xref: /freebsd/crypto/openssl/ssl/s3_enc.c (revision 4b330699f819a81d8e34d471225143ffeb321855)
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137 
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
142 
143 static unsigned char ssl3_pad_1[48] = {
144     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 };
151 
152 static unsigned char ssl3_pad_2[48] = {
153     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 };
160 
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162                               const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 {
165     EVP_MD_CTX m5;
166     EVP_MD_CTX s1;
167     unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168     unsigned char c = 'A';
169     unsigned int i, j, k;
170 
171 #ifdef CHARSET_EBCDIC
172     c = os_toascii[c];          /* 'A' in ASCII */
173 #endif
174     k = 0;
175     EVP_MD_CTX_init(&m5);
176     EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177     EVP_MD_CTX_init(&s1);
178     for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179         k++;
180         if (k > sizeof(buf))
181             /* bug: 'buf' is too small for this ciphersuite */
182             goto err;
183 
184         for (j = 0; j < k; j++)
185             buf[j] = c;
186         c++;
187         if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) ||
188             !EVP_DigestUpdate(&s1, buf, k) ||
189             !EVP_DigestUpdate(&s1, s->session->master_key,
190                               s->session->master_key_length) ||
191             !EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) ||
192             !EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) ||
193             !EVP_DigestFinal_ex(&s1, smd, NULL))
194             goto err2;
195 
196         if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) ||
197             !EVP_DigestUpdate(&m5, s->session->master_key,
198                               s->session->master_key_length) ||
199             !EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH))
200             goto err2;
201         if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202             if (!EVP_DigestFinal_ex(&m5, smd, NULL))
203                 goto err2;
204             memcpy(km, smd, (num - i));
205         } else
206             if (!EVP_DigestFinal_ex(&m5, km, NULL))
207                 goto err2;
208 
209         km += MD5_DIGEST_LENGTH;
210     }
211     OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
212     EVP_MD_CTX_cleanup(&m5);
213     EVP_MD_CTX_cleanup(&s1);
214     return 1;
215  err:
216     SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
217  err2:
218     EVP_MD_CTX_cleanup(&m5);
219     EVP_MD_CTX_cleanup(&s1);
220     return 0;
221 }
222 
223 int ssl3_change_cipher_state(SSL *s, int which)
224 {
225     unsigned char *p, *mac_secret;
226     unsigned char exp_key[EVP_MAX_KEY_LENGTH];
227     unsigned char exp_iv[EVP_MAX_IV_LENGTH];
228     unsigned char *ms, *key, *iv, *er1, *er2;
229     EVP_CIPHER_CTX *dd;
230     const EVP_CIPHER *c;
231 #ifndef OPENSSL_NO_COMP
232     COMP_METHOD *comp;
233 #endif
234     const EVP_MD *m;
235     EVP_MD_CTX md;
236     int is_exp, n, i, j, k, cl;
237     int reuse_dd = 0;
238 
239     is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
240     c = s->s3->tmp.new_sym_enc;
241     m = s->s3->tmp.new_hash;
242     /* m == NULL will lead to a crash later */
243     OPENSSL_assert(m);
244 #ifndef OPENSSL_NO_COMP
245     if (s->s3->tmp.new_compression == NULL)
246         comp = NULL;
247     else
248         comp = s->s3->tmp.new_compression->method;
249 #endif
250 
251     if (which & SSL3_CC_READ) {
252         if (s->enc_read_ctx != NULL)
253             reuse_dd = 1;
254         else if ((s->enc_read_ctx =
255                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
256             goto err;
257         else
258             /*
259              * make sure it's intialized in case we exit later with an error
260              */
261             EVP_CIPHER_CTX_init(s->enc_read_ctx);
262         dd = s->enc_read_ctx;
263 
264         if (ssl_replace_hash(&s->read_hash, m) == NULL) {
265                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
266                 goto err2;
267         }
268 #ifndef OPENSSL_NO_COMP
269         /* COMPRESS */
270         if (s->expand != NULL) {
271             COMP_CTX_free(s->expand);
272             s->expand = NULL;
273         }
274         if (comp != NULL) {
275             s->expand = COMP_CTX_new(comp);
276             if (s->expand == NULL) {
