/* * Class: org_jitsi_impl_neomedia_transform_srtp_OpenSSLHMAC * Method: EVP_MD_size * Signature: (J)I */ JNIEXPORT jint JNICALL Java_org_jitsi_impl_neomedia_transform_srtp_OpenSSLHMAC_EVP_1MD_1size (JNIEnv *env, jclass clazz, jlong md) { return EVP_MD_size((const EVP_MD *) (intptr_t) md); }
// tls1_P_hash computes the TLS P_<hash> function as described in RFC 5246, // section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and // |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to // form the seed parameter. It returns true on success and false on failure. static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, const uint8_t *secret, size_t secret_len, const char *label, size_t label_len, const uint8_t *seed1, size_t seed1_len, const uint8_t *seed2, size_t seed2_len) { HMAC_CTX ctx, ctx_tmp, ctx_init; uint8_t A1[EVP_MAX_MD_SIZE]; unsigned A1_len; int ret = 0; const size_t chunk = EVP_MD_size(md); HMAC_CTX_init(&ctx); HMAC_CTX_init(&ctx_tmp); HMAC_CTX_init(&ctx_init); if (!HMAC_Init_ex(&ctx_init, secret, secret_len, md, NULL) || !HMAC_CTX_copy_ex(&ctx, &ctx_init) || !HMAC_Update(&ctx, (const uint8_t *) label, label_len) || !HMAC_Update(&ctx, seed1, seed1_len) || !HMAC_Update(&ctx, seed2, seed2_len) || !HMAC_Final(&ctx, A1, &A1_len)) { goto err; } for (;;) { unsigned len; uint8_t hmac[EVP_MAX_MD_SIZE]; if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) || !HMAC_Update(&ctx, A1, A1_len) || // Save a copy of |ctx| to compute the next A1 value below. (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) || !HMAC_Update(&ctx, (const uint8_t *) label, label_len) || !HMAC_Update(&ctx, seed1, seed1_len) || !HMAC_Update(&ctx, seed2, seed2_len) || !HMAC_Final(&ctx, hmac, &len)) { goto err; } assert(len == chunk); // XOR the result into |out|. if (len > out_len) { len = out_len; } for (unsigned i = 0; i < len; i++) { out[i] ^= hmac[i]; } out += len; out_len -= len; if (out_len == 0) { break; } // Calculate the next A1 value. if (!HMAC_Final(&ctx_tmp, A1, &A1_len)) { goto err; } } ret = 1; err: OPENSSL_cleanse(A1, sizeof(A1)); HMAC_CTX_cleanup(&ctx); HMAC_CTX_cleanup(&ctx_tmp); HMAC_CTX_cleanup(&ctx_init); return ret; }
int tls1_change_cipher_state(SSL *s, int which) { static const unsigned char empty[]=""; unsigned char *p,*key_block,*mac_secret; unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ SSL3_RANDOM_SIZE*2]; unsigned char tmp1[EVP_MAX_KEY_LENGTH]; unsigned char tmp2[EVP_MAX_KEY_LENGTH]; unsigned char iv1[EVP_MAX_IV_LENGTH*2]; unsigned char iv2[EVP_MAX_IV_LENGTH*2]; unsigned char *ms,*key,*iv,*er1,*er2; int client_write; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; const SSL_COMP *comp; const EVP_MD *m; int _exp,n,i,j,k,exp_label_len,cl; _exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; comp=s->s3->tmp.new_compression; key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) { if ((s->enc_read_ctx == NULL) && ((s->enc_read_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; dd= s->enc_read_ctx; s->read_hash=m; if (s->expand != NULL) { COMP_CTX_free(s->expand); s->expand=NULL; } if (comp != NULL) { s->expand=COMP_CTX_new(comp->method); if (s->expand == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *) OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } else { if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *) OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)) goto err; dd= s->enc_write_ctx; s->write_hash=m; if (s->compress != NULL) { COMP_CTX_free(s->compress); s->compress=NULL; } if (comp != NULL) { s->compress=COMP_CTX_new(comp->method); if (s->compress == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } } memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } EVP_CIPHER_CTX_init(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); j=_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); er1= &(s->s3->client_random[0]); er2= &(s->s3->server_random[0]); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { ms= &(p[ 0]); n=i+i; key= &(p[ n]); n+=j+j; iv= &(p[ n]); n+=k+k; exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; client_write=1; } else { n=i; ms= &(p[ n]); n+=i+j; key= &(p[ n]); n+=j+k; iv= &(p[ n]); n+=k; exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; client_write=0; } if (n > s->s3->tmp.key_block_length) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR); goto err2; } memcpy(mac_secret,ms,i); #ifdef TLS_DEBUG printf("which = %04X\nmac key=",which); { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } #endif if (_exp) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ p=buf; memcpy(p,exp_label,exp_label_len); p+=exp_label_len; memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j, tmp1,tmp2,EVP_CIPHER_key_length(c)); key=tmp1; if (k > 0) { p=buf; memcpy(p,TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE); p+=TLS_MD_IV_BLOCK_CONST_SIZE; memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0, iv1,iv2,k*2); if (client_write) iv=iv1; else iv= &(iv1[k]); } } s->session->key_arg_length=0; EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE)); #ifdef TLS_DEBUG printf("which = %04X\nkey=",which); { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } printf("\niv="); { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } printf("\n"); #endif memset(tmp1,0,sizeof(tmp1)); memset(tmp2,0,sizeof(tmp1)); memset(iv1,0,sizeof(iv1)); memset(iv2,0,sizeof(iv2)); return(1); err: SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); err2: return(0); }
int SM2_do_decrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md, const SM2_CIPHERTEXT_VALUE *cv, unsigned char *out, size_t *outlen, EC_KEY *ec_key) { int ret = 0; const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key); const BIGNUM *pri_key = EC_KEY_get0_private_key(ec_key); KDF_FUNC kdf = KDF_get_x9_63(kdf_md); EC_POINT *point = NULL; BIGNUM *n = NULL; BIGNUM *h = NULL; BN_CTX *bn_ctx = NULL; EVP_MD_CTX *md_ctx = NULL; unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1]; unsigned char mac[EVP_MAX_MD_SIZE]; unsigned int maclen; int nbytes; size_t size; int i; OPENSSL_assert(kdf_md && mac_md && cv && ec_key); OPENSSL_assert(cv->ephem_point && cv->ciphertext); if (!ec_group || !pri_key) { goto end; } if (!kdf) { goto end; } if (!out) { *outlen = cv->ciphertext_size; return 1; } if (*outlen < cv->ciphertext_size) { goto end; } /* init vars */ point = EC_POINT_new(ec_group); n = BN_new(); h = BN_new(); bn_ctx = BN_CTX_new(); md_ctx = EVP_MD_CTX_create(); if (!point || !n || !h || !bn_ctx || !md_ctx) { goto end; } /* init ec domain parameters */ if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) { goto end; } if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) { goto end; } nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8; //OPENSSL_assert(nbytes == BN_num_bytes(n)); #if 0 /* check sm2 curve and md is 256 bits */ OPENSSL_assert(nbytes == 32); OPENSSL_assert(EVP_MD_size(kdf_md) == 32); OPENSSL_assert(EVP_MD_size(mac_md) == 32); #endif /* B2: check [h]C1 != O */ if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, h, bn_ctx)) { goto end; } if (EC_POINT_is_at_infinity(ec_group, point)) { goto end; } /* B3: compute ECDH [d]C1 = (x2, y2) */ if (!EC_POINT_mul(ec_group, point, NULL, cv->ephem_point, pri_key, bn_ctx)) { goto end; } if (!(size = EC_POINT_point2oct(ec_group, point, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) { goto end; } OPENSSL_assert(size == 1 + nbytes * 2); /* B4: compute t = KDF(x2 || y2, clen) */ *outlen = cv->ciphertext_size; //FIXME: duplicated code kdf(buf + 1, size - 1, out, outlen); /* B5: compute M = C2 xor t */ for (i = 0; i < cv->ciphertext_size; i++) { out[i] ^= cv->ciphertext[i]; } *outlen = cv->ciphertext_size; /* B6: check Hash(x2 || M || y2) == C3 */ if (!EVP_DigestInit_ex(md_ctx, mac_md, NULL)) { goto end; } if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) { goto end; } if (!EVP_DigestUpdate(md_ctx, out, *outlen)) { goto end; } if (!EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)) { goto end; } if (!EVP_DigestFinal_ex(md_ctx, mac, &maclen)) { goto end; } if (cv->mactag_size != maclen || memcmp(cv->mactag, mac, maclen)) { goto end; } ret = 1; end: if (point) EC_POINT_free(point); if (n) BN_free(n); if (h) BN_free(h); if (bn_ctx) BN_CTX_free(bn_ctx); if (md_ctx) EVP_MD_CTX_destroy(md_ctx); return ret; }
TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) { long off = 0; int cachable; SSL_CTX *client_ctx; TLS_APPL_STATE *app_ctx; const EVP_MD *md_alg; unsigned int md_len; int log_mask; /* * Convert user loglevel to internal logmask. */ log_mask = tls_log_mask(props->log_param, props->log_level); if (log_mask & TLS_LOG_VERBOSE) msg_info("initializing the client-side TLS engine"); /* * Load (mostly cipher related) TLS-library internal main.cf parameters. */ tls_param_init(); /* * Detect mismatch between compile-time headers and run-time library. */ tls_check_version(); /* * Initialize the OpenSSL library by the book! To start with, we must * initialize the algorithms. We want cleartext error messages instead of * just error codes, so we load the error_strings. */ SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); /* * Create an application data index for SSL objects, so that we can * attach TLScontext information; this information is needed inside * tls_verify_certificate_callback(). */ if (TLScontext_index < 0) { if ((TLScontext_index = SSL_get_ex_new_index(0, 0, 0, 0, 0)) < 0) { msg_warn("Cannot allocate SSL application data index: " "disabling TLS support"); return (0); } } /* * If the administrator specifies an unsupported digest algorithm, fail * now, rather than in the middle of a TLS handshake. */ if ((md_alg = EVP_get_digestbyname(props->fpt_dgst)) == 0) { msg_warn("Digest algorithm \"%s\" not found: disabling TLS support", props->fpt_dgst); return (0); } /* * Sanity check: Newer shared libraries may use larger digests. */ if ((md_len = EVP_MD_size(md_alg)) > EVP_MAX_MD_SIZE) { msg_warn("Digest algorithm \"%s\" output size %u too large:" " disabling TLS support", props->fpt_dgst, md_len); return (0); } /* * Initialize the PRNG (Pseudo Random Number Generator) with some seed * from external and internal sources. Don't enable TLS without some real * entropy. */ if (tls_ext_seed(var_tls_daemon_rand_bytes) < 0) { msg_warn("no entropy for TLS key generation: disabling TLS support"); return (0); } tls_int_seed(); /* * The SSL/TLS specifications require the client to send a message in the * oldest specification it understands with the highest level it * understands in the message. RFC2487 is only specified for TLSv1, but * we want to be as compatible as possible, so we will start off with a * SSLv2 greeting allowing the best we can offer: TLSv1. We can restrict * this with the options setting later, anyhow. */ ERR_clear_error(); if ((client_ctx = SSL_CTX_new(SSLv23_client_method())) == 0) { msg_warn("cannot allocate client SSL_CTX: disabling TLS support"); tls_print_errors(); return (0); } /* * See the verify callback in tls_verify.c */ SSL_CTX_set_verify_depth(client_ctx, props->verifydepth + 1); /* * Protocol selection is destination dependent, so we delay the protocol * selection options to the per-session SSL object. */ off |= tls_bug_bits(); SSL_CTX_set_options(client_ctx, off); /* * Set the call-back routine for verbose logging. */ if (log_mask & TLS_LOG_DEBUG) SSL_CTX_set_info_callback(client_ctx, tls_info_callback); /* * Load the CA public key certificates for both the client cert and for * the verification of server certificates. As provided by OpenSSL we * support two types of CA certificate handling: One possibility is to * add all CA certificates to one large CAfile, the other possibility is * a directory pointed to by CApath, containing separate files for each * CA with softlinks named after the hash values of the certificate. The * first alternative has the advantage that the file is opened and read * at startup time, so that you don't have the hassle to maintain another * copy of the CApath directory for chroot-jail. */ if (tls_set_ca_certificate_info(client_ctx, props->CAfile, props->CApath) < 0) { /* tls_set_ca_certificate_info() already logs a warning. */ SSL_CTX_free(client_ctx); /* 200411 */ return (0); } /* * We do not need a client certificate, so the certificates are only * loaded (and checked) if supplied. A clever client would handle * multiple client certificates and decide based on the list of * acceptable CAs, sent by the server, which certificate to submit. * OpenSSL does however not do this and also has no call-back hooks to * easily implement it. * * Load the client public key certificate and private key from file and * check whether the cert matches the key. We can use RSA certificates * ("cert") DSA certificates ("dcert") or ECDSA certificates ("eccert"). * All three can be made available at the same time. The CA certificates * for all three are handled in the same setup already finished. Which * one is used depends on the cipher negotiated (that is: the first * cipher listed by the client which does match the server). The client * certificate is presented after the server chooses the session cipher, * so we will just present the right cert for the chosen cipher (if it * uses certificates). */ if (tls_set_my_certificate_key_info(client_ctx, props->cert_file, props->key_file, props->dcert_file, props->dkey_file, props->eccert_file, props->eckey_file) < 0) { /* tls_set_my_certificate_key_info() already logs a warning. */ SSL_CTX_free(client_ctx); /* 200411 */ return (0); } /* * According to the OpenSSL documentation, temporary RSA key is needed * export ciphers are in use. We have to provide one, so well, we just do * it. */ SSL_CTX_set_tmp_rsa_callback(client_ctx, tls_tmp_rsa_cb); /* * Finally, the setup for the server certificate checking, done "by the * book". */ SSL_CTX_set_verify(client_ctx, SSL_VERIFY_NONE, tls_verify_certificate_callback); /* * Initialize the session cache. * * Since the client does not search an internal cache, we simply disable it. * It is only useful for expiring old sessions, but we do that in the * tlsmgr(8). * * This makes SSL_CTX_remove_session() not useful for flushing broken * sessions from the external cache, so we must delete them directly (not * via a callback). */ if (tls_mgr_policy(props->cache_type, &cachable) != TLS_MGR_STAT_OK) cachable = 0; /* * Allocate an application context, and populate with mandatory protocol * and cipher data. */ app_ctx = tls_alloc_app_context(client_ctx, log_mask); /* * The external session cache is implemented by the tlsmgr(8) process. */ if (cachable) { app_ctx->cache_type = mystrdup(props->cache_type); /* * OpenSSL does not use callbacks to load sessions from a client * cache, so we must invoke that function directly. Apparently, * OpenSSL does not provide a way to pass session names from here to * call-back routines that do session lookup. * * OpenSSL can, however, automatically save newly created sessions for * us by callback (we create the session name in the call-back * function). * * XXX gcc 2.95 can't compile #ifdef .. #endif in the expansion of * SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE | * SSL_SESS_CACHE_NO_AUTO_CLEAR. */ #ifndef SSL_SESS_CACHE_NO_INTERNAL_STORE #define SSL_SESS_CACHE_NO_INTERNAL_STORE 0 #endif SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE | SSL_SESS_CACHE_NO_AUTO_CLEAR); SSL_CTX_sess_set_new_cb(client_ctx, new_client_session_cb); } return (app_ctx); }
int int_rsa_verify(int dtype, const uint8_t *m, unsigned int m_len, uint8_t *rm, size_t *prm_len, const uint8_t *sigbuf, size_t siglen, RSA *rsa) { int i, ret = 0, sigtype; uint8_t *s; X509_SIG *sig = NULL; if (siglen != (unsigned int)RSA_size(rsa)) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH); return (0); } if ((dtype == NID_md5_sha1) && rm) { i = RSA_public_decrypt((int)siglen, sigbuf, rm, rsa, RSA_PKCS1_PADDING); if (i <= 0) return 0; *prm_len = i; return 1; } s = malloc((unsigned int)siglen); if (s == NULL) { RSAerr(RSA_F_INT_RSA_VERIFY, ERR_R_MALLOC_FAILURE); goto err; } if ((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH)) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_MESSAGE_LENGTH); goto err; } i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING); if (i <= 0) goto err; /* Special case: SSL signature */ if (dtype == NID_md5_sha1) { if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH)) RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE); else ret = 1; } else { const uint8_t *p = s; sig = d2i_X509_SIG(NULL, &p, (long)i); if (sig == NULL) goto err; /* Excess data can be used to create forgeries */ if (p != s + i || !rsa_check_digestinfo(sig, s, i)) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE); goto err; } /* Parameters to the signature algorithm can also be used to create forgeries */ if (sig->algor->parameter && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE); goto err; } sigtype = OBJ_obj2nid(sig->algor->algorithm); if (sigtype != dtype) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH); goto err; } if (rm) { const EVP_MD *md; md = EVP_get_digestbynid(dtype); if (md && (EVP_MD_size(md) != sig->digest->length)) RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); else { memcpy(rm, sig->digest->data, sig->digest->length); *prm_len = sig->digest->length; ret = 1; } } else if (((unsigned int)sig->digest->length != m_len) || (memcmp(m, sig->digest->data, m_len) != 0)) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE); } else ret = 1; } err: X509_SIG_free(sig); if (s != NULL) { vigortls_zeroize(s, (unsigned int)siglen); free(s); } return (ret); }
