/src/libressl/ssl/t1_enc.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* $OpenBSD: t1_enc.c,v 1.154 2022/02/05 14:54:10 jsing Exp $ */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
60 | | * |
61 | | * Redistribution and use in source and binary forms, with or without |
62 | | * modification, are permitted provided that the following conditions |
63 | | * are met: |
64 | | * |
65 | | * 1. Redistributions of source code must retain the above copyright |
66 | | * notice, this list of conditions and the following disclaimer. |
67 | | * |
68 | | * 2. Redistributions in binary form must reproduce the above copyright |
69 | | * notice, this list of conditions and the following disclaimer in |
70 | | * the documentation and/or other materials provided with the |
71 | | * distribution. |
72 | | * |
73 | | * 3. All advertising materials mentioning features or use of this |
74 | | * software must display the following acknowledgment: |
75 | | * "This product includes software developed by the OpenSSL Project |
76 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | | * |
78 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | | * endorse or promote products derived from this software without |
80 | | * prior written permission. For written permission, please contact |
81 | | * openssl-core@openssl.org. |
82 | | * |
83 | | * 5. Products derived from this software may not be called "OpenSSL" |
84 | | * nor may "OpenSSL" appear in their names without prior written |
85 | | * permission of the OpenSSL Project. |
86 | | * |
87 | | * 6. Redistributions of any form whatsoever must retain the following |
88 | | * acknowledgment: |
89 | | * "This product includes software developed by the OpenSSL Project |
90 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | | * |
92 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | | * ==================================================================== |
105 | | * |
106 | | * This product includes cryptographic software written by Eric Young |
107 | | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | | * Hudson (tjh@cryptsoft.com). |
109 | | * |
110 | | */ |
111 | | /* ==================================================================== |
112 | | * Copyright 2005 Nokia. All rights reserved. |
113 | | * |
114 | | * The portions of the attached software ("Contribution") is developed by |
115 | | * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
116 | | * license. |
117 | | * |
118 | | * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
119 | | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
120 | | * support (see RFC 4279) to OpenSSL. |
121 | | * |
122 | | * No patent licenses or other rights except those expressly stated in |
123 | | * the OpenSSL open source license shall be deemed granted or received |
124 | | * expressly, by implication, estoppel, or otherwise. |
125 | | * |
126 | | * No assurances are provided by Nokia that the Contribution does not |
127 | | * infringe the patent or other intellectual property rights of any third |
128 | | * party or that the license provides you with all the necessary rights |
129 | | * to make use of the Contribution. |
130 | | * |
131 | | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
132 | | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
133 | | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
134 | | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
135 | | * OTHERWISE. |
136 | | */ |
137 | | |
138 | | #include <limits.h> |
139 | | #include <stdio.h> |
140 | | |
141 | | #include <openssl/evp.h> |
142 | | #include <openssl/hmac.h> |
143 | | #include <openssl/md5.h> |
144 | | #include <openssl/opensslconf.h> |
145 | | |
146 | | #include "dtls_locl.h" |
147 | | #include "ssl_locl.h" |
148 | | |
149 | | void |
150 | | tls1_cleanup_key_block(SSL *s) |
151 | 24.3k | { |
152 | 24.3k | tls12_key_block_free(s->s3->hs.tls12.key_block); |
153 | 24.3k | s->s3->hs.tls12.key_block = NULL; |
154 | 24.3k | } |
155 | | |
156 | | /* |
157 | | * TLS P_hash() data expansion function - see RFC 5246, section 5. |
158 | | */ |
159 | | static int |
160 | | tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len, |
