1 /* ssl/s3_enc.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111
112 #include <stdio.h>
113 #include "ssl_locl.h"
114 #include <openssl/evp.h>
115 #include <openssl/md5.h>
116
117 static unsigned char ssl3_pad_1[48] = {
118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
124 };
125
126 static unsigned char ssl3_pad_2[48] = {
127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
133 };
134
135 static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
136 const char *sender, int len, unsigned char *p);
137
ssl3_generate_key_block(SSL * s,unsigned char * km,int num)138 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
139 {
140 EVP_MD_CTX m5;
141 EVP_MD_CTX s1;
142 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
143 unsigned char c = 'A';
144 unsigned int i, j, k;
145
146 #ifdef CHARSET_EBCDIC
147 c = os_toascii[c]; /* 'A' in ASCII */
148 #endif
149 k = 0;
150 EVP_MD_CTX_init(&m5);
151 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
152 EVP_MD_CTX_init(&s1);
153 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
154 k++;
155 if (k > sizeof buf) {
156 /* bug: 'buf' is too small for this ciphersuite */
157 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
158 return 0;
159 }
160
161 for (j = 0; j < k; j++)
162 buf[j] = c;
163 c++;
164 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
165 EVP_DigestUpdate(&s1, buf, k);
166 EVP_DigestUpdate(&s1, s->session->master_key,
167 s->session->master_key_length);
168 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
169 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
170 EVP_DigestFinal_ex(&s1, smd, NULL);
171
172 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
173 EVP_DigestUpdate(&m5, s->session->master_key,
174 s->session->master_key_length);
175 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
176 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
177 EVP_DigestFinal_ex(&m5, smd, NULL);
178 memcpy(km, smd, (num - i));
179 } else
180 EVP_DigestFinal_ex(&m5, km, NULL);
181
182 km += MD5_DIGEST_LENGTH;
183 }
184 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
185 EVP_MD_CTX_cleanup(&m5);
186 EVP_MD_CTX_cleanup(&s1);
187 return 1;
188 }
189
ssl3_change_cipher_state(SSL * s,int which)190 int ssl3_change_cipher_state(SSL *s, int which)
191 {
192 unsigned char *p, *mac_secret;
193 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
194 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
195 unsigned char *ms, *key, *iv, *er1, *er2;
196 EVP_CIPHER_CTX *dd;
197 const EVP_CIPHER *c;
198 #ifndef OPENSSL_NO_COMP
199 COMP_METHOD *comp;
200 #endif
201 const EVP_MD *m;
202 EVP_MD_CTX md;
203 int is_exp, n, i, j, k, cl;
204 int reuse_dd = 0;
205
206 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
207 c = s->s3->tmp.new_sym_enc;
208 m = s->s3->tmp.new_hash;
209 #ifndef OPENSSL_NO_COMP
210 if (s->s3->tmp.new_compression == NULL)
211 comp = NULL;
212 else
213 comp = s->s3->tmp.new_compression->method;
214 #endif
215
216 if (which & SSL3_CC_READ) {
217 if (s->enc_read_ctx != NULL)
218 reuse_dd = 1;
219 else if ((s->enc_read_ctx =
220 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
221 goto err;
222 else
223 /*
224 * make sure it's intialized in case we exit later with an error
225 */
226 EVP_CIPHER_CTX_init(s->enc_read_ctx);
227 dd = s->enc_read_ctx;
228 s->read_hash = m;
229 #ifndef OPENSSL_NO_COMP
230 /* COMPRESS */
231 if (s->expand != NULL) {
232 COMP_CTX_free(s->expand);
233 s->expand = NULL;
234 }
235 if (comp != NULL) {
236 s->expand = COMP_CTX_new(comp);
237 if (s->expand == NULL) {
238 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
239 SSL_R_COMPRESSION_LIBRARY_ERROR);
240 goto err2;
241 }
242 if (s->s3->rrec.comp == NULL)
243 s->s3->rrec.comp = (unsigned char *)
244 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
245 if (s->s3->rrec.comp == NULL)
246 goto err;
247 }
248 #endif
249 memset(&(s->s3->read_sequence[0]), 0, 8);
250 mac_secret = &(s->s3->read_mac_secret[0]);
251 } else {
252 if (s->enc_write_ctx != NULL)
253 reuse_dd = 1;
254 else if ((s->enc_write_ctx =
255 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
256 goto err;
257 else
258 /*
259 * make sure it's intialized in case we exit later with an error
260 */
261 EVP_CIPHER_CTX_init(s->enc_write_ctx);
262 dd = s->enc_write_ctx;
263 s->write_hash = m;
264 #ifndef OPENSSL_NO_COMP
265 /* COMPRESS */
266 if (s->compress != NULL) {
267 COMP_CTX_free(s->compress);
268 s->compress = NULL;
269 }
270 if (comp != NULL) {
