Symaptic: os/ossrv/ssl/libssl/src/s3_enc.c@bde4ae8d615e (annotated)

sl@0	1	/* ssl/s3_enc.c */
sl@0	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0	3	* All rights reserved.
sl@0	4	*
sl@0	5	* This package is an SSL implementation written
sl@0	6	* by Eric Young (eay@cryptsoft.com).
sl@0	7	* The implementation was written so as to conform with Netscapes SSL.
sl@0	8	*
sl@0	9	* This library is free for commercial and non-commercial use as long as
sl@0	10	* the following conditions are aheared to. The following conditions
sl@0	11	* apply to all code found in this distribution, be it the RC4, RSA,
sl@0	12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
sl@0	13	* included with this distribution is covered by the same copyright terms
sl@0	14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0	15	*
sl@0	16	* Copyright remains Eric Young's, and as such any Copyright notices in
sl@0	17	* the code are not to be removed.
sl@0	18	* If this package is used in a product, Eric Young should be given attribution
sl@0	19	* as the author of the parts of the library used.
sl@0	20	* This can be in the form of a textual message at program startup or
sl@0	21	* in documentation (online or textual) provided with the package.
sl@0	22	*
sl@0	23	* Redistribution and use in source and binary forms, with or without
sl@0	24	* modification, are permitted provided that the following conditions
sl@0	25	* are met:
sl@0	26	* 1. Redistributions of source code must retain the copyright
sl@0	27	* notice, this list of conditions and the following disclaimer.
sl@0	28	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	29	* notice, this list of conditions and the following disclaimer in the
sl@0	30	* documentation and/or other materials provided with the distribution.
sl@0	31	* 3. All advertising materials mentioning features or use of this software
sl@0	32	* must display the following acknowledgement:
sl@0	33	* "This product includes cryptographic software written by
sl@0	34	* Eric Young (eay@cryptsoft.com)"
sl@0	35	* The word 'cryptographic' can be left out if the rouines from the library
sl@0	36	* being used are not cryptographic related :-).
sl@0	37	* 4. If you include any Windows specific code (or a derivative thereof) from
sl@0	38	* the apps directory (application code) you must include an acknowledgement:
sl@0	39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0	40	*
sl@0	41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0	42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0	44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0	45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0	46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0	47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0	49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0	50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0	51	* SUCH DAMAGE.
sl@0	52	*
sl@0	53	* The licence and distribution terms for any publically available version or
sl@0	54	* derivative of this code cannot be changed. i.e. this code cannot simply be
sl@0	55	* copied and put under another distribution licence
sl@0	56	* [including the GNU Public Licence.]
sl@0	57	*/
sl@0	58	/* ====================================================================
sl@0	59	* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
sl@0	60	*
sl@0	61	* Redistribution and use in source and binary forms, with or without
sl@0	62	* modification, are permitted provided that the following conditions
sl@0	63	* are met:
sl@0	64	*
sl@0	65	* 1. Redistributions of source code must retain the above copyright
sl@0	66	* notice, this list of conditions and the following disclaimer.
sl@0	67	*
sl@0	68	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	69	* notice, this list of conditions and the following disclaimer in
sl@0	70	* the documentation and/or other materials provided with the
sl@0	71	* distribution.
sl@0	72	*
sl@0	73	* 3. All advertising materials mentioning features or use of this
sl@0	74	* software must display the following acknowledgment:
sl@0	75	* "This product includes software developed by the OpenSSL Project
sl@0	76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
sl@0	77	*
sl@0	78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	79	* endorse or promote products derived from this software without
sl@0	80	* prior written permission. For written permission, please contact
sl@0	81	* openssl-core@openssl.org.
sl@0	82	*
sl@0	83	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	84	* nor may "OpenSSL" appear in their names without prior written
sl@0	85	* permission of the OpenSSL Project.
