/**
* For a given client, calculate the master key and do key expansion
* to determine the symmetric cypher key and IV salt, and hash key
*/
void calculate_client_keys(struct pr_group_list_t *group, int hostidx)
{
unsigned char *seed, *prf_buf;
int explen, len, seedlen;
struct pr_destinfo_t *dest;
dest = &group->destinfo[hostidx];
explen = group->keylen + group->ivlen +
group->hmaclen;
seedlen = sizeof(group->rand1) * 2;
seed = safe_calloc(seedlen, 1);
prf_buf = safe_calloc(MASTER_LEN + explen + group->hmaclen, 1);
memcpy(seed, group->rand1, sizeof(group->rand1));
memcpy(seed + sizeof(group->rand1), dest->rand2,
sizeof(dest->rand2));
PRF(group->hashtype, MASTER_LEN, dest->premaster, dest->premaster_len,
"master secret", seed, seedlen, prf_buf, &len);
memcpy(dest->master,prf_buf, sizeof(dest->master));
PRF(group->hashtype, explen, dest->master, sizeof(dest->master),
"key expansion", seed, seedlen, prf_buf, &len);
memcpy(dest->hmackey, prf_buf, group->hmaclen);
memcpy(dest->key, prf_buf + group->hmaclen, group->keylen);
memcpy(dest->salt, prf_buf + group->hmaclen + group->keylen, group->ivlen);
free(seed);
free(prf_buf);
}
static ELzma2State Lzma2Dec_UpdateState(CLzma2Dec *p, Byte b)
{
switch(p->state)
{
case LZMA2_STATE_CONTROL:
p->control = b;
PRF(printf("\n %4X ", p->decoder.dicPos));
PRF(printf(" %2X", b));
if (p->control == 0)
return LZMA2_STATE_FINISHED;
if (LZMA2_IS_UNCOMPRESSED_STATE(p))
{
if ((p->control & 0x7F) > 2)
return LZMA2_STATE_ERROR;
p->unpackSize = 0;
}
else
p->unpackSize = (UInt32)(p->control & 0x1F) << 16;
return LZMA2_STATE_UNPACK0;
case LZMA2_STATE_UNPACK0:
p->unpackSize |= (UInt32)b << 8;
return LZMA2_STATE_UNPACK1;
case LZMA2_STATE_UNPACK1:
p->unpackSize |= (UInt32)b;
p->unpackSize++;
PRF(printf(" %8d", p->unpackSize));
return (LZMA2_IS_UNCOMPRESSED_STATE(p)) ? LZMA2_STATE_DATA : LZMA2_STATE_PACK0;
case LZMA2_STATE_PACK0:
p->packSize = (UInt32)b << 8;
return LZMA2_STATE_PACK1;
case LZMA2_STATE_PACK1:
p->packSize |= (UInt32)b;
p->packSize++;
PRF(printf(" %8d", p->packSize));
return LZMA2_IS_THERE_PROP(LZMA2_GET_LZMA_MODE(p)) ? LZMA2_STATE_PROP:
(p->needInitProp ? LZMA2_STATE_ERROR : LZMA2_STATE_DATA);
case LZMA2_STATE_PROP:
{
int lc, lp;
if (b >= (9 * 5 * 5))
return LZMA2_STATE_ERROR;
lc = b % 9;
b /= 9;
p->decoder.prop.pb = b / 5;
lp = b % 5;
if (lc + lp > LZMA2_LCLP_MAX)
return LZMA2_STATE_ERROR;
p->decoder.prop.lc = lc;
p->decoder.prop.lp = lp;
p->needInitProp = False;
return LZMA2_STATE_DATA;
}
}
return LZMA2_STATE_ERROR;
}
void PRF_plus( u8 iter, u8 * key, u16 key_length, u8 * sequence, u16 sequence_length, u8 * result ){
u16 prf_size = EVP_MD_size((EVP_MD*) EVP_sha1());
u8 *temp = malloc(prf_size*sizeof(u8));
u8 *new_sequence = malloc((prf_size+sequence_length+1)*sizeof(u8));
u8 current_iter = 1;
// New sequence = S | 0x01
memcpy(new_sequence, sequence, sequence_length);
new_sequence[sequence_length] = current_iter;
// Calculate T1 = prf(K, S | 0x01) = prf(K, new_sequence)
PRF(key, key_length, new_sequence, sequence_length + 1, temp);
// Insert into result
memcpy(result, temp, prf_size);
for (current_iter = 2; current_iter <= iter; current_iter++) {
// New sequence = T | S | iter
memcpy(new_sequence, temp,prf_size);
memcpy(&new_sequence[prf_size], sequence, sequence_length);
new_sequence[prf_size + sequence_length] = current_iter;
// Calculate T1 = prf(K, S | 0x01) = prf(K, new_sequence)
