xref: /freebsd/crypto/openssl/ssl/s3_enc.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #include <stdio.h>
113 #include "ssl_locl.h"
114 #include <openssl/evp.h>
115 #include <openssl/md5.h>
116 
117 static unsigned char ssl3_pad_1[48]={
118 	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
119 	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
120 	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
121 	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
122 	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
123 	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 };
124 
125 static unsigned char ssl3_pad_2[48]={
126 	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
127 	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
128 	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
129 	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
130 	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
131 	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
132 
133 static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
134 	const char *sender, int len, unsigned char *p);
135 
136 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
137 	{
138 	EVP_MD_CTX m5;
139 	EVP_MD_CTX s1;
140 	unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
141 	unsigned char c='A';
142 	unsigned int i,j,k;
143 
144 #ifdef CHARSET_EBCDIC
145 	c = os_toascii[c]; /*'A' in ASCII */
146 #endif
147 	k=0;
148 	EVP_MD_CTX_init(&m5);
149 	EVP_MD_CTX_init(&s1);
150 	for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
151 		{
152 		k++;
153 		if (k > sizeof buf)
154 			{
155 			/* bug: 'buf' is too small for this ciphersuite */
156 			SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
157 			return 0;
158 			}
159 
160 		for (j=0; j<k; j++)
161 			buf[j]=c;
162 		c++;
163 		EVP_DigestInit_ex(&s1,EVP_sha1(), NULL);
164 		EVP_DigestUpdate(&s1,buf,k);
165 		EVP_DigestUpdate(&s1,s->session->master_key,
166 			s->session->master_key_length);
167 		EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
168 		EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
169 		EVP_DigestFinal_ex(&s1,smd,NULL);
170 
171 		EVP_DigestInit_ex(&m5,EVP_md5(), NULL);
172 		EVP_DigestUpdate(&m5,s->session->master_key,
173 			s->session->master_key_length);
174 		EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
175 		if ((int)(i+MD5_DIGEST_LENGTH) > num)
176 			{
177 			EVP_DigestFinal_ex(&m5,smd,NULL);
178 			memcpy(km,smd,(num-i));
179 			}
180 		else
181 			EVP_DigestFinal_ex(&m5,km,NULL);
182 
183 		km+=MD5_DIGEST_LENGTH;
184 		}
185 	OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
186 	EVP_MD_CTX_cleanup(&m5);
187 	EVP_MD_CTX_cleanup(&s1);
188 	return 1;
189 	}
190 
191 int ssl3_change_cipher_state(SSL *s, int which)
192 	{
193 	unsigned char *p,*key_block,*mac_secret;
194 	unsigned char exp_key[EVP_MAX_KEY_LENGTH];
195 	unsigned char exp_iv[EVP_MAX_IV_LENGTH];
196 	unsigned char *ms,*key,*iv,*er1,*er2;
197 	EVP_CIPHER_CTX *dd;
198 	const EVP_CIPHER *c;
199 #ifndef OPENSSL_NO_COMP
200 	COMP_METHOD *comp;
201 #endif
202 	const EVP_MD *m;
203 	EVP_MD_CTX md;
204 	int is_exp,n,i,j,k,cl;
205 	int reuse_dd = 0;
206 
207 	is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
208 	c=s->s3->tmp.new_sym_enc;
