1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libssl/src/t1_enc.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,860 @@
1.4 +/* ssl/t1_enc.c */
1.5 +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
1.6 + * All rights reserved.
1.7 + *
1.8 + * This package is an SSL implementation written
1.9 + * by Eric Young (eay@cryptsoft.com).
1.10 + * The implementation was written so as to conform with Netscapes SSL.
1.11 + *
1.12 + * This library is free for commercial and non-commercial use as long as
1.13 + * the following conditions are aheared to. The following conditions
1.14 + * apply to all code found in this distribution, be it the RC4, RSA,
1.15 + * lhash, DES, etc., code; not just the SSL code. The SSL documentation
1.16 + * included with this distribution is covered by the same copyright terms
1.17 + * except that the holder is Tim Hudson (tjh@cryptsoft.com).
1.18 + *
1.19 + * Copyright remains Eric Young's, and as such any Copyright notices in
1.20 + * the code are not to be removed.
1.21 + * If this package is used in a product, Eric Young should be given attribution
1.22 + * as the author of the parts of the library used.
1.23 + * This can be in the form of a textual message at program startup or
1.24 + * in documentation (online or textual) provided with the package.
1.25 + *
1.26 + * Redistribution and use in source and binary forms, with or without
1.27 + * modification, are permitted provided that the following conditions
1.28 + * are met:
1.29 + * 1. Redistributions of source code must retain the copyright
1.30 + * notice, this list of conditions and the following disclaimer.
1.31 + * 2. Redistributions in binary form must reproduce the above copyright
1.32 + * notice, this list of conditions and the following disclaimer in the
1.33 + * documentation and/or other materials provided with the distribution.
1.34 + * 3. All advertising materials mentioning features or use of this software
1.35 + * must display the following acknowledgement:
1.36 + * "This product includes cryptographic software written by
1.37 + * Eric Young (eay@cryptsoft.com)"
1.38 + * The word 'cryptographic' can be left out if the rouines from the library
1.39 + * being used are not cryptographic related :-).
1.40 + * 4. If you include any Windows specific code (or a derivative thereof) from
1.41 + * the apps directory (application code) you must include an acknowledgement:
1.42 + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
1.43 + *
1.44 + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
1.45 + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.46 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1.47 + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
1.48 + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1.49 + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1.50 + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.51 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1.52 + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1.53 + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1.54 + * SUCH DAMAGE.
1.55 + *
1.56 + * The licence and distribution terms for any publically available version or
1.57 + * derivative of this code cannot be changed. i.e. this code cannot simply be
1.58 + * copied and put under another distribution licence
1.59 + * [including the GNU Public Licence.]
1.60 + */
1.61 +/* ====================================================================
1.62 + * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
1.63 + *
1.64 + * Redistribution and use in source and binary forms, with or without
1.65 + * modification, are permitted provided that the following conditions
1.66 + * are met:
1.67 + *
1.68 + * 1. Redistributions of source code must retain the above copyright
1.69 + * notice, this list of conditions and the following disclaimer.
1.70 + *
1.71 + * 2. Redistributions in binary form must reproduce the above copyright
1.72 + * notice, this list of conditions and the following disclaimer in
1.73 + * the documentation and/or other materials provided with the
1.74 + * distribution.
1.75 + *
1.76 + * 3. All advertising materials mentioning features or use of this
1.77 + * software must display the following acknowledgment:
1.78 + * "This product includes software developed by the OpenSSL Project
1.79 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.80 + *
1.81 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.82 + * endorse or promote products derived from this software without
1.83 + * prior written permission. For written permission, please contact
1.84 + * openssl-core@openssl.org.
1.85 + *
1.86 + * 5. Products derived from this software may not be called "OpenSSL"
1.87 + * nor may "OpenSSL" appear in their names without prior written
1.88 + * permission of the OpenSSL Project.
