1 /* ssl/s3_enc.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138 #include <stdio.h> 139 #include "ssl_locl.h" 140 #include <openssl/evp.h> 141 #include <openssl/md5.h> 142 143 static unsigned char ssl3_pad_1[48] = { 144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 150 }; 151 152 static unsigned char ssl3_pad_2[48] = { 153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c 159 }; 160 161 static int ssl3_handshake_mac(SSL *s, int md_nid, 162 const char *sender, int len, unsigned char *p); 163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) 164 { 165 EVP_MD_CTX m5; 166 EVP_MD_CTX s1; 167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; 168 unsigned char c = 'A'; 169 unsigned int i, j, k; 170 171 #ifdef CHARSET_EBCDIC 172 c = os_toascii[c]; /* 'A' in ASCII */ 173 #endif 174 k = 0; 175 EVP_MD_CTX_init(&m5); 176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 177 EVP_MD_CTX_init(&s1); 178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { 179 k++; 180 if (k > sizeof buf) { 181 /* bug: 'buf' is too small for this ciphersuite */ 182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); 183 return 0; 184 } 185 186 for (j = 0; j < k; j++) 187 buf[j] = c; 188 c++; 189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL); 190 EVP_DigestUpdate(&s1, buf, k); 191 EVP_DigestUpdate(&s1, s->session->master_key, 192 s->session->master_key_length); 193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE); 194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE); 195 EVP_DigestFinal_ex(&s1, smd, NULL); 196 197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL); 198 EVP_DigestUpdate(&m5, s->session->master_key, 199 s->session->master_key_length); 200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH); 201 if ((int)(i + MD5_DIGEST_LENGTH) > num) { 202 EVP_DigestFinal_ex(&m5, smd, NULL); 203 memcpy(km, smd, (num - i)); 204 } else 205 EVP_DigestFinal_ex(&m5, km, NULL); 206 207 km += MD5_DIGEST_LENGTH; 208 } 209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH); 210 EVP_MD_CTX_cleanup(&m5); 211 EVP_MD_CTX_cleanup(&s1); 212 return 1; 213 } 214 215 int ssl3_change_cipher_state(SSL *s, int which) 216 { 217 unsigned char *p, *mac_secret; 218 unsigned char exp_key[EVP_MAX_KEY_LENGTH]; 219 unsigned char exp_iv[EVP_MAX_IV_LENGTH]; 220 unsigned char *ms, *key, *iv, *er1, *er2; 221 EVP_CIPHER_CTX *dd; 222 const EVP_CIPHER *c; 223 #ifndef OPENSSL_NO_COMP 224 COMP_METHOD *comp; 225 #endif 226 const EVP_MD *m; 227 EVP_MD_CTX md; 228 int is_exp, n, i, j, k, cl; 229 int reuse_dd = 0; 230 231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 232 c = s->s3->tmp.new_sym_enc; 233 m = s->s3->tmp.new_hash; 234 /* m == NULL will lead to a crash later */ 235 OPENSSL_assert(m); 236 #ifndef OPENSSL_NO_COMP 237 if (s->s3->tmp.new_compression == NULL) 238 comp = NULL; 239 else 240 comp = s->s3->tmp.new_compression->method; 241 #endif 242 243 if (which & SSL3_CC_READ) { 244 if (s->enc_read_ctx != NULL) 245 reuse_dd = 1; 246 else if ((s->enc_read_ctx = 247 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 248 goto err; 249 else 250 /* 251 * make sure it's intialized in case we exit later with an error 252 */ 253 EVP_CIPHER_CTX_init(s->enc_read_ctx); 254 dd = s->enc_read_ctx; 255 256 ssl_replace_hash(&s->read_hash, m); 257 #ifndef OPENSSL_NO_COMP 258 /* COMPRESS */ 259 if (s->expand != NULL) { 260 COMP_CTX_free(s->expand); 261 s->expand = NULL; 262 } 263 if (comp != NULL) { 264 s->expand = COMP_CTX_new(comp); 265 if (s->expand == NULL) { 266 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 267 SSL_R_COMPRESSION_LIBRARY_ERROR); 268 goto err2; 269 } 270 if (s->s3->rrec.comp == NULL) 271 s->s3->rrec.comp = (unsigned char *) 272 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH); 273 if (s->s3->rrec.comp == NULL) 274 goto err; 275 } 276 #endif 277 