1 /* ssl/s3_enc.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138 #include <stdio.h> 139 #include "ssl_locl.h" 140 #include <openssl/evp.h> 141 #include <openssl/md5.h> 142 143 static unsigned char ssl3_pad_1[48] = { 144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 150 }; 151 152 static unsigned char ssl3_pad_2[48] = { 153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c 159 }; 160 161 static int ssl3_handshake_mac(SSL *s, int md_nid, 162 const char *sender, int len, unsigned char *p); 163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) 164 { 165 EVP_MD_CTX m5; 166 EVP_MD_CTX s1; 167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; 168 unsigned char c = 'A'; 169 unsigned int i, j, k; 170 171 #ifdef CHARSET_EBCDIC 172 c = os_toascii[c]; /* 'A' in ASCII */ 173 #endif 174 k = 0; 175 EVP_MD_CTX_init(&m5); 176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 177 EVP_MD_CTX_init(&s1); 178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { 179 k++; 180 if (k > sizeof(buf)) 181 /* bug: 'buf' is too small for this ciphersuite */ 182 goto err; 183 184 for (j = 0; j < k; j++) 185 buf[j] = c; 186 c++; 187 if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) || 188 !EVP_DigestUpdate(&s1, buf, k) || 189 !EVP_DigestUpdate(&s1, s->session->master_key, 190 s->session->master_key_length) || 191 !EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) || 192 !EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) || 193 !EVP_DigestFinal_ex(&s1, smd, NULL)) 194 goto err2; 195 196 if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) || 197 !EVP_DigestUpdate(&m5, s->session->master_key, 198 s->session->master_key_length) || 199 !EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH)) 200 goto err2; 201 if ((int)(i + MD5_DIGEST_LENGTH) > num) { 202 if (!EVP_DigestFinal_ex(&m5, smd, NULL)) 203 goto err2; 204 memcpy(km, smd, (num - i)); 205 } else 206 if (!EVP_DigestFinal_ex(&m5, km, NULL)) 207 goto err2; 208 209 km += MD5_DIGEST_LENGTH; 210 } 211 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH); 212 EVP_MD_CTX_cleanup(&m5); 213 EVP_MD_CTX_cleanup(&s1); 214 return 1; 215 err: 216 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); 217 err2: 218 EVP_MD_CTX_cleanup(&m5); 219 EVP_MD_CTX_cleanup(&s1); 220 return 0; 221 } 222 223 int ssl3_change_cipher_state(SSL *s, int which) 224 { 225 unsigned char *p, *mac_secret; 226 unsigned char exp_key[EVP_MAX_KEY_LENGTH]; 227 unsigned char exp_iv[EVP_MAX_IV_LENGTH]; 228 unsigned char *ms, *key, *iv, *er1, *er2; 229 EVP_CIPHER_CTX *dd; 230 const EVP_CIPHER *c; 231 #ifndef OPENSSL_NO_COMP 232 COMP_METHOD *comp; 233 #endif 234 const EVP_MD *m; 235 EVP_MD_CTX md; 236 int is_exp, n, i, j, k, cl; 237 int reuse_dd = 0; 238 239 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 240 c = s->s3->tmp.new_sym_enc; 241 m = s->s3->tmp.new_hash; 242 /* m == NULL will lead to a crash later */ 243 OPENSSL_assert(m); 244 #ifndef OPENSSL_NO_COMP 245 if (s->s3->tmp.new_compression == NULL) 246 comp = NULL; 247 else 248 comp = s->s3->tmp.new_compression->method; 249 #endif 250 251 if (which & SSL3_CC_READ) { 252 if (s->enc_read_ctx != NULL) 253 reuse_dd = 1; 254 else if ((s->enc_read_ctx = 255 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 256 goto err; 257 else 258 /* 259 * make sure it's intialized in case we exit later with an error 260 */ 261 EVP_CIPHER_CTX_init(s->enc_read_ctx); 262 dd = s->enc_read_ctx; 263 264 if (ssl_replace_hash(&s->read_hash, m) == NULL) { 265 