]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/s3_enc.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Remove struct ccs_header_st
[thirdparty/openssl.git] / ssl / s3_enc.c
CommitLineData
d02b48c6 1/* ssl/s3_enc.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 8 *
d02b48c6
RE		 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 15 *
d02b48c6
RE		 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
0f113f3e 22 *
d02b48c6
RE		 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
0f113f3e 37 * 4. If you include any Windows specific code (or a derivative thereof) from
d02b48c6
RE		 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 40 *
d02b48c6
RE		 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
0f113f3e 52 *
d02b48c6
RE		 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
82b0bf0b 58/* ====================================================================
52b8dad8 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
82b0bf0b
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
0f113f3e 66 * notice, this list of conditions and the following disclaimer.
82b0bf0b
BM		 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ddac1974
NL		 111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
d02b48c6
RE		 137
138#include <stdio.h>
d02b48c6 139#include "ssl_locl.h"
7b63c0fa 140#include <openssl/evp.h>
dbad1690 141#include <openssl/md5.h>
d02b48c6 142
0f113f3e
MC		 143static const unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150};
151
152static const unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159};
160
81025661 161static int ssl3_handshake_mac(SSL *s, int md_nid,
0f113f3e 162 const char *sender, int len, unsigned char *p);
027e257b 163static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
0f113f3e
MC		 164{
165 EVP_MD_CTX m5;
166 EVP_MD_CTX s1;
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
58964a49 170
ca570cfd 171#ifdef CHARSET_EBCDIC
0f113f3e 172 c = os_toascii[c]; /* 'A' in ASCII */
ca570cfd 173#endif
0f113f3e
MC		 174 k = 0;
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179 k++;
180 if (k > sizeof buf) {
181 /* bug: 'buf' is too small for this ciphersuite */
182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
183 return 0;
184 }
185
186 for (j = 0; j < k; j++)
187 buf[j] = c;
188 c++;
189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190 EVP_DigestUpdate(&s1, buf, k);
191 EVP_DigestUpdate(&s1, s->session->master_key,
192 s->session->master_key_length);
193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195 EVP_DigestFinal_ex(&s1, smd, NULL);
196
197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198 EVP_DigestUpdate(&m5, s->session->master_key,
199 s->session->master_key_length);
200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 EVP_DigestFinal_ex(&m5, smd, NULL);
203 memcpy(km, smd, (num - i));
204 } else
205 EVP_DigestFinal_ex(&m5, km, NULL);
206
207 km += MD5_DIGEST_LENGTH;
208 }
209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210 EVP_MD_CTX_cleanup(&m5);
211 EVP_MD_CTX_cleanup(&s1);
212 return 1;
213}
58964a49 214
6b691a5c 215int ssl3_change_cipher_state(SSL *s, int which)
0f113f3e
MC		 216{
217 unsigned char *p, *mac_secret;
218 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220 unsigned char *ms, *key, *iv, *er1, *er2;
221 EVP_CIPHER_CTX *dd;
222 const EVP_CIPHER *c;
09b6c2ef 223#ifndef OPENSSL_NO_COMP
0f113f3e 224 COMP_METHOD *comp;
09b6c2ef 225#endif
0f113f3e
MC		 226 const EVP_MD *m;
227 EVP_MD_CTX md;
228 int is_exp, n, i, j, k, cl;
229 int reuse_dd = 0;
230
231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232 c = s->s3->tmp.new_sym_enc;
233 m = s->s3->tmp.new_hash;
234 /* m == NULL will lead to a crash later */
235 OPENSSL_assert(m);
09b6c2ef 236#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 237 if (s->s3->tmp.new_compression == NULL)
238 comp = NULL;
239 else
240 comp = s->s3->tmp.new_compression->method;
09b6c2ef 241#endif
d02b48c6 242
0f113f3e
MC		 243 if (which & SSL3_CC_READ) {
244 if (s->enc_read_ctx != NULL)
245 reuse_dd = 1;