1.89 + *
1.90 + * 6. Redistributions of any form whatsoever must retain the following
1.91 + * acknowledgment:
1.92 + * "This product includes software developed by the OpenSSL Project
1.93 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.94 + *
1.95 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.96 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.97 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.98 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.99 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.100 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.101 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.102 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.103 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.104 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.105 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.106 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.107 + * ====================================================================
1.108 + *
1.109 + * This product includes cryptographic software written by Eric Young
1.110 + * (eay@cryptsoft.com). This product includes software written by Tim
1.111 + * Hudson (tjh@cryptsoft.com).
1.112 + *
1.113 + */
1.114 +
1.115 +#include <stdio.h>
1.116 +#include "ssl_locl.h"
1.117 +#include <openssl/comp.h>
1.118 +#include <openssl/evp.h>
1.119 +#include <openssl/hmac.h>
1.120 +#include <openssl/md5.h>
1.121 +
1.122 +static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
1.123 + int sec_len, unsigned char *seed, int seed_len,
1.124 + unsigned char *out, int olen)
1.125 + {
1.126 + int chunk,n;
1.127 + unsigned int j;
1.128 + HMAC_CTX ctx;
1.129 + HMAC_CTX ctx_tmp;
1.130 + unsigned char A1[EVP_MAX_MD_SIZE];
1.131 + unsigned int A1_len;
1.132 +
1.133 + chunk=EVP_MD_size(md);
1.134 +
1.135 + HMAC_CTX_init(&ctx);
1.136 + HMAC_CTX_init(&ctx_tmp);
1.137 + HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
1.138 + HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
1.139 + HMAC_Update(&ctx,seed,seed_len);
1.140 + HMAC_Final(&ctx,A1,&A1_len);
1.141 +
1.142 + n=0;
1.143 + for (;;)
1.144 + {
1.145 + HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
1.146 + HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
1.147 + HMAC_Update(&ctx,A1,A1_len);
1.148 + HMAC_Update(&ctx_tmp,A1,A1_len);
1.149 + HMAC_Update(&ctx,seed,seed_len);
1.150 +
1.151 + if (olen > chunk)
1.152 + {
1.153 + HMAC_Final(&ctx,out,&j);
1.154 + out+=j;
1.155 + olen-=j;
1.156 + HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
1.157 + }
1.158 + else /* last one */
1.159 + {
1.160 + HMAC_Final(&ctx,A1,&A1_len);
1.161 + memcpy(out,A1,olen);
1.162 + break;
1.163 + }
1.164 + }
1.165 + HMAC_CTX_cleanup(&ctx);
1.166 + HMAC_CTX_cleanup(&ctx_tmp);
1.167 + OPENSSL_cleanse(A1,sizeof(A1));
1.168 + }
1.169 +
1.170 +static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
1.171 + unsigned char *label, int label_len,
1.172 + const unsigned char *sec, int slen, unsigned char *out1,
1.173 + unsigned char *out2, int olen)
1.174 + {
1.175 + int len,i;
1.176 + const unsigned char *S1,*S2;
1.177 +
1.178 + len=slen/2;
1.179 + S1=sec;
1.180 + S2= &(sec[len]);
1.181 + len+=(slen&1); /* add for odd, make longer */
1.182 +
1.183 +
1.184 + tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
