPRESSION_LIBRARY_ERROR); 261e1051a39Sopenharmony_ci goto err; 262e1051a39Sopenharmony_ci } 263e1051a39Sopenharmony_ci } 264e1051a39Sopenharmony_ci#endif 265e1051a39Sopenharmony_ci /* 266e1051a39Sopenharmony_ci * this is done by dtls1_reset_seq_numbers for DTLS 267e1051a39Sopenharmony_ci */ 268e1051a39Sopenharmony_ci if (!SSL_IS_DTLS(s)) 269e1051a39Sopenharmony_ci RECORD_LAYER_reset_read_sequence(&s->rlayer); 270e1051a39Sopenharmony_ci mac_secret = &(s->s3.read_mac_secret[0]); 271e1051a39Sopenharmony_ci mac_secret_size = &(s->s3.read_mac_secret_size); 272e1051a39Sopenharmony_ci } else { 273e1051a39Sopenharmony_ci s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; 274e1051a39Sopenharmony_ci if (s->ext.use_etm) 275e1051a39Sopenharmony_ci s->s3.flags |= TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 276e1051a39Sopenharmony_ci else 277e1051a39Sopenharmony_ci s->s3.flags &= ~TLS1_FLAGS_ENCRYPT_THEN_MAC_WRITE; 278e1051a39Sopenharmony_ci 279e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 280e1051a39Sopenharmony_ci s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 281e1051a39Sopenharmony_ci else 282e1051a39Sopenharmony_ci s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 283e1051a39Sopenharmony_ci 284e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm2 & TLS1_TLSTREE) 285e1051a39Sopenharmony_ci s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 286e1051a39Sopenharmony_ci else 287e1051a39Sopenharmony_ci s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_TLSTREE; 288e1051a39Sopenharmony_ci if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) { 289e1051a39Sopenharmony_ci reuse_dd = 1; 290e1051a39Sopenharmony_ci } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { 291e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 292e1051a39Sopenharmony_ci goto err; 293e1051a39Sopenharmony_ci } 294e1051a39Sopenharmony_ci dd = s->enc_write_ctx; 295e1051a39Sopenharmony_ci if (SSL_IS_DTLS(s)) { 296e1051a39Sopenharmony_ci mac_ctx = EVP_MD_CTX_new(); 297e1051a39Sopenharmony_ci if (mac_ctx == NULL) { 298e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 299e1051a39Sopenharmony_ci goto err; 300e1051a39Sopenharmony_ci } 301e1051a39Sopenharmony_ci s->write_hash = mac_ctx; 302e1051a39Sopenharmony_ci } else { 303e1051a39Sopenharmony_ci mac_ctx = ssl_replace_hash(&s->write_hash, NULL); 304e1051a39Sopenharmony_ci if (mac_ctx == NULL) { 305e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 306e1051a39Sopenharmony_ci goto err; 307e1051a39Sopenharmony_ci } 308e1051a39Sopenharmony_ci } 309e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_COMP 310e1051a39Sopenharmony_ci COMP_CTX_free(s->compress); 311e1051a39Sopenharmony_ci s->compress = NULL; 312e1051a39Sopenharmony_ci if (comp != NULL) { 313e1051a39Sopenharmony_ci s->compress = COMP_CTX_new(comp->method); 314e1051a39Sopenharmony_ci if (s->compress == NULL) { 315e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, 316e1051a39Sopenharmony_ci SSL_R_COMPRESSION_LIBRARY_ERROR); 317e1051a39Sopenharmony_ci goto err; 318e1051a39Sopenharmony_ci } 319e1051a39Sopenharmony_ci } 320e1051a39Sopenharmony_ci#endif 321e1051a39Sopenharmony_ci /* 322e1051a39Sopenharmony_ci * this is done by dtls1_reset_seq_numbers for DTLS 323e1051a39Sopenharmony_ci */ 324e1051a39Sopenharmony_ci if (!SSL_IS_DTLS(s)) 325e1051a39Sopenharmony_ci RECORD_LAYER_reset_write_sequence(&s->rlayer); 326e1051a39Sopenharmony_ci mac_secret = &(s->s3.write_mac_secret[0]); 327e1051a39Sopenharmony_ci mac_secret_size = &(s->s3.write_mac_secret_size); 328e1051a39Sopenharmony_ci } 329e1051a39Sopenharmony_ci 330e1051a39Sopenharmony_ci if (reuse_dd) 331e1051a39Sopenharmony_ci EVP_CIPHER_CTX_reset(dd); 332e1051a39Sopenharmony_ci 333e1051a39Sopenharmony_ci p = s->s3.tmp.key_block; 334e1051a39Sopenharmony_ci i = *mac_secret_size = s->s3.tmp.new_mac_secret_size; 335e1051a39Sopenharmony_ci 336e1051a39Sopenharmony_ci cl = EVP_CIPHER_get_key_length(c); 337e1051a39Sopenharmony_ci j = cl; 