]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/s3_enc.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Import of old SSLeay release: SSLeay 0.8.1b
[thirdparty/openssl.git] / ssl / s3_enc.c
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <stdio.h>
60 #include "evp.h"
61 #include "ssl_locl.h"
62
63 static unsigned char ssl3_pad_1[48]={
64 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
65 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
66 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
67 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
68 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
69 0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 };
70
71 static unsigned char ssl3_pad_2[48]={
72 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
73 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
74 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
75 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
76 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
77 0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
78
79 int ssl3_change_cipher_state(s,which)
80 SSL *s;
81 int which;
82 {
83 unsigned char *p,*key_block,*mac_secret;
84 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
85 unsigned char exp_iv[EVP_MAX_KEY_LENGTH];
86 unsigned char *ms,*key,*iv,*er1,*er2;
87 EVP_CIPHER_CTX *dd;
88 EVP_CIPHER *c;
89 SSL_COMPRESSION *comp;
90 EVP_MD *m;
91 MD5_CTX md;
92 int exp,n,i,j,k;
93
94 exp=(s->s3->tmp.new_cipher->algorithms & SSL_EXPORT)?1:0;
95 c=s->s3->tmp.new_sym_enc;
96 m=s->s3->tmp.new_hash;
97 comp=s->s3->tmp.new_compression;
98 key_block=s->s3->tmp.key_block;
99
100 if (which & SSL3_CC_READ)
101 {
102 if ((s->enc_read_ctx == NULL) &&
103 ((s->enc_read_ctx=(EVP_CIPHER_CTX *)
104 Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
105 goto err;
106 dd= s->enc_read_ctx;
107 s->read_hash=m;
108 s->read_compression=comp;
109 memset(&(s->s3->read_sequence[0]),0,8);
110 mac_secret= &(s->s3->read_mac_secret[0]);
111 }
112 else
113 {
114 if ((s->enc_write_ctx == NULL) &&
115 ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
116 Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
117 goto err;
118 dd= s->enc_write_ctx;
119 s->write_hash=m;
120 s->write_compression=comp;
121 memset(&(s->s3->write_sequence[0]),0,8);
122 mac_secret= &(s->s3->write_mac_secret[0]);
123 }
124
125 p=s->s3->tmp.key_block;
126 i=EVP_MD_size(m);
127 j=(exp)?5:EVP_CIPHER_key_length(c);
128 k=EVP_CIPHER_iv_length(c);
129 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
130 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
131 {
132 ms= &(p[ 0]); n=i+i;
133 key= &(p[ n]); n+=j+j;
134 iv= &(p[ n]); n+=k+k;
135 er1= &(s->s3->client_random[0]);
136 er2= &(s->s3->server_random[0]);
137 }
138 else
139 {
140 n=i;
141 ms= &(p[ n]); n+=i+j;
142 key= &(p[ n]); n+=j+k;
143 iv= &(p[ n]); n+=k;
144 er1= &(s->s3->server_random[0]);
145 er2= &(s->s3->client_random[0]);
146 }
147
148 if (n > s->s3->tmp.key_block_length)
149 {
150 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_INTERNAL_ERROR);
151 goto err2;
152 }
153
154 memcpy(mac_secret,ms,i);
155 if (exp)
156 {
157 /* In here I set both the read and write key/iv to the
158 * same value since only the correct one will be used :-).
