1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libssl/src/s3_enc.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,738 @@
1.4 +/* ssl/s3_enc.c */
1.5 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.6 + * All rights reserved.
1.7 + *
1.8 + * This package is an SSL implementation written
1.9 + * by Eric Young (eay@cryptsoft.com).
1.10 + * The implementation was written so as to conform with Netscapes SSL.
1.11 + *
1.12 + * This library is free for commercial and non-commercial use as long as
1.13 + * the following conditions are aheared to. The following conditions
1.14 + * apply to all code found in this distribution, be it the RC4, RSA,
1.15 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.16 + * included with this distribution is covered by the same copyright terms
1.17 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.18 + *
1.19 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.20 + * the code are not to be removed.
1.21 + * If this package is used in a product, Eric Young should be given attribution
1.22 + * as the author of the parts of the library used.
1.23 + * This can be in the form of a textual message at program startup or
1.24 + * in documentation (online or textual) provided with the package.
1.25 + *
1.26 + * Redistribution and use in source and binary forms, with or without
1.27 + * modification, are permitted provided that the following conditions
1.28 + * are met:
1.29 + * 1. Redistributions of source code must retain the copyright
1.30 + * notice, this list of conditions and the following disclaimer.
1.31 + * 2. Redistributions in binary form must reproduce the above copyright
1.32 + * notice, this list of conditions and the following disclaimer in the
1.33 + * documentation and/or other materials provided with the distribution.
1.34 + * 3. All advertising materials mentioning features or use of this software
1.35 + * must display the following acknowledgement:
1.36 + * "This product includes cryptographic software written by
1.37 + * Eric Young (eay@cryptsoft.com)"
1.38 + * The word 'cryptographic' can be left out if the rouines from the library
1.39 + * being used are not cryptographic related :-).
1.40 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.41 + * the apps directory (application code) you must include an acknowledgement:
1.42 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.43 + *
1.44 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.45 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.46 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.47 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.48 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.49 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.50 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.52 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.53 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.54 + * SUCH DAMAGE.
1.55 + *
1.56 + * The licence and distribution terms for any publically available version or
1.57 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.58 + * copied and put under another distribution licence
1.59 + * [including the GNU Public Licence.]
1.60 + */
1.61 +/* ====================================================================
1.62 + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
1.63 + *
1.64 + * Redistribution and use in source and binary forms, with or without
1.65 + * modification, are permitted provided that the following conditions
1.66 + * are met:
1.67 + *
1.68 + * 1. Redistributions of source code must retain the above copyright
1.69 + * notice, this list of conditions and the following disclaimer.
1.70 + *
1.71 + * 2. Redistributions in binary form must reproduce the above copyright
1.72 + * notice, this list of conditions and the following disclaimer in
1.73 + * the documentation and/or other materials provided with the
1.74 + * distribution.
1.75 + *
1.76 + * 3. All advertising materials mentioning features or use of this
1.77 + * software must display the following acknowledgment:
1.78 + * "This product includes software developed by the OpenSSL Project
1.79 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.80 + *
1.81 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.82 + * endorse or promote products derived from this software without
1.83 + * prior written permission. For written permission, please contact
1.84 + * openssl-core@openssl.org.
1.85 + *
1.86 + * 5. Products derived from this software may not be called "OpenSSL"
1.87 + * nor may "OpenSSL" appear in their names without prior written
1.88 + * permission of the OpenSSL Project.
1.89 + *
1.90 + * 6. Redistributions of any form whatsoever must retain the following
1.91 + * acknowledgment:
1.92 + * "This product includes software developed by the OpenSSL Project
1.93 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.94 + *
1.95 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.96 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.97 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.98 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.99 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.100 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.101 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.102 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.103 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.104 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.105 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.106 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.107 + * ====================================================================
1.108 + *
1.109 + * This product includes cryptographic software written by Eric Young
1.110 + * (eay@cryptsoft.com). This product includes software written by Tim
1.111 + * Hudson (tjh@cryptsoft.com).
