2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
143 static unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
152 static unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
181 /* bug: 'buf' is too small for this ciphersuite */
184 for (j = 0; j < k; j++)
187 if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) ||
188 !EVP_DigestUpdate(&s1, buf, k) ||
189 !EVP_DigestUpdate(&s1, s->session->master_key,
190 s->session->master_key_length) ||
191 !EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) ||
192 !EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) ||
193 !EVP_DigestFinal_ex(&s1, smd, NULL))
196 if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) ||
197 !EVP_DigestUpdate(&m5, s->session->master_key,
198 s->session->master_key_length) ||
199 !EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH))
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 if (!EVP_DigestFinal_ex(&m5, smd, NULL))
204 memcpy(km, smd, (num - i));
206 if (!EVP_DigestFinal_ex(&m5, km, NULL))
209 km += MD5_DIGEST_LENGTH;
211 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
212 EVP_MD_CTX_cleanup(&m5);
213 EVP_MD_CTX_cleanup(&s1);
216 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
218 EVP_MD_CTX_cleanup(&m5);
219 EVP_MD_CTX_cleanup(&s1);
223 int ssl3_change_cipher_state(SSL *s, int which)
225 unsigned char *p, *mac_secret;
226 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
227 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
228 unsigned char *ms, *key, *iv, *er1, *er2;
231 #ifndef OPENSSL_NO_COMP
236 int is_exp, n, i, j, k, cl;
239 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
240 c = s->s3->tmp.new_sym_enc;
241 m = s->s3->tmp.new_hash;
242 /* m == NULL will lead to a crash later */
244 #ifndef OPENSSL_NO_COMP
245 if (s->s3->tmp.new_compression == NULL)
248 comp = s->s3->tmp.new_compression->method;
251 if (which & SSL3_CC_READ) {
252 if (s->enc_read_ctx != NULL)
254 else if ((s->enc_read_ctx =
255 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
259 * make sure it's intialized in case we exit later with an error
261 EVP_CIPHER_CTX_init(s->enc_read_ctx);
262 dd = s->enc_read_ctx;
264 if (ssl_replace_hash(&s->read_hash, m) == NULL) {
265 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
268 #ifndef OPENSSL_NO_COMP
270 if (s->expand != NULL) {
271 COMP_CTX_free(s->expand);
275 s->expand = COMP_CTX_new(comp);
276 if (s->expand == NULL) {
277 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
278 SSL_R_COMPRESSION_LIBRARY_ERROR);
281 if (s->s3->rrec.comp == NULL)
282 s->s3->rrec.comp = (unsigned char *)
283 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
284 if (s->s3->rrec.comp == NULL)
288 memset(&(s->s3->read_sequence[0]), 0, 8);
289 mac_secret = &(s->s3->read_mac_secret[0]);
291 if (s->enc_write_ctx != NULL)
293 else if ((s->enc_write_ctx =
294 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
298 * make sure it's intialized in case we exit later with an error
300 EVP_CIPHER_CTX_init(s->enc_write_ctx);
301 dd = s->enc_write_ctx;
302 if (ssl_replace_hash(&s->write_hash, m) == NULL) {
303 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
306 #ifndef OPENSSL_NO_COMP
308 if (s->compress != NULL) {
309 COMP_CTX_free(s->compress);
313 s->compress = COMP_CTX_new(comp);
314 if (s->compress == NULL) {
315 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
316 SSL_R_COMPRESSION_LIBRARY_ERROR);
321 memset(&(s->s3->write_sequence[0]), 0, 8);
322 mac_secret = &(s->s3->write_mac_secret[0]);
326 EVP_CIPHER_CTX_cleanup(dd);
328 p = s->s3->tmp.key_block;
332 cl = EVP_CIPHER_key_length(c);
333 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
334 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
335 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
336 k = EVP_CIPHER_iv_length(c);
337 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
338 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
345 er1 = &(s->s3->client_random[0]);
346 er2 = &(s->s3->server_random[0]);
355 er1 = &(s->s3->server_random[0]);
356 er2 = &(s->s3->client_random[0]);
359 if (n > s->s3->tmp.key_block_length) {
360 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
364 EVP_MD_CTX_init(&md);
365 memcpy(mac_secret, ms, i);
368 * In here I set both the read and write key/iv to the same value
369 * since only the correct one will be used :-).
371 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
372 !EVP_DigestUpdate(&md, key, j) ||
373 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
374 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
375 !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
376 EVP_MD_CTX_cleanup(&md);
382 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
383 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
384 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
385 !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
386 EVP_MD_CTX_cleanup(&md);
392 EVP_MD_CTX_cleanup(&md);
394 s->session->key_arg_length = 0;
396 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)))
399 #ifdef OPENSSL_SSL_TRACE_CRYPTO
400 if (s->msg_callback) {
402 int wh = which & SSL3_CC_WRITE ?