PRF(key, key_length, new_sequence, sequence_length + prf_size + 1, temp);
// Insert into result
memcpy(&result[ (current_iter - 1) * prf_size], temp, prf_size);
}
free(temp);
free(new_sequence);
}
int
main(int argc, char* argv[])
{
struct timeval tstart, tend;
unsigned char output[64 + 20];
int32 usec;
int j;
memset(output, 0, 64);
if (gettimeofday(&tstart, NULL)) exit(1);
for (j = 0; j < NITER; j++) {
fPRF(prf_vec[0].key, prf_vec[0].key_len, (const unsigned char *)"prefix",
6, prf_vec[0].data, prf_vec[0].data_len, output, 64);
}
if (gettimeofday(&tend, NULL)) exit(1);
dprintf("fPRF", output, 64, 0);
usec = tend.tv_usec - tstart.tv_usec;
usec += 1000000 * (tend.tv_sec - tstart.tv_sec);
printf("usec %d\n", usec);
memset(output, 0, 64);
if (gettimeofday(&tstart, NULL)) exit(1);
for (j = 0; j < NITER; j++) {
PRF(prf_vec[0].key, prf_vec[0].key_len, (const unsigned char *)"prefix",
6, prf_vec[0].data, prf_vec[0].data_len, output, 64);
}
if (gettimeofday(&tend, NULL)) exit(1);
dprintf("PRF", output, 64, 0);
usec = tend.tv_usec - tstart.tv_usec;
usec += 1000000 * (tend.tv_sec - tstart.tv_sec);
printf("usec %d\n", usec);
memset(output, 0, 64);
if (gettimeofday(&tstart, NULL)) exit(1);
for (j = 0; j < NITER; j++) {
fPRF(prf_vec[0].key, prf_vec[0].key_len, (const unsigned char *)"prefix",
6, prf_vec[0].data, prf_vec[0].data_len, output, 64);
}
if (gettimeofday(&tend, NULL)) exit(1);
dprintf("fPRF", output, 64, 0);
usec = tend.tv_usec - tstart.tv_usec;
usec += 1000000 * (tend.tv_sec - tstart.tv_sec);
printf("usec %d\n", usec);
memset(output, 0, 64);
if (gettimeofday(&tstart, NULL)) exit(1);
for (j = 0; j < NITER; j++) {
PRF(prf_vec[0].key, prf_vec[0].key_len, (unsigned char *)"prefix",
6, prf_vec[0].data, prf_vec[0].data_len, output, 64);
}
if (gettimeofday(&tend, NULL)) exit(1);
dprintf("PRF", output, 64, 0);
usec = tend.tv_usec - tstart.tv_usec;
usec += 1000000 * (tend.tv_sec - tstart.tv_sec);
printf("usec %d\n", usec);
return (0);
}
/*ARGSUSED*/
static int
logiattach(dev_info_t *dip, ddi_attach_cmd_t cmd)
{
int unit;
struct driver_minor_data *dmdp;
struct strmseinfo *logiptr = 0;
#ifdef LOGI_DEBUG
if (logi_debug) {
PRF("logiattach entry\n");
}
#endif
switch (cmd) {
case DDI_ATTACH:
unit = ddi_get_instance(dip);
for (dmdp = logi_minor_data; dmdp->name != NULL; dmdp++) {
if (ddi_create_minor_node(dip, dmdp->name, dmdp->type,
dmdp->minor, DDI_PSEUDO, NULL) == DDI_FAILURE) {
ddi_remove_minor_node(dip, NULL);
ddi_prop_remove_all(dip);
#ifdef LOGI_DEBUG
if (logi_debug)
PRF("logiattach: "
"ddi_create_minor_node failed\n");
#endif
return (DDI_FAILURE);
}
}
logiunits[unit] = dip;
/* allocate and initialize state structure */
logiptr = kmem_zalloc(sizeof (struct strmseinfo), KM_SLEEP);
logiptr->state = 0; /* not opened */
ddi_set_driver_private(dip, logiptr);
if (ddi_add_intr(dip, (uint_t)0, &logiptr->iblock,
(ddi_idevice_cookie_t *)0, logiintr,
(caddr_t)logiptr) != DDI_SUCCESS) {
#ifdef LOGI_DEBUG
if (logi_debug)
PRF("logiattach: ddi_add_intr failed\n");
#endif
cmn_err(CE_WARN, "logi: cannot add intr\n");
return (DDI_FAILURE);
}
mutex_init(&logiptr->lock, NULL, MUTEX_DRIVER,
(void *)logiptr->iblock);
ddi_report_dev(dip);
return (DDI_SUCCESS);
default:
return (DDI_FAILURE);
}
}
int
main(int argc, char* argv[])
{
unsigned char digest[20];
unsigned char output[64 + 20];
int k, c, fail = 0;
for (k = 0; k < NUM_VECTORS; k++) {
