Fix unsigned/signed warnings in ssl.
[openssl.git] / ssl / t1_enc.c
1 /* ssl/t1_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/comp.h>
141 #include <openssl/evp.h>
142 #include <openssl/hmac.h>
143 #include <openssl/md5.h>
144 #ifdef KSSL_DEBUG
145 #include <openssl/des.h>
146 #endif
147
148 /* seed1 through seed5 are virtually concatenated */
149 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
150                         int sec_len,
151                         const void *seed1, int seed1_len,
152                         const void *seed2, int seed2_len,
153                         const void *seed3, int seed3_len,
154                         const void *seed4, int seed4_len,
155                         const void *seed5, int seed5_len,
156                         unsigned char *out, int olen)
157         {
158         int chunk,n;
159         unsigned int j;
160         HMAC_CTX ctx;
161         HMAC_CTX ctx_tmp;
162         unsigned char A1[EVP_MAX_MD_SIZE];
163         unsigned int A1_len;
164         
165         chunk=EVP_MD_size(md);
166
167         HMAC_CTX_init(&ctx);
168         HMAC_CTX_init(&ctx_tmp);
169         HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
170         HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
171         if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len);
172         if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len);
173         if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len);
174         if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len);
175         if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len);
176         HMAC_Final(&ctx,A1,&A1_len);
177
178         n=0;
179         for (;;)
180                 {
181                 HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
182                 HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
183                 HMAC_Update(&ctx,A1,A1_len);
184                 HMAC_Update(&ctx_tmp,A1,A1_len);
185                 if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len);
186                 if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len);
187                 if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len);
188                 if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len);
189                 if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len);
190
191                 if (olen > chunk)
192                         {
193                         HMAC_Final(&ctx,out,&j);
194                         out+=j;
195                         olen-=j;
196                         HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
197                         }
198                 else    /* last one */
199                         {
200                         HMAC_Final(&ctx,A1,&A1_len);
201                         memcpy(out,A1,olen);
202                         break;
203                         }
204                 }
205         HMAC_CTX_cleanup(&ctx);
206         HMAC_CTX_cleanup(&ctx_tmp);
207         OPENSSL_cleanse(A1,sizeof(A1));
208         }
209
210 /* seed1 through seed5 are virtually concatenated */
211 static void tls1_PRF(long digest_mask,
212                      const void *seed1, int seed1_len,
213                      const void *seed2, int seed2_len,
214                      const void *seed3, int seed3_len,
215                      const void *seed4, int seed4_len,
216                      const void *seed5, int seed5_len,
217                      const unsigned char *sec, int slen,
218                      unsigned char *out1,
219                      unsigned char *out2, int olen)
220         {
221         int len,i,idx,count;
222         const unsigned char *S1;
223         long m;
224         const EVP_MD *md;
225
226         /* Count number of digests and partition sec evenly */
227         count=0;
228         for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
229                 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) count++;
230         }       
231         len=slen/count;
232         S1=sec;
233         memset(out1,0,olen);
234         for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) {
235                 if ((m<<TLS1_PRF_DGST_SHIFT) & digest_mask) {
236                         if (!md) {
237                                 SSLerr(SSL_F_TLS1_PRF,
238                                 SSL_R_UNSUPPORTED_DIGEST_TYPE);
239                                 return;                         
240                         }
241                         tls1_P_hash(md ,S1,len+(slen&1),
242                                     seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len,
243                                     out2,olen);
244                         S1+=len;
245                         for (i=0; i<olen; i++)
246                         {
247                                 out1[i]^=out2[i];
248                         }
249                 }
250         }
251
252 }
253 static void tls1_generate_key_block(SSL *s, unsigned char *km,
254              unsigned char *tmp, int num)
255         {
