xref: /freebsd/crypto/openssl/ssl/s3_enc.c (revision 792bbaba989533a1fc93823df1720c8c4aaf0442)
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137 
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
142 
143 static unsigned char ssl3_pad_1[48] = {
144     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 };
151 
152 static unsigned char ssl3_pad_2[48] = {
153     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 };
160 
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162                               const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 {
165     EVP_MD_CTX m5;
166     EVP_MD_CTX s1;
167     unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168     unsigned char c = 'A';
169     unsigned int i, j, k;
170 
171 #ifdef CHARSET_EBCDIC
172     c = os_toascii[c];          /* 'A' in ASCII */
173 #endif
174     k = 0;
175     EVP_MD_CTX_init(&m5);
176     EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177     EVP_MD_CTX_init(&s1);
178     for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179         k++;
180         if (k > sizeof buf) {
181             /* bug: 'buf' is too small for this ciphersuite */
182             SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
183             return 0;
184         }
185 
186         for (j = 0; j < k; j++)
187             buf[j] = c;
188         c++;
189         EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190         EVP_DigestUpdate(&s1, buf, k);
191         EVP_DigestUpdate(&s1, s->session->master_key,
192                          s->session->master_key_length);
193         EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194         EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195         EVP_DigestFinal_ex(&s1, smd, NULL);
196 
197         EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198         EVP_DigestUpdate(&m5, s->session->master_key,
199                          s->session->master_key_length);
200         EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201         if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202             EVP_DigestFinal_ex(&m5, smd, NULL);
203             memcpy(km, smd, (num - i));
204         } else
205             EVP_DigestFinal_ex(&m5, km, NULL);
206 
207         km += MD5_DIGEST_LENGTH;
208     }
209     OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210     EVP_MD_CTX_cleanup(&m5);
211     EVP_MD_CTX_cleanup(&s1);
212     return 1;
213 }
214 
215 int ssl3_change_cipher_state(SSL *s, int which)
216 {
217     unsigned char *p, *mac_secret;
218     unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219     unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220     unsigned char *ms, *key, *iv, *er1, *er2;
221     EVP_CIPHER_CTX *dd;
222     const EVP_CIPHER *c;
223 #ifndef OPENSSL_NO_COMP
224     COMP_METHOD *comp;
225 #endif
226     const EVP_MD *m;
227     EVP_MD_CTX md;
228     int is_exp, n, i, j, k, cl;
229     int reuse_dd = 0;
230 
231     is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232     c = s->s3->tmp.new_sym_enc;
233     m = s->s3->tmp.new_hash;
234     /* m == NULL will lead to a crash later */
235     OPENSSL_assert(m);
236 #ifndef OPENSSL_NO_COMP
237     if (s->s3->tmp.new_compression == NULL)
238         comp = NULL;
239     else
240         comp = s->s3->tmp.new_compression->method;
241 #endif
242 
243     if (which & SSL3_CC_READ) {
244         if (s->enc_read_ctx != NULL)
245             reuse_dd = 1;
246         else if ((s->enc_read_ctx =
247                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
248             goto err;
249         else
250             /*
251              * make sure it's intialized in case we exit later with an error
252              */
253             EVP_CIPHER_CTX_init(s->enc_read_ctx);
254         dd = s->enc_read_ctx;
255 
256         if (ssl_replace_hash(&s->read_hash, m) == NULL) {
257                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
258                 goto err2;
259         }
260 #ifndef OPENSSL_NO_COMP
261         /* COMPRESS */
262         if (s->expand != NULL) {
263             COMP_CTX_free(s->expand);
264             s->expand = NULL;
265         }
266         if (comp != NULL) {
267             s->expand = COMP_CTX_new(comp);
268             if (s->expand == NULL) {
269                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
270                        SSL_R_COMPRESSION_LIBRARY_ERROR);
271                 goto err2;
272             }
273             if (s->s3->rrec.comp == NULL)
274                 s->s3->rrec.comp = (unsigned char *)
275                     OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
276             if (s->s3->rrec.comp == NULL)
277                 goto err;
278         }
279 #endif
280         memset(&(s->s3->read_sequence[0]), 0, 8);
281         mac_secret = &(s->s3->read_mac_secret[0]);
282     } else {
283         if (s->enc_write_ctx != NULL)
284             reuse_dd = 1;
285         else if ((s->enc_write_ctx =
286                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
287             goto err;
288         else
289             /*
290              * make sure it's intialized in case we exit later with an error
291              */
292             EVP_CIPHER_CTX_init(s->enc_write_ctx);