161 | | const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len, |
162 | | const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len, |
163 | | const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len) |
164 | 2.51k | { |
165 | 2.51k | unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE]; |
166 | 2.51k | size_t A1_len, hmac_len; |
167 | 2.51k | EVP_MD_CTX *ctx = NULL; |
168 | 2.51k | EVP_PKEY *mac_key = NULL; |
169 | 2.51k | int ret = 0; |
170 | 2.51k | int chunk; |
171 | 2.51k | size_t i; |
172 | | |
173 | 2.51k | chunk = EVP_MD_size(md); |
174 | 2.51k | OPENSSL_assert(chunk >= 0); |
175 | | |
176 | 2.51k | if ((ctx = EVP_MD_CTX_new()) == NULL) |
177 | 0 | goto err; |
178 | | |
179 | 2.51k | mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len); |
180 | 2.51k | if (mac_key == NULL) |
181 | 0 | goto err; |
182 | 2.51k | if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key)) |
183 | 0 | goto err; |
184 | 2.51k | if (seed1 && !EVP_DigestSignUpdate(ctx, seed1, seed1_len)) |
185 | 0 | goto err; |
186 | 2.51k | if (seed2 && !EVP_DigestSignUpdate(ctx, seed2, seed2_len)) |
187 | 0 | goto err; |
188 | 2.51k | if (seed3 && !EVP_DigestSignUpdate(ctx, seed3, seed3_len)) |
189 | 0 | goto err; |
190 | 2.51k | if (seed4 && !EVP_DigestSignUpdate(ctx, seed4, seed4_len)) |
191 | 0 | goto err; |
192 | 2.51k | if (seed5 && !EVP_DigestSignUpdate(ctx, seed5, seed5_len)) |
193 | 0 | goto err; |
194 | 2.51k | if (!EVP_DigestSignFinal(ctx, A1, &A1_len)) |
195 | 0 | goto err; |
196 | | |
197 | 5.32k | for (;;) { |
198 | 5.32k | if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key)) |
199 | 0 | goto err; |
200 | 5.32k | if (!EVP_DigestSignUpdate(ctx, A1, A1_len)) |
201 | 0 | goto err; |
202 | 5.32k | if (seed1 && !EVP_DigestSignUpdate(ctx, seed1, seed1_len)) |
203 | 0 | goto err; |
204 | 5.32k | if (seed2 && !EVP_DigestSignUpdate(ctx, seed2, seed2_len)) |
205 | 0 | goto err; |
206 | 5.32k | if (seed3 && !EVP_DigestSignUpdate(ctx, seed3, seed3_len)) |
207 | 0 | goto err; |
208 | 5.32k | if (seed4 && !EVP_DigestSignUpdate(ctx, seed4, seed4_len)) |
209 | 0 | goto err; |
210 | 5.32k | if (seed5 && !EVP_DigestSignUpdate(ctx, seed5, seed5_len)) |
211 | 0 | goto err; |
212 | 5.32k | if (!EVP_DigestSignFinal(ctx, hmac, &hmac_len)) |
213 | 0 | goto err; |
214 | | |
215 | 5.32k | if (hmac_len > out_len) |
216 | 2.17k | hmac_len = out_len; |
217 | | |
218 | 131k | for (i = 0; i < hmac_len; i++) |
219 | 126k | out[i] ^= hmac[i]; |
220 | | |
221 | 5.32k | out += hmac_len; |
222 | 5.32k | out_len -= hmac_len; |
223 | | |
224 | 5.32k | if (out_len == 0) |
225 | 2.51k | break; |
226 | | |
227 | 2.80k | if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key)) |
228 | 0 | goto err; |
229 | 2.80k | if (!EVP_DigestSignUpdate(ctx, A1, A1_len)) |
230 | 0 | goto err; |
231 | 2.80k | if (!EVP_DigestSignFinal(ctx, A1, &A1_len)) |
232 | 0 | goto err; |
233 | 2.80k | } |
234 | 2.51k | ret = 1; |
235 | | |
236 | 2.51k | err: |
237 | 2.51k | EVP_PKEY_free(mac_key); |
238 | 2.51k | EVP_MD_CTX_free(ctx); |
239 | | |
240 | 2.51k | explicit_bzero(A1, sizeof(A1)); |
241 | 2.51k | explicit_bzero(hmac, sizeof(hmac)); |
242 | | |
243 | 2.51k | return ret; |
244 | 2.51k | } |
245 | | |
246 | | int |
247 | | tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len, |
248 | | const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len, |
249 | | const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len, |
250 | | const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len) |
251 | 2.36k | { |
252 | 2.36k | const EVP_MD *md; |
253 | 2.36k | size_t half_len; |
254 | | |
255 | 2.36k | memset(out, 0, out_len); |
256 | | |
257 | 2.36k | if (!ssl_get_handshake_evp_md(s, &md)) |
258 | 0 | return (0); |
259 | | |
260 | 2.36k | if (EVP_MD_type(md) == NID_md5_sha1) { |
261 | | /* |
262 | | * Partition secret between MD5 and SHA1, then XOR result. |
263 | | * If the secret length is odd, a one byte overlap is used. |
264 | | */ |
265 | 156 | half_len = secret_len - (secret_len / 2); |
266 | 156 | if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len, |
