X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=ssl%2Fs3_enc.c;h=ea0fb750f1464a361e0c3b4a5452148fda333013;hb=d23adad1133c5445cd834cab0e598d7817effc6b;hp=4c63d4acd5aafe384423a96a1b7cc752bfc653a1;hpb=dd5a4279f9be3988023a72c7f840aa2690c264f3;p=openssl.git diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index 4c63d4acd5..ea0fb750f1 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -1,21 +1,23 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * Copyright 2005 Nokia. All rights reserved. * - * Licensed under the OpenSSL license (the "License"). You may not use + * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include -#include "ssl_locl.h" +#include "ssl_local.h" #include #include +#include #include "internal/cryptlib.h" static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) { + EVP_MD *md5; EVP_MD_CTX *m5; EVP_MD_CTX *s1; unsigned char buf[16], smd[SHA_DIGEST_LENGTH]; @@ -27,14 +29,14 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) c = os_toascii[c]; /* 'A' in ASCII */ #endif k = 0; + md5 = EVP_MD_fetch(NULL, OSSL_DIGEST_NAME_MD5, "-fips"); m5 = EVP_MD_CTX_new(); s1 = EVP_MD_CTX_new(); - if (m5 == NULL || s1 == NULL) { + if (md5 == NULL || m5 == NULL || s1 == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_MALLOC_FAILURE); goto err; } - EVP_MD_CTX_set_flags(m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) { k++; if (k > sizeof(buf)) { @@ -51,10 +53,10 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) || !EVP_DigestUpdate(s1, buf, k) || !EVP_DigestUpdate(s1, s->session->master_key, s->session->master_key_length) - || !EVP_DigestUpdate(s1, s->s3->server_random, SSL3_RANDOM_SIZE) - || !EVP_DigestUpdate(s1, s->s3->client_random, SSL3_RANDOM_SIZE) + || !EVP_DigestUpdate(s1, s->s3.server_random, SSL3_RANDOM_SIZE) + || !EVP_DigestUpdate(s1, s->s3.client_random, SSL3_RANDOM_SIZE) || !EVP_DigestFinal_ex(s1, smd, NULL) - || !EVP_DigestInit_ex(m5, EVP_md5(), NULL) + || !EVP_DigestInit_ex(m5, md5, NULL) || !EVP_DigestUpdate(m5, s->session->master_key, s->session->master_key_length) || !EVP_DigestUpdate(m5, smd, SHA_DIGEST_LENGTH)) { @@ -84,14 +86,13 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) err: EVP_MD_CTX_free(m5); EVP_MD_CTX_free(s1); + EVP_MD_free(md5); return ret; } int ssl3_change_cipher_state(SSL *s, int which) { unsigned char *p, *mac_secret; - unsigned char exp_key[EVP_MAX_KEY_LENGTH]; - unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms, *key, *iv; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; @@ -103,8 +104,8 @@ int ssl3_change_cipher_state(SSL *s, int which) size_t n, i, j, k, cl; int reuse_dd = 0; - c = s->s3->tmp.new_sym_enc; - m = s->s3->tmp.new_hash; + c = s->s3.tmp.new_sym_enc; + m = s->s3.tmp.new_hash; /* m == NULL will lead to a crash later */ if (!ossl_assert(m != NULL)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, @@ -112,10 +113,10 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; } #ifndef OPENSSL_NO_COMP - if (s->s3->tmp.new_compression == NULL) + if (s->s3.tmp.new_compression == NULL) comp = NULL; else - comp = s->s3->tmp.new_compression->method; + comp = s->s3.tmp.new_compression->method; #endif if (which & SSL3_CC_READ) { @@ -153,8 +154,9 @@ int ssl3_change_cipher_state(SSL *s, int which) } #endif RECORD_LAYER_reset_read_sequence(&s->rlayer); - mac_secret = &(s->s3->read_mac_secret[0]); + mac_secret = &(s->s3.read_mac_secret[0]); } else { + s->statem.enc_write_state = ENC_WRITE_STATE_INVALID; if (s->enc_write_ctx != NULL) { reuse_dd = 1; } else if ((s->enc_write_ctx = EVP_CIPHER_CTX_new()) == NULL) { @@ -188,13 +190,13 @@ int ssl3_change_cipher_state(SSL *s, int which) } #endif RECORD_LAYER_reset_write_sequence(&s->rlayer); - mac_secret = &(s->s3->write_mac_secret[0]); + mac_secret = &(s->s3.write_mac_secret[0]); } if (reuse_dd) EVP_CIPHER_CTX_reset(dd); - p = s->s3->tmp.key_block; + p = s->s3.tmp.key_block; mdi = EVP_MD_size(m); if (mdi < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, @@ -223,7 +225,7 @@ int ssl3_change_cipher_state(SSL *s, int which) n += k; } - if (n > s->s3->tmp.key_block_length) { + if (n > s->s3.tmp.key_block_length) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR); goto err; @@ -237,12 +239,9 @@ int ssl3_change_cipher_state(SSL *s, int which) goto err; } - OPENSSL_cleanse(exp_key, sizeof(exp_key)); - OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); + s->statem.enc_write_state = ENC_WRITE_STATE_VALID; return 1; err: - OPENSSL_cleanse(exp_key, sizeof(exp_key)); - OPENSSL_cleanse(exp_iv, sizeof(exp_iv)); return 0; } @@ -255,7 +254,7 @@ int ssl3_setup_key_block(SSL *s) int ret = 0; SSL_COMP *comp; - if (s->s3->tmp.key_block_length != 0) + if (s->s3.tmp.key_block_length != 0) return 1; if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) { @@ -264,12 +263,12 @@ int ssl3_setup_key_block(SSL *s) return 0; } - s->s3->tmp.new_sym_enc = c; - s->s3->tmp.new_hash = hash; + s->s3.tmp.new_sym_enc = c; + s->s3.tmp.new_hash = hash; #ifdef OPENSSL_NO_COMP - s->s3->tmp.new_compression = NULL; + s->s3.tmp.new_compression = NULL; #else - s->s3->tmp.new_compression = comp; + s->s3.tmp.new_compression = comp; #endif num = EVP_MD_size(hash); @@ -287,8 +286,8 @@ int ssl3_setup_key_block(SSL *s) return 0; } - s->s3->tmp.key_block_length = num; - s->s3->tmp.key_block = p; + s->s3.tmp.key_block_length = num; + s->s3.tmp.key_block = p; /* Calls SSLfatal() as required */ ret = ssl3_generate_key_block(s, p, num); @@ -298,15 +297,15 @@ int ssl3_setup_key_block(SSL *s) * enable vulnerability countermeasure for CBC ciphers with known-IV * problem (http://www.openssl.org/~bodo/tls-cbc.txt) */ - s->s3->need_empty_fragments = 1; + s->s3.need_empty_fragments = 1; if (s->session->cipher != NULL) { if (s->session->cipher->algorithm_enc == SSL_eNULL) - s->s3->need_empty_fragments = 0; + s->s3.need_empty_fragments = 0; #ifndef OPENSSL_NO_RC4 if (s->session->cipher->algorithm_enc == SSL_RC4) - s->s3->need_empty_fragments = 0; + s->s3.need_empty_fragments = 0; #endif } } @@ -316,9 +315,9 @@ int ssl3_setup_key_block(SSL *s) void ssl3_cleanup_key_block(SSL *s) { - OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length); - s->s3->tmp.key_block = NULL; - s->s3->tmp.key_block_length = 0; + OPENSSL_clear_free(s->s3.tmp.key_block, s->s3.tmp.key_block_length); + s->s3.tmp.key_block = NULL; + s->s3.tmp.key_block_length = 0; } int ssl3_init_finished_mac(SSL *s) @@ -331,8 +330,8 @@ int ssl3_init_finished_mac(SSL *s) return 0; } ssl3_free_digest_list(s); - s->s3->handshake_buffer = buf; - (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE); + s->s3.handshake_buffer = buf; + (void)BIO_set_close(s->s3.handshake_buffer, BIO_CLOSE); return 1; } @@ -343,31 +342,31 @@ int ssl3_init_finished_mac(SSL *s) void ssl3_free_digest_list(SSL *s) { - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; - EVP_MD_CTX_free(s->s3->handshake_dgst); - s->s3->handshake_dgst = NULL; + BIO_free(s->s3.handshake_buffer); + s->s3.handshake_buffer = NULL; + EVP_MD_CTX_free(s->s3.handshake_dgst); + s->s3.handshake_dgst = NULL; } int ssl3_finish_mac(SSL *s, const unsigned char *buf, size_t len) { int ret; - if (s->s3->handshake_dgst == NULL) { + if (s->s3.handshake_dgst == NULL) { /* Note: this writes to a memory BIO so a failure is a fatal error */ if (len > INT_MAX) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, SSL_R_OVERFLOW_ERROR); return 0; } - ret = BIO_write(s->s3->handshake_buffer, (void *)buf, (int)len); + ret = BIO_write(s->s3.handshake_buffer, (void *)buf, (int)len); if (ret <= 0 || ret != (int)len) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, ERR_R_INTERNAL_ERROR); return 0; } } else { - ret = EVP_DigestUpdate(s->s3->handshake_dgst, buf, len); + ret = EVP_DigestUpdate(s->s3.handshake_dgst, buf, len); if (!ret) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINISH_MAC, ERR_R_INTERNAL_ERROR); @@ -383,37 +382,47 @@ int ssl3_digest_cached_records(SSL *s, int keep) long hdatalen; void *hdata; - if (s->s3->handshake_dgst == NULL) { - hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); + if (s->s3.handshake_dgst == NULL) { + hdatalen = BIO_get_mem_data(s->s3.handshake_buffer, &hdata); if (hdatalen <= 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH); return 0; } - s->s3->handshake_dgst = EVP_MD_CTX_new(); - if (s->s3->handshake_dgst == NULL) { + s->s3.handshake_dgst = EVP_MD_CTX_new(); + if (s->s3.handshake_dgst == NULL) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE); return 0; } md = ssl_handshake_md(s); - if (md == NULL || !EVP_DigestInit_ex(s->s3->handshake_dgst, md, NULL) - || !EVP_DigestUpdate(s->s3->handshake_dgst, hdata, hdatalen)) { + if (md == NULL || !EVP_DigestInit_ex(s->s3.handshake_dgst, md, NULL) + || !EVP_DigestUpdate(s->s3.handshake_dgst, hdata, hdatalen)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR); return 0; } } if (keep == 0) { - BIO_free(s->s3->handshake_buffer); - s->s3->handshake_buffer = NULL; + BIO_free(s->s3.handshake_buffer); + s->s3.handshake_buffer = NULL; } return 1; } +void ssl3_digest_master_key_set_params(const SSL_SESSION *session, + OSSL_PARAM params[]) +{ + int n = 0; + params[n++] = OSSL_PARAM_construct_octet_string(OSSL_DIGEST_PARAM_SSL3_MS, + (void *)session->master_key, + session->master_key_length); + params[n++] = OSSL_PARAM_construct_end(); +} + size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, unsigned char *p) { @@ -425,7 +434,7 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, return 0; } - if (EVP_MD_CTX_type(s->s3->handshake_dgst) != NID_md5_sha1) { + if (EVP_MD_CTX_type(s->s3.handshake_dgst) != NID_md5_sha1) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, SSL_R_NO_REQUIRED_DIGEST); return 0; @@ -437,30 +446,36 @@ size_t ssl3_final_finish_mac(SSL *s, const char *sender, size_t len, ERR_R_MALLOC_FAILURE); return 0; } - if (!EVP_MD_CTX_copy_ex(ctx, s->s3->handshake_dgst)) { + if (!EVP_MD_CTX_copy_ex(ctx, s->s3.handshake_dgst)) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); - return 0; + ret = 0; + goto err; } ret = EVP_MD_CTX_size(ctx); if (ret < 0) { SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, ERR_R_INTERNAL_ERROR); - EVP_MD_CTX_reset(ctx); - return 0; + ret = 0; + goto err; } - if ((sender != NULL && EVP_DigestUpdate(ctx, sender, len) <= 0) - || EVP_MD_CTX_ctrl(ctx, EVP_CTRL_SSL3_MASTER_SECRET, - (int)s->session->master_key_length, - s->session->master_key) <= 0 - || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { - SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, - ERR_R_INTERNAL_ERROR); - ret = 0; + if (sender != NULL) { + OSSL_PARAM digest_cmd_params[3]; + + ssl3_digest_master_key_set_params(s->session, digest_cmd_params); + + if (EVP_DigestUpdate(ctx, sender, len) <= 0 + || EVP_MD_CTX_set_params(ctx, digest_cmd_params) <= 0 + || EVP_DigestFinal_ex(ctx, p, NULL) <= 0) { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_FINAL_FINISH_MAC, + ERR_R_INTERNAL_ERROR); + ret = 0; + } } + err: EVP_MD_CTX_free(ctx); return ret; @@ -496,9 +511,9 @@ int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, || EVP_DigestUpdate(ctx, salt[i], strlen((const char *)salt[i])) <= 0 || EVP_DigestUpdate(ctx, p, len) <= 0 - || EVP_DigestUpdate(ctx, &(s->s3->client_random[0]), + || EVP_DigestUpdate(ctx, &(s->s3.client_random[0]), SSL3_RANDOM_SIZE) <= 0 - || EVP_DigestUpdate(ctx, &(s->s3->server_random[0]), + || EVP_DigestUpdate(ctx, &(s->s3.server_random[0]), SSL3_RANDOM_SIZE) <= 0 /* TODO(size_t) : convert me */ || EVP_DigestFinal_ex(ctx, buf, &n) <= 0