277                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
278                        SSL_R_COMPRESSION_LIBRARY_ERROR);
279                 goto err2;
280             }
281             if (s->s3->rrec.comp == NULL)
282                 s->s3->rrec.comp = (unsigned char *)
283                     OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
284             if (s->s3->rrec.comp == NULL)
285                 goto err;
286         }
287 #endif
288         memset(&(s->s3->read_sequence[0]), 0, 8);
289         mac_secret = &(s->s3->read_mac_secret[0]);
290     } else {
291         if (s->enc_write_ctx != NULL)
292             reuse_dd = 1;
293         else if ((s->enc_write_ctx =
294                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
295             goto err;
296         else
297             /*
298              * make sure it's intialized in case we exit later with an error
299              */
300             EVP_CIPHER_CTX_init(s->enc_write_ctx);
301         dd = s->enc_write_ctx;
302         if (ssl_replace_hash(&s->write_hash, m) == NULL) {
303                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
304                 goto err2;
305         }
306 #ifndef OPENSSL_NO_COMP
307         /* COMPRESS */
308         if (s->compress != NULL) {
309             COMP_CTX_free(s->compress);
310             s->compress = NULL;
311         }
312         if (comp != NULL) {
313             s->compress = COMP_CTX_new(comp);
314             if (s->compress == NULL) {
315                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
316                        SSL_R_COMPRESSION_LIBRARY_ERROR);
317                 goto err2;
318             }
319         }
320 #endif
321         memset(&(s->s3->write_sequence[0]), 0, 8);
322         mac_secret = &(s->s3->write_mac_secret[0]);
323     }
324 
325     if (reuse_dd)
326         EVP_CIPHER_CTX_cleanup(dd);
327 
328     p = s->s3->tmp.key_block;
329     i = EVP_MD_size(m);
330     if (i < 0)
331         goto err2;
332     cl = EVP_CIPHER_key_length(c);
333     j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
334                   cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
335     /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
336     k = EVP_CIPHER_iv_length(c);
337     if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
338         (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
339         ms = &(p[0]);
340         n = i + i;
341         key = &(p[n]);
342         n += j + j;
343         iv = &(p[n]);
344         n += k + k;
345         er1 = &(s->s3->client_random[0]);
346         er2 = &(s->s3->server_random[0]);
347     } else {
348         n = i;
349         ms = &(p[n]);
350         n += i + j;
351         key = &(p[n]);
352         n += j + k;
353         iv = &(p[n]);
354         n += k;
355         er1 = &(s->s3->server_random[0]);
356         er2 = &(s->s3->client_random[0]);
357     }
358 
359     if (n > s->s3->tmp.key_block_length) {
360         SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
361         goto err2;
362     }
363 
364     EVP_MD_CTX_init(&md);
365     memcpy(mac_secret, ms, i);
366     if (is_exp) {
367         /*
368          * In here I set both the read and write key/iv to the same value
369          * since only the correct one will be used :-).
370          */
371         if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
372             !EVP_DigestUpdate(&md, key, j) ||
373             !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
374             !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
375             !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
376             EVP_MD_CTX_cleanup(&md);
377             goto err2;
378         }
379         key = &(exp_key[0]);
380 
381         if (k > 0) {
382             if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
383                 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
384                 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
385                 !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
386                 EVP_MD_CTX_cleanup(&md);
387                 goto err2;
388             }
389             iv = &(exp_iv[0]);
390         }
391     }
392     EVP_MD_CTX_cleanup(&md);
393 
394     s->session->key_arg_length = 0;
395 
396     if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)))
397         goto err2;
398 
399 #ifdef OPENSSL_SSL_TRACE_CRYPTO
400     if (s->msg_callback) {
401 
402         int wh = which & SSL3_CC_WRITE ?
