1 /* ssl/t1_enc.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include "ssl_locl.h" 114 #include <openssl/comp.h> 115 #include <openssl/evp.h> 116 #include <openssl/hmac.h> 117 #include <openssl/md5.h> 118 119 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 120 int sec_len, unsigned char *seed, int seed_len, 121 unsigned char *out, int olen) 122 { 123 int chunk,n; 124 unsigned int j; 125 HMAC_CTX ctx; 126 HMAC_CTX ctx_tmp; 127 unsigned char A1[EVP_MAX_MD_SIZE]; 128 unsigned int A1_len; 129 130 chunk=EVP_MD_size(md); 131 132 HMAC_CTX_init(&ctx); 133 HMAC_CTX_init(&ctx_tmp); 134 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); 135 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); 136 HMAC_Update(&ctx,seed,seed_len); 137 HMAC_Final(&ctx,A1,&A1_len); 138 139 n=0; 140 for (;;) 141 { 142 HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */ 143 HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */ 144 HMAC_Update(&ctx,A1,A1_len); 145 HMAC_Update(&ctx_tmp,A1,A1_len); 146 HMAC_Update(&ctx,seed,seed_len); 147 148 if (olen > chunk) 149 { 150 HMAC_Final(&ctx,out,&j); 151 out+=j; 152 olen-=j; 153 HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */ 154 } 155 else /* last one */ 156 { 157 HMAC_Final(&ctx,A1,&A1_len); 158 memcpy(out,A1,olen); 159 break; 160 } 161 } 162 HMAC_CTX_cleanup(&ctx); 163 HMAC_CTX_cleanup(&ctx_tmp); 164 OPENSSL_cleanse(A1,sizeof(A1)); 165 } 166 167 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, 168 unsigned char *label, int label_len, 169 const unsigned char *sec, int slen, unsigned char *out1, 170 unsigned char *out2, int olen) 171 { 172 int len,i; 173 const unsigned char *S1,*S2; 174 175 len=slen/2; 176 S1=sec; 177 S2= &(sec[len]); 178 len+=(slen&1); /* add for odd, make longer */ 179 180 181 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); 182 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); 183 184 for (i=0; i<olen; i++) 185 out1[i]^=out2[i]; 186 } 187 188 static void tls1_generate_key_block(SSL *s, unsigned char *km, 189 unsigned char *tmp, int num) 190 { 191 unsigned char *p; 192 unsigned char buf[SSL3_RANDOM_SIZE*2+ 193 TLS_MD_MAX_CONST_SIZE]; 194 p=buf; 195 196 memcpy(p,TLS_MD_KEY_EXPANSION_CONST, 197 TLS_MD_KEY_EXPANSION_CONST_SIZE); 198 p+=TLS_MD_KEY_EXPANSION_CONST_SIZE; 199 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 200 p+=SSL3_RANDOM_SIZE; 201 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 202 p+=SSL3_RANDOM_SIZE; 203 204 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf), 205 s->session->master_key,s->session->master_key_length, 206 km,tmp,num); 207 #ifdef KSSL_DEBUG 208 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 209 s->session->master_key_length); 210 { 211 int i; 212 for (i=0; i < s->session->master_key_length; i++) 213 { 214 printf("%02X", s->session->master_key[i]); 215 } 216 printf("\n"); } 217 #endif /* KSSL_DEBUG */ 218 } 219 220 int tls1_change_cipher_state(SSL *s, int which) 221 { 222 static const unsigned char empty[]=""; 223 unsigned char *p,*key_block,*mac_secret; 224 unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ 225 SSL3_RANDOM_SIZE*2]; 226 unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 227 unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 228 unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 229 unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 230 unsigned char *ms,*key,*iv,*er1,*er2; 231 int client_write; 232 EVP_CIPHER_CTX *dd; 233 const EVP_CIPHER *c; 234 #ifndef OPENSSL_NO_COMP 235 const SSL_COMP *comp; 236 #endif 237 const EVP_MD *m; 238 int is_export,n,i,j,k,exp_label_len,cl; 239 int reuse_dd = 0; 240 241 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 242 c=s->s3->tmp.new_sym_enc; 243 m=s->s3->tmp.new_hash; 244 #ifndef OPENSSL_NO_COMP 245 comp=s->s3->tmp.new_compression; 246 #endif 247 key_block=s->s3->tmp.key_block; 248 249 #ifdef KSSL_DEBUG 250 printf("tls1_change_cipher_state(which= %d) w/\n", which); 251 printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, 252 comp); 253 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); 