256         tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
257                  TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE,
258                  s->s3->server_random,SSL3_RANDOM_SIZE,
259                  s->s3->client_random,SSL3_RANDOM_SIZE,
260                  NULL,0,NULL,0,
261                  s->session->master_key,s->session->master_key_length,
262                  km,tmp,num);
263 #ifdef KSSL_DEBUG
264         printf("tls1_generate_key_block() ==> %d byte master_key =\n\t",
265                 s->session->master_key_length);
266         {
267         int i;
268         for (i=0; i < s->session->master_key_length; i++)
269                 {
270                 printf("%02X", s->session->master_key[i]);
271                 }
272         printf("\n");  }
273 #endif    /* KSSL_DEBUG */
274         }
275
276 int tls1_change_cipher_state(SSL *s, int which)
277         {
278         static const unsigned char empty[]="";
279         unsigned char *p,*key_block,*mac_secret;
280         unsigned char *exp_label;
281         unsigned char tmp1[EVP_MAX_KEY_LENGTH];
282         unsigned char tmp2[EVP_MAX_KEY_LENGTH];
283         unsigned char iv1[EVP_MAX_IV_LENGTH*2];
284         unsigned char iv2[EVP_MAX_IV_LENGTH*2];
285         unsigned char *ms,*key,*iv,*er1,*er2;
286         int client_write;
287         EVP_CIPHER_CTX *dd;
288         const EVP_CIPHER *c;
289 #ifndef OPENSSL_NO_COMP
290         const SSL_COMP *comp;
291 #endif
292         const EVP_MD *m;
293         int mac_type;
294         int *mac_secret_size;
295         EVP_MD_CTX *mac_ctx;
296         EVP_PKEY *mac_key;
297         int is_export,n,i,j,k,exp_label_len,cl;
298         int reuse_dd = 0;
299
300         is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
301         c=s->s3->tmp.new_sym_enc;
302         m=s->s3->tmp.new_hash;
303         mac_type = s->s3->tmp.new_mac_pkey_type;
304 #ifndef OPENSSL_NO_COMP
305         comp=s->s3->tmp.new_compression;
306 #endif
307         key_block=s->s3->tmp.key_block;
308
309 #ifdef KSSL_DEBUG
310         printf("tls1_change_cipher_state(which= %d) w/\n", which);
311         printf("\talg= %ld/%ld, comp= %p\n",
312                s->s3->tmp.new_cipher->algorithm_mkey,
313                s->s3->tmp.new_cipher->algorithm_auth,
314                comp);
315         printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c);
316         printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n",
317                 c->nid,c->block_size,c->key_len,c->iv_len);
318         printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length);
319         {
320         int i;
321         for (i=0; i<s->s3->tmp.key_block_length; i++)
322                 printf("%02x", key_block[i]);  printf("\n");
323         }
324 #endif  /* KSSL_DEBUG */
325
326         if (which & SSL3_CC_READ)
327                 {
328                 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
329                         s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM;
330                         else
331                         s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM;
332
333                 if (s->enc_read_ctx != NULL)
334                         reuse_dd = 1;
335                 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
336                         goto err;
337                 else
338                         /* make sure it's intialized in case we exit later with an error */
339                         EVP_CIPHER_CTX_init(s->enc_read_ctx);
340                 dd= s->enc_read_ctx;
341                 mac_ctx=ssl_replace_hash(&s->read_hash,NULL);
342 #ifndef OPENSSL_NO_COMP
343                 if (s->expand != NULL)
344                         {
345                         COMP_CTX_free(s->expand);
346                         s->expand=NULL;
347                         }
348                 if (comp != NULL)
349                         {
350                         s->expand=COMP_CTX_new(comp->method);
351                         if (s->expand == NULL)
352                                 {
353                                 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
354                                 goto err2;
355                                 }
356                         if (s->s3->rrec.comp == NULL)
357                                 s->s3->rrec.comp=(unsigned char *)
358                                         OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH);
359                         if (s->s3->rrec.comp == NULL)
360                                 goto err;
361                         }
362 #endif
363                 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
364                 if (s->version != DTLS1_VERSION)
365                         memset(&(s->s3->read_sequence[0]),0,8);
366                 mac_secret= &(s->s3->read_mac_secret[0]);
367                 mac_secret_size=&(s->s3->read_mac_secret_size);
368                 }
369         else
370                 {
371                 if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC)
372                         s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
