1 files changed, 5 insertions, 334 deletions
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index a66c82bdca..7a71a08434 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.123 2020/08/30 15:40:20 jsing Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.124 2020/10/03 17:35:16 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -440,6 +440,10 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
                if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl,
                    cipher_ctx, mac_ctx, stream_mac))
                        goto err;
+                if (!tls12_record_layer_set_read_mac_key(s->internal->rl,
+                    S3I(s)->read_mac_secret, mac_secret_size))
+                        goto err;
        } else {
                if (stream_mac)
                        s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
@@ -672,260 +676,6 @@ tls1_setup_key_block(SSL *s)
        return (ret);
 }
-/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
- *
- * Returns:
- *   0: (in non-constant time) if the record is publically invalid (i.e. too
- *       short etc).
- *   1: if the record's padding is valid / the encryption was successful.
- *   -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
- *       an internal error occured.
- */
-int
-tls1_enc(SSL *s, int send)
-{
-        const SSL_AEAD_CTX *aead;
-        const EVP_CIPHER *enc;
-        EVP_CIPHER_CTX *ds;
-        SSL3_RECORD_INTERNAL *rec;
-        unsigned char *seq;
-        unsigned long l;
-        int bs, i, j, k, ret, mac_size = 0;
-        if (send) {
-                /* No longer supported. */
-                return -1;
-        } else {
-                aead = s->internal->aead_read_ctx;
-                rec = &S3I(s)->rrec;
-                seq = S3I(s)->read_sequence;
-        }
-        if (aead) {
-                unsigned char ad[13], *in, *out, nonce[16];
-                size_t out_len, pad_len = 0;
-                unsigned int nonce_used;
-                if (SSL_IS_DTLS(s)) {
-                        dtls1_build_sequence_number(ad, seq,
-                            send ? D1I(s)->w_epoch : D1I(s)->r_epoch);
-                } else {
-                        memcpy(ad, seq, SSL3_SEQUENCE_SIZE);
-                        tls1_record_sequence_increment(seq);
-                }
-                ad[8] = rec->type;
-                ad[9] = (unsigned char)(s->version >> 8);
-                ad[10] = (unsigned char)(s->version);
-                if (aead->variable_nonce_len > 8 ||
-                    aead->variable_nonce_len > sizeof(nonce))
-                        return -1;
-                if (aead->xor_fixed_nonce) {
-                        if (aead->fixed_nonce_len > sizeof(nonce) ||
-                            aead->variable_nonce_len > aead->fixed_nonce_len)
-                                return -1;  /* Should never happen. */
-                        pad_len = aead->fixed_nonce_len - aead->variable_nonce_len;
-                } else {
-                        if (aead->fixed_nonce_len +
-                            aead->variable_nonce_len > sizeof(nonce))
-                                return -1;  /* Should never happen. */
-                }
-                if (send) {
-                        size_t len = rec->length;
-                        size_t eivlen = 0;
-                        in = rec->input;
-                        out = rec->data;
-                        if (aead->xor_fixed_nonce) {
-                                /*
-                                 * The sequence number is left zero
-                                 * padded, then xored with the fixed
-                                 * nonce.
-                                 */
-                                memset(nonce, 0, pad_len);
-                                memcpy(nonce + pad_len, ad,
-                                    aead->variable_nonce_len);
-                                for (i = 0; i < aead->fixed_nonce_len; i++)
-                                        nonce[i] ^= aead->fixed_nonce[i];
-                                nonce_used = aead->fixed_nonce_len;
-                        } else {
-                                /*
-                                 * When sending we use the sequence number as
-                                 * the variable part of the nonce.
-                                 */
-                                memcpy(nonce, aead->fixed_nonce,
-                                    aead->fixed_nonce_len);
-                                nonce_used = aead->fixed_nonce_len;
-                                memcpy(nonce + nonce_used, ad,
-                                    aead->variable_nonce_len);
-                                nonce_used += aead->variable_nonce_len;
-                        }
-                        /*
-                         * In do_ssl3_write, rec->input is moved forward by
-                         * variable_nonce_len in order to leave space for the
-                         * variable nonce. Thus we can copy the sequence number
-                         * bytes into place without overwriting any of the
-                         * plaintext.