1.112 + *
1.113 + */
1.114 +/*
1.115 + © Portions copyright (c) 2006 Nokia Corporation. All rights reserved.
1.116 + */
1.117 +
1.118 +#include <stdio.h>
1.119 +#include "ssl_locl.h"
1.120 +#include <openssl/evp.h>
1.121 +#include <openssl/md5.h>
1.122 +
1.123 +#ifndef EMULATOR
1.124 + static unsigned char ssl3_pad_1[48]={
1.125 +#else
1.126 + static const unsigned char ssl3_pad_1[48]={
1.127 +#endif
1.128 + 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
1.129 + 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
1.130 + 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
1.131 + 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
1.132 + 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
1.133 + 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 };
1.134 +
1.135 +#ifndef EMULATOR
1.136 + static unsigned char ssl3_pad_2[48]={
1.137 +#else
1.138 + static const unsigned char ssl3_pad_2[48]={
1.139 +#endif
1.140 + 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
1.141 + 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
1.142 + 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
1.143 + 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
1.144 + 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
1.145 + 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
1.146 +
1.147 +static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
1.148 + const char *sender, int len, unsigned char *p);
1.149 +
1.150 +static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
1.151 + {
1.152 + EVP_MD_CTX m5;
1.153 + EVP_MD_CTX s1;
1.154 + unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
1.155 + unsigned char c='A';
1.156 + unsigned int i,j,k;
1.157 +
1.158 +#ifdef CHARSET_EBCDIC
1.159 + c = os_toascii[c]; /*'A' in ASCII */
1.160 +#endif
1.161 + k=0;
1.162 + EVP_MD_CTX_init(&m5);
1.163 + EVP_MD_CTX_init(&s1);
1.164 + for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
1.165 + {
1.166 + k++;
1.167 + if (k > sizeof buf)
1.168 + {
1.169 + /* bug: 'buf' is too small for this ciphersuite */
1.170 + SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
1.171 + return 0;
1.172 + }
1.173 +
1.174 + for (j=0; j<k; j++)
1.175 + buf[j]=c;
1.176 + c++;
1.177 + EVP_DigestInit_ex(&s1,EVP_sha1(), NULL);
1.178 + EVP_DigestUpdate(&s1,buf,k);
1.179 + EVP_DigestUpdate(&s1,s->session->master_key,
1.180 + s->session->master_key_length);
1.181 + EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
1.182 + EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
1.183 + EVP_DigestFinal_ex(&s1,smd,NULL);
1.184 +
1.185 + EVP_DigestInit_ex(&m5,EVP_md5(), NULL);
1.186 + EVP_DigestUpdate(&m5,s->session->master_key,
1.187 + s->session->master_key_length);
1.188 + EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
1.189 + if ((int)(i+MD5_DIGEST_LENGTH) > num)
1.190 + {
1.191 + EVP_DigestFinal_ex(&m5,smd,NULL);
1.192 + memcpy(km,smd,(num-i));
1.193 + }
1.194 + else
1.195 + EVP_DigestFinal_ex(&m5,km,NULL);
1.196 +
1.197 + km+=MD5_DIGEST_LENGTH;
1.198 + }
1.199 + OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
1.200 + EVP_MD_CTX_cleanup(&m5);
1.201 + EVP_MD_CTX_cleanup(&s1);
1.202 + return 1;
1.203 + }
1.204 +
1.205 +int ssl3_change_cipher_state(SSL *s, int which)
1.206 + {
1.207 + unsigned char *p,*key_block,*mac_secret;
1.208 + unsigned char exp_key[EVP_MAX_KEY_LENGTH];
1.209 + unsigned char exp_iv[EVP_MAX_IV_LENGTH];
1.210 + unsigned char *ms,*key,*iv,*er1,*er2;
1.211 + EVP_CIPHER_CTX *dd;
1.212 + const EVP_CIPHER *c;
1.213 +#ifndef OPENSSL_NO_COMP
1.214 + COMP_METHOD *comp;
1.215 +#endif
1.216 + const EVP_MD *m;
1.217 + EVP_MD_CTX md;
1.218 + int is_exp,n,i,j,k,cl;