printf("Test Vector %d:\n", k);
hmac_sha1(prf_vec[k].data, prf_vec[k].data_len, prf_vec[k].key,
prf_vec[k].key_len, digest);
c = memcmp(digest, prf_vec[k].digest1, 20);
dprintf("HMAC_SHA1", digest, 20, c);
if (c) fail++;
memset(output, 0, 64);
if (PRF(prf_vec[k].key, prf_vec[k].key_len,
prf_vec[k].prefix, prf_vec[k].prefix_len,
prf_vec[k].data, prf_vec[k].data_len, output, 16))
fail++;
c = memcmp(output, prf_vec[k].prf, 16);
dprintf("PRF", output, 16, c);
if (c) fail++;
memset(output, 0, 64);
if (fPRF(prf_vec[k].key, prf_vec[k].key_len,
prf_vec[k].prefix, prf_vec[k].prefix_len,
prf_vec[k].data, prf_vec[k].data_len, output, 16))
fail++;
c = memcmp(output, prf_vec[k].prf, 16);
dprintf("fPRF", output, 16, c);
if (c) fail++;
memset(output, 0, 64);
if (PRF(prf_vec[k].key, prf_vec[k].key_len,
prf_vec[k].prefix, prf_vec[k].prefix_len,
prf_vec[k].data, prf_vec[k].data_len, output, 64))
fail++;
c = memcmp(output, prf_vec[k].prf, 64);
dprintf("PRF", output, 64, c);
if (c) fail++;
memset(output, 0, 64);
if (fPRF(prf_vec[k].key, prf_vec[k].key_len,
prf_vec[k].prefix, prf_vec[k].prefix_len,
prf_vec[k].data, prf_vec[k].data_len, output, 64))
fail++;
c = memcmp(output, prf_vec[k].prf, 64);
dprintf("fPRF", output, 64, c);
if (c) fail++;
}
fprintf(stderr, "%s: %s\n", *argv, fail?"FAILED":"PASSED");
return (fail);
}
/* ARGSUSED */
static int
logiinfo(dev_info_t *dip, ddi_info_cmd_t infocmd, void *arg, void **result)
{
dev_t dev = (dev_t)arg;
int unit;
dev_info_t *devi;
#ifdef LOGI_DEBUG
if (logi_debug)
PRF("logiinfo: call\n");
#endif
if (((unit = LOGIUNIT(dev)) >= LOGI_MAXUNIT) ||
(devi = logiunits[unit]) == NULL)
return (DDI_FAILURE);
switch (infocmd) {
case DDI_INFO_DEVT2DEVINFO:
*result = (void *)devi;
break;
case DDI_INFO_DEVT2INSTANCE:
*result = (void *)(uintptr_t)unit;
break;
default:
return (DDI_FAILURE);
}
return (DDI_SUCCESS);
}
uint256 PRF_addr(const uint252& a_sk, unsigned char t)
{
uint256 y;
*(y.begin()) = t;
return PRF(1, 1, 0, 0, a_sk, y);
}
int MakeTlsMasterSecret(CYASSL* ssl)
{
int ret;
byte seed[SEED_LEN];
XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN);
ret = PRF(ssl->arrays->masterSecret, SECRET_LEN,
ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
master_label, MASTER_LABEL_SZ,
seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
if (ret != 0)
return ret;
#ifdef SHOW_SECRETS
{
int i;
printf("master secret: ");
for (i = 0; i < SECRET_LEN; i++)
printf("%02x", ssl->arrays->masterSecret[i]);
printf("\n");
}
#endif
return DeriveTlsKeys(ssl);
}
void BuildTlsFinished(CYASSL* ssl, Hashes* hashes, const byte* sender)
{
const byte* side;
byte handshake_hash[HSHASH_SZ];
word32 hashSz = FINISHED_SZ;
#ifndef NO_OLD_TLS
Md5Final(&ssl->hashMd5, handshake_hash);
ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
#endif
if (IsAtLeastTLSv1_2(ssl)) {
#ifndef NO_SHA256
if (ssl->specs.mac_algorithm <= sha256_mac) {
Sha256Final(&ssl->hashSha256, handshake_hash);
hashSz = SHA256_DIGEST_SIZE;
}
#endif
#ifdef CYASSL_SHA384
if (ssl->specs.mac_algorithm == sha384_mac) {
Sha384Final(&ssl->hashSha384, handshake_hash);
hashSz = SHA384_DIGEST_SIZE;
}
#endif
}
if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
side = tls_client;
else
side = tls_server;
PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret, SECRET_LEN,
side, FINISHED_LABEL_SZ, handshake_hash, hashSz, IsAtLeastTLSv1_2(ssl),
ssl->specs.mac_algorithm);
