Diffstat (limited to 'patches/tls_exporter.patch')
-rwxr-xr-x | patches/tls_exporter.patch | 220 |
1 files changed, 0 insertions, 220 deletions
diff --git a/patches/tls_exporter.patch b/patches/tls_exporter.patch
deleted file mode 100755
index a9e64a3..0000000
--- a/patches/tls_exporter.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
-index c3b77c8..a94290a 100644
---- a/ssl/d1_lib.c
-+++ b/ssl/d1_lib.c
-@@ -82,6 +82,7 @@ SSL3_ENC_METHOD DTLSv1_enc_data={
- TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
- TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
- tls1_alert_code,
-+ tls1_export_keying_material,
- };
- 
- long dtls1_default_timeout(void)
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index c19538a..1fecbbc 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -2087,6 +2087,9 @@ SSL3_ENC_METHOD SSLv3_enc_data={
- SSL3_MD_CLIENT_FINISHED_CONST,4,
- SSL3_MD_SERVER_FINISHED_CONST,4,
- ssl3_alert_code,
-+ (int (*)(SSL *, unsigned char *, size_t, const char *,
-+ size_t, const unsigned char *, size_t,
-+ int use_context)) ssl_undefined_function,
- };
- 
- long ssl3_default_timeout(void)
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index 9336af8..be4af2f 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -2116,6 +2116,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_F_SSL_PARSE_SERVERHELLO_RENEGOTIATE_EXT 301
- #define SSL_F_SSL_PARSE_SERVERHELLO_TLSEXT 303
- #define SSL_F_SSL_PEEK 270
-+#define SSL_F_TLS1_EXPORT_KEYING_MATERIAL 312
- #define SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281
- #define SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282
- #define SSL_F_SSL_READ 223
-@@ -2394,6 +2395,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112
- #define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
- #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
-+#define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
- #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
- #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
- #define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 17d2cde..d6ad3c1 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3127,6 +3127,18 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, int (*cb) (SSL *s, unsigned
- }
- #endif
- 
-+int 
SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-+ const char *label, size_t llen, const unsigned char *p, size_t plen,
-+ int use_context)
-+ {
-+ if (s->version < TLS1_VERSION)
-+ return -1;
-+ 
-+ return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
-+ llen, p, plen,
-+ use_context);
-+ }
-+ 
- int SSL_cutthrough_complete(const SSL *s)
- {
- return (!s->server && /* cutthrough only applies to clients */
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 146c89c..e7c6b9a 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -557,6 +557,10 @@ typedef struct ssl3_enc_method
- const char *server_finished_label;
- int server_finished_label_len;
- int (*alert_value)(int);
-+ int (*export_keying_material)(SSL *, unsigned char *, size_t,
-+ const char *, size_t,
-+ const unsigned char *, size_t,
-+ int use_context);
- } SSL3_ENC_METHOD;
- 
- #ifndef OPENSSL_NO_COMP
-@@ -1041,6 +1045,9 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *p);
- int tls1_mac(SSL *ssl, unsigned char *md, int snd);
- int tls1_generate_master_secret(SSL *s, unsigned char *out,
- unsigned char *p, int len);
-+int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-+ const char *label, size_t llen, const unsigned char *p,
-+ size_t plen, int use_context);
- int tls1_alert_code(int code);
- int ssl3_alert_code(int code);
- int ssl_ok(SSL *s);
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 793ea43..b1d5b28 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -1001,6 +1001,95 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
- return(SSL3_MASTER_SECRET_SIZE);
- }
- 
-+int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-+ const char *label, size_t llen, const unsigned char *context,
-+ size_t contextlen, int use_context)
-+ {
-+ unsigned char *buff;
-+ unsigned char *val = NULL;
-+ size_t vallen, currentvalpos;
-+ int rv;
-+ 
-+#ifdef KSSL_DEBUG
-+ printf 
("tls1_export_keying_material(%p,%p,%d,%s,%d,%p,%d)\n", s, out, olen, label, llen, p, plen);
-+#endif /* KSSL_DEBUG */
-+ 
-+ buff = OPENSSL_malloc(olen);
-+ if (buff == NULL) goto err2;
-+ 
-+ /* construct PRF arguments
-+ * we construct the PRF argument ourself rather than passing separate
-+ * values into the TLS PRF to ensure that the concatenation of values
-+ * does not create a prohibited label.
