Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(355)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: openssl/ssl/t1_enc.c

Issue 59083010: third_party/openssl: add ChaCha20+Poly1305 support. Base URL: https://chromium.googlesource.com/chromium/deps/openssl.git@master
Patch Set: Created 7 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « openssl/ssl/ssl_txt.c ('k') | openssl/ssl/tls1.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* ssl/t1_enc.c */ 1 /* ssl/t1_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
(...skipping 298 matching lines...) Expand 10 before | Expand all | Expand 10 after
309 int i; 309 int i;
310 for (i=0; i < s->session->master_key_length; i++) 310 for (i=0; i < s->session->master_key_length; i++)
311 { 311 {
312 printf("%02X", s->session->master_key[i]); 312 printf("%02X", s->session->master_key[i]);
313 } 313 }
314 printf("\n"); } 314 printf("\n"); }
315 #endif /* KSSL_DEBUG */ 315 #endif /* KSSL_DEBUG */
316 return ret; 316 return ret;
317 } 317 }
318 318
319 int tls1_change_cipher_state(SSL *s, int which) 319 /* tls1_aead_ctx_init allocates |*aead_ctx|, if needed and returns 1. It
320 * returns 0 on malloc error. */
321 static int tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx)
320 { 322 {
321 » static const unsigned char empty[]=""; 323 » if (*aead_ctx != NULL)
322 » unsigned char *p,*mac_secret; 324 » » EVP_AEAD_CTX_cleanup(&(*aead_ctx)->ctx);
323 » unsigned char *exp_label; 325 » else
324 » unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 326 » » {
325 » unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 327 » » *aead_ctx = (SSL_AEAD_CTX*) OPENSSL_malloc(sizeof(SSL_AEAD_CTX)) ;
326 » unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 328 » » if (*aead_ctx == NULL)
327 » unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 329 » » » {
328 » unsigned char *ms,*key,*iv; 330 » » » SSLerr(SSL_F_TLS1_AEAD_CTX_INIT, ERR_R_MALLOC_FAILURE);
329 » int client_write; 331 » » » return 0;
330 » EVP_CIPHER_CTX *dd; 332 » » » }
331 » const EVP_CIPHER *c; 333 » » }
332 #ifndef OPENSSL_NO_COMP 334
333 » const SSL_COMP *comp; 335 » return 1;
334 #endif 336 » }
335 » const EVP_MD *m; 337
336 » int mac_type; 338 static int tls1_change_cipher_state_aead(SSL *s, char is_read,
337 » int *mac_secret_size; 339 » const unsigned char *key, unsigned key_len,
340 » const unsigned char *iv, unsigned iv_len)
341 » {
342 » const EVP_AEAD *aead = s->s3->tmp.new_aead;
343 » SSL_AEAD_CTX *aead_ctx;
344
345 » if (is_read)
346 » » {
347 » » if (!tls1_aead_ctx_init(&s->aead_read_ctx))
348 » » » return 0;
349 » » aead_ctx = s->aead_read_ctx;
350 » » }
351 » else
352 » » {
353 » » if (!tls1_aead_ctx_init(&s->aead_write_ctx))
354 » » » return 0;
355 » » aead_ctx = s->aead_write_ctx;
356 » » }
357
358 » if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len,
359 » » » EVP_AEAD_DEFAULT_TAG_LENGTH, NULL /* engine */))
360 » » return 0;
361 » if (iv_len > sizeof(aead_ctx->fixed_nonce))
362 » » {
363 » » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR );
364 » » return 0;
365 » » }
366 » memcpy(aead_ctx->fixed_nonce, iv, iv_len);
367 » aead_ctx->fixed_nonce_len = iv_len;
368 » aead_ctx->variable_nonce_len = 8; /* always the case, currently. */
369 » aead_ctx->variable_nonce_included_in_record =
370 » » (s->s3->tmp.new_cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_VARIA BLE_NONCE_INCLUDED_IN_RECORD) != 0;
371 » if (aead_ctx->variable_nonce_len + aead_ctx->fixed_nonce_len != EVP_AEAD _nonce_length(aead))
372 » » {
373 » » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_AEAD, ERR_R_INTERNAL_ERROR );
374 » » return 0;
375 » » }
376 » aead_ctx->tag_len = EVP_AEAD_max_overhead(aead);
377
378 » return 1;
379 » }
380
381 /* tls1_change_cipher_state_cipher performs the work needed to switch cipher
382 * states when using EVP_CIPHER. The argument |is_read| is true iff this
383 * function is being called due to reading, as opposed to writing, a
384 * ChangeCipherSpec message. In order to support export ciphersuites,
385 * use_client_keys indicates whether the key material provided is in the
