]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/s3_enc.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Introduce macro RECORD_LAYER_setup_comp_buffer
[thirdparty/openssl.git] / ssl / s3_enc.c
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
142
143 static const unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 };
151
152 static const unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 };
160
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 {
165 EVP_MD_CTX m5;
166 EVP_MD_CTX s1;
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
170
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
173 #endif
174 k = 0;
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179 k++;
180 if (k > sizeof buf) {
181 /* bug: 'buf' is too small for this ciphersuite */
182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
183 return 0;
184 }
185
186 for (j = 0; j < k; j++)
187 buf[j] = c;
188 c++;
189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190 EVP_DigestUpdate(&s1, buf, k);
191 EVP_DigestUpdate(&s1, s->session->master_key,
192 s->session->master_key_length);
193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195 EVP_DigestFinal_ex(&s1, smd, NULL);
196
197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198 EVP_DigestUpdate(&m5, s->session->master_key,
199 s->session->master_key_length);
200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 EVP_DigestFinal_ex(&m5, smd, NULL);
203 memcpy(km, smd, (num - i));
204 } else
205 EVP_DigestFinal_ex(&m5, km, NULL);
206
207 km += MD5_DIGEST_LENGTH;
208 }
209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210 EVP_MD_CTX_cleanup(&m5);
211 EVP_MD_CTX_cleanup(&s1);
212 return 1;
213 }
214
215 int ssl3_change_cipher_state(SSL *s, int which)
216 {
217 unsigned char *p, *mac_secret;
218 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220 unsigned char *ms, *key, *iv, *er1, *er2;
221 EVP_CIPHER_CTX *dd;
222 const EVP_CIPHER *c;
223 #ifndef OPENSSL_NO_COMP
224 COMP_METHOD *comp;
225 #endif
226 const EVP_MD *m;
227 EVP_MD_CTX md;
228 int is_exp, n, i, j, k, cl;
229 int reuse_dd = 0;
230
231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232 c = s->s3->tmp.new_sym_enc;
233 m = s->s3->tmp.new_hash;
234 /* m == NULL will lead to a crash later */
235 OPENSSL_assert(m);
236 #ifndef OPENSSL_NO_COMP
237 if (s->s3->tmp.new_compression == NULL)
238 comp = NULL;
239 else
240 comp = s->s3->tmp.new_compression->method;
241 #endif
242
243 if (which & SSL3_CC_READ) {
244 if (s->enc_read_ctx != NULL)
245 reuse_dd = 1;
246 else if ((s->enc_read_ctx =
247 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
248 goto err;
249 else
250 /*
251 * make sure it's intialized in case we exit later with an error
252 */
253 EVP_CIPHER_CTX_init(s->enc_read_ctx);
254 dd = s->enc_read_ctx;
255
256 if(!ssl_replace_hash(&s->read_hash, m)) {
257 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
258 goto err2;
259 }
260 #ifndef OPENSSL_NO_COMP
261 /* COMPRESS */
262 if (s->expand != NULL) {
263 COMP_CTX_free(s->expand);
264 s->expand = NULL;
265 }
266 if (comp != NULL) {
267 s->expand = COMP_CTX_new(comp);
268 if (s->expand == NULL) {
269 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
270 SSL_R_COMPRESSION_LIBRARY_ERROR);
271 goto err2;
272 }
273 if(!RECORD_LAYER_setup_comp_buffer(&s->rlayer))
274 goto err;
275 }
276 #endif
277 memset(&(s->s3->read_sequence[0]), 0, 8);
278 mac_secret = &(s->s3->read_mac_secret[0]);
279 } else {
280 if (s->enc_write_ctx != NULL)
281 reuse_dd = 1;
282 else if ((s->enc_write_ctx =