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 266 goto err2; 267 } 268 #ifndef OPENSSL_NO_COMP 269 /* COMPRESS */ 270 if (s->expand != NULL) { 271 COMP_CTX_free(s->expand); 272 s->expand = NULL; 273 } 274 if (comp != NULL) { 275 s->expand = COMP_CTX_new(comp); 276 if (s->expand == NULL) { 277 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 278 SSL_R_COMPRESSION_LIBRARY_ERROR); 279 goto err2; 280 } 281 if (s->s3->rrec.comp == NULL) 282 s->s3->rrec.comp = (unsigned char *) 283 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH); 284 if (s->s3->rrec.comp == NULL) 285 goto err; 286 } 287 #endif 288 memset(&(s->s3->read_sequence[0]), 0, 8); 289 mac_secret = &(s->s3->read_mac_secret[0]); 290 } else { 291 if (s->enc_write_ctx != NULL) 292 reuse_dd = 1; 293 else if ((s->enc_write_ctx = 294 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 295 goto err; 296 else 297 /* 298 * make sure it's intialized in case we exit later with an error 299 */ 300 EVP_CIPHER_CTX_init(s->enc_write_ctx); 301 dd = s->enc_write_ctx; 302 if (ssl_replace_hash(&s->write_hash, m) == NULL) { 303 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 304 goto err2; 305 } 306 #ifndef OPENSSL_NO_COMP 307 /* COMPRESS */ 308 if (s->compress != NULL) { 309 COMP_CTX_free(s->compress); 310 s->compress = NULL; 311 } 312 if (comp != NULL) { 313 s->compress = COMP_CTX_new(comp); 314 if (s->compress == NULL) { 315 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 316 SSL_R_COMPRESSION_LIBRARY_ERROR); 317 goto err2; 318 } 319 } 320 #endif 321 memset(&(s->s3->write_sequence[0]), 0, 8); 322 mac_secret = &(s->s3->write_mac_secret[0]); 323 } 324 325 if (reuse_dd) 326 EVP_CIPHER_CTX_cleanup(dd); 327 328 p = s->s3->tmp.key_block; 329 i = EVP_MD_size(m); 330 if (i < 0) 331 goto err2; 332 cl = EVP_CIPHER_key_length(c); 333 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 334 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 335 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ 336 k = EVP_CIPHER_iv_length(c); 337 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 338 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 339 ms = &(p[0]); 340 n = i + i; 341 key = &(p[n]); 342 n += j + j; 343 iv = &(p[n]); 344 n += k + k; 345 er1 = &(s->s3->client_random[0]); 346 er2 = &(s->s3->server_random[0]); 347 } else { 348 n = i; 349 ms = &(p[n]); 350 n += i + j; 351 key = &(p[n]); 352 n += j + k; 353 iv = &(p[n]); 354 n += k; 355 er1 = &(s->s3->server_random[0]); 356 er2 = &(s->s3->client_random[0]); 357 } 358 359 if (n > s->s3->tmp.key_block_length) { 360 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 361 goto err2; 362 } 363 364 EVP_MD_CTX_init(&md); 365 memcpy(mac_secret, ms, i); 366 if (is_exp) { 367 /* 368 * In here I set both the read and write key/iv to the same value 369 * since only the correct one will be used :-). 370 */ 371 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) || 372 !EVP_DigestUpdate(&md, key, j) || 373 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) || 374 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) || 375 !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) { 376 EVP_MD_CTX_cleanup(&md); 377 goto err2; 378 } 379 key = &(exp_key[0]); 380 381 if (k > 0) { 382 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) || 383 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) || 384 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) || 385 !