293         dd = s->enc_write_ctx;
294         if (ssl_replace_hash(&s->write_hash, m) == NULL) {
295                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
296                 goto err2;
297         }
298 #ifndef OPENSSL_NO_COMP
299         /* COMPRESS */
300         if (s->compress != NULL) {
301             COMP_CTX_free(s->compress);
302             s->compress = NULL;
303         }
304         if (comp != NULL) {
305             s->compress = COMP_CTX_new(comp);
306             if (s->compress == NULL) {
307                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
308                        SSL_R_COMPRESSION_LIBRARY_ERROR);
309                 goto err2;
310             }
311         }
312 #endif
313         memset(&(s->s3->write_sequence[0]), 0, 8);
314         mac_secret = &(s->s3->write_mac_secret[0]);
315     }
316 
317     if (reuse_dd)
318         EVP_CIPHER_CTX_cleanup(dd);
319 
320     p = s->s3->tmp.key_block;
321     i = EVP_MD_size(m);
322     if (i < 0)
323         goto err2;
324     cl = EVP_CIPHER_key_length(c);
325     j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
326                   cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
327     /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
328     k = EVP_CIPHER_iv_length(c);
329     if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
330         (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
331         ms = &(p[0]);
332         n = i + i;
333         key = &(p[n]);
334         n += j + j;
335         iv = &(p[n]);
336         n += k + k;
337         er1 = &(s->s3->client_random[0]);
338         er2 = &(s->s3->server_random[0]);
339     } else {
340         n = i;
341         ms = &(p[n]);
342         n += i + j;
343         key = &(p[n]);
344         n += j + k;
345         iv = &(p[n]);
346         n += k;
347         er1 = &(s->s3->server_random[0]);
348         er2 = &(s->s3->client_random[0]);
349     }
350 
351     if (n > s->s3->tmp.key_block_length) {
352         SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
353         goto err2;
354     }
355 
356     EVP_MD_CTX_init(&md);
357     memcpy(mac_secret, ms, i);
358     if (is_exp) {
359         /*
360          * In here I set both the read and write key/iv to the same value
361          * since only the correct one will be used :-).
362          */
363         EVP_DigestInit_ex(&md, EVP_md5(), NULL);
364         EVP_DigestUpdate(&md, key, j);
365         EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
366         EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
367         EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
368         key = &(exp_key[0]);
369 
370         if (k > 0) {
371             EVP_DigestInit_ex(&md, EVP_md5(), NULL);
372             EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
373             EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
374             EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
375             iv = &(exp_iv[0]);
376         }
377     }
378 
379     s->session->key_arg_length = 0;
380 
381     EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
382 
383 #ifdef OPENSSL_SSL_TRACE_CRYPTO
384     if (s->msg_callback) {
385 
386         int wh = which & SSL3_CC_WRITE ?
387             TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
388         s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
389                         mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
390         if (c->key_len)
391             s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
392                             key, c->key_len, s, s->msg_callback_arg);
393         if (k) {
394             s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
395                             iv, k, s, s->msg_callback_arg);
396         }
397     }
398 #endif
399 
400     OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
401     OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
402     EVP_MD_CTX_cleanup(&md);
403     return (1);
404  err:
405     SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
406  err2:
407     return (0);
408 }
409 
410 int ssl3_setup_key_block(SSL *s)
411 {
412     unsigned char *p;
413     const EVP_CIPHER *c;
414     const EVP_MD *hash;
415     int num;
416     int ret = 0;
417     SSL_COMP *comp;
418 
419     if (s->s3->tmp.key_block_length != 0)
420         return (1);
421 
422     if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
423         SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
424         return (0);
425     }
426 
427     s->s3->tmp.new_sym_enc = c;
428     s->s3->tmp.new_hash = hash;
429 #ifdef OPENSSL_NO_COMP
430     s->s3->tmp.new_compression = NULL;
431 #else
432     s->s3->tmp.new_compression = comp;
433 #endif
434 
435     num = EVP_MD_size(hash);
436     if (num < 0)
437         return 0;
438 
439     num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
440     num *= 2;
441 
442     ssl3_cleanup_key_block(s);
443 
444     if ((p = OPENSSL_malloc(num)) == NULL)
445         goto err;
446 
447     s->s3->tmp.key_block_length = num;
448     s->s3->tmp.key_block = p;
449 
450     ret = ssl3_generate_key_block(s, p, num);
451 
452     if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