271 s->compress = COMP_CTX_new(comp);
272 if (s->compress == NULL) {
273 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
274 SSL_R_COMPRESSION_LIBRARY_ERROR);
275 goto err2;
276 }
277 }
278 #endif
279 memset(&(s->s3->write_sequence[0]), 0, 8);
280 mac_secret = &(s->s3->write_mac_secret[0]);
281 }
282
283 if (reuse_dd)
284 EVP_CIPHER_CTX_cleanup(dd);
285
286 p = s->s3->tmp.key_block;
287 i = EVP_MD_size(m);
288 cl = EVP_CIPHER_key_length(c);
289 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
290 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
291 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
292 k = EVP_CIPHER_iv_length(c);
293 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
294 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
295 ms = &(p[0]);
296 n = i + i;
297 key = &(p[n]);
298 n += j + j;
299 iv = &(p[n]);
300 n += k + k;
301 er1 = &(s->s3->client_random[0]);
302 er2 = &(s->s3->server_random[0]);
303 } else {
304 n = i;
305 ms = &(p[n]);
306 n += i + j;
307 key = &(p[n]);
308 n += j + k;
309 iv = &(p[n]);
310 n += k;
311 er1 = &(s->s3->server_random[0]);
312 er2 = &(s->s3->client_random[0]);
313 }
314
315 if (n > s->s3->tmp.key_block_length) {
316 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
317 goto err2;
318 }
319
320 EVP_MD_CTX_init(&md);
321 memcpy(mac_secret, ms, i);
322 if (is_exp) {
323 /*
324 * In here I set both the read and write key/iv to the same value
325 * since only the correct one will be used :-).
326 */
327 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
328 EVP_DigestUpdate(&md, key, j);
329 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
330 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
331 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
332 key = &(exp_key[0]);
333
334 if (k > 0) {
335 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
336 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
337 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
338 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
339 iv = &(exp_iv[0]);
340 }
341 }
342
343 s->session->key_arg_length = 0;
344
345 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
346
347 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
348 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
349 EVP_MD_CTX_cleanup(&md);
350 return (1);
351 err:
352 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
353 err2:
354 return (0);
355 }
356
ssl3_setup_key_block(SSL * s)357 int ssl3_setup_key_block(SSL *s)
358 {
359 unsigned char *p;
360 const EVP_CIPHER *c;
361 const EVP_MD *hash;
362 int num;
363 int ret = 0;
364 SSL_COMP *comp;
365
366 if (s->s3->tmp.key_block_length != 0)
367 return (1);
368
369 if (!ssl_cipher_get_evp(s->session, &c, &hash, &comp)) {
370 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
371 return (0);
372 }
373
374 s->s3->tmp.new_sym_enc = c;
375 s->s3->tmp.new_hash = hash;
376 #ifdef OPENSSL_NO_COMP
377 s->s3->tmp.new_compression = NULL;
378 #else
379 s->s3->tmp.new_compression = comp;
380 #endif
381
382 num =
383 EVP_CIPHER_key_length(c) + EVP_MD_size(hash) +
384 EVP_CIPHER_iv_length(c);
385 num *= 2;
386
387 ssl3_cleanup_key_block(s);
388
389 if ((p = OPENSSL_malloc(num)) == NULL)
390 goto err;
391
392 s->s3->tmp.key_block_length = num;
393 s->s3->tmp.key_block = p;
394
395 ret = ssl3_generate_key_block(s, p, num);
396
397 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
398 /*
399 * enable vulnerability countermeasure for CBC ciphers with known-IV
400 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
401 */
402 s->s3->need_empty_fragments = 1;
403
404 if (s->session->cipher != NULL) {
405 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
406 s->s3->need_empty_fragments = 0;
407
408 #ifndef OPENSSL_NO_RC4
409 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
410 s->s3->need_empty_fragments = 0;
411 #endif
412 }
413 }
414
415 return ret;
416
417 err:
418 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
419 return (0);
420 }
421
ssl3_cleanup_key_block(SSL * s)422 void ssl3_cleanup_key_block(SSL *s)
423 {
424 if (s->s3->tmp.key_block != NULL) {
425 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
426 OPENSSL_free(s->s3->tmp.key_block);
427 s->s3->tmp.key_block = NULL;
428 }
429 s->s3->tmp.key_block_length = 0;
430 }
431
432 /*-
433 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
434 *
435 * Returns:
436 * 0: (in non-constant time) if the record is publically invalid (i.e. too
437 * short etc).
