]>
Commit | Line | Data |
---|---|---|
846e33c7 | 1 | /* |
33388b44 | 2 | * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. |
c80149d9 | 3 | * Copyright 2005 Nokia. All rights reserved. |
82b0bf0b | 4 | * |
2c18d164 | 5 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
846e33c7 RS |
6 | * this file except in compliance with the License. You can obtain a copy |
7 | * in the file LICENSE in the source distribution or at | |
8 | * https://www.openssl.org/source/license.html | |
82b0bf0b | 9 | */ |
846e33c7 | 10 | |
d02b48c6 | 11 | #include <stdio.h> |
706457b7 | 12 | #include "ssl_local.h" |
7b63c0fa | 13 | #include <openssl/evp.h> |
dbad1690 | 14 | #include <openssl/md5.h> |
d5e5e2ff | 15 | #include <openssl/core_names.h> |
67dc995e | 16 | #include "internal/cryptlib.h" |
d02b48c6 | 17 | |
027e257b | 18 | static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) |
0f113f3e | 19 | { |
62ba8345 | 20 | const EVP_MD *md5 = NULL, *sha1 = NULL; |
6e59a892 RL |
21 | EVP_MD_CTX *m5; |
22 | EVP_MD_CTX *s1; | |
0f113f3e MC |
23 | unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; |
24 | unsigned char c = 'A'; | |
c19e6da9 | 25 | unsigned int i, k; |
6e59a892 | 26 | int ret = 0; |
58964a49 | 27 | |
ca570cfd | 28 | #ifdef CHARSET_EBCDIC |
0f113f3e | 29 | c = os_toascii[c]; /* 'A' in ASCII */ |
ca570cfd | 30 | #endif |
0f113f3e | 31 | k = 0; |
62ba8345 MC |
32 | md5 = ssl_evp_md_fetch(s->ctx->libctx, NID_md5, s->ctx->propq); |
33 | sha1 = ssl_evp_md_fetch(s->ctx->libctx, NID_sha1, s->ctx->propq); | |
bfb0641f RL |
34 | m5 = EVP_MD_CTX_new(); |
35 | s1 = EVP_MD_CTX_new(); | |
62ba8345 | 36 | if (md5 == NULL || sha1 == NULL || m5 == NULL || s1 == NULL) { |
d4d2f3a4 MC |
37 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, |
38 | ERR_R_MALLOC_FAILURE); | |
6e59a892 RL |
39 | goto err; |
40 | } | |
0f113f3e MC |
41 | for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { |
42 | k++; | |
a6fd7c1d | 43 | if (k > sizeof(buf)) { |
0f113f3e | 44 | /* bug: 'buf' is too small for this ciphersuite */ |
d4d2f3a4 MC |
45 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, |
46 | ERR_R_INTERNAL_ERROR); | |
a6fd7c1d | 47 | goto err; |
0f113f3e MC |
48 | } |
49 | ||
c19e6da9 | 50 | memset(buf, c, k); |
0f113f3e | 51 | c++; |
62ba8345 | 52 | if (!EVP_DigestInit_ex(s1, sha1, NULL) |
d166ed8c DSH |
53 | || !EVP_DigestUpdate(s1, buf, k) |
54 | || !EVP_DigestUpdate(s1, s->session->master_key, | |
55 | s->session->master_key_length) | |
555cbb32 TS |
56 | || !EVP_DigestUpdate(s1, s->s3.server_random, SSL3_RANDOM_SIZE) |
57 | || !EVP_DigestUpdate(s1, s->s3.client_random, SSL3_RANDOM_SIZE) | |
d166ed8c | 58 | || !EVP_DigestFinal_ex(s1, smd, NULL) |
47b4ccea | 59 | || !EVP_DigestInit_ex(m5, md5, NULL) |
d166ed8c DSH |
60 | || !EVP_DigestUpdate(m5, s->session->master_key, |
61 | s->session->master_key_length) | |
d4d2f3a4 MC |
62 | || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { |
63 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, | |
64 | ERR_R_INTERNAL_ERROR); | |
d166ed8c | 65 | goto err; |
d4d2f3a4 | 66 | } |
0f113f3e | 67 | if ((int)(i + MD5_DIGEST_LENGTH) > num) { |
d4d2f3a4 MC |
68 | if (!EVP_DigestFinal_ex(m5, smd, NULL)) { |
