2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
143 static const unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
152 static const unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
180 if (k > sizeof buf) {
181 /* bug: 'buf' is too small for this ciphersuite */
182 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
186 for (j = 0; j < k; j++)
189 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
190 EVP_DigestUpdate(&s1, buf, k);
191 EVP_DigestUpdate(&s1, s->session->master_key,
192 s->session->master_key_length);
193 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
194 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
195 EVP_DigestFinal_ex(&s1, smd, NULL);
197 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
198 EVP_DigestUpdate(&m5, s->session->master_key,
199 s->session->master_key_length);
200 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 EVP_DigestFinal_ex(&m5, smd, NULL);
203 memcpy(km, smd, (num - i));
205 EVP_DigestFinal_ex(&m5, km, NULL);
207 km += MD5_DIGEST_LENGTH;
209 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
210 EVP_MD_CTX_cleanup(&m5);
211 EVP_MD_CTX_cleanup(&s1);
215 int ssl3_change_cipher_state(SSL *s, int which)
217 unsigned char *p, *mac_secret;
218 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
219 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
220 unsigned char *ms, *key, *iv, *er1, *er2;
223 #ifndef OPENSSL_NO_COMP
228 int is_exp, n, i, j, k, cl;
231 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
232 c = s->s3->tmp.new_sym_enc;
233 m = s->s3->tmp.new_hash;
234 /* m == NULL will lead to a crash later */
236 #ifndef OPENSSL_NO_COMP
237 if (s->s3->tmp.new_compression == NULL)
240 comp = s->s3->tmp.new_compression->method;
243 if (which & SSL3_CC_READ) {
244 if (s->enc_read_ctx != NULL)
246 else if ((s->enc_read_ctx =
247 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
251 * make sure it's intialized in case we exit later with an error
253 EVP_CIPHER_CTX_init(s->enc_read_ctx);
254 dd = s->enc_read_ctx;
256 if(!ssl_replace_hash(&s->read_hash, m)) {
257 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
260 #ifndef OPENSSL_NO_COMP
262 if (s->expand != NULL) {
263 COMP_CTX_free(s->expand);
267 s->expand = COMP_CTX_new(comp);
268 if (s->expand == NULL) {
269 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
270 SSL_R_COMPRESSION_LIBRARY_ERROR);
273 if(!SSL3_RECORD_setup(RECORD_LAYER_get_rrec(&s->rlayer),
274 SSL3_RT_MAX_PLAIN_LENGTH))
278 memset(&(s->s3->read_sequence[0]), 0, 8);
279 mac_secret = &(s->s3->read_mac_secret[0]);
281 if (s->enc_write_ctx != NULL)
283 else if ((s->enc_write_ctx =
284 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
288 * make sure it's intialized in case we exit later with an error
290 EVP_CIPHER_CTX_init(s->enc_write_ctx);
291 dd = s->enc_write_ctx;
292 if(!ssl_replace_hash(&s->write_hash, m)) {
293 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
296 #ifndef OPENSSL_NO_COMP
298 if (s->compress != NULL) {
299 COMP_CTX_free(s->compress);
303 s->compress = COMP_CTX_new(comp);
304 if (s->compress == NULL) {
305 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
306 SSL_R_COMPRESSION_LIBRARY_ERROR);
311 memset(&(s->s3->write_sequence[0]), 0, 8);
312 mac_secret = &(s->s3->write_mac_secret[0]);
316 EVP_CIPHER_CTX_cleanup(dd);
318 p = s->s3->tmp.key_block;
322 cl = EVP_CIPHER_key_length(c);
323 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
324 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
325 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
326 k = EVP_CIPHER_iv_length(c);
327 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
328 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
335 er1 = &(s->s3->client_random[0]);
336 er2 = &(s->s3->server_random[0]);
345 er1 = &(s->s3->server_random[0]);
346 er2 = &(s->s3->client_random[0]);
349 if (n > s->s3->tmp.key_block_length) {
350 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
354 EVP_MD_CTX_init(&md);
355 memcpy(mac_secret, ms, i);
358 * In here I set both the read and write key/iv to the same value
359 * since only the correct one will be used :-).
361 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
362 EVP_DigestUpdate(&md, key, j);
363 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
364 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
365 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
369 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
370 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
371 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
372 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
377 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
379 #ifdef OPENSSL_SSL_TRACE_CRYPTO
380 if (s->msg_callback) {
382 int wh = which & SSL3_CC_WRITE ?
