054853335485f56138ee61c09e926acdde7d037c
[openssl.git] / ssl / t1_enc.c
1 /* ssl/t1_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58
59 #include <stdio.h>
60 #include <openssl/comp.h>
61 #include <openssl/evp.h>
62 #include <openssl/hmac.h>
63 #include "ssl_locl.h"
64 #include <openssl/md5.h>
65
66 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
67                         int sec_len, unsigned char *seed, int seed_len,
68                         unsigned char *out, int olen)
69         {
70         int chunk,n;
71         unsigned int j;
72         HMAC_CTX ctx;
73         HMAC_CTX ctx_tmp;
74         unsigned char A1[HMAC_MAX_MD_CBLOCK];
75         unsigned int A1_len;
76         
77         chunk=EVP_MD_size(md);
78
79         HMAC_CTX_init(&ctx);
80         HMAC_CTX_init(&ctx_tmp);
81         HMAC_Init_ex(&ctx,sec,sec_len,md);
82         HMAC_Init_ex(&ctx_tmp,sec,sec_len,md);
83         HMAC_Update(&ctx,seed,seed_len);
84         HMAC_Final(&ctx,A1,&A1_len);
85
86         n=0;
87         for (;;)
88                 {
89                 HMAC_Init_ex(&ctx,NULL,0,NULL); /* re-init */
90                 HMAC_Init_ex(&ctx_tmp,NULL,0,NULL); /* re-init */
91                 HMAC_Update(&ctx,A1,A1_len);
92                 HMAC_Update(&ctx_tmp,A1,A1_len);
93                 HMAC_Update(&ctx,seed,seed_len);
94
95                 if (olen > chunk)
96                         {
97                         HMAC_Final(&ctx,out,&j);
98                         out+=j;
99                         olen-=j;
100                         HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
101                         }
102                 else    /* last one */
103                         {
104                         HMAC_Final(&ctx,A1,&A1_len);
105                         memcpy(out,A1,olen);
106                         break;
107                         }
108                 }
109         HMAC_CTX_cleanup(&ctx);
110         HMAC_CTX_cleanup(&ctx_tmp);
111         memset(A1,0,sizeof(A1));
112         }
113
114 static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
115                      unsigned char *label, int label_len,
116                      const unsigned char *sec, int slen, unsigned char *out1,
117                      unsigned char *out2, int olen)
118         {
119         int len,i;
120         const unsigned char *S1,*S2;
121
122         len=slen/2;
123         S1=sec;
124         S2= &(sec[len]);
125         len+=(slen&1); /* add for odd, make longer */
126
127         
128         tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
129         tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
130
131         for (i=0; i<olen; i++)
132                 out1[i]^=out2[i];
133         }
134
135 static void tls1_generate_key_block(SSL *s, unsigned char *km,
136              unsigned char *tmp, int num)
137         {
138         unsigned char *p;
139         unsigned char buf[SSL3_RANDOM_SIZE*2+
140                 TLS_MD_MAX_CONST_SIZE];
141         p=buf;
142
143         memcpy(p,TLS_MD_KEY_EXPANSION_CONST,
144                 TLS_MD_KEY_EXPANSION_CONST_SIZE);
145         p+=TLS_MD_KEY_EXPANSION_CONST_SIZE;
146         memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
147         p+=SSL3_RANDOM_SIZE;
148         memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
149         p+=SSL3_RANDOM_SIZE;
150
151         tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),
152                  s->session->master_key,s->session->master_key_length,
153                  km,tmp,num);
154 #ifdef KSSL_DEBUG
155         printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
156                 s->session->master_key_length);
157         {
158         int i;
159         for (i=0; i < s->session->master_key_length; i++)
160                 {
161                 printf("%02X", s->session->master_key[i]);
162                 }
163         printf("\n");  }
164 #endif    /* KSSL_DEBUG */
165         }
166
167 int tls1_change_cipher_state(SSL *s, int which)
168         {
169         static const unsigned char empty[]="";
170         unsigned char *p,*key_block,*mac_secret;
171         unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+
172                 SSL3_RANDOM_SIZE*2];
173         unsigned char tmp1[EVP_MAX_KEY_LENGTH];
174         unsigned char tmp2[EVP_MAX_KEY_LENGTH];
175         unsigned char iv1[EVP_MAX_IV_LENGTH*2];
176         unsigned char iv2[EVP_MAX_IV_LENGTH*2];
177         unsigned char *ms,*key,*iv,*er1,*er2;
178         int client_write;
179         EVP_CIPHER_CTX *dd;
180         const EVP_CIPHER *c;
181         const SSL_COMP *comp;
182         const EVP_MD *m;
183         int is_export,n,i,j,k,exp_label_len,cl;
184         int reuse_dd = 0;
185
186         is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
187         c=s->s3->tmp.new_sym_enc;
188         m=s->s3->tmp.new_hash;
189         comp=s->s3->tmp.new_compression;
190         key_block=s->s3->tmp.key_block;
191
192 #ifdef KSSL_DEBUG
193         printf("tls1_change_cipher_state(which= %d) w/\n", which);
194         printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms,
195                 comp);
196         printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
