ssldump/ssl/ssldecode.c

/**
   ssldecode.c


   Copyright (C) 1999-2000 RTFM, Inc.
   All Rights Reserved

   This package is a SSLv3/TLS protocol analyzer written by Eric Rescorla
   <ekr@rtfm.com> and licensed by RTFM, Inc.

   Redistribution and use in source and binary forms, with or without
   modification, are permitted provided that the following conditions
   are met:
   1. Redistributions of source code must retain the above copyright
      notice, this list of conditions and the following disclaimer.
   2. Redistributions in binary form must reproduce the above copyright
      notice, this list of conditions and the following disclaimer in the
      documentation and/or other materials provided with the distribution.
   3. All advertising materials mentioning features or use of this software
      must display the following acknowledgement:

      This product includes software developed by Eric Rescorla for
      RTFM, Inc.

   4. Neither the name of RTFM, Inc. nor the name of Eric Rescorla may be
      used to endorse or promote products derived from this
      software without specific prior written permission.

   THIS SOFTWARE IS PROVIDED BY ERIC RESCORLA AND RTFM, INC. ``AS IS'' AND
   ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY SUCH
   DAMAGE.

   $Id: ssldecode.c,v 1.9 2002/08/17 01:33:17 ekr Exp $


   ekr@rtfm.com  Thu Apr  1 09:54:53 1999
 */

#include "network.h"
#include "ssl_h.h"
#include "sslprint.h"
#include "ssl.enums.h"
#ifdef OPENSSL
#include <openssl/err.h>
#include <openssl/kdf.h>
#include <openssl/ssl.h>
#include <openssl/hmac.h>
#include <openssl/evp.h>
#include <openssl/md5.h>
#include <openssl/x509v3.h>
#endif
#include "ssldecode.h"
#include "ssl_rec.h"
#include "r_assoc.h"

#define PRF(ssl, secret, usage, rnd1, rnd2, out)              \
  (ssl->version == SSLV3_VERSION)                             \
      ? ssl3_prf(ssl, secret, usage, rnd1, rnd2, out)         \
      : ((ssl->version == TLSV12_VERSION)                     \
             ? tls12_prf(ssl, secret, usage, rnd1, rnd2, out) \
             : tls_prf(ssl, secret, usage, rnd1, rnd2, out))

static char *ssl_password;

extern char *digests[];
extern UINT4 SSL_print_flags;

struct ssl_decode_ctx_ {
#ifdef OPENSSL
  SSL_CTX *ssl_ctx;
  SSL *ssl;
  r_assoc *session_cache;
  FILE *ssl_key_log_file;
#else
  char dummy; /* Some compilers (Win32) don't like empty
                  structs */
#endif
};

struct ssl_decoder_ {
  ssl_decode_ctx *ctx;
  Data *session_id;
  SSL_CipherSuite *cs;
  Data *client_random;
  Data *server_random;
  int ephemeral_rsa;
  Data *PMS;
  Data *MS;
  Data *SHTS;  // Server Handshake traffic secret
  Data *CHTS;  // Client Handshake traffic secret
  Data *STS;   // Server traffic Secret
  Data *CTS;   // Client traffic secret
  Data *handshake_messages;
  Data *session_hash;
  ssl_rec_decoder *c_to_s;
  ssl_rec_decoder *s_to_c;
  ssl_rec_decoder *c_to_s_n;
  ssl_rec_decoder *s_to_c_n;
};

#ifdef OPENSSL
static int tls_P_hash PROTO_LIST(
    (ssl_obj * ssl, Data *secret, Data *seed, const EVP_MD *md, Data *out));
static int tls12_prf PROTO_LIST((ssl_obj * ssl,
                                 Data *secret,
                                 char *usage,
                                 Data *rnd1,
                                 Data *rnd2,
                                 Data *out));
static int tls_prf PROTO_LIST((ssl_obj * ssl,
                               Data *secret,
                               char *usage,
                               Data *rnd1,
                               Data *rnd2,
                               Data *out));
static int ssl3_prf PROTO_LIST((ssl_obj * ssl,
                                Data *secret,
                                char *usage,
                                Data *rnd1,
                                Data *rnd2,
                                Data *out));
static int ssl3_generate_export_iv
    PROTO_LIST((ssl_obj * ssl, Data *rnd1, Data *rnd2, Data *out));
static int ssl_generate_keying_material PROTO_LIST((ssl_obj * ssl,
                                                    ssl_decoder *d));
static int ssl_generate_session_hash PROTO_LIST((ssl_obj * ssl,
                                                 ssl_decoder *d));
static int ssl_read_key_log_file PROTO_LIST((ssl_obj * obj, ssl_decoder *d));
#endif

static int ssl_create_session_lookup_key PROTO_LIST(
    (ssl_obj * ssl, UCHAR *id, UINT4 idlen, UCHAR **keyp, UINT4 *keyl));
int ssl_save_session PROTO_LIST((ssl_obj * ssl, ssl_decoder *d));
int ssl_restore_session PROTO_LIST((ssl_obj * ssl, ssl_decoder *d));

/*The password code is not thread safe*/
static int password_cb(char *buf, int num, int rwflag, void *userdata) {
  if(num < strlen(ssl_password) + 1)
    return 0;

  strcpy(buf, ssl_password);
  return strlen(ssl_password);
}

int ssl_decode_ctx_create(ssl_decode_ctx **dp,
                          char *keyfile,
                          char *pass,
                          char *keylogfile) {
#ifdef OPENSSL
  ssl_decode_ctx *d = 0;
  int _status;

