diff options
| author | jsing <> | 2014-06-01 16:07:20 +0000 |
|---|---|---|
| committer | jsing <> | 2014-06-01 16:07:20 +0000 |
| commit | 6b3db85e3c245a6128515ffe3d0d48abea6e12eb (patch) | |
| tree | 4c316c71d0af480d3fe3af0a5993401fbe715059 /src/lib | |
| parent | 2575f058caaef9a395b71dc37964a7bcd2a092dc (diff) | |
| download | openbsd-6b3db85e3c245a6128515ffe3d0d48abea6e12eb.tar.gz openbsd-6b3db85e3c245a6128515ffe3d0d48abea6e12eb.tar.bz2 openbsd-6b3db85e3c245a6128515ffe3d0d48abea6e12eb.zip | |
Overhaul the key block handling in tls1_change_cipher_state() - use
meaningful variable names with pointer arithmitic, rather than n, i, j
and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_enc.c | 112 | ||||
| -rw-r--r-- | src/lib/libssl/t1_enc.c | 112 |
2 files changed, 132 insertions, 92 deletions
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c index e3acf59ab0..3146388c73 100644 --- a/src/lib/libssl/src/ssl/t1_enc.c +++ b/src/lib/libssl/src/ssl/t1_enc.c | |||
| @@ -301,14 +301,18 @@ int | |||
| 301 | tls1_change_cipher_state(SSL *s, int which) | 301 | tls1_change_cipher_state(SSL *s, int which) |
| 302 | { | 302 | { |
| 303 | static const unsigned char empty[]=""; | 303 | static const unsigned char empty[]=""; |
| 304 | unsigned char *p, *mac_secret; | ||
| 305 | unsigned char *exp_label; | ||
| 306 | unsigned char tmp1[EVP_MAX_KEY_LENGTH]; | 304 | unsigned char tmp1[EVP_MAX_KEY_LENGTH]; |
| 307 | unsigned char tmp2[EVP_MAX_KEY_LENGTH]; | 305 | unsigned char tmp2[EVP_MAX_KEY_LENGTH]; |
| 308 | unsigned char iv1[EVP_MAX_IV_LENGTH*2]; | 306 | unsigned char iv1[EVP_MAX_IV_LENGTH*2]; |
| 309 | unsigned char iv2[EVP_MAX_IV_LENGTH*2]; | 307 | unsigned char iv2[EVP_MAX_IV_LENGTH*2]; |
| 310 | unsigned char *ms, *key, *iv; | 308 | |
| 311 | int client_write; | 309 | const unsigned char *client_write_mac_secret, *server_write_mac_secret; |
| 310 | const unsigned char *client_write_key, *server_write_key; | ||
| 311 | const unsigned char *client_write_iv, *server_write_iv; | ||
| 312 | const unsigned char *mac_secret, *key, *iv; | ||
| 313 | int mac_secret_size, key_len, iv_len; | ||
| 314 | unsigned char *key_block, *exp_label; | ||
| 315 | |||
| 312 | EVP_CIPHER_CTX *dd; | 316 | EVP_CIPHER_CTX *dd; |
| 313 | const EVP_CIPHER *c; | 317 | const EVP_CIPHER *c; |
| 314 | #ifndef OPENSSL_NO_COMP | 318 | #ifndef OPENSSL_NO_COMP |
| @@ -316,12 +320,11 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 316 | #endif | 320 | #endif |
| 317 | const EVP_MD *m; | 321 | const EVP_MD *m; |
| 318 | int mac_type; | 322 | int mac_type; |
| 319 | int *mac_secret_size; | ||
| 320 | EVP_MD_CTX *mac_ctx; | 323 | EVP_MD_CTX *mac_ctx; |
| 321 | EVP_PKEY *mac_key; | 324 | EVP_PKEY *mac_key; |
| 322 | int is_export, n, i, k, exp_label_len, key_len; | 325 | int is_export, exp_label_len; |
| 323 | int reuse_dd = 0; | 326 | int reuse_dd = 0; |
| 324 | char is_read; | 327 | char is_read, use_client_keys; |
| 325 | 328 | ||
| 326 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); | 329 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); |
| 327 | c = s->s3->tmp.new_sym_enc; | 330 | c = s->s3->tmp.new_sym_enc; |
| @@ -335,6 +338,14 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 335 | */ | 338 | */ |
| 336 | is_read = (which & SSL3_CC_READ) != 0; | 339 | is_read = (which & SSL3_CC_READ) != 0; |
| 337 | 340 | ||
| 341 | /* | ||
| 342 | * use_client_keys is true if we wish to use the keys for the "client | ||
| 343 | * write" direction. This is the case if we're a client sending a | ||
| 344 | * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. | ||
| 345 | */ | ||
| 346 | use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | ||
| 347 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)); | ||
| 348 | |||
| 338 | #ifndef OPENSSL_NO_COMP | 349 | #ifndef OPENSSL_NO_COMP |
