OLD | NEW |
1 /* ssl/t1_enc.c */ | 1 /* ssl/t1_enc.c */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
(...skipping 298 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
309 int i; | 309 int i; |
310 for (i=0; i < s->session->master_key_length; i++) | 310 for (i=0; i < s->session->master_key_length; i++) |
311 { | 311 { |
312 printf("%02X", s->session->master_key[i]); | 312 printf("%02X", s->session->master_key[i]); |
313 } | 313 } |
314 printf("\n"); } | 314 printf("\n"); } |
315 #endif /* KSSL_DEBUG */ | 315 #endif /* KSSL_DEBUG */ |
316 return ret; | 316 return ret; |
317 } | 317 } |
318 | 318 |
319 int tls1_change_cipher_state(SSL *s, int which) | 319 /* tls1_aead_ctx_init allocates |*aead_ctx|, if needed and returns 1. It |
| 320 * returns 0 on malloc error. */ |
| 321 static int tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) |
320 { | 322 { |
321 » static const unsigned char empty[]=""; | 323 » if (*aead_ctx != NULL) |
322 » unsigned char *p,*mac_secret; | 324 » » EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx); |
323 » unsigned char *exp_label; | 325 » else |
324 » unsigned char tmp1[EVP_MAX_KEY_LENGTH]; | 326 » » { |
325 » unsigned char tmp2[EVP_MAX_KEY_LENGTH]; | 327 » » *aead_ctx = (SSL_AEAD_CTX*) OPENSSL_malloc(sizeof(SSL_AEAD_CTX))
; |
326 » unsigned char iv1[EVP_MAX_IV_LENGTH*2]; | 328 » » if (*aead_ctx == NULL) |
327 » unsigned char iv2[EVP_MAX_IV_LENGTH*2]; | 329 » » » { |
328 » unsigned char *ms,*key,*iv; | 330 » » » SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE); |
329 » int client_write; | 331 » » » return 0; |
330 » EVP_CIPHER_CTX *dd; | 332 » » » } |
331 » const EVP_CIPHER *c; | 333 » » } |
332 #ifndef OPENSSL_NO_COMP | 334 |
333 » const SSL_COMP *comp; | 335 » return 1; |
334 #endif | 336 » } |
335 » const EVP_MD *m; | 337 |
336 » int mac_type; | 338 static int tls1_change_cipher_state_aead(SSL *s, char is_read, |
337 » int *mac_secret_size; | 339 » const unsigned char *key, unsigned key_len, |
| 340 » const unsigned char *iv, unsigned iv_len) |
| 341 » { |
| 342 » const EVP_AEAD *aead = s->s3->tmp.new_aead; |
| 343 » SSL_AEAD_CTX *aead_ctx; |
| 344 |
| 345 » if (is_read) |
| 346 » » { |
| 347 » » if (!tls1_aead_ctx_init(&s->aead_read_ctx)) |
| 348 » » » return 0; |
| 349 » » aead_ctx = s->aead_read_ctx; |
| 350 » » } |
| 351 » else |
| 352 » » { |
| 353 » » if (!tls1_aead_ctx_init(&s->aead_write_ctx)) |
| 354 » » » return 0; |
| 355 » » aead_ctx = s->aead_write_ctx; |
| 356 » » } |
| 357 |
| 358 » if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, |
| 359 » » » EVP_AEAD_DEFAULT_TAG_LENGTH, NULL /* engine */)) |
| 360 » » return 0; |
| 361 » if (iv_len > sizeof(aead_ctx->fixed_nonce)) |
| 362 » » { |
| 363 » » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR
); |
| 364 » » return 0; |
| 365 » » } |
| 366 » memcpy(aead_ctx->fixed_nonce, iv, iv_len); |
| 367 » aead_ctx->fixed_nonce_len = iv_len; |
| 368 » aead_ctx->variable_nonce_len = 8; /* always the case, currently. */ |
| 369 » aead_ctx->variable_nonce_included_in_record = |
| 370 » » (s->s3->tmp.new_cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_VARIA
BLE_NONCE_INCLUDED_IN_RECORD) != 0; |
| 371 » if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != EVP_AEAD
_nonce_length(aead)) |
| 372 » » { |
| 373 » » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR
); |
| 374 » » return 0; |
| 375 » » } |
| 376 » aead_ctx->tag_len = EVP_AEAD_max_overhead(aead); |
| 377 |
| 378 » return 1; |
| 379 » } |
| 380 |
| 381 /* tls1_change_cipher_state_cipher performs the work needed to switch cipher |
| 382 * states when using EVP_CIPHER. The argument |is_read| is true iff this |
| 383 * function is being called due to reading, as opposed to writing, a |
| 384 * ChangeCipherSpec message. In order to support export ciphersuites, |
| 385 * use_client_keys indicates whether the key material provided is in the |
| 386 * "client write" direction. */ |
| 387 static int tls1_change_cipher_state_cipher( |
| 388 » SSL *s, char is_read, char use_client_keys, |
| 389 » const unsigned char *mac_secret, unsigned mac_secret_len, |
| 390 » const unsigned char *key, unsigned key_len, |