159 */
160 MD5_Init(&md);
161 MD5_Update(&md,key,j);
162 MD5_Update(&md,er1,SSL3_RANDOM_SIZE);
163 MD5_Update(&md,er2,SSL3_RANDOM_SIZE);
164 MD5_Final(&(exp_key[0]),&md);
165 key= &(exp_key[0]);
166
167 MD5_Init(&md);
168 MD5_Update(&md,er1,SSL3_RANDOM_SIZE);
169 MD5_Update(&md,er2,SSL3_RANDOM_SIZE);
170 MD5_Final(&(exp_iv[0]),&md);
171 iv= &(exp_iv[0]);
172 }
173
174 s->session->key_arg_length=k;
175 if (k > 0)
176 memcpy(&(s->session->key_arg[0]),iv,k);
177
178 EVP_CipherInit(dd,c,key,iv,(which & SSL3_CC_WRITE));
179 memset(&(exp_key[0]),0,sizeof(exp_key));
180 memset(&(exp_iv[0]),0,sizeof(exp_iv));
181 return(1);
182 err:
183 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
184 err2:
185 return(0);
186 }
187
188 int ssl3_setup_key_block(s)
189 SSL *s;
190 {
191 unsigned char *p;
192 EVP_CIPHER *c;
193 EVP_MD *hash;
194 int num,exp;
195
196 if (s->s3->tmp.key_block_length != 0)
197 return(1);
198
199 if (!ssl_cipher_get_evp(s->session->cipher,&c,&hash))
200 {
201 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
202 return(0);
203 }
204
205 s->s3->tmp.new_sym_enc=c;
206 s->s3->tmp.new_hash=hash;
207
208 exp=(s->session->cipher->algorithms & SSL_EXPORT)?1:0;
209
210 num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
211 num*=2;
212
213 ssl3_cleanup_key_block(s);
214
215 if ((p=(unsigned char *)Malloc(num)) == NULL)
216 goto err;
217
218 s->s3->tmp.key_block_length=num;
219 s->s3->tmp.key_block=p;
220
221 ssl3_generate_key_block(s,p,num);
222
223 return(1);
224 err:
225 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
226 return(0);
227 }
228
229 void ssl3_cleanup_key_block(s)
230 SSL *s;
231 {
232 if (s->s3->tmp.key_block != NULL)
233 {
234 memset(s->s3->tmp.key_block,0,
235 s->s3->tmp.key_block_length);
236 Free(s->s3->tmp.key_block);
237 s->s3->tmp.key_block=NULL;
238 }
239 s->s3->tmp.key_block_length=0;
240 }
241
242 int ssl3_enc(s,send)
243 SSL *s;
244 int send;
245 {
246 SSL3_RECORD *rec;
247 EVP_CIPHER_CTX *ds;
248 unsigned long l;
249 int bs,i;
250 EVP_CIPHER *enc;
251 SSL_COMPRESSION *comp;
252
253 if (send)
254 {
255 ds=s->enc_write_ctx;
256 rec= &(s->s3->wrec);
257 if (s->enc_write_ctx == NULL)
258 { enc=NULL; comp=NULL; }
259 else
260 {
261 enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
262 comp=s->write_compression;
263 }
264 }
265 else
266 {
267 ds=s->enc_read_ctx;
268 rec= &(s->s3->rrec);
269 if (s->enc_read_ctx == NULL)
270 { enc=NULL; comp=NULL; }
271 else
272 {
273 enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
274 comp=s->read_compression;
275 }
276 }
277
278 if ((s->session == NULL) || (ds == NULL) ||
279 ((enc == NULL) && (comp == NULL)))
280 {
281 memcpy(rec->data,rec->input,rec->length);
282 rec->input=rec->data;
283 }
284 else
285 {
286 l=rec->length;
287 bs=EVP_CIPHER_block_size(ds->cipher);
288
289 /* This should be using (bs-1) and bs instead of 7 and 8 */
290 if ((bs != 1) && send)
291 {
292 i=bs-((int)l%bs);
293
294 /* we need to add 'i-1' padding bytes */
295 l+=i;
296 rec->length+=i;
297 rec->input[l-1]=(i-1);
298 }
299
300 EVP_Cipher(ds,rec->data,rec->input,l);
301
302 if ((bs != 1) && !send)
303 {
304 i=rec->data[l-1]+1;
305 if (i > bs)
306 {
307 SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
308 ssl3_send_alert(s,SSL3_AL_FATAL,SSL3_AD_BAD_RECORD_MAC);
309 return(0);
310 }
311 rec->length-=i;
312 }
313 }
314 return(1);
315 }
316
317 void ssl3_init_finished_mac(s)
318 SSL *s;
319 {
320 EVP_DigestInit(&(s->s3->finish_dgst1),EVP_md5());
321 EVP_DigestInit(&(s->s3->finish_dgst2),EVP_sha1());
322 }
323
324 void ssl3_finish_mac(s,buf,len)
325 SSL *s;
326 unsigned char *buf;
327 int len;
328 {
329 EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len);
330 EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len);
331 }
332
333 int ssl3_final_finish_mac(s,in_ctx,sender,p)
334 SSL *s;
335 EVP_MD_CTX *in_ctx;
