X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=ssl%2Fs3_enc.c;h=010069bf28a570daf873989dec9bf76f51000192;hb=6434abbfc6ac0d5cb882844ed10fef5821039cf6;hp=72ac8b6913a0b22d4d9face3b5e43ea05bffe015;hpb=c21506ba024adb6d5655a92d61c1d3824e5dedcf;p=oweals%2Fopenssl.git

diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 72ac8b6913..010069bf28 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -108,10 +108,36 @@
  * Hudson (tjh@cryptsoft.com).
  *
  */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
 
 #include <stdio.h>
-#include <openssl/evp.h>
 #include "ssl_locl.h"
+#include <openssl/evp.h>
 #include <openssl/md5.h>
 
 static unsigned char ssl3_pad_1[48]={
@@ -139,7 +165,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 	EVP_MD_CTX s1;
 	unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
 	unsigned char c='A';
-	int i,j,k;
+	unsigned int i,j,k;
 
 #ifdef CHARSET_EBCDIC
 	c = os_toascii[c]; /*'A' in ASCII */
@@ -147,7 +173,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 	k=0;
 	EVP_MD_CTX_init(&m5);
 	EVP_MD_CTX_init(&s1);
-	for (i=0; i<num; i+=MD5_DIGEST_LENGTH)
+	for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
 		{
 		k++;
 		if (k > sizeof buf)
@@ -172,7 +198,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 		EVP_DigestUpdate(&m5,s->session->master_key,
 			s->session->master_key_length);
 		EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
-		if ((i+MD5_DIGEST_LENGTH) > num)
+		if ((int)(i+MD5_DIGEST_LENGTH) > num)
 			{
 			EVP_DigestFinal_ex(&m5,smd,NULL);
 			memcpy(km,smd,(num-i));
@@ -182,7 +208,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
 		km+=MD5_DIGEST_LENGTH;
 		}
-	memset(smd,0,SHA_DIGEST_LENGTH);
+	OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
 	EVP_MD_CTX_cleanup(&m5);
 	EVP_MD_CTX_cleanup(&s1);
 	return 1;
@@ -192,23 +218,27 @@ int ssl3_change_cipher_state(SSL *s, int which)
 	{
 	unsigned char *p,*key_block,*mac_secret;
 	unsigned char exp_key[EVP_MAX_KEY_LENGTH];
-	unsigned char exp_iv[EVP_MAX_KEY_LENGTH];
+	unsigned char exp_iv[EVP_MAX_IV_LENGTH];
 	unsigned char *ms,*key,*iv,*er1,*er2;
 	EVP_CIPHER_CTX *dd;
 	const EVP_CIPHER *c;
+#ifndef OPENSSL_NO_COMP
 	COMP_METHOD *comp;
+#endif
 	const EVP_MD *m;
 	EVP_MD_CTX md;
-	int exp,n,i,j,k,cl;
+	int is_exp,n,i,j,k,cl;
 	int reuse_dd = 0;
 
-	exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+	is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
 	c=s->s3->tmp.new_sym_enc;
 	m=s->s3->tmp.new_hash;
+#ifndef OPENSSL_NO_COMP
 	if (s->s3->tmp.new_compression == NULL)
 		comp=NULL;
 	else
 		comp=s->s3->tmp.new_compression->method;
+#endif
 	key_block=s->s3->tmp.key_block;
 
