1/* ssl/s3_enc.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 *    notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 *    notice, this list of conditions and the following disclaimer in
70 *    the documentation and/or other materials provided with the
71 *    distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 *    software must display the following acknowledgment:
75 *    "This product includes software developed by the OpenSSL Project
76 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 *    endorse or promote products derived from this software without
80 *    prior written permission. For written permission, please contact
81 *    openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 *    nor may "OpenSSL" appear in their names without prior written
85 *    permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 *    acknowledgment:
89 *    "This product includes software developed by the OpenSSL Project
90 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com).  This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
113 *
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
116 * license.
117 *
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
121 *
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
125 *
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
130 *
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
135 * OTHERWISE.
136 */
137
138#include <stdio.h>
139#include "ssl_locl.h"
140#include <openssl/evp.h>
141#include <openssl/md5.h>
142
143static unsigned char ssl3_pad_1[48]={
144	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
145	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
146	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
147	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
148	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36,
149	0x36,0x36,0x36,0x36,0x36,0x36,0x36,0x36 };
150
151static unsigned char ssl3_pad_2[48]={
152	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
153	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
154	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
155	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
156	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,
157	0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c,0x5c };
158static int ssl3_handshake_mac(SSL *s, int md_nid,
159	const char *sender, int len, unsigned char *p);
160static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
161	{
162	EVP_MD_CTX m5;
163	EVP_MD_CTX s1;
164	unsigned char buf[16],smd[SHA_DIGEST_LENGTH];
165	unsigned char c='A';
166	unsigned int i,j,k;
167
168#ifdef CHARSET_EBCDIC
169	c = os_toascii[c]; /*'A' in ASCII */
170#endif
171	k=0;
172	EVP_MD_CTX_init(&m5);
173	EVP_MD_CTX_init(&s1);
174	for (i=0; (int)i<num; i+=MD5_DIGEST_LENGTH)
175		{
176		k++;
177		if (k > sizeof buf)
178			{
179			/* bug: 'buf' is too small for this ciphersuite */
180			SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
181			return 0;
182			}
183
184		for (j=0; j<k; j++)
185			buf[j]=c;
186		c++;
187		EVP_DigestInit_ex(&s1,EVP_sha1(), NULL);
188		EVP_DigestUpdate(&s1,buf,k);
189		EVP_DigestUpdate(&s1,s->session->master_key,
190			s->session->master_key_length);
191		EVP_DigestUpdate(&s1,s->s3->server_random,SSL3_RANDOM_SIZE);
192		EVP_DigestUpdate(&s1,s->s3->client_random,SSL3_RANDOM_SIZE);
193		EVP_DigestFinal_ex(&s1,smd,NULL);
194
195		EVP_DigestInit_ex(&m5,EVP_md5(), NULL);
196		EVP_DigestUpdate(&m5,s->session->master_key,
197			s->session->master_key_length);
198		EVP_DigestUpdate(&m5,smd,SHA_DIGEST_LENGTH);
199		if ((int)(i+MD5_DIGEST_LENGTH) > num)
200			{
201			EVP_DigestFinal_ex(&m5,smd,NULL);
202			memcpy(km,smd,(num-i));
203			}
204		else
205			EVP_DigestFinal_ex(&m5,km,NULL);
206
207		km+=MD5_DIGEST_LENGTH;
208		}
209	OPENSSL_cleanse(smd,SHA_DIGEST_LENGTH);
210	EVP_MD_CTX_cleanup(&m5);
211	EVP_MD_CTX_cleanup(&s1);
212	return 1;