memset(&(s->s3->read_sequence[0]), 0, 8); 278 mac_secret = &(s->s3->read_mac_secret[0]); 279 } else { 280 if (s->enc_write_ctx != NULL) 281 reuse_dd = 1; 282 else if ((s->enc_write_ctx = 283 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 284 goto err; 285 else 286 /* 287 * make sure it's intialized in case we exit later with an error 288 */ 289 EVP_CIPHER_CTX_init(s->enc_write_ctx); 290 dd = s->enc_write_ctx; 291 ssl_replace_hash(&s->write_hash, m); 292 #ifndef OPENSSL_NO_COMP 293 /* COMPRESS */ 294 if (s->compress != NULL) { 295 COMP_CTX_free(s->compress); 296 s->compress = NULL; 297 } 298 if (comp != NULL) { 299 s->compress = COMP_CTX_new(comp); 300 if (s->compress == NULL) { 301 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 302 SSL_R_COMPRESSION_LIBRARY_ERROR); 303 goto err2; 304 } 305 } 306 #endif 307 memset(&(s->s3->write_sequence[0]), 0, 8); 308 mac_secret = &(s->s3->write_mac_secret[0]); 309 } 310 311 if (reuse_dd) 312 EVP_CIPHER_CTX_cleanup(dd); 313 314 p = s->s3->tmp.key_block; 315 i = EVP_MD_size(m); 316 if (i < 0) 317 goto err2; 318 cl = EVP_CIPHER_key_length(c); 319 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 320 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 321 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ 322 k = EVP_CIPHER_iv_length(c); 323 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 324 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 325 ms = &(p[0]); 326 n = i + i; 327 key = &(p[n]); 328 n += j + j; 329 iv = &(p[n]); 330 n += k + k; 331 er1 = &(s->s3->client_random[0]); 332 er2 = &(s->s3->server_random[0]); 333 } else { 334 n = i; 335 ms = &(p[n]); 336 n += i + j; 337 key = &(p[n]); 338 n += j + k; 339 iv = &(p[n]); 340 n += k; 341 er1 = &(s->s3->server_random[0]); 342 er2 = &(s->s3->client_random[0]); 343 } 344 345 if (n > s->s3->tmp.key_block_length) { 346 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 347 goto err2; 348 } 349 350 EVP_MD_CTX_init(&md); 351 memcpy(mac_secret, ms, i); 352 if (is_exp) { 353 /* 354 * In here I set both the read and write key/iv to the same value 355 * since only the correct one will be used :-). 356 */ 357 EVP_DigestInit_ex(&md, EVP_md5(), NULL); 358 EVP_DigestUpdate(&md, key, j); 359 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE); 360 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE); 361 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL); 362 key = &(exp_key[0]); 363 364 if (k > 0) { 365 EVP_DigestInit_ex(&md, EVP_md5(), NULL); 366 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE); 367 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE); 368 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL); 369 iv = &(exp_iv[0]); 370 } 371 } 372 373 s->session->key_arg_length = 0; 374 375 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)); 376 377 #ifdef OPENSSL_SSL_TRACE_CRYPTO 378 if (s->msg_callback) { 379 380 int wh = which & SSL3_CC_WRITE ? 381 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ; 382 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC, 383 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg); 384 if (c->key_len) 385 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY, 386 key, c->key_len, s, s->msg_callback_arg); 387 if (k) { 388 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV, 389 iv, k, s, s->msg_callback_arg); 390 } 391 } 392 #endif 393 394 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key)); 395 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv)); 396 EVP_MD_CTX_cleanup(&md); 397 return (1); 398 err: 399 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 400 err2: 401 return (0); 402 } 403 404 int ssl3_setup_key_block(SSL *s) 405 { 406 unsigned char *p; 407 const EVP_CIPHER *c; 408 const EVP_MD *hash; 409 int num; 410 int ret = 0; 411 SSL_COMP *comp; 412 413 if (s->s3->tmp.key_block_length != 