sl@0	86	*
sl@0	87	* 6. Redistributions of any form whatsoever must retain the following
sl@0	88	* acknowledgment:
sl@0	89	* "This product includes software developed by the OpenSSL Project
sl@0	90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
sl@0	91	*
sl@0	92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	103	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	104	* ====================================================================
sl@0	105	*
sl@0	106	* This product includes cryptographic software written by Eric Young
sl@0	107	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	108	* Hudson (tjh@cryptsoft.com).
sl@0	109	*
sl@0	110	*/
sl@0	111	/*
sl@0	112	© Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
sl@0	113	*/
sl@0	114
sl@0	115	#include <stdio.h>
sl@0	116	#include "ssl_locl.h"
sl@0	117	#include <openssl/evp.h>
sl@0	118	#include <openssl/md5.h>
sl@0	119
sl@0	120	#ifndef EMULATOR
sl@0	121	static unsigned char ssl3_pad_1[48]={
sl@0	122	#else
sl@0	123	static const unsigned char ssl3_pad_1[48]={
sl@0	124	#endif
sl@0	125	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
sl@0	126	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
sl@0	127	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
sl@0	128	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
sl@0	129	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
sl@0	130	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 };
sl@0	131
sl@0	132	#ifndef EMULATOR
sl@0	133	static unsigned char ssl3_pad_2[48]={
sl@0	134	#else
sl@0	135	static const unsigned char ssl3_pad_2[48]={
sl@0	136	#endif
sl@0	137	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
sl@0	138	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
sl@0	139	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
sl@0	140	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
sl@0	141	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
sl@0	142	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
sl@0	143
sl@0	144	static int ssl3_handshake_mac(SSL s, EVP_MD_CTX in_ctx,
sl@0	145	const char sender, int len, unsigned char p);
sl@0	146
sl@0	147	static int ssl3_generate_key_block(SSL s, unsigned char km, int num)
sl@0	148	{
sl@0	149	EVP_MD_CTX m5;
sl@0	150	EVP_MD_CTX s1;
sl@0	151	unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
sl@0	152	unsigned char c='A';
sl@0	153	unsigned int i,j,k;
sl@0	154
sl@0	155	#ifdef CHARSET_EBCDIC
sl@0	156	c = os_toascii[c]; /'A' in ASCII /
sl@0	157	#endif
sl@0	158	k=0;
sl@0	159	EVP_MD_CTX_init(&m5);
sl@0	160	EVP_MD_CTX_init(&s1);
sl@0	161	for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
sl@0	162	{
sl@0	163	k++;
sl@0	164	if (k > sizeof buf)
sl@0	165	{
sl@0	166	/* bug: 'buf' is too small for this ciphersuite */
sl@0	167	SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
sl@0	168	return 0;
sl@0	169	}
sl@0	170
sl@0	171	for (j=0; j<k; j++)
sl@0	172	buf[j]=c;
sl@0	173	c++;
sl@0	174	EVP_DigestInit_ex(&s1,EVP_sha1(), NULL);
sl@0	175	EVP_DigestUpdate(&s1,buf,k);
sl@0	176	EVP_DigestUpdate(&s1,s->session->master_key,