213	}
214
215int ssl3_change_cipher_state(SSL *s, int which)
216	{
217	unsigned char *p,*mac_secret;
218	unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219	unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220	unsigned char *ms,*key,*iv,*er1,*er2;
221	EVP_CIPHER_CTX *dd;
222	const EVP_CIPHER *c;
223#ifndef OPENSSL_NO_COMP
224	COMP_METHOD *comp;
225#endif
226	const EVP_MD *m;
227	EVP_MD_CTX md;
228	int is_exp,n,i,j,k,cl;
229	int reuse_dd = 0;
230
231	is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232	c=s->s3->tmp.new_sym_enc;
233	m=s->s3->tmp.new_hash;
234	/* m == NULL will lead to a crash later */
235	OPENSSL_assert(m);
236#ifndef OPENSSL_NO_COMP
237	if (s->s3->tmp.new_compression == NULL)
238		comp=NULL;
239	else
240		comp=s->s3->tmp.new_compression->method;
241#endif
242
243	if (which & SSL3_CC_READ)
244		{
245		if (s->enc_read_ctx != NULL)
246			reuse_dd = 1;
247		else if ((s->enc_read_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
248			goto err;
249		else
250			/* make sure it's intialized in case we exit later with an error */
251			EVP_CIPHER_CTX_init(s->enc_read_ctx);
252		dd= s->enc_read_ctx;
253
254		ssl_replace_hash(&s->read_hash,m);
255#ifndef OPENSSL_NO_COMP
256		/* COMPRESS */
257		if (s->expand != NULL)
258			{
259			COMP_CTX_free(s->expand);
260			s->expand=NULL;
261			}
262		if (comp != NULL)
263			{
264			s->expand=COMP_CTX_new(comp);
265			if (s->expand == NULL)
266				{
267				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
268				goto err2;
269				}
270			if (s->s3->rrec.comp == NULL)
271				s->s3->rrec.comp=(unsigned char *)
272					OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
273			if (s->s3->rrec.comp == NULL)
274				goto err;
275			}
276#endif
277		memset(&(s->s3->read_sequence[0]),0,8);
278		mac_secret= &(s->s3->read_mac_secret[0]);
279		}
280	else
281		{
282		if (s->enc_write_ctx != NULL)
283			reuse_dd = 1;
284		else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
285			goto err;
286		else
287			/* make sure it's intialized in case we exit later with an error */
288			EVP_CIPHER_CTX_init(s->enc_write_ctx);
289		dd= s->enc_write_ctx;
290		ssl_replace_hash(&s->write_hash,m);
291#ifndef OPENSSL_NO_COMP
292		/* COMPRESS */
293		if (s->compress != NULL)
294			{
295			COMP_CTX_free(s->compress);
296			s->compress=NULL;
297			}
298		if (comp != NULL)
299			{
300			s->compress=COMP_CTX_new(comp);
301			if (s->compress == NULL)
302				{
303				SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,SSL_R_COMPRESSION_LIBRARY_ERROR);
304				goto err2;
305				}
306			}
307#endif
308		memset(&(s->s3->write_sequence[0]),0,8);
309		mac_secret= &(s->s3->write_mac_secret[0]);
310		}
311
312	if (reuse_dd)
313		EVP_CIPHER_CTX_cleanup(dd);
314
315	p=s->s3->tmp.key_block;
316	i=EVP_MD_size(m);
317	if (i < 0)
318		goto err2;
319	cl=EVP_CIPHER_key_length(c);
320	j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
321		 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
322	/* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
323	k=EVP_CIPHER_iv_length(c);
324	if (	(which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
325		(which == SSL3_CHANGE_CIPHER_SERVER_READ))
326		{
327		ms=  &(p[ 0]); n=i+i;
328		key= &(p[ n]); n+=j+j;
329		iv=  &(p[ n]); n+=k+k;
330		er1= &(s->s3->client_random[0]);
331		er2= &(s->s3->server_random[0]);
332		}
333	else
334		{
335		n=i;
336		ms=  &(p[ n]); n+=i+j;
337		key= &(p[ n]); n+=j+k;
338		iv=  &(p[ n]); n+=k;
339		er1= &(s->s3->server_random[0]);
340		er2= &(s->s3->client_random[0]);
341		}
342
343	if (n > s->s3->tmp.key_block_length)
344		{
345		SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_INTERNAL_ERROR);
346		goto err2;
347		}
348
349	EVP_MD_CTX_init(&md);
350	memcpy(mac_secret,ms,i);
351	if (is_exp)
352		{
353		/* In here I set both the read and write key/iv to the
354		 * same value since only the correct one will be used :-).
