xref: /freebsd/crypto/openssl/ssl/s3_enc.c (revision 98e0ffaefb0f241cda3a72395d3be04192ae0d47)
1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2005 Nokia. All rights reserved.
113  *
114  * The portions of the attached software ("Contribution") is developed by
115  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116  * license.
117  *
118  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120  * support (see RFC 4279) to OpenSSL.
121  *
122  * No patent licenses or other rights except those expressly stated in
123  * the OpenSSL open source license shall be deemed granted or received
124  * expressly, by implication, estoppel, or otherwise.
125  *
126  * No assurances are provided by Nokia that the Contribution does not
127  * infringe the patent or other intellectual property rights of any third
128  * party or that the license provides you with all the necessary rights
129  * to make use of the Contribution.
130  *
131  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135  * OTHERWISE.
136  */
137 
138 #include <stdio.h>
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
142 
143 static unsigned char ssl3_pad_1[48] = {
144     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149     0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
150 };
151 
152 static unsigned char ssl3_pad_2[48] = {
153     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158     0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
159 };
160 
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162                               const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
164 {
165     EVP_MD_CTX m5;
166     EVP_MD_CTX s1;
167     unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168     unsigned char c = 'A';
169     unsigned int i, j, k;
170 
171 #ifdef CHARSET_EBCDIC
172     c = os_toascii[c];          /* 'A' in ASCII */
173 #endif
174     k = 0;
175     EVP_MD_CTX_init(&m5);
176     EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177     EVP_MD_CTX_init(&s1);
178     for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179         k++;
180         if (k > sizeof buf) {
181             /* bug: 'buf' is too small for this ciphersuite */
182             SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
183             return 0;
184         }
185 
186         for (j = 0; j < k; j++)
187             buf[j] = c;
188         c++;
189         EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190         EVP_DigestUpdate(&s1, buf, k);
191         EVP_DigestUpdate(&s1, s->session->master_key,
192                          s->session->master_key_length);
193         EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194         EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195         EVP_DigestFinal_ex(&s1, smd, NULL);
196 
197         EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198         EVP_DigestUpdate(&m5, s->session->master_key,
199                          s->session->master_key_length);
200         EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201         if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202             EVP_DigestFinal_ex(&m5, smd, NULL);
203             memcpy(km, smd, (num - i));
204         } else
205             EVP_DigestFinal_ex(&m5, km, NULL);
206 
207         km += MD5_DIGEST_LENGTH;
208     }
209     OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210     EVP_MD_CTX_cleanup(&m5);
211     EVP_MD_CTX_cleanup(&s1);
212     return 1;
213 }
214 
215 int ssl3_change_cipher_state(SSL *s, int which)
216 {
217     unsigned char *p, *mac_secret;
218     unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219     unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220     unsigned char *ms, *key, *iv, *er1, *er2;
221     EVP_CIPHER_CTX *dd;
222     const EVP_CIPHER *c;
223 #ifndef OPENSSL_NO_COMP
224     COMP_METHOD *comp;
225 #endif
226     const EVP_MD *m;
227     EVP_MD_CTX md;
228     int is_exp, n, i, j, k, cl;
229     int reuse_dd = 0;
230 
231     is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232     c = s->s3->tmp.new_sym_enc;
233     m = s->s3->tmp.new_hash;
234     /* m == NULL will lead to a crash later */
235     OPENSSL_assert(m);
236 #ifndef OPENSSL_NO_COMP
237     if (s->s3->tmp.new_compression == NULL)
238         comp = NULL;
239     else
240         comp = s->s3->tmp.new_compression->method;
241 #endif
242 
243     if (which & SSL3_CC_READ) {