/* seed1 through seed5 are virtually concatenated */ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, int sec_len, const void *seed1, int seed1_len, const void *seed2, int seed2_len, const void *seed3, int seed3_len, const void *seed4, int seed4_len, const void *seed5, int seed5_len, unsigned char *out, int olen) { int chunk; size_t j; EVP_MD_CTX ctx, ctx_tmp; EVP_PKEY *mac_key; unsigned char A1[EVP_MAX_MD_SIZE]; size_t A1_len; int ret = 0; chunk=EVP_MD_size(md); OPENSSL_assert(chunk >= 0); EVP_MD_CTX_init(&ctx); EVP_MD_CTX_init(&ctx_tmp); EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); if (!mac_key) goto err; if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) goto err; if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) goto err; if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) goto err; if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) goto err; if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) goto err; if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) goto err; if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) goto err; if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) goto err; for (;;) { /* Reinit mac contexts */ if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key)) goto err; if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key)) goto err; if (!EVP_DigestSignUpdate(&ctx,A1,A1_len)) goto err; if (!EVP_DigestSignUpdate(&ctx_tmp,A1,A1_len)) goto err; if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len)) goto err; if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len)) goto err; if (seed3 && !EVP_DigestSignUpdate(&ctx,seed3,seed3_len)) goto err; if (seed4 && !EVP_DigestSignUpdate(&ctx,seed4,seed4_len)) goto err; if (seed5 && !EVP_DigestSignUpdate(&ctx,seed5,seed5_len)) goto err; if (olen > chunk) { if (!EVP_DigestSignFinal(&ctx,out,&j)) goto err; out+=j; olen-=j; /* calc the next A1 value */ if (!EVP_DigestSignFinal(&ctx_tmp,A1,&A1_len)) goto err; } else /* last one */ { if (!EVP_DigestSignFinal(&ctx,A1,&A1_len)) goto err; memcpy(out,A1,olen); break; } } ret = 1; err: EVP_PKEY_free(mac_key); EVP_MD_CTX_cleanup(&ctx); EVP_MD_CTX_cleanup(&ctx_tmp); OPENSSL_cleanse(A1,sizeof(A1)); return ret; }
int tls1_mac(SSL *ssl, unsigned char *md, int send) { SSL3_RECORD *rec; unsigned char *mac_sec,*seq; const EVP_MD *hash; unsigned int md_size; int i; HMAC_CTX hmac; unsigned char buf[5]; if (send) { rec= &(ssl->s3->wrec); mac_sec= &(ssl->s3->write_mac_secret[0]); seq= &(ssl->s3->write_sequence[0]); hash=ssl->write_hash; } else { rec= &(ssl->s3->rrec); mac_sec= &(ssl->s3->read_mac_secret[0]); seq= &(ssl->s3->read_sequence[0]); hash=ssl->read_hash; } md_size=EVP_MD_size(hash); buf[0]=rec->type; buf[1]=TLS1_VERSION_MAJOR; buf[2]=TLS1_VERSION_MINOR; buf[3]=rec->length>>8; buf[4]=rec->length&0xff; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ HMAC_CTX_init(&hmac); HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); HMAC_Update(&hmac,seq,8); HMAC_Update(&hmac,buf,5); HMAC_Update(&hmac,rec->input,rec->length); HMAC_Final(&hmac,md,&md_size); HMAC_CTX_cleanup(&hmac); #ifdef TLS_DEBUG printf("sec="); {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } printf("seq="); {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } printf("buf="); {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } printf("rec="); {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } #endif for (i=7; i>=0; i--) { ++seq[i]; if (seq[i] != 0) break; } #ifdef TLS_DEBUG {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } #endif return(md_size); }
char * ssh_gssapi_kex_mechs(gss_OID_set gss_supported, ssh_gssapi_check_fn *check, const char *data) { Buffer buf; size_t i; int oidpos, enclen; char *mechs, *encoded; u_char digest[EVP_MAX_MD_SIZE]; char deroid[2]; const EVP_MD *evp_md = EVP_md5(); EVP_MD_CTX md; if (gss_enc2oid != NULL) { for (i = 0; gss_enc2oid[i].encoded != NULL; i++) xfree(gss_enc2oid[i].encoded); xfree(gss_enc2oid); } gss_enc2oid = xmalloc(sizeof(ssh_gss_kex_mapping) * (gss_supported->count + 1)); buffer_init(&buf); oidpos = 0; for (i = 0; i < gss_supported->count; i++) { if (gss_supported->elements[i].length < 128 && (*check)(NULL, &(gss_supported->elements[i]), data)) { deroid[0] = SSH_GSS_OIDTYPE; deroid[1] = gss_supported->elements[i].length; EVP_DigestInit(&md, evp_md); EVP_DigestUpdate(&md, deroid, 2); EVP_DigestUpdate(&md, gss_supported->elements[i].elements, gss_supported->elements[i].length); EVP_DigestFinal(&md, digest, NULL); encoded = xmalloc(EVP_MD_size(evp_md) * 2); enclen = __b64_ntop(digest, EVP_MD_size(evp_md), encoded, EVP_MD_size(evp_md) * 2); if (oidpos != 0) buffer_put_char(&buf, ','); buffer_append(&buf, KEX_GSS_GEX_SHA1_ID, sizeof(KEX_GSS_GEX_SHA1_ID) - 1); buffer_append(&buf, encoded, enclen); buffer_put_char(&buf, ','); buffer_append(&buf, KEX_GSS_GRP1_SHA1_ID, sizeof(KEX_GSS_GRP1_SHA1_ID) - 1); buffer_append(&buf, encoded, enclen); buffer_put_char(&buf, ','); buffer_append(&buf, KEX_GSS_GRP14_SHA1_ID, sizeof(KEX_GSS_GRP14_SHA1_ID) - 1); buffer_append(&buf, encoded, enclen); gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); gss_enc2oid[oidpos].encoded = encoded; oidpos++; } } gss_enc2oid[oidpos].oid = NULL; gss_enc2oid[oidpos].encoded = NULL; buffer_put_char(&buf, '\0'); mechs = xmalloc(buffer_len(&buf)); buffer_get(&buf, mechs, buffer_len(&buf)); buffer_free(&buf); if (strlen(mechs) == 0) { xfree(mechs); mechs = NULL; } return (mechs); }
int tls1_mac(SSL *ssl, unsigned char *md, int send) { SSL3_RECORD *rec; unsigned char *mac_sec,*seq; const EVP_MD *hash; unsigned int md_size; int i; HMAC_CTX hmac; unsigned char buf[5]; if (send) { rec= &(ssl->s3->wrec); mac_sec= &(ssl->s3->write_mac_secret[0]); seq= &(ssl->s3->write_sequence[0]); hash=ssl->write_hash; } else { rec= &(ssl->s3->rrec); mac_sec= &(ssl->s3->read_mac_secret[0]); seq= &(ssl->s3->read_sequence[0]); hash=ssl->read_hash; } md_size=EVP_MD_size(hash); buf[0]=rec->type; if (ssl->version == DTLS1_VERSION && ssl->client_version == DTLS1_BAD_VER) { buf[1]=TLS1_VERSION_MAJOR; buf[2]=TLS1_VERSION_MINOR; } else { buf[1]=(unsigned char)(ssl->version>>8); buf[2]=(unsigned char)(ssl->version); } buf[3]=rec->length>>8; buf[4]=rec->length&0xff; /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ HMAC_CTX_init(&hmac); HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL); if (ssl->version == DTLS1_BAD_VER || (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)) { unsigned char dtlsseq[8],*p=dtlsseq; s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); memcpy (p,&seq[2],6); HMAC_Update(&hmac,dtlsseq,8); } else HMAC_Update(&hmac,seq,8); HMAC_Update(&hmac,buf,5); HMAC_Update(&hmac,rec->input,rec->length); HMAC_Final(&hmac,md,&md_size); HMAC_CTX_cleanup(&hmac); #ifdef TLS_DEBUG printf("sec="); {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } printf("seq="); {int z; for (z=0; z<8; z++) printf("%02X ",seq[z]); printf("\n"); } printf("buf="); {int z; for (z=0; z<5; z++) printf("%02X ",buf[z]); printf("\n"); } printf("rec="); {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); } #endif if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER) { for (i=7; i>=0; i--) { ++seq[i]; if (seq[i] != 0) break; } } #ifdef TLS_DEBUG {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",md[z]); printf("\n"); } #endif return(md_size); }
