/src/openssl/ssl/t1_enc.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* ssl/t1_enc.c */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | /* ==================================================================== |
59 | | * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. |
60 | | * |
61 | | * Redistribution and use in source and binary forms, with or without |
62 | | * modification, are permitted provided that the following conditions |
63 | | * are met: |
64 | | * |
65 | | * 1. Redistributions of source code must retain the above copyright |
66 | | * notice, this list of conditions and the following disclaimer. |
67 | | * |
68 | | * 2. Redistributions in binary form must reproduce the above copyright |
69 | | * notice, this list of conditions and the following disclaimer in |
70 | | * the documentation and/or other materials provided with the |
71 | | * distribution. |
72 | | * |
73 | | * 3. All advertising materials mentioning features or use of this |
74 | | * software must display the following acknowledgment: |
75 | | * "This product includes software developed by the OpenSSL Project |
76 | | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | | * |
78 | | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | | * endorse or promote products derived from this software without |
80 | | * prior written permission. For written permission, please contact |
81 | | * openssl-core@openssl.org. |
82 | | * |
83 | | * 5. Products derived from this software may not be called "OpenSSL" |
84 | | * nor may "OpenSSL" appear in their names without prior written |
85 | | * permission of the OpenSSL Project. |
86 | | * |
87 | | * 6. Redistributions of any form whatsoever must retain the following |
88 | | * acknowledgment: |
89 | | * "This product includes software developed by the OpenSSL Project |
90 | | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | | * |
92 | | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | | * ==================================================================== |
105 | | * |
106 | | * This product includes cryptographic software written by Eric Young |
107 | | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | | * Hudson (tjh@cryptsoft.com). |
109 | | * |
110 | | */ |
111 | | /* ==================================================================== |
112 | | * Copyright 2005 Nokia. All rights reserved. |
113 | | * |
114 | | * The portions of the attached software ("Contribution") is developed by |
115 | | * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
116 | | * license. |
117 | | * |
118 | | * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
119 | | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
120 | | * support (see RFC 4279) to OpenSSL. |
121 | | * |
122 | | * No patent licenses or other rights except those expressly stated in |
123 | | * the OpenSSL open source license shall be deemed granted or received |
124 | | * expressly, by implication, estoppel, or otherwise. |
125 | | * |
126 | | * No assurances are provided by Nokia that the Contribution does not |
127 | | * infringe the patent or other intellectual property rights of any third |
128 | | * party or that the license provides you with all the necessary rights |
129 | | * to make use of the Contribution. |
130 | | * |
131 | | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
132 | | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
133 | | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
134 | | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
135 | | * OTHERWISE. |
136 | | */ |
137 | | |
138 | | #include <stdio.h> |
139 | | #include "ssl_locl.h" |
140 | | #ifndef OPENSSL_NO_COMP |
141 | | # include <openssl/comp.h> |
142 | | #endif |
143 | | #include <openssl/evp.h> |
144 | | #include <openssl/hmac.h> |
145 | | #include <openssl/md5.h> |
146 | | #include <openssl/rand.h> |
147 | | #ifdef KSSL_DEBUG |
148 | | # include <openssl/des.h> |
149 | | #endif |
150 | | |
151 | | /* seed1 through seed5 are virtually concatenated */ |
152 | | static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, |
153 | | int sec_len, |
154 | | const void *seed1, int seed1_len, |
155 | | const void *seed2, int seed2_len, |
156 | | const void *seed3, int seed3_len, |
157 | | const void *seed4, int seed4_len, |
158 | | const void *seed5, int seed5_len, |
159 | | unsigned char *out, int olen) |
160 | 0 | { |
161 | 0 | int chunk; |
162 | 0 | size_t j; |
163 | 0 | EVP_MD_CTX ctx, ctx_tmp, ctx_init; |
164 | 0 | EVP_PKEY *mac_key; |
165 | 0 | unsigned char A1[EVP_MAX_MD_SIZE]; |
166 | 0 | size_t A1_len; |
167 | 0 | int ret = 0; |
168 | |
|
169 | 0 | chunk = EVP_MD_size(md); |
170 | 0 | OPENSSL_assert(chunk >= 0); |
171 | |
|
172 | 0 | EVP_MD_CTX_init(&ctx); |
173 | 0 | EVP_MD_CTX_init(&ctx_tmp); |
174 | 0 | EVP_MD_CTX_init(&ctx_init); |
175 | 0 | EVP_MD_CTX_set_flags(&ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
176 | 0 | mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); |
177 | 0 | if (!mac_key) |
178 | 0 | goto err; |
179 | 0 | if (!EVP_DigestSignInit(&ctx_init, NULL, md, NULL, mac_key)) |
180 | 0 | goto err; |
181 | 0 | if (!EVP_MD_CTX_copy_ex(&ctx, &ctx_init)) |
182 | 0 | goto err; |
183 | 0 | if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) |
184 | 0 | goto err; |
185 | 0 | if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) |
186 | 0 | goto err; |
187 | 0 | if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) |
188 | 0 | goto err; |
189 | 0 | if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) |
190 | 0 | goto err; |
191 | 0 | if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) |
192 | 0 | goto err; |
193 | 0 | if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) |
194 | 0 | goto err; |
195 | | |
196 | 0 | for (;;) { |
197 | | /* Reinit mac contexts */ |
198 | 0 | if (!EVP_MD_CTX_copy_ex(&ctx, &ctx_init)) |
199 | 0 | goto err; |
200 | 0 | if (!EVP_DigestSignUpdate(&ctx, A1, A1_len)) |
201 | 0 | goto err; |
202 | 0 | if (olen > chunk && !EVP_MD_CTX_copy_ex(&ctx_tmp, &ctx)) |
203 | 0 | goto err; |
204 | 0 | if (seed1 && !EVP_DigestSignUpdate(&ctx, seed1, seed1_len)) |
205 | 0 | goto err; |