197         printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
198                 c->nid,c->block_size,c->key_len,c->iv_len);
199         printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
200         {
201         int i;
202         for (i=0; i<s->s3->tmp.key_block_length; i++)
203                 printf("%02x", key_block[i]);  printf("\n");
204         }
205 #endif  /* KSSL_DEBUG */
206
207         if (which & SSL3_CC_READ)
208                 {
209                 if (s->enc_read_ctx != NULL)
210                         reuse_dd = 1;
211                 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
212                         goto err;
213                 dd= s->enc_read_ctx;
214                 s->read_hash=m;
215                 if (s->expand != NULL)
216                         {
217                         COMP_CTX_free(s->expand);
218                         s->expand=NULL;
219                         }
220                 if (comp != NULL)
221                         {
222                         s->expand=COMP_CTX_new(comp->method);
223                         if (s->expand == NULL)
224                                 {
225                                 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
226                                 goto err2;
227                                 }
228                         if (s->s3->rrec.comp == NULL)
229                                 s->s3->rrec.comp=(unsigned char *)
230                                         OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
231                         if (s->s3->rrec.comp == NULL)
232                                 goto err;
233                         }
234                 memset(&(s->s3->read_sequence[0]),0,8);
235                 mac_secret= &(s->s3->read_mac_secret[0]);
236                 }
237         else
238                 {
239                 if (s->enc_write_ctx != NULL)
240                         reuse_dd = 1;
241                 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
242                         goto err;
243                 if ((s->enc_write_ctx == NULL) &&
244                         ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
245                         OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
246                         goto err;
247                 dd= s->enc_write_ctx;
248                 s->write_hash=m;
249                 if (s->compress != NULL)
250                         {
251                         COMP_CTX_free(s->compress);
252                         s->compress=NULL;
253                         }
254                 if (comp != NULL)
255                         {
256                         s->compress=COMP_CTX_new(comp->method);
257                         if (s->compress == NULL)
258                                 {
259                                 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
260                                 goto err2;
261                                 }
262                         }
263                 memset(&(s->s3->write_sequence[0]),0,8);
264                 mac_secret= &(s->s3->write_mac_secret[0]);
265                 }
266
267         if (reuse_dd)
268                 EVP_CIPHER_CTX_cleanup(dd);
269         EVP_CIPHER_CTX_init(dd);
270
271         p=s->s3->tmp.key_block;
272         i=EVP_MD_size(m);
273         cl=EVP_CIPHER_key_length(c);
274         j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
275                        cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
276         /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
277         k=EVP_CIPHER_iv_length(c);
278         er1= &(s->s3->client_random[0]);
279         er2= &(s->s3->server_random[0]);
280         if (    (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
281                 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
282                 {
283                 ms=  &(p[ 0]); n=i+i;
284                 key= &(p[ n]); n+=j+j;
285                 iv=  &(p[ n]); n+=k+k;
286                 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
287                 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
288                 client_write=1;
289                 }
290         else
291                 {
292                 n=i;
293                 ms=  &(p[ n]); n+=i+j;
294                 key= &(p[ n]); n+=j+k;
295                 iv=  &(p[ n]); n+=k;
296                 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
297                 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
298                 client_write=0;
299                 }
300
301         if (n > s->s3->tmp.key_block_length)
302                 {
303                 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
304                 goto err2;
305                 }
306
307         memcpy(mac_secret,ms,i);
308 #ifdef TLS_DEBUG
309 printf("which = %04X\nmac key=",which);
310 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
311 #endif
312         if (is_export)
313                 {
314                 /* In here I set both the read and write key/iv to the
315                  * same value since only the correct one will be used :-).