373                         else
374                         s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
375                 if (s->enc_write_ctx != NULL)
376                         reuse_dd = 1;
377                 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
378                         goto err;
379                 else
380                         /* make sure it's intialized in case we exit later with an error */
381                         EVP_CIPHER_CTX_init(s->enc_write_ctx);
382                 dd= s->enc_write_ctx;
383                 mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
384 #ifndef OPENSSL_NO_COMP
385                 if (s->compress != NULL)
386                         {
387                         COMP_CTX_free(s->compress);
388                         s->compress=NULL;
389                         }
390                 if (comp != NULL)
391                         {
392                         s->compress=COMP_CTX_new(comp->method);
393                         if (s->compress == NULL)
394                                 {
395                                 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
396                                 goto err2;
397                                 }
398                         }
399 #endif
400                 /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */
401                 if (s->version != DTLS1_VERSION)
402                         memset(&(s->s3->write_sequence[0]),0,8);
403                 mac_secret= &(s->s3->write_mac_secret[0]);
404                 mac_secret_size = &(s->s3->write_mac_secret_size);
405                 }
406
407         if (reuse_dd)
408                 EVP_CIPHER_CTX_cleanup(dd);
409
410         p=s->s3->tmp.key_block;
411         i=*mac_secret_size=s->s3->tmp.new_mac_secret_size;
412
413         cl=EVP_CIPHER_key_length(c);
414         j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
415                        cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
416         /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
417         k=EVP_CIPHER_iv_length(c);
418         er1= &(s->s3->client_random[0]);
419         er2= &(s->s3->server_random[0]);
420         if (    (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
421                 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
422                 {
423                 ms=  &(p[ 0]); n=i+i;
424                 key= &(p[ n]); n+=j+j;
425                 iv=  &(p[ n]); n+=k+k;
426                 exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST;
427                 exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE;
428                 client_write=1;
429                 }
430         else
431                 {
432                 n=i;
433                 ms=  &(p[ n]); n+=i+j;
434                 key= &(p[ n]); n+=j+k;
435                 iv=  &(p[ n]); n+=k;
436                 exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST;
437                 exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE;
438                 client_write=0;
439                 }
440
441         if (n > s->s3->tmp.key_block_length)
442                 {
443                 SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
444                 goto err2;
445                 }
446
447         memcpy(mac_secret,ms,i);
448         mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
449                         mac_secret,*mac_secret_size);
450         EVP_DigestSignInit(mac_ctx,NULL,m,NULL,mac_key);
451         EVP_PKEY_free(mac_key);
452 #ifdef TLS_DEBUG
453 printf("which = %04X\nmac key=",which);
454 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
455 #endif
456         if (is_export)
457                 {
458                 /* In here I set both the read and write key/iv to the
459                  * same value since only the correct one will be used :-).
460                  */
461                 tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
462                          exp_label,exp_label_len,
463                          s->s3->client_random,SSL3_RANDOM_SIZE,
464                          s->s3->server_random,SSL3_RANDOM_SIZE,
465                          NULL,0,NULL,0,
466                          key,j,tmp1,tmp2,EVP_CIPHER_key_length(c));
467                 key=tmp1;
468
469                 if (k > 0)
470                         {
471                         tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
472                                  TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE,
473                                  s->s3->client_random,SSL3_RANDOM_SIZE,
474                                  s->s3->server_random,SSL3_RANDOM_SIZE,
475                                  NULL,0,NULL,0,
476                                  empty,0,iv1,iv2,k*2);
477                         if (client_write)
478                                 iv=iv1;
479                         else
480                                 iv= &(iv1[k]);
481                         }
482                 }
483
484         s->session->key_arg_length=0;
