OLD | NEW |
| (Empty) |
1 /* ssl/t1_enc.c */ | |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | |
3 * All rights reserved. | |
4 * | |
5 * This package is an SSL implementation written | |
6 * by Eric Young (eay@cryptsoft.com). | |
7 * The implementation was written so as to conform with Netscapes SSL. | |
8 * | |
9 * This library is free for commercial and non-commercial use as long as | |
10 * the following conditions are aheared to. The following conditions | |
11 * apply to all code found in this distribution, be it the RC4, RSA, | |
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation | |
13 * included with this distribution is covered by the same copyright terms | |
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). | |
15 * | |
16 * Copyright remains Eric Young's, and as such any Copyright notices in | |
17 * the code are not to be removed. | |
18 * If this package is used in a product, Eric Young should be given attribution | |
19 * as the author of the parts of the library used. | |
20 * This can be in the form of a textual message at program startup or | |
21 * in documentation (online or textual) provided with the package. | |
22 * | |
23 * Redistribution and use in source and binary forms, with or without | |
24 * modification, are permitted provided that the following conditions | |
25 * are met: | |
26 * 1. Redistributions of source code must retain the copyright | |
27 * notice, this list of conditions and the following disclaimer. | |
28 * 2. Redistributions in binary form must reproduce the above copyright | |
29 * notice, this list of conditions and the following disclaimer in the | |
30 * documentation and/or other materials provided with the distribution. | |
31 * 3. All advertising materials mentioning features or use of this software | |
32 * must display the following acknowledgement: | |
33 * "This product includes cryptographic software written by | |
34 * Eric Young (eay@cryptsoft.com)" | |
35 * The word 'cryptographic' can be left out if the rouines from the library | |
36 * being used are not cryptographic related :-). | |
37 * 4. If you include any Windows specific code (or a derivative thereof) from | |
38 * the apps directory (application code) you must include an acknowledgement: | |
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | |
40 * | |
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | |
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 * SUCH DAMAGE. | |
52 * | |
53 * The licence and distribution terms for any publically available version or | |
54 * derivative of this code cannot be changed. i.e. this code cannot simply be | |
55 * copied and put under another distribution licence | |
56 * [including the GNU Public Licence.] | |
57 */ | |
58 /* ==================================================================== | |
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. | |
60 * | |
61 * Redistribution and use in source and binary forms, with or without | |
62 * modification, are permitted provided that the following conditions | |
63 * are met: | |
64 * | |
65 * 1. Redistributions of source code must retain the above copyright | |
66 * notice, this list of conditions and the following disclaimer. | |
67 * | |
68 * 2. Redistributions in binary form must reproduce the above copyright | |
69 * notice, this list of conditions and the following disclaimer in | |
70 * the documentation and/or other materials provided with the | |
71 * distribution. | |
72 * | |
73 * 3. All advertising materials mentioning features or use of this | |
74 * software must display the following acknowledgment: | |
75 * "This product includes software developed by the OpenSSL Project | |
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
77 * | |
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
79 * endorse or promote products derived from this software without | |
80 * prior written permission. For written permission, please contact | |
81 * openssl-core@openssl.org. | |
82 * | |
83 * 5. Products derived from this software may not be called "OpenSSL" | |
84 * nor may "OpenSSL" appear in their names without prior written | |
85 * permission of the OpenSSL Project. | |
86 * | |
87 * 6. Redistributions of any form whatsoever must retain the following | |
88 * acknowledgment: | |
89 * "This product includes software developed by the OpenSSL Project | |
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
91 * | |
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
103 * OF THE POSSIBILITY OF SUCH DAMAGE. | |
104 * ==================================================================== | |
105 * | |
106 * This product includes cryptographic software written by Eric Young | |
107 * (eay@cryptsoft.com). This product includes software written by Tim | |
108 * Hudson (tjh@cryptsoft.com). | |
109 * | |
110 */ | |
111 /* ==================================================================== | |
112 * Copyright 2005 Nokia. All rights reserved. | |
113 * | |
114 * The portions of the attached software ("Contribution") is developed by | |
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source | |
116 * license. | |
117 * | |
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of | |
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites | |
120 * support (see RFC 4279) to OpenSSL. | |
121 * | |
122 * No patent licenses or other rights except those expressly stated in | |
123 * the OpenSSL open source license shall be deemed granted or received | |
124 * expressly, by implication, estoppel, or otherwise. | |
125 * | |
126 * No assurances are provided by Nokia that the Contribution does not | |
127 * infringe the patent or other intellectual property rights of any third | |
128 * party or that the license provides you with all the necessary rights | |
129 * to make use of the Contribution. | |
130 * | |
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN | |
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA | |
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY | |
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR | |
135 * OTHERWISE. | |
136 */ | |
137 | |
138 #include <stdio.h> | |
139 #include "ssl_locl.h" | |
140 #ifndef OPENSSL_NO_COMP | |
141 #include <openssl/comp.h> | |
142 #endif | |
143 #include <openssl/evp.h> | |
144 #include <openssl/hmac.h> | |
145 #include <openssl/md5.h> | |
146 #include <openssl/rand.h> | |
147 #ifdef KSSL_DEBUG | |
148 #include <openssl/des.h> | |
149 #endif | |
150 | |
151 /* seed1 through seed5 are virtually concatenated */ | |
