1 files changed, 62 insertions, 18 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 2c6246abf5..ed5a4a7255 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -115,7 +115,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
-#include <openssl/fips.h>
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                        int sec_len, unsigned char *seed, int seed_len,
@@ -132,8 +131,6 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
        HMAC_CTX_init(&ctx);
        HMAC_CTX_init(&ctx_tmp);
-        HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-        HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
        HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
        HMAC_Update(&ctx,seed,seed_len);
@@ -180,6 +177,7 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
        S2= &(sec[len]);
        len+=(slen&1); /* add for odd, make longer */
+        
        tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
        tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
@@ -233,7 +231,9 @@ int tls1_change_cipher_state(SSL *s, int which)
        int client_write;
        EVP_CIPHER_CTX *dd;
        const EVP_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
        const SSL_COMP *comp;
+#endif
        const EVP_MD *m;
        int is_export,n,i,j,k,exp_label_len,cl;
        int reuse_dd = 0;
@@ -241,7 +241,9 @@ int tls1_change_cipher_state(SSL *s, int which)
        is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
        c=s->s3->tmp.new_sym_enc;
        m=s->s3->tmp.new_hash;
+#ifndef OPENSSL_NO_COMP
        comp=s->s3->tmp.new_compression;
+#endif
        key_block=s->s3->tmp.key_block;
 #ifdef KSSL_DEBUG
@@ -265,8 +267,12 @@ int tls1_change_cipher_state(SSL *s, int which)
                        reuse_dd = 1;
                else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
                        goto err;
+                else
+                        /* make sure it's intialized in case we exit later with an error */
+                        EVP_CIPHER_CTX_init(s->enc_read_ctx);
                dd= s->enc_read_ctx;
                s->read_hash=m;
+#ifndef OPENSSL_NO_COMP
                if (s->expand != NULL)
                        {
                        COMP_CTX_free(s->expand);
@@ -286,7 +292,10 @@ int tls1_change_cipher_state(SSL *s, int which)
                        if (s->s3->rrec.comp == NULL)
                                goto err;
                        }
-                memset(&(s->s3->read_sequence[0]),0,8);
+#endif
+                /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
+                if (s->version != DTLS1_VERSION)
+                        memset(&(s->s3->read_sequence[0]),0,8);
                mac_secret= &(s->s3->read_mac_secret[0]);
                }
        else
@@ -295,12 +304,12 @@ int tls1_change_cipher_state(SSL *s, int which)
                        reuse_dd = 1;
                else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
                        goto err;
-                if ((s->enc_write_ctx == NULL) &&
+                else
-                        ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
+                        /* make sure it's intialized in case we exit later with an error */
-                        OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+                        EVP_CIPHER_CTX_init(s->enc_write_ctx);
-                        goto err;
                dd= s->enc_write_ctx;
                s->write_hash=m;
+#ifndef OPENSSL_NO_COMP
                if (s->compress != NULL)
                        {
                        COMP_CTX_free(s->compress);
@@ -315,13 +324,15 @@ int tls1_change_cipher_state(SSL *s, int which)
                                goto err2;
                                }
                        }
-                memset(&(s->s3->write_sequence[0]),0,8);
+#endif
+                /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
+                if (s->version != DTLS1_VERSION)
+                        memset(&(s->s3->write_sequence[0]),0,8);
                mac_secret= &(s->s3->write_mac_secret[0]);
                }
        if (reuse_dd)