209 	m=s->s3->tmp.new_hash;
210 #ifndef OPENSSL_NO_COMP
211 	if (s->s3->tmp.new_compression == NULL)
212 		comp=NULL;
213 	else
214 		comp=s->s3->tmp.new_compression->method;
215 #endif
216 	key_block=s->s3->tmp.key_block;
217 
218 	if (which & SSL3_CC_READ)
219 		{
220 		if (s->enc_read_ctx != NULL)
221 			reuse_dd = 1;
222 		else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
223 			goto err;
224 		else
225 			/* make sure it's intialized in case we exit later with an error */
226 			EVP_CIPHER_CTX_init(s->enc_read_ctx);
227 		dd= s->enc_read_ctx;
228 		s->read_hash=m;
229 #ifndef OPENSSL_NO_COMP
230 		/* COMPRESS */
231 		if (s->expand != NULL)
232 			{
233 			COMP_CTX_free(s->expand);
234 			s->expand=NULL;
235 			}
236 		if (comp != NULL)
237 			{
238 			s->expand=COMP_CTX_new(comp);
239 			if (s->expand == NULL)
240 				{
241 				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
242 				goto err2;
243 				}
244 			if (s->s3->rrec.comp == NULL)
245 				s->s3->rrec.comp=(unsigned char *)
246 					OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
247 			if (s->s3->rrec.comp == NULL)
248 				goto err;
249 			}
250 #endif
251 		memset(&(s->s3->read_sequence[0]),0,8);
252 		mac_secret= &(s->s3->read_mac_secret[0]);
253 		}
254 	else
255 		{
256 		if (s->enc_write_ctx != NULL)
257 			reuse_dd = 1;
258 		else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
259 			goto err;
260 		else
261 			/* make sure it's intialized in case we exit later with an error */
262 			EVP_CIPHER_CTX_init(s->enc_write_ctx);
263 		dd= s->enc_write_ctx;
264 		s->write_hash=m;
265 #ifndef OPENSSL_NO_COMP
266 		/* COMPRESS */
267 		if (s->compress != NULL)
268 			{
269 			COMP_CTX_free(s->compress);
270 			s->compress=NULL;
271 			}
272 		if (comp != NULL)
273 			{
274 			s->compress=COMP_CTX_new(comp);
275 			if (s->compress == NULL)
276 				{
277 				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
278 				goto err2;
279 				}
280 			}
281 #endif
282 		memset(&(s->s3->write_sequence[0]),0,8);
283 		mac_secret= &(s->s3->write_mac_secret[0]);
284 		}
285 
286 	if (reuse_dd)
287 		EVP_CIPHER_CTX_cleanup(dd);
288 
289 	p=s->s3->tmp.key_block;
290 	i=EVP_MD_size(m);
291 	cl=EVP_CIPHER_key_length(c);
292 	j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
293 		 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
294 	/* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
295 	k=EVP_CIPHER_iv_length(c);
296 	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
297 		(which == SSL3_CHANGE_CIPHER_SERVER_READ))
298 		{
299 		ms=  &(p[ 0]); n=i+i;
300 		key= &(p[ n]); n+=j+j;
301 		iv=  &(p[ n]); n+=k+k;
302 		er1= &(s->s3->client_random[0]);
303 		er2= &(s->s3->server_random[0]);
304 		}
305 	else
306 		{
307 		n=i;
308 		ms=  &(p[ n]); n+=i+j;
309 		key= &(p[ n]); n+=j+k;
310 		iv=  &(p[ n]); n+=k;
311 		er1= &(s->s3->server_random[0]);
312 		er2= &(s->s3->client_random[0]);
313 		}
314 
315 	if (n > s->s3->tmp.key_block_length)
316 		{
317 		SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
318 		goto err2;
319 		}
320 
321 	EVP_MD_CTX_init(&md);
322 	memcpy(mac_secret,ms,i);
323 	if (is_exp)
324 		{
325 		/* In here I set both the read and write key/iv to the
326 		 * same value since only the correct one will be used :-).
