int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
const char *label, size_t label_len,
const uint8_t *context, size_t context_len,
int use_context) {
if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) {
return 0;
}
/* Exporters may not be used in the middle of a renegotiation. */
if (SSL_in_init(ssl) && !SSL_in_false_start(ssl)) {
return 0;
}
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return tls13_export_keying_material(ssl, out, out_len, label, label_len,
context, context_len, use_context);
}
size_t seed_len = 2 * SSL3_RANDOM_SIZE;
if (use_context) {
if (context_len >= 1u << 16) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
return 0;
}
seed_len += 2 + context_len;
}
uint8_t *seed = OPENSSL_malloc(seed_len);
if (seed == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
OPENSSL_memcpy(seed, ssl->s3->client_random, SSL3_RANDOM_SIZE);
OPENSSL_memcpy(seed + SSL3_RANDOM_SIZE, ssl->s3->server_random,
SSL3_RANDOM_SIZE);
if (use_context) {
seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8);
seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len;
OPENSSL_memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);
}
const EVP_MD *digest = ssl_get_handshake_digest(
SSL_get_session(ssl)->cipher->algorithm_prf, ssl3_protocol_version(ssl));
if (digest == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return 0;
}
int ret = tls1_prf(digest, out, out_len, SSL_get_session(ssl)->master_key,
SSL_get_session(ssl)->master_key_length, label, label_len,
seed, seed_len, NULL, 0);
OPENSSL_free(seed);
return ret;
}
int SSL_export_keying_material(SSL *ssl, uint8_t *out, size_t out_len,
const char *label, size_t label_len,
const uint8_t *context, size_t context_len,
int use_context) {
if (!ssl->s3->have_version || ssl->version == SSL3_VERSION) {
return 0;
}
if (ssl3_protocol_version(ssl) >= TLS1_3_VERSION) {
return tls13_export_keying_material(ssl, out, out_len, label, label_len,
context, context_len, use_context);
}
size_t seed_len = 2 * SSL3_RANDOM_SIZE;
if (use_context) {
if (context_len >= 1u << 16) {
OPENSSL_PUT_ERROR(SSL, ERR_R_OVERFLOW);
return 0;
}
seed_len += 2 + context_len;
}
uint8_t *seed = OPENSSL_malloc(seed_len);
if (seed == NULL) {
OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
return 0;
}
memcpy(seed, ssl->s3->client_random, SSL3_RANDOM_SIZE);
memcpy(seed + SSL3_RANDOM_SIZE, ssl->s3->server_random, SSL3_RANDOM_SIZE);
if (use_context) {
seed[2 * SSL3_RANDOM_SIZE] = (uint8_t)(context_len >> 8);
seed[2 * SSL3_RANDOM_SIZE + 1] = (uint8_t)context_len;
memcpy(seed + 2 * SSL3_RANDOM_SIZE + 2, context, context_len);
}
int ret =
ssl->s3->enc_method->prf(ssl, out, out_len,
SSL_get_session(ssl)->master_key,
SSL_get_session(ssl)->master_key_length, label,
label_len, seed, seed_len, NULL, 0);
OPENSSL_free(seed);
return ret;
}