206 | 0 | if (seed2 && !EVP_DigestSignUpdate(&ctx, seed2, seed2_len)) |
207 | 0 | goto err; |
208 | 0 | if (seed3 && !EVP_DigestSignUpdate(&ctx, seed3, seed3_len)) |
209 | 0 | goto err; |
210 | 0 | if (seed4 && !EVP_DigestSignUpdate(&ctx, seed4, seed4_len)) |
211 | 0 | goto err; |
212 | 0 | if (seed5 && !EVP_DigestSignUpdate(&ctx, seed5, seed5_len)) |
213 | 0 | goto err; |
214 | | |
215 | 0 | if (olen > chunk) { |
216 | 0 | if (!EVP_DigestSignFinal(&ctx, out, &j)) |
217 | 0 | goto err; |
218 | 0 | out += j; |
219 | 0 | olen -= j; |
220 | | /* calc the next A1 value */ |
221 | 0 | if (!EVP_DigestSignFinal(&ctx_tmp, A1, &A1_len)) |
222 | 0 | goto err; |
223 | 0 | } else { /* last one */ |
224 | |
|
225 | 0 | if (!EVP_DigestSignFinal(&ctx, A1, &A1_len)) |
226 | 0 | goto err; |
227 | 0 | memcpy(out, A1, olen); |
228 | 0 | break; |
229 | 0 | } |
230 | 0 | } |
231 | 0 | ret = 1; |
232 | 0 | err: |
233 | 0 | EVP_PKEY_free(mac_key); |
234 | 0 | EVP_MD_CTX_cleanup(&ctx); |
235 | 0 | EVP_MD_CTX_cleanup(&ctx_tmp); |
236 | 0 | EVP_MD_CTX_cleanup(&ctx_init); |
237 | 0 | OPENSSL_cleanse(A1, sizeof(A1)); |
238 | 0 | return ret; |
239 | 0 | } |
240 | | |
241 | | /* seed1 through seed5 are virtually concatenated */ |
242 | | static int tls1_PRF(long digest_mask, |
243 | | const void *seed1, int seed1_len, |
244 | | const void *seed2, int seed2_len, |
245 | | const void *seed3, int seed3_len, |
246 | | const void *seed4, int seed4_len, |
247 | | const void *seed5, int seed5_len, |
248 | | const unsigned char *sec, int slen, |
249 | | unsigned char *out1, unsigned char *out2, int olen) |
250 | 0 | { |
251 | 0 | int len, i, idx, count; |
252 | 0 | const unsigned char *S1; |
253 | 0 | long m; |
254 | 0 | const EVP_MD *md; |
255 | 0 | int ret = 0; |
256 | | |
257 | | /* Count number of digests and partition sec evenly */ |
258 | 0 | count = 0; |
259 | 0 | for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) { |
260 | 0 | if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) |
261 | 0 | count++; |
262 | 0 | } |
263 | 0 | if (!count) { |
264 | | /* Should never happen */ |
265 | 0 | SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); |
266 | 0 | goto err; |
267 | 0 | } |
268 | 0 | len = slen / count; |
269 | 0 | if (count == 1) |
270 | 0 | slen = 0; |
271 | 0 | S1 = sec; |
272 | 0 | memset(out1, 0, olen); |
273 | 0 | for (idx = 0; ssl_get_handshake_digest(idx, &m, &md); idx++) { |
274 | 0 | if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) { |
275 | 0 | if (!md) { |
276 | 0 | SSLerr(SSL_F_TLS1_PRF, SSL_R_UNSUPPORTED_DIGEST_TYPE); |
277 | 0 | goto err; |
278 | 0 | } |
279 | 0 | if (!tls1_P_hash(md, S1, len + (slen & 1), |
280 | 0 | seed1, seed1_len, seed2, seed2_len, seed3, |
281 | 0 | seed3_len, seed4, seed4_len, seed5, seed5_len, |
282 | 0 | out2, olen)) |
283 | 0 | goto err; |
284 | 0 | S1 += len; |
285 | 0 | for (i = 0; i < olen; i++) { |
286 | 0 | out1[i] ^= out2[i]; |
287 | 0 | } |
288 | 0 | } |
289 | 0 | } |
290 | 0 | ret = 1; |
291 | 0 | err: |
292 | 0 | return ret; |
293 | 0 | } |
294 | | |
295 | | static int tls1_generate_key_block(SSL *s, unsigned char *km, |
296 | | unsigned char *tmp, int num) |
297 | 0 | { |
298 | 0 | int ret; |
299 | 0 | ret = tls1_PRF(ssl_get_algorithm2(s), |
300 | 0 | TLS_MD_KEY_EXPANSION_CONST, |
301 | 0 | TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random, |
302 | 0 | SSL3_RANDOM_SIZE, s->s3->client_random, SSL3_RANDOM_SIZE, |
303 | 0 | NULL, 0, NULL, 0, s->session->master_key, |
304 | 0 | s->session->master_key_length, km, tmp, num); |
305 | | #ifdef KSSL_DEBUG |
306 | | fprintf(stderr, "tls1_generate_key_block() ==> %d byte master_key =\n\t", |
307 | | s->session->master_key_length); |
308 | | { |
309 | | int i; |
310 | | for (i = 0; i < s->session->master_key_length; i++) { |
311 | | fprintf(stderr, "%02X", s->session->master_key[i]); |
312 | | } |
313 | | fprintf(stderr, "\n"); |
314 | | } |
315 | | #endif /* KSSL_DEBUG */ |
316 | 0 | return ret; |
317 | 0 | } |
318 | | |
319 | | int tls1_change_cipher_state(SSL *s, int which) |
320 | 0 | { |
321 | 0 | static const unsigned char empty[] = ""; |
322 | 0 | unsigned char *p, *mac_secret; |
323 | 0 | unsigned char *exp_label; |
324 | 0 | unsigned char tmp1[EVP_MAX_KEY_LENGTH]; |
325 | 0 | unsigned char tmp2[EVP_MAX_KEY_LENGTH]; |
326 | 0 | unsigned char iv1[EVP_MAX_IV_LENGTH * 2]; |
327 | 0 | unsigned char iv2[EVP_MAX_IV_LENGTH * 2]; |
328 | 0 | unsigned char *ms, *key, *iv; |
329 | 0 | int client_write; |
330 | 0 | EVP_CIPHER_CTX *dd; |
331 | 0 | const EVP_CIPHER *c; |
332 | 0 | #ifndef OPENSSL_NO_COMP |
333 | 0 | const SSL_COMP *comp; |
334 | 0 | #endif |
335 | 0 | const EVP_MD *m; |
336 | 0 | int mac_type; |
337 | 0 | int *mac_secret_size; |
338 | 0 | EVP_MD_CTX *mac_ctx; |
339 | 0 | EVP_PKEY *mac_key; |
340 | 0 | int is_export, n, i, j, k, exp_label_len, cl; |
341 | 0 | int reuse_dd = 0; |
342 | |
|
343 | 0 | is_export = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); |
344 | 0 | c = s->s3->tmp.new_sym_enc; |
345 | 0 | m = s->s3->tmp.new_hash; |
346 | 0 | mac_type = s->s3->tmp.new_mac_pkey_type; |
347 | 0 | #ifndef OPENSSL_NO_COMP |
348 | 0 | comp = s->s3->tmp.new_compression; |
349 | 0 | #endif |
350 | |
|
351 | | #ifdef KSSL_DEBUG |
352 | | fprintf(stderr, "tls1_change_cipher_state(which= %d) w/\n", which); |
353 | | fprintf(stderr, "\talg= %ld/%ld, comp= %p\n", |
354 | | s->s3->tmp.new_cipher->algorithm_mkey, |
355 | | s->s3->tmp.new_cipher->algorithm_auth, comp); |
356 | | fprintf(stderr, "\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", c); |
357 | | fprintf(stderr, "\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", |
358 | | c->nid, c->block_size, c->key_len, c->iv_len); |
359 | | fprintf(stderr, "\tkey_block: len= %d, data= ", |
360 | | s->s3->tmp.key_block_length); |
361 | | { |
362 | | int i; |
363 | | for (i = 0; i < s->s3->tmp.key_block_length; i++) |
364 | | fprintf(stderr, "%02x", s->s3->tmp.key_block[i]); |
365 | | fprintf(stderr, "\n"); |
366 | | } |
367 | | #endif /* KSSL_DEBUG */ |
368 | |
|
369 | 0 | if (which & SSL3_CC_READ) { |
370 | 0 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) |
