Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(467)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: openssl/ssl/t1_enc.c

Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with. (Closed) Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/
Patch Set: '' Created 8 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« openssl.gyp ('K') | « openssl/ssl/t1_clnt.c ('k') | openssl/ssl/t1_lib.c » ('j') | patches/x509_hash_name_algorithm_change.patch » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* ssl/t1_enc.c */ 1 /* ssl/t1_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 /* ==================================================================== 58 /* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
63 * are met: 63 * are met:
64 * 64 *
65 * 1. Redistributions of source code must retain the above copyright 65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer. 66 * notice, this list of conditions and the following disclaimer.
67 * 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright 68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in 69 * notice, this list of conditions and the following disclaimer in
(...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE. 103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ==================================================================== 104 * ====================================================================
105 * 105 *
106 * This product includes cryptographic software written by Eric Young 106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim 107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com). 108 * Hudson (tjh@cryptsoft.com).
109 * 109 *
110 */ 110 */
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
111 137
112 #include <stdio.h> 138 #include <stdio.h>
113 #include "ssl_locl.h" 139 #include "ssl_locl.h"
114 #ifndef OPENSSL_NO_COMP 140 #ifndef OPENSSL_NO_COMP
115 #include <openssl/comp.h> 141 #include <openssl/comp.h>
116 #endif 142 #endif
117 #include <openssl/evp.h> 143 #include <openssl/evp.h>
118 #include <openssl/hmac.h> 144 #include <openssl/hmac.h>
119 #include <openssl/md5.h> 145 #include <openssl/md5.h>
120 #ifdef KSSL_DEBUG 146 #ifdef KSSL_DEBUG
121 #include <openssl/des.h> 147 #include <openssl/des.h>
122 #endif 148 #endif
123 149
124 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 150 /* seed1 through seed5 are virtually concatenated */
125 » » » int sec_len, unsigned char *seed, int seed_len, 151 static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
152 » » » int sec_len,
153 » » » const void *seed1, int seed1_len,
154 » » » const void *seed2, int seed2_len,
155 » » » const void *seed3, int seed3_len,
156 » » » const void *seed4, int seed4_len,
157 » » » const void *seed5, int seed5_len,
126 unsigned char *out, int olen) 158 unsigned char *out, int olen)
127 { 159 {
128 » int chunk,n; 160 » int chunk;
129 unsigned int j; 161 unsigned int j;
130 HMAC_CTX ctx; 162 HMAC_CTX ctx;
131 HMAC_CTX ctx_tmp; 163 HMAC_CTX ctx_tmp;
132 unsigned char A1[EVP_MAX_MD_SIZE]; 164 unsigned char A1[EVP_MAX_MD_SIZE];
133 unsigned int A1_len; 165 unsigned int A1_len;
166 int ret = 0;
134 167
135 chunk=EVP_MD_size(md); 168 chunk=EVP_MD_size(md);
169 OPENSSL_assert(chunk >= 0);
136 170
137 HMAC_CTX_init(&ctx); 171 HMAC_CTX_init(&ctx);
138 HMAC_CTX_init(&ctx_tmp); 172 HMAC_CTX_init(&ctx_tmp);
139 » HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 173 » if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL))
140 » HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 174 » » goto err;
141 » HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); 175 » if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL))
142 » HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); 176 » » goto err;
143 » HMAC_Update(&ctx,seed,seed_len); 177 » if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len))
144 » HMAC_Final(&ctx,A1,&A1_len); 178 » » goto err;
179 » if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len))
180 » » goto err;
181 » if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len))
182 » » goto err;
183 » if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len))
184 » » goto err;
185 » if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len))
186 » » goto err;
187 » if (!HMAC_Final(&ctx,A1,&A1_len))
188 » » goto err;
145 189
146 n=0;
147 for (;;) 190 for (;;)
148 { 191 {
149 » » HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */ 192 » » if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */
150 » » HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */ 193 » » » goto err;
151 » » HMAC_Update(&ctx,A1,A1_len); 194 » » if (!HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL)) /* re-init */
152 » » HMAC_Update(&ctx_tmp,A1,A1_len); 195 » » » goto err;
153 » » HMAC_Update(&ctx,seed,seed_len); 196 » » if (!HMAC_Update(&ctx,A1,A1_len))
197 » » » goto err;
198 » » if (!HMAC_Update(&ctx_tmp,A1,A1_len))
199 » » » goto err;
200 » » if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len))
201 » » » goto err;
202 » » if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len))
203 » » » goto err;
204 » » if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len))
205 » » » goto err;
206 » » if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len))
207 » » » goto err;
208 » » if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len))
209 » » » goto err;
154 210
155 if (olen > chunk) 211 if (olen > chunk)
156 { 212 {
157 » » » HMAC_Final(&ctx,out,&j); 213 » » » if (!HMAC_Final(&ctx,out,&j))
214 » » » » goto err;
158 out+=j; 215 out+=j;
159 olen-=j; 216 olen-=j;
160 » » » HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 val ue */ 217 » » » if (!HMAC_Final(&ctx_tmp,A1,&A1_len)) /* calc the next A 1 value */
