summaryrefslogtreecommitdiff
path: root/src/lib/libssl/t1_enc.c
diff options
context:
space:
mode:
authormarkus <>2002-09-05 12:51:50 +0000
committermarkus <>2002-09-05 12:51:50 +0000
commit15b5d84f9da2ce4bfae8580e56e34a859f74ad71 (patch)
treebf939e82d7fd73cc8a01cf6959002209972091bc /src/lib/libssl/t1_enc.c
parent027351f729b9e837200dae6e1520cda6577ab930 (diff)
downloadopenbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.tar.gz
openbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.tar.bz2
openbsd-15b5d84f9da2ce4bfae8580e56e34a859f74ad71.zip
import openssl-0.9.7-beta1
Diffstat (limited to 'src/lib/libssl/t1_enc.c')
-rw-r--r--src/lib/libssl/t1_enc.c418
1 files changed, 293 insertions, 125 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index fbdd3bffb5..b80525f3ba 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -55,20 +55,70 @@
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
58 111
59#include <stdio.h> 112#include <stdio.h>
60#include "evp.h" 113#include <openssl/comp.h>
61#include "hmac.h" 114#include <openssl/evp.h>
115#include <openssl/hmac.h>
62#include "ssl_locl.h" 116#include "ssl_locl.h"
117#include <openssl/md5.h>
63 118
64static void tls1_P_hash(md,sec,sec_len,seed,seed_len,out,olen) 119static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
65EVP_MD *md; 120 int sec_len, unsigned char *seed, int seed_len,
66unsigned char *sec; 121 unsigned char *out, int olen)
67int sec_len;
68unsigned char *seed;
69int seed_len;
70unsigned char *out;
71int olen;
72 { 122 {
73 int chunk,n; 123 int chunk,n;
74 unsigned int j; 124 unsigned int j;
@@ -79,16 +129,20 @@ int olen;
79 129
80 chunk=EVP_MD_size(md); 130 chunk=EVP_MD_size(md);
81 131
82 HMAC_Init(&ctx,sec,sec_len,md); 132 HMAC_CTX_init(&ctx);
133 HMAC_CTX_init(&ctx_tmp);
134 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
135 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
83 HMAC_Update(&ctx,seed,seed_len); 136 HMAC_Update(&ctx,seed,seed_len);
84 HMAC_Final(&ctx,A1,&A1_len); 137 HMAC_Final(&ctx,A1,&A1_len);
85 138
86 n=0; 139 n=0;
87 for (;;) 140 for (;;)
88 { 141 {
89 HMAC_Init(&ctx,NULL,0,NULL); /* re-init */ 142 HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
143 HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
90 HMAC_Update(&ctx,A1,A1_len); 144 HMAC_Update(&ctx,A1,A1_len);
91 memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */ 145 HMAC_Update(&ctx_tmp,A1,A1_len);
92 HMAC_Update(&ctx,seed,seed_len); 146 HMAC_Update(&ctx,seed,seed_len);
93 147
94 if (olen > chunk) 148 if (olen > chunk)
@@ -105,24 +159,18 @@ int olen;
105 break; 159 break;
106 } 160 }
107 } 161 }
108 HMAC_cleanup(&ctx); 162 HMAC_CTX_cleanup(&ctx);
109 HMAC_cleanup(&ctx_tmp); 163 HMAC_CTX_cleanup(&ctx_tmp);
110 memset(A1,0,sizeof(A1)); 164 memset(A1,0,sizeof(A1));
111 } 165 }
112 166
113static void tls1_PRF(md5,sha1,label,label_len,sec,slen,out1,out2,olen) 167static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
114EVP_MD *md5; 168 unsigned char *label, int label_len,
115EVP_MD *sha1; 169 const unsigned char *sec, int slen, unsigned char *out1,
116unsigned char *label; 170 unsigned char *out2, int olen)
117int label_len;
118unsigned char *sec;
119int slen;
120unsigned char *out1;
121unsigned char *out2;
122int olen;
123 { 171 {
124 int len,i; 172 int len,i;
125 unsigned char *S1,*S2; 173 const unsigned char *S1,*S2;
126 174
127 len=slen/2; 175 len=slen/2;
128 S1=sec; 176 S1=sec;
@@ -137,10 +185,8 @@ int olen;
137 out1[i]^=out2[i]; 185 out1[i]^=out2[i];
138 } 186 }
139 187
140static void tls1_generate_key_block(s,km,tmp,num) 188static void tls1_generate_key_block(SSL *s, unsigned char *km,
141SSL *s; 189 unsigned char *tmp, int num)
142unsigned char *km,*tmp;
143int num;
144 { 190 {
145 unsigned char *p; 191 unsigned char *p;
146 unsigned char buf[SSL3_RANDOM_SIZE*2+ 192 unsigned char buf[SSL3_RANDOM_SIZE*2+
@@ -155,15 +201,25 @@ int num;
155 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 201 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
156 p+=SSL3_RANDOM_SIZE; 202 p+=SSL3_RANDOM_SIZE;
157 203
158 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf, 204 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
159 s->session->master_key,s->session->master_key_length, 205 s->session->master_key,s->session->master_key_length,
160 km,tmp,num); 206 km,tmp,num);
207#ifdef KSSL_DEBUG
208 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
209 s->session->master_key_length);
210 {
211 int i;
212 for (i=0; i < s->session->master_key_length; i++)
213 {
214 printf("%02X", s->session->master_key[i]);
215 }
216 printf("\n"); }
217#endif /* KSSL_DEBUG */
161 } 218 }
162 219
163int tls1_change_cipher_state(s,which) 220int tls1_change_cipher_state(SSL *s, int which)
164SSL *s;
165int which;
166 { 221 {
222 static const unsigned char empty[]="";
167 unsigned char *p,*key_block,*mac_secret; 223 unsigned char *p,*key_block,*mac_secret;
168 unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ 224 unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
169 SSL3_RANDOM_SIZE*2]; 225 SSL3_RANDOM_SIZE*2];
@@ -174,47 +230,103 @@ int which;
174 unsigned char *ms,*key,*iv,*er1,*er2; 230 unsigned char *ms,*key,*iv,*er1,*er2;
175 int client_write; 231 int client_write;
176 EVP_CIPHER_CTX *dd; 232 EVP_CIPHER_CTX *dd;
177 EVP_CIPHER *c; 233 const EVP_CIPHER *c;
178 SSL_COMPRESSION *comp; 234 const SSL_COMP *comp;
179 EVP_MD *m; 235 const EVP_MD *m;
180 int exp,n,i,j,k,exp_label_len; 236 int is_export,n,i,j,k,exp_label_len,cl;
237 int reuse_dd = 0;
181 238
182 exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0; 239 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
183 c=s->s3->tmp.new_sym_enc; 240 c=s->s3->tmp.new_sym_enc;
184 m=s->s3->tmp.new_hash; 241 m=s->s3->tmp.new_hash;
185 comp=s->s3->tmp.new_compression; 242 comp=s->s3->tmp.new_compression;
186 key_block=s->s3->tmp.key_block; 243 key_block=s->s3->tmp.key_block;
187 244
245#ifdef KSSL_DEBUG
246 printf("tls1_change_cipher_state(which= %d) w/\n", which);
247 printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
248 comp);
249 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
250 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
251 c->nid,c->block_size,c->key_len,c->iv_len);
252 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
253 {
254 int i;
255 for (i=0; i<s->s3->tmp.key_block_length; i++)
256 printf("%02x", key_block[i]); printf("\n");
257 }
258#endif /* KSSL_DEBUG */
259
188 if (which & SSL3_CC_READ) 260 if (which & SSL3_CC_READ)
189 { 261 {
190 if ((s->enc_read_ctx == NULL) && 262 if (s->enc_read_ctx != NULL)
191 ((s->enc_read_ctx=(EVP_CIPHER_CTX *) 263 reuse_dd = 1;
192 Malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) 264 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