438 * 1: if the record's padding is valid / the encryption was successful.
439 * -1: if the record's padding is invalid or, if sending, an internal error
440 * occured.
441 */
ssl3_enc(SSL * s,int send)442 int ssl3_enc(SSL *s, int send)
443 {
444 SSL3_RECORD *rec;
445 EVP_CIPHER_CTX *ds;
446 unsigned long l;
447 int bs, i, mac_size = 0;
448 const EVP_CIPHER *enc;
449
450 if (send) {
451 ds = s->enc_write_ctx;
452 rec = &(s->s3->wrec);
453 if (s->enc_write_ctx == NULL)
454 enc = NULL;
455 else
456 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
457 } else {
458 ds = s->enc_read_ctx;
459 rec = &(s->s3->rrec);
460 if (s->enc_read_ctx == NULL)
461 enc = NULL;
462 else
463 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
464 }
465
466 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
467 memmove(rec->data, rec->input, rec->length);
468 rec->input = rec->data;
469 } else {
470 l = rec->length;
471 bs = EVP_CIPHER_block_size(ds->cipher);
472
473 /* COMPRESS */
474
475 if ((bs != 1) && send) {
476 i = bs - ((int)l % bs);
477
478 /* we need to add 'i-1' padding bytes */
479 l += i;
480 /*
481 * the last of these zero bytes will be overwritten with the
482 * padding length.
483 */
484 memset(&rec->input[rec->length], 0, i);
485 rec->length += i;
486 rec->input[l - 1] = (i - 1);
487 }
488
489 if (!send) {
490 if (l == 0 || l % bs != 0)
491 return 0;
492 /* otherwise, rec->length >= bs */
493 }
494
495 EVP_Cipher(ds, rec->data, rec->input, l);
496
497 if (s->read_hash != NULL)
498 mac_size = EVP_MD_size(s->read_hash);
499
500 if ((bs != 1) && !send)
501 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
502 }
503 return (1);
504 }
505
ssl3_init_finished_mac(SSL * s)506 void ssl3_init_finished_mac(SSL *s)
507 {
508 EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
509 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
510 EVP_DigestInit_ex(&(s->s3->finish_dgst1), s->ctx->md5, NULL);
511 EVP_DigestInit_ex(&(s->s3->finish_dgst2), s->ctx->sha1, NULL);
512 }
513
ssl3_finish_mac(SSL * s,const unsigned char * buf,int len)514 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
515 {
516 EVP_DigestUpdate(&(s->s3->finish_dgst1), buf, len);
517 EVP_DigestUpdate(&(s->s3->finish_dgst2), buf, len);
518 }
519
ssl3_cert_verify_mac(SSL * s,EVP_MD_CTX * ctx,unsigned char * p)520 int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
521 {
522 return (ssl3_handshake_mac(s, ctx, NULL, 0, p));
523 }
524
ssl3_final_finish_mac(SSL * s,EVP_MD_CTX * ctx1,EVP_MD_CTX * ctx2,const char * sender,int len,unsigned char * p)525 int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
526 const char *sender, int len, unsigned char *p)
527 {
528 int ret;
529
530 ret = ssl3_handshake_mac(s, ctx1, sender, len, p);
531 p += ret;
532 ret += ssl3_handshake_mac(s, ctx2, sender, len, p);
533 return (ret);
534 }
535
ssl3_handshake_mac(SSL * s,EVP_MD_CTX * in_ctx,const char * sender,int len,unsigned char * p)536 static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
537 const char *sender, int len, unsigned char *p)
538 {
539 unsigned int ret;
540 int npad, n;
541 unsigned int i;
542 unsigned char md_buf[EVP_MAX_MD_SIZE];
543 EVP_MD_CTX ctx;
544
545 EVP_MD_CTX_init(&ctx);
546 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
547 EVP_MD_CTX_copy_ex(&ctx, in_ctx);
548
549 n = EVP_MD_CTX_size(&ctx);
550 npad = (48 / n) * n;
551
552 if (sender != NULL)
553 EVP_DigestUpdate(&ctx, sender, len);
554 EVP_DigestUpdate(&ctx, s->session->master_key,
555 s->session->master_key_length);
556 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
557 EVP_DigestFinal_ex(&ctx, md_buf, &i);
558