403             TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
404         s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
405                         mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
406         if (c->key_len)
407             s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
408                             key, c->key_len, s, s->msg_callback_arg);
409         if (k) {
410             s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
411                             iv, k, s, s->msg_callback_arg);
412         }
413     }
414 #endif
415 
416     OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
417     OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
418     return (1);
419  err:
420     SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
421  err2:
422     return (0);
423 }
424 
425 int ssl3_setup_key_block(SSL *s)
426 {
427     unsigned char *p;
428     const EVP_CIPHER *c;
429     const EVP_MD *hash;
430     int num;
431     int ret = 0;
432     SSL_COMP *comp;
433 
434     if (s->s3->tmp.key_block_length != 0)
435         return (1);
436 
437     if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
438         SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
439         return (0);
440     }
441 
442     s->s3->tmp.new_sym_enc = c;
443     s->s3->tmp.new_hash = hash;
444 #ifdef OPENSSL_NO_COMP
445     s->s3->tmp.new_compression = NULL;
446 #else
447     s->s3->tmp.new_compression = comp;
448 #endif
449 
450     num = EVP_MD_size(hash);
451     if (num < 0)
452         return 0;
453 
454     num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
455     num *= 2;
456 
457     ssl3_cleanup_key_block(s);
458 
459     if ((p = OPENSSL_malloc(num)) == NULL)
460         goto err;
461 
462     s->s3->tmp.key_block_length = num;
463     s->s3->tmp.key_block = p;
464 
465     ret = ssl3_generate_key_block(s, p, num);
466 
467     if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
468         /*
469          * enable vulnerability countermeasure for CBC ciphers with known-IV
470          * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
471          */
472         s->s3->need_empty_fragments = 1;
473 
474         if (s->session->cipher != NULL) {
475             if (s->session->cipher->algorithm_enc == SSL_eNULL)
476                 s->s3->need_empty_fragments = 0;
477 
478 #ifndef OPENSSL_NO_RC4
479             if (s->session->cipher->algorithm_enc == SSL_RC4)
480                 s->s3->need_empty_fragments = 0;
481 #endif
482         }
483     }
484 
485     return ret;
486 
487  err:
488     SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
489     return (0);
490 }
491 
492 void ssl3_cleanup_key_block(SSL *s)
493 {
494     if (s->s3->tmp.key_block != NULL) {
495         OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
496         OPENSSL_free(s->s3->tmp.key_block);
497         s->s3->tmp.key_block = NULL;
498     }
499     s->s3->tmp.key_block_length = 0;
500 }
501 
502 /*-
503  * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
504  *
505  * Returns:
506  *   0: (in non-constant time) if the record is publically invalid (i.e. too
507  *       short etc).
508  *   1: if the record's padding is valid / the encryption was successful.
509  *   -1: if the record's padding is invalid or, if sending, an internal error
510  *       occured.
511  */
512 int ssl3_enc(SSL *s, int send)
513 {
514     SSL3_RECORD *rec;
515     EVP_CIPHER_CTX *ds;
516     unsigned long l;
517     int bs, i, mac_size = 0;
518     const EVP_CIPHER *enc;
519 
520     if (send) {
521         ds = s->enc_write_ctx;
522         rec = &(s->s3->wrec);
523         if (s->enc_write_ctx == NULL)
524             enc = NULL;
525         else
526             enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
527     } else {
528         ds = s->enc_read_ctx;
529         rec = &(s->s3->rrec);
530         if (s->enc_read_ctx == NULL)
531             enc = NULL;
532         else
533             enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
534     }
535 
536     if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
537         memmove(rec->data, rec->input, rec->length);
538         rec->input = rec->data;
539     } else {
540         l = rec->length;
541         bs = EVP_CIPHER_block_size(ds->cipher);
542 
543         /* COMPRESS */
544 
545         if ((bs != 1) && send) {
546             i = bs - ((int)l % bs);
547 
548             /* we need to add 'i-1' padding bytes */
549             l += i;
550             /*
551              * the last of these zero bytes will be overwritten with the
552              * padding length.
553              */
554             memset(&rec->input[rec->length], 0, i);
555             rec->length += i;
556             rec->input[l - 1] = (i - 1);
557         }
558 
559         if (!send) {
560             if (l == 0 || l % bs != 0)
561                 return 0;
562             /* otherwise, rec->length >= bs */
563         }
564 
565         if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
566             return -1;
567 
568         if (EVP_MD_CTX_md(s->read_hash) != NULL)
569             mac_size = EVP_MD_CTX_size(s->read_hash);
570         if ((bs != 1) && !send)
571             return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
572     }
573     return 1;
574 }
575 
576 int ssl3_init_finished_mac(SSL *s)
577 {
578     if (s->s3->handshake_buffer)
579         BIO_free(s->s3->handshake_buffer);
580     if (s->s3->handshake_dgst)
581         ssl3_free_digest_list(s);
582     s->s3->handshake_buffer = BIO_new(BIO_s_mem());
583     if (s->s3->handshake_buffer == NULL)
584         return 0;
585     (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
586     return 1;
587 }
588 
589 void ssl3_free_digest_list(SSL *s)
590 {
591     int i;
592     if (!s->s3->handshake_dgst)
593         return;
594     for (i = 0; i < SSL_MAX_DIGEST; i++) {
595         if (s->s3->handshake_dgst[i])
596             EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
597     }
598     OPENSSL_free(s->s3->handshake_dgst);
599     s->s3->handshake_dgst = NULL;
600 }
601 
602 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
603 {
604     if (s->s3->handshake_buffer
605         && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
606         BIO_write(s->s3->handshake_buffer, (void *)buf, len);
607     } else {