69 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
70 | SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); | |
d166ed8c | 71 | goto err; |
d4d2f3a4 | 72 | } |
0f113f3e | 73 | memcpy(km, smd, (num - i)); |
d166ed8c | 74 | } else { |
d4d2f3a4 MC |
75 | if (!EVP_DigestFinal_ex(m5, km, NULL)) { |
76 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, | |
77 | SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); | |
d166ed8c | 78 | goto err; |
d4d2f3a4 | 79 | } |
d166ed8c | 80 | } |
0f113f3e MC |
81 | |
82 | km += MD5_DIGEST_LENGTH; | |
83 | } | |
e0f9bf1d | 84 | OPENSSL_cleanse(smd, sizeof(smd)); |
6e59a892 RL |
85 | ret = 1; |
86 | err: | |
bfb0641f RL |
87 | EVP_MD_CTX_free(m5); |
88 | EVP_MD_CTX_free(s1); | |
c8f6c28a | 89 | ssl_evp_md_free(md5); |
62ba8345 | 90 | ssl_evp_md_free(sha1); |
6e59a892 | 91 | return ret; |
0f113f3e | 92 | } |
58964a49 | 93 | |
6b691a5c | 94 | int ssl3_change_cipher_state(SSL *s, int which) |
0f113f3e MC |
95 | { |
96 | unsigned char *p, *mac_secret; | |
361a1191 | 97 | unsigned char *ms, *key, *iv; |
0f113f3e MC |
98 | EVP_CIPHER_CTX *dd; |
99 | const EVP_CIPHER *c; | |
09b6c2ef | 100 | #ifndef OPENSSL_NO_COMP |
0f113f3e | 101 | COMP_METHOD *comp; |
09b6c2ef | 102 | #endif |
0f113f3e | 103 | const EVP_MD *m; |
8c1a5343 MC |
104 | int mdi; |
105 | size_t n, i, j, k, cl; | |
0f113f3e MC |
106 | int reuse_dd = 0; |
107 | ||
555cbb32 TS |
108 | c = s->s3.tmp.new_sym_enc; |
109 | m = s->s3.tmp.new_hash; | |
0f113f3e | 110 | /* m == NULL will lead to a crash later */ |
380a522f | 111 | if (!ossl_assert(m != NULL)) { |
f63a17d6 MC |
112 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, |
113 | ERR_R_INTERNAL_ERROR); | |
114 | goto err; | |
380a522f | 115 | } |
09b6c2ef | 116 | #ifndef OPENSSL_NO_COMP |
555cbb32 | 117 | if (s->s3.tmp.new_compression == NULL) |
0f113f3e MC |
118 | comp = NULL; |
119 | else | |
555cbb32 | 120 | comp = s->s3.tmp.new_compression->method; |
09b6c2ef | 121 | #endif |
d02b48c6 | 122 | |
0f113f3e | 123 | if (which & SSL3_CC_READ) { |
f63a17d6 | 124 | if (s->enc_read_ctx != NULL) { |
0f113f3e | 125 | reuse_dd = 1; |
f63a17d6 MC |
126 | } else if ((s->enc_read_ctx = EVP_CIPHER_CTX_new()) == NULL) { |
127 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
128 | ERR_R_MALLOC_FAILURE); | |
0f113f3e | 129 | goto err; |
f63a17d6 | 130 | } else { |
0f113f3e | 131 | /* |
8483a003 | 132 | * make sure it's initialised in case we exit later with an error |
0f113f3e | 133 | */ |
846ec07d | 134 | EVP_CIPHER_CTX_reset(s->enc_read_ctx); |
f63a17d6 | 135 | } |
0f113f3e MC |
136 | dd = s->enc_read_ctx; |
137 | ||
5f3d93e4 | 138 | if (ssl_replace_hash(&s->read_hash, m) == NULL) { |
f63a17d6 MC |
139 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, |
140 | ERR_R_INTERNAL_ERROR); | |
141 | goto err; | |
69f68237 | 142 | } |
09b6c2ef | 143 | #ifndef OPENSSL_NO_COMP |
0f113f3e | 144 | /* COMPRESS */ |
efa7dd64 RS |
145 | COMP_CTX_free(s->expand); |
146 | s->expand = NULL; | |
0f113f3e MC |
147 | if (comp != NULL) { |
148 | s->expand = COMP_CTX_new(comp); | |
149 | if (s->expand == NULL) { | |
f63a17d6 MC |
150 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
