1 files changed, 0 insertions, 417 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
deleted file mode 100644
index 64e1dd5b63..0000000000
--- a/src/lib/libssl/t1_enc.c
+++ /dev/null
@@ -1,417 +0,0 @@
-/* $OpenBSD: t1_enc.c,v 1.158 2024/07/20 04:04:23 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-#include <limits.h>
-#include <stdio.h>
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-#include <openssl/md5.h>
-#include <openssl/opensslconf.h>
-#include "dtls_local.h"
-#include "ssl_local.h"
-void
-tls1_cleanup_key_block(SSL *s)
-{
-        tls12_key_block_free(s->s3->hs.tls12.key_block);
-        s->s3->hs.tls12.key_block = NULL;
-}
-/*
- * TLS P_hash() data expansion function - see RFC 5246, section 5.
- */
-static int
-tls1_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
-    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
-    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
-    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
-{
-        unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
-        size_t A1_len, hmac_len;
-        EVP_MD_CTX *ctx = NULL;
-        EVP_PKEY *mac_key = NULL;
-        int ret = 0;
-        int chunk;
-        size_t i;
-        chunk = EVP_MD_size(md);
-        OPENSSL_assert(chunk >= 0);
-        if ((ctx = EVP_MD_CTX_new()) == NULL)
-                goto err;
-        mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
-        if (mac_key == NULL)
-                goto err;
-        if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key))
-                goto err;
-        if (seed1 && !EVP_DigestSignUpdate(ctx, seed1, seed1_len))
-                goto err;
-        if (seed2 && !EVP_DigestSignUpdate(ctx, seed2, seed2_len))
-                goto err;
-        if (seed3 && !EVP_DigestSignUpdate(ctx, seed3, seed3_len))
-                goto err;
-        if (seed4 && !EVP_DigestSignUpdate(ctx, seed4, seed4_len))
-                goto err;
-        if (seed5 && !EVP_DigestSignUpdate(ctx, seed5, seed5_len))
-                goto err;
-        if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
-                goto err;
-        for (;;) {
-                if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key))
-                        goto err;
-                if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
-                        goto err;
-                if (seed1 && !EVP_DigestSignUpdate(ctx, seed1, seed1_len))
-                        goto err;
-                if (seed2 && !EVP_DigestSignUpdate(ctx, seed2, seed2_len))
-                        goto err;
-                if (seed3 && !EVP_DigestSignUpdate(ctx, seed3, seed3_len))
-                        goto err;
-                if (seed4 && !EVP_DigestSignUpdate(ctx, seed4, seed4_len))
-                        goto err;
-                if (seed5 && !EVP_DigestSignUpdate(ctx, seed5, seed5_len))
-                        goto err;
-                if (!EVP_DigestSignFinal(ctx, hmac, &hmac_len))
-                        goto err;
-                if (hmac_len > out_len)
-                        hmac_len = out_len;
-                for (i = 0; i < hmac_len; i++)
-                        out[i] ^= hmac[i];
-                out += hmac_len;
-                out_len -= hmac_len;
-                if (out_len == 0)
-                        break;
-                if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key))
-                        goto err;
-                if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
-                        goto err;
-                if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
-                        goto err;
-        }
-        ret = 1;
- err:
-        EVP_PKEY_free(mac_key);
-        EVP_MD_CTX_free(ctx);
-        explicit_bzero(A1, sizeof(A1));
-        explicit_bzero(hmac, sizeof(hmac));
-        return ret;
-}
-int
-tls1_PRF(SSL *s, const unsigned char *secret, size_t secret_len,
-    const void *seed1, size_t seed1_len, const void *seed2, size_t seed2_len,
-    const void *seed3, size_t seed3_len, const void *seed4, size_t seed4_len,
-    const void *seed5, size_t seed5_len, unsigned char *out, size_t out_len)
-{
-        const EVP_MD *md;
-        size_t half_len;
-        memset(out, 0, out_len);
-        if (!ssl_get_handshake_evp_md(s, &md))
-                return (0);
-        if (EVP_MD_type(md) == NID_md5_sha1) {
-                /*
-                 * Partition secret between MD5 and SHA1, then XOR result.
-                 * If the secret length is odd, a one byte overlap is used.