0) 414 return (1); 415 416 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) { 417 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 418 return (0); 419 } 420 421 s->s3->tmp.new_sym_enc = c; 422 s->s3->tmp.new_hash = hash; 423 #ifdef OPENSSL_NO_COMP 424 s->s3->tmp.new_compression = NULL; 425 #else 426 s->s3->tmp.new_compression = comp; 427 #endif 428 429 num = EVP_MD_size(hash); 430 if (num < 0) 431 return 0; 432 433 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); 434 num *= 2; 435 436 ssl3_cleanup_key_block(s); 437 438 if ((p = OPENSSL_malloc(num)) == NULL) 439 goto err; 440 441 s->s3->tmp.key_block_length = num; 442 s->s3->tmp.key_block = p; 443 444 ret = ssl3_generate_key_block(s, p, num); 445 446 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { 447 /* 448 * enable vulnerability countermeasure for CBC ciphers with known-IV 449 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 450 */ 451 s->s3->need_empty_fragments = 1; 452 453 if (s->session->cipher != NULL) { 454 if (s->session->cipher->algorithm_enc == SSL_eNULL) 455 s->s3->need_empty_fragments = 0; 456 457 #ifndef OPENSSL_NO_RC4 458 if (s->session->cipher->algorithm_enc == SSL_RC4) 459 s->s3->need_empty_fragments = 0; 460 #endif 461 } 462 } 463 464 return ret; 465 466 err: 467 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 468 return (0); 469 } 470 471 void ssl3_cleanup_key_block(SSL *s) 472 { 473 if (s->s3->tmp.key_block != NULL) { 474 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); 475 OPENSSL_free(s->s3->tmp.key_block); 476 s->s3->tmp.key_block = NULL; 477 } 478 s->s3->tmp.key_block_length = 0; 479 } 480 481 /*- 482 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 483 * 484 * Returns: 485 * 0: (in non-constant time) if the record is publically invalid (i.e. too 486 * short etc). 487 * 1: if the record's padding is valid / the encryption was successful. 488 * -1: if the record's padding is invalid or, if sending, an internal error 489 * occured. 490 */ 491 int ssl3_enc(SSL *s, int send) 492 { 493 SSL3_RECORD *rec; 494 EVP_CIPHER_CTX *ds; 495 unsigned long l; 496 int bs, i, mac_size = 0; 497 const EVP_CIPHER *enc; 498 499 if (send) { 500 ds = s->enc_write_ctx; 501 rec = &(s->s3->wrec); 502 if (s->enc_write_ctx == NULL) 503 enc = NULL; 504 else 505 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 506 } else { 507 ds = s->enc_read_ctx; 508 rec = &(s->s3->rrec); 509 if (s->enc_read_ctx == NULL) 510 enc = NULL; 511 else 512 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 513 } 514 515 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 516 memmove(rec->data, rec->input, rec->length); 517 rec->input = rec->data; 518 } else { 519 l = rec->length; 520 bs = EVP_CIPHER_block_size(ds->cipher); 521 522 /* COMPRESS */ 523 524 if ((bs != 1) && send) { 525 i = bs - ((int)l % bs); 526 527 /* we need to add 'i-1' padding bytes */ 528 l += i; 529 /* 530 * the last of these zero bytes will be overwritten with the 531 * padding length. 532 */ 533 memset(&rec->input[rec->length], 0, i); 534 rec->length += i; 535 rec->input[l - 1] = (i - 1); 536 } 537 538 if (!send) { 539 if (l == 0 || l % bs != 0) 540 return 0; 541 /* otherwise, rec->length >= bs */ 542 } 543 544 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1) 545 return -1; 546 547 if (EVP_MD_CTX_md(s->read_hash) != NULL) 548 mac_size = EVP_MD_CTX_size(s->read_hash); 549 if ((bs != 1) && !send) 550 return ssl3_cbc_remove_padding(s, rec, bs, mac_size); 551 } 552 return (1); 553 } 554 555 void ssl3_init_finished_mac(SSL *s) 556 { 557 if (s->s3->handshake_buffer) 558 BIO_free(s->s3->handshake_buffer); 559 if (s->s3->handshake_dgst) 560 ssl3_free_digest_list(s); 561 s->s3->handshake_buffer = BIO_new(BIO_s_mem()); 562 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); 563 } 564 565 void ssl3_free_digest_list(SSL *s) 566 { 