371 | 0 | s->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; |
372 | 0 | else |
373 | 0 | s->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; |
374 | |
|
375 | 0 | if (s->enc_read_ctx != NULL) |
376 | 0 | reuse_dd = 1; |
377 | 0 | else if ((s->enc_read_ctx = |
378 | 0 | OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) |
379 | 0 | goto err; |
380 | 0 | else |
381 | | /* |
382 | | * make sure it's intialized in case we exit later with an error |
383 | | */ |
384 | 0 | EVP_CIPHER_CTX_init(s->enc_read_ctx); |
385 | 0 | dd = s->enc_read_ctx; |
386 | 0 | mac_ctx = ssl_replace_hash(&s->read_hash, NULL); |
387 | 0 | if (mac_ctx == NULL) |
388 | 0 | goto err; |
389 | 0 | #ifndef OPENSSL_NO_COMP |
390 | 0 | if (s->expand != NULL) { |
391 | 0 | COMP_CTX_free(s->expand); |
392 | 0 | s->expand = NULL; |
393 | 0 | } |
394 | 0 | if (comp != NULL) { |
395 | 0 | s->expand = COMP_CTX_new(comp->method); |
396 | 0 | if (s->expand == NULL) { |
397 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, |
398 | 0 | SSL_R_COMPRESSION_LIBRARY_ERROR); |
399 | 0 | goto err2; |
400 | 0 | } |
401 | 0 | if (s->s3->rrec.comp == NULL) |
402 | 0 | s->s3->rrec.comp = (unsigned char *) |
403 | 0 | OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); |
404 | 0 | if (s->s3->rrec.comp == NULL) |
405 | 0 | goto err; |
406 | 0 | } |
407 | 0 | #endif |
408 | | /* |
409 | | * this is done by dtls1_reset_seq_numbers for DTLS |
410 | | */ |
411 | 0 | if (!SSL_IS_DTLS(s)) |
412 | 0 | memset(&(s->s3->read_sequence[0]), 0, 8); |
413 | 0 | mac_secret = &(s->s3->read_mac_secret[0]); |
414 | 0 | mac_secret_size = &(s->s3->read_mac_secret_size); |
415 | 0 | } else { |
416 | 0 | if (s->s3->tmp.new_cipher->algorithm2 & TLS1_STREAM_MAC) |
417 | 0 | s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; |
418 | 0 | else |
419 | 0 | s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; |
420 | 0 | if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) |
421 | 0 | reuse_dd = 1; |
422 | 0 | else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) |
423 | 0 | goto err; |
424 | 0 | dd = s->enc_write_ctx; |
425 | 0 | if (SSL_IS_DTLS(s)) { |
426 | 0 | mac_ctx = EVP_MD_CTX_create(); |
427 | 0 | if (mac_ctx == NULL) |
428 | 0 | goto err; |
429 | 0 | s->write_hash = mac_ctx; |
430 | 0 | } else { |
431 | 0 | mac_ctx = ssl_replace_hash(&s->write_hash, NULL); |
432 | 0 | if (mac_ctx == NULL) |
433 | 0 | goto err; |
434 | 0 | } |
435 | 0 | #ifndef OPENSSL_NO_COMP |
436 | 0 | if (s->compress != NULL) { |
437 | 0 | COMP_CTX_free(s->compress); |
438 | 0 | s->compress = NULL; |
439 | 0 | } |
440 | 0 | if (comp != NULL) { |
441 | 0 | s->compress = COMP_CTX_new(comp->method); |
442 | 0 | if (s->compress == NULL) { |
443 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, |
444 | 0 | SSL_R_COMPRESSION_LIBRARY_ERROR); |
445 | 0 | goto err2; |
446 | 0 | } |
447 | 0 | } |
448 | 0 | #endif |
449 | | /* |
450 | | * this is done by dtls1_reset_seq_numbers for DTLS |
451 | | */ |
452 | 0 | if (!SSL_IS_DTLS(s)) |
453 | 0 | memset(&(s->s3->write_sequence[0]), 0, 8); |
454 | 0 | mac_secret = &(s->s3->write_mac_secret[0]); |
455 | 0 | mac_secret_size = &(s->s3->write_mac_secret_size); |
456 | 0 | } |
457 | | |
458 | 0 | if (reuse_dd) |
459 | 0 | EVP_CIPHER_CTX_cleanup(dd); |
460 | |
|
461 | 0 | p = s->s3->tmp.key_block; |
462 | 0 | i = *mac_secret_size = s->s3->tmp.new_mac_secret_size; |
463 | |
|
464 | 0 | cl = EVP_CIPHER_key_length(c); |
465 | 0 | j = is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? |
466 | 0 | cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; |
467 | | /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ |
468 | | /* If GCM mode only part of IV comes from PRF */ |
469 | 0 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) |
470 | 0 | k = EVP_GCM_TLS_FIXED_IV_LEN; |
471 | 0 | else |
472 | 0 | k = EVP_CIPHER_iv_length(c); |
473 | 0 | if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || |
474 | 0 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { |
475 | 0 | ms = &(p[0]); |
476 | 0 | n = i + i; |
477 | 0 | key = &(p[n]); |
478 | 0 | n += j + j; |
479 | 0 | iv = &(p[n]); |
480 | 0 | n += k + k; |
481 | 0 | exp_label = (unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; |
482 | 0 | exp_label_len = TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; |
483 | 0 | client_write = 1; |
484 | 0 | } else { |
485 | 0 | n = i; |
486 | 0 | ms = &(p[n]); |
487 | 0 | n += i + j; |
488 | 0 | key = &(p[n]); |
489 | 0 | n += j + k; |
490 | 0 | iv = &(p[n]); |
491 | 0 | n += k; |
492 | 0 | exp_label = (unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; |
493 | 0 | exp_label_len = TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; |
494 | 0 | client_write = 0; |
495 | 0 | } |
496 | |
|
497 | 0 | if (n > s->s3->tmp.key_block_length) { |
498 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
499 | 0 | goto err2; |
500 | 0 | } |
501 | | |
502 | 0 | memcpy(mac_secret, ms, i); |
503 | |
|
504 | 0 | if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) { |
505 | 0 | mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, |
506 | 0 | mac_secret, *mac_secret_size); |
507 | 0 | if (mac_key == NULL |
508 | 0 | || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) { |
509 | 0 | EVP_PKEY_free(mac_key); |
510 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
511 | 0 | goto err2; |
512 | 0 | } |
513 | 0 | EVP_PKEY_free(mac_key); |
514 | 0 | } |
515 | | #ifdef TLS_DEBUG |
516 | | printf("which = %04X\nmac key=", which); |
517 | | { |
518 | | int z; |
519 | | for (z = 0; z < i; z++) |
520 | | printf("%02X%c", ms[z], ((z + 1) % 16) ? ' ' : '\n'); |
521 | | } |
522 | | #endif |
523 | 0 | if (is_export) { |
524 | | /* |
525 | | * In here I set both the read and write key/iv to the same value |
526 | | * since only the correct one will be used :-). |
527 | | */ |
528 | 0 | if (!tls1_PRF(ssl_get_algorithm2(s), |
529 | 0 | exp_label, exp_label_len, |
530 | 0 | s->s3->client_random, SSL3_RANDOM_SIZE, |
531 | 0 | s->s3->server_random, SSL3_RANDOM_SIZE, |
532 | 0 | NULL, 0, NULL, 0, |
533 | 0 | key, j, tmp1, tmp2, EVP_CIPHER_key_length(c))) |
534 | 0 | goto err2; |
535 | 0 | key = tmp1; |
536 | |
|
537 | 0 | if (k > 0) { |
538 | 0 | if (!tls1_PRF(ssl_get_algorithm2(s), |
539 | 0 | TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE, |
540 | 0 | s->s3->client_random, SSL3_RANDOM_SIZE, |
541 | 0 | s->s3->server_random, SSL3_RANDOM_SIZE, |
542 | 0 | NULL, 0, NULL, 0, empty, 0, iv1, iv2, k * 2)) |
543 | 0 | goto err2; |
544 | 0 | if (client_write) |
545 | 0 | iv = iv1; |
546 | 0 | else |
547 | 0 | iv = &(iv1[k]); |
548 | 0 | } |
549 | 0 | } |
550 | | |
551 | 0 | s->session->key_arg_length = 0; |
552 | | #ifdef KSSL_DEBUG |
553 | | { |
554 | | int i; |
555 | | fprintf(stderr, "EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); |
556 | | fprintf(stderr, "\tkey= "); |
557 | | for (i = 0; i < c->key_len; i++) |
558 | | fprintf(stderr, "%02x", key[i]); |
559 | | fprintf(stderr, "\n"); |
560 | | fprintf(stderr, "\t iv= "); |
561 | | for (i = 0; i < c->iv_len; i++) |
562 | | fprintf(stderr, "%02x", iv[i]); |
563 | | fprintf(stderr, "\n"); |
564 | | } |
565 | | #endif /* KSSL_DEBUG */ |
566 | |
|
567 | 0 | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) { |
568 | 0 | if (!EVP_CipherInit_ex(dd, c, NULL, key, NULL, (which & SSL3_CC_WRITE)) |
569 | 0 | || !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_GCM_SET_IV_FIXED, k, iv)) { |
570 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
571 | 0 | goto err2; |
572 | 0 | } |
573 | 0 | } else { |
574 | 0 | if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { |
575 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
576 | 0 | goto err2; |
577 | 0 | } |
578 | 0 | } |
579 | | /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ |
580 | 0 | if ((EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER) && *mac_secret_size |
581 | 0 | && !EVP_CIPHER_CTX_ctrl(dd, EVP_CTRL_AEAD_SET_MAC_KEY, |
582 | 0 | *mac_secret_size, mac_secret)) { |
583 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); |
584 | 0 | goto err2; |
585 | 0 | } |
586 | | #ifdef OPENSSL_SSL_TRACE_CRYPTO |
587 | | if (s->msg_callback) { |
588 | | int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : 0; |
589 | | if (*mac_secret_size) |
590 | | s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC, |
591 | | mac_secret, *mac_secret_size, |
592 | | s, s->msg_callback_arg); |
593 | | if (c->key_len) |
594 | | s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY, |
595 | | key, c->key_len, s, s->msg_callback_arg); |
596 | | if (k) { |
597 | | if (EVP_CIPHER_mode(c) == EVP_CIPH_GCM_MODE) |
598 | | wh |= TLS1_RT_CRYPTO_FIXED_IV; |
599 | | else |
600 | | wh |= TLS1_RT_CRYPTO_IV; |
601 | | s->msg_callback(2, s->version, wh, iv, k, s, s->msg_callback_arg); |
602 | | } |
603 | | } |
604 | | #endif |
605 | | |
606 | | #ifdef TLS_DEBUG |
607 | | printf("which = %04X\nkey=", which); |
608 | | { |
609 | | int z; |
610 | | for (z = 0; z < EVP_CIPHER_key_length(c); z++) |
611 | | printf("%02X%c", key[z], ((z + 1) % 16) ? ' ' : '\n'); |
612 | | } |
613 | | printf("\niv="); |
614 | | { |
615 | | int z; |
616 | | for (z = 0; z < k; z++) |
617 | | printf("%02X%c", iv[z], ((z + 1) % 16) ? ' ' : '\n'); |
618 | | } |
619 | | printf("\n"); |
620 | | #endif |
621 | | |
622 | 0 | OPENSSL_cleanse(tmp1, sizeof(tmp1)); |
623 | 0 | OPENSSL_cleanse(tmp2, sizeof(tmp1)); |
624 | 0 | OPENSSL_cleanse(iv1, sizeof(iv1)); |
625 | 0 | OPENSSL_cleanse(iv2, sizeof(iv2)); |
626 | 0 | return (1); |
627 | 0 | err: |
628 | 0 | SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); |
629 | 0 | err2: |
630 | 0 | return (0); |
631 | 0 | } |
632 | | |
633 | | int tls1_setup_key_block(SSL *s) |
634 | 0 | { |
635 | 0 | unsigned char *p1, *p2 = NULL; |
636 | 0 | const EVP_CIPHER *c; |
637 | 0 | const EVP_MD *hash; |
638 | 0 | int num; |
639 | 0 | SSL_COMP *comp; |
640 | 0 | int mac_type = NID_undef, mac_secret_size = 0; |
641 | 0 | int ret = 0; |
642 | |
|
643 | | #ifdef KSSL_DEBUG |
644 | | fprintf(stderr, "tls1_setup_key_block()\n"); |
645 | | #endif /* KSSL_DEBUG */ |
646 | |
|
647 | 0 | if (s->s3->tmp.key_block_length != 0) |
648 | 0 | return (1); |
649 | | |
650 | 0 | if (!ssl_cipher_get_evp |
651 | 0 | (s->session, &c, &hash, &mac_type, &mac_secret_size, &comp)) { |
652 | 0 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); |
653 | 0 | return (0); |
654 | 0 | } |
655 | | |
656 | 0 | s->s3->tmp.new_sym_enc = c; |
657 | 0 | s->s3->tmp.new_hash = hash; |
658 | 0 | s->s3->tmp.new_mac_pkey_type = mac_type; |
659 | 0 | s->s3->tmp.new_mac_secret_size = mac_secret_size; |
660 | 0 | num = |
661 | 0 | EVP_CIPHER_key_length(c) + mac_secret_size + EVP_CIPHER_iv_length(c); |
662 | 0 | num *= 2; |
663 | |
|
664 | 0 | ssl3_cleanup_key_block(s); |
665 | |
|
666 | 0 | if ((p1 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { |
667 | 0 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); |
668 | 0 | goto err; |
669 | 0 | } |
670 | | |
671 | 0 | s->s3->tmp.key_block_length = num; |
672 | 0 | s->s3->tmp.key_block = p1; |
673 | |
|
674 | 0 | if ((p2 = (unsigned char *)OPENSSL_malloc(num)) == NULL) { |
675 | 0 | SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); |
676 | 0 | goto err; |
677 | 0 | } |
678 | | #ifdef TLS_DEBUG |
679 | | printf("client random\n"); |
680 | | { |
681 | | int z; |
682 | | for (z = 0; z < SSL3_RANDOM_SIZE; z++) |
683 | | printf("%02X%c", s->s3->client_random[z], |
684 | | ((z + 1) % 16) ? ' ' : '\n'); |
685 | | } |
686 | | printf("server random\n"); |
687 | | { |
688 | | int z; |
689 | | for (z = 0; z < SSL3_RANDOM_SIZE; z++) |
690 | | printf("%02X%c", s->s3->server_random[z], |
691 | | ((z + 1) % 16) ? ' ' : '\n'); |
692 | | } |
693 | | printf("pre-master\n"); |
694 | | { |
695 | | int z; |
696 | | for (z = 0; z < s->session->master_key_length; z++) |
697 | | printf("%02X%c", s->session->master_key[z], |
698 | | ((z + 1) % 16) ? ' ' : '\n'); |
699 | | } |
700 | | #endif |
701 | 0 | if (!tls1_generate_key_block(s, p1, p2, num)) |
702 | 0 | goto err; |
703 | | #ifdef TLS_DEBUG |
704 | | printf("\nkey block\n"); |
705 | | { |
706 | | int z; |
707 | | for (z = 0; z < num; z++) |
708 | | printf("%02X%c", p1[z], ((z + 1) % 16) ? ' ' : '\n'); |
709 | | } |
710 | | #endif |
711 | | |
