1/* ssl/t1_enc.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include "ssl_locl.h" 114#include <openssl/comp.h> 115#include <openssl/evp.h> 116#include <openssl/hmac.h> 117#include <openssl/md5.h> 118#include <openssl/fips.h> 119 120static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, 121 int sec_len, unsigned char *seed, int seed_len, 122 unsigned char *out, int olen) 123 { 124 int chunk,n; 125 unsigned int j; 126 HMAC_CTX ctx; 127 HMAC_CTX ctx_tmp; 128 unsigned char A1[EVP_MAX_MD_SIZE]; 129 unsigned int A1_len; 130 131 chunk=EVP_MD_size(md); 132 133 HMAC_CTX_init(&ctx); 134 HMAC_CTX_init(&ctx_tmp); 135 HMAC_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 136 HMAC_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 137 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); 138 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); 139 HMAC_Update(&ctx,seed,seed_len); 140 HMAC_Final(&ctx,A1,&A1_len); 141 142 n=0; 143 for (;;) 144 { 145 HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */ 146 HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */ 147 HMAC_Update(&ctx,A1,A1_len); 148 HMAC_Update(&ctx_tmp,A1,A1_len); 149 HMAC_Update(&ctx,seed,seed_len); 150 151 if (olen > chunk) 152 { 153 HMAC_Final(&ctx,out,&j); 154 out+=j; 155 olen-=j; 156 HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */ 157 } 158 else /* last one */ 159 { 160 HMAC_Final(&ctx,A1,&A1_len); 161 memcpy(out,A1,olen); 162 break; 163 } 164 } 165 HMAC_CTX_cleanup(&ctx); 166 HMAC_CTX_cleanup(&ctx_tmp); 167 OPENSSL_cleanse(A1,sizeof(A1)); 168 } 169 170static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1, 171 unsigned char *label, int label_len, 172 const unsigned char *sec, int slen, unsigned char *out1, 173 unsigned char *out2, int olen) 174 { 175 int len,i; 176 const unsigned char *S1,*S2; 177 178 len=slen/2; 179 S1=sec; 180 S2= &(sec[len]); 181 len+=(slen&1); /* add for odd, make longer */ 182 183 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); 184 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); 185 186 for (i=0; i<olen; i++) 187 out1[i]^=out2[i]; 188 } 189 190static void tls1_generate_key_block(SSL *s, unsigned char *km, 191 unsigned char *tmp, int num) 192 { 193 unsigned char *p; 194 unsigned char buf[SSL3_RANDOM_SIZE*2+ 195 TLS_MD_MAX_CONST_SIZE]; 196 p=buf; 197 198 memcpy(p,TLS_MD_KEY_EXPANSION_CONST, 199 TLS_MD_KEY_EXPANSION_CONST_SIZE); 200 p+=TLS_MD_KEY_EXPANSION_CONST_SIZE; 201 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 202 p+=SSL3_RANDOM_SIZE; 203 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 204 p+=SSL3_RANDOM_SIZE; 205 206 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf), 207 s->session->master_key,s->session->master_key_length, 208 km,tmp,num); 209#ifdef KSSL_DEBUG 210 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t", 211 s->session->master_key_length); 212 { 213 int i; 214 for (i=0; i < s->session->master_key_length; i++) 215 { 216 printf("%02X", s->session->master_key[i]); 217 } 218 printf("\n"); } 219#endif /* KSSL_DEBUG */ 220 } 221 222int tls1_change_cipher_state(SSL *s, int which) 223 { 224 static const unsigned char empty[]=""; 225 unsigned char *p,*key_block,*mac_secret; 226 unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ 227 SSL3_RANDOM_SIZE*2]; 228 unsigned char tmp1[EVP_MAX_KEY_LENGTH]; 229 unsigned char tmp2[EVP_MAX_KEY_LENGTH]; 230 unsigned char iv1[EVP_MAX_IV_LENGTH*2]; 231 unsigned char iv2[EVP_MAX_IV_LENGTH*2]; 232 unsigned char *ms,*key,*iv,*er1,*er2; 233 int client_write; 234 EVP_CIPHER_CTX *dd; 235 const EVP_CIPHER *c; 236 const SSL_COMP *comp; 237 const EVP_MD *m; 238 int is_export,n,i,j,k,exp_label_len,cl; 239 int reuse_dd = 0; 240 241 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 242 c=s->s3->tmp.new_sym_enc; 243 m=s->s3->tmp.new_hash; 244 comp=s->s3->tmp.new_compression; 245 key_block=s->s3->tmp.key_block; 246 247#ifdef KSSL_DEBUG 248 