1.185 + tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
1.186 +
1.187 + for (i=0; i<olen; i++)
1.188 + out1[i]^=out2[i];
1.189 + }
1.190 +
1.191 +static void tls1_generate_key_block(SSL *s, unsigned char *km,
1.192 + unsigned char *tmp, int num)
1.193 + {
1.194 + unsigned char *p;
1.195 + unsigned char buf[SSL3_RANDOM_SIZE*2+
1.196 + TLS_MD_MAX_CONST_SIZE];
1.197 + p=buf;
1.198 +
1.199 + memcpy(p,TLS_MD_KEY_EXPANSION_CONST,
1.200 + TLS_MD_KEY_EXPANSION_CONST_SIZE);
1.201 + p+=TLS_MD_KEY_EXPANSION_CONST_SIZE;
1.202 + memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
1.203 + p+=SSL3_RANDOM_SIZE;
1.204 + memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
1.205 + p+=SSL3_RANDOM_SIZE;
1.206 +
1.207 + tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
1.208 + s->session->master_key,s->session->master_key_length,
1.209 + km,tmp,num);
1.210 +#ifdef KSSL_DEBUG
1.211 + printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
1.212 + s->session->master_key_length);
1.213 + {
1.214 + int i;
1.215 + for (i=0; i < s->session->master_key_length; i++)
1.216 + {
1.217 + printf("%02X", s->session->master_key[i]);
1.218 + }
1.219 + printf("\n"); }
1.220 +#endif /* KSSL_DEBUG */
1.221 + }
1.222 +
1.223 +int tls1_change_cipher_state(SSL *s, int which)
1.224 + {
1.225 + static const unsigned char empty[]="";
1.226 + unsigned char *p,*key_block,*mac_secret;
1.227 + unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
1.228 + SSL3_RANDOM_SIZE*2];
1.229 + unsigned char tmp1[EVP_MAX_KEY_LENGTH];
1.230 + unsigned char tmp2[EVP_MAX_KEY_LENGTH];
1.231 + unsigned char iv1[EVP_MAX_IV_LENGTH*2];
1.232 + unsigned char iv2[EVP_MAX_IV_LENGTH*2];
1.233 + unsigned char *ms,*key,*iv,*er1,*er2;
1.234 + int client_write;
1.235 + EVP_CIPHER_CTX *dd;
1.236 + const EVP_CIPHER *c;
1.237 +#ifndef OPENSSL_NO_COMP
1.238 + const SSL_COMP *comp;
1.239 +#endif
1.240 + const EVP_MD *m;
1.241 + int is_export,n,i,j,k,exp_label_len,cl;
1.242 + int reuse_dd = 0;
1.243 +
1.244 + is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
1.245 + c=s->s3->tmp.new_sym_enc;
1.246 + m=s->s3->tmp.new_hash;
1.247 +#ifndef OPENSSL_NO_COMP
1.248 + comp=s->s3->tmp.new_compression;
1.249 +#endif
1.250 + key_block=s->s3->tmp.key_block;
1.251 +
1.252 +#ifdef KSSL_DEBUG
1.253 + printf("tls1_change_cipher_state(which= %d) w/\n", which);
1.254 + printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
1.255 + comp);
1.256 + printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
1.257 + printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
1.258 + c->nid,c->block_size,c->key_len,c->iv_len);
1.259 + printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
1.260 + {
1.261 + int i;
1.262 + for (i=0; i<s->s3->tmp.key_block_length; i++)
1.263 + printf("%02x", key_block[i]); printf("\n");
1.264 + }
1.265 +#endif /* KSSL_DEBUG */
1.266 +
1.267 + if (which & SSL3_CC_READ)
1.268 + {
1.269 + if (s->enc_read_ctx != NULL)
1.270 + reuse_dd = 1;
1.271 + else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
1.272 + goto err;
1.273 + else
1.274 + /* make sure it's intialized in case we exit later with an error */
1.275 + EVP_CIPHER_CTX_init(s->enc_read_ctx);
1.276 + dd= s->enc_read_ctx;
1.277 + s->read_hash=m;
1.278 +#ifndef OPENSSL_NO_COMP
1.279 + if (s->expand != NULL)
1.280 + {
