t1_enc.c 35 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189
  1. /* ssl/t1_enc.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2005 Nokia. All rights reserved.
  113. *
  114. * The portions of the attached software ("Contribution") is developed by
  115. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  116. * license.
  117. *
  118. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  119. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  120. * support (see RFC 4279) to OpenSSL.
  121. *
  122. * No patent licenses or other rights except those expressly stated in
  123. * the OpenSSL open source license shall be deemed granted or received
  124. * expressly, by implication, estoppel, or otherwise.
  125. *
  126. * No assurances are provided by Nokia that the Contribution does not
  127. * infringe the patent or other intellectual property rights of any third
  128. * party or that the license provides you with all the necessary rights
  129. * to make use of the Contribution.
  130. *
  131. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  132. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  133. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  134. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  135. * OTHERWISE.
  136. */
  137. #include <stdio.h>
  138. #include "ssl_locl.h"
  139. #ifndef OPENSSL_NO_COMP
  140. #include <openssl/comp.h>
  141. #endif
  142. #include <openssl/evp.h>
  143. #include <openssl/hmac.h>
  144. #include <openssl/md5.h>
  145. #include <openssl/rand.h>
  146. #ifdef KSSL_DEBUG
  147. #include <openssl/des.h>
  148. #endif
  149. /* seed1 through seed5 are virtually concatenated */
  150. static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
  151. int sec_len,
  152. const void *seed1, int seed1_len,
  153. const void *seed2, int seed2_len,
  154. const void *seed3, int seed3_len,
  155. const void *seed4, int seed4_len,
  156. const void *seed5, int seed5_len,
  157. unsigned char *out, int olen)
  158. {
  159. int chunk;
  160. size_t j;
  161. EVP_MD_CTX ctx, ctx_tmp;
  162. EVP_PKEY *mac_key;
  163. unsigned char A1[EVP_MAX_MD_SIZE];
  164. size_t A1_len;
  165. int ret = 0;
  166. chunk=EVP_MD_size(md);
  167. OPENSSL_assert(chunk >= 0);
  168. EVP_MD_CTX_init(&ctx);
  169. EVP_MD_CTX_init(&ctx_tmp);
  170. EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  171. EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  172. mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
  173. if (!mac_key)
  174. goto err;
  175. if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
  176. goto err;
  177. if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key))
  178. goto err;
  179. if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len))
  180. goto err;
  181. if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len))
  182. goto err;
  183. if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len))
  184. goto err;
  185. if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len))
  186. goto err;
  187. if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len))
  188. goto err;
  189. if (!EVP_DigestSignFinal(&ctx,A1,&A1_len))
  190. goto err;
  191. for (;;)
  192. {
  193. /* Reinit mac contexts */
  194. if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
  195. goto err;
  196. if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key))
  197. goto err;
  198. if (!EVP_DigestSignUpdate(&ctx,A1,A1_len))
  199. goto err;
  200. if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len))
  201. goto err;
  202. if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len))
  203. goto err;
  204. if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len))
  205. goto err;
  206. if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len))
  207. goto err;
  208. if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len))
  209. goto err;
  210. if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len))
  211. goto err;
  212. if (olen > chunk)
  213. {
  214. if (!EVP_DigestSignFinal(&ctx,out,&j))
  215. goto err;
  216. out+=j;
  217. olen-=j;
  218. /* calc the next A1 value */
  219. if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len))
  220. goto err;
  221. }
  222. else /* last one */
  223. {
  224. if (!EVP_DigestSignFinal(&ctx,A1,&A1_len))
  225. goto err;