151 | SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
dd5a4279 | 152 | SSL_R_COMPRESSION_LIBRARY_ERROR); |
f63a17d6 | 153 | goto err; |
0f113f3e | 154 | } |
0f113f3e | 155 | } |
09b6c2ef | 156 | #endif |
de07f311 | 157 | RECORD_LAYER_reset_read_sequence(&s->rlayer); |
555cbb32 | 158 | mac_secret = &(s->s3.read_mac_secret[0]); |
0f113f3e | 159 | } else { |
7426cd34 | 160 | s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; |
f63a17d6 | 161 | if (s->enc_write_ctx != NULL) { |
0f113f3e | 162 | reuse_dd = 1; |
f63a17d6 MC |
163 | } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { |
164 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
165 | ERR_R_MALLOC_FAILURE); | |
0f113f3e | 166 | goto err; |
f63a17d6 | 167 | } else { |
0f113f3e | 168 | /* |
8483a003 | 169 | * make sure it's initialised in case we exit later with an error |
0f113f3e | 170 | */ |
846ec07d | 171 | EVP_CIPHER_CTX_reset(s->enc_write_ctx); |
f63a17d6 | 172 | } |
0f113f3e | 173 | dd = s->enc_write_ctx; |
5f3d93e4 | 174 | if (ssl_replace_hash(&s->write_hash, m) == NULL) { |
f63a17d6 MC |
175 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, |
176 | ERR_R_MALLOC_FAILURE); | |
177 | goto err; | |
69f68237 | 178 | } |
09b6c2ef | 179 | #ifndef OPENSSL_NO_COMP |
0f113f3e | 180 | /* COMPRESS */ |
efa7dd64 RS |
181 | COMP_CTX_free(s->compress); |
182 | s->compress = NULL; | |
0f113f3e MC |
183 | if (comp != NULL) { |
184 | s->compress = COMP_CTX_new(comp); | |
185 | if (s->compress == NULL) { | |
f63a17d6 MC |
186 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
187 | SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
188 | SSL_R_COMPRESSION_LIBRARY_ERROR); | |
189 | goto err; | |
0f113f3e MC |
190 | } |
191 | } | |
09b6c2ef | 192 | #endif |
de07f311 | 193 | RECORD_LAYER_reset_write_sequence(&s->rlayer); |
555cbb32 | 194 | mac_secret = &(s->s3.write_mac_secret[0]); |
0f113f3e MC |
195 | } |
196 | ||
197 | if (reuse_dd) | |
846ec07d | 198 | EVP_CIPHER_CTX_reset(dd); |
0f113f3e | 199 | |
555cbb32 | 200 | p = s->s3.tmp.key_block; |
8c1a5343 | 201 | mdi = EVP_MD_size(m); |
f63a17d6 MC |
202 | if (mdi < 0) { |
203 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
204 | ERR_R_INTERNAL_ERROR); | |
205 | goto err; | |
206 | } | |
8c1a5343 | 207 | i = mdi; |
0f113f3e | 208 | cl = EVP_CIPHER_key_length(c); |
361a1191 | 209 | j = cl; |
0f113f3e MC |
210 | k = EVP_CIPHER_iv_length(c); |
211 | if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || | |
212 | (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { | |
213 | ms = &(p[0]); | |
214 | n = i + i; | |
215 | key = &(p[n]); | |
216 | n += j + j; | |
217 | iv = &(p[n]); | |
218 | n += k + k; | |
0f113f3e MC |
219 | } else { |
220 | n = i; | |
221 | ms = &(p[n]); | |
222 | n += i + j; | |
223 | key = &(p[n]); | |
224 | n += j + k; | |
225 | iv = &(p[n]); | |
226 | n += k; | |
0f113f3e MC |
227 | } |
228 | ||
555cbb32 | 229 | if (n > s->s3.tmp.key_block_length) { |
f63a17d6 MC |
230 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, |
231 | ERR_R_INTERNAL_ERROR); | |
232 | goto err; | |
0f113f3e MC |
233 | } |
234 | ||
0f113f3e | 235 | memcpy(mac_secret, ms, i); |