| 339 | comp = s->s3->tmp.new_compression; | 350 | comp = s->s3->tmp.new_compression; |
| 340 | if (is_read) { | 351 | if (is_read) { |
| @@ -395,8 +406,6 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 395 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ | 406 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ |
| 396 | if (s->version != DTLS1_VERSION) | 407 | if (s->version != DTLS1_VERSION) |
| 397 | memset(&(s->s3->read_sequence[0]), 0, 8); | 408 | memset(&(s->s3->read_sequence[0]), 0, 8); |
| 398 | mac_secret = &(s->s3->read_mac_secret[0]); | ||
| 399 | mac_secret_size = &(s->s3->read_mac_secret_size); | ||
| 400 | } else { | 409 | } else { |
| 401 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) | 410 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) |
| 402 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; | 411 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; |
| @@ -424,16 +433,11 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 424 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ | 433 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ |
| 425 | if (s->version != DTLS1_VERSION) | 434 | if (s->version != DTLS1_VERSION) |
| 426 | memset(&(s->s3->write_sequence[0]), 0, 8); | 435 | memset(&(s->s3->write_sequence[0]), 0, 8); |
| 427 | mac_secret = &(s->s3->write_mac_secret[0]); | ||
| 428 | mac_secret_size = &(s->s3->write_mac_secret_size); | ||
| 429 | } | 436 | } |
| 430 | 437 | ||
| 431 | if (reuse_dd) | 438 | if (reuse_dd) |
| 432 | EVP_CIPHER_CTX_cleanup(dd); | 439 | EVP_CIPHER_CTX_cleanup(dd); |
| 433 | 440 | ||
| 434 | p = s->s3->tmp.key_block; | ||
| 435 | i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; | ||
| 436 | |||
| 437 | key_len = EVP_CIPHER_key_length(c); | 441 | key_len = EVP_CIPHER_key_length(c); |
| 438 | if (is_export) { | 442 | if (is_export) { |
| 439 | if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | 443 | if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) |
| @@ -442,43 +446,56 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 442 | 446 | ||
| 443 | /* If GCM mode only part of IV comes from PRF. */ | 447 | /* If GCM mode only part of IV comes from PRF. */ |
| 444 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) | 448 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) |
| 445 | k = EVP_GCM_TLS_FIXED_IV_LEN; | 449 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; |
| 446 | else | 450 | else |
| 447 | k = EVP_CIPHER_iv_length(c); | 451 | iv_len = EVP_CIPHER_iv_length(c); |
| 448 | if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | 452 | |
| 449 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { | 453 | mac_secret_size = s->s3->tmp.new_mac_secret_size; |
| 450 | ms = &(p[0]); | 454 | |
| 451 | n = i + i; | 455 | key_block = s->s3->tmp.key_block; |
| 452 | key = &(p[n]); | 456 | client_write_mac_secret = key_block; |
| 453 | n += key_len + key_len; | 457 | key_block += mac_secret_size; |
| 454 | iv = &(p[n]); | 458 | server_write_mac_secret = key_block; |
| 455 | n += k + k; | 459 | key_block += mac_secret_size; |
| 460 | client_write_key = key_block; | ||
| 461 | key_block += key_len; | ||
| 462 | server_write_key = key_block; | ||
| 463 | key_block += key_len; | ||
| 464 | client_write_iv = key_block; | ||
| 465 | key_block += iv_len; | ||
| 466 | server_write_iv = key_block; | ||
| 467 | key_block += iv_len; | ||
| 468 | |||
| 469 | if (use_client_keys) { | ||
| 470 | mac_secret = client_write_mac_secret; | ||
| 471 | key = client_write_key; | ||
| 472 | iv = client_write_iv; | ||
| 456 | exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; | 473 | exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; |
| 457 | exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; | 474 | exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; |
| 458 | client_write = 1; | ||
| 459 | } else { | 475 | } else { |
