2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
111 /* ====================================================================
112 * Copyright 2005 Nokia. All rights reserved.
114 * The portions of the attached software ("Contribution") is developed by
115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
120 * support (see RFC 4279) to OpenSSL.
122 * No patent licenses or other rights except those expressly stated in
123 * the OpenSSL open source license shall be deemed granted or received
124 * expressly, by implication, estoppel, or otherwise.
126 * No assurances are provided by Nokia that the Contribution does not
127 * infringe the patent or other intellectual property rights of any third
128 * party or that the license provides you with all the necessary rights
129 * to make use of the Contribution.
131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 #include "ssl_locl.h"
140 #include <openssl/evp.h>
141 #include <openssl/md5.h>
143 static unsigned char ssl3_pad_1[48] = {
144 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
145 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
146 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
147 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
148 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
149 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
152 static unsigned char ssl3_pad_2[48] = {
153 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
154 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
155 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
156 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
157 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
158 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
161 static int ssl3_handshake_mac(SSL *s, int md_nid,
162 const char *sender, int len, unsigned char *p);
163 static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
167 unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
168 unsigned char c = 'A';
169 unsigned int i, j, k;
171 #ifdef CHARSET_EBCDIC
172 c = os_toascii[c]; /* 'A' in ASCII */
175 EVP_MD_CTX_init(&m5);
176 EVP_MD_CTX_set_flags(&m5, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
177 EVP_MD_CTX_init(&s1);
178 for (i = 0; (int)i < num; i += MD5_DIGEST_LENGTH) {
181 /* bug: 'buf' is too small for this ciphersuite */
184 for (j = 0; j < k; j++)
187 if (!EVP_DigestInit_ex(&s1, EVP_sha1(), NULL) ||
188 !EVP_DigestUpdate(&s1, buf, k) ||
189 !EVP_DigestUpdate(&s1, s->session->master_key,
190 s->session->master_key_length) ||
191 !EVP_DigestUpdate(&s1, s->s3->server_random, SSL3_RANDOM_SIZE) ||
192 !EVP_DigestUpdate(&s1, s->s3->client_random, SSL3_RANDOM_SIZE) ||
193 !EVP_DigestFinal_ex(&s1, smd, NULL))
196 if (!EVP_DigestInit_ex(&m5, EVP_md5(), NULL) ||
197 !EVP_DigestUpdate(&m5, s->session->master_key,
198 s->session->master_key_length) ||
199 !EVP_DigestUpdate(&m5, smd, SHA_DIGEST_LENGTH))
201 if ((int)(i + MD5_DIGEST_LENGTH) > num) {
202 if (!EVP_DigestFinal_ex(&m5, smd, NULL))
204 memcpy(km, smd, (num - i));
206 if (!EVP_DigestFinal_ex(&m5, km, NULL))
209 km += MD5_DIGEST_LENGTH;
211 OPENSSL_cleanse(smd, SHA_DIGEST_LENGTH);
212 EVP_MD_CTX_cleanup(&m5);
213 EVP_MD_CTX_cleanup(&s1);
216 SSLerr(SSL_F_SSL3_GENERATE_KEY_BLOCK, ERR_R_INTERNAL_ERROR);
218 EVP_MD_CTX_cleanup(&m5);
219 EVP_MD_CTX_cleanup(&s1);
223 int ssl3_change_cipher_state(SSL *s, int which)
225 unsigned char *p, *mac_secret;
226 unsigned char exp_key[EVP_MAX_KEY_LENGTH];
227 unsigned char exp_iv[EVP_MAX_IV_LENGTH];
228 unsigned char *ms, *key, *iv, *er1, *er2;
231 #ifndef OPENSSL_NO_COMP