254 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", 255 c->nid,c->block_size,c->key_len,c->iv_len); 256 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); 257 { 258 int i; 259 for (i=0; i<s->s3->tmp.key_block_length; i++) 260 printf("%02x", key_block[i]); printf("\n"); 261 } 262 #endif /* KSSL_DEBUG */ 263 264 if (which & SSL3_CC_READ) 265 { 266 if (s->enc_read_ctx != NULL) 267 reuse_dd = 1; 268 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 269 goto err; 270 else 271 /* make sure it's intialized in case we exit later with an error */ 272 EVP_CIPHER_CTX_init(s->enc_read_ctx); 273 dd= s->enc_read_ctx; 274 s->read_hash=m; 275 #ifndef OPENSSL_NO_COMP 276 if (s->expand != NULL) 277 { 278 COMP_CTX_free(s->expand); 279 s->expand=NULL; 280 } 281 if (comp != NULL) 282 { 283 s->expand=COMP_CTX_new(comp->method); 284 if (s->expand == NULL) 285 { 286 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 287 goto err2; 288 } 289 if (s->s3->rrec.comp == NULL) 290 s->s3->rrec.comp=(unsigned char *) 291 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 292 if (s->s3->rrec.comp == NULL) 293 goto err; 294 } 295 #endif 296 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 297 if (s->version != DTLS1_VERSION) 298 memset(&(s->s3->read_sequence[0]),0,8); 299 mac_secret= &(s->s3->read_mac_secret[0]); 300 } 301 else 302 { 303 if (s->enc_write_ctx != NULL) 304 reuse_dd = 1; 305 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 306 goto err; 307 else 308 /* make sure it's intialized in case we exit later with an error */ 309 EVP_CIPHER_CTX_init(s->enc_write_ctx); 310 dd= s->enc_write_ctx; 311 s->write_hash=m; 312 #ifndef OPENSSL_NO_COMP 313 if (s->compress != NULL) 314 { 315 COMP_CTX_free(s->compress); 316 s->compress=NULL; 317 } 318 if (comp != NULL) 319 { 320 s->compress=COMP_CTX_new(comp->method); 321 if (s->compress == NULL) 322 { 323 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 324 goto err2; 325 } 326 } 327 #endif 328 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 329 if (s->version != DTLS1_VERSION) 330 memset(&(s->s3->write_sequence[0]),0,8); 331 mac_secret= &(s->s3->write_mac_secret[0]); 332 } 333 334 if (reuse_dd) 335 EVP_CIPHER_CTX_cleanup(dd); 336 337 p=s->s3->tmp.key_block; 338 i=EVP_MD_size(m); 339 cl=EVP_CIPHER_key_length(c); 340 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 341 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 342 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 343 k=EVP_CIPHER_iv_length(c); 344 er1= &(s->s3->client_random[0]); 345 er2= &(s->s3->server_random[0]); 346 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 347 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 348 { 349 ms= &(p[ 0]); n=i+i; 350 key= &(p[ n]); n+=j+j; 351 iv= &(p[ n]); n+=k+k; 352 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 353 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 354 client_write=1; 355 } 356 else 357 { 358 n=i; 359 ms= &(p[ n]); n+=i+j; 360 key= &(p[ n]); n+=j+k; 361 iv= &(p[ n]); n+=k; 362 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 363 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 364 client_write=0; 365 } 366 367 if (n > s->s3->tmp.key_block_length) 368 { 369 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); 370 goto err2; 371 } 372 373 memcpy(mac_secret,ms,i); 374 #ifdef TLS_DEBUG 375 printf("which = %04X\nmac key=",which); 376 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 377 #endif 378 if (is_export) 379 { 380 /* In here I set both the read and write key/iv to the 381 * same value since only the correct one will be used :-). 