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) { 386 EVP_MD_CTX_cleanup(&md); 387 goto err2; 388 } 389 iv = &(exp_iv[0]); 390 } 391 } 392 EVP_MD_CTX_cleanup(&md); 393 394 s->session->key_arg_length = 0; 395 396 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE))) 397 goto err2; 398 399 #ifdef OPENSSL_SSL_TRACE_CRYPTO 400 if (s->msg_callback) { 401 402 int wh = which & SSL3_CC_WRITE ? 403 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ; 404 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC, 405 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg); 406 if (c->key_len) 407 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY, 408 key, c->key_len, s, s->msg_callback_arg); 409 if (k) { 410 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV, 411 iv, k, s, s->msg_callback_arg); 412 } 413 } 414 #endif 415 416 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key)); 417 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv)); 418 return (1); 419 err: 420 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 421 err2: 422 return (0); 423 } 424 425 int ssl3_setup_key_block(SSL *s) 426 { 427 unsigned char *p; 428 const EVP_CIPHER *c; 429 const EVP_MD *hash; 430 int num; 431 int ret = 0; 432 SSL_COMP *comp; 433 434 if (s->s3->tmp.key_block_length != 0) 435 return (1); 436 437 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) { 438 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 439 return (0); 440 } 441 442 s->s3->tmp.new_sym_enc = c; 443 s->s3->tmp.new_hash = hash; 444 #ifdef OPENSSL_NO_COMP 445 s->s3->tmp.new_compression = NULL; 446 #else 447 s->s3->tmp.new_compression = comp; 448 #endif 449 450 num = EVP_MD_size(hash); 451 if (num < 0) 452 return 0; 453 454 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c); 455 num *= 2; 456 457 ssl3_cleanup_key_block(s); 458 459 if ((p = OPENSSL_malloc(num)) == NULL) 460 goto err; 461 462 s->s3->tmp.key_block_length = num; 463 s->s3->tmp.key_block = p; 464 465 ret = ssl3_generate_key_block(s, p, num); 466 467 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { 468 /* 469 * enable vulnerability countermeasure for CBC ciphers with known-IV 470 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 471 */ 472 s->s3->need_empty_fragments = 1; 473 474 if (s->session->cipher != NULL) { 475 if (s->session->cipher->algorithm_enc == SSL_eNULL) 476 s->s3->need_empty_fragments = 0; 477 478 #ifndef OPENSSL_NO_RC4 479 if (s->session->cipher->algorithm_enc == SSL_RC4) 480 s->s3->need_empty_fragments = 0; 481 #endif 482 } 483 } 484 485 return ret; 486 487 err: 488 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 489 return (0); 490 } 491 492 void ssl3_cleanup_key_block(SSL *s) 493 { 494 if (s->s3->tmp.key_block != NULL) { 495 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); 496 OPENSSL_free(s->s3->tmp.key_block); 497 s->s3->tmp.key_block = NULL; 498 } 499 s->s3->tmp.key_block_length = 0; 500 } 501 502 /*- 503 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 504 * 505 * Returns: 506 * 0: (in non-constant time) if the record is publically invalid (i.e. too 507 * short etc). 508 * 1: if the record's padding is valid / the encryption was successful. 509 * -1: if the record's padding is invalid or, if sending, an internal error 510 * occured. 