267 | 156 | seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, |
268 | 156 | seed5, seed5_len, out, out_len)) |
269 | 0 | return (0); |
270 | | |
271 | 156 | secret += secret_len - half_len; |
272 | 156 | if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len, |
273 | 156 | seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, |
274 | 156 | seed5, seed5_len, out, out_len)) |
275 | 0 | return (0); |
276 | | |
277 | 156 | return (1); |
278 | 156 | } |
279 | | |
280 | 2.20k | if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len, |
281 | 2.20k | seed2, seed2_len, seed3, seed3_len, seed4, seed4_len, |
282 | 2.20k | seed5, seed5_len, out, out_len)) |
283 | 0 | return (0); |
284 | | |
285 | 2.20k | return (1); |
286 | 2.20k | } |
287 | | |
288 | | int |
289 | | tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len) |
290 | 239 | { |
291 | 239 | return tls1_PRF(s, |
292 | 239 | s->session->master_key, s->session->master_key_length, |
293 | 239 | TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE, |
294 | 239 | s->s3->server_random, SSL3_RANDOM_SIZE, |
295 | 239 | s->s3->client_random, SSL3_RANDOM_SIZE, |
296 | 239 | NULL, 0, NULL, 0, key_block, key_block_len); |
297 | 239 | } |
298 | | |
299 | | static int |
300 | | tls1_change_cipher_state(SSL *s, int is_write) |
301 | 239 | { |
302 | 239 | CBS mac_key, key, iv; |
303 | | |
304 | | /* Use client write keys on client write and server read. */ |
305 | 239 | if ((!s->server && is_write) || (s->server && !is_write)) { |
306 | 239 | tls12_key_block_client_write(s->s3->hs.tls12.key_block, |
307 | 239 | &mac_key, &key, &iv); |
308 | 239 | } else { |
309 | 0 | tls12_key_block_server_write(s->s3->hs.tls12.key_block, |
310 | 0 | &mac_key, &key, &iv); |
311 | 0 | } |
312 | | |
313 | 239 | if (!is_write) { |
314 | 239 | if (!tls12_record_layer_change_read_cipher_state(s->internal->rl, |
315 | 239 | &mac_key, &key, &iv)) |
316 | 0 | goto err; |
317 | 239 | if (SSL_is_dtls(s)) |
318 | 0 | dtls1_reset_read_seq_numbers(s); |
319 | 239 | } else { |
320 | 0 | if (!tls12_record_layer_change_write_cipher_state(s->internal->rl, |
321 | 0 | &mac_key, &key, &iv)) |
322 | 0 | goto err; |
323 | 0 | } |
324 | 239 | return (1); |
325 | | |
326 | 0 | err: |
327 | 0 | return (0); |
328 | 239 | } |
329 | | |
330 | | int |
331 | | tls1_change_read_cipher_state(SSL *s) |
332 | 239 | { |
333 | 239 | return tls1_change_cipher_state(s, 0); |
334 | 239 | } |
335 | | |
336 | | int |
337 | | tls1_change_write_cipher_state(SSL *s) |
338 | 0 | { |
339 | 0 | return tls1_change_cipher_state(s, 1); |
340 | 0 | } |
341 | | |
342 | | int |
343 | | tls1_setup_key_block(SSL *s) |
344 | 239 | { |
345 | 239 | struct tls12_key_block *key_block; |
346 | 239 | int mac_type = NID_undef, mac_secret_size = 0; |
347 | 239 | const EVP_CIPHER *cipher = NULL; |
348 | 239 | const EVP_AEAD *aead = NULL; |
349 | 239 | const EVP_MD *handshake_hash = NULL; |
350 | 239 | const EVP_MD *mac_hash = NULL; |
351 | 239 | int ret = 0; |
352 | | |
353 | | /* |
354 | | * XXX - callers should be changed so that they only call this |
355 | | * function once. |
356 | | */ |
357 | 239 | if (s->s3->hs.tls12.key_block != NULL) |
358 | 0 | return (1); |
359 | | |
360 | 239 | if (s->session->cipher && |
361 | 239 | (s->session->cipher->algorithm_mac & SSL_AEAD)) { |
362 | 91 | if (!ssl_cipher_get_evp_aead(s->session, &aead)) { |
363 | 0 | SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
364 | 0 | return (0); |
365 | 0 | } |
366 | 148 | } else { |
367 | | /* XXX - mac_type and mac_secret_size are now unused. */ |
368 | 148 | if (!ssl_cipher_get_evp(s->session, &cipher, &mac_hash, |
369 | 148 | &mac_type, &mac_secret_size)) { |
370 | 0 | SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
371 | 0 | return (0); |
372 | 0 | } |
373 | 148 | } |
374 | | |
375 | 239 | if (!ssl_get_handshake_evp_md(s, &handshake_hash)) |
376 | 0 | return (0); |
377 | | |
378 | 239 | tls12_record_layer_set_aead(s->internal->rl, aead); |
379 | 239 | tls12_record_layer_set_cipher_hash(s->internal->rl, cipher, |
380 | 239 | handshake_hash, mac_hash); |
381 | | |
382 | 239 | if ((key_block = tls12_key_block_new()) == NULL) |
