t1_enc.c 33 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106
  1. /* ssl/t1_enc.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2005 Nokia. All rights reserved.
  113. *
  114. * The portions of the attached software ("Contribution") is developed by
  115. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  116. * license.
  117. *
  118. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  119. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  120. * support (see RFC 4279) to OpenSSL.
  121. *
  122. * No patent licenses or other rights except those expressly stated in
  123. * the OpenSSL open source license shall be deemed granted or received
  124. * expressly, by implication, estoppel, or otherwise.
  125. *
  126. * No assurances are provided by Nokia that the Contribution does not
  127. * infringe the patent or other intellectual property rights of any third
  128. * party or that the license provides you with all the necessary rights
  129. * to make use of the Contribution.
  130. *
  131. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  132. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  133. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  134. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  135. * OTHERWISE.
  136. */
  137. #include <stdio.h>
  138. #include "ssl_locl.h"
  139. #ifndef OPENSSL_NO_COMP
  140. #include <openssl/comp.h>
  141. #endif
  142. #include <openssl/evp.h>
  143. #include <openssl/hmac.h>
  144. #include <openssl/md5.h>
  145. #include <openssl/rand.h>
  146. #ifdef KSSL_DEBUG
  147. #include <openssl/des.h>
  148. #endif
  149. /* seed1 through seed5 are virtually concatenated */
  150. static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
  151. int sec_len,
  152. const void *seed1, int seed1_len,
  153. const void *seed2, int seed2_len,
  154. const void *seed3, int seed3_len,
  155. const void *seed4, int seed4_len,
  156. const void *seed5, int seed5_len,
  157. unsigned char *out, int olen)
  158. {
  159. int chunk;
  160. size_t j;
  161. EVP_MD_CTX ctx, ctx_tmp;
  162. EVP_PKEY *mac_key;
  163. unsigned char A1[EVP_MAX_MD_SIZE];
  164. size_t A1_len;
  165. int ret = 0;
  166. chunk=EVP_MD_size(md);
  167. OPENSSL_assert(chunk >= 0);
  168. EVP_MD_CTX_init(&ctx);
  169. EVP_MD_CTX_init(&ctx_tmp);
  170. mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
  171. if (!mac_key)
  172. goto err;
  173. if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
  174. goto err;
  175. if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key))
  176. goto err;
  177. if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len))
  178. goto err;
  179. if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len))
  180. goto err;
  181. if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len))
  182. goto err;
  183. if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len))
  184. goto err;
  185. if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len))
  186. goto err;
  187. if (!EVP_DigestSignFinal(&ctx,A1,&A1_len))
  188. goto err;
  189. for (;;)
  190. {
  191. /* Reinit mac contexts */
  192. if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
  193. goto err;
  194. if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key))
  195. goto err;
  196. if (!EVP_DigestSignUpdate(&ctx,A1,A1_len))
  197. goto err;
  198. if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len))
  199. goto err;
  200. if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len))
  201. goto err;
  202. if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len))
  203. goto err;
  204. if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len))
  205. goto err;
  206. if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len))
  207. goto err;
  208. if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len))
  209. goto err;
  210. if (olen > chunk)
  211. {
  212. if (!EVP_DigestSignFinal(&ctx,out,&j))
  213. goto err;
  214. out+=j;
  215. olen-=j;
  216. /* calc the next A1 value */
  217. if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len))
  218. goto err;
  219. }
  220. else /* last one */
  221. {
  222. if (!EVP_DigestSignFinal(&ctx,A1,&A1_len))
  223. goto err;
