]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. | |
3 | * Copyright 2005 Nokia. All rights reserved. | |
4 | * | |
5 | * Licensed under the OpenSSL license (the "License"). You may not use | |
6 | * this file except in compliance with the License. You can obtain a copy | |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
9 | */ | |
10 | ||
11 | #include <stdio.h> | |
12 | #include "ssl_locl.h" | |
13 | #include <openssl/evp.h> | |
14 | #include <openssl/md5.h> | |
15 | #include "internal/cryptlib.h" | |
16 | ||
17 | static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) | |
18 | { | |
19 | EVP_MD_CTX *m5; | |
20 | EVP_MD_CTX *s1; | |
21 | unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; | |
22 | unsigned char c = 'A'; | |
23 | unsigned int i, j, k; | |
24 | int ret = 0; | |
25 | ||
26 | #ifdef CHARSET_EBCDIC | |
27 | c = os_toascii[c]; /* 'A' in ASCII */ | |
28 | #endif | |
29 | k = 0; | |
30 | m5 = EVP_MD_CTX_new(); | |
31 | s1 = EVP_MD_CTX_new(); | |
32 | if (m5 == NULL || s1 == NULL) { | |
33 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, | |
34 | ERR_R_MALLOC_FAILURE); | |
35 | goto err; | |
36 | } | |
37 | EVP_MD_CTX_set_flags(m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
38 | for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { | |
39 | k++; | |
40 | if (k > sizeof(buf)) { | |
41 | /* bug: 'buf' is too small for this ciphersuite */ | |
42 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, | |
43 | ERR_R_INTERNAL_ERROR); | |
44 | goto err; | |
45 | } | |
46 | ||
47 | for (j = 0; j < k; j++) | |
48 | buf[j] = c; | |
49 | c++; | |
50 | if (!EVP_DigestInit_ex(s1, EVP_sha1(), NULL) | |
51 | || !EVP_DigestUpdate(s1, buf, k) | |
52 | || !EVP_DigestUpdate(s1, s->session->master_key, | |
53 | s->session->master_key_length) | |
54 | || !EVP_DigestUpdate(s1, s->s3->server_random, SSL3_RANDOM_SIZE) | |
55 | || !EVP_DigestUpdate(s1, s->s3->client_random, SSL3_RANDOM_SIZE) | |
56 | || !EVP_DigestFinal_ex(s1, smd, NULL) | |
57 | || !EVP_DigestInit_ex(m5, EVP_md5(), NULL) | |
58 | || !EVP_DigestUpdate(m5, s->session->master_key, | |
59 | s->session->master_key_length) | |
60 | || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { | |
61 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, | |
62 | ERR_R_INTERNAL_ERROR); | |
63 | goto err; | |
64 | } | |
65 | if ((int)(i + MD5_DIGEST_LENGTH) > num) { | |
66 | if (!EVP_DigestFinal_ex(m5, smd, NULL)) { | |
67 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
68 | SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); | |
69 | goto err; | |
70 | } | |
71 | memcpy(km, smd, (num - i)); | |
72 | } else { | |
73 | if (!EVP_DigestFinal_ex(m5, km, NULL)) { | |
74 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
75 | SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); | |
76 | goto err; | |
77 | } | |
78 | } | |
79 | ||
80 | km += MD5_DIGEST_LENGTH; | |
81 | } | |
82 | OPENSSL_cleanse(smd, sizeof(smd)); | |
83 | ret = 1; | |
84 | err: | |
85 | EVP_MD_CTX_free(m5); | |
86 | EVP_MD_CTX_free(s1); | |
87 | return ret; | |
88 | } | |
89 | ||
90 | int ssl3_change_cipher_state(SSL *s, int which) | |
91 | { | |
92 | unsigned char *p, *mac_secret; | |
93 | unsigned char exp_key[EVP_MAX_KEY_LENGTH]; | |
94 | unsigned char exp_iv[EVP_MAX_IV_LENGTH]; | |
95 | unsigned char *ms, *key, *iv; | |
96 | EVP_CIPHER_CTX *dd; | |
97 | const EVP_CIPHER *c; | |
