1 /* ssl/t1_enc.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112 #include <stdio.h> 113 #include "ssl_locl.h" 114 #include <openssl/comp.h> 115 #include <openssl/evp.h> 116 #include <openssl/hmac.h> 117 #include <openssl/md5.h> 118 119 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 120 int sec_len, unsigned char *seed, int seed_len, 121 unsigned char *out, int olen) 122 { 123 int chunk,n; 124 unsigned int j; 125 HMAC_CTX ctx; 126 HMAC_CTX ctx_tmp; 127 unsigned char A1[EVP_MAX_MD_SIZE]; 128 unsigned int A1_len; 129 130 chunk=EVP_MD_size(md); 131 132 HMAC_CTX_init(&ctx); 133 HMAC_CTX_init(&ctx_tmp); 134 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); 135 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); 136 HMAC_Update(&ctx,seed,seed_len); 137 HMAC_Final(&ctx,A1,&A1_len); 138 139 n=0; 140 for (;;) 141 { 142 HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */ 143 HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */ 144 HMAC_Update(&ctx,A1,A1_len); 145 HMAC_Update(&ctx_tmp,A1,A1_len); 146 HMAC_Update(&ctx,seed,seed_len); 147 148 if (olen > chunk) 149 { 150 HMAC_Final(&ctx,out,&j); 151 out+=j; 152 olen-=j; 153 HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */ 154 } 155 else /* last one */ 156 { 157 HMAC_Final(&ctx,A1,&A1_len); 158 memcpy(out,A1,olen); 159 break; 160 } 161 } 162 HMAC_CTX_cleanup(&ctx); 163 HMAC_CTX_cleanup(&ctx_tmp); 164 OPENSSL_cleanse(A1,sizeof(A1)); 165 } 166 167 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, 168 unsigned char *label, int label_len, 169 const unsigned char *sec, int slen, unsigned char *out1, 170 unsigned char *out2, int olen) 171 { 172 int len,i; 173 const unsigned char *S1,*S2; 174 175 len=slen/2; 176 S1=sec; 177 S2= &(sec[len]); 178 len+=(slen&1); /* add for odd, make longer */ 179 180 181 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); 182 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); 183 184 for (i=0; i<olen; i++) 185 out1[i]^=out2[i]; 186 } 187 188 static void tls1_generate_key_block(SSL *s, unsigned char *km, 189 unsigned char *tmp, int num) 190 { 191 unsigned char *p; 192 unsigned char buf[SSL3_RANDOM_SIZE*2+ 193 TLS_MD_MAX_CONST_SIZE]; 194 p=buf; 195 196 memcpy(p,TLS_MD_KEY_EXPANSION_CONST, 197 TLS_MD_KEY_EXPANSION_CONST_SIZE); 198 p+=TLS_MD_KEY_EXPANSION_CONST_SIZE; 199 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 200 p+=SSL3_RANDOM_SIZE; 201 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 202 p+=SSL3_RANDOM_SIZE; 203 204 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf), 205 s->session->master_key,s->session->master_key_length, 206 km,tmp,num); 207 #ifdef KSSL_DEBUG 208 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 209 s->session->master_key_length); 210 { 211 int i; 212 for (i=0; i < s->session->master_key_length; i++) 213 { 214 printf("%02X", s->session->master_key[i]); 215 } 216 printf("\n"); } 217 #endif /* KSSL_DEBUG */ 218 } 219 220 int tls1_change_cipher_state(SSL *s, int which) 221 { 222 static const unsigned char empty[]=""; 223 unsigned char *p,*key_block,*mac_secret; 224 unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ 225 SSL3_RANDOM_SIZE*2]; 226 unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 227 unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 228 unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 229 unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 230 unsigned char *ms,*key,*iv,*er1,*er2; 231 int client_write; 232 EVP_CIPHER_CTX *dd; 233 const EVP_CIPHER *c; 234 #ifndef OPENSSL_NO_COMP 235 const SSL_COMP *comp; 236 #endif 237 const EVP_MD *m; 238 int is_export,n,i,j,k,exp_label_len,cl; 239 int reuse_dd = 0; 240 241 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 242 c=s->s3->tmp.new_sym_enc; 243 m=s->s3->tmp.new_hash; 244 #ifndef OPENSSL_NO_COMP 245 comp=s->s3->tmp.new_compression; 246 #endif 247 key_block=s->s3->tmp.key_block; 248 249 #ifdef KSSL_DEBUG 250 printf("tls1_change_cipher_state(which= %d) w/\n", which); 251 printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, 252 comp); 253 