  SSL_library_init();
  OpenSSL_add_all_algorithms();
  if(!(d = (ssl_decode_ctx *)malloc(sizeof(ssl_decode_ctx))))
    ABORT(R_NO_MEMORY);
  if(!(d->ssl_ctx = SSL_CTX_new(SSLv23_server_method())))
    ABORT(R_NO_MEMORY);
  if(keyfile) {
    if(pass) {
      ssl_password = pass;
      SSL_CTX_set_default_passwd_cb(d->ssl_ctx, password_cb);
    }
#if 0      
      if(SSL_CTX_use_certificate_file(d->ssl_ctx,keyfile,SSL_FILETYPE_PEM)!=1){
        fprintf(stderr,"Problem loading certificate file\n");
        ABORT(R_INTERNAL);
      }
#endif
    if(SSL_CTX_use_PrivateKey_file(d->ssl_ctx, keyfile, SSL_FILETYPE_PEM) !=
       1) {
      fprintf(stderr, "Problem loading private key\n");
      ABORT(R_INTERNAL);
    }
  }
  if(!(d->ssl = SSL_new(d->ssl_ctx)))
    ABORT(R_NO_MEMORY);

  if(r_assoc_create(&d->session_cache))
    ABORT(R_NO_MEMORY);

  if(keylogfile) {
    if(!(d->ssl_key_log_file = fopen(keylogfile, "r"))) {
      fprintf(stderr, "Failed to open ssl key log file");
      ABORT(R_INTERNAL);
    }
  } else {
    d->ssl_key_log_file = NULL;
  }

  X509V3_add_standard_extensions();

  *dp = d;
  _status = 0;
abort:
  return _status;
#else
  return 0;
#endif
}

int ssl_decode_ctx_destroy(ssl_decode_ctx **dp) {
#ifdef OPENSSL
  ssl_decode_ctx *d = *dp;
  if(!d)
    return 0;
  if(d->ssl_key_log_file) {
    fclose(d->ssl_key_log_file);
  }

  r_assoc_destroy(&d->session_cache);

  SSL_CTX_free(d->ssl_ctx);
  SSL_free(d->ssl);
  free(d);
#endif
  return 0;
}

int ssl_decoder_create(ssl_decoder **dp, ssl_decode_ctx *ctx) {
  int _status;

  ssl_decoder *d = 0;

#ifdef OPENSSL
  if(!(d = (ssl_decoder *)calloc(1, sizeof(ssl_decoder))))
    ABORT(R_NO_MEMORY);
  d->ctx = ctx;

  *dp = d;
  _status = 0;
abort:
  if(_status)
    ssl_decoder_destroy(&d);
  return _status;
#else
  return 0;
#endif
}

int ssl_decoder_destroy(ssl_decoder **dp) {
#ifdef OPENSSL
  ssl_decoder *d;

  if(!dp || !*dp)
    return 0;
  d = *dp;
  r_data_destroy(&d->client_random);
  r_data_destroy(&d->server_random);
  r_data_destroy(&d->session_id);
  r_data_destroy(&d->PMS);
  r_data_destroy(&d->MS);
  r_data_destroy(&d->handshake_messages);
  r_data_destroy(&d->session_hash);
  ssl_destroy_rec_decoder(&d->c_to_s);
  ssl_destroy_rec_decoder(&d->c_to_s_n);
  ssl_destroy_rec_decoder(&d->s_to_c);
  ssl_destroy_rec_decoder(&d->s_to_c_n);
  free(d);
  *dp = 0;
#endif
  return 0;
}

int ssl_set_client_random(ssl_decoder *d, UCHAR *msg, int len) {
#ifdef OPENSSL
  int r;

  r_data_destroy(&d->client_random);
  if((r = r_data_create(&d->client_random, msg, len)))
    ERETURN(r);
#endif
  return 0;
}

int ssl_set_server_random(ssl_decoder *d, UCHAR *msg, int len) {
#ifdef OPENSSL
  int r;

  r_data_destroy(&d->server_random);
  if((r = r_data_create(&d->server_random, msg, len)))
    ERETURN(r);
#endif
  return 0;
}

int ssl_set_client_session_id(ssl_decoder *d, UCHAR *msg, int len) {
#ifdef OPENSSL
  int r;

  if(len > 0) {
    r_data_destroy(&d->session_id);
    if((r = r_data_create(&d->session_id, msg, len)))
      ERETURN(r);
  }
#endif
  return 0;
}

int ssl_process_server_session_id(ssl_obj *ssl,
                                  ssl_decoder *d,
                                  UCHAR *msg,
                                  int len) {
#ifdef OPENSSL
  int r, _status;
  Data idd;
  int restored = 0;

  INIT_DATA(idd, msg, len);

  if(ssl->version == TLSV13_VERSION) {
    // No need to save/restore session in tls1.3 since the only way of
    // decrypting is through log file
  } else {
    /* First check to see if the client tried to restore */
    if(d->session_id) {
      /* Now check to see if we restored */
      if((r = r_data_compare(&idd, d->session_id)))
        ABORT(r);

      /* Now try to look up the session. We may not be able
         to find it if, for instance, the original session
         was initiated with something other than static RSA */
      if((r = ssl_restore_session(ssl, d)))
        ABORT(r);

      restored = 1;
    }
  }

  _status = 0;
abort:
  if(!restored) {
    /* Copy over the session ID */
    r_data_destroy(&d->session_id);
    r_data_create(&d->session_id, msg, len);
  }
  return _status;
#else
  return 0;
#endif
}

int ssl_process_client_session_id(ssl_obj *ssl,
                                  ssl_decoder *d,
                                  UCHAR *msg,
                                  int len) {
#ifdef OPENSSL
  int _status;