  226. memcpy(out,A1,olen);
  227. break;
  228. }
  229. }
  230. ret = 1;
  231. err:
  232. EVP_PKEY_free(mac_key);
  233. EVP_MD_CTX_cleanup(&ctx);
  234. EVP_MD_CTX_cleanup(&ctx_tmp);
  235. OPENSSL_cleanse(A1,sizeof(A1));
  236. return ret;
  237. }
  238. /* seed1 through seed5 are virtually concatenated */
  239. static int tls1_PRF(long digest_mask,
  240. const void *seed1, int seed1_len,
  241. const void *seed2, int seed2_len,
  242. const void *seed3, int seed3_len,
  243. const void *seed4, int seed4_len,
  244. const void *seed5, int seed5_len,
  245. const unsigned char *sec, int slen,
  246. unsigned char *out1,
  247. unsigned char *out2, int olen)
  248. {
  249. int len,i,idx,count;
  250. const unsigned char *S1;
  251. long m;
  252. const EVP_MD *md;
  253. int ret = 0;
  254. /* Count number of digests and partition sec evenly */
  255. count=0;
  256. for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
  257. if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++;
  258. }
  259. len=slen/count;
  260. if (count == 1)
  261. slen = 0;
  262. S1=sec;
  263. memset(out1,0,olen);
  264. for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
  265. if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) {
  266. if (!md) {
  267. SSLerr(SSL_F_TLS1_PRF,
  268. SSL_R_UNSUPPORTED_DIGEST_TYPE);
  269. goto err;
  270. }
  271. if (!tls1_P_hash(md ,S1,len+(slen&1),
  272. seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len,
  273. out2,olen))
  274. goto err;
  275. S1+=len;
  276. for (i=0; i<olen; i++)
  277. {
  278. out1[i]^=out2[i];
  279. }
  280. }
  281. }
  282. ret = 1;
  283. err:
  284. return ret;
  285. }
  286. static int tls1_generate_key_block(SSL *s, unsigned char *km,
  287. unsigned char *tmp, int num)
  288. {
  289. int ret;
  290. ret = tls1_PRF(ssl_get_algorithm2(s),
  291. TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE,
  292. s->s3->server_random,SSL3_RANDOM_SIZE,
  293. s->s3->client_random,SSL3_RANDOM_SIZE,
  294. NULL,0,NULL,0,
  295. s->session->master_key,s->session->master_key_length,
  296. km,tmp,num);
  297. #ifdef KSSL_DEBUG
  298. printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
  299. s->session->master_key_length);
  300. {
  301. int i;
  302. for (i=0; i < s->session->master_key_length; i++)
  303. {
  304. printf("%02X", s->session->master_key[i]);
  305. }
  306. printf("\n"); }
  307. #endif /* KSSL_DEBUG */
  308. return ret;
  309. }
  310. int tls1_change_cipher_state(SSL *s, int which)
  311. {
  312. static const unsigned char empty[]="";
  313. unsigned char *p,*mac_secret;
  314. unsigned char *exp_label;
  315. unsigned char tmp1[EVP_MAX_KEY_LENGTH];
  316. unsigned char tmp2[EVP_MAX_KEY_LENGTH];
  317. unsigned char iv1[EVP_MAX_IV_LENGTH*2];
  318. unsigned char iv2[EVP_MAX_IV_LENGTH*2];
  319. unsigned char *ms,*key,*iv;
  320. int client_write;
  321. EVP_CIPHER_CTX *dd;
  322. const EVP_CIPHER *c;
  323. #ifndef OPENSSL_NO_COMP
  324. const SSL_COMP *comp;
  325. #endif
  326. const EVP_MD *m;
  327. int mac_type;
  328. int *mac_secret_size;
  329. EVP_MD_CTX *mac_ctx;
  330. EVP_PKEY *mac_key;
  331. int is_export,n,i,j,k,exp_label_len,cl;
  332. int reuse_dd = 0;
  333. is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
  334. c=s->s3->tmp.new_sym_enc;
  335. m=s->s3->tmp.new_hash;
  336. mac_type = s->s3->tmp.new_mac_pkey_type;
  337. #ifndef OPENSSL_NO_COMP
  338. comp=s->s3->tmp.new_compression;
  339. #endif
  340. #ifdef KSSL_DEBUG
  341. printf("tls1_change_cipher_state(which= %d) w/\n", which);
  342. printf("\talg= %ld/%ld, comp= %p\n",
  343. s->s3->tmp.new_cipher->algorithm_mkey,
  344. s->s3->tmp.new_cipher->algorithm_auth,
  345. comp);
  346. printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
  347. printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
  348. c->nid,c->block_size,c->key_len,c->iv_len);
  349. printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
  350. {
  351. int i;
  352. for (i=0; i<s->s3->tmp.key_block_length; i++)
  353. printf("%02x", key_block[i]); printf("\n");
  354. }
  355. #endif /* KSSL_DEBUG */
  356. if (which & SSL3_CC_READ)
  357. {
  358. if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
  359. s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
  360. else
  361. s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