382 */ 383 p=buf; 384 memcpy(p,exp_label,exp_label_len); 385 p+=exp_label_len; 386 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 387 p+=SSL3_RANDOM_SIZE; 388 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 389 p+=SSL3_RANDOM_SIZE; 390 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j, 391 tmp1,tmp2,EVP_CIPHER_key_length(c)); 392 key=tmp1; 393 394 if (k > 0) 395 { 396 p=buf; 397 memcpy(p,TLS_MD_IV_BLOCK_CONST, 398 TLS_MD_IV_BLOCK_CONST_SIZE); 399 p+=TLS_MD_IV_BLOCK_CONST_SIZE; 400 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 401 p+=SSL3_RANDOM_SIZE; 402 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 403 p+=SSL3_RANDOM_SIZE; 404 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0, 405 iv1,iv2,k*2); 406 if (client_write) 407 iv=iv1; 408 else 409 iv= &(iv1[k]); 410 } 411 } 412 413 s->session->key_arg_length=0; 414 #ifdef KSSL_DEBUG 415 { 416 int i; 417 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); 418 printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]); 419 printf("\n"); 420 printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]); 421 printf("\n"); 422 } 423 #endif /* KSSL_DEBUG */ 424 425 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); 426 #ifdef TLS_DEBUG 427 printf("which = %04X\nkey=",which); 428 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 429 printf("\niv="); 430 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } 431 printf("\n"); 432 #endif 433 434 OPENSSL_cleanse(tmp1,sizeof(tmp1)); 435 OPENSSL_cleanse(tmp2,sizeof(tmp1)); 436 OPENSSL_cleanse(iv1,sizeof(iv1)); 437 OPENSSL_cleanse(iv2,sizeof(iv2)); 438 return(1); 439 err: 440 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 441 err2: 442 return(0); 443 } 444 445 int tls1_setup_key_block(SSL *s) 446 { 447 unsigned char *p1,*p2; 448 const EVP_CIPHER *c; 449 const EVP_MD *hash; 450 int num; 451 SSL_COMP *comp; 452 453 #ifdef KSSL_DEBUG 454 printf ("tls1_setup_key_block()\n"); 455 #endif /* KSSL_DEBUG */ 456 457 if (s->s3->tmp.key_block_length != 0) 458 return(1); 459 460 if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) 461 { 462 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 463 return(0); 464 } 465 466 s->s3->tmp.new_sym_enc=c; 467 s->s3->tmp.new_hash=hash; 468 469 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); 470 num*=2; 471 472 ssl3_cleanup_key_block(s); 473 474 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) 475 goto err; 476 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) 477 goto err; 478 479 s->s3->tmp.key_block_length=num; 480 s->s3->tmp.key_block=p1; 481 482 483 #ifdef TLS_DEBUG 484 printf("client random\n"); 485 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); } 486 printf("server random\n"); 487 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); } 488 printf("pre-master\n"); 489 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } 490 #endif 491 tls1_generate_key_block(s,p1,p2,num); 492 OPENSSL_cleanse(p2,num); 493 OPENSSL_free(p2); 494 #ifdef TLS_DEBUG 495 printf("\nkey block\n"); 496 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 497 #endif 498 499 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 500 { 501 /* enable vulnerability countermeasure for CBC ciphers with 502 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 503 */ 504 s->s3->need_empty_fragments = 1; 505 506 if (s->session->cipher != NULL) 507 { 508 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) 509 s->s3->need_empty_fragments = 0; 510 511 #ifndef OPENSSL_NO_RC4 512 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) 513 s->s3->need_empty_fragments = 0; 514 #endif 515 } 516 } 517 518 return(1); 519 err: 520 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); 521 return(0); 522 } 523 524 int tls1_enc(SSL *s, int send) 525 { 526 SSL3_RECORD *rec; 527 EVP_CIPHER_CTX *ds; 528 unsigned long l; 529 int bs,i,ii,j,k,n=0; 530 const EVP_CIPHER *enc; 531 532 if (send) 533 { 534 if (s->write_hash != NULL) 535 n=EVP_MD_size(s->write_hash); 536 ds=s->enc_write_ctx; 537 rec= &(s->s3->wrec); 538 if (s->enc_write_ctx == NULL) 539 enc=NULL; 540 else 541 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 542 } 543 else 544 { 545 if (s->read_hash != NULL) 546 n=EVP_MD_size(s->read_hash); 547 ds=s->enc_read_ctx; 548 rec= &(s->s3->rrec); 549 if (s->enc_read_ctx == NULL) 550 enc=NULL; 551 else 552 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 553 } 554 555 #ifdef KSSL_DEBUG 556 printf("tls1_enc(%d)\n", send); 557 #endif /* KSSL_DEBUG */ 558 559 if ((s->session == NULL) || (ds == NULL) || 