t1_enc.c revision 55714
155714Skris/* ssl/t1_enc.c */ 255714Skris/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 355714Skris * All rights reserved. 455714Skris * 555714Skris * This package is an SSL implementation written 655714Skris * by Eric Young (eay@cryptsoft.com). 755714Skris * The implementation was written so as to conform with Netscapes SSL. 855714Skris * 955714Skris * This library is free for commercial and non-commercial use as long as 1055714Skris * the following conditions are aheared to. The following conditions 1155714Skris * apply to all code found in this distribution, be it the RC4, RSA, 1255714Skris * lhash, DES, etc., code; not just the SSL code. The SSL documentation 1355714Skris * included with this distribution is covered by the same copyright terms 1455714Skris * except that the holder is Tim Hudson (tjh@cryptsoft.com). 1555714Skris * 1655714Skris * Copyright remains Eric Young's, and as such any Copyright notices in 1755714Skris * the code are not to be removed. 1855714Skris * If this package is used in a product, Eric Young should be given attribution 1955714Skris * as the author of the parts of the library used. 2055714Skris * This can be in the form of a textual message at program startup or 2155714Skris * in documentation (online or textual) provided with the package. 2255714Skris * 2355714Skris * Redistribution and use in source and binary forms, with or without 2455714Skris * modification, are permitted provided that the following conditions 2555714Skris * are met: 2655714Skris * 1. Redistributions of source code must retain the copyright 2755714Skris * notice, this list of conditions and the following disclaimer. 2855714Skris * 2. Redistributions in binary form must reproduce the above copyright 2955714Skris * notice, this list of conditions and the following disclaimer in the 3055714Skris * documentation and/or other materials provided with the distribution. 3155714Skris * 3. All advertising materials mentioning features or use of this software 3255714Skris * must display the following acknowledgement: 3355714Skris * "This product includes cryptographic software written by 3455714Skris * Eric Young (eay@cryptsoft.com)" 3555714Skris * The word 'cryptographic' can be left out if the rouines from the library 3655714Skris * being used are not cryptographic related :-). 3755714Skris * 4. If you include any Windows specific code (or a derivative thereof) from 3855714Skris * the apps directory (application code) you must include an acknowledgement: 3955714Skris * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 4055714Skris * 4155714Skris * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 4255714Skris * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 4355714Skris * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 4455714Skris * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 4555714Skris * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 4655714Skris * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 4755714Skris * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 4855714Skris * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 4955714Skris * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 5055714Skris * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 5155714Skris * SUCH DAMAGE. 5255714Skris * 5355714Skris * The licence and distribution terms for any publically available version or 5455714Skris * derivative of this code cannot be changed. i.e. this code cannot simply be 5555714Skris * copied and put under another distribution licence 5655714Skris * [including the GNU Public Licence.] 