338e1051a39Sopenharmony_ci k = tls_iv_length_within_key_block(c); 339e1051a39Sopenharmony_ci if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 340e1051a39Sopenharmony_ci (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 341e1051a39Sopenharmony_ci ms = &(p[0]); 342e1051a39Sopenharmony_ci n = i + i; 343e1051a39Sopenharmony_ci key = &(p[n]); 344e1051a39Sopenharmony_ci n += j + j; 345e1051a39Sopenharmony_ci iv = &(p[n]); 346e1051a39Sopenharmony_ci n += k + k; 347e1051a39Sopenharmony_ci } else { 348e1051a39Sopenharmony_ci n = i; 349e1051a39Sopenharmony_ci ms = &(p[n]); 350e1051a39Sopenharmony_ci n += i + j; 351e1051a39Sopenharmony_ci key = &(p[n]); 352e1051a39Sopenharmony_ci n += j + k; 353e1051a39Sopenharmony_ci iv = &(p[n]); 354e1051a39Sopenharmony_ci n += k; 355e1051a39Sopenharmony_ci } 356e1051a39Sopenharmony_ci 357e1051a39Sopenharmony_ci if (n > s->s3.tmp.key_block_length) { 358e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 359e1051a39Sopenharmony_ci goto err; 360e1051a39Sopenharmony_ci } 361e1051a39Sopenharmony_ci 362e1051a39Sopenharmony_ci memcpy(mac_secret, ms, i); 363e1051a39Sopenharmony_ci 364e1051a39Sopenharmony_ci if (!(EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { 365e1051a39Sopenharmony_ci if (mac_type == EVP_PKEY_HMAC) { 366e1051a39Sopenharmony_ci mac_key = EVP_PKEY_new_raw_private_key_ex(s->ctx->libctx, "HMAC", 367e1051a39Sopenharmony_ci s->ctx->propq, mac_secret, 368e1051a39Sopenharmony_ci *mac_secret_size); 369e1051a39Sopenharmony_ci } else { 370e1051a39Sopenharmony_ci /* 371e1051a39Sopenharmony_ci * If its not HMAC then the only other types of MAC we support are 372e1051a39Sopenharmony_ci * the GOST MACs, so we need to use the old style way of creating 373e1051a39Sopenharmony_ci * a MAC key. 374e1051a39Sopenharmony_ci */ 375e1051a39Sopenharmony_ci mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, 376e1051a39Sopenharmony_ci (int)*mac_secret_size); 377e1051a39Sopenharmony_ci } 378e1051a39Sopenharmony_ci if (mac_key == NULL 379e1051a39Sopenharmony_ci || EVP_DigestSignInit_ex(mac_ctx, NULL, EVP_MD_get0_name(m), 380e1051a39Sopenharmony_ci s->ctx->libctx, s->ctx->propq, mac_key, 381e1051a39Sopenharmony_ci NULL) <= 0) { 382e1051a39Sopenharmony_ci EVP_PKEY_free(mac_key); 383e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 384e1051a39Sopenharmony_ci goto err; 385e1051a39Sopenharmony_ci } 386e1051a39Sopenharmony_ci EVP_PKEY_free(mac_key); 387e1051a39Sopenharmony_ci } 388e1051a39Sopenharmony_ci 389e1051a39Sopenharmony_ci OSSL_TRACE_BEGIN(TLS) { 390e1051a39Sopenharmony_ci BIO_printf(trc_out, "which = %04X, mac key:\n", which); 391e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, ms, i, 4); 392e1051a39Sopenharmony_ci } OSSL_TRACE_END(TLS); 393e1051a39Sopenharmony_ci 394e1051a39Sopenharmony_ci if (EVP_CIPHER_get_mode(c) == EVP_CIPH_GCM_MODE) { 395e1051a39Sopenharmony_ci if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) 396e1051a39Sopenharmony_ci || EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, (int)k, 397e1051a39Sopenharmony_ci iv) <= 0) { 398e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 399e1051a39Sopenharmony_ci goto err; 400e1051a39Sopenharmony_ci } 401e1051a39Sopenharmony_ci } else if (EVP_CIPHER_get_mode(c) == EVP_CIPH_CCM_MODE) { 402e1051a39Sopenharmony_ci int taglen; 403e1051a39Sopenharmony_ci if (s->s3.tmp. 404e1051a39Sopenharmony_ci new_cipher->algorithm_enc & (SSL_AES128CCM8 | SSL_AES256CCM8)) 405e1051a39Sopenharmony_ci taglen = EVP_CCM8_TLS_TAG_LEN; 406e1051a39Sopenharmony_ci else 407e1051a39Sopenharmony_ci taglen = EVP_CCM_TLS_TAG_LEN; 408e1051a39Sopenharmony_ci if (!EVP_CipherInit_ex(dd, c, NULL, NULL, NULL, (which & SSL3_CC_WRITE)) 409e1051a39Sopenharmony_ci || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_IVLEN, 12, NULL) <= 0) 410e1051a39Sopenharmony_ci || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_TAG, taglen, NULL) <= 0) 411e1051a39Sopenharmony_ci || (EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_CCM_SET_IV_FIXED, (int)k, iv) <= 