int tls1_enc(SSL *s, int send) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; unsigned long l; int bs,i,ii,j,k,n=0; const EVP_CIPHER *enc; if (send) { if (s->write_hash != NULL) n=EVP_MD_size(s->write_hash); ds=s->enc_write_ctx; rec= &(s->s3->wrec); if (s->enc_write_ctx == NULL) enc=NULL; else enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx); } else { if (s->read_hash != NULL) n=EVP_MD_size(s->read_hash); ds=s->enc_read_ctx; rec= &(s->s3->rrec); if (s->enc_read_ctx == NULL) enc=NULL; else enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx); } #ifdef KSSL_DEBUG printf("tls1_enc(%d)\n", send); #endif /* KSSL_DEBUG */ if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { memmove(rec->data,rec->input,rec->length); rec->input=rec->data; } else { l=rec->length; bs=EVP_CIPHER_block_size(ds->cipher); if ((bs != 1) && send) { i=bs-((int)l%bs); /* Add weird padding of upto 256 bytes */ /* we need to add 'i' padding bytes of value j */ j=i-1; if (s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) { if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) j++; } for (k=(int)l; k<(int)(l+i); k++) rec->input[k]=j; l+=i; rec->length+=i; } #ifdef KSSL_DEBUG { unsigned long ui; printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", ds,rec->data,rec->input,l); printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", ds->buf_len, ds->cipher->key_len, DES_KEY_SZ, DES_SCHEDULE_SZ, ds->cipher->iv_len); printf("\t\tIV: "); for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); printf("\n"); printf("\trec->input="); for (ui=0; ui<l; ui++) printf(" %02x", rec->input[ui]); printf("\n"); } #endif /* KSSL_DEBUG */ if (!send) { if (l == 0 || l%bs != 0) { SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; } } EVP_Cipher(ds,rec->data,rec->input,l); #ifdef KSSL_DEBUG { unsigned long i; printf("\trec->data="); for (i=0; i<l; i++) printf(" %02x", rec->data[i]); printf("\n"); } #endif /* KSSL_DEBUG */ if ((bs != 1) && !send) { ii=i=rec->data[l-1]; /* padding_length */ i++; if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) { /* First packet is even in size, so check */ if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) i--; } /* TLS 1.0 does not bound the number of padding bytes by the block size. * All of them must have value 'padding_length'. */ if (i > (int)rec->length) { /* Incorrect padding. SSLerr() and ssl3_alert are done * by caller: we don't want to reveal whether this is * a decryption error or a MAC verification failure * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ return -1; } for (j=(int)(l-i); j<(int)l; j++) { if (rec->data[j] != ii) { /* Incorrect padding */ return -1; } } rec->length-=i; } } return(1); }
int tls1_change_cipher_state(SSL *s, int which) { static const unsigned char empty[]=""; unsigned char *p,*key_block,*mac_secret; unsigned char *exp_label,buf[TLS_MD_MAX_CONST_SIZE+ SSL3_RANDOM_SIZE*2]; unsigned char tmp1[EVP_MAX_KEY_LENGTH]; unsigned char tmp2[EVP_MAX_KEY_LENGTH]; unsigned char iv1[EVP_MAX_IV_LENGTH*2]; unsigned char iv2[EVP_MAX_IV_LENGTH*2]; unsigned char *ms,*key,*iv,*er1,*er2; int client_write; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; #ifndef OPENSSL_NO_COMP const SSL_COMP *comp; #endif const EVP_MD *m; int is_export,n,i,j,k,exp_label_len,cl; int reuse_dd = 0; is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; #ifndef OPENSSL_NO_COMP comp=s->s3->tmp.new_compression; #endif key_block=s->s3->tmp.key_block; #ifdef KSSL_DEBUG printf("tls1_change_cipher_state(which= %d) w/\n", which); printf("\talg= %ld, comp= %p\n", s->s3->tmp.new_cipher->algorithms, (void *)comp); printf("\tevp_cipher == %p ==? &d_cbc_ede_cipher3\n", (void *)c); printf("\tevp_cipher: nid, blksz= %d, %d, keylen=%d, ivlen=%d\n", c->nid,c->block_size,c->key_len,c->iv_len); printf("\tkey_block: len= %d, data= ", s->s3->tmp.key_block_length); { int ki; for (ki=0; ki<s->s3->tmp.key_block_length; ki++) printf("%02x", key_block[ki]); printf("\n"); } #endif /* KSSL_DEBUG */ if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_init(s->enc_read_ctx); dd= s->enc_read_ctx; s->read_hash=m; #ifndef OPENSSL_NO_COMP if (s->expand != NULL) { COMP_CTX_free(s->expand); s->expand=NULL; } if (comp != NULL) { s->expand=COMP_CTX_new(comp->method); if (s->expand == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *) OPENSSL_malloc(SSL3_RT_MAX_ENCRYPTED_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } #endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ if (s->version != DTLS1_VERSION) memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } else { if (s->enc_write_ctx != NULL) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; s->write_hash=m; #ifndef OPENSSL_NO_COMP if (s->compress != NULL) { COMP_CTX_free(s->compress); s->compress=NULL; } if (comp != NULL) { s->compress=COMP_CTX_new(comp->method); if (s->compress == NULL) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } } #endif /* this is done by dtls1_reset_seq_numbers for DTLS1_VERSION */ if (s->version != DTLS1_VERSION) memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); j=is_export ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); er1= &(s->s3->client_random[0]); er2= &(s->s3->server_random[0]); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { ms= &(p[ 0]); n=i+i; key= &(p[ n]); n+=j+j; iv= &(p[ n]); n+=k+k; exp_label=(unsigned char *)TLS_MD_CLIENT_WRITE_KEY_CONST; exp_label_len=TLS_MD_CLIENT_WRITE_KEY_CONST_SIZE; client_write=1; } else { n=i; ms= &(p[ n]); n+=i+j; key= &(p[ n]); n+=j+k; iv= &(p[ n]); n+=k; exp_label=(unsigned char *)TLS_MD_SERVER_WRITE_KEY_CONST; exp_label_len=TLS_MD_SERVER_WRITE_KEY_CONST_SIZE; client_write=0; } if (n > s->s3->tmp.key_block_length) { SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); goto err2; } memcpy(mac_secret,ms,i); #ifdef TLS_DEBUG printf("which = %04X\nmac key=",which); { int z; for (z=0; z<i; z++) printf("%02X%c",ms[z],((z+1)%16)?' ':'\n'); } #endif if (is_export) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ p=buf; memcpy(p,exp_label,exp_label_len); p+=exp_label_len; memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,(int)(p-buf),key,j, tmp1,tmp2,EVP_CIPHER_key_length(c)); key=tmp1; if (k > 0) { p=buf; memcpy(p,TLS_MD_IV_BLOCK_CONST, TLS_MD_IV_BLOCK_CONST_SIZE); p+=TLS_MD_IV_BLOCK_CONST_SIZE; memcpy(p,s->s3->client_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; memcpy(p,s->s3->server_random,SSL3_RANDOM_SIZE); p+=SSL3_RANDOM_SIZE; tls1_PRF(s->ctx->md5,s->ctx->sha1,buf,p-buf,empty,0, iv1,iv2,k*2); if (client_write) iv=iv1; else iv= &(iv1[k]); } } s->session->key_arg_length=0; #ifdef KSSL_DEBUG { int ki; printf("EVP_CipherInit_ex(dd,c,key=,iv=,which)\n"); printf("\tkey= "); for (ki=0; ki<c->key_len; ki++) printf("%02x", key[ki]); printf("\n"); printf("\t iv= "); for (ki=0; ki<c->iv_len; ki++) printf("%02x", iv[ki]); printf("\n"); } #endif /* KSSL_DEBUG */ EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); #ifdef TLS_DEBUG printf("which = %04X\nkey=",which); { int z; for (z=0; z<EVP_CIPHER_key_length(c); z++) printf("%02X%c",key[z],((z+1)%16)?' ':'\n'); } printf("\niv="); { int z; for (z=0; z<k; z++) printf("%02X%c",iv[z],((z+1)%16)?' ':'\n'); } printf("\n"); #endif OPENSSL_cleanse(tmp1,sizeof(tmp1)); OPENSSL_cleanse(tmp2,sizeof(tmp1)); OPENSSL_cleanse(iv1,sizeof(iv1)); OPENSSL_cleanse(iv2,sizeof(iv2)); return(1); err: SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); err2: return(0); }
static unsigned char *HKDF_Expand(const EVP_MD *evp_md, const unsigned char *prk, size_t prk_len, const unsigned char *info, size_t info_len, unsigned char *okm, size_t okm_len) { HMAC_CTX *hmac; unsigned int i; unsigned char prev[EVP_MAX_MD_SIZE]; size_t done_len = 0, dig_len = EVP_MD_size(evp_md); size_t n = okm_len / dig_len; if (okm_len % dig_len) n++; if (n > 255) return NULL; if ((hmac = HMAC_CTX_new()) == NULL) return NULL; if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) goto err; for (i = 1; i <= n; i++) { size_t copy_len; const unsigned char ctr = i; if (i > 1) { if (!HMAC_Init_ex(hmac, NULL, 0, NULL, NULL)) goto err; if (!HMAC_Update(hmac, prev, dig_len)) goto err; } if (!HMAC_Update(hmac, info, info_len)) goto err; if (!HMAC_Update(hmac, &ctr, 1)) goto err; if (!HMAC_Final(hmac, prev, NULL)) goto err; copy_len = (done_len + dig_len > okm_len) ? okm_len - done_len : dig_len; memcpy(okm + done_len, prev, copy_len); done_len += copy_len; } HMAC_CTX_free(hmac); return okm; err: HMAC_CTX_free(hmac); return NULL; }
int _ldapfull_set_hashed(moddata_t data, const char *scheme, const char *prefix, int saltlen, const char *passwd, char *buf, int buflen) { char *hash; // base64 hash EVP_MD_CTX mdctx; const EVP_MD *md; unsigned char *digest; unsigned char *salt; int hlen, plen, dlen, rc; md = EVP_get_digestbyname(scheme); if (!md) { return 0; } EVP_DigestInit(&mdctx, md); EVP_DigestUpdate(&mdctx, passwd, strlen(passwd)); if (saltlen) { salt = (unsigned char *)malloc(saltlen); if( !salt ) { EVP_MD_CTX_cleanup(&mdctx); return 0; } if( !RAND_bytes(salt,saltlen) ) { EVP_MD_CTX_cleanup(&mdctx); free(salt); } EVP_DigestUpdate(&mdctx, salt, saltlen); } digest = (unsigned char *)malloc(EVP_MD_size(md) + saltlen); if( !digest ) { if (saltlen) { free(salt); } EVP_MD_CTX_cleanup(&mdctx); return 0; } EVP_DigestFinal(&mdctx, digest, &dlen); memcpy(digest+dlen,salt,saltlen); if (saltlen) { free(salt); } rc = _ldapfull_base64_encode(digest, dlen+saltlen, &hash, &hlen); if( hash[hlen-1] == '\n' ) { hash[--hlen] = '\0'; } free(digest); if( !rc ) { free(hash); return 0; } plen = strlen(prefix); if( hlen + plen >= buflen ) { log_write(data->ar->c2s->log,LOG_ERR,"_ldapfull_set_hashed: buffer is too short (%i bytes)",buflen); free(hash); return 0; } memcpy(buf,prefix,plen); memcpy(buf+plen,hash,hlen); buf[hlen+plen]='\0'; free(hash); return 1; }