244         if (s->enc_read_ctx != NULL)
245             reuse_dd = 1;
246         else if ((s->enc_read_ctx =
247                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
248             goto err;
249         else
250             /*
251              * make sure it's intialized in case we exit later with an error
252              */
253             EVP_CIPHER_CTX_init(s->enc_read_ctx);
254         dd = s->enc_read_ctx;
255 
256         ssl_replace_hash(&s->read_hash, m);
257 #ifndef OPENSSL_NO_COMP
258         /* COMPRESS */
259         if (s->expand != NULL) {
260             COMP_CTX_free(s->expand);
261             s->expand = NULL;
262         }
263         if (comp != NULL) {
264             s->expand = COMP_CTX_new(comp);
265             if (s->expand == NULL) {
266                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
267                        SSL_R_COMPRESSION_LIBRARY_ERROR);
268                 goto err2;
269             }
270             if (s->s3->rrec.comp == NULL)
271                 s->s3->rrec.comp = (unsigned char *)
272                     OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
273             if (s->s3->rrec.comp == NULL)
274                 goto err;
275         }
276 #endif
277         memset(&(s->s3->read_sequence[0]), 0, 8);
278         mac_secret = &(s->s3->read_mac_secret[0]);
279     } else {
280         if (s->enc_write_ctx != NULL)
281             reuse_dd = 1;
282         else if ((s->enc_write_ctx =
283                   OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
284             goto err;
285         else
286             /*
287              * make sure it's intialized in case we exit later with an error
288              */
289             EVP_CIPHER_CTX_init(s->enc_write_ctx);
290         dd = s->enc_write_ctx;
291         ssl_replace_hash(&s->write_hash, m);
292 #ifndef OPENSSL_NO_COMP
293         /* COMPRESS */
294         if (s->compress != NULL) {
295             COMP_CTX_free(s->compress);
296             s->compress = NULL;
297         }
298         if (comp != NULL) {
299             s->compress = COMP_CTX_new(comp);
300             if (s->compress == NULL) {
301                 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
302                        SSL_R_COMPRESSION_LIBRARY_ERROR);
303                 goto err2;
304             }
305         }
306 #endif
307         memset(&(s->s3->write_sequence[0]), 0, 8);
308         mac_secret = &(s->s3->write_mac_secret[0]);
309     }
310 
311     if (reuse_dd)
312         EVP_CIPHER_CTX_cleanup(dd);
313 
314     p = s->s3->tmp.key_block;
315     i = EVP_MD_size(m);
316     if (i < 0)
317         goto err2;
318     cl = EVP_CIPHER_key_length(c);
319     j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
320                   cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
321     /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
322     k = EVP_CIPHER_iv_length(c);
323     if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
324         (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
325         ms = &(p[0]);
326         n = i + i;
327         key = &(p[n]);
328         n += j + j;
329         iv = &(p[n]);
330         n += k + k;
331         er1 = &(s->s3->client_random[0]);
332         er2 = &(s->s3->server_random[0]);
333     } else {
334         n = i;
335         ms = &(p[n]);
336         n += i + j;
337         key = &(p[n]);
338         n += j + k;
339         iv = &(p[n]);
340         n += k;
341         er1 = &(s->s3->server_random[0]);
342         er2 = &(s->s3->client_random[0]);
343     }
344 
345     if (n > s->s3->tmp.key_block_length) {
346         SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
347         goto err2;
348     }
349 
350     EVP_MD_CTX_init(&md);
351     memcpy(mac_secret, ms, i);
352     if (is_exp) {
353         /*
354          * In here I set both the read and write key/iv to the same value
355          * since only the correct one will be used :-).
356          */
357         EVP_DigestInit_ex(&md, EVP_md5(), NULL);
358         EVP_DigestUpdate(&md, key, j);
359         EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
360         EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
361         EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
362         key = &(exp_key[0]);
363 
364         if (k > 0) {
365             EVP_DigestInit_ex(&md, EVP_md5(), NULL);