403 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
404 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
405 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
407 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
408 key, c->key_len, s, s->msg_callback_arg);
410 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
411 iv, k, s, s->msg_callback_arg);
416 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
417 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
420 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
425 int ssl3_setup_key_block(SSL *s)
434 if (s->s3->tmp.key_block_length != 0)
437 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
438 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
442 s->s3->tmp.new_sym_enc = c;
443 s->s3->tmp.new_hash = hash;
444 #ifdef OPENSSL_NO_COMP
445 s->s3->tmp.new_compression = NULL;
447 s->s3->tmp.new_compression = comp;
450 num = EVP_MD_size(hash);
454 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
457 ssl3_cleanup_key_block(s);
459 if ((p = OPENSSL_malloc(num)) == NULL)
462 s->s3->tmp.key_block_length = num;
463 s->s3->tmp.key_block = p;
465 ret = ssl3_generate_key_block(s, p, num);
467 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
469 * enable vulnerability countermeasure for CBC ciphers with known-IV
470 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
472 s->s3->need_empty_fragments = 1;
474 if (s->session->cipher != NULL) {
475 if (s->session->cipher->algorithm_enc == SSL_eNULL)
476 s->s3->need_empty_fragments = 0;
478 #ifndef OPENSSL_NO_RC4
479 if (s->session->cipher->algorithm_enc == SSL_RC4)
480 s->s3->need_empty_fragments = 0;
488 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
492 void ssl3_cleanup_key_block(SSL *s)
494 if (s->s3->tmp.key_block != NULL) {
495 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
496 OPENSSL_free(s->s3->tmp.key_block);
497 s->s3->tmp.key_block = NULL;
499 s->s3->tmp.key_block_length = 0;
503 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
506 * 0: (in non-constant time) if the record is publically invalid (i.e. too
508 * 1: if the record's padding is valid / the encryption was successful.
509 * -1: if the record's padding is invalid or, if sending, an internal error
512 int ssl3_enc(SSL *s, int send)
517 int bs, i, mac_size = 0;
518 const EVP_CIPHER *enc;
521 ds = s->enc_write_ctx;
522 rec = &(s->s3->wrec);
523 if (s->enc_write_ctx == NULL)
526 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
528 ds = s->enc_read_ctx;
529 rec = &(s->s3->rrec);
530 if (s->enc_read_ctx == NULL)
533 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
536 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
537 memmove(rec->data, rec->input, rec->length);
538 rec->input = rec->data;
541 bs = EVP_CIPHER_block_size(ds->cipher);
545 if ((bs != 1) && send) {
546 i = bs - ((int)l % bs);
548 /* we need to add 'i-1' padding bytes */
551 * the last of these zero bytes will be overwritten with the
554 memset(&rec->input[rec->length], 0, i);
556 rec->input[l - 1] = (i - 1);
560 if (l == 0 || l % bs != 0)
562 /* otherwise, rec->length >= bs */
565 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
568 if (EVP_MD_CTX_md(s->read_hash) != NULL)
569 mac_size = EVP_MD_CTX_size(s->read_hash);
570 if ((bs != 1) && !send)
571 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
576 int ssl3_init_finished_mac(SSL *s)
578 if (s->s3->handshake_buffer)
579 BIO_free(s->s3->handshake_buffer);
580 if (s->s3->handshake_dgst)
581 ssl3_free_digest_list(s);
582 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
583 if (s->s3->handshake_buffer == NULL)
585 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
589 void ssl3_free_digest_list(SSL *s)
592 if (!s->s3->handshake_dgst)
594 for (i = 0; i < SSL_MAX_DIGEST; i++) {
595 if (s->s3->handshake_dgst[i])
596 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
598 OPENSSL_free(s->s3->handshake_dgst);
599 s->s3->handshake_dgst = NULL;
602 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
604 if (s->s3->handshake_buffer
605 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
606 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
609 for (i = 0; i < SSL_MAX_DIGEST; i++) {
610 if (s->s3->handshake_dgst[i] != NULL)
611 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
616 int ssl3_digest_cached_records(SSL *s)
624 /* Allocate handshake_dgst array */
625 ssl3_free_digest_list(s);
626 s->s3->handshake_dgst =
627 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
628 if (s->s3->handshake_dgst == NULL) {
629 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
632 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
633 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