355		 */
356		EVP_DigestInit_ex(&md,EVP_md5(), NULL);
357		EVP_DigestUpdate(&md,key,j);
358		EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
359		EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
360		EVP_DigestFinal_ex(&md,&(exp_key[0]),NULL);
361		key= &(exp_key[0]);
362
363		if (k > 0)
364			{
365			EVP_DigestInit_ex(&md,EVP_md5(), NULL);
366			EVP_DigestUpdate(&md,er1,SSL3_RANDOM_SIZE);
367			EVP_DigestUpdate(&md,er2,SSL3_RANDOM_SIZE);
368			EVP_DigestFinal_ex(&md,&(exp_iv[0]),NULL);
369			iv= &(exp_iv[0]);
370			}
371		}
372
373	s->session->key_arg_length=0;
374
375	EVP_CipherInit_ex(dd,c,NULL,key,iv,(which & SSL3_CC_WRITE));
376
377	OPENSSL_cleanse(&(exp_key[0]),sizeof(exp_key));
378	OPENSSL_cleanse(&(exp_iv[0]),sizeof(exp_iv));
379	EVP_MD_CTX_cleanup(&md);
380	return(1);
381err:
382	SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,ERR_R_MALLOC_FAILURE);
383err2:
384	return(0);
385	}
386
387int ssl3_setup_key_block(SSL *s)
388	{
389	unsigned char *p;
390	const EVP_CIPHER *c;
391	const EVP_MD *hash;
392	int num;
393	int ret = 0;
394	SSL_COMP *comp;
395
396	if (s->s3->tmp.key_block_length != 0)
397		return(1);
398
399	if (!ssl_cipher_get_evp(s->session,&c,&hash,NULL,NULL,&comp))
400		{
401		SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
402		return(0);
403		}
404
405	s->s3->tmp.new_sym_enc=c;
406	s->s3->tmp.new_hash=hash;
407#ifdef OPENSSL_NO_COMP
408	s->s3->tmp.new_compression=NULL;
409#else
410	s->s3->tmp.new_compression=comp;
411#endif
412
413	num=EVP_MD_size(hash);
414	if (num < 0)
415		return 0;
416
417	num=EVP_CIPHER_key_length(c)+num+EVP_CIPHER_iv_length(c);
418	num*=2;
419
420	ssl3_cleanup_key_block(s);
421
422	if ((p=OPENSSL_malloc(num)) == NULL)
423		goto err;
424
425	s->s3->tmp.key_block_length=num;
426	s->s3->tmp.key_block=p;
427
428	ret = ssl3_generate_key_block(s,p,num);
429
430	if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS))
431		{
432		/* enable vulnerability countermeasure for CBC ciphers with
433		 * known-IV problem (http://www.openssl.org/~bodo/tls-cbc.txt)
434		 */
435		s->s3->need_empty_fragments = 1;
436
437		if (s->session->cipher != NULL)
438			{
439			if (s->session->cipher->algorithm_enc == SSL_eNULL)
440				s->s3->need_empty_fragments = 0;
441
442#ifndef OPENSSL_NO_RC4
443			if (s->session->cipher->algorithm_enc == SSL_RC4)
444				s->s3->need_empty_fragments = 0;
445#endif
446			}
447		}
448
449	return ret;
450
451err:
452	SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,ERR_R_MALLOC_FAILURE);
453	return(0);
454	}
455
456void ssl3_cleanup_key_block(SSL *s)
457	{
458	if (s->s3->tmp.key_block != NULL)
459		{
460		OPENSSL_cleanse(s->s3->tmp.key_block,
461			s->s3->tmp.key_block_length);
462		OPENSSL_free(s->s3->tmp.key_block);
463		s->s3->tmp.key_block=NULL;
464		}
465	s->s3->tmp.key_block_length=0;
466	}
467
468int ssl3_enc(SSL *s, int send)
469	{
470	SSL3_RECORD *rec;
471	EVP_CIPHER_CTX *ds;
472	unsigned long l;
473	int bs,i;
474	const EVP_CIPHER *enc;
475
476	if (send)
477		{
478		ds=s->enc_write_ctx;
479		rec= &(s->s3->wrec);
480		if (s->enc_write_ctx == NULL)
481			enc=NULL;
482		else
483			enc=EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
484		}
485	else
486		{
487		ds=s->enc_read_ctx;
488		rec= &(s->s3->rrec);
489		if (s->enc_read_ctx == NULL)
490			enc=NULL;
491		else
492			enc=EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
493		}
494
495	if ((s->session == NULL) || (ds == NULL) ||