printf("tls1_change_cipher_state(which= %d) w/\n", which); 249 printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, 250 comp); 251 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); 252 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", 253 c->nid,c->block_size,c->key_len,c->iv_len); 254 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); 255 { 256 int i; 257 for (i=0; i<s->s3->tmp.key_block_length; i++) 258 printf("%02x", key_block[i]); printf("\n"); 259 } 260#endif /* KSSL_DEBUG */ 261 262 if (which & SSL3_CC_READ) 263 { 264 if (s->enc_read_ctx != NULL) 265 reuse_dd = 1; 266 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 267 goto err; 268 dd= s->enc_read_ctx; 269 s->read_hash=m; 270 if (s->expand != NULL) 271 { 272 COMP_CTX_free(s->expand); 273 s->expand=NULL; 274 } 275 if (comp != NULL) 276 { 277 s->expand=COMP_CTX_new(comp->method); 278 if (s->expand == NULL) 279 { 280 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 281 goto err2; 282 } 283 if (s->s3->rrec.comp == NULL) 284 s->s3->rrec.comp=(unsigned char *) 285 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); 286 if (s->s3->rrec.comp == NULL) 287 goto err; 288 } 289 memset(&(s->s3->read_sequence[0]),0,8); 290 mac_secret= &(s->s3->read_mac_secret[0]); 291 } 292 else 293 { 294 if (s->enc_write_ctx != NULL) 295 reuse_dd = 1; 296 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 297 goto err; 298 if ((s->enc_write_ctx == NULL) && 299 ((s->enc_write_ctx=(EVP_CIPHER_CTX *) 300 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) 301 goto err; 302 dd= s->enc_write_ctx; 303 s->write_hash=m; 304 if (s->compress != NULL) 305 { 306 COMP_CTX_free(s->compress); 307 s->compress=NULL; 308 } 309 if (comp != NULL) 310 { 311 s->compress=COMP_CTX_new(comp->method); 312 if (s->compress == NULL) 313 { 314 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); 315 goto err2; 316 } 317 } 318 memset(&(s->s3->write_sequence[0]),0,8); 319 mac_secret= &(s->s3->write_mac_secret[0]); 320 } 321 322 if (reuse_dd) 323 EVP_CIPHER_CTX_cleanup(dd); 324 EVP_CIPHER_CTX_init(dd); 325 326 p=s->s3->tmp.key_block; 327 i=EVP_MD_size(m); 328 cl=EVP_CIPHER_key_length(c); 329 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 330 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 331 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ 332 k=EVP_CIPHER_iv_length(c); 333 er1= &(s->s3->client_random[0]); 334 er2= &(s->s3->server_random[0]); 335 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 336 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) 337 { 338 ms= &(p[ 0]); n=i+i; 339 key= &(p[ n]); n+=j+j; 340 iv= &(p[ n]); n+=k+k; 341 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; 342 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; 343 client_write=1; 344 } 345 else 346 { 347 n=i; 348 ms= &(p[ n]); n+=i+j; 349 key= &(p[ n]); n+=j+k; 350 iv= &(p[ n]); n+=k; 351 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; 352 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; 353 client_write=0; 354 } 355 356 if (n > s->s3->tmp.key_block_length) 357 { 358 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); 359 goto err2; 360 } 361 362 memcpy(mac_secret,ms,i); 363#ifdef TLS_DEBUG 364printf("which = %04X\nmac key=",which); 365{ int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } 366#endif 367 if (is_export) 368 { 369 /* In here I set both the read and write key/iv to the 370 * same value since only the correct one will be used :-). 