246 else if ((s->enc_read_ctx =
b4faea50 247 OPENSSL_malloc(sizeof(*s->enc_read_ctx))) == NULL)
0f113f3e
MC		 248 goto err;
249 else
250 /*
251 * make sure it's intialized in case we exit later with an error
252 */
253 EVP_CIPHER_CTX_init(s->enc_read_ctx);
254 dd = s->enc_read_ctx;
255
61986d32 256 if (!ssl_replace_hash(&s->read_hash, m)) {
69f68237
MC		 257 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
258 goto err2;
259 }
09b6c2ef 260#ifndef OPENSSL_NO_COMP
0f113f3e 261 /* COMPRESS */
efa7dd64
RS		 262 COMP_CTX_free(s->expand);
263 s->expand = NULL;
0f113f3e
MC		 264 if (comp != NULL) {
265 s->expand = COMP_CTX_new(comp);
266 if (s->expand == NULL) {
267 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
268 SSL_R_COMPRESSION_LIBRARY_ERROR);
269 goto err2;
270 }
61986d32 271 if (!RECORD_LAYER_setup_comp_buffer(&s->rlayer))
0f113f3e
MC		 272 goto err;
273 }
09b6c2ef 274#endif
de07f311 275 RECORD_LAYER_reset_read_sequence(&s->rlayer);
0f113f3e
MC		 276 mac_secret = &(s->s3->read_mac_secret[0]);
277 } else {
278 if (s->enc_write_ctx != NULL)
279 reuse_dd = 1;
280 else if ((s->enc_write_ctx =
b4faea50 281 OPENSSL_malloc(sizeof(*s->enc_write_ctx))) == NULL)
0f113f3e
MC		 282 goto err;
283 else
284 /*
285 * make sure it's intialized in case we exit later with an error
286 */
287 EVP_CIPHER_CTX_init(s->enc_write_ctx);
288 dd = s->enc_write_ctx;
61986d32 289 if (!ssl_replace_hash(&s->write_hash, m)) {
69f68237
MC		 290 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
291 goto err2;
292 }
09b6c2ef 293#ifndef OPENSSL_NO_COMP
0f113f3e 294 /* COMPRESS */
efa7dd64
RS		 295 COMP_CTX_free(s->compress);
296 s->compress = NULL;
0f113f3e
MC		 297 if (comp != NULL) {
298 s->compress = COMP_CTX_new(comp);
299 if (s->compress == NULL) {
300 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
301 SSL_R_COMPRESSION_LIBRARY_ERROR);
302 goto err2;
303 }
304 }
09b6c2ef 305#endif
de07f311 306 RECORD_LAYER_reset_write_sequence(&s->rlayer);
0f113f3e
MC		 307 mac_secret = &(s->s3->write_mac_secret[0]);
308 }
309
310 if (reuse_dd)
311 EVP_CIPHER_CTX_cleanup(dd);
312
313 p = s->s3->tmp.key_block;
314 i = EVP_MD_size(m);
315 if (i < 0)
316 goto err2;
317 cl = EVP_CIPHER_key_length(c);
318 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
319 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
320 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
321 k = EVP_CIPHER_iv_length(c);
322 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
323 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
324 ms = &(p[0]);
325 n = i + i;
326 key = &(p[n]);
327 n += j + j;
328 iv = &(p[n]);
329 n += k + k;
330 er1 = &(s->s3->client_random[0]);
331 er2 = &(s->s3->server_random[0]);
332 } else {
333 n = i;
334 ms = &(p[n]);
335 n += i + j;
336 key = &(p[n]);
337 n += j + k;
338 iv = &(p[n]);
339 n += k;
340 er1 = &(s->s3->server_random[0]);
341 er2 = &(s->s3->client_random[0]);
342 }
343
344 if (n > s->s3->tmp.key_block_length) {
345 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
346 goto err2;
347 }
348
349 EVP_MD_CTX_init(&md);
350 memcpy(mac_secret, ms, i);
351 if (is_exp) {
352 /*
353 * In here I set both the read and write key/iv to the same value
354 * since only the correct one will be used :-).
355 */
356 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
357 EVP_DigestUpdate(&md, key, j);
358 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
359 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
360 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
361 key = &(exp_key[0]);
362
363 if (k > 0) {
364 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
365 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
366 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
367 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
368 iv = &(exp_iv[0]);
369 }
370 }
371
372 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
58964a49 373
1cf218bc 374#ifdef OPENSSL_SSL_TRACE_CRYPTO
0f113f3e
MC		 375 if (s->msg_callback) {
376
377 int wh = which & SSL3_CC_WRITE ?