218 » » » » goto err;
161 } 219 }
162 else /* last one */ 220 else /* last one */
163 { 221 {
164 » » » HMAC_Final(&ctx,A1,&A1_len); 222 » » » if (!HMAC_Final(&ctx,A1,&A1_len))
223 » » » » goto err;
165 memcpy(out,A1,olen); 224 memcpy(out,A1,olen);
166 break; 225 break;
167 } 226 }
168 } 227 }
228 ret = 1;
229 err:
169 HMAC_CTX_cleanup(&ctx); 230 HMAC_CTX_cleanup(&ctx);
170 HMAC_CTX_cleanup(&ctx_tmp); 231 HMAC_CTX_cleanup(&ctx_tmp);
171 OPENSSL_cleanse(A1,sizeof(A1)); 232 OPENSSL_cleanse(A1,sizeof(A1));
233 return ret;
172 } 234 }
173 235
174 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, 236 /* seed1 through seed5 are virtually concatenated */
175 » » unsigned char *label, int label_len, 237 static int tls1_PRF(long digest_mask,
176 » » const unsigned char *sec, int slen, unsigned char *out1, 238 » » const void *seed1, int seed1_len,
239 » » const void *seed2, int seed2_len,
240 » » const void *seed3, int seed3_len,
241 » » const void *seed4, int seed4_len,
242 » » const void *seed5, int seed5_len,
243 » » const unsigned char *sec, int slen,
244 » » unsigned char *out1,
177 unsigned char *out2, int olen) 245 unsigned char *out2, int olen)
178 { 246 {
179 » int len,i; 247 » int len,i,idx,count;
180 » const unsigned char *S1,*S2; 248 » const unsigned char *S1;
249 » long m;
250 » const EVP_MD *md;
251 » int ret = 0;
181 252
182 » len=slen/2; 253 » /* Count number of digests and partition sec evenly */
254 » count=0;
255 » for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
256 » » if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++;
257 » }»
258 » len=slen/count;
183 S1=sec; 259 S1=sec;
184 » S2= &(sec[len]); 260 » memset(out1,0,olen);
185 » len+=(slen&1); /* add for odd, make longer */ 261 » for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
186 262 » » if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) {
187 » 263 » » » if (!md) {
188 » tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); 264 » » » » SSLerr(SSL_F_TLS1_PRF,
189 » tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); 265 » » » » SSL_R_UNSUPPORTED_DIGEST_TYPE);
190 266 » » » » goto err;» » » »
191 » for (i=0; i<olen; i++) 267 » » » }
192 » » out1[i]^=out2[i]; 268 » » » if (!tls1_P_hash(md ,S1,len+(slen&1),
269 » » » » » seed1,seed1_len,seed2,seed2_len,seed3,se ed3_len,seed4,seed4_len,seed5,seed5_len,
270 » » » » » out2,olen))
271 » » » » goto err;
272 » » » S1+=len;
273 » » » for (i=0; i<olen; i++)
274 » » » {
275 » » » » out1[i]^=out2[i];
276 » » » }
277 » » }
193 } 278 }
194 279 » ret = 1;
195 static void tls1_generate_key_block(SSL *s, unsigned char *km, 280 err:
281 » return ret;
282 }
283 static int tls1_generate_key_block(SSL *s, unsigned char *km,
196 unsigned char *tmp, int num) 284 unsigned char *tmp, int num)
197 { 285 {
198 » unsigned char *p; 286 » int ret;
199 » unsigned char buf[SSL3_RANDOM_SIZE*2+ 287 » ret = tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
200 » » TLS_MD_MAX_CONST_SIZE]; 288 » » TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE,
201 » p=buf; 289 » » s->s3->server_random,SSL3_RANDOM_SIZE,
202 290 » » s->s3->client_random,SSL3_RANDOM_SIZE,
203 » memcpy(p,TLS_MD_KEY_EXPANSION_CONST, 291 » » NULL,0,NULL,0,
204 » » TLS_MD_KEY_EXPANSION_CONST_SIZE);
205 » p+=TLS_MD_KEY_EXPANSION_CONST_SIZE;
206 » memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
207 » p+=SSL3_RANDOM_SIZE;
208 » memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
209 » p+=SSL3_RANDOM_SIZE;
210
211 » tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
212 s->session->master_key,s->session->master_key_length, 292 s->session->master_key,s->session->master_key_length,
213 km,tmp,num); 293 km,tmp,num);
214 #ifdef KSSL_DEBUG 294 #ifdef KSSL_DEBUG
215 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 295 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
216 s->session->master_key_length); 296 s->session->master_key_length);
217 { 297 {
218 int i; 298 int i;
219 for (i=0; i < s->session->master_key_length; i++) 299 for (i=0; i < s->session->master_key_length; i++)
220 { 300 {
221 printf("%02X", s->session->master_key[i]); 301 printf("%02X", s->session->master_key[i]);
222 } 302 }
223 printf("\n"); } 303 printf("\n"); }
224 #endif /* KSSL_DEBUG */ 304 #endif /* KSSL_DEBUG */
305 return ret;
225 } 306 }
226 307
227 int tls1_change_cipher_state(SSL *s, int which) 308 int tls1_change_cipher_state(SSL *s, int which)
228 { 309 {
229 static const unsigned char empty[]=""; 310 static const unsigned char empty[]="";
230 » unsigned char *p,*key_block,*mac_secret; 311 » unsigned char *p,*mac_secret;
231 » unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ 312 » unsigned char *exp_label;
232 » » SSL3_RANDOM_SIZE*2];
233 unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 313 unsigned char tmp1[EVP_MAX_KEY_LENGTH];
234 unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 314 unsigned char tmp2[EVP_MAX_KEY_LENGTH];
235 unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 315 unsigned char iv1[EVP_MAX_IV_LENGTH*2];
236 unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 316 unsigned char iv2[EVP_MAX_IV_LENGTH*2];
237 » unsigned char *ms,*key,*iv,*er1,*er2; 317 » unsigned char *ms,*key,*iv;
238 int client_write; 318 int client_write;
239 EVP_CIPHER_CTX *dd; 319 EVP_CIPHER_CTX *dd;
240 const EVP_CIPHER *c; 320 const EVP_CIPHER *c;
241 #ifndef OPENSSL_NO_COMP 321 #ifndef OPENSSL_NO_COMP
242 const SSL_COMP *comp; 322 const SSL_COMP *comp;
243 #endif 323 #endif
244 const EVP_MD *m; 324 const EVP_MD *m;
325 int mac_type;
326 int *mac_secret_size;
327 EVP_MD_CTX *mac_ctx;
328 EVP_PKEY *mac_key;
245 int is_export,n,i,j,k,exp_label_len,cl; 329 int is_export,n,i,j,k,exp_label_len,cl;
246 int reuse_dd = 0; 330 int reuse_dd = 0;
247 331