| 391 » const unsigned char *iv, unsigned iv_len) |
| 392 » { |
| 393 » const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc; |
| 394 » const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0; |
| 395 » EVP_CIPHER_CTX *cipher_ctx; |
338 EVP_MD_CTX *mac_ctx; | 396 EVP_MD_CTX *mac_ctx; |
339 » EVP_PKEY *mac_key; | 397 » char is_aead_cipher; |
340 » int is_export,n,i,j,k,exp_label_len,cl; | |
341 » int reuse_dd = 0; | |
342 | 398 |
343 » is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); | 399 » unsigned char export_tmp1[EVP_MAX_KEY_LENGTH]; |
344 » c=s->s3->tmp.new_sym_enc; | 400 » unsigned char export_tmp2[EVP_MAX_KEY_LENGTH]; |
345 » m=s->s3->tmp.new_hash; | 401 » unsigned char export_iv1[EVP_MAX_IV_LENGTH * 2]; |
346 » mac_type = s->s3->tmp.new_mac_pkey_type; | 402 » unsigned char export_iv2[EVP_MAX_IV_LENGTH * 2]; |
347 #ifndef OPENSSL_NO_COMP | |
348 » comp=s->s3->tmp.new_compression; | |
349 #endif | |
350 | 403 |
351 #ifdef KSSL_DEBUG | 404 » if (is_read) |
352 » printf("tls1_change_cipher_state(which= %d) w/\n", which); | |
353 » printf("\talg= %ld/%ld, comp= %p\n", | |
354 » s->s3->tmp.new_cipher->algorithm_mkey, | |
355 » s->s3->tmp.new_cipher->algorithm_auth, | |
356 » comp); | |
357 » printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); | |
358 » printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", | |
359 c->nid,c->block_size,c->key_len,c->iv_len); | |
360 » printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); | |
361 » { | |
362 int i; | |
363 for (i=0; i<s->s3->tmp.key_block_length; i++) | |
364 » » printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); | |
365 } | |
366 #endif» /* KSSL_DEBUG */ | |
367 | |
368 » if (which & SSL3_CC_READ) | |
369 { | 405 { |
370 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) | 406 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) |
371 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; | 407 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; |
372 else | 408 else |
373 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; | 409 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; |
374 | 410 |
375 if (s->enc_read_ctx != NULL) | 411 if (s->enc_read_ctx != NULL) |
376 » » » reuse_dd = 1; | 412 » » » EVP_CIPHER_CTX_cleanup(s->enc_read_ctx); |
377 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))
) == NULL) | 413 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))
) == NULL) |
378 goto err; | 414 goto err; |
379 else | 415 else |
380 /* make sure it's intialized in case we exit later with
an error */ | 416 /* make sure it's intialized in case we exit later with
an error */ |
381 EVP_CIPHER_CTX_init(s->enc_read_ctx); | 417 EVP_CIPHER_CTX_init(s->enc_read_ctx); |
382 » » dd= s->enc_read_ctx; | 418 |
383 » » mac_ctx=ssl_replace_hash(&s->read_hash,NULL); | 419 » » cipher_ctx = s->enc_read_ctx; |
| 420 » » mac_ctx = ssl_replace_hash(&s->read_hash, NULL); |
| 421 |
| 422 » » memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_len); |
| 423 » » s->s3->read_mac_secret_size = mac_secret_len; |
| 424 » » } |
| 425 » else |
| 426 » » { |
| 427 » » if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) |
| 428 » » » s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; |
| 429 » » else |
| 430 » » » s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; |
| 431 |
| 432 » » if (s->enc_write_ctx != NULL) |
| 433 » » » EVP_CIPHER_CTX_cleanup(s->enc_write_ctx); |
| 434 » » else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)
)) == NULL) |
| 435 » » » goto err; |
| 436 » » else |
| 437 » » » /* make sure it's intialized in case we exit later with
an error */ |
| 438 » » » EVP_CIPHER_CTX_init(s->enc_write_ctx); |
| 439 |
| 440 » » cipher_ctx = s->enc_write_ctx; |
| 441 » » mac_ctx = ssl_replace_hash(&s->write_hash, NULL); |
| 442 |
| 443 » » memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_len); |
| 444 » » s->s3->write_mac_secret_size = mac_secret_len; |
| 445 » » } |
| 446 |
| 447 » if (is_export) |
| 448 » » { |
| 449 » » /* In here I set both the read and write key/iv to the |
| 450 » » * same value since only the correct one will be used :-). |
