s3_enc.c revision 296465
1/* ssl/s3_enc.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <stdio.h> 113#include "ssl_locl.h" 114#include <openssl/evp.h> 115#include <openssl/md5.h> 116 117static unsigned char ssl3_pad_1[48] = { 118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36 124}; 125 126static unsigned char ssl3_pad_2[48] = { 127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c 133}; 134 135static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx, 136 const char *sender, int len, unsigned char *p); 137 138static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) 139{ 140 EVP_MD_CTX m5; 141 EVP_MD_CTX s1; 142 unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; 143 unsigned char c = 'A'; 144 unsigned int i, j, k; 145 146#ifdef CHARSET_EBCDIC 147 c = os_toascii[c]; /* 'A' in ASCII */ 148#endif 149 k = 0; 150 EVP_MD_CTX_init(&m5); 151 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 152 EVP_MD_CTX_init(&s1); 153 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { 154 k++; 155 if (k > sizeof buf) { 156 /* bug: 'buf' is too small for this ciphersuite */ 157 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR); 158 return 0; 159 } 160 161 for (j = 0; j < k; j++) 162 buf[j] = c; 163 c++; 164 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL); 165 EVP_DigestUpdate(&s1, buf, k); 166 EVP_DigestUpdate(&s1, s->session->master_key, 167 s->session->master_key_length); 168 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE); 169 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE); 170 EVP_DigestFinal_ex(&s1, smd, NULL); 171 172 EVP_DigestInit_ex(&m5, EVP_md5(), NULL); 173 EVP_DigestUpdate(&m5, s->session->master_key, 174 s->session->master_key_length); 175 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH); 176 if ((int)(i + MD5_DIGEST_LENGTH) > num) { 177 EVP_DigestFinal_ex(&m5, smd, NULL); 178 memcpy(km, smd, (num - i)); 179 } else 180 EVP_DigestFinal_ex(&m5, km, NULL); 181 182 km += MD5_DIGEST_LENGTH; 183 } 184 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH); 185 EVP_MD_CTX_cleanup(&m5); 186 EVP_MD_CTX_cleanup(&s1); 187 return 1; 188} 189 190int ssl3_change_cipher_state(SSL *s, int which) 191{ 192 unsigned char *p, *mac_secret; 193 unsigned char exp_key[EVP_MAX_KEY_LENGTH]; 194 unsigned char exp_iv[EVP_MAX_IV_LENGTH]; 195 unsigned char *ms, *key, *iv, *er1, *er2; 196 EVP_CIPHER_CTX *dd; 197 const EVP_CIPHER *c; 198#ifndef OPENSSL_NO_COMP 199 COMP_METHOD *comp; 200#endif 201 const EVP_MD *m; 202 EVP_MD_CTX md; 203 int is_exp, n, i, j, k, cl; 204 int reuse_dd = 0; 205 206 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); 207 c = s->s3->tmp.new_sym_enc; 208 m = s->s3->tmp.new_hash; 209#ifndef OPENSSL_NO_COMP 210 if (s->s3->tmp.new_compression == NULL) 211 comp = NULL; 212 else 213 comp = s->s3->tmp.new_compression->method; 214#endif 215 216 if (which & SSL3_CC_READ) { 217 if (s->enc_read_ctx != NULL) 218 reuse_dd = 1; 219 else if ((s->enc_read_ctx = 220 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 221 goto err; 222 else 223 /* 224 * make sure it's intialized in case we exit later with an error 225 */ 226 EVP_CIPHER_CTX_init(s->enc_read_ctx); 227 dd = s->enc_read_ctx; 228 s->read_hash = m; 229#ifndef OPENSSL_NO_COMP 230 /* COMPRESS */ 231 if (s->expand != NULL) { 232 COMP_CTX_free(s->expand); 233 s->expand = NULL; 234 } 235 if (comp != NULL) { 236 s->expand = COMP_CTX_new(comp); 237 if (s->expand == NULL) { 238 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 239 SSL_R_COMPRESSION_LIBRARY_ERROR); 240 goto err2; 241 } 242 if (s->s3->rrec.comp == NULL) 243 s->s3->rrec.comp = (unsigned char *) 244 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH); 245 if (s->s3->rrec.comp == NULL) 246 goto err; 247 } 248#endif 249 memset(&(s->s3->read_sequence[0]), 0, 8); 250 mac_secret = &(s->s3->read_mac_secret[0]); 251 } else { 252 if (s->enc_write_ctx != NULL) 253 reuse_dd = 1; 254 else if ((s->enc_write_ctx = 255 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 256 goto err; 257 else 258 /* 259 * make sure it's intialized in case we exit later with an error 260 */ 261 EVP_CIPHER_CTX_init(s->enc_write_ctx); 262 dd = s->enc_write_ctx; 263 s->write_hash = m; 264#ifndef OPENSSL_NO_COMP 265 /* COMPRESS */ 266 if (s->compress != NULL) { 267 COMP_CTX_free(s->compress); 268 s->compress = NULL; 269 } 270 if (comp != NULL) { 271 s->compress = COMP_CTX_new(comp); 272 if (s->compress == NULL) { 273 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, 274 SSL_R_COMPRESSION_LIBRARY_ERROR); 275 goto err2; 276 } 277 } 278#endif 279 memset(&(s->s3->write_sequence[0]), 0, 8); 280 mac_secret = &(s->s3->write_mac_secret[0]); 281 } 282 283 if (reuse_dd) 284 EVP_CIPHER_CTX_cleanup(dd); 285 286 p = s->s3->tmp.key_block; 287 i = EVP_MD_size(m); 288 cl = EVP_CIPHER_key_length(c); 289 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ? 290 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; 291 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */ 292 k = EVP_CIPHER_iv_length(c); 293 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || 294 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { 295 ms = &(p[0]); 296 n = i + i; 297 key = &(p[n]); 298 n += j + j; 299 iv = &(p[n]); 300 n += k + k; 301 er1 = &(s->s3->client_random[0]); 302 er2 = &(s->s3->server_random[0]); 303 } else { 304 n = i; 305 ms = &(p[n]); 306 n += i + j; 307 key = &(p[n]); 308 n += j + k; 309 iv = &(p[n]); 310 n += k; 311 er1 = &(s->s3->server_random[0]); 312 er2 = &(s->s3->client_random[0]); 313 } 314 315 if (n > s->s3->tmp.key_block_length) { 316 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); 317 goto err2; 318 } 319 320 EVP_MD_CTX_init(&md); 321 memcpy(mac_secret, ms, i); 322 if (is_exp) { 323 /* 324 * In here I set both the read and write key/iv to the same value 325 * since only the correct one will be used :-). 326 */ 327 EVP_DigestInit_ex(&md, EVP_md5(), NULL); 328 EVP_DigestUpdate(&md, key, j); 329 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE); 330 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE); 331 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL); 332 key = &(exp_key[0]); 333 334 if (k > 0) { 335 EVP_DigestInit_ex(&md, EVP_md5(), NULL); 336 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE); 337 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE); 338 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL); 339 iv = &(exp_iv[0]); 340 } 341 } 342 343 s->session->key_arg_length = 0; 344 345 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)); 346 347 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key)); 348 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv)); 349 EVP_MD_CTX_cleanup(&md); 350 return (1); 351 err: 352 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); 353 err2: 354 return (0); 355} 356 357int ssl3_setup_key_block(SSL *s) 358{ 359 unsigned char *p; 360 const EVP_CIPHER *c; 361 const EVP_MD *hash; 362 int num; 363 int ret = 0; 364 SSL_COMP *comp; 365 366 if (s->s3->tmp.key_block_length != 0) 367 return (1); 368 369 if (!ssl_cipher_get_evp(s->session, &c, &hash, &comp)) { 370 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); 371 return (0); 372 } 373 374 s->s3->tmp.new_sym_enc = c; 375 s->s3->tmp.new_hash = hash; 376#ifdef OPENSSL_NO_COMP 377 s->s3->tmp.new_compression = NULL; 378#else 379 s->s3->tmp.new_compression = comp; 380#endif 381 382 num = 383 EVP_CIPHER_key_length(c) + EVP_MD_size(hash) + 384 EVP_CIPHER_iv_length(c); 385 num *= 2; 386 387 ssl3_cleanup_key_block(s); 388 389 if ((p = OPENSSL_malloc(num)) == NULL) 390 goto err; 391 392 s->s3->tmp.key_block_length = num; 393 s->s3->tmp.key_block = p; 394 395 ret = ssl3_generate_key_block(s, p, num); 396 397 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) { 398 /* 399 * enable vulnerability countermeasure for CBC ciphers with known-IV 400 * problem (http://www.openssl.org/~bodo/tls-cbc.txt) 401 */ 402 s->s3->need_empty_fragments = 1; 403 404 if (s->session->cipher != NULL) { 405 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL) 406 s->s3->need_empty_fragments = 0; 407 408#ifndef OPENSSL_NO_RC4 409 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4) 410 s->s3->need_empty_fragments = 0; 411#endif 412 } 413 } 414 415 return ret; 416 417 err: 418 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE); 419 return (0); 420} 421 422void ssl3_cleanup_key_block(SSL *s) 423{ 424 if (s->s3->tmp.key_block != NULL) { 425 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length); 426 OPENSSL_free(s->s3->tmp.key_block); 427 s->s3->tmp.key_block = NULL; 428 } 429 s->s3->tmp.key_block_length = 0; 430} 431 432/*- 433 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. 434 * 435 * Returns: 436 * 0: (in non-constant time) if the record is publically invalid (i.e. too 437 * short etc). 438 * 1: if the record's padding is valid / the encryption was successful. 439 * -1: if the record's padding is invalid or, if sending, an internal error 440 * occured. 441 */ 442int ssl3_enc(SSL *s, int send) 443{ 444 SSL3_RECORD *rec; 445 EVP_CIPHER_CTX *ds; 446 unsigned long l; 447 int bs, i, mac_size = 0; 448 const EVP_CIPHER *enc; 449 450 if (send) { 451 ds = s->enc_write_ctx; 452 rec = &(s->s3->wrec); 453 if (s->enc_write_ctx == NULL) 454 enc = NULL; 455 else 456 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx); 457 } else { 458 ds = s->enc_read_ctx; 459 rec = &(s->s3->rrec); 460 if (s->enc_read_ctx == NULL) 461 enc = NULL; 462 else 463 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); 464 } 465 466 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { 467 memmove(rec->data, rec->input, rec->length); 468 rec->input = rec->data; 469 } else { 470 l = rec->length; 471 bs = EVP_CIPHER_block_size(ds->cipher); 472 473 /* COMPRESS */ 474 475 if ((bs != 1) && send) { 476 i = bs - ((int)l % bs); 477 478 /* we need to add 'i-1' padding bytes */ 479 l += i; 480 /* 481 * the last of these zero bytes will be overwritten with the 482 * padding length. 483 */ 484 memset(&rec->input[rec->length], 0, i); 485 rec->length += i; 486 rec->input[l - 1] = (i - 1); 487 } 488 489 if (!send) { 490 if (l == 0 || l % bs != 0) 491 return 0; 492 /* otherwise, rec->length >= bs */ 493 } 494 495 EVP_Cipher(ds, rec->data, rec->input, l); 496 497 if (s->read_hash != NULL) 498 mac_size = EVP_MD_size(s->read_hash); 499 500 if ((bs != 1) && !send) 501 return ssl3_cbc_remove_padding(s, rec, bs, mac_size); 502 } 503 return (1); 504} 505 506void ssl3_init_finished_mac(SSL *s) 507{ 508 EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1), 509 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 510 EVP_DigestInit_ex(&(s->s3->finish_dgst1), s->ctx->md5, NULL); 511 EVP_DigestInit_ex(&(s->s3->finish_dgst2), s->ctx->sha1, NULL); 512} 513 514void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len) 515{ 516 EVP_DigestUpdate(&(s->s3->finish_dgst1), buf, len); 517 EVP_DigestUpdate(&(s->s3->finish_dgst2), buf, len); 518} 519 520int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p) 521{ 522 return (ssl3_handshake_mac(s, ctx, NULL, 0, p)); 523} 524 525int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2, 526 const char *sender, int len, unsigned char *p) 527{ 528 int ret; 529 530 ret = ssl3_handshake_mac(s, ctx1, sender, len, p); 531 p += ret; 532 ret += ssl3_handshake_mac(s, ctx2, sender, len, p); 533 return (ret); 534} 535 536static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx, 537 const char *sender, int len, unsigned