}
void TLSClient_Impl::handshake_finished_received(const void *data, int size)
{
if (conversation_state != cl_tls_state_receive_finished)
throw Exception("TLS Expected server finished");
const int verify_data_size = 12;
Secret server_verify_data(verify_data_size);
copy_data(server_verify_data.get_data(), verify_data_size, data, size);
Secret client_verify_data(verify_data_size);
Secret md5_handshake_messages(16);
Secret sha1_handshake_messages(20);
server_handshake_md5_hash.calculate();
server_handshake_sha1_hash.calculate();
server_handshake_md5_hash.get_hash(md5_handshake_messages.get_data());
server_handshake_sha1_hash.get_hash(sha1_handshake_messages.get_data());
PRF(client_verify_data.get_data(), verify_data_size, security_parameters.master_secret, "server finished", md5_handshake_messages, sha1_handshake_messages);
if (memcmp(client_verify_data.get_data(), server_verify_data.get_data(), verify_data_size))
throw Exception("TLS server finished verify data failed");
conversation_state = cl_tls_state_connected;
}
/**
* Sends a KEYINFO_ACK in response to a KEYINFO
*/
void send_keyinfo_ack(struct group_list_t *group)
{
unsigned char *buf, *encrypted;
struct uftp_h *header;
struct keyinfoack_h *keyinfo_ack;
unsigned char *verifydata, *verify_hash, *verify_val;
unsigned int payloadlen, hashlen;
int verifylen, enclen, len;
buf = safe_calloc(MAXMTU, 1);
header = (struct uftp_h *)buf;
keyinfo_ack = (struct keyinfoack_h *)(buf + sizeof(struct uftp_h));
set_uftp_header(header, KEYINFO_ACK, group);
keyinfo_ack->func = KEYINFO_ACK;
keyinfo_ack->hlen = sizeof(struct keyinfoack_h) / 4;
verifydata = build_verify_data(group, &verifylen);
if (!verifydata) {
glog0(group, "Error getting verify data");
send_abort(group, "Error getting verify data");
free(buf);
return;
}
verify_hash = safe_calloc(group->hmaclen, 1);
verify_val = safe_calloc(VERIFY_LEN + group->hmaclen, 1);
hash(group->hashtype, verifydata, verifylen, verify_hash, &hashlen);
PRF(group->hashtype, VERIFY_LEN, group->groupmaster,
sizeof(group->groupmaster), "client finished",
verify_hash, hashlen, verify_val, &len);
memcpy(keyinfo_ack->verify_data, verify_val, VERIFY_LEN);
free(verifydata);
free(verify_hash);
free(verify_val);
payloadlen = sizeof(struct keyinfoack_h);
encrypted = NULL;
if (!encrypt_and_sign(buf, &encrypted, payloadlen, &enclen, group->keytype,
group->groupkey, group->groupsalt, &group->ivctr, group->ivlen,
group->hashtype, group->grouphmackey, group->hmaclen,group->sigtype,
group->keyextype, group->client_privkey,group->client_privkeylen)) {
glog0(group, "Error encrypting KEYINFO_ACK");
free(buf);
return;
}
payloadlen = enclen + sizeof(struct uftp_h);
if (nb_sendto(listener, encrypted, payloadlen, 0,
(struct sockaddr *)&(group->replyaddr),
family_len(group->replyaddr)) == SOCKET_ERROR) {
gsockerror(group, "Error sending KEYINFO_ACK");
} else {
glog2(group, "KEYINFO_ACK sent");
}
free(encrypted);
free(buf);
}
void SSL_Version_3_0::CalculateKeys(const SSL_varvector16 &mastersecret,
SSL_CipherSpec *client, SSL_CipherSpec *server)
{
SSL_secure_varvector16 result;
SSL_varvector32 random, random_c;
//byte *result;
const byte *source;
uint32 keylen,keysize,ivsize,hashsize;
SSL_GeneralCipher *clientcipher, *servercipher;
clientcipher = client->Method;
servercipher = server->Method;
hashsize = client->MAC->Size();
keysize = clientcipher->KeySize();