193 goto err; 265 goto err;
194 dd= s->enc_read_ctx; 266 dd= s->enc_read_ctx;
195 s->read_hash=m; 267 s->read_hash=m;
196 s->read_compression=comp; 268 if (s->expand != NULL)
269 {
270 COMP_CTX_free(s->expand);
271 s->expand=NULL;
272 }
273 if (comp != NULL)
274 {
275 s->expand=COMP_CTX_new(comp->method);
276 if (s->expand == NULL)
277 {
278 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
279 goto err2;
280 }
281 if (s->s3->rrec.comp == NULL)
282 s->s3->rrec.comp=(unsigned char *)
283 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
284 if (s->s3->rrec.comp == NULL)
285 goto err;
286 }
197 memset(&(s->s3->read_sequence[0]),0,8); 287 memset(&(s->s3->read_sequence[0]),0,8);
198 mac_secret= &(s->s3->read_mac_secret[0]); 288 mac_secret= &(s->s3->read_mac_secret[0]);
199 } 289 }
200 else 290 else
201 { 291 {
292 if (s->enc_write_ctx != NULL)
293 reuse_dd = 1;
294 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
295 goto err;
202 if ((s->enc_write_ctx == NULL) && 296 if ((s->enc_write_ctx == NULL) &&
203 ((s->enc_write_ctx=(EVP_CIPHER_CTX *) 297 ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
204 Malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) 298 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
205 goto err; 299 goto err;
206 dd= s->enc_write_ctx; 300 dd= s->enc_write_ctx;
207 s->write_hash=m; 301 s->write_hash=m;
208 s->write_compression=comp; 302 if (s->compress != NULL)
303 {
304 COMP_CTX_free(s->compress);
305 s->compress=NULL;
306 }
307 if (comp != NULL)
308 {
309 s->compress=COMP_CTX_new(comp->method);
310 if (s->compress == NULL)
311 {
312 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
313 goto err2;
314 }
315 }
209 memset(&(s->s3->write_sequence[0]),0,8); 316 memset(&(s->s3->write_sequence[0]),0,8);
210 mac_secret= &(s->s3->write_mac_secret[0]); 317 mac_secret= &(s->s3->write_mac_secret[0]);
211 } 318 }
212 319
320 if (reuse_dd)
321 EVP_CIPHER_CTX_cleanup(dd);
213 EVP_CIPHER_CTX_init(dd); 322 EVP_CIPHER_CTX_init(dd);
214 323
215 p=s->s3->tmp.key_block; 324 p=s->s3->tmp.key_block;
216 i=EVP_MD_size(m); 325 i=EVP_MD_size(m);
217 j=(exp)?5:EVP_CIPHER_key_length(c); 326 cl=EVP_CIPHER_key_length(c);
327 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
328 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
329 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
218 k=EVP_CIPHER_iv_length(c); 330 k=EVP_CIPHER_iv_length(c);
219 er1= &(s->s3->client_random[0]); 331 er1= &(s->s3->client_random[0]);
220 er2= &(s->s3->server_random[0]); 332 er2= &(s->s3->server_random[0]);
@@ -241,7 +353,7 @@ int which;
241 353
242 if (n > s->s3->tmp.key_block_length) 354 if (n > s->s3->tmp.key_block_length)
243 { 355 {
244 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR); 356 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
245 goto err2; 357 goto err2;
246 } 358 }
247 359
@@ -250,7 +362,7 @@ int which;
250printf("which = %04X\nmac key=",which); 362printf("which = %04X\nmac key=",which);
251{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 363{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
252#endif 364#endif
253 if (exp) 365 if (is_export)
254 { 366 {
255 /* In here I set both the read and write key/iv to the 367 /* In here I set both the read and write key/iv to the
256 * same value since only the correct one will be used :-). 368 * same value since only the correct one will be used :-).