236 int is_exp, n, i, j, k, cl;
239 is_exp = SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
240 c = s->s3->tmp.new_sym_enc;
241 m = s->s3->tmp.new_hash;
242 /* m == NULL will lead to a crash later */
244 #ifndef OPENSSL_NO_COMP
245 if (s->s3->tmp.new_compression == NULL)
248 comp = s->s3->tmp.new_compression->method;
251 if (which & SSL3_CC_READ) {
252 if (s->enc_read_ctx != NULL)
254 else if ((s->enc_read_ctx =
255 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
259 * make sure it's intialized in case we exit later with an error
261 EVP_CIPHER_CTX_init(s->enc_read_ctx);
262 dd = s->enc_read_ctx;
264 if (ssl_replace_hash(&s->read_hash, m) == NULL) {
265 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
268 #ifndef OPENSSL_NO_COMP
270 if (s->expand != NULL) {
271 COMP_CTX_free(s->expand);
275 s->expand = COMP_CTX_new(comp);
276 if (s->expand == NULL) {
277 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
278 SSL_R_COMPRESSION_LIBRARY_ERROR);
281 if (s->s3->rrec.comp == NULL)
282 s->s3->rrec.comp = (unsigned char *)
283 OPENSSL_malloc(SSL3_RT_MAX_PLAIN_LENGTH);
284 if (s->s3->rrec.comp == NULL)
288 memset(&(s->s3->read_sequence[0]), 0, 8);
289 mac_secret = &(s->s3->read_mac_secret[0]);
291 if (s->enc_write_ctx != NULL)
293 else if ((s->enc_write_ctx =
294 OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
298 * make sure it's intialized in case we exit later with an error
300 EVP_CIPHER_CTX_init(s->enc_write_ctx);
301 dd = s->enc_write_ctx;
302 if (ssl_replace_hash(&s->write_hash, m) == NULL) {
303 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
306 #ifndef OPENSSL_NO_COMP
308 if (s->compress != NULL) {
309 COMP_CTX_free(s->compress);
313 s->compress = COMP_CTX_new(comp);
314 if (s->compress == NULL) {
315 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE,
316 SSL_R_COMPRESSION_LIBRARY_ERROR);
321 memset(&(s->s3->write_sequence[0]), 0, 8);
322 mac_secret = &(s->s3->write_mac_secret[0]);
326 EVP_CIPHER_CTX_cleanup(dd);
328 p = s->s3->tmp.key_block;
332 cl = EVP_CIPHER_key_length(c);
333 j = is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
334 cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
335 /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
336 k = EVP_CIPHER_iv_length(c);
337 if ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
338 (which == SSL3_CHANGE_CIPHER_SERVER_READ)) {
345 er1 = &(s->s3->client_random[0]);
346 er2 = &(s->s3->server_random[0]);
355 er1 = &(s->s3->server_random[0]);
356 er2 = &(s->s3->client_random[0]);
359 if (n > s->s3->tmp.key_block_length) {
360 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
364 EVP_MD_CTX_init(&md);
365 memcpy(mac_secret, ms, i);
368 * In here I set both the read and write key/iv to the same value
369 * since only the correct one will be used :-).
371 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
372 !EVP_DigestUpdate(&md, key, j) ||
373 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
374 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
375 !EVP_DigestFinal_ex(&md, &(exp_key[0]), NULL)) {
376 EVP_MD_CTX_cleanup(&md);
382 if (!EVP_DigestInit_ex(&md, EVP_md5(), NULL) ||
383 !EVP_DigestUpdate(&md, er1, SSL3_RANDOM_SIZE) ||
384 !EVP_DigestUpdate(&md, er2, SSL3_RANDOM_SIZE) ||
385 !EVP_DigestFinal_ex(&md, &(exp_iv[0]), NULL)) {
386 EVP_MD_CTX_cleanup(&md);
392 EVP_MD_CTX_cleanup(&md);
394 s->session->key_arg_length = 0;
396 if (!EVP_CipherInit_ex(dd, c, NULL, key, iv, (which & SSL3_CC_WRITE)))
399 #ifdef OPENSSL_SSL_TRACE_CRYPTO
400 if (s->msg_callback) {
402 int wh = which & SSL3_CC_WRITE ?