1.219 + int reuse_dd = 0;
1.220 +
1.221 + is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
1.222 + c=s->s3->tmp.new_sym_enc;
1.223 + m=s->s3->tmp.new_hash;
1.224 +#ifndef OPENSSL_NO_COMP
1.225 + if (s->s3->tmp.new_compression == NULL)
1.226 + comp=NULL;
1.227 + else
1.228 + comp=s->s3->tmp.new_compression->method;
1.229 +#endif
1.230 + key_block=s->s3->tmp.key_block;
1.231 +
1.232 + if (which & SSL3_CC_READ)
1.233 + {
1.234 + if (s->enc_read_ctx != NULL)
1.235 + reuse_dd = 1;
1.236 + else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
1.237 + goto err;
1.238 + else
1.239 + /* make sure it's intialized in case we exit later with an error */
1.240 + EVP_CIPHER_CTX_init(s->enc_read_ctx);
1.241 + dd= s->enc_read_ctx;
1.242 + s->read_hash=m;
1.243 +#ifndef OPENSSL_NO_COMP
1.244 + /* COMPRESS */
1.245 + if (s->expand != NULL)
1.246 + {
1.247 + COMP_CTX_free(s->expand);
1.248 + s->expand=NULL;
1.249 + }
1.250 + if (comp != NULL)
1.251 + {
1.252 + s->expand=COMP_CTX_new(comp);
1.253 + if (s->expand == NULL)
1.254 + {
1.255 + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
1.256 + goto err2;
1.257 + }
1.258 + if (s->s3->rrec.comp == NULL)
1.259 + s->s3->rrec.comp=(unsigned char *)
1.260 + OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
1.261 + if (s->s3->rrec.comp == NULL)
1.262 + goto err;
1.263 + }
1.264 +#endif
1.265 + memset(&(s->s3->read_sequence[0]),0,8);
1.266 + mac_secret= &(s->s3->read_mac_secret[0]);
1.267 + }
1.268 + else
1.269 + {
1.270 + if (s->enc_write_ctx != NULL)
1.271 + reuse_dd = 1;
1.272 + else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
1.273 + goto err;
1.274 + else
1.275 + /* make sure it's intialized in case we exit later with an error */
1.276 + EVP_CIPHER_CTX_init(s->enc_write_ctx);
1.277 + dd= s->enc_write_ctx;
1.278 +
1.279 +
1.280 + s->write_hash=m;
1.281 +#ifndef OPENSSL_NO_COMP
1.282 + /* COMPRESS */
1.283 + if (s->compress != NULL)
1.284 + {
1.285 + COMP_CTX_free(s->compress);
1.286 + s->compress=NULL;
1.287 + }
1.288 + if (comp != NULL)
1.289 + {
1.290 + s->compress=COMP_CTX_new(comp);
1.291 + if (s->compress == NULL)
1.292 + {
1.293 + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
1.294 + goto err2;
1.295 + }
1.296 + }
1.297 +#endif
1.298 + memset(&(s->s3->write_sequence[0]),0,8);
1.299 + mac_secret= &(s->s3->write_mac_secret[0]);
1.300 + }
1.301 +
1.302 + if (reuse_dd)
1.303 + EVP_CIPHER_CTX_cleanup(dd);
1.304 +
1.305 + p=s->s3->tmp.key_block;
1.306 + i=EVP_MD_size(m);
1.307 + cl=EVP_CIPHER_key_length(c);
1.308 + j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
1.309 + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
1.310 + /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
1.311 + k=EVP_CIPHER_iv_length(c);
1.312 + if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
1.313 + (which == SSL3_CHANGE_CIPHER_SERVER_READ))
1.314 + {
1.315 + ms= &(p[ 0]); n=i+i;
1.316 + key= &(p[ n]); n+=j+j;
1.317 + iv= &(p[ n]); n+=k+k;
1.318 + er1= &(s->s3->client_random[0]);
1.319 + er2= &(s->s3->server_random[0]);
1.320 + }
1.321 + else
1.322 + {
1.323 + n=i;
1.324 + ms= &(p[ n]); n+=i+j;
1.325 + key= &(p[ n]); n+=j+k;
1.326 + iv= &(p[ n]); n+=k;
1.327 + er1= &(s->s3->server_random[0]);
1.328 + er2= &(s->s3->client_random[0]);
1.329 + }
1.330 +
1.331 + if (n > s->s3->tmp.key_block_length)
1.332 + {
1.333 + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
1.334 + goto err2;
1.335 + }
1.336 +
1.337 + EVP_MD_CTX_init(&md);
1.338 + memcpy(mac_secret,ms,i);
1.339 + if (is_exp)
1.340 + {
1.341 + /* In here I set both the read and write key/iv to the
1.342 + * same value since only the correct one will be used :-).
