Codebase list openssl / c8ad922
Fix for "decryption failed or bad record mac" error messages. Closes: #338006 Kurt Roeckx 18 years ago
2 changed file(s) with 841 addition(s) and 2 deletion(s). Raw diff Collapse all Expand all
+8
-2
debian/changelog less more
44 * Remove the static pic libraries. Nobody should be linking
55 it's shared libraries static to libssl or libcrypto.
66 This was added for opensc who now links to it shared.
7
8 -- Kurt Roeckx <kurt@roeckx.be> Mon, 26 Dec 2005 01:14:14 +0100
7 * Do not assume that in case the sequence number is 0 and the
8 packet has an odd number of bytes that the other side has
9 the block padding bug, but try to check that it actually
10 has the bug. The wrong detection of this bug resulted
11 in an "decryption failed or bad record mac" error in case
12 both sides were using zlib compression. (Closes: #338006)
13
14 -- Kurt Roeckx <kurt@roeckx.be> Mon, 21 Jan 2006 16:25:41 +0100
915
1016 openssl (0.9.8a-5) unstable; urgency=low
1117
+833
-0
ssl/t1_enc.c less more
0 /* ssl/t1_enc.c */
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110
111 #include <stdio.h>
112 #include "ssl_locl.h"
113 #include <openssl/comp.h>
114 #include <openssl/evp.h>
115 #include <openssl/hmac.h>
116 #include <openssl/md5.h>
117
118 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
119 int sec_len, unsigned char *seed, int seed_len,
120 unsigned char *out, int olen)
121 {
122 int chunk,n;
123 unsigned int j;
124 HMAC_CTX ctx;
125 HMAC_CTX ctx_tmp;
126 unsigned char A1[EVP_MAX_MD_SIZE];
127 unsigned int A1_len;
128
129 chunk=EVP_MD_size(md);
130
131 HMAC_CTX_init(&ctx);
132 HMAC_CTX_init(&ctx_tmp);
133 HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
134 HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
135 HMAC_Update(&ctx,seed,seed_len);
136 HMAC_Final(&ctx,A1,&A1_len);
137
138 n=0;
139 for (;;)
140 {
141 HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
142 HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
143 HMAC_Update(&ctx,A1,A1_len);
144 HMAC_Update(&ctx_tmp,A1,A1_len);
145 HMAC_Update(&ctx,seed,seed_len);
146
147 if (olen > chunk)
148 {
149 HMAC_Final(&ctx,out,&j);
150 out+=j;
151 olen-=j;
152 HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
153 }
154 else /* last one */
155 {
156 HMAC_Final(&ctx,A1,&A1_len);
157 memcpy(out,A1,olen);
158 break;
159 }
160 }
161 HMAC_CTX_cleanup(&ctx);
162 HMAC_CTX_cleanup(&ctx_tmp);
163 OPENSSL_cleanse(A1,sizeof(A1));
164 }
165
166 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
167 unsigned char *label, int label_len,
168 const unsigned char *sec, int slen, unsigned char *out1,
169 unsigned char *out2, int olen)
170 {
171 int len,i;
172 const unsigned char *S1,*S2;
173
174 len=slen/2;
175 S1=sec;
176 S2= &(sec[len]);
177 len+=(slen&1); /* add for odd, make longer */
178
179
180 tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
181 tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
182
183 for (i=0; i<olen; i++)
184 out1[i]^=out2[i];
185 }
186
187 static void tls1_generate_key_block(SSL *s, unsigned char *km,
188 unsigned char *tmp, int num)
189 {
190 unsigned char *p;
191 unsigned char buf[SSL3_RANDOM_SIZE*2+
192 TLS_MD_MAX_CONST_SIZE];
193 p=buf;
194
195 memcpy(p,TLS_MD_KEY_EXPANSION_CONST,
196 TLS_MD_KEY_EXPANSION_CONST_SIZE);
197 p+=TLS_MD_KEY_EXPANSION_CONST_SIZE;
198 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
199 p+=SSL3_RANDOM_SIZE;
200 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
201 p+=SSL3_RANDOM_SIZE;
202
203 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
204 s->session->master_key,s->session->master_key_length,
205 km,tmp,num);
206 #ifdef KSSL_DEBUG
207 printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
208 s->session->master_key_length);
209 {
210 int i;
211 for (i=0; i < s->session->master_key_length; i++)
212 {
213 printf("%02X", s->session->master_key[i]);
214 }
215 printf("\n"); }
216 #endif /* KSSL_DEBUG */
217 }
218
219 int tls1_change_cipher_state(SSL *s, int which)
220 {
221 static const unsigned char empty[]="";
222 unsigned char *p,*key_block,*mac_secret;
223 unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
224 SSL3_RANDOM_SIZE*2];
225 unsigned char tmp1[EVP_MAX_KEY_LENGTH];
226 unsigned char tmp2[EVP_MAX_KEY_LENGTH];
227 unsigned char iv1[EVP_MAX_IV_LENGTH*2];
