X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_enc.c;h=11cd1b6e8233a94c9368da11735c0e7222f21b2e;hp=ae33bda78fc096f0a318a95ad6def63d8d97b55d;hb=287973746edec466d6e9cac72e27cf2978da8629;hpb=f9b3bff6f7e38960bb87a5623fbcbc45ee952c49

diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index ae33bda78f..11cd1b6e82 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -58,11 +58,10 @@
 
 #include <stdio.h>
 #include <openssl/comp.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include "ssl_locl.h"
+#include <openssl/md5.h>
 
 static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 			int sec_len, unsigned char *seed, int seed_len,
@@ -77,7 +76,10 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 	
 	chunk=EVP_MD_size(md);
 
+	HMAC_CTX_init(&ctx);
+	HMAC_CTX_init(&ctx_tmp);
 	HMAC_Init(&ctx,sec,sec_len,md);
+	HMAC_Init(&ctx_tmp,sec,sec_len,md);
 	HMAC_Update(&ctx,seed,seed_len);
 	HMAC_Final(&ctx,A1,&A1_len);
 
@@ -85,8 +87,9 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 	for (;;)
 		{
 		HMAC_Init(&ctx,NULL,0,NULL); /* re-init */
+		HMAC_Init(&ctx_tmp,NULL,0,NULL); /* re-init */
 		HMAC_Update(&ctx,A1,A1_len);
-		memcpy(&ctx_tmp,&ctx,sizeof(ctx)); /* Copy for A2 */ /* not needed for last one */
+		HMAC_Update(&ctx_tmp,A1,A1_len);
 		HMAC_Update(&ctx,seed,seed_len);
 
 		if (olen > chunk)
@@ -103,8 +106,8 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 			break;
 			}
 		}
-	HMAC_cleanup(&ctx);
-	HMAC_cleanup(&ctx_tmp);
+	HMAC_CTX_cleanup(&ctx);
+	HMAC_CTX_cleanup(&ctx_tmp);
 	memset(A1,0,sizeof(A1));
 	}
 
@@ -177,9 +180,10 @@ int tls1_change_cipher_state(SSL *s, int which)
 	const EVP_CIPHER *c;
 	const SSL_COMP *comp;
 	const EVP_MD *m;
-	int _exp,n,i,j,k,exp_label_len,cl;
+	int is_export,n,i,j,k,exp_label_len,cl;
+	int reuse_dd = 0;
 
-	_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+	is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
 	c=s->s3->tmp.new_sym_enc;
 	m=s->s3->tmp.new_hash;
 	comp=s->s3->tmp.new_compression;
@@ -202,9 +206,9 @@ int tls1_change_cipher_state(SSL *s, int which)
 
 	if (which & SSL3_CC_READ)
 		{
-		if ((s->enc_read_ctx == NULL) &&
-			((s->enc_read_ctx=(EVP_CIPHER_CTX *)
-			OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+		if (s->enc_read_ctx != NULL)
+			reuse_dd = 1;
+		else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
 			goto err;
 		dd= s->enc_read_ctx;
 		s->read_hash=m;
@@ -232,6 +236,10 @@ int tls1_change_cipher_state(SSL *s, int which)
 		}
 	else
 		{
+		if (s->enc_write_ctx != NULL)
+			reuse_dd = 1;
+		else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
+			goto err;
 		if ((s->enc_write_ctx == NULL) &&
 			((s->enc_write_ctx=(EVP_CIPHER_CTX *)
 			OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
@@ -256,13 +264,15 @@ int tls1_change_cipher_state(SSL *s, int which)
 		mac_secret= &(s->s3->write_mac_secret[0]);
 		}
 
+	if (reuse_dd)
+		EVP_CIPHER_CTX_cleanup(dd);
 	EVP_CIPHER_CTX_init(dd);
 
 	p=s->s3->tmp.key_block;
 	i=EVP_MD_size(m);
 	cl=EVP_CIPHER_key_length(c);
-	j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
-		  cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+	j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+	               cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
 	/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
 	k=EVP_CIPHER_iv_length(c);
 	er1= &(s->s3->client_random[0]);
@@ -290,7 +300,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 
 	if (n > s->s3->tmp.key_block_length)
 		{
-		SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR);
+		SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
 		goto err2;
 		}
 
@@ -299,7 +309,7 @@ int tls1_change_cipher_state(SSL *s, int which)
 printf("which = %04X\nmac key=",which);
 { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); }
 #endif
-	if (_exp)
+	if (is_export)
 		{
 		/* In here I set both the read and write key/iv to the
 		 * same value since only the correct one will be used :-).
@@ -338,7 +348,7 @@ printf("which = %04X\nmac key=",which);
 #ifdef KSSL_DEBUG
 	{
         int i;
-	printf("EVP_CipherInit(dd,c,key=,iv=,which)\n");
+	printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n");
 	printf("\tkey= "); for (i=0; i<c->key_len; i++) printf("%02x", key[i]);
 	printf("\n");
 	printf("\t iv= "); for (i=0; i<c->iv_len; i++) printf("%02x", iv[i]);
@@ -346,7 +356,7 @@ printf("which = %04X\nmac key=",which);
 	}
 #endif	/* KSSL_DEBUG */
 
