s3_enc.c revision 291721
1/* ssl/s3_enc.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138#include <stdio.h> 139#include "ssl_locl.h" 140#include <openssl/evp.h> 141#include <openssl/md5.h> 142 143static unsigned char ssl3_pad_1[48] = { 144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 150}; 151 152static unsigned char ssl3_pad_2[48] = { 153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c 159}; 160 161static int ssl3_handshake_mac(SSL *s, int md_nid, 162 const char *sender, int len, unsigned char *p); 163static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) 164{ 165 EVP_MD_CTX m5; 166 EVP_MD_CTX s1; 167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; 168 unsigned char c = 'A'; 169 unsigned int i, j, k; 170 171#ifdef CHARSET_EBCDIC 172 c = os_toascii[c]; /* 'A' in ASCII */ 173#endif 174 k = 0; 175 EVP_MD_CTX_init(&m5); 176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 177 EVP_MD_CTX_init(&s1); 178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { 179 k++; 180 if (k > sizeof buf) { 181 /* bug: 'buf' is too small for this ciphersuite */ 182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); 183 return 0; 184 } 185 186 for (j = 0; j < k; j++) 187 buf[j] = c; 188 c++; 189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL); 190 EVP_DigestUpdate(&s1, buf, k); 191 EVP_DigestUpdate(&s1, s->session->master_key, 192 s->session->master_key_length); 193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE); 194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE); 195 EVP_DigestFinal_ex(&s1, smd, NULL); 196 197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL); 198 EVP_DigestUpdate(&m5, s->session->master_key, 199 s->session->master_key_length); 200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH); 201 if ((int)(i + MD5_DIGEST_LENGTH) > num) { 202 EVP_DigestFinal_ex(&m5, smd, NULL); 203 memcpy(km, smd, (num - i)); 204 } else 205 EVP_DigestFinal_ex(&m5, km, NULL); 206 207 km += MD5_DIGEST_LENGTH; 208 } 209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH); 210 EVP_MD_CTX_cleanup(&m5); 211 EVP_MD_CTX_cleanup(&s1); 212 return 1; 213} 214 215int ssl3_change_cipher_state(SSL *s, int which) 216{ 217 unsigned char *p, *mac_secret; 218 unsigned char exp_key[EVP_MAX_KEY_LENGTH]; 219 unsigned char exp_iv[EVP_MAX_IV_LENGTH]; 220 unsigned char *ms, *key, *iv, *er1, *er2; 221 EVP_CIPHER_CTX *dd; 222 const EVP_CIPHER *c; 223#ifndef OPENSSL_NO_COMP 224 COMP_METHOD *comp; 225#endif 226 const EVP_MD *m; 227 EVP_MD_CTX md; 228 int is_exp, n, i, j, k, cl; 229 int reuse_dd = 0; 230 231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 232 c = s->s3->tmp.new_sym_enc; 233 m = s->s3->tmp.new_hash; 234 /* m == NULL will lead to a crash later */ 235 OPENSSL_assert(m); 236#ifndef OPENSSL_NO_COMP 237 if (s->s3->tmp.new_compression == NULL) 238 comp = NULL; 239 else 240 comp = s->s3->tmp.new_compression->method; 241#endif 242 243 if (which & SSL3_CC_READ) { 244 if (s->enc_read_ctx != NULL) 245 reuse_dd = 1; 246 else if ((s->enc_read_ctx = 247 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 248 goto err; 249 else 250 /* 251 * make sure it's intialized in case we exit later with an error 252 */ 253 EVP_CIPHER_CTX_init(s->enc_read_ctx); 254 dd = s->enc_read_ctx; 255 256 if (ssl_replace_hash(&s->read_hash, m) == NULL) { 257 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 258 goto err2; 259 } 260#ifndef OPENSSL_NO_COMP 261 /* COMPRESS */ 262 if (s->expand != NULL) { 263 COMP_CTX_free(s->expand); 264 s->expand = NULL; 265 } 266 if (comp != NULL) { 267 s->expand = COMP_CTX_new(comp); 268 if (s->expand == NULL) { 269 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 270 SSL_R_COMPRESSION_LIBRARY_ERROR); 271 goto err2; 272 } 273 if (s->s3->rrec.comp == NULL) 274 