-                 */
-                half_len = secret_len - (secret_len / 2);
-                if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
-                    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
-                    seed5, seed5_len, out, out_len))
-                        return (0);
-                secret += secret_len - half_len;
-                if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
-                    seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
-                    seed5, seed5_len, out, out_len))
-                        return (0);
-                return (1);
-        }
-        if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
-            seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
-            seed5, seed5_len, out, out_len))
-                return (0);
-        return (1);
-}
-int
-tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len)
-{
-        return tls1_PRF(s,
-            s->session->master_key, s->session->master_key_length,
-            TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
-            s->s3->server_random, SSL3_RANDOM_SIZE,
-            s->s3->client_random, SSL3_RANDOM_SIZE,
-            NULL, 0, NULL, 0, key_block, key_block_len);
-}
-static int
-tls1_change_cipher_state(SSL *s, int is_write)
-{
-        CBS mac_key, key, iv;
-        /* Use client write keys on client write and server read. */
-        if ((!s->server && is_write) || (s->server && !is_write)) {
-                tls12_key_block_client_write(s->s3->hs.tls12.key_block,
-                    &mac_key, &key, &iv);
-        } else {
-                tls12_key_block_server_write(s->s3->hs.tls12.key_block,
-                    &mac_key, &key, &iv);
-        }
-        if (!is_write) {
-                if (!tls12_record_layer_change_read_cipher_state(s->rl,
-                    &mac_key, &key, &iv))
-                        goto err;
-                if (SSL_is_dtls(s))
-                        dtls1_reset_read_seq_numbers(s);
-        } else {
-                if (!tls12_record_layer_change_write_cipher_state(s->rl,
-                    &mac_key, &key, &iv))
-                        goto err;
-        }
-        return (1);
- err:
-        return (0);
-}
-int
-tls1_change_read_cipher_state(SSL *s)
-{
-        return tls1_change_cipher_state(s, 0);
-}
-int
-tls1_change_write_cipher_state(SSL *s)
-{
-        return tls1_change_cipher_state(s, 1);
-}
-int
-tls1_setup_key_block(SSL *s)
-{
-        struct tls12_key_block *key_block;
-        int mac_type = NID_undef, mac_secret_size = 0;
-        const EVP_CIPHER *cipher = NULL;
-        const EVP_AEAD *aead = NULL;
-        const EVP_MD *handshake_hash = NULL;
-        const EVP_MD *mac_hash = NULL;
-        int ret = 0;
-        /*
-         * XXX - callers should be changed so that they only call this
-         * function once.
-         */
-        if (s->s3->hs.tls12.key_block != NULL)
-                return (1);
-        if (s->s3->hs.cipher == NULL)
-                return (0);
-        if ((s->s3->hs.cipher->algorithm_mac & SSL_AEAD) != 0) {
-                if (!ssl_cipher_get_evp_aead(s, &aead)) {
-                        SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
-                        return (0);
-                }
-        } else {
-                /* XXX - mac_type and mac_secret_size are now unused. */
-                if (!ssl_cipher_get_evp(s, &cipher, &mac_hash,
-                    &mac_type, &mac_secret_size)) {
-                        SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
-                        return (0);
-                }
-        }
-        if (!ssl_get_handshake_evp_md(s, &handshake_hash))
-                return (0);
-        tls12_record_layer_set_aead(s->rl, aead);
-        tls12_record_layer_set_cipher_hash(s->rl, cipher,
-            handshake_hash, mac_hash);
-        if ((key_block = tls12_key_block_new()) == NULL)
-                goto err;
-        if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
-                goto err;
-        s->s3->hs.tls12.key_block = key_block;
-        key_block = NULL;
-        if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
-            s->method->version <= TLS1_VERSION) {
-                /*
-                 * Enable vulnerability countermeasure for CBC ciphers with
-                 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
-                 */
-                s->s3->need_empty_fragments = 1;
-                if (s->s3->hs.cipher != NULL) {
-                        if (s->s3->hs.cipher->algorithm_enc == SSL_eNULL)
-                                s->s3->need_empty_fragments = 0;
-#ifndef OPENSSL_NO_RC4
-                        if (s->s3->hs.cipher->algorithm_enc == SSL_RC4)
-                                s->s3->need_empty_fragments = 0;
-#endif
-                }
-        }
-        ret = 1;
- err:
-        tls12_key_block_free(key_block);
-        return (ret);
-}

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c deleted file mode 100644 index 64e1dd5b63..0000000000 --- a/src/lib/libssl/t1_enc.c +++ /dev/null
@@ -1,417 +0,0 @@
1	/* $OpenBSD: t1_enc.c,v 1.158 2024/07/20 04:04:23 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.
4	*
5	* This package is an SSL implementation written
6	* by Eric Young (eay@cryptsoft.com).