316                  */
317                 p=buf;
318                 memcpy(p,exp_label,exp_label_len);
319                 p+=exp_label_len;
320                 memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
321                 p+=SSL3_RANDOM_SIZE;
322                 memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
323                 p+=SSL3_RANDOM_SIZE;
324                 tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j,
325                          tmp1,tmp2,EVP_CIPHER_key_length(c));
326                 key=tmp1;
327
328                 if (k > 0)
329                         {
330                         p=buf;
331                         memcpy(p,TLS_MD_IV_BLOCK_CONST,
332                                 TLS_MD_IV_BLOCK_CONST_SIZE);
333                         p+=TLS_MD_IV_BLOCK_CONST_SIZE;
334                         memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE);
335                         p+=SSL3_RANDOM_SIZE;
336                         memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE);
337                         p+=SSL3_RANDOM_SIZE;
338                         tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0,
339                                  iv1,iv2,k*2);
340                         if (client_write)
341                                 iv=iv1;
342                         else
343                                 iv= &(iv1[k]);
344                         }
345                 }
346
347         s->session->key_arg_length=0;
348 #ifdef KSSL_DEBUG
349         {
350         int i;
351         printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
352         printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
353         printf("\n");
354         printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
355         printf("\n");
356         }
357 #endif  /* KSSL_DEBUG */
358
359         EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
360 #ifdef TLS_DEBUG
361 printf("which = %04X\nkey=",which);
362 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
363 printf("\niv=");
364 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
365 printf("\n");
366 #endif
367
368         memset(tmp1,0,sizeof(tmp1));
369         memset(tmp2,0,sizeof(tmp1));
370         memset(iv1,0,sizeof(iv1));
371         memset(iv2,0,sizeof(iv2));
372         return(1);
373 err:
374         SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
375 err2:
376         return(0);
377         }
378
379 int tls1_setup_key_block(SSL *s)
380         {
381         unsigned char *p1,*p2;
382         const EVP_CIPHER *c;
383         const EVP_MD *hash;
384         int num;
385         SSL_COMP *comp;
386
387 #ifdef KSSL_DEBUG
388         printf ("tls1_setup_key_block()\n");
389 #endif  /* KSSL_DEBUG */
390
391         if (s->s3->tmp.key_block_length != 0)
392                 return(1);
393
394         if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
395                 {
396                 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
397                 return(0);
398                 }
399
400         s->s3->tmp.new_sym_enc=c;
401         s->s3->tmp.new_hash=hash;
402
403         num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
404         num*=2;
405
406         ssl3_cleanup_key_block(s);
407
408         if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
409                 goto err;
410         if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
411                 goto err;
412
413         s->s3->tmp.key_block_length=num;
414         s->s3->tmp.key_block=p1;
415
416
417 #ifdef TLS_DEBUG
418 printf("client random\n");
419 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
420 printf("server random\n");
421 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
422 printf("pre-master\n");
423 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
424 #endif
425         tls1_generate_key_block(s,p1,p2,num);
426         memset(p2,0,num);
427         OPENSSL_free(p2);
428 #ifdef TLS_DEBUG
429 printf("\nkey block\n");
430 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
431 #endif
432
433         return(1);
434 err:
435         SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
436         return(0);
437         }
438
439 int tls1_enc(SSL *s, int send)
440         {
441         SSL3_RECORD *rec;
442         EVP_CIPHER_CTX *ds;
443         unsigned long l;
444         int bs,i,ii,j,k,n=0;
445         const EVP_CIPHER *enc;
446
447         if (send)
448                 {
449                 if (s->write_hash != NULL)
450                         n=EVP_MD_size(s->write_hash);
451                 ds=s->enc_write_ctx;
452                 rec= &(s->s3->wrec);
453                 if (s->enc_write_ctx == NULL)
454                         enc=NULL;
455                 else
456                         enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
457                 }
458         else
459                 {
460                 if (s->read_hash != NULL)
461                         n=EVP_MD_size(s->read_hash);
462                 ds=s->enc_read_ctx;
463                 rec= &(s->s3->rrec);
464                 if (s->enc_read_ctx == NULL)
465                         enc=NULL;
466                 else
467                         enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
468                 }
469
470 #ifdef KSSL_DEBUG
471         printf("tls1_enc(%d)\n", send);
472 #endif    /* KSSL_DEBUG */
473
474         if ((s->session == NULL) || (ds == NULL) ||
475                 (enc == NULL))
476                 {