  224. memcpy(out,A1,olen);
  225. break;
  226. }
  227. }
  228. ret = 1;
  229. err:
  230. EVP_PKEY_free(mac_key);
  231. EVP_MD_CTX_cleanup(&ctx);
  232. EVP_MD_CTX_cleanup(&ctx_tmp);
  233. OPENSSL_cleanse(A1,sizeof(A1));
  234. return ret;
  235. }
  236. /* seed1 through seed5 are virtually concatenated */
  237. static int tls1_PRF(long digest_mask,
  238. const void *seed1, int seed1_len,
  239. const void *seed2, int seed2_len,
  240. const void *seed3, int seed3_len,
  241. const void *seed4, int seed4_len,
  242. const void *seed5, int seed5_len,
  243. const unsigned char *sec, int slen,
  244. unsigned char *out1,
  245. unsigned char *out2, int olen)
  246. {
  247. int len,i,idx,count;
  248. const unsigned char *S1;
  249. long m;
  250. const EVP_MD *md;
  251. int ret = 0;
  252. /* Count number of digests and partition sec evenly */
  253. count=0;
  254. for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
  255. if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++;
  256. }
  257. len=slen/count;
  258. S1=sec;
  259. memset(out1,0,olen);
  260. for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
  261. if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) {
  262. if (!md) {
  263. SSLerr(SSL_F_TLS1_PRF,
  264. SSL_R_UNSUPPORTED_DIGEST_TYPE);
  265. goto err;
  266. }
  267. if (!tls1_P_hash(md ,S1,len+(slen&1),
  268. seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len,
  269. out2,olen))
  270. goto err;
  271. S1+=len;
  272. for (i=0; i<olen; i++)
  273. {
  274. out1[i]^=out2[i];
  275. }
  276. }
  277. }
  278. ret = 1;
  279. err:
  280. return ret;
  281. }
  282. static int tls1_generate_key_block(SSL *s, unsigned char *km,
  283. unsigned char *tmp, int num)
  284. {
  285. int ret;
  286. ret = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
  287. TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE,
  288. s->s3->server_random,SSL3_RANDOM_SIZE,
  289. s->s3->client_random,SSL3_RANDOM_SIZE,
  290. NULL,0,NULL,0,
  291. s->session->master_key,s->session->master_key_length,
  292. km,tmp,num);
  293. #ifdef KSSL_DEBUG
  294. printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
  295. s->session->master_key_length);
  296. {
  297. int i;
  298. for (i=0; i < s->session->master_key_length; i++)
  299. {
  300. printf("%02X", s->session->master_key[i]);
  301. }
  302. printf("\n"); }
  303. #endif /* KSSL_DEBUG */
  304. return ret;
  305. }
  306. int tls1_change_cipher_state(SSL *s, int which)
  307. {
  308. static const unsigned char empty[]="";
  309. unsigned char *p,*mac_secret;
  310. unsigned char *exp_label;
  311. unsigned char tmp1[EVP_MAX_KEY_LENGTH];
  312. unsigned char tmp2[EVP_MAX_KEY_LENGTH];
  313. unsigned char iv1[EVP_MAX_IV_LENGTH*2];
  314. unsigned char iv2[EVP_MAX_IV_LENGTH*2];
  315. unsigned char *ms,*key,*iv;
  316. int client_write;
  317. EVP_CIPHER_CTX *dd;
  318. const EVP_CIPHER *c;
  319. #ifndef OPENSSL_NO_COMP
  320. const SSL_COMP *comp;
  321. #endif
  322. const EVP_MD *m;
  323. int mac_type;
  324. int *mac_secret_size;
  325. EVP_MD_CTX *mac_ctx;
  326. EVP_PKEY *mac_key;
  327. int is_export,n,i,j,k,exp_label_len,cl;
  328. int reuse_dd = 0;
  329. is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
  330. c=s->s3->tmp.new_sym_enc;
  331. m=s->s3->tmp.new_hash;
  332. mac_type = s->s3->tmp.new_mac_pkey_type;
  333. #ifndef OPENSSL_NO_COMP
  334. comp=s->s3->tmp.new_compression;
  335. #endif
  336. #ifdef KSSL_DEBUG
  337. printf("tls1_change_cipher_state(which= %d) w/\n", which);
  338. printf("\talg= %ld/%ld, comp= %p\n",
  339. s->s3->tmp.new_cipher->algorithm_mkey,
  340. s->s3->tmp.new_cipher->algorithm_auth,
  341. comp);
  342. printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
  343. printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
  344. c->nid,c->block_size,c->key_len,c->iv_len);
  345. printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
  346. {
  347. int i;
  348. for (i=0; i<s->s3->tmp.key_block_length; i++)
  349. printf("%02x", key_block[i]); printf("\n");
  350. }
  351. #endif /* KSSL_DEBUG */
  352. if (which & SSL3_CC_READ)
  353. {
  354. if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
