s3_enc.c 34 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001
  1. /* ssl/s3_enc.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2005 Nokia. All rights reserved.
  113. *
  114. * The portions of the attached software ("Contribution") is developed by
  115. * Nokia Corporation and is licensed pursuant to the OpenSSL open source
  116. * license.
  117. *
  118. * The Contribution, originally written by Mika Kousa and Pasi Eronen of
  119. * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
  120. * support (see RFC 4279) to OpenSSL.
  121. *
  122. * No patent licenses or other rights except those expressly stated in
  123. * the OpenSSL open source license shall be deemed granted or received
  124. * expressly, by implication, estoppel, or otherwise.
  125. *
  126. * No assurances are provided by Nokia that the Contribution does not
  127. * infringe the patent or other intellectual property rights of any third
  128. * party or that the license provides you with all the necessary rights
  129. * to make use of the Contribution.
  130. *
  131. * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
  132. * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
  133. * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
  134. * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
  135. * OTHERWISE.
  136. */
  137. #include <stdio.h>
  138. #include "ssl_locl.h"
  139. #include <openssl/evp.h>
  140. #include <openssl/md5.h>
  141. static unsigned char ssl3_pad_1[48] = {
  142. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  143. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  144. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  145. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  146. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
  147. 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
  148. };
  149. static unsigned char ssl3_pad_2[48] = {
  150. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  151. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  152. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  153. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  154. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
  155. 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
  156. };
  157. static int ssl3_handshake_mac(SSL *s, int md_nid,
  158. const char *sender, int len, unsigned char *p);
  159. static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
  160. {
  161. EVP_MD_CTX m5;
  162. EVP_MD_CTX s1;
  163. unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
  164. unsigned char c = 'A';
  165. unsigned int i, j, k;
  166. #ifdef CHARSET_EBCDIC
  167. c = os_toascii[c]; /* 'A' in ASCII */
  168. #endif
  169. k = 0;
  170. EVP_MD_CTX_init(&m5);
  171. EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  172. EVP_MD_CTX_init(&s1);
  173. for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
  174. k++;
  175. if (k > sizeof(buf))
  176. /* bug: 'buf' is too small for this ciphersuite */
  177. goto err;
  178. for (j = 0; j < k; j++)
  179. buf[j] = c;
  180. c++;
  181. if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) ||
  182. !EVP_DigestUpdate(&s1, buf, k) ||
  183. !EVP_DigestUpdate(&s1, s->session->master_key,
  184. s->session->master_key_length) ||
  185. !EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) ||
  186. !EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) ||
  187. !EVP_DigestFinal_ex(&s1, smd, NULL))
  188. goto err2;
  189. if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) ||
  190. !EVP_DigestUpdate(&m5, s->session->master_key,
  191. s->session->master_key_length) ||
  192. !EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH))
  193. goto err2;
  194. if ((int)(i + MD5_DIGEST_LENGTH) > num) {
  195. if (!EVP_DigestFinal_ex(&m5, smd, NULL))
  196. goto err2;
  197. memcpy(km, smd, (num - i));
  198. } else
  199. if (!EVP_DigestFinal_ex(&m5, km, NULL))
  200. goto err2;
  201. km += MD5_DIGEST_LENGTH;
  202. }
  203. OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
  204. EVP_MD_CTX_cleanup(&m5);
  205. EVP_MD_CTX_cleanup(&s1);
  206. return 1;
  207. err:
  208. SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
  209. err2:
  210. EVP_MD_CTX_cleanup(&m5);
  211. EVP_MD_CTX_cleanup(&s1);
  212. return 0;
  213. }
  214. int ssl3_change_cipher_state(SSL *s, int which)
  215. {
  216. unsigned char *p, *mac_secret;
  217. unsigned char exp_key[EVP_MAX_KEY_LENGTH];
  218. unsigned char exp_iv[EVP_MAX_IV_LENGTH];
  219. unsigned char *ms, *key, *iv, *er1, *er2;
  220. EVP_CIPHER_CTX *dd;
  221. const EVP_CIPHER *c;
  222. #ifndef OPENSSL_NO_COMP
  223. COMP_METHOD *comp;
  224. #endif
  225. const EVP_MD *m;
  226. EVP_MD_CTX md;
  227. int is_exp, n, i, j, k, cl;
  228. int reuse_dd = 0;
  229. is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
  230. c = s->s3->tmp.new_sym_enc;
  231. m = s->s3->tmp.new_hash;
  232. /* m == NULL will lead to a crash later */
  233. OPENSSL_assert(m);
  234. #ifndef OPENSSL_NO_COMP
  235. if (s->s3->tmp.new_compression == NULL)
  236. comp = NULL;
  237. else
  238. comp = s->s3->tmp.new_compression->method;
  239. #endif
  240. if (which & SSL3_CC_READ) {
  241. if (s->enc_read_ctx != NULL)
  242. reuse_dd = 1;
  243. else if ((s->enc_read_ctx =
  244. OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  245. goto err;
  246. else
  247. /*
  248. * make sure it's intialized in case we exit later with an error
  249. */
  250. EVP_CIPHER_CTX_init(s->enc_read_ctx);
  251. dd = s->enc_read_ctx;
  252. if (ssl_replace_hash(&s->read_hash, m) == NULL) {
  253. SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
  254. goto err2;
  255. }
  256. #ifndef OPENSSL_NO_COMP
  257. /* COMPRESS */
  258. if (s->expand != NULL) {
  259. COMP_CTX_free(s->expand);
  260. s->expand = NULL;
  261. }
  262. if (comp != NULL) {
  263. s->expand = COMP_CTX_new(comp);
  264. if (s->expand == NULL) {
  265. SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
  266. SSL_R_COMPRESSION_LIBRARY_ERROR);
  267. goto err2;
  268. }
  269. if (s->s3->rrec.comp == NULL)
  270. s->s3->rrec.comp = (unsigned char *)
  271. OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
  272. if (s->s3->rrec.comp == NULL)
  273. goto err;
  274. }
  275. #endif
  276. memset(&(s->s3->read_sequence[0]), 0, 8);
  277. mac_secret = &(s->s3->read_mac_secret[0]);
  278. } else {
  279. if (s->enc_write_ctx != NULL)
  280. reuse_dd = 1;
  281. else if ((s->enc_write_ctx =
  282. OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
  283. goto err;
  284. else
  285. /*
  286. * make sure it's intialized in case we exit later with an error
  287. */
  288. EVP_CIPHER_CTX_init(s->enc_write_ctx);
  289. dd = s->enc_write_ctx;
  290. if (ssl_replace_hash(&s->write_hash, m) == NULL) {
  291. SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
  292. goto err2;
  293. }
  294. #ifndef OPENSSL_NO_COMP
  295. /* COMPRESS */
  296. if (s->compress != NULL) {
  297. COMP_CTX_free(s->compress);
  298. s->compress = NULL;
  299. }
  300. if (comp != NULL) {
  301. s->compress = COMP_CTX_new(comp);
  302. if (s->compress == NULL) {
  303. SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
  304. SSL_R_COMPRESSION_LIBRARY_ERROR);
  305. goto err2;
  306. }
  307. }
  308. #endif
  309. memset(&(s->s3->write_sequence[0]), 0, 8);
  310. mac_secret = &(s->s3->write_mac_secret[0]);
  311. }
  312. if (reuse_dd)
  313. EVP_CIPHER_CTX_cleanup(dd);
  314. p = s->s3->tmp.key_block;
  315. i = EVP_MD_size(m);
  316. if (i < 0)
  317. goto err2;
  318. cl = EVP_CIPHER_key_length(c);
  319. j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
  320. cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
  321. /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
  322. k = EVP_CIPHER_iv_length(c);
  323. if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
  324. (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
  325. ms = &(p[0]);
  326. n = i + i;
  327. key = &(p[n]);
  328. n += j + j;
  329. iv = &(p[n]);
  330. n += k + k;
  331. er1 = &(s->s3->client_random[0]);
  332. er2 = &(s->s3->server_random[0]);
  333. } else {
  334. n = i;
  335. ms = &(p[n]);
  336. n += i + j;
  337. key = &(p[n]);
  338. n += j + k;
  339. iv = &(p[n]);
  340. n += k;
  341. er1 = &(s->s3->server_random[0]);
  342. er2 = &(s->s3->client_random[0]);
  343. }
  344. if (n > s->s3->tmp.key_block_length) {
  345. SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
  346. goto err2;
  347. }
  348. EVP_MD_CTX_init(&md);
  349. memcpy(mac_secret, ms, i);
  350. if (is_exp) {
  351. /*
  352. * In here I set both the read and write key/iv to the same value
  353. * since only the correct one will be used :-).
  354. */
  355. if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
  356. !EVP_DigestUpdate(&md, key, j) ||
  357. !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
  358. !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
  359. !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
  360. EVP_MD_CTX_cleanup(&md);
  361. goto err2;
  362. }
  363. key = &(exp_key[0]);
  364. if (k > 0) {
  365. if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
  366. !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
  367. !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
  368. !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
  369. EVP_MD_CTX_cleanup(&md);
  370. goto err2;
  371. }
  372. iv = &(exp_iv[0]);
  373. }
  374. }
  375. EVP_MD_CTX_cleanup(&md);
  376. s->session->key_arg_length = 0;
  377. if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)))
  378. goto err2;
  379. #ifdef OPENSSL_SSL_TRACE_CRYPTO
  380. if (s->msg_callback) {
  381. int wh = which & SSL3_CC_WRITE ?
  382. TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
  383. s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
  384. mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
  385. if (c->key_len)
  386. s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
  387. key, c->key_len, s, s->msg_callback_arg);
  388. if (k) {
  389. s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
  390. iv, k, s, s->msg_callback_arg);
  391. }
  392. }
  393. #endif
  394. OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
  395. OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
  396. return (1);
  397. err:
  398. SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
  399. err2:
  400. return (0);
  401. }
  402. int ssl3_setup_key_block(SSL *s)
  403. {
  404. unsigned char *p;
  405. const EVP_CIPHER *c;
  406. const EVP_MD *hash;
  407. int num;
  408. int ret = 0;
  409. SSL_COMP *comp;
  410. if (s->s3->tmp.key_block_length != 0)
  411. return (1);
  412. if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
  413. SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
  414. return (0);
  415. }
  416. s->s3->tmp.new_sym_enc = c;
  417. s->s3->tmp.new_hash = hash;
  418. #ifdef OPENSSL_NO_COMP
  419. s->s3->tmp.new_compression = NULL;
  420. #else
  421. s->s3->tmp.new_compression = comp;
  422. #endif
  423. num = EVP_MD_size(hash);
  424. if (num < 0)
  425. return 0;
  426. num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
  427. num *= 2;
  428. ssl3_cleanup_key_block(s);
  429. if ((p = OPENSSL_malloc(num)) == NULL)
  430. goto err;
  431. s->s3->tmp.key_block_length = num;
  432. s->s3->tmp.key_block = p;
  433. ret = ssl3_generate_key_block(s, p, num);
  434. if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
  435. /*
  436. * enable vulnerability countermeasure for CBC ciphers with known-IV
  437. * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
  438. */
  439. s->s3->need_empty_fragments = 1;
  440. if (s->session->cipher != NULL) {
  441. if (s->session->cipher->algorithm_enc == SSL_eNULL)
  442. s->s3->need_empty_fragments = 0;
  443. #ifndef OPENSSL_NO_RC4
  444. if (s->session->cipher->algorithm_enc == SSL_RC4)
  445. s->s3->need_empty_fragments = 0;
  446. #endif
  447. }
  448. }
  449. return ret;
  450. err:
  451. SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
  452. return (0);
  453. }
  454. void ssl3_cleanup_key_block(SSL *s)
  455. {
  456. if (s->s3->tmp.key_block != NULL) {
  457. OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
  458. OPENSSL_free(s->s3->tmp.key_block);
  459. s->s3->tmp.key_block = NULL;
  460. }
  461. s->s3->tmp.key_block_length = 0;
  462. }
  463. /*-
  464. * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
  465. *
  466. * Returns:
  467. * 0: (in non-constant time) if the record is publically invalid (i.e. too
  468. * short etc).
  469. * 1: if the record's padding is valid / the encryption was successful.
  470. * -1: if the record's padding is invalid or, if sending, an internal error
  471. * occured.
  472. */
  473. int ssl3_enc(SSL *s, int send)
  474. {
  475. SSL3_RECORD *rec;
  476. EVP_CIPHER_CTX *ds;
  477. unsigned long l;
  478. int bs, i, mac_size = 0;
  479. const EVP_CIPHER *enc;
  480. if (send) {
  481. ds = s->enc_write_ctx;
  482. rec = &(s->s3->wrec);
  483. if (s->enc_write_ctx == NULL)
  484. enc = NULL;
  485. else
  486. enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
  487. } else {
  488. ds = s->enc_read_ctx;
  489. rec = &(s->s3->rrec);
  490. if (s->enc_read_ctx == NULL)
  491. enc = NULL;
  492. else
  493. enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
  494. }
  495. if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
  496. memmove(rec->data, rec->input, rec->length);
  497. rec->input = rec->data;
  498. } else {
  499. l = rec->length;
  500. bs = EVP_CIPHER_block_size(ds->cipher);
  501. /* COMPRESS */
  502. if ((bs != 1) && send) {
  503. i = bs - ((int)l % bs);
  504. /* we need to add 'i-1' padding bytes */
  505. l += i;
  506. /*
  507. * the last of these zero bytes will be overwritten with the
  508. * padding length.
  509. */
  510. memset(&rec->input[rec->length], 0, i);
  511. rec->length += i;
  512. rec->input[l - 1] = (i - 1);
  513. }
  514. if (!send) {
  515. if (l == 0 || l % bs != 0)
  516. return 0;
  517. /* otherwise, rec->length >= bs */
  518. }
  519. if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
  520. return -1;
  521. if (EVP_MD_CTX_md(s->read_hash) != NULL)
  522. mac_size = EVP_MD_CTX_size(s->read_hash);
  523. if ((bs != 1) && !send)
  524. return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
  525. }
  526. return 1;
  527. }
  528. int ssl3_init_finished_mac(SSL *s)
  529. {
  530. if (s->s3->handshake_buffer)
  531. BIO_free(s->s3->handshake_buffer);
  532. if (s->s3->handshake_dgst)
  533. ssl3_free_digest_list(s);
  534. s->s3->handshake_buffer = BIO_new(BIO_s_mem());
  535. if (s->s3->handshake_buffer == NULL)
  536. return 0;
  537. (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
  538. return 1;
  539. }
  540. void ssl3_free_digest_list(SSL *s)
  541. {
  542. int i;
  543. if (!s->s3->handshake_dgst)
  544. return;
  545. for (i = 0; i < SSL_MAX_DIGEST; i++) {
  546. if (s->s3->handshake_dgst[i])
  547. EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
  548. }
  549. OPENSSL_free(s->s3->handshake_dgst);
  550. s->s3->handshake_dgst = NULL;
  551. }
  552. void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
  553. {
  554. if (s->s3->handshake_buffer
  555. && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
  556. BIO_write(s->s3->handshake_buffer, (void *)buf, len);
  557. } else {
  558. int i;
  559. for (i = 0; i < SSL_MAX_DIGEST; i++) {
  560. if (s->s3->handshake_dgst[i] != NULL)
  561. EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
  562. }
  563. }
  564. }
  565. int ssl3_digest_cached_records(SSL *s)
  566. {
  567. int i;
  568. long mask;
  569. const EVP_MD *md;
  570. long hdatalen;
  571. void *hdata;
  572. /* Allocate handshake_dgst array */
  573. ssl3_free_digest_list(s);
  574. s->s3->handshake_dgst =
  575. OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
  576. if (s->s3->handshake_dgst == NULL) {
  577. SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
  578. return 0;
  579. }
  580. memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
  581. hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
  582. if (hdatalen <= 0) {
  583. SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
  584. return 0;
  585. }
  586. /* Loop through bitso of algorithm2 field and create MD_CTX-es */
  587. for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
  588. if ((mask & ssl_get_algorithm2(s)) && md) {
  589. s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
  590. if (s->s3->handshake_dgst[i] == NULL) {
  591. SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
  592. return 0;
  593. }
  594. #ifdef OPENSSL_FIPS
  595. if (EVP_MD_nid(md) == NID_md5) {
  596. EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
  597. EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  598. }
  599. #endif
  600. if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)
  601. || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
  602. hdatalen)) {
  603. SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
  604. return 0;
  605. }
  606. } else {
  607. s->s3->handshake_dgst[i] = NULL;
  608. }
  609. }
  610. if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
  611. /* Free handshake_buffer BIO */
  612. BIO_free(s->s3->handshake_buffer);
  613. s->s3->handshake_buffer = NULL;
  614. }
  615. return 1;
  616. }
  617. int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
  618. {
  619. return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
  620. }
  621. int ssl3_final_finish_mac(SSL *s,
  622. const char *sender, int len, unsigned char *p)
  623. {
  624. int ret, sha1len;
  625. ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
  626. if (ret == 0)
  627. return 0;
  628. p += ret;
  629. sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
  630. if (sha1len == 0)
  631. return 0;
  632. ret += sha1len;
  633. return (ret);
  634. }
  635. static int ssl3_handshake_mac(SSL *s, int md_nid,
  636. const char *sender, int len, unsigned char *p)
  637. {
  638. unsigned int ret;
  639. int npad, n;
  640. unsigned int i;
  641. unsigned char md_buf[EVP_MAX_MD_SIZE];
  642. EVP_MD_CTX ctx, *d = NULL;
  643. if (s->s3->handshake_buffer)
  644. if (!ssl3_digest_cached_records(s))
  645. return 0;
  646. /*
  647. * Search for digest of specified type in the handshake_dgst array
  648. */
  649. for (i = 0; i < SSL_MAX_DIGEST; i++) {
  650. if (s->s3->handshake_dgst[i]
  651. && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
  652. d = s->s3->handshake_dgst[i];
  653. break;
  654. }
  655. }
  656. if (!d) {
  657. SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
  658. return 0;
  659. }
  660. EVP_MD_CTX_init(&ctx);
  661. EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
  662. EVP_MD_CTX_copy_ex(&ctx, d);
  663. n = EVP_MD_CTX_size(&ctx);
  664. if (n < 0)
  665. return 0;
  666. npad = (48 / n) * n;
  667. if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
  668. || EVP_DigestUpdate(&ctx, s->session->master_key,
  669. s->session->master_key_length) <= 0
  670. || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
  671. || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
  672. || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
  673. || EVP_DigestUpdate(&ctx, s->session->master_key,
  674. s->session->master_key_length) <= 0
  675. || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
  676. || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
  677. || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
  678. SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
  679. ret = 0;
  680. }
  681. EVP_MD_CTX_cleanup(&ctx);
  682. return ((int)ret);
  683. }
  684. int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
  685. {
  686. SSL3_RECORD *rec;
  687. unsigned char *mac_sec, *seq;
  688. EVP_MD_CTX md_ctx;
  689. const EVP_MD_CTX *hash;
  690. unsigned char *p, rec_char;
  691. size_t md_size, orig_len;
  692. int npad;
  693. int t;
  694. if (send) {
  695. rec = &(ssl->s3->wrec);
  696. mac_sec = &(ssl->s3->write_mac_secret[0]);
  697. seq = &(ssl->s3->write_sequence[0]);
  698. hash = ssl->write_hash;
  699. } else {
  700. rec = &(ssl->s3->rrec);
  701. mac_sec = &(ssl->s3->read_mac_secret[0]);
  702. seq = &(ssl->s3->read_sequence[0]);
  703. hash = ssl->read_hash;
  704. }
  705. t = EVP_MD_CTX_size(hash);
  706. if (t < 0)
  707. return -1;
  708. md_size = t;
  709. npad = (48 / md_size) * md_size;
  710. /*
  711. * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
  712. */
  713. orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
  714. rec->type &= 0xff;
  715. if (!send &&
  716. EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
  717. ssl3_cbc_record_digest_supported(hash)) {
  718. /*
  719. * This is a CBC-encrypted record. We must avoid leaking any
  720. * timing-side channel information about how many blocks of data we
  721. * are hashing because that gives an attacker a timing-oracle.
  722. */
  723. /*-
  724. * npad is, at most, 48 bytes and that's with MD5:
  725. * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
  726. *
  727. * With SHA-1 (the largest hash speced for SSLv3) the hash size
  728. * goes up 4, but npad goes down by 8, resulting in a smaller
  729. * total size.
  730. */
  731. unsigned char header[75];
  732. unsigned j = 0;
  733. memcpy(header + j, mac_sec, md_size);
  734. j += md_size;
  735. memcpy(header + j, ssl3_pad_1, npad);
  736. j += npad;
  737. memcpy(header + j, seq, 8);
  738. j += 8;
  739. header[j++] = rec->type;
  740. header[j++] = rec->length >> 8;
  741. header[j++] = rec->length & 0xff;
  742. /* Final param == is SSLv3 */
  743. if (ssl3_cbc_digest_record(hash,
  744. md, &md_size,
  745. header, rec->input,
  746. rec->length + md_size, orig_len,
  747. mac_sec, md_size, 1) <= 0)
  748. return -1;
  749. } else {
  750. unsigned int md_size_u;
  751. /* Chop the digest off the end :-) */
  752. EVP_MD_CTX_init(&md_ctx);
  753. rec_char = rec->type;
  754. p = md;
  755. s2n(rec->length, p);
  756. if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
  757. || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
  758. || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
  759. || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
  760. || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
  761. || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
  762. || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
  763. || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
  764. || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
  765. || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
  766. || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
  767. || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
  768. || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
  769. EVP_MD_CTX_cleanup(&md_ctx);
  770. return -1;
  771. }
  772. md_size = md_size_u;
  773. EVP_MD_CTX_cleanup(&md_ctx);
  774. }
  775. ssl3_record_sequence_update(seq);
  776. return (md_size);
  777. }
  778. void ssl3_record_sequence_update(unsigned char *seq)
  779. {
  780. int i;
  781. for (i = 7; i >= 0; i--) {
  782. ++seq[i];
  783. if (seq[i] != 0)
  784. break;
  785. }
  786. }
  787. int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
  788. int len)
  789. {
  790. static const unsigned char *salt[3] = {
  791. #ifndef CHARSET_EBCDIC
  792. (const unsigned char *)"A",
  793. (const unsigned char *)"BB",
  794. (const unsigned char *)"CCC",
  795. #else
  796. (const unsigned char *)"\x41",
  797. (const unsigned char *)"\x42\x42",
  798. (const unsigned char *)"\x43\x43\x43",
  799. #endif
  800. };
  801. unsigned char buf[EVP_MAX_MD_SIZE];
  802. EVP_MD_CTX ctx;
  803. int i, ret = 0;
  804. unsigned int n;
  805. #ifdef OPENSSL_SSL_TRACE_CRYPTO
  806. unsigned char *tmpout = out;
  807. #endif
  808. EVP_MD_CTX_init(&ctx);
  809. for (i = 0; i < 3; i++) {
  810. if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
  811. || EVP_DigestUpdate(&ctx, salt[i],
  812. strlen((const char *)salt[i])) <= 0
  813. || EVP_DigestUpdate(&ctx, p, len) <= 0
  814. || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
  815. SSL3_RANDOM_SIZE) <= 0
  816. || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
  817. SSL3_RANDOM_SIZE) <= 0
  818. || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
  819. || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
  820. || EVP_DigestUpdate(&ctx, p, len) <= 0
  821. || EVP_DigestUpdate(&ctx, buf, n) <= 0
  822. || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
  823. SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
  824. ret = 0;
  825. break;
  826. }
  827. out += n;
  828. ret += n;
  829. }
  830. EVP_MD_CTX_cleanup(&ctx);
  831. #ifdef OPENSSL_SSL_TRACE_CRYPTO
  832. if (ret > 0 && s->msg_callback) {
  833. s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
  834. p, len, s, s->msg_callback_arg);
  835. s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
  836. s->s3->client_random, SSL3_RANDOM_SIZE,
  837. s, s->msg_callback_arg);
  838. s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
  839. s->s3->server_random, SSL3_RANDOM_SIZE,
  840. s, s->msg_callback_arg);
  841. s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
  842. tmpout, SSL3_MASTER_SECRET_SIZE,
  843. s, s->msg_callback_arg);
  844. }
  845. #endif
  846. OPENSSL_cleanse(buf, sizeof(buf));
  847. return (ret);
  848. }
  849. int ssl3_alert_code(int code)
  850. {
  851. switch (code) {
  852. case SSL_AD_CLOSE_NOTIFY:
  853. return (SSL3_AD_CLOSE_NOTIFY);
  854. case SSL_AD_UNEXPECTED_MESSAGE:
  855. return (SSL3_AD_UNEXPECTED_MESSAGE);
  856. case SSL_AD_BAD_RECORD_MAC:
  857. return (SSL3_AD_BAD_RECORD_MAC);
  858. case SSL_AD_DECRYPTION_FAILED:
  859. return (SSL3_AD_BAD_RECORD_MAC);
  860. case SSL_AD_RECORD_OVERFLOW:
  861. return (SSL3_AD_BAD_RECORD_MAC);
  862. case SSL_AD_DECOMPRESSION_FAILURE:
  863. return (SSL3_AD_DECOMPRESSION_FAILURE);
  864. case SSL_AD_HANDSHAKE_FAILURE:
  865. return (SSL3_AD_HANDSHAKE_FAILURE);
  866. case SSL_AD_NO_CERTIFICATE:
  867. return (SSL3_AD_NO_CERTIFICATE);
  868. case SSL_AD_BAD_CERTIFICATE:
  869. return (SSL3_AD_BAD_CERTIFICATE);
  870. case SSL_AD_UNSUPPORTED_CERTIFICATE:
  871. return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
  872. case SSL_AD_CERTIFICATE_REVOKED:
  873. return (SSL3_AD_CERTIFICATE_REVOKED);
  874. case SSL_AD_CERTIFICATE_EXPIRED:
  875. return (SSL3_AD_CERTIFICATE_EXPIRED);
  876. case SSL_AD_CERTIFICATE_UNKNOWN:
  877. return (SSL3_AD_CERTIFICATE_UNKNOWN);
  878. case SSL_AD_ILLEGAL_PARAMETER:
  879. return (SSL3_AD_ILLEGAL_PARAMETER);
  880. case SSL_AD_UNKNOWN_CA:
  881. return (SSL3_AD_BAD_CERTIFICATE);
  882. case SSL_AD_ACCESS_DENIED:
  883. return (SSL3_AD_HANDSHAKE_FAILURE);
  884. case SSL_AD_DECODE_ERROR:
  885. return (SSL3_AD_HANDSHAKE_FAILURE);
  886. case SSL_AD_DECRYPT_ERROR:
  887. return (SSL3_AD_HANDSHAKE_FAILURE);
  888. case SSL_AD_EXPORT_RESTRICTION:
  889. return (SSL3_AD_HANDSHAKE_FAILURE);
  890. case SSL_AD_PROTOCOL_VERSION:
  891. return (SSL3_AD_HANDSHAKE_FAILURE);
  892. case SSL_AD_INSUFFICIENT_SECURITY:
  893. return (SSL3_AD_HANDSHAKE_FAILURE);
  894. case SSL_AD_INTERNAL_ERROR:
  895. return (SSL3_AD_HANDSHAKE_FAILURE);
  896. case SSL_AD_USER_CANCELLED:
  897. return (SSL3_AD_HANDSHAKE_FAILURE);
  898. case SSL_AD_NO_RENEGOTIATION:
  899. return (-1); /* Don't send it :-) */
  900. case SSL_AD_UNSUPPORTED_EXTENSION:
  901. return (SSL3_AD_HANDSHAKE_FAILURE);
  902. case SSL_AD_CERTIFICATE_UNOBTAINABLE:
  903. return (SSL3_AD_HANDSHAKE_FAILURE);
  904. case SSL_AD_UNRECOGNIZED_NAME:
  905. return (SSL3_AD_HANDSHAKE_FAILURE);
  906. case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
  907. return (SSL3_AD_HANDSHAKE_FAILURE);
  908. case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
  909. return (SSL3_AD_HANDSHAKE_FAILURE);
  910. case SSL_AD_UNKNOWN_PSK_IDENTITY:
  911. return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
  912. case SSL_AD_INAPPROPRIATE_FALLBACK:
  913. return (TLS1_AD_INAPPROPRIATE_FALLBACK);
  914. default:
  915. return (-1);
  916. }
  917. }