383 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
384 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
385 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
387 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
388 key, c->key_len, s, s->msg_callback_arg);
390 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
391 iv, k, s, s->msg_callback_arg);
396 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
397 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
398 EVP_MD_CTX_cleanup(&md);
401 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
406 int ssl3_setup_key_block(SSL *s)
415 if (s->s3->tmp.key_block_length != 0)
418 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) {
419 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
423 s->s3->tmp.new_sym_enc = c;
424 s->s3->tmp.new_hash = hash;
425 #ifdef OPENSSL_NO_COMP
426 s->s3->tmp.new_compression = NULL;
428 s->s3->tmp.new_compression = comp;
431 num = EVP_MD_size(hash);
435 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
438 ssl3_cleanup_key_block(s);
440 if ((p = OPENSSL_malloc(num)) == NULL)
443 s->s3->tmp.key_block_length = num;
444 s->s3->tmp.key_block = p;
446 ret = ssl3_generate_key_block(s, p, num);
448 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
450 * enable vulnerability countermeasure for CBC ciphers with known-IV
451 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
453 s->s3->need_empty_fragments = 1;
455 if (s->session->cipher != NULL) {
456 if (s->session->cipher->algorithm_enc == SSL_eNULL)
457 s->s3->need_empty_fragments = 0;
459 #ifndef OPENSSL_NO_RC4
460 if (s->session->cipher->algorithm_enc == SSL_RC4)
461 s->s3->need_empty_fragments = 0;
469 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
473 void ssl3_cleanup_key_block(SSL *s)
475 if (s->s3->tmp.key_block != NULL) {
476 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
477 OPENSSL_free(s->s3->tmp.key_block);
478 s->s3->tmp.key_block = NULL;
480 s->s3->tmp.key_block_length = 0;
484 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
487 * 0: (in non-constant time) if the record is publically invalid (i.e. too
489 * 1: if the record's padding is valid / the encryption was successful.
490 * -1: if the record's padding is invalid or, if sending, an internal error
493 int ssl3_enc(SSL *s, int send)
498 int bs, i, mac_size = 0;
499 const EVP_CIPHER *enc;
502 ds = s->enc_write_ctx;
503 rec = RECORD_LAYER_get_wrec(&s->rlayer);
504 if (s->enc_write_ctx == NULL)
507 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
509 ds = s->enc_read_ctx;
510 rec = RECORD_LAYER_get_rrec(&s->rlayer);
511 if (s->enc_read_ctx == NULL)
514 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
517 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
518 memmove(rec->data, rec->input, rec->length);
519 rec->input = rec->data;
522 bs = EVP_CIPHER_block_size(ds->cipher);
526 if ((bs != 1) && send) {
527 i = bs - ((int)l % bs);
529 /* we need to add 'i-1' padding bytes */
532 * the last of these zero bytes will be overwritten with the
535 memset(&rec->input[rec->length], 0, i);
537 rec->input[l - 1] = (i - 1);
541 if (l == 0 || l % bs != 0)
543 /* otherwise, rec->length >= bs */
546 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
549 if (EVP_MD_CTX_md(s->read_hash) != NULL)
550 mac_size = EVP_MD_CTX_size(s->read_hash);
551 if ((bs != 1) && !send)
552 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
557 void ssl3_init_finished_mac(SSL *s)
559 BIO_free(s->s3->handshake_buffer);
560 if (s->s3->handshake_dgst)
561 ssl3_free_digest_list(s);
562 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
563 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
566 void ssl3_free_digest_list(SSL *s)
569 if (!s->s3->handshake_dgst)
571 for (i = 0; i < SSL_MAX_DIGEST; i++) {
572 if (s->s3->handshake_dgst[i])
573 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
575 OPENSSL_free(s->s3->handshake_dgst);
576 s->s3->handshake_dgst = NULL;
579 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
581 if (s->s3->handshake_buffer
582 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
583 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
586 for (i = 0; i < SSL_MAX_DIGEST; i++) {
587 if (s->s3->handshake_dgst[i] != NULL)
588 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
593 int ssl3_digest_cached_records(SSL *s)
601 /* Allocate handshake_dgst array */
602 ssl3_free_digest_list(s);
603 s->s3->handshake_dgst =
604 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