  355. s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
  356. else
  357. s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
  358. if (s->enc_read_ctx != NULL)
  359. reuse_dd = 1;
  360. else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  361. goto err;
  362. else
  363. /* make sure it's intialized in case we exit later with an error */
  364. EVP_CIPHER_CTX_init(s->enc_read_ctx);
  365. dd= s->enc_read_ctx;
  366. mac_ctx=ssl_replace_hash(&s->read_hash,NULL);
  367. #ifndef OPENSSL_NO_COMP
  368. if (s->expand != NULL)
  369. {
  370. COMP_CTX_free(s->expand);
  371. s->expand=NULL;
  372. }
  373. if (comp != NULL)
  374. {
  375. s->expand=COMP_CTX_new(comp->method);
  376. if (s->expand == NULL)
  377. {
  378. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
  379. goto err2;
  380. }
  381. if (s->s3->rrec.comp == NULL)
  382. s->s3->rrec.comp=(unsigned char *)
  383. OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
  384. if (s->s3->rrec.comp == NULL)
  385. goto err;
  386. }
  387. #endif
  388. /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
  389. if (s->version != DTLS1_VERSION)
  390. memset(&(s->s3->read_sequence[0]),0,8);
  391. mac_secret= &(s->s3->read_mac_secret[0]);
  392. mac_secret_size=&(s->s3->read_mac_secret_size);
  393. }
  394. else
  395. {
  396. if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
  397. s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
  398. else
  399. s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
  400. if (s->enc_write_ctx != NULL)
  401. reuse_dd = 1;
  402. else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  403. goto err;
  404. else
  405. /* make sure it's intialized in case we exit later with an error */
  406. EVP_CIPHER_CTX_init(s->enc_write_ctx);
  407. dd= s->enc_write_ctx;
  408. mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
  409. #ifndef OPENSSL_NO_COMP
  410. if (s->compress != NULL)
  411. {
  412. COMP_CTX_free(s->compress);
  413. s->compress=NULL;
  414. }
  415. if (comp != NULL)
  416. {
  417. s->compress=COMP_CTX_new(comp->method);
  418. if (s->compress == NULL)
  419. {
  420. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
  421. goto err2;
  422. }
  423. }
  424. #endif
  425. /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
  426. if (s->version != DTLS1_VERSION)
  427. memset(&(s->s3->write_sequence[0]),0,8);
  428. mac_secret= &(s->s3->write_mac_secret[0]);
  429. mac_secret_size = &(s->s3->write_mac_secret_size);
  430. }
  431. if (reuse_dd)
  432. EVP_CIPHER_CTX_cleanup(dd);
  433. p=s->s3->tmp.key_block;
  434. i=*mac_secret_size=s->s3->tmp.new_mac_secret_size;
  435. cl=EVP_CIPHER_key_length(c);
  436. j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
  437. cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
  438. /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
  439. k=EVP_CIPHER_iv_length(c);
  440. if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
  441. (which == SSL3_CHANGE_CIPHER_SERVER_READ))
  442. {
  443. ms= &(p[ 0]); n=i+i;
  444. key= &(p[ n]); n+=j+j;
  445. iv= &(p[ n]); n+=k+k;
  446. exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
  447. exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
  448. client_write=1;
  449. }
  450. else
  451. {
  452. n=i;
  453. ms= &(p[ n]); n+=i+j;
  454. key= &(p[ n]); n+=j+k;
  455. iv= &(p[ n]); n+=k;
  456. exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
  457. exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
  458. client_write=0;
  459. }
  460. if (n > s->s3->tmp.key_block_length)
  461. {
  462. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
  463. goto err2;
  464. }
  465. memcpy(mac_secret,ms,i);
  466. mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
  467. mac_secret,*mac_secret_size);
  468. EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key);
  469. EVP_PKEY_free(mac_key);
  470. #ifdef TLS_DEBUG
  471. printf("which = %04X\nmac key=",which);
  472. { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
  473. #endif
  474. if (is_export)
  475. {
  476. /* In here I set both the read and write key/iv to the
  477. * same value since only the correct one will be used :-).