ivsize = clientcipher->IVSize();
keylen = hashsize + keysize + ivsize;
keylen += keylen;
random.Concat(conn_state->server_random, conn_state->client_random);
if(!PRF(result, keylen, mastersecret, random))
return;
#ifdef TST_DUMP
DumpTofile(result,keylen,"SSL Calckeys : keyblock","sslkeys.txt");
#endif
source = result.GetDirect();
if(hashsize)
{
source = client->MAC->LoadSecret(source,hashsize);
source = server->MAC->LoadSecret(source,hashsize);
}
if(keysize || ivsize)
{
SSL_Hash_Pointer t_md5(SSL_MD5);
random_c.Concat(conn_state->client_random, conn_state->server_random);
if(t_md5.ErrorRaisedFlag || random_c.ErrorRaisedFlag)
return;
if(keysize)
{
clientcipher->SetCipherDirection(SSL_Encrypt);
servercipher->SetCipherDirection(SSL_Decrypt);
source = LoadKeyData(t_md5, source, random_c, clientcipher, TRUE);
source = LoadKeyData(t_md5, source, random, servercipher, TRUE);
}
if(ivsize)
{
source = LoadKeyData(t_md5, source, random_c, clientcipher, FALSE);
source = LoadKeyData(t_md5, source, random, servercipher, FALSE);
}
}
}
uint256 PRF_pk(const uint252& a_sk, size_t i0, const uint256& h_sig)
{
if ((i0 != 0) && (i0 != 1)) {
throw std::domain_error("PRF_pk invoked with index out of bounds");
}
return PRF(0, i0, 0, 0, a_sk, h_sig);
}
uint256 PRF_rho(const uint252& phi, size_t i0, const uint256& h_sig)
{
if ((i0 != 0) && (i0 != 1)) {
throw std::domain_error("PRF_rho invoked with index out of bounds");
}
return PRF(0, i0, 1, 0, phi, h_sig);
}
/**
* Initialize crypto library, generate keys
*/
void key_init()
{
unsigned char *prf_buf;
time_t t;
uint32_t t2;
int explen, len;
if (keytype == KEY_NONE) {
return;
}
set_sys_keys(sys_keys);
get_key_info(keytype, &keylen, &ivlen);
hmaclen = get_hash_len(hashtype);
memset(groupkey, 0, sizeof(groupkey));
memset(groupsalt, 0, sizeof(groupsalt));
memset(grouphmackey, 0, sizeof(grouphmackey));
if (!get_random_bytes(groupmaster, sizeof(groupmaster))) {
log(0, 0, "Failed to generate group master");
exit(1);
}
groupmaster[0] = UFTP_VER_NUM;
if (!get_random_bytes(rand1, sizeof(rand1))) {
log(0, 0, "Failed to generate rand1");
exit(1);
}
// Sets the first 4 bytes of rand1 to the current time
t = time(NULL);
t2 = (uint32_t)(t & 0xFFFFFFFF);
*(uint32_t *)rand1 = t2;
explen = hmaclen + keylen + ivlen;
prf_buf = calloc(explen + hmaclen, 1);
if (prf_buf == NULL) {
syserror(0, 0, "calloc failed!");
exit(1);
}
PRF(hashtype, explen, groupmaster, sizeof(groupmaster), "key expansion",
rand1, sizeof(rand1), prf_buf, &len);
memcpy(grouphmackey, prf_buf, hmaclen);
memcpy(groupkey, prf_buf + hmaclen, keylen);
memcpy(groupsalt, prf_buf + hmaclen + keylen, ivlen);
free(prf_buf);
if ((!strcmp(keyfile, "")) || (newkeylen != 0)) {
privkey = gen_RSA_key(newkeylen, RSA_EXP, keyfile);
} else {
privkey = read_RSA_key(keyfile);
}
if (!privkey) {
log(0, 0, "Failed to read/generate private key");
exit(1);
}
rsalen = RSA_keylen(privkey);
}
int
_fini(void)
{
#ifdef DADK_DEBUG
if (dadk_debug & DENT)
PRF("dadk_fini: call\n");
#endif
return (mod_remove(&modlinkage));
}
/**
* Turn the premaster secret into an actual master secret (the
* server side will do this concurrently) as specified in section 8.1:
* master_secret = PRF( pre_master_secret, "master secret",
* ClientHello.random + ServerHello.random );
* ( premaster_secret, parameters );
* Note that, with DH, the master secret len is determined by the generator (p)
* value.