712 | 0 | if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) |
713 | 0 | && s->method->version <= TLS1_VERSION) { |
714 | | /* |
715 | | * enable vulnerability countermeasure for CBC ciphers with known-IV |
716 | | * problem (http://www.openssl.org/~bodo/tls-cbc.txt) |
717 | | */ |
718 | 0 | s->s3->need_empty_fragments = 1; |
719 | |
|
720 | 0 | if (s->session->cipher != NULL) { |
721 | 0 | if (s->session->cipher->algorithm_enc == SSL_eNULL) |
722 | 0 | s->s3->need_empty_fragments = 0; |
723 | |
|
724 | 0 | #ifndef OPENSSL_NO_RC4 |
725 | 0 | if (s->session->cipher->algorithm_enc == SSL_RC4) |
726 | 0 | s->s3->need_empty_fragments = 0; |
727 | 0 | #endif |
728 | 0 | } |
729 | 0 | } |
730 | |
|
731 | 0 | ret = 1; |
732 | 0 | err: |
733 | 0 | if (p2) { |
734 | 0 | OPENSSL_cleanse(p2, num); |
735 | 0 | OPENSSL_free(p2); |
736 | 0 | } |
737 | 0 | return (ret); |
738 | 0 | } |
739 | | |
740 | | /*- |
741 | | * tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. |
742 | | * |
743 | | * Returns: |
744 | | * 0: (in non-constant time) if the record is publically invalid (i.e. too |
745 | | * short etc). |
746 | | * 1: if the record's padding is valid / the encryption was successful. |
747 | | * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, |
748 | | * an internal error occured. |
749 | | */ |
750 | | int tls1_enc(SSL *s, int send) |
751 | 0 | { |
752 | 0 | SSL3_RECORD *rec; |
753 | 0 | EVP_CIPHER_CTX *ds; |
754 | 0 | unsigned long l; |
755 | 0 | int bs, i, j, k, pad = 0, ret, mac_size = 0; |
756 | 0 | const EVP_CIPHER *enc; |
757 | |
|
758 | 0 | if (send) { |
759 | 0 | if (EVP_MD_CTX_md(s->write_hash)) { |
760 | 0 | int n = EVP_MD_CTX_size(s->write_hash); |
761 | 0 | OPENSSL_assert(n >= 0); |
762 | 0 | } |
763 | 0 | ds = s->enc_write_ctx; |
764 | 0 | rec = &(s->s3->wrec); |
765 | 0 | if (s->enc_write_ctx == NULL) |
766 | 0 | enc = NULL; |
767 | 0 | else { |
768 | 0 | int ivlen; |
769 | 0 | enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); |
770 | | /* For TLSv1.1 and later explicit IV */ |
771 | 0 | if (SSL_USE_EXPLICIT_IV(s) |
772 | 0 | && EVP_CIPHER_mode(enc) == EVP_CIPH_CBC_MODE) |
773 | 0 | ivlen = EVP_CIPHER_iv_length(enc); |
774 | 0 | else |
775 | 0 | ivlen = 0; |
776 | 0 | if (ivlen > 1) { |
777 | 0 | if (rec->data != rec->input) |
778 | | /* |
779 | | * we can't write into the input stream: Can this ever |
780 | | * happen?? (steve) |
781 | | */ |
782 | 0 | fprintf(stderr, |
783 | 0 | "%s:%d: rec->data != rec->input\n", |
784 | 0 | __FILE__, __LINE__); |
785 | 0 | else if (RAND_bytes(rec->input, ivlen) <= 0) |
786 | 0 | return -1; |
787 | 0 | } |
788 | 0 | } |
789 | 0 | } else { |
790 | 0 | if (EVP_MD_CTX_md(s->read_hash)) { |
791 | 0 | int n = EVP_MD_CTX_size(s->read_hash); |
792 | 0 | OPENSSL_assert(n >= 0); |
793 | 0 | } |
794 | 0 | ds = s->enc_read_ctx; |
795 | 0 | rec = &(s->s3->rrec); |
796 | 0 | if (s->enc_read_ctx == NULL) |
797 | 0 | enc = NULL; |
798 | 0 | else |
799 | 0 | enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); |
800 | 0 | } |
801 | | |
802 | | #ifdef KSSL_DEBUG |
803 | | fprintf(stderr, "tls1_enc(%d)\n", send); |
804 | | #endif /* KSSL_DEBUG */ |
805 | | |
806 | 0 | if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { |
807 | 0 | memmove(rec->data, rec->input, rec->length); |
808 | 0 | rec->input = rec->data; |
809 | 0 | ret = 1; |
810 | 0 | } else { |
811 | 0 | l = rec->length; |
812 | 0 | bs = EVP_CIPHER_block_size(ds->cipher); |
813 | |
|
814 | 0 | if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { |
815 | 0 | unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq; |
816 | |
|
817 | 0 | seq = send ? s->s3->write_sequence : s->s3->read_sequence; |
818 | |
|
819 | 0 | if (SSL_IS_DTLS(s)) { |
820 | 0 | unsigned char dtlsseq[9], *p = dtlsseq; |
821 | |
|
822 | 0 | s2n(send ? s->d1->w_epoch : s->d1->r_epoch, p); |
823 | 0 | memcpy(p, &seq[2], 6); |
824 | 0 | memcpy(buf, dtlsseq, 8); |
825 | 0 | } else { |
826 | 0 | memcpy(buf, seq, 8); |
827 | 0 | for (i = 7; i >= 0; i--) { /* increment */ |
828 | 0 | ++seq[i]; |
829 | 0 | if (seq[i] != 0) |
830 | 0 | break; |
831 | 0 | } |
832 | 0 | } |
833 | |
|
834 | 0 | buf[8] = rec->type; |
835 | 0 | buf[9] = (unsigned char)(s->version >> 8); |
836 | 0 | buf[10] = (unsigned char)(s->version); |
837 | 0 | buf[11] = rec->length >> 8; |
838 | 0 | buf[12] = rec->length & 0xff; |
839 | 0 | pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, |
840 | 0 | EVP_AEAD_TLS1_AAD_LEN, buf); |
841 | 0 | if (pad <= 0) |
842 | 0 | return -1; |
843 | 0 | if (send) { |
844 | 0 | l += pad; |
845 | 0 | rec->length += pad; |
846 | 0 | } |
847 | 0 | } else if ((bs != 1) && send) { |
848 | 0 | i = bs - ((int)l % bs); |
849 | | |
850 | | /* Add weird padding of upto 256 bytes */ |
851 | | |
852 | | /* we need to add 'i' padding bytes of value j */ |
853 | 0 | j = i - 1; |
854 | 0 | if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) { |
855 | 0 | if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) |
856 | 0 | j++; |
857 | 0 | } |
858 | 0 | for (k = (int)l; k < (int)(l + i); k++) |
859 | 0 | rec->input[k] = j; |
860 | 0 | l += i; |
861 | 0 | rec->length += i; |
862 | 0 | } |
863 | | #ifdef KSSL_DEBUG |
864 | | { |
865 | | unsigned long ui; |
866 | | fprintf(stderr, |
867 | | "EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", |
868 | | ds, rec->data, rec->input, l); |
869 | | fprintf(stderr, |
870 | | "\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%lu %lu], %d iv_len\n", |
871 | | ds->buf_len, ds->cipher->key_len, DES_KEY_SZ, |
872 | | DES_SCHEDULE_SZ, ds->cipher->iv_len); |
873 | | fprintf(stderr, "\t\tIV: "); |
874 | | for (i = 0; i < ds->cipher->iv_len; i++) |
875 | | fprintf(stderr, "%02X", ds->iv[i]); |
876 | | fprintf(stderr, "\n"); |
877 | | fprintf(stderr, "\trec->input="); |
878 | | for (ui = 0; ui < l; ui++) |
879 | | fprintf(stderr, " %02x", rec->input[ui]); |
880 | | fprintf(stderr, "\n"); |
881 | | } |
882 | | #endif /* KSSL_DEBUG */ |
883 | | |
884 | 0 | if (!send) { |
885 | 0 | if (l == 0 || l % bs != 0) |
886 | 0 | return 0; |
887 | 0 | } |
888 | | |
889 | 0 | i = EVP_Cipher(ds, rec->data, rec->input, l); |
