2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include "ssl_locl.h"
114 #include <openssl/evp.h>
115 #include <openssl/md5.h>
117 static unsigned char ssl3_pad_1[48] = {
118 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
119 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
120 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
121 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
122 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
123 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
126 static unsigned char ssl3_pad_2[48] = {
127 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
128 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
129 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
130 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
131 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
132 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
135 static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
136 const char *sender, int len, unsigned char *p);
138 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
142 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
143 unsigned char c = 'A';
144 unsigned int i, j, k;
146 #ifdef CHARSET_EBCDIC
147 c = os_toascii[c]; /* 'A' in ASCII */
150 EVP_MD_CTX_init(&m5);
151 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
152 EVP_MD_CTX_init(&s1);
153 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
155 if (k > sizeof buf) {
156 /* bug: 'buf' is too small for this ciphersuite */
157 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
161 for (j = 0; j < k; j++)
164 EVP_DigestInit_ex(&s1, EVP_sha1(), NULL);
165 EVP_DigestUpdate(&s1, buf, k);
166 EVP_DigestUpdate(&s1, s->session->master_key,
167 s->session->master_key_length);
168 EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE);
169 EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE);
170 EVP_DigestFinal_ex(&s1, smd, NULL);
172 EVP_DigestInit_ex(&m5, EVP_md5(), NULL);
173 EVP_DigestUpdate(&m5, s->session->master_key,
174 s->session->master_key_length);
175 EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH);
176 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
177 EVP_DigestFinal_ex(&m5, smd, NULL);
178 memcpy(km, smd, (num - i));
180 EVP_DigestFinal_ex(&m5, km, NULL);
182 km += MD5_DIGEST_LENGTH;
184 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
185 EVP_MD_CTX_cleanup(&m5);
186 EVP_MD_CTX_cleanup(&s1);
190 int ssl3_change_cipher_state(SSL *s, int which)
192 unsigned char *p, *mac_secret;
193 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
194 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
195 unsigned char *ms, *key, *iv, *er1, *er2;
198 #ifndef OPENSSL_NO_COMP
203 int is_exp, n, i, j, k, cl;
206 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
207 c = s->s3->tmp.new_sym_enc;
208 m = s->s3->tmp.new_hash;
209 #ifndef OPENSSL_NO_COMP
210 if (s->s3->tmp.new_compression == NULL)
213 comp = s->s3->tmp.new_compression->method;
216 if (which & SSL3_CC_READ) {
217 if (s->enc_read_ctx != NULL)
219 else if ((s->enc_read_ctx =
220 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
224 * make sure it's intialized in case we exit later with an error
226 EVP_CIPHER_CTX_init(s->enc_read_ctx);
227 dd = s->enc_read_ctx;
229 #ifndef OPENSSL_NO_COMP
231 if (s->expand != NULL) {
232 COMP_CTX_free(s->expand);
236 s->expand = COMP_CTX_new(comp);
237 if (s->expand == NULL) {
238 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
239 SSL_R_COMPRESSION_LIBRARY_ERROR);
242 if (s->s3->rrec.comp == NULL)
243 s->s3->rrec.comp = (unsigned char *)
244 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
245 if (s->s3->rrec.comp == NULL)
249 memset(&(s->s3->read_sequence[0]), 0, 8);
250 mac_secret = &(s->s3->read_mac_secret[0]);
252 if (s->enc_write_ctx != NULL)
254 else if ((s->enc_write_ctx =
255 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
259 * make sure it's intialized in case we exit later with an error
261 EVP_CIPHER_CTX_init(s->enc_write_ctx);
262 dd = s->enc_write_ctx;
264 #ifndef OPENSSL_NO_COMP
266 if (s->compress != NULL) {
267 COMP_CTX_free(s->compress);
271 s->compress = COMP_CTX_new(comp);
272 if (s->compress == NULL) {
273 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
274 SSL_R_COMPRESSION_LIBRARY_ERROR);
279 memset(&(s->s3->write_sequence[0]), 0, 8);
280 mac_secret = &(s->s3->write_mac_secret[0]);
284 EVP_CIPHER_CTX_cleanup(dd);
286 p = s->s3->tmp.key_block;
288 cl = EVP_CIPHER_key_length(c);
289 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
290 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
291 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
292 k = EVP_CIPHER_iv_length(c);
293 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
294 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
301 er1 = &(s->s3->client_random[0]);
302 er2 = &(s->s3->server_random[0]);
311 er1 = &(s->s3->server_random[0]);
312 er2 = &(s->s3->client_random[0]);
315 if (n > s->s3->tmp.key_block_length) {
316 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
320 EVP_MD_CTX_init(&md);
321 memcpy(mac_secret, ms, i);
324 * In here I set both the read and write key/iv to the same value
325 * since only the correct one will be used :-).