| 451 » » */ |
| 452 » » const unsigned char *label; |
| 453 » » unsigned label_len; |
| 454 |
| 455 » » if (use_client_keys) |
| 456 » » » { |
| 457 » » » label = (const unsigned char*) TLS_MD_CLIENT_WRITE_KEY_C
ONST; |
| 458 » » » label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; |
| 459 » » » } |
| 460 » » else |
| 461 » » » { |
| 462 » » » label = (const unsigned char*) TLS_MD_SERVER_WRITE_KEY_C
ONST; |
| 463 » » » label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; |
| 464 » » » } |
| 465 |
| 466 » » if (!tls1_PRF(ssl_get_algorithm2(s), |
| 467 » » » » label, label_len, |
| 468 » » » » s->s3->client_random, SSL3_RANDOM_SIZE, |
| 469 » » » » s->s3->server_random, SSL3_RANDOM_SIZE, |
| 470 » » » » NULL, 0, NULL, 0, |
| 471 » » » » key /* secret */, key_len /* secret length */, |
| 472 » » » » export_tmp1 /* output */, |
| 473 » » » » export_tmp2 /* scratch space */, |
| 474 » » » » EVP_CIPHER_key_length(s->s3->tmp.new_sym_enc) /*
output length */)) |
| 475 » » » return 0; |
| 476 » » key = export_tmp1; |
| 477 |
| 478 » » if (iv_len > 0) |
| 479 » » » { |
| 480 » » » static const unsigned char empty[] = ""; |
| 481 |
| 482 » » » if (!tls1_PRF(ssl_get_algorithm2(s), |
| 483 » » » » » TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_C
ONST_SIZE, |
| 484 » » » » » s->s3->client_random, SSL3_RANDOM_SIZE, |
| 485 » » » » » s->s3->server_random, SSL3_RANDOM_SIZE, |
| 486 » » » » » NULL, 0, NULL, 0, |
| 487 » » » » » empty /* secret */ ,0 /* secret length *
/, |
| 488 » » » » » export_iv1 /* output */, |
| 489 » » » » » export_iv2 /* scratch space */, |
| 490 » » » » » iv_len * 2 /* output length */)) |
| 491 » » » » return 0; |
| 492 |
| 493 » » » if (use_client_keys) |
| 494 » » » » iv = export_iv1; |
| 495 » » » else |
| 496 » » » » iv = &export_iv1[iv_len]; |
| 497 » » » } |
| 498 » » } |
| 499 |
| 500 » /* is_aead_cipher indicates whether the EVP_CIPHER implements an AEAD |
| 501 » * interface. This is different from the newer EVP_AEAD interface. */ |
| 502 » is_aead_cipher = (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
!= 0; |
| 503 |
| 504 » if (!is_aead_cipher) |
| 505 » » { |
| 506 » » EVP_PKEY *mac_key = |
| 507 » » » EVP_PKEY_new_mac_key(s->s3->tmp.new_mac_pkey_type, |
| 508 » » » » » NULL, mac_secret, mac_secret_len); |
| 509 » » if (!mac_key) |
| 510 » » » return 0; |
| 511 » » EVP_DigestSignInit(mac_ctx, NULL, s->s3->tmp.new_hash, NULL, mac
_key); |
| 512 » » EVP_PKEY_free(mac_key); |
| 513 » » } |
| 514 |
| 515 » if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) |
| 516 » » { |
| 517 » » EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key, |
| 518 » » » » NULL /* iv */, !is_read); |
| 519 » » EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, iv_le
n, (void*) iv); |
| 520 » » } |
| 521 » else |
| 522 » » EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key, iv
, !is_read); |
| 523 |
| 524 » /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ |
| 525 » if (is_aead_cipher && mac_secret_len > 0) |
| 526 » » EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, |
| 527 » » » » mac_secret_len, (void*) mac_secret); |
| 528 |
| 529 » if (is_export) |
| 530 » » { |
| 531 » » OPENSSL_cleanse(export_tmp1, sizeof(export_tmp1)); |
| 532 » » OPENSSL_cleanse(export_tmp2, sizeof(export_tmp1)); |
| 533 » » OPENSSL_cleanse(export_iv1, sizeof(export_iv1)); |
| 534 » » OPENSSL_cleanse(export_iv2, sizeof(export_iv2)); |
| 535 » » } |
| 536 |
| 537 » return 1; |
| 538 |
| 539 err: |
| 540 » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER, ERR_R_MALLOC_FAILURE); |
| 541 » return 0; |
| 542 » } |
| 543 |
| 544 int tls1_change_cipher_state(SSL *s, int which) |
| 545 » { |
| 546 » /* is_read is true if we have just read a ChangeCipherSpec message - |
| 547 » * i.e. we need to update the read cipherspec. Otherwise we have just |
| 548 » * written one. */ |
| 549 » const char is_read = (which & SSL3_CC_READ) != 0; |
| 550 » /* use_client_keys is true if we wish to use the keys for the "client |
| 551 » * write" direction. This is the case if we're a client sending a |
| 552 » * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. */ |