496		(enc == NULL))
497		{
498		memmove(rec->data,rec->input,rec->length);
499		rec->input=rec->data;
500		}
501	else
502		{
503		l=rec->length;
504		bs=EVP_CIPHER_block_size(ds->cipher);
505
506		/* COMPRESS */
507
508		if ((bs != 1) && send)
509			{
510			i=bs-((int)l%bs);
511
512			/* we need to add 'i-1' padding bytes */
513			l+=i;
514			rec->length+=i;
515			rec->input[l-1]=(i-1);
516			}
517
518		if (!send)
519			{
520			if (l == 0 || l%bs != 0)
521				{
522				SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
523				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
524				return 0;
525				}
526			/* otherwise, rec->length >= bs */
527			}
528
529		EVP_Cipher(ds,rec->data,rec->input,l);
530
531		if ((bs != 1) && !send)
532			{
533			i=rec->data[l-1]+1;
534			/* SSL 3.0 bounds the number of padding bytes by the block size;
535			 * padding bytes (except the last one) are arbitrary */
536			if (i > bs)
537				{
538				/* Incorrect padding. SSLerr() and ssl3_alert are done
539				 * by caller: we don't want to reveal whether this is
540				 * a decryption error or a MAC verification failure
541				 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
542				return -1;
543				}
544			/* now i <= bs <= rec->length */
545			rec->length-=i;
546			}
547		}
548	return(1);
549	}
550
551void ssl3_init_finished_mac(SSL *s)
552	{
553	if (s->s3->handshake_buffer) BIO_free(s->s3->handshake_buffer);
554	if (s->s3->handshake_dgst) ssl3_free_digest_list(s);
555    s->s3->handshake_buffer=BIO_new(BIO_s_mem());
556	(void)BIO_set_close(s->s3->handshake_buffer,BIO_CLOSE);
557	}
558
559void ssl3_free_digest_list(SSL *s)
560	{
561	int i;
562	if (!s->s3->handshake_dgst) return;
563	for (i=0;i<SSL_MAX_DIGEST;i++)
564		{
565		if (s->s3->handshake_dgst[i])
566			EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
567		}
568	OPENSSL_free(s->s3->handshake_dgst);
569	s->s3->handshake_dgst=NULL;
570	}
571
572
573
574void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
575	{
576	if (s->s3->handshake_buffer)
577		{
578		BIO_write (s->s3->handshake_buffer,(void *)buf,len);
579		}
580	else
581		{
582		int i;
583		for (i=0;i< SSL_MAX_DIGEST;i++)
584			{
585			if (s->s3->handshake_dgst[i]!= NULL)
586			EVP_DigestUpdate(s->s3->handshake_dgst[i],buf,len);
587			}
588		}
589	}
590
591int ssl3_digest_cached_records(SSL *s)
592	{
593	int i;
594	long mask;
595	const EVP_MD *md;
596	long hdatalen;
597	void *hdata;
598
599	/* Allocate handshake_dgst array */
600	ssl3_free_digest_list(s);
601	s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
602	memset(s->s3->handshake_dgst,0,SSL_MAX_DIGEST *sizeof(EVP_MD_CTX *));
603	hdatalen = BIO_get_mem_data(s->s3->handshake_buffer,&hdata);
604	if (hdatalen <= 0)
605		{
606		SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
607		return 0;
608		}
609
610	/* Loop through bitso of algorithm2 field and create MD_CTX-es */
611	for (i=0;ssl_get_handshake_digest(i,&mask,&md); i++)
612		{
613		if ((mask & s->s3->tmp.new_cipher->algorithm2) && md)
614			{
615			s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
616			EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
617			EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
618			}
619		else
620			{
621			s->s3->handshake_dgst[i]=NULL;
622			}
623		}
624	/* Free handshake_buffer BIO */
625	BIO_free(s->s3->handshake_buffer);
626	s->s3->handshake_buffer = NULL;
627
628	return 1;
629	}
630