559 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
560 EVP_DigestUpdate(&ctx, s->session->master_key,
561 s->session->master_key_length);
562 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
563 EVP_DigestUpdate(&ctx, md_buf, i);
564 EVP_DigestFinal_ex(&ctx, p, &ret);
565
566 EVP_MD_CTX_cleanup(&ctx);
567
568 return ((int)ret);
569 }
570
ssl3_mac(SSL * ssl,unsigned char * md,int send)571 int ssl3_mac(SSL *ssl, unsigned char *md, int send)
572 {
573 SSL3_RECORD *rec;
574 unsigned char *mac_sec, *seq;
575 EVP_MD_CTX md_ctx;
576 const EVP_MD *hash;
577 unsigned char *p, rec_char;
578 size_t md_size, orig_len;
579 int npad;
580
581 if (send) {
582 rec = &(ssl->s3->wrec);
583 mac_sec = &(ssl->s3->write_mac_secret[0]);
584 seq = &(ssl->s3->write_sequence[0]);
585 hash = ssl->write_hash;
586 } else {
587 rec = &(ssl->s3->rrec);
588 mac_sec = &(ssl->s3->read_mac_secret[0]);
589 seq = &(ssl->s3->read_sequence[0]);
590 hash = ssl->read_hash;
591 }
592
593 md_size = EVP_MD_size(hash);
594 npad = (48 / md_size) * md_size;
595
596 /*
597 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
598 */
599 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
600 rec->type &= 0xff;
601
602 if (!send &&
603 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
604 ssl3_cbc_record_digest_supported(hash)) {
605 /*
606 * This is a CBC-encrypted record. We must avoid leaking any
607 * timing-side channel information about how many blocks of data we
608 * are hashing because that gives an attacker a timing-oracle.
609 */
610
611 /*-
612 * npad is, at most, 48 bytes and that's with MD5:
613 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
614 *
615 * With SHA-1 (the largest hash speced for SSLv3) the hash size
616 * goes up 4, but npad goes down by 8, resulting in a smaller
617 * total size.
618 */
619 unsigned char header[75];
620 unsigned j = 0;
621 memcpy(header + j, mac_sec, md_size);
622 j += md_size;
623 memcpy(header + j, ssl3_pad_1, npad);
624 j += npad;
625 memcpy(header + j, seq, 8);
626 j += 8;
627 header[j++] = rec->type;
628 header[j++] = rec->length >> 8;
629 header[j++] = rec->length & 0xff;
630
631 /* Final param == is SSLv3 */
632 ssl3_cbc_digest_record(hash,
633 md, &md_size,
634 header, rec->input,
635 rec->length + md_size, orig_len,
636 mac_sec, md_size, 1);
637 } else {
638 unsigned int md_size_u;
639 /* Chop the digest off the end :-) */
640 EVP_MD_CTX_init(&md_ctx);
641
642 EVP_DigestInit_ex(&md_ctx, hash, NULL);
643 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
644 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
645 EVP_DigestUpdate(&md_ctx, seq, 8);
646 rec_char = rec->type;
647 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
648 p = md;
649 s2n(rec->length, p);
650 EVP_DigestUpdate(&md_ctx, md, 2);
651 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
652 EVP_DigestFinal_ex(&md_ctx, md, NULL);
653
654 EVP_DigestInit_ex(&md_ctx, hash, NULL);
655 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
656 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
657 EVP_DigestUpdate(&md_ctx, md, md_size);
658 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
659 md_size = md_size_u;
660
661 EVP_MD_CTX_cleanup(&md_ctx);
662 }
663
664 ssl3_record_sequence_update(seq);
665 return (md_size);
666 }
667
ssl3_record_sequence_update(unsigned char * seq)668 void ssl3_record_sequence_update(unsigned char *seq)
669 {
670 int i;
671
672 for (i = 7; i >= 0; i--) {
673 ++seq[i];
674 if (seq[i] != 0)
675 break;
676 }
677 }
678
ssl3_generate_master_secret(SSL * s,unsigned char * out,unsigned char * p,int len)679 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
680 int len)