890 | 0 | if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER) |
891 | 0 | ? (i < 0) |
892 | 0 | : (i == 0)) |
893 | 0 | return -1; /* AEAD can fail to verify MAC */ |
894 | 0 | if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { |
895 | 0 | rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
896 | 0 | rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; |
897 | 0 | rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; |
898 | 0 | } |
899 | | #ifdef KSSL_DEBUG |
900 | | { |
901 | | unsigned long i; |
902 | | fprintf(stderr, "\trec->data="); |
903 | | for (i = 0; i < l; i++) |
904 | | fprintf(stderr, " %02x", rec->data[i]); |
905 | | fprintf(stderr, "\n"); |
906 | | } |
907 | | #endif /* KSSL_DEBUG */ |
908 | |
|
909 | 0 | ret = 1; |
910 | 0 | if (EVP_MD_CTX_md(s->read_hash) != NULL) |
911 | 0 | mac_size = EVP_MD_CTX_size(s->read_hash); |
912 | 0 | if ((bs != 1) && !send) |
913 | 0 | ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); |
914 | 0 | if (pad && !send) |
915 | 0 | rec->length -= pad; |
916 | 0 | } |
917 | 0 | return ret; |
918 | 0 | } |
919 | | |
920 | | int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) |
921 | 0 | { |
922 | 0 | unsigned int ret; |
923 | 0 | EVP_MD_CTX ctx, *d = NULL; |
924 | 0 | int i; |
925 | |
|
926 | 0 | if (s->s3->handshake_buffer) |
927 | 0 | if (!ssl3_digest_cached_records(s)) |
928 | 0 | return 0; |
929 | | |
930 | 0 | for (i = 0; i < SSL_MAX_DIGEST; i++) { |
931 | 0 | if (s->s3->handshake_dgst[i] |
932 | 0 | && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { |
933 | 0 | d = s->s3->handshake_dgst[i]; |
934 | 0 | break; |
935 | 0 | } |
936 | 0 | } |
937 | 0 | if (!d) { |
938 | 0 | SSLerr(SSL_F_TLS1_CERT_VERIFY_MAC, SSL_R_NO_REQUIRED_DIGEST); |
939 | 0 | return 0; |
940 | 0 | } |
941 | | |
942 | 0 | EVP_MD_CTX_init(&ctx); |
943 | 0 | if (EVP_MD_CTX_copy_ex(&ctx, d) <=0 |
944 | 0 | || EVP_DigestFinal_ex(&ctx, out, &ret) <= 0) |
945 | 0 | ret = 0; |
946 | 0 | EVP_MD_CTX_cleanup(&ctx); |
947 | 0 | return ((int)ret); |
948 | 0 | } |
949 | | |
950 | | int tls1_final_finish_mac(SSL *s, |
951 | | const char *str, int slen, unsigned char *out) |
952 | 0 | { |
953 | 0 | unsigned int i; |
954 | 0 | EVP_MD_CTX ctx; |
955 | 0 | unsigned char buf[2 * EVP_MAX_MD_SIZE]; |
956 | 0 | unsigned char *q, buf2[12]; |
957 | 0 | int idx; |
958 | 0 | long mask; |
959 | 0 | int err = 0; |
960 | 0 | const EVP_MD *md; |
961 | |
|
962 | 0 | q = buf; |
963 | |
|
964 | 0 | if (s->s3->handshake_buffer) |
965 | 0 | if (!ssl3_digest_cached_records(s)) |
966 | 0 | return 0; |
967 | | |
968 | 0 | EVP_MD_CTX_init(&ctx); |
969 | |
|
970 | 0 | for (idx = 0; ssl_get_handshake_digest(idx, &mask, &md); idx++) { |
971 | 0 | if (mask & ssl_get_algorithm2(s)) { |
972 | 0 | int hashsize = EVP_MD_size(md); |
973 | 0 | EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; |
974 | 0 | if (!hdgst || hashsize < 0 |
975 | 0 | || hashsize > (int)(sizeof buf - (size_t)(q - buf))) { |
976 | | /* |
977 | | * internal error: 'buf' is too small for this cipersuite! |
978 | | */ |
979 | 0 | err = 1; |
980 | 0 | } else { |
981 | 0 | if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || |
982 | 0 | !EVP_DigestFinal_ex(&ctx, q, &i) || |
983 | 0 | (i != (unsigned int)hashsize)) |
984 | 0 | err = 1; |
985 | 0 | q += hashsize; |
986 | 0 | } |
987 | 0 | } |
988 | 0 | } |
989 | |
|
990 | 0 | if (!tls1_PRF(ssl_get_algorithm2(s), |
991 | 0 | str, slen, buf, (int)(q - buf), NULL, 0, NULL, 0, NULL, 0, |
992 | 0 | s->session->master_key, s->session->master_key_length, |
993 | 0 | out, buf2, sizeof buf2)) |
994 | 0 | err = 1; |
995 | 0 | EVP_MD_CTX_cleanup(&ctx); |
996 | |
|
997 | 0 | OPENSSL_cleanse(buf, (int)(q - buf)); |
998 | 0 | OPENSSL_cleanse(buf2, sizeof(buf2)); |
999 | 0 | if (err) |
1000 | 0 | return 0; |
1001 | 0 | else |
1002 | 0 | return sizeof buf2; |
1003 | 0 | } |
1004 | | |
1005 | | int tls1_mac(SSL *ssl, unsigned char *md, int send) |
1006 | 0 | { |
1007 | 0 | SSL3_RECORD *rec; |
1008 | 0 | unsigned char *seq; |
1009 | 0 | EVP_MD_CTX *hash; |
1010 | 0 | size_t md_size, orig_len; |
1011 | 0 | int i; |
1012 | 0 | EVP_MD_CTX hmac, *mac_ctx; |
1013 | 0 | unsigned char header[13]; |
1014 | 0 | int stream_mac = (send ? (ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM) |
1015 | 0 | : (ssl->mac_flags & SSL_MAC_FLAG_READ_MAC_STREAM)); |
1016 | 0 | int t; |
1017 | |
|
1018 | 0 | if (send) { |
1019 | 0 | rec = &(ssl->s3->wrec); |
1020 | 0 | seq = &(ssl->s3->write_sequence[0]); |
1021 | 0 | hash = ssl->write_hash; |
1022 | 0 | } else { |
1023 | 0 | rec = &(ssl->s3->rrec); |
1024 | 0 | seq = &(ssl->s3->read_sequence[0]); |
1025 | 0 | hash = ssl->read_hash; |
1026 | 0 | } |
1027 | |
|
1028 | 0 | t = EVP_MD_CTX_size(hash); |
1029 | 0 | OPENSSL_assert(t >= 0); |
1030 | 0 | md_size = t; |
1031 | | |
1032 | | /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ |
1033 | 0 | if (stream_mac) { |
1034 | 0 | mac_ctx = hash; |
1035 | 0 | } else { |
1036 | 0 | if (!EVP_MD_CTX_copy(&hmac, hash)) |
1037 | 0 | return -1; |
1038 | 0 | mac_ctx = &hmac; |
1039 | 0 | } |
1040 | | |
1041 | 0 | if (SSL_IS_DTLS(ssl)) { |
1042 | 0 | unsigned char dtlsseq[8], *p = dtlsseq; |
1043 | |
|
1044 | 0 | s2n(send ? ssl->d1->w_epoch : ssl->d1->r_epoch, p); |
1045 | 0 | memcpy(p, &seq[2], 6); |
1046 | |
|
1047 | 0 | memcpy(header, dtlsseq, 8); |
1048 | 0 | } else |
1049 | 0 | memcpy(header, seq, 8); |
1050 | | |
1051 | | /* |
1052 | | * kludge: tls1_cbc_remove_padding passes padding length in rec->type |
1053 | | */ |
1054 | 0 | orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); |
1055 | 0 | rec->type &= 0xff; |
1056 | |
|
1057 | 0 | header[8] = rec->type; |
1058 | 0 | header[9] = (unsigned char)(ssl->version >> 8); |
1059 | 0 | header[10] = (unsigned char)(ssl->version); |
1060 | 0 | header[11] = (rec->length) >> 8; |
1061 | 0 | header[12] = (rec->length) & 0xff; |
1062 | |
|
1063 | 0 | if (!send && |
1064 | 0 | EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && |
1065 | 0 | ssl3_cbc_record_digest_supported(mac_ctx)) { |
1066 | | /* |
1067 | | * This is a CBC-encrypted record. We must avoid leaking any |
1068 | | * timing-side channel information about how many blocks of data we |
