X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=ssl%2Ft1_enc.c;h=d9cb059d0c21685d8b0e9c7c2cba816fe4b70350;hp=80cfe44a02070cabd4741d532d0302f661d5fc67;hb=7ba3838a4bfcf6728895ebc1e625f99ef5506999;hpb=81025661a94034fef1386cb5d5137ba4ddb120f0 diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 80cfe44a02..d9cb059d0c 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -137,13 +137,24 @@ #include #include "ssl_locl.h" +#ifndef OPENSSL_NO_COMP #include +#endif #include #include #include +#ifdef KSSL_DEBUG +#include +#endif +/* seed1 through seed5 are virtually concatenated */ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, - int sec_len, unsigned char *seed, int seed_len, + int sec_len, + const void *seed1, int seed1_len, + const void *seed2, int seed2_len, + const void *seed3, int seed3_len, + const void *seed4, int seed4_len, + const void *seed5, int seed5_len, unsigned char *out, int olen) { int chunk,n; @@ -154,12 +165,17 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, unsigned int A1_len; chunk=EVP_MD_size(md); + OPENSSL_assert(chunk >= 0); HMAC_CTX_init(&ctx); HMAC_CTX_init(&ctx_tmp); HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); - HMAC_Update(&ctx,seed,seed_len); + if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len); + if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len); + if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len); + if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len); + if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len); HMAC_Final(&ctx,A1,&A1_len); n=0; @@ -169,7 +185,11 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */ HMAC_Update(&ctx,A1,A1_len); HMAC_Update(&ctx_tmp,A1,A1_len); - HMAC_Update(&ctx,seed,seed_len); + if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len); + if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len); + if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len); + if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len); + if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len); if (olen > chunk) { @@ -190,9 +210,15 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, OPENSSL_cleanse(A1,sizeof(A1)); } +/* seed1 through seed5 are virtually concatenated */ static void tls1_PRF(long digest_mask, - unsigned char *label, int label_len, - const unsigned char *sec, int slen, unsigned char *out1, + const void *seed1, int seed1_len, + const void *seed2, int seed2_len, + const void *seed3, int seed3_len, + const void *seed4, int seed4_len, + const void *seed5, int seed5_len, + const unsigned char *sec, int slen, + unsigned char *out1, unsigned char *out2, int olen) { int len,i,idx,count; @@ -200,7 +226,7 @@ static void tls1_PRF(long digest_mask, long m; const EVP_MD *md; - /* Count number of digests and divide sec evenly */ + /* Count number of digests and partition sec evenly */ count=0; for (idx=0;ssl_get_handshake_digest(idx,&m,&md);idx++) { if ((m<s3->server_random,SSL3_RANDOM_SIZE); - p+=SSL3_RANDOM_SIZE; - memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); - p+=SSL3_RANDOM_SIZE; - - tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,(int)(p-buf), + tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE, + s->s3->server_random,SSL3_RANDOM_SIZE, + s->s3->client_random,SSL3_RANDOM_SIZE, + NULL,0,NULL,0, s->session->master_key,s->session->master_key_length, km,tmp,num); #ifdef KSSL_DEBUG @@ -261,8 +280,7 @@ int tls1_change_cipher_state(SSL *s, int which) { static const unsigned char empty[]=""; unsigned char *p,*key_block,*mac_secret; - unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ - SSL3_RANDOM_SIZE*2]; + unsigned char *exp_label; unsigned char tmp1[EVP_MAX_KEY_LENGTH]; unsigned char tmp2[EVP_MAX_KEY_LENGTH]; unsigned char iv1[EVP_MAX_IV_LENGTH*2]; @@ -443,29 +461,22 @@ printf("which = %04X\nmac key=",which); /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ - p=buf; - memcpy(p,exp_label,exp_label_len); - p+=exp_label_len; - memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); - p+=SSL3_RANDOM_SIZE; - memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); - p+=SSL3_RANDOM_SIZE; - tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,(int)(p-buf),key,j, - tmp1,tmp2,EVP_CIPHER_key_length(c)); + tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + exp_label,exp_label_len, + s->s3->client_random,SSL3_RANDOM_SIZE, + s->s3->server_random,SSL3_RANDOM_SIZE, + NULL,0,NULL,0, + key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)); key=tmp1; if (k > 0) { - p=buf; - memcpy(p,TLS_MD_IV_BLOCK_CONST, - TLS_MD_IV_BLOCK_CONST_SIZE); - p+=TLS_MD_IV_BLOCK_CONST_SIZE; - memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); - p+=SSL3_RANDOM_SIZE; - memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); - p+=SSL3_RANDOM_SIZE; - tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,p-buf,empty,0, - iv1,iv2,k*2); + tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, + s->s3->client_random,SSL3_RANDOM_SIZE, + s->s3->server_random,SSL3_RANDOM_SIZE, + NULL,0,NULL,0, + empty,0,iv1,iv2,k*2); if (client_write) iv=iv1; else @@ -597,7 +608,10 @@ int tls1_enc(SSL *s, int send) if (send) { if (EVP_MD_CTX_md(s->write_hash)) + { n=EVP_MD_CTX_size(s->write_hash); + OPENSSL_assert(n >= 0); + } ds=s->enc_write_ctx; rec= &(s->s3->wrec); if (s->enc_write_ctx == NULL) @@ -608,7 +622,10 @@ int tls1_enc(SSL *s, int send) else { if (EVP_MD_CTX_md(s->read_hash)) + { n=EVP_MD_CTX_size(s->read_hash); + OPENSSL_assert(n >= 0); + } ds=s->enc_read_ctx; rec= &(s->s3->rrec); if (s->enc_read_ctx == NULL) @@ -741,7 +758,9 @@ int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) int i; if (s->s3->handshake_buffer) - ssl3_digest_cached_records(s); + if (!ssl3_digest_cached_records(s)) + return 0; + for (i=0;is3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid) @@ -767,35 +786,52 @@ int tls1_final_finish_mac(SSL *s, { unsigned int i; EVP_MD_CTX ctx; - unsigned char buf[TLS_MD_MAX_CONST_SIZE+MD5_DIGEST_LENGTH+SHA_DIGEST_LENGTH]; + unsigned char buf[2*EVP_MAX_MD_SIZE]; unsigned char *q,buf2[12]; int idx; long mask; + int err=0; const EVP_MD *md; q=buf; - memcpy(q,str,slen); - q+=slen; - - EVP_MD_CTX_init(&ctx); if (s->s3->handshake_buffer) - ssl3_digest_cached_records(s); + if (!ssl3_digest_cached_records(s)) + return 0; - for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) { - if (mask & s->s3->tmp.new_cipher->algorithm2) { - EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); - EVP_DigestFinal_ex(&ctx,q,&i); - q+=i; - } - } + EVP_MD_CTX_init(&ctx); - tls1_PRF(s->s3->tmp.new_cipher->algorithm2,buf,(int)(q-buf), - s->session->master_key,s->session->master_key_length, - out,buf2,sizeof buf2); + for (idx=0;ssl_get_handshake_digest(idx,&mask,&md);idx++) + { + if (mask & s->s3->tmp.new_cipher->algorithm2) + { + int hashsize = EVP_MD_size(md); + if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) + { + /* internal error: 'buf' is too small for this cipersuite! */ + err = 1; + } + else + { + EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); + EVP_DigestFinal_ex(&ctx,q,&i); + if (i != (unsigned int)hashsize) /* can't really happen */ + err = 