283 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
284 goto err;
285 else
286 /*
287 * make sure it's intialized in case we exit later with an error
288 */
289 EVP_CIPHER_CTX_init(s->enc_write_ctx);
290 dd = s->enc_write_ctx;
291 if(!ssl_replace_hash(&s->write_hash, m)) {
292 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
293 goto err2;
294 }
295 #ifndef OPENSSL_NO_COMP
296 /* COMPRESS */
297 if (s->compress != NULL) {
298 COMP_CTX_free(s->compress);
299 s->compress = NULL;
300 }
301 if (comp != NULL) {
302 s->compress = COMP_CTX_new(comp);
303 if (s->compress == NULL) {
304 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
305 SSL_R_COMPRESSION_LIBRARY_ERROR);
306 goto err2;
307 }
308 }
309 #endif
310 memset(&(s->s3->write_sequence[0]), 0, 8);
311 mac_secret = &(s->s3->write_mac_secret[0]);
312 }
313
314 if (reuse_dd)
315 EVP_CIPHER_CTX_cleanup(dd);
316
317 p = s->s3->tmp.key_block;
318 i = EVP_MD_size(m);
319 if (i < 0)
320 goto err2;
321 cl = EVP_CIPHER_key_length(c);
322 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
323 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
324 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
325 k = EVP_CIPHER_iv_length(c);
326 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
327 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
328 ms = &(p[0]);
329 n = i + i;
330 key = &(p[n]);
331 n += j + j;
332 iv = &(p[n]);
333 n += k + k;
334 er1 = &(s->s3->client_random[0]);
335 er2 = &(s->s3->server_random[0]);
336 } else {
337 n = i;
338 ms = &(p[n]);
339 n += i + j;
340 key = &(p[n]);
341 n += j + k;
342 iv = &(p[n]);
343 n += k;
344 er1 = &(s->s3->server_random[0]);
345 er2 = &(s->s3->client_random[0]);
346 }
347
348 if (n > s->s3->tmp.key_block_length) {
349 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
350 goto err2;
351 }
352
353 EVP_MD_CTX_init(&md);
354 memcpy(mac_secret, ms, i);
355 if (is_exp) {
356 /*
357 * In here I set both the read and write key/iv to the same value
358 * since only the correct one will be used :-).
359 */
360 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
361 EVP_DigestUpdate(&md, key, j);
362 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
363 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
364 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
365 key = &(exp_key[0]);
366
367 if (k > 0) {
368 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
369 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
370 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
371 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
372 iv = &(exp_iv[0]);
373 }
374 }
375
376 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
377
378 #ifdef OPENSSL_SSL_TRACE_CRYPTO
379 if (s->msg_callback) {
380
381 int wh = which & SSL3_CC_WRITE ?
382 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
383 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
384 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
385 if (c->key_len)
386 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
387 key, c->key_len, s, s->msg_callback_arg);
388 if (k) {
389 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
390 iv, k, s, s->msg_callback_arg);
391 }
392 }
393 #endif
394
395 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
396 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
397 EVP_MD_CTX_cleanup(&md);
398 return (1);
399 err:
400 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
401 err2:
402 return (0);
403 }
404
405 int ssl3_setup_key_block(SSL *s)
406 {
407 unsigned char *p;
408 const EVP_CIPHER *c;