                EVP_CIPHER_CTX_cleanup(dd);
-        EVP_CIPHER_CTX_init(dd);
        p=s->s3->tmp.key_block;
        i=EVP_MD_size(m);
@@ -503,7 +514,7 @@ printf("\nkey block\n");
 #endif
                        }
                }
+                
        return(1);
 err:
        SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
@@ -618,7 +629,15 @@ int tls1_enc(SSL *s, int send)
                        {
                        ii=i=rec->data[l-1]; /* padding_length */
                        i++;
-                        if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
+                        /* NB: if compression is in operation the first packet
+                         * may not be of even length so the padding bug check
+                         * cannot be performed. This bug workaround has been
+                         * around since SSLeay so hopefully it is either fixed
+                         * now or no buggy implementation supports compression 
+                         * [steve]
+                         */
+                        if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
+                                && !s->expand)
                                {
                                /* First packet is even in size, so check */
                                if ((memcmp(s->s3->read_sequence,
@@ -719,15 +738,35 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
        md_size=EVP_MD_size(hash);
        buf[0]=rec->type;
-        buf[1]=TLS1_VERSION_MAJOR;
+        if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
-        buf[2]=TLS1_VERSION_MINOR;
+                {
+                buf[1]=TLS1_VERSION_MAJOR;
+                buf[2]=TLS1_VERSION_MINOR;
+                }
+        else    {
+                buf[1]=(unsigned char)(ssl->version>>8);
+                buf[2]=(unsigned char)(ssl->version);
+                }
        buf[3]=rec->length>>8;
        buf[4]=rec->length&0xff;
        /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
        HMAC_CTX_init(&hmac);
        HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
-        HMAC_Update(&hmac,seq,8);
+        if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
+                {
+                unsigned char dtlsseq[8],*p=dtlsseq;
+                s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
+                memcpy (p,&seq[2],6);
+                HMAC_Update(&hmac,dtlsseq,8);
+                }
+        else
+                HMAC_Update(&hmac,seq,8);
        HMAC_Update(&hmac,buf,5);
        HMAC_Update(&hmac,rec->input,rec->length);
        HMAC_Final(&hmac,md,&md_size);
@@ -744,10 +783,13 @@ printf("rec=");
 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
 #endif
-        for (i=7; i>=0; i--)
+        if ( SSL_version(ssl) != DTLS1_VERSION)
                {
-                ++seq[i];
+                for (i=7; i>=0; i--)
-                if (seq[i] != 0) break; 
+                        {
+                        ++seq[i];
+                        if (seq[i] != 0) break; 
+                        }
                }
 #ifdef TLS_DEBUG
@@ -810,6 +852,8 @@ int tls1_alert_code(int code)
        case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
        case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
        case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
+        case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 
+                                          (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
        default:                        return(-1);
                }
        }

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 2c6246abf5..ed5a4a7255 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -115,7 +115,6 @@
115	#include <openssl/evp.h>	115	#include <openssl/evp.h>
116	#include <openssl/hmac.h>	116	#include <openssl/hmac.h>
117	#include <openssl/md5.h>	117	#include <openssl/md5.h>
118	#include <openssl/fips.h>
119		118
120	static void tls1_P_hash(const EVP_MD md, const unsigned char sec,	119	static void tls1_P_hash(const EVP_MD md, const unsigned char sec,
121	int sec_len, unsigned char *seed, int seed_len,	120	int sec_len, unsigned char *seed, int seed_len,