 	if (which & SSL3_CC_READ)
@@ -217,8 +247,13 @@ int ssl3_change_cipher_state(SSL *s, int which)
 			reuse_dd = 1;
 		else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
 			goto err;
+		else
+			/* make sure it's intialized in case we exit later with an error */
+			EVP_CIPHER_CTX_init(s->enc_read_ctx);
 		dd= s->enc_read_ctx;
-		s->read_hash=m;
+
+		ssl_replace_hash(&s->read_hash,m);
+#ifndef OPENSSL_NO_COMP
 		/* COMPRESS */
 		if (s->expand != NULL)
 			{
@@ -239,6 +274,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
 			if (s->s3->rrec.comp == NULL)
 				goto err;
 			}
+#endif
 		memset(&(s->s3->read_sequence[0]),0,8);
 		mac_secret= &(s->s3->read_mac_secret[0]);
 		}
@@ -248,8 +284,12 @@ int ssl3_change_cipher_state(SSL *s, int which)
 			reuse_dd = 1;
 		else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
 			goto err;
+		else
+			/* make sure it's intialized in case we exit later with an error */
+			EVP_CIPHER_CTX_init(s->enc_write_ctx);
 		dd= s->enc_write_ctx;
-		s->write_hash=m;
+		ssl_replace_hash(&s->write_hash,m);
+#ifndef OPENSSL_NO_COMP
 		/* COMPRESS */
 		if (s->compress != NULL)
 			{
@@ -265,20 +305,20 @@ int ssl3_change_cipher_state(SSL *s, int which)
 				goto err2;
 				}
 			}
+#endif
 		memset(&(s->s3->write_sequence[0]),0,8);
 		mac_secret= &(s->s3->write_mac_secret[0]);
 		}
 
 	if (reuse_dd)
 		EVP_CIPHER_CTX_cleanup(dd);
-	EVP_CIPHER_CTX_init(dd);
 
 	p=s->s3->tmp.key_block;
 	i=EVP_MD_size(m);
 	cl=EVP_CIPHER_key_length(c);
-	j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+	j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
 		 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
-	/* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
+	/* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
 	k=EVP_CIPHER_iv_length(c);
 	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
 		(which == SSL3_CHANGE_CIPHER_SERVER_READ))
@@ -307,7 +347,7 @@ int ssl3_change_cipher_state(SSL *s, int which)
 
 	EVP_MD_CTX_init(&md);
 	memcpy(mac_secret,ms,i);
-	if (exp)
+	if (is_exp)
 		{
 		/* In here I set both the read and write key/iv to the
 		 * same value since only the correct one will be used :-).
@@ -333,8 +373,8 @@ int ssl3_change_cipher_state(SSL *s, int which)
 
 	EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
 
-	memset(&(exp_key[0]),0,sizeof(exp_key));
-	memset(&(exp_iv[0]),0,sizeof(exp_iv));
+	OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
+	OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
 	EVP_MD_CTX_cleanup(&md);
 	return(1);
 err:
@@ -355,7 +395,7 @@ int ssl3_setup_key_block(SSL *s)
 	if (s->s3->tmp.key_block_length != 0)
 		return(1);
 
-	if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
+	if (!ssl_cipher_get_evp(s->session,&c,&hash,NULL,NULL,&comp))
 		{
 		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
 		return(0);
@@ -363,7 +403,11 @@ int ssl3_setup_key_block(SSL *s)
 
 	s->s3->tmp.new_sym_enc=c;
 	s->s3->tmp.new_hash=hash;
+#ifdef OPENSSL_NO_COMP
+	s->s3->tmp.new_compression=NULL;
+#else
 	s->s3->tmp.new_compression=comp;
+#endif
 
 	num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
 	num*=2;
@@ -385,10 +429,16 @@ int ssl3_setup_key_block(SSL *s)
 		 */
 		s->s3->need_empty_fragments = 1;
 
+		if (s->session->cipher != NULL)
+			{
+			if (s->session->cipher->algorithm_enc == SSL_eNULL)
+				s->s3->need_empty_fragments = 0;
+			
 #ifndef OPENSSL_NO_RC4
-		if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4))
-			s->s3->need_empty_fragments = 0;
+			if (s->session->cipher->algorithm_enc == SSL_RC4)
+				s->s3->need_empty_fragments = 0;
 #endif
+			}
 		}
 
 	return ret;
@@ -402,7 +452,7 @@ void ssl3_cleanup_key_block(SSL *s)
 	{
 	if (s->s3->tmp.key_block != NULL)
 		{
-		memset(s->s3->tmp.key_block,0,
+		OPENSSL_cleanse(s->s3->tmp.key_block,
 			s->s3->tmp.key_block_length);
 		OPENSSL_free(s->s3->tmp.key_block);
 		s->s3->tmp.key_block=NULL;
@@ -468,6 +518,7 @@ int ssl3_enc(SSL *s, int send)
 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
 				return 0;
 				}
+			/* otherwise, rec->length >= bs */
 			}
 		