  /* First check if the client set session id */
  // todo: check that session_id in decoder and msg are the same (and if not
  // then take from msg?)
  if(d->session_id) {
    /* Remove the master secret */
    // todo: better save and destroy only when successfully read key log
    r_data_destroy(&d->MS);

    if(d->ctx->ssl_key_log_file && (ssl_read_key_log_file(ssl, d) == 0) &&
       d->MS) {
      // we found master secret for session in keylog
      // try to save session
      _status = ssl_save_session(ssl, d);
    } else {
      // just return error
      _status = -1;
    }
  } else {
    _status = -1;
  }
  return _status;
#else
  return 0;
#endif
}

int ssl_process_handshake_finished(ssl_obj *ssl, ssl_decoder *dec, Data *data) {
  if(ssl->version == TLSV13_VERSION) {
    if(ssl->direction ==
       DIR_I2R) {  // Change from handshake decoder to data traffic decoder
      dec->c_to_s = dec->c_to_s_n;
      dec->c_to_s_n = 0;
    } else {
      dec->s_to_c = dec->s_to_c_n;
      dec->s_to_c_n = 0;
    }
  }
  return 0;
}

int ssl_process_change_cipher_spec(ssl_obj *ssl,
                                   ssl_decoder *d,
                                   int direction) {
#ifdef OPENSSL
  if(ssl->version != TLSV13_VERSION) {
    if(direction == DIR_I2R) {
      d->c_to_s = d->c_to_s_n;
      d->c_to_s_n = 0;
      if(d->c_to_s)
        ssl->process_ciphertext |= direction;
    } else {
      d->s_to_c = d->s_to_c_n;
      d->s_to_c_n = 0;
      if(d->s_to_c)
        ssl->process_ciphertext |= direction;
    }
  }
#endif
  return 0;
}
int ssl_decode_record(ssl_obj *ssl,
                      ssl_decoder *dec,
                      int direction,
                      int ct,
                      int version,
                      Data *d) {
  ssl_rec_decoder *rd;
  UCHAR *out;
  int outl;
  int r, _status;
  UINT4 state;

  if(dec)
    rd = (direction == DIR_I2R) ? dec->c_to_s : dec->s_to_c;
  else
    rd = 0;
  state = (direction == DIR_I2R) ? ssl->i_state : ssl->r_state;

  if(ssl->version == TLSV13_VERSION &&
     ct != 23) {  // Only type 23 is encrypted in tls1.3
    ssl->record_encryption = REC_PLAINTEXT;
    return 0;
  } else if(!rd) {
    if(state & SSL_ST_SENT_CHANGE_CIPHER_SPEC) {
      ssl->record_encryption = REC_CIPHERTEXT;
      return SSL_NO_DECRYPT;
    } else {
      ssl->record_encryption = REC_PLAINTEXT;
      return 0;
    }
  }

  ssl->record_encryption = REC_CIPHERTEXT;
#ifdef OPENSSL
  if(!(out = (UCHAR *)malloc(d->len)))
    ABORT(R_NO_MEMORY);

  if(ssl->version == TLSV13_VERSION) {
    r = tls13_decode_rec_data(ssl, rd, ct, version, d->data, d->len, out,
                              &outl);
  } else {
    r = ssl_decode_rec_data(ssl, rd, ct, version, d->data, d->len, out, &outl);
  }
  if(r) {
    ABORT(r);
  }

  memcpy(d->data, out, outl);
  d->len = outl;

  ssl->record_encryption = REC_DECRYPTED_CIPHERTEXT;

  _status = 0;
abort:
  FREE(out);
  return _status;
#else
  return 0;
#endif
}

int ssl_update_handshake_messages(ssl_obj *ssl, Data *data) {
#ifdef OPENSSL
  Data *hms;
  UCHAR *d;
  int l, r;

  hms = ssl->decoder->handshake_messages;
  d = data->data - 4;
  l = data->len + 4;

  if(hms) {
    if(!(hms->data = realloc(hms->data, l + hms->len)))
      ERETURN(R_NO_MEMORY);

    memcpy(hms->data + hms->len, d, l);
    hms->len += l;
  } else {
    if((r = r_data_create(&hms, d, l)))
      ERETURN(r);
    ssl->decoder->handshake_messages = hms;
  }
#endif
  return 0;
}

static int ssl_create_session_lookup_key(ssl_obj *ssl,
                                         UCHAR *id,
                                         UINT4 idlen,
                                         UCHAR **keyp,
                                         UINT4 *keyl) {
  UCHAR *key = 0;
  UINT4 l;
  int _status;

  l = idlen + strlen(ssl->server_name) + idlen + 15; /* HOST + PORT + id */

  if(!(key = (UCHAR *)malloc(l)))
    ABORT(R_NO_MEMORY);
  *keyp = key;

  memcpy(key, id, idlen);
  *keyl = idlen;
  key += idlen;

  snprintf((char *)key, l, "%s:%d", ssl->server_name, ssl->server_port);
  *keyl += strlen((char *)key);

  _status = 0;
abort:
  return _status;
}

/* Look up the session id in the session cache and generate
   the appropriate keying material */
int ssl_restore_session(ssl_obj *ssl, ssl_decoder *d) {
  UCHAR *lookup_key = 0;
  void *msv;
  Data *msd;
  int lookup_key_len;
  int r, _status;
#ifdef OPENSSL
  if((r = ssl_create_session_lookup_key(ssl, d->session_id->data,
                                        d->session_id->len, &lookup_key,
                                        (UINT4 *)&lookup_key_len)))
    ABORT(r);
  if((r = r_assoc_fetch(d->ctx->session_cache, (char *)lookup_key,
                        lookup_key_len, &msv)))
    ABORT(r);
  msd = (Data *)msv;
  if((r = r_data_create(&d->MS, msd->data, msd->len)))
    ABORT(r);
  CRDUMPD("Restored MS", d->MS);

  switch(ssl->version) {
    case SSLV3_VERSION:
    case TLSV1_VERSION:
    case TLSV11_VERSION:
    case TLSV12_VERSION:
      if((r = ssl_generate_keying_material(ssl, d)))
        ABORT(r);
      break;
    default:
      ABORT(SSL_CANT_DO_CIPHER);
  }

  _status = 0;
abort:
  FREE(lookup_key);
  return _status;
#else
  return 0;
#endif
}