1; + q+=i; + } + } + } + + tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, + s->session->master_key,s->session->master_key_length, + out,buf2,sizeof buf2); EVP_MD_CTX_cleanup(&ctx); - return sizeof buf2; + if (err) + return 0; + else + return sizeof buf2; } int tls1_mac(SSL *ssl, unsigned char *md, int send) @@ -808,6 +844,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) EVP_MD_CTX hmac, *mac_ctx; unsigned char buf[5]; int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); + int t; + if (send) { rec= &(ssl->s3->wrec); @@ -823,11 +861,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) hash=ssl->read_hash; } - md_size=EVP_MD_CTX_size(hash); + t=EVP_MD_CTX_size(hash); + OPENSSL_assert(t >= 0); + md_size=t; buf[0]=rec->type; - buf[1]=TLS1_VERSION_MAJOR; - buf[2]=TLS1_VERSION_MINOR; + buf[1]=(unsigned char)(ssl->version>>8); + buf[2]=(unsigned char)(ssl->version); buf[3]=rec->length>>8; buf[4]=rec->length&0xff; @@ -840,13 +880,26 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) { EVP_MD_CTX_copy(&hmac,hash); mac_ctx = &hmac; - } - EVP_DigestSignUpdate(mac_ctx,seq,8); + } + + if (ssl->version == DTLS1_VERSION || ssl->version == DTLS1_BAD_VER) + { + unsigned char dtlsseq[8],*p=dtlsseq; + + s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); + memcpy (p,&seq[2],6); + + EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); + } + else + EVP_DigestSignUpdate(mac_ctx,seq,8); + EVP_DigestSignUpdate(mac_ctx,buf,5); EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); - if (stream_mac) EVP_MD_CTX_copy(&hmac,hash); - EVP_DigestSignFinal(&hmac,md,&md_size); - EVP_MD_CTX_cleanup(&hmac); + t=EVP_DigestSignFinal(mac_ctx,md,&md_size); + OPENSSL_assert(t > 0); + + if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); #ifdef TLS_DEBUG printf("sec="); {unsigned int z; for (z=0; zversion != DTLS1_VERSION && ssl->version != DTLS1_BAD_VER) + { for (i=7; i>=0; i--) { ++seq[i]; @@ -876,23 +929,35 @@ printf("rec="); int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len) { - unsigned char buf[SSL3_RANDOM_SIZE*2+TLS_MD_MASTER_SECRET_CONST_SIZE]; unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; + const void *co = NULL, *so = NULL; + int col = 0, sol = 0; #ifdef KSSL_DEBUG printf ("tls1_generate_master_secret(%p,%p, %p, %d)\n", s,out, p,len); #endif /* KSSL_DEBUG */ - /* Setup the stuff to munge */ - memcpy(buf,TLS_MD_MASTER_SECRET_CONST, - TLS_MD_MASTER_SECRET_CONST_SIZE); - memcpy(&(buf[TLS_MD_MASTER_SECRET_CONST_SIZE]), - s->s3->client_random,SSL3_RANDOM_SIZE); - memcpy(&(buf[SSL3_RANDOM_SIZE+TLS_MD_MASTER_SECRET_CONST_SIZE]), - s->s3->server_random,SSL3_RANDOM_SIZE); +#ifdef TLSEXT_TYPE_opaque_prf_input + if (s->s3->client_opaque_prf_input != NULL && s->s3->server_opaque_prf_input != NULL && + s->s3->client_opaque_prf_input_len > 0 && + s->s3->client_opaque_prf_input_len == s->s3->server_opaque_prf_input_len) + { + co = s->s3->client_opaque_prf_input; + col = s->s3->server_opaque_prf_input_len; + so = s->s3->server_opaque_prf_input; + sol = s->s3->client_opaque_prf_input_len; /* must be same as col (see draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */ + } +#endif + tls1_PRF(s->s3->tmp.new_cipher->algorithm2, - buf,TLS_MD_MASTER_SECRET_CONST_SIZE+SSL3_RANDOM_SIZE*2,p,len, + TLS_MD_MASTER_SECRET_CONST,TLS_MD_MASTER_SECRET_CONST_SIZE, + s->s3->client_random,SSL3_RANDOM_SIZE, + co, col, + s->s3->server_random,SSL3_RANDOM_SIZE, + so, sol, + p,len, s->session->master_key,buff,sizeof buff); + #ifdef KSSL_DEBUG printf ("tls1_generate_master_secret() complete\n"); #endif /* KSSL_DEBUG */