0) 412e1051a39Sopenharmony_ci || !EVP_CipherInit_ex(dd, NULL, NULL, key, NULL, -1)) { 413e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 414e1051a39Sopenharmony_ci goto err; 415e1051a39Sopenharmony_ci } 416e1051a39Sopenharmony_ci } else { 417e1051a39Sopenharmony_ci if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { 418e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 419e1051a39Sopenharmony_ci goto err; 420e1051a39Sopenharmony_ci } 421e1051a39Sopenharmony_ci } 422e1051a39Sopenharmony_ci /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ 423e1051a39Sopenharmony_ci if ((EVP_CIPHER_get_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) 424e1051a39Sopenharmony_ci && *mac_secret_size 425e1051a39Sopenharmony_ci && EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, 426e1051a39Sopenharmony_ci (int)*mac_secret_size, mac_secret) <= 0) { 427e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 428e1051a39Sopenharmony_ci goto err; 429e1051a39Sopenharmony_ci } 430e1051a39Sopenharmony_ci if (EVP_CIPHER_get0_provider(c) != NULL 431e1051a39Sopenharmony_ci && !tls_provider_set_tls_params(s, dd, c, m)) { 432e1051a39Sopenharmony_ci /* SSLfatal already called */ 433e1051a39Sopenharmony_ci goto err; 434e1051a39Sopenharmony_ci } 435e1051a39Sopenharmony_ci 436e1051a39Sopenharmony_ci#ifndef OPENSSL_NO_KTLS 437e1051a39Sopenharmony_ci if (s->compress || (s->options & SSL_OP_ENABLE_KTLS) == 0) 438e1051a39Sopenharmony_ci goto skip_ktls; 439e1051a39Sopenharmony_ci 440e1051a39Sopenharmony_ci /* ktls supports only the maximum fragment size */ 441e1051a39Sopenharmony_ci if (ssl_get_max_send_fragment(s) != SSL3_RT_MAX_PLAIN_LENGTH) 442e1051a39Sopenharmony_ci goto skip_ktls; 443e1051a39Sopenharmony_ci 444e1051a39Sopenharmony_ci /* check that cipher is supported */ 445e1051a39Sopenharmony_ci if (!ktls_check_supported_cipher(s, c, dd)) 446e1051a39Sopenharmony_ci goto skip_ktls; 447e1051a39Sopenharmony_ci 448e1051a39Sopenharmony_ci if (which & SSL3_CC_WRITE) 449e1051a39Sopenharmony_ci bio = s->wbio; 450e1051a39Sopenharmony_ci else 451e1051a39Sopenharmony_ci bio = s->rbio; 452e1051a39Sopenharmony_ci 453e1051a39Sopenharmony_ci if (!ossl_assert(bio != NULL)) { 454e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 455e1051a39Sopenharmony_ci goto err; 456e1051a39Sopenharmony_ci } 457e1051a39Sopenharmony_ci 458e1051a39Sopenharmony_ci /* All future data will get encrypted by ktls. Flush the BIO or skip ktls */ 459e1051a39Sopenharmony_ci if (which & SSL3_CC_WRITE) { 460e1051a39Sopenharmony_ci if (BIO_flush(bio) <= 0) 461e1051a39Sopenharmony_ci goto skip_ktls; 462e1051a39Sopenharmony_ci } 463e1051a39Sopenharmony_ci 464e1051a39Sopenharmony_ci /* ktls doesn't support renegotiation */ 465e1051a39Sopenharmony_ci if ((BIO_get_ktls_send(s->wbio) && (which & SSL3_CC_WRITE)) || 466e1051a39Sopenharmony_ci (BIO_get_ktls_recv(s->rbio) && (which & SSL3_CC_READ))) { 467e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_NO_RENEGOTIATION, ERR_R_INTERNAL_ERROR); 468e1051a39Sopenharmony_ci goto err; 469e1051a39Sopenharmony_ci } 470e1051a39Sopenharmony_ci 471e1051a39Sopenharmony_ci if (which & SSL3_CC_WRITE) 472e1051a39Sopenharmony_ci rl_sequence = RECORD_LAYER_get_write_sequence(&s->rlayer); 473e1051a39Sopenharmony_ci else 474e1051a39Sopenharmony_ci rl_sequence = RECORD_LAYER_get_read_sequence(&s->rlayer); 475e1051a39Sopenharmony_ci 476e1051a39Sopenharmony_ci if (!ktls_configure_crypto(s, c, dd, rl_sequence, &crypto_info, &rec_seq, 477e1051a39Sopenharmony_ci iv, key, ms, *mac_secret_size)) 478e1051a39Sopenharmony_ci goto skip_ktls; 479e1051a39Sopenharmony_ci 480e1051a39Sopenharmony_ci if (which & SSL3_CC_READ) { 481e1051a39Sopenharmony_ci# ifndef OPENSSL_NO_KTLS_RX 482e1051a39Sopenharmony_ci count_unprocessed = count_unprocessed_records(s); 483e1051a39Sopenharmony_ci if (count_unprocessed < 0) 484e1051a39Sopenharmony_ci goto skip_ktls; 485e1051a39Sopenharmony_ci 486e1051a39Sopenharmony_ci /* increment the crypto_info