  478. */
  479. if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
  480. exp_label,exp_label_len,
  481. s->s3->client_random,SSL3_RANDOM_SIZE,
  482. s->s3->server_random,SSL3_RANDOM_SIZE,
  483. NULL,0,NULL,0,
  484. key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)))
  485. goto err2;
  486. key=tmp1;
  487. if (k > 0)
  488. {
  489. if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
  490. TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE,
  491. s->s3->client_random,SSL3_RANDOM_SIZE,
  492. s->s3->server_random,SSL3_RANDOM_SIZE,
  493. NULL,0,NULL,0,
  494. empty,0,iv1,iv2,k*2))
  495. goto err2;
  496. if (client_write)
  497. iv=iv1;
  498. else
  499. iv= &(iv1[k]);
  500. }
  501. }
  502. s->session->key_arg_length=0;
  503. #ifdef KSSL_DEBUG
  504. {
  505. int i;
  506. printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
  507. printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
  508. printf("\n");
  509. printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
  510. printf("\n");
  511. }
  512. #endif /* KSSL_DEBUG */
  513. EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
  514. #ifdef TLS_DEBUG
  515. printf("which = %04X\nkey=",which);
  516. { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
  517. printf("\niv=");
  518. { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
  519. printf("\n");
  520. #endif
  521. OPENSSL_cleanse(tmp1,sizeof(tmp1));
  522. OPENSSL_cleanse(tmp2,sizeof(tmp1));
  523. OPENSSL_cleanse(iv1,sizeof(iv1));
  524. OPENSSL_cleanse(iv2,sizeof(iv2));
  525. return(1);
  526. err:
  527. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
  528. err2:
  529. return(0);
  530. }
  531. int tls1_setup_key_block(SSL *s)
  532. {
  533. unsigned char *p1,*p2=NULL;
  534. const EVP_CIPHER *c;
  535. const EVP_MD *hash;
  536. int num;
  537. SSL_COMP *comp;
  538. int mac_type= NID_undef,mac_secret_size=0;
  539. int ret=0;
  540. #ifdef KSSL_DEBUG
  541. printf ("tls1_setup_key_block()\n");
  542. #endif /* KSSL_DEBUG */
  543. if (s->s3->tmp.key_block_length != 0)
  544. return(1);
  545. if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp))
  546. {
  547. SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
  548. return(0);
  549. }
  550. s->s3->tmp.new_sym_enc=c;
  551. s->s3->tmp.new_hash=hash;
  552. s->s3->tmp.new_mac_pkey_type = mac_type;
  553. s->s3->tmp.new_mac_secret_size = mac_secret_size;
  554. num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c);
  555. num*=2;
  556. ssl3_cleanup_key_block(s);
  557. if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
  558. {
  559. SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
  560. goto err;
  561. }
  562. s->s3->tmp.key_block_length=num;
  563. s->s3->tmp.key_block=p1;
  564. if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
  565. {
  566. SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
  567. goto err;
  568. }
  569. #ifdef TLS_DEBUG
  570. printf("client random\n");
  571. { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
  572. printf("server random\n");
  573. { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
  574. printf("pre-master\n");
  575. { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
  576. #endif
  577. if (!tls1_generate_key_block(s,p1,p2,num))
  578. goto err;
  579. #ifdef TLS_DEBUG
  580. printf("\nkey block\n");
  581. { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
  582. #endif
  583. if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
  584. && s->method->version <= TLS1_VERSION)
  585. {
  586. /* enable vulnerability countermeasure for CBC ciphers with
  587. * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
  588. */
  589. s->s3->need_empty_fragments = 1;
  590. if (s->session->cipher != NULL)
  591. {
  592. if (s->session->cipher->algorithm_enc == SSL_eNULL)
  593. s->s3->need_empty_fragments = 0;
  594. #ifndef OPENSSL_NO_RC4
  595. if (s->session->cipher->algorithm_enc == SSL_RC4)
  596. s->s3->need_empty_fragments = 0;
  597. #endif
  598. }
  599. }
  600. ret = 1;
  601. err:
  602. if (p2)
  603. {
  604. OPENSSL_cleanse(p2,num);
  605. OPENSSL_free(p2);
  606. }
  607. return(ret);
  608. }
  609. int tls1_enc(SSL *s, int send)
  610. {