sl@0	177	s->session->master_key_length);
sl@0	178	EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
sl@0	179	EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
sl@0	180	EVP_DigestFinal_ex(&s1,smd,NULL);
sl@0	181
sl@0	182	EVP_DigestInit_ex(&m5,EVP_md5(), NULL);
sl@0	183	EVP_DigestUpdate(&m5,s->session->master_key,
sl@0	184	s->session->master_key_length);
sl@0	185	EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
sl@0	186	if ((int)(i+MD5_DIGEST_LENGTH) > num)
sl@0	187	{
sl@0	188	EVP_DigestFinal_ex(&m5,smd,NULL);
sl@0	189	memcpy(km,smd,(num-i));
sl@0	190	}
sl@0	191	else
sl@0	192	EVP_DigestFinal_ex(&m5,km,NULL);
sl@0	193
sl@0	194	km+=MD5_DIGEST_LENGTH;
sl@0	195	}
sl@0	196	OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
sl@0	197	EVP_MD_CTX_cleanup(&m5);
sl@0	198	EVP_MD_CTX_cleanup(&s1);
sl@0	199	return 1;
sl@0	200	}
sl@0	201
sl@0	202	int ssl3_change_cipher_state(SSL *s, int which)
sl@0	203	{
sl@0	204	unsigned char p,key_block,*mac_secret;
sl@0	205	unsigned char exp_key[EVP_MAX_KEY_LENGTH];
sl@0	206	unsigned char exp_iv[EVP_MAX_IV_LENGTH];
sl@0	207	unsigned char ms,key,iv,er1,*er2;
sl@0	208	EVP_CIPHER_CTX *dd;
sl@0	209	const EVP_CIPHER *c;
sl@0	210	#ifndef OPENSSL_NO_COMP
sl@0	211	COMP_METHOD *comp;
sl@0	212	#endif
sl@0	213	const EVP_MD *m;
sl@0	214	EVP_MD_CTX md;
sl@0	215	int is_exp,n,i,j,k,cl;
sl@0	216	int reuse_dd = 0;
sl@0	217
sl@0	218	is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
sl@0	219	c=s->s3->tmp.new_sym_enc;
sl@0	220	m=s->s3->tmp.new_hash;
sl@0	221	#ifndef OPENSSL_NO_COMP
sl@0	222	if (s->s3->tmp.new_compression == NULL)
sl@0	223	comp=NULL;
sl@0	224	else
sl@0	225	comp=s->s3->tmp.new_compression->method;
sl@0	226	#endif
sl@0	227	key_block=s->s3->tmp.key_block;
sl@0	228
sl@0	229	if (which & SSL3_CC_READ)
sl@0	230	{
sl@0	231	if (s->enc_read_ctx != NULL)
sl@0	232	reuse_dd = 1;
sl@0	233	else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
sl@0	234	goto err;
sl@0	235	else
sl@0	236	/* make sure it's intialized in case we exit later with an error */
sl@0	237	EVP_CIPHER_CTX_init(s->enc_read_ctx);
sl@0	238	dd= s->enc_read_ctx;
sl@0	239	s->read_hash=m;
sl@0	240	#ifndef OPENSSL_NO_COMP
sl@0	241	/* COMPRESS */
sl@0	242	if (s->expand != NULL)
sl@0	243	{
sl@0	244	COMP_CTX_free(s->expand);
sl@0	245	s->expand=NULL;
sl@0	246	}
sl@0	247	if (comp != NULL)
sl@0	248	{
sl@0	249	s->expand=COMP_CTX_new(comp);
sl@0	250	if (s->expand == NULL)
sl@0	251	{
sl@0	252	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
sl@0	253	goto err2;
sl@0	254	}
sl@0	255	if (s->s3->rrec.comp == NULL)
sl@0	256	s->s3->rrec.comp=(unsigned char *)
sl@0	257	OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
sl@0	258	if (s->s3->rrec.comp == NULL)
sl@0	259	goto err;
sl@0	260	}
sl@0	261	#endif
sl@0	262	memset(&(s->s3->read_sequence[0]),0,8);
sl@0	263	mac_secret= &(s->s3->read_mac_secret[0]);
sl@0	264	}
sl@0	265	else
sl@0	266	{
sl@0	267	if (s->enc_write_ctx != NULL)
sl@0	268	reuse_dd = 1;
sl@0	269	else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
