1 /* 2 * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright 2005 Nokia. All rights reserved. 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or at 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include <stdio.h> 12 #include "ssl_local.h" 13 #include <openssl/evp.h> 14 #include <openssl/md5.h> 15 #include <openssl/core_names.h> 16 #include "internal/cryptlib.h" 17 #include "internal/ssl_unwrap.h" 18 19 static int ssl3_generate_key_block(SSL_CONNECTION *s, unsigned char *km, int num) 20 { 21 const EVP_MD *md5 = NULL, *sha1 = NULL; 22 EVP_MD_CTX *m5; 23 EVP_MD_CTX *s1; 24 unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; 25 unsigned char c = 'A'; 26 unsigned int i, k; 27 int ret = 0; 28 SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); 29 30 #ifdef CHARSET_EBCDIC 31 c = os_toascii[c]; /* 'A' in ASCII */ 32 #endif 33 k = 0; 34 md5 = ssl_evp_md_fetch(sctx->libctx, NID_md5, sctx->propq); 35 sha1 = ssl_evp_md_fetch(sctx->libctx, NID_sha1, sctx->propq); 36 m5 = EVP_MD_CTX_new(); 37 s1 = EVP_MD_CTX_new(); 38 if (md5 == NULL || sha1 == NULL || m5 == NULL || s1 == NULL) { 39 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 40 goto err; 41 } 42 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { 43 k++; 44 if (k > sizeof(buf)) { 45 /* bug: 'buf' is too small for this ciphersuite */ 46 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 47 goto err; 48 } 49 50 memset(buf, c, k); 51 c++; 52 if (!EVP_DigestInit_ex(s1, sha1, NULL) 53 || !EVP_DigestUpdate(s1, buf, k) 54 || !EVP_DigestUpdate(s1, s->session->master_key, 55 s->session->master_key_length) 56 || !EVP_DigestUpdate(s1, s->s3.server_random, SSL3_RANDOM_SIZE) 57 || !EVP_DigestUpdate(s1, s->s3.client_random, SSL3_RANDOM_SIZE) 58 || !EVP_DigestFinal_ex(s1, smd, NULL) 59 || !EVP_DigestInit_ex(m5, md5, NULL) 60 || !EVP_DigestUpdate(m5, s->session->master_key, 61 s->session->master_key_length) 62 || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { 63 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 64 goto err; 65 } 66 if ((int)(i + MD5_DIGEST_LENGTH) > num) { 67 if (!EVP_DigestFinal_ex(m5, smd, NULL)) { 68 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 69 goto err; 70 } 71 memcpy(km, smd, (num - i)); 72 } else { 73 if (!EVP_DigestFinal_ex(m5, km, NULL)) { 74 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 75 goto err; 76 } 77 } 78 79 km += MD5_DIGEST_LENGTH; 80 } 81 OPENSSL_cleanse(smd, sizeof(smd)); 82 ret = 1; 83 err: 84 EVP_MD_CTX_free(m5); 85 EVP_MD_CTX_free(s1); 86 ssl_evp_md_free(md5); 87 ssl_evp_md_free(sha1); 88 return ret; 89 } 90 91 int ssl3_change_cipher_state(SSL_CONNECTION *s, int which) 92 { 93 unsigned char *p, *mac_secret; 94 size_t md_len; 95 unsigned char *key, *iv; 96 const EVP_CIPHER *ciph; 97 const SSL_COMP *comp = NULL; 98 const EVP_MD *md; 99 int mdi; 100 size_t n, iv_len, key_len; 101 int direction = (which & SSL3_CC_READ) != 0 ? OSSL_RECORD_DIRECTION_READ 102 : OSSL_RECORD_DIRECTION_WRITE; 103 104 ciph = s->s3.tmp.new_sym_enc; 105 md = s->s3.tmp.new_hash; 106 /* m == NULL will lead to a crash later */ 107 if (!ossl_assert(md != NULL)) { 108 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 109 goto err; 110 } 111 #ifndef OPENSSL_NO_COMP 112 comp = s->s3.tmp.new_compression; 113 #endif 114 115 p = s->s3.tmp.key_block; 116 mdi = EVP_MD_get_size(md); 117 if (mdi <= 0) { 118 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 119 goto err; 120 } 121 md_len = (size_t)mdi; 122 key_len = EVP_CIPHER_get_key_length(ciph); 123 iv_len = EVP_CIPHER_get_iv_length(ciph); 124 125 