/* Look up the session id in the session cache and generate
   the appropriate keying material */
int ssl_save_session(ssl_obj *ssl, ssl_decoder *d) {
#ifdef OPENSSL
  UCHAR *lookup_key = 0;
  Data *msd = 0;
  int lookup_key_len;
  int r, _status;

  if((r = ssl_create_session_lookup_key(ssl, d->session_id->data,
                                        d->session_id->len, &lookup_key,
                                        (UINT4 *)&lookup_key_len)))
    ABORT(r);
  if((r = r_data_create(&msd, d->MS->data, d->MS->len)))
    ABORT(r);
  if((r = r_assoc_insert(d->ctx->session_cache, (char *)lookup_key,
                         lookup_key_len, (void *)msd, 0,
                         (int (*)(void *))r_data_zfree,
                         R_ASSOC_NEW | R_ASSOC_REPLACE)))
    ABORT(r);

  _status = 0;
abort:
  if(_status) {
    r_data_zfree(msd);
  }
  FREE(lookup_key);
  return _status;
#else
  return 0;
#endif
}

/* This only works with RSA because the other cipher suites
   offer PFS. Yuck. */
int ssl_process_client_key_exchange(ssl_obj *ssl,
                                    ssl_decoder *d,
                                    UCHAR *msg,
                                    int len) {
#ifdef OPENSSL
  int r, _status;
  int i;
  EVP_PKEY *pk;
  const BIGNUM *n;

  /* Remove the master secret if it was there
     to force keying material regeneration in
     case we're renegotiating */
  r_data_destroy(&d->MS);

  if(!d->ctx->ssl_key_log_file || ssl_read_key_log_file(ssl, d) || !d->MS) {
    if(ssl->cs->kex != KEX_RSA)
      return -1;

    if(d->ephemeral_rsa)
      return -1;

    pk = SSL_get_privatekey(d->ctx->ssl);
    if(!pk)
      return -1;

    if(EVP_PKEY_id(pk) != EVP_PKEY_RSA)
      return -1;

    RSA_get0_key(EVP_PKEY_get0_RSA(pk), &n, NULL, NULL);
    if((r = r_data_alloc(&d->PMS, BN_num_bytes(n))))
      ABORT(r);

    i = RSA_private_decrypt(len, msg, d->PMS->data, EVP_PKEY_get0_RSA(pk),
                            RSA_PKCS1_PADDING);

    if(i != 48)
      ABORT(SSL_BAD_PMS);

    d->PMS->len = 48;

    CRDUMPD("PMS", d->PMS);
  }

  switch(ssl->version) {
    case SSLV3_VERSION:
    case TLSV1_VERSION:
    case TLSV11_VERSION:
    case TLSV12_VERSION:
      if((r = ssl_generate_keying_material(ssl, d)))
        ABORT(r);
      break;
    default:
      ABORT(SSL_CANT_DO_CIPHER);
  }

  /* Now store the data in the session cache */
  if((r = ssl_save_session(ssl, d)))
    ABORT(r);

  _status = 0;
abort:
  return _status;
#else
  return 0;
#endif
}

#ifdef OPENSSL
static int tls_P_hash(ssl_obj *ssl,
                      Data *secret,
                      Data *seed,
                      const EVP_MD *md,
                      Data *out) {
  UCHAR *ptr = out->data;
  int left = out->len;
  int tocpy;
  UCHAR *A;
  UCHAR _A[128], tmp[128];
  unsigned int A_l, tmp_l;
  HMAC_CTX *hm = HMAC_CTX_new();

  CRDUMPD("P_hash secret", secret);
  CRDUMPD("P_hash seed", seed);

  A = seed->data;
  A_l = seed->len;

  while(left) {
    HMAC_Init_ex(hm, secret->data, secret->len, md, NULL);
    HMAC_Update(hm, A, A_l);
    HMAC_Final(hm, _A, &A_l);
    A = _A;

    HMAC_Init_ex(hm, secret->data, secret->len, md, NULL);
    HMAC_Update(hm, A, A_l);
    HMAC_Update(hm, seed->data, seed->len);
    HMAC_Final(hm, tmp, &tmp_l);

    tocpy = MIN(left, tmp_l);
    memcpy(ptr, tmp, tocpy);
    ptr += tocpy;
    left -= tocpy;
  }

  HMAC_CTX_free(hm);
  CRDUMPD("P_hash out", out);

  return 0;
}

static int tls_prf(ssl_obj *ssl,
                   Data *secret,
                   char *usage,
                   Data *rnd1,
                   Data *rnd2,
                   Data *out) {
  int r, _status;
  Data *md5_out = 0, *sha_out = 0;
  Data *seed;
  UCHAR *ptr;
  Data *S1 = 0, *S2 = 0;
  int i, S_l;

  if((r = r_data_alloc(&md5_out, MAX(out->len, 16))))
    ABORT(r);
  if((r = r_data_alloc(&sha_out, MAX(out->len, 20))))
    ABORT(r);
  if((r = r_data_alloc(&seed, strlen(usage) + rnd1->len + rnd2->len)))
    ABORT(r);
  ptr = seed->data;
  memcpy(ptr, usage, strlen(usage));
  ptr += strlen(usage);
  memcpy(ptr, rnd1->data, rnd1->len);
  ptr += rnd1->len;
  memcpy(ptr, rnd2->data, rnd2->len);
  ptr += rnd2->len;

  S_l = secret->len / 2 + secret->len % 2;

  if((r = r_data_alloc(&S1, S_l)))
    ABORT(r);
  if((r = r_data_alloc(&S2, S_l)))
    ABORT(r);

  memcpy(S1->data, secret->data, S_l);
  memcpy(S2->data, secret->data + (secret->len - S_l), S_l);

  if((r = tls_P_hash(ssl, S1, seed, EVP_get_digestbyname("MD5"), md5_out)))
    ABORT(r);
  if((r = tls_P_hash(ssl, S2, seed, EVP_get_digestbyname("SHA1"), sha_out)))
    ABORT(r);

  for(i = 0; i < out->len; i++)
    out->data[i] = md5_out->data[i] ^ sha_out->data[i];