453         /*
454          * enable vulnerability countermeasure for CBC ciphers with known-IV
455          * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
456          */
457         s->s3->need_empty_fragments = 1;
458 
459         if (s->session->cipher != NULL) {
460             if (s->session->cipher->algorithm_enc == SSL_eNULL)
461                 s->s3->need_empty_fragments = 0;
462 
463 #ifndef OPENSSL_NO_RC4
464             if (s->session->cipher->algorithm_enc == SSL_RC4)
465                 s->s3->need_empty_fragments = 0;
466 #endif
467         }
468     }
469 
470     return ret;
471 
472  err:
473     SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
474     return (0);
475 }
476 
477 void ssl3_cleanup_key_block(SSL *s)
478 {
479     if (s->s3->tmp.key_block != NULL) {
480         OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
481         OPENSSL_free(s->s3->tmp.key_block);
482         s->s3->tmp.key_block = NULL;
483     }
484     s->s3->tmp.key_block_length = 0;
485 }
486 
487 /*-
488  * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
489  *
490  * Returns:
491  *   0: (in non-constant time) if the record is publically invalid (i.e. too
492  *       short etc).
493  *   1: if the record's padding is valid / the encryption was successful.
494  *   -1: if the record's padding is invalid or, if sending, an internal error
495  *       occured.
496  */
497 int ssl3_enc(SSL *s, int send)
498 {
499     SSL3_RECORD *rec;
500     EVP_CIPHER_CTX *ds;
501     unsigned long l;
502     int bs, i, mac_size = 0;
503     const EVP_CIPHER *enc;
504 
505     if (send) {
506         ds = s->enc_write_ctx;
507         rec = &(s->s3->wrec);
508         if (s->enc_write_ctx == NULL)
509             enc = NULL;
510         else
511             enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
512     } else {
513         ds = s->enc_read_ctx;
514         rec = &(s->s3->rrec);
515         if (s->enc_read_ctx == NULL)
516             enc = NULL;
517         else
518             enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
519     }
520 
521     if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
522         memmove(rec->data, rec->input, rec->length);
523         rec->input = rec->data;
524     } else {
525         l = rec->length;
526         bs = EVP_CIPHER_block_size(ds->cipher);
527 
528         /* COMPRESS */
529 
530         if ((bs != 1) && send) {
531             i = bs - ((int)l % bs);
532 
533             /* we need to add 'i-1' padding bytes */
534             l += i;
535             /*
536              * the last of these zero bytes will be overwritten with the
537              * padding length.
538              */
539             memset(&rec->input[rec->length], 0, i);
540             rec->length += i;
541             rec->input[l - 1] = (i - 1);
542         }
543 
544         if (!send) {
545             if (l == 0 || l % bs != 0)
546                 return 0;
547             /* otherwise, rec->length >= bs */
548         }
549 
550         if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
551             return -1;
552 
553         if (EVP_MD_CTX_md(s->read_hash) != NULL)
554             mac_size = EVP_MD_CTX_size(s->read_hash);
555         if ((bs != 1) && !send)
556             return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
557     }
558     return (1);
559 }
560 
561 void ssl3_init_finished_mac(SSL *s)
562 {
563     if (s->s3->handshake_buffer)
564         BIO_free(s->s3->handshake_buffer);
565     if (s->s3->handshake_dgst)
566         ssl3_free_digest_list(s);
567     s->s3->handshake_buffer = BIO_new(BIO_s_mem());
568     (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
569 }
570 
571 void ssl3_free_digest_list(SSL *s)
572 {
573     int i;
574     if (!s->s3->handshake_dgst)
575         return;
576     for (i = 0; i < SSL_MAX_DIGEST; i++) {
577         if (s->s3->handshake_dgst[i])
578             EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
579     }
580     OPENSSL_free(s->s3->handshake_dgst);
581     s->s3->handshake_dgst = NULL;
582 }
583 
584 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
585 {
586     if (s->s3->handshake_buffer
587         && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
588         BIO_write(s->s3->handshake_buffer, (void *)buf, len);
589     } else {
590         int i;
591         for (i = 0; i < SSL_MAX_DIGEST; i++) {
592             if (s->s3->handshake_dgst[i] != NULL)
593                 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
594         }
595     }
596 }
597 
598 int ssl3_digest_cached_records(SSL *s)
599 {
600     int i;
601     long mask;
602     const EVP_MD *md;
603     long hdatalen;
604     void *hdata;
605 
606     /* Allocate handshake_dgst array */
607     ssl3_free_digest_list(s);
608     s->s3->handshake_dgst =
609         OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
610     if (s->s3->handshake_dgst == NULL) {
611         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
612         return 0;
613     }
614     memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
615     hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
616     if (hdatalen <= 0) {
617         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