1.343 + */
1.344 + EVP_DigestInit_ex(&md,EVP_md5(), NULL);
1.345 + EVP_DigestUpdate(&md,key,j);
1.346 + EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
1.347 + EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
1.348 + EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL);
1.349 + key= &(exp_key[0]);
1.350 +
1.351 + if (k > 0)
1.352 + {
1.353 + EVP_DigestInit_ex(&md,EVP_md5(), NULL);
1.354 + EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
1.355 + EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
1.356 + EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL);
1.357 + iv= &(exp_iv[0]);
1.358 + }
1.359 + }
1.360 +
1.361 + s->session->key_arg_length=0;
1.362 +
1.363 + EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
1.364 +
1.365 + OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
1.366 + OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
1.367 + EVP_MD_CTX_cleanup(&md);
1.368 + return(1);
1.369 +err:
1.370 + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
1.371 +err2:
1.372 + return(0);
1.373 + }
1.374 +
1.375 +int ssl3_setup_key_block(SSL *s)
1.376 + {
1.377 + unsigned char *p;
1.378 + const EVP_CIPHER *c;
1.379 + const EVP_MD *hash;
1.380 + int num;
1.381 + int ret = 0;
1.382 + SSL_COMP *comp;
1.383 +
1.384 + if (s->s3->tmp.key_block_length != 0)
1.385 + return(1);
1.386 +
1.387 + if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
1.388 + {
1.389 + SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
1.390 + return(0);
1.391 + }
1.392 +
1.393 + s->s3->tmp.new_sym_enc=c;
1.394 + s->s3->tmp.new_hash=hash;
1.395 +#ifdef OPENSSL_NO_COMP
1.396 + s->s3->tmp.new_compression=NULL;
1.397 +#else
1.398 + s->s3->tmp.new_compression=comp;
1.399 +#endif
1.400 +
1.401 + num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
1.402 + num*=2;
1.403 +
1.404 + ssl3_cleanup_key_block(s);
1.405 +
1.406 + if ((p=OPENSSL_malloc(num)) == NULL)
1.407 + goto err;
1.408 +
1.409 + s->s3->tmp.key_block_length=num;
1.410 + s->s3->tmp.key_block=p;
1.411 +
1.412 + ret = ssl3_generate_key_block(s,p,num);
1.413 +
1.414 + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1.415 + {
1.416 + /* enable vulnerability countermeasure for CBC ciphers with
1.417 + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
1.418 + */
1.419 + s->s3->need_empty_fragments = 1;
1.420 +
1.421 + if (s->session->cipher != NULL)
1.422 + {
1.423 + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
1.424 + s->s3->need_empty_fragments = 0;
1.425 +
1.426 +#ifndef OPENSSL_NO_RC4
1.427 + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
1.428 + s->s3->need_empty_fragments = 0;
1.429 +#endif
1.430 + }
1.431 + }
1.432 +
1.433 + return ret;
1.434 +
1.435 +err:
1.436 + SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
1.437 + return(0);
1.438 + }
1.439 +
1.440 +void ssl3_cleanup_key_block(SSL *s)
1.441 + {
1.442 + if (s->s3->tmp.key_block != NULL)
1.443 + {
1.444 + OPENSSL_cleanse(s->s3->tmp.key_block,
1.445 + s->s3->tmp.key_block_length);
1.446 + OPENSSL_free(s->s3->tmp.key_block);
1.447 + s->s3->tmp.key_block=NULL;
1.448 + }
1.449 + s->s3->tmp.key_block_length=0;