char *p) 538{ 539 unsigned int ret; 540 int npad, n; 541 unsigned int i; 542 unsigned char md_buf[EVP_MAX_MD_SIZE]; 543 EVP_MD_CTX ctx; 544 545 EVP_MD_CTX_init(&ctx); 546 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 547 EVP_MD_CTX_copy_ex(&ctx, in_ctx); 548 549 n = EVP_MD_CTX_size(&ctx); 550 npad = (48 / n) * n; 551 552 if (sender != NULL) 553 EVP_DigestUpdate(&ctx, sender, len); 554 EVP_DigestUpdate(&ctx, s->session->master_key, 555 s->session->master_key_length); 556 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad); 557 EVP_DigestFinal_ex(&ctx, md_buf, &i); 558 559 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL); 560 EVP_DigestUpdate(&ctx, s->session->master_key, 561 s->session->master_key_length); 562 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad); 563 EVP_DigestUpdate(&ctx, md_buf, i); 564 EVP_DigestFinal_ex(&ctx, p, &ret); 565 566 EVP_MD_CTX_cleanup(&ctx); 567 568 return ((int)ret); 569} 570 571int ssl3_mac(SSL *ssl, unsigned char *md, int send) 572{ 573 SSL3_RECORD *rec; 574 unsigned char *mac_sec, *seq; 575 EVP_MD_CTX md_ctx; 576 const EVP_MD *hash; 577 unsigned char *p, rec_char; 578 size_t md_size, orig_len; 579 int npad; 580 581 if (send) { 582 rec = &(ssl->s3->wrec); 583 mac_sec = &(ssl->s3->write_mac_secret[0]); 584 seq = &(ssl->s3->write_sequence[0]); 585 hash = ssl->write_hash; 586 } else { 587 rec = &(ssl->s3->rrec); 588 mac_sec = &(ssl->s3->read_mac_secret[0]); 589 seq = &(ssl->s3->read_sequence[0]); 590 hash = ssl->read_hash; 591 } 592 593 md_size = EVP_MD_size(hash); 594 npad = (48 / md_size) * md_size; 595 596 /* 597 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type 598 */ 599 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); 600 rec->type &= 0xff; 601 602 if (!send && 603 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && 604 ssl3_cbc_record_digest_supported(hash)) { 605 /* 606 * This is a CBC-encrypted record. We must avoid leaking any 607 * timing-side channel information about how many blocks of data we 608 * are hashing because that gives an attacker a timing-oracle. 609 */ 610 611 /*- 612 * npad is, at most, 48 bytes and that's with MD5: 613 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. 614 * 615 * With SHA-1 (the largest hash speced for SSLv3) the hash size 616 * goes up 4, but npad goes down by 8, resulting in a smaller 617 * total size. 618 */ 619 unsigned char header[75]; 620 unsigned j = 0; 621 memcpy(header + j, mac_sec, md_size); 622 j += md_size; 623 memcpy(header + j, ssl3_pad_1, npad); 624 j += npad; 625 memcpy(header + j, seq, 8); 626 j += 8; 627 header[j++] = rec->type; 628 header[j++] = rec->length >> 8; 629 header[j++] = rec->length & 0xff; 630 631 /* Final param == is SSLv3 */ 632 ssl3_cbc_digest_record(hash, 633 md, &md_size, 634 header, rec->input, 635 rec->length + md_size, orig_len, 636 mac_sec, md_size, 1); 637 } else { 638 unsigned int md_size_u; 639 /* Chop the digest off the end :-) */ 640 EVP_MD_CTX_init(&md_ctx); 641 642 EVP_DigestInit_ex(&md_ctx, hash, NULL); 643 EVP_DigestUpdate(&md_ctx, mac_sec, md_size); 644 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad); 645 EVP_DigestUpdate(&md_ctx, seq, 8); 646 rec_char = rec->type; 647 EVP_DigestUpdate(&md_ctx, &rec_char, 1); 648 p = md; 649 s2n(rec->length, p); 650 EVP_DigestUpdate(&md_ctx, md, 2); 651 EVP_DigestUpdate(&md_ctx, rec->input, rec->length); 652 EVP_DigestFinal_ex(&md_ctx, md, NULL); 653 654 EVP_DigestInit_ex(&md_ctx, hash, NULL); 655 EVP_DigestUpdate(&md_ctx, mac_sec, md_size); 656 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad); 657 EVP_DigestUpdate(&md_ctx, md, md_size); 658 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u); 659 md_size = md_size_u; 660 661 EVP_MD_CTX_cleanup(&md_ctx); 662 } 663 664 ssl3_record_sequence_update(seq); 665 return (md_size); 666} 