485 #ifdef KSSL_DEBUG
486         {
487         int i;
488         printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
489         printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
490         printf("\n");
491         printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
492         printf("\n");
493         }
494 #endif  /* KSSL_DEBUG */
495
496         EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
497 #ifdef TLS_DEBUG
498 printf("which = %04X\nkey=",which);
499 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
500 printf("\niv=");
501 { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); }
502 printf("\n");
503 #endif
504
505         OPENSSL_cleanse(tmp1,sizeof(tmp1));
506         OPENSSL_cleanse(tmp2,sizeof(tmp1));
507         OPENSSL_cleanse(iv1,sizeof(iv1));
508         OPENSSL_cleanse(iv2,sizeof(iv2));
509         return(1);
510 err:
511         SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
512 err2:
513         return(0);
514         }
515
516 int tls1_setup_key_block(SSL *s)
517         {
518         unsigned char *p1,*p2;
519         const EVP_CIPHER *c;
520         const EVP_MD *hash;
521         int num;
522         SSL_COMP *comp;
523         int mac_type= NID_undef,mac_secret_size=0;
524
525 #ifdef KSSL_DEBUG
526         printf ("tls1_setup_key_block()\n");
527 #endif  /* KSSL_DEBUG */
528
529         if (s->s3->tmp.key_block_length != 0)
530                 return(1);
531
532         if (!ssl_cipher_get_evp(s->session,&c,&hash,&mac_type,&mac_secret_size,&comp))
533                 {
534                 SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
535                 return(0);
536                 }
537
538         s->s3->tmp.new_sym_enc=c;
539         s->s3->tmp.new_hash=hash;
540         s->s3->tmp.new_mac_pkey_type = mac_type;
541         s->s3->tmp.new_mac_secret_size = mac_secret_size;
542         num=EVP_CIPHER_key_length(c)+mac_secret_size+EVP_CIPHER_iv_length(c);
543         num*=2;
544
545         ssl3_cleanup_key_block(s);
546
547         if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL)
548                 goto err;
549         if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL)
550                 goto err;
551
552         s->s3->tmp.key_block_length=num;
553         s->s3->tmp.key_block=p1;
554
555
556 #ifdef TLS_DEBUG
557 printf("client random\n");
558 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); }
559 printf("server random\n");
560 { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); }
561 printf("pre-master\n");
562 { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
563 #endif
564         tls1_generate_key_block(s,p1,p2,num);
565         OPENSSL_cleanse(p2,num);
566         OPENSSL_free(p2);
567 #ifdef TLS_DEBUG
568 printf("\nkey block\n");
569 { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
570 #endif
571
572         if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
573                 {
574                 /* enable vulnerability countermeasure for CBC ciphers with
575                  * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
576                  */
577                 s->s3->need_empty_fragments = 1;
578
579                 if (s->session->cipher != NULL)
580                         {
581                         if (s->session->cipher->algorithm_enc == SSL_eNULL)
582                                 s->s3->need_empty_fragments = 0;
583                         
584 #ifndef OPENSSL_NO_RC4
585                         if (s->session->cipher->algorithm_enc == SSL_RC4)
586                                 s->s3->need_empty_fragments = 0;
587 #endif
588                         }
589                 }
590                 
591         return(1);
592 err:
593         SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
594         return(0);
595         }
596
597 int tls1_enc(SSL *s, int send)
598         {
599         SSL3_RECORD *rec;
600         EVP_CIPHER_CTX *ds;
601         unsigned long l;
602         int bs,i,ii,j,k,n=0;
603         const EVP_CIPHER *enc;
604
605         if (send)
606                 {
607                 if (EVP_MD_CTX_md(s->write_hash))
608                         n=EVP_MD_CTX_size(s->write_hash);
609                 ds=s->enc_write_ctx;
610                 rec= &(s->s3->wrec);
611                 if (s->enc_write_ctx == NULL)
612                         enc=NULL;
613                 else
614                         enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
615                 }
616         else
617                 {
618                 if (EVP_MD_CTX_md(s->read_hash))
619                         n=EVP_MD_CTX_size(s->read_hash);
620                 ds=s->enc_read_ctx;
621                 rec= &(s->s3->rrec);
622                 if (s->enc_read_ctx == NULL)
623                         enc=NULL;
624                 else
625                         enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
626                 }
627
628 #ifdef KSSL_DEBUG
629         printf("tls1_enc(%d)\n", send);
630 #endif    /* KSSL_DEBUG */
631
632         if ((s->session == NULL) || (ds == NULL) ||