sl@0	270	goto err;
sl@0	271	else
sl@0	272	/* make sure it's intialized in case we exit later with an error */
sl@0	273	EVP_CIPHER_CTX_init(s->enc_write_ctx);
sl@0	274	dd= s->enc_write_ctx;
sl@0	275
sl@0	276
sl@0	277	s->write_hash=m;
sl@0	278	#ifndef OPENSSL_NO_COMP
sl@0	279	/* COMPRESS */
sl@0	280	if (s->compress != NULL)
sl@0	281	{
sl@0	282	COMP_CTX_free(s->compress);
sl@0	283	s->compress=NULL;
sl@0	284	}
sl@0	285	if (comp != NULL)
sl@0	286	{
sl@0	287	s->compress=COMP_CTX_new(comp);
sl@0	288	if (s->compress == NULL)
sl@0	289	{
sl@0	290	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
sl@0	291	goto err2;
sl@0	292	}
sl@0	293	}
sl@0	294	#endif
sl@0	295	memset(&(s->s3->write_sequence[0]),0,8);
sl@0	296	mac_secret= &(s->s3->write_mac_secret[0]);
sl@0	297	}
sl@0	298
sl@0	299	if (reuse_dd)
sl@0	300	EVP_CIPHER_CTX_cleanup(dd);
sl@0	301
sl@0	302	p=s->s3->tmp.key_block;
sl@0	303	i=EVP_MD_size(m);
sl@0	304	cl=EVP_CIPHER_key_length(c);
sl@0	305	j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
sl@0	306	cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
sl@0	307	/* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
sl@0	308	k=EVP_CIPHER_iv_length(c);
sl@0	309	if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) \|\|
sl@0	310	(which == SSL3_CHANGE_CIPHER_SERVER_READ))
sl@0	311	{
sl@0	312	ms= &(p[ 0]); n=i+i;
sl@0	313	key= &(p[ n]); n+=j+j;
sl@0	314	iv= &(p[ n]); n+=k+k;
sl@0	315	er1= &(s->s3->client_random[0]);
sl@0	316	er2= &(s->s3->server_random[0]);
sl@0	317	}
sl@0	318	else
sl@0	319	{
sl@0	320	n=i;
sl@0	321	ms= &(p[ n]); n+=i+j;
sl@0	322	key= &(p[ n]); n+=j+k;
sl@0	323	iv= &(p[ n]); n+=k;
sl@0	324	er1= &(s->s3->server_random[0]);
sl@0	325	er2= &(s->s3->client_random[0]);
sl@0	326	}
sl@0	327
sl@0	328	if (n > s->s3->tmp.key_block_length)
sl@0	329	{
sl@0	330	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
sl@0	331	goto err2;
sl@0	332	}
sl@0	333
sl@0	334	EVP_MD_CTX_init(&md);
sl@0	335	memcpy(mac_secret,ms,i);
sl@0	336	if (is_exp)
sl@0	337	{
sl@0	338	/* In here I set both the read and write key/iv to the
sl@0	339	* same value since only the correct one will be used :-).
sl@0	340	*/
sl@0	341	EVP_DigestInit_ex(&md,EVP_md5(), NULL);
sl@0	342	EVP_DigestUpdate(&md,key,j);
sl@0	343	EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
sl@0	344	EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
sl@0	345	EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL);
sl@0	346	key= &(exp_key[0]);
sl@0	347
sl@0	348	if (k > 0)
sl@0	349	{
sl@0	350	EVP_DigestInit_ex(&md,EVP_md5(), NULL);
sl@0	351	EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
sl@0	352	EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
sl@0	353	EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL);
sl@0	354	iv= &(exp_iv[0]);
sl@0	355	}
sl@0	356	}
sl@0	357
sl@0	358	s->session->key_arg_length=0;
sl@0	359
sl@0	360	EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
sl@0	361
sl@0	362	OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
sl@0	363	OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