618         return 0;
619     }
620 
621     /* Loop through bitso of algorithm2 field and create MD_CTX-es */
622     for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
623         if ((mask & ssl_get_algorithm2(s)) && md) {
624             s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
625 #ifdef OPENSSL_FIPS
626             if (EVP_MD_nid(md) == NID_md5) {
627                 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
628                                      EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
629             }
630 #endif
631             if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)
632                 || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
633                                      hdatalen)) {
634                 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
635                 return 0;
636             }
637         } else {
638             s->s3->handshake_dgst[i] = NULL;
639         }
640     }
641     if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
642         /* Free handshake_buffer BIO */
643         BIO_free(s->s3->handshake_buffer);
644         s->s3->handshake_buffer = NULL;
645     }
646 
647     return 1;
648 }
649 
650 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
651 {
652     return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
653 }
654 
655 int ssl3_final_finish_mac(SSL *s,
656                           const char *sender, int len, unsigned char *p)
657 {
658     int ret, sha1len;
659     ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
660     if (ret == 0)
661         return 0;
662 
663     p += ret;
664 
665     sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
666     if (sha1len == 0)
667         return 0;
668 
669     ret += sha1len;
670     return (ret);
671 }
672 
673 static int ssl3_handshake_mac(SSL *s, int md_nid,
674                               const char *sender, int len, unsigned char *p)
675 {
676     unsigned int ret;
677     int npad, n;
678     unsigned int i;
679     unsigned char md_buf[EVP_MAX_MD_SIZE];
680     EVP_MD_CTX ctx, *d = NULL;
681 
682     if (s->s3->handshake_buffer)
683         if (!ssl3_digest_cached_records(s))
684             return 0;
685 
686     /*
687      * Search for digest of specified type in the handshake_dgst array
688      */
689     for (i = 0; i < SSL_MAX_DIGEST; i++) {
690         if (s->s3->handshake_dgst[i]
691             && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
692             d = s->s3->handshake_dgst[i];
693             break;
694         }
695     }
696     if (!d) {
697         SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
698         return 0;
699     }
700     EVP_MD_CTX_init(&ctx);
701     EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
702     EVP_MD_CTX_copy_ex(&ctx, d);
703     n = EVP_MD_CTX_size(&ctx);
704     if (n < 0)
705         return 0;
706 
707     npad = (48 / n) * n;
708     if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
709             || EVP_DigestUpdate(&ctx, s->session->master_key,
710                                 s->session->master_key_length) <= 0
711             || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
712             || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
713 
714             || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
715             || EVP_DigestUpdate(&ctx, s->session->master_key,
716                                 s->session->master_key_length) <= 0
717             || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
718             || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
719             || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
720         SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
721         ret = 0;
722     }
723 
724     EVP_MD_CTX_cleanup(&ctx);
725 
726     return ((int)ret);
727 }
728 
729 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
730 {
731     SSL3_RECORD *rec;
732     unsigned char *mac_sec, *seq;
733     EVP_MD_CTX md_ctx;
734     const EVP_MD_CTX *hash;
735     unsigned char *p, rec_char;
736     size_t md_size, orig_len;
737     int npad;
738     int t;
739 
740     if (send) {
741         rec = &(ssl->s3->wrec);
742         mac_sec = &(ssl->s3->write_mac_secret[0]);
743         seq = &(ssl->s3->write_sequence[0]);
744         hash = ssl->write_hash;
745     } else {
746         rec = &(ssl->s3->rrec);
747         mac_sec = &(ssl->s3->read_mac_secret[0]);
748         seq = &(ssl->s3->read_sequence[0]);
749         hash = ssl->read_hash;
750     }
751 
752     t = EVP_MD_CTX_size(hash);
753     if (t < 0)
754         return -1;
755     md_size = t;
756     npad = (48 / md_size) * md_size;
757 
758     /*
759      * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
760      */
761     orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
762     rec->type &= 0xff;
763 
764     if (!send &&
765         EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
766         ssl3_cbc_record_digest_supported(hash)) {
767         /*
768          * This is a CBC-encrypted record. We must avoid leaking any
769          * timing-side channel information about how many blocks of data we
770          * are hashing because that gives an attacker a timing-oracle.
