summaryrefslogtreecommitdiff
path: root/src/lib/libssl/t1_enc.c
diff options
context:
space:
mode:
authormiod <>2014-04-13 15:16:40 +0000
committermiod <>2014-04-13 15:16:40 +0000
commit52628ee3f51f011b463aaedb1a28aa0524b43cb3 (patch)
tree4bd2adeac981051908ec5756401424bbb4e57d6a /src/lib/libssl/t1_enc.c
parent40c22d3625a3818690c889ed6216fedf2be522c9 (diff)
downloadopenbsd-52628ee3f51f011b463aaedb1a28aa0524b43cb3.tar.gz
openbsd-52628ee3f51f011b463aaedb1a28aa0524b43cb3.tar.bz2
openbsd-52628ee3f51f011b463aaedb1a28aa0524b43cb3.zip
Import OpenSSL 1.0.1g
Diffstat (limited to 'src/lib/libssl/t1_enc.c')
-rw-r--r--src/lib/libssl/t1_enc.c190
1 files changed, 94 insertions, 96 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index f7bdeb3b9d..0c4cddedf8 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -361,7 +361,7 @@ int tls1_change_cipher_state(SSL *s, int which)
361 { 361 {
362 int i; 362 int i;
363 for (i=0; i<s->s3->tmp.key_block_length; i++) 363 for (i=0; i<s->s3->tmp.key_block_length; i++)
364 printf("%02x", key_block[i]); printf("\n"); 364 printf("%02x", s->s3->tmp.key_block[i]); printf("\n");
365 } 365 }
366#endif /* KSSL_DEBUG */ 366#endif /* KSSL_DEBUG */
367 367
@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
415 else 415 else
416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
417 if (s->enc_write_ctx != NULL) 417 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
418 reuse_dd = 1; 418 reuse_dd = 1;
419 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 419 else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
420 goto err; 420 goto err;
421 else
422 /* make sure it's intialized in case we exit later with an error */
423 EVP_CIPHER_CTX_init(s->enc_write_ctx);
424 dd= s->enc_write_ctx; 421 dd= s->enc_write_ctx;
425 mac_ctx = ssl_replace_hash(&s->write_hash,NULL); 422 if (SSL_IS_DTLS(s))
423 {
424 mac_ctx = EVP_MD_CTX_create();
425 if (!mac_ctx)
426 goto err;
427 s->write_hash = mac_ctx;
428 }
429 else
430 mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
426#ifndef OPENSSL_NO_COMP 431#ifndef OPENSSL_NO_COMP
427 if (s->compress != NULL) 432 if (s->compress != NULL)
428 { 433 {
@@ -667,12 +672,21 @@ err:
667 return(ret); 672 return(ret);
668 } 673 }
669 674
675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
676 *
677 * Returns:
678 * 0: (in non-constant time) if the record is publically invalid (i.e. too
679 * short etc).
680 * 1: if the record's padding is valid / the encryption was successful.
681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682 * an internal error occured.
683 */
670int tls1_enc(SSL *s, int send) 684int tls1_enc(SSL *s, int send)
671 { 685 {
672 SSL3_RECORD *rec; 686 SSL3_RECORD *rec;
673 EVP_CIPHER_CTX *ds; 687 EVP_CIPHER_CTX *ds;
674 unsigned long l; 688 unsigned long l;
675 int bs,i,ii,j,k,pad=0; 689 int bs,i,j,k,pad=0,ret,mac_size=0;
676 const EVP_CIPHER *enc; 690 const EVP_CIPHER *enc;
677 691
678 if (send) 692 if (send)
@@ -729,11 +743,11 @@ int tls1_enc(SSL *s, int send)
729 printf("tls1_enc(%d)\n", send); 743 printf("tls1_enc(%d)\n", send);
730#endif /* KSSL_DEBUG */ 744#endif /* KSSL_DEBUG */
731 745
732 if ((s->session == NULL) || (ds == NULL) || 746 if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
733 (enc == NULL))
734 { 747 {
735 memmove(rec->data,rec->input,rec->length); 748 memmove(rec->data,rec->input,rec->length);
736 rec->input=rec->data; 749 rec->input=rec->data;
750 ret = 1;
737 } 751 }
738 else 752 else
739 { 753 {
@@ -797,13 +811,13 @@ int tls1_enc(SSL *s, int send)
797 811
798#ifdef KSSL_DEBUG 812#ifdef KSSL_DEBUG
799 { 813 {
800 unsigned long ui; 814 unsigned long ui;
801 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 815 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
802 ds,rec->data,rec->input,l); 816 ds,rec->data,rec->input,l);
803 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 817 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
804 ds->buf_len, ds->cipher->key_len, 818 ds->buf_len, ds->cipher->key_len,