@@ -262,8 +374,8 @@ printf("which = %04X\nmac key=",which);
262 p+=SSL3_RANDOM_SIZE; 374 p+=SSL3_RANDOM_SIZE;
263 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 375 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
264 p+=SSL3_RANDOM_SIZE; 376 p+=SSL3_RANDOM_SIZE;
265 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,key,j, 377 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
266 tmp1,tmp2,EVP_CIPHER_key_length(c)); 378 tmp1,tmp2,EVP_CIPHER_key_length(c));
267 key=tmp1; 379 key=tmp1;
268 380
269 if (k > 0) 381 if (k > 0)
@@ -276,8 +388,8 @@ printf("which = %04X\nmac key=",which);
276 p+=SSL3_RANDOM_SIZE; 388 p+=SSL3_RANDOM_SIZE;
277 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 389 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
278 p+=SSL3_RANDOM_SIZE; 390 p+=SSL3_RANDOM_SIZE;
279 tls1_PRF(s->ctx->md5,s->ctx->sha1, 391 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
280 buf,p-buf,"",0,iv1,iv2,k*2); 392 iv1,iv2,k*2);
281 if (client_write) 393 if (client_write)
282 iv=iv1; 394 iv=iv1;
283 else 395 else
@@ -286,8 +398,18 @@ printf("which = %04X\nmac key=",which);
286 } 398 }
287 399
288 s->session->key_arg_length=0; 400 s->session->key_arg_length=0;
401#ifdef KSSL_DEBUG
402 {
403 int i;
404 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
405 printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
406 printf("\n");
407 printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
408 printf("\n");
409 }
410#endif /* KSSL_DEBUG */
289 411
290 EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE)); 412 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
291#ifdef TLS_DEBUG 413#ifdef TLS_DEBUG
292printf("which = %04X\nkey=",which); 414printf("which = %04X\nkey=",which);
293{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 415{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
@@ -307,18 +429,22 @@ err2:
307 return(0); 429 return(0);
308 } 430 }
309 431
310int tls1_setup_key_block(s) 432int tls1_setup_key_block(SSL *s)
311SSL *s;
312 { 433 {
313 unsigned char *p1,*p2; 434 unsigned char *p1,*p2;
314 EVP_CIPHER *c; 435 const EVP_CIPHER *c;
315 EVP_MD *hash; 436 const EVP_MD *hash;
316 int num,exp; 437 int num;
438 SSL_COMP *comp;
439
440#ifdef KSSL_DEBUG
441 printf ("tls1_setup_key_block()\n");
442#endif /* KSSL_DEBUG */
317 443
318 if (s->s3->tmp.key_block_length != 0) 444 if (s->s3->tmp.key_block_length != 0)
319 return(1); 445 return(1);
320 446
321 if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash)) 447 if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
322 { 448 {
323 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 449 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
324 return(0); 450 return(0);
@@ -327,16 +453,14 @@ SSL *s;
327 s->s3->tmp.new_sym_enc=c; 453 s->s3->tmp.new_sym_enc=c;
328 s->s3->tmp.new_hash=hash; 454 s->s3->tmp.new_hash=hash;
329 455
330 exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
331
332 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); 456 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
333 num*=2; 457 num*=2;
334 458
335 ssl3_cleanup_key_block(s); 459 ssl3_cleanup_key_block(s);
336 460
337 if ((p1=(unsigned char *)Malloc(num)) == NULL) 461 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
338 goto err; 462 goto err;
339 if ((p2=(unsigned char *)Malloc(num)) == NULL) 463 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
340 goto err; 464 goto err;
341 465
342 s->s3->tmp.key_block_length=num; 466 s->s3->tmp.key_block_length=num;
@@ -353,28 +477,33 @@ printf("pre-master\n");
353#endif 477#endif
354 tls1_generate_key_block(s,p1,p2,num); 478 tls1_generate_key_block(s,p1,p2,num);
355 memset(p2,0,num); 479 memset(p2,0,num);
356 Free(p2); 480 OPENSSL_free(p2);
357#ifdef TLS_DEBUG 481#ifdef TLS_DEBUG
358printf("\nkey block\n"); 482printf("\nkey block\n");
359{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 483{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