366             EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
367             EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
368             EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
369             iv = &(exp_iv[0]);
370         }
371     }
372 
373     s->session->key_arg_length = 0;
374 
375     EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
376 
377     OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
378     OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
379     EVP_MD_CTX_cleanup(&md);
380     return (1);
381  err:
382     SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
383  err2:
384     return (0);
385 }
386 
387 int ssl3_setup_key_block(SSL *s)
388 {
389     unsigned char *p;
390     const EVP_CIPHER *c;
391     const EVP_MD *hash;
392     int num;
393     int ret = 0;
394     SSL_COMP *comp;
395 
396     if (s->s3->tmp.key_block_length != 0)
397         return (1);
398 
399     if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
400         SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
401         return (0);
402     }
403 
404     s->s3->tmp.new_sym_enc = c;
405     s->s3->tmp.new_hash = hash;
406 #ifdef OPENSSL_NO_COMP
407     s->s3->tmp.new_compression = NULL;
408 #else
409     s->s3->tmp.new_compression = comp;
410 #endif
411 
412     num = EVP_MD_size(hash);
413     if (num < 0)
414         return 0;
415 
416     num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
417     num *= 2;
418 
419     ssl3_cleanup_key_block(s);
420 
421     if ((p = OPENSSL_malloc(num)) == NULL)
422         goto err;
423 
424     s->s3->tmp.key_block_length = num;
425     s->s3->tmp.key_block = p;
426 
427     ret = ssl3_generate_key_block(s, p, num);
428 
429     if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
430         /*
431          * enable vulnerability countermeasure for CBC ciphers with known-IV
432          * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
433          */
434         s->s3->need_empty_fragments = 1;
435 
436         if (s->session->cipher != NULL) {
437             if (s->session->cipher->algorithm_enc == SSL_eNULL)
438                 s->s3->need_empty_fragments = 0;
439 
440 #ifndef OPENSSL_NO_RC4
441             if (s->session->cipher->algorithm_enc == SSL_RC4)
442                 s->s3->need_empty_fragments = 0;
443 #endif
444         }
445     }
446 
447     return ret;
448 
449  err:
450     SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
451     return (0);
452 }
453 
454 void ssl3_cleanup_key_block(SSL *s)
455 {
456     if (s->s3->tmp.key_block != NULL) {
457         OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
458         OPENSSL_free(s->s3->tmp.key_block);
459         s->s3->tmp.key_block = NULL;
460     }
461     s->s3->tmp.key_block_length = 0;
462 }
463 
464 /*-
465  * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
466  *
467  * Returns:
468  *   0: (in non-constant time) if the record is publically invalid (i.e. too
469  *       short etc).
470  *   1: if the record's padding is valid / the encryption was successful.
471  *   -1: if the record's padding is invalid or, if sending, an internal error
472  *       occured.
473  */
474 int ssl3_enc(SSL *s, int send)
475 {
476     SSL3_RECORD *rec;
477     EVP_CIPHER_CTX *ds;
478     unsigned long l;
479     int bs, i, mac_size = 0;
480     const EVP_CIPHER *enc;
481 
482     if (send) {
483         ds = s->enc_write_ctx;
484         rec = &(s->s3->wrec);
485         if (s->enc_write_ctx == NULL)
486             enc = NULL;
487         else
488             enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
489     } else {
490         ds = s->enc_read_ctx;
491         rec = &(s->s3->rrec);
492         if (s->enc_read_ctx == NULL)
493             enc = NULL;
494         else
495             enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
496     }
497 
498     if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
499         memmove(rec->data, rec->input, rec->length);
500         rec->input = rec->data;
501     } else {
502         l = rec->length;
503         bs = EVP_CIPHER_block_size(ds->cipher);
504 
505         /* COMPRESS */
506 
507         if ((bs != 1) && send) {
508             i = bs - ((int)l % bs);
509 
510             /* we need to add 'i-1' padding bytes */
511             l += i;
512             /*
513              * the last of these zero bytes will be overwritten with the
514              * padding length.