-                         */
-                        if (aead->variable_nonce_in_record) {
-                                memcpy(out, ad, aead->variable_nonce_len);
-                                len -= aead->variable_nonce_len;
-                                eivlen = aead->variable_nonce_len;
-                        }
-                        ad[11] = len >> 8;
-                        ad[12] = len & 0xff;
-                        if (!EVP_AEAD_CTX_seal(&aead->ctx,
-                            out + eivlen, &out_len, len + aead->tag_len, nonce,
-                            nonce_used, in + eivlen, len, ad, sizeof(ad)))
-                                return -1;
-                        if (aead->variable_nonce_in_record)
-                                out_len += aead->variable_nonce_len;
-                } else {
-                        /* receive */
-                        size_t len = rec->length;
-                        if (rec->data != rec->input)
-                                return -1;  /* internal error - should never happen. */
-                        out = in = rec->input;
-                        if (len < aead->variable_nonce_len)
-                                return 0;
-                        if (aead->xor_fixed_nonce) {
-                                /*
-                                 * The sequence number is left zero
-                                 * padded, then xored with the fixed
-                                 * nonce.
-                                 */
-                                memset(nonce, 0, pad_len);
-                                memcpy(nonce + pad_len, ad,
-                                    aead->variable_nonce_len);
-                                for (i = 0; i < aead->fixed_nonce_len; i++)
-                                        nonce[i] ^= aead->fixed_nonce[i];
-                                nonce_used = aead->fixed_nonce_len;
-                        } else {
-                                memcpy(nonce, aead->fixed_nonce,
-                                    aead->fixed_nonce_len);
-                                nonce_used = aead->fixed_nonce_len;
-                                memcpy(nonce + nonce_used,
-                                    aead->variable_nonce_in_record ? in : ad,
-                                    aead->variable_nonce_len);
-                                nonce_used += aead->variable_nonce_len;
-                        }
-                        if (aead->variable_nonce_in_record) {
-                                in += aead->variable_nonce_len;
-                                len -= aead->variable_nonce_len;
-                                out += aead->variable_nonce_len;
-                        }
-                        if (len < aead->tag_len)
-                                return 0;
-                        len -= aead->tag_len;
-                        ad[11] = len >> 8;
-                        ad[12] = len & 0xff;
-                        if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len,
-                            nonce, nonce_used, in, len + aead->tag_len, ad,
-                            sizeof(ad)))
-                                return -1;
-                        rec->data = rec->input = out;
-                }
-                rec->length = out_len;
-                return 1;
-        }
-        if (send) {
-                if (EVP_MD_CTX_md(s->internal->write_hash)) {
-                        int n = EVP_MD_CTX_size(s->internal->write_hash);
-                        OPENSSL_assert(n >= 0);
-                }
-                ds = s->internal->enc_write_ctx;
-                if (s->internal->enc_write_ctx == NULL)
-                        enc = NULL;
-                else {
-                        int ivlen = 0;
-                        enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx);
-                        if (SSL_USE_EXPLICIT_IV(s) &&
-                            EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
-                                ivlen = EVP_CIPHER_iv_length(enc);
-                        if (ivlen > 1) {
-                                if (rec->data != rec->input) {
-#ifdef DEBUG
-                                        /* we can't write into the input stream:
-                                         * Can this ever happen?? (steve)
-                                         */
-                                        fprintf(stderr,
-                                            "%s:%d: rec->data != rec->input\n",
-                                            __FILE__, __LINE__);
-#endif
-                                } else
-                                        arc4random_buf(rec->input, ivlen);
-                        }
-                }
-        } else {
-                if (EVP_MD_CTX_md(s->read_hash)) {
-                        int n = EVP_MD_CTX_size(s->read_hash);
-                        OPENSSL_assert(n >= 0);
-                }
-                ds = s->enc_read_ctx;
-                if (s->enc_read_ctx == NULL)
-                        enc = NULL;
-                else
-                        enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
-        }
-        if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
-                memmove(rec->data, rec->input, rec->length);
-                rec->input = rec->data;
-                ret = 1;
-        } else {