248 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 332 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
249 c=s->s3->tmp.new_sym_enc; 333 c=s->s3->tmp.new_sym_enc;
250 m=s->s3->tmp.new_hash; 334 m=s->s3->tmp.new_hash;
335 mac_type = s->s3->tmp.new_mac_pkey_type;
251 #ifndef OPENSSL_NO_COMP 336 #ifndef OPENSSL_NO_COMP
252 comp=s->s3->tmp.new_compression; 337 comp=s->s3->tmp.new_compression;
253 #endif 338 #endif
254 key_block=s->s3->tmp.key_block;
255 339
256 #ifdef KSSL_DEBUG 340 #ifdef KSSL_DEBUG
257 printf("tls1_change_cipher_state(which= %d) w/\n", which); 341 printf("tls1_change_cipher_state(which= %d) w/\n", which);
258 » printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, 342 » printf("\talg= %ld/%ld, comp= %p\n",
259 (void *)comp); 343 » s->s3->tmp.new_cipher->algorithm_mkey,
260 » printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", (void *)c); 344 » s->s3->tmp.new_cipher->algorithm_auth,
345 » comp);
346 » printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
261 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", 347 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
262 c->nid,c->block_size,c->key_len,c->iv_len); 348 c->nid,c->block_size,c->key_len,c->iv_len);
263 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); 349 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
264 { 350 {
265 int ki; 351 int i;
266 for (ki=0; ki<s->s3->tmp.key_block_length; ki++) 352 for (i=0; i<s->s3->tmp.key_block_length; i++)
267 » » printf("%02x", key_block[ki]); printf("\n"); 353 » » printf("%02x", key_block[i]); printf("\n");
268 } 354 }
269 #endif /* KSSL_DEBUG */ 355 #endif /* KSSL_DEBUG */
270 356
271 if (which & SSL3_CC_READ) 357 if (which & SSL3_CC_READ)
272 { 358 {
359 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
360 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
361 else
362 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
363
273 if (s->enc_read_ctx != NULL) 364 if (s->enc_read_ctx != NULL)
274 reuse_dd = 1; 365 reuse_dd = 1;
275 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)) ) == NULL) 366 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)) ) == NULL)
276 goto err; 367 goto err;
277 else 368 else
278 /* make sure it's intialized in case we exit later with an error */ 369 /* make sure it's intialized in case we exit later with an error */
279 EVP_CIPHER_CTX_init(s->enc_read_ctx); 370 EVP_CIPHER_CTX_init(s->enc_read_ctx);
280 dd= s->enc_read_ctx; 371 dd= s->enc_read_ctx;
281 » » s->read_hash=m; 372 » » mac_ctx=ssl_replace_hash(&s->read_hash,NULL);
282 #ifndef OPENSSL_NO_COMP 373 #ifndef OPENSSL_NO_COMP
283 if (s->expand != NULL) 374 if (s->expand != NULL)
284 { 375 {
285 COMP_CTX_free(s->expand); 376 COMP_CTX_free(s->expand);
286 s->expand=NULL; 377 s->expand=NULL;
287 } 378 }
288 if (comp != NULL) 379 if (comp != NULL)
289 { 380 {
290 s->expand=COMP_CTX_new(comp->method); 381 s->expand=COMP_CTX_new(comp->method);
291 if (s->expand == NULL) 382 if (s->expand == NULL)
292 { 383 {
293 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR); 384 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR);
294 goto err2; 385 goto err2;
295 } 386 }
296 if (s->s3->rrec.comp == NULL) 387 if (s->s3->rrec.comp == NULL)
297 s->s3->rrec.comp=(unsigned char *) 388 s->s3->rrec.comp=(unsigned char *)
298 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LEN GTH); 389 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LEN GTH);
299 if (s->s3->rrec.comp == NULL) 390 if (s->s3->rrec.comp == NULL)
300 goto err; 391 goto err;
301 } 392 }
302 #endif 393 #endif
303 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 394 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
304 if (s->version != DTLS1_VERSION) 395 if (s->version != DTLS1_VERSION)
305 memset(&(s->s3->read_sequence[0]),0,8); 396 memset(&(s->s3->read_sequence[0]),0,8);
306 mac_secret= &(s->s3->read_mac_secret[0]); 397 mac_secret= &(s->s3->read_mac_secret[0]);
398 mac_secret_size=&(s->s3->read_mac_secret_size);
307 } 399 }
308 else 400 else
309 { 401 {
402 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
403 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
404 else
405 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
310 if (s->enc_write_ctx != NULL) 406 if (s->enc_write_ctx != NULL)
311 reuse_dd = 1; 407 reuse_dd = 1;
312 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX) )) == NULL) 408 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX) )) == NULL)
313 goto err; 409 goto err;
314 else 410 else
315 /* make sure it's intialized in case we exit later with an error */ 411 /* make sure it's intialized in case we exit later with an error */
316 EVP_CIPHER_CTX_init(s->enc_write_ctx); 412 EVP_CIPHER_CTX_init(s->enc_write_ctx);
317 dd= s->enc_write_ctx; 413 dd= s->enc_write_ctx;
318 » » s->write_hash=m; 414 » » mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
319 #ifndef OPENSSL_NO_COMP 415 #ifndef OPENSSL_NO_COMP
320 if (s->compress != NULL) 416 if (s->compress != NULL)
321 { 417 {
322 COMP_CTX_free(s->compress); 418 COMP_CTX_free(s->compress);
323 s->compress=NULL; 419 s->compress=NULL;
324 } 420 }
325 if (comp != NULL) 421 if (comp != NULL)
326 { 422 {
327 s->compress=COMP_CTX_new(comp->method); 423 s->compress=COMP_CTX_new(comp->method);
328 if (s->compress == NULL) 424 if (s->compress == NULL)
329 { 425 {
330 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR); 426 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR);
331 goto err2; 427 goto err2;
332 } 428 }
333 } 429 }
334 #endif 430 #endif
335 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 431 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
336 if (s->version != DTLS1_VERSION) 432 if (s->version != DTLS1_VERSION)
337 memset(&(s->s3->write_sequence[0]),0,8); 433 memset(&(s->s3->write_sequence[0]),0,8);