771          */
772 
773         /*-
774          * npad is, at most, 48 bytes and that's with MD5:
775          *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
776          *
777          * With SHA-1 (the largest hash speced for SSLv3) the hash size
778          * goes up 4, but npad goes down by 8, resulting in a smaller
779          * total size.
780          */
781         unsigned char header[75];
782         unsigned j = 0;
783         memcpy(header + j, mac_sec, md_size);
784         j += md_size;
785         memcpy(header + j, ssl3_pad_1, npad);
786         j += npad;
787         memcpy(header + j, seq, 8);
788         j += 8;
789         header[j++] = rec->type;
790         header[j++] = rec->length >> 8;
791         header[j++] = rec->length & 0xff;
792 
793         /* Final param == is SSLv3 */
794         if (ssl3_cbc_digest_record(hash,
795                                    md, &md_size,
796                                    header, rec->input,
797                                    rec->length + md_size, orig_len,
798                                    mac_sec, md_size, 1) <= 0)
799             return -1;
800     } else {
801         unsigned int md_size_u;
802         /* Chop the digest off the end :-) */
803         EVP_MD_CTX_init(&md_ctx);
804 
805         rec_char = rec->type;
806         p = md;
807         s2n(rec->length, p);
808         if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
809                 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
810                 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
811                 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
812                 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
813                 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
814                 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
815                 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
816                 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
817                 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
818                 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
819                 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
820                 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
821             EVP_MD_CTX_cleanup(&md_ctx);
822             return -1;
823         }
824         md_size = md_size_u;
825 
826         EVP_MD_CTX_cleanup(&md_ctx);
827     }
828 
829     ssl3_record_sequence_update(seq);
830     return (md_size);
831 }
832 
833 void ssl3_record_sequence_update(unsigned char *seq)
834 {
835     int i;
836 
837     for (i = 7; i >= 0; i--) {
838         ++seq[i];
839         if (seq[i] != 0)
840             break;
841     }
842 }
843 
844 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
845                                 int len)
846 {
847     static const unsigned char *salt[3] = {
848 #ifndef CHARSET_EBCDIC
849         (const unsigned char *)"A",
850         (const unsigned char *)"BB",
851         (const unsigned char *)"CCC",
852 #else
853         (const unsigned char *)"\x41",
854         (const unsigned char *)"\x42\x42",
855         (const unsigned char *)"\x43\x43\x43",
856 #endif
857     };
858     unsigned char buf[EVP_MAX_MD_SIZE];
859     EVP_MD_CTX ctx;
860     int i, ret = 0;
861     unsigned int n;
862 #ifdef OPENSSL_SSL_TRACE_CRYPTO
863     unsigned char *tmpout = out;
864 #endif
865 
866     EVP_MD_CTX_init(&ctx);
867     for (i = 0; i < 3; i++) {
868         if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
869                 || EVP_DigestUpdate(&ctx, salt[i],
870                                     strlen((const char *)salt[i])) <= 0
871                 || EVP_DigestUpdate(&ctx, p, len) <= 0
872                 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
873                                     SSL3_RANDOM_SIZE) <= 0
874                 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
875                                     SSL3_RANDOM_SIZE) <= 0
876                 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
877 
878                 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