152 static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, | |
153 int sec_len, | |
154 const void *seed1, int seed1_len, | |
155 const void *seed2, int seed2_len, | |
156 const void *seed3, int seed3_len, | |
157 const void *seed4, int seed4_len, | |
158 const void *seed5, int seed5_len, | |
159 unsigned char *out, int olen) | |
160 { | |
161 int chunk; | |
162 size_t j; | |
163 EVP_MD_CTX ctx, ctx_tmp; | |
164 EVP_PKEY *mac_key; | |
165 unsigned char A1[EVP_MAX_MD_SIZE]; | |
166 size_t A1_len; | |
167 int ret = 0; | |
168 | |
169 chunk=EVP_MD_size(md); | |
170 OPENSSL_assert(chunk >= 0); | |
171 | |
172 EVP_MD_CTX_init(&ctx); | |
173 EVP_MD_CTX_init(&ctx_tmp); | |
174 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
175 EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
176 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); | |
177 if (!mac_key) | |
178 goto err; | |
179 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) | |
180 goto err; | |
181 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) | |
182 goto err; | |
183 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) | |
184 goto err; | |
185 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) | |
186 goto err; | |
187 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) | |
188 goto err; | |
189 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) | |
190 goto err; | |
191 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) | |
192 goto err; | |
193 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) | |
194 goto err; | |
195 | |
196 for (;;) | |
197 { | |
198 /* Reinit mac contexts */ | |
199 if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) | |
200 goto err; | |
201 if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) | |
202 goto err; | |
203 if (!EVP_DigestSignUpdate(&ctx,A1,A1_len)) | |
204 goto err; | |
205 if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len)) | |
206 goto err; | |
207 if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) | |
208 goto err; | |
209 if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) | |
210 goto err; | |
211 if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) | |
212 goto err; | |
213 if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) | |
214 goto err; | |
215 if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) | |
216 goto err; | |
217 | |
218 if (olen > chunk) | |
219 { | |
220 if (!EVP_DigestSignFinal(&ctx,out,&j)) | |
221 goto err; | |
222 out+=j; | |
223 olen-=j; | |
224 /* calc the next A1 value */ | |
225 if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len)) | |
226 goto err; | |
227 } | |
228 else /* last one */ | |
229 { | |
230 if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) | |
231 goto err; | |
232 memcpy(out,A1,olen); | |
233 break; | |
234 } | |
235 } | |
236 ret = 1; | |
237 err: | |
238 EVP_PKEY_free(mac_key); | |
239 EVP_MD_CTX_cleanup(&ctx); | |
240 EVP_MD_CTX_cleanup(&ctx_tmp); | |
241 OPENSSL_cleanse(A1,sizeof(A1)); | |
242 return ret; | |
243 } | |
244 | |
245 /* seed1 through seed5 are virtually concatenated */ | |
246 static int tls1_PRF(long digest_mask, | |
247 const void *seed1, int seed1_len, | |
248 const void *seed2, int seed2_len, | |
249 const void *seed3, int seed3_len, | |
250 const void *seed4, int seed4_len, | |
251 const void *seed5, int seed5_len, | |
252 const unsigned char *sec, int slen, | |
253 unsigned char *out1, | |
254 unsigned char *out2, int olen) | |
255 { | |
256 int len,i,idx,count; | |
257 const unsigned char *S1; | |
258 long m; | |
259 const EVP_MD *md; | |
260 int ret = 0; | |
261 | |
262 /* Count number of digests and partition sec evenly */ | |
263 count=0; | |
264 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { | |
265 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++; | |
266 } | |
267 len=slen/count; | |
268 if (count == 1) | |
269 slen = 0; | |
270 S1=sec; | |
271 memset(out1,0,olen); | |
272 for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { | |
273 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) { | |
274 if (!md) { | |
275 SSLerr(SSL_F_TLS1_PRF, | |
276 SSL_R_UNSUPPORTED_DIGEST_TYPE); | |
277 goto err; | |
278 } | |
279 if (!tls1_P_hash(md ,S1,len+(slen&1), | |
280 seed1,seed1_len,seed2,seed2_len,seed3,se
ed3_len,seed4,seed4_len,seed5,seed5_len, | |
281 out2,olen)) | |
282 goto err; | |
283 S1+=len; | |
284 for (i=0; i<olen; i++) | |
285 { | |
286 out1[i]^=out2[i]; | |
287 } | |
288 } | |
289 } | |
290 ret = 1; | |
291 err: | |
292 return ret; | |
293 } | |
294 static int tls1_generate_key_block(SSL *s, unsigned char *km, | |
295 unsigned char *tmp, int num) | |
296 { | |
297 int ret; | |
298 ret = tls1_PRF(ssl_get_algorithm2(s), | |
299 TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE, | |
300 s->s3->server_random,SSL3_RANDOM_SIZE, | |
301 s->s3->client_random,SSL3_RANDOM_SIZE, | |
302 NULL,0,NULL,0, | |
303 s->session->master_key,s->session->master_key_length, | |
304 km,tmp,num); | |
305 #ifdef KSSL_DEBUG | |
306 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", | |
307 s->session->master_key_length); | |
308 { | |
309 int i; | |
310 for (i=0; i < s->session->master_key_length; i++) | |
311 { | |
312 printf("%02X", s->session->master_key[i]); | |
313 } | |
314 printf("\n"); } | |
315 #endif /* KSSL_DEBUG */ | |
316 return ret; | |
317 } | |
318 | |
319 /* tls1_aead_ctx_init allocates |*aead_ctx|, if needed and returns 1. It | |
320 * returns 0 on malloc error. */ | |
321 static int tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) | |
322 { | |
323 if (*aead_ctx != NULL) | |
324 EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); | |
325 else | |
326 { | |
327 *aead_ctx = (SSL_AEAD_CTX*) OPENSSL_malloc(sizeof(SSL_AEAD_CTX))
; | |
328 if (*aead_ctx == NULL) | |
329 { | |
330 SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE); | |
331 return 0; | |
332 } | |
333 } | |
334 | |
335 return 1; | |
336 } | |
337 | |
338 static int tls1_change_cipher_state_aead(SSL *s, char is_read, | |
339 const unsigned char *key, unsigned key_len, | |
340 const unsigned char *iv, unsigned iv_len) | |
341 { | |
342 const EVP_AEAD *aead = s->s3->tmp.new_aead; | |
343 SSL_AEAD_CTX *aead_ctx; | |
344 | |
345 if (is_read) | |
346 { | |
347 if (!tls1_aead_ctx_init(&s->aead_read_ctx)) | |
348 return 0; | |
349 aead_ctx = s->aead_read_ctx; | |
350 } | |
351 else | |
352 { | |
353 if (!tls1_aead_ctx_init(&s->aead_write_ctx)) | |
354 return 0; | |
355 aead_ctx = s->aead_write_ctx; | |
356 } | |
357 | |
358 if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, | |