386 * "client write" direction. */
387 static int tls1_change_cipher_state_cipher(
388 » SSL *s, char is_read, char use_client_keys,
389 » const unsigned char *mac_secret, unsigned mac_secret_len,
390 » const unsigned char *key, unsigned key_len,
391 » const unsigned char *iv, unsigned iv_len)
392 » {
393 » const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc;
394 » const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0;
395 » EVP_CIPHER_CTX *cipher_ctx;
338 EVP_MD_CTX *mac_ctx; 396 EVP_MD_CTX *mac_ctx;
339 » EVP_PKEY *mac_key; 397 » char is_aead_cipher;
340 » int is_export,n,i,j,k,exp_label_len,cl;
341 » int reuse_dd = 0;
342 398
343 » is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 399 » unsigned char export_tmp1[EVP_MAX_KEY_LENGTH];
344 » c=s->s3->tmp.new_sym_enc; 400 » unsigned char export_tmp2[EVP_MAX_KEY_LENGTH];
345 » m=s->s3->tmp.new_hash; 401 » unsigned char export_iv1[EVP_MAX_IV_LENGTH * 2];
346 » mac_type = s->s3->tmp.new_mac_pkey_type; 402 » unsigned char export_iv2[EVP_MAX_IV_LENGTH * 2];
347 #ifndef OPENSSL_NO_COMP
348 » comp=s->s3->tmp.new_compression;
349 #endif
350 403
351 #ifdef KSSL_DEBUG 404 » if (is_read)
352 » printf("tls1_change_cipher_state(which= %d) w/\n", which);
353 » printf("\talg= %ld/%ld, comp= %p\n",
354 » s->s3->tmp.new_cipher->algorithm_mkey,
355 » s->s3->tmp.new_cipher->algorithm_auth,
356 » comp);
357 » printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
358 » printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
359 c->nid,c->block_size,c->key_len,c->iv_len);
360 » printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
361 » {
362 int i;
363 for (i=0; i<s->s3->tmp.key_block_length; i++)
364 » » printf("%02x", s->s3->tmp.key_block[i]); printf("\n");
365 }
366 #endif» /* KSSL_DEBUG */
367
368 » if (which & SSL3_CC_READ)
369 { 405 {
370 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) 406 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
371 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; 407 s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
372 else 408 else
373 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; 409 s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
374 410
375 if (s->enc_read_ctx != NULL) 411 if (s->enc_read_ctx != NULL)
376 » » » reuse_dd = 1; 412 » » » EVP_CIPHER_CTX_cleanup(s->enc_read_ctx);
377 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)) ) == NULL) 413 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX)) ) == NULL)
378 goto err; 414 goto err;
379 else 415 else
380 /* make sure it's intialized in case we exit later with an error */ 416 /* make sure it's intialized in case we exit later with an error */
381 EVP_CIPHER_CTX_init(s->enc_read_ctx); 417 EVP_CIPHER_CTX_init(s->enc_read_ctx);
382 » » dd= s->enc_read_ctx; 418
383 » » mac_ctx=ssl_replace_hash(&s->read_hash,NULL); 419 » » cipher_ctx = s->enc_read_ctx;
420 » » mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
421
422 » » memcpy(s->s3->read_mac_secret, mac_secret, mac_secret_len);
423 » » s->s3->read_mac_secret_size = mac_secret_len;
424 » » }
425 » else
426 » » {
427 » » if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
428 » » » s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
429 » » else
430 » » » s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
431
432 » » if (s->enc_write_ctx != NULL)
433 » » » EVP_CIPHER_CTX_cleanup(s->enc_write_ctx);
434 » » else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX) )) == NULL)
435 » » » goto err;
436 » » else
437 » » » /* make sure it's intialized in case we exit later with an error */
438 » » » EVP_CIPHER_CTX_init(s->enc_write_ctx);
439
440 » » cipher_ctx = s->enc_write_ctx;
441 » » mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
442
443 » » memcpy(s->s3->write_mac_secret, mac_secret, mac_secret_len);
444 » » s->s3->write_mac_secret_size = mac_secret_len;
445 » » }
446
447 » if (is_export)
448 » » {
449 » » /* In here I set both the read and write key/iv to the
450 » » * same value since only the correct one will be used :-).