633                 (enc == NULL))
634                 {
635                 memmove(rec->data,rec->input,rec->length);
636                 rec->input=rec->data;
637                 }
638         else
639                 {
640                 l=rec->length;
641                 bs=EVP_CIPHER_block_size(ds->cipher);
642
643                 if ((bs != 1) && send)
644                         {
645                         i=bs-((int)l%bs);
646
647                         /* Add weird padding of upto 256 bytes */
648
649                         /* we need to add 'i' padding bytes of value j */
650                         j=i-1;
651                         if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG)
652                                 {
653                                 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
654                                         j++;
655                                 }
656                         for (k=(int)l; k<(int)(l+i); k++)
657                                 rec->input[k]=j;
658                         l+=i;
659                         rec->length+=i;
660                         }
661
662 #ifdef KSSL_DEBUG
663                 {
664                 unsigned long ui;
665                 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
666                         ds,rec->data,rec->input,l);
667                 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
668                         ds->buf_len, ds->cipher->key_len,
669                         DES_KEY_SZ, DES_SCHEDULE_SZ,
670                         ds->cipher->iv_len);
671                 printf("\t\tIV: ");
672                 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
673                 printf("\n");
674                 printf("\trec->input=");
675                 for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
676                 printf("\n");
677                 }
678 #endif  /* KSSL_DEBUG */
679
680                 if (!send)
681                         {
682                         if (l == 0 || l%bs != 0)
683                                 {
684                                 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
685                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
686                                 return 0;
687                                 }
688                         }
689                 
690                 EVP_Cipher(ds,rec->data,rec->input,l);
691
692 #ifdef KSSL_DEBUG
693                 {
694                 unsigned long i;
695                 printf("\trec->data=");
696                 for (i=0; i<l; i++)
697                         printf(" %02x", rec->data[i]);  printf("\n");
698                 }
699 #endif  /* KSSL_DEBUG */
700
701                 if ((bs != 1) && !send)
702                         {
703                         ii=i=rec->data[l-1]; /* padding_length */
704                         i++;
705                         /* NB: if compression is in operation the first packet
706                          * may not be of even length so the padding bug check
707                          * cannot be performed. This bug workaround has been
708                          * around since SSLeay so hopefully it is either fixed
709                          * now or no buggy implementation supports compression 
710                          * [steve]
711                          */
712                         if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
713                                 && !s->expand)
714                                 {
715                                 /* First packet is even in size, so check */
716                                 if ((memcmp(s->s3->read_sequence,
717                                         "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
718                                         s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
719                                 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
720                                         i--;
721                                 }
722                         /* TLS 1.0 does not bound the number of padding bytes by the block size.
723                          * All of them must have value 'padding_length'. */
724                         if (i > (int)rec->length)
725                                 {
726                                 /* Incorrect padding. SSLerr() and ssl3_alert are done
727                                  * by caller: we don't want to reveal whether this is
728                                  * a decryption error or a MAC verification failure
729                                  * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
730                                 return -1;
731                                 }
732                         for (j=(int)(l-i); j<(int)l; j++)
733                                 {
734                                 if (rec->data[j] != ii)
735                                         {
736                                         /* Incorrect padding */
737                                         return -1;