228 unsigned char iv2[EVP_MAX_IV_LENGTH*2];
229 unsigned char *ms,*key,*iv,*er1,*er2;
230 int client_write;
231 EVP_CIPHER_CTX *dd;
232 const EVP_CIPHER *c;
233 #ifndef OPENSSL_NO_COMP
234 const SSL_COMP *comp;
235 #endif
236 const EVP_MD *m;
237 int is_export,n,i,j,k,exp_label_len,cl;
238 int reuse_dd = 0;
239
240 is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
241 c=s->s3->tmp.new_sym_enc;
242 m=s->s3->tmp.new_hash;
243 #ifndef OPENSSL_NO_COMP
244 comp=s->s3->tmp.new_compression;
245 #endif
246 key_block=s->s3->tmp.key_block;
247
248 #ifdef KSSL_DEBUG
249 printf("tls1_change_cipher_state(which= %d) w/\n", which);
250 printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
251 comp);
252 printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
253 printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
254 c->nid,c->block_size,c->key_len,c->iv_len);
255 printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
256 {
257 int i;
258 for (i=0; i<s->s3->tmp.key_block_length; i++)
259 printf("%02x", key_block[i]); printf("\n");
260 }
261 #endif /* KSSL_DEBUG */
262
263 if (which & SSL3_CC_READ)
264 {
265 if (s->enc_read_ctx != NULL)
266 reuse_dd = 1;
267 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
268 goto err;
269 dd= s->enc_read_ctx;
270 s->read_hash=m;
271 #ifndef OPENSSL_NO_COMP
272 if (s->expand != NULL)
273 {
274 COMP_CTX_free(s->expand);
275 s->expand=NULL;
276 }
277 if (comp != NULL)
278 {
279 s->expand=COMP_CTX_new(comp->method);
280 if (s->expand == NULL)
281 {
282 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
283 goto err2;
284 }
285 if (s->s3->rrec.comp == NULL)
286 s->s3->rrec.comp=(unsigned char *)
287 OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
288 if (s->s3->rrec.comp == NULL)
289 goto err;
290 }
291 #endif
292 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
293 if (s->version != DTLS1_VERSION)
294 memset(&(s->s3->read_sequence[0]),0,8);
295 mac_secret= &(s->s3->read_mac_secret[0]);
296 }
297 else
298 {
299 if (s->enc_write_ctx != NULL)
300 reuse_dd = 1;
301 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
302 goto err;
303 if ((s->enc_write_ctx == NULL) &&
304 ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
305 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
306 goto err;
307 dd= s->enc_write_ctx;
308 s->write_hash=m;
309 #ifndef OPENSSL_NO_COMP
310 if (s->compress != NULL)
311 {
312 COMP_CTX_free(s->compress);
313 s->compress=NULL;
314 }
315 if (comp != NULL)
316 {
317 s->compress=COMP_CTX_new(comp->method);
318 if (s->compress == NULL)
319 {
320 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
321 goto err2;
322 }
323 }
324 #endif
325 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
326 if (s->version != DTLS1_VERSION)
327 memset(&(s->s3->write_sequence[0]),0,8);
328 mac_secret= &(s->s3->write_mac_secret[0]);
329 }
330
331 if (reuse_dd)
332 EVP_CIPHER_CTX_cleanup(dd);
333 EVP_CIPHER_CTX_init(dd);
334
335 p=s->s3->tmp.key_block;
336 i=EVP_MD_size(m);
337 cl=EVP_CIPHER_key_length(c);
338 j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
339 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
340 /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
341 k=EVP_CIPHER_iv_length(c);
342 er1= &(s->s3->client_random[0]);
343 er2= &(s->s3->server_random[0]);
344 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
345 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
346 {
347 ms= &(p[ 0]); n=i+i;
348 key= &(p[ n]); n+=j+j;
349 iv= &(p[ n]); n+=k+k;
350 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
351 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
352 client_write=1;
353 }
354 else
355 {
356 n=i;
357 ms= &(p[ n]); n+=i+j;
358 key= &(p[ n]); n+=j+k;
359 iv= &(p[ n]); n+=k;
360 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
361 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
362 client_write=0;
363 }
364
365 if (n > s->s3->tmp.key_block_length)
366 {
367 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
368 goto err2;
369 }
370
371 memcpy(mac_secret,ms,i);
372 #ifdef TLS_DEBUG
373 printf("which = %04X\nmac key=",which);
374 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
375 #endif
376 if (is_export)
377 {
378 /* In here I set both the read and write key/iv to the
379 * same value since only the correct one will be used :-).