879                 || EVP_DigestUpdate(&ctx, p, len) <= 0
880                 || EVP_DigestUpdate(&ctx, buf, n) <= 0
881                 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
882             SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
883             ret = 0;
884             break;
885         }
886         out += n;
887         ret += n;
888     }
889     EVP_MD_CTX_cleanup(&ctx);
890 
891 #ifdef OPENSSL_SSL_TRACE_CRYPTO
892     if (ret > 0 && s->msg_callback) {
893         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
894                         p, len, s, s->msg_callback_arg);
895         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
896                         s->s3->client_random, SSL3_RANDOM_SIZE,
897                         s, s->msg_callback_arg);
898         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
899                         s->s3->server_random, SSL3_RANDOM_SIZE,
900                         s, s->msg_callback_arg);
901         s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
902                         tmpout, SSL3_MASTER_SECRET_SIZE,
903                         s, s->msg_callback_arg);
904     }
905 #endif
906     OPENSSL_cleanse(buf, sizeof buf);
907     return (ret);
908 }
909 
910 int ssl3_alert_code(int code)
911 {
912     switch (code) {
913     case SSL_AD_CLOSE_NOTIFY:
914         return (SSL3_AD_CLOSE_NOTIFY);
915     case SSL_AD_UNEXPECTED_MESSAGE:
916         return (SSL3_AD_UNEXPECTED_MESSAGE);
917     case SSL_AD_BAD_RECORD_MAC:
918         return (SSL3_AD_BAD_RECORD_MAC);
919     case SSL_AD_DECRYPTION_FAILED:
920         return (SSL3_AD_BAD_RECORD_MAC);
921     case SSL_AD_RECORD_OVERFLOW:
922         return (SSL3_AD_BAD_RECORD_MAC);
923     case SSL_AD_DECOMPRESSION_FAILURE:
924         return (SSL3_AD_DECOMPRESSION_FAILURE);
925     case SSL_AD_HANDSHAKE_FAILURE:
926         return (SSL3_AD_HANDSHAKE_FAILURE);
927     case SSL_AD_NO_CERTIFICATE:
928         return (SSL3_AD_NO_CERTIFICATE);
929     case SSL_AD_BAD_CERTIFICATE:
930         return (SSL3_AD_BAD_CERTIFICATE);
931     case SSL_AD_UNSUPPORTED_CERTIFICATE:
932         return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
933     case SSL_AD_CERTIFICATE_REVOKED:
934         return (SSL3_AD_CERTIFICATE_REVOKED);
935     case SSL_AD_CERTIFICATE_EXPIRED:
936         return (SSL3_AD_CERTIFICATE_EXPIRED);
937     case SSL_AD_CERTIFICATE_UNKNOWN:
938         return (SSL3_AD_CERTIFICATE_UNKNOWN);
939     case SSL_AD_ILLEGAL_PARAMETER:
940         return (SSL3_AD_ILLEGAL_PARAMETER);
941     case SSL_AD_UNKNOWN_CA:
942         return (SSL3_AD_BAD_CERTIFICATE);
943     case SSL_AD_ACCESS_DENIED:
944         return (SSL3_AD_HANDSHAKE_FAILURE);
945     case SSL_AD_DECODE_ERROR:
946         return (SSL3_AD_HANDSHAKE_FAILURE);
947     case SSL_AD_DECRYPT_ERROR:
948         return (SSL3_AD_HANDSHAKE_FAILURE);
949     case SSL_AD_EXPORT_RESTRICTION:
950         return (SSL3_AD_HANDSHAKE_FAILURE);
951     case SSL_AD_PROTOCOL_VERSION:
952         return (SSL3_AD_HANDSHAKE_FAILURE);
953     case SSL_AD_INSUFFICIENT_SECURITY:
954         return (SSL3_AD_HANDSHAKE_FAILURE);
955     case SSL_AD_INTERNAL_ERROR:
956         return (SSL3_AD_HANDSHAKE_FAILURE);
957     case SSL_AD_USER_CANCELLED:
958         return (SSL3_AD_HANDSHAKE_FAILURE);
959     case SSL_AD_NO_RENEGOTIATION:
960         return (-1);            /* Don't send it :-) */
961     case SSL_AD_UNSUPPORTED_EXTENSION:
962         return (SSL3_AD_HANDSHAKE_FAILURE);
963     case SSL_AD_CERTIFICATE_UNOBTAINABLE:
964         return (SSL3_AD_HANDSHAKE_FAILURE);
965     case SSL_AD_UNRECOGNIZED_NAME:
966         return (SSL3_AD_HANDSHAKE_FAILURE);
967     case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
968         return (SSL3_AD_HANDSHAKE_FAILURE);
969     case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
970         return (SSL3_AD_HANDSHAKE_FAILURE);
971     case SSL_AD_UNKNOWN_PSK_IDENTITY:
972         return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
973     case SSL_AD_INAPPROPRIATE_FALLBACK:
974         return (TLS1_AD_INAPPROPRIATE_FALLBACK);
975     default:
976         return (-1);
977     }
978 }
979