635 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
639 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
640 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
641 if ((mask & ssl_get_algorithm2(s)) && md) {
642 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
643 if (s->s3->handshake_dgst[i] == NULL) {
644 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
648 if (EVP_MD_nid(md) == NID_md5) {
649 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
650 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
653 if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)
654 || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
656 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
660 s->s3->handshake_dgst[i] = NULL;
663 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
664 /* Free handshake_buffer BIO */
665 BIO_free(s->s3->handshake_buffer);
666 s->s3->handshake_buffer = NULL;
672 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
674 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
677 int ssl3_final_finish_mac(SSL *s,
678 const char *sender, int len, unsigned char *p)
681 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
687 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
695 static int ssl3_handshake_mac(SSL *s, int md_nid,
696 const char *sender, int len, unsigned char *p)
701 unsigned char md_buf[EVP_MAX_MD_SIZE];
702 EVP_MD_CTX ctx, *d = NULL;
704 if (s->s3->handshake_buffer)
705 if (!ssl3_digest_cached_records(s))
709 * Search for digest of specified type in the handshake_dgst array
711 for (i = 0; i < SSL_MAX_DIGEST; i++) {
712 if (s->s3->handshake_dgst[i]
713 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
714 d = s->s3->handshake_dgst[i];
719 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
722 EVP_MD_CTX_init(&ctx);
723 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
724 EVP_MD_CTX_copy_ex(&ctx, d);
725 n = EVP_MD_CTX_size(&ctx);
730 if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
731 || EVP_DigestUpdate(&ctx, s->session->master_key,
732 s->session->master_key_length) <= 0
733 || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
734 || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
736 || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
737 || EVP_DigestUpdate(&ctx, s->session->master_key,
738 s->session->master_key_length) <= 0
739 || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
740 || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
741 || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
742 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
746 EVP_MD_CTX_cleanup(&ctx);
751 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
754 unsigned char *mac_sec, *seq;
756 const EVP_MD_CTX *hash;
757 unsigned char *p, rec_char;
758 size_t md_size, orig_len;
763 rec = &(ssl->s3->wrec);
764 mac_sec = &(ssl->s3->write_mac_secret[0]);
765 seq = &(ssl->s3->write_sequence[0]);
766 hash = ssl->write_hash;
768 rec = &(ssl->s3->rrec);
769 mac_sec = &(ssl->s3->read_mac_secret[0]);
770 seq = &(ssl->s3->read_sequence[0]);
771 hash = ssl->read_hash;
774 t = EVP_MD_CTX_size(hash);
778 npad = (48 / md_size) * md_size;
781 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
783 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
787 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
788 ssl3_cbc_record_digest_supported(hash)) {
790 * This is a CBC-encrypted record. We must avoid leaking any
791 * timing-side channel information about how many blocks of data we
792 * are hashing because that gives an attacker a timing-oracle.
796 * npad is, at most, 48 bytes and that's with MD5:
797 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
799 * With SHA-1 (the largest hash speced for SSLv3) the hash size
800 * goes up 4, but npad goes down by 8, resulting in a smaller
803 unsigned char header[75];
805 memcpy(header + j, mac_sec, md_size);
807 memcpy(header + j, ssl3_pad_1, npad);
809 memcpy(header + j, seq, 8);
811 header[j++] = rec->type;
812 header[j++] = rec->length >> 8;
813 header[j++] = rec->length & 0xff;
815 /* Final param == is SSLv3 */
816 if (ssl3_cbc_digest_record(hash,
819 rec->length + md_size, orig_len,
820 mac_sec, md_size, 1) <= 0)
823 unsigned int md_size_u;
824 /* Chop the digest off the end :-) */
825 EVP_MD_CTX_init(&md_ctx);
827 rec_char = rec->type;
830 if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
831 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
832 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
833 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
834 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
835 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
836 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
837 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