409 const EVP_MD *hash;
410 int num;
411 int ret = 0;
412 SSL_COMP *comp;
413
414 if (s->s3->tmp.key_block_length != 0)
415 return (1);
416
417 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) {
418 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
419 return (0);
420 }
421
422 s->s3->tmp.new_sym_enc = c;
423 s->s3->tmp.new_hash = hash;
424 #ifdef OPENSSL_NO_COMP
425 s->s3->tmp.new_compression = NULL;
426 #else
427 s->s3->tmp.new_compression = comp;
428 #endif
429
430 num = EVP_MD_size(hash);
431 if (num < 0)
432 return 0;
433
434 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
435 num *= 2;
436
437 ssl3_cleanup_key_block(s);
438
439 if ((p = OPENSSL_malloc(num)) == NULL)
440 goto err;
441
442 s->s3->tmp.key_block_length = num;
443 s->s3->tmp.key_block = p;
444
445 ret = ssl3_generate_key_block(s, p, num);
446
447 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
448 /*
449 * enable vulnerability countermeasure for CBC ciphers with known-IV
450 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
451 */
452 s->s3->need_empty_fragments = 1;
453
454 if (s->session->cipher != NULL) {
455 if (s->session->cipher->algorithm_enc == SSL_eNULL)
456 s->s3->need_empty_fragments = 0;
457
458 #ifndef OPENSSL_NO_RC4
459 if (s->session->cipher->algorithm_enc == SSL_RC4)
460 s->s3->need_empty_fragments = 0;
461 #endif
462 }
463 }
464
465 return ret;
466
467 err:
468 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
469 return (0);
470 }
471
472 void ssl3_cleanup_key_block(SSL *s)
473 {
474 if (s->s3->tmp.key_block != NULL) {
475 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
476 OPENSSL_free(s->s3->tmp.key_block);
477 s->s3->tmp.key_block = NULL;
478 }
479 s->s3->tmp.key_block_length = 0;
480 }
481
482 void ssl3_init_finished_mac(SSL *s)
483 {
484 BIO_free(s->s3->handshake_buffer);
485 if (s->s3->handshake_dgst)
486 ssl3_free_digest_list(s);
487 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
488 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
489 }
490
491 void ssl3_free_digest_list(SSL *s)
492 {
493 int i;
494 if (!s->s3->handshake_dgst)
495 return;
496 for (i = 0; i < SSL_MAX_DIGEST; i++) {
497 if (s->s3->handshake_dgst[i])
498 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
499 }
500 OPENSSL_free(s->s3->handshake_dgst);
501 s->s3->handshake_dgst = NULL;
502 }
503
504 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
505 {
506 if (s->s3->handshake_buffer
507 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
508 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
509 } else {
510 int i;
511 for (i = 0; i < SSL_MAX_DIGEST; i++) {
512 if (s->s3->handshake_dgst[i] != NULL)
513 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
514 }
515 }
516 }
517
518 int ssl3_digest_cached_records(SSL *s)
519 {
520 int i;
521 long mask;
522 const EVP_MD *md;
523 long hdatalen;
524 void *hdata;
525
526 /* Allocate handshake_dgst array */
527 ssl3_free_digest_list(s);
528 s->s3->handshake_dgst =
529 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
530 if (s->s3->handshake_dgst == NULL) {
531 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
532 return 0;
533 }
534 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
535 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
536 if (hdatalen <= 0) {
537 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
538 return 0;
539 }
540
541 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
542 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
543 if ((mask & ssl_get_algorithm2(s)) && md) {
544 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