5755714Skris */ 5855714Skris 5955714Skris#include <stdio.h> 6055714Skris#include <openssl/comp.h> 6155714Skris#include <openssl/md5.h> 6255714Skris#include <openssl/sha.h> 6355714Skris#include <openssl/evp.h> 6455714Skris#include <openssl/hmac.h> 6555714Skris#include "ssl_locl.h" 6655714Skris 6755714Skrisstatic void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 6855714Skris int sec_len, unsigned char *seed, int seed_len, 6955714Skris unsigned char *out, int olen) 7055714Skris { 7155714Skris int chunk,n; 7255714Skris unsigned int j; 7355714Skris HMAC_CTX ctx; 7455714Skris HMAC_CTX ctx_tmp; 7555714Skris unsigned char A1[HMAC_MAX_MD_CBLOCK]; 7655714Skris unsigned int A1_len; 7755714Skris 7855714Skris chunk=EVP_MD_size(md); 7955714Skris 8055714Skris HMAC_Init(&ctx,sec,sec_len,md); 8155714Skris HMAC_Update(&ctx,seed,seed_len); 8255714Skris HMAC_Final(&ctx,A1,&A1_len); 8355714Skris 8455714Skris n=0; 8555714Skris for (;;) 8655714Skris { 8755714Skris HMAC_Init(&ctx,NULL,0,NULL); /* re-init */ 8855714Skris HMAC_Update(&ctx,A1,A1_len); 8955714Skris memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */ 9055714Skris HMAC_Update(&ctx,seed,seed_len); 9155714Skris 9255714Skris if (olen > chunk) 9355714Skris { 9455714Skris HMAC_Final(&ctx,out,&j); 9555714Skris out+=j; 9655714Skris olen-=j; 9755714Skris HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */ 9855714Skris } 9955714Skris else /* last one */ 10055714Skris { 10155714Skris HMAC_Final(&ctx,A1,&A1_len); 10255714Skris memcpy(out,A1,olen); 10355714Skris break; 10455714Skris } 10555714Skris } 10655714Skris HMAC_cleanup(&ctx); 10755714Skris HMAC_cleanup(&ctx_tmp); 10855714Skris memset(A1,0,sizeof(A1)); 10955714Skris } 11055714Skris 11155714Skrisstatic void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, 11255714Skris unsigned char *label, int label_len, 11355714Skris const unsigned char *sec, int slen, unsigned char *out1, 11455714Skris unsigned char *out2, int olen) 11555714Skris { 11655714Skris int len,i; 11755714Skris const unsigned char *S1,*S2; 11855714Skris 11955714Skris len=slen/2; 12055714Skris S1=sec; 12155714Skris S2= &(sec[len]); 12255714Skris len+=(slen&1); /* add for odd, make longer */ 12355714Skris 12455714Skris 12555714Skris tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); 12655714Skris tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); 12755714Skris 12855714Skris for (i=0; i<olen; i++) 12955714Skris out1[i]^=out2[i]; 13055714Skris } 13155714Skris 13255714Skrisstatic void tls1_generate_key_block(SSL *s, unsigned char *km, 13355714Skris unsigned char *tmp, int num) 13455714Skris { 13555714Skris unsigned char *p; 13655714Skris unsigned char buf[SSL3_RANDOM_SIZE*2+ 13755714Skris TLS_MD_MAX_CONST_SIZE]; 13855714Skris p=buf; 13955714Skris 14055714Skris memcpy(p,TLS_MD_KEY_EXPANSION_CONST, 14155714Skris TLS_MD_KEY_EXPANSION_CONST_SIZE); 14255714Skris p+=TLS_MD_KEY_EXPANSION_CONST_SIZE; 14355714Skris memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 14455714Skris p+=SSL3_RANDOM_SIZE; 14555714Skris memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 14655714Skris p+=SSL3_RANDOM_SIZE; 14755714Skris 14855714Skris tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf), 14955714Skris s->session->master_key,s->session->master_key_length, 15055714Skris km,tmp,num); 15155714Skris } 15255714Skris 15355714Skrisint tls1_change_cipher_state(SSL *s, int which) 15455714Skris { 15555714Skris static const unsigned char empty[]=""; 15655714Skris unsigned char *p,*key_block,*mac_secret; 15755714Skris unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ 15855714Skris SSL3_RANDOM_SIZE*2]; 15955714Skris unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 16055714Skris unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 16155714Skris unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 16255714Skris unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 16355714Skris unsigned char *ms,*key,*iv,*er1,*er2; 16455714Skris int client_write; 16555714Skris EVP_CIPHER_CTX *dd; 16655714Skris const EVP_CIPHER *c; 16755714Skris const SSL_COMP *comp; 16855714Skris const EVP_MD *m; 16955714Skris int _exp,n,i,j,k,exp_label_len,cl; 17055714Skris 17155714Skris _exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 17255714Skris c=s->s3->tmp.new_sym_enc; 17355714Skris m=s->s3->tmp.new_hash; 17455714Skris comp=s->s3->tmp.new_compression; 17555714Skris key_block=s->s3->tmp.key_block; 17655714Skris 17755714Skris if (which & SSL3_CC_READ) 17855714Skris { 17955714Skris if ((s->enc_read_ctx == NULL) && 18055714Skris ((s->enc_read_ctx=(EVP_CIPHER_CTX *) 18155714Skris Malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) 18255714Skris goto err; 18355714Skris dd= s->enc_read_ctx; 18455714Skris s->read_hash=m; 18555714Skris if (s->expand != NULL) 18655714Skris { 18755714Skris COMP_CTX_free(s->expand); 18855714Skris s->expand=NULL; 18955714Skris } 19055714Skris if (comp != NULL) 19155714Skris { 19255714Skris s->expand=COMP_CTX_new(comp->method); 19355714Skris if (s->expand == NULL) 19455714Skris { 19555714Skris SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 19655714Skris goto err2; 19755714Skris } 19855714Skris if (s->s3->rrec.comp == NULL) 19955714Skris s->s3->rrec.comp=(unsigned char *) 20055714Skris Malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 20155714Skris if (s->s3->rrec.comp == NULL) 20255714Skris goto err; 20355714Skris } 20455714Skris memset(&(s->s3->read_sequence[0]),0,8); 20555714Skris mac_secret= &(s->s3->read_mac_secret[0]); 20655714Skris } 20755714Skris else 20855714Skris { 20955714Skris if ((s->enc_write_ctx == NULL) && 21055714Skris ((s->enc_write_ctx=(EVP_CIPHER_CTX *) 21155714Skris Malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) 21255714Skris goto err; 21355714Skris dd= s->enc_write_ctx; 21455714Skris s->write_hash=m; 21555714Skris if (s->compress != NULL) 21655714Skris { 21755714Skris COMP_CTX_free(s->compress); 21855714Skris s->compress=NULL; 21955714Skris } 22055714Skris if (comp != NULL) 22155714Skris { 22255714Skris s->compress=COMP_CTX_new(comp->method); 22355714Skris if (s->compress == NULL) 22455714Skris { 22555714Skris SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 22655714Skris goto err2; 22755714Skris } 22855714Skris } 22955714Skris memset(&(s->s3->write_sequence[0]),0,8); 23055714Skris mac_secret= &(s->s3->write_mac_secret[0]); 23155714Skris } 23255714Skris 23355714Skris EVP_CIPHER_CTX_init(dd); 23455714Skris 23555714Skris p=s->s3->tmp.key_block; 23655714Skris i=EVP_MD_size(m); 23755714Skris cl=EVP_CIPHER_key_length(c); 23855714Skris j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 23955714Skris cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 24055714Skris /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 24155714Skris k=EVP_CIPHER_iv_length(c); 24255714Skris er1= &(s->s3->client_random[0]); 24355714Skris er2= &(s->s3->server_random[0]); 24455714Skris if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 24555714Skris (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 24655714Skris { 24755714Skris ms= &(p[ 0]); n=i+i; 24855714Skris key= &(p[ n]); n+=j+j; 24955714Skris iv= &(p[ n]); n+=k+k; 25055714Skris exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 25155714Skris exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 25255714Skris client_write=1; 25355714Skris } 25455714Skris else 25555714Skris { 25655714Skris n=i; 25755714Skris ms= &(p[ n]); n+=i+j; 25855714Skris key= &(p[ n]); n+=j+k; 25955714Skris iv= &(p[ n]); n+=k; 26055714Skris exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 26155714Skris exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 26255714Skris client_write=0; 26355714Skris } 26455714Skris 26555714Skris if (n > s->s3->tmp.key_block_length) 26655714Skris { 26755714Skris SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR); 26855714Skris goto err2; 26955714Skris } 27055714Skris 27155714Skris memcpy(mac_secret,ms,i); 27255714Skris#ifdef TLS_DEBUG 27355714Skrisprintf("which = %04X\nmac key=",which); 27455714Skris{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 27555714Skris#endif 27655714Skris if (_exp) 27755714Skris { 27855714Skris /* In here I set both the read and write key/iv to the 27955714Skris * same value since only the correct one will be used :-). 28055714Skris */ 28155714Skris p=buf; 28255714Skris memcpy(p,exp_label,exp_label_len); 28355714Skris p+=exp_label_len; 28455714Skris memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 28555714Skris p+=SSL3_RANDOM_SIZE; 28655714Skris memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 28755714Skris p+=SSL3_RANDOM_SIZE; 28855714Skris tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j, 28955714Skris tmp1,tmp2,EVP_CIPHER_key_length(c)); 29055714Skris key=tmp1; 29155714Skris 29255714Skris if (k > 0) 29355714Skris { 29455714Skris p=buf; 29555714Skris memcpy(p,TLS_MD_IV_BLOCK_CONST, 29655714Skris TLS_MD_IV_BLOCK_CONST_SIZE); 29755714Skris p+=TLS_MD_IV_BLOCK_CONST_SIZE; 