380 */
381 p=buf;
382 memcpy(p,exp_label,exp_label_len);
383 p+=exp_label_len;
384 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
385 p+=SSL3_RANDOM_SIZE;
386 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
387 p+=SSL3_RANDOM_SIZE;
388 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
389 tmp1,tmp2,EVP_CIPHER_key_length(c));
390 key=tmp1;
391
392 if (k > 0)
393 {
394 p=buf;
395 memcpy(p,TLS_MD_IV_BLOCK_CONST,
396 TLS_MD_IV_BLOCK_CONST_SIZE);
397 p+=TLS_MD_IV_BLOCK_CONST_SIZE;
398 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
399 p+=SSL3_RANDOM_SIZE;
400 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
401 p+=SSL3_RANDOM_SIZE;
402 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
403 iv1,iv2,k*2);
404 if (client_write)
405 iv=iv1;
406 else
407 iv= &(iv1[k]);
408 }
409 }
410
411 s->session->key_arg_length=0;
412 #ifdef KSSL_DEBUG
413 {
414 int i;
415 printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
416 printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
417 printf("\n");
418 printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
419 printf("\n");
420 }
421 #endif /* KSSL_DEBUG */
422
423 EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
424 #ifdef TLS_DEBUG
425 printf("which = %04X\nkey=",which);
426 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
427 printf("\niv=");
428 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
429 printf("\n");
430 #endif
431
432 OPENSSL_cleanse(tmp1,sizeof(tmp1));
433 OPENSSL_cleanse(tmp2,sizeof(tmp1));
434 OPENSSL_cleanse(iv1,sizeof(iv1));
435 OPENSSL_cleanse(iv2,sizeof(iv2));
436 return(1);
437 err:
438 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
439 err2:
440 return(0);
441 }
442
443 int tls1_setup_key_block(SSL *s)
444 {
445 unsigned char *p1,*p2;
446 const EVP_CIPHER *c;
447 const EVP_MD *hash;
448 int num;
449 SSL_COMP *comp;
450
451 #ifdef KSSL_DEBUG
452 printf ("tls1_setup_key_block()\n");
453 #endif /* KSSL_DEBUG */
454
455 if (s->s3->tmp.key_block_length != 0)
456 return(1);
457
458 if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
459 {
460 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
461 return(0);
462 }
463
464 s->s3->tmp.new_sym_enc=c;
465 s->s3->tmp.new_hash=hash;
466
467 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
468 num*=2;
469
470 ssl3_cleanup_key_block(s);
471
472 if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
473 goto err;
474 if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
475 goto err;
476
477 s->s3->tmp.key_block_length=num;
478 s->s3->tmp.key_block=p1;
479
480
481 #ifdef TLS_DEBUG
482 printf("client random\n");
483 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
484 printf("server random\n");
485 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
486 printf("pre-master\n");
487 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
488 #endif
489 tls1_generate_key_block(s,p1,p2,num);
490 OPENSSL_cleanse(p2,num);
491 OPENSSL_free(p2);
492 #ifdef TLS_DEBUG
493 printf("\nkey block\n");
494 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
495 #endif
496
497 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
498 {
499 /* enable vulnerability countermeasure for CBC ciphers with
500 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
501 */
502 s->s3->need_empty_fragments = 1;