371 */ 372 p=buf; 373 memcpy(p,exp_label,exp_label_len); 374 p+=exp_label_len; 375 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 376 p+=SSL3_RANDOM_SIZE; 377 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 378 p+=SSL3_RANDOM_SIZE; 379 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j, 380 tmp1,tmp2,EVP_CIPHER_key_length(c)); 381 key=tmp1; 382 383 if (k > 0) 384 { 385 p=buf; 386 memcpy(p,TLS_MD_IV_BLOCK_CONST, 387 TLS_MD_IV_BLOCK_CONST_SIZE); 388 p+=TLS_MD_IV_BLOCK_CONST_SIZE; 389 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); 390 p+=SSL3_RANDOM_SIZE; 391 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); 392 p+=SSL3_RANDOM_SIZE; 393 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0, 394 iv1,iv2,k*2); 395 if (client_write) 396 iv=iv1; 397 else 398 iv= &(iv1[k]); 399 } 400 } 401 402 s->session->key_arg_length=0; 403#ifdef KSSL_DEBUG 404 { 405 int i; 406 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); 407 printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]); 408 printf("\n"); 409 printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]); 410 printf("\n"); 411 } 412#endif /* KSSL_DEBUG */ 413 414 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); 415#ifdef TLS_DEBUG 416printf("which = %04X\nkey=",which); 417{ int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } 418printf("\niv="); 419{ int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } 420printf("\n"); 421#endif 422 423 OPENSSL_cleanse(tmp1,sizeof(tmp1)); 424 OPENSSL_cleanse(tmp2,sizeof(tmp1)); 425 OPENSSL_cleanse(iv1,sizeof(iv1)); 426 OPENSSL_cleanse(iv2,sizeof(iv2)); 427 return(1); 428err: 429 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); 430err2: 431 return(0); 432 } 433 434int tls1_setup_key_block(SSL *s) 435 { 436 unsigned char *p1,*p2; 437 const EVP_CIPHER *c; 438 const EVP_MD *hash; 439 int num; 440 SSL_COMP *comp; 441 442#ifdef KSSL_DEBUG 443 printf ("tls1_setup_key_block()\n"); 444#endif /* KSSL_DEBUG */ 445 446 if (s->s3->tmp.key_block_length != 0) 447 return(1); 448 449 if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) 450 { 451 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 452 return(0); 453 } 454 455 s->s3->tmp.new_sym_enc=c; 456 s->s3->tmp.new_hash=hash; 457 458 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); 459 num*=2; 460 461 ssl3_cleanup_key_block(s); 462 463 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) 464 goto err; 465 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) 466 goto err; 467 468 s->s3->tmp.key_block_length=num; 469 s->s3->tmp.key_block=p1; 470 471 472#ifdef TLS_DEBUG 473printf("client random\n"); 474{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); } 475printf("server random\n"); 476{ int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); } 477printf("pre-master\n"); 478{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } 479#endif 480 tls1_generate_key_block(s,p1,p2,num); 481 OPENSSL_cleanse(p2,num); 482 OPENSSL_free(p2); 483#ifdef TLS_DEBUG 484printf("\nkey block\n"); 485{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } 486#endif 487 488 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) 489 { 490 /* enable vulnerability countermeasure for CBC ciphers with 491 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) 492 */ 493 s->s3->need_empty_fragments = 1; 494 495 if (s->session->cipher != NULL) 496 { 497 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) 498 s->s3->need_empty_fragments = 0; 499 500#ifndef OPENSSL_NO_RC4 501 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) 502 s->s3->need_empty_fragments = 0; 503#endif 504 } 505 } 506 507 return(1); 508err: 509 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); 510 return(0); 511 } 512 513int tls1_enc(SSL *s, int send) 514 { 515 SSL3_RECORD *rec; 516 EVP_CIPHER_CTX *ds; 517 unsigned long l; 518 int bs,i,ii,j,k,n=0; 519 const EVP_CIPHER *enc; 520 521 if (send) 522 { 523 if (s->write_hash != NULL) 524 n=EVP_MD_size(s->write_hash); 525 ds=s->enc_write_ctx; 526 rec= &(s->s3->wrec); 527 if (s->enc_write_ctx == NULL) 528 enc=NULL; 529 else 530 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 531 } 532 else 533 { 534 if (s->read_hash != NULL) 535 n=EVP_MD_size(s->read_hash); 536 ds=s->enc_read_ctx; 537 rec= &(s->s3->rrec); 538 if (s->enc_read_ctx == NULL) 539 enc=NULL; 540 else 541 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 542 } 543 544#ifdef KSSL_DEBUG 545 printf("tls1_enc(%d)\n", send); 546#endif /* KSSL_DEBUG */ 547 548 if ((s->session == NULL) || (ds == NULL) || 549 (enc == NULL)) 550 { 551 memmove(rec->data,rec->input,rec->length); 552 rec->input=rec->data; 553 } 554 else 555 { 556 l=rec->length; 557 bs=EVP_CIPHER_block_size(ds->cipher); 558 559 if ((bs != 1) && send) 560 { 561 i=bs-((int)l%bs); 562 563 /* Add weird padding of upto 256 bytes */ 564 565 /* we need to add 'i' padding bytes of value j */ 566 j=i-1; 567 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) 568 { 569 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 570 j++; 571 } 572 for (k=(int)l; k<(int)(l+i); k++) 573 rec->input[k]=j; 574 l+=i; 575 rec->length+=i; 576 } 577 578#ifdef KSSL_DEBUG 579 { 580 unsigned long ui; 581 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 582 ds,rec->data,rec->input,l); 583 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 584 ds->buf_len, ds->cipher->key_len, 585 DES_KEY_SZ, DES_SCHEDULE_SZ, 586 ds->cipher->iv_len); 587 printf("\t\tIV: "); 588 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 589 printf("\n"); 590 printf("\trec->input="); 591 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); 592 printf("\n"); 593 } 594#endif /* KSSL_DEBUG */ 595 596 if (!send) 597 { 598 if (l == 0 || l%bs != 0) 599 { 600 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); 601 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); 602 return 0; 603 } 604 } 605 606 EVP_Cipher(ds,rec->data,rec->input,l); 607 608#ifdef KSSL_DEBUG 609 { 610 unsigned long i; 611 printf("\trec->data="); 612 for (i=0; i<l; i++) 613 printf(" %02x", rec->data[i]); printf("\n"); 614 } 615#endif /* KSSL_DEBUG */ 616 617 if ((bs != 1) && !send) 618 { 619 ii=i=rec->data[l-1]; /* padding_length */ 620 i++; 621 if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) 622 { 623 /* First packet is even in size, so check */ 624 if ((memcmp(s->s3->read_sequence, 625 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) 626 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; 627 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) 628 i--; 629 } 630 /* TLS 1.0 does not bound the number of padding bytes by the block size. 631 * All of them must have value 'padding_length'. */ 632 if (i > (int)rec->length) 633 { 634 /* Incorrect padding. SSLerr() and ssl3_alert are done 635 * by caller: we don't want to reveal whether this is 636 * a decryption error or a MAC verification failure 637 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ 638 return -1; 639 } 640 for (j=(int)(l-i); j<(int)l; j++) 641 { 642 if (rec->data[j] != ii) 643 { 644 /* Incorrect padding */ 645 return -1; 646 } 647 } 648 rec->length-=i; 649 } 650 } 651 return(1); 652 } 653 654int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out) 655 { 656 unsigned int ret; 657 EVP_MD_CTX ctx; 658 659 EVP_MD_CTX_init(&ctx); 660 EVP_MD_CTX_copy_ex(&ctx,in_ctx); 661 EVP_DigestFinal_ex(&ctx,out,&ret); 662 EVP_MD_CTX_cleanup(&ctx); 663 return((int)ret); 664 } 665 666int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx, 667 const char *str, int slen, unsigned char *out) 668 { 669 unsigned int i; 670 EVP_MD_CTX ctx; 671 unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; 672 unsigned char *q,buf2[12]; 673 674 q=buf; 675 memcpy(q,str,slen); 676 q+=slen; 677 678 EVP_MD_CTX_init(&ctx); 679 EVP_MD_CTX_copy_ex(&ctx,in1_ctx); 680 EVP_DigestFinal_ex(&ctx,q,&i); 681 q+=i; 682 EVP_MD_CTX_copy_ex(&ctx,in2_ctx); 683 EVP_DigestFinal_ex(&ctx,q,&i); 684 q+=i; 685 686 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf), 687 s->session->master_key,s->session->master_key_length, 688 out,buf2,sizeof buf2); 689 EVP_MD_CTX_cleanup(&ctx); 690 691 return sizeof buf2; 692 } 693 694int tls1_mac(SSL *ssl, unsigned char *md, int send) 695 { 696 SSL3_RECORD *rec; 697 unsigned char *mac_sec,*seq; 698 const EVP_MD *hash; 699 unsigned int md_size; 700 int i; 