  611. SSL3_RECORD *rec;
  612. EVP_CIPHER_CTX *ds;
  613. unsigned long l;
  614. int bs,i,ii,j,k,n=0;
  615. const EVP_CIPHER *enc;
  616. if (send)
  617. {
  618. if (EVP_MD_CTX_md(s->write_hash))
  619. {
  620. n=EVP_MD_CTX_size(s->write_hash);
  621. OPENSSL_assert(n >= 0);
  622. }
  623. ds=s->enc_write_ctx;
  624. rec= &(s->s3->wrec);
  625. if (s->enc_write_ctx == NULL)
  626. enc=NULL;
  627. else
  628. {
  629. int ivlen;
  630. enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
  631. /* For TLSv1.1 and later explicit IV */
  632. if (s->version >= TLS1_1_VERSION
  633. && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
  634. ivlen = EVP_CIPHER_iv_length(enc);
  635. else
  636. ivlen = 0;
  637. if (ivlen > 1)
  638. {
  639. if ( rec->data != rec->input)
  640. /* we can't write into the input stream:
  641. * Can this ever happen?? (steve)
  642. */
  643. fprintf(stderr,
  644. "%s:%d: rec->data != rec->input\n",
  645. __FILE__, __LINE__);
  646. else if (RAND_bytes(rec->input, ivlen) <= 0)
  647. return -1;
  648. }
  649. }
  650. }
  651. else
  652. {
  653. if (EVP_MD_CTX_md(s->read_hash))
  654. {
  655. n=EVP_MD_CTX_size(s->read_hash);
  656. OPENSSL_assert(n >= 0);
  657. }
  658. ds=s->enc_read_ctx;
  659. rec= &(s->s3->rrec);
  660. if (s->enc_read_ctx == NULL)
  661. enc=NULL;
  662. else
  663. enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
  664. }
  665. #ifdef KSSL_DEBUG
  666. printf("tls1_enc(%d)\n", send);
  667. #endif /* KSSL_DEBUG */
  668. if ((s->session == NULL) || (ds == NULL) ||
  669. (enc == NULL))
  670. {
  671. memmove(rec->data,rec->input,rec->length);
  672. rec->input=rec->data;
  673. }
  674. else
  675. {
  676. l=rec->length;
  677. bs=EVP_CIPHER_block_size(ds->cipher);
  678. if ((bs != 1) && send)
  679. {
  680. i=bs-((int)l%bs);
  681. /* Add weird padding of upto 256 bytes */
  682. /* we need to add 'i' padding bytes of value j */
  683. j=i-1;
  684. if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
  685. {
  686. if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
  687. j++;
  688. }
  689. for (k=(int)l; k<(int)(l+i); k++)
  690. rec->input[k]=j;
  691. l+=i;
  692. rec->length+=i;
  693. }
  694. #ifdef KSSL_DEBUG
  695. {
  696. unsigned long ui;
  697. printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
  698. ds,rec->data,rec->input,l);
  699. printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
  700. ds->buf_len, ds->cipher->key_len,
  701. DES_KEY_SZ, DES_SCHEDULE_SZ,
  702. ds->cipher->iv_len);
  703. printf("\t\tIV: ");
  704. for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
  705. printf("\n");
  706. printf("\trec->input=");
  707. for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
  708. printf("\n");
  709. }
  710. #endif /* KSSL_DEBUG */
  711. if (!send)
  712. {
  713. if (l == 0 || l%bs != 0)
  714. {
  715. if (s->version >= TLS1_1_VERSION)
  716. return -1;
  717. SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
  718. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
  719. return 0;
  720. }
  721. }
  722. EVP_Cipher(ds,rec->data,rec->input,l);
  723. #ifdef KSSL_DEBUG
  724. {
  725. unsigned long i;
  726. printf("\trec->data=");
  727. for (i=0; i<l; i++)
  728. printf(" %02x", rec->data[i]); printf("\n");
  729. }
  730. #endif /* KSSL_DEBUG */
  731. if ((bs != 1) && !send)
  732. {
  733. ii=i=rec->data[l-1]; /* padding_length */
  734. i++;
  735. /* NB: if compression is in operation the first packet
  736. * may not be of even length so the padding bug check
  737. * cannot be performed. This bug workaround has been
  738. * around since SSLeay so hopefully it is either fixed
  739. * now or no buggy implementation supports compression
  740. * [steve]
  741. */
  742. if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
  743. && !s->expand)
  744. {
  745. /* First packet is even in size, so check */
  746. if ((memcmp(s->s3->read_sequence,
  747. "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
  748. s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
  749. if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
  750. i--;
  751. }
  752. /* TLS 1.0 does not bound the number of padding bytes by the block size.