0f113f3e | 236 | |
f63a17d6 MC |
237 | if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) { |
238 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, | |
239 | ERR_R_INTERNAL_ERROR); | |
240 | goto err; | |
241 | } | |
58964a49 | 242 | |
b5588178 MC |
243 | if (EVP_CIPHER_provider(c) != NULL |
244 | && !tls_provider_set_tls_params(s, dd, c, m)) { | |
245 | /* SSLfatal already called */ | |
246 | goto err; | |
247 | } | |
248 | ||
7426cd34 | 249 | s->statem.enc_write_state = ENC_WRITE_STATE_VALID; |
208fb891 | 250 | return 1; |
0f113f3e | 251 | err: |
26a7d938 | 252 | return 0; |
0f113f3e | 253 | } |
d02b48c6 | 254 | |
6b691a5c | 255 | int ssl3_setup_key_block(SSL *s) |
0f113f3e MC |
256 | { |
257 | unsigned char *p; | |
258 | const EVP_CIPHER *c; | |
259 | const EVP_MD *hash; | |
260 | int num; | |
261 | int ret = 0; | |
262 | SSL_COMP *comp; | |
263 | ||
555cbb32 | 264 | if (s->s3.tmp.key_block_length != 0) |
208fb891 | 265 | return 1; |
0f113f3e | 266 | |
c8f6c28a MC |
267 | if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, &comp, |
268 | 0)) { | |
f63a17d6 MC |
269 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, |
270 | SSL_R_CIPHER_OR_HASH_UNAVAILABLE); | |
26a7d938 | 271 | return 0; |
0f113f3e MC |
272 | } |
273 | ||
c8f6c28a | 274 | ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); |
555cbb32 | 275 | s->s3.tmp.new_sym_enc = c; |
c8f6c28a | 276 | ssl_evp_md_free(s->s3.tmp.new_hash); |
555cbb32 | 277 | s->s3.tmp.new_hash = hash; |
09b6c2ef | 278 | #ifdef OPENSSL_NO_COMP |
555cbb32 | 279 | s->s3.tmp.new_compression = NULL; |
09b6c2ef | 280 | #else |
555cbb32 | 281 | s->s3.tmp.new_compression = comp; |
09b6c2ef | 282 | #endif |
d02b48c6 | 283 | |
0f113f3e MC |
284 | num = EVP_MD_size(hash); |
285 | if (num < 0) | |
286 | return 0; | |
287 | ||
288 | num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); | |
289 | num *= 2; | |
0eab41fb | 290 | |
0f113f3e | 291 | ssl3_cleanup_key_block(s); |
d02b48c6 | 292 | |
f63a17d6 MC |
293 | if ((p = OPENSSL_malloc(num)) == NULL) { |
294 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK, | |
295 | ERR_R_MALLOC_FAILURE); | |
296 | return 0; | |
297 | } | |
d02b48c6 | 298 | |
555cbb32 TS |
299 | s->s3.tmp.key_block_length = num; |
300 | s->s3.tmp.key_block = p; | |
d02b48c6 | 301 | |
d4d2f3a4 | 302 | /* Calls SSLfatal() as required */ |
0f113f3e | 303 | ret = ssl3_generate_key_block(s, p, num); |
d02b48c6 | 304 | |
0f113f3e MC |
305 | if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { |
306 | /* | |
307 | * enable vulnerability countermeasure for CBC ciphers with known-IV | |
308 | * problem (http://www.openssl.org/~bodo/tls-cbc.txt) | |
309 | */ | |
555cbb32 | 310 | s->s3.need_empty_fragments = 1; |
82b0bf0b | 311 | |
0f113f3e MC |
312 | if (s->session->cipher != NULL) { |
313 | if (s->session->cipher->algorithm_enc == SSL_eNULL) | |
555cbb32 | 314 | s->s3.need_empty_fragments = 0; |
c21506ba | 315 | |
82b0bf0b | 316 | #ifndef OPENSSL_NO_RC4 |
0f113f3e | 317 | if (s->session->cipher->algorithm_enc == SSL_RC4) |
555cbb32 | 318 | s->s3.need_empty_fragments = 0; |
82b0bf0b | 319 | #endif |
0f113f3e MC |
320 | } |
321 | } | |
d02b48c6 | 322 | |