327 		 */
328 		EVP_DigestInit_ex(&md,EVP_md5(), NULL);
329 		EVP_DigestUpdate(&md,key,j);
330 		EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
331 		EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
332 		EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL);
333 		key= &(exp_key[0]);
334 
335 		if (k > 0)
336 			{
337 			EVP_DigestInit_ex(&md,EVP_md5(), NULL);
338 			EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
339 			EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
340 			EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL);
341 			iv= &(exp_iv[0]);
342 			}
343 		}
344 
345 	s->session->key_arg_length=0;
346 
347 	EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
348 
349 	OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
350 	OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
351 	EVP_MD_CTX_cleanup(&md);
352 	return(1);
353 err:
354 	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
355 err2:
356 	return(0);
357 	}
358 
359 int ssl3_setup_key_block(SSL *s)
360 	{
361 	unsigned char *p;
362 	const EVP_CIPHER *c;
363 	const EVP_MD *hash;
364 	int num;
365 	int ret = 0;
366 	SSL_COMP *comp;
367 
368 	if (s->s3->tmp.key_block_length != 0)
369 		return(1);
370 
371 	if (!ssl_cipher_get_evp(s->session,&c,&hash,&comp))
372 		{
373 		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
374 		return(0);
375 		}
376 
377 	s->s3->tmp.new_sym_enc=c;
378 	s->s3->tmp.new_hash=hash;
379 #ifdef OPENSSL_NO_COMP
380 	s->s3->tmp.new_compression=NULL;
381 #else
382 	s->s3->tmp.new_compression=comp;
383 #endif
384 
385 	num=EVP_CIPHER_key_length(c)+EVP_MD_size(hash)+EVP_CIPHER_iv_length(c);
386 	num*=2;
387 
388 	ssl3_cleanup_key_block(s);
389 
390 	if ((p=OPENSSL_malloc(num)) == NULL)
391 		goto err;
392 
393 	s->s3->tmp.key_block_length=num;
394 	s->s3->tmp.key_block=p;
395 
396 	ret = ssl3_generate_key_block(s,p,num);
397 
398 	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
399 		{
400 		/* enable vulnerability countermeasure for CBC ciphers with
401 		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
402 		 */
403 		s->s3->need_empty_fragments = 1;
404 
405 		if (s->session->cipher != NULL)
406 			{
407 			if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
408 				s->s3->need_empty_fragments = 0;
409 
410 #ifndef OPENSSL_NO_RC4
411 			if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
412 				s->s3->need_empty_fragments = 0;
413 #endif
414 			}
415 		}
416 
417 	return ret;
418 
419 err:
420 	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
421 	return(0);
422 	}
423 
424 void ssl3_cleanup_key_block(SSL *s)
425 	{
426 	if (s->s3->tmp.key_block != NULL)
427 		{
428 		OPENSSL_cleanse(s->s3->tmp.key_block,
429 			s->s3->tmp.key_block_length);
430 		OPENSSL_free(s->s3->tmp.key_block);
431 		s->s3->tmp.key_block=NULL;
432 		}
433 	s->s3->tmp.key_block_length=0;
434 	}
435 
436 int ssl3_enc(SSL *s, int send)
437 	{
438 	SSL3_RECORD *rec;
439 	EVP_CIPHER_CTX *ds;
440 	unsigned long l;
441 	int bs,i;
442 	const EVP_CIPHER *enc;
443 
444 	if (send)
445 		{
446 		ds=s->enc_write_ctx;
447 		rec= &(s->s3->wrec);
448 		if (s->enc_write_ctx == NULL)
449 			enc=NULL;
450 		else
451 			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
452 		}
453 	else
454 		{
455 		ds=s->enc_read_ctx;
456 		rec= &(s->s3->rrec);
457 		if (s->enc_read_ctx == NULL)
458 			enc=NULL;
459 		else
460 			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
461 		}
462 
463 	if ((s->session == NULL) || (ds == NULL) ||
464 		(enc == NULL))
465 		{
466 		memmove(rec->data,rec->input,rec->length);
467 		rec->input=rec->data;
468 		}
469 	else
470 		{
471 		l=rec->length;
472 		bs=EVP_CIPHER_block_size(ds->cipher);
473 
474 		/* COMPRESS */
475 
476 		if ((bs != 1) && send)
477 			{
478 			i=bs-((int)l%bs);