701 HMAC_CTX hmac; 702 unsigned char buf[5]; 703 704 if (send) 705 { 706 rec= &(ssl->s3->wrec); 707 mac_sec= &(ssl->s3->write_mac_secret[0]); 708 seq= &(ssl->s3->write_sequence[0]); 709 hash=ssl->write_hash; 710 } 711 else 712 { 713 rec= &(ssl->s3->rrec); 714 mac_sec= &(ssl->s3->read_mac_secret[0]); 715 seq= &(ssl->s3->read_sequence[0]); 716 hash=ssl->read_hash; 717 } 718 719 md_size=EVP_MD_size(hash); 720 721 buf[0]=rec->type; 722 buf[1]=TLS1_VERSION_MAJOR; 723 buf[2]=TLS1_VERSION_MINOR; 724 buf[3]=rec->length>>8; 725 buf[4]=rec->length&0xff; 726 727 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 728 HMAC_CTX_init(&hmac); 729 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); 730 HMAC_Update(&hmac,seq,8); 731 HMAC_Update(&hmac,buf,5); 732 HMAC_Update(&hmac,rec->input,rec->length); 733 HMAC_Final(&hmac,md,&md_size); 734 HMAC_CTX_cleanup(&hmac); 735 736#ifdef TLS_DEBUG 737printf("sec="); 738{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 739printf("seq="); 740{int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } 741printf("buf="); 742{int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } 743printf("rec="); 744{unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } 745#endif 746 747 for (i=7; i>=0; i--) 748 { 749 ++seq[i]; 750 if (seq[i] != 0) break; 751 } 752 753#ifdef TLS_DEBUG 754{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } 755#endif 756 return(md_size); 757 } 758 759int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 760 int len) 761 { 762 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE]; 763 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; 764 765#ifdef KSSL_DEBUG 766 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); 767#endif /* KSSL_DEBUG */ 768 769 /* Setup the stuff to munge */ 770 memcpy(buf,TLS_MD_MASTER_SECRET_CONST, 771 TLS_MD_MASTER_SECRET_CONST_SIZE); 772 memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]), 773 s->s3->client_random,SSL3_RANDOM_SIZE); 774 memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]), 775 s->s3->server_random,SSL3_RANDOM_SIZE); 776 tls1_PRF(s->ctx->md5,s->ctx->sha1, 777 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, 778 s->session->master_key,buff,sizeof buff); 779#ifdef KSSL_DEBUG 780 printf ("tls1_generate_master_secret() complete\n"); 781#endif /* KSSL_DEBUG */ 782 return(SSL3_MASTER_SECRET_SIZE); 783 } 784 785int tls1_alert_code(int code) 786 { 787 switch (code) 788 { 789 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY); 790 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE); 791 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC); 792 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED); 793 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW); 794 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE); 795 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE); 796 case SSL_AD_NO_CERTIFICATE: return(-1); 797 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE); 798 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE); 799 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED); 800 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED); 801 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN); 802 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER); 803 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA); 804 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED); 805 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR); 806 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR); 807 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION); 808 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION); 809 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY); 810 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); 811 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); 812 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); 813 default: return(-1); 814 } 815 } 816 817