1.450 + }
1.451 +
1.452 +int ssl3_enc(SSL *s, int send)
1.453 + {
1.454 + SSL3_RECORD *rec;
1.455 + EVP_CIPHER_CTX *ds;
1.456 + unsigned long l;
1.457 + int bs,i;
1.458 + const EVP_CIPHER *enc;
1.459 +
1.460 + if (send)
1.461 + {
1.462 + ds=s->enc_write_ctx;
1.463 + rec= &(s->s3->wrec);
1.464 + if (s->enc_write_ctx == NULL)
1.465 + enc=NULL;
1.466 + else
1.467 + enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
1.468 + }
1.469 + else
1.470 + {
1.471 + ds=s->enc_read_ctx;
1.472 + rec= &(s->s3->rrec);
1.473 + if (s->enc_read_ctx == NULL)
1.474 + enc=NULL;
1.475 + else
1.476 + enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
1.477 + }
1.478 +
1.479 + if ((s->session == NULL) || (ds == NULL) ||
1.480 + (enc == NULL))
1.481 + {
1.482 + memmove(rec->data,rec->input,rec->length);
1.483 + rec->input=rec->data;
1.484 + }
1.485 + else
1.486 + {
1.487 + l=rec->length;
1.488 + bs=EVP_CIPHER_block_size(ds->cipher);
1.489 +
1.490 + /* COMPRESS */
1.491 +
1.492 + if ((bs != 1) && send)
1.493 + {
1.494 + i=bs-((int)l%bs);
1.495 +
1.496 + /* we need to add 'i-1' padding bytes */
1.497 + l+=i;
1.498 + rec->length+=i;
1.499 + rec->input[l-1]=(i-1);
1.500 + }
1.501 +
1.502 + if (!send)
1.503 + {
1.504 + if (l == 0 || l%bs != 0)
1.505 + {
1.506 + SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
1.507 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
1.508 + return 0;
1.509 + }
1.510 + /* otherwise, rec->length >= bs */
1.511 + }
1.512 +
1.513 + EVP_Cipher(ds,rec->data,rec->input,l);
1.514 +
1.515 + if ((bs != 1) && !send)
1.516 + {
1.517 + i=rec->data[l-1]+1;
1.518 + /* SSL 3.0 bounds the number of padding bytes by the block size;
1.519 + * padding bytes (except the last one) are arbitrary */
1.520 + if (i > bs)
1.521 + {
1.522 + /* Incorrect padding. SSLerr() and ssl3_alert are done
1.523 + * by caller: we don't want to reveal whether this is
1.524 + * a decryption error or a MAC verification failure
1.525 + * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
1.526 + return -1;
1.527 + }
1.528 + /* now i <= bs <= rec->length */
1.529 + rec->length-=i;
1.530 + }
1.531 + }
1.532 + return(1);
1.533 + }
1.534 +
1.535 +void ssl3_init_finished_mac(SSL *s)
1.536 + {
1.537 + EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
1.538 + EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
1.539 + }
1.540 +
1.541 +void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
1.542 + {
1.543 + EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len);
1.544 + EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len);
1.545 + }
1.546 +
1.547 +int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
1.548 + {
1.549 + return(ssl3_handshake_mac(s,ctx,NULL,0,p));
1.550 + }
1.551 +
1.552 +int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
1.553 + const char *sender, int len, unsigned char *p)
1.554 + {
1.555 + int ret;
1.556 +
1.557 + ret=ssl3_handshake_mac(s,ctx1,sender,len,p);
1.558 + p+=ret;
1.559 + ret+=ssl3_handshake_mac(s,ctx2,sender,len,p);
1.560 + return(ret);
1.561 + }
1.562 +
1.563 +static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