608         int i;
609         for (i = 0; i < SSL_MAX_DIGEST; i++) {
610             if (s->s3->handshake_dgst[i] != NULL)
611                 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
612         }
613     }
614 }
615 
616 int ssl3_digest_cached_records(SSL *s)
617 {
618     int i;
619     long mask;
620     const EVP_MD *md;
621     long hdatalen;
622     void *hdata;
623 
624     /* Allocate handshake_dgst array */
625     ssl3_free_digest_list(s);
626     s->s3->handshake_dgst =
627         OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
628     if (s->s3->handshake_dgst == NULL) {
629         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
630         return 0;
631     }
632     memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
633     hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
634     if (hdatalen <= 0) {
635         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
636         return 0;
637     }
638 
639     /* Loop through bitso of algorithm2 field and create MD_CTX-es */
640     for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
641         if ((mask & ssl_get_algorithm2(s)) && md) {
642             s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
643             if (s->s3->handshake_dgst[i] == NULL) {
644                 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
645                 return 0;
646             }
647 #ifdef OPENSSL_FIPS
648             if (EVP_MD_nid(md) == NID_md5) {
649                 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
650                                      EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
651             }
652 #endif
653             if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)
654                 || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
655                                      hdatalen)) {
656                 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
657                 return 0;
658             }
659         } else {
660             s->s3->handshake_dgst[i] = NULL;
661         }
662     }
663     if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
664         /* Free handshake_buffer BIO */
665         BIO_free(s->s3->handshake_buffer);
666         s->s3->handshake_buffer = NULL;
667     }
668 
669     return 1;
670 }
671 
672 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
673 {
674     return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
675 }
676 
677 int ssl3_final_finish_mac(SSL *s,
678                           const char *sender, int len, unsigned char *p)
679 {
680     int ret, sha1len;
681     ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
682     if (ret == 0)
683         return 0;
684 
685     p += ret;
686 
687     sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
688     if (sha1len == 0)
689         return 0;
690 
691     ret += sha1len;
692     return (ret);
693 }
694 
695 static int ssl3_handshake_mac(SSL *s, int md_nid,
696                               const char *sender, int len, unsigned char *p)
697 {
698     unsigned int ret;
699     int npad, n;
700     unsigned int i;
701     unsigned char md_buf[EVP_MAX_MD_SIZE];
702     EVP_MD_CTX ctx, *d = NULL;
703 
704     if (s->s3->handshake_buffer)
705         if (!ssl3_digest_cached_records(s))
706             return 0;
707 
708     /*
709      * Search for digest of specified type in the handshake_dgst array
710      */
711     for (i = 0; i < SSL_MAX_DIGEST; i++) {
712         if (s->s3->handshake_dgst[i]
713             && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
714             d = s->s3->handshake_dgst[i];
715             break;
716         }
717     }
718     if (!d) {
719         SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
720         return 0;
721     }
722     EVP_MD_CTX_init(&ctx);
723     EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
724     EVP_MD_CTX_copy_ex(&ctx, d);
725     n = EVP_MD_CTX_size(&ctx);
726     if (n < 0)
727         return 0;
728 
729     npad = (48 / n) * n;
730     if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
731             || EVP_DigestUpdate(&ctx, s->session->master_key,
732                                 s->session->master_key_length) <= 0
733             || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
734             || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
735 
736             || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
737             || EVP_DigestUpdate(&ctx, s->session->master_key,
738                                 s->session->master_key_length) <= 0
739             || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
740             || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
741             || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
742         SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
743         ret = 0;
744     }
745 
746     EVP_MD_CTX_cleanup(&ctx);
747 
748     return ((int)ret);
749 }
750 
751 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
752 {
753     SSL3_RECORD *rec;
754     unsigned char *mac_sec, *seq;
755     EVP_MD_CTX md_ctx;
756     const EVP_MD_CTX *hash;
757     unsigned char *p, rec_char;
758     size_t md_size, orig_len;
759     int npad;
760     int t;
761 
762     if (send) {
763         rec = &(ssl->s3->wrec);
764         mac_sec = &(ssl->s3->write_mac_secret[0]);
765         seq = &(ssl->s3->write_sequence[0]);
766         hash = ssl->write_hash;
767     } else {
768         rec = &(ssl->s3->rrec);
769         mac_sec = &(ssl->s3->read_mac_secret[0]);
770         seq = &(ssl->s3->read_sequence[0]);
771         hash = ssl->read_hash;
772     }
773 
774     t = EVP_MD_CTX_size(hash);
775     if (t < 0)
776         return -1;
777     md_size = t;
778     npad = (48 / md_size) * md_size;
779 
780     /*
781      * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
782      */
783     orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
784     rec->type &= 0xff;
785 
786     if (!send &&
787         EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
788         ssl3_cbc_record_digest_supported(hash)) {
789         /*
790          * This is a CBC-encrypted record. We must avoid leaking any
791          * timing-side channel information about how many blocks of data we
792          * are hashing because that gives an attacker a timing-oracle.