567 int i; 568 if (!s->s3->handshake_dgst) 569 return; 570 for (i = 0; i < SSL_MAX_DIGEST; i++) { 571 if (s->s3->handshake_dgst[i]) 572 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]); 573 } 574 OPENSSL_free(s->s3->handshake_dgst); 575 s->s3->handshake_dgst = NULL; 576 } 577 578 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) 579 { 580 if (s->s3->handshake_buffer 581 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 582 BIO_write(s->s3->handshake_buffer, (void *)buf, len); 583 } else { 584 int i; 585 for (i = 0; i < SSL_MAX_DIGEST; i++) { 586 if (s->s3->handshake_dgst[i] != NULL) 587 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len); 588 } 589 } 590 } 591 592 int ssl3_digest_cached_records(SSL *s) 593 { 594 int i; 595 long mask; 596 const EVP_MD *md; 597 long hdatalen; 598 void *hdata; 599 600 /* Allocate handshake_dgst array */ 601 ssl3_free_digest_list(s); 602 s->s3->handshake_dgst = 603 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); 604 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); 605 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 606 if (hdatalen <= 0) { 607 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH); 608 return 0; 609 } 610 611 /* Loop through bitso of algorithm2 field and create MD_CTX-es */ 612 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) { 613 if ((mask & ssl_get_algorithm2(s)) && md) { 614 s->s3->handshake_dgst[i] = EVP_MD_CTX_create(); 615 #ifdef OPENSSL_FIPS 616 if (EVP_MD_nid(md) == NID_md5) { 617 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], 618 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 619 } 620 #endif 621 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL); 622 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen); 623 } else { 624 s->s3->handshake_dgst[i] = NULL; 625 } 626 } 627 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 628 /* Free handshake_buffer BIO */ 629 BIO_free(s->s3->handshake_buffer); 630 s->s3->handshake_buffer = NULL; 631 } 632 633 return 1; 634 } 635 636 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p) 637 { 638 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p)); 639 } 640 641 int ssl3_final_finish_mac(SSL *s, 642 const char *sender, int len, unsigned char *p) 643 { 644 int ret, sha1len; 645 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p); 646 if (ret == 0) 647 return 0; 648 649 p += ret; 650 651 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p); 652 if (sha1len == 0) 653 return 0; 654 655 ret += sha1len; 656 return (ret); 657 } 658 659 static int ssl3_handshake_mac(SSL *s, int md_nid, 660 const char *sender, int len, unsigned char *p) 661 { 662 unsigned int ret; 663 int npad, n; 664 unsigned int i; 665 unsigned char md_buf[EVP_MAX_MD_SIZE]; 666 EVP_MD_CTX ctx, *d = NULL; 667 668 if (s->s3->handshake_buffer) 669 if (!ssl3_digest_cached_records(s)) 670 return 0; 671 672 /* 673 * Search for digest of specified type in the handshake_dgst array 674 */ 675 for (i = 0; i < SSL_MAX_DIGEST; i++) { 676 if (s->s3->handshake_dgst[i] 677 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { 678 d = s->s3->handshake_dgst[i]; 679 break; 680 } 681 } 682 if (!d) { 683 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST); 684 return 0; 685 } 686 EVP_MD_CTX_init(&ctx); 687 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 688 EVP_MD_CTX_copy_ex(&ctx, d); 689 n = EVP_MD_CTX_size(&ctx); 690 if (n < 0) 691 return 0; 692 693 npad = (48 / n) * n; 694 if (sender != NULL) 695 EVP_DigestUpdate(&ctx, sender, len); 696 EVP_DigestUpdate(&ctx, s->session->master_key, 697 s->session->master_key_length); 698 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad); 699 EVP_DigestFinal_ex(&ctx, md_buf, &i); 700 701 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL); 702 EVP_DigestUpdate(&ctx, s->session->master_key, 703 