1.564 + const char *sender, int len, unsigned char *p)
1.565 + {
1.566 + unsigned int ret;
1.567 + int npad,n;
1.568 + unsigned int i;
1.569 + unsigned char md_buf[EVP_MAX_MD_SIZE];
1.570 + EVP_MD_CTX ctx;
1.571 +
1.572 + EVP_MD_CTX_init(&ctx);
1.573 + EVP_MD_CTX_copy_ex(&ctx,in_ctx);
1.574 +
1.575 + n=EVP_MD_CTX_size(&ctx);
1.576 + npad=(48/n)*n;
1.577 +
1.578 + if (sender != NULL)
1.579 + EVP_DigestUpdate(&ctx,sender,len);
1.580 + EVP_DigestUpdate(&ctx,s->session->master_key,
1.581 + s->session->master_key_length);
1.582 + EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
1.583 + EVP_DigestFinal_ex(&ctx,md_buf,&i);
1.584 +
1.585 + EVP_DigestInit_ex(&ctx,EVP_MD_CTX_md(&ctx), NULL);
1.586 + EVP_DigestUpdate(&ctx,s->session->master_key,
1.587 + s->session->master_key_length);
1.588 + EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
1.589 + EVP_DigestUpdate(&ctx,md_buf,i);
1.590 + EVP_DigestFinal_ex(&ctx,p,&ret);
1.591 +
1.592 + EVP_MD_CTX_cleanup(&ctx);
1.593 +
1.594 + return((int)ret);
1.595 + }
1.596 +
1.597 +int ssl3_mac(SSL *ssl, unsigned char *md, int send)
1.598 + {
1.599 + SSL3_RECORD *rec;
1.600 + unsigned char *mac_sec,*seq;
1.601 + EVP_MD_CTX md_ctx;
1.602 + const EVP_MD *hash;
1.603 + unsigned char *p,rec_char;
1.604 + unsigned int md_size;
1.605 + int npad;
1.606 +
1.607 + if (send)
1.608 + {
1.609 + rec= &(ssl->s3->wrec);
1.610 + mac_sec= &(ssl->s3->write_mac_secret[0]);
1.611 + seq= &(ssl->s3->write_sequence[0]);
1.612 + hash=ssl->write_hash;
1.613 + }
1.614 + else
1.615 + {
1.616 + rec= &(ssl->s3->rrec);
1.617 + mac_sec= &(ssl->s3->read_mac_secret[0]);
1.618 + seq= &(ssl->s3->read_sequence[0]);
1.619 + hash=ssl->read_hash;
1.620 + }
1.621 +
1.622 + md_size=EVP_MD_size(hash);
1.623 + npad=(48/md_size)*md_size;
1.624 +
1.625 + /* Chop the digest off the end :-) */
1.626 + EVP_MD_CTX_init(&md_ctx);
1.627 +
1.628 + EVP_DigestInit_ex( &md_ctx,hash, NULL);
1.629 + EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
1.630 + EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
1.631 + EVP_DigestUpdate(&md_ctx,seq,8);
1.632 + rec_char=rec->type;
1.633 + EVP_DigestUpdate(&md_ctx,&rec_char,1);
1.634 + p=md;
1.635 + s2n(rec->length,p);
1.636 + EVP_DigestUpdate(&md_ctx,md,2);
1.637 + EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
1.638 + EVP_DigestFinal_ex( &md_ctx,md,NULL);
1.639 +
1.640 + EVP_DigestInit_ex( &md_ctx,hash, NULL);
1.641 + EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
1.642 + EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
1.643 + EVP_DigestUpdate(&md_ctx,md,md_size);
1.644 + EVP_DigestFinal_ex( &md_ctx,md,&md_size);
1.645 +
1.646 + EVP_MD_CTX_cleanup(&md_ctx);
1.647 +
1.648 + ssl3_record_sequence_update(seq);
1.649 + return(md_size);
1.650 + }
1.651 +
1.652 +void ssl3_record_sequence_update(unsigned char *seq)
1.653 + {
1.654 + int i;
1.655 +
1.656 + for (i=7; i>=0; i--)
1.657 + {
1.658 + ++seq[i];
1.659 + if (seq[i] != 0) break;
1.660 + }
1.661 + }
1.662 +
1.663 +int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1.664 + int len)
1.665 + {
1.666 +#ifndef EMULATOR
1.667 + static const unsigned char *salt[3]={