| 553 » const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE || |
| 554 » » » » which == SSL3_CHANGE_CIPHER_SERVER_READ; |
| 555 » const unsigned char *client_write_mac_secret, *server_write_mac_secret,
*mac_secret; |
| 556 » const unsigned char *client_write_key, *server_write_key, *key; |
| 557 » const unsigned char *client_write_iv, *server_write_iv, *iv; |
| 558 » const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc; |
| 559 » const EVP_AEAD *aead = s->s3->tmp.new_aead; |
| 560 » unsigned key_len, iv_len, mac_secret_len; |
| 561 » const unsigned char *key_data; |
| 562 » const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0; |
| 563 |
| 564 » /* Update compression contexts. */ |
384 #ifndef OPENSSL_NO_COMP | 565 #ifndef OPENSSL_NO_COMP |
| 566 const SSL_COMP *comp = s->s3->tmp.new_compression; |
| 567 |
| 568 if (is_read) |
| 569 { |
385 if (s->expand != NULL) | 570 if (s->expand != NULL) |
386 { | 571 { |
387 COMP_CTX_free(s->expand); | 572 COMP_CTX_free(s->expand); |
388 » » » s->expand=NULL; | 573 » » » s->expand = NULL; |
389 } | 574 } |
390 if (comp != NULL) | 575 if (comp != NULL) |
391 { | 576 { |
392 s->expand=COMP_CTX_new(comp->method); | 577 s->expand=COMP_CTX_new(comp->method); |
393 if (s->expand == NULL) | 578 if (s->expand == NULL) |
394 { | 579 { |
395 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP
RESSION_LIBRARY_ERROR); | 580 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP
RESSION_LIBRARY_ERROR); |
396 » » » » goto err2; | 581 » » » » return 0; |
397 } | 582 } |
398 if (s->s3->rrec.comp == NULL) | 583 if (s->s3->rrec.comp == NULL) |
399 » » » » s->s3->rrec.comp=(unsigned char *) | 584 » » » » s->s3->rrec.comp = |
400 » » » » » OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LEN
GTH); | 585 » » » » » (unsigned char *)OPENSSL_malloc(SSL3_RT_
MAX_ENCRYPTED_LENGTH); |
401 if (s->s3->rrec.comp == NULL) | 586 if (s->s3->rrec.comp == NULL) |
402 goto err; | 587 goto err; |
403 } | 588 } |
404 #endif | 589 » » } |
405 » » /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ | 590 » else |
406 » » if (s->version != DTLS1_VERSION) | 591 » » { |
407 » » » memset(&(s->s3->read_sequence[0]),0,8); | |
408 » » mac_secret= &(s->s3->read_mac_secret[0]); | |
409 » » mac_secret_size=&(s->s3->read_mac_secret_size); | |
410 » » } | |
411 » else | |
412 » » { | |
413 » » if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) | |
414 » » » s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; | |
415 » » » else | |
416 » » » s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; | |
417 » » if (s->enc_write_ctx != NULL) | |
418 » » » reuse_dd = 1; | |
419 » » else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)
)) == NULL) | |
420 » » » goto err; | |
421 » » else | |
422 » » » /* make sure it's intialized in case we exit later with
an error */ | |
423 » » » EVP_CIPHER_CTX_init(s->enc_write_ctx); | |
424 » » dd= s->enc_write_ctx; | |
425 » » mac_ctx = ssl_replace_hash(&s->write_hash,NULL); | |
426 #ifndef OPENSSL_NO_COMP | |
427 if (s->compress != NULL) | 592 if (s->compress != NULL) |
428 { | 593 { |
429 COMP_CTX_free(s->compress); | 594 COMP_CTX_free(s->compress); |
430 » » » s->compress=NULL; | 595 » » » s->compress = NULL; |
431 } | 596 } |
432 if (comp != NULL) | 597 if (comp != NULL) |
433 { | 598 { |
434 » » » s->compress=COMP_CTX_new(comp->method); | 599 » » » s->compress = COMP_CTX_new(comp->method); |
435 if (s->compress == NULL) | 600 if (s->compress == NULL) |
436 { | 601 { |
437 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP
RESSION_LIBRARY_ERROR); | 602 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP
RESSION_LIBRARY_ERROR); |
438 » » » » goto err2; | 603 » » » » return 0; |
439 } | 604 } |
440 } | 605 } |
441 #endif | 606 » » } |
442 » » /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ | 607 #endif /* OPENSSL_NO_COMP */ |
443 » » if (s->version != DTLS1_VERSION) | 608 |
444 » » » memset(&(s->s3->write_sequence[0]),0,8); | 609 » /* Reset sequence number to zero. */ |
445 » » mac_secret= &(s->s3->write_mac_secret[0]); | 610 » memset(is_read ? s->s3->read_sequence : s->s3->write_sequence, 0, 8); |