805 DES_KEY_SZ, DES_SCHEDULE_SZ, 819 DES_KEY_SZ, DES_SCHEDULE_SZ,
806 ds->cipher->iv_len); 820 ds->cipher->iv_len);
807 printf("\t\tIV: "); 821 printf("\t\tIV: ");
808 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 822 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
809 printf("\n"); 823 printf("\n");
@@ -816,13 +830,7 @@ int tls1_enc(SSL *s, int send)
816 if (!send) 830 if (!send)
817 { 831 {
818 if (l == 0 || l%bs != 0) 832 if (l == 0 || l%bs != 0)
819 {
820 if (s->version >= TLS1_1_VERSION)
821 return -1;
822 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
823 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
824 return 0; 833 return 0;
825 }
826 } 834 }
827 835
828 i = EVP_Cipher(ds,rec->data,rec->input,l); 836 i = EVP_Cipher(ds,rec->data,rec->input,l);
@@ -839,68 +847,24 @@ int tls1_enc(SSL *s, int send)
839 847
840#ifdef KSSL_DEBUG 848#ifdef KSSL_DEBUG
841 { 849 {
842 unsigned long i; 850 unsigned long i;
843 printf("\trec->data="); 851 printf("\trec->data=");
844 for (i=0; i<l; i++) 852 for (i=0; i<l; i++)
845 printf(" %02x", rec->data[i]); printf("\n"); 853 printf(" %02x", rec->data[i]); printf("\n");
846 } 854 }
847#endif /* KSSL_DEBUG */ 855#endif /* KSSL_DEBUG */
848 856
857 ret = 1;
858 if (EVP_MD_CTX_md(s->read_hash) != NULL)
859 mac_size = EVP_MD_CTX_size(s->read_hash);
849 if ((bs != 1) && !send) 860 if ((bs != 1) && !send)
850 { 861 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
851 ii=i=rec->data[l-1]; /* padding_length */
852 i++;
853 /* NB: if compression is in operation the first packet
854 * may not be of even length so the padding bug check
855 * cannot be performed. This bug workaround has been
856 * around since SSLeay so hopefully it is either fixed
857 * now or no buggy implementation supports compression
858 * [steve]
859 */
860 if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
861 && !s->expand)
862 {
863 /* First packet is even in size, so check */
864 if ((memcmp(s->s3->read_sequence,
865 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
866 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
867 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
868 i--;
869 }
870 /* TLS 1.0 does not bound the number of padding bytes by the block size.
871 * All of them must have value 'padding_length'. */
872 if (i > (int)rec->length)
873 {
874 /* Incorrect padding. SSLerr() and ssl3_alert are done
875 * by caller: we don't want to reveal whether this is
876 * a decryption error or a MAC verification failure
877 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
878 return -1;
879 }
880 for (j=(int)(l-i); j<(int)l; j++)
881 {
882 if (rec->data[j] != ii)
883 {
884 /* Incorrect padding */
885 return -1;
886 }
887 }
888 rec->length -=i;
889 if (s->version >= TLS1_1_VERSION
890 && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
891 {
892 if (bs > (int)rec->length)
893 return -1;
894 rec->data += bs; /* skip the explicit IV */
895 rec->input += bs;
896 rec->length -= bs;
897 }
898 }
899 if (pad && !send) 862 if (pad && !send)
900 rec->length -= pad; 863 rec->length -= pad;
901 } 864 }
902 return(1); 865 return ret;
903 } 866 }
867
904int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) 868int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
905 { 869 {
906 unsigned int ret; 870 unsigned int ret;
@@ -956,18 +920,19 @@ int tls1_final_finish_mac(SSL *s,
956 if (mask & ssl_get_algorithm2(s)) 920 if (mask & ssl_get_algorithm2(s))
957 { 921 {
958 int hashsize = EVP_MD_size(md); 922 int hashsize = EVP_MD_size(md);
959 if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) 923 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
924 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
960 { 925 {
961 /* internal error: 'buf' is too small for this cipersuite! */ 926 /* internal error: 'buf' is too small for this cipersuite! */
962 err = 1; 927 err = 1;
963 } 928 }
964 else 929 else
965 { 930 {