-                l = rec->length;
-                bs = EVP_CIPHER_block_size(ds->cipher);
-                if (bs != 1 && send) {
-                        i = bs - ((int)l % bs);
-                        /* Add weird padding of upto 256 bytes */
-                        /* we need to add 'i' padding bytes of value j */
-                        j = i - 1;
-                        for (k = (int)l; k < (int)(l + i); k++)
-                                rec->input[k] = j;
-                        l += i;
-                        rec->length += i;
-                }
-                if (!send) {
-                        if (l == 0 || l % bs != 0)
-                                return 0;
-                }
-                i = EVP_Cipher(ds, rec->data, rec->input, l);
-                if ((EVP_CIPHER_flags(ds->cipher) &
-                    EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))
-                        return -1;      /* AEAD can fail to verify MAC */
-                ret = 1;
-                if (EVP_MD_CTX_md(s->read_hash) != NULL)
-                        mac_size = EVP_MD_CTX_size(s->read_hash);
-                if ((bs != 1) && !send)
-                        ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
-        }
-        return ret;
-}
 int
 tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
 {
@@ -947,85 +697,6 @@ tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out)
 }
 int
-tls1_mac(SSL *ssl, unsigned char *md, int send)
-{
-        SSL3_RECORD_INTERNAL *rec;
-        unsigned char *seq;
-        EVP_MD_CTX *hash;
-        size_t md_size, orig_len;
-        EVP_MD_CTX hmac, *mac_ctx;
-        unsigned char header[13];
-        int stream_mac = (send ?
-            (ssl->internal->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) :
-            (ssl->internal->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
-        int t;
-        if (send) {
-                /* No longer supported. */
-                return -1;
-        } else {
-                rec = &(ssl->s3->internal->rrec);
-                seq = &(ssl->s3->internal->read_sequence[0]);
-                hash = ssl->read_hash;
-        }
-        t = EVP_MD_CTX_size(hash);
-        OPENSSL_assert(t >= 0);
-        md_size = t;
-        /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
-        if (stream_mac) {
-                mac_ctx = hash;
-        } else {
-                if (!EVP_MD_CTX_copy(&hmac, hash))
-                        return -1;
-                mac_ctx = &hmac;
-        }
-        if (SSL_IS_DTLS(ssl))
-                dtls1_build_sequence_number(header, seq,
-                    send ? D1I(ssl)->w_epoch : D1I(ssl)->r_epoch);
-        else
-                memcpy(header, seq, SSL3_SEQUENCE_SIZE);
-        orig_len = rec->length + md_size + rec->padding_length;
-        header[8] = rec->type;
-        header[9] = (unsigned char)(ssl->version >> 8);
-        header[10] = (unsigned char)(ssl->version);
-        header[11] = (rec->length) >> 8;
-        header[12] = (rec->length) & 0xff;
-        if (!send &&
-            EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-            ssl3_cbc_record_digest_supported(mac_ctx)) {
-                /* This is a CBC-encrypted record. We must avoid leaking any
-                 * timing-side channel information about how many blocks of
-                 * data we are hashing because that gives an attacker a
-                 * timing-oracle. */
-                if (!ssl3_cbc_digest_record(mac_ctx,
-                    md, &md_size, header, rec->input,
-                    rec->length + md_size, orig_len,
-                    ssl->s3->internal->read_mac_secret,
-                    ssl->s3->internal->read_mac_secret_size))
-                        return -1;
-        } else {
-                EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
-                EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
-                t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
-                OPENSSL_assert(t > 0);
-        }
-        if (!stream_mac)
-                EVP_MD_CTX_cleanup(&hmac);
-        if (!SSL_IS_DTLS(ssl))
-                tls1_record_sequence_increment(seq);
-        return (md_size);
-}
-int
 tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
    int len)
 {

diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index a66c82bdca..7a71a08434 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: t1_enc.c,v 1.123 2020/08/30 15:40:20 jsing Exp $ */	1	/* $OpenBSD: t1_enc.c,v 1.124 2020/10/03 17:35:16 jsing Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -440,6 +440,10 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read,
440	if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl,	440	if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl,
441	cipher_ctx, mac_ctx, stream_mac))	441	cipher_ctx, mac_ctx, stream_mac))
442	goto err;	442	goto err;
		443
		444	if (!tls12_record_layer_set_read_mac_key(s->internal->rl,
		445	S3I(s)->read_mac_secret, mac_secret_size))
		446	goto err;
443	} else {	447	} else {
444	if (stream_mac)	448	if (stream_mac)
445	s->internal->mac_flags \|= SSL_MAC_FLAG_WRITE_MAC_STREAM;	449	s->internal->mac_flags \|= SSL_MAC_FLAG_WRITE_MAC_STREAM;
@@ -672,260 +676,6 @@ tls1_setup_key_block(SSL *s)
672	return (ret);	676	return (ret);
673	}	677	}
674		678
675	/* tls1_enc encrypts/decrypts the record in \|s->wrec\| / \|s->rrec\|, respectively.