98 | #ifndef OPENSSL_NO_COMP | |
99 | COMP_METHOD *comp; | |
100 | #endif | |
101 | const EVP_MD *m; | |
102 | int mdi; | |
103 | size_t n, i, j, k, cl; | |
104 | int reuse_dd = 0; | |
105 | ||
106 | c = s->s3->tmp.new_sym_enc; | |
107 | m = s->s3->tmp.new_hash; | |
108 | /* m == NULL will lead to a crash later */ | |
109 | if (!ossl_assert(m != NULL)) { | |
110 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
111 | ERR_R_INTERNAL_ERROR); | |
112 | goto err; | |
113 | } | |
114 | #ifndef OPENSSL_NO_COMP | |
115 | if (s->s3->tmp.new_compression == NULL) | |
116 | comp = NULL; | |
117 | else | |
118 | comp = s->s3->tmp.new_compression->method; | |
119 | #endif | |
120 | ||
121 | if (which & SSL3_CC_READ) { | |
122 | if (s->enc_read_ctx != NULL) { | |
123 | reuse_dd = 1; | |
124 | } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { | |
125 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
126 | ERR_R_MALLOC_FAILURE); | |
127 | goto err; | |
128 | } else { | |
129 | /* | |
130 | * make sure it's initialised in case we exit later with an error | |
131 | */ | |
132 | EVP_CIPHER_CTX_reset(s->enc_read_ctx); | |
133 | } | |
134 | dd = s->enc_read_ctx; | |
135 | ||
136 | if (ssl_replace_hash(&s->read_hash, m) == NULL) { | |
137 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
138 | ERR_R_INTERNAL_ERROR); | |
139 | goto err; | |
140 | } | |
141 | #ifndef OPENSSL_NO_COMP | |
142 | /* COMPRESS */ | |
143 | COMP_CTX_free(s->expand); | |
144 | s->expand = NULL; | |
145 | if (comp != NULL) { | |
146 | s->expand = COMP_CTX_new(comp); | |
147 | if (s->expand == NULL) { | |
148 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
149 | SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
150 | SSL_R_COMPRESSION_LIBRARY_ERROR); | |
151 | goto err; | |
152 | } | |
153 | } | |
154 | #endif | |
155 | RECORD_LAYER_reset_read_sequence(&s->rlayer); | |
156 | mac_secret = &(s->s3->read_mac_secret[0]); | |
157 | } else { | |
158 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; | |
159 | if (s->enc_write_ctx != NULL) { | |
160 | reuse_dd = 1; | |
161 | } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { | |
162 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
163 | ERR_R_MALLOC_FAILURE); | |
164 | goto err; | |
165 | } else { | |
166 | /* | |
167 | * make sure it's initialised in case we exit later with an error | |
168 | */ | |
169 | EVP_CIPHER_CTX_reset(s->enc_write_ctx); | |
170 | } | |
171 | dd = s->enc_write_ctx; | |
172 | if (ssl_replace_hash(&s->write_hash, m) == NULL) { | |
173 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
174 | ERR_R_MALLOC_FAILURE); | |
175 | goto err; | |
176 | } | |
177 | #ifndef OPENSSL_NO_COMP | |
178 | /* COMPRESS */ | |
179 | COMP_CTX_free(s->compress); | |
180 | s->compress = NULL; | |
181 | if (comp != NULL) { | |
182 | s->compress = COMP_CTX_new(comp); | |
183 | if (s->compress == NULL) { | |
184 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
185 | SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
186 | SSL_R_COMPRESSION_LIBRARY_ERROR); | |
187 | goto err; | |
188 | } | |
189 | } | |
190 | #endif | |
191 | RECORD_LAYER_reset_write_sequence(&s->rlayer); | |
192 | mac_secret = &(s->s3->write_mac_secret[0]); | |
193 | } | |
194 | ||
195 | if (reuse_dd) | |
196 | EVP_CIPHER_CTX_reset(dd); | |
197 | ||
198 | p = s->s3->tmp.key_block; | |
199 | mdi = EVP_MD_size(m); | |