0f113f3e | 323 | return ret; |
0f113f3e | 324 | } |
d02b48c6 | 325 | |
6b691a5c | 326 | void ssl3_cleanup_key_block(SSL *s) |
0f113f3e | 327 | { |
555cbb32 TS |
328 | OPENSSL_clear_free(s->s3.tmp.key_block, s->s3.tmp.key_block_length); |
329 | s->s3.tmp.key_block = NULL; | |
330 | s->s3.tmp.key_block_length = 0; | |
0f113f3e | 331 | } |
d02b48c6 | 332 | |
2c4a056f | 333 | int ssl3_init_finished_mac(SSL *s) |
0f113f3e | 334 | { |
2c4a056f MC |
335 | BIO *buf = BIO_new(BIO_s_mem()); |
336 | ||
337 | if (buf == NULL) { | |
4752c5de MC |
338 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_INIT_FINISHED_MAC, |
339 | ERR_R_MALLOC_FAILURE); | |
2c4a056f MC |
340 | return 0; |
341 | } | |
85fb6fda | 342 | ssl3_free_digest_list(s); |
555cbb32 TS |
343 | s->s3.handshake_buffer = buf; |
344 | (void)BIO_set_close(s->s3.handshake_buffer, BIO_CLOSE); | |
2c4a056f | 345 | return 1; |
0f113f3e MC |
346 | } |
347 | ||
c7238204 DSH |
348 | /* |
349 | * Free digest list. Also frees handshake buffer since they are always freed | |
350 | * together. | |
351 | */ | |
352 | ||
0f113f3e MC |
353 | void ssl3_free_digest_list(SSL *s) |
354 | { | |
555cbb32 TS |
355 | BIO_free(s->s3.handshake_buffer); |
356 | s->s3.handshake_buffer = NULL; | |
357 | EVP_MD_CTX_free(s->s3.handshake_dgst); | |
358 | s->s3.handshake_dgst = NULL; | |
0f113f3e | 359 | } |
81025661 | 360 | |
7ee8627f | 361 | int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len) |
0f113f3e | 362 | { |
f63a17d6 MC |
363 | int ret; |
364 | ||
555cbb32 | 365 | if (s->s3.handshake_dgst == NULL) { |
d166ed8c | 366 | /* Note: this writes to a memory BIO so a failure is a fatal error */ |
f63a17d6 MC |
367 | if (len > INT_MAX) { |
368 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, | |
369 | SSL_R_OVERFLOW_ERROR); | |
7ee8627f | 370 | return 0; |
f63a17d6 | 371 | } |
555cbb32 | 372 | ret = BIO_write(s->s3.handshake_buffer, (void *)buf, (int)len); |
f63a17d6 MC |
373 | if (ret <= 0 || ret != (int)len) { |
374 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, | |
375 | ERR_R_INTERNAL_ERROR); | |
376 | return 0; | |
377 | } | |
7ee8627f | 378 | } else { |
555cbb32 | 379 | ret = EVP_DigestUpdate(s->s3.handshake_dgst, buf, len); |
f63a17d6 MC |
380 | if (!ret) { |
381 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, | |
382 | ERR_R_INTERNAL_ERROR); | |
383 | return 0; | |
384 | } | |
7ee8627f | 385 | } |
f63a17d6 | 386 | return 1; |
0f113f3e | 387 | } |
6ba71a71 | 388 | |
124037fd | 389 | int ssl3_digest_cached_records(SSL *s, int keep) |
0f113f3e | 390 | { |
0f113f3e MC |
391 | const EVP_MD *md; |
392 | long hdatalen; | |
393 | void *hdata; | |
394 | ||
555cbb32 TS |
395 | if (s->s3.handshake_dgst == NULL) { |
396 | hdatalen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); | |
124037fd | 397 | if (hdatalen <= 0) { |
f63a17d6 MC |
398 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, |
399 | SSL_R_BAD_HANDSHAKE_LENGTH); | |
124037fd DSH |
400 | return 0; |
401 | } | |
0f113f3e | 402 | |
555cbb32 TS |
403 | s->s3.handshake_dgst = EVP_MD_CTX_new(); |
404 | if (s->s3.handshake_dgst == NULL) { | |
f63a17d6 MC |
405 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, |