  753. * All of them must have value 'padding_length'. */
  754. if (i > (int)rec->length)
  755. {
  756. /* Incorrect padding. SSLerr() and ssl3_alert are done
  757. * by caller: we don't want to reveal whether this is
  758. * a decryption error or a MAC verification failure
  759. * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
  760. return -1;
  761. }
  762. for (j=(int)(l-i); j<(int)l; j++)
  763. {
  764. if (rec->data[j] != ii)
  765. {
  766. /* Incorrect padding */
  767. return -1;
  768. }
  769. }
  770. rec->length -=i;
  771. if (s->version >= TLS1_1_VERSION
  772. && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
  773. {
  774. rec->data += bs; /* skip the explicit IV */
  775. rec->input += bs;
  776. rec->length -= bs;
  777. }
  778. }
  779. }
  780. return(1);
  781. }
  782. int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
  783. {
  784. unsigned int ret;
  785. EVP_MD_CTX ctx, *d=NULL;
  786. int i;
  787. if (s->s3->handshake_buffer)
  788. if (!ssl3_digest_cached_records(s))
  789. return 0;
  790. for (i=0;i<SSL_MAX_DIGEST;i++)
  791. {
  792. if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
  793. {
  794. d=s->s3->handshake_dgst[i];
  795. break;
  796. }
  797. }
  798. if (!d) {
  799. SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
  800. return 0;
  801. }
  802. EVP_MD_CTX_init(&ctx);
  803. EVP_MD_CTX_copy_ex(&ctx,d);
  804. EVP_DigestFinal_ex(&ctx,out,&ret);
  805. EVP_MD_CTX_cleanup(&ctx);
  806. return((int)ret);
  807. }
  808. int tls1_final_finish_mac(SSL *s,
  809. const char *str, int slen, unsigned char *out)
  810. {
  811. unsigned int i;
  812. EVP_MD_CTX ctx;
  813. unsigned char buf[2*EVP_MAX_MD_SIZE];
  814. unsigned char *q,buf2[12];
  815. int idx;
  816. long mask;
  817. int err=0;
  818. const EVP_MD *md;
  819. q=buf;
  820. if (s->s3->handshake_buffer)
  821. if (!ssl3_digest_cached_records(s))
  822. return 0;
  823. EVP_MD_CTX_init(&ctx);
  824. for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
  825. {
  826. if (mask & s->s3->tmp.new_cipher->algorithm2)
  827. {
  828. int hashsize = EVP_MD_size(md);
  829. if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
  830. {
  831. /* internal error: 'buf' is too small for this cipersuite! */
  832. err = 1;
  833. }
  834. else
  835. {
  836. EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
  837. EVP_DigestFinal_ex(&ctx,q,&i);
  838. if (i != (unsigned int)hashsize) /* can't really happen */
  839. err = 1;
  840. q+=i;
  841. }
  842. }
  843. }
  844. if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
  845. str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
  846. s->session->master_key,s->session->master_key_length,
  847. out,buf2,sizeof buf2))
  848. err = 1;
  849. EVP_MD_CTX_cleanup(&ctx);
  850. if (err)
  851. return 0;
  852. else
  853. return sizeof buf2;
  854. }
  855. int tls1_mac(SSL *ssl, unsigned char *md, int send)
  856. {
  857. SSL3_RECORD *rec;
  858. unsigned char *seq;
  859. EVP_MD_CTX *hash;
  860. size_t md_size;
  861. int i;
  862. EVP_MD_CTX hmac, *mac_ctx;
  863. unsigned char buf[5];
  864. int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
  865. int t;
  866. if (send)
  867. {
  868. rec= &(ssl->s3->wrec);
  869. seq= &(ssl->s3->write_sequence[0]);
  870. hash=ssl->write_hash;
  871. }
  872. else
  873. {
  874. rec= &(ssl->s3->rrec);
  875. seq= &(ssl->s3->read_sequence[0]);
  876. hash=ssl->read_hash;
  877. }
  878. t=EVP_MD_CTX_size(hash);
  879. OPENSSL_assert(t >= 0);
  880. md_size=t;
  881. buf[0]=rec->type;
  882. buf[1]=(unsigned char)(ssl->version>>8);
  883. buf[2]=(unsigned char)(ssl->version);
  884. buf[3]=rec->length>>8;
  885. buf[4]=rec->length&0xff;
  886. /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
  887. if (stream_mac)
  888. {
  889. mac_ctx = hash;
  890. }
  891. else
  892. {
  893. EVP_MD_CTX_copy(&hmac,hash);
  894. mac_ctx = &hmac;
  895. }
  896. if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER)
  897. {
  898. unsigned char dtlsseq[8],*p=dtlsseq;
  899. s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
  900. memcpy (p,&seq[2],6);
  901. EVP_DigestSignUpdate(mac_ctx,dtlsseq,8);
  902. }
  903. else
  904. EVP_DigestSignUpdate(mac_ctx,seq,8);
  905. EVP_DigestSignUpdate(mac_ctx,buf,5);
  906. EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
  907. t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
  908. OPENSSL_assert(t > 0);
  909. if (!stream_mac) EVP_MD_CTX_cleanup(&hmac);
  910. #ifdef TLS_DEBUG
  911. printf("sec=");
  912. {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
  913. printf("seq=");
  914. {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