1.668 +#else
1.669 + static const unsigned char *const salt[3]={
1.670 +#endif
1.671 +
1.672 +#ifndef CHARSET_EBCDIC
1.673 + (const unsigned char *)"A",
1.674 + (const unsigned char *)"BB",
1.675 + (const unsigned char *)"CCC",
1.676 +#else
1.677 + (const unsigned char *)"\x41",
1.678 + (const unsigned char *)"\x42\x42",
1.679 + (const unsigned char *)"\x43\x43\x43",
1.680 +#endif
1.681 + };
1.682 + unsigned char buf[EVP_MAX_MD_SIZE];
1.683 + EVP_MD_CTX ctx;
1.684 + int i,ret=0;
1.685 + unsigned int n;
1.686 +
1.687 + EVP_MD_CTX_init(&ctx);
1.688 + for (i=0; i<3; i++)
1.689 + {
1.690 + EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
1.691 + EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
1.692 + EVP_DigestUpdate(&ctx,p,len);
1.693 + EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
1.694 + SSL3_RANDOM_SIZE);
1.695 + EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
1.696 + SSL3_RANDOM_SIZE);
1.697 + EVP_DigestFinal_ex(&ctx,buf,&n);
1.698 +
1.699 + EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL);
1.700 + EVP_DigestUpdate(&ctx,p,len);
1.701 + EVP_DigestUpdate(&ctx,buf,n);
1.702 + EVP_DigestFinal_ex(&ctx,out,&n);
1.703 + out+=n;
1.704 + ret+=n;
1.705 + }
1.706 + EVP_MD_CTX_cleanup(&ctx);
1.707 + return(ret);
1.708 + }
1.709 +
1.710 +int ssl3_alert_code(int code)
1.711 + {
1.712 + switch (code)
1.713 + {
1.714 + case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY);
1.715 + case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
1.716 + case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC);
1.717 + case SSL_AD_DECRYPTION_FAILED: return(SSL3_AD_BAD_RECORD_MAC);
1.718 + case SSL_AD_RECORD_OVERFLOW: return(SSL3_AD_BAD_RECORD_MAC);
1.719 + case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
1.720 + case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE);
1.721 + case SSL_AD_NO_CERTIFICATE: return(SSL3_AD_NO_CERTIFICATE);
1.722 + case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE);
1.723 + case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
1.724 + case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
1.725 + case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
1.726 + case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
1.727 + case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER);
1.728 + case SSL_AD_UNKNOWN_CA: return(SSL3_AD_BAD_CERTIFICATE);
1.729 + case SSL_AD_ACCESS_DENIED: return(SSL3_AD_HANDSHAKE_FAILURE);
1.730 + case SSL_AD_DECODE_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
1.731 + case SSL_AD_DECRYPT_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
1.732 + case SSL_AD_EXPORT_RESTRICTION: return(SSL3_AD_HANDSHAKE_FAILURE);
1.733 + case SSL_AD_PROTOCOL_VERSION: return(SSL3_AD_HANDSHAKE_FAILURE);
1.734 + case SSL_AD_INSUFFICIENT_SECURITY:return(SSL3_AD_HANDSHAKE_FAILURE);
1.735 + case SSL_AD_INTERNAL_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE);
1.736 + case SSL_AD_USER_CANCELLED: return(SSL3_AD_HANDSHAKE_FAILURE);
1.737 + case SSL_AD_NO_RENEGOTIATION: return(-1); /* Don't send it :-) */
1.738 + default: return(-1);
1.739 + }
1.740 + }
1.741 +