560 (enc == NULL)) 561 { 562 memmove(rec->data,rec->input,rec->length); 563 rec->input=rec->data; 564 } 565 else 566 { 567 l=rec->length; 568 bs=EVP_CIPHER_block_size(ds->cipher); 569 570 if ((bs != 1) && send) 571 { 572 i=bs-((int)l%bs); 573 574 /* Add weird padding of upto 256 bytes */ 575 576 /* we need to add 'i' padding bytes of value j */ 577 j=i-1; 578 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) 579 { 580 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 581 j++; 582 } 583 for (k=(int)l; k<(int)(l+i); k++) 584 rec->input[k]=j; 585 l+=i; 586 rec->length+=i; 587 } 588 589 #ifdef KSSL_DEBUG 590 { 591 unsigned long ui; 592 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 593 ds,rec->data,rec->input,l); 594 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 595 ds->buf_len, ds->cipher->key_len, 596 DES_KEY_SZ, DES_SCHEDULE_SZ, 597 ds->cipher->iv_len); 598 printf("\t\tIV: "); 599 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 600 printf("\n"); 601 printf("\trec->input="); 602 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); 603 printf("\n"); 604 } 605 #endif /* KSSL_DEBUG */ 606 607 if (!send) 608 { 609 if (l == 0 || l%bs != 0) 610 { 611 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 612 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 613 return 0; 614 } 615 } 616 617 EVP_Cipher(ds,rec->data,rec->input,l); 618 619 #ifdef KSSL_DEBUG 620 { 621 unsigned long i; 622 printf("\trec->data="); 623 for (i=0; i<l; i++) 624 printf(" %02x", rec->data[i]); printf("\n"); 625 } 626 #endif /* KSSL_DEBUG */ 627 628 if ((bs != 1) && !send) 629 { 630 ii=i=rec->data[l-1]; /* padding_length */ 631 i++; 632 /* NB: if compression is in operation the first packet 633 * may not be of even length so the padding bug check 634 * cannot be performed. This bug workaround has been 635 * around since SSLeay so hopefully it is either fixed 636 * now or no buggy implementation supports compression 637 * [steve] 638 */ 639 if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) 640 && !s->expand) 641 { 642 /* First packet is even in size, so check */ 643 if ((memcmp(s->s3->read_sequence, 644 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) 645 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; 646 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 647 i--; 648 } 649 /* TLS 1.0 does not bound the number of padding bytes by the block size. 650 * All of them must have value 'padding_length'. */ 651 if (i > (int)rec->length) 652 { 653 /* Incorrect padding. SSLerr() and ssl3_alert are done 654 * by caller: we don't want to reveal whether this is 655 * a decryption error or a MAC verification failure 656 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ 657 return -1; 658 } 659 for (j=(int)(l-i); j<(int)l; j++) 660 { 661 if (rec->data[j] != ii) 662 { 663 /* Incorrect padding */ 664 return -1; 665 } 666 } 667 rec->length-=i; 668 } 669 } 670 return(1); 671 } 672 673 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) 674 { 675 unsigned int ret; 676 EVP_MD_CTX ctx; 677 678 EVP_MD_CTX_init(&ctx); 679 EVP_MD_CTX_copy_ex(&ctx,in_ctx); 680 EVP_DigestFinal_ex(&ctx,out,&ret); 681 EVP_MD_CTX_cleanup(&ctx); 682 return((int)ret); 683 } 684 685 int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, 686 const char *str, int slen, unsigned char *out) 687 { 688 unsigned int i; 689 EVP_MD_CTX ctx; 690 unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 691 unsigned char *q,buf2[12]; 692 693 q=buf; 694 memcpy(q,str,slen); 695 q+=slen; 696 697 EVP_MD_CTX_init(&ctx); 698 EVP_MD_CTX_copy_ex(&ctx,in1_ctx); 699 EVP_DigestFinal_ex(&ctx,q,&i); 700 q+=i; 701 EVP_MD_CTX_copy_ex(&ctx,in2_ctx); 702 EVP_DigestFinal_ex(&ctx,q,&i); 703 q+=i; 704 705 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf), 706 s->session->master_key,s->session->master_key_length, 707 out,buf2,sizeof buf2); 708 EVP_MD_CTX_cleanup(&ctx); 709 710 return sizeof buf2; 711 } 712 713 int tls1_mac(SSL *ssl, unsigned char *md, int send) 714 { 715 SSL3_RECORD *rec; 716 unsigned char *mac_sec,*seq; 717 const EVP_MD *hash; 718 unsigned