s->s3->rrec.comp = (unsigned char *) 275 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH); 276 if (s->s3->rrec.comp == NULL) 277 goto err; 278 } 279#endif 280 memset(&(s->s3->read_sequence[0]), 0, 8); 281 mac_secret = &(s->s3->read_mac_secret[0]); 282 } else { 283 if (s->enc_write_ctx != NULL) 284 reuse_dd = 1; 285 else if ((s->enc_write_ctx = 286 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 287 goto err; 288 else 289 /* 290 * make sure it's intialized in case we exit later with an error 291 */ 292 EVP_CIPHER_CTX_init(s->enc_write_ctx); 293 dd = s->enc_write_ctx; 294 if (ssl_replace_hash(&s->write_hash, m) == NULL) { 295 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 296 goto err2; 297 } 298#ifndef OPENSSL_NO_COMP 299 /* COMPRESS */ 300 if (s->compress != NULL) { 301 COMP_CTX_free(s->compress); 302 s->compress = NULL; 303 } 304 if (comp != NULL) { 305 s->compress = COMP_CTX_new(comp); 306 if (s->compress == NULL) { 307 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 308 SSL_R_COMPRESSION_LIBRARY_ERROR); 309 goto err2; 310 } 311 } 312#endif 313 memset(&(s->s3->write_sequence[0]), 0, 8); 314 mac_secret = &(s->s3->write_mac_secret[0]); 315 } 316 317 if (reuse_dd) 318 EVP_CIPHER_CTX_cleanup(dd); 319 320 p = s->s3->tmp.key_block; 321 i = EVP_MD_size(m); 322 if (i < 0) 323 goto err2; 324 cl = EVP_CIPHER_key_length(c); 325 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 326 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 327 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ 328 k = EVP_CIPHER_iv_length(c); 329 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 330 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 331 ms = &(p[0]); 332 n = i + i; 333 key = &(p[n]); 334 n += j + j; 335 iv = &(p[n]); 336 n += k + k; 337 er1 = &(s->s3->client_random[0]); 338 er2 = &(s->s3->server_random[0]); 339 } else { 340 n = i; 341 ms = &(p[n]); 342 n += i + j; 343 key = &(p[n]); 344 n += j + k; 345 iv = &(p[n]); 346 n += k; 347 er1 = &(s->s3->server_random[0]); 348 er2 = &(s->s3->client_random[0]); 349 } 350 351 if (n > s->s3->tmp.key_block_length) { 352 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 353 goto err2; 354 } 355 356 EVP_MD_CTX_init(&md); 357 memcpy(mac_secret, ms, i); 358 if (is_exp) { 359 /* 360 * In here I set both the read and write key/iv to the same value 361 * since only the correct one will be used :-). 362 */ 363 EVP_DigestInit_ex(&md, EVP_md5(), NULL); 364 EVP_DigestUpdate(&md, key, j); 365 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE); 366 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE); 367 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL); 368 key = &(exp_key[0]); 369 370 if (k > 0) { 371 EVP_DigestInit_ex(&md, EVP_md5(), NULL); 372 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE); 373 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE); 374 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL); 375 iv = &(exp_iv[0]); 376 } 377 } 378 379 s->session->key_arg_length = 0; 380 381 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)); 382 383 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key)); 384 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv)); 385 EVP_MD_CTX_cleanup(&md); 386 return (1); 387 err: 388 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 389 err2: 390 return (0); 391} 392 393int ssl3_setup_key_block(SSL *s) 394{ 395 unsigned char *p; 396 const EVP_CIPHER *c; 397 const EVP_MD *hash; 398 int num; 399 int ret = 0; 400 SSL_COMP *comp; 401 402 if (s->s3->tmp.key_block_length != 0) 403 return (1); 404 405 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) { 406 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 407 return (0); 408 } 409 410 s->s3->tmp.new_sym_enc = c; 