479 
480 			/* we need to add 'i-1' padding bytes */
481 			l+=i;
482 			rec->length+=i;
483 			rec->input[l-1]=(i-1);
484 			}
485 
486 		if (!send)
487 			{
488 			if (l == 0 || l%bs != 0)
489 				{
490 				SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
491 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
492 				return 0;
493 				}
494 			/* otherwise, rec->length >= bs */
495 			}
496 
497 		EVP_Cipher(ds,rec->data,rec->input,l);
498 
499 		if ((bs != 1) && !send)
500 			{
501 			i=rec->data[l-1]+1;
502 			/* SSL 3.0 bounds the number of padding bytes by the block size;
503 			 * padding bytes (except the last one) are arbitrary */
504 			if (i > bs)
505 				{
506 				/* Incorrect padding. SSLerr() and ssl3_alert are done
507 				 * by caller: we don't want to reveal whether this is
508 				 * a decryption error or a MAC verification failure
509 				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
510 				return -1;
511 				}
512 			/* now i <= bs <= rec->length */
513 			rec->length-=i;
514 			}
515 		}
516 	return(1);
517 	}
518 
519 void ssl3_init_finished_mac(SSL *s)
520 	{
521 	EVP_DigestInit_ex(&(s->s3->finish_dgst1),s->ctx->md5, NULL);
522 	EVP_DigestInit_ex(&(s->s3->finish_dgst2),s->ctx->sha1, NULL);
523 	}
524 
525 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
526 	{
527 	EVP_DigestUpdate(&(s->s3->finish_dgst1),buf,len);
528 	EVP_DigestUpdate(&(s->s3->finish_dgst2),buf,len);
529 	}
530 
531 int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
532 	{
533 	return(ssl3_handshake_mac(s,ctx,NULL,0,p));
534 	}
535 
536 int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
537 	     const char *sender, int len, unsigned char *p)
538 	{
539 	int ret;
540 
541 	ret=ssl3_handshake_mac(s,ctx1,sender,len,p);
542 	p+=ret;
543 	ret+=ssl3_handshake_mac(s,ctx2,sender,len,p);
544 	return(ret);
545 	}
546 
547 static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
548 	     const char *sender, int len, unsigned char *p)
549 	{
550 	unsigned int ret;
551 	int npad,n;
552 	unsigned int i;
553 	unsigned char md_buf[EVP_MAX_MD_SIZE];
554 	EVP_MD_CTX ctx;
555 
556 	EVP_MD_CTX_init(&ctx);
557 	EVP_MD_CTX_copy_ex(&ctx,in_ctx);
558 
559 	n=EVP_MD_CTX_size(&ctx);
560 	npad=(48/n)*n;
561 
562 	if (sender != NULL)
563 		EVP_DigestUpdate(&ctx,sender,len);
564 	EVP_DigestUpdate(&ctx,s->session->master_key,
565 		s->session->master_key_length);
566 	EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
567 	EVP_DigestFinal_ex(&ctx,md_buf,&i);
568 
569 	EVP_DigestInit_ex(&ctx,EVP_MD_CTX_md(&ctx), NULL);
570 	EVP_DigestUpdate(&ctx,s->session->master_key,
571 		s->session->master_key_length);
572 	EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
573 	EVP_DigestUpdate(&ctx,md_buf,i);
574 	EVP_DigestFinal_ex(&ctx,p,&ret);
575 
576 	EVP_MD_CTX_cleanup(&ctx);
577 
578 	return((int)ret);
579 	}
580 
581 int ssl3_mac(SSL *ssl, unsigned char *md, int send)
582 	{
583 	SSL3_RECORD *rec;
584 	unsigned char *mac_sec,*seq;
585 	EVP_MD_CTX md_ctx;
586 	const EVP_MD *hash;
587 	unsigned char *p,rec_char;
588 	unsigned int md_size;
589 	int npad;
590 
591 	if (send)
592 		{
593 		rec= &(ssl->s3->wrec);
594 		mac_sec= &(ssl->s3->write_mac_secret[0]);
595 		seq= &(ssl->s3->write_sequence[0]);
596 		hash=ssl->write_hash;
597 		}
598 	else
599 		{
600 		rec= &(ssl->s3->rrec);
601 		mac_sec= &(ssl->s3->read_mac_secret[0]);
602 		seq= &(ssl->s3->read_sequence[0]);
603 		hash=ssl->read_hash;
604 		}
605 
606 	md_size=EVP_MD_size(hash);
607 	npad=(48/md_size)*md_size;
608 
609 	/* Chop the digest off the end :-) */
610 	EVP_MD_CTX_init(&md_ctx);
611 
612 	EVP_DigestInit_ex(  &md_ctx,hash, NULL);
613 	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
614 	EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
615 	EVP_DigestUpdate(&md_ctx,seq,8);