338 mac_secret= &(s->s3->write_mac_secret[0]); 434 mac_secret= &(s->s3->write_mac_secret[0]);
435 mac_secret_size = &(s->s3->write_mac_secret_size);
339 } 436 }
340 437
341 if (reuse_dd) 438 if (reuse_dd)
342 EVP_CIPHER_CTX_cleanup(dd); 439 EVP_CIPHER_CTX_cleanup(dd);
343 440
344 p=s->s3->tmp.key_block; 441 p=s->s3->tmp.key_block;
345 » i=EVP_MD_size(m); 442 » i=*mac_secret_size=s->s3->tmp.new_mac_secret_size;
443
346 cl=EVP_CIPHER_key_length(c); 444 cl=EVP_CIPHER_key_length(c);
347 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 445 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
348 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 446 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
349 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 447 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
350 k=EVP_CIPHER_iv_length(c); 448 k=EVP_CIPHER_iv_length(c);
351 er1= &(s->s3->client_random[0]);
352 er2= &(s->s3->server_random[0]);
353 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 449 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
354 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 450 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
355 { 451 {
356 ms= &(p[ 0]); n=i+i; 452 ms= &(p[ 0]); n=i+i;
357 key= &(p[ n]); n+=j+j; 453 key= &(p[ n]); n+=j+j;
358 iv= &(p[ n]); n+=k+k; 454 iv= &(p[ n]); n+=k+k;
359 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 455 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
360 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 456 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
361 client_write=1; 457 client_write=1;
362 } 458 }
363 else 459 else
364 { 460 {
365 n=i; 461 n=i;
366 ms= &(p[ n]); n+=i+j; 462 ms= &(p[ n]); n+=i+j;
367 key= &(p[ n]); n+=j+k; 463 key= &(p[ n]); n+=j+k;
368 iv= &(p[ n]); n+=k; 464 iv= &(p[ n]); n+=k;
369 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 465 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
370 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 466 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
371 client_write=0; 467 client_write=0;
372 } 468 }
373 469
374 if (n > s->s3->tmp.key_block_length) 470 if (n > s->s3->tmp.key_block_length)
375 { 471 {
376 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); 472 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
377 goto err2; 473 goto err2;
378 } 474 }
379 475
380 memcpy(mac_secret,ms,i); 476 memcpy(mac_secret,ms,i);
477 mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
478 mac_secret,*mac_secret_size);
479 EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key);
480 EVP_PKEY_free(mac_key);
381 #ifdef TLS_DEBUG 481 #ifdef TLS_DEBUG
382 printf("which = %04X\nmac key=",which); 482 printf("which = %04X\nmac key=",which);
383 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 483 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
384 #endif 484 #endif
385 if (is_export) 485 if (is_export)
386 { 486 {
387 /* In here I set both the read and write key/iv to the 487 /* In here I set both the read and write key/iv to the
388 * same value since only the correct one will be used :-). 488 * same value since only the correct one will be used :-).
389 */ 489 */
390 » » p=buf; 490 » » if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
391 » » memcpy(p,exp_label,exp_label_len); 491 » » » » exp_label,exp_label_len,
392 » » p+=exp_label_len; 492 » » » » s->s3->client_random,SSL3_RANDOM_SIZE,
393 » » memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 493 » » » » s->s3->server_random,SSL3_RANDOM_SIZE,
394 » » p+=SSL3_RANDOM_SIZE; 494 » » » » NULL,0,NULL,0,
395 » » memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 495 » » » » key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)))
396 » » p+=SSL3_RANDOM_SIZE; 496 » » » goto err2;
397 » » tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
398 » » » tmp1,tmp2,EVP_CIPHER_key_length(c));
399 key=tmp1; 497 key=tmp1;
400 498
401 if (k > 0) 499 if (k > 0)
402 { 500 {
403 » » » p=buf; 501 » » » if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
404 » » » memcpy(p,TLS_MD_IV_BLOCK_CONST, 502 » » » » » TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CO NST_SIZE,
405 » » » » TLS_MD_IV_BLOCK_CONST_SIZE); 503 » » » » » s->s3->client_random,SSL3_RANDOM_SIZE,
406 » » » p+=TLS_MD_IV_BLOCK_CONST_SIZE; 504 » » » » » s->s3->server_random,SSL3_RANDOM_SIZE,
407 » » » memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 505 » » » » » NULL,0,NULL,0,
408 » » » p+=SSL3_RANDOM_SIZE; 506 » » » » » empty,0,iv1,iv2,k*2))
409 » » » memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 507 » » » » goto err2;
410 » » » p+=SSL3_RANDOM_SIZE;
411 » » » tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
412 » » » » iv1,iv2,k*2);
413 if (client_write) 508 if (client_write)
414 iv=iv1; 509 iv=iv1;
415 else 510 else
416 iv= &(iv1[k]); 511 iv= &(iv1[k]);
417 } 512 }
418 } 513 }
419 514
420 s->session->key_arg_length=0; 515 s->session->key_arg_length=0;
421 #ifdef KSSL_DEBUG 516 #ifdef KSSL_DEBUG
422 { 517 {
423 int ki; 518 int i;
424 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); 519 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
425 » printf("\tkey= "); 520 » printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
426 » for (ki=0; ki<c->key_len; ki++) printf("%02x", key[ki]);
427 printf("\n"); 521 printf("\n");
428 » printf("\t iv= "); 522 » printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
429 » for (ki=0; ki<c->iv_len; ki++) printf("%02x", iv[ki]);
430 printf("\n"); 523 printf("\n");
431 } 524 }
432 #endif /* KSSL_DEBUG */ 525 #endif /* KSSL_DEBUG */
433 526
434 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); 527 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