29855714Skris memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 29955714Skris p+=SSL3_RANDOM_SIZE; 30055714Skris memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 30155714Skris p+=SSL3_RANDOM_SIZE; 30255714Skris tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0, 30355714Skris iv1,iv2,k*2); 30455714Skris if (client_write) 30555714Skris iv=iv1; 30655714Skris else 30755714Skris iv= &(iv1[k]); 30855714Skris } 30955714Skris } 31055714Skris 31155714Skris s->session->key_arg_length=0; 31255714Skris 31355714Skris EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE)); 31455714Skris#ifdef TLS_DEBUG 31555714Skrisprintf("which = %04X\nkey=",which); 31655714Skris{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 31755714Skrisprintf("\niv="); 31855714Skris{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } 31955714Skrisprintf("\n"); 32055714Skris#endif 32155714Skris 32255714Skris memset(tmp1,0,sizeof(tmp1)); 32355714Skris memset(tmp2,0,sizeof(tmp1)); 32455714Skris memset(iv1,0,sizeof(iv1)); 32555714Skris memset(iv2,0,sizeof(iv2)); 32655714Skris return(1); 32755714Skriserr: 32855714Skris SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 32955714Skriserr2: 33055714Skris return(0); 33155714Skris } 33255714Skris 33355714Skrisint tls1_setup_key_block(SSL *s) 33455714Skris { 33555714Skris unsigned char *p1,*p2; 33655714Skris const EVP_CIPHER *c; 33755714Skris const EVP_MD *hash; 33855714Skris int num; 33955714Skris SSL_COMP *comp; 34055714Skris 34155714Skris if (s->s3->tmp.key_block_length != 0) 34255714Skris return(1); 34355714Skris 34455714Skris if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) 34555714Skris { 34655714Skris SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 34755714Skris return(0); 34855714Skris } 34955714Skris 35055714Skris s->s3->tmp.new_sym_enc=c; 35155714Skris s->s3->tmp.new_hash=hash; 35255714Skris 35355714Skris num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); 35455714Skris num*=2; 35555714Skris 35655714Skris ssl3_cleanup_key_block(s); 35755714Skris 35855714Skris if ((p1=(unsigned char *)Malloc(num)) == NULL) 35955714Skris goto err; 36055714Skris if ((p2=(unsigned char *)Malloc(num)) == NULL) 36155714Skris goto err; 36255714Skris 36355714Skris s->s3->tmp.key_block_length=num; 36455714Skris s->s3->tmp.key_block=p1; 36555714Skris 36655714Skris 36755714Skris#ifdef TLS_DEBUG 36855714Skrisprintf("client random\n"); 36955714Skris{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); } 37055714Skrisprintf("server random\n"); 37155714Skris{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); } 37255714Skrisprintf("pre-master\n"); 37355714Skris{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } 37455714Skris#endif 37555714Skris tls1_generate_key_block(s,p1,p2,num); 37655714Skris memset(p2,0,num); 37755714Skris Free(p2); 37855714Skris#ifdef TLS_DEBUG 37955714Skrisprintf("\nkey block\n"); 38055714Skris{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 38155714Skris#endif 38255714Skris 38355714Skris return(1); 38455714Skriserr: 38555714Skris SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); 38655714Skris return(0); 38755714Skris } 38855714Skris 38955714Skrisint tls1_enc(SSL *s, int send) 39055714Skris { 39155714Skris SSL3_RECORD *rec; 39255714Skris EVP_CIPHER_CTX *ds; 39355714Skris unsigned long l; 39455714Skris int bs,i,ii,j,k,n=0; 39555714Skris const EVP_CIPHER *enc; 39655714Skris 39755714Skris if (send) 39855714Skris { 39955714Skris if (s->write_hash != NULL) 40055714Skris n=EVP_MD_size(s->write_hash); 40155714Skris ds=s->enc_write_ctx; 40255714Skris rec= &(s->s3->wrec); 40355714Skris if (s->enc_write_ctx == NULL) 40455714Skris enc=NULL; 40555714Skris else 40655714Skris enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 40755714Skris } 40855714Skris else 40955714Skris { 41055714Skris if (s->read_hash != NULL) 41155714Skris n=EVP_MD_size(s->read_hash); 41255714Skris ds=s->enc_read_ctx; 41355714Skris rec= &(s->s3->rrec); 41455714Skris if (s->enc_read_ctx == NULL) 41555714Skris enc=NULL; 41655714Skris else 41755714Skris enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 41855714Skris } 41955714Skris 42055714Skris if ((s->session == NULL) || (ds == NULL) || 42155714Skris (enc == NULL)) 42255714Skris { 42355714Skris memcpy(rec->data,rec->input,rec->length); 42455714Skris rec->input=rec->data; 42555714Skris } 42655714Skris else 42755714Skris { 42855714Skris l=rec->length; 42955714Skris bs=EVP_CIPHER_block_size(ds->cipher); 43055714Skris 43155714Skris if ((bs != 1) && send) 43255714Skris { 43355714Skris i=bs-((int)l%bs); 43455714Skris 43555714Skris /* Add weird padding of upto 256 bytes */ 43655714Skris 43755714Skris /* we need to add 'i' padding bytes of value j */ 43855714Skris j=i-1; 43955714Skris if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) 44055714Skris { 44155714Skris if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 44255714Skris j++; 44355714Skris } 44455714Skris for (k=(int)l; k<(int)(l+i); k++) 44555714Skris rec->input[k]=j; 44655714Skris l+=i; 44755714Skris rec->length+=i; 44855714Skris } 44955714Skris 45055714Skris EVP_Cipher(ds,rec->data,rec->input,l); 45155714Skris 45255714Skris if ((bs != 1) && !send) 45355714Skris { 45455714Skris ii=i=rec->data[l-1]; 45555714Skris i++; 45655714Skris if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) 45755714Skris { 45855714Skris /* First packet is even in size, so check */ 45955714Skris if ((memcmp(s->s3->read_sequence, 46055714Skris "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) 46155714Skris s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; 46255714Skris if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 46355714Skris i--; 46455714Skris } 46555714Skris if (i > (int)rec->length) 46655714Skris { 46755714Skris SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 46855714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 46955714Skris return(0); 47055714Skris } 47155714Skris for (j=(int)(l-i); j<(int)l; j++) 47255714Skris { 47355714Skris if (rec->data[j] != ii) 47455714Skris { 47555714Skris SSLerr(SSL_F_TLS1_ENC,SSL_R_DECRYPTION_FAILED); 47655714Skris ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 47755714Skris return(0); 47855714Skris } 47955714Skris } 48055714Skris rec->length-=i; 48155714Skris } 48255714Skris } 48355714Skris return(1); 48455714Skris } 48555714Skris 48655714Skrisint tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) 48755714Skris { 48855714Skris unsigned int ret; 48955714Skris EVP_MD_CTX ctx; 49055714Skris 49155714Skris EVP_MD_CTX_copy(&ctx,in_ctx); 49255714Skris EVP_DigestFinal(&ctx,out,&ret); 49355714Skris return((int)ret); 49455714Skris } 49555714Skris 49655714Skrisint tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, 49755714Skris unsigned char *str, int slen, unsigned char *out) 49855714Skris { 49955714Skris unsigned int i; 50055714Skris EVP_MD_CTX ctx; 50155714Skris unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 50255714Skris unsigned char *q,buf2[12]; 50355714Skris 50455714Skris q=buf; 50555714Skris memcpy(q,str,slen); 50655714Skris q+=slen; 50755714Skris 50855714Skris EVP_MD_CTX_copy(&ctx,in1_ctx); 50955714Skris EVP_DigestFinal(&ctx,q,&i); 51055714Skris q+=i; 51155714Skris EVP_MD_CTX_copy(&ctx,in2_ctx); 51255714Skris EVP_DigestFinal(&ctx,q,&i); 51355714Skris q+=i; 51455714Skris 51555714Skris tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf), 51655714Skris s->session->master_key,s->session->master_key_length, 51755714Skris out,buf2,12); 51855714Skris memset(&ctx,0,sizeof(EVP_MD_CTX)); 51955714Skris 52055714Skris return((int)12); 52155714Skris } 52255714Skris 52355714Skrisint tls1_mac(SSL *ssl, unsigned char *md, int send) 52455714Skris { 52555714Skris SSL3_RECORD *rec; 52655714Skris unsigned char *mac_sec,*seq; 52755714Skris const EVP_MD *hash; 52855714Skris unsigned int md_size; 52955714Skris int i; 53055714Skris HMAC_CTX hmac; 53155714Skris unsigned char buf[5]; 53255714Skris 53355714Skris if (send) 53455714Skris { 53555714Skris rec= &(ssl->s3->wrec); 53655714Skris mac_sec= &(ssl->s3->write_mac_secret[0]); 53755714Skris seq= &(ssl->s3->write_sequence[0]); 53855714Skris hash=ssl->write_hash; 53955714Skris } 54055714Skris else 54155714Skris { 54255714Skris rec= &(ssl->s3->rrec); 54355714Skris mac_sec= &(ssl->s3->read_mac_secret[0]); 54455714Skris seq= &(ssl->s3->read_sequence[0]); 54555714Skris hash=ssl->read_hash; 