@@ -132,8 +131,6 @@ static void tls1_P_hash(const EVP_MD md, const unsigned char sec,
132		131
133	HMAC_CTX_init(&ctx);	132	HMAC_CTX_init(&ctx);
134	HMAC_CTX_init(&ctx_tmp);	133	HMAC_CTX_init(&ctx_tmp);
135	HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
136	HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
137	HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);	134	HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
138	HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);	135	HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
139	HMAC_Update(&ctx,seed,seed_len);	136	HMAC_Update(&ctx,seed,seed_len);
@@ -180,6 +177,7 @@ static void tls1_PRF(const EVP_MD md5, const EVP_MD sha1,
180	S2= &(sec[len]);	177	S2= &(sec[len]);
181	len+=(slen&1); /* add for odd, make longer */	178	len+=(slen&1); /* add for odd, make longer */
182		179
		180
183	tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);	181	tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
184	tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);	182	tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
185		183
@@ -233,7 +231,9 @@ int tls1_change_cipher_state(SSL *s, int which)
233	int client_write;	231	int client_write;
234	EVP_CIPHER_CTX *dd;	232	EVP_CIPHER_CTX *dd;
235	const EVP_CIPHER *c;	233	const EVP_CIPHER *c;
		234	#ifndef OPENSSL_NO_COMP
236	const SSL_COMP *comp;	235	const SSL_COMP *comp;
		236	#endif
237	const EVP_MD *m;	237	const EVP_MD *m;
238	int is_export,n,i,j,k,exp_label_len,cl;	238	int is_export,n,i,j,k,exp_label_len,cl;
239	int reuse_dd = 0;	239	int reuse_dd = 0;
@@ -241,7 +241,9 @@ int tls1_change_cipher_state(SSL *s, int which)
241	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);	241	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
242	c=s->s3->tmp.new_sym_enc;	242	c=s->s3->tmp.new_sym_enc;
243	m=s->s3->tmp.new_hash;	243	m=s->s3->tmp.new_hash;
		244	#ifndef OPENSSL_NO_COMP
244	comp=s->s3->tmp.new_compression;	245	comp=s->s3->tmp.new_compression;
		246	#endif
245	key_block=s->s3->tmp.key_block;	247	key_block=s->s3->tmp.key_block;
246		248
247	#ifdef KSSL_DEBUG	249	#ifdef KSSL_DEBUG
@@ -265,8 +267,12 @@ int tls1_change_cipher_state(SSL *s, int which)
265	reuse_dd = 1;	267	reuse_dd = 1;
266	else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)	268	else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
267	goto err;	269	goto err;
		270	else
		271	/* make sure it's intialized in case we exit later with an error */
		272	EVP_CIPHER_CTX_init(s->enc_read_ctx);
268	dd= s->enc_read_ctx;	273	dd= s->enc_read_ctx;
269	s->read_hash=m;	274	s->read_hash=m;
		275	#ifndef OPENSSL_NO_COMP
270	if (s->expand != NULL)	276	if (s->expand != NULL)
271	{	277	{
272	COMP_CTX_free(s->expand);	278	COMP_CTX_free(s->expand);
@@ -286,7 +292,10 @@ int tls1_change_cipher_state(SSL *s, int which)
286	if (s->s3->rrec.comp == NULL)	292	if (s->s3->rrec.comp == NULL)
287	goto err;	293	goto err;
288	}	294	}
289	memset(&(s->s3->read_sequence[0]),0,8);	295	#endif
		296	/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
		297	if (s->version != DTLS1_VERSION)
		298	memset(&(s->s3->read_sequence[0]),0,8);
290	mac_secret= &(s->s3->read_mac_secret[0]);	299	mac_secret= &(s->s3->read_mac_secret[0]);
291	}	300	}
292	else	301	else
@@ -295,12 +304,12 @@ int tls1_change_cipher_state(SSL *s, int which)
295	reuse_dd = 1;	304	reuse_dd = 1;
296	else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)	305	else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
297	goto err;	306	goto err;
298	if ((s->enc_write_ctx == NULL) &&	307	else
299	((s->enc_write_ctx=(EVP_CIPHER_CTX *)	308	/* make sure it's intialized in case we exit later with an error */
300	OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))	309	EVP_CIPHER_CTX_init(s->enc_write_ctx);
301	goto err;
302	dd= s->enc_write_ctx;	310	dd= s->enc_write_ctx;
303	s->write_hash=m;	311	s->write_hash=m;
		312	#ifndef OPENSSL_NO_COMP
304	if (s->compress != NULL)	313	if (s->compress != NULL)
305	{	314	{
306	COMP_CTX_free(s->compress);	315	COMP_CTX_free(s->compress);
@@ -315,13 +324,15 @@ int tls1_change_cipher_state(SSL *s, int which)
315	goto err2;	324	goto err2;
316	}	325	}
317	}	326	}