511 */ 512 int ssl3_enc(SSL *s, int send) 513 { 514 SSL3_RECORD *rec; 515 EVP_CIPHER_CTX *ds; 516 unsigned long l; 517 int bs, i, mac_size = 0; 518 const EVP_CIPHER *enc; 519 520 if (send) { 521 ds = s->enc_write_ctx; 522 rec = &(s->s3->wrec); 523 if (s->enc_write_ctx == NULL) 524 enc = NULL; 525 else 526 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 527 } else { 528 ds = s->enc_read_ctx; 529 rec = &(s->s3->rrec); 530 if (s->enc_read_ctx == NULL) 531 enc = NULL; 532 else 533 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 534 } 535 536 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 537 memmove(rec->data, rec->input, rec->length); 538 rec->input = rec->data; 539 } else { 540 l = rec->length; 541 bs = EVP_CIPHER_block_size(ds->cipher); 542 543 /* COMPRESS */ 544 545 if ((bs != 1) && send) { 546 i = bs - ((int)l % bs); 547 548 /* we need to add 'i-1' padding bytes */ 549 l += i; 550 /* 551 * the last of these zero bytes will be overwritten with the 552 * padding length. 553 */ 554 memset(&rec->input[rec->length], 0, i); 555 rec->length += i; 556 rec->input[l - 1] = (i - 1); 557 } 558 559 if (!send) { 560 if (l == 0 || l % bs != 0) 561 return 0; 562 /* otherwise, rec->length >= bs */ 563 } 564 565 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1) 566 return -1; 567 568 if (EVP_MD_CTX_md(s->read_hash) != NULL) 569 mac_size = EVP_MD_CTX_size(s->read_hash); 570 if ((bs != 1) && !send) 571 return ssl3_cbc_remove_padding(s, rec, bs, mac_size); 572 } 573 return 1; 574 } 575 576 int ssl3_init_finished_mac(SSL *s) 577 { 578 if (s->s3->handshake_buffer) 579 BIO_free(s->s3->handshake_buffer); 580 if (s->s3->handshake_dgst) 581 ssl3_free_digest_list(s); 582 s->s3->handshake_buffer = BIO_new(BIO_s_mem()); 583 if (s->s3->handshake_buffer == NULL) 584 return 0; 585 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); 586 return 1; 587 } 588 589 void ssl3_free_digest_list(SSL *s) 590 { 591 int i; 592 if (!s->s3->handshake_dgst) 593 return; 594 for (i = 0; i < SSL_MAX_DIGEST; i++) { 595 if (s->s3->handshake_dgst[i]) 596 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]); 597 } 598 OPENSSL_free(s->s3->handshake_dgst); 599 s->s3->handshake_dgst = NULL; 600 } 601 602 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) 603 { 604 if (s->s3->handshake_buffer 605 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 606 BIO_write(s->s3->handshake_buffer, (void *)buf, len); 607 } else { 608 int i; 609 for (i = 0; i < SSL_MAX_DIGEST; i++) { 610 if (s->s3->handshake_dgst[i] != NULL) 611 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len); 612 } 613 } 614 } 615 616 int ssl3_digest_cached_records(SSL *s) 617 { 618 int i; 619 long mask; 620 const EVP_MD *md; 621 long hdatalen; 622 void *hdata; 623 624 /* Allocate handshake_dgst array */ 625 ssl3_free_digest_list(s); 626 s->s3->handshake_dgst = 627 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); 628 if (s->s3->handshake_dgst == NULL) { 629 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE); 630 return 0; 631 } 632 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); 633 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); 634 if (hdatalen <= 0) { 635 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH); 636 return 0; 637 } 638 639 /* Loop through bitso of algorithm2 field and create MD_CTX-es */ 640 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) { 641 if ((mask & ssl_get_algorithm2(s)) && md) { 642 s->s3->handshake_dgst[i] = EVP_MD_CTX_create(); 643 if (s->s3->handshake_dgst[i] == NULL) { 644 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE); 645 return 0; 646 } 647 #ifdef OPENSSL_FIPS 648 if (EVP_MD_nid(md) == NID_md5) { 649 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i], 650 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 651 } 652 #endif 653 if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL) 