X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_enc.c;h=7333ba926b413d3a30de655510abe914a218fe09;hp=3f4973e9ac51ed11585f2e724b54fd7a944f2bfe;hb=1d2932de4cefcc200f175863a42c311916269981;hpb=68fd6dce73e07cb9a5944e8667455f2f9a80d52e
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 3f4973e9ac..7333ba926b 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -649,6 +649,7 @@ int tls1_setup_key_block(SSL *s)
 if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) {
 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(p1);
 goto err;
 }
 #ifdef TLS_DEBUG
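Review bot: Freeing p1 when the second allocation fails closes the leak, but if p1 has already been stored in `s->s3->tmp.key_block` by the time this branch runs (the beginning of tls1_setup_key_block is outside the hunk), that field now points into freed memory and a later cleanup path could free it a second time. If that is the case, clear the field in the same place, `OPENSSL_free(p1); s->s3->tmp.key_block = NULL;`, or move the assignment to after both allocations have succeeded. Worth confirming against the lines above the hunk before merging.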
@@ -919,57 +920,28 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) return ((int)ret); } -int tls1_final_finish_mac(SSL *s, - const char *str, int slen, unsigned char *out) +int tls1_final_finish_mac(SSL *s, const char *str, int slen, + unsigned char *out) { - unsigned int i; - EVP_MD_CTX ctx; - unsigned char buf[2 * EVP_MAX_MD_SIZE]; - unsigned char *q, buf2[12]; - int idx; - long mask; - int err = 0; - const EVP_MD *md; - - q = buf; + int hashlen; + unsigned char hash[2 * EVP_MAX_MD_SIZE]; + unsigned char buf2[12]; if (s->s3->handshake_buffer) if (!ssl3_digest_cached_records(s)) return 0; - EVP_MD_CTX_init(&ctx); + hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); - for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) { - if (mask & ssl_get_algorithm2(s)) { - int hashsize = EVP_MD_size(md); - EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; - if (!hdgst || hashsize < 0 - || hashsize > (int)(sizeof buf - (size_t)(q - buf))) { - /* - * internal error: 'buf' is too small for this cipersuite! - */ - err = 1; - } else { - if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || - !EVP_DigestFinal_ex(&ctx, q, &i) || - (i != (unsigned int)hashsize)) - err = 1; - q += hashsize; - } - } - } + if (hashlen == 0) + return 0; if (!tls1_PRF(ssl_get_algorithm2(s), - str, slen, buf, (int)(q - buf), NULL, 0, NULL, 0, NULL, 0, + str, slen, hash, hashlen, NULL, 0, NULL, 0, NULL, 0, s->session->master_key, s->session->master_key_length, out, buf2, sizeof buf2)) - err = 1; - EVP_MD_CTX_cleanup(&ctx); - - if (err) return 0; - else - return sizeof buf2; + return sizeof buf2; } int tls1_mac(SSL *ssl, unsigned char *md, int send) 
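Review bot: The new early return `if (hashlen == 0) return 0;` only catches a zero length from ssl_handshake_hash(); if that helper can signal failure with a negative value (its body is not in this diff), a negative hashlen would be handed to tls1_PRF as the seed length. `if (hashlen <= 0) return 0;` covers both outcomes at no cost. It would also help readers to record where the buffer-size check the removed loop performed inline now lives, e.g. `/* ssl_handshake_hash() bounds its output to sizeof(hash) */`, assuming that is indeed where it moved.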
@@ -1091,21 +1063,47 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len) { unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; - const void *co = NULL, *so = NULL; - int col = 0, sol = 0; #ifdef KSSL_DEBUG fprintf(stderr, "tls1_generate_master_secret(%p,%p, %p, %d)\n", s, out, p, len); #endif /* KSSL_DEBUG */ - - tls1_PRF(ssl_get_algorithm2(s), - TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, - s->s3->client_random, SSL3_RANDOM_SIZE, - co, col, - s->s3->server_random, SSL3_RANDOM_SIZE, - so, sol, p, len, s->session->master_key, buff, sizeof buff); + if (s->session->flags & SSL_SESS_FLAG_EXTMS) { + unsigned char hash[EVP_MAX_MD_SIZE * 2]; + int hashlen; + /* If we don't have any digests cache records */ + if (s->s3->handshake_buffer) { + /* + * keep record buffer: this wont affect client auth because we're + * freezing the buffer at the same point (after client key + * exchange and before certificate verify) + */ + s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; + ssl3_digest_cached_records(s); + } + hashlen = ssl_handshake_hash(s, hash, sizeof(hash)); +#ifdef SSL_DEBUG + fprintf(stderr, "Handshake hashes:\n"); + BIO_dump_fp(stderr, (char *)hash, hashlen); +#endif + tls1_PRF(ssl_get_algorithm2(s), + TLS_MD_EXTENDED_MASTER_SECRET_CONST, + TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE, + hash, hashlen, + NULL, 0, + NULL, 0, + NULL, 0, p, len, s->session->master_key, buff, sizeof buff); + OPENSSL_cleanse(hash, hashlen); + } else { + tls1_PRF(ssl_get_algorithm2(s), + TLS_MD_MASTER_SECRET_CONST, + TLS_MD_MASTER_SECRET_CONST_SIZE, + s->s3->client_random, SSL3_RANDOM_SIZE, + NULL, 0, + s->s3->server_random, SSL3_RANDOM_SIZE, + NULL, 0, p, len, s->session->master_key, buff, sizeof buff); + } #ifdef SSL_DEBUG fprintf(stderr, "Premaster Secret:\n"); BIO_dump_fp(stderr, (char *)p, len); 
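Review bot: In the extended-master-secret branch neither the return value of `ssl3_digest_cached_records(s)` nor `hashlen` is checked before `tls1_PRF` runs, so a failed digest or an empty or negative handshake hash would derive the extended master secret without a session hash, and `OPENSSL_cleanse(hash, hashlen)` would receive that bad length as well; tls1_final_finish_mac in this same diff checks both. The legacy path at least binds client_random and server_random, but here the session hash is the only transcript binding, so this branch should fail rather than continue. tls1_generate_master_secret's return statement is outside the hunk, so whether callers treat a 0 return as failure needs checking before adopting the change below. The tls1_PRF return value is also ignored in both branches, though that is pre-existing on the else side.
```c
    if (s->session->flags & SSL_SESS_FLAG_EXTMS) {
        unsigned char hash[EVP_MAX_MD_SIZE * 2];
        int hashlen;
        if (s->s3->handshake_buffer) {
            /* … unchanged: comment on keeping the record buffer … */
            s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
            if (!ssl3_digest_cached_records(s))
                return 0;
        }
        hashlen = ssl_handshake_hash(s, hash, sizeof(hash));
        if (hashlen <= 0)
            return 0;
        /* … unchanged: debug dump, tls1_PRF with the extended label, OPENSSL_cleanse … */
```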
@@ -1204,6 +1202,9 @@ int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; + if (memcmp(val, TLS_MD_EXTENDED_MASTER_SECRET_CONST, + TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE) == 0) + goto err1; if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; @@ -1302,11 +1303,6 @@ int tls1_alert_code(int code) return (TLS1_AD_UNKNOWN_PSK_IDENTITY); case SSL_AD_INAPPROPRIATE_FALLBACK: return (TLS1_AD_INAPPROPRIATE_FALLBACK); -#if 0 - /* not appropriate for TLS, not used for DTLS */ - case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: - return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); -#endif default: return (-1); }
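Review bot: The added label check compares TLS_MD_EXTENDED_MASTER_SECRET_CONST_SIZE bytes of `val` without regard to `llen`, like the two neighbouring checks; that is only safe if `val` is always allocated at least that large (its allocation is above the hunk), and since the new constant is the longest of the three it is the one to verify. A comment over the group such as `/* Reject exporter labels that collide with the labels the TLS PRF itself uses; a label merely starting with one is rejected too */` would make the intent of the fixed-length, prefix-style compares explicit for the next reader.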