667 668void ssl3_record_sequence_update(unsigned char *seq) 669{ 670 int i; 671 672 for (i = 7; i >= 0; i--) { 673 ++seq[i]; 674 if (seq[i] != 0) 675 break; 676 } 677} 678 679int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, 680 int len) 681{ 682 static const unsigned char *salt[3] = { 683#ifndef CHARSET_EBCDIC 684 (const unsigned char *)"A", 685 (const unsigned char *)"BB", 686 (const unsigned char *)"CCC", 687#else 688 (const unsigned char *)"\x41", 689 (const unsigned char *)"\x42\x42", 690 (const unsigned char *)"\x43\x43\x43", 691#endif 692 }; 693 unsigned char buf[EVP_MAX_MD_SIZE]; 694 EVP_MD_CTX ctx; 695 int i, ret = 0; 696 unsigned int n; 697 698 EVP_MD_CTX_init(&ctx); 699 for (i = 0; i < 3; i++) { 700 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL); 701 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i])); 702 EVP_DigestUpdate(&ctx, p, len); 703 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE); 704 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE); 705 EVP_DigestFinal_ex(&ctx, buf, &n); 706 707 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL); 708 EVP_DigestUpdate(&ctx, p, len); 709 EVP_DigestUpdate(&ctx, buf, n); 710 EVP_DigestFinal_ex(&ctx, out, &n); 711 out += n; 712 ret += n; 713 } 714 EVP_MD_CTX_cleanup(&ctx); 715 OPENSSL_cleanse(buf, sizeof buf); 716 return (ret); 717} 718 719int ssl3_alert_code(int code) 720{ 721 switch (code) { 722 case SSL_AD_CLOSE_NOTIFY: 723 return (SSL3_AD_CLOSE_NOTIFY); 724 case SSL_AD_UNEXPECTED_MESSAGE: 725 return (SSL3_AD_UNEXPECTED_MESSAGE); 726 case SSL_AD_BAD_RECORD_MAC: 727 return (SSL3_AD_BAD_RECORD_MAC); 728 case SSL_AD_DECRYPTION_FAILED: 729 return (SSL3_AD_BAD_RECORD_MAC); 730 case SSL_AD_RECORD_OVERFLOW: 731 return (SSL3_AD_BAD_RECORD_MAC); 732 case SSL_AD_DECOMPRESSION_FAILURE: 733 return (SSL3_AD_DECOMPRESSION_FAILURE); 734 case SSL_AD_HANDSHAKE_FAILURE: 735 return (SSL3_AD_HANDSHAKE_FAILURE); 736 case SSL_AD_NO_CERTIFICATE: 737 return (SSL3_AD_NO_CERTIFICATE); 738 case SSL_AD_BAD_CERTIFICATE: 739 return (SSL3_AD_BAD_CERTIFICATE); 740 case SSL_AD_UNSUPPORTED_CERTIFICATE: 741 return (SSL3_AD_UNSUPPORTED_CERTIFICATE); 742 case SSL_AD_CERTIFICATE_REVOKED: 743 return (SSL3_AD_CERTIFICATE_REVOKED); 744 case SSL_AD_CERTIFICATE_EXPIRED: 745 return (SSL3_AD_CERTIFICATE_EXPIRED); 746 case SSL_AD_CERTIFICATE_UNKNOWN: 747 return (SSL3_AD_CERTIFICATE_UNKNOWN); 748 case SSL_AD_ILLEGAL_PARAMETER: 749 return (SSL3_AD_ILLEGAL_PARAMETER); 750 case SSL_AD_UNKNOWN_CA: 751 return (SSL3_AD_BAD_CERTIFICATE); 752 case SSL_AD_ACCESS_DENIED: 753 return (SSL3_AD_HANDSHAKE_FAILURE); 754 case SSL_AD_DECODE_ERROR: 755 return (SSL3_AD_HANDSHAKE_FAILURE); 756 case SSL_AD_DECRYPT_ERROR: 757 return (SSL3_AD_HANDSHAKE_FAILURE); 758 case SSL_AD_EXPORT_RESTRICTION: 759 return (SSL3_AD_HANDSHAKE_FAILURE); 760 case SSL_AD_PROTOCOL_VERSION: 761 return (SSL3_AD_HANDSHAKE_FAILURE); 762 case SSL_AD_INSUFFICIENT_SECURITY: 763 return (SSL3_AD_HANDSHAKE_FAILURE); 764 case SSL_AD_INTERNAL_ERROR: 765 return (SSL3_AD_HANDSHAKE_FAILURE); 766 case SSL_AD_USER_CANCELLED: 767 return (SSL3_AD_HANDSHAKE_FAILURE); 768 case SSL_AD_NO_RENEGOTIATION: 769 return (-1); /* Don't send it :-) */ 770 case SSL_AD_UNSUPPORTED_EXTENSION: 771 return (SSL3_AD_HANDSHAKE_FAILURE); 772 case SSL_AD_CERTIFICATE_UNOBTAINABLE: 773 return (SSL3_AD_HANDSHAKE_FAILURE); 774 case SSL_AD_UNRECOGNIZED_NAME: 775 return (SSL3_AD_HANDSHAKE_FAILURE); 776 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: 777 return (SSL3_AD_HANDSHAKE_FAILURE); 778 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: 779 return (SSL3_AD_HANDSHAKE_FAILURE); 780 case SSL_AD_UNKNOWN_PSK_IDENTITY: 781 return (TLS1_AD_UNKNOWN_PSK_IDENTITY); 782 case SSL_AD_INAPPROPRIATE_FALLBACK: 783 return (TLS1_AD_INAPPROPRIATE_FALLBACK); 784 default: 785 return (-1); 786 } 787} 788