sl@0	364	EVP_MD_CTX_cleanup(&md);
sl@0	365	return(1);
sl@0	366	err:
sl@0	367	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
sl@0	368	err2:
sl@0	369	return(0);
sl@0	370	}
sl@0	371
sl@0	372	int ssl3_setup_key_block(SSL *s)
sl@0	373	{
sl@0	374	unsigned char *p;
sl@0	375	const EVP_CIPHER *c;
sl@0	376	const EVP_MD *hash;
sl@0	377	int num;
sl@0	378	int ret = 0;
sl@0	379	SSL_COMP *comp;
sl@0	380
sl@0	381	if (s->s3->tmp.key_block_length != 0)
sl@0	382	return(1);
sl@0	383
sl@0	384	if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
sl@0	385	{
sl@0	386	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
sl@0	387	return(0);
sl@0	388	}
sl@0	389
sl@0	390	s->s3->tmp.new_sym_enc=c;
sl@0	391	s->s3->tmp.new_hash=hash;
sl@0	392	#ifdef OPENSSL_NO_COMP
sl@0	393	s->s3->tmp.new_compression=NULL;
sl@0	394	#else
sl@0	395	s->s3->tmp.new_compression=comp;
sl@0	396	#endif
sl@0	397
sl@0	398	num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
sl@0	399	num*=2;
sl@0	400
sl@0	401	ssl3_cleanup_key_block(s);
sl@0	402
sl@0	403	if ((p=OPENSSL_malloc(num)) == NULL)
sl@0	404	goto err;
sl@0	405
sl@0	406	s->s3->tmp.key_block_length=num;
sl@0	407	s->s3->tmp.key_block=p;
sl@0	408
sl@0	409	ret = ssl3_generate_key_block(s,p,num);
sl@0	410
sl@0	411	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
sl@0	412	{
sl@0	413	/* enable vulnerability countermeasure for CBC ciphers with
sl@0	414	* known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
sl@0	415	*/
sl@0	416	s->s3->need_empty_fragments = 1;
sl@0	417
sl@0	418	if (s->session->cipher != NULL)
sl@0	419	{
sl@0	420	if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
sl@0	421	s->s3->need_empty_fragments = 0;
sl@0	422
sl@0	423	#ifndef OPENSSL_NO_RC4
sl@0	424	if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
sl@0	425	s->s3->need_empty_fragments = 0;
sl@0	426	#endif
sl@0	427	}
sl@0	428	}
sl@0	429
sl@0	430	return ret;
sl@0	431
sl@0	432	err:
sl@0	433	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
sl@0	434	return(0);
sl@0	435	}
sl@0	436
sl@0	437	void ssl3_cleanup_key_block(SSL *s)
sl@0	438	{
sl@0	439	if (s->s3->tmp.key_block != NULL)
sl@0	440	{
sl@0	441	OPENSSL_cleanse(s->s3->tmp.key_block,
sl@0	442	s->s3->tmp.key_block_length);
sl@0	443	OPENSSL_free(s->s3->tmp.key_block);
sl@0	444	s->s3->tmp.key_block=NULL;
sl@0	445	}
sl@0	446	s->s3->tmp.key_block_length=0;
sl@0	447	}
sl@0	448
sl@0	449	int ssl3_enc(SSL *s, int send)
sl@0	450	{
sl@0	451	SSL3_RECORD *rec;
sl@0	452	EVP_CIPHER_CTX *ds;
sl@0	453	unsigned long l;
sl@0	454	int bs,i;
sl@0	455	const EVP_CIPHER *enc;
sl@0	456
sl@0	457	if (send)
sl@0	458	{
sl@0	459	ds=s->enc_write_ctx;
sl@0	460	rec= &(s->s3->wrec);
sl@0	461	if (s->enc_write_ctx == NULL)
sl@0	462	enc=NULL;
sl@0	463	else
sl@0	464	enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
sl@0	465	}
sl@0	466	else
sl@0	467	{
sl@0	468	ds=s->enc_read_ctx;
sl@0	469	rec= &(s->s3->rrec);
sl@0	470	if (s->enc_read_ctx == NULL)
sl@0	471	enc=NULL;
sl@0	472	else
sl@0	473	enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
sl@0	474	}
sl@0	475