676	*
677	* Returns:
678	* 0: (in non-constant time) if the record is publically invalid (i.e. too
679	* short etc).
680	* 1: if the record's padding is valid / the encryption was successful.
681	* -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682	* an internal error occured.
683	*/
684	int
685	tls1_enc(SSL *s, int send)
686	{
687	const SSL_AEAD_CTX *aead;
688	const EVP_CIPHER *enc;
689	EVP_CIPHER_CTX *ds;
690	SSL3_RECORD_INTERNAL *rec;
691	unsigned char *seq;
692	unsigned long l;
693	int bs, i, j, k, ret, mac_size = 0;
694
695	if (send) {
696	/* No longer supported. */
697	return -1;
698	} else {
699	aead = s->internal->aead_read_ctx;
700	rec = &S3I(s)->rrec;
701	seq = S3I(s)->read_sequence;
702	}
703
704	if (aead) {
705	unsigned char ad[13], in, out, nonce[16];
706	size_t out_len, pad_len = 0;
707	unsigned int nonce_used;
708
709	if (SSL_IS_DTLS(s)) {
710	dtls1_build_sequence_number(ad, seq,
711	send ? D1I(s)->w_epoch : D1I(s)->r_epoch);
712	} else {
713	memcpy(ad, seq, SSL3_SEQUENCE_SIZE);
714	tls1_record_sequence_increment(seq);
715	}
716
717	ad[8] = rec->type;
718	ad[9] = (unsigned char)(s->version >> 8);
719	ad[10] = (unsigned char)(s->version);
720
721	if (aead->variable_nonce_len > 8 \|\|
722	aead->variable_nonce_len > sizeof(nonce))
723	return -1;
724
725	if (aead->xor_fixed_nonce) {
726	if (aead->fixed_nonce_len > sizeof(nonce) \|\|
727	aead->variable_nonce_len > aead->fixed_nonce_len)
728	return -1; /* Should never happen. */
729	pad_len = aead->fixed_nonce_len - aead->variable_nonce_len;
730	} else {
731	if (aead->fixed_nonce_len +
732	aead->variable_nonce_len > sizeof(nonce))
733	return -1; /* Should never happen. */
734	}
735
736	if (send) {
737	size_t len = rec->length;
738	size_t eivlen = 0;
739	in = rec->input;
740	out = rec->data;
741
742	if (aead->xor_fixed_nonce) {
743	/*
744	* The sequence number is left zero
745	* padded, then xored with the fixed
746	* nonce.
747	*/
748	memset(nonce, 0, pad_len);
749	memcpy(nonce + pad_len, ad,
750	aead->variable_nonce_len);
751	for (i = 0; i < aead->fixed_nonce_len; i++)
752	nonce[i] ^= aead->fixed_nonce[i];
753	nonce_used = aead->fixed_nonce_len;
754	} else {
755	/*
756	* When sending we use the sequence number as
757	* the variable part of the nonce.
758	*/
759	memcpy(nonce, aead->fixed_nonce,
760	aead->fixed_nonce_len);
761	nonce_used = aead->fixed_nonce_len;
762	memcpy(nonce + nonce_used, ad,
763	aead->variable_nonce_len);
764	nonce_used += aead->variable_nonce_len;
765	}
766
767	/*
768	* In do_ssl3_write, rec->input is moved forward by
769	* variable_nonce_len in order to leave space for the
770	* variable nonce. Thus we can copy the sequence number
771	* bytes into place without overwriting any of the
772	* plaintext.