435 #ifdef TLS_DEBUG 528 #ifdef TLS_DEBUG
436 printf("which = %04X\nkey=",which); 529 printf("which = %04X\nkey=",which);
437 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1 )%16)?' ':'\n'); } 530 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1 )%16)?' ':'\n'); }
438 printf("\niv="); 531 printf("\niv=");
439 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } 532 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
440 printf("\n"); 533 printf("\n");
441 #endif 534 #endif
442 535
443 OPENSSL_cleanse(tmp1,sizeof(tmp1)); 536 OPENSSL_cleanse(tmp1,sizeof(tmp1));
444 OPENSSL_cleanse(tmp2,sizeof(tmp1)); 537 OPENSSL_cleanse(tmp2,sizeof(tmp1));
445 OPENSSL_cleanse(iv1,sizeof(iv1)); 538 OPENSSL_cleanse(iv1,sizeof(iv1));
446 OPENSSL_cleanse(iv2,sizeof(iv2)); 539 OPENSSL_cleanse(iv2,sizeof(iv2));
447 return(1); 540 return(1);
448 err: 541 err:
449 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 542 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
450 err2: 543 err2:
451 return(0); 544 return(0);
452 } 545 }
453 546
454 int tls1_setup_key_block(SSL *s) 547 int tls1_setup_key_block(SSL *s)
455 { 548 {
456 » unsigned char *p1,*p2; 549 » unsigned char *p1,*p2=NULL;
457 const EVP_CIPHER *c; 550 const EVP_CIPHER *c;
458 const EVP_MD *hash; 551 const EVP_MD *hash;
459 int num; 552 int num;
460 SSL_COMP *comp; 553 SSL_COMP *comp;
554 int mac_type= NID_undef,mac_secret_size=0;
555 int ret=0;
461 556
462 #ifdef KSSL_DEBUG 557 #ifdef KSSL_DEBUG
463 printf ("tls1_setup_key_block()\n"); 558 printf ("tls1_setup_key_block()\n");
464 #endif /* KSSL_DEBUG */ 559 #endif /* KSSL_DEBUG */
465 560
466 if (s->s3->tmp.key_block_length != 0) 561 if (s->s3->tmp.key_block_length != 0)
467 return(1); 562 return(1);
468 563
469 » if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) 564 » if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,& comp))
470 { 565 {
471 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILAB LE); 566 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILAB LE);
472 return(0); 567 return(0);
473 } 568 }
474 569
475 s->s3->tmp.new_sym_enc=c; 570 s->s3->tmp.new_sym_enc=c;
476 s->s3->tmp.new_hash=hash; 571 s->s3->tmp.new_hash=hash;
477 572 » s->s3->tmp.new_mac_pkey_type = mac_type;
478 » num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); 573 » s->s3->tmp.new_mac_secret_size = mac_secret_size;
574 » num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c);
479 num*=2; 575 num*=2;
480 576
481 ssl3_cleanup_key_block(s); 577 ssl3_cleanup_key_block(s);
482 578
483 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) 579 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
580 {
581 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
484 goto err; 582 goto err;
485 » if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) 583 » » }
486 » » goto err;
487 584
488 s->s3->tmp.key_block_length=num; 585 s->s3->tmp.key_block_length=num;
489 s->s3->tmp.key_block=p1; 586 s->s3->tmp.key_block=p1;
490 587
588 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
589 {
590 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
591 goto err;
592 }
491 593
492 #ifdef TLS_DEBUG 594 #ifdef TLS_DEBUG
493 printf("client random\n"); 595 printf("client random\n");
494 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random [z],((z+1)%16)?' ':'\n'); } 596 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random [z],((z+1)%16)?' ':'\n'); }
495 printf("server random\n"); 597 printf("server random\n");
496 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random [z],((z+1)%16)?' ':'\n'); } 598 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random [z],((z+1)%16)?' ':'\n'); }
497 printf("pre-master\n"); 599 printf("pre-master\n");
498 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->sess ion->master_key[z],((z+1)%16)?' ':'\n'); } 600 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->sess ion->master_key[z],((z+1)%16)?' ':'\n'); }
499 #endif 601 #endif
500 » tls1_generate_key_block(s,p1,p2,num); 602 » if (!tls1_generate_key_block(s,p1,p2,num))
501 » OPENSSL_cleanse(p2,num); 603 » » goto err;
502 » OPENSSL_free(p2);
503 #ifdef TLS_DEBUG 604 #ifdef TLS_DEBUG
504 printf("\nkey block\n"); 605 printf("\nkey block\n");
505 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 606 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
506 #endif 607 #endif
507 608
508 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 609 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
509 { 610 {
510 /* enable vulnerability countermeasure for CBC ciphers with 611 /* enable vulnerability countermeasure for CBC ciphers with
511 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 612 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
512 */ 613 */
513 s->s3->need_empty_fragments = 1; 614 s->s3->need_empty_fragments = 1;
514 615
515 if (s->session->cipher != NULL) 616 if (s->session->cipher != NULL)
516 { 617 {
517 » » » if ((s->session->cipher->algorithms & SSL_ENC_MASK) == S SL_eNULL) 618 » » » if (s->session->cipher->algorithm_enc == SSL_eNULL)
518 s->s3->need_empty_fragments = 0; 619 s->s3->need_empty_fragments = 0;
519 620
520 #ifndef OPENSSL_NO_RC4 621 #ifndef OPENSSL_NO_RC4
521 » » » if ((s->session->cipher->algorithms & SSL_ENC_MASK) == S SL_RC4) 622 » » » if (s->session->cipher->algorithm_enc == SSL_RC4)
522 s->s3->need_empty_fragments = 0; 623 s->s3->need_empty_fragments = 0;
523 #endif 624 #endif
524 } 625 }
525 } 626 }
526 627
527 » return(1); 628 » ret = 1;
528 err: 629 err:
529 » SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); 630 » if (p2)
530 » return(0); 631 » » {
632 » » OPENSSL_cleanse(p2,num);
633 » » OPENSSL_free(p2);
634 » » }
635 » return(ret);
531 } 636 }
532 637
533 int tls1_enc(SSL *s, int send) 638 int tls1_enc(SSL *s, int send)