403 TLS1_RT_CRYPTO_WRITE : TLS1_RT_CRYPTO_READ;
404 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_MAC,
405 mac_secret, EVP_MD_size(m), s, s->msg_callback_arg);
407 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_KEY,
408 key, c->key_len, s, s->msg_callback_arg);
410 s->msg_callback(2, s->version, wh | TLS1_RT_CRYPTO_IV,
411 iv, k, s, s->msg_callback_arg);
416 OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key));
417 OPENSSL_cleanse(&(exp_iv[0]), sizeof(exp_iv));
420 SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
425 int ssl3_setup_key_block(SSL *s)
434 if (s->s3->tmp.key_block_length != 0)
437 if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp)) {
438 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
442 s->s3->tmp.new_sym_enc = c;
443 s->s3->tmp.new_hash = hash;
444 #ifdef OPENSSL_NO_COMP
445 s->s3->tmp.new_compression = NULL;
447 s->s3->tmp.new_compression = comp;
450 num = EVP_MD_size(hash);
454 num = EVP_CIPHER_key_length(c) + num + EVP_CIPHER_iv_length(c);
457 ssl3_cleanup_key_block(s);
459 if ((p = OPENSSL_malloc(num)) == NULL)
462 s->s3->tmp.key_block_length = num;
463 s->s3->tmp.key_block = p;
465 ret = ssl3_generate_key_block(s, p, num);
467 if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) {
469 * enable vulnerability countermeasure for CBC ciphers with known-IV
470 * problem (http://www.openssl.org/~bodo/tls-cbc.txt)
472 s->s3->need_empty_fragments = 1;
474 if (s->session->cipher != NULL) {
475 if (s->session->cipher->algorithm_enc == SSL_eNULL)
476 s->s3->need_empty_fragments = 0;
478 #ifndef OPENSSL_NO_RC4
479 if (s->session->cipher->algorithm_enc == SSL_RC4)
480 s->s3->need_empty_fragments = 0;
488 SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK, ERR_R_MALLOC_FAILURE);
492 void ssl3_cleanup_key_block(SSL *s)
494 if (s->s3->tmp.key_block != NULL) {
495 OPENSSL_cleanse(s->s3->tmp.key_block, s->s3->tmp.key_block_length);
496 OPENSSL_free(s->s3->tmp.key_block);
497 s->s3->tmp.key_block = NULL;
499 s->s3->tmp.key_block_length = 0;
503 * ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
506 * 0: (in non-constant time) if the record is publically invalid (i.e. too
508 * 1: if the record's padding is valid / the encryption was successful.
509 * -1: if the record's padding is invalid or, if sending, an internal error
512 int ssl3_enc(SSL *s, int send)
517 int bs, i, mac_size = 0;
518 const EVP_CIPHER *enc;
521 ds = s->enc_write_ctx;
522 rec = &(s->s3->wrec);
523 if (s->enc_write_ctx == NULL)
526 enc = EVP_CIPHER_CTX_cipher(s->enc_write_ctx);
528 ds = s->enc_read_ctx;
529 rec = &(s->s3->rrec);
530 if (s->enc_read_ctx == NULL)
533 enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx);
536 if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) {
537 memmove(rec->data, rec->input, rec->length);
538 rec->input = rec->data;
541 bs = EVP_CIPHER_block_size(ds->cipher);
545 if ((bs != 1) && send) {
546 i = bs - ((int)l % bs);
548 /* we need to add 'i-1' padding bytes */
551 * the last of these zero bytes will be overwritten with the
554 memset(&rec->input[rec->length], 0, i);
556 rec->input[l - 1] = (i - 1);
560 if (l == 0 || l % bs != 0)
562 /* otherwise, rec->length >= bs */
565 if (EVP_Cipher(ds, rec->data, rec->input, l) < 1)
568 if (EVP_MD_CTX_md(s->read_hash) != NULL)
569 mac_size = EVP_MD_CTX_size(s->read_hash);
570 if ((bs != 1) && !send)
571 return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
576 void ssl3_init_finished_mac(SSL *s)
578 if (s->s3->handshake_buffer)
579 BIO_free(s->s3->handshake_buffer);
580 if (s->s3->handshake_dgst)
581 ssl3_free_digest_list(s);
582 s->s3->handshake_buffer = BIO_new(BIO_s_mem());
583 (void)BIO_set_close(s->s3->handshake_buffer, BIO_CLOSE);
586 void ssl3_free_digest_list(SSL *s)
589 if (!s->s3->handshake_dgst)
591 for (i = 0; i < SSL_MAX_DIGEST; i++) {
592 if (s->s3->handshake_dgst[i])
593 EVP_MD_CTX_destroy(s->s3->handshake_dgst[i]);
595 OPENSSL_free(s->s3->handshake_dgst);
596 s->s3->handshake_dgst = NULL;
599 void ssl3_finish_mac(SSL *s, const unsigned char *buf, int len)
601 if (s->s3->handshake_buffer
602 && !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
603 BIO_write(s->s3->handshake_buffer, (void *)buf, len);