7	* The implementation was written so as to conform with Netscapes SSL.
8	*
9	* This library is free for commercial and non-commercial use as long as
10	* the following conditions are aheared to. The following conditions
11	* apply to all code found in this distribution, be it the RC4, RSA,
12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13	* included with this distribution is covered by the same copyright terms
14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15	*
16	* Copyright remains Eric Young's, and as such any Copyright notices in
17	* the code are not to be removed.
18	* If this package is used in a product, Eric Young should be given attribution
19	* as the author of the parts of the library used.
20	* This can be in the form of a textual message at program startup or
21	* in documentation (online or textual) provided with the package.
22	*
23	* Redistribution and use in source and binary forms, with or without
24	* modification, are permitted provided that the following conditions
25	* are met:
26	* 1. Redistributions of source code must retain the copyright
27	* notice, this list of conditions and the following disclaimer.
28	* 2. Redistributions in binary form must reproduce the above copyright
29	* notice, this list of conditions and the following disclaimer in the
30	* documentation and/or other materials provided with the distribution.
31	* 3. All advertising materials mentioning features or use of this software
32	* must display the following acknowledgement:
33	* "This product includes cryptographic software written by
34	* Eric Young (eay@cryptsoft.com)"
35	* The word 'cryptographic' can be left out if the rouines from the library
36	* being used are not cryptographic related :-).
37	* 4. If you include any Windows specific code (or a derivative thereof) from
38	* the apps directory (application code) you must include an acknowledgement:
39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51	* SUCH DAMAGE.
52	*
53	* The licence and distribution terms for any publically available version or
54	* derivative of this code cannot be changed. i.e. this code cannot simply be
55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]
57	*/
58	/* ====================================================================
59	* Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60	*
61	* Redistribution and use in source and binary forms, with or without
62	* modification, are permitted provided that the following conditions
63	* are met:
64	*
65	* 1. Redistributions of source code must retain the above copyright
66	* notice, this list of conditions and the following disclaimer.
67	*
68	* 2. Redistributions in binary form must reproduce the above copyright
69	* notice, this list of conditions and the following disclaimer in
70	* the documentation and/or other materials provided with the
71	* distribution.
72	*
73	* 3. All advertising materials mentioning features or use of this
74	* software must display the following acknowledgment:
75	* "This product includes software developed by the OpenSSL Project
76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77	*
78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79	* endorse or promote products derived from this software without
80	* prior written permission. For written permission, please contact
81	* openssl-core@openssl.org.
82	*
83	* 5. Products derived from this software may not be called "OpenSSL"
84	* nor may "OpenSSL" appear in their names without prior written
85	* permission of the OpenSSL Project.
86	*
87	* 6. Redistributions of any form whatsoever must retain the following
88	* acknowledgment:
89	* "This product includes software developed by the OpenSSL Project
90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91	*
92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103	* OF THE POSSIBILITY OF SUCH DAMAGE.
104	* ====================================================================
105	*
106	* This product includes cryptographic software written by Eric Young
107	* (eay@cryptsoft.com). This product includes software written by Tim
108	* Hudson (tjh@cryptsoft.com).
109	*
110	*/
111	/* ====================================================================
112	* Copyright 2005 Nokia. All rights reserved.
113	*
114	* The portions of the attached software ("Contribution") is developed by
115	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
116	* license.
117	*
118	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
119	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120	* support (see RFC 4279) to OpenSSL.
121	*
122	* No patent licenses or other rights except those expressly stated in
123	* the OpenSSL open source license shall be deemed granted or received
124	* expressly, by implication, estoppel, or otherwise.
125	*
126	* No assurances are provided by Nokia that the Contribution does not
127	* infringe the patent or other intellectual property rights of any third
128	* party or that the license provides you with all the necessary rights
129	* to make use of the Contribution.
130	*
131	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135	* OTHERWISE.
136	*/
137
138	#include <limits.h>
139	#include <stdio.h>
140
141	#include <openssl/evp.h>
142	#include <openssl/hmac.h>
143	#include <openssl/md5.h>
144	#include <openssl/opensslconf.h>
145
146	#include "dtls_local.h"
147	#include "ssl_local.h"
148
149	void
150	tls1_cleanup_key_block(SSL *s)
151	{
152	tls12_key_block_free(s->s3->hs.tls12.key_block);
153	s->s3->hs.tls12.key_block = NULL;
154	}
155
156	/*
157	* TLS P_hash() data expansion function - see RFC 5246, section 5.