sl@0	476	if ((s->session == NULL) \|\| (ds == NULL) \|\|
sl@0	477	(enc == NULL))
sl@0	478	{
sl@0	479	memmove(rec->data,rec->input,rec->length);
sl@0	480	rec->input=rec->data;
sl@0	481	}
sl@0	482	else
sl@0	483	{
sl@0	484	l=rec->length;
sl@0	485	bs=EVP_CIPHER_block_size(ds->cipher);
sl@0	486
sl@0	487	/* COMPRESS */
sl@0	488
sl@0	489	if ((bs != 1) && send)
sl@0	490	{
sl@0	491	i=bs-((int)l%bs);
sl@0	492
sl@0	493	/* we need to add 'i-1' padding bytes */
sl@0	494	l+=i;
sl@0	495	rec->length+=i;
sl@0	496	rec->input[l-1]=(i-1);
sl@0	497	}
sl@0	498
sl@0	499	if (!send)
sl@0	500	{
sl@0	501	if (l == 0 \|\| l%bs != 0)
sl@0	502	{
sl@0	503	SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
sl@0	504	ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
sl@0	505	return 0;
sl@0	506	}
sl@0	507	/* otherwise, rec->length >= bs */
sl@0	508	}
sl@0	509
sl@0	510	EVP_Cipher(ds,rec->data,rec->input,l);
sl@0	511
sl@0	512	if ((bs != 1) && !send)
sl@0	513	{
sl@0	514	i=rec->data[l-1]+1;
sl@0	515	/* SSL 3.0 bounds the number of padding bytes by the block size;
sl@0	516	* padding bytes (except the last one) are arbitrary */
sl@0	517	if (i > bs)
sl@0	518	{
sl@0	519	/* Incorrect padding. SSLerr() and ssl3_alert are done
sl@0	520	* by caller: we don't want to reveal whether this is
sl@0	521	* a decryption error or a MAC verification failure
sl@0	522	* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
sl@0	523	return -1;
sl@0	524	}
sl@0	525	/* now i <= bs <= rec->length */
sl@0	526	rec->length-=i;
sl@0	527	}
sl@0	528	}
sl@0	529	return(1);
sl@0	530	}
sl@0	531
sl@0	532	void ssl3_init_finished_mac(SSL *s)
sl@0	533	{
sl@0	534	EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
sl@0	535	EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
sl@0	536	}
sl@0	537
sl@0	538	void ssl3_finish_mac(SSL s, const unsigned char buf, int len)
sl@0	539	{
sl@0	540	EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len);
sl@0	541	EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len);
sl@0	542	}
sl@0	543
sl@0	544	int ssl3_cert_verify_mac(SSL s, EVP_MD_CTX ctx, unsigned char *p)
sl@0	545	{
sl@0	546	return(ssl3_handshake_mac(s,ctx,NULL,0,p));
sl@0	547	}
sl@0	548
sl@0	549	int ssl3_final_finish_mac(SSL s, EVP_MD_CTX ctx1, EVP_MD_CTX *ctx2,
sl@0	550	const char sender, int len, unsigned char p)
sl@0	551	{
sl@0	552	int ret;
sl@0	553
sl@0	554	ret=ssl3_handshake_mac(s,ctx1,sender,len,p);
sl@0	555	p+=ret;
sl@0	556	ret+=ssl3_handshake_mac(s,ctx2,sender,len,p);
sl@0	557	return(ret);
sl@0	558	}
sl@0	559
sl@0	560	static int ssl3_handshake_mac(SSL s, EVP_MD_CTX in_ctx,
sl@0	561	const char sender, int len, unsigned char p)
sl@0	562	{
sl@0	563	unsigned int ret;
sl@0	564	int npad,n;
sl@0	565	unsigned int i;
sl@0	566	unsigned char md_buf[EVP_MAX_MD_SIZE];
sl@0	567	EVP_MD_CTX ctx;
sl@0	568
sl@0	569	EVP_MD_CTX_init(&ctx);
sl@0	570	EVP_MD_CTX_copy_ex(&ctx,in_ctx);
sl@0	571
sl@0	572	n=EVP_MD_CTX_size(&ctx);
sl@0	573	npad=(48/n)*n;
sl@0	574
sl@0	575	if (sender != NULL)
sl@0	576	EVP_DigestUpdate(&ctx,sender,len);
sl@0	577	EVP_DigestUpdate(&ctx,s->session->master_key,