606 for (i = 0; i < SSL_MAX_DIGEST; i++) {
607 if (s->s3->handshake_dgst[i] != NULL)
608 EVP_DigestUpdate(s->s3->handshake_dgst[i], buf, len);
613 int ssl3_digest_cached_records(SSL *s)
621 /* Allocate handshake_dgst array */
622 ssl3_free_digest_list(s);
623 s->s3->handshake_dgst =
624 OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
625 if (s->s3->handshake_dgst == NULL) {
626 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_MALLOC_FAILURE);
629 memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *));
630 hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata);
632 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, SSL_R_BAD_HANDSHAKE_LENGTH);
636 /* Loop through bitso of algorithm2 field and create MD_CTX-es */
637 for (i = 0; ssl_get_handshake_digest(i, &mask, &md); i++) {
638 if ((mask & ssl_get_algorithm2(s)) && md) {
639 s->s3->handshake_dgst[i] = EVP_MD_CTX_create();
641 if (EVP_MD_nid(md) == NID_md5) {
642 EVP_MD_CTX_set_flags(s->s3->handshake_dgst[i],
643 EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
646 if (!EVP_DigestInit_ex(s->s3->handshake_dgst[i], md, NULL)
647 || !EVP_DigestUpdate(s->s3->handshake_dgst[i], hdata,
649 SSLerr(SSL_F_SSL3_DIGEST_CACHED_RECORDS, ERR_R_INTERNAL_ERROR);
653 s->s3->handshake_dgst[i] = NULL;
656 if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) {
657 /* Free handshake_buffer BIO */
658 BIO_free(s->s3->handshake_buffer);
659 s->s3->handshake_buffer = NULL;
665 int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
667 return (ssl3_handshake_mac(s, md_nid, NULL, 0, p));
670 int ssl3_final_finish_mac(SSL *s,
671 const char *sender, int len, unsigned char *p)
674 ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
680 sha1len = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
688 static int ssl3_handshake_mac(SSL *s, int md_nid,
689 const char *sender, int len, unsigned char *p)
694 unsigned char md_buf[EVP_MAX_MD_SIZE];
695 EVP_MD_CTX ctx, *d = NULL;
697 if (s->s3->handshake_buffer)
698 if (!ssl3_digest_cached_records(s))
702 * Search for digest of specified type in the handshake_dgst array
704 for (i = 0; i < SSL_MAX_DIGEST; i++) {
705 if (s->s3->handshake_dgst[i]
706 && EVP_MD_CTX_type(s->s3->handshake_dgst[i]) == md_nid) {
707 d = s->s3->handshake_dgst[i];
712 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, SSL_R_NO_REQUIRED_DIGEST);
715 EVP_MD_CTX_init(&ctx);
716 EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
717 EVP_MD_CTX_copy_ex(&ctx, d);
718 n = EVP_MD_CTX_size(&ctx);
723 if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
724 || EVP_DigestUpdate(&ctx, s->session->master_key,
725 s->session->master_key_length) <= 0
726 || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
727 || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
729 || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
730 || EVP_DigestUpdate(&ctx, s->session->master_key,
731 s->session->master_key_length) <= 0
732 || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
733 || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
734 || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
735 SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
739 EVP_MD_CTX_cleanup(&ctx);
744 int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
747 unsigned char *mac_sec, *seq;
749 const EVP_MD_CTX *hash;
750 unsigned char *p, rec_char;
751 size_t md_size, orig_len;
756 rec = &(ssl->s3->wrec);
757 mac_sec = &(ssl->s3->write_mac_secret[0]);
758 seq = &(ssl->s3->write_sequence[0]);
759 hash = ssl->write_hash;
761 rec = &(ssl->s3->rrec);
762 mac_sec = &(ssl->s3->read_mac_secret[0]);
763 seq = &(ssl->s3->read_sequence[0]);
764 hash = ssl->read_hash;
767 t = EVP_MD_CTX_size(hash);
771 npad = (48 / md_size) * md_size;
774 * kludge: ssl3_cbc_remove_padding passes padding length in rec->type
776 orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8);
780 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
781 ssl3_cbc_record_digest_supported(hash)) {
783 * This is a CBC-encrypted record. We must avoid leaking any
784 * timing-side channel information about how many blocks of data we
785 * are hashing because that gives an attacker a timing-oracle.