  362. if (s->enc_read_ctx != NULL)
  363. reuse_dd = 1;
  364. else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  365. goto err;
  366. else
  367. /* make sure it's intialized in case we exit later with an error */
  368. EVP_CIPHER_CTX_init(s->enc_read_ctx);
  369. dd= s->enc_read_ctx;
  370. mac_ctx=ssl_replace_hash(&s->read_hash,NULL);
  371. #ifndef OPENSSL_NO_COMP
  372. if (s->expand != NULL)
  373. {
  374. COMP_CTX_free(s->expand);
  375. s->expand=NULL;
  376. }
  377. if (comp != NULL)
  378. {
  379. s->expand=COMP_CTX_new(comp->method);
  380. if (s->expand == NULL)
  381. {
  382. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
  383. goto err2;
  384. }
  385. if (s->s3->rrec.comp == NULL)
  386. s->s3->rrec.comp=(unsigned char *)
  387. OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
  388. if (s->s3->rrec.comp == NULL)
  389. goto err;
  390. }
  391. #endif
  392. /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
  393. if (s->version != DTLS1_VERSION)
  394. memset(&(s->s3->read_sequence[0]),0,8);
  395. mac_secret= &(s->s3->read_mac_secret[0]);
  396. mac_secret_size=&(s->s3->read_mac_secret_size);
  397. }
  398. else
  399. {
  400. if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
  401. s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
  402. else
  403. s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
  404. if (s->enc_write_ctx != NULL)
  405. reuse_dd = 1;
  406. else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  407. goto err;
  408. else
  409. /* make sure it's intialized in case we exit later with an error */
  410. EVP_CIPHER_CTX_init(s->enc_write_ctx);
  411. dd= s->enc_write_ctx;
  412. mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
  413. #ifndef OPENSSL_NO_COMP
  414. if (s->compress != NULL)
  415. {
  416. COMP_CTX_free(s->compress);
  417. s->compress=NULL;
  418. }
  419. if (comp != NULL)
  420. {
  421. s->compress=COMP_CTX_new(comp->method);
  422. if (s->compress == NULL)
  423. {
  424. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
  425. goto err2;
  426. }
  427. }
  428. #endif
  429. /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
  430. if (s->version != DTLS1_VERSION)
  431. memset(&(s->s3->write_sequence[0]),0,8);
  432. mac_secret= &(s->s3->write_mac_secret[0]);
  433. mac_secret_size = &(s->s3->write_mac_secret_size);
  434. }
  435. if (reuse_dd)
  436. EVP_CIPHER_CTX_cleanup(dd);
  437. p=s->s3->tmp.key_block;
  438. i=*mac_secret_size=s->s3->tmp.new_mac_secret_size;
  439. cl=EVP_CIPHER_key_length(c);
  440. j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
  441. cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
  442. /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
  443. /* If GCM mode only part of IV comes from PRF */
  444. if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
  445. k = EVP_GCM_TLS_FIXED_IV_LEN;
  446. else
  447. k=EVP_CIPHER_iv_length(c);
  448. if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
  449. (which == SSL3_CHANGE_CIPHER_SERVER_READ))
  450. {
  451. ms= &(p[ 0]); n=i+i;
  452. key= &(p[ n]); n+=j+j;
  453. iv= &(p[ n]); n+=k+k;
  454. exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
  455. exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
  456. client_write=1;
  457. }
  458. else
  459. {
  460. n=i;
  461. ms= &(p[ n]); n+=i+j;
  462. key= &(p[ n]); n+=j+k;
  463. iv= &(p[ n]); n+=k;
  464. exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
  465. exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
  466. client_write=0;
  467. }
  468. if (n > s->s3->tmp.key_block_length)
  469. {
  470. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
  471. goto err2;
  472. }
  473. memcpy(mac_secret,ms,i);
  474. if (!(EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER))
  475. {
  476. mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
  477. mac_secret,*mac_secret_size);
  478. EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key);
  479. EVP_PKEY_free(mac_key);
  480. }
  481. #ifdef TLS_DEBUG
  482. printf("which = %04X\nmac key=",which);
  483. { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
  484. #endif
  485. if (is_export)
  486. {
  487. /* In here I set both the read and write key/iv to the
  488. * same value since only the correct one will be used :-).