654 || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, 655 hdatalen)) { 656 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR); 657 return 0; 658 } 659 } else { 660 s->s3->handshake_dgst[i] = NULL; 661 } 662 } 663 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { 664 /* Free handshake_buffer BIO */ 665 BIO_free(s->s3->handshake_buffer); 666 s->s3->handshake_buffer = NULL; 667 } 668 669 return 1; 670 } 671 672 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p) 673 { 674 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p)); 675 } 676 677 int ssl3_final_finish_mac(SSL *s, 678 const char *sender, int len, unsigned char *p) 679 { 680 int ret, sha1len; 681 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p); 682 if (ret == 0) 683 return 0; 684 685 p += ret; 686 687 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p); 688 if (sha1len == 0) 689 return 0; 690 691 ret += sha1len; 692 return (ret); 693 } 694 695 static int ssl3_handshake_mac(SSL *s, int md_nid, 696 const char *sender, int len, unsigned char *p) 697 { 698 unsigned int ret; 699 int npad, n; 700 unsigned int i; 701 unsigned char md_buf[EVP_MAX_MD_SIZE]; 702 EVP_MD_CTX ctx, *d = NULL; 703 704 if (s->s3->handshake_buffer) 705 if (!ssl3_digest_cached_records(s)) 706 return 0; 707 708 /* 709 * Search for digest of specified type in the handshake_dgst array 710 */ 711 for (i = 0; i < SSL_MAX_DIGEST; i++) { 712 if (s->s3->handshake_dgst[i] 713 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) { 714 d = s->s3->handshake_dgst[i]; 715 break; 716 } 717 } 718 if (!d) { 719 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST); 720 return 0; 721 } 722 EVP_MD_CTX_init(&ctx); 723 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 724 EVP_MD_CTX_copy_ex(&ctx, d); 725 n = EVP_MD_CTX_size(&ctx); 726 if (n < 0) 727 return 0; 728 729 npad = (48 / n) * n; 730 if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0) 731 || EVP_DigestUpdate(&ctx, s->session->master_key, 732 s->session->master_key_length) <= 0 733 || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0 734 || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0 735 736 || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0 737 || EVP_DigestUpdate(&ctx, s->session->master_key, 738 s->session->master_key_length) <= 0 739 || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0 740 || EVP_DigestUpdate(&ctx, md_buf, i) <= 0 741 || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) { 742 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR); 743 ret = 0; 744 } 745 746 EVP_MD_CTX_cleanup(&ctx); 747 748 return ((int)ret); 749 } 750 751 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) 752 { 753 SSL3_RECORD *rec; 754 unsigned char *mac_sec, *seq; 755 EVP_MD_CTX md_ctx; 756 const EVP_MD_CTX *hash; 757 unsigned char *p, rec_char; 758 size_t md_size, orig_len; 759 int npad; 760 int t; 761 762 if (send) { 763 rec = &(ssl->s3->wrec); 764 mac_sec = &(ssl->s3->write_mac_secret[0]); 765 seq = &(ssl->s3->write_sequence[0]); 766 hash = ssl->write_hash; 767 } else { 768 rec = &(ssl->s3->rrec); 769 mac_sec = &(ssl->s3->read_mac_secret[0]); 770 seq = &(ssl->s3->read_sequence[0]); 771 hash = ssl->read_hash; 772 } 773 774 t = EVP_MD_CTX_size(hash); 775 if (t < 0) 776 return -1; 777 md_size = t; 778 npad = (48 / md_size) * md_size; 779 780 /* 781 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type 782 */ 783 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); 784 rec->type &= 0xff; 785 786 if (!send && 787 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 788 ssl3_cbc_record_digest_supported(hash)) { 789 /* 790 * This is a CBC-encrypted record. We must avoid leaking any 791 * timing-side channel information about how many blocks of data we 792 * are hashing because that gives an attacker a timing-oracle. 