503
504 if (s->session->cipher != NULL)
505 {
506 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
507 s->s3->need_empty_fragments = 0;
508
509 #ifndef OPENSSL_NO_RC4
510 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
511 s->s3->need_empty_fragments = 0;
512 #endif
513 }
514 }
515
516 return(1);
517 err:
518 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
519 return(0);
520 }
521
522 int tls1_enc(SSL *s, int send)
523 {
524 SSL3_RECORD *rec;
525 EVP_CIPHER_CTX *ds;
526 unsigned long l;
527 int bs,i,ii,j,k,n=0;
528 const EVP_CIPHER *enc;
529
530 if (send)
531 {
532 if (s->write_hash != NULL)
533 n=EVP_MD_size(s->write_hash);
534 ds=s->enc_write_ctx;
535 rec= &(s->s3->wrec);
536 if (s->enc_write_ctx == NULL)
537 enc=NULL;
538 else
539 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
540 }
541 else
542 {
543 if (s->read_hash != NULL)
544 n=EVP_MD_size(s->read_hash);
545 ds=s->enc_read_ctx;
546 rec= &(s->s3->rrec);
547 if (s->enc_read_ctx == NULL)
548 enc=NULL;
549 else
550 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
551 }
552
553 #ifdef KSSL_DEBUG
554 printf("tls1_enc(%d)\n", send);
555 #endif /* KSSL_DEBUG */
556
557 if ((s->session == NULL) || (ds == NULL) ||
558 (enc == NULL))
559 {
560 memmove(rec->data,rec->input,rec->length);
561 rec->input=rec->data;
562 }
563 else
564 {
565 l=rec->length;
566 bs=EVP_CIPHER_block_size(ds->cipher);
567
568 if ((bs != 1) && send)
569 {
570 i=bs-((int)l%bs);
571
572 /* Add weird padding of upto 256 bytes */
573
574 /* we need to add 'i' padding bytes of value j */
575 j=i-1;
576 if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
577 {
578 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
579 j++;
580 }
581 for (k=(int)l; k<(int)(l+i); k++)
582 rec->input[k]=j;
583 l+=i;
584 rec->length+=i;
585 }
586
587 #ifdef KSSL_DEBUG
588 {
589 unsigned long ui;
590 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
591 ds,rec->data,rec->input,l);
592 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
593 ds->buf_len, ds->cipher->key_len,
594 DES_KEY_SZ, DES_SCHEDULE_SZ,
595 ds->cipher->iv_len);
596 printf("\t\tIV: ");
597 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
598 printf("\n");
599 printf("\trec->input=");
600 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
601 printf("\n");
602 }
603 #endif /* KSSL_DEBUG */
604
605 if (!send)
606 {
607 if (l == 0 || l%bs != 0)
608 {
609 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
610 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
611 return 0;
612 }
613 }
614
615 EVP_Cipher(ds,rec->data,rec->input,l);
616
617 #ifdef KSSL_DEBUG
618 {
619 unsigned long i;
620 printf("\trec->data=");
621 for (i=0; i<l; i++)
622 printf(" %02x", rec->data[i]); printf("\n");
623 }
624 #endif /* KSSL_DEBUG */
625
626 if ((bs != 1) && !send)
627 {
628 ii=i=rec->data[l-1]; /* padding_length */
629 i++;
630 if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
631 {
632 /* First packet is even in size, so check */
633 if ((memcmp(s->s3->read_sequence,
634 "\0\0\0\0\0\0\0\0",8) == 0) &&
635 !(ii & 1) &&
636 rec->data[l-i] != ii)
637 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
638 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
639 i--;
640 }
641 /* TLS 1.0 does not bound the number of padding bytes by the block size.