451 » » */
452 » » const unsigned char *label;
453 » » unsigned label_len;
454
455 » » if (use_client_keys)
456 » » » {
457 » » » label = (const unsigned char*) TLS_MD_CLIENT_WRITE_KEY_C ONST;
458 » » » label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
459 » » » }
460 » » else
461 » » » {
462 » » » label = (const unsigned char*) TLS_MD_SERVER_WRITE_KEY_C ONST;
463 » » » label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
464 » » » }
465
466 » » if (!tls1_PRF(ssl_get_algorithm2(s),
467 » » » » label, label_len,
468 » » » » s->s3->client_random, SSL3_RANDOM_SIZE,
469 » » » » s->s3->server_random, SSL3_RANDOM_SIZE,
470 » » » » NULL, 0, NULL, 0,
471 » » » » key /* secret */, key_len /* secret length */,
472 » » » » export_tmp1 /* output */,
473 » » » » export_tmp2 /* scratch space */,
474 » » » » EVP_CIPHER_key_length(s->s3->tmp.new_sym_enc) /* output length */))
475 » » » return 0;
476 » » key = export_tmp1;
477
478 » » if (iv_len > 0)
479 » » » {
480 » » » static const unsigned char empty[] = "";
481
482 » » » if (!tls1_PRF(ssl_get_algorithm2(s),
483 » » » » » TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_C ONST_SIZE,
484 » » » » » s->s3->client_random, SSL3_RANDOM_SIZE,
485 » » » » » s->s3->server_random, SSL3_RANDOM_SIZE,
486 » » » » » NULL, 0, NULL, 0,
487 » » » » » empty /* secret */ ,0 /* secret length * /,
488 » » » » » export_iv1 /* output */,
489 » » » » » export_iv2 /* scratch space */,
490 » » » » » iv_len * 2 /* output length */))
491 » » » » return 0;
492
493 » » » if (use_client_keys)
494 » » » » iv = export_iv1;
495 » » » else
496 » » » » iv = &export_iv1[iv_len];
497 » » » }
498 » » }
499
500 » /* is_aead_cipher indicates whether the EVP_CIPHER implements an AEAD
501 » * interface. This is different from the newer EVP_AEAD interface. */
502 » is_aead_cipher = (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0;
503
504 » if (!is_aead_cipher)
505 » » {
506 » » EVP_PKEY *mac_key =
507 » » » EVP_PKEY_new_mac_key(s->s3->tmp.new_mac_pkey_type,
508 » » » » » NULL, mac_secret, mac_secret_len);
509 » » if (!mac_key)
510 » » » return 0;
511 » » EVP_DigestSignInit(mac_ctx, NULL, s->s3->tmp.new_hash, NULL, mac _key);
512 » » EVP_PKEY_free(mac_key);
513 » » }
514
515 » if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
516 » » {
517 » » EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key,
518 » » » » NULL /* iv */, !is_read);
519 » » EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, iv_le n, (void*) iv);
520 » » }
521 » else
522 » » EVP_CipherInit_ex(cipher_ctx, cipher, NULL /* engine */, key, iv , !is_read);
523
524 » /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
525 » if (is_aead_cipher && mac_secret_len > 0)
526 » » EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY,
527 » » » » mac_secret_len, (void*) mac_secret);
528
529 » if (is_export)
530 » » {
531 » » OPENSSL_cleanse(export_tmp1, sizeof(export_tmp1));
532 » » OPENSSL_cleanse(export_tmp2, sizeof(export_tmp1));
533 » » OPENSSL_cleanse(export_iv1, sizeof(export_iv1));
534 » » OPENSSL_cleanse(export_iv2, sizeof(export_iv2));
535 » » }
536
537 » return 1;
538
539 err:
540 » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE_CIPHER, ERR_R_MALLOC_FAILURE);
541 » return 0;
542 » }
543
544 int tls1_change_cipher_state(SSL *s, int which)
545 » {
546 » /* is_read is true if we have just read a ChangeCipherSpec message -
547 » * i.e. we need to update the read cipherspec. Otherwise we have just
548 » * written one. */
549 » const char is_read = (which & SSL3_CC_READ) != 0;
550 » /* use_client_keys is true if we wish to use the keys for the "client
551 » * write" direction. This is the case if we're a client sending a
552 » * ChangeCipherSpec, or a server reading a client's ChangeCipherSpec. */
553 » const char use_client_keys = which == SSL3_CHANGE_CIPHER_CLIENT_WRITE ||
554 » » » » which == SSL3_CHANGE_CIPHER_SERVER_READ;