200 | if (mdi < 0) { | |
201 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
202 | ERR_R_INTERNAL_ERROR); | |
203 | goto err; | |
204 | } | |
205 | i = mdi; | |
206 | cl = EVP_CIPHER_key_length(c); | |
207 | j = cl; | |
208 | k = EVP_CIPHER_iv_length(c); | |
209 | if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | |
210 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { | |
211 | ms = &(p[0]); | |
212 | n = i + i; | |
213 | key = &(p[n]); | |
214 | n += j + j; | |
215 | iv = &(p[n]); | |
216 | n += k + k; | |
217 | } else { | |
218 | n = i; | |
219 | ms = &(p[n]); | |
220 | n += i + j; | |
221 | key = &(p[n]); | |
222 | n += j + k; | |
223 | iv = &(p[n]); | |
224 | n += k; | |
225 | } | |
226 | ||
227 | if (n > s->s3->tmp.key_block_length) { | |
228 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
229 | ERR_R_INTERNAL_ERROR); | |
230 | goto err; | |
231 | } | |
232 | ||
233 | memcpy(mac_secret, ms, i); | |
234 | ||
235 | if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { | |
236 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
237 | ERR_R_INTERNAL_ERROR); | |
238 | goto err; | |
239 | } | |
240 | ||
241 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; | |
242 | OPENSSL_cleanse(exp_key, sizeof(exp_key)); | |
243 | OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); | |
244 | return 1; | |
245 | err: | |
246 | OPENSSL_cleanse(exp_key, sizeof(exp_key)); | |
247 | OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); | |
248 | return 0; | |
249 | } | |
250 | ||
251 | int ssl3_setup_key_block(SSL *s) | |
252 | { | |
253 | unsigned char *p; | |
254 | const EVP_CIPHER *c; | |
255 | const EVP_MD *hash; | |
256 | int num; | |
257 | int ret = 0; | |
258 | SSL_COMP *comp; | |
259 | ||
260 | if (s->s3->tmp.key_block_length != 0) | |
261 | return 1; | |
262 | ||
263 | if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) { | |
264 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, | |
265 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | |
266 | return 0; | |
267 | } | |
268 | ||
269 | s->s3->tmp.new_sym_enc = c; | |
270 | s->s3->tmp.new_hash = hash; | |
271 | #ifdef OPENSSL_NO_COMP | |
272 | s->s3->tmp.new_compression = NULL; | |
273 | #else | |
274 | s->s3->tmp.new_compression = comp; | |
275 | #endif | |
276 | ||
277 | num = EVP_MD_size(hash); | |
278 | if (num < 0) | |
279 | return 0; | |
280 | ||
281 | num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); | |
282 | num *= 2; | |
283 | ||
284 | ssl3_cleanup_key_block(s); | |
285 | ||
286 | if ((p = OPENSSL_malloc(num)) == NULL) { | |
287 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, | |
288 | ERR_R_MALLOC_FAILURE); | |
289 | return 0; | |
290 | } | |
291 | ||
292 | s->s3->tmp.key_block_length = num; | |
293 | s->s3->tmp.key_block = p; | |
294 | ||
295 | /* Calls SSLfatal() as required */ | |
296 | ret = ssl3_generate_key_block(s, p, num); | |
297 | ||
298 | if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { | |
299 | /* | |
300 | * enable vulnerability countermeasure for CBC ciphers with known-IV | |
301 | * problem (http://www.openssl.org/~bodo/tls-cbc.txt) | |
302 | */ | |
303 | s->s3->need_empty_fragments = 1; | |
304 | ||
305 | if (s->session->cipher != NULL) { | |
306 | if (s->session->cipher->algorithm_enc == SSL_eNULL) | |
307 | s->s3->need_empty_fragments = 0; | |
308 | ||
309 | #ifndef OPENSSL_NO_RC4 | |