773	*/
774	if (aead->variable_nonce_in_record) {
775	memcpy(out, ad, aead->variable_nonce_len);
776	len -= aead->variable_nonce_len;
777	eivlen = aead->variable_nonce_len;
778	}
779
780	ad[11] = len >> 8;
781	ad[12] = len & 0xff;
782
783	if (!EVP_AEAD_CTX_seal(&aead->ctx,
784	out + eivlen, &out_len, len + aead->tag_len, nonce,
785	nonce_used, in + eivlen, len, ad, sizeof(ad)))
786	return -1;
787	if (aead->variable_nonce_in_record)
788	out_len += aead->variable_nonce_len;
789	} else {
790	/* receive */
791	size_t len = rec->length;
792
793	if (rec->data != rec->input)
794	return -1; /* internal error - should never happen. */
795	out = in = rec->input;
796
797	if (len < aead->variable_nonce_len)
798	return 0;
799
800	if (aead->xor_fixed_nonce) {
801	/*
802	* The sequence number is left zero
803	* padded, then xored with the fixed
804	* nonce.
805	*/
806	memset(nonce, 0, pad_len);
807	memcpy(nonce + pad_len, ad,
808	aead->variable_nonce_len);
809	for (i = 0; i < aead->fixed_nonce_len; i++)
810	nonce[i] ^= aead->fixed_nonce[i];
811	nonce_used = aead->fixed_nonce_len;
812	} else {
813	memcpy(nonce, aead->fixed_nonce,
814	aead->fixed_nonce_len);
815	nonce_used = aead->fixed_nonce_len;
816
817	memcpy(nonce + nonce_used,
818	aead->variable_nonce_in_record ? in : ad,
819	aead->variable_nonce_len);
820	nonce_used += aead->variable_nonce_len;
821	}
822
823	if (aead->variable_nonce_in_record) {
824	in += aead->variable_nonce_len;
825	len -= aead->variable_nonce_len;
826	out += aead->variable_nonce_len;
827	}
828
829	if (len < aead->tag_len)
830	return 0;
831	len -= aead->tag_len;
832
833	ad[11] = len >> 8;
834	ad[12] = len & 0xff;
835
836	if (!EVP_AEAD_CTX_open(&aead->ctx, out, &out_len, len,
837	nonce, nonce_used, in, len + aead->tag_len, ad,
838	sizeof(ad)))
839	return -1;
840
841	rec->data = rec->input = out;
842	}
843
844	rec->length = out_len;
845
846	return 1;
847	}
848
849	if (send) {
850	if (EVP_MD_CTX_md(s->internal->write_hash)) {
851	int n = EVP_MD_CTX_size(s->internal->write_hash);
852	OPENSSL_assert(n >= 0);
853	}
854	ds = s->internal->enc_write_ctx;
855	if (s->internal->enc_write_ctx == NULL)
856	enc = NULL;
857	else {
858	int ivlen = 0;
859	enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx);
860	if (SSL_USE_EXPLICIT_IV(s) &&
861	EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
862	ivlen = EVP_CIPHER_iv_length(enc);
863	if (ivlen > 1) {
864	if (rec->data != rec->input) {
865	#ifdef DEBUG
866	/* we can't write into the input stream:
867	* Can this ever happen?? (steve)
868	*/
869	fprintf(stderr,
870	"%s:%d: rec->data != rec->input\n",
871	__FILE__, __LINE__);
872	#endif
873	} else
874	arc4random_buf(rec->input, ivlen);
875	}
876	}
877	} else {
878	if (EVP_MD_CTX_md(s->read_hash)) {
879	int n = EVP_MD_CTX_size(s->read_hash);
880	OPENSSL_assert(n >= 0);
881	}
882	ds = s->enc_read_ctx;
883	if (s->enc_read_ctx == NULL)
884	enc = NULL;
885	else
886	enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
887	}
888
889	if ((s->session == NULL) \|\| (ds == NULL) \|\| (enc == NULL)) {
890	memmove(rec->data, rec->input, rec->length);
891	rec->input = rec->data;
892	ret = 1;
893	} else {
894	l = rec->length;
895	bs = EVP_CIPHER_block_size(ds->cipher);
896
897	if (bs != 1 && send) {
898	i = bs - ((int)l % bs);
899
900	/* Add weird padding of upto 256 bytes */
901
902	/* we need to add 'i' padding bytes of value j */
903	j = i - 1;
904	for (k = (int)l; k < (int)(l + i); k++)