| 460 | n = i; | 476 | mac_secret = server_write_mac_secret; |
| 461 | ms = &(p[n]); | 477 | key = server_write_key; |
| 462 | n += i + key_len; | 478 | iv = server_write_iv; |
| 463 | key = &(p[n]); | ||
| 464 | n += key_len + k; | ||
| 465 | iv = &(p[n]); | ||
| 466 | n += k; | ||
| 467 | exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; | 479 | exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; |
| 468 | exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; | 480 | exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; |
| 469 | client_write = 0; | ||
| 470 | } | 481 | } |
| 471 | 482 | ||
| 472 | if (n > s->s3->tmp.key_block_length) { | 483 | if (key_block - s->s3->tmp.key_block != s->s3->tmp.key_block_length) { |
| 473 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); | 484 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
| 474 | goto err2; | 485 | goto err2; |
| 475 | } | 486 | } |
| 476 | 487 | ||
| 477 | memcpy(mac_secret, ms, i); | 488 | if (is_read) { |
| 489 | memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_size); | ||
| 490 | s->s3->read_mac_secret_size = mac_secret_size; | ||
| 491 | } else { | ||
| 492 | memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_size); | ||
| 493 | s->s3->write_mac_secret_size = mac_secret_size; | ||
| 494 | } | ||
| 478 | 495 | ||
| 479 | if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { | 496 | if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { |
| 480 | mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, | 497 | mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, |
| 481 | mac_secret, *mac_secret_size); | 498 | mac_secret, mac_secret_size); |
| 482 | EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); | 499 | EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); |
| 483 | EVP_PKEY_free(mac_key); | 500 | EVP_PKEY_free(mac_key); |
| 484 | } | 501 | } |
| @@ -495,32 +512,35 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 495 | goto err2; | 512 | goto err2; |
| 496 | key = tmp1; | 513 | key = tmp1; |
| 497 | 514 | ||
| 498 | if (k > 0) { | 515 | if (iv_len > 0) { |
| 499 | if (!tls1_PRF(ssl_get_algorithm2(s), | 516 | if (!tls1_PRF(ssl_get_algorithm2(s), |
| 500 | TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, | 517 | TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, |
| 501 | s->s3->client_random, SSL3_RANDOM_SIZE, | 518 | s->s3->client_random, SSL3_RANDOM_SIZE, |
| 502 | s->s3->server_random, SSL3_RANDOM_SIZE, | 519 | s->s3->server_random, SSL3_RANDOM_SIZE, |
| 503 | NULL, 0, NULL, 0, empty, 0, iv1, iv2, k*2)) | 520 | NULL, 0, NULL, 0, empty, 0, iv1, iv2, iv_len * 2)) |
| 504 | goto err2; | 521 | goto err2; |
| 505 | if (client_write) | 522 | if (use_client_keys) |
| 506 | iv = iv1; | 523 | iv = iv1; |
| 507 | else | 524 | else |
| 508 | iv = &(iv1[k]); | 525 | iv = &(iv1[iv_len]); |
| 509 | } | 526 | } |
| 510 | } | 527 | } |
| 511 | 528 | ||
| 512 | 529 | ||
| 513 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { | 530 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { |
| 514 | EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)); | 531 | EVP_CipherInit_ex(dd, c, NULL, key, NULL, |
| 515 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); | 532 | (which & SSL3_CC_WRITE)); |
| 533 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, iv_len, | ||
| 534 | (unsigned char *)iv); | ||
| 516 | } else | 535 | } else |
| 517 | EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)); | 536 | EVP_CipherInit_ex(dd, c, NULL, key, iv, |
| 537 | (which & SSL3_CC_WRITE)); | ||
| 518 | 538 | ||
| 519 | /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ | 539 | /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ |
| 520 | if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) | 540 | if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && |
| 541 | mac_secret_size) | ||
| 521 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, | 542 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, |
| 522 | *mac_secret_size, mac_secret); | 543 | mac_secret_size, (unsigned char *)mac_secret); |
| 523 | |||
| 524 | 544 | ||
| 525 | OPENSSL_cleanse(tmp1, sizeof(tmp1)); | 545 | OPENSSL_cleanse(tmp1, sizeof(tmp1)); |
| 526 | OPENSSL_cleanse(tmp2, sizeof(tmp2)); | 546 | OPENSSL_cleanse(tmp2, sizeof(tmp2)); |
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index e3acf59ab0..3146388c73 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c | |||
| @@ -301,14 +301,18 @@ int | |||
| 301 | tls1_change_cipher_state(SSL *s, int which) | 301 | tls1_change_cipher_state(SSL *s, int which) |
| 302 | { | 302 | { |
| 303 | static const unsigned char empty[]=""; | 303 | static const unsigned char empty[]=""; |
| 304 | unsigned char *p, *mac_secret; | ||
| 305 | unsigned char *exp_label; | ||
| 306 | unsigned char tmp1[EVP_MAX_KEY_LENGTH]; | 304 | unsigned char tmp1[EVP_MAX_KEY_LENGTH]; |
| 307 | unsigned char tmp2[EVP_MAX_KEY_LENGTH]; | 305 | unsigned char tmp2[EVP_MAX_KEY_LENGTH]; |
| 308 | unsigned char iv1[EVP_MAX_IV_LENGTH*2]; | 306 | unsigned char iv1[EVP_MAX_IV_LENGTH*2]; |
| 309 | unsigned char iv2[EVP_MAX_IV_LENGTH*2]; | 307 | unsigned char iv2[EVP_MAX_IV_LENGTH*2]; |
| 310 | unsigned char *ms, *key, *iv; | 308 | |
| 311 | int client_write; | 309 | const unsigned char *client_write_mac_secret, *server_write_mac_secret; |
| 310 | const unsigned char *client_write_key, *server_write_key; | ||
| 311 | const unsigned char *client_write_iv, *server_write_iv; | ||
| 312 | const unsigned char *mac_secret, *key, *iv; | ||
| 313 | int mac_secret_size, key_len, iv_len; | ||
| 314 | unsigned char *key_block, *exp_label; | ||
| 315 | |||
| 312 | EVP_CIPHER_CTX *dd; | 316 | EVP_CIPHER_CTX *dd; |
| 313 | const EVP_CIPHER *c; | 317 | const EVP_CIPHER *c; |
| 314 | #ifndef OPENSSL_NO_COMP | 318 | #ifndef OPENSSL_NO_COMP |
| @@ -316,12 +320,11 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 316 | #endif | 320 | #endif |
| 317 | const EVP_MD *m; | 321 | const EVP_MD *m; |
| 318 | int mac_type; | 322 | int mac_type; |
| 319 | int *mac_secret_size; | ||
| 320 | EVP_MD_CTX *mac_ctx; | 323 | EVP_MD_CTX *mac_ctx; |
| 321 | EVP_PKEY *mac_key; | 324 | EVP_PKEY *mac_key; |
| 322 | int is_export, n, i, k, exp_label_len, key_len; | 325 | int is_export, exp_label_len; |
| 323 | int reuse_dd = 0; | 326 | int reuse_dd = 0; |
| 324 | char is_read; | 327 | char is_read, use_client_keys; |
| 325 | 328 | ||
| 326 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); | 329 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); |
| 327 | c = s->s3->tmp.new_sym_enc; | 330 | c = s->s3->tmp.new_sym_enc; |
| @@ -335,6 +338,14 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 335 | */ | 338 | */ |
| 336 | is_read = (which & SSL3_CC_READ) != 0; | 339 | is_read = (which & SSL3_CC_READ) != 0; |
| 337 | 340 | ||
| 341 | /* | ||
| 342 | * use_client_keys is true if we wish to use the keys for the "client | ||
| 343 | * write" direction. This is the case if we're a client sending a | ||
| 344 | * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. | ||
| 345 | */ | ||
| 346 | use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | ||
| 347 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)); | ||
| 348 | |||
| 338 | #ifndef OPENSSL_NO_COMP | 349 | #ifndef OPENSSL_NO_COMP |
| 339 | comp = s->s3->tmp.new_compression; | 350 | comp = s->s3->tmp.new_compression; |
| 340 | if (is_read) { | 351 | if (is_read) { |
| @@ -395,8 +406,6 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 395 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ | 406 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ |
| 396 | if (s->version != DTLS1_VERSION) | 407 | if (s->version != DTLS1_VERSION) |