359 EVP_AEAD_DEFAULT_TAG_LENGTH, NULL /* engine */)) | |
360 return 0; | |
361 if (iv_len > sizeof(aead_ctx->fixed_nonce)) | |
362 { | |
363 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR
); | |
364 return 0; | |
365 } | |
366 memcpy(aead_ctx->fixed_nonce, iv, iv_len); | |
367 aead_ctx->fixed_nonce_len = iv_len; | |
368 aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ | |
369 aead_ctx->variable_nonce_included_in_record = | |
370 (s->s3->tmp.new_cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_VARIA
BLE_NONCE_INCLUDED_IN_RECORD) != 0; | |
371 if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != EVP_AEAD
_nonce_length(aead)) | |
372 { | |
373 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR
); | |
374 return 0; | |
375 } | |
376 aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); | |
377 | |
378 return 1; | |
379 } | |
380 | |
381 /* tls1_change_cipher_state_cipher performs the work needed to switch cipher | |
382 * states when using EVP_CIPHER. The argument |is_read| is true iff this | |
383 * function is being called due to reading, as opposed to writing, a | |
384 * ChangeCipherSpec message. In order to support export ciphersuites, | |
385 * use_client_keys indicates whether the key material provided is in the | |
386 * "client write" direction. */ | |
387 static int tls1_change_cipher_state_cipher( | |
388 SSL *s, char is_read, char use_client_keys, | |
389 const unsigned char *mac_secret, unsigned mac_secret_len, | |
390 const unsigned char *key, unsigned key_len, | |
391 const unsigned char *iv, unsigned iv_len) | |
392 { | |
393 const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc; | |
394 const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0; | |
395 EVP_CIPHER_CTX *cipher_ctx; | |
396 EVP_MD_CTX *mac_ctx; | |
397 char is_aead_cipher; | |
398 | |
399 unsigned char export_tmp1[EVP_MAX_KEY_LENGTH]; | |
400 unsigned char export_tmp2[EVP_MAX_KEY_LENGTH]; | |
401 unsigned char export_iv1[EVP_MAX_IV_LENGTH * 2]; | |
402 unsigned char export_iv2[EVP_MAX_IV_LENGTH * 2]; | |
403 | |
404 if (is_read) | |
405 { | |
406 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) | |
407 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; | |
408 else | |
409 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; | |
410 | |
411 if (s->enc_read_ctx != NULL) | |
412 EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); | |
413 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))
) == NULL) | |
414 goto err; | |
415 else | |
416 /* make sure it's intialized in case we exit later with
an error */ | |
417 EVP_CIPHER_CTX_init(s->enc_read_ctx); | |
418 | |
419 cipher_ctx = s->enc_read_ctx; | |
420 mac_ctx = ssl_replace_hash(&s->read_hash, NULL); | |
421 | |
422 memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_len); | |
423 s->s3->read_mac_secret_size = mac_secret_len; | |
424 } | |
425 else | |
426 { | |
427 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) | |
428 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; | |
429 else | |
430 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; | |
431 | |
432 if (s->enc_write_ctx != NULL) | |
433 EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); | |
434 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)
)) == NULL) | |
435 goto err; | |
436 else | |
437 /* make sure it's intialized in case we exit later with
an error */ | |
438 EVP_CIPHER_CTX_init(s->enc_write_ctx); | |
439 | |
440 cipher_ctx = s->enc_write_ctx; | |
441 mac_ctx = ssl_replace_hash(&s->write_hash, NULL); | |
442 | |
443 memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_len); | |
444 s->s3->write_mac_secret_size = mac_secret_len; | |
445 } | |
446 | |
447 if (is_export) | |
448 { | |
449 /* In here I set both the read and write key/iv to the | |
450 * same value since only the correct one will be used :-). | |
451 */ | |
452 const unsigned char *label; | |
453 unsigned label_len; | |
454 | |
455 if (use_client_keys) | |
456 { | |
457 label = (const unsigned char*) TLS_MD_CLIENT_WRITE_KEY_C
ONST; | |
458 label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; | |
459 } | |
460 else | |
461 { | |
462 label = (const unsigned char*) TLS_MD_SERVER_WRITE_KEY_C
ONST; | |
463 label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; | |
464 } | |
465 | |
466 if (!tls1_PRF(ssl_get_algorithm2(s), | |
467 label, label_len, | |
468 s->s3->client_random, SSL3_RANDOM_SIZE, | |
469 s->s3->server_random, SSL3_RANDOM_SIZE, | |
470 NULL, 0, NULL, 0, | |
471 key /* secret */, key_len /* secret length */, | |
472 export_tmp1 /* output */, | |
473 export_tmp2 /* scratch space */, | |
474 EVP_CIPHER_key_length(s->s3->tmp.new_sym_enc) /*
output length */)) | |
475 return 0; | |
476 key = export_tmp1; | |
477 | |
478 if (iv_len > 0) | |
479 { | |
480 static const unsigned char empty[] = ""; | |
481 | |
482 if (!tls1_PRF(ssl_get_algorithm2(s), | |
483 TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_C
ONST_SIZE, | |
484 s->s3->client_random, SSL3_RANDOM_SIZE, | |
485 s->s3->server_random, SSL3_RANDOM_SIZE, | |
486 NULL, 0, NULL, 0, | |
487 empty /* secret */ ,0 /* secret length *
/, | |
488 export_iv1 /* output */, | |
489 export_iv2 /* scratch space */, | |
490 iv_len * 2 /* output length */)) | |
491 return 0; | |
492 | |
493 if (use_client_keys) | |
494 iv = export_iv1; | |
495 else | |
496 iv = &export_iv1[iv_len]; | |
497 } | |
498 } | |
499 | |
500 /* is_aead_cipher indicates whether the EVP_CIPHER implements an AEAD | |
501 * interface. This is different from the newer EVP_AEAD interface. */ | |
502 is_aead_cipher = (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
!= 0; | |
503 | |
504 if (!is_aead_cipher) | |
505 { | |
506 EVP_PKEY *mac_key = | |
507 EVP_PKEY_new_mac_key(s->s3->tmp.new_mac_pkey_type, | |
508 NULL, mac_secret, mac_secret_len); | |
509 if (!mac_key) | |
510 return 0; | |
511 EVP_DigestSignInit(mac_ctx, NULL, s->s3->tmp.new_hash, NULL, mac
_key); | |
512 EVP_PKEY_free(mac_key); | |
513 } | |
514 | |
515 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | |
516 { | |
517 EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key, | |
518 NULL /* iv */, !is_read); | |
519 EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, iv_le
n, (void*) iv); | |
520 } | |
521 else | |
522 EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key, iv
, !is_read); | |
523 | |
524 /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ | |
525 if (is_aead_cipher && mac_secret_len > 0) | |
526 EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, | |
527 mac_secret_len, (void*) mac_secret); | |