545 if (EVP_MD_nid(md) == NID_md5) {
546 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
547 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
548 }
549 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
550 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
551 } else {
552 s->s3->handshake_dgst[i] = NULL;
553 }
554 }
555 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
556 /* Free handshake_buffer BIO */
557 BIO_free(s->s3->handshake_buffer);
558 s->s3->handshake_buffer = NULL;
559 }
560
561 return 1;
562 }
563
564 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
565 {
566 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
567 }
568
569 int ssl3_final_finish_mac(SSL *s,
570 const char *sender, int len, unsigned char *p)
571 {
572 int ret, sha1len;
573 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
574 if (ret == 0)
575 return 0;
576
577 p += ret;
578
579 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
580 if (sha1len == 0)
581 return 0;
582
583 ret += sha1len;
584 return (ret);
585 }
586
587 static int ssl3_handshake_mac(SSL *s, int md_nid,
588 const char *sender, int len, unsigned char *p)
589 {
590 unsigned int ret;
591 int npad, n;
592 unsigned int i;
593 unsigned char md_buf[EVP_MAX_MD_SIZE];
594 EVP_MD_CTX ctx, *d = NULL;
595
596 if (s->s3->handshake_buffer)
597 if (!ssl3_digest_cached_records(s))
598 return 0;
599
600 /*
601 * Search for digest of specified type in the handshake_dgst array
602 */
603 for (i = 0; i < SSL_MAX_DIGEST; i++) {
604 if (s->s3->handshake_dgst[i]
605 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
606 d = s->s3->handshake_dgst[i];
607 break;
608 }
609 }
610 if (!d) {
611 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
612 return 0;
613 }
614 EVP_MD_CTX_init(&ctx);
615 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
616 EVP_MD_CTX_copy_ex(&ctx, d);
617 n = EVP_MD_CTX_size(&ctx);
618 if (n < 0)
619 return 0;
620
621 npad = (48 / n) * n;
622 if (sender != NULL)
623 EVP_DigestUpdate(&ctx, sender, len);
624 EVP_DigestUpdate(&ctx, s->session->master_key,
625 s->session->master_key_length);
626 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
627 EVP_DigestFinal_ex(&ctx, md_buf, &i);
628
629 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
630 EVP_DigestUpdate(&ctx, s->session->master_key,
631 s->session->master_key_length);
632 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
633 EVP_DigestUpdate(&ctx, md_buf, i);
634 EVP_DigestFinal_ex(&ctx, p, &ret);
635
636 EVP_MD_CTX_cleanup(&ctx);
637
638 return ((int)ret);
639 }
640
641 void ssl3_record_sequence_update(unsigned char *seq)
642 {
643 int i;
644
645 for (i = 7; i >= 0; i--) {
646 ++seq[i];
647 if (seq[i] != 0)
648 break;
649 }
650 }
651
652 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
653 int len)
654 {
655 static const unsigned char *salt[3] = {
656 #ifndef CHARSET_EBCDIC
657 (const unsigned char *)"A",
658 (const unsigned char *)"BB",
659 (const unsigned char *)"CCC",
660 #else
661 (const unsigned char *)"\x41",
662 (const unsigned char *)"\x42\x42",
663 (const unsigned char *)"\x43\x43\x43",
664 #endif
665 };
666 unsigned char buf[EVP_MAX_MD_SIZE];
667 EVP_MD_CTX ctx;
668 int i, ret = 0;
669 unsigned int n;
670 #ifdef OPENSSL_SSL_TRACE_CRYPTO
671 unsigned char *tmpout = out;
672 #endif
673
674 EVP_MD_CTX_init(&ctx);
675 for (i = 0; i < 3; i++) {
676 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
677 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
678 EVP_DigestUpdate(&ctx, p, len);