446 » » mac_secret_size = &(s->s3->write_mac_secret_size); | 611 |
447 » » } | 612 » /* key_arg is used for SSLv2. We don't need it for TLS. */ |
448 | 613 » s->session->key_arg_length = 0; |
449 » if (reuse_dd) | 614 |
450 » » EVP_CIPHER_CTX_cleanup(dd); | 615 » mac_secret_len = s->s3->tmp.new_mac_secret_size; |
451 | 616 |
452 » p=s->s3->tmp.key_block; | 617 » if (aead != NULL) |
453 » i=*mac_secret_size=s->s3->tmp.new_mac_secret_size; | 618 » » { |
454 | 619 » » key_len = EVP_AEAD_key_length(aead); |
455 » cl=EVP_CIPHER_key_length(c); | 620 » » iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher); |
456 » j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? | 621 » » } |
457 » cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; | 622 » else |
458 » /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ | 623 » » { |
459 » /* If GCM mode only part of IV comes from PRF */ | 624 » » key_len = EVP_CIPHER_key_length(cipher); |
460 » if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) | 625 » » if (is_export && key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new
_cipher)) |
461 » » k = EVP_GCM_TLS_FIXED_IV_LEN; | 626 » » » key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher); |
462 » else | 627 |
463 » » k=EVP_CIPHER_iv_length(c); | 628 » » if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) |
464 » if (» (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | 629 » » » iv_len = EVP_GCM_TLS_FIXED_IV_LEN; |
465 » » (which == SSL3_CHANGE_CIPHER_SERVER_READ)) | 630 » » else |
466 » » { | 631 » » » iv_len = EVP_CIPHER_iv_length(cipher); |
467 » » ms= &(p[ 0]); n=i+i; | 632 » » } |
468 » » key= &(p[ n]); n+=j+j; | 633 |
469 » » iv= &(p[ n]); n+=k+k; | 634 » key_data = s->s3->tmp.key_block; |
470 » » exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; | 635 » client_write_mac_secret = key_data; key_data += mac_secret_len; |
471 » » exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; | 636 » server_write_mac_secret = key_data; key_data += mac_secret_len; |
472 » » client_write=1; | 637 » client_write_key = key_data; key_data += key_len; |
473 » » } | 638 » server_write_key = key_data; key_data += key_len; |
474 » else | 639 » client_write_iv = key_data; key_data += iv_len; |
475 » » { | 640 » server_write_iv = key_data; key_data += iv_len; |
476 » » n=i; | 641 |
477 » » ms= &(p[ n]); n+=i+j; | 642 » if (use_client_keys) |
478 » » key= &(p[ n]); n+=j+k; | 643 » » { |
479 » » iv= &(p[ n]); n+=k; | 644 » » mac_secret = client_write_mac_secret; |
480 » » exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; | 645 » » key = client_write_key; |
481 » » exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; | 646 » » iv = client_write_iv; |
482 » » client_write=0; | 647 » » } |
483 » » } | 648 » else |
484 | 649 » » { |
485 » if (n > s->s3->tmp.key_block_length) | 650 » » mac_secret = server_write_mac_secret; |
| 651 » » key = server_write_key; |
| 652 » » iv = server_write_iv; |
| 653 » » } |
| 654 |
| 655 » if (key_data - s->s3->tmp.key_block != s->s3->tmp.key_block_length) |
486 { | 656 { |
487 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); | 657 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); |
488 » » goto err2; | 658 » » return 0; |
489 » » } | 659 » » } |
490 | 660 |
491 » memcpy(mac_secret,ms,i); | 661 » if (aead != NULL) |
492 | 662 » » { |
493 » if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) | 663 » » if (!tls1_change_cipher_state_aead(s, is_read, |
494 » » { | 664 » » » » » » key, key_len, iv, iv_len)) |
495 » » mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, | 665 » » » return 0; |
496 » » » » mac_secret,*mac_secret_size); | 666 » » } |
497 » » EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key); | 667 » else |
498 » » EVP_PKEY_free(mac_key); | 668 » » { |
499 » » } | 669 » » if (!tls1_change_cipher_state_cipher(s, is_read, use_client_keys
, |
500 #ifdef TLS_DEBUG | 670 » » » » » » mac_secret, mac_secret_len, |
501 printf("which = %04X\nmac key=",which); | 671 » » » » » » key, key_len, |
502 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } | 672 » » » » » » iv, iv_len)) |
503 #endif | 673 » » » return 0; |