sl@0	578	s->session->master_key_length);
sl@0	579	EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
sl@0	580	EVP_DigestFinal_ex(&ctx,md_buf,&i);
sl@0	581
sl@0	582	EVP_DigestInit_ex(&ctx,EVP_MD_CTX_md(&ctx), NULL);
sl@0	583	EVP_DigestUpdate(&ctx,s->session->master_key,
sl@0	584	s->session->master_key_length);
sl@0	585	EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
sl@0	586	EVP_DigestUpdate(&ctx,md_buf,i);
sl@0	587	EVP_DigestFinal_ex(&ctx,p,&ret);
sl@0	588
sl@0	589	EVP_MD_CTX_cleanup(&ctx);
sl@0	590
sl@0	591	return((int)ret);
sl@0	592	}
sl@0	593
sl@0	594	int ssl3_mac(SSL ssl, unsigned char md, int send)
sl@0	595	{
sl@0	596	SSL3_RECORD *rec;
sl@0	597	unsigned char mac_sec,seq;
sl@0	598	EVP_MD_CTX md_ctx;
sl@0	599	const EVP_MD *hash;
sl@0	600	unsigned char *p,rec_char;
sl@0	601	unsigned int md_size;
sl@0	602	int npad;
sl@0	603
sl@0	604	if (send)
sl@0	605	{
sl@0	606	rec= &(ssl->s3->wrec);
sl@0	607	mac_sec= &(ssl->s3->write_mac_secret[0]);
sl@0	608	seq= &(ssl->s3->write_sequence[0]);
sl@0	609	hash=ssl->write_hash;
sl@0	610	}
sl@0	611	else
sl@0	612	{
sl@0	613	rec= &(ssl->s3->rrec);
sl@0	614	mac_sec= &(ssl->s3->read_mac_secret[0]);
sl@0	615	seq= &(ssl->s3->read_sequence[0]);
sl@0	616	hash=ssl->read_hash;
sl@0	617	}
sl@0	618
sl@0	619	md_size=EVP_MD_size(hash);
sl@0	620	npad=(48/md_size)*md_size;
sl@0	621
sl@0	622	/* Chop the digest off the end :-) */
sl@0	623	EVP_MD_CTX_init(&md_ctx);
sl@0	624
sl@0	625	EVP_DigestInit_ex( &md_ctx,hash, NULL);
sl@0	626	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
sl@0	627	EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
sl@0	628	EVP_DigestUpdate(&md_ctx,seq,8);
sl@0	629	rec_char=rec->type;
sl@0	630	EVP_DigestUpdate(&md_ctx,&rec_char,1);
sl@0	631	p=md;
sl@0	632	s2n(rec->length,p);
sl@0	633	EVP_DigestUpdate(&md_ctx,md,2);
sl@0	634	EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
sl@0	635	EVP_DigestFinal_ex( &md_ctx,md,NULL);
sl@0	636
sl@0	637	EVP_DigestInit_ex( &md_ctx,hash, NULL);
sl@0	638	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
sl@0	639	EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
sl@0	640	EVP_DigestUpdate(&md_ctx,md,md_size);
sl@0	641	EVP_DigestFinal_ex( &md_ctx,md,&md_size);
sl@0	642
sl@0	643	EVP_MD_CTX_cleanup(&md_ctx);
sl@0	644
sl@0	645	ssl3_record_sequence_update(seq);
sl@0	646	return(md_size);
sl@0	647	}
sl@0	648
sl@0	649	void ssl3_record_sequence_update(unsigned char *seq)
sl@0	650	{
sl@0	651	int i;
sl@0	652
sl@0	653	for (i=7; i>=0; i--)
sl@0	654	{
sl@0	655	++seq[i];
sl@0	656	if (seq[i] != 0) break;
sl@0	657	}
sl@0	658	}
sl@0	659
sl@0	660	int ssl3_generate_master_secret(SSL s, unsigned char out, unsigned char *p,
sl@0	661	int len)
sl@0	662	{
sl@0	663	#ifndef EMULATOR
sl@0	664	static const unsigned char *salt[3]={
sl@0	665	#else
sl@0	666	static const unsigned char *const salt[3]={
sl@0	667	#endif
sl@0	668
sl@0	669	#ifndef CHARSET_EBCDIC
sl@0	670	(const unsigned char *)"A",
sl@0	671	(const unsigned char *)"BB",
sl@0	672	(const unsigned char *)"CCC",
sl@0	673	#else