| 397 | memset(&(s->s3->read_sequence[0]), 0, 8); | 408 | memset(&(s->s3->read_sequence[0]), 0, 8); |
| 398 | mac_secret = &(s->s3->read_mac_secret[0]); | ||
| 399 | mac_secret_size = &(s->s3->read_mac_secret_size); | ||
| 400 | } else { | 409 | } else { |
| 401 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) | 410 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) |
| 402 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; | 411 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; |
| @@ -424,16 +433,11 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 424 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ | 433 | /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ |
| 425 | if (s->version != DTLS1_VERSION) | 434 | if (s->version != DTLS1_VERSION) |
| 426 | memset(&(s->s3->write_sequence[0]), 0, 8); | 435 | memset(&(s->s3->write_sequence[0]), 0, 8); |
| 427 | mac_secret = &(s->s3->write_mac_secret[0]); | ||
| 428 | mac_secret_size = &(s->s3->write_mac_secret_size); | ||
| 429 | } | 436 | } |
| 430 | 437 | ||
| 431 | if (reuse_dd) | 438 | if (reuse_dd) |
| 432 | EVP_CIPHER_CTX_cleanup(dd); | 439 | EVP_CIPHER_CTX_cleanup(dd); |
| 433 | 440 | ||
| 434 | p = s->s3->tmp.key_block; | ||
| 435 | i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; | ||
| 436 | |||
| 437 | key_len = EVP_CIPHER_key_length(c); | 441 | key_len = EVP_CIPHER_key_length(c); |
| 438 | if (is_export) { | 442 | if (is_export) { |
| 439 | if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) | 443 | if (key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) |
| @@ -442,43 +446,56 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 442 | 446 | ||
| 443 | /* If GCM mode only part of IV comes from PRF. */ | 447 | /* If GCM mode only part of IV comes from PRF. */ |
| 444 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) | 448 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) |
| 445 | k = EVP_GCM_TLS_FIXED_IV_LEN; | 449 | iv_len = EVP_GCM_TLS_FIXED_IV_LEN; |
| 446 | else | 450 | else |
| 447 | k = EVP_CIPHER_iv_length(c); | 451 | iv_len = EVP_CIPHER_iv_length(c); |
| 448 | if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | 452 | |
| 449 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { | 453 | mac_secret_size = s->s3->tmp.new_mac_secret_size; |
| 450 | ms = &(p[0]); | 454 | |
| 451 | n = i + i; | 455 | key_block = s->s3->tmp.key_block; |
| 452 | key = &(p[n]); | 456 | client_write_mac_secret = key_block; |
| 453 | n += key_len + key_len; | 457 | key_block += mac_secret_size; |
| 454 | iv = &(p[n]); | 458 | server_write_mac_secret = key_block; |
| 455 | n += k + k; | 459 | key_block += mac_secret_size; |
| 460 | client_write_key = key_block; | ||
| 461 | key_block += key_len; | ||
| 462 | server_write_key = key_block; | ||
| 463 | key_block += key_len; | ||
| 464 | client_write_iv = key_block; | ||
| 465 | key_block += iv_len; | ||
| 466 | server_write_iv = key_block; | ||
| 467 | key_block += iv_len; | ||
| 468 | |||
| 469 | if (use_client_keys) { | ||
| 470 | mac_secret = client_write_mac_secret; | ||
| 471 | key = client_write_key; | ||
| 472 | iv = client_write_iv; | ||
| 456 | exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; | 473 | exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; |
| 457 | exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; | 474 | exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; |
| 458 | client_write = 1; | ||
| 459 | } else { | 475 | } else { |
| 460 | n = i; | 476 | mac_secret = server_write_mac_secret; |
| 461 | ms = &(p[n]); | 477 | key = server_write_key; |
| 462 | n += i + key_len; | 478 | iv = server_write_iv; |
| 463 | key = &(p[n]); | ||
| 464 | n += key_len + k; | ||
| 465 | iv = &(p[n]); | ||
| 466 | n += k; | ||
| 467 | exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; | 479 | exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; |