528 | |
529 if (is_export) | |
530 { | |
531 OPENSSL_cleanse(export_tmp1, sizeof(export_tmp1)); | |
532 OPENSSL_cleanse(export_tmp2, sizeof(export_tmp1)); | |
533 OPENSSL_cleanse(export_iv1, sizeof(export_iv1)); | |
534 OPENSSL_cleanse(export_iv2, sizeof(export_iv2)); | |
535 } | |
536 | |
537 return 1; | |
538 | |
539 err: | |
540 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER, ERR_R_MALLOC_FAILURE); | |
541 return 0; | |
542 } | |
543 | |
544 int tls1_change_cipher_state(SSL *s, int which) | |
545 { | |
546 /* is_read is true if we have just read a ChangeCipherSpec message - | |
547 * i.e. we need to update the read cipherspec. Otherwise we have just | |
548 * written one. */ | |
549 const char is_read = (which & SSL3_CC_READ) != 0; | |
550 /* use_client_keys is true if we wish to use the keys for the "client | |
551 * write" direction. This is the case if we're a client sending a | |
552 * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. */ | |
553 const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE || | |
554 which == SSL3_CHANGE_CIPHER_SERVER_READ; | |
555 const unsigned char *client_write_mac_secret, *server_write_mac_secret,
*mac_secret; | |
556 const unsigned char *client_write_key, *server_write_key, *key; | |
557 const unsigned char *client_write_iv, *server_write_iv, *iv; | |
558 const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc; | |
559 const EVP_AEAD *aead = s->s3->tmp.new_aead; | |
560 unsigned key_len, iv_len, mac_secret_len; | |
561 const unsigned char *key_data; | |
562 const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0; | |
563 | |
564 /* Update compression contexts. */ | |
565 #ifndef OPENSSL_NO_COMP | |
566 const SSL_COMP *comp = s->s3->tmp.new_compression; | |
567 | |
568 if (is_read) | |
569 { | |
570 if (s->expand != NULL) | |
571 { | |
572 COMP_CTX_free(s->expand); | |
573 s->expand = NULL; | |
574 } | |
575 if (comp != NULL) | |
576 { | |
577 s->expand=COMP_CTX_new(comp->method); | |
578 if (s->expand == NULL) | |
579 { | |
580 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP
RESSION_LIBRARY_ERROR); | |
581 return 0; | |
582 } | |
583 if (s->s3->rrec.comp == NULL) | |
584 s->s3->rrec.comp = | |
585 (unsigned char *)OPENSSL_malloc(SSL3_RT_
MAX_ENCRYPTED_LENGTH); | |
586 if (s->s3->rrec.comp == NULL) | |
587 goto err; | |
588 } | |
589 } | |
590 else | |
591 { | |
592 if (s->compress != NULL) | |
593 { | |
594 COMP_CTX_free(s->compress); | |
595 s->compress = NULL; | |
596 } | |
597 if (comp != NULL) | |
598 { | |
599 s->compress = COMP_CTX_new(comp->method); | |
600 if (s->compress == NULL) | |
601 { | |
602 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP
RESSION_LIBRARY_ERROR); | |
603 return 0; | |
604 } | |
605 } | |
606 } | |
607 #endif /* OPENSSL_NO_COMP */ | |
608 | |
609 /* Reset sequence number to zero. */ | |
610 memset(is_read ? s->s3->read_sequence : s->s3->write_sequence, 0, 8); | |
611 | |
612 /* key_arg is used for SSLv2. We don't need it for TLS. */ | |
613 s->session->key_arg_length = 0; | |
614 | |
615 mac_secret_len = s->s3->tmp.new_mac_secret_size; | |
616 | |
617 if (aead != NULL) | |
618 { | |
619 key_len = EVP_AEAD_key_length(aead); | |
620 iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher); | |
621 } | |
622 else | |
623 { | |
624 key_len = EVP_CIPHER_key_length(cipher); | |
625 if (is_export && key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new
_cipher)) | |
626 key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); | |
627 | |
628 if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) | |
629 iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | |
630 else | |
631 iv_len = EVP_CIPHER_iv_length(cipher); | |
632 } | |
633 | |
634 key_data = s->s3->tmp.key_block; | |
635 client_write_mac_secret = key_data; key_data += mac_secret_len; | |
636 server_write_mac_secret = key_data; key_data += mac_secret_len; | |
637 client_write_key = key_data; key_data += key_len; | |
638 server_write_key = key_data; key_data += key_len; | |
639 client_write_iv = key_data; key_data += iv_len; | |
640 server_write_iv = key_data; key_data += iv_len; | |
641 | |
642 if (use_client_keys) | |
643 { | |
644 mac_secret = client_write_mac_secret; | |
645 key = client_write_key; | |
646 iv = client_write_iv; | |
647 } | |
648 else | |
649 { | |
650 mac_secret = server_write_mac_secret; | |
651 key = server_write_key; | |
652 iv = server_write_iv; | |
653 } | |
654 | |
655 if (key_data - s->s3->tmp.key_block != s->s3->tmp.key_block_length) | |
656 { | |
657 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); | |
658 return 0; | |
659 } | |
660 | |
661 if (aead != NULL) | |
662 { | |
663 if (!tls1_change_cipher_state_aead(s, is_read, | |
664 key, key_len, iv, iv_len)) | |
665 return 0; | |
666 } | |
667 else | |
668 { | |
669 if (!tls1_change_cipher_state_cipher(s, is_read, use_client_keys
, | |
670 mac_secret, mac_secret_len, | |
671 key, key_len, | |
672 iv, iv_len)) | |
673 return 0; | |
674 } | |
675 | |
676 return 1; | |
677 err: | |
678 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); | |
679 return 0; | |
680 } | |
681 | |
682 int tls1_setup_key_block(SSL *s) | |
683 { | |
684 unsigned char *p1,*p2=NULL; | |
685 const EVP_CIPHER *c = NULL; | |
686 const EVP_MD *hash = NULL; | |
687 const EVP_AEAD *aead = NULL; | |
688 int num; | |
689 SSL_COMP *comp; | |
690 int mac_type= NID_undef,mac_secret_size=0; | |
691 int ret=0; | |
692 unsigned key_len, iv_len; | |
693 | |
694 #ifdef KSSL_DEBUG | |
695 printf ("tls1_setup_key_block()\n"); | |
696 #endif /* KSSL_DEBUG */ | |
697 | |
698 if (s->s3->tmp.key_block_length != 0) | |
699 return(1); | |
700 | |
701 if (!ssl_cipher_get_comp(s->session, &comp)) | |
702 goto cipher_unavailable_err; | |
703 | |
704 if (s->session->cipher && | |
705 (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) | |
706 { | |
707 if (!ssl_cipher_get_evp_aead(s->session, &aead)) | |
708 goto cipher_unavailable_err; | |
709 key_len = EVP_AEAD_key_length(aead); | |
710 iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); | |
711 } | |
712 else | |
713 { | |
714 if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secre
t_size)) | |
715 goto cipher_unavailable_err; | |
716 key_len = EVP_CIPHER_key_length(c); | |
717 | |
718 if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) | |
719 iv_len = EVP_GCM_TLS_FIXED_IV_LEN; | |
720 else | |
721 iv_len = EVP_CIPHER_iv_length(c); | |
722 } | |
723 | |
724 s->s3->tmp.new_aead=aead; | |
725 s->s3->tmp.new_sym_enc=c; | |
726 s->s3->tmp.new_hash=hash; | |