789 * npad is, at most, 48 bytes and that's with MD5:
790 * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
792 * With SHA-1 (the largest hash speced for SSLv3) the hash size
793 * goes up 4, but npad goes down by 8, resulting in a smaller
796 unsigned char header[75];
798 memcpy(header + j, mac_sec, md_size);
800 memcpy(header + j, ssl3_pad_1, npad);
802 memcpy(header + j, seq, 8);
804 header[j++] = rec->type;
805 header[j++] = rec->length >> 8;
806 header[j++] = rec->length & 0xff;
808 /* Final param == is SSLv3 */
809 if (ssl3_cbc_digest_record(hash,
812 rec->length + md_size, orig_len,
813 mac_sec, md_size, 1) <= 0)
816 unsigned int md_size_u;
817 /* Chop the digest off the end :-) */
818 EVP_MD_CTX_init(&md_ctx);
820 rec_char = rec->type;
823 if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
824 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
825 || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
826 || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
827 || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
828 || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
829 || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
830 || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
831 || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
832 || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
833 || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
834 || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
835 || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
836 EVP_MD_CTX_cleanup(&md_ctx);
841 EVP_MD_CTX_cleanup(&md_ctx);
844 ssl3_record_sequence_update(seq);
848 void ssl3_record_sequence_update(unsigned char *seq)
852 for (i = 7; i >= 0; i--) {
859 int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p,
862 static const unsigned char *salt[3] = {
863 #ifndef CHARSET_EBCDIC
864 (const unsigned char *)"A",
865 (const unsigned char *)"BB",
866 (const unsigned char *)"CCC",
868 (const unsigned char *)"\x41",
869 (const unsigned char *)"\x42\x42",
870 (const unsigned char *)"\x43\x43\x43",
873 unsigned char buf[EVP_MAX_MD_SIZE];
877 #ifdef OPENSSL_SSL_TRACE_CRYPTO
878 unsigned char *tmpout = out;
881 EVP_MD_CTX_init(&ctx);
882 for (i = 0; i < 3; i++) {
883 if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
884 || EVP_DigestUpdate(&ctx, salt[i],
885 strlen((const char *)salt[i])) <= 0
886 || EVP_DigestUpdate(&ctx, p, len) <= 0
887 || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
888 SSL3_RANDOM_SIZE) <= 0
889 || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
890 SSL3_RANDOM_SIZE) <= 0
891 || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
893 || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
894 || EVP_DigestUpdate(&ctx, p, len) <= 0
895 || EVP_DigestUpdate(&ctx, buf, n) <= 0
896 || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
897 SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
904 EVP_MD_CTX_cleanup(&ctx);
906 #ifdef OPENSSL_SSL_TRACE_CRYPTO