s->session->master_key_length); 704 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad); 705 EVP_DigestUpdate(&ctx, md_buf, i); 706 EVP_DigestFinal_ex(&ctx, p, &ret); 707 708 EVP_MD_CTX_cleanup(&ctx); 709 710 return ((int)ret); 711 } 712 713 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) 714 { 715 SSL3_RECORD *rec; 716 unsigned char *mac_sec, *seq; 717 EVP_MD_CTX md_ctx; 718 const EVP_MD_CTX *hash; 719 unsigned char *p, rec_char; 720 size_t md_size, orig_len; 721 int npad; 722 int t; 723 724 if (send) { 725 rec = &(ssl->s3->wrec); 726 mac_sec = &(ssl->s3->write_mac_secret[0]); 727 seq = &(ssl->s3->write_sequence[0]); 728 hash = ssl->write_hash; 729 } else { 730 rec = &(ssl->s3->rrec); 731 mac_sec = &(ssl->s3->read_mac_secret[0]); 732 seq = &(ssl->s3->read_sequence[0]); 733 hash = ssl->read_hash; 734 } 735 736 t = EVP_MD_CTX_size(hash); 737 if (t < 0) 738 return -1; 739 md_size = t; 740 npad = (48 / md_size) * md_size; 741 742 /* 743 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type 744 */ 745 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); 746 rec->type &= 0xff; 747 748 if (!send && 749 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 750 ssl3_cbc_record_digest_supported(hash)) { 751 /* 752 * This is a CBC-encrypted record. We must avoid leaking any 753 * timing-side channel information about how many blocks of data we 754 * are hashing because that gives an attacker a timing-oracle. 755 */ 756 757 /*- 758 * npad is, at most, 48 bytes and that's with MD5: 759 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. 760 * 761 * With SHA-1 (the largest hash speced for SSLv3) the hash size 762 * goes up 4, but npad goes down by 8, resulting in a smaller 763 * total size. 764 */ 765 unsigned char header[75]; 766 unsigned j = 0; 767 memcpy(header + j, mac_sec, md_size); 768 j += md_size; 769 memcpy(header + j, ssl3_pad_1, npad); 770 j += npad; 771 memcpy(header + j, seq, 8); 772 j += 8; 773 header[j++] = rec->type; 774 header[j++] = rec->length >> 8; 775 header[j++] = rec->length & 0xff; 776 777 /* Final param == is SSLv3 */ 778 ssl3_cbc_digest_record(hash, 779 md, &md_size, 780 header, rec->input, 781 rec->length + md_size, orig_len, 782 mac_sec, md_size, 1); 783 } else { 784 unsigned int md_size_u; 785 /* Chop the digest off the end :-) */ 786 EVP_MD_CTX_init(&md_ctx); 787 788 EVP_MD_CTX_copy_ex(&md_ctx, hash); 789 EVP_DigestUpdate(&md_ctx, mac_sec, md_size); 790 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad); 791 EVP_DigestUpdate(&md_ctx, seq, 8); 792 rec_char = rec->type; 793 EVP_DigestUpdate(&md_ctx, &rec_char, 1); 794 p = md; 795 s2n(rec->length, p); 796 EVP_DigestUpdate(&md_ctx, md, 2); 797 EVP_DigestUpdate(&md_ctx, rec->input, rec->length); 798 EVP_DigestFinal_ex(&md_ctx, md, NULL); 799 800 EVP_MD_CTX_copy_ex(&md_ctx, hash); 801 EVP_DigestUpdate(&md_ctx, mac_sec, md_size); 802 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad); 803 EVP_DigestUpdate(&md_ctx, md, md_size); 804 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u); 805 md_size = md_size_u; 806 807 EVP_MD_CTX_cleanup(&md_ctx); 808 } 809 810 ssl3_record_sequence_update(seq); 811 return (md_size); 812 } 813 814 void ssl3_record_sequence_update(unsigned char *seq) 815 { 816 int i; 817 818 for (i = 7; i >= 0; i--) { 819 ++seq[i]; 820 if (seq[i] != 0) 821 break; 822 } 823 } 824 825 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 826 int len) 827 { 828 static const unsigned char *salt[3] = { 829 #ifndef CHARSET_EBCDIC 830 (const unsigned char *)"A", 831 (const unsigned char *)"BB", 832 (const unsigned char *)"CCC", 833 #else 834 (const unsigned char *)"\x41", 835 (const unsigned char *)"\x42\x42", 836 (const unsigned char *)"\x43\x43\x43", 837 #endif 838 }; 839 unsigned char buf[EVP_MAX_MD_SIZE]; 840 EVP_MD_CTX ctx; 841 int i, ret = 0; 842 unsigned int n; 843 #ifdef