327 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
328 EVP_DigestUpdate(&md, key, j);
329 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
330 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
331 EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL);
335 EVP_DigestInit_ex(&md, EVP_md5(), NULL);
336 EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE);
337 EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE);
338 EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL);
343 s->session->key_arg_length = 0;
345 EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE));
347 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
348 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
349 EVP_MD_CTX_cleanup(&md);
352 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
357 int ssl3_setup_key_block(SSL *s)
366 if (s->s3->tmp.key_block_length != 0)
369 if (!ssl_cipher_get_evp(s->session, &c, &hash, &comp)) {
370 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
374 s->s3->tmp.new_sym_enc = c;
375 s->s3->tmp.new_hash = hash;
376 #ifdef OPENSSL_NO_COMP
377 s->s3->tmp.new_compression = NULL;
379 s->s3->tmp.new_compression = comp;
383 EVP_CIPHER_key_length(c) + EVP_MD_size(hash) +
384 EVP_CIPHER_iv_length(c);
387 ssl3_cleanup_key_block(s);
389 if ((p = OPENSSL_malloc(num)) == NULL)
392 s->s3->tmp.key_block_length = num;
393 s->s3->tmp.key_block = p;
395 ret = ssl3_generate_key_block(s, p, num);
397 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
399 * enable vulnerability countermeasure for CBC ciphers with known-IV
400 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
402 s->s3->need_empty_fragments = 1;
404 if (s->session->cipher != NULL) {
405 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_eNULL)
406 s->s3->need_empty_fragments = 0;
408 #ifndef OPENSSL_NO_RC4
409 if ((s->session->cipher->algorithms & SSL_ENC_MASK) == SSL_RC4)
410 s->s3->need_empty_fragments = 0;
418 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
422 void ssl3_cleanup_key_block(SSL *s)
424 if (s->s3->tmp.key_block != NULL) {
425 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
426 OPENSSL_free(s->s3->tmp.key_block);
427 s->s3->tmp.key_block = NULL;
429 s->s3->tmp.key_block_length = 0;
433 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
436 * 0: (in non-constant time) if the record is publically invalid (i.e. too
438 * 1: if the record's padding is valid / the encryption was successful.
439 * -1: if the record's padding is invalid or, if sending, an internal error
442 int ssl3_enc(SSL *s, int send)
447 int bs, i, mac_size = 0;
448 const EVP_CIPHER *enc;
451 ds = s->enc_write_ctx;
452 rec = &(s->s3->wrec);
453 if (s->enc_write_ctx == NULL)
456 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
458 ds = s->enc_read_ctx;
459 rec = &(s->s3->rrec);
460 if (s->enc_read_ctx == NULL)
463 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
466 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
467 memmove(rec->data, rec->input, rec->length);
468 rec->input = rec->data;
471 bs = EVP_CIPHER_block_size(ds->cipher);
475 if ((bs != 1) && send) {
476 i = bs - ((int)l % bs);
478 /* we need to add 'i-1' padding bytes */
481 * the last of these zero bytes will be overwritten with the
484 memset(&rec->input[rec->length], 0, i);
486 rec->input[l - 1] = (i - 1);
490 if (l == 0 || l % bs != 0)
492 /* otherwise, rec->length >= bs */
495 EVP_Cipher(ds, rec->data, rec->input, l);
497 if (s->read_hash != NULL)
498 mac_size = EVP_MD_size(s->read_hash);
500 if ((bs != 1) && !send)
501 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
506 void ssl3_init_finished_mac(SSL *s)
508 EVP_MD_CTX_set_flags(&(s->s3->finish_dgst1),