907 if (ret > 0 && s->msg_callback) {
908 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_PREMASTER,
909 p, len, s, s->msg_callback_arg);
910 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_CLIENT_RANDOM,
911 s->s3->client_random, SSL3_RANDOM_SIZE,
912 s, s->msg_callback_arg);
913 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_SERVER_RANDOM,
914 s->s3->server_random, SSL3_RANDOM_SIZE,
915 s, s->msg_callback_arg);
916 s->msg_callback(2, s->version, TLS1_RT_CRYPTO_MASTER,
917 tmpout, SSL3_MASTER_SECRET_SIZE,
918 s, s->msg_callback_arg);
921 OPENSSL_cleanse(buf, sizeof(buf));
925 int ssl3_alert_code(int code)
928 case SSL_AD_CLOSE_NOTIFY:
929 return (SSL3_AD_CLOSE_NOTIFY);
930 case SSL_AD_UNEXPECTED_MESSAGE:
931 return (SSL3_AD_UNEXPECTED_MESSAGE);
932 case SSL_AD_BAD_RECORD_MAC:
933 return (SSL3_AD_BAD_RECORD_MAC);
934 case SSL_AD_DECRYPTION_FAILED:
935 return (SSL3_AD_BAD_RECORD_MAC);
936 case SSL_AD_RECORD_OVERFLOW:
937 return (SSL3_AD_BAD_RECORD_MAC);
938 case SSL_AD_DECOMPRESSION_FAILURE:
939 return (SSL3_AD_DECOMPRESSION_FAILURE);
940 case SSL_AD_HANDSHAKE_FAILURE:
941 return (SSL3_AD_HANDSHAKE_FAILURE);
942 case SSL_AD_NO_CERTIFICATE:
943 return (SSL3_AD_NO_CERTIFICATE);
944 case SSL_AD_BAD_CERTIFICATE:
945 return (SSL3_AD_BAD_CERTIFICATE);
946 case SSL_AD_UNSUPPORTED_CERTIFICATE:
947 return (SSL3_AD_UNSUPPORTED_CERTIFICATE);
948 case SSL_AD_CERTIFICATE_REVOKED:
949 return (SSL3_AD_CERTIFICATE_REVOKED);
950 case SSL_AD_CERTIFICATE_EXPIRED:
951 return (SSL3_AD_CERTIFICATE_EXPIRED);
952 case SSL_AD_CERTIFICATE_UNKNOWN:
953 return (SSL3_AD_CERTIFICATE_UNKNOWN);
954 case SSL_AD_ILLEGAL_PARAMETER:
955 return (SSL3_AD_ILLEGAL_PARAMETER);
956 case SSL_AD_UNKNOWN_CA:
957 return (SSL3_AD_BAD_CERTIFICATE);
958 case SSL_AD_ACCESS_DENIED:
959 return (SSL3_AD_HANDSHAKE_FAILURE);
960 case SSL_AD_DECODE_ERROR:
961 return (SSL3_AD_HANDSHAKE_FAILURE);
962 case SSL_AD_DECRYPT_ERROR:
963 return (SSL3_AD_HANDSHAKE_FAILURE);
964 case SSL_AD_EXPORT_RESTRICTION:
965 return (SSL3_AD_HANDSHAKE_FAILURE);
966 case SSL_AD_PROTOCOL_VERSION:
967 return (SSL3_AD_HANDSHAKE_FAILURE);
968 case SSL_AD_INSUFFICIENT_SECURITY:
969 return (SSL3_AD_HANDSHAKE_FAILURE);
970 case SSL_AD_INTERNAL_ERROR:
971 return (SSL3_AD_HANDSHAKE_FAILURE);
972 case SSL_AD_USER_CANCELLED:
973 return (SSL3_AD_HANDSHAKE_FAILURE);
974 case SSL_AD_NO_RENEGOTIATION:
975 return (-1); /* Don't send it :-) */
976 case SSL_AD_UNSUPPORTED_EXTENSION:
977 return (SSL3_AD_HANDSHAKE_FAILURE);
978 case SSL_AD_CERTIFICATE_UNOBTAINABLE:
979 return (SSL3_AD_HANDSHAKE_FAILURE);
980 case SSL_AD_UNRECOGNIZED_NAME:
981 return (SSL3_AD_HANDSHAKE_FAILURE);
982 case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
983 return (SSL3_AD_HANDSHAKE_FAILURE);
984 case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
985 return (SSL3_AD_HANDSHAKE_FAILURE);
986 case SSL_AD_UNKNOWN_PSK_IDENTITY:
987 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
988 case SSL_AD_INAPPROPRIATE_FALLBACK:
989 return (TLS1_AD_INAPPROPRIATE_FALLBACK);