record sequence */ 487e1051a39Sopenharmony_ci while (count_unprocessed) { 488e1051a39Sopenharmony_ci for (bit = 7; bit >= 0; bit--) { /* increment */ 489e1051a39Sopenharmony_ci ++rec_seq[bit]; 490e1051a39Sopenharmony_ci if (rec_seq[bit] != 0) 491e1051a39Sopenharmony_ci break; 492e1051a39Sopenharmony_ci } 493e1051a39Sopenharmony_ci count_unprocessed--; 494e1051a39Sopenharmony_ci } 495e1051a39Sopenharmony_ci# else 496e1051a39Sopenharmony_ci goto skip_ktls; 497e1051a39Sopenharmony_ci# endif 498e1051a39Sopenharmony_ci } 499e1051a39Sopenharmony_ci 500e1051a39Sopenharmony_ci /* ktls works with user provided buffers directly */ 501e1051a39Sopenharmony_ci if (BIO_set_ktls(bio, &crypto_info, which & SSL3_CC_WRITE)) { 502e1051a39Sopenharmony_ci if (which & SSL3_CC_WRITE) 503e1051a39Sopenharmony_ci ssl3_release_write_buffer(s); 504e1051a39Sopenharmony_ci SSL_set_options(s, SSL_OP_NO_RENEGOTIATION); 505e1051a39Sopenharmony_ci } 506e1051a39Sopenharmony_ci 507e1051a39Sopenharmony_ci skip_ktls: 508e1051a39Sopenharmony_ci#endif /* OPENSSL_NO_KTLS */ 509e1051a39Sopenharmony_ci s->statem.enc_write_state = ENC_WRITE_STATE_VALID; 510e1051a39Sopenharmony_ci 511e1051a39Sopenharmony_ci OSSL_TRACE_BEGIN(TLS) { 512e1051a39Sopenharmony_ci BIO_printf(trc_out, "which = %04X, key:\n", which); 513e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, key, EVP_CIPHER_get_key_length(c), 4); 514e1051a39Sopenharmony_ci BIO_printf(trc_out, "iv:\n"); 515e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, iv, k, 4); 516e1051a39Sopenharmony_ci } OSSL_TRACE_END(TLS); 517e1051a39Sopenharmony_ci 518e1051a39Sopenharmony_ci return 1; 519e1051a39Sopenharmony_ci err: 520e1051a39Sopenharmony_ci return 0; 521e1051a39Sopenharmony_ci} 522e1051a39Sopenharmony_ci 523e1051a39Sopenharmony_ciint tls1_setup_key_block(SSL *s) 524e1051a39Sopenharmony_ci{ 525e1051a39Sopenharmony_ci unsigned char *p; 526e1051a39Sopenharmony_ci const EVP_CIPHER *c; 527e1051a39Sopenharmony_ci const EVP_MD *hash; 528e1051a39Sopenharmony_ci SSL_COMP *comp; 529e1051a39Sopenharmony_ci int mac_type = NID_undef; 530e1051a39Sopenharmony_ci size_t num, mac_secret_size = 0; 531e1051a39Sopenharmony_ci int ret = 0; 532e1051a39Sopenharmony_ci 533e1051a39Sopenharmony_ci if (s->s3.tmp.key_block_length != 0) 534e1051a39Sopenharmony_ci return 1; 535e1051a39Sopenharmony_ci 536e1051a39Sopenharmony_ci if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, &mac_type, 537e1051a39Sopenharmony_ci &mac_secret_size, &comp, s->ext.use_etm)) { 538e1051a39Sopenharmony_ci /* Error is already recorded */ 539e1051a39Sopenharmony_ci SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 540e1051a39Sopenharmony_ci return 0; 541e1051a39Sopenharmony_ci } 542e1051a39Sopenharmony_ci 543e1051a39Sopenharmony_ci ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 544e1051a39Sopenharmony_ci s->s3.tmp.new_sym_enc = c; 545e1051a39Sopenharmony_ci ssl_evp_md_free(s->s3.tmp.new_hash); 546e1051a39Sopenharmony_ci s->s3.tmp.new_hash = hash; 547e1051a39Sopenharmony_ci s->s3.tmp.new_mac_pkey_type = mac_type; 548e1051a39Sopenharmony_ci s->s3.tmp.new_mac_secret_size = mac_secret_size; 549e1051a39Sopenharmony_ci num = mac_secret_size + EVP_CIPHER_get_key_length(c) 550e1051a39Sopenharmony_ci + tls_iv_length_within_key_block(c); 551e1051a39Sopenharmony_ci num *= 2; 552e1051a39Sopenharmony_ci 553e1051a39Sopenharmony_ci ssl3_cleanup_key_block(s); 554e1051a39Sopenharmony_ci 555e1051a39Sopenharmony_ci if ((p = OPENSSL_malloc(num)) == NULL) { 556e1051a39Sopenharmony_ci SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_MALLOC_FAILURE); 557e1051a39Sopenharmony_ci goto err; 558e1051a39Sopenharmony_ci } 559e1051a39Sopenharmony_ci 560e1051a39Sopenharmony_ci s->s3.tmp.key_block_length = num; 561e1051a39Sopenharmony_ci s->s3.tmp.key_block = p; 562e1051a39Sopenharmony_ci 563e1051a39Sopenharmony_ci OSSL_TRACE_BEGIN(TLS) { 564e1051a39Sopenharmony_ci BIO_printf(trc_out, "key block length: %zu\n", num); 565e1051a39Sopenharmony_ci BIO_printf(trc_out, "client