378 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
379 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
380 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
381 if (c->key_len)
382 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
383 key, c->key_len, s, s->msg_callback_arg);
384 if (k) {
385 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
386 iv, k, s, s->msg_callback_arg);
387 }
388 }
1cf218bc
DSH		 389#endif
390
0f113f3e
MC		 391 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
392 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
393 EVP_MD_CTX_cleanup(&md);
394 return (1);
395 err:
396 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
397 err2:
398 return (0);
399}
d02b48c6 400
6b691a5c 401int ssl3_setup_key_block(SSL *s)
0f113f3e
MC		 402{
403 unsigned char *p;
404 const EVP_CIPHER *c;
405 const EVP_MD *hash;
406 int num;
407 int ret = 0;
408 SSL_COMP *comp;
409
410 if (s->s3->tmp.key_block_length != 0)
411 return (1);
412
413 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) {
414 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
415 return (0);
416 }
417
418 s->s3->tmp.new_sym_enc = c;
419 s->s3->tmp.new_hash = hash;
09b6c2ef 420#ifdef OPENSSL_NO_COMP
0f113f3e 421 s->s3->tmp.new_compression = NULL;
09b6c2ef 422#else
0f113f3e 423 s->s3->tmp.new_compression = comp;
09b6c2ef 424#endif
d02b48c6 425
0f113f3e
MC		 426 num = EVP_MD_size(hash);
427 if (num < 0)
428 return 0;
429
430 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
431 num *= 2;
0eab41fb 432
0f113f3e 433 ssl3_cleanup_key_block(s);
d02b48c6 434
0f113f3e
MC		 435 if ((p = OPENSSL_malloc(num)) == NULL)
436 goto err;
d02b48c6 437
0f113f3e
MC		 438 s->s3->tmp.key_block_length = num;
439 s->s3->tmp.key_block = p;
d02b48c6 440
0f113f3e 441 ret = ssl3_generate_key_block(s, p, num);
d02b48c6 442
0f113f3e
MC		 443 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
444 /*
445 * enable vulnerability countermeasure for CBC ciphers with known-IV
446 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
447 */
448 s->s3->need_empty_fragments = 1;
82b0bf0b 449
0f113f3e
MC		 450 if (s->session->cipher != NULL) {
451 if (s->session->cipher->algorithm_enc == SSL_eNULL)
452 s->s3->need_empty_fragments = 0;
c21506ba 453
82b0bf0b 454#ifndef OPENSSL_NO_RC4
0f113f3e
MC		 455 if (s->session->cipher->algorithm_enc == SSL_RC4)
456 s->s3->need_empty_fragments = 0;
82b0bf0b 457#endif
0f113f3e
MC		 458 }
459 }
d02b48c6 460
0f113f3e
MC		 461 return ret;
462
463 err:
464 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
465 return (0);
466}
d02b48c6 467
6b691a5c 468void ssl3_cleanup_key_block(SSL *s)
0f113f3e 469{
4b45c6e5
RS		 470 OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
471 s->s3->tmp.key_block = NULL;
0f113f3e
MC		 472 s->s3->tmp.key_block_length = 0;
473}
d02b48c6 474
6b691a5c 475void ssl3_init_finished_mac(SSL *s)
0f113f3e 476{
ca3a82c3 477 BIO_free(s->s3->handshake_buffer);
0f113f3e
MC		 478 if (s->s3->handshake_dgst)
479 ssl3_free_digest_list(s);
480 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
481 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
482}
483
484void ssl3_free_digest_list(SSL *s)
485{
486 int i;
487 if (!s->s3->handshake_dgst)
488 return;
489 for (i = 0; i < SSL_MAX_DIGEST; i++) {
490 if (s->s3->handshake_dgst[i])
491 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
492 }
493 OPENSSL_free(s->s3->handshake_dgst);
494 s->s3->handshake_dgst = NULL;
495}
81025661 496
6b691a5c 497void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
0f113f3e
MC		 498{
499 if (s->s3->handshake_buffer
500 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
501 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
502 } else {
503 int i;
504 for (i = 0; i < SSL_MAX_DIGEST; i++) {
505 if (s->s3->handshake_dgst[i] != NULL)
506 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
507 }
508 }
509}
6ba71a71
BL		 510
511int ssl3_digest_cached_records(SSL *s)
0f113f3e
MC		 512{
513 int i;
514 long mask;
515 const EVP_MD *md;
516 long hdatalen;