  915. printf("buf=");
  916. {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
  917. printf("rec=");
  918. {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
  919. #endif
  920. if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER)
  921. {
  922. for (i=7; i>=0; i--)
  923. {
  924. ++seq[i];
  925. if (seq[i] != 0) break;
  926. }
  927. }
  928. #ifdef TLS_DEBUG
  929. {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
  930. #endif
  931. return(md_size);
  932. }
  933. int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
  934. int len)
  935. {
  936. unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
  937. const void *co = NULL, *so = NULL;
  938. int col = 0, sol = 0;
  939. #ifdef KSSL_DEBUG
  940. printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
  941. #endif /* KSSL_DEBUG */
  942. #ifdef TLSEXT_TYPE_opaque_prf_input
  943. if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL &&
  944. s->s3->client_opaque_prf_input_len > 0 &&
  945. s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len)
  946. {
  947. co = s->s3->client_opaque_prf_input;
  948. col = s->s3->server_opaque_prf_input_len;
  949. so = s->s3->server_opaque_prf_input;
  950. sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */
  951. }
  952. #endif
  953. tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
  954. TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE,
  955. s->s3->client_random,SSL3_RANDOM_SIZE,
  956. co, col,
  957. s->s3->server_random,SSL3_RANDOM_SIZE,
  958. so, sol,
  959. p,len,
  960. s->session->master_key,buff,sizeof buff);
  961. #ifdef KSSL_DEBUG
  962. printf ("tls1_generate_master_secret() complete\n");
  963. #endif /* KSSL_DEBUG */
  964. return(SSL3_MASTER_SECRET_SIZE);
  965. }
  966. int tls1_alert_code(int code)
  967. {
  968. switch (code)
  969. {
  970. case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY);
  971. case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
  972. case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC);
  973. case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED);
  974. case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW);
  975. case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
  976. case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE);
  977. case SSL_AD_NO_CERTIFICATE: return(-1);
  978. case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE);
  979. case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
  980. case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
  981. case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
  982. case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
  983. case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER);
  984. case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA);
  985. case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
  986. case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
  987. case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
  988. case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
  989. case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
  990. case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
  991. case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
  992. case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
  993. case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
  994. case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION);
  995. case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE);
  996. case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME);
  997. case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
  998. case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
  999. case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
  1000. #if 0 /* not appropriate for TLS, not used for DTLS */
  1001. case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
  1002. (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
  1003. #endif
  1004. default: return(-1);
  1005. }
  1006. }
  1007. int SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
  1008. unsigned char *context, int context_len,
  1009. unsigned char *out, int olen)
  1010. {
  1011. unsigned char *tmp;
  1012. int rv;
  1013. tmp = OPENSSL_malloc(olen);
  1014. if (!tmp)
  1015. return 0;
  1016. rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
  1017. label, label_len,
  1018. s->s3->client_random,SSL3_RANDOM_SIZE,
  1019. s->s3->server_random,SSL3_RANDOM_SIZE,
  1020. context, context_len, NULL, 0,
  1021. s->session->master_key, s->session->master_key_length,
  1022. out, tmp, olen);
  1023. OPENSSL_free(tmp);
  1024. return rv;
  1025. }