555 » const unsigned char *client_write_mac_secret, *server_write_mac_secret, *mac_secret;
556 » const unsigned char *client_write_key, *server_write_key, *key;
557 » const unsigned char *client_write_iv, *server_write_iv, *iv;
558 » const EVP_CIPHER *cipher = s->s3->tmp.new_sym_enc;
559 » const EVP_AEAD *aead = s->s3->tmp.new_aead;
560 » unsigned key_len, iv_len, mac_secret_len;
561 » const unsigned char *key_data;
562 » const char is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) != 0;
563
564 » /* Update compression contexts. */
384 #ifndef OPENSSL_NO_COMP 565 #ifndef OPENSSL_NO_COMP
566 const SSL_COMP *comp = s->s3->tmp.new_compression;
567
568 if (is_read)
569 {
385 if (s->expand != NULL) 570 if (s->expand != NULL)
386 { 571 {
387 COMP_CTX_free(s->expand); 572 COMP_CTX_free(s->expand);
388 » » » s->expand=NULL; 573 » » » s->expand = NULL;
389 } 574 }
390 if (comp != NULL) 575 if (comp != NULL)
391 { 576 {
392 s->expand=COMP_CTX_new(comp->method); 577 s->expand=COMP_CTX_new(comp->method);
393 if (s->expand == NULL) 578 if (s->expand == NULL)
394 { 579 {
395 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR); 580 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR);
396 » » » » goto err2; 581 » » » » return 0;
397 } 582 }
398 if (s->s3->rrec.comp == NULL) 583 if (s->s3->rrec.comp == NULL)
399 » » » » s->s3->rrec.comp=(unsigned char *) 584 » » » » s->s3->rrec.comp =
400 » » » » » OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LEN GTH); 585 » » » » » (unsigned char *)OPENSSL_malloc(SSL3_RT_ MAX_ENCRYPTED_LENGTH);
401 if (s->s3->rrec.comp == NULL) 586 if (s->s3->rrec.comp == NULL)
402 goto err; 587 goto err;
403 } 588 }
404 #endif 589 » » }
405 » » /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 590 » else
406 » » if (s->version != DTLS1_VERSION) 591 » » {
407 » » » memset(&(s->s3->read_sequence[0]),0,8);
408 » » mac_secret= &(s->s3->read_mac_secret[0]);
409 » » mac_secret_size=&(s->s3->read_mac_secret_size);
410 » » }
411 » else
412 » » {
413 » » if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
414 » » » s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
415 » » » else
416 » » » s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
417 » » if (s->enc_write_ctx != NULL)
418 » » » reuse_dd = 1;
419 » » else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX) )) == NULL)
420 » » » goto err;
421 » » else
422 » » » /* make sure it's intialized in case we exit later with an error */
423 » » » EVP_CIPHER_CTX_init(s->enc_write_ctx);
424 » » dd= s->enc_write_ctx;
425 » » mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
426 #ifndef OPENSSL_NO_COMP
427 if (s->compress != NULL) 592 if (s->compress != NULL)
428 { 593 {
429 COMP_CTX_free(s->compress); 594 COMP_CTX_free(s->compress);
430 » » » s->compress=NULL; 595 » » » s->compress = NULL;
431 } 596 }
432 if (comp != NULL) 597 if (comp != NULL)
433 { 598 {
434 » » » s->compress=COMP_CTX_new(comp->method); 599 » » » s->compress = COMP_CTX_new(comp->method);
435 if (s->compress == NULL) 600 if (s->compress == NULL)
436 { 601 {
437 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR); 602 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMP RESSION_LIBRARY_ERROR);
438 » » » » goto err2; 603 » » » » return 0;
439 } 604 }
440 } 605 }
441 #endif 606 » » }
442 » » /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 607 #endif /* OPENSSL_NO_COMP */
443 » » if (s->version != DTLS1_VERSION) 608
444 » » » memset(&(s->s3->write_sequence[0]),0,8); 609 » /* Reset sequence number to zero. */
445 » » mac_secret= &(s->s3->write_mac_secret[0]); 610 » memset(is_read ? s->s3->read_sequence : s->s3->write_sequence, 0, 8);
446 » » mac_secret_size = &(s->s3->write_mac_secret_size); 611
447 » » } 612 » /* key_arg is used for SSLv2. We don't need it for TLS. */
448 613 » s->session->key_arg_length = 0;
449 » if (reuse_dd) 614
450 » » EVP_CIPHER_CTX_cleanup(dd); 615 » mac_secret_len = s->s3->tmp.new_mac_secret_size;