793          */
794 
795         /*-
796          * npad is, at most, 48 bytes and that's with MD5:
797          *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
798          *
799          * With SHA-1 (the largest hash speced for SSLv3) the hash size
800          * goes up 4, but npad goes down by 8, resulting in a smaller
801          * total size.
802          */
803         unsigned char header[75];
804         unsigned j = 0;
805         memcpy(header + j, mac_sec, md_size);
806         j += md_size;
807         memcpy(header + j, ssl3_pad_1, npad);
808         j += npad;
809         memcpy(header + j, seq, 8);
810         j += 8;
811         header[j++] = rec->type;
812         header[j++] = rec->length >> 8;
813         header[j++] = rec->length & 0xff;
814 
815         /* Final param == is SSLv3 */
816         if (ssl3_cbc_digest_record(hash,
817                                    md, &md_size,
818                                    header, rec->input,
819                                    rec->length + md_size, orig_len,
820                                    mac_sec, md_size, 1) <= 0)
821             return -1;
822     } else {
823         unsigned int md_size_u;
824         /* Chop the digest off the end :-) */
825         EVP_MD_CTX_init(&md_ctx);
826 
827         rec_char = rec->type;
828         p = md;
829         s2n(rec->length, p);
830         if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
831                 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
832                 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
833                 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
834                 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
835                 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
836                 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
837                 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
838                 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
839                 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
840                 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
841                 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
842                 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
843             EVP_MD_CTX_cleanup(&md_ctx);
844             return -1;
845         }
846         md_size = md_size_u;
847 
848         EVP_MD_CTX_cleanup(&md_ctx);
849     }
850 
851     ssl3_record_sequence_update(seq);
852     return (md_size);
853 }
854 
855 void ssl3_record_sequence_update(unsigned char *seq)
856 {
857     int i;
858 
859     for (i = 7; i >= 0; i--) {
860         ++seq[i];
861         if (seq[i] != 0)
862             break;
863     }
864 }
865 
866 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
867                                 int len)
868 {
869     static const unsigned char *salt[3] = {
870 #ifndef CHARSET_EBCDIC
871         (const unsigned char *)"A",
872         (const unsigned char *)"BB",
873         (const unsigned char *)"CCC",
874 #else
875         (const unsigned char *)"\x41",
876         (const unsigned char *)"\x42\x42",
877         (const unsigned char *)"\x43\x43\x43",
878 #endif
879     };
880     unsigned char buf[EVP_MAX_MD_SIZE];
881     EVP_MD_CTX ctx;
882     int i, ret = 0;
883     unsigned int n;
884 #ifdef OPENSSL_SSL_TRACE_CRYPTO
885     unsigned char *tmpout = out;
886 #endif
887 
888     EVP_MD_CTX_init(&ctx);
889     for (i = 0; i < 3; i++) {
890         if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
891                 || EVP_DigestUpdate(&ctx, salt[i],
892                                     strlen((const char *)salt[i])) <= 0
893                 || EVP_DigestUpdate(&ctx, p, len) <= 0
894                 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
895                                     SSL3_RANDOM_SIZE) <= 0
896                 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
897                                     SSL3_RANDOM_SIZE) <= 0
898                 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
899 
900                 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