  CRDUMPD("PRF out", out);
  _status = 0;
abort:
  r_data_destroy(&md5_out);
  r_data_destroy(&sha_out);
  r_data_destroy(&seed);
  r_data_destroy(&S1);
  r_data_destroy(&S2);
  return _status;
}

static int tls12_prf(ssl_obj *ssl,
                     Data *secret,
                     char *usage,
                     Data *rnd1,
                     Data *rnd2,
                     Data *out)

{
  const EVP_MD *md;
  int r, _status;
  Data *sha_out = 0;
  Data *seed;
  UCHAR *ptr;
  int i, dgi;

  if((r = r_data_alloc(&sha_out, MAX(out->len, 64)))) /* assume max SHA512 */
    ABORT(r);
  if((r = r_data_alloc(&seed, strlen(usage) + rnd1->len + rnd2->len)))
    ABORT(r);
  ptr = seed->data;
  memcpy(ptr, usage, strlen(usage));
  ptr += strlen(usage);
  memcpy(ptr, rnd1->data, rnd1->len);
  ptr += rnd1->len;
  memcpy(ptr, rnd2->data, rnd2->len);
  ptr += rnd2->len;

  /* Earlier versions of openssl didn't have SHA256 of course... */
  dgi = MAX(DIG_SHA256, ssl->cs->dig);
  dgi -= 0x40;
  if((md = EVP_get_digestbyname(digests[dgi])) == NULL) {
    DBG((0, "Cannot get EVP for digest %s, openssl library current?",
         digests[dgi]));
    ERETURN(SSL_BAD_MAC);
  }
  if((r = tls_P_hash(ssl, secret, seed, md, sha_out)))
    ABORT(r);

  for(i = 0; i < out->len; i++)
    out->data[i] = sha_out->data[i];

  CRDUMPD("PRF out", out);
  _status = 0;
abort:
  r_data_destroy(&sha_out);
  r_data_destroy(&seed);
  return _status;
}

static int ssl3_generate_export_iv(ssl_obj *ssl,
                                   Data *r1,
                                   Data *r2,
                                   Data *out) {
  MD5_CTX md5;
  UCHAR tmp[16];

  MD5_Init(&md5);
  MD5_Update(&md5, r1->data, r1->len);
  MD5_Update(&md5, r2->data, r2->len);
  MD5_Final(tmp, &md5);

  memcpy(out->data, tmp, out->len);

  return 0;
}

static int ssl3_prf(ssl_obj *ssl,
                    Data *secret,
                    char *usage,
                    Data *r1,
                    Data *r2,
                    Data *out) {
  MD5_CTX md5;
  SHA_CTX sha;
  Data *rnd1, *rnd2;
  int off;
  int i = 0, j;
  UCHAR buf[20];

  rnd1 = r1;
  rnd2 = r2;

  CRDUMPD("Secret", secret);
  CRDUMPD("RND1", rnd1);
  CRDUMPD("RND2", rnd2);

  MD5_Init(&md5);
  memset(&sha, 0, sizeof(sha));
  SHA1_Init(&sha);

  for(off = 0; off < out->len; off += 16) {
    char outbuf[16];
    int tocpy;
    i++;

    /* A, BB, CCC,  ... */
    for(j = 0; j < i; j++) {
      buf[j] = 64 + i;
    }

    SHA1_Update(&sha, buf, i);
    CRDUMP("BUF", buf, i);
    if(secret)
      SHA1_Update(&sha, secret->data, secret->len);
    CRDUMPD("secret", secret);

    if(!strcmp(usage, "client write key") ||
       !strcmp(usage, "server write key")) {
      SHA1_Update(&sha, rnd2->data, rnd2->len);
      CRDUMPD("rnd2", rnd2);
      SHA1_Update(&sha, rnd1->data, rnd1->len);
      CRDUMPD("rnd1", rnd1);
    } else {
      SHA1_Update(&sha, rnd1->data, rnd1->len);
      CRDUMPD("rnd1", rnd1);
      SHA1_Update(&sha, rnd2->data, rnd2->len);
      CRDUMPD("rnd2", rnd2);
    }

    SHA1_Final(buf, &sha);
    CRDUMP("SHA out", buf, 20);

    SHA1_Init(&sha);

    MD5_Update(&md5, secret->data, secret->len);
    MD5_Update(&md5, buf, 20);
    MD5_Final((unsigned char *)outbuf, &md5);
    tocpy = MIN(out->len - off, 16);
    memcpy(out->data + off, outbuf, tocpy);
    CRDUMP("MD5 out", (UCHAR *)outbuf, 16);

    MD5_Init(&md5);
  }

  return 0;
}

static int ssl_generate_keying_material(ssl_obj *ssl, ssl_decoder *d) {
  Data *key_block = 0, temp;
  UCHAR _iv_c[8], _iv_s[8];
  UCHAR _key_c[16], _key_s[16];
  int needed;
  int r, _status;
  UCHAR *ptr, *c_wk, *s_wk, *c_mk = NULL, *s_mk = NULL, *c_iv = NULL,
                            *s_iv = NULL;

  if(!d->MS) {
    if((r = r_data_alloc(&d->MS, 48)))
      ABORT(r);

    if(ssl->extensions->extended_master_secret == 2) {
      if((r = ssl_generate_session_hash(ssl, d)))
        ABORT(r);

      temp.len = 0;
      if((r = PRF(ssl, d->PMS, "extended master secret", d->session_hash, &temp,
                  d->MS)))
        ABORT(r);
    } else if((r = PRF(ssl, d->PMS, "master secret", d->client_random,
                       d->server_random, d->MS)))
      ABORT(r);