631int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
632	{
633	return(ssl3_handshake_mac(s,md_nid,NULL,0,p));
634	}
635int ssl3_final_finish_mac(SSL *s,
636	     const char *sender, int len, unsigned char *p)
637	{
638	int ret;
639	ret=ssl3_handshake_mac(s,NID_md5,sender,len,p);
640	p+=ret;
641	ret+=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
642	return(ret);
643	}
644static int ssl3_handshake_mac(SSL *s, int md_nid,
645	     const char *sender, int len, unsigned char *p)
646	{
647	unsigned int ret;
648	int npad,n;
649	unsigned int i;
650	unsigned char md_buf[EVP_MAX_MD_SIZE];
651	EVP_MD_CTX ctx,*d=NULL;
652
653	if (s->s3->handshake_buffer)
654		if (!ssl3_digest_cached_records(s))
655			return 0;
656
657	/* Search for digest of specified type in the handshake_dgst
658	 * array*/
659	for (i=0;i<SSL_MAX_DIGEST;i++)
660		{
661		  if (s->s3->handshake_dgst[i]&&EVP_MD_CTX_type(s->s3->handshake_dgst[i])==md_nid)
662		  	{
663		  	d=s->s3->handshake_dgst[i];
664			break;
665			}
666		}
667	if (!d) {
668		SSLerr(SSL_F_SSL3_HANDSHAKE_MAC,SSL_R_NO_REQUIRED_DIGEST);
669		return 0;
670	}
671	EVP_MD_CTX_init(&ctx);
672	EVP_MD_CTX_copy_ex(&ctx,d);
673	n=EVP_MD_CTX_size(&ctx);
674	if (n < 0)
675		return 0;
676
677	npad=(48/n)*n;
678	if (sender != NULL)
679		EVP_DigestUpdate(&ctx,sender,len);
680	EVP_DigestUpdate(&ctx,s->session->master_key,
681		s->session->master_key_length);
682	EVP_DigestUpdate(&ctx,ssl3_pad_1,npad);
683	EVP_DigestFinal_ex(&ctx,md_buf,&i);
684
685	EVP_DigestInit_ex(&ctx,EVP_MD_CTX_md(&ctx), NULL);
686	EVP_DigestUpdate(&ctx,s->session->master_key,
687		s->session->master_key_length);
688	EVP_DigestUpdate(&ctx,ssl3_pad_2,npad);
689	EVP_DigestUpdate(&ctx,md_buf,i);
690	EVP_DigestFinal_ex(&ctx,p,&ret);
691
692	EVP_MD_CTX_cleanup(&ctx);
693
694	return((int)ret);
695	}
696
697int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
698	{
699	SSL3_RECORD *rec;
700	unsigned char *mac_sec,*seq;
701	EVP_MD_CTX md_ctx;
702	const EVP_MD_CTX *hash;
703	unsigned char *p,rec_char;
704	unsigned int md_size;
705	int npad;
706	int t;
707
708	if (send)
709		{
710		rec= &(ssl->s3->wrec);
711		mac_sec= &(ssl->s3->write_mac_secret[0]);
712		seq= &(ssl->s3->write_sequence[0]);
713		hash=ssl->write_hash;
714		}
715	else
716		{
717		rec= &(ssl->s3->rrec);
718		mac_sec= &(ssl->s3->read_mac_secret[0]);
719		seq= &(ssl->s3->read_sequence[0]);
720		hash=ssl->read_hash;
721		}
722
723	t=EVP_MD_CTX_size(hash);
724	if (t < 0)
725		return -1;
726	md_size=t;
727	npad=(48/md_size)*md_size;
728
729	/* Chop the digest off the end :-) */
730	EVP_MD_CTX_init(&md_ctx);
731
732	EVP_MD_CTX_copy_ex( &md_ctx,hash);
733	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
734	EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
735	EVP_DigestUpdate(&md_ctx,seq,8);
736	rec_char=rec->type;
737	EVP_DigestUpdate(&md_ctx,&rec_char,1);
738	p=md;
739	s2n(rec->length,p);
740	EVP_DigestUpdate(&md_ctx,md,2);
741	EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
742	EVP_DigestFinal_ex( &md_ctx,md,NULL);
743
744	EVP_MD_CTX_copy_ex( &md_ctx,hash);
745	EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
746	EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
747	EVP_DigestUpdate(&md_ctx,md,md_size);
748	EVP_DigestFinal_ex( &md_ctx,md,&md_size);
749
750	EVP_MD_CTX_cleanup(&md_ctx);
751
752	ssl3_record_sequence_update(seq);
753	return(md_size);
754	}
755
756void ssl3_record_sequence_update(unsigned char *seq)
757	{
758	int i;
759