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); 254 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", 255 c->nid,c->block_size,c->key_len,c->iv_len); 256 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); 257 { 258 int i; 259 for (i=0; i<s->s3->tmp.key_block_length; i++) 260 printf("%02x", key_block[i]); printf("\n"); 261 } 262 #endif /* KSSL_DEBUG */ 263 264 if (which & SSL3_CC_READ) 265 { 266 if (s->enc_read_ctx != NULL) 267 reuse_dd = 1; 268 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 269 goto err; 270 dd= s->enc_read_ctx; 271 s->read_hash=m; 272 #ifndef OPENSSL_NO_COMP 273 if (s->expand != NULL) 274 { 275 COMP_CTX_free(s->expand); 276 s->expand=NULL; 277 } 278 if (comp != NULL) 279 { 280 s->expand=COMP_CTX_new(comp->method); 281 if (s->expand == NULL) 282 { 283 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 284 goto err2; 285 } 286 if (s->s3->rrec.comp == NULL) 287 s->s3->rrec.comp=(unsigned char *) 288 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 289 if (s->s3->rrec.comp == NULL) 290 goto err; 291 } 292 #endif 293 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 294 if (s->version != DTLS1_VERSION) 295 memset(&(s->s3->read_sequence[0]),0,8); 296 mac_secret= &(s->s3->read_mac_secret[0]); 297 } 298 else 299 { 300 if (s->enc_write_ctx != NULL) 301 reuse_dd = 1; 302 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 303 goto err; 304 if ((s->enc_write_ctx == NULL) && 305 ((s->enc_write_ctx=(EVP_CIPHER_CTX *) 306 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) 307 goto err; 308 dd= s->enc_write_ctx; 309 s->write_hash=m; 310 #ifndef OPENSSL_NO_COMP 311 if (s->compress != NULL) 312 { 313 COMP_CTX_free(s->compress); 314 s->compress=NULL; 315 } 316 if (comp != NULL) 317 { 318 s->compress=COMP_CTX_new(comp->method); 319 if (s->compress == NULL) 320 { 321 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 322 goto err2; 323 } 324 } 325 #endif 326 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ 327 if (s->version != DTLS1_VERSION) 328 memset(&(s->s3->write_sequence[0]),0,8); 329 mac_secret= &(s->s3->write_mac_secret[0]); 330 } 331 332 if (reuse_dd) 333 EVP_CIPHER_CTX_cleanup(dd); 334 EVP_CIPHER_CTX_init(dd); 335 336 p=s->s3->tmp.key_block; 337 i=EVP_MD_size(m); 338 cl=EVP_CIPHER_key_length(c); 339 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 340 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 341 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 342 k=EVP_CIPHER_iv_length(c); 343 er1= &(s->s3->client_random[0]); 344 er2= &(s->s3->server_random[0]); 345 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 346 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 347 { 348 ms= &(p[ 0]); n=i+i; 349 key= &(p[ n]); n+=j+j; 350 iv= &(p[ n]); n+=k+k; 351 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 352 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 353 client_write=1; 354 } 355 else 356 { 357 n=i; 358 ms= &(p[ n]); n+=i+j; 359 key= &(p[ n]); n+=j+k; 360 iv= &(p[ n]); n+=k; 361 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 362 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 363 client_write=0; 364 } 365 366 if (n > s->s3->tmp.key_block_length) 367 { 368 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); 369 goto err2; 370 } 371 372 memcpy(mac_secret,ms,i); 373 #ifdef TLS_DEBUG 374 printf("which = %04X\nmac key=",which); 375 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 376 #endif 377 if (is_export) 378 { 379 /* In here I set both the read and write key/iv to the 380 * same value since only the correct one will be used :-). 