509 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
510 EVP_DigestInit_ex(&(s->s3->finish_dgst1), s->ctx->md5, NULL);
511 EVP_DigestInit_ex(&(s->s3->finish_dgst2), s->ctx->sha1, NULL);
514 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
516 EVP_DigestUpdate(&(s->s3->finish_dgst1), buf, len);
517 EVP_DigestUpdate(&(s->s3->finish_dgst2), buf, len);
520 int ssl3_cert_verify_mac(SSL *s, EVP_MD_CTX *ctx, unsigned char *p)
522 return (ssl3_handshake_mac(s, ctx, NULL, 0, p));
525 int ssl3_final_finish_mac(SSL *s, EVP_MD_CTX *ctx1, EVP_MD_CTX *ctx2,
526 const char *sender, int len, unsigned char *p)
530 ret = ssl3_handshake_mac(s, ctx1, sender, len, p);
532 ret += ssl3_handshake_mac(s, ctx2, sender, len, p);
536 static int ssl3_handshake_mac(SSL *s, EVP_MD_CTX *in_ctx,
537 const char *sender, int len, unsigned char *p)
542 unsigned char md_buf[EVP_MAX_MD_SIZE];
545 EVP_MD_CTX_init(&ctx);
546 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
547 EVP_MD_CTX_copy_ex(&ctx, in_ctx);
549 n = EVP_MD_CTX_size(&ctx);
553 EVP_DigestUpdate(&ctx, sender, len);
554 EVP_DigestUpdate(&ctx, s->session->master_key,
555 s->session->master_key_length);
556 EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
557 EVP_DigestFinal_ex(&ctx, md_buf, &i);
559 EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
560 EVP_DigestUpdate(&ctx, s->session->master_key,
561 s->session->master_key_length);
562 EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
563 EVP_DigestUpdate(&ctx, md_buf, i);
564 EVP_DigestFinal_ex(&ctx, p, &ret);
566 EVP_MD_CTX_cleanup(&ctx);
571 int ssl3_mac(SSL *ssl, unsigned char *md, int send)
574 unsigned char *mac_sec, *seq;
577 unsigned char *p, rec_char;
578 size_t md_size, orig_len;
582 rec = &(ssl->s3->wrec);
583 mac_sec = &(ssl->s3->write_mac_secret[0]);
584 seq = &(ssl->s3->write_sequence[0]);
585 hash = ssl->write_hash;
587 rec = &(ssl->s3->rrec);
588 mac_sec = &(ssl->s3->read_mac_secret[0]);
589 seq = &(ssl->s3->read_sequence[0]);
590 hash = ssl->read_hash;
593 md_size = EVP_MD_size(hash);
594 npad = (48 / md_size) * md_size;
597 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
599 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
603 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
604 ssl3_cbc_record_digest_supported(hash)) {
606 * This is a CBC-encrypted record. We must avoid leaking any
607 * timing-side channel information about how many blocks of data we
608 * are hashing because that gives an attacker a timing-oracle.
612 * npad is, at most, 48 bytes and that's with MD5:
613 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
615 * With SHA-1 (the largest hash speced for SSLv3) the hash size
616 * goes up 4, but npad goes down by 8, resulting in a smaller
618 unsigned char header[75];
620 memcpy(header + j, mac_sec, md_size);
622 memcpy(header + j, ssl3_pad_1, npad);
624 memcpy(header + j, seq, 8);
626 header[j++] = rec->type;
627 header[j++] = rec->length >> 8;
628 header[j++] = rec->length & 0xff;
630 /* Final param == is SSLv3 */
631 ssl3_cbc_digest_record(hash,
634 rec->length + md_size, orig_len,
635 mac_sec, md_size, 1);
637 unsigned int md_size_u;
638 /* Chop the digest off the end :-) */
639 EVP_MD_CTX_init(&md_ctx);
641 EVP_DigestInit_ex(&md_ctx, hash, NULL);
642 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
643 EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
644 EVP_DigestUpdate(&md_ctx, seq, 8);
645 rec_char = rec->type;
646 EVP_DigestUpdate(&md_ctx, &rec_char, 1);
649 EVP_DigestUpdate(&md_ctx, md, 2);
650 EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
651 EVP_DigestFinal_ex(&md_ctx, md, NULL);
653 EVP_DigestInit_ex(&md_ctx, hash, NULL);
654 EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