679 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
680 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
681 EVP_DigestFinal_ex(&ctx, buf, &n);
682
683 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
684 EVP_DigestUpdate(&ctx, p, len);
685 EVP_DigestUpdate(&ctx, buf, n);
686 EVP_DigestFinal_ex(&ctx, out, &n);
687 out += n;
688 ret += n;
689 }
690 EVP_MD_CTX_cleanup(&ctx);
691
692 #ifdef OPENSSL_SSL_TRACE_CRYPTO
693 if (s->msg_callback) {
694 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
695 p, len, s, s->msg_callback_arg);
696 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
697 s->s3->client_random, SSL3_RANDOM_SIZE,
698 s, s->msg_callback_arg);
699 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
700 s->s3->server_random, SSL3_RANDOM_SIZE,
701 s, s->msg_callback_arg);
702 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
703 tmpout, SSL3_MASTER_SECRET_SIZE,
704 s, s->msg_callback_arg);
705 }
706 #endif
707 OPENSSL_cleanse(buf, sizeof buf);
708 return (ret);
709 }
710
711 int ssl3_alert_code(int code)
712 {
713 switch (code) {
714 case SSL_AD_CLOSE_NOTIFY:
715 return (SSL3_AD_CLOSE_NOTIFY);
716 case SSL_AD_UNEXPECTED_MESSAGE:
717 return (SSL3_AD_UNEXPECTED_MESSAGE);
718 case SSL_AD_BAD_RECORD_MAC:
719 return (SSL3_AD_BAD_RECORD_MAC);
720 case SSL_AD_DECRYPTION_FAILED:
721 return (SSL3_AD_BAD_RECORD_MAC);
722 case SSL_AD_RECORD_OVERFLOW:
723 return (SSL3_AD_BAD_RECORD_MAC);
724 case SSL_AD_DECOMPRESSION_FAILURE:
725 return (SSL3_AD_DECOMPRESSION_FAILURE);
726 case SSL_AD_HANDSHAKE_FAILURE:
727 return (SSL3_AD_HANDSHAKE_FAILURE);
728 case SSL_AD_NO_CERTIFICATE:
729 return (SSL3_AD_NO_CERTIFICATE);
730 case SSL_AD_BAD_CERTIFICATE:
731 return (SSL3_AD_BAD_CERTIFICATE);
732 case SSL_AD_UNSUPPORTED_CERTIFICATE:
733 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
734 case SSL_AD_CERTIFICATE_REVOKED:
735 return (SSL3_AD_CERTIFICATE_REVOKED);
736 case SSL_AD_CERTIFICATE_EXPIRED:
737 return (SSL3_AD_CERTIFICATE_EXPIRED);
738 case SSL_AD_CERTIFICATE_UNKNOWN:
739 return (SSL3_AD_CERTIFICATE_UNKNOWN);
740 case SSL_AD_ILLEGAL_PARAMETER:
741 return (SSL3_AD_ILLEGAL_PARAMETER);
742 case SSL_AD_UNKNOWN_CA:
743 return (SSL3_AD_BAD_CERTIFICATE);
744 case SSL_AD_ACCESS_DENIED:
745 return (SSL3_AD_HANDSHAKE_FAILURE);
746 case SSL_AD_DECODE_ERROR:
747 return (SSL3_AD_HANDSHAKE_FAILURE);
748 case SSL_AD_DECRYPT_ERROR:
749 return (SSL3_AD_HANDSHAKE_FAILURE);
750 case SSL_AD_EXPORT_RESTRICTION:
751 return (SSL3_AD_HANDSHAKE_FAILURE);
752 case SSL_AD_PROTOCOL_VERSION:
753 return (SSL3_AD_HANDSHAKE_FAILURE);
754 case SSL_AD_INSUFFICIENT_SECURITY:
755 return (SSL3_AD_HANDSHAKE_FAILURE);
756 case SSL_AD_INTERNAL_ERROR:
757 return (SSL3_AD_HANDSHAKE_FAILURE);
758 case SSL_AD_USER_CANCELLED:
759 return (SSL3_AD_HANDSHAKE_FAILURE);
760 case SSL_AD_NO_RENEGOTIATION:
761 return (-1); /* Don't send it :-) */
762 case SSL_AD_UNSUPPORTED_EXTENSION:
763 return (SSL3_AD_HANDSHAKE_FAILURE);
764 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
765 return (SSL3_AD_HANDSHAKE_FAILURE);
766 case SSL_AD_UNRECOGNIZED_NAME:
767 return (SSL3_AD_HANDSHAKE_FAILURE);
768 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
769 return (SSL3_AD_HANDSHAKE_FAILURE);
770 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
771 return (SSL3_AD_HANDSHAKE_FAILURE);
772 case SSL_AD_UNKNOWN_PSK_IDENTITY:
773 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
774 case SSL_AD_INAPPROPRIATE_FALLBACK:
775 return (TLS1_AD_INAPPROPRIATE_FALLBACK);
776 default:
777 return (-1);
778 }
779 }
A mirror of the official openssl repository