360#endif 484#endif
361 485
486 /* enable vulnerability countermeasure for CBC ciphers with
487 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
488 s->s3->need_empty_fragments = 1;
489#ifndef NO_RC4
490 if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
491 s->s3->need_empty_fragments = 0;
492#endif
493
362 return(1); 494 return(1);
363err: 495err:
364 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); 496 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
365 return(0); 497 return(0);
366 } 498 }
367 499
368int tls1_enc(s,send) 500int tls1_enc(SSL *s, int send)
369SSL *s;
370int send;
371 { 501 {
372 SSL3_RECORD *rec; 502 SSL3_RECORD *rec;
373 EVP_CIPHER_CTX *ds; 503 EVP_CIPHER_CTX *ds;
374 unsigned long l; 504 unsigned long l;
375 int bs,i,ii,j,k,n=0; 505 int bs,i,ii,j,k,n=0;
376 EVP_CIPHER *enc; 506 const EVP_CIPHER *enc;
377 SSL_COMPRESSION *comp;
378 507
379 if (send) 508 if (send)
380 { 509 {
@@ -383,12 +512,9 @@ int send;
383 ds=s->enc_write_ctx; 512 ds=s->enc_write_ctx;
384 rec= &(s->s3->wrec); 513 rec= &(s->s3->wrec);
385 if (s->enc_write_ctx == NULL) 514 if (s->enc_write_ctx == NULL)
386 { enc=NULL; comp=NULL; } 515 enc=NULL;
387 else 516 else
388 {
389 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 517 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
390 comp=s->write_compression;
391 }
392 } 518 }
393 else 519 else
394 { 520 {
@@ -397,18 +523,19 @@ int send;
397 ds=s->enc_read_ctx; 523 ds=s->enc_read_ctx;
398 rec= &(s->s3->rrec); 524 rec= &(s->s3->rrec);
399 if (s->enc_read_ctx == NULL) 525 if (s->enc_read_ctx == NULL)
400 { enc=NULL; comp=NULL; } 526 enc=NULL;
401 else 527 else
402 {
403 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 528 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
404 comp=s->read_compression;
405 }
406 } 529 }
407 530
531#ifdef KSSL_DEBUG
532 printf("tls1_enc(%d)\n", send);
533#endif /* KSSL_DEBUG */
534
408 if ((s->session == NULL) || (ds == NULL) || 535 if ((s->session == NULL) || (ds == NULL) ||
409 ((enc == NULL) && (comp == NULL))) 536 (enc == NULL))
410 { 537 {
411 memcpy(rec->data,rec->input,rec->length); 538 memmove(rec->data,rec->input,rec->length);
412 rec->input=rec->data; 539 rec->input=rec->data;
413 } 540 }
414 else 541 else
@@ -435,11 +562,48 @@ int send;
435 rec->length+=i; 562 rec->length+=i;
436 } 563 }
437 564
565#ifdef KSSL_DEBUG
566 {
567 unsigned long ui;
568 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
569 ds,rec->data,rec->input,l);
570 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
571 ds->buf_len, ds->cipher->key_len,
572 DES_KEY_SZ, DES_SCHEDULE_SZ,
573 ds->cipher->iv_len);
574 printf("\t\tIV: ");
575 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
576 printf("\n");
577 printf("\trec->input=");
578 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
579 printf("\n");
580 }
581#endif /* KSSL_DEBUG */
582
583 if (!send)
584 {
585 if (l == 0 || l%bs != 0)
586 {
587 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
588 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
589 return 0;
590 }
591 }
592
438 EVP_Cipher(ds,rec->data,rec->input,l); 593 EVP_Cipher(ds,rec->data,rec->input,l);
439 594
595#ifdef KSSL_DEBUG
596 {
597 unsigned long i;
598 printf("\trec->data=");
599 for (i=0; i<l; i++)
600 printf(" %02x", rec->data[i]); printf("\n");
601 }
602#endif /* KSSL_DEBUG */
603
440 if ((bs != 1) && !send) 604 if ((bs != 1) && !send)
441 { 605 {
442 ii=i=rec->data[l-1]; 606 ii=i=rec->data[l-1]; /* padding_length */
443 i++; 607 i++;
444 if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) 608 if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
445 { 609 {
@@ -450,19 +614,22 @@ int send;
450 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 614 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
451 i--; 615 i--;
452 } 616 }
617 /* TLS 1.0 does not bound the number of padding bytes by the block size.