158	*/
159	static int
160	tls1_P_hash(const EVP_MD md, const unsigned char secret, size_t secret_len,
161	const void seed1, size_t seed1_len, const void seed2, size_t seed2_len,
162	const void seed3, size_t seed3_len, const void seed4, size_t seed4_len,
163	const void seed5, size_t seed5_len, unsigned char out, size_t out_len)
164	{
165	unsigned char A1[EVP_MAX_MD_SIZE], hmac[EVP_MAX_MD_SIZE];
166	size_t A1_len, hmac_len;
167	EVP_MD_CTX *ctx = NULL;
168	EVP_PKEY *mac_key = NULL;
169	int ret = 0;
170	int chunk;
171	size_t i;
172
173	chunk = EVP_MD_size(md);
174	OPENSSL_assert(chunk >= 0);
175
176	if ((ctx = EVP_MD_CTX_new()) == NULL)
177	goto err;
178
179	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, secret, secret_len);
180	if (mac_key == NULL)
181	goto err;
182	if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key))
183	goto err;
184	if (seed1 && !EVP_DigestSignUpdate(ctx, seed1, seed1_len))
185	goto err;
186	if (seed2 && !EVP_DigestSignUpdate(ctx, seed2, seed2_len))
187	goto err;
188	if (seed3 && !EVP_DigestSignUpdate(ctx, seed3, seed3_len))
189	goto err;
190	if (seed4 && !EVP_DigestSignUpdate(ctx, seed4, seed4_len))
191	goto err;
192	if (seed5 && !EVP_DigestSignUpdate(ctx, seed5, seed5_len))
193	goto err;
194	if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
195	goto err;
196
197	for (;;) {
198	if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key))
199	goto err;
200	if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
201	goto err;
202	if (seed1 && !EVP_DigestSignUpdate(ctx, seed1, seed1_len))
203	goto err;
204	if (seed2 && !EVP_DigestSignUpdate(ctx, seed2, seed2_len))
205	goto err;
206	if (seed3 && !EVP_DigestSignUpdate(ctx, seed3, seed3_len))
207	goto err;
208	if (seed4 && !EVP_DigestSignUpdate(ctx, seed4, seed4_len))
209	goto err;
210	if (seed5 && !EVP_DigestSignUpdate(ctx, seed5, seed5_len))
211	goto err;
212	if (!EVP_DigestSignFinal(ctx, hmac, &hmac_len))
213	goto err;
214
215	if (hmac_len > out_len)
216	hmac_len = out_len;
217
218	for (i = 0; i < hmac_len; i++)
219	out[i] ^= hmac[i];
220
221	out += hmac_len;
222	out_len -= hmac_len;
223
224	if (out_len == 0)
225	break;
226
227	if (!EVP_DigestSignInit(ctx, NULL, md, NULL, mac_key))
228	goto err;
229	if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
230	goto err;
231	if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
232	goto err;
233	}
234	ret = 1;
235
236	err:
237	EVP_PKEY_free(mac_key);
238	EVP_MD_CTX_free(ctx);
239
240	explicit_bzero(A1, sizeof(A1));
241	explicit_bzero(hmac, sizeof(hmac));
242
243	return ret;
244	}
245
246	int
247	tls1_PRF(SSL s, const unsigned char secret, size_t secret_len,
248	const void seed1, size_t seed1_len, const void seed2, size_t seed2_len,
249	const void seed3, size_t seed3_len, const void seed4, size_t seed4_len,
250	const void seed5, size_t seed5_len, unsigned char out, size_t out_len)
251	{
252	const EVP_MD *md;
253	size_t half_len;
254
255	memset(out, 0, out_len);
256
257	if (!ssl_get_handshake_evp_md(s, &md))
258	return (0);
259
260	if (EVP_MD_type(md) == NID_md5_sha1) {
261	/*
262	* Partition secret between MD5 and SHA1, then XOR result.
263	* If the secret length is odd, a one byte overlap is used.