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 126 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 127 mac_secret = &(p[0]); 128 n = md_len + md_len; 129 key = &(p[n]); 130 n += key_len + key_len; 131 iv = &(p[n]); 132 n += iv_len + iv_len; 133 } else { 134 n = md_len; 135 mac_secret = &(p[n]); 136 n += md_len + key_len; 137 key = &(p[n]); 138 n += key_len + iv_len; 139 iv = &(p[n]); 140 n += iv_len; 141 } 142 143 if (n > s->s3.tmp.key_block_length) { 144 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 145 goto err; 146 } 147 148 if (!ssl_set_new_record_layer(s, SSL3_VERSION, 149 direction, 150 OSSL_RECORD_PROTECTION_LEVEL_APPLICATION, 151 NULL, 0, key, key_len, iv, iv_len, mac_secret, 152 md_len, ciph, 0, NID_undef, md, comp, NULL)) { 153 /* SSLfatal already called */ 154 goto err; 155 } 156 157 return 1; 158 err: 159 return 0; 160 } 161 162 int ssl3_setup_key_block(SSL_CONNECTION *s) 163 { 164 unsigned char *p; 165 const EVP_CIPHER *c; 166 const EVP_MD *hash; 167 int num; 168 int ret = 0; 169 SSL_COMP *comp; 170 171 if (s->s3.tmp.key_block_length != 0) 172 return 1; 173 174 if (!ssl_cipher_get_evp(SSL_CONNECTION_GET_CTX(s), s->session, &c, &hash, 175 NULL, NULL, &comp, 0)) { 176 /* Error is already recorded */ 177 SSLfatal_alert(s, SSL_AD_INTERNAL_ERROR); 178 return 0; 179 } 180 181 ssl_evp_cipher_free(s->s3.tmp.new_sym_enc); 182 s->s3.tmp.new_sym_enc = c; 183 ssl_evp_md_free(s->s3.tmp.new_hash); 184 s->s3.tmp.new_hash = hash; 185 #ifdef OPENSSL_NO_COMP 186 s->s3.tmp.new_compression = NULL; 187 #else 188 s->s3.tmp.new_compression = comp; 189 #endif 190 191 num = EVP_MD_get_size(hash); 192 if (num <= 0) 193 return 0; 194 195 num = EVP_CIPHER_get_key_length(c) + num + EVP_CIPHER_get_iv_length(c); 196 num *= 2; 197 198 ssl3_cleanup_key_block(s); 199 200 if ((p = OPENSSL_malloc(num)) == NULL) { 201 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_CRYPTO_LIB); 202 return 0; 203 } 204 205 s->s3.tmp.key_block_length = num; 206 s->s3.tmp.key_block = p; 207 208 /* Calls SSLfatal() as required */ 209 ret = ssl3_generate_key_block(s, p, num); 210 211 return ret; 212 } 213 214 void ssl3_cleanup_key_block(SSL_CONNECTION *s) 215 { 216 OPENSSL_clear_free(s->s3.tmp.key_block, s->s3.tmp.key_block_length); 217 s->s3.tmp.key_block = NULL; 218 s->s3.tmp.key_block_length = 0; 219 } 220 221 int ssl3_init_finished_mac(SSL_CONNECTION *s) 222 { 223 BIO *buf = BIO_new(BIO_s_mem()); 224 225 if (buf == NULL) { 226 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_BIO_LIB); 227 return 0; 228 } 229 ssl3_free_digest_list(s); 230 s->s3.handshake_buffer = buf; 231 (void)BIO_set_close(s->s3.handshake_buffer, BIO_CLOSE); 232 return 1; 233 } 234 235 /* 236 * Free digest list. Also frees handshake buffer since they are always freed 237 * together. 238 */ 239 240 void ssl3_free_digest_list(SSL_CONNECTION *s) 241 { 242 BIO_free(s->s3.handshake_buffer); 243 s->s3.handshake_buffer = NULL; 244 EVP_MD_CTX_free(s->s3.handshake_dgst); 245 s->s3.handshake_dgst = NULL; 246 } 247 248 int ssl3_finish_mac(SSL_CONNECTION *s, const unsigned char *buf, size_t len) 249 { 250 int ret; 251 252 if (s->s3.handshake_dgst == NULL) { 253 /* Note: this writes to a memory BIO so a failure is a fatal error */ 254 if (len > INT_MAX) { 255 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_OVERFLOW_ERROR); 256 return 0; 257 } 258 ret = BIO_write(s->s3.handshake_buffer, (void *)buf, (int)len); 259 if (ret <= 0 || ret != (int)len) { 260 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 261 return 0; 262 } 263 } else { 264 ret = EVP_DigestUpdate(s->s3.handshake_dgst, buf, len); 265 if (!ret) { 266 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 267 return 0; 268 } 269 } 270 return 1; 271 } 272 273 int ssl3_digest_cached_records(SSL_CONNECTION *s, int keep) 274 { 275 const EVP_MD *md; 276 long hdatalen; 277 void *hdata; 278 279 if (s->s3.handshake_dgst == NULL) { 280 hdatalen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); 281 if (hdatalen <= 0) { 282 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_BAD_HANDSHAKE_LENGTH); 283 return 0; 284 } 285 286 s->s3.handshake_dgst = EVP_MD_CTX_new(); 287 if (s->s3.handshake_dgst == NULL) { 288 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 289 return 0; 290 } 291 292 md = ssl_handshake_md(s); 293 if (md == NULL) { 294 SSLfatal(s, SSL_AD_INTERNAL_ERROR, 295 SSL_R_NO_SUITABLE_DIGEST_ALGORITHM); 296 return 0; 297 } 298 if (!EVP_DigestInit_ex(s->s3.handshake_dgst, md, NULL) 299 || !EVP_DigestUpdate(s->s3.handshake_dgst, hdata, hdatalen)) { 300 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 301 return 0; 302 } 303 } 304 if (keep == 0) { 305 BIO_free(s->s3.handshake_buffer); 306 s->s3.handshake_buffer = NULL; 307 } 308 309 return 1; 310 } 311 312 void ssl3_digest_master_key_set_params(const SSL_SESSION *session, 313 OSSL_PARAM params[]) 314 { 315 int n = 0; 316 params[n++] = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS, 317 (void *)session->master_key, 318 session->master_key_length); 319 params[n++] = OSSL_PARAM_construct_end(); 320 } 321 322 size_t ssl3_final_finish_mac(SSL_CONNECTION *s, const char *sender, size_t len, 323 unsigned char *p) 324 { 325 int ret; 326 EVP_MD_CTX *ctx = NULL; 327 328 if (!ssl3_digest_cached_records(s, 0)) { 329 /* SSLfatal() already called */ 330 return 0; 331 } 332 333 if (EVP_MD_CTX_get_type(s->s3.handshake_dgst) != NID_md5_sha1) { 334 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_R_NO_REQUIRED_DIGEST); 335 return 0; 336 } 337 338 ctx = EVP_MD_CTX_new(); 339 if (ctx == NULL) { 340 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 341 return 0; 342 } 343 if (!EVP_MD_CTX_copy_ex(ctx, s->s3.handshake_dgst)) { 344 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 345 ret = 0; 346 goto err; 347 } 348 349 ret = EVP_MD_CTX_get_size(ctx); 350 if (ret < 0) { 351 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 352 ret = 0; 353 goto err; 354 } 355 356 if (sender != NULL) { 357 OSSL_PARAM digest_cmd_params[3]; 358 359 ssl3_digest_master_key_set_params(s->session, digest_cmd_params); 360 361 if (EVP_DigestUpdate(ctx, sender, len) <= 0 362 || EVP_MD_CTX_set_params(ctx, digest_cmd_params) <= 0 363 || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { 364 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 365 ret = 0; 366 } 367 } 368 369 err: 370 EVP_MD_CTX_free(ctx); 371 372 return ret; 373 } 374 375 int ssl3_generate_master_secret(SSL_CONNECTION *s, unsigned char *out, 376 unsigned char *p, 377 size_t len, size_t *secret_size) 378 { 379 static const unsigned char *const salt[3] = { 380 #ifndef CHARSET_EBCDIC 381 (const unsigned char *)"A", 382 (const unsigned char *)"BB", 383 (const unsigned char *)"CCC", 384 #else 385 (const unsigned char *)"\x41", 386 (const unsigned char *)"\x42\x42", 387 (const unsigned char *)"\x43\x43\x43", 388 #endif 389 }; 390 unsigned char buf[EVP_MAX_MD_SIZE]; 391 EVP_MD_CTX *ctx = EVP_MD_CTX_new(); 392 int i, ret = 1; 393 unsigned int n; 394 size_t ret_secret_size = 0; 395 396 if (ctx == NULL) { 397 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_EVP_LIB); 398 return 0; 399 } 400 for (i = 0; i < 3; i++) { 