451 616
452 » p=s->s3->tmp.key_block; 617 » if (aead != NULL)
453 » i=*mac_secret_size=s->s3->tmp.new_mac_secret_size; 618 » » {
454 619 » » key_len = EVP_AEAD_key_length(aead);
455 » cl=EVP_CIPHER_key_length(c); 620 » » iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->s3->tmp.new_cipher);
456 » j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 621 » » }
457 » cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 622 » else
458 » /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 623 » » {
459 » /* If GCM mode only part of IV comes from PRF */ 624 » » key_len = EVP_CIPHER_key_length(cipher);
460 » if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) 625 » » if (is_export && key_len > SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new _cipher))
461 » » k = EVP_GCM_TLS_FIXED_IV_LEN; 626 » » » key_len = SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher);
462 » else 627
463 » » k=EVP_CIPHER_iv_length(c); 628 » » if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE)
464 » if (» (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 629 » » » iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
465 » » (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 630 » » else
466 » » { 631 » » » iv_len = EVP_CIPHER_iv_length(cipher);
467 » » ms= &(p[ 0]); n=i+i; 632 » » }
468 » » key= &(p[ n]); n+=j+j; 633
469 » » iv= &(p[ n]); n+=k+k; 634 » key_data = s->s3->tmp.key_block;
470 » » exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 635 » client_write_mac_secret = key_data; key_data += mac_secret_len;
471 » » exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 636 » server_write_mac_secret = key_data; key_data += mac_secret_len;
472 » » client_write=1; 637 » client_write_key = key_data; key_data += key_len;
473 » » } 638 » server_write_key = key_data; key_data += key_len;
474 » else 639 » client_write_iv = key_data; key_data += iv_len;
475 » » { 640 » server_write_iv = key_data; key_data += iv_len;
476 » » n=i; 641
477 » » ms= &(p[ n]); n+=i+j; 642 » if (use_client_keys)
478 » » key= &(p[ n]); n+=j+k; 643 » » {
479 » » iv= &(p[ n]); n+=k; 644 » » mac_secret = client_write_mac_secret;
480 » » exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 645 » » key = client_write_key;
481 » » exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 646 » » iv = client_write_iv;
482 » » client_write=0; 647 » » }
483 » » } 648 » else
484 649 » » {
485 » if (n > s->s3->tmp.key_block_length) 650 » » mac_secret = server_write_mac_secret;
651 » » key = server_write_key;
652 » » iv = server_write_iv;
653 » » }
654
655 » if (key_data - s->s3->tmp.key_block != s->s3->tmp.key_block_length)
486 { 656 {
487 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); 657 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
488 » » goto err2; 658 » » return 0;
489 » » } 659 » » }
490 660
491 » memcpy(mac_secret,ms,i); 661 » if (aead != NULL)
492 662 » » {
493 » if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER)) 663 » » if (!tls1_change_cipher_state_aead(s, is_read,
494 » » { 664 » » » » » » key, key_len, iv, iv_len))
495 » » mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, 665 » » » return 0;
496 » » » » mac_secret,*mac_secret_size); 666 » » }
497 » » EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key); 667 » else
498 » » EVP_PKEY_free(mac_key); 668 » » {
499 » » } 669 » » if (!tls1_change_cipher_state_cipher(s, is_read, use_client_keys ,
500 #ifdef TLS_DEBUG 670 » » » » » » mac_secret, mac_secret_len,
501 printf("which = %04X\nmac key=",which); 671 » » » » » » key, key_len,
502 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 672 » » » » » » iv, iv_len))
503 #endif 673 » » » return 0;
504 » if (is_export) 674 » » }
505 » » { 675
506 » » /* In here I set both the read and write key/iv to the 676 » return 1;
507 » » * same value since only the correct one will be used :-).