310 | if (s->session->cipher->algorithm_enc == SSL_RC4) | |
311 | s->s3->need_empty_fragments = 0; | |
312 | #endif | |
313 | } | |
314 | } | |
315 | ||
316 | return ret; | |
317 | } | |
318 | ||
319 | void ssl3_cleanup_key_block(SSL *s) | |
320 | { | |
321 | OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length); | |
322 | s->s3->tmp.key_block = NULL; | |
323 | s->s3->tmp.key_block_length = 0; | |
324 | } | |
325 | ||
326 | int ssl3_init_finished_mac(SSL *s) | |
327 | { | |
328 | BIO *buf = BIO_new(BIO_s_mem()); | |
329 | ||
330 | if (buf == NULL) { | |
331 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_INIT_FINISHED_MAC, | |
332 | ERR_R_MALLOC_FAILURE); | |
333 | return 0; | |
334 | } | |
335 | ssl3_free_digest_list(s); | |
336 | s->s3->handshake_buffer = buf; | |
337 | (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); | |
338 | return 1; | |
339 | } | |
340 | ||
341 | /* | |
342 | * Free digest list. Also frees handshake buffer since they are always freed | |
343 | * together. | |
344 | */ | |
345 | ||
346 | void ssl3_free_digest_list(SSL *s) | |
347 | { | |
348 | BIO_free(s->s3->handshake_buffer); | |
349 | s->s3->handshake_buffer = NULL; | |
350 | EVP_MD_CTX_free(s->s3->handshake_dgst); | |
351 | s->s3->handshake_dgst = NULL; | |
352 | } | |
353 | ||
354 | int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len) | |
355 | { | |
356 | int ret; | |
357 | ||
358 | if (s->s3->handshake_dgst == NULL) { | |
359 | /* Note: this writes to a memory BIO so a failure is a fatal error */ | |
360 | if (len > INT_MAX) { | |
361 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, | |
362 | SSL_R_OVERFLOW_ERROR); | |
363 | return 0; | |
364 | } | |
365 | ret = BIO_write(s->s3->handshake_buffer, (void *)buf, (int)len); | |
366 | if (ret <= 0 || ret != (int)len) { | |
367 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, | |
368 | ERR_R_INTERNAL_ERROR); | |
369 | return 0; | |
370 | } | |
371 | } else { | |
372 | ret = EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); | |
373 | if (!ret) { | |
374 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, | |
375 | ERR_R_INTERNAL_ERROR); | |
376 | return 0; | |
377 | } | |
378 | } | |
379 | return 1; | |
380 | } | |
381 | ||
382 | int ssl3_digest_cached_records(SSL *s, int keep) | |
383 | { | |
384 | const EVP_MD *md; | |
385 | long hdatalen; | |
386 | void *hdata; | |
387 | ||
388 | if (s->s3->handshake_dgst == NULL) { | |
389 | hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); | |
390 | if (hdatalen <= 0) { | |
391 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, | |
392 | SSL_R_BAD_HANDSHAKE_LENGTH); | |
393 | return 0; | |
394 | } | |
395 | ||
396 | s->s3->handshake_dgst = EVP_MD_CTX_new(); | |
397 | if (s->s3->handshake_dgst == NULL) { | |
398 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, | |
399 | ERR_R_MALLOC_FAILURE); | |
400 | return 0; | |
401 | } | |
402 | ||
403 | md = ssl_handshake_md(s); | |
404 | if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL) | |
405 | || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) { | |
406 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, | |
407 | ERR_R_INTERNAL_ERROR); | |
408 | return 0; | |
409 | } | |
410 | } | |
411 | if (keep == 0) { | |
412 | BIO_free(s->s3->handshake_buffer); | |
413 | s->s3->handshake_buffer = NULL; | |
414 | } | |
415 | ||
416 | return 1; | |