401 if (EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->sha1, NULL) <= 0 402 || EVP_DigestUpdate(ctx, salt[i], 403 strlen((const char *)salt[i])) <= 0 404 || EVP_DigestUpdate(ctx, p, len) <= 0 405 || EVP_DigestUpdate(ctx, &(s->s3.client_random[0]), 406 SSL3_RANDOM_SIZE) <= 0 407 || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]), 408 SSL3_RANDOM_SIZE) <= 0 409 || EVP_DigestFinal_ex(ctx, buf, &n) <= 0 410 || EVP_DigestInit_ex(ctx, SSL_CONNECTION_GET_CTX(s)->md5, NULL) <= 0 411 || EVP_DigestUpdate(ctx, p, len) <= 0 412 || EVP_DigestUpdate(ctx, buf, n) <= 0 413 || EVP_DigestFinal_ex(ctx, out, &n) <= 0) { 414 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); 415 ret = 0; 416 break; 417 } 418 out += n; 419 ret_secret_size += n; 420 } 421 EVP_MD_CTX_free(ctx); 422 423 OPENSSL_cleanse(buf, sizeof(buf)); 424 if (ret) 425 *secret_size = ret_secret_size; 426 return ret; 427 } 428 429 int ssl3_alert_code(int code) 430 { 431 switch (code) { 432 case SSL_AD_CLOSE_NOTIFY: 433 return SSL3_AD_CLOSE_NOTIFY; 434 case SSL_AD_UNEXPECTED_MESSAGE: 435 return SSL3_AD_UNEXPECTED_MESSAGE; 436 case SSL_AD_BAD_RECORD_MAC: 437 return SSL3_AD_BAD_RECORD_MAC; 438 case SSL_AD_DECRYPTION_FAILED: 439 return SSL3_AD_BAD_RECORD_MAC; 440 case SSL_AD_RECORD_OVERFLOW: 441 return SSL3_AD_BAD_RECORD_MAC; 442 case SSL_AD_DECOMPRESSION_FAILURE: 443 return SSL3_AD_DECOMPRESSION_FAILURE; 444 case SSL_AD_HANDSHAKE_FAILURE: 445 return SSL3_AD_HANDSHAKE_FAILURE; 446 case SSL_AD_NO_CERTIFICATE: 447 return SSL3_AD_NO_CERTIFICATE; 448 case SSL_AD_BAD_CERTIFICATE: 449 return SSL3_AD_BAD_CERTIFICATE; 450 case SSL_AD_UNSUPPORTED_CERTIFICATE: 451 return SSL3_AD_UNSUPPORTED_CERTIFICATE; 452 case SSL_AD_CERTIFICATE_REVOKED: 453 return SSL3_AD_CERTIFICATE_REVOKED; 454 case SSL_AD_CERTIFICATE_EXPIRED: 455 return SSL3_AD_CERTIFICATE_EXPIRED; 456 case SSL_AD_CERTIFICATE_UNKNOWN: 457 return SSL3_AD_CERTIFICATE_UNKNOWN; 458 case SSL_AD_ILLEGAL_PARAMETER: 459 return SSL3_AD_ILLEGAL_PARAMETER; 460 case SSL_AD_UNKNOWN_CA: 461 return SSL3_AD_BAD_CERTIFICATE; 462 case SSL_AD_ACCESS_DENIED: 463 return SSL3_AD_HANDSHAKE_FAILURE; 464 case SSL_AD_DECODE_ERROR: 465 return SSL3_AD_HANDSHAKE_FAILURE; 466 case SSL_AD_DECRYPT_ERROR: 467 return SSL3_AD_HANDSHAKE_FAILURE; 468 case SSL_AD_EXPORT_RESTRICTION: 469 return SSL3_AD_HANDSHAKE_FAILURE; 470 case SSL_AD_PROTOCOL_VERSION: 471 return SSL3_AD_HANDSHAKE_FAILURE; 472 case SSL_AD_INSUFFICIENT_SECURITY: 473 return SSL3_AD_HANDSHAKE_FAILURE; 474 case SSL_AD_INTERNAL_ERROR: 475 return SSL3_AD_HANDSHAKE_FAILURE; 476 case SSL_AD_USER_CANCELLED: 477 return SSL3_AD_HANDSHAKE_FAILURE; 478 case SSL_AD_NO_RENEGOTIATION: 479 return -1; /* Don't send it :-) */ 480 case SSL_AD_UNSUPPORTED_EXTENSION: 481 return SSL3_AD_HANDSHAKE_FAILURE; 482 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 483 return SSL3_AD_HANDSHAKE_FAILURE; 484 case SSL_AD_UNRECOGNIZED_NAME: 485 return SSL3_AD_HANDSHAKE_FAILURE; 486 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 487 return SSL3_AD_HANDSHAKE_FAILURE; 488 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 489 return SSL3_AD_HANDSHAKE_FAILURE; 490 case SSL_AD_UNKNOWN_PSK_IDENTITY: 491 return TLS1_AD_UNKNOWN_PSK_IDENTITY; 492 case SSL_AD_INAPPROPRIATE_FALLBACK: 493 return TLS1_AD_INAPPROPRIATE_FALLBACK; 494 case SSL_AD_NO_APPLICATION_PROTOCOL: 495 return TLS1_AD_NO_APPLICATION_PROTOCOL; 496 case SSL_AD_CERTIFICATE_REQUIRED: 497 return SSL_AD_HANDSHAKE_FAILURE; 498 case TLS13_AD_MISSING_EXTENSION: 499 return SSL_AD_HANDSHAKE_FAILURE; 500 default: 501 return -1; 502 } 503 } 504