381 */ 382 p=buf; 383 memcpy(p,exp_label,exp_label_len); 384 p+=exp_label_len; 385 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 386 p+=SSL3_RANDOM_SIZE; 387 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 388 p+=SSL3_RANDOM_SIZE; 389 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j, 390 tmp1,tmp2,EVP_CIPHER_key_length(c)); 391 key=tmp1; 392 393 if (k > 0) 394 { 395 p=buf; 396 memcpy(p,TLS_MD_IV_BLOCK_CONST, 397 TLS_MD_IV_BLOCK_CONST_SIZE); 398 p+=TLS_MD_IV_BLOCK_CONST_SIZE; 399 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 400 p+=SSL3_RANDOM_SIZE; 401 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 402 p+=SSL3_RANDOM_SIZE; 403 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0, 404 iv1,iv2,k*2); 405 if (client_write) 406 iv=iv1; 407 else 408 iv= &(iv1[k]); 409 } 410 } 411 412 s->session->key_arg_length=0; 413 #ifdef KSSL_DEBUG 414 { 415 int i; 416 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); 417 printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]); 418 printf("\n"); 419 printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]); 420 printf("\n"); 421 } 422 #endif /* KSSL_DEBUG */ 423 424 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); 425 #ifdef TLS_DEBUG 426 printf("which = %04X\nkey=",which); 427 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 428 printf("\niv="); 429 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } 430 printf("\n"); 431 #endif 432 433 OPENSSL_cleanse(tmp1,sizeof(tmp1)); 434 OPENSSL_cleanse(tmp2,sizeof(tmp1)); 435 OPENSSL_cleanse(iv1,sizeof(iv1)); 436 OPENSSL_cleanse(iv2,sizeof(iv2)); 437 return(1); 438 err: 439 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 440 err2: 441 return(0); 442 } 443 444 int tls1_setup_key_block(SSL *s) 445 { 446 unsigned char *p1,*p2; 447 const EVP_CIPHER *c; 448 const EVP_MD *hash; 449 int num; 450 SSL_COMP *comp; 451 452 #ifdef KSSL_DEBUG 453 printf ("tls1_setup_key_block()\n"); 454 #endif /* KSSL_DEBUG */ 455 456 if (s->s3->tmp.key_block_length != 0) 457 return(1); 458 459 if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) 460 { 461 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 462 return(0); 463 } 464 465 s->s3->tmp.new_sym_enc=c; 466 s->s3->tmp.new_hash=hash; 467 468 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); 469 num*=2; 470 471 ssl3_cleanup_key_block(s); 472 473 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) 474 goto err; 475 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) 476 goto err; 477 478 s->s3->tmp.key_block_length=num; 479 s->s3->tmp.key_block=p1; 480 481 482 #ifdef TLS_DEBUG 483 printf("client random\n"); 484 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); } 485 printf("server random\n"); 486 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); } 487 printf("pre-master\n"); 488 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } 489 #endif 490 tls1_generate_key_block(s,p1,p2,num); 491 OPENSSL_cleanse(p2,num); 492 OPENSSL_free(p2); 493 #ifdef TLS_DEBUG 494 printf("\nkey block\n"); 495 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 496 #endif 497 498 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 499 { 500 /* enable vulnerability countermeasure for CBC ciphers with 501 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 502 */ 503 s->s3->need_empty_fragments = 1; 504 505 if (s->session->cipher != NULL) 506 { 507 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) 508 s->s3->need_empty_fragments = 0; 509 510 #ifndef OPENSSL_NO_RC4 511 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) 512 s->s3->need_empty_fragments = 0; 513 #endif 514 } 515 } 516 517 return(1); 518 err: 519 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); 520 return(0); 521 } 522 523 int tls1_enc(SSL *s, int send) 524 { 525 SSL3_RECORD *rec; 526 EVP_CIPHER_CTX *ds; 527 unsigned long l; 528 int bs,i,ii,j,k,n=0; 529 const EVP_CIPHER *enc; 530 531 if (send) 532 { 533 if (s->write_hash != NULL) 534 n=EVP_MD_size(s->write_hash); 535 ds=s->enc_write_ctx; 536 rec= &(s->s3->wrec); 537 if (s->enc_write_ctx == NULL) 538 enc=NULL; 539 else 540 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 541 } 542 else 543 { 544 if (s->read_hash != NULL) 545 n=EVP_MD_size(s->read_hash); 546 ds=s->enc_read_ctx; 547 rec= &(s->s3->rrec); 548 if (s->enc_read_ctx == NULL) 549 enc=NULL; 550 else 551 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 552 } 553 554 #ifdef KSSL_DEBUG 555 printf("tls1_enc(%d)\n", send); 556 #endif /* KSSL_DEBUG */ 557 558 if ((s->session == NULL) || (ds == NULL) || 559 (enc == NULL)) 