905	rec->input[k] = j;
906	l += i;
907	rec->length += i;
908	}
909
910	if (!send) {
911	if (l == 0 \|\| l % bs != 0)
912	return 0;
913	}
914
915	i = EVP_Cipher(ds, rec->data, rec->input, l);
916	if ((EVP_CIPHER_flags(ds->cipher) &
917	EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0))
918	return -1; /* AEAD can fail to verify MAC */
919
920	ret = 1;
921	if (EVP_MD_CTX_md(s->read_hash) != NULL)
922	mac_size = EVP_MD_CTX_size(s->read_hash);
923	if ((bs != 1) && !send)
924	ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
925	}
926	return ret;
927	}
928
929	int	679	int
930	tls1_final_finish_mac(SSL s, const char str, int str_len, unsigned char *out)	680	tls1_final_finish_mac(SSL s, const char str, int str_len, unsigned char *out)
931	{	681	{
@@ -947,85 +697,6 @@ tls1_final_finish_mac(SSL s, const char str, int str_len, unsigned char *out)
947	}	697	}
948		698
949	int	699	int
950	tls1_mac(SSL ssl, unsigned char md, int send)
951	{
952	SSL3_RECORD_INTERNAL *rec;
953	unsigned char *seq;
954	EVP_MD_CTX *hash;
955	size_t md_size, orig_len;
956	EVP_MD_CTX hmac, *mac_ctx;
957	unsigned char header[13];
958	int stream_mac = (send ?
959	(ssl->internal->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) :
960	(ssl->internal->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM));
961	int t;
962
963	if (send) {
964	/* No longer supported. */
965	return -1;
966	} else {
967	rec = &(ssl->s3->internal->rrec);
968	seq = &(ssl->s3->internal->read_sequence[0]);
969	hash = ssl->read_hash;
970	}
971
972	t = EVP_MD_CTX_size(hash);
973	OPENSSL_assert(t >= 0);
974	md_size = t;
975
976	/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
977	if (stream_mac) {
978	mac_ctx = hash;
979	} else {
980	if (!EVP_MD_CTX_copy(&hmac, hash))
981	return -1;
982	mac_ctx = &hmac;
983	}
984
985	if (SSL_IS_DTLS(ssl))
986	dtls1_build_sequence_number(header, seq,
987	send ? D1I(ssl)->w_epoch : D1I(ssl)->r_epoch);
988	else
989	memcpy(header, seq, SSL3_SEQUENCE_SIZE);
990
991	orig_len = rec->length + md_size + rec->padding_length;
992
993	header[8] = rec->type;
994	header[9] = (unsigned char)(ssl->version >> 8);
995	header[10] = (unsigned char)(ssl->version);
996	header[11] = (rec->length) >> 8;
997	header[12] = (rec->length) & 0xff;
998
999	if (!send &&
1000	EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1001	ssl3_cbc_record_digest_supported(mac_ctx)) {
1002	/* This is a CBC-encrypted record. We must avoid leaking any
1003	* timing-side channel information about how many blocks of
1004	* data we are hashing because that gives an attacker a
1005	* timing-oracle. */
1006	if (!ssl3_cbc_digest_record(mac_ctx,
1007	md, &md_size, header, rec->input,
1008	rec->length + md_size, orig_len,
1009	ssl->s3->internal->read_mac_secret,
1010	ssl->s3->internal->read_mac_secret_size))
1011	return -1;
1012	} else {
1013	EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
1014	EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
1015	t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
1016	OPENSSL_assert(t > 0);
1017	}
1018
1019	if (!stream_mac)
1020	EVP_MD_CTX_cleanup(&hmac);
1021
1022	if (!SSL_IS_DTLS(ssl))
1023	tls1_record_sequence_increment(seq);
1024
1025	return (md_size);
1026	}
1027
1028	int
1029	tls1_generate_master_secret(SSL s, unsigned char out, unsigned char *p,	700	tls1_generate_master_secret(SSL s, unsigned char out, unsigned char *p,
1030	int len)	701	int len)
1031	{	702	{