793 */ 794 795 /*- 796 * npad is, at most, 48 bytes and that's with MD5: 797 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. 798 * 799 * With SHA-1 (the largest hash speced for SSLv3) the hash size 800 * goes up 4, but npad goes down by 8, resulting in a smaller 801 * total size. 802 */ 803 unsigned char header[75]; 804 unsigned j = 0; 805 memcpy(header + j, mac_sec, md_size); 806 j += md_size; 807 memcpy(header + j, ssl3_pad_1, npad); 808 j += npad; 809 memcpy(header + j, seq, 8); 810 j += 8; 811 header[j++] = rec->type; 812 header[j++] = rec->length >> 8; 813 header[j++] = rec->length & 0xff; 814 815 /* Final param == is SSLv3 */ 816 if (ssl3_cbc_digest_record(hash, 817 md, &md_size, 818 header, rec->input, 819 rec->length + md_size, orig_len, 820 mac_sec, md_size, 1) <= 0) 821 return -1; 822 } else { 823 unsigned int md_size_u; 824 /* Chop the digest off the end :-) */ 825 EVP_MD_CTX_init(&md_ctx); 826 827 rec_char = rec->type; 828 p = md; 829 s2n(rec->length, p); 830 if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0 831 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0 832 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0 833 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0 834 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0 835 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0 836 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0 837 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0 838 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0 839 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0 840 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0 841 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0 842 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) { 843 EVP_MD_CTX_cleanup(&md_ctx); 844 return -1; 845 } 846 md_size = md_size_u; 847 848 EVP_MD_CTX_cleanup(&md_ctx); 849 } 850 851 ssl3_record_sequence_update(seq); 852 return (md_size); 853 } 854 855 void ssl3_record_sequence_update(unsigned char *seq) 856 { 857 int i; 858 859 for (i = 7; i >= 0; i--) { 860 ++seq[i]; 861 if (seq[i] != 0) 862 break; 863 } 864 } 865 866 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 867 int len) 868 { 869 static const unsigned char *salt[3] = { 870 #ifndef CHARSET_EBCDIC 871 (const unsigned char *)"A", 872 (const unsigned char *)"BB", 873 (const unsigned char *)"CCC", 874 #else 875 (const unsigned char *)"\x41", 876 (const unsigned char *)"\x42\x42", 877 (const unsigned char *)"\x43\x43\x43", 878 #endif 879 }; 880 unsigned char buf[EVP_MAX_MD_SIZE]; 881 EVP_MD_CTX ctx; 882 int i, ret = 0; 883 unsigned int n; 884 #ifdef OPENSSL_SSL_TRACE_CRYPTO 885 unsigned char *tmpout = out; 886 #endif 887 888 EVP_MD_CTX_init(&ctx); 889 for (i = 0; i < 3; i++) { 890 if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0 891 || EVP_DigestUpdate(&ctx, salt[i], 892 strlen((const char *)salt[i])) <= 0 893 || EVP_DigestUpdate(&ctx, p, len) <= 0 894 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), 895 SSL3_RANDOM_SIZE) <= 0 896 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), 897 SSL3_RANDOM_SIZE) <= 0 898 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0 899 900 