comment

[openssl.git] / ssl / t1_enc.c

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 5f0976f9e7a9983e8176edf56d7ca1a9db195f10..a6502772e8cd3fd79e08e5e083a900abaa71c611 100644 (file)
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -58,11 +58,10 @@
 
 #include <stdio.h>
 #include <openssl/comp.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include "ssl_locl.h"
+#include <openssl/md5.h>
 
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                        int sec_len, unsigned char *seed, int seed_len,
@@ -77,7 +76,10 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
        
        chunk=EVP_MD_size(md);
 
+       HMAC_CTX_init(&ctx);
+       HMAC_CTX_init(&ctx_tmp);
        HMAC_Init(&ctx,sec,sec_len,md);
+       HMAC_Init(&ctx_tmp,sec,sec_len,md);
        HMAC_Update(&ctx,seed,seed_len);
        HMAC_Final(&ctx,A1,&A1_len);
 
@@ -85,8 +87,9 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
        for (;;)
                {
                HMAC_Init(&ctx,NULL,0,NULL); /* re-init */
+               HMAC_Init(&ctx_tmp,NULL,0,NULL); /* re-init */
                HMAC_Update(&ctx,A1,A1_len);
-               memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */
+               HMAC_Update(&ctx_tmp,A1,A1_len);
                HMAC_Update(&ctx,seed,seed_len);
 
                if (olen > chunk)
@@ -103,8 +106,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                        break;
                        }
                }
-       HMAC_cleanup(&ctx);
-       HMAC_cleanup(&ctx_tmp);
+       HMAC_CTX_cleanup(&ctx);
+       HMAC_CTX_cleanup(&ctx_tmp);
        memset(A1,0,sizeof(A1));
        }
 
@@ -493,7 +496,7 @@ int tls1_enc(SSL *s, int send)
 
 #ifdef KSSL_DEBUG
                {
-                unsigned long i;
+                unsigned long ui;
                printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
                         ds,rec->data,rec->input,l);
                printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
@@ -504,11 +507,21 @@ int tls1_enc(SSL *s, int send)
                for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
                printf("\n");
                printf("\trec->input=");
-               for (i=0; i<l; i++) printf(" %02x", rec->input[i]);
+               for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
                printf("\n");
                }
 #endif /* KSSL_DEBUG */
 
+               if (!send)
+                       {
+                       if (l == 0 || l%bs != 0)
+                               {
+                               SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
+                               return 0;
+                               }
+                       }
+               
                EVP_Cipher(ds,rec->data,rec->input,l);
 
 #ifdef KSSL_DEBUG
@@ -522,7 +535,7 @@ int tls1_enc(SSL *s, int send)
 
                if ((bs != 1) && !send)
                        {
-                       ii=i=rec->data[l-1];
+                       ii=i=rec->data[l-1]; /* padding_length */
                        i++;
                        if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
                                {
@@ -533,19 +546,22 @@ int tls1_enc(SSL *s, int send)
                                if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
                                        i--;
                                }
+                       /* TLS 1.0 does not bound the number of padding bytes by the block size.
+                        * All of them must have value 'padding_length'. */
                        if (i > (int)rec->length)
                                {
-                               SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-                               ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
-                               return(0);
+                               /* Incorrect padding. SSLerr() and ssl3_alert are done
+                                * by caller: we don't want to reveal whether this is
+                                * a decryption error or a MAC verification failure
+                                * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
+                               return -1;
                                }
                        for (j=(int)(l-i); j<(int)l; j++)
                                {
                                if (rec->data[j] != ii)
                                        {
-                                       SSLerr(SSL_F_TLS1_ENC,SSL_R_DECRYPTION_FAILED);
-                                       ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
-                                       return(0);
+                                       /* Incorrect padding */
+                                       return -1;
                                        }
                                }
                        rec->length-=i;
@@ -559,8 +575,10 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
        unsigned int ret;
        EVP_MD_CTX ctx;
 
+       EVP_MD_CTX_init(&ctx);
        EVP_MD_CTX_copy(&ctx,in_ctx);
        EVP_DigestFinal(&ctx,out,&ret);
+       EVP_MD_CTX_cleanup(&ctx);
        return((int)ret);
        }
 
@@ -576,6 +594,7 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
        memcpy(q,str,slen);
        q+=slen;
 
+       EVP_MD_CTX_init(&ctx);
        EVP_MD_CTX_copy(&ctx,in1_ctx);
        EVP_DigestFinal(&ctx,q,&i);
        q+=i;
@@ -586,7 +605,7 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
        tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
                s->session->master_key,s->session->master_key_length,
                out,buf2,12);
-       memset(&ctx,0,sizeof(EVP_MD_CTX));
+       EVP_MD_CTX_cleanup(&ctx);
 
        return((int)12);
        }
@@ -625,11 +644,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
        buf[4]=rec->length&0xff;
 
        /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
+       HMAC_CTX_init(&hmac);
        HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash);
        HMAC_Update(&hmac,seq,8);
        HMAC_Update(&hmac,buf,5);
        HMAC_Update(&hmac,rec->input,rec->length);
        HMAC_Final(&hmac,md,&md_size);
+       HMAC_CTX_cleanup(&hmac);
 
 #ifdef TLS_DEBUG
 printf("sec=");