411 s->s3->tmp.new_hash = hash; 412#ifdef OPENSSL_NO_COMP 413 s->s3->tmp.new_compression = NULL; 414#else 415 s->s3->tmp.new_compression = comp; 416#endif 417 418 num = EVP_MD_size(hash); 419 if (num < 0) 420 return 0; 421 422 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); 423 num *= 2; 424 425 ssl3_cleanup_key_block(s); 426 427 if ((p = OPENSSL_malloc(num)) == NULL) 428 goto err; 429 430 s->s3->tmp.key_block_length = num; 431 s->s3->tmp.key_block = p; 432 433 ret = ssl3_generate_key_block(s, p, num); 434 435 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { 436 /* 437 * enable vulnerability countermeasure for CBC ciphers with known-IV 438 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 439 */ 440 s->s3->need_empty_fragments = 1; 441 442 if (s->session->cipher != NULL) { 443 if (s->session->cipher->algorithm_enc == SSL_eNULL) 444 s->s3->need_empty_fragments = 0; 445 446#ifndef OPENSSL_NO_RC4 447 if (s->session->cipher->algorithm_enc == SSL_RC4) 448 s->s3->need_empty_fragments = 0; 449#endif 450 } 451 } 452 453 return ret; 454 455 err: 456 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 457 return (0); 458} 459 460void ssl3_cleanup_key_block(SSL *s) 461{ 462 if (s->s3->tmp.key_block != NULL) { 463 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); 464 OPENSSL_free(s->s3->tmp.key_block); 465 s->s3->tmp.key_block = NULL; 466 } 467 s->s3->tmp.key_block_length = 0; 468} 469 470/*- 471 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 472 * 473 * Returns: 474 * 0: (in non-constant time) if the record is publically invalid (i.e. too 475 * short etc). 476 * 1: if the record's padding is valid / the encryption was successful. 477 * -1: if the record's padding is invalid or, if sending, an internal error 478 * occured. 479 */ 480int ssl3_enc(SSL *s, int send) 481{ 482 SSL3_RECORD *rec; 483 EVP_CIPHER_CTX *ds; 484 unsigned long l; 485 int bs, i, mac_size = 0; 486 const EVP_CIPHER *enc; 487 488 if (send) { 489 ds = s->enc_write_ctx; 490 rec = &(s->s3->wrec); 491 if (s->enc_write_ctx == NULL) 492 enc = NULL; 493 else 494 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 495 } else { 496 ds = s->enc_read_ctx; 497 rec = &(s->s3->rrec); 498 if (s->enc_read_ctx == NULL) 499 enc = NULL; 500 else 501 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 502 } 503 504 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 505 memmove(rec->data, rec->input, rec->length); 506 rec->input = rec->data; 507 } else { 508 l = rec->length; 509 bs = EVP_CIPHER_block_size(ds->cipher); 510 511 /* COMPRESS */ 512 513 if ((bs != 1) && send) { 514 i = bs - ((int)l % bs); 515 516 /* we need to add 'i-1' padding bytes */ 517 l += i; 518 /* 519 * the last of these zero bytes will be overwritten with the 520 * padding length. 521 */ 522 memset(&rec->input[rec->length], 0, i); 523 rec->length += i; 524 rec->input[l - 1] = (i - 1); 525 } 526 527 if (!send) { 528 if (l == 0 || l % bs != 0) 529 return 0; 530 /* otherwise, rec->length >= bs */ 531 } 532 533 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1) 534 return -1; 535 536 if (EVP_MD_CTX_md(s->read_hash) != NULL) 537 mac_size = EVP_MD_CTX_size(s->read_hash); 538 if ((bs != 1) && !send) 539 return ssl3_cbc_remove_padding(s, rec, bs, mac_size); 540 } 541 return (1); 542} 543 544void ssl3_init_finished_mac(SSL *s) 545{ 546 if (s->s3->handshake_buffer) 547 BIO_free(s->s3->handshake_buffer); 548 if (s->s3->handshake_dgst) 549 ssl3_free_digest_list(s); 550 s->s3->handshake_buffer = BIO_new(BIO_s_mem()); 551 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); 552} 553 554void ssl3_free_digest_list(SSL *s) 555{ 556 int i; 557 if (!s->s3->handshake_dgst) 558 return; 559 for (i = 0; i < SSL_MAX_DIGEST; i++) { 560 if (s->s3->handshake_dgst[i]) 561 