-	EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
+	EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
 #ifdef TLS_DEBUG
 printf("which = %04X\nkey=",which);
 { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); }
@@ -464,7 +474,7 @@ int tls1_enc(SSL *s, int send)
 	if ((s->session == NULL) || (ds == NULL) ||
 		(enc == NULL))
 		{
-		memcpy(rec->data,rec->input,rec->length);
+		memmove(rec->data,rec->input,rec->length);
 		rec->input=rec->data;
 		}
 	else
@@ -493,7 +503,7 @@ int tls1_enc(SSL *s, int send)
 
 #ifdef KSSL_DEBUG
 		{
-                unsigned long i;
+                unsigned long ui;
 		printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
                         ds,rec->data,rec->input,l);
 		printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
@@ -504,11 +514,21 @@ int tls1_enc(SSL *s, int send)
 		for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
 		printf("\n");
 		printf("\trec->input=");
-		for (i=0; i<l; i++) printf(" %02x", rec->input[i]);
+		for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]);
 		printf("\n");
 		}
 #endif	/* KSSL_DEBUG */
 
+		if (!send)
+			{
+			if (l == 0 || l%bs != 0)
+				{
+				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
+				return 0;
+				}
+			}
+		
 		EVP_Cipher(ds,rec->data,rec->input,l);
 
 #ifdef KSSL_DEBUG
@@ -522,7 +542,7 @@ int tls1_enc(SSL *s, int send)
 
 		if ((bs != 1) && !send)
 			{
-			ii=i=rec->data[l-1];
+			ii=i=rec->data[l-1]; /* padding_length */
 			i++;
 			if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
 				{
@@ -533,19 +553,22 @@ int tls1_enc(SSL *s, int send)
 				if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
 					i--;
 				}
+			/* TLS 1.0 does not bound the number of padding bytes by the block size.
+			 * All of them must have value 'padding_length'. */
 			if (i > (int)rec->length)
 				{
-				SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
-				return(0);
+				/* Incorrect padding. SSLerr() and ssl3_alert are done
+				 * by caller: we don't want to reveal whether this is
+				 * a decryption error or a MAC verification failure
+				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
+				return -1;
 				}
 			for (j=(int)(l-i); j<(int)l; j++)
 				{
 				if (rec->data[j] != ii)
 					{
-					SSLerr(SSL_F_TLS1_ENC,SSL_R_DECRYPTION_FAILED);
-					ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
-					return(0);
+					/* Incorrect padding */
+					return -1;
 					}
 				}
 			rec->length-=i;
@@ -559,8 +582,10 @@ int tls1_cert_verify_mac(SSL *s, EVP_MD_CTX *in_ctx, unsigned char *out)
 	unsigned int ret;
 	EVP_MD_CTX ctx;
 
-	EVP_MD_CTX_copy(&ctx,in_ctx);
-	EVP_DigestFinal(&ctx,out,&ret);
+	EVP_MD_CTX_init(&ctx);
+	EVP_MD_CTX_copy_ex(&ctx,in_ctx);
+	EVP_DigestFinal_ex(&ctx,out,&ret);
+	EVP_MD_CTX_cleanup(&ctx);
 	return((int)ret);
 	}
 
@@ -576,17 +601,18 @@ int tls1_final_finish_mac(SSL *s, EVP_MD_CTX *in1_ctx, EVP_MD_CTX *in2_ctx,
 	memcpy(q,str,slen);
 	q+=slen;
 
-	EVP_MD_CTX_copy(&ctx,in1_ctx);
-	EVP_DigestFinal(&ctx,q,&i);
+	EVP_MD_CTX_init(&ctx);
+	EVP_MD_CTX_copy_ex(&ctx,in1_ctx);
+	EVP_DigestFinal_ex(&ctx,q,&i);
 	q+=i;
-	EVP_MD_CTX_copy(&ctx,in2_ctx);
-	EVP_DigestFinal(&ctx,q,&i);
+	EVP_MD_CTX_copy_ex(&ctx,in2_ctx);
+	EVP_DigestFinal_ex(&ctx,q,&i);
 	q+=i;
 
 	tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(q-buf),
 		s->session->master_key,s->session->master_key_length,
 		out,buf2,12);
-	memset(&ctx,0,sizeof(EVP_MD_CTX));
+	EVP_MD_CTX_cleanup(&ctx);
 
 	return((int)12);
 	}
@@ -625,11 +651,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 	buf[4]=rec->length&0xff;
 
 	/* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
+	HMAC_CTX_init(&hmac);
 	HMAC_Init(&hmac,mac_sec,EVP_MD_size(hash),hash);
 	HMAC_Update(&hmac,seq,8);
 	HMAC_Update(&hmac,buf,5);
 	HMAC_Update(&hmac,rec->input,rec->length);
 	HMAC_Final(&hmac,md,&md_size);
+	HMAC_CTX_cleanup(&hmac);
 
 #ifdef TLS_DEBUG
 printf("sec=");
@@ -643,7 +671,10 @@ printf("rec=");
 #endif
 
 	for (i=7; i>=0; i--)
-		if (++seq[i]) break; 
+		{
+		++seq[i];
+		if (seq[i] != 0) break; 
+		}
 
 #ifdef TLS_DEBUG
 {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); }