1.281 + COMP_CTX_free(s->expand);
1.282 + s->expand=NULL;
1.283 + }
1.284 + if (comp != NULL)
1.285 + {
1.286 + s->expand=COMP_CTX_new(comp->method);
1.287 + if (s->expand == NULL)
1.288 + {
1.289 + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
1.290 + goto err2;
1.291 + }
1.292 + if (s->s3->rrec.comp == NULL)
1.293 + s->s3->rrec.comp=(unsigned char *)
1.294 + OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
1.295 + if (s->s3->rrec.comp == NULL)
1.296 + goto err;
1.297 + }
1.298 +#endif
1.299 + /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
1.300 + if (s->version != DTLS1_VERSION)
1.301 + memset(&(s->s3->read_sequence[0]),0,8);
1.302 + mac_secret= &(s->s3->read_mac_secret[0]);
1.303 + }
1.304 + else
1.305 + {
1.306 + if (s->enc_write_ctx != NULL)
1.307 + reuse_dd = 1;
1.308 + else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
1.309 + goto err;
1.310 + else
1.311 + /* make sure it's intialized in case we exit later with an error */
1.312 + EVP_CIPHER_CTX_init(s->enc_write_ctx);
1.313 + dd= s->enc_write_ctx;
1.314 + s->write_hash=m;
1.315 +#ifndef OPENSSL_NO_COMP
1.316 + if (s->compress != NULL)
1.317 + {
1.318 + COMP_CTX_free(s->compress);
1.319 + s->compress=NULL;
1.320 + }
1.321 + if (comp != NULL)
1.322 + {
1.323 + s->compress=COMP_CTX_new(comp->method);
1.324 + if (s->compress == NULL)
1.325 + {
1.326 + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
1.327 + goto err2;
1.328 + }
1.329 + }
1.330 +#endif
1.331 + /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
1.332 + if (s->version != DTLS1_VERSION)
1.333 + memset(&(s->s3->write_sequence[0]),0,8);
1.334 + mac_secret= &(s->s3->write_mac_secret[0]);
1.335 + }
1.336 +
1.337 + if (reuse_dd)
1.338 + EVP_CIPHER_CTX_cleanup(dd);
1.339 +
1.340 + p=s->s3->tmp.key_block;
1.341 + i=EVP_MD_size(m);
1.342 + cl=EVP_CIPHER_key_length(c);
1.343 + j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
1.344 + cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
1.345 + /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
1.346 + k=EVP_CIPHER_iv_length(c);
1.347 + er1= &(s->s3->client_random[0]);
1.348 + er2= &(s->s3->server_random[0]);
1.349 + if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
1.350 + (which == SSL3_CHANGE_CIPHER_SERVER_READ))
1.351 + {
1.352 + ms= &(p[ 0]); n=i+i;
1.353 + key= &(p[ n]); n+=j+j;
1.354 + iv= &(p[ n]); n+=k+k;
1.355 + exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
1.356 + exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
1.357 + client_write=1;
1.358 + }
1.359 + else
1.360 + {
1.361 + n=i;
1.362 + ms= &(p[ n]); n+=i+j;
1.363 + key= &(p[ n]); n+=j+k;
1.364 + iv= &(p[ n]); n+=k;
1.365 + exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
1.366 + exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
1.367 + client_write=0;
1.368 + }
1.369 +
1.370 + if (n > s->s3->tmp.key_block_length)
1.371 + {
1.372 + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
1.373 + goto err2;
1.374 + }
1.375 +
1.376 + memcpy(mac_secret,ms,i);
1.377 +#ifdef TLS_DEBUG
1.378 +printf("which = %04X\nmac key=",which);
1.379 +{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
1.380 +#endif
1.381 + if (is_export)
1.382 + {
1.383 + /* In here I set both the read and write key/iv to the
1.384 + * same value since only the correct one will be used :-).