901                 || EVP_DigestUpdate(&ctx, p, len) <= 0
902                 || EVP_DigestUpdate(&ctx, buf, n) <= 0
903                 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
904             SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
905             ret = 0;
906             break;
907         }
908         out += n;
909         ret += n;
910     }
911     EVP_MD_CTX_cleanup(&ctx);
912 
913 #ifdef OPENSSL_SSL_TRACE_CRYPTO
914     if (ret > 0 && s->msg_callback) {
915         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
916                         p, len, s, s->msg_callback_arg);
917         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
918                         s->s3->client_random, SSL3_RANDOM_SIZE,
919                         s, s->msg_callback_arg);
920         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
921                         s->s3->server_random, SSL3_RANDOM_SIZE,
922                         s, s->msg_callback_arg);
923         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
924                         tmpout, SSL3_MASTER_SECRET_SIZE,
925                         s, s->msg_callback_arg);
926     }
927 #endif
928     OPENSSL_cleanse(buf, sizeof(buf));
929     return (ret);
930 }
931 
932 int ssl3_alert_code(int code)
933 {
934     switch (code) {
935     case SSL_AD_CLOSE_NOTIFY:
936         return (SSL3_AD_CLOSE_NOTIFY);
937     case SSL_AD_UNEXPECTED_MESSAGE:
938         return (SSL3_AD_UNEXPECTED_MESSAGE);
939     case SSL_AD_BAD_RECORD_MAC:
940         return (SSL3_AD_BAD_RECORD_MAC);
941     case SSL_AD_DECRYPTION_FAILED:
942         return (SSL3_AD_BAD_RECORD_MAC);
943     case SSL_AD_RECORD_OVERFLOW:
944         return (SSL3_AD_BAD_RECORD_MAC);
945     case SSL_AD_DECOMPRESSION_FAILURE:
946         return (SSL3_AD_DECOMPRESSION_FAILURE);
947     case SSL_AD_HANDSHAKE_FAILURE:
948         return (SSL3_AD_HANDSHAKE_FAILURE);
949     case SSL_AD_NO_CERTIFICATE:
950         return (SSL3_AD_NO_CERTIFICATE);
951     case SSL_AD_BAD_CERTIFICATE:
952         return (SSL3_AD_BAD_CERTIFICATE);
953     case SSL_AD_UNSUPPORTED_CERTIFICATE:
954         return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
955     case SSL_AD_CERTIFICATE_REVOKED:
956         return (SSL3_AD_CERTIFICATE_REVOKED);
957     case SSL_AD_CERTIFICATE_EXPIRED:
958         return (SSL3_AD_CERTIFICATE_EXPIRED);
959     case SSL_AD_CERTIFICATE_UNKNOWN:
960         return (SSL3_AD_CERTIFICATE_UNKNOWN);
961     case SSL_AD_ILLEGAL_PARAMETER:
962         return (SSL3_AD_ILLEGAL_PARAMETER);
963     case SSL_AD_UNKNOWN_CA:
964         return (SSL3_AD_BAD_CERTIFICATE);
965     case SSL_AD_ACCESS_DENIED:
966         return (SSL3_AD_HANDSHAKE_FAILURE);
967     case SSL_AD_DECODE_ERROR:
968         return (SSL3_AD_HANDSHAKE_FAILURE);
969     case SSL_AD_DECRYPT_ERROR:
970         return (SSL3_AD_HANDSHAKE_FAILURE);
971     case SSL_AD_EXPORT_RESTRICTION:
972         return (SSL3_AD_HANDSHAKE_FAILURE);
973     case SSL_AD_PROTOCOL_VERSION:
974         return (SSL3_AD_HANDSHAKE_FAILURE);
975     case SSL_AD_INSUFFICIENT_SECURITY:
976         return (SSL3_AD_HANDSHAKE_FAILURE);
977     case SSL_AD_INTERNAL_ERROR:
978         return (SSL3_AD_HANDSHAKE_FAILURE);
979     case SSL_AD_USER_CANCELLED:
980         return (SSL3_AD_HANDSHAKE_FAILURE);
981     case SSL_AD_NO_RENEGOTIATION:
982         return (-1);            /* Don't send it :-) */
983     case SSL_AD_UNSUPPORTED_EXTENSION:
984         return (SSL3_AD_HANDSHAKE_FAILURE);
985     case SSL_AD_CERTIFICATE_UNOBTAINABLE:
986         return (SSL3_AD_HANDSHAKE_FAILURE);
987     case SSL_AD_UNRECOGNIZED_NAME:
988         return (SSL3_AD_HANDSHAKE_FAILURE);
989     case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
990         return (SSL3_AD_HANDSHAKE_FAILURE);
991     case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
992         return (SSL3_AD_HANDSHAKE_FAILURE);
993     case SSL_AD_UNKNOWN_PSK_IDENTITY:
994         return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
995     case SSL_AD_INAPPROPRIATE_FALLBACK:
996         return (TLS1_AD_INAPPROPRIATE_FALLBACK);
997     default:
998         return (-1);
999     }
1000 }
1001