264	*/
265	half_len = secret_len - (secret_len / 2);
266	if (!tls1_P_hash(EVP_md5(), secret, half_len, seed1, seed1_len,
267	seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
268	seed5, seed5_len, out, out_len))
269	return (0);
270
271	secret += secret_len - half_len;
272	if (!tls1_P_hash(EVP_sha1(), secret, half_len, seed1, seed1_len,
273	seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
274	seed5, seed5_len, out, out_len))
275	return (0);
276
277	return (1);
278	}
279
280	if (!tls1_P_hash(md, secret, secret_len, seed1, seed1_len,
281	seed2, seed2_len, seed3, seed3_len, seed4, seed4_len,
282	seed5, seed5_len, out, out_len))
283	return (0);
284
285	return (1);
286	}
287
288	int
289	tls1_generate_key_block(SSL s, uint8_t key_block, size_t key_block_len)
290	{
291	return tls1_PRF(s,
292	s->session->master_key, s->session->master_key_length,
293	TLS_MD_KEY_EXPANSION_CONST, TLS_MD_KEY_EXPANSION_CONST_SIZE,
294	s->s3->server_random, SSL3_RANDOM_SIZE,
295	s->s3->client_random, SSL3_RANDOM_SIZE,
296	NULL, 0, NULL, 0, key_block, key_block_len);
297	}
298
299	static int
300	tls1_change_cipher_state(SSL *s, int is_write)
301	{
302	CBS mac_key, key, iv;
303
304	/* Use client write keys on client write and server read. */
305	if ((!s->server && is_write) \|\| (s->server && !is_write)) {
306	tls12_key_block_client_write(s->s3->hs.tls12.key_block,
307	&mac_key, &key, &iv);
308	} else {
309	tls12_key_block_server_write(s->s3->hs.tls12.key_block,
310	&mac_key, &key, &iv);
311	}
312
313	if (!is_write) {
314	if (!tls12_record_layer_change_read_cipher_state(s->rl,
315	&mac_key, &key, &iv))
316	goto err;
317	if (SSL_is_dtls(s))
318	dtls1_reset_read_seq_numbers(s);
319	} else {
320	if (!tls12_record_layer_change_write_cipher_state(s->rl,
321	&mac_key, &key, &iv))
322	goto err;
323	}
324	return (1);
325
326	err:
327	return (0);
328	}
329
330	int
331	tls1_change_read_cipher_state(SSL *s)
332	{
333	return tls1_change_cipher_state(s, 0);
334	}
335
336	int
337	tls1_change_write_cipher_state(SSL *s)
338	{
339	return tls1_change_cipher_state(s, 1);
340	}
341
342	int
343	tls1_setup_key_block(SSL *s)
344	{
345	struct tls12_key_block *key_block;
346	int mac_type = NID_undef, mac_secret_size = 0;
347	const EVP_CIPHER *cipher = NULL;
348	const EVP_AEAD *aead = NULL;
349	const EVP_MD *handshake_hash = NULL;
350	const EVP_MD *mac_hash = NULL;
351	int ret = 0;
352
353	/*
354	* XXX - callers should be changed so that they only call this
355	* function once.
356	*/
357	if (s->s3->hs.tls12.key_block != NULL)
358	return (1);
359
360	if (s->s3->hs.cipher == NULL)
361	return (0);
362
363	if ((s->s3->hs.cipher->algorithm_mac & SSL_AEAD) != 0) {
364	if (!ssl_cipher_get_evp_aead(s, &aead)) {
365	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
366	return (0);
367	}
368	} else {
369	/* XXX - mac_type and mac_secret_size are now unused. */
370	if (!ssl_cipher_get_evp(s, &cipher, &mac_hash,
371	&mac_type, &mac_secret_size)) {
372	SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
373	return (0);
374	}
375	}
376
377	if (!ssl_get_handshake_evp_md(s, &handshake_hash))
378	return (0);
379
380	tls12_record_layer_set_aead(s->rl, aead);
381	tls12_record_layer_set_cipher_hash(s->rl, cipher,
382	handshake_hash, mac_hash);
383
384	if ((key_block = tls12_key_block_new()) == NULL)
385	goto err;
386	if (!tls12_key_block_generate(key_block, s, aead, cipher, mac_hash))
387	goto err;
388
389	s->s3->hs.tls12.key_block = key_block;
390	key_block = NULL;
391
392	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) &&
393	s->method->version <= TLS1_VERSION) {
394	/*
395	* Enable vulnerability countermeasure for CBC ciphers with
396	* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
397	*/
398	s->s3->need_empty_fragments = 1;
399
400	if (s->s3->hs.cipher != NULL) {
401	if (s->s3->hs.cipher->algorithm_enc == SSL_eNULL)
402	s->s3->need_empty_fragments = 0;
403
404	#ifndef OPENSSL_NO_RC4
405	if (s->s3->hs.cipher->algorithm_enc == SSL_RC4)
406	s->s3->need_empty_fragments = 0;
407	#endif
408	}
409	}
410
411	ret = 1;
412
413	err:
414	tls12_key_block_free(key_block);
415
416	return (ret);
417	}