    CRDUMPD("MS", d->MS);
  }

  /* Compute the key block. First figure out how much data
       we need*/
  /* Ideally find a cleaner way to check for AEAD cipher */
  needed = !IS_AEAD_CIPHER(ssl->cs) ? ssl->cs->dig_len * 2 : 0;
  needed += ssl->cs->bits / 4;
  if(ssl->cs->block > 1)
    needed += ssl->cs->block * 2;

  if((r = r_data_alloc(&key_block, needed)))
    ABORT(r);
  if((r = PRF(ssl, d->MS, "key expansion", d->server_random, d->client_random,
              key_block)))
    ABORT(r);

  ptr = key_block->data;
  /* Ideally find a cleaner way to check for AEAD cipher */
  if(!IS_AEAD_CIPHER(ssl->cs)) {
    c_mk = ptr;
    ptr += ssl->cs->dig_len;
    s_mk = ptr;
    ptr += ssl->cs->dig_len;
  }

  c_wk = ptr;
  ptr += ssl->cs->eff_bits / 8;
  s_wk = ptr;
  ptr += ssl->cs->eff_bits / 8;

  if(ssl->cs->block > 1) {
    c_iv = ptr;
    ptr += ssl->cs->block;
    s_iv = ptr;
    ptr += ssl->cs->block;
  }

  if(ssl->cs->export) {
    Data iv_c, iv_s;
    Data key_c, key_s;
    Data k;

    if(ssl->cs->block > 1) {
      ATTACH_DATA(iv_c, _iv_c);
      ATTACH_DATA(iv_s, _iv_s);

      if(ssl->version == SSLV3_VERSION) {
        if((r = ssl3_generate_export_iv(ssl, d->client_random, d->server_random,
                                        &iv_c)))
          ABORT(r);
        if((r = ssl3_generate_export_iv(ssl, d->server_random, d->client_random,
                                        &iv_s)))
          ABORT(r);
      } else {
        UCHAR _iv_block[16];
        Data iv_block;
        Data key_null;
        UCHAR _key_null;

        INIT_DATA(key_null, &_key_null, 0);

        /* We only have room for 8 bit IVs, but that's
           all we should need. This is a sanity check */
        if(ssl->cs->block > 8)
          ABORT(R_INTERNAL);

        ATTACH_DATA(iv_block, _iv_block);

        if((r = PRF(ssl, &key_null, "IV block", d->client_random,
                    d->server_random, &iv_block)))
          ABORT(r);

        memcpy(_iv_c, iv_block.data, 8);
        memcpy(_iv_s, iv_block.data + 8, 8);
      }

      c_iv = _iv_c;
      s_iv = _iv_s;
    }

    if(ssl->version == SSLV3_VERSION) {
      MD5_CTX md5;

      MD5_Init(&md5);
      MD5_Update(&md5, c_wk, ssl->cs->eff_bits / 8);
      MD5_Update(&md5, d->client_random->data, d->client_random->len);
      MD5_Update(&md5, d->server_random->data, d->server_random->len);
      MD5_Final(_key_c, &md5);
      c_wk = _key_c;

      MD5_Init(&md5);
      MD5_Update(&md5, s_wk, ssl->cs->eff_bits / 8);
      MD5_Update(&md5, d->server_random->data, d->server_random->len);
      MD5_Update(&md5, d->client_random->data, d->client_random->len);
      MD5_Final(_key_s, &md5);
      s_wk = _key_s;
    } else {
      ATTACH_DATA(key_c, _key_c);
      ATTACH_DATA(key_s, _key_s);
      INIT_DATA(k, c_wk, ssl->cs->eff_bits / 8);
      if((r = PRF(ssl, &k, "client write key", d->client_random,
                  d->server_random, &key_c)))
        ABORT(r);
      c_wk = _key_c;
      INIT_DATA(k, s_wk, ssl->cs->eff_bits / 8);
      if((r = PRF(ssl, &k, "server write key", d->client_random,
                  d->server_random, &key_s)))
        ABORT(r);
      s_wk = _key_s;
    }
  }

  if(!IS_AEAD_CIPHER(ssl->cs)) {
    CRDUMP("Client MAC key", c_mk, ssl->cs->dig_len);
    CRDUMP("Server MAC key", s_mk, ssl->cs->dig_len);
  }
  CRDUMP("Client Write key", c_wk, ssl->cs->bits / 8);
  CRDUMP("Server Write key", s_wk, ssl->cs->bits / 8);

  if(ssl->cs->block > 1) {
    CRDUMP("Client Write IV", c_iv, ssl->cs->block);
    CRDUMP("Server Write IV", s_iv, ssl->cs->block);
  }

  if((r = ssl_create_rec_decoder(&d->c_to_s_n, ssl, c_mk, c_wk, c_iv)))
    ABORT(r);
  if((r = ssl_create_rec_decoder(&d->s_to_c_n, ssl, s_mk, s_wk, s_iv)))
    ABORT(r);

  _status = 0;
abort:
  if(key_block) {
    r_data_zfree(key_block);
    free(key_block);
  }
  return _status;
}

static int hkdf_expand_label(ssl_obj *ssl,
                             ssl_decoder *d,
                             Data *secret,
                             char *label,
                             Data *context,
                             uint16_t length,
                             UCHAR **out) {
  int r = -1;
  size_t outlen = length;
  EVP_PKEY_CTX *pctx;

  pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);

  Data hkdf_label;
  UCHAR *ptr;