966 EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); 931 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
967 EVP_DigestFinal_ex(&ctx,q,&i); 932 !EVP_DigestFinal_ex(&ctx,q,&i) ||
968 if (i != (unsigned int)hashsize) /* can't really happen */ 933 (i != (unsigned int)hashsize))
969 err = 1; 934 err = 1;
970 q+=i; 935 q+=hashsize;
971 } 936 }
972 } 937 }
973 } 938 }
@@ -990,10 +955,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
990 SSL3_RECORD *rec; 955 SSL3_RECORD *rec;
991 unsigned char *seq; 956 unsigned char *seq;
992 EVP_MD_CTX *hash; 957 EVP_MD_CTX *hash;
993 size_t md_size; 958 size_t md_size, orig_len;
994 int i; 959 int i;
995 EVP_MD_CTX hmac, *mac_ctx; 960 EVP_MD_CTX hmac, *mac_ctx;
996 unsigned char buf[5]; 961 unsigned char header[13];
997 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); 962 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
998 int t; 963 int t;
999 964
@@ -1014,12 +979,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1014 OPENSSL_assert(t >= 0); 979 OPENSSL_assert(t >= 0);
1015 md_size=t; 980 md_size=t;
1016 981
1017 buf[0]=rec->type;
1018 buf[1]=(unsigned char)(ssl->version>>8);
1019 buf[2]=(unsigned char)(ssl->version);
1020 buf[3]=rec->length>>8;
1021 buf[4]=rec->length&0xff;
1022
1023 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 982 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1024 if (stream_mac) 983 if (stream_mac)
1025 { 984 {
@@ -1027,7 +986,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1027 } 986 }
1028 else 987 else
1029 { 988 {
1030 EVP_MD_CTX_copy(&hmac,hash); 989 if (!EVP_MD_CTX_copy(&hmac,hash))
990 return -1;
1031 mac_ctx = &hmac; 991 mac_ctx = &hmac;
1032 } 992 }
1033 993
@@ -1038,17 +998,55 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1038 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); 998 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
1039 memcpy (p,&seq[2],6); 999 memcpy (p,&seq[2],6);
1040 1000
1041 EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); 1001 memcpy(header, dtlsseq, 8);
1042 } 1002 }
1043 else 1003 else
1044 EVP_DigestSignUpdate(mac_ctx,seq,8); 1004 memcpy(header, seq, 8);
1005
1006 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
1007 orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
1008 rec->type &= 0xff;
1045 1009
1046 EVP_DigestSignUpdate(mac_ctx,buf,5); 1010 header[8]=rec->type;
1047 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); 1011 header[9]=(unsigned char)(ssl->version>>8);
1048 t=EVP_DigestSignFinal(mac_ctx,md,&md_size); 1012 header[10]=(unsigned char)(ssl->version);
1049 OPENSSL_assert(t > 0); 1013 header[11]=(rec->length)>>8;
1014 header[12]=(rec->length)&0xff;
1015
1016 if (!send &&
1017 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1018 ssl3_cbc_record_digest_supported(mac_ctx))
1019 {
1020 /* This is a CBC-encrypted record. We must avoid leaking any
1021 * timing-side channel information about how many blocks of
1022 * data we are hashing because that gives an attacker a
1023 * timing-oracle. */
1024 ssl3_cbc_digest_record(
1025 mac_ctx,
1026 md, &md_size,
1027 header, rec->input,
1028 rec->length + md_size, orig_len,
1029 ssl->s3->read_mac_secret,
1030 ssl->s3->read_mac_secret_size,
1031 0 /* not SSLv3 */);
1032 }
1033 else
1034 {
1035 EVP_DigestSignUpdate(mac_ctx,header,sizeof(header));
1036 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
1037 t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
1038 OPENSSL_assert(t > 0);
1039#ifdef OPENSSL_FIPS
1040 if (!send && FIPS_mode())
1041 tls_fips_digest_extra(
1042 ssl->enc_read_ctx,
1043 mac_ctx, rec->input,
1044 rec->length, orig_len);
1045#endif
1046 }
1050 1047
1051 if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); 1048 if (!stream_mac)
1049 EVP_MD_CTX_cleanup(&hmac);
1052#ifdef TLS_DEBUG 1050#ifdef TLS_DEBUG
1053printf("sec="); 1051printf("sec=");
1054{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 1052{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-01 08:13:27 +0000