  489. */
  490. if (!tls1_PRF(ssl_get_algorithm2(s),
  491. exp_label,exp_label_len,
  492. s->s3->client_random,SSL3_RANDOM_SIZE,
  493. s->s3->server_random,SSL3_RANDOM_SIZE,
  494. NULL,0,NULL,0,
  495. key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)))
  496. goto err2;
  497. key=tmp1;
  498. if (k > 0)
  499. {
  500. if (!tls1_PRF(ssl_get_algorithm2(s),
  501. TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE,
  502. s->s3->client_random,SSL3_RANDOM_SIZE,
  503. s->s3->server_random,SSL3_RANDOM_SIZE,
  504. NULL,0,NULL,0,
  505. empty,0,iv1,iv2,k*2))
  506. goto err2;
  507. if (client_write)
  508. iv=iv1;
  509. else
  510. iv= &(iv1[k]);
  511. }
  512. }
  513. s->session->key_arg_length=0;
  514. #ifdef KSSL_DEBUG
  515. {
  516. int i;
  517. printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
  518. printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
  519. printf("\n");
  520. printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
  521. printf("\n");
  522. }
  523. #endif /* KSSL_DEBUG */
  524. if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE)
  525. {
  526. EVP_CipherInit_ex(dd,c,NULL,key,NULL,(which & SSL3_CC_WRITE));
  527. EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv);
  528. }
  529. else
  530. EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
  531. /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */
  532. if ((EVP_CIPHER_flags(c)&EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size)
  533. EVP_CIPHER_CTX_ctrl(dd,EVP_CTRL_AEAD_SET_MAC_KEY,
  534. *mac_secret_size,mac_secret);
  535. #ifdef TLS_DEBUG
  536. printf("which = %04X\nkey=",which);
  537. { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
  538. printf("\niv=");
  539. { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
  540. printf("\n");
  541. #endif
  542. OPENSSL_cleanse(tmp1,sizeof(tmp1));
  543. OPENSSL_cleanse(tmp2,sizeof(tmp1));
  544. OPENSSL_cleanse(iv1,sizeof(iv1));
  545. OPENSSL_cleanse(iv2,sizeof(iv2));
  546. return(1);
  547. err:
  548. SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
  549. err2:
  550. return(0);
  551. }
  552. int tls1_setup_key_block(SSL *s)
  553. {
  554. unsigned char *p1,*p2=NULL;
  555. const EVP_CIPHER *c;
  556. const EVP_MD *hash;
  557. int num;
  558. SSL_COMP *comp;
  559. int mac_type= NID_undef,mac_secret_size=0;
  560. int ret=0;
  561. #ifdef KSSL_DEBUG
  562. printf ("tls1_setup_key_block()\n");
  563. #endif /* KSSL_DEBUG */
  564. if (s->s3->tmp.key_block_length != 0)
  565. return(1);
  566. if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp))
  567. {
  568. SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
  569. return(0);
  570. }
  571. s->s3->tmp.new_sym_enc=c;
  572. s->s3->tmp.new_hash=hash;
  573. s->s3->tmp.new_mac_pkey_type = mac_type;
  574. s->s3->tmp.new_mac_secret_size = mac_secret_size;
  575. num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c);
  576. num*=2;
  577. ssl3_cleanup_key_block(s);
  578. if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
  579. {
  580. SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
  581. goto err;
  582. }
  583. s->s3->tmp.key_block_length=num;
  584. s->s3->tmp.key_block=p1;
  585. if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
  586. {
  587. SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
  588. goto err;
  589. }
  590. #ifdef TLS_DEBUG
  591. printf("client random\n");
  592. { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
  593. printf("server random\n");
  594. { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
  595. printf("pre-master\n");
  596. { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
  597. #endif
  598. if (!tls1_generate_key_block(s,p1,p2,num))
  599. goto err;
  600. #ifdef TLS_DEBUG
  601. printf("\nkey block\n");
  602. { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
  603. #endif
  604. if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
  605. && s->method->version <= TLS1_VERSION)
  606. {
  607. /* enable vulnerability countermeasure for CBC ciphers with