  // Construct HkdfLabel
  hkdf_label.data = ptr = malloc(512);
  *(uint16_t *)ptr = ntohs(length);
  ptr += 2;
  *(uint8_t *)ptr++ = 6 + (label ? strlen(label) : 0);
  memcpy(ptr, "tls13 ", 6);
  ptr += 6;
  if(label) {
    memcpy(ptr, label, strlen(label));
    ptr += strlen(label);
  }
  *(uint8_t *)ptr++ = context ? context->len : 0;
  if(context) {
    memcpy(ptr, context->data, context->len);
    ptr += context->len;
  }
  hkdf_label.len = ptr - hkdf_label.data;
  CRDUMPD("hkdf_label", &hkdf_label);
  // Load parameters
  *out = malloc(length);
  if(EVP_PKEY_derive_init(pctx) <= 0) {
    fprintf(stderr, "EVP_PKEY_derive_init failed\n");
  }
  /* Error */
  if(EVP_PKEY_CTX_hkdf_mode(pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) <= 0) {
    fprintf(stderr, "EVP_PKEY_CTX_hkdf_mode failed\n");
    goto abort;
  }
  if(EVP_PKEY_CTX_set_hkdf_md(
         pctx, EVP_get_digestbyname(digests[ssl->cs->dig - 0x40])) <= 0) {
    fprintf(stderr, "EVP_PKEY_CTX_set_hkdf_md failed\n");
    goto abort;
  }
  if(EVP_PKEY_CTX_set1_hkdf_key(pctx, secret->data, secret->len) <= 0) {
    fprintf(stderr, "EVP_PKEY_CTX_set_hkdf_md failed\n");
    goto abort;
  }
  if(EVP_PKEY_CTX_add1_hkdf_info(pctx, hkdf_label.data, hkdf_label.len) <= 0) {
    fprintf(stderr, "EVP_PKEY_CTX_add1_hkdf_info failed\n");
    goto abort;
  }
  if(EVP_PKEY_derive(pctx, *out, &outlen) <= 0) {
    fprintf(stderr, "EVP_PKEY_derive failed\n");
    goto abort;
  }

  CRDUMP("out_hkdf", *out, outlen);
  return 0;
abort:
  ERR_print_errors_fp(stderr);
  return r;
}

// Will update the keys for the particular direction
int ssl_tls13_update_keying_material(ssl_obj *ssl,
                                     ssl_decoder *d,
                                     int direction) {
  Data *secret;
  ssl_rec_decoder *decoder;
  UCHAR *newsecret;
  UCHAR *newkey;
  UCHAR *newiv;

  if(direction == DIR_I2R) {
    secret = d->CTS;
    decoder = d->c_to_s;
  } else {
    secret = d->STS;
    decoder = d->s_to_c;
  }
  hkdf_expand_label(ssl, d, secret, "traffic upd", NULL, ssl->cs->dig_len,
                    &newsecret);
  secret->data = newsecret;
  hkdf_expand_label(ssl, d, secret, "key", NULL, ssl->cs->eff_bits / 8,
                    &newkey);
  hkdf_expand_label(ssl, d, secret, "iv", NULL, 12, &newiv);
  tls13_update_rec_key(decoder, newkey, newiv);

  return 0;
}

int ssl_tls13_generate_keying_material(ssl_obj *ssl, ssl_decoder *d) {
  int r, _status;
  UCHAR *s_wk_h, *s_iv_h, *c_wk_h, *c_iv_h, *s_wk, *s_iv, *c_wk, *c_iv;
  if(!(d->ctx->ssl_key_log_file && ssl_read_key_log_file(ssl, d) == 0 &&
       d->SHTS && d->CHTS && d->STS && d->CTS)) {
    ABORT(-1);
  }
  // It is 12 for all ciphers
  if(hkdf_expand_label(ssl, d, d->SHTS, "key", NULL, ssl->cs->eff_bits / 8,
                       &s_wk_h)) {
    fprintf(stderr, "s_wk_h hkdf_expand_label failed\n");
    ABORT(-1);
  }
  if(hkdf_expand_label(ssl, d, d->SHTS, "iv", NULL, 12, &s_iv_h)) {
    fprintf(stderr, "s_iv_h hkdf_expand_label failed\n");
    ABORT(-1);
  }
  if(hkdf_expand_label(ssl, d, d->CHTS, "key", NULL, ssl->cs->eff_bits / 8,
                       &c_wk_h)) {
    fprintf(stderr, "c_wk_h hkdf_expand_label failed\n");
    ABORT(-1);
  }
  if(hkdf_expand_label(ssl, d, d->CHTS, "iv", NULL, 12, &c_iv_h)) {
    fprintf(stderr, "c_iv_h hkdf_expand_label failed\n");
    ABORT(-1);
  }
  if(hkdf_expand_label(ssl, d, d->STS, "key", NULL, ssl->cs->eff_bits / 8,
                       &s_wk)) {
    fprintf(stderr, "s_wk hkdf_expand_label failed\n");
    ABORT(-1);
  }
  if(hkdf_expand_label(ssl, d, d->STS, "iv", NULL, 12, &s_iv)) {
    fprintf(stderr, "s_iv hkdf_expand_label failed\n");
    ABORT(-1);
  }
  if(hkdf_expand_label(ssl, d, d->CTS, "key", NULL, ssl->cs->eff_bits / 8,
                       &c_wk)) {
    fprintf(stderr, "c_wk hkdf_expand_label failed\n");
    ABORT(-1);
  }
  if(hkdf_expand_label(ssl, d, d->CTS, "iv", NULL, 12, &c_iv)) {
    fprintf(stderr, "c_iv hkdf_expand_label failed\n");
    ABORT(-1);
  }
  CRDUMP("Server Handshake Write key", s_wk_h, ssl->cs->eff_bits / 8);
  CRDUMP("Server Handshake IV", s_iv_h, 12);
  CRDUMP("Client Handshake Write key", c_wk_h, ssl->cs->eff_bits / 8);
  CRDUMP("Client Handshake IV", c_iv_h, 12);
  CRDUMP("Server Write key", s_wk, ssl->cs->eff_bits / 8);
  CRDUMP("Server IV", s_iv, 12);
  CRDUMP("Client Write key", c_wk, ssl->cs->eff_bits / 8);
  CRDUMP("Client IV", c_iv, 12);