1.385 + */
1.386 + p=buf;
1.387 + memcpy(p,exp_label,exp_label_len);
1.388 + p+=exp_label_len;
1.389 + memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
1.390 + p+=SSL3_RANDOM_SIZE;
1.391 + memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
1.392 + p+=SSL3_RANDOM_SIZE;
1.393 + tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
1.394 + tmp1,tmp2,EVP_CIPHER_key_length(c));
1.395 + key=tmp1;
1.396 +
1.397 + if (k > 0)
1.398 + {
1.399 + p=buf;
1.400 + memcpy(p,TLS_MD_IV_BLOCK_CONST,
1.401 + TLS_MD_IV_BLOCK_CONST_SIZE);
1.402 + p+=TLS_MD_IV_BLOCK_CONST_SIZE;
1.403 + memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
1.404 + p+=SSL3_RANDOM_SIZE;
1.405 + memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
1.406 + p+=SSL3_RANDOM_SIZE;
1.407 + tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
1.408 + iv1,iv2,k*2);
1.409 + if (client_write)
1.410 + iv=iv1;
1.411 + else
1.412 + iv= &(iv1[k]);
1.413 + }
1.414 + }
1.415 +
1.416 + s->session->key_arg_length=0;
1.417 +#ifdef KSSL_DEBUG
1.418 + {
1.419 + int i;
1.420 + printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
1.421 + printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
1.422 + printf("\n");
1.423 + printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
1.424 + printf("\n");
1.425 + }
1.426 +#endif /* KSSL_DEBUG */
1.427 +
1.428 + EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
1.429 +#ifdef TLS_DEBUG
1.430 +printf("which = %04X\nkey=",which);
1.431 +{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
1.432 +printf("\niv=");
1.433 +{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
1.434 +printf("\n");
1.435 +#endif
1.436 +
1.437 + OPENSSL_cleanse(tmp1,sizeof(tmp1));
1.438 + OPENSSL_cleanse(tmp2,sizeof(tmp1));
1.439 + OPENSSL_cleanse(iv1,sizeof(iv1));
1.440 + OPENSSL_cleanse(iv2,sizeof(iv2));
1.441 + return(1);
1.442 +err:
1.443 + SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
1.444 +err2:
1.445 + return(0);
1.446 + }
1.447 +
1.448 +int tls1_setup_key_block(SSL *s)
1.449 + {
1.450 + unsigned char *p1,*p2;
1.451 + const EVP_CIPHER *c;
1.452 + const EVP_MD *hash;
1.453 + int num;
1.454 + SSL_COMP *comp;
1.455 +
1.456 +#ifdef KSSL_DEBUG
1.457 + printf ("tls1_setup_key_block()\n");
1.458 +#endif /* KSSL_DEBUG */
1.459 +
1.460 + if (s->s3->tmp.key_block_length != 0)
1.461 + return(1);
1.462 +
1.463 + if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
1.464 + {
1.465 + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
1.466 + return(0);
1.467 + }
1.468 +
1.469 + s->s3->tmp.new_sym_enc=c;
1.470 + s->s3->tmp.new_hash=hash;
1.471 +
1.472 + num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
1.473 + num*=2;
1.474 +
1.475 + ssl3_cleanup_key_block(s);
1.476 +
1.477 + if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
1.478 + goto err;
1.479 + if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
1.480 + goto err;
1.481 +
1.482 + s->s3->tmp.key_block_length=num;
1.483 + s->s3->tmp.key_block=p1;
1.484 +
1.485 +
1.486 +#ifdef TLS_DEBUG
1.487 +printf("client random\n");
1.488 +{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
1.489 +printf("server random\n");
1.490 +{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
1.491 +printf("pre-master\n");
1.492 +{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
1.493 +#endif
1.494 + tls1_generate_key_block(s,p1,p2,num);
1.495 + OPENSSL_cleanse(p2,num);
1.496 + OPENSSL_free(p2);
1.497 +#ifdef TLS_DEBUG
1.498 +printf("\nkey block\n");
1.499 +{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
1.500 +#endif
1.501 +
1.502 + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
1.503 + {
1.504 + /* enable vulnerability countermeasure for CBC ciphers with
1.505 + * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
1.506 + */
1.507 + s->s3->need_empty_fragments = 1;
1.508 +
1.509 + if (s->session->cipher != NULL)
1.510 + {
1.511 + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
1.512 + s->s3->need_empty_fragments = 0;
1.513 +
1.514 +#ifndef OPENSSL_NO_RC4