OPENSSL_SSL_TRACE_CRYPTO 844 unsigned char *tmpout = out; 845 #endif 846 847 EVP_MD_CTX_init(&ctx); 848 for (i = 0; i < 3; i++) { 849 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL); 850 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i])); 851 EVP_DigestUpdate(&ctx, p, len); 852 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 853 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 854 EVP_DigestFinal_ex(&ctx, buf, &n); 855 856 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL); 857 EVP_DigestUpdate(&ctx, p, len); 858 EVP_DigestUpdate(&ctx, buf, n); 859 EVP_DigestFinal_ex(&ctx, out, &n); 860 out += n; 861 ret += n; 862 } 863 EVP_MD_CTX_cleanup(&ctx); 864 865 #ifdef OPENSSL_SSL_TRACE_CRYPTO 866 if (s->msg_callback) { 867 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER, 868 p, len, s, s->msg_callback_arg); 869 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM, 870 s->s3->client_random, SSL3_RANDOM_SIZE, 871 s, s->msg_callback_arg); 872 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM, 873 s->s3->server_random, SSL3_RANDOM_SIZE, 874 s, s->msg_callback_arg); 875 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER, 876 tmpout, SSL3_MASTER_SECRET_SIZE, 877 s, s->msg_callback_arg); 878 } 879 #endif 880 OPENSSL_cleanse(buf, sizeof buf); 881 return (ret); 882 } 883 884 int ssl3_alert_code(int code) 885 { 886 switch (code) { 887 case SSL_AD_CLOSE_NOTIFY: 888 return (SSL3_AD_CLOSE_NOTIFY); 889 case SSL_AD_UNEXPECTED_MESSAGE: 890 return (SSL3_AD_UNEXPECTED_MESSAGE); 891 case SSL_AD_BAD_RECORD_MAC: 892 return (SSL3_AD_BAD_RECORD_MAC); 893 case SSL_AD_DECRYPTION_FAILED: 894 return (SSL3_AD_BAD_RECORD_MAC); 895 case SSL_AD_RECORD_OVERFLOW: 896 return (SSL3_AD_BAD_RECORD_MAC); 897 case SSL_AD_DECOMPRESSION_FAILURE: 898 return (SSL3_AD_DECOMPRESSION_FAILURE); 899 case SSL_AD_HANDSHAKE_FAILURE: 900 return (SSL3_AD_HANDSHAKE_FAILURE); 901 case SSL_AD_NO_CERTIFICATE: 902 return (SSL3_AD_NO_CERTIFICATE); 903 case SSL_AD_BAD_CERTIFICATE: 904 return (SSL3_AD_BAD_CERTIFICATE); 905 case SSL_AD_UNSUPPORTED_CERTIFICATE: 906 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 907 case SSL_AD_CERTIFICATE_REVOKED: 908 return (SSL3_AD_CERTIFICATE_REVOKED); 909 case SSL_AD_CERTIFICATE_EXPIRED: 910 return (SSL3_AD_CERTIFICATE_EXPIRED); 911 case SSL_AD_CERTIFICATE_UNKNOWN: 912 return (SSL3_AD_CERTIFICATE_UNKNOWN); 913 case SSL_AD_ILLEGAL_PARAMETER: 914 return (SSL3_AD_ILLEGAL_PARAMETER); 915 case SSL_AD_UNKNOWN_CA: 916 return (SSL3_AD_BAD_CERTIFICATE); 917 case SSL_AD_ACCESS_DENIED: 918 return (SSL3_AD_HANDSHAKE_FAILURE); 919 case SSL_AD_DECODE_ERROR: 920 return (SSL3_AD_HANDSHAKE_FAILURE); 921 case SSL_AD_DECRYPT_ERROR: 922 return (SSL3_AD_HANDSHAKE_FAILURE); 923 case SSL_AD_EXPORT_RESTRICTION: 924 return (SSL3_AD_HANDSHAKE_FAILURE); 925 case SSL_AD_PROTOCOL_VERSION: 926 return (SSL3_AD_HANDSHAKE_FAILURE); 927 case SSL_AD_INSUFFICIENT_SECURITY: 928 return (SSL3_AD_HANDSHAKE_FAILURE); 929 case SSL_AD_INTERNAL_ERROR: 930 return (SSL3_AD_HANDSHAKE_FAILURE); 931 case SSL_AD_USER_CANCELLED: 932 return (SSL3_AD_HANDSHAKE_FAILURE); 933 case SSL_AD_NO_RENEGOTIATION: 934 return (-1); /* Don't send it :-) */ 935 case SSL_AD_UNSUPPORTED_EXTENSION: 936 return (SSL3_AD_HANDSHAKE_FAILURE); 937 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 938 return (SSL3_AD_HANDSHAKE_FAILURE); 939 case SSL_AD_UNRECOGNIZED_NAME: 940 return (SSL3_AD_HANDSHAKE_FAILURE); 941 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 942 return (SSL3_AD_HANDSHAKE_FAILURE); 943 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 944 return (SSL3_AD_HANDSHAKE_FAILURE); 945 case SSL_AD_UNKNOWN_PSK_IDENTITY: 946 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 947 case SSL_AD_INAPPROPRIATE_FALLBACK: 948 return (TLS1_AD_INAPPROPRIATE_FALLBACK); 949 default: 950 return (-1); 951 } 952 } 953