336 unsigned char *sender;
337 unsigned char *p;
338 {
339 unsigned int ret;
340 int npad,n;
341 unsigned int i;
342 unsigned char md_buf[EVP_MAX_MD_SIZE];
343 EVP_MD_CTX ctx;
344
345 memcpy(&ctx,in_ctx,sizeof(EVP_MD_CTX));
346
347 n=EVP_MD_CTX_size(&ctx);
348 npad=(48/n)*n;
349
350 if (sender != NULL)
351 EVP_DigestUpdate(&ctx,sender,4);
352 EVP_DigestUpdate(&ctx,s->session->master_key,
353 s->session->master_key_length);
354 EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
355 EVP_DigestFinal(&ctx,md_buf,&i);
356
357 EVP_DigestInit(&ctx,EVP_MD_CTX_type(&ctx));
358 EVP_DigestUpdate(&ctx,s->session->master_key,
359 s->session->master_key_length);
360 EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
361 EVP_DigestUpdate(&ctx,md_buf,i);
362 EVP_DigestFinal(&ctx,p,&ret);
363
364 memset(&ctx,0,sizeof(EVP_MD_CTX));
365
366 return((int)ret);
367 }
368
369 int ssl3_mac(ssl,md,send)
370 SSL *ssl;
371 unsigned char *md;
372 int send;
373 {
374 SSL3_RECORD *rec;
375 unsigned char *mac_sec,*seq;
376 EVP_MD_CTX md_ctx;
377 EVP_MD *hash;
378 unsigned char *p,rec_char;
379 unsigned int md_size;
380 int npad,i;
381
382 if (send)
383 {
384 rec= &(ssl->s3->wrec);
385 mac_sec= &(ssl->s3->write_mac_secret[0]);
386 seq= &(ssl->s3->write_sequence[0]);
387 hash=ssl->write_hash;
388 }
389 else
390 {
391 rec= &(ssl->s3->rrec);
392 mac_sec= &(ssl->s3->read_mac_secret[0]);
393 seq= &(ssl->s3->read_sequence[0]);
394 hash=ssl->read_hash;
395 }
396
397 md_size=EVP_MD_size(hash);
398 npad=(48/md_size)*md_size;
399
400 #ifdef MAC_DEBUG
401 printf("npad=%d md_size=%d",npad,md_size);
402 printf("\nmsec=");
403 for (i=0; i<md_size; i++) printf("%02X ",mac_sec[i]);
404 printf("\npad1=");
405 for (i=0; i<npad; i++) printf("%02X ",ssl3_pad_1[i]);
406 printf("\nseq =");
407 for (i=0; i<8; i++) printf("%02X ",seq[i]);
408 printf("\nreqt=%02X len=%04X\n",rec->type,rec->length);
409 for (i=0; i<rec->length; i++) printf("%02X",rec->input[i]);
410 printf("\n");
411 #endif
412
413 /* Chop the digest off the end :-) */
414
415 EVP_DigestInit( &md_ctx,hash);
416 EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
417 EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
418 EVP_DigestUpdate(&md_ctx,seq,8);
419 rec_char=rec->type;
420 EVP_DigestUpdate(&md_ctx,&rec_char,1);
421 p=md;
422 s2n(rec->length,p);
423 EVP_DigestUpdate(&md_ctx,md,2);
424 EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
425 EVP_DigestFinal( &md_ctx,md,NULL);
426
427 EVP_DigestInit( &md_ctx,hash);
428 EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
429 EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
430 EVP_DigestUpdate(&md_ctx,md,md_size);
431 EVP_DigestFinal( &md_ctx,md,&md_size);
432
433 for (i=7; i>=0; i--)
434 if (++seq[i]) break;
435
436 #ifdef MAC_DEBUG
437 printf("md=");
438 for (i=0; i<md_size; i++) printf("%02X ",md[i]);
439 printf("\n");
440 #endif
441
442 return(md_size);
443 }
444
445 int ssl3_generate_master_secret(s,out,p,len)
446 SSL *s;
447 unsigned char *out;
448 unsigned char *p;
449 int len;
450 {
451 static unsigned char *salt[3]={
452 (unsigned char *)"A",
453 (unsigned char *)"BB",
454 (unsigned char *)"CCC",
455 };
456 unsigned char buf[EVP_MAX_MD_SIZE];
457 EVP_MD_CTX ctx;
458 int i,ret=0;
459 unsigned int n;
460
461 for (i=0; i<3; i++)
462 {
463 EVP_DigestInit(&ctx,EVP_sha1());
464 EVP_DigestUpdate(&ctx,salt[i],strlen((char *)salt[i]));
465 EVP_DigestUpdate(&ctx,p,len);
466 EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
467 SSL3_RANDOM_SIZE);
468 EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
469 SSL3_RANDOM_SIZE);
470 EVP_DigestFinal(&ctx,buf,&n);
471
472 EVP_DigestInit(&ctx,EVP_md5());
473 EVP_DigestUpdate(&ctx,p,len);
474 EVP_DigestUpdate(&ctx,buf,n);
475 EVP_DigestFinal(&ctx,out,&n);
476 out+=n;
477 ret+=n;
478 }
479 return(ret);
480 }
481
A mirror of the official openssl repository