int md_size; 719 int i; 720 HMAC_CTX hmac; 721 unsigned char buf[5]; 722 723 if (send) 724 { 725 rec= &(ssl->s3->wrec); 726 mac_sec= &(ssl->s3->write_mac_secret[0]); 727 seq= &(ssl->s3->write_sequence[0]); 728 hash=ssl->write_hash; 729 } 730 else 731 { 732 rec= &(ssl->s3->rrec); 733 mac_sec= &(ssl->s3->read_mac_secret[0]); 734 seq= &(ssl->s3->read_sequence[0]); 735 hash=ssl->read_hash; 736 } 737 738 md_size=EVP_MD_size(hash); 739 740 buf[0]=rec->type; 741 buf[1]=TLS1_VERSION_MAJOR; 742 buf[2]=TLS1_VERSION_MINOR; 743 buf[3]=rec->length>>8; 744 buf[4]=rec->length&0xff; 745 746 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 747 HMAC_CTX_init(&hmac); 748 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); 749 HMAC_Update(&hmac,seq,8); 750 HMAC_Update(&hmac,buf,5); 751 HMAC_Update(&hmac,rec->input,rec->length); 752 HMAC_Final(&hmac,md,&md_size); 753 HMAC_CTX_cleanup(&hmac); 754 755 #ifdef TLS_DEBUG 756 printf("sec="); 757 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 758 printf("seq="); 759 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 760 printf("buf="); 761 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 762 printf("rec="); 763 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } 764 #endif 765 766 if ( SSL_version(ssl) != DTLS1_VERSION) 767 { 768 for (i=7; i>=0; i--) 769 { 770 ++seq[i]; 771 if (seq[i] != 0) break; 772 } 773 } 774 775 #ifdef TLS_DEBUG 776 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 777 #endif 778 return(md_size); 779 } 780 781 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 782 int len) 783 { 784 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE]; 785 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 786 787 #ifdef KSSL_DEBUG 788 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); 789 #endif /* KSSL_DEBUG */ 790 791 /* Setup the stuff to munge */ 792 memcpy(buf,TLS_MD_MASTER_SECRET_CONST, 793 TLS_MD_MASTER_SECRET_CONST_SIZE); 794 memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]), 795 s->s3->client_random,SSL3_RANDOM_SIZE); 796 memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]), 797 s->s3->server_random,SSL3_RANDOM_SIZE); 798 tls1_PRF(s->ctx->md5,s->ctx->sha1, 799 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, 800 s->session->master_key,buff,sizeof buff); 801 #ifdef KSSL_DEBUG 802 printf ("tls1_generate_master_secret() complete\n"); 803 #endif /* KSSL_DEBUG */ 804 return(SSL3_MASTER_SECRET_SIZE); 805 } 806 807 int tls1_alert_code(int code) 808 { 809 switch (code) 810 { 811 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); 812 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); 813 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); 814 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); 815 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); 816 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); 817 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); 818 case SSL_AD_NO_CERTIFICATE: return(-1); 819 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); 820 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); 821 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); 822 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); 823 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); 824 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); 825 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); 826 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 827 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 828 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 829 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); 830 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 831 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 832 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 833 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); 834 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 835 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 836 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 837 default: return(-1); 838 } 839 } 840 841