504 » if (is_export) | 674 » » } |
505 » » { | 675 |
506 » » /* In here I set both the read and write key/iv to the | 676 » return 1; |
507 » » * same value since only the correct one will be used :-). | |
508 » » */ | |
509 » » if (!tls1_PRF(ssl_get_algorithm2(s), | |
510 » » » » exp_label,exp_label_len, | |
511 » » » » s->s3->client_random,SSL3_RANDOM_SIZE, | |
512 » » » » s->s3->server_random,SSL3_RANDOM_SIZE, | |
513 » » » » NULL,0,NULL,0, | |
514 » » » » key,j,tmp1,tmp2,EVP_CIPHER_key_length(c))) | |
515 » » » goto err2; | |
516 » » key=tmp1; | |
517 | |
518 » » if (k > 0) | |
519 » » » { | |
520 » » » if (!tls1_PRF(ssl_get_algorithm2(s), | |
521 » » » » » TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CO
NST_SIZE, | |
522 » » » » » s->s3->client_random,SSL3_RANDOM_SIZE, | |
523 » » » » » s->s3->server_random,SSL3_RANDOM_SIZE, | |
524 » » » » » NULL,0,NULL,0, | |
525 » » » » » empty,0,iv1,iv2,k*2)) | |
526 » » » » goto err2; | |
527 » » » if (client_write) | |
528 » » » » iv=iv1; | |
529 » » » else | |
530 » » » » iv= &(iv1[k]); | |
531 » » » } | |
532 » » } | |
533 | |
534 » s->session->key_arg_length=0; | |
535 #ifdef KSSL_DEBUG | |
536 » { | |
537 int i; | |
538 » printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); | |
539 » printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]); | |
540 » printf("\n"); | |
541 » printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]); | |
542 » printf("\n"); | |
543 » } | |
544 #endif» /* KSSL_DEBUG */ | |
545 | |
546 » if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) | |
547 » » { | |
548 » » EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE)); | |
549 » » EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv); | |
550 » » } | |
551 » else» | |
552 » » EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); | |
553 | |
554 » /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ | |
555 » if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size) | |
556 » » EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY, | |
557 » » » » *mac_secret_size,mac_secret); | |
558 | |
559 #ifdef TLS_DEBUG | |
560 printf("which = %04X\nkey=",which); | |
561 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1
)%16)?' ':'\n'); } | |
562 printf("\niv="); | |
563 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } | |
564 printf("\n"); | |
565 #endif | |
566 | |
567 » OPENSSL_cleanse(tmp1,sizeof(tmp1)); | |
568 » OPENSSL_cleanse(tmp2,sizeof(tmp1)); | |
569 » OPENSSL_cleanse(iv1,sizeof(iv1)); | |
570 » OPENSSL_cleanse(iv2,sizeof(iv2)); | |
571 » return(1); | |
572 err: | 677 err: |
573 » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); | 678 » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
574 err2: | 679 » return 0; |
575 » return(0); | |
576 } | 680 } |
577 | 681 |
578 int tls1_setup_key_block(SSL *s) | 682 int tls1_setup_key_block(SSL *s) |
579 { | 683 { |
580 unsigned char *p1,*p2=NULL; | 684 unsigned char *p1,*p2=NULL; |
581 » const EVP_CIPHER *c; | 685 » const EVP_CIPHER *c = NULL; |
582 » const EVP_MD *hash; | 686 » const EVP_MD *hash = NULL; |
| 687 » const EVP_AEAD *aead = NULL; |
583 int num; | 688 int num; |
584 SSL_COMP *comp; | 689 SSL_COMP *comp; |
585 int mac_type= NID_undef,mac_secret_size=0; | 690 int mac_type= NID_undef,mac_secret_size=0; |
586 int ret=0; | 691 int ret=0; |
| 692 unsigned key_len, iv_len; |
587 | 693 |
588 #ifdef KSSL_DEBUG | 694 #ifdef KSSL_DEBUG |
589 printf ("tls1_setup_key_block()\n"); | 695 printf ("tls1_setup_key_block()\n"); |
590 #endif /* KSSL_DEBUG */ | 696 #endif /* KSSL_DEBUG */ |
591 | 697 |
592 if (s->s3->tmp.key_block_length != 0) | 698 if (s->s3->tmp.key_block_length != 0) |
593 return(1); | 699 return(1); |
594 | 700 |
595 » if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&
comp)) | 701 » if (!ssl_cipher_get_comp(s->session, &comp)) |
| 702 » » goto cipher_unavailable_err; |
| 703 |
| 704 » if (s->session->cipher && |
| 705 » (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) |
596 { | 706 { |
597 » » SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILAB
LE); | 707 » » if (!ssl_cipher_get_evp_aead(s->session, &aead)) |