477                 memmove(rec->data,rec->input,rec->length);
478                 rec->input=rec->data;
479                 }
480         else
481                 {
482                 l=rec->length;
483                 bs=EVP_CIPHER_block_size(ds->cipher);
484
485                 if ((bs != 1) && send)
486                         {
487                         i=bs-((int)l%bs);
488
489                         /* Add weird padding of upto 256 bytes */
490
491                         /* we need to add 'i' padding bytes of value j */
492                         j=i-1;
493                         if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
494                                 {
495                                 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
496                                         j++;
497                                 }
498                         for (k=(int)l; k<(int)(l+i); k++)
499                                 rec->input[k]=j;
500                         l+=i;
501                         rec->length+=i;
502                         }
503
504 #ifdef KSSL_DEBUG
505                 {
506                 unsigned long ui;
507                 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
508                         ds,rec->data,rec->input,l);
509                 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
510                         ds->buf_len, ds->cipher->key_len,
511                         DES_KEY_SZ, DES_SCHEDULE_SZ,
512                         ds->cipher->iv_len);
513                 printf("\t\tIV: ");
514                 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
515                 printf("\n");
516                 printf("\trec->input=");
517                 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
518                 printf("\n");
519                 }
520 #endif  /* KSSL_DEBUG */
521
522                 if (!send)
523                         {
524                         if (l == 0 || l%bs != 0)
525                                 {
526                                 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
527                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
528                                 return 0;
529                                 }
530                         }
531                 
532                 EVP_Cipher(ds,rec->data,rec->input,l);
533
534 #ifdef KSSL_DEBUG
535                 {
536                 unsigned long i;
537                 printf("\trec->data=");
538                 for (i=0; i<l; i++)
539                         printf(" %02x", rec->data[i]);  printf("\n");
540                 }
541 #endif  /* KSSL_DEBUG */
542
543                 if ((bs != 1) && !send)
544                         {
545                         ii=i=rec->data[l-1]; /* padding_length */
546                         i++;
547                         if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
548                                 {
549                                 /* First packet is even in size, so check */
550                                 if ((memcmp(s->s3->read_sequence,
551                                         "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
552                                         s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
553                                 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
554                                         i--;
555                                 }
556                         /* TLS 1.0 does not bound the number of padding bytes by the block size.
557                          * All of them must have value 'padding_length'. */
558                         if (i > (int)rec->length)
559                                 {
560                                 /* Incorrect padding. SSLerr() and ssl3_alert are done
561                                  * by caller: we don't want to reveal whether this is
562                                  * a decryption error or a MAC verification failure
563                                  * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
564                                 return -1;
565                                 }
566                         for (j=(int)(l-i); j<(int)l; j++)
567                                 {
568                                 if (rec->data[j] != ii)
569                                         {
570                                         /* Incorrect padding */
571                                         return -1;
572                                         }
573                                 }
574                         rec->length-=i;
575                         }
576                 }
577         return(1);
578         }
579
580 int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
581         {
582         unsigned int ret;
583         EVP_MD_CTX ctx;
584
585         EVP_MD_CTX_init(&ctx);
586         EVP_MD_CTX_copy_ex(&ctx,in_ctx);
587         EVP_DigestFinal_ex(&ctx,out,&ret);
588         EVP_MD_CTX_cleanup(&ctx);
589         return((int)ret);
590         }
591
592 int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
593              const char *str, int slen, unsigned char *out)
594         {
595         unsigned int i;
596         EVP_MD_CTX ctx;
597         unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH];
598         unsigned char *q,buf2[12];
599
600         q=buf;
601         memcpy(q,str,slen);
602         q+=slen;
603
604         EVP_MD_CTX_init(&ctx);
605         EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