int ssl3_setup_key_block(SSL *s) { unsigned char *p; const EVP_CIPHER *c; const EVP_MD *hash; int num; int ret = 0; SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) return(1); if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) { SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return(0); } s->s3->tmp.new_sym_enc=c; s->s3->tmp.new_hash=hash; #ifdef OPENSSL_NO_COMP s->s3->tmp.new_compression=NULL; #else s->s3->tmp.new_compression=comp; #endif num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); num*=2; ssl3_cleanup_key_block(s); if ((p=OPENSSL_malloc(num)) == NULL) goto err; s->s3->tmp.key_block_length=num; s->s3->tmp.key_block=p; ret = ssl3_generate_key_block(s,p,num); if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { /* enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ s->s3->need_empty_fragments = 1; if (s->session->cipher != NULL) { if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) s->s3->need_empty_fragments = 0; #ifndef OPENSSL_NO_RC4 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) s->s3->need_empty_fragments = 0; #endif } } return ret; err: SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); return(0); }
int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x, size_t chainidx, int *al) { PACKET identities, binders, binder; size_t binderoffset, hashsize; SSL_SESSION *sess = NULL; unsigned int id, i; const EVP_MD *md = NULL; uint32_t ticket_age = 0, now, agesec, agems; /* * If we have no PSK kex mode that we recognise then we can't resume so * ignore this extension */ if ((s->ext.psk_kex_mode & (TLSEXT_KEX_MODE_FLAG_KE | TLSEXT_KEX_MODE_FLAG_KE_DHE)) == 0) return 1; if (!PACKET_get_length_prefixed_2(pkt, &identities)) { *al = SSL_AD_DECODE_ERROR; return 0; } for (id = 0; PACKET_remaining(&identities) != 0; id++) { PACKET identity; unsigned long ticket_agel; int ret; if (!PACKET_get_length_prefixed_2(&identities, &identity) || !PACKET_get_net_4(&identities, &ticket_agel)) { *al = SSL_AD_DECODE_ERROR; return 0; } ticket_age = (uint32_t)ticket_agel; ret = tls_decrypt_ticket(s, PACKET_data(&identity), PACKET_remaining(&identity), NULL, 0, &sess); if (ret == TICKET_FATAL_ERR_MALLOC || ret == TICKET_FATAL_ERR_OTHER) { *al = SSL_AD_INTERNAL_ERROR; return 0; } if (ret == TICKET_NO_DECRYPT) continue; md = ssl_md(sess->cipher->algorithm2); if (md == NULL) { /* * Don't recognise this cipher so we can't use the session. * Ignore it */ SSL_SESSION_free(sess); sess = NULL; continue; } /* * TODO(TLS1.3): Somehow we need to handle the case of a ticket renewal. * Ignored for now */ break; } if (sess == NULL) return 1; binderoffset = PACKET_data(pkt) - (const unsigned char *)s->init_buf->data; hashsize = EVP_MD_size(md); if (!PACKET_get_length_prefixed_2(pkt, &binders)) { *al = SSL_AD_DECODE_ERROR; goto err; } for (i = 0; i <= id; i++) { if (!PACKET_get_length_prefixed_1(&binders, &binder)) { *al = SSL_AD_DECODE_ERROR; goto err; } } if (PACKET_remaining(&binder) != hashsize || tls_psk_do_binder(s, md, (const unsigned char *)s->init_buf->data, binderoffset, PACKET_data(&binder), NULL, sess, 0) != 1) { *al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR); goto err; } sess->ext.tick_identity = id; now = (uint32_t)time(NULL); agesec = now - (uint32_t)sess->time; agems = agesec * (uint32_t)1000; ticket_age -= sess->ext.tick_age_add; /* * For simplicity we do our age calculations in seconds. If the client does * it in ms then it could appear that their ticket age is longer than ours * (our ticket age calculation should always be slightly longer than the * client's due to the network latency). Therefore we add 1000ms to our age * calculation to adjust for rounding errors. */ if (sess->timeout >= (long)agesec && agems / (uint32_t)1000 == agesec && ticket_age <= agems + 1000 && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) { /* * Ticket age is within tolerance and not expired. We allow it for early * data */ s->ext.early_data_ok = 1; } SSL_SESSION_free(s->session); s->session = sess; return 1; err: SSL_SESSION_free(sess); return 0; }
size_t HMAC_size(HMAC_CTX *ctx) { return EVP_MD_size((ctx)->md); }
static int sqlcipher_openssl_get_hmac_sz(void *ctx) { return EVP_MD_size(EVP_sha1()); }
/* side effect: fills the ssl->fingerprint buffer */ static gboolean ssl_verify_certificate (LmSSL *ssl, const gchar *server) { gboolean retval = TRUE; gboolean match_result = FALSE; LmSSLBase *base; long verify_res; int rc; const EVP_MD *digest = EVP_sha256(); unsigned int digest_len; guchar digest_bin[EVP_MD_size(digest)]; X509 *srv_crt; gchar *cn; X509_NAME *crt_subj; base = LM_SSL_BASE(ssl); g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: Cipher: %s/%s/%i\n", __FILE__, SSL_get_cipher_version(ssl->ssl), SSL_get_cipher_name(ssl->ssl), SSL_get_cipher_bits(ssl->ssl, NULL)); verify_res = SSL_get_verify_result(ssl->ssl); srv_crt = SSL_get_peer_certificate(ssl->ssl); rc = X509_digest(srv_crt, digest, digest_bin, &digest_len); if ((rc != 0) && (digest_len == EVP_MD_size(digest))) { _lm_ssl_base_set_fingerprint(base, digest_bin, digest_len); if (_lm_ssl_base_check_fingerprint(base) != 0) { if (base->func(ssl, LM_SSL_STATUS_CERT_FINGERPRINT_MISMATCH, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { return FALSE; } } } else { if (base->func(ssl, LM_SSL_STATUS_GENERIC_ERROR, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { return FALSE; } } g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: SSL_get_verify_result() = %ld\n", __FILE__, verify_res); switch (verify_res) { case X509_V_OK: break; case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: case X509_V_ERR_UNABLE_TO_GET_CRL: if (base->func(ssl, LM_SSL_STATUS_NO_CERT_FOUND, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { retval = FALSE; } break; case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: /* special case for self signed certificates? */ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: case X509_V_ERR_INVALID_CA: case X509_V_ERR_CERT_UNTRUSTED: case X509_V_ERR_CERT_REVOKED: if (base->func(ssl, LM_SSL_STATUS_UNTRUSTED_CERT, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { retval = FALSE; } break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CRL_NOT_YET_VALID: if (base->func(ssl, LM_SSL_STATUS_CERT_NOT_ACTIVATED, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { retval = FALSE; } break; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_CRL_HAS_EXPIRED: if (base->func(ssl, LM_SSL_STATUS_CERT_EXPIRED, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { retval = FALSE; } break; default: if (base->func(ssl, LM_SSL_STATUS_GENERIC_ERROR, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { retval = FALSE; } } /*if (retval == FALSE) { g_set_error (error, LM_ERROR, LM_ERROR_CONNECTION_OPEN, ssl_get_x509_err(verify_res), NULL); }*/ crt_subj = X509_get_subject_name(srv_crt); cn = (gchar *) g_malloc0(LM_SSL_CN_MAX + 1); /* FWB: deprecated call, can only get first entry */ if (X509_NAME_get_text_by_NID(crt_subj, NID_commonName, cn, LM_SSL_CN_MAX) > 0) { g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: server = '%s', cn = '%s'\n", __FILE__, server, cn); if (cn != NULL && ssl_match_domain_name(server, cn)) { match_result = TRUE; } else { /* g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: CN does not match server name\n", __FILE__); */ } } else { g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "X509_NAME_get_text_by_NID() failed"); } /* RFC6125: "...However, it is perfectly acceptable for the subject field to be empty, * as long as the certificate contains a subject alternative name ("subjectAltName") * extension that includes at least one subjectAltName entry" */ if (!match_result) { /* FWB: CN doesn't match, try SANs */ int subject_alt_names_nb = -1; int san_counter; STACK_OF(GENERAL_NAME) *subject_alt_names = NULL; // Try to extract the names within the SAN extension from the certificate subject_alt_names = X509_get_ext_d2i((X509 *) srv_crt, NID_subject_alt_name, NULL, NULL); if (subject_alt_names != NULL) { // Check each name within the extension subject_alt_names_nb = sk_GENERAL_NAME_num(subject_alt_names); for (san_counter=0; san_counter<subject_alt_names_nb; san_counter++) { const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(subject_alt_names, san_counter); if (current_name->type == GEN_DNS) { // Current name is a DNS name, let's check it, it's ASCII if (ssl_match_domain_name(server, (const char *)current_name->d.dNSName->data)) { g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: found SAN '%s' - MATCH\n", __FILE__, current_name->d.dNSName->data); match_result = TRUE; /* break; */ } else { g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: found SAN '%s'\n", __FILE__, current_name->d.dNSName->data); } } } } sk_GENERAL_NAME_pop_free(subject_alt_names, GENERAL_NAME_free); } if (!match_result) { if (base->func (ssl, LM_SSL_STATUS_CERT_HOSTNAME_MISMATCH, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { retval = FALSE; } } g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s:\n\tIssuer: %s\n\tSubject: %s\n\tFor: %s\n", __FILE__, X509_NAME_oneline(X509_get_issuer_name(srv_crt), NULL, 0), X509_NAME_oneline(X509_get_subject_name(srv_crt), NULL, 0), cn); g_free(cn); return retval; }