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0 901 || EVP_DigestUpdate(&ctx, p, len) <= 0 902 || EVP_DigestUpdate(&ctx, buf, n) <= 0 903 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) { 904 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR); 905 ret = 0; 906 break; 907 } 908 out += n; 909 ret += n; 910 } 911 EVP_MD_CTX_cleanup(&ctx); 912 913 #ifdef OPENSSL_SSL_TRACE_CRYPTO 914 if (ret > 0 && s->msg_callback) { 915 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER, 916 p, len, s, s->msg_callback_arg); 917 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM, 918 s->s3->client_random, SSL3_RANDOM_SIZE, 919 s, s->msg_callback_arg); 920 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM, 921 s->s3->server_random, SSL3_RANDOM_SIZE, 922 s, s->msg_callback_arg); 923 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER, 924 tmpout, SSL3_MASTER_SECRET_SIZE, 925 s, s->msg_callback_arg); 926 } 927 #endif 928 OPENSSL_cleanse(buf, sizeof(buf)); 929 return (ret); 930 } 931 932 int ssl3_alert_code(int code) 933 { 934 switch (code) { 935 case SSL_AD_CLOSE_NOTIFY: 936 return (SSL3_AD_CLOSE_NOTIFY); 937 case SSL_AD_UNEXPECTED_MESSAGE: 938 return (SSL3_AD_UNEXPECTED_MESSAGE); 939 case SSL_AD_BAD_RECORD_MAC: 940 return (SSL3_AD_BAD_RECORD_MAC); 941 case SSL_AD_DECRYPTION_FAILED: 942 return (SSL3_AD_BAD_RECORD_MAC); 943 case SSL_AD_RECORD_OVERFLOW: 944 return (SSL3_AD_BAD_RECORD_MAC); 945 case SSL_AD_DECOMPRESSION_FAILURE: 946 return (SSL3_AD_DECOMPRESSION_FAILURE); 947 case SSL_AD_HANDSHAKE_FAILURE: 948 return (SSL3_AD_HANDSHAKE_FAILURE); 949 case SSL_AD_NO_CERTIFICATE: 950 return (SSL3_AD_NO_CERTIFICATE); 951 case SSL_AD_BAD_CERTIFICATE: 952 return (SSL3_AD_BAD_CERTIFICATE); 953 case SSL_AD_UNSUPPORTED_CERTIFICATE: 954 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 955 case SSL_AD_CERTIFICATE_REVOKED: 956 return (SSL3_AD_CERTIFICATE_REVOKED); 957 case SSL_AD_CERTIFICATE_EXPIRED: 958 return (SSL3_AD_CERTIFICATE_EXPIRED); 959 case SSL_AD_CERTIFICATE_UNKNOWN: 960 return (SSL3_AD_CERTIFICATE_UNKNOWN); 961 case SSL_AD_ILLEGAL_PARAMETER: 962 return (SSL3_AD_ILLEGAL_PARAMETER); 963 case SSL_AD_UNKNOWN_CA: 964 return (SSL3_AD_BAD_CERTIFICATE); 965 case SSL_AD_ACCESS_DENIED: 966 return (SSL3_AD_HANDSHAKE_FAILURE); 967 case SSL_AD_DECODE_ERROR: 968 return (SSL3_AD_HANDSHAKE_FAILURE); 969 case SSL_AD_DECRYPT_ERROR: 970 return (SSL3_AD_HANDSHAKE_FAILURE); 971 case SSL_AD_EXPORT_RESTRICTION: 972 return (SSL3_AD_HANDSHAKE_FAILURE); 973 case SSL_AD_PROTOCOL_VERSION: 974 return (SSL3_AD_HANDSHAKE_FAILURE); 975 case SSL_AD_INSUFFICIENT_SECURITY: 976 return (SSL3_AD_HANDSHAKE_FAILURE); 977 case SSL_AD_INTERNAL_ERROR: 978 return (SSL3_AD_HANDSHAKE_FAILURE); 979 case SSL_AD_USER_CANCELLED: 980 return (SSL3_AD_HANDSHAKE_FAILURE); 981 case SSL_AD_NO_RENEGOTIATION: 982 return (-1); /* Don't send it :-) */ 983 case SSL_AD_UNSUPPORTED_EXTENSION: 984 return (SSL3_AD_HANDSHAKE_FAILURE); 985 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 986 return (SSL3_AD_HANDSHAKE_FAILURE); 987 case SSL_AD_UNRECOGNIZED_NAME: 988 return (SSL3_AD_HANDSHAKE_FAILURE); 989 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 990 return (SSL3_AD_HANDSHAKE_FAILURE); 991 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 992 return (SSL3_AD_HANDSHAKE_FAILURE); 993 case SSL_AD_UNKNOWN_PSK_IDENTITY: 994 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 995 case SSL_AD_INAPPROPRIATE_FALLBACK: 996 return (TLS1_AD_INAPPROPRIATE_FALLBACK); 997 default: 998 return (-1); 999 } 1000 } 1001