 		EVP_Cipher(ds,rec->data,rec->input,l);
@@ -476,7 +527,7 @@ int ssl3_enc(SSL *s, int send)
 			{
 			i=rec->data[l-1]+1;
 			/* SSL 3.0 bounds the number of padding bytes by the block size;
-			 * padding bytes (except that last) are arbitrary */
+			 * padding bytes (except the last one) are arbitrary */
 			if (i > bs)
 				{
 				/* Incorrect padding. SSLerr() and ssl3_alert are done
@@ -485,6 +536,7 @@ int ssl3_enc(SSL *s, int send)
 				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
 				return -1;
 				}
+			/* now i <= bs <= rec->length */
 			rec->length-=i;
 			}
 		}
@@ -530,7 +582,6 @@ static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
 
 	EVP_MD_CTX_init(&ctx);
 	EVP_MD_CTX_copy_ex(&ctx,in_ctx);
-
 	n=EVP_MD_CTX_size(&ctx);
 	npad=(48/n)*n;
 
@@ -558,10 +609,10 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
 	SSL3_RECORD *rec;
 	unsigned char *mac_sec,*seq;
 	EVP_MD_CTX md_ctx;
-	const EVP_MD *hash;
+	const EVP_MD_CTX *hash;
 	unsigned char *p,rec_char;
 	unsigned int md_size;
-	int npad,i;
+	int npad;
 
 	if (send)
 		{
@@ -578,13 +629,13 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
 		hash=ssl->read_hash;
 		}
 
-	md_size=EVP_MD_size(hash);
+	md_size=EVP_MD_CTX_size(hash);
 	npad=(48/md_size)*md_size;
 
 	/* Chop the digest off the end :-) */
 	EVP_MD_CTX_init(&md_ctx);
 
-	EVP_DigestInit_ex(  &md_ctx,hash, NULL);
+	EVP_MD_CTX_copy_ex( &md_ctx,hash);
 	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
 	EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
 	EVP_DigestUpdate(&md_ctx,seq,8);
@@ -596,7 +647,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
 	EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
 	EVP_DigestFinal_ex( &md_ctx,md,NULL);
 
-	EVP_DigestInit_ex(  &md_ctx,hash, NULL);
+	EVP_MD_CTX_copy_ex( &md_ctx,hash);
 	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
 	EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
 	EVP_DigestUpdate(&md_ctx,md,md_size);
@@ -604,13 +655,19 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
 
 	EVP_MD_CTX_cleanup(&md_ctx);
 
+	ssl3_record_sequence_update(seq);
+	return(md_size);
+	}
+
+void ssl3_record_sequence_update(unsigned char *seq)
+	{
+	int i;
+
 	for (i=7; i>=0; i--)
 		{
 		++seq[i];
 		if (seq[i] != 0) break; 
 		}
-
-	return(md_size);
 	}
 
 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
@@ -683,6 +740,12 @@ int ssl3_alert_code(int code)
 	case SSL_AD_INTERNAL_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
 	case SSL_AD_USER_CANCELLED:	return(SSL3_AD_HANDSHAKE_FAILURE);
 	case SSL_AD_NO_RENEGOTIATION:	return(-1); /* Don't send it :-) */
+	case SSL_AD_UNSUPPORTED_EXTENSION: return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_UNRECOGNIZED_NAME:	return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
+	case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
 	default:			return(-1);
 		}
 	}