406 | ERR_R_MALLOC_FAILURE); | |
28ba2541 DSH |
407 | return 0; |
408 | } | |
409 | ||
410 | md = ssl_handshake_md(s); | |
7cd1420b MC |
411 | if (md == NULL) { |
412 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, | |
413 | SSL_R_NO_SUITABLE_DIGEST_ALGORITHM); | |
414 | return 0; | |
415 | } | |
416 | if (!EVP_DigestInit_ex(s->s3.handshake_dgst, md, NULL) | |
555cbb32 | 417 | || !EVP_DigestUpdate(s->s3.handshake_dgst, hdata, hdatalen)) { |
f63a17d6 MC |
418 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, |
419 | ERR_R_INTERNAL_ERROR); | |
28ba2541 | 420 | return 0; |
0f113f3e MC |
421 | } |
422 | } | |
124037fd | 423 | if (keep == 0) { |
555cbb32 TS |
424 | BIO_free(s->s3.handshake_buffer); |
425 | s->s3.handshake_buffer = NULL; | |
0f113f3e MC |
426 | } |
427 | ||
428 | return 1; | |
429 | } | |
6ba71a71 | 430 | |
d5e5e2ff SL |
431 | void ssl3_digest_master_key_set_params(const SSL_SESSION *session, |
432 | OSSL_PARAM params[]) | |
433 | { | |
434 | int n = 0; | |
83b4a243 SL |
435 | params[n++] = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS, |
436 | (void *)session->master_key, | |
4e7991b4 | 437 | session->master_key_length); |
d5e5e2ff SL |
438 | params[n++] = OSSL_PARAM_construct_end(); |
439 | } | |
440 | ||
6db6bc5a MC |
441 | size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, |
442 | unsigned char *p) | |
0f113f3e | 443 | { |
28ba2541 | 444 | int ret; |
6e59a892 | 445 | EVP_MD_CTX *ctx = NULL; |
0f113f3e | 446 | |
d4d2f3a4 MC |
447 | if (!ssl3_digest_cached_records(s, 0)) { |
448 | /* SSLfatal() already called */ | |
124037fd | 449 | return 0; |
d4d2f3a4 | 450 | } |
0f113f3e | 451 | |
555cbb32 | 452 | if (EVP_MD_CTX_type(s->s3.handshake_dgst) != NID_md5_sha1) { |
d4d2f3a4 MC |
453 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, |
454 | SSL_R_NO_REQUIRED_DIGEST); | |
0f113f3e MC |
455 | return 0; |
456 | } | |
28ba2541 | 457 | |
bfb0641f | 458 | ctx = EVP_MD_CTX_new(); |
6e59a892 | 459 | if (ctx == NULL) { |
d4d2f3a4 MC |
460 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, |
461 | ERR_R_MALLOC_FAILURE); | |
6e59a892 RL |
462 | return 0; |
463 | } | |
555cbb32 | 464 | if (!EVP_MD_CTX_copy_ex(ctx, s->s3.handshake_dgst)) { |
d4d2f3a4 MC |
465 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, |
466 | ERR_R_INTERNAL_ERROR); | |
7d0effea AP |
467 | ret = 0; |
468 | goto err; | |
d356dc56 | 469 | } |
28ba2541 | 470 | |
6e59a892 | 471 | ret = EVP_MD_CTX_size(ctx); |
28ba2541 | 472 | if (ret < 0) { |
d4d2f3a4 MC |
473 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, |
474 | ERR_R_INTERNAL_ERROR); | |
7d0effea AP |
475 | ret = 0; |
476 | goto err; | |
28ba2541 | 477 | } |
0f113f3e | 478 | |
d5e5e2ff SL |
479 | if (sender != NULL) { |
480 | OSSL_PARAM digest_cmd_params[3]; | |
481 | ||
482 | ssl3_digest_master_key_set_params(s->session, digest_cmd_params); | |
83b4a243 | 483 | |
d5e5e2ff SL |
484 | if (EVP_DigestUpdate(ctx, sender, len) <= 0 |
485 | || EVP_MD_CTX_set_params(ctx, digest_cmd_params) <= 0 | |
486 | || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { | |
487 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, | |
488 | ERR_R_INTERNAL_ERROR); | |
