Diffstat (limited to 'src/lib/libssl/t1_enc.c')
-rw-r--r--src/lib/libssl/t1_enc.c80
1 files changed, 18 insertions, 62 deletions
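--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -115,6 +115,7 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
+#include <openssl/fips.h>
 
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 			int sec_len, unsigned char *seed, int seed_len,
@@ -131,6 +132,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 
 	HMAC_CTX_init(&ctx);
 	HMAC_CTX_init(&ctx_tmp);
+	HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+	HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 	HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
 	HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
 	HMAC_Update(&ctx,seed,seed_len);
@@ -177,7 +180,6 @@ static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
 	S2= &(sec[len]);
 	len+=(slen&1); /* add for odd, make longer */
 
-
 	tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
 	tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
 
@@ -231,9 +233,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 	int client_write;
 	EVP_CIPHER_CTX *dd;
 	const EVP_CIPHER *c;
-#ifndef OPENSSL_NO_COMP
 	const SSL_COMP *comp;
-#endif
 	const EVP_MD *m;
 	int is_export,n,i,j,k,exp_label_len,cl;
 	int reuse_dd = 0;
@@ -241,9 +241,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
 	c=s->s3->tmp.new_sym_enc;
 	m=s->s3->tmp.new_hash;
-#ifndef OPENSSL_NO_COMP
 	comp=s->s3->tmp.new_compression;
-#endif
 	key_block=s->s3->tmp.key_block;
 
 #ifdef KSSL_DEBUG
@@ -267,12 +265,8 @@ int tls1_change_cipher_state(SSL *s, int which)
 		reuse_dd = 1;
 	else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
 		goto err;
-	else
-		/* make sure it's intialized in case we exit later with an error */
-		EVP_CIPHER_CTX_init(s->enc_read_ctx);
 	dd= s->enc_read_ctx;
 	s->read_hash=m;
-#ifndef OPENSSL_NO_COMP
 	if (s->expand != NULL)
 		{
 		COMP_CTX_free(s->expand);
@@ -292,10 +286,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 		if (s->s3->rrec.comp == NULL)
 			goto err;
 		}
-#endif
-	/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
-	if (s->version != DTLS1_VERSION)
-		memset(&(s->s3->read_sequence[0]),0,8);
+	memset(&(s->s3->read_sequence[0]),0,8);
 	mac_secret= &(s->s3->read_mac_secret[0]);
 	}
 	else
@@ -304,12 +295,12 @@ int tls1_change_cipher_state(SSL *s, int which)
 		reuse_dd = 1;
 	else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
 		goto err;
-	else
-		/* make sure it's intialized in case we exit later with an error */
-		EVP_CIPHER_CTX_init(s->enc_write_ctx);
+	if ((s->enc_write_ctx == NULL) &&
+		((s->enc_write_ctx=(EVP_CIPHER_CTX *)
+		OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+		goto err;
 	dd= s->enc_write_ctx;
 	s->write_hash=m;
-#ifndef OPENSSL_NO_COMP
 	if (s->compress != NULL)
 		{
 		COMP_CTX_free(s->compress);
@@ -324,15 +315,13 @@ int tls1_change_cipher_state(SSL *s, int which)
 			goto err2;
 			}
 		}
-#endif
-	/* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
-	if (s->version != DTLS1_VERSION)
-		memset(&(s->s3->write_sequence[0]),0,8);
+	memset(&(s->s3->write_sequence[0]),0,8);
 	mac_secret= &(s->s3->write_mac_secret[0]);
 	}
 
 	if (reuse_dd)
 		EVP_CIPHER_CTX_cleanup(dd);
+	EVP_CIPHER_CTX_init(dd);
 
 	p=s->s3->tmp.key_block;
 	i=EVP_MD_size(m);
@@ -514,7 +503,7 @@ printf("\nkey block\n");
 #endif
 		}
 	}
 
 	return(1);
 err:
 	SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
@@ -629,15 +618,7 @@ int tls1_enc(SSL *s, int send)
 			{
 			ii=i=rec->data[l-1]; /* padding_length */
 			i++;
-			/* NB: if compression is in operation the first packet
-			 * may not be of even length so the padding bug check
-			 * cannot be performed. This bug workaround has been
-			 * around since SSLeay so hopefully it is either fixed
-			 * now or no buggy implementation supports compression
-			 * [steve]
-			 */
-			if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
-				&& !s->expand)
+			if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
 				{
 				/* First packet is even in size, so check */
 				if ((memcmp(s->s3->read_sequence,
@@ -738,35 +719,15 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	md_size=EVP_MD_size(hash);
 
 	buf[0]=rec->type;
-	if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
-		{
-		buf[1]=TLS1_VERSION_MAJOR;
-		buf[2]=TLS1_VERSION_MINOR;
-		}
-	else {
-		buf[1]=(unsigned char)(ssl->version>>8);
-		buf[2]=(unsigned char)(ssl->version);
-		}
-
+	buf[1]=TLS1_VERSION_MAJOR;
+	buf[2]=TLS1_VERSION_MINOR;
 	buf[3]=rec->length>>8;
 	buf[4]=rec->length&0xff;
 
 	/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
 	HMAC_CTX_init(&hmac);
 	HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
-
-	if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
-		{
-		unsigned char dtlsseq[8],*p=dtlsseq;
-
-		s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
-		memcpy (p,&seq[2],6);
-
-		HMAC_Update(&hmac,dtlsseq,8);
-		}
-	else
-		HMAC_Update(&hmac,seq,8);
-
+	HMAC_Update(&hmac,seq,8);
 	HMAC_Update(&hmac,buf,5);
 	HMAC_Update(&hmac,rec->input,rec->length);
 	HMAC_Final(&hmac,md,&md_size);
@@ -783,13 +744,10 @@ printf("rec=");
 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
 #endif
 
-	if ( SSL_version(ssl) != DTLS1_VERSION)
-		{
-		for (i=7; i>=0; i--)
-			{
-			++seq[i];
-			if (seq[i] != 0) break;
-			}
-		}
+	for (i=7; i>=0; i--)
+		{
+		++seq[i];
+		if (seq[i] != 0) break;
+		}
 
 #ifdef TLS_DEBUG
@@ -852,8 +810,6 @@ int tls1_alert_code(int code)
 	case SSL_AD_INTERNAL_ERROR:	return(TLS1_AD_INTERNAL_ERROR);
 	case SSL_AD_USER_CANCELLED:	return(TLS1_AD_USER_CANCELLED);
 	case SSL_AD_NO_RENEGOTIATION:	return(TLS1_AD_NO_RENEGOTIATION);
-	case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
-		(DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
 	default:			return(-1);
 	}
 }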
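Review bot: On the new side of tls1_change_cipher_state a freshly OPENSSL_malloc'd s->enc_read_ctx / s->enc_write_ctx is no longer EVP_CIPHER_CTX_init'ed at the allocation site; the single `EVP_CIPHER_CTX_init(dd);` now runs only after the compression setup, and that setup can `goto err` (new line 287) or `goto err2` (new line 315) first, which is exactly the hazard the dropped comment "make sure it's intialized in case we exit later with an error" guarded against. On those error paths the SSL object keeps a pointer to an uninitialized EVP_CIPHER_CTX, so whatever later cleans the contexts up (SSL_free is outside this diff, so I cannot confirm its behaviour) would act on garbage cipher-data and engine pointers. Keep the init adjacent to the allocation, e.g. `else EVP_CIPHER_CTX_init(s->enc_read_ctx);` and the same for the write side, or move `EVP_CIPHER_CTX_init(dd);` above the compression blocks. Separately, the added `if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(...)) == NULL)) goto err;` at new lines 298-301 can never take its branch, because the preceding else-if has already either allocated the context or jumped to err, so it is dead code and an asymmetry with the read path. tls1_change_cipher_state starts and ends outside the hunks shown.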