1.515 + if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
1.516 + s->s3->need_empty_fragments = 0;
1.517 +#endif
1.518 + }
1.519 + }
1.520 +
1.521 + return(1);
1.522 +err:
1.523 + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
1.524 + return(0);
1.525 + }
1.526 +
1.527 +int tls1_enc(SSL *s, int send)
1.528 + {
1.529 + SSL3_RECORD *rec;
1.530 + EVP_CIPHER_CTX *ds;
1.531 + unsigned long l;
1.532 + int bs,i,ii,j,k,n=0;
1.533 + const EVP_CIPHER *enc;
1.534 +
1.535 + if (send)
1.536 + {
1.537 + if (s->write_hash != NULL)
1.538 + n=EVP_MD_size(s->write_hash);
1.539 + ds=s->enc_write_ctx;
1.540 + rec= &(s->s3->wrec);
1.541 + if (s->enc_write_ctx == NULL)
1.542 + enc=NULL;
1.543 + else
1.544 + enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
1.545 + }
1.546 + else
1.547 + {
1.548 + if (s->read_hash != NULL)
1.549 + n=EVP_MD_size(s->read_hash);
1.550 + ds=s->enc_read_ctx;
1.551 + rec= &(s->s3->rrec);
1.552 + if (s->enc_read_ctx == NULL)
1.553 + enc=NULL;
1.554 + else
1.555 + enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
1.556 + }
1.557 +
1.558 +#ifdef KSSL_DEBUG
1.559 + printf("tls1_enc(%d)\n", send);
1.560 +#endif /* KSSL_DEBUG */
1.561 +
1.562 + if ((s->session == NULL) || (ds == NULL) ||
1.563 + (enc == NULL))
1.564 + {
1.565 + memmove(rec->data,rec->input,rec->length);
1.566 + rec->input=rec->data;
1.567 + }
1.568 + else
1.569 + {
1.570 + l=rec->length;
1.571 + bs=EVP_CIPHER_block_size(ds->cipher);
1.572 +
1.573 + if ((bs != 1) && send)
1.574 + {
1.575 + i=bs-((int)l%bs);
1.576 +
1.577 + /* Add weird padding of upto 256 bytes */
1.578 +
1.579 + /* we need to add 'i' padding bytes of value j */
1.580 + j=i-1;
1.581 + if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
1.582 + {
1.583 + if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
1.584 + j++;
1.585 + }
1.586 + for (k=(int)l; k<(int)(l+i); k++)
1.587 + rec->input[k]=j;
1.588 + l+=i;
1.589 + rec->length+=i;
1.590 + }
1.591 +
1.592 +#ifdef KSSL_DEBUG
1.593 + {
1.594 + unsigned long ui;
1.595 + printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
1.596 + ds,rec->data,rec->input,l);
1.597 + printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
1.598 + ds->buf_len, ds->cipher->key_len,
1.599 + DES_KEY_SZ, DES_SCHEDULE_SZ,
1.600 + ds->cipher->iv_len);
1.601 + printf("\t\tIV: ");
1.602 + for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
1.603 + printf("\n");
1.604 + printf("\trec->input=");
1.605 + for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
1.606 + printf("\n");
1.607 + }
1.608 +#endif /* KSSL_DEBUG */
1.609 +
1.610 + if (!send)
1.611 + {
1.612 + if (l == 0 || l%bs != 0)
1.613 + {
1.614 + SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
1.615 + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
1.616 + return 0;
1.617 + }
1.618 + }
1.619 +
1.620 + EVP_Cipher(ds,rec->data,rec->input,l);
1.621 +
1.622 +#ifdef KSSL_DEBUG
1.623 + {
1.624 + unsigned long i;
1.625 + printf("\trec->data=");
1.626 + for (i=0; i<l; i++)
1.627 + printf(" %02x", rec->data[i]); printf("\n");
1.628 + }
1.629 +#endif /* KSSL_DEBUG */
1.630 +
1.631 + if ((bs != 1) && !send)
1.632 + {
1.633 + ii=i=rec->data[l-1]; /* padding_length */
1.634 + i++;
1.635 + /* NB: if compression is in operation the first packet
1.636 + * may not be of even length so the padding bug check
1.637 + * cannot be performed. This bug workaround has been
1.638 + * around since SSLeay so hopefully it is either fixed
1.639 + * now or no buggy implementation supports compression
1.640 + * [steve]
1.641 + */
1.642 + if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
1.643 + && !s->expand)
1.644 + {
1.645 + /* First packet is even in size, so check */
1.646 + if ((memcmp(s->s3->read_sequence,
1.647 + "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
1.648 + s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
1.649 + if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
1.650 + i--;
1.651 + }
1.652 + /* TLS 1.0 does not bound the number of padding bytes by the block size.
1.653 + * All of them must have value 'padding_length'. */
1.654 + if (i > (int)rec->length)
1.655 + {
1.656 + /* Incorrect padding. SSLerr() and ssl3_alert are done
1.657 + * by caller: we don't want to reveal whether this is
1.658 + * a decryption error or a MAC verification failure
1.659 + * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
1.660 + return -1;
1.661 + }
1.662 + for (j=(int)(l-i); j<(int)l; j++)
1.663 + {
1.664 + if (rec->data[j] != ii)
1.665 + {
1.666 + /* Incorrect padding */
1.667 + return -1;
1.668 + }
1.669 + }
1.670 + rec->length-=i;
1.671 + }
1.672 + }
1.673 + return(1);
1.674 + }
1.675 +
1.676 +int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
1.677 + {
1.678 + unsigned int ret;
1.679 + EVP_MD_CTX ctx;
1.680 +
1.681 + EVP_MD_CTX_init(&ctx);
1.682 + EVP_MD_CTX_copy_ex(&ctx,in_ctx);
1.683 + EVP_DigestFinal_ex(&ctx,out,&ret);
1.684 + EVP_MD_CTX_cleanup(&ctx);
1.685 + return((int)ret);
1.686 + }
1.687 +
1.688 +int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
1.689 + const char *str, int slen, unsigned char *out)
1.690 + {
1.691 + unsigned int i;
1.692 + EVP_MD_CTX ctx;
1.693 + unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
1.694 + unsigned char *q,buf2[12];
1.695 +
1.696 + q=buf;
1.697 + memcpy(q,str,slen);
1.698 + q+=slen;
1.699 +
1.700 + EVP_MD_CTX_init(&ctx);
1.701 + EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
1.702 + EVP_DigestFinal_ex(&ctx,q,&i);
1.703 + q+=i;
1.704 + EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
1.705 + EVP_DigestFinal_ex(&ctx,q,&i);
1.706 + q+=i;
1.707 +
1.708 + tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
1.709 + s->session->master_key,s->session->master_key_length,
1.710 + out,buf2,sizeof buf2);
1.711 + EVP_MD_CTX_cleanup(&ctx);
1.712 +
1.713 + return sizeof buf2;
1.714 + }
1.715 +
1.716 +int tls1_mac(SSL *ssl, unsigned char *md, int send)
1.717 + {
1.718 + SSL3_RECORD *rec;
1.719 + unsigned char *mac_sec,*seq;
1.720 + const EVP_MD *hash;
1.721 + unsigned int md_size;
1.722 + int i;
1.723 + HMAC_CTX hmac;
1.724 + unsigned char buf[5];
1.725 +
1.726 + if (send)
1.727 + {
1.728 + rec= &(ssl->s3->wrec);
1.729 + mac_sec= &(ssl->s3->write_mac_secret[0]);
1.730 + seq= &(ssl->s3->write_sequence[0]);
1.731 + hash=ssl->write_hash;
1.732 + }
1.733 + else
1.734 + {
1.735 + rec= &(ssl->s3->rrec);
1.736 + mac_sec= &(ssl->s3->read_mac_secret[0]);
1.737 + seq= &(ssl->s3->read_sequence[0]);
1.738 + hash=ssl->read_hash;
1.739 + }
1.740 +
1.741 + md_size=EVP_MD_size(hash);
1.742 +
1.743 + buf[0]=rec->type;
1.744 + if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER)
1.745 + {
1.746 + buf[1]=TLS1_VERSION_MAJOR;
1.747 + buf[2]=TLS1_VERSION_MINOR;
1.748 + }
1.749 + else {
1.750 + buf[1]=(unsigned char)(ssl->version>>8);
1.751 + buf[2]=(unsigned char)(ssl->version);
1.752 + }
1.753 +
1.754 + buf[3]=rec->length>>8;
1.755 + buf[4]=rec->length&0xff;
1.756 +
1.757 + /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1.758 + HMAC_CTX_init(&hmac);
1.759 + HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
1.760 +
1.761 + if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
1.762 + {
1.763 + unsigned char dtlsseq[8],*p=dtlsseq;
1.764 +
1.765 + s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
1.766 + memcpy (p,&seq[2],6);
1.767 +
1.768 + HMAC_Update(&hmac,dtlsseq,8);
1.769 + }
1.770 + else
1.771 + HMAC_Update(&hmac,seq,8);
1.772 +
1.773 + HMAC_Update(&hmac,buf,5);
1.774 + HMAC_Update(&hmac,rec->input,rec->length);
1.775 + HMAC_Final(&hmac,md,&md_size);
1.776 + HMAC_CTX_cleanup(&hmac);
1.777 +
1.778 +#ifdef TLS_DEBUG
1.779 +printf("sec=");