417 | } | |
418 | ||
419 | size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, | |
420 | unsigned char *p) | |
421 | { | |
422 | int ret; | |
423 | EVP_MD_CTX *ctx = NULL; | |
424 | ||
425 | if (!ssl3_digest_cached_records(s, 0)) { | |
426 | /* SSLfatal() already called */ | |
427 | return 0; | |
428 | } | |
429 | ||
430 | if (EVP_MD_CTX_type(s->s3->handshake_dgst) != NID_md5_sha1) { | |
431 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, | |
432 | SSL_R_NO_REQUIRED_DIGEST); | |
433 | return 0; | |
434 | } | |
435 | ||
436 | ctx = EVP_MD_CTX_new(); | |
437 | if (ctx == NULL) { | |
438 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, | |
439 | ERR_R_MALLOC_FAILURE); | |
440 | return 0; | |
441 | } | |
442 | if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { | |
443 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, | |
444 | ERR_R_INTERNAL_ERROR); | |
445 | ret = 0; | |
446 | goto err; | |
447 | } | |
448 | ||
449 | ret = EVP_MD_CTX_size(ctx); | |
450 | if (ret < 0) { | |
451 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, | |
452 | ERR_R_INTERNAL_ERROR); | |
453 | ret = 0; | |
454 | goto err; | |
455 | } | |
456 | ||
457 | if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) | |
458 | || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, | |
459 | (int)s->session->master_key_length, | |
460 | s->session->master_key) <= 0 | |
461 | || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { | |
462 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, | |
463 | ERR_R_INTERNAL_ERROR); | |
464 | ret = 0; | |
465 | } | |
466 | ||
467 | err: | |
468 | EVP_MD_CTX_free(ctx); | |
469 | ||
470 | return ret; | |
471 | } | |
472 | ||
473 | int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, | |
474 | size_t len, size_t *secret_size) | |
475 | { | |
476 | static const unsigned char *salt[3] = { | |
477 | #ifndef CHARSET_EBCDIC | |
478 | (const unsigned char *)"A", | |
479 | (const unsigned char *)"BB", | |
480 | (const unsigned char *)"CCC", | |
481 | #else | |
482 | (const unsigned char *)"\x41", | |
483 | (const unsigned char *)"\x42\x42", | |
484 | (const unsigned char *)"\x43\x43\x43", | |
485 | #endif | |
486 | }; | |
487 | unsigned char buf[EVP_MAX_MD_SIZE]; | |
488 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); | |
489 | int i, ret = 1; | |
490 | unsigned int n; | |
491 | size_t ret_secret_size = 0; | |
492 | ||
493 | if (ctx == NULL) { | |
494 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_MASTER_SECRET, | |
495 | ERR_R_MALLOC_FAILURE); | |
496 | return 0; | |
497 | } | |
498 | for (i = 0; i < 3; i++) { | |
499 | if (EVP_DigestInit_ex(ctx, s->ctx->sha1, NULL) <= 0 | |
500 | || EVP_DigestUpdate(ctx, salt[i], | |
501 | strlen((const char *)salt[i])) <= 0 | |
502 | || EVP_DigestUpdate(ctx, p, len) <= 0 | |
503 | || EVP_DigestUpdate(ctx, &(s->s3->client_random[0]), | |
504 | SSL3_RANDOM_SIZE) <= 0 | |
505 | || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]), | |
506 | SSL3_RANDOM_SIZE) <= 0 | |
507 | /* TODO(size_t) : convert me */ | |
508 | || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 | |
509 | || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0 | |
510 | || EVP_DigestUpdate(ctx, p, len) <= 0 | |
511 | || EVP_DigestUpdate(ctx, buf, n) <= 0 | |
512 | || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { | |
513 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