*/
static void compute_master_secret( const unsigned char *premaster_secret,
int premaster_secret_len,
TLSParameters *parameters )
{
const char *label = "master secret";
PRF( premaster_secret, premaster_secret_len,
label, strlen( label ),
// Note - cheating, since client_random & server_random are defined
// sequentially in the structure
parameters->client_random, RANDOM_LENGTH * 2,
parameters->master_secret, MASTER_SECRET_LENGTH );
}
/**
* Handles an incoming KEYINFO_ACK message from a client
*/
void handle_keyinfo_ack(struct pr_group_list_t *group, int hostidx,
const unsigned char *message, unsigned meslen)
{
const struct keyinfoack_h *keyinfoack;
unsigned char *verifydata, *verify_hash, *verify_test;
int verifylen, len, dupmsg;
unsigned int hashlen;
struct pr_destinfo_t *dest;
keyinfoack = (const struct keyinfoack_h *)message;
dest = &group->destinfo[hostidx];
if ((meslen < (keyinfoack->hlen * 4U)) ||
((keyinfoack->hlen * 4U) < sizeof(struct keyinfoack_h))) {
glog1(group, "Rejecting KEYINFO_ACK from %s: invalid message size",
dest->name);
send_downstream_abort(group, dest->id, "Invalid message size", 0);
return;
}
if (!(verifydata = build_verify_data(group, hostidx, &verifylen,1))) {
glog1(group, "Rejecting KEYINFO_ACK from %s: "
"error exporting client public key", dest->name);
return;
}
verify_hash = safe_calloc(group->hmaclen, 1);
verify_test = safe_calloc(VERIFY_LEN + group->hmaclen, 1);
hash(group->hashtype, verifydata, verifylen, verify_hash, &hashlen);
PRF(group->hashtype, VERIFY_LEN, group->groupmaster,
sizeof(group->groupmaster), "client finished",
verify_hash, hashlen, verify_test, &len);
if (memcmp(keyinfoack->verify_data, verify_test, VERIFY_LEN)) {
glog1(group, "Rejecting KEYINFO_ACK from %s: verify data mismatch",
dest->name);
free(verifydata);
free(verify_hash);
free(verify_test);
return;
}
free(verifydata);
free(verify_hash);
free(verify_test);
dupmsg = (dest->state == PR_CLIENT_READY);
glog2(group, "Received KEYINFO_ACK%s from %s", dupmsg ? "+" : "",
dest->name);
dest->state = PR_CLIENT_READY;
if (!check_unfinished_clients(group, 0)) {
group->phase = PR_PHASE_RECEIVING;
}
}
static int
logiprobe(dev_info_t *dip)
{
int unit;
#ifdef LOGI_DEBUG
if (logi_debug) {
PRF("logiprobe: entry\n");
}
#endif
unit = ddi_get_instance(dip);
#ifdef LOGI_DEBUG
if (logi_debug)
PRF("unit is %x\n", unit);
#endif
if (unit >= LOGI_MAXUNIT || logiunits[unit])
return (DDI_PROBE_FAILURE);
return (logiinit(dip));
}
/*ARGSUSED*/
static int
logidetach(dev_info_t *dip, ddi_detach_cmd_t cmd)
{
dev_info_t *ldevi;
struct strmseinfo *logiptr;
int instance;
switch (cmd) {
case DDI_DETACH:
/*
* check if every instance can be unloaded before actually
* starting to unload this one; this prevents the needless
* detach/re-attach sequence
*/
for (instance = 0; instance < LOGI_MAXUNIT; instance++) {
if (((ldevi = logiunits[instance]) == NULL) ||
(logiptr = ddi_get_driver_private(ldevi)) == NULL)
continue;
}
/*
* Undo what we did in logiattach & logiprobe, freeing resources
* and removing things we installed. The system
* framework guarantees we are not active with this devinfo
* node in any other entry points at this time.