616 	rec_char=rec->type;
617 	EVP_DigestUpdate(&md_ctx,&rec_char,1);
618 	p=md;
619 	s2n(rec->length,p);
620 	EVP_DigestUpdate(&md_ctx,md,2);
621 	EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
622 	EVP_DigestFinal_ex( &md_ctx,md,NULL);
623 
624 	EVP_DigestInit_ex(  &md_ctx,hash, NULL);
625 	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
626 	EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
627 	EVP_DigestUpdate(&md_ctx,md,md_size);
628 	EVP_DigestFinal_ex( &md_ctx,md,&md_size);
629 
630 	EVP_MD_CTX_cleanup(&md_ctx);
631 
632 	ssl3_record_sequence_update(seq);
633 	return(md_size);
634 	}
635 
636 void ssl3_record_sequence_update(unsigned char *seq)
637 	{
638 	int i;
639 
640 	for (i=7; i>=0; i--)
641 		{
642 		++seq[i];
643 		if (seq[i] != 0) break;
644 		}
645 	}
646 
647 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
648 	     int len)
649 	{
650 	static const unsigned char *salt[3]={
651 #ifndef CHARSET_EBCDIC
652 		(const unsigned char *)"A",
653 		(const unsigned char *)"BB",
654 		(const unsigned char *)"CCC",
655 #else
656 		(const unsigned char *)"\x41",
657 		(const unsigned char *)"\x42\x42",
658 		(const unsigned char *)"\x43\x43\x43",
659 #endif
660 		};
661 	unsigned char buf[EVP_MAX_MD_SIZE];
662 	EVP_MD_CTX ctx;
663 	int i,ret=0;
664 	unsigned int n;
665 
666 	EVP_MD_CTX_init(&ctx);
667 	for (i=0; i<3; i++)
668 		{
669 		EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
670 		EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
671 		EVP_DigestUpdate(&ctx,p,len);
672 		EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
673 			SSL3_RANDOM_SIZE);
674 		EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
675 			SSL3_RANDOM_SIZE);
676 		EVP_DigestFinal_ex(&ctx,buf,&n);
677 
678 		EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL);
679 		EVP_DigestUpdate(&ctx,p,len);
680 		EVP_DigestUpdate(&ctx,buf,n);
681 		EVP_DigestFinal_ex(&ctx,out,&n);
682 		out+=n;
683 		ret+=n;
684 		}
685 	EVP_MD_CTX_cleanup(&ctx);
686 	return(ret);
687 	}
688 
689 int ssl3_alert_code(int code)
690 	{
691 	switch (code)
692 		{
693 	case SSL_AD_CLOSE_NOTIFY:	return(SSL3_AD_CLOSE_NOTIFY);
694 	case SSL_AD_UNEXPECTED_MESSAGE:	return(SSL3_AD_UNEXPECTED_MESSAGE);
695 	case SSL_AD_BAD_RECORD_MAC:	return(SSL3_AD_BAD_RECORD_MAC);
696 	case SSL_AD_DECRYPTION_FAILED:	return(SSL3_AD_BAD_RECORD_MAC);
697 	case SSL_AD_RECORD_OVERFLOW:	return(SSL3_AD_BAD_RECORD_MAC);
698 	case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
699 	case SSL_AD_HANDSHAKE_FAILURE:	return(SSL3_AD_HANDSHAKE_FAILURE);
700 	case SSL_AD_NO_CERTIFICATE:	return(SSL3_AD_NO_CERTIFICATE);
701 	case SSL_AD_BAD_CERTIFICATE:	return(SSL3_AD_BAD_CERTIFICATE);
702 	case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
703 	case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
704 	case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
705 	case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
706 	case SSL_AD_ILLEGAL_PARAMETER:	return(SSL3_AD_ILLEGAL_PARAMETER);
707 	case SSL_AD_UNKNOWN_CA:		return(SSL3_AD_BAD_CERTIFICATE);
708 	case SSL_AD_ACCESS_DENIED:	return(SSL3_AD_HANDSHAKE_FAILURE);
709 	case SSL_AD_DECODE_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
710 	case SSL_AD_DECRYPT_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
711 	case SSL_AD_EXPORT_RESTRICTION:	return(SSL3_AD_HANDSHAKE_FAILURE);
712 	case SSL_AD_PROTOCOL_VERSION:	return(SSL3_AD_HANDSHAKE_FAILURE);
713 	case SSL_AD_INSUFFICIENT_SECURITY:return(SSL3_AD_HANDSHAKE_FAILURE);
714 	case SSL_AD_INTERNAL_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
715 	case SSL_AD_USER_CANCELLED:	return(SSL3_AD_HANDSHAKE_FAILURE);
716 	case SSL_AD_NO_RENEGOTIATION:	return(-1); /* Don't send it :-) */
717 	default:			return(-1);
718 		}
719 	}
720 
721