560 { 561 memmove(rec->data,rec->input,rec->length); 562 rec->input=rec->data; 563 } 564 else 565 { 566 l=rec->length; 567 bs=EVP_CIPHER_block_size(ds->cipher); 568 569 if ((bs != 1) && send) 570 { 571 i=bs-((int)l%bs); 572 573 /* Add weird padding of upto 256 bytes */ 574 575 /* we need to add 'i' padding bytes of value j */ 576 j=i-1; 577 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) 578 { 579 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 580 j++; 581 } 582 for (k=(int)l; k<(int)(l+i); k++) 583 rec->input[k]=j; 584 l+=i; 585 rec->length+=i; 586 } 587 588 #ifdef KSSL_DEBUG 589 { 590 unsigned long ui; 591 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 592 ds,rec->data,rec->input,l); 593 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 594 ds->buf_len, ds->cipher->key_len, 595 DES_KEY_SZ, DES_SCHEDULE_SZ, 596 ds->cipher->iv_len); 597 printf("\t\tIV: "); 598 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 599 printf("\n"); 600 printf("\trec->input="); 601 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); 602 printf("\n"); 603 } 604 #endif /* KSSL_DEBUG */ 605 606 if (!send) 607 { 608 if (l == 0 || l%bs != 0) 609 { 610 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 611 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 612 return 0; 613 } 614 } 615 616 EVP_Cipher(ds,rec->data,rec->input,l); 617 618 #ifdef KSSL_DEBUG 619 { 620 unsigned long i; 621 printf("\trec->data="); 622 for (i=0; i<l; i++) 623 printf(" %02x", rec->data[i]); printf("\n"); 624 } 625 #endif /* KSSL_DEBUG */ 626 627 if ((bs != 1) && !send) 628 { 629 ii=i=rec->data[l-1]; /* padding_length */ 630 i++; 631 /* NB: if compression is in operation the first packet 632 * may not be of even length so the padding bug check 633 * cannot be performed. This bug workaround has been 634 * around since SSLeay so hopefully it is either fixed 635 * now or no buggy implementation supports compression 636 * [steve] 637 */ 638 if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) 639 && !s->expand) 640 { 641 /* First packet is even in size, so check */ 642 if ((memcmp(s->s3->read_sequence, 643 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) 644 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; 645 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 646 i--; 647 } 648 /* TLS 1.0 does not bound the number of padding bytes by the block size. 649 * All of them must have value 'padding_length'. */ 650 if (i > (int)rec->length) 651 { 652 /* Incorrect padding. SSLerr() and ssl3_alert are done 653 * by caller: we don't want to reveal whether this is 654 * a decryption error or a MAC verification failure 655 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ 656 return -1; 657 } 658 for (j=(int)(l-i); j<(int)l; j++) 659 { 660 if (rec->data[j] != ii) 661 { 662 /* Incorrect padding */ 663 return -1; 664 } 665 } 666 rec->length-=i; 667 } 668 } 669 return(1); 670 } 671 672 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) 673 { 674 unsigned int ret; 675 EVP_MD_CTX ctx; 676 677 EVP_MD_CTX_init(&ctx); 678 EVP_MD_CTX_copy_ex(&ctx,in_ctx); 679 EVP_DigestFinal_ex(&ctx,out,&ret); 680 EVP_MD_CTX_cleanup(&ctx); 681 return((int)ret); 682 } 683 684 int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, 685 const char *str, int slen, unsigned char *out) 686 { 687 unsigned int i; 688 EVP_MD_CTX ctx; 689 unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 690 unsigned char *q,buf2[12]; 691 692 q=buf; 693 memcpy(q,str,slen); 694 q+=slen; 695 696 EVP_MD_CTX_init(&ctx); 697 EVP_MD_CTX_copy_ex(&ctx,in1_ctx); 698 EVP_DigestFinal_ex(&ctx,q,&i); 699 q+=i; 700 EVP_MD_CTX_copy_ex(&ctx,in2_ctx); 701 EVP_DigestFinal_ex(&ctx,q,&i); 702 q+=i; 703 704 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf), 705 s->session->master_key,s->session->master_key_length, 706 out,buf2,sizeof buf2); 707 EVP_MD_CTX_cleanup(&ctx); 708 709 return sizeof buf2; 710 } 711 712 int tls1_mac(SSL *ssl, unsigned char *md, int send) 713 { 714 SSL3_RECORD *rec; 715 unsigned char *mac_sec,*seq; 716 const EVP_MD *hash; 717 unsigned int