738                                         }
739                                 }
740                         rec->length-=i;
741                         }
742                 }
743         return(1);
744         }
745 int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
746         {
747         unsigned int ret;
748         EVP_MD_CTX ctx, *d=NULL;
749         int i;
750
751         if (s->s3->handshake_buffer) 
752                 ssl3_digest_cached_records(s);
753         for (i=0;i<SSL_MAX_DIGEST;i++) 
754                 {
755                   if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid) 
756                         {
757                         d=s->s3->handshake_dgst[i];
758                         break;
759                         }
760                 }
761         if (!d) {
762                 SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC,SSL_R_NO_REQUIRED_DIGEST);
763                 return 0;
764         }       
765
766         EVP_MD_CTX_init(&ctx);
767         EVP_MD_CTX_copy_ex(&ctx,d);
768         EVP_DigestFinal_ex(&ctx,out,&ret);
769         EVP_MD_CTX_cleanup(&ctx);
770         return((int)ret);
771         }
772
773 int tls1_final_finish_mac(SSL *s,
774              const char *str, int slen, unsigned char *out)
775         {
776         unsigned int i;
777         EVP_MD_CTX ctx;
778         unsigned char buf[2*EVP_MAX_MD_SIZE];
779         unsigned char *q,buf2[12];
780         int idx;
781         long mask;
782         int err=0;
783         const EVP_MD *md; 
784
785         q=buf;
786
787         EVP_MD_CTX_init(&ctx);
788
789         if (s->s3->handshake_buffer) 
790                 ssl3_digest_cached_records(s);
791
792         for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++)
793                 {
794                 if (mask & s->s3->tmp.new_cipher->algorithm2)
795                         {
796                         unsigned int hashsize = EVP_MD_size(md);
797                         if (hashsize > (sizeof buf - (size_t)(q-buf)))
798                                 {
799                                 /* internal error: 'buf' is too small for this cipersuite! */
800                                 err = 1;
801                                 }
802                         else
803                                 {
804                                 EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
805                                 EVP_DigestFinal_ex(&ctx,q,&i);
806                                 if (i != hashsize) /* can't really happen */
807                                         err = 1;
808                                 q+=i;
809                                 }
810                         }
811                 }
812                 
813         tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
814                  str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0,
815                  s->session->master_key,s->session->master_key_length,
816                  out,buf2,sizeof buf2);
817         EVP_MD_CTX_cleanup(&ctx);
818
819         if (err)
820                 return 0;
821         else
822                 return sizeof buf2;
823         }
824
825 int tls1_mac(SSL *ssl, unsigned char *md, int send)
826         {
827         SSL3_RECORD *rec;
828         unsigned char *mac_sec,*seq;
829         EVP_MD_CTX *hash;
830         size_t md_size;
831         int i;
832         EVP_MD_CTX hmac, *mac_ctx;
833         unsigned char buf[5]; 
834         int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
835
836         if (send)
837                 {
838                 rec= &(ssl->s3->wrec);
839                 mac_sec= &(ssl->s3->write_mac_secret[0]);
840                 seq= &(ssl->s3->write_sequence[0]);
841                 hash=ssl->write_hash;
842                 }
843         else
844                 {
845                 rec= &(ssl->s3->rrec);
846                 mac_sec= &(ssl->s3->read_mac_secret[0]);
847                 seq= &(ssl->s3->read_sequence[0]);
848                 hash=ssl->read_hash;
849                 }
850
851         md_size=EVP_MD_CTX_size(hash);
852
853         buf[0]=rec->type;
854         buf[1]=(unsigned char)(ssl->version>>8);
855         buf[2]=(unsigned char)(ssl->version);
856         buf[3]=rec->length>>8;
857         buf[4]=rec->length&0xff;
858
859         /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
860         if (stream_mac) 
861                 {
862                         mac_ctx = hash;
863                 }
864                 else
865                 {
866                         EVP_MD_CTX_copy(&hmac,hash);
867                         mac_ctx = &hmac;
868                 }
869
870         if (ssl->version == DTLS1_VERSION)
871                 {
872                 unsigned char dtlsseq[8],*p=dtlsseq;
873
874                 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
875                 memcpy (p,&seq[2],6);
876
877                 EVP_DigestSignUpdate(mac_ctx,dtlsseq,8);
878                 }
879         else
880                 EVP_DigestSignUpdate(mac_ctx,seq,8);
881
882         EVP_DigestSignUpdate(mac_ctx,buf,5);
