generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use single master secret generation function.

Browse Source 
Reviewed-by: Matt Caswell <matt@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-06-17 04:10:04 +01:00
parent 7f098cb436
commit 57b272b01a
6 changed files with 37 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/openssl/ssl.h
View File

@ -636,9 +636,7 @@ __owur int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
int SSL_SRP_CTX_free(SSL *ctx); int SSL_SRP_CTX_free(SSL *ctx);
int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx); int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
__owur int SSL_srp_server_param_with_username(SSL *s, int *ad); __owur int SSL_srp_server_param_with_username(SSL *s, int *ad);
__owur int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key);
__owur int SRP_Calc_A_param(SSL *s); __owur int SRP_Calc_A_param(SSL *s);
__owur int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key);
# endif # endif

16
ssl/s3_clnt.c
View File

@ -2891,13 +2891,10 @@ int ssl3_send_client_key_exchange(SSL *s)
if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) { if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
/* /*
* If everything written generate master key: no need to save PMS as * If everything written generate master key: no need to save PMS as
* SRP_generate_client_master_secret generates it internally. * srp_generate_client_master_secret generates it internally.
*/ */
if (n > 0) { if (n > 0) {
if ((s->session->master_key_length = if (!srp_generate_client_master_secret(s)) {
SRP_generate_client_master_secret(s,
s->session->master_key)) <
0) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR); ERR_R_INTERNAL_ERROR);
goto err; goto err;
@ -2920,14 +2917,7 @@ int ssl3_send_client_key_exchange(SSL *s)
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto err; goto err;
} }
s->session->master_key_length = if (!ssl_generate_master_secret(s, pms, pmslen, 1)) {
s->method->ssl3_enc->generate_master_secret(s,
s->
session->master_key,
pms, pmslen);
OPENSSL_clear_free(pms, pmslen);
s->s3->tmp.pms = NULL;
if (s->session->master_key_length < 0) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err; goto err;

15
ssl/s3_lib.c
View File

@ -4291,3 +4291,18 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
} else } else
return RAND_bytes(result, len); return RAND_bytes(result, len);
} }
int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
int free_pms)
{
s->session->master_key_length =
s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,
pms, pmslen);
if (free_pms)
OPENSSL_clear_free(pms, pmslen);
else
OPENSSL_cleanse(pms, pmslen);
if (s->server == 0)
s->s3->tmp.pms = NULL;
return s->session->master_key_length >= 0;
}

54
ssl/s3_srvr.c
View File

@ -2381,15 +2381,7 @@ int ssl3_get_client_key_exchange(SSL *s)
rand_premaster_secret[j]); rand_premaster_secret[j]);
} }
s->session->master_key_length = if (!ssl_generate_master_secret(s, p, sizeof(rand_premaster_secret), 0)) {
s->method->ssl3_enc->generate_master_secret(s,
s->
session->master_key,
p,
sizeof
(rand_premaster_secret));
OPENSSL_cleanse(p, sizeof(rand_premaster_secret));
if (s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR; al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err; goto f_err;
@ -2480,13 +2472,7 @@ int ssl3_get_client_key_exchange(SSL *s)
else else
BN_clear_free(pub); BN_clear_free(pub);
pub = NULL; pub = NULL;
s->session->master_key_length = if (!ssl_generate_master_secret(s, p, i, 0)) {
s->method->ssl3_enc->generate_master_secret(s,
s->
session->master_key,
p, i);
OPENSSL_cleanse(p, i);
if (s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR; al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err; goto f_err;
@ -2618,15 +2604,7 @@ int ssl3_get_client_key_exchange(SSL *s)
EC_KEY_free(s->s3->tmp.ecdh); EC_KEY_free(s->s3->tmp.ecdh);
s->s3->tmp.ecdh = NULL; s->s3->tmp.ecdh = NULL;
/* Compute the master secret */ if (!ssl_generate_master_secret(s, p, i, 0)) {
s->session->master_key_length =
s->method->ssl3_enc->generate_master_secret(s,
s->
session->master_key,
p, i);
OPENSSL_cleanse(p, i);
if (s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR; al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err; goto f_err;
@ -2707,22 +2685,17 @@ int ssl3_get_client_key_exchange(SSL *s)
goto psk_err; goto psk_err;
} }
s->session->master_key_length = if (!ssl_generate_master_secret(s, psk_or_pre_ms, pre_ms_len, 0)) {
s->method->ssl3_enc->generate_master_secret(s,
s->
session->master_key,
psk_or_pre_ms,
pre_ms_len);
if (s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR; al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto psk_err; goto f_err;
} }
psk_err = 0; psk_err = 0;
psk_err: psk_err:
if (psk_err != 0) {
OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms)); OPENSSL_cleanse(psk_or_pre_ms, sizeof(psk_or_pre_ms));
if (psk_err != 0)
goto f_err; goto f_err;
}
} else } else
#endif #endif
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
@ -2755,9 +2728,7 @@ int ssl3_get_client_key_exchange(SSL *s)
goto err; goto err;
} }
if ((s->session->master_key_length = if (!srp_generate_server_master_secret(s)) {
SRP_generate_server_master_secret(s,
s->session->master_key)) < 0) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto err; goto err;
} }
@ -2813,13 +2784,8 @@ int ssl3_get_client_key_exchange(SSL *s)
goto gerr; goto gerr;
} }
/* Generate master secret */ /* Generate master secret */
s->session->master_key_length = if (!ssl_generate_master_secret(s, premaster_secret,
s->method->ssl3_enc->generate_master_secret(s, sizeof(premaster_secret), 0)) {
s->
session->master_key,
premaster_secret, 32);
OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret));
if (s->session->master_key_length < 0) {
al = SSL_AD_INTERNAL_ERROR; al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
goto f_err; goto f_err;