508 » » */
509 » » if (!tls1_PRF(ssl_get_algorithm2(s),
510 » » » » exp_label,exp_label_len,
511 » » » » s->s3->client_random,SSL3_RANDOM_SIZE,
512 » » » » s->s3->server_random,SSL3_RANDOM_SIZE,
513 » » » » NULL,0,NULL,0,
514 » » » » key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)))
515 » » » goto err2;
516 » » key=tmp1;
517
518 » » if (k > 0)
519 » » » {
520 » » » if (!tls1_PRF(ssl_get_algorithm2(s),
521 » » » » » TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CO NST_SIZE,
522 » » » » » s->s3->client_random,SSL3_RANDOM_SIZE,
523 » » » » » s->s3->server_random,SSL3_RANDOM_SIZE,
524 » » » » » NULL,0,NULL,0,
525 » » » » » empty,0,iv1,iv2,k*2))
526 » » » » goto err2;
527 » » » if (client_write)
528 » » » » iv=iv1;
529 » » » else
530 » » » » iv= &(iv1[k]);
531 » » » }
532 » » }
533
534 » s->session->key_arg_length=0;
535 #ifdef KSSL_DEBUG
536 » {
537 int i;
538 » printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
539 » printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
540 » printf("\n");
541 » printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
542 » printf("\n");
543 » }
544 #endif» /* KSSL_DEBUG */
545
546 » if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
547 » » {
548 » » EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE));
549 » » EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv);
550 » » }
551 » else»
552 » » EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
553
554 » /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
555 » if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
556 » » EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY,
557 » » » » *mac_secret_size,mac_secret);
558
559 #ifdef TLS_DEBUG
560 printf("which = %04X\nkey=",which);
561 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1 )%16)?' ':'\n'); }
562 printf("\niv=");
563 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
564 printf("\n");
565 #endif
566
567 » OPENSSL_cleanse(tmp1,sizeof(tmp1));
568 » OPENSSL_cleanse(tmp2,sizeof(tmp1));
569 » OPENSSL_cleanse(iv1,sizeof(iv1));
570 » OPENSSL_cleanse(iv2,sizeof(iv2));
571 » return(1);
572 err: 677 err:
573 » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 678 » SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
574 err2: 679 » return 0;
575 » return(0);
576 } 680 }
577 681
578 int tls1_setup_key_block(SSL *s) 682 int tls1_setup_key_block(SSL *s)
579 { 683 {
580 unsigned char *p1,*p2=NULL; 684 unsigned char *p1,*p2=NULL;
581 » const EVP_CIPHER *c; 685 » const EVP_CIPHER *c = NULL;
582 » const EVP_MD *hash; 686 » const EVP_MD *hash = NULL;
687 » const EVP_AEAD *aead = NULL;
583 int num; 688 int num;
584 SSL_COMP *comp; 689 SSL_COMP *comp;
585 int mac_type= NID_undef,mac_secret_size=0; 690 int mac_type= NID_undef,mac_secret_size=0;
586 int ret=0; 691 int ret=0;
692 unsigned key_len, iv_len;
587 693
588 #ifdef KSSL_DEBUG 694 #ifdef KSSL_DEBUG
589 printf ("tls1_setup_key_block()\n"); 695 printf ("tls1_setup_key_block()\n");
590 #endif /* KSSL_DEBUG */ 696 #endif /* KSSL_DEBUG */
591 697
592 if (s->s3->tmp.key_block_length != 0) 698 if (s->s3->tmp.key_block_length != 0)
593 return(1); 699 return(1);
594 700
595 » if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,& comp)) 701 » if (!ssl_cipher_get_comp(s->session, &comp))
702 » » goto cipher_unavailable_err;
703
704 » if (s->session->cipher &&
705 » (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD))
596 { 706 {
597 » » SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILAB LE); 707 » » if (!ssl_cipher_get_evp_aead(s->session, &aead))
598 » » return(0); 708 » » » goto cipher_unavailable_err;
709 » » key_len = EVP_AEAD_key_length(aead);
710 » » iv_len = SSL_CIPHER_AEAD_FIXED_NONCE_LEN(s->session->cipher);