489 | ret = 0; | |
490 | } | |
5f3d93e4 | 491 | } |
0f113f3e | 492 | |
7d0effea | 493 | err: |
bfb0641f | 494 | EVP_MD_CTX_free(ctx); |
0f113f3e | 495 | |
28ba2541 | 496 | return ret; |
0f113f3e | 497 | } |
d02b48c6 | 498 | |
6b691a5c | 499 | int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, |
8c1a5343 | 500 | size_t len, size_t *secret_size) |
0f113f3e MC |
501 | { |
502 | static const unsigned char *salt[3] = { | |
ca570cfd | 503 | #ifndef CHARSET_EBCDIC |
0f113f3e MC |
504 | (const unsigned char *)"A", |
505 | (const unsigned char *)"BB", | |
506 | (const unsigned char *)"CCC", | |
ca570cfd | 507 | #else |
0f113f3e MC |
508 | (const unsigned char *)"\x41", |
509 | (const unsigned char *)"\x42\x42", | |
510 | (const unsigned char *)"\x43\x43\x43", | |
ca570cfd | 511 | #endif |
0f113f3e MC |
512 | }; |
513 | unsigned char buf[EVP_MAX_MD_SIZE]; | |
bfb0641f | 514 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
8c1a5343 | 515 | int i, ret = 1; |
0f113f3e | 516 | unsigned int n; |
8c1a5343 | 517 | size_t ret_secret_size = 0; |
d02b48c6 | 518 | |
6e59a892 | 519 | if (ctx == NULL) { |
f63a17d6 MC |
520 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_MASTER_SECRET, |
521 | ERR_R_MALLOC_FAILURE); | |
6e59a892 RL |
522 | return 0; |
523 | } | |
0f113f3e | 524 | for (i = 0; i < 3; i++) { |
6e59a892 | 525 | if (EVP_DigestInit_ex(ctx, s->ctx->sha1, NULL) <= 0 |
a230b26e EK |
526 | || EVP_DigestUpdate(ctx, salt[i], |
527 | strlen((const char *)salt[i])) <= 0 | |
528 | || EVP_DigestUpdate(ctx, p, len) <= 0 | |
555cbb32 | 529 | || EVP_DigestUpdate(ctx, &(s->s3.client_random[0]), |
a230b26e | 530 | SSL3_RANDOM_SIZE) <= 0 |
555cbb32 | 531 | || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]), |
a230b26e | 532 | SSL3_RANDOM_SIZE) <= 0 |
8c1a5343 | 533 | /* TODO(size_t) : convert me */ |
a230b26e EK |
534 | || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 |
535 | || EVP_DigestInit_ex(ctx, s->ctx->md5, NULL) <= 0 | |
536 | || EVP_DigestUpdate(ctx, p, len) <= 0 | |
537 | || EVP_DigestUpdate(ctx, buf, n) <= 0 | |
538 | || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { | |
f63a17d6 MC |
539 | SSLfatal(s, SSL_AD_INTERNAL_ERROR, |
540 | SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); | |
5f3d93e4 MC |
541 | ret = 0; |
542 | break; | |
543 | } | |
0f113f3e | 544 | out += n; |
8c1a5343 | 545 | ret_secret_size += n; |
0f113f3e | 546 | } |
bfb0641f | 547 | EVP_MD_CTX_free(ctx); |
1cf218bc | 548 | |
e0f9bf1d | 549 | OPENSSL_cleanse(buf, sizeof(buf)); |
8c1a5343 MC |
550 | if (ret) |
551 | *secret_size = ret_secret_size; | |
552 | return ret; | |
0f113f3e | 553 | } |
d02b48c6 | 554 | |
6b691a5c | 555 | int ssl3_alert_code(int code) |
0f113f3e MC |
556 | { |
557 | switch (code) { | |
558 | case SSL_AD_CLOSE_NOTIFY: | |
26a7d938 | 559 | return SSL3_AD_CLOSE_NOTIFY; |
0f113f3e | 560 | case SSL_AD_UNEXPECTED_MESSAGE: |
26a7d938 | 561 | return SSL3_AD_UNEXPECTED_MESSAGE; |
0f113f3e | 562 | case SSL_AD_BAD_RECORD_MAC: |
26a7d938 | 563 | return SSL3_AD_BAD_RECORD_MAC; |
0f113f3e | 564 | case SSL_AD_DECRYPTION_FAILED: |
26a7d938 | 565 | return SSL3_AD_BAD_RECORD_MAC; |
0f113f3e | 566 | case SSL_AD_RECORD_OVERFLOW: |