681 {
682 static const unsigned char *salt[3] = {
683 #ifndef CHARSET_EBCDIC
684 (const unsigned char *)"A",
685 (const unsigned char *)"BB",
686 (const unsigned char *)"CCC",
687 #else
688 (const unsigned char *)"\x41",
689 (const unsigned char *)"\x42\x42",
690 (const unsigned char *)"\x43\x43\x43",
691 #endif
692 };
693 unsigned char buf[EVP_MAX_MD_SIZE];
694 EVP_MD_CTX ctx;
695 int i, ret = 0;
696 unsigned int n;
697
698 EVP_MD_CTX_init(&ctx);
699 for (i = 0; i < 3; i++) {
700 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
701 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
702 EVP_DigestUpdate(&ctx, p, len);
703 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
704 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
705 EVP_DigestFinal_ex(&ctx, buf, &n);
706
707 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
708 EVP_DigestUpdate(&ctx, p, len);
709 EVP_DigestUpdate(&ctx, buf, n);
710 EVP_DigestFinal_ex(&ctx, out, &n);
711 out += n;
712 ret += n;
713 }
714 EVP_MD_CTX_cleanup(&ctx);
715 OPENSSL_cleanse(buf, sizeof buf);
716 return (ret);
717 }
718
ssl3_alert_code(int code)719 int ssl3_alert_code(int code)
720 {
721 switch (code) {
722 case SSL_AD_CLOSE_NOTIFY:
723 return (SSL3_AD_CLOSE_NOTIFY);
724 case SSL_AD_UNEXPECTED_MESSAGE:
725 return (SSL3_AD_UNEXPECTED_MESSAGE);
726 case SSL_AD_BAD_RECORD_MAC:
727 return (SSL3_AD_BAD_RECORD_MAC);
728 case SSL_AD_DECRYPTION_FAILED:
729 return (SSL3_AD_BAD_RECORD_MAC);
730 case SSL_AD_RECORD_OVERFLOW:
731 return (SSL3_AD_BAD_RECORD_MAC);
732 case SSL_AD_DECOMPRESSION_FAILURE:
733 return (SSL3_AD_DECOMPRESSION_FAILURE);
734 case SSL_AD_HANDSHAKE_FAILURE:
735 return (SSL3_AD_HANDSHAKE_FAILURE);
736 case SSL_AD_NO_CERTIFICATE:
737 return (SSL3_AD_NO_CERTIFICATE);
738 case SSL_AD_BAD_CERTIFICATE:
739 return (SSL3_AD_BAD_CERTIFICATE);
740 case SSL_AD_UNSUPPORTED_CERTIFICATE:
741 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
742 case SSL_AD_CERTIFICATE_REVOKED:
743 return (SSL3_AD_CERTIFICATE_REVOKED);
744 case SSL_AD_CERTIFICATE_EXPIRED:
745 return (SSL3_AD_CERTIFICATE_EXPIRED);
746 case SSL_AD_CERTIFICATE_UNKNOWN:
747 return (SSL3_AD_CERTIFICATE_UNKNOWN);
748 case SSL_AD_ILLEGAL_PARAMETER:
749 return (SSL3_AD_ILLEGAL_PARAMETER);
750 case SSL_AD_UNKNOWN_CA:
751 return (SSL3_AD_BAD_CERTIFICATE);
752 case SSL_AD_ACCESS_DENIED:
753 return (SSL3_AD_HANDSHAKE_FAILURE);
754 case SSL_AD_DECODE_ERROR:
755 return (SSL3_AD_HANDSHAKE_FAILURE);
756 case SSL_AD_DECRYPT_ERROR:
757 return (SSL3_AD_HANDSHAKE_FAILURE);
758 case SSL_AD_EXPORT_RESTRICTION:
759 return (SSL3_AD_HANDSHAKE_FAILURE);
760 case SSL_AD_PROTOCOL_VERSION:
761 return (SSL3_AD_HANDSHAKE_FAILURE);
762 case SSL_AD_INSUFFICIENT_SECURITY:
763 return (SSL3_AD_HANDSHAKE_FAILURE);
764 case SSL_AD_INTERNAL_ERROR:
765 return (SSL3_AD_HANDSHAKE_FAILURE);
766 case SSL_AD_USER_CANCELLED:
767 return (SSL3_AD_HANDSHAKE_FAILURE);
768 case SSL_AD_NO_RENEGOTIATION:
769 return (-1); /* Don't send it :-) */
770 case SSL_AD_UNSUPPORTED_EXTENSION:
771 return (SSL3_AD_HANDSHAKE_FAILURE);
772 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
773 return (SSL3_AD_HANDSHAKE_FAILURE);
774 case SSL_AD_UNRECOGNIZED_NAME:
775 return (SSL3_AD_HANDSHAKE_FAILURE);
776 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
777 return (SSL3_AD_HANDSHAKE_FAILURE);
778 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
779 return (SSL3_AD_HANDSHAKE_FAILURE);
780 case SSL_AD_UNKNOWN_PSK_IDENTITY:
781 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
782 case SSL_AD_INAPPROPRIATE_FALLBACK:
783 return (TLS1_AD_INAPPROPRIATE_FALLBACK);
784 default:
785 return (-1);
786 }
787 }
788