760	for (i=7; i>=0; i--)
761		{
762		++seq[i];
763		if (seq[i] != 0) break;
764		}
765	}
766
767int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
768	     int len)
769	{
770	static const unsigned char *salt[3]={
771#ifndef CHARSET_EBCDIC
772		(const unsigned char *)"A",
773		(const unsigned char *)"BB",
774		(const unsigned char *)"CCC",
775#else
776		(const unsigned char *)"\x41",
777		(const unsigned char *)"\x42\x42",
778		(const unsigned char *)"\x43\x43\x43",
779#endif
780		};
781	unsigned char buf[EVP_MAX_MD_SIZE];
782	EVP_MD_CTX ctx;
783	int i,ret=0;
784	unsigned int n;
785
786	EVP_MD_CTX_init(&ctx);
787	for (i=0; i<3; i++)
788		{
789		EVP_DigestInit_ex(&ctx,s->ctx->sha1, NULL);
790		EVP_DigestUpdate(&ctx,salt[i],strlen((const char *)salt[i]));
791		EVP_DigestUpdate(&ctx,p,len);
792		EVP_DigestUpdate(&ctx,&(s->s3->client_random[0]),
793			SSL3_RANDOM_SIZE);
794		EVP_DigestUpdate(&ctx,&(s->s3->server_random[0]),
795			SSL3_RANDOM_SIZE);
796		EVP_DigestFinal_ex(&ctx,buf,&n);
797
798		EVP_DigestInit_ex(&ctx,s->ctx->md5, NULL);
799		EVP_DigestUpdate(&ctx,p,len);
800		EVP_DigestUpdate(&ctx,buf,n);
801		EVP_DigestFinal_ex(&ctx,out,&n);
802		out+=n;
803		ret+=n;
804		}
805	EVP_MD_CTX_cleanup(&ctx);
806	return(ret);
807	}
808
809int ssl3_alert_code(int code)
810	{
811	switch (code)
812		{
813	case SSL_AD_CLOSE_NOTIFY:	return(SSL3_AD_CLOSE_NOTIFY);
814	case SSL_AD_UNEXPECTED_MESSAGE:	return(SSL3_AD_UNEXPECTED_MESSAGE);
815	case SSL_AD_BAD_RECORD_MAC:	return(SSL3_AD_BAD_RECORD_MAC);
816	case SSL_AD_DECRYPTION_FAILED:	return(SSL3_AD_BAD_RECORD_MAC);
817	case SSL_AD_RECORD_OVERFLOW:	return(SSL3_AD_BAD_RECORD_MAC);
818	case SSL_AD_DECOMPRESSION_FAILURE:return(SSL3_AD_DECOMPRESSION_FAILURE);
819	case SSL_AD_HANDSHAKE_FAILURE:	return(SSL3_AD_HANDSHAKE_FAILURE);
820	case SSL_AD_NO_CERTIFICATE:	return(SSL3_AD_NO_CERTIFICATE);
821	case SSL_AD_BAD_CERTIFICATE:	return(SSL3_AD_BAD_CERTIFICATE);
822	case SSL_AD_UNSUPPORTED_CERTIFICATE:return(SSL3_AD_UNSUPPORTED_CERTIFICATE);
823	case SSL_AD_CERTIFICATE_REVOKED:return(SSL3_AD_CERTIFICATE_REVOKED);
824	case SSL_AD_CERTIFICATE_EXPIRED:return(SSL3_AD_CERTIFICATE_EXPIRED);
825	case SSL_AD_CERTIFICATE_UNKNOWN:return(SSL3_AD_CERTIFICATE_UNKNOWN);
826	case SSL_AD_ILLEGAL_PARAMETER:	return(SSL3_AD_ILLEGAL_PARAMETER);
827	case SSL_AD_UNKNOWN_CA:		return(SSL3_AD_BAD_CERTIFICATE);
828	case SSL_AD_ACCESS_DENIED:	return(SSL3_AD_HANDSHAKE_FAILURE);
829	case SSL_AD_DECODE_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
830	case SSL_AD_DECRYPT_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
831	case SSL_AD_EXPORT_RESTRICTION:	return(SSL3_AD_HANDSHAKE_FAILURE);
832	case SSL_AD_PROTOCOL_VERSION:	return(SSL3_AD_HANDSHAKE_FAILURE);
833	case SSL_AD_INSUFFICIENT_SECURITY:return(SSL3_AD_HANDSHAKE_FAILURE);
834	case SSL_AD_INTERNAL_ERROR:	return(SSL3_AD_HANDSHAKE_FAILURE);
835	case SSL_AD_USER_CANCELLED:	return(SSL3_AD_HANDSHAKE_FAILURE);
836	case SSL_AD_NO_RENEGOTIATION:	return(-1); /* Don't send it :-) */
837	case SSL_AD_UNSUPPORTED_EXTENSION: return(SSL3_AD_HANDSHAKE_FAILURE);
838	case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(SSL3_AD_HANDSHAKE_FAILURE);
839	case SSL_AD_UNRECOGNIZED_NAME:	return(SSL3_AD_HANDSHAKE_FAILURE);
840	case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
841	case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
842	case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
843	default:			return(-1);
844		}
845	}
846
847