diff options
Diffstat (limited to 'openssl/ssl')
| -rw-r--r-- | openssl/ssl/d1_both.c | 315 | ||||
| -rw-r--r-- | openssl/ssl/d1_lib.c | 10 | ||||
| -rw-r--r-- | openssl/ssl/d1_pkt.c | 44 | ||||
| -rw-r--r-- | openssl/ssl/dtls1.h | 1 | ||||
| -rw-r--r-- | openssl/ssl/ssl-lib.com | 16 | ||||
| -rw-r--r-- | openssl/ssl/ssl_algs.c | 8 | ||||
| -rw-r--r-- | openssl/ssl/t1_enc.c | 151 |
7 files changed, 377 insertions, 168 deletions
diff --git a/openssl/ssl/d1_both.c b/openssl/ssl/d1_both.c index 0242f1e4d..4ce4064cc 100644 --- a/openssl/ssl/d1_both.c +++ b/openssl/ssl/d1_both.c @@ -123,6 +123,37 @@ #include <openssl/evp.h> #include <openssl/x509.h> +#define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) + +#define RSMBLY_BITMASK_MARK(bitmask, start, end) { \ + if ((end) - (start) <= 8) { \ + long ii; \ + for (ii = (start); ii < (end); ii++) bitmask[((ii) >> 3)] |= (1 << ((ii) & 7)); \ + } else { \ + long ii; \ + bitmask[((start) >> 3)] |= bitmask_start_values[((start) & 7)]; \ + for (ii = (((start) >> 3) + 1); ii < ((((end) - 1)) >> 3); ii++) bitmask[ii] = 0xff; \ + bitmask[(((end) - 1) >> 3)] |= bitmask_end_values[((end) & 7)]; \ + } } + +#define RSMBLY_BITMASK_IS_COMPLETE(bitmask, msg_len, is_complete) { \ + long ii; \ + OPENSSL_assert((msg_len) > 0); \ + is_complete = 1; \ + if (bitmask[(((msg_len) - 1) >> 3)] != bitmask_end_values[((msg_len) & 7)]) is_complete = 0; \ + if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ + if (bitmask[ii] != 0xff) { is_complete = 0; break; } } + +#if 0 +#define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \ + long ii; \ + printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \ + printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \ + printf("\n"); } +#endif + +static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80}; +static unsigned char bitmask_end_values[] = {0x00, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f}; /* XDTLS: figure out the right values */ static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; @@ -140,10 +171,11 @@ static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok); static hm_fragment * -dtls1_hm_fragment_new(unsigned long frag_len) +dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) { hm_fragment *frag = NULL; unsigned char *buf = NULL; + unsigned char *bitmask = NULL; frag = (hm_fragment *)OPENSSL_malloc(sizeof(hm_fragment)); if ( frag == NULL) @@ -162,6 +194,21 @@ dtls1_hm_fragment_new(unsigned long frag_len) /* zero length fragment gets zero frag->fragment */ frag->fragment = buf; + /* Initialize reassembly bitmask if necessary */ + if (reassembly) + { + bitmask = (unsigned char *)OPENSSL_malloc(RSMBLY_BITMASK_SIZE(frag_len)); + if (bitmask == NULL) + { + if (buf != NULL) OPENSSL_free(buf); + OPENSSL_free(frag); + return NULL; + } + memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len)); + } + + frag->reassembly = bitmask; + return frag; } @@ -169,6 +216,7 @@ static void dtls1_hm_fragment_free(hm_fragment *frag) { if (frag->fragment) OPENSSL_free(frag->fragment); + if (frag->reassembly) OPENSSL_free(frag->reassembly); OPENSSL_free(frag); } @@ -363,6 +411,8 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) { int i, al; struct hm_header_st *msg_hdr; + unsigned char *p; + unsigned long msg_len; /* s3->tmp is used to store messages that are unexpected, caused * by the absence of an optional handshake message */ @@ -382,77 +432,55 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) } msg_hdr = &s->d1->r_msg_hdr; - do - { - if ( msg_hdr->frag_off == 0) - { - /* s->d1->r_message_header.msg_len = 0; */ - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); - } + memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); - i = dtls1_get_message_fragment(s, st1, stn, max, ok); - if ( i == DTLS1_HM_BAD_FRAGMENT || - i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ - continue; - else if ( i <= 0 && !