711 » » }
712 » else
713 » » {
714 » » if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secre t_size))
715 » » » goto cipher_unavailable_err;
716 » » key_len = EVP_CIPHER_key_length(c);
717
718 » » if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
719 » » » iv_len = EVP_GCM_TLS_FIXED_IV_LEN;
720 » » else
721 » » » iv_len = EVP_CIPHER_iv_length(c);
599 } 722 }
600 723
724 s->s3->tmp.new_aead=aead;
601 s->s3->tmp.new_sym_enc=c; 725 s->s3->tmp.new_sym_enc=c;
602 s->s3->tmp.new_hash=hash; 726 s->s3->tmp.new_hash=hash;
603 s->s3->tmp.new_mac_pkey_type = mac_type; 727 s->s3->tmp.new_mac_pkey_type = mac_type;
604 s->s3->tmp.new_mac_secret_size = mac_secret_size; 728 s->s3->tmp.new_mac_secret_size = mac_secret_size;
605 » num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c); 729
730 » num=key_len+mac_secret_size+iv_len;
606 num*=2; 731 num*=2;
607 732
608 ssl3_cleanup_key_block(s); 733 ssl3_cleanup_key_block(s);
609 734
610 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) 735 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
611 { 736 {
612 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); 737 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
613 goto err; 738 goto err;
614 } 739 }
615 740
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
658 } 783 }
659 784
660 ret = 1; 785 ret = 1;
661 err: 786 err:
662 if (p2) 787 if (p2)
663 { 788 {
664 OPENSSL_cleanse(p2,num); 789 OPENSSL_cleanse(p2,num);
665 OPENSSL_free(p2); 790 OPENSSL_free(p2);
666 } 791 }
667 return(ret); 792 return(ret);
793
794 cipher_unavailable_err:
795 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
796 return 0;
668 } 797 }
669 798
670 /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 799 /* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
671 * 800 *
672 * Returns: 801 * Returns:
673 * 0: (in non-constant time) if the record is publically invalid (i.e. too 802 * 0: (in non-constant time) if the record is publically invalid (i.e. too
674 * short etc). 803 * short etc).
675 * 1: if the record's padding is valid / the encryption was successful. 804 * 1: if the record's padding is valid / the encryption was successful.
676 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, 805 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
677 * an internal error occured. 806 * an internal error occured.
678 */ 807 */
679 int tls1_enc(SSL *s, int send) 808 int tls1_enc(SSL *s, int send)
680 { 809 {
681 SSL3_RECORD *rec; 810 SSL3_RECORD *rec;
682 EVP_CIPHER_CTX *ds; 811 EVP_CIPHER_CTX *ds;
683 unsigned long l; 812 unsigned long l;
684 int bs,i,j,k,pad=0,ret,mac_size=0; 813 int bs,i,j,k,pad=0,ret,mac_size=0;
685 const EVP_CIPHER *enc; 814 const EVP_CIPHER *enc;
815 const SSL_AEAD_CTX *aead;
816
817 if (send)
818 rec = &s->s3->wrec;
819 else
820 rec = &s->s3->rrec;
821
822 if (send)
823 aead = s->aead_write_ctx;
824 else
825 aead = s->aead_read_ctx;
826
827 if (aead)
828 {
829 unsigned char ad[13], *seq, *in, *out, nonce[16];
830 unsigned nonce_used;
831 ssize_t n;
832
833 seq = send ? s->s3->write_sequence : s->s3->read_sequence;
834
835 if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
836 {
837 unsigned char dtlsseq[9], *p = dtlsseq;
838
839 s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p);
840 memcpy(p, &seq[2], 6);
841 memcpy(ad, dtlsseq, 8);
842 }
843 else
844 {
845 memcpy(ad, seq, 8);
846 for (i=7; i>=0; i--) /* increment */
847 {
848 ++seq[i];
849 if (seq[i] != 0)
850 break;
851 }
852 }
853
854 ad[8] = rec->type;
855 ad[9] = (unsigned char)(s->version>>8);
856 ad[10] = (unsigned char)(s->version);
857
858 if (aead->fixed_nonce_len + aead->variable_nonce_len > sizeof(no nce) ||
859 aead->variable_nonce_len > 8)