318	memset(&(s->s3->write_sequence[0]),0,8);	327	#endif
		328	/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
		329	if (s->version != DTLS1_VERSION)
		330	memset(&(s->s3->write_sequence[0]),0,8);
319	mac_secret= &(s->s3->write_mac_secret[0]);	331	mac_secret= &(s->s3->write_mac_secret[0]);
320	}	332	}
321		333
322	if (reuse_dd)	334	if (reuse_dd)
323	EVP_CIPHER_CTX_cleanup(dd);	335	EVP_CIPHER_CTX_cleanup(dd);
324	EVP_CIPHER_CTX_init(dd);
325		336
326	p=s->s3->tmp.key_block;	337	p=s->s3->tmp.key_block;
327	i=EVP_MD_size(m);	338	i=EVP_MD_size(m);
@@ -503,7 +514,7 @@ printf("\nkey block\n");
503	#endif	514	#endif
504	}	515	}
505	}	516	}
506		517
507	return(1);	518	return(1);
508	err:	519	err:
509	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);	520	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
@@ -618,7 +629,15 @@ int tls1_enc(SSL *s, int send)
618	{	629	{
619	ii=i=rec->data[l-1]; /* padding_length */	630	ii=i=rec->data[l-1]; /* padding_length */
620	i++;	631	i++;
621	if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)	632	/* NB: if compression is in operation the first packet
		633	* may not be of even length so the padding bug check
		634	* cannot be performed. This bug workaround has been
		635	* around since SSLeay so hopefully it is either fixed
		636	* now or no buggy implementation supports compression
		637	* [steve]
		638	*/
		639	if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
		640	&& !s->expand)
622	{	641	{
623	/* First packet is even in size, so check */	642	/* First packet is even in size, so check */
624	if ((memcmp(s->s3->read_sequence,	643	if ((memcmp(s->s3->read_sequence,
@@ -719,15 +738,35 @@ int tls1_mac(SSL ssl, unsigned char md, int send)
719	md_size=EVP_MD_size(hash);	738	md_size=EVP_MD_size(hash);
720		739
721	buf[0]=rec->type;	740	buf[0]=rec->type;
722	buf[1]=TLS1_VERSION_MAJOR;	741	if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
723	buf[2]=TLS1_VERSION_MINOR;	742	{
		743	buf[1]=TLS1_VERSION_MAJOR;
		744	buf[2]=TLS1_VERSION_MINOR;
		745	}
		746	else {
		747	buf[1]=(unsigned char)(ssl->version>>8);
		748	buf[2]=(unsigned char)(ssl->version);
		749	}
		750
724	buf[3]=rec->length>>8;	751	buf[3]=rec->length>>8;
725	buf[4]=rec->length&0xff;	752	buf[4]=rec->length&0xff;
726		753
727	/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */	754	/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
728	HMAC_CTX_init(&hmac);	755	HMAC_CTX_init(&hmac);
729	HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);	756	HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
730	HMAC_Update(&hmac,seq,8);	757
		758	if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
		759	{
		760	unsigned char dtlsseq[8],*p=dtlsseq;
		761
		762	s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
		763	memcpy (p,&seq[2],6);
		764
		765	HMAC_Update(&hmac,dtlsseq,8);
		766	}
		767	else
		768	HMAC_Update(&hmac,seq,8);
		769
731	HMAC_Update(&hmac,buf,5);	770	HMAC_Update(&hmac,buf,5);
732	HMAC_Update(&hmac,rec->input,rec->length);	771	HMAC_Update(&hmac,rec->input,rec->length);
733	HMAC_Final(&hmac,md,&md_size);	772	HMAC_Final(&hmac,md,&md_size);
@@ -744,10 +783,13 @@ printf("rec=");
744	{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }	783	{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
745	#endif	784	#endif
746		785
747	for (i=7; i>=0; i--)	786	if ( SSL_version(ssl) != DTLS1_VERSION)
748	{	787	{
749	++seq[i];	788	for (i=7; i>=0; i--)
750	if (seq[i] != 0) break;	789	{
		790	++seq[i];
		791	if (seq[i] != 0) break;
		792	}
751	}	793	}
752		794
753	#ifdef TLS_DEBUG	795	#ifdef TLS_DEBUG
@@ -810,6 +852,8 @@ int tls1_alert_code(int code)
810	case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);	852	case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
811	case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);	853	case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
812	case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);	854	case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
		855	case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
		856	(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
813	default: return(-1);	857	default: return(-1);
814	}	858	}
815	}	859	}