1: /* ssl/s3_enc.c */
    2: /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
    3:  * All rights reserved.
    4:  *
    5:  * This package is an SSL implementation written
    6:  * by Eric Young (eay@cryptsoft.com).
    7:  * The implementation was written so as to conform with Netscapes SSL.
    8:  * 
    9:  * This library is free for commercial and non-commercial use as long as
   10:  * the following conditions are aheared to.  The following conditions
   11:  * apply to all code found in this distribution, be it the RC4, RSA,
   12:  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
   13:  * included with this distribution is covered by the same copyright terms
   14:  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
   15:  * 
   16:  * Copyright remains Eric Young's, and as such any Copyright notices in
   17:  * the code are not to be removed.
   18:  * If this package is used in a product, Eric Young should be given attribution
   19:  * as the author of the parts of the library used.
   20:  * This can be in the form of a textual message at program startup or
   21:  * in documentation (online or textual) provided with the package.
   22:  * 
   23:  * Redistribution and use in source and binary forms, with or without
   24:  * modification, are permitted provided that the following conditions
   25:  * are met:
   26:  * 1. Redistributions of source code must retain the copyright
   27:  *    notice, this list of conditions and the following disclaimer.
   28:  * 2. Redistributions in binary form must reproduce the above copyright
   29:  *    notice, this list of conditions and the following disclaimer in the
   30:  *    documentation and/or other materials provided with the distribution.
   31:  * 3. All advertising materials mentioning features or use of this software
   32:  *    must display the following acknowledgement:
   33:  *    "This product includes cryptographic software written by
   34:  *     Eric Young (eay@cryptsoft.com)"
   35:  *    The word 'cryptographic' can be left out if the rouines from the library
   36:  *    being used are not cryptographic related :-).
   37:  * 4. If you include any Windows specific code (or a derivative thereof) from 
   38:  *    the apps directory (application code) you must include an acknowledgement:
   39:  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
   40:  * 
   41:  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
   42:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   43:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   44:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
   45:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   46:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   47:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   48:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   49:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   50:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   51:  * SUCH DAMAGE.
   52:  * 
   53:  * The licence and distribution terms for any publically available version or
   54:  * derivative of this code cannot be changed.  i.e. this code cannot simply be
   55:  * copied and put under another distribution licence
   56:  * [including the GNU Public Licence.]
   57:  */
   58: /* ====================================================================
   59:  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
   60:  *
   61:  * Redistribution and use in source and binary forms, with or without
   62:  * modification, are permitted provided that the following conditions
   63:  * are met:
   64:  *
   65:  * 1. Redistributions of source code must retain the above copyright
   66:  *    notice, this list of conditions and the following disclaimer. 
   67:  *
   68:  * 2. Redistributions in binary form must reproduce the above copyright
   69:  *    notice, this list of conditions and the following disclaimer in
   70:  *    the documentation and/or other materials provided with the
   71:  *    distribution.
   72:  *
   73:  * 3. All advertising materials mentioning features or use of this
   74:  *    software must display the following acknowledgment:
   75:  *    "This product includes software developed by the OpenSSL Project
   76:  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
   77:  *
   78:  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
   79:  *    endorse or promote products derived from this software without
   80:  *    prior written permission. For written permission, please contact
   81:  *    openssl-core@openssl.org.
   82:  *
   83:  * 5. Products derived from this software may not be called "OpenSSL"
   84:  *    nor may "OpenSSL" appear in their names without prior written
   85:  *    permission of the OpenSSL Project.
   86:  *
   87:  * 6. Redistributions of any form whatsoever must retain the following
   88:  *    acknowledgment:
   89:  *    "This product includes software developed by the OpenSSL Project
   90:  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
   91:  *
   92:  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
   93:  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   94:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
   95:  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
   96:  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   97:  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   98:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   99:  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101:  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102:  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103:  * OF THE POSSIBILITY OF SUCH DAMAGE.
  104:  * ====================================================================
  105:  *
  106:  * This product includes cryptographic software written by Eric Young
  107:  * (eay@cryptsoft.com).  This product includes software written by Tim
  108:  * Hudson (tjh@cryptsoft.com).