860 return -1; /* internal error - should never happen. */
861
862 memcpy(nonce, aead->fixed_nonce, aead->fixed_nonce_len);
863 nonce_used = aead->fixed_nonce_len;
864
865 if (send)
866 {
867 size_t len = rec->length;
868 size_t eivlen = 0;
869 in = rec->input;
870 out = rec->data;
871
872 /* When sending we use the sequence number as the
873 * variable part of the nonce. */
874 if (aead->variable_nonce_len > 8)
875 return -1;
876 memcpy(nonce + nonce_used, ad, aead->variable_nonce_len) ;
877 nonce_used += aead->variable_nonce_len;
878
879 /* in do_ssl3_write, rec->input is moved forward by
880 * variable_nonce_len in order to leave space for the
881 * variable nonce. Thus we can copy the sequence number
882 * bytes into place without overwriting any of the
883 * plaintext. */
884 if (aead->variable_nonce_included_in_record)
885 {
886 memcpy(out, ad, aead->variable_nonce_len);
887 len -= aead->variable_nonce_len;
888 eivlen = aead->variable_nonce_len;
889 }
890
891 ad[11] = len >> 8;
892 ad[12] = len & 0xff;
893
894 n = EVP_AEAD_CTX_seal(&aead->ctx,
895 out + eivlen, len + aead->tag_len,
896 nonce, nonce_used,
897 in + eivlen, len,
898 ad, sizeof(ad));
899 if (n >= 0 && aead->variable_nonce_included_in_record)
900 n += aead->variable_nonce_len;
901 }
902 else
903 {
904 /* receive */
905 size_t len = rec->length;
906
907 if (rec->data != rec->input)
908 return -1; /* internal error - should never hap pen. */
909 out = in = rec->input;
910
911 if (len < aead->variable_nonce_len)
912 return 0;
913 memcpy(nonce + nonce_used,
914 aead->variable_nonce_included_in_record ? in : ad ,
915 aead->variable_nonce_len);
916 nonce_used += aead->variable_nonce_len;
917
918 if (aead->variable_nonce_included_in_record)
919 {
920 in += aead->variable_nonce_len;
921 len -= aead->variable_nonce_len;
922 out += aead->variable_nonce_len;
923 }
924
925 if (len < aead->tag_len)
926 return 0;
927 len -= aead->tag_len;
928
929 ad[11] = len >> 8;
930 ad[12] = len & 0xff;
931
932 n = EVP_AEAD_CTX_open(&aead->ctx, out, len, nonce, nonce _used,
933 in, len + aead->tag_len, ad, sizeo f(ad));
934
935 rec->data = rec->input = out;
936 }
937
938 if (n == -1)
939 return -1;
940 rec->length = n;
941 return 1;
942 }
686 943
687 if (send) 944 if (send)
688 { 945 {
689 if (EVP_MD_CTX_md(s->write_hash)) 946 if (EVP_MD_CTX_md(s->write_hash))
690 { 947 {
691 int n=EVP_MD_CTX_size(s->write_hash); 948 int n=EVP_MD_CTX_size(s->write_hash);
692 OPENSSL_assert(n >= 0); 949 OPENSSL_assert(n >= 0);
693 } 950 }
694 ds=s->enc_write_ctx; 951 ds=s->enc_write_ctx;
695 rec= &(s->s3->wrec); 952 rec= &(s->s3->wrec);
(...skipping 542 matching lines...) Expand 10 before | Expand all | Expand 10 after
1238 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFIC ATE_STATUS_RESPONSE); 1495 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFIC ATE_STATUS_RESPONSE);
1239 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_H ASH_VALUE); 1496 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_H ASH_VALUE);
1240 case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); 1497 case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
1241 #if 0 /* not appropriate for TLS, not used for DTLS */ 1498 #if 0 /* not appropriate for TLS, not used for DTLS */
1242 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 1499 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
1243 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 1500 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1244 #endif 1501 #endif
1245 default: return(-1); 1502 default: return(-1);
1246 } 1503 }
1247 } 1504 }
OLDNEW
« no previous file with comments | « openssl/ssl/ssl_txt.c ('k') | openssl/ssl/tls1.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698