  if((r = ssl_create_rec_decoder(&d->c_to_s_n, ssl, NULL, c_wk, c_iv)))
    ABORT(r);
  if((r = ssl_create_rec_decoder(&d->s_to_c_n, ssl, NULL, s_wk, s_iv)))
    ABORT(r);
  if((r = ssl_create_rec_decoder(&d->c_to_s, ssl, NULL, c_wk_h, c_iv_h)))
    ABORT(r);
  if((r = ssl_create_rec_decoder(&d->s_to_c, ssl, NULL, s_wk_h, s_iv_h)))
    ABORT(r);
  return 0;
abort:
  return _status;
}

static int ssl_generate_session_hash(ssl_obj *ssl, ssl_decoder *d) {
  int r, _status, dgi;
  unsigned int len;
  const EVP_MD *md;
  EVP_MD_CTX *dgictx = EVP_MD_CTX_create();

  if((r = r_data_alloc(&d->session_hash, EVP_MAX_MD_SIZE)))
    ABORT(r);

  switch(ssl->version) {
    case TLSV12_VERSION:
      dgi = MAX(DIG_SHA256, ssl->cs->dig) - 0x40;
      if((md = EVP_get_digestbyname(digests[dgi])) == NULL) {
        DBG((0, "Cannot get EVP for digest %s, openssl library current?",
             digests[dgi]));
        ERETURN(SSL_BAD_MAC);
      }

      EVP_DigestInit(dgictx, md);
      EVP_DigestUpdate(dgictx, d->handshake_messages->data,
                       d->handshake_messages->len);
      EVP_DigestFinal(dgictx, d->session_hash->data,
                      (unsigned int *)&d->session_hash->len);

      break;
    case SSLV3_VERSION:
    case TLSV1_VERSION:
    case TLSV11_VERSION:
      EVP_DigestInit(dgictx, EVP_get_digestbyname("MD5"));
      EVP_DigestUpdate(dgictx, d->handshake_messages->data,
                       d->handshake_messages->len);
      EVP_DigestFinal_ex(dgictx, d->session_hash->data,
                         (unsigned int *)&d->session_hash->len);

      EVP_DigestInit(dgictx, EVP_get_digestbyname("SHA1"));
      EVP_DigestUpdate(dgictx, d->handshake_messages->data,
                       d->handshake_messages->len);
      EVP_DigestFinal(dgictx, d->session_hash->data + d->session_hash->len,
                      &len);

      d->session_hash->len += len;
      break;
    default:
      ABORT(SSL_CANT_DO_CIPHER);
  }

  _status = 0;
abort:
  return _status;
}

static int read_hex_string(char *str, UCHAR *buf, int n) {
  unsigned int t;
  int i;
  for(i = 0; i < n; i++) {
    if(sscanf(str + i * 2, "%02x", &t) != 1)
      return -1;
    buf[i] = (char)t;
  }
  return 0;
}
static int ssl_read_key_log_file(ssl_obj *ssl, ssl_decoder *d) {
  int r = -1;
  int _status, n, i;
  size_t l = 0;
  char *line, *d_client_random, *label, *client_random, *secret;
  if(ssl->version == TLSV13_VERSION &&
     !ssl->cs)  // ssl->cs is not set when called from
                // ssl_process_client_session_id
    ABORT(r);
  if(!(d_client_random = malloc((d->client_random->len * 2) + 1)))
    ABORT(r);
  for(i = 0; i < d->client_random->len; i++)
    if(snprintf(d_client_random + (i * 2), 3, "%02x",
                d->client_random->data[i]) != 2)
      ABORT(r);
  while((n = getline(&line, &l, d->ctx->ssl_key_log_file)) != -1) {
    if(line[n - 1] == '\n')
      line[n - 1] = '\0';
    if(!(label = strtok(line, " ")))
      continue;
    if(!(client_random = strtok(NULL, " ")) || strlen(client_random) != 64 ||
       STRNICMP(client_random, d_client_random, 64))
      continue;
    secret = strtok(NULL, " ");
    if(!(secret) ||
       strlen(secret) !=
           (ssl->version == TLSV13_VERSION ? ssl->cs->dig_len * 2 : 96))
      continue;
    if(!strncmp(label, "CLIENT_RANDOM", 13)) {
      if((r = r_data_alloc(&d->MS, 48)))
        ABORT(r);
      if(read_hex_string(secret, d->MS->data, 48))
        ABORT(r);
    }
    if(ssl->version != TLSV13_VERSION)
      continue;
    if(!strncmp(label, "SERVER_HANDSHAKE_TRAFFIC_SECRET", 31)) {
      if((r = r_data_alloc(&d->SHTS, ssl->cs->dig_len)))
        ABORT(r);
      if(read_hex_string(secret, d->SHTS->data, ssl->cs->dig_len))
        ABORT(r);
    } else if(!strncmp(label, "CLIENT_HANDSHAKE_TRAFFIC_SECRET", 31)) {
      if((r = r_data_alloc(&d->CHTS, ssl->cs->dig_len)))
        ABORT(r);
      if(read_hex_string(secret, d->CHTS->data, ssl->cs->dig_len))
        ABORT(r);
    } else if(!strncmp(label, "SERVER_TRAFFIC_SECRET_0", 23)) {
      if((r = r_data_alloc(&d->STS, ssl->cs->dig_len)))
        ABORT(r);
      if(read_hex_string(secret, d->STS->data, ssl->cs->dig_len))
        ABORT(r);
    } else if(!strncmp(label, "CLIENT_TRAFFIC_SECRET_0", 23)) {
      if((r = r_data_alloc(&d->CTS, ssl->cs->dig_len)))
        ABORT(r);
      if(read_hex_string(secret, d->CTS->data, ssl->cs->dig_len))
        ABORT(r);
    }
    /*
       Eventually add support for other labels defined here:
       https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
    */
  }
  _status = 0;
abort:
  if(d->ctx->ssl_key_log_file != NULL)
    fseek(d->ctx->ssl_key_log_file, 0, SEEK_SET);
  return _status;
}
#endif