883         EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
884         EVP_DigestSignFinal(mac_ctx,md,&md_size);
885         if (!stream_mac) EVP_MD_CTX_cleanup(&hmac);
886 #ifdef TLS_DEBUG
887 printf("sec=");
888 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
889 printf("seq=");
890 {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); }
891 printf("buf=");
892 {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); }
893 printf("rec=");
894 {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
895 #endif
896
897         if (ssl->version != DTLS1_VERSION)
898                 {
899                 for (i=7; i>=0; i--)
900                         {
901                         ++seq[i];
902                         if (seq[i] != 0) break; 
903                         }
904                 }
905
906 #ifdef TLS_DEBUG
907 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }
908 #endif
909         return(md_size);
910         }
911
912 int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
913              int len)
914         {
915         unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH];
916         const void *co = NULL, *so = NULL;
917         int col = 0, sol = 0;
918
919 #ifdef KSSL_DEBUG
920         printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len);
921 #endif  /* KSSL_DEBUG */
922
923 #ifdef TLSEXT_TYPE_opaque_prf_input
924         if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL &&
925             s->s3->client_opaque_prf_input_len > 0 &&
926             s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len)
927                 {
928                 co = s->s3->client_opaque_prf_input;
929                 col = s->s3->server_opaque_prf_input_len;
930                 so = s->s3->server_opaque_prf_input;
931                 sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */
932                 }
933 #endif
934
935         tls1_PRF(s->s3->tmp.new_cipher->algorithm2,
936                 TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE,
937                 s->s3->client_random,SSL3_RANDOM_SIZE,
938                 co, col,
939                 s->s3->server_random,SSL3_RANDOM_SIZE,
940                 so, sol,
941                 p,len,
942                 s->session->master_key,buff,sizeof buff);
943
944 #ifdef KSSL_DEBUG
945         printf ("tls1_generate_master_secret() complete\n");
946 #endif  /* KSSL_DEBUG */
947         return(SSL3_MASTER_SECRET_SIZE);
948         }
949
950 int tls1_alert_code(int code)
951         {
952         switch (code)
953                 {
954         case SSL_AD_CLOSE_NOTIFY:       return(SSL3_AD_CLOSE_NOTIFY);
955         case SSL_AD_UNEXPECTED_MESSAGE: return(SSL3_AD_UNEXPECTED_MESSAGE);
956         case SSL_AD_BAD_RECORD_MAC:     return(SSL3_AD_BAD_RECORD_MAC);
957         case SSL_AD_DECRYPTION_FAILED:  return(TLS1_AD_DECRYPTION_FAILED);
958         case SSL_AD_RECORD_OVERFLOW:    return(TLS1_AD_RECORD_OVERFLOW);
959         case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
960         case SSL_AD_HANDSHAKE_FAILURE:  return(SSL3_AD_HANDSHAKE_FAILURE);
961         case SSL_AD_NO_CERTIFICATE:     return(-1);
962         case SSL_AD_BAD_CERTIFICATE:    return(SSL3_AD_BAD_CERTIFICATE);
963         case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
964         case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
965         case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
966         case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
967         case SSL_AD_ILLEGAL_PARAMETER:  return(SSL3_AD_ILLEGAL_PARAMETER);
968         case SSL_AD_UNKNOWN_CA:         return(TLS1_AD_UNKNOWN_CA);
969         case SSL_AD_ACCESS_DENIED:      return(TLS1_AD_ACCESS_DENIED);
970         case SSL_AD_DECODE_ERROR:       return(TLS1_AD_DECODE_ERROR);
971         case SSL_AD_DECRYPT_ERROR:      return(TLS1_AD_DECRYPT_ERROR);
972         case SSL_AD_EXPORT_RESTRICTION: return(TLS1_AD_EXPORT_RESTRICTION);
973         case SSL_AD_PROTOCOL_VERSION:   return(TLS1_AD_PROTOCOL_VERSION);
974         case SSL_AD_INSUFFICIENT_SECURITY:return(TLS1_AD_INSUFFICIENT_SECURITY);
975         case SSL_AD_INTERNAL_ERROR:     return(TLS1_AD_INTERNAL_ERROR);
976         case SSL_AD_USER_CANCELLED:     return(TLS1_AD_USER_CANCELLED);
977         case SSL_AD_NO_RENEGOTIATION:   return(TLS1_AD_NO_RENEGOTIATION);
978         case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION);
979         case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE);
980         case SSL_AD_UNRECOGNIZED_NAME:  return(TLS1_AD_UNRECOGNIZED_NAME);
981         case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
982         case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
983         case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
984 #if 0 /* not appropriate for TLS, not used for DTLS */
985         case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return 
986                                           (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
987 #endif
988         default:                        return(-1);
989                 }
990         }
991