*/
instance = ddi_get_instance(dip);
if ((instance >= LOGI_MAXUNIT) ||
(logiptr = ddi_get_driver_private(dip)) == NULL)
return (DDI_FAILURE);
logiunits[instance] = 0;
ddi_prop_remove_all(dip);
ddi_remove_minor_node(dip, NULL);
mutex_destroy(&logiptr->lock);
ddi_remove_intr(dip, 0, logiptr->iblock);
kmem_free(logiptr, sizeof (struct strmseinfo));
return (DDI_SUCCESS);
default:
#ifdef LOGI_DEBUG
if (logi_debug) {
PRF("logidetach: cmd = %d unknown\n", cmd);
}
#endif
return (DDI_FAILURE);
}
}
static void compute_verify_data( const char *finished_label,
TLSParameters *parameters,
char *verify_data )
{
unsigned char handshake_hash[ ( MD5_RESULT_SIZE * sizeof( int ) ) +
( SHA1_RESULT_SIZE * sizeof( int ) ) ];
compute_handshake_hash( parameters, handshake_hash );
PRF( parameters->master_secret, MASTER_SECRET_LENGTH,
finished_label, strlen( finished_label ),
handshake_hash,
MD5_RESULT_SIZE * sizeof( int ) + SHA1_RESULT_SIZE * sizeof( int ),
verify_data, VERIFY_DATA_LEN );
}
/*
* Generate keys according to RFC 2716 and add to reply
*/
void eaptls_gen_mppe_keys(REQUEST *request, SSL *s, char const *prf_label)
{
uint8_t out[4 * EAPTLS_MPPE_KEY_LEN];
uint8_t *p;
size_t prf_size;
if (!s->s3) {
ERROR("No SSLv3 information");
return;
}
prf_size = strlen(prf_label);
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if (SSL_export_keying_material(s, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1) {
ERROR("Failed generating keying material");
return;
}
#else
{
uint8_t seed[64 + (2 * SSL3_RANDOM_SIZE)];
uint8_t buf[4 * EAPTLS_MPPE_KEY_LEN];
p = seed;
memcpy(p, prf_label, prf_size);
p += prf_size;
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
prf_size += SSL3_RANDOM_SIZE;
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
prf_size += SSL3_RANDOM_SIZE;
PRF(s->session->master_key, s->session->master_key_length,
seed, prf_size, out, buf, sizeof(out));
}
#endif
p = out;
eap_add_reply(request, "MS-MPPE-Recv-Key", p, EAPTLS_MPPE_KEY_LEN);
p += EAPTLS_MPPE_KEY_LEN;
eap_add_reply(request, "MS-MPPE-Send-Key", p, EAPTLS_MPPE_KEY_LEN);
eap_add_reply(request, "EAP-MSK", out, 64);
eap_add_reply(request, "EAP-EMSK", out + 64, 64);
}
int DeriveTlsKeys(SSL* ssl)
{
int length = 2 * ssl->specs.hash_size +
2 * ssl->specs.key_size +
2 * ssl->specs.iv_size;
byte seed[SEED_LEN];
byte key_data[MAX_PRF_DIG];
XMEMCPY(seed, ssl->arrays.serverRandom, RAN_LEN);
XMEMCPY(&seed[RAN_LEN], ssl->arrays.clientRandom, RAN_LEN);
PRF(key_data, length, ssl->arrays.masterSecret, SECRET_LEN, key_label,
KEY_LABEL_SZ, seed, SEED_LEN, IsAtLeastTLSv1_2(ssl));
return StoreKeys(ssl, key_data);
}
/* Used by EAP-TLS and EAP-TTLS to derive keying material from
* the master_secret. */
int CyaSSL_make_eap_keys(CYASSL* ssl, void* msk, unsigned int len,
const char* label)
{
byte seed[SEED_LEN];
/*
* As per RFC-5281, the order of the client and server randoms is reversed
* from that used by the TLS protocol to derive keys.