-+ */
-+ vallen = llen + SSL3_RANDOM_SIZE * 2;
-+ if (use_context)
-+ {
-+ vallen += 2 + contextlen;
-+ }
-+ 
-+ val = OPENSSL_malloc(vallen);
-+ if (val == NULL) goto err2;
-+ currentvalpos = 0;
-+ memcpy(val + currentvalpos, (unsigned char *) label, llen);
-+ currentvalpos += llen;
-+ memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE);
-+ currentvalpos += SSL3_RANDOM_SIZE;
-+ memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE);
-+ currentvalpos += SSL3_RANDOM_SIZE;
-+ 
-+ if (use_context)
-+ {
-+ val[currentvalpos] = (contextlen >> 8) & 0xff;
-+ currentvalpos++;
-+ val[currentvalpos] = contextlen & 0xff;
-+ currentvalpos++;
-+ if ((contextlen > 0) || (context != NULL))
-+ {
-+ memcpy(val + currentvalpos, context, contextlen);
-+ }
-+ }
-+ 
-+ /* disallow prohibited labels
-+ * note that SSL3_RANDOM_SIZE > max(prohibited label len) =
-+ * 15, so size of val > max(prohibited label len) = 15 and the
-+ * comparisons won't have buffer overflow
-+ */
-+ if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST,
-+ TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1;
-+ if (memcmp(val, TLS_MD_SERVER_FINISH_CONST,
-+ TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1;
-+ if (memcmp(val, TLS_MD_MASTER_SECRET_CONST,
-+ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1;
-+ if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST,
-+ TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1;
-+ 
-+ rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
-+ val, vallen,
-+ NULL, 0,
-+ NULL, 0,
-+ NULL, 0,
-+ NULL, 0,
-+ s->session->master_key,s->session->master_key_length,
-+ out,buff,olen);
-+ 
-+#ifdef KSSL_DEBUG
-+ printf ("tls1_export_keying_material() complete\n");
-+#endif /* KSSL_DEBUG */
-+ goto ret;
-+err1:
-+ SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
-+ rv = 0;
-+ goto ret;
-+err2:
-+ SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE);
-+ rv = 0;
-+ret:
-+ if (buff != NULL) OPENSSL_free(buff);
-+ if (val != NULL) OPENSSL_free(val);
-+ return(rv);
-+ }
-+ 
- int tls1_alert_code(int code)
- {
- switch (code)
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index daa65c9..c094471 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -209,6 +209,7 @@ SSL3_ENC_METHOD TLSv1_enc_data={
- TLS_MD_CLIENT_FINISH_CONST,TLS_MD_CLIENT_FINISH_CONST_SIZE,
- TLS_MD_SERVER_FINISH_CONST,TLS_MD_SERVER_FINISH_CONST_SIZE,
- tls1_alert_code,
-+ tls1_export_keying_material,
- };
- 
- long tls1_default_timeout(void)
-diff --git a/ssl/tls1.h b/ssl/tls1.h
-index 1fa96e5..7bbb875 100644
---- a/ssl/tls1.h
-+++ b/ssl/tls1.h
-@@ -231,6 +231,9 @@ extern "C" {
- 
- const char *SSL_get_servername(const SSL *s, const int type) ;
- int SSL_get_servername_type(const SSL *s) ;
-+int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-+ const char *label, size_t llen, const unsigned char *p, size_t plen,
-+ int use_context);
- 
-+#define SSL_set_tlsext_host_name(s,name) \
- SSL_ctrl(s,SSL_CTRL_SET_TLSEXT_HOSTNAME,TLSEXT_NAMETYPE_host_name,(char *)name)
\ No newline at end of file |