515              */
516             memset(&rec->input[rec->length], 0, i);
517             rec->length += i;
518             rec->input[l - 1] = (i - 1);
519         }
520 
521         if (!send) {
522             if (l == 0 || l % bs != 0)
523                 return 0;
524             /* otherwise, rec->length >= bs */
525         }
526 
527         if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
528             return -1;
529 
530         if (EVP_MD_CTX_md(s->read_hash) != NULL)
531             mac_size = EVP_MD_CTX_size(s->read_hash);
532         if ((bs != 1) && !send)
533             return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
534     }
535     return (1);
536 }
537 
538 void ssl3_init_finished_mac(SSL *s)
539 {
540     if (s->s3->handshake_buffer)
541         BIO_free(s->s3->handshake_buffer);
542     if (s->s3->handshake_dgst)
543         ssl3_free_digest_list(s);
544     s->s3->handshake_buffer = BIO_new(BIO_s_mem());
545     (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
546 }
547 
548 void ssl3_free_digest_list(SSL *s)
549 {
550     int i;
551     if (!s->s3->handshake_dgst)
552         return;
553     for (i = 0; i < SSL_MAX_DIGEST; i++) {
554         if (s->s3->handshake_dgst[i])
555             EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
556     }
557     OPENSSL_free(s->s3->handshake_dgst);
558     s->s3->handshake_dgst = NULL;
559 }
560 
561 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
562 {
563     if (s->s3->handshake_buffer
564         && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
565         BIO_write(s->s3->handshake_buffer, (void *)buf, len);
566     } else {
567         int i;
568         for (i = 0; i < SSL_MAX_DIGEST; i++) {
569             if (s->s3->handshake_dgst[i] != NULL)
570                 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
571         }
572     }
573 }
574 
575 int ssl3_digest_cached_records(SSL *s)
576 {
577     int i;
578     long mask;
579     const EVP_MD *md;
580     long hdatalen;
581     void *hdata;
582 
583     /* Allocate handshake_dgst array */
584     ssl3_free_digest_list(s);
585     s->s3->handshake_dgst =
586         OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
587     memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
588     hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
589     if (hdatalen <= 0) {
590         SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
591         return 0;
592     }
593 
594     /* Loop through bitso of algorithm2 field and create MD_CTX-es */
595     for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
596         if ((mask & ssl_get_algorithm2(s)) && md) {
597             s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
598 #ifdef OPENSSL_FIPS
599             if (EVP_MD_nid(md) == NID_md5) {
600                 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
601                                      EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
602             }
603 #endif
604             EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
605             EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
606         } else {
607             s->s3->handshake_dgst[i] = NULL;
608         }
609     }
610     if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
611         /* Free handshake_buffer BIO */
612         BIO_free(s->s3->handshake_buffer);
613         s->s3->handshake_buffer = NULL;
614     }
615 
616     return 1;
617 }
618 
619 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
620 {
621     return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
622 }
623 
624 int ssl3_final_finish_mac(SSL *s,
625                           const char *sender, int len, unsigned char *p)
626 {
627     int ret, sha1len;
628     ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
629     if (ret == 0)
630         return 0;
631 
632     p += ret;
633 
634     sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
635     if (sha1len == 0)
636         return 0;
637 
638     ret += sha1len;
639     return (ret);
640 }
641 
642 static int ssl3_handshake_mac(SSL *s, int md_nid,
643                               const char *sender, int len, unsigned char *p)
644 {
645     unsigned int ret;
646     int npad, n;
647     unsigned int i;
648     unsigned char md_buf[EVP_MAX_MD_SIZE];
649     EVP_MD_CTX ctx, *d = NULL;
650 
651     if (s->s3->handshake_buffer)
652         if (!ssl3_digest_cached_records(s))
653             return 0;
654 
655     /*
656      * Search for digest of specified type in the handshake_dgst array
657      */
658     for (i = 0; i < SSL_MAX_DIGEST; i++) {
659         if (s->s3->handshake_dgst[i]
660             && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
661             d = s->s3->handshake_dgst[i];
662             break;
663         }
664     }
665     if (!d) {
666         SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
667         return 0;
668     }
669     EVP_MD_CTX_init(&ctx);
670     EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
671     EVP_MD_CTX_copy_ex(&ctx, d);
672     n = EVP_MD_CTX_size(&ctx);
673     if (n < 0)
674         return 0;
675 
676     npad = (48 / n) * n;
677     if (sender != NULL)
678         EVP_DigestUpdate(&ctx, sender, len);
679     EVP_DigestUpdate(&ctx, s->session->master_key,
680                      s->session->master_key_length);
681     EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
682     EVP_DigestFinal_ex(&ctx, md_buf, &i);
683 
684     EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
685     EVP_DigestUpdate(&ctx, s->session->master_key,
686                      s->session->master_key_length);
687     EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
688     EVP_DigestUpdate(&ctx, md_buf, i);
689     EVP_DigestFinal_ex(&ctx, p, &ret);
690 
691     EVP_MD_CTX_cleanup(&ctx);
692 
693     return ((int)ret);
694 }
695 
696 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
697 {
698     SSL3_RECORD *rec;
699     unsigned char *mac_sec, *seq;
700     EVP_MD_CTX md_ctx;
701     const EVP_MD_CTX *hash;
702     unsigned char *p, rec_char;
703     size_t md_size, orig_len;
704     int npad;
705     int t;
706 
707     if (send) {
708         rec = &(ssl->s3->wrec);
709         mac_sec = &(ssl->s3->write_mac_secret[0]);
710         seq = &(ssl->s3->write_sequence[0]);
711         hash = ssl->write_hash;
712     } else {
713         rec = &(ssl->s3->rrec);
714         mac_sec = &(ssl->s3->read_mac_secret[0]);
715         seq = &(ssl->s3->read_sequence[0]);
716         hash = ssl->read_hash;
717     }
718 
719     t = EVP_MD_CTX_size(hash);
720     if (t < 0)
721         return -1;
722     md_size = t;
723     npad = (48 / md_size) * md_size;
724 
725     /*
726      * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
727      */
728     orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
729     rec->type &= 0xff;
730 
731     if (!send &&
732         EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
733         ssl3_cbc_record_digest_supported(hash)) {
734         /*
735          * This is a CBC-encrypted record. We must avoid leaking any
736          * timing-side channel information about how many blocks of data we
737          * are hashing because that gives an attacker a timing-oracle.