4
ssl/ssl_locl.h
View File

@ -1890,6 +1890,8 @@ __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
__owur int ssl_verify_alarm_type(long type); __owur int ssl_verify_alarm_type(long type);
void ssl_load_ciphers(void); void ssl_load_ciphers(void);
__owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len); __owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
__owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
int free_pms);
__owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); __owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
__owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); __owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
@ -2159,6 +2161,8 @@ void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
EVP_MD_CTX *mac_ctx, const unsigned char *data, EVP_MD_CTX *mac_ctx, const unsigned char *data,
size_t data_len, size_t orig_len); size_t data_len, size_t orig_len);
__owur int srp_generate_server_master_secret(SSL *s);
__owur int srp_generate_client_master_secret(SSL *s);
__owur int srp_verify_server_param(SSL *s, int *al); __owur int srp_verify_server_param(SSL *s, int *al);
/* t1_ext.c */ /* t1_ext.c */

13
ssl/tls_srp.c
View File

@ -332,7 +332,7 @@ int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
return 1; return 1;
} }
int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key) int srp_generate_server_master_secret(SSL *s)
{ {
BIGNUM *K = NULL, *u = NULL; BIGNUM *K = NULL, *u = NULL;
int ret = -1, tmp_len = 0; int ret = -1, tmp_len = 0;
@ -350,17 +350,15 @@ int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
goto err; goto err;
BN_bn2bin(K, tmp); BN_bn2bin(K, tmp);
ret = s->method->ssl3_enc->generate_master_secret(s, master_key, tmp, ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
tmp_len);
err: err:
OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K); BN_clear_free(K);
BN_clear_free(u); BN_clear_free(u);
return ret; return ret;
} }
/* client side */ /* client side */
int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key) int srp_generate_client_master_secret(SSL *s)
{ {
BIGNUM *x = NULL, *u = NULL, *K = NULL; BIGNUM *x = NULL, *u = NULL, *K = NULL;
int ret = -1, tmp_len = 0; int ret = -1, tmp_len = 0;
@ -391,11 +389,8 @@ int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
if ((tmp = OPENSSL_malloc(tmp_len)) == NULL) if ((tmp = OPENSSL_malloc(tmp_len)) == NULL)
goto err; goto err;
BN_bn2bin(K, tmp); BN_bn2bin(K, tmp);
ret = ret = ssl_generate_master_secret(s, tmp, tmp_len, 1);
s->method->ssl3_enc->generate_master_secret(s, master_key, tmp,
tmp_len);
err: err:
OPENSSL_clear_free(tmp, tmp_len);
BN_clear_free(K); BN_clear_free(K);
BN_clear_free(x); BN_clear_free(x);
OPENSSL_clear_free(passwd, strlen(passwd)); OPENSSL_clear_free(passwd, strlen(passwd));