*ok) - return i; +again: + i = dtls1_get_message_fragment(s, st1, stn, max, ok); + if ( i == DTLS1_HM_BAD_FRAGMENT || + i == DTLS1_HM_FRAGMENT_RETRY) /* bad fragment received */ + goto again; + else if ( i <= 0 && !*ok) + return i; - /* Note that s->init_sum is used as a counter summing - * up fragments' lengths: as soon as they sum up to - * handshake packet length, we assume we have got all - * the fragments. Overlapping fragments would cause - * premature termination, so we don't expect overlaps. - * Well, handling overlaps would require something more - * drastic. Indeed, as it is now there is no way to - * tell if out-of-order fragment from the middle was - * the last. '>=' is the best/least we can do to control - * the potential damage caused by malformed overlaps. */ - if ((unsigned int)s->init_num >= msg_hdr->msg_len) - { - unsigned char *p = (unsigned char *)s->init_buf->data; - unsigned long msg_len = msg_hdr->msg_len; - - /* reconstruct message header as if it was - * sent in single fragment */ - *(p++) = msg_hdr->type; - l2n3(msg_len,p); - s2n (msg_hdr->seq,p); - l2n3(0,p); - l2n3(msg_len,p); - if (s->version != DTLS1_BAD_VER) { - p -= DTLS1_HM_HEADER_LENGTH; - msg_len += DTLS1_HM_HEADER_LENGTH; - } + p = (unsigned char *)s->init_buf->data; + msg_len = msg_hdr->msg_len; + + /* reconstruct message header */ + *(p++) = msg_hdr->type; + l2n3(msg_len,p); + s2n (msg_hdr->seq,p); + l2n3(0,p); + l2n3(msg_len,p); + if (s->version != DTLS1_BAD_VER) { + p -= DTLS1_HM_HEADER_LENGTH; + msg_len += DTLS1_HM_HEADER_LENGTH; + } - ssl3_finish_mac(s, p, msg_len); - if (s->msg_callback) - s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, - p, msg_len, - s, s->msg_callback_arg); - - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); - - s->d1->handshake_read_seq++; - /* we just read a handshake message from the other side: - * this means that we don't need to retransmit of the - * buffered messages. - * XDTLS: may be able clear out this - * buffer a little sooner (i.e if an out-of-order - * handshake message/record is received at the record - * layer. - * XDTLS: exception is that the server needs to - * know that change cipher spec and finished messages - * have been received by the client before clearing this - * buffer. this can simply be done by waiting for the - * first data segment, but is there a better way? */ - dtls1_clear_record_buffer(s); - - s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; - return s->init_num; - } - else - msg_hdr->frag_off = i; - } while(1) ; + ssl3_finish_mac(s, p, msg_len); + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, + p, msg_len, + s, s->msg_callback_arg); + + memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); + + s->d1->handshake_read_seq++; + /* we just read a handshake message from the other side: + * this means that we don't need to retransmit of the + * buffered messages. + * XDTLS: may be able clear out this + * buffer a little sooner (i.e if an out-of-order + * handshake message/record is received at the record + * layer. + * XDTLS: exception is that the server needs to + * know that change cipher spec and finished messages + * have been received by the client before clearing this + * buffer. this can simply be done by waiting for the + * first data segment, but is there a better way? */ + dtls1_clear_record_buffer(s); + + s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; + return s->init_num; f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); @@ -528,6 +556,10 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) return 0; frag = (hm_fragment *)item->data; + + /* Don't return if reassembly still in progress */ + if (frag->reassembly != NULL) + return 0; if ( s->d1->handshake_read_seq == frag->msg_header.seq) { @@ -563,6 +595,109 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) static int +dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + { + hm_fragment *frag = NULL; + pitem *item = NULL; + int i = -1, is_complete; + unsigned char seq64be[8]; + unsigned long frag_len = msg_hdr->frag_len, max_len; + + if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) + goto err; + + /* Determine maximum allowed message size. Depends on (user set) + * maximum certificate length, but 16k is minimum. + */ + if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) + max_len = s->max_cert_list; + else + max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; + + if ((msg_hdr->frag_off+frag_len) > max_len) + goto err; + + /* Try to find item in queue */ + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char) (msg_hdr->seq>>8); + seq64be[7] = (unsigned char) msg_hdr->seq; + item = pqueue_find(s->d1->buffered_messages, seq64be); + + if (item == NULL) + { + frag = dtls1_hm_fragment_new(msg_hdr->msg_len, 1); + if ( frag == NULL) + goto err; + memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); + frag->msg_header.frag_len = frag->msg_header.msg_len; + frag->msg_header.frag_off = 0; + } + else + frag = (hm_fragment*) item->data; + + /* If message is already reassembled, this must be a + * retransmit and can be dropped. + */ + if (frag->reassembly == NULL) + { + unsigned char devnull [256]; + + while (frag_len) + { + i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, + devnull, + frag_len>sizeof(devnull)?sizeof(devnull):frag_len,0); + if (i<=0) goto err; + frag_len -= i; + } + return DTLS1_HM_FRAGMENT_RETRY; + } + + /* read the body of the fragment (header has already been read */ + i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, + frag->fragment + msg_hdr->frag_off,frag_len,0); + if (i<=0 || (unsigned long)i!=frag_len) + goto err; + + RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off, + (long)(msg_hdr->frag_off + frag_len)); + + RSMBLY_BITMASK_IS_COMPLETE(frag->reassembly, (long)msg_hdr->msg_len, + is_complete); + + if (is_complete) + { + OPENSSL_free(frag->reassembly); + frag->reassembly = NULL; + } + + if (item == NULL) + { + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char)(msg_hdr->seq>>8); + seq64be[7] = (unsigned char)(msg_hdr->seq); + + item = pitem_new(seq64be, frag); + if (item == NULL) + { + goto err; + i = -1; + } + + pqueue_insert(s->d1->buffered_messages, item); + } + + return DTLS1_HM_FRAGMENT_RETRY; + +err: + if (frag != NULL) dtls1_hm_fragment_free(frag); + if (item != NULL) OPENSSL_free(item); + *ok = 0; + return i; + } + + +static int dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) { int i=-1; @@ -579,7 +714,13 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) seq64be[6] = (unsigned char) (msg_hdr->seq>>8); seq64be[7] = (unsigned char) msg_hdr->seq; item = pqueue_find(s->d1->buffered_messages, seq64be); - + + /* If we already have an entry and this one is a fragment, + * don't discard it and rather try to reassemble it. + */ + if (item != NULL && frag_len < msg_hdr->msg_len) + item = NULL; + /* Discard the message if sequence number was already there, is * too far in the future, already in the queue or if we received * a FINISHED before the SERVER_HELLO, which then must be a stale @@ -600,20 +741,25 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) frag_len -= i; } } - - if (frag_len) + else { - frag = dtls1_hm_fragment_new(frag_len); + if (frag_len && frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + + frag = dtls1_hm_fragment_new(frag_len, 0); if ( frag == NULL) goto err; memcpy(&(frag->msg_header), msg_hdr, sizeof(*msg_hdr)); - /* read the body of the fragment (header has already been read */ - i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, - frag->fragment,frag_len,0); - if (i<=0 || (unsigned long)i!=frag_len) - goto err; + if (frag_len) + { + /* read the body of the fragment (header has already been read */ + i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, + frag->fragment,frag_len,0); + if (i<=0 || (unsigned long)i!