  608. * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
  609. */
  610. s->s3->need_empty_fragments = 1;
  611. if (s->session->cipher != NULL)
  612. {
  613. if (s->session->cipher->algorithm_enc == SSL_eNULL)
  614. s->s3->need_empty_fragments = 0;
  615. #ifndef OPENSSL_NO_RC4
  616. if (s->session->cipher->algorithm_enc == SSL_RC4)
  617. s->s3->need_empty_fragments = 0;
  618. #endif
  619. }
  620. }
  621. ret = 1;
  622. err:
  623. if (p2)
  624. {
  625. OPENSSL_cleanse(p2,num);
  626. OPENSSL_free(p2);
  627. }
  628. return(ret);
  629. }
  630. int tls1_enc(SSL *s, int send)
  631. {
  632. SSL3_RECORD *rec;
  633. EVP_CIPHER_CTX *ds;
  634. unsigned long l;
  635. int bs,i,ii,j,k,pad=0;
  636. const EVP_CIPHER *enc;
  637. if (send)
  638. {
  639. if (EVP_MD_CTX_md(s->write_hash))
  640. {
  641. int n=EVP_MD_CTX_size(s->write_hash);
  642. OPENSSL_assert(n >= 0);
  643. }
  644. ds=s->enc_write_ctx;
  645. rec= &(s->s3->wrec);
  646. if (s->enc_write_ctx == NULL)
  647. enc=NULL;
  648. else
  649. {
  650. int ivlen;
  651. enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
  652. /* For TLSv1.1 and later explicit IV */
  653. if (s->version >= TLS1_1_VERSION
  654. && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE)
  655. ivlen = EVP_CIPHER_iv_length(enc);
  656. else
  657. ivlen = 0;
  658. if (ivlen > 1)
  659. {
  660. if ( rec->data != rec->input)
  661. /* we can't write into the input stream:
  662. * Can this ever happen?? (steve)
  663. */
  664. fprintf(stderr,
  665. "%s:%d: rec->data != rec->input\n",
  666. __FILE__, __LINE__);
  667. else if (RAND_bytes(rec->input, ivlen) <= 0)
  668. return -1;
  669. }
  670. }
  671. }
  672. else
  673. {
  674. if (EVP_MD_CTX_md(s->read_hash))
  675. {
  676. int n=EVP_MD_CTX_size(s->read_hash);
  677. OPENSSL_assert(n >= 0);
  678. }
  679. ds=s->enc_read_ctx;
  680. rec= &(s->s3->rrec);
  681. if (s->enc_read_ctx == NULL)
  682. enc=NULL;
  683. else
  684. enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
  685. }
  686. #ifdef KSSL_DEBUG
  687. printf("tls1_enc(%d)\n", send);
  688. #endif /* KSSL_DEBUG */
  689. if ((s->session == NULL) || (ds == NULL) ||
  690. (enc == NULL))
  691. {
  692. memmove(rec->data,rec->input,rec->length);
  693. rec->input=rec->data;
  694. }
  695. else
  696. {
  697. l=rec->length;
  698. bs=EVP_CIPHER_block_size(ds->cipher);
  699. if (EVP_CIPHER_flags(ds->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
  700. {
  701. unsigned char buf[13],*seq;
  702. seq = send?s->s3->write_sequence:s->s3->read_sequence;
  703. if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
  704. {
  705. unsigned char dtlsseq[9],*p=dtlsseq;
  706. s2n(send?s->d1->w_epoch:s->d1->r_epoch,p);
  707. memcpy(p,&seq[2],6);
  708. memcpy(buf,dtlsseq,8);
  709. }
  710. else
  711. {
  712. memcpy(buf,seq,8);
  713. for (i=7; i>=0; i--) /* increment */
  714. {
  715. ++seq[i];
  716. if (seq[i] != 0) break;
  717. }
  718. }
  719. buf[8]=rec->type;
  720. buf[9]=(unsigned char)(s->version>>8);
  721. buf[10]=(unsigned char)(s->version);
  722. buf[11]=rec->length>>8;
  723. buf[12]=rec->length&0xff;
  724. pad=EVP_CIPHER_CTX_ctrl(ds,EVP_CTRL_AEAD_TLS1_AAD,13,buf);
  725. if (send)
  726. {
  727. l+=pad;
  728. rec->length+=pad;
  729. }
  730. }
  731. else if ((bs != 1) && send)
  732. {
  733. i=bs-((int)l%bs);
  734. /* Add weird padding of upto 256 bytes */
  735. /* we need to add 'i' padding bytes of value j */
  736. j=i-1;
  737. if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
  738. {
  739. if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
  740. j++;
  741. }
  742. for (k=(int)l; k<(int)(l+i); k++)
  743. rec->input[k]=j;
  744. l+=i;
  745. rec->length+=i;
  746. }
  747. #ifdef KSSL_DEBUG
  748. {
  749. unsigned long ui;
  750. printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
  751. ds,rec->data,rec->input,l);
  752. printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
  753. ds->buf_len, ds->cipher->key_len,