int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen) { int sctx = 0, r = 0; EVP_PKEY_CTX *pctx = ctx->pctx; if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) { if (!sigret) return pctx->pmeth->signctx(pctx, sigret, siglen, ctx); if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) r = pctx->pmeth->signctx(pctx, sigret, siglen, ctx); else { EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_dup(ctx->pctx); if (!dctx) return 0; r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx); EVP_PKEY_CTX_free(dctx); } return r; } if (pctx->pmeth->signctx) sctx = 1; else sctx = 0; if (sigret) { unsigned char md[EVP_MAX_MD_SIZE]; unsigned int mdlen = 0; if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { if (sctx) r = ctx->pctx->pmeth->signctx(ctx->pctx, sigret, siglen, ctx); else r = EVP_DigestFinal_ex(ctx, md, &mdlen); } else { EVP_MD_CTX *tmp_ctx = EVP_MD_CTX_new(); if (tmp_ctx == NULL) return 0; if (!EVP_MD_CTX_copy_ex(tmp_ctx, ctx)) { EVP_MD_CTX_free(tmp_ctx); return 0; } if (sctx) r = tmp_ctx->pctx->pmeth->signctx(tmp_ctx->pctx, sigret, siglen, tmp_ctx); else r = EVP_DigestFinal_ex(tmp_ctx, md, &mdlen); EVP_MD_CTX_free(tmp_ctx); } if (sctx || !r) return r; if (EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen) <= 0) return 0; } else { if (sctx) { if (pctx->pmeth->signctx(pctx, sigret, siglen, ctx) <= 0) return 0; } else { int s = EVP_MD_size(ctx->digest); if (s < 0 || EVP_PKEY_sign(pctx, sigret, siglen, NULL, s) <= 0) return 0; } } return 1; }
SM2_CIPHERTEXT_VALUE *SM2_do_encrypt(const EVP_MD *kdf_md, const EVP_MD *mac_md, const unsigned char *in, size_t inlen, EC_KEY *ec_key) { int ok = 0; SM2_CIPHERTEXT_VALUE *cv = NULL; const EC_GROUP *ec_group = EC_KEY_get0_group(ec_key); const EC_POINT *pub_key = EC_KEY_get0_public_key(ec_key); KDF_FUNC kdf = KDF_get_x9_63(kdf_md); EC_POINT *point = NULL; BIGNUM *n = NULL; BIGNUM *h = NULL; BIGNUM *k = NULL; BN_CTX *bn_ctx = NULL; EVP_MD_CTX *md_ctx = NULL; unsigned char buf[(OPENSSL_ECC_MAX_FIELD_BITS + 7)/4 + 1]; int nbytes; size_t len; int i; if (!ec_group || !pub_key) { goto end; } if (!kdf) { goto end; } /* init ciphertext_value */ if (!(cv = OPENSSL_malloc(sizeof(SM2_CIPHERTEXT_VALUE)))) { goto end; } bzero(cv, sizeof(SM2_CIPHERTEXT_VALUE)); cv->ephem_point = EC_POINT_new(ec_group); cv->ciphertext = OPENSSL_malloc(inlen); cv->ciphertext_size = inlen; if (!cv->ephem_point || !cv->ciphertext) { goto end; } point = EC_POINT_new(ec_group); n = BN_new(); h = BN_new(); k = BN_new(); bn_ctx = BN_CTX_new(); md_ctx = EVP_MD_CTX_create(); if (!point || !n || !h || !k || !bn_ctx || !md_ctx) { goto end; } /* init ec domain parameters */ if (!EC_GROUP_get_order(ec_group, n, bn_ctx)) { goto end; } if (!EC_GROUP_get_cofactor(ec_group, h, bn_ctx)) { goto end; } nbytes = (EC_GROUP_get_degree(ec_group) + 7) / 8; //OPENSSL_assert(nbytes == BN_num_bytes(n)); #if 0 /* check sm2 curve and md is 256 bits */ OPENSSL_assert(nbytes == 32); OPENSSL_assert(EVP_MD_size(kdf_md) == 32); OPENSSL_assert(EVP_MD_size(mac_md) == 32); #endif do { /* A1: rand k in [1, n-1] */ do { BN_rand_range(k, n); } while (BN_is_zero(k)); /* A2: C1 = [k]G = (x1, y1) */ if (!EC_POINT_mul(ec_group, cv->ephem_point, k, NULL, NULL, bn_ctx)) { goto end; } /* A3: check [h]P_B != O */ if (!EC_POINT_mul(ec_group, point, NULL, pub_key, h, bn_ctx)) { goto end; } if (EC_POINT_is_at_infinity(ec_group, point)) { goto end; } /* A4: compute ECDH [k]P_B = (x2, y2) */ if (!EC_POINT_mul(ec_group, point, NULL, pub_key, k, bn_ctx)) { goto end; } if (!(len = EC_POINT_point2oct(ec_group, point, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof(buf), bn_ctx))) { goto end; } OPENSSL_assert(len == nbytes * 2 + 1); /* A5: t = KDF(x2 || y2, klen) */ kdf(buf + 1, len - 1, cv->ciphertext, &cv->ciphertext_size); for (i = 0; i < cv->ciphertext_size; i++) { if (cv->ciphertext[i]) { break; } } if (i == cv->ciphertext_size) { continue; } break; } while (1); /* A6: C2 = M xor t */ for (i = 0; i < inlen; i++) { cv->ciphertext[i] ^= in[i]; } /* A7: C3 = Hash(x2 || M || y2) */ if (!EVP_DigestInit_ex(md_ctx, mac_md, NULL)) { goto end; } if (!EVP_DigestUpdate(md_ctx, buf + 1, nbytes)) { goto end; } if (!EVP_DigestUpdate(md_ctx, in, inlen)) { goto end; } if (!EVP_DigestUpdate(md_ctx, buf + 1 + nbytes, nbytes)) { goto end; } if (!EVP_DigestFinal_ex(md_ctx, cv->mactag, &cv->mactag_size)) { goto end; } ok = 1; end: if (!ok && cv) { SM2_CIPHERTEXT_VALUE_free(cv); cv = NULL; } if (point) EC_POINT_free(point); if (n) BN_free(n); if (h) BN_free(h); if (k) BN_free(k); if (bn_ctx) BN_CTX_free(bn_ctx); if (md_ctx) EVP_MD_CTX_destroy(md_ctx); return cv; }
int ssl3_change_cipher_state(SSL *s, int which) { unsigned char *p, *mac_secret; unsigned char exp_key[EVP_MAX_KEY_LENGTH]; unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms, *key, *iv; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; #ifndef OPENSSL_NO_COMP COMP_METHOD *comp; #endif const EVP_MD *m; int n, i, j, k, cl; int reuse_dd = 0; c = s->s3->tmp.new_sym_enc; m = s->s3->tmp.new_hash; /* m == NULL will lead to a crash later */ OPENSSL_assert(m); #ifndef OPENSSL_NO_COMP if (s->s3->tmp.new_compression == NULL) comp = NULL; else comp = s->s3->tmp.new_compression->method; #endif if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) reuse_dd = 1; else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; else /* * make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_read_ctx); dd = s->enc_read_ctx; if (ssl_replace_hash(&s->read_hash, m) == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; } #ifndef OPENSSL_NO_COMP /* COMPRESS */ COMP_CTX_free(s->expand); s->expand = NULL; if (comp != NULL) { s->expand = COMP_CTX_new(comp); if (s->expand == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } if (!RECORD_LAYER_setup_comp_buffer(&s->rlayer)) goto err; } #endif RECORD_LAYER_reset_read_sequence(&s->rlayer); mac_secret = &(s->s3->read_mac_secret[0]); } else { if (s->enc_write_ctx != NULL) reuse_dd = 1; else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; else /* * make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_reset(s->enc_write_ctx); dd = s->enc_write_ctx; if (ssl_replace_hash(&s->write_hash, m) == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; } #ifndef OPENSSL_NO_COMP /* COMPRESS */ COMP_CTX_free(s->compress); s->compress = NULL; if (comp != NULL) { s->compress = COMP_CTX_new(comp); if (s->compress == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } } #endif RECORD_LAYER_reset_write_sequence(&s->rlayer); mac_secret = &(s->s3->write_mac_secret[0]); } if (reuse_dd) EVP_CIPHER_CTX_reset(dd); p = s->s3->tmp.key_block; i = EVP_MD_size(m); if (i < 0) goto err2; cl = EVP_CIPHER_key_length(c); j = cl; k = EVP_CIPHER_iv_length(c); if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { ms = &(p[0]); n = i + i; key = &(p[n]); n += j + j; iv = &(p[n]); n += k + k; } else { n = i; ms = &(p[n]); n += i + j; key = &(p[n]); n += j + k; iv = &(p[n]); n += k; } if (n > s->s3->tmp.key_block_length) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err2; } memcpy(mac_secret, ms, i); EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)); #ifdef OPENSSL_SSL_TRACE_CRYPTO if (s->msg_callback) { int wh = which & SSL3_CC_WRITE ? TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ; s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC, mac_secret, EVP_MD_size(m), s, s->msg_callback_arg); if (c->key_len) s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY, key, c->key_len, s, s->msg_callback_arg); if (k) { s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV, iv, k, s, s->msg_callback_arg); } } #endif OPENSSL_cleanse(exp_key, sizeof(exp_key)); OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); return (1); err: SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); err2: OPENSSL_cleanse(exp_key, sizeof(exp_key)); OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); return (0); }