=frag_len) + goto err; + } memset(seq64be,0,sizeof(seq64be)); seq64be[6] = (unsigned char)(msg_hdr->seq>>8); @@ -640,14 +786,14 @@ static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) { unsigned char wire[DTLS1_HM_HEADER_LENGTH]; - unsigned long l, frag_off, frag_len; + unsigned long len, frag_off, frag_len; int i,al; struct hm_header_st msg_hdr; /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) { - if (*ok) s->init_num += frag_len; + if (*ok) s->init_num = frag_len; return frag_len; } @@ -672,10 +818,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) if ( msg_hdr.seq != s->d1->handshake_read_seq) return dtls1_process_out_of_seq_message(s, &msg_hdr, ok); - l = msg_hdr.msg_len; + len = msg_hdr.msg_len; frag_off = msg_hdr.frag_off; frag_len = msg_hdr.frag_len; + if (frag_len && frag_len < len) + return dtls1_reassemble_fragment(s, &msg_hdr, ok); + if (!s->server && s->d1->r_msg_hdr.frag_off == 0 && wire[0] == SSL3_MT_HELLO_REQUEST) { @@ -735,7 +884,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) * s->init_buf->data, but as a counter summing up fragments' * lengths: as soon as they sum up to handshake packet * length, we assume we have got all the fragments. */ - s->init_num += frag_len; + s->init_num = frag_len; return frag_len; f_err: @@ -1010,7 +1159,7 @@ dtls1_buffer_message(SSL *s, int is_ccs) * been serialized */ OPENSSL_assert(s->init_off == 0); - frag = dtls1_hm_fragment_new(s->init_num); + frag = dtls1_hm_fragment_new(s->init_num, 0); memcpy(frag->fragment, s->init_buf->data, s->init_num); diff --git a/openssl/ssl/d1_lib.c b/openssl/ssl/d1_lib.c index eeffce3cc..96b220e87 100644 --- a/openssl/ssl/d1_lib.c +++ b/openssl/ssl/d1_lib.c @@ -283,6 +283,16 @@ struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft) timeleft->tv_usec += 1000000; } + /* If remaining time is less than 15 ms, set it to 0 + * to prevent issues because of small devergences with + * socket timeouts. + */ + if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) + { + memset(timeleft, 0, sizeof(struct timeval)); + } + + return timeleft; } diff --git a/openssl/ssl/d1_pkt.c b/openssl/ssl/d1_pkt.c index c9757e1d6..a5439d544 100644 --- a/openssl/ssl/d1_pkt.c +++ b/openssl/ssl/d1_pkt.c @@ -196,6 +196,9 @@ dtls1_copy_record(SSL *s, pitem *item) s->packet_length = rdata->packet_length; memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); + + /* Set proper sequence number for mac calculation */ + memcpy(&(s->s3->read_sequence[2]), &(rdata->packet[5]), 6); return(1); } @@ -414,7 +417,7 @@ dtls1_process_record(SSL *s) goto err; /* otherwise enc_err == -1 */ - goto decryption_failed_or_bad_record_mac; + goto err; } #ifdef TLS_DEBUG @@ -444,7 +447,7 @@ printf("\n"); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + goto err; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ @@ -455,14 +458,14 @@ printf("\n"); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + goto err; #endif } rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) { - goto decryption_failed_or_bad_record_mac; + goto err; } } @@ -504,14 +507,6 @@ printf("\n"); dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ return(1); -decryption_failed_or_bad_record_mac: - /* Separate 'decryption_failed' alert was introduced with TLS 1.0, - * SSL 3.0 only has 'bad_record_mac'. But unless a decryption - * failure is directly visible from the ciphertext anyway, - * we should not reveal which kind of error occured -- this - * might become visible to an attacker (e.g. via logfile) */ - al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: @@ -544,8 +539,7 @@ int dtls1_get_record(SSL *s) /* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ - if ( ! dtls1_process_buffered_records(s)) - return 0; + dtls1_process_buffered_records(s); /* if we're renegotiating, then there may be buffered records */ if (dtls1_get_processed_record(s)) @@ -667,21 +661,25 @@ again: if (rr->length == 0) goto again; /* If this record is from the next epoch (either HM or ALERT), - * buffer it since it cannot be processed at this time. Records - * from the next epoch are marked as received even though they - * are not processed, so as to prevent any potential resource - * DoS attack */ + * and a handshake is currently in progress, buffer it since it + * cannot be processed at this time. */ if (is_next_epoch) { - dtls1_record_bitmap_update(s, bitmap); - dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); + if (SSL_in_init(s) || s->in_handshake) + { + dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); + } rr->length = 0; s->packet_length = 0; goto again; } - if ( ! dtls1_process_record(s)) - return(0); + if (!dtls1_process_record(s)) + { + rr->length = 0; + s->packet_length = 0; /* dump this record */ + goto again; /* get another record */ + } dtls1_clear_timeouts(s); /* done waiting */ return(1); @@ -809,7 +807,7 @@ start: * buffer the application data for later processing rather * than dropping the connection. */ - dtls1_buffer_record(s, &(s->d1->buffered_app_data), 0); + dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num); rr->length = 0; goto start; } diff --git a/openssl/ssl/dtls1.h b/openssl/ssl/dtls1.h index af363a984..2900d1d8a 100644 --- a/openssl/ssl/dtls1.h +++ b/openssl/ssl/dtls1.h @@ -167,6 +167,7 @@ typedef struct hm_fragment_st { struct hm_header_st msg_header; unsigned char *fragment; + unsigned char *reassembly; } hm_fragment; typedef struct dtls1_state_st diff --git a/openssl/ssl/ssl-lib.com b/openssl/ssl/ssl-lib.com index 85ab2f61f..c5ca9e1df 100644 --- a/openssl/ssl/ssl-lib.com +++ b/openssl/ssl/ssl-lib.com @@ -30,7 +30,7 @@ $! VAXC For VAX C. $! DECC For DEC C. $! GNUC For GNU C. $! -$! If you don't speficy a compiler, it will try to determine which +$! If you don't specify a compiler, it will try to determine which $! "C" compiler to use. $! $! P4, if defined, sets a TCP/IP library to use, through one of the following @@ -55,7 +55,7 @@ $ THEN $! $! The Architecture Is VAX. $! -$ ARCH := VAX +$ ARCH = "VAX" $! $! Else... $! @@ -524,12 +524,12 @@ $! Else... $! $ ELSE $! -$! Else, Check To See If P1 Has A Valid Arguement. +$! Else, Check To See If P1 Has A Valid Argument. $! $ IF (P1.EQS."LIBRARY").OR.(P1.EQS."SSL_TASK") $ THEN $! -$! A Valid Arguement. +$! A Valid Argument. $! $ BUILDALL = P1 $! @@ -557,7 +557,7 @@ $! Time To EXIT. $! $ EXIT $! -$! End The Valid Arguement Check. +$! End The Valid Argument Check. $! $ ENDIF $! @@ -611,7 +611,7 @@ $! Time To EXIT. $! $ EXIT $! -$! End The Valid Arguement Check. +$! End The Valid Argument Check. $! $ ENDIF $! @@ -893,7 +893,7 @@ $! Show user the result $! $ WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC $! -$! Else The User Entered An Invalid Arguement. +$! Else The User Entered An Invalid Argument. $! $ ELSE $! @@ -994,7 +994,7 @@ $! Print info $! $ WRITE SYS$OUTPUT "TCP/IP library spec: ", TCPIP_LIB $! -$! Else The User Entered An Invalid Arguement. +$! Else The User Entered An Invalid Argument. $! $ ELSE $! diff --git a/openssl/ssl/ssl_algs.c b/openssl/ssl/ssl_algs.c index a26ae4395..0967b2dfe 100644 --- a/openssl/ssl/ssl_algs.c +++ b/openssl/ssl/ssl_algs.c @@ -105,6 +105,14 @@ int SSL_library_init(void) EVP_add_digest_alias(SN_sha1,"ssl3-sha1"); EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA); #endif +#ifndef OPENSSL_NO_SHA256 + EVP_add_digest(EVP_sha224()); + EVP_add_digest(EVP_sha256()); +#endif +#ifndef OPENSSL_NO_SHA512 + EVP_add_digest(EVP_sha384()); + EVP_add_digest(EVP_sha512()); +#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA) EVP_add_digest(EVP_dss1()); /* DSA with sha1 */ EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2); diff --git a/openssl/ssl/t1_enc.c b/openssl/ssl/t1_enc.c index d9cb059d0..9719541f2 100644 --- a/openssl/ssl/t1_enc.c +++ b/openssl/ssl/t1_enc.c @@ -148,7 +148,7 @@ #endif /* seed1 through seed5 are virtually concatenated */ -static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, +static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, const void *seed1, int seed1_len, const void *seed2, int seed2_len, @@ -163,55 +163,79 @@ static void tls1_P_hash(const EVP_MD *md, const unsigned char *sec, HMAC_CTX ctx_tmp; unsigned char A1[EVP_MAX_MD_SIZE]; unsigned int A1_len; + int ret = 0; chunk=EVP_MD_size(md); OPENSSL_assert(chunk >= 0); HMAC_CTX_init(&ctx); HMAC_CTX_init(&ctx_tmp); - HMAC_Init_ex(&ctx,sec,sec_len,md, NULL); - HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL); - if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len); - if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len); - if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len); - if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len); - if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len); - HMAC_Final(&ctx,A1,&A1_len); + if (!HMAC_Init_ex(&ctx,sec,sec_len,md, NULL)) + goto err; + if (!HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL)) + goto err; + if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len)) + goto err; + if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len)) + goto err; + if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len)) + goto err; + if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len)) + goto err; + if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len)) + goto err; + if (!HMAC_Final(&ctx,A1,&A1_len)) + goto err; n=0; for (;;) { - HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */ - HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */ - HMAC_Update(&ctx,A1,A1_len); - HMAC_Update(&ctx_tmp,A1,A1_len); - if (seed1 != NULL) HMAC_Update(&ctx,seed1,seed1_len); - if (seed2 != NULL) HMAC_Update(&ctx,seed2,seed2_len); - if (seed3 != NULL) HMAC_Update(&ctx,seed3,seed3_len); - if (seed4 != NULL) HMAC_Update(&ctx,seed4,seed4_len); - if (seed5 != NULL) HMAC_Update(&ctx,seed5,seed5_len); + if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */ + goto err; + if (!HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL)) /* re-init */ + goto err; + if (!HMAC_Update(&ctx,A1,A1_len)) + goto err; + if (!HMAC_Update(&ctx_tmp,A1,A1_len)) + goto err; + if (seed1 != NULL && !HMAC_Update(&ctx,seed1,seed1_len)) + goto err; + if (seed2 != NULL && !HMAC_Update(&ctx,seed2,seed2_len)) + goto err; + if (seed3 != NULL && !HMAC_Update(&ctx,seed3,seed3_len)) + goto err; + if (seed4 != NULL && !HMAC_Update(&ctx,seed4,seed4_len)) + goto err; + if (seed5 != NULL && !HMAC_Update(&ctx,seed5,seed5_len)) + goto err; if (olen > chunk) { - HMAC_Final(&ctx,out,&j); + if (!HMAC_Final(&ctx,out,&j)) + goto err; out+=j; olen-=j; - HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */ + if (!HMAC_Final(&ctx_tmp,A1,&A1_len)) /* calc the next A1 value */ + goto err; } else /* last one */ { - HMAC_Final(&ctx,A1,&A1_len); + if (!HMAC_Final(&ctx,A1,&A1_len)) + goto err; memcpy(out,A1,olen); break; } } + ret = 1; +err: HMAC_CTX_cleanup(&ctx); HMAC_CTX_cleanup(&ctx_tmp); OPENSSL_cleanse(A1,sizeof(A1)); + return ret; } /* seed1 through seed5 are virtually concatenated */ -static void tls1_PRF(long digest_mask, +static int tls1_PRF(long digest_mask, const void *seed1, int seed1_len, const void *seed2, int seed2_len, const void *seed3, int seed3_len, @@ -225,6 +249,7 @@ static void tls1_PRF(long digest_mask, const unsigned char *S1; long m; const EVP_MD *md; + int ret = 0; /* Count number of digests and partition sec evenly */ count=0; @@ -239,11 +264,12 @@ static void tls1_PRF(long digest_mask, if (!md) { SSLerr(SSL_F_TLS1_PRF, SSL_R_UNSUPPORTED_DIGEST_TYPE); - return; + goto err; } - tls1_P_hash(md ,S1,len+(slen&1), - seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len, - out2,olen); + if (!tls1_P_hash(md ,S1,len+(slen&1), + seed1,seed1_len,seed2,seed2_len,seed3,seed3_len,seed4,seed4_len,seed5,seed5_len, + out2,olen)) + goto err; S1+=len; for (i=0; i<olen; i++) { @@ -251,12 +277,15 @@ static void tls1_PRF(long digest_mask, } } } - + ret = 1; +err: + return ret; } -static void tls1_generate_key_block(SSL *s, unsigned char *km, +static int tls1_generate_key_block(SSL *s, unsigned char *km, unsigned char *tmp, int num) { - tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + int ret; + ret = tls1_PRF(s->s3->tmp.new_cipher->algorithm2, TLS_MD_KEY_EXPANSION_CONST,TLS_MD_KEY_EXPANSION_CONST_SIZE, s->s3->server_random,SSL3_RANDOM_SIZE, s->s3->client_random,SSL3_RANDOM_SIZE, @@ -274,6 +303,7 @@ static void tls1_generate_key_block(SSL *s, unsigned char *km, } printf("\n"); } #endif /* KSSL_DEBUG */ + return ret; } int tls1_change_cipher_state(SSL *s, int which) @@ -461,22 +491,24 @@ printf("which = %04X\nmac key=",which); /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ - tls1_PRF(s->s3->tmp.new_cipher->algorithm2, - exp_label,exp_label_len, - s->s3->client_random,SSL3_RANDOM_SIZE, - s->s3->server_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - key,j,tmp1,tmp2,EVP_CIPHER_key_length(c)); + if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + exp_label,exp_label_len, + s->s3->client_random,SSL3_RANDOM_SIZE, + s->s3->server_random,SSL3_RANDOM_SIZE, + NULL,0,NULL,0, + key,j,tmp1,tmp2,EVP_CIPHER_key_length(c))) + goto err2; key=tmp1; if (k > 0) { - tls1_PRF(s->s3->tmp.new_cipher->algorithm2, - TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, - s->s3->client_random,SSL3_RANDOM_SIZE, - s->s3->server_random,SSL3_RANDOM_SIZE, - NULL,0,NULL,0, - empty,0,iv1,iv2,k*2); + if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + TLS_MD_IV_BLOCK_CONST,TLS_MD_IV_BLOCK_CONST_SIZE, + s->s3->client_random,SSL3_RANDOM_SIZE, + s->s3->server_random,SSL3_RANDOM_SIZE, + NULL,0,NULL,0, + empty,0,iv1,iv2,k*2)) + goto err2; if (client_write) iv=iv1; else @@ -518,12 +550,13 @@ err2: int tls1_setup_key_block(SSL *s) { - unsigned char *p1,*p2; + unsigned char *p1,*p2=NULL; const EVP_CIPHER *c; const EVP_MD *hash; int num; SSL_COMP *comp; int mac_type= NID_undef,mac_secret_size=0; + int ret=0; #ifdef KSSL_DEBUG printf ("tls1_setup_key_block()\n"); @@ -548,13 +581,19 @@ int tls1_setup_key_block(SSL *s) ssl3_cleanup_key_block(s); if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) + { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); goto err; - if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) - goto err; + } s->s3->tmp.key_block_length=num; s->s3->tmp.key_block=p1; + if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) + { + SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); + goto err; + } #ifdef TLS_DEBUG printf("client random\n"); @@ -564,9 +603,8 @@ printf("server random\n"); printf("pre-master\n"); { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } #endif - tls1_generate_key_block(s,p1,p2,num); - OPENSSL_cleanse(p2,num); - OPENSSL_free(p2); + if (!tls1_generate_key_block(s,p1,p2,num)) + goto err; #ifdef TLS_DEBUG printf("\nkey block\n"); { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } @@ -591,10 +629,14 @@ printf("\nkey block\n"); } } - return(1); + ret = 1; err: - SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); - return(0); + if (p2) + { + OPENSSL_cleanse(p2,num); + OPENSSL_free(p2); + } + return(ret); } int tls1_enc(SSL *s, int send) @@ -822,10 +864,11 @@ int tls1_final_finish_mac(SSL *s, } } - tls1_PRF(s->s3->tmp.new_cipher->algorithm2, - str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, - s->session->master_key,s->session->master_key_length, - out,buf2,sizeof buf2); + if (!tls1_PRF(s->s3->tmp.new_cipher->algorithm2, + str,slen, buf,(int)(q-buf), NULL,0, NULL,0, NULL,0, + s->session->master_key,s->session->master_key_length, + out,buf2,sizeof buf2)) + err = 1; EVP_MD_CTX_cleanup(&ctx); if (err) |