727 s->s3->tmp.new_mac_pkey_type = mac_type; | |
728 s->s3->tmp.new_mac_secret_size = mac_secret_size; | |
729 | |
730 num=key_len+mac_secret_size+iv_len; | |
731 num*=2; | |
732 | |
733 ssl3_cleanup_key_block(s); | |
734 | |
735 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) | |
736 { | |
737 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); | |
738 goto err; | |
739 } | |
740 | |
741 s->s3->tmp.key_block_length=num; | |
742 s->s3->tmp.key_block=p1; | |
743 | |
744 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) | |
745 { | |
746 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); | |
747 goto err; | |
748 } | |
749 | |
750 #ifdef TLS_DEBUG | |
751 printf("client random\n"); | |
752 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random
[z],((z+1)%16)?' ':'\n'); } | |
753 printf("server random\n"); | |
754 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random
[z],((z+1)%16)?' ':'\n'); } | |
755 printf("pre-master\n"); | |
756 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->sess
ion->master_key[z],((z+1)%16)?' ':'\n'); } | |
757 #endif | |
758 if (!tls1_generate_key_block(s,p1,p2,num)) | |
759 goto err; | |
760 #ifdef TLS_DEBUG | |
761 printf("\nkey block\n"); | |
762 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } | |
763 #endif | |
764 | |
765 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) | |
766 && s->method->version <= TLS1_VERSION) | |
767 { | |
768 /* enable vulnerability countermeasure for CBC ciphers with | |
769 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) | |
770 */ | |
771 s->s3->need_empty_fragments = 1; | |
772 | |
773 if (s->session->cipher != NULL) | |
774 { | |
775 if (s->session->cipher->algorithm_enc == SSL_eNULL) | |
776 s->s3->need_empty_fragments = 0; | |
777 | |
778 #ifndef OPENSSL_NO_RC4 | |
779 if (s->session->cipher->algorithm_enc == SSL_RC4) | |
780 s->s3->need_empty_fragments = 0; | |
781 #endif | |
782 } | |
783 } | |
784 | |
785 ret = 1; | |
786 err: | |
787 if (p2) | |
788 { | |
789 OPENSSL_cleanse(p2,num); | |
790 OPENSSL_free(p2); | |
791 } | |
792 return(ret); | |
793 | |
794 cipher_unavailable_err: | |
795 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | |
796 return 0; | |
797 } | |
798 | |
799 /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. | |
800 * | |
801 * Returns: | |
802 * 0: (in non-constant time) if the record is publically invalid (i.e. too | |
803 * short etc). | |
804 * 1: if the record's padding is valid / the encryption was successful. | |
805 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, | |
806 * an internal error occured. | |
807 */ | |
808 int tls1_enc(SSL *s, int send) | |
809 { | |
810 SSL3_RECORD *rec; | |
811 EVP_CIPHER_CTX *ds; | |
812 unsigned long l; | |
813 int bs,i,j,k,pad=0,ret,mac_size=0; | |
814 const EVP_CIPHER *enc; | |
815 const SSL_AEAD_CTX *aead; | |
816 | |
817 if (send) | |
818 rec = &s->s3->wrec; | |
819 else | |
820 rec = &s->s3->rrec; | |
821 | |
822 if (send) | |
823 aead = s->aead_write_ctx; | |
824 else | |
825 aead = s->aead_read_ctx; | |
826 | |
827 if (aead) | |
828 { | |
829 unsigned char ad[13], *seq, *in, *out, nonce[16]; | |
830 unsigned nonce_used; | |
831 ssize_t n; | |
832 | |
833 seq = send ? s->s3->write_sequence : s->s3->read_sequence; | |
834 | |
835 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) | |
836 { | |
837 unsigned char dtlsseq[9], *p = dtlsseq; | |
838 | |
839 s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p); | |
840 memcpy(p, &seq[2], 6); | |
841 memcpy(ad, dtlsseq, 8); | |
842 } | |
843 else | |
844 { | |
845 memcpy(ad, seq, 8); | |
846 for (i=7; i>=0; i--) /* increment */ | |
847 { | |
848 ++seq[i]; | |
849 if (seq[i] != 0) | |
850 break; | |
851 } | |
852 } | |
853 | |
854 ad[8] = rec->type; | |
855 ad[9] = (unsigned char)(s->version>>8); | |
856 ad[10] = (unsigned char)(s->version); | |
857 | |
858 if (aead->fixed_nonce_len + aead->variable_nonce_len > sizeof(no
nce) || | |
859 aead->variable_nonce_len > 8) | |
860 return -1; /* internal error - should never happen. */ | |
861 | |
862 memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); | |
863 nonce_used = aead->fixed_nonce_len; | |
864 | |
865 if (send) | |
866 { | |
867 size_t len = rec->length; | |
868 size_t eivlen = 0; | |
869 in = rec->input; | |
870 out = rec->data; | |
871 | |
872 /* When sending we use the sequence number as the | |
873 * variable part of the nonce. */ | |
874 if (aead->variable_nonce_len > 8) | |
875 return -1; | |
876 memcpy(nonce + nonce_used, ad, aead->variable_nonce_len)
; | |
877 nonce_used += aead->variable_nonce_len; | |
878 | |
879 /* in do_ssl3_write, rec->input is moved forward by | |
880 * variable_nonce_len in order to leave space for the | |
881 * variable nonce. Thus we can copy the sequence number | |
882 * bytes into place without overwriting any of the | |
883 * plaintext. */ | |
884 if (aead->variable_nonce_included_in_record) | |
885 { | |
886 memcpy(out, ad, aead->variable_nonce_len); | |
887 len -= aead->variable_nonce_len; | |
888 eivlen = aead->variable_nonce_len; | |
889 } | |
890 | |
891 ad[11] = len >> 8; | |
892 ad[12] = len & 0xff; | |
893 | |
894 n = EVP_AEAD_CTX_seal(&aead->ctx, | |
895 out + eivlen, len + aead->tag_len, | |
896 nonce, nonce_used, | |
897 in + eivlen, len, | |
898 ad, sizeof(ad)); | |
899 if (n >= 0 && aead->variable_nonce_included_in_record) | |
900 n += aead->variable_nonce_len; | |
901 } | |
902 else | |
903 { | |
904 /* receive */ | |
905 size_t len = rec->length; | |
906 | |
907 if (rec->data != rec->input) | |
908 return -1; /* internal error - should never hap
pen. */ | |
909 out = in = rec->input; | |
910 | |
911 if (len < aead->variable_nonce_len) | |
912 return 0; | |
913 memcpy(nonce + nonce_used, | |
914 aead->variable_nonce_included_in_record ? in : ad
, | |
915 aead->variable_nonce_len); | |
916 nonce_used += aead->variable_nonce_len; | |
917 | |
918 if (aead->variable_nonce_included_in_record) | |
919 { | |
920 in += aead->variable_nonce_len; | |
921 len -= aead->variable_nonce_len; | |
922 out += aead->variable_nonce_len; | |
923 } | |
924 | |
925 if (len < aead->tag_len) | |
926 return 0; | |
927 len -= aead->tag_len; | |
928 | |
929 ad[11] = len >> 8; | |
930 ad[12] = len & 0xff; | |
931 | |
932 n = EVP_AEAD_CTX_open(&aead->ctx, out, len, nonce, nonce
_used, | |
933 in, len + aead->tag_len, ad, sizeo
f(ad)); | |
934 | |
935 rec->data = rec->input = out; | |
936 } | |
937 | |
938 if (n == -1) | |
939 return -1; | |
940 rec->length = n; | |
941 return 1; | |
942 } | |
943 | |
944 if (send) | |
945 { | |