655 EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
656 EVP_DigestUpdate(&md_ctx, md, md_size);
657 EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
660 EVP_MD_CTX_cleanup(&md_ctx);
663 ssl3_record_sequence_update(seq);
667 void ssl3_record_sequence_update(unsigned char *seq)
671 for (i = 7; i >= 0; i--) {
678 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
681 static const unsigned char *salt[3] = {
682 #ifndef CHARSET_EBCDIC
683 (const unsigned char *)"A",
684 (const unsigned char *)"BB",
685 (const unsigned char *)"CCC",
687 (const unsigned char *)"\x41",
688 (const unsigned char *)"\x42\x42",
689 (const unsigned char *)"\x43\x43\x43",
692 unsigned char buf[EVP_MAX_MD_SIZE];
697 EVP_MD_CTX_init(&ctx);
698 for (i = 0; i < 3; i++) {
699 EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
700 EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
701 EVP_DigestUpdate(&ctx, p, len);
702 EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
703 EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
704 EVP_DigestFinal_ex(&ctx, buf, &n);
706 EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
707 EVP_DigestUpdate(&ctx, p, len);
708 EVP_DigestUpdate(&ctx, buf, n);
709 EVP_DigestFinal_ex(&ctx, out, &n);
713 EVP_MD_CTX_cleanup(&ctx);
717 int ssl3_alert_code(int code)
720 case SSL_AD_CLOSE_NOTIFY:
721 return (SSL3_AD_CLOSE_NOTIFY);
722 case SSL_AD_UNEXPECTED_MESSAGE:
723 return (SSL3_AD_UNEXPECTED_MESSAGE);
724 case SSL_AD_BAD_RECORD_MAC:
725 return (SSL3_AD_BAD_RECORD_MAC);
726 case SSL_AD_DECRYPTION_FAILED:
727 return (SSL3_AD_BAD_RECORD_MAC);
728 case SSL_AD_RECORD_OVERFLOW:
729 return (SSL3_AD_BAD_RECORD_MAC);
730 case SSL_AD_DECOMPRESSION_FAILURE:
731 return (SSL3_AD_DECOMPRESSION_FAILURE);
732 case SSL_AD_HANDSHAKE_FAILURE:
733 return (SSL3_AD_HANDSHAKE_FAILURE);
734 case SSL_AD_NO_CERTIFICATE:
735 return (SSL3_AD_NO_CERTIFICATE);
736 case SSL_AD_BAD_CERTIFICATE:
737 return (SSL3_AD_BAD_CERTIFICATE);
738 case SSL_AD_UNSUPPORTED_CERTIFICATE:
739 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
740 case SSL_AD_CERTIFICATE_REVOKED:
741 return (SSL3_AD_CERTIFICATE_REVOKED);
742 case SSL_AD_CERTIFICATE_EXPIRED:
743 return (SSL3_AD_CERTIFICATE_EXPIRED);
744 case SSL_AD_CERTIFICATE_UNKNOWN:
745 return (SSL3_AD_CERTIFICATE_UNKNOWN);
746 case SSL_AD_ILLEGAL_PARAMETER:
747 return (SSL3_AD_ILLEGAL_PARAMETER);
748 case SSL_AD_UNKNOWN_CA:
749 return (SSL3_AD_BAD_CERTIFICATE);
750 case SSL_AD_ACCESS_DENIED:
751 return (SSL3_AD_HANDSHAKE_FAILURE);
752 case SSL_AD_DECODE_ERROR:
753 return (SSL3_AD_HANDSHAKE_FAILURE);
754 case SSL_AD_DECRYPT_ERROR:
755 return (SSL3_AD_HANDSHAKE_FAILURE);
756 case SSL_AD_EXPORT_RESTRICTION:
757 return (SSL3_AD_HANDSHAKE_FAILURE);
758 case SSL_AD_PROTOCOL_VERSION:
759 return (SSL3_AD_HANDSHAKE_FAILURE);
760 case SSL_AD_INSUFFICIENT_SECURITY:
761 return (SSL3_AD_HANDSHAKE_FAILURE);
762 case SSL_AD_INTERNAL_ERROR:
763 return (SSL3_AD_HANDSHAKE_FAILURE);
764 case SSL_AD_USER_CANCELLED:
765 return (SSL3_AD_HANDSHAKE_FAILURE);
766 case SSL_AD_NO_RENEGOTIATION:
767 return (-1); /* Don't send it :-) */
768 case SSL_AD_UNSUPPORTED_EXTENSION:
769 return (SSL3_AD_HANDSHAKE_FAILURE);
770 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
771 return (SSL3_AD_HANDSHAKE_FAILURE);
772 case SSL_AD_UNRECOGNIZED_NAME:
773 return (SSL3_AD_HANDSHAKE_FAILURE);
774 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
775 return (SSL3_AD_HANDSHAKE_FAILURE);
776 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
777 return (SSL3_AD_HANDSHAKE_FAILURE);
778 case SSL_AD_UNKNOWN_PSK_IDENTITY:
779 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
780 case SSL_AD_INAPPROPRIATE_FALLBACK:
781 return (TLS1_AD_INAPPROPRIATE_FALLBACK);