1069 | | * are hashing because that gives an attacker a timing-oracle. |
1070 | | */ |
1071 | | /* Final param == not SSLv3 */ |
1072 | 0 | if (ssl3_cbc_digest_record(mac_ctx, |
1073 | 0 | md, &md_size, |
1074 | 0 | header, rec->input, |
1075 | 0 | rec->length + md_size, orig_len, |
1076 | 0 | ssl->s3->read_mac_secret, |
1077 | 0 | ssl->s3->read_mac_secret_size, 0) <= 0) { |
1078 | 0 | if (!stream_mac) |
1079 | 0 | EVP_MD_CTX_cleanup(&hmac); |
1080 | 0 | return -1; |
1081 | 0 | } |
1082 | 0 | } else { |
1083 | 0 | if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0 |
1084 | 0 | || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0 |
1085 | 0 | || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) { |
1086 | 0 | if (!stream_mac) |
1087 | 0 | EVP_MD_CTX_cleanup(&hmac); |
1088 | 0 | return -1; |
1089 | 0 | } |
1090 | | #ifdef OPENSSL_FIPS |
1091 | | if (!send && FIPS_mode()) |
1092 | | tls_fips_digest_extra(ssl->enc_read_ctx, |
1093 | | mac_ctx, rec->input, rec->length, orig_len); |
1094 | | #endif |
1095 | 0 | } |
1096 | | |
1097 | 0 | if (!stream_mac) |
1098 | 0 | EVP_MD_CTX_cleanup(&hmac); |
1099 | | #ifdef TLS_DEBUG |
1100 | | fprintf(stderr, "seq="); |
1101 | | { |
1102 | | int z; |
1103 | | for (z = 0; z < 8; z++) |
1104 | | fprintf(stderr, "%02X ", seq[z]); |
1105 | | fprintf(stderr, "\n"); |
1106 | | } |
1107 | | fprintf(stderr, "rec="); |
1108 | | { |
1109 | | unsigned int z; |
1110 | | for (z = 0; z < rec->length; z++) |
1111 | | fprintf(stderr, "%02X ", rec->data[z]); |
1112 | | fprintf(stderr, "\n"); |
1113 | | } |
1114 | | #endif |
1115 | |
|
1116 | 0 | if (!SSL_IS_DTLS(ssl)) { |
1117 | 0 | for (i = 7; i >= 0; i--) { |
1118 | 0 | ++seq[i]; |
1119 | 0 | if (seq[i] != 0) |
1120 | 0 | break; |
1121 | 0 | } |
1122 | 0 | } |
1123 | | #ifdef TLS_DEBUG |
1124 | | { |
1125 | | unsigned int z; |
1126 | | for (z = 0; z < md_size; z++) |
1127 | | fprintf(stderr, "%02X ", md[z]); |
1128 | | fprintf(stderr, "\n"); |
1129 | | } |
1130 | | #endif |
1131 | 0 | return (md_size); |
1132 | 0 | } |
1133 | | |
1134 | | int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, |
1135 | | int len) |
1136 | 0 | { |
1137 | 0 | unsigned char buff[SSL_MAX_MASTER_KEY_LENGTH]; |
1138 | 0 | const void *co = NULL, *so = NULL; |
1139 | 0 | int col = 0, sol = 0; |
1140 | |
|
1141 | | #ifdef KSSL_DEBUG |
1142 | | fprintf(stderr, "tls1_generate_master_secret(%p,%p, %p, %d)\n", s, out, p, |
1143 | | len); |
1144 | | #endif /* KSSL_DEBUG */ |
1145 | |
|
1146 | | #ifdef TLSEXT_TYPE_opaque_prf_input |
1147 | | if (s->s3->client_opaque_prf_input != NULL |
1148 | | && s->s3->server_opaque_prf_input != NULL |
1149 | | && s->s3->client_opaque_prf_input_len > 0 |
1150 | | && s->s3->client_opaque_prf_input_len == |
1151 | | s->s3->server_opaque_prf_input_len) { |
1152 | | co = s->s3->client_opaque_prf_input; |
1153 | | col = s->s3->server_opaque_prf_input_len; |
1154 | | so = s->s3->server_opaque_prf_input; |
1155 | | /* |
1156 | | * must be same as col (see |
1157 | | * draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) |
1158 | | */ |
1159 | | sol = s->s3->client_opaque_prf_input_len; |
1160 | | } |
1161 | | #endif |
1162 | |
|
1163 | 0 | tls1_PRF(ssl_get_algorithm2(s), |
1164 | 0 | TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE, |
1165 | 0 | s->s3->client_random, SSL3_RANDOM_SIZE, |
1166 | 0 | co, col, |
1167 | 0 | s->s3->server_random, SSL3_RANDOM_SIZE, |
1168 | 0 | so, sol, p, len, s->session->master_key, buff, sizeof buff); |
1169 | 0 | OPENSSL_cleanse(buff, sizeof buff); |
1170 | | #ifdef SSL_DEBUG |
1171 | | fprintf(stderr, "Premaster Secret:\n"); |
1172 | | BIO_dump_fp(stderr, (char *)p, len); |
1173 | | fprintf(stderr, "Client Random:\n"); |
1174 | | BIO_dump_fp(stderr, (char *)s->s3->client_random, SSL3_RANDOM_SIZE); |
1175 | | fprintf(stderr, "Server Random:\n"); |
1176 | | BIO_dump_fp(stderr, (char *)s->s3->server_random, SSL3_RANDOM_SIZE); |
1177 | | fprintf(stderr, "Master Secret:\n"); |
1178 | | BIO_dump_fp(stderr, (char *)s->session->master_key, |
1179 | | SSL3_MASTER_SECRET_SIZE); |
1180 | | #endif |
1181 | |
|
1182 | | #ifdef OPENSSL_SSL_TRACE_CRYPTO |
1183 | | if (s->msg_callback) { |
1184 | | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER, |
1185 | | p, len, s, s->msg_callback_arg); |
1186 | | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM, |
1187 | | s->s3->client_random, SSL3_RANDOM_SIZE, |
1188 | | s, s->msg_callback_arg); |
1189 | | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM, |
1190 | | s->s3->server_random, SSL3_RANDOM_SIZE, |
1191 | | s, s->msg_callback_arg); |
1192 | | s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER, |
1193 | | s->session->master_key, |
1194 | | SSL3_MASTER_SECRET_SIZE, s, s->msg_callback_arg); |
1195 | | } |
1196 | | #endif |
1197 | |
|
1198 | | #ifdef KSSL_DEBUG |
1199 | | fprintf(stderr, "tls1_generate_master_secret() complete\n"); |
1200 | | #endif /* KSSL_DEBUG */ |
1201 | 0 | return (SSL3_MASTER_SECRET_SIZE); |
1202 | 0 | } |
1203 | | |
1204 | | int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, |
1205 | | const char *label, size_t llen, |
1206 | | const unsigned char *context, |
1207 | | size_t contextlen, int use_context) |
1208 | 0 | { |
1209 | 0 | unsigned char *buff; |
1210 | 0 | unsigned char *val = NULL; |
1211 | 0 | size_t vallen, currentvalpos; |
1212 | 0 | int rv; |
1213 | |
|
1214 | | #ifdef KSSL_DEBUG |
1215 | | fprintf(stderr, "tls1_export_keying_material(%p,%p,%lu,%s,%lu,%p,%lu)\n", |
1216 | | s, out, olen, label, llen, context, contextlen); |
1217 | | #endif /* KSSL_DEBUG */ |
1218 | |
|
1219 | 0 | buff = OPENSSL_malloc(olen); |
1220 | 0 | if (buff == NULL) |
1221 | 0 | goto err2; |
1222 | | |
1223 | | /* |
1224 | | * construct PRF arguments we construct the PRF argument ourself rather |
1225 | | * than passing separate values into the TLS PRF to ensure that the |
1226 | | * concatenation of values does not create a prohibited label. |
1227 | | */ |
1228 | 0 | vallen = llen + SSL3_RANDOM_SIZE * 2; |
1229 | 0 | if (use_context) { |
1230 | 0 | vallen += 2 + contextlen; |
1231 | 0 | } |
1232 | |
|
