From: Ben Laurie Date: Tue, 15 Nov 2011 23:51:22 +0000 (+0000) Subject: Add TLS exporter. X-Git-Tag: OpenSSL_1_0_1-beta1~66 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=b1d7429186658934e4ca8b7913c3640ef4426e45;p=oweals%2Fopenssl.git Add TLS exporter. --- diff --git a/CHANGES b/CHANGES index c8f8c88d19..24d29d1206 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,9 @@ Changes between 1.0.0f and 1.0.1 [xx XXX xxxx] + *) Add TLS key material exporter from RFC 5705. + [Eric Rescorla] + *) Add DTLS-SRTP negotiation from RFC 5764. [Eric Rescorla] diff --git a/apps/s_client.c b/apps/s_client.c index 94e03c9c00..0a0fcf836a 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -206,6 +206,9 @@ static int c_status_req=0; static int c_msg=0; static int c_showcerts=0; +static char *keymatexportlabel=NULL; +static int keymatexportlen=20; + static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT @@ -360,6 +363,8 @@ static void sc_usage(void) #endif BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list"); + BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); + BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); } #ifndef OPENSSL_NO_TLSEXT @@ -942,6 +947,17 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; srtp_profiles = *(++argv); } + else if (strcmp(*argv,"-keymatexport") == 0) + { + if (--argc < 1) goto bad; + keymatexportlabel= *(++argv); + } + else if (strcmp(*argv,"-keymatexportlen") == 0) + { + if (--argc < 1) goto bad; + keymatexportlen=atoi(*(++argv)); + if (keymatexportlen == 0) goto bad; + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1900,6 +1916,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) #ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; #endif + unsigned char *exportedkeymat; if (full) { @@ -2045,6 +2062,30 @@ static void print_stuff(BIO *bio, SSL *s, int full) } SSL_SESSION_print(bio,SSL_get_session(s)); + if (keymatexportlabel != NULL) { + BIO_printf(bio, "Keying material exporter:\n"); + BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); + BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); + exportedkeymat = OPENSSL_malloc(keymatexportlen); + if (exportedkeymat != NULL) { + i = SSL_export_keying_material(s, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0); + if (i != keymatexportlen) { + BIO_printf(bio, + " Error: return value %i\n", i); + } else { + BIO_printf(bio, " Keying material: "); + for (i=0; iversion < TLS1_VERSION) + return -1; + + return s->method->ssl3_enc->export_keying_material(s, out, olen, label, + llen, p, plen, + use_context); + } + static unsigned long ssl_session_hash(const SSL_SESSION *a) { unsigned long l; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4d6ffd9f39..48ee110d5f 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -571,6 +571,10 @@ typedef struct ssl3_enc_method const char *server_finished_label; int server_finished_label_len; int (*alert_value)(int); + int (*export_keying_material)(SSL *, unsigned char *, unsigned int, + const char *, unsigned int, + const unsigned char *, unsigned int, + int use_context); } SSL3_ENC_METHOD; #ifndef OPENSSL_NO_COMP @@ -1057,6 +1061,9 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p); int tls1_mac(SSL *ssl, unsigned char *md, int snd); int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len); +int tls1_export_keying_material(SSL *s, unsigned char *out, unsigned int olen, + const char *label, unsigned int llen, const unsigned char *p, + unsigned int plen, int use_context); int tls1_alert_code(int code); int ssl3_alert_code(int code); int ssl_ok(SSL *s); diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 3452b25c45..b9d0dd3757 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1119,6 +1119,95 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, return(SSL3_MASTER_SECRET_SIZE); } +int tls1_export_keying_material(SSL *s, unsigned char *out, unsigned int olen, + const char *label, unsigned int llen, const unsigned char *context, + unsigned int contextlen, int use_context) + { + unsigned char *buff; + unsigned char *val; + unsigned int vallen, currentvalpos, rv; + +#ifdef KSSL_DEBUG + printf ("tls1_export_keying_material(%p, %p,%d, %s,%d, %p,%d)\n", s, out,olen, label,llen, p,plen); +#endif /* KSSL_DEBUG */ + + buff = OPENSSL_malloc(olen); + if (buff == NULL) goto err2; + + /* construct PRF arguments + * we construct the PRF argument ourself rather than passing separate + * values into the TLS PRF to ensure that the concatenation of values + * does not create a prohibited label. + */ + vallen = llen + SSL3_RANDOM_SIZE * 2; + if (use_context) + { + vallen += 2 + contextlen; + } + + val = OPENSSL_malloc(vallen); + if (val == NULL) goto err2; + currentvalpos = 0; + memcpy(val + currentvalpos, (unsigned char *) label, llen); + currentvalpos += llen; + memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); + currentvalpos += SSL3_RANDOM_SIZE; + memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); + currentvalpos += SSL3_RANDOM_SIZE; + + if (use_context) + { + val[currentvalpos] = (contextlen << 8) & 0xff; + currentvalpos++; + val[currentvalpos] = contextlen & 0xff; + currentvalpos++; + if ((contextlen > 0) || (context != NULL)) + { + memcpy(val + currentvalpos, context, contextlen); + } + } + + /* disallow prohibited labels + * note that SSL3_RANDOM_SIZE > max(prohibited label len) = + * 15, so size of val > max(prohibited label len) = 15 and the + * comparisons won't have buffer overflow + */ + if (bcmp(val, TLS_MD_CLIENT_FINISH_CONST, + TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; + if (bcmp(val, TLS_MD_SERVER_FINISH_CONST, + TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; + if (bcmp(val, TLS_MD_MASTER_SECRET_CONST, + TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; + if (bcmp(val, TLS_MD_KEY_EXPANSION_CONST, + TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; + + tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + val, vallen, + NULL, 0, + NULL, 0, + NULL, 0, + NULL, 0, + s->session->master_key,s->session->master_key_length, + out,buff,olen); + +#ifdef KSSL_DEBUG + printf ("tls1_export_keying_material() complete\n"); +#endif /* KSSL_DEBUG */ + rv = olen; + goto ret; +err1: + SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); + rv = 0; + goto ret; +err2: + SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); + rv = 0; +ret: + if (buff != NULL) OPENSSL_free(buff); + if (val != NULL) OPENSSL_free(val); + return(rv); + } + int tls1_alert_code(int code) { switch (code) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 030c0c1131..f33a93197b 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -136,6 +136,7 @@ SSL3_ENC_METHOD TLSv1_enc_data={ TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE, TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE, tls1_alert_code, + tls1_export_keying_material, }; long tls1_default_timeout(void) diff --git a/ssl/tls1.h b/ssl/tls1.h index f443bb13ef..545383a5ee 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -262,8 +262,10 @@ extern "C" { #define TLSEXT_MAXLEN_host_name 255 -const char *SSL_get_servername(const SSL *s, const int type) ; -int SSL_get_servername_type(const SSL *s) ; +const char *SSL_get_servername(const SSL *s, const int type); +int SSL_get_servername_type(const SSL *s); +int SSL_export_keying_material(SSL *s, unsigned char *out, int olen, + char *label, int llen, unsigned char *p, int plen, int use_context); #define SSL_set_tlsext_host_name(s,name) \ SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)