514 | SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); | |
515 | ret = 0; | |
516 | break; | |
517 | } | |
518 | out += n; | |
519 | ret_secret_size += n; | |
520 | } | |
521 | EVP_MD_CTX_free(ctx); | |
522 | ||
523 | OPENSSL_cleanse(buf, sizeof(buf)); | |
524 | if (ret) | |
525 | *secret_size = ret_secret_size; | |
526 | return ret; | |
527 | } | |
528 | ||
529 | int ssl3_alert_code(int code) | |
530 | { | |
531 | switch (code) { | |
532 | case SSL_AD_CLOSE_NOTIFY: | |
533 | return SSL3_AD_CLOSE_NOTIFY; | |
534 | case SSL_AD_UNEXPECTED_MESSAGE: | |
535 | return SSL3_AD_UNEXPECTED_MESSAGE; | |
536 | case SSL_AD_BAD_RECORD_MAC: | |
537 | return SSL3_AD_BAD_RECORD_MAC; | |
538 | case SSL_AD_DECRYPTION_FAILED: | |
539 | return SSL3_AD_BAD_RECORD_MAC; | |
540 | case SSL_AD_RECORD_OVERFLOW: | |
541 | return SSL3_AD_BAD_RECORD_MAC; | |
542 | case SSL_AD_DECOMPRESSION_FAILURE: | |
543 | return SSL3_AD_DECOMPRESSION_FAILURE; | |
544 | case SSL_AD_HANDSHAKE_FAILURE: | |
545 | return SSL3_AD_HANDSHAKE_FAILURE; | |
546 | case SSL_AD_NO_CERTIFICATE: | |
547 | return SSL3_AD_NO_CERTIFICATE; | |
548 | case SSL_AD_BAD_CERTIFICATE: | |
549 | return SSL3_AD_BAD_CERTIFICATE; | |
550 | case SSL_AD_UNSUPPORTED_CERTIFICATE: | |
551 | return SSL3_AD_UNSUPPORTED_CERTIFICATE; | |
552 | case SSL_AD_CERTIFICATE_REVOKED: | |
553 | return SSL3_AD_CERTIFICATE_REVOKED; | |
554 | case SSL_AD_CERTIFICATE_EXPIRED: | |
555 | return SSL3_AD_CERTIFICATE_EXPIRED; | |
556 | case SSL_AD_CERTIFICATE_UNKNOWN: | |
557 | return SSL3_AD_CERTIFICATE_UNKNOWN; | |
558 | case SSL_AD_ILLEGAL_PARAMETER: | |
559 | return SSL3_AD_ILLEGAL_PARAMETER; | |
560 | case SSL_AD_UNKNOWN_CA: | |
561 | return SSL3_AD_BAD_CERTIFICATE; | |
562 | case SSL_AD_ACCESS_DENIED: | |
563 | return SSL3_AD_HANDSHAKE_FAILURE; | |
564 | case SSL_AD_DECODE_ERROR: | |
565 | return SSL3_AD_HANDSHAKE_FAILURE; | |
566 | case SSL_AD_DECRYPT_ERROR: | |
567 | return SSL3_AD_HANDSHAKE_FAILURE; | |
568 | case SSL_AD_EXPORT_RESTRICTION: | |
569 | return SSL3_AD_HANDSHAKE_FAILURE; | |
570 | case SSL_AD_PROTOCOL_VERSION: | |
571 | return SSL3_AD_HANDSHAKE_FAILURE; | |
572 | case SSL_AD_INSUFFICIENT_SECURITY: | |
573 | return SSL3_AD_HANDSHAKE_FAILURE; | |
574 | case SSL_AD_INTERNAL_ERROR: | |
575 | return SSL3_AD_HANDSHAKE_FAILURE; | |
576 | case SSL_AD_USER_CANCELLED: | |
577 | return SSL3_AD_HANDSHAKE_FAILURE; | |
578 | case SSL_AD_NO_RENEGOTIATION: | |
579 | return -1; /* Don't send it :-) */ | |
580 | case SSL_AD_UNSUPPORTED_EXTENSION: | |
581 | return SSL3_AD_HANDSHAKE_FAILURE; | |
582 | case SSL_AD_CERTIFICATE_UNOBTAINABLE: | |
583 | return SSL3_AD_HANDSHAKE_FAILURE; | |
584 | case SSL_AD_UNRECOGNIZED_NAME: | |
585 | return SSL3_AD_HANDSHAKE_FAILURE; | |
586 | case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: | |
587 | return SSL3_AD_HANDSHAKE_FAILURE; | |
588 | case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: | |
589 | return SSL3_AD_HANDSHAKE_FAILURE; | |
590 | case SSL_AD_UNKNOWN_PSK_IDENTITY: | |
591 | return TLS1_AD_UNKNOWN_PSK_IDENTITY; | |
592 | case SSL_AD_INAPPROPRIATE_FALLBACK: | |
593 | return TLS1_AD_INAPPROPRIATE_FALLBACK; | |
594 | case SSL_AD_NO_APPLICATION_PROTOCOL: | |
595 | return TLS1_AD_NO_APPLICATION_PROTOCOL; | |
596 | case SSL_AD_CERTIFICATE_REQUIRED: | |
597 | return SSL_AD_HANDSHAKE_FAILURE; | |
598 | default: | |
599 | return -1; | |
600 | } | |
601 | } |