static int pkcs5_pbkdf2(const char *hash, const char *P, size_t Plen, const char *S, size_t Slen, unsigned int c, unsigned int dkLen, char *DK, int perfcheck) { char U[MAX_PRF_BLOCK_LEN]; char T[MAX_PRF_BLOCK_LEN]; const EVP_MD *PRF; HMAC_CTX ctx; int i, k, rc = -EINVAL; unsigned int u, hLen, l, r; unsigned char *p; size_t tmplen = Slen + 4; char *tmp; tmp = alloca(tmplen); if (tmp == NULL) return -ENOMEM; OpenSSL_add_all_digests(); PRF = EVP_get_digestbyname(hash); if (PRF == NULL) { printf("pkcs5_pbkdf2: invalid hash %s\n", hash); return -EINVAL; } hLen = EVP_MD_size(PRF); if (hLen == 0 || hLen > MAX_PRF_BLOCK_LEN) return -EINVAL; if (c == 0) return -EINVAL; if (dkLen == 0) return -EINVAL; /* * * Steps: * * 1. If dkLen > (2^32 - 1) * hLen, output "derived key too long" and * stop. */ if (dkLen > 4294967295U) return -EINVAL; /* * 2. Let l be the number of hLen-octet blocks in the derived key, * rounding up, and let r be the number of octets in the last * block: * * l = CEIL (dkLen / hLen) , * r = dkLen - (l - 1) * hLen . * * Here, CEIL (x) is the "ceiling" function, i.e. the smallest * integer greater than, or equal to, x. */ l = dkLen / hLen; if (dkLen % hLen) l++; r = dkLen - (l - 1) * hLen; /* * 3. For each block of the derived key apply the function F defined * below to the password P, the salt S, the iteration count c, and * the block index to compute the block: * * T_1 = F (P, S, c, 1) , * T_2 = F (P, S, c, 2) , * ... * T_l = F (P, S, c, l) , * * where the function F is defined as the exclusive-or sum of the * first c iterates of the underlying pseudorandom function PRF * applied to the password P and the concatenation of the salt S * and the block index i: * * F (P, S, c, i) = U_1 \xor U_2 \xor ... \xor U_c * * where * * U_1 = PRF (P, S || INT (i)) , * U_2 = PRF (P, U_1) , * ... * U_c = PRF (P, U_{c-1}) . * * Here, INT (i) is a four-octet encoding of the integer i, most * significant octet first. * * 4. Concatenate the blocks and extract the first dkLen octets to * produce a derived key DK: * * DK = T_1 || T_2 || ... || T_l<0..r-1> * * 5. Output the derived key DK. * * Note. The construction of the function F follows a "belt-and- * suspenders" approach. The iterates U_i are computed recursively to * remove a degree of parallelism from an opponent; they are exclusive- * ored together to reduce concerns about the recursion degenerating * into a small set of values. * */ HMAC_CTX_init(&ctx); for (i = 1; (uint) i <= l; i++) { memset(T, 0, hLen); for (u = 1; u <= c ; u++) { if (u == 1) { memcpy(tmp, S, Slen); tmp[Slen + 0] = (i & 0xff000000) >> 24; tmp[Slen + 1] = (i & 0x00ff0000) >> 16; tmp[Slen + 2] = (i & 0x0000ff00) >> 8; tmp[Slen + 3] = (i & 0x000000ff) >> 0; HMAC_Init_ex(&ctx, P, Plen, PRF, NULL); HMAC_Update(&ctx, tmp, tmplen); HMAC_Final(&ctx, U, NULL); } else { HMAC(PRF, P, Plen, U, hLen, U, NULL); } for (k = 0; (uint) k < hLen; k++) T[k] ^= U[k]; if (perfcheck && __PBKDF2_performance) { rc = 0; goto out; } if (perfcheck) __PBKDF2_global_j++; }
int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type) { unsigned char *B = NULL, *D = NULL, *I = NULL, *p = NULL, *Ai = NULL; int Slen, Plen, Ilen, Ijlen; int i, j, u, v; int ret = 0; BIGNUM *Ij = NULL, *Bpl1 = NULL; /* These hold Ij and B + 1 */ EVP_MD_CTX *ctx = NULL; #ifdef DEBUG_KEYGEN unsigned char *tmpout = out; int tmpn = n; #endif ctx = EVP_MD_CTX_new(); if (ctx == NULL) goto err; #ifdef DEBUG_KEYGEN fprintf(stderr, "KEYGEN DEBUG\n"); fprintf(stderr, "ID %d, ITER %d\n", id, iter); fprintf(stderr, "Password (length %d):\n", passlen); h__dump(pass, passlen); fprintf(stderr, "Salt (length %d):\n", saltlen); h__dump(salt, saltlen); #endif v = EVP_MD_block_size(md_type); u = EVP_MD_size(md_type); if (u < 0) return 0; D = OPENSSL_malloc(v); Ai = OPENSSL_malloc(u); B = OPENSSL_malloc(v + 1); Slen = v * ((saltlen + v - 1) / v); if (passlen) Plen = v * ((passlen + v - 1) / v); else Plen = 0; Ilen = Slen + Plen; I = OPENSSL_malloc(Ilen); Ij = BN_new(); Bpl1 = BN_new(); if (D == NULL || Ai == NULL || B == NULL || I == NULL || Ij == NULL || Bpl1 == NULL) goto err; for (i = 0; i < v; i++) D[i] = id; p = I; for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen]; for (i = 0; i < Plen; i++) *p++ = pass[i % passlen]; for (;;) { if (!EVP_DigestInit_ex(ctx, md_type, NULL) || !EVP_DigestUpdate(ctx, D, v) || !EVP_DigestUpdate(ctx, I, Ilen) || !EVP_DigestFinal_ex(ctx, Ai, NULL)) goto err; for (j = 1; j < iter; j++) { if (!EVP_DigestInit_ex(ctx, md_type, NULL) || !EVP_DigestUpdate(ctx, Ai, u) || !EVP_DigestFinal_ex(ctx, Ai, NULL)) goto err; } memcpy(out, Ai, min(n, u)); if (u >= n) { #ifdef DEBUG_KEYGEN fprintf(stderr, "Output KEY (length %d)\n", tmpn); h__dump(tmpout, tmpn); #endif ret = 1; goto end; } n -= u; out += u; for (j = 0; j < v; j++) B[j] = Ai[j % u]; /* Work out B + 1 first then can use B as tmp space */ if (!BN_bin2bn(B, v, Bpl1)) goto err; if (!BN_add_word(Bpl1, 1)) goto err; for (j = 0; j < Ilen; j += v) { if (!BN_bin2bn(I + j, v, Ij)) goto err; if (!BN_add(Ij, Ij, Bpl1)) goto err; if (!BN_bn2bin(Ij, B)) goto err; Ijlen = BN_num_bytes(Ij); /* If more than 2^(v*8) - 1 cut off MSB */ if (Ijlen > v) { if (!BN_bn2bin(Ij, B)) goto err; memcpy(I + j, B + 1, v); #ifndef PKCS12_BROKEN_KEYGEN /* If less than v bytes pad with zeroes */ } else if (Ijlen < v) { memset(I + j, 0, v - Ijlen); if (!BN_bn2bin(Ij, I + j + v - Ijlen)) goto err; #endif } else if (!BN_bn2bin(Ij, I + j)) goto err; } } err: PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI, ERR_R_MALLOC_FAILURE); end: OPENSSL_free(Ai); OPENSSL_free(B); OPENSSL_free(D); OPENSSL_free(I); BN_free(Ij); BN_free(Bpl1); EVP_MD_CTX_free(ctx); return ret; }
int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, size_t siglen, RSA *rsa) { int i,ret=0,sigtype; unsigned char *s; X509_SIG *sig=NULL; #ifdef OPENSSL_FIPS if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_NON_FIPS_RSA_METHOD); return 0; } #endif if (siglen != (unsigned int)RSA_size(rsa)) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH); return(0); } if((dtype == NID_md5_sha1) && rm) { i = RSA_public_decrypt((int)siglen, sigbuf,rm,rsa,RSA_PKCS1_PADDING); if (i <= 0) return 0; *prm_len = i; return 1; } s=(unsigned char *)OPENSSL_malloc((unsigned int)siglen); if (s == NULL) { RSAerr(RSA_F_INT_RSA_VERIFY,ERR_R_MALLOC_FAILURE); goto err; } if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH); goto err; } i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING); if (i <= 0) goto err; /* Oddball MDC2 case: signature can be OCTET STRING. * check for correct tag and length octets. */ if (dtype == NID_mdc2 && i == 18 && s[0] == 0x04 && s[1] == 0x10) { if (rm) { memcpy(rm, s + 2, 16); *prm_len = 16; ret = 1; } else if(memcmp(m, s + 2, 16)) RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); else ret = 1; } /* Special case: SSL signature */ if(dtype == NID_md5_sha1) { if((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH)) RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); else ret = 1; } else { const unsigned char *p=s; sig=d2i_X509_SIG(NULL,&p,(long)i); if (sig == NULL) goto err; /* Excess data can be used to create forgeries */ if(p != s+i || !rsa_check_digestinfo(sig, s, i)) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); goto err; } /* Parameters to the signature algorithm can also be used to create forgeries */ if(sig->algor->parameter && ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); goto err; } sigtype=OBJ_obj2nid(sig->algor->algorithm); #ifdef RSA_DEBUG /* put a backward compatibility flag in EAY */ fprintf(stderr,"in(%s) expect(%s)\n",OBJ_nid2ln(sigtype), OBJ_nid2ln(dtype)); #endif if (sigtype != dtype) { if (((dtype == NID_md5) && (sigtype == NID_md5WithRSAEncryption)) || ((dtype == NID_md2) && (sigtype == NID_md2WithRSAEncryption))) { /* ok, we will let it through */ #if !defined(OPENSSL_NO_STDIO) && !defined(OPENSSL_SYS_WIN16) fprintf(stderr,"signature has problems, re-make with post SSLeay045\n"); #endif } else { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH); goto err; } } if (rm) { const EVP_MD *md; md = EVP_get_digestbynid(dtype); if (md && (EVP_MD_size(md) != sig->digest->length)) RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); else { memcpy(rm, sig->digest->data, sig->digest->length); *prm_len = sig->digest->length; ret = 1; } } else if (((unsigned int)sig->digest->length != m_len) || (memcmp(m,sig->digest->data,m_len) != 0)) { RSAerr(RSA_F_INT_RSA_VERIFY,RSA_R_BAD_SIGNATURE); } else ret=1; } err: if (sig != NULL) X509_SIG_free(sig); if (s != NULL) { OPENSSL_cleanse(s,(unsigned int)siglen); OPENSSL_free(s); } return(ret); }