534 { 639 {
535 SSL3_RECORD *rec; 640 SSL3_RECORD *rec;
536 EVP_CIPHER_CTX *ds; 641 EVP_CIPHER_CTX *ds;
537 unsigned long l; 642 unsigned long l;
538 int bs,i,ii,j,k,n=0; 643 int bs,i,ii,j,k,n=0;
539 const EVP_CIPHER *enc; 644 const EVP_CIPHER *enc;
540 645
541 if (send) 646 if (send)
542 { 647 {
543 » » if (s->write_hash != NULL) 648 » » if (EVP_MD_CTX_md(s->write_hash))
544 » » » n=EVP_MD_size(s->write_hash); 649 » » » {
650 » » » n=EVP_MD_CTX_size(s->write_hash);
651 » » » OPENSSL_assert(n >= 0);
652 » » » }
545 ds=s->enc_write_ctx; 653 ds=s->enc_write_ctx;
546 rec= &(s->s3->wrec); 654 rec= &(s->s3->wrec);
547 if (s->enc_write_ctx == NULL) 655 if (s->enc_write_ctx == NULL)
548 enc=NULL; 656 enc=NULL;
549 else 657 else
550 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 658 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
551 } 659 }
552 else 660 else
553 { 661 {
554 » » if (s->read_hash != NULL) 662 » » if (EVP_MD_CTX_md(s->read_hash))
555 » » » n=EVP_MD_size(s->read_hash); 663 » » » {
664 » » » n=EVP_MD_CTX_size(s->read_hash);
665 » » » OPENSSL_assert(n >= 0);
666 » » » }
556 ds=s->enc_read_ctx; 667 ds=s->enc_read_ctx;
557 rec= &(s->s3->rrec); 668 rec= &(s->s3->rrec);
558 if (s->enc_read_ctx == NULL) 669 if (s->enc_read_ctx == NULL)
559 enc=NULL; 670 enc=NULL;
560 else 671 else
561 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 672 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
562 } 673 }
563 674
564 #ifdef KSSL_DEBUG 675 #ifdef KSSL_DEBUG
565 printf("tls1_enc(%d)\n", send); 676 printf("tls1_enc(%d)\n", send);
(...skipping 26 matching lines...) Expand all
592 for (k=(int)l; k<(int)(l+i); k++) 703 for (k=(int)l; k<(int)(l+i); k++)
593 rec->input[k]=j; 704 rec->input[k]=j;
594 l+=i; 705 l+=i;
595 rec->length+=i; 706 rec->length+=i;
596 } 707 }
597 708
598 #ifdef KSSL_DEBUG 709 #ifdef KSSL_DEBUG
599 { 710 {
600 unsigned long ui; 711 unsigned long ui;
601 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n ", 712 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n ",
602 (void *)ds,rec->data,rec->input,l); 713 ds,rec->data,rec->input,l);
603 » » printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%ld %ld], %d i v_len\n", 714 » » printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_ len\n",
604 ds->buf_len, ds->cipher->key_len, 715 ds->buf_len, ds->cipher->key_len,
605 (unsigned long)DES_KEY_SZ, 716 DES_KEY_SZ, DES_SCHEDULE_SZ,
606 » » » (unsigned long)DES_SCHEDULE_SZ,
607 ds->cipher->iv_len); 717 ds->cipher->iv_len);
608 printf("\t\tIV: "); 718 printf("\t\tIV: ");
609 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 719 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
610 printf("\n"); 720 printf("\n");
611 printf("\trec->input="); 721 printf("\trec->input=");
612 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); 722 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
613 printf("\n"); 723 printf("\n");
614 } 724 }
615 #endif /* KSSL_DEBUG */ 725 #endif /* KSSL_DEBUG */
616 726
617 if (!send) 727 if (!send)
618 { 728 {
619 if (l == 0 || l%bs != 0) 729 if (l == 0 || l%bs != 0)
620 { 730 {
621 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_ WRONG); 731 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_ WRONG);
622 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTIO N_FAILED); 732 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTIO N_FAILED);
623 return 0; 733 return 0;
624 } 734 }
625 } 735 }
626 736
627 EVP_Cipher(ds,rec->data,rec->input,l); 737 EVP_Cipher(ds,rec->data,rec->input,l);
628 738
629 #ifdef KSSL_DEBUG 739 #ifdef KSSL_DEBUG
630 { 740 {
631 unsigned long ki; 741 unsigned long i;
632 printf("\trec->data="); 742 printf("\trec->data=");
633 » » for (ki=0; ki<l; i++) 743 » » for (i=0; i<l; i++)
634 printf(" %02x", rec->data[ki]); printf("\n"); 744 printf(" %02x", rec->data[i]); printf("\n");
635 } 745 }
636 #endif /* KSSL_DEBUG */ 746 #endif /* KSSL_DEBUG */
637 747
638 if ((bs != 1) && !send) 748 if ((bs != 1) && !send)
639 { 749 {
640 ii=i=rec->data[l-1]; /* padding_length */ 750 ii=i=rec->data[l-1]; /* padding_length */
641 i++; 751 i++;
642 /* NB: if compression is in operation the first packet 752 /* NB: if compression is in operation the first packet
643 * may not be of even length so the padding bug check 753 * may not be of even length so the padding bug check
644 * cannot be performed. This bug workaround has been 754 * cannot be performed. This bug workaround has been
(...skipping 27 matching lines...) Expand all
672 { 782 {
673 /* Incorrect padding */ 783 /* Incorrect padding */
674 return -1; 784 return -1;
675 } 785 }
676 } 786 }
677 rec->length-=i; 787 rec->length-=i;
678 } 788 }
679 } 789 }
680 return(1); 790 return(1);
681 } 791 }
682 792 int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
683 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
684 { 793 {
685 unsigned int ret; 794 unsigned int ret;
686 » EVP_MD_CTX ctx; 795 » EVP_MD_CTX ctx, *d=NULL;
796 » int i;
797
798 » if (s->s3->handshake_buffer)
799 » » if (!ssl3_digest_cached_records(s))
800 » » » return 0;
801
802 » for (i=0;i<SSL_MAX_DIGEST;i++)
803 » » {
804 » » if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake _dgst[i])==md_nid)
805 » » » {
806 » » » d=s->s3->handshake_dgst[i];
807 » » » break;
808 » » » }
809 » » }
810 » if (!d) {
811 » » SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
812 » » return 0;
813 » }»
687 814
688 EVP_MD_CTX_init(&ctx); 815 EVP_MD_CTX_init(&ctx);
689 » EVP_MD_CTX_copy_ex(&ctx,in_ctx); 816 » EVP_MD_CTX_copy_ex(&ctx,d);
690 EVP_DigestFinal_ex(&ctx,out,&ret); 817 EVP_DigestFinal_ex(&ctx,out,&ret);
691 EVP_MD_CTX_cleanup(&ctx); 818 EVP_MD_CTX_cleanup(&ctx);
692 return((int)ret); 819 return((int)ret);
693 } 820 }
694 821
695 int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, 822 int tls1_final_finish_mac(SSL *s,
696 const char *str, int slen, unsigned char *out) 823 const char *str, int slen, unsigned char *out)
697 { 824 {
698 unsigned int i; 825 unsigned int i;
699 EVP_MD_CTX ctx; 826 EVP_MD_CTX ctx;
700 » unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LEN GTH]; 827 » unsigned char buf[2*EVP_MAX_MD_SIZE];
701 unsigned char *q,buf2[12]; 828 unsigned char *q,buf2[12];
829 int idx;
830 long mask;
831 int err=0;
832 const EVP_MD *md;
702 833
703 q=buf; 834 q=buf;
704 » memcpy(q,str,slen); 835
705 » q+=slen; 836 » if (s->s3->handshake_buffer)
837 » » if (!ssl3_digest_cached_records(s))
838 » » » return 0;
706 839
707 EVP_MD_CTX_init(&ctx); 840 EVP_MD_CTX_init(&ctx);
708 EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
709 EVP_DigestFinal_ex(&ctx,q,&i);
710 q+=i;
711 EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
712 EVP_DigestFinal_ex(&ctx,q,&i);
713 q+=i;
714 841
715 » tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf), 842 » for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
716 » » s->session->master_key,s->session->master_key_length, 843 » » {
717 » » out,buf2,sizeof buf2); 844 » » if (mask & s->s3->tmp.new_cipher->algorithm2)
845 » » » {
846 » » » int hashsize = EVP_MD_size(md);
847 » » » if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_ t)(q-buf)))
848 » » » » {
849 » » » » /* internal error: 'buf' is too small for this c ipersuite! */
850 » » » » err = 1;
851 » » » » }
852 » » » else
853 » » » » {
854 » » » » EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[id x]);
855 » » » » EVP_DigestFinal_ex(&ctx,q,&i);
856 » » » » if (i != (unsigned int)hashsize) /* can't really happen */
857 » » » » » err = 1;
858 » » » » q+=i;
859 » » » » }
860 » » » }
861 » » }
862 » »
863 » if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
864 » » » str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
865 » » » s->session->master_key,s->session->master_key_length,
866 » » » out,buf2,sizeof buf2))
867 » » err = 1;
718 EVP_MD_CTX_cleanup(&ctx); 868 EVP_MD_CTX_cleanup(&ctx);
719 869
720 » return sizeof buf2; 870 » if (err)
871 » » return 0;
872 » else
873 » » return sizeof buf2;
721 } 874 }
722 875
723 int tls1_mac(SSL *ssl, unsigned char *md, int send) 876 int tls1_mac(SSL *ssl, unsigned char *md, int send)
724 { 877 {
725 SSL3_RECORD *rec; 878 SSL3_RECORD *rec;
726 » unsigned char *mac_sec,*seq; 879 » unsigned char *seq;
727 » const EVP_MD *hash; 880 » EVP_MD_CTX *hash;
728 » unsigned int md_size; 881 » size_t md_size;
729 int i; 882 int i;
730 » HMAC_CTX hmac; 883 » EVP_MD_CTX hmac, *mac_ctx;
731 unsigned char buf[5]; 884 unsigned char buf[5];
885 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM): (ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
886 int t;
732 887
733 if (send) 888 if (send)
734 { 889 {
735 rec= &(ssl->s3->wrec); 890 rec= &(ssl->s3->wrec);
736 mac_sec= &(ssl->s3->write_mac_secret[0]);
737 seq= &(ssl->s3->write_sequence[0]); 891 seq= &(ssl->s3->write_sequence[0]);
738 hash=ssl->write_hash; 892 hash=ssl->write_hash;
739 } 893 }
740 else 894 else
741 { 895 {
742 rec= &(ssl->s3->rrec); 896 rec= &(ssl->s3->rrec);
743 mac_sec= &(ssl->s3->read_mac_secret[0]);
744 seq= &(ssl->s3->read_sequence[0]); 897 seq= &(ssl->s3->read_sequence[0]);
745 hash=ssl->read_hash; 898 hash=ssl->read_hash;
746 } 899 }
747 900
748 » md_size=EVP_MD_size(hash); 901 » t=EVP_MD_CTX_size(hash);
902 » OPENSSL_assert(t >= 0);
903 » md_size=t;
749 904
750 buf[0]=rec->type; 905 buf[0]=rec->type;
751 » if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VE R) 906 » buf[1]=(unsigned char)(ssl->version>>8);
752 » » { 907 » buf[2]=(unsigned char)(ssl->version);
753 » » buf[1]=TLS1_VERSION_MAJOR;
754 » » buf[2]=TLS1_VERSION_MINOR;
755 » » }
756 » else» {
757 » » buf[1]=(unsigned char)(ssl->version>>8);
758 » » buf[2]=(unsigned char)(ssl->version);
759 » » }
760
761 buf[3]=rec->length>>8; 908 buf[3]=rec->length>>8;
762 buf[4]=rec->length&0xff; 909 buf[4]=rec->length&0xff;
763 910
764 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 911 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
765 » HMAC_CTX_init(&hmac); 912 » if (stream_mac)
766 » HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); 913 » » {
914 » » » mac_ctx = hash;
915 » » }
916 » » else
917 » » {
918 » » » EVP_MD_CTX_copy(&hmac,hash);
919 » » » mac_ctx = &hmac;
920 » » }
767 921
768 » if (ssl->version == DTLS1_BAD_VER || 922 » if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER)
769 » (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_V ER))
770 { 923 {
771 unsigned char dtlsseq[8],*p=dtlsseq; 924 unsigned char dtlsseq[8],*p=dtlsseq;
925
772 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); 926 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
773 memcpy (p,&seq[2],6); 927 memcpy (p,&seq[2],6);
774 928
775 » » HMAC_Update(&hmac,dtlsseq,8); 929 » » EVP_DigestSignUpdate(mac_ctx,dtlsseq,8);
776 } 930 }
777 else 931 else
778 » » HMAC_Update(&hmac,seq,8); 932 » » EVP_DigestSignUpdate(mac_ctx,seq,8);
779 933
780 » HMAC_Update(&hmac,buf,5); 934 » EVP_DigestSignUpdate(mac_ctx,buf,5);
781 » HMAC_Update(&hmac,rec->input,rec->length); 935 » EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
782 » HMAC_Final(&hmac,md,&md_size); 936 » t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
783 » HMAC_CTX_cleanup(&hmac); 937 » OPENSSL_assert(t > 0);
784 938 » »
939 » if (!stream_mac) EVP_MD_CTX_cleanup(&hmac);
785 #ifdef TLS_DEBUG 940 #ifdef TLS_DEBUG
786 printf("sec="); 941 printf("sec=");
787 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\ n"); } 942 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\ n"); }
788 printf("seq="); 943 printf("seq=");
789 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 944 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
790 printf("buf="); 945 printf("buf=");
791 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 946 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
792 printf("rec="); 947 printf("rec=");
793 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\ n"); } 948 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\ n"); }
794 #endif 949 #endif
795 950
796 » if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_ VER) 951 » if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER)
797 { 952 {
798 for (i=7; i>=0; i--) 953 for (i=7; i>=0; i--)
799 { 954 {
800 ++seq[i]; 955 ++seq[i];
801 if (seq[i] != 0) break; 956 if (seq[i] != 0) break;
802 } 957 }
803 } 958 }
804 959
805 #ifdef TLS_DEBUG 960 #ifdef TLS_DEBUG
806 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 961 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
807 #endif 962 #endif
808 return(md_size); 963 return(md_size);
809 } 964 }
810 965
811 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 966 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
812 int len) 967 int len)
813 { 968 {
814 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
815 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 969 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
970 const void *co = NULL, *so = NULL;
971 int col = 0, sol = 0;
816 972
817 #ifdef KSSL_DEBUG 973 #ifdef KSSL_DEBUG
818 » printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", (void *)s,out, p ,len); 974 » printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
819 #endif /* KSSL_DEBUG */ 975 #endif /* KSSL_DEBUG */
820 976
821 » /* Setup the stuff to munge */ 977 #ifdef TLSEXT_TYPE_opaque_prf_input
822 » memcpy(buf,TLS_MD_MASTER_SECRET_CONST, 978 » if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_i nput != NULL &&
823 » » TLS_MD_MASTER_SECRET_CONST_SIZE); 979 » s->s3->client_opaque_prf_input_len > 0 &&
824 » memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]), 980 » s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input _len)
825 » » s->s3->client_random,SSL3_RANDOM_SIZE); 981 » » {
826 » memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]), 982 » » co = s->s3->client_opaque_prf_input;
827 » » s->s3->server_random,SSL3_RANDOM_SIZE); 983 » » col = s->s3->server_opaque_prf_input_len;
828 » tls1_PRF(s->ctx->md5,s->ctx->sha1, 984 » » so = s->s3->server_opaque_prf_input;
829 » » buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, 985 » » sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */
986 » » }
987 #endif
988
989 » tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
990 » » TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE,
991 » » s->s3->client_random,SSL3_RANDOM_SIZE,
992 » » co, col,
993 » » s->s3->server_random,SSL3_RANDOM_SIZE,
994 » » so, sol,
995 » » p,len,
830 s->session->master_key,buff,sizeof buff); 996 s->session->master_key,buff,sizeof buff);
997
831 #ifdef KSSL_DEBUG 998 #ifdef KSSL_DEBUG
832 printf ("tls1_generate_master_secret() complete\n"); 999 printf ("tls1_generate_master_secret() complete\n");
833 #endif /* KSSL_DEBUG */ 1000 #endif /* KSSL_DEBUG */
834 return(SSL3_MASTER_SECRET_SIZE); 1001 return(SSL3_MASTER_SECRET_SIZE);
835 } 1002 }
836 1003
837 int tls1_alert_code(int code) 1004 int tls1_alert_code(int code)
838 { 1005 {
839 switch (code) 1006 switch (code)
840 { 1007 {
(...skipping 14 matching lines...) Expand all
855 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); 1022 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA);
856 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 1023 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
857 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 1024 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
858 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 1025 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
859 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); 1026 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
860 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 1027 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
861 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 1028 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
862 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 1029 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
863 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); 1030 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
864 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 1031 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
865 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE 1032 » case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION) ;
1033 » case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAI NABLE);
1034 » case SSL_AD_UNRECOGNIZED_NAME:» return(TLS1_AD_UNRECOGNIZED_NAME);
1035 » case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFIC ATE_STATUS_RESPONSE);
1036 » case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_H ASH_VALUE);
1037 » case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
1038 #if 0 /* not appropriate for TLS, not used for DTLS */
866 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 1039 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
867 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 1040 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
868 #endif 1041 #endif
869 default: return(-1); 1042 default: return(-1);
870 } 1043 }
871 } 1044 }
872 1045
OLDNEW
« openssl.gyp ('K') | « openssl/ssl/t1_clnt.c ('k') | openssl/ssl/t1_lib.c » ('j') | patches/x509_hash_name_algorithm_change.patch » ('J')

Powered by Google App Engine
This is Rietveld 408576698