642 * All of them must have value 'padding_length'. */
643 if (i > (int)rec->length)
644 {
645 /* Incorrect padding. SSLerr() and ssl3_alert are done
646 * by caller: we don't want to reveal whether this is
647 * a decryption error or a MAC verification failure
648 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
649 return -1;
650 }
651 for (j=(int)(l-i); j<(int)l; j++)
652 {
653 if (rec->data[j] != ii)
654 {
655 /* Incorrect padding */
656 return -1;
657 }
658 }
659 rec->length-=i;
660 }
661 }
662 return(1);
663 }
664
665 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
666 {
667 unsigned int ret;
668 EVP_MD_CTX ctx;
669
670 EVP_MD_CTX_init(&ctx);
671 EVP_MD_CTX_copy_ex(&ctx,in_ctx);
672 EVP_DigestFinal_ex(&ctx,out,&ret);
673 EVP_MD_CTX_cleanup(&ctx);
674 return((int)ret);
675 }
676
677 int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
678 const char *str, int slen, unsigned char *out)
679 {
680 unsigned int i;
681 EVP_MD_CTX ctx;
682 unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
683 unsigned char *q,buf2[12];
684
685 q=buf;
686 memcpy(q,str,slen);
687 q+=slen;
688
689 EVP_MD_CTX_init(&ctx);
690 EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
691 EVP_DigestFinal_ex(&ctx,q,&i);
692 q+=i;
693 EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
694 EVP_DigestFinal_ex(&ctx,q,&i);
695 q+=i;
696
697 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
698 s->session->master_key,s->session->master_key_length,
699 out,buf2,sizeof buf2);
700 EVP_MD_CTX_cleanup(&ctx);
701
702 return sizeof buf2;
703 }
704
705 int tls1_mac(SSL *ssl, unsigned char *md, int send)
706 {
707 SSL3_RECORD *rec;
708 unsigned char *mac_sec,*seq;
709 const EVP_MD *hash;
710 unsigned int md_size;
711 int i;
712 HMAC_CTX hmac;
713 unsigned char buf[5];
714
715 if (send)
716 {
717 rec= &(ssl->s3->wrec);
718 mac_sec= &(ssl->s3->write_mac_secret[0]);
719 seq= &(ssl->s3->write_sequence[0]);
720 hash=ssl->write_hash;
721 }
722 else
723 {
724 rec= &(ssl->s3->rrec);
725 mac_sec= &(ssl->s3->read_mac_secret[0]);
726 seq= &(ssl->s3->read_sequence[0]);
727 hash=ssl->read_hash;
728 }
729
730 md_size=EVP_MD_size(hash);
731
732 buf[0]=rec->type;
733 buf[1]=TLS1_VERSION_MAJOR;
734 buf[2]=TLS1_VERSION_MINOR;
735 buf[3]=rec->length>>8;
736 buf[4]=rec->length&0xff;
737
738 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
739 HMAC_CTX_init(&hmac);
740 HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
741 HMAC_Update(&hmac,seq,8);
742 HMAC_Update(&hmac,buf,5);
743 HMAC_Update(&hmac,rec->input,rec->length);
744 HMAC_Final(&hmac,md,&md_size);
745 HMAC_CTX_cleanup(&hmac);
746
747 #ifdef TLS_DEBUG
748 printf("sec=");
749 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
750 printf("seq=");
751 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
752 printf("buf=");
753 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
754 printf("rec=");
755 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
756 #endif
757
758 if ( SSL_version(ssl) != DTLS1_VERSION)
759 {
760 for (i=7; i>=0; i--)
761 {
762 ++seq[i];
763 if (seq[i] != 0) break;
764 }
765 }
766
767 #ifdef TLS_DEBUG
768 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
769 #endif
770 return(md_size);
771 }
772
773 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
774 int len)
775 {
776 unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
777 unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
778
779 #ifdef KSSL_DEBUG
780 printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
781 #endif /* KSSL_DEBUG */
782
783 /* Setup the stuff to munge */
784 memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
785 TLS_MD_MASTER_SECRET_CONST_SIZE);
786 memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]),
787 s->s3->client_random,SSL3_RANDOM_SIZE);
788 memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]),
789 s->s3->server_random,SSL3_RANDOM_SIZE);
790 tls1_PRF(s->ctx->md5,s->ctx->sha1,
791 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
792 s->session->master_key,buff,sizeof buff);
793 #ifdef KSSL_DEBUG
794 printf ("tls1_generate_master_secret() complete\n");
795 #endif /* KSSL_DEBUG */
796 return(SSL3_MASTER_SECRET_SIZE);
797 }
798
799 int tls1_alert_code(int code)
800 {
801 switch (code)
802 {
803 case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY);
804 case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
805 case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC);
806 case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED);
807 case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW);
808 case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
809 case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE);
810 case SSL_AD_NO_CERTIFICATE: return(-1);
811 case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE);
812 case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
813 case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
814 case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
815 case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
816 case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER);
817 case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA);
818 case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
819 case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
820 case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
821 case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
822 case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
823 case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
824 case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
825 case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
826 case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
827 case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
828 (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
829 default: return(-1);
830 }
831 }
832