int GTDataHash_create(int hash_algorithm, const unsigned char* data, size_t data_length, GTDataHash **data_hash) { int res = GT_UNKNOWN_ERROR; EVP_MD_CTX md_ctx; const EVP_MD *evp_md; GTDataHash *tmp_data_hash = NULL; unsigned char* tmp_hash = NULL; size_t tmp_length; unsigned int digest_length; if ((data == NULL && data_length != 0) || data_hash == NULL) { res = GT_INVALID_ARGUMENT; goto cleanup; } if (!GT_isSupportedHashAlgorithm(hash_algorithm)) { res = GT_UNTRUSTED_HASH_ALGORITHM; goto cleanup; } evp_md = GT_hashChainIDToEVP(hash_algorithm); if (evp_md == NULL) { res = GT_OUT_OF_MEMORY; goto cleanup; } tmp_data_hash = GT_malloc(sizeof(GTDataHash)); if (tmp_data_hash == NULL) { res = GT_OUT_OF_MEMORY; goto cleanup; } tmp_data_hash->digest = NULL; tmp_data_hash->context = NULL; tmp_length = EVP_MD_size(evp_md); tmp_hash = GT_malloc(tmp_length); if (tmp_hash == NULL) { res = GT_OUT_OF_MEMORY; goto cleanup; } EVP_DigestInit(&md_ctx, evp_md); EVP_DigestUpdate(&md_ctx, data, data_length); EVP_DigestFinal(&md_ctx, tmp_hash, &digest_length); assert(digest_length == tmp_length); tmp_data_hash->digest = tmp_hash; tmp_hash = NULL; tmp_data_hash->digest_length = tmp_length; tmp_data_hash->algorithm = hash_algorithm; *data_hash = tmp_data_hash; tmp_data_hash = NULL; res = GT_OK; cleanup: GT_free(tmp_hash); GTDataHash_free(tmp_data_hash); return res; }
/** @impl_interface_method{RTCRDIGESTDESC::pfnGetHashSize} */ static DECLCALLBACK(uint32_t) rtCrDigestOsslEvp_GetHashSize(void *pvState) { EVP_MD_CTX *pThis = (EVP_MD_CTX *)pvState; return EVP_MD_size(EVP_MD_CTX_md(pThis)); }
int ssl3_change_cipher_state(SSL *s, int which) { unsigned char *p,*key_block,*mac_secret; unsigned char exp_key[EVP_MAX_KEY_LENGTH]; unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms,*key,*iv,*er1,*er2; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; #ifndef OPENSSL_NO_COMP COMP_METHOD *comp; #endif const EVP_MD *m; EVP_MD_CTX md; int is_exp,n,i,j,k,cl; int reuse_dd = 0; is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); c=s->s3->tmp.new_sym_enc; m=s->s3->tmp.new_hash; #ifndef OPENSSL_NO_COMP if (s->s3->tmp.new_compression == NULL) comp=NULL; else comp=s->s3->tmp.new_compression->method; #endif key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) { if (s->enc_read_ctx != NULL) reuse_dd = 1; else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_init(s->enc_read_ctx); dd= s->enc_read_ctx; s->read_hash=m; #ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->expand != NULL) { COMP_CTX_free(s->expand); s->expand=NULL; } if (comp != NULL) { s->expand=COMP_CTX_new(comp); if (s->expand == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } if (s->s3->rrec.comp == NULL) s->s3->rrec.comp=(unsigned char *) OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH); if (s->s3->rrec.comp == NULL) goto err; } #endif memset(&(s->s3->read_sequence[0]),0,8); mac_secret= &(s->s3->read_mac_secret[0]); } else { if (s->enc_write_ctx != NULL) reuse_dd = 1; else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) goto err; else /* make sure it's intialized in case we exit later with an error */ EVP_CIPHER_CTX_init(s->enc_write_ctx); dd= s->enc_write_ctx; s->write_hash=m; #ifndef OPENSSL_NO_COMP /* COMPRESS */ if (s->compress != NULL) { COMP_CTX_free(s->compress); s->compress=NULL; } if (comp != NULL) { s->compress=COMP_CTX_new(comp); if (s->compress == NULL) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR); goto err2; } } #endif memset(&(s->s3->write_sequence[0]),0,8); mac_secret= &(s->s3->write_mac_secret[0]); } if (reuse_dd) EVP_CIPHER_CTX_cleanup(dd); p=s->s3->tmp.key_block; i=EVP_MD_size(m); cl=EVP_CIPHER_key_length(c); j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { ms= &(p[ 0]); n=i+i; key= &(p[ n]); n+=j+j; iv= &(p[ n]); n+=k+k; er1= &(s->s3->client_random[0]); er2= &(s->s3->server_random[0]); } else { n=i; ms= &(p[ n]); n+=i+j; key= &(p[ n]); n+=j+k; iv= &(p[ n]); n+=k; er1= &(s->s3->server_random[0]); er2= &(s->s3->client_random[0]); } if (n > s->s3->tmp.key_block_length) { SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR); goto err2; } EVP_MD_CTX_init(&md); memcpy(mac_secret,ms,i); if (is_exp) { /* In here I set both the read and write key/iv to the * same value since only the correct one will be used :-). */ EVP_DigestInit_ex(&md,EVP_md5(), NULL); EVP_DigestUpdate(&md,key,j); EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL); key= &(exp_key[0]); if (k > 0) { EVP_DigestInit_ex(&md,EVP_md5(), NULL); EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE); EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL); iv= &(exp_iv[0]); } } s->session->key_arg_length=0; EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE)); OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key)); OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv)); EVP_MD_CTX_cleanup(&md); return(1); err: SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE); err2: return(0); }
int tls1_setup_key_block(SSL *s) { unsigned char *p1,*p2; const EVP_CIPHER *c; const EVP_MD *hash; int num; SSL_COMP *comp; if (s->s3->tmp.key_block_length != 0) return(1); if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp)) { SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return(0); } s->s3->tmp.new_sym_enc=c; s->s3->tmp.new_hash=hash; num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c); num*=2; ssl3_cleanup_key_block(s); if ((p1=(unsigned char *)OPENSSL_malloc(num)) == NULL) goto err; if ((p2=(unsigned char *)OPENSSL_malloc(num)) == NULL) goto err; s->s3->tmp.key_block_length=num; s->s3->tmp.key_block=p1; #ifdef TLS_DEBUG printf("client random\n"); { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->client_random[z],((z+1)%16)?' ':'\n'); } printf("server random\n"); { int z; for (z=0; z<SSL3_RANDOM_SIZE; z++) printf("%02X%c",s->s3->server_random[z],((z+1)%16)?' ':'\n'); } printf("pre-master\n"); { int z; for (z=0; z<s->session->master_key_length; z++) printf("%02X%c",s->session->master_key[z],((z+1)%16)?' ':'\n'); } #endif tls1_generate_key_block(s,p1,p2,num); memset(p2,0,num); OPENSSL_free(p2); #ifdef TLS_DEBUG printf("\nkey block\n"); { int z; for (z=0; z<num; z++) printf("%02X%c",p1[z],((z+1)%16)?' ':'\n'); } #endif /* enable vulnerability countermeasure for CBC ciphers with * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ s->s3->need_empty_fragments = 1; #ifndef NO_RC4 if ((s->session->cipher != NULL) && ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)) s->s3->need_empty_fragments = 0; #endif return(1); err: SSLerr(SSL_F_TLS1_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE); return(0); }
bool metakey_h(connection_t *c) { char buffer[MAX_STRING_SIZE]; int cipher, digest, maclength, compression; int len; if(sscanf(c->buffer, "%*d %d %d %d %d " MAX_STRING, &cipher, &digest, &maclength, &compression, buffer) != 5) { logger(LOG_ERR, "Got bad %s from %s (%s)", "METAKEY", c->name, c->hostname); return false; } len = RSA_size(myself->connection->rsa_key); /* Check if the length of the meta key is all right */ if(strlen(buffer) != (size_t)len * 2) { logger(LOG_ERR, "Possible intruder %s (%s): %s", c->name, c->hostname, "wrong keylength"); return false; } /* Allocate buffers for the meta key */ c->inkey = xrealloc(c->inkey, len); if(!c->inctx) { c->inctx = EVP_CIPHER_CTX_new(); if(!c->inctx) { abort(); } } /* Convert the challenge from hexadecimal back to binary */ if(!hex2bin(buffer, buffer, len)) { logger(LOG_ERR, "Got bad %s from %s(%s): %s", "METAKEY", c->name, c->hostname, "invalid key"); return false; } /* Decrypt the meta key */ if(RSA_private_decrypt(len, (unsigned char *)buffer, (unsigned char *)c->inkey, myself->connection->rsa_key, RSA_NO_PADDING) != len) { /* See challenge() */ logger(LOG_ERR, "Error during decryption of meta key for %s (%s): %s", c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; } ifdebug(SCARY_THINGS) { bin2hex(c->inkey, buffer, len); buffer[len * 2] = '\0'; logger(LOG_DEBUG, "Received random meta key (unencrypted): %s", buffer); } /* All incoming requests will now be encrypted. */ /* Check and lookup cipher and digest algorithms */ if(cipher) { c->incipher = EVP_get_cipherbynid(cipher); if(!c->incipher) { logger(LOG_ERR, "%s (%s) uses unknown cipher!", c->name, c->hostname); return false; } if(!EVP_DecryptInit(c->inctx, c->incipher, (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher), (unsigned char *)c->inkey + len - EVP_CIPHER_key_length(c->incipher) - EVP_CIPHER_iv_length(c->incipher))) { logger(LOG_ERR, "Error during initialisation of cipher from %s (%s): %s", c->name, c->hostname, ERR_error_string(ERR_get_error(), NULL)); return false; } c->inbudget = byte_budget(c->incipher); c->status.decryptin = true; } else { logger(LOG_ERR, "%s (%s) uses null cipher!", c->name, c->hostname); return false; } c->inmaclength = maclength; if(digest) { c->indigest = EVP_get_digestbynid(digest); if(!c->indigest) { logger(LOG_ERR, "Node %s (%s) uses unknown digest!", c->name, c->hostname); return false; } if(c->inmaclength > EVP_MD_size(c->indigest) || c->inmaclength < 0) { logger(LOG_ERR, "%s (%s) uses bogus MAC length!", c->name, c->hostname); return false; } } else { logger(LOG_ERR, "%s (%s) uses null digest!", c->name, c->hostname); return false; } c->incompression = compression; c->allow_request = CHALLENGE; return send_challenge(c); }