*/
XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
XMEMCPY(&seed[RAN_LEN], ssl->arrays->serverRandom, RAN_LEN);
return PRF((byte*)msk, len,
ssl->arrays->masterSecret, SECRET_LEN,
(const byte *)label, (word32)strlen(label),
seed, SEED_LEN, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
}
void SSL_Version_3_0::CalculateMasterSecret(SSL_secure_varvector16 &mastersecret, const SSL_secure_varvector16 &premaster)
{
#ifdef TST_DUMP
DumpTofile(premaster,premaster.GetLength(),"SSL Master : premaster","sslkeys.txt");
#endif
SSL_secure_varvector32 random;
random.Concat(conn_state->client_random, conn_state->server_random);
if(!PRF(mastersecret, SSL_MASTER_SECRET_SIZE, premaster, random))
mastersecret.Resize(0);
#ifdef TST_DUMP
DumpTofile(mastersecret,SSL_MASTER_SECRET_SIZE,"SSL Calcmaster : ","sslkeys.txt");
#endif
}
/*
* Same as before, but for EAP-FAST the order of {server,client}_random is flipped
*/
void eap_fast_tls_gen_challenge(SSL *s, uint8_t *buffer, uint8_t *scratch, size_t size, char const *prf_label)
{
uint8_t seed[128 + 2*SSL3_RANDOM_SIZE];
uint8_t *p = seed;
size_t len;
len = strlen(prf_label);
if (len > 128) len = 128;
memcpy(p, prf_label, len);
p += len;
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
PRF(s->session->master_key, s->session->master_key_length,
seed, p - seed, buffer, scratch, size);
}
int main( int argc, char *argv[ ] )
{
unsigned char *output;
int out_len, i;
int secret_len;
int label_len;
int seed_len;
unsigned char *secret;
unsigned char *label;
unsigned char *seed;
if ( argc < 5 )
{
fprintf( stderr,
"usage: %s [0x]<secret> [0x]<label> [0x]<seed> <output len>\n",
argv[ 0 ] );
exit( 0 );
}
secret_len = hex_decode( argv[ 1 ], &secret );
label_len = hex_decode( argv[ 2 ], &label );
seed_len = hex_decode( argv[ 3 ], &seed );
out_len = atoi( argv[ 4 ] );
output = ( unsigned char * ) malloc( out_len );
PRF( secret, secret_len,
label, label_len,
seed, seed_len,
output, out_len );
for ( i = 0; i < out_len; i++ )
{
printf( "%.02x", output[ i ] );
}
printf( "\n" );
free( secret );
free( label );
free( seed );
free( output );
return 0;
}
/*
========================================================================
Routine Description:
Generate random number by software.
Arguments:
pAd - pointer to our pAdapter context
macAddr - pointer to local MAC address
Return Value:
Note:
802.1ii-2004 Annex H.5
========================================================================
*/
VOID GenRandom(
IN PRTMP_ADAPTER pAd,
IN UCHAR *macAddr,
OUT UCHAR *random)
{
INT i, curr;
UCHAR local[80], KeyCounter[32];
UCHAR result[80];
ULONG CurrentTime;
UCHAR prefix[] = {'I', 'n', 'i', 't', ' ', 'C', 'o', 'u', 'n', 't', 'e', 'r'};
// Zero the related information
NdisZeroMemory(result, 80);
NdisZeroMemory(local, 80);
NdisZeroMemory(KeyCounter, 32);
for (i = 0; i < 32; i++)
{
// copy the local MAC address
COPY_MAC_ADDR(local, macAddr);
curr = MAC_ADDR_LEN;
// concatenate the current time
NdisGetSystemUpTime(&CurrentTime);
NdisMoveMemory(&local[curr], &CurrentTime, sizeof(CurrentTime));
curr += sizeof(CurrentTime);
// concatenate the last result
NdisMoveMemory(&local[curr], result, 32);
curr += 32;
// concatenate a variable
NdisMoveMemory(&local[curr], &i, 2);
curr += 2;
// calculate the result
PRF(KeyCounter, 32, prefix,12, local, curr, result, 32);
}
NdisMoveMemory(random, result, 32);
}
/*
* Generate the TTLS challenge
*
* It's in the TLS module simply because it's only a few lines
* of code, and it needs access to the TLS PRF functions.
*/
void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size)
{
uint8_t out[32], buf[32];
uint8_t seed[sizeof(EAPTLS_PRF_CHALLENGE)-1 + 2*SSL3_RANDOM_SIZE];
uint8_t *p = seed;
if (!s->s3) {
radlog(L_ERR, "ERROR: OpenSSL build / link incompatibility detected");
return;
}
memcpy(p, EAPTLS_PRF_CHALLENGE, sizeof(EAPTLS_PRF_CHALLENGE)-1);
p += sizeof(EAPTLS_PRF_CHALLENGE)-1;
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
p += SSL3_RANDOM_SIZE;
memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
PRF(s->session->master_key, s->session->master_key_length,
seed, sizeof(seed), out, buf, sizeof(out));
memcpy(buffer, out, size);
}