  754. DES_KEY_SZ, DES_SCHEDULE_SZ,
  755. ds->cipher->iv_len);
  756. printf("\t\tIV: ");
  757. for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
  758. printf("\n");
  759. printf("\trec->input=");
  760. for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
  761. printf("\n");
  762. }
  763. #endif /* KSSL_DEBUG */
  764. if (!send)
  765. {
  766. if (l == 0 || l%bs != 0)
  767. {
  768. if (s->version >= TLS1_1_VERSION)
  769. return -1;
  770. SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
  771. ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
  772. return 0;
  773. }
  774. }
  775. if (EVP_Cipher(ds,rec->data,rec->input,l) < 0)
  776. return -1; /* AEAD can fail to verify MAC */
  777. if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send)
  778. {
  779. rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  780. rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN;
  781. rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
  782. }
  783. #ifdef KSSL_DEBUG
  784. {
  785. unsigned long i;
  786. printf("\trec->data=");
  787. for (i=0; i<l; i++)
  788. printf(" %02x", rec->data[i]); printf("\n");
  789. }
  790. #endif /* KSSL_DEBUG */
  791. if ((bs != 1) && !send)
  792. {
  793. ii=i=rec->data[l-1]; /* padding_length */
  794. i++;
  795. /* NB: if compression is in operation the first packet
  796. * may not be of even length so the padding bug check
  797. * cannot be performed. This bug workaround has been
  798. * around since SSLeay so hopefully it is either fixed
  799. * now or no buggy implementation supports compression
  800. * [steve]
  801. */
  802. if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
  803. && !s->expand)
  804. {
  805. /* First packet is even in size, so check */
  806. if ((memcmp(s->s3->read_sequence,
  807. "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
  808. s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
  809. if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
  810. i--;
  811. }
  812. /* TLS 1.0 does not bound the number of padding bytes by the block size.
  813. * All of them must have value 'padding_length'. */
  814. if (i > (int)rec->length)
  815. {
  816. /* Incorrect padding. SSLerr() and ssl3_alert are done
  817. * by caller: we don't want to reveal whether this is
  818. * a decryption error or a MAC verification failure
  819. * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
  820. return -1;
  821. }
  822. for (j=(int)(l-i); j<(int)l; j++)
  823. {
  824. if (rec->data[j] != ii)
  825. {
  826. /* Incorrect padding */
  827. return -1;
  828. }
  829. }
  830. rec->length -=i;
  831. if (s->version >= TLS1_1_VERSION
  832. && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
  833. {
  834. rec->data += bs; /* skip the explicit IV */
  835. rec->input += bs;
  836. rec->length -= bs;
  837. }
  838. }
  839. if (pad && !send)
  840. rec->length -= pad;
  841. }
  842. return(1);
  843. }
  844. int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
  845. {
  846. unsigned int ret;
  847. EVP_MD_CTX ctx, *d=NULL;
  848. int i;
  849. if (s->s3->handshake_buffer)
  850. if (!ssl3_digest_cached_records(s))
  851. return 0;
  852. for (i=0;i<SSL_MAX_DIGEST;i++)
  853. {
  854. if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
  855. {
  856. d=s->s3->handshake_dgst[i];
  857. break;
  858. }
  859. }
  860. if (!d) {
  861. SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
  862. return 0;
  863. }
  864. EVP_MD_CTX_init(&ctx);
  865. EVP_MD_CTX_copy_ex(&ctx,d);
  866. EVP_DigestFinal_ex(&ctx,out,&ret);
  867. EVP_MD_CTX_cleanup(&ctx);
  868. return((int)ret);
  869. }
  870. int tls1_final_finish_mac(SSL *s,
  871. const char *str, int slen, unsigned char *out)
  872. {
  873. unsigned int i;
  874. EVP_MD_CTX ctx;
  875. unsigned char buf[2*EVP_MAX_MD_SIZE];
  876. unsigned char *q,buf2[12];
  877. int idx;
  878. long mask;
  879. int err=0;
  880. const EVP_MD *md;
  881. q=buf;
  882. if (s->s3->handshake_buffer)
  883. if (!ssl3_digest_cached_records(s))
  884. return 0;