517 void *hdata;
518
519 /* Allocate handshake_dgst array */
520 ssl3_free_digest_list(s);
521 s->s3->handshake_dgst =
16f8d4eb 522 OPENSSL_malloc(sizeof(*s->s3->handshake_dgst) * SSL_MAX_DIGEST);
0f113f3e
MC		 523 if (s->s3->handshake_dgst == NULL) {
524 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
525 return 0;
526 }
16f8d4eb
RS		 527 memset(s->s3->handshake_dgst, 0,
528 sizeof(*s->s3->handshake_dgst) * SSL_MAX_DIGEST);
0f113f3e
MC		 529 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
530 if (hdatalen <= 0) {
531 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
532 return 0;
533 }
534
535 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
536 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
537 if ((mask & ssl_get_algorithm2(s)) && md) {
538 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
539 if (EVP_MD_nid(md) == NID_md5) {
540 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
541 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
542 }
543 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
544 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
545 } else {
546 s->s3->handshake_dgst[i] = NULL;
547 }
548 }
549 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
550 /* Free handshake_buffer BIO */
551 BIO_free(s->s3->handshake_buffer);
552 s->s3->handshake_buffer = NULL;
553 }
554
555 return 1;
556}
6ba71a71 557
81025661 558int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
0f113f3e
MC		 559{
560 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
561}
562
563int ssl3_final_finish_mac(SSL *s,
564 const char *sender, int len, unsigned char *p)
565{
566 int ret, sha1len;
567 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
568 if (ret == 0)
569 return 0;
570
571 p += ret;
572
573 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
574 if (sha1len == 0)
575 return 0;
576
577 ret += sha1len;
578 return (ret);
579}
580
81025661 581static int ssl3_handshake_mac(SSL *s, int md_nid,
0f113f3e
MC		 582 const char *sender, int len, unsigned char *p)
583{
584 unsigned int ret;
585 int npad, n;
586 unsigned int i;
587 unsigned char md_buf[EVP_MAX_MD_SIZE];
588 EVP_MD_CTX ctx, *d = NULL;
589
590 if (s->s3->handshake_buffer)
591 if (!ssl3_digest_cached_records(s))
592 return 0;
593
594 /*
595 * Search for digest of specified type in the handshake_dgst array
596 */
597 for (i = 0; i < SSL_MAX_DIGEST; i++) {
598 if (s->s3->handshake_dgst[i]
599 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
600 d = s->s3->handshake_dgst[i];
601 break;
602 }
603 }
604 if (!d) {
605 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
606 return 0;
607 }
608 EVP_MD_CTX_init(&ctx);
609 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
610 EVP_MD_CTX_copy_ex(&ctx, d);
611 n = EVP_MD_CTX_size(&ctx);
612 if (n < 0)
613 return 0;
614
615 npad = (48 / n) * n;
616 if (sender != NULL)
617 EVP_DigestUpdate(&ctx, sender, len);
618 EVP_DigestUpdate(&ctx, s->session->master_key,
619 s->session->master_key_length);
620 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
621 EVP_DigestFinal_ex(&ctx, md_buf, &i);
622
623 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
624 EVP_DigestUpdate(&ctx, s->session->master_key,
625 s->session->master_key_length);
626 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
627 EVP_DigestUpdate(&ctx, md_buf, i);
628 EVP_DigestFinal_ex(&ctx, p, &ret);
629
630 EVP_MD_CTX_cleanup(&ctx);
631
632 return ((int)ret);
633}
d02b48c6 634
6b691a5c 635int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
0f113f3e
MC		 636 int len)
637{
638 static const unsigned char *salt[3] = {
ca570cfd 639#ifndef CHARSET_EBCDIC
0f113f3e
MC		 640 (const unsigned char *)"A",
641 (const unsigned char *)"BB",
642 (const unsigned char *)"CCC",
ca570cfd 643#else
0f113f3e
MC		 644 (const unsigned char *)"\x41",
645 (const unsigned char *)"\x42\x42",
646 (const unsigned char *)"\x43\x43\x43",
ca570cfd 647#endif
0f113f3e
MC		 648 };
649 unsigned char buf[EVP_MAX_MD_SIZE];
650 EVP_MD_CTX ctx;
651 int i, ret = 0;