605 if (s->s3->handshake_dgst == NULL) {
606 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
609 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
610 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
612 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
616 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
617 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
618 if ((mask & ssl_get_algorithm2(s)) && md) {
619 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
620 if (EVP_MD_nid(md) == NID_md5) {
621 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
622 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
624 EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL);
625 EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata, hdatalen);
627 s->s3->handshake_dgst[i] = NULL;
630 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
631 /* Free handshake_buffer BIO */
632 BIO_free(s->s3->handshake_buffer);
633 s->s3->handshake_buffer = NULL;
639 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
641 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
644 int ssl3_final_finish_mac(SSL *s,
645 const char *sender, int len, unsigned char *p)
648 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
654 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
662 static int ssl3_handshake_mac(SSL *s, int md_nid,
663 const char *sender, int len, unsigned char *p)
668 unsigned char md_buf[EVP_MAX_MD_SIZE];
669 EVP_MD_CTX ctx, *d = NULL;
671 if (s->s3->handshake_buffer)
672 if (!ssl3_digest_cached_records(s))
676 * Search for digest of specified type in the handshake_dgst array
678 for (i = 0; i < SSL_MAX_DIGEST; i++) {
679 if (s->s3->handshake_dgst[i]
680 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
681 d = s->s3->handshake_dgst[i];
686 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
689 EVP_MD_CTX_init(&ctx);
690 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
691 EVP_MD_CTX_copy_ex(&ctx, d);
692 n = EVP_MD_CTX_size(&ctx);
698 EVP_DigestUpdate(&ctx, sender, len);
699 EVP_DigestUpdate(&ctx, s->session->master_key,
700 s->session->master_key_length);
701 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
702 EVP_DigestFinal_ex(&ctx, md_buf, &i);
704 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
705 EVP_DigestUpdate(&ctx, s->session->master_key,
706 s->session->master_key_length);
707 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
708 EVP_DigestUpdate(&ctx, md_buf, i);
709 EVP_DigestFinal_ex(&ctx, p, &ret);
711 EVP_MD_CTX_cleanup(&ctx);
716 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
719 unsigned char *mac_sec, *seq;
721 const EVP_MD_CTX *hash;
722 unsigned char *p, rec_char;
728 rec = RECORD_LAYER_get_wrec(&ssl->rlayer);
729 mac_sec = &(ssl->s3->write_mac_secret[0]);
730 seq = &(ssl->s3->write_sequence[0]);
731 hash = ssl->write_hash;
733 rec = RECORD_LAYER_get_rrec(&ssl->rlayer);
734 mac_sec = &(ssl->s3->read_mac_secret[0]);
735 seq = &(ssl->s3->read_sequence[0]);
736 hash = ssl->read_hash;
739 t = EVP_MD_CTX_size(hash);
743 npad = (48 / md_size) * md_size;
746 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
747 ssl3_cbc_record_digest_supported(hash)) {
749 * This is a CBC-encrypted record. We must avoid leaking any
750 * timing-side channel information about how many blocks of data we
751 * are hashing because that gives an attacker a timing-oracle.
755 * npad is, at most, 48 bytes and that's with MD5:
756 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
758 * With SHA-1 (the largest hash speced for SSLv3) the hash size
759 * goes up 4, but npad goes down by 8, resulting in a smaller
762 unsigned char header[75];
764 memcpy(header + j, mac_sec, md_size);
766 memcpy(header + j, ssl3_pad_1, npad);
768 memcpy(header + j, seq, 8);
770 header[j++] = rec->type;
771 header[j++] = rec->length >> 8;
772 header[j++] = rec->length & 0xff;
774 /* Final param == is SSLv3 */
775 ssl3_cbc_digest_record(hash,
778 rec->length + md_size, rec->orig_len,
779 mac_sec, md_size, 1);
781 unsigned int md_size_u;
782 /* Chop the digest off the end :-) */
783 EVP_MD_CTX_init(&md_ctx);
785 EVP_MD_CTX_copy_ex(&md_ctx, hash);
786 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
787 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
788 EVP_DigestUpdate(&md_ctx, seq, 8);
789 rec_char = rec->type;
790 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
793 EVP_DigestUpdate(&md_ctx, md, 2);
794 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
795 EVP_DigestFinal_ex(&md_ctx, md, NULL);
797 EVP_MD_CTX_copy_ex(&md_ctx, hash);
798 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
799 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
800 EVP_DigestUpdate(&md_ctx, md, md_size);
801 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
804 EVP_MD_CTX_cleanup(&md_ctx);
807 ssl3_record_sequence_update(seq);
811 void ssl3_record_sequence_update(unsigned char *seq)
815 for (i = 7; i >= 0; i--) {
822 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
825 static const unsigned char *salt[3] = {
826 #ifndef CHARSET_EBCDIC
827 (const unsigned char *)"A",
828 (const unsigned char *)"BB",
829 (const unsigned char *)"CCC",
831 (const unsigned char *)"\x41",
832 (const unsigned char *)"\x42\x42",
833 (const unsigned char *)"\x43\x43\x43",
836 unsigned char buf[EVP_MAX_MD_SIZE];
840 #ifdef OPENSSL_SSL_TRACE_CRYPTO
841 unsigned char *tmpout = out;
844 EVP_MD_CTX_init(&ctx);
845 for (i = 0; i < 3; i++) {
846 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
847 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
848 EVP_DigestUpdate(&ctx, p, len);
849 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
850 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
851 EVP_DigestFinal_ex(&ctx, buf, &n);
853 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
854 EVP_DigestUpdate(&ctx, p, len);
855 EVP_DigestUpdate(&ctx, buf, n);
856 EVP_DigestFinal_ex(&ctx, out, &n);
860 EVP_MD_CTX_cleanup(&ctx);
862 #ifdef OPENSSL_SSL_TRACE_CRYPTO
863 if (s->msg_callback) {
864 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
865 p, len, s, s->msg_callback_arg);
866 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
867 s->s3->client_random, SSL3_RANDOM_SIZE,
868 s, s->msg_callback_arg);
869 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
870 s->s3->server_random, SSL3_RANDOM_SIZE,
871 s, s->msg_callback_arg);
872 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
873 tmpout, SSL3_MASTER_SECRET_SIZE,
874 s, s->msg_callback_arg);
877 OPENSSL_cleanse(buf, sizeof buf);
881 int ssl3_alert_code(int code)
884 case SSL_AD_CLOSE_NOTIFY:
885 return (SSL3_AD_CLOSE_NOTIFY);
886 case SSL_AD_UNEXPECTED_MESSAGE:
887 return (SSL3_AD_UNEXPECTED_MESSAGE);
888 case SSL_AD_BAD_RECORD_MAC:
889 return (SSL3_AD_BAD_RECORD_MAC);
890 case SSL_AD_DECRYPTION_FAILED:
891 return (SSL3_AD_BAD_RECORD_MAC);
892 case SSL_AD_RECORD_OVERFLOW:
893 return (SSL3_AD_BAD_RECORD_MAC);
894 case SSL_AD_DECOMPRESSION_FAILURE:
895 return (SSL3_AD_DECOMPRESSION_FAILURE);
896 case SSL_AD_HANDSHAKE_FAILURE:
897 return (SSL3_AD_HANDSHAKE_FAILURE);
898 case SSL_AD_NO_CERTIFICATE:
899 return (SSL3_AD_NO_CERTIFICATE);
900 case SSL_AD_BAD_CERTIFICATE:
901 return (SSL3_AD_BAD_CERTIFICATE);
902 case SSL_AD_UNSUPPORTED_CERTIFICATE:
903 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
904 case SSL_AD_CERTIFICATE_REVOKED:
905 return (SSL3_AD_CERTIFICATE_REVOKED);
906 case SSL_AD_CERTIFICATE_EXPIRED:
907 return (SSL3_AD_CERTIFICATE_EXPIRED);
908 case SSL_AD_CERTIFICATE_UNKNOWN:
909 return (SSL3_AD_CERTIFICATE_UNKNOWN);
910 case SSL_AD_ILLEGAL_PARAMETER:
911 return (SSL3_AD_ILLEGAL_PARAMETER);
912 case SSL_AD_UNKNOWN_CA:
913 return (SSL3_AD_BAD_CERTIFICATE);
914 case SSL_AD_ACCESS_DENIED:
915 return (SSL3_AD_HANDSHAKE_FAILURE);
916 case SSL_AD_DECODE_ERROR:
917 return (SSL3_AD_HANDSHAKE_FAILURE);
918 case SSL_AD_DECRYPT_ERROR:
919 return (SSL3_AD_HANDSHAKE_FAILURE);
920 case SSL_AD_EXPORT_RESTRICTION:
921 return (SSL3_AD_HANDSHAKE_FAILURE);
922 case SSL_AD_PROTOCOL_VERSION:
923 return (SSL3_AD_HANDSHAKE_FAILURE);
924 case SSL_AD_INSUFFICIENT_SECURITY:
925 return (SSL3_AD_HANDSHAKE_FAILURE);
926 case SSL_AD_INTERNAL_ERROR:
927 return (SSL3_AD_HANDSHAKE_FAILURE);
928 case SSL_AD_USER_CANCELLED:
929 return (SSL3_AD_HANDSHAKE_FAILURE);
930 case SSL_AD_NO_RENEGOTIATION:
931 return (-1); /* Don't send it :-) */
932 case SSL_AD_UNSUPPORTED_EXTENSION:
933 return (SSL3_AD_HANDSHAKE_FAILURE);
934 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
935 return (SSL3_AD_HANDSHAKE_FAILURE);
936 case SSL_AD_UNRECOGNIZED_NAME:
937 return (SSL3_AD_HANDSHAKE_FAILURE);
938 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
939 return (SSL3_AD_HANDSHAKE_FAILURE);
940 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
941 return (SSL3_AD_HANDSHAKE_FAILURE);
942 case SSL_AD_UNKNOWN_PSK_IDENTITY:
943 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
944 case SSL_AD_INAPPROPRIATE_FALLBACK:
945 return (TLS1_AD_INAPPROPRIATE_FALLBACK);