618 * All of them must have value 'padding_length'. */
453 if (i > (int)rec->length) 619 if (i > (int)rec->length)
454 { 620 {
455 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 621 /* Incorrect padding. SSLerr() and ssl3_alert are done
456 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 622 * by caller: we don't want to reveal whether this is
457 return(0); 623 * a decryption error or a MAC verification failure
624 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
625 return -1;
458 } 626 }
459 for (j=(int)(l-i); j<(int)l; j++) 627 for (j=(int)(l-i); j<(int)l; j++)
460 { 628 {
461 if (rec->data[j] != ii) 629 if (rec->data[j] != ii)
462 { 630 {
463 SSLerr(SSL_F_TLS1_ENC,SSL_R_DECRYPTION_FAILED); 631 /* Incorrect padding */
464 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 632 return -1;
465 return(0);
466 } 633 }
467 } 634 }
468 rec->length-=i; 635 rec->length-=i;
@@ -471,25 +638,20 @@ int send;
471 return(1); 638 return(1);
472 } 639 }
473 640
474int tls1_cert_verify_mac(s,in_ctx,out) 641int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
475SSL *s;
476EVP_MD_CTX *in_ctx;
477unsigned char *out;
478 { 642 {
479 unsigned int ret; 643 unsigned int ret;
480 EVP_MD_CTX ctx; 644 EVP_MD_CTX ctx;
481 645
482 memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX)); 646 EVP_MD_CTX_init(&ctx);
483 EVP_DigestFinal(&ctx,out,&ret); 647 EVP_MD_CTX_copy_ex(&ctx,in_ctx);
648 EVP_DigestFinal_ex(&ctx,out,&ret);
649 EVP_MD_CTX_cleanup(&ctx);
484 return((int)ret); 650 return((int)ret);
485 } 651 }
486 652
487int tls1_final_finish_mac(s,in1_ctx,in2_ctx,str,slen,out) 653int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
488SSL *s; 654 const char *str, int slen, unsigned char *out)
489EVP_MD_CTX *in1_ctx,*in2_ctx;
490unsigned char *str;
491int slen;
492unsigned char *out;
493 { 655 {
494 unsigned int i; 656 unsigned int i;
495 EVP_MD_CTX ctx; 657 EVP_MD_CTX ctx;
@@ -500,29 +662,27 @@ unsigned char *out;
500 memcpy(q,str,slen); 662 memcpy(q,str,slen);
501 q+=slen; 663 q+=slen;
502 664
503 memcpy(&ctx,in1_ctx,sizeof(EVP_MD_CTX)); 665 EVP_MD_CTX_init(&ctx);
504 EVP_DigestFinal(&ctx,q,&i); 666 EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
667 EVP_DigestFinal_ex(&ctx,q,&i);
505 q+=i; 668 q+=i;
506 memcpy(&ctx,in2_ctx,sizeof(EVP_MD_CTX)); 669 EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
507 EVP_DigestFinal(&ctx,q,&i); 670 EVP_DigestFinal_ex(&ctx,q,&i);
508 q+=i; 671 q+=i;
509 672
510 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,q-buf, 673 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
511 s->session->master_key,s->session->master_key_length, 674 s->session->master_key,s->session->master_key_length,
512 out,buf2,12); 675 out,buf2,12);
513 memset(&ctx,0,sizeof(EVP_MD_CTX)); 676 EVP_MD_CTX_cleanup(&ctx);
514 677
515 return((int)12); 678 return((int)12);
516 } 679 }
517 680
518int tls1_mac(ssl,md,send) 681int tls1_mac(SSL *ssl, unsigned char *md, int send)
519SSL *ssl;
520unsigned char *md;
521int send;
522 { 682 {
523 SSL3_RECORD *rec; 683 SSL3_RECORD *rec;
524 unsigned char *mac_sec,*seq; 684 unsigned char *mac_sec,*seq;
525 EVP_MD *hash; 685 const EVP_MD *hash;
526 unsigned int md_size; 686 unsigned int md_size;
527 int i; 687 int i;
528 HMAC_CTX hmac; 688 HMAC_CTX hmac;
@@ -552,41 +712,47 @@ int send;
552 buf[4]=rec->length&0xff; 712 buf[4]=rec->length&0xff;
553 713
554 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 714 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
555 HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash); 715 HMAC_CTX_init(&hmac);
716 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
556 HMAC_Update(&hmac,seq,8); 717 HMAC_Update(&hmac,seq,8);
557 HMAC_Update(&hmac,buf,5); 718 HMAC_Update(&hmac,buf,5);
558 HMAC_Update(&hmac,rec->input,rec->length); 719 HMAC_Update(&hmac,rec->input,rec->length);