598 » » return(0); | 708 » » » goto cipher_unavailable_err; |
| 709 » » key_len = EVP_AEAD_key_length(aead); |
| 710 » » iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher); |
| 711 » » } |
| 712 » else |
| 713 » » { |
| 714 » » if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secre
t_size)) |
| 715 » » » goto cipher_unavailable_err; |
| 716 » » key_len = EVP_CIPHER_key_length(c); |
| 717 |
| 718 » » if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) |
| 719 » » » iv_len = EVP_GCM_TLS_FIXED_IV_LEN; |
| 720 » » else |
| 721 » » » iv_len = EVP_CIPHER_iv_length(c); |
599 } | 722 } |
600 | 723 |
| 724 s->s3->tmp.new_aead=aead; |
601 s->s3->tmp.new_sym_enc=c; | 725 s->s3->tmp.new_sym_enc=c; |
602 s->s3->tmp.new_hash=hash; | 726 s->s3->tmp.new_hash=hash; |
603 s->s3->tmp.new_mac_pkey_type = mac_type; | 727 s->s3->tmp.new_mac_pkey_type = mac_type; |
604 s->s3->tmp.new_mac_secret_size = mac_secret_size; | 728 s->s3->tmp.new_mac_secret_size = mac_secret_size; |
605 » num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c); | 729 |
| 730 » num=key_len+mac_secret_size+iv_len; |
606 num*=2; | 731 num*=2; |
607 | 732 |
608 ssl3_cleanup_key_block(s); | 733 ssl3_cleanup_key_block(s); |
609 | 734 |
610 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) | 735 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) |
611 { | 736 { |
612 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); | 737 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); |
613 goto err; | 738 goto err; |
614 } | 739 } |
615 | 740 |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
658 } | 783 } |
659 | 784 |
660 ret = 1; | 785 ret = 1; |
661 err: | 786 err: |
662 if (p2) | 787 if (p2) |
663 { | 788 { |
664 OPENSSL_cleanse(p2,num); | 789 OPENSSL_cleanse(p2,num); |
665 OPENSSL_free(p2); | 790 OPENSSL_free(p2); |
666 } | 791 } |
667 return(ret); | 792 return(ret); |
| 793 |
| 794 cipher_unavailable_err: |
| 795 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
| 796 return 0; |
668 } | 797 } |
669 | 798 |
670 /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. | 799 /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. |
671 * | 800 * |
672 * Returns: | 801 * Returns: |
673 * 0: (in non-constant time) if the record is publically invalid (i.e. too | 802 * 0: (in non-constant time) if the record is publically invalid (i.e. too |
674 * short etc). | 803 * short etc). |
675 * 1: if the record's padding is valid / the encryption was successful. | 804 * 1: if the record's padding is valid / the encryption was successful. |
676 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, | 805 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, |
677 * an internal error occured. | 806 * an internal error occured. |
678 */ | 807 */ |
679 int tls1_enc(SSL *s, int send) | 808 int tls1_enc(SSL *s, int send) |
680 { | 809 { |
681 SSL3_RECORD *rec; | 810 SSL3_RECORD *rec; |
682 EVP_CIPHER_CTX *ds; | 811 EVP_CIPHER_CTX *ds; |
683 unsigned long l; | 812 unsigned long l; |
684 int bs,i,j,k,pad=0,ret,mac_size=0; | 813 int bs,i,j,k,pad=0,ret,mac_size=0; |
685 const EVP_CIPHER *enc; | 814 const EVP_CIPHER *enc; |
| 815 const SSL_AEAD_CTX *aead; |
| 816 |
| 817 if (send) |
| 818 rec = &s->s3->wrec; |
| 819 else |
| 820 rec = &s->s3->rrec; |
| 821 |
| 822 if (send) |
| 823 aead = s->aead_write_ctx; |
| 824 else |
| 825 aead = s->aead_read_ctx; |
| 826 |
| 827 if (aead) |
| 828 { |
| 829 unsigned char ad[13], *seq, *in, *out, nonce[16]; |
| 830 unsigned nonce_used; |
| 831 ssize_t n; |
| 832 |
| 833 seq = send ? s->s3->write_sequence : s->s3->read_sequence; |
| 834 |
| 835 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) |
| 836 { |
| 837 unsigned char dtlsseq[9], *p = dtlsseq; |
| 838 |
| 839 s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p); |
| 840 memcpy(p, &seq[2], 6); |
| 841 memcpy(ad, dtlsseq, 8); |
| 842 } |
| 843 else |
| 844 { |
| 845 memcpy(ad, seq, 8); |
| 846 for (i=7; i>=0; i--) /* increment */ |
| 847 { |
| 848 ++seq[i]; |
| 849 if (seq[i] != 0) |
| 850 break; |
| 851 } |
| 852 } |
| 853 |
| 854 ad[8] = rec->type; |
| 855 ad[9] = (unsigned char)(s->version>>8); |
| 856 ad[10] = (unsigned char)(s->version); |