738          */
739 
740         /*-
741          * npad is, at most, 48 bytes and that's with MD5:
742          *   16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
743          *
744          * With SHA-1 (the largest hash speced for SSLv3) the hash size
745          * goes up 4, but npad goes down by 8, resulting in a smaller
746          * total size.
747          */
748         unsigned char header[75];
749         unsigned j = 0;
750         memcpy(header + j, mac_sec, md_size);
751         j += md_size;
752         memcpy(header + j, ssl3_pad_1, npad);
753         j += npad;
754         memcpy(header + j, seq, 8);
755         j += 8;
756         header[j++] = rec->type;
757         header[j++] = rec->length >> 8;
758         header[j++] = rec->length & 0xff;
759 
760         /* Final param == is SSLv3 */
761         ssl3_cbc_digest_record(hash,
762                                md, &md_size,
763                                header, rec->input,
764                                rec->length + md_size, orig_len,
765                                mac_sec, md_size, 1);
766     } else {
767         unsigned int md_size_u;
768         /* Chop the digest off the end :-) */
769         EVP_MD_CTX_init(&md_ctx);
770 
771         EVP_MD_CTX_copy_ex(&md_ctx, hash);
772         EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
773         EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
774         EVP_DigestUpdate(&md_ctx, seq, 8);
775         rec_char = rec->type;
776         EVP_DigestUpdate(&md_ctx, &rec_char, 1);
777         p = md;
778         s2n(rec->length, p);
779         EVP_DigestUpdate(&md_ctx, md, 2);
780         EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
781         EVP_DigestFinal_ex(&md_ctx, md, NULL);
782 
783         EVP_MD_CTX_copy_ex(&md_ctx, hash);
784         EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
785         EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
786         EVP_DigestUpdate(&md_ctx, md, md_size);
787         EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
788         md_size = md_size_u;
789 
790         EVP_MD_CTX_cleanup(&md_ctx);
791     }
792 
793     ssl3_record_sequence_update(seq);
794     return (md_size);
795 }
796 
797 void ssl3_record_sequence_update(unsigned char *seq)
798 {
799     int i;
800 
801     for (i = 7; i >= 0; i--) {
802         ++seq[i];
803         if (seq[i] != 0)
804             break;
805     }
806 }
807 
808 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
809                                 int len)
810 {
811     static const unsigned char *salt[3] = {
812 #ifndef CHARSET_EBCDIC
813         (const unsigned char *)"A",
814         (const unsigned char *)"BB",
815         (const unsigned char *)"CCC",
816 #else
817         (const unsigned char *)"\x41",
818         (const unsigned char *)"\x42\x42",
819         (const unsigned char *)"\x43\x43\x43",
820 #endif
821     };
822     unsigned char buf[EVP_MAX_MD_SIZE];
823     EVP_MD_CTX ctx;
824     int i, ret = 0;
825     unsigned int n;
826 
827     EVP_MD_CTX_init(&ctx);
828     for (i = 0; i < 3; i++) {
829         EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
830         EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
831         EVP_DigestUpdate(&ctx, p, len);
832         EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