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]); 562 } 563 OPENSSL_free(s->s3->handshake_dgst); 564 s->s3->handshake_dgst = NULL; 565} 566 567void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) 568{ 569 if (s->s3->handshake_buffer 570 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 571 BIO_write(s->s3->handshake_buffer, (void *)buf, len); 572 } else { 573 int i; 574 for (i = 0; i < SSL_MAX_DIGEST; i++) { 575 if (s->s3->handshake_dgst[i] != NULL) 576 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len); 577 } 578 } 579} 580 581int ssl3_digest_cached_records(SSL *s) 582{ 583 int i; 584 long mask; 585 const EVP_MD *md; 586 long hdatalen; 587 void *hdata; 588 589 /* Allocate handshake_dgst array */ 590 ssl3_free_digest_list(s); 591 s->s3->handshake_dgst = 592 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); 593 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); 594 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 595 if (hdatalen <= 0) { 596 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH); 597 return 0; 598 } 599 600 /* Loop through bitso of algorithm2 field and create MD_CTX-es */ 601 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) { 602 if ((mask & ssl_get_algorithm2(s)) && md) { 603 s->s3->handshake_dgst[i] = EVP_MD_CTX_create(); 604#ifdef OPENSSL_FIPS 605 if (EVP_MD_nid(md) == NID_md5) { 606 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], 607 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 608 } 609#endif 610 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL); 611 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen); 612 } else { 613 s->s3->handshake_dgst[i] = NULL; 614 } 615 } 616 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 617 /* Free handshake_buffer BIO */ 618 BIO_free(s->s3->handshake_buffer); 619 s->s3->handshake_buffer = NULL; 620 } 621 622 return 1; 623} 624 625int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p) 626{ 627 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p)); 628} 629 630int ssl3_final_finish_mac(SSL *s, 631 const char *sender, int len, unsigned char *p) 632{ 633 int ret, sha1len; 634 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p); 635 if (ret == 0) 636 return 0; 637 638 p += ret; 639 640 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p); 641 if (sha1len == 0) 642 return 0; 643 644 ret += sha1len; 645 return (ret); 646} 647 648static int ssl3_handshake_mac(SSL *s, int md_nid, 649 const char *sender, int len, unsigned char *p) 650{ 651 unsigned int ret; 652 int npad, n; 653 unsigned int i; 654 unsigned char md_buf[EVP_MAX_MD_SIZE]; 655 EVP_MD_CTX ctx, *d = NULL; 656 657 if (s->s3->handshake_buffer) 658 if (!ssl3_digest_cached_records(s)) 659 return 0; 660 661 /* 662 * Search for digest of specified type in the handshake_dgst array 663 */ 664 for (i = 0; i < SSL_MAX_DIGEST; i++) { 665 if (s->s3->handshake_dgst[i] 666 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { 667 d = s->s3->handshake_dgst[i]; 668 break; 669 } 670 } 671 if (!d) { 672 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST); 673 return 0; 674 } 675 EVP_MD_CTX_init(&ctx); 676 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 677 EVP_MD_CTX_copy_ex(&ctx, d); 678 n = EVP_MD_CTX_size(&ctx); 679 if (n < 0) 680 return 0; 681 682 npad = (48 / n) * n; 683 if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0) 684 || EVP_DigestUpdate(&ctx, s->session->master_key, 685 s->session->master_key_length) <= 0 686 || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0 687 || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0 688 689 || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0 690 || EVP_DigestUpdate(&ctx, s->session->master_key, 691 s->session->master_key_length) <= 0 692 || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0 693 || EVP_DigestUpdate(&ctx, md_buf, i) <= 0 694 || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) { 695 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR); 696 ret = 0; 697 } 698 699 EVP_MD_CTX_cleanup(&ctx); 700 701 return ((int)ret); 702} 703 704int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) 705{ 706 SSL3_RECORD *rec; 707 unsigned char *mac_sec, *seq; 708 EVP_MD_CTX md_ctx; 709 const EVP_MD_CTX *hash; 710 unsigned char *p, rec_char; 711 size_t md_size, orig_len; 712 int npad; 713 int t; 714 715 if (send) { 716 rec = &(ssl->s3->wrec); 717 mac_sec = &(ssl->s3->write_mac_secret[0]); 718 seq = &(ssl->s3->write_sequence[0]); 719 hash = ssl->write_hash; 720 } else { 721 rec = &(ssl->s3->rrec); 722 mac_sec = &(ssl->s3->read_mac_secret[0]); 723 seq = &(ssl->s3->read_sequence[0]); 724 hash = ssl->read_hash; 725 } 726 727 t = EVP_MD_CTX_size(hash); 728 if (t < 0) 729 return -1; 730 md_size = t; 731 npad = (48 / md_size) * md_size; 732 733 /* 734 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type 735 */ 736 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); 737 rec->type &= 0xff; 738 739 if (!send && 740 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 741 ssl3_cbc_record_digest_supported(hash)) { 742 /* 743 * This is a CBC-encrypted record. We must avoid leaking any 744 * timing-side channel information about how many blocks of data we 745 * are hashing because that gives an attacker a timing-oracle. 746 */ 747 748 /*- 749 * npad is, at most, 48 bytes and that's with MD5: 750 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. 751 * 752 * With SHA-1 (the largest hash speced for SSLv3) the hash size 753 * goes up 4, but npad goes down by 8, resulting in a smaller 754 * total size. 755 */ 756 unsigned char header[75]; 757 unsigned j = 0; 758 memcpy(header + j, mac_sec, md_size); 759 j += md_size; 760 memcpy(header + j, ssl3_pad_1, npad); 761 j += npad; 762 memcpy(header + j, seq, 8); 763 j += 8; 764 header[j++] = rec->type; 765 header[j++] = rec->length >> 8; 766 header[j++] = rec->length & 0xff; 767 768 /* Final param == is SSLv3 */ 769 if (ssl3_cbc_digest_record(hash, 770 md, &md_size, 771 header, rec->input, 772 rec->length + md_size, orig_len, 773 mac_sec, md_size, 1) <= 0) 774 return -1; 775 } else { 776 unsigned int md_size_u; 777 /* Chop the digest off the end :-) */ 778 EVP_MD_CTX_init(&md_ctx); 779 780 rec_char = rec->type; 781 p = md; 782 s2n(rec->length, p); 783 if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0 784 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0 785 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0 786 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0 787 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0 788 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0 789 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0 790 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0 791 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0 792 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0 793 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0 794 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0 795 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) { 796 EVP_MD_CTX_cleanup(&md_ctx); 797 return -1; 798 } 799 md_size = md_size_u; 800 801 EVP_MD_CTX_cleanup(&md_ctx); 802 } 803 804 ssl3_record_sequence_update(seq); 805 return (md_size); 806} 807 808void ssl3_record_sequence_update(unsigned char *seq) 809{ 810 int i; 811 812 for (i = 7; i >= 0; i--) { 813 ++seq[i]; 814 if (seq[i] != 0) 815 break; 816 } 817} 818 819int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 820 int len) 821{ 822 static const unsigned char *salt[3] = { 823#ifndef CHARSET_EBCDIC 