  885. EVP_MD_CTX_init(&ctx);
  886. for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
  887. {
  888. if (mask & ssl_get_algorithm2(s))
  889. {
  890. int hashsize = EVP_MD_size(md);
  891. if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
  892. {
  893. /* internal error: 'buf' is too small for this cipersuite! */
  894. err = 1;
  895. }
  896. else
  897. {
  898. EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
  899. EVP_DigestFinal_ex(&ctx,q,&i);
  900. if (i != (unsigned int)hashsize) /* can't really happen */
  901. err = 1;
  902. q+=i;
  903. }
  904. }
  905. }
  906. if (!tls1_PRF(ssl_get_algorithm2(s),
  907. str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
  908. s->session->master_key,s->session->master_key_length,
  909. out,buf2,sizeof buf2))
  910. err = 1;
  911. EVP_MD_CTX_cleanup(&ctx);
  912. if (err)
  913. return 0;
  914. else
  915. return sizeof buf2;
  916. }
  917. int tls1_mac(SSL *ssl, unsigned char *md, int send)
  918. {
  919. SSL3_RECORD *rec;
  920. unsigned char *seq;
  921. EVP_MD_CTX *hash;
  922. size_t md_size;
  923. int i;
  924. EVP_MD_CTX hmac, *mac_ctx;
  925. unsigned char buf[5];
  926. int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
  927. int t;
  928. if (send)
  929. {
  930. rec= &(ssl->s3->wrec);
  931. seq= &(ssl->s3->write_sequence[0]);
  932. hash=ssl->write_hash;
  933. }
  934. else
  935. {
  936. rec= &(ssl->s3->rrec);
  937. seq= &(ssl->s3->read_sequence[0]);
  938. hash=ssl->read_hash;
  939. }
  940. t=EVP_MD_CTX_size(hash);
  941. OPENSSL_assert(t >= 0);
  942. md_size=t;
  943. buf[0]=rec->type;
  944. buf[1]=(unsigned char)(ssl->version>>8);
  945. buf[2]=(unsigned char)(ssl->version);
  946. buf[3]=rec->length>>8;
  947. buf[4]=rec->length&0xff;
  948. /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
  949. if (stream_mac)
  950. {
  951. mac_ctx = hash;
  952. }
  953. else
  954. {
  955. EVP_MD_CTX_copy(&hmac,hash);
  956. mac_ctx = &hmac;
  957. }
  958. if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER)
  959. {
  960. unsigned char dtlsseq[8],*p=dtlsseq;
  961. s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
  962. memcpy (p,&seq[2],6);
  963. EVP_DigestSignUpdate(mac_ctx,dtlsseq,8);
  964. }
  965. else
  966. EVP_DigestSignUpdate(mac_ctx,seq,8);
  967. EVP_DigestSignUpdate(mac_ctx,buf,5);
  968. EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
  969. t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
  970. OPENSSL_assert(t > 0);
  971. if (!stream_mac) EVP_MD_CTX_cleanup(&hmac);
  972. #ifdef TLS_DEBUG
  973. printf("sec=");
  974. {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
  975. printf("seq=");
  976. {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
  977. printf("buf=");
  978. {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
  979. printf("rec=");
  980. {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
  981. #endif
  982. if (ssl->version != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER)
  983. {
  984. for (i=7; i>=0; i--)
  985. {
  986. ++seq[i];
  987. if (seq[i] != 0) break;
  988. }
  989. }
  990. #ifdef TLS_DEBUG
  991. {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
  992. #endif
  993. return(md_size);
  994. }
  995. int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
  996. int len)
  997. {
  998. unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
  999. const void *co = NULL, *so = NULL;
  1000. int col = 0, sol = 0;
  1001. #ifdef KSSL_DEBUG
  1002. printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
  1003. #endif /* KSSL_DEBUG */
  1004. #ifdef TLSEXT_TYPE_opaque_prf_input
  1005. if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL &&
  1006. s->s3->client_opaque_prf_input_len > 0 &&
  1007. s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len)
  1008. {
  1009. co = s->s3->client_opaque_prf_input;
  1010. col = s->s3->server_opaque_prf_input_len;
  1011. so = s->s3->server_opaque_prf_input;
  1012. sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */
  1013. }
  1014. #endif
  1015. tls1_PRF(ssl_get_algorithm2(s),
  1016. TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE,
  1017. s->s3->client_random,SSL3_RANDOM_SIZE,
  1018. co, col,
  1019. s->s3->server_random,SSL3_RANDOM_SIZE,
  1020. so, sol,
  1021. p,len,
  1022. s->session->master_key,buff,sizeof buff);
  1023. #ifdef SSL_DEBUG
  1024. fprintf(stderr, "Premaster Secret:\n");
  1025. BIO_dump_fp(stderr, (char *)p, len);
  1026. fprintf(stderr, "Client Random:\n");
  1027. BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE);
  1028. fprintf(stderr, "Server Random:\n");
  1029. BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE);
  1030. fprintf(stderr, "Master Secret:\n");
  1031. BIO_dump_fp(stderr, (char *)s->session->master_key, SSL3_MASTER_SECRET_SIZE);
  1032. #endif
  1033. #ifdef KSSL_DEBUG
  1034. printf ("tls1_generate_master_secret() complete\n");
  1035. #endif /* KSSL_DEBUG */
  1036. return(SSL3_MASTER_SECRET_SIZE);
  1037. }
  1038. int tls1_alert_code(int code)
  1039. {
  1040. switch (code)
  1041. {
  1042. case SSL_AD_CLOSE_NOTIFY: return(SSL3_AD_CLOSE_NOTIFY);
  1043. case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
  1044. case SSL_AD_BAD_RECORD_MAC: return(SSL3_AD_BAD_RECORD_MAC);
  1045. case SSL_AD_DECRYPTION_FAILED: return(TLS1_AD_DECRYPTION_FAILED);
  1046. case SSL_AD_RECORD_OVERFLOW: return(TLS1_AD_RECORD_OVERFLOW);
  1047. case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
  1048. case SSL_AD_HANDSHAKE_FAILURE: return(SSL3_AD_HANDSHAKE_FAILURE);
  1049. case SSL_AD_NO_CERTIFICATE: return(-1);
  1050. case SSL_AD_BAD_CERTIFICATE: return(SSL3_AD_BAD_CERTIFICATE);
  1051. case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
  1052. case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
  1053. case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
  1054. case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
  1055. case SSL_AD_ILLEGAL_PARAMETER: return(SSL3_AD_ILLEGAL_PARAMETER);
  1056. case SSL_AD_UNKNOWN_CA: return(TLS1_AD_UNKNOWN_CA);
  1057. case SSL_AD_ACCESS_DENIED: return(TLS1_AD_ACCESS_DENIED);
  1058. case SSL_AD_DECODE_ERROR: return(TLS1_AD_DECODE_ERROR);
  1059. case SSL_AD_DECRYPT_ERROR: return(TLS1_AD_DECRYPT_ERROR);
  1060. case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
  1061. case SSL_AD_PROTOCOL_VERSION: return(TLS1_AD_PROTOCOL_VERSION);
  1062. case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
  1063. case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR);
  1064. case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED);
  1065. case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION);
  1066. case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION);
  1067. case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE);
  1068. case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME);
  1069. case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
  1070. case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
  1071. case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
  1072. #ifndef OPENSSL_NO_SRP
  1073. case SSL_AD_MISSING_SRP_USERNAME:return(TLS1_AD_MISSING_SRP_USERNAME);
  1074. #endif
  1075. #if 0 /* not appropriate for TLS, not used for DTLS */
  1076. case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
  1077. (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
  1078. #endif
  1079. default: return(-1);
  1080. }
  1081. }
  1082. int SSL_tls1_key_exporter(SSL *s, unsigned char *label, int label_len,
  1083. unsigned char *context, int context_len,
  1084. unsigned char *out, int olen)
  1085. {
  1086. unsigned char *tmp;
  1087. int rv;
  1088. tmp = OPENSSL_malloc(olen);
  1089. if (!tmp)
  1090. return 0;
  1091. rv = tls1_PRF(ssl_get_algorithm2(s),
  1092. label, label_len,
  1093. s->s3->client_random,SSL3_RANDOM_SIZE,
  1094. s->s3->server_random,SSL3_RANDOM_SIZE,
  1095. context, context_len, NULL, 0,
  1096. s->session->master_key, s->session->master_key_length,
  1097. out, tmp, olen);
  1098. OPENSSL_free(tmp);
  1099. return rv;
  1100. }