833         EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
834         EVP_DigestFinal_ex(&ctx, buf, &n);
835 
836         EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
837         EVP_DigestUpdate(&ctx, p, len);
838         EVP_DigestUpdate(&ctx, buf, n);
839         EVP_DigestFinal_ex(&ctx, out, &n);
840         out += n;
841         ret += n;
842     }
843     EVP_MD_CTX_cleanup(&ctx);
844     OPENSSL_cleanse(buf, sizeof buf);
845     return (ret);
846 }
847 
848 int ssl3_alert_code(int code)
849 {
850     switch (code) {
851     case SSL_AD_CLOSE_NOTIFY:
852         return (SSL3_AD_CLOSE_NOTIFY);
853     case SSL_AD_UNEXPECTED_MESSAGE:
854         return (SSL3_AD_UNEXPECTED_MESSAGE);
855     case SSL_AD_BAD_RECORD_MAC:
856         return (SSL3_AD_BAD_RECORD_MAC);
857     case SSL_AD_DECRYPTION_FAILED:
858         return (SSL3_AD_BAD_RECORD_MAC);
859     case SSL_AD_RECORD_OVERFLOW:
860         return (SSL3_AD_BAD_RECORD_MAC);
861     case SSL_AD_DECOMPRESSION_FAILURE:
862         return (SSL3_AD_DECOMPRESSION_FAILURE);
863     case SSL_AD_HANDSHAKE_FAILURE:
864         return (SSL3_AD_HANDSHAKE_FAILURE);
865     case SSL_AD_NO_CERTIFICATE:
866         return (SSL3_AD_NO_CERTIFICATE);
867     case SSL_AD_BAD_CERTIFICATE:
868         return (SSL3_AD_BAD_CERTIFICATE);
869     case SSL_AD_UNSUPPORTED_CERTIFICATE:
870         return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
871     case SSL_AD_CERTIFICATE_REVOKED:
872         return (SSL3_AD_CERTIFICATE_REVOKED);
873     case SSL_AD_CERTIFICATE_EXPIRED:
874         return (SSL3_AD_CERTIFICATE_EXPIRED);
875     case SSL_AD_CERTIFICATE_UNKNOWN:
876         return (SSL3_AD_CERTIFICATE_UNKNOWN);
877     case SSL_AD_ILLEGAL_PARAMETER:
878         return (SSL3_AD_ILLEGAL_PARAMETER);
879     case SSL_AD_UNKNOWN_CA:
880         return (SSL3_AD_BAD_CERTIFICATE);
881     case SSL_AD_ACCESS_DENIED:
882         return (SSL3_AD_HANDSHAKE_FAILURE);
883     case SSL_AD_DECODE_ERROR:
884         return (SSL3_AD_HANDSHAKE_FAILURE);
885     case SSL_AD_DECRYPT_ERROR:
886         return (SSL3_AD_HANDSHAKE_FAILURE);
887     case SSL_AD_EXPORT_RESTRICTION:
888         return (SSL3_AD_HANDSHAKE_FAILURE);
889     case SSL_AD_PROTOCOL_VERSION:
890         return (SSL3_AD_HANDSHAKE_FAILURE);
891     case SSL_AD_INSUFFICIENT_SECURITY:
892         return (SSL3_AD_HANDSHAKE_FAILURE);
893     case SSL_AD_INTERNAL_ERROR:
894         return (SSL3_AD_HANDSHAKE_FAILURE);
895     case SSL_AD_USER_CANCELLED:
896         return (SSL3_AD_HANDSHAKE_FAILURE);
897     case SSL_AD_NO_RENEGOTIATION:
898         return (-1);            /* Don't send it :-) */
899     case SSL_AD_UNSUPPORTED_EXTENSION:
900         return (SSL3_AD_HANDSHAKE_FAILURE);
901     case SSL_AD_CERTIFICATE_UNOBTAINABLE:
902         return (SSL3_AD_HANDSHAKE_FAILURE);
903     case SSL_AD_UNRECOGNIZED_NAME:
904         return (SSL3_AD_HANDSHAKE_FAILURE);
905     case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
906         return (SSL3_AD_HANDSHAKE_FAILURE);
907     case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
908         return (SSL3_AD_HANDSHAKE_FAILURE);
909     case SSL_AD_UNKNOWN_PSK_IDENTITY:
910         return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
911     case SSL_AD_INAPPROPRIATE_FALLBACK:
912         return (TLS1_AD_INAPPROPRIATE_FALLBACK);
913     default:
914         return (-1);
915     }
916 }
917