652 unsigned int n;
81f57e5a 653#ifdef OPENSSL_SSL_TRACE_CRYPTO
0f113f3e 654 unsigned char *tmpout = out;
1cf218bc 655#endif
d02b48c6 656
0f113f3e
MC		 657 EVP_MD_CTX_init(&ctx);
658 for (i = 0; i < 3; i++) {
659 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
660 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
661 EVP_DigestUpdate(&ctx, p, len);
662 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
663 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
664 EVP_DigestFinal_ex(&ctx, buf, &n);
665
666 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
667 EVP_DigestUpdate(&ctx, p, len);
668 EVP_DigestUpdate(&ctx, buf, n);
669 EVP_DigestFinal_ex(&ctx, out, &n);
670 out += n;
671 ret += n;
672 }
673 EVP_MD_CTX_cleanup(&ctx);
1cf218bc 674
81f57e5a 675#ifdef OPENSSL_SSL_TRACE_CRYPTO
0f113f3e
MC		 676 if (s->msg_callback) {
677 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
678 p, len, s, s->msg_callback_arg);
679 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
680 s->s3->client_random, SSL3_RANDOM_SIZE,
681 s, s->msg_callback_arg);
682 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
683 s->s3->server_random, SSL3_RANDOM_SIZE,
684 s, s->msg_callback_arg);
685 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
686 tmpout, SSL3_MASTER_SECRET_SIZE,
687 s, s->msg_callback_arg);
688 }
1cf218bc 689#endif
c9dd49a7 690 OPENSSL_cleanse(buf, sizeof buf);
0f113f3e
MC		 691 return (ret);
692}
d02b48c6 693
6b691a5c 694int ssl3_alert_code(int code)
0f113f3e
MC		 695{
696 switch (code) {
697 case SSL_AD_CLOSE_NOTIFY:
698 return (SSL3_AD_CLOSE_NOTIFY);
699 case SSL_AD_UNEXPECTED_MESSAGE:
700 return (SSL3_AD_UNEXPECTED_MESSAGE);
701 case SSL_AD_BAD_RECORD_MAC:
702 return (SSL3_AD_BAD_RECORD_MAC);
703 case SSL_AD_DECRYPTION_FAILED:
704 return (SSL3_AD_BAD_RECORD_MAC);
705 case SSL_AD_RECORD_OVERFLOW:
706 return (SSL3_AD_BAD_RECORD_MAC);
707 case SSL_AD_DECOMPRESSION_FAILURE:
708 return (SSL3_AD_DECOMPRESSION_FAILURE);
709 case SSL_AD_HANDSHAKE_FAILURE:
710 return (SSL3_AD_HANDSHAKE_FAILURE);
711 case SSL_AD_NO_CERTIFICATE:
712 return (SSL3_AD_NO_CERTIFICATE);
713 case SSL_AD_BAD_CERTIFICATE:
714 return (SSL3_AD_BAD_CERTIFICATE);
715 case SSL_AD_UNSUPPORTED_CERTIFICATE:
716 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
717 case SSL_AD_CERTIFICATE_REVOKED:
718 return (SSL3_AD_CERTIFICATE_REVOKED);
719 case SSL_AD_CERTIFICATE_EXPIRED:
720 return (SSL3_AD_CERTIFICATE_EXPIRED);
721 case SSL_AD_CERTIFICATE_UNKNOWN:
722 return (SSL3_AD_CERTIFICATE_UNKNOWN);
723 case SSL_AD_ILLEGAL_PARAMETER:
724 return (SSL3_AD_ILLEGAL_PARAMETER);
725 case SSL_AD_UNKNOWN_CA:
726 return (SSL3_AD_BAD_CERTIFICATE);
727 case SSL_AD_ACCESS_DENIED:
728 return (SSL3_AD_HANDSHAKE_FAILURE);
729 case SSL_AD_DECODE_ERROR:
730 return (SSL3_AD_HANDSHAKE_FAILURE);
731 case SSL_AD_DECRYPT_ERROR:
732 return (SSL3_AD_HANDSHAKE_FAILURE);
733 case SSL_AD_EXPORT_RESTRICTION:
734 return (SSL3_AD_HANDSHAKE_FAILURE);
735 case SSL_AD_PROTOCOL_VERSION:
736 return (SSL3_AD_HANDSHAKE_FAILURE);
737 case SSL_AD_INSUFFICIENT_SECURITY:
738 return (SSL3_AD_HANDSHAKE_FAILURE);
739 case SSL_AD_INTERNAL_ERROR:
740 return (SSL3_AD_HANDSHAKE_FAILURE);
741 case SSL_AD_USER_CANCELLED:
742 return (SSL3_AD_HANDSHAKE_FAILURE);
743 case SSL_AD_NO_RENEGOTIATION:
744 return (-1); /* Don't send it :-) */
745 case SSL_AD_UNSUPPORTED_EXTENSION:
746 return (SSL3_AD_HANDSHAKE_FAILURE);
747 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
748 return (SSL3_AD_HANDSHAKE_FAILURE);
749 case SSL_AD_UNRECOGNIZED_NAME:
750 return (SSL3_AD_HANDSHAKE_FAILURE);
751 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
752 return (SSL3_AD_HANDSHAKE_FAILURE);
753 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
754 return (SSL3_AD_HANDSHAKE_FAILURE);
755 case SSL_AD_UNKNOWN_PSK_IDENTITY:
756 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
757 case SSL_AD_INAPPROPRIATE_FALLBACK:
758 return (TLS1_AD_INAPPROPRIATE_FALLBACK);
759 default:
760 return (-1);
761 }
762}
A mirror of the official openssl repository