md_size; 718 int i; 719 HMAC_CTX hmac; 720 unsigned char buf[5]; 721 722 if (send) 723 { 724 rec= &(ssl->s3->wrec); 725 mac_sec= &(ssl->s3->write_mac_secret[0]); 726 seq= &(ssl->s3->write_sequence[0]); 727 hash=ssl->write_hash; 728 } 729 else 730 { 731 rec= &(ssl->s3->rrec); 732 mac_sec= &(ssl->s3->read_mac_secret[0]); 733 seq= &(ssl->s3->read_sequence[0]); 734 hash=ssl->read_hash; 735 } 736 737 md_size=EVP_MD_size(hash); 738 739 buf[0]=rec->type; 740 buf[1]=TLS1_VERSION_MAJOR; 741 buf[2]=TLS1_VERSION_MINOR; 742 buf[3]=rec->length>>8; 743 buf[4]=rec->length&0xff; 744 745 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 746 HMAC_CTX_init(&hmac); 747 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); 748 HMAC_Update(&hmac,seq,8); 749 HMAC_Update(&hmac,buf,5); 750 HMAC_Update(&hmac,rec->input,rec->length); 751 HMAC_Final(&hmac,md,&md_size); 752 HMAC_CTX_cleanup(&hmac); 753 754 #ifdef TLS_DEBUG 755 printf("sec="); 756 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 757 printf("seq="); 758 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 759 printf("buf="); 760 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 761 printf("rec="); 762 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } 763 #endif 764 765 if ( SSL_version(ssl) != DTLS1_VERSION) 766 { 767 for (i=7; i>=0; i--) 768 { 769 ++seq[i]; 770 if (seq[i] != 0) break; 771 } 772 } 773 774 #ifdef TLS_DEBUG 775 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 776 #endif 777 return(md_size); 778 } 779 780 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 781 int len) 782 { 783 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE]; 784 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 785 786 #ifdef KSSL_DEBUG 787 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); 788 #endif /* KSSL_DEBUG */ 789 790 /* Setup the stuff to munge */ 791 memcpy(buf,TLS_MD_MASTER_SECRET_CONST, 792 TLS_MD_MASTER_SECRET_CONST_SIZE); 793 memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]), 794 s->s3->client_random,SSL3_RANDOM_SIZE); 795 memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]), 796 s->s3->server_random,SSL3_RANDOM_SIZE); 797 tls1_PRF(s->ctx->md5,s->ctx->sha1, 798 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, 799 s->session->master_key,buff,sizeof buff); 800 #ifdef KSSL_DEBUG 801 printf ("tls1_generate_master_secret() complete\n"); 802 #endif /* KSSL_DEBUG */ 803 return(SSL3_MASTER_SECRET_SIZE); 804 } 805 806 int tls1_alert_code(int code) 807 { 808 switch (code) 809 { 810 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); 811 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); 812 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); 813 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); 814 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); 815 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); 816 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); 817 case SSL_AD_NO_CERTIFICATE: return(-1); 818 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); 819 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); 820 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); 821 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); 822 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); 823 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); 824 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); 825 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 826 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 827 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 828 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); 829 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 830 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 831 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 832 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); 833 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 834 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 835 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 836 default: return(-1); 837 } 838 } 839 840