random\n"); 566e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 567e1051a39Sopenharmony_ci BIO_printf(trc_out, "server random\n"); 568e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 569e1051a39Sopenharmony_ci BIO_printf(trc_out, "master key\n"); 570e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, 571e1051a39Sopenharmony_ci s->session->master_key, 572e1051a39Sopenharmony_ci s->session->master_key_length, 4); 573e1051a39Sopenharmony_ci } OSSL_TRACE_END(TLS); 574e1051a39Sopenharmony_ci 575e1051a39Sopenharmony_ci if (!tls1_generate_key_block(s, p, num)) { 576e1051a39Sopenharmony_ci /* SSLfatal() already called */ 577e1051a39Sopenharmony_ci goto err; 578e1051a39Sopenharmony_ci } 579e1051a39Sopenharmony_ci 580e1051a39Sopenharmony_ci OSSL_TRACE_BEGIN(TLS) { 581e1051a39Sopenharmony_ci BIO_printf(trc_out, "key block\n"); 582e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, p, num, 4); 583e1051a39Sopenharmony_ci } OSSL_TRACE_END(TLS); 584e1051a39Sopenharmony_ci 585e1051a39Sopenharmony_ci if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) 586e1051a39Sopenharmony_ci && s->method->version <= TLS1_VERSION) { 587e1051a39Sopenharmony_ci /* 588e1051a39Sopenharmony_ci * enable vulnerability countermeasure for CBC ciphers with known-IV 589e1051a39Sopenharmony_ci * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 590e1051a39Sopenharmony_ci */ 591e1051a39Sopenharmony_ci s->s3.need_empty_fragments = 1; 592e1051a39Sopenharmony_ci 593e1051a39Sopenharmony_ci if (s->session->cipher != NULL) { 594e1051a39Sopenharmony_ci if (s->session->cipher->algorithm_enc == SSL_eNULL) 595e1051a39Sopenharmony_ci s->s3.need_empty_fragments = 0; 596e1051a39Sopenharmony_ci 597e1051a39Sopenharmony_ci if (s->session->cipher->algorithm_enc == SSL_RC4) 598e1051a39Sopenharmony_ci s->s3.need_empty_fragments = 0; 599e1051a39Sopenharmony_ci } 600e1051a39Sopenharmony_ci } 601e1051a39Sopenharmony_ci 602e1051a39Sopenharmony_ci ret = 1; 603e1051a39Sopenharmony_ci err: 604e1051a39Sopenharmony_ci return ret; 605e1051a39Sopenharmony_ci} 606e1051a39Sopenharmony_ci 607e1051a39Sopenharmony_cisize_t tls1_final_finish_mac(SSL *s, const char *str, size_t slen, 608e1051a39Sopenharmony_ci unsigned char *out) 609e1051a39Sopenharmony_ci{ 610e1051a39Sopenharmony_ci size_t hashlen; 611e1051a39Sopenharmony_ci unsigned char hash[EVP_MAX_MD_SIZE]; 612e1051a39Sopenharmony_ci size_t finished_size = TLS1_FINISH_MAC_LENGTH; 613e1051a39Sopenharmony_ci 614e1051a39Sopenharmony_ci if (s->s3.tmp.new_cipher->algorithm_mkey & SSL_kGOST18) 615e1051a39Sopenharmony_ci finished_size = 32; 616e1051a39Sopenharmony_ci 617e1051a39Sopenharmony_ci if (!ssl3_digest_cached_records(s, 0)) { 618e1051a39Sopenharmony_ci /* SSLfatal() already called */ 619e1051a39Sopenharmony_ci return 0; 620e1051a39Sopenharmony_ci } 621e1051a39Sopenharmony_ci 622e1051a39Sopenharmony_ci if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 623e1051a39Sopenharmony_ci /* SSLfatal() already called */ 624e1051a39Sopenharmony_ci return 0; 625e1051a39Sopenharmony_ci } 626e1051a39Sopenharmony_ci 627e1051a39Sopenharmony_ci if (!tls1_PRF(s, str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, 628e1051a39Sopenharmony_ci s->session->master_key, s->session->master_key_length, 629e1051a39Sopenharmony_ci out, finished_size, 1)) { 630e1051a39Sopenharmony_ci /* SSLfatal() already called */ 631e1051a39Sopenharmony_ci return 0; 632e1051a39Sopenharmony_ci } 633e1051a39Sopenharmony_ci OPENSSL_cleanse(hash, hashlen); 634e1051a39Sopenharmony_ci return finished_size; 635e1051a39Sopenharmony_ci} 636e1051a39Sopenharmony_ci 637e1051a39Sopenharmony_ciint tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 638e1051a39Sopenharmony_ci size_t len, size_t *secret_size) 639e1051a39Sopenharmony_ci{ 640e1051a39Sopenharmony_ci if (s->session->flags & SSL_SESS_FLAG_EXTMS) { 641e1051a39Sopenharmony_ci unsigned char hash[EVP_MAX_MD_SIZE * 2]; 642e1051a39Sopenharmony_ci size_t hashlen; 643e1051a39Sopenharmony_ci /* 644e1051a39Sopenharmony_ci * Digest cached records keeping record buffer (if present): this won't 645e1051a39Sopenharmony_ci * affect client auth because we're freezing the buffer at the same 646e1051a39Sopenharmony_ci * point (after client key exchange and before certificate verify) 647e1051a39Sopenharmony_ci */ 648e1051a39Sopenharmony_ci if (!ssl3_digest_cached_records(s, 1) 649e1051a39Sopenharmony_ci || !ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) { 650e1051a39Sopenharmony_ci /* SSLfatal() already called */ 651e1051a39Sopenharmony_ci return 0; 652e1051a39Sopenharmony_ci } 653e1051a39Sopenharmony_ci OSSL_TRACE_BEGIN(TLS) { 654e1051a39Sopenharmony_ci BIO_printf(trc_out, "Handshake hashes:\n"); 655e1051a39Sopenharmony_ci BIO_dump(trc_out, (char *)hash, hashlen); 656e1051a39Sopenharmony_ci } OSSL_TRACE_END(TLS); 657e1051a39Sopenharmony_ci if (!tls1_PRF(s, 658e1051a39Sopenharmony_ci TLS_MD_EXTENDED_MASTER_SECRET_CONST, 659e1051a39Sopenharmony_ci TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, 660e1051a39Sopenharmony_ci hash, hashlen, 661e1051a39Sopenharmony_ci NULL, 0, 662e1051a39Sopenharmony_ci NULL, 0, 663e1051a39Sopenharmony_ci NULL, 0, p, len, out, 664e1051a39Sopenharmony_ci SSL3_MASTER_SECRET_SIZE, 1)) { 665e1051a39Sopenharmony_ci /* SSLfatal() already called */ 666e1051a39Sopenharmony_ci return 0; 667e1051a39Sopenharmony_ci } 668e1051a39Sopenharmony_ci OPENSSL_cleanse(hash, hashlen); 669e1051a39Sopenharmony_ci } else { 670e1051a39Sopenharmony_ci if (!tls1_PRF(s, 671e1051a39Sopenharmony_ci TLS_MD_MASTER_SECRET_CONST, 672e1051a39Sopenharmony_ci TLS_MD_MASTER_SECRET_CONST_SIZE, 673e1051a39Sopenharmony_ci s->s3.client_random, SSL3_RANDOM_SIZE, 674e1051a39Sopenharmony_ci NULL, 0, 675e1051a39Sopenharmony_ci s->s3.server_random, SSL3_RANDOM_SIZE, 676e1051a39Sopenharmony_ci NULL, 0, p, len, out, 677e1051a39Sopenharmony_ci SSL3_MASTER_SECRET_SIZE, 1)) { 678e1051a39Sopenharmony_ci /* SSLfatal() already called */ 679e1051a39Sopenharmony_ci return 0; 680e1051a39Sopenharmony_ci } 681e1051a39Sopenharmony_ci } 682e1051a39Sopenharmony_ci 683e1051a39Sopenharmony_ci OSSL_TRACE_BEGIN(TLS) { 684e1051a39Sopenharmony_ci BIO_printf(trc_out, "Premaster Secret:\n"); 685e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, p, len, 4); 686e1051a39Sopenharmony_ci BIO_printf(trc_out, "Client Random:\n"); 687e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, s->s3.client_random, SSL3_RANDOM_SIZE, 4); 688e1051a39Sopenharmony_ci BIO_printf(trc_out, "Server Random:\n"); 689e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, s->s3.server_random, SSL3_RANDOM_SIZE, 4); 690e1051a39Sopenharmony_ci BIO_printf(trc_out, "Master Secret:\n"); 691e1051a39Sopenharmony_ci BIO_dump_indent(trc_out, 692e1051a39Sopenharmony_ci s->session->master_key, 693e1051a39Sopenharmony_ci SSL3_MASTER_SECRET_SIZE, 4); 694e1051a39Sopenharmony_ci } OSSL_TRACE_END(TLS); 695e1051a39Sopenharmony_ci 696e1051a39Sopenharmony_ci *secret_size = SSL3_MASTER_SECRET_SIZE; 697e1051a39Sopenharmony_ci return 1; 698e1051a39Sopenharmony_ci} 699e1051a39Sopenharmony_ci 700e1051a39Sopenharmony_ciint tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, 701e1051a39Sopenharmony_ci const char *label, size_t llen, 702e1051a39Sopenharmony_ci const unsigned char *context, 703e1051a39Sopenharmony_ci size_t contextlen, int use_context) 704e1051a39Sopenharmony_ci{ 705e1051a39Sopenharmony_ci unsigned char *val = NULL; 706e1051a39Sopenharmony_ci size_t vallen = 0, currentvalpos; 707e1051a39Sopenharmony_ci int rv; 708e1051a39Sopenharmony_ci 709e1051a39Sopenharmony_ci /* 710e1051a39Sopenharmony_ci * construct PRF arguments we construct the PRF argument ourself rather 711e1051a39Sopenharmony_ci * than passing separate values into the TLS PRF to ensure that the 712e1051a39Sopenharmony_ci * concatenation of values does not create a prohibited label. 