| 468 | exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; | 480 | exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; |
| 469 | client_write = 0; | ||
| 470 | } | 481 | } |
| 471 | 482 | ||
| 472 | if (n > s->s3->tmp.key_block_length) { | 483 | if (key_block - s->s3->tmp.key_block != s->s3->tmp.key_block_length) { |
| 473 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); | 484 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
| 474 | goto err2; | 485 | goto err2; |
| 475 | } | 486 | } |
| 476 | 487 | ||
| 477 | memcpy(mac_secret, ms, i); | 488 | if (is_read) { |
| 489 | memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_size); | ||
| 490 | s->s3->read_mac_secret_size = mac_secret_size; | ||
| 491 | } else { | ||
| 492 | memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_size); | ||
| 493 | s->s3->write_mac_secret_size = mac_secret_size; | ||
| 494 | } | ||
| 478 | 495 | ||
| 479 | if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { | 496 | if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { |
| 480 | mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, | 497 | mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, |
| 481 | mac_secret, *mac_secret_size); | 498 | mac_secret, mac_secret_size); |
| 482 | EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); | 499 | EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key); |
| 483 | EVP_PKEY_free(mac_key); | 500 | EVP_PKEY_free(mac_key); |
| 484 | } | 501 | } |
| @@ -495,32 +512,35 @@ tls1_change_cipher_state(SSL *s, int which) | |||
| 495 | goto err2; | 512 | goto err2; |
| 496 | key = tmp1; | 513 | key = tmp1; |
| 497 | 514 | ||
| 498 | if (k > 0) { | 515 | if (iv_len > 0) { |
| 499 | if (!tls1_PRF(ssl_get_algorithm2(s), | 516 | if (!tls1_PRF(ssl_get_algorithm2(s), |
| 500 | TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, | 517 | TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, |
| 501 | s->s3->client_random, SSL3_RANDOM_SIZE, | 518 | s->s3->client_random, SSL3_RANDOM_SIZE, |
| 502 | s->s3->server_random, SSL3_RANDOM_SIZE, | 519 | s->s3->server_random, SSL3_RANDOM_SIZE, |
| 503 | NULL, 0, NULL, 0, empty, 0, iv1, iv2, k*2)) | 520 | NULL, 0, NULL, 0, empty, 0, iv1, iv2, iv_len * 2)) |
| 504 | goto err2; | 521 | goto err2; |
| 505 | if (client_write) | 522 | if (use_client_keys) |
| 506 | iv = iv1; | 523 | iv = iv1; |
| 507 | else | 524 | else |
| 508 | iv = &(iv1[k]); | 525 | iv = &(iv1[iv_len]); |
| 509 | } | 526 | } |
| 510 | } | 527 | } |
| 511 | 528 | ||
| 512 | 529 | ||
| 513 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { | 530 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { |
| 514 | EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)); | 531 | EVP_CipherInit_ex(dd, c, NULL, key, NULL, |
| 515 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); | 532 | (which & SSL3_CC_WRITE)); |
| 533 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, iv_len, | ||
| 534 | (unsigned char *)iv); | ||
| 516 | } else | 535 | } else |
| 517 | EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)); | 536 | EVP_CipherInit_ex(dd, c, NULL, key, iv, |
| 537 | (which & SSL3_CC_WRITE)); | ||
| 518 | 538 | ||
| 519 | /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ | 539 | /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ |
| 520 | if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) | 540 | if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && |
| 541 | mac_secret_size) | ||
| 521 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, | 542 | EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, |
| 522 | *mac_secret_size, mac_secret); | 543 | mac_secret_size, (unsigned char *)mac_secret); |
| 523 | |||
| 524 | 544 | ||
| 525 | OPENSSL_cleanse(tmp1, sizeof(tmp1)); | 545 | OPENSSL_cleanse(tmp1, sizeof(tmp1)); |
| 526 | OPENSSL_cleanse(tmp2, sizeof(tmp2)); | 546 | OPENSSL_cleanse(tmp2, sizeof(tmp2)); |