1.780 +{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
1.781 +printf("seq=");
1.782 +{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
1.783 +printf("buf=");
1.784 +{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
1.785 +printf("rec=");
1.786 +{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
1.787 +#endif
1.788 +
1.789 + if ( SSL_version(ssl) != DTLS1_VERSION)
1.790 + {
1.791 + for (i=7; i>=0; i--)
1.792 + {
1.793 + ++seq[i];
1.794 + if (seq[i] != 0) break;
1.795 + }
1.796 + }
1.797 +
1.798 +#ifdef TLS_DEBUG
1.799 +{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
1.800 +#endif
1.801 + return(md_size);
1.802 + }
1.803 +
1.804 +int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
1.805 + int len)
1.806 + {
1.807 + unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
1.808 + unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
1.809 +
1.810 +#ifdef KSSL_DEBUG
1.811 + printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
1.812 +#endif /* KSSL_DEBUG */
1.813 +
1.814 + /* Setup the stuff to munge */
1.815 + memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
1.816 + TLS_MD_MASTER_SECRET_CONST_SIZE);
1.817 + memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]),
1.818 + s->s3->client_random,SSL3_RANDOM_SIZE);
1.819 + memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]),
1.820 + s->s3->server_random,SSL3_RANDOM_SIZE);
1.821 + tls1_PRF(s->ctx->md5,s->ctx->sha1,
1.822 + buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
1.823 + s->session->master_key,buff,sizeof buff);
1.824 +#ifdef KSSL_DEBUG
1.825 + printf ("tls1_generate_master_secret() complete\n");
1.826 +#endif /* KSSL_DEBUG */
1.827 + return(SSL3_MASTER_SECRET_SIZE);
1.828 + }
1.829 +
1.830 +int tls1_alert_code(int code)
1.831 + {
1.832 + switch (code)
1.833 + {
1.834 + case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY);
1.835 + case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
1.836 + case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC);
1.837 + case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED);
1.838 + case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW);
1.839 + case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
1.840 + case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE);
1.841 + case SSL_AD_NO_CERTIFICATE: return(-1);
1.842 + case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE);
1.843 + case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
1.844 + case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
1.845 + case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
1.846 + case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
1.847 + case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER);
1.848 + case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA);
1.849 + case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
1.850 + case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
1.851 + case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
1.852 + case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
1.853 + case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
1.854 + case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
1.855 + case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
1.856 + case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
1.857 + case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
1.858 + case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
1.859 + (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
1.860 + default: return(-1);
1.861 + }
1.862 + }
1.863 +