713e1051a39Sopenharmony_ci */ 714e1051a39Sopenharmony_ci vallen = llen + SSL3_RANDOM_SIZE * 2; 715e1051a39Sopenharmony_ci if (use_context) { 716e1051a39Sopenharmony_ci vallen += 2 + contextlen; 717e1051a39Sopenharmony_ci } 718e1051a39Sopenharmony_ci 719e1051a39Sopenharmony_ci val = OPENSSL_malloc(vallen); 720e1051a39Sopenharmony_ci if (val == NULL) 721e1051a39Sopenharmony_ci goto err2; 722e1051a39Sopenharmony_ci currentvalpos = 0; 723e1051a39Sopenharmony_ci memcpy(val + currentvalpos, (unsigned char *)label, llen); 724e1051a39Sopenharmony_ci currentvalpos += llen; 725e1051a39Sopenharmony_ci memcpy(val + currentvalpos, s->s3.client_random, SSL3_RANDOM_SIZE); 726e1051a39Sopenharmony_ci currentvalpos += SSL3_RANDOM_SIZE; 727e1051a39Sopenharmony_ci memcpy(val + currentvalpos, s->s3.server_random, SSL3_RANDOM_SIZE); 728e1051a39Sopenharmony_ci currentvalpos += SSL3_RANDOM_SIZE; 729e1051a39Sopenharmony_ci 730e1051a39Sopenharmony_ci if (use_context) { 731e1051a39Sopenharmony_ci val[currentvalpos] = (contextlen >> 8) & 0xff; 732e1051a39Sopenharmony_ci currentvalpos++; 733e1051a39Sopenharmony_ci val[currentvalpos] = contextlen & 0xff; 734e1051a39Sopenharmony_ci currentvalpos++; 735e1051a39Sopenharmony_ci if ((contextlen > 0) || (context != NULL)) { 736e1051a39Sopenharmony_ci memcpy(val + currentvalpos, context, contextlen); 737e1051a39Sopenharmony_ci } 738e1051a39Sopenharmony_ci } 739e1051a39Sopenharmony_ci 740e1051a39Sopenharmony_ci /* 741e1051a39Sopenharmony_ci * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited 742e1051a39Sopenharmony_ci * label len) = 15, so size of val > max(prohibited label len) = 15 and 743e1051a39Sopenharmony_ci * the comparisons won't have buffer overflow 744e1051a39Sopenharmony_ci */ 745e1051a39Sopenharmony_ci if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, 746e1051a39Sopenharmony_ci TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) 747e1051a39Sopenharmony_ci goto err1; 748e1051a39Sopenharmony_ci if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, 749e1051a39Sopenharmony_ci TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) 750e1051a39Sopenharmony_ci goto err1; 751e1051a39Sopenharmony_ci if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, 752e1051a39Sopenharmony_ci TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) 753e1051a39Sopenharmony_ci goto err1; 754e1051a39Sopenharmony_ci if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, 755e1051a39Sopenharmony_ci TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0) 756e1051a39Sopenharmony_ci goto err1; 757e1051a39Sopenharmony_ci if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, 758e1051a39Sopenharmony_ci TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) 759e1051a39Sopenharmony_ci goto err1; 760e1051a39Sopenharmony_ci 761e1051a39Sopenharmony_ci rv = tls1_PRF(s, 762e1051a39Sopenharmony_ci val, vallen, 763e1051a39Sopenharmony_ci NULL, 0, 764e1051a39Sopenharmony_ci NULL, 0, 765e1051a39Sopenharmony_ci NULL, 0, 766e1051a39Sopenharmony_ci NULL, 0, 767e1051a39Sopenharmony_ci s->session->master_key, s->session->master_key_length, 768e1051a39Sopenharmony_ci out, olen, 0); 769e1051a39Sopenharmony_ci 770e1051a39Sopenharmony_ci goto ret; 771e1051a39Sopenharmony_ci err1: 772e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); 773e1051a39Sopenharmony_ci rv = 0; 774e1051a39Sopenharmony_ci goto ret; 775e1051a39Sopenharmony_ci err2: 776e1051a39Sopenharmony_ci ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); 777e1051a39Sopenharmony_ci rv = 0; 778e1051a39Sopenharmony_ci ret: 779e1051a39Sopenharmony_ci OPENSSL_clear_free(val, vallen); 780e1051a39Sopenharmony_ci return rv; 781e1051a39Sopenharmony_ci} 782e1051a39Sopenharmony_ci 783e1051a39Sopenharmony_ciint tls1_alert_code(int code) 784e1051a39Sopenharmony_ci{ 785e1051a39Sopenharmony_ci switch (code) { 786e1051a39Sopenharmony_ci case SSL_AD_CLOSE_NOTIFY: 787e1051a39Sopenharmony_ci return SSL3_AD_CLOSE_NOTIFY; 788e1051a39Sopenharmony_ci case SSL_AD_UNEXPECTED_MESSAGE: 789e1051a39Sopenharmony_ci return SSL3_AD_UNEXPECTED_MESSAGE; 790e1051a39Sopenharmony_ci case SSL_AD_BAD_RECORD_MAC: 