824 (const unsigned char *)"A", 825 (const unsigned char *)"BB", 826 (const unsigned char *)"CCC", 827#else 828 (const unsigned char *)"\x41", 829 (const unsigned char *)"\x42\x42", 830 (const unsigned char *)"\x43\x43\x43", 831#endif 832 }; 833 unsigned char buf[EVP_MAX_MD_SIZE]; 834 EVP_MD_CTX ctx; 835 int i, ret = 0; 836 unsigned int n; 837 838 EVP_MD_CTX_init(&ctx); 839 for (i = 0; i < 3; i++) { 840 if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0 841 || EVP_DigestUpdate(&ctx, salt[i], 842 strlen((const char *)salt[i])) <= 0 843 || EVP_DigestUpdate(&ctx, p, len) <= 0 844 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), 845 SSL3_RANDOM_SIZE) <= 0 846 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), 847 SSL3_RANDOM_SIZE) <= 0 848 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0 849 850 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0 851 || EVP_DigestUpdate(&ctx, p, len) <= 0 852 || EVP_DigestUpdate(&ctx, buf, n) <= 0 853 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) { 854 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); 855 ret = 0; 856 break; 857 } 858 out += n; 859 ret += n; 860 } 861 EVP_MD_CTX_cleanup(&ctx); 862 OPENSSL_cleanse(buf, sizeof buf); 863 return (ret); 864} 865 866int ssl3_alert_code(int code) 867{ 868 switch (code) { 869 case SSL_AD_CLOSE_NOTIFY: 870 return (SSL3_AD_CLOSE_NOTIFY); 871 case SSL_AD_UNEXPECTED_MESSAGE: 872 return (SSL3_AD_UNEXPECTED_MESSAGE); 873 case SSL_AD_BAD_RECORD_MAC: 874 return (SSL3_AD_BAD_RECORD_MAC); 875 case SSL_AD_DECRYPTION_FAILED: 876 return (SSL3_AD_BAD_RECORD_MAC); 877 case SSL_AD_RECORD_OVERFLOW: 878 return (SSL3_AD_BAD_RECORD_MAC); 879 case SSL_AD_DECOMPRESSION_FAILURE: 880 return (SSL3_AD_DECOMPRESSION_FAILURE); 881 case SSL_AD_HANDSHAKE_FAILURE: 882 return (SSL3_AD_HANDSHAKE_FAILURE); 883 case SSL_AD_NO_CERTIFICATE: 884 return (SSL3_AD_NO_CERTIFICATE); 885 case SSL_AD_BAD_CERTIFICATE: 886 return (SSL3_AD_BAD_CERTIFICATE); 887 case SSL_AD_UNSUPPORTED_CERTIFICATE: 888 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 889 case SSL_AD_CERTIFICATE_REVOKED: 890 return (SSL3_AD_CERTIFICATE_REVOKED); 891 case SSL_AD_CERTIFICATE_EXPIRED: 892 return (SSL3_AD_CERTIFICATE_EXPIRED); 893 case SSL_AD_CERTIFICATE_UNKNOWN: 894 return (SSL3_AD_CERTIFICATE_UNKNOWN); 895 case SSL_AD_ILLEGAL_PARAMETER: 896 return (SSL3_AD_ILLEGAL_PARAMETER); 897 case SSL_AD_UNKNOWN_CA: 898 return (SSL3_AD_BAD_CERTIFICATE); 899 case SSL_AD_ACCESS_DENIED: 900 return (SSL3_AD_HANDSHAKE_FAILURE); 901 case SSL_AD_DECODE_ERROR: 902 return (SSL3_AD_HANDSHAKE_FAILURE); 903 case SSL_AD_DECRYPT_ERROR: 904 return (SSL3_AD_HANDSHAKE_FAILURE); 905 case SSL_AD_EXPORT_RESTRICTION: 906 return (SSL3_AD_HANDSHAKE_FAILURE); 907 case SSL_AD_PROTOCOL_VERSION: 908 return (SSL3_AD_HANDSHAKE_FAILURE); 909 case SSL_AD_INSUFFICIENT_SECURITY: 910 return (SSL3_AD_HANDSHAKE_FAILURE); 911 case SSL_AD_INTERNAL_ERROR: 912 return (SSL3_AD_HANDSHAKE_FAILURE); 913 case SSL_AD_USER_CANCELLED: 914 return (SSL3_AD_HANDSHAKE_FAILURE); 915 case SSL_AD_NO_RENEGOTIATION: 916 return (-1); /* Don't send it :-) */ 917 case SSL_AD_UNSUPPORTED_EXTENSION: 918 return (SSL3_AD_HANDSHAKE_FAILURE); 919 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 920 return (SSL3_AD_HANDSHAKE_FAILURE); 921 case SSL_AD_UNRECOGNIZED_NAME: 922 return (SSL3_AD_HANDSHAKE_FAILURE); 923 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 924 return (SSL3_AD_HANDSHAKE_FAILURE); 925 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 926 return (SSL3_AD_HANDSHAKE_FAILURE); 927 case SSL_AD_UNKNOWN_PSK_IDENTITY: 928 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 929 case SSL_AD_INAPPROPRIATE_FALLBACK: 930 return (TLS1_AD_INAPPROPRIATE_FALLBACK); 931 default: 932 return (-1); 933 } 934} 935