946 if (EVP_MD_CTX_md(s->write_hash)) | |
947 { | |
948 int n=EVP_MD_CTX_size(s->write_hash); | |
949 OPENSSL_assert(n >= 0); | |
950 } | |
951 ds=s->enc_write_ctx; | |
952 rec= &(s->s3->wrec); | |
953 if (s->enc_write_ctx == NULL) | |
954 enc=NULL; | |
955 else | |
956 { | |
957 int ivlen; | |
958 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); | |
959 /* For TLSv1.1 and later explicit IV */ | |
960 if (s->version >= TLS1_1_VERSION | |
961 && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) | |
962 ivlen = EVP_CIPHER_iv_length(enc); | |
963 else | |
964 ivlen = 0; | |
965 if (ivlen > 1) | |
966 { | |
967 if ( rec->data != rec->input) | |
968 /* we can't write into the input stream: | |
969 * Can this ever happen?? (steve) | |
970 */ | |
971 fprintf(stderr, | |
972 "%s:%d: rec->data != rec->input\
n", | |
973 __FILE__, __LINE__); | |
974 else if (RAND_bytes(rec->input, ivlen) <= 0) | |
975 return -1; | |
976 } | |
977 } | |
978 } | |
979 else | |
980 { | |
981 if (EVP_MD_CTX_md(s->read_hash)) | |
982 { | |
983 int n=EVP_MD_CTX_size(s->read_hash); | |
984 OPENSSL_assert(n >= 0); | |
985 } | |
986 ds=s->enc_read_ctx; | |
987 rec= &(s->s3->rrec); | |
988 if (s->enc_read_ctx == NULL) | |
989 enc=NULL; | |
990 else | |
991 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); | |
992 } | |
993 | |
994 #ifdef KSSL_DEBUG | |
995 printf("tls1_enc(%d)\n", send); | |
996 #endif /* KSSL_DEBUG */ | |
997 | |
998 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) | |
999 { | |
1000 memmove(rec->data,rec->input,rec->length); | |
1001 rec->input=rec->data; | |
1002 ret = 1; | |
1003 } | |
1004 else | |
1005 { | |
1006 l=rec->length; | |
1007 bs=EVP_CIPHER_block_size(ds->cipher); | |
1008 | |
1009 if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) | |
1010 { | |
1011 unsigned char buf[13],*seq; | |
1012 | |
1013 seq = send?s->s3->write_sequence:s->s3->read_sequence; | |
1014 | |
1015 if (s->version == DTLS1_VERSION || s->version == DTLS1_B
AD_VER) | |
1016 { | |
1017 unsigned char dtlsseq[9],*p=dtlsseq; | |
1018 | |
1019 s2n(send?s->d1->w_epoch:s->d1->r_epoch,p); | |
1020 memcpy(p,&seq[2],6); | |
1021 memcpy(buf,dtlsseq,8); | |
1022 } | |
1023 else | |
1024 { | |
1025 memcpy(buf,seq,8); | |
1026 for (i=7; i>=0; i--) /* increment */ | |
1027 { | |
1028 ++seq[i]; | |
1029 if (seq[i] != 0) break; | |
1030 } | |
1031 } | |
1032 | |
1033 buf[8]=rec->type; | |
1034 buf[9]=(unsigned char)(s->version>>8); | |
1035 buf[10]=(unsigned char)(s->version); | |
1036 buf[11]=rec->length>>8; | |
1037 buf[12]=rec->length&0xff; | |
1038 pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf
); | |
1039 if (send) | |
1040 { | |
1041 l+=pad; | |
1042 rec->length+=pad; | |
1043 } | |
1044 } | |
1045 else if ((bs != 1) && send) | |
1046 { | |
1047 i=bs-((int)l%bs); | |
1048 | |
1049 /* Add weird padding of upto 256 bytes */ | |
1050 | |
1051 /* we need to add 'i' padding bytes of value j */ | |
1052 j=i-1; | |
1053 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) | |
1054 { | |
1055 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) | |
1056 j++; | |
1057 } | |
1058 for (k=(int)l; k<(int)(l+i); k++) | |
1059 rec->input[k]=j; | |
1060 l+=i; | |
1061 rec->length+=i; | |
1062 } | |
1063 | |
1064 #ifdef KSSL_DEBUG | |
1065 { | |
1066 unsigned long ui; | |
1067 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n
", | |
1068 ds,rec->data,rec->input,l); | |
1069 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_
len\n", | |
1070 ds->buf_len, ds->cipher->key_len, | |
1071 DES_KEY_SZ, DES_SCHEDULE_SZ, | |
1072 ds->cipher->iv_len); | |
1073 printf("\t\tIV: "); | |
1074 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); | |
1075 printf("\n"); | |
1076 printf("\trec->input="); | |
1077 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); | |
1078 printf("\n"); | |
1079 } | |
1080 #endif /* KSSL_DEBUG */ | |
1081 | |
1082 if (!send) | |
1083 { | |
1084 if (l == 0 || l%bs != 0) | |
1085 return 0; | |
1086 } | |
1087 | |
1088 i = EVP_Cipher(ds,rec->data,rec->input,l); | |
1089 if ((EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_CUSTOM_CIPHER) | |
1090 ?(i<0) | |
1091 :(i==0)) | |
1092 return -1; /* AEAD can fail to verify MAC */ | |
1093 if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) | |
1094 { | |
1095 rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1096 rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1097 rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; | |
1098 } | |
1099 | |
1100 #ifdef KSSL_DEBUG | |
1101 { | |
1102 unsigned long i; | |
1103 printf("\trec->data="); | |
1104 for (i=0; i<l; i++) | |
1105 printf(" %02x", rec->data[i]); printf("\n"); | |
1106 } | |
1107 #endif /* KSSL_DEBUG */ | |
1108 | |
1109 ret = 1; | |
1110 if (EVP_MD_CTX_md(s->read_hash) != NULL) | |
1111 mac_size = EVP_MD_CTX_size(s->read_hash); | |
1112 if ((bs != 1) && !send) | |
1113 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); | |
1114 if (pad && !send) | |
1115 rec->length -= pad; | |
1116 } | |
1117 return ret; | |
1118 } | |
1119 | |
1120 int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) | |
1121 { | |
1122 unsigned int ret; | |
1123 EVP_MD_CTX ctx, *d=NULL; | |
1124 int i; | |
1125 | |
1126 if (s->s3->handshake_buffer) | |
1127 if (!ssl3_digest_cached_records(s)) | |
1128 return 0; | |
1129 | |
1130 for (i=0;i<SSL_MAX_DIGEST;i++) | |
1131 { | |
1132 if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake
_dgst[i])==md_nid) | |
1133 { | |
1134 d=s->s3->handshake_dgst[i]; | |
1135 break; | |
1136 } | |
1137 } | |
1138 if (!d) { | |
1139 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST); | |
1140 return 0; | |
1141 } | |
1142 | |
1143 EVP_MD_CTX_init(&ctx); | |
1144 EVP_MD_CTX_copy_ex(&ctx,d); | |
1145 EVP_DigestFinal_ex(&ctx,out,&ret); | |
1146 EVP_MD_CTX_cleanup(&ctx); | |
1147 return((int)ret); | |
1148 } | |
1149 | |
1150 /* tls1_handshake_digest calculates the current handshake hash and writes it to | |
1151 * |out|, which has space for |out_len| bytes. It returns the number of bytes | |
1152 * written or -1 in the event of an error. This function works on a copy of the | |
1153 * underlying digests so can be called multiple times and prior to the final | |
1154 * update etc. */ | |
1155 int tls1_handshake_digest(SSL *s, unsigned char *out, size_t out_len) | |
1156 { | |
1157 const EVP_MD *md; | |
1158 EVP_MD_CTX ctx; | |
1159 int i, err = 0, len = 0; | |
1160 long mask; | |
1161 | |
1162 EVP_MD_CTX_init(&ctx); | |
1163 | |
1164 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) | |
1165 { | |
1166 int hash_size; | |
1167 unsigned int digest_len; | |
1168 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[i]; | |
1169 | |
1170 if ((mask & ssl_get_algorithm2(s)) == 0) | |
1171 continue; | |
1172 | |
1173 hash_size = EVP_MD_size(md); | |
1174 if (!hdgst || hash_size < 0 || (size_t)hash_size > out_len) | |
1175 { | |
1176 err = 1; | |
1177 break; | |
1178 } | |
1179 | |
1180 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || | |
1181 !EVP_DigestFinal_ex(&ctx, out, &digest_len) || | |
1182 digest_len != (unsigned int)hash_size) /* internal error */ | |
1183 { | |
1184 err = 1; | |
1185 break; | |
1186 } | |
1187 out += digest_len; | |
1188 out_len -= digest_len; | |
1189 len += digest_len; | |
1190 } | |
1191 | |
1192 EVP_MD_CTX_cleanup(&ctx); | |
1193 | |
1194 if (err != 0) | |
1195 return -1; | |
1196 return len; | |
1197 } | |
1198 | |
1199 int tls1_final_finish_mac(SSL *s, | |
1200 const char *str, int slen, unsigned char *out) | |
1201 { | |
1202 unsigned char buf[2*EVP_MAX_MD_SIZE]; | |
1203 unsigned char buf2[12]; | |
1204 int err=0; | |
1205 int digests_len; | |
1206 | |
1207 if (s->s3->handshake_buffer) | |
1208 if (!ssl3_digest_cached_records(s)) | |
1209 return 0; | |
1210 | |
1211 digests_len = tls1_handshake_digest(s, buf, sizeof(buf)); | |
1212 if (digests_len < 0) | |
1213 { | |
1214 err = 1; | |
1215 digests_len = 0; | |
1216 } | |
1217 | |
1218 if (!tls1_PRF(ssl_get_algorithm2(s), | |
1219 str,slen, buf, digests_len, NULL,0, NULL,0, NULL,0, | |
1220 s->session->master_key,s->session->master_key_length, | |
1221 out,buf2,sizeof buf2)) | |
1222 err = 1; | |
1223 | |
1224 if (err) | |
1225 return 0; | |
1226 else | |
1227 return sizeof buf2; | |
1228 } | |
1229 | |
1230 int tls1_mac(SSL *ssl, unsigned char *md, int send) | |
1231 { | |
1232 SSL3_RECORD *rec; | |
1233 unsigned char *seq; | |
1234 EVP_MD_CTX *hash; | |
1235 size_t md_size, orig_len; | |
1236 int i; | |
1237 EVP_MD_CTX hmac, *mac_ctx; | |
1238 unsigned char header[13]; | |
1239 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):
(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); | |
1240 int t; | |
1241 | |
1242 if (send) | |
1243 { | |
1244 rec= &(ssl->s3->wrec); | |
1245 seq= &(ssl->s3->write_sequence[0]); | |
1246 hash=ssl->write_hash; | |
1247 } | |
1248 else | |
1249 { | |
1250 rec= &(ssl->s3->rrec); | |
1251 seq= &(ssl->s3->read_sequence[0]); | |
1252 hash=ssl->read_hash; | |
1253 } | |
1254 | |
1255 t=EVP_MD_CTX_size(hash); | |
1256 OPENSSL_assert(t >= 0); | |
1257 md_size=t; | |
1258 | |
1259 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ | |
1260 if (stream_mac) | |
1261 { | |
1262 mac_ctx = hash; | |
1263 } | |
1264 else | |
1265 { | |
1266 EVP_MD_CTX_copy(&hmac,hash); | |
1267 mac_ctx = &hmac; | |
1268 } | |
1269 | |
1270 if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) | |
1271 { | |
1272 unsigned char dtlsseq[8],*p=dtlsseq; | |
1273 | |
1274 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); | |
1275 memcpy (p,&seq[2],6); | |
1276 | |
1277 memcpy(header, dtlsseq, 8); | |
1278 } | |
1279 else | |
1280 memcpy(header, seq, 8); | |
1281 | |
1282 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ | |
1283 orig_len = rec->length+md_size+((unsigned int)rec->type>>8); | |
1284 rec->type &= 0xff; | |
1285 | |
1286 header[8]=rec->type; | |
1287 header[9]=(unsigned char)(ssl->version>>8); | |
1288 header[10]=(unsigned char)(ssl->version); | |
1289 header[11]=(rec->length)>>8; | |
1290 header[12]=(rec->length)&0xff; | |
1291 | |
1292 if (!send && | |
1293 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && | |
1294 ssl3_cbc_record_digest_supported(mac_ctx)) | |
1295 { | |
1296 /* This is a CBC-encrypted record. We must avoid leaking any | |
1297 * timing-side channel information about how many blocks of | |
1298 * data we are hashing because that gives an attacker a | |
1299 * timing-oracle. */ | |
1300 ssl3_cbc_digest_record( | |
1301 mac_ctx, | |
1302 md, &md_size, | |
1303 header, rec->input, | |
1304 rec->length + md_size, orig_len, | |
1305 ssl->s3->read_mac_secret, | |
1306 ssl->s3->read_mac_secret_size, | |
1307 0 /* not SSLv3 */); | |
1308 } | |
1309 else | |
1310 { | |
1311 EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); | |
1312 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); | |
1313 t=EVP_DigestSignFinal(mac_ctx,md,&md_size); | |
1314 OPENSSL_assert(t > 0); | |
1315 #ifdef OPENSSL_FIPS | |
1316 if (!send && FIPS_mode()) | |
1317 tls_fips_digest_extra( | |
1318 ssl->enc_read_ctx, | |
1319 mac_ctx, rec->input, | |
1320 rec->length, orig_len); | |
1321 #endif | |
1322 } | |
1323 | |
1324 if (!stream_mac) | |
1325 EVP_MD_CTX_cleanup(&hmac); | |
1326 #ifdef TLS_DEBUG | |
1327 printf("sec="); | |
1328 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\
n"); } | |
1329 printf("seq="); | |
1330 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } | |
1331 printf("buf="); | |
1332 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } | |
1333 printf("rec="); | |
1334 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\
n"); } | |
1335 #endif | |
1336 | |
1337 if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) | |
1338 { | |
1339 for (i=7; i>=0; i--) | |
1340 { | |
1341 ++seq[i]; | |
1342 if (seq[i] != 0) break; | |
1343 } | |
1344 } | |
1345 | |
1346 #ifdef TLS_DEBUG | |
1347 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n");
} | |
1348 #endif | |
1349 return(md_size); | |
1350 } | |
1351 | |
1352 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, | |
1353 int len) | |
1354 { | |
1355 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; | |
1356 const void *co = NULL, *so = NULL; | |
1357 int col = 0, sol = 0; | |
1358 | |
1359 | |
1360 #ifdef KSSL_DEBUG | |
1361 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); | |
1362 #endif /* KSSL_DEBUG */ | |
1363 | |
1364 #ifdef TLSEXT_TYPE_opaque_prf_input | |
1365 if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_i
nput != NULL && | |
1366 s->s3->client_opaque_prf_input_len > 0 && | |
1367 s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input
_len) | |
1368 { | |
1369 co = s->s3->client_opaque_prf_input; | |
1370 col = s->s3->server_opaque_prf_input_len; | |
1371 so = s->s3->server_opaque_prf_input; | |
1372 sol = s->s3->client_opaque_prf_input_len; /* must be same as col
(see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */ | |
1373 } | |
1374 #endif | |
1375 | |
1376 tls1_PRF(ssl_get_algorithm2(s), | |
1377 TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE, | |
1378 s->s3->client_random,SSL3_RANDOM_SIZE, | |
1379 co, col, | |
1380 s->s3->server_random,SSL3_RANDOM_SIZE, | |
1381 so, sol, | |
1382 p,len, | |
1383 s->session->master_key,buff,sizeof buff); | |
1384 #ifdef SSL_DEBUG | |
1385 fprintf(stderr, "Premaster Secret:\n"); | |
1386 BIO_dump_fp(stderr, (char *)p, len); | |
1387 fprintf(stderr, "Client Random:\n"); | |
1388 BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE); | |
1389 fprintf(stderr, "Server Random:\n"); | |
1390 BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE); | |
1391 fprintf(stderr, "Master Secret:\n"); | |
1392 BIO_dump_fp(stderr, (char *)s->session->master_key, SSL3_MASTER_SECRET_S
IZE); | |
1393 #endif | |
1394 | |
1395 #ifdef KSSL_DEBUG | |
1396 printf ("tls1_generate_master_secret() complete\n"); | |
1397 #endif /* KSSL_DEBUG */ | |
1398 return(SSL3_MASTER_SECRET_SIZE); | |
1399 } | |
1400 | |
1401 int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, | |
1402 const char *label, size_t llen, const unsigned char *context, | |
1403 size_t contextlen, int use_context) | |
1404 { | |
1405 unsigned char *buff; | |
1406 unsigned char *val = NULL; | |
1407 size_t vallen, currentvalpos; | |
1408 int rv; | |
1409 | |
1410 #ifdef KSSL_DEBUG | |
1411 printf ("tls1_export_keying_material(%p,%p,%d,%s,%d,%p,%d)\n", s, out, o
len, label, llen, p, plen); | |
1412 #endif /* KSSL_DEBUG */ | |
1413 | |
1414 buff = OPENSSL_malloc(olen); | |
1415 if (buff == NULL) goto err2; | |
1416 | |
1417 /* construct PRF arguments | |
1418 * we construct the PRF argument ourself rather than passing separate | |
1419 * values into the TLS PRF to ensure that the concatenation of values | |
1420 * does not create a prohibited label. | |
1421 */ | |
1422 vallen = llen + SSL3_RANDOM_SIZE * 2; | |
1423 if (use_context) | |
1424 { | |
1425 vallen += 2 + contextlen; | |
1426 } | |
1427 | |
1428 val = OPENSSL_malloc(vallen); | |
1429 if (val == NULL) goto err2; | |
1430 currentvalpos = 0; | |
1431 memcpy(val + currentvalpos, (unsigned char *) label, llen); | |
1432 currentvalpos += llen; | |
1433 memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); | |
1434 currentvalpos += SSL3_RANDOM_SIZE; | |
1435 memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); | |
1436 currentvalpos += SSL3_RANDOM_SIZE; | |
1437 | |
1438 if (use_context) | |
1439 { | |
1440 val[currentvalpos] = (contextlen >> 8) & 0xff; | |
1441 currentvalpos++; | |
1442 val[currentvalpos] = contextlen & 0xff; | |
1443 currentvalpos++; | |
1444 if ((contextlen > 0) || (context != NULL)) | |
1445 { | |
1446 memcpy(val + currentvalpos, context, contextlen); | |
1447 } | |
1448 } | |
1449 | |
1450 /* disallow prohibited labels | |
1451 * note that SSL3_RANDOM_SIZE > max(prohibited label len) = | |
1452 * 15, so size of val > max(prohibited label len) = 15 and the | |
1453 * comparisons won't have buffer overflow | |
1454 */ | |
1455 if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, | |
1456 TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) goto err1; | |
1457 if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, | |
1458 TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) goto err1; | |
1459 if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, | |
1460 TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) goto err1; | |
1461 if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, | |
1462 TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) goto err1; | |
1463 | |
1464 rv = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, | |
1465 val, vallen, | |
1466 NULL, 0, | |
1467 NULL, 0, | |
1468 NULL, 0, | |
1469 NULL, 0, | |
1470 s->session->master_key,s->session->master_key_length, | |
1471 out,buff,olen); | |
1472 | |
1473 #ifdef KSSL_DEBUG | |
1474 printf ("tls1_export_keying_material() complete\n"); | |
1475 #endif /* KSSL_DEBUG */ | |
1476 goto ret; | |
1477 err1: | |
1478 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, SSL_R_TLS_ILLEGAL_EXPORTER_LAB
EL); | |
1479 rv = 0; | |
1480 goto ret; | |
1481 err2: | |
1482 SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); | |
1483 rv = 0; | |
1484 ret: | |
1485 if (buff != NULL) OPENSSL_free(buff); | |
1486 if (val != NULL) OPENSSL_free(val); | |
1487 return(rv); | |
1488 } | |
1489 | |
1490 int tls1_alert_code(int code) | |
1491 { | |
1492 switch (code) | |
1493 { | |
1494 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); | |
1495 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); | |
1496 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); | |
1497 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); | |
1498 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); | |
1499 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); | |
1500 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); | |
1501 case SSL_AD_NO_CERTIFICATE: return(-1); | |
1502 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); | |
1503 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICA
TE); | |
1504 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); | |
1505 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); | |
1506 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); | |
1507 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); | |
1508 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); | |
1509 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); | |
1510 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); | |
1511 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); | |
1512 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); | |
1513 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); | |
1514 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); | |
1515 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); | |
1516 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); | |
1517 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); | |
1518 case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION)
; | |
1519 case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAI
NABLE); | |
1520 case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME); | |
1521 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFIC
ATE_STATUS_RESPONSE); | |
1522 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_H
ASH_VALUE); | |
1523 case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); | |
1524 #if 0 /* not appropriate for TLS, not used for DTLS */ | |
1525 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return | |
1526 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); | |
1527 #endif | |
1528 default: return(-1); | |
1529 } | |
1530 } | |
OLD | NEW |