606         EVP_DigestFinal_ex(&ctx,q,&i);
607         q+=i;
608         EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
609         EVP_DigestFinal_ex(&ctx,q,&i);
610         q+=i;
611
612         tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
613                 s->session->master_key,s->session->master_key_length,
614                 out,buf2,12);
615         EVP_MD_CTX_cleanup(&ctx);
616
617         return((int)12);
618         }
619
620 int tls1_mac(SSL *ssl, unsigned char *md, int send)
621         {
622         SSL3_RECORD *rec;
623         unsigned char *mac_sec,*seq;
624         const EVP_MD *hash;
625         unsigned int md_size;
626         int i;
627         HMAC_CTX hmac;
628         unsigned char buf[5]; 
629
630         if (send)
631                 {
632                 rec= &(ssl->s3->wrec);
633                 mac_sec= &(ssl->s3->write_mac_secret[0]);
634                 seq= &(ssl->s3->write_sequence[0]);
635                 hash=ssl->write_hash;
636                 }
637         else
638                 {
639                 rec= &(ssl->s3->rrec);
640                 mac_sec= &(ssl->s3->read_mac_secret[0]);
641                 seq= &(ssl->s3->read_sequence[0]);
642                 hash=ssl->read_hash;
643                 }
644
645         md_size=EVP_MD_size(hash);
646
647         buf[0]=rec->type;
648         buf[1]=TLS1_VERSION_MAJOR;
649         buf[2]=TLS1_VERSION_MINOR;
650         buf[3]=rec->length>>8;
651         buf[4]=rec->length&0xff;
652
653         /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
654         HMAC_CTX_init(&hmac);
655         HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash);
656         HMAC_Update(&hmac,seq,8);
657         HMAC_Update(&hmac,buf,5);
658         HMAC_Update(&hmac,rec->input,rec->length);
659         HMAC_Final(&hmac,md,&md_size);
660         HMAC_CTX_cleanup(&hmac);
661
662 #ifdef TLS_DEBUG
663 printf("sec=");
664 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
665 printf("seq=");
666 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
667 printf("buf=");
668 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
669 printf("rec=");
670 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
671 #endif
672
673         for (i=7; i>=0; i--)
674                 {
675                 ++seq[i];
676                 if (seq[i] != 0) break; 
677                 }
678
679 #ifdef TLS_DEBUG
680 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
681 #endif
682         return(md_size);
683         }
684
685 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
686              int len)
687         {
688         unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE];
689         unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
690
691 #ifdef KSSL_DEBUG
692         printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
693 #endif  /* KSSL_DEBUG */
694
695         /* Setup the stuff to munge */
696         memcpy(buf,TLS_MD_MASTER_SECRET_CONST,
697                 TLS_MD_MASTER_SECRET_CONST_SIZE);
698         memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]),
699                 s->s3->client_random,SSL3_RANDOM_SIZE);
700         memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]),
701                 s->s3->server_random,SSL3_RANDOM_SIZE);
702         tls1_PRF(s->ctx->md5,s->ctx->sha1,
703                 buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
704                 s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
705 #ifdef KSSL_DEBUG
706         printf ("tls1_generate_master_secret() complete\n");
707 #endif  /* KSSL_DEBUG */
708         return(SSL3_MASTER_SECRET_SIZE);
709         }
710
711 int tls1_alert_code(int code)
712         {
713         switch (code)
714                 {
715         case SSL_AD_CLOSE_NOTIFY:       return(SSL3_AD_CLOSE_NOTIFY);
716         case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
717         case SSL_AD_BAD_RECORD_MAC:     return(SSL3_AD_BAD_RECORD_MAC);
718         case SSL_AD_DECRYPTION_FAILED:  return(TLS1_AD_DECRYPTION_FAILED);
719         case SSL_AD_RECORD_OVERFLOW:    return(TLS1_AD_RECORD_OVERFLOW);
720         case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
721         case SSL_AD_HANDSHAKE_FAILURE:  return(SSL3_AD_HANDSHAKE_FAILURE);
722         case SSL_AD_NO_CERTIFICATE:     return(-1);
723         case SSL_AD_BAD_CERTIFICATE:    return(SSL3_AD_BAD_CERTIFICATE);
724         case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
725         case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
726         case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
727         case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
728         case SSL_AD_ILLEGAL_PARAMETER:  return(SSL3_AD_ILLEGAL_PARAMETER);
729         case SSL_AD_UNKNOWN_CA:         return(TLS1_AD_UNKNOWN_CA);
730         case SSL_AD_ACCESS_DENIED:      return(TLS1_AD_ACCESS_DENIED);
731         case SSL_AD_DECODE_ERROR:       return(TLS1_AD_DECODE_ERROR);
732         case SSL_AD_DECRYPT_ERROR:      return(TLS1_AD_DECRYPT_ERROR);
733         case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
734         case SSL_AD_PROTOCOL_VERSION:   return(TLS1_AD_PROTOCOL_VERSION);
735         case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
736         case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
737         case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
738         case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
739         default:                        return(-1);
740                 }
741         }
742