1233 | 0 | val = OPENSSL_malloc(vallen); |
1234 | 0 | if (val == NULL) |
1235 | 0 | goto err2; |
1236 | 0 | currentvalpos = 0; |
1237 | 0 | memcpy(val + currentvalpos, (unsigned char *)label, llen); |
1238 | 0 | currentvalpos += llen; |
1239 | 0 | memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); |
1240 | 0 | currentvalpos += SSL3_RANDOM_SIZE; |
1241 | 0 | memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); |
1242 | 0 | currentvalpos += SSL3_RANDOM_SIZE; |
1243 | |
|
1244 | 0 | if (use_context) { |
1245 | 0 | val[currentvalpos] = (contextlen >> 8) & 0xff; |
1246 | 0 | currentvalpos++; |
1247 | 0 | val[currentvalpos] = contextlen & 0xff; |
1248 | 0 | currentvalpos++; |
1249 | 0 | if ((contextlen > 0) || (context != NULL)) { |
1250 | 0 | memcpy(val + currentvalpos, context, contextlen); |
1251 | 0 | } |
1252 | 0 | } |
1253 | | |
1254 | | /* |
1255 | | * disallow prohibited labels note that SSL3_RANDOM_SIZE > max(prohibited |
1256 | | * label len) = 15, so size of val > max(prohibited label len) = 15 and |
1257 | | * the comparisons won't have buffer overflow |
1258 | | */ |
1259 | 0 | if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, |
1260 | 0 | TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) |
1261 | 0 | goto err1; |
1262 | 0 | if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, |
1263 | 0 | TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) |
1264 | 0 | goto err1; |
1265 | 0 | if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, |
1266 | 0 | TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) |
1267 | 0 | goto err1; |
1268 | 0 | if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, |
1269 | 0 | TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) |
1270 | 0 | goto err1; |
1271 | | |
1272 | 0 | rv = tls1_PRF(ssl_get_algorithm2(s), |
1273 | 0 | val, vallen, |
1274 | 0 | NULL, 0, |
1275 | 0 | NULL, 0, |
1276 | 0 | NULL, 0, |
1277 | 0 | NULL, 0, |
1278 | 0 | s->session->master_key, s->session->master_key_length, |
1279 | 0 | out, buff, olen); |
1280 | 0 | OPENSSL_cleanse(val, vallen); |
1281 | 0 | OPENSSL_cleanse(buff, olen); |
1282 | |
|
1283 | | #ifdef KSSL_DEBUG |
1284 | | fprintf(stderr, "tls1_export_keying_material() complete\n"); |
1285 | | #endif /* KSSL_DEBUG */ |
1286 | 0 | goto ret; |
1287 | 0 | err1: |
1288 | 0 | SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, |
1289 | 0 | SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); |
1290 | 0 | rv = 0; |
1291 | 0 | goto ret; |
1292 | 0 | err2: |
1293 | 0 | SSLerr(SSL_F_TLS1_EXPORT_KEYING_MATERIAL, ERR_R_MALLOC_FAILURE); |
1294 | 0 | rv = 0; |
1295 | 0 | ret: |
1296 | 0 | if (buff != NULL) |
1297 | 0 | OPENSSL_free(buff); |
1298 | 0 | if (val != NULL) |
1299 | 0 | OPENSSL_free(val); |
1300 | 0 | return (rv); |
1301 | 0 | } |
1302 | | |
1303 | | int tls1_alert_code(int code) |
1304 | 0 | { |
1305 | 0 | switch (code) { |
1306 | 0 | case SSL_AD_CLOSE_NOTIFY: |
1307 | 0 | return (SSL3_AD_CLOSE_NOTIFY); |
1308 | 0 | case SSL_AD_UNEXPECTED_MESSAGE: |
1309 | 0 | return (SSL3_AD_UNEXPECTED_MESSAGE); |
1310 | 0 | case SSL_AD_BAD_RECORD_MAC: |
1311 | 0 | return (SSL3_AD_BAD_RECORD_MAC); |
1312 | 0 | case SSL_AD_DECRYPTION_FAILED: |
1313 | 0 | return (TLS1_AD_DECRYPTION_FAILED); |
1314 | 0 | case SSL_AD_RECORD_OVERFLOW: |
1315 | 0 | return (TLS1_AD_RECORD_OVERFLOW); |
1316 | 0 | case SSL_AD_DECOMPRESSION_FAILURE: |
1317 | 0 | return (SSL3_AD_DECOMPRESSION_FAILURE); |
1318 | 0 | case SSL_AD_HANDSHAKE_FAILURE: |
1319 | 0 | return (SSL3_AD_HANDSHAKE_FAILURE); |
1320 | 0 | case SSL_AD_NO_CERTIFICATE: |
1321 | 0 | return (-1); |
1322 | 0 | case SSL_AD_BAD_CERTIFICATE: |
1323 | 0 | return (SSL3_AD_BAD_CERTIFICATE); |
1324 | 0 | case SSL_AD_UNSUPPORTED_CERTIFICATE: |
1325 | 0 | return (SSL3_AD_UNSUPPORTED_CERTIFICATE); |
1326 | 0 | case SSL_AD_CERTIFICATE_REVOKED: |
1327 | 0 | return (SSL3_AD_CERTIFICATE_REVOKED); |
1328 | 0 | case SSL_AD_CERTIFICATE_EXPIRED: |
1329 | 0 | return (SSL3_AD_CERTIFICATE_EXPIRED); |
1330 | 0 | case SSL_AD_CERTIFICATE_UNKNOWN: |
1331 | 0 | return (SSL3_AD_CERTIFICATE_UNKNOWN); |
1332 | 0 | case SSL_AD_ILLEGAL_PARAMETER: |
1333 | 0 | return (SSL3_AD_ILLEGAL_PARAMETER); |
1334 | 0 | case SSL_AD_UNKNOWN_CA: |
1335 | 0 | return (TLS1_AD_UNKNOWN_CA); |
1336 | 0 | case SSL_AD_ACCESS_DENIED: |
1337 | 0 | return (TLS1_AD_ACCESS_DENIED); |
1338 | 0 | case SSL_AD_DECODE_ERROR: |
1339 | 0 | return (TLS1_AD_DECODE_ERROR); |
1340 | 0 | case SSL_AD_DECRYPT_ERROR: |
1341 | 0 | return (TLS1_AD_DECRYPT_ERROR); |
1342 | 0 | case SSL_AD_EXPORT_RESTRICTION: |
1343 | 0 | return (TLS1_AD_EXPORT_RESTRICTION); |
1344 | 0 | case SSL_AD_PROTOCOL_VERSION: |
1345 | 0 | return (TLS1_AD_PROTOCOL_VERSION); |
1346 | 0 | case SSL_AD_INSUFFICIENT_SECURITY: |
1347 | 0 | return (TLS1_AD_INSUFFICIENT_SECURITY); |
1348 | 0 | case SSL_AD_INTERNAL_ERROR: |
1349 | 0 | return (TLS1_AD_INTERNAL_ERROR); |
1350 | 0 | case SSL_AD_USER_CANCELLED: |
1351 | 0 | return (TLS1_AD_USER_CANCELLED); |
1352 | 0 | case SSL_AD_NO_RENEGOTIATION: |
1353 | 0 | return (TLS1_AD_NO_RENEGOTIATION); |
1354 | 0 | case SSL_AD_UNSUPPORTED_EXTENSION: |
1355 | 0 | return (TLS1_AD_UNSUPPORTED_EXTENSION); |
1356 | 0 | case SSL_AD_CERTIFICATE_UNOBTAINABLE: |
1357 | 0 | return (TLS1_AD_CERTIFICATE_UNOBTAINABLE); |
1358 | 0 | case SSL_AD_UNRECOGNIZED_NAME: |
1359 | 0 | return (TLS1_AD_UNRECOGNIZED_NAME); |
1360 | 0 | case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: |
1361 | 0 | return (TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); |
1362 | 0 | case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: |
1363 | 0 | return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); |
1364 | 0 | case SSL_AD_UNKNOWN_PSK_IDENTITY: |
1365 | 0 | return (TLS1_AD_UNKNOWN_PSK_IDENTITY); |
1366 | 0 | case SSL_AD_INAPPROPRIATE_FALLBACK: |
1367 | 0 | return (TLS1_AD_INAPPROPRIATE_FALLBACK); |
1368 | | #if 0 |
1369 | | /* not appropriate for TLS, not used for DTLS */ |
1370 | | case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: |
1371 | | return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); |
1372 | | #endif |
1373 | 0 | default: |
1374 | 0 | return (-1); |
1375 | 0 | } |
1376 | 0 | } |