383 | 0 | goto err; |
384 | 239 | if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash)) |
385 | 0 | goto err; |
386 | | |
387 | 239 | s->s3->hs.tls12.key_block = key_block; |
388 | 239 | key_block = NULL; |
389 | | |
390 | 239 | if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && |
391 | 239 | s->method->version <= TLS1_VERSION) { |
392 | | /* |
393 | | * Enable vulnerability countermeasure for CBC ciphers with |
394 | | * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) |
395 | | */ |
396 | 42 | s->s3->need_empty_fragments = 1; |
397 | | |
398 | 42 | if (s->session->cipher != NULL) { |
399 | 42 | if (s->session->cipher->algorithm_enc == SSL_eNULL) |
400 | 0 | s->s3->need_empty_fragments = 0; |
401 | | |
402 | 42 | #ifndef OPENSSL_NO_RC4 |
403 | 42 | if (s->session->cipher->algorithm_enc == SSL_RC4) |
404 | 3 | s->s3->need_empty_fragments = 0; |
405 | 42 | #endif |
406 | 42 | } |
407 | 42 | } |
408 | | |
409 | 239 | ret = 1; |
410 | | |
411 | 239 | err: |
412 | 239 | tls12_key_block_free(key_block); |
413 | | |
414 | 239 | return (ret); |
415 | 239 | } |
416 | | |
417 | | int |
418 | | tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, |
419 | | const char *label, size_t llen, const unsigned char *context, |
420 | | size_t contextlen, int use_context) |
421 | 0 | { |
422 | 0 | unsigned char *val = NULL; |
423 | 0 | size_t vallen, currentvalpos; |
424 | 0 | int rv; |
425 | |
|
426 | 0 | if (!SSL_is_init_finished(s)) { |
427 | 0 | SSLerror(s, SSL_R_BAD_STATE); |
428 | 0 | return 0; |
429 | 0 | } |
430 | | |
431 | | /* construct PRF arguments |
432 | | * we construct the PRF argument ourself rather than passing separate |
433 | | * values into the TLS PRF to ensure that the concatenation of values |
434 | | * does not create a prohibited label. |
435 | | */ |
436 | 0 | vallen = llen + SSL3_RANDOM_SIZE * 2; |
437 | 0 | if (use_context) { |
438 | 0 | vallen += 2 + contextlen; |
439 | 0 | } |
440 | |
|
441 | 0 | val = malloc(vallen); |
442 | 0 | if (val == NULL) |
443 | 0 | goto err2; |
444 | 0 | currentvalpos = 0; |
445 | 0 | memcpy(val + currentvalpos, (unsigned char *) label, llen); |
446 | 0 | currentvalpos += llen; |
447 | 0 | memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); |
448 | 0 | currentvalpos += SSL3_RANDOM_SIZE; |
449 | 0 | memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); |
450 | 0 | currentvalpos += SSL3_RANDOM_SIZE; |
451 | |
|
452 | 0 | if (use_context) { |
453 | 0 | val[currentvalpos] = (contextlen >> 8) & 0xff; |
454 | 0 | currentvalpos++; |
455 | 0 | val[currentvalpos] = contextlen & 0xff; |
456 | 0 | currentvalpos++; |
457 | 0 | if ((contextlen > 0) || (context != NULL)) { |
458 | 0 | memcpy(val + currentvalpos, context, contextlen); |
459 | 0 | } |
460 | 0 | } |
461 | | |
462 | | /* disallow prohibited labels |
463 | | * note that SSL3_RANDOM_SIZE > max(prohibited label len) = |
464 | | * 15, so size of val > max(prohibited label len) = 15 and the |
465 | | * comparisons won't have buffer overflow |
466 | | */ |
467 | 0 | if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, |
468 | 0 | TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) |
469 | 0 | goto err1; |
470 | 0 | if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, |
471 | 0 | TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) |
472 | 0 | goto err1; |
473 | 0 | if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, |
474 | 0 | TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) |
475 | 0 | goto err1; |
476 | 0 | if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, |
477 | 0 | TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) |
478 | 0 | goto err1; |
479 | | |
480 | 0 | rv = tls1_PRF(s, s->session->master_key, s->session->master_key_length, |
481 | 0 | val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen); |
482 | |
|
483 | 0 | goto ret; |
484 | 0 | err1: |
485 | 0 | SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); |
486 | 0 | rv = 0; |
487 | 0 | goto ret; |
488 | 0 | err2: |
489 | 0 | SSLerror(s, ERR_R_MALLOC_FAILURE); |
490 | 0 | rv = 0; |
491 | 0 | ret: |
492 | 0 | free(val); |
493 | |
|
494 | 0 | return (rv); |
495 | 0 | } |