| 857 |
| 858 if (aead->fixed_nonce_len + aead->variable_nonce_len > sizeof(no
nce) || |
| 859 aead->variable_nonce_len > 8) |
| 860 return -1; /* internal error - should never happen. */ |
| 861 |
| 862 memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len); |
| 863 nonce_used = aead->fixed_nonce_len; |
| 864 |
| 865 if (send) |
| 866 { |
| 867 size_t len = rec->length; |
| 868 size_t eivlen = 0; |
| 869 in = rec->input; |
| 870 out = rec->data; |
| 871 |
| 872 /* When sending we use the sequence number as the |
| 873 * variable part of the nonce. */ |
| 874 if (aead->variable_nonce_len > 8) |
| 875 return -1; |
| 876 memcpy(nonce + nonce_used, ad, aead->variable_nonce_len)
; |
| 877 nonce_used += aead->variable_nonce_len; |
| 878 |
| 879 /* in do_ssl3_write, rec->input is moved forward by |
| 880 * variable_nonce_len in order to leave space for the |
| 881 * variable nonce. Thus we can copy the sequence number |
| 882 * bytes into place without overwriting any of the |
| 883 * plaintext. */ |
| 884 if (aead->variable_nonce_included_in_record) |
| 885 { |
| 886 memcpy(out, ad, aead->variable_nonce_len); |
| 887 len -= aead->variable_nonce_len; |
| 888 eivlen = aead->variable_nonce_len; |
| 889 } |
| 890 |
| 891 ad[11] = len >> 8; |
| 892 ad[12] = len & 0xff; |
| 893 |
| 894 n = EVP_AEAD_CTX_seal(&aead->ctx, |
| 895 out + eivlen, len + aead->tag_len, |
| 896 nonce, nonce_used, |
| 897 in + eivlen, len, |
| 898 ad, sizeof(ad)); |
| 899 if (n >= 0 && aead->variable_nonce_included_in_record) |
| 900 n += aead->variable_nonce_len; |
| 901 } |
| 902 else |
| 903 { |
| 904 /* receive */ |
| 905 size_t len = rec->length; |
| 906 |
| 907 if (rec->data != rec->input) |
| 908 return -1; /* internal error - should never hap
pen. */ |
| 909 out = in = rec->input; |
| 910 |
| 911 if (len < aead->variable_nonce_len) |
| 912 return 0; |
| 913 memcpy(nonce + nonce_used, |
| 914 aead->variable_nonce_included_in_record ? in : ad
, |
| 915 aead->variable_nonce_len); |
| 916 nonce_used += aead->variable_nonce_len; |
| 917 |
| 918 if (aead->variable_nonce_included_in_record) |
| 919 { |
| 920 in += aead->variable_nonce_len; |
| 921 len -= aead->variable_nonce_len; |
| 922 out += aead->variable_nonce_len; |
| 923 } |
| 924 |
| 925 if (len < aead->tag_len) |
| 926 return 0; |
| 927 len -= aead->tag_len; |
| 928 |
| 929 ad[11] = len >> 8; |
| 930 ad[12] = len & 0xff; |
| 931 |
| 932 n = EVP_AEAD_CTX_open(&aead->ctx, out, len, nonce, nonce
_used, |
| 933 in, len + aead->tag_len, ad, sizeo
f(ad)); |
| 934 |
| 935 rec->data = rec->input = out; |
| 936 } |
| 937 |
| 938 if (n == -1) |
| 939 return -1; |
| 940 rec->length = n; |
| 941 return 1; |
| 942 } |
686 | 943 |
687 if (send) | 944 if (send) |
688 { | 945 { |
689 if (EVP_MD_CTX_md(s->write_hash)) | 946 if (EVP_MD_CTX_md(s->write_hash)) |
690 { | 947 { |
691 int n=EVP_MD_CTX_size(s->write_hash); | 948 int n=EVP_MD_CTX_size(s->write_hash); |
692 OPENSSL_assert(n >= 0); | 949 OPENSSL_assert(n >= 0); |
693 } | 950 } |
694 ds=s->enc_write_ctx; | 951 ds=s->enc_write_ctx; |
695 rec= &(s->s3->wrec); | 952 rec= &(s->s3->wrec); |
(...skipping 542 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1238 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFIC
ATE_STATUS_RESPONSE); | 1495 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFIC
ATE_STATUS_RESPONSE); |
1239 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_H
ASH_VALUE); | 1496 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_H
ASH_VALUE); |
1240 case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); | 1497 case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); |
1241 #if 0 /* not appropriate for TLS, not used for DTLS */ | 1498 #if 0 /* not appropriate for TLS, not used for DTLS */ |
1242 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return | 1499 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return |
1243 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); | 1500 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); |
1244 #endif | 1501 #endif |
1245 default: return(-1); | 1502 default: return(-1); |
1246 } | 1503 } |
1247 } | 1504 } |
OLD | NEW |