sl@0	674	(const unsigned char *)"\x41",
sl@0	675	(const unsigned char *)"\x42\x42",
sl@0	676	(const unsigned char *)"\x43\x43\x43",
sl@0	677	#endif
sl@0	678	};
sl@0	679	unsigned char buf[EVP_MAX_MD_SIZE];
sl@0	680	EVP_MD_CTX ctx;
sl@0	681	int i,ret=0;
sl@0	682	unsigned int n;
sl@0	683
sl@0	684	EVP_MD_CTX_init(&ctx);
sl@0	685	for (i=0; i<3; i++)
sl@0	686	{
sl@0	687	EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
sl@0	688	EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
sl@0	689	EVP_DigestUpdate(&ctx,p,len);
sl@0	690	EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
sl@0	691	SSL3_RANDOM_SIZE);
sl@0	692	EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
sl@0	693	SSL3_RANDOM_SIZE);
sl@0	694	EVP_DigestFinal_ex(&ctx,buf,&n);
sl@0	695
sl@0	696	EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL);
sl@0	697	EVP_DigestUpdate(&ctx,p,len);
sl@0	698	EVP_DigestUpdate(&ctx,buf,n);
sl@0	699	EVP_DigestFinal_ex(&ctx,out,&n);
sl@0	700	out+=n;
sl@0	701	ret+=n;
sl@0	702	}
sl@0	703	EVP_MD_CTX_cleanup(&ctx);
sl@0	704	return(ret);
sl@0	705	}
sl@0	706
sl@0	707	int ssl3_alert_code(int code)
sl@0	708	{
sl@0	709	switch (code)
sl@0	710	{
sl@0	711	case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY);
sl@0	712	case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
sl@0	713	case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC);
sl@0	714	case SSL_AD_DECRYPTION_FAILED: return(SSL3_AD_BAD_RECORD_MAC);
sl@0	715	case SSL_AD_RECORD_OVERFLOW: return(SSL3_AD_BAD_RECORD_MAC);
sl@0	716	case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
sl@0	717	case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	718	case SSL_AD_NO_CERTIFICATE: return(SSL3_AD_NO_CERTIFICATE);
sl@0	719	case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE);
sl@0	720	case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
sl@0	721	case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
sl@0	722	case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
sl@0	723	case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
sl@0	724	case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER);
sl@0	725	case SSL_AD_UNKNOWN_CA: return(SSL3_AD_BAD_CERTIFICATE);
sl@0	726	case SSL_AD_ACCESS_DENIED: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	727	case SSL_AD_DECODE_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	728	case SSL_AD_DECRYPT_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	729	case SSL_AD_EXPORT_RESTRICTION: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	730	case SSL_AD_PROTOCOL_VERSION: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	731	case SSL_AD_INSUFFICIENT_SECURITY:return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	732	case SSL_AD_INTERNAL_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	733	case SSL_AD_USER_CANCELLED: return(SSL3_AD_HANDSHAKE_FAILURE);
sl@0	734	case SSL_AD_NO_RENEGOTIATION: return(-1); /* Don't send it :-) */
sl@0	735	default: return(-1);
sl@0	736	}
sl@0	737	}
sl@0	738

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--