*/
#include <stdio.h>
+#include "ssl_locl.h"
#include <openssl/comp.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
-#include "ssl_locl.h"
#include <openssl/md5.h>
static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
unsigned int j;
HMAC_CTX ctx;
HMAC_CTX ctx_tmp;
- unsigned char A1[HMAC_MAX_MD_CBLOCK];
+ unsigned char A1[EVP_MAX_MD_SIZE];
unsigned int A1_len;
chunk=EVP_MD_size(md);
}
HMAC_CTX_cleanup(&ctx);
HMAC_CTX_cleanup(&ctx_tmp);
- memset(A1,0,sizeof(A1));
+ OPENSSL_cleanse(A1,sizeof(A1));
}
static void tls1_PRF(const EVP_MD *md5, const EVP_MD *sha1,
printf("\n");
#endif
- memset(tmp1,0,sizeof(tmp1));
- memset(tmp2,0,sizeof(tmp1));
- memset(iv1,0,sizeof(iv1));
- memset(iv2,0,sizeof(iv2));
+ OPENSSL_cleanse(tmp1,sizeof(tmp1));
+ OPENSSL_cleanse(tmp2,sizeof(tmp1));
+ OPENSSL_cleanse(iv1,sizeof(iv1));
+ OPENSSL_cleanse(iv2,sizeof(iv2));
return(1);
err:
SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
{ int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); }
#endif
tls1_generate_key_block(s,p1,p2,num);
- memset(p2,0,num);
+ OPENSSL_cleanse(p2,num);
OPENSSL_free(p2);
#ifdef TLS_DEBUG
printf("\nkey block\n");
{ int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); }
#endif
- /* enable vulnerability countermeasure for CBC ciphers with
- * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */
- s->s3->need_empty_fragments = 1;
-#ifndef NO_RC4
- if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
- s->s3->need_empty_fragments = 0;
+ if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
+ {
+ /* enable vulnerability countermeasure for CBC ciphers with
+ * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
+ */
+ s->s3->need_empty_fragments = 1;
+
+ if (s->session->cipher != NULL)
+ {
+ if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
+ s->s3->need_empty_fragments = 0;
+
+#ifndef OPENSSL_NO_RC4
+ if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
+ s->s3->need_empty_fragments = 0;
#endif
+ }
+ }
return(1);
err:
tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
s->session->master_key,s->session->master_key_length,
- out,buf2,12);
+ out,buf2,sizeof buf2);
EVP_MD_CTX_cleanup(&ctx);
- return((int)12);
+ return sizeof buf2;
}
int tls1_mac(SSL *ssl, unsigned char *md, int send)
s->s3->server_random,SSL3_RANDOM_SIZE);
tls1_PRF(s->ctx->md5,s->ctx->sha1,
buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len,
- s->session->master_key,buff,SSL3_MASTER_SECRET_SIZE);
+ s->session->master_key,buff,sizeof buff);
#ifdef KSSL_DEBUG
printf ("tls1_generate_master_secret() complete\n");
#endif /* KSSL_DEBUG */