54655714Skris } 54755714Skris 54855714Skris md_size=EVP_MD_size(hash); 54955714Skris 55055714Skris buf[0]=rec->type; 55155714Skris buf[1]=TLS1_VERSION_MAJOR; 55255714Skris buf[2]=TLS1_VERSION_MINOR; 55355714Skris buf[3]=rec->length>>8; 55455714Skris buf[4]=rec->length&0xff; 55555714Skris 55655714Skris /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 55755714Skris HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash); 55855714Skris HMAC_Update(&hmac,seq,8); 55955714Skris HMAC_Update(&hmac,buf,5); 56055714Skris HMAC_Update(&hmac,rec->input,rec->length); 56155714Skris HMAC_Final(&hmac,md,&md_size); 56255714Skris 56355714Skris#ifdef TLS_DEBUG 56455714Skrisprintf("sec="); 56555714Skris{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 56655714Skrisprintf("seq="); 56755714Skris{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 56855714Skrisprintf("buf="); 56955714Skris{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 57055714Skrisprintf("rec="); 57155714Skris{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } 57255714Skris#endif 57355714Skris 57455714Skris for (i=7; i>=0; i--) 57555714Skris if (++seq[i]) break; 57655714Skris 57755714Skris#ifdef TLS_DEBUG 57855714Skris{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 57955714Skris#endif 58055714Skris return(md_size); 58155714Skris } 58255714Skris 58355714Skrisint tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 58455714Skris int len) 58555714Skris { 58655714Skris unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE]; 58755714Skris unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 58855714Skris 58955714Skris /* Setup the stuff to munge */ 59055714Skris memcpy(buf,TLS_MD_MASTER_SECRET_CONST, 59155714Skris TLS_MD_MASTER_SECRET_CONST_SIZE); 59255714Skris memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]), 59355714Skris s->s3->client_random,SSL3_RANDOM_SIZE); 59455714Skris memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]), 59555714Skris s->s3->server_random,SSL3_RANDOM_SIZE); 59655714Skris tls1_PRF(s->ctx->md5,s->ctx->sha1, 59755714Skris buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, 59855714Skris s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE); 59955714Skris return(SSL3_MASTER_SECRET_SIZE); 60055714Skris } 60155714Skris 60255714Skrisint tls1_alert_code(int code) 60355714Skris { 60455714Skris switch (code) 60555714Skris { 60655714Skris case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); 60755714Skris case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); 60855714Skris case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); 60955714Skris case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); 61055714Skris case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); 61155714Skris case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); 61255714Skris case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); 61355714Skris case SSL_AD_NO_CERTIFICATE: return(-1); 61455714Skris case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); 61555714Skris case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); 61655714Skris case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); 61755714Skris case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); 61855714Skris case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); 61955714Skris case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); 62055714Skris case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); 62155714Skris case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 62255714Skris case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 62355714Skris case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 62455714Skris case SSL_AD_EXPORT_RESTRICION: return(TLS1_AD_EXPORT_RESTRICION); 62555714Skris case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 62655714Skris case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 62755714Skris case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 62855714Skris case SSL_AD_USER_CANCLED: return(TLS1_AD_USER_CANCLED); 62955714Skris case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 63055714Skris default: return(-1); 63155714Skris } 63255714Skris } 63355714Skris 634