2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
143 static unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
152 static unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_init(&s1);
177 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
179 if (k > sizeof buf) {
180 /* bug: 'buf' is too small for this ciphersuite */
181 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
185 for (j = 0; j < k; j++)
188 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
189 EVP_DigestUpdate(&s1, buf, k);
190 EVP_DigestUpdate(&s1, s->session->master_key,
191 s->session->master_key_length);
192 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
193 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
194 EVP_DigestFinal_ex(&s1, smd, NULL);
196 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
197 EVP_DigestUpdate(&m5, s->session->master_key,
198 s->session->master_key_length);
199 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
200 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
201 EVP_DigestFinal_ex(&m5, smd, NULL);
202 memcpy(km, smd, (num - i));
204 EVP_DigestFinal_ex(&m5, km, NULL);
206 km += MD5_DIGEST_LENGTH;
208 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
209 EVP_MD_CTX_cleanup(&m5);
210 EVP_MD_CTX_cleanup(&s1);
214 int ssl3_change_cipher_state(SSL *s, int which)
216 unsigned char *p, *mac_secret;
217 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
218 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
219 unsigned char *ms, *key, *iv, *er1, *er2;
222 #ifndef OPENSSL_NO_COMP
227 int is_exp, n, i, j, k, cl;
230 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
231 c = s->s3->tmp.new_sym_enc;
232 m = s->s3->tmp.new_hash;
233 /* m == NULL will lead to a crash later */
235 #ifndef OPENSSL_NO_COMP
236 if (s->s3->tmp.new_compression == NULL)
239 comp = s->s3->tmp.new_compression->method;
242 if (which & SSL3_CC_READ) {
243 if (s->enc_read_ctx != NULL)
245 else if ((s->enc_read_ctx =
246 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
250 * make sure it's intialized in case we exit later with an error
252 EVP_CIPHER_CTX_init(s->enc_read_ctx);
253 dd = s->enc_read_ctx;
255 ssl_replace_hash(&s->read_hash, m);
256 #ifndef OPENSSL_NO_COMP
258 if (s->expand != NULL) {
259 COMP_CTX_free(s->expand);
263 s->expand = COMP_CTX_new(comp);
264 if (s->expand == NULL) {
265 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
266 SSL_R_COMPRESSION_LIBRARY_ERROR);
269 if (s->s3->rrec.comp == NULL)
270 s->s3->rrec.comp = (unsigned char *)
271 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
272 if (s->s3->rrec.comp == NULL)
276 memset(&(s->s3->read_sequence[0]), 0, 8);
277 mac_secret = &(s->s3->read_mac_secret[0]);
279 if (s->enc_write_ctx != NULL)
281 else if ((s->enc_write_ctx =
282 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
286 * make sure it's intialized in case we exit later with an error
288 EVP_CIPHER_CTX_init(s->enc_write_ctx);
289 dd = s->enc_write_ctx;
290 ssl_replace_hash(&s->write_hash, m);
291 #ifndef OPENSSL_NO_COMP
293 if (s->compress != NULL) {
294 COMP_CTX_free(s->compress);
298 s->compress = COMP_CTX_new(comp);
299 if (s->compress == NULL) {
300 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
301 SSL_R_COMPRESSION_LIBRARY_ERROR);
306 memset(&(s->s3->write_sequence[0]), 0, 8);
307 mac_secret = &(s->s3->write_mac_secret[0]);
311 EVP_CIPHER_CTX_cleanup(dd);
313 p = s->s3->tmp.key_block;
317 cl = EVP_CIPHER_key_length(c);
318 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
319 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
320 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
321 k = EVP_CIPHER_iv_length(c);
322 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
323 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
330 er1 = &(s->s3->client_random[0]);
331 er2 = &(s->s3->server_random[0]);
340 er1 = &(s->s3->server_random[0]);
341 er2 = &(s->s3->client_random[0]);
344 if (n > s->s3->tmp.key_block_length) {
345 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
349 EVP_MD_CTX_init(&md);
350 memcpy(mac_secret, ms, i);
353 * In here I set both the read and write key/iv to the same value
354 * since only the correct one will be used :-).
356 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
357 EVP_DigestUpdate(&md, key, j);
358 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
359 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
360 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
364 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
365 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
366 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
367 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
372 s->session->key_arg_length = 0;
374 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
376 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
377 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
378 EVP_MD_CTX_cleanup(&md);
381 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
386 int ssl3_setup_key_block(SSL *s)
395 if (s->s3->tmp.key_block_length != 0)
398 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
399 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
403 s->s3->tmp.new_sym_enc = c;
404 s->s3->tmp.new_hash = hash;
405 #ifdef OPENSSL_NO_COMP
406 s->s3->tmp.new_compression = NULL;
408 s->s3->tmp.new_compression = comp;
411 num = EVP_MD_size(hash);
415 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
418 ssl3_cleanup_key_block(s);
420 if ((p = OPENSSL_malloc(num)) == NULL)
423 s->s3->tmp.key_block_length = num;
424 s->s3->tmp.key_block = p;
426 ret = ssl3_generate_key_block(s, p, num);
428 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
430 * enable vulnerability countermeasure for CBC ciphers with known-IV
431 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
433 s->s3->need_empty_fragments = 1;
435 if (s->session->cipher != NULL) {
436 if (s->session->cipher->algorithm_enc == SSL_eNULL)
437 s->s3->need_empty_fragments = 0;
439 #ifndef OPENSSL_NO_RC4
440 if (s->session->cipher->algorithm_enc == SSL_RC4)
441 s->s3->need_empty_fragments = 0;
449 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
453 void ssl3_cleanup_key_block(SSL *s)
455 if (s->s3->tmp.key_block != NULL) {
456 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
457 OPENSSL_free(s->s3->tmp.key_block);
458 s->s3->tmp.key_block = NULL;
460 s->s3->tmp.key_block_length = 0;
464 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
467 * 0: (in non-constant time) if the record is publically invalid (i.e. too
469 * 1: if the record's padding is valid / the encryption was successful.
470 * -1: if the record's padding is invalid or, if sending, an internal error
473 int ssl3_enc(SSL *s, int send)
478 int bs, i, mac_size = 0;
479 const EVP_CIPHER *enc;
482 ds = s->enc_write_ctx;
483 rec = &(s->s3->wrec);
484 if (s->enc_write_ctx == NULL)
487 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
489 ds = s->enc_read_ctx;
490 rec = &(s->s3->rrec);
491 if (s->enc_read_ctx == NULL)
494 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
497 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
498 memmove(rec->data, rec->input, rec->length);
499 rec->input = rec->data;
502 bs = EVP_CIPHER_block_size(ds->cipher);
506 if ((bs != 1) && send) {
507 i = bs - ((int)l % bs);
509 /* we need to add 'i-1' padding bytes */
512 * the last of these zero bytes will be overwritten with the
515 memset(&rec->input[rec->length], 0, i);
517 rec->input[l - 1] = (i - 1);
521 if (l == 0 || l % bs != 0)
523 /* otherwise, rec->length >= bs */
526 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
529 if (EVP_MD_CTX_md(s->read_hash) != NULL)
530 mac_size = EVP_MD_CTX_size(s->read_hash);
531 if ((bs != 1) && !send)
532 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
537 void ssl3_init_finished_mac(SSL *s)
539 if (s->s3->handshake_buffer)
540 BIO_free(s->s3->handshake_buffer);
541 if (s->s3->handshake_dgst)
542 ssl3_free_digest_list(s);
543 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
544 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
547 void ssl3_free_digest_list(SSL *s)
550 if (!s->s3->handshake_dgst)
552 for (i = 0; i < SSL_MAX_DIGEST; i++) {
553 if (s->s3->handshake_dgst[i])
554 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
556 OPENSSL_free(s->s3->handshake_dgst);
557 s->s3->handshake_dgst = NULL;
560 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
562 if (s->s3->handshake_buffer) {
563 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
566 for (i = 0; i < SSL_MAX_DIGEST; i++) {
567 if (s->s3->handshake_dgst[i] != NULL)
568 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
573 int ssl3_digest_cached_records(SSL *s)
581 /* Allocate handshake_dgst array */
582 ssl3_free_digest_list(s);
583 s->s3->handshake_dgst =
584 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
585 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
586 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
588 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
592 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
593 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
594 if ((mask & s->s3->tmp.new_cipher->algorithm2) && md) {
595 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
596 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
597 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
599 s->s3->handshake_dgst[i] = NULL;
602 /* Free handshake_buffer BIO */
603 BIO_free(s->s3->handshake_buffer);
604 s->s3->handshake_buffer = NULL;
609 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
611 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
614 int ssl3_final_finish_mac(SSL *s,
615 const char *sender, int len, unsigned char *p)
618 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
624 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
632 static int ssl3_handshake_mac(SSL *s, int md_nid,
633 const char *sender, int len, unsigned char *p)
638 unsigned char md_buf[EVP_MAX_MD_SIZE];
639 EVP_MD_CTX ctx, *d = NULL;
641 if (s->s3->handshake_buffer)
642 if (!ssl3_digest_cached_records(s))
646 * Search for digest of specified type in the handshake_dgst array
648 for (i = 0; i < SSL_MAX_DIGEST; i++) {
649 if (s->s3->handshake_dgst[i]
650 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
651 d = s->s3->handshake_dgst[i];
656 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
659 EVP_MD_CTX_init(&ctx);
660 EVP_MD_CTX_copy_ex(&ctx, d);
661 n = EVP_MD_CTX_size(&ctx);
667 EVP_DigestUpdate(&ctx, sender, len);
668 EVP_DigestUpdate(&ctx, s->session->master_key,
669 s->session->master_key_length);
670 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
671 EVP_DigestFinal_ex(&ctx, md_buf, &i);
673 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
674 EVP_DigestUpdate(&ctx, s->session->master_key,
675 s->session->master_key_length);
676 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
677 EVP_DigestUpdate(&ctx, md_buf, i);
678 EVP_DigestFinal_ex(&ctx, p, &ret);
680 EVP_MD_CTX_cleanup(&ctx);
685 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
688 unsigned char *mac_sec, *seq;
690 const EVP_MD_CTX *hash;
691 unsigned char *p, rec_char;
692 size_t md_size, orig_len;
697 rec = &(ssl->s3->wrec);
698 mac_sec = &(ssl->s3->write_mac_secret[0]);
699 seq = &(ssl->s3->write_sequence[0]);
700 hash = ssl->write_hash;
702 rec = &(ssl->s3->rrec);
703 mac_sec = &(ssl->s3->read_mac_secret[0]);
704 seq = &(ssl->s3->read_sequence[0]);
705 hash = ssl->read_hash;
708 t = EVP_MD_CTX_size(hash);
712 npad = (48 / md_size) * md_size;
715 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
717 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
721 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
722 ssl3_cbc_record_digest_supported(hash)) {
724 * This is a CBC-encrypted record. We must avoid leaking any
725 * timing-side channel information about how many blocks of data we
726 * are hashing because that gives an attacker a timing-oracle.
730 * npad is, at most, 48 bytes and that's with MD5:
731 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
733 * With SHA-1 (the largest hash speced for SSLv3) the hash size
734 * goes up 4, but npad goes down by 8, resulting in a smaller
737 unsigned char header[75];
739 memcpy(header + j, mac_sec, md_size);
741 memcpy(header + j, ssl3_pad_1, npad);
743 memcpy(header + j, seq, 8);
745 header[j++] = rec->type;
746 header[j++] = rec->length >> 8;
747 header[j++] = rec->length & 0xff;
749 /* Final param == is SSLv3 */
750 ssl3_cbc_digest_record(hash,
753 rec->length + md_size, orig_len,
754 mac_sec, md_size, 1);
756 unsigned int md_size_u;
757 /* Chop the digest off the end :-) */
758 EVP_MD_CTX_init(&md_ctx);
760 EVP_MD_CTX_copy_ex(&md_ctx, hash);
761 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
762 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
763 EVP_DigestUpdate(&md_ctx, seq, 8);
764 rec_char = rec->type;
765 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
768 EVP_DigestUpdate(&md_ctx, md, 2);
769 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
770 EVP_DigestFinal_ex(&md_ctx, md, NULL);
772 EVP_MD_CTX_copy_ex(&md_ctx, hash);
773 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
774 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
775 EVP_DigestUpdate(&md_ctx, md, md_size);
776 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
779 EVP_MD_CTX_cleanup(&md_ctx);
782 ssl3_record_sequence_update(seq);
786 void ssl3_record_sequence_update(unsigned char *seq)
790 for (i = 7; i >= 0; i--) {
797 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
800 static const unsigned char *salt[3] = {
801 #ifndef CHARSET_EBCDIC
802 (const unsigned char *)"A",
803 (const unsigned char *)"BB",
804 (const unsigned char *)"CCC",
806 (const unsigned char *)"\x41",
807 (const unsigned char *)"\x42\x42",
808 (const unsigned char *)"\x43\x43\x43",
811 unsigned char buf[EVP_MAX_MD_SIZE];
816 EVP_MD_CTX_init(&ctx);
817 for (i = 0; i < 3; i++) {
818 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
819 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
820 EVP_DigestUpdate(&ctx, p, len);
821 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
822 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
823 EVP_DigestFinal_ex(&ctx, buf, &n);
825 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
826 EVP_DigestUpdate(&ctx, p, len);
827 EVP_DigestUpdate(&ctx, buf, n);
828 EVP_DigestFinal_ex(&ctx, out, &n);
832 EVP_MD_CTX_cleanup(&ctx);
833 OPENSSL_cleanse(buf, sizeof buf);
837 int ssl3_alert_code(int code)
840 case SSL_AD_CLOSE_NOTIFY:
841 return (SSL3_AD_CLOSE_NOTIFY);
842 case SSL_AD_UNEXPECTED_MESSAGE:
843 return (SSL3_AD_UNEXPECTED_MESSAGE);
844 case SSL_AD_BAD_RECORD_MAC:
845 return (SSL3_AD_BAD_RECORD_MAC);
846 case SSL_AD_DECRYPTION_FAILED:
847 return (SSL3_AD_BAD_RECORD_MAC);
848 case SSL_AD_RECORD_OVERFLOW:
849 return (SSL3_AD_BAD_RECORD_MAC);
850 case SSL_AD_DECOMPRESSION_FAILURE:
851 return (SSL3_AD_DECOMPRESSION_FAILURE);
852 case SSL_AD_HANDSHAKE_FAILURE:
853 return (SSL3_AD_HANDSHAKE_FAILURE);
854 case SSL_AD_NO_CERTIFICATE:
855 return (SSL3_AD_NO_CERTIFICATE);
856 case SSL_AD_BAD_CERTIFICATE:
857 return (SSL3_AD_BAD_CERTIFICATE);
858 case SSL_AD_UNSUPPORTED_CERTIFICATE:
859 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
860 case SSL_AD_CERTIFICATE_REVOKED:
861 return (SSL3_AD_CERTIFICATE_REVOKED);
862 case SSL_AD_CERTIFICATE_EXPIRED:
863 return (SSL3_AD_CERTIFICATE_EXPIRED);
864 case SSL_AD_CERTIFICATE_UNKNOWN:
865 return (SSL3_AD_CERTIFICATE_UNKNOWN);
866 case SSL_AD_ILLEGAL_PARAMETER:
867 return (SSL3_AD_ILLEGAL_PARAMETER);
868 case SSL_AD_UNKNOWN_CA:
869 return (SSL3_AD_BAD_CERTIFICATE);
870 case SSL_AD_ACCESS_DENIED:
871 return (SSL3_AD_HANDSHAKE_FAILURE);
872 case SSL_AD_DECODE_ERROR:
873 return (SSL3_AD_HANDSHAKE_FAILURE);
874 case SSL_AD_DECRYPT_ERROR:
875 return (SSL3_AD_HANDSHAKE_FAILURE);
876 case SSL_AD_EXPORT_RESTRICTION:
877 return (SSL3_AD_HANDSHAKE_FAILURE);
878 case SSL_AD_PROTOCOL_VERSION:
879 return (SSL3_AD_HANDSHAKE_FAILURE);
880 case SSL_AD_INSUFFICIENT_SECURITY:
881 return (SSL3_AD_HANDSHAKE_FAILURE);
882 case SSL_AD_INTERNAL_ERROR:
883 return (SSL3_AD_HANDSHAKE_FAILURE);
884 case SSL_AD_USER_CANCELLED:
885 return (SSL3_AD_HANDSHAKE_FAILURE);
886 case SSL_AD_NO_RENEGOTIATION:
887 return (-1); /* Don't send it :-) */
888 case SSL_AD_UNSUPPORTED_EXTENSION:
889 return (SSL3_AD_HANDSHAKE_FAILURE);
890 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
891 return (SSL3_AD_HANDSHAKE_FAILURE);
892 case SSL_AD_UNRECOGNIZED_NAME:
893 return (SSL3_AD_HANDSHAKE_FAILURE);
894 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
895 return (SSL3_AD_HANDSHAKE_FAILURE);
896 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
897 return (SSL3_AD_HANDSHAKE_FAILURE);
898 case SSL_AD_UNKNOWN_PSK_IDENTITY:
899 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
900 case SSL_AD_INAPPROPRIATE_FALLBACK:
901 return (TLS1_AD_INAPPROPRIATE_FALLBACK);