26a7d938 | 567 | return SSL3_AD_BAD_RECORD_MAC; |
0f113f3e | 568 | case SSL_AD_DECOMPRESSION_FAILURE: |
26a7d938 | 569 | return SSL3_AD_DECOMPRESSION_FAILURE; |
0f113f3e | 570 | case SSL_AD_HANDSHAKE_FAILURE: |
26a7d938 | 571 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 572 | case SSL_AD_NO_CERTIFICATE: |
26a7d938 | 573 | return SSL3_AD_NO_CERTIFICATE; |
0f113f3e | 574 | case SSL_AD_BAD_CERTIFICATE: |
26a7d938 | 575 | return SSL3_AD_BAD_CERTIFICATE; |
0f113f3e | 576 | case SSL_AD_UNSUPPORTED_CERTIFICATE: |
26a7d938 | 577 | return SSL3_AD_UNSUPPORTED_CERTIFICATE; |
0f113f3e | 578 | case SSL_AD_CERTIFICATE_REVOKED: |
26a7d938 | 579 | return SSL3_AD_CERTIFICATE_REVOKED; |
0f113f3e | 580 | case SSL_AD_CERTIFICATE_EXPIRED: |
26a7d938 | 581 | return SSL3_AD_CERTIFICATE_EXPIRED; |
0f113f3e | 582 | case SSL_AD_CERTIFICATE_UNKNOWN: |
26a7d938 | 583 | return SSL3_AD_CERTIFICATE_UNKNOWN; |
0f113f3e | 584 | case SSL_AD_ILLEGAL_PARAMETER: |
26a7d938 | 585 | return SSL3_AD_ILLEGAL_PARAMETER; |
0f113f3e | 586 | case SSL_AD_UNKNOWN_CA: |
26a7d938 | 587 | return SSL3_AD_BAD_CERTIFICATE; |
0f113f3e | 588 | case SSL_AD_ACCESS_DENIED: |
26a7d938 | 589 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 590 | case SSL_AD_DECODE_ERROR: |
26a7d938 | 591 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 592 | case SSL_AD_DECRYPT_ERROR: |
26a7d938 | 593 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 594 | case SSL_AD_EXPORT_RESTRICTION: |
26a7d938 | 595 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 596 | case SSL_AD_PROTOCOL_VERSION: |
26a7d938 | 597 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 598 | case SSL_AD_INSUFFICIENT_SECURITY: |
26a7d938 | 599 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 600 | case SSL_AD_INTERNAL_ERROR: |
26a7d938 | 601 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 602 | case SSL_AD_USER_CANCELLED: |
26a7d938 | 603 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 604 | case SSL_AD_NO_RENEGOTIATION: |
26a7d938 | 605 | return -1; /* Don't send it :-) */ |
0f113f3e | 606 | case SSL_AD_UNSUPPORTED_EXTENSION: |
26a7d938 | 607 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 608 | case SSL_AD_CERTIFICATE_UNOBTAINABLE: |
26a7d938 | 609 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 610 | case SSL_AD_UNRECOGNIZED_NAME: |
26a7d938 | 611 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 612 | case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: |
26a7d938 | 613 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 614 | case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: |
26a7d938 | 615 | return SSL3_AD_HANDSHAKE_FAILURE; |
0f113f3e | 616 | case SSL_AD_UNKNOWN_PSK_IDENTITY: |
26a7d938 | 617 | return TLS1_AD_UNKNOWN_PSK_IDENTITY; |
0f113f3e | 618 | case SSL_AD_INAPPROPRIATE_FALLBACK: |
26a7d938 | 619 | return TLS1_AD_INAPPROPRIATE_FALLBACK; |
06217867 | 620 | case SSL_AD_NO_APPLICATION_PROTOCOL: |
26a7d938 | 621 | return TLS1_AD_NO_APPLICATION_PROTOCOL; |
42c28b63 MC |
622 | case SSL_AD_CERTIFICATE_REQUIRED: |
623 | return SSL_AD_HANDSHAKE_FAILURE; | |
0f113f3e | 624 | default: |
26a7d938 | 625 | return -1; |
0f113f3e MC |
626 | } |
627 | } |