791e1051a39Sopenharmony_ci return SSL3_AD_BAD_RECORD_MAC; 792e1051a39Sopenharmony_ci case SSL_AD_DECRYPTION_FAILED: 793e1051a39Sopenharmony_ci return TLS1_AD_DECRYPTION_FAILED; 794e1051a39Sopenharmony_ci case SSL_AD_RECORD_OVERFLOW: 795e1051a39Sopenharmony_ci return TLS1_AD_RECORD_OVERFLOW; 796e1051a39Sopenharmony_ci case SSL_AD_DECOMPRESSION_FAILURE: 797e1051a39Sopenharmony_ci return SSL3_AD_DECOMPRESSION_FAILURE; 798e1051a39Sopenharmony_ci case SSL_AD_HANDSHAKE_FAILURE: 799e1051a39Sopenharmony_ci return SSL3_AD_HANDSHAKE_FAILURE; 800e1051a39Sopenharmony_ci case SSL_AD_NO_CERTIFICATE: 801e1051a39Sopenharmony_ci return -1; 802e1051a39Sopenharmony_ci case SSL_AD_BAD_CERTIFICATE: 803e1051a39Sopenharmony_ci return SSL3_AD_BAD_CERTIFICATE; 804e1051a39Sopenharmony_ci case SSL_AD_UNSUPPORTED_CERTIFICATE: 805e1051a39Sopenharmony_ci return SSL3_AD_UNSUPPORTED_CERTIFICATE; 806e1051a39Sopenharmony_ci case SSL_AD_CERTIFICATE_REVOKED: 807e1051a39Sopenharmony_ci return SSL3_AD_CERTIFICATE_REVOKED; 808e1051a39Sopenharmony_ci case SSL_AD_CERTIFICATE_EXPIRED: 809e1051a39Sopenharmony_ci return SSL3_AD_CERTIFICATE_EXPIRED; 810e1051a39Sopenharmony_ci case SSL_AD_CERTIFICATE_UNKNOWN: 811e1051a39Sopenharmony_ci return SSL3_AD_CERTIFICATE_UNKNOWN; 812e1051a39Sopenharmony_ci case SSL_AD_ILLEGAL_PARAMETER: 813e1051a39Sopenharmony_ci return SSL3_AD_ILLEGAL_PARAMETER; 814e1051a39Sopenharmony_ci case SSL_AD_UNKNOWN_CA: 815e1051a39Sopenharmony_ci return TLS1_AD_UNKNOWN_CA; 816e1051a39Sopenharmony_ci case SSL_AD_ACCESS_DENIED: 817e1051a39Sopenharmony_ci return TLS1_AD_ACCESS_DENIED; 818e1051a39Sopenharmony_ci case SSL_AD_DECODE_ERROR: 819e1051a39Sopenharmony_ci return TLS1_AD_DECODE_ERROR; 820e1051a39Sopenharmony_ci case SSL_AD_DECRYPT_ERROR: 821e1051a39Sopenharmony_ci return TLS1_AD_DECRYPT_ERROR; 822e1051a39Sopenharmony_ci case SSL_AD_EXPORT_RESTRICTION: 823e1051a39Sopenharmony_ci return TLS1_AD_EXPORT_RESTRICTION; 824e1051a39Sopenharmony_ci case SSL_AD_PROTOCOL_VERSION: 825e1051a39Sopenharmony_ci return TLS1_AD_PROTOCOL_VERSION; 826e1051a39Sopenharmony_ci case SSL_AD_INSUFFICIENT_SECURITY: 827e1051a39Sopenharmony_ci return TLS1_AD_INSUFFICIENT_SECURITY; 828e1051a39Sopenharmony_ci case SSL_AD_INTERNAL_ERROR: 829e1051a39Sopenharmony_ci return TLS1_AD_INTERNAL_ERROR; 830e1051a39Sopenharmony_ci case SSL_AD_USER_CANCELLED: 831e1051a39Sopenharmony_ci return TLS1_AD_USER_CANCELLED; 832e1051a39Sopenharmony_ci case SSL_AD_NO_RENEGOTIATION: 833e1051a39Sopenharmony_ci return TLS1_AD_NO_RENEGOTIATION; 834e1051a39Sopenharmony_ci case SSL_AD_UNSUPPORTED_EXTENSION: 835e1051a39Sopenharmony_ci return TLS1_AD_UNSUPPORTED_EXTENSION; 836e1051a39Sopenharmony_ci case SSL_AD_CERTIFICATE_UNOBTAINABLE: 837e1051a39Sopenharmony_ci return TLS1_AD_CERTIFICATE_UNOBTAINABLE; 838e1051a39Sopenharmony_ci case SSL_AD_UNRECOGNIZED_NAME: 839e1051a39Sopenharmony_ci return TLS1_AD_UNRECOGNIZED_NAME; 840e1051a39Sopenharmony_ci case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 841e1051a39Sopenharmony_ci return TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE; 842e1051a39Sopenharmony_ci case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 843e1051a39Sopenharmony_ci return TLS1_AD_BAD_CERTIFICATE_HASH_VALUE; 844e1051a39Sopenharmony_ci case SSL_AD_UNKNOWN_PSK_IDENTITY: 845e1051a39Sopenharmony_ci return TLS1_AD_UNKNOWN_PSK_IDENTITY; 846e1051a39Sopenharmony_ci case SSL_AD_INAPPROPRIATE_FALLBACK: 847e1051a39Sopenharmony_ci return TLS1_AD_INAPPROPRIATE_FALLBACK; 848e1051a39Sopenharmony_ci case SSL_AD_NO_APPLICATION_PROTOCOL: 849e1051a39Sopenharmony_ci return TLS1_AD_NO_APPLICATION_PROTOCOL; 850e1051a39Sopenharmony_ci case SSL_AD_CERTIFICATE_REQUIRED: 851e1051a39Sopenharmony_ci return SSL_AD_HANDSHAKE_FAILURE; 852e1051a39Sopenharmony_ci case TLS13_AD_MISSING_EXTENSION: 853e1051a39Sopenharmony_ci return SSL_AD_HANDSHAKE_FAILURE; 854e1051a39Sopenharmony_ci default: 855e1051a39Sopenharmony_ci return -1; 856e1051a39Sopenharmony_ci } 857e1051a39Sopenharmony_ci} 858