838 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
839 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
840 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
841 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
842 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
843 EVP_MD_CTX_cleanup(&md_ctx);
848 EVP_MD_CTX_cleanup(&md_ctx);
851 ssl3_record_sequence_update(seq);
855 void ssl3_record_sequence_update(unsigned char *seq)
859 for (i = 7; i >= 0; i--) {
866 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
869 static const unsigned char *salt[3] = {
870 #ifndef CHARSET_EBCDIC
871 (const unsigned char *)"A",
872 (const unsigned char *)"BB",
873 (const unsigned char *)"CCC",
875 (const unsigned char *)"\x41",
876 (const unsigned char *)"\x42\x42",
877 (const unsigned char *)"\x43\x43\x43",
880 unsigned char buf[EVP_MAX_MD_SIZE];
884 #ifdef OPENSSL_SSL_TRACE_CRYPTO
885 unsigned char *tmpout = out;
888 EVP_MD_CTX_init(&ctx);
889 for (i = 0; i < 3; i++) {
890 if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
891 || EVP_DigestUpdate(&ctx, salt[i],
892 strlen((const char *)salt[i])) <= 0
893 || EVP_DigestUpdate(&ctx, p, len) <= 0
894 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
895 SSL3_RANDOM_SIZE) <= 0
896 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
897 SSL3_RANDOM_SIZE) <= 0
898 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
900 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
901 || EVP_DigestUpdate(&ctx, p, len) <= 0
902 || EVP_DigestUpdate(&ctx, buf, n) <= 0
903 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
904 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
911 EVP_MD_CTX_cleanup(&ctx);
913 #ifdef OPENSSL_SSL_TRACE_CRYPTO
914 if (ret > 0 && s->msg_callback) {
915 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
916 p, len, s, s->msg_callback_arg);
917 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
918 s->s3->client_random, SSL3_RANDOM_SIZE,
919 s, s->msg_callback_arg);
920 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
921 s->s3->server_random, SSL3_RANDOM_SIZE,
922 s, s->msg_callback_arg);
923 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
924 tmpout, SSL3_MASTER_SECRET_SIZE,
925 s, s->msg_callback_arg);
928 OPENSSL_cleanse(buf, sizeof(buf));
932 int ssl3_alert_code(int code)
935 case SSL_AD_CLOSE_NOTIFY:
936 return (SSL3_AD_CLOSE_NOTIFY);
937 case SSL_AD_UNEXPECTED_MESSAGE:
938 return (SSL3_AD_UNEXPECTED_MESSAGE);
939 case SSL_AD_BAD_RECORD_MAC:
940 return (SSL3_AD_BAD_RECORD_MAC);
941 case SSL_AD_DECRYPTION_FAILED:
942 return (SSL3_AD_BAD_RECORD_MAC);
943 case SSL_AD_RECORD_OVERFLOW:
944 return (SSL3_AD_BAD_RECORD_MAC);
945 case SSL_AD_DECOMPRESSION_FAILURE:
946 return (SSL3_AD_DECOMPRESSION_FAILURE);
947 case SSL_AD_HANDSHAKE_FAILURE:
948 return (SSL3_AD_HANDSHAKE_FAILURE);
949 case SSL_AD_NO_CERTIFICATE:
950 return (SSL3_AD_NO_CERTIFICATE);
951 case SSL_AD_BAD_CERTIFICATE:
952 return (SSL3_AD_BAD_CERTIFICATE);
953 case SSL_AD_UNSUPPORTED_CERTIFICATE:
954 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
955 case SSL_AD_CERTIFICATE_REVOKED:
956 return (SSL3_AD_CERTIFICATE_REVOKED);
957 case SSL_AD_CERTIFICATE_EXPIRED:
958 return (SSL3_AD_CERTIFICATE_EXPIRED);
959 case SSL_AD_CERTIFICATE_UNKNOWN:
960 return (SSL3_AD_CERTIFICATE_UNKNOWN);
961 case SSL_AD_ILLEGAL_PARAMETER:
962 return (SSL3_AD_ILLEGAL_PARAMETER);
963 case SSL_AD_UNKNOWN_CA:
964 return (SSL3_AD_BAD_CERTIFICATE);
965 case SSL_AD_ACCESS_DENIED:
966 return (SSL3_AD_HANDSHAKE_FAILURE);
967 case SSL_AD_DECODE_ERROR:
968 return (SSL3_AD_HANDSHAKE_FAILURE);
969 case SSL_AD_DECRYPT_ERROR:
970 return (SSL3_AD_HANDSHAKE_FAILURE);
971 case SSL_AD_EXPORT_RESTRICTION:
972 return (SSL3_AD_HANDSHAKE_FAILURE);
973 case SSL_AD_PROTOCOL_VERSION:
974 return (SSL3_AD_HANDSHAKE_FAILURE);
975 case SSL_AD_INSUFFICIENT_SECURITY:
976 return (SSL3_AD_HANDSHAKE_FAILURE);
977 case SSL_AD_INTERNAL_ERROR:
978 return (SSL3_AD_HANDSHAKE_FAILURE);
979 case SSL_AD_USER_CANCELLED:
980 return (SSL3_AD_HANDSHAKE_FAILURE);
981 case SSL_AD_NO_RENEGOTIATION:
982 return (-1); /* Don't send it :-) */
983 case SSL_AD_UNSUPPORTED_EXTENSION:
984 return (SSL3_AD_HANDSHAKE_FAILURE);
985 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
986 return (SSL3_AD_HANDSHAKE_FAILURE);
987 case SSL_AD_UNRECOGNIZED_NAME:
988 return (SSL3_AD_HANDSHAKE_FAILURE);
989 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
990 return (SSL3_AD_HANDSHAKE_FAILURE);
991 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
992 return (SSL3_AD_HANDSHAKE_FAILURE);
993 case SSL_AD_UNKNOWN_PSK_IDENTITY:
994 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
995 case SSL_AD_INAPPROPRIATE_FALLBACK:
996 return (TLS1_AD_INAPPROPRIATE_FALLBACK);