559 HMAC_Final(&hmac,md,&md_size); 720 HMAC_Final(&hmac,md,&md_size);
721 HMAC_CTX_cleanup(&hmac);
560 722
561#ifdef TLS_DEBUG 723#ifdef TLS_DEBUG
562printf("sec="); 724printf("sec=");
563{int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 725{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
564printf("seq="); 726printf("seq=");
565{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 727{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
566printf("buf="); 728printf("buf=");
567{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 729{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
568printf("rec="); 730printf("rec=");
569{int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } 731{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
570#endif 732#endif
571 733
572 for (i=7; i>=0; i--) 734 for (i=7; i>=0; i--)
573 if (++seq[i]) break; 735 {
736 ++seq[i];
737 if (seq[i] != 0) break;
738 }
574 739
575#ifdef TLS_DEBUG 740#ifdef TLS_DEBUG
576{int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 741{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
577#endif 742#endif
578 return(md_size); 743 return(md_size);
579 } 744 }
580 745
581int tls1_generate_master_secret(s,out,p,len) 746int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
582SSL *s; 747 int len)
583unsigned char *out;
584unsigned char *p;
585int len;
586 { 748 {
587 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE]; 749 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
588 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 750 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
589 751
752#ifdef KSSL_DEBUG
753 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
754#endif /* KSSL_DEBUG */
755
590 /* Setup the stuff to munge */ 756 /* Setup the stuff to munge */
591 memcpy(buf,TLS_MD_MASTER_SECRET_CONST, 757 memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
592 TLS_MD_MASTER_SECRET_CONST_SIZE); 758 TLS_MD_MASTER_SECRET_CONST_SIZE);
@@ -597,11 +763,13 @@ int len;
597 tls1_PRF(s->ctx->md5,s->ctx->sha1, 763 tls1_PRF(s->ctx->md5,s->ctx->sha1,
598 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, 764 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
599 s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE); 765 s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
766#ifdef KSSL_DEBUG
767 printf ("tls1_generate_master_secret() complete\n");
768#endif /* KSSL_DEBUG */
600 return(SSL3_MASTER_SECRET_SIZE); 769 return(SSL3_MASTER_SECRET_SIZE);
601 } 770 }
602 771
603int tls1_alert_code(code) 772int tls1_alert_code(int code)
604int code;
605 { 773 {
606 switch (code) 774 switch (code)
607 { 775 {
@@ -623,11 +791,11 @@ int code;
623 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 791 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
624 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 792 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
625 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 793 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
626 case SSL_AD_EXPORT_RESTRICION: return(TLS1_AD_EXPORT_RESTRICION); 794 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
627 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 795 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
628 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 796 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
629 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 797 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
630 case SSL_AD_USER_CANCLED: return(TLS1_AD_USER_CANCLED); 798 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
631 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 799 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
632 default: return(-1); 800 default: return(-1);
633 } 801 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-06 10:06:57 +0000