  109:  *
  110:  */
  111: 
  112: #include <stdio.h>
  113: #include "ssl_locl.h"
  114: #include <openssl/evp.h>
  115: #include <openssl/md5.h>
  116: 
  117: static unsigned char ssl3_pad_1[48]={
  118:         0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
  119:         0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
  120:         0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
  121:         0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
  122:         0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
  123:         0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 };
  124: 
  125: static unsigned char ssl3_pad_2[48]={
  126:         0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
  127:         0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
  128:         0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
  129:         0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
  130:         0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
  131:         0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
  132: 
  133: static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
  134:         const char *sender, int len, unsigned char *p);
  135: 
  136: static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
  137:         {
  138:         EVP_MD_CTX m5;
  139:         EVP_MD_CTX s1;
  140:         unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
  141:         unsigned char c='A';
  142:         unsigned int i,j,k;
  143: 
  144: #ifdef CHARSET_EBCDIC
  145:         c = os_toascii[c]; /*'A' in ASCII */
  146: #endif
  147:         k=0;
  148:         EVP_MD_CTX_init(&m5);
  149:         EVP_MD_CTX_init(&s1);
  150:         for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
  151:                 {
  152:                 k++;
  153:                 if (k > sizeof buf)
  154:                         {
  155:                         /* bug: 'buf' is too small for this ciphersuite */
  156:                         SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
  157:                         return 0;
  158:                         }
  159:                 
  160:                 for (j=0; j<k; j++)
  161:                         buf[j]=c;
  162:                 c++;
  163:                 EVP_DigestInit_ex(&s1,EVP_sha1(), NULL);
  164:                 EVP_DigestUpdate(&s1,buf,k);
  165:                 EVP_DigestUpdate(&s1,s->session->master_key,
  166:                         s->session->master_key_length);
  167:                 EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
  168:                 EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
  169:                 EVP_DigestFinal_ex(&s1,smd,NULL);
  170: 
  171:                 EVP_DigestInit_ex(&m5,EVP_md5(), NULL);
  172:                 EVP_DigestUpdate(&m5,s->session->master_key,
  173:                         s->session->master_key_length);
  174:                 EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
  175:                 if ((int)(i+MD5_DIGEST_LENGTH) > num)
  176:                         {
  177:                         EVP_DigestFinal_ex(&m5,smd,NULL);
  178:                         memcpy(km,smd,(num-i));
  179:                         }
  180:                 else
  181:                         EVP_DigestFinal_ex(&m5,km,NULL);
  182: 
  183:                 km+=MD5_DIGEST_LENGTH;
  184:                 }
  185:         OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
  186:         EVP_MD_CTX_cleanup(&m5);
  187:         EVP_MD_CTX_cleanup(&s1);
  188:         return 1;
  189:         }
  190: 
  191: int ssl3_change_cipher_state(SSL *s, int which)
  192:         {
  193:         unsigned char *p,*key_block,*mac_secret;
  194:         unsigned char exp_key[EVP_MAX_KEY_LENGTH];
  195:         unsigned char exp_iv[EVP_MAX_IV_LENGTH];
  196:         unsigned char *ms,*key,*iv,*er1,*er2;
  197:         EVP_CIPHER_CTX *dd;
  198:         const EVP_CIPHER *c;
  199: #ifndef OPENSSL_NO_COMP
  200:         COMP_METHOD *comp;
  201: #endif
  202:         const EVP_MD *m;
  203:         EVP_MD_CTX md;
  204:         int is_exp,n,i,j,k,cl;
  205:         int reuse_dd = 0;
  206: 
  207:         is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
  208:         c=s->s3->tmp.new_sym_enc;
  209:         m=s->s3->tmp.new_hash;
  210: #ifndef OPENSSL_NO_COMP
  211:         if (s->s3->tmp.new_compression == NULL)
  212:                 comp=NULL;
  213:         else
  214:                 comp=s->s3->tmp.new_compression->method;
  215: #endif
  216:         key_block=s->s3->tmp.key_block;
  217: 
  218:         if (which & SSL3_CC_READ)
  219:                 {
  220:                 if (s->enc_read_ctx != NULL)
  221:                         reuse_dd = 1;
  222:                 else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  223:                         goto err;
  224:                 else
  225:                         /* make sure it's intialized in case we exit later with an error */
  226:                         EVP_CIPHER_CTX_init(s->enc_read_ctx);
  227:                 dd= s->enc_read_ctx;
  228:                 s->read_hash=m;
  229: #ifndef OPENSSL_NO_COMP
  230:                 /* COMPRESS */
  231:                 if (s->expand != NULL)
  232:                         {
  233:                         COMP_CTX_free(s->expand);
  234:                         s->expand=NULL;
  235:                         }
  236:                 if (comp != NULL)
  237:                         {
  238:                         s->expand=COMP_CTX_new(comp);
  239:                         if (s->expand == NULL)
  240:                                 {
  241:                                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
  242:                                 goto err2;
  243:                                 }
  244:                         if (s->s3->rrec.comp == NULL)
  245:                                 s->s3->rrec.comp=(unsigned char *)
  246:                                         OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
  247:                         if (s->s3->rrec.comp == NULL)
  248:                                 goto err;
  249:                         }
  250: #endif
  251:                 memset(&(s->s3->read_sequence[0]),0,8);
  252:                 mac_secret= &(s->s3->read_mac_secret[0]);
  253:                 }
  254:         else
  255:                 {
  256:                 if (s->enc_write_ctx != NULL)
  257:                         reuse_dd = 1;
  258:                 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  259:                         goto err;
  260:                 else
  261:                         /* make sure it's intialized in case we exit later with an error */
  262:                         EVP_CIPHER_CTX_init(s->enc_write_ctx);
  263:                 dd= s->enc_write_ctx;
  264:                 s->write_hash=m;
  265: #ifndef OPENSSL_NO_COMP
  266:                 /* COMPRESS */
  267:                 if (s->compress != NULL)
  268:                         {
  269:                         COMP_CTX_free(s->compress);
  270:                         s->compress=NULL;
  271:                         }
  272:                 if (comp != NULL)
  273:                         {
  274:                         s->compress=COMP_CTX_new(comp);
  275:                         if (s->compress == NULL)
  276:                                 {
  277:                                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
  278:                                 goto err2;
  279:                                 }
  280:                         }
  281: #endif
  282:                 memset(&(s->s3->write_sequence[0]),0,8);
  283:                 mac_secret= &(s->s3->write_mac_secret[0]);
  284:                 }
  285: 
  286:         if (reuse_dd)
  287:                 EVP_CIPHER_CTX_cleanup(dd);
  288: 
  289:         p=s->s3->tmp.key_block;
  290:         i=EVP_MD_size(m);
  291:         cl=EVP_CIPHER_key_length(c);
  292:         j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
  293:                  cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
  294:         /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
  295:         k=EVP_CIPHER_iv_length(c);
  296:         if (   (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
  297:                 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
  298:                 {
  299:                 ms=  &(p[ 0]); n=i+i;
  300:                 key= &(p[ n]); n+=j+j;
  301:                 iv=  &(p[ n]); n+=k+k;
  302:                 er1= &(s->s3->client_random[0]);
  303:                 er2= &(s->s3->server_random[0]);
  304:                 }
  305:         else
  306:                 {
  307:                 n=i;
  308:                 ms=  &(p[ n]); n+=i+j;
  309:                 key= &(p[ n]); n+=j+k;
  310:                 iv=  &(p[ n]); n+=k;
  311:                 er1= &(s->s3->server_random[0]);
  312:                 er2= &(s->s3->client_random[0]);
  313:                 }
  314: 
  315:         if (n > s->s3->tmp.key_block_length)
  316:                 {
  317:                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
  318:                 goto err2;
  319:                 }
  320: 
  321:         EVP_MD_CTX_init(&md);
  322:         memcpy(mac_secret,ms,i);
  323:         if (is_exp)
  324:                 {
  325:                 /* In here I set both the read and write key/iv to the
  326:                  * same value since only the correct one will be used :-).
  327:                  */
  328:                 EVP_DigestInit_ex(&md,EVP_md5(), NULL);
  329:                 EVP_DigestUpdate(&md,key,j);
  330:                 EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
  331:                 EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
  332:                 EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL);
  333:                 key= &(exp_key[0]);
  334: 
  335:                 if (k > 0)
  336:                         {
  337:                         EVP_DigestInit_ex(&md,EVP_md5(), NULL);
  338:                         EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
  339:                         EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
  340:                         EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL);
  341:                         iv= &(exp_iv[0]);
  342:                         }
  343:                 }
  344: 
  345:         s->session->key_arg_length=0;
  346: 
  347:         EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
  348: 
  349:         OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
  350:         OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
  351:         EVP_MD_CTX_cleanup(&md);
  352:         return(1);
  353: err:
  354:         SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
  355: err2:
  356:         return(0);
  357:         }
  358: 
  359: int ssl3_setup_key_block(SSL *s)
  360:         {
  361:         unsigned char *p;
  362:         const EVP_CIPHER *c;
  363:         const EVP_MD *hash;
  364:         int num;
  365:         int ret = 0;
  366:         SSL_COMP *comp;
  367: 
  368:         if (s->s3->tmp.key_block_length != 0)
  369:                 return(1);
  370: 
  371:         if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
  372:                 {
  373:                 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
  374:                 return(0);
  375:                 }
  376: 
  377:         s->s3->tmp.new_sym_enc=c;
  378:         s->s3->tmp.new_hash=hash;
  379: #ifdef OPENSSL_NO_COMP
  380:         s->s3->tmp.new_compression=NULL;
  381: #else
  382:         s->s3->tmp.new_compression=comp;
  383: #endif
  384: 
  385:         num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
  386:         num*=2;
  387: 
  388:         ssl3_cleanup_key_block(s);
  389: 
  390:         if ((p=OPENSSL_malloc(num)) == NULL)
  391:                 goto err;
  392: 
  393:         s->s3->tmp.key_block_length=num;
  394:         s->s3->tmp.key_block=p;
  395: 
  396:         ret = ssl3_generate_key_block(s,p,num);
  397: 
  398:         if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
  399:                 {
  400:                 /* enable vulnerability countermeasure for CBC ciphers with
  401:                  * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
  402:                  */
  403:                 s->s3->need_empty_fragments = 1;
  404: 
  405:                 if (s->session->cipher != NULL)
  406:                         {
  407:                         if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
  408:                                 s->s3->need_empty_fragments = 0;
  409:                         
  410: #ifndef OPENSSL_NO_RC4
  411:                         if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
  412:                                 s->s3->need_empty_fragments = 0;
  413: #endif
  414:                         }
  415:                 }
  416: 
  417:         return ret;
  418:                 
  419: err:
  420:         SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
  421:         return(0);
  422:         }
  423: 
  424: void ssl3_cleanup_key_block(SSL *s)
  425:         {
  426:         if (s->s3->tmp.key_block != NULL)
  427:                 {
  428:                 OPENSSL_cleanse(s->s3->tmp.key_block,
  429:                         s->s3->tmp.key_block_length);
  430:                 OPENSSL_free(s->s3->tmp.key_block);
  431:                 s->s3->tmp.key_block=NULL;
  432:                 }
  433:         s->s3->tmp.key_block_length=0;
  434:         }
  435: 
  436: int ssl3_enc(SSL *s, int send)
  437:         {
  438:         SSL3_RECORD *rec;
  439:         EVP_CIPHER_CTX *ds;
  440:         unsigned long l;
  441:         int bs,i;
  442:         const EVP_CIPHER *enc;
  443: 
  444:         if (send)
  445:                 {
  446:                 ds=s->enc_write_ctx;
  447:                 rec= &(s->s3->wrec);
  448:                 if (s->enc_write_ctx == NULL)
  449:                         enc=NULL;
  450:                 else
  451:                         enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
  452:                 }
  453:         else
  454:                 {
  455:                 ds=s->enc_read_ctx;
  456:                 rec= &(s->s3->rrec);
  457:                 if (s->enc_read_ctx == NULL)
  458:                         enc=NULL;
  459:                 else
  460:                         enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
  461:                 }
  462: 
  463:         if ((s->session == NULL) || (ds == NULL) ||
  464:                 (enc == NULL))
  465:                 {
  466:                 memmove(rec->data,rec->input,rec->length);
  467:                 rec->input=rec->data;
  468:                 }
  469:         else
  470:                 {
  471:                 l=rec->length;
  472:                 bs=EVP_CIPHER_block_size(ds->cipher);
  473: 
  474:                 /* COMPRESS */
  475: 
  476:                 if ((bs != 1) && send)
  477:                         {
  478:                         i=bs-((int)l%bs);
  479: 
  480:                         /* we need to add 'i-1' padding bytes */
  481:                         l+=i;
  482:                         rec->length+=i;
  483:                         rec->input[l-1]=(i-1);
  484:                         }
  485:                 
  486:                 if (!send)
  487:                         {
  488:                         if (l == 0 || l%bs != 0)
  489:                                 {
  490:                                 SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
  491:                                 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
  492:                                 return 0;
  493:                                 }
  494:                         /* otherwise, rec->length >= bs */
  495:                         }
  496:                 
  497:                 EVP_Cipher(ds,rec->data,rec->input,l);
  498: 
  499:                 if ((bs != 1) && !send)
  500:                         {
  501:                         i=rec->data[l-1]+1;
  502:                         /* SSL 3.0 bounds the number of padding bytes by the block size;
  503:                          * padding bytes (except the last one) are arbitrary */
  504:                         if (i > bs)
  505:                                 {
  506:                                 /* Incorrect padding. SSLerr() and ssl3_alert are done
  507:                                  * by caller: we don't want to reveal whether this is
  508:                                  * a decryption error or a MAC verification failure
  509:                                  * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
  510:                                 return -1;
  511:                                 }
  512:                         /* now i <= bs <= rec->length */
  513:                         rec->length-=i;
  514:                         }
  515:                 }
  516:         return(1);
  517:         }
  518: 
  519: void ssl3_init_finished_mac(SSL *s)
  520:         {
  521:         EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
  522:         EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
  523:         }
  524: 
  525: void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
  526:         {
  527:         EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len);
  528:         EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len);
  529:         }
  530: 
  531: int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
  532:         {
  533:         return(ssl3_handshake_mac(s,ctx,NULL,0,p));
  534:         }
  535: 
  536: int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
  537:              const char *sender, int len, unsigned char *p)
  538:         {
  539:         int ret;
  540: