2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
143 static const unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
152 static const unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
180 if (k > sizeof buf) {
181 /* bug: 'buf' is too small for this ciphersuite */
182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
186 for (j = 0; j < k; j++)
189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190 EVP_DigestUpdate(&s1, buf, k);
191 EVP_DigestUpdate(&s1, s->session->master_key,
192 s->session->master_key_length);
193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195 EVP_DigestFinal_ex(&s1, smd, NULL);
197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198 EVP_DigestUpdate(&m5, s->session->master_key,
199 s->session->master_key_length);
200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 EVP_DigestFinal_ex(&m5, smd, NULL);
203 memcpy(km, smd, (num - i));
205 EVP_DigestFinal_ex(&m5, km, NULL);
207 km += MD5_DIGEST_LENGTH;
209 OPENSSL_cleanse(smd, sizeof(smd));
210 EVP_MD_CTX_cleanup(&m5);
211 EVP_MD_CTX_cleanup(&s1);
215 int ssl3_change_cipher_state(SSL *s, int which)
217 unsigned char *p, *mac_secret;
218 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220 unsigned char *ms, *key, *iv, *er1, *er2;
223 #ifndef OPENSSL_NO_COMP
228 int is_exp, n, i, j, k, cl;
231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232 c = s->s3->tmp.new_sym_enc;
233 m = s->s3->tmp.new_hash;
234 /* m == NULL will lead to a crash later */
236 #ifndef OPENSSL_NO_COMP
237 if (s->s3->tmp.new_compression == NULL)
240 comp = s->s3->tmp.new_compression->method;
243 if (which & SSL3_CC_READ) {
244 if (s->enc_read_ctx != NULL)
246 else if ((s->enc_read_ctx =
247 OPENSSL_malloc(sizeof(*s->enc_read_ctx))) == NULL)
251 * make sure it's intialized in case we exit later with an error
253 EVP_CIPHER_CTX_init(s->enc_read_ctx);
254 dd = s->enc_read_ctx;
256 if (!ssl_replace_hash(&s->read_hash, m)) {
257 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
260 #ifndef OPENSSL_NO_COMP
262 COMP_CTX_free(s->expand);
265 s->expand = COMP_CTX_new(comp);
266 if (s->expand == NULL) {
267 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
268 SSL_R_COMPRESSION_LIBRARY_ERROR);
271 if (!RECORD_LAYER_setup_comp_buffer(&s->rlayer))
275 RECORD_LAYER_reset_read_sequence(&s->rlayer);
276 mac_secret = &(s->s3->read_mac_secret[0]);
278 if (s->enc_write_ctx != NULL)
280 else if ((s->enc_write_ctx =
281 OPENSSL_malloc(sizeof(*s->enc_write_ctx))) == NULL)
285 * make sure it's intialized in case we exit later with an error
287 EVP_CIPHER_CTX_init(s->enc_write_ctx);
288 dd = s->enc_write_ctx;
289 if (!ssl_replace_hash(&s->write_hash, m)) {
290 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
293 #ifndef OPENSSL_NO_COMP
295 COMP_CTX_free(s->compress);
298 s->compress = COMP_CTX_new(comp);
299 if (s->compress == NULL) {
300 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
301 SSL_R_COMPRESSION_LIBRARY_ERROR);
306 RECORD_LAYER_reset_write_sequence(&s->rlayer);
307 mac_secret = &(s->s3->write_mac_secret[0]);
311 EVP_CIPHER_CTX_cleanup(dd);
313 p = s->s3->tmp.key_block;
317 cl = EVP_CIPHER_key_length(c);
318 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
319 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
320 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
321 k = EVP_CIPHER_iv_length(c);
322 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
323 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
330 er1 = &(s->s3->client_random[0]);
331 er2 = &(s->s3->server_random[0]);
340 er1 = &(s->s3->server_random[0]);
341 er2 = &(s->s3->client_random[0]);
344 if (n > s->s3->tmp.key_block_length) {
345 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
349 EVP_MD_CTX_init(&md);
350 memcpy(mac_secret, ms, i);
353 * In here I set both the read and write key/iv to the same value
354 * since only the correct one will be used :-).
356 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
357 EVP_DigestUpdate(&md, key, j);
358 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
359 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
360 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
364 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
365 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
366 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
367 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
372 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
374 #ifdef OPENSSL_SSL_TRACE_CRYPTO
375 if (s->msg_callback) {
377 int wh = which & SSL3_CC_WRITE ?
378 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
379 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
380 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
382 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
383 key, c->key_len, s, s->msg_callback_arg);
385 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
386 iv, k, s, s->msg_callback_arg);
391 OPENSSL_cleanse(exp_key, sizeof(exp_key));
392 OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
393 EVP_MD_CTX_cleanup(&md);
396 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
398 OPENSSL_cleanse(exp_key, sizeof(exp_key));
399 OPENSSL_cleanse(exp_iv, sizeof(exp_iv));
403 int ssl3_setup_key_block(SSL *s)
412 if (s->s3->tmp.key_block_length != 0)
415 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) {
416 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
420 s->s3->tmp.new_sym_enc = c;
421 s->s3->tmp.new_hash = hash;
422 #ifdef OPENSSL_NO_COMP
423 s->s3->tmp.new_compression = NULL;
425 s->s3->tmp.new_compression = comp;
428 num = EVP_MD_size(hash);
432 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
435 ssl3_cleanup_key_block(s);
437 if ((p = OPENSSL_malloc(num)) == NULL)
440 s->s3->tmp.key_block_length = num;
441 s->s3->tmp.key_block = p;
443 ret = ssl3_generate_key_block(s, p, num);
445 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
447 * enable vulnerability countermeasure for CBC ciphers with known-IV
448 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
450 s->s3->need_empty_fragments = 1;
452 if (s->session->cipher != NULL) {
453 if (s->session->cipher->algorithm_enc == SSL_eNULL)
454 s->s3->need_empty_fragments = 0;
456 #ifndef OPENSSL_NO_RC4
457 if (s->session->cipher->algorithm_enc == SSL_RC4)
458 s->s3->need_empty_fragments = 0;
466 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
470 void ssl3_cleanup_key_block(SSL *s)
472 OPENSSL_clear_free(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
473 s->s3->tmp.key_block = NULL;
474 s->s3->tmp.key_block_length = 0;
477 void ssl3_init_finished_mac(SSL *s)
479 ssl3_free_digest_list(s);
480 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
481 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
485 * Free digest list. Also frees handshake buffer since they are always freed
489 void ssl3_free_digest_list(SSL *s)
492 BIO_free(s->s3->handshake_buffer);
493 s->s3->handshake_buffer = NULL;
494 if (!s->s3->handshake_dgst)
496 for (i = 0; i < SSL_MAX_DIGEST; i++) {
497 if (s->s3->handshake_dgst[i])
498 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
500 OPENSSL_free(s->s3->handshake_dgst);
501 s->s3->handshake_dgst = NULL;
504 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
506 if (s->s3->handshake_dgst == NULL) {
507 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
510 for (i = 0; i < SSL_MAX_DIGEST; i++) {
511 if (s->s3->handshake_dgst[i] != NULL)
512 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
517 int ssl3_digest_cached_records(SSL *s, int keep)
525 if (s->s3->handshake_dgst == NULL) {
526 /* Allocate handshake_dgst array */
527 s->s3->handshake_dgst =
528 OPENSSL_malloc(sizeof(*s->s3->handshake_dgst) * SSL_MAX_DIGEST);
529 if (s->s3->handshake_dgst == NULL) {
530 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
533 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
535 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
539 /* Loop through bits of algorithm2 field and create MD_CTX-es */
540 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
541 if ((mask & ssl_get_algorithm2(s)) && md) {
542 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
543 if (EVP_MD_nid(md) == NID_md5) {
544 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
545 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
547 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
548 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
550 s->s3->handshake_dgst[i] = NULL;
556 BIO_free(s->s3->handshake_buffer);
557 s->s3->handshake_buffer = NULL;
563 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
565 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
568 int ssl3_final_finish_mac(SSL *s,
569 const char *sender, int len, unsigned char *p)
572 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
578 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
586 static int ssl3_handshake_mac(SSL *s, int md_nid,
587 const char *sender, int len, unsigned char *p)
592 unsigned char md_buf[EVP_MAX_MD_SIZE];
593 EVP_MD_CTX ctx, *d = NULL;
595 if (!ssl3_digest_cached_records(s, 0))
599 * Search for digest of specified type in the handshake_dgst array
601 for (i = 0; i < SSL_MAX_DIGEST; i++) {
602 if (s->s3->handshake_dgst[i]
603 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
604 d = s->s3->handshake_dgst[i];
609 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
612 EVP_MD_CTX_init(&ctx);
613 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
614 EVP_MD_CTX_copy_ex(&ctx, d);
615 n = EVP_MD_CTX_size(&ctx);
621 EVP_DigestUpdate(&ctx, sender, len);
622 EVP_DigestUpdate(&ctx, s->session->master_key,
623 s->session->master_key_length);
624 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
625 EVP_DigestFinal_ex(&ctx, md_buf, &i);
627 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
628 EVP_DigestUpdate(&ctx, s->session->master_key,
629 s->session->master_key_length);
630 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
631 EVP_DigestUpdate(&ctx, md_buf, i);
632 EVP_DigestFinal_ex(&ctx, p, &ret);
634 EVP_MD_CTX_cleanup(&ctx);
639 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
642 static const unsigned char *salt[3] = {
643 #ifndef CHARSET_EBCDIC
644 (const unsigned char *)"A",
645 (const unsigned char *)"BB",
646 (const unsigned char *)"CCC",
648 (const unsigned char *)"\x41",
649 (const unsigned char *)"\x42\x42",
650 (const unsigned char *)"\x43\x43\x43",
653 unsigned char buf[EVP_MAX_MD_SIZE];
657 #ifdef OPENSSL_SSL_TRACE_CRYPTO
658 unsigned char *tmpout = out;
661 EVP_MD_CTX_init(&ctx);
662 for (i = 0; i < 3; i++) {
663 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
664 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
665 EVP_DigestUpdate(&ctx, p, len);
666 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
667 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
668 EVP_DigestFinal_ex(&ctx, buf, &n);
670 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
671 EVP_DigestUpdate(&ctx, p, len);
672 EVP_DigestUpdate(&ctx, buf, n);
673 EVP_DigestFinal_ex(&ctx, out, &n);
677 EVP_MD_CTX_cleanup(&ctx);
679 #ifdef OPENSSL_SSL_TRACE_CRYPTO
680 if (s->msg_callback) {
681 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
682 p, len, s, s->msg_callback_arg);
683 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
684 s->s3->client_random, SSL3_RANDOM_SIZE,
685 s, s->msg_callback_arg);
686 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
687 s->s3->server_random, SSL3_RANDOM_SIZE,
688 s, s->msg_callback_arg);
689 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
690 tmpout, SSL3_MASTER_SECRET_SIZE,
691 s, s->msg_callback_arg);
694 OPENSSL_cleanse(buf, sizeof(buf));
698 int ssl3_alert_code(int code)
701 case SSL_AD_CLOSE_NOTIFY:
702 return (SSL3_AD_CLOSE_NOTIFY);
703 case SSL_AD_UNEXPECTED_MESSAGE:
704 return (SSL3_AD_UNEXPECTED_MESSAGE);
705 case SSL_AD_BAD_RECORD_MAC:
706 return (SSL3_AD_BAD_RECORD_MAC);
707 case SSL_AD_DECRYPTION_FAILED:
708 return (SSL3_AD_BAD_RECORD_MAC);
709 case SSL_AD_RECORD_OVERFLOW:
710 return (SSL3_AD_BAD_RECORD_MAC);
711 case SSL_AD_DECOMPRESSION_FAILURE:
712 return (SSL3_AD_DECOMPRESSION_FAILURE);
713 case SSL_AD_HANDSHAKE_FAILURE:
714 return (SSL3_AD_HANDSHAKE_FAILURE);
715 case SSL_AD_NO_CERTIFICATE:
716 return (SSL3_AD_NO_CERTIFICATE);
717 case SSL_AD_BAD_CERTIFICATE:
718 return (SSL3_AD_BAD_CERTIFICATE);
719 case SSL_AD_UNSUPPORTED_CERTIFICATE:
720 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
721 case SSL_AD_CERTIFICATE_REVOKED:
722 return (SSL3_AD_CERTIFICATE_REVOKED);
723 case SSL_AD_CERTIFICATE_EXPIRED:
724 return (SSL3_AD_CERTIFICATE_EXPIRED);
725 case SSL_AD_CERTIFICATE_UNKNOWN:
726 return (SSL3_AD_CERTIFICATE_UNKNOWN);
727 case SSL_AD_ILLEGAL_PARAMETER:
728 return (SSL3_AD_ILLEGAL_PARAMETER);
729 case SSL_AD_UNKNOWN_CA:
730 return (SSL3_AD_BAD_CERTIFICATE);
731 case SSL_AD_ACCESS_DENIED:
732 return (SSL3_AD_HANDSHAKE_FAILURE);
733 case SSL_AD_DECODE_ERROR:
734 return (SSL3_AD_HANDSHAKE_FAILURE);
735 case SSL_AD_DECRYPT_ERROR:
736 return (SSL3_AD_HANDSHAKE_FAILURE);
737 case SSL_AD_EXPORT_RESTRICTION:
738 return (SSL3_AD_HANDSHAKE_FAILURE);
739 case SSL_AD_PROTOCOL_VERSION:
740 return (SSL3_AD_HANDSHAKE_FAILURE);
741 case SSL_AD_INSUFFICIENT_SECURITY:
742 return (SSL3_AD_HANDSHAKE_FAILURE);
743 case SSL_AD_INTERNAL_ERROR:
744 return (SSL3_AD_HANDSHAKE_FAILURE);
745 case SSL_AD_USER_CANCELLED:
746 return (SSL3_AD_HANDSHAKE_FAILURE);
747 case SSL_AD_NO_RENEGOTIATION:
748 return (-1); /* Don't send it :-) */
749 case SSL_AD_UNSUPPORTED_EXTENSION:
750 return (SSL3_AD_HANDSHAKE_FAILURE);
751 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
752 return (SSL3_AD_HANDSHAKE_FAILURE);
753 case SSL_AD_UNRECOGNIZED_NAME:
754 return (SSL3_AD_HANDSHAKE_FAILURE);
755 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
756 return (SSL3_AD_HANDSHAKE_FAILURE);
757 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
758 return (SSL3_AD_HANDSHAKE_FAILURE);